Up to [cvs.NetBSD.org] / pkgsrc / security / openssl
Request diff between arbitrary revisions
Keyword substitution: kv
Default branch: MAIN
*/builtin.mk: Use ${_CROSS_DESTDIR:U} for build-time file checks. These are questions about the target system, whose files at build-time are all relative to ${_CROSS_DESTDIR} if it is defined, i.e., if USE_CROSS_COMPILE is set to yes. No change to native builds because ${_CROSS_DESTDIR:U} is empty in them. (Possible minor change by adding :Q to ${H_FOO} in command lines, but if this makes a difference it likely fixes problems.)
Pullup ticket #6740 - requested by he security/openssl: security fix Revisions pulled up: - security/openssl/Makefile 1.287 - security/openssl/builtin.mk 1.51 - security/openssl/distinfo 1.165 --- Module Name: pkgsrc Committed By: jperkin Date: Tue Feb 7 16:34:42 UTC 2023 Modified Files: pkgsrc/security/openssl: Makefile builtin.mk distinfo Log Message: openssl: Update to 1.1.1t. Changes between 1.1.1s and 1.1.1t [7 Feb 2023] *) Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. (CVE-2023-0286) This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. [Hugo Landau] *) Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. (CVE-2023-0215) [Viktor Dukhovni, Matt Caswell] *) Fixed Double free after calling PEM_read_bio_ex. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. (CVE-2022-4450) [Kurt Roeckx, Matt Caswell] *) Fixed Timing Oracle in RSA Decryption. A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. (CVE-2022-4304) [Dmitry Belyavsky, Hubert Kario]
openssl: Update to 1.1.1t. Changes between 1.1.1s and 1.1.1t [7 Feb 2023] *) Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. (CVE-2023-0286) This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. [Hugo Landau] *) Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. (CVE-2023-0215) [Viktor Dukhovni, Matt Caswell] *) Fixed Double free after calling PEM_read_bio_ex. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. (CVE-2022-4450) [Kurt Roeckx, Matt Caswell] *) Fixed Timing Oracle in RSA Decryption. A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. (CVE-2022-4304) [Dmitry Belyavsky, Hubert Kario]
openssl: allow builtin.mk to extract version from openssl3
openssl: pkglint cleanup
openssl: Update to 1.1.1l. Changes between 1.1.1k and 1.1.1l [24 Aug 2021] *) Fixed an SM2 Decryption Buffer Overflow. In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. (CVE-2021-3711) [Matt Caswell] *) Fixed various read buffer overruns processing ASN.1 strings ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). (CVE-2021-3712) [Matt Caswell]
seurity/openssl: Accomodate non-standard paths and cert bundles Some systems choose unusual paths fro certs, and some use bundles. Try to accomodate that, in particular by defining SSLCERTBUNDLE. Patch concept from Thomas Orgis on tech-pkg, with no objections.
openssl: fix PR pkg/54890 pkgsrc changes: --------------- * Make the BUILDLINK_API_DEPENDS of builtin.mk match the one of buildlink3.mk.
openssl: Update to 1.1.1d. This is a major upgrade to the current LTS release. 1.0.2 and 1.1.0 are now out of support and should not be used. pkgsrc changes include a large cleanup of patches and targets, many of which were clearly bogus, for example a CONFLICTS entry against a package that has never existed, and one that was removed in 1999. Tested on SmartOS, macOS, and NetBSD. Used for the SmartOS pkgsrc-2019Q4 LTS release. There are far too many individual changes to list, so the following text is instead taken from the 1.1.1 blog announcement: -------------------------------------------------------------------------- After two years of work we are excited to be releasing our latest version today - OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we are committing to support it for at least five years. OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been made from over 200 individual contributors since the release of OpenSSL 1.1.0. These statistics just illustrate the amazing vitality and diversity of the OpenSSL community. The contributions didn't just come in the form of commits though. There has been a great deal of interest in this new version so thanks needs to be extended to the large number of users who have downloaded the beta releases to test them out and report bugs. The headline new feature is TLSv1.3. This new version of the Transport Layer Security (formerly known as SSL) protocol was published by the IETF just one month ago as RFC8446. This is a major rewrite of the standard and introduces significant changes, features and improvements which have been reflected in the new OpenSSL version. What's more is that OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0 so most applications that work with 1.1.0 can gain many of the benefits of TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very differently to TLSv1.2 though there are a few caveats that may impact a minority of applications. See the TLSv1.3 page on the OpenSSL wiki for more details. Some of the benefits of TLSv1.3 include: * Improved connection times due to a reduction in the number of round trips required between the client and server * The ability, in certain circumstances, for clients to start sending encrypted data to the server straight away without any round trips with the server required (a feature known as 0-RTT or “early data”). * Improved security due to the removal of various obsolete and insecure cryptographic algorithms and encryption of more of the connection handshake Other features in the 1.1.1 release include: * Complete rewrite of the OpenSSL random number generator to introduce the following capabilities: * The default RAND method now utilizes an AES-CTR DRBG according to NIST standard SP 800-90Ar1. * Support for multiple DRBG instances with seed chaining. * There is a public and private DRBG instance. * The DRBG instances are fork-safe. * Keep all global DRBG instances on the secure heap if it is enabled. * The public and private DRBG instance are per thread for lock free operation * Support for various new cryptographic algorithms including: * SHA3 * SHA512/224 and SHA512/256 * EdDSA (including Ed25519 and Ed448) * X448 (adding to the existing X25519 support in 1.1.0) * Multi-prime RSA * SM2 * SM3 * SM4 * SipHash * ARIA (including TLS support) * Signficant Side-Channel attack security improvements * Maximum Fragment Length TLS extension support * A new STORE module, which implements a uniform and URI based reader of stores that can contain keys, certificates, CRLs and numerous other objects. Since 1.1.1 is our new LTS release we are strongly advising all users to upgrade as soon as possible. For most applications this should be straight forward if they are written to work with OpenSSL 1.1.0. Since OpenSSL 1.1.0 is not an LTS release it will start receiving security fixes only with immediate affect as per our previous announcement and as published in our release strategy. It will cease receiving all support in one years time. Our previous LTS release (OpenSSL 1.0.2) will continue to receive full support until the end of this year. After that it will receive security fixes only. It will stop receiving all support at the end of 2019. Users of that release are strongly advised to upgrade to OpenSSL 1.1.1.
security: align variable assignments pkglint -Wall -F --only aligned --only indent -r No manual corrections.
Fix builtin detection for latest version (introduced a space between '#' and 'define') - avoids unconditionally building pkgsrc openssl on netbsd-current. ok'd for during the freeze after an excessively long discussion :-/
Pullup ticket #4431 - requested by wiz security/openssl: security update Revisions pulled up: - security/openssl/Makefile 1.193 - security/openssl/builtin.mk 1.42 - security/openssl/distinfo 1.106-1.107 - security/openssl/patches/patch-Configure 1.2 - security/openssl/patches/patch-Makefile.org 1.2 - security/openssl/patches/patch-Makefile.shared 1.2 - security/openssl/patches/patch-apps_Makefile 1.2 - security/openssl/patches/patch-config 1.2 - security/openssl/patches/patch-crypto_bn_bn__prime.pl 1.2 - security/openssl/patches/patch-crypto_des_Makefile 1.1 - security/openssl/patches/patch-crypto_dso_dso__dlfcn.c 1.2 - security/openssl/patches/patch-doc_apps_cms.pod deleted - security/openssl/patches/patch-doc_apps_smine.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__COMP__add__compression__method.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__add__session.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__load__verify__locations.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__set__client__CA__list.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__set__session__id__context.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__set__ssl__version.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__accept.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__clear.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__connect.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__do__handshake.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__read.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__session__reused.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__set__fd.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__set__session.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__shutdown.pod deleted - security/openssl/patches/patch-doc_ssl_SSL__write.pod deleted - security/openssl/patches/patch-engines_ccgost_Makefile 1.2 - security/openssl/patches/patch-tools_Makefile 1.2 --- Module Name: pkgsrc Committed By: rodent Date: Tue May 13 02:23:11 UTC 2014 Modified Files: pkgsrc/security/openssl: distinfo pkgsrc/security/openssl/patches: patch-Configure patch-Makefile.org patch-Makefile.shared patch-apps_Makefile patch-config patch-crypto_bn_bn__prime.pl patch-crypto_dso_dso__dlfcn.c patch-doc_apps_cms.pod patch-doc_apps_smine.pod patch-doc_ssl_SSL__COMP__add__compression__method.pod patch-doc_ssl_SSL__CTX__add__session.pod patch-doc_ssl_SSL__CTX__load__verify__locations.pod patch-doc_ssl_SSL__CTX__set__client__CA__list.pod patch-doc_ssl_SSL__CTX__set__session__id__context.pod patch-doc_ssl_SSL__CTX__set__ssl__version.pod patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod patch-doc_ssl_SSL__accept.pod patch-doc_ssl_SSL__clear.pod patch-doc_ssl_SSL__connect.pod patch-doc_ssl_SSL__do__handshake.pod patch-doc_ssl_SSL__read.pod patch-doc_ssl_SSL__session__reused.pod patch-doc_ssl_SSL__set__fd.pod patch-doc_ssl_SSL__set__session.pod patch-doc_ssl_SSL__shutdown.pod patch-doc_ssl_SSL__write.pod patch-engines_ccgost_Makefile patch-tools_Makefile Added Files: pkgsrc/security/openssl/patches: patch-crypto_des_Makefile Log Message: Fix build on OpenBSD/sparc64. Defuzz patches (sorry if this is annoying). --- Module Name: pkgsrc Committed By: wiz Date: Thu Jun 5 12:16:06 UTC 2014 Modified Files: pkgsrc/security/openssl: Makefile builtin.mk distinfo Removed Files: pkgsrc/security/openssl/patches: patch-doc_apps_cms.pod patch-doc_apps_smine.pod patch-doc_ssl_SSL__COMP__add__compression__method.pod patch-doc_ssl_SSL__CTX__add__session.pod patch-doc_ssl_SSL__CTX__load__verify__locations.pod patch-doc_ssl_SSL__CTX__set__client__CA__list.pod patch-doc_ssl_SSL__CTX__set__session__id__context.pod patch-doc_ssl_SSL__CTX__set__ssl__version.pod patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod patch-doc_ssl_SSL__accept.pod patch-doc_ssl_SSL__clear.pod patch-doc_ssl_SSL__connect.pod patch-doc_ssl_SSL__do__handshake.pod patch-doc_ssl_SSL__read.pod patch-doc_ssl_SSL__session__reused.pod patch-doc_ssl_SSL__set__fd.pod patch-doc_ssl_SSL__set__session.pod patch-doc_ssl_SSL__shutdown.pod patch-doc_ssl_SSL__write.pod Log Message: Update to 1.0.1h: Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014] o Fix for CVE-2014-0224 o Fix for CVE-2014-0221 o Fix for CVE-2014-0195 o Fix for CVE-2014-3470 o Fix for CVE-2010-5298
Update to 1.0.1h: Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014] o Fix for CVE-2014-0224 o Fix for CVE-2014-0221 o Fix for CVE-2014-0195 o Fix for CVE-2014-3470 o Fix for CVE-2010-5298
one more catch up to removal of /boot/common on Haiku.
catch up to removal of /boot/common on Haiku.
Remove BUILTIN_PKG.openssl masquerade for NetBSD. We need buitin version to check suficient API, not for security fix.
adapt to Haiku R1alpha4
Fixes builtin detection with CHECK_BUILTIN.openssl=yes. Define BUILTINK_API_DEPENDS.openssl same as buildlink3.mk if not defined yet for the case checking builtin (CHECK_BUILTIN.openssl==yes).
Use find-headers instead of find-files to detect builtin header files.
Change to create fake *.pc files much close to real one. Fixes to detect its prefix with `pkg-config --variable=prefix", such as CMake.
fix openssl builtin support, at least for solaris
Allow absolute paths arguments for Configure (e.g. -isysroot /path)
Use LIBABISUFFIX when creating the .pc files to make builtin openssl work on 64bit SunOS and possibly others.
Add BUILTIN_VERSION.openssl to MAKEVARS for later use. fixes PR pkg/44577.
Look in /usr/sfw to find built-in openssl on SunOS 5.10.
Add builtin OpenSSL support for Haiku.
Define openssl-fake-pc only once.
Create fake pc files for builtin openssl, for the packages that insist on them (like modular-xorg-server).
Fix detection of openssl configuration directory on NetBSD so it's /etc/openssl only if USE_BUILTIN.openssl is "yes".
Update to openssl-0.9.8g. Provided by Jukka Salmi in pkgsrc-wip. pkgsrc notes: o Tested on NetBSD/i386 (Jukka Salmi), Mac OSX 10.5 (Adrian Portelli), Linux (Jeremy C. Reed), Tru64 5.1b (tnn), HP-UX 11i (tnn). Because the Makefile system has been rewamped, other platforms may require fixes. Please test if you can. o OpenSSL can now be built with installation to DESTDIR. Overview of important changes since 0.9.7i: o Add gcc 4.2 support. o DTLS improvements. o RFC4507bis support. o TLS Extensions support. o RFC3779 support. o New cipher Camellia o Updated ECC cipher suite support. o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free(). o Zlib compression usage fixes. o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library. o Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions. o Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE. o New ASN.1 mini-compiler that's usable through the OpenSSL configuration file. o Added support for ASN.1 indefinite length constructed encoding. o New PKCS#12 'medium level' API to manipulate PKCS#12 files. o Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared. o Rework of the passing of parameters from one Makefile to another. o Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories. o New structure and ASN.1 functions for CertificatePair. o Changed the key-generation and primality testing "progress" mechanism to take a structure that contains the ticker function and an argument. o New engine module: GMP (performs private key exponentiation). o New engine module: VIA PadLOck ACE extension in VIA C3 Nehemiah processors. o Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2. o Added support for certificate policy mappings, policy constraints and name constraints. o Added support for multi-valued AVAs in the OpenSSL configuration file. o Added support for multiple certificates with the same subject in the 'openssl ca' index file. o Make it possible to create self-signed certificates using 'openssl ca -selfsign'. o Make it possible to generate a serial number file with 'openssl ca -create_serial'. o New binary search functions with extended functionality. o New BUF functions. o New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused withing OpenSSL. o New control functions for the error stack. o Changed the PKCS#7 library to support one-pass S/MIME processing. o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512). o New X509_VERIFY_PARAM structure to support parametrisation of X.509 path validation. o Change the default digest in 'openssl' commands from MD5 to SHA-1. o Added support for DTLS. o New BIGNUM blinding. o Added support for the RSA-PSS encryption scheme o Added support for the RSA X.931 padding. o Added support for files larger than 2GB. o Added alternate pkg-config files.
Pullup ticket 2257 - requested by joerg build fix for openssl - pkgsrc/security/openssl/builtin.mk 1.24 Module Name: pkgsrc Committed By: joerg Date: Mon Jan 7 15:51:08 UTC 2008 Modified Files: pkgsrc/security/openssl: builtin.mk Log Message: Fix builtin.mk logic for thread feature if no native OpenSSL exists. Fixes PR pkg/37699 from Aleksey Cheusov.
Fix builtin.mk logic for thread feature if no native OpenSSL exists. Fixes PR pkg/37699 from Aleksey Cheusov.
Fixed a few pkglint warnings.
Allow packages that use OpenSSL to specify that they need an OpenSSL built with support for threads. This is done by adding the following line to the package Makefile before the inclusion of openssl/buildlink3.mk: USE_FEATURES.openssl= threads The openssl/builtin.mk file is also adjusted to detect whether or not the built-in OpenSSL was built with support for threads and the result is used accordingly to determine whether or not a pkgsrc OpenSSL is needed.
Whitespace cleanup, courtesy of pkglint. Patch provided by Sergey Svishchev in private mail.
some apps (dovecot) need the SSLDIR rather than SSLCERTS & SSLKEYS
Over 1200 files touched but no revisions bumped :) RECOMMENDED is removed. It becomes ABI_DEPENDS. BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo. BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo. BUILDLINK_DEPENDS does not change. IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS which defaults to "yes". Added to obsolete.mk checking for IGNORE_RECOMMENDED. I did not manually go through and fix any aesthetic tab/spacing issues. I have tested the above patch on DragonFly building and packaging subversion and pkglint and their many dependencies. I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I have used IGNORE_RECOMMENDED for a long time). I have been an active user of IGNORE_RECOMMENDED since it was available. As suggested, I removed the documentation sentences suggesting bumping for "security" issues. As discussed on tech-pkg. I will commit to revbump, pkglint, pkg_install, createbuildlink separately. Note that if you use wip, it will fail! I will commit to pkgsrc-wip later (within day).
Avoid extra stat() calls by not repeatedly checking whether a file exists on the disk -- we can just check whether a variable defined by find-files.mk is "__nonexistent__" or not.
Pullup tickets 822 and 825 - requested by Johnny C. Lam security update for openssl Revisions pulled up: - pkgsrc/security/openssl/Makefile 1.107 - pkgsrc/security/openssl/PLIST.common 1.11 - pkgsrc/security/openssl/builtin.mk 1.16, 1.17 - pkgsrc/security/openssl/distinfo 1.46 - pkgsrc/security/openssl/patches/patch-aa 1.18 - pkgsrc/security/openssl/patches/patch-ac 1.28 - pkgsrc/security/openssl/patches/patch-ad 1.15 - pkgsrc/security/openssl/patches/patch-af 1.17 Module Name: pkgsrc Committed By: jlam Date: Tue Oct 11 17:19:21 UTC 2005 Modified Files: pkgsrc/security/openssl: Makefile PLIST.common distinfo pkgsrc/security/openssl/patches: patch-aa patch-ac patch-ad patch-af Log Message: Update security/openssl to version 0.9.7h. This is a security vulnerability triggered update due to CAN-2005-2969. Changes from version 0.9.7f include: o Fix SSL 2.0 Rollback, CAN-2005-2969 o Allow use of fixed-length exponent on DSA signing o Default fixed-window RSA, DSA, DH private-key operations o More compilation issues fixed. o Adaptation to more modern Kerberos API. o Enhanced or corrected configuration for Solaris64, Mingw and Cygwin. o Enhanced x86_64 assembler BIGNUM module. o More constification. o Added processing of proxy certificates (RFC 3820). --- Module Name: pkgsrc Committed By: jlam Date: Wed Oct 12 02:00:03 UTC 2005 Modified Files: pkgsrc/security/openssl: builtin.mk Log Message: Remove leading "-" from version number when matching the openssl-0.9.6g from the netbsd-1-6 branch with the 20040401 fix. --- Module Name: pkgsrc Committed By: jlam Date: Wed Oct 12 02:20:10 UTC 2005 Modified Files: pkgsrc/security/openssl: builtin.mk Log Message: If the native openssl-0.9.7d contains the security fixes pulled up to the netbsd-2-0, netbsd-2, and netbsd-3-0 branches on 2005-10-11, then for the purposes of satisfying dependencies, pretend it's openssl-0.9.7h.
If the native openssl-0.9.7d contains the security fixes pulled up to the netbsd-2-0, netbsd-2, and netbsd-3-0 branches on 2005-10-11, then for the purposes of satisfying dependencies, pretend it's openssl-0.9.7h.
Remove leading "-" from version number when matching the openssl-0.9.6g from the netbsd-1-6 branch with the 20040401 fix.
For NetBSD's crippled OpenSSL distribution, create an <openssl/des_old.h> header in the buildlink directory that just pulls in /usr/include/des.h. This should allow packages that purposely include <openssl/des_old.h> on post-0.9.7 versions of OpenSSL to find it on NetBSD.
Fix copy-and-paste error -- in the case where we prefer the pkgsrc version of the software, USE_BUILTIN.<pkg> should be set to "no", not to ${IS_BUILTIN.<pkg>}.
Massive cleanup of buildlink3.mk and builtin.mk files in pkgsrc. Several changes are involved since they are all interrelated. These changes affect about 1000 files. The first major change is rewriting bsd.builtin.mk as well as all of the builtin.mk files to follow the new example in bsd.builtin.mk. The loop to include all of the builtin.mk files needed by the package is moved from bsd.builtin.mk and into bsd.buildlink3.mk. bsd.builtin.mk is now included by each of the individual builtin.mk files and provides some common logic for all of the builtin.mk files. Currently, this includes the computation for whether the native or pkgsrc version of the package is preferred. This causes USE_BUILTIN.* to be correctly set when one builtin.mk file includes another. The second major change is teach the builtin.mk files to consider files under ${LOCALBASE} to be from pkgsrc-controlled packages. Most of the builtin.mk files test for the presence of built-in software by checking for the existence of certain files, e.g. <pthread.h>, and we now assume that if that file is under ${LOCALBASE}, then it must be from pkgsrc. This modification is a nod toward LOCALBASE=/usr. The exceptions to this new check are the X11 distribution packages, which are handled specially as noted below. The third major change is providing builtin.mk and version.mk files for each of the X11 distribution packages in pkgsrc. The builtin.mk file can detect whether the native X11 distribution is the same as the one provided by pkgsrc, and the version.mk file computes the version of the X11 distribution package, whether it's built-in or not. The fourth major change is that the buildlink3.mk files for X11 packages that install parts which are part of X11 distribution packages, e.g. Xpm, Xcursor, etc., now use imake to query the X11 distribution for whether the software is already provided by the X11 distribution. This is more accurate than grepping for a symbol name in the imake config files. Using imake required sprinkling various builtin-imake.mk helper files into pkgsrc directories. These files are used as input to imake since imake can't use stdin for that purpose. The fifth major change is in how packages note that they use X11. Instead of setting USE_X11, package Makefiles should now include x11.buildlink3.mk instead. This causes the X11 package buildlink3 and builtin logic to be executed at the correct place for buildlink3.mk and builtin.mk files that previously set USE_X11, and fixes packages that relied on buildlink3.mk files to implicitly note that X11 is needed. Package buildlink3.mk should also include x11.buildlink3.mk when linking against the package libraries requires also linking against the X11 libraries. Where it was obvious, redundant inclusions of x11.buildlink3.mk have been removed.
Update security/openssl to openssl-0.9.7f. Pkgsrc changes from version 0.9.7e include: *) Install the man pages with names that are less likely to collide with other packages' man pages. *) Support PKG_OPTIONS of "idea", "mdc2" and "rc5" to allow building with patented algorithms. By default, this package still builds without patented algorithms. Major changes from version 0.9.7e include: *) Prompt for pass phrases when appropriate for PKCS12 input format. *) Back-port of selected performance improvements from development branch, as well as improved support for PowerPC platforms. *) Add lots of checks for memory allocation failure, error codes to indicate failure and freeing up memory if a failure occurs. *) Add new -passin argument to dgst. *) Make an explicit check during certificate validation to see that the CA setting in each certificate on the chain is correct.
Update security/openssl to 0.9.7e. Changes from openssl-0.9.6m are too numerous to be listed here, but include adding a new DES API (support for the old one is still present). Changes to the pkgsrc structure include: * Install the shared libraries with a version number that matches the OpenSSL version number * Move some of the less often-used c_* utilities back into the examples directory. * Drop support for using the RSAREF library and always use the built-in RSA code instead.
minor whitespace nit.
Fix a typo that caused us not to check the correct header for the presence of "des_cblock". This fixes PR pkg/28703.
Change the way that openssl/builtin.mk handles the USE_OLD_DES_API flag. The idea is to prevent needing to patch source files for packages that use OpenSSL for DES support by ensuring that including <openssl/des.h> will always present the old DES API. (1) If des_old.h exists, then we're using OpenSSL>=0.9.7, and <openssl/des.h> already does the right thing. (2) If des_old.h doesn't exist, then one of two things is happening: (a) If <openssl/des.h> is old and (only) supports the old DES API, then <openssl/des.h> does the right thing. (b) If it's NetBSD's Special(TM) one that stripped out the old DES support into a separate library and header (-ldes, <des.h>), then we create a new header <openssl/des.h> that includes the system one and <des.h>. Also modify existing packages that set USE_OLD_DES_API to simply include <openssl/des.h> instead of either <des.h> or <openssl/des_old.h> (This step is mostly just removing unnecessary patches). This should fix building packages that use OpenSSL's old DES API support on non-NetBSD systems where the built-in OpenSSL is at least 0.9.7.
Provide an SSLKEYS variable that points to the location where OpenSSL private keys are likely to be installed. Patch directly from PR pkg/28477 by Jason Thorpe.
Attempt to deal with the differing DES APIs between OpenSSL 0.9.6 (in pkgsrc and in NetBSD-1.6.x) and OpenSSL 0.9.7 (in NetBSD-2.0), by creating a new yes/no variable USE_OLD_DES_API that flags whether the package wants to use the old DES API. If USE_OLD_DES_API is "yes", then: * For OpenSSL 0.9.6, symlink ${BUILDLINK_DIR}/include/openssl/des_old.h to ${SSLBASE}/include/openssl/des.h. * For NetBSD 2.0's "special" installation of OpenSSL 0.9.7, symlink ${BUILDLINK_DIR}/include/openssl/des_old.h to /usr/include/des.h, and transform "-lcrypto" into "-ldes -lcrypto". This makes it behave like stock OpenSSL 0.9.7 where the old DES functions are part of libcrypto. Software that wants to use the old DES API should be taught to do it in a way that works with a stock installation of OpenSSL 0.9.7 -- by including <openssl/des_old.h> and linking against "-lcrypto". Software that wants to use the new DES API should simply depend on openssl>=0.9.7. This change has no impact on existing packages as the new code is active only when USE_OLD_DES_API == "yes".
Grammar fix.
If the native OpenSSL contains the security fixes pulled up to the netbsd-1-6 branch on 2004-04-01, then pretend it's openssl-0.9.6m.
Allow the rehash of the certs database to not error out during the build due to libssl.so.300 not being found by correctly setting LD_LIBRARY_PATH.
Update to 0.9.6m: Changes between 0.9.6l and 0.9.6m [17 Mar 2004] *) Fix null-pointer assignment in do_change_cipher_spec() revealed by using the Codenomicon TLS Test Tool (CAN-2004-0079) [Joe Orton, Steve Henson]
Split out the code that deals with checking whether the software is built-in or not into a separate builtin.mk file. The code to deal checking for built-in software is much simpler to deal with in pkgsrc. The buildlink3.mk file for a package will be of the usual format regardless of the package, which makes it simpler for packagers to update a package. The builtin.mk file for a package must define a single yes/no variable USE_BUILTIN.<pkg> that is used by bsd.buildlink3.mk to decide whether to use the built-in software or to use the pkgsrc software.