The NetBSD Project

CVS log for pkgsrc/security/openssl/builtin.mk


Keyword substitution: kv
Default branch: MAIN


Revision 1.52
Sat Jan 13 20:07:34 2024 UTC (10 months, 3 weeks ago) by riastradh
Branches: MAIN
CVS tags: pkgsrc-2024Q3-base, pkgsrc-2024Q3, pkgsrc-2024Q2-base, pkgsrc-2024Q2, pkgsrc-2024Q1-base, pkgsrc-2024Q1, HEAD
Changes since revision 1.51: +6 -6 lines
*/builtin.mk: Use ${_CROSS_DESTDIR:U} for build-time file checks.

These are questions about the target system, whose files at
build-time are all relative to ${_CROSS_DESTDIR} if it is defined,
i.e., if USE_CROSS_COMPILE is set to yes.

No change to native builds because ${_CROSS_DESTDIR:U} is empty in
them.  (Possible minor change by adding :Q to ${H_FOO} in command
lines, but if this makes a difference it likely fixes problems.)

Revision 1.49.2.1
Mon Mar 13 15:12:47 2023 UTC (20 months, 3 weeks ago) by bsiegert
Branches: pkgsrc-2022Q4
Changes since revision 1.49: +11 -11 lines
Pullup ticket #6740 - requested by he
security/openssl: security fix

Revisions pulled up:
- security/openssl/Makefile                                     1.287
- security/openssl/builtin.mk                                   1.51
- security/openssl/distinfo                                     1.165

---
   Module Name:	pkgsrc
   Committed By:	jperkin
   Date:		Tue Feb  7 16:34:42 UTC 2023

   Modified Files:
   	pkgsrc/security/openssl: Makefile builtin.mk distinfo

   Log Message:
   openssl: Update to 1.1.1t.

   Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

    *) Fixed X.400 address type confusion in X.509 GeneralName.

      There is a type confusion vulnerability relating to X.400 address processing
      inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
      but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
      vulnerability may allow an attacker who can provide a certificate chain and
      CRL (neither of which need have a valid signature) to pass arbitrary
      pointers to a memcmp call, creating a possible read primitive, subject to
      some constraints. Refer to the advisory for more information. Thanks to
      David Benjamin for discovering this issue. (CVE-2023-0286)

      This issue has been fixed by changing the public header file definition of
      GENERAL_NAME so that x400Address reflects the implementation. It was not
      possible for any existing application to successfully use the existing
      definition; however, if any application references the x400Address field
      (e.g. in dead code), note that the type of this field has changed. There is
      no ABI change.
      [Hugo Landau]

    *) Fixed Use-after-free following BIO_new_NDEF.

      The public API function BIO_new_NDEF is a helper function used for
      streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
      to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
      be called directly by end user applications.

      The function receives a BIO from the caller, prepends a new BIO_f_asn1
      filter BIO onto the front of it to form a BIO chain, and then returns
      the new head of the BIO chain to the caller. Under certain conditions,
      for example if a CMS recipient public key is invalid, the new filter BIO
      is freed and the function returns a NULL result indicating a failure.
      However, in this case, the BIO chain is not properly cleaned up and the
      BIO passed by the caller still retains internal pointers to the previously
      freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
      then a use-after-free will occur. This will most likely result in a crash.
      (CVE-2023-0215)
      [Viktor Dukhovni, Matt Caswell]

    *) Fixed Double free after calling PEM_read_bio_ex.

      The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
      decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
      data. If the function succeeds then the "name_out", "header" and "data"
      arguments are populated with pointers to buffers containing the relevant
      decoded data. The caller is responsible for freeing those buffers. It is
      possible to construct a PEM file that results in 0 bytes of payload data.
      In this case PEM_read_bio_ex() will return a failure code but will populate
      the header argument with a pointer to a buffer that has already been freed.
      If the caller also frees this buffer then a double free will occur. This
      will most likely lead to a crash.

      The functions PEM_read_bio() and PEM_read() are simple wrappers around
      PEM_read_bio_ex() and therefore these functions are also directly affected.

      These functions are also called indirectly by a number of other OpenSSL
      functions including PEM_X509_INFO_read_bio_ex() and
      SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
      internal uses of these functions are not vulnerable because the caller does
      not free the header argument if PEM_read_bio_ex() returns a failure code.
      (CVE-2022-4450)
      [Kurt Roeckx, Matt Caswell]

    *) Fixed Timing Oracle in RSA Decryption.

      A timing based side channel exists in the OpenSSL RSA Decryption
      implementation which could be sufficient to recover a plaintext across
      a network in a Bleichenbacher style attack. To achieve a successful
      decryption an attacker would have to be able to send a very large number
      of trial messages for decryption. The vulnerability affects all RSA padding
      modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
      (CVE-2022-4304)
      [Dmitry Belyavsky, Hubert Kario]

Revision 1.51
Tue Feb 7 16:34:42 2023 UTC (21 months, 3 weeks ago) by jperkin
Branches: MAIN
CVS tags: pkgsrc-2023Q4-base, pkgsrc-2023Q4, pkgsrc-2023Q3-base, pkgsrc-2023Q3, pkgsrc-2023Q2-base, pkgsrc-2023Q2, pkgsrc-2023Q1-base, pkgsrc-2023Q1
Changes since revision 1.50: +11 -11 lines
openssl: Update to 1.1.1t.

Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

 *) Fixed X.400 address type confusion in X.509 GeneralName.

   There is a type confusion vulnerability relating to X.400 address processing
   inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
   but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
   vulnerability may allow an attacker who can provide a certificate chain and
   CRL (neither of which need have a valid signature) to pass arbitrary
   pointers to a memcmp call, creating a possible read primitive, subject to
   some constraints. Refer to the advisory for more information. Thanks to
   David Benjamin for discovering this issue. (CVE-2023-0286)

   This issue has been fixed by changing the public header file definition of
   GENERAL_NAME so that x400Address reflects the implementation. It was not
   possible for any existing application to successfully use the existing
   definition; however, if any application references the x400Address field
   (e.g. in dead code), note that the type of this field has changed. There is
   no ABI change.
   [Hugo Landau]

 *) Fixed Use-after-free following BIO_new_NDEF.

   The public API function BIO_new_NDEF is a helper function used for
   streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
   to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
   be called directly by end user applications.

   The function receives a BIO from the caller, prepends a new BIO_f_asn1
   filter BIO onto the front of it to form a BIO chain, and then returns
   the new head of the BIO chain to the caller. Under certain conditions,
   for example if a CMS recipient public key is invalid, the new filter BIO
   is freed and the function returns a NULL result indicating a failure.
   However, in this case, the BIO chain is not properly cleaned up and the
   BIO passed by the caller still retains internal pointers to the previously
   freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
   then a use-after-free will occur. This will most likely result in a crash.
   (CVE-2023-0215)
   [Viktor Dukhovni, Matt Caswell]

 *) Fixed Double free after calling PEM_read_bio_ex.

   The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
   decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
   data. If the function succeeds then the "name_out", "header" and "data"
   arguments are populated with pointers to buffers containing the relevant
   decoded data. The caller is responsible for freeing those buffers. It is
   possible to construct a PEM file that results in 0 bytes of payload data.
   In this case PEM_read_bio_ex() will return a failure code but will populate
   the header argument with a pointer to a buffer that has already been freed.
   If the caller also frees this buffer then a double free will occur. This
   will most likely lead to a crash.

   The functions PEM_read_bio() and PEM_read() are simple wrappers around
   PEM_read_bio_ex() and therefore these functions are also directly affected.

   These functions are also called indirectly by a number of other OpenSSL
   functions including PEM_X509_INFO_read_bio_ex() and
   SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
   internal uses of these functions are not vulnerable because the caller does
   not free the header argument if PEM_read_bio_ex() returns a failure code.
   (CVE-2022-4450)
   [Kurt Roeckx, Matt Caswell]

 *) Fixed Timing Oracle in RSA Decryption.

   A timing based side channel exists in the OpenSSL RSA Decryption
   implementation which could be sufficient to recover a plaintext across
   a network in a Bleichenbacher style attack. To achieve a successful
   decryption an attacker would have to be able to send a very large number
   of trial messages for decryption. The vulnerability affects all RSA padding
   modes: PKCS#1 v1.5, RSA-OAEP and RSASVE.
   (CVE-2022-4304)
   [Dmitry Belyavsky, Hubert Kario]

Revision 1.50
Thu Jan 12 11:01:41 2023 UTC (22 months, 3 weeks ago) by markd
Branches: MAIN
Changes since revision 1.49: +5 -1 lines
openssl: allow builtin.mk to extract version from openssl3

Revision 1.49
Sat Nov 5 18:43:00 2022 UTC (2 years ago) by wiz
Branches: MAIN
CVS tags: pkgsrc-2022Q4-base
Branch point for: pkgsrc-2022Q4
Changes since revision 1.48: +11 -11 lines
openssl: pkglint cleanup

Revision 1.48
Wed Aug 25 11:25:25 2021 UTC (3 years, 3 months ago) by jperkin
Branches: MAIN
CVS tags: pkgsrc-2022Q3-base, pkgsrc-2022Q3, pkgsrc-2022Q2-base, pkgsrc-2022Q2, pkgsrc-2022Q1-base, pkgsrc-2022Q1, pkgsrc-2021Q4-base, pkgsrc-2021Q4, pkgsrc-2021Q3-base, pkgsrc-2021Q3
Changes since revision 1.47: +3 -3 lines
openssl: Update to 1.1.1l.

Changes between 1.1.1k and 1.1.1l [24 Aug 2021]

*) Fixed an SM2 Decryption Buffer Overflow.

   In order to decrypt SM2 encrypted data an application is expected to call the
   API function EVP_PKEY_decrypt(). Typically an application will call this
   function twice. The first time, on entry, the "out" parameter can be NULL and,
   on exit, the "outlen" parameter is populated with the buffer size required to
   hold the decrypted plaintext. The application can then allocate a sufficiently
   sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL
   value for the "out" parameter.

   A bug in the implementation of the SM2 decryption code means that the
   calculation of the buffer size required to hold the plaintext returned by the
   first call to EVP_PKEY_decrypt() can be smaller than the actual size required by
   the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is
   called by the application a second time with a buffer that is too small.

   A malicious attacker who is able to present SM2 content for decryption to an
   application could cause attacker chosen data to overflow the buffer by up to a
   maximum of 62 bytes altering the contents of other data held after the
   buffer, possibly changing application behaviour or causing the application to
   crash. The location of the buffer is application dependent but is typically
   heap allocated.
   (CVE-2021-3711)
   [Matt Caswell]

*) Fixed various read buffer overruns processing ASN.1 strings

   ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING
   structure which contains a buffer holding the string data and a field holding
   the buffer length. This contrasts with normal C strings which are represented as
   a buffer for the string data which is terminated with a NUL (0) byte.

   Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's
   own "d2i" functions (and other similar parsing functions) as well as any string
   whose value has been set with the ASN1_STRING_set() function will additionally
   NUL terminate the byte array in the ASN1_STRING structure.

   However, it is possible for applications to directly construct valid ASN1_STRING
   structures which do not NUL terminate the byte array by directly setting the
   "data" and "length" fields in the ASN1_STRING array. This can also happen by
   using the ASN1_STRING_set0() function.

   Numerous OpenSSL functions that print ASN.1 data have been found to assume that
   the ASN1_STRING byte array will be NUL terminated, even though this is not
   guaranteed for strings that have been directly constructed. Where an application
   requests an ASN.1 structure to be printed, and where that ASN.1 structure
   contains ASN1_STRINGs that have been directly constructed by the application
   without NUL terminating the "data" field, then a read buffer overrun can occur.

   The same thing can also occur during name constraints processing of certificates
   (for example if a certificate has been directly constructed by the application
   instead of loading it via the OpenSSL parsing functions, and the certificate
   contains non NUL terminated ASN1_STRING structures). It can also occur in the
   X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions.

   If a malicious actor can cause an application to directly construct an
   ASN1_STRING and then process it through one of the affected OpenSSL functions
   then this issue could be hit. This might result in a crash (causing a Denial of
   Service attack). It could also result in the disclosure of private memory
   contents (such as private keys, or sensitive plaintext).
   (CVE-2021-3712)
   [Matt Caswell]

Revision 1.47
Mon Mar 1 23:28:54 2021 UTC (3 years, 9 months ago) by gdt
Branches: MAIN
CVS tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2, pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since revision 1.46: +17 -2 lines
security/openssl: Accommodate non-standard paths and cert bundles

Some systems choose unusual paths for certs, and some use bundles.
Try to accommodate that, in particular by defining SSLCERTBUNDLE.

Patch concept from Thomas Orgis on tech-pkg, with no objections.

Revision 1.46
Tue Jan 28 07:34:57 2020 UTC (4 years, 10 months ago) by triaxx
Branches: MAIN
CVS tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4, pkgsrc-2020Q3-base, pkgsrc-2020Q3, pkgsrc-2020Q2-base, pkgsrc-2020Q2, pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since revision 1.45: +2 -2 lines
openssl: fix PR pkg/54890

pkgsrc changes:
---------------
  * Make the BUILDLINK_API_DEPENDS of builtin.mk match the one of
    buildlink3.mk.

Revision 1.45
Thu Jan 16 13:30:29 2020 UTC (4 years, 10 months ago) by jperkin
Branches: MAIN
Changes since revision 1.44: +3 -73 lines
openssl: Update to 1.1.1d.

This is a major upgrade to the current LTS release.  1.0.2 and 1.1.0 are now
out of support and should not be used.

pkgsrc changes include a large cleanup of patches and targets, many of which
were clearly bogus, for example a CONFLICTS entry against a package that has
never existed, and one that was removed in 1999.

Tested on SmartOS, macOS, and NetBSD.  Used for the SmartOS pkgsrc-2019Q4 LTS
release.

There are far too many individual changes to list, so the following text is
instead taken from the 1.1.1 blog announcement:

  --------------------------------------------------------------------------

After two years of work we are excited to be releasing our latest version today
- OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we
are committing to support it for at least five years.

OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been
made from over 200 individual contributors since the release of OpenSSL 1.1.0.
These statistics just illustrate the amazing vitality and diversity of the
OpenSSL community. The contributions didn't just come in the form of commits
though. There has been a great deal of interest in this new version so thanks
needs to be extended to the large number of users who have downloaded the beta
releases to test them out and report bugs.

The headline new feature is TLSv1.3. This new version of the Transport Layer
Security (formerly known as SSL) protocol was published by the IETF just one
month ago as RFC8446. This is a major rewrite of the standard and introduces
significant changes, features and improvements which have been reflected in the
new OpenSSL version.

What's more is that OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0
so most applications that work with 1.1.0 can gain many of the benefits of
TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very
differently to TLSv1.2 though there are a few caveats that may impact a
minority of applications. See the TLSv1.3 page on the OpenSSL wiki for more
details.

Some of the benefits of TLSv1.3 include:

 * Improved connection times due to a reduction in the number of round trips
   required between the client and server

 * The ability, in certain circumstances, for clients to start sending
   encrypted data to the server straight away without any round trips with the
   server required (a feature known as 0-RTT or “early data”).

 * Improved security due to the removal of various obsolete and insecure
   cryptographic algorithms and encryption of more of the connection handshake

Other features in the 1.1.1 release include:

 * Complete rewrite of the OpenSSL random number generator to introduce the
   following capabilities:

   * The default RAND method now utilizes an AES-CTR DRBG according to NIST
     standard SP 800-90Ar1.
   * Support for multiple DRBG instances with seed chaining.
   * There is a public and private DRBG instance.
   * The DRBG instances are fork-safe.
   * Keep all global DRBG instances on the secure heap if it is enabled.
   * The public and private DRBG instance are per thread for lock free
     operation

 * Support for various new cryptographic algorithms including:

   * SHA3
   * SHA512/224 and SHA512/256
   * EdDSA (including Ed25519 and Ed448)
   * X448 (adding to the existing X25519 support in 1.1.0)
   * Multi-prime RSA
   * SM2
   * SM3
   * SM4
   * SipHash
   * ARIA (including TLS support)

 * Significant Side-Channel attack security improvements

 * Maximum Fragment Length TLS extension support

 * A new STORE module, which implements a uniform and URI based reader of
   stores that can contain keys, certificates, CRLs and numerous other objects.

Since 1.1.1 is our new LTS release we are strongly advising all users to
upgrade as soon as possible. For most applications this should be straight
forward if they are written to work with OpenSSL 1.1.0. Since OpenSSL 1.1.0 is
not an LTS release it will start receiving security fixes only with immediate
effect as per our previous announcement and as published in our release
strategy. It will cease receiving all support in one year's time.

Our previous LTS release (OpenSSL 1.0.2) will continue to receive full support
until the end of this year. After that it will receive security fixes only. It
will stop receiving all support at the end of 2019. Users of that release are
strongly advised to upgrade to OpenSSL 1.1.1.

Revision 1.44
Mon Nov 4 21:12:56 2019 UTC (5 years, 1 month ago) by rillig
Branches: MAIN
CVS tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Changes since revision 1.43: +12 -12 lines
security: align variable assignments

pkglint -Wall -F --only aligned --only indent -r

No manual corrections.

Revision 1.43
Thu Mar 26 08:05:02 2015 UTC (9 years, 8 months ago) by dholland
Branches: MAIN
CVS tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3, pkgsrc-2019Q2-base, pkgsrc-2019Q2, pkgsrc-2019Q1-base, pkgsrc-2019Q1, pkgsrc-2018Q4-base, pkgsrc-2018Q4, pkgsrc-2018Q3-base, pkgsrc-2018Q3, pkgsrc-2018Q2-base, pkgsrc-2018Q2, pkgsrc-2018Q1-base, pkgsrc-2018Q1, pkgsrc-2017Q4-base, pkgsrc-2017Q4, pkgsrc-2017Q3-base, pkgsrc-2017Q3, pkgsrc-2017Q2-base, pkgsrc-2017Q2, pkgsrc-2017Q1-base, pkgsrc-2017Q1, pkgsrc-2016Q4-base, pkgsrc-2016Q4, pkgsrc-2016Q3-base, pkgsrc-2016Q3, pkgsrc-2016Q2-base, pkgsrc-2016Q2, pkgsrc-2016Q1-base, pkgsrc-2016Q1, pkgsrc-2015Q4-base, pkgsrc-2015Q4, pkgsrc-2015Q3-base, pkgsrc-2015Q3, pkgsrc-2015Q2-base, pkgsrc-2015Q2, pkgsrc-2015Q1-base, pkgsrc-2015Q1
Changes since revision 1.42: +2 -1 lines
Fix builtin detection for latest version (introduced a space between
'#' and 'define') - avoids unconditionally building pkgsrc openssl
on netbsd-current.

ok'd for during the freeze after an excessively long discussion :-/

Revision 1.38.2.1
Thu Jun 5 13:20:18 2014 UTC (10 years, 6 months ago) by tron
Branches: pkgsrc-2014Q1
Changes since revision 1.38: +9 -45 lines
Pullup ticket #4431 - requested by wiz
security/openssl: security update

Revisions pulled up:
- security/openssl/Makefile                                     1.193
- security/openssl/builtin.mk                                   1.42
- security/openssl/distinfo                                     1.106-1.107
- security/openssl/patches/patch-Configure                      1.2
- security/openssl/patches/patch-Makefile.org                   1.2
- security/openssl/patches/patch-Makefile.shared                1.2
- security/openssl/patches/patch-apps_Makefile                  1.2
- security/openssl/patches/patch-config                         1.2
- security/openssl/patches/patch-crypto_bn_bn__prime.pl         1.2
- security/openssl/patches/patch-crypto_des_Makefile            1.1
- security/openssl/patches/patch-crypto_dso_dso__dlfcn.c        1.2
- security/openssl/patches/patch-doc_apps_cms.pod               deleted
- security/openssl/patches/patch-doc_apps_smine.pod             deleted
- security/openssl/patches/patch-doc_ssl_SSL__COMP__add__compression__method.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__CTX__add__session.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__CTX__load__verify__locations.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__CTX__set__client__CA__list.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__CTX__set__session__id__context.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__CTX__set__ssl__version.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__accept.pod        deleted
- security/openssl/patches/patch-doc_ssl_SSL__clear.pod         deleted
- security/openssl/patches/patch-doc_ssl_SSL__connect.pod       deleted
- security/openssl/patches/patch-doc_ssl_SSL__do__handshake.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__read.pod          deleted
- security/openssl/patches/patch-doc_ssl_SSL__session__reused.pod deleted
- security/openssl/patches/patch-doc_ssl_SSL__set__fd.pod       deleted
- security/openssl/patches/patch-doc_ssl_SSL__set__session.pod  deleted
- security/openssl/patches/patch-doc_ssl_SSL__shutdown.pod      deleted
- security/openssl/patches/patch-doc_ssl_SSL__write.pod         deleted
- security/openssl/patches/patch-engines_ccgost_Makefile        1.2
- security/openssl/patches/patch-tools_Makefile                 1.2

---
   Module Name:	pkgsrc
   Committed By:	rodent
   Date:		Tue May 13 02:23:11 UTC 2014

   Modified Files:
   	pkgsrc/security/openssl: distinfo
   	pkgsrc/security/openssl/patches: patch-Configure patch-Makefile.org
   	    patch-Makefile.shared patch-apps_Makefile patch-config
   	    patch-crypto_bn_bn__prime.pl patch-crypto_dso_dso__dlfcn.c
   	    patch-doc_apps_cms.pod patch-doc_apps_smine.pod
   	    patch-doc_ssl_SSL__COMP__add__compression__method.pod
   	    patch-doc_ssl_SSL__CTX__add__session.pod
   	    patch-doc_ssl_SSL__CTX__load__verify__locations.pod
   	    patch-doc_ssl_SSL__CTX__set__client__CA__list.pod
   	    patch-doc_ssl_SSL__CTX__set__session__id__context.pod
   	    patch-doc_ssl_SSL__CTX__set__ssl__version.pod
   	    patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod
   	    patch-doc_ssl_SSL__accept.pod patch-doc_ssl_SSL__clear.pod
   	    patch-doc_ssl_SSL__connect.pod patch-doc_ssl_SSL__do__handshake.pod
   	    patch-doc_ssl_SSL__read.pod patch-doc_ssl_SSL__session__reused.pod
   	    patch-doc_ssl_SSL__set__fd.pod patch-doc_ssl_SSL__set__session.pod
   	    patch-doc_ssl_SSL__shutdown.pod patch-doc_ssl_SSL__write.pod
   	    patch-engines_ccgost_Makefile patch-tools_Makefile
   Added Files:
   	pkgsrc/security/openssl/patches: patch-crypto_des_Makefile

   Log Message:
   Fix build on OpenBSD/sparc64. Defuzz patches (sorry if this is annoying).

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Thu Jun  5 12:16:06 UTC 2014

   Modified Files:
   	pkgsrc/security/openssl: Makefile builtin.mk distinfo
   Removed Files:
   	pkgsrc/security/openssl/patches: patch-doc_apps_cms.pod
   	    patch-doc_apps_smine.pod
   	    patch-doc_ssl_SSL__COMP__add__compression__method.pod
   	    patch-doc_ssl_SSL__CTX__add__session.pod
   	    patch-doc_ssl_SSL__CTX__load__verify__locations.pod
   	    patch-doc_ssl_SSL__CTX__set__client__CA__list.pod
   	    patch-doc_ssl_SSL__CTX__set__session__id__context.pod
   	    patch-doc_ssl_SSL__CTX__set__ssl__version.pod
   	    patch-doc_ssl_SSL__CTX__use__psk__identity__hint.pod
   	    patch-doc_ssl_SSL__accept.pod patch-doc_ssl_SSL__clear.pod
   	    patch-doc_ssl_SSL__connect.pod patch-doc_ssl_SSL__do__handshake.pod
   	    patch-doc_ssl_SSL__read.pod patch-doc_ssl_SSL__session__reused.pod
   	    patch-doc_ssl_SSL__set__fd.pod patch-doc_ssl_SSL__set__session.pod
   	    patch-doc_ssl_SSL__shutdown.pod patch-doc_ssl_SSL__write.pod

   Log Message:
   Update to 1.0.1h:

     Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]

         o Fix for CVE-2014-0224
         o Fix for CVE-2014-0221
         o Fix for CVE-2014-0195
         o Fix for CVE-2014-3470
         o Fix for CVE-2010-5298

Revision 1.42
Thu Jun 5 12:16:06 2014 UTC (10 years, 6 months ago) by wiz
Branches: MAIN
CVS tags: pkgsrc-2014Q4-base, pkgsrc-2014Q4, pkgsrc-2014Q3-base, pkgsrc-2014Q3, pkgsrc-2014Q2-base, pkgsrc-2014Q2
Changes since revision 1.41: +3 -2 lines
Update to 1.0.1h:

  Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]

      o Fix for CVE-2014-0224
      o Fix for CVE-2014-0221
      o Fix for CVE-2014-0195
      o Fix for CVE-2014-3470
      o Fix for CVE-2010-5298

Revision 1.41
Sun May 18 11:20:53 2014 UTC (10 years, 6 months ago) by obache
Branches: MAIN
Changes since revision 1.40: +3 -1 lines
one more catch up to removal of /boot/common on Haiku.

Revision 1.40
Sun May 18 11:18:17 2014 UTC (10 years, 6 months ago) by obache
Branches: MAIN
Changes since revision 1.39: +5 -1 lines
catch up to removal of /boot/common on Haiku.

Revision 1.39
Sun Apr 27 01:57:51 2014 UTC (10 years, 7 months ago) by obache
Branches: MAIN
Changes since revision 1.38: +1 -44 lines
Remove BUILTIN_PKG.openssl masquerade for NetBSD.
We need builtin version to check sufficient API, not for security fix.

Revision 1.38
Mon Mar 3 06:56:35 2014 UTC (10 years, 9 months ago) by obache
Branches: MAIN
CVS tags: pkgsrc-2014Q1-base
Branch point for: pkgsrc-2014Q1
Changes since revision 1.37: +2 -2 lines
adapt to Haiku R1alpha4

Revision 1.37
Sat Feb 22 09:45:36 2014 UTC (10 years, 9 months ago) by obache
Branches: MAIN
Changes since revision 1.36: +6 -1 lines
Fixes builtin detection with CHECK_BUILTIN.openssl=yes.

Define BUILTINK_API_DEPENDS.openssl same as buildlink3.mk if not defined yet
for the case checking builtin (CHECK_BUILTIN.openssl==yes).

Revision 1.36
Sat Nov 23 12:10:13 2013 UTC (11 years ago) by obache
Branches: MAIN
CVS tags: pkgsrc-2013Q4-base, pkgsrc-2013Q4
Changes since revision 1.35: +4 -8 lines
Use find-headers instead of find-files to detect builtin header files.

Revision 1.35
Sun Oct 6 12:54:10 2013 UTC (11 years, 2 months ago) by obache
Branches: MAIN
Changes since revision 1.34: +31 -16 lines
Change to create fake *.pc files much closer to the real one.
Fixes to detect its prefix with `pkg-config --variable=prefix', such as CMake.

Revision 1.34
Tue Aug 27 05:42:34 2013 UTC (11 years, 3 months ago) by richard
Branches: MAIN
CVS tags: pkgsrc-2013Q3-base, pkgsrc-2013Q3
Changes since revision 1.33: +4 -4 lines
fix openssl builtin support, at least for solaris

Revision 1.33
Thu Jun 13 07:51:26 2013 UTC (11 years, 5 months ago) by adam
Branches: MAIN
CVS tags: pkgsrc-2013Q2-base, pkgsrc-2013Q2
Changes since revision 1.32: +2 -2 lines
Allow absolute path arguments for Configure (e.g. -isysroot /path)

Revision 1.32
Fri Feb 1 12:34:15 2013 UTC (11 years, 10 months ago) by hans
Branches: MAIN
CVS tags: pkgsrc-2013Q1-base, pkgsrc-2013Q1
Diff to: previous 1.31: preferred, colored
Changes since revision 1.31: +7 -7 lines
Use LIBABISUFFIX when creating the .pc files to make builtin openssl
work on 64bit SunOS and possibly others.

Revision 1.31: download - view: text, markup, annotated - select for diffs
Thu Nov 17 13:03:19 2011 UTC (13 years ago) by obache
Branches: MAIN
CVS tags: pkgsrc-2012Q4-base, pkgsrc-2012Q4, pkgsrc-2012Q3-base, pkgsrc-2012Q3, pkgsrc-2012Q2-base, pkgsrc-2012Q2, pkgsrc-2012Q1-base, pkgsrc-2012Q1, pkgsrc-2011Q4-base, pkgsrc-2011Q4
Diff to: previous 1.30: preferred, colored
Changes since revision 1.30: +2 -1 lines
Add BUILTIN_VERSION.openssl to MAKEVARS for later use.

fixes PR pkg/44577.

Revision 1.30: download - view: text, markup, annotated - select for diffs
Tue Oct 4 14:15:35 2011 UTC (13 years, 2 months ago) by hans
Branches: MAIN
Diff to: previous 1.29: preferred, colored
Changes since revision 1.29: +7 -2 lines
Look in /usr/sfw to find built-in openssl on SunOS 5.10.

Revision 1.29: download - view: text, markup, annotated - select for diffs
Sun Jul 4 16:33:25 2010 UTC (14 years, 5 months ago) by obache
Branches: MAIN
CVS tags: pkgsrc-2011Q3-base, pkgsrc-2011Q3, pkgsrc-2011Q2-base, pkgsrc-2011Q2, pkgsrc-2011Q1-base, pkgsrc-2011Q1, pkgsrc-2010Q4-base, pkgsrc-2010Q4, pkgsrc-2010Q3-base, pkgsrc-2010Q3
Diff to: previous 1.28: preferred, colored
Changes since revision 1.28: +13 -3 lines
Add builtin OpenSSL support for Haiku.

Revision 1.28: download - view: text, markup, annotated - select for diffs
Sun Jun 7 14:24:03 2009 UTC (15 years, 6 months ago) by joerg
Branches: MAIN
CVS tags: pkgsrc-2010Q2-base, pkgsrc-2010Q2, pkgsrc-2010Q1-base, pkgsrc-2010Q1, pkgsrc-2009Q4-base, pkgsrc-2009Q4, pkgsrc-2009Q3-base, pkgsrc-2009Q3, pkgsrc-2009Q2-base, pkgsrc-2009Q2
Diff to: previous 1.27: preferred, colored
Changes since revision 1.27: +5 -1 lines
Define openssl-fake-pc only once.

Revision 1.27: download - view: text, markup, annotated - select for diffs
Sun Jun 7 11:06:26 2009 UTC (15 years, 6 months ago) by wiz
Branches: MAIN
Diff to: previous 1.26: preferred, colored
Changes since revision 1.26: +52 -1 lines
Create fake pc files for builtin openssl, for the packages that
insist on them (like modular-xorg-server).

Revision 1.26: download - view: text, markup, annotated - select for diffs
Fri Apr 25 20:06:15 2008 UTC (16 years, 7 months ago) by jlam
Branches: MAIN
CVS tags: pkgsrc-2009Q1-base, pkgsrc-2009Q1, pkgsrc-2008Q4-base, pkgsrc-2008Q4, pkgsrc-2008Q3-base, pkgsrc-2008Q3, pkgsrc-2008Q2-base, pkgsrc-2008Q2, cwrapper, cube-native-xorg-base, cube-native-xorg
Diff to: previous 1.25: preferred, colored
Changes since revision 1.25: +5 -3 lines
Fix detection of openssl configuration directory on NetBSD so it's
/etc/openssl only if USE_BUILTIN.openssl is "yes".

Revision 1.25: download - view: text, markup, annotated - select for diffs
Thu Jan 17 06:42:47 2008 UTC (16 years, 10 months ago) by tnn
Branches: MAIN
CVS tags: pkgsrc-2008Q1-base, pkgsrc-2008Q1
Diff to: previous 1.24: preferred, colored
Changes since revision 1.24: +3 -3 lines
Update to openssl-0.9.8g. Provided by Jukka Salmi in pkgsrc-wip.

pkgsrc notes:
  o Tested on NetBSD/i386 (Jukka Salmi), Mac OSX 10.5 (Adrian Portelli),
    Linux (Jeremy C. Reed), Tru64 5.1b (tnn), HP-UX 11i (tnn).
    Because the Makefile system has been revamped, other
    platforms may require fixes. Please test if you can.
  o OpenSSL can now be built with installation to DESTDIR.

Overview of important changes since 0.9.7i:
  o Add gcc 4.2 support.
  o DTLS improvements.
  o RFC4507bis support.
  o TLS Extensions support.
  o RFC3779 support.
  o New cipher Camellia
  o Updated ECC cipher suite support.
  o New functions EVP_CIPHER_CTX_new() and EVP_CIPHER_CTX_free().
  o Zlib compression usage fixes.
  o Major work on the BIGNUM library for higher efficiency and to
    make operations more streamlined and less contradictory.  This
    is the result of a major audit of the BIGNUM library.
  o Addition of BIGNUM functions for fields GF(2^m) and NIST
    curves, to support the Elliptic Crypto functions.
  o Major work on Elliptic Crypto; ECDH and ECDSA added, including
    the use through EVP, X509 and ENGINE.
  o New ASN.1 mini-compiler that's usable through the OpenSSL
    configuration file.
  o Added support for ASN.1 indefinite length constructed encoding.
  o New PKCS#12 'medium level' API to manipulate PKCS#12 files.
  o Complete rework of shared library construction and linking
    programs with shared or static libraries, through a separate
    Makefile.shared.
  o Rework of the passing of parameters from one Makefile to another.
  o Changed ENGINE framework to load dynamic engine modules
    automatically from specifically given directories.
  o New structure and ASN.1 functions for CertificatePair.
  o Changed the key-generation and primality testing "progress"
    mechanism to take a structure that contains the ticker
    function and an argument.
  o New engine module: GMP (performs private key exponentiation).
  o New engine module: VIA PadLock ACE extension in VIA C3
    Nehemiah processors.
  o Added support for IPv6 addresses in certificate extensions.
    See RFC 1884, section 2.2.
  o Added support for certificate policy mappings, policy
    constraints and name constraints.
  o Added support for multi-valued AVAs in the OpenSSL
    configuration file.
  o Added support for multiple certificates with the same subject
    in the 'openssl ca' index file.
  o Make it possible to create self-signed certificates using
    'openssl ca -selfsign'.
  o Make it possible to generate a serial number file with
    'openssl ca -create_serial'.
  o New binary search functions with extended functionality.
  o New BUF functions.
  o New STORE structure and library to provide an interface to all
    sorts of data repositories.  Supports storage of public and
    private keys, certificates, CRLs, numbers and arbitrary blobs.
    This library is unfortunately unfinished and unused within
    OpenSSL.
  o New control functions for the error stack.
  o Changed the PKCS#7 library to support one-pass S/MIME
    processing.
  o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
  o New X509_VERIFY_PARAM structure to support parametrisation
    of X.509 path validation.
  o Change the default digest in 'openssl' commands from MD5 to
    SHA-1.
  o Added support for DTLS.
  o New BIGNUM blinding.
  o Added support for the RSA-PSS encryption scheme
  o Added support for the RSA X.931 padding.
  o Added support for files larger than 2GB.
  o Added alternate pkg-config files.

Revision 1.22.4.1: download - view: text, markup, annotated - select for diffs
Wed Jan 9 17:14:10 2008 UTC (16 years, 10 months ago) by ghen
Branches: pkgsrc-2007Q4
Diff to: previous 1.22: preferred, colored; next MAIN 1.23: preferred, colored
Changes since revision 1.22: +3 -2 lines
Pullup ticket 2257 - requested by joerg
build fix for openssl

- pkgsrc/security/openssl/builtin.mk			1.24

   Module Name:		pkgsrc
   Committed By:	joerg
   Date:		Mon Jan  7 15:51:08 UTC 2008

   Modified Files:
	   pkgsrc/security/openssl: builtin.mk

   Log Message:
   Fix builtin.mk logic for thread feature if no native OpenSSL exists.
   Fixes PR pkg/37699 from Aleksey Cheusov.

Revision 1.24: download - view: text, markup, annotated - select for diffs
Mon Jan 7 15:51:08 2008 UTC (16 years, 11 months ago) by joerg
Branches: MAIN
Diff to: previous 1.23: preferred, colored
Changes since revision 1.23: +3 -2 lines
Fix builtin.mk logic for thread feature if no native OpenSSL exists.
Fixes PR pkg/37699 from Aleksey Cheusov.

Revision 1.23: download - view: text, markup, annotated - select for diffs
Sat Jan 5 20:41:26 2008 UTC (16 years, 11 months ago) by rillig
Branches: MAIN
Diff to: previous 1.22: preferred, colored
Changes since revision 1.22: +2 -2 lines
Fixed a few pkglint warnings.

Revision 1.22: download - view: text, markup, annotated - select for diffs
Fri Sep 7 17:26:23 2007 UTC (17 years, 3 months ago) by jlam
Branches: MAIN
CVS tags: pkgsrc-2007Q4-base, pkgsrc-2007Q3-base, pkgsrc-2007Q3
Branch point for: pkgsrc-2007Q4
Diff to: previous 1.21: preferred, colored
Changes since revision 1.21: +30 -11 lines
Allow packages that use OpenSSL to specify that they need an OpenSSL
built with support for threads.  This is done by adding the following
line to the package Makefile before the inclusion of openssl/buildlink3.mk:

    USE_FEATURES.openssl=	threads

The openssl/builtin.mk file is also adjusted to detect whether or not
the built-in OpenSSL was built with support for threads and the result
is used accordingly to determine whether or not a pkgsrc OpenSSL is
needed.

Revision 1.21: download - view: text, markup, annotated - select for diffs
Thu Feb 22 19:27:08 2007 UTC (17 years, 9 months ago) by wiz
Branches: MAIN
CVS tags: pkgsrc-2007Q2-base, pkgsrc-2007Q2, pkgsrc-2007Q1-base, pkgsrc-2007Q1
Diff to: previous 1.20: preferred, colored
Changes since revision 1.20: +8 -8 lines
Whitespace cleanup, courtesy of pkglint.
Patch provided by Sergey Svishchev in private mail.

Revision 1.20: download - view: text, markup, annotated - select for diffs
Wed Aug 9 11:23:20 2006 UTC (18 years, 4 months ago) by abs
Branches: MAIN
CVS tags: pkgsrc-2006Q4-base, pkgsrc-2006Q4, pkgsrc-2006Q3-base, pkgsrc-2006Q3
Diff to: previous 1.19: preferred, colored
Changes since revision 1.19: +10 -10 lines
some apps (dovecot) need the SSLDIR rather than SSLCERTS & SSLKEYS

Revision 1.19: download - view: text, markup, annotated - select for diffs
Thu Apr 6 06:22:43 2006 UTC (18 years, 8 months ago) by reed
Branches: MAIN
CVS tags: pkgsrc-2006Q2-base, pkgsrc-2006Q2
Diff to: previous 1.18: preferred, colored
Changes since revision 1.18: +2 -2 lines
Over 1200 files touched but no revisions bumped :)

RECOMMENDED is removed. It becomes ABI_DEPENDS.

BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.

BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.

BUILDLINK_DEPENDS does not change.

IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".

Added to obsolete.mk checking for IGNORE_RECOMMENDED.

I did not manually go through and fix any aesthetic tab/spacing issues.

I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.

I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.

As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.

As discussed on tech-pkg.

I will commit to revbump, pkglint, pkg_install, createbuildlink separately.

Note that if you use wip, it will fail!  I will commit to pkgsrc-wip
later (within a day).

Revision 1.18: download - view: text, markup, annotated - select for diffs
Thu Mar 30 18:06:18 2006 UTC (18 years, 8 months ago) by jlam
Branches: MAIN
Diff to: previous 1.17: preferred, colored
Changes since revision 1.17: +7 -5 lines
Avoid extra stat() calls by not repeatedly checking whether a file
exists on the disk -- we can just check whether a variable defined by
find-files.mk is "__nonexistent__" or not.

Revision 1.15.2.1: download - view: text, markup, annotated - select for diffs
Thu Oct 13 13:21:07 2005 UTC (19 years, 1 month ago) by salo
Branches: pkgsrc-2005Q3
Diff to: previous 1.15: preferred, colored; next MAIN 1.16: preferred, colored
Changes since revision 1.15: +17 -4 lines
Pullup tickets 822 and 825 - requested by Johnny C. Lam
security update for openssl

Revisions pulled up:
- pkgsrc/security/openssl/Makefile		1.107
- pkgsrc/security/openssl/PLIST.common		1.11
- pkgsrc/security/openssl/builtin.mk		1.16, 1.17
- pkgsrc/security/openssl/distinfo		1.46
- pkgsrc/security/openssl/patches/patch-aa	1.18
- pkgsrc/security/openssl/patches/patch-ac	1.28
- pkgsrc/security/openssl/patches/patch-ad	1.15
- pkgsrc/security/openssl/patches/patch-af	1.17

   Module Name:		pkgsrc
   Committed By:	jlam
   Date:		Tue Oct 11 17:19:21 UTC 2005

   Modified Files:
   	pkgsrc/security/openssl: Makefile PLIST.common distinfo
   	pkgsrc/security/openssl/patches: patch-aa patch-ac patch-ad patch-af

   Log Message:
   Update security/openssl to version 0.9.7h.  This is a security
   vulnerability triggered update due to CAN-2005-2969.  Changes from
   version 0.9.7f include:

         o Fix SSL 2.0 Rollback, CAN-2005-2969
         o Allow use of fixed-length exponent on DSA signing
         o Default fixed-window RSA, DSA, DH private-key operations
         o More compilation issues fixed.
         o Adaptation to more modern Kerberos API.
         o Enhanced or corrected configuration for Solaris64, Mingw
           and Cygwin.
         o Enhanced x86_64 assembler BIGNUM module.
         o More constification.
         o Added processing of proxy certificates (RFC 3820).
---
   Module Name:		pkgsrc
   Committed By:	jlam
   Date:		Wed Oct 12 02:00:03 UTC 2005

   Modified Files:
   	pkgsrc/security/openssl: builtin.mk

   Log Message:
   Remove leading "-" from version number when matching the openssl-0.9.6g
   from the netbsd-1-6 branch with the 20040401 fix.
---
   Module Name:		pkgsrc
   Committed By:	jlam
   Date:		Wed Oct 12 02:20:10 UTC 2005

   Modified Files:
   	pkgsrc/security/openssl: builtin.mk

   Log Message:
   If the native openssl-0.9.7d contains the security fixes pulled up to
   the netbsd-2-0, netbsd-2, and netbsd-3-0 branches on 2005-10-11, then
   for the purposes of satisfying dependencies, pretend it's openssl-0.9.7h.

Revision 1.17: download - view: text, markup, annotated - select for diffs
Wed Oct 12 02:20:10 2005 UTC (19 years, 1 month ago) by jlam
Branches: MAIN
CVS tags: pkgsrc-2006Q1-base, pkgsrc-2006Q1, pkgsrc-2005Q4-base, pkgsrc-2005Q4
Diff to: previous 1.16: preferred, colored
Changes since revision 1.16: +16 -3 lines
If the native openssl-0.9.7d contains the security fixes pulled up to
the netbsd-2-0, netbsd-2, and netbsd-3-0 branches on 2005-10-11, then
for the purposes of satisfying dependencies, pretend it's openssl-0.9.7h.

Revision 1.16: download - view: text, markup, annotated - select for diffs
Wed Oct 12 02:00:03 2005 UTC (19 years, 1 month ago) by jlam
Branches: MAIN
Diff to: previous 1.15: preferred, colored
Changes since revision 1.15: +2 -2 lines
Remove leading "-" from version number when matching the openssl-0.9.6g
from the netbsd-1-6 branch with the 20040401 fix.

Revision 1.15: download - view: text, markup, annotated - select for diffs
Tue Aug 16 16:58:29 2005 UTC (19 years, 3 months ago) by jlam
Branches: MAIN
CVS tags: pkgsrc-2005Q3-base
Branch point for: pkgsrc-2005Q3
Diff to: previous 1.14: preferred, colored
Changes since revision 1.14: +10 -2 lines
For NetBSD's crippled OpenSSL distribution, create an <openssl/des_old.h>
header in the buildlink directory that just pulls in /usr/include/des.h.
This should allow packages that purposely include <openssl/des_old.h> on
post-0.9.7 versions of OpenSSL to find it on NetBSD.

Revision 1.14: download - view: text, markup, annotated - select for diffs
Thu Jun 9 06:07:29 2005 UTC (19 years, 6 months ago) by jlam
Branches: MAIN
CVS tags: pkgsrc-2005Q2-base, pkgsrc-2005Q2
Diff to: previous 1.13: preferred, colored
Changes since revision 1.13: +2 -2 lines
Fix copy-and-paste error -- in the case where we prefer the pkgsrc
version of the software, USE_BUILTIN.<pkg> should be set to "no", not
to ${IS_BUILTIN.<pkg>}.

Revision 1.13: download - view: text, markup, annotated - select for diffs
Wed Jun 1 18:03:21 2005 UTC (19 years, 6 months ago) by jlam
Branches: MAIN
Diff to: previous 1.12: preferred, colored
Changes since revision 1.12: +92 -119 lines
Massive cleanup of buildlink3.mk and builtin.mk files in pkgsrc.
Several changes are involved since they are all interrelated.  These
changes affect about 1000 files.

The first major change is rewriting bsd.builtin.mk as well as all of
the builtin.mk files to follow the new example in bsd.builtin.mk.
The loop to include all of the builtin.mk files needed by the package
is moved from bsd.builtin.mk and into bsd.buildlink3.mk.  bsd.builtin.mk
is now included by each of the individual builtin.mk files and provides
some common logic for all of the builtin.mk files.  Currently, this
includes the computation for whether the native or pkgsrc version of
the package is preferred.  This causes USE_BUILTIN.* to be correctly
set when one builtin.mk file includes another.

The second major change is teaching the builtin.mk files to consider
files under ${LOCALBASE} to be from pkgsrc-controlled packages.  Most
of the builtin.mk files test for the presence of built-in software by
checking for the existence of certain files, e.g. <pthread.h>, and we
now assume that if that file is under ${LOCALBASE}, then it must be
from pkgsrc.  This modification is a nod toward LOCALBASE=/usr.  The
exceptions to this new check are the X11 distribution packages, which
are handled specially as noted below.

The third major change is providing builtin.mk and version.mk files
for each of the X11 distribution packages in pkgsrc.  The builtin.mk
file can detect whether the native X11 distribution is the same as
the one provided by pkgsrc, and the version.mk file computes the
version of the X11 distribution package, whether it's built-in or not.

The fourth major change is that the buildlink3.mk files for X11 packages
that install parts which are part of X11 distribution packages, e.g.
Xpm, Xcursor, etc., now use imake to query the X11 distribution for
whether the software is already provided by the X11 distribution.
This is more accurate than grepping for a symbol name in the imake
config files.  Using imake required sprinkling various builtin-imake.mk
helper files into pkgsrc directories.  These files are used as input
to imake since imake can't use stdin for that purpose.

The fifth major change is in how packages note that they use X11.
Instead of setting USE_X11, package Makefiles should now include
x11.buildlink3.mk instead.  This causes the X11 package buildlink3
and builtin logic to be executed at the correct place for buildlink3.mk
and builtin.mk files that previously set USE_X11, and fixes packages
that relied on buildlink3.mk files to implicitly note that X11 is
needed.  Package buildlink3.mk should also include x11.buildlink3.mk
when linking against the package libraries requires also linking
against the X11 libraries.  Where it was obvious, redundant inclusions
of x11.buildlink3.mk have been removed.

Revision 1.12: download - view: text, markup, annotated - select for diffs
Wed Mar 23 09:06:38 2005 UTC (19 years, 8 months ago) by jlam
Branches: MAIN
Diff to: previous 1.11: preferred, colored
Changes since revision 1.11: +2 -2 lines
Update security/openssl to openssl-0.9.7f.

Pkgsrc changes from version 0.9.7e include:

  *) Install the man pages with names that are less likely to collide
     with other packages' man pages.
  *) Support PKG_OPTIONS of "idea", "mdc2" and "rc5" to allow building
     with patented algorithms.  By default, this package still builds
     without patented algorithms.

Major changes from version 0.9.7e include:

  *) Prompt for pass phrases when appropriate for PKCS12 input format.
  *) Back-port of selected performance improvements from development
     branch, as well as improved support for PowerPC platforms.
  *) Add lots of checks for memory allocation failure, error codes to indicate
     failure and freeing up memory if a failure occurs.
  *) Add new -passin argument to dgst.
  *) Make an explicit check during certificate validation to see that
     the CA setting in each certificate on the chain is correct.

Revision 1.11: download - view: text, markup, annotated - select for diffs
Fri Dec 24 22:02:38 2004 UTC (19 years, 11 months ago) by jlam
Branches: MAIN
CVS tags: pkgsrc-2005Q1-base, pkgsrc-2005Q1
Diff to: previous 1.10: preferred, colored
Changes since revision 1.10: +2 -2 lines
Update security/openssl to 0.9.7e.  Changes from openssl-0.9.6m are
too numerous to be listed here, but include adding a new DES API
(support for the old one is still present).

Changes to the pkgsrc structure include:

* Install the shared libraries with a version number that matches the
  OpenSSL version number

* Move some of the less often-used c_* utilities back into the examples
  directory.

* Drop support for using the RSAREF library and always use the built-in
  RSA code instead.

Revision 1.10: download - view: text, markup, annotated - select for diffs
Sat Dec 18 21:32:51 2004 UTC (19 years, 11 months ago) by jlam
Branches: MAIN
CVS tags: pkgsrc-2004Q4-base, pkgsrc-2004Q4
Diff to: previous 1.9: preferred, colored
Changes since revision 1.9: +2 -2 lines
minor whitespace nit.

Revision 1.9: download - view: text, markup, annotated - select for diffs
Sat Dec 18 17:14:22 2004 UTC (19 years, 11 months ago) by jlam
Branches: MAIN
Diff to: previous 1.8: preferred, colored
Changes since revision 1.8: +2 -2 lines
Fix a typo that caused us not to check the correct header for the presence
of "des_cblock".  This fixes PR pkg/28703.

Revision 1.8: download - view: text, markup, annotated - select for diffs
Tue Dec 14 19:24:29 2004 UTC (19 years, 11 months ago) by jlam
Branches: MAIN
Diff to: previous 1.7: preferred, colored
Changes since revision 1.7: +54 -28 lines
Change the way that openssl/builtin.mk handles the USE_OLD_DES_API flag.
The idea is to prevent needing to patch source files for packages that
use OpenSSL for DES support by ensuring that including <openssl/des.h>
will always present the old DES API.

(1) If des_old.h exists, then we're using OpenSSL>=0.9.7, and
    <openssl/des.h> already does the right thing.

(2) If des_old.h doesn't exist, then one of two things is happening:
    (a) If <openssl/des.h> is old and (only) supports the old DES API,
	then <openssl/des.h> does the right thing.
    (b) If it's NetBSD's Special(TM) one that stripped out the old DES
	support into a separate library and header (-ldes, <des.h>),
	then we create a new header <openssl/des.h> that includes the
	system one and <des.h>.

Also modify existing packages that set USE_OLD_DES_API to simply include
<openssl/des.h> instead of either <des.h> or <openssl/des_old.h> (This
step is mostly just removing unnecessary patches).

This should fix building packages that use OpenSSL's old DES API support
on non-NetBSD systems where the built-in OpenSSL is at least 0.9.7.

Revision 1.7: download - view: text, markup, annotated - select for diffs
Sat Dec 11 00:04:14 2004 UTC (19 years, 11 months ago) by jlam
Branches: MAIN
Diff to: previous 1.6: preferred, colored
Changes since revision 1.6: +6 -2 lines
Provide an SSLKEYS variable that points to the location where OpenSSL
private keys are likely to be installed.  Patch directly from PR
pkg/28477 by Jason Thorpe.

Revision 1.6: download - view: text, markup, annotated - select for diffs
Fri Dec 3 23:03:09 2004 UTC (20 years ago) by jlam
Branches: MAIN
Diff to: previous 1.5: preferred, colored
Changes since revision 1.5: +56 -1 lines
Attempt to deal with the differing DES APIs between OpenSSL 0.9.6 (in
pkgsrc and in NetBSD-1.6.x) and OpenSSL 0.9.7 (in NetBSD-2.0), by
creating a new yes/no variable USE_OLD_DES_API that flags whether the
package wants to use the old DES API.  If USE_OLD_DES_API is "yes",
then:

  * For OpenSSL 0.9.6, symlink ${BUILDLINK_DIR}/include/openssl/des_old.h
    to ${SSLBASE}/include/openssl/des.h.

  * For NetBSD 2.0's "special" installation of OpenSSL 0.9.7, symlink
    ${BUILDLINK_DIR}/include/openssl/des_old.h to /usr/include/des.h,
    and transform "-lcrypto" into "-ldes -lcrypto".  This makes it
    behave like stock OpenSSL 0.9.7 where the old DES functions are
    part of libcrypto.

Software that wants to use the old DES API should be taught to do it
in a way that works with a stock installation of OpenSSL 0.9.7 -- by
including <openssl/des_old.h> and linking against "-lcrypto".  Software
that wants to use the new DES API should simply depend on openssl>=0.9.7.

This change has no impact on existing packages as the new code is
active only when USE_OLD_DES_API == "yes".

Revision 1.5: download - view: text, markup, annotated - select for diffs
Fri Apr 2 23:41:50 2004 UTC (20 years, 8 months ago) by wiz
Branches: MAIN
CVS tags: pkgsrc-2004Q3-base, pkgsrc-2004Q3, pkgsrc-2004Q2-base, pkgsrc-2004Q2
Diff to: previous 1.4: preferred, colored
Changes since revision 1.4: +3 -3 lines
Grammar fix.

Revision 1.4: download - view: text, markup, annotated - select for diffs
Fri Apr 2 21:42:32 2004 UTC (20 years, 8 months ago) by jlam
Branches: MAIN
Diff to: previous 1.3: preferred, colored
Changes since revision 1.3: +19 -9 lines
If the native OpenSSL contains the security fixes pulled up to the
netbsd-1-6 branch on 2004-04-01, then pretend it's openssl-0.9.6m.

Revision 1.3: download - view: text, markup, annotated - select for diffs
Fri Mar 26 06:54:30 2004 UTC (20 years, 8 months ago) by jlam
Branches: MAIN
CVS tags: pkgsrc-2004Q1-base, pkgsrc-2004Q1
Diff to: previous 1.2: preferred, colored
Changes since revision 1.2: +10 -10 lines
Allow the rehash of the certs database to not error out during the build
due to libssl.so.300 not being found by correctly setting LD_LIBRARY_PATH.

Revision 1.2: download - view: text, markup, annotated - select for diffs
Fri Mar 26 02:22:38 2004 UTC (20 years, 8 months ago) by wiz
Branches: MAIN
Diff to: previous 1.1: preferred, colored
Changes since revision 1.1: +2 -2 lines
Update to 0.9.6m:
Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
  *) Fix null-pointer assignment in do_change_cipher_spec() revealed
     by using the Codenomicon TLS Test Tool (CAN-2004-0079)
     [Joe Orton, Steve Henson]

Revision 1.1: download - view: text, markup, annotated - select for diffs
Wed Mar 10 17:57:15 2004 UTC (20 years, 9 months ago) by jlam
Branches: MAIN
Split out the code that deals with checking whether the software is
built-in or not into a separate builtin.mk file.  The code to deal with
checking for built-in software is much simpler to deal with in pkgsrc.

The buildlink3.mk file for a package will be of the usual format
regardless of the package, which makes it simpler for packagers to
update a package.

The builtin.mk file for a package must define a single yes/no variable
USE_BUILTIN.<pkg> that is used by bsd.buildlink3.mk to decide whether
to use the built-in software or to use the pkgsrc software.
