aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordinoex <dinoex@FreeBSD.org>2009-05-21 03:22:47 +0800
committerdinoex <dinoex@FreeBSD.org>2009-05-21 03:22:47 +0800
commitd3b98ee57b31bcb51d4010c1f3fd57441a18e903 (patch)
tree3d7cab450e95b1f0ea6a19b20d1efa9f489e2703
parent14a9f6a8529869560bd035b665a00a72181900a6 (diff)
downloadfreebsd-ports-gnome-d3b98ee57b31bcb51d4010c1f3fd57441a18e903.tar.gz
freebsd-ports-gnome-d3b98ee57b31bcb51d4010c1f3fd57441a18e903.tar.zst
freebsd-ports-gnome-d3b98ee57b31bcb51d4010c1f3fd57441a18e903.zip
- add more DTLS bugfixes
- use options framework - new option WITH_FIPS add fips code - new option WITH_SCTP add SCTP support to openssl
-rw-r--r--security/openssl/Makefile41
-rw-r--r--security/openssl/distinfo15
-rw-r--r--security/openssl/files/patch-CVE-2009-137746
-rw-r--r--security/openssl/files/patch-CVE-2009-137822
-rw-r--r--security/openssl/files/patch-kssl.c14
-rw-r--r--security/openssl/pkg-descr1
6 files changed, 65 insertions, 74 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 222d957a8bb2..e86cab424bb0 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -7,13 +7,15 @@
PORTNAME= openssl
PORTVERSION= 0.9.8k
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security devel
MASTER_SITES= http://www.openssl.org/%SUBDIR%/ \
ftp://ftp.openssl.org/%SUBDIR%/ \
ftp://ftp.sunet.se/pub/security/tools/net/openssl/%SUBDIR%/ \
ftp://ftp.cert.dfn.de/pub/tools/net/openssl/%SUBDIR%/
MASTER_SITE_SUBDIR= source
+PATCH_SITES= http://sctp.fh-muenster.de/dtls/
+PATCHFILES= dtls-bugs.patch
DISTNAME= ${PORTNAME}-${PORTVERSION}
MAINTAINER= dinoex@FreeBSD.org
@@ -25,6 +27,11 @@ BUILD_DEPENDS= makedepend:${PORTSDIR}/devel/makedepend
.error You have `USE_OPENSSL' variable defined either in environment or in make(1) arguments. Please undefine and try again.
.endif
+OPTIONS= I386 "Use optimzed assembler for 80386" off \
+ SSE2 "Use runtime SSE2 detection" on \
+ ZLIB "Build with zlib compression" on \
+ SCTP "Build with SCTP support" off \
+
EXTRACONFIGURE+= enable-camellia
MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive
@@ -849,11 +856,13 @@ OPENSSL_SHLIBVER_BASE= ${OPENSSL_BASE_SONAME:E}
OPENSSL_BASE_SOPATH= ${OPENSSL_BASE_SONAME:H}
OPENSSL_SHLIBVER?= 5
+.if !defined(WITHOUT_SSE2)
# disable runtime SSE2 detection
-.if defined(WITHOUT_OPENSSL_SSE2)
EXTRACONFIGURE+= no-sse2
.endif
+.if !defined(WITH_FIPS)
EXTRACONFIGURE+= no-fips
+.endif
.if defined(NOSHARED)
PLIST_SUB+= SHARED="@comment "
.else
@@ -864,10 +873,20 @@ PLIST_SUB+= SHLIBVER=${OPENSSL_SHLIBVER}
USE_LDCONFIG= yes
.endif
-.if defined(WITH_OPENSSL_COMPRESSION)
+.if !defined(WITHOUT_ZLIB)
EXTRACONFIGURE+= zlib
.endif
+.if defined(WITH_SCTP)
+.if ${OSVERSION} >= 700000
+PATCHFILES+= tls-extractor.patch \
+ abbreviated-renegotiation.patch \
+ dtls-sctp.patch
+# freebsd-compatibility.patch
+CFLAGS+= -DSCTP
+.endif
+.endif
+
.if ${OPENSSL_SHLIBVER_BASE} > ${OPENSSL_SHLIBVER}
pre-everything::
@${ECHO_CMD} "#"
@@ -881,21 +900,30 @@ pre-everything::
OPENSSLDIR= ${PREFIX}/openssl
MANPREFIX= ${PREFIX}
-.if defined(BATCH) || defined(OPENSSL_WITH_386)
+.if defined(WITH_I386)
.if ${ARCH} == "i386"
EXTRACONFIGURE+= 386
.endif
.endif
do-configure:
+.if !defined(WITH_FIPS)
${RM} -rf ${WRKSRC}/fips
${RM} -f ${WRKSRC}/include/openssl/fips.h
${RM} -f ${WRKSRC}/include/openssl/fips_rand.h
+.endif
cd ${WRKSRC} \
&& ${SETENV} CC="${CC}" FREEBSDCC="${CC}" CFLAGS="${CFLAGS}" PERL="${PERL}" \
- PTHREAD_CFLAGS=${PTHREAD_CFLAGS} PTHREAD_LIBS=${PTHREAD_LIBS} \
+ PTHREAD_CFLAGS=${PTHREAD_CFLAGS} PTHREAD_LIBS=${PTHREAD_LIBS} \
./config --prefix=${PREFIX} --openssldir=${OPENSSLDIR} \
- -L${PREFIX}/lib ${EXTRACONFIGURE}
+ -L${PREFIX}/lib ${EXTRACONFIGURE}
+.if defined(WITH_FIPS)
+ @${REINPLACE_CMD} \
+ -e 's|^MANDIR=.*$$|MANDIR=$$(MANPREFIX)/man|' \
+ -e 's|lib/pkgconfig|libdata/pkgconfig|g' \
+ -e 's|LIBVERSION=[^ ]* |LIBVERSION=$(OPENSSL_SHLIBVER) |' \
+ ${WRKSRC}/Makefile
+.else
@${REINPLACE_CMD} \
-e 's|^MANDIR=.*$$|MANDIR=$$(MANPREFIX)/man|' \
-e 's|lib/pkgconfig|libdata/pkgconfig|g' \
@@ -920,6 +948,7 @@ do-configure:
-e 's|$$(FIPS_RNGVS)$$(EXE_EXT)||' \
-e 's|$$(FIPS_TEST_SUITE)$$(EXE_EXT)||' \
${WRKSRC}/test/Makefile
+.endif
@(cd ${BUILD_WRKSRC}/${i} && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} depend)
post-install:
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index 7e1cd3e7b8a2..e1ef639d69a4 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,3 +1,18 @@
MD5 (openssl-0.9.8k.tar.gz) = e555c6d58d276aec7fdc53363e338ab3
SHA256 (openssl-0.9.8k.tar.gz) = 7e7cd4f3974199b729e6e3a0af08bd4279fde0370a1120c1a3b351ab090c6101
SIZE (openssl-0.9.8k.tar.gz) = 3852259
+MD5 (dtls-bugs.patch) = dc6a79d5dd8e9eacfaa5e2ae05457df4
+SHA256 (dtls-bugs.patch) = e4929a3fbaa20b1c22b0ba218b8c2ab4c5df941c70d975e8672337620eca3422
+SIZE (dtls-bugs.patch) = 33268
+MD5 (freebsd-compatibility.patch) = 2c1dcf5c25509e2a929eeb05cb4baa66
+SHA256 (freebsd-compatibility.patch) = e5b78a56a461892a8fe2cb5f156f381d54dee82dbec8f5ed4fb6e48329ffb59b
+SIZE (freebsd-compatibility.patch) = 399
+MD5 (tls-extractor.patch) = ac104f69472f37359d0fd8c6da56383f
+SHA256 (tls-extractor.patch) = 091bde68933fbf23cfd402bd6bb90b23dc95702a7302c5706336d3eaaa2982f5
+SIZE (tls-extractor.patch) = 1329
+MD5 (abbreviated-renegotiation.patch) = 374a11933e52b4c5a85295cd6cf08ef3
+SHA256 (abbreviated-renegotiation.patch) = fc6a1f6b0f12c9c43f1c66fd716ac3d3f6cf51a466444758ff270640addf795e
+SIZE (abbreviated-renegotiation.patch) = 6396
+MD5 (dtls-sctp.patch) = 146680bedb7fe104430a8d8c71927f9d
+SHA256 (dtls-sctp.patch) = 0696ad1aa23d59274c8a3925397f5f37f75d1ee70d2c270665e3615ee1746edc
+SIZE (dtls-sctp.patch) = 45747
diff --git a/security/openssl/files/patch-CVE-2009-1377 b/security/openssl/files/patch-CVE-2009-1377
deleted file mode 100644
index 9d0e941971d4..000000000000
--- a/security/openssl/files/patch-CVE-2009-1377
+++ /dev/null
@@ -1,46 +0,0 @@
-Obtained-from: http://rt.openssl.org/Ticket/Attachment/22260/10159/dtls-record-buffer-bug-1.0.0.patch
-
---- crypto/pqueue/pqueue.c 2005-12-20 08:03:10.000000000 +0100
-+++ crypto/pqueue/pqueue.c 2009-05-15 16:07:33.000000000 +0200
-@@ -237,3 +237,17 @@
-
- return ret;
- }
-+
-+int
-+pqueue_size(pqueue_s *pq)
-+{
-+ pitem *item = pq->items;
-+ int count = 0;
-+
-+ while(item != NULL)
-+ {
-+ count++;
-+ item = item->next;
-+ }
-+ return count;
-+}
-
---- crypto/pqueue/pqueue.h 2005-06-08 00:21:14.000000000 +0200
-+++ crypto/pqueue/pqueue.h 2009-05-15 16:07:03.000000000 +0200
-@@ -89,5 +89,6 @@
- pitem *pqueue_next(piterator *iter);
-
- void pqueue_print(pqueue pq);
-+int pqueue_size(pqueue pq);
-
- #endif /* ! HEADER_PQUEUE_H */
-
---- ssl/d1_pkt.c 2009-04-23 18:32:40.000000000 +0200
-+++ ssl/d1_pkt.c 2009-05-15 16:06:23.000000000 +0200
-@@ -207,6 +207,10 @@
- DTLS1_RECORD_DATA *rdata;
- pitem *item;
-
-+ /* Limit the size of the queue to prevent DOS attacks */
-+ if (pqueue_size(queue->q) >= 100)
-+ return 0;
-+
- rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
- item = pitem_new(priority, rdata);
- if (rdata == NULL || item == NULL)
diff --git a/security/openssl/files/patch-CVE-2009-1378 b/security/openssl/files/patch-CVE-2009-1378
deleted file mode 100644
index 9b00d550a64a..000000000000
--- a/security/openssl/files/patch-CVE-2009-1378
+++ /dev/null
@@ -1,22 +0,0 @@
-Obtained-from: http://rt.openssl.org/Ticket/Attachment/22314/10203/dtls-fragment-memleak-bug.patch
-
---- ssl/d1_both.c 2009-05-18 09:57:08.000000000 +0200
-+++ ssl/d1_both.c 2009-05-18 10:08:51.000000000 +0200
-@@ -561,7 +561,16 @@
- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
- goto err;
-
-- if (msg_hdr->seq <= s->d1->handshake_read_seq)
-+ /* Try to find item in queue, to prevent duplicate entries */
-+ pq_64bit_init(&seq64);
-+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
-+ item = pqueue_find(s->d1->buffered_messages, seq64);
-+ pq_64bit_free(&seq64);
-+
-+ /* Discard the message if sequence number was already there, is
-+ * too far in the future or the fragment is already in the queue */
-+ if (msg_hdr->seq <= s->d1->handshake_read_seq ||
-+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL)
- {
- unsigned char devnull [256];
-
diff --git a/security/openssl/files/patch-kssl.c b/security/openssl/files/patch-kssl.c
new file mode 100644
index 000000000000..e8ce3b22cff3
--- /dev/null
+++ b/security/openssl/files/patch-kssl.c
@@ -0,0 +1,14 @@
+--- ssl/kssl.c.orig 2009-02-14 22:50:13.000000000 +0100
++++ ssl/kssl.c 2009-05-20 17:11:00.000000000 +0200
+@@ -68,11 +68,6 @@
+
+ #include <openssl/opensslconf.h>
+
+-#define _XOPEN_SOURCE 500 /* glibc2 needs this to declare strptime() */
+-#include <time.h>
+-#if 0 /* experimental */
+-#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */
+-#endif
+ #include <string.h>
+
+ #define KRB5_PRIVATE 1
diff --git a/security/openssl/pkg-descr b/security/openssl/pkg-descr
index eec6a81c8104..879200baf087 100644
--- a/security/openssl/pkg-descr
+++ b/security/openssl/pkg-descr
@@ -17,3 +17,4 @@ OpenSSL homepage:
http://www.openssl.org/
WWW: http://www.openssl.org/
+WWW: http://sctp.fh-muenster.de/dtls-patches.html