authortrevor <trevor@FreeBSD.org>2002-08-22 15:13:24 +0800
committertrevor <trevor@FreeBSD.org>2002-08-22 15:13:24 +0800
commit29d3652e9c8bc1f43aa98dc26e4566e22c8d9046 (patch)
treede5da923cdf01e922c399b38970978e2578e2fef
parent560f6ba2968768ba7c5ffa6e7cf9a50f6161b415 (diff)
patch against SSL man-in-the-middle attack, described in
http://www.kde.org/info/security/advisory-20020818-1.txt (not yet confirmed on FreeBSD) Requested by: security-officer ftp://ftp.kde.org/pub/kde/security_patches/post-2.2.2-kdelibs-kssl.diff Approved by: will, with these reservations: Please note, however, that the patch will be untested and not supported by kde@, similar to the way other people offer patchsets for older versions of FreeBSD that so@ does not support. Also note that the patch does not really seem "official" because it was never applied to their CVS.
-rw-r--r--x11/kdelibs2/Makefile5
-rw-r--r--x11/kdelibs2/files/patch-kssl_kopenssl.cc31
-rw-r--r--x11/kdelibs2/files/patch-kssl_kopenssl.h15
-rw-r--r--x11/kdelibs2/files/patch-kssl_ksslcertificate.cc15
4 files changed, 62 insertions, 4 deletions
diff --git a/x11/kdelibs2/Makefile b/x11/kdelibs2/Makefile
index 97de4b7063fe..7ef0136be1d2 100644
--- a/x11/kdelibs2/Makefile
+++ b/x11/kdelibs2/Makefile
@@ -7,7 +7,7 @@
PORTNAME= kdelibs
PORTVERSION= 2.2.2
-PORTREVISION?= 3
+PORTREVISION?= 4
CATEGORIES?= x11 kde
MASTER_SITES= ${MASTER_SITE_KDE}
MASTER_SITE_SUBDIR= Attic/${PORTVERSION}/src
@@ -28,9 +28,6 @@ LIB_DEPENDS= tiff.4:${PORTSDIR}/graphics/tiff \
LIB_DEPENDS+= bz2.1:${PORTSDIR}/archivers/bzip2
.endif
-FORBIDDEN= Security advisory on serious SSL bug. No fix is planned. \
- Ask not for whom the bell tolls, it tolls for thee.
-
USE_OPENSSL= yes
USE_QT_VER= 2
SOMAJOR= 4
diff --git a/x11/kdelibs2/files/patch-kssl_kopenssl.cc b/x11/kdelibs2/files/patch-kssl_kopenssl.cc
new file mode 100644
index 000000000000..31b8e6dd529b
--- /dev/null
+++ b/x11/kdelibs2/files/patch-kssl_kopenssl.cc
@@ -0,0 +1,31 @@
+$FreeBSD$
+
+--- kssl/kopenssl.cc.orig Tue Sep 4 16:08:18 2001
++++ kssl/kopenssl.cc Mon Aug 19 12:27:36 2002
+@@ -92,6 +92,7 @@ static int (*K_SSL_CTX_use_certificate)
+ static int (*K_SSL_get_error) (SSL*, int) = NULL;
+ static STACK_OF(X509)* (*K_SSL_get_peer_cert_chain) (SSL*) = NULL;
+ static void (*K_X509_STORE_CTX_set_chain) (X509_STORE_CTX *, STACK_OF(X509)*) = NULL;
++static void (*K_X509_STORE_CTX_set_purpose) (X509_STORE_CTX *, int) = NULL;
+ static void (*K_sk_free) (STACK*) = NULL;
+ static int (*K_sk_num) (STACK*) = NULL;
+ static char* (*K_sk_value) (STACK*, int) = NULL;
+@@ -254,6 +255,7 @@ KConfig *cfg;
+ X509**, STACK_OF(X509)**)) _cryptoLib->symbol("PKCS12_parse");
+ K_EVP_PKEY_free = (void (*) (EVP_PKEY *)) _cryptoLib->symbol("EVP_PKEY_free");
+ K_X509_STORE_CTX_set_chain = (void (*)(X509_STORE_CTX *, STACK_OF(X509)*)) _cryptoLib->symbol("X509_STORE_CTX_set_chain");
++ K_X509_STORE_CTX_set_purpose = (void (*)(X509_STORE_CTX *, int)) _cryptoLib->symbol("X509_STORE_CTX_set_purpose");
+ K_sk_free = (void (*) (STACK *)) _cryptoLib->symbol("sk_free");
+ K_sk_num = (int (*) (STACK *)) _cryptoLib->symbol("sk_num");
+ K_sk_value = (char* (*) (STACK *, int)) _cryptoLib->symbol("sk_value");
+@@ -742,6 +744,10 @@ char *KOpenSSLProxy::sk_value(STACK *s,
+
+ void KOpenSSLProxy::X509_STORE_CTX_set_chain(X509_STORE_CTX *v, STACK_OF(X509)* x) {
+ if (K_X509_STORE_CTX_set_chain) (K_X509_STORE_CTX_set_chain)(v,x);
++}
++
++void KOpenSSLProxy::X509_STORE_CTX_set_purpose(X509_STORE_CTX *v, int purpose) {
++ if (K_X509_STORE_CTX_set_purpose) (K_X509_STORE_CTX_set_purpose)(v,purpose);
+ }
+
+
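Review bot: The new `KOpenSSLProxy::X509_STORE_CTX_set_purpose` wrapper fails open: if `_cryptoLib->symbol("X509_STORE_CTX_set_purpose")` resolves to NULL, the `if (K_X509_STORE_CTX_set_purpose)` guard skips the call silently and verification continues without the purpose setting this patch exists to add. The pointer is also declared as `void (*)(X509_STORE_CTX *, int)`, although the prototype quoted in patch-kssl_ksslcertificate.cc returns `int`, so a failed call goes unnoticed as well. I would declare it `static int (*K_X509_STORE_CTX_set_purpose) (X509_STORE_CTX *, int) = NULL;` and have the wrapper `return` the call's result, or `0` when the symbol is missing. The caller in ksslcertificate.cc should then treat anything other than success as a validation failure, and the declaration in patch-kssl_kopenssl.h changes with it.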
diff --git a/x11/kdelibs2/files/patch-kssl_kopenssl.h b/x11/kdelibs2/files/patch-kssl_kopenssl.h
new file mode 100644
index 000000000000..fa2b906ef9e3
--- /dev/null
+++ b/x11/kdelibs2/files/patch-kssl_kopenssl.h
@@ -0,0 +1,15 @@
+$FreeBSD$
+
+--- kssl/kopenssl.h.orig Sat Jul 28 21:55:41 2001
++++ kssl/kopenssl.h Mon Aug 19 12:27:23 2002
+@@ -277,6 +277,10 @@ public:
+ */
+ void X509_STORE_CTX_set_chain(X509_STORE_CTX *v, STACK_OF(X509)* x);
+
++ /*
++ * X509_STORE_CTX_set_purpose - set the purpose of the certificate
++ */
++ void X509_STORE_CTX_set_purpose(X509_STORE_CTX *v, int purpose);
+
+ /*
+ * X509_verify_cert - verify the certificate
diff --git a/x11/kdelibs2/files/patch-kssl_ksslcertificate.cc b/x11/kdelibs2/files/patch-kssl_ksslcertificate.cc
new file mode 100644
index 000000000000..97fc3d2e67f1
--- /dev/null
+++ b/x11/kdelibs2/files/patch-kssl_ksslcertificate.cc
@@ -0,0 +1,15 @@
+$FreeBSD$
+
+--- kssl/ksslcertificate.cc.orig Mon Nov 5 18:37:43 2001
++++ kssl/ksslcertificate.cc Mon Aug 19 12:32:22 2002
+@@ -259,6 +259,10 @@ KSSLCertificate::KSSLValidation KSSLCert
+ if (d->_chain.isValid())
+ d->kossl->X509_STORE_CTX_set_chain(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain());
+
++
++ // int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
++ d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX, X509_PURPOSE_SSL_SERVER);
++
+ // FIXME: do all the X509_STORE_CTX_set_flags(); here
+ // +-----> Note that this is for 0.9.6 or better ONLY!
+
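Review bot: The comment added above the new call is only a pasted prototype (`// int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);`) and does not tell a maintainer why the line must stay. I would replace it with something like `// Verify the chain for SSL server use so OpenSSL applies its purpose checks (KDE advisory 20020818-1).`. `X509_PURPOSE_SSL_SERVER` is also hard-coded; the enclosing function starts outside this hunk, so I cannot tell whether it is also used for client or CA certificates, which would then be judged against the wrong purpose. That is worth confirming before relying on this validation path.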