diff options
author | dinoex <dinoex@FreeBSD.org> | 2010-02-27 02:47:09 +0800 |
---|---|---|
committer | dinoex <dinoex@FreeBSD.org> | 2010-02-27 02:47:09 +0800 |
commit | 5ec196a7b7acf0c82dbf857367ac00312f6857b0 (patch) | |
tree | 4af680f06e660e52a9e7f5a61ed661b7076f0ebb /security/openssl | |
parent | 99f4c1db4c93d391fe4e9feb9a640500bb7031ab (diff) | |
download | freebsd-ports-gnome-5ec196a7b7acf0c82dbf857367ac00312f6857b0.tar.gz freebsd-ports-gnome-5ec196a7b7acf0c82dbf857367ac00312f6857b0.tar.zst freebsd-ports-gnome-5ec196a7b7acf0c82dbf857367ac00312f6857b0.zip |
- update to 0.9.8m
- support RFC5746
Security: CVE-2008-1678
Security: CVE-2009-1377
Security: CVE-2009-1378
Security: CVE-2009-1379
Approved by: portmgr (pav)
Feature safe: yes
Diffstat (limited to 'security/openssl')
-rw-r--r-- | security/openssl/Makefile | 82 | ||||
-rw-r--r-- | security/openssl/distinfo | 6 | ||||
-rw-r--r-- | security/openssl/files/patch-CVE-2009-4355 | 43 | ||||
-rw-r--r-- | security/openssl/files/patch-eng_cryptodev.c | 225 | ||||
-rw-r--r-- | security/openssl/files/patch-kssl.c | 14 |
5 files changed, 76 insertions, 294 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile index 3aa7ff11455c..dd07163c3d12 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -6,18 +6,13 @@ # PORTNAME= openssl -PORTVERSION= 0.9.8l -PORTREVISION= 4 +PORTVERSION= 0.9.8m +PORTREVISION= 0 CATEGORIES= security devel MASTER_SITES= http://www.openssl.org/%SUBDIR%/ \ ftp://ftp.openssl.org/%SUBDIR%/ \ ftp://ftp.cert.dfn.de/pub/tools/net/openssl/%SUBDIR%/ MASTER_SITE_SUBDIR= source -#PATCH_SITES= http://sctp.fh-muenster.de/dtls/ -PATCH_SITES= ${MASTER_SITE_LOCAL} \ - http://people.freebsd.org/~dinoex/distfiles/ -PATCH_SITE_SUBDIR= dinoex -PATCHFILES= dtls-bugs-2009-05-18.patch DISTNAME= ${PORTNAME}-${PORTVERSION} MAINTAINER= dinoex@FreeBSD.org @@ -566,8 +561,11 @@ MLINKS= dgst.1 md4.1 \ SSL_CTX_set_msg_callback.3 SSL_CTX_set_msg_callback_arg.3 \ SSL_CTX_set_msg_callback.3 SSL_get_msg_callback_arg.3 \ SSL_CTX_set_msg_callback.3 SSL_set_msg_callback.3 \ + SSL_CTX_set_options.3 SSL_CTX_clear_options.3 \ SSL_CTX_set_options.3 SSL_CTX_get_options.3 \ + SSL_CTX_set_options.3 SSL_clear_options.3 \ SSL_CTX_set_options.3 SSL_get_options.3 \ + SSL_CTX_set_options.3 SSL_get_secure_renegotiation_support.3 \ SSL_CTX_set_options.3 SSL_set_options.3 \ SSL_CTX_set_quiet_shutdown.3 SSL_CTX_get_quiet_shutdown.3 \ SSL_CTX_set_quiet_shutdown.3 SSL_get_quiet_shutdown.3 \ @@ -802,6 +800,72 @@ MLINKS= dgst.1 md4.1 \ mdc2.3 MDC2_Init.3 \ mdc2.3 MDC2_Update.3 \ pem.3 PEM.3 \ + pem.3 PEM_read_DHparams.3 \ + pem.3 PEM_read_DSAPrivateKey.3 \ + pem.3 PEM_read_DSA_PUBKEY.3 \ + pem.3 PEM_read_DSAparams.3 \ + pem.3 PEM_read_NETSCAPE_CERT_SEQUENCE.3 \ + pem.3 PEM_read_PKCS7.3 \ + pem.3 PEM_read_PUBKEY.3 \ + pem.3 PEM_read_PrivateKey.3 \ + pem.3 PEM_read_RSAPrivateKey.3 \ + pem.3 PEM_read_RSAPublicKey.3 \ + pem.3 PEM_read_RSA_PUBKEY.3 \ + pem.3 PEM_read_X509.3 \ + pem.3 PEM_read_X509_AUX.3 \ + pem.3 PEM_read_X509_CRL.3 \ + pem.3 PEM_read_X509_REQ.3 \ + pem.3 PEM_read_bio_DHparams.3 \ + pem.3 PEM_read_bio_DSAPrivateKey.3 \ + pem.3 PEM_read_bio_DSA_PUBKEY.3 \ + pem.3 PEM_read_bio_DSAparams.3 \ + pem.3 PEM_read_bio_NETSCAPE_CERT_SEQUENCE.3 \ + pem.3 PEM_read_bio_PKCS7.3 \ + pem.3 PEM_read_bio_PUBKEY.3 \ + pem.3 PEM_read_bio_PrivateKey.3 \ + pem.3 PEM_read_bio_RSAPrivateKey.3 \ + pem.3 PEM_read_bio_RSAPublicKey.3 \ + pem.3 PEM_read_bio_RSA_PUBKEY.3 \ + pem.3 PEM_read_bio_X509.3 \ + pem.3 PEM_read_bio_X509_AUX.3 \ + pem.3 PEM_read_bio_X509_CRL.3 \ + pem.3 PEM_read_bio_X509_REQ.3 \ + pem.3 PEM_write_DHparams.3 \ + pem.3 PEM_write_DSAPrivateKey.3 \ + pem.3 PEM_write_DSA_PUBKEY.3 \ + pem.3 PEM_write_DSAparams.3 \ + pem.3 PEM_write_NETSCAPE_CERT_SEQUENCE.3 \ + pem.3 PEM_write_PKCS7.3 \ + pem.3 PEM_write_PKCS8PrivateKey.3 \ + pem.3 PEM_write_PKCS8PrivateKey_nid.3 \ + pem.3 PEM_write_PUBKEY.3 \ + pem.3 PEM_write_PrivateKey.3 \ + pem.3 PEM_write_RSAPrivateKey.3 \ + pem.3 PEM_write_RSAPublicKey.3 \ + pem.3 PEM_write_RSA_PUBKEY.3 \ + pem.3 PEM_write_X509.3 \ + pem.3 PEM_write_X509_AUX.3 \ + pem.3 PEM_write_X509_CRL.3 \ + pem.3 PEM_write_X509_REQ.3 \ + pem.3 PEM_write_X509_REQ_NEW.3 \ + pem.3 PEM_write_bio_DHparams.3 \ + pem.3 PEM_write_bio_DSAPrivateKey.3 \ + pem.3 PEM_write_bio_DSA_PUBKEY.3 \ + pem.3 PEM_write_bio_DSAparams.3 \ + pem.3 PEM_write_bio_NETSCAPE_CERT_SEQUENCE.3 \ + pem.3 PEM_write_bio_PKCS7.3 \ + pem.3 PEM_write_bio_PKCS8PrivateKey.3 \ + pem.3 PEM_write_bio_PKCS8PrivateKey_nid.3 \ + pem.3 PEM_write_bio_PUBKEY.3 \ + pem.3 PEM_write_bio_PrivateKey.3 \ + pem.3 PEM_write_bio_RSAPrivateKey.3 \ + pem.3 PEM_write_bio_RSAPublicKey.3 \ + pem.3 PEM_write_bio_RSA_PUBKEY.3 \ + pem.3 PEM_write_bio_X509.3 \ + pem.3 PEM_write_bio_X509_AUX.3 \ + pem.3 PEM_write_bio_X509_CRL.3 \ + pem.3 PEM_write_bio_X509_REQ.3 \ + pem.3 PEM_write_bio_X509_REQ_NEW.3 \ rc4.3 RC4.3 \ rc4.3 RC4_set_key.3 \ ripemd.3 RIPEMD160.3 \ @@ -927,13 +991,13 @@ do-configure: .if defined(WITH_FIPS) @${REINPLACE_CMD} \ -e 's|^MANDIR=.*$$|MANDIR=$$(MANPREFIX)/man|' \ - -e 's|lib/pkgconfig|libdata/pkgconfig|g' \ + -e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \ -e 's|LIBVERSION=[^ ]* |LIBVERSION=$(OPENSSL_SHLIBVER) |' \ ${WRKSRC}/Makefile .else @${REINPLACE_CMD} \ -e 's|^MANDIR=.*$$|MANDIR=$$(MANPREFIX)/man|' \ - -e 's|lib/pkgconfig|libdata/pkgconfig|g' \ + -e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \ -e 's|LIBVERSION=[^ ]* |LIBVERSION=$(OPENSSL_SHLIBVER) |' \ -e 's| build_fips | |' \ ${WRKSRC}/Makefile diff --git a/security/openssl/distinfo b/security/openssl/distinfo index b128b3d9ae64..43c4b9c5eb86 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo @@ -1,6 +1,6 @@ -MD5 (openssl-0.9.8l.tar.gz) = 05a0ece1372392a2cf310ebb96333025 -SHA256 (openssl-0.9.8l.tar.gz) = ecd054e9eed2e9c1620ba15257e6fc4d882c9a4aea663d23b769e2138de8c91a -SIZE (openssl-0.9.8l.tar.gz) = 4179422 +MD5 (openssl-0.9.8m.tar.gz) = 898bf125370926d5f692a2201124f8ec +SHA256 (openssl-0.9.8m.tar.gz) = 36037160281cf4977d964e403d2bc0680fbca0a7ff9f65e33136d75fae12cb5b +SIZE (openssl-0.9.8m.tar.gz) = 3767604 MD5 (dtls-bugs-2009-05-18.patch) = dc6a79d5dd8e9eacfaa5e2ae05457df4 SHA256 (dtls-bugs-2009-05-18.patch) = e4929a3fbaa20b1c22b0ba218b8c2ab4c5df941c70d975e8672337620eca3422 SIZE (dtls-bugs-2009-05-18.patch) = 33268 diff --git a/security/openssl/files/patch-CVE-2009-4355 b/security/openssl/files/patch-CVE-2009-4355 deleted file mode 100644 index 7b4809010002..000000000000 --- a/security/openssl/files/patch-CVE-2009-4355 +++ /dev/null @@ -1,43 +0,0 @@ -Index: crypto/comp/c_zlib.c -RCS File: crypto/comp/c_zlib.c,v -rcsdiff -q -kk '-r1.15.2.7' '-r1.15.2.8' -u 'crypto/comp/c_zlib.c,v' 2>/dev/null ---- c_zlib.c 2008/12/13 17:00:53 1.15.2.7 -+++ c_zlib.c 2010/01/13 18:45:03 1.15.2.8 -@@ -136,15 +136,6 @@ - - static int zlib_stateful_ex_idx = -1; - --static void zlib_stateful_free_ex_data(void *obj, void *item, -- CRYPTO_EX_DATA *ad, int ind,long argl, void *argp) -- { -- struct zlib_state *state = (struct zlib_state *)item; -- inflateEnd(&state->istream); -- deflateEnd(&state->ostream); -- OPENSSL_free(state); -- } -- - static int zlib_stateful_init(COMP_CTX *ctx) - { - int err; -@@ -188,6 +179,12 @@ - - static void zlib_stateful_finish(COMP_CTX *ctx) - { -+ struct zlib_state *state = -+ (struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data, -+ zlib_stateful_ex_idx); -+ inflateEnd(&state->istream); -+ deflateEnd(&state->ostream); -+ OPENSSL_free(state); - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data); - } - -@@ -402,7 +399,7 @@ - if (zlib_stateful_ex_idx == -1) - zlib_stateful_ex_idx = - CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP, -- 0,NULL,NULL,NULL,zlib_stateful_free_ex_data); -+ 0,NULL,NULL,NULL,NULL); - CRYPTO_w_unlock(CRYPTO_LOCK_COMP); - if (zlib_stateful_ex_idx == -1) - goto err; diff --git a/security/openssl/files/patch-eng_cryptodev.c b/security/openssl/files/patch-eng_cryptodev.c deleted file mode 100644 index b8e146cc58be..000000000000 --- a/security/openssl/files/patch-eng_cryptodev.c +++ /dev/null @@ -1,225 +0,0 @@ ---- crypto/engine/eng_cryptodev.c.orig 2004-06-15 13:45:42.000000000 +0200 -+++ crypto/engine/eng_cryptodev.c 2009-01-09 19:14:28.000000000 +0100 -@@ -32,7 +32,7 @@ - #include <openssl/bn.h> - - #if (defined(__unix__) || defined(unix)) && !defined(USG) && \ -- (defined(OpenBSD) || defined(__FreeBSD_version)) -+ (defined(OpenBSD) || defined(__FreeBSD__)) - #include <sys/param.h> - # if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041) - # define HAVE_CRYPTODEV -@@ -70,14 +70,19 @@ - int d_fd; - }; - -+struct dev_crypto_cipher { -+ int c_id; -+ int c_nid; -+ int c_ivmax; -+ int c_keylen; -+}; -+ - static u_int32_t cryptodev_asymfeat = 0; - - static int get_asym_dev_crypto(void); - static int open_dev_crypto(void); - static int get_dev_crypto(void); --static int cryptodev_max_iv(int cipher); --static int cryptodev_key_length_valid(int cipher, int len); --static int cipher_nid_to_cryptodev(int nid); -+static struct dev_crypto_cipher *cipher_nid_to_cryptodev(int nid); - static int get_cryptodev_ciphers(const int **cnids); - static int get_cryptodev_digests(const int **cnids); - static int cryptodev_usable_ciphers(const int **nids); -@@ -124,15 +129,12 @@ - { 0, NULL, NULL, 0 } - }; - --static struct { -- int id; -- int nid; -- int ivmax; -- int keylen; --} ciphers[] = { -+static struct dev_crypto_cipher ciphers[] = { - { CRYPTO_DES_CBC, NID_des_cbc, 8, 8, }, - { CRYPTO_3DES_CBC, NID_des_ede3_cbc, 8, 24, }, - { CRYPTO_AES_CBC, NID_aes_128_cbc, 16, 16, }, -+ { CRYPTO_AES_CBC, NID_aes_192_cbc, 16, 24, }, -+ { CRYPTO_AES_CBC, NID_aes_256_cbc, 16, 32, }, - { CRYPTO_BLF_CBC, NID_bf_cbc, 8, 16, }, - { CRYPTO_CAST_CBC, NID_cast5_cbc, 8, 16, }, - { CRYPTO_SKIPJACK_CBC, NID_undef, 0, 0, }, -@@ -182,6 +184,10 @@ - return (-1); - if (ioctl(fd, CRIOGET, &retfd) == -1) - return (-1); -+ if (retfd == -1) -+ retfd = fd; -+/* else fix for PR=138881 */ -+/* close(fd); fix for PR=138881 */ - - /* close on exec */ - if (fcntl(retfd, F_SETFD, 1) == -1) { -@@ -202,48 +208,16 @@ - return fd; - } - --/* -- * XXXX this needs to be set for each alg - and determined from -- * a running card. -- */ --static int --cryptodev_max_iv(int cipher) --{ -- int i; -- -- for (i = 0; ciphers[i].id; i++) -- if (ciphers[i].id == cipher) -- return (ciphers[i].ivmax); -- return (0); --} -- --/* -- * XXXX this needs to be set for each alg - and determined from -- * a running card. For now, fake it out - but most of these -- * for real devices should return 1 for the supported key -- * sizes the device can handle. -- */ --static int --cryptodev_key_length_valid(int cipher, int len) --{ -- int i; -- -- for (i = 0; ciphers[i].id; i++) -- if (ciphers[i].id == cipher) -- return (ciphers[i].keylen == len); -- return (0); --} -- - /* convert libcrypto nids to cryptodev */ --static int -+static struct dev_crypto_cipher * - cipher_nid_to_cryptodev(int nid) - { - int i; - -- for (i = 0; ciphers[i].id; i++) -- if (ciphers[i].nid == nid) -- return (ciphers[i].id); -- return (0); -+ for (i = 0; ciphers[i].c_id; i++) -+ if (ciphers[i].c_nid == nid) -+ return (&ciphers[i]); -+ return (NULL); - } - - /* -@@ -266,15 +240,15 @@ - memset(&sess, 0, sizeof(sess)); - sess.key = (caddr_t)"123456781234567812345678"; - -- for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { -- if (ciphers[i].nid == NID_undef) -+ for (i = 0; ciphers[i].c_id && count < CRYPTO_ALGORITHM_MAX; i++) { -+ if (ciphers[i].c_nid == NID_undef) - continue; -- sess.cipher = ciphers[i].id; -- sess.keylen = ciphers[i].keylen; -+ sess.cipher = ciphers[i].c_id; -+ sess.keylen = ciphers[i].c_keylen; - sess.mac = 0; - if (ioctl(fd, CIOCGSESSION, &sess) != -1 && - ioctl(fd, CIOCFSESSION, &sess.ses) != -1) -- nids[count++] = ciphers[i].nid; -+ nids[count++] = ciphers[i].c_nid; - } - close(fd); - -@@ -427,15 +401,15 @@ - { - struct dev_crypto_state *state = ctx->cipher_data; - struct session_op *sess = &state->d_sess; -- int cipher; -+ struct dev_crypto_cipher *cipher; - -- if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef) -+ if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NULL) - return (0); - -- if (ctx->cipher->iv_len > cryptodev_max_iv(cipher)) -+ if (ctx->cipher->iv_len > cipher->c_ivmax) - return (0); - -- if (!cryptodev_key_length_valid(cipher, ctx->key_len)) -+ if (ctx->key_len != cipher->c_keylen) - return (0); - - memset(sess, 0, sizeof(struct session_op)); -@@ -445,7 +419,7 @@ - - sess->key = (unsigned char *)key; - sess->keylen = ctx->key_len; -- sess->cipher = cipher; -+ sess->cipher = cipher->c_id; - - if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) { - close(state->d_fd); -@@ -550,7 +524,7 @@ - NULL - }; - --const EVP_CIPHER cryptodev_aes_cbc = { -+const EVP_CIPHER cryptodev_aes_128_cbc = { - NID_aes_128_cbc, - 16, 16, 16, - EVP_CIPH_CBC_MODE, -@@ -563,6 +537,32 @@ - NULL - }; - -+const EVP_CIPHER cryptodev_aes_192_cbc = { -+ NID_aes_192_cbc, -+ 16, 24, 16, -+ EVP_CIPH_CBC_MODE, -+ cryptodev_init_key, -+ cryptodev_cipher, -+ cryptodev_cleanup, -+ sizeof(struct dev_crypto_state), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+}; -+ -+const EVP_CIPHER cryptodev_aes_256_cbc = { -+ NID_aes_256_cbc, -+ 16, 32, 16, -+ EVP_CIPH_CBC_MODE, -+ cryptodev_init_key, -+ cryptodev_cipher, -+ cryptodev_cleanup, -+ sizeof(struct dev_crypto_state), -+ EVP_CIPHER_set_asn1_iv, -+ EVP_CIPHER_get_asn1_iv, -+ NULL -+}; -+ - /* - * Registered by the ENGINE when used to find out how to deal with - * a particular NID in the ENGINE. this says what we'll do at the -@@ -589,7 +589,13 @@ - *cipher = &cryptodev_cast_cbc; - break; - case NID_aes_128_cbc: -- *cipher = &cryptodev_aes_cbc; -+ *cipher = &cryptodev_aes_128_cbc; -+ break; -+ case NID_aes_192_cbc: -+ *cipher = &cryptodev_aes_192_cbc; -+ break; -+ case NID_aes_256_cbc: -+ *cipher = &cryptodev_aes_256_cbc; - break; - default: - *cipher = NULL; diff --git a/security/openssl/files/patch-kssl.c b/security/openssl/files/patch-kssl.c deleted file mode 100644 index e8ce3b22cff3..000000000000 --- a/security/openssl/files/patch-kssl.c +++ /dev/null @@ -1,14 +0,0 @@ ---- ssl/kssl.c.orig 2009-02-14 22:50:13.000000000 +0100 -+++ ssl/kssl.c 2009-05-20 17:11:00.000000000 +0200 -@@ -68,11 +68,6 @@ - - #include <openssl/opensslconf.h> - --#define _XOPEN_SOURCE 500 /* glibc2 needs this to declare strptime() */ --#include <time.h> --#if 0 /* experimental */ --#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */ --#endif - #include <string.h> - - #define KRB5_PRIVATE 1 |