- update to 0.9.8m

- support RFC5746
Security: CVE-2008-1678
Security: CVE-2009-1377
Security: CVE-2009-1378
Security: CVE-2009-1379
Approved by:	portmgr (pav)
Feature safe:	yes

5 files changed, 76 insertions, 294 deletions

diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 3aa7ff11455c..dd07163c3d12 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -6,18 +6,13 @@
 #
 
 PORTNAME=	openssl
-PORTVERSION=	0.9.8l
-PORTREVISION=	4
+PORTVERSION=	0.9.8m
+PORTREVISION=	0
 CATEGORIES=	security devel
 MASTER_SITES=	http://www.openssl.org/%SUBDIR%/ \
 		ftp://ftp.openssl.org/%SUBDIR%/ \
 		ftp://ftp.cert.dfn.de/pub/tools/net/openssl/%SUBDIR%/
 MASTER_SITE_SUBDIR=	source
-#PATCH_SITES=	http://sctp.fh-muenster.de/dtls/
-PATCH_SITES=	${MASTER_SITE_LOCAL} \
-		http://people.freebsd.org/~dinoex/distfiles/
-PATCH_SITE_SUBDIR=	dinoex
-PATCHFILES=	dtls-bugs-2009-05-18.patch
 DISTNAME=	${PORTNAME}-${PORTVERSION}
 
 MAINTAINER=	dinoex@FreeBSD.org
@@ -566,8 +561,11 @@ MLINKS=	dgst.1 md4.1 \
 	SSL_CTX_set_msg_callback.3 SSL_CTX_set_msg_callback_arg.3 \
 	SSL_CTX_set_msg_callback.3 SSL_get_msg_callback_arg.3 \
 	SSL_CTX_set_msg_callback.3 SSL_set_msg_callback.3 \
+	SSL_CTX_set_options.3 SSL_CTX_clear_options.3 \
 	SSL_CTX_set_options.3 SSL_CTX_get_options.3 \
+	SSL_CTX_set_options.3 SSL_clear_options.3 \
 	SSL_CTX_set_options.3 SSL_get_options.3 \
+	SSL_CTX_set_options.3 SSL_get_secure_renegotiation_support.3 \
 	SSL_CTX_set_options.3 SSL_set_options.3 \
 	SSL_CTX_set_quiet_shutdown.3 SSL_CTX_get_quiet_shutdown.3 \
 	SSL_CTX_set_quiet_shutdown.3 SSL_get_quiet_shutdown.3 \
@@ -802,6 +800,72 @@ MLINKS=	dgst.1 md4.1 \
 	mdc2.3 MDC2_Init.3 \
 	mdc2.3 MDC2_Update.3 \
 	pem.3 PEM.3 \
+	pem.3 PEM_read_DHparams.3  \
+	pem.3 PEM_read_DSAPrivateKey.3 \
+	pem.3 PEM_read_DSA_PUBKEY.3 \
+	pem.3 PEM_read_DSAparams.3 \
+	pem.3 PEM_read_NETSCAPE_CERT_SEQUENCE.3 \
+	pem.3 PEM_read_PKCS7.3 \
+	pem.3 PEM_read_PUBKEY.3 \
+	pem.3 PEM_read_PrivateKey.3 \
+	pem.3 PEM_read_RSAPrivateKey.3 \
+	pem.3 PEM_read_RSAPublicKey.3 \
+	pem.3 PEM_read_RSA_PUBKEY.3 \
+	pem.3 PEM_read_X509.3 \
+	pem.3 PEM_read_X509_AUX.3 \
+	pem.3 PEM_read_X509_CRL.3 \
+	pem.3 PEM_read_X509_REQ.3 \
+	pem.3 PEM_read_bio_DHparams.3 \
+	pem.3 PEM_read_bio_DSAPrivateKey.3 \
+	pem.3 PEM_read_bio_DSA_PUBKEY.3 \
+	pem.3 PEM_read_bio_DSAparams.3 \
+	pem.3 PEM_read_bio_NETSCAPE_CERT_SEQUENCE.3 \
+	pem.3 PEM_read_bio_PKCS7.3 \
+	pem.3 PEM_read_bio_PUBKEY.3 \
+	pem.3 PEM_read_bio_PrivateKey.3 \
+	pem.3 PEM_read_bio_RSAPrivateKey.3 \
+	pem.3 PEM_read_bio_RSAPublicKey.3 \
+	pem.3 PEM_read_bio_RSA_PUBKEY.3 \
+	pem.3 PEM_read_bio_X509.3 \
+	pem.3 PEM_read_bio_X509_AUX.3 \
+	pem.3 PEM_read_bio_X509_CRL.3 \
+	pem.3 PEM_read_bio_X509_REQ.3 \
+	pem.3 PEM_write_DHparams.3 \
+	pem.3 PEM_write_DSAPrivateKey.3 \
+	pem.3 PEM_write_DSA_PUBKEY.3 \
+	pem.3 PEM_write_DSAparams.3 \
+	pem.3 PEM_write_NETSCAPE_CERT_SEQUENCE.3 \
+	pem.3 PEM_write_PKCS7.3 \
+	pem.3 PEM_write_PKCS8PrivateKey.3 \
+	pem.3 PEM_write_PKCS8PrivateKey_nid.3 \
+	pem.3 PEM_write_PUBKEY.3 \
+	pem.3 PEM_write_PrivateKey.3 \
+	pem.3 PEM_write_RSAPrivateKey.3 \
+	pem.3 PEM_write_RSAPublicKey.3 \
+	pem.3 PEM_write_RSA_PUBKEY.3 \
+	pem.3 PEM_write_X509.3 \
+	pem.3 PEM_write_X509_AUX.3 \
+	pem.3 PEM_write_X509_CRL.3 \
+	pem.3 PEM_write_X509_REQ.3 \
+	pem.3 PEM_write_X509_REQ_NEW.3 \
+	pem.3 PEM_write_bio_DHparams.3 \
+	pem.3 PEM_write_bio_DSAPrivateKey.3 \
+	pem.3 PEM_write_bio_DSA_PUBKEY.3 \
+	pem.3 PEM_write_bio_DSAparams.3 \
+	pem.3 PEM_write_bio_NETSCAPE_CERT_SEQUENCE.3 \
+	pem.3 PEM_write_bio_PKCS7.3 \
+	pem.3 PEM_write_bio_PKCS8PrivateKey.3 \
+	pem.3 PEM_write_bio_PKCS8PrivateKey_nid.3 \
+	pem.3 PEM_write_bio_PUBKEY.3 \
+	pem.3 PEM_write_bio_PrivateKey.3 \
+	pem.3 PEM_write_bio_RSAPrivateKey.3 \
+	pem.3 PEM_write_bio_RSAPublicKey.3 \
+	pem.3 PEM_write_bio_RSA_PUBKEY.3 \
+	pem.3 PEM_write_bio_X509.3 \
+	pem.3 PEM_write_bio_X509_AUX.3 \
+	pem.3 PEM_write_bio_X509_CRL.3 \
+	pem.3 PEM_write_bio_X509_REQ.3 \
+	pem.3 PEM_write_bio_X509_REQ_NEW.3 \
 	rc4.3 RC4.3 \
 	rc4.3 RC4_set_key.3 \
 	ripemd.3 RIPEMD160.3 \
@@ -927,13 +991,13 @@ do-configure:
 .if defined(WITH_FIPS)
 	@${REINPLACE_CMD} \
 		-e 's|^MANDIR=.*$$|MANDIR=$$(MANPREFIX)/man|' \
-		-e 's|lib/pkgconfig|libdata/pkgconfig|g' \
+		-e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \
 		-e 's|LIBVERSION=[^ ]* |LIBVERSION=$(OPENSSL_SHLIBVER) |' \
 		${WRKSRC}/Makefile
 .else
 	@${REINPLACE_CMD} \
 		-e 's|^MANDIR=.*$$|MANDIR=$$(MANPREFIX)/man|' \
-		-e 's|lib/pkgconfig|libdata/pkgconfig|g' \
+		-e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \
 		-e 's|LIBVERSION=[^ ]* |LIBVERSION=$(OPENSSL_SHLIBVER) |' \
 		-e 's| build_fips | |' \
 		${WRKSRC}/Makefile
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index b128b3d9ae64..43c4b9c5eb86 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,6 +1,6 @@
-MD5 (openssl-0.9.8l.tar.gz) = 05a0ece1372392a2cf310ebb96333025
-SHA256 (openssl-0.9.8l.tar.gz) = ecd054e9eed2e9c1620ba15257e6fc4d882c9a4aea663d23b769e2138de8c91a
-SIZE (openssl-0.9.8l.tar.gz) = 4179422
+MD5 (openssl-0.9.8m.tar.gz) = 898bf125370926d5f692a2201124f8ec
+SHA256 (openssl-0.9.8m.tar.gz) = 36037160281cf4977d964e403d2bc0680fbca0a7ff9f65e33136d75fae12cb5b
+SIZE (openssl-0.9.8m.tar.gz) = 3767604
 MD5 (dtls-bugs-2009-05-18.patch) = dc6a79d5dd8e9eacfaa5e2ae05457df4
 SHA256 (dtls-bugs-2009-05-18.patch) = e4929a3fbaa20b1c22b0ba218b8c2ab4c5df941c70d975e8672337620eca3422
 SIZE (dtls-bugs-2009-05-18.patch) = 33268
diff --git a/security/openssl/files/patch-CVE-2009-4355 b/security/openssl/files/patch-CVE-2009-4355
deleted file mode 100644
index 7b4809010002..000000000000
--- a/security/openssl/files/patch-CVE-2009-4355
+++ /dev/null
@@ -1,43 +0,0 @@
-Index: crypto/comp/c_zlib.c
-RCS File: crypto/comp/c_zlib.c,v
-rcsdiff -q -kk '-r1.15.2.7' '-r1.15.2.8' -u 'crypto/comp/c_zlib.c,v' 2>/dev/null
---- c_zlib.c	2008/12/13 17:00:53	1.15.2.7
-+++ c_zlib.c	2010/01/13 18:45:03	1.15.2.8
-@@ -136,15 +136,6 @@
- 
- static int zlib_stateful_ex_idx = -1;
- 
--static void zlib_stateful_free_ex_data(void *obj, void *item,
--	CRYPTO_EX_DATA *ad, int ind,long argl, void *argp)
--	{
--	struct zlib_state *state = (struct zlib_state *)item;
--	inflateEnd(&state->istream);
--	deflateEnd(&state->ostream);
--	OPENSSL_free(state);
--	}
--
- static int zlib_stateful_init(COMP_CTX *ctx)
- 	{
- 	int err;
-@@ -188,6 +179,12 @@
- 
- static void zlib_stateful_finish(COMP_CTX *ctx)
- 	{
-+	struct zlib_state *state =
-+		(struct zlib_state *)CRYPTO_get_ex_data(&ctx->ex_data,
-+			zlib_stateful_ex_idx);
-+	inflateEnd(&state->istream);
-+	deflateEnd(&state->ostream);
-+	OPENSSL_free(state);
- 	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_COMP,ctx,&ctx->ex_data);
- 	}
- 
-@@ -402,7 +399,7 @@
- 			if (zlib_stateful_ex_idx == -1)
- 				zlib_stateful_ex_idx =
- 					CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_COMP,
--						0,NULL,NULL,NULL,zlib_stateful_free_ex_data);
-+						0,NULL,NULL,NULL,NULL);
- 			CRYPTO_w_unlock(CRYPTO_LOCK_COMP);
- 			if (zlib_stateful_ex_idx == -1)
- 				goto err;
diff --git a/security/openssl/files/patch-eng_cryptodev.c b/security/openssl/files/patch-eng_cryptodev.c
deleted file mode 100644
index b8e146cc58be..000000000000
--- a/security/openssl/files/patch-eng_cryptodev.c
+++ /dev/null
@@ -1,225 +0,0 @@
---- crypto/engine/eng_cryptodev.c.orig	2004-06-15 13:45:42.000000000 +0200
-+++ crypto/engine/eng_cryptodev.c	2009-01-09 19:14:28.000000000 +0100
-@@ -32,7 +32,7 @@
- #include <openssl/bn.h>
- 
- #if (defined(__unix__) || defined(unix)) && !defined(USG) && \
--	(defined(OpenBSD) || defined(__FreeBSD_version))
-+	(defined(OpenBSD) || defined(__FreeBSD__))
- #include <sys/param.h>
- # if (OpenBSD >= 200112) || ((__FreeBSD_version >= 470101 && __FreeBSD_version < 500000) || __FreeBSD_version >= 500041)
- #  define HAVE_CRYPTODEV
-@@ -70,14 +70,19 @@
- 	int d_fd;
- };
- 
-+struct dev_crypto_cipher {
-+	int	c_id;
-+	int	c_nid;
-+	int	c_ivmax;
-+	int	c_keylen;
-+};
-+
- static u_int32_t cryptodev_asymfeat = 0;
- 
- static int get_asym_dev_crypto(void);
- static int open_dev_crypto(void);
- static int get_dev_crypto(void);
--static int cryptodev_max_iv(int cipher);
--static int cryptodev_key_length_valid(int cipher, int len);
--static int cipher_nid_to_cryptodev(int nid);
-+static struct dev_crypto_cipher *cipher_nid_to_cryptodev(int nid);
- static int get_cryptodev_ciphers(const int **cnids);
- static int get_cryptodev_digests(const int **cnids);
- static int cryptodev_usable_ciphers(const int **nids);
-@@ -124,15 +129,12 @@
- 	{ 0, NULL, NULL, 0 }
- };
- 
--static struct {
--	int	id;
--	int	nid;
--	int	ivmax;
--	int	keylen;
--} ciphers[] = {
-+static struct dev_crypto_cipher ciphers[] = {
- 	{ CRYPTO_DES_CBC,		NID_des_cbc,		8,	 8, },
- 	{ CRYPTO_3DES_CBC,		NID_des_ede3_cbc,	8,	24, },
- 	{ CRYPTO_AES_CBC,		NID_aes_128_cbc,	16,	16, },
-+	{ CRYPTO_AES_CBC,		NID_aes_192_cbc,	16,	24, },
-+	{ CRYPTO_AES_CBC,		NID_aes_256_cbc,	16,	32, },
- 	{ CRYPTO_BLF_CBC,		NID_bf_cbc,		8,	16, },
- 	{ CRYPTO_CAST_CBC,		NID_cast5_cbc,		8,	16, },
- 	{ CRYPTO_SKIPJACK_CBC,		NID_undef,		0,	 0, },
-@@ -182,6 +184,10 @@
- 		return (-1);
- 	if (ioctl(fd, CRIOGET, &retfd) == -1)
- 		return (-1);
-+	if (retfd == -1)
-+		retfd = fd;
-+/*	else			fix for PR=138881 */
-+/*		close(fd);	fix for PR=138881 */
- 
- 	/* close on exec */
- 	if (fcntl(retfd, F_SETFD, 1) == -1) {
-@@ -202,48 +208,16 @@
- 	return fd;
- }
- 
--/*
-- * XXXX this needs to be set for each alg - and determined from
-- * a running card.
-- */
--static int
--cryptodev_max_iv(int cipher)
--{
--	int i;
--
--	for (i = 0; ciphers[i].id; i++)
--		if (ciphers[i].id == cipher)
--			return (ciphers[i].ivmax);
--	return (0);
--}
--
--/*
-- * XXXX this needs to be set for each alg - and determined from
-- * a running card. For now, fake it out - but most of these
-- * for real devices should return 1 for the supported key
-- * sizes the device can handle.
-- */
--static int
--cryptodev_key_length_valid(int cipher, int len)
--{
--	int i;
--
--	for (i = 0; ciphers[i].id; i++)
--		if (ciphers[i].id == cipher)
--			return (ciphers[i].keylen == len);
--	return (0);
--}
--
- /* convert libcrypto nids to cryptodev */
--static int
-+static struct dev_crypto_cipher *
- cipher_nid_to_cryptodev(int nid)
- {
- 	int i;
- 
--	for (i = 0; ciphers[i].id; i++)
--		if (ciphers[i].nid == nid)
--			return (ciphers[i].id);
--	return (0);
-+	for (i = 0; ciphers[i].c_id; i++)
-+		if (ciphers[i].c_nid == nid)
-+			return (&ciphers[i]);
-+	return (NULL);
- }
- 
- /*
-@@ -266,15 +240,15 @@
- 	memset(&sess, 0, sizeof(sess));
- 	sess.key = (caddr_t)"123456781234567812345678";
- 
--	for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) {
--		if (ciphers[i].nid == NID_undef)
-+	for (i = 0; ciphers[i].c_id && count < CRYPTO_ALGORITHM_MAX; i++) {
-+		if (ciphers[i].c_nid == NID_undef)
- 			continue;
--		sess.cipher = ciphers[i].id;
--		sess.keylen = ciphers[i].keylen;
-+		sess.cipher = ciphers[i].c_id;
-+		sess.keylen = ciphers[i].c_keylen;
- 		sess.mac = 0;
- 		if (ioctl(fd, CIOCGSESSION, &sess) != -1 &&
- 		    ioctl(fd, CIOCFSESSION, &sess.ses) != -1)
--			nids[count++] = ciphers[i].nid;
-+			nids[count++] = ciphers[i].c_nid;
- 	}
- 	close(fd);
- 
-@@ -427,15 +401,15 @@
- {
- 	struct dev_crypto_state *state = ctx->cipher_data;
- 	struct session_op *sess = &state->d_sess;
--	int cipher;
-+	struct dev_crypto_cipher *cipher;
- 
--	if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NID_undef)
-+	if ((cipher = cipher_nid_to_cryptodev(ctx->cipher->nid)) == NULL)
- 		return (0);
- 
--	if (ctx->cipher->iv_len > cryptodev_max_iv(cipher))
-+	if (ctx->cipher->iv_len > cipher->c_ivmax)
- 		return (0);
- 
--	if (!cryptodev_key_length_valid(cipher, ctx->key_len))
-+	if (ctx->key_len != cipher->c_keylen)
- 		return (0);
- 
- 	memset(sess, 0, sizeof(struct session_op));
-@@ -445,7 +419,7 @@
- 
- 	sess->key = (unsigned char *)key;
- 	sess->keylen = ctx->key_len;
--	sess->cipher = cipher;
-+	sess->cipher = cipher->c_id;
- 
- 	if (ioctl(state->d_fd, CIOCGSESSION, sess) == -1) {
- 		close(state->d_fd);
-@@ -550,7 +524,7 @@
- 	NULL
- };
- 
--const EVP_CIPHER cryptodev_aes_cbc = {
-+const EVP_CIPHER cryptodev_aes_128_cbc = {
- 	NID_aes_128_cbc,
- 	16, 16, 16,
- 	EVP_CIPH_CBC_MODE,
-@@ -563,6 +537,32 @@
- 	NULL
- };
- 
-+const EVP_CIPHER cryptodev_aes_192_cbc = {
-+	NID_aes_192_cbc,
-+	16, 24, 16,
-+	EVP_CIPH_CBC_MODE,
-+	cryptodev_init_key,
-+	cryptodev_cipher,
-+	cryptodev_cleanup,
-+	sizeof(struct dev_crypto_state),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+};
-+
-+const EVP_CIPHER cryptodev_aes_256_cbc = {
-+	NID_aes_256_cbc,
-+	16, 32, 16,
-+	EVP_CIPH_CBC_MODE,
-+	cryptodev_init_key,
-+	cryptodev_cipher,
-+	cryptodev_cleanup,
-+	sizeof(struct dev_crypto_state),
-+	EVP_CIPHER_set_asn1_iv,
-+	EVP_CIPHER_get_asn1_iv,
-+	NULL
-+};
-+
- /*
-  * Registered by the ENGINE when used to find out how to deal with
-  * a particular NID in the ENGINE. this says what we'll do at the
-@@ -589,7 +589,13 @@
- 		*cipher = &cryptodev_cast_cbc;
- 		break;
- 	case NID_aes_128_cbc:
--		*cipher = &cryptodev_aes_cbc;
-+		*cipher = &cryptodev_aes_128_cbc;
-+		break;
-+	case NID_aes_192_cbc:
-+		*cipher = &cryptodev_aes_192_cbc;
-+		break;
-+	case NID_aes_256_cbc:
-+		*cipher = &cryptodev_aes_256_cbc;
- 		break;
- 	default:
- 		*cipher = NULL;
diff --git a/security/openssl/files/patch-kssl.c b/security/openssl/files/patch-kssl.c
deleted file mode 100644
index e8ce3b22cff3..000000000000
--- a/security/openssl/files/patch-kssl.c
+++ /dev/null
@@ -1,14 +0,0 @@
---- ssl/kssl.c.orig	2009-02-14 22:50:13.000000000 +0100
-+++ ssl/kssl.c	2009-05-20 17:11:00.000000000 +0200
-@@ -68,11 +68,6 @@
- 
- #include <openssl/opensslconf.h>
- 
--#define _XOPEN_SOURCE 500 /* glibc2 needs this to declare strptime() */
--#include <time.h>
--#if 0 /* experimental */
--#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */
--#endif
- #include <string.h>
- 
- #define KRB5_PRIVATE	1