diff options
-rw-r--r-- | security/openssl-beta/Makefile | 3 | ||||
-rw-r--r-- | security/openssl-beta/files/patch-ab | 2 | ||||
-rw-r--r-- | security/openssl-beta/pkg-plist | 30 | ||||
-rw-r--r-- | security/openssl/Makefile | 11 | ||||
-rw-r--r-- | security/openssl/files/patch-ab | 2 | ||||
-rw-r--r-- | security/openssl/files/patch-rnd_keys | 33 | ||||
-rw-r--r-- | security/openssl/files/rnd_keys.c | 444 | ||||
-rw-r--r-- | security/openssl/pkg-plist | 30 |
8 files changed, 521 insertions, 34 deletions
diff --git a/security/openssl-beta/Makefile b/security/openssl-beta/Makefile index 8a10ffd6fa71..d99c09ecec89 100644 --- a/security/openssl-beta/Makefile +++ b/security/openssl-beta/Makefile @@ -43,13 +43,14 @@ SHLIBVER= 2 OPENSSLDIR= /etc/ssl MANPREFIX= ${PREFIX}/openssl PLIST_SUB+= MANDIR="" +PLIST_SUB+= NOBASE="@comment " .else OPENSSLDIR= ${PREFIX}/openssl MANPREFIX= ${PREFIX} PLIST_SUB+= MANDIR="@comment " +PLIST_SUB+= NOBASE="" .endif -MANPREFIX= ${PREFIX} MAKE_ENV+= MANPREFIX=${MANPREFIX} NO_LATEST_LINK= yes diff --git a/security/openssl-beta/files/patch-ab b/security/openssl-beta/files/patch-ab index 826485fc8a82..c5bd5f73382a 100644 --- a/security/openssl-beta/files/patch-ab +++ b/security/openssl-beta/files/patch-ab @@ -5,7 +5,7 @@ MAKE= make -f Makefile.ssl -MANDIR=$(OPENSSLDIR)/man -+MANDIR?=$(MANPREFIX)/man ++MANDIR=$(MANPREFIX)/man MAN1=1 MAN3=3 SHELL=/bin/sh diff --git a/security/openssl-beta/pkg-plist b/security/openssl-beta/pkg-plist index 68dc29bc826a..4b0155c500ce 100644 --- a/security/openssl-beta/pkg-plist +++ b/security/openssl-beta/pkg-plist @@ -71,24 +71,24 @@ lib/libcrypto.a lib/libssl.a %%SHARED%%lib/libssl.so %%SHARED%%lib/libssl.so.%%SHLIBVER%% -openssl/misc/CA.pl -openssl/misc/CA.sh -openssl/misc/c_hash -openssl/misc/c_info -openssl/misc/c_issuer -openssl/misc/c_name -openssl/misc/der_chop -openssl/openssl.cnf.sample +%%NOBASE%%openssl/misc/CA.pl +%%NOBASE%%openssl/misc/CA.sh +%%NOBASE%%openssl/misc/c_hash +%%NOBASE%%openssl/misc/c_info +%%NOBASE%%openssl/misc/c_issuer +%%NOBASE%%openssl/misc/c_name +%%NOBASE%%openssl/misc/der_chop +%%NOBASE%%openssl/openssl.cnf.sample %%PORTDOCS%%share/doc/openssl/openssl.txt @dirrm include/openssl -@dirrm openssl/certs -@dirrm openssl/lib +%%NOBASE%%@dirrm openssl/certs +%%NOBASE%%@dirrm openssl/lib %%MANDIR%%@dirrm openssl/man/man1 %%MANDIR%%@dirrm openssl/man/man3 %%MANDIR%%@dirrm openssl/man/man5 -%%MANDIR%%@dirrm openssl/man/man7 -%%MANDIR%%@dirrm openssl/man -@dirrm openssl/misc -@dirrm openssl/private -@dirrm openssl +%%MANDIR%%@dirrm openssl/man/man7 +%%MANDIR%%@dirrm openssl/man +%%NOBASE%%@dirrm openssl/misc +%%NOBASE%%@dirrm openssl/private +%%NOBASE%%@dirrm openssl %%PORTDOCS%%@dirrm share/doc/openssl diff --git a/security/openssl/Makefile b/security/openssl/Makefile index 2738786de6c7..21e465f60bff 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -7,6 +7,7 @@ PORTNAME= openssl PORTVERSION= 0.9.6g +PORTREVISION= 1 CATEGORIES= security devel MASTER_SITES= http://www.openssl.org/source/ \ ftp://ftp.openssl.org/source/ \ @@ -46,13 +47,14 @@ SHLIBVER= 2 OPENSSLDIR= /etc/ssl MANPREFIX= ${PREFIX}/openssl PLIST_SUB+= MANDIR="" +PLIST_SUB+= NOBASE="@comment " .else OPENSSLDIR= ${PREFIX}/openssl MANPREFIX= ${PREFIX} PLIST_SUB+= MANDIR="@comment " +PLIST_SUB+= NOBASE="" .endif -MANPREFIX= ${PREFIX} MAKE_ENV+= MANPREFIX=${MANPREFIX} MAN1= CA.pl.1 asn1parse.1 ca.1 ciphers.1 crl.1 crl2pkcs7.1 dgst.1 \ @@ -135,6 +137,13 @@ EXTRACONFIGURE= 386 .endif do-configure: +.if exists(/usr/src/crypto/openssl/crypto/des/rnd_keys.c) + ${CP} /usr/src/crypto/openssl/crypto/des/rnd_keys.c \ + ${WRKSRC}/crypto/des/rnd_keys.c +.else + ${CP} ${FILESDIR}/rnd_keys.c \ + ${WRKSRC}/crypto/des/rnd_keys.c +.endif @cd ${WRKSRC} \ && ${SETENV} CC="${CC}" CFLAGS="${CFLAGS}" PERL="${PERL}" \ ./config --prefix=${PREFIX} --openssldir=${OPENSSLDIR} \ diff --git a/security/openssl/files/patch-ab b/security/openssl/files/patch-ab index 826485fc8a82..c5bd5f73382a 100644 --- a/security/openssl/files/patch-ab +++ b/security/openssl/files/patch-ab @@ -5,7 +5,7 @@ MAKE= make -f Makefile.ssl -MANDIR=$(OPENSSLDIR)/man -+MANDIR?=$(MANPREFIX)/man ++MANDIR=$(MANPREFIX)/man MAN1=1 MAN3=3 SHELL=/bin/sh diff --git a/security/openssl/files/patch-rnd_keys b/security/openssl/files/patch-rnd_keys new file mode 100644 index 000000000000..20d38b47ce7b --- /dev/null +++ b/security/openssl/files/patch-rnd_keys @@ -0,0 +1,33 @@ +--- crypto/des/Makefile.ssl.bak Thu Oct 17 10:21:30 2002 ++++ crypto/des/Makefile.ssl Thu Oct 17 10:31:20 2002 +@@ -32,14 +32,14 @@ + fcrypt.c ofb64enc.c ofb_enc.c pcbc_enc.c \ + qud_cksm.c rand_key.c read_pwd.c rpc_enc.c set_key.c \ + des_enc.c fcrypt_b.c read2pwd.c \ +- xcbc_enc.c \ ++ xcbc_enc.c rnd_keys.c \ + str2key.c cfb64ede.c ofb64ede.c ede_cbcm_enc.c + + LIBOBJ= set_key.o ecb_enc.o cbc_enc.o \ + ecb3_enc.o cfb64enc.o cfb64ede.o cfb_enc.o ofb64ede.o \ + enc_read.o enc_writ.o ofb64enc.o \ + ofb_enc.o str2key.o pcbc_enc.o qud_cksm.o rand_key.o \ +- ${DES_ENC} read2pwd.o \ ++ ${DES_ENC} read2pwd.o rnd_keys.o \ + fcrypt.o xcbc_enc.o read_pwd.o rpc_enc.o cbc_cksm.o \ + ede_cbcm_enc.o + +--- crypto/des/des.h.bak Thu Oct 17 10:25:47 2002 ++++ crypto/des/des.h Thu Oct 17 10:30:00 2002 +@@ -200,6 +200,11 @@ + DES_LONG des_quad_cksum(const unsigned char *input,des_cblock output[], + long length,int out_count,des_cblock *seed); + void des_random_seed(des_cblock *key); ++ ++int des_new_random_key(des_cblock *key); ++void des_init_random_number_generator(des_cblock *seed); ++void des_rand_data(unsigned char *data, int size); ++ + int des_random_key(des_cblock *ret); + int des_read_password(des_cblock *key,const char *prompt,int verify); + int des_read_2passwords(des_cblock *key1,des_cblock *key2, diff --git a/security/openssl/files/rnd_keys.c b/security/openssl/files/rnd_keys.c new file mode 100644 index 000000000000..454ceb43ae7d --- /dev/null +++ b/security/openssl/files/rnd_keys.c @@ -0,0 +1,444 @@ +/* + * Copyright (c) 1995, 1996, 1997, 1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $Id$ + * $FreeBSD: /tmp/pcvs/ports/security/openssl/files/Attic/rnd_keys.c,v 1.1 2002-10-25 20:41:47 dinoex Exp $ + */ + +#include <openssl/des.h> +#include <sys/types.h> +#include <sys/wait.h> +#include <sys/time.h> +#include <sys/resource.h> +#include <fcntl.h> +#include <signal.h> +#include <string.h> +#include <time.h> +#include <unistd.h> + +#ifndef RETSIGTYPE +#define RETSIGTYPE void +#define SIGRETURN(x) return +#else +#define SIGRETURN(x) return (RETSIGTYPE)(x) +#endif + +/* + * Generate "random" data by checksumming a file. + * + * Returns -1 if there were any problems with permissions or I/O + * errors. + */ +static +int +sumFile (const char *name, int len, void *res) +{ + u_int32_t sum[2]; + u_int32_t buf[1024*2]; + int fd, i; + + fd = open (name, 0); + if (fd < 0) + return -1; + + while (len > 0) + { + int n = read(fd, buf, sizeof(buf)); + if (n < 0) + { + close(fd); + return n; + } + for (i = 0; i < (n/sizeof(buf[0])); i++) + { + sum[0] += buf[i]; + i++; + sum[1] += buf[i]; + } + len -= n; + } + close (fd); + memcpy (res, &sum, sizeof(sum)); + return 0; +} + +/* + * Create a sequence of random 64 bit blocks. + * The sequence is indexed with a long long and + * based on an initial des key used as a seed. + */ +static des_key_schedule sequence_seed; +static u_int32_t sequence_index[2]; + +/* + * Random number generator based on ideas from truerand in cryptolib + * as described on page 424 in Applied Cryptography 2 ed. by Bruce + * Schneier. + */ + +static volatile int counter; +static volatile unsigned char *gdata; /* Global data */ +static volatile int igdata; /* Index into global data */ +static int gsize; + +#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__) +/* Visual C++ 4.0 (Windows95/NT) */ + +static +RETSIGTYPE +sigALRM(int sig) +{ + if (igdata < gsize) + gdata[igdata++] ^= counter & 0xff; + +#ifndef HAVE_SIGACTION + signal(SIGALRM, sigALRM); /* Reinstall SysV signal handler */ +#endif + SIGRETURN(0); +} + +#endif + +#if !defined(HAVE_RANDOM) && defined(HAVE_RAND) +#ifndef srandom +#define srandom srand +#endif +#ifndef random +#define random rand +#endif +#endif + +static void +des_not_rand_data(unsigned char *data, int size) +{ + int i; + + srandom (time (NULL)); + + for(i = 0; i < size; ++i) + data[i] ^= random() % 0x100; +} + +#if !defined(WIN32) && !defined(__EMX__) && !defined(__OS2__) && !defined(__CYGWIN32__) + +#ifndef HAVE_SETITIMER +static void +pacemaker(struct timeval *tv) +{ + fd_set fds; + pid_t pid; + pid = getppid(); + while(1){ + FD_ZERO(&fds); + FD_SET(0, &fds); + select(1, &fds, NULL, NULL, tv); + kill(pid, SIGALRM); + } +} +#endif + +#ifdef HAVE_SIGACTION +/* XXX ugly hack, should perhaps use function from roken */ +static RETSIGTYPE +(*fake_signal(int sig, RETSIGTYPE (*f)(int)))(int) +{ + struct sigaction sa, osa; + sa.sa_handler = f; + sa.sa_flags = 0; + sigemptyset(&sa.sa_mask); + sigaction(sig, &sa, &osa); + return osa.sa_handler; +} +#define signal(S, F) fake_signal((S), (F)) +#endif + +/* + * Generate size bytes of "random" data using timed interrupts. + * It takes about 40ms/byte random data. + * It's not neccessary to be root to run it. + */ +void +des_rand_data(unsigned char *data, int size) +{ + struct itimerval tv; +#ifdef HAVE_SETITIMER + struct itimerval otv; +#endif + RETSIGTYPE (*osa)(int); + int i, j; +#ifndef HAVE_SETITIMER + RETSIGTYPE (*ochld)(int); + pid_t pid; +#endif + char *rnd_devices[] = {"/dev/random", + "/dev/srandom", + "/dev/urandom", + NULL}; + char **p; + + for(p = rnd_devices; *p; p++) { + int fd = open(*p, O_RDONLY | O_NDELAY); + + if(fd >= 0 && read(fd, data, size) == size) { + close(fd); + return; + } + close(fd); + } + + /* Paranoia? Initialize data from /dev/mem if we can read it. */ + if (size >= 8) + sumFile("/dev/mem", (1024*1024*2), data); + + gdata = data; + gsize = size; + igdata = 0; + + osa = signal(SIGALRM, sigALRM); + + /* Start timer */ + tv.it_value.tv_sec = 0; + tv.it_value.tv_usec = 10 * 1000; /* 10 ms */ + tv.it_interval = tv.it_value; +#ifdef HAVE_SETITIMER + setitimer(ITIMER_REAL, &tv, &otv); +#else + ochld = signal(SIGCHLD, SIG_IGN); + pid = fork(); + if(pid == -1){ + signal(SIGCHLD, ochld != SIG_ERR ? ochld : SIG_DFL); + des_not_rand_data(data, size); + return; + } + if(pid == 0) + pacemaker(&tv.it_interval); +#endif + + for(i = 0; i < 4; i++) { + for (igdata = 0; igdata < size;) /* igdata++ in sigALRM */ + counter++; + for (j = 0; j < size; j++) /* Only use 2 bits each lap */ + gdata[j] = (gdata[j]>>2) | (gdata[j]<<6); + } +#ifdef HAVE_SETITIMER + setitimer(ITIMER_REAL, &otv, 0); +#else + kill(pid, SIGKILL); + while(waitpid(pid, NULL, 0) != pid); + signal(SIGCHLD, ochld != SIG_ERR ? ochld : SIG_DFL); +#endif + signal(SIGALRM, osa != SIG_ERR ? osa : SIG_DFL); +} +#else +void +des_rand_data(unsigned char *p, int s) +{ + des_not_rand_data (p, s); +} +#endif + +void +des_generate_random_block(des_cblock *block) +{ + des_rand_data((unsigned char *)block, sizeof(*block)); +} + +/* + * Generate a "random" DES key. + */ +void +des_rand_data_key(des_cblock *key) +{ + unsigned char data[8]; + des_key_schedule sched; + do { + des_rand_data(data, sizeof(data)); + des_rand_data((unsigned char*)key, sizeof(des_cblock)); + des_set_odd_parity(key); + des_key_sched(key, sched); + des_ecb_encrypt(&data, key, sched, DES_ENCRYPT); + memset(&data, 0, sizeof(data)); + memset(&sched, 0, sizeof(sched)); + des_set_odd_parity(key); + } while(des_is_weak_key(key)); +} + +/* + * Generate "random" data by checksumming /dev/mem + * + * It's neccessary to be root to run it. Returns -1 if there were any + * problems with permissions. + */ +int +des_mem_rand8(unsigned char *data) +{ + return 1; +} + +/* + * In case the generator does not get initialized use this as fallback. + */ +static int initialized; + +static void +do_initialize(void) +{ + des_cblock default_seed; + do { + des_generate_random_block(&default_seed); + des_set_odd_parity(&default_seed); + } while (des_is_weak_key(&default_seed)); + des_init_random_number_generator(&default_seed); +} + +#define zero_long_long(ll) do { ll[0] = ll[1] = 0; } while (0) + +#define incr_long_long(ll) do { if (++ll[0] == 0) ++ll[1]; } while (0) + +#define set_sequence_number(ll) \ +memcpy((char *)sequence_index, (ll), sizeof(sequence_index)); + +/* + * Set the sequnce number to this value (a long long). + */ +void +des_set_sequence_number(unsigned char *ll) +{ + set_sequence_number(ll); +} + +/* + * Set the generator seed and reset the sequence number to 0. + */ +void +des_set_random_generator_seed(des_cblock *seed) +{ + des_key_sched(seed, sequence_seed); + zero_long_long(sequence_index); + initialized = 1; +} + +/* + * Generate a sequence of random des keys + * using the random block sequence, fixup + * parity and skip weak keys. + */ +int +des_new_random_key(des_cblock *key) +{ + if (!initialized) + do_initialize(); + + do { + des_ecb_encrypt((des_cblock *) sequence_index, + key, + sequence_seed, + DES_ENCRYPT); + incr_long_long(sequence_index); + /* random key must have odd parity and not be weak */ + des_set_odd_parity(key); + } while (des_is_weak_key(key)); + return(0); +} + +/* + * des_init_random_number_generator: + * + * Initialize the sequence of random 64 bit blocks. The input seed + * can be a secret key since it should be well hidden and is also not + * kept. + * + */ +void +des_init_random_number_generator(des_cblock *seed) +{ + struct timeval now; + des_cblock uniq; + des_cblock new_key; + + gettimeofday(&now, (struct timezone *)0); + des_generate_random_block(&uniq); + + /* Pick a unique random key from the shared sequence. */ + des_set_random_generator_seed(seed); + set_sequence_number((unsigned char *)&uniq); + des_new_random_key(&new_key); + + /* Select a new nonshared sequence, */ + des_set_random_generator_seed(&new_key); + + /* and use the current time to pick a key for the new sequence. */ + set_sequence_number((unsigned char *)&now); + des_new_random_key(&new_key); + des_set_random_generator_seed(&new_key); +} + +#ifdef TESTRUN +int +main() +{ + unsigned char data[8]; + int i; + + while (1) + { + if (sumFile("/dev/mem", (1024*1024*8), data) != 0) + { perror("sumFile"); exit(1); } + for (i = 0; i < 8; i++) + printf("%02x", data[i]); + printf("\n"); + } +} +#endif + +#ifdef TESTRUN2 +int +main() +{ + des_cblock data; + int i; + + while (1) + { + do_initialize(); + des_random_key(data); + for (i = 0; i < 8; i++) + printf("%02x", data[i]); + printf("\n"); + } +} +#endif diff --git a/security/openssl/pkg-plist b/security/openssl/pkg-plist index 385a25866930..286b1e53c129 100644 --- a/security/openssl/pkg-plist +++ b/security/openssl/pkg-plist @@ -62,24 +62,24 @@ lib/libcrypto.a lib/libssl.a %%SHARED%%lib/libssl.so %%SHARED%%lib/libssl.so.%%SHLIBVER%% -openssl/misc/CA.pl -openssl/misc/CA.sh -openssl/misc/c_hash -openssl/misc/c_info -openssl/misc/c_issuer -openssl/misc/c_name -openssl/misc/der_chop -openssl/openssl.cnf.sample +%%NOBASE%%openssl/misc/CA.pl +%%NOBASE%%openssl/misc/CA.sh +%%NOBASE%%openssl/misc/c_hash +%%NOBASE%%openssl/misc/c_info +%%NOBASE%%openssl/misc/c_issuer +%%NOBASE%%openssl/misc/c_name +%%NOBASE%%openssl/misc/der_chop +%%NOBASE%%openssl/openssl.cnf.sample %%PORTDOCS%%share/doc/openssl/openssl.txt @dirrm include/openssl -@dirrm openssl/certs -@dirrm openssl/lib +%%NOBASE%%@dirrm openssl/certs +%%NOBASE%%@dirrm openssl/lib %%MANDIR%%@dirrm openssl/man/man1 %%MANDIR%%@dirrm openssl/man/man3 %%MANDIR%%@dirrm openssl/man/man5 -%%MANDIR%%@dirrm openssl/man/man7 -%%MANDIR%%@dirrm openssl/man -@dirrm openssl/misc -@dirrm openssl/private -@dirrm openssl +%%MANDIR%%@dirrm openssl/man/man7 +%%MANDIR%%@dirrm openssl/man +%%NOBASE%%@dirrm openssl/misc +%%NOBASE%%@dirrm openssl/private +%%NOBASE%%@dirrm openssl %%PORTDOCS%%@dirrm share/doc/openssl |