Diffstat (limited to 'security/openssl-beta')
-rw-r--r-- | security/openssl-beta/Makefile | 3 | ||||
-rw-r--r-- | security/openssl-beta/distinfo | 2 | ||||
-rw-r--r-- | security/openssl-beta/files/patch-Makefile.org (renamed from security/openssl-beta/files/patch-ab) | 23 | ||||
-rw-r--r-- | security/openssl-beta/files/patch-security | 77 | ||||
-rw-r--r-- | security/openssl-beta/files/patch-ssl-s3_srvr.c | 53 |
5 files changed, 18 insertions, 140 deletions
diff --git a/security/openssl-beta/Makefile b/security/openssl-beta/Makefile index dfb5cda335da..7de92dbfdf0c 100644 --- a/security/openssl-beta/Makefile +++ b/security/openssl-beta/Makefile @@ -9,8 +9,7 @@ PORTNAME= openssl .ifdef OPENSSL_SNAPSHOT PORTREVISION!= date -v-1d +%Y%m%d .else -PORTVERSION= 0.9.7a -PORTREVISION= 2 +PORTVERSION= 0.9.7b .endif CATEGORIES= security devel .ifdef OPENSSL_SNAPSHOT diff --git a/security/openssl-beta/distinfo b/security/openssl-beta/distinfo index 7596c06f5dd3..7412ecf78474 100644 --- a/security/openssl-beta/distinfo +++ b/security/openssl-beta/distinfo @@ -1 +1 @@ -MD5 (openssl-0.9.7a.tar.gz) = a0d3203ecf10989fdc61c784ae82e531 +MD5 (openssl-0.9.7b.tar.gz) = fae4bec090fa78e20f09d76d55b6ccff diff --git a/security/openssl-beta/files/patch-ab b/security/openssl-beta/files/patch-Makefile.org index 2aeb3617967e..5dd4f462d2cc 100644 --- a/security/openssl-beta/files/patch-ab +++ b/security/openssl-beta/files/patch-Makefile.org @@ -1,6 +1,6 @@ ---- Makefile.org.orig Thu Apr 5 13:08:02 2001 -+++ Makefile.org Sat Oct 12 22:10:18 2002 -@@ -171,7 +171,7 @@ +--- Makefile.org.orig Tue Apr 8 13:54:32 2003 ++++ Makefile.org Fri Apr 11 20:01:14 2003 +@@ -191,7 +191,7 @@ MAKEFILE= Makefile.ssl MAKE= make -f Makefile.ssl @@ -9,11 +9,10 @@ MAN1=1 MAN3=3 SHELL=/bin/sh -@@ -250,6 +250,21 @@ - done +@@ -274,6 +274,21 @@ build-shared: clean-shared do_$(SHLIB_TARGET) link-shared -+ + +freebsd-shared: + for i in ${SHLIBDIRS}; do \ + rm -f lib$$i.a lib$$i.so \ @@ -28,6 +27,16 @@ + for i in ${SHLIBDIRS}; do \ + ln -s lib$$i.so.${SHLIBVER} lib$$i.so; \ + done; - ++ do_bsd-gcc-shared: do_gnu-shared do_linux-shared: do_gnu-shared + do_gnu-shared: +@@ -593,7 +608,7 @@ + @false + + libclean: +- rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib ++ rm -f *.map *.So *.So.* engines/*.so *.a */lib */*/lib + + clean: libclean + rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c 
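Review bot: In the inner hunk that the renamed patch-Makefile.org gains at `@@ -593,7 +608,7 @@`, the `libclean` rule is disabled for shared objects by changing the case of its globs (`*.so *.so.*` becomes `*.So *.So.*`), with no comment saying why. Read cold this looks like a typo that a later maintainer may "correct". Presumably the aim is to keep the libraries produced by the `freebsd-shared` target from being deleted, but nothing visible here states that. The glob would also still match on a case-insensitive filesystem. I would drop the two patterns outright, `rm -f *.map engines/*.so *.a */lib */*/lib`, and record the reason in the port Makefile next to the build step that depends on it.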
diff --git a/security/openssl-beta/files/patch-security b/security/openssl-beta/files/patch-security deleted file mode 100644 index 4e3eefb36688..000000000000 --- a/security/openssl-beta/files/patch-security +++ /dev/null 
@@ -1,77 +0,0 @@ -Index: crypto/rsa/rsa_eay.c -=================================================================== -RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v -retrieving revision 1.28.2.3 -diff -u -r1.28.2.3 rsa_eay.c ---- crypto/rsa/rsa_eay.c 30 Jan 2003 17:37:46 -0000 1.28.2.3 -+++ crypto/rsa/rsa_eay.c 16 Mar 2003 10:34:13 -0000 -@@ -195,6 +195,25 @@ - return(r); - } - -+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) -+ { -+ int ret = 1; -+ CRYPTO_w_lock(CRYPTO_LOCK_RSA); -+ /* Check again inside the lock - the macro's check is racey */ -+ if(rsa->blinding == NULL) -+ ret = RSA_blinding_on(rsa, ctx); -+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA); -+ return ret; -+ } -+ -+#define BLINDING_HELPER(rsa, ctx, err_instr) \ -+ do { \ -+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \ -+ ((rsa)->blinding == NULL) && \ -+ !rsa_eay_blinding(rsa, ctx)) \ -+ err_instr \ -+ } while(0) -+ - /* signing */ - static int RSA_eay_private_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding) -@@ -239,8 +258,8 @@ - goto err; - } - -- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) -- RSA_blinding_on(rsa,ctx); -+ BLINDING_HELPER(rsa, ctx, goto err;); -+ - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; - -@@ -318,8 +337,8 @@ - goto err; - } - -- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) -- RSA_blinding_on(rsa,ctx); -+ BLINDING_HELPER(rsa, ctx, goto err;); -+ - if (rsa->flags & RSA_FLAG_BLINDING) - if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; - -Index: crypto/rsa/rsa_lib.c -=================================================================== -RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v -retrieving revision 1.30.2.2 -diff -u -r1.30.2.2 rsa_lib.c ---- crypto/rsa/rsa_lib.c 30 Jan 2003 17:37:46 -0000 1.30.2.2 -+++ crypto/rsa/rsa_lib.c 16 Mar 2003 10:34:13 -0000 -@@ -72,7 +72,13 @@ - - RSA *RSA_new(void) - { -- return(RSA_new_method(NULL)); -+ 
RSA *r=RSA_new_method(NULL); -+ -+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING -+ r->flags|=RSA_FLAG_BLINDING; -+#endif -+ -+ return r; - } - - void RSA_set_default_method(const RSA_METHOD *meth) diff --git a/security/openssl-beta/files/patch-ssl-s3_srvr.c b/security/openssl-beta/files/patch-ssl-s3_srvr.c deleted file mode 100644 index 52777355a66b..000000000000 --- a/security/openssl-beta/files/patch-ssl-s3_srvr.c +++ /dev/null 
@@ -1,53 +0,0 @@ ---- ssl/s3_srvr.c 29 Nov 2002 11:31:51 -0000 1.85.2.14 -+++ ssl/s3_srvr.c 19 Mar 2003 18:00:00 -0000 -@@ -1447,7 +1447,7 @@ - if (i != SSL_MAX_MASTER_KEY_LENGTH) - { - al=SSL_AD_DECODE_ERROR; -- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); -+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ - } - - if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) -@@ -1463,30 +1463,29 @@ - (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) - { - al=SSL_AD_DECODE_ERROR; -- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); -- goto f_err; -+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ -+ -+ /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack -+ * (http://eprint.iacr.org/2003/052/) exploits the version -+ * number check as a "bad version oracle" -- an alert would -+ * reveal that the plaintext corresponding to some ciphertext -+ * made up by the adversary is properly formatted except -+ * that the version number is wrong. To avoid such attacks, -+ * we should treat this just like any other decryption error. */ -+ p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19"; - } - } - - if (al != -1) - { --#if 0 -- goto f_err; --#else - /* Some decryption failure -- use random value instead as countermeasure - * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding -- * (see RFC 2246, section 7.4.7.1). -- * But note that due to length and protocol version checking, the -- * attack is impractical anyway (see section 5 in D. Bleichenbacher: -- * "Chosen Ciphertext Attacks Against Protocols Based on the RSA -- * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12). -- */ -+ * (see RFC 2246, section 7.4.7.1). 
*/ - ERR_clear_error(); - i = SSL_MAX_MASTER_KEY_LENGTH; - p[0] = s->client_version >> 8; - p[1] = s->client_version & 0xff; - RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ --#endif - } - - s->session->master_key_length= |