Diffstat (limited to 'security/openssl-beta')
-rw-r--r--security/openssl-beta/Makefile3
-rw-r--r--security/openssl-beta/distinfo2
-rw-r--r--security/openssl-beta/files/patch-Makefile.org (renamed from security/openssl-beta/files/patch-ab)23
-rw-r--r--security/openssl-beta/files/patch-security77
-rw-r--r--security/openssl-beta/files/patch-ssl-s3_srvr.c53
5 files changed, 18 insertions, 140 deletions
diff --git a/security/openssl-beta/Makefile b/security/openssl-beta/Makefile
index dfb5cda335da..7de92dbfdf0c 100644
--- a/security/openssl-beta/Makefile
+++ b/security/openssl-beta/Makefile
@@ -9,8 +9,7 @@ PORTNAME= openssl
.ifdef OPENSSL_SNAPSHOT
PORTREVISION!= date -v-1d +%Y%m%d
.else
-PORTVERSION= 0.9.7a
-PORTREVISION= 2
+PORTVERSION= 0.9.7b
.endif
CATEGORIES= security devel
.ifdef OPENSSL_SNAPSHOT
diff --git a/security/openssl-beta/distinfo b/security/openssl-beta/distinfo
index 7596c06f5dd3..7412ecf78474 100644
--- a/security/openssl-beta/distinfo
+++ b/security/openssl-beta/distinfo
@@ -1 +1 @@
-MD5 (openssl-0.9.7a.tar.gz) = a0d3203ecf10989fdc61c784ae82e531
+MD5 (openssl-0.9.7b.tar.gz) = fae4bec090fa78e20f09d76d55b6ccff
diff --git a/security/openssl-beta/files/patch-ab b/security/openssl-beta/files/patch-Makefile.org
index 2aeb3617967e..5dd4f462d2cc 100644
--- a/security/openssl-beta/files/patch-ab
+++ b/security/openssl-beta/files/patch-Makefile.org
@@ -1,6 +1,6 @@
---- Makefile.org.orig Thu Apr 5 13:08:02 2001
-+++ Makefile.org Sat Oct 12 22:10:18 2002
-@@ -171,7 +171,7 @@
+--- Makefile.org.orig Tue Apr 8 13:54:32 2003
++++ Makefile.org Fri Apr 11 20:01:14 2003
+@@ -191,7 +191,7 @@
MAKEFILE= Makefile.ssl
MAKE= make -f Makefile.ssl
@@ -9,11 +9,10 @@
MAN1=1
MAN3=3
SHELL=/bin/sh
-@@ -250,6 +250,21 @@
- done
+@@ -274,6 +274,21 @@
build-shared: clean-shared do_$(SHLIB_TARGET) link-shared
-+
+
+freebsd-shared:
+ for i in ${SHLIBDIRS}; do \
+ rm -f lib$$i.a lib$$i.so \
@@ -28,6 +27,16 @@
+ for i in ${SHLIBDIRS}; do \
+ ln -s lib$$i.so.${SHLIBVER} lib$$i.so; \
+ done;
-
++
do_bsd-gcc-shared: do_gnu-shared
do_linux-shared: do_gnu-shared
+ do_gnu-shared:
+@@ -593,7 +608,7 @@
+ @false
+
+ libclean:
+- rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib
++ rm -f *.map *.So *.So.* engines/*.so *.a */lib */*/lib
+
+ clean: libclean
+ rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
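Review bot: The new `libclean` change carried in this port patch swaps `*.so *.so.*` for `*.So *.So.*` on the `rm -f` line, which on a case-sensitive filesystem matches nothing, so `libclean` stops removing the top-level shared libraries without saying so. If the intent is to keep the libraries built by `freebsd-shared` from being removed by a later clean (inferred; the patch gives no reason), drop the two patterns outright, `rm -f *.map engines/*.so *.a */lib */*/lib`, so the behaviour does not depend on glob case. `engines/*.so` is still removed, so it is worth confirming that this asymmetry is wanted. The `clean` target continues outside the hunk.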
diff --git a/security/openssl-beta/files/patch-security b/security/openssl-beta/files/patch-security
deleted file mode 100644
index 4e3eefb36688..000000000000
--- a/security/openssl-beta/files/patch-security
+++ /dev/null
@@ -1,77 +0,0 @@
-Index: crypto/rsa/rsa_eay.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v
-retrieving revision 1.28.2.3
-diff -u -r1.28.2.3 rsa_eay.c
---- crypto/rsa/rsa_eay.c 30 Jan 2003 17:37:46 -0000 1.28.2.3
-+++ crypto/rsa/rsa_eay.c 16 Mar 2003 10:34:13 -0000
-@@ -195,6 +195,25 @@
- return(r);
- }
-
-+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
-+ {
-+ int ret = 1;
-+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
-+ /* Check again inside the lock - the macro's check is racey */
-+ if(rsa->blinding == NULL)
-+ ret = RSA_blinding_on(rsa, ctx);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
-+ return ret;
-+ }
-+
-+#define BLINDING_HELPER(rsa, ctx, err_instr) \
-+ do { \
-+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
-+ ((rsa)->blinding == NULL) && \
-+ !rsa_eay_blinding(rsa, ctx)) \
-+ err_instr \
-+ } while(0)
-+
- /* signing */
- static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
- unsigned char *to, RSA *rsa, int padding)
-@@ -239,8 +258,8 @@
- goto err;
- }
-
-- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
-- RSA_blinding_on(rsa,ctx);
-+ BLINDING_HELPER(rsa, ctx, goto err;);
-+
- if (rsa->flags & RSA_FLAG_BLINDING)
- if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
-
-@@ -318,8 +337,8 @@
- goto err;
- }
-
-- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
-- RSA_blinding_on(rsa,ctx);
-+ BLINDING_HELPER(rsa, ctx, goto err;);
-+
- if (rsa->flags & RSA_FLAG_BLINDING)
- if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
-
-Index: crypto/rsa/rsa_lib.c
-===================================================================
-RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v
-retrieving revision 1.30.2.2
-diff -u -r1.30.2.2 rsa_lib.c
---- crypto/rsa/rsa_lib.c 30 Jan 2003 17:37:46 -0000 1.30.2.2
-+++ crypto/rsa/rsa_lib.c 16 Mar 2003 10:34:13 -0000
-@@ -72,7 +72,13 @@
-
- RSA *RSA_new(void)
- {
-- return(RSA_new_method(NULL));
-+ RSA *r=RSA_new_method(NULL);
-+
-+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
-+ r->flags|=RSA_FLAG_BLINDING;
-+#endif
-+
-+ return r;
- }
-
- void RSA_set_default_method(const RSA_METHOD *meth)
diff --git a/security/openssl-beta/files/patch-ssl-s3_srvr.c b/security/openssl-beta/files/patch-ssl-s3_srvr.c
deleted file mode 100644
index 52777355a66b..000000000000
--- a/security/openssl-beta/files/patch-ssl-s3_srvr.c
+++ /dev/null
@@ -1,53 +0,0 @@
---- ssl/s3_srvr.c 29 Nov 2002 11:31:51 -0000 1.85.2.14
-+++ ssl/s3_srvr.c 19 Mar 2003 18:00:00 -0000
-@@ -1447,7 +1447,7 @@
- if (i != SSL_MAX_MASTER_KEY_LENGTH)
- {
- al=SSL_AD_DECODE_ERROR;
-- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
-+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
- }
-
- if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
-@@ -1463,30 +1463,29 @@
- (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
- {
- al=SSL_AD_DECODE_ERROR;
-- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
-- goto f_err;
-+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
-+
-+ /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
-+ * (http://eprint.iacr.org/2003/052/) exploits the version
-+ * number check as a "bad version oracle" -- an alert would
-+ * reveal that the plaintext corresponding to some ciphertext
-+ * made up by the adversary is properly formatted except
-+ * that the version number is wrong. To avoid such attacks,
-+ * we should treat this just like any other decryption error. */
-+ p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";
- }
- }
-
- if (al != -1)
- {
--#if 0
-- goto f_err;
--#else
- /* Some decryption failure -- use random value instead as countermeasure
- * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
-- * (see RFC 2246, section 7.4.7.1).
-- * But note that due to length and protocol version checking, the
-- * attack is impractical anyway (see section 5 in D. Bleichenbacher:
-- * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
-- * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
-- */
-+ * (see RFC 2246, section 7.4.7.1). */
- ERR_clear_error();
- i = SSL_MAX_MASTER_KEY_LENGTH;
- p[0] = s->client_version >> 8;
- p[1] = s->client_version & 0xff;
- RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
--#endif
- }
-
- s->session->master_key_length=