From 29d3652e9c8bc1f43aa98dc26e4566e22c8d9046 Mon Sep 17 00:00:00 2001
From: trevor
Date: Thu, 22 Aug 2002 07:13:24 +0000
Subject: patch against SSL man-in-the-middle attack, described in http://www.kde.org/info/security/advisory-20020818-1.txt (not yet confirmed on FreeBSD)

Requested by: security-officer ftp://ftp.kde.org/pub/kde/security_patches/post-2.2.2-kdelibs-kssl.diff
Approved by: will, with these reservations: Please note, however, that the patch will be untested and not supported by kde@, similar to the way other people offer patchsets for older versions of FreeBSD that so@ does not support. Also note that the patch does not really seem "official" because it was never applied to their CVS.
---
 x11/kdelibs2/Makefile | 5 +---
 x11/kdelibs2/files/patch-kssl_kopenssl.cc | 31 ++++++++++++++++++++++++
 x11/kdelibs2/files/patch-kssl_kopenssl.h | 15 ++++++++++++
 x11/kdelibs2/files/patch-kssl_ksslcertificate.cc | 15 ++++++++++++
 4 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 x11/kdelibs2/files/patch-kssl_kopenssl.cc
 create mode 100644 x11/kdelibs2/files/patch-kssl_kopenssl.h
 create mode 100644 x11/kdelibs2/files/patch-kssl_ksslcertificate.cc

diff --git a/x11/kdelibs2/Makefile b/x11/kdelibs2/Makefile
index 97de4b7063fe..7ef0136be1d2 100644
--- a/x11/kdelibs2/Makefile
+++ b/x11/kdelibs2/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= kdelibs
 PORTVERSION= 2.2.2
-PORTREVISION?= 3
+PORTREVISION?= 4
 CATEGORIES?= x11 kde
 MASTER_SITES= ${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR= Attic/${PORTVERSION}/src
@@ -28,9 +28,6 @@ LIB_DEPENDS= tiff.4:${PORTSDIR}/graphics/tiff \
 LIB_DEPENDS+= bz2.1:${PORTSDIR}/archivers/bzip2
 .endif
 
-FORBIDDEN= Security advisory on serious SSL bug. No fix is planned. \
- Ask not for whom the bell tolls, it tolls for thee.
-
 USE_OPENSSL= yes
 USE_QT_VER= 2
 SOMAJOR= 4
diff --git a/x11/kdelibs2/files/patch-kssl_kopenssl.cc b/x11/kdelibs2/files/patch-kssl_kopenssl.cc
new file mode 100644
index 000000000000..31b8e6dd529b
--- /dev/null
+++ b/x11/kdelibs2/files/patch-kssl_kopenssl.cc
@@ -0,0 +1,31 @@
+$FreeBSD$
+
+--- kssl/kopenssl.cc.orig Tue Sep 4 16:08:18 2001
++++ kssl/kopenssl.cc Mon Aug 19 12:27:36 2002
+@@ -92,6 +92,7 @@ static int (*K_SSL_CTX_use_certificate)
+ static int (*K_SSL_get_error) (SSL*, int) = NULL;
+ static STACK_OF(X509)* (*K_SSL_get_peer_cert_chain) (SSL*) = NULL;
+ static void (*K_X509_STORE_CTX_set_chain) (X509_STORE_CTX *, STACK_OF(X509)*) = NULL;
++static void (*K_X509_STORE_CTX_set_purpose) (X509_STORE_CTX *, int) = NULL;
+ static void (*K_sk_free) (STACK*) = NULL;
+ static int (*K_sk_num) (STACK*) = NULL;
+ static char* (*K_sk_value) (STACK*, int) = NULL;
+@@ -254,6 +255,7 @@ KConfig *cfg;
+ X509**, STACK_OF(X509)**)) _cryptoLib->symbol("PKCS12_parse");
+ K_EVP_PKEY_free = (void (*) (EVP_PKEY *)) _cryptoLib->symbol("EVP_PKEY_free");
+ K_X509_STORE_CTX_set_chain = (void (*)(X509_STORE_CTX *, STACK_OF(X509)*)) _cryptoLib->symbol("X509_STORE_CTX_set_chain");
++ K_X509_STORE_CTX_set_purpose = (void (*)(X509_STORE_CTX *, int)) _cryptoLib->symbol("X509_STORE_CTX_set_purpose");
+ K_sk_free = (void (*) (STACK *)) _cryptoLib->symbol("sk_free");
+ K_sk_num = (int (*) (STACK *)) _cryptoLib->symbol("sk_num");
+ K_sk_value = (char* (*) (STACK *, int)) _cryptoLib->symbol("sk_value");
+@@ -742,6 +744,10 @@ char *KOpenSSLProxy::sk_value(STACK *s,
+ 
+ void KOpenSSLProxy::X509_STORE_CTX_set_chain(X509_STORE_CTX *v, STACK_OF(X509)* x) {
+ if (K_X509_STORE_CTX_set_chain) (K_X509_STORE_CTX_set_chain)(v,x);
++}
++
++void KOpenSSLProxy::X509_STORE_CTX_set_purpose(X509_STORE_CTX *v, int purpose) {
++ if (K_X509_STORE_CTX_set_purpose) (K_X509_STORE_CTX_set_purpose)(v,purpose);
+ }
+ 
+ 
diff --git a/x11/kdelibs2/files/patch-kssl_kopenssl.h b/x11/kdelibs2/files/patch-kssl_kopenssl.h
new file mode 100644
index 000000000000..fa2b906ef9e3
--- /dev/null
+++ b/x11/kdelibs2/files/patch-kssl_kopenssl.h
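Review bot: The new proxy `KOpenSSLProxy::X509_STORE_CTX_set_purpose` is declared `void` and guarded by `if (K_X509_STORE_CTX_set_purpose)`, so when `_cryptoLib->symbol("X509_STORE_CTX_set_purpose")` comes back NULL the purpose restriction this commit relies on is silently skipped and verification proceeds exactly as before, with nothing for the caller to detect. OpenSSL's `X509_STORE_CTX_set_purpose` returns an int (the commit itself quotes the prototype in the patch-kssl_ksslcertificate.cc hunk), so the function-pointer declaration, the cast and the wrapper should carry that value through and report 0 when the symbol is unresolved, letting the caller treat it as a failed validation. The declaration in the patch-kssl_kopenssl.h hunk must change to `int X509_STORE_CTX_set_purpose(X509_STORE_CTX *v, int purpose);` to match, and its comment would be more accurate as `X509_STORE_CTX_set_purpose - set the verification purpose of the store context (returns 0 on failure)`, since it is the context, not the certificate, that is being configured.
```cpp
static int (*K_X509_STORE_CTX_set_purpose) (X509_STORE_CTX *, int) = NULL;
// … unchanged: remaining K_* function-pointer declarations …
K_X509_STORE_CTX_set_purpose = (int (*)(X509_STORE_CTX *, int)) _cryptoLib->symbol("X509_STORE_CTX_set_purpose");
// … unchanged: remaining symbol lookups …
int KOpenSSLProxy::X509_STORE_CTX_set_purpose(X509_STORE_CTX *v, int purpose) {
   if (K_X509_STORE_CTX_set_purpose) return (K_X509_STORE_CTX_set_purpose)(v,purpose);
   return 0;   // symbol missing from the loaded libcrypto: report failure rather than silently skipping the purpose check
}
```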
@@ -0,0 +1,15 @@
+$FreeBSD$
+
+--- kssl/kopenssl.h.orig Sat Jul 28 21:55:41 2001
++++ kssl/kopenssl.h Mon Aug 19 12:27:23 2002
+@@ -277,6 +277,10 @@ public:
+ */
+ void X509_STORE_CTX_set_chain(X509_STORE_CTX *v, STACK_OF(X509)* x);
+ 
++ /*
++ * X509_STORE_CTX_set_purpose - set the purpose of the certificate
++ */
++ void X509_STORE_CTX_set_purpose(X509_STORE_CTX *v, int purpose);
+ 
+ /*
+ * X509_verify_cert - verify the certificate
diff --git a/x11/kdelibs2/files/patch-kssl_ksslcertificate.cc b/x11/kdelibs2/files/patch-kssl_ksslcertificate.cc
new file mode 100644
index 000000000000..97fc3d2e67f1
--- /dev/null
+++ b/x11/kdelibs2/files/patch-kssl_ksslcertificate.cc
@@ -0,0 +1,15 @@
+$FreeBSD$
+
+--- kssl/ksslcertificate.cc.orig Mon Nov 5 18:37:43 2001
++++ kssl/ksslcertificate.cc Mon Aug 19 12:32:22 2002
+@@ -259,6 +259,10 @@ KSSLCertificate::KSSLValidation KSSLCert
+ if (d->_chain.isValid())
+ d->kossl->X509_STORE_CTX_set_chain(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain());
+ 
++
++ // int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);
++ d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX, X509_PURPOSE_SSL_SERVER);
++
+ // FIXME: do all the X509_STORE_CTX_set_flags(); here
+ // +-----> Note that this is for 0.9.6 or better ONLY!
+ 
-- cgit
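Review bot: The comment added above the new call in the patch-kssl_ksslcertificate.cc hunk, `// int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose);`, only restates the OpenSSL prototype and says nothing about why the purpose is set; replace it with `// Restrict verification to the SSL-server purpose so that X509_verify_cert also checks that every issuer in the chain is allowed to act as a CA for that purpose.` The outcome of `d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX, X509_PURPOSE_SSL_SERVER);` is not examined, so should the proxy ever report that the purpose could not be set (for instance because the symbol was not found in the loaded libcrypto), this function would continue as if the check were in place; presumably that case should map to a failed validation rather than fall through to the existing verification path. The enclosing function (its header is truncated to `KSSLCertificate::KSSLValidation KSSLCert` in the inner hunk header) starts before the hunk and continues past it.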