From 1425ab1f8c606b83fed5a8fa0a21dffb76fbf420 Mon Sep 17 00:00:00 2001
From: dinoex <dinoex@FreeBSD.org>
Date: Sun, 21 Apr 2002 13:02:08 +0000
Subject: - Update to 0.9.6c - more manpages - shift FORBIDDEN

 Excerpt of Changes between 0.9.6b and 0.9.6c  [21 dec 2001]
  *) Fix BN_rand_range bug pointed out by Dominikus Scherkl
  *) Only add signing time to PKCS7 structures if it is not already present.
  *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce", OBJ_ld_ce
     should be OBJ_id_ce.  Also some ip-pda OIDs in crypto/objects/objects.txt
     were incorrect (cf. RFC 3039).
  *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid()
     returns early because it has nothing to do.
  *) Fix mutex callback return values in crypto/engine/hw_ncipher.c.
  *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake
     messages are stored in a single piece (fixed-length part and
     variable-length part combined) and fix various bugs found on the way.
  *) Disable caching in BIO_gethostbyname(), directly use gethostbyname()
     instead.  BIO_gethostbyname() does not know what timeouts are
     appropriate, so entries would stay in cache even when they have
     become invalid.
  *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when
     faced with a pathologically small ClientHello fragment that does
     not contain client_version: Instead of aborting with an error,
     simply choose the highest available protocol version (i.e.,
     TLS 1.0 unless it is disabled).
  *) Fix SSL handshake functions and SSL_clear() such that SSL_clear()
     never resets s->method to s->ctx->method when called from within
     one of the SSL handshake functions.
  *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert
     (sent using the client's version number) if client_version is
     smaller than the protocol version in use.  Also change
     ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if
     the client demanded SSL 3.0 but only TLS 1.0 is enabled; then
     the client will at least see that alert.
  *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation
     correctly.
  *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a
     client receives HelloRequest while in a handshake.
  *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C
     should end in 'break', not 'goto end' which circuments various
     cleanups done in state SSL_ST_OK.   But session related stuff
     must be disabled for SSL_ST_OK in the case that we just sent a
     HelloRequest.  Also avoid some overhead by not calling
     ssl_init_wbio_buffer() before just sending a HelloRequest.
  *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
     reveal whether illegal block cipher padding was found or a MAC
     verification error occured.  (Neither SSLerr() codes nor alerts
     are directly visible to potential attackers, but the information
     may leak via logfiles.) ssl/s2_pkt.c failed to verify that the
     purported number of padding bytes is in the legal range.
  *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid
     'wristwatch attack' using huge encoding parameters (cf.
     James H. Manger's CRYPTO 2001 paper).  Note that the
     RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use
     encoding parameters and hence was not vulnerable.
  *) BN_sqr() bug fix.
  *) Rabin-Miller test analyses assume uniformly distributed witnesses,
     so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
     followed by modular reduction.
  *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range()
     equivalent based on BN_pseudo_rand() instead of BN_rand().
  *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB).
     This function was broken, as the check for a new client hello message
     to handle SGC did not allow these large messages.
  *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long]().
  *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl()
     for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>).
  *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message()
     with the same message size as in ssl3_get_certificate_request().
     Otherwise, if no ServerKeyExchange message occurs, CertificateRequest
     messages might inadvertently be reject as too long.
  *) Modified SSL library such that the verify_callback that has been set
     specificly for an SSL object with SSL_set_verify() is actually being
     used. Before the change, a verify_callback set with this function was
     ignored and the verify_callback() set in the SSL_CTX at the time of
     the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
     to allow the necessary settings.
  *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored
     dh->length and always used
          BN_rand_range(priv_key, dh->p).
     So switch back to
          BN_rand(priv_key, l, ...)
     where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1
     otherwise.
  *) In RSA_eay_public_encrypt, RSA_eay_private_decrypt, RSA_eay_private_encrypt
     RSA_eay_public_decrypt always reject numbers >= n.
  *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2
     to synchronize access to 'locking_thread'.
  *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID
     *before* setting the 'crypto_lock_rand' flag.  The previous code had
     a race condition if 0 is a valid thread ID.
---
 security/openssl-beta/Makefile | 39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)

(limited to 'security/openssl-beta/Makefile')

diff --git a/security/openssl-beta/Makefile b/security/openssl-beta/Makefile
index 64dd35a7c672..1fbe3f02f33b 100644
--- a/security/openssl-beta/Makefile
+++ b/security/openssl-beta/Makefile
@@ -6,17 +6,17 @@
 #
 
 PORTNAME=	openssl
-PORTVERSION=	0.9.6b
+PORTVERSION=	0.9.6c
 CATEGORIES=	security devel
 MASTER_SITES=	http://www.openssl.org/source/ \
 		ftp://ftp.openssl.org/source/ \
 		ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/ \
 		ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/
 
-MAINTAINER=	ports@FreeBSD.org
+MAINTAINER=	dinoex@FreeBSD.org
 
 .include <bsd.port.pre.mk>
-.if exists(/usr/lib/libssl.a) && ${OSVERSION} >= 430000
+.if exists(/usr/lib/libssl.a) && ${OSVERSION} >= 460000
 FORBIDDEN=	"OpenSSL is already in the base system"
 .endif
 
@@ -76,30 +76,35 @@ MAN3=		BN_CTX_new.3 BN_CTX_start.3 BN_add.3 BN_add_word.3 \
 		BIO_s_connect.3 BIO_s_fd.3 BIO_s_file.3 BIO_s_mem.3 \
 		BIO_s_null.3 BIO_s_socket.3 BIO_set_callback.3 \
 		BIO_should_retry.3 SSL_CIPHER_get_name.3 \
+		SSL_COMP_add_compression_method.3 \
 		SSL_CTX_add_extra_chain_cert.3 SSL_CTX_add_session.3 \
-		SSL_CTX_flush_sessions.3 SSL_CTX_free.3 \
+		SSL_CTX_ctrl.3 SSL_CTX_flush_sessions.3 SSL_CTX_free.3 \
 		SSL_CTX_get_ex_new_index.3 SSL_CTX_get_verify_mode.3 \
 		SSL_CTX_load_verify_locations.3 SSL_CTX_new.3 \
 		SSL_CTX_sess_number.3 SSL_CTX_sess_set_cache_size.3 \
 		SSL_CTX_sess_set_get_cb.3 SSL_CTX_sessions.3 \
+		SSL_CTX_set_cert_store.3 SSL_CTX_set_cert_verify_callback.3 \
 		SSL_CTX_set_cipher_list.3 SSL_CTX_set_client_CA_list.3 \
-		SSL_CTX_set_default_passwd_cb.3 SSL_CTX_set_mode.3 \
-		SSL_CTX_set_options.3 SSL_CTX_set_session_cache_mode.3 \
+		SSL_CTX_set_default_passwd_cb.3 SSL_CTX_set_info_callback.3 \
+		SSL_CTX_set_mode.3 SSL_CTX_set_options.3 \
+		SSL_CTX_set_quiet_shutdown.3 SSL_CTX_set_session_cache_mode.3 \
 		SSL_CTX_set_session_id_context.3 SSL_CTX_set_ssl_version.3 \
+		SSL_CTX_set_tmp_dh_callback.3 SSL_CTX_set_tmp_rsa_callback.3 \
 		SSL_CTX_set_timeout.3 SSL_CTX_set_verify.3 \
 		SSL_CTX_use_certificate.3 SSL_SESSION_free.3 \
 		SSL_SESSION_get_ex_new_index.3 SSL_SESSION_get_time.3 \
-		SSL_accept.3 SSL_clear.3 SSL_connect.3 \
-		SSL_free.3 SSL_get_ciphers.3 SSL_get_client_CA_list.3 \
-		SSL_get_current_cipher.3 SSL_get_ex_data_X509_STORE_CTX_idx.3 \
-		SSL_get_ex_new_index.3 SSL_get_fd.3 \
-		SSL_get_peer_cert_chain.3 SSL_get_peer_certificate.3 \
-		SSL_get_rbio.3 SSL_get_session.3 SSL_get_verify_result.3 \
-		SSL_get_version.3 SSL_library_init.3 \
-		SSL_load_client_CA_file.3 SSL_new.3 \
-		SSL_pending.3 SSL_read.3 SSL_set_bio.3 SSL_set_connect_state.3 \
-		SSL_set_fd.3 SSL_set_session.3 SSL_set_shutdown.3 \
-		SSL_set_verify_result.3 SSL_shutdown.3 SSL_write.3 \
+		SSL_accept.3 SSL_alert_type_string.3 SSL_clear.3 \
+		SSL_connect.3 SSL_free.3 SSL_get_SSL_CTX.3 SSL_get_ciphers.3 \
+		SSL_get_client_CA_list.3 SSL_get_current_cipher.3 \
+		SSL_get_default_timeout.3 SSL_get_ex_data_X509_STORE_CTX_idx.3 \
+		SSL_get_ex_new_index.3 SSL_get_fd.3 SSL_get_peer_cert_chain.3 \
+		SSL_get_peer_certificate.3 SSL_get_rbio.3 SSL_get_session.3 \
+		SSL_get_verify_result.3 SSL_get_version.3 SSL_library_init.3 \
+		SSL_load_client_CA_file.3 SSL_new.3 SSL_pending.3 SSL_read.3 \
+		SSL_rstate_string.3 SSL_session_reused.3 SSL_set_bio.3 \
+		SSL_set_connect_state.3 SSL_set_fd.3 SSL_set_session.3 \
+		SSL_set_shutdown.3 SSL_set_verify_result.3 SSL_shutdown.3 \
+		SSL_state_string.3 SSL_want.3 SSL_write.3 \
 		bio.3 d2i_SSL_SESSION.3 evp.3
 
 MAN5=		config.5
-- 
cgit