author | Dirk Meyer <dinoex@FreeBSD.org> | 2009-05-20 19:22:47 +0000 |
---|---|---|
committer | Dirk Meyer <dinoex@FreeBSD.org> | 2009-05-20 19:22:47 +0000 |
commit | f062b23d9f534f2d41866983f814825d69f18ad0 (patch) | |
tree | d7d90a51e2b8878eb31fb96c38408312c8f08bcd | |
parent | 7b6d851a3b1a25c9142cda11a67c1a17dfbf3cc8 (diff) | |
- add more DTLS bugfixes
- use options framework
- new option WITH_FIPS
add fips code
- new option WITH_SCTP
add SCTP support to openssl
Notes
Notes:
svn path=/head/; revision=234293
-rw-r--r-- | security/openssl/Makefile | 41 | ||||
-rw-r--r-- | security/openssl/distinfo | 15 | ||||
-rw-r--r-- | security/openssl/files/patch-CVE-2009-1377 | 46 | ||||
-rw-r--r-- | security/openssl/files/patch-CVE-2009-1378 | 22 | ||||
-rw-r--r-- | security/openssl/files/patch-kssl.c | 14 | ||||
-rw-r--r-- | security/openssl/pkg-descr | 1 |
6 files changed, 65 insertions, 74 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile index 222d957a8bb2..e86cab424bb0 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -7,13 +7,15 @@ PORTNAME= openssl PORTVERSION= 0.9.8k -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security devel MASTER_SITES= http://www.openssl.org/%SUBDIR%/ \ ftp://ftp.openssl.org/%SUBDIR%/ \ ftp://ftp.sunet.se/pub/security/tools/net/openssl/%SUBDIR%/ \ ftp://ftp.cert.dfn.de/pub/tools/net/openssl/%SUBDIR%/ MASTER_SITE_SUBDIR= source +PATCH_SITES= http://sctp.fh-muenster.de/dtls/ +PATCHFILES= dtls-bugs.patch DISTNAME= ${PORTNAME}-${PORTVERSION} MAINTAINER= dinoex@FreeBSD.org @@ -25,6 +27,11 @@ BUILD_DEPENDS= makedepend:${PORTSDIR}/devel/makedepend .error You have `USE_OPENSSL' variable defined either in environment or in make(1) arguments. Please undefine and try again. .endif +OPTIONS= I386 "Use optimzed assembler for 80386" off \ + SSE2 "Use runtime SSE2 detection" on \ + ZLIB "Build with zlib compression" on \ + SCTP "Build with SCTP support" off \ + EXTRACONFIGURE+= enable-camellia MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive @@ -849,11 +856,13 @@ OPENSSL_SHLIBVER_BASE= ${OPENSSL_BASE_SONAME:E} OPENSSL_BASE_SOPATH= ${OPENSSL_BASE_SONAME:H} OPENSSL_SHLIBVER?= 5 +.if !defined(WITHOUT_SSE2) # disable runtime SSE2 detection -.if defined(WITHOUT_OPENSSL_SSE2) EXTRACONFIGURE+= no-sse2 .endif +.if !defined(WITH_FIPS) EXTRACONFIGURE+= no-fips +.endif .if defined(NOSHARED) PLIST_SUB+= SHARED="@comment " .else @@ -864,10 +873,20 @@ PLIST_SUB+= SHLIBVER=${OPENSSL_SHLIBVER} USE_LDCONFIG= yes .endif -.if defined(WITH_OPENSSL_COMPRESSION) +.if !defined(WITHOUT_ZLIB) EXTRACONFIGURE+= zlib .endif +.if defined(WITH_SCTP) +.if ${OSVERSION} >= 700000 +PATCHFILES+= tls-extractor.patch \ + abbreviated-renegotiation.patch \ + dtls-sctp.patch +# freebsd-compatibility.patch +CFLAGS+= -DSCTP +.endif +.endif + .if ${OPENSSL_SHLIBVER_BASE} > ${OPENSSL_SHLIBVER} pre-everything:: @${ECHO_CMD} "#" 
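Review bot: `PATCHFILES= dtls-bugs.patch` pulls the DTLS fixes from a third-party host (`PATCH_SITES= http://sctp.fh-muenster.de/dtls/`, plain HTTP) while the same commit deletes `files/patch-CVE-2009-1377` and `files/patch-CVE-2009-1378`, so the port no longer carries any local record that the record-queue limit and the fragment de-duplication fix are still applied. The SHA256 lines added to distinfo are what protect the download itself, so the missing piece is traceability rather than integrity; a comment next to the new line such as `# dtls-bugs.patch supersedes files/patch-CVE-2009-1377 and patch-CVE-2009-1378` would let the next updater re-check coverage before bumping the external patch. Whether that patch actually contains both fixes cannot be confirmed from this diff.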
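Review bot: `WITH_FIPS`, which the commit message introduces as a new option and which the later hunks test with `.if !defined(WITH_FIPS)`, is not declared in the new `OPTIONS=` list (only I386, SSE2, ZLIB and SCTP are), so it never shows up in `make config` and can only be set by hand. Either add `FIPS "Build the FIPS code" off` to the list or leave a comment explaining why it is deliberately kept out of the options dialog. Two smaller points in the same block: the I386 description reads `"Use optimzed assembler for 80386"` (typo for "optimized"), and the last entry `SCTP "Build with SCTP support" off \` ends in a continuation backslash that runs onto the empty added line after it, which should be dropped.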
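Review bot: The knob is renamed from `WITHOUT_OPENSSL_SSE2` to `WITHOUT_SSE2` here with no transitional mapping, and the following hunks do the same for `WITH_OPENSSL_COMPRESSION` (now `WITHOUT_ZLIB`) and `OPENSSL_WITH_386`/`BATCH` (now `WITH_I386`), so anyone carrying the old names in make.conf silently gets a different build. A short compatibility block for each old name, e.g. `.if defined(WITHOUT_OPENSSL_SSE2)` / `WITHOUT_SSE2= yes` / `.endif`, would keep existing configurations working, or at minimum the renames should be called out in the commit message. Note also that the zlib knob flips polarity: it was opt-in via `WITH_OPENSSL_COMPRESSION` and is now on unless `WITHOUT_ZLIB` is set, so existing builds pick up zlib compression by default.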
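Review bot: `.if defined(WITH_SCTP)` nests `.if ${OSVERSION} >= 700000` with no `.else`, so selecting the SCTP option on an older release silently builds without SCTP; an `.else` branch with `IGNORE= SCTP support requires FreeBSD 7.0 or later` would make that explicit. Related: `# freebsd-compatibility.patch` is commented out of `PATCHFILES+=` here while the distinfo hunk in this same commit adds MD5/SHA256/SIZE lines for it, so that checksum entry is dead — either restore the patch or drop its distinfo lines, and a comment saying why it is disabled would help. The `-DSCTP` added to `CFLAGS` only has an effect if the fetched patches guard on that macro, which cannot be confirmed from here.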
@@ -881,21 +900,30 @@ pre-everything:: OPENSSLDIR= ${PREFIX}/openssl MANPREFIX= ${PREFIX} -.if defined(BATCH) || defined(OPENSSL_WITH_386) +.if defined(WITH_I386) .if ${ARCH} == "i386" EXTRACONFIGURE+= 386 .endif .endif do-configure: +.if !defined(WITH_FIPS) ${RM} -rf ${WRKSRC}/fips ${RM} -f ${WRKSRC}/include/openssl/fips.h ${RM} -f ${WRKSRC}/include/openssl/fips_rand.h +.endif cd ${WRKSRC} \ && ${SETENV} CC="${CC}" FREEBSDCC="${CC}" CFLAGS="${CFLAGS}" PERL="${PERL}" \ - PTHREAD_CFLAGS=${PTHREAD_CFLAGS} PTHREAD_LIBS=${PTHREAD_LIBS} \ + PTHREAD_CFLAGS=${PTHREAD_CFLAGS} PTHREAD_LIBS=${PTHREAD_LIBS} \ ./config --prefix=${PREFIX} --openssldir=${OPENSSLDIR} \ - -L${PREFIX}/lib ${EXTRACONFIGURE} + -L${PREFIX}/lib ${EXTRACONFIGURE} +.if defined(WITH_FIPS) + @${REINPLACE_CMD} \ + -e 's|^MANDIR=.*$$|MANDIR=$$(MANPREFIX)/man|' \ + -e 's|lib/pkgconfig|libdata/pkgconfig|g' \ + -e 's|LIBVERSION=[^ ]* |LIBVERSION=$(OPENSSL_SHLIBVER) |' \ + ${WRKSRC}/Makefile +.else @${REINPLACE_CMD} \ -e 's|^MANDIR=.*$$|MANDIR=$$(MANPREFIX)/man|' \ -e 's|lib/pkgconfig|libdata/pkgconfig|g' \ @@ -920,6 +948,7 @@ do-configure: -e 's|$$(FIPS_RNGVS)$$(EXE_EXT)||' \ -e 's|$$(FIPS_TEST_SUITE)$$(EXE_EXT)||' \ ${WRKSRC}/test/Makefile +.endif @(cd ${BUILD_WRKSRC}/${i} && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} depend) post-install: diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 7e1cd3e7b8a2..e1ef639d69a4 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo 
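Review bot: In `do-configure`, the new `.if defined(WITH_FIPS)` branch repeats the same three `-e` expressions as the `.else` branch (`MANDIR`, `lib/pkgconfig`, `LIBVERSION`) against `${WRKSRC}/Makefile`; only the `${WRKSRC}/test/Makefile` edits in the `.else` branch, which continues past this hunk into the next one, differ, so the common `${REINPLACE_CMD}` call could be hoisted above the `.if` and the conditional reduced to the test-Makefile part. On the FIPS side, WITH_FIPS only skips the `${RM} -rf ${WRKSRC}/fips` and omits `no-fips` from `EXTRACONFIGURE`; no `fips` configure argument appears anywhere in the diff, so confirm that OpenSSL's `config` actually enables the FIPS code without one. Since the tree also carries the externally fetched DTLS/SCTP patches, a comment near the option such as `# WITH_FIPS builds the FIPS sources but does not produce a validated module` would set expectations for users who select it.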
@@ -1,3 +1,18 @@ MD5 (openssl-0.9.8k.tar.gz) = e555c6d58d276aec7fdc53363e338ab3 SHA256 (openssl-0.9.8k.tar.gz) = 7e7cd4f3974199b729e6e3a0af08bd4279fde0370a1120c1a3b351ab090c6101 SIZE (openssl-0.9.8k.tar.gz) = 3852259 +MD5 (dtls-bugs.patch) = dc6a79d5dd8e9eacfaa5e2ae05457df4 +SHA256 (dtls-bugs.patch) = e4929a3fbaa20b1c22b0ba218b8c2ab4c5df941c70d975e8672337620eca3422 +SIZE (dtls-bugs.patch) = 33268 +MD5 (freebsd-compatibility.patch) = 2c1dcf5c25509e2a929eeb05cb4baa66 +SHA256 (freebsd-compatibility.patch) = e5b78a56a461892a8fe2cb5f156f381d54dee82dbec8f5ed4fb6e48329ffb59b +SIZE (freebsd-compatibility.patch) = 399 +MD5 (tls-extractor.patch) = ac104f69472f37359d0fd8c6da56383f +SHA256 (tls-extractor.patch) = 091bde68933fbf23cfd402bd6bb90b23dc95702a7302c5706336d3eaaa2982f5 +SIZE (tls-extractor.patch) = 1329 +MD5 (abbreviated-renegotiation.patch) = 374a11933e52b4c5a85295cd6cf08ef3 +SHA256 (abbreviated-renegotiation.patch) = fc6a1f6b0f12c9c43f1c66fd716ac3d3f6cf51a466444758ff270640addf795e +SIZE (abbreviated-renegotiation.patch) = 6396 +MD5 (dtls-sctp.patch) = 146680bedb7fe104430a8d8c71927f9d +SHA256 (dtls-sctp.patch) = 0696ad1aa23d59274c8a3925397f5f37f75d1ee70d2c270665e3615ee1746edc +SIZE (dtls-sctp.patch) = 45747 diff --git a/security/openssl/files/patch-CVE-2009-1377 b/security/openssl/files/patch-CVE-2009-1377 deleted file mode 100644 index 9d0e941971d4..000000000000 --- a/security/openssl/files/patch-CVE-2009-1377 +++ /dev/null 
@@ -1,46 +0,0 @@ -Obtained-from: http://rt.openssl.org/Ticket/Attachment/22260/10159/dtls-record-buffer-bug-1.0.0.patch - ---- crypto/pqueue/pqueue.c 2005-12-20 08:03:10.000000000 +0100 -+++ crypto/pqueue/pqueue.c 2009-05-15 16:07:33.000000000 +0200 -@@ -237,3 +237,17 @@ - - return ret; - } -+ -+int -+pqueue_size(pqueue_s *pq) -+{ -+ pitem *item = pq->items; -+ int count = 0; -+ -+ while(item != NULL) -+ { -+ count++; -+ item = item->next; -+ } -+ return count; -+} - ---- crypto/pqueue/pqueue.h 2005-06-08 00:21:14.000000000 +0200 -+++ crypto/pqueue/pqueue.h 2009-05-15 16:07:03.000000000 +0200 -@@ -89,5 +89,6 @@ - pitem *pqueue_next(piterator *iter); - - void pqueue_print(pqueue pq); -+int pqueue_size(pqueue pq); - - #endif /* ! HEADER_PQUEUE_H */ - ---- ssl/d1_pkt.c 2009-04-23 18:32:40.000000000 +0200 -+++ ssl/d1_pkt.c 2009-05-15 16:06:23.000000000 +0200 -@@ -207,6 +207,10 @@ - DTLS1_RECORD_DATA *rdata; - pitem *item; - -+ /* Limit the size of the queue to prevent DOS attacks */ -+ if (pqueue_size(queue->q) >= 100) -+ return 0; -+ - rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); - item = pitem_new(priority, rdata); - if (rdata == NULL || item == NULL) diff --git a/security/openssl/files/patch-CVE-2009-1378 b/security/openssl/files/patch-CVE-2009-1378 deleted file mode 100644 index 9b00d550a64a..000000000000 --- a/security/openssl/files/patch-CVE-2009-1378 +++ /dev/null 
@@ -1,22 +0,0 @@ -Obtained-from: http://rt.openssl.org/Ticket/Attachment/22314/10203/dtls-fragment-memleak-bug.patch - ---- ssl/d1_both.c 2009-05-18 09:57:08.000000000 +0200 -+++ ssl/d1_both.c 2009-05-18 10:08:51.000000000 +0200 -@@ -561,7 +561,16 @@ - if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) - goto err; - -- if (msg_hdr->seq <= s->d1->handshake_read_seq) -+ /* Try to find item in queue, to prevent duplicate entries */ -+ pq_64bit_init(&seq64); -+ pq_64bit_assign_word(&seq64, msg_hdr->seq); -+ item = pqueue_find(s->d1->buffered_messages, seq64); -+ pq_64bit_free(&seq64); -+ -+ /* Discard the message if sequence number was already there, is -+ * too far in the future or the fragment is already in the queue */ -+ if (msg_hdr->seq <= s->d1->handshake_read_seq || -+ msg_hdr->seq > s->d1->handshake_read_seq + 10 || item != NULL) - { - unsigned char devnull [256]; - diff --git a/security/openssl/files/patch-kssl.c b/security/openssl/files/patch-kssl.c new file mode 100644 index 000000000000..e8ce3b22cff3 --- /dev/null +++ b/security/openssl/files/patch-kssl.c @@ -0,0 +1,14 @@ +--- ssl/kssl.c.orig 2009-02-14 22:50:13.000000000 +0100 ++++ ssl/kssl.c 2009-05-20 17:11:00.000000000 +0200 +@@ -68,11 +68,6 @@ + + #include <openssl/opensslconf.h> + +-#define _XOPEN_SOURCE 500 /* glibc2 needs this to declare strptime() */ +-#include <time.h> +-#if 0 /* experimental */ +-#undef _XOPEN_SOURCE /* To avoid clashes with anything else... */ +-#endif + #include <string.h> + + #define KRB5_PRIVATE 1 diff --git a/security/openssl/pkg-descr b/security/openssl/pkg-descr index eec6a81c8104..879200baf087 100644 --- a/security/openssl/pkg-descr +++ b/security/openssl/pkg-descr @@ -17,3 +17,4 @@ OpenSSL homepage: http://www.openssl.org/ WWW: http://www.openssl.org/ +WWW: http://sctp.fh-muenster.de/dtls-patches.html |
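Review bot: The new `files/patch-kssl.c` removes both the `#define _XOPEN_SOURCE 500` block and the `#include <time.h>` line from `ssl/kssl.c` but carries no comment explaining why, which is the first thing the next maintainer will need when the upstream file changes. A one-line header in the patch file (or in the commit message) naming the build problem it fixes would suffice; if the concern is only the feature-test macro, the `<time.h>` include could be kept, since dropping it leaves any time functions used in `kssl.c` dependent on transitive includes. I cannot see from this hunk whether `kssl.c` still compiles on all supported releases without that include.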