mirror of
https://git.FreeBSD.org/ports.git
synced 2024-12-26 05:02:18 +00:00
- Update to 0.9.7b
This commit is contained in:
parent
7d2f60a86e
commit
ca0b5f5d3e
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=78755
@ -9,8 +9,7 @@ PORTNAME= openssl
|
||||
.ifdef OPENSSL_SNAPSHOT
|
||||
PORTREVISION!= date -v-1d +%Y%m%d
|
||||
.else
|
||||
PORTVERSION= 0.9.7a
|
||||
PORTREVISION= 2
|
||||
PORTVERSION= 0.9.7b
|
||||
.endif
|
||||
CATEGORIES= security devel
|
||||
.ifdef OPENSSL_SNAPSHOT
|
||||
|
@ -1 +1 @@
|
||||
MD5 (openssl-0.9.7a.tar.gz) = a0d3203ecf10989fdc61c784ae82e531
|
||||
MD5 (openssl-0.9.7b.tar.gz) = fae4bec090fa78e20f09d76d55b6ccff
|
||||
|
@ -1,6 +1,6 @@
|
||||
--- Makefile.org.orig Thu Apr 5 13:08:02 2001
|
||||
+++ Makefile.org Sat Oct 12 22:10:18 2002
|
||||
@@ -171,7 +171,7 @@
|
||||
--- Makefile.org.orig Tue Apr 8 13:54:32 2003
|
||||
+++ Makefile.org Fri Apr 11 20:01:14 2003
|
||||
@@ -191,7 +191,7 @@
|
||||
MAKEFILE= Makefile.ssl
|
||||
MAKE= make -f Makefile.ssl
|
||||
|
||||
@ -9,11 +9,10 @@
|
||||
MAN1=1
|
||||
MAN3=3
|
||||
SHELL=/bin/sh
|
||||
@@ -250,6 +250,21 @@
|
||||
done
|
||||
@@ -274,6 +274,21 @@
|
||||
|
||||
build-shared: clean-shared do_$(SHLIB_TARGET) link-shared
|
||||
+
|
||||
|
||||
+freebsd-shared:
|
||||
+ for i in ${SHLIBDIRS}; do \
|
||||
+ rm -f lib$$i.a lib$$i.so \
|
||||
@ -28,6 +27,16 @@
|
||||
+ for i in ${SHLIBDIRS}; do \
|
||||
+ ln -s lib$$i.so.${SHLIBVER} lib$$i.so; \
|
||||
+ done;
|
||||
|
||||
+
|
||||
do_bsd-gcc-shared: do_gnu-shared
|
||||
do_linux-shared: do_gnu-shared
|
||||
do_gnu-shared:
|
||||
@@ -593,7 +608,7 @@
|
||||
@false
|
||||
|
||||
libclean:
|
||||
- rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib
|
||||
+ rm -f *.map *.So *.So.* engines/*.so *.a */lib */*/lib
|
||||
|
||||
clean: libclean
|
||||
rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
|
@ -1,77 +0,0 @@
|
||||
Index: crypto/rsa/rsa_eay.c
|
||||
===================================================================
|
||||
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v
|
||||
retrieving revision 1.28.2.3
|
||||
diff -u -r1.28.2.3 rsa_eay.c
|
||||
--- crypto/rsa/rsa_eay.c 30 Jan 2003 17:37:46 -0000 1.28.2.3
|
||||
+++ crypto/rsa/rsa_eay.c 16 Mar 2003 10:34:13 -0000
|
||||
@@ -195,6 +195,25 @@
|
||||
return(r);
|
||||
}
|
||||
|
||||
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
|
||||
+ {
|
||||
+ int ret = 1;
|
||||
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
|
||||
+ /* Check again inside the lock - the macro's check is racey */
|
||||
+ if(rsa->blinding == NULL)
|
||||
+ ret = RSA_blinding_on(rsa, ctx);
|
||||
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
|
||||
+ return ret;
|
||||
+ }
|
||||
+
|
||||
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
|
||||
+ do { \
|
||||
+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
|
||||
+ ((rsa)->blinding == NULL) && \
|
||||
+ !rsa_eay_blinding(rsa, ctx)) \
|
||||
+ err_instr \
|
||||
+ } while(0)
|
||||
+
|
||||
/* signing */
|
||||
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
|
||||
unsigned char *to, RSA *rsa, int padding)
|
||||
@@ -239,8 +258,8 @@
|
||||
goto err;
|
||||
}
|
||||
|
||||
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
|
||||
- RSA_blinding_on(rsa,ctx);
|
||||
+ BLINDING_HELPER(rsa, ctx, goto err;);
|
||||
+
|
||||
if (rsa->flags & RSA_FLAG_BLINDING)
|
||||
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
|
||||
|
||||
@@ -318,8 +337,8 @@
|
||||
goto err;
|
||||
}
|
||||
|
||||
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
|
||||
- RSA_blinding_on(rsa,ctx);
|
||||
+ BLINDING_HELPER(rsa, ctx, goto err;);
|
||||
+
|
||||
if (rsa->flags & RSA_FLAG_BLINDING)
|
||||
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
|
||||
|
||||
Index: crypto/rsa/rsa_lib.c
|
||||
===================================================================
|
||||
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v
|
||||
retrieving revision 1.30.2.2
|
||||
diff -u -r1.30.2.2 rsa_lib.c
|
||||
--- crypto/rsa/rsa_lib.c 30 Jan 2003 17:37:46 -0000 1.30.2.2
|
||||
+++ crypto/rsa/rsa_lib.c 16 Mar 2003 10:34:13 -0000
|
||||
@@ -72,7 +72,13 @@
|
||||
|
||||
RSA *RSA_new(void)
|
||||
{
|
||||
- return(RSA_new_method(NULL));
|
||||
+ RSA *r=RSA_new_method(NULL);
|
||||
+
|
||||
+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
|
||||
+ r->flags|=RSA_FLAG_BLINDING;
|
||||
+#endif
|
||||
+
|
||||
+ return r;
|
||||
}
|
||||
|
||||
void RSA_set_default_method(const RSA_METHOD *meth)
|
@ -1,53 +0,0 @@
|
||||
--- ssl/s3_srvr.c 29 Nov 2002 11:31:51 -0000 1.85.2.14
|
||||
+++ ssl/s3_srvr.c 19 Mar 2003 18:00:00 -0000
|
||||
@@ -1447,7 +1447,7 @@
|
||||
if (i != SSL_MAX_MASTER_KEY_LENGTH)
|
||||
{
|
||||
al=SSL_AD_DECODE_ERROR;
|
||||
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
|
||||
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
|
||||
}
|
||||
|
||||
if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
|
||||
@@ -1463,30 +1463,29 @@
|
||||
(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
|
||||
{
|
||||
al=SSL_AD_DECODE_ERROR;
|
||||
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
|
||||
- goto f_err;
|
||||
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
|
||||
+
|
||||
+ /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
|
||||
+ * (http://eprint.iacr.org/2003/052/) exploits the version
|
||||
+ * number check as a "bad version oracle" -- an alert would
|
||||
+ * reveal that the plaintext corresponding to some ciphertext
|
||||
+ * made up by the adversary is properly formatted except
|
||||
+ * that the version number is wrong. To avoid such attacks,
|
||||
+ * we should treat this just like any other decryption error. */
|
||||
+ p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";
|
||||
}
|
||||
}
|
||||
|
||||
if (al != -1)
|
||||
{
|
||||
-#if 0
|
||||
- goto f_err;
|
||||
-#else
|
||||
/* Some decryption failure -- use random value instead as countermeasure
|
||||
* against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
|
||||
- * (see RFC 2246, section 7.4.7.1).
|
||||
- * But note that due to length and protocol version checking, the
|
||||
- * attack is impractical anyway (see section 5 in D. Bleichenbacher:
|
||||
- * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
|
||||
- * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
|
||||
- */
|
||||
+ * (see RFC 2246, section 7.4.7.1). */
|
||||
ERR_clear_error();
|
||||
i = SSL_MAX_MASTER_KEY_LENGTH;
|
||||
p[0] = s->client_version >> 8;
|
||||
p[1] = s->client_version & 0xff;
|
||||
RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
|
||||
-#endif
|
||||
}
|
||||
|
||||
s->session->master_key_length=
|
Loading…
Reference in New Issue
Block a user