1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-26 05:02:18 +00:00

- Update to 0.9.7b

This commit is contained in:
Dirk Meyer 2003-04-11 18:29:57 +00:00
parent 7d2f60a86e
commit ca0b5f5d3e
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=78755
5 changed files with 18 additions and 140 deletions

View File

@ -9,8 +9,7 @@ PORTNAME= openssl
.ifdef OPENSSL_SNAPSHOT
PORTREVISION!= date -v-1d +%Y%m%d
.else
PORTVERSION= 0.9.7a
PORTREVISION= 2
PORTVERSION= 0.9.7b
.endif
CATEGORIES= security devel
.ifdef OPENSSL_SNAPSHOT

View File

@ -1 +1 @@
MD5 (openssl-0.9.7a.tar.gz) = a0d3203ecf10989fdc61c784ae82e531
MD5 (openssl-0.9.7b.tar.gz) = fae4bec090fa78e20f09d76d55b6ccff

View File

@ -1,6 +1,6 @@
--- Makefile.org.orig Thu Apr 5 13:08:02 2001
+++ Makefile.org Sat Oct 12 22:10:18 2002
@@ -171,7 +171,7 @@
--- Makefile.org.orig Tue Apr 8 13:54:32 2003
+++ Makefile.org Fri Apr 11 20:01:14 2003
@@ -191,7 +191,7 @@
MAKEFILE= Makefile.ssl
MAKE= make -f Makefile.ssl
@ -9,11 +9,10 @@
MAN1=1
MAN3=3
SHELL=/bin/sh
@@ -250,6 +250,21 @@
done
@@ -274,6 +274,21 @@
build-shared: clean-shared do_$(SHLIB_TARGET) link-shared
+
+freebsd-shared:
+ for i in ${SHLIBDIRS}; do \
+ rm -f lib$$i.a lib$$i.so \
@ -28,6 +27,16 @@
+ for i in ${SHLIBDIRS}; do \
+ ln -s lib$$i.so.${SHLIBVER} lib$$i.so; \
+ done;
+
do_bsd-gcc-shared: do_gnu-shared
do_linux-shared: do_gnu-shared
do_gnu-shared:
@@ -593,7 +608,7 @@
@false
libclean:
- rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib
+ rm -f *.map *.So *.So.* engines/*.so *.a */lib */*/lib
clean: libclean
rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c

View File

@ -1,77 +0,0 @@
Index: crypto/rsa/rsa_eay.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v
retrieving revision 1.28.2.3
diff -u -r1.28.2.3 rsa_eay.c
--- crypto/rsa/rsa_eay.c 30 Jan 2003 17:37:46 -0000 1.28.2.3
+++ crypto/rsa/rsa_eay.c 16 Mar 2003 10:34:13 -0000
@@ -195,6 +195,25 @@
return(r);
}
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+ {
+ int ret = 1;
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ /* Check again inside the lock - the macro's check is racey */
+ if(rsa->blinding == NULL)
+ ret = RSA_blinding_on(rsa, ctx);
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ return ret;
+ }
+
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+ do { \
+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
+ ((rsa)->blinding == NULL) && \
+ !rsa_eay_blinding(rsa, ctx)) \
+ err_instr \
+ } while(0)
+
/* signing */
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
@@ -239,8 +258,8 @@
goto err;
}
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;);
+
if (rsa->flags & RSA_FLAG_BLINDING)
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
@@ -318,8 +337,8 @@
goto err;
}
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;);
+
if (rsa->flags & RSA_FLAG_BLINDING)
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
Index: crypto/rsa/rsa_lib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v
retrieving revision 1.30.2.2
diff -u -r1.30.2.2 rsa_lib.c
--- crypto/rsa/rsa_lib.c 30 Jan 2003 17:37:46 -0000 1.30.2.2
+++ crypto/rsa/rsa_lib.c 16 Mar 2003 10:34:13 -0000
@@ -72,7 +72,13 @@
RSA *RSA_new(void)
{
- return(RSA_new_method(NULL));
+ RSA *r=RSA_new_method(NULL);
+
+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
+ r->flags|=RSA_FLAG_BLINDING;
+#endif
+
+ return r;
}
void RSA_set_default_method(const RSA_METHOD *meth)

View File

@ -1,53 +0,0 @@
--- ssl/s3_srvr.c 29 Nov 2002 11:31:51 -0000 1.85.2.14
+++ ssl/s3_srvr.c 19 Mar 2003 18:00:00 -0000
@@ -1447,7 +1447,7 @@
if (i != SSL_MAX_MASTER_KEY_LENGTH)
{
al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
}
if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
@@ -1463,30 +1463,29 @@
(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
{
al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
- goto f_err;
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
+
+ /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
+ * (http://eprint.iacr.org/2003/052/) exploits the version
+ * number check as a "bad version oracle" -- an alert would
+ * reveal that the plaintext corresponding to some ciphertext
+ * made up by the adversary is properly formatted except
+ * that the version number is wrong. To avoid such attacks,
+ * we should treat this just like any other decryption error. */
+ p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";
}
}
if (al != -1)
{
-#if 0
- goto f_err;
-#else
/* Some decryption failure -- use random value instead as countermeasure
* against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
- * (see RFC 2246, section 7.4.7.1).
- * But note that due to length and protocol version checking, the
- * attack is impractical anyway (see section 5 in D. Bleichenbacher:
- * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
- * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
- */
+ * (see RFC 2246, section 7.4.7.1). */
ERR_clear_error();
i = SSL_MAX_MASTER_KEY_LENGTH;
p[0] = s->client_version >> 8;
p[1] = s->client_version & 0xff;
RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
-#endif
}
s->session->master_key_length=