Subject: CVS commit: pkgsrc/security/openssl
To: None <>
From: Frederick Bruckman <>
List: pkgsrc-changes
Date: 08/04/2002 18:47:49
Module Name:	pkgsrc
Committed By:	fredb
Date:		Sun Aug  4 15:47:48 UTC 2002

Modified Files:
	pkgsrc/security/openssl: MESSAGE Makefile PLIST.common PLIST.darwin
	    PLIST.netbsd distinfo
	pkgsrc/security/openssl/patches: patch-aa patch-ab patch-ac
Added Files:
	pkgsrc/security/openssl/patches: patch-ad patch-ae patch-af patch-ag
Removed Files:
	pkgsrc/security/openssl/files: makelib
	pkgsrc/security/openssl/patches: patch-ai patch-aj

Log Message:
Update openssl to 0.9.6e. This update fixes multiple vulnerabilities,
and also changes the ABI of "libcrypto" and "libssl". (So the shared
library majors and buildlink requirements are bumped, too.) The code
base is now synced perfectly with NetBSD HEAD and netbsd-1-6 branches
as of 2002-08-04, the optimization levels are reduced to "-O2", but
I've retained some of the processor optimization flags and different code
path #defines in the "Configure" script, just to keep things interesting.

The default "certs" directory on NetBSD is now "/etc/openssl/certs", to
give continuity to those who find themselves using the package system's
"openssl" after upgrading a package that formerly used the base system's.
[Suggested by itojun.] The best way to avoid such problems, however, is
to upgrade your base system *first*.

I'm making use of the new and improved build system as much as possible.
This gives us a cleaner way to make shared libraries and real man pages,
but loses many of the symlinks to the openssl binary.

I've culled items from the "CHANGES" file that appear to have security
implications or are particularly interesting for NetBSD users, below.
My comments are marked off with '===>'.

===> This is from the netbsd-20020804-patch

  *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
     and get fix the header length calculation.
     [Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>,
      Alon Kantor <> (and others),
      Steve Henson]

 Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]

  *) New option
     for disabling the SSL 3.0/TLS 1.0 CBC vulnerability countermeasure
     that was added in OpenSSL 0.9.6d.

     As the countermeasure turned out to be incompatible with some
     broken SSL implementations, the new option is part of SSL_OP_ALL.
     SSL_OP_ALL is usually employed when compatibility with weird SSL
     implementations is desired (e.g. '-bugs' option to 's_client' and
     's_server'), so the new option is automatically set in many
     [Bodo Moeller]

  *) Changes in security patch:

     Changes marked "(CHATS)" were sponsored by the Defense Advanced
     Research Projects Agency (DARPA) and Air Force Research Laboratory,
     Air Force Materiel Command, USAF, under agreement number

  *) Add various sanity checks to asn1_get_length() to reject
     the ASN1 length bytes if they exceed sizeof(long), will appear
     negative or the content length exceeds the length of the
     supplied buffer.
     [Steve Henson, Adi Stav <>, James Yonan <>]

  *) Assertions for various potential buffer overflows, not known to
     happen in practice.
     [Ben Laurie (CHATS)]

  *) Various temporary buffers to hold ASCII versions of integers were
     too small for 64 bit platforms. (CAN-2002-0655)
     [Matthew Byng-Maddick <> and Ben Laurie (CHATS)>

  *) Remote buffer overflow in SSL3 protocol - an attacker could
     supply an oversized session ID to a client. (CAN-2002-0656)
     [Ben Laurie (CHATS)]

  *) Remote buffer overflow in SSL2 protocol - an attacker could
     supply an oversized client master key. (CAN-2002-0656)
     [Ben Laurie (CHATS)]

 Changes between 0.9.6c and 0.9.6d  [9 May 2002]

  *) Implement a countermeasure against a vulnerability recently found
     in CBC ciphersuites in SSL 3.0/TLS 1.0: Send an empty fragment
     before application data chunks to avoid the use of known IVs
     with data potentially chosen by the attacker.
     [Bodo Moeller]

 Changes between 0.9.6a and 0.9.6b  [9 Jul 2001]

  *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
     to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
     Markku-Juhani O. Saarinen <>:
     PRNG state recovery was possible based on the output of
     one PRNG request appropriately sized to gain knowledge on
     'md' followed by enough consecutive 1-byte PRNG requests
     to traverse all of 'state'.

     1. When updating 'md_local' (the current thread's copy of 'md')
        during PRNG output generation, hash all of the previous
        'md_local' value, not just the half used for PRNG output.

     2. Make the number of bytes from 'state' included into the hash
        independent from the number of PRNG bytes requested.

     The first measure alone would be sufficient to avoid
     Markku-Juhani's attack.  (Actually it had never occurred
     to me that the half of 'md_local' used for chaining was the
     half from which PRNG output bytes were taken -- I had always
     assumed that the secret half would be used.)  The second
     measure makes sure that additional data from 'state' is never
     mixed into 'md_local' in small portions; this heuristically
     further strengthens the PRNG.
     [Bodo Moeller]

  *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
     RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
     when fixing the server behaviour for backwards-compatible 'client
     hello' messages.  (Note that the attack is impractical against
     SSL 3.0 and TLS 1.0 anyway because length and version checking
     means that the probability of guessing a valid ciphertext is
     around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98

     Before 0.9.5, the countermeasure (hide the error by generating a
     random 'decryption result') did not work properly because
     ERR_clear_error() was missing, meaning that SSL_get_error() would
     detect the supposedly ignored error.

     Both problems are now fixed.
     [Bodo Moeller]

 Changes between 0.9.6 and 0.9.6a  [5 Apr 2001]

===> This is our ABI change.

  *) Rename 'des_encrypt' to 'des_encrypt1'.  This avoids the clashes
     with des_encrypt() defined on some operating systems, like Solaris
     and UnixWare.
     [Richard Levitte]

  *) Don't use getenv in library functions when run as setuid/setgid.
     New function OPENSSL_issetugid().
     [Ulf Moeller]

  *) Store verify_result within SSL_SESSION also for client side to
     avoid potential security hole. (Re-used sessions on the client side
     always resulted in verify_result==X509_V_OK, not using the original
     result of the server certificate verification.)
     [Lutz Jaenicke]

===> package doesn't doesn't do this. We'll bump major versions
===> as necessary.

  *) Make sure that shared libraries get the internal name engine with
     the full version number and not just 0.  This should mark the
     shared libraries as not backward compatible.  Of course, this should
     be changed again when we can guarantee backward binary compatibility.
     [Richard Levitte]

  *) Rework the system to generate shared libraries:

     - Make note of the expected extension for the shared libraries and
       if there is a need for symbolic links from for example
       to  There is extended info in Configure for

     - Make as few rebuilds of the shared libraries as possible.

     - Still avoid linking the OpenSSL programs with the shared libraries.

     - When installing, install the shared libraries separately from the
       static ones.

To generate a diff of this commit:
cvs rdiff -r1.1 -r1.2 pkgsrc/security/openssl/MESSAGE \
    pkgsrc/security/openssl/PLIST.darwin pkgsrc/security/openssl/PLIST.netbsd
cvs rdiff -r1.52 -r1.53 pkgsrc/security/openssl/Makefile
cvs rdiff -r1.3 -r1.4 pkgsrc/security/openssl/PLIST.common
cvs rdiff -r1.13 -r1.14 pkgsrc/security/openssl/
cvs rdiff -r1.8 -r1.9 pkgsrc/security/openssl/distinfo
cvs rdiff -r1.1 -r0 pkgsrc/security/openssl/files/
cvs rdiff -r1.2 -r0 pkgsrc/security/openssl/files/makelib
cvs rdiff -r1.8 -r1.9 pkgsrc/security/openssl/patches/patch-aa
cvs rdiff -r1.7 -r1.8 pkgsrc/security/openssl/patches/patch-ab
cvs rdiff -r1.4 -r1.5 pkgsrc/security/openssl/patches/patch-ac
cvs rdiff -r0 -r1.6 pkgsrc/security/openssl/patches/patch-ad
cvs rdiff -r0 -r1.5 pkgsrc/security/openssl/patches/patch-ae
cvs rdiff -r0 -r1.4 pkgsrc/security/openssl/patches/patch-af \
cvs rdiff -r1.2 -r0 pkgsrc/security/openssl/patches/patch-ai
cvs rdiff -r1.5 -r0 pkgsrc/security/openssl/patches/patch-aj

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.