head 1.4; access; symbols pkgsrc-2017Q4:1.3.0.18 pkgsrc-2017Q4-base:1.3 pkgsrc-2017Q3:1.3.0.16 pkgsrc-2017Q3-base:1.3 pkgsrc-2017Q2:1.3.0.12 pkgsrc-2017Q2-base:1.3 pkgsrc-2017Q1:1.3.0.10 pkgsrc-2017Q1-base:1.3 pkgsrc-2016Q4:1.3.0.8 pkgsrc-2016Q4-base:1.3 pkgsrc-2016Q3:1.3.0.6 pkgsrc-2016Q3-base:1.3 pkgsrc-2016Q2:1.3.0.4 pkgsrc-2016Q2-base:1.3 pkgsrc-2016Q1:1.3.0.2 pkgsrc-2016Q1-base:1.3 pkgsrc-2015Q4:1.2.0.34 pkgsrc-2015Q4-base:1.2 pkgsrc-2015Q3:1.2.0.32 pkgsrc-2015Q3-base:1.2 pkgsrc-2015Q2:1.2.0.30 pkgsrc-2015Q2-base:1.2 pkgsrc-2015Q1:1.2.0.28 pkgsrc-2015Q1-base:1.2 pkgsrc-2014Q4:1.2.0.26 pkgsrc-2014Q4-base:1.2 pkgsrc-2014Q3:1.2.0.24 pkgsrc-2014Q3-base:1.2 pkgsrc-2014Q2:1.2.0.22 pkgsrc-2014Q2-base:1.2 pkgsrc-2014Q1:1.2.0.20 pkgsrc-2014Q1-base:1.2 pkgsrc-2013Q4:1.2.0.18 pkgsrc-2013Q4-base:1.2 pkgsrc-2013Q3:1.2.0.16 pkgsrc-2013Q3-base:1.2 pkgsrc-2013Q2:1.2.0.14 pkgsrc-2013Q2-base:1.2 pkgsrc-2013Q1:1.2.0.12 pkgsrc-2013Q1-base:1.2 pkgsrc-2012Q4:1.2.0.10 pkgsrc-2012Q4-base:1.2 pkgsrc-2012Q3:1.2.0.8 pkgsrc-2012Q3-base:1.2 pkgsrc-2012Q2:1.2.0.6 pkgsrc-2012Q2-base:1.2 pkgsrc-2012Q1:1.2.0.4 pkgsrc-2012Q1-base:1.2 pkgsrc-2011Q4:1.2.0.2 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q3:1.1.0.24 pkgsrc-2011Q3-base:1.1 pkgsrc-2011Q2:1.1.0.22 pkgsrc-2011Q2-base:1.1 pkgsrc-2011Q1:1.1.0.20 pkgsrc-2011Q1-base:1.1 pkgsrc-2010Q4:1.1.0.18 pkgsrc-2010Q4-base:1.1 pkgsrc-2010Q3:1.1.0.16 pkgsrc-2010Q3-base:1.1 pkgsrc-2010Q2:1.1.0.14 pkgsrc-2010Q2-base:1.1 pkgsrc-2010Q1:1.1.0.12 pkgsrc-2010Q1-base:1.1 pkgsrc-2009Q4:1.1.0.10 pkgsrc-2009Q4-base:1.1 pkgsrc-2009Q3:1.1.0.8 pkgsrc-2009Q3-base:1.1 pkgsrc-2009Q2:1.1.0.6 pkgsrc-2009Q2-base:1.1 pkgsrc-2009Q1:1.1.0.4 pkgsrc-2009Q1-base:1.1 pkgsrc-2008Q4:1.1.0.2 pkgsrc-2008Q4-base:1.1; locks; strict; comment @# @; 1.4 date 2018.01.31.09.14.56; author markd; state dead; branches; next 1.3; commitid iRpQlDVOSkiay0pA; 1.3 date 2016.03.29.23.04.01; author khorben; state Exp; branches; next 1.2; commitid DG3iFPrs2OwdMA0z; 1.2 date 2011.12.17.12.46.51; author marino; state Exp; branches; next 1.1; 1.1 date 2008.12.30.15.13.28; author stacktic; state Exp; branches; next ; desc @@ 1.4 log @qca2{,-qt5}{,-gnupg,-ossl}: update to 2.1.0 New in 2.1.0 - Ported to Qt5 (Qt4 also supported) - New building system. CMake instead of qmake - Added CTR symetric cipher support to qca core - Added no padding encryption algorithm to qca core - qcatool2 renamed to qcatool - fixed crash in qcatool when only options provided on command line without any commands - Use plugins installation path as hard-coded runtime plugins search path - Added new functiion pluginPaths - Added functions to get runtime QCA version - Fixed 'no watch file' warnings in FileWatch - Added EME_PKCS1v15_SSL Encryption Algorithm - New implementation of SafeTimer to prevent crashes - Updated certificates for unittests - RSA Keys are permutable, can encrypt with private and decrypt with public - Add unloadProvider() function for symmetry with insertProvider() - Overloaded "makeKey" to derive a password depending on a time factor - Remove pointer to deinit() routine from QCoreApplication at deinitialization - Fix a couple of crashes where all plugins might not be available - Fix operating on keys with unrelated expired subkeys - Fixed timers in Synchronizer class - Dropped randomunittest - Fixed many unittests - qca-gnupg: internal refactoring - qca-gnupg: try both gpg and gpg2 to find gnupg executable - qca-gnupg: fixed some encodings problem - qca-ossl: no DSA_* dl groups in FIPS specification - qca-ossl: added missed signatures to CRLContext - qca-ossl: fixed certs time zone - qca-nss: fixed KeyLenght for Cipher - qca-botan: fixed getting result size for ciphers @ text @$NetBSD: patch-aa,v 1.3 2016/03/29 23:04:01 khorben Exp $ Remove support for SSLv2 --- qca-ossl.cpp.orig 2007-12-11 06:34:57.000000000 +0000 +++ qca-ossl.cpp @@@@ -42,6 +42,15 @@@@ #define OSSL_097 #endif +#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10000000L +// OpenSSL 1.0.0 makes a few changes that aren't very C++ friendly... +// Among other things, CHECKED_PTR_OF returns a void*, but is used in +// contexts requiring STACK pointers. +#undef CHECKED_PTR_OF +#define CHECKED_PTR_OF(type, p) \ + ((_STACK*) (1 ? p : (type*)0)) +#endif + using namespace QCA; namespace opensslQCAPlugin { @@@@ -327,7 +336,7 @@@@ static X509_EXTENSION *new_subject_key_i X509V3_CTX ctx; X509V3_set_ctx_nodb(&ctx); X509V3_set_ctx(&ctx, NULL, cert, NULL, NULL, 0); - X509_EXTENSION *ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, "hash"); + X509_EXTENSION *ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, (char *)"hash"); return ex; } @@@@ -1182,6 +1191,7 @@@@ public: { pkey = from.pkey; CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); + raw_type = false; state = Idle; } @@@@ -1226,6 +1236,7 @@@@ public: } else { + raw_type = false; EVP_MD_CTX_init(&mdctx); if(!EVP_VerifyInit_ex(&mdctx, type, NULL)) state = VerifyError; @@@@ -1771,8 +1782,10 @@@@ public: md = EVP_sha1(); else if(alg == EMSA3_MD5) md = EVP_md5(); +#ifdef HAVE_OPENSSL_MD2 else if(alg == EMSA3_MD2) md = EVP_md2(); +#endif else if(alg == EMSA3_RIPEMD160) md = EVP_ripemd160(); else if(alg == EMSA3_Raw) @@@@ -1789,8 +1802,10 @@@@ public: md = EVP_sha1(); else if(alg == EMSA3_MD5) md = EVP_md5(); +#ifdef HAVE_OPENSSL_MD2 else if(alg == EMSA3_MD2) md = EVP_md2(); +#endif else if(alg == EMSA3_RIPEMD160) md = EVP_ripemd160(); else if(alg == EMSA3_Raw) @@@@ -3385,9 +3400,11 @@@@ public: case NID_md5WithRSAEncryption: p.sigalgo = QCA::EMSA3_MD5; break; +#ifdef HAVE_OPENSSL_MD2 case NID_md2WithRSAEncryption: p.sigalgo = QCA::EMSA3_MD2; break; +#endif case NID_ripemd160WithRSA: p.sigalgo = QCA::EMSA3_RIPEMD160; break; @@@@ -3871,9 +3888,11 @@@@ public: case NID_md5WithRSAEncryption: p.sigalgo = QCA::EMSA3_MD5; break; +#ifdef HAVE_OPENSSL_MD2 case NID_md2WithRSAEncryption: p.sigalgo = QCA::EMSA3_MD2; break; +#endif case NID_ripemd160WithRSA: p.sigalgo = QCA::EMSA3_RIPEMD160; break; @@@@ -4061,9 +4080,11 @@@@ public: case NID_md5WithRSAEncryption: p.sigalgo = QCA::EMSA3_MD5; break; +#ifdef HAVE_OPENSSL_MD2 case NID_md2WithRSAEncryption: p.sigalgo = QCA::EMSA3_MD2; break; +#endif case NID_ripemd160WithRSA: p.sigalgo = QCA::EMSA3_RIPEMD160; break; @@@@ -5128,14 +5149,21 @@@@ public: v_eof = false; } + // dummy verification function for SSL_set_verify() + static int ssl_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx) + { + Q_UNUSED(preverify_ok); + Q_UNUSED(x509_ctx); + + // don't terminate handshake in case of verification failure + return 1; + } + virtual QStringList supportedCipherSuites(const TLS::Version &version) const { OpenSSL_add_ssl_algorithms(); SSL_CTX *ctx = 0; switch (version) { - case TLS::SSL_v2: - ctx = SSL_CTX_new(SSLv2_client_method()); - break; case TLS::SSL_v3: ctx = SSL_CTX_new(SSLv3_client_method()); break; @@@@ -5151,6 +5179,8 @@@@ public: if (NULL == ctx) return QStringList(); + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2); + SSL *ssl = SSL_new(ctx); if (NULL == ssl) { SSL_CTX_free(ctx); @@@@ -5692,6 +5722,14 @@@@ public: } } + // request a certificate from the client, if in server mode + if(serv) + { + SSL_set_verify(ssl, + SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE, + ssl_verify_callback); + } + return true; } @@@@ -6155,6 +6193,7 @@@@ public: i2d_PKCS7_bio(bo, p7); //PEM_write_bio_PKCS7(bo, p7); out = bio2ba(bo); + PKCS7_free(p7); } else { @@@@ -6582,7 +6621,9 @@@@ static QStringList all_hash_types() list += "sha1"; list += "sha0"; list += "ripemd160"; +#ifdef HAVE_OPENSSL_MD2 list += "md2"; +#endif list += "md4"; list += "md5"; #ifdef SHA224_DIGEST_LENGTH @@@@ -6597,9 +6638,11 @@@@ static QStringList all_hash_types() #ifdef SHA512_DIGEST_LENGTH list += "sha512"; #endif +/* #ifdef OBJ_whirlpool list += "whirlpool"; #endif +*/ return list; } @@@@ -6671,7 +6714,7 @@@@ public: { } - Context *clone() const + Provider::Context *clone() const { return new opensslInfoContext(*this); } @@@@ -6692,6 +6735,34 @@@@ public: } }; +class opensslRandomContext : public RandomContext +{ +public: + opensslRandomContext(QCA::Provider *p) : RandomContext(p) + { + } + + Context *clone() const + { + return new opensslRandomContext(*this); + } + + QCA::SecureArray nextBytes(int size) + { + QCA::SecureArray buf(size); + int r; + // FIXME: loop while we don't have enough random bytes. + while (true) { + r = RAND_bytes((unsigned char*)(buf.data()), size); + if (r == 1) break; // success + r = RAND_pseudo_bytes((unsigned char*)(buf.data()), + size); + if (r >= 0) break; // accept insecure random numbers + } + return buf; + } +}; + } using namespace opensslQCAPlugin; @@@@ -6711,11 +6782,14 @@@@ public: OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); - srand(time(NULL)); - char buf[128]; - for(int n = 0; n < 128; ++n) - buf[n] = rand(); - RAND_seed(buf, 128); + // seed the RNG if it's not seeded yet + if (RAND_status() == 0) { + qsrand(time(NULL)); + char buf[128]; + for(int n = 0; n < 128; ++n) + buf[n] = qrand(); + RAND_seed(buf, 128); + } openssl_initted = true; } @@@@ -6754,10 +6828,13 @@@@ public: QStringList features() const { QStringList list; + list += "random"; list += all_hash_types(); list += all_mac_types(); list += all_cipher_types(); +#ifdef HAVE_OPENSSL_MD2 list += "pbkdf1(md2)"; +#endif list += "pbkdf1(sha1)"; list += "pbkdf2(sha1)"; list += "pkey"; @@@@ -6780,7 +6857,9 @@@@ public: Context *createContext(const QString &type) { //OpenSSL_add_all_digests(); - if ( type == "info" ) + if ( type == "random" ) + return new opensslRandomContext(this); + else if ( type == "info" ) return new opensslInfoContext(this); else if ( type == "sha1" ) return new opensslHashContext( EVP_sha1(), this, type); @@@@ -6788,8 +6867,10 @@@@ public: return new opensslHashContext( EVP_sha(), this, type); else if ( type == "ripemd160" ) return new opensslHashContext( EVP_ripemd160(), this, type); +#ifdef HAVE_OPENSSL_MD2 else if ( type == "md2" ) return new opensslHashContext( EVP_md2(), this, type); +#endif else if ( type == "md4" ) return new opensslHashContext( EVP_md4(), this, type); else if ( type == "md5" ) @@@@ -6810,14 +6891,18 @@@@ public: else if ( type == "sha512" ) return new opensslHashContext( EVP_sha512(), this, type); #endif +/* #ifdef OBJ_whirlpool else if ( type == "whirlpool" ) return new opensslHashContext( EVP_whirlpool(), this, type); #endif +*/ else if ( type == "pbkdf1(sha1)" ) return new opensslPbkdf1Context( EVP_sha1(), this, type ); +#ifdef HAVE_OPENSSL_MD2 else if ( type == "pbkdf1(md2)" ) return new opensslPbkdf1Context( EVP_md2(), this, type ); +#endif else if ( type == "pbkdf2(sha1)" ) return new opensslPbkdf2Context( this, type ); else if ( type == "hmac(md5)" ) @ 1.3 log @Remove support for SSLv2 This fixes the build with the newest OpenSSL from pkgsrc. Bump revision. @ text @d1 1 a1 1 $NetBSD: patch-aa,v 1.2 2011/12/17 12:46:51 marino Exp $ @ 1.2 log @security/qca2-ossl: Support OpenSSL 1.0 DragonFly in on OpenSSL 1.0 and this package wasn't building due to the missing MD5 digest that no longer builds by default on the latest versions of OpenSSL. FreeBSD already ran into this and patched qca-ossl, and this ports their fix to pkgsrc. @ text @d1 1 a1 1 $NetBSD: patch-aa,v 1.1 2008/12/30 15:13:28 stacktic Exp $ d3 3 a5 1 --- qca-ossl.cpp.orig 2007-12-11 07:34:57.000000000 +0100 d23 1 a23 1 @@@@ -327,7 +336,7 @@@@ d32 1 a32 1 @@@@ -1182,6 +1191,7 @@@@ d40 1 a40 1 @@@@ -1226,6 +1236,7 @@@@ d48 1 a48 1 @@@@ -1771,8 +1782,10 @@@@ d59 1 a59 1 @@@@ -1789,8 +1802,10 @@@@ d70 1 a70 1 @@@@ -3385,9 +3400,11 @@@@ d82 1 a82 1 @@@@ -3871,9 +3888,11 @@@@ d94 1 a94 1 @@@@ -4061,9 +4080,11 @@@@ d106 1 a106 1 @@@@ -5128,6 +5149,16 @@@@ d123 18 a140 1 @@@@ -5692,6 +5723,14 @@@@ d155 1 a155 1 @@@@ -6155,6 +6194,7 @@@@ d163 1 a163 1 @@@@ -6582,7 +6622,9 @@@@ d173 1 a173 1 @@@@ -6597,9 +6639,11 @@@@ d185 1 a185 1 @@@@ -6671,7 +6715,7 @@@@ d194 1 a194 1 @@@@ -6692,6 +6736,34 @@@@ d229 1 a229 1 @@@@ -6711,11 +6783,14 @@@@ d249 1 a249 1 @@@@ -6754,10 +6829,13 @@@@ d263 1 a263 1 @@@@ -6780,7 +6858,9 @@@@ d274 1 a274 1 @@@@ -6788,8 +6868,10 @@@@ d285 1 a285 1 @@@@ -6810,14 +6892,18 @@@@ @ 1.1 log @Fixed build (removed whirlpool) (ok by wiz) @ text @d1 1 a1 1 $NetBSD$ d5 150 a154 1 @@@@ -6597,9 +6597,11 @@@@ static QStringList all_hash_types() d166 101 a266 1 @@@@ -6810,10 +6812,12 @@@@ public: d278 1 d280 5 @