Allow building against OpenSSL without SSLv2 support.

from brad
2012-06-28 18:49:54 +00:00 · 2012-06-28 18:49:54 +00:00 · 07f3a1c4cf
commit 07f3a1c4cf
parent 0c9db2e825
7 changed files with 298 additions and 20 deletions
--- a/security/nessus/libraries/Makefile
+++ b/security/nessus/libraries/Makefile
@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.10 2011/11/16 00:21:16 sthen Exp $
+# $OpenBSD: Makefile,v 1.11 2012/06/28 18:52:00 jasper Exp $

 COMMENT=	libraries for Nessus
 DISTNAME=	nessus-libraries-${V}
-REVISION =	1
+REVISION=	2

 SHARED_LIBS=	hosts_gatherer	4.7 \
 		nessus		4.7
--- a/security/nessus/libraries/patches/patch-libnessus_network_c
+++ b/security/nessus/libraries/patches/patch-libnessus_network_c
@ -0,0 +1,29 @@
+$OpenBSD: patch-libnessus_network_c,v 1.1 2012/06/28 18:52:00 jasper Exp $
+
+Allow building against OpenSSL without SSLv2 support.
+
+--- libnessus/network.c.orig	Wed Jun 27 12:00:55 2012
+++ libnessus/network.c	Thu Jun 28 01:28:20 2012
+@@ -532,9 +532,6 @@ open_SSL_connection(fp, timeout, cert, key, passwd, ce
+ 
+   switch (fp->transport)
+     {
+-    case NESSUS_ENCAPS_SSLv2:
+-      fp->ssl_mt = SSLv2_client_method();
+-      break;
+     case NESSUS_ENCAPS_SSLv3:
+       fp->ssl_mt = SSLv3_client_method();
+       break;
+@@ -544,7 +541,11 @@ open_SSL_connection(fp, timeout, cert, key, passwd, ce
+     case NESSUS_ENCAPS_SSLv23:	/* Compatibility mode */
+       fp->ssl_mt = SSLv23_client_method();
+       break;
+-      
+    case NESSUS_ENCAPS_SSLv2:
+#ifndef OPENSSL_NO_SSL2
+      fp->ssl_mt = SSLv2_client_method();
+      break;
+#endif
+     default:
+ #if DEBUG_SSL > 0
+       fprintf(stderr, "*Bug* at %s:%d. Unknown transport %d\n",
--- a/x11/gnustep/base/Makefile
+++ b/x11/gnustep/base/Makefile
@ -1,9 +1,9 @@
-# $OpenBSD: Makefile,v 1.41 2012/05/17 05:01:35 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.42 2012/06/28 18:49:54 jasper Exp $

 COMMENT=	GNUstep base library

 DISTNAME=	gnustep-base-1.22.1
-REVISION=	1
+REVISION=	2

 SHARED_LIBS=	gnustep-base 4.0
 CATEGORIES=	devel
@ -27,6 +27,9 @@ MODULES=	x11/gnustep \
 MODGNUSTEP_NEEDS_GUI=	No
 MODGNUSTEP_NEEDS_BASE=	No

+AUTOCONF_VERSION= 2.67
+
+BUILD_DEPENDS+=	${MODGNU_AUTOCONF_DEPENDS}
 LIB_DEPENDS +=	devel/libffi \
 		devel/gmp \
 		textproc/libxslt \
@ -38,6 +41,9 @@ CONFIGURE_STYLE=gnu
 CONFIGURE_ARGS +=	--disable-procfs \
 			--disable-procfs-psinfo

+post-patch:
+	@cd ${WRKSRC}/SSL && env AUTOCONF_VERSION=${AUTOCONF_VERSION} autoconf
+
 pre-configure:
 	@perl -pi -e 's,^MAJOR_VERSION=.*,MAJOR_VERSION=${LIBgnustep-base_VERSION:R},g;' \
 		-e 's,^MINOR_VERSION=.*,MINOR_VERSION=${LIBgnustep-base_VERSION:E},g' \
--- a/x11/gnustep/base/patches/patch-SSL_configure_ac
+++ b/x11/gnustep/base/patches/patch-SSL_configure_ac
@ -0,0 +1,18 @@
+$OpenBSD: patch-SSL_configure_ac,v 1.1 2012/06/28 18:49:54 jasper Exp $
+
+Allow building against OpenSSL without SSLv2 support.
+
+--- SSL/configure.ac.orig	Wed Jun 27 09:18:16 2012
+++ SSL/configure.ac	Wed Jun 27 09:18:32 2012
+@@ -161,9 +161,9 @@ if test $enable_openssl = yes; then
+     if test $ac_cv_lib_crypto_CRYPTO_malloc = yes; then
+       # ssl needs socket on Solaris
+       AC_CHECK_LIB(socket, main)
+-      AC_CHECK_LIB(ssl, ssl2_clear)
+      AC_CHECK_LIB(ssl, SSL_clear)
+       AC_CHECK_LIB(cipher,des_setkey)
+-      if test $ac_cv_lib_ssl_ssl2_clear = yes; then
+      if test $ac_cv_lib_ssl_SSL_clear = yes; then
+         ssl_ok=yes
+       fi
+       AC_CHECK_FUNC(CRYPTO_THREADID_set_callback)
--- a/x11/kde/base3/Makefile
+++ b/x11/kde/base3/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.107 2012/06/15 08:30:23 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.108 2012/06/28 18:52:18 jasper Exp $

 COMMENT-main = 		K Desktop Environment, basic applications
 COMMENT-samba =		K Desktop Environment, samba support
@ -47,7 +47,7 @@ LIB_DEPENDS-samba = ${LIB_DEPENDS} \
 		net/samba>=3


-REVISION-main =		17
+REVISION-main =		18
 WANTLIB-main = ${WANTLIB} GL GLU Half Iex IlmImf IlmThread Imath Xcomposite \
 	Xcursor Xdamage Xdamage Xfixes Xfixes Xft Xi Xinerama Xmu Xrandr Xss \
 	Xt Xtst Xxf86misc Xxf86vm Xxf86vm asn1 audiofile c com_err crypto drm \
--- a/x11/kde/base3/patches/patch-kcontrol_crypto_crypto_cpp
+++ b/x11/kde/base3/patches/patch-kcontrol_crypto_crypto_cpp
@ -1,28 +1,236 @@
-$OpenBSD: patch-kcontrol_crypto_crypto_cpp,v 1.2 2010/10/06 08:11:25 landry Exp $
--- kcontrol/crypto/crypto.cpp.orig	Sun Oct  1 19:31:49 2006
-+++ kcontrol/crypto/crypto.cpp	Sun Oct  3 21:07:32 2010
-@@ -2321,7 +2321,7 @@ bool KCryptoConfig::loadCiphers() {
+$OpenBSD: patch-kcontrol_crypto_crypto_cpp,v 1.3 2012/06/28 18:52:18 jasper Exp $
+
+Allow building against OpenSSL without SSLv2 support.
+
+--- kcontrol/crypto/crypto.cpp.orig	Sun Oct  1 13:31:49 2006
+++ kcontrol/crypto/crypto.cpp	Thu Jun 28 01:46:27 2012
+@@ -272,33 +272,14 @@ QString whatstr;
+                  " replaced SSL in protocols such as POP3 and SMTP.");
+   QWhatsThis::add(mUseTLS, whatstr);
+ 
+-  mUseSSLv2 = new QCheckBox(i18n("Enable SSLv&2"), tabSSL);
+-  connect(mUseSSLv2, SIGNAL(clicked()), SLOT(configChanged()));
+-  grid->addWidget(mUseSSLv2, 1, 0);
+-  whatstr = i18n("SSL v2 is the second revision of the SSL protocol."
+-                " It is most common to enable v2 and v3.");
+-  QWhatsThis::add(mUseSSLv2, whatstr);
+-
+   mUseSSLv3 = new QCheckBox(i18n("Enable SSLv&3"), tabSSL);
+   connect(mUseSSLv3, SIGNAL(clicked()), SLOT(configChanged()));
+   grid->addWidget(mUseSSLv3, 1, 1);
+   whatstr = i18n("SSL v3 is the third revision of the SSL protocol."
+-                " It is most common to enable v2 and v3.");
+                " It is most common to enable v3.");
+   QWhatsThis::add(mUseSSLv3, whatstr);
+ 
+-#ifdef HAVE_SSL
+-  SSLv2Box = new QListView(tabSSL, "v2ciphers");
+-  (void) SSLv2Box->addColumn(i18n("SSLv2 Ciphers to Use"));
+-  whatstr = i18n("Select the ciphers you wish to enable when using the"
+-                " SSL v2 protocol. The actual protocol used will be"
+-                " negotiated with the server at connection time.");
+-  QWhatsThis::add(SSLv2Box, whatstr);
+-  SSLv2Box->setSelectionMode(QListView::NoSelection);
+-
+-  grid->addWidget( SSLv2Box, 2, 0 );
+-  connect( mUseSSLv2, SIGNAL( toggled( bool ) ),
+-	   SSLv2Box, SLOT( setEnabled( bool )));
+-#else
+#ifndef HAVE_SSL
+   QLabel *nossllabel = new QLabel(i18n("SSL ciphers cannot be configured"
+                                " because this module was not linked"
+                                " with OpenSSL."), tabSSL);
+@@ -876,9 +857,6 @@ void KCryptoConfig::load( bool useDefaults )
+   config->setGroup("TLS");
+   mUseTLS->setChecked(config->readBoolEntry("Enabled", true));
+ 
+-  config->setGroup("SSLv2");
+-  mUseSSLv2->setChecked(config->readBoolEntry("Enabled", true));
+-
+   config->setGroup("SSLv3");
+   mUseSSLv3->setChecked(config->readBoolEntry("Enabled", true));
+ 
+@@ -913,23 +891,14 @@ void KCryptoConfig::load( bool useDefaults )
+   oPath->setURL(config->readPathEntry("Path"));
+ #endif
+ 
+-  config->setGroup("SSLv2");
+-  CipherItem *item = static_cast<CipherItem *>(SSLv2Box->firstChild());
+-  while ( item ) {
+-      item->setOn(config->readBoolEntry(item->configName(),
+-					item->bits() >= 56));
+-      item = static_cast<CipherItem *>(item->nextSibling());
+-  }
+-
+   config->setGroup("SSLv3");
+-  item = static_cast<CipherItem *>(SSLv3Box->firstChild());
+  CipherItem *item = static_cast<CipherItem *>(SSLv3Box->firstChild());
+   while ( item ) {
+       item->setOn(config->readBoolEntry(item->configName(),
+ 					item->bits() >= 56));
+       item = static_cast<CipherItem *>(item->nextSibling());
+   }
+ 
+-  SSLv2Box->setEnabled( mUseSSLv2->isChecked() );
+   SSLv3Box->setEnabled( mUseSSLv3->isChecked() );
+ 
+   QStringList groups = policies->groupList();
+@@ -1030,8 +999,7 @@ void KCryptoConfig::load( bool useDefaults )
+ void KCryptoConfig::save()
+ {
+ #ifdef HAVE_SSL
+-  if (!mUseSSLv2->isChecked() &&
+-      !mUseSSLv3->isChecked())
+  if (!mUseSSLv3->isChecked())
+     KMessageBox::information(this, i18n("If you do not select at least one"
+                                        " SSL algorithm, either SSL will not"
+                                        " work or the application may be"
+@@ -1041,9 +1009,6 @@ void KCryptoConfig::save()
+   config->setGroup("TLS");
+   config->writeEntry("Enabled", mUseTLS->isChecked());
+ 
+-  config->setGroup("SSLv2");
+-  config->writeEntry("Enabled", mUseSSLv2->isChecked());
+-
+   config->setGroup("SSLv3");
+   config->writeEntry("Enabled", mUseSSLv3->isChecked());
+ 
+@@ -1072,25 +1037,8 @@ void KCryptoConfig::save()
+ #endif
+ 
+   int ciphercount = 0;
+-  config->setGroup("SSLv2");
+-  CipherItem *item = static_cast<CipherItem *>(SSLv2Box->firstChild());
+-  while ( item ) {
+-    if (item->isOn()) {
+-      config->writeEntry(item->configName(), true);
+-      ciphercount++;
+-    } else config->writeEntry(item->configName(), false);
+-
+-    item = static_cast<CipherItem *>(item->nextSibling());
+-  }
+-
+-  if (mUseSSLv2->isChecked() && ciphercount == 0)
+-    KMessageBox::information(this, i18n("If you do not select at least one"
+-                                       " cipher, SSLv2 will not work."),
+-                                   i18n("SSLv2 Ciphers"));
+-
+-  ciphercount = 0;
+   config->setGroup("SSLv3");
+-  item = static_cast<CipherItem *>(SSLv3Box->firstChild());
+  CipherItem *item = static_cast<CipherItem *>(SSLv3Box->firstChild());
+   while ( item ) {
+     if (item->isOn()) {
+       config->writeEntry(item->configName(), true);
+@@ -1251,18 +1199,12 @@ void KCryptoConfig::slotSelectCipher(int id) {
+ void KCryptoConfig::cwCompatible() {
+   #ifdef HAVE_SSL
+   CipherItem *item;
+-  for ( item = static_cast<CipherItem *>(SSLv2Box->firstChild()); item;
+-	item = static_cast<CipherItem *>(item->nextSibling()) ) {
+-    item->setOn( item->bits() >= 56 && item->bits() <= 128 );
+-  }
+-
+   for ( item = static_cast<CipherItem *>(SSLv3Box->firstChild()); item;
+ 	item = static_cast<CipherItem *>(item->nextSibling()) ) {
+     item->setOn( item->bits() >= 56 && item->bits() <= 128 );
+   }
+ 
+   mUseTLS->setChecked(true);
+-  mUseSSLv2->setChecked(true);
+   mUseSSLv3->setChecked(true);
+   configChanged();
+   #endif
+@@ -1272,11 +1214,6 @@ void KCryptoConfig::cwCompatible() {
+ void KCryptoConfig::cwUS() {
+   #ifdef HAVE_SSL
+   CipherItem *item;
+-  for ( item = static_cast<CipherItem *>(SSLv2Box->firstChild()); item;
+-	item = static_cast<CipherItem *>(item->nextSibling()) ) {
+-    item->setOn( item->bits() >= 128 );
+-  }
+-
+   for ( item = static_cast<CipherItem *>(SSLv3Box->firstChild()); item;
+ 	item = static_cast<CipherItem *>(item->nextSibling()) ) {
+     item->setOn( item->bits() >= 128 );
+@@ -1290,11 +1227,6 @@ void KCryptoConfig::cwUS() {
+ void KCryptoConfig::cwExp() {
+   #ifdef HAVE_SSL
+   CipherItem *item;
+-  for ( item = static_cast<CipherItem *>(SSLv2Box->firstChild()); item;
+-	item = static_cast<CipherItem *>(item->nextSibling()) ) {
+-    item->setOn( item->bits() <= 56 && item->bits() > 0);
+-  }
+-
+   for ( item = static_cast<CipherItem *>(SSLv3Box->firstChild()); item;
+ 	item = static_cast<CipherItem *>(item->nextSibling()) ) {
+     item->setOn( item->bits() <= 56 && item->bits() > 0);
+@@ -1308,18 +1240,12 @@ void KCryptoConfig::cwExp() {
+ void KCryptoConfig::cwAll() {
+   #ifdef HAVE_SSL
+   CipherItem *item;
+-  for ( item = static_cast<CipherItem *>(SSLv2Box->firstChild()); item;
+-	item = static_cast<CipherItem *>(item->nextSibling()) ) {
+-    item->setOn( true );
+-  }
+-
+   for ( item = static_cast<CipherItem *>(SSLv3Box->firstChild()); item;
+ 	item = static_cast<CipherItem *>(item->nextSibling()) ) {
+     item->setOn( true );
+   }
+ 
+   mUseTLS->setChecked(true);
+-  mUseSSLv2->setChecked(true);
+   mUseSSLv3->setChecked(true);
+   configChanged();
+   #endif
+@@ -2321,12 +2247,11 @@ bool KCryptoConfig::loadCiphers() {
 unsigned int i;
 SSL_CTX *ctx;
 SSL *ssl;
 -SSL_METHOD *meth;
 +const SSL_METHOD *meth;
 
-   SSLv2Box->clear();
+-  SSLv2Box->clear();
   SSLv3Box->clear();
-@@ -2337,7 +2337,7 @@ SSL_METHOD *meth;
+ 
+-  meth = SSLv2_client_method();
+  meth = SSLv3_client_method();
+   SSLeay_add_ssl_algorithms();
+   ctx = SSL_CTX_new(meth);
+   if (ctx == NULL) return false;
+@@ -2337,35 +2262,7 @@ SSL_METHOD *meth;
   CipherItem *item;
   for (i=0; ; i++) {
     int j, k;
 -    SSL_CIPHER *sc;
-+    const SSL_CIPHER *sc;
-     sc = (meth->get_cipher)(i);
-     if (!sc)
-       break;
-@@ -2365,7 +2365,7 @@ SSL_METHOD *meth;
- 
-   for (i=0; ; i++) {
-     int j, k;
+-    sc = (meth->get_cipher)(i);
+-    if (!sc)
+-      break;
+-    // Leak of sc*?
+-    QString scn(sc->name);
+-    if (scn.contains("ADH-") || scn.contains("NULL-") || scn.contains("DES-CBC3-SHA") || scn.contains("FZA-")) {
+-      continue;
+-    }
+-    k = SSL_CIPHER_get_bits(sc, &j);
+-
+-    item = new CipherItem( SSLv2Box, sc->name, k, j, this );
+-  }
+-
+-  if (ctx) SSL_CTX_free(ctx);
+-  if (ssl) SSL_free(ssl);
+-
+-  // We repeat for SSLv3
+-  meth = SSLv3_client_method();
+-  SSLeay_add_ssl_algorithms();
+-  ctx = SSL_CTX_new(meth);
+-  if (ctx == NULL) return false;
+-
+-  ssl = SSL_new(ctx);
+-  if (!ssl) return false;
+-
+-  for (i=0; ; i++) {
+-    int j, k;
 -    SSL_CIPHER *sc;
 +    const SSL_CIPHER *sc;
     sc = (meth->get_cipher)(i);
--- a/x11/kde/base3/patches/patch-kcontrol_crypto_crypto_h
+++ b/x11/kde/base3/patches/patch-kcontrol_crypto_crypto_h
@ -0,0 +1,17 @@
+$OpenBSD: patch-kcontrol_crypto_crypto_h,v 1.1 2012/06/28 18:52:18 jasper Exp $
+
+Allow building against OpenSSL without SSLv2 support.
+
+--- kcontrol/crypto/crypto.h.orig	Wed Jun 27 11:44:00 2012
+++ kcontrol/crypto/crypto.h	Wed Jun 27 11:44:19 2012
+@@ -288,8 +288,8 @@ public slots: (private)
+ 
+   QWidget *tabYourSSLCert, *tabOtherSSLCert, *tabSSLCA, *tabSSLCOpts, *tabAuth;
+ 
+-  QListView *SSLv2Box, *SSLv3Box;
+-  QCheckBox *mUseTLS, *mUseSSLv2, *mUseSSLv3;
+  QListView *SSLv3Box;
+  QCheckBox *mUseTLS, *mUseSSLv3;
+   QCheckBox *mWarnOnEnter, *mWarnOnLeave;
+ 
+   /* EGD stuff */