Commit Graph

140 Commits

Author SHA1 Message Date
tls
4147a3c54a Add new Makefile knob, USE_FORT, which extends USE_SSP by turning on the
FORTIFY_SOURCE feature of libssp, thus checking the size of arguments to
various string and memory copy and set functions (as well as a few system
calls and other miscellany) where known at function entry.  RedHat has
evidently built all "core system packages" with this option for some time.

This option should be used at the top of Makefiles (or Makefile.inc where
this is used for subdirectories) but after any setting of LIB.

This is only useful for userland code, and cannot be used in libc or in
any code which includes the libc internals, because it overrides certain
libc functions with macros.  Some effort has been made to make USE_FORT=yes
work correctly for a full-system build by having the bsd.sys.mk logic
disable the feature where it should not be used (libc, libssp itself,
the kernel) but no attempt has been made to build the entire system with
USE_FORT and doing so will doubtless expose numerous bugs and misfeatures.

Adjust the system build so that all programs and libraries that are setuid,
directly handle network data (including serial comm data), perform
authentication, or appear likely to have (or have a history of having)
data-driven bugs (e.g. file(1)) are built with USE_FORT=yes by default,
with the exception of libc, which cannot use USE_FORT and thus uses
only USE_SSP by default.  Tested on i386 with no ill results; USE_FORT=no
per-directory or in a system build will disable if desired.
2007-05-28 12:06:17 +00:00
christos
74d38ec395 sort. 2007-03-10 16:30:45 +00:00
skrll
0cc210063b Add in new source files.
From Henning Petersen in PR 35967.
2007-03-10 12:50:09 +00:00
mjf
0e981a1e1c - Fix man pages for openssl upgrade
- Add myself to list of maintainers for openssl
- Note the openssl upgrade in CHANGES
2007-03-07 20:43:10 +00:00
hubertf
55ac93d329 Remove more duplicate #includes, and a few spurious whitespaces at EOL
From Slava Semushin <slava.semushin@gmail.com>
2007-01-17 23:24:22 +00:00
christos
c0179c282a spell precede; from Zafer 2006-11-25 16:48:31 +00:00
wiz
6919c6578c s/independant/independent/, from Zafer. 2006-11-24 22:04:21 +00:00
christos
7f29b88c81 regen 2006-11-13 22:01:59 +00:00
christos
10891a6668 compile alloca using code -Wno-stack-protector 2006-11-09 20:45:01 +00:00
oster
4f500646a9 Add a missing ')' to fix the example code. Already fixed in openssl upstream. 2006-05-24 16:44:34 +00:00
dsl
c3e43200eb A couple of the xxx.inc files are non-standard.
My sed script didn't update them properly!
Also man.inc isn't a source make file.
2006-03-17 23:10:48 +00:00
dsl
0ab764f9ff Don't add every source directory to the -I path.
Instead use CPPFLAGS.file to add the relevant directory for each file.
Removes about 4000000 failed open() system calls from the libcrypto build,
and reduces the compile time (on my system) from 154 seconds to 115 seconds.
The arch/*/*.inc files need similar treatment.
2006-03-17 20:47:45 +00:00
christos
fb6dad779a move all pqueue.h headers to libcrypto. 2005-12-31 00:14:35 +00:00
christos
616f676cc7 Add another include file. bump version for hardware cryptodev addition. 2005-12-31 00:04:51 +00:00
martin
c236b4a2eb Sync sparc64 compile time options with the pkgsrc version. 2005-12-13 09:52:20 +00:00
christos
8f90380d42 Add the last of the deprecated functions. 2005-11-27 02:00:46 +00:00
christos
66dedf6e69 add new man pages. 2005-11-26 22:39:15 +00:00
christos
f849a69336 Add some more files needed by openssl 2005-11-26 00:35:58 +00:00
christos
2b723133ba add o_dir.c 2005-11-25 23:18:13 +00:00
christos
a298f73e51 Regenerate man pages. 2005-11-25 21:09:33 +00:00
christos
684a3fe509 Add deprecated functions that openssh still uses. 2005-11-25 20:34:58 +00:00
christos
051fcc4890 put ENGINESDIR define in Makefile.openssl 2005-11-25 20:34:31 +00:00
christos
9ea9ccfcc6 Adjust to the new openssl-0.9.8a. Notable changes:
- no more fips
- new algorithms
Bump version to 3.0
2005-11-25 19:15:08 +00:00
rpaulo
2f7f9ca516 Regen (PR security/13953). 2005-10-05 23:51:53 +00:00
simonb
2c43674831 Remove fips_standalone_sha1.c - fixes problem mentioned by Hubert Feyrer
on current-users.

OK'd by christos.
2005-06-29 14:41:16 +00:00
wiz
4878707c24 Oops, openssl_errstr(1), not (3). 2005-04-24 00:13:50 +00:00
wiz
d3e15626be Add openssl_errstr(1). 2005-04-24 00:12:07 +00:00
wiz
e19d039592 regen (sync with 0.9.7g). 2005-04-24 00:10:02 +00:00
christos
c20fe9e615 add new files. 2005-04-23 20:32:17 +00:00
christos
b97f63a242 Regen for OpenSSL 0.9.7f 2005-03-26 03:26:46 +00:00
christos
039caef355 bump minor. 2005-03-26 02:22:01 +00:00
christos
1adff5028c enable FIPS. 2005-03-26 02:21:34 +00:00
christos
4d2554560d Add fips include files, needed for compilation only. FIPS is not enabled
right now, but we will enable it later (adding -DOPENSSL_FIPS).
2005-03-25 20:14:40 +00:00
lukem
1e6ef7af3f remove unnecessary (and possibly incorrect for non-ELF) duplicate LIBDPLIBS 2005-03-09 01:55:51 +00:00
christos
0713fcd141 Make at least the ELF version work. crypt was broken because it was
compiled against the wrong headers. Now we just depend on libcrypt.
2005-03-02 01:04:21 +00:00
jmc
693535a5d9 Spelling errors 'dependant' vs 'dependent' from PR#27345 2004-10-22 18:35:41 +00:00
sjg
3a0c68edfd Add support for SHA1 hashed passwords.
The algorithm used is essentially PBKDF1 from RFC 2898 but using
hmac_sha1 rather than SHA1 directly (suggested by smb@research.att.com).

 * The format of the encrypted password is:
 * $<tag>$<iterations>$<salt>$<digest>
 *
 * where:
 *      <tag>           is "sha1"
 *      <iterations>    is an unsigned int identifying how many rounds
 *                      have been applied to <digest>.  The number
 *                      should vary slightly for each password to make
 *                      it harder to generate a dictionary of
 *                      pre-computed hashes.  See crypt_sha1_iterations.
 *      <salt>          up to 64 bytes of random data, 8 bytes is
 *                      currently considered more than enough.
 *      <digest>        the hashed password.

hmac.c implements HMAC as defined in RFC 2104 and includes a unit
test for both hmac_sha1 and hmac_sha1 using a selection of the Known
Answer Tests from RFC 2202.

It is worth noting that to be FIPS compliant the hmac key (password)
should be 10-20 chars.
2004-07-02 00:05:23 +00:00
groo
19aa054c0d Actually install the new man pages. 2004-03-22 00:48:04 +00:00
groo
80ddfc8cb9 update documentation from 0.9.7b to 0.9.7d 2004-03-20 21:48:44 +00:00
wiz
73e1501b98 parameter with two es. From Peter Postma. 2004-02-24 15:22:01 +00:00
itojun
08cbee504f avoid bswapl, which is post-i486 (including i486) insn. markus@openbsd 2003-11-13 19:36:31 +00:00
itojun
015dc7875b accelerate sha1 by using asm (i386). markus@openbsd.
there's internal symbol name changes, but it does not warrant shlib minor
bump as the symbol is totally internal.
2003-11-13 02:10:00 +00:00
itojun
b6743615c4 correction made in 0.9.7c; from markus@openbsd 2003-11-12 16:20:27 +00:00
itojun
aec01dda91 sync w/ openssl 0.9.7c. shlib minor bump for libcrypto.
(ERR_release_err_state_table() added)
2003-11-04 23:54:26 +00:00
itojun
87abfaaaff resurrect assembly version of bignum operation; pointed out by perry 2003-11-04 21:06:32 +00:00
ragge
2fc6066af3 Add assembly routines for some of the bignum functions. Most comes from VMS,
a few written by me.  This speeds up ssh 2-3 times.
2003-11-03 10:22:28 +00:00
lukem
f85d2d1c14 Use ${HOST_SH} instead of `sh'.
If necessary, pull in <bsd.sys.mk> to get the definition of HOST_SH;
Makefiles that pull in one of (most of) <bsd.*.mk> will get this anyway.
2003-10-26 07:25:33 +00:00
itojun
f4401cd869 upgrade openssl to 0.9.7b. (AES is now supported)
alter des.h to be friendly with openssl/des.h (you can include both in the
same file)
make libkrb to depend on libdes.  bump major.
massage various portions of heimdal to be friendly with openssl 0.9.7b.
2003-07-24 14:16:30 +00:00
itojun
df738798b1 install des_modes(7) from libdes, not from libcrypto 2003-07-23 05:46:00 +00:00
itojun
98cf94c860 install des.3 from libdes, not from libcrypto.
(eventually libcrypto will switch to DES_xx)
2003-07-23 05:43:43 +00:00