Date: Tue, 5 Jan 2016 09:19:44 +0000 (UTC) From: Bernard Spil <brnrd@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r405278 - in head/security/libressl-devel: . files Message-ID: <201601050919.u059JiZB059100@repo.freebsd.org>
Author: brnrd
Date: Tue Jan 5 09:19:44 2016
New Revision: 405278
URL: https://svnweb.freebsd.org/changeset/ports/405278
Log:
security/libressl-devel: Add next-stable LibreSSL 2.3 port
- Add security/libressl-devel for version 2.3.1
- Repository copy of security/libressl [1]
- Including corrections for CVE-2015-3194/3195
- Add support for multiple versions to bsd.openssl.mk
- Add option to optionally install API man-pages [2]
- Disable silent rules output
Changes:
- ftp://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.0-relnotes.txt
- ftp://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.1-relnotes.txt
PR: 201462 [2]
Submitted by: adamw [2]
Requested by: junovitch [1]
Reviewed by: vsevolod (mentor, maintainer), koobs (mentor), feld (mentor)
Approved by: koobs (mentor), feld (mentor), mat [1] (portmgr)
Differential Revision: https://reviews.freebsd.org/D3585
Added:
head/security/libressl-devel/ - copied from r405242, head/security/libressl/
head/security/libressl-devel/files/patch-crypto_asn1_tasn__dec.c (contents, props changed)
head/security/libressl-devel/files/patch-crypto_rsa_rsa__ameth.c (contents, props changed)
Modified:
head/security/libressl-devel/Makefile
head/security/libressl-devel/distinfo
head/security/libressl-devel/files/patch-include_openssl_opensslv.h
head/security/libressl-devel/pkg-plist
Modified: head/security/libressl-devel/Makefile
==============================================================================
--- head/security/libressl/Makefile Mon Jan 4 14:21:56 2016 (r405242)
+++ head/security/libressl-devel/Makefile Tue Jan 5 09:19:44 2016 (r405278)
@@ -1,12 +1,14 @@
-# Created by: Vsevolod Stakhov <vsevolod@FreeBSD.org>
+# Created by: Bernard Spil <brnrd@FreeBSD.org>
 # $FreeBSD$
 PORTNAME= libressl
-PORTVERSION= 2.2.5
+PORTVERSION= 2.3.1
+PORTREVISIION= 1
 CATEGORIES= security devel
 MASTER_SITES= OPENBSD/LibreSSL
+PKGNAMESUFFIX= -devel
-MAINTAINER= vsevolod@FreeBSD.org
+MAINTAINER= brnrd@FreeBSD.org
 COMMENT= Free version of the SSL/TLS protocol forked from OpenSSL
 LICENSE= BSD4CLAUSE
@@ -14,29 +16,29 @@
 LICENSE_FILE= ${WRKSRC}/COPYING
 CPE_VENDOR= openbsd
-OPTIONS_DEFINE= MAN3
-OPTIONS_DEFAULT= MAN3
+OPTIONS_DEFINE= MAN3 NC
+OPTIONS_DEFAULT= MAN3 NC
 MAN3_DESC= Install API manpages (section 3)
+NC_DESC= Build nc libtls demo application
 CONFLICTS?= openssl-[0-9]* \
- libressl-devel-[0-9]*
+ libressl-[0-9]*
 GNU_CONFIGURE= yes
 CONFIGURE_ARGS= --enable-silent-rules
 USES= cpe libtool pathfix pkgconfig
 USE_LDCONFIG= yes
+OPTIONS_SUB= yes
 INSTALL_TARGET= install-strip
 TEST_TARGET= check
-.include <bsd.port.pre.mk>
-
-.if ${ARCH} == "amd64"
-CONFIGURE_TARGET= x86_64-portbld-${OPSYS:tl}${OSREL}
-.endif
+post-stage-NC-on:
+ ${INSTALL_PROGRAM} ${WRKSRC}/apps/nc/.libs/nc ${STAGEDIR}/${PREFIX}/bin/nc
+ ${INSTALL_MAN} ${WRKSRC}/apps/nc/nc.1 ${STAGEDIR}/${PREFIX}/man/man1/nc.1
 post-install-MAN3-off:
 ${RM} -rf ${STAGEDIR}/${PREFIX}/man/man3
 ${REINPLACE_CMD} -e '/^man\/man3/d' ${TMPPLIST}
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
Modified: head/security/libressl-devel/distinfo
==============================================================================
--- head/security/libressl/distinfo Mon Jan 4 14:21:56 2016 (r405242)
+++ head/security/libressl-devel/distinfo Tue Jan 5 09:19:44 2016 (r405278)
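Review bot: `+PORTREVISIION= 1` in the first Makefile hunk misspells PORTREVISION, so make silently treats it as an unrelated variable and the package is versioned as plain 2.3.1 with no `_1` suffix; the line should read `PORTREVISION=	1` (or be dropped if no revision was intended for the newly added port). In the second hunk the log's "Disable silent rules output" bullet is not reflected: `CONFIGURE_ARGS=	--enable-silent-rules` is unchanged context, so either the bullet or the flag appears out of step and is worth confirming against the full file.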
@@ -1,2 +1,2 @@
-SHA256 (libressl-2.2.5.tar.gz) = e3caded0469d8dc64f4ca2fe8e499ada4dd014e84d1c5a71818d39e54e6c914b
-SIZE (libressl-2.2.5.tar.gz) = 2966527
+SHA256 (libressl-2.3.1.tar.gz) = 410b58db4ebbcab43c3357612e591094f64fb9339269caa2e68728e36f8d589e
+SIZE (libressl-2.3.1.tar.gz) = 3014881
Added: head/security/libressl-devel/files/patch-crypto_asn1_tasn__dec.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/libressl-devel/files/patch-crypto_asn1_tasn__dec.c Tue Jan 5 09:19:44 2016 (r405278)
@@ -0,0 +1,49 @@
+From 9900c16beb14eb3bfc8f4d8c6191e6e1a271c861 Mon Sep 17 00:00:00 2001
+From: beck <>
+Date: Fri, 4 Dec 2015 04:19:25 +0000
+Subject: [PATCH] Fix for OpenSSL CVE-2015-3195 ok djm@ jsing@
+
+---
+ src/lib/libssl/src/crypto/asn1/tasn_dec.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
+index e50ec0a..0a6eaf2 100644
+--- crypto/asn1/tasn_dec.c
++++ crypto/asn1/tasn_dec.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: tasn_dec.c,v 1.26 2015/03/19 14:00:22 tedu Exp $ */
++/* $OpenBSD: tasn_dec.c,v 1.27 2015/07/20 15:41:48 miod Exp $ */
+ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2000.
+ */
+@@ -166,6 +166,10 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ int otag;
+ int ret = 0;
+ ASN1_VALUE **pchptr;
++ int combine;
++
++ combine = aclass & ASN1_TFLG_COMBINE;
++ aclass &= ~ASN1_TFLG_COMBINE;
+
+ if (!pval)
+ return 0;
+@@ -447,7 +451,8 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ auxerr:
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+ err:
+- ASN1_item_ex_free(pval, it);
++ if (combine == 0)
++ ASN1_item_ex_free(pval, it);
+ if (errtt)
+ ERR_asprintf_error_data("Field=%s, Type=%s", errtt->field_name,
+ it->sname);
+@@ -642,7 +647,7 @@ asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len,
+ } else {
+ /* Nothing special */
+ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+- -1, 0, opt, ctx);
++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+ if (!ret) {
+ ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+ ERR_R_NESTED_ASN1_ERROR);
Added: head/security/libressl-devel/files/patch-crypto_rsa_rsa__ameth.c
==============================================================================
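Review bot: The `+--- crypto/asn1/tasn_dec.c` / `++++ crypto/asn1/tasn_dec.c` headers were rewritten to the paths patch(1) actually uses, but the preceding `+diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c ...` and `+index e50ec0a..0a6eaf2 100644` lines still name the OpenBSD source tree, which sends a reader looking for a path that does not exist in the LibreSSL tarball. Either dropping those two lines or rewriting them to match the `---`/`+++` lines keeps the patch file self-consistent; behaviour is unaffected since patch(1) takes the target from `---`/`+++`. The code change itself (the combine flag split out of aclass, the free at `err:` skipped when it is set, and the flag passed through from asn1_template_noexp_d2i) is the complete upstream fix as far as these hunks show.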
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/libressl-devel/files/patch-crypto_rsa_rsa__ameth.c Tue Jan 5 09:19:44 2016 (r405278)
@@ -0,0 +1,35 @@
+untrusted comment: signature from openbsd 5.8 base secret key
+RWQNNZXtC/MqP8u13/pPZfTpPeHhU93PG0DBihXvQ7lB0CvONLwoTfHr9f40s515bidPGcGLAH4xu+yz3skT6b3tKETEWZw8BgA=
+
+OpenBSD 5.8 errata 9, Dec 3, 2015:
+
+CVE-2015-3194 - NULL pointer dereference in client certificate validation
+
+Apply by doing:
+ signify -Vep /etc/signify/openbsd-58-base.pub -x 009_clientcert.patch.sig \
+ -m - | (cd /usr/src && patch -p0)
+
+And then rebuild and install libcrypto:
+ cd /usr/src/lib/libcrypto
+ make obj
+ make depend
+ make
+ make install
+
+Index: crypto/rsa/rsa_ameth.c
+===================================================================
+RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_ameth.c,v
+retrieving revision 1.14
+retrieving revision 1.14.6.1
+diff -u -p -u -p -r1.14 -r1.14.6.1
+--- crypto/rsa/rsa_ameth.c 11 Feb 2015 04:05:14 -0000 1.14
++++ crypto/rsa/rsa_ameth.c 4 Dec 2015 04:13:43 -0000 1.14.6.1
+@@ -298,7 +298,7 @@ rsa_pss_decode(const X509_ALGOR *alg, X5
+ if (pss->maskGenAlgorithm) {
+ ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
+ if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 &&
+- param->type == V_ASN1_SEQUENCE) {
++ param && param->type == V_ASN1_SEQUENCE) {
+ p = param->value.sequence->data;
+ plen = param->value.sequence->length;
+ *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
Modified: head/security/libressl-devel/files/patch-include_openssl_opensslv.h
==============================================================================
--- head/security/libressl/files/patch-include_openssl_opensslv.h Mon Jan 4 14:21:56 2016 (r405242)
+++ head/security/libressl-devel/files/patch-include_openssl_opensslv.h Tue Jan 5 09:19:44 2016 (r405278)
@@ -1,7 +1,12 @@
---- include/openssl/opensslv.h.orig 2015-07-26 14:58:42 UTC
+Many applications use checking of OPENSSL_VERSION to detect if
+a feature is available and thus fail to build when the version
+is set to 0x20000000L. This fixes the OPENSSL_VERSION to the
+time at which LibreSSL forked.
+
+--- include/openssl/opensslv.h.orig 2015-09-11 22:35:14 UTC
 +++ include/openssl/opensslv.h
 @@ -7,7 +7,7 @@
- #define LIBRESSL_VERSION_TEXT "LibreSSL 2.2.2"
+ #define LIBRESSL_VERSION_TEXT "LibreSSL 2.3.0"
 /* These will never change */
 -#define OPENSSL_VERSION_NUMBER 0x20000000L
Modified: head/security/libressl-devel/pkg-plist
==============================================================================
--- head/security/libressl/pkg-plist Mon Jan 4 14:21:56 2016 (r405242)
+++ head/security/libressl-devel/pkg-plist Tue Jan 5 09:19:44 2016 (r405278)
@@ -1,3 +1,4 @@
+%%NC%%bin/nc
 bin/openssl
 etc/ssl/cert.pem
 etc/ssl/openssl.cnf
@@ -24,7 +25,6 @@ include/openssl/dh.h
 include/openssl/dsa.h
 include/openssl/dso.h
 include/openssl/dtls1.h
-include/openssl/e_os2.h
 include/openssl/ec.h
 include/openssl/ecdh.h
 include/openssl/ecdsa.h
@@ -76,20 +76,21 @@ include/openssl/x509v3.h
 include/tls.h
 lib/libcrypto.a
 lib/libcrypto.so
-lib/libcrypto.so.35
-lib/libcrypto.so.35.0.0
+lib/libcrypto.so.36
+lib/libcrypto.so.36.0.0
 lib/libssl.a
 lib/libssl.so
-lib/libssl.so.35
-lib/libssl.so.35.0.0
+lib/libssl.so.37
+lib/libssl.so.37.0.0
 lib/libtls.a
 lib/libtls.so
-lib/libtls.so.6
-lib/libtls.so.6.0.0
+lib/libtls.so.9
+lib/libtls.so.9.0.0
 libdata/pkgconfig/libcrypto.pc
 libdata/pkgconfig/libssl.pc
 libdata/pkgconfig/libtls.pc
 libdata/pkgconfig/openssl.pc
+%%NC%%man/man1/nc.1.gz
 man/man1/openssl.1.gz
 man/man3/ASN1_OBJECT_free.3.gz
 man/man3/ASN1_OBJECT_new.3.gz
@@ -646,6 +647,7 @@ man/man3/ERR_remove_state.3.gz
 man/man3/ERR_remove_thread_state.3.gz
 man/man3/ERR_set_mark.3.gz
 man/man3/EVP_BytesToKey.3.gz
+man/man3/EVP_AEAD_CTX_init.3.gz
 man/man3/EVP_CIPHER_CTX_block_size.3.gz
 man/man3/EVP_CIPHER_CTX_cipher.3.gz
 man/man3/EVP_CIPHER_CTX_cleanup.3.gz
@@ -844,7 +846,6 @@ man/man3/EVP_rc5_32_12_16_cfb.3.gz
 man/man3/EVP_rc5_32_12_16_ecb.3.gz
 man/man3/EVP_rc5_32_12_16_ofb.3.gz
 man/man3/EVP_ripemd160.3.gz
-man/man3/EVP_sha.3.gz
 man/man3/EVP_sha1.3.gz
 man/man3/EVP_sha224.3.gz
 man/man3/EVP_sha256.3.gz
@@ -1509,6 +1510,7 @@ man/man3/tls_config_clear_keys.3.gz
 man/man3/tls_config_free.3.gz
 man/man3/tls_config_insecure_noverifycert.3.gz
 man/man3/tls_config_insecure_noverifyname.3.gz
+man/man3/tls_config_insecure_noverifytime.3.gz
 man/man3/tls_config_new.3.gz
 man/man3/tls_config_parse_protocols.3.gz
 man/man3/tls_config_set_ca_file.3.gz
@@ -1529,14 +1531,28 @@ man/man3/tls_connect.3.gz
 man/man3/tls_connect_fds.3.gz
 man/man3/tls_connect_servername.3.gz
 man/man3/tls_connect_socket.3.gz
+man/man3/tls_conn_cipher.3.gz
+man/man3/tls_conn_version.3.gz
 man/man3/tls_error.3.gz
 man/man3/tls_free.3.gz
 man/man3/tls_init.3.gz
 man/man3/tls_load_file.3.gz
+man/man3/tls_peer_cert_notafter.3.gz
+man/man3/tls_peer_cert_notbefore.3.gz
 man/man3/tls_read.3.gz
 man/man3/tls_reset.3.gz
 man/man3/tls_server.3.gz
 man/man3/tls_write.3.gz
+man/man3/tls_config_prefer_ciphers_client.3.gz
+man/man3/tls_config_prefer_ciphers_server.3.gz
+man/man3/tls_config_verify_client.3.gz
+man/man3/tls_config_verify_client_optional.3.gz
+man/man3/tls_handshake.3.gz
+man/man3/tls_peer_cert_contains_name.3.gz
+man/man3/tls_peer_cert_hash.3.gz
+man/man3/tls_peer_cert_issuer.3.gz
+man/man3/tls_peer_cert_provided.3.gz
+man/man3/tls_peer_cert_subject.3.gz
 man/man3/tmp_rsa_callback.3.gz
 man/man3/ui.3.gz
 man/man3/ui_compat.3.gz