ports/66007: [PATCH] bsd.openssl.mk: more consistent security check

Oliver Eikemeier eikemeier at fillmore-labs.com
Tue Apr 27 00:40:24 UTC 2004


>Number:         66007
>Category:       ports
>Synopsis:       [PATCH] bsd.openssl.mk: more consistent security check
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 26 17:40:23 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Oliver Eikemeier
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
Fillmore Labs - http://www.fillmore-labs.com
>Environment:
System: FreeBSD nuuk.fillmore-labs.com 4.10-STABLE

>Description:

The current security check in bsd.openssl.mk has some deficiencies:

- it installs an OpenSSL port even when not necessary or not desired
  by the systems administrator:
  <http://lists.freebsd.org/pipermail/freebsd-ports/2004-April/011540.html>

- it is disabled by WITH_OPENSSL_BASE=yes, which is the recommended workaround
  for this situation

- it completely ignores vulnerable OpenSSL versions installed from ports,
  which makes the check somewhat pointless (why is a vulnerable base more of
  a problem than a vulnerable port?)

Either the check should be eliminated or used consistently on the used OpenSSL
version, no matter if it is from the base or a port, which is what the attached
patch does.

>How-To-Repeat:
>Fix:

--- Mk/bsd.openssl.mk	8 Apr 2004 10:01:53 -0000	1.15
+++ Mk/bsd.openssl.mk	27 Apr 2004 00:20:50 -0000
@@ -42,19 +42,12 @@
 WITH_OPENSSL_PORT=yes
 .endif
 
-#	if no preference was set, check for an up to date base version
+#	if no preference was set, check for an base version
 #	but give an installed port preference over it.
 .if	!defined(WITH_OPENSSL_BASE) && \
 	!defined(WITH_OPENSSL_BETA) && \
 	!defined(WITH_OPENSSL_PORT) && \
-	!exists(${LOCALBASE}/lib/libcrypto.so) && \
-	exists(/usr/include/openssl/opensslv.h)
-#	Security: version in base must be 0.9.7d or have fixes
-#	http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssl/crypto/opensslv.h
-OPENSSLVER!=	${AWK} '/OPENSSL_VERSION_TEXT/ { print $$4; exit }' \
-		/usr/include/openssl/opensslv.h
-# check for safe versions in the base
-.if ${OPENSSLVER} == "0.9.7a-p1" || ${OPENSSLVER} == "0.9.7c-p1" || ${OPENSSLVER} == "0.9.7d"
+	!exists(${LOCALBASE}/lib/libcrypto.so)
 WITH_OPENSSL_BASE=yes
 .endif
 .endif
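Review bot: removing the inner `.if ${OPENSSLVER} == ...` test leaves both trailing `.endif` lines in place, so this block now opens one conditional and closes two; unless a conditional opened above line 42 is meant to end here, `make` will report an unmatched `.endif`, so one of them should go. A smaller point on the edited comment: it should read `check for a base version` rather than `an base version`, and since the version test is no longer here it would help to say where it moved to (the `check-depends::` warning), so a reader does not assume the security check was simply dropped.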
@@ -136,6 +129,17 @@
 MAKE_ENV+=		LDFLAGS="${LDFLAGS}"
 MAKE_ENV+=		OPENSSLLIB=${OPENSSLLIB} OPENSSLINC=${OPENSSLINC} \
 			OPENSSLBASE=${OPENSSLBASE} OPENSSLDIR=${OPENSSLDIR}
+
+.if exists(${OPENSSLINC}/openssl/opensslv.h)
+#	Security: version must be 0.9.7d or have fixes
+#	http://www.freebsd.org/cgi/cvsweb.cgi/src/crypto/openssl/crypto/opensslv.h
+OPENSSLVER!=	${AWK} '/OPENSSL_VERSION_TEXT/ { print $$4; exit }' \
+		${OPENSSLINC}/openssl/opensslv.h
+# check for safe versions
+.if ${OPENSSLVER} != "0.9.7a-p1" && ${OPENSSLVER} != "0.9.7c-p1" && ${OPENSSLVER} != "0.9.7d"
+check-depends::
+	@${ECHO_CMD} "Dependency warning: used OpenSSL version contains known vulnerabilities"
+.endif
 
 ### crypto
 #RESTRICTED=		"Contains cryptography."
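Review bot: the added block opens two conditionals, `.if exists(${OPENSSLINC}/openssl/opensslv.h)` and `.if ${OPENSSLVER} != ...`, but closes only one with the single `+.endif`; a second `.endif` is needed after the `check-depends::` target, otherwise the `exists()` test stays open over the rest of the file. Two further points that deserve a comment in the file: the check now only prints a warning at `check-depends` instead of steering which OpenSSL is used, so a port still builds and links against the flagged library; and the hard-coded whitelist (`0.9.7a-p1`, `0.9.7c-p1`, `0.9.7d`) will flag every newer release, including future fixed ones, as vulnerable until the list is updated, so the comment should state that it has to be maintained alongside the security advisories.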

>Release-Note:
>Audit-Trail:
>Unformatted:


