security/openssl BROKEN, DEPRECATED, and EXPIRED?

b. f. bf1783 at googlemail.com
Wed Jan 13 17:21:26 UTC 2010


I'd like to echo some of the others regarding the recent changes in
security/openssl:  since this port is used by a large number of
people, it would be better to announce major changes in advance, and
to test more carefully before committing.

The reverted deprecation leaves me a bit puzzled.  What were the
problems that prompted the comment that the port had "unfixed
vulnerabilities"?  If that meant that flawed renegotiation could be
enabled via run-time flags, and this was thought to be unacceptable,
why not patch the port to disable it, as in the base system openssl,
rather than suddenly attempting to remove the port?  If it was
something else, what was it, and what, if anything, is going to be
done about it?  Can we expect an update to 1.0.x, and the resurrection
of SCTP support, after the renegotiation problem is settled?  Or is a
removal of the port still planned?  If that is the case, what do those
who want to remove the port propose as a replacement?

I note that there are still a few obvious minor flaws after the most
recent commits, including what looks like an unintentional inversion
of the logic surrounding the SSE2 option.  I'm attaching a suggested
patch.

Regards,
                    b.
--- old.Makefile	2010-01-13 10:45:10.000000000 -0500
+++ Makefile	2010-01-13 11:26:31.000000000 -0500
@@ -29,7 +29,8 @@
 .error You have `USE_OPENSSL' variable defined either in environment or in make(1) arguments. Please undefine and try again.
 .endif
 
-OPTIONS=	I386	"Use optimzed assembler for 80386" off \
+OPTIONS=	I386	"Use optimized assembler for 80386" off \
+		OPENSSL_THREADS "Build a multithreaded openssl" off \
 		SSE2	"Use runtime SSE2 detection" on \
 		ZLIB	"Build with zlib compression" on \
 
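Review bot: The new OPENSSL_THREADS entry matches the `.if defined(WITH_OPENSSL_THREADS)` test that already exists in do-configure, so this only exposes an existing knob in `make config`; say so in the commit message, and note that it defaults to `off`, so existing non-threaded builds are unchanged. While touching this block, the `ZLIB` line still ends with a continuation backslash before an empty line; drop that trailing backslash so the OPTIONS list terminates cleanly.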
@@ -857,7 +858,7 @@
 OPENSSL_BASE_SOPATH=	${OPENSSL_BASE_SONAME:H}
 OPENSSL_SHLIBVER?=	7
 
-.if !defined(WITHOUT_SSE2)
+.if defined(WITHOUT_SSE2)
 # disable runtime SSE2 detection
 EXTRACONFIGURE+=	no-sse2
 .endif
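Review bot: The inversion is correct: with SSE2 defaulting to `on` in OPTIONS, the old `.if !defined(WITHOUT_SSE2)` appended `no-sse2` to EXTRACONFIGURE for everyone who had not explicitly turned the option off, the opposite of what the `# disable runtime SSE2 detection` comment describes. Because users who kept the default have been getting builds without runtime SSE2 detection, a PORTREVISION bump is warranted so they pick up the corrected build, and the comment should state the knob it keys on, e.g. `# WITHOUT_SSE2: disable runtime SSE2 detection`.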
@@ -900,11 +901,9 @@
 .endif
 
 do-configure:
-.if !defined(WITH_FIPS)
 	${RM} -rf ${WRKSRC}/fips
 	${RM} -f ${WRKSRC}/include/openssl/fips.h
 	${RM} -f ${WRKSRC}/include/openssl/fips_rand.h
-.endif
 .if defined(WITH_OPENSSL_THREADS)
 	cd ${WRKSRC} \
 	&& ${SETENV} CC="${CC}" FREEBSDCC="${CC}" CFLAGS="${CFLAGS}" PERL="${PERL}" \
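Review bot: Removing the `.if !defined(WITH_FIPS)` guard makes `${RM} -rf ${WRKSRC}/fips` unconditional, which silently turns a WITH_FIPS build into a non-FIPS one, while the covering message only speaks of "minor flaws". If WITH_FIPS is no longer supported (it is not in the OPTIONS list shown in the first hunk), fail loudly instead of quietly, e.g. `.if defined(WITH_FIPS)` / `IGNORE= FIPS support has been removed from this port` / `.endif`, and mention the removal explicitly in the commit message.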
@@ -918,13 +917,6 @@
 	./config --prefix=${PREFIX} --openssldir=${OPENSSLDIR} \
 		-L${PREFIX}/lib ${EXTRACONFIGURE}
 .endif
-.if defined(WITH_FIPS)
-	@${REINPLACE_CMD} \
-		-e 's|^MANDIR=.*$$|MANDIR=$$(MANPREFIX)/man|' \
-		-e 's|lib/pkgconfig|libdata/pkgconfig|g' \
-		-e 's|LIBVERSION=[^ ]* |LIBVERSION=$(OPENSSL_SHLIBVER) |' \
-		${WRKSRC}/Makefile
-.else
 	@${REINPLACE_CMD} \
 		-e 's|^MANDIR=.*$$|MANDIR=$$(MANPREFIX)/man|' \
 		-e 's|lib/pkgconfig|libdata/pkgconfig|g' \
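Review bot: Dropping the `.if defined(WITH_FIPS)` branch loses nothing, since the three `-e` expressions it carried (MANDIR, the lib/pkgconfig to libdata/pkgconfig rewrite, and LIBVERSION) are repeated verbatim in the surviving `.else` branch; this is dead-code removal that follows from deleting the fips tree unconditionally in the earlier hunk. State that in the commit message so a reader does not go looking for a behaviour change in the REINPLACE_CMD invocation.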
@@ -949,8 +941,7 @@
 		-e 's|$$(FIPS_RNGVS)$$(EXE_EXT)||' \
 		-e 's|$$(FIPS_TEST_SUITE)$$(EXE_EXT)||' \
 		${WRKSRC}/test/Makefile
-.endif
-	@(cd ${BUILD_WRKSRC}/${i} && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} depend)
+	@(cd ${BUILD_WRKSRC} && ${SETENV} ${MAKE_ENV} ${MAKE} ${MAKE_FLAGS} ${MAKEFILE} depend)
 
 post-install:
 .if !defined(NOSHARED)
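Review bot: The `.endif` removal closes out the WITH_FIPS branch deleted in the previous hunk, but the `${BUILD_WRKSRC}/${i}` to `${BUILD_WRKSRC}` change in the `depend` step is a separate fix and deserves its own sentence in the commit message: no `.for i` loop binds `i` in the visible context, so the old line worked only because an empty `${i}` expanded the path to `${BUILD_WRKSRC}/`. If `i` is in fact bound somewhere outside this hunk, the change alters which directory `make depend` runs in, so confirm that before committing.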
