svn commit: r405278 - in head/security/libressl-devel: . files
Bernard Spil
brnrd at FreeBSD.org
Tue Jan 5 09:19:46 UTC 2016
Author: brnrd
Date: Tue Jan 5 09:19:44 2016
New Revision: 405278
URL: https://svnweb.freebsd.org/changeset/ports/405278
Log:
security/libressl-devel: Add next-stable LibreSSL 2.3 port
- Add security/libressl-devel for version 2.3.1
- Repository copy of security/libressl [1]
- Including corrections for CVE-2015-3194/3195
- Add support for multiple versions to bsd.openssl.mk
- Add option to install API man-pages [2]
- Disable silent rules output
Changes:
- ftp://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.0-relnotes.txt
- ftp://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.1-relnotes.txt
PR: 201462 [2]
Submitted by: adamw [2]
Requested by: junovitch [1]
Reviewed by: vsevolod (mentor, maintainer), koobs (mentor), feld (mentor)
Approved by: koobs (mentor), feld (mentor), mat [1] (portmgr)
Differential Revision: https://reviews.freebsd.org/D3585
Added:
head/security/libressl-devel/
- copied from r405242, head/security/libressl/
head/security/libressl-devel/files/patch-crypto_asn1_tasn__dec.c (contents, props changed)
head/security/libressl-devel/files/patch-crypto_rsa_rsa__ameth.c (contents, props changed)
Modified:
head/security/libressl-devel/Makefile
head/security/libressl-devel/distinfo
head/security/libressl-devel/files/patch-include_openssl_opensslv.h
head/security/libressl-devel/pkg-plist
Modified: head/security/libressl-devel/Makefile
==============================================================================
--- head/security/libressl/Makefile Mon Jan 4 14:21:56 2016 (r405242)
+++ head/security/libressl-devel/Makefile Tue Jan 5 09:19:44 2016 (r405278)
@@ -1,12 +1,14 @@
-# Created by: Vsevolod Stakhov <vsevolod at FreeBSD.org>
+# Created by: Bernard Spil <brnrd at FreeBSD.org>
# $FreeBSD$
PORTNAME= libressl
-PORTVERSION= 2.2.5
+PORTVERSION= 2.3.1
+PORTREVISIION= 1
CATEGORIES= security devel
MASTER_SITES= OPENBSD/LibreSSL
+PKGNAMESUFFIX= -devel
-MAINTAINER= vsevolod at FreeBSD.org
+MAINTAINER= brnrd at FreeBSD.org
COMMENT= Free version of the SSL/TLS protocol forked from OpenSSL
LICENSE= BSD4CLAUSE
@@ -14,29 +16,29 @@ LICENSE_FILE= ${WRKSRC}/COPYING
CPE_VENDOR= openbsd
-OPTIONS_DEFINE= MAN3
-OPTIONS_DEFAULT= MAN3
+OPTIONS_DEFINE= MAN3 NC
+OPTIONS_DEFAULT= MAN3 NC
MAN3_DESC= Install API manpages (section 3)
+NC_DESC= Build nc libtls demo application
CONFLICTS?= openssl-[0-9]* \
- libressl-devel-[0-9]*
+ libressl-[0-9]*
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --enable-silent-rules
USES= cpe libtool pathfix pkgconfig
USE_LDCONFIG= yes
+OPTIONS_SUB= yes
INSTALL_TARGET= install-strip
TEST_TARGET= check
-.include <bsd.port.pre.mk>
-
-.if ${ARCH} == "amd64"
-CONFIGURE_TARGET= x86_64-portbld-${OPSYS:tl}${OSREL}
-.endif
+post-stage-NC-on:
+ ${INSTALL_PROGRAM} ${WRKSRC}/apps/nc/.libs/nc ${STAGEDIR}/${PREFIX}/bin/nc
+ ${INSTALL_MAN} ${WRKSRC}/apps/nc/nc.1 ${STAGEDIR}/${PREFIX}/man/man1/nc.1
post-install-MAN3-off:
${RM} -rf ${STAGEDIR}/${PREFIX}/man/man3
${REINPLACE_CMD} -e '/^man\/man3/d' ${TMPPLIST}
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
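Review bot: `PORTREVISIION= 1` in the first hunk (the line after PORTVERSION) is misspelled, so the ports framework never sees a PORTREVISION and the added line is just an unused make variable; it should read `PORTREVISION= 1`. In the second hunk the two new install lines under post-stage-NC-on write to `${STAGEDIR}/${PREFIX}/...`, which doubles the slash since PREFIX is absolute; `${STAGEDIR}${PREFIX}/bin/nc` and `${STAGEDIR}${PREFIX}/man/man1/nc.1` is the usual form, though the pre-existing MAN3-off target has the same spelling. Whether the NC demo app is worth shipping under the generic name bin/nc, which may shadow the base system nc in PATH, is a packaging question the commit message could address.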
Modified: head/security/libressl-devel/distinfo
==============================================================================
--- head/security/libressl/distinfo Mon Jan 4 14:21:56 2016 (r405242)
+++ head/security/libressl-devel/distinfo Tue Jan 5 09:19:44 2016 (r405278)
@@ -1,2 +1,2 @@
-SHA256 (libressl-2.2.5.tar.gz) = e3caded0469d8dc64f4ca2fe8e499ada4dd014e84d1c5a71818d39e54e6c914b
-SIZE (libressl-2.2.5.tar.gz) = 2966527
+SHA256 (libressl-2.3.1.tar.gz) = 410b58db4ebbcab43c3357612e591094f64fb9339269caa2e68728e36f8d589e
+SIZE (libressl-2.3.1.tar.gz) = 3014881
Added: head/security/libressl-devel/files/patch-crypto_asn1_tasn__dec.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/libressl-devel/files/patch-crypto_asn1_tasn__dec.c Tue Jan 5 09:19:44 2016 (r405278)
@@ -0,0 +1,49 @@
+From 9900c16beb14eb3bfc8f4d8c6191e6e1a271c861 Mon Sep 17 00:00:00 2001
+From: beck <>
+Date: Fri, 4 Dec 2015 04:19:25 +0000
+Subject: [PATCH] Fix for OpenSSL CVE-2015-3195 ok djm@ jsing@
+
+---
+ src/lib/libssl/src/crypto/asn1/tasn_dec.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
+index e50ec0a..0a6eaf2 100644
+--- crypto/asn1/tasn_dec.c
++++ crypto/asn1/tasn_dec.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: tasn_dec.c,v 1.26 2015/03/19 14:00:22 tedu Exp $ */
++/* $OpenBSD: tasn_dec.c,v 1.27 2015/07/20 15:41:48 miod Exp $ */
+ /* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
+ * project 2000.
+ */
+@@ -166,6 +166,10 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ int otag;
+ int ret = 0;
+ ASN1_VALUE **pchptr;
++ int combine;
++
++ combine = aclass & ASN1_TFLG_COMBINE;
++ aclass &= ~ASN1_TFLG_COMBINE;
+
+ if (!pval)
+ return 0;
+@@ -447,7 +451,8 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ auxerr:
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+ err:
+- ASN1_item_ex_free(pval, it);
++ if (combine == 0)
++ ASN1_item_ex_free(pval, it);
+ if (errtt)
+ ERR_asprintf_error_data("Field=%s, Type=%s", errtt->field_name,
+ it->sname);
+@@ -642,7 +647,7 @@ asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len,
+ } else {
+ /* Nothing special */
+ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+- -1, 0, opt, ctx);
++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+ if (!ret) {
+ ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+ ERR_R_NESTED_ASN1_ERROR);
Added: head/security/libressl-devel/files/patch-crypto_rsa_rsa__ameth.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/security/libressl-devel/files/patch-crypto_rsa_rsa__ameth.c Tue Jan 5 09:19:44 2016 (r405278)
@@ -0,0 +1,35 @@
+untrusted comment: signature from openbsd 5.8 base secret key
+RWQNNZXtC/MqP8u13/pPZfTpPeHhU93PG0DBihXvQ7lB0CvONLwoTfHr9f40s515bidPGcGLAH4xu+yz3skT6b3tKETEWZw8BgA=
+
+OpenBSD 5.8 errata 9, Dec 3, 2015:
+
+CVE-2015-3194 - NULL pointer dereference in client certificate validation
+
+Apply by doing:
+ signify -Vep /etc/signify/openbsd-58-base.pub -x 009_clientcert.patch.sig \
+ -m - | (cd /usr/src && patch -p0)
+
+And then rebuild and install libcrypto:
+ cd /usr/src/lib/libcrypto
+ make obj
+ make depend
+ make
+ make install
+
+Index: crypto/rsa/rsa_ameth.c
+===================================================================
+RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_ameth.c,v
+retrieving revision 1.14
+retrieving revision 1.14.6.1
+diff -u -p -u -p -r1.14 -r1.14.6.1
+--- crypto/rsa/rsa_ameth.c 11 Feb 2015 04:05:14 -0000 1.14
++++ crypto/rsa/rsa_ameth.c 4 Dec 2015 04:13:43 -0000 1.14.6.1
+@@ -298,7 +298,7 @@ rsa_pss_decode(const X509_ALGOR *alg, X5
+ if (pss->maskGenAlgorithm) {
+ ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
+ if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 &&
+- param->type == V_ASN1_SEQUENCE) {
++ param && param->type == V_ASN1_SEQUENCE) {
+ p = param->value.sequence->data;
+ plen = param->value.sequence->length;
+ *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
Modified: head/security/libressl-devel/files/patch-include_openssl_opensslv.h
==============================================================================
--- head/security/libressl/files/patch-include_openssl_opensslv.h Mon Jan 4 14:21:56 2016 (r405242)
+++ head/security/libressl-devel/files/patch-include_openssl_opensslv.h Tue Jan 5 09:19:44 2016 (r405278)
@@ -1,7 +1,12 @@
---- include/openssl/opensslv.h.orig 2015-07-26 14:58:42 UTC
+Many applications use checking of OPENSSL_VERSION to detect if
+a feature is available and thus fail to build when the version
+is set to 0x20000000L. This fixes the OPENSSL_VERSION to the
+time at which LibreSSL forked.
+
+--- include/openssl/opensslv.h.orig 2015-09-11 22:35:14 UTC
+++ include/openssl/opensslv.h
@@ -7,7 +7,7 @@
- #define LIBRESSL_VERSION_TEXT "LibreSSL 2.2.2"
+ #define LIBRESSL_VERSION_TEXT "LibreSSL 2.3.0"
/* These will never change */
-#define OPENSSL_VERSION_NUMBER 0x20000000L
Modified: head/security/libressl-devel/pkg-plist
==============================================================================
--- head/security/libressl/pkg-plist Mon Jan 4 14:21:56 2016 (r405242)
+++ head/security/libressl-devel/pkg-plist Tue Jan 5 09:19:44 2016 (r405278)
@@ -1,3 +1,4 @@
+%%NC%%bin/nc
bin/openssl
etc/ssl/cert.pem
etc/ssl/openssl.cnf
@@ -24,7 +25,6 @@ include/openssl/dh.h
include/openssl/dsa.h
include/openssl/dso.h
include/openssl/dtls1.h
-include/openssl/e_os2.h
include/openssl/ec.h
include/openssl/ecdh.h
include/openssl/ecdsa.h
@@ -76,20 +76,21 @@ include/openssl/x509v3.h
include/tls.h
lib/libcrypto.a
lib/libcrypto.so
-lib/libcrypto.so.35
-lib/libcrypto.so.35.0.0
+lib/libcrypto.so.36
+lib/libcrypto.so.36.0.0
lib/libssl.a
lib/libssl.so
-lib/libssl.so.35
-lib/libssl.so.35.0.0
+lib/libssl.so.37
+lib/libssl.so.37.0.0
lib/libtls.a
lib/libtls.so
-lib/libtls.so.6
-lib/libtls.so.6.0.0
+lib/libtls.so.9
+lib/libtls.so.9.0.0
libdata/pkgconfig/libcrypto.pc
libdata/pkgconfig/libssl.pc
libdata/pkgconfig/libtls.pc
libdata/pkgconfig/openssl.pc
+%%NC%%man/man1/nc.1.gz
man/man1/openssl.1.gz
man/man3/ASN1_OBJECT_free.3.gz
man/man3/ASN1_OBJECT_new.3.gz
@@ -646,6 +647,7 @@ man/man3/ERR_remove_state.3.gz
man/man3/ERR_remove_thread_state.3.gz
man/man3/ERR_set_mark.3.gz
man/man3/EVP_BytesToKey.3.gz
+man/man3/EVP_AEAD_CTX_init.3.gz
man/man3/EVP_CIPHER_CTX_block_size.3.gz
man/man3/EVP_CIPHER_CTX_cipher.3.gz
man/man3/EVP_CIPHER_CTX_cleanup.3.gz
@@ -844,7 +846,6 @@ man/man3/EVP_rc5_32_12_16_cfb.3.gz
man/man3/EVP_rc5_32_12_16_ecb.3.gz
man/man3/EVP_rc5_32_12_16_ofb.3.gz
man/man3/EVP_ripemd160.3.gz
-man/man3/EVP_sha.3.gz
man/man3/EVP_sha1.3.gz
man/man3/EVP_sha224.3.gz
man/man3/EVP_sha256.3.gz
@@ -1509,6 +1510,7 @@ man/man3/tls_config_clear_keys.3.gz
man/man3/tls_config_free.3.gz
man/man3/tls_config_insecure_noverifycert.3.gz
man/man3/tls_config_insecure_noverifyname.3.gz
+man/man3/tls_config_insecure_noverifytime.3.gz
man/man3/tls_config_new.3.gz
man/man3/tls_config_parse_protocols.3.gz
man/man3/tls_config_set_ca_file.3.gz
@@ -1529,14 +1531,28 @@ man/man3/tls_connect.3.gz
man/man3/tls_connect_fds.3.gz
man/man3/tls_connect_servername.3.gz
man/man3/tls_connect_socket.3.gz
+man/man3/tls_conn_cipher.3.gz
+man/man3/tls_conn_version.3.gz
man/man3/tls_error.3.gz
man/man3/tls_free.3.gz
man/man3/tls_init.3.gz
man/man3/tls_load_file.3.gz
+man/man3/tls_peer_cert_notafter.3.gz
+man/man3/tls_peer_cert_notbefore.3.gz
man/man3/tls_read.3.gz
man/man3/tls_reset.3.gz
man/man3/tls_server.3.gz
man/man3/tls_write.3.gz
+man/man3/tls_config_prefer_ciphers_client.3.gz
+man/man3/tls_config_prefer_ciphers_server.3.gz
+man/man3/tls_config_verify_client.3.gz
+man/man3/tls_config_verify_client_optional.3.gz
+man/man3/tls_handshake.3.gz
+man/man3/tls_peer_cert_contains_name.3.gz
+man/man3/tls_peer_cert_hash.3.gz
+man/man3/tls_peer_cert_issuer.3.gz
+man/man3/tls_peer_cert_provided.3.gz
+man/man3/tls_peer_cert_subject.3.gz
man/man3/tmp_rsa_callback.3.gz
man/man3/ui.3.gz
man/man3/ui_compat.3.gz
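Review bot: The ten entries added after `man/man3/tls_write.3.gz` in the last hunk (tls_config_prefer_ciphers_client through tls_peer_cert_subject) are out of the alphabetical order the rest of pkg-plist follows, as is `man/man3/EVP_AEAD_CTX_init.3.gz` placed after EVP_BytesToKey in the earlier hunk. Suggest moving them to their sorted positions: the tls_config_* lines next to the other tls_config_* entries, tls_handshake before tls_init, the tls_peer_cert_* lines alongside tls_peer_cert_notafter/notbefore, and EVP_AEAD_CTX_init before EVP_BytesToKey. Keeping the list sorted makes later version bumps diff cleanly against the staged file list.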