security/openssl-devel: Remove port
- OpenSSL 1.1.1 is ABI compatible
- Aligns with FreeBSD 12

Reviewed by: bapt, rene
Differential Revision: https://reviews.freebsd.org/D17136
parent
5ee8f2a662
commit
efd6dfdadf
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=483966
1
MOVED
1
MOVED
@ -10614,3 +10614,4 @@ devel/rubygem-sidekiq-limit_fetch||2018-11-01|Obsolete by www/gitlab-ce 11.4.x u
|
||||
textproc/rubygem-github-markup16|textproc/rubygem-github-markup|2018-11-01|Obsolete by www/gitlab-ce 11.4.x upgrade, please use textproc/rubygem-github-markup
|
||||
www/rubygem-dropzonejs-rails07|www/rubygem-dropzonejs-rails|2018-11-01|Obsolete by www/gitlab-ce 11.4.x upgrade, please use www/rubygem-dropzonejs-rails
|
||||
audio/icecast2|audio/icecast|2018-11-03|Use upstream naming
|
||||
security/openssl-devel|security/openssl111|2018-11-04|Use security/openssl111 instead
|
||||
|
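Review bot: The MOVED line for security/openssl-devel redirects users to security/openssl111, but the port tree being deleted here carried local backports of the CVE-2018-0734 (DSA timing) and CVE-2018-0735 (ECDSA timing) fixes, and nothing on this page shows which 1.1.1 release openssl111 currently ships. If openssl111 is at a release that predates the upstream fix for those two advisories, users following the redirect would lose those patches, so that is worth confirming before this lands (presumably it is fine, since the commit was reviewed, but the message does not say so). The commit description could record the check explicitly, e.g. `- security/openssl111 already carries the CVE-2018-0734/0735 fixes that were backported in openssl-devel`. The MOVED reason text could also carry the ABI point from the commit message so `pkg` users see why the redirect is safe: `security/openssl-devel|security/openssl111|2018-11-04|Use security/openssl111 instead (1.1.1 is ABI compatible)`.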
@ -464,7 +464,6 @@
|
||||
SUBDIR += openssh-askpass
|
||||
SUBDIR += openssh-portable
|
||||
SUBDIR += openssl
|
||||
SUBDIR += openssl-devel
|
||||
SUBDIR += openssl-unsafe
|
||||
SUBDIR += openssl111
|
||||
SUBDIR += openssl_tpm_engine
|
||||
|
@ -1,145 +0,0 @@
|
||||
# Created by: Dirk Froemberg <dirk@FreeBSD.org>
|
||||
# $FreeBSD$
|
||||
|
||||
PORTNAME= openssl
|
||||
PORTVERSION= 1.1.0i
|
||||
PORTREVISION= 1
|
||||
CATEGORIES= security devel
|
||||
MASTER_SITES= https://www.openssl.org/source/ \
|
||||
ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/
|
||||
PKGNAMESUFFIX= -devel
|
||||
|
||||
MAINTAINER= brnrd@FreeBSD.org
|
||||
COMMENT= SSL and crypto library (1.1.0)
|
||||
|
||||
LICENSE= OpenSSL
|
||||
LICENSE_FILE= ${WRKSRC}/LICENSE
|
||||
|
||||
CONFLICTS_INSTALL= libressl-[0-9]* \
|
||||
libressl-devel-[0-9]* \
|
||||
openssl-[0-9]* \
|
||||
openssl111-[0-9]*
|
||||
|
||||
DEPRECATED= Upstream support ends 2019-09-11, use security/openssl111
|
||||
EXPIRATION_DATE= 2019-09-11
|
||||
|
||||
HAS_CONFIGURE= yes
|
||||
CONFIGURE_SCRIPT= config
|
||||
CONFIGURE_ENV= PERL="${PERL}"
|
||||
CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \
|
||||
--prefix=${PREFIX} -v
|
||||
|
||||
USES= cpe perl5
|
||||
USE_PERL5= build
|
||||
MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive
|
||||
MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS=
|
||||
TEST_TARGET= test
|
||||
|
||||
OPTIONS_GROUP= CIPHERS HASHES OPTIMIZE PROTOCOLS
|
||||
OPTIONS_GROUP_CIPHERS= IDEA JPAKE RC2 RC4 RC5
|
||||
OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160
|
||||
OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS
|
||||
OPTIONS_DEFINE_i386= I386
|
||||
OPTIONS_GROUP_PROTOCOLS= DH NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1
|
||||
|
||||
OPTIONS_DEFINE= ASYNC MAN3 RFC3779 SHARED ZLIB
|
||||
|
||||
.if ${MACHINE_ARCH} == "amd64"
|
||||
OPTIONS_GROUP_OPTIMIZE+= EC
|
||||
.elif ${MACHINE_ARCH} == "mips64el"
|
||||
OPTIONS_GROUP_OPTIMIZE+= EC
|
||||
.endif
|
||||
OPTIONS_DEFAULT= ASM ASYNC DH EC MAN3 MD4 RC2 RC4 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1
|
||||
OPTIONS_SUB= yes
|
||||
|
||||
ASM_DESC= Assembler code
|
||||
ASYNC_DESC= Asynchronous mode
|
||||
CIPHERS_DESC= Cipher Suite Support
|
||||
DH_DESC= Diffie-Helmann protocol Support
|
||||
EC_DESC= Optimize NIST elliptic curves
|
||||
HASHES_DESC= Hash Function Support
|
||||
I386_DESC= i386 (instead of i486+)
|
||||
IDEA_DESC= IDEA
|
||||
JPAKE_DESC= J-PAKE (experimental)
|
||||
MAN3_DESC= Install API manpages (section 3)
|
||||
MD2_DESC= MD2 (obsolete)
|
||||
MD4_DESC= MD4 (unsafe)
|
||||
MDC2_DESC= MDC-2
|
||||
MD_GHOST94_DESC= GHOST94 (obscure)
|
||||
NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY)
|
||||
OPTIMIZE_DESC= Optimizations
|
||||
PROTOCOLS_DESC= Protocol Support
|
||||
RC2_DESC= RC2 (unsafe)
|
||||
RC4_DESC= RC4 (unsafe)
|
||||
RC5_DESC= RC5 (patented)
|
||||
RMD160_DESC= RIPEMD-160
|
||||
RFC3779_DESC= RFC3779 support (BGP)
|
||||
SCTP_DESC= SCTP (Stream Control Transmission)
|
||||
SHARED_DESC= Build shared libraries
|
||||
SSE2_DESC= Runtime SSE2 detection
|
||||
SSL3_DESC= SSLv3 (unsafe)
|
||||
TLS1_DESC= TLSv1.0 support
|
||||
TLS1_1_DESC= TLSv1.1 support (disables TLSv1.0 as well)
|
||||
ZLIB_DESC= zlib compression support
|
||||
|
||||
# Upstream default disabled options
|
||||
.for _option in md2 rc5 sctp ssl3 zlib
|
||||
${_option:tu}_CONFIGURE_ON= enable-${_option}
|
||||
.endfor
|
||||
|
||||
# Upstream default enabled options
|
||||
.for _option in asm async dh idea md4 mdc2 md_ghost94 nextprotoneg rfc3779 \
|
||||
rmd160 shared sse2 threads tls1 tls1_1 zlib
|
||||
${_option:tu}_CONFIGURE_OFF= no-${_option}
|
||||
.endfor
|
||||
|
||||
EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128
|
||||
I386_CONFIGURE_ON= 386
|
||||
SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER}
|
||||
SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER}
|
||||
SHARED_USE= ldconfig=yes
|
||||
SSL3_CONFIGURE_ON+= enable-ssl3-method
|
||||
ZLIB_CONFIGURE_ON= zlib-dynamic
|
||||
|
||||
.include <bsd.port.pre.mk>
|
||||
.if ${PREFIX} == /usr
|
||||
IGNORE= the OpenSSL port cannot be installed over the base version
|
||||
.endif
|
||||
|
||||
OPENSSLDIR?= ${PREFIX}/openssl
|
||||
PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==}
|
||||
|
||||
.include "version.mk"
|
||||
|
||||
.if ${PORT_OPTIONS:MASM}
|
||||
BROKEN_sparc64= option ASM generates illegal instructions
|
||||
.endif
|
||||
|
||||
post-patch:
|
||||
${REINPLACE_CMD} \
|
||||
-e 's|^MANDIR=.*$$|MANDIR=$$(INSTALLTOP)/man|' \
|
||||
-e 's| install_html_docs$$||' \
|
||||
-e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \
|
||||
${WRKSRC}/Configurations/unix-Makefile.tmpl
|
||||
|
||||
post-patch-MAN3-off:
|
||||
${GREP} -L openssl_manual_section ${WRKSRC}/doc/crypto/*.pod | ${XARGS} ${RM}
|
||||
${GREP} -L openssl_manual_section ${WRKSRC}/doc/ssl/*.pod | ${XARGS} ${RM}
|
||||
|
||||
post-configure:
|
||||
${REINPLACE_CMD} \
|
||||
-e 's|$$(SHLIB_MAJOR).$$(SHLIB_MINOR)|${OPENSSL_SHLIBVER}|g' \
|
||||
${WRKSRC}/Makefile
|
||||
${REINPLACE_CMD} \
|
||||
-e 's|SHLIB_VERSION_NUMBER "1.1"|SHLIB_VERSION_NUMBER "${OPENSSL_SHLIBVER}"|' \
|
||||
${WRKSRC}/include/openssl/opensslv.h
|
||||
${REINPLACE_CMD} -e 's|\^GNU ld|GNU|' ${WRKSRC}/Makefile.shared
|
||||
|
||||
post-install-SHARED-on:
|
||||
${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/lib*.so.${OPENSSL_SHLIBVER} \
|
||||
${STAGEDIR}${PREFIX}/lib/engines-1.1/*.so
|
||||
|
||||
post-install:
|
||||
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl
|
||||
|
||||
.include <bsd.port.post.mk>
|
@ -1,3 +0,0 @@
|
||||
TIMESTAMP = 1534254208
|
||||
SHA256 (openssl-1.1.0i.tar.gz) = ebbfc844a8c8cc0ea5dc10b86c9ce97f401837f3fa08c17b2cdadc118253cf99
|
||||
SIZE (openssl-1.1.0i.tar.gz) = 5453234
|
@ -1,98 +0,0 @@
|
||||
Timing vulnerability in DSA signature generation (CVE-2018-0734).
|
||||
|
||||
Avoid a timing attack that leaks information via a side channel that
|
||||
triggers when a BN is resized. Increasing the size of the BNs
|
||||
prior to doing anything with them suppresses the attack.
|
||||
|
||||
Thanks due to Samuel Weiser for finding and locating this.
|
||||
|
||||
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
|
||||
(Merged from #7486)
|
||||
|
||||
(cherry picked from commit a9cfb8c)
|
||||
|
||||
https://github.com/openssl/openssl/commit/8abfe72e8c1de1b95f50aa0d9134803b4d00070f
|
||||
--- crypto/dsa/dsa_ossl.c.orig 2018-09-11 12:48:21 UTC
|
||||
+++ crypto/dsa/dsa_ossl.c
|
||||
@@ -9,6 +9,7 @@
|
||||
|
||||
#include <stdio.h>
|
||||
#include "internal/cryptlib.h"
|
||||
+#include "internal/bn_int.h"
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/sha.h>
|
||||
#include "dsa_locl.h"
|
||||
@@ -178,9 +179,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C
|
||||
{
|
||||
BN_CTX *ctx = NULL;
|
||||
BIGNUM *k, *kinv = NULL, *r = *rp;
|
||||
- BIGNUM *l, *m;
|
||||
+ BIGNUM *l;
|
||||
int ret = 0;
|
||||
- int q_bits;
|
||||
+ int q_bits, q_words;
|
||||
|
||||
if (!dsa->p || !dsa->q || !dsa->g) {
|
||||
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
|
||||
@@ -189,8 +190,7 @@ static int dsa_sign_setup(DSA *dsa, BN_C
|
||||
|
||||
k = BN_new();
|
||||
l = BN_new();
|
||||
- m = BN_new();
|
||||
- if (k == NULL || l == NULL || m == NULL)
|
||||
+ if (k == NULL || l == NULL)
|
||||
goto err;
|
||||
|
||||
if (ctx_in == NULL) {
|
||||
@@ -201,9 +201,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C
|
||||
|
||||
/* Preallocate space */
|
||||
q_bits = BN_num_bits(dsa->q);
|
||||
- if (!BN_set_bit(k, q_bits)
|
||||
- || !BN_set_bit(l, q_bits)
|
||||
- || !BN_set_bit(m, q_bits))
|
||||
+ q_words = bn_get_top(dsa->q);
|
||||
+ if (!bn_wexpand(k, q_words + 2)
|
||||
+ || !bn_wexpand(l, q_words + 2))
|
||||
goto err;
|
||||
|
||||
/* Get random k */
|
||||
@@ -238,14 +238,17 @@ static int dsa_sign_setup(DSA *dsa, BN_C
|
||||
* small timing information leakage. We then choose the sum that is
|
||||
* one bit longer than the modulus.
|
||||
*
|
||||
- * TODO: revisit the BN_copy aiming for a memory access agnostic
|
||||
- * conditional copy.
|
||||
+ * There are some concerns about the efficacy of doing this. More
|
||||
+ * specificly refer to the discussion starting with:
|
||||
+ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
|
||||
+ * The fix is to rework BN so these gymnastics aren't required.
|
||||
*/
|
||||
if (!BN_add(l, k, dsa->q)
|
||||
- || !BN_add(m, l, dsa->q)
|
||||
- || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
|
||||
+ || !BN_add(k, l, dsa->q))
|
||||
goto err;
|
||||
|
||||
+ BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
|
||||
+
|
||||
if ((dsa)->meth->bn_mod_exp != NULL) {
|
||||
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
|
||||
dsa->method_mont_p))
|
||||
@@ -258,7 +261,7 @@ static int dsa_sign_setup(DSA *dsa, BN_C
|
||||
if (!BN_mod(r, r, dsa->q, ctx))
|
||||
goto err;
|
||||
|
||||
- /* Compute part of 's = inv(k) (m + xr) mod q' */
|
||||
+ /* Compute part of 's = inv(k) (m + xr) mod q' */
|
||||
if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
|
||||
goto err;
|
||||
|
||||
@@ -273,7 +276,6 @@ static int dsa_sign_setup(DSA *dsa, BN_C
|
||||
BN_CTX_free(ctx);
|
||||
BN_clear_free(k);
|
||||
BN_clear_free(l);
|
||||
- BN_clear_free(m);
|
||||
return ret;
|
||||
}
|
||||
|
@ -1,33 +0,0 @@
|
||||
Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
|
||||
|
||||
Preallocate an extra limb for some of the big numbers to avoid a reallocation
|
||||
that can potentially provide a side channel.
|
||||
|
||||
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
|
||||
(Merged from #7486)
|
||||
|
||||
(cherry picked from commit 99540ec)
|
||||
|
||||
https://www.openssl.org/news/secadv/20181029.txt
|
||||
--- crypto/ec/ec_mult.c.orig 2018-08-14 12:45:07 UTC
|
||||
+++ crypto/ec/ec_mult.c
|
||||
@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GRO
|
||||
*/
|
||||
cardinality_bits = BN_num_bits(cardinality);
|
||||
group_top = bn_get_top(cardinality);
|
||||
- if ((bn_wexpand(k, group_top + 1) == NULL)
|
||||
- || (bn_wexpand(lambda, group_top + 1) == NULL))
|
||||
+ if ((bn_wexpand(k, group_top + 2) == NULL)
|
||||
+ || (bn_wexpand(lambda, group_top + 2) == NULL))
|
||||
goto err;
|
||||
|
||||
if (!BN_copy(k, scalar))
|
||||
@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GRO
|
||||
* k := scalar + 2*cardinality
|
||||
*/
|
||||
kbit = BN_is_bit_set(lambda, cardinality_bits);
|
||||
- BN_consttime_swap(kbit, k, lambda, group_top + 1);
|
||||
+ BN_consttime_swap(kbit, k, lambda, group_top + 2);
|
||||
|
||||
group_top = bn_get_top(group->field);
|
||||
if ((bn_wexpand(s->X, group_top) == NULL)
|
@ -1,19 +0,0 @@
|
||||
--- config.orig 2016-02-15 18:08:07 UTC
|
||||
+++ config
|
||||
@@ -713,14 +713,8 @@ case "$GUESSOS" in
|
||||
sparc64-*-*bsd*) OUT="BSD-sparc64" ;;
|
||||
ia64-*-*bsd*) OUT="BSD-ia64" ;;
|
||||
amd64-*-*bsd*) OUT="BSD-x86_64" ;;
|
||||
- *86*-*-*bsd*) # mimic ld behaviour when it's looking for libc...
|
||||
- if [ -L /usr/lib/libc.so ]; then # [Free|Net]BSD
|
||||
- libc=/usr/lib/libc.so
|
||||
- else # OpenBSD
|
||||
- # ld searches for highest libc.so.* and so do we
|
||||
- libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null`
|
||||
- fi
|
||||
- case "`(file -L $libc) 2>/dev/null`" in
|
||||
+ *86*-*-*bsd*)
|
||||
+ case "`(file -L /bin/sh) 2>/dev/null`" in
|
||||
*ELF*) OUT="BSD-x86-elf" ;;
|
||||
*) OUT="BSD-x86"; options="$options no-sse2" ;;
|
||||
esac ;;
|
@ -1,4 +0,0 @@
|
||||
|
||||
Copy %%PREFIX%%/openssl/openssl.cnf.sample to %%PREFIX%%/openssl/openssl.cnf
|
||||
and edit it to fit your needs.
|
||||
|
@ -1,16 +0,0 @@
|
||||
The OpenSSL Project is a collaborative effort to develop a robust,
|
||||
commercial-grade, full-featured, and Open Source toolkit implementing
|
||||
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security
|
||||
(TLS v1) protocols with full-strength cryptography world-wide. The
|
||||
project is managed by a worldwide community of volunteers that use
|
||||
the Internet to communicate, plan, and develop the OpenSSL tookit
|
||||
and its related documentation.
|
||||
|
||||
OpenSSL is based on the excellent SSLeay library developed by Eric
|
||||
A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under
|
||||
an Apache-style licence, which basically means that you are free
|
||||
to get and use it for commercial and non-commercial purposes subject
|
||||
to some simple license conditions.
|
||||
|
||||
WWW: http://www.openssl.org/
|
||||
WWW: http://sctp.fh-muenster.de/dtls-patches.html
|
@ -1 +0,0 @@
|
||||
OPENSSL_SHLIBVER?= 10
|