security/openssl-devel: Remove port

- OpenSSL 1.1.1 is ABI compatible with 1.1.0 (the version this port provided)
- Aligns with FreeBSD 12

Reviewed by:	bapt, rene
Differential Revision: https://reviews.freebsd.org/D17136
Bernard Spil 2018-11-04 08:59:18 +00:00
parent 5ee8f2a662
commit efd6dfdadf
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=483966
11 changed files with 1 additions and 3695 deletions

MOVED

@ -10614,3 +10614,4 @@ devel/rubygem-sidekiq-limit_fetch||2018-11-01|Obsolete by www/gitlab-ce 11.4.x u
textproc/rubygem-github-markup16|textproc/rubygem-github-markup|2018-11-01|Obsolete by www/gitlab-ce 11.4.x upgrade, please use textproc/rubygem-github-markup
www/rubygem-dropzonejs-rails07|www/rubygem-dropzonejs-rails|2018-11-01|Obsolete by www/gitlab-ce 11.4.x upgrade, please use www/rubygem-dropzonejs-rails
audio/icecast2|audio/icecast|2018-11-03|Use upstream naming
security/openssl-devel|security/openssl111|2018-11-04|Use security/openssl111 instead
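Review bot: The new MOVED entry only says `Use security/openssl111 instead`, which leaves consumers without what they need to migrate safely: the removed port pinned its library soname through `OPENSSL_SHLIBVER?= 10` (version.mk) and rewrote `opensslv.h` and the generated `Makefile` to that value in post-configure, so every package built against openssl-devel is bound to `lib*.so.10`. The commit message's ABI-compatibility claim covers OpenSSL 1.1.1 versus 1.1.0, but whether openssl111 installs the same SHLIBVER is not visible in this commit; if it does not, dependents need a rebuild and the reason string (or an UPDATING entry, which is not among the 11 files changed here) should say so. Users who selected the port via `DEFAULT_VERSIONS+= ssl=openssl-devel` are not covered by a MOVED line either, so a follow-up in Mk/bsd.default-versions.mk may be needed — that file is also not part of this commit. A more informative reason would be `security/openssl-devel|security/openssl111|2018-11-04|OpenSSL 1.1.0 (upstream EOL 2019-09-11) superseded by ABI-compatible 1.1.1, use security/openssl111`.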


@ -464,7 +464,6 @@
SUBDIR += openssh-askpass
SUBDIR += openssh-portable
SUBDIR += openssl
SUBDIR += openssl-devel
SUBDIR += openssl-unsafe
SUBDIR += openssl111
SUBDIR += openssl_tpm_engine


@ -1,145 +0,0 @@
# Created by: Dirk Froemberg <dirk@FreeBSD.org>
# $FreeBSD$
PORTNAME= openssl
PORTVERSION= 1.1.0i
PORTREVISION= 1
CATEGORIES= security devel
MASTER_SITES= https://www.openssl.org/source/ \
ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/
PKGNAMESUFFIX= -devel
MAINTAINER= brnrd@FreeBSD.org
COMMENT= SSL and crypto library (1.1.0)
LICENSE= OpenSSL
LICENSE_FILE= ${WRKSRC}/LICENSE
CONFLICTS_INSTALL= libressl-[0-9]* \
libressl-devel-[0-9]* \
openssl-[0-9]* \
openssl111-[0-9]*
DEPRECATED= Upstream support ends 2019-09-11, use security/openssl111
EXPIRATION_DATE= 2019-09-11
HAS_CONFIGURE= yes
CONFIGURE_SCRIPT= config
CONFIGURE_ENV= PERL="${PERL}"
CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \
--prefix=${PREFIX} -v
USES= cpe perl5
USE_PERL5= build
MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive
MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS=
TEST_TARGET= test
OPTIONS_GROUP= CIPHERS HASHES OPTIMIZE PROTOCOLS
OPTIONS_GROUP_CIPHERS= IDEA JPAKE RC2 RC4 RC5
OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160
OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS
OPTIONS_DEFINE_i386= I386
OPTIONS_GROUP_PROTOCOLS= DH NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1
OPTIONS_DEFINE= ASYNC MAN3 RFC3779 SHARED ZLIB
.if ${MACHINE_ARCH} == "amd64"
OPTIONS_GROUP_OPTIMIZE+= EC
.elif ${MACHINE_ARCH} == "mips64el"
OPTIONS_GROUP_OPTIMIZE+= EC
.endif
OPTIONS_DEFAULT= ASM ASYNC DH EC MAN3 MD4 RC2 RC4 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1
OPTIONS_SUB= yes
ASM_DESC= Assembler code
ASYNC_DESC= Asynchronous mode
CIPHERS_DESC= Cipher Suite Support
DH_DESC= Diffie-Helmann protocol Support
EC_DESC= Optimize NIST elliptic curves
HASHES_DESC= Hash Function Support
I386_DESC= i386 (instead of i486+)
IDEA_DESC= IDEA
JPAKE_DESC= J-PAKE (experimental)
MAN3_DESC= Install API manpages (section 3)
MD2_DESC= MD2 (obsolete)
MD4_DESC= MD4 (unsafe)
MDC2_DESC= MDC-2
MD_GHOST94_DESC= GHOST94 (obscure)
NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY)
OPTIMIZE_DESC= Optimizations
PROTOCOLS_DESC= Protocol Support
RC2_DESC= RC2 (unsafe)
RC4_DESC= RC4 (unsafe)
RC5_DESC= RC5 (patented)
RMD160_DESC= RIPEMD-160
RFC3779_DESC= RFC3779 support (BGP)
SCTP_DESC= SCTP (Stream Control Transmission)
SHARED_DESC= Build shared libraries
SSE2_DESC= Runtime SSE2 detection
SSL3_DESC= SSLv3 (unsafe)
TLS1_DESC= TLSv1.0 support
TLS1_1_DESC= TLSv1.1 support (disables TLSv1.0 as well)
ZLIB_DESC= zlib compression support
# Upstream default disabled options
.for _option in md2 rc5 sctp ssl3 zlib
${_option:tu}_CONFIGURE_ON= enable-${_option}
.endfor
# Upstream default enabled options
.for _option in asm async dh idea md4 mdc2 md_ghost94 nextprotoneg rfc3779 \
rmd160 shared sse2 threads tls1 tls1_1 zlib
${_option:tu}_CONFIGURE_OFF= no-${_option}
.endfor
EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128
I386_CONFIGURE_ON= 386
SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER}
SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER}
SHARED_USE= ldconfig=yes
SSL3_CONFIGURE_ON+= enable-ssl3-method
ZLIB_CONFIGURE_ON= zlib-dynamic
.include <bsd.port.pre.mk>
.if ${PREFIX} == /usr
IGNORE= the OpenSSL port cannot be installed over the base version
.endif
OPENSSLDIR?= ${PREFIX}/openssl
PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==}
.include "version.mk"
.if ${PORT_OPTIONS:MASM}
BROKEN_sparc64= option ASM generates illegal instructions
.endif
post-patch:
${REINPLACE_CMD} \
-e 's|^MANDIR=.*$$|MANDIR=$$(INSTALLTOP)/man|' \
-e 's| install_html_docs$$||' \
-e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \
${WRKSRC}/Configurations/unix-Makefile.tmpl
post-patch-MAN3-off:
${GREP} -L openssl_manual_section ${WRKSRC}/doc/crypto/*.pod | ${XARGS} ${RM}
${GREP} -L openssl_manual_section ${WRKSRC}/doc/ssl/*.pod | ${XARGS} ${RM}
post-configure:
${REINPLACE_CMD} \
-e 's|$$(SHLIB_MAJOR).$$(SHLIB_MINOR)|${OPENSSL_SHLIBVER}|g' \
${WRKSRC}/Makefile
${REINPLACE_CMD} \
-e 's|SHLIB_VERSION_NUMBER "1.1"|SHLIB_VERSION_NUMBER "${OPENSSL_SHLIBVER}"|' \
${WRKSRC}/include/openssl/opensslv.h
${REINPLACE_CMD} -e 's|\^GNU ld|GNU|' ${WRKSRC}/Makefile.shared
post-install-SHARED-on:
${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/lib*.so.${OPENSSL_SHLIBVER} \
${STAGEDIR}${PREFIX}/lib/engines-1.1/*.so
post-install:
${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl
.include <bsd.port.post.mk>


@ -1,3 +0,0 @@
TIMESTAMP = 1534254208
SHA256 (openssl-1.1.0i.tar.gz) = ebbfc844a8c8cc0ea5dc10b86c9ce97f401837f3fa08c17b2cdadc118253cf99
SIZE (openssl-1.1.0i.tar.gz) = 5453234


@ -1,98 +0,0 @@
Timing vulnerability in DSA signature generation (CVE-2018-0734).
Avoid a timing attack that leaks information via a side channel that
triggers when a BN is resized. Increasing the size of the BNs
prior to doing anything with them suppresses the attack.
Thanks due to Samuel Weiser for finding and locating this.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from #7486)
(cherry picked from commit a9cfb8c)
https://github.com/openssl/openssl/commit/8abfe72e8c1de1b95f50aa0d9134803b4d00070f
--- crypto/dsa/dsa_ossl.c.orig 2018-09-11 12:48:21 UTC
+++ crypto/dsa/dsa_ossl.c
@@ -9,6 +9,7 @@
#include <stdio.h>
#include "internal/cryptlib.h"
+#include "internal/bn_int.h"
#include <openssl/bn.h>
#include <openssl/sha.h>
#include "dsa_locl.h"
@@ -178,9 +179,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C
{
BN_CTX *ctx = NULL;
BIGNUM *k, *kinv = NULL, *r = *rp;
- BIGNUM *l, *m;
+ BIGNUM *l;
int ret = 0;
- int q_bits;
+ int q_bits, q_words;
if (!dsa->p || !dsa->q || !dsa->g) {
DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
@@ -189,8 +190,7 @@ static int dsa_sign_setup(DSA *dsa, BN_C
k = BN_new();
l = BN_new();
- m = BN_new();
- if (k == NULL || l == NULL || m == NULL)
+ if (k == NULL || l == NULL)
goto err;
if (ctx_in == NULL) {
@@ -201,9 +201,9 @@ static int dsa_sign_setup(DSA *dsa, BN_C
/* Preallocate space */
q_bits = BN_num_bits(dsa->q);
- if (!BN_set_bit(k, q_bits)
- || !BN_set_bit(l, q_bits)
- || !BN_set_bit(m, q_bits))
+ q_words = bn_get_top(dsa->q);
+ if (!bn_wexpand(k, q_words + 2)
+ || !bn_wexpand(l, q_words + 2))
goto err;
/* Get random k */
@@ -238,14 +238,17 @@ static int dsa_sign_setup(DSA *dsa, BN_C
* small timing information leakage. We then choose the sum that is
* one bit longer than the modulus.
*
- * TODO: revisit the BN_copy aiming for a memory access agnostic
- * conditional copy.
+ * There are some concerns about the efficacy of doing this. More
+ * specificly refer to the discussion starting with:
+ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
+ * The fix is to rework BN so these gymnastics aren't required.
*/
if (!BN_add(l, k, dsa->q)
- || !BN_add(m, l, dsa->q)
- || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
+ || !BN_add(k, l, dsa->q))
goto err;
+ BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
+
if ((dsa)->meth->bn_mod_exp != NULL) {
if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
dsa->method_mont_p))
@@ -258,7 +261,7 @@ static int dsa_sign_setup(DSA *dsa, BN_C
if (!BN_mod(r, r, dsa->q, ctx))
goto err;
- /* Compute part of 's = inv(k) (m + xr) mod q' */
+ /* Compute part of 's = inv(k) (m + xr) mod q' */
if ((kinv = BN_mod_inverse(NULL, k, dsa->q, ctx)) == NULL)
goto err;
@@ -273,7 +276,6 @@ static int dsa_sign_setup(DSA *dsa, BN_C
BN_CTX_free(ctx);
BN_clear_free(k);
BN_clear_free(l);
- BN_clear_free(m);
return ret;
}


@ -1,33 +0,0 @@
Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
Preallocate an extra limb for some of the big numbers to avoid a reallocation
that can potentially provide a side channel.
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from #7486)
(cherry picked from commit 99540ec)
https://www.openssl.org/news/secadv/20181029.txt
--- crypto/ec/ec_mult.c.orig 2018-08-14 12:45:07 UTC
+++ crypto/ec/ec_mult.c
@@ -177,8 +177,8 @@ static int ec_mul_consttime(const EC_GRO
*/
cardinality_bits = BN_num_bits(cardinality);
group_top = bn_get_top(cardinality);
- if ((bn_wexpand(k, group_top + 1) == NULL)
- || (bn_wexpand(lambda, group_top + 1) == NULL))
+ if ((bn_wexpand(k, group_top + 2) == NULL)
+ || (bn_wexpand(lambda, group_top + 2) == NULL))
goto err;
if (!BN_copy(k, scalar))
@@ -205,7 +205,7 @@ static int ec_mul_consttime(const EC_GRO
* k := scalar + 2*cardinality
*/
kbit = BN_is_bit_set(lambda, cardinality_bits);
- BN_consttime_swap(kbit, k, lambda, group_top + 1);
+ BN_consttime_swap(kbit, k, lambda, group_top + 2);
group_top = bn_get_top(group->field);
if ((bn_wexpand(s->X, group_top) == NULL)


@ -1,19 +0,0 @@
--- config.orig 2016-02-15 18:08:07 UTC
+++ config
@@ -713,14 +713,8 @@ case "$GUESSOS" in
sparc64-*-*bsd*) OUT="BSD-sparc64" ;;
ia64-*-*bsd*) OUT="BSD-ia64" ;;
amd64-*-*bsd*) OUT="BSD-x86_64" ;;
- *86*-*-*bsd*) # mimic ld behaviour when it's looking for libc...
- if [ -L /usr/lib/libc.so ]; then # [Free|Net]BSD
- libc=/usr/lib/libc.so
- else # OpenBSD
- # ld searches for highest libc.so.* and so do we
- libc=`(ls /usr/lib/libc.so.* /lib/libc.so.* | tail -1) 2>/dev/null`
- fi
- case "`(file -L $libc) 2>/dev/null`" in
+ *86*-*-*bsd*)
+ case "`(file -L /bin/sh) 2>/dev/null`" in
*ELF*) OUT="BSD-x86-elf" ;;
*) OUT="BSD-x86"; options="$options no-sse2" ;;
esac ;;


@ -1,4 +0,0 @@
Copy %%PREFIX%%/openssl/openssl.cnf.sample to %%PREFIX%%/openssl/openssl.cnf
and edit it to fit your needs.


@ -1,16 +0,0 @@
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security
(TLS v1) protocols with full-strength cryptography world-wide. The
project is managed by a worldwide community of volunteers that use
the Internet to communicate, plan, and develop the OpenSSL tookit
and its related documentation.
OpenSSL is based on the excellent SSLeay library developed by Eric
A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under
an Apache-style licence, which basically means that you are free
to get and use it for commercial and non-commercial purposes subject
to some simple license conditions.
WWW: http://www.openssl.org/
WWW: http://sctp.fh-muenster.de/dtls-patches.html



@ -1 +0,0 @@
OPENSSL_SHLIBVER?= 10