Update to mbedtls-2.6.0

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2017-01 mentions 3 security issues, at least CVE-2017-2784 (Freeing of memory allocated on stack when validating a public key with a secp224k1 curve) affects mbedtls-2.2.1. Packaging: - bump major of shared libs since symbols have been removed - tweak license marker - kill code in testsuite that fails to build with our stdio implementation (can't take the address of stdout, the C standard warns about that) - kill some debug flags set by cmake Make test passes on amd64 and arm, also tests & ok juanfra@
2017-10-21 00:47:52 +00:00 · 2017-10-21 00:47:52 +00:00 · 1353cb4429
commit 1353cb4429
parent 04503b3607
6 changed files with 69 additions and 24 deletions
--- a/security/polarssl/Makefile
+++ b/security/polarssl/Makefile
@ -1,23 +1,20 @@
-# $OpenBSD: Makefile,v 1.17 2017/10/18 19:11:40 jca Exp $
+# $OpenBSD: Makefile,v 1.18 2017/10/21 00:47:52 jca Exp $

 COMMENT=	SSL library with an intuitive API and readable source code

-DISTNAME=	mbedtls-2.2.1
-REVISION=	1
+DISTNAME=	mbedtls-2.6.0
 EXTRACT_SUFX=	-gpl.tgz

 # check SOVERSION
-SHARED_LIBS +=	mbedtls                  2.1
-SHARED_LIBS +=  mbedcrypto                0.0 # 2.1
-SHARED_LIBS +=  mbedx509                  0.0 # 2.1
+SHARED_LIBS +=  mbedtls                   3.0 # 2.6
+SHARED_LIBS +=  mbedcrypto                1.0 # 2.6
+SHARED_LIBS +=  mbedx509                  1.0 # 2.6

 CATEGORIES=	security

 HOMEPAGE=	https://tls.mbed.org/

-# Dual licensed: GPLv2+/Commercial
-# name changed from PolarSSL to mbed TLS after the ARM acquisition and a
-# future update will change the license to Apache.
+# Dual licensed: GPLv2+/Commercial, Apache v2 is also available
 PERMIT_PACKAGE_CDROM=	Yes

 # libssl/libcrypto are used for polarssl_o_p_test only
--- a/security/polarssl/distinfo
+++ b/security/polarssl/distinfo
@ -1,2 +1,2 @@
-SHA256 (mbedtls-2.2.1-gpl.tgz) = uxv/o6xasUO+Kq49RaepKzYRKIjvRlAk2Dckhl/mKXQ=
-SIZE (mbedtls-2.2.1-gpl.tgz) = 1848038
+SHA256 (mbedtls-2.6.0-gpl.tgz) = qZlZ1zYN7yL5EI0tSHyd44T+dsNJaXF2sfIjcAgNWBA=
+SIZE (mbedtls-2.6.0-gpl.tgz) = 1958070
--- a/security/polarssl/patches/patch-CMakeLists_txt
+++ b/security/polarssl/patches/patch-CMakeLists_txt
@ -1,19 +1,22 @@
-$OpenBSD: patch-CMakeLists_txt,v 1.4 2015/09/12 20:30:00 sthen Exp $
--- CMakeLists.txt.orig	Fri Sep  4 13:38:26 2015
-+++ CMakeLists.txt	Tue Sep  8 20:19:54 2015
-@@ -32,7 +32,6 @@ if(CMAKE_COMPILER_IS_GNUCC)
+$OpenBSD: patch-CMakeLists_txt,v 1.5 2017/10/21 00:47:52 jca Exp $
+Index: CMakeLists.txt
+--- CMakeLists.txt.orig
+++ CMakeLists.txt
+@@ -70,8 +70,6 @@ if(CMAKE_COMPILER_IS_GNUCC)
     if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8)
         set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
     endif()
 -    set(CMAKE_C_FLAGS_RELEASE     "-O2")
-     set(CMAKE_C_FLAGS_DEBUG       "-O0 -g3")
+-    set(CMAKE_C_FLAGS_DEBUG       "-O0 -g3")
     set(CMAKE_C_FLAGS_COVERAGE    "-O0 -g3 --coverage")
     set(CMAKE_C_FLAGS_ASAN        "-Werror -fsanitize=address -fno-common -O3")
-@@ -43,7 +42,6 @@ endif(CMAKE_COMPILER_IS_GNUCC)
+     set(CMAKE_C_FLAGS_ASANDBG     "-Werror -fsanitize=address -fno-common -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
+@@ -81,8 +79,6 @@ endif(CMAKE_COMPILER_IS_GNUCC)
 
 if(CMAKE_COMPILER_IS_CLANG)
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow")
 -    set(CMAKE_C_FLAGS_RELEASE     "-O2")
-     set(CMAKE_C_FLAGS_DEBUG       "-O0 -g3")
+-    set(CMAKE_C_FLAGS_DEBUG       "-O0 -g3")
     set(CMAKE_C_FLAGS_COVERAGE    "-O0 -g3 --coverage")
     set(CMAKE_C_FLAGS_ASAN        "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover -O3")
+     set(CMAKE_C_FLAGS_ASANDBG     "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
--- a/security/polarssl/patches/patch-include_mbedtls_config_h
+++ b/security/polarssl/patches/patch-include_mbedtls_config_h
@ -1,11 +1,12 @@
-$OpenBSD: patch-include_mbedtls_config_h,v 1.1 2016/08/27 07:46:50 juanfra Exp $
+$OpenBSD: patch-include_mbedtls_config_h,v 1.2 2017/10/21 00:47:52 jca Exp $

 MBEDTLS_THREADING_PTHREAD and MBEDTLS_THREADING_C are required by
 www/hiawatha.

--- include/mbedtls/config.h.orig	Sat Aug 27 03:17:22 2016
-+++ include/mbedtls/config.h	Sat Aug 27 03:18:03 2016
-@@ -1246,7 +1246,7 @@
+Index: include/mbedtls/config.h
+--- include/mbedtls/config.h.orig
+++ include/mbedtls/config.h
+@@ -1385,7 +1385,7 @@
  *
  * Uncomment this to enable pthread mutexes.
  */
@ -14,7 +15,7 @@ www/hiawatha.
 
 /**
  * \def MBEDTLS_VERSION_FEATURES
-@@ -2261,7 +2261,7 @@
+@@ -2423,7 +2423,7 @@
  *
  * Enable this layer to allow use of mutexes within mbed TLS
  */
--- a/security/polarssl/patches/patch-tests_suites_main_test_function
+++ b/security/polarssl/patches/patch-tests_suites_main_test_function
@ -0,0 +1,40 @@
+$OpenBSD: patch-tests_suites_main_test_function,v 1.1 2017/10/21 00:47:52 jca Exp $
+
+XXX can't take the address of stdout
+
+Index: tests/suites/main_test.function
+--- tests/suites/main_test.function.orig
+++ tests/suites/main_test.function
+@@ -401,32 +401,7 @@ int main(int argc, const char *argv[])
+             if( unmet_dep_count == 0 )
+             {
+                 test_errors = 0;
+-
+-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
+-                /* Suppress all output from the library unless we're verbose
+-                 * mode
+-                 */
+-                if( !option_verbose )
+-                {
+-                    stdout_fd = redirect_output( &stdout, "/dev/null" );
+-                    if( stdout_fd == -1 )
+-                    {
+-                        /* Redirection has failed with no stdout so exit */
+-                        exit( 1 );
+-                    }
+-                }
+-#endif /* __unix__ || __APPLE__ __MACH__ */
+-
+                 ret = dispatch_test( cnt, params );
+-
+-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
+-                if( !option_verbose && restore_output( &stdout, stdout_fd ) )
+-                {
+-                        /* Redirection has failed with no stdout so exit */
+-                        exit( 1 );
+-                }
+-#endif /* __unix__ || __APPLE__ __MACH__ */
+-
+             }
+ 
+             if( unmet_dep_count > 0 || ret == DISPATCH_UNSUPPORTED_SUITE )
--- a/security/polarssl/pkg/PLIST
+++ b/security/polarssl/pkg/PLIST
@ -1,4 +1,4 @@
-@comment $OpenBSD: PLIST,v 1.9 2015/11/11 21:01:44 benoit Exp $
+@comment $OpenBSD: PLIST,v 1.10 2017/10/21 00:47:52 jca Exp $
@conflict polarssl-*
 include/mbedtls/
 include/mbedtls/aes.h
@ -16,6 +16,7 @@ include/mbedtls/certs.h
 include/mbedtls/check_config.h
 include/mbedtls/cipher.h
 include/mbedtls/cipher_internal.h
+include/mbedtls/cmac.h
 include/mbedtls/compat-1.3.h
 include/mbedtls/config.h
 include/mbedtls/ctr_drbg.h
@ -26,6 +27,7 @@ include/mbedtls/ecdh.h
 include/mbedtls/ecdsa.h
 include/mbedtls/ecjpake.h
 include/mbedtls/ecp.h
+include/mbedtls/ecp_internal.h
 include/mbedtls/entropy.h
 include/mbedtls/entropy_poll.h
 include/mbedtls/error.h
@ -39,6 +41,7 @@ include/mbedtls/md5.h
 include/mbedtls/md_internal.h
 include/mbedtls/memory_buffer_alloc.h
 include/mbedtls/net.h
+include/mbedtls/net_sockets.h
 include/mbedtls/oid.h
 include/mbedtls/padlock.h
 include/mbedtls/pem.h
@ -48,6 +51,7 @@ include/mbedtls/pkcs11.h
 include/mbedtls/pkcs12.h
 include/mbedtls/pkcs5.h
 include/mbedtls/platform.h
+include/mbedtls/platform_time.h
 include/mbedtls/ripemd160.h
 include/mbedtls/rsa.h
 include/mbedtls/sha1.h