security/libressl-devel: Add next-stable LibreSSL 2.3 port

- Add security/libressl-devel for version 2.3.1 - Repository copy of security/libressl [1] - Including corrections for CVE-2015-3194/3195 - Add support for multiple versions to bsd.openssl.mk - Add option to optionally install API man-pages [2] - Disable silent rules output Changes: - ftp://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.0-relnotes.txt - ftp://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.1-relnotes.txt PR: 201462 [2] Submitted by: adamw [2] Requested by: junovitch [1] Reviewed by: vsevolod (mentor, maintainer), koobs (mentor), feld (mentor) Approved by: koobs (mentor), feld (mentor), mat [1] (portmgr) Differential Revision: https://reviews.freebsd.org/D3585
svn path=/head/; revision=405278
2024-12-02 01:20:54 +00:00 · 2016-01-05 09:19:44 +00:00 · 2016-01-05 09:19:44 +00:00 · 9d3d2c0c9a · 2021-03-31 03:12:20 +00:00
commit 9d3d2c0c9a
parent fbd88d8a74
7 changed files with 1719 additions and 0 deletions
--- a/security/libressl-devel/Makefile
+++ b/security/libressl-devel/Makefile
@ -0,0 +1,44 @@
+# Created by: Bernard Spil <brnrd@FreeBSD.org>
+# $FreeBSD$
+
+PORTNAME=	libressl
+PORTVERSION=	2.3.1
+PORTREVISIION=	1
+CATEGORIES=	security devel
+MASTER_SITES=	OPENBSD/LibreSSL
+PKGNAMESUFFIX=	-devel
+
+MAINTAINER=	brnrd@FreeBSD.org
+COMMENT=	Free version of the SSL/TLS protocol forked from OpenSSL
+
+LICENSE=	BSD4CLAUSE
+LICENSE_FILE=	${WRKSRC}/COPYING
+
+CPE_VENDOR=	openbsd
+
+OPTIONS_DEFINE=	MAN3 NC
+OPTIONS_DEFAULT=	MAN3 NC
+MAN3_DESC=	Install API manpages (section 3)
+NC_DESC=	Build nc libtls demo application
+
+CONFLICTS?=	openssl-[0-9]* \
+		libressl-[0-9]*
+
+GNU_CONFIGURE=	yes
+CONFIGURE_ARGS=	--enable-silent-rules
+USES=		cpe libtool pathfix pkgconfig
+USE_LDCONFIG=	yes
+OPTIONS_SUB=	yes
+
+INSTALL_TARGET=	install-strip
+TEST_TARGET=	check
+
+post-stage-NC-on:
+	${INSTALL_PROGRAM} ${WRKSRC}/apps/nc/.libs/nc ${STAGEDIR}/${PREFIX}/bin/nc
+	${INSTALL_MAN} ${WRKSRC}/apps/nc/nc.1 ${STAGEDIR}/${PREFIX}/man/man1/nc.1
+
+post-install-MAN3-off:
+	${RM} -rf ${STAGEDIR}/${PREFIX}/man/man3
+	${REINPLACE_CMD} -e '/^man\/man3/d' ${TMPPLIST}
+
+.include <bsd.port.mk>
--- a/security/libressl-devel/distinfo
+++ b/security/libressl-devel/distinfo
@ -0,0 +1,2 @@
+SHA256 (libressl-2.3.1.tar.gz) = 410b58db4ebbcab43c3357612e591094f64fb9339269caa2e68728e36f8d589e
+SIZE (libressl-2.3.1.tar.gz) = 3014881
--- a/security/libressl-devel/files/patch-crypto_asn1_tasn__dec.c
+++ b/security/libressl-devel/files/patch-crypto_asn1_tasn__dec.c
@ -0,0 +1,49 @@
+From 9900c16beb14eb3bfc8f4d8c6191e6e1a271c861 Mon Sep 17 00:00:00 2001
+From: beck <>
+Date: Fri, 4 Dec 2015 04:19:25 +0000
+Subject: [PATCH] Fix for OpenSSL CVE-2015-3195 ok djm@ jsing@
+
+---
+ src/lib/libssl/src/crypto/asn1/tasn_dec.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c
+index e50ec0a..0a6eaf2 100644
+--- crypto/asn1/tasn_dec.c
+++ crypto/asn1/tasn_dec.c
+@@ -1,4 +1,4 @@
+-/* $OpenBSD: tasn_dec.c,v 1.26 2015/03/19 14:00:22 tedu Exp $ */
+/* $OpenBSD: tasn_dec.c,v 1.27 2015/07/20 15:41:48 miod Exp $ */
+ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+  * project 2000.
+  */
+@@ -166,6 +166,10 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ 	int otag;
+ 	int ret = 0;
+ 	ASN1_VALUE **pchptr;
+	int combine;
+
+	combine = aclass & ASN1_TFLG_COMBINE;
+	aclass &= ~ASN1_TFLG_COMBINE;
+ 
+ 	if (!pval)
+ 		return 0;
+@@ -447,7 +451,8 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+ auxerr:
+ 	ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+ err:
+-	ASN1_item_ex_free(pval, it);
+	if (combine == 0)
+		ASN1_item_ex_free(pval, it);
+ 	if (errtt)
+ 		ERR_asprintf_error_data("Field=%s, Type=%s", errtt->field_name,
+ 		    it->sname);
+@@ -642,7 +647,7 @@ asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len,
+ 	} else {
+ 		/* Nothing special */
+ 		ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+-		    -1, 0, opt, ctx);
+		    -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+ 		if (!ret) {
+ 			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+ 			    ERR_R_NESTED_ASN1_ERROR);
--- a/security/libressl-devel/files/patch-crypto_rsa_rsa__ameth.c
+++ b/security/libressl-devel/files/patch-crypto_rsa_rsa__ameth.c
@ -0,0 +1,35 @@
+untrusted comment: signature from openbsd 5.8 base secret key
+RWQNNZXtC/MqP8u13/pPZfTpPeHhU93PG0DBihXvQ7lB0CvONLwoTfHr9f40s515bidPGcGLAH4xu+yz3skT6b3tKETEWZw8BgA=
+
+OpenBSD 5.8 errata 9, Dec 3, 2015:
+
+CVE-2015-3194 - NULL pointer dereference in client certificate validation
+
+Apply by doing:
+    signify -Vep /etc/signify/openbsd-58-base.pub -x 009_clientcert.patch.sig \
+        -m - | (cd /usr/src && patch -p0)
+
+And then rebuild and install libcrypto:
+    cd /usr/src/lib/libcrypto
+    make obj
+    make depend
+    make
+    make install
+
+Index: crypto/rsa/rsa_ameth.c
+===================================================================
+RCS file: /cvs/src/lib/libssl/src/crypto/rsa/rsa_ameth.c,v
+retrieving revision 1.14
+retrieving revision 1.14.6.1
+diff -u -p -u -p -r1.14 -r1.14.6.1
+--- crypto/rsa/rsa_ameth.c	11 Feb 2015 04:05:14 -0000	1.14
+++ crypto/rsa/rsa_ameth.c	4 Dec 2015 04:13:43 -0000	1.14.6.1
+@@ -298,7 +298,7 @@ rsa_pss_decode(const X509_ALGOR *alg, X5
+ 	if (pss->maskGenAlgorithm) {
+ 		ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
+ 		if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 &&
+-		    param->type == V_ASN1_SEQUENCE) {
+		    param && param->type == V_ASN1_SEQUENCE) {
+ 			p = param->value.sequence->data;
+ 			plen = param->value.sequence->length;
+ 			*pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
--- a/security/libressl-devel/files/patch-include_openssl_opensslv.h
+++ b/security/libressl-devel/files/patch-include_openssl_opensslv.h
@ -0,0 +1,16 @@
+Many applications use checking of OPENSSL_VERSION to detect if
+a feature is available and thus fail to build when the version
+is set to 0x20000000L. This fixes the OPENSSL_VERSION to the
+time at which LibreSSL forked.
+
+--- include/openssl/opensslv.h.orig	2015-09-11 22:35:14 UTC
+++ include/openssl/opensslv.h
+@@ -7,7 +7,7 @@
+ #define LIBRESSL_VERSION_TEXT	"LibreSSL 2.3.0"
+ 
+ /* These will never change */
+-#define OPENSSL_VERSION_NUMBER	0x20000000L
+#define OPENSSL_VERSION_NUMBER	0x1000107fL
+ #define OPENSSL_VERSION_TEXT	LIBRESSL_VERSION_TEXT
+ #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
+ 
--- a/security/libressl-devel/pkg-descr
+++ b/security/libressl-devel/pkg-descr
@ -0,0 +1,11 @@
+LibreSSL is an open-source implementation of the Secure Sockets Layer (SSL) and
+Transport Layer Security (TLS) protocols. It was forked from the OpenSSL
+cryptographic software library in April 2014 as a response by OpenBSD
+developers to the Heartbleed security vulnerability in OpenSSL,
+with the aim of refactoring the OpenSSL code so as to provide a more secure
+implementation.
+
+LibreSSL was forked from the OpenSSL library starting with the 1.0.1g branch
+and will follow the security guidelines used elsewhere in the OpenBSD project.
+
+WWW: http://www.libressl.org/
--- a/security/libressl-devel/pkg-plist
+++ b/security/libressl-devel/pkg-plist