diff options
author | Bernard Spil <brnrd@FreeBSD.org> | 2016-09-23 13:00:07 +0000 |
---|---|---|
committer | Bernard Spil <brnrd@FreeBSD.org> | 2016-09-23 13:00:07 +0000 |
commit | 1cfcb859a27d811dc9abc81a0492a7436a4f806d (patch) | |
tree | e29aff3fcac6e8d9f4f98eb62f946c3ca86b4ab4 | |
parent | 000b52cdd424e082ff2c2c9089451ea588603f85 (diff) | |
download | ports-1cfcb859a27d811dc9abc81a0492a7436a4f806d.tar.gz ports-1cfcb859a27d811dc9abc81a0492a7436a4f806d.zip |
MFH: r422668
security/openssl: Update to 1.0.2i
- Update to 1.0.2i
- Move from PORTREVISION to PORTVERSION updates
- Remove patches that are included upstream
Reviewed by: mat, delphij
Sponsored by: EuroBSDcon 2016 DevSummit
Differential Revision: D8006
Approved by: ports-secteam (delphij)
Notes
Notes:
svn path=/branches/2016Q3/; revision=422669
-rw-r--r-- | security/openssl/Makefile | 6 | ||||
-rw-r--r-- | security/openssl/distinfo | 21 | ||||
-rw-r--r-- | security/openssl/files/patch-dsa_ossl.c | 35 | ||||
-rw-r--r-- | security/openssl/files/patch-s3_srvr.c | 66 | ||||
-rw-r--r-- | security/openssl/files/patch-ssl_sess.c | 13 | ||||
-rw-r--r-- | security/openssl/files/patch-t1_lib.c | 163 |
6 files changed, 13 insertions, 291 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile index ccf6c51209fd..119f1bbb711d 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -2,9 +2,8 @@ # $FreeBSD$ PORTNAME= openssl -PORTVERSION= 1.0.2 -DISTVERSIONSUFFIX= h -PORTREVISION= 14 +PORTVERSION= 1.0.2i +PORTEPOCH= 1 CATEGORIES= security devel MASTER_SITES= http://www.openssl.org/source/ \ ftp://ftp.openssl.org/source/ \ @@ -182,7 +181,6 @@ pre-everything:: @${ECHO_CMD} "# please use DEFAULT_VERSIONS+= ssl=base instead." @${ECHO_CMD} "#" @${FALSE} - .endif post-patch: diff --git a/security/openssl/distinfo b/security/openssl/distinfo index 2a650f5a6f04..749c6789ba4e 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo @@ -1,10 +1,11 @@ -SHA256 (openssl-1.0.2h/openssl-1.0.2h.tar.gz) = 1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919 -SIZE (openssl-1.0.2h/openssl-1.0.2h.tar.gz) = 5274412 -SHA256 (openssl-1.0.2h/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7 -SIZE (openssl-1.0.2h/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 3717 -SHA256 (openssl-1.0.2h/1002-backport-changes-from-upstream-padlock-module.patch) = aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260 -SIZE (openssl-1.0.2h/1002-backport-changes-from-upstream-padlock-module.patch) = 5770 -SHA256 (openssl-1.0.2h/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea -SIZE (openssl-1.0.2h/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = 20935 -SHA256 (openssl-1.0.2h/1004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 97eb4411d0fc0890e94bc7c2d682f68b71135da782af769ca73914b37da2b1fd -SIZE (openssl-1.0.2h/1004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 832 +TIMESTAMP = 1474552146 +SHA256 (openssl-1.0.2i/openssl-1.0.2i.tar.gz) = 9287487d11c9545b6efb287cdb70535d4e9b284dd10d51441d9b9963d000de6f +SIZE (openssl-1.0.2i/openssl-1.0.2i.tar.gz) = 5308232 +SHA256 (openssl-1.0.2i/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 2eddcb7ab342285cb637ce6b6be143cca835f449f35dd9bb8c7b9167ba2117a7 +SIZE (openssl-1.0.2i/1001-crypto-hmac-support-EVP_MD_CTX_FLAG_ONESHOT-and-set-.patch) = 3717 +SHA256 (openssl-1.0.2i/1002-backport-changes-from-upstream-padlock-module.patch) = aee88a24622ce9d71e38deeb874e58435dcf8ff5690f56194f0e4a00fb09b260 +SIZE (openssl-1.0.2i/1002-backport-changes-from-upstream-padlock-module.patch) = 5770 +SHA256 (openssl-1.0.2i/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = c10b8aaf56a4f4f79ca195fc587e0bb533f643e777d7a3e6fb0350399a6060ea +SIZE (openssl-1.0.2i/1003-engines-e_padlock-implement-sha1-sha224-sha256-accel.patch) = 20935 +SHA256 (openssl-1.0.2i/1004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 97eb4411d0fc0890e94bc7c2d682f68b71135da782af769ca73914b37da2b1fd +SIZE (openssl-1.0.2i/1004-crypto-engine-autoload-padlock-dynamic-engine.patch) = 832 diff --git a/security/openssl/files/patch-dsa_ossl.c b/security/openssl/files/patch-dsa_ossl.c deleted file mode 100644 index 5f282bd49634..000000000000 --- a/security/openssl/files/patch-dsa_ossl.c +++ /dev/null @@ -1,35 +0,0 @@ - -Fix DSA, preserve BN_FLG_CONSTTIME - -Operations in the DSA signing algorithm should run in constant time in -order to avoid side channel attacks. A flaw in the OpenSSL DSA -implementation means that a non-constant time codepath is followed for -certain operations. This has been demonstrated through a cache-timing -attack to be sufficient for an attacker to recover the private DSA key. - -CVE-2016-2178 - ---- crypto/dsa/dsa_ossl.c.orig 2016-05-03 15:44:42.000000000 +0200 -+++ crypto/dsa/dsa_ossl.c 2016-06-12 22:57:49.000000000 +0200 -@@ -248,9 +248,6 @@ - if (!BN_rand_range(&k, dsa->q)) - goto err; - while (BN_is_zero(&k)) ; -- if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { -- BN_set_flags(&k, BN_FLG_CONSTTIME); -- } - - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { - if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, -@@ -282,6 +279,11 @@ - } else { - K = &k; - } -+ -+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) { -+ BN_set_flags(&k, BN_FLG_CONSTTIME); -+ } -+ - DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx, - dsa->method_mont_p); - if (!BN_mod(r, r, dsa->q, ctx)) diff --git a/security/openssl/files/patch-s3_srvr.c b/security/openssl/files/patch-s3_srvr.c deleted file mode 100644 index b7ca8069688b..000000000000 --- a/security/openssl/files/patch-s3_srvr.c +++ /dev/null @@ -1,66 +0,0 @@ -CVE-2016-2177 - ---- ssl/s3_srvr.c.orig -+++ ssl/s3_srvr.c -@@ -980,7 +980,7 @@ int ssl3_get_client_hello(SSL *s) - - session_length = *(p + SSL3_RANDOM_SIZE); - -- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { -+ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -998,7 +998,7 @@ int ssl3_get_client_hello(SSL *s) - /* get the session-id */ - j = *(p++); - -- if (p + j > d + n) { -+ if ((d + n) - p < j) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1054,14 +1054,14 @@ int ssl3_get_client_hello(SSL *s) - - if (SSL_IS_DTLS(s)) { - /* cookie stuff */ -- if (p + 1 > d + n) { -+ if ((d + n) - p < 1) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; - } - cookie_len = *(p++); - -- if (p + cookie_len > d + n) { -+ if ((d + n ) - p < cookie_len) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1131,7 +1131,7 @@ int ssl3_get_client_hello(SSL *s) - } - } - -- if (p + 2 > d + n) { -+ if ((d + n ) - p < 2) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); - goto f_err; -@@ -1145,7 +1145,7 @@ int ssl3_get_client_hello(SSL *s) - } - - /* i bytes of cipher data + 1 byte for compression length later */ -- if ((p + i + 1) > (d + n)) { -+ if ((d + n) - p < i + 1) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); -@@ -1211,7 +1211,7 @@ int ssl3_get_client_hello(SSL *s) - - /* compression */ - i = *(p++); -- if ((p + i) > (d + n)) { -+ if ((d + n) - p < i) { - /* not enough data */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); diff --git a/security/openssl/files/patch-ssl_sess.c b/security/openssl/files/patch-ssl_sess.c deleted file mode 100644 index 321ef62e2aee..000000000000 --- a/security/openssl/files/patch-ssl_sess.c +++ /dev/null @@ -1,13 +0,0 @@ -CVE-2016-2177 - ---- ssl/ssl_sess.c.orig -+++ ssl/ssl_sess.c -@@ -573,7 +573,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, - int r; - #endif - -- if (session_id + len > limit) { -+ if (limit - session_id < len) { - fatal = 1; - goto err; - } diff --git a/security/openssl/files/patch-t1_lib.c b/security/openssl/files/patch-t1_lib.c deleted file mode 100644 index b9ef5c35c920..000000000000 --- a/security/openssl/files/patch-t1_lib.c +++ /dev/null @@ -1,163 +0,0 @@ -CVE-2016-2177 - ---- ssl/t1_lib.c.orig -+++ ssl/t1_lib.c -@@ -1867,11 +1867,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - 0x02, 0x03, /* SHA-1/ECDSA */ - }; - -- if (data >= (limit - 2)) -+ if (limit - data <= 2) - return; - data += 2; - -- if (data > (limit - 4)) -+ if (limit - data < 4) - return; - n2s(data, type); - n2s(data, size); -@@ -1879,7 +1879,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - if (type != TLSEXT_TYPE_server_name) - return; - -- if (data + size > limit) -+ if (limit - data < size) - return; - data += size; - -@@ -1887,7 +1887,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - const size_t len1 = sizeof(kSafariExtensionsBlock); - const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock); - -- if (data + len1 + len2 != limit) -+ if (limit - data != (int)(len1 + len2)) - return; - if (memcmp(data, kSafariExtensionsBlock, len1) != 0) - return; -@@ -1896,7 +1896,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data, - } else { - const size_t len = sizeof(kSafariExtensionsBlock); - -- if (data + len != limit) -+ if (limit - data != (int)(len)) - return; - if (memcmp(data, kSafariExtensionsBlock, len) != 0) - return; -@@ -2053,19 +2053,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p, - if (data == limit) - goto ri_check; - -- if (data > (limit - 2)) -+ if (limit - data < 2) - goto err; - - n2s(data, len); - -- if (data + len != limit) -+ if (limit - data != len) - goto err; - -- while (data <= (limit - 4)) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (limit)) -+ if (limit - data < size) - goto err; - # if 0 - fprintf(stderr, "Received extension type %d size %d\n", type, size); -@@ -2472,18 +2472,18 @@ static int ssl_scan_clienthello_custom_tlsext(SSL *s, - if (s->hit || s->cert->srv_ext.meths_count == 0) - return 1; - -- if (data >= limit - 2) -+ if (limit - data <= 2) - return 1; - n2s(data, len); - -- if (data > limit - len) -+ if (limit - data < len) - return 1; - -- while (data <= limit - 4) { -+ while (limit - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > limit) -+ if (limit - data < size) - return 1; - if (custom_ext_parse(s, 1 /* server */ , type, data, size, al) <= 0) - return 0; -@@ -2569,20 +2569,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p, - SSL_TLSEXT_HB_DONT_SEND_REQUESTS); - # endif - -- if (data >= (d + n - 2)) -+ if ((d + n) - data <= 2) - goto ri_check; - - n2s(data, length); -- if (data + length != d + n) { -+ if ((d + n) - data != length) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - -- while (data <= (d + n - 4)) { -+ while ((d + n) - data >= 4) { - n2s(data, type); - n2s(data, size); - -- if (data + size > (d + n)) -+ if ((d + n) - data < size) - goto ri_check; - - if (s->tlsext_debug_cb) -@@ -3307,29 +3307,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len, - /* Skip past DTLS cookie */ - if (SSL_IS_DTLS(s)) { - i = *(p++); -- p += i; -- if (p >= limit) -+ -+ if (limit - p <= i) - return -1; -+ -+ p += i; - } - /* Skip past cipher list */ - n2s(p, i); -- p += i; -- if (p >= limit) -+ if (limit - p <= i) - return -1; -+ p += i; -+ - /* Skip past compression algorithm list */ - i = *(p++); -- p += i; -- if (p > limit) -+ if (limit - p < i) - return -1; -+ p += i; -+ - /* Now at start of extensions */ -- if ((p + 2) >= limit) -+ if (limit - p <= 2) - return 0; - n2s(p, i); -- while ((p + 4) <= limit) { -+ while (limit - p >= 4) { - unsigned short type, size; - n2s(p, type); - n2s(p, size); -- if (p + size > limit) -+ if (limit - p < size) - return 0; - if (type == TLSEXT_TYPE_session_ticket) { - int r; --- -1.9.1 - |