diff --git a/security/openssl/Makefile b/security/openssl/Makefile index d0ffd1cac2a2..886026009708 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -1,170 +1,169 @@ PORTNAME= openssl -PORTVERSION= 1.1.1u -PORTREVISION= 1 +PORTVERSION= 1.1.1v PORTEPOCH= 1 CATEGORIES= security devel MASTER_SITES= https://www.openssl.org/source/ \ ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/ MAINTAINER= brnrd@FreeBSD.org COMMENT= TLSv1.3 capable SSL and crypto library WWW= https://www.openssl.org/ LICENSE= OpenSSL LICENSE_FILE= ${WRKSRC}/LICENSE CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl3[01] openssl-quictls HAS_CONFIGURE= yes CONFIGURE_SCRIPT= config CONFIGURE_ENV= PERL="${PERL}" CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \ --prefix=${PREFIX} USES= cpe perl5 USE_PERL5= build TEST_TARGET= test LDFLAGS_i386= -Wl,-znotext MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}" MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS= OPTIONS_GROUP= CIPHERS HASHES OPTIMIZE PROTOCOLS OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 WEAK-SSL-CIPHERS OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3 OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS OPTIONS_DEFINE_i386= I386 OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1 TLS1_2 OPTIONS_DEFINE= ASYNC CRYPTODEV CT KTLS MAN3 RFC3779 SHARED ZLIB OPTIONS_DEFAULT=ASM ASYNC CT GOST DES EC KTLS MAN3 MD4 NEXTPROTONEG RC2 \ RC4 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1 TLS1_2 OPTIONS_EXCLUDE=${${OSVERSION} < 1300042:?KTLS:} \ ${${OSVERSION} > 1300000:?CRYPTODEV:} OPTIONS_GROUP_OPTIMIZE_amd64= EC .if ${MACHINE_ARCH} == "amd64" OPTIONS_GROUP_OPTIMIZE+= EC .elif ${MACHINE_ARCH} == "mips64el" OPTIONS_GROUP_OPTIMIZE+= EC .endif OPTIONS_SUB= yes ARIA_DESC= ARIA (South Korean standard) ASM_DESC= Assembler code ASYNC_DESC= Asynchronous mode CIPHERS_DESC= Block Cipher Support CRYPTODEV_DESC= /dev/crypto support CT_DESC= Certificate Transparency Support DES_DESC= (Triple) Data Encryption Standard EC_DESC= Optimize NIST elliptic curves GOST_DESC= GOST (Russian standard) HASHES_DESC= Hash Function Support I386_DESC= i386 (instead of i486+) IDEA_DESC= International Data Encryption Algorithm KTLS_DESC= Kernel TLS offload MAN3_DESC= Install API manpages (section 3, 7) MD2_DESC= MD2 (obsolete) MD4_DESC= MD4 (unsafe) MDC2_DESC= MDC-2 (patented, requires DES) NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY) OPTIMIZE_DESC= Optimizations PROTOCOLS_DESC= Protocol Support RC2_DESC= RC2 (unsafe) RC4_DESC= RC4 (unsafe) RC5_DESC= RC5 (patented) RMD160_DESC= RIPEMD-160 RFC3779_DESC= RFC3779 support (BGP) SCTP_DESC= SCTP (Stream Control Transmission) SHARED_DESC= Build shared libraries SM2_DESC= SM2 Elliptic Curve DH (Chinese standard) SM3_DESC= SM3 256bit (Chinese standard) SM4_DESC= SM4 128bit (Chinese standard) SSE2_DESC= Runtime SSE2 detection SSL3_DESC= SSLv3 (unsafe) TLS1_DESC= TLSv1.0 (requires TLS1_1, TLS1_2) TLS1_1_DESC= TLSv1.1 (requires TLS1_2) TLS1_2_DESC= TLSv1.2 WEAK-SSL-CIPHERS_DESC= Weak cipher support (unsafe) # Upstream default disabled options .for _option in ktls md2 rc5 sctp ssl3 zlib weak-ssl-ciphers ${_option:tu}_CONFIGURE_ON= enable-${_option} .endfor # Upstream default enabled options .for _option in aria asm async ct des gost idea md4 mdc2 nextprotoneg rc2 rc4 \ rfc3779 rmd160 shared sm2 sm3 sm4 sse2 threads tls1 tls1_1 tls1_2 ${_option:tu}_CONFIGURE_OFF= no-${_option} .endfor MDC2_IMPLIES= DES TLS1_IMPLIES= TLS1_1 TLS1_1_IMPLIES= TLS1_2 EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128 I386_CONFIGURE_ON= 386 KTLS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ktls MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_process__docs.pl SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER} SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER} SHARED_USE= ldconfig=yes SSL3_CONFIGURE_ON+= enable-ssl3-method ZLIB_CONFIGURE_ON= zlib-dynamic .include .if ${PREFIX} == /usr IGNORE= the OpenSSL port can not be installed over the base version .endif .if ${OPSYS} == FreeBSD && ${OSVERSION} < 1300000 && !${PORT_OPTIONS:MCRYPTODEV} CONFIGURE_ARGS+= no-devcryptoeng .endif OPENSSLDIR?= ${PREFIX}/openssl PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==} .include "version.mk" .if ${PORT_OPTIONS:MASM} BROKEN_sparc64= option ASM generates illegal instructions .endif post-patch: ${REINPLACE_CMD} \ -e 's|^MANDIR=.*$$|MANDIR=$$(INSTALLTOP)/man|' \ -e 's| install_html_docs$$||' \ -e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \ ${WRKSRC}/Configurations/unix-Makefile.tmpl ${REINPLACE_CMD} -e 's|\^GNU ld|GNU|' ${WRKSRC}/Configurations/shared-info.pl post-configure: ${REINPLACE_CMD} \ -e 's|SHLIB_VERSION_NUMBER=1.1|SHLIB_VERSION_NUMBER=${OPENSSL_SHLIBVER}|' \ ${WRKSRC}/Makefile ${REINPLACE_CMD} \ -e 's|SHLIB_VERSION_NUMBER "1.1"|SHLIB_VERSION_NUMBER "${OPENSSL_SHLIBVER}"|' \ ${WRKSRC}/include/openssl/opensslv.h post-install-SHARED-on: .for i in libcrypto libssl ${INSTALL_LIB} ${WRKSRC}/$i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/lib ${LN} -sf $i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/lib/$i.so .endfor .for i in capi padlock ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/engines-1.1/${i}.so .endfor post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl post-install-MAN3-on: ( cd ${STAGEDIR}/${PREFIX} ; ${FIND} man/man3 man/man7 -not -type d ) | \ ${SED} 's/$$/.gz/' >>${TMPPLIST} .include diff --git a/security/openssl/distinfo b/security/openssl/distinfo index a37ebb5597c4..f9b0843950cb 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1685529813 -SHA256 (openssl-1.1.1u.tar.gz) = e2f8d84b523eecd06c7be7626830370300fbcc15386bf5142d72758f6963ebc6 -SIZE (openssl-1.1.1u.tar.gz) = 9892176 +TIMESTAMP = 1691003970 +SHA256 (openssl-1.1.1v.tar.gz) = d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0 +SIZE (openssl-1.1.1v.tar.gz) = 9893443 diff --git a/security/openssl/files/patch-CVE-2023-3817 b/security/openssl/files/patch-CVE-2023-3817 deleted file mode 100644 index 3f1d5193c73f..000000000000 --- a/security/openssl/files/patch-CVE-2023-3817 +++ /dev/null @@ -1,55 +0,0 @@ -From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 21 Jul 2023 11:39:41 +0200 -Subject: [PATCH] DH_check(): Do not try checking q properties if it is - obviously invalid - -If |q| >= |p| then the q value is obviously wrong as q -is supposed to be a prime divisor of p-1. - -We check if p is overly large so this added test implies that -q is not large either when performing subsequent tests using that -q value. - -Otherwise if it is too large these additional checks of the q value -such as the primality test can then trigger DoS by doing overly long -computations. - -Fixes CVE-2023-3817 - -Reviewed-by: Paul Dale -Reviewed-by: Matt Caswell -(Merged from https://github.com/openssl/openssl/pull/21551) ---- - crypto/dh/dh_check.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 2001d2e7cb19..9ae96991eb4a 100644 ---- crypto/dh/dh_check.c.orig -+++ crypto/dh/dh_check.c -@@ -97,7 +97,7 @@ int DH_check_ex(const DH *dh) - - int DH_check(const DH *dh, int *ret) - { -- int ok = 0, r; -+ int ok = 0, r, q_good = 0; - BN_CTX *ctx = NULL; - BIGNUM *t1 = NULL, *t2 = NULL; - -@@ -120,7 +120,14 @@ int DH_check(const DH *dh, int *ret) - if (t2 == NULL) - goto err; - -- if (dh->q) { -+ if (dh->q != NULL) { -+ if (BN_ucmp(dh->p, dh->q) > 0) -+ q_good = 1; -+ else -+ *ret |= DH_CHECK_INVALID_Q_VALUE; -+ } -+ -+ if (q_good) { - if (BN_cmp(dh->g, BN_value_one()) <= 0) - *ret |= DH_NOT_SUITABLE_GENERATOR; - else if (BN_cmp(dh->g, dh->p) >= 0)