
security/libressl update to 2.2.0
ClosedPublic

Authored by brnrd on Jun 10 2015, 11:48 AM.

Details

Reviewers
vsevolod
koobs
Summary

OpenBSD released LibreSSL 2.2.0 in line with their latest version, OpenBSD 5.7

Proposed commit log:

security/libressl: Update to 2.2.0

  - Update to 2.2.0
  - Remove opensslfeatures.h patch (included upstream)
  - Add pkg-plist (mainly documentation)
  - Bump libcrypto SHLIB version in Mk/bsd.openssl.mk

Changes: 

  http://marc.info/?l=openbsd-announce&m=143404058913441

Reviewed_by:	vsevolod, koobs
Approved by:	(vsevolod|koobs) (mentor(s))
Security:	8305e215-1080-11e5-8ba2-000c2980a9f3
MFH:		2015Q2
Test Plan
  • portlint (no change)
WARN: Makefile: for new port, make $FreeBSD$ tag in comment section empty, to make SVN happy.
WARN: Conflict "openssl-*" specified too broad. You should end it with a version number fragment (-[0-9]*).
0 fatal errors and 2 warnings found.
  • testport (OK{F157149})
  • poudriere bulk (110 ports rebuilt OK)
  • Apache (OK AH00489: Apache/2.4.12 (FreeBSD) LibreSSL/2.2.0 configured -- resuming normal operations)
  • OpenSSH (OK /usr/local/bin/ssh -V -> OpenSSH_6.8p1, LibreSSL 2.2.0)

Diff Detail

Repository
rP FreeBSD ports repository

Event Timeline

brnrd retitled this revision to "security/libressl update to 2.2.0". Jun 10 2015, 11:48 AM
brnrd updated this object.
brnrd edited the test plan for this revision.
brnrd added reviewers: vsevolod, koobs.
brnrd updated this revision to Diff 6071.
brnrd updated this object. Jun 10 2015, 11:50 AM
brnrd edited edge metadata.
vsevolod edited edge metadata. Jun 10 2015, 12:10 PM

Do you plan to make an update when they'll release the final version or to commit this one?

brnrd added a comment. Jun 10 2015, 6:17 PM

Do you plan to make an update when they'll release the final version or to commit this one?

Absolutely! Just eliciting early feedback.

brnrd added a comment. Jun 10 2015, 6:43 PM

Poudriere build log

% portlint -AC
WARN: Makefile: for new port, make $FreeBSD$ tag in comment section empty, to make SVN happy.
WARN: Conflict "openssl-*" specified too broad. You should end it with a version number fragment (-[0-9]*).
0 fatal errors and 2 warnings found.

koobs edited edge metadata. Jun 11 2015, 3:44 AM

@brnrd

  • Include QA logs links or attachments in the revision TEST PLAN section. It's hard to find them or they might be missed in the comment section.
  • Format your revision SUMMARY correctly as per the proposed commit log convention described in your wiki page
  • Only include port changes in the itemized changes section of the commit log. No need to include itemized "upstream" changes. Msg me on IRC if this is unclear.

Otherwise the changes look good.

security/libressl/Makefile, line 12:

Is there a LICENSE_FILE in WRKSRC?

brnrd edited edge metadata. Jun 11 2015, 7:47 PM
brnrd updated this revision to Diff 6116.

Update patch for release of LibreSSL 2.2.0

This includes fixes for the following CVEs:

  • CVE-2015-1788 - Malformed ECParameters causes infinite loop
  • CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
  • CVE-2015-1792 - CMS verify infinite loop with unknown hash function
brnrd updated this object. Jun 11 2015, 8:05 PM
zi added a subscriber: zi. Jun 12 2015, 2:25 AM

Port updated to 2.1.7 to address the CVEs. This also keeps us on their 'stable' branch.

2.2.0 is their development branch.

brnrd added a comment. Jun 12 2015, 6:11 AM
In D2770#53409, @zi wrote:

Port updated to 2.1.7 to address the CVEs. This also keeps us on their 'stable' branch.
2.2.0 is their development branch.

2.2.0 is a release as far as I've been able to establish.
http://www.libressl.org/ -> LibreSSL 2.2.0 released June 11, 2015

https://github.com/libressl-portable/portable/blob/master/ChangeLog does not even list 2.1.7

brnrd updated this object. Jun 12 2015, 7:11 AM
brnrd edited the test plan for this revision.
koobs edited edge metadata. Jun 12 2015, 8:03 AM
koobs requested changes to this revision.

I'm happy to approve this change pending output of the test suite (make test)

This revision now requires changes to proceed. Jun 12 2015, 8:03 AM
zi added a comment. Jun 12 2015, 10:26 AM

"The latest OpenBSD-stable release is 2.1.7. The latest OpenBSD-current release is 2.2.0. "

brnrd added a comment. (Edited) Jun 13 2015, 10:04 AM
In D2770#53439, @koobs wrote:

I'm happy to approve this change pending output of the test suite (make test)

One test failing: biotest.
Looks like FreeBSD's inet_pton behaves differently from OpenBSD's.
This test was added to 2.2.0-portable, does not exist in the 2.1.x tarballs.
Reported upstream

PASS: aeadtest.sh
PASS: aes_wrap
PASS: arc4randomforktest.sh
PASS: asn1test
PASS: base64test
PASS: bftest
FAIL: biotest
PASS: bntest
PASS: bytestringtest
PASS: casttest
PASS: chachatest
PASS: cipherstest
PASS: cts128test
PASS: destest
PASS: dhtest
PASS: dsatest
PASS: ecdhtest
PASS: ecdsatest
PASS: ectest
PASS: enginetest
PASS: evptest.sh
PASS: explicit_bzero
PASS: exptest
PASS: gcm128test
PASS: gost2814789t
PASS: hmactest
PASS: ideatest
PASS: igetest
PASS: md4test
PASS: md5test
PASS: mdc2test
PASS: mont
PASS: optionstest
PASS: pbkdf2
PASS: pidwraptest
PASS: pkcs7test
PASS: poly1305test
PASS: pq_test.sh
PASS: randtest
PASS: rc2test
PASS: rc4test
PASS: rmdtest
PASS: sha1test
PASS: sha256test
PASS: sha512test
PASS: shatest
PASS: ssltest.sh
PASS: testdsa.sh
PASS: testenc.sh
PASS: testrsa.sh
PASS: timingsafe
PASS: utf8test
========================
Testsuite summary for libressl 2.2.0
========================
# TOTAL: 52
# PASS:  51
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

biotest.log

FAIL: test 2 ("1") success, want failure
FAIL: test 3 ("1.2") success, want failure
FAIL: test 4 ("1.2.3") success, want failure
FAIL: test 13 ("0xff.0xff.0xff.0xff") success, want failure
FAIL biotest (exit status: 1)

Feedback from upstream (busterb/Brent Cook):

True. IIRC the results vary over other OSes as well, which is why LibreSSL portable does not enable this test by default. I've thought about including the OpenBSD inet_pton in the compat layer for the sake of consistency.
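The four biotest failures above have one thing in common: each input ("1", "1.2", "1.2.3", "0xff.0xff.0xff.0xff") is a string that the classic BSD inet_aton(3) grammar accepts (one to four parts, hex and octal allowed) while the test expects it to be rejected as an IPv4 address. Which behaviour an address check gets therefore depends on which parser the platform supplies, and a filter that accepts what the resolver accepts but interprets it differently can be bypassed. The program below is an added example written for this page, not code from LibreSSL, the biotest, or the FreeBSD port: it implements a strict dotted-decimal parser (the name parse_ipv4_strict and the wrappers are my own) and runs it side by side with the system inet_aton() on the four strings from the log plus a few constructed extras. It does not reproduce how BIO_get_host_ip() or the upstream test parse addresses.

```c
#define _DEFAULT_SOURCE 1      /* expose inet_aton() on glibc/musl */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <stdint.h>
#include <stdio.h>

/* Strict dotted-decimal IPv4 parser (example code, not LibreSSL's): exactly
 * four octets, each 1-3 decimal digits in 0..255, no leading zeros, no hex,
 * no whitespace, no trailing garbage. On success stores the address in host
 * byte order in *out and returns 1; otherwise returns 0. */
int parse_ipv4_strict(const char *s, uint32_t *out)
{
    uint32_t addr = 0;
    int octets = 0;

    if (s == NULL || *s == '\0')
        return 0;
    for (;;) {
        unsigned val = 0;
        int ndigits = 0;

        while (*s >= '0' && *s <= '9') {
            if (ndigits == 1 && val == 0)  /* "0" followed by a digit: "01", "010" */
                return 0;
            val = val * 10 + (unsigned)(*s - '0');
            if (++ndigits > 3 || val > 255)
                return 0;
            s++;
        }
        if (ndigits == 0)                  /* empty octet: ".1", "1..2", "1.2.3." */
            return 0;
        addr = (addr << 8) | val;
        octets++;
        if (*s == '\0')
            break;
        if (*s != '.' || octets == 4)      /* "0xff...", trailing junk, fifth octet */
            return 0;
        s++;
    }
    if (octets != 4)                       /* "1", "1.2", "1.2.3" */
        return 0;
    if (out != NULL)
        *out = addr;
    return 1;
}

/* Verdict-only wrappers so the two parsers can be compared table-style. */
int strict_accepts(const char *s)   { return parse_ipv4_strict(s, NULL); }
uint32_t strict_value(const char *s) { uint32_t v; return parse_ipv4_strict(s, &v) ? v : 0; }

/* The lenient side: the platform inet_aton(), which accepts a, a.b, a.b.c and
 * a.b.c.d forms with decimal, octal (leading 0) and hex (0x) parts. */
int lenient_accepts(const char *s)
{
    struct in_addr a;
    return inet_aton(s, &a) != 0;
}
uint32_t lenient_value(const char *s)   /* host byte order, 0 if rejected */
{
    struct in_addr a;
    return inet_aton(s, &a) ? ntohl(a.s_addr) : 0;
}

int main(void)
{
    /* Constructed inputs: the four strings from the biotest failures, plus
     * extra forms showing how inet_aton reinterprets octal and short forms. */
    static const char *const inputs[] = {
        "1", "1.2", "1.2.3", "0xff.0xff.0xff.0xff",
        "1.2.3.4", "0x7f.1", "010.0.0.1", "256.1.1.1", "1.2.3.4.5"
    };
    size_t i;

    printf("%-22s %-7s %-9s %s\n", "input", "strict", "inet_aton", "inet_aton reads it as");
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int lenient = lenient_accepts(inputs[i]);
        uint32_t v = lenient_value(inputs[i]);
        printf("%-22s %-7s %-9s ", inputs[i],
               strict_accepts(inputs[i]) ? "accept" : "reject",
               lenient ? "accept" : "reject");
        if (lenient)
            printf("%u.%u.%u.%u\n", v >> 24, (v >> 16) & 0xff, (v >> 8) & 0xff, v & 0xff);
        else
            printf("-\n");
    }
    return 0;
}
```

The rows to look at are "0x7f.1" and "010.0.0.1": the strict parser rejects both, while inet_aton turns them into 127.0.0.1 and 8.0.0.1. A host check that validates addresses with one grammar and connects with the other can be talked into reaching loopback or an unintended network, which is why a test suite that pins down exactly which strings count as addresses is worth having even when it exposes platform differences like the one reported above.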

koobs edited edge metadata. Jun 14 2015, 1:33 AM
koobs accepted this revision.

LGTM, Approved.

Pending @vsevolod's approval since he is maintainer.

brnrd added a comment. Jun 14 2015, 8:55 AM

Shouldn't this have a

MFH: 2015Q2

In the commit-log so it will be merged with quarterly? This fixes some security vulnerabilities.

koobs added a comment. Jun 14 2015, 9:13 AM

Yes

In D2770#53938, @brnrd wrote:

Shouldn't this have a

MFH: 2015Q2

In the commit-log so it will be merged with quarterly? This fixes some security vulnerabilities.

Yes :)

brnrd updated this object. Jun 14 2015, 10:37 AM
brnrd edited edge metadata.
brnrd updated this object. Jun 14 2015, 11:24 AM
brnrd edited edge metadata. Jun 14 2015, 11:25 AM
brnrd updated this object.
brnrd updated this revision to Diff 6186.

Refresh patch against head (updated to 2.1.7)

mat removed a reviewer: portmgr. Jun 14 2015, 11:59 AM
vsevolod edited edge metadata. Jun 14 2015, 12:57 PM
vsevolod accepted this revision.

Looks good to me.

This revision is now accepted and ready to land. Jun 14 2015, 12:57 PM