
security/libressl update to 2.2.0
ClosedPublic

Authored by brnrd on Jun 10 2015, 11:48 AM.
Details

Reviewers
vsevolod
koobs
Summary

OpenBSD released LibreSSL 2.2.0 in line with their latest version, OpenBSD 5.7.

Proposed commit log:

security/libressl: Update to 2.2.0

  - Update to 2.2.0
  - Remove opensslfeatures.h patch (included upstream)
  - Add pkg-plist (mainly documentation)
  - Bump libcrypto SHLIB version in Mk/bsd.openssl.mk

Changes: 

  http://marc.info/?l=openbsd-announce&m=143404058913441

Reviewed_by:	vsevolod, koobs
Approved by:	(vsevolod|koobs) (mentor(s))
Security:	8305e215-1080-11e5-8ba2-000c2980a9f3
MFH:		2015Q2
Test Plan
  • portlint (no change)
      WARN: Makefile: for new port, make $FreeBSD$ tag in comment section empty, to make SVN happy.
      WARN: Conflict "openssl-*" specified too broad. You should end it with a version number fragment (-[0-9]*).
      0 fatal errors and 2 warnings found.
  • testport (OK{F157149})
  • poudriere bulk (110 ports rebuilt OK)
  • Apache (OK AH00489: Apache/2.4.12 (FreeBSD) LibreSSL/2.2.0 configured -- resuming normal operations)
  • OpenSSH (OK /usr/local/bin/ssh -V -> OpenSSH_6.8p1, LibreSSL 2.2.0)

Diff Detail

Repository
rP FreeBSD ports repository

Event Timeline

brnrd retitled this revision from to security/libressl update to 2.2.0.
brnrd updated this object.
brnrd edited the test plan for this revision.
brnrd added reviewers: vsevolod, koobs.
brnrd edited edge metadata.
brnrd updated this object.

Do you plan to make an update when they'll release the final version or to commit this one?

Do you plan to make an update when they'll release the final version or to commit this one?

Absolutely! Just eliciting early feedback.

Poudriere build log

% portlint -AC
WARN: Makefile: for new port, make $FreeBSD$ tag in comment section empty, to make SVN happy.
WARN: Conflict "openssl-*" specified too broad. You should end it with a version number fragment (-[0-9]*).
0 fatal errors and 2 warnings found.

@brnrd

  • Include QA logs links or attachments in the revision TEST PLAN section. It's hard to find them or they might be missed in the comment section.
  • Format your revision SUMMARY correctly as per the proposed commit log convention described in your wiki page
  • Only include port changes in the itemized changes section of the commit log. No need to include itemized "upstream" changes. Msg me on IRC if this is unclear.

Otherwise the changes look good.

security/libressl/Makefile, line 12

Is there a LICENSE_FILE in WRKSRC?

brnrd edited edge metadata.

Update patch for release of LibreSSL 2.2.0

This includes fixes for the following CVEs:

  • CVE-2015-1788 - Malformed ECParameters causes infinite loop
  • CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
  • CVE-2015-1792 - CMS verify infinite loop with unknown hash function

Port updated to 2.1.7 to address the CVEs. This also keeps us on their 'stable' branch.

2.2.0 is their development branch.

In D2770#53409, @zi wrote:

Port updated to 2.1.7 to address the CVEs. This also keeps us on their 'stable' branch.

2.2.0 is their development branch.

2.2.0 is a release as far as I've been able to establish.
http://www.libressl.org/ -> LibreSSL 2.2.0 released June 11, 2015

https://github.com/libressl-portable/portable/blob/master/ChangeLog does not even list 2.1.7

brnrd edited the test plan for this revision.
brnrd updated this object.
koobs requested changes to this revision. Jun 12 2015, 8:03 AM
koobs edited edge metadata.

I'm happy to approve this change pending output of the test suite (make test)

This revision now requires changes to proceed. Jun 12 2015, 8:03 AM

"The latest OpenBSD-stable release is 2.1.7. The latest OpenBSD-current release is 2.2.0. "

In D2770#53439, @koobs wrote:

I'm happy to approve this change pending output of the test suite (make test)

One test failing: biotest.
Looks like FreeBSD's inet_pton behaves differently from OpenBSD's.
This test was added to 2.2.0-portable; it does not exist in the 2.1.x tarballs.
Reported upstream.

PASS: aeadtest.sh
PASS: aes_wrap
PASS: arc4randomforktest.sh
PASS: asn1test
PASS: base64test
PASS: bftest
FAIL: biotest
PASS: bntest
PASS: bytestringtest
PASS: casttest
PASS: chachatest
PASS: cipherstest
PASS: cts128test
PASS: destest
PASS: dhtest
PASS: dsatest
PASS: ecdhtest
PASS: ecdsatest
PASS: ectest
PASS: enginetest
PASS: evptest.sh
PASS: explicit_bzero
PASS: exptest
PASS: gcm128test
PASS: gost2814789t
PASS: hmactest
PASS: ideatest
PASS: igetest
PASS: md4test
PASS: md5test
PASS: mdc2test
PASS: mont
PASS: optionstest
PASS: pbkdf2
PASS: pidwraptest
PASS: pkcs7test
PASS: poly1305test
PASS: pq_test.sh
PASS: randtest
PASS: rc2test
PASS: rc4test
PASS: rmdtest
PASS: sha1test
PASS: sha256test
PASS: sha512test
PASS: shatest
PASS: ssltest.sh
PASS: testdsa.sh
PASS: testenc.sh
PASS: testrsa.sh
PASS: timingsafe
PASS: utf8test
========================
Testsuite summary for libressl 2.2.0
========================
# TOTAL: 52
# PASS:  51
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

biotest.log

FAIL: test 2 ("1") success, want failure
FAIL: test 3 ("1.2") success, want failure
FAIL: test 4 ("1.2.3") success, want failure
FAIL: test 13 ("0xff.0xff.0xff.0xff") success, want failure
FAIL biotest (exit status: 1)

Feedback from upstream (busterb/Brent Cook):

True. IIRC the results vary over other OSes as well, which is why LibreSSL portable does not enable this test by default. I've thought about including the OpenBSD inet_pton in the compat layer for the sake of consistency.
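The biotest failure above turns on how strictly an IPv4 string is parsed: the test expects short forms like "1.2.3" and hex octets like "0xff.0xff.0xff.0xff" to be rejected, and a lenient libc accepts them. As an added example (not LibreSSL's test code and not any libc's source), here is a strict dotted-quad parser with the semantics the test expects, run beside the local libc's inet_pton() on the same inputs so any difference is visible; strict_ipv4 and count_inet_pton_disagreements are names chosen here.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
/* Strict dotted-quad parser in the spirit of OpenBSD's inet_pton(AF_INET): exactly
 * four decimal octets 0-255, no hex, no leading zeros, no short forms like "1.2.3".
 * Returns 1 and fills out[] on success, 0 otherwise (out[] is then unspecified).
 * Added example: this is neither LibreSSL's biotest nor any libc's implementation. */
int strict_ipv4(const char *s, unsigned char out[4])
{
    int octets = 0, val = -1;            /* val == -1: no digit seen in this octet yet */
    for (; *s != '\0'; s++) {
        if (isdigit((unsigned char)*s)) {
            if (val == 0)                /* a digit after a leading '0', e.g. "01" */
                return 0;
            val = (val < 0 ? 0 : val * 10) + (*s - '0');
            if (val > 255)
                return 0;
        } else if (*s == '.') {
            if (val < 0 || octets == 3)  /* empty octet ("1..2") or a fifth octet */
                return 0;
            out[octets++] = (unsigned char)val;
            val = -1;
        } else {
            return 0;                    /* the 'x' of "0xff", whitespace, anything else */
        }
    }
    if (val < 0 || octets != 3)          /* trailing dot, or fewer than four octets */
        return 0;
    out[3] = (unsigned char)val;
    return 1;
}
/* Feeds the four inputs biotest expects to be rejected, plus one valid address,
 * to both parsers and returns how often the system inet_pton() disagrees with
 * the strict one: 0 on a libc with OpenBSD-like strictness, more on a lenient one. */
int count_inet_pton_disagreements(void)
{
    static const char *vectors[] = { "1", "1.2", "1.2.3", "0xff.0xff.0xff.0xff", "1.2.3.4" };
    int disagreements = 0;
    for (size_t i = 0; i < sizeof vectors / sizeof vectors[0]; i++) {
        unsigned char strict[4]; struct in_addr sys;
        int want = strict_ipv4(vectors[i], strict);
        int got = inet_pton(AF_INET, vectors[i], &sys) == 1;
        printf("%-22s strict=%d inet_pton=%d%s\n", vectors[i], want, got,
               want != got ? "  <-- differs" : "");
        if (want != got) disagreements++;
    }
    return disagreements;
}
```

A disagreement count above zero on a given platform is exactly the condition under which this biotest fails there.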

koobs edited edge metadata.

LGTM, Approved.

Pending @vsevolod's approval since he is maintainer.

Shouldn't this have a

MFH: 2015Q2

In the commit-log so it will be merged with quarterly? This fixes some security vulnerabilities.

Yes

In D2770#53938, @brnrd wrote:

Shouldn't this have a

MFH: 2015Q2

In the commit-log so it will be merged with quarterly? This fixes some security vulnerabilities.

Yes :)

brnrd edited edge metadata.
brnrd updated this object.

Refresh patch against head (updated to 2.1.7)

vsevolod edited edge metadata.

Looks good to me.

This revision is now accepted and ready to land. Jun 14 2015, 12:57 PM