Index: branches/2017Q1/security/libressl/Makefile =================================================================== --- branches/2017Q1/security/libressl/Makefile (revision 431205) +++ branches/2017Q1/security/libressl/Makefile (revision 431206) @@ -1,44 +1,45 @@ # Created by: Vsevolod Stakhov # $FreeBSD$ PORTNAME= libressl PORTVERSION= 2.4.4 +PORTREVISION= 1 CATEGORIES= security devel MASTER_SITES= OPENBSD/LibreSSL MAINTAINER= brnrd@FreeBSD.org COMMENT= Free version of the SSL/TLS protocol forked from OpenSSL LICENSE= BSD4CLAUSE LICENSE_FILE= ${WRKSRC}/COPYING CPE_VENDOR= openbsd OPTIONS_DEFINE= MAN3 NC OPTIONS_DEFAULT= MAN3 NC MAN3_DESC= Install API manpages (section 3) NC_DESC= Install TLS-enabled netcat CONFLICTS_INSTALL= libressl-devel-[0-9]* \ openssl-[0-9]* \ openssl-devel-[0-9]* MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-MAN3 GNU_CONFIGURE= yes USES= cpe libtool pathfix pkgconfig USE_LDCONFIG= yes OPTIONS_SUB= yes CFLAGS+= -fpic -DPIC INSTALL_TARGET= install-strip TEST_TARGET= check post-install: ${RM} -r ${STAGEDIR}/${PREFIX}/etc/ssl/cert.pem post-install-NC-on: ${INSTALL_PROGRAM} ${WRKSRC}/apps/nc/.libs/nc ${STAGEDIR}/${PREFIX}/bin/nc ${INSTALL_MAN} ${WRKSRC}/apps/nc/nc.1 ${STAGEDIR}/${PREFIX}/man/man1/nc.1 .include Index: branches/2017Q1/security/libressl/files/patch-CVE-2016-7056 =================================================================== --- branches/2017Q1/security/libressl/files/patch-CVE-2016-7056 (nonexistent) +++ branches/2017Q1/security/libressl/files/patch-CVE-2016-7056 (revision 431206) 
@@ -0,0 +1,35 @@ +untrusted comment: signature from openbsd 6.0 base secret key +RWSho3oKSqgLQ55BCxFoKK3pckJBYNZ3l6vujvan4SYLtXvRIsH6PNnmu7Xu18ILyYPxIQnYmCf1ux+IeoD8vzKfEeoCb+UVdQg= + +OpenBSD 6.0 errata 16, Jan 5, 2017: + +Avoid possible side-channel leak of ECDSA private keys when signing. + +Apply by doing: + signify -Vep /etc/signify/openbsd-60-base.pub -x 016_libcrypto.patch.sig \ + -m - | (cd /usr/src && patch -p0) + +And then rebuild and install libcrypto: + cd /usr/src/lib/libcrypto + make obj + make depend + make + make install + +Index: lib/libssl/src/crypto/ecdsa/ecs_ossl.c +=================================================================== +RCS file: /cvs/src/lib/libssl/src/crypto/ecdsa/Attic/ecs_ossl.c,v +retrieving revision 1.6 +retrieving revision 1.6.8.1 +diff -u -p -r1.6 -r1.6.8.1 +--- crypto/ecdsa/ecs_ossl.c 8 Feb 2015 13:35:07 -0000 1.6 ++++ crypto/ecdsa/ecs_ossl.c 5 Jan 2017 13:28:48 -0000 1.6.8.1 +@@ -141,6 +141,8 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX * + if (BN_num_bits(k) <= BN_num_bits(order)) + if (!BN_add(k, k, order)) + goto err; ++ ++ BN_set_flags(k, BN_FLG_CONSTTIME); + + /* compute r the x-coordinate of generator * k */ + if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { Property changes on: branches/2017Q1/security/libressl/files/patch-CVE-2016-7056 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Index: branches/2017Q1 =================================================================== --- branches/2017Q1 (revision 431205) +++ branches/2017Q1 (revision 431206) Property changes on: branches/2017Q1 ___________________________________________________________________ Modified: svn:mergeinfo ## -0,0 +0,1 ## Merged /head:r431174
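Review bot: The signify header kept at the top of files/patch-CVE-2016-7056 probably no longer verifies against the file as committed. The `---`/`+++` lines name `crypto/ecdsa/ecs_ossl.c` while the `Index:` and `RCS file:` lines still name `lib/libssl/src/crypto/ecdsa/ecs_ossl.c`, which suggests the body was edited for the port after upstream signed it. A reader may take the `untrusted comment:` and signature lines as evidence that this file is byte-for-byte the upstream erratum, so I would add one line under the signature block, for example `Paths adjusted for the FreeBSD port; verify the signature against the upstream 016_libcrypto.patch.sig, not this file.` On the C change itself, `BN_set_flags(k, BN_FLG_CONSTTIME);` flags `k` only after the `BN_add(k, k, order)` padding. The rest of ecdsa_sign_setup lies outside the embedded hunk, so it cannot be confirmed from here that every later operation on the nonce sees the flagged BIGNUM rather than an unflagged copy.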