Index: head/security/openssl-devel/Makefile =================================================================== --- head/security/openssl-devel/Makefile (revision 467498) +++ head/security/openssl-devel/Makefile (revision 467499) @@ -1,140 +1,141 @@ # Created by: Dirk Froemberg # $FreeBSD$ PORTNAME= openssl PORTVERSION= 1.1.0h +PORTREVISION= 1 CATEGORIES= security devel MASTER_SITES= https://www.openssl.org/source/ \ ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/ PKGNAMESUFFIX= -devel MAINTAINER= brnrd@FreeBSD.org COMMENT= SSL and crypto library (1.1.x) LICENSE= OpenSSL LICENSE_FILE= ${WRKSRC}/LICENSE CONFLICTS_INSTALL= libressl-[0-9]* \ libressl-devel-[0-9]* \ openssl-[0-9]* HAS_CONFIGURE= yes CONFIGURE_SCRIPT= config CONFIGURE_ENV= PERL="${PERL}" CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \ --prefix=${PREFIX} OPTIONS_GROUP= CIPHERS HASHES OPTIMIZE PROTOCOLS OPTIONS_GROUP_CIPHERS= IDEA JPAKE RC2 RC4 RC5 OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS OPTIONS_DEFINE_i386= I386 OPTIONS_GROUP_PROTOCOLS= DH NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1 OPTIONS_DEFINE= ASYNC MAN3 RFC3779 SHARED ZLIB .if ${MACHINE_ARCH} == "amd64" OPTIONS_GROUP_OPTIMIZE+= EC .elif ${MACHINE_ARCH} == "mips64el" OPTIONS_GROUP_OPTIMIZE+= EC .endif OPTIONS_DEFAULT= ASM ASYNC DH EC MAN3 MD4 RC2 RC4 RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1 ASM_DESC= Assembler code ASYNC_DESC= Asynchronous mode CIPHERS_DESC= Cipher Suite Support DH_DESC= Diffie-Helmann protocol Support EC_DESC= Optimize NIST elliptic curves HASHES_DESC= Hash Function Support I386_DESC= i386 (instead of i486+) IDEA_DESC= IDEA JPAKE_DESC= J-PAKE (experimental) MAN3_DESC= Install API manpages (section 3) MD2_DESC= MD2 (obsolete) MD4_DESC= MD4 (unsafe) MDC2_DESC= MDC-2 MD_GHOST94_DESC= GHOST94 (obscure) NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY) OPTIMIZE_DESC= Optimizations PROTOCOLS_DESC= Protocol Support RC2_DESC= RC2 (unsafe) RC4_DESC= RC4 (unsafe) RC5_DESC= RC5 (patented) RMD160_DESC= RIPEMD-160 RFC3779_DESC= RFC3779 support (BGP) SCTP_DESC= SCTP (Stream Control Transmission) SHARED_DESC= Build shared libraries SSE2_DESC= Runtime SSE2 detection SSL3_DESC= SSLv3 (unsafe) TLS1_DESC= TLSv1.0 support TLS1_1_DESC= TLSv1.1 support (disables TLSv1.0 as well) ZLIB_DESC= zlib compression support OPTIONS_SUB= yes USES= cpe perl5 USE_PERL5= build MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS= TEST_TARGET= test # Upstream default disabled options .for _option in md2 rc5 sctp ssl3 zlib ${_option:tu}_CONFIGURE_ON= enable-${_option} .endfor # Upstream default enabled options .for _option in asm async dh idea md4 mdc2 md_ghost94 nextprotoneg rfc3779 \ rmd160 sse2 threads tls1 tls1_1 zlib ${_option:tu}_CONFIGURE_OFF= no-${_option} .endfor EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128 I386_CONFIGURE_ON= 386 SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER} SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER} SHARED_USE= ldconfig=yes SSL3_CONFIGURE_ON+= enable-ssl3-method ZLIB_CONFIGURE_ON= zlib-dynamic .include .if ${PREFIX} == /usr IGNORE= the OpenSSL port can not be installed over the base version .endif OPENSSLDIR?= ${PREFIX}/openssl PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==} .include "version.mk" .if ${PORT_OPTIONS:MASM} BROKEN_sparc64= option ASM generates illegal instructions .endif post-patch: ${REINPLACE_CMD} \ -e 's|^MANDIR=.*$$|MANDIR=$$(INSTALLTOP)/man|' \ -e 's| install_html_docs$$||' \ -e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \ ${WRKSRC}/Configurations/unix-Makefile.tmpl post-patch-MAN3-off: ${GREP} -L openssl_manual_section ${WRKSRC}/doc/crypto/*.pod | ${XARGS} ${RM} ${GREP} -L openssl_manual_section ${WRKSRC}/doc/ssl/*.pod | ${XARGS} ${RM} post-configure: ${REINPLACE_CMD} \ -e 's|$$(SHLIB_MAJOR).$$(SHLIB_MINOR)|${OPENSSL_SHLIBVER}|g' \ ${WRKSRC}/Makefile ${REINPLACE_CMD} \ -e 's|SHLIB_VERSION_NUMBER "1.1"|SHLIB_VERSION_NUMBER "${OPENSSL_SHLIBVER}"|' \ ${WRKSRC}/include/openssl/opensslv.h post-install-SHARED-on: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/lib*.so.${OPENSSL_SHLIBVER} \ ${STAGEDIR}${PREFIX}/lib/engines-1.1/*.so post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl .include Index: head/security/openssl-devel/files/patch-CVE-2018-7037 =================================================================== --- head/security/openssl-devel/files/patch-CVE-2018-7037 (nonexistent) +++ head/security/openssl-devel/files/patch-CVE-2018-7037 (revision 467499) @@ -0,0 +1,27 @@ +From 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787 Mon Sep 17 00:00:00 2001 +From: Billy Brumley +Date: Wed, 11 Apr 2018 10:10:58 +0300 +Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont + both get called with BN_FLG_CONSTTIME flag set. + +CVE-2018-0737 + +Reviewed-by: Rich Salz +Reviewed-by: Matt Caswell +--- + crypto/rsa/rsa_gen.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index 9af43e05863..79f77e3eafd 100644 +--- crypto/rsa/rsa_gen.c.orig ++++ crypto/rsa/rsa_gen.c +@@ -89,6 +89,8 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, + if (BN_copy(rsa->e, e_value) == NULL) + goto err; + ++ BN_set_flags(rsa->p, BN_FLG_CONSTTIME); ++ BN_set_flags(rsa->q, BN_FLG_CONSTTIME); + BN_set_flags(r2, BN_FLG_CONSTTIME); + /* generate p and q */ + for (;;) { Property changes on: head/security/openssl-devel/files/patch-CVE-2018-7037 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property