Index: head/security/openssl/Makefile =================================================================== --- head/security/openssl/Makefile (revision 529813) +++ head/security/openssl/Makefile (revision 529814) @@ -1,160 +1,161 @@ # Created by: Dirk Froemberg # $FreeBSD$ PORTNAME= openssl PORTVERSION= 1.1.1e +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= security devel MASTER_SITES= https://www.openssl.org/source/ \ ftp://ftp.cert.dfn.de/pub/tools/net/openssl/source/ MAINTAINER= brnrd@FreeBSD.org COMMENT= TLSv1.3 capable SSL and crypto library LICENSE= OpenSSL LICENSE_FILE= ${WRKSRC}/LICENSE CONFLICTS_INSTALL= libressl-[0-9]* \ libressl-devel-[0-9]* HAS_CONFIGURE= yes CONFIGURE_SCRIPT= config CONFIGURE_ENV= PERL="${PERL}" CONFIGURE_ARGS= --openssldir=${OPENSSLDIR} \ --prefix=${PREFIX} USES= cpe perl5 USE_PERL5= build TEST_TARGET= test LDFLAGS_i386= -Wl,-znotext MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}" MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS= OPTIONS_GROUP= CIPHERS HASHES OPTIMIZE PROTOCOLS OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 WEAK-SSL-CIPHERS OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3 OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS OPTIONS_DEFINE_i386= I386 OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG SCTP SSL3 TLS1 TLS1_1 TLS1_2 OPTIONS_DEFINE= ASYNC CT MAN3 RFC3779 SHARED ZLIB OPTIONS_DEFAULT=ASM ASYNC CT GOST DES EC MAN3 MD4 NEXTPROTONEG RC2 RC4 \ RMD160 SCTP SHARED SSE2 THREADS TLS1 TLS1_1 TLS1_2 OPTIONS_GROUP_OPTIMIZE_amd64= EC .if ${MACHINE_ARCH} == "amd64" OPTIONS_GROUP_OPTIMIZE+= EC .elif ${MACHINE_ARCH} == "mips64el" OPTIONS_GROUP_OPTIMIZE+= EC .endif OPTIONS_SUB= yes ARIA_DESC= ARIA (South Korean standard) ASM_DESC= Assembler code ASYNC_DESC= Asynchronous mode CIPHERS_DESC= Block Cipher Support CT_DESC= Certificate Transparency Support DES_DESC= (Triple) Data Encryption Standard EC_DESC= Optimize NIST elliptic curves GOST_DESC= GOST (Russian standard) HASHES_DESC= Hash Function Support I386_DESC= i386 (instead of i486+) IDEA_DESC= International Data Encryption Algorithm MAN3_DESC= Install API manpages (section 3, 7) MD2_DESC= MD2 (obsolete) MD4_DESC= MD4 (unsafe) MDC2_DESC= MDC-2 (patented, requires DES) NEXTPROTONEG_DESC= Next Protocol Negotiation (SPDY) OPTIMIZE_DESC= Optimizations PROTOCOLS_DESC= Protocol Support RC2_DESC= RC2 (unsafe) RC4_DESC= RC4 (unsafe) RC5_DESC= RC5 (patented) RMD160_DESC= RIPEMD-160 RFC3779_DESC= RFC3779 support (BGP) SCTP_DESC= SCTP (Stream Control Transmission) SHARED_DESC= Build shared libraries SM2_DESC= SM2 Elliptic Curve DH (Chinese standard) SM3_DESC= SM3 256bit (Chinese standard) SM4_DESC= SM4 128bit (Chinese standard) SSE2_DESC= Runtime SSE2 detection SSL3_DESC= SSLv3 (unsafe) TLS1_DESC= TLSv1.0 (requires TLS1_1, TLS1_2) TLS1_1_DESC= TLSv1.1 (requires TLS1_2) TLS1_2_DESC= TLSv1.2 WEAK-SSL-CIPHERS_DESC= Weak cipher support (unsafe) ZLIB_DESC= zlib compression support # Upstream default disabled options .for _option in md2 rc5 sctp ssl3 zlib weak-ssl-ciphers ${_option:tu}_CONFIGURE_ON= enable-${_option} .endfor # Upstream default enabled options .for _option in aria asm async ct des gost idea md4 mdc2 nextprotoneg rc2 rc4 \ rfc3779 rmd160 shared sm2 sm3 sm4 sse2 threads tls1 tls1_1 tls1_2 ${_option:tu}_CONFIGURE_OFF= no-${_option} .endfor MDC2_IMPLIES= DES TLS1_IMPLIES= TLS1_1 TLS1_1_IMPLIES= TLS1_2 EC_CONFIGURE_ON= enable-ec_nistp_64_gcc_128 I386_CONFIGURE_ON= 386 MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_process__docs.pl SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER} SHARED_PLIST_SUB= SHLIBVER=${OPENSSL_SHLIBVER} SHARED_USE= ldconfig=yes SSL3_CONFIGURE_ON+= enable-ssl3-method ZLIB_CONFIGURE_ON= zlib-dynamic .include .if ${PREFIX} == /usr IGNORE= the OpenSSL port can not be installed over the base version .endif OPENSSLDIR?= ${PREFIX}/openssl PLIST_SUB+= OPENSSLDIR=${OPENSSLDIR:S=^${PREFIX}/==} .include "version.mk" .if ${PORT_OPTIONS:MASM} BROKEN_sparc64= option ASM generates illegal instructions .endif post-patch: ${REINPLACE_CMD} \ -e 's|^MANDIR=.*$$|MANDIR=$$(INSTALLTOP)/man|' \ -e 's| install_html_docs$$||' \ -e 's|$$(LIBDIR)/pkgconfig|libdata/pkgconfig|g' \ ${WRKSRC}/Configurations/unix-Makefile.tmpl ${REINPLACE_CMD} -e 's|\^GNU ld|GNU|' ${WRKSRC}/Configurations/shared-info.pl post-configure: ${REINPLACE_CMD} \ -e 's|SHLIB_VERSION_NUMBER=1.1|SHLIB_VERSION_NUMBER=${OPENSSL_SHLIBVER}|' \ ${WRKSRC}/Makefile ${REINPLACE_CMD} \ -e 's|SHLIB_VERSION_NUMBER "1.1"|SHLIB_VERSION_NUMBER "${OPENSSL_SHLIBVER}"|' \ ${WRKSRC}/include/openssl/opensslv.h post-install-SHARED-on: .for i in libcrypto libssl ${INSTALL_DATA} ${WRKSRC}/$i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/lib ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/$i.so.${OPENSSL_SHLIBVER} ${LN} -sf $i.so.${OPENSSL_SHLIBVER} ${STAGEDIR}${PREFIX}/lib/$i.so .endfor .for i in capi padlock ${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/engines-1.1/${i}.so .endfor post-install: ${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/openssl .include Index: head/security/openssl/files/patch-PR245154 =================================================================== --- head/security/openssl/files/patch-PR245154 (nonexistent) +++ head/security/openssl/files/patch-PR245154 (revision 529814) @@ -0,0 +1,155 @@ +From 0cd2ee64bffcdece599c3e4b5fac3830a55dc0fa Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 25 Mar 2020 14:18:13 +0100 +Subject: [PATCH] Document the revert of the proper reporting of an unexpected + EOF + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11400) +--- CHANGES.orig 2020-03-17 14:31:17 UTC ++++ CHANGES +@@ -7,6 +7,15 @@ + https://github.com/openssl/openssl/commits/ and pick the appropriate + release branch. + ++ Changes between 1.1.1e and 1.1.1f [xx XXX xxxx] ++ ++ *) Revert the change of EOF detection while reading in libssl to avoid ++ regressions in applications depending on the current way of reporting ++ the EOF. As the existing method is not fully accurate the change to ++ reporting the EOF via SSL_ERROR_SSL is kept on the current development ++ branch and will be present in the 3.0 release. ++ [Tomas Mraz] ++ + Changes between 1.1.1d and 1.1.1e [17 Mar 2020] + *) Properly detect EOF while reading in libssl. Previously if we hit an EOF + while reading in libssl then we would report an error back to the + CHANGES | 7 +++++++ + NEWS | 4 +++- + doc/man3/SSL_get_error.pod | 12 ++++++++++++ + 3 files changed, 22 insertions(+), 1 deletion(-) + +--- NEWS.orig 2020-03-17 14:31:17 UTC ++++ NEWS +@@ -5,7 +5,13 @@ + This file gives a brief overview of the major changes between each OpenSSL + release. For more details please read the CHANGES file. + +- Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020] ++ Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [under development] ++ ++ o Revert the unexpected EOF reporting via SSL_ERROR_SSL ++ o Properly detect unexpected EOF while reading in libssl and report ++ it via SSL_ERROR_SSL ++ ++ Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020] + + o Fixed an overflow bug in the x64_64 Montgomery squaring procedure + used in exponentiation with 512-bit moduli (CVE-2019-1551) +--- doc/man3/SSL_get_error.pod.orig 2020-03-17 14:31:17 UTC ++++ doc/man3/SSL_get_error.pod +@@ -155,6 +155,18 @@ connection and SSL_shutdown() must not be called. + + =back + ++=head1 BUGS ++ ++The B with B value of 0 indicates unexpected EOF from ++the peer. This will be properly reported as B with reason ++code B in the OpenSSL 3.0 release because ++it is truly a TLS protocol error to terminate the connection without ++a SSL_shutdown(). ++ ++The issue is kept unfixed in OpenSSL 1.1.1 releases because many applications ++which choose to ignore this protocol error depend on the existing way of ++reporting the error. ++ + =head1 SEE ALSO + + L +From 30d190caf311d534867df97e26b552e628cb7d85 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 25 Mar 2020 14:15:31 +0100 +Subject: [PATCH] Partially revert "Detect EOF while reading in libssl" + +This partially reverts commit db943f43a60d1b5b1277e4b5317e8f288e7a0a3a. + +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/11400) +--- + crypto/err/openssl.txt | 1 - + include/openssl/sslerr.h | 3 +-- + ssl/record/rec_layer_s3.c | 6 ------ + ssl/ssl_err.c | 4 +--- + 4 files changed, 2 insertions(+), 12 deletions(-) + +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index f5324c6819d8..35512f9caf96 100644 +--- crypto/err/openssl.txt.orig ++++ crypto/err/openssl.txt +@@ -2852,7 +2852,6 @@ SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES:242:unable to load ssl3 md5 routines + SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES:243:unable to load ssl3 sha1 routines + SSL_R_UNEXPECTED_CCS_MESSAGE:262:unexpected ccs message + SSL_R_UNEXPECTED_END_OF_EARLY_DATA:178:unexpected end of early data +-SSL_R_UNEXPECTED_EOF_WHILE_READING:294:unexpected eof while reading + SSL_R_UNEXPECTED_MESSAGE:244:unexpected message + SSL_R_UNEXPECTED_RECORD:245:unexpected record + SSL_R_UNINITIALIZED:276:uninitialized +diff --git a/include/openssl/sslerr.h b/include/openssl/sslerr.h +index 0ef684f3c131..ba4c4ae5fbd3 100644 +--- include/openssl/sslerr.h.orig ++++ include/openssl/sslerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -734,7 +734,6 @@ int ERR_load_SSL_strings(void); + # define SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES 243 + # define SSL_R_UNEXPECTED_CCS_MESSAGE 262 + # define SSL_R_UNEXPECTED_END_OF_EARLY_DATA 178 +-# define SSL_R_UNEXPECTED_EOF_WHILE_READING 294 + # define SSL_R_UNEXPECTED_MESSAGE 244 + # define SSL_R_UNEXPECTED_RECORD 245 + # define SSL_R_UNINITIALIZED 276 +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 1c885a664f35..b2a7a47eb075 100644 +--- ssl/record/rec_layer_s3.c.orig ++++ ssl/record/rec_layer_s3.c +@@ -296,12 +296,6 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, + ret = BIO_read(s->rbio, pkt + len + left, max - left); + if (ret >= 0) + bioread = ret; +- if (ret <= 0 +- && !BIO_should_retry(s->rbio) +- && BIO_eof(s->rbio)) { +- SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_SSL3_READ_N, +- SSL_R_UNEXPECTED_EOF_WHILE_READING); +- } + } else { + SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_READ_N, + SSL_R_READ_BIO_NOT_SET); +diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c +index a0c7b79659d4..4b12ed1485d9 100644 +--- ssl/ssl_err.c.orig ++++ ssl/ssl_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -1205,8 +1205,6 @@ static const ERR_STRING_DATA SSL_str_reasons[] = { + "unexpected ccs message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_END_OF_EARLY_DATA), + "unexpected end of early data"}, +- {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_EOF_WHILE_READING), +- "unexpected eof while reading"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_MESSAGE), "unexpected message"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNEXPECTED_RECORD), "unexpected record"}, + {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_UNINITIALIZED), "uninitialized"}, Property changes on: head/security/openssl/files/patch-PR245154 ___________________________________________________________________ Added: fbsd:nokeywords ## -0,0 +1 ## +yes \ No newline at end of property Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property