pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/security/libressl Updated libressl to 2.3.6 (latest st...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/27a4d64646f8
branches:  trunk
changeset: 349284:27a4d64646f8
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Sun Jul 03 13:46:06 2016 +0000

description:
Updated libressl to 2.3.6 (latest stable version, 2.4.x is development).

2.3.6 - Security fix

        * Correct a problem that prevents the DSA signing algorithm from
          running in constant time even if the flag BN_FLG_CONSTTIME is set.
          This issue was reported by Cesar Pereida (Aalto University), Billy
          Brumley (Tampere University of Technology), and Yuval Yarom (The
          University of Adelaide and NICTA). The fix was developed by Cesar
          Pereida. See OpenBSD 5.9 errata 11, June 6, 2016

2.3.5 - Reliability fix

        * Fixed an error in libcrypto when parsing some ASN.1 elements > 16k.

2.3.4 - Security Update

        * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
        From OpenSSL.

        * Minor build fixes

2.3.3 - OpenBSD 5.9 release branch tagged

        * Reworked build scripts to better sync with OpenNTPD-portable

        * Fixed broken manpage links

        * Fixed an nginx compatibility issue by adding an 'install_sw' make alias

        * Fixed HP-UX builds

        * Changed the default configuration directory to c:\LibreSSL\ssl on Windows
          binary builds

        * cert.pem has been reorganized and synced with Mozilla's certificate store

2.3.2 - Compatibility and Reliability fixes

        * Changed format of LIBRESSL_VERSION_NUMBER to match that of
          OPENSSL_VERSION_NUMBER, see:
          https://wiki.openssl.org/index.php/Manual:OPENSSL_VERSION_NUMBER(3)

        * Added EVP_aead_chacha20_poly1305_ietf() which matches the AEAD
          construction introduced in RFC 7539, which is different than that
          already used in TLS with EVP_aead_chacha20_poly1305()

        * Avoid a potential undefined C99+ behavior due to shift overflow in
          AES_decrypt, reported by Pascal Cuoq <cuoq at trust-in-soft.com>

        * More man pages converted from pod to mdoc format

        * Added COMODO RSA Certification Authority and QuoVadis
          root certificates to cert.pem

        * Removed Remove "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification
          Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
          certificate from cert.pem

        * Added support for building nc(1) on Solaris

        * Fixed GCC 5.x+ preprocessor checks, reported by Ruslan Babayev

        * Improved console handling with openssl(1) on Windows

        * Ensure the network stack is enabled on Windows when running
          tls_init()

        * Fixed incorrect TLS certificate loading by nc(1)

        * Added support for Solaris 11.3's getentropy(2) system call

        * Enabled support for using NetBSD 7.0's arc4random(3) implementation

        * Deprecated the SSL_OP_SINGLE_DH_USE flag by disabling its effect

        * Fixes from OpenSSL 1.0.1q
         - CVE-2015-3194 - NULL pointer dereference in client side certificate
                           validation.
         - CVE-2015-3195 - Memory leak in PKCS7 - not reachable from TLS/SSL

        * The following OpenSSL CVEs did not apply to LibreSSL
         - CVE-2015-3193 - Carry propagating bug in the x86_64 Montgomery
                           squaring procedure.
         - CVE-2015-3196 - Double free race condition of the identify hint
                           data.

         See https://marc.info/?l=openbsd-announce&m=144925068504102

2.3.1 - ASN.1 and time handling cleanups

        * ASN.1 cleanups and RFC5280 compliance fixes.

        * Time representations switched from 'unsigned long' to 'time_t'. LibreSSL
          now checks if the host OS supports 64-bit time_t.

        * Fixed a leak in SSL_new in the error path.

        * Support always extracting the peer cipher and version with libtls.

        * Added ability to check certificate validity times with libtls,
          tls_peer_cert_notbefore and tls_peer_cert_notafter.

        * Changed tls_connect_servername to use the first address that resolves with
          getaddrinfo().

        * Remove broken conditional EVP_CHECK_DES_KEY code (non-functional since
          initial commit in 2004).

        * Fixed a memory leak and out-of-bounds access in OBJ_obj2txt, reported
          by Qualys Security.

        * Fixed an up-to 7 byte overflow in RC4 when len is not a multiple of
          sizeof(RC4_CHUNK), reported by Pascal Cuoq <cuoq at trust-in-soft.com>.

        * Reject too small bits value in BN_generate_prime_ex(), so that it does
          not risk becoming negative in probable_prime_dh_safe(), reported by
                Franck Denis.

        * Enable nc(1) builds on more platforms.

2.3.0 - SSLv3 removed, libtls API changes, portability improvements

        * SSLv3 is now permanently removed from the tree.

        * The libtls API is changed from the 2.2.x series.

          The read/write functions work correctly with external event
          libraries.  See the tls_init man page for examples of using libtls
          correctly in asynchronous mode.

          Client-side verification is now supported, with the client supplying
          the certificate to the server.

          Also, when using tls_connect_fds, tls_connect_socket or
          tls_accept_fds, libtls no longer implicitly closes the passed in
          sockets. The caller is responsible for closing them in this case.

        * When loading a DSA key from an raw (without DH parameters) ASN.1
          serialization, perform some consistency checks on its `p' and `q'
          values, and return an error if the checks failed.

          Thanks for Georgi Guninski (guninski at guninski dot com) for
          mentioning the possibility of a weak (non prime) q value and
          providing a test case.

          See
          https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html
          for a longer discussion.

        * Fixed a bug in ECDH_compute_key that can lead to silent truncation
          of the result key without error. A coding error could cause software
          to use much shorter keys than intended.

        * Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations are no
          longer supported.

        * The engine command and parameters are removed from the openssl(1).
          Previous releases removed dynamic and builtin engine support
          already.

        * SHA-0 is removed, which was withdrawn shortly after publication 20
          years ago.

        * Added Certplus CA root certificate to the default cert.pem file.

        * New interface OPENSSL_cpu_caps is provided that does not allow
          software to inadvertently modify cpu capability flags.
          OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.

        * The out_len argument of AEAD changed from ssize_t to size_t.

        * Deduplicated DTLS code, sharing bugfixes and improvements with
          TLS.

        * Converted 'nc' to use libtls for client and server operations; it is
          included in the libressl-portable distribution as an example of how
          to use the library.

diffstat:

 security/libressl/Makefile |  11 +++----
 security/libressl/PLIST    |  58 ++++++++++++++++++++++++++++++---------------
 security/libressl/distinfo |  12 +++-----
 3 files changed, 49 insertions(+), 32 deletions(-)

diffs (280 lines):

diff -r cccd9babc95a -r 27a4d64646f8 security/libressl/Makefile
--- a/security/libressl/Makefile        Sun Jul 03 13:24:09 2016 +0000
+++ b/security/libressl/Makefile        Sun Jul 03 13:46:06 2016 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.6 2016/06/29 08:23:33 wiz Exp $
+# $NetBSD: Makefile,v 1.7 2016/07/03 13:46:06 wiz Exp $
 
-DISTNAME=      libressl-2.2.6
-PKGREVISION=   2
+DISTNAME=      libressl-2.3.6
 CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_OPENBSD:=LibreSSL/}
 
@@ -24,11 +23,10 @@
 PKG_SYSCONFSUBDIR=     ${PKGBASE}
 GNU_CONFIGURE_PREFIX=  ${LIBRESSL_PREFIX}
 CONFIGURE_ARGS+=       --with-openssldir=${PKG_SYSCONFDIR}
-CONFIGURE_ARGS+=       --with-enginesdir=${LIBRESSL_PREFIX}/lib/engines
 
 INSTALLATION_DIRS+=    ${EGDIR} lib
 
-EGDIR=                         ${PREFIX}/share/examples/${PKGBASE}
+EGDIR=                         ${PREFIX}/libressl/share/examples/${PKGBASE}
 CONFS=                         cert.pem openssl.cnf x509v3.cnf
 .for f in ${CONFS}
 CONF_FILES+=           ${EGDIR}/${f} ${PKG_SYSCONFDIR}/${f}
@@ -48,7 +46,8 @@
 .endif
 
 post-install:
-       cd ${WRKSRC}/apps; ${INSTALL_DATA} ${CONFS} ${DESTDIR}${EGDIR}
+       cd ${WRKSRC}/apps/openssl; ${INSTALL_DATA} ${CONFS} ${DESTDIR}${EGDIR}
        mv ${DESTDIR}${PREFIX}/libressl/lib/pkgconfig ${DESTDIR}${PREFIX}/lib
+       ${RM} -r ${DESTDIR}${PREFIX}/etc/libressl
 
 .include "../../mk/bsd.pkg.mk"
diff -r cccd9babc95a -r 27a4d64646f8 security/libressl/PLIST
--- a/security/libressl/PLIST   Sun Jul 03 13:24:09 2016 +0000
+++ b/security/libressl/PLIST   Sun Jul 03 13:46:06 2016 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.4 2016/06/29 08:23:33 wiz Exp $
+@comment $NetBSD: PLIST,v 1.5 2016/07/03 13:46:06 wiz Exp $
 lib/pkgconfig/libcrypto.pc
 lib/pkgconfig/libssl.pc
 lib/pkgconfig/libtls.pc
@@ -26,7 +26,6 @@
 libressl/include/openssl/dsa.h
 libressl/include/openssl/dso.h
 libressl/include/openssl/dtls1.h
-libressl/include/openssl/e_os2.h
 libressl/include/openssl/ec.h
 libressl/include/openssl/ecdh.h
 libressl/include/openssl/ecdsa.h
@@ -348,6 +347,7 @@
 libressl/man/man3/BUF_strdup.3
 libressl/man/man3/CMS_add0_cert.3
 libressl/man/man3/CMS_add1_recipient_cert.3
+libressl/man/man3/CMS_add1_signer.3
 libressl/man/man3/CMS_compress.3
 libressl/man/man3/CMS_decrypt.3
 libressl/man/man3/CMS_encrypt.3
@@ -357,7 +357,6 @@
 libressl/man/man3/CMS_get0_type.3
 libressl/man/man3/CMS_get1_ReceiptRequest.3
 libressl/man/man3/CMS_sign.3
-libressl/man/man3/CMS_sign_add1_signer.3
 libressl/man/man3/CMS_sign_receipt.3
 libressl/man/man3/CMS_uncompress.3
 libressl/man/man3/CMS_verify.3
@@ -373,6 +372,8 @@
 libressl/man/man3/CRYPTO_THREADID_get_callback.3
 libressl/man/man3/CRYPTO_THREADID_hash.3
 libressl/man/man3/CRYPTO_THREADID_set_callback.3
+libressl/man/man3/CRYPTO_THREADID_set_numeric.3
+libressl/man/man3/CRYPTO_THREADID_set_pointer.3
 libressl/man/man3/CRYPTO_add.3
 libressl/man/man3/CRYPTO_add_lock.3
 libressl/man/man3/CRYPTO_destroy_dynlockid.3
@@ -390,6 +391,7 @@
 libressl/man/man3/CRYPTO_set_locking_callback.3
 libressl/man/man3/CRYPTO_w_lock.3
 libressl/man/man3/CRYPTO_w_unlock.3
+libressl/man/man3/DECLARE_LHASH_OF.3
 libressl/man/man3/DES_cbc_cksum.3
 libressl/man/man3/DES_cfb64_encrypt.3
 libressl/man/man3/DES_cfb_encrypt.3
@@ -634,6 +636,14 @@
 libressl/man/man3/ERR_remove_state.3
 libressl/man/man3/ERR_remove_thread_state.3
 libressl/man/man3/ERR_set_mark.3
+libressl/man/man3/EVP_AEAD_CTX_cleanup.3
+libressl/man/man3/EVP_AEAD_CTX_init.3
+libressl/man/man3/EVP_AEAD_CTX_open.3
+libressl/man/man3/EVP_AEAD_CTX_seal.3
+libressl/man/man3/EVP_AEAD_key_length.3
+libressl/man/man3/EVP_AEAD_max_overhead.3
+libressl/man/man3/EVP_AEAD_max_tag_len.3
+libressl/man/man3/EVP_AEAD_nonce_length.3
 libressl/man/man3/EVP_BytesToKey.3
 libressl/man/man3/EVP_CIPHER_CTX_block_size.3
 libressl/man/man3/EVP_CIPHER_CTX_cipher.3
@@ -703,7 +713,6 @@
 libressl/man/man3/EVP_OpenFinal.3
 libressl/man/man3/EVP_OpenInit.3
 libressl/man/man3/EVP_OpenUpdate.3
-libressl/man/man3/EVP_PKEVP_PKEY_CTX_set_app_data.3
 libressl/man/man3/EVP_PKEY_CTX_ctrl.3
 libressl/man/man3/EVP_PKEY_CTX_ctrl_str.3
 libressl/man/man3/EVP_PKEY_CTX_dup.3
@@ -731,7 +740,6 @@
 libressl/man/man3/EVP_PKEY_cmp.3
 libressl/man/man3/EVP_PKEY_cmp_parameters.3
 libressl/man/man3/EVP_PKEY_copy_parameters.3
-libressl/man/man3/EVP_PKEY_ctrl_str.3
 libressl/man/man3/EVP_PKEY_decrypt.3
 libressl/man/man3/EVP_PKEY_decrypt_init.3
 libressl/man/man3/EVP_PKEY_derive.3
@@ -776,6 +784,10 @@
 libressl/man/man3/EVP_VerifyFinal.3
 libressl/man/man3/EVP_VerifyInit.3
 libressl/man/man3/EVP_VerifyUpdate.3
+libressl/man/man3/EVP_aead_aes_128_gcm.3
+libressl/man/man3/EVP_aead_aes_256_gcm.3
+libressl/man/man3/EVP_aead_chacha20_poly1305.3
+libressl/man/man3/EVP_aead_chacha20_poly1305_ietf.3
 libressl/man/man3/EVP_aes_128_ccm.3
 libressl/man/man3/EVP_aes_128_gcm.3
 libressl/man/man3/EVP_aes_192_ccm.3
@@ -833,7 +845,6 @@
 libressl/man/man3/EVP_rc5_32_12_16_ecb.3
 libressl/man/man3/EVP_rc5_32_12_16_ofb.3
 libressl/man/man3/EVP_ripemd160.3
-libressl/man/man3/EVP_sha.3
 libressl/man/man3/EVP_sha1.3
 libressl/man/man3/EVP_sha224.3
 libressl/man/man3/EVP_sha256.3
@@ -844,6 +855,10 @@
 libressl/man/man3/HMAC_Init.3
 libressl/man/man3/HMAC_Update.3
 libressl/man/man3/HMAC_cleanup.3
+libressl/man/man3/LHASH_COMP_FN_TYPE.3
+libressl/man/man3/LHASH_DOALL_ARG_FN_TYPE.3
+libressl/man/man3/LHASH_DOALL_FN_TYPE.3
+libressl/man/man3/LHASH_HASH_FN_TYPE.3
 libressl/man/man3/MD2.3
 libressl/man/man3/MD2_Final.3
 libressl/man/man3/MD2_Init.3
@@ -975,7 +990,6 @@
 libressl/man/man3/RIPEMD160_Final.3
 libressl/man/man3/RIPEMD160_Init.3
 libressl/man/man3/RIPEMD160_Update.3
-libressl/man/man3/RSA_PKCS1_RSAref.3
 libressl/man/man3/RSA_PKCS1_SSLeay.3
 libressl/man/man3/RSA_blinding_off.3
 libressl/man/man3/RSA_blinding_on.3
@@ -1076,7 +1090,6 @@
 libressl/man/man3/SSL_CTX_sess_set_cache_size.3
 libressl/man/man3/SSL_CTX_sess_set_get_cb.3
 libressl/man/man3/SSL_CTX_sess_set_new_cb.3
-libressl/man/man3/SSL_CTX_sess_set_remove.3
 libressl/man/man3/SSL_CTX_sess_set_remove_cb.3
 libressl/man/man3/SSL_CTX_sess_timeouts.3
 libressl/man/man3/SSL_CTX_sessions.3
@@ -1147,7 +1160,6 @@
 libressl/man/man3/SSL_get0_session.3
 libressl/man/man3/SSL_get1_session.3
 libressl/man/man3/SSL_get_SSL_CTX.3
-libressl/man/man3/SSL_get_accept_state.3
 libressl/man/man3/SSL_get_cipher.3
 libressl/man/man3/SSL_get_cipher_bits.3
 libressl/man/man3/SSL_get_cipher_list.3
@@ -1165,7 +1177,6 @@
 libressl/man/man3/SSL_get_info_callback.3
 libressl/man/man3/SSL_get_max_cert_list.3
 libressl/man/man3/SSL_get_mode.3
-libressl/man/man3/SSL_get_msg_callback_arg.3
 libressl/man/man3/SSL_get_options.3
 libressl/man/man3/SSL_get_peer_cert_chain.3
 libressl/man/man3/SSL_get_peer_certificate.3
@@ -1357,7 +1368,6 @@
 libressl/man/man3/bn_expand.3
 libressl/man/man3/bn_expand2.3
 libressl/man/man3/bn_fix_top.3
-libressl/man/man3/bn_internal.3
 libressl/man/man3/bn_mul_add_words.3
 libressl/man/man3/bn_mul_comba4.3
 libressl/man/man3/bn_mul_comba8.3
@@ -1403,7 +1413,6 @@
 libressl/man/man3/d2i_ECPKParameters_bio.3
 libressl/man/man3/d2i_ECPKParameters_fp.3
 libressl/man/man3/d2i_Netscape_RSA.3
-libressl/man/man3/d2i_PKCS8PrivateKey.3
 libressl/man/man3/d2i_PKCS8PrivateKey_bio.3
 libressl/man/man3/d2i_PKCS8PrivateKey_fp.3
 libressl/man/man3/d2i_RSAPrivateKey.3
@@ -1429,7 +1438,6 @@
 libressl/man/man3/dh.3
 libressl/man/man3/dsa.3
 libressl/man/man3/ec.3
-libressl/man/man3/ecdsa.3
 libressl/man/man3/engine.3
 libressl/man/man3/evp.3
 libressl/man/man3/get_session_cb.3
@@ -1481,7 +1489,6 @@
 libressl/man/man3/lh_retrieve.3
 libressl/man/man3/lh_stats.3
 libressl/man/man3/lh_stats_bio.3
-libressl/man/man3/lhash.3
 libressl/man/man3/mul.3
 libressl/man/man3/mul_add.3
 libressl/man/man3/new_session_cb.3
@@ -1498,8 +1505,11 @@
 libressl/man/man3/tls_config_free.3
 libressl/man/man3/tls_config_insecure_noverifycert.3
 libressl/man/man3/tls_config_insecure_noverifyname.3
+libressl/man/man3/tls_config_insecure_noverifytime.3
 libressl/man/man3/tls_config_new.3
 libressl/man/man3/tls_config_parse_protocols.3
+libressl/man/man3/tls_config_prefer_ciphers_client.3
+libressl/man/man3/tls_config_prefer_ciphers_server.3
 libressl/man/man3/tls_config_set_ca_file.3
 libressl/man/man3/tls_config_set_ca_mem.3
 libressl/man/man3/tls_config_set_ca_path.3
@@ -1513,24 +1523,34 @@
 libressl/man/man3/tls_config_set_protocols.3
 libressl/man/man3/tls_config_set_verify_depth.3
 libressl/man/man3/tls_config_verify.3
+libressl/man/man3/tls_config_verify_client.3
+libressl/man/man3/tls_config_verify_client_optional.3
 libressl/man/man3/tls_configure.3
+libressl/man/man3/tls_conn_cipher.3
+libressl/man/man3/tls_conn_version.3
 libressl/man/man3/tls_connect.3
 libressl/man/man3/tls_connect_fds.3
 libressl/man/man3/tls_connect_servername.3
 libressl/man/man3/tls_connect_socket.3
 libressl/man/man3/tls_error.3
 libressl/man/man3/tls_free.3
+libressl/man/man3/tls_handshake.3
 libressl/man/man3/tls_init.3
 libressl/man/man3/tls_load_file.3
+libressl/man/man3/tls_peer_cert_contains_name.3
+libressl/man/man3/tls_peer_cert_hash.3
+libressl/man/man3/tls_peer_cert_issuer.3
+libressl/man/man3/tls_peer_cert_notafter.3
+libressl/man/man3/tls_peer_cert_notbefore.3
+libressl/man/man3/tls_peer_cert_provided.3
+libressl/man/man3/tls_peer_cert_subject.3
 libressl/man/man3/tls_read.3
 libressl/man/man3/tls_reset.3
 libressl/man/man3/tls_server.3
 libressl/man/man3/tls_write.3
 libressl/man/man3/tmp_rsa_callback.3
-libressl/man/man3/ui.3
-libressl/man/man3/ui_compat.3
 libressl/man/man3/verify_callback.3
 libressl/man/man3/x509.3
-share/examples/libressl/cert.pem
-share/examples/libressl/openssl.cnf
-share/examples/libressl/x509v3.cnf
+libressl/share/examples/libressl/cert.pem
+libressl/share/examples/libressl/openssl.cnf
+libressl/share/examples/libressl/x509v3.cnf
diff -r cccd9babc95a -r 27a4d64646f8 security/libressl/distinfo
--- a/security/libressl/distinfo        Sun Jul 03 13:24:09 2016 +0000
+++ b/security/libressl/distinfo        Sun Jul 03 13:46:06 2016 +0000
@@ -1,8 +1,6 @@
-$NetBSD: distinfo,v 1.3 2016/03/01 02:07:48 sevan Exp $
+$NetBSD: distinfo,v 1.4 2016/07/03 13:46:06 wiz Exp $
 
-SHA1 (libressl-2.2.6.tar.gz) = 7dd05c3318ef0f9f15d43816cd892d212ca92e3c
-RMD160 (libressl-2.2.6.tar.gz) = ca39eba38a33ec61ea5616699de16f79a1c82a70
-SHA512 (libressl-2.2.6.tar.gz) = 41e29431ad9e8b18e2dbc30fe9df1d7be3ca372d5d7757b5b01f8904515bafd5333446957fbc9874f64f384dae56cf6bf29d6808a7c0df1836b55ea64804a4bf
-Size (libressl-2.2.6.tar.gz) = 2965531 bytes
-SHA1 (patch-apps_Makefile.am) = 0ae0a0176f68b08c5d3b5c05fa4f6fb37687cc07
-SHA1 (patch-apps_Makefile.in) = 668abb640ea091feee3d4be44f56660707d105d7
+SHA1 (libressl-2.3.6.tar.gz) = 87e9d5589a1e4f29e3417fcde28fe01a7783eb2c
+RMD160 (libressl-2.3.6.tar.gz) = 42deed65ad94de95ebbd0c31b8651328b152955b
+SHA512 (libressl-2.3.6.tar.gz) = d170fb6a457d3ad1861522f47ce27754dc13740575ef1ea397748b18709c3b17e3793a790d68791e3dc421a3e33de0d0ad023ceb8de132b2351f4ce00c8c67e9
+Size (libressl-2.3.6.tar.gz) = 3013459 bytes



Home | Main Index | Thread Index | Old Index