pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/openssl openssl: Update to 1.1.1d.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/1c8fe2c6233f
branches:  trunk
changeset: 421504:1c8fe2c6233f
user:      jperkin <jperkin%pkgsrc.org@localhost>
date:      Thu Jan 16 13:30:29 2020 +0000

description:
openssl: Update to 1.1.1d.

This is a major upgrade to the current LTS release.  1.0.2 and 1.1.0 are now
out of support and should not be used.

pkgsrc changes include a large cleanup of patches and targets, many of which
were clearly bogus, for example a CONFLICTS entry against a package that has
never existed, and one that was removed in 1999.

Tested on SmartOS, macOS, and NetBSD.  Used for the SmartOS pkgsrc-2019Q4 LTS
release.

There are far too many individual changes to list, so the following text is
instead taken from the 1.1.1 blog announcement:

  --------------------------------------------------------------------------

After two years of work we are excited to be releasing our latest version today
- OpenSSL 1.1.1. This is also our new Long Term Support (LTS) version and so we
are committing to support it for at least five years.

OpenSSL 1.1.1 has been a huge team effort with nearly 5000 commits having been
made from over 200 individual contributors since the release of OpenSSL 1.1.0.
These statistics just illustrate the amazing vitality and diversity of the
OpenSSL community. The contributions didn't just come in the form of commits
though. There has been a great deal of interest in this new version so thanks
needs to be extended to the large number of users who have downloaded the beta
releases to test them out and report bugs.

The headline new feature is TLSv1.3. This new version of the Transport Layer
Security (formerly known as SSL) protocol was published by the IETF just one
month ago as RFC8446. This is a major rewrite of the standard and introduces
significant changes, features and improvements which have been reflected in the
new OpenSSL version.

What's more is that OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0
so most applications that work with 1.1.0 can gain many of the benefits of
TLSv1.3 simply by dropping in the new OpenSSL version. Since TLSv1.3 works very
differently to TLSv1.2 though there are a few caveats that may impact a
minority of applications. See the TLSv1.3 page on the OpenSSL wiki for more
details.

Some of the benefits of TLSv1.3 include:

 * Improved connection times due to a reduction in the number of round trips
   required between the client and server

 * The ability, in certain circumstances, for clients to start sending
   encrypted data to the server straight away without any round trips with the
   server required (a feature known as 0-RTT or "early data").

 * Improved security due to the removal of various obsolete and insecure
   cryptographic algorithms and encryption of more of the connection handshake

Other features in the 1.1.1 release include:

 * Complete rewrite of the OpenSSL random number generator to introduce the
   following capabilities:

   * The default RAND method now utilizes an AES-CTR DRBG according to NIST
     standard SP 800-90Ar1.
   * Support for multiple DRBG instances with seed chaining.
   * There is a public and private DRBG instance.
   * The DRBG instances are fork-safe.
   * Keep all global DRBG instances on the secure heap if it is enabled.
   * The public and private DRBG instance are per thread for lock free
     operation

 * Support for various new cryptographic algorithms including:

   * SHA3
   * SHA512/224 and SHA512/256
   * EdDSA (including Ed25519 and Ed448)
   * X448 (adding to the existing X25519 support in 1.1.0)
   * Multi-prime RSA
   * SM2
   * SM3
   * SM4
   * SipHash
   * ARIA (including TLS support)

 * Significant Side-Channel attack security improvements

 * Maximum Fragment Length TLS extension support

 * A new STORE module, which implements a uniform and URI based reader of
   stores that can contain keys, certificates, CRLs and numerous other objects.

Since 1.1.1 is our new LTS release we are strongly advising all users to
upgrade as soon as possible. For most applications this should be
straightforward if they are written to work with OpenSSL 1.1.0. Since OpenSSL
1.1.0 is not an LTS release it will start receiving security fixes only with
immediate effect as per our previous announcement and as published in our
release strategy. It will cease receiving all support in one year's time.

Our previous LTS release (OpenSSL 1.0.2) will continue to receive full support
until the end of this year. After that it will receive security fixes only. It
will stop receiving all support at the end of 2019. Users of that release are
strongly advised to upgrade to OpenSSL 1.1.1.
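Added example (not part of this commit, of pkgsrc, or of OpenSSL itself): the
announcement above says 1.0.2 and 1.1.0 are out of support, and the commit
dates this update to January 2020, so the practical check is "which series is
a given build in, and where does that series stand today?". The script below
decodes the packed OPENSSL_VERSION_NUMBER that 1.0.x/1.1.x builds expose
(0xMNNFFPPS; OpenSSL 3.x uses a different layout and is handled separately),
places a build in its release series, and applies the support windows stated
in the announcement. It assumes 1.1.1 shipped on 2018-09-11, so "one year's
time" for 1.1.0 ends on 2019-09-11; the sample version numbers are constructed
for the demo, and the final report reads whatever OpenSSL the running Python
interpreter is linked against.

```python
import datetime
import ssl

# Support windows taken from the 1.1.1 announcement, as
# (security-fixes-only from, end of all support).  1.1.0 dropped to
# security-only the day 1.1.1 shipped (assumed 2018-09-11) and ended a year
# later; 1.0.2 was fully supported through 2018, security-only during 2019,
# and ended with 2019.  1.1.1 is LTS with at least five years of support, so
# it has no entry and is reported as "supported".
SUPPORT_TABLE = {
    (1, 0, 2): (datetime.date(2019, 1, 1), datetime.date(2019, 12, 31)),
    (1, 1, 0): (datetime.date(2018, 9, 11), datetime.date(2019, 9, 11)),
}

# Date of the pkgsrc commit above, used as "today" in the demo run.
COMMIT_DATE = datetime.date(2020, 1, 16)


def decode_version(num):
    """Decode OPENSSL_VERSION_NUMBER into ((major, minor, fix), 'M.N.Fp').

    1.0.x and 1.1.x pack it as 0xMNNFFPPS: a major nibble, a minor byte, a
    fix byte, a patch byte (1 = 'a', 2 = 'b', ...) and a status nibble
    (0xf = release, 0 = dev, otherwise beta N).  OpenSSL 3.x changed the
    layout to 0xMNN00PPS with no patch letter, so that case is decoded
    separately and reported as major.minor.patch.
    """
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    status = num & 0xF
    if major >= 3:
        return (major, minor, patch), f"{major}.{minor}.{patch}"
    letter = chr(ord("a") + patch - 1) if patch else ""
    if status == 0xF:
        suffix = ""
    elif status == 0:
        suffix = "-dev"
    else:
        suffix = f"-beta{status}"
    return (major, minor, fix), f"{major}.{minor}.{fix}{letter}{suffix}"


def support_status(num, today):
    """Classify a build against SUPPORT_TABLE as of `today`.

    Returns the decoded version text, the series tuple, one of
    'full-support', 'security-fixes-only', 'end-of-life' or 'supported'
    (the last for series the announcement gives no end date, i.e. 1.1.1 and
    newer), and the end-of-life date if known.  'supported' says nothing
    about whether a particular patch level still carries unfixed CVEs.
    """
    series, text = decode_version(num)
    window = SUPPORT_TABLE.get(series)
    if window is None:
        return {"version": text, "series": series, "status": "supported", "eol": None}
    security_only_from, eol = window
    if today > eol:
        status = "end-of-life"
    elif today >= security_only_from:
        status = "security-fixes-only"
    else:
        status = "full-support"
    return {"version": text, "series": series, "status": status, "eol": eol}


def running_interpreter_report(today=None):
    """Apply the policy to the OpenSSL this Python is linked against and note
    whether the headline 1.1.1 feature, TLSv1.3, is available to it."""
    report = support_status(ssl.OPENSSL_VERSION_NUMBER, today or datetime.date.today())
    report["linked"] = ssl.OPENSSL_VERSION
    report["tls13"] = bool(getattr(ssl, "HAS_TLSv1_3", False))
    return report


if __name__ == "__main__":
    # Constructed sample numbers: the two versions in the Makefile hunk below
    # (1.0.2u, 1.1.1d), a 1.1.0 patch level, and a 3.x number for the other layout.
    for num in (0x1000215F, 0x1010104F, 0x1010008F, 0x30000070):
        r = support_status(num, COMMIT_DATE)
        print(f"0x{num:08x}  {r['version']:<8} {r['status']:<20} eol={r['eol']}")
    print("interpreter:", running_interpreter_report(COMMIT_DATE))
```

Run it as-is to see the table for the commit date; on a host where the
interpreter still links an EOL series the last line is the one to act on,
and a "supported" 1.1.1 result should still be followed by checking the
patch letter against the current OpenSSL advisories.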

diffstat:

 security/openssl/Makefile                                        |   174 +-
 security/openssl/PLIST.OSF1                                      |     3 -
 security/openssl/PLIST.common                                    |  1795 ----------
 security/openssl/PLIST.shlib                                     |     5 -
 security/openssl/buildlink3.mk                                   |     6 +-
 security/openssl/builtin.mk                                      |    76 +-
 security/openssl/distinfo                                        |    19 +-
 security/openssl/patches/patch-Configurations_unix-Makefile.tmpl |   102 +
 security/openssl/patches/patch-Configure                         |    81 -
 security/openssl/patches/patch-Makefile.org                      |   106 -
 security/openssl/patches/patch-Makefile.shared                   |   104 -
 security/openssl/patches/patch-apps_Makefile                     |    34 -
 security/openssl/patches/patch-config                            |    85 -
 security/openssl/patches/patch-crypto_bn_bn__prime.pl            |    22 -
 security/openssl/patches/patch-crypto_des_Makefile               |    18 -
 security/openssl/patches/patch-tools_Makefile                    |    27 -
 16 files changed, 141 insertions(+), 2516 deletions(-)

diffs (truncated from 2789 to 300 lines):

diff -r 857e6de08736 -r 1c8fe2c6233f security/openssl/Makefile
--- a/security/openssl/Makefile Thu Jan 16 13:30:17 2020 +0000
+++ b/security/openssl/Makefile Thu Jan 16 13:30:29 2020 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.247 2020/01/02 20:31:05 sevan Exp $
+# $NetBSD: Makefile,v 1.248 2020/01/16 13:30:29 jperkin Exp $
 
-DISTNAME=      openssl-1.0.2u
+DISTNAME=      openssl-1.1.1d
 CATEGORIES=    security
 MASTER_SITES=  https://www.openssl.org/source/
 
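Review bot: the DISTNAME move from openssl-1.0.2u to openssl-1.1.1d is a new upstream tarball, so distinfo needs fresh checksums and size; the diffstat lists distinfo as changed but the truncated diff does not show that hunk, so confirm the recorded digests were compared against the digest and signature OpenSSL publishes alongside the tarball rather than only against a local download.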
@@ -9,140 +9,19 @@
 COMMENT=       Secure Socket Layer and cryptographic library
 LICENSE=       openssl
 
-CONFLICTS=     SSLeay-[0-9]* ssleay-[0-9]*
-
-BUILD_DEPENDS+=        p5-Perl4-CoreLibs-[0-9]*:../../devel/p5-Perl4-CoreLibs
-
 USE_GCC_RUNTIME=       yes
 
-USE_TOOLS+=            fgrep gmake makedepend perl:run
+USE_TOOLS+=            fgrep gmake makedepend perl
 BUILD_TARGET=          depend all
 TEST_TARGET=           tests
-MAKE_JOBS_SAFE=                no
 
 HAS_CONFIGURE=         yes
 CONFIGURE_SCRIPT=      ./config
 CONFIGURE_ARGS+=       --prefix=${PREFIX}
-CONFIGURE_ARGS+=       --install_prefix=${DESTDIR}
 CONFIGURE_ARGS+=       --openssldir=${PKG_SYSCONFDIR}
-CONFIGURE_ARGS+=       shared no-fips
-
-.include "../../mk/compiler.mk"
-
-# Avoid dependency on 'makedepend' on platforms where the default CC is set
-# to 'cc' not 'gcc' in boostrap-mk-files.  OpenSSL only supports the latter.
-.if !empty(PKGSRC_COMPILER:Mgcc) && ${CC} == "cc"
-CC=                    gcc
-.endif
+CONFIGURE_ARGS+=       shared
 
-.if ${OPSYS} == "SunOS"
-.  if ${MACHINE_ARCH} == "sparc"
-OPENSSL_MACHINE_ARCH=  sparcv7
-.  elif ${MACHINE_ARCH} == "sparc64"
-OPENSSL_MACHINE_ARCH=  sparcv9
-.  elif ${MACHINE_ARCH} == "i386"
-OPENSSL_MACHINE_ARCH=  x86
-.  elif ${MACHINE_ARCH} == "x86_64"
-OPENSSL_MACHINE_ARCH=  ${MACHINE_ARCH}
-.  endif
-# only override the configure target if we know the platform, falling
-# back to ./config's autodetection if not.
-.  if defined(OPENSSL_MACHINE_ARCH) && !empty(OPENSSL_MACHINE_ARCH)
-CONFIGURE_SCRIPT=      ./Configure
-.    if !empty(PKGSRC_COMPILER:Mclang) || !empty(PKGSRC_COMPILER:Mgcc)
-CONFIGURE_ARGS+=       solaris${${ABI}==64:?64:}-${OPENSSL_MACHINE_ARCH}-gcc
-.    else
-CONFIGURE_ARGS+=       solaris${${ABI}==64:?64:}-${OPENSSL_MACHINE_ARCH}-cc
-.    endif
-.  endif
-.elif ${OPSYS} == "IRIX"
-CONFIGURE_ARGS+=       no-asm
-.  if defined(ABI) && ${ABI} == "64"
-CONFIGURE_SCRIPT=      ./Configure
-.    if !empty(CC_VERSION:Mgcc*)
-CONFIGURE_ARGS+=       irix64-mips4-gcc
-.    else
-CONFIGURE_ARGS+=       irix64-mips4-cc
-.    endif
-.  endif
-.elif ${OPSYS} == "OSF1"
-USE_PLIST_SHLIB=       no
-CONFIGURE_SCRIPT=      ./Configure
-.  if !empty(CC_VERSION:Mgcc*)
-CONFIGURE_ARGS+=       tru64-alpha-gcc
-.  else
-CONFIGURE_ARGS+=       tru64-alpha-cc
-.  endif
-.elif ${OPSYS} == "Darwin"
-CONFIGURE_SCRIPT=      ./Configure
-.  if defined(ABI) && ${ABI} == "64"
-_OS=                   darwin64
-.  else
-_OS=                   darwin
-.  endif
-.  if ${MACHINE_ARCH:Mpowerpc*}
-_ARCH=                 ppc
-.  else
-_ARCH=                 ${MACHINE_ARCH}
-.  endif
-CONFIGURE_ARGS+=       ${_OS}-${_ARCH}-cc
-
-SUBST_CLASSES+=                dl
-SUBST_MESSAGE.dl=      Adding dynamic link compatibility library.
-SUBST_STAGE.dl=                post-configure
-SUBST_FILES.dl=                Makefile apps/Makefile crypto/Makefile \
-                       crypto/pkcs7/Makefile test/Makefile
-SUBST_SED.dl=          -e 's,^EX_LIBS=,EX_LIBS=${DL_LDFLAGS:Q} ,g'
-
-.elif ${OPSYS} == "AIX"
-CONFIGURE_SCRIPT=      ./Configure
-.  if defined(ABI) && ${ABI} == "64"
-.    if !empty(CC_VERSION:Mgcc*)
-CONFIGURE_ARGS+=       aix64-gcc
-.    else
-CONFIGURE_ARGS+=       aix64-cc
-.    endif
-.  else
-.    if !empty(CC_VERSION:Mgcc*)
-CONFIGURE_ARGS+=       aix-gcc
-.    else
-CONFIGURE_ARGS+=       aix-cc
-.    endif
-.  endif
-.elif ${OPSYS} == "Interix"
-SUBST_CLASSES+=                soname
-SUBST_STAGE.soname=    post-configure
-SUBST_FILES.soname=    Makefile.shared
-SUBST_SED.soname=      -e 's/-Wl,-soname=/-Wl,-h,/g'
-.elif ${OPSYS} == "HPUX"
-CONFIGURE_SCRIPT=      ./Configure
-.  if defined(ABI) && ${ABI} == "64"
-.    if ${MACHINE_ARCH} == "hppa64"
-CONFIGURE_ARGS+=       hpux64-parisc2-${CC}
-.    else
-CONFIGURE_ARGS+=       hpux64-ia64-${CC}
-.    endif
-.  else
-.    if ${MACHINE_ARCH} == "hppa"
-CONFIGURE_ARGS+=       hpux-parisc-${CC}
-.    else
-CONFIGURE_ARGS+=       hpux-ia64-${CC}
-.    endif
-.  endif
-.elif ${OPSYS} == "Linux"
-.  if ${MACHINE_ARCH} == "powerpc64"
-CONFIGURE_SCRIPT=      ./Configure
-CONFIGURE_ARGS+=       linux-ppc64
-.  elif ${MACHINE_ARCH} == "i386"
-CONFIGURE_SCRIPT=      ./Configure
-CONFIGURE_ARGS+=       linux-elf
-.  endif
-.elif ${OS_VARIANT} == "SCOOSR5"
-# SIGILL in _sha1_block_data_order_ssse3().
-CONFIGURE_ARGS+=       no-sse2
-.endif
-
-.include "../../security/openssl/options.mk"
+.include "options.mk"
 
 CONFIGURE_ARGS+=       ${CFLAGS} ${LDFLAGS}
 CONFIGURE_ENV+=                PERL=${PERL5:Q}
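Review bot: changing `USE_TOOLS+= ... perl:run` to plain `perl` drops perl as a run-time dependency, but the old PLIST.common lists bin/c_rehash, which is a perl script in this OpenSSL series; if the new file list keeps it, either restore `perl:run` or remove the script at post-install and rely on `openssl rehash`. Separately, every hand-picked Configure target (solaris64-*, darwin64-*, aix64-*, hpux64-*, irix64-*) is removed and `./config` autodetection now chooses the ABI; on multi-ABI hosts where pkgsrc sets ABI=64, consider passing KERNEL_BITS=${ABI} via CONFIGURE_ENV so config still selects the 64-bit target. Dropping `no-fips` is fine, since no FIPS module exists for the 1.1.1 series.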
@@ -150,14 +29,6 @@
 PKGCONFIG_OVERRIDE+=           libcrypto.pc libssl.pc openssl.pc
 PKGCONFIG_OVERRIDE_STAGE=      post-build
 
-PLIST_SRC+=            ${PKGDIR}/PLIST.common
-USE_PLIST_SHLIB?=      yes
-.if ${USE_PLIST_SHLIB} == "yes"
-PLIST_SRC+=            ${PKGDIR}/PLIST.shlib
-.endif
-PLIST_SUBST+=          SHLIB_VERSION=${OPENSSL_VERS:C/[^0-9]*$//}
-PLIST_SUBST+=          SHLIB_MAJOR=${OPENSSL_VERS:C/\..*$//}
-
 PKG_SYSCONFSUBDIR=     openssl
 CONF_FILES=            ${PREFIX}/share/examples/openssl/openssl.cnf    \
                        ${PKG_SYSCONFDIR}/openssl.cnf
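Review bot: with PLIST_SRC, USE_PLIST_SHLIB and the SHLIB_VERSION/SHLIB_MAJOR substitutions removed, the package falls back to the default ${PKGDIR}/PLIST, yet PLIST.common and PLIST.shlib are deleted and no PLIST file appears in this changeset's diffstat; make sure the regenerated 1.1.1d file list is committed together with this change, otherwise the package builds against a missing or stale PLIST.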
@@ -165,21 +36,30 @@
 
 INSTALLATION_DIRS+=    share/examples/openssl
 
-# Fix the path to perl in various scripts.
-pre-configure:
-       cd ${WRKSRC} && ${PERL5} util/perlpath.pl ${PERL5}
+#
+# Note that this package cannot be updated solely from Darwin, it relies on
+# shlib-dylib.awk to convert the normal .so entries to dylib, which doesn't
+# work the other way around.  The lib/engines-1.1 plugins also need special
+# handling.
+#
+OPSYSVARS+=            SOEXT
+SOEXT.Darwin=          dylib
+SOEXT.*=               so
+PLIST_SUBST+=          SOEXT=${SOEXT}
 
-# BN_print.3 and bn_print.3 cannot co-exist on Darwin, we choose to remove
-# bn_print.3 simply because it has more aliases to the same manual page.
-PLIST_VARS+=   notmac
-.if ${OPSYS} == "Darwin"
+PRINT_PLIST_AWK+=      /^lib\/engines/ { gsub(/\.${SOEXT}$$/, ".$${SOEXT}"); }
+
+#
+# Get rid of ridiculous namespace collisions like passwd.1 and just leave the
+# openssl-*.1 style variants.  On a more practical note this avoids creating
+# a conflict with moreutils (ts.1).
+#
 post-install:
-       ${CP} -p ${DESTDIR}${PREFIX}/${PKGMANDIR}/man3/BN_print.3 ${WRKDIR}
-       ${RM} ${DESTDIR}${PREFIX}/${PKGMANDIR}/man3/bn_print.3*
-       ${MV} -f ${WRKDIR}/BN_print.3 ${DESTDIR}${PREFIX}/${PKGMANDIR}/man3
-.else
-PLIST.notmac=  yes
-.endif
+       cd ${DESTDIR}${PREFIX}/${PKGMANDIR}/man1;                       \
+       for f in openssl-*; do                                          \
+               ${RM} -f $${f};                                         \
+               ${MV} `${ECHO} $${f} | ${SED} -e 's/openssl-//'` $${f}; \
+       done
 
 .include "../../mk/dlopen.buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
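Review bot: the post-install loop deletes each openssl-* page with `${RM} -f` before it has checked that the unprefixed page it is about to `${MV}` into place exists, and the `s/openssl-//` pattern is unanchored; a different upstream man layout would therefore fail only after the prefixed copy is gone. Suggest computing the source first and guarding it, e.g. `g=$$(${ECHO} $${f} | ${SED} -e 's/^openssl-//'); [ -f "$$g" ] || exit 1`, then `${RM} -f $${f}` and `${MV} $$g $${f}`. The SOEXT comment about the package not being updatable from Darwin alone is useful and worth keeping.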
diff -r 857e6de08736 -r 1c8fe2c6233f security/openssl/PLIST.OSF1
--- a/security/openssl/PLIST.OSF1       Thu Jan 16 13:30:17 2020 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,3 +0,0 @@
-@comment $NetBSD: PLIST.OSF1,v 1.1 2013/10/03 11:15:48 joerg Exp $
-lib/libcrypto.so
-lib/libssl.so
diff -r 857e6de08736 -r 1c8fe2c6233f security/openssl/PLIST.common
--- a/security/openssl/PLIST.common     Thu Jan 16 13:30:17 2020 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,1795 +0,0 @@
-@comment $NetBSD: PLIST.common,v 1.34 2019/06/30 22:52:54 sevan Exp $
-bin/c_rehash
-bin/openssl
-include/openssl/aes.h
-include/openssl/asn1.h
-include/openssl/asn1_mac.h
-include/openssl/asn1t.h
-include/openssl/bio.h
-include/openssl/blowfish.h
-include/openssl/bn.h
-include/openssl/buffer.h
-include/openssl/camellia.h
-include/openssl/cast.h
-include/openssl/cmac.h
-include/openssl/cms.h
-include/openssl/comp.h
-include/openssl/conf.h
-include/openssl/conf_api.h
-include/openssl/crypto.h
-include/openssl/des.h
-include/openssl/des_old.h
-include/openssl/dh.h
-include/openssl/dsa.h
-include/openssl/dso.h
-include/openssl/dtls1.h
-include/openssl/e_os2.h
-include/openssl/ebcdic.h
-include/openssl/ec.h
-include/openssl/ecdh.h
-include/openssl/ecdsa.h
-include/openssl/engine.h
-include/openssl/err.h
-include/openssl/evp.h
-include/openssl/hmac.h
-${PLIST.idea}include/openssl/idea.h
-include/openssl/krb5_asn.h
-include/openssl/kssl.h
-include/openssl/lhash.h
-${PLIST.md2}include/openssl/md2.h
-include/openssl/md4.h
-include/openssl/md5.h
-${PLIST.mdc2}include/openssl/mdc2.h
-include/openssl/modes.h
-include/openssl/obj_mac.h
-include/openssl/objects.h
-include/openssl/ocsp.h
-include/openssl/opensslconf.h
-include/openssl/opensslv.h
-include/openssl/ossl_typ.h
-include/openssl/pem.h
-include/openssl/pem2.h
-include/openssl/pkcs12.h
-include/openssl/pkcs7.h
-include/openssl/pqueue.h
-include/openssl/rand.h
-include/openssl/rc2.h
-include/openssl/rc4.h
-${PLIST.rc5}include/openssl/rc5.h
-include/openssl/ripemd.h
-include/openssl/rsa.h
-include/openssl/safestack.h
-include/openssl/seed.h
-include/openssl/sha.h
-include/openssl/srp.h
-include/openssl/srtp.h
-include/openssl/ssl.h
-include/openssl/ssl2.h
-include/openssl/ssl23.h
-include/openssl/ssl3.h
-include/openssl/stack.h
-include/openssl/symhacks.h
-include/openssl/tls1.h
-include/openssl/ts.h
-include/openssl/txt_db.h
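Review bot: the deleted PLIST.common carried option-conditioned entries (${PLIST.idea}, ${PLIST.md2}, ${PLIST.mdc2}, ${PLIST.rc5}) that come from options.mk, which this changeset does not touch; the replacement file list should be regenerated from a 1.1.1d install rather than adapted from this one, since many of the headers listed here (des_old.h, krb5_asn.h, kssl.h, ssl2.h, ssl23.h) are gone in 1.1.x, and each remaining option should be checked to still produce files under 1.1.1d.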


