You've already forked macports-ports
mirror of
https://github.com/macports/macports-ports.git
synced 2026-07-12 18:20:25 -07:00
openssl3: Roll back broken v3.2.0 to v3.1.4 on OS <10.13
Version 3.2.0 has many issues on many older platforms. Adds -devel version to facilitate testing 3.2.0 in such cases. Although the epoch bump is only needed for the rollback cases, making it conditional on the OS version would require that it remain so in the future, so the unconditional epoch bump is preferable. The epoch bump is the only change for macOS >= 10.14. Revbumps the usual suspects. Closes: https://trac.macports.org/ticket/68763 Closes: https://trac.macports.org/ticket/68766 TESTED: Built, tested, and ran "openssl rand -hex 8" on 10.4-10.5 ppc, 10.4-10.6 i386, 10.5-10.15 x86_64, and 11.x-14.x arm64 The 3.1.4 version builds for all relevant platforms, and passes its tests on all but 10.6-10.8. The 3.2.0 -devel version builds for all but 10.4, failing its tests on 10.5-10.9 and 10.13 universal. The 3.2.0 version fails its tests on 10.14 and 14.x. The non-devel versions all pass "openssl rand".
This commit is contained in:
committed by
Clemens Lang
parent
45c1164c83
commit
dbf4acd621
@@ -6,7 +6,7 @@ PortGroup openssl 1.0
|
||||
name openssl
|
||||
epoch 2
|
||||
version [openssl::default_branch]
|
||||
revision 15
|
||||
revision 16
|
||||
|
||||
categories devel security
|
||||
platforms darwin
|
||||
|
||||
@@ -10,6 +10,8 @@ legacysupport.newest_darwin_requires_legacy 8
|
||||
|
||||
set major_v 3
|
||||
name openssl$major_v
|
||||
# For rolling back to 3.1.4 release where needed. Must now stay.
|
||||
epoch 1
|
||||
version ${major_v}.2.0
|
||||
revision 0
|
||||
|
||||
@@ -52,6 +54,29 @@ checksums rmd160 88d268dca2256ce7d6db7cd20e54bd936d134dbb \
|
||||
sha256 14c826f07c7e433706fb5c69fa9e25dab95684844b4c962a2cf1bf183eb4690e \
|
||||
size 17698352
|
||||
|
||||
# 3.2.0 is currently broken for OS < 10.14
|
||||
if {${os.platform} eq "darwin" && ${os.major} < 18} {
|
||||
|
||||
subport ${name}-devel {
|
||||
conflicts ${name}
|
||||
}
|
||||
|
||||
if {$subport eq $name} {
|
||||
conflicts ${name}-devel
|
||||
version ${major_v}.1.4
|
||||
revision 1
|
||||
|
||||
distname openssl-${version}
|
||||
|
||||
checksums rmd160 44e8f5368a6f62508b8b83124239bf1ebbba8d18 \
|
||||
sha256 840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3 \
|
||||
size 15569450
|
||||
|
||||
patchfiles ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6.patch
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if {${os.platform} eq "darwin" && ${os.major} < 11} {
|
||||
# Having the stdlib set to libc++ on 10.6 causes a dependency on a
|
||||
# macports-clang compiler to be added, which would be a dep cycle.
|
||||
|
||||
@@ -0,0 +1,174 @@
|
||||
From ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Levitte <levitte@openssl.org>
|
||||
Date: Fri, 20 Oct 2023 09:18:19 +0200
|
||||
Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
|
||||
|
||||
We already check for an excessively large P in DH_generate_key(), but not in
|
||||
DH_check_pub_key(), and none of them check for an excessively large Q.
|
||||
|
||||
This change adds all the missing excessive size checks of P and Q.
|
||||
|
||||
It's to be noted that behaviours surrounding excessively sized P and Q
|
||||
differ. DH_check() raises an error on the excessively sized P, but only
|
||||
sets a flag for the excessively sized Q. This behaviour is mimicked in
|
||||
DH_check_pub_key().
|
||||
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Hugo Landau <hlandau@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/22518)
|
||||
|
||||
Upstream-Stauts: Backport [github.com/openssl/openssl/commit/ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6]
|
||||
---
|
||||
crypto/dh/dh_check.c | 12 ++++++++++++
|
||||
crypto/dh/dh_err.c | 3 ++-
|
||||
crypto/dh/dh_key.c | 12 ++++++++++++
|
||||
crypto/err/openssl.txt | 1 +
|
||||
include/crypto/dherr.h | 2 +-
|
||||
include/openssl/dh.h | 6 +++---
|
||||
include/openssl/dherr.h | 3 ++-
|
||||
7 files changed, 33 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
|
||||
index 7ba2beae7fd6b..e20eb62081c5e 100644
|
||||
--- ./crypto/dh/dh_check.c
|
||||
+++ ./crypto/dh/dh_check.c
|
||||
@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
|
||||
*/
|
||||
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
|
||||
{
|
||||
+ /* Don't do any checks at all with an excessively large modulus */
|
||||
+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
|
||||
+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
|
||||
+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
|
||||
}
|
||||
|
||||
diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
|
||||
index 4152397426cc9..f76ac0dd1463f 100644
|
||||
--- ./crypto/dh/dh_err.c
|
||||
+++ ./crypto/dh/dh_err.c
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
|
||||
"parameter encoding error"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
|
||||
+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
|
||||
{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
|
||||
"unable to check generator"},
|
||||
diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
|
||||
index d84ea99241b9e..afc49f5cdc87d 100644
|
||||
--- ./crypto/dh/dh_key.c
|
||||
+++ ./crypto/dh/dh_key.c
|
||||
@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
||||
goto err;
|
||||
}
|
||||
|
||||
+ if (dh->params.q != NULL
|
||||
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
|
||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
|
||||
return 0;
|
||||
@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
|
||||
return 0;
|
||||
}
|
||||
|
||||
+ if (dh->params.q != NULL
|
||||
+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
|
||||
+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
|
||||
ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
|
||||
return 0;
|
||||
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
|
||||
index a1e6bbb617fcb..69e4f61aa1801 100644
|
||||
--- ./crypto/err/openssl.txt
|
||||
+++ ./crypto/err/openssl.txt
|
||||
@@ -513,6 +513,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
|
||||
DH_R_NO_PRIVATE_VALUE:100:no private value
|
||||
DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
|
||||
DH_R_PEER_KEY_ERROR:111:peer key error
|
||||
+DH_R_Q_TOO_LARGE:130:q too large
|
||||
DH_R_SHARED_INFO_ERROR:113:shared info error
|
||||
DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
|
||||
DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
|
||||
diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
|
||||
index bb24d131eb887..519327f795742 100644
|
||||
--- ./include/crypto/dherr.h
|
||||
+++ ./include/crypto/dherr.h
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
|
||||
index 8bc17448a0817..f1c0ed06b375a 100644
|
||||
--- ./include/openssl/dh.h
|
||||
+++ ./include/openssl/dh.h
|
||||
@@ -144,7 +144,7 @@ DECLARE_ASN1_ITEM(DHparams)
|
||||
# define DH_GENERATOR_3 3
|
||||
# define DH_GENERATOR_5 5
|
||||
|
||||
-/* DH_check error codes */
|
||||
+/* DH_check error codes, some of them shared with DH_check_pub_key */
|
||||
/*
|
||||
* NB: These values must align with the equivalently named macros in
|
||||
* internal/ffc.h.
|
||||
@@ -154,10 +154,10 @@ DECLARE_ASN1_ITEM(DHparams)
|
||||
# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
|
||||
# define DH_NOT_SUITABLE_GENERATOR 0x08
|
||||
# define DH_CHECK_Q_NOT_PRIME 0x10
|
||||
-# define DH_CHECK_INVALID_Q_VALUE 0x20
|
||||
+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
|
||||
# define DH_CHECK_INVALID_J_VALUE 0x40
|
||||
# define DH_MODULUS_TOO_SMALL 0x80
|
||||
-# define DH_MODULUS_TOO_LARGE 0x100
|
||||
+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
|
||||
|
||||
/* DH_check_pub_key error codes */
|
||||
# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
|
||||
diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
|
||||
index 5d2a762a96f8c..074a70145f9f5 100644
|
||||
--- ./include/openssl/dherr.h
|
||||
+++ ./include/openssl/dherr.h
|
||||
@@ -1,6 +1,6 @@
|
||||
/*
|
||||
* Generated by util/mkerr.pl DO NOT EDIT
|
||||
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
|
||||
+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
||||
*
|
||||
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
||||
* this file except in compliance with the License. You can obtain a copy
|
||||
@@ -50,6 +50,7 @@
|
||||
# define DH_R_NO_PRIVATE_VALUE 100
|
||||
# define DH_R_PARAMETER_ENCODING_ERROR 105
|
||||
# define DH_R_PEER_KEY_ERROR 111
|
||||
+# define DH_R_Q_TOO_LARGE 130
|
||||
# define DH_R_SHARED_INFO_ERROR 113
|
||||
# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
|
||||
|
||||
@@ -6,7 +6,7 @@ PortGroup compiler_blacklist_versions 1.0
|
||||
|
||||
name openssh
|
||||
version 9.5p1
|
||||
revision 2
|
||||
revision 3
|
||||
categories net
|
||||
maintainers {@artkiver gmail.com:artkiver} openmaintainer
|
||||
license BSD
|
||||
|
||||
@@ -5,7 +5,7 @@ PortGroup perl5 1.0
|
||||
|
||||
perl5.branches 5.28 5.30 5.32 5.34
|
||||
perl5.setup Net-SSLeay 1.92
|
||||
revision 2
|
||||
revision 3
|
||||
license Artistic-2
|
||||
maintainers nomaintainer
|
||||
description Perl extension for using OpenSSL
|
||||
|
||||
@@ -5,7 +5,7 @@ PortGroup muniversal 1.0
|
||||
|
||||
name freeradius
|
||||
version 3.0.21
|
||||
revision 19
|
||||
revision 20
|
||||
checksums rmd160 04a038b701f19d9c598e826a795a0cdaacd3768b \
|
||||
sha256 c22dad43954b0cbc957564d3f8cbb942ff09853852d2c2155d54e6bd641a4e7d \
|
||||
size 3184588
|
||||
|
||||
Reference in New Issue
Block a user