pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/security/libressl Updated libressl to 2.5.0.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/6555e10194a3
branches:  trunk
changeset: 353395:6555e10194a3
user:      wiz <wiz%pkgsrc.org@localhost>
date:      Tue Oct 04 11:39:23 2016 +0000

description:
Updated libressl to 2.5.0.

2.5.0 - New APIs, bug fixes and improvements

        * libtls now supports ALPN and SNI

        * libtls adds a new callback interface for integrating custom IO
          functions. Thanks to Tobias Pape.

        * libtls now handles 4 cipher suite groups:
            "secure" (TLSv1.2+AEAD+PFS)
            "compat" (HIGH:!aNULL)
            "legacy" (HIGH:MEDIUM:!aNULL)
            "insecure" (ALL:!aNULL:!eNULL)

            This allows for flexibility and finer grained control, rather than
            having two extremes (an issue raised by Marko Kreen some time ago).

        * Tightened error handling for tls_config_set_ciphers().

        * libtls now always loads CA, key and certificate files at the time the
          configuration function is called. This simplifies code and results in
          a single memory based code path being used to provide data to libssl.

        * Add support for OCSP intermediate certificates.

        * Added functions used by stunnel and exim from BoringSSL - this
          brings in X509_check_host, X509_check_email, X509_check_ip, and
          X509_check_ip_asc.

        * Added initial support for iOS, thanks to Jacob Berkman.

        * Improved behavior of arc4random on Windows when using memory leak
          analysis software.

        * Correctly handle an EOF that occurs prior to the TLS handshake
          completing. Reported by Vasily Kolobkov, based on a diff from Marko
          Kreen.

        * Limit the support of the "backward compatible" ssl2 handshake to
          only be used if TLS 1.0 is enabled.

        * Fix incorrect results in certain cases on 64-bit systems when
          BN_mod_word() can return incorrect results. BN_mod_word() now can
          return an error condition. Thanks to Brian Smith.

        * Added constant-time updates to address CVE-2016-0702

        * Fixed undefined behavior in BN_GF2m_mod_arr()

        * Removed unused Cryptographic Message Support (CMS)

        * More conversions of long long idioms to time_t

        * Improved compatibility by avoiding printing NULL strings with
          printf.

        * Reverted change that cleans up the EVP cipher context in
          EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
          previous behaviour.

        * Avoid unbounded memory growth in libssl, which can be triggered by a
          TLS client repeatedly renegotiating and sending OCSP Status Request
          TLS extensions.

        * Avoid falling back to a weak digest for (EC)DH when using SNI with
          libssl.

2.4.2 - Bug fixes and improvements

        * Fixed loading default certificate locations with openssl s_client.

        * Ensured OSCP only uses and compares GENERALIZEDTIME values as per
          RFC6960. Also added fixes for OCSP to work with intermediate
          certificates provided in responses.

        * Improved behavior of arc4random on Windows to not appear to leak
          memory in debug tools, reduced privileges of allocated memory.

        * Fixed incorrect results from BN_mod_word() when the modulus is too
          large, thanks to Brian Smith from BoringSSL.

        * Correctly handle an EOF prior to completing the TLS handshake in
          libtls.

        * Improved libtls ceritificate loading and cipher string validation.

        * Updated libtls cipher group suites into four categories:
            "secure"   (TLSv1.2+AEAD+PFS)
            "compat"   (HIGH:!aNULL)
            "legacy"   (HIGH:MEDIUM:!aNULL)
            "insecure" (ALL:!aNULL:!eNULL)
          This allows for flexibility and finer grained control, rather than
          having two extremes.

        * Limited support for 'backward compatible' SSLv2 handshake packets to
          when TLS 1.0 is enabled, providing more restricted compatibility
          with TLS 1.0 clients.

        * openssl(1) and other documentation improvements.

        * Removed flags for disabling constant-time operations.
          This removes support for DSA_FLAG_NO_EXP_CONSTTIME,
          DH_FLAG_NO_EXP_CONSTTIME, and RSA_FLAG_NO_CONSTTIME flags, making
          all of these operations unconditionally constant-time.


2.4.1 - Security fix

        * Correct a problem that prevents the DSA signing algorithm from
          running in constant time even if the flag BN_FLG_CONSTTIME is set.
          This issue was reported by Cesar Pereida (Aalto University), Billy
          Brumley (Tampere University of Technology), and Yuval Yarom (The
          University of Adelaide and NICTA). The fix was developed by Cesar
          Pereida.

2.4.0 - Build improvements, new features

        * Many improvements to the CMake build infrastructure, including
          Solaris, mingw-w64, Cygwin, and HP-UX support. Thanks to Kinichiro
          Inoguchi for this work.

        * Added missing error handling around bn_wexpand() calls.

        * Added explicit_bzero calls for freed ASN.1 objects.

        * Fixed X509_*set_object functions to return 0 on allocation failure.

        * Implemented the IETF ChaCha20-Poly1305 cipher suites.

        * Changed default EVP_aead_chacha20_poly1305() implementation to the
          IETF version, which is now the default.

        * Fixed password prompts from openssl(1) to properly handle ^C.

        * Reworked error handling in libtls so that configuration errors are
          visible.

        * Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.

        * Manpage fixes and updates

diffstat:

 security/libressl/Makefile |   5 +++--
 security/libressl/PLIST    |  28 +++-------------------------
 security/libressl/distinfo |  10 +++++-----
 3 files changed, 11 insertions(+), 32 deletions(-)

diffs (127 lines):

diff -r a0008bb87e27 -r 6555e10194a3 security/libressl/Makefile
--- a/security/libressl/Makefile        Tue Oct 04 11:05:17 2016 +0000
+++ b/security/libressl/Makefile        Tue Oct 04 11:39:23 2016 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.8 2016/09/27 21:26:05 maya Exp $
+# $NetBSD: Makefile,v 1.9 2016/10/04 11:39:23 wiz Exp $
 
-DISTNAME=      libressl-2.3.8
+DISTNAME=      libressl-2.5.0
 CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_OPENBSD:=LibreSSL/}
 
@@ -42,6 +42,7 @@
 .include "../../mk/bsd.prefs.mk"
 
 .if ${OPSYS} != "Darwin"
+# bn_print(3) and BN_print(3) conflict on case-insensitive file system
 PLIST.man=     yes
 .endif
 
diff -r a0008bb87e27 -r 6555e10194a3 security/libressl/PLIST
--- a/security/libressl/PLIST   Tue Oct 04 11:05:17 2016 +0000
+++ b/security/libressl/PLIST   Tue Oct 04 11:39:23 2016 +0000
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.5 2016/07/03 13:46:06 wiz Exp $
+@comment $NetBSD: PLIST,v 1.6 2016/10/04 11:39:23 wiz Exp $
 lib/pkgconfig/libcrypto.pc
 lib/pkgconfig/libssl.pc
 lib/pkgconfig/libtls.pc
@@ -16,7 +16,6 @@
 libressl/include/openssl/cast.h
 libressl/include/openssl/chacha.h
 libressl/include/openssl/cmac.h
-libressl/include/openssl/cms.h
 libressl/include/openssl/comp.h
 libressl/include/openssl/conf.h
 libressl/include/openssl/conf_api.h
@@ -162,7 +161,6 @@
 libressl/man/man3/BIO_make_bio_pair.3
 libressl/man/man3/BIO_method_type.3
 libressl/man/man3/BIO_new.3
-libressl/man/man3/BIO_new_CMS.3
 libressl/man/man3/BIO_new_accept.3
 libressl/man/man3/BIO_new_bio_pair.3
 libressl/man/man3/BIO_new_buffer_ssl_connect.3
@@ -323,7 +321,7 @@
 libressl/man/man3/BN_num_bits_word.3
 libressl/man/man3/BN_num_bytes.3
 libressl/man/man3/BN_one.3
-${PLIST.man}libressl/man/man3/BN_print.3
+libressl/man/man3/BN_print.3
 libressl/man/man3/BN_print_fp.3
 libressl/man/man3/BN_pseudo_rand.3
 libressl/man/man3/BN_pseudo_rand_range.3
@@ -345,22 +343,6 @@
 libressl/man/man3/BUF_MEM_grow.3
 libressl/man/man3/BUF_MEM_new.3
 libressl/man/man3/BUF_strdup.3
-libressl/man/man3/CMS_add0_cert.3
-libressl/man/man3/CMS_add1_recipient_cert.3
-libressl/man/man3/CMS_add1_signer.3
-libressl/man/man3/CMS_compress.3
-libressl/man/man3/CMS_decrypt.3
-libressl/man/man3/CMS_encrypt.3
-libressl/man/man3/CMS_final.3
-libressl/man/man3/CMS_get0_RecipientInfos.3
-libressl/man/man3/CMS_get0_SignerInfos.3
-libressl/man/man3/CMS_get0_type.3
-libressl/man/man3/CMS_get1_ReceiptRequest.3
-libressl/man/man3/CMS_sign.3
-libressl/man/man3/CMS_sign_receipt.3
-libressl/man/man3/CMS_uncompress.3
-libressl/man/man3/CMS_verify.3
-libressl/man/man3/CMS_verify_receipt.3
 libressl/man/man3/CONF_modules_finish.3
 libressl/man/man3/CONF_modules_free.3
 libressl/man/man3/CONF_modules_load.3
@@ -941,7 +923,6 @@
 libressl/man/man3/PEM_write_X509_CRL.3
 libressl/man/man3/PEM_write_X509_REQ.3
 libressl/man/man3/PEM_write_X509_REQ_NEW.3
-libressl/man/man3/PEM_write_bio_CMS_stream.3
 libressl/man/man3/PEM_write_bio_DHparams.3
 libressl/man/man3/PEM_write_bio_DSAPrivateKey.3
 libressl/man/man3/PEM_write_bio_DSA_PUBKEY.3
@@ -1035,9 +1016,7 @@
 libressl/man/man3/SHA1_Final.3
 libressl/man/man3/SHA1_Init.3
 libressl/man/man3/SHA1_Update.3
-libressl/man/man3/SMIME_read_CMS.3
 libressl/man/man3/SMIME_read_PKCS7.3
-libressl/man/man3/SMIME_write_CMS.3
 libressl/man/man3/SMIME_write_PKCS7.3
 libressl/man/man3/SSL_CIPHER_description.3
 libressl/man/man3/SSL_CIPHER_get_bits.3
@@ -1378,7 +1357,7 @@
 libressl/man/man3/bn_mul_part_recursive.3
 libressl/man/man3/bn_mul_recursive.3
 libressl/man/man3/bn_mul_words.3
-libressl/man/man3/bn_print.3
+${PLIST.man}libressl/man/man3/bn_print.3
 libressl/man/man3/bn_set_high.3
 libressl/man/man3/bn_set_low.3
 libressl/man/man3/bn_set_max.3
@@ -1442,7 +1421,6 @@
 libressl/man/man3/evp.3
 libressl/man/man3/get_session_cb.3
 libressl/man/man3/i2d_ASN1_OBJECT.3
-libressl/man/man3/i2d_CMS_bio_stream.3
 libressl/man/man3/i2d_DHparams.3
 libressl/man/man3/i2d_DSAPrivateKey.3
 libressl/man/man3/i2d_DSAPublicKey.3
diff -r a0008bb87e27 -r 6555e10194a3 security/libressl/distinfo
--- a/security/libressl/distinfo        Tue Oct 04 11:05:17 2016 +0000
+++ b/security/libressl/distinfo        Tue Oct 04 11:39:23 2016 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.5 2016/09/27 21:26:05 maya Exp $
+$NetBSD: distinfo,v 1.6 2016/10/04 11:39:23 wiz Exp $
 
-SHA1 (libressl-2.3.8.tar.gz) = cc2d55b5011855db6a603a180c43eb51bb370245
-RMD160 (libressl-2.3.8.tar.gz) = f9d50018270366f3979b7f481cb166b9e65de3c6
-SHA512 (libressl-2.3.8.tar.gz) = 5cd99e740894afffa6803087dde4e4207e035bf6f440904fcd4439ca1f63f22bdfe367423b2e95264bef06d1a0f929526d90e623864d0f7e99250a4f825bf282
-Size (libressl-2.3.8.tar.gz) = 3013999 bytes
+SHA1 (libressl-2.5.0.tar.gz) = e103ed6dc366060c5104bad15270cf7a1b9b9bc4
+RMD160 (libressl-2.5.0.tar.gz) = a3e63495c8ae20f920fba9f2ffa323e2c609e6d6
+SHA512 (libressl-2.5.0.tar.gz) = 6372b27f1696e957389646a05b0572ad6936443b34fee0e57153b063831e00318fa1b434e3e0369f0c3df872e15ad3bee2f85db0851021444612f2a6f266a332
+Size (libressl-2.5.0.tar.gz) = 3012855 bytes



Home | Main Index | Thread Index | Old Index