From nobody Tue Feb 07 19:55:49 2023 X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4PBDQF64htz3ndZ8; Tue, 7 Feb 2023 19:55:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4PBDQF3ztsz4glk; Tue, 7 Feb 2023 19:55:49 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1675799749; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=eWRNRKxTw+cewYaWOrXuHyRCph1GncXNg/wHLldOdas=; b=tuCtZ5MLJT3Zb71DLAgNpei+ndWjnxAYWiHFq4Qn0jwqirsQ9kbI7xxnsZ7qnS5pcbfDo0 BvMfmuipfLN5db8l9prd+QNy/aHrtbrREDs9hjev6UPON+7DUACZPNa+sMMH/qVTKMj/bP WBTwPONU8t8PVwAVuCrK0yEdW9S3+XluThztKNy3kvBiZ/sCP8ReGv8bPERxWbUWGsfZ8k c7M5xK47rzJl9jpyXVphiC5A5Urh8p4JH2sQylV/IG8s2WQds2vgKHCiLjK+bcvm0qO7bO bgs8+ev3fmXbGNPYHPx5RPCTsryo3dQ80imtbNftdYvx0aw8a3ewHDCQ/DjVnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1675799749; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=eWRNRKxTw+cewYaWOrXuHyRCph1GncXNg/wHLldOdas=; b=fPra9fNljwzQymXsF5H6yK+AwcVwdAp9mbDnE/wcjwKVks/tbAXSzdgOpXk0kvAYr4kqsp ZqdgfiPe+VwUDEe/M/x5asqOK1a+Iu7GYEPMQOJIAhdYTbOGlk1NvnkOEnrLeGijVmQk5x vcFZNDzn3UJ/60XPtvNy/FRIiE8jOgr8FXEpwR5cgsQsOyXqLVqsy2gGcm/wOz48cEF5g8 IwisUSQf7xXLUsEQxhC9bOtsQUuhT9z4/6ZRUdexk2fbCJnIr4hn3xsN+rfzE5H4ShV2EF UI4PwDA+FDPQNHe52gEmQrPBK+Az/xCpIbC9MuCjwsechB9dvG/YPxnA//hkqg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1675799749; a=rsa-sha256; cv=none; b=TszMlNxAjHvkDJGdMG0qYWVVPjl5txMb7T8yY3IH4IDIn8GBgmgvkXPQgf/LDX6GkQ6+AR eUKotPiFEPyaZmzRzEbW1PGCIfflrDTAJvQgrOV1UTZwi/xGfm1Kbzga246DQSnmCFAjpd oM9VK9vw9gbcel+NJZCFVAOdB6PmXuRtQLoANMj8LuZjmG37oEtS/Tggcg0WI4YLaMsjvQ chZq64qnlfh00INvTunCUJYxLiSE5i+9IVrtwSZriek4J0Z9jCReP/AE6hTJV1lfHOab/9 DHD5nl2TeIth90hPVYBxuef4ZnBNITFHSXaxq4A1jzv/8ROIinOS/fAqMDPeRQ== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4PBDQF34FtzVB8; Tue, 7 Feb 2023 19:55:49 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 317JtniC007075; Tue, 7 Feb 2023 19:55:49 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 317JtnIX007074; Tue, 7 Feb 2023 19:55:49 GMT (envelope-from git) Date: Tue, 7 Feb 2023 19:55:49 GMT Message-Id: <202302071955.317JtnIX007074@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Bernard Spil Subject: git: bf0a2e5fb12f - main - security/openssl: Security update to 1.1.1t List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: brnrd X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: bf0a2e5fb12f267f3a43c72762dde9417889099f Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch main has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=bf0a2e5fb12f267f3a43c72762dde9417889099f commit bf0a2e5fb12f267f3a43c72762dde9417889099f Author: Bernard Spil AuthorDate: 2023-02-07 19:54:35 +0000 Commit: Bernard Spil CommitDate: 2023-02-07 19:54:35 +0000 security/openssl: Security update to 1.1.1t Security: 648a432c-a71f-11ed-86e9-d4c9ef517024 MFH: 2023Q1 --- security/openssl/Makefile | 2 +- security/openssl/distinfo | 6 ++-- security/openssl/files/extra-patch-ktls | 62 ++++++++++++++++++--------------- 3 files changed, 37 insertions(+), 33 deletions(-) diff --git a/security/openssl/Makefile b/security/openssl/Makefile index 51e83c8b3d32..3c48f10211bb 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -1,5 +1,5 @@ PORTNAME= openssl -PORTVERSION= 1.1.1s +PORTVERSION= 1.1.1t PORTEPOCH= 1 CATEGORIES= security devel MASTER_SITES= https://www.openssl.org/source/ \ diff --git a/security/openssl/distinfo b/security/openssl/distinfo index e8a5cc6a5c33..16117272b3a7 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1667320367 -SHA256 (openssl-1.1.1s.tar.gz) = c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa -SIZE (openssl-1.1.1s.tar.gz) = 9868981 +TIMESTAMP = 1675796483 +SHA256 (openssl-1.1.1t.tar.gz) = 8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b +SIZE (openssl-1.1.1t.tar.gz) = 9881866 diff --git a/security/openssl/files/extra-patch-ktls b/security/openssl/files/extra-patch-ktls index bdbfc2b5b17f..d38a70e779e3 100644 --- a/security/openssl/files/extra-patch-ktls +++ b/security/openssl/files/extra-patch-ktls @@ -1569,7 +1569,7 @@ diff --git ssl/record/rec_layer_s3.c ssl/record/rec_layer_s3.c index 8249b4ace9..1356bd7b7b 100644 --- ssl/record/rec_layer_s3.c +++ ssl/record/rec_layer_s3.c -@@ -268,11 +268,15 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, +@@ -281,11 +281,15 @@ return -1; } @@ -1588,7 +1588,7 @@ index 8249b4ace9..1356bd7b7b 100644 if (max < n) max = n; if (max > rb->len - rb->offset) -@@ -422,6 +426,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, +@@ -435,6 +439,7 @@ len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s)) && s->compress == NULL && s->msg_callback == NULL && !SSL_WRITE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && @@ -1596,7 +1596,7 @@ index 8249b4ace9..1356bd7b7b 100644 EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) { unsigned char aad[13]; -@@ -751,6 +756,19 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -764,6 +769,19 @@ s->s3->empty_fragment_done = 1; } @@ -1616,7 +1616,7 @@ index 8249b4ace9..1356bd7b7b 100644 if (create_empty_fragment) { wb = &s->rlayer.wbuf[0]; #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 -@@ -820,6 +838,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -833,6 +851,8 @@ } } @@ -1625,7 +1625,7 @@ index 8249b4ace9..1356bd7b7b 100644 totlen = 0; /* Clear our SSL3_RECORD structures */ memset(wr, 0, sizeof(wr)); -@@ -861,15 +881,19 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -874,15 +894,19 @@ if (s->compress != NULL) maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD; @@ -1648,7 +1648,7 @@ index 8249b4ace9..1356bd7b7b 100644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); goto err; -@@ -895,15 +919,20 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -908,15 +932,20 @@ goto err; } } else { @@ -1674,7 +1674,7 @@ index 8249b4ace9..1356bd7b7b 100644 && s->enc_write_ctx != NULL && (s->statem.enc_write_state != ENC_WRITE_STATE_WRITE_PLAIN_ALERTS || type != SSL3_RT_ALERT)) { -@@ -959,7 +988,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -972,7 +1001,7 @@ * in the wb->buf */ @@ -1683,11 +1683,13 @@ index 8249b4ace9..1356bd7b7b 100644 unsigned char *mac; if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) -@@ -975,24 +1004,26 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, - * This will be at most one cipher block or the tag length if using - * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case. - */ -- if (!WPACKET_reserve_bytes(thispkt, SSL_RT_MAX_CIPHER_BLOCK_SIZE, +@@ -989,26 +1018,27 @@ + * max encrypted overhead does not need to include an allocation for that + * MAC + */ +- if (!WPACKET_reserve_bytes(thispkt, +- SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD +- - mac_size, - NULL) - /* - * We also need next the amount of bytes written to this @@ -1695,7 +1697,8 @@ index 8249b4ace9..1356bd7b7b 100644 - */ + if (!BIO_get_ktls_send(s->wbio)) { + if (!WPACKET_reserve_bytes(thispkt, -+ SSL_RT_MAX_CIPHER_BLOCK_SIZE, ++ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD ++ - mac_size, + NULL) + /* + * We also need next the amount of bytes written to this @@ -1705,25 +1708,25 @@ index 8249b4ace9..1356bd7b7b 100644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); goto err; +- } + } -+ -+ /* Get a pointer to the start of this record excluding header */ -+ recordstart = WPACKET_get_curr(thispkt) - len; -+ SSL3_RECORD_set_data(thiswr, recordstart); -+ SSL3_RECORD_reset_input(thiswr); -+ SSL3_RECORD_set_length(thiswr, len); - } -- + - /* Get a pointer to the start of this record excluding header */ - recordstart = WPACKET_get_curr(thispkt) - len; - - SSL3_RECORD_set_data(thiswr, recordstart); - SSL3_RECORD_reset_input(thiswr); - SSL3_RECORD_set_length(thiswr, len); ++ /* Get a pointer to the start of this record excluding header */ ++ recordstart = WPACKET_get_curr(thispkt) - len; ++ SSL3_RECORD_set_data(thiswr, recordstart); ++ SSL3_RECORD_reset_input(thiswr); ++ SSL3_RECORD_set_length(thiswr, len); ++ } } if (s->statem.enc_write_state == ENC_WRITE_STATE_WRITE_PLAIN_ALERTS) { -@@ -1008,12 +1039,14 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -1024,12 +1054,14 @@ goto err; } } else { @@ -1743,16 +1746,17 @@ index 8249b4ace9..1356bd7b7b 100644 } } -@@ -1023,13 +1056,17 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -1039,6 +1071,9 @@ thispkt = &pkt[j]; thiswr = &wr[j]; -+ if (BIO_get_ktls_send(s->wbio)) ++ if (BIO_get_ktls_send(s->wbio)) + goto mac_done; + /* Allocate bytes for the encryption overhead */ if (!WPACKET_get_length(thispkt, &origlen) - /* Encryption should never shrink the data! */ + /* Check we allowed enough room for the encryption growth */ +@@ -1048,7 +1083,8 @@ || origlen > thiswr->length || (thiswr->length > origlen && !WPACKET_allocate_bytes(thispkt, @@ -1762,7 +1766,7 @@ index 8249b4ace9..1356bd7b7b 100644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); goto err; -@@ -1074,13 +1111,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -1093,13 +1129,8 @@ goto err; } @@ -1778,7 +1782,7 @@ index 8249b4ace9..1356bd7b7b 100644 if (create_empty_fragment) { /* -@@ -1097,6 +1129,14 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -1116,6 +1147,14 @@ return 1; } @@ -1793,7 +1797,7 @@ index 8249b4ace9..1356bd7b7b 100644 /* now let's set up wb */ SSL3_BUFFER_set_left(&s->rlayer.wbuf[j], prefix_len + SSL3_RECORD_get_length(thiswr)); -@@ -1150,6 +1190,17 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, +@@ -1169,6 +1208,17 @@ clear_sys_error(); if (s->wbio != NULL) { s->rwstate = SSL_WRITING; @@ -1811,7 +1815,7 @@ index 8249b4ace9..1356bd7b7b 100644 /* TODO(size_t): Convert this call */ i = BIO_write(s->wbio, (char *) &(SSL3_BUFFER_get_buf(&wb[currbuf]) -@@ -1162,7 +1213,15 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, +@@ -1181,7 +1231,15 @@ SSL_R_BIO_NOT_SET); i = -1; }