From: Jung-uk Kim
Date: Mon, 02 Jul 2012 13:39:25 -0400
To: freebsd-security@FreeBSD.org
Cc: Ben Laurie, Stanislav Sedov, "Bjoern A. Zeeb"
Subject: [PATCH] Switch to OpenSSL 1.0.1 branch

I have upgraded OpenSSL in the base to 0.9.8x for all supported branches. Now it is time to move *head* to the OpenSSL 1.0.1 branch[1]. Here is the patch to switch OpenSSL from 0.9.8x to 1.0.1c:

http://people.freebsd.org/~jkim/openssl-1.0.1c.diff.bz2

I had to compress it because the patch was too big, unfortunately. :-(

Some notes:

- Configuration is relatively close to what you'd expect when you run the config script with the following options[2]:

  enable-rc5 enable-rfc3779 shared

- MD2 was removed because a) it was deprecated by the OpenSSL team and disabled by default and b) we did the same for libmd.

- Optimized i386 asm files are updated and new files are added. Optimized amd64 asm files are added.

- opensslconf-amd64.h and opensslconf-i386.h are merged into a new opensslconf-x86.h[3].

- A small change to libfetch was necessary to avoid buildworld breakage:

- --- lib/libfetch/common.h +++ lib/libfetch/common.h
@@ -63,7 +63,7 @@ struct fetchconn { SSL *ssl; /* SSL handle */ SSL_CTX *ssl_ctx; /* SSL context */ X509 *ssl_cert; /* server certificate */ - - SSL_METHOD *ssl_meth; /* SSL method */ + const SSL_METHOD *ssl_meth; /* SSL method */ #endif int ref; /* reference count */ };

- Another small change to OpenSSL was necessary to avoid buildworld breakage:

- --- crypto/openssl/ssl/srtp.h +++ crypto/openssl/ssl/srtp.h @@ -135,7 +135,6 @@ SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s); STACK_OF(SRTP_PROTECTION_PROFILE) *SSL_get_srtp_profiles(SSL *ssl); - -SRTP_PROTECTION_PROFILE *SSL_get_selected_srtp_profile(SSL *s); #ifdef __cplusplus }

It was very briefly tested on amd64 (and on i386 chroot).

Cheers,
Jung-uk Kim

1. We have no plan to switch stable branches to 1.0.X.
2. Add "no-asm" for non-x86 platforms. I believe rc5 and rfc3779 were forcefully enabled on FreeBSD for POLA.
3. Very minimal changes were done for non-x86 platforms. They need platform maintainers' attention.
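Review bot: in the lib/libfetch/common.h hunk, the only change is the type of the `ssl_meth` field, and neither the hunk nor the note above it says why the non-const `SSL_METHOD *` stopped compiling against 1.0.1c (presumably the 1.0.x method constructors now return a const pointer); a short comment on that field, or a sentence in the commit message, would spare the next reader a trip through the OpenSSL headers. Since a non-const pointer converts implicitly to `const SSL_METHOD *`, the change remains source-compatible with the 0.9.8x headers, so no version guard is needed.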
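Review bot: the crypto/openssl/ssl/srtp.h hunk deletes a second, identical prototype of `SSL_get_selected_srtp_profile` from a vendored upstream header; that is a local divergence from 1.0.1c that will silently come back on the next vendor import unless it is recorded in the import notes and sent upstream. The note above says only that it "was necessary to avoid buildworld breakage"; since a duplicate prototype is legal C, the commit message should name the warning (presumably a redundant-declaration warning promoted by -Werror) that actually breaks the build, so the reason for carrying the divergence is not lost.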