On Thu, Oct 19, 2017 at 09:51:29AM +0200, Jeremie Courreges-Anglas wrote:
>
> Here's an update to the latest version, tested on amd64. make test
> passes. Some symbols aren't exported any more in all three libraries,
> hence the major bump. Also a patch is needed to build the test suite,
> I took the simple approach. In the end libc may be a better place to
> fix this.
>
> I'd like to push this in before enabling the mbedtls flavor in
> net/openvpn. It looks like some of the changes in this update could
> warrant a backport of some security fixes, I did not investigate this.
> Volunteers welcome.
>
> juanfra, any opinion?
>
> ok?
>
>
> Index: Makefile
> ===================================================================
> RCS file: /d/cvs/ports/security/polarssl/Makefile,v
> retrieving revision 1.17
> diff -u -p -r1.17 Makefile
> --- Makefile 18 Oct 2017 19:11:40 -0000 1.17
> +++ Makefile 19 Oct 2017 07:49:49 -0000
> @@ -2,22 +2,19 @@
>
> COMMENT= SSL library with an intuitive API and readable source code
>
> -DISTNAME= mbedtls-2.2.1
> -REVISION= 1
> +DISTNAME= mbedtls-2.6.0
> EXTRACT_SUFX= -gpl.tgz
>
> # check SOVERSION
> -SHARED_LIBS += mbedtls 2.1
> -SHARED_LIBS += mbedcrypto 0.0 # 2.1
> -SHARED_LIBS += mbedx509 0.0 # 2.1
> +SHARED_LIBS += mbedtls 3.0 # 2.6
> +SHARED_LIBS += mbedcrypto 1.0 # 2.6
> +SHARED_LIBS += mbedx509 1.0 # 2.6
>
> CATEGORIES= security
>
> HOMEPAGE= https://tls.mbed.org/
>
> -# Dual licensed: GPLv2+/Commercial
> -# name changed from PolarSSL to mbed TLS after the ARM acquisition and a
> -# future update will change the license to Apache.
> +# Dual licensed: GPLv2+/Commercial, Apache v2 is available too
> PERMIT_PACKAGE_CDROM= Yes
>
> # libssl/libcrypto are used for polarssl_o_p_test only
> Index: distinfo
> ===================================================================
> RCS file: /d/cvs/ports/security/polarssl/distinfo,v
> retrieving revision 1.10
> diff -u -p -r1.10 distinfo
> --- distinfo 6 Jan 2016 10:59:59 -0000 1.10
> +++ distinfo 19 Oct 2017 07:32:44 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (mbedtls-2.2.1-gpl.tgz) = uxv/o6xasUO+Kq49RaepKzYRKIjvRlAk2Dckhl/mKXQ=
> -SIZE (mbedtls-2.2.1-gpl.tgz) = 1848038
> +SHA256 (mbedtls-2.6.0-gpl.tgz) = qZlZ1zYN7yL5EI0tSHyd44T+dsNJaXF2sfIjcAgNWBA=
> +SIZE (mbedtls-2.6.0-gpl.tgz) = 1958070
> Index: patches/patch-CMakeLists_txt
> ===================================================================
> RCS file: /d/cvs/ports/security/polarssl/patches/patch-CMakeLists_txt,v
> retrieving revision 1.4
> diff -u -p -r1.4 patch-CMakeLists_txt
> --- patches/patch-CMakeLists_txt 12 Sep 2015 20:30:00 -0000 1.4
> +++ patches/patch-CMakeLists_txt 19 Oct 2017 07:32:44 -0000
> @@ -1,7 +1,8 @@
> $OpenBSD: patch-CMakeLists_txt,v 1.4 2015/09/12 20:30:00 sthen Exp $
> ---- CMakeLists.txt.orig Fri Sep 4 13:38:26 2015
> -+++ CMakeLists.txt Tue Sep 8 20:19:54 2015
> -@@ -32,7 +32,6 @@ if(CMAKE_COMPILER_IS_GNUCC)
> +Index: CMakeLists.txt
> +--- CMakeLists.txt.orig
> ++++ CMakeLists.txt
> +@@ -70,7 +70,6 @@ if(CMAKE_COMPILER_IS_GNUCC)
> if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8)
> set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
> endif()
> @@ -9,7 +10,7 @@ $OpenBSD: patch-CMakeLists_txt,v 1.4 201
> set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
> set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
> set(CMAKE_C_FLAGS_ASAN "-Werror -fsanitize=address -fno-common
> -O3")
> -@@ -43,7 +42,6 @@ endif(CMAKE_COMPILER_IS_GNUCC)
> +@@ -81,7 +80,6 @@ endif(CMAKE_COMPILER_IS_GNUCC)
>
> if(CMAKE_COMPILER_IS_CLANG)
> set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W
> -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith
> -Wimplicit-fallthrough -Wshadow")
> Index: patches/patch-include_mbedtls_config_h
> ===================================================================
> RCS file:
> /d/cvs/ports/security/polarssl/patches/patch-include_mbedtls_config_h,v
> retrieving revision 1.1
> diff -u -p -r1.1 patch-include_mbedtls_config_h
> --- patches/patch-include_mbedtls_config_h 27 Aug 2016 07:46:50 -0000
> 1.1
> +++ patches/patch-include_mbedtls_config_h 19 Oct 2017 07:32:44 -0000
> @@ -3,9 +3,10 @@ $OpenBSD: patch-include_mbedtls_config_h
> MBEDTLS_THREADING_PTHREAD and MBEDTLS_THREADING_C are required by
> www/hiawatha.
>
> ---- include/mbedtls/config.h.orig Sat Aug 27 03:17:22 2016
> -+++ include/mbedtls/config.h Sat Aug 27 03:18:03 2016
> -@@ -1246,7 +1246,7 @@
> +Index: include/mbedtls/config.h
> +--- include/mbedtls/config.h.orig
> ++++ include/mbedtls/config.h
> +@@ -1385,7 +1385,7 @@
> *
> * Uncomment this to enable pthread mutexes.
> */
> @@ -14,7 +15,7 @@ www/hiawatha.
>
> /**
> * \def MBEDTLS_VERSION_FEATURES
> -@@ -2261,7 +2261,7 @@
> +@@ -2423,7 +2423,7 @@
> *
> * Enable this layer to allow use of mutexes within mbed TLS
> */
> Index: patches/patch-tests_suites_main_test_function
> ===================================================================
> RCS file: patches/patch-tests_suites_main_test_function
> diff -N patches/patch-tests_suites_main_test_function
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-tests_suites_main_test_function 19 Oct 2017 07:37:09
> -0000
> @@ -0,0 +1,40 @@
> +$OpenBSD$
> +
> +XXX can't take the address of stdout
> +
> +Index: tests/suites/main_test.function
> +--- tests/suites/main_test.function.orig
> ++++ tests/suites/main_test.function
> +@@ -401,32 +401,7 @@ int main(int argc, const char *argv[])
> + if( unmet_dep_count == 0 )
> + {
> + test_errors = 0;
> +-
> +-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
> +- /* Suppress all output from the library unless we're verbose
> +- * mode
> +- */
> +- if( !option_verbose )
> +- {
> +- stdout_fd = redirect_output( &stdout, "/dev/null" );
> +- if( stdout_fd == -1 )
> +- {
> +- /* Redirection has failed with no stdout so exit */
> +- exit( 1 );
> +- }
> +- }
> +-#endif /* __unix__ || __APPLE__ __MACH__ */
> +-
> + ret = dispatch_test( cnt, params );
> +-
> +-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
> +- if( !option_verbose && restore_output( &stdout, stdout_fd )
> )
> +- {
> +- /* Redirection has failed with no stdout so exit */
> +- exit( 1 );
> +- }
> +-#endif /* __unix__ || __APPLE__ __MACH__ */
> +-
> + }
> +
> + if( unmet_dep_count > 0 || ret == DISPATCH_UNSUPPORTED_SUITE )
> Index: pkg/PLIST
> ===================================================================
> RCS file: /d/cvs/ports/security/polarssl/pkg/PLIST,v
> retrieving revision 1.9
> diff -u -p -r1.9 PLIST
> --- pkg/PLIST 11 Nov 2015 21:01:44 -0000 1.9
> +++ pkg/PLIST 19 Oct 2017 07:32:44 -0000
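Review bot: The patch comment `XXX can't take the address of stdout` in patches/patch-tests_suites_main_test_function does not say what the patch gives up: it removes both `redirect_output( &stdout, "/dev/null" )` and the matching `restore_output( &stdout, stdout_fd )` around `dispatch_test( cnt, params )`, so library output is no longer suppressed in non-verbose test runs. I would expand the comment to something like `redirect_output()/restore_output() need &stdout, which does not build here; drop the redirection, so test output is no longer silenced when not verbose`. The enclosing `main` starts and ends outside the hunk, so whether `stdout_fd` and the two helpers are still referenced elsewhere (and would otherwise produce unused warnings) cannot be seen from here. The same hunk is repeated unchanged in the follow-up diff further down.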
> @@ -16,6 +16,7 @@ include/mbedtls/certs.h
> include/mbedtls/check_config.h
> include/mbedtls/cipher.h
> include/mbedtls/cipher_internal.h
> +include/mbedtls/cmac.h
> include/mbedtls/compat-1.3.h
> include/mbedtls/config.h
> include/mbedtls/ctr_drbg.h
> @@ -26,6 +27,7 @@ include/mbedtls/ecdh.h
> include/mbedtls/ecdsa.h
> include/mbedtls/ecjpake.h
> include/mbedtls/ecp.h
> +include/mbedtls/ecp_internal.h
> include/mbedtls/entropy.h
> include/mbedtls/entropy_poll.h
> include/mbedtls/error.h
> @@ -39,6 +41,7 @@ include/mbedtls/md5.h
> include/mbedtls/md_internal.h
> include/mbedtls/memory_buffer_alloc.h
> include/mbedtls/net.h
> +include/mbedtls/net_sockets.h
> include/mbedtls/oid.h
> include/mbedtls/padlock.h
> include/mbedtls/pem.h
> @@ -48,6 +51,7 @@ include/mbedtls/pkcs11.h
> include/mbedtls/pkcs12.h
> include/mbedtls/pkcs5.h
> include/mbedtls/platform.h
> +include/mbedtls/platform_time.h
> include/mbedtls/ripemd160.h
> include/mbedtls/rsa.h
> include/mbedtls/sha1.h
Works fine with hiawatha configured for https. Here is a new diff with a little change in CMakeLists.txt. The port was building with -O0. OK juanfra@. Thanks for the update.
diff -r 68e9b0250db7 Makefile
--- Makefile Fri Oct 20 13:48:09 2017 +0000
+++ Makefile Fri Oct 20 23:10:33 2017 +0200
@@ -2,22 +2,19 @@
 COMMENT= SSL library with an intuitive API and readable source code
-DISTNAME= mbedtls-2.2.1
-REVISION= 1
+DISTNAME= mbedtls-2.6.0
 EXTRACT_SUFX= -gpl.tgz
 # check SOVERSION
-SHARED_LIBS += mbedtls 2.1
-SHARED_LIBS += mbedcrypto 0.0 # 2.1
-SHARED_LIBS += mbedx509 0.0 # 2.1
+SHARED_LIBS += mbedtls 3.0 # 2.6
+SHARED_LIBS += mbedcrypto 1.0 # 2.6
+SHARED_LIBS += mbedx509 1.0 # 2.6
 CATEGORIES= security
 HOMEPAGE= https://tls.mbed.org/
-# Dual licensed: GPLv2+/Commercial
-# name changed from PolarSSL to mbed TLS after the ARM acquisition and a
-# future update will change the license to Apache.
+# Dual licensed: GPLv2+/Commercial, Apache v2 is available too
 PERMIT_PACKAGE_CDROM= Yes
 # libssl/libcrypto are used for polarssl_o_p_test only
diff -r 68e9b0250db7 distinfo
--- distinfo Fri Oct 20 13:48:09 2017 +0000
+++ distinfo Fri Oct 20 23:10:33 2017 +0200
@@ -1,2 +1,2 @@
-SHA256 (mbedtls-2.2.1-gpl.tgz) = uxv/o6xasUO+Kq49RaepKzYRKIjvRlAk2Dckhl/mKXQ=
-SIZE (mbedtls-2.2.1-gpl.tgz) = 1848038
+SHA256 (mbedtls-2.6.0-gpl.tgz) = qZlZ1zYN7yL5EI0tSHyd44T+dsNJaXF2sfIjcAgNWBA=
+SIZE (mbedtls-2.6.0-gpl.tgz) = 1958070
diff -r 68e9b0250db7 patches/patch-CMakeLists_txt
--- patches/patch-CMakeLists_txt Fri Oct 20 13:48:09 2017 +0000
+++ patches/patch-CMakeLists_txt Fri Oct 20 23:10:33 2017 +0200
@@ -1,19 +1,22 @@
 $OpenBSD: patch-CMakeLists_txt,v 1.4 2015/09/12 20:30:00 sthen Exp $
---- CMakeLists.txt.orig Fri Sep 4 13:38:26 2015
-+++ CMakeLists.txt Tue Sep 8 20:19:54 2015
-@@ -32,7 +32,6 @@ if(CMAKE_COMPILER_IS_GNUCC)
+Index: CMakeLists.txt
+--- CMakeLists.txt.orig
++++ CMakeLists.txt
+@@ -70,8 +70,6 @@ if(CMAKE_COMPILER_IS_GNUCC)
 if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8)
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow")
 endif()
 - set(CMAKE_C_FLAGS_RELEASE "-O2")
- set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
+- set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
 set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
 set(CMAKE_C_FLAGS_ASAN "-Werror -fsanitize=address -fno-common -O3")
-@@ -43,7 +42,6 @@ endif(CMAKE_COMPILER_IS_GNUCC)
+ set(CMAKE_C_FLAGS_ASANDBG "-Werror -fsanitize=address -fno-common -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
+@@ -81,8 +79,6 @@ endif(CMAKE_COMPILER_IS_GNUCC)
 if(CMAKE_COMPILER_IS_CLANG)
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow")
 - set(CMAKE_C_FLAGS_RELEASE "-O2")
- set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
+- set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")
 set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
 set(CMAKE_C_FLAGS_ASAN "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover -O3")
+ set(CMAKE_C_FLAGS_ASANDBG "-Werror -fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls ")
diff -r 68e9b0250db7 patches/patch-include_mbedtls_config_h
--- patches/patch-include_mbedtls_config_h Fri Oct 20 13:48:09 2017 +0000
+++ patches/patch-include_mbedtls_config_h Fri Oct 20 23:10:33 2017 +0200
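Review bot: patches/patch-CMakeLists_txt carries no explanation of its own, unlike the other two patches in this update. The refreshed inner hunks `@@ -70,8 +70,6 @@` and `@@ -81,8 +79,6 @@` now delete `set(CMAKE_C_FLAGS_DEBUG "-O0 -g3")` as well as `set(CMAKE_C_FLAGS_RELEASE "-O2")`, in both the GNUCC and the CLANG branch. I would add a line under the `$OpenBSD` tag such as `Do not override optimization flags; honour the CFLAGS passed in by the ports framework.` — presumably that is the intent, since which build type the port selects is not visible in this diff. The COVERAGE, ASAN and ASANDBG settings stay hard-coded, which is only harmless as long as the package is never built with one of those build types.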
@@ -3,9 +3,10 @@
 MBEDTLS_THREADING_PTHREAD and MBEDTLS_THREADING_C are required by
 www/hiawatha.
---- include/mbedtls/config.h.orig Sat Aug 27 03:17:22 2016
-+++ include/mbedtls/config.h Sat Aug 27 03:18:03 2016
-@@ -1246,7 +1246,7 @@
+Index: include/mbedtls/config.h
+--- include/mbedtls/config.h.orig
++++ include/mbedtls/config.h
+@@ -1385,7 +1385,7 @@
 *
 * Uncomment this to enable pthread mutexes.
 */
@@ -14,7 +15,7 @@
 /**
 * \def MBEDTLS_VERSION_FEATURES
-@@ -2261,7 +2261,7 @@
+@@ -2423,7 +2423,7 @@
 *
 * Enable this layer to allow use of mutexes within mbed TLS
 */
diff -r 68e9b0250db7 patches/patch-tests_suites_main_test_function
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ patches/patch-tests_suites_main_test_function Fri Oct 20 23:10:33 2017 +0200
@@ -0,0 +1,40 @@
+$OpenBSD$
+
+XXX can't take the address of stdout
+
+Index: tests/suites/main_test.function
+--- tests/suites/main_test.function.orig
++++ tests/suites/main_test.function
+@@ -401,32 +401,7 @@ int main(int argc, const char *argv[])
+ if( unmet_dep_count == 0 )
+ {
+ test_errors = 0;
+-
+-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
+- /* Suppress all output from the library unless we're verbose
+- * mode
+- */
+- if( !option_verbose )
+- {
+- stdout_fd = redirect_output( &stdout, "/dev/null" );
+- if( stdout_fd == -1 )
+- {
+- /* Redirection has failed with no stdout so exit */
+- exit( 1 );
+- }
+- }
+-#endif /* __unix__ || __APPLE__ __MACH__ */
+-
+ ret = dispatch_test( cnt, params );
+-
+-#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
+- if( !option_verbose && restore_output( &stdout, stdout_fd ) )
+- {
+- /* Redirection has failed with no stdout so exit */
+- exit( 1 );
+- }
+-#endif /* __unix__ || __APPLE__ __MACH__ */
+-
+ }
+
+ if( unmet_dep_count > 0 || ret == DISPATCH_UNSUPPORTED_SUITE )
diff -r 68e9b0250db7 pkg/PLIST
--- pkg/PLIST Fri Oct 20 13:48:09 2017 +0000
+++ pkg/PLIST Fri Oct 20 23:10:33 2017 +0200
@@ -16,6 +16,7 @@
 include/mbedtls/check_config.h
 include/mbedtls/cipher.h
 include/mbedtls/cipher_internal.h
+include/mbedtls/cmac.h
 include/mbedtls/compat-1.3.h
 include/mbedtls/config.h
 include/mbedtls/ctr_drbg.h
@@ -26,6 +27,7 @@
 include/mbedtls/ecdsa.h
 include/mbedtls/ecjpake.h
 include/mbedtls/ecp.h
+include/mbedtls/ecp_internal.h
 include/mbedtls/entropy.h
 include/mbedtls/entropy_poll.h
 include/mbedtls/error.h
@@ -39,6 +41,7 @@
 include/mbedtls/md_internal.h
 include/mbedtls/memory_buffer_alloc.h
 include/mbedtls/net.h
+include/mbedtls/net_sockets.h
 include/mbedtls/oid.h
 include/mbedtls/padlock.h
 include/mbedtls/pem.h
@@ -48,6 +51,7 @@
 include/mbedtls/pkcs12.h
 include/mbedtls/pkcs5.h
 include/mbedtls/platform.h
+include/mbedtls/platform_time.h
 include/mbedtls/ripemd160.h
 include/mbedtls/rsa.h
 include/mbedtls/sha1.h