Opened 3 years ago

Closed 3 years ago

#63615 closed update (fixed)

libressl: update to 3.4.2

Reported by: artkiver (グレェ)
Owned by: jeremyhu (Jeremy Huddleston Sequoia)
Priority: Normal
Milestone:
Component: ports
Version:
Keywords:
Cc:
Port: libressl

Description (last modified by ryandesign (Ryan Carsten Schmidt))

Hello!

It appears as if the MacPorts LibreSSL port is at version 3.2.3. While https://ports.macports.org/port/libressl/details/ shows a yellow exclamation mark which reads "libressl seems to have been updated (port version 3.2.3 new version: 3.4.0)" the current version on libressl.org is 3.3.5 so I am not really sure where the MacPorts version drift yellow exclamation mark is referencing as I cannot corroborate a version 3.4.0 having been released.

However, 3.3.5 addresses the following two fixes (quoted from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.5-relnotes.txt):

  • A stack overread could occur when checking X.509 name constraints. From GoldBinocle on GitHub.
  • Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier. This compensates for the expiry of the DST Root X3 certificate.

In particular, the latter issue seems to impact some Let's Encrypt users and rectifies a bug which had been in OpenSSL which was fixed circa 2018 that LibreSSL developers apparently overlooked since their project forked approximately four years earlier. Anecdotally, GNUTLS also apparently had a similar bug.

I have tested building LibreSSL with 3.3.5 by changing the version number in the portfile as well as updating the checksums per the instructions outlined here: https://guide.macports.org/chunked/development.creating-portfile.html and it seems to have built cleanly using the newer source tarball!

# uname -a
Darwin enbie132020enuan.local 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:20 PDT 2021; root:xnu-7195.141.6~3/RELEASE_ARM64_T8101 arm64

# openssl version
LibreSSL 3.3.5

# which openssl
/opt/local/bin/openssl

For reference, the checksums I derived were as follows:

checksums           rmd160  76cd468b68ba63b108af9750777b37617da20605 \
                    sha256 0a51393f0df1cf27e070054a2788a4d073339f363d79cd594076a1b4c48be9a5

Though undoubtedly, the port maintainer should verify those independently.

I guess I also removed the line for the size of the tar.gz since I wasn't entirely sure how MacPorts calculates that, but the port seemed to build OK without that information in the Portfile.

At least from my vantage, this appears as if it is a pretty easy version update, with minimal effort required by the port maintainer, though doubtlessly there may have been some things I overlooked. I couldn't help but notice MacPorts also has a libressl-devel port which is even further behind the main LibreSSL port at version 2.9.2, though I suppose that is still a more recent LibreSSL than the version which ships with Big Sur 11.6 (namely, 2.8.3).

I also noticed that Homebrew has updated their LibreSSL port to 3.3.5, so my guess is for those who really need it, they should be able to find workarounds as I did manually. Nonetheless, I thought I would open a Trac ticket to formalize the version skew/drift a bit more.

Thank you in advance for rectifying this!
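The procedure the report describes (bump the version, regenerate the checksums, and keep the distfile size that ryandesign later asks for) is the point at which a downloaded tarball is either verified or trusted blindly. The following shell script is an added example, not code from the ticket or from the MacPorts project: it derives the rmd160, sha256 and size values a Portfile `checksums` line carries and checks a distfile against values copied from a Portfile. The file it builds at the end is a constructed stand-in, not a LibreSSL tarball, and the expected values in the call are that stand-in's, not LibreSSL's.

```shell
#!/bin/sh
# Added example, not code from the ticket or from MacPorts: derive the three
# values a Portfile `checksums` line carries (rmd160, sha256, size) for a
# downloaded distfile, and check a distfile against values copied from a
# Portfile before trusting it. The sample file built at the bottom is
# constructed for the demonstration; it is not a LibreSSL tarball.
set -e

# Size in bytes; `wc -c` avoids the GNU-vs-BSD `stat` flag difference.
distfile_size() {
    wc -c < "$1" | tr -d ' '
}

# sha256 via whichever tool the host provides (macOS: shasum, Linux: sha256sum).
distfile_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# rmd160 via openssl. Some OpenSSL 3.0.x builds keep RIPEMD-160 in the legacy
# provider, so the call can fail; say so instead of emitting a wrong value.
distfile_rmd160() {
    out=$(openssl dgst -rmd160 "$1" 2>/dev/null) || { echo unavailable; return 0; }
    echo "${out##*= }"
}

# Print a checksums stanza in the layout MacPorts Portfiles use.
portfile_checksums() {
    printf 'checksums           rmd160  %s \\\n' "$(distfile_rmd160 "$1")"
    printf '                    sha256  %s \\\n' "$(distfile_sha256 "$1")"
    printf '                    size    %s\n' "$(distfile_size "$1")"
}

# Compare a distfile with the sha256 and size recorded in a Portfile.
# Returns 0 only when both match; a size mismatch alone already means the
# file is not the one the maintainer recorded.
verify_distfile() {
    file=$1; want_sha256=$2; want_size=$3
    have_sha256=$(distfile_sha256 "$file")
    have_size=$(distfile_size "$file")
    if [ "$have_sha256" != "$want_sha256" ]; then
        echo "sha256 mismatch: expected $want_sha256, got $have_sha256" >&2
        return 1
    fi
    if [ "$have_size" != "$want_size" ]; then
        echo "size mismatch: expected $want_size, got $have_size" >&2
        return 1
    fi
    echo "ok: $file matches the recorded sha256 and size"
}

# Demonstration on a constructed file (stand-in for a downloaded tarball).
sample=$(mktemp)
printf 'abc' > "$sample"
portfile_checksums "$sample"
verify_distfile "$sample" \
    ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3
rm -f "$sample"
```

Run it as `sh checksums.sh` after replacing the constructed sample with the real tarball path; the printed stanza can be pasted into the Portfile, and `verify_distfile` is the check to run on a tarball fetched from a mirror that has not yet caught up with the release, as comment 5 notes for 3.4.1.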

Attachments (6)

libressl.diff (926 bytes) - added by artkiver (グレェ) 3 years ago.
diff for LibreSSL 3.2.3 Portfile to 3.3.5
libressl-devel.diff (885 bytes) - added by artkiver (グレェ) 3 years ago.
diff for Portfile of LibreSSL 2.9.2 to 3.4.0
libressl3.4.1.diff (932 bytes) - added by artkiver (グレェ) 3 years ago.
diff from LibreSSL 3.2.3 to 3.4.1
libressl-devel3.4.1.diff (886 bytes) - added by artkiver (グレェ) 3 years ago.
diff for libressl-devel to bump version from 2.9.2 to 3.4.1
Portfile-LibreSSL3.4.2.diff (942 bytes) - added by artkiver (グレェ) 3 years ago.
diff to update Portfile to LibreSSL 3.4.2
Portfile-LibreSSL-devel3.4.2.diff (885 bytes) - added by artkiver (グレェ) 3 years ago.
diff to update LibreSSL Portfile for libressl-devel from 2.9.2 to 3.4.2


Change History (17)

comment:1 Changed 3 years ago by ryandesign (Ryan Carsten Schmidt)

Description: modified (diff)
Owner: set to jeremyhu
Priority: Not set → Normal
Status: new → assigned
Summary: Please update LibreSSL port to 3.3.5 → libressl: update to 3.3.5

comment:2 in reply to: description Changed 3 years ago by ryandesign (Ryan Carsten Schmidt)

Replying to artkiver:

It appears as if the MacPorts LibreSSL port is at version 3.2.3.

Indeed.

While https://ports.macports.org/port/libressl/details/ shows a yellow exclamation mark which reads "libressl seems to have been updated (port version 3.2.3 new version: 3.4.0)" the current version on libressl.org is 3.3.5 so I am not really sure where the MacPorts version drift yellow exclamation mark is referencing as I cannot corroborate a version 3.4.0 having been released.

The libressl port's livecheck code returns the latest version available at https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/, which is 3.4.0. According to the libressl homepage, that's a development version, so we should not update to it; we should update to the latest stable version, 3.3.5. Ideally, the livecheck code would be changed to return the latest stable version.

I have tested building LibreSSL with 3.3.5 by changing the version number in the portfile as well as updating the checksums per the instructions outlined here: https://guide.macports.org/chunked/development.creating-portfile.html and it seems to have built cleanly using the newer source tarball!

Feel free to submit a pull request for this update if you would like.

I guess I also removed the line for the size of the tar.gz since I wasn't entirely sure how MacPorts calculates that, but the port seemed to build OK without that information in the Portfile.

We would like all ports to list their distfiles' sizes in the checksums line.

I couldn't help but notice MacPorts also has a libressl-devel port which is even further behind the main LibreSSL port at version 2.9.2

Indeed. If you would like to submit a pull request to update that port to 3.4.0, please do.

Changed 3 years ago by artkiver (グレェ)

Attachment: libressl.diff added

diff for LibreSSL 3.2.3 Portfile to 3.3.5

Changed 3 years ago by artkiver (グレェ)

Attachment: libressl-devel.diff added

diff for Portfile of LibreSSL 2.9.2 to 3.4.0

comment:3 Changed 3 years ago by artkiver (グレェ)

Ah, thanks for the clarifications. I hadn't noticed 3.4.0 on OpenBSD's folder. It appears as if that release is from mid September, so my guess is it may not have the fixes which made it into 3.3.5 and is probably "frozen" until OpenBSD 7.0 is released, and it will probably see some TLC after OpenBSD's source tree is unfrozen after their release is official (which is presumably "Real Soon Now").

Regardless, I attached a couple of diffs. Though I realize my descriptions are kinda bunk. libressl.diff is a diff to the Portfile for the main LibreSSL Portfile bumping it from version 3.2.3 to version 3.3.5 reflecting the official release version.

libressl-devel.diff is intended to be a diff for the libressl-devel MacPort bumping its version from 2.9.2 to 3.4.0.

Both of these seemed to build without issues for me, but I realize that "worksforme" isn't the be all end all. I'll look into submitting a Pull Request as well, though I tend to be a bit GitHub averse, so apologies in advance if I stall out there.

Through this I also noticed there's a MacPort for devel/libretls which itself seems to be derived from LibreSSL, though its version is at 3.3.4 and from August, so there isn't much to update there even though presumably that project could use at least a second set of eyeballs. While I certainly appreciate the name change given that SSL has been known as TLS for some time, I decided to leave that one alone mostly because it appears as if there isn't much to be done there and the project is mostly unfamiliar to me.

Thanks for the informative reply!

comment:4 Changed 3 years ago by artkiver (グレェ)

As an additional update, I think I correctly submitted a pull request for libressl-devel to bump its version from 2.9.2 to 3.4.0. However, when I attempted to also submit a pull request for libressl from 3.2.3 to 3.3.5 I received this error: "a pull request for branch "artkiver:master" into branch "master" already exists: https://github.com/macports/macports-ports/pull/12572" and attempting to rectify it has me stumped at the moment.

The diffs attached to this Trac ticket should be correct and all I attempted to commit in either instance was the changed Portfile. ¯\_(ツ)_/¯

Changed 3 years ago by artkiver (グレェ)

Attachment: libressl3.4.1.diff added

diff from LibreSSL 3.2.3 to 3.4.1

comment:5 Changed 3 years ago by artkiver (グレェ)

I noticed there was a request on GitHub to change the Pull Request commit message? I looked into that and I have no idea how to do that.

Additionally, OpenBSD 7.0 has been officially released, and subsequently the new official release of LibreSSL is 3.4.1.

I've attached a diff for MacPorts' libressl (3.2.3) to bring it current to 3.4.1, though that tar.gz does not appear to be distributed to all mirrors yet. Release notes are here: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.4.1-relnotes.txt

Since the port maintainer hasn't replied to any of this I'm not really sure what else to attempt at the moment. It seems to be functioning OK on my system, but I realize additional testing may be required.

Regardless, I hope this is helpful!

Changed 3 years ago by artkiver (グレェ)

Attachment: libressl-devel3.4.1.diff added

diff for libressl-devel to bump version from 2.9.2 to 3.4.1

Changed 3 years ago by artkiver (グレェ)

Attachment: Portfile-LibreSSL3.4.2.diff added

diff to update Portfile to LibreSSL 3.4.2

Changed 3 years ago by artkiver (グレェ)

Attachment: Portfile-LibreSSL-devel3.4.2.diff added

diff to update LibreSSL Portfile for libressl-devel from 2.9.2 to 3.4.2

comment:6 Changed 3 years ago by artkiver (グレェ)

LibreSSL from libressl.org was updated to version 3.4.2 on 2021-11-25 (November 25th, 2021). I've attached new diffs to reflect the new version.

From the release notes:

"It includes the following security fix

  • In some situations the X.509 verifier would discard an error on an unverified certificate chain, resulting in an authentication bypass. Thanks to Ilya Shipitsin and Timo Steinlein for reporting."

comment:7 Changed 3 years ago by artkiver (グレェ)

Summary: libressl: update to 3.3.5 → libressl: update to 3.4.2

comment:8 Changed 3 years ago by artkiver (グレェ)

comment:9 in reply to: 4 Changed 3 years ago by ryandesign (Ryan Carsten Schmidt)

Replying to artkiver:

As an additional update, I think I correctly submitted a pull request for libressl-devel to bump its version from 2.9.2 to 3.4.0. However, when I attempted to also submit a pull request for libressl from 3.2.3 to 3.3.5 I received this error: "a pull request for branch "artkiver:master" into branch "master" already exists:

You made your changes on your clone's master branch, which kind of prevents you from making any other changes to your master (such as pulling new changes from our master) until the PR is dealt with, and even then makes it difficult for you to get your master back in sync with ours. It's wiser to make a branch from master and to make your changes there. You can make as many unrelated branches (and a pull request from each one) as you want.

Replying to artkiver:

I noticed there was a request on GitHub to change the Pull Request commit message? I looked into that and I have no idea how to do that.

git commit --amend is one way to do that. The person merging the pull request can also edit the commit message for you if they click the "Squash and merge" button.
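The branch-per-change workflow and the `git commit --amend` reword that ryandesign describes, as an added example that is not part of the ticket or of MacPorts' own documentation. It runs the whole sequence inside a throwaway repository so it can be tried offline; the branch name, file contents and commit subjects are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the ticket or from MacPorts: the branch-per-change
# workflow ryandesign recommends, run inside a throwaway repository so it can
# be tried offline. Branch and file names are constructed for the demo.
set -e

topic_branch_demo() {
    repo=$(mktemp -d)
    (
        cd "$repo"
        git init -q .
        git symbolic-ref HEAD refs/heads/master   # stand-in for the upstream master
        git config user.name "Example Contributor"
        git config user.email "contributor@example.invalid"

        # State of "master" as cloned: one commit with the old port version.
        printf 'version             3.2.3\n' > Portfile
        git add Portfile
        git commit -q -m "libressl: add port"

        # Make the change on its own branch, leaving master free to track upstream.
        git checkout -q -b libressl-3.4.2
        printf 'version             3.4.2\n' > Portfile
        git commit -q -am "update"

        # Reword the last commit before opening the pull request.
        git commit -q --amend -m "libressl: update to 3.4.2"

        # Report: current branch and its subject, master's subject, and the
        # topic branch's commit count (still 2: amend rewrites, it does not add).
        printf '%s %s\n' "$(git rev-parse --abbrev-ref HEAD)" "$(git log -1 --format=%s)"
        git log master --format=%s
        git rev-list --count libressl-3.4.2
    )
    rm -rf "$repo"
}

topic_branch_demo
```

Because master never receives the topic commit, `git pull` on master keeps working while the pull request is open, and a second unrelated change simply gets a second branch off master.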

comment:10 Changed 3 years ago by artkiver (グレェ)

Thanks @ryandesign, I think the most recent PR avoids those issues which I encountered that you are responding to from approximately two months ago?

I would suggest that perhaps https://guide.macports.org/chunked/project.github.html might benefit from more precise wording regarding "git commit --amend" type parameters?

Regardless, Jeremy has not replied whatsoever. So any diffs, commits or updates appear to be stalled out at the present moment.

Last edited 3 years ago by artkiver (グレェ)

comment:11 Changed 3 years ago by artkiver (グレェ)

Resolution: fixed
Status: assigned → closed

In a181749b488786ae6c359a078db987056fc991b3/macports-ports (master):

libressl: update to 3.4.2

Closes: #63615
