From 10dae0460a46e6bd6075a52e28e8050e283925a1 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Tue, 12 Jan 2021 11:45:54 +0100 Subject: [PATCH] security/wolfssl: Add DEBUG option and enable more features - Set --enable-opensslall which is needed for wolfSSL_X509_NAME_print_ex() and friends. - Set --enable-certgen to allow certificate generation. - Define WOLFSSL_ALT_NAMES so one can generate certificates with the Subject Alternative Name extension. - Set --enable-sessioncerts to allow to inspect certificates with wolfSSL_get_peer_cert_chain(). - Set --enable-des3 so one can load PBES2-3DES-CBC-encoded keys. While at it, add a patch to prevent memory leaks. --- security/wolfssl/Makefile | 12 ++++++-- security/wolfssl/files/patch-src-ssl.c | 40 ++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 security/wolfssl/files/patch-src-ssl.c diff --git a/security/wolfssl/Makefile b/security/wolfssl/Makefile index dad5f8b2a600..cf12b46c2ec9 100644 --- a/security/wolfssl/Makefile +++ b/security/wolfssl/Makefile @@ -2,6 +2,7 @@ PORTNAME= wolfssl PORTVERSION= 4.6.0 +PORTREVISION= 1 CATEGORIES= security devel MASTER_SITES= https://www.wolfssl.com/ \ LOCAL/fox @@ -16,14 +17,18 @@ USE_LDCONFIG= yes GNU_CONFIGURE= yes CONFIGURE_ARGS= --disable-dependency-tracking \ + --enable-certgen \ + --enable-des3 \ --enable-dh \ --enable-dsa \ --enable-dtls \ --enable-ecc \ --enable-ipv6 \ --enable-keygen \ + --enable-opensslall \ --enable-opensslextra \ --enable-ripemd \ + --enable-sessioncerts \ --enable-sha512 \ --enable-shared \ --enable-sni \ @@ -32,8 +37,11 @@ CONFIGURE_ARGS= --disable-dependency-tracking \ --enable-tls13 \ --enable-tls13-draft18 TEST_TARGET= check +CFLAGS+= -DWOLFSSL_ALT_NAMES PORTDOCS= * -OPTIONS_DEFINE= DOCS +OPTIONS_DEFINE= DEBUG DOCS + +DEBUG_CONFIGURE_ON= --enable-debug post-configure: @${REINPLACE_CMD} \ @@ -42,7 +50,7 @@ post-configure: -e '/^pkgconfigdir/s|(libdir)|&data|' \ ${WRKSRC}/Makefile -post-install: +post-install-DEBUG-off: @${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libwolfssl.so .include diff --git a/security/wolfssl/files/patch-src-ssl.c b/security/wolfssl/files/patch-src-ssl.c new file mode 100644 index 000000000000..020f7b991d58 --- /dev/null +++ b/security/wolfssl/files/patch-src-ssl.c @@ -0,0 +1,40 @@ +From 0aead8cb868003a5dff2e81d6a7ffd7579652610 Mon Sep 17 00:00:00 2001 +From: Fabian Keil +Date: Sun, 17 Jan 2021 11:21:59 +0100 +Subject: [PATCH] wolfSSL_CertManagerFree(): free refMutex + +Fixes memory leaks like: + ==323== 96 bytes in 1 blocks are definitely lost in loss record 3 of 4 + ==323== at 0x4C291E1: calloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) + ==323== by 0x585495F: pthread_mutex_init (in /lib/libthr.so.3) + ==323== by 0x4E7B5E8: wc_InitMutex (wc_port.c:1071) + ==323== by 0x4F09540: wolfSSL_CertManagerNew_ex (ssl.c:3596) + ==323== by 0x4EC6A81: InitSSL_Ctx (internal.c:1752) + ==323== by 0x4F0441E: wolfSSL_CTX_new_ex (ssl.c:394) + ==323== by 0x4F04658: wolfSSL_CTX_new (ssl.c:436) + ==323== by 0x400AA2: main (wolfssl-ctx-leak.c:9) + +This is a partial cherry-pick of upstream commit +9598c037168b73ce2f by Tesfa Mael. +--- + src/ssl.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git src/ssl.c src/ssl.c +index 19d36795e..9433d302e 100644 +--- src/ssl.c ++++ src/ssl.c +@@ -3663,7 +3663,9 @@ void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm) + FreeTrustedPeerTable(cm->tpTable, TP_TABLE_SIZE, cm->heap); + wc_FreeMutex(&cm->tpLock); + #endif +- ++ if (wc_FreeMutex(&cm->refMutex) != 0) { ++ WOLFSSL_MSG("Couldn't free refMutex mutex"); ++ } + XFREE(cm, cm->heap, DYNAMIC_TYPE_CERT_MANAGER); + } + } +-- +2.30.0 + -- 2.30.0