|Summary:|[PATCH] security/stunnel: Make EGD conditional/Fix build with LibreSSL|
|Product:|Ports & Packages|
|Component:|Individual Port(s)|
|Reporter:|Bernard Spil <brnrd>|
|Assignee:|Ryan Steinmetz <zi>|
|Status:|Closed Overcome By Events|
|Severity:|Affects Some People|
|CC:|Jungleboogie0, grembo, t-matubara|
Description Bernard Spil 2015-03-29 10:24:54 UTC
Created attachment 154953: svn diff for security/stunnel

security/stunnel unconditionally relies on RAND_egd, which makes building fail with LibreSSL, which has removed EGD. FreeBSD does not require EGD at all; /dev/random has been available since FreeBSD 4.2.

This patch checks for the existence of RAND_egd in libcrypto and disables the code using egd.
Comment 1 Bernard Spil 2015-03-29 10:25:56 UTC
Created attachment 154954: Poudriere build log for security/stunnel
Comment 2 Bernard Spil 2015-03-31 07:04:29 UTC
Feedback from upstream

Hi Bernard,

Perhaps I'm misunderstanding what the issue is. You probably already guessed that the issue is political and not technical.

LibreSSL decided to drop features that are essential to me (CAPI, FIPS) for no real technical reason. To be clear: I don't consider a feature being an "insecure" one a technical reason for removal as long as this "insecure" feature is not automatically selected by default.

For example, compression only introduces vulnerability if the attacker can perform plaintext injection. Disabling compression by default is a good idea. Stunnel does it since version 4.51 (09 Jan 2012). Removing compression is a bad idea, as it is useful in many practical applications.

Another example: MD5 is vulnerable to collision attacks, thus it is a good idea to prevent accepting digital signatures based on MD5. On the other hand, weak collision resistance does not imply any problems with preimage or second-preimage properties. Removing HMAC-MD5 is a bad idea.

For the aforementioned reasons, I'm going to refrain from any actions that could potentially benefit LibreSSL.

Best regards,
Mike
Comment 3 Ryan Steinmetz 2015-04-10 22:15:32 UTC
I'm going to defer to upstream at this point in time. If you'd like to reach back out to them with your proposed patch and they accept it, then I will include it in the port.
Comment 4 Ryan Steinmetz 2015-06-09 15:34:26 UTC
Rejecting and closing until upstream accepts these changes (or some variation).
Comment 5 Bernard Spil 2015-09-06 09:48:26 UTC
*** Bug 202920 has been marked as a duplicate of this bug. ***
Comment 6 Bernard Spil 2015-09-06 11:32:59 UTC
Created attachment 160778: svn diff for security/stunnel

- Update patch to use OPENSSL_NO_EGD
- Remove the configure modifications
- Honour distribution restriction
Comment 7 Bernard Spil 2015-09-06 11:41:11 UTC
Response from upstream on the src/ssl.c patch

Hi Bernard,

This is a very nice and clean patch indeed. I would use it if I ever decided to support LibreSSL.

Best regards,
Mike

On 31.05.2015 18:55, Bernard Spil wrote:

Hi Mike,

Meanwhile, LibreSSL updated the includes and now has a define OPENSSL_NO_EGD. I've refactored the patch to use this instead, making it a very minimal change. As this is now in line with the naming-scheme of disabled features in OpenSSL (e.g. OPENSSL_NO_COMP), I'm hoping you'll find it non-intrusive enough to include in stunnel; added patch is all that's left.

Thanks,
Bernard Spil.
Comment 8 Bernard Spil 2015-09-16 14:55:42 UTC
This has now been included in the upcoming 5.24

https://www.stunnel.org/sdf_ChangeLog.html

* New features
  * Added OPENSSL_NO_EGD support
Comment 9 Ryan Steinmetz 2015-09-16 18:52:15 UTC
Excellent, this will be merged into the port when the new code is released. (stunnel doesn't have a public SCM)
Comment 10 Michael Gmelin 2015-09-17 00:11:04 UTC
Comment 11 commit-hook 2015-10-08 19:39:12 UTC
A commit references this bug:

Author: brnrd
Date: Thu Oct 8 19:38:53 UTC 2015
New revision: 398889
URL: https://svnweb.freebsd.org/changeset/ports/398889

Log:
security/stunnel: Update to 5.24

- Supports building without EGD
- Order options alphabetical

Reviewed by: koobs (mentor), zi (maintainer)
Approved by: zi (maintainer)
PR: 198997
Differential Revision: https://reviews.freebsd.org/D2694

Changes:
head/security/stunnel/Makefile
head/security/stunnel/distinfo