Bug 198997 - [PATCH] security/stunnel: Make EGD conditional/Fix build with LibreSSL
Summary: [PATCH] security/stunnel: Make EGD conditional/Fix build with LibreSSL
Status: Closed Overcome By Events
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Ryan Steinmetz
Keywords: patch
Duplicates: 202920
Depends on:
Reported: 2015-03-29 10:24 UTC by Bernard Spil
Modified: 2015-10-08 19:46 UTC
CC: 3 users

See Also:
bugzilla: maintainer-feedback? (zi)

Attachments:
svn diff for security/stunnel (5.60 KB, patch), 2015-03-29 10:24 UTC, Bernard Spil
Poudriere build log for security/stunnel (41.00 KB, text/plain), 2015-03-29 10:25 UTC, Bernard Spil
svn diff for security/stunnel (2.67 KB, patch), 2015-09-06 11:32 UTC, Bernard Spil

Description Bernard Spil freebsd_committer 2015-03-29 10:24:54 UTC
Created attachment 154953 [details]
svn diff for security/stunnel

security/stunnel unconditionally relies on RAND_egd, which makes the build fail with LibreSSL, which has removed EGD. FreeBSD does not require EGD at all; /dev/random has been available since FreeBSD 4.2.

This patch checks for the existence of RAND_egd in libcrypto and disables the code using EGD.
Comment 1 Bernard Spil freebsd_committer 2015-03-29 10:25:56 UTC
Created attachment 154954 [details]
Poudriere build log for security/stunnel
Comment 2 Bernard Spil freebsd_committer 2015-03-31 07:04:29 UTC
Feedback from upstream

Hi Bernard,

Perhaps I'm misunderstanding what the issue is.

You probably already guessed that the issue is political and not technical.
LibreSSL decided to drop features that are essential to me (CAPI,
FIPS) for no real technical reason. To be clear: I don't consider a
feature being an "insecure" one a technical reason for removal as long
as this "insecure" feature is not automatically selected by default.

For example, compression only introduces a vulnerability if the attacker
can perform plaintext injection. Disabling compression by default is
a good idea. Stunnel has done so since version 4.51 (09 Jan 2012).
Removing compression is a bad idea, as it is useful in many practical

Another example: MD5 is vulnerable to collision attacks, thus it is a
good idea to prevent accepting digital signatures based on MD5.
On the other hand weak collision resistance does not imply any
problems with preimage or second-preimage properties. Removing
HMAC-MD5 is a bad idea.

For the aforementioned reasons, I'm going to refrain from any actions
that could potentially benefit LibreSSL.

Best regards,
Comment 3 Ryan Steinmetz freebsd_committer freebsd_triage 2015-04-10 22:15:32 UTC
I'm going to defer to upstream at this point in time.  If you'd like to reach back out to them with your proposed patch and they accept it, then I will include it in the port.
Comment 4 Ryan Steinmetz freebsd_committer freebsd_triage 2015-06-09 15:34:26 UTC
Rejecting and closing until upstream accepts these changes (or some variation).
Comment 5 Bernard Spil freebsd_committer 2015-09-06 09:48:26 UTC
*** Bug 202920 has been marked as a duplicate of this bug. ***
Comment 6 Bernard Spil freebsd_committer 2015-09-06 11:32:59 UTC
Created attachment 160778 [details]
svn diff for security/stunnel

  - Update patch to use OPENSSL_NO_EGD
  - Remove the configure modifications
  - Honour distribution restriction
Comment 7 Bernard Spil freebsd_committer 2015-09-06 11:41:11 UTC
Response from upstream on the src/ssl.c patch

Hi Bernard,

This is a very nice and clean patch indeed.
I would use it if I ever decided to support LibreSSL.

Best regards,

On 31.05.2015 18:55, Bernard Spil wrote:

    Hi Mike,

    Meanwhile, LibreSSL updated the includes and now has a define

    I've refactored the patch to use this instead making it a very
    minimal change. As this is now in line with the naming-scheme of
    disabled features in OpenSSL (e.g. OPENSSL_NO_COMP) I'm hoping
    you'll find it non-intrusive enough to include in stunnel, added
    patch is all that's left.


    Bernard Spil.
Comment 8 Bernard Spil freebsd_committer 2015-09-16 14:55:42 UTC
This has now been included in the upcoming 5.24.


 * New features
    * Added OPENSSL_NO_EGD support
Comment 9 Ryan Steinmetz freebsd_committer freebsd_triage 2015-09-16 18:52:15 UTC
Excellent, this will be merged into the port when the new code is released.  (stunnel doesn't have a public SCM)
Comment 10 Michael Gmelin freebsd_committer 2015-09-17 00:11:04 UTC
Comment 11 commit-hook freebsd_committer 2015-10-08 19:39:12 UTC
A commit references this bug:

Author: brnrd
Date: Thu Oct  8 19:38:53 UTC 2015
New revision: 398889
URL: https://svnweb.freebsd.org/changeset/ports/398889

  security/stunnel: Update to 5.24

    - Supports building without EGD
    - Order options alphabetical

  Reviewed by:	koobs (mentor), zi (maintainer)
  Approved by:	zi (maintainer)
  PR:	198997
  Differential Revision:	https://reviews.freebsd.org/D2694

Comment 12 sf(jungleboogie) 2015-10-08 19:44:19 UTC
(In reply to commit-hook from comment #11)

Based on the commit, can the status of the bug be correctly reflected?