[MacPorts] #63615: libressl: update to 3.3.5 (was: Please update LibreSSL port to 3.3.5)

MacPorts noreply at macports.org
Wed Oct 13 04:26:38 UTC 2021


#63615: libressl: update to 3.3.5
-----------------------+----------------------
  Reporter:  artkiver  |      Owner:  jeremyhu
      Type:  update    |     Status:  assigned
  Priority:  Normal    |  Milestone:
 Component:  ports     |    Version:
Resolution:            |   Keywords:
      Port:  libressl  |
-----------------------+----------------------
Changes (by ryandesign):

 * status:  new => assigned
 * owner:  (none) => jeremyhu
 * priority:  Not set => Normal


Old description:

> Hello!
>
> It appears as if the MacPorts LibreSSL port is at version 3.2.3. While
> https://ports.macports.org/port/libressl/details/ shows a yellow
> exclamation mark which reads "libressl seems to have been updated (port
> version 3.2.3 new version: 3.4.0)" the current version on libressl.org is
> 3.3.5 so I am not really sure where the MacPorts version drift yellow
> exclamation mark is referencing as I cannot corroborate a version 3.4.0
> having been released.
>
> However, 3.3.5 addresses the following two fixes (quoted from
> https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.5-relnotes.txt)
>
> "  * A stack overread could occur when checking X.509 name constraints.
>     From GoldBinocle on GitHub.
>
>   * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
>     This compensates for the expiry of the DST Root X3 certificate."
>
> In particular, the latter issue seems to impact some Let's Encrypt users
> and rectifies a bug which had been in OpenSSL which was fixed circa 2018
> that LibreSSL developers apparently overlooked since their project forked
> approximately four years earlier. Anecdotally, GNUTLS also apparently had
> a similar bug.
>
> I have tested building LibreSSL with 3.3.5 by changing the version number
> in the portfile as well as updating the checksums per the instructions
> outlined here:
> https://guide.macports.org/chunked/development.creating-portfile.html
> and it seems to have built cleanly using the newer source tarball!
>
> "# uname -a
> Darwin enbie132020enuan.local 20.6.0 Darwin Kernel Version 20.6.0: Mon
> Aug 30 06:12:20 PDT 2021; root:xnu-7195.141.6~3/RELEASE_ARM64_T8101
> arm64"
>
> # openssl version
> LibreSSL 3.3.5
>
> # which openssl
> /opt/local/bin/openssl
>
> For reference, the checksums I derived were as follows:
>
> checksums           rmd160  76cd468b68ba63b108af9750777b37617da20605 \
>                     sha256  0a51393f0df1cf27e070054a2788a4d073339f363d79cd594076a1b4c48be9a5
>
> Though undoubtedly, the port maintainer should verify those
> independently.
>
> I guess I also removed the line for the size of the tar.gz since I wasn't
> entirely sure how MacPorts calculates that, but the port seemed to build
> OK without that information in the Portfile.
>
> At least from my vantage, this appears as if it is a pretty easy version
> update, with minimal effort required by the port maintainer, though
> doubtlessly there may have been some things I overlooked. I couldn't help
> but notice MacPorts also has a libressl-devel port which is even further
> behind the main LibreSSL port at version 2.9.2, though I suppose that is
> still a more recent LibreSSL than the version which ships with Big Sur
> 11.6 (namely, 2.8.3).
>
> I also noticed that Homebrew has updated their LibreSSL port to 3.3.5, so
> my guess is for those who really need it, they should be able to find
> workarounds as I did manually. Nonetheless, I thought I would open a Trac
> ticket to formalize the version skew/drift a bit more.
>
> Thank you in advance for rectifying this!

New description:

 Hello!

 It appears as if the MacPorts LibreSSL port is at version 3.2.3. While
 https://ports.macports.org/port/libressl/details/ shows a yellow
 exclamation mark which reads "libressl seems to have been updated (port
 version 3.2.3 new version: 3.4.0)" the current version on libressl.org is
 3.3.5 so I am not really sure where the MacPorts version drift yellow
 exclamation mark is referencing as I cannot corroborate a version 3.4.0
 having been released.

 However, 3.3.5 addresses the following two fixes (quoted from
 https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.3.5-relnotes.txt)

 >  * A stack overread could occur when checking X.509 name constraints.
 >    From GoldBinocle on GitHub.
 >
 >  * Enable X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
 >    This compensates for the expiry of the DST Root X3 certificate.

 In particular, the latter issue seems to impact some Let's Encrypt users
 and rectifies a bug which had been in OpenSSL which was fixed circa 2018
 that LibreSSL developers apparently overlooked since their project forked
 approximately four years earlier. Anecdotally, GNUTLS also apparently had
 a similar bug.

 I have tested building LibreSSL with 3.3.5 by changing the version number
 in the portfile as well as updating the checksums per the instructions
 outlined here:
 https://guide.macports.org/chunked/development.creating-portfile.html
 and it seems to have built cleanly using the newer source tarball!

 {{{
 # uname -a
 Darwin enbie132020enuan.local 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:20 PDT 2021; root:xnu-7195.141.6~3/RELEASE_ARM64_T8101 arm64

 # openssl version
 LibreSSL 3.3.5

 # which openssl
 /opt/local/bin/openssl
 }}}

 For reference, the checksums I derived were as follows:

 {{{
 checksums           rmd160  76cd468b68ba63b108af9750777b37617da20605 \
                     sha256  0a51393f0df1cf27e070054a2788a4d073339f363d79cd594076a1b4c48be9a5
 }}}

 Though undoubtedly, the port maintainer should verify those independently.

 I guess I also removed the line for the size of the tar.gz since I wasn't
 entirely sure how MacPorts calculates that, but the port seemed to build
 OK without that information in the Portfile.

 At least from my vantage, this appears as if it is a pretty easy version
 update, with minimal effort required by the port maintainer, though
 doubtlessly there may have been some things I overlooked. I couldn't help
 but notice MacPorts also has a libressl-devel port which is even further
 behind the main LibreSSL port at version 2.9.2, though I suppose that is
 still a more recent LibreSSL than the version which ships with Big Sur
 11.6 (namely, 2.8.3).

 I also noticed that Homebrew has updated their LibreSSL port to 3.3.5, so
 my guess is for those who really need it, they should be able to find
 workarounds as I did manually. Nonetheless, I thought I would open a Trac
 ticket to formalize the version skew/drift a bit more.

 Thank you in advance for rectifying this!

--

-- 
Ticket URL: <https://trac.macports.org/ticket/63615#comment:1>
MacPorts <https://www.macports.org/>
Ports system for macOS
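The second release note the ticket quotes (X509_V_FLAG_TRUSTED_FIRST in the legacy verifier) is easier to understand with the chain-building order spelled out. The following is an added example written for this page; it is not LibreSSL, OpenSSL or MacPorts code. Certificates are plain records matched by name, with no signatures or extensions; the certificate names and notAfter dates are modelled on the public Let's Encrypt hierarchy of 2021, the leaf "example.org" is constructed, the "retry from the top down" fallback is an assumption modelled on the OpenSSL 1.0.x-era algorithm the legacy verifier descends from, and any trust-store certificate is treated as an anchor for simplicity.

```python
"""Toy model of legacy X.509 chain building with and without
X509_V_FLAG_TRUSTED_FIRST.

Certificates are plain records matched by name only: no signatures,
extensions or revocation. That is enough to show why a verifier that
exhausts the server-sent intermediates before consulting its trust store
walks into the expired DST Root CA X3, and why preferring trust-store
certificates avoids it.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_DEPTH = 10  # stand-in for the verifier's depth limit


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # end of validity, UTC

    def is_self_signed(self):
        return self.subject == self.issuer


def _utc(*ymd_hms):
    return datetime(*ymd_hms, tzinfo=timezone.utc)


# Constructed records modelled on the public Let's Encrypt hierarchy of 2021.
# The notAfter values are those of the real certificates; the leaf is made up.
DST_ROOT_X3 = Cert("DST Root CA X3", "DST Root CA X3", _utc(2021, 9, 30, 14, 1, 15))
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", _utc(2035, 6, 4, 11, 4, 38))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", _utc(2024, 9, 30, 18, 14, 3))
R3 = Cert("R3", "ISRG Root X1", _utc(2025, 9, 15, 16, 0, 0))
LEAF = Cert("example.org", "R3", _utc(2022, 1, 5, 0, 0, 0))

# What a Let's Encrypt server sent in late 2021: leaf, R3, and the ISRG Root X1
# cross-signed by DST Root CA X3 (kept for old Android clients).
SERVER_CHAIN = [LEAF, R3, ISRG_X1_CROSS]
STORE_BOTH = [DST_ROOT_X3, ISRG_X1_SELF]  # typical store: both roots, one expired
STORE_ISRG_ONLY = [ISRG_X1_SELF]          # the "delete DST Root CA X3" workaround
TICKET_DATE = _utc(2021, 10, 13, 4, 26, 38)


def _find_issuer(cert, pool, exclude=()):
    """First certificate in pool whose subject names cert's issuer."""
    for cand in pool:
        if cand.subject == cert.issuer and cand not in exclude:
            return cand
    return None


def build_chain(leaf, untrusted, store, trusted_first):
    """Return (chain, anchored). Any store certificate counts as an anchor.

    Legacy order (trusted_first=False): follow untrusted issuers as far as
    they go, then look the top cert's issuer up in the store; only if that
    fails, retry from the top down for a trusted issuer of a lower cert
    (assumed fallback, modelled on the OpenSSL 1.0.x-era code).
    TRUSTED_FIRST: at every step a store certificate with the right name wins.
    """
    chain = [leaf]
    while len(chain) < MAX_DEPTH and not chain[-1].is_self_signed():
        cur = chain[-1]
        if trusted_first:
            trusted = _find_issuer(cur, store)
            if trusted is not None:
                return chain + [trusted], True
        nxt = _find_issuer(cur, untrusted, exclude=chain)
        if nxt is None:
            break
        chain.append(nxt)
    if chain[-1] in store:
        return chain, True
    for i in range(len(chain) - 1, -1, -1):  # top-down retry against the store
        trusted = _find_issuer(chain[i], store)
        if trusted is not None:
            return chain[: i + 1] + [trusted], True
    return chain, False


def verify(leaf, untrusted, store, now, trusted_first):
    """(ok, reason, subjects) in the spirit of X509_verify_cert's verdict."""
    chain, anchored = build_chain(leaf, untrusted, store, trusted_first)
    subjects = [c.subject for c in chain]
    if not anchored:
        return False, "unable to get local issuer certificate", subjects
    for c in chain:  # validity is checked on every link, the root included
        if now > c.not_after:
            return False, "certificate has expired: " + c.subject, subjects
    return True, "ok", subjects


def demo():
    cases = {
        "legacy, both roots in store": (STORE_BOTH, False),
        "legacy, DST Root CA X3 removed": (STORE_ISRG_ONLY, False),
        "TRUSTED_FIRST, both roots in store": (STORE_BOTH, True),
    }
    return {name: verify(LEAF, SERVER_CHAIN, store, TICKET_DATE, tf)
            for name, (store, tf) in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason, subjects) in demo().items():
        print(f"{name:36s} {'OK ' if ok else 'ERR'} {reason}  [{' -> '.join(subjects)}]")
```

Running it at the ticket's date gives three verdicts: the legacy order with both roots installed follows the server's cross-signed ISRG Root X1 up to DST Root CA X3 and fails with "certificate has expired", deleting DST Root CA X3 from the store makes the same legacy order succeed through the retry, and TRUSTED_FIRST succeeds without touching the store because it stops at the self-signed ISRG Root X1 as soon as R3's issuer is found there.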
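The ticket asks the maintainer to verify the rmd160/sha256 values independently and wonders how MacPorts derives the size field. The check below is an added example written for this page, not MacPorts code: it digests a distfile and compares it with a Portfile `checksums` stanza, treating size as the file length in bytes (which is what MacPorts compares). The sample "distfile" is constructed inline, the single-distfile stanza form is assumed, and the RIPEMD-160 fallback exists because hashlib on some OpenSSL 3 builds lacks that digest unless the legacy provider is loaded.

```python
"""Check a distfile against a Portfile `checksums` stanza the way MacPorts
does: rmd160, sha256 and size, where size is simply the file length in bytes.
"""
import hashlib
import os
import re
import tempfile


def compute_checksums(path):
    """Digest the file once and return the three fields MacPorts compares."""
    sha = hashlib.sha256()
    try:
        rmd = hashlib.new("ripemd160")  # absent on some OpenSSL 3 builds
    except ValueError:
        rmd = None
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
            if rmd is not None:
                rmd.update(chunk)
    return {
        "rmd160": rmd.hexdigest() if rmd is not None else None,
        "sha256": sha.hexdigest(),
        "size": os.path.getsize(path),  # the size field is the byte length
    }


def parse_checksums_stanza(text):
    """Parse a single-distfile `checksums` stanza: key/value pairs joined
    across Tcl backslash-newline continuations. A line wrapped by a mail
    client without the backslash leaves an odd token count and is rejected."""
    joined = re.sub(r"\\\s*\n", " ", text)
    m = re.search(r"^\s*checksums\s+(.*)$", joined, re.M)
    if m is None:
        raise ValueError("no checksums stanza found")
    tokens = m.group(1).split()
    if len(tokens) % 2:
        raise ValueError("stanza is not key/value pairs: " + " ".join(tokens))
    return {k: int(v) if k == "size" else v.lower()
            for k, v in zip(tokens[::2], tokens[1::2])}


def verify_distfile(path, stanza):
    """Return a list of mismatches; empty means the Portfile matches the file."""
    declared = parse_checksums_stanza(stanza)
    actual = compute_checksums(path)
    problems = []
    for key in ("rmd160", "sha256", "size"):
        if key not in declared:
            problems.append(f"{key}: missing from Portfile")
        elif actual[key] is None:
            problems.append(f"{key}: not computable with this hashlib")
        elif declared[key] != actual[key]:
            problems.append(f"{key}: Portfile says {declared[key]}, file has {actual[key]}")
    return problems


def format_stanza(c):
    """Render the three fields in Portfile layout, size line included."""
    return (f"checksums           rmd160  {c['rmd160']} \\\n"
            f"                    sha256  {c['sha256']} \\\n"
            f"                    size    {c['size']}")


def write_sample_distfile(content=b"abc"):
    """Constructed stand-in for a release tarball so the check runs offline."""
    fd, path = tempfile.mkstemp(suffix=".tar.gz")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    p = write_sample_distfile()
    stanza = format_stanza(compute_checksums(p))
    print(stanza)
    print("mismatches:", verify_distfile(p, stanza))
```

Point `verify_distfile` at the real tarball and the Portfile's stanza to do the independent check the ticket asks for; note that a stanza whose sha256 line was wrapped by a mail client without a trailing backslash is rejected rather than silently half-parsed.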