Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/external/bsd/openssl merge conflicts
details: https://anonhg.NetBSD.org/src/rev/a52813465229
branches: trunk
changeset: 321813:a52813465229
user: christos <christos%NetBSD.org@localhost>
date: Fri Apr 06 23:04:43 2018 +0000
description:
merge conflicts
diffstat:
crypto/external/bsd/openssl/dist/CHANGES | 80 +-
crypto/external/bsd/openssl/dist/Configure | 127 +-
crypto/external/bsd/openssl/dist/NEWS | 7 +
crypto/external/bsd/openssl/dist/README | 2 +-
crypto/external/bsd/openssl/dist/apps/ca.c | 292 +-
crypto/external/bsd/openssl/dist/apps/ocsp.c | 4 +-
crypto/external/bsd/openssl/dist/apps/openssl.c | 19 +-
crypto/external/bsd/openssl/dist/apps/s_client.c | 39 +-
crypto/external/bsd/openssl/dist/apps/s_server.c | 27 +-
crypto/external/bsd/openssl/dist/apps/s_time.c | 97 +-
crypto/external/bsd/openssl/dist/apps/speed.c | 29 +-
crypto/external/bsd/openssl/dist/crypto/asn1/a_strex.c | 23 +-
crypto/external/bsd/openssl/dist/crypto/asn1/asn_mime.c | 3 +-
crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c | 49 +-
crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c | 8 +-
crypto/external/bsd/openssl/dist/crypto/bio/bss_file.c | 14 +-
crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c | 11 +-
crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-gcc.c | 14 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c | 8 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c | 112 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_mont.c | 61 +-
crypto/external/bsd/openssl/dist/crypto/comp/c_zlib.c | 8 +-
crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/cryptlib.c | 6 +-
crypto/external/bsd/openssl/dist/crypto/dsa/dsa_ameth.c | 8 +-
crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/engine/eng_cryptodev.c | 13 +-
crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c | 6 +-
crypto/external/bsd/openssl/dist/crypto/evp/m_sha1.c | 21 +-
crypto/external/bsd/openssl/dist/crypto/lhash/lhash.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/mem.c | 12 +-
crypto/external/bsd/openssl/dist/crypto/ocsp/ocsp_vfy.c | 9 +
crypto/external/bsd/openssl/dist/crypto/pkcs7/pk7_doit.c | 10 +-
crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c | 10 +-
crypto/external/bsd/openssl/dist/crypto/rand/rand_egd.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c | 10 +-
crypto/external/bsd/openssl/dist/doc/apps/openssl.pod | 2 +-
crypto/external/bsd/openssl/dist/doc/crypto/EVP_EncryptInit.pod | 20 +-
crypto/external/bsd/openssl/dist/doc/crypto/d2i_X509.pod | 24 +-
crypto/external/bsd/openssl/dist/ssl/s3_lib.c | 20 +-
crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c | 6 +-
crypto/external/bsd/openssl/dist/ssl/ssl_err.c | 7 +-
crypto/external/bsd/openssl/dist/ssl/ssl_lib.c | 118 +-
crypto/external/bsd/openssl/dist/ssl/ssl_locl.h | 2 +-
crypto/external/bsd/openssl/dist/ssl/ssl_sess.c | 6 +-
crypto/external/bsd/openssl/dist/ssl/t1_lib.c | 19 +-
crypto/external/bsd/openssl/dist/test/bftest.c | 2 +-
crypto/external/bsd/openssl/dist/test/bntest.c | 2 +-
crypto/external/bsd/openssl/dist/test/dhtest.c | 2 +-
crypto/external/bsd/openssl/dist/test/dsatest.c | 2 +-
crypto/external/bsd/openssl/dist/test/ectest.c | 14 +-
crypto/external/bsd/openssl/dist/test/exptest.c | 8 +-
crypto/external/bsd/openssl/dist/test/rsa_test.c | 2 +-
crypto/external/bsd/openssl/dist/test/testlib/OpenSSL/Test.pm | 1050 ----------
crypto/external/bsd/openssl/dist/test/testlib/OpenSSL/Test/Simple.pm | 91 -
crypto/external/bsd/openssl/dist/test/testlib/OpenSSL/Test/Utils.pm | 240 --
crypto/external/bsd/openssl/dist/util/TLSProxy/ClientHello.pm | 242 --
crypto/external/bsd/openssl/dist/util/TLSProxy/Message.pm | 456 ----
crypto/external/bsd/openssl/dist/util/TLSProxy/NewSessionTicket.pm | 81 -
crypto/external/bsd/openssl/dist/util/TLSProxy/Proxy.pm | 546 -----
crypto/external/bsd/openssl/dist/util/TLSProxy/Record.pm | 330 ---
crypto/external/bsd/openssl/dist/util/TLSProxy/ServerHello.pm | 210 --
crypto/external/bsd/openssl/dist/util/TLSProxy/ServerKeyExchange.pm | 134 -
crypto/external/bsd/openssl/dist/util/mkdef.pl | 174 +-
crypto/external/bsd/openssl/dist/util/with_fallback.pm | 24 -
crypto/external/bsd/openssl/lib/libcrypto/Makefile | 3 +-
crypto/external/bsd/openssl/lib/libcrypto/libc-sha512.c | 6 +-
crypto/external/bsd/openssl/lib/libcrypto/sha.inc | 3 +-
69 files changed, 908 insertions(+), 4091 deletions(-)
diffs (truncated from 6935 to 300 lines):
diff -r 71e6e211972d -r a52813465229 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Fri Apr 06 22:49:06 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Fri Apr 06 23:04:43 2018 +0000
@@ -7,6 +7,79 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
+
+ *) Constructed ASN.1 types with a recursive definition could exceed the stack
+
+ Constructed ASN.1 types with a recursive definition (such as can be found
+ in PKCS7) could eventually exceed the stack given malicious input with
+ excessive recursion. This could result in a Denial Of Service attack. There
+ are no such structures used within SSL/TLS that come from untrusted sources
+ so this is considered safe.
+
+ This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
+ project.
+ (CVE-2018-0739)
+ [Matt Caswell]
+
+ *) Incorrect CRYPTO_memcmp on HP-UX PA-RISC
+
+ Because of an implementation bug the PA-RISC CRYPTO_memcmp function is
+ effectively reduced to only comparing the least significant bit of each
+ byte. This allows an attacker to forge messages that would be considered as
+ authenticated in an amount of tries lower than that guaranteed by the
+ security claims of the scheme. The module can only be compiled by the
+ HP-UX assembler, so that only HP-UX PA-RISC targets are affected.
+
+ This issue was reported to OpenSSL on 2nd March 2018 by Peter Waltenberg
+ (IBM).
+ (CVE-2018-0733)
+ [Andy Polyakov]
+
+ *) Add a build target 'build_all_generated', to build all generated files
+ and only that. This can be used to prepare everything that requires
+ things like perl for a system that lacks perl and then move everything
+ to that system and do the rest of the build there.
+ [Richard Levitte]
+
+ *) Backport SSL_OP_NO_RENGOTIATION
+
+ OpenSSL 1.0.2 and below had the ability to disable renegotiation using the
+ (undocumented) SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS flag. Due to the opacity
+ changes this is no longer possible in 1.1.0. Therefore the new
+ SSL_OP_NO_RENEGOTIATION option from 1.1.1-dev has been backported to
+ 1.1.0 to provide equivalent functionality.
+
+ Note that if an application built against 1.1.0h headers (or above) is run
+ using an older version of 1.1.0 (prior to 1.1.0h) then the option will be
+ accepted but nothing will happen, i.e. renegotiation will not be prevented.
+ [Matt Caswell]
+
+ *) Removed the OS390-Unix config target. It relied on a script that doesn't
+ exist.
+ [Rich Salz]
+
+ *) rsaz_1024_mul_avx2 overflow bug on x86_64
+
+ There is an overflow bug in the AVX2 Montgomery multiplication procedure
+ used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
+ Analysis suggests that attacks against RSA and DSA as a result of this
+ defect would be very difficult to perform and are not believed likely.
+ Attacks against DH1024 are considered just feasible, because most of the
+ work necessary to deduce information about a private key may be performed
+ offline. The amount of resources required for such an attack would be
+ significant. However, for an attack on TLS to be meaningful, the server
+ would have to share the DH1024 private key among multiple clients, which is
+ no longer an option since CVE-2016-0701.
+
+ This only affects processors that support the AVX2 but not ADX extensions
+ like Intel Haswell (4th generation).
+
+ This issue was reported to OpenSSL by David Benjamin (Google). The issue
+ was originally found via the OSS-Fuzz project.
+ (CVE-2017-3738)
+ [Andy Polyakov]
+
Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
*) bn_sqrx8x_internal carry bug on x86_64
@@ -2989,8 +3062,11 @@
to work with OPENSSL_NO_SSL_INTERN defined.
[Steve Henson]
- *) Add SRP support.
- [Tom Wu <tjw%cs.stanford.edu@localhost> and Ben Laurie]
+ *) A long standing patch to add support for SRP from EdelWeb (Peter
+ Sylvester and Christophe Renou) was integrated.
+ [Christophe Renou <christophe.renou%edelweb.fr@localhost>, Peter Sylvester
+ <peter.sylvester%edelweb.fr@localhost>, Tom Wu <tjw%cs.stanford.edu@localhost>, and
+ Ben Laurie]
*) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
[Steve Henson]
diff -r 71e6e211972d -r a52813465229 crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure Fri Apr 06 22:49:06 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure Fri Apr 06 23:04:43 2018 +0000
@@ -1,6 +1,6 @@
#! /usr/bin/env perl
# -*- mode: perl; -*-
-# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -11,10 +11,12 @@
use 5.10.0;
use strict;
+use FindBin;
+use lib "$FindBin::Bin/util/perl";
use File::Basename;
use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs/;
use File::Path qw/mkpath/;
-use if $^O ne "VMS", 'File::Glob' => qw/glob/;
+use OpenSSL::Glob;
# see INSTALL for instructions.
@@ -459,31 +461,10 @@
sub { 0 == scalar grep { !$disabled{$_} } @dtls }
=> [ "dtls" ],
- # SSL 3.0, (D)TLS 1.0 and TLS 1.1 require MD5 and SHA
- "md5" => [ "ssl", "tls1", "tls1_1", "dtls1" ],
- "sha" => [ "ssl", "tls1", "tls1_1", "dtls1" ],
-
- # Additionally, SSL 3.0 requires either RSA or DSA+DH
- sub { $disabled{rsa}
- && ($disabled{dsa} || $disabled{dh}); }
- => [ "ssl" ],
-
- # (D)TLS 1.0 and TLS 1.1 also require either RSA or DSA+DH
- # or ECDSA + ECDH. (D)TLS 1.2 has this requirement as well.
- # (XXX: We don't support PSK-only builds).
- sub { $disabled{rsa}
- && ($disabled{dsa} || $disabled{dh})
- && ($disabled{ecdsa} || $disabled{ecdh}); }
- => [ "tls1", "tls1_1", "tls1_2",
- "dtls1", "dtls1_2" ],
-
"tls" => [ @tls ],
sub { 0 == scalar grep { !$disabled{$_} } @tls }
=> [ "tls" ],
- # SRP and HEARTBEATS require TLSEXT
- "tlsext" => [ "srp", "heartbeats" ],
-
"crypto-mdebug" => [ "crypto-mdebug-backtrace" ],
# Without DSO, we can't load dynamic engines, so don't build them dynamic
@@ -527,8 +508,6 @@
# To remove something from %disabled, use "enable-foo".
# For symmetry, "disable-foo" is a synonym for "no-foo".
-my $no_sse2=0;
-
&usage if ($#ARGV < 0);
my $user_cflags="";
@@ -878,7 +857,7 @@
elsif (/^zlib-dynamic$/)
{ }
elsif (/^sse2$/)
- { $no_sse2 = 1; }
+ { }
elsif (/^engine$/)
{
@{$config{dirs}} = grep !/^engines$/, @{$config{dirs}};
@@ -911,8 +890,6 @@
{
push @{$config{openssl_other_defines}}, "OPENSSL_NO_$WHAT";
print " OPENSSL_NO_$WHAT";
-
- if (/^err$/) { push @user_defines, "OPENSSL_NO_ERR"; }
}
}
@@ -1166,7 +1143,7 @@
# bn-586 is the only one implementing bn_*_part_words
push @{$config{defines}}, "OPENSSL_BN_ASM_PART_WORDS" if ($target{bn_asm_src} =~ /bn-586/);
- push @{$config{defines}}, "OPENSSL_IA32_SSE2" if (!$no_sse2 && $target{bn_asm_src} =~ /86/);
+ push @{$config{defines}}, "OPENSSL_IA32_SSE2" if (!$disabled{sse2} && $target{bn_asm_src} =~ /86/);
push @{$config{defines}}, "OPENSSL_BN_ASM_MONT" if ($target{bn_asm_src} =~ /-mont/);
push @{$config{defines}}, "OPENSSL_BN_ASM_MONT5" if ($target{bn_asm_src} =~ /-mont5/);
@@ -1198,7 +1175,7 @@
push @{$config{defines}}, "AES_CTR_ASM" if ($target{aes_asm_src} =~ s/\s*aes-ctr\.fake//);
# aes-xts.fake indicates presence of AES_xts_[en|de]crypt...
push @{$config{defines}}, "AES_XTS_ASM" if ($target{aes_asm_src} =~ s/\s*aes-xts\.fake//);
- $target{aes_asm_src} =~ s/\s*(vpaes|aesni)-x86\.s//g if ($no_sse2);
+ $target{aes_asm_src} =~ s/\s*(vpaes|aesni)-x86\.s//g if ($disabled{sse2});
push @{$config{defines}}, "VPAES_ASM" if ($target{aes_asm_src} =~ m/vpaes/);
push @{$config{defines}}, "BSAES_ASM" if ($target{aes_asm_src} =~ m/bsaes/);
}
@@ -1353,7 +1330,6 @@
my $buildinfo_debug = defined($ENV{CONFIGURE_DEBUG_BUILDINFO});
if ($builder eq "unified") {
- use lib catdir(dirname(__FILE__),"util");
use with_fallback qw(Text::Template);
sub cleandir {
@@ -1476,9 +1452,15 @@
my %sharednames = ();
my %generate = ();
+ # We want to detect configdata.pm in the source tree, so we
+ # don't use it if the build tree is different.
+ my $src_configdata = cleanfile($srcdir, "configdata.pm", $blddir);
+
push @{$config{build_infos}}, catfile(abs2rel($sourced, $blddir), $f);
- my $template = Text::Template->new(TYPE => 'FILE',
- SOURCE => catfile($sourced, $f));
+ my $template =
+ Text::Template->new(TYPE => 'FILE',
+ SOURCE => catfile($sourced, $f),
+ PREPEND => qq{use lib "$FindBin::Bin/util/perl";});
die "Something went wrong with $sourced/$f: $!\n" unless $template;
my @text =
split /^/m,
@@ -1779,7 +1761,7 @@
# If it isn't in the source tree, we assume it's generated
# in the build tree
- if (! -f $s) {
+ if ($s eq $src_configdata || ! -f $s || $generate{$_}) {
$s = cleanfile($buildd, $_, $blddir);
}
# We recognise C and asm files
@@ -1805,7 +1787,7 @@
# If it isn't in the source tree, we assume it's generated
# in the build tree
- if (! -f $s) {
+ if ($s eq $src_configdata || ! -f $s || $generate{$_}) {
$s = cleanfile($buildd, $_, $blddir);
}
# We recognise C and asm files
@@ -1840,7 +1822,7 @@
# If the destination doesn't exist in source, it can only be
# a generated file in the build tree.
- if ($ddest ne "" && ! -f $ddest) {
+ if ($ddest ne "" && ($ddest eq $src_configdata || ! -f $ddest)) {
$ddest = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$ddest}) {
$ddest = $unified_info{rename}->{$ddest};
@@ -1854,7 +1836,8 @@
# in the build tree rather than the source tree, and assume
# and that there are lines to build it in a BEGINRAW..ENDRAW
# section or in the Makefile template.
- if (! -f $d
+ if ($d eq $src_configdata
+ || ! -f $d
|| (grep { $d eq $_ }
map { cleanfile($srcdir, $_, $blddir) }
grep { /\.h$/ } keys %{$unified_info{generate}})) {
@@ -1865,13 +1848,6 @@
$d = $unified_info{rename}->{$d};
}
$unified_info{depends}->{$ddest}->{$d} = 1;
- # If we depend on a header file or a perl module, let's make
- # sure it can get included
- if ($dest ne "" && $d =~ /\.(h|pm)$/) {
- my $i = dirname($d);
- push @{$unified_info{includes}->{$ddest}->{source}}, $i
- unless grep { $_ eq $i } @{$unified_info{includes}->{$ddest}->{source}};
- }
}
}
@@ -1881,7 +1857,7 @@
# If the destination doesn't exist in source, it can only be
# a generated file in the build tree.
- if (! -f $ddest) {
+ if ($ddest eq $src_configdata || ! -f $ddest) {
$ddest = cleanfile($buildd, $_, $blddir);
if ($unified_info{rename}->{$ddest}) {
$ddest = $unified_info{rename}->{$ddest};
@@ -1898,6 +1874,43 @@
}
}
+ # Massage the result
+
+ # If we depend on a header file or a perl module, add an inclusion of
+ # its directory to allow smoothe inclusion
+ foreach my $dest (keys %{$unified_info{depends}}) {
+ next if $dest eq "";
+ foreach my $d (keys %{$unified_info{depends}->{$dest}}) {
+ next unless $d =~ /\.(h|pm)$/;
+ my $i = dirname($d);
+ my $spot =
+ $d eq "configdata.pm" || defined($unified_info{generate}->{$d})
Home |
Main Index |
Thread Index |
Old Index