Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/external/bsd/openssl/dist update of openssl to the ne...
details: https://anonhg.NetBSD.org/src/rev/2c02137ceef5
branches: trunk
changeset: 333064:2c02137ceef5
user: spz <spz%NetBSD.org@localhost>
date: Fri Oct 17 16:34:25 2014 +0000
description:
update of openssl to the next higher version, 1.0.1j
Upstream condensed log:
Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
o Fix for CVE-2014-3513
o Fix for CVE-2014-3567
o Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
o Fix for CVE-2014-3568
diffstat:
crypto/external/bsd/openssl/dist/CHANGES | 51 ++
crypto/external/bsd/openssl/dist/Configure | 6 +
crypto/external/bsd/openssl/dist/Makefile | 2 +-
crypto/external/bsd/openssl/dist/NEWS | 7 +
crypto/external/bsd/openssl/dist/README | 2 +-
crypto/external/bsd/openssl/dist/apps/makeapps.com | 21 +-
crypto/external/bsd/openssl/dist/apps/s_client.c | 10 +
crypto/external/bsd/openssl/dist/crypto/LPdir_vms.c | 7 +-
crypto/external/bsd/openssl/dist/crypto/LPdir_win.c | 48 +-
crypto/external/bsd/openssl/dist/crypto/Makefile | 4 +-
crypto/external/bsd/openssl/dist/crypto/aes/asm/aesni-x86_64.pl | 52 +-
crypto/external/bsd/openssl/dist/crypto/asn1/a_strex.c | 1 +
crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-gcc.c | 8 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c | 9 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_nist.c | 6 +-
crypto/external/bsd/openssl/dist/crypto/bn/exptest.c | 45 +-
crypto/external/bsd/openssl/dist/crypto/constant_time_locl.h | 216 ++++++++
crypto/external/bsd/openssl/dist/crypto/crypto-lib.com | 67 +-
crypto/external/bsd/openssl/dist/crypto/dsa/dsa_ameth.c | 7 +-
crypto/external/bsd/openssl/dist/crypto/ebcdic.h | 7 +
crypto/external/bsd/openssl/dist/crypto/ec/ec.h | 2 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec2_smpl.c | 9 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c | 14 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c | 42 +-
crypto/external/bsd/openssl/dist/crypto/ec/ecp_mont.c | 9 +-
crypto/external/bsd/openssl/dist/crypto/ec/ecp_nist.c | 9 +-
crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c | 13 +-
crypto/external/bsd/openssl/dist/crypto/ec/ectest.c | 5 +-
crypto/external/bsd/openssl/dist/crypto/err/openssl.ec | 1 +
crypto/external/bsd/openssl/dist/crypto/evp/Makefile | 2 +-
crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c | 56 +-
crypto/external/bsd/openssl/dist/crypto/install-crypto.com | 9 +-
crypto/external/bsd/openssl/dist/crypto/md5/asm/md5-x86_64.pl | 2 +-
crypto/external/bsd/openssl/dist/crypto/modes/modes.h | 6 +
crypto/external/bsd/openssl/dist/crypto/ocsp/ocsp_vfy.c | 7 +-
crypto/external/bsd/openssl/dist/crypto/opensslconf.h | 6 +
crypto/external/bsd/openssl/dist/crypto/opensslv.h | 13 +-
crypto/external/bsd/openssl/dist/crypto/ossl_typ.h | 7 +
crypto/external/bsd/openssl/dist/crypto/pkcs7/pkcs7.h | 4 -
crypto/external/bsd/openssl/dist/crypto/pqueue/pqueue.h | 6 +
crypto/external/bsd/openssl/dist/crypto/rsa/Makefile | 5 +-
crypto/external/bsd/openssl/dist/crypto/rsa/rsa.h | 1 +
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_err.c | 1 +
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_oaep.c | 148 +++--
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_pk1.c | 103 ++-
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_sign.c | 21 +-
crypto/external/bsd/openssl/dist/crypto/stack/safestack.h | 8 +
crypto/external/bsd/openssl/dist/doc/apps/dgst.pod | 68 ++-
crypto/external/bsd/openssl/dist/doc/crypto/BIO_s_accept.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/crypto/EVP_DigestInit.pod | 30 +-
crypto/external/bsd/openssl/dist/doc/crypto/EVP_DigestVerifyInit.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/crypto/EVP_EncryptInit.pod | 56 +-
crypto/external/bsd/openssl/dist/doc/crypto/EVP_PKEY_set1_RSA.pod | 8 +-
crypto/external/bsd/openssl/dist/doc/crypto/EVP_PKEY_sign.pod | 20 +-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 15 +-
crypto/external/bsd/openssl/dist/e_os.h | 12 +-
crypto/external/bsd/openssl/dist/engines/makeengines.com | 23 +-
crypto/external/bsd/openssl/dist/makevms.com | 17 +-
crypto/external/bsd/openssl/dist/openssl.spec | 2 +-
crypto/external/bsd/openssl/dist/ssl/Makefile | 86 +-
crypto/external/bsd/openssl/dist/ssl/d1_both.c | 3 +
crypto/external/bsd/openssl/dist/ssl/d1_lib.c | 10 +
crypto/external/bsd/openssl/dist/ssl/d1_srtp.c | 93 +--
crypto/external/bsd/openssl/dist/ssl/dtls1.h | 3 +-
crypto/external/bsd/openssl/dist/ssl/s23_clnt.c | 12 +-
crypto/external/bsd/openssl/dist/ssl/s23_srvr.c | 21 +-
crypto/external/bsd/openssl/dist/ssl/s2_lib.c | 4 +-
crypto/external/bsd/openssl/dist/ssl/s3_cbc.c | 65 +--
crypto/external/bsd/openssl/dist/ssl/s3_clnt.c | 250 +++++++--
crypto/external/bsd/openssl/dist/ssl/s3_enc.c | 2 +-
crypto/external/bsd/openssl/dist/ssl/s3_lib.c | 40 +-
crypto/external/bsd/openssl/dist/ssl/s3_pkt.c | 19 +-
crypto/external/bsd/openssl/dist/ssl/s3_srvr.c | 109 ++-
crypto/external/bsd/openssl/dist/ssl/srtp.h | 4 +
crypto/external/bsd/openssl/dist/ssl/ssl-lib.com | 21 +-
crypto/external/bsd/openssl/dist/ssl/ssl.h | 9 +
crypto/external/bsd/openssl/dist/ssl/ssl3.h | 7 +-
crypto/external/bsd/openssl/dist/ssl/ssl_err.c | 2 +
crypto/external/bsd/openssl/dist/ssl/ssl_lib.c | 75 ++-
crypto/external/bsd/openssl/dist/ssl/t1_enc.c | 1 +
crypto/external/bsd/openssl/dist/ssl/t1_lib.c | 12 +-
crypto/external/bsd/openssl/dist/ssl/tls1.h | 15 +-
crypto/external/bsd/openssl/dist/test/Makefile | 22 +-
crypto/external/bsd/openssl/dist/test/maketests.com | 5 +-
crypto/external/bsd/openssl/dist/test/tests.com | 14 +-
crypto/external/bsd/openssl/dist/test/testssl | 6 +
crypto/external/bsd/openssl/dist/util/mk1mf.pl | 1 +
crypto/external/bsd/openssl/dist/util/mkdef.pl | 6 +-
crypto/external/bsd/openssl/dist/util/ssleay.num | 8 +-
90 files changed, 1604 insertions(+), 667 deletions(-)
diffs (truncated from 4613 to 300 lines):
diff -r 10fed8754e4b -r 2c02137ceef5 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Fri Oct 17 14:53:59 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Fri Oct 17 16:34:25 2014 +0000
@@ -2,6 +2,57 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
+
+ *) SRTP Memory Leak.
+
+ A flaw in the DTLS SRTP extension parsing code allows an attacker, who
+ sends a carefully crafted handshake message, to cause OpenSSL to fail
+ to free up to 64k of memory causing a memory leak. This could be
+ exploited in a Denial Of Service attack. This issue affects OpenSSL
+ 1.0.1 server implementations for both SSL/TLS and DTLS regardless of
+ whether SRTP is used or configured. Implementations of OpenSSL that
+ have been compiled with OPENSSL_NO_SRTP defined are not affected.
+
+ The fix was developed by the OpenSSL team.
+ (CVE-2014-3513)
+ [OpenSSL team]
+
+ *) Session Ticket Memory Leak.
+
+ When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
+ integrity of that ticket is first verified. In the event of a session
+ ticket integrity check failing, OpenSSL will fail to free memory
+ causing a memory leak. By sending a large number of invalid session
+ tickets an attacker could exploit this issue in a Denial Of Service
+ attack.
+ (CVE-2014-3567)
+ [Steve Henson]
+
+ *) Build option no-ssl3 is incomplete.
+
+ When OpenSSL is configured with "no-ssl3" as a build option, servers
+ could accept and complete a SSL 3.0 handshake, and clients could be
+ configured to send them.
+ (CVE-2014-3568)
+ [Akamai and the OpenSSL team]
+
+ *) Add support for TLS_FALLBACK_SCSV.
+ Client applications doing fallback retries should call
+ SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
+ (CVE-2014-3566)
+ [Adam Langley, Bodo Moeller]
+
+ *) Add additional DigestInfo checks.
+
+ Reencode DigestInto in DER and check against the original when
+ verifying RSA signature: this will reject any improperly encoded
+ DigestInfo structures.
+
+ Note: this is a precautionary measure and no attacks are currently known.
+
+ [Steve Henson]
+
Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
*) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
diff -r 10fed8754e4b -r 2c02137ceef5 crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure Fri Oct 17 14:53:59 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure Fri Oct 17 16:34:25 2014 +0000
@@ -1767,6 +1767,9 @@
print OUT "/* opensslconf.h */\n";
print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configure. */\n\n";
+print OUT "#ifdef __cplusplus\n";
+print OUT "extern \"C\" {\n";
+print OUT "#endif\n";
print OUT "/* OpenSSL was configured with the following options: */\n";
my $openssl_algorithm_defines_trans = $openssl_algorithm_defines;
$openssl_experimental_defines =~ s/^\s*#\s*define\s+OPENSSL_NO_(.*)/#ifndef OPENSSL_EXPERIMENTAL_$1\n# ifndef OPENSSL_NO_$1\n# define OPENSSL_NO_$1\n# endif\n#endif/mg;
@@ -1871,6 +1874,9 @@
{ print OUT $_; }
}
close(IN);
+print OUT "#ifdef __cplusplus\n";
+print OUT "}\n";
+print OUT "#endif\n";
close(OUT);
rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
diff -r 10fed8754e4b -r 2c02137ceef5 crypto/external/bsd/openssl/dist/Makefile
--- a/crypto/external/bsd/openssl/dist/Makefile Fri Oct 17 14:53:59 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile Fri Oct 17 16:34:25 2014 +0000
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.1i
+VERSION=1.0.1j
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
diff -r 10fed8754e4b -r 2c02137ceef5 crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS Fri Oct 17 14:53:59 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS Fri Oct 17 16:34:25 2014 +0000
@@ -5,6 +5,13 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
+
+ o Fix for CVE-2014-3513
+ o Fix for CVE-2014-3567
+ o Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
+ o Fix for CVE-2014-3568
+
Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]
o Fix for CVE-2014-3512
diff -r 10fed8754e4b -r 2c02137ceef5 crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README Fri Oct 17 14:53:59 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/README Fri Oct 17 16:34:25 2014 +0000
@@ -1,5 +1,5 @@
- OpenSSL 1.0.1i 6 Aug 2014
+ OpenSSL 1.0.1j 15 Oct 2014
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r 10fed8754e4b -r 2c02137ceef5 crypto/external/bsd/openssl/dist/apps/makeapps.com
--- a/crypto/external/bsd/openssl/dist/apps/makeapps.com Fri Oct 17 14:53:59 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/makeapps.com Fri Oct 17 16:34:25 2014 +0000
@@ -773,9 +773,12 @@
$ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
$ CCEXTRAFLAGS = ""
$ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
-$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
- CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
+$ CCDISABLEWARNINGS = "" !!! "MAYLOSEDATA3" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
+$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. ""
+$ THEN
+$ IF CCDISABLEWARNINGS .NES. "" THEN CCDISABLEWARNINGS = CCDISABLEWARNINGS + ","
+$ CCDISABLEWARNINGS = CCDISABLEWARNINGS + USER_CCDISABLEWARNINGS
+$ ENDIF
$!
$! Check To See If We Have A ZLIB Option.
$!
@@ -1064,6 +1067,18 @@
$!
$ IF COMPILER .EQS. "DECC"
$ THEN
+$! Not all compiler versions support MAYLOSEDATA3.
+$ OPT_TEST = "MAYLOSEDATA3"
+$ DEFINE /USER_MODE SYS$ERROR NL:
+$ DEFINE /USER_MODE SYS$OUTPUT NL:
+$ 'CC' /NOCROSS_REFERENCE /NOLIST /NOOBJECT -
+ /WARNINGS = DISABLE = ('OPT_TEST', EMPTYFILE) NL:
+$ IF ($SEVERITY)
+$ THEN
+$ IF CCDISABLEWARNINGS .NES. "" THEN -
+ CCDISABLEWARNINGS = CCDISABLEWARNINGS+ ","
+$ CCDISABLEWARNINGS = CCDISABLEWARNINGS+ OPT_TEST
+$ ENDIF
$ IF CCDISABLEWARNINGS .NES. ""
$ THEN
$ CCDISABLEWARNINGS = " /WARNING=(DISABLE=(" + CCDISABLEWARNINGS + "))"
diff -r 10fed8754e4b -r 2c02137ceef5 crypto/external/bsd/openssl/dist/apps/s_client.c
--- a/crypto/external/bsd/openssl/dist/apps/s_client.c Fri Oct 17 14:53:59 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/s_client.c Fri Oct 17 16:34:25 2014 +0000
@@ -337,6 +337,7 @@
BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
BIO_printf(bio_err," -tls1 - just use TLSv1\n");
BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
+ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
BIO_printf(bio_err," -mtu - set the link layer MTU\n");
BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
@@ -618,6 +619,7 @@
char *sess_out = NULL;
struct sockaddr peer;
int peerlen = sizeof(peer);
+ int fallback_scsv = 0;
int enable_timeouts = 0 ;
long socket_mtu = 0;
#ifndef OPENSSL_NO_JPAKE
@@ -824,6 +826,10 @@
meth=DTLSv1_client_method();
socket_type=SOCK_DGRAM;
}
+ else if (strcmp(*argv,"-fallback_scsv") == 0)
+ {
+ fallback_scsv = 1;
+ }
else if (strcmp(*argv,"-timeout") == 0)
enable_timeouts=1;
else if (strcmp(*argv,"-mtu") == 0)
@@ -1236,6 +1242,10 @@
SSL_set_session(con, sess);
SSL_SESSION_free(sess);
}
+
+ if (fallback_scsv)
+ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
+
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL)
{
diff -r 10fed8754e4b -r 2c02137ceef5 crypto/external/bsd/openssl/dist/crypto/LPdir_vms.c
--- a/crypto/external/bsd/openssl/dist/crypto/LPdir_vms.c Fri Oct 17 14:53:59 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/LPdir_vms.c Fri Oct 17 16:34:25 2014 +0000
@@ -1,4 +1,3 @@
-/* $LP: LPlib/source/LPdir_vms.c,v 1.20 2004/08/26 13:36:05 _cvs_levitte Exp $ */
/*
* Copyright (c) 2004, Richard Levitte <richard%levitte.org@localhost>
* All rights reserved.
@@ -88,6 +87,12 @@
size_t filespeclen = strlen(directory);
char *filespec = NULL;
+ if (filespeclen == 0)
+ {
+ errno = ENOENT;
+ return 0;
+ }
+
/* MUST be a VMS directory specification! Let's estimate if it is. */
if (directory[filespeclen-1] != ']'
&& directory[filespeclen-1] != '>'
diff -r 10fed8754e4b -r 2c02137ceef5 crypto/external/bsd/openssl/dist/crypto/LPdir_win.c
--- a/crypto/external/bsd/openssl/dist/crypto/LPdir_win.c Fri Oct 17 14:53:59 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/LPdir_win.c Fri Oct 17 16:34:25 2014 +0000
@@ -1,4 +1,3 @@
-/* $LP: LPlib/source/LPdir_win.c,v 1.10 2004/08/26 13:36:05 _cvs_levitte Exp $ */
/*
* Copyright (c) 2004, Richard Levitte <richard%levitte.org@localhost>
* All rights reserved.
@@ -63,6 +62,16 @@
errno = 0;
if (*ctx == NULL)
{
+ const char *extdir = directory;
+ char *extdirbuf = NULL;
+ size_t dirlen = strlen (directory);
+
+ if (dirlen == 0)
+ {
+ errno = ENOENT;
+ return 0;
+ }
+
*ctx = (LP_DIR_CTX *)malloc(sizeof(LP_DIR_CTX));
if (*ctx == NULL)
{
@@ -71,15 +80,35 @@
}
memset(*ctx, '\0', sizeof(LP_DIR_CTX));
+ if (directory[dirlen-1] != '*')
+ {
+ extdirbuf = (char *)malloc(dirlen + 3);
+ if (extdirbuf == NULL)
+ {
+ free(*ctx);
+ *ctx = NULL;
+ errno = ENOMEM;
+ return 0;
+ }
+ if (directory[dirlen-1] != '/' && directory[dirlen-1] != '\\')
+ extdir = strcat(strcpy (extdirbuf,directory),"/*");
+ else
+ extdir = strcat(strcpy (extdirbuf,directory),"*");
+ }
+
if (sizeof(TCHAR) != sizeof(char))
{
TCHAR *wdir = NULL;
/* len_0 denotes string length *with* trailing 0 */
- size_t index = 0,len_0 = strlen(directory) + 1;
+ size_t index = 0,len_0 = strlen(extdir) + 1;
- wdir = (TCHAR *)malloc(len_0 * sizeof(TCHAR));
+ wdir = (TCHAR *)calloc(len_0, sizeof(TCHAR));
if (wdir == NULL)
{
+ if (extdirbuf != NULL)
+ {
+ free (extdirbuf);
+ }
free(*ctx);
*ctx = NULL;
errno = ENOMEM;
@@ -87,17 +116,23 @@
}
#ifdef LP_MULTIBYTE_AVAILABLE
- if (!MultiByteToWideChar(CP_ACP, 0, directory, len_0, (WCHAR *)wdir, len_0))
+ if (!MultiByteToWideChar(CP_ACP, 0, extdir, len_0, (WCHAR *)wdir, len_0))
#endif
for (index = 0; index < len_0; index++)
- wdir[index] = (TCHAR)directory[index];
+ wdir[index] = (TCHAR)extdir[index];
(*ctx)->handle = FindFirstFile(wdir, &(*ctx)->ctx);
free(wdir);
Home |
Main Index |
Thread Index |
Old Index