Source-Changes-HG archive
[src/trunk]: src/crypto/external/bsd/openssl/dist merge conflicts
details: https://anonhg.NetBSD.org/src/rev/ecf7e621bdbc
branches: trunk
changeset: 834576:ecf7e621bdbc
user: christos <christos%NetBSD.org@localhost>
date: Sat Aug 18 08:59:03 2018 +0000
description:
merge conflicts
diffstat:
crypto/external/bsd/openssl/dist/CHANGES | 75 +++
crypto/external/bsd/openssl/dist/Configurations/90-team.conf | 112 ----
crypto/external/bsd/openssl/dist/Configure | 60 +-
crypto/external/bsd/openssl/dist/NEWS | 5 +
crypto/external/bsd/openssl/dist/README | 4 +-
crypto/external/bsd/openssl/dist/apps/ca.c | 29 +-
crypto/external/bsd/openssl/dist/apps/ocsp.c | 3 +-
crypto/external/bsd/openssl/dist/apps/s_client.c | 10 +-
crypto/external/bsd/openssl/dist/apps/s_server.c | 17 +-
crypto/external/bsd/openssl/dist/apps/speed.c | 227 ++++-----
crypto/external/bsd/openssl/dist/crypto/arm_arch.h | 4 +-
crypto/external/bsd/openssl/dist/crypto/armcap.c | 3 +-
crypto/external/bsd/openssl/dist/crypto/asn1/a_strex.c | 77 +--
crypto/external/bsd/openssl/dist/crypto/asn1/asn_mime.c | 8 +-
crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/bio/b_sock.c | 6 +-
crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c | 69 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_lcl.h | 23 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c | 85 ++-
crypto/external/bsd/openssl/dist/crypto/bn/bn_mont.c | 69 ++-
crypto/external/bsd/openssl/dist/crypto/cryptlib.c | 112 ++++-
crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c | 83 +++-
crypto/external/bsd/openssl/dist/crypto/ec/ec2_smpl.c | 3 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c | 13 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_lcl.h | 18 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c | 41 +-
crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c | 3 +-
crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c | 11 +-
crypto/external/bsd/openssl/dist/crypto/ex_data.c | 5 +-
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_oaep.c | 40 +-
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_pk1.c | 41 +-
crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c | 9 +-
crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c | 187 +++----
crypto/external/bsd/openssl/dist/doc/apps/genpkey.pod | 183 ++++---
crypto/external/bsd/openssl/dist/doc/crypto/EVP_DigestInit.pod | 51 ++-
crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c | 5 +-
crypto/external/bsd/openssl/dist/ssl/ssl_lib.c | 43 +-
crypto/external/bsd/openssl/dist/ssl/ssl_locl.h | 9 +-
crypto/external/bsd/openssl/dist/ssl/ssl_sess.c | 8 +-
crypto/external/bsd/openssl/dist/ssl/t1_lib.c | 50 +-
crypto/external/bsd/openssl/dist/test/evp_test.c | 10 +-
crypto/external/bsd/openssl/dist/util/mkdef.pl | 3 +-
43 files changed, 1070 insertions(+), 752 deletions(-)
diffs (truncated from 3667 to 300 lines):
diff -r dcac3bfdcbe6 -r ecf7e621bdbc crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Sat Aug 18 08:45:55 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Sat Aug 18 08:59:03 2018 +0000
@@ -7,6 +7,81 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.0h and 1.1.0i [14 Aug 2018]
+
+ *) Client DoS due to large DH parameter
+
+ During key agreement in a TLS handshake using a DH(E) based ciphersuite a
+ malicious server can send a very large prime value to the client. This will
+ cause the client to spend an unreasonably long period of time generating a
+ key for this prime resulting in a hang until the client has finished. This
+ could be exploited in a Denial Of Service attack.
+
+ This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
+ (CVE-2018-0732)
+ [Guido Vranken]
+
+ *) Cache timing vulnerability in RSA Key Generation
+
+ The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
+ a cache timing side channel attack. An attacker with sufficient access to
+ mount cache timing attacks during the RSA key generation process could
+ recover the private key.
+
+ This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
+ Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
+ (CVE-2018-0737)
+ [Billy Brumley]
+
+ *) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str
+ parameter is no longer accepted, as it leads to a corrupt table. NULL
+ pem_str is reserved for alias entries only.
+ [Richard Levitte]
+
+ *) Revert blinding in ECDSA sign and instead make problematic addition
+ length-invariant. Switch even to fixed-length Montgomery multiplication.
+ [Andy Polyakov]
+
+ *) Change generating and checking of primes so that the error rate of not
+ being prime depends on the intended use based on the size of the input.
+ For larger primes this will result in more rounds of Miller-Rabin.
+ The maximal error rate for primes with more than 1080 bits is lowered
+ to 2^-128.
+ [Kurt Roeckx, Annie Yousar]
+
+ *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+ [Kurt Roeckx]
+
+ *) Add blinding to ECDSA and DSA signatures to protect against side channel
+ attacks discovered by Keegan Ryan (NCC Group).
+ [Matt Caswell]
+
+ *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+ now allow empty (zero character) pass phrases.
+ [Richard Levitte]
+
+ *) Certificate time validation (X509_cmp_time) enforces stricter
+ compliance with RFC 5280. Fractional seconds and timezone offsets
+ are no longer allowed.
+ [Emilia Käsper]
+
+ *) Fixed a text canonicalisation bug in CMS
+
+ Where a CMS detached signature is used with text content the text goes
+ through a canonicalisation process first prior to signing or verifying a
+ signature. This process strips trailing space at the end of lines, converts
+ line terminators to CRLF and removes additional trailing line terminators
+ at the end of a file. A bug in the canonicalisation process meant that
+ some characters, such as form-feed, were incorrectly treated as whitespace
+ and removed. This is contrary to the specification (RFC5485). This fix
+ could mean that detached text data signed with an earlier version of
+ OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
+ signed with a fixed OpenSSL may fail to verify with an earlier version of
+ OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
+ and use the "-binary" flag (for the "cms" command line application) or set
+ the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
+ [Matt Caswell]
+
Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
*) Constructed ASN.1 types with a recursive definition could exceed the stack
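Review bot: The commit description "merge conflicts" does not say that this CHANGES hunk brings in the 1.1.0h to 1.1.0i entries, including the fixes for CVE-2018-0732 and CVE-2018-0737; naming the imported version and the CVEs in the description would let someone scanning the log find the security update. Two entries here also change behaviour that callers can observe: X509_cmp_time no longer allows fractional seconds or timezone offsets, and the CMS canonicalisation fix can make detached text signatures produced by an earlier 1.1.0 version fail to verify, so both deserve a mention in the release notes of the importing tree.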
diff -r dcac3bfdcbe6 -r ecf7e621bdbc crypto/external/bsd/openssl/dist/Configurations/90-team.conf
--- a/crypto/external/bsd/openssl/dist/Configurations/90-team.conf Sat Aug 18 08:45:55 2018 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,112 +0,0 @@
-## -*- mode: perl; -*-
-## Build configuration targets for openssl-team members
-
-%targets = (
- "purify" => {
- cc => "purify gcc",
- cflags => "-g -Wall",
- thread_scheme => "(unknown)",
- ex_libs => add(" ","-lsocket -lnsl"),
- },
- "debug" => {
- cc => "gcc",
- cflags => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror",
- thread_scheme => "(unknown)",
- },
- "debug-erbridge" => {
- inherit_from => [ "x86_64_asm" ],
- cc => "gcc",
- cflags => combine("$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g",
- threads("-D_REENTRANT")),
- ex_libs => add(" ","-ldl"),
- bn_ops => "SIXTY_FOUR_BIT_LONG",
- thread_scheme => "pthreads",
- perlasm_scheme => "elf",
- dso_scheme => "dlfcn",
- shared_target => "linux-shared",
- shared_cflag => "-fPIC",
- shared_ldflag => "-m64",
- shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- multilib => "64",
- },
- "debug-linux-pentium" => {
- inherit_from => [ "x86_elf_asm" ],
- cc => "gcc",
- cflags => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
- threads("-D_REENTRANT")),
- ex_libs => add(" ","-ldl"),
- bn_ops => "BN_LLONG",
- thread_scheme => "pthreads",
- dso_scheme => "dlfcn",
- },
- "debug-linux-ppro" => {
- inherit_from => [ "x86_elf_asm" ],
- cc => "gcc",
- cflags => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
- threads("-D_REENTRANT")),
- ex_libs => add(" ","-ldl"),
- bn_ops => "BN_LLONG",
- thread_scheme => "pthreads",
- dso_scheme => "dlfcn",
- },
- "debug-linux-ia32-aes" => {
- cc => "gcc",
- cflags => combine("-DL_ENDIAN -O3 -fomit-frame-pointer -Wall",
- threads("-D_REENTRANT")),
- ex_libs => add(" ","-ldl"),
- bn_ops => "BN_LLONG",
- cpuid_asm_src => "x86cpuid.s",
- bn_asm_src => "bn-586.s co-586.s x86-mont.s",
- des_asm_src => "des-586.s crypt586.s",
- aes_asm_src => "aes_x86core.s aes_cbc.s aesni-x86.s",
- bf_asm_src => "bf-586.s",
- md5_asm_src => "md5-586.s",
- sha1_asm_src => "sha1-586.s sha256-586.s sha512-586.s",
- cast_asm_src => "cast-586.s",
- rc4_asm_src => "rc4-586.s",
- rmd160_asm_src => "rmd-586.s",
- rc5_asm_src => "rc5-586.s",
- wp_asm_src => "wp_block.s wp-mmx.s",
- modes_asm_src => "ghash-x86.s",
- padlock_asm_src => "e_padlock-x86.s",
- thread_scheme => "pthreads",
- perlasm_scheme => "elf",
- dso_scheme => "dlfcn",
- shared_target => "linux-shared",
- shared_cflag => "-fPIC",
- shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- },
- "dist" => {
- cc => "cc",
- cflags => "-O",
- thread_scheme => "(unknown)",
- },
- "debug-test-64-clang" => {
- inherit_from => [ "x86_64_asm" ],
- cc => "clang",
- cflags => combine("$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable
-Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
- threads("${BSDthreads}")),
- bn_ops => "SIXTY_FOUR_BIT_LONG",
- thread_scheme => "pthreads",
- perlasm_scheme => "elf",
- dso_scheme => "dlfcn",
- shared_target => "bsd-gcc-shared",
- shared_cflag => "-fPIC",
- shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
- },
- "darwin64-debug-test-64-clang" => {
- inherit_from => [ "x86_64_asm" ],
- cc => "clang",
- cflags => combine("-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token
-Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
- threads("${BSDthreads}")),
- sys_id => "MACOSX",
- bn_ops => "SIXTY_FOUR_BIT_LONG",
- thread_scheme => "pthreads",
- perlasm_scheme => "macosx",
- dso_scheme => "dlfcn",
- shared_target => "darwin-shared",
- shared_cflag => "-fPIC -fno-common",
- shared_ldflag => "-arch x86_64 -dynamiclib",
- shared_extension => ".\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
- },
-);
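Review bot: The removal of Configurations/90-team.conf is not explained by the description "merge conflicts"; state whether the file was dropped upstream or removed locally. Its header comment marks it as build targets for openssl-team members, so the deletion looks safe, but confirm that nothing in the local build selects one of the removed targets such as "debug" or "dist".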
diff -r dcac3bfdcbe6 -r ecf7e621bdbc crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure Sat Aug 18 08:45:55 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure Sat Aug 18 08:59:03 2018 +0000
@@ -20,6 +20,9 @@
# see INSTALL for instructions.
+my $orig_death_handler = $SIG{__DIE__};
+$SIG{__DIE__} = \&death_handler;
+
my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso]
[no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
# Options:
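Review bot: The two added lines that install death_handler into $SIG{__DIE__} carry no comment, and the sub itself is only defined in the helpers section near the end of the file. A one-line comment here saying that the handler adds a failure message, and that the previous handler is saved in $orig_death_handler so it can be put back once the builder has run, would save the reader a search.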
@@ -756,21 +759,21 @@
else
{ $config{options} .= " ".$_; }
}
+ }
- if (defined($config{api}) && !exists $apitable->{$config{api}}) {
- die "***** Unsupported api compatibility level: $config{api}\n",
- }
+if (defined($config{api}) && !exists $apitable->{$config{api}}) {
+ die "***** Unsupported api compatibility level: $config{api}\n",
+}
- if (keys %deprecated_options)
- {
- warn "***** Deprecated options: ",
- join(", ", keys %deprecated_options), "\n";
- }
- if (keys %unsupported_options)
- {
- die "***** Unsupported options: ",
- join(", ", keys %unsupported_options), "\n";
- }
+if (keys %deprecated_options)
+ {
+ warn "***** Deprecated options: ",
+ join(", ", keys %deprecated_options), "\n";
+ }
+if (keys %unsupported_options)
+ {
+ die "***** Unsupported options: ",
+ join(", ", keys %unsupported_options), "\n";
}
if ($libs =~ /(^|\s)-Wl,-rpath,/
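Review bot: The relocated `die "***** Unsupported api compatibility level: $config{api}\n",` still ends in a comma instead of a semicolon; Perl accepts it because the closing brace follows, but since the line is being rewritten anyway it should end with `;`. The added closing brace ahead of these checks also moves all three of them (api level, deprecated options, unsupported options) out of an enclosing block whose opening is not visible in this hunk, so the description should say that running them outside that block is intended.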
@@ -908,11 +911,12 @@
$target = $t;
}
}
+
+&usage if !$table{$target} || $table{$target}->{template};
+
$config{target} = $target;
my %target = resolve_config($target);
-&usage if (!%target || $target{template});
-
my %conf_files = map { $_ => 1 } (@{$target{_conf_fname_int}});
$config{conf_files} = [ sort keys %conf_files ];
%target = ( %{$table{DEFAULTS}}, %target );
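Review bot: Moving the usage check ahead of resolve_config() drops the old `!%target` test on its return value, so if resolve_config() can return an empty hash for a target that does exist in %table, the script now continues to the `%target = ( %{$table{DEFAULTS}}, %target );` merge with no diagnostic. Either confirm that resolve_config() cannot return empty for a non-template entry of %table, or keep a check on %target after the call. The new condition itself is fine: `!$table{$target}` is tested first, so `$table{$target}->{template}` does not autovivify an entry for an unknown target.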
@@ -1215,8 +1219,10 @@
if (!$disabled{makedepend}) {
# We know that GNU C version 3 and up as well as all clang
- # versions support dependency generation
- if ($predefined{__GNUC__} >= 3) {
+ # versions support dependency generation, but Xcode did not
+ # handle $cc -M before clang support (but claims __GNUC__ = 3)
+ if (($predefined{__GNUC__} // -1) >= 3
+ && !($predefined{__APPLE_CC__} && !$predefined{__clang__})) {
$config{makedepprog} = $cc;
} else {
$config{makedepprog} = which('makedepend');
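Review bot: The new condition `($predefined{__GNUC__} // -1) >= 3` uses the defined-or operator, which needs Perl 5.10 or later; if Configure does not already declare that minimum, it should, since older interpreters will fail to parse the file rather than report a clear error. The default of -1 does fix the comparison against an undefined value when the compiler does not define __GNUC__, which is worth stating in the comment next to the Xcode remark.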
@@ -2125,6 +2131,8 @@
$builders{$builder}->($builder_platform, @builder_opts);
+$SIG{__DIE__} = $orig_death_handler;
+
print <<"EOF";
Configured for $target.
@@ -2153,6 +2161,24 @@
# Helpers and utility functions
#
+# Death handler, to print a helpful message in case of failure #######
+#
+sub death_handler {
+ die @_ if $^S; # To prevent the added message in eval blocks
+ my $build_file = $target{build_file} // "build file";
+ my @message = ( <<"_____", @_ );
+
+Failure! $build_file wasn't produced.
+Please read INSTALL and associated NOTES files. You may also have to look over
+your available compiler tool chain or change your configuration.
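Review bot: The guard `die @_ if $^S;` in death_handler only passes the error through untouched when $^S is true; Perl leaves $^S undefined while parsing is unfinished, so a die raised during compilation inside an eval still gets the "Failure!" text prepended. If that case matters, test `!defined $^S || $^S` instead. The handler also reads $target{build_file} and falls back to "build file", which is the right default for a die that happens before the target is resolved; the rest of the sub is cut off in this archive view and cannot be reviewed here.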