Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/crypto/external/bsd/openssl/dist merge conflicts



details:   https://anonhg.NetBSD.org/src/rev/ecf7e621bdbc
branches:  trunk
changeset: 834576:ecf7e621bdbc
user:      christos <christos%NetBSD.org@localhost>
date:      Sat Aug 18 08:59:03 2018 +0000

description:
merge conflicts

diffstat:

 crypto/external/bsd/openssl/dist/CHANGES                       |   75 +++
 crypto/external/bsd/openssl/dist/Configurations/90-team.conf   |  112 ----
 crypto/external/bsd/openssl/dist/Configure                     |   60 +-
 crypto/external/bsd/openssl/dist/NEWS                          |    5 +
 crypto/external/bsd/openssl/dist/README                        |    4 +-
 crypto/external/bsd/openssl/dist/apps/ca.c                     |   29 +-
 crypto/external/bsd/openssl/dist/apps/ocsp.c                   |    3 +-
 crypto/external/bsd/openssl/dist/apps/s_client.c               |   10 +-
 crypto/external/bsd/openssl/dist/apps/s_server.c               |   17 +-
 crypto/external/bsd/openssl/dist/apps/speed.c                  |  227 ++++-----
 crypto/external/bsd/openssl/dist/crypto/arm_arch.h             |    4 +-
 crypto/external/bsd/openssl/dist/crypto/armcap.c               |    3 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/a_strex.c         |   77 +--
 crypto/external/bsd/openssl/dist/crypto/asn1/asn_mime.c        |    8 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c        |    4 +-
 crypto/external/bsd/openssl/dist/crypto/bio/b_sock.c           |    6 +-
 crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c          |    4 +-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c            |   69 +-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_lcl.h            |   23 +-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c            |   85 ++-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_mont.c           |   69 ++-
 crypto/external/bsd/openssl/dist/crypto/cryptlib.c             |  112 ++++-
 crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c        |   83 +++-
 crypto/external/bsd/openssl/dist/crypto/ec/ec2_smpl.c          |    3 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c          |   13 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ec_lcl.h            |   18 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c            |   41 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c          |    3 +-
 crypto/external/bsd/openssl/dist/crypto/engine/eng_lib.c       |   11 +-
 crypto/external/bsd/openssl/dist/crypto/ex_data.c              |    5 +-
 crypto/external/bsd/openssl/dist/crypto/rsa/rsa_oaep.c         |   40 +-
 crypto/external/bsd/openssl/dist/crypto/rsa/rsa_pk1.c          |   41 +-
 crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c        |    9 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c        |  187 +++----
 crypto/external/bsd/openssl/dist/doc/apps/genpkey.pod          |  183 ++++---
 crypto/external/bsd/openssl/dist/doc/crypto/EVP_DigestInit.pod |   51 ++-
 crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c                |    5 +-
 crypto/external/bsd/openssl/dist/ssl/ssl_lib.c                 |   43 +-
 crypto/external/bsd/openssl/dist/ssl/ssl_locl.h                |    9 +-
 crypto/external/bsd/openssl/dist/ssl/ssl_sess.c                |    8 +-
 crypto/external/bsd/openssl/dist/ssl/t1_lib.c                  |   50 +-
 crypto/external/bsd/openssl/dist/test/evp_test.c               |   10 +-
 crypto/external/bsd/openssl/dist/util/mkdef.pl                 |    3 +-
 43 files changed, 1070 insertions(+), 752 deletions(-)

diffs (truncated from 3667 to 300 lines):

diff -r dcac3bfdcbe6 -r ecf7e621bdbc crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES  Sat Aug 18 08:45:55 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES  Sat Aug 18 08:59:03 2018 +0000
@@ -7,6 +7,81 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.0h and 1.1.0i [14 Aug 2018]
+
+  *) Client DoS due to large DH parameter
+
+     During key agreement in a TLS handshake using a DH(E) based ciphersuite a
+     malicious server can send a very large prime value to the client. This will
+     cause the client to spend an unreasonably long period of time generating a
+     key for this prime resulting in a hang until the client has finished. This
+     could be exploited in a Denial Of Service attack.
+
+     This issue was reported to OpenSSL on 5th June 2018 by Guido Vranken
+     (CVE-2018-0732)
+     [Guido Vranken]
+
+  *) Cache timing vulnerability in RSA Key Generation
+
+     The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to
+     a cache timing side channel attack. An attacker with sufficient access to
+     mount cache timing attacks during the RSA key generation process could
+     recover the private key.
+
+     This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
+     Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
+     (CVE-2018-0737)
+     [Billy Brumley]
+
+  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
+     parameter is no longer accepted, as it leads to a corrupt table.  NULL
+     pem_str is reserved for alias entries only.
+     [Richard Levitte]
+
+  *) Revert blinding in ECDSA sign and instead make problematic addition
+     length-invariant. Switch even to fixed-length Montgomery multiplication.
+     [Andy Polyakov]
+
+  *) Change generating and checking of primes so that the error rate of not
+     being prime depends on the intended use based on the size of the input.
+     For larger primes this will result in more rounds of Miller-Rabin.
+     The maximal error rate for primes with more than 1080 bits is lowered
+     to 2^-128.
+     [Kurt Roeckx, Annie Yousar]
+
+  *) Increase the number of Miller-Rabin rounds for DSA key generating to 64.
+     [Kurt Roeckx]
+
+  *) Add blinding to ECDSA and DSA signatures to protect against side channel
+     attacks discovered by Keegan Ryan (NCC Group).
+     [Matt Caswell]
+
+  *) When unlocking a pass phrase protected PEM file or PKCS#8 container, we
+     now allow empty (zero character) pass phrases.
+     [Richard Levitte]
+
+  *) Certificate time validation (X509_cmp_time) enforces stricter
+     compliance with RFC 5280. Fractional seconds and timezone offsets
+     are no longer allowed.
+     [Emilia Käsper]
+
+  *) Fixed a text canonicalisation bug in CMS
+
+     Where a CMS detached signature is used with text content the text goes
+     through a canonicalisation process first prior to signing or verifying a
+     signature. This process strips trailing space at the end of lines, converts
+     line terminators to CRLF and removes additional trailing line terminators
+     at the end of a file. A bug in the canonicalisation process meant that
+     some characters, such as form-feed, were incorrectly treated as whitespace
+     and removed. This is contrary to the specification (RFC5485). This fix
+     could mean that detached text data signed with an earlier version of
+     OpenSSL 1.1.0 may fail to verify using the fixed version, or text data
+     signed with a fixed OpenSSL may fail to verify with an earlier version of
+     OpenSSL 1.1.0. A workaround is to only verify the canonicalised text data
+     and use the "-binary" flag (for the "cms" command line application) or set
+     the SMIME_BINARY/PKCS7_BINARY/CMS_BINARY flags (if using CMS_verify()).
+     [Matt Caswell]
+
  Changes between 1.1.0g and 1.1.0h [27 Mar 2018]
 
   *) Constructed ASN.1 types with a recursive definition could exceed the stack
diff -r dcac3bfdcbe6 -r ecf7e621bdbc crypto/external/bsd/openssl/dist/Configurations/90-team.conf
--- a/crypto/external/bsd/openssl/dist/Configurations/90-team.conf      Sat Aug 18 08:45:55 2018 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,112 +0,0 @@
-## -*- mode: perl; -*-
-## Build configuration targets for openssl-team members
-
-%targets = (
-    "purify" => {
-        cc               => "purify gcc",
-        cflags           => "-g -Wall",
-        thread_scheme    => "(unknown)",
-        ex_libs          => add(" ","-lsocket -lnsl"),
-    },
-    "debug" => {
-        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror",
-        thread_scheme    => "(unknown)",
-    },
-    "debug-erbridge" => {
-        inherit_from     => [ "x86_64_asm" ],
-        cc               => "gcc",
-        cflags           => combine("$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g",
-                                    threads("-D_REENTRANT")),
-        ex_libs          => add(" ","-ldl"),
-        bn_ops           => "SIXTY_FOUR_BIT_LONG",
-        thread_scheme    => "pthreads",
-        perlasm_scheme   => "elf",
-        dso_scheme       => "dlfcn",
-        shared_target    => "linux-shared",
-        shared_cflag     => "-fPIC",
-        shared_ldflag    => "-m64",
-        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-        multilib         => "64",
-    },
-    "debug-linux-pentium" => {
-        inherit_from     => [ "x86_elf_asm" ],
-        cc               => "gcc",
-        cflags           => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
-                                    threads("-D_REENTRANT")),
-        ex_libs          => add(" ","-ldl"),
-        bn_ops           => "BN_LLONG",
-        thread_scheme    => "pthreads",
-        dso_scheme       => "dlfcn",
-    },
-    "debug-linux-ppro" => {
-        inherit_from     => [ "x86_elf_asm" ],
-        cc               => "gcc",
-        cflags           => combine("-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
-                                    threads("-D_REENTRANT")),
-        ex_libs          => add(" ","-ldl"),
-        bn_ops           => "BN_LLONG",
-        thread_scheme    => "pthreads",
-        dso_scheme       => "dlfcn",
-    },
-    "debug-linux-ia32-aes" => {
-        cc               => "gcc",
-        cflags           => combine("-DL_ENDIAN -O3 -fomit-frame-pointer -Wall",
-                                    threads("-D_REENTRANT")),
-        ex_libs          => add(" ","-ldl"),
-        bn_ops           => "BN_LLONG",
-        cpuid_asm_src    => "x86cpuid.s",
-        bn_asm_src       => "bn-586.s co-586.s x86-mont.s",
-        des_asm_src      => "des-586.s crypt586.s",
-        aes_asm_src      => "aes_x86core.s aes_cbc.s aesni-x86.s",
-        bf_asm_src       => "bf-586.s",
-        md5_asm_src      => "md5-586.s",
-        sha1_asm_src     => "sha1-586.s sha256-586.s sha512-586.s",
-        cast_asm_src     => "cast-586.s",
-        rc4_asm_src      => "rc4-586.s",
-        rmd160_asm_src   => "rmd-586.s",
-        rc5_asm_src      => "rc5-586.s",
-        wp_asm_src       => "wp_block.s wp-mmx.s",
-        modes_asm_src    => "ghash-x86.s",
-        padlock_asm_src  => "e_padlock-x86.s",
-        thread_scheme    => "pthreads",
-        perlasm_scheme   => "elf",
-        dso_scheme       => "dlfcn",
-        shared_target    => "linux-shared",
-        shared_cflag     => "-fPIC",
-        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-    },
-    "dist" => {
-        cc               => "cc",
-        cflags           => "-O",
-        thread_scheme    => "(unknown)",
-    },
-    "debug-test-64-clang" => {
-        inherit_from     => [ "x86_64_asm" ],
-        cc               => "clang",
-        cflags           => combine("$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable 
-Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
-                                    threads("${BSDthreads}")),
-        bn_ops           => "SIXTY_FOUR_BIT_LONG",
-        thread_scheme    => "pthreads",
-        perlasm_scheme   => "elf",
-        dso_scheme       => "dlfcn",
-        shared_target    => "bsd-gcc-shared",
-        shared_cflag     => "-fPIC",
-        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-    },
-    "darwin64-debug-test-64-clang" => {
-        inherit_from     => [ "x86_64_asm" ],
-        cc               => "clang",
-        cflags           => combine("-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token 
-Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
-                                    threads("${BSDthreads}")),
-        sys_id           => "MACOSX",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG",
-        thread_scheme    => "pthreads",
-        perlasm_scheme   => "macosx",
-        dso_scheme       => "dlfcn",
-        shared_target    => "darwin-shared",
-        shared_cflag     => "-fPIC -fno-common",
-        shared_ldflag    => "-arch x86_64 -dynamiclib",
-        shared_extension => ".\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-    },
-);
diff -r dcac3bfdcbe6 -r ecf7e621bdbc crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure        Sat Aug 18 08:45:55 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure        Sat Aug 18 08:59:03 2018 +0000
@@ -20,6 +20,9 @@
 
 # see INSTALL for instructions.
 
+my $orig_death_handler = $SIG{__DIE__};
+$SIG{__DIE__} = \&death_handler;
+
 my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] 
[no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n";
 
 # Options:
@@ -756,21 +759,21 @@
                else
                        { $config{options} .= " ".$_; }
                }
+       }
 
-        if (defined($config{api}) && !exists $apitable->{$config{api}}) {
-               die "***** Unsupported api compatibility level: $config{api}\n",
-        }
+if (defined($config{api}) && !exists $apitable->{$config{api}}) {
+       die "***** Unsupported api compatibility level: $config{api}\n",
+}
 
-       if (keys %deprecated_options)
-               {
-               warn "***** Deprecated options: ",
-                       join(", ", keys %deprecated_options), "\n";
-               }
-       if (keys %unsupported_options)
-               {
-               die "***** Unsupported options: ",
-                       join(", ", keys %unsupported_options), "\n";
-               }
+if (keys %deprecated_options)
+       {
+       warn "***** Deprecated options: ",
+               join(", ", keys %deprecated_options), "\n";
+       }
+if (keys %unsupported_options)
+       {
+       die "***** Unsupported options: ",
+               join(", ", keys %unsupported_options), "\n";
        }
 
 if ($libs =~ /(^|\s)-Wl,-rpath,/
@@ -908,11 +911,12 @@
        $target = $t;
     }
 }
+
+&usage if !$table{$target} || $table{$target}->{template};
+
 $config{target} = $target;
 my %target = resolve_config($target);
 
-&usage if (!%target || $target{template});
-
 my %conf_files = map { $_ => 1 } (@{$target{_conf_fname_int}});
 $config{conf_files} = [ sort keys %conf_files ];
 %target = ( %{$table{DEFAULTS}}, %target );
@@ -1215,8 +1219,10 @@
 
     if (!$disabled{makedepend}) {
        # We know that GNU C version 3 and up as well as all clang
-       # versions support dependency generation
-       if ($predefined{__GNUC__} >= 3) {
+       # versions support dependency generation, but Xcode did not
+       # handle $cc -M before clang support (but claims __GNUC__ = 3)
+       if (($predefined{__GNUC__} // -1) >= 3
+               && !($predefined{__APPLE_CC__} && !$predefined{__clang__})) {
            $config{makedepprog} = $cc;
        } else {
            $config{makedepprog} = which('makedepend');
@@ -2125,6 +2131,8 @@
 
 $builders{$builder}->($builder_platform, @builder_opts);
 
+$SIG{__DIE__} = $orig_death_handler;
+
 print <<"EOF";
 
 Configured for $target.
@@ -2153,6 +2161,24 @@
 # Helpers and utility functions
 #
 
+# Death handler, to print a helpful message in case of failure #######
+#
+sub death_handler {
+    die @_ if $^S;              # To prevent the added message in eval blocks
+    my $build_file = $target{build_file} // "build file";
+    my @message = ( <<"_____", @_ );
+
+Failure!  $build_file wasn't produced.
+Please read INSTALL and associated NOTES files.  You may also have to look over
+your available compiler tool chain or change your configuration.



Home | Main Index | Thread Index | Old Index