Source-Changes-HG archive
[src/trunk]: src/crypto/external/bsd/openssl Merge conflicts
details: https://anonhg.NetBSD.org/src/rev/4e1e7f58e865
branches: trunk
changeset: 837514:4e1e7f58e865
user: christos <christos%NetBSD.org@localhost>
date: Sat Dec 08 22:35:42 2018 +0000
description:
Merge conflicts
diffstat:
crypto/external/bsd/openssl/dist/CHANGES | 37 ++-
crypto/external/bsd/openssl/dist/Configure | 81 +++++-
crypto/external/bsd/openssl/dist/NEWS | 5 +
crypto/external/bsd/openssl/dist/README | 2 +-
crypto/external/bsd/openssl/dist/apps/ca.c | 21 +-
crypto/external/bsd/openssl/dist/apps/ocsp.c | 2 +
crypto/external/bsd/openssl/dist/apps/openssl.cnf | 2 -
crypto/external/bsd/openssl/dist/apps/s_server.c | 10 +-
crypto/external/bsd/openssl/dist/apps/speed.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c | 5 +
crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-gcc.c | 8 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c | 42 +-
crypto/external/bsd/openssl/dist/crypto/cryptlib.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c | 132 +++++----
crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c | 56 ++--
crypto/external/bsd/openssl/dist/crypto/rand/randfile.c | 44 ++-
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_lib.c | 16 +-
crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c | 18 +
crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c | 11 +-
crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set_client_CA_list.pod | 103 -------
crypto/external/bsd/openssl/dist/doc/man3/SSL_get_client_CA_list.pod | 62 ----
crypto/external/bsd/openssl/dist/doc/man3/SSL_get_server_tmp_key.pod | 43 ---
crypto/external/bsd/openssl/dist/e_os.h | 17 +-
crypto/external/bsd/openssl/dist/include/internal/tsan_assist.h | 6 +
crypto/external/bsd/openssl/dist/ssl/d1_lib.c | 93 ++----
crypto/external/bsd/openssl/dist/ssl/s3_cbc.c | 7 +-
crypto/external/bsd/openssl/dist/ssl/s3_enc.c | 8 +-
crypto/external/bsd/openssl/dist/ssl/s3_lib.c | 24 +-
crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c | 2 +-
crypto/external/bsd/openssl/dist/ssl/ssl_lib.c | 62 +++-
crypto/external/bsd/openssl/dist/ssl/ssl_locl.h | 22 +-
crypto/external/bsd/openssl/dist/ssl/t1_lib.c | 45 +++
crypto/external/bsd/openssl/dist/test/ecdsatest.c | 59 ++--
crypto/external/bsd/openssl/dist/test/evp_extra_test.c | 46 +++
crypto/external/bsd/openssl/dist/test/evp_test.c | 37 ++-
crypto/external/bsd/openssl/dist/util/mkdef.pl | 12 +-
crypto/external/bsd/openssl/lib/libcrypto/crypto.inc | 3 +-
41 files changed, 634 insertions(+), 525 deletions(-)
diffs (truncated from 2441 to 300 lines):
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Sat Dec 08 22:35:42 2018 +0000
@@ -7,6 +7,42 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
+
+ *) Timing vulnerability in DSA signature generation
+
+ The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+ (CVE-2018-0734)
+ [Paul Dale]
+
+ *) Timing vulnerability in ECDSA signature generation
+
+ The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+ timing side channel attack. An attacker could use variations in the signing
+ algorithm to recover the private key.
+
+ This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+ (CVE-2018-0735)
+ [Paul Dale]
+
+ *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
+ the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
+ are retained for backwards compatibility.
+ [Antoine Salon]
+
+ *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
+ if its length exceeds 4096 bytes. The limit has been raised to a buffer size
+ of two gigabytes and the error handling improved.
+
+ This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
+ categorized as a normal bug, not a security issue, because the DRBG reseeds
+ automatically and is fully functional even without additional randomness
+ provided by the application.
+
Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
*) Add a new ClientHello callback. Provides a callback interface that gives
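Review bot: The RAND_add()/RAND_seed() entry that closes the new 1.1.1a block has no bracketed contributor line, while the three entries above it end with [Paul Dale] or [Antoine Salon]. As this file lives under dist/ it should match the vendor text, so confirm that the attribution is absent upstream too and was not dropped while resolving the merge.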
@@ -13103,4 +13139,3 @@
*) A minor bug in ssl/s3_clnt.c where there would always be 4 0
bytes sent in the client random.
[Edward Bishop <ebishop%spyglass.com@localhost>]
-
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure Sat Dec 08 22:35:42 2018 +0000
@@ -1013,13 +1013,18 @@
if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
warn <<_____ if scalar(@seed_sources) == 1;
-You have selected the --with-rand-seed=none option, which effectively disables
-automatic reseeding of the OpenSSL random generator. All operations depending
-on the random generator such as creating keys will not work unless the random
-generator is seeded manually by the application.
-
-Please read the 'Note on random number generation' section in the INSTALL
-instructions and the RAND_DRBG(7) manual page for more details.
+
+============================== WARNING ===============================
+You have selected the --with-rand-seed=none option, which effectively
+disables automatic reseeding of the OpenSSL random generator.
+All operations depending on the random generator such as creating keys
+will not work unless the random generator is seeded manually by the
+application.
+
+Please read the 'Note on random number generation' section in the
+INSTALL instructions and the RAND_DRBG(7) manual page for more details.
+============================== WARNING ===============================
+
_____
}
push @{$config{openssl_other_defines}},
@@ -2174,6 +2179,16 @@
# Massage the result
+ # If the user configured no-shared, we allow no shared sources
+ if ($disabled{shared}) {
+ foreach (keys %{$unified_info{shared_sources}}) {
+ foreach (keys %{$unified_info{shared_sources}->{$_}}) {
+ delete $unified_info{sources}->{$_};
+ }
+ }
+ $unified_info{shared_sources} = {};
+ }
+
# If we depend on a header file or a perl module, add an inclusion of
# its directory to allow smoothe inclusion
foreach my $dest (keys %{$unified_info{depends}}) {
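Review bot: Both nested foreach loops in the added no-shared block iterate with the implicit $_, so the line delete $unified_info{sources}->{$_}; acts on the inner key (an entry under shared_sources) and not on the outer one. That looks intended, but it is easy to misread. Named loop variables, for example foreach my $dest (...) and foreach my $src (...), would make explicit which key is removed from sources.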
@@ -2198,8 +2213,8 @@
next unless defined($unified_info{includes}->{$dest}->{$k});
my @incs = reverse @{$unified_info{includes}->{$dest}->{$k}};
foreach my $obj (grep /\.o$/,
- (keys %{$unified_info{sources}->{$dest}},
- keys %{$unified_info{shared_sources}->{$dest}})) {
+ (keys %{$unified_info{sources}->{$dest} // {}},
+ keys %{$unified_info{shared_sources}->{$dest} // {}})) {
foreach my $inc (@incs) {
unshift @{$unified_info{includes}->{$obj}->{$k}}, $inc
unless grep { $_ eq $inc } @{$unified_info{includes}->{$obj}->{$k}};
@@ -2238,6 +2253,42 @@
[ @{$unified_info{includes}->{$dest}->{source}} ];
}
}
+
+ # For convenience collect information regarding directories where
+ # files are generated, those generated files and the end product
+ # they end up in where applicable. Then, add build rules for those
+ # directories
+ my %loopinfo = ( "lib" => [ @{$unified_info{libraries}} ],
+ "dso" => [ @{$unified_info{engines}} ],
+ "bin" => [ @{$unified_info{programs}} ],
+ "script" => [ @{$unified_info{scripts}} ] );
+ foreach my $type (keys %loopinfo) {
+ foreach my $product (@{$loopinfo{$type}}) {
+ my %dirs = ();
+ my $pd = dirname($product);
+
+ foreach (@{$unified_info{sources}->{$product} // []},
+ @{$unified_info{shared_sources}->{$product} // []}) {
+ my $d = dirname($_);
+
+ # We don't want to create targets for source directories
+ # when building out of source
+ next if ($config{sourcedir} ne $config{builddir}
+ && $d =~ m|^\Q$config{sourcedir}\E|);
+ # We already have a "test" target, and the current directory
+ # is just silly to make a target for
+ next if $d eq "test" || $d eq ".";
+
+ $dirs{$d} = 1;
+ push @{$unified_info{dirinfo}->{$d}->{deps}}, $_
+ if $d ne $pd;
+ }
+ foreach (keys %dirs) {
+ push @{$unified_info{dirinfo}->{$_}->{products}->{$type}},
+ $product;
+ }
+ }
+ }
}
# For the schemes that need it, we provide the old *_obj configs
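Review bot: The out-of-source test $d =~ m|^\Q$config{sourcedir}\E| in the new dirinfo loop is a plain prefix match with no boundary after the source directory, so a directory whose path merely begins with the same string as sourcedir (a sibling named like the source directory plus a suffix) is skipped as well. Requiring a path separator or end of string after the quoted prefix would limit the skip to directories that are actually inside the source tree.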
@@ -2712,10 +2763,16 @@
**********************************************************************
*** ***
-*** If you want to report a building issue, please include the ***
-*** output from this command: ***
+*** OpenSSL has been successfully configured ***
*** ***
-*** perl configdata.pm --dump ***
+*** If you encounter a problem while building, please open an ***
+*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
+*** and include the output from the following command: ***
+*** ***
+*** perl configdata.pm --dump ***
+*** ***
+*** (If you are new to OpenSSL, you might want to consult the ***
+*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************
EOF
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS Sat Dec 08 22:35:42 2018 +0000
@@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
+
+ o Timing vulnerability in DSA signature generation (CVE-2018-0734)
+ o Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
+
Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]
o Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/README Sat Dec 08 22:35:42 2018 +0000
@@ -1,5 +1,5 @@
- OpenSSL 1.1.1 11 Sep 2018
+ OpenSSL 1.1.1a 20 Nov 2018
Copyright (c) 1998-2018 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/apps/ca.c
--- a/crypto/external/bsd/openssl/dist/apps/ca.c Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/ca.c Sat Dec 08 22:35:42 2018 +0000
@@ -605,7 +605,7 @@
/*
* outdir is a directory spec, but access() for VMS demands a
* filename. We could use the DEC C routine to convert the
- * directory syntax to Unixly, and give that to app_isdir,
+ * directory syntax to Unix, and give that to app_isdir,
* but for now the fopen will catch the error if it's not a
* directory
*/
@@ -976,7 +976,7 @@
BIO_printf(bio_err, "Write out database with %d new entries\n",
sk_X509_num(cert_sk));
- if (!rand_ser
+ if (serialfile != NULL
&& !save_serial(serialfile, "new", serial, NULL))
goto end;
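Review bot: Replacing !rand_ser with serialfile != NULL in the save_serial() guard makes the write depend on serialfile being left NULL whenever random serials are in use, and nothing in this hunk shows where that is guaranteed. A short comment next to this check, or where serialfile is left unset, would document the invariant for the next merge.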
@@ -1044,7 +1044,8 @@
if (sk_X509_num(cert_sk)) {
/* Rename the database and the serial file */
- if (!rotate_serial(serialfile, "new", "old"))
+ if (serialfile != NULL
+ && !rotate_serial(serialfile, "new", "old"))
goto end;
if (!rotate_index(dbfile, "new", "old"))
@@ -1177,10 +1178,9 @@
}
/* we have a CRL number that need updating */
- if (crlnumberfile != NULL)
- if (!rand_ser
- && !save_serial(crlnumberfile, "new", crlnumber, NULL))
- goto end;
+ if (crlnumberfile != NULL
+ && !save_serial(crlnumberfile, "new", crlnumber, NULL))
+ goto end;
BN_free(crlnumber);
crlnumber = NULL;
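Review bot: The CRL number save no longer tests rand_ser. The old code only called save_serial(crlnumberfile, ...) when !rand_ser held; the new condition is just crlnumberfile != NULL. With random serials enabled and a crlnumber file configured, the file is now written where it previously was not. That is a behaviour change and not a reformatting, and it deserves a line in the commit message.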
@@ -1195,9 +1195,10 @@
PEM_write_bio_X509_CRL(Sout, crl);
- if (crlnumberfile != NULL) /* Rename the crlnumber file */
- if (!rotate_serial(crlnumberfile, "new", "old"))
- goto end;
+ /* Rename the crlnumber file */
+ if (crlnumberfile != NULL
+ && !rotate_serial(crlnumberfile, "new", "old"))
+ goto end;
}
/*****************************************************************/
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/apps/ocsp.c
--- a/crypto/external/bsd/openssl/dist/apps/ocsp.c Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/ocsp.c Sat Dec 08 22:35:42 2018 +0000
@@ -950,6 +950,7 @@
sleep(30);
break;
case 0: /* child */
+ OPENSSL_free(kidpids);
signal(SIGINT, SIG_DFL);
signal(SIGTERM, SIG_DFL);
if (termsig)
@@ -976,6 +977,7 @@
}
/* The loop above can only break on termsig */
+ OPENSSL_free(kidpids);
syslog(LOG_INFO, "terminating on signal: %d", termsig);
killall(0, kidpids);
}
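Review bot: In the termination path the added OPENSSL_free(kidpids); sits two lines before killall(0, kidpids);, so the array is handed to killall() after it has been released. If killall() reads the child PIDs through that pointer this is a use-after-free, and a double free if it also releases the array. Drop the added free here or move it after the last use of kidpids. The free added in the case 0 child branch is not affected.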
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/apps/openssl.cnf
--- a/crypto/external/bsd/openssl/dist/apps/openssl.cnf Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/openssl.cnf Sat Dec 08 22:35:42 2018 +0000
@@ -10,7 +10,6 @@
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
-RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
@@ -57,7 +56,6 @@
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extensions to add to the cert
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/apps/s_server.c
--- a/crypto/external/bsd/openssl/dist/apps/s_server.c Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/s_server.c Sat Dec 08 22:35:42 2018 +0000
@@ -193,9 +193,8 @@
if (strlen(psk_identity) != identity_len
|| memcmp(psk_identity, identity, identity_len) != 0) {