Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/crypto/external/bsd/openssl Merge conflicts



details:   https://anonhg.NetBSD.org/src/rev/4e1e7f58e865
branches:  trunk
changeset: 837514:4e1e7f58e865
user:      christos <christos%NetBSD.org@localhost>
date:      Sat Dec 08 22:35:42 2018 +0000

description:
Merge conflicts

diffstat:

 crypto/external/bsd/openssl/dist/CHANGES                                 |   37 ++-
 crypto/external/bsd/openssl/dist/Configure                               |   81 +++++-
 crypto/external/bsd/openssl/dist/NEWS                                    |    5 +
 crypto/external/bsd/openssl/dist/README                                  |    2 +-
 crypto/external/bsd/openssl/dist/apps/ca.c                               |   21 +-
 crypto/external/bsd/openssl/dist/apps/ocsp.c                             |    2 +
 crypto/external/bsd/openssl/dist/apps/openssl.cnf                        |    2 -
 crypto/external/bsd/openssl/dist/apps/s_server.c                         |   10 +-
 crypto/external/bsd/openssl/dist/apps/speed.c                            |    2 +-
 crypto/external/bsd/openssl/dist/crypto/bio/bio_lib.c                    |    4 +-
 crypto/external/bsd/openssl/dist/crypto/bio/bss_log.c                    |    5 +
 crypto/external/bsd/openssl/dist/crypto/bn/asm/x86_64-gcc.c              |    8 +-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c                      |    2 +-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_lib.c                      |   42 +-
 crypto/external/bsd/openssl/dist/crypto/cryptlib.c                       |    2 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ec_ameth.c                    |    4 +-
 crypto/external/bsd/openssl/dist/crypto/engine/eng_devcrypto.c           |  132 +++++----
 crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c                      |    2 +-
 crypto/external/bsd/openssl/dist/crypto/rand/rand_unix.c                 |   56 ++--
 crypto/external/bsd/openssl/dist/crypto/rand/randfile.c                  |   44 ++-
 crypto/external/bsd/openssl/dist/crypto/rsa/rsa_lib.c                    |   16 +-
 crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c                  |   18 +
 crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c                  |   11 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set_client_CA_list.pod |  103 -------
 crypto/external/bsd/openssl/dist/doc/man3/SSL_get_client_CA_list.pod     |   62 ----
 crypto/external/bsd/openssl/dist/doc/man3/SSL_get_server_tmp_key.pod     |   43 ---
 crypto/external/bsd/openssl/dist/e_os.h                                  |   17 +-
 crypto/external/bsd/openssl/dist/include/internal/tsan_assist.h          |    6 +
 crypto/external/bsd/openssl/dist/ssl/d1_lib.c                            |   93 ++----
 crypto/external/bsd/openssl/dist/ssl/s3_cbc.c                            |    7 +-
 crypto/external/bsd/openssl/dist/ssl/s3_enc.c                            |    8 +-
 crypto/external/bsd/openssl/dist/ssl/s3_lib.c                            |   24 +-
 crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c                          |    2 +-
 crypto/external/bsd/openssl/dist/ssl/ssl_lib.c                           |   62 +++-
 crypto/external/bsd/openssl/dist/ssl/ssl_locl.h                          |   22 +-
 crypto/external/bsd/openssl/dist/ssl/t1_lib.c                            |   45 +++
 crypto/external/bsd/openssl/dist/test/ecdsatest.c                        |   59 ++--
 crypto/external/bsd/openssl/dist/test/evp_extra_test.c                   |   46 +++
 crypto/external/bsd/openssl/dist/test/evp_test.c                         |   37 ++-
 crypto/external/bsd/openssl/dist/util/mkdef.pl                           |   12 +-
 crypto/external/bsd/openssl/lib/libcrypto/crypto.inc                     |    3 +-
 41 files changed, 634 insertions(+), 525 deletions(-)

diffs (truncated from 2441 to 300 lines):

diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES  Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES  Sat Dec 08 22:35:42 2018 +0000
@@ -7,6 +7,42 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
+
+  *) Timing vulnerability in DSA signature generation
+
+     The OpenSSL DSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 16th October 2018 by Samuel Weiser.
+     (CVE-2018-0734)
+     [Paul Dale]
+
+  *) Timing vulnerability in ECDSA signature generation
+
+     The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
+     timing side channel attack. An attacker could use variations in the signing
+     algorithm to recover the private key.
+
+     This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.
+     (CVE-2018-0735)
+     [Paul Dale]
+
+  *) Added EVP_PKEY_ECDH_KDF_X9_63 and ecdh_KDF_X9_63() as replacements for
+     the EVP_PKEY_ECDH_KDF_X9_62 KDF type and ECDH_KDF_X9_62(). The old names
+     are retained for backwards compatibility.
+     [Antoine Salon]
+
+  *) Fixed the issue that RAND_add()/RAND_seed() silently discards random input
+     if its length exceeds 4096 bytes. The limit has been raised to a buffer size
+     of two gigabytes and the error handling improved.
+
+     This issue was reported to OpenSSL by Dr. Falko Strenzke. It has been
+     categorized as a normal bug, not a security issue, because the DRBG reseeds
+     automatically and is fully functional even without additional randomness
+     provided by the application.
+
  Changes between 1.1.0i and 1.1.1 [11 Sep 2018]
 
   *) Add a new ClientHello callback. Provides a callback interface that gives
@@ -13103,4 +13139,3 @@
   *) A minor bug in ssl/s3_clnt.c where there would always be 4 0
      bytes sent in the client random.
      [Edward Bishop <ebishop%spyglass.com@localhost>]
-
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure        Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure        Sat Dec 08 22:35:42 2018 +0000
@@ -1013,13 +1013,18 @@
 if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
     die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
     warn <<_____ if scalar(@seed_sources) == 1;
-You have selected the --with-rand-seed=none option, which effectively disables
-automatic reseeding of the OpenSSL random generator. All operations depending
-on the random generator such as creating keys will not work unless the random
-generator is seeded manually by the application.
-
-Please read the 'Note on random number generation' section in the INSTALL
-instructions and the RAND_DRBG(7) manual page for more details.
+
+============================== WARNING ===============================
+You have selected the --with-rand-seed=none option, which effectively
+disables automatic reseeding of the OpenSSL random generator.
+All operations depending on the random generator such as creating keys
+will not work unless the random generator is seeded manually by the
+application.
+
+Please read the 'Note on random number generation' section in the
+INSTALL instructions and the RAND_DRBG(7) manual page for more details.
+============================== WARNING ===============================
+
 _____
 }
 push @{$config{openssl_other_defines}},
@@ -2174,6 +2179,16 @@
 
     # Massage the result
 
+    # If the user configured no-shared, we allow no shared sources
+    if ($disabled{shared}) {
+        foreach (keys %{$unified_info{shared_sources}}) {
+            foreach (keys %{$unified_info{shared_sources}->{$_}}) {
+                delete $unified_info{sources}->{$_};
+            }
+        }
+        $unified_info{shared_sources} = {};
+    }
+
     # If we depend on a header file or a perl module, add an inclusion of
     # its directory to allow smoothe inclusion
     foreach my $dest (keys %{$unified_info{depends}}) {
@@ -2198,8 +2213,8 @@
             next unless defined($unified_info{includes}->{$dest}->{$k});
             my @incs = reverse @{$unified_info{includes}->{$dest}->{$k}};
             foreach my $obj (grep /\.o$/,
-                             (keys %{$unified_info{sources}->{$dest}},
-                              keys %{$unified_info{shared_sources}->{$dest}})) {
+                             (keys %{$unified_info{sources}->{$dest} // {}},
+                              keys %{$unified_info{shared_sources}->{$dest} // {}})) {
                 foreach my $inc (@incs) {
                     unshift @{$unified_info{includes}->{$obj}->{$k}}, $inc
                         unless grep { $_ eq $inc } @{$unified_info{includes}->{$obj}->{$k}};
@@ -2238,6 +2253,42 @@
                 [ @{$unified_info{includes}->{$dest}->{source}} ];
         }
     }
+
+    # For convenience collect information regarding directories where
+    # files are generated, those generated files and the end product
+    # they end up in where applicable.  Then, add build rules for those
+    # directories
+    my %loopinfo = ( "lib" => [ @{$unified_info{libraries}} ],
+                     "dso" => [ @{$unified_info{engines}} ],
+                     "bin" => [ @{$unified_info{programs}} ],
+                     "script" => [ @{$unified_info{scripts}} ] );
+    foreach my $type (keys %loopinfo) {
+        foreach my $product (@{$loopinfo{$type}}) {
+            my %dirs = ();
+            my $pd = dirname($product);
+
+            foreach (@{$unified_info{sources}->{$product} // []},
+                     @{$unified_info{shared_sources}->{$product} // []}) {
+                my $d = dirname($_);
+
+                # We don't want to create targets for source directories
+                # when building out of source
+                next if ($config{sourcedir} ne $config{builddir}
+                             && $d =~ m|^\Q$config{sourcedir}\E|);
+                # We already have a "test" target, and the current directory
+                # is just silly to make a target for
+                next if $d eq "test" || $d eq ".";
+
+                $dirs{$d} = 1;
+                push @{$unified_info{dirinfo}->{$d}->{deps}}, $_
+                    if $d ne $pd;
+            }
+            foreach (keys %dirs) {
+                push @{$unified_info{dirinfo}->{$_}->{products}->{$type}},
+                    $product;
+            }
+        }
+    }
 }
 
 # For the schemes that need it, we provide the old *_obj configs
@@ -2712,10 +2763,16 @@
 
 **********************************************************************
 ***                                                                ***
-***   If you want to report a building issue, please include the   ***
-***   output from this command:                                    ***
+***   OpenSSL has been successfully configured                     ***
 ***                                                                ***
-***     perl configdata.pm --dump                                  ***
+***   If you encounter a problem while building, please open an    ***
+***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
+***   and include the output from the following command:           ***
+***                                                                ***
+***       perl configdata.pm --dump                                ***
+***                                                                ***
+***   (If you are new to OpenSSL, you might want to consult the    ***
+***   'Troubleshooting' section in the INSTALL file first)         ***
 ***                                                                ***
 **********************************************************************
 EOF
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS     Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS     Sat Dec 08 22:35:42 2018 +0000
@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1 and OpenSSL 1.1.1a [20 Nov 2018]
+
+      o Timing vulnerability in DSA signature generation (CVE-2018-0734)
+      o Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
+
   Major changes between OpenSSL 1.1.0i and OpenSSL 1.1.1 [11 Sep 2018]
 
       o Support for TLSv1.3 added (see https://wiki.openssl.org/index.php/TLS1.3
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README   Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/README   Sat Dec 08 22:35:42 2018 +0000
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1 11 Sep 2018
+ OpenSSL 1.1.1a 20 Nov 2018
 
  Copyright (c) 1998-2018 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/apps/ca.c
--- a/crypto/external/bsd/openssl/dist/apps/ca.c        Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/ca.c        Sat Dec 08 22:35:42 2018 +0000
@@ -605,7 +605,7 @@
         /*
          * outdir is a directory spec, but access() for VMS demands a
          * filename.  We could use the DEC C routine to convert the
-         * directory syntax to Unixly, and give that to app_isdir,
+         * directory syntax to Unix, and give that to app_isdir,
          * but for now the fopen will catch the error if it's not a
          * directory
          */
@@ -976,7 +976,7 @@
             BIO_printf(bio_err, "Write out database with %d new entries\n",
                        sk_X509_num(cert_sk));
 
-            if (!rand_ser
+            if (serialfile != NULL
                     && !save_serial(serialfile, "new", serial, NULL))
                 goto end;
 
@@ -1044,7 +1044,8 @@
 
         if (sk_X509_num(cert_sk)) {
             /* Rename the database and the serial file */
-            if (!rotate_serial(serialfile, "new", "old"))
+            if (serialfile != NULL
+                    && !rotate_serial(serialfile, "new", "old"))
                 goto end;
 
             if (!rotate_index(dbfile, "new", "old"))
@@ -1177,10 +1178,9 @@
         }
 
         /* we have a CRL number that need updating */
-        if (crlnumberfile != NULL)
-            if (!rand_ser
-                    && !save_serial(crlnumberfile, "new", crlnumber, NULL))
-                goto end;
+        if (crlnumberfile != NULL
+                && !save_serial(crlnumberfile, "new", crlnumber, NULL))
+            goto end;
 
         BN_free(crlnumber);
         crlnumber = NULL;
@@ -1195,9 +1195,10 @@
 
         PEM_write_bio_X509_CRL(Sout, crl);
 
-        if (crlnumberfile != NULL) /* Rename the crlnumber file */
-            if (!rotate_serial(crlnumberfile, "new", "old"))
-                goto end;
+        /* Rename the crlnumber file */
+        if (crlnumberfile != NULL
+                && !rotate_serial(crlnumberfile, "new", "old"))
+            goto end;
 
     }
     /*****************************************************************/
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/apps/ocsp.c
--- a/crypto/external/bsd/openssl/dist/apps/ocsp.c      Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/ocsp.c      Sat Dec 08 22:35:42 2018 +0000
@@ -950,6 +950,7 @@
             sleep(30);
             break;
         case 0:             /* child */
+            OPENSSL_free(kidpids);
             signal(SIGINT, SIG_DFL);
             signal(SIGTERM, SIG_DFL);
             if (termsig)
@@ -976,6 +977,7 @@
     }
 
     /* The loop above can only break on termsig */
+    OPENSSL_free(kidpids);
     syslog(LOG_INFO, "terminating on signal: %d", termsig);
     killall(0, kidpids);
 }
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/apps/openssl.cnf
--- a/crypto/external/bsd/openssl/dist/apps/openssl.cnf Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/openssl.cnf Sat Dec 08 22:35:42 2018 +0000
@@ -10,7 +10,6 @@
 # This definition stops the following lines choking if HOME isn't
 # defined.
 HOME                   = .
-RANDFILE               = $ENV::HOME/.rnd
 
 # Extra OBJECT IDENTIFIER info:
 #oid_file              = $ENV::HOME/.oid
@@ -57,7 +56,6 @@
                                        # must be commented out to leave a V1 CRL
 crl            = $dir/crl.pem          # The current CRL
 private_key    = $dir/private/cakey.pem# The private key
-RANDFILE       = $dir/private/.rand    # private random number file
 
 x509_extensions        = usr_cert              # The extensions to add to the cert
 
diff -r fc4d066c6d05 -r 4e1e7f58e865 crypto/external/bsd/openssl/dist/apps/s_server.c
--- a/crypto/external/bsd/openssl/dist/apps/s_server.c  Sat Dec 08 22:33:03 2018 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/s_server.c  Sat Dec 08 22:35:42 2018 +0000
@@ -193,9 +193,8 @@
 
     if (strlen(psk_identity) != identity_len
             || memcmp(psk_identity, identity, identity_len) != 0) {



Home | Main Index | Thread Index | Old Index