[src/OPENSSL]: src/crypto/external/bsd/openssl/dist Changes between 1.1.1f an...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/OPENSSL]: src/crypto/external/bsd/openssl/dist Changes between 1.1.1f an...
From: christos <christos%NetBSD.org@localhost>
Date: Sat, 25 Apr 2020 03:00:21 +0000
details:   https://anonhg.NetBSD.org/src/rev/34e64fa8a1de
branches:  OPENSSL
changeset: 931257:34e64fa8a1de
user:      christos <christos%NetBSD.org@localhost>
date:      Fri Apr 24 19:34:15 2020 +0000

description:
Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

  *) Fixed segmentation fault in SSL_check_chain()
     Server or client applications that call the SSL_check_chain() function
     during or after a TLS 1.3 handshake may crash due to a NULL pointer
     dereference as a result of incorrect handling of the
     "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
     or unrecognised signature algorithm is received from the peer. This could
     be exploited by a malicious peer in a Denial of Service attack.
     (CVE-2020-1967)
     [Benjamin Kaduk]

  *) Added AES consttime code for no-asm configurations
     an optional constant time support for AES was added
     when building openssl for no-asm.
     Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
     Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
     At this time this feature is by default disabled.
     It will be enabled by default in 3.0.
     [Bernd Edlinger]

diffstat:

 crypto/external/bsd/openssl/dist/CHANGES                           |   21 +
 crypto/external/bsd/openssl/dist/INSTALL                           |    6 +-
 crypto/external/bsd/openssl/dist/NEWS                              |    4 +
 crypto/external/bsd/openssl/dist/README                            |    2 +-
 crypto/external/bsd/openssl/dist/apps/build.info                   |   61 +-
 crypto/external/bsd/openssl/dist/apps/dhparam.c                    |   59 +-
 crypto/external/bsd/openssl/dist/apps/dsa.c                        |   55 +-
 crypto/external/bsd/openssl/dist/apps/dsaparam.c                   |   35 +-
 crypto/external/bsd/openssl/dist/apps/ec.c                         |   29 +-
 crypto/external/bsd/openssl/dist/apps/ecparam.c                    |   36 +-
 crypto/external/bsd/openssl/dist/apps/engine.c                     |   25 +-
 crypto/external/bsd/openssl/dist/apps/gendsa.c                     |   35 +-
 crypto/external/bsd/openssl/dist/apps/genrsa.c                     |   43 +-
 crypto/external/bsd/openssl/dist/apps/ocsp.c                       |  165 +-
 crypto/external/bsd/openssl/dist/apps/pkcs12.c                     |   52 +-
 crypto/external/bsd/openssl/dist/apps/rsa.c                        |   59 +-
 crypto/external/bsd/openssl/dist/apps/rsautl.c                     |   37 +-
 crypto/external/bsd/openssl/dist/apps/s_time.c                     |    3 +-
 crypto/external/bsd/openssl/dist/apps/srp.c                        |   41 +-
 crypto/external/bsd/openssl/dist/apps/ts.c                         |   48 +-
 crypto/external/bsd/openssl/dist/crypto/aes/aes_core.c             |  985 +++++++++-
 crypto/external/bsd/openssl/dist/crypto/aes/aes_local.h            |    3 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/asn1_lib.c            |   23 +-
 crypto/external/bsd/openssl/dist/crypto/bio/bss_acpt.c             |   13 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c               |    4 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c                |   10 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ec_mult.c               |   31 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c              |  313 +-
 crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c                |    5 +
 crypto/external/bsd/openssl/dist/crypto/rand/build.info            |    2 +
 crypto/external/bsd/openssl/dist/crypto/rand/drbg_ctr.c            |   25 +-
 crypto/external/bsd/openssl/dist/crypto/threads_win.c              |    4 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c            |    6 +
 crypto/external/bsd/openssl/dist/crypto/x509v3/v3_purp.c           |   14 +-
 crypto/external/bsd/openssl/dist/doc/man1/s_time.pod               |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_aes.pod              |    9 +-
 crypto/external/bsd/openssl/dist/doc/man3/RAND_set_rand_method.pod |    6 +-
 crypto/external/bsd/openssl/dist/doc/man3/X509_check_purpose.pod   |   74 +
 crypto/external/bsd/openssl/dist/include/openssl/opensslv.h        |    4 +-
 crypto/external/bsd/openssl/dist/ssl/t1_lib.c                      |    2 +-
 crypto/external/bsd/openssl/dist/test/certs/ee-pathlen.pem         |   17 +
 crypto/external/bsd/openssl/dist/test/certs/setup.sh               |    4 +-
 crypto/external/bsd/openssl/dist/test/recipes/25-test_verify.t     |    8 +-
 crypto/external/bsd/openssl/dist/test/recipes/70-test_sslsigalgs.t |   66 +-
 crypto/external/bsd/openssl/dist/test/sm2_internal_test.c          |   21 +-
 45 files changed, 1839 insertions(+), 630 deletions(-)

diffs (truncated from 3780 to 300 lines):

diff -r b8e0b08cd0ff -r 34e64fa8a1de crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES  Sun Apr 05 21:50:44 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES  Fri Apr 24 19:34:15 2020 +0000
@@ -7,6 +7,27 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
+
+  *) Fixed segmentation fault in SSL_check_chain()
+     Server or client applications that call the SSL_check_chain() function
+     during or after a TLS 1.3 handshake may crash due to a NULL pointer
+     dereference as a result of incorrect handling of the
+     "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+     or unrecognised signature algorithm is received from the peer. This could
+     be exploited by a malicious peer in a Denial of Service attack.
+     (CVE-2020-1967)
+     [Benjamin Kaduk]
+
+  *) Added AES consttime code for no-asm configurations
+     an optional constant time support for AES was added
+     when building openssl for no-asm.
+     Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
+     Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
+     At this time this feature is by default disabled.
+     It will be enabled by default in 3.0.
+     [Bernd Edlinger]
+
  Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
 
   *) Revert the change of EOF detection while reading in libssl to avoid
diff -r b8e0b08cd0ff -r 34e64fa8a1de crypto/external/bsd/openssl/dist/INSTALL
--- a/crypto/external/bsd/openssl/dist/INSTALL  Sun Apr 05 21:50:44 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/INSTALL  Fri Apr 24 19:34:15 2020 +0000
@@ -535,9 +535,9 @@
                    conjunction with the "-DPEDANTIC" option (or the
                    --strict-warnings option).
 
-  no-ui
-                   Don't build with the "UI" capability (i.e. the set of
-                   features enabling text based prompts).
+  no-ui-console
+                   Don't build with the "UI" console method (i.e. the "UI"
+                   method that enables text based console prompts).
 
   enable-unit-test
                    Enable additional unit test APIs. This should not typically
diff -r b8e0b08cd0ff -r 34e64fa8a1de crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS     Sun Apr 05 21:50:44 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS     Fri Apr 24 19:34:15 2020 +0000
@@ -5,6 +5,10 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]
+
+      o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)
+
   Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]
 
       o Revert the unexpected EOF reporting via SSL_ERROR_SSL
diff -r b8e0b08cd0ff -r 34e64fa8a1de crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README   Sun Apr 05 21:50:44 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/README   Fri Apr 24 19:34:15 2020 +0000
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1f 31 Mar 2020
+ OpenSSL 1.1.1g 21 Apr 2020
 
  Copyright (c) 1998-2020 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r b8e0b08cd0ff -r 34e64fa8a1de crypto/external/bsd/openssl/dist/apps/build.info
--- a/crypto/external/bsd/openssl/dist/apps/build.info  Sun Apr 05 21:50:44 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/build.info  Fri Apr 24 19:34:15 2020 +0000
@@ -1,16 +1,17 @@
 {- our @apps_openssl_src =
        qw(openssl.c
-          asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c
-          dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c
-          genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c
-          pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c
+          asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c
+          enc.c errstr.c
+          genpkey.c nseq.c passwd.c pkcs7.c pkcs8.c
+          pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c
           s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c
-          srp.c ts.c verify.c version.c x509.c rehash.c storeutl.c);
+          verify.c version.c x509.c rehash.c storeutl.c);
    our @apps_lib_src =
        ( qw(apps.c opt.c s_cb.c s_socket.c app_rand.c bf_prefix.c),
          split(/\s+/, $target{apps_aux_src}) );
    our @apps_init_src = split(/\s+/, $target{apps_init_src});
    "" -}
+
 IF[{- !$disabled{apps} -}]
   LIBS_NO_INST=libapps.a
   SOURCE[libapps.a]={- join(" ", @apps_lib_src) -}
@@ -21,11 +22,51 @@
   SOURCE[openssl]={- join(" ", @apps_openssl_src) -}
   INCLUDE[openssl]=.. ../include
   DEPEND[openssl]=libapps.a ../libssl
-
-IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
-  GENERATE[openssl.rc]=../util/mkrc.pl openssl
-  SOURCE[openssl]=openssl.rc
-ENDIF
+  IF[{- !$disabled{'des'} -}]
+    SOURCE[openssl]=pkcs12.c
+    DEPEND[pkcs12.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'ec'} -}]
+    SOURCE[openssl]=ec.c ecparam.c
+    DEPEND[ec.o]=progs.h
+    DEPEND[ecparam.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'ocsp'} -}]
+    SOURCE[openssl]=ocsp.c
+    DEPEND[ocsp.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'srp'} -}]
+    SOURCE[openssl]=srp.c
+    DEPEND[srp.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'ts'} -}]
+    SOURCE[openssl]=ts.c
+    DEPEND[ts.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'dh'} -}]
+    SOURCE[openssl]=dhparam.c
+    DEPEND[dhparam.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'dsa'} -}]
+    SOURCE[openssl]=dsa.c dsaparam.c gendsa.c
+    DEPEND[dsa.o]=progs.h
+    DEPEND[dsaparam.o]=progs.h
+    DEPEND[gendsa.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'engine'} -}]
+    SOURCE[openssl]=engine.c
+    DEPEND[engine.o]=progs.h
+  ENDIF
+  IF[{- !$disabled{'rsa'} -}]
+    SOURCE[openssl]=rsa.c rsautl.c genrsa.c
+    DEPEND[rsa.o]=progs.h
+    DEPEND[rsautl.o]=progs.h
+    DEPEND[genrsa.o]=progs.h
+  ENDIF
+  IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
+    GENERATE[openssl.rc]=../util/mkrc.pl openssl
+    SOURCE[openssl]=openssl.rc
+  ENDIF
 
   {- join("\n  ", map { (my $x = $_) =~ s|\.c$|.o|; "DEPEND[$x]=progs.h" }
                   @apps_openssl_src) -}
diff -r b8e0b08cd0ff -r 34e64fa8a1de crypto/external/bsd/openssl/dist/apps/dhparam.c
--- a/crypto/external/bsd/openssl/dist/apps/dhparam.c   Sun Apr 05 21:50:44 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/dhparam.c   Fri Apr 24 19:34:15 2020 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -8,28 +8,24 @@
  */
 
 #include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_DH
-NON_EMPTY_TRANSLATION_UNIT
-#else
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
 
-# include <stdio.h>
-# include <stdlib.h>
-# include <time.h>
-# include <string.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/bn.h>
-# include <openssl/dh.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
 
-# ifndef OPENSSL_NO_DSA
-#  include <openssl/dsa.h>
-# endif
-
-# define DEFBITS 2048
+#define DEFBITS 2048
 
 static int dh_cb(int p, int n, BN_GENCB *cb);
 
@@ -56,13 +52,13 @@
     {"C", OPT_C, '-', "Print C code"},
     {"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
     {"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
     {"dsaparam", OPT_DSAPARAM, '-',
      "Read or generate DSA parameters, convert to DH"},
-# endif
-# ifndef OPENSSL_NO_ENGINE
+#endif
+#ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-# endif
+#endif
     {NULL}
 };
 
@@ -146,13 +142,13 @@
     if (g && !num)
         num = DEFBITS;
 
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
     if (dsaparam && g) {
         BIO_printf(bio_err,
                    "generator may not be chosen for DSA parameters\n");
         goto end;
     }
-# endif
+#endif
 
     out = bio_open_default(outfile, 'w', outformat);
     if (out == NULL)
@@ -173,7 +169,7 @@
 
         BN_GENCB_set(cb, dh_cb, bio_err);
 
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
         if (dsaparam) {
             DSA *dsa = DSA_new();
 
@@ -196,7 +192,7 @@
                 goto end;
             }
         } else
-# endif
+#endif
         {
             dh = DH_new();
             BIO_printf(bio_err,
@@ -217,7 +213,7 @@
         if (in == NULL)
             goto end;
 
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
         if (dsaparam) {
             DSA *dsa;
 
@@ -239,7 +235,7 @@
                 goto end;
             }
         } else
-# endif
+#endif
         {
             if (informat == FORMAT_ASN1) {
                 /*
@@ -376,4 +372,3 @@
     (void)BIO_flush(BN_GENCB_get_arg(cb));
     return 1;
 }
-#endif
diff -r b8e0b08cd0ff -r 34e64fa8a1de crypto/external/bsd/openssl/dist/apps/dsa.c
--- a/crypto/external/bsd/openssl/dist/apps/dsa.c       Sun Apr 05 21:50:44 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/dsa.c       Fri Apr 24 19:34:15 2020 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -8,23 +8,19 @@
  */
 
 #include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_DSA
-NON_EMPTY_TRANSLATION_UNIT
Prev by Date: [src/netbsd-9]: src/doc Tickets #846 - #851
Next by Date: [src/trunk]: src Switch to the new PTE naming. The old naming is now unused, ...
Previous by Thread: [src/netbsd-9]: src/doc Tickets #846 - #851
Next by Thread: [src/trunk]: src Switch to the new PTE naming. The old naming is now unused, ...
Indexes:
Home | Main Index | Thread Index | Old Index