Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/external/bsd/openssl/dist Changes between 1.1.1f and ...
details: https://anonhg.NetBSD.org/src/rev/d99c516fd21f
branches: trunk
changeset: 971458:d99c516fd21f
user: christos <christos%NetBSD.org@localhost>
date: Fri Apr 24 19:34:15 2020 +0000
description:
Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
*) Fixed segmentation fault in SSL_check_chain()
Server or client applications that call the SSL_check_chain() function
during or after a TLS 1.3 handshake may crash due to a NULL pointer
dereference as a result of incorrect handling of the
"signature_algorithms_cert" TLS extension. The crash occurs if an invalid
or unrecognised signature algorithm is received from the peer. This could
be exploited by a malicious peer in a Denial of Service attack.
(CVE-2020-1967)
[Benjamin Kaduk]
*) Added AES consttime code for no-asm configurations
an optional constant time support for AES was added
when building openssl for no-asm.
Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
At this time this feature is by default disabled.
It will be enabled by default in 3.0.
[Bernd Edlinger]
diffstat:
crypto/external/bsd/openssl/dist/INSTALL | 6 +-
crypto/external/bsd/openssl/dist/apps/build.info | 61 +-
crypto/external/bsd/openssl/dist/apps/dhparam.c | 59 +-
crypto/external/bsd/openssl/dist/apps/dsa.c | 55 +-
crypto/external/bsd/openssl/dist/apps/dsaparam.c | 35 +-
crypto/external/bsd/openssl/dist/apps/ec.c | 29 +-
crypto/external/bsd/openssl/dist/apps/ecparam.c | 36 +-
crypto/external/bsd/openssl/dist/apps/engine.c | 25 +-
crypto/external/bsd/openssl/dist/apps/gendsa.c | 35 +-
crypto/external/bsd/openssl/dist/apps/genrsa.c | 43 +-
crypto/external/bsd/openssl/dist/apps/pkcs12.c | 52 +-
crypto/external/bsd/openssl/dist/apps/rsa.c | 59 +-
crypto/external/bsd/openssl/dist/apps/rsautl.c | 37 +-
crypto/external/bsd/openssl/dist/apps/srp.c | 41 +-
crypto/external/bsd/openssl/dist/apps/ts.c | 48 +-
crypto/external/bsd/openssl/dist/crypto/aes/aes_core.c | 985 +++++++++-
crypto/external/bsd/openssl/dist/crypto/aes/aes_local.h | 3 +-
crypto/external/bsd/openssl/dist/crypto/asn1/asn1_lib.c | 23 +-
crypto/external/bsd/openssl/dist/crypto/bio/bss_acpt.c | 13 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_mult.c | 31 +-
crypto/external/bsd/openssl/dist/crypto/rand/build.info | 2 +
crypto/external/bsd/openssl/dist/crypto/rand/drbg_ctr.c | 25 +-
crypto/external/bsd/openssl/dist/crypto/threads_win.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/x509v3/v3_purp.c | 14 +-
crypto/external/bsd/openssl/dist/doc/man1/s_time.pod | 4 +-
crypto/external/bsd/openssl/dist/doc/man3/EVP_aes.pod | 9 +-
crypto/external/bsd/openssl/dist/doc/man3/RAND_set_rand_method.pod | 6 +-
crypto/external/bsd/openssl/dist/doc/man3/X509_check_purpose.pod | 74 +
crypto/external/bsd/openssl/dist/include/openssl/opensslv.h | 4 +-
crypto/external/bsd/openssl/dist/test/certs/ee-pathlen.pem | 17 +
crypto/external/bsd/openssl/dist/test/certs/setup.sh | 4 +-
crypto/external/bsd/openssl/dist/test/recipes/25-test_verify.t | 8 +-
crypto/external/bsd/openssl/dist/test/recipes/70-test_sslsigalgs.t | 66 +-
crypto/external/bsd/openssl/dist/test/sm2_internal_test.c | 21 +-
34 files changed, 1540 insertions(+), 394 deletions(-)
diffs (truncated from 2818 to 300 lines):
diff -r 168e1728b856 -r d99c516fd21f crypto/external/bsd/openssl/dist/INSTALL
--- a/crypto/external/bsd/openssl/dist/INSTALL Fri Apr 24 17:36:55 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/INSTALL Fri Apr 24 19:34:15 2020 +0000
@@ -535,9 +535,9 @@
conjunction with the "-DPEDANTIC" option (or the
--strict-warnings option).
- no-ui
- Don't build with the "UI" capability (i.e. the set of
- features enabling text based prompts).
+ no-ui-console
+ Don't build with the "UI" console method (i.e. the "UI"
+ method that enables text based console prompts).
enable-unit-test
Enable additional unit test APIs. This should not typically
diff -r 168e1728b856 -r d99c516fd21f crypto/external/bsd/openssl/dist/apps/build.info
--- a/crypto/external/bsd/openssl/dist/apps/build.info Fri Apr 24 17:36:55 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/build.info Fri Apr 24 19:34:15 2020 +0000
@@ -1,16 +1,17 @@
{- our @apps_openssl_src =
qw(openssl.c
- asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c
- dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c
- genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c
- pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c
+ asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c
+ enc.c errstr.c
+ genpkey.c nseq.c passwd.c pkcs7.c pkcs8.c
+ pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c
s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c
- srp.c ts.c verify.c version.c x509.c rehash.c storeutl.c);
+ verify.c version.c x509.c rehash.c storeutl.c);
our @apps_lib_src =
( qw(apps.c opt.c s_cb.c s_socket.c app_rand.c bf_prefix.c),
split(/\s+/, $target{apps_aux_src}) );
our @apps_init_src = split(/\s+/, $target{apps_init_src});
"" -}
+
IF[{- !$disabled{apps} -}]
LIBS_NO_INST=libapps.a
SOURCE[libapps.a]={- join(" ", @apps_lib_src) -}
@@ -21,11 +22,51 @@
SOURCE[openssl]={- join(" ", @apps_openssl_src) -}
INCLUDE[openssl]=.. ../include
DEPEND[openssl]=libapps.a ../libssl
-
-IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
- GENERATE[openssl.rc]=../util/mkrc.pl openssl
- SOURCE[openssl]=openssl.rc
-ENDIF
+ IF[{- !$disabled{'des'} -}]
+ SOURCE[openssl]=pkcs12.c
+ DEPEND[pkcs12.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'ec'} -}]
+ SOURCE[openssl]=ec.c ecparam.c
+ DEPEND[ec.o]=progs.h
+ DEPEND[ecparam.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'ocsp'} -}]
+ SOURCE[openssl]=ocsp.c
+ DEPEND[ocsp.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'srp'} -}]
+ SOURCE[openssl]=srp.c
+ DEPEND[srp.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'ts'} -}]
+ SOURCE[openssl]=ts.c
+ DEPEND[ts.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'dh'} -}]
+ SOURCE[openssl]=dhparam.c
+ DEPEND[dhparam.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'dsa'} -}]
+ SOURCE[openssl]=dsa.c dsaparam.c gendsa.c
+ DEPEND[dsa.o]=progs.h
+ DEPEND[dsaparam.o]=progs.h
+ DEPEND[gendsa.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'engine'} -}]
+ SOURCE[openssl]=engine.c
+ DEPEND[engine.o]=progs.h
+ ENDIF
+ IF[{- !$disabled{'rsa'} -}]
+ SOURCE[openssl]=rsa.c rsautl.c genrsa.c
+ DEPEND[rsa.o]=progs.h
+ DEPEND[rsautl.o]=progs.h
+ DEPEND[genrsa.o]=progs.h
+ ENDIF
+ IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
+ GENERATE[openssl.rc]=../util/mkrc.pl openssl
+ SOURCE[openssl]=openssl.rc
+ ENDIF
{- join("\n ", map { (my $x = $_) =~ s|\.c$|.o|; "DEPEND[$x]=progs.h" }
@apps_openssl_src) -}
diff -r 168e1728b856 -r d99c516fd21f crypto/external/bsd/openssl/dist/apps/dhparam.c
--- a/crypto/external/bsd/openssl/dist/apps/dhparam.c Fri Apr 24 17:36:55 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/dhparam.c Fri Apr 24 19:34:15 2020 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,28 +8,24 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_DH
-NON_EMPTY_TRANSLATION_UNIT
-#else
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <string.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
-# include <stdio.h>
-# include <stdlib.h>
-# include <time.h>
-# include <string.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/bn.h>
-# include <openssl/dh.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
+#ifndef OPENSSL_NO_DSA
+# include <openssl/dsa.h>
+#endif
-# ifndef OPENSSL_NO_DSA
-# include <openssl/dsa.h>
-# endif
-
-# define DEFBITS 2048
+#define DEFBITS 2048
static int dh_cb(int p, int n, BN_GENCB *cb);
@@ -56,13 +52,13 @@
{"C", OPT_C, '-', "Print C code"},
{"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
{"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
{"dsaparam", OPT_DSAPARAM, '-',
"Read or generate DSA parameters, convert to DH"},
-# endif
-# ifndef OPENSSL_NO_ENGINE
+#endif
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-# endif
+#endif
{NULL}
};
@@ -146,13 +142,13 @@
if (g && !num)
num = DEFBITS;
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
if (dsaparam && g) {
BIO_printf(bio_err,
"generator may not be chosen for DSA parameters\n");
goto end;
}
-# endif
+#endif
out = bio_open_default(outfile, 'w', outformat);
if (out == NULL)
@@ -173,7 +169,7 @@
BN_GENCB_set(cb, dh_cb, bio_err);
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
if (dsaparam) {
DSA *dsa = DSA_new();
@@ -196,7 +192,7 @@
goto end;
}
} else
-# endif
+#endif
{
dh = DH_new();
BIO_printf(bio_err,
@@ -217,7 +213,7 @@
if (in == NULL)
goto end;
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
if (dsaparam) {
DSA *dsa;
@@ -239,7 +235,7 @@
goto end;
}
} else
-# endif
+#endif
{
if (informat == FORMAT_ASN1) {
/*
@@ -376,4 +372,3 @@
(void)BIO_flush(BN_GENCB_get_arg(cb));
return 1;
}
-#endif
diff -r 168e1728b856 -r d99c516fd21f crypto/external/bsd/openssl/dist/apps/dsa.c
--- a/crypto/external/bsd/openssl/dist/apps/dsa.c Fri Apr 24 17:36:55 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/dsa.c Fri Apr 24 19:34:15 2020 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -8,23 +8,19 @@
*/
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_DSA
-NON_EMPTY_TRANSLATION_UNIT
-#else
-
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include <time.h>
-# include "apps.h"
-# include "progs.h"
-# include <openssl/bio.h>
-# include <openssl/err.h>
-# include <openssl/dsa.h>
-# include <openssl/evp.h>
-# include <openssl/x509.h>
-# include <openssl/pem.h>
-# include <openssl/bn.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include "apps.h"
+#include "progs.h"
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/dsa.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/bn.h>
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -49,14 +45,14 @@
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
-# ifndef OPENSSL_NO_RC4
+#ifndef OPENSSL_NO_RC4
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
{"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
{"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
-# endif
-# ifndef OPENSSL_NO_ENGINE
+#endif
+#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-# endif
+#endif
{NULL}
};
@@ -71,9 +67,9 @@
OPTION_CHOICE o;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
int i, modulus = 0, pubin = 0, pubout = 0, ret = 1;
-# ifndef OPENSSL_NO_RC4
Home |
Main Index |
Thread Index |
Old Index