Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/crypto/external/bsd/openssl/dist merge conflicts



details:   https://anonhg.NetBSD.org/src/rev/148284f2d302
branches:  trunk
changeset: 343350:148284f2d302
user:      christos <christos%NetBSD.org@localhost>
date:      Sat Jan 30 17:00:19 2016 +0000

description:
merge conflicts

diffstat:

 crypto/external/bsd/openssl/dist/CHANGES                                 |  24 ++
 crypto/external/bsd/openssl/dist/Configure                               |  33 ++-
 crypto/external/bsd/openssl/dist/Makefile                                |  40 ++--
 crypto/external/bsd/openssl/dist/NEWS                                    |   5 +
 crypto/external/bsd/openssl/dist/README                                  |  13 +-
 crypto/external/bsd/openssl/dist/apps/ocsp.c                             |   2 +-
 crypto/external/bsd/openssl/dist/apps/speed.c                            |   2 +-
 crypto/external/bsd/openssl/dist/crypto/aes/aes.h                        |   2 +-
 crypto/external/bsd/openssl/dist/crypto/aes/aes_locl.h                   |   2 +-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c                      |  41 +++-
 crypto/external/bsd/openssl/dist/crypto/bn/exptest.c                     |  82 ++++++++-
 crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c                  |   2 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ectest.c                      |   2 +-
 crypto/external/bsd/openssl/dist/crypto/engine/eng_all.c                 |   2 +-
 crypto/external/bsd/openssl/dist/crypto/mem_clr.c                        |   2 +-
 crypto/external/bsd/openssl/dist/crypto/opensslv.h                       |   6 +-
 crypto/external/bsd/openssl/dist/crypto/rsa/rsa_sign.c                   |   4 +-
 crypto/external/bsd/openssl/dist/crypto/sha/sha1test.c                   |   2 +-
 crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c                  |   2 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c                  |  39 ++-
 crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod |  29 +--
 crypto/external/bsd/openssl/dist/openssl.spec                            |   2 +-
 crypto/external/bsd/openssl/dist/ssl/d1_both.c                           |  70 +++++--
 crypto/external/bsd/openssl/dist/ssl/s2_srvr.c                           |  20 ++-
 crypto/external/bsd/openssl/dist/ssl/s3_clnt.c                           |  63 ++++---
 crypto/external/bsd/openssl/dist/ssl/s3_lib.c                            |  19 +-
 crypto/external/bsd/openssl/dist/ssl/s3_srvr.c                           |  25 +-
 crypto/external/bsd/openssl/dist/ssl/ssl.h                               |   2 +-
 crypto/external/bsd/openssl/dist/ssl/t1_enc.c                            |   2 +-
 crypto/external/bsd/openssl/dist/ssl/t1_lib.c                            |  14 +-
 30 files changed, 346 insertions(+), 207 deletions(-)

diffs (truncated from 1104 to 300 lines):

diff -r 181794eefb0a -r 148284f2d302 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES  Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES  Sat Jan 30 17:00:19 2016 +0000
@@ -2,6 +2,30 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
+
+  *) Protection for DH small subgroup attacks
+
+     As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
+     switched on by default and cannot be disabled. This could have some
+     performance impact.
+     [Matt Caswell]
+
+  *) SSLv2 doesn't block disabled ciphers
+
+     A malicious client can negotiate SSLv2 ciphers that have been disabled on
+     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+     been disabled, provided that the SSLv2 protocol was not also disabled via
+     SSL_OP_NO_SSLv2.
+
+     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+     and Sebastian Schinzel.
+     (CVE-2015-3197)
+     [Viktor Dukhovni]
+
+  *) Reject DH handshakes with parameters shorter than 1024 bits.
+     [Kurt Roeckx]
+
  Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
 
   *) Certificate verify crash with missing PSS parameter
diff -r 181794eefb0a -r 148284f2d302 crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure        Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure        Sat Jan 30 17:00:19 2016 +0000
@@ -105,6 +105,9 @@
 
 my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK 
-DOPENSSL_NO_DEPRECATED";
 
+# Warn that "make depend" should be run?
+my $warn_make_depend = 0;
+
 my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments";
 
 my $strict_warnings = 0;
@@ -1446,7 +1449,7 @@
 # linker only when --prefix is not /usr.
 if ($target =~ /^BSD\-/)
        {
-       $shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
+       $shared_ldflag.=" -Wl,-rpath,\$\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
        }
 
 if ($sys_id ne "")
@@ -1953,14 +1956,8 @@
            &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
        }
        if ($depflags ne $default_depflags && !$make_depend) {
-               print <<EOF;
-
-Since you've disabled or enabled at least one algorithm, you need to do
-the following before building:
-
-       make depend
-EOF
-       }
+            $warn_make_depend++;
+        }
 }
 
 # create the ms/version32.rc file if needed
@@ -2039,12 +2036,18 @@
 
 print <<\EOF if ($no_shared_warn);
 
-You gave the option 'shared'.  Normally, that would give you shared libraries.
-Unfortunately, the OpenSSL configuration doesn't include shared library support
-for this platform yet, so it will pretend you gave the option 'no-shared'.  If
-you can inform the developpers (openssl-dev\@openssl.org) how to support shared
-libraries on this platform, they will at least look at it and try their best
-(but please first make sure you have tried with a current version of OpenSSL).
+You gave the option 'shared', which is not supported on this platform, so
+we will pretend you gave the option 'no-shared'.  If you know how to implement
+shared libraries, please let us know (but please first make sure you have
+tried with a current version of OpenSSL).
+EOF
+
+print <<EOF if ($warn_make_depend);
+
+*** Because of configuration changes, you MUST do the following before
+*** building:
+
+       make depend
 EOF
 
 exit(0);
diff -r 181794eefb0a -r 148284f2d302 crypto/external/bsd/openssl/dist/Makefile
--- a/crypto/external/bsd/openssl/dist/Makefile Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile Sat Jan 30 17:00:19 2016 +0000
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.1q
+VERSION=1.0.1r
 MAJOR=1
 MINOR=0.1
 SHLIB_VERSION_NUMBER=1.0.0
@@ -181,8 +181,7 @@
 GENERAL=        Makefile
 BASENAME=       openssl
 NAME=           $(BASENAME)-$(VERSION)
-TARFILE=        $(NAME).tar
-WTARFILE=       $(NAME)-win.tar
+TARFILE=        ../$(NAME).tar
 EXHEADER=       e_os2.h
 HEADER=         e_os.h
 
@@ -501,38 +500,35 @@
 # would occur. Therefore the list of files is temporarily stored into a file
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
-TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list \
-                              --owner openssl:0 --group openssl:0 \
-                              --transform 's|^|openssl-$(VERSION)/|' \
+TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
+                              --owner 0 --group 0 \
+                              --transform 's|^|$(NAME)/|' \
                               -cvf -
 
-../$(TARFILE).list:
+$(TARFILE).list:
        find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
               \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \
-              \! -name '*test' \! -name '.#*' \! -name '*~' \
-           | sort > ../$(TARFILE).list
+              \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
+              \! -name '.#*' \! -name '*~' \! -type l \
+           | sort > $(TARFILE).list
 
-tar: ../$(TARFILE).list
+tar: $(TARFILE).list
        find . -type d -print | xargs chmod 755
        find . -type f -print | xargs chmod a+r
        find . -type f -perm -0100 -print | xargs chmod a+x
-       $(TAR_COMMAND) | gzip --best >../$(TARFILE).gz
-       rm -f ../$(TARFILE).list
-       ls -l ../$(TARFILE).gz
+       $(TAR_COMMAND) | gzip --best > $(TARFILE).gz
+       rm -f $(TARFILE).list
+       ls -l $(TARFILE).gz
 
-tar-snap: ../$(TARFILE).list
-       $(TAR_COMMAND) > ../$(TARFILE)
-       rm -f ../$(TARFILE).list
-       ls -l ../$(TARFILE)
+tar-snap: $(TARFILE).list
+       $(TAR_COMMAND) > $(TARFILE)
+       rm -f $(TARFILE).list
+       ls -l $(TARFILE)
 
 dist:   
        $(PERL) Configure dist
-       @$(MAKE) dist_pem_h
        @$(MAKE) SDIRS='$(SDIRS)' clean
-       @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar
-
-dist_pem_h:
-       (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
+       @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
 
 install: all install_docs install_sw
 
diff -r 181794eefb0a -r 148284f2d302 crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS     Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS     Sat Jan 30 17:00:19 2016 +0000
@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016]
+
+      o Protection for DH small subgroup attacks
+      o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
+
   Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]
 
       o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
diff -r 181794eefb0a -r 148284f2d302 crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README   Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/README   Sat Jan 30 17:00:19 2016 +0000
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1q 3 Dec 2015
+ OpenSSL 1.0.1r 28 Jan 2016
 
  Copyright (c) 1998-2015 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -90,11 +90,12 @@
 
  In order to avoid spam, this is a moderated mailing list, and it might
  take a day for the ticket to show up.  (We also scan posts to make sure
- that security disclosures aren't publically posted by mistake.) Mail to
- this address is recorded in the public RT (request tracker) database (see
- https://www.openssl.org/support/rt.html for details) and also forwarded
- the public openssl-dev mailing list.  Confidential mail may be sent to
- openssl-security%openssl.org@localhost (PGP key available from the key servers).
+ that security disclosures aren't publically posted by mistake.) Mail
+ to this address is recorded in the public RT (request tracker) database
+ (see https://www.openssl.org/community/index.html#bugs for details) and
+ also forwarded the public openssl-dev mailing list.  Confidential mail
+ may be sent to openssl-security%openssl.org@localhost (PGP key available from the
+ key servers).
 
  Please do NOT use this for general assistance or support queries.
  Just because something doesn't work the way you expect does not mean it
diff -r 181794eefb0a -r 148284f2d302 crypto/external/bsd/openssl/dist/apps/ocsp.c
--- a/crypto/external/bsd/openssl/dist/apps/ocsp.c      Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/ocsp.c      Sat Jan 30 17:00:19 2016 +0000
@@ -1003,7 +1003,7 @@
     bs = OCSP_BASICRESP_new();
     thisupd = X509_gmtime_adj(NULL, 0);
     if (ndays != -1)
-        nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24);
+        nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
 
     /* Examine each certificate id in the request */
     for (i = 0; i < id_count; i++) {
diff -r 181794eefb0a -r 148284f2d302 crypto/external/bsd/openssl/dist/apps/speed.c
--- a/crypto/external/bsd/openssl/dist/apps/speed.c     Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/speed.c     Sat Jan 30 17:00:19 2016 +0000
@@ -1,4 +1,4 @@
-/* apps/speed.c -*- mode:C; c-file-style: "eay" -*- */
+/* apps/speed.c */
 /* Copyright (C) 1995-1998 Eric Young (eay%cryptsoft.com@localhost)
  * All rights reserved.
  *
diff -r 181794eefb0a -r 148284f2d302 crypto/external/bsd/openssl/dist/crypto/aes/aes.h
--- a/crypto/external/bsd/openssl/dist/crypto/aes/aes.h Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/aes/aes.h Sat Jan 30 17:00:19 2016 +0000
@@ -1,4 +1,4 @@
-/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes.h */
 /* ====================================================================
  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
diff -r 181794eefb0a -r 148284f2d302 crypto/external/bsd/openssl/dist/crypto/aes/aes_locl.h
--- a/crypto/external/bsd/openssl/dist/crypto/aes/aes_locl.h    Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/aes/aes_locl.h    Sat Jan 30 17:00:19 2016 +0000
@@ -1,4 +1,4 @@
-/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes.h */
 /* ====================================================================
  * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
  *
diff -r 181794eefb0a -r 148284f2d302 crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c
--- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c       Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c       Sat Jan 30 17:00:19 2016 +0000
@@ -275,9 +275,14 @@
     }
 
     bits = BN_num_bits(p);
-
     if (bits == 0) {
-        ret = BN_one(r);
+        /* x**0 mod 1 is still zero. */
+        if (BN_is_one(m)) {
+            ret = 1;
+            BN_zero(r);
+        } else {
+            ret = BN_one(r);
+        }
         return ret;
     }
 
@@ -411,7 +416,13 @@
     }
     bits = BN_num_bits(p);
     if (bits == 0) {
-        ret = BN_one(rr);
+        /* x**0 mod 1 is still zero. */
+        if (BN_is_one(m)) {
+            ret = 1;
+            BN_zero(rr);
+        } else {
+            ret = BN_one(rr);
+        }
         return ret;
     }
 
@@ -583,7 +594,7 @@
  * precomputation memory layout to limit data-dependency to a minimum to
  * protect secret exponents (cf. the hyper-threading timing attacks pointed
  * out by Colin Percival,
- * http://www.daemong-consideredperthreading-considered-harmful/)
+ * http://www.daemonology.net/hyperthreading-considered-harmful/)
  */
 int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,



Home | Main Index | Thread Index | Old Index