Source-Changes-HG archive


[src/trunk]: src/crypto/external/bsd/openssl/dist import latest openssl to fi...



details:   https://anonhg.NetBSD.org/src/rev/0c9cf55ba8ad
branches:  trunk
changeset: 795336:0c9cf55ba8ad
user:      christos <christos%NetBSD.org@localhost>
date:      Tue Apr 08 01:59:07 2014 +0000

description:
import latest openssl to fix the heartbleed vulnerability

diffstat:

 crypto/external/bsd/openssl/dist/CHANGES                                    |  29 +++
 crypto/external/bsd/openssl/dist/FAQ                                        |   3 +
 crypto/external/bsd/openssl/dist/Makefile                                   |   6 +-
 crypto/external/bsd/openssl/dist/Makefile.org                               |   4 +-
 crypto/external/bsd/openssl/dist/NEWS                                       |   7 +
 crypto/external/bsd/openssl/dist/README                                     |   2 +-
 crypto/external/bsd/openssl/dist/apps/apps.c                                |   6 +-
 crypto/external/bsd/openssl/dist/apps/crl.c                                 |  18 ++
 crypto/external/bsd/openssl/dist/apps/dgst.c                                |   4 +-
 crypto/external/bsd/openssl/dist/apps/ecparam.c                             |   4 +-
 crypto/external/bsd/openssl/dist/apps/req.c                                 |  13 +-
 crypto/external/bsd/openssl/dist/crypto/aes/asm/vpaes-x86_64.pl             |   2 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c                     |   2 +-
 crypto/external/bsd/openssl/dist/crypto/cms/cms_lib.c                       |   2 -
 crypto/external/bsd/openssl/dist/crypto/engine/eng_list.c                   |   1 +
 crypto/external/bsd/openssl/dist/crypto/evp/bio_b64.c                       |   2 +-
 crypto/external/bsd/openssl/dist/crypto/modes/gcm128.c                      |  88 ++++++++++
 crypto/external/bsd/openssl/dist/crypto/rand/rand_win.c                     |   2 +-
 crypto/external/bsd/openssl/dist/crypto/symhacks.h                          |   6 +
 crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c                       |   6 +-
 crypto/external/bsd/openssl/dist/demos/cms/cms_comp.c                       |   2 +-
 crypto/external/bsd/openssl/dist/demos/cms/cms_dec.c                        |   2 +-
 crypto/external/bsd/openssl/dist/demos/cms/cms_sign.c                       |   2 +-
 crypto/external/bsd/openssl/dist/doc/apps/config.pod                        |   2 +-
 crypto/external/bsd/openssl/dist/doc/apps/crl.pod                           |   5 +
 crypto/external/bsd/openssl/dist/doc/apps/ec.pod                            |   2 +-
 crypto/external/bsd/openssl/dist/doc/apps/pkcs12.pod                        |   9 +-
 crypto/external/bsd/openssl/dist/doc/apps/req.pod                           |   2 +-
 crypto/external/bsd/openssl/dist/doc/apps/s_client.pod                      |  16 +-
 crypto/external/bsd/openssl/dist/doc/apps/s_server.pod                      |   2 +-
 crypto/external/bsd/openssl/dist/doc/apps/ts.pod                            |   4 +-
 crypto/external/bsd/openssl/dist/doc/crypto/BN_BLINDING_new.pod             |   2 +-
 crypto/external/bsd/openssl/dist/doc/crypto/ERR_get_error.pod               |   7 +-
 crypto/external/bsd/openssl/dist/doc/crypto/EVP_BytesToKey.pod              |   2 +-
 crypto/external/bsd/openssl/dist/doc/crypto/EVP_EncryptInit.pod             |   2 +-
 crypto/external/bsd/openssl/dist/doc/crypto/X509_VERIFY_PARAM_set_flags.pod |   2 +-
 crypto/external/bsd/openssl/dist/doc/crypto/pem.pod                         |   2 +-
 crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_verify.pod             |   4 +-
 crypto/external/bsd/openssl/dist/doc/ssl/SSL_set_shutdown.pod               |   2 +-
 crypto/external/bsd/openssl/dist/e_os.h                                     |   7 +
 crypto/external/bsd/openssl/dist/engines/ccgost/gosthash.c                  |  19 +-
 crypto/external/bsd/openssl/dist/ms/do_win64a.bat                           |   2 +-
 crypto/external/bsd/openssl/dist/openssl.spec                               |   2 +-
 crypto/external/bsd/openssl/dist/ssl/d1_both.c                              |  26 ++-
 crypto/external/bsd/openssl/dist/ssl/kssl.h                                 |   9 +
 crypto/external/bsd/openssl/dist/ssl/ssl-lib.com                            |   4 +-
 crypto/external/bsd/openssl/dist/ssl/tls1.h                                 |   6 +
 crypto/external/bsd/openssl/dist/util/libeay.num                            |   1 +
 crypto/external/bsd/openssl/dist/util/pl/BC-32.pl                           |   8 +-
 crypto/external/bsd/openssl/dist/util/pl/VC-32.pl                           |   7 +-
 50 files changed, 288 insertions(+), 81 deletions(-)

diffs (truncated from 1226 to 300 lines):

diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES  Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES  Tue Apr 08 01:59:07 2014 +0000
@@ -2,6 +2,35 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
+
+  *) A missing bounds check in the handling of the TLS heartbeat extension
+     can be used to reveal up to 64k of memory to a connected client or
+     server.
+
+     Thanks for Neel Mehta of Google Security for discovering this bug and to
+     Adam Langley <agl%chromium.org@localhost> and Bodo Moeller <bmoeller%acm.org@localhost> for
+     preparing the fix (CVE-2014-0160)
+     [Adam Langley, Bodo Moeller]
+
+  *) Fix for the attack described in the paper "Recovering OpenSSL
+     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
+     by Yuval Yarom and Naomi Benger. Details can be obtained from:
+     http://eprint.iacr.org/2014/140
+
+     Thanks to Yuval Yarom and Naomi Benger for discovering this
+     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
+     [Yuval Yarom and Naomi Benger]
+
+  *) TLS pad extension: draft-agl-tls-padding-03
+
+     Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
+     TLS client Hello record length value would otherwise be > 255 and
+     less that 512 pad with a dummy extension containing zeroes so it
+     is at least 512 bytes long.
+
+     [Adam Langley, Steve Henson]
+
  Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
 
   *) Fix for TLS record tampering bug. A carefully crafted invalid 
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/FAQ
--- a/crypto/external/bsd/openssl/dist/FAQ      Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/FAQ      Tue Apr 08 01:59:07 2014 +0000
@@ -768,6 +768,9 @@
 acknowledging receipt then resend or mail it directly to one of the
 more active team members (e.g. Steve).
 
+Note that bugs only present in the openssl utility are not in general
+considered to be security issues. 
+
 [PROG] ========================================================================
 
 * Is OpenSSL thread-safe?
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/Makefile
--- a/crypto/external/bsd/openssl/dist/Makefile Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile Tue Apr 08 01:59:07 2014 +0000
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.1f
+VERSION=1.0.1g
 MAJOR=1
 MINOR=0.1
 SHLIB_VERSION_NUMBER=1.0.0
@@ -304,8 +304,8 @@
                        FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
                        export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
                fi; \
-               $(MAKE) -e SHLIBDIRS=crypto  CC=$${CC:-$(CC)} build-shared; \
-               touch -c fips_premain_dso$(EXE_EXT); \
+               $(MAKE) -e SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \
+               (touch -c fips_premain_dso$(EXE_EXT) || :); \
        else \
                echo "There's no support for shared libraries on this platform" >&2; \
                exit 1; \
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/Makefile.org
--- a/crypto/external/bsd/openssl/dist/Makefile.org     Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile.org     Tue Apr 08 01:59:07 2014 +0000
@@ -302,8 +302,8 @@
                        FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
                        export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
                fi; \
-               $(MAKE) -e SHLIBDIRS=crypto  CC=$${CC:-$(CC)} build-shared; \
-               touch -c fips_premain_dso$(EXE_EXT); \
+               $(MAKE) -e SHLIBDIRS=crypto  CC="$${CC:-$(CC)}" build-shared && \
+               (touch -c fips_premain_dso$(EXE_EXT) || :); \
        else \
                echo "There's no support for shared libraries on this platform" >&2; \
                exit 1; \
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS     Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS     Tue Apr 08 01:59:07 2014 +0000
@@ -5,8 +5,15 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
+
+      o Fix for CVE-2014-0160
+      o Add TLS padding extension workaround for broken servers.
+      o Fix for CVE-2014-0076
+
   Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
 
+      o Don't include gmt_unix_time in TLS server and client random values
       o Fix for TLS record tampering bug CVE-2013-4353
       o Fix for TLS version checking bug CVE-2013-6449
       o Fix for DTLS retransmission bug CVE-2013-6450
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README   Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/README   Tue Apr 08 01:59:07 2014 +0000
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1f 6 Jan 2014
+ OpenSSL 1.0.1g 7 Apr 2014
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/apps/apps.c
--- a/crypto/external/bsd/openssl/dist/apps/apps.c      Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/apps.c      Tue Apr 08 01:59:07 2014 +0000
@@ -586,12 +586,12 @@
 
                if (ok >= 0)
                        ok = UI_add_input_string(ui,prompt,ui_flags,buf,
-                               PW_MIN_LENGTH,BUFSIZ-1);
+                               PW_MIN_LENGTH,bufsiz-1);
                if (ok >= 0 && verify)
                        {
                        buff = (char *)OPENSSL_malloc(bufsiz);
                        ok = UI_add_verify_string(ui,prompt,ui_flags,buff,
-                               PW_MIN_LENGTH,BUFSIZ-1, buf);
+                               PW_MIN_LENGTH,bufsiz-1, buf);
                        }
                if (ok >= 0)
                        do
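Review bot: The buffer from `OPENSSL_malloc(bufsiz)` is handed to `UI_add_verify_string` as `buff` with no NULL check, so an allocation failure reaches the UI code as a null result buffer. Since the surrounding lines already gate each step on `ok >= 0`, the smallest fix is `if (buff == NULL) ok = -1; else ok = UI_add_verify_string(ui,prompt,ui_flags,buff,PW_MIN_LENGTH,bufsiz-1, buf);`. The switch to `bufsiz-1` also makes the maximum depend on the caller's size, so a `bufsiz` below `PW_MIN_LENGTH + 1` would give a maximum smaller than the minimum; whether callers can pass such a value is not visible here. The function begins and ends outside the hunk.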
@@ -2841,7 +2841,7 @@
 
        if (proc==NULL)
                {
-               if (GetVersion() < 0x80000000)
+               if (check_winnt())
                        proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,
                                                GetCurrentProcessId());
                if (proc==NULL) proc = (HANDLE)-1;
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/apps/crl.c
--- a/crypto/external/bsd/openssl/dist/apps/crl.c       Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/crl.c       Tue Apr 08 01:59:07 2014 +0000
@@ -81,6 +81,9 @@
 " -in arg         - input file - default stdin\n",
 " -out arg        - output file - default stdout\n",
 " -hash           - print hash value\n",
+#ifndef OPENSSL_NO_MD5
+" -hash_old       - print old-style (MD5) hash value\n",
+#endif
 " -fingerprint    - print the crl fingerprint\n",
 " -issuer         - print issuer DN\n",
 " -lastupdate     - lastUpdate field\n",
@@ -108,6 +111,9 @@
        int informat,outformat;
        char *infile=NULL,*outfile=NULL;
        int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
+#ifndef OPENSSL_NO_MD5
+       int hash_old=0;
+#endif
        int fingerprint = 0, crlnumber = 0;
        const char **pp;
        X509_STORE *store = NULL;
@@ -192,6 +198,10 @@
                        text = 1;
                else if (strcmp(*argv,"-hash") == 0)
                        hash= ++num;
+#ifndef OPENSSL_NO_MD5
+               else if (strcmp(*argv,"-hash_old") == 0)
+                       hash_old= ++num;
+#endif
                else if (strcmp(*argv,"-nameopt") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -304,6 +314,14 @@
                                BIO_printf(bio_out,"%08lx\n",
                                        X509_NAME_hash(X509_CRL_get_issuer(x)));
                                }
+#ifndef OPENSSL_NO_MD5
+                       if (hash_old == i)
+                               {
+                               BIO_printf(bio_out,"%08lx\n",
+                                       X509_NAME_hash_old(
+                                               X509_CRL_get_issuer(x)));
+                               }
+#endif
                        if (lastupdate == i)
                                {
                                BIO_printf(bio_out,"lastUpdate=");
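Review bot: The new `hash_old` branch prints a bare `%08lx` line exactly like the `-hash` branch above it, so when both options are given the two values can only be told apart by argument order. Changing the output format would likely break scripts that consume it, so a comment on the branch is the safer improvement, for example `/* legacy MD5-based issuer name hash, for old hashed-directory lookups only; not a fingerprint */`. The "legacy directory lookup" purpose is inferred from the option text `old-style (MD5) hash value` in the first hunk, so confirm it before committing the wording. The loop this branch sits in starts and ends outside the hunk.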
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/apps/dgst.c
--- a/crypto/external/bsd/openssl/dist/apps/dgst.c      Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/dgst.c      Tue Apr 08 01:59:07 2014 +0000
@@ -427,9 +427,9 @@
                        goto end;
                        }
                if (do_verify)
-                       r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey);
+                       r = EVP_DigestVerifyInit(mctx, &pctx, md, NULL, sigkey);
                else
-                       r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey);
+                       r = EVP_DigestSignInit(mctx, &pctx, md, NULL, sigkey);
                if (!r)
                        {
                        BIO_printf(bio_err, "Error setting context\n");
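Review bot: Both init calls now pass `NULL` where `e` used to go, and nothing at the call site says why, so a later reader may take it for an accidental loss of the `-engine` option. That argument selects the implementation used for the digest `md`, so `NULL` means the default digest implementation; `sigkey` is passed unchanged. A comment above the `if (do_verify)` would record this, for example `/* digest uses the default implementation; any engine is tied to sigkey */`. The second half of that comment assumes the key was loaded through the engine earlier in the function, which the hunk does not show. The enclosing block starts and ends outside the hunk.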
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/apps/ecparam.c
--- a/crypto/external/bsd/openssl/dist/apps/ecparam.c   Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/ecparam.c   Tue Apr 08 01:59:07 2014 +0000
@@ -105,7 +105,7 @@
  *                    in the asn1 der encoding
  *                    possible values: named_curve (default)
  *                                     explicit
- * -no_seed         - if 'explicit' parameters are choosen do not use the seed
+ * -no_seed         - if 'explicit' parameters are chosen do not use the seed
  * -genkey          - generate ec key
  * -rand file       - files to use for random number input
  * -engine e        - use engine e, possibly a hardware device
@@ -286,7 +286,7 @@
                BIO_printf(bio_err, "                                   "
                                " explicit\n");
                BIO_printf(bio_err, " -no_seed          if 'explicit'"
-                               " parameters are choosen do not"
+                               " parameters are chosen do not"
                                " use the seed\n");
                BIO_printf(bio_err, " -genkey           generate ec"
                                " key\n");
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/apps/req.c
--- a/crypto/external/bsd/openssl/dist/apps/req.c       Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/req.c       Tue Apr 08 01:59:07 2014 +0000
@@ -644,6 +644,11 @@
                if (inrand)
                        app_RAND_load_files(inrand);
 
+               if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
+                       {
+                       newkey=DEFAULT_KEY_LENGTH;
+                       }
+
                if (keyalg)
                        {
                        genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
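Review bot: The config lookup for `newkey` now has to run before `set_keygen_ctx`, but nothing in the code states that ordering dependency. It matters because the later hunk at -1649 adds `else keylen = *pkeylen;`, which appears to make `set_keygen_ctx` fall back to the value passed in through `&newkey`. A comment on the new block would keep the two from being reordered again, for example `/* read the configured key size first: set_keygen_ctx() falls back to it when -newkey gives no length */`. Note also that the value from the config reaches `set_keygen_ctx` before any range check. The only bound visible is the `newkey < MIN_KEY_LENGTH` test in the next hunk, which covers RSA and DSA only, and whether other key types need a check cannot be told from these lines.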
@@ -652,12 +657,6 @@
                                goto end;
                        }
        
-               if (newkey <= 0)
-                       {
-                       if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
-                               newkey=DEFAULT_KEY_LENGTH;
-                       }
-
                if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
                        {
                        BIO_printf(bio_err,"private key length is too short,\n");
@@ -1649,6 +1648,8 @@
                                keylen = atol(p + 1);
                                *pkeylen = keylen;
                                }
+                       else
+                               keylen = *pkeylen;
                        }
                else if (p)
                        paramfile = p + 1;
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/crypto/aes/asm/vpaes-x86_64.pl
--- a/crypto/external/bsd/openssl/dist/crypto/aes/asm/vpaes-x86_64.pl   Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/aes/asm/vpaes-x86_64.pl   Tue Apr 08 01:59:07 2014 +0000
@@ -1060,7 +1060,7 @@
 .Lk_dsbo:      # decryption sbox final output
        .quad   0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
        .quad   0x12D7560F93441D00, 0xCA4B8159D8C58E9C
-.asciz "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
+.asciz "Vector Permutation AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
 .align 64
 .size  _vpaes_consts,.-_vpaes_consts
 ___
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c   Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c   Tue Apr 08 01:59:07 2014 +0000
@@ -305,7 +305,7 @@
 {ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"},
 {ERR_REASON(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM),"unknown signature algorithm"},
 {ERR_REASON(ASN1_R_UNKNOWN_TAG)          ,"unknown tag"},
-{ERR_REASON(ASN1_R_UNKOWN_FORMAT)        ,"unkown format"},
+{ERR_REASON(ASN1_R_UNKOWN_FORMAT)        ,"unknown format"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER)   ,"unsupported cipher"},
 {ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"},
diff -r 7bf17ba104fe -r 0c9cf55ba8ad crypto/external/bsd/openssl/dist/crypto/cms/cms_lib.c
--- a/crypto/external/bsd/openssl/dist/crypto/cms/cms_lib.c     Tue Apr 08 00:09:15 2014 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/cms/cms_lib.c     Tue Apr 08 01:59:07 2014 +0000
@@ -465,8 +465,6 @@
        pcerts = cms_get0_certificate_choices(cms);
        if (!pcerts)
                return 0;
-       if (!pcerts)
-               return 0;


