Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/external/bsd/openssl/dist merge conflicts
details: https://anonhg.NetBSD.org/src/rev/536fcf0f30d2
branches: trunk
changeset: 813492:536fcf0f30d2
user: christos <christos%NetBSD.org@localhost>
date: Sat Jan 30 17:00:19 2016 +0000
description:
merge conflicts
diffstat:
crypto/external/bsd/openssl/dist/CHANGES | 24 ++
crypto/external/bsd/openssl/dist/Configure | 33 ++-
crypto/external/bsd/openssl/dist/Makefile | 40 ++--
crypto/external/bsd/openssl/dist/NEWS | 5 +
crypto/external/bsd/openssl/dist/README | 13 +-
crypto/external/bsd/openssl/dist/apps/ocsp.c | 2 +-
crypto/external/bsd/openssl/dist/apps/speed.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/aes/aes.h | 2 +-
crypto/external/bsd/openssl/dist/crypto/aes/aes_locl.h | 2 +-
crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c | 41 +++-
crypto/external/bsd/openssl/dist/crypto/bn/exptest.c | 82 ++++++++-
crypto/external/bsd/openssl/dist/crypto/dso/dso_dlfcn.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/ec/ectest.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/engine/eng_all.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/mem_clr.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/opensslv.h | 6 +-
crypto/external/bsd/openssl/dist/crypto/rsa/rsa_sign.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/sha/sha1test.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/ui/ui_openssl.c | 2 +-
crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c | 39 ++-
crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 29 +--
crypto/external/bsd/openssl/dist/openssl.spec | 2 +-
crypto/external/bsd/openssl/dist/ssl/d1_both.c | 70 +++++--
crypto/external/bsd/openssl/dist/ssl/s2_srvr.c | 20 ++-
crypto/external/bsd/openssl/dist/ssl/s3_clnt.c | 63 ++++---
crypto/external/bsd/openssl/dist/ssl/s3_lib.c | 19 +-
crypto/external/bsd/openssl/dist/ssl/s3_srvr.c | 25 +-
crypto/external/bsd/openssl/dist/ssl/ssl.h | 2 +-
crypto/external/bsd/openssl/dist/ssl/t1_enc.c | 2 +-
crypto/external/bsd/openssl/dist/ssl/t1_lib.c | 14 +-
30 files changed, 346 insertions(+), 207 deletions(-)
diffs (truncated from 1104 to 300 lines):
diff -r 07d55c2aca50 -r 536fcf0f30d2 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Sat Jan 30 17:00:19 2016 +0000
@@ -2,6 +2,30 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
+
+ *) Protection for DH small subgroup attacks
+
+ As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
+ switched on by default and cannot be disabled. This could have some
+ performance impact.
+ [Matt Caswell]
+
+ *) SSLv2 doesn't block disabled ciphers
+
+ A malicious client can negotiate SSLv2 ciphers that have been disabled on
+ the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+ been disabled, provided that the SSLv2 protocol was not also disabled via
+ SSL_OP_NO_SSLv2.
+
+ This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+ and Sebastian Schinzel.
+ (CVE-2015-3197)
+ [Viktor Dukhovni]
+
+ *) Reject DH handshakes with parameters shorter than 1024 bits.
+ [Kurt Roeckx]
+
Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
*) Certificate verify crash with missing PSS parameter
diff -r 07d55c2aca50 -r 536fcf0f30d2 crypto/external/bsd/openssl/dist/Configure
--- a/crypto/external/bsd/openssl/dist/Configure Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/Configure Sat Jan 30 17:00:19 2016 +0000
@@ -105,6 +105,9 @@
my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK
-DOPENSSL_NO_DEPRECATED";
+# Warn that "make depend" should be run?
+my $warn_make_depend = 0;
+
my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments";
my $strict_warnings = 0;
@@ -1446,7 +1449,7 @@
# linker only when --prefix is not /usr.
if ($target =~ /^BSD\-/)
{
- $shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
+ $shared_ldflag.=" -Wl,-rpath,\$\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|);
}
if ($sys_id ne "")
@@ -1953,14 +1956,8 @@
&dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
}
if ($depflags ne $default_depflags && !$make_depend) {
- print <<EOF;
-
-Since you've disabled or enabled at least one algorithm, you need to do
-the following before building:
-
- make depend
-EOF
- }
+ $warn_make_depend++;
+ }
}
# create the ms/version32.rc file if needed
@@ -2039,12 +2036,18 @@
print <<\EOF if ($no_shared_warn);
-You gave the option 'shared'. Normally, that would give you shared libraries.
-Unfortunately, the OpenSSL configuration doesn't include shared library support
-for this platform yet, so it will pretend you gave the option 'no-shared'. If
-you can inform the developpers (openssl-dev\@openssl.org) how to support shared
-libraries on this platform, they will at least look at it and try their best
-(but please first make sure you have tried with a current version of OpenSSL).
+You gave the option 'shared', which is not supported on this platform, so
+we will pretend you gave the option 'no-shared'. If you know how to implement
+shared libraries, please let us know (but please first make sure you have
+tried with a current version of OpenSSL).
+EOF
+
+print <<EOF if ($warn_make_depend);
+
+*** Because of configuration changes, you MUST do the following before
+*** building:
+
+ make depend
EOF
exit(0);
diff -r 07d55c2aca50 -r 536fcf0f30d2 crypto/external/bsd/openssl/dist/Makefile
--- a/crypto/external/bsd/openssl/dist/Makefile Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile Sat Jan 30 17:00:19 2016 +0000
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.1q
+VERSION=1.0.1r
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
@@ -181,8 +181,7 @@
GENERAL= Makefile
BASENAME= openssl
NAME= $(BASENAME)-$(VERSION)
-TARFILE= $(NAME).tar
-WTARFILE= $(NAME)-win.tar
+TARFILE= ../$(NAME).tar
EXHEADER= e_os2.h
HEADER= e_os.h
@@ -501,38 +500,35 @@
# would occur. Therefore the list of files is temporarily stored into a file
# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
# tar does not support the --files-from option.
-TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list \
- --owner openssl:0 --group openssl:0 \
- --transform 's|^|openssl-$(VERSION)/|' \
+TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
+ --owner 0 --group 0 \
+ --transform 's|^|$(NAME)/|' \
-cvf -
-../$(TARFILE).list:
+$(TARFILE).list:
find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
\! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \
- \! -name '*test' \! -name '.#*' \! -name '*~' \
- | sort > ../$(TARFILE).list
+ \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \
+ \! -name '.#*' \! -name '*~' \! -type l \
+ | sort > $(TARFILE).list
-tar: ../$(TARFILE).list
+tar: $(TARFILE).list
find . -type d -print | xargs chmod 755
find . -type f -print | xargs chmod a+r
find . -type f -perm -0100 -print | xargs chmod a+x
- $(TAR_COMMAND) | gzip --best >../$(TARFILE).gz
- rm -f ../$(TARFILE).list
- ls -l ../$(TARFILE).gz
+ $(TAR_COMMAND) | gzip --best > $(TARFILE).gz
+ rm -f $(TARFILE).list
+ ls -l $(TARFILE).gz
-tar-snap: ../$(TARFILE).list
- $(TAR_COMMAND) > ../$(TARFILE)
- rm -f ../$(TARFILE).list
- ls -l ../$(TARFILE)
+tar-snap: $(TARFILE).list
+ $(TAR_COMMAND) > $(TARFILE)
+ rm -f $(TARFILE).list
+ ls -l $(TARFILE)
dist:
$(PERL) Configure dist
- @$(MAKE) dist_pem_h
@$(MAKE) SDIRS='$(SDIRS)' clean
- @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar
-
-dist_pem_h:
- (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
+ @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
install: all install_docs install_sw
diff -r 07d55c2aca50 -r 536fcf0f30d2 crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS Sat Jan 30 17:00:19 2016 +0000
@@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016]
+
+ o Protection for DH small subgroup attacks
+ o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
+
Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]
o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
diff -r 07d55c2aca50 -r 536fcf0f30d2 crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/README Sat Jan 30 17:00:19 2016 +0000
@@ -1,5 +1,5 @@
- OpenSSL 1.0.1q 3 Dec 2015
+ OpenSSL 1.0.1r 28 Jan 2016
Copyright (c) 1998-2015 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -90,11 +90,12 @@
In order to avoid spam, this is a moderated mailing list, and it might
take a day for the ticket to show up. (We also scan posts to make sure
- that security disclosures aren't publically posted by mistake.) Mail to
- this address is recorded in the public RT (request tracker) database (see
- https://www.openssl.org/support/rt.html for details) and also forwarded
- the public openssl-dev mailing list. Confidential mail may be sent to
- openssl-security%openssl.org@localhost (PGP key available from the key servers).
+ that security disclosures aren't publically posted by mistake.) Mail
+ to this address is recorded in the public RT (request tracker) database
+ (see https://www.openssl.org/community/index.html#bugs for details) and
+ also forwarded the public openssl-dev mailing list. Confidential mail
+ may be sent to openssl-security%openssl.org@localhost (PGP key available from the
+ key servers).
Please do NOT use this for general assistance or support queries.
Just because something doesn't work the way you expect does not mean it
diff -r 07d55c2aca50 -r 536fcf0f30d2 crypto/external/bsd/openssl/dist/apps/ocsp.c
--- a/crypto/external/bsd/openssl/dist/apps/ocsp.c Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/ocsp.c Sat Jan 30 17:00:19 2016 +0000
@@ -1003,7 +1003,7 @@
bs = OCSP_BASICRESP_new();
thisupd = X509_gmtime_adj(NULL, 0);
if (ndays != -1)
- nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24);
+ nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
/* Examine each certificate id in the request */
for (i = 0; i < id_count; i++) {
diff -r 07d55c2aca50 -r 536fcf0f30d2 crypto/external/bsd/openssl/dist/apps/speed.c
--- a/crypto/external/bsd/openssl/dist/apps/speed.c Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/speed.c Sat Jan 30 17:00:19 2016 +0000
@@ -1,4 +1,4 @@
-/* apps/speed.c -*- mode:C; c-file-style: "eay" -*- */
+/* apps/speed.c */
/* Copyright (C) 1995-1998 Eric Young (eay%cryptsoft.com@localhost)
* All rights reserved.
*
diff -r 07d55c2aca50 -r 536fcf0f30d2 crypto/external/bsd/openssl/dist/crypto/aes/aes.h
--- a/crypto/external/bsd/openssl/dist/crypto/aes/aes.h Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/aes/aes.h Sat Jan 30 17:00:19 2016 +0000
@@ -1,4 +1,4 @@
-/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes.h */
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
diff -r 07d55c2aca50 -r 536fcf0f30d2 crypto/external/bsd/openssl/dist/crypto/aes/aes_locl.h
--- a/crypto/external/bsd/openssl/dist/crypto/aes/aes_locl.h Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/aes/aes_locl.h Sat Jan 30 17:00:19 2016 +0000
@@ -1,4 +1,4 @@
-/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */
+/* crypto/aes/aes.h */
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
*
diff -r 07d55c2aca50 -r 536fcf0f30d2 crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c
--- a/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c Sat Jan 30 16:56:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/bn/bn_exp.c Sat Jan 30 17:00:19 2016 +0000
@@ -275,9 +275,14 @@
}
bits = BN_num_bits(p);
-
if (bits == 0) {
- ret = BN_one(r);
+ /* x**0 mod 1 is still zero. */
+ if (BN_is_one(m)) {
+ ret = 1;
+ BN_zero(r);
+ } else {
+ ret = BN_one(r);
+ }
return ret;
}
@@ -411,7 +416,13 @@
}
bits = BN_num_bits(p);
if (bits == 0) {
- ret = BN_one(rr);
+ /* x**0 mod 1 is still zero. */
+ if (BN_is_one(m)) {
+ ret = 1;
+ BN_zero(rr);
+ } else {
+ ret = BN_one(rr);
+ }
return ret;
}
@@ -583,7 +594,7 @@
* precomputation memory layout to limit data-dependency to a minimum to
* protect secret exponents (cf. the hyper-threading timing attacks pointed
* out by Colin Percival,
- * http://www.daemong-consideredperthreading-considered-harmful/)
+ * http://www.daemonology.net/hyperthreading-considered-harmful/)
*/
int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
Home |
Main Index |
Thread Index |
Old Index