Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/crypto/external/bsd/openssl/dist merge conflicts
details: https://anonhg.NetBSD.org/src/rev/fccd6c28b54e
branches: trunk
changeset: 931237:fccd6c28b54e
user: christos <christos%NetBSD.org@localhost>
date: Fri Apr 24 19:37:09 2020 +0000
description:
merge conflicts
diffstat:
crypto/external/bsd/openssl/dist/CHANGES | 21 +
crypto/external/bsd/openssl/dist/NEWS | 4 +
crypto/external/bsd/openssl/dist/README | 2 +-
crypto/external/bsd/openssl/dist/apps/ocsp.c | 165 ++++----
crypto/external/bsd/openssl/dist/apps/s_time.c | 3 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_asn1.c | 4 +-
crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c | 10 +-
crypto/external/bsd/openssl/dist/crypto/ec/ecp_smpl.c | 313 ++++++++-------
crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c | 5 +
crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c | 6 +
crypto/external/bsd/openssl/dist/ssl/t1_lib.c | 2 +-
11 files changed, 299 insertions(+), 236 deletions(-)
diffs (truncated from 962 to 300 lines):
diff -r fa6e91928135 -r fccd6c28b54e crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES Fri Apr 24 19:34:15 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES Fri Apr 24 19:37:09 2020 +0000
@@ -7,6 +7,27 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
+
+ *) Fixed segmentation fault in SSL_check_chain()
+ Server or client applications that call the SSL_check_chain() function
+ during or after a TLS 1.3 handshake may crash due to a NULL pointer
+ dereference as a result of incorrect handling of the
+ "signature_algorithms_cert" TLS extension. The crash occurs if an invalid
+ or unrecognised signature algorithm is received from the peer. This could
+ be exploited by a malicious peer in a Denial of Service attack.
+ (CVE-2020-1967)
+ [Benjamin Kaduk]
+
+ *) Added AES consttime code for no-asm configurations
+ an optional constant time support for AES was added
+ when building openssl for no-asm.
+ Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
+ Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
+ At this time this feature is by default disabled.
+ It will be enabled by default in 3.0.
+ [Bernd Edlinger]
+
Changes between 1.1.1e and 1.1.1f [31 Mar 2020]
*) Revert the change of EOF detection while reading in libssl to avoid
diff -r fa6e91928135 -r fccd6c28b54e crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS Fri Apr 24 19:34:15 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS Fri Apr 24 19:37:09 2020 +0000
@@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]
+
+ o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)
+
Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]
o Revert the unexpected EOF reporting via SSL_ERROR_SSL
diff -r fa6e91928135 -r fccd6c28b54e crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README Fri Apr 24 19:34:15 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/README Fri Apr 24 19:37:09 2020 +0000
@@ -1,5 +1,5 @@
- OpenSSL 1.1.1f 31 Mar 2020
+ OpenSSL 1.1.1g 21 Apr 2020
Copyright (c) 1998-2020 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r fa6e91928135 -r fccd6c28b54e crypto/external/bsd/openssl/dist/apps/ocsp.c
--- a/crypto/external/bsd/openssl/dist/apps/ocsp.c Fri Apr 24 19:34:15 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/ocsp.c Fri Apr 24 19:37:09 2020 +0000
@@ -1,5 +1,5 @@
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -9,65 +9,62 @@
#include <openssl/opensslconf.h>
-#ifdef OPENSSL_NO_OCSP
-NON_EMPTY_TRANSLATION_UNIT
-#else
-# ifdef OPENSSL_SYS_VMS
-# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
+#ifdef OPENSSL_SYS_VMS
+# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
* on OpenVMS */
-# endif
+#endif
-# include <stdio.h>
-# include <stdlib.h>
-# include <string.h>
-# include <time.h>
-# include <ctype.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+#include <ctype.h>
/* Needs to be included before the openssl headers */
-# include "apps.h"
-# include "progs.h"
-# include "internal/sockets.h"
-# include <openssl/e_os2.h>
-# include <openssl/crypto.h>
-# include <openssl/err.h>
-# include <openssl/ssl.h>
-# include <openssl/evp.h>
-# include <openssl/bn.h>
-# include <openssl/x509v3.h>
-# include <openssl/rand.h>
+#include "apps.h"
+#include "progs.h"
+#include "internal/sockets.h"
+#include <openssl/e_os2.h>
+#include <openssl/crypto.h>
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+#include <openssl/evp.h>
+#include <openssl/bn.h>
+#include <openssl/x509v3.h>
+#include <openssl/rand.h>
#ifndef HAVE_FORK
-# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
-# define HAVE_FORK 0
-# else
-# define HAVE_FORK 1
-# endif
+#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
+# define HAVE_FORK 0
+#else
+# define HAVE_FORK 1
+#endif
#endif
#if HAVE_FORK
-# undef NO_FORK
+#undef NO_FORK
#else
-# define NO_FORK
+#define NO_FORK
#endif
-# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
+#if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \
&& !defined(OPENSSL_NO_POSIX_IO)
-# define OCSP_DAEMON
-# include <sys/types.h>
-# include <sys/wait.h>
-# include <syslog.h>
-# include <signal.h>
-# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
-# else
-# undef LOG_INFO
-# undef LOG_WARNING
-# undef LOG_ERR
-# define LOG_INFO 0
-# define LOG_WARNING 1
-# define LOG_ERR 2
-# endif
+# define OCSP_DAEMON
+# include <sys/types.h>
+# include <sys/wait.h>
+# include <syslog.h>
+# include <signal.h>
+# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */
+#else
+# undef LOG_INFO
+# undef LOG_WARNING
+# undef LOG_ERR
+# define LOG_INFO 0
+# define LOG_WARNING 1
+# define LOG_ERR 2
+#endif
-# if defined(OPENSSL_SYS_VXWORKS)
+#if defined(OPENSSL_SYS_VXWORKS)
/* not supported */
int setpgid(pid_t pid, pid_t pgid)
{
@@ -80,9 +77,9 @@
errno = ENOSYS;
return (pid_t) -1;
}
-# endif
+#endif
/* Maximum leeway in validity period: default 5 minutes */
-# define MAX_VALIDITY_PERIOD (5 * 60)
+#define MAX_VALIDITY_PERIOD (5 * 60)
static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert,
const EVP_MD *cert_id_md, X509 *issuer,
@@ -109,20 +106,20 @@
static char *prog;
static int multi = 0;
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
static int acfd = (int) INVALID_SOCKET;
static int index_changed(CA_DB *);
static void spawn_loop(void);
static int print_syslog(const char *str, size_t len, void *levPtr);
static void socket_timeout(int signum);
-# endif
+#endif
-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
const char *path,
const STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout);
-# endif
+#endif
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -160,9 +157,9 @@
"Don't include any certificates in response"},
{"resp_key_id", OPT_RESP_KEY_ID, '-',
"Identify response by signing certificate key ID"},
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
{"multi", OPT_MULTI, 'p', "run multiple responder processes"},
-# endif
+#endif
{"no_certs", OPT_NO_CERTS, '-',
"Don't include any certificates in signed request"},
{"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-',
@@ -511,9 +508,9 @@
trailing_md = 1;
break;
case OPT_MULTI:
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
multi = atoi(opt_arg());
-# endif
+#endif
break;
}
}
@@ -593,7 +590,7 @@
}
}
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
if (multi && acbio != NULL)
spawn_loop();
if (acbio != NULL && req_timeout > 0)
@@ -606,7 +603,7 @@
redo_accept:
if (acbio != NULL) {
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
if (index_changed(rdb)) {
CA_DB *newrdb = load_index(ridx_filename, NULL);
@@ -619,7 +616,7 @@
ridx_filename);
}
}
-# endif
+#endif
req = NULL;
if (!do_responder(&req, &cbio, acbio, req_timeout))
@@ -688,16 +685,16 @@
if (cbio != NULL)
send_ocsp_response(cbio, resp);
} else if (host != NULL) {
-# ifndef OPENSSL_NO_SOCK
+#ifndef OPENSSL_NO_SOCK
resp = process_responder(req, host, path,
port, use_ssl, headers, req_timeout);
if (resp == NULL)
goto end;
-# else
+#else
BIO_printf(bio_err,
"Error creating connect BIO - sockets not supported.\n");
goto end;
-# endif
+#endif
} else if (respin != NULL) {
derbio = bio_open_default(respin, 'r', FORMAT_ASN1);
if (derbio == NULL)
@@ -840,7 +837,7 @@
va_list ap;
va_start(ap, fmt);
-# ifdef OCSP_DAEMON
+#ifdef OCSP_DAEMON
if (multi) {
char buf[1024];
if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) {
@@ -849,7 +846,7 @@
if (level >= LOG_ERR)
ERR_print_errors_cb(print_syslog, &level);
}
-# endif
+#endif
if (!multi) {
BIO_printf(bio_err, "%s: ", prog);
BIO_vprintf(bio_err, fmt, ap);
@@ -858,7 +855,7 @@
Home |
Main Index |
Thread Index |
Old Index