Source-Changes-HG archive


[src/trunk]: src/crypto/external/bsd/openssl/dist Changes between 1.1.1c and ...



details:   https://anonhg.NetBSD.org/src/rev/e89dd15971af
branches:  trunk
changeset: 968639:e89dd15971af
user:      christos <christos%NetBSD.org@localhost>
date:      Thu Jan 23 02:47:58 2020 +0000

description:
Changes between 1.1.1c and 1.1.1d [10 Sep 2019]

  *) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
     number generator (RNG). This was intended to include protection in the
     event of a fork() system call in order to ensure that the parent and child
     processes did not share the same RNG state. However this protection was not
     being used in the default case.

     A partial mitigation for this issue is that the output from a high
     precision timer is mixed into the RNG state so the likelihood of a parent
     and child process sharing state is significantly reduced.

     If an application already calls OPENSSL_init_crypto() explicitly using
     OPENSSL_INIT_ATFORK then this problem does not occur at all.
     (CVE-2019-1549)
     [Matthias St. Pierre]

  *) For built-in EC curves, ensure an EC_GROUP built from the curve name is
     used even when parsing explicit parameters, when loading a serialized key
     or calling `EC_GROUP_new_from_ecpkparameters()`/
     `EC_GROUP_new_from_ecparameters()`.
     This prevents bypass of security hardening and performance gains,
     especially for curves with specialized EC_METHODs.
     By default, if a key encoded with explicit parameters is loaded and later
     serialized, the output is still encoded with explicit parameters, even if
     internally a "named" EC_GROUP is used for computation.
     [Nicola Tuveri]

  *) Compute ECC cofactors if not provided during EC_GROUP construction. Before
     this change, EC_GROUP_set_generator would accept order and/or cofactor as
     NULL. After this change, only the cofactor parameter can be NULL. It also
     does some minimal sanity checks on the passed order.
     (CVE-2019-1547)
     [Billy Bob Brumley]

  *) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
     An attack is simple, if the first CMS_recipientInfo is valid but the
     second CMS_recipientInfo is chosen ciphertext. If the second
     recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
     encryption key will be replaced by garbage, and the message cannot be
     decoded, but if the RSA decryption fails, the correct encryption key is
     used and the recipient will not notice the attack.
     As a work around for this potential attack the length of the decrypted
     key must be equal to the cipher default key length, in case the
     certificate is not given and all recipientInfo are tried out.
     The old behaviour can be re-enabled in the CMS code by setting the
     CMS_DEBUG_DECRYPT flag.
     (CVE-2019-1563)
     [Bernd Edlinger]

  *) Early start up entropy quality from the DEVRANDOM seed source has been
     improved for older Linux systems.  The RAND subsystem will wait for
     /dev/random to be producing output before seeding from /dev/urandom.
     The seeded state is stored for future library initialisations using
     a system global shared memory segment.  The shared memory identifier
     can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
     the desired value.  The default identifier is 114.
     [Paul Dale]

  *) Correct the extended master secret constant on EBCDIC systems. Without this
     fix TLS connections between an EBCDIC system and a non-EBCDIC system that
     negotiate EMS will fail. Unfortunately this also means that TLS connections
     between EBCDIC systems with this fix, and EBCDIC systems without this
     fix will fail if they negotiate EMS.
     [Matt Caswell]

  *) Use Windows installation paths in the mingw builds

     Mingw isn't a POSIX environment per se, which means that Windows
     paths should be used for installation.
     (CVE-2019-1552)
     [Richard Levitte]

  *) Changed DH_check to accept parameters with order q and 2q subgroups.
     With order 2q subgroups the bit 0 of the private key is not secret
     but DH_generate_key works around that by clearing bit 0 of the
     private key for those. This avoids leaking bit 0 of the private key.
     [Bernd Edlinger]

  *) Significantly reduce secure memory usage by the randomness pools.
     [Paul Dale]

  *) Revert the DEVRANDOM_WAIT feature for Linux systems

     The DEVRANDOM_WAIT feature added a select() call to wait for the
     /dev/random device to become readable before reading from the
     /dev/urandom device.

     It turned out that this change had negative side effects on
     performance which were not acceptable. After some discussion it
     was decided to revert this feature and leave it up to the OS
     resp. the platform maintainer to ensure a proper initialization
     during early boot time.
     [Matthias St. Pierre]
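
The fork protection issue in the first changelog entry (CVE-2019-1549), shown as an added illustration that is not OpenSSL or NetBSD code: a toy generator whose state is copied into a child by fork(), run once without and once with a process-id check at generate time. The generator is splitmix64, not a DRBG, and every name in it (toy_rng, toy_generate, outputs_match_after_fork) is hypothetical.

```c
/* Added illustration (not OpenSSL code): RNG state shared across fork(). */
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Toy generator state. splitmix64 is NOT a cryptographic DRBG. */
struct toy_rng {
    uint64_t state;
    pid_t    owner;       /* process that last seeded or reseeded the state */
    int      fork_check;  /* 1 = reseed when the calling pid differs from owner */
};

static uint64_t splitmix64(uint64_t *s)
{
    uint64_t z = (*s += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Fresh seed material: OS entropy if readable, otherwise pid and wall clock. */
static uint64_t fresh_seed(void)
{
    uint64_t v = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f != NULL) {
        size_t n = fread(&v, sizeof(v), 1, f);
        fclose(f);
        if (n == 1)
            return v;
    }
    return ((uint64_t)getpid() << 32) ^ (uint64_t)time(NULL);
}

static void toy_seed(struct toy_rng *r, uint64_t seed, int fork_check)
{
    r->state = seed;
    r->owner = getpid();
    r->fork_check = fork_check;
}

/* The pid is compared on every generate call, so the protection does not
 * depend on the application having registered a fork handler. */
static uint64_t toy_generate(struct toy_rng *r)
{
    pid_t me = getpid();
    if (r->fork_check && me != r->owner) {
        r->state ^= fresh_seed();   /* child diverges from the inherited state */
        r->owner = me;
    }
    return splitmix64(&r->state);
}

/* Seed once, fork, and compare the first value drawn on each side.
 * Returns 1 if parent and child drew the same value, 0 if not, -1 on error. */
int outputs_match_after_fork(int fork_check)
{
    struct toy_rng rng;
    int fds[2];
    uint64_t child_out = 0, parent_out;

    toy_seed(&rng, 0x0123456789ABCDEFULL /* constructed seed */, fork_check);
    (void)toy_generate(&rng);            /* generator is in use before the fork */

    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                      /* child: works on a copy of rng */
        uint64_t v = toy_generate(&rng);
        ssize_t w = write(fds[1], &v, sizeof(v));
        _exit(w == (ssize_t)sizeof(v) ? 0 : 1);
    }
    close(fds[1]);
    parent_out = toy_generate(&rng);
    ssize_t n = read(fds[0], &child_out, sizeof(child_out));
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    if (n != (ssize_t)sizeof(child_out))
        return -1;
    return parent_out == child_out;
}

int main(void)
{
    printf("no fork check: parent and child outputs match = %d\n",
           outputs_match_after_fork(0));
    printf("fork check:    parent and child outputs match = %d\n",
           outputs_match_after_fork(1));
    return 0;
}
```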

diffstat:

 crypto/external/bsd/openssl/dist/Configurations/00-base-templates.conf               |    4 +-
 crypto/external/bsd/openssl/dist/Configurations/10-main.conf                         |    6 +-
 crypto/external/bsd/openssl/dist/Configurations/15-ios.conf                          |    2 +-
 crypto/external/bsd/openssl/dist/Configurations/50-win-onecore.conf                  |    2 +-
 crypto/external/bsd/openssl/dist/Configurations/common0.tmpl                         |    2 +-
 crypto/external/bsd/openssl/dist/Configurations/unix-Makefile.tmpl                   |  106 +-
 crypto/external/bsd/openssl/dist/INSTALL                                             |   29 +-
 crypto/external/bsd/openssl/dist/NOTES.WIN                                           |   15 +
 crypto/external/bsd/openssl/dist/apps/apps.c                                         |    9 +-
 crypto/external/bsd/openssl/dist/apps/apps.h                                         |    4 +-
 crypto/external/bsd/openssl/dist/apps/dgst.c                                         |    4 +-
 crypto/external/bsd/openssl/dist/apps/enc.c                                          |    2 +-
 crypto/external/bsd/openssl/dist/apps/pkcs12.c                                       |    2 +-
 crypto/external/bsd/openssl/dist/apps/s_apps.h                                       |   20 +-
 crypto/external/bsd/openssl/dist/apps/s_cb.c                                         |    3 +-
 crypto/external/bsd/openssl/dist/apps/storeutl.c                                     |    4 +-
 crypto/external/bsd/openssl/dist/config                                              |    8 +-
 crypto/external/bsd/openssl/dist/crypto/aes/asm/aes-s390x.pl                         |    6 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/a_time.c                                |   47 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/x_bignum.c                              |   19 +-
 crypto/external/bsd/openssl/dist/crypto/bio/b_addr.c                                 |   26 +-
 crypto/external/bsd/openssl/dist/crypto/bio/bss_dgram.c                              |    4 +-
 crypto/external/bsd/openssl/dist/crypto/bio/bss_mem.c                                |    4 +-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_div.c                                  |    4 +-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_prime.c                                |    8 +-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_sqrt.c                                 |    5 +-
 crypto/external/bsd/openssl/dist/crypto/cms/cms_att.c                                |  136 +-
 crypto/external/bsd/openssl/dist/crypto/cms/cms_env.c                                |   20 +-
 crypto/external/bsd/openssl/dist/crypto/cms/cms_err.c                                |    5 +-
 crypto/external/bsd/openssl/dist/crypto/cms/cms_lcl.h                                |    9 +-
 crypto/external/bsd/openssl/dist/crypto/cms/cms_sd.c                                 |   38 +-
 crypto/external/bsd/openssl/dist/crypto/cms/cms_smime.c                              |    6 +-
 crypto/external/bsd/openssl/dist/crypto/conf/conf_sap.c                              |    2 +-
 crypto/external/bsd/openssl/dist/crypto/ctype.c                                      |    8 +-
 crypto/external/bsd/openssl/dist/crypto/dh/dh_check.c                                |   37 +-
 crypto/external/bsd/openssl/dist/crypto/dh/dh_gen.c                                  |   56 +-
 crypto/external/bsd/openssl/dist/crypto/dh/dh_key.c                                  |   13 +-
 crypto/external/bsd/openssl/dist/crypto/dsa/dsa_err.c                                |    4 +-
 crypto/external/bsd/openssl/dist/crypto/dsa/dsa_ossl.c                               |   10 +-
 crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-sparcv9.pl               |    3 +-
 crypto/external/bsd/openssl/dist/crypto/ec/asm/ecp_nistz256-x86_64.pl                |    2 +-
 crypto/external/bsd/openssl/dist/crypto/ec/asm/x25519-ppc64.pl                       |    6 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ec_curve.c                                |  114 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ecdh_ossl.c                               |    2 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ecdsa_ossl.c                              |   16 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp224.c                            |   66 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp256.c                            |   67 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp521.c                            |   69 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistputil.c                           |   26 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ecx_meth.c                                |    2 +-
 crypto/external/bsd/openssl/dist/crypto/engine/eng_openssl.c                         |    8 +-
 crypto/external/bsd/openssl/dist/crypto/err/err.c                                    |   16 +-
 crypto/external/bsd/openssl/dist/crypto/err/openssl.txt                              |   12 +
 crypto/external/bsd/openssl/dist/crypto/evp/bio_ok.c                                 |    6 +-
 crypto/external/bsd/openssl/dist/crypto/evp/e_aria.c                                 |   13 +-
 crypto/external/bsd/openssl/dist/crypto/evp/e_chacha20_poly1305.c                    |    7 +-
 crypto/external/bsd/openssl/dist/crypto/evp/e_rc5.c                                  |    6 +-
 crypto/external/bsd/openssl/dist/crypto/evp/evp_err.c                                |   11 +-
 crypto/external/bsd/openssl/dist/crypto/evp/evp_lib.c                                |    9 +-
 crypto/external/bsd/openssl/dist/crypto/evp/m_sha3.c                                 |    5 +-
 crypto/external/bsd/openssl/dist/crypto/include/internal/ctype.h                     |    4 +-
 crypto/external/bsd/openssl/dist/crypto/include/internal/rand_int.h                  |    6 +-
 crypto/external/bsd/openssl/dist/crypto/include/internal/sm2err.h                    |    6 +-
 crypto/external/bsd/openssl/dist/crypto/init.c                                       |    3 +-
 crypto/external/bsd/openssl/dist/crypto/o_str.c                                      |    2 +-
 crypto/external/bsd/openssl/dist/crypto/pem/pvkfmt.c                                 |    5 +-
 crypto/external/bsd/openssl/dist/crypto/rand/drbg_lib.c                              |   13 +-
 crypto/external/bsd/openssl/dist/crypto/rand/rand_err.c                              |    3 +-
 crypto/external/bsd/openssl/dist/crypto/rand/rand_lcl.h                              |   46 +-
 crypto/external/bsd/openssl/dist/crypto/rand/rand_lib.c                              |  148 +-
 crypto/external/bsd/openssl/dist/crypto/rand/rand_win.c                              |    3 +-
 crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ameth.c                              |   13 +
 crypto/external/bsd/openssl/dist/crypto/rsa/rsa_ossl.c                               |   10 +
 crypto/external/bsd/openssl/dist/crypto/s390xcap.c                                   |   12 +-
 crypto/external/bsd/openssl/dist/crypto/sha/asm/keccak1600-armv4.pl                  |  192 +-
 crypto/external/bsd/openssl/dist/crypto/sha/asm/keccak1600-armv8.pl                  |    4 +-
 crypto/external/bsd/openssl/dist/crypto/sha/asm/sha512-sparcv9.pl                    |    4 +-
 crypto/external/bsd/openssl/dist/crypto/sm2/sm2_sign.c                               |    6 +-
 crypto/external/bsd/openssl/dist/crypto/store/loader_file.c                          |   18 +-
 crypto/external/bsd/openssl/dist/crypto/store/store_lib.c                            |    4 +-
 crypto/external/bsd/openssl/dist/crypto/threads_none.c                               |   15 +-
 crypto/external/bsd/openssl/dist/crypto/threads_win.c                                |    4 +
 crypto/external/bsd/openssl/dist/crypto/whrlpool/wp_block.c                          |    3 +-
 crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c                                |    6 +-
 crypto/external/bsd/openssl/dist/crypto/x509/t_req.c                                 |    6 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x509_att.c                              |    6 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x509_cmp.c                              |   12 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x509_err.c                              |    4 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x509_lu.c                               |  113 +-
 crypto/external/bsd/openssl/dist/crypto/x509v3/v3_alt.c                              |   11 +-
 crypto/external/bsd/openssl/dist/crypto/x509v3/v3_purp.c                             |   16 +-
 crypto/external/bsd/openssl/dist/demos/bio/descrip.mms                               |    2 +-
 crypto/external/bsd/openssl/dist/demos/evp/aesgcm.c                                  |    4 +-
 crypto/external/bsd/openssl/dist/doc/HOWTO/proxy_certificates.txt                    |    2 +-
 crypto/external/bsd/openssl/dist/doc/man1/engine.pod                                 |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/errstr.pod                                 |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/pkcs12.pod                                 |    3 +-
 crypto/external/bsd/openssl/dist/doc/man1/pkeyparam.pod                              |    4 +-
 crypto/external/bsd/openssl/dist/doc/man1/s_client.pod                               |    2 +-
 crypto/external/bsd/openssl/dist/doc/man1/s_server.pod                               |    2 +-
 crypto/external/bsd/openssl/dist/doc/man3/ADMISSIONS.pod                             |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/ASYNC_start_job.pod                        |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/BIO_connect.pod                            |    2 +-
 crypto/external/bsd/openssl/dist/doc/man3/BIO_f_ssl.pod                              |   38 +-
 crypto/external/bsd/openssl/dist/doc/man3/BIO_find_type.pod                          |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/BIO_new.pod                                |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/BIO_s_accept.pod                           |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/BIO_s_bio.pod                              |    6 +-
 crypto/external/bsd/openssl/dist/doc/man3/BIO_s_connect.pod                          |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/BIO_s_fd.pod                               |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/BIO_s_mem.pod                              |   48 +-
 crypto/external/bsd/openssl/dist/doc/man3/BIO_set_callback.pod                       |   12 +-
 crypto/external/bsd/openssl/dist/doc/man3/BN_generate_prime.pod                      |   14 +-
 crypto/external/bsd/openssl/dist/doc/man3/BN_mod_mul_montgomery.pod                  |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/BN_new.pod                                 |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/CMS_final.pod                              |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/CRYPTO_THREAD_run_once.pod                 |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/CRYPTO_memcmp.pod                          |   39 +
 crypto/external/bsd/openssl/dist/doc/man3/DES_random_key.pod                         |    8 +-
 crypto/external/bsd/openssl/dist/doc/man3/DSA_generate_key.pod                       |    6 +-
 crypto/external/bsd/openssl/dist/doc/man3/DSA_sign.pod                               |    9 +-
 crypto/external/bsd/openssl/dist/doc/man3/ECDSA_SIG_new.pod                          |   25 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_DigestInit.pod                         |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_DigestSignInit.pod                     |   12 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_DigestVerifyInit.pod                   |   10 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_PKEY_CTX_set_hkdf_md.pod               |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_PKEY_CTX_set_tls1_prf_md.pod           |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_PKEY_decrypt.pod                       |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_PKEY_derive.pod                        |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_PKEY_encrypt.pod                       |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_PKEY_sign.pod                          |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_PKEY_verify.pod                        |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_PKEY_verify_recover.pod                |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_SealInit.pod                           |    9 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_SignInit.pod                           |    9 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_VerifyInit.pod                         |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_aria.pod                               |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_md5.pod                                |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/EVP_rc5_32_12_16_cbc.pod                   |   27 +-
 crypto/external/bsd/openssl/dist/doc/man3/OCSP_REQUEST_new.pod                       |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/OPENSSL_fork_prepare.pod                   |    6 +-
 crypto/external/bsd/openssl/dist/doc/man3/OSSL_STORE_LOADER.pod                      |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/OSSL_STORE_expect.pod                      |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/PKCS12_newpass.pod                         |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/RAND_DRBG_set_callbacks.pod                |    2 +-
 crypto/external/bsd/openssl/dist/doc/man3/RAND_set_rand_method.pod                   |    9 +-
 crypto/external/bsd/openssl/dist/doc/man3/RSA_blinding_on.pod                        |    5 +-
 crypto/external/bsd/openssl/dist/doc/man3/RSA_generate_key.pod                       |   15 +-
 crypto/external/bsd/openssl/dist/doc/man3/RSA_padding_add_PKCS1_type_1.pod           |    7 +-
 crypto/external/bsd/openssl/dist/doc/man3/RSA_public_encrypt.pod                     |    2 +-
 crypto/external/bsd/openssl/dist/doc/man3/RSA_sign_ASN1_OCTET_STRING.pod             |   10 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_config.pod                         |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_dane_enable.pod                    |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_get0_param.pod                     |   16 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_new.pod                            |   19 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set_cipher_list.pod                |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set_generate_session_id.pod        |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set_session_id_context.pod         |    6 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_CTX_set_verify.pod                     |   12 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_SESSION_get0_hostname.pod              |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_get_error.pod                          |    6 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_library_init.pod                       |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_set1_host.pod                          |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/SSL_write.pod                              |    2 +-
 crypto/external/bsd/openssl/dist/doc/man3/X509_STORE_CTX_get_error.pod               |   10 +-
 crypto/external/bsd/openssl/dist/doc/man3/X509_STORE_CTX_set_verify_cb.pod           |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/X509_STORE_add_cert.pod                    |    6 +-
 crypto/external/bsd/openssl/dist/doc/man3/X509_STORE_new.pod                         |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/X509_VERIFY_PARAM_set_flags.pod            |    4 +-
 crypto/external/bsd/openssl/dist/doc/man3/X509_cmp.pod                               |   80 +
 crypto/external/bsd/openssl/dist/doc/man3/X509_get_extension_flags.pod               |   14 +-
 crypto/external/bsd/openssl/dist/doc/man3/d2i_X509.pod                               |   20 +-
 crypto/external/bsd/openssl/dist/doc/man5/x509v3_config.pod                          |    5 +-
 crypto/external/bsd/openssl/dist/doc/man7/Ed25519.pod                                |    4 +-
 crypto/external/bsd/openssl/dist/doc/man7/RAND.pod                                   |    8 +-
 crypto/external/bsd/openssl/dist/doc/man7/SM2.pod                                    |    4 +-
 crypto/external/bsd/openssl/dist/doc/man7/X25519.pod                                 |    4 +-
 crypto/external/bsd/openssl/dist/doc/man7/bio.pod                                    |    4 +-
 crypto/external/bsd/openssl/dist/doc/man7/scrypt.pod                                 |    4 +-
 crypto/external/bsd/openssl/dist/engines/build.info                                  |   15 +-
 crypto/external/bsd/openssl/dist/engines/e_afalg.c                                   |   16 +-
 crypto/external/bsd/openssl/dist/include/internal/constant_time_locl.h               |   64 +-
 crypto/external/bsd/openssl/dist/include/internal/cryptlib.h                         |    1 +
 crypto/external/bsd/openssl/dist/include/internal/dsoerr.h                           |    4 +-
 crypto/external/bsd/openssl/dist/include/internal/thread_once.h                      |    2 +-
 crypto/external/bsd/openssl/dist/include/openssl/asn1err.h                           |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/asyncerr.h                          |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/bio.h                               |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/bioerr.h                            |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/bnerr.h                             |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/buffererr.h                         |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/cms.h                               |    5 +-
 crypto/external/bsd/openssl/dist/include/openssl/cmserr.h                            |    8 +-
 crypto/external/bsd/openssl/dist/include/openssl/comperr.h                           |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/conferr.h                           |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/cryptoerr.h                         |    9 +-
 crypto/external/bsd/openssl/dist/include/openssl/cterr.h                             |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/dherr.h                             |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/dsaerr.h                            |    7 +-
 crypto/external/bsd/openssl/dist/include/openssl/ec.h                                |    7 +-
 crypto/external/bsd/openssl/dist/include/openssl/ecerr.h                             |    4 +
 crypto/external/bsd/openssl/dist/include/openssl/engineerr.h                         |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/evp.h                               |    4 +
 crypto/external/bsd/openssl/dist/include/openssl/evperr.h                            |   12 +-
 crypto/external/bsd/openssl/dist/include/openssl/kdferr.h                            |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/objectserr.h                        |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/ocsperr.h                           |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/opensslv.h                          |    4 +-
 crypto/external/bsd/openssl/dist/include/openssl/pemerr.h                            |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/pkcs12err.h                         |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/pkcs7err.h                          |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/randerr.h                           |    5 +-
 crypto/external/bsd/openssl/dist/include/openssl/rsaerr.h                            |    7 +-
 crypto/external/bsd/openssl/dist/include/openssl/ssl.h                               |   60 +-
 crypto/external/bsd/openssl/dist/include/openssl/sslerr.h                            |    4 +
 crypto/external/bsd/openssl/dist/include/openssl/store.h                             |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/storeerr.h                          |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/tls1.h                              |    4 +-
 crypto/external/bsd/openssl/dist/include/openssl/tserr.h                             |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/uierr.h                             |    6 +-
 crypto/external/bsd/openssl/dist/include/openssl/x509err.h                           |    7 +-
 crypto/external/bsd/openssl/dist/include/openssl/x509v3.h                            |    2 +
 crypto/external/bsd/openssl/dist/include/openssl/x509v3err.h                         |    6 +-
 crypto/external/bsd/openssl/dist/ssl/d1_msg.c                                        |    5 +-
 crypto/external/bsd/openssl/dist/ssl/record/rec_layer_s3.c                           |   12 +-
 crypto/external/bsd/openssl/dist/ssl/ssl_cert.c                                      |    5 +-
 crypto/external/bsd/openssl/dist/ssl/statem/extensions.c                             |   21 +-
 crypto/external/bsd/openssl/dist/ssl/statem/extensions_clnt.c                        |   16 +-
 crypto/external/bsd/openssl/dist/ssl/statem/extensions_srvr.c                        |   20 +-
 crypto/external/bsd/openssl/dist/ssl/statem/statem_clnt.c                            |    6 -
 crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c                             |   19 +-
 crypto/external/bsd/openssl/dist/ssl/statem/statem_srvr.c                            |   54 +-
 crypto/external/bsd/openssl/dist/ssl/tls13_enc.c                                     |   53 +-
 crypto/external/bsd/openssl/dist/test/asn1_time_test.c                               |    6 +-
 crypto/external/bsd/openssl/dist/test/bio_memleak_test.c                             |   40 +
 crypto/external/bsd/openssl/dist/test/build.info                                     |    3 +-
 crypto/external/bsd/openssl/dist/test/certs/mkcert.sh                                |   31 +-
 crypto/external/bsd/openssl/dist/test/certs/server-pss-restrict-cert.pem             |   21 +
 crypto/external/bsd/openssl/dist/test/certs/server-pss-restrict-key.pem              |   29 +
 crypto/external/bsd/openssl/dist/test/certs/setup.sh                                 |    6 +
 crypto/external/bsd/openssl/dist/test/conf_include_test.c                            |    4 +-
 crypto/external/bsd/openssl/dist/test/ct_test.c                                      |   23 +-
 crypto/external/bsd/openssl/dist/test/drbgtest.c                                     |   47 +-
 crypto/external/bsd/openssl/dist/test/dtlstest.c                                     |    2 +-
 crypto/external/bsd/openssl/dist/test/recipes/30-test_evp_data/evpciph.txt           |   11 +
 crypto/external/bsd/openssl/dist/test/recipes/70-test_sslmessages.t                  |   27 +-
 crypto/external/bsd/openssl/dist/test/recipes/70-test_tls13kexmodes.t                |   38 +-
 crypto/external/bsd/openssl/dist/test/recipes/70-test_tls13messages.t                |   91 +-
 crypto/external/bsd/openssl/dist/test/recipes/80-test_cms.t                          |   69 +-
 crypto/external/bsd/openssl/dist/test/recipes/80-test_cms_data/bad_signtime_attr.cms |  Bin 
 crypto/external/bsd/openssl/dist/test/recipes/80-test_cms_data/ct_multiple_attr.cms  |  Bin 
 crypto/external/bsd/openssl/dist/test/recipes/80-test_cms_data/no_ct_attr.cms        |  Bin 
 crypto/external/bsd/openssl/dist/test/recipes/80-test_cms_data/no_md_attr.cms        |  Bin 
 crypto/external/bsd/openssl/dist/test/recipes/90-test_sslapi.t                       |    7 +-
 crypto/external/bsd/openssl/dist/test/ssl-tests/20-cert-select.conf                  |  984 +++++----
 crypto/external/bsd/openssl/dist/test/ssl-tests/20-cert-select.conf.in               |   66 +
 crypto/external/bsd/openssl/dist/test/sslapitest.c                                   |  345 +++-
 crypto/external/bsd/openssl/dist/test/ssltestlib.c                                   |   98 +-
 crypto/external/bsd/openssl/dist/test/ssltestlib.h                                   |    3 +
 crypto/external/bsd/openssl/dist/test/testutil.h                                     |   13 +-
 crypto/external/bsd/openssl/dist/test/testutil/random.c                              |   40 +
 crypto/external/bsd/openssl/dist/test/tls13secretstest.c                             |    2 +-
 crypto/external/bsd/openssl/dist/util/find-doc-nits                                  |   28 +-
 crypto/external/bsd/openssl/dist/util/libcrypto.num                                  |    2 +
 crypto/external/bsd/openssl/dist/util/mkerr.pl                                       |    8 +-
 crypto/external/bsd/openssl/dist/util/perl/OpenSSL/Test.pm                           |   11 +-
 crypto/external/bsd/openssl/dist/util/perl/TLSProxy/CertificateRequest.pm            |  105 +
 crypto/external/bsd/openssl/dist/util/perl/TLSProxy/Message.pm                       |   14 +
 crypto/external/bsd/openssl/dist/util/perl/TLSProxy/Proxy.pm                         |    1 +
 crypto/external/bsd/openssl/dist/util/perl/checkhandshake.pm                         |   20 +-
 270 files changed, 3836 insertions(+), 1535 deletions(-)

diffs (truncated from 11984 to 300 lines):

diff -r 7e5ff3845400 -r e89dd15971af crypto/external/bsd/openssl/dist/Configurations/00-base-templates.conf
--- a/crypto/external/bsd/openssl/dist/Configurations/00-base-templates.conf    Wed Jan 22 23:41:29 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/Configurations/00-base-templates.conf    Thu Jan 23 02:47:58 2020 +0000
@@ -198,7 +198,7 @@
        bn_asm_src      => "bn-586.s co-586.s x86-mont.s x86-gf2m.s",
        ec_asm_src      => "ecp_nistz256.c ecp_nistz256-x86.s",
        des_asm_src     => "des-586.s crypt586.s",
-       aes_asm_src     => "aes-586.s vpaes-x86.s aesni-x86.s",
+       aes_asm_src     => "aes_core.c aes_cbc.c vpaes-x86.s aesni-x86.s",
        bf_asm_src      => "bf-586.s",
        md5_asm_src     => "md5-586.s",
        cast_asm_src    => "cast-586.s",
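Review bot: The `aes_asm_src` line for this x86 template now lists two C files (`aes_core.c aes_cbc.c`) where `aes-586.s` used to be, and neither the hunk nor the commit description says why the assembler AES was dropped. Please add a comment next to the entry, or a changelog line, stating the reason and that the generic AES code for this target now comes from C sources, so that anyone chasing a performance or behaviour difference on x86 can find the cause.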
@@ -223,7 +223,7 @@
        cpuid_asm_src   => "x86_64cpuid.s",
        bn_asm_src      => "asm/x86_64-gcc.c x86_64-mont.s x86_64-mont5.s x86_64-gf2m.s rsaz_exp.c rsaz-x86_64.s rsaz-avx2.s",
        ec_asm_src      => "ecp_nistz256.c ecp_nistz256-x86_64.s x25519-x86_64.s",
-       aes_asm_src     => "aes-x86_64.s vpaes-x86_64.s bsaes-x86_64.s aesni-x86_64.s aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s",
+       aes_asm_src     => "aes_core.c aes_cbc.c vpaes-x86_64.s aesni-x86_64.s aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s",
        md5_asm_src     => "md5-x86_64.s",
        sha1_asm_src    => "sha1-x86_64.s sha256-x86_64.s sha512-x86_64.s sha1-mb-x86_64.s sha256-mb-x86_64.s",
        rc4_asm_src     => "rc4-x86_64.s rc4-md5-x86_64.s",
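Review bot: on the x86_64 aes_asm_src line, bsaes-x86_64.s is removed together with aes-x86_64.s, whereas the x86 entry above only lost its single AES assembler file. If dropping the bit-sliced module is intentional, say so in a comment next to the entry; if it is not, it should be listed again after aes_cbc.c.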
diff -r 7e5ff3845400 -r e89dd15971af crypto/external/bsd/openssl/dist/Configurations/10-main.conf
--- a/crypto/external/bsd/openssl/dist/Configurations/10-main.conf      Wed Jan 22 23:41:29 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/Configurations/10-main.conf      Thu Jan 23 02:47:58 2020 +0000
@@ -1111,7 +1111,7 @@
         thread_scheme    => "pthreads",
         dso_scheme       => "dlfcn",
         shared_target    => "self",
-        module_ldflags   => "-Wl,-G,-bsymbolic,-bexpall",
+        module_ldflags   => "-Wl,-G,-bsymbolic,-bnoentry",
         shared_ldflag    => "-Wl,-G,-bsymbolic,-bnoentry",
         shared_defflag   => "-Wl,-bE:",
         shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)",
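Review bot: module_ldflags is now identical to shared_ldflag, so with -bexpall gone a module no longer exports every global symbol and depends on an export list being supplied (shared_defflag is "-Wl,-bE:"). Please confirm that modules are actually linked with such a list on this target, and consider defining one value and reusing it for both keys so the two cannot drift apart again.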
@@ -1397,6 +1397,10 @@
         shared_extension => ".dll",
         multilib         => "",
         apps_aux_src     => add("win32_init.c"),
+        # "WOW" stands for "Windows on Windows", and that word engages
+        # some installation path heuristics in unix-Makefile.tmpl...
+        build_scheme     => add("WOW", { separator => undef }),
+
     },
     "mingw64" => {
         # As for OPENSSL_USE_APPLINK. Applink makes it possible to use
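Review bot: the comment on build_scheme only says that "WOW" engages "some installation path heuristics", which does not tell a reader that unix-Makefile.tmpl compares the last element of build_scheme against this exact string. Please name that dependency in the comment, and drop the empty added line before the closing "},".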
diff -r 7e5ff3845400 -r e89dd15971af crypto/external/bsd/openssl/dist/Configurations/15-ios.conf
--- a/crypto/external/bsd/openssl/dist/Configurations/15-ios.conf       Wed Jan 22 23:41:29 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/Configurations/15-ios.conf       Thu Jan 23 02:47:58 2020 +0000
@@ -1,6 +1,6 @@
 #### iPhoneOS/iOS
 #
-# It takes recent enough XCode to use following two targets. It shouldn't
+# It takes recent enough Xcode to use following two targets. It shouldn't
 # be a problem by now, but if they don't work, original targets below
 # that depend on manual definition of environment variables should still
 # work...
diff -r 7e5ff3845400 -r e89dd15971af crypto/external/bsd/openssl/dist/Configurations/50-win-onecore.conf
--- a/crypto/external/bsd/openssl/dist/Configurations/50-win-onecore.conf       Wed Jan 22 23:41:29 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/Configurations/50-win-onecore.conf       Thu Jan 23 02:47:58 2020 +0000
@@ -1,6 +1,6 @@
 # Windows OneCore targets.
 #
-# OneCore is new API stability "contract" that transends Desktop, IoT and
+# OneCore is new API stability "contract" that transcends Desktop, IoT and
 # Mobile[?] Windows editions. It's a set up "umbrella" libraries that
 # export subset of Win32 API that are common to all Windows 10 devices.
 #
diff -r 7e5ff3845400 -r e89dd15971af crypto/external/bsd/openssl/dist/Configurations/common0.tmpl
--- a/crypto/external/bsd/openssl/dist/Configurations/common0.tmpl      Wed Jan 22 23:41:29 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/Configurations/common0.tmpl      Thu Jan 23 02:47:58 2020 +0000
@@ -22,7 +22,7 @@
  our @generated =
      sort ( ( grep { defined $unified_info{generate}->{$_} }
               sort keys %generatables ),
-            # Scripts are assumed to be generated, so add thhem too
+            # Scripts are assumed to be generated, so add them too
             ( grep { defined $unified_info{sources}->{$_} }
               @{$unified_info{scripts}} ) );
 
diff -r 7e5ff3845400 -r e89dd15971af crypto/external/bsd/openssl/dist/Configurations/unix-Makefile.tmpl
--- a/crypto/external/bsd/openssl/dist/Configurations/unix-Makefile.tmpl        Wed Jan 22 23:41:29 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/Configurations/unix-Makefile.tmpl        Thu Jan 23 02:47:58 2020 +0000
@@ -14,6 +14,26 @@
      our $dsoext = $target{dso_extension} || ".so";
      our $makedepprog = $disabled{makedepend} ? undef : $config{makedepprog};
 
+     # $mingw_installroot and $mingw_commonroot is relevant for mingw only.
+     my $build_scheme = $target{build_scheme};
+     my $install_flavour = $build_scheme->[$#$build_scheme]; # last element
+     my $mingw_installenv = $install_flavour eq "WOW" ? "ProgramFiles(x86)"
+                                                      : "ProgramW6432";
+     my $mingw_commonenv = $install_flavour eq "WOW" ? "CommonProgramFiles(x86)"
+                                                     : "CommonProgramW6432";
+     our $mingw_installroot =
+         defined($ENV{$mingw_installenv}) ? $mingw_installenv : 'ProgramFiles';
+     our $mingw_commonroot =
+         defined($ENV{$mingw_commonenv}) ? $mingw_commonenv : 'CommonProgramFiles';
+     my $mingw_installdflt =
+         $install_flavour eq "WOW" ? "C:/Program Files (x86)"
+                                   : "C:/Program Files";
+     my $mingw_commondflt = "$mingw_installdflt/Common Files";
+
+     # expand variables early
+     $mingw_installroot = $ENV{$mingw_installroot} // $mingw_installdflt;
+     $mingw_commonroot = $ENV{$mingw_commonroot} // $mingw_commondflt;
+
      sub windowsdll { $config{target} =~ /^(?:Cygwin|mingw)/ }
 
      # Shared AIX support is special. We put libcrypto[64].so.ver into
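Review bot: $install_flavour is taken as $build_scheme->[$#$build_scheme], so the WOW detection silently breaks as soon as any target appends another element after "WOW"; searching the list for "WOW" (grep { $_ eq "WOW" } @$build_scheme) would not depend on position. Also, $mingw_installroot and $mingw_commonroot first hold an environment variable name and are then overwritten with that variable's value under "expand variables early"; separate variables for the name and the path would make this easier to follow. Note that the default install prefix now comes from the configuring user's environment, and that the block runs for every target even though its comment says it is relevant for mingw only.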
@@ -132,6 +152,7 @@
 # Normally it is left empty.
 DESTDIR=
 
+{- output_off() if $config{target} =~ /^mingw/; "" -}
 # Do not edit these manually. Use Configure with --prefix or --openssldir
 # to change this!  Short explanation in the top comment in Configure
 INSTALLTOP={- # $prefix is used in the OPENSSLDIR perl snippet
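Review bot: the output_off() added here for mingw has its matching output_on() in a different hunk far below, and nothing marks where the suppressed region ends. A one-line comment such as "# non-mingw install paths start here" and a matching one at the end would make the pairing visible to anyone editing the variables in between.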
@@ -175,6 +196,83 @@
 # Convenience variable for those who want to set the rpath in shared
 # libraries and applications
 LIBRPATH=$(libdir)
+{- output_on() if $config{target} =~ /^mingw/;
+   output_off() if $config{target} !~ /^mingw/;
+   "" -}
+# Do not edit these manually. Use Configure with --prefix or --openssldir
+# to change this!  Short explanation in the top comment in Configure
+INSTALLTOP_dev={- # $prefix is used in the OPENSSLDIR perl snippet
+                  #
+                  use File::Spec::Win32;
+                  my $prefix_default = "$mingw_installroot/OpenSSL";
+                  our $prefix =
+                      File::Spec::Win32->canonpath($config{prefix}
+                                                  || $prefix_default);
+                  our ($prefix_dev, $prefix_dir, $prefix_file) =
+                      File::Spec::Win32->splitpath($prefix, 1);
+                  $prefix =~ s|\\|/|g;
+                  $prefix_dir =~ s|\\|/|g;
+                  $prefix_dev -}
+INSTALLTOP_dir={- my $x = File::Spec::Win32->canonpath($prefix_dir);
+                  $x =~ s|\\|/|g;
+                  $x -}
+OPENSSLDIR_dev={- #
+                  # The logic here is that if no --openssldir was given,
+                  # OPENSSLDIR will get the value "$mingw_commonroot/SSL".
+                  # If --openssldir was given and the value is an absolute
+                  # path, OPENSSLDIR will get its value without change.
+                  # If the value from --openssldir is a relative path,
+                  # OPENSSLDIR will get $prefix with the --openssldir
+                  # value appended as a subdirectory.
+                  #
+                  use File::Spec::Win32;
+                  our $openssldir =
+                      $config{openssldir} ?
+                          (File::Spec::Win32->file_name_is_absolute($config{openssldir}) ?
+                               File::Spec::Win32->canonpath($config{openssldir})
+                               : File::Spec::Win32->catdir($prefix, $config{openssldir}))
+                          : File::Spec::Win32->canonpath("$mingw_commonroot/SSL");
+                  our ($openssldir_dev, $openssldir_dir, $openssldir_file) =
+                      File::Spec::Win32->splitpath($openssldir, 1);
+                  $openssldir =~ s|\\|/|g;
+                  $openssldir_dir =~ s|\\|/|g;
+                  $openssldir_dev -}
+OPENSSLDIR_dir={- my $x = File::Spec::Win32->canonpath($openssldir_dir);
+                  $x =~ s|\\|/|g;
+                  $x -}
+LIBDIR={- our $libdir = $config{libdir} || "lib";
+          File::Spec::Win32->file_name_is_absolute($libdir) ? "" : $libdir -}
+ENGINESDIR_dev={- use File::Spec::Win32;
+                  our $enginesdir =
+                      File::Spec::Win32->catdir($prefix,$libdir,
+                                                "engines-$sover_dirname");
+                  our ($enginesdir_dev, $enginesdir_dir, $enginesdir_file) =
+                      File::Spec::Win32->splitpath($enginesdir, 1);
+                  $enginesdir =~ s|\\|/|g;
+                  $enginesdir_dir =~ s|\\|/|g;
+                  $enginesdir_dev -}
+ENGINESDIR_dir={- my $x = File::Spec::Win32->canonpath($enginesdir_dir);
+                  $x =~ s|\\|/|g;
+                  $x -}
+# In a Windows environment, $(DESTDIR) is harder to contatenate with other
+# directory variables, because both may contain devices.  What we do here is
+# to adapt INSTALLTOP, OPENSSLDIR and ENGINESDIR depending on if $(DESTDIR)
+# has a value or not, to ensure that concatenation will always work further
+# down.
+ifneq "$(DESTDIR)" ""
+INSTALLTOP=$(INSTALLTOP_dir)
+OPENSSLDIR=$(OPENSSLDIR_dir)
+ENGINESDIR=$(ENGINESDIR_dir)
+else
+INSTALLTOP=$(INSTALLTOP_dev)$(INSTALLTOP_dir)
+OPENSSLDIR=$(OPENSSLDIR_dev)$(OPENSSLDIR_dir)
+ENGINESDIR=$(ENGINESDIR_dev)$(ENGINESDIR_dir)
+endif
+
+# $(libdir) is chosen to be compatible with the GNU coding standards
+libdir={- File::Spec::Win32->file_name_is_absolute($libdir)
+          ? $libdir : '$(INSTALLTOP)/$(LIBDIR)' -}
+{- output_on() if $config{target} !~ /^mingw/; "" -}
 
 MANDIR=$(INSTALLTOP)/share/man
 DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
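Review bot: ENGINESDIR_dev builds its path with catdir($prefix,$libdir,"engines-$sover_dirname") unconditionally, while the LIBDIR and libdir lines in the same block both special-case an absolute $libdir; with an absolute --libdir the engines directory ends up as the prefix with a full path appended. Please branch on file_name_is_absolute($libdir) there as well. When DESTDIR is set, the *_dev parts are dropped, so DESTDIR itself has to carry the drive, which deserves a sentence in the comment. That comment also has a typo ("contatenate"), and "ifneq" ties this section to GNU make.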
@@ -418,13 +516,13 @@
 clean: libclean
        $(RM) $(PROGRAMS) $(TESTPROGS) $(ENGINES) $(SCRIPTS)
        $(RM) $(GENERATED_MANDATORY) $(GENERATED)
-       -$(RM) `find . -name .git -prune -o -name '*{- $depext -}' -print`
-       -$(RM) `find . -name .git -prune -o -name '*{- $objext -}' -print`
+       -$(RM) `find . -name '*{- $depext -}' \! -name '.*' -print`
+       -$(RM) `find . -name '*{- $objext -}' \! -name '.*' -print`
        $(RM) core
        $(RM) tags TAGS doc-nits
        $(RM) -r test/test-runs
        $(RM) openssl.pc libcrypto.pc libssl.pc
-       -$(RM) `find . -name .git -prune -o -type l -print`
+       -$(RM) `find . -type l \! -name '.*' -print`
        $(RM) $(TARFILE)
 
 distclean: clean
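Review bot: in the clean target, replacing "-name .git -prune" with "\! -name '.*'" changes what is protected: the new test only skips entries whose own name starts with a dot, and find still descends into .git and any other dot directory. A dependency file, object file or symlink inside such a directory now matches and is removed. If the goal is to stop special-casing .git, prune all dot directories instead, for example: find . -name '.?*' -prune -o -type l -print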
@@ -449,7 +547,7 @@
 install_docs: install_man_docs install_html_docs
 
 uninstall_docs: uninstall_man_docs uninstall_html_docs
-       $(RM) -r -v $(DESTDIR)$(DOCDIR)
+       $(RM) -r $(DESTDIR)$(DOCDIR)
 
 install_ssldirs:
        @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/certs
diff -r 7e5ff3845400 -r e89dd15971af crypto/external/bsd/openssl/dist/INSTALL
--- a/crypto/external/bsd/openssl/dist/INSTALL  Wed Jan 22 23:41:29 2020 +0000
+++ b/crypto/external/bsd/openssl/dist/INSTALL  Thu Jan 23 02:47:58 2020 +0000
@@ -98,6 +98,9 @@
     $ nmake test
     $ nmake install
 
+ Note that in order to perform the install step above you need to have
+ appropriate permissions to write to the installation directory.
+
  If any of these steps fails, see section Installation in Detail below.
 
  This will build and install OpenSSL in the default location, which is:
@@ -107,6 +110,12 @@
            OpenSSL version number with underscores instead of periods.
   Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL
 
+ The installation directory should be appropriately protected to ensure
+ unprivileged users cannot make changes to OpenSSL binaries or files, or install
+ engines. If you already have a pre-installed version of OpenSSL as part of
+ your Operating System it is recommended that you do not overwrite the system
+ version and instead install to somewhere else.
+
  If you want to install it anywhere else, run config like this:
 
   On Unix:
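Review bot: "appropriately protected" in the added paragraph leaves the reader to guess what is required. Since the stated concern is unprivileged users changing binaries or installing engines, say it directly: the installation directory and its engines subdirectory should be writable only by an administrative account. The same paragraph is added again in the @@ -965,6 +980,12 @@ hunk, so consider keeping one copy and referring to it from the other place.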
@@ -135,7 +144,10 @@
                    Don't build with support for deprecated APIs below the
                    specified version number. For example "--api=1.1.0" will
                    remove support for all APIS that were deprecated in OpenSSL
-                   version 1.1.0 or below.
+                   version 1.1.0 or below. This is a rather specialized option
+                   for developers. If you just intend to remove all deprecated
+                   APIs entirely (up to the current version), it is easier
+                   to add the 'no-deprecated' option instead (see below).
 
   --cross-compile-prefix=PREFIX
                    The PREFIX to include in front of commands for your
@@ -229,7 +241,7 @@
                                source exists.
                    getrandom:  Use the L<getrandom(2)> or equivalent system
                                call.
-                   devrandom:  Use the the first device from the DEVRANDOM list
+                   devrandom:  Use the first device from the DEVRANDOM list
                                which can be opened to read random bytes. The
                                DEVRANDOM preprocessor constant expands to
                                "/dev/urandom","/dev/random","/dev/srandom" on
@@ -908,8 +920,11 @@
        $ mms install                                    ! OpenVMS
        $ nmake install                                  # Windows
 
-     This will install all the software components in this directory
-     tree under PREFIX (the directory given with --prefix or its
+     Note that in order to perform the install step above you need to have
+     appropriate permissions to write to the installation directory.
+
+     The above commands will install all the software components in this
+     directory tree under PREFIX (the directory given with --prefix or its
      default):
 
        Unix:
@@ -965,6 +980,12 @@
                         for private key files.
          misc           Various scripts.
 
+     The installation directory should be appropriately protected to ensure
+     unprivileged users cannot make changes to OpenSSL binaries or files, or
+     install engines. If you already have a pre-installed version of OpenSSL as
+     part of your Operating System it is recommended that you do not overwrite
+     the system version and instead install to somewhere else.
+
      Package builders who want to configure the library for standard
      locations, but have the package installed somewhere else so that
      it can easily be packaged, can use



