Skip to content

Commit

Permalink
deps: upgrade openssl sources to 1.0.2m
Browse files Browse the repository at this point in the history
This replaces all sources of openssl-1.0.2m.tar.gz into
deps/openssl/openssl

PR-URL: #16691
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Myles Borins <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Rod Vagg <[email protected]>
Reviewed-By: Gireesh Punathil <[email protected]>
Reviewed-By: James M Snell <[email protected]>
  • Loading branch information
shigeki authored and MylesBorins committed Nov 3, 2017
1 parent fbde292 commit b130feb
Show file tree
Hide file tree
Showing 218 changed files with 1,846 additions and 38,827 deletions.
38 changes: 38 additions & 0 deletions deps/openssl/openssl/CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,44 @@
OpenSSL CHANGES
_______________

This is a high-level summary of the most important changes.
For a full list of changes, see the git commit log; for example,
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.

Changes between 1.0.2l and 1.0.2m [2 Nov 2017]

*) bn_sqrx8x_internal carry bug on x86_64

There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary to
deduce information about a private key may be performed offline. The amount
of resources required for such an attack would be very significant and
likely only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients.

This only affects processors that support the BMI1, BMI2 and ADX extensions
like Intel Broadwell (5th generation) and later or AMD Ryzen.

This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3736)
[Andy Polyakov]

*) Malformed X.509 IPAddressFamily could cause OOB read

If an X.509 certificate has a malformed IPAddressFamily extension,
OpenSSL could do a one-byte buffer overread. The most likely result
would be an erroneous display of the certificate in text format.

This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3735)
[Rich Salz]

Changes between 1.0.2k and 1.0.2l [25 May 2017]

*) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
Expand Down
6 changes: 2 additions & 4 deletions deps/openssl/openssl/INSTALL
Original file line number Diff line number Diff line change
Expand Up @@ -190,10 +190,8 @@
the failure that isn't a problem in OpenSSL itself (like a missing
or malfunctioning bc). If it is a problem with OpenSSL itself,
try removing any compiler optimization flags from the CFLAG line
in Makefile.ssl and run "make clean; make". Please send a bug
report to <[email protected]>, including the output of
"make report" in order to be added to the request tracker at
http://www.openssl.org/support/rt.html.
in Makefile.ssl and run "make clean; make". To report a bug please open an
issue on GitHub, at https://github.com/openssl/openssl/issues.

4. If everything tests ok, install OpenSSL with

Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
## Makefile for OpenSSL
##

VERSION=1.0.2l
VERSION=1.0.2m
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/Makefile.bak
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
## Makefile for OpenSSL
##

VERSION=1.0.2l
VERSION=1.0.2m
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
Expand Down
5 changes: 5 additions & 0 deletions deps/openssl/openssl/NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 1.0.2l and OpenSSL 1.0.2m [2 Nov 2017]

o bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
o Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)

Major changes between OpenSSL 1.0.2k and OpenSSL 1.0.2l [25 May 2017]

o config now recognises 64-bit mingw and chooses mingw64 instead of mingw
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/README
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@

OpenSSL 1.0.2l 25 May 2017
OpenSSL 1.0.2m 2 Nov 2017

Copyright (c) 1998-2015 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Expand Down
11 changes: 1 addition & 10 deletions deps/openssl/openssl/apps/app_rand.c
Original file line number Diff line number Diff line change
Expand Up @@ -124,16 +124,7 @@ int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
char buffer[200];

#ifdef OPENSSL_SYS_WINDOWS
/*
* allocate 2 to dont_warn not to use RAND_screen() via
* -no_rand_screen option in s_client
*/
if (dont_warn != 2) {
BIO_printf(bio_e, "Loading 'screen' into random state -");
BIO_flush(bio_e);
RAND_screen();
BIO_printf(bio_e, " done\n");
}
RAND_screen();
#endif

if (file == NULL)
Expand Down
13 changes: 9 additions & 4 deletions deps/openssl/openssl/apps/ca.c
Original file line number Diff line number Diff line change
Expand Up @@ -1985,10 +1985,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
/* Lets add the extensions, if there are any */
if (ext_sect) {
X509V3_CTX ctx;
if (ci->version == NULL)
if ((ci->version = ASN1_INTEGER_new()) == NULL)
goto err;
ASN1_INTEGER_set(ci->version, 2); /* version 3 certificate */

/*
* Free the current entries if any, there should not be any I believe
Expand Down Expand Up @@ -2051,6 +2047,15 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
goto err;
}

{
STACK_OF(X509_EXTENSION) *exts = ci->extensions;

if (exts != NULL && sk_X509_EXTENSION_num(exts) > 0)
/* Make it an X509 v3 certificate. */
if (!X509_set_version(ret, 2))
goto err;
}

/* Set the right value for the noemailDN option */
if (email_dn == 0) {
if (!X509_set_subject_name(ret, dn_subject))
Expand Down
33 changes: 10 additions & 23 deletions deps/openssl/openssl/apps/s_client.c
Original file line number Diff line number Diff line change
Expand Up @@ -180,13 +180,6 @@ typedef unsigned int u_int;
# include <fcntl.h>
#endif

/* Use Windows API with STD_INPUT_HANDLE when checking for input?
Don't look at OPENSSL_SYS_MSDOS for this, since it is always defined if
OPENSSL_SYS_WINDOWS is defined */
#if defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WINCE) && defined(STD_INPUT_HANDLE)
#define OPENSSL_USE_STD_INPUT_HANDLE
#endif

#undef PROG
#define PROG s_client_main

Expand Down Expand Up @@ -236,7 +229,6 @@ static BIO *bio_c_msg = NULL;
static int c_quiet = 0;
static int c_ign_eof = 0;
static int c_brief = 0;
static int c_no_rand_screen = 0;

#ifndef OPENSSL_NO_PSK
/* Default PSK identity and key */
Expand Down Expand Up @@ -452,10 +444,6 @@ static void sc_usage(void)
" -keymatexport label - Export keying material using label\n");
BIO_printf(bio_err,
" -keymatexportlen len - Export len bytes of keying material (default 20)\n");
#ifdef OPENSSL_SYS_WINDOWS
BIO_printf(bio_err,
" -no_rand_screen - Do not use RAND_screen() to initialize random state\n");
#endif
}

#ifndef OPENSSL_NO_TLSEXT
Expand Down Expand Up @@ -1148,10 +1136,6 @@ int MAIN(int argc, char **argv)
keymatexportlen = atoi(*(++argv));
if (keymatexportlen == 0)
goto bad;
#ifdef OPENSSL_SYS_WINDOWS
} else if (strcmp(*argv, "-no_rand_screen") == 0) {
c_no_rand_screen = 1;
#endif
} else {
BIO_printf(bio_err, "unknown option %s\n", *argv);
badop = 1;
Expand Down Expand Up @@ -1268,7 +1252,7 @@ int MAIN(int argc, char **argv)
if (!load_excert(&exc, bio_err))
goto end;

if (!app_RAND_load_file(NULL, bio_err, ++c_no_rand_screen) && inrand == NULL
if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
&& !RAND_status()) {
BIO_printf(bio_err,
"warning, not much extra random data, consider using the -rand option\n");
Expand Down Expand Up @@ -1683,6 +1667,8 @@ int MAIN(int argc, char **argv)
if (strstr(mbuf, "/stream:features>"))
goto shut;
seen = BIO_read(sbio, mbuf, BUFSIZZ);
if (seen <= 0)
goto shut;
mbuf[seen] = 0;
}
BIO_printf(sbio,
Expand Down Expand Up @@ -1806,16 +1792,17 @@ int MAIN(int argc, char **argv)
tv.tv_usec = 0;
i = select(width, (void *)&readfds, (void *)&writefds,
NULL, &tv);
#if defined(OPENSSL_USE_STD_INPUT_HANDLE)
# if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
if (!i && (!_kbhit() || !read_tty))
continue;
# else
if (!i && (!((_kbhit())
|| (WAIT_OBJECT_0 ==
WaitForSingleObject(GetStdHandle
(STD_INPUT_HANDLE),
0)))
|| !read_tty))
continue;
#else
if(!i && (!_kbhit() || !read_tty) ) continue;
# endif
} else
i = select(width, (void *)&readfds, (void *)&writefds,
Expand Down Expand Up @@ -2017,12 +2004,12 @@ int MAIN(int argc, char **argv)
}
}
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
#if defined(OPENSSL_USE_STD_INPUT_HANDLE)
# if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
else if (_kbhit())
# else
else if ((_kbhit())
|| (WAIT_OBJECT_0 ==
WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
#else
else if (_kbhit())
# endif
#elif defined (OPENSSL_SYS_NETWARE)
else if (_kbhit())
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/apps/s_server.c
Original file line number Diff line number Diff line change
Expand Up @@ -3017,7 +3017,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
PEM_write_bio_X509(io, peer);
} else
BIO_puts(io, "no client certificate available\n");
BIO_puts(io, "</BODY></HTML>\r\n\r\n");
BIO_puts(io, "</pre></BODY></HTML>\r\n\r\n");
break;
} else if ((www == 2 || www == 3)
&& (strncmp("GET /", buf, 5) == 0)) {
Expand Down
4 changes: 3 additions & 1 deletion deps/openssl/openssl/apps/speed.c
Original file line number Diff line number Diff line change
Expand Up @@ -307,7 +307,8 @@ static SIGRETTYPE sig_done(int sig)
# if !defined(SIGALRM)
# define SIGALRM
# endif
static unsigned int lapse, schlock;
static volatile unsigned int lapse;
static volatile unsigned int schlock;
static void alarm_win32(unsigned int secs)
{
lapse = secs * 1000;
Expand Down Expand Up @@ -725,6 +726,7 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "no EVP given\n");
goto end;
}
evp_md = NULL;
evp_cipher = EVP_get_cipherbyname(*argv);
if (!evp_cipher) {
evp_md = EVP_get_digestbyname(*argv);
Expand Down
19 changes: 11 additions & 8 deletions deps/openssl/openssl/apps/spkac.c
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@
* 1999. Based on an original idea by Massimiliano Pala ([email protected]).
*/
/* ====================================================================
* Copyright (c) 1999 The OpenSSL Project. All rights reserved.
* Copyright (c) 1999-2017 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
Expand Down Expand Up @@ -185,20 +185,23 @@ int MAIN(int argc, char **argv)
}
e = setup_engine(bio_err, engine, 0);

if (keyfile) {
if (keyfile != NULL) {
pkey = load_key(bio_err,
strcmp(keyfile, "-") ? keyfile : NULL,
FORMAT_PEM, 1, passin, e, "private key");
if (!pkey) {
if (pkey == NULL)
goto end;
}
spki = NETSCAPE_SPKI_new();
if (challenge)
if (spki == NULL)
goto end;
if (challenge != NULL)
ASN1_STRING_set(spki->spkac->challenge,
challenge, (int)strlen(challenge));
NETSCAPE_SPKI_set_pubkey(spki, pkey);
NETSCAPE_SPKI_sign(spki, pkey, EVP_md5());
spkstr = NETSCAPE_SPKI_b64_encode(spki);
if (spkstr == NULL)
goto end;

if (outfile)
out = BIO_new_file(outfile, "w");
Expand Down Expand Up @@ -253,7 +256,7 @@ int MAIN(int argc, char **argv)

spki = NETSCAPE_SPKI_b64_decode(spkstr, -1);

if (!spki) {
if (spki == NULL) {
BIO_printf(bio_err, "Error loading SPKAC\n");
ERR_print_errors(bio_err);
goto end;
Expand Down Expand Up @@ -282,9 +285,9 @@ int MAIN(int argc, char **argv)
pkey = NETSCAPE_SPKI_get_pubkey(spki);
if (verify) {
i = NETSCAPE_SPKI_verify(spki, pkey);
if (i > 0)
if (i > 0) {
BIO_printf(bio_err, "Signature OK\n");
else {
} else {
BIO_printf(bio_err, "Signature Failure\n");
ERR_print_errors(bio_err);
goto end;
Expand Down
Loading

0 comments on commit b130feb

Please sign in to comment.