Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit 1766cfc

Browse filesBrowse files
sam-githubBridgeAR
sam-github
authored and
BridgeAR
committed
deps: upgrade openssl sources to 1.1.1d
This updates all sources in deps/openssl/openssl by: $ cd deps/openssl/ $ rm -rf openssl $ tar zxf ~/tmp/openssl-1.1.0h.tar.gz $ mv openssl-1.1.0h openssl $ git add --all openssl $ git commit openssl PR-URL: #29550 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net>
1 parent 0b46bca commit 1766cfc
Copy full SHA for 1766cfc

File tree

Expand file treeCollapse file tree

323 files changed

+5179
-10941
lines changed
Open diff view settings
Filter options

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Dismiss banner
Expand file treeCollapse file tree

323 files changed

+5179
-10941
lines changed
Open diff view settings
Collapse file

‎deps/openssl/openssl/CHANGES‎

Copy file name to clipboardExpand all lines: deps/openssl/openssl/CHANGES
+108-3Lines changed: 108 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,101 @@
77
https://github.com/openssl/openssl/commits/ and pick the appropriate
88
release branch.
99

10+
Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
11+
12+
*) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
13+
number generator (RNG). This was intended to include protection in the
14+
event of a fork() system call in order to ensure that the parent and child
15+
processes did not share the same RNG state. However this protection was not
16+
being used in the default case.
17+
18+
A partial mitigation for this issue is that the output from a high
19+
precision timer is mixed into the RNG state so the likelihood of a parent
20+
and child process sharing state is significantly reduced.
21+
22+
If an application already calls OPENSSL_init_crypto() explicitly using
23+
OPENSSL_INIT_ATFORK then this problem does not occur at all.
24+
(CVE-2019-1549)
25+
[Matthias St. Pierre]
26+
27+
*) For built-in EC curves, ensure an EC_GROUP built from the curve name is
28+
used even when parsing explicit parameters, when loading a serialized key
29+
or calling `EC_GROUP_new_from_ecpkparameters()`/
30+
`EC_GROUP_new_from_ecparameters()`.
31+
This prevents bypass of security hardening and performance gains,
32+
especially for curves with specialized EC_METHODs.
33+
By default, if a key encoded with explicit parameters is loaded and later
34+
serialized, the output is still encoded with explicit parameters, even if
35+
internally a "named" EC_GROUP is used for computation.
36+
[Nicola Tuveri]
37+
38+
*) Compute ECC cofactors if not provided during EC_GROUP construction. Before
39+
this change, EC_GROUP_set_generator would accept order and/or cofactor as
40+
NULL. After this change, only the cofactor parameter can be NULL. It also
41+
does some minimal sanity checks on the passed order.
42+
(CVE-2019-1547)
43+
[Billy Bob Brumley]
44+
45+
*) Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
46+
An attack is simple, if the first CMS_recipientInfo is valid but the
47+
second CMS_recipientInfo is chosen ciphertext. If the second
48+
recipientInfo decodes to PKCS #1 v1.5 form plaintext, the correct
49+
encryption key will be replaced by garbage, and the message cannot be
50+
decoded, but if the RSA decryption fails, the correct encryption key is
51+
used and the recipient will not notice the attack.
52+
As a work around for this potential attack the length of the decrypted
53+
key must be equal to the cipher default key length, in case the
54+
certifiate is not given and all recipientInfo are tried out.
55+
The old behaviour can be re-enabled in the CMS code by setting the
56+
CMS_DEBUG_DECRYPT flag.
57+
(CVE-2019-1563)
58+
[Bernd Edlinger]
59+
60+
*) Early start up entropy quality from the DEVRANDOM seed source has been
61+
improved for older Linux systems. The RAND subsystem will wait for
62+
/dev/random to be producing output before seeding from /dev/urandom.
63+
The seeded state is stored for future library initialisations using
64+
a system global shared memory segment. The shared memory identifier
65+
can be configured by defining OPENSSL_RAND_SEED_DEVRANDOM_SHM_ID to
66+
the desired value. The default identifier is 114.
67+
[Paul Dale]
68+
69+
*) Correct the extended master secret constant on EBCDIC systems. Without this
70+
fix TLS connections between an EBCDIC system and a non-EBCDIC system that
71+
negotiate EMS will fail. Unfortunately this also means that TLS connections
72+
between EBCDIC systems with this fix, and EBCDIC systems without this
73+
fix will fail if they negotiate EMS.
74+
[Matt Caswell]
75+
76+
*) Use Windows installation paths in the mingw builds
77+
78+
Mingw isn't a POSIX environment per se, which means that Windows
79+
paths should be used for installation.
80+
(CVE-2019-1552)
81+
[Richard Levitte]
82+
83+
*) Changed DH_check to accept parameters with order q and 2q subgroups.
84+
With order 2q subgroups the bit 0 of the private key is not secret
85+
but DH_generate_key works around that by clearing bit 0 of the
86+
private key for those. This avoids leaking bit 0 of the private key.
87+
[Bernd Edlinger]
88+
89+
*) Significantly reduce secure memory usage by the randomness pools.
90+
[Paul Dale]
91+
92+
*) Revert the DEVRANDOM_WAIT feature for Linux systems
93+
94+
The DEVRANDOM_WAIT feature added a select() call to wait for the
95+
/dev/random device to become readable before reading from the
96+
/dev/urandom device.
97+
98+
It turned out that this change had negative side effects on
99+
performance which were not acceptable. After some discussion it
100+
was decided to revert this feature and leave it up to the OS
101+
resp. the platform maintainer to ensure a proper initialization
102+
during early boot time.
103+
[Matthias St. Pierre]
104+
10105
Changes between 1.1.1b and 1.1.1c [28 May 2019]
11106

12107
*) Add build tests for C++. These are generated files that only do one
@@ -75,6 +170,16 @@
75170
(CVE-2019-1543)
76171
[Matt Caswell]
77172

173+
*) Add DEVRANDOM_WAIT feature for Linux systems
174+
175+
On older Linux systems where the getrandom() system call is not available,
176+
OpenSSL normally uses the /dev/urandom device for seeding its CSPRNG.
177+
Contrary to getrandom(), the /dev/urandom device will not block during
178+
early boot when the kernel CSPRNG has not been seeded yet.
179+
180+
To mitigate this known weakness, use select() to wait for /dev/random to
181+
become readable before reading from /dev/urandom.
182+
78183
*) Ensure that SM2 only uses SM3 as digest algorithm
79184
[Paul Yang]
80185

@@ -322,7 +427,7 @@
322427
SSL_set_ciphersuites()
323428
[Matt Caswell]
324429

325-
*) Memory allocation failures consistenly add an error to the error
430+
*) Memory allocation failures consistently add an error to the error
326431
stack.
327432
[Rich Salz]
328433

@@ -6860,7 +6965,7 @@
68606965
reason texts, thereby removing some of the footprint that may not
68616966
be interesting if those errors aren't displayed anyway.
68626967

6863-
NOTE: it's still possible for any application or module to have it's
6968+
NOTE: it's still possible for any application or module to have its
68646969
own set of error texts inserted. The routines are there, just not
68656970
used by default when no-err is given.
68666971
[Richard Levitte]
@@ -8826,7 +8931,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
88268931
Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
88278932

88288933
*) New function OPENSSL_cleanse(), which is used to cleanse a section of
8829-
memory from it's contents. This is done with a counter that will
8934+
memory from its contents. This is done with a counter that will
88308935
place alternating values in each byte. This can be used to solve
88318936
two issues: 1) the removal of calls to memset() by highly optimizing
88328937
compilers, and 2) cleansing with other values than 0, since those can
Collapse file

‎deps/openssl/openssl/Configurations/00-base-templates.conf‎

Copy file name to clipboardExpand all lines: deps/openssl/openssl/Configurations/00-base-templates.conf
+2-2Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -198,7 +198,7 @@ my %targets=(
198198
bn_asm_src => "bn-586.s co-586.s x86-mont.s x86-gf2m.s",
199199
ec_asm_src => "ecp_nistz256.c ecp_nistz256-x86.s",
200200
des_asm_src => "des-586.s crypt586.s",
201-
aes_asm_src => "aes-586.s vpaes-x86.s aesni-x86.s",
201+
aes_asm_src => "aes_core.c aes_cbc.c vpaes-x86.s aesni-x86.s",
202202
bf_asm_src => "bf-586.s",
203203
md5_asm_src => "md5-586.s",
204204
cast_asm_src => "cast-586.s",
@@ -223,7 +223,7 @@ my %targets=(
223223
cpuid_asm_src => "x86_64cpuid.s",
224224
bn_asm_src => "asm/x86_64-gcc.c x86_64-mont.s x86_64-mont5.s x86_64-gf2m.s rsaz_exp.c rsaz-x86_64.s rsaz-avx2.s",
225225
ec_asm_src => "ecp_nistz256.c ecp_nistz256-x86_64.s x25519-x86_64.s",
226-
aes_asm_src => "aes-x86_64.s vpaes-x86_64.s bsaes-x86_64.s aesni-x86_64.s aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s",
226+
aes_asm_src => "aes_core.c aes_cbc.c vpaes-x86_64.s aesni-x86_64.s aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s",
227227
md5_asm_src => "md5-x86_64.s",
228228
sha1_asm_src => "sha1-x86_64.s sha256-x86_64.s sha512-x86_64.s sha1-mb-x86_64.s sha256-mb-x86_64.s",
229229
rc4_asm_src => "rc4-x86_64.s rc4-md5-x86_64.s",
Collapse file

‎deps/openssl/openssl/Configurations/10-main.conf‎

Copy file name to clipboardExpand all lines: deps/openssl/openssl/Configurations/10-main.conf
+5-1Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1111,7 +1111,7 @@ my %targets = (
11111111
thread_scheme => "pthreads",
11121112
dso_scheme => "dlfcn",
11131113
shared_target => "self",
1114-
module_ldflags => "-Wl,-G,-bsymbolic,-bexpall",
1114+
module_ldflags => "-Wl,-G,-bsymbolic,-bnoentry",
11151115
shared_ldflag => "-Wl,-G,-bsymbolic,-bnoentry",
11161116
shared_defflag => "-Wl,-bE:",
11171117
shared_extension => ".so.\$(SHLIB_VERSION_NUMBER)",
@@ -1397,6 +1397,10 @@ my %targets = (
13971397
shared_extension => ".dll",
13981398
multilib => "",
13991399
apps_aux_src => add("win32_init.c"),
1400+
# "WOW" stands for "Windows on Windows", and that word engages
1401+
# some installation path heuristics in unix-Makefile.tmpl...
1402+
build_scheme => add("WOW", { separator => undef }),
1403+
14001404
},
14011405
"mingw64" => {
14021406
# As for OPENSSL_USE_APPLINK. Applink makes it possible to use
Collapse file

‎deps/openssl/openssl/Configurations/15-ios.conf‎

Copy file name to clipboardExpand all lines: deps/openssl/openssl/Configurations/15-ios.conf
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
#### iPhoneOS/iOS
22
#
3-
# It takes recent enough XCode to use following two targets. It shouldn't
3+
# It takes recent enough Xcode to use following two targets. It shouldn't
44
# be a problem by now, but if they don't work, original targets below
55
# that depend on manual definition of environment variables should still
66
# work...
Collapse file

‎deps/openssl/openssl/Configurations/50-win-onecore.conf‎

Copy file name to clipboardExpand all lines: deps/openssl/openssl/Configurations/50-win-onecore.conf
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
# Windows OneCore targets.
22
#
3-
# OneCore is new API stability "contract" that transends Desktop, IoT and
3+
# OneCore is new API stability "contract" that transcends Desktop, IoT and
44
# Mobile[?] Windows editions. It's a set up "umbrella" libraries that
55
# export subset of Win32 API that are common to all Windows 10 devices.
66
#
Collapse file

‎deps/openssl/openssl/Configurations/common0.tmpl‎

Copy file name to clipboardExpand all lines: deps/openssl/openssl/Configurations/common0.tmpl
+1-1Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@
2222
our @generated =
2323
sort ( ( grep { defined $unified_info{generate}->{$_} }
2424
sort keys %generatables ),
25-
# Scripts are assumed to be generated, so add thhem too
25+
# Scripts are assumed to be generated, so add them too
2626
( grep { defined $unified_info{sources}->{$_} }
2727
@{$unified_info{scripts}} ) );
2828

Collapse file

‎deps/openssl/openssl/Configurations/unix-Makefile.tmpl‎

Copy file name to clipboardExpand all lines: deps/openssl/openssl/Configurations/unix-Makefile.tmpl
+102-4Lines changed: 102 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,26 @@
1414
our $dsoext = $target{dso_extension} || ".so";
1515
our $makedepprog = $disabled{makedepend} ? undef : $config{makedepprog};
1616

17+
# $mingw_installroot and $mingw_commonroot is relevant for mingw only.
18+
my $build_scheme = $target{build_scheme};
19+
my $install_flavour = $build_scheme->[$#$build_scheme]; # last element
20+
my $mingw_installenv = $install_flavour eq "WOW" ? "ProgramFiles(x86)"
21+
: "ProgramW6432";
22+
my $mingw_commonenv = $install_flavour eq "WOW" ? "CommonProgramFiles(x86)"
23+
: "CommonProgramW6432";
24+
our $mingw_installroot =
25+
defined($ENV{$mingw_installenv}) ? $mingw_installenv : 'ProgramFiles';
26+
our $mingw_commonroot =
27+
defined($ENV{$mingw_commonenv}) ? $mingw_commonenv : 'CommonProgramFiles';
28+
my $mingw_installdflt =
29+
$install_flavour eq "WOW" ? "C:/Program Files (x86)"
30+
: "C:/Program Files";
31+
my $mingw_commondflt = "$mingw_installdflt/Common Files";
32+
33+
# expand variables early
34+
$mingw_installroot = $ENV{$mingw_installroot} // $mingw_installdflt;
35+
$mingw_commonroot = $ENV{$mingw_commonroot} // $mingw_commondflt;
36+
1737
sub windowsdll { $config{target} =~ /^(?:Cygwin|mingw)/ }
1838

1939
# Shared AIX support is special. We put libcrypto[64].so.ver into
@@ -132,6 +152,7 @@ APPS_OPENSSL={- use File::Spec::Functions;
132152
# Normally it is left empty.
133153
DESTDIR=
134154

155+
{- output_off() if $config{target} =~ /^mingw/; "" -}
135156
# Do not edit these manually. Use Configure with --prefix or --openssldir
136157
# to change this! Short explanation in the top comment in Configure
137158
INSTALLTOP={- # $prefix is used in the OPENSSLDIR perl snippet
@@ -175,6 +196,83 @@ ENGINESDIR=$(libdir)/engines-{- $sover_dirname -}
175196
# Convenience variable for those who want to set the rpath in shared
176197
# libraries and applications
177198
LIBRPATH=$(libdir)
199+
{- output_on() if $config{target} =~ /^mingw/;
200+
output_off() if $config{target} !~ /^mingw/;
201+
"" -}
202+
# Do not edit these manually. Use Configure with --prefix or --openssldir
203+
# to change this! Short explanation in the top comment in Configure
204+
INSTALLTOP_dev={- # $prefix is used in the OPENSSLDIR perl snippet
205+
#
206+
use File::Spec::Win32;
207+
my $prefix_default = "$mingw_installroot/OpenSSL";
208+
our $prefix =
209+
File::Spec::Win32->canonpath($config{prefix}
210+
|| $prefix_default);
211+
our ($prefix_dev, $prefix_dir, $prefix_file) =
212+
File::Spec::Win32->splitpath($prefix, 1);
213+
$prefix =~ s|\\|/|g;
214+
$prefix_dir =~ s|\\|/|g;
215+
$prefix_dev -}
216+
INSTALLTOP_dir={- my $x = File::Spec::Win32->canonpath($prefix_dir);
217+
$x =~ s|\\|/|g;
218+
$x -}
219+
OPENSSLDIR_dev={- #
220+
# The logic here is that if no --openssldir was given,
221+
# OPENSSLDIR will get the value "$mingw_commonroot/SSL".
222+
# If --openssldir was given and the value is an absolute
223+
# path, OPENSSLDIR will get its value without change.
224+
# If the value from --openssldir is a relative path,
225+
# OPENSSLDIR will get $prefix with the --openssldir
226+
# value appended as a subdirectory.
227+
#
228+
use File::Spec::Win32;
229+
our $openssldir =
230+
$config{openssldir} ?
231+
(File::Spec::Win32->file_name_is_absolute($config{openssldir}) ?
232+
File::Spec::Win32->canonpath($config{openssldir})
233+
: File::Spec::Win32->catdir($prefix, $config{openssldir}))
234+
: File::Spec::Win32->canonpath("$mingw_commonroot/SSL");
235+
our ($openssldir_dev, $openssldir_dir, $openssldir_file) =
236+
File::Spec::Win32->splitpath($openssldir, 1);
237+
$openssldir =~ s|\\|/|g;
238+
$openssldir_dir =~ s|\\|/|g;
239+
$openssldir_dev -}
240+
OPENSSLDIR_dir={- my $x = File::Spec::Win32->canonpath($openssldir_dir);
241+
$x =~ s|\\|/|g;
242+
$x -}
243+
LIBDIR={- our $libdir = $config{libdir} || "lib";
244+
File::Spec::Win32->file_name_is_absolute($libdir) ? "" : $libdir -}
245+
ENGINESDIR_dev={- use File::Spec::Win32;
246+
our $enginesdir =
247+
File::Spec::Win32->catdir($prefix,$libdir,
248+
"engines-$sover_dirname");
249+
our ($enginesdir_dev, $enginesdir_dir, $enginesdir_file) =
250+
File::Spec::Win32->splitpath($enginesdir, 1);
251+
$enginesdir =~ s|\\|/|g;
252+
$enginesdir_dir =~ s|\\|/|g;
253+
$enginesdir_dev -}
254+
ENGINESDIR_dir={- my $x = File::Spec::Win32->canonpath($enginesdir_dir);
255+
$x =~ s|\\|/|g;
256+
$x -}
257+
# In a Windows environment, $(DESTDIR) is harder to contatenate with other
258+
# directory variables, because both may contain devices. What we do here is
259+
# to adapt INSTALLTOP, OPENSSLDIR and ENGINESDIR depending on if $(DESTDIR)
260+
# has a value or not, to ensure that concatenation will always work further
261+
# down.
262+
ifneq "$(DESTDIR)" ""
263+
INSTALLTOP=$(INSTALLTOP_dir)
264+
OPENSSLDIR=$(OPENSSLDIR_dir)
265+
ENGINESDIR=$(ENGINESDIR_dir)
266+
else
267+
INSTALLTOP=$(INSTALLTOP_dev)$(INSTALLTOP_dir)
268+
OPENSSLDIR=$(OPENSSLDIR_dev)$(OPENSSLDIR_dir)
269+
ENGINESDIR=$(ENGINESDIR_dev)$(ENGINESDIR_dir)
270+
endif
271+
272+
# $(libdir) is chosen to be compatible with the GNU coding standards
273+
libdir={- File::Spec::Win32->file_name_is_absolute($libdir)
274+
? $libdir : '$(INSTALLTOP)/$(LIBDIR)' -}
275+
{- output_on() if $config{target} !~ /^mingw/; "" -}
178276

179277
MANDIR=$(INSTALLTOP)/share/man
180278
DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME)
@@ -418,13 +516,13 @@ libclean:
418516
clean: libclean
419517
$(RM) $(PROGRAMS) $(TESTPROGS) $(ENGINES) $(SCRIPTS)
420518
$(RM) $(GENERATED_MANDATORY) $(GENERATED)
421-
-$(RM) `find . -name .git -prune -o -name '*{- $depext -}' -print`
422-
-$(RM) `find . -name .git -prune -o -name '*{- $objext -}' -print`
519+
-$(RM) `find . -name '*{- $depext -}' \! -name '.*' -print`
520+
-$(RM) `find . -name '*{- $objext -}' \! -name '.*' -print`
423521
$(RM) core
424522
$(RM) tags TAGS doc-nits
425523
$(RM) -r test/test-runs
426524
$(RM) openssl.pc libcrypto.pc libssl.pc
427-
-$(RM) `find . -name .git -prune -o -type l -print`
525+
-$(RM) `find . -type l \! -name '.*' -print`
428526
$(RM) $(TARFILE)
429527
430528
distclean: clean
@@ -449,7 +547,7 @@ uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
449547
install_docs: install_man_docs install_html_docs
450548
451549
uninstall_docs: uninstall_man_docs uninstall_html_docs
452-
$(RM) -r -v $(DESTDIR)$(DOCDIR)
550+
$(RM) -r $(DESTDIR)$(DOCDIR)
453551
454552
install_ssldirs:
455553
@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/certs
Collapse file

‎deps/openssl/openssl/Configure‎

Copy file name to clipboardExpand all lines: deps/openssl/openssl/Configure
+1-4Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -87,9 +87,6 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
8787
# linked openssl executable has rather debugging value than
8888
# production quality.
8989
#
90-
# DEBUG_SAFESTACK use type-safe stacks to enforce type-safety on stack items
91-
# provided to stack calls. Generates unique stack functions for
92-
# each possible stack type.
9390
# BN_LLONG use the type 'long long' in crypto/bn/bn.h
9491
# RC4_CHAR use 'char' instead of 'int' for RC4_INT in crypto/rc4/rc4.h
9592
# Following are set automatically by this script
@@ -145,13 +142,13 @@ my @gcc_devteam_warn = qw(
145142
# -Wunused-macros -- no, too tricky for BN and _XOPEN_SOURCE etc
146143
# -Wextended-offsetof -- no, needed in CMS ASN1 code
147144
my @clang_devteam_warn = qw(
145+
-Wno-unknown-warning-option
148146
-Wswitch-default
149147
-Wno-parentheses-equality
150148
-Wno-language-extension-token
151149
-Wno-extended-offsetof
152150
-Wconditional-uninitialized
153151
-Wincompatible-pointer-types-discards-qualifiers
154-
-Wno-unknown-warning-option
155152
-Wmissing-variable-declarations
156153
);
157154

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.