Skip to content

Commit

Permalink
deps: upgrade openssl sources to 1.1.1i
Browse files Browse the repository at this point in the history
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1i.tar.gz
    $ mv openssl-1.1.1i openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #36521
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Shelley Vohr <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
  • Loading branch information
MylesBorins authored and richardlau committed Dec 17, 2020
1 parent 76ea9c5 commit 7ec0eb4
Show file tree
Hide file tree
Showing 351 changed files with 4,263 additions and 4,175 deletions.
63 changes: 63 additions & 0 deletions deps/openssl/openssl/CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,69 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.

Changes between 1.1.1h and 1.1.1i [8 Dec 2020]

*) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
If an attacker can control both items being compared then this could lead
to a possible denial of service attack. OpenSSL itself uses the
GENERAL_NAME_cmp function for two purposes:
1) Comparing CRL distribution point names between an available CRL and a
CRL distribution point embedded in an X509 certificate
2) When verifying that a timestamp response token signer matches the
timestamp authority name (exposed via the API functions
TS_RESP_verify_response and TS_RESP_verify_token)
(CVE-2020-1971)
[Matt Caswell]

*) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target.
[Stuart Carnie]

*) The security callback, which can be customised by application code, supports
the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
in the "other" parameter. In most places this is what is passed. All these
places occur server side. However there was one client side call of this
security operation and it passed a DH object instead. This is incorrect
according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
of the other locations. Therefore this client side call has been changed to
pass an EVP_PKEY instead.
[Matt Caswell]

*) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
when validating a certificate path. This check is restored in 1.1.1i.
[David von Oheimb]

Changes between 1.1.1g and 1.1.1h [22 Sep 2020]

*) Certificates with explicit curve parameters are now disallowed in
verification chains if the X509_V_FLAG_X509_STRICT flag is used.
[Tomas Mraz]

*) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
ignore TLS protocol version bounds when configuring DTLS-based contexts, and
conversely, silently ignore DTLS protocol version bounds when configuring
TLS-based contexts. The commands can be repeated to set bounds of both
types. The same applies with the corresponding "min_protocol" and
"max_protocol" command-line switches, in case some application uses both TLS
and DTLS.

SSL_CTX instances that are created for a fixed protocol version (e.g.
TLSv1_server_method()) also silently ignore version bounds. Previously
attempts to apply bounds to these protocol versions would result in an
error. Now only the "version-flexible" SSL_CTX instances are subject to
limits in configuration files in command-line options.
[Viktor Dukhovni]

*) Handshake now fails if Extended Master Secret extension is dropped
on renegotiation.
[Tomas Mraz]

*) Accidentally, an expired trusted (root) certificate is not anymore rejected
when validating a certificate path.
[David von Oheimb]

*) The Oracle Developer Studio compiler will start reporting deprecated APIs

Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

*) Fixed segmentation fault in SSL_check_chain()
Expand Down
16 changes: 8 additions & 8 deletions deps/openssl/openssl/Configurations/10-main.conf
Original file line number Diff line number Diff line change
Expand Up @@ -741,7 +741,7 @@ my %targets = (
inherit_from => [ "linux-generic32", asm("mips64_asm") ],
cflags => add("-mabi=n32"),
cxxflags => add("-mabi=n32"),
bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
bn_ops => "RC4_CHAR",
perlasm_scheme => "n32",
multilib => "32",
},
Expand Down Expand Up @@ -1125,7 +1125,7 @@ my %targets = (
CFLAGS => picker(debug => "-O0 -g",
release => "-O"),
cflags => add(threads("-pthread")),
ex_libs => threads("-pthread"),
ex_libs => add(threads("-pthread")),
bn_ops => "BN_LLONG RC4_CHAR",
perlasm_scheme => "aix32",
shared_ldflag => add_before("-shared -static-libgcc"),
Expand All @@ -1138,7 +1138,7 @@ my %targets = (
CFLAGS => picker(debug => "-O0 -g",
release => "-O"),
cflags => combine("-maix64", threads("-pthread")),
ex_libs => threads("-pthread"),
ex_libs => add(threads("-pthread")),
bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
perlasm_scheme => "aix64",
shared_ldflag => add_before("-shared -static-libgcc"),
Expand All @@ -1154,7 +1154,7 @@ my %targets = (
cflags => combine("-q32 -qmaxmem=16384 -qro -qroconst",
threads("-qthreaded")),
cppflags => threads("-D_THREAD_SAFE"),
ex_libs => threads("-lpthreads"),
ex_libs => add(threads("-lpthreads")),
bn_ops => "BN_LLONG RC4_CHAR",
perlasm_scheme => "aix32",
shared_cflag => "-qpic",
Expand All @@ -1169,7 +1169,7 @@ my %targets = (
cflags => combine("-q64 -qmaxmem=16384 -qro -qroconst",
threads("-qthreaded")),
cppflags => threads("-D_THREAD_SAFE"),
ex_libs => threads("-lpthreads"),
ex_libs => add(threads("-lpthreads")),
bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
perlasm_scheme => "aix64",
dso_scheme => "dlfcn",
Expand Down Expand Up @@ -1365,9 +1365,9 @@ my %targets = (
}
push @ex_libs, '$(PORTSDK_LIBPATH)/portlib.lib'
if (defined(env('PORTSDK_LIBPATH')));
push @ex_libs, ' /nodefaultlib coredll.lib corelibc.lib'
if (env('TARGETCPU') eq "X86");
return @ex_libs;
push @ex_libs, '/nodefaultlib coredll.lib corelibc.lib'
if (env('TARGETCPU') =~ /^X86|^ARMV4[IT]/);
return join(" ", @ex_libs);
}),
},

Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/Configurations/windows-makefile.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -211,8 +211,8 @@ CNF_CPPFLAGS={- our $cppfags2 =
join(' ', $target{cppflags} || (),
(map { '-D'.quotify1($_) } @{$target{defines}},
@{$config{defines}}),
(map { '-I'.quotify1($_) } @{$target{includes}},
@{$config{includes}}),
(map { '-I'.'"'.$_.'"' } @{$target{includes}},
@{$config{includes}}),
@{$config{cppflags}}) -}
CNF_CFLAGS={- join(' ', $target{cflags} || (),
@{$config{cflags}}) -}
Expand Down
38 changes: 36 additions & 2 deletions deps/openssl/openssl/Configure
Original file line number Diff line number Diff line change
Expand Up @@ -217,12 +217,22 @@ sub resolve_config;
# Unified build supports separate build dir
my $srcdir = catdir(absolutedir(dirname($0))); # catdir ensures local syntax
my $blddir = catdir(absolutedir(".")); # catdir ensures local syntax

# File::Spec::Unix doesn't detect case insensitivity, so we make sure to
# check if the source and build directory are really the same, and make
# them so. This avoids all kinds of confusion later on.
# We must check @File::Spec::ISA rather than using File::Spec->isa() to
# know if File::Spec ended up loading File::Spec::Unix.
$srcdir = $blddir
if (grep(/::Unix$/, @File::Spec::ISA)
&& samedir($srcdir, $blddir));

my $dofile = abs2rel(catfile($srcdir, "util/dofile.pl"));

my $local_config_envname = 'OPENSSL_LOCAL_CONFIG_DIR';

$config{sourcedir} = abs2rel($srcdir);
$config{builddir} = abs2rel($blddir);
$config{sourcedir} = abs2rel($srcdir, $blddir);
$config{builddir} = abs2rel($blddir, $blddir);

# Collect reconfiguration information if needed
my @argvcopy=@ARGV;
Expand Down Expand Up @@ -1049,6 +1059,9 @@ if (scalar(@seed_sources) == 0) {
print "Using os-specific seed configuration\n";
push @seed_sources, 'os';
}
if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) {
delete $disabled{'egd'};
}
if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
warn <<_____ if scalar(@seed_sources) == 1;
Expand Down Expand Up @@ -3424,6 +3437,27 @@ sub absolutedir {
return realpath($dir);
}

# Check if all paths are one and the same, using stat. They must both exist
# We need this for the cases when File::Spec doesn't detect case insensitivity
# (File::Spec::Unix assumes case sensitivity)
sub samedir {
die "samedir expects two arguments\n" unless scalar @_ == 2;

my @stat0 = stat($_[0]); # First argument
my @stat1 = stat($_[1]); # Second argument

die "Couldn't stat $_[0]" unless @stat0;
die "Couldn't stat $_[1]" unless @stat1;

# Compare device number
return 0 unless ($stat0[0] == $stat1[0]);
# Compare "inode". The perl manual recommends comparing as
# string rather than as number.
return 0 unless ($stat0[1] eq $stat1[1]);

return 1; # All the same
}

sub quotify {
my %processors = (
perl => sub { my $x = shift;
Expand Down
12 changes: 12 additions & 0 deletions deps/openssl/openssl/NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,18 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]

o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)

Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]

o Disallow explicit curve parameters in verifications chains when
X509_V_FLAG_X509_STRICT is used
o Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS
contexts
o Oracle Developer Studio will start reporting deprecation warnings

Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]

o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)
Expand Down
4 changes: 2 additions & 2 deletions deps/openssl/openssl/NOTES.ANDROID
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
-------------------

Beside basic tools like perl and make you'll need to download the Android
NDK. It's available for Linux, Mac OS X and Windows, but only Linux
version was actually tested. There is no reason to believe that Mac OS X
NDK. It's available for Linux, macOS and Windows, but only Linux
version was actually tested. There is no reason to believe that macOS
wouldn't work. And as for Windows, it's unclear which "shell" would be
suitable, MSYS2 might have best chances. NDK version should play lesser
role, the goal is to support a range of most recent versions.
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/NOTES.PERL
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@

$ cpan -f -i Text::Template

Note: on VMS, you must quote any argument that contains upper case
Note: on VMS, you must quote any argument that contains uppercase
characters, so the lines above would be:

$ cpan -i "Text::Template"
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/NOTES.VMS
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@
An ANSI C compiled is needed among other things. This means that
VAX C is not and will not be supported.

We have only tested with DEC C (a.k.a HP VMS C / VSI C) and require
We have only tested with DEC C (aka HP VMS C / VSI C) and require
version 7.1 or later. Compiling with a different ANSI C compiler may
require some work.

Expand Down
10 changes: 5 additions & 5 deletions deps/openssl/openssl/NOTES.WIN
Original file line number Diff line number Diff line change
Expand Up @@ -12,11 +12,11 @@
and require --cross-compile-prefix option. While on MSYS[2] it's solved
rather by placing gcc that produces "MinGW binary" code 1st on $PATH.
This is customarily source of confusion. "Hosted" applications "live" in
emulated file system name space with POSIX-y root, mount points, /dev
emulated filesystem name space with POSIX-y root, mount points, /dev
and even /proc. Confusion is intensified by the fact that MSYS2 shell
(or rather emulated execve(2) call) examines the binary it's about to
start, and if it's found *not* to be linked with MSYS2 POSIX-y thing,
command line arguments that look like file names get translated from
command line arguments that look like filenames get translated from
emulated name space to "native". For example '/c/some/where' becomes
'c:\some\where', '/dev/null' - 'nul'. This creates an illusion that
there is no difference between MSYS2 shell and "MinGW binary", but
Expand All @@ -26,7 +26,7 @@
it's referred to in quotes here, as "MinGW binary", it's just as
"native" as it can get.)

Visual C++ builds, a.k.a. VC-*
Visual C++ builds, aka VC-*
==============================

Requirement details
Expand All @@ -47,7 +47,7 @@
the other hand oldest one is known not to work. Everything between
falls into best-effort category.

- Netwide Assembler, a.k.a. NASM, available from https://www.nasm.us,
- Netwide Assembler, aka NASM, available from https://www.nasm.us,
is required. Note that NASM is the only supported assembler. Even
though Microsoft provided assembler is NOT supported, contemporary
64-bit version is exercised through continuous integration of
Expand Down Expand Up @@ -132,7 +132,7 @@
If you link with static OpenSSL libraries then you're expected to
additionally link your application with WS2_32.LIB, GDI32.LIB,
ADVAPI32.LIB, CRYPT32.LIB and USER32.LIB. Those developing
non-interactive service applications might feel concerned about
noninteractive service applications might feel concerned about
linking with GDI32.LIB and USER32.LIB, as they are justly associated
with interactive desktop, which is not available to service
processes. The toolkit is designed to detect in which context it's
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/README
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@

OpenSSL 1.1.1g 21 Apr 2020
OpenSSL 1.1.1i 8 Dec 2020

Copyright (c) 1998-2020 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Expand Down
6 changes: 3 additions & 3 deletions deps/openssl/openssl/apps/ca.c
100644 → 100755
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -1862,8 +1862,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
row[DB_exp_date][tm->length] = '\0';
row[DB_rev_date] = NULL;
row[DB_file] = OPENSSL_strdup("unknown");
if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
(row[DB_file] == NULL) || (row[DB_name] == NULL)) {
if ((row[DB_type] == NULL) || (row[DB_file] == NULL)
|| (row[DB_name] == NULL)) {
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
Expand Down
8 changes: 5 additions & 3 deletions deps/openssl/openssl/apps/cms.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -545,9 +545,11 @@ int cms_main(int argc, char **argv)
if (key_param == NULL || key_param->idx != keyidx) {
cms_key_param *nparam;
nparam = app_malloc(sizeof(*nparam), "key param buffer");
nparam->idx = keyidx;
if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL)
if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) {
OPENSSL_free(nparam);
goto end;
}
nparam->idx = keyidx;
nparam->next = NULL;
if (key_first == NULL)
key_first = nparam;
Expand Down
8 changes: 5 additions & 3 deletions deps/openssl/openssl/apps/genpkey.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand Down Expand Up @@ -177,9 +177,12 @@ int genpkey_main(int argc, char **argv)
goto end;
}

ret = 0;

if (rv <= 0) {
BIO_puts(bio_err, "Error writing key\n");
ERR_print_errors(bio_err);
ret = 1;
}

if (text) {
Expand All @@ -191,11 +194,10 @@ int genpkey_main(int argc, char **argv)
if (rv <= 0) {
BIO_puts(bio_err, "Error printing key\n");
ERR_print_errors(bio_err);
ret = 1;
}
}

ret = 0;

end:
EVP_PKEY_free(pkey);
EVP_PKEY_CTX_free(ctx);
Expand Down
4 changes: 1 addition & 3 deletions deps/openssl/openssl/apps/rsa8192.pem
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
-----BEGIN RSA PRIVATE KEY-----

MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ
ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF
MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY
Expand Down Expand Up @@ -62,7 +61,7 @@ JH1/Qx7C/mTAMRsN5SkOthnGq0djCNWfPv/3JV0H67Uf5krFlnwLebrgfTYoPPdo
yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ
kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9
DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN
22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU
2cYUn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU
ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz
D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP
PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8
Expand Down Expand Up @@ -98,4 +97,3 @@ TwEgE67iOb2iIoUpon/NyP4LesMzvdpsu2JFlfz13PmmQ34mFI7tWvOb3NA5DP3c
rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv
I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8=
-----END RSA PRIVATE KEY-----

Loading

0 comments on commit 7ec0eb4

Please sign in to comment.