Skip to content

Commit

Permalink
deps: upgrade openssl sources to 1.1.1g
Browse files Browse the repository at this point in the history
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.1g.tar.gz
    $ mv openssl-1.1.1g openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #32971
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Sam Roberts <[email protected]>
  • Loading branch information
hassaanp authored and BethGriggs committed Apr 28, 2020
1 parent 323da6f commit b12f163
Show file tree
Hide file tree
Showing 48 changed files with 1,842 additions and 636 deletions.
21 changes: 21 additions & 0 deletions deps/openssl/openssl/CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,27 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.

Changes between 1.1.1f and 1.1.1g [21 Apr 2020]

*) Fixed segmentation fault in SSL_check_chain()
Server or client applications that call the SSL_check_chain() function
during or after a TLS 1.3 handshake may crash due to a NULL pointer
dereference as a result of incorrect handling of the
"signature_algorithms_cert" TLS extension. The crash occurs if an invalid
or unrecognised signature algorithm is received from the peer. This could
be exploited by a malicious peer in a Denial of Service attack.
(CVE-2020-1967)
[Benjamin Kaduk]

*) Added AES consttime code for no-asm configurations
an optional constant time support for AES was added
when building openssl for no-asm.
Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME
Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME
At this time this feature is by default disabled.
It will be enabled by default in 3.0.
[Bernd Edlinger]

Changes between 1.1.1e and 1.1.1f [31 Mar 2020]

*) Revert the change of EOF detection while reading in libssl to avoid
Expand Down
6 changes: 3 additions & 3 deletions deps/openssl/openssl/INSTALL
Original file line number Diff line number Diff line change
Expand Up @@ -535,9 +535,9 @@
conjunction with the "-DPEDANTIC" option (or the
--strict-warnings option).

no-ui
Don't build with the "UI" capability (i.e. the set of
features enabling text based prompts).
no-ui-console
Don't build with the "UI" console method (i.e. the "UI"
method that enables text based console prompts).

enable-unit-test
Enable additional unit test APIs. This should not typically
Expand Down
4 changes: 4 additions & 0 deletions deps/openssl/openssl/NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]

o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)

Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020]

o Revert the unexpected EOF reporting via SSL_ERROR_SSL
Expand Down
2 changes: 1 addition & 1 deletion deps/openssl/openssl/README
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@

OpenSSL 1.1.1f 31 Mar 2020
OpenSSL 1.1.1g 21 Apr 2020

Copyright (c) 1998-2020 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Expand Down
61 changes: 51 additions & 10 deletions deps/openssl/openssl/apps/build.info
Original file line number Diff line number Diff line change
@@ -1,16 +1,17 @@
{- our @apps_openssl_src =
qw(openssl.c
asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c
dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c
genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c
pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c
asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c
enc.c errstr.c
genpkey.c nseq.c passwd.c pkcs7.c pkcs8.c
pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c
s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c
srp.c ts.c verify.c version.c x509.c rehash.c storeutl.c);
verify.c version.c x509.c rehash.c storeutl.c);
our @apps_lib_src =
( qw(apps.c opt.c s_cb.c s_socket.c app_rand.c bf_prefix.c),
split(/\s+/, $target{apps_aux_src}) );
our @apps_init_src = split(/\s+/, $target{apps_init_src});
"" -}

IF[{- !$disabled{apps} -}]
LIBS_NO_INST=libapps.a
SOURCE[libapps.a]={- join(" ", @apps_lib_src) -}
Expand All @@ -21,11 +22,51 @@ IF[{- !$disabled{apps} -}]
SOURCE[openssl]={- join(" ", @apps_openssl_src) -}
INCLUDE[openssl]=.. ../include
DEPEND[openssl]=libapps.a ../libssl

IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
GENERATE[openssl.rc]=../util/mkrc.pl openssl
SOURCE[openssl]=openssl.rc
ENDIF
IF[{- !$disabled{'des'} -}]
SOURCE[openssl]=pkcs12.c
DEPEND[pkcs12.o]=progs.h
ENDIF
IF[{- !$disabled{'ec'} -}]
SOURCE[openssl]=ec.c ecparam.c
DEPEND[ec.o]=progs.h
DEPEND[ecparam.o]=progs.h
ENDIF
IF[{- !$disabled{'ocsp'} -}]
SOURCE[openssl]=ocsp.c
DEPEND[ocsp.o]=progs.h
ENDIF
IF[{- !$disabled{'srp'} -}]
SOURCE[openssl]=srp.c
DEPEND[srp.o]=progs.h
ENDIF
IF[{- !$disabled{'ts'} -}]
SOURCE[openssl]=ts.c
DEPEND[ts.o]=progs.h
ENDIF
IF[{- !$disabled{'dh'} -}]
SOURCE[openssl]=dhparam.c
DEPEND[dhparam.o]=progs.h
ENDIF
IF[{- !$disabled{'dsa'} -}]
SOURCE[openssl]=dsa.c dsaparam.c gendsa.c
DEPEND[dsa.o]=progs.h
DEPEND[dsaparam.o]=progs.h
DEPEND[gendsa.o]=progs.h
ENDIF
IF[{- !$disabled{'engine'} -}]
SOURCE[openssl]=engine.c
DEPEND[engine.o]=progs.h
ENDIF
IF[{- !$disabled{'rsa'} -}]
SOURCE[openssl]=rsa.c rsautl.c genrsa.c
DEPEND[rsa.o]=progs.h
DEPEND[rsautl.o]=progs.h
DEPEND[genrsa.o]=progs.h
ENDIF
IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}]
GENERATE[openssl.rc]=../util/mkrc.pl openssl
SOURCE[openssl]=openssl.rc
ENDIF

{- join("\n ", map { (my $x = $_) =~ s|\.c$|.o|; "DEPEND[$x]=progs.h" }
@apps_openssl_src) -}
Expand Down
63 changes: 29 additions & 34 deletions deps/openssl/openssl/apps/dhparam.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand All @@ -8,28 +8,24 @@
*/

#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_DH
NON_EMPTY_TRANSLATION_UNIT
#else

# include <stdio.h>
# include <stdlib.h>
# include <time.h>
# include <string.h>
# include "apps.h"
# include "progs.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/bn.h>
# include <openssl/dh.h>
# include <openssl/x509.h>
# include <openssl/pem.h>

# ifndef OPENSSL_NO_DSA
# include <openssl/dsa.h>
# endif

# define DEFBITS 2048
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/bn.h>
#include <openssl/dh.h>
#include <openssl/x509.h>
#include <openssl/pem.h>

#ifndef OPENSSL_NO_DSA
# include <openssl/dsa.h>
#endif

#define DEFBITS 2048

static int dh_cb(int p, int n, BN_GENCB *cb);

Expand All @@ -56,13 +52,13 @@ const OPTIONS dhparam_options[] = {
{"C", OPT_C, '-', "Print C code"},
{"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
{"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
# ifndef OPENSSL_NO_DSA
#ifndef OPENSSL_NO_DSA
{"dsaparam", OPT_DSAPARAM, '-',
"Read or generate DSA parameters, convert to DH"},
# endif
# ifndef OPENSSL_NO_ENGINE
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
# endif
#endif
{NULL}
};

Expand Down Expand Up @@ -146,13 +142,13 @@ int dhparam_main(int argc, char **argv)
if (g && !num)
num = DEFBITS;

# ifndef OPENSSL_NO_DSA
#ifndef OPENSSL_NO_DSA
if (dsaparam && g) {
BIO_printf(bio_err,
"generator may not be chosen for DSA parameters\n");
goto end;
}
# endif
#endif

out = bio_open_default(outfile, 'w', outformat);
if (out == NULL)
Expand All @@ -173,7 +169,7 @@ int dhparam_main(int argc, char **argv)

BN_GENCB_set(cb, dh_cb, bio_err);

# ifndef OPENSSL_NO_DSA
#ifndef OPENSSL_NO_DSA
if (dsaparam) {
DSA *dsa = DSA_new();

Expand All @@ -196,7 +192,7 @@ int dhparam_main(int argc, char **argv)
goto end;
}
} else
# endif
#endif
{
dh = DH_new();
BIO_printf(bio_err,
Expand All @@ -217,7 +213,7 @@ int dhparam_main(int argc, char **argv)
if (in == NULL)
goto end;

# ifndef OPENSSL_NO_DSA
#ifndef OPENSSL_NO_DSA
if (dsaparam) {
DSA *dsa;

Expand All @@ -239,7 +235,7 @@ int dhparam_main(int argc, char **argv)
goto end;
}
} else
# endif
#endif
{
if (informat == FORMAT_ASN1) {
/*
Expand Down Expand Up @@ -376,4 +372,3 @@ static int dh_cb(int p, int n, BN_GENCB *cb)
(void)BIO_flush(BN_GENCB_get_arg(cb));
return 1;
}
#endif
55 changes: 25 additions & 30 deletions deps/openssl/openssl/apps/dsa.c
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
Expand All @@ -8,23 +8,19 @@
*/

#include <openssl/opensslconf.h>
#ifdef OPENSSL_NO_DSA
NON_EMPTY_TRANSLATION_UNIT
#else

# include <stdio.h>
# include <stdlib.h>
# include <string.h>
# include <time.h>
# include "apps.h"
# include "progs.h"
# include <openssl/bio.h>
# include <openssl/err.h>
# include <openssl/dsa.h>
# include <openssl/evp.h>
# include <openssl/x509.h>
# include <openssl/pem.h>
# include <openssl/bn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "apps.h"
#include "progs.h"
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/dsa.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/bn.h>

typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
Expand All @@ -49,14 +45,14 @@ const OPTIONS dsa_options[] = {
{"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
{"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
{"", OPT_CIPHER, '-', "Any supported cipher"},
# ifndef OPENSSL_NO_RC4
#ifndef OPENSSL_NO_RC4
{"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
{"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
{"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
# endif
# ifndef OPENSSL_NO_ENGINE
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
# endif
#endif
{NULL}
};

Expand All @@ -71,9 +67,9 @@ int dsa_main(int argc, char **argv)
OPTION_CHOICE o;
int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
int i, modulus = 0, pubin = 0, pubout = 0, ret = 1;
# ifndef OPENSSL_NO_RC4
#ifndef OPENSSL_NO_RC4
int pvk_encr = 2;
# endif
#endif
int private = 0;

prog = opt_init(argc, argv, dsa_options);
Expand Down Expand Up @@ -214,7 +210,7 @@ int dsa_main(int argc, char **argv)
i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
NULL, 0, NULL, passout);
}
# ifndef OPENSSL_NO_RSA
#ifndef OPENSSL_NO_RSA
} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
EVP_PKEY *pk;
pk = EVP_PKEY_new();
Expand All @@ -229,21 +225,21 @@ int dsa_main(int argc, char **argv)
goto end;
}
assert(private);
# ifdef OPENSSL_NO_RC4
# ifdef OPENSSL_NO_RC4
BIO_printf(bio_err, "PVK format not supported\n");
EVP_PKEY_free(pk);
goto end;
# else
# else
i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
# endif
# endif
} else if (pubin || pubout) {
i = i2b_PublicKey_bio(out, pk);
} else {
assert(private);
i = i2b_PrivateKey_bio(out, pk);
}
EVP_PKEY_free(pk);
# endif
#endif
} else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
Expand All @@ -262,4 +258,3 @@ int dsa_main(int argc, char **argv)
OPENSSL_free(passout);
return ret;
}
#endif
Loading

0 comments on commit b12f163

Please sign in to comment.