Merge branch 'openssl-updates'
michaellukashov committed Nov 3, 2017
2 parents 3cf1f41 + cb2faad commit f5b9d7b
Showing 315 changed files with 9,466 additions and 1,581 deletions.
8 changes: 2 additions & 6 deletions libs/openssl/.gitignore
Expand Up @@ -27,6 +27,7 @@ Makefile

# Auto generated headers
/crypto/buildinf.h
/apps/progs.h
/crypto/include/internal/*_conf.h
/openssl/include/opensslconf.h
/util/domd
Expand All @@ -52,12 +53,7 @@ Makefile
/test/v3ext

# Certain files that get created by tests on the fly
/test/*.ss
/test/*.srl
/test/.rnd
/test/test*.pem
/test/newkey.pem
/test/*.log
/test/test-runs
/test/buildtest_*

# Fuzz stuff.
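Review bot: the patterns dropped from the "created by tests on the fly" block (/test/newkey.pem, /test/test*.pem, /test/.rnd, /test/*.srl, /test/*.ss, /test/*.log) covered key and seed material, and only /test/test-runs replaces them. Any test that still writes directly under test/ instead of under RESULT_D will now leave those files untracked, where a broad git add can commit them. Confirm every test recipe writes into test-runs before removing these, or keep /test/*.pem and /test/.rnd ignored as a backstop.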
15 changes: 15 additions & 0 deletions libs/openssl/.travis-apt-pin.preferences
@@ -0,0 +1,15 @@
Package: clang-3.9
Pin: release o=Ubuntu
Pin-Priority: -1

Package: libclang-common-3.9-dev
Pin: release o=Ubuntu
Pin-Priority: -1

Package: libclang1-3.9
Pin: release o=Ubuntu
Pin-Priority: -1

Package: libllvm3.9v4
Pin: release o=Ubuntu
Pin-Priority: -1
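Review bot: this new preferences file carries no explanation of why the four Ubuntu-origin packages are pinned to -1; the reason is only discoverable from .travis.yml, which copies it to /etc/apt/preferences.d/no-ubuntu-clang before adding the apt.llvm.org source. Start each record with an Explanation: line stating that the negative priority blocks Ubuntu's clang-3.9 build so the apt.llvm.org one is installed, and note that the package list has to be revisited whenever the clang version in .travis.yml changes.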
84 changes: 37 additions & 47 deletions libs/openssl/.travis.yml
Expand Up @@ -28,70 +28,29 @@ env:
- CONFIG_OPTS="no-engine no-shared --strict-warnings" BUILDONLY="yes"
- CONFIG_OPTS="no-stdio --strict-warnings" BUILDONLY="yes"
- CONFIG_OPTS="no-ec" BUILDONLY="yes"
- CONFIG_OPTS="no-asm --strict-warnings" BUILDONLY="yes" CHECKDOCS="yes"

matrix:
include:
- os: linux
addons:
apt:
packages:
- clang-3.9
sources:
- llvm-toolchain-trusty-3.9
- ubuntu-toolchain-r-test
compiler: clang-3.9
env: CONFIG_OPTS="--strict-warnings no-deprecated" BUILDONLY="yes"
- os: linux
compiler: gcc
env: CONFIG_OPTS="--debug --coverage no-asm enable-rc5 enable-md2 enable-ec_nistp_64_gcc_128 enable-ssl3 enable-ssl3-method enable-weak-ssl-ciphers" COVERALLS="yes"
- os: linux
addons:
apt:
packages:
- clang-3.9
sources:
- llvm-toolchain-trusty-3.9
- ubuntu-toolchain-r-test
compiler: clang-3.9
env: CONFIG_OPTS="enable-asan"
- os: linux
addons:
apt:
packages:
- clang-3.9
sources:
- llvm-toolchain-trusty-3.9
- ubuntu-toolchain-r-test
compiler: clang-3.9
env: CONFIG_OPTS="enable-msan"
- os: linux
addons:
apt:
packages:
- clang-3.9
sources:
- llvm-toolchain-trusty-3.9
- ubuntu-toolchain-r-test
compiler: clang-3.9
env: CONFIG_OPTS="no-asm enable-ubsan enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method -fno-sanitize=alignment"
- os: linux
addons:
apt:
packages:
- clang-3.9
sources:
- llvm-toolchain-trusty-3.9
- ubuntu-toolchain-r-test
compiler: clang-3.9
env: CONFIG_OPTS="no-asm enable-asan enable-rc5 enable-md2"
- os: linux
addons:
apt:
packages:
- clang-3.9
sources:
- llvm-toolchain-trusty-3.9
- ubuntu-toolchain-r-test
compiler: clang-3.9
env: CONFIG_OPTS="no-stdio"
- os: linux
Expand Down Expand Up @@ -160,7 +119,14 @@ before_script:
export CROSS_COMPILE=${CC%%gcc}; unset CC;
$srcdir/Configure mingw64 $CONFIG_OPTS -Wno-pedantic-ms-format;
else
if which ccache >/dev/null && [ "$CC" != clang-3.9 ]; then
if [ "$CC" == clang-3.9 ]; then
sudo cp .travis-apt-pin.preferences /etc/apt/preferences.d/no-ubuntu-clang;
curl -sSL "http://apt.llvm.org/llvm-snapshot.gpg.key" | sudo -E apt-key add -;
echo "deb http://apt.llvm.org/trusty/ llvm-toolchain-trusty-3.9 main" | sudo tee -a /etc/apt/sources.list > /dev/null;
sudo -E apt-add-repository -y "ppa:ubuntu-toolchain-r/test";
sudo -E apt-get -yq update;
sudo -E apt-get -yq --no-install-suggests --no-install-recommends --force-yes install clang-3.9;
elif which ccache >/dev/null; then
CC="ccache $CC";
fi;
$srcdir/config -v $CONFIG_OPTS;
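Review bot: in the clang-3.9 branch the repository signing key is fetched over plain HTTP (curl -sSL "http://apt.llvm.org/llvm-snapshot.gpg.key" | sudo -E apt-key add -) and the install then passes --force-yes, so the trusted key is whatever the network returned and apt continues even when a package fails authentication. Fetch the key over https, compare its fingerprint against a value stored in the repository before running apt-key add, and drop --force-yes so an unauthenticated compiler package stops the job. Separately, [ "$CC" == clang-3.9 ] depends on a bash extension; use a single = so the test does not depend on which shell runs before_script.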
Expand All @@ -187,20 +153,44 @@ script:
else
top=.;
fi
- $make update
- $make
- if $make update; then
echo -e '+\057 MAKE UPDATE OK';
else
echo -e '+\057 MAKE UPDATE FAILED'; false;
fi;
git diff --quiet
- if [ -n "$CHECKDOCS" ]; then
if $make doc-nits; then
echo -e '+\057\057 MAKE DOC-NITS OK';
else
echo -e '+\057\057 MAKE DOC-NITS FAILED'; false;
fi;
fi
- if $make ; then
echo -e '+\057\057\057 MAKE OK';
else
echo -e '+\057\057\057 MAKE FAILED'; false;
fi;
- if [ -z "$BUILDONLY" ]; then
if [ -n "$CROSS_COMPILE" ]; then
sudo apt-get -yq install wine;
export EXE_SHELL="wine" WINEPREFIX=`pwd`;
fi;
HARNESS_VERBOSE=yes make test;
else
$make build_tests;
if $make build_tests; then
echo -e '+\057\057\075 MAKE BUILD_TESTS OK';
else
echo -e '+\057\057\075 MAKE BUILD_TESTS FAILEd'; false;
fi;
fi
- if [ -n "$DESTDIR" ]; then
mkdir "../$DESTDIR";
$make install install_docs DESTDIR="../$DESTDIR";
if $make install install_docs DESTDIR="../$DESTDIR"; then
echo -e '+\057\057\057\057\057 MAKE INSTALL_DOCS OK';
else
echo -e '+\057\057\057\057\057 MAKE INSTALL_DOCS FAILED'; false;
fi;
fi
- cd $top
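Review bot: the build_tests failure marker is spelled 'MAKE BUILD_TESTS FAILEd' while every other branch in this hunk prints FAILED, so a case-sensitive search of the job log for FAILED misses it; correct the capitalisation. The HARNESS_VERBOSE=yes make test branch is also the only step left without an OK/FAILED marker and calls make rather than $make, which is worth aligning with the rest if the markers are meant to be parsed.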

45 changes: 45 additions & 0 deletions libs/openssl/CHANGES
Expand Up @@ -2,6 +2,51 @@
OpenSSL CHANGES
_______________

This is a high-level summary of the most important changes.
For a full list of changes, see the git commit log; for example,
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.

Changes between 1.1.0f and 1.1.0g [2 Nov 2017]

*) bn_sqrx8x_internal carry bug on x86_64

There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary to
deduce information about a private key may be performed offline. The amount
of resources required for such an attack would be very significant and
likely only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients.

This only affects processors that support the BMI1, BMI2 and ADX extensions
like Intel Broadwell (5th generation) and later or AMD Ryzen.

This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3736)
[Andy Polyakov]

*) Malformed X.509 IPAddressFamily could cause OOB read

If an X.509 certificate has a malformed IPAddressFamily extension,
OpenSSL could do a one-byte buffer overread. The most likely result
would be an erroneous display of the certificate in text format.

This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3735)
[Rich Salz]

*) Ignore the '-named_curve auto' value for compatibility of applications
with OpenSSL 1.0.2.
[Tomas Mraz <tmraz@fedoraproject.org>]

*) Support for SSL_OP_NO_ENCRYPT_THEN_MAC in SSL_CONF_cmd.
[Emilia Käsper]

Changes between 1.1.0e and 1.1.0f [25 May 2017]

*) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
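Review bot: the new "Changes between 1.1.0f and 1.1.0g" block at the top of this hunk shows the merge brings the vendored copy up to a release that fixes CVE-2017-3736 and CVE-2017-3735, but the commit message says only "Merge branch 'openssl-updates'". Name the upstream version and both CVE identifiers in the message so the patch level of libs/openssl can be established from git log without opening CHANGES.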
7 changes: 6 additions & 1 deletion libs/openssl/Configurations/descrip.mms.tmpl
Expand Up @@ -89,7 +89,7 @@
sub dependmagic {
my $target = shift;

return "$target : build_generated\n\t\pipe \$(MMS) depend && \$(MMS) _$target\n_$target";
return "$target : build_generated\n\t\pipe \$(MMS) \$(MMSQUALIFIERS) depend && \$(MMS) \$(MMSQUALIFIERS) _$target\n_$target";
}
#use Data::Dumper;
#print STDERR "DEBUG: before:\n", Dumper($unified_info{before});
Expand Down Expand Up @@ -144,6 +144,9 @@ BIN_SCRIPTS=[.tools]c_rehash.pl
MISC_SCRIPTS=[.apps]CA.pl, [.apps]tsget.pl
{- output_on() if $disabled{apps}; "" -}

APPS_OPENSSL={- use File::Spec::Functions;
catfile("apps","openssl") -}

# DESTDIR is for package builders so that they can configure for, say,
# SYS$COMMON:[OPENSSL] and yet have everything installed in STAGING:[USER].
# In that case, configure with --prefix=SYS$COMMON:[OPENSSL] and then run
Expand Down Expand Up @@ -265,8 +268,10 @@ test : tests
{- dependmagic('tests'); -} : build_programs_nodep, build_engines_nodep
@ ! {- output_off() if $disabled{tests}; "" -}
SET DEFAULT [.test]{- move("test") -}
CREATE/DIR [.test-runs]
DEFINE SRCTOP {- sourcedir() -}
DEFINE BLDTOP {- builddir() -}
DEFINE RESULT_D {- builddir(qw(test test-runs)) -}
DEFINE OPENSSL_ENGINES {- builddir("engines") -}
DEFINE OPENSSL_DEBUG_MEMORY "on"
IF "$(VERBOSE)" .NES. "" THEN DEFINE VERBOSE "$(VERBOSE)"
53 changes: 25 additions & 28 deletions libs/openssl/Configurations/unix-Makefile.tmpl
Expand Up @@ -113,6 +113,9 @@ BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash
MISC_SCRIPTS=$(BLDDIR)/apps/CA.pl $(BLDDIR)/apps/tsget
{- output_on() if $disabled{apps}; "" -}

APPS_OPENSSL={- use File::Spec::Functions;
catfile("apps","openssl") -}

# DESTDIR is for package builders so that they can configure for, say,
# /usr/ and yet have everything installed to /tmp/somedir/usr/.
# Normally it is left empty.
Expand Down Expand Up @@ -241,11 +244,13 @@ test: tests
{- dependmagic('tests'); -}: build_programs_nodep build_engines_nodep link-utils
@ : {- output_off() if $disabled{tests}; "" -}
( cd test; \
mkdir -p test-runs; \
SRCTOP=../$(SRCDIR) \
BLDTOP=../$(BLDDIR) \
RESULT_D=test-runs \
PERL="$(PERL)" \
EXE_EXT={- $exeext -} \
OPENSSL_ENGINES=../$(BLDDIR)/engines \
OPENSSL_ENGINES=`cd ../$(BLDDIR)/engines; pwd` \
OPENSSL_DEBUG_MEMORY=on \
$(PERL) ../$(SRCDIR)/test/run_tests.pl $(TESTS) )
@ : {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
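Review bot: the new OPENSSL_ENGINES=`cd ../$(BLDDIR)/engines; pwd` joins cd and pwd with a semicolon, so when the engines directory is missing the cd fails, pwd still runs, and the variable silently becomes the test directory instead of producing an error. Use cd ../$(BLDDIR)/engines && pwd so a missing directory yields an empty value that is easy to spot, or test for the directory before running run_tests.pl.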
Expand Down Expand Up @@ -592,19 +597,9 @@ doc-nits:
lint:
lint -DLINT $(INCLUDES) $(SRCS)

{- # because the program apps/openssl has object files as sources, and
# they then have the corresponding C files as source, we need to chain
# the lookups in %unified_info
my $apps_openssl = catfile("apps","openssl");
our @openssl_source = map { @{$unified_info{sources}->{$_}} }
@{$unified_info{sources}->{$apps_openssl}};
""; -}
generate_apps:
( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \
< apps/openssl.cnf > apps/openssl-vms.cnf )
( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b apps/progs.pl \
{- join(" ", @openssl_source) -} \
> apps/progs.h )

generate_crypto_bn:
( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )
Expand Down Expand Up @@ -656,9 +651,12 @@ tags TAGS: FORCE

# Release targets (note: only available on Unix) #####################

# If your tar command doesn't support --owner and --group, make sure to
# use one that does, for example GNU tar
TAR_COMMAND=$(TAR) $(TARFLAGS) --owner 0 --group 0 -cvf -
PREPARE_CMD=:
tar:
set -e; \
TMPDIR=/var/tmp/openssl-copy.$$$$; \
DISTDIR=$(NAME); \
mkdir -p $$TMPDIR/$$DISTDIR; \
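Review bot: the set -e added under tar: does not help with TMPDIR=/var/tmp/openssl-copy.$$$$ followed by mkdir -p, because mkdir -p succeeds when the directory already exists; the release tree is then staged in a predictable path under a world-writable directory that another local user may have created first. Create the staging directory with mktemp -d (or a plain mkdir that fails on an existing path) so the recipe stops instead of building the tarball from a directory it does not own.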
Expand All @@ -669,12 +667,12 @@ tar:
mkdir -p $$TMPDIR/$$DISTDIR/`dirname $$F`; \
cp $$F $$TMPDIR/$$DISTDIR/$$F; \
done); \
(cd $$TMPDIR; \
(cd $$TMPDIR/$$DISTDIR; \
$(PREPARE_CMD); \
find $$TMPDIR/$$DISTDIR -type d -print | xargs chmod 755; \
find $$TMPDIR/$$DISTDIR -type f -print | xargs chmod a+r; \
find $$TMPDIR/$$DISTDIR -type f -perm -0100 -print | xargs chmod a+x; \
$(TAR_COMMAND) $$DISTDIR) \
find . -type d -print | xargs chmod 755; \
find . -type f -print | xargs chmod a+r; \
find . -type f -perm -0100 -print | xargs chmod a+x); \
(cd $$TMPDIR; $(TAR_COMMAND) $$DISTDIR) \
| (cd $(SRCDIR); gzip --best > $(TARFILE).gz); \
rm -rf $$TMPDIR
cd $(SRCDIR); ls -l $(TARFILE).gz
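Review bot: the exit status of (cd $$TMPDIR; $(TAR_COMMAND) $$DISTDIR) | (cd $(SRCDIR); gzip --best > $(TARFILE).gz) is gzip's alone, so the set -e introduced for this recipe does not catch a failing tar on the left of the pipe and a truncated $(TARFILE).gz is reported as success. Write the tar output to a file inside $$TMPDIR and compress it in a second step, or otherwise check tar's status explicitly, before the rm -rf. The find ... -print | xargs chmod lines also split on whitespace in file names, which matters now that $(PREPARE_CMD) runs inside the same directory and may create files.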
Expand Down Expand Up @@ -900,6 +898,7 @@ EOF
my $shlib_target = $target{shared_target};
my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : "";
my $target = shlib_simple($lib);
my $target_full = shlib($lib);
return <<"EOF"
# With a build on a Windows POSIX layer (Cygwin or Mingw), we know for a fact
# that two files get produced, {shlibname}.dll and {libname}.dll.a.
Expand All @@ -914,11 +913,11 @@ $target: $lib$libext $deps $ordinalsfile
PERL="\$(PERL)" SRCDIR='\$(SRCDIR)' DSTDIR="$libd" \\
INSTALLTOP='\$(INSTALLTOP)' LIBDIR='\$(LIBDIR)' \\
LIBDEPS='\$(PLIB_LDFLAGS) '"$linklibs"' \$(EX_LIBS)' \\
LIBNAME=$libname LIBVERSION=\$(SHLIB_MAJOR).\$(SHLIB_MINOR) \\
LIBCOMPATVERSIONS=';\$(SHLIB_VERSION_HISTORY)' \\
LIBNAME=$libname SHLIBVERSION=\$(SHLIB_MAJOR).\$(SHLIB_MINOR) \\
STLIBNAME=$lib$libext \\
SHLIBNAME=$target SHLIBNAME_FULL=$target_full \\
CC='\$(CC)' CFLAGS='\$(CFLAGS) \$(LIB_CFLAGS)' \\
LDFLAGS='\$(LDFLAGS)' \\
SHARED_LDFLAGS='\$(LIB_LDFLAGS)' SHLIB_EXT=$shlibext \\
LDFLAGS='\$(LDFLAGS)' SHARED_LDFLAGS='\$(LIB_LDFLAGS)' \\
RC='\$(RC)' SHARED_RCFLAGS='\$(RCFLAGS)' \\
link_shlib.$shlib_target
EOF
Expand All @@ -931,28 +930,26 @@ EOF
}
sub obj2dso {
my %args = @_;
my $lib = $args{lib};
my $libd = dirname($lib);
my $libn = basename($lib);
(my $libname = $libn) =~ s/^lib//;
my $dso = $args{lib};
my $dsod = dirname($dso);
my $dson = basename($dso);
my $shlibdeps = join("", map { my $d = dirname($_);
my $f = basename($_);
(my $l = $f) =~ s/^lib//;
" -L$d -l$l" } @{$args{deps}});
my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
my $shlib_target = $target{shared_target};
my $objs = join(" ", map { $_.$objext } @{$args{objs}});
my $target = dso($lib);
my $target = dso($dso);
return <<"EOF";
$target: $objs $deps
\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
PLATFORM=\$(PLATFORM) \\
PERL="\$(PERL)" SRCDIR='\$(SRCDIR)' DSTDIR="$libd" \\
PERL="\$(PERL)" SRCDIR='\$(SRCDIR)' DSTDIR="$dsod" \\
LIBDEPS='\$(PLIB_LDFLAGS) '"$shlibdeps"' \$(EX_LIBS)' \\
LIBNAME=$libname LDFLAGS='\$(LDFLAGS)' \\
SHLIBNAME_FULL=$target LDFLAGS='\$(LDFLAGS)' \\
CC='\$(CC)' CFLAGS='\$(CFLAGS) \$(DSO_CFLAGS)' \\
SHARED_LDFLAGS='\$(DSO_LDFLAGS)' \\
SHLIB_EXT=$dsoext \\
LIBEXTRAS="$objs" \\
link_dso.$shlib_target
EOF