Skip to content

Commit

Permalink
deps: upgrade openssl sources to 1.0.2k
Browse files Browse the repository at this point in the history
This replaces all sources of openssl-1.0.2k.tar.gz into
deps/openssl/openssl

PR-URL: #11021
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
  • Loading branch information
shigeki authored and Myles Borins committed Jan 31, 2017
1 parent 6bedd0f commit c808447
Show file tree
Hide file tree
Showing 181 changed files with 1,122 additions and 39,081 deletions.
61 changes: 61 additions & 0 deletions deps/openssl/openssl/CHANGES
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,67 @@
OpenSSL CHANGES
_______________

Changes between 1.0.2j and 1.0.2k [26 Jan 2017]

*) Truncated packet could crash via OOB read

If one side of an SSL/TLS path is running on a 32-bit host and a specific
cipher is being used, then a truncated packet can cause that host to
perform an out-of-bounds read, usually resulting in a crash.

This issue was reported to OpenSSL by Robert Święcki of Google.
(CVE-2017-3731)
[Andy Polyakov]

*) BN_mod_exp may produce incorrect results on x86_64

There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary to
deduce information about a private key may be performed offline. The amount
of resources required for such an attack would be very significant and
likely only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
similar to CVE-2015-3193 but must be treated as a separate problem.

This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3732)
[Andy Polyakov]

*) Montgomery multiplication may produce incorrect results

There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure that handles input lengths divisible by, but
longer than 256 bits. Analysis suggests that attacks against RSA, DSA
and DH private keys are impossible. This is because the subroutine in
question is not used in operations with the private key itself and an input
of the attacker's direct choice. Otherwise the bug can manifest itself as
transient authentication and key negotiation failures or reproducible
erroneous outcome of public-key operations with specially crafted input.
Among EC algorithms only Brainpool P-512 curves are affected and one
presumably can attack ECDH key negotiation. Impact was not analyzed in
detail, because pre-requisites for attack are considered unlikely. Namely
multiple clients have to choose the curve in question and the server has to
share the private key among them, neither of which is default behaviour.
Even then only clients that chose the curve will be affected.

This issue was publicly reported as transient failures and was not
initially recognized as a security issue. Thanks to Richard Morgan for
providing reproducible case.
(CVE-2016-7055)
[Andy Polyakov]

*) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
prevent issues where no progress is being made and the peer continually
sends unrecognised record types, using up resources processing them.
[Matt Caswell]

Changes between 1.0.2i and 1.0.2j [26 Sep 2016]

*) Missing CRL sanity check
Expand Down
55 changes: 17 additions & 38 deletions deps/openssl/openssl/CONTRIBUTING
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
HOW TO CONTRIBUTE TO PATCHES OpenSSL
HOW TO CONTRIBUTE PATCHES TO OpenSSL
------------------------------------

(Please visit https://www.openssl.org/community/getting-started.html for
Expand All @@ -11,34 +11,12 @@ OpenSSL community you might want to discuss it on the openssl-dev mailing
list first. Someone may be already working on the same thing or there
may be a good reason as to why that feature isn't implemented.

The best way to submit a patch is to make a pull request on GitHub.
(It is not necessary to send mail to rt@openssl.org to open a ticket!)
If you think the patch could use feedback from the community, please
start a thread on openssl-dev.
To submit a patch, make a pull request on GitHub. If you think the patch
could use feedback from the community, please start a thread on openssl-dev
to discuss it.

You can also submit patches by sending it as mail to rt@openssl.org.
Please include the word "PATCH" and an explanation of what the patch
does in the subject line. If you do this, our preferred format is "git
format-patch" output. For example to provide a patch file containing the
last commit in your local git repository use the following command:

% git format-patch --stdout HEAD^ >mydiffs.patch

Another method of creating an acceptable patch file without using git is as
follows:

% cd openssl-work
...make your changes...
% ./Configure dist; make clean
% cd ..
% diff -ur openssl-orig openssl-work >mydiffs.patch

Note that pull requests are generally easier for the team, and community, to
work with. Pull requests benefit from all of the standard GitHub features,
including code review tools, simpler integration, and CI build support.

No matter how a patch is submitted, the following items will help make
the acceptance and review process faster:
Having addressed the following items before the PR will help make the
acceptance and review process faster:

1. Anything other than trivial contributions will require a contributor
licensing agreement, giving us permission to use your code. See
Expand All @@ -55,21 +33,22 @@ the acceptance and review process faster:
in the file LICENSE in the source distribution or at
https://www.openssl.org/source/license.html

3. Patches should be as current as possible. When using GitHub, please
expect to have to rebase and update often. Note that we do not accept merge
commits. You will be asked to remove them before a patch is considered
acceptable.
3. Patches should be as current as possible; expect to have to rebase
often. We do not accept merge commits; You will be asked to remove
them before a patch is considered acceptable.

4. Patches should follow our coding style (see
https://www.openssl.org/policies/codingstyle.html) and compile without
warnings. Where gcc or clang is availble you should use the
--strict-warnings Configure option. OpenSSL compiles on many varied
platforms: try to ensure you only use portable features.
Clean builds via Travis and AppVeyor are expected, and done whenever
a PR is created or updated.

5. When at all possible, patches should include tests. These can either be
added to an existing test, or completely new. Please see test/README
for information on the test framework.
5. When at all possible, patches should include tests. These can
either be added to an existing test, or completely new. Please see
test/README for information on the test framework.

6. New features or changed functionality must include documentation. Please
look at the "pod" files in doc/apps, doc/crypto and doc/ssl for examples of
our style.
6. New features or changed functionality must include
documentation. Please look at the "pod" files in doc/apps, doc/crypto
and doc/ssl for examples of our style.
34 changes: 27 additions & 7 deletions deps/openssl/openssl/Configure
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ eval 'exec perl -S $0 ${1+"$@"}'

require 5.000;
use strict;
use File::Compare;

# see INSTALL for instructions.

Expand Down Expand Up @@ -57,12 +58,13 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
# zlib-dynamic Like "zlib", but the zlib library is expected to be a shared
# library and will be loaded in run-time by the OpenSSL library.
# sctp include SCTP support
# 386 generate 80386 code
# enable-weak-ssl-ciphers
# Enable EXPORT and LOW SSLv3 ciphers that are disabled by
# default. Note, weak SSLv2 ciphers are unconditionally
# disabled.
# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
# 386 generate 80386 code in assembly modules
# no-sse2 disables IA-32 SSE2 code in assembly modules, the above
# mentioned '386' option implies this one
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> compiler options are passed through
#
Expand Down Expand Up @@ -1792,8 +1794,16 @@ while (<IN>)
}
close(IN);
close(OUT);
rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile;
rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";
if ((compare($Makefile, "$Makefile.new"))
or file_newer('Configure', $Makefile)
or file_newer('config', $Makefile)
or file_newer('Makefile.org', $Makefile))
{
rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile;
rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";
}
else
{ unlink("$Makefile.new"); }

print "CC =$cc\n";
print "CFLAG =$cflags\n";
Expand Down Expand Up @@ -1985,9 +1995,13 @@ print OUT "#ifdef __cplusplus\n";
print OUT "}\n";
print OUT "#endif\n";
close(OUT);
rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";

if (compare("crypto/opensslconf.h.new","crypto/opensslconf.h"))
{
rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
}
else
{ unlink("crypto/opensslconf.h.new"); }

# Fix the date

Expand Down Expand Up @@ -2289,3 +2303,9 @@ sub test_sanity
print STDERR "No sanity errors detected!\n" if $errorcnt == 0;
return $errorcnt;
}

sub file_newer
{
my ($file1, $file2) = @_;
return (stat($file1))[9] > (stat($file2))[9]
}
69 changes: 38 additions & 31 deletions deps/openssl/openssl/INSTALL
Original file line number Diff line number Diff line change
Expand Up @@ -74,24 +74,26 @@

no-asm Do not use assembler code.

386 Use the 80386 instruction set only (the default x86 code is
more efficient, but requires at least a 486). Note: Use
compiler flags for any other CPU specific configuration,
e.g. "-m32" to build x86 code on an x64 system.

no-sse2 Exclude SSE2 code pathes. Normally SSE2 extention is
detected at run-time, but the decision whether or not the
machine code will be executed is taken solely on CPU
capability vector. This means that if you happen to run OS
kernel which does not support SSE2 extension on Intel P4
processor, then your application might be exposed to
"illegal instruction" exception. There might be a way
to enable support in kernel, e.g. FreeBSD kernel can be
compiled with CPU_ENABLE_SSE, and there is a way to
disengage SSE2 code pathes upon application start-up,
but if you aim for wider "audience" running such kernel,
consider no-sse2. Both 386 and no-asm options above imply
no-sse2.
386 In 32-bit x86 builds, when generating assembly modules,
use the 80386 instruction set only (the default x86 code
is more efficient, but requires at least a 486). Note:
This doesn't affect code generated by compiler, you're
likely to complement configuration command line with
suitable compiler-specific option.

no-sse2 Exclude SSE2 code paths from 32-bit x86 assembly modules.
Normally SSE2 extension is detected at run-time, but the
decision whether or not the machine code will be executed
is taken solely on CPU capability vector. This means that
if you happen to run OS kernel which does not support SSE2
extension on Intel P4 processor, then your application
might be exposed to "illegal instruction" exception.
There might be a way to enable support in kernel, e.g.
FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and
there is a way to disengage SSE2 code paths upon application
start-up, but if you aim for wider "audience" running
such kernel, consider no-sse2. Both the 386 and
no-asm options imply no-sse2.

no-<cipher> Build without the specified cipher (bf, cast, des, dh, dsa,
hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
Expand All @@ -101,7 +103,12 @@
-Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will
be passed through to the compiler to allow you to
define preprocessor symbols, specify additional libraries,
library directories or other compiler options.
library directories or other compiler options. It might be
worth noting that some compilers generate code specifically
for processor the compiler currently executes on. This is
not necessarily what you might have in mind, since it might
be unsuitable for execution on other, typically older,
processor. Consult your compiler documentation.

-DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using
BSD. Useful if you are running ocf-linux or something
Expand Down Expand Up @@ -159,18 +166,18 @@
OpenSSL binary ("openssl"). The libraries will be built in the top-level
directory, and the binary will be in the "apps" directory.

If "make" fails, look at the output. There may be reasons for
the failure that aren't problems in OpenSSL itself (like missing
standard headers). If it is a problem with OpenSSL itself, please
report the problem to <openssl-bugs@openssl.org> (note that your
message will be recorded in the request tracker publicly readable
at https://www.openssl.org/community/index.html#bugs and will be
forwarded to a public mailing list). Include the output of "make
report" in your message. Please check out the request tracker. Maybe
the bug was already reported or has already been fixed.

[If you encounter assembler error messages, try the "no-asm"
configuration option as an immediate fix.]
If the build fails, look at the output. There may be reasons
for the failure that aren't problems in OpenSSL itself (like
missing standard headers). If you are having problems you can
get help by sending an email to the openssl-users email list (see
https://www.openssl.org/community/mailinglists.html for details). If
it is a bug with OpenSSL itself, please open an issue on GitHub, at
https://github.com/openssl/openssl/issues. Please review the existing
ones first; maybe the bug was already reported or has already been
fixed.

(If you encounter assembler error messages, try the "no-asm"
configuration option as an immediate fix.)

Compiling parts of OpenSSL with gcc and others with the system
compiler will result in unresolved symbols on some systems.
Expand Down
5 changes: 3 additions & 2 deletions deps/openssl/openssl/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
## Makefile for OpenSSL
##

VERSION=1.0.2j
VERSION=1.0.2k
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
Expand Down Expand Up @@ -203,7 +203,8 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \
$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \
$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \
$${APPS+APPS}

# LC_ALL=C ensures that error [and other] messages are delivered in
# same language for uniform treatment.
Expand Down
5 changes: 3 additions & 2 deletions deps/openssl/openssl/Makefile.bak
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
## Makefile for OpenSSL
##

VERSION=1.0.2j
VERSION=1.0.2k
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
Expand Down Expand Up @@ -203,7 +203,8 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \
$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \
$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \
$${APPS+APPS}

# LC_ALL=C ensures that error [and other] messages are delivered in
# same language for uniform treatment.
Expand Down
3 changes: 2 additions & 1 deletion deps/openssl/openssl/Makefile.org
Original file line number Diff line number Diff line change
Expand Up @@ -201,7 +201,8 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \
$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \
$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \
$${APPS+APPS}

# LC_ALL=C ensures that error [and other] messages are delivered in
# same language for uniform treatment.
Expand Down
8 changes: 7 additions & 1 deletion deps/openssl/openssl/NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,15 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017]

o Truncated packet could crash via OOB read (CVE-2017-3731)
o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
o Montgomery multiplication may produce incorrect results (CVE-2016-7055)

Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]

o Fix Use After Free for large message sizes (CVE-2016-6309)
o Missing CRL sanity check (CVE-2016-7052)

Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]

Expand Down
Loading

0 comments on commit c808447

Please sign in to comment.