Skip to content

Commit c8f5ab2

Browse files
hassaanpBethGriggs
authored andcommittedMar 24, 2020
deps: upgrade openssl sources to 1.1.1e
This updates all sources in deps/openssl/openssl by: $ cd deps/openssl/ $ rm -rf openssl $ tar zxf ~/tmp/openssl-1.1.1e.tar.gz $ mv openssl-1.1.1e openssl $ git add --all openssl $ git commit openssl PR-URL: #32328 Backport-PR-URL: #32443 Fixes: #32210 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
1 parent bf26c44 commit c8f5ab2

File tree

1,021 files changed

+207941
-3251
lines changed

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

1,021 files changed

+207941
-3251
lines changed
 

‎deps/openssl/openssl/CHANGES

+76-9
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,73 @@
77
https://github.com/openssl/openssl/commits/ and pick the appropriate
88
release branch.
99

10+
Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
11+
*) Properly detect EOF while reading in libssl. Previously if we hit an EOF
12+
while reading in libssl then we would report an error back to the
13+
application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
14+
an error to the stack (which means we instead return SSL_ERROR_SSL) and
15+
therefore give a hint as to what went wrong.
16+
[Matt Caswell]
17+
18+
*) Check that ed25519 and ed448 are allowed by the security level. Previously
19+
signature algorithms not using an MD were not being checked that they were
20+
allowed by the security level.
21+
[Kurt Roeckx]
22+
23+
*) Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
24+
was not quite right. The behaviour was not consistent between resumption
25+
and normal handshakes, and also not quite consistent with historical
26+
behaviour. The behaviour in various scenarios has been clarified and
27+
it has been updated to make it match historical behaviour as closely as
28+
possible.
29+
[Matt Caswell]
30+
31+
*) [VMS only] The header files that the VMS compilers include automatically,
32+
__DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that
33+
the C++ compiler doesn't understand. This is a shortcoming in the
34+
compiler, but can be worked around with __cplusplus guards.
35+
36+
C++ applications that use OpenSSL libraries must be compiled using the
37+
qualifier '/NAMES=(AS_IS,SHORTENED)' to be able to use all the OpenSSL
38+
functions. Otherwise, only functions with symbols of less than 31
39+
characters can be used, as the linker will not be able to successfully
40+
resolve symbols with longer names.
41+
[Richard Levitte]
42+
43+
*) Corrected the documentation of the return values from the EVP_DigestSign*
44+
set of functions. The documentation mentioned negative values for some
45+
errors, but this was never the case, so the mention of negative values
46+
was removed.
47+
48+
Code that followed the documentation and thereby check with something
49+
like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
50+
[Richard Levitte]
51+
52+
*) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
53+
used in exponentiation with 512-bit moduli. No EC algorithms are
54+
affected. Analysis suggests that attacks against 2-prime RSA1024,
55+
3-prime RSA1536, and DSA1024 as a result of this defect would be very
56+
difficult to perform and are not believed likely. Attacks against DH512
57+
are considered just feasible. However, for an attack the target would
58+
have to re-use the DH512 private key, which is not recommended anyway.
59+
Also applications directly using the low level API BN_mod_exp may be
60+
affected if they use BN_FLG_CONSTTIME.
61+
(CVE-2019-1551)
62+
[Andy Polyakov]
63+
64+
*) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
65+
The presence of this system service is determined at run-time.
66+
[Richard Levitte]
67+
68+
*) Added newline escaping functionality to a filename when using openssl dgst.
69+
This output format is to replicate the output format found in the '*sum'
70+
checksum programs. This aims to preserve backward compatibility.
71+
[Matt Eaton, Richard Levitte, and Paul Dale]
72+
73+
*) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
74+
the first value.
75+
[Jon Spillett]
76+
1077
Changes between 1.1.1c and 1.1.1d [10 Sep 2019]
1178

1279
*) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
@@ -633,9 +700,9 @@
633700
bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
634701
alerts across multiple records (some of which could be empty). In practice
635702
it make no sense to send an empty alert record, or to fragment one. TLSv1.3
636-
prohibts this altogether and other libraries (BoringSSL, NSS) do not
703+
prohibits this altogether and other libraries (BoringSSL, NSS) do not
637704
support this at all. Supporting it adds significant complexity to the
638-
record layer, and its removal is unlikely to cause inter-operability
705+
record layer, and its removal is unlikely to cause interoperability
639706
issues.
640707
[Matt Caswell]
641708

@@ -3652,7 +3719,7 @@
36523719
implementations).
36533720
[Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
36543721

3655-
*) Use type ossl_ssize_t instad of ssize_t which isn't available on
3722+
*) Use type ossl_ssize_t instead of ssize_t which isn't available on
36563723
all platforms. Move ssize_t definition from e_os.h to the public
36573724
header file e_os2.h as it now appears in public header file cms.h
36583725
[Steve Henson]
@@ -8373,7 +8440,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
83738440

83748441
*) New OCSP utility. Allows OCSP requests to be generated or
83758442
read. The request can be sent to a responder and the output
8376-
parsed, outputed or printed in text form. Not complete yet:
8443+
parsed, outputted or printed in text form. Not complete yet:
83778444
still needs to check the OCSP response validity.
83788445
[Steve Henson]
83798446

@@ -9368,7 +9435,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
93689435
[Andy Polyakov]
93699436

93709437
*) Modified SSL library such that the verify_callback that has been set
9371-
specificly for an SSL object with SSL_set_verify() is actually being
9438+
specifically for an SSL object with SSL_set_verify() is actually being
93729439
used. Before the change, a verify_callback set with this function was
93739440
ignored and the verify_callback() set in the SSL_CTX at the time of
93749441
the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
@@ -10485,10 +10552,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
1048510552
as other interfaces in OpenSSL, like the BIO interface.
1048610553
NCONF_dump_* dump the internal storage of the configuration file,
1048710554
which is useful for debugging. All other functions take the same
10488-
arguments as the old CONF_* functions wth the exception of the
10555+
arguments as the old CONF_* functions with the exception of the
1048910556
first that must be a `CONF *' instead of a `LHASH *'.
1049010557

10491-
To make it easer to use the new classes with the old CONF_* functions,
10558+
To make it easier to use the new classes with the old CONF_* functions,
1049210559
the function CONF_set_default_method is provided.
1049310560
[Richard Levitte]
1049410561

@@ -12331,7 +12398,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
1233112398
than the old method: it now uses a modified version of Ulf's parser to
1233212399
read the ANSI prototypes in all header files (thus the old K&R definitions
1233312400
aren't needed for error creation any more) and do a better job of
12334-
translating function codes into names. The old 'ASN1 error code imbedded
12401+
translating function codes into names. The old 'ASN1 error code embedded
1233512402
in a comment' is no longer necessary and it doesn't use .err files which
1233612403
have now been deleted. Also the error code call doesn't have to appear all
1233712404
on one line (which resulted in some large lines...).
@@ -12632,7 +12699,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
1263212699

1263312700
*) Add a useful kludge to allow package maintainers to specify compiler and
1263412701
other platforms details on the command line without having to patch the
12635-
Configure script everytime: One now can use ``perl Configure
12702+
Configure script every time: One now can use ``perl Configure
1263612703
<id>:<details>'', i.e. platform ids are allowed to have details appended
1263712704
to them (separated by colons). This is treated as there would be a static
1263812705
pre-configured entry in Configure's %table under key <id> with value

‎deps/openssl/openssl/CONTRIBUTING

+1-1
Original file line numberDiff line numberDiff line change
@@ -58,7 +58,7 @@ guidelines:
5858
consider adding a note in CHANGES. This could be a summarising
5959
description of the change, and could explain the grander details.
6060
Have a look through existing entries for inspiration.
61-
Please note that this is NOT simply a copy of git-log oneliners.
61+
Please note that this is NOT simply a copy of git-log one-liners.
6262
Also note that security fixes get an entry in CHANGES.
6363
This file helps users get more in depth information of what comes
6464
with a specific release without having to sift through the higher

0 commit comments

Comments
 (0)