From: Jung-uk Kim
Date: Tue, 21 Apr 2020 19:07:46 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r360173 - in vendor-crypto/openssl/dist: . apps crypto/aes crypto/asn1 crypto/bio crypto/ec crypto/evp crypto/rand crypto/x509 crypto/x509v3 doc/man1 doc/man3 include/openssl ssl

Author: jkim
Date: Tue Apr 21 19:07:46 2020
New Revision: 360173
URL: https://svnweb.freebsd.org/changeset/base/360173

Log:
  Import OpenSSL 1.1.1g.

Added: vendor-crypto/openssl/dist/doc/man3/X509_check_purpose.pod Modified: vendor-crypto/openssl/dist/CHANGES vendor-crypto/openssl/dist/FREEBSD-upgrade vendor-crypto/openssl/dist/INSTALL vendor-crypto/openssl/dist/NEWS vendor-crypto/openssl/dist/README vendor-crypto/openssl/dist/apps/build.info vendor-crypto/openssl/dist/apps/dhparam.c vendor-crypto/openssl/dist/apps/dsa.c vendor-crypto/openssl/dist/apps/dsaparam.c vendor-crypto/openssl/dist/apps/ec.c vendor-crypto/openssl/dist/apps/ecparam.c vendor-crypto/openssl/dist/apps/engine.c vendor-crypto/openssl/dist/apps/gendsa.c vendor-crypto/openssl/dist/apps/genrsa.c vendor-crypto/openssl/dist/apps/ocsp.c vendor-crypto/openssl/dist/apps/pkcs12.c vendor-crypto/openssl/dist/apps/rsa.c vendor-crypto/openssl/dist/apps/rsautl.c vendor-crypto/openssl/dist/apps/s_time.c vendor-crypto/openssl/dist/apps/srp.c vendor-crypto/openssl/dist/apps/ts.c vendor-crypto/openssl/dist/crypto/aes/aes_core.c vendor-crypto/openssl/dist/crypto/aes/aes_local.h vendor-crypto/openssl/dist/crypto/asn1/asn1_lib.c vendor-crypto/openssl/dist/crypto/bio/bss_acpt.c vendor-crypto/openssl/dist/crypto/ec/ec_asn1.c vendor-crypto/openssl/dist/crypto/ec/ec_lib.c vendor-crypto/openssl/dist/crypto/ec/ec_mult.c vendor-crypto/openssl/dist/crypto/ec/ecp_smpl.c vendor-crypto/openssl/dist/crypto/evp/e_aes.c vendor-crypto/openssl/dist/crypto/rand/build.info vendor-crypto/openssl/dist/crypto/rand/drbg_ctr.c vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c vendor-crypto/openssl/dist/crypto/x509v3/v3_purp.c vendor-crypto/openssl/dist/doc/man1/s_time.pod vendor-crypto/openssl/dist/doc/man3/EVP_aes.pod vendor-crypto/openssl/dist/doc/man3/RAND_set_rand_method.pod vendor-crypto/openssl/dist/include/openssl/opensslv.h vendor-crypto/openssl/dist/ssl/t1_lib.c Modified: vendor-crypto/openssl/dist/CHANGES ============================================================================== --- vendor-crypto/openssl/dist/CHANGES Tue Apr 21 17:51:54 2020 (r360172) +++ 
vendor-crypto/openssl/dist/CHANGES Tue Apr 21 19:07:46 2020 (r360173) @@ -7,6 +7,27 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1f and 1.1.1g [21 Apr 2020] + + *) Fixed segmentation fault in SSL_check_chain() + Server or client applications that call the SSL_check_chain() function + during or after a TLS 1.3 handshake may crash due to a NULL pointer + dereference as a result of incorrect handling of the + "signature_algorithms_cert" TLS extension. The crash occurs if an invalid + or unrecognised signature algorithm is received from the peer. This could + be exploited by a malicious peer in a Denial of Service attack. + (CVE-2020-1967) + [Benjamin Kaduk] + + *) Added AES consttime code for no-asm configurations + an optional constant time support for AES was added + when building openssl for no-asm. + Enable with: ./config no-asm -DOPENSSL_AES_CONST_TIME + Disable with: ./config no-asm -DOPENSSL_NO_AES_CONST_TIME + At this time this feature is by default disabled. + It will be enabled by default in 3.0. + [Bernd Edlinger] + Changes between 1.1.1e and 1.1.1f [31 Mar 2020] *) Revert the change of EOF detection while reading in libssl to avoid Modified: vendor-crypto/openssl/dist/FREEBSD-upgrade ============================================================================== --- vendor-crypto/openssl/dist/FREEBSD-upgrade Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/FREEBSD-upgrade Tue Apr 21 19:07:46 2020 (r360173) 
@@ -11,7 +11,7 @@ First, read http://wiki.freebsd.org/SubversionPrimer/V # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://repo.freebsd.org/base" -setenv OSSLVER 1.1.1e +setenv OSSLVER 1.1.1g ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` Modified: vendor-crypto/openssl/dist/INSTALL ============================================================================== --- vendor-crypto/openssl/dist/INSTALL Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/INSTALL Tue Apr 21 19:07:46 2020 (r360173) @@ -535,9 +535,9 @@ conjunction with the "-DPEDANTIC" option (or the --strict-warnings option). - no-ui - Don't build with the "UI" capability (i.e. the set of - features enabling text based prompts). + no-ui-console + Don't build with the "UI" console method (i.e. the "UI" + method that enables text based console prompts). enable-unit-test Enable additional unit test APIs. This should not typically Modified: vendor-crypto/openssl/dist/NEWS ============================================================================== --- vendor-crypto/openssl/dist/NEWS Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/NEWS Tue Apr 21 19:07:46 2020 (r360173) @@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020] + + o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967) + Major changes between OpenSSL 1.1.1e and OpenSSL 1.1.1f [31 Mar 2020] o Revert the unexpected EOF reporting via SSL_ERROR_SSL Modified: vendor-crypto/openssl/dist/README ============================================================================== --- vendor-crypto/openssl/dist/README Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/README Tue Apr 21 19:07:46 2020 (r360173) 
@@ -1,5 +1,5 @@ - OpenSSL 1.1.1f 31 Mar 2020 + OpenSSL 1.1.1g 21 Apr 2020 Copyright (c) 1998-2020 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: vendor-crypto/openssl/dist/apps/build.info ============================================================================== --- vendor-crypto/openssl/dist/apps/build.info Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/apps/build.info Tue Apr 21 19:07:46 2020 (r360173) @@ -1,16 +1,17 @@ {- our @apps_openssl_src = qw(openssl.c - asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c - dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c - genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c - pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c + asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c + enc.c errstr.c + genpkey.c nseq.c passwd.c pkcs7.c pkcs8.c + pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c - srp.c ts.c verify.c version.c x509.c rehash.c storeutl.c); + verify.c version.c x509.c rehash.c storeutl.c); our @apps_lib_src = ( qw(apps.c opt.c s_cb.c s_socket.c app_rand.c bf_prefix.c), split(/\s+/, $target{apps_aux_src}) ); our @apps_init_src = split(/\s+/, $target{apps_init_src}); "" -} + IF[{- !$disabled{apps} -}] LIBS_NO_INST=libapps.a SOURCE[libapps.a]={- join(" ", @apps_lib_src) -} 
@@ -21,11 +22,51 @@ IF[{- !$disabled{apps} -}] SOURCE[openssl]={- join(" ", @apps_openssl_src) -} INCLUDE[openssl]=.. ../include DEPEND[openssl]=libapps.a ../libssl - -IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}] - GENERATE[openssl.rc]=../util/mkrc.pl openssl - SOURCE[openssl]=openssl.rc -ENDIF + IF[{- !$disabled{'des'} -}] + SOURCE[openssl]=pkcs12.c + DEPEND[pkcs12.o]=progs.h + ENDIF + IF[{- !$disabled{'ec'} -}] + SOURCE[openssl]=ec.c ecparam.c + DEPEND[ec.o]=progs.h + DEPEND[ecparam.o]=progs.h + ENDIF + IF[{- !$disabled{'ocsp'} -}] + SOURCE[openssl]=ocsp.c + DEPEND[ocsp.o]=progs.h + ENDIF + IF[{- !$disabled{'srp'} -}] + SOURCE[openssl]=srp.c + DEPEND[srp.o]=progs.h + ENDIF + IF[{- !$disabled{'ts'} -}] + SOURCE[openssl]=ts.c + DEPEND[ts.o]=progs.h + ENDIF + IF[{- !$disabled{'dh'} -}] + SOURCE[openssl]=dhparam.c + DEPEND[dhparam.o]=progs.h + ENDIF + IF[{- !$disabled{'dsa'} -}] + SOURCE[openssl]=dsa.c dsaparam.c gendsa.c + DEPEND[dsa.o]=progs.h + DEPEND[dsaparam.o]=progs.h + DEPEND[gendsa.o]=progs.h + ENDIF + IF[{- !$disabled{'engine'} -}] + SOURCE[openssl]=engine.c + DEPEND[engine.o]=progs.h + ENDIF + IF[{- !$disabled{'rsa'} -}] + SOURCE[openssl]=rsa.c rsautl.c genrsa.c + DEPEND[rsa.o]=progs.h + DEPEND[rsautl.o]=progs.h + DEPEND[genrsa.o]=progs.h + ENDIF + IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-)/ -}] + GENERATE[openssl.rc]=../util/mkrc.pl openssl + SOURCE[openssl]=openssl.rc + ENDIF {- join("\n ", map { (my $x = $_) =~ s|\.c$|.o|; "DEPEND[$x]=progs.h" } @apps_openssl_src) -} Modified: vendor-crypto/openssl/dist/apps/dhparam.c ============================================================================== --- vendor-crypto/openssl/dist/apps/dhparam.c Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/apps/dhparam.c Tue Apr 21 19:07:46 2020 (r360173) 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,29 +8,25 @@ */ #include -#ifdef OPENSSL_NO_DH -NON_EMPTY_TRANSLATION_UNIT -#else +#include +#include +#include +#include +#include "apps.h" +#include "progs.h" +#include +#include +#include +#include +#include +#include -# include -# include -# include -# include -# include "apps.h" -# include "progs.h" -# include -# include -# include -# include -# include -# include +#ifndef OPENSSL_NO_DSA +# include +#endif -# ifndef OPENSSL_NO_DSA -# include -# endif +#define DEFBITS 2048 -# define DEFBITS 2048 - static int dh_cb(int p, int n, BN_GENCB *cb); typedef enum OPTION_choice { @@ -56,13 +52,13 @@ const OPTIONS dhparam_options[] = { {"C", OPT_C, '-', "Print C code"}, {"2", OPT_2, '-', "Generate parameters using 2 as the generator value"}, {"5", OPT_5, '-', "Generate parameters using 5 as the generator value"}, -# ifndef OPENSSL_NO_DSA +#ifndef OPENSSL_NO_DSA {"dsaparam", OPT_DSAPARAM, '-', "Read or generate DSA parameters, convert to DH"}, -# endif -# ifndef OPENSSL_NO_ENGINE +#endif +#ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, -# endif +#endif {NULL} }; @@ -146,13 +142,13 @@ int dhparam_main(int argc, char **argv) if (g && !num) num = DEFBITS; -# ifndef OPENSSL_NO_DSA +#ifndef OPENSSL_NO_DSA if (dsaparam && g) { BIO_printf(bio_err, "generator may not be chosen for DSA parameters\n"); goto end; } -# endif +#endif out = bio_open_default(outfile, 'w', outformat); if (out == NULL) @@ -173,7 +169,7 @@ int dhparam_main(int argc, char **argv) BN_GENCB_set(cb, dh_cb, bio_err); -# ifndef OPENSSL_NO_DSA +#ifndef OPENSSL_NO_DSA if (dsaparam) { DSA *dsa = DSA_new(); 
@@ -196,7 +192,7 @@ int dhparam_main(int argc, char **argv) goto end; } } else -# endif +#endif { dh = DH_new(); BIO_printf(bio_err, @@ -217,7 +213,7 @@ int dhparam_main(int argc, char **argv) if (in == NULL) goto end; -# ifndef OPENSSL_NO_DSA +#ifndef OPENSSL_NO_DSA if (dsaparam) { DSA *dsa; @@ -239,7 +235,7 @@ int dhparam_main(int argc, char **argv) goto end; } } else -# endif +#endif { if (informat == FORMAT_ASN1) { /* @@ -376,4 +372,3 @@ static int dh_cb(int p, int n, BN_GENCB *cb) (void)BIO_flush(BN_GENCB_get_arg(cb)); return 1; } -#endif Modified: vendor-crypto/openssl/dist/apps/dsa.c ============================================================================== --- vendor-crypto/openssl/dist/apps/dsa.c Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/apps/dsa.c Tue Apr 21 19:07:46 2020 (r360173) @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,24 +8,20 @@ */ #include -#ifdef OPENSSL_NO_DSA -NON_EMPTY_TRANSLATION_UNIT -#else +#include +#include +#include +#include +#include "apps.h" +#include "progs.h" +#include +#include +#include +#include +#include +#include +#include -# include -# include -# include -# include -# include "apps.h" -# include "progs.h" -# include -# include -# include -# include -# include -# include -# include - typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENGINE, 
@@ -49,14 +45,14 @@ const OPTIONS dsa_options[] = { {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, {"", OPT_CIPHER, '-', "Any supported cipher"}, -# ifndef OPENSSL_NO_RC4 +#ifndef OPENSSL_NO_RC4 {"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"}, {"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"}, {"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"}, -# endif -# ifndef OPENSSL_NO_ENGINE +#endif +#ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, -# endif +#endif {NULL} }; @@ -71,9 +67,9 @@ int dsa_main(int argc, char **argv) OPTION_CHOICE o; int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0; int i, modulus = 0, pubin = 0, pubout = 0, ret = 1; -# ifndef OPENSSL_NO_RC4 +#ifndef OPENSSL_NO_RC4 int pvk_encr = 2; -# endif +#endif int private = 0; prog = opt_init(argc, argv, dsa_options); @@ -214,7 +210,7 @@ int dsa_main(int argc, char **argv) i = PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout); } -# ifndef OPENSSL_NO_RSA +#ifndef OPENSSL_NO_RSA } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) { EVP_PKEY *pk; pk = EVP_PKEY_new(); @@ -229,13 +225,13 @@ int dsa_main(int argc, char **argv) goto end; } assert(private); -# ifdef OPENSSL_NO_RC4 +# ifdef OPENSSL_NO_RC4 BIO_printf(bio_err, "PVK format not supported\n"); EVP_PKEY_free(pk); goto end; -# else +# else i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout); -# endif +# endif } else if (pubin || pubout) { i = i2b_PublicKey_bio(out, pk); } else { @@ -243,7 +239,7 @@ int dsa_main(int argc, char **argv) i = i2b_PrivateKey_bio(out, pk); } EVP_PKEY_free(pk); -# endif +#endif } else { BIO_printf(bio_err, "bad output format specified for outfile\n"); goto end; 
@@ -262,4 +258,3 @@ int dsa_main(int argc, char **argv) OPENSSL_free(passout); return ret; } -#endif Modified: vendor-crypto/openssl/dist/apps/dsaparam.c ============================================================================== --- vendor-crypto/openssl/dist/apps/dsaparam.c Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/apps/dsaparam.c Tue Apr 21 19:07:46 2020 (r360173) @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,23 +8,19 @@ */ #include -#ifdef OPENSSL_NO_DSA -NON_EMPTY_TRANSLATION_UNIT -#else +#include +#include +#include +#include +#include "apps.h" +#include "progs.h" +#include +#include +#include +#include +#include +#include -# include -# include -# include -# include -# include "apps.h" -# include "progs.h" -# include -# include -# include -# include -# include -# include - static int dsa_cb(int p, int n, BN_GENCB *cb); typedef enum OPTION_choice { @@ -44,9 +40,9 @@ const OPTIONS dsaparam_options[] = { {"noout", OPT_NOOUT, '-', "No output"}, {"genkey", OPT_GENKEY, '-', "Generate a DSA key"}, OPT_R_OPTIONS, -# ifndef OPENSSL_NO_ENGINE +#ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"}, -# endif +#endif {NULL} }; @@ -255,4 +251,3 @@ static int dsa_cb(int p, int n, BN_GENCB *cb) (void)BIO_flush(BN_GENCB_get_arg(cb)); return 1; } -#endif Modified: vendor-crypto/openssl/dist/apps/ec.c ============================================================================== --- vendor-crypto/openssl/dist/apps/ec.c Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/apps/ec.c Tue Apr 21 19:07:46 2020 (r360173) 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,20 +8,16 @@ */ #include -#ifdef OPENSSL_NO_EC -NON_EMPTY_TRANSLATION_UNIT -#else +#include +#include +#include +#include "apps.h" +#include "progs.h" +#include +#include +#include +#include -# include -# include -# include -# include "apps.h" -# include "progs.h" -# include -# include -# include -# include - static OPT_PAIR conv_forms[] = { {"compressed", POINT_CONVERSION_COMPRESSED}, {"uncompressed", POINT_CONVERSION_UNCOMPRESSED}, @@ -62,9 +58,9 @@ const OPTIONS ec_options[] = { "Specifies the way the ec parameters are encoded"}, {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "}, {"", OPT_CIPHER, '-', "Any supported cipher"}, -# ifndef OPENSSL_NO_ENGINE +#ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif +#endif {NULL} }; @@ -280,4 +276,3 @@ int ec_main(int argc, char **argv) OPENSSL_free(passout); return ret; } -#endif Modified: vendor-crypto/openssl/dist/apps/ecparam.c ============================================================================== --- vendor-crypto/openssl/dist/apps/ecparam.c Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/apps/ecparam.c Tue Apr 21 19:07:46 2020 (r360173) @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use 
@@ -9,23 +9,19 @@ */ #include -#ifdef OPENSSL_NO_EC -NON_EMPTY_TRANSLATION_UNIT -#else +#include +#include +#include +#include +#include "apps.h" +#include "progs.h" +#include +#include +#include +#include +#include +#include -# include -# include -# include -# include -# include "apps.h" -# include "progs.h" -# include -# include -# include -# include -# include -# include - typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C, @@ -55,9 +51,9 @@ const OPTIONS ecparam_options[] = { "Specifies the way the ec parameters are encoded"}, {"genkey", OPT_GENKEY, '-', "Generate ec key"}, OPT_R_OPTIONS, -# ifndef OPENSSL_NO_ENGINE +#ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif +#endif {NULL} }; @@ -446,5 +442,3 @@ int ecparam_main(int argc, char **argv) BIO_free_all(out); return ret; } - -#endif Modified: vendor-crypto/openssl/dist/apps/engine.c ============================================================================== --- vendor-crypto/openssl/dist/apps/engine.c Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/apps/engine.c Tue Apr 21 19:07:46 2020 (r360173) @@ -1,5 +1,5 @@ /* - * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,20 +8,16 @@ */ #include -#ifdef OPENSSL_NO_ENGINE -NON_EMPTY_TRANSLATION_UNIT -#else +#include "apps.h" +#include "progs.h" +#include +#include +#include +#include +#include +#include +#include -# include "apps.h" -# include "progs.h" -# include -# include -# include -# include -# include -# include -# include - typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_C, OPT_T, OPT_TT, OPT_PRE, OPT_POST, 
@@ -486,4 +482,3 @@ int engine_main(int argc, char **argv) BIO_free_all(out); return ret; } -#endif Modified: vendor-crypto/openssl/dist/apps/gendsa.c ============================================================================== --- vendor-crypto/openssl/dist/apps/gendsa.c Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/apps/gendsa.c Tue Apr 21 19:07:46 2020 (r360173) @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,23 +8,19 @@ */ #include -#ifdef OPENSSL_NO_DSA -NON_EMPTY_TRANSLATION_UNIT -#else +#include +#include +#include +#include +#include "apps.h" +#include "progs.h" +#include +#include +#include +#include +#include +#include -# include -# include -# include -# include -# include "apps.h" -# include "progs.h" -# include -# include -# include -# include -# include -# include - typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_CIPHER, @@ -39,9 +35,9 @@ const OPTIONS gendsa_options[] = { {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, OPT_R_OPTIONS, {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"}, -# ifndef OPENSSL_NO_ENGINE +#ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif +#endif {NULL} }; @@ -143,4 +139,3 @@ int gendsa_main(int argc, char **argv) OPENSSL_free(passout); return ret; } -#endif Modified: vendor-crypto/openssl/dist/apps/genrsa.c ============================================================================== --- vendor-crypto/openssl/dist/apps/genrsa.c Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/apps/genrsa.c Tue Apr 21 19:07:46 2020 (r360173) 
@@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -8,28 +8,24 @@ */ #include -#ifdef OPENSSL_NO_RSA -NON_EMPTY_TRANSLATION_UNIT -#else +#include +#include +#include +#include +#include "apps.h" +#include "progs.h" +#include +#include +#include +#include +#include +#include +#include +#include -# include -# include -# include -# include -# include "apps.h" -# include "progs.h" -# include -# include -# include -# include -# include -# include -# include -# include +#define DEFBITS 2048 +#define DEFPRIMES 2 -# define DEFBITS 2048 -# define DEFPRIMES 2 - static int genrsa_cb(int p, int n, BN_GENCB *cb); typedef enum OPTION_choice { @@ -48,9 +44,9 @@ const OPTIONS genrsa_options[] = { OPT_R_OPTIONS, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"}, -# ifndef OPENSSL_NO_ENGINE +#ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -# endif +#endif {"primes", OPT_PRIMES, 'p', "Specify number of primes"}, {NULL} }; @@ -198,4 +194,3 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb) (void)BIO_flush(BN_GENCB_get_arg(cb)); return 1; } -#endif Modified: vendor-crypto/openssl/dist/apps/ocsp.c ============================================================================== --- vendor-crypto/openssl/dist/apps/ocsp.c Tue Apr 21 17:51:54 2020 (r360172) +++ vendor-crypto/openssl/dist/apps/ocsp.c Tue Apr 21 19:07:46 2020 (r360173) 
@@ -1,5 +1,5 @@ /* - * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -9,65 +9,62 @@ #include -#ifdef OPENSSL_NO_OCSP -NON_EMPTY_TRANSLATION_UNIT -#else -# ifdef OPENSSL_SYS_VMS -# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined +#ifdef OPENSSL_SYS_VMS +# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined * on OpenVMS */ -# endif +#endif -# include -# include -# include -# include -# include +#include +#include +#include +#include +#include /* Needs to be included before the openssl headers */ -# include "apps.h" -# include "progs.h" -# include "internal/sockets.h" -# include -# include -# include -# include -# include -# include -# include -# include +#include "apps.h" +#include "progs.h" +#include "internal/sockets.h" +#include +#include +#include +#include +#include +#include +#include +#include #ifndef HAVE_FORK -# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) -# define HAVE_FORK 0 -# else -# define HAVE_FORK 1 -# endif +#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) +# define HAVE_FORK 0 +#else +# define HAVE_FORK 1 #endif +#endif #if HAVE_FORK -# undef NO_FORK +#undef NO_FORK #else -# define NO_FORK +#define NO_FORK #endif -# if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \ +#if !defined(NO_FORK) && !defined(OPENSSL_NO_SOCK) \ && !defined(OPENSSL_NO_POSIX_IO) -# define OCSP_DAEMON -# include -# include -# include -# include -# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */ -# else -# undef LOG_INFO -# undef LOG_WARNING -# undef LOG_ERR -# define LOG_INFO 0 -# define LOG_WARNING 1 -# define LOG_ERR 2 -# endif +# define OCSP_DAEMON +# include +# include +# include +# include +# define MAXERRLEN 1000 /* limit error text sent to syslog to 1000 bytes */ +#else +# undef LOG_INFO +# undef LOG_WARNING +# undef LOG_ERR +# define LOG_INFO 0 +# define LOG_WARNING 1 +# define LOG_ERR 2 +#endif -# if defined(OPENSSL_SYS_VXWORKS) +#if defined(OPENSSL_SYS_VXWORKS) /* not supported */ int setpgid(pid_t pid, pid_t pgid) { 
@@ -80,9 +77,9 @@ pid_t fork(void) errno = ENOSYS; return (pid_t) -1; } -# endif +#endif /* Maximum leeway in validity period: default 5 minutes */ -# define MAX_VALIDITY_PERIOD (5 * 60) +#define MAX_VALIDITY_PERIOD (5 * 60) static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, const EVP_MD *cert_id_md, X509 *issuer, @@ -109,20 +106,20 @@ static void log_message(int level, const char *fmt, .. static char *prog; static int multi = 0; -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON static int acfd = (int) INVALID_SOCKET; static int index_changed(CA_DB *); static void spawn_loop(void); static int print_syslog(const char *str, size_t len, void *levPtr); static void socket_timeout(int signum); -# endif +#endif -# ifndef OPENSSL_NO_SOCK +#ifndef OPENSSL_NO_SOCK static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host, const char *path, const STACK_OF(CONF_VALUE) *headers, OCSP_REQUEST *req, int req_timeout); -# endif +#endif typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, @@ -160,9 +157,9 @@ const OPTIONS ocsp_options[] = { "Don't include any certificates in response"}, {"resp_key_id", OPT_RESP_KEY_ID, '-', "Identify response by signing certificate key ID"}, -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON {"multi", OPT_MULTI, 'p', "run multiple responder processes"}, -# endif +#endif {"no_certs", OPT_NO_CERTS, '-', "Don't include any certificates in signed request"}, {"no_signature_verify", OPT_NO_SIGNATURE_VERIFY, '-', @@ -511,9 +508,9 @@ int ocsp_main(int argc, char **argv) trailing_md = 1; break; case OPT_MULTI: -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON multi = atoi(opt_arg()); -# endif +#endif break; } } @@ -593,7 +590,7 @@ int ocsp_main(int argc, char **argv) } } -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON if (multi && acbio != NULL) spawn_loop(); if (acbio != NULL && req_timeout > 0) 
@@ -606,7 +603,7 @@ int ocsp_main(int argc, char **argv) redo_accept: if (acbio != NULL) { -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON if (index_changed(rdb)) { CA_DB *newrdb = load_index(ridx_filename, NULL); @@ -619,7 +616,7 @@ redo_accept: ridx_filename); } } -# endif +#endif req = NULL; if (!do_responder(&req, &cbio, acbio, req_timeout)) @@ -688,16 +685,16 @@ redo_accept: if (cbio != NULL) send_ocsp_response(cbio, resp); } else if (host != NULL) { -# ifndef OPENSSL_NO_SOCK +#ifndef OPENSSL_NO_SOCK resp = process_responder(req, host, path, port, use_ssl, headers, req_timeout); if (resp == NULL) goto end; -# else +#else BIO_printf(bio_err, "Error creating connect BIO - sockets not supported.\n"); goto end; -# endif +#endif } else if (respin != NULL) { derbio = bio_open_default(respin, 'r', FORMAT_ASN1); if (derbio == NULL) @@ -840,7 +837,7 @@ log_message(int level, const char *fmt, ...) va_list ap; va_start(ap, fmt); -# ifdef OCSP_DAEMON +#ifdef OCSP_DAEMON if (multi) { char buf[1024]; if (vsnprintf(buf, sizeof(buf), fmt, ap) > 0) { *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***