
deps: upgrade openssl sources to 1.0.2k

This replaces all sources in deps/openssl/openssl with the contents of
openssl-1.0.2k.tar.gz

PR-URL: #11021
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
1 parent 1a47e5f commit 3f2bef60b851ab8c703e3a87718b5ca8a241f8a4 Shigeki Ohtsu committed with MylesBorins Jan 26, 2017
Showing with 1,122 additions and 39,081 deletions.
  1. +61 −0 deps/openssl/openssl/CHANGES
  2. +17 −38 deps/openssl/openssl/CONTRIBUTING
  3. +27 −7 deps/openssl/openssl/Configure
  4. +38 −31 deps/openssl/openssl/INSTALL
  5. +3 −2 deps/openssl/openssl/Makefile
  6. +3 −2 deps/openssl/openssl/Makefile.bak
  7. +2 −1 deps/openssl/openssl/Makefile.org
  8. +7 −1 deps/openssl/openssl/NEWS
  9. +9 −27 deps/openssl/openssl/README
  10. +1 −10 deps/openssl/openssl/apps/app_rand.c
  11. +15 −4 deps/openssl/openssl/apps/apps.c
  12. +2 −2 deps/openssl/openssl/apps/apps.h
  13. +1 −5 deps/openssl/openssl/apps/ca.c
  14. +1 −4 deps/openssl/openssl/apps/cms.c
  15. +1 −0 deps/openssl/openssl/apps/dgst.c
  16. +0 −6 deps/openssl/openssl/apps/dh.c
  17. +3 −5 deps/openssl/openssl/apps/dhparam.c
  18. +1 −6 deps/openssl/openssl/apps/dsa.c
  19. +3 −5 deps/openssl/openssl/apps/dsaparam.c
  20. +3 −3 deps/openssl/openssl/apps/ec.c
  21. +5 −5 deps/openssl/openssl/apps/ecparam.c
  22. +3 −5 deps/openssl/openssl/apps/enc.c
  23. +0 −4 deps/openssl/openssl/apps/gendh.c
  24. +3 −5 deps/openssl/openssl/apps/gendsa.c
  25. +1 −1 deps/openssl/openssl/apps/genpkey.c
  26. +1 −6 deps/openssl/openssl/apps/genrsa.c
  27. +3 −4 deps/openssl/openssl/apps/pkcs12.c
  28. +3 −5 deps/openssl/openssl/apps/pkcs7.c
  29. +1 −4 deps/openssl/openssl/apps/pkcs8.c
  30. +1 −4 deps/openssl/openssl/apps/pkey.c
  31. +3 −5 deps/openssl/openssl/apps/pkeyparam.c
  32. +1 −0 deps/openssl/openssl/apps/pkeyutl.c
  33. +10 −2 deps/openssl/openssl/apps/prime.c
  34. +3 −5 deps/openssl/openssl/apps/rand.c
  35. +1 −4 deps/openssl/openssl/apps/req.c
  36. +1 −4 deps/openssl/openssl/apps/rsa.c
  37. +1 −4 deps/openssl/openssl/apps/rsautl.c
  38. +2 −2 deps/openssl/openssl/apps/s_cb.c
  39. +12 −26 deps/openssl/openssl/apps/s_client.c
  40. +1 −6 deps/openssl/openssl/apps/s_server.c
  41. +1 −4 deps/openssl/openssl/apps/smime.c
  42. +7 −7 deps/openssl/openssl/apps/speed.c
  43. +1 −4 deps/openssl/openssl/apps/spkac.c
  44. +3 −5 deps/openssl/openssl/apps/srp.c
  45. +1 −4 deps/openssl/openssl/apps/verify.c
  46. +1 −4 deps/openssl/openssl/apps/x509.c
  47. +4 −4 deps/openssl/openssl/crypto/aes/asm/aes-s390x.pl
  48. +2 −6 deps/openssl/openssl/crypto/asn1/p5_pbev2.c
  49. +2 −1 deps/openssl/openssl/crypto/asn1/x_crl.c
  50. +2 −3 deps/openssl/openssl/crypto/bn/asm/x86_64-mont.pl
  51. +7 −9 deps/openssl/openssl/crypto/bn/asm/x86_64-mont5.pl
  52. +3 −2 deps/openssl/openssl/crypto/bn/bn_exp.c
  53. +3 −2 deps/openssl/openssl/crypto/bn/bn_mul.c
  54. +2 −1 deps/openssl/openssl/crypto/bn/bn_prime.c
  55. +3 −2 deps/openssl/openssl/crypto/bn/bn_sqr.c
  56. +4 −1 deps/openssl/openssl/crypto/cms/cms_kari.c
  57. +2 −0 deps/openssl/openssl/crypto/dh/dh_key.c
  58. +1 −1 deps/openssl/openssl/crypto/dsa/dsa_pmeth.c
  59. +11 −9 deps/openssl/openssl/crypto/ec/ec2_mult.c
  60. +3 −1 deps/openssl/openssl/crypto/ecdh/ech_ossl.c
  61. +3 −0 deps/openssl/openssl/crypto/err/err.c
  62. +2 −2 deps/openssl/openssl/crypto/evp/e_aes.c
  63. +2 −0 deps/openssl/openssl/crypto/evp/e_rc4_hmac_md5.c
  64. +4 −2 deps/openssl/openssl/crypto/evp/evp.h
  65. +2 −1 deps/openssl/openssl/crypto/evp/evp_err.c
  66. +16 −14 deps/openssl/openssl/crypto/evp/pmeth_fn.c
  67. +1 −27 deps/openssl/openssl/crypto/evp/pmeth_lib.c
  68. +1 −1 deps/openssl/openssl/crypto/modes/ctr128.c
  69. +265 −1 deps/openssl/openssl/crypto/opensslconf.h
  70. +3 −3 deps/openssl/openssl/crypto/opensslv.h
  71. +9 −2 deps/openssl/openssl/crypto/perlasm/x86_64-xlate.pl
  72. +7 −7 deps/openssl/openssl/crypto/perlasm/x86masm.pl
  73. +2 −1 deps/openssl/openssl/crypto/rsa/rsa_gen.c
  74. +6 −2 deps/openssl/openssl/crypto/rsa/rsa_oaep.c
  75. +4 −0 deps/openssl/openssl/crypto/rsa/rsa_pmeth.c
  76. +1 −0 deps/openssl/openssl/crypto/s390xcap.c
  77. +72 −66 deps/openssl/openssl/crypto/ui/ui_lib.c
  78. +38 −21 deps/openssl/openssl/crypto/ui/ui_openssl.c
  79. +1 −0 deps/openssl/openssl/demos/easy_tls/easy-tls.c
  80. +9 −0 deps/openssl/openssl/doc/apps/ocsp.pod
  81. +1 −1 deps/openssl/openssl/doc/crypto/EVP_DigestSignInit.pod
  82. +1 −1 deps/openssl/openssl/doc/crypto/EVP_DigestVerifyInit.pod
  83. +1 −1 deps/openssl/openssl/doc/crypto/RSA_generate_key.pod
  84. +1 −2 deps/openssl/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
  85. +5 −3 deps/openssl/openssl/doc/crypto/X509_NAME_print_ex.pod
  86. +1 −1 deps/openssl/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod
  87. +10 −12 deps/openssl/openssl/doc/ssl/SSL_get_error.pod
  88. +14 −18 deps/openssl/openssl/doc/ssl/SSL_read.pod
  89. +8 −11 deps/openssl/openssl/doc/ssl/SSL_write.pod
  90. +1 −1 deps/openssl/openssl/engines/ccgost/Makefile
  91. +0 −149 deps/openssl/openssl/include/openssl/aes.h
  92. +0 −1,419 deps/openssl/openssl/include/openssl/asn1.h
  93. +0 −579 deps/openssl/openssl/include/openssl/asn1_mac.h
  94. +0 −973 deps/openssl/openssl/include/openssl/asn1t.h
  95. +0 −883 deps/openssl/openssl/include/openssl/bio.h
  96. +0 −130 deps/openssl/openssl/include/openssl/blowfish.h
  97. +0 −951 deps/openssl/openssl/include/openssl/bn.h
  98. +0 −125 deps/openssl/openssl/include/openssl/buffer.h
  99. +0 −132 deps/openssl/openssl/include/openssl/camellia.h
  100. +0 −107 deps/openssl/openssl/include/openssl/cast.h
  101. +0 −82 deps/openssl/openssl/include/openssl/cmac.h
  102. +0 −555 deps/openssl/openssl/include/openssl/cms.h
  103. +0 −83 deps/openssl/openssl/include/openssl/comp.h
  104. +0 −267 deps/openssl/openssl/include/openssl/conf.h
  105. +0 −89 deps/openssl/openssl/include/openssl/conf_api.h
  106. +0 −661 deps/openssl/openssl/include/openssl/crypto.h
  107. +0 −257 deps/openssl/openssl/include/openssl/des.h
  108. +0 −497 deps/openssl/openssl/include/openssl/des_old.h
  109. +0 −393 deps/openssl/openssl/include/openssl/dh.h
  110. +0 −332 deps/openssl/openssl/include/openssl/dsa.h
  111. +0 −451 deps/openssl/openssl/include/openssl/dso.h
  112. +0 −272 deps/openssl/openssl/include/openssl/dtls1.h
  113. +0 −328 deps/openssl/openssl/include/openssl/e_os2.h
  114. +0 −26 deps/openssl/openssl/include/openssl/ebcdic.h
  115. +0 −1,282 deps/openssl/openssl/include/openssl/ec.h
  116. +0 −134 deps/openssl/openssl/include/openssl/ecdh.h
  117. +0 −335 deps/openssl/openssl/include/openssl/ecdsa.h
  118. +0 −960 deps/openssl/openssl/include/openssl/engine.h
  119. +0 −389 deps/openssl/openssl/include/openssl/err.h
  120. +0 −1,534 deps/openssl/openssl/include/openssl/evp.h
  121. +0 −109 deps/openssl/openssl/include/openssl/hmac.h
  122. +0 −105 deps/openssl/openssl/include/openssl/idea.h
  123. +0 −240 deps/openssl/openssl/include/openssl/krb5_asn.h
  124. +0 −197 deps/openssl/openssl/include/openssl/kssl.h
  125. +0 −240 deps/openssl/openssl/include/openssl/lhash.h
  126. +0 −119 deps/openssl/openssl/include/openssl/md4.h
  127. +0 −119 deps/openssl/openssl/include/openssl/md5.h
  128. +0 −94 deps/openssl/openssl/include/openssl/mdc2.h
  129. +0 −163 deps/openssl/openssl/include/openssl/modes.h
  130. +0 −4,194 deps/openssl/openssl/include/openssl/obj_mac.h
  131. +0 −1,143 deps/openssl/openssl/include/openssl/objects.h
  132. +0 −637 deps/openssl/openssl/include/openssl/ocsp.h
  133. +0 −1 deps/openssl/openssl/include/openssl/opensslconf.h
  134. +0 −97 deps/openssl/openssl/include/openssl/opensslv.h
  135. +0 −213 deps/openssl/openssl/include/openssl/ossl_typ.h
  136. +0 −617 deps/openssl/openssl/include/openssl/pem.h
  137. +0 −70 deps/openssl/openssl/include/openssl/pem2.h
  138. +0 −342 deps/openssl/openssl/include/openssl/pkcs12.h
  139. +0 −481 deps/openssl/openssl/include/openssl/pkcs7.h
  140. +0 −99 deps/openssl/openssl/include/openssl/pqueue.h
  141. +0 −150 deps/openssl/openssl/include/openssl/rand.h
  142. +0 −103 deps/openssl/openssl/include/openssl/rc2.h
  143. +0 −88 deps/openssl/openssl/include/openssl/rc4.h
  144. +0 −105 deps/openssl/openssl/include/openssl/ripemd.h
  145. +0 −664 deps/openssl/openssl/include/openssl/rsa.h
  146. +0 −2,672 deps/openssl/openssl/include/openssl/safestack.h
  147. +0 −149 deps/openssl/openssl/include/openssl/seed.h
  148. +0 −214 deps/openssl/openssl/include/openssl/sha.h
  149. +0 −179 deps/openssl/openssl/include/openssl/srp.h
  150. +0 −147 deps/openssl/openssl/include/openssl/srtp.h
  151. +0 −3,163 deps/openssl/openssl/include/openssl/ssl.h
  152. +0 −265 deps/openssl/openssl/include/openssl/ssl2.h
  153. +0 −84 deps/openssl/openssl/include/openssl/ssl23.h
  154. +0 −774 deps/openssl/openssl/include/openssl/ssl3.h
  155. +0 −107 deps/openssl/openssl/include/openssl/stack.h
  156. +0 −516 deps/openssl/openssl/include/openssl/symhacks.h
  157. +0 −810 deps/openssl/openssl/include/openssl/tls1.h
  158. +0 −865 deps/openssl/openssl/include/openssl/ts.h
  159. +0 −112 deps/openssl/openssl/include/openssl/txt_db.h
  160. +0 −415 deps/openssl/openssl/include/openssl/ui.h
  161. +0 −88 deps/openssl/openssl/include/openssl/ui_compat.h
  162. +0 −41 deps/openssl/openssl/include/openssl/whrlpool.h
  163. +0 −1,330 deps/openssl/openssl/include/openssl/x509.h
  164. +0 −652 deps/openssl/openssl/include/openssl/x509_vfy.h
  165. +0 −1,055 deps/openssl/openssl/include/openssl/x509v3.h
  166. +1 −1 deps/openssl/openssl/openssl.spec
  167. +4 −1 deps/openssl/openssl/ssl/bad_dtls_test.c
  168. +9 −3 deps/openssl/openssl/ssl/s23_pkt.c
  169. +1 −1 deps/openssl/openssl/ssl/s2_lib.c
  170. +8 −2 deps/openssl/openssl/ssl/s2_pkt.c
  171. +33 −11 deps/openssl/openssl/ssl/s3_clnt.c
  172. +13 −10 deps/openssl/openssl/ssl/s3_pkt.c
  173. +30 −3 deps/openssl/openssl/ssl/s3_srvr.c
  174. +1 −3 deps/openssl/openssl/ssl/ssl_cert.c
  175. +1 −0 deps/openssl/openssl/ssl/ssl_err.c
  176. +1 −3 deps/openssl/openssl/ssl/ssl_lib.c
  177. +1 −1 deps/openssl/openssl/ssl/ssl_locl.h
  178. +9 −0 deps/openssl/openssl/ssl/ssl_sess.c
  179. +188 −103 deps/openssl/openssl/ssl/t1_lib.c
  180. +9 −2 deps/openssl/openssl/util/domd
  181. +5 −3 deps/openssl/openssl/util/mklink.pl
@@ -2,6 +2,67 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
+
+ *) Truncated packet could crash via OOB read
+
+ If one side of an SSL/TLS path is running on a 32-bit host and a specific
+ cipher is being used, then a truncated packet can cause that host to
+ perform an out-of-bounds read, usually resulting in a crash.
+
+ This issue was reported to OpenSSL by Robert Święcki of Google.
+ (CVE-2017-3731)
+ [Andy Polyakov]
+
+ *) BN_mod_exp may produce incorrect results on x86_64
+
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered just
+ feasible (although very difficult) because most of the work necessary to
+ deduce information about a private key may be performed offline. The amount
+ of resources required for such an attack would be very significant and
+ likely only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients. For example this can occur by
+ default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
+ similar to CVE-2015-3193 but must be treated as a separate problem.
+
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ (CVE-2017-3732)
+ [Andy Polyakov]
+
+ *) Montgomery multiplication may produce incorrect results
+
+ There is a carry propagating bug in the Broadwell-specific Montgomery
+ multiplication procedure that handles input lengths divisible by, but
+ longer than 256 bits. Analysis suggests that attacks against RSA, DSA
+ and DH private keys are impossible. This is because the subroutine in
+ question is not used in operations with the private key itself and an input
+ of the attacker's direct choice. Otherwise the bug can manifest itself as
+ transient authentication and key negotiation failures or reproducible
+ erroneous outcome of public-key operations with specially crafted input.
+ Among EC algorithms only Brainpool P-512 curves are affected and one
+ presumably can attack ECDH key negotiation. Impact was not analyzed in
+ detail, because pre-requisites for attack are considered unlikely. Namely
+ multiple clients have to choose the curve in question and the server has to
+ share the private key among them, neither of which is default behaviour.
+ Even then only clients that chose the curve will be affected.
+
+ This issue was publicly reported as transient failures and was not
+ initially recognized as a security issue. Thanks to Richard Morgan for
+ providing reproducible case.
+ (CVE-2016-7055)
+ [Andy Polyakov]
+
+ *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
+ or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
+ prevent issues where no progress is being made and the peer continually
+ sends unrecognised record types, using up resources processing them.
+ [Matt Caswell]
+
Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
*) Missing CRL sanity check
@@ -1,4 +1,4 @@
-HOW TO CONTRIBUTE TO PATCHES OpenSSL
+HOW TO CONTRIBUTE PATCHES TO OpenSSL
------------------------------------
(Please visit https://www.openssl.org/community/getting-started.html for
@@ -11,34 +11,12 @@ OpenSSL community you might want to discuss it on the openssl-dev mailing
list first. Someone may be already working on the same thing or there
may be a good reason as to why that feature isn't implemented.
-The best way to submit a patch is to make a pull request on GitHub.
-(It is not necessary to send mail to rt@openssl.org to open a ticket!)
-If you think the patch could use feedback from the community, please
-start a thread on openssl-dev.
+To submit a patch, make a pull request on GitHub. If you think the patch
+could use feedback from the community, please start a thread on openssl-dev
+to discuss it.
-You can also submit patches by sending it as mail to rt@openssl.org.
-Please include the word "PATCH" and an explanation of what the patch
-does in the subject line. If you do this, our preferred format is "git
-format-patch" output. For example to provide a patch file containing the
-last commit in your local git repository use the following command:
-
- % git format-patch --stdout HEAD^ >mydiffs.patch
-
-Another method of creating an acceptable patch file without using git is as
-follows:
-
- % cd openssl-work
- ...make your changes...
- % ./Configure dist; make clean
- % cd ..
- % diff -ur openssl-orig openssl-work >mydiffs.patch
-
-Note that pull requests are generally easier for the team, and community, to
-work with. Pull requests benefit from all of the standard GitHub features,
-including code review tools, simpler integration, and CI build support.
-
-No matter how a patch is submitted, the following items will help make
-the acceptance and review process faster:
+Having addressed the following items before the PR will help make the
+acceptance and review process faster:
1. Anything other than trivial contributions will require a contributor
licensing agreement, giving us permission to use your code. See
@@ -55,21 +33,22 @@ the acceptance and review process faster:
in the file LICENSE in the source distribution or at
https://www.openssl.org/source/license.html
- 3. Patches should be as current as possible. When using GitHub, please
- expect to have to rebase and update often. Note that we do not accept merge
- commits. You will be asked to remove them before a patch is considered
- acceptable.
+ 3. Patches should be as current as possible; expect to have to rebase
+ often. We do not accept merge commits; You will be asked to remove
+ them before a patch is considered acceptable.
4. Patches should follow our coding style (see
https://www.openssl.org/policies/codingstyle.html) and compile without
warnings. Where gcc or clang is availble you should use the
--strict-warnings Configure option. OpenSSL compiles on many varied
platforms: try to ensure you only use portable features.
+ Clean builds via Travis and AppVeyor are expected, and done whenever
+ a PR is created or updated.
- 5. When at all possible, patches should include tests. These can either be
- added to an existing test, or completely new. Please see test/README
- for information on the test framework.
+ 5. When at all possible, patches should include tests. These can
+ either be added to an existing test, or completely new. Please see
+ test/README for information on the test framework.
- 6. New features or changed functionality must include documentation. Please
- look at the "pod" files in doc/apps, doc/crypto and doc/ssl for examples of
- our style.
+ 6. New features or changed functionality must include
+ documentation. Please look at the "pod" files in doc/apps, doc/crypto
+ and doc/ssl for examples of our style.
@@ -7,6 +7,7 @@ eval 'exec perl -S $0 ${1+"$@"}'
require 5.000;
use strict;
+use File::Compare;
# see INSTALL for instructions.
@@ -57,12 +58,13 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
# zlib-dynamic Like "zlib", but the zlib library is expected to be a shared
# library and will be loaded in run-time by the OpenSSL library.
# sctp include SCTP support
-# 386 generate 80386 code
# enable-weak-ssl-ciphers
# Enable EXPORT and LOW SSLv3 ciphers that are disabled by
# default. Note, weak SSLv2 ciphers are unconditionally
# disabled.
-# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
+# 386 generate 80386 code in assembly modules
+# no-sse2 disables IA-32 SSE2 code in assembly modules, the above
+# mentioned '386' option implies this one
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> compiler options are passed through
#
@@ -1792,8 +1794,16 @@ while (<IN>)
}
close(IN);
close(OUT);
-rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile;
-rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";
+if ((compare($Makefile, "$Makefile.new"))
+ or file_newer('Configure', $Makefile)
+ or file_newer('config', $Makefile)
+ or file_newer('Makefile.org', $Makefile))
+ {
+ rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile;
+ rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";
+ }
+else
+ { unlink("$Makefile.new"); }
print "CC =$cc\n";
print "CFLAG =$cflags\n";
@@ -1985,9 +1995,13 @@ print OUT "#ifdef __cplusplus\n";
print OUT "}\n";
print OUT "#endif\n";
close(OUT);
-rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
-rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
-
+if (compare("crypto/opensslconf.h.new","crypto/opensslconf.h"))
+ {
+ rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
+ rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
+ }
+else
+ { unlink("crypto/opensslconf.h.new"); }
# Fix the date
@@ -2289,3 +2303,9 @@ sub test_sanity
print STDERR "No sanity errors detected!\n" if $errorcnt == 0;
return $errorcnt;
}
+
+sub file_newer
+ {
+ my ($file1, $file2) = @_;
+ return (stat($file1))[9] > (stat($file2))[9]
+ }
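Review bot: `file_newer` at the end of this section compares `(stat($file1))[9] > (stat($file2))[9]` without checking that either `stat` succeeded, so a path that cannot be stat'ed yields an undefined mtime that Perl compares as 0. In the Makefile hunk the call is only reached after `compare($Makefile, "$Makefile.new")` returned 0, so `$Makefile` exists at that point, but `'Configure'`, `'config'` and `'Makefile.org'` are relative paths assumed to be present in the current directory; if one is not, the function reports "not newer" and the existing Makefile is silently kept. A defensive form would be `my ($m1, $m2) = ((stat($file1))[9], (stat($file2))[9]);` followed by `return 1 unless defined $m1 && defined $m2;`, so an unreadable input forces regeneration instead of skipping it. The two `else` branches (`unlink("$Makefile.new")` and `unlink("crypto/opensslconf.h.new")`) also ignore the result of `unlink`, unlike the `rename` calls beside them, which `die` on failure. Since the file list places this under deps/openssl/openssl, any such change would presumably have to be raised upstream or carried as a local patch.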
@@ -74,24 +74,26 @@
no-asm Do not use assembler code.
- 386 Use the 80386 instruction set only (the default x86 code is
- more efficient, but requires at least a 486). Note: Use
- compiler flags for any other CPU specific configuration,
- e.g. "-m32" to build x86 code on an x64 system.
-
- no-sse2 Exclude SSE2 code pathes. Normally SSE2 extention is
- detected at run-time, but the decision whether or not the
- machine code will be executed is taken solely on CPU
- capability vector. This means that if you happen to run OS
- kernel which does not support SSE2 extension on Intel P4
- processor, then your application might be exposed to
- "illegal instruction" exception. There might be a way
- to enable support in kernel, e.g. FreeBSD kernel can be
- compiled with CPU_ENABLE_SSE, and there is a way to
- disengage SSE2 code pathes upon application start-up,
- but if you aim for wider "audience" running such kernel,
- consider no-sse2. Both 386 and no-asm options above imply
- no-sse2.
+ 386 In 32-bit x86 builds, when generating assembly modules,
+ use the 80386 instruction set only (the default x86 code
+ is more efficient, but requires at least a 486). Note:
+ This doesn't affect code generated by compiler, you're
+ likely to complement configuration command line with
+ suitable compiler-specific option.
+
+ no-sse2 Exclude SSE2 code paths from 32-bit x86 assembly modules.
+ Normally SSE2 extension is detected at run-time, but the
+ decision whether or not the machine code will be executed
+ is taken solely on CPU capability vector. This means that
+ if you happen to run OS kernel which does not support SSE2
+ extension on Intel P4 processor, then your application
+ might be exposed to "illegal instruction" exception.
+ There might be a way to enable support in kernel, e.g.
+ FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and
+ there is a way to disengage SSE2 code paths upon application
+ start-up, but if you aim for wider "audience" running
+ such kernel, consider no-sse2. Both the 386 and
+ no-asm options imply no-sse2.
no-<cipher> Build without the specified cipher (bf, cast, des, dh, dsa,
hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
@@ -101,7 +103,12 @@
-Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will
be passed through to the compiler to allow you to
define preprocessor symbols, specify additional libraries,
- library directories or other compiler options.
+ library directories or other compiler options. It might be
+ worth noting that some compilers generate code specifically
+ for processor the compiler currently executes on. This is
+ not necessarily what you might have in mind, since it might
+ be unsuitable for execution on other, typically older,
+ processor. Consult your compiler documentation.
-DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using
BSD. Useful if you are running ocf-linux or something
@@ -159,18 +166,18 @@
OpenSSL binary ("openssl"). The libraries will be built in the top-level
directory, and the binary will be in the "apps" directory.
- If "make" fails, look at the output. There may be reasons for
- the failure that aren't problems in OpenSSL itself (like missing
- standard headers). If it is a problem with OpenSSL itself, please
- report the problem to <openssl-bugs@openssl.org> (note that your
- message will be recorded in the request tracker publicly readable
- at https://www.openssl.org/community/index.html#bugs and will be
- forwarded to a public mailing list). Include the output of "make
- report" in your message. Please check out the request tracker. Maybe
- the bug was already reported or has already been fixed.
-
- [If you encounter assembler error messages, try the "no-asm"
- configuration option as an immediate fix.]
+ If the build fails, look at the output. There may be reasons
+ for the failure that aren't problems in OpenSSL itself (like
+ missing standard headers). If you are having problems you can
+ get help by sending an email to the openssl-users email list (see
+ https://www.openssl.org/community/mailinglists.html for details). If
+ it is a bug with OpenSSL itself, please open an issue on GitHub, at
+ https://github.com/openssl/openssl/issues. Please review the existing
+ ones first; maybe the bug was already reported or has already been
+ fixed.
+
+ (If you encounter assembler error messages, try the "no-asm"
+ configuration option as an immediate fix.)
Compiling parts of OpenSSL with gcc and others with the system
compiler will result in unresolved symbols on some systems.
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.2j
+VERSION=1.0.2k
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
@@ -203,7 +203,8 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \
$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \
$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
- $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
+ $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \
+ $${APPS+APPS}
# LC_ALL=C ensures that error [and other] messages are delivered in
# same language for uniform treatment.
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.2j
+VERSION=1.0.2k
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
@@ -203,7 +203,8 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \
$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \
$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
- $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
+ $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \
+ $${APPS+APPS}
# LC_ALL=C ensures that error [and other] messages are delivered in
# same language for uniform treatment.
@@ -201,7 +201,8 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \
$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \
$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
- $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
+ $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \
+ $${APPS+APPS}
# LC_ALL=C ensures that error [and other] messages are delivered in
# same language for uniform treatment.
@@ -5,9 +5,15 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017]
+
+ o Truncated packet could crash via OOB read (CVE-2017-3731)
+ o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
+ o Montgomery multiplication may produce incorrect results (CVE-2016-7055)
+
Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]
- o Fix Use After Free for large message sizes (CVE-2016-6309)
+ o Missing CRL sanity check (CVE-2016-7052)
Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]