Compare commits
13 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
3800681201 | ||
|
|
730f199c9c | ||
|
|
c4ee1a6fca | ||
|
|
bd53433877 | ||
|
|
7442568456 | ||
|
|
ebeda8bad3 | ||
|
|
b67802c2db | ||
|
|
25d8a429c1 | ||
|
|
926aa53242 | ||
|
|
950dcb2d07 | ||
|
|
f6582d1d76 | ||
|
|
3a193a58d4 | ||
|
|
94532f9619 |
@@ -107,7 +107,7 @@ if(HAVE_STRNDUP)
|
||||
endif()
|
||||
|
||||
if(MSVC)
|
||||
set(HAVE_STRNLEN)
|
||||
set(HAVE_STRNLEN true)
|
||||
add_definitions(-DHAVE_STRNLEN)
|
||||
else()
|
||||
check_function_exists(strnlen HAVE_STRNLEN)
|
||||
|
||||
38
ChangeLog
38
ChangeLog
@@ -28,6 +28,44 @@ history is also available from Git.
|
||||
|
||||
LibreSSL Portable Release Notes:
|
||||
|
||||
2.3.10 - Security and compatibility fixes
|
||||
|
||||
* Avoid a side-channel cache-timing attack that can leak the ECDSA
|
||||
private keys when signing. This is due to BN_mod_inverse() being
|
||||
used without the constant time flag being set.
|
||||
|
||||
This issue was reported by Cesar Pereida Garcia and Billy Brumley
|
||||
(Tampere University of Technology). The fix was developed by Cesar
|
||||
Pereida Garcia.
|
||||
|
||||
* iOS and MacOS compatibility updates from Simone Basso and Jacob
|
||||
Berkman.
|
||||
|
||||
2.3.9 - Reliability improvements
|
||||
|
||||
* Avoid continual processing of an unlimited number of TLS records,
|
||||
which can cause a denial-of-service condition.
|
||||
|
||||
2.3.8 - Security and reliability fixes
|
||||
|
||||
* Avoid unbounded memory growth in libssl, which can be triggered by a
|
||||
TLS client repeatedly renegotiating and sending OCSP Status Request
|
||||
TLS extensions.
|
||||
|
||||
* Avoid falling back to a weak digest for (EC)DH when using SNI with
|
||||
libssl.
|
||||
|
||||
2.3.7 - OCSP fixes
|
||||
|
||||
* Fix several issues in the OCSP code that could result in the
|
||||
incorrect generation and parsing of OCSP requests. This remediates a
|
||||
lack of error checking on time parsing in these functions, and
|
||||
ensures that only GENERALIZEDTIME formats are accepted for OCSP, as
|
||||
per RFC 6960.
|
||||
|
||||
Issues reported, and fixes provided by Kazuki Yamaguchi <k@rhe.jp>
|
||||
and Kinichiro Inoguchi <kinichiro.inoguchi@gmail.com>
|
||||
|
||||
2.3.6 - Security fix
|
||||
|
||||
* Correct a problem that prevents the DSA signing algorithm from
|
||||
|
||||
@@ -641,6 +641,9 @@ if (BUILD_SHARED)
|
||||
add_library(crypto-objects OBJECT ${CRYPTO_SRC})
|
||||
add_library(crypto STATIC $<TARGET_OBJECTS:crypto-objects>)
|
||||
add_library(crypto-shared SHARED $<TARGET_OBJECTS:crypto-objects>)
|
||||
if (MSVC)
|
||||
target_link_libraries(crypto-shared crypto Ws2_32.lib)
|
||||
endif()
|
||||
set_target_properties(crypto-shared PROPERTIES OUTPUT_NAME crypto)
|
||||
set_target_properties(crypto-shared PROPERTIES VERSION
|
||||
${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION})
|
||||
|
||||
@@ -47,7 +47,52 @@ AM_CONDITIONAL([HAVE_B64_NTOP], [test "x$ac_cv_func_b64_ntop_arg" = xyes])
|
||||
AC_DEFUN([CHECK_CRYPTO_COMPAT], [
|
||||
# Check crypto-related libc functions and syscalls
|
||||
AC_CHECK_FUNCS([arc4random arc4random_buf arc4random_uniform])
|
||||
AC_CHECK_FUNCS([explicit_bzero getauxval getentropy])
|
||||
AC_CHECK_FUNCS([explicit_bzero getauxval])
|
||||
|
||||
AC_CACHE_CHECK([for getentropy], ac_cv_func_getentropy, [
|
||||
AC_LINK_IFELSE([AC_LANG_PROGRAM([[
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
|
||||
/*
|
||||
* Explanation:
|
||||
*
|
||||
* - iOS <= 10.1 fails because of missing sys/random.h
|
||||
*
|
||||
* - in macOS 10.12 getentropy is not tagged as introduced in
|
||||
* 10.12 so we cannot use it for target < 10.12
|
||||
*/
|
||||
#ifdef __APPLE__
|
||||
# include <AvailabilityMacros.h>
|
||||
# include <TargetConditionals.h>
|
||||
|
||||
# if (TARGET_OS_IPHONE || TARGET_OS_SIMULATOR)
|
||||
# include <sys/random.h> /* Not available as of iOS <= 10.1 */
|
||||
# else
|
||||
|
||||
# include <sys/random.h> /* Pre 10.12 systems should die here */
|
||||
|
||||
/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
|
||||
# ifndef MAC_OS_X_VERSION_10_12
|
||||
# define MAC_OS_X_VERSION_10_12 101200 /* Robustness */
|
||||
# endif
|
||||
# if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
|
||||
# if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
|
||||
# error "Targeting on Mac OSX 10.11 or earlier"
|
||||
# endif
|
||||
# endif
|
||||
|
||||
# endif
|
||||
#endif /* __APPLE__ */
|
||||
]], [[
|
||||
char buffer;
|
||||
(void)getentropy(&buffer, sizeof (buffer));
|
||||
]])],
|
||||
[ ac_cv_func_getentropy="yes" ],
|
||||
[ ac_cv_func_getentropy="no"
|
||||
])
|
||||
])
|
||||
|
||||
AC_CHECK_FUNCS([timingsafe_bcmp timingsafe_memcmp])
|
||||
AM_CONDITIONAL([HAVE_ARC4RANDOM], [test "x$ac_cv_func_arc4random" = xyes])
|
||||
AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF], [test "x$ac_cv_func_arc4random_buf" = xyes])
|
||||
@@ -59,7 +104,7 @@ AM_CONDITIONAL([HAVE_TIMINGSAFE_MEMCMP], [test "x$ac_cv_func_timingsafe_memcmp"
|
||||
|
||||
# Override arc4random_buf implementations with known issues
|
||||
AM_CONDITIONAL([HAVE_ARC4RANDOM_BUF],
|
||||
[test "x$USE_BUILTIN_ARC4RANDOM" != yes \
|
||||
[test "x$USE_BUILTIN_ARC4RANDOM" != xyes \
|
||||
-a "x$ac_cv_func_arc4random_buf" = xyes])
|
||||
|
||||
# Check for getentropy fallback dependencies
|
||||
|
||||
@@ -17,10 +17,45 @@ case $host_os in
|
||||
*darwin*)
|
||||
HOST_OS=darwin
|
||||
HOST_ABI=macosx
|
||||
#
|
||||
# Don't use arc4random on systems before 10.12 because of
|
||||
# weak seed on failure to open /dev/random, based on latest
|
||||
# public source:
|
||||
# http://www.opensource.apple.com/source/Libc/Libc-997.90.3/gen/FreeBSD/arc4random.c
|
||||
USE_BUILTIN_ARC4RANDOM=yes
|
||||
#
|
||||
# We use the presence of getentropy() to detect 10.12. The
|
||||
# following check take into account that:
|
||||
#
|
||||
# - iOS <= 10.1 fails because of missing getentropy and
|
||||
# hence they miss sys/random.h
|
||||
#
|
||||
# - in macOS 10.12 getentropy is not tagged as introduced in
|
||||
# 10.12 so we cannot use it for target < 10.12
|
||||
#
|
||||
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
|
||||
#include <AvailabilityMacros.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/random.h> /* Systems without getentropy() should die here */
|
||||
|
||||
/* Based on: https://gitweb.torproject.org/tor.git/commit/?id=16fcbd21 */
|
||||
#ifndef MAC_OS_X_VERSION_10_12
|
||||
# define MAC_OS_X_VERSION_10_12 101200
|
||||
#endif
|
||||
#if defined(MAC_OS_X_VERSION_MIN_REQUIRED)
|
||||
# if MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_12
|
||||
# error "Running on Mac OSX 10.11 or earlier"
|
||||
# endif
|
||||
#endif
|
||||
]], [[
|
||||
char buf[1]; getentropy(buf, 1);
|
||||
]])],
|
||||
[ USE_BUILTIN_ARC4RANDOM=no ],
|
||||
[ USE_BUILTIN_ARC4RANDOM=yes ]
|
||||
)
|
||||
AC_MSG_CHECKING([whether to use builtin arc4random])
|
||||
AC_MSG_RESULT([$USE_BUILTIN_ARC4RANDOM])
|
||||
# Not available on iOS
|
||||
AC_CHECK_HEADER([arpa/telnet.h], [], [BUILD_NC=no])
|
||||
;;
|
||||
*freebsd*)
|
||||
HOST_OS=freebsd
|
||||
|
||||
21
patches/modes_lcl.h
Normal file
21
patches/modes_lcl.h
Normal file
@@ -0,0 +1,21 @@
|
||||
--- openbsd/src/lib/libssl/src/crypto/modes/modes_lcl.h Sat Dec 6 17:15:50 2014
|
||||
+++ crypto/modes/modes_lcl.h Sun Jul 17 17:45:27 2016
|
||||
@@ -43,14 +43,16 @@
|
||||
asm ("bswapl %0" \
|
||||
: "+r"(ret)); ret; })
|
||||
# elif (defined(__arm__) || defined(__arm)) && !defined(__STRICT_ALIGNMENT)
|
||||
-# define BSWAP8(x) ({ u32 lo=(u64)(x)>>32,hi=(x); \
|
||||
+# if (__ARM_ARCH >= 6)
|
||||
+# define BSWAP8(x) ({ u32 lo=(u64)(x)>>32,hi=(x); \
|
||||
asm ("rev %0,%0; rev %1,%1" \
|
||||
: "+r"(hi),"+r"(lo)); \
|
||||
(u64)hi<<32|lo; })
|
||||
-# define BSWAP4(x) ({ u32 ret; \
|
||||
+# define BSWAP4(x) ({ u32 ret; \
|
||||
asm ("rev %0,%1" \
|
||||
: "=r"(ret) : "r"((u32)(x))); \
|
||||
ret; })
|
||||
+# endif
|
||||
# endif
|
||||
#endif
|
||||
#endif
|
||||
19
patches/ssl_txt.c.patch
Normal file
19
patches/ssl_txt.c.patch
Normal file
@@ -0,0 +1,19 @@
|
||||
--- ssl/ssl_txt.orig Sun Jul 17 17:26:59 2016
|
||||
+++ ssl/ssl_txt.c Sun Jul 17 17:35:44 2016
|
||||
@@ -82,6 +82,7 @@
|
||||
* OTHERWISE.
|
||||
*/
|
||||
|
||||
+#include <inttypes.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include <openssl/buffer.h>
|
||||
@@ -163,7 +164,7 @@
|
||||
}
|
||||
|
||||
if (x->time != 0) {
|
||||
- if (BIO_printf(bp, "\n Start Time: %lld", (long long)x->time) <= 0)
|
||||
+ if (BIO_printf(bp, "\n Start Time: %"PRId64, (int64_t)x->time) <= 0)
|
||||
goto err;
|
||||
}
|
||||
if (x->timeout != 0L) {
|
||||
@@ -52,6 +52,9 @@ if (BUILD_SHARED)
|
||||
add_library(ssl-objects OBJECT ${SSL_SRC})
|
||||
add_library(ssl STATIC $<TARGET_OBJECTS:ssl-objects>)
|
||||
add_library(ssl-shared SHARED $<TARGET_OBJECTS:ssl-objects>)
|
||||
if (MSVC)
|
||||
target_link_libraries(ssl-shared crypto-shared Ws2_32.lib)
|
||||
endif()
|
||||
set_target_properties(ssl-shared PROPERTIES OUTPUT_NAME ssl)
|
||||
set_target_properties(ssl-shared PROPERTIES VERSION ${SSL_VERSION}
|
||||
SOVERSION ${SSL_MAJOR_VERSION})
|
||||
|
||||
@@ -25,6 +25,9 @@ if (BUILD_SHARED)
|
||||
add_library(tls-objects OBJECT ${TLS_SRC})
|
||||
add_library(tls STATIC $<TARGET_OBJECTS:tls-objects>)
|
||||
add_library(tls-shared SHARED $<TARGET_OBJECTS:tls-objects>)
|
||||
if (MSVC)
|
||||
target_link_libraries(tls-shared ssl-shared crypto-shared Ws2_32.lib)
|
||||
endif()
|
||||
set_target_properties(tls-shared PROPERTIES OUTPUT_NAME tls)
|
||||
set_target_properties(tls-shared PROPERTIES VERSION ${TLS_VERSION}
|
||||
SOVERSION ${TLS_MAJOR_VERSION})
|
||||
|
||||
Reference in New Issue
Block a user