Upgrade to OpenSSL-1.0.2o

deps/openssl/openssl/CHANGES

@@ -7,6 +7,21 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
+
+ *) Constructed ASN.1 types with a recursive definition could exceed the stack
+
+ Constructed ASN.1 types with a recursive definition (such as can be found
+ in PKCS7) could eventually exceed the stack given malicious input with
+ excessive recursion. This could result in a Denial Of Service attack. There
+ are no such structures used within SSL/TLS that come from untrusted sources
+ so this is considered safe.
+
+ This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
+ project.
+ (CVE-2018-0739)
+ [Matt Caswell]
+
  Changes between 1.0.2m and 1.0.2n [7 Dec 2017]
 
  *) Read/write after SSL object in error state
@@ -2012,8 +2027,11 @@
  to work with OPENSSL_NO_SSL_INTERN defined.
  [Steve Henson]
 
- *) Add SRP support.
- [Tom Wu <tjw@cs.stanford.edu> and Ben Laurie]
+ *) A long standing patch to add support for SRP from EdelWeb (Peter
+ Sylvester and Christophe Renou) was integrated.
+ [Christophe Renou <christophe.renou@edelweb.fr>, Peter Sylvester
+ <peter.sylvester@edelweb.fr>, Tom Wu <tjw@cs.stanford.edu>, and
+ Ben Laurie]
 
  *) Add functions to copy EVP_PKEY_METHOD and retrieve flags and id.
  [Steve Henson]

deps/openssl/openssl/Configure

@@ -354,7 +354,7 @@ my %table=(
 "hpux-gcc", "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### HP MPE/iX http://jazz.external.hp.com/src/openssl/
-"MPE/iX-gcc", "gcc:-D_ENDIAN -DBN_DIV2W -O3 -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):MPE:-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"MPE/iX-gcc", "gcc:-DBN_DIV2W -O3 -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):MPE:-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
 
 # DEC Alpha OSF/1/Tru64 targets.
 #
@@ -1269,7 +1269,7 @@ my ($prelflags,$postlflags)=split('%',$lflags);
 if (defined($postlflags)) { $lflags=$postlflags; }
 else { $lflags=$prelflags; undef $prelflags; }
 
-if ($target =~ /^mingw/ && `$cc --target-help 2>&1` !~ m/\-mno\-cygwin/m)
+if ($target =~ /^mingw/ && `$cross_compile_prefix$cc --target-help 2>&1` !~ m/\-mno\-cygwin/m)
  {
  $cflags =~ s/\-mno\-cygwin\s*//;
  $shared_ldflag =~ s/\-mno\-cygwin\s*//;
@@ -1661,18 +1661,25 @@ if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
  $shlib_minor=$2;
  }
 
-my $ecc = $cc;
-$ecc = "clang" if `$cc --version 2>&1` =~ /clang/;
+my %predefined;
+
+# collect compiler pre-defines from gcc or gcc-alike...
+open(PIPE, "$cross_compile_prefix$cc -dM -E -x c /dev/null 2>&1 |");
+while (<PIPE>) {
+ m/^#define\s+(\w+(?:\(\w+\))?)(?:\s+(.+))?/ or last;
+ $predefined{$1} = defined($2) ? $2 : "";
+}
+close(PIPE);
 
 if ($strict_warnings)
  {
  my $wopt;
- die "ERROR --strict-warnings requires gcc or clang" unless ($ecc =~ /gcc$/ or $ecc =~ /clang$/);
+ die "ERROR --strict-warnings requires gcc or clang" unless defined($predefined{__GNUC__});
  foreach $wopt (split /\s+/, $gcc_devteam_warn)
  {
  $cflags .= " $wopt" unless ($cflags =~ /(^|\s)$wopt(\s|$)/)
  }
- if ($ecc eq "clang")
+ if (defined($predefined{__clang__}))
  {
  foreach $wopt (split /\s+/, $clang_devteam_warn)
  {
@@ -1723,15 +1730,14 @@ while (<IN>)
  s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/;
  s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/;
  s/^RC=\s*/RC= \$\(CROSS_COMPILE\)/;
- s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $cc eq "gcc";
+ s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $predefined{__GNUC__} >= 3;
  }
  else {
  s/^CC=.*$/CC= $cc/;
  s/^AR=\s*ar/AR= $ar/;
  s/^RANLIB=.*/RANLIB= $ranlib/;
  s/^RC=.*/RC= $windres/;
- s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
- s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $ecc eq "gcc" || $ecc eq "clang";
+ s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $predefined{__GNUC__} >= 3;
  }
  s/^CFLAG=.*$/CFLAG= $cflags/;
  s/^DEPFLAG=.*$/DEPFLAG=$depflags/;

deps/openssl/openssl/LICENSE

@@ -12,7 +12,7 @@
  ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2017 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2018 The OpenSSL Project. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions

deps/openssl/openssl/MacOS/Randomizer.cpp

@@ -266,7 +266,7 @@ void CRandomizer::AddCurrentMouse (void)
 
  if (labs (mLastMouse.h - mouseLoc.h) > kMouseResolution/2 &&
  labs (mLastMouse.v - mouseLoc.v) > kMouseResolution/2)
- AddBytes (&mouseLoc, sizeof (mouseLoc),
+ AddBytes (&mouseLoc, sizeof(mouseLoc),
  kMousePositionEntropy);
 
  if (mLastMouse.h == mouseLoc.h && mLastMouse.v == mouseLoc.v)
@@ -286,7 +286,7 @@ void CRandomizer::AddCurrentMouse (void)
  (kTypicalMouseIdleTicks/(double)lastCheck);
  if (entropy < 0.0)
  entropy = 0.0;
- AddBytes (&mMouseStill, sizeof (mMouseStill), entropy);
+ AddBytes (&mMouseStill, sizeof(mMouseStill), entropy);
  mMouseStill = 0;
  }
  mLastMouse = mouseLoc;
@@ -299,7 +299,7 @@ void CRandomizer::AddAbsoluteSystemStartupTime (void)
  GetDateTime (&now);
  now -= TickCount() / 60; // Time in ticks since machine
  // startup
- AddBytes (&now, sizeof (now), kSysStartupEntropy);
+ AddBytes (&now, sizeof(now), kSysStartupEntropy);
 }
 
 void CRandomizer::AddTimeSinceMachineStartup (void)
@@ -314,7 +314,7 @@ void CRandomizer::AddAppRunningTime (void)
  ProcessSerialNumber PSN;
  ProcessInfoRec ProcessInfo;
 
- ProcessInfo.processInfoLength = sizeof (ProcessInfoRec);
+ ProcessInfo.processInfoLength = sizeof(ProcessInfoRec);
  ProcessInfo.processName = nil;
  ProcessInfo.processAppSpec = nil;
 
@@ -324,7 +324,7 @@ void CRandomizer::AddAppRunningTime (void)
  // Now add the amount of time in ticks that the current process
  // has been active
 
- AddBytes (&ProcessInfo, sizeof (ProcessInfoRec),
+ AddBytes (&ProcessInfo, sizeof(ProcessInfoRec),
  kApplicationUpTimeEntropy);
 }
 
@@ -353,7 +353,7 @@ void CRandomizer::AddStartupVolumeInfo (void)
  // unpredictable, so might as well toss the whole block in. See
  // comments for entropy estimate justifications.
 
- AddBytes (&pb, sizeof (pb),
+ AddBytes (&pb, sizeof(pb),
  kVolumeBytesEntropy +
  log2l (((pb.ioVTotalBytes.hi - pb.ioVFreeBytes.hi)
  * 4294967296.0D +
@@ -419,7 +419,7 @@ void CRandomizer::AddBytes (void *data, long size, double entropy)
 void CRandomizer::AddNow (double millisecondUncertainty)
 {
  long time = SysTimer();
- AddBytes (&time, sizeof (time), log2l (millisecondUncertainty *
+ AddBytes (&time, sizeof(time), log2l (millisecondUncertainty *
  mTimebaseTicksPerMillisec));
 }
 

deps/openssl/openssl/Makefile

@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2n
+VERSION=1.0.2o
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0
@@ -73,7 +73,7 @@ NM= nm
 PERL= /usr/bin/perl
 TAR= tar
 TARFLAGS= --no-recursion
-MAKEDEPPROG=makedepend
+MAKEDEPPROG= cc
 LIBDIR=lib
 
 # We let the C compiler driver to take care of .s files. This is done in

deps/openssl/openssl/Makefile.bak

@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2n
+VERSION=1.0.2o
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0

deps/openssl/openssl/NEWS

@@ -5,6 +5,11 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
 
+ Major changes between OpenSSL 1.0.2n and OpenSSL 1.0.2o [27 Mar 2018]
+
+ o Constructed ASN.1 types with a recursive definition could exceed the
+ stack (CVE-2018-0739)
+
  Major changes between OpenSSL 1.0.2m and OpenSSL 1.0.2n [7 Dec 2017]
 
  o Read/write after SSL object in error state (CVE-2017-3737)

deps/openssl/openssl/README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.2n 7 Dec 2017
+ OpenSSL 1.0.2o 27 Mar 2018
 
  Copyright (c) 1998-2015 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

deps/openssl/openssl/apps/app_rand.c

@@ -137,7 +137,7 @@ int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
 #endif
 
  if (file == NULL)
- file = RAND_file_name(buffer, sizeof buffer);
+ file = RAND_file_name(buffer, sizeof(buffer));
  else if (RAND_egd(file) > 0) {
  /*
  * we try if the given filename is an EGD socket. if it is, we don't
@@ -212,7 +212,7 @@ int app_RAND_write_file(const char *file, BIO *bio_e)
  return 0;
 
  if (file == NULL)
- file = RAND_file_name(buffer, sizeof buffer);
+ file = RAND_file_name(buffer, sizeof(buffer));
  if (file == NULL || !RAND_write_file(file)) {
  BIO_printf(bio_e, "unable to write 'random state'\n");
  return 0;

deps/openssl/openssl/apps/apps.c

@@ -1738,9 +1738,9 @@ int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
  BUF_strlcpy(buf[0], serialfile, BSIZE);
  else {
 #ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix);
+ j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", serialfile, suffix);
 #else
- j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix);
+ j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", serialfile, suffix);
 #endif
  }
 #ifdef RL_DEBUG
@@ -1789,14 +1789,14 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
  goto err;
  }
 #ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, new_suffix);
+ j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", serialfile, new_suffix);
 #else
- j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, new_suffix);
+ j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", serialfile, new_suffix);
 #endif
 #ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", serialfile, old_suffix);
+ j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.%s", serialfile, old_suffix);
 #else
- j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", serialfile, old_suffix);
+ j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-%s", serialfile, old_suffix);
 #endif
 #ifdef RL_DEBUG
  BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
@@ -1877,9 +1877,9 @@ CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
  goto err;
 
 #ifndef OPENSSL_SYS_VMS
- BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile);
+ BIO_snprintf(buf[0], sizeof(buf[0]), "%s.attr", dbfile);
 #else
- BIO_snprintf(buf[0], sizeof buf[0], "%s-attr", dbfile);
+ BIO_snprintf(buf[0], sizeof(buf[0]), "%s-attr", dbfile);
 #endif
  dbattr_conf = NCONF_new(NULL);
  if (NCONF_load(dbattr_conf, buf[0], &errorline) <= 0) {
@@ -1967,19 +1967,19 @@ int save_index(const char *dbfile, const char *suffix, CA_DB *db)
  goto err;
  }
 #ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
+ j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s.attr", dbfile);
 #else
- j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
+ j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s-attr", dbfile);
 #endif
 #ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
+ j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.attr.%s", dbfile, suffix);
 #else
- j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
+ j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-attr-%s", dbfile, suffix);
 #endif
 #ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
+ j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", dbfile, suffix);
 #else
- j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix);
+ j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", dbfile, suffix);
 #endif
 #ifdef RL_DEBUG
  BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
@@ -2028,29 +2028,29 @@ int rotate_index(const char *dbfile, const char *new_suffix,
  goto err;
  }
 #ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
+ j = BIO_snprintf(buf[4], sizeof(buf[4]), "%s.attr", dbfile);
 #else
- j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
+ j = BIO_snprintf(buf[4], sizeof(buf[4]), "%s-attr", dbfile);
 #endif
 #ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s", dbfile, new_suffix);
+ j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s.attr.%s", dbfile, new_suffix);
 #else
- j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s", dbfile, new_suffix);
+ j = BIO_snprintf(buf[2], sizeof(buf[2]), "%s-attr-%s", dbfile, new_suffix);
 #endif
 #ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, new_suffix);
+ j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s.%s", dbfile, new_suffix);
 #else
- j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, new_suffix);
+ j = BIO_snprintf(buf[0], sizeof(buf[0]), "%s-%s", dbfile, new_suffix);
 #endif
 #ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s", dbfile, old_suffix);
+ j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s.%s", dbfile, old_suffix);
 #else
- j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s", dbfile, old_suffix);
+ j = BIO_snprintf(buf[1], sizeof(buf[1]), "%s-%s", dbfile, old_suffix);
 #endif
 #ifndef OPENSSL_SYS_VMS
- j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s", dbfile, old_suffix);
+ j = BIO_snprintf(buf[3], sizeof(buf[3]), "%s.attr.%s", dbfile, old_suffix);
 #else
- j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s", dbfile, old_suffix);
+ j = BIO_snprintf(buf[3], sizeof(buf[3]), "%s-attr-%s", dbfile, old_suffix);
 #endif
 #ifdef RL_DEBUG
  BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n", dbfile, buf[1]);
@@ -2604,7 +2604,7 @@ static void jpake_send_step3a(BIO *bconn, JPAKE_CTX *ctx)
 
  JPAKE_STEP3A_init(&s3a);
  JPAKE_STEP3A_generate(&s3a, ctx);
- BIO_write(bconn, s3a.hhk, sizeof s3a.hhk);
+ BIO_write(bconn, s3a.hhk, sizeof(s3a.hhk));
  (void)BIO_flush(bconn);
  JPAKE_STEP3A_release(&s3a);
 }
@@ -2615,7 +2615,7 @@ static void jpake_send_step3b(BIO *bconn, JPAKE_CTX *ctx)
 
  JPAKE_STEP3B_init(&s3b);
  JPAKE_STEP3B_generate(&s3b, ctx);
- BIO_write(bconn, s3b.hk, sizeof s3b.hk);
+ BIO_write(bconn, s3b.hk, sizeof(s3b.hk));
  (void)BIO_flush(bconn);
  JPAKE_STEP3B_release(&s3b);
 }
@@ -2625,7 +2625,7 @@ static void readbn(BIGNUM **bn, BIO *bconn)
  char buf[10240];
  int l;
 
- l = BIO_gets(bconn, buf, sizeof buf);
+ l = BIO_gets(bconn, buf, sizeof(buf));
  assert(l > 0);
  assert(buf[l - 1] == '\n');
  buf[l - 1] = '\0';
@@ -2672,8 +2672,8 @@ static void jpake_receive_step3a(JPAKE_CTX *ctx, BIO *bconn)
  int l;
 
  JPAKE_STEP3A_init(&s3a);
- l = BIO_read(bconn, s3a.hhk, sizeof s3a.hhk);
- assert(l == sizeof s3a.hhk);
+ l = BIO_read(bconn, s3a.hhk, sizeof(s3a.hhk));
+ assert(l == sizeof(s3a.hhk));
  if (!JPAKE_STEP3A_process(ctx, &s3a)) {
  ERR_print_errors(bio_err);
  exit(1);
@@ -2687,8 +2687,8 @@ static void jpake_receive_step3b(JPAKE_CTX *ctx, BIO *bconn)
  int l;
 
  JPAKE_STEP3B_init(&s3b);
- l = BIO_read(bconn, s3b.hk, sizeof s3b.hk);
- assert(l == sizeof s3b.hk);
+ l = BIO_read(bconn, s3b.hk, sizeof(s3b.hk));
+ assert(l == sizeof(s3b.hk));
  if (!JPAKE_STEP3B_process(ctx, &s3b)) {
  ERR_print_errors(bio_err);
  exit(1);