Update to LibreSSL 3.0.2 version

CMakeLists.txt

@@ -107,7 +107,7 @@ if(WIN32)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
 	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600)
-	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
+	add_definitions(-DCPPFLAGS -DNO_SYSLOG -DNO_CRYPT)
 	set(PLATFORM_LIBS ${PLATFORM_LIBS} ws2_32)
 endif()
 
@@ -289,10 +289,7 @@ if(ENABLE_ASM)
 		endif()
 	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
 		set(HOST_ASM_MACOSX_X86_64 true)
-	elseif(MSVC AND "${CMAKE_GENERATOR}" MATCHES "Win64" AND FALSE)
-		# XXX Disabled for now, CMake's MASM support seems to either never
-		# build supply ASM or build it with the C compiler in a mode where it
-		# does not parse correctly. It might be easier to get NASM support working.
+	elseif(MSVC AND "${CMAKE_GENERATOR}" MATCHES "Win64")
 		set(HOST_ASM_MASM_X86_64 true)
 		ENABLE_LANGUAGE(ASM_MASM)
 	elseif(CMAKE_SYSTEM_NAME MATCHES "MINGW" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
@@ -346,7 +343,9 @@ if(NOT MSVC)
 	set(exec_prefix \${prefix})
 	set(libdir      \${exec_prefix}/${CMAKE_INSTALL_LIBDIR})
 	set(includedir  \${prefix}/include)
-	string(REGEX REPLACE ";" " -l" PLATFORM_LDADD ";${PLATFORM_LIBS}")
+	if(PLATFORM_LIBS)
+		string(REGEX REPLACE ";" " -l" PLATFORM_LDADD ";${PLATFORM_LIBS}")
+	endif()
 	file(STRINGS    "VERSION" VERSION LIMIT_COUNT 1)
 	file(GLOB       OPENSSL_PKGCONFIGS "*.pc.in")
 	foreach(file ${OPENSSL_PKGCONFIGS})
@@ -358,10 +357,12 @@ if(NOT MSVC)
 		DESTINATION ${CMAKE_INSTALL_LIBDIR})
 endif()
 
-configure_file(
-	"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
-	"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
-	IMMEDIATE @ONLY)
+if(NOT TARGET uninstall)
+	configure_file(
+		"${CMAKE_CURRENT_SOURCE_DIR}/cmake_uninstall.cmake.in"
+		"${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake"
+		IMMEDIATE @ONLY)
 
-add_custom_target(uninstall
-	COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)
+	add_custom_target(uninstall
+		COMMAND ${CMAKE_COMMAND} -P ${CMAKE_CURRENT_BINARY_DIR}/cmake_uninstall.cmake)
+endif()

ChangeLog

@@ -28,6 +28,61 @@ history is also available from Git.
 
 LibreSSL Portable Release Notes:
 
+3.0.2 - Stable release
+
+	* Use a valid curve when constructing an EC_KEY that looks like X25519.
+	  The recent EC group cofactor change results in stricter validation,
+	  which causes the EC_GROUP_set_generator() call to fail.
+	  Issue reported and fix tested by rsadowski@
+
+	* Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey.
+	  (Note that the CMS code is currently disabled)
+	  Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license) 
+
+	* Avoid a path traversal bug in s_server on Windows when run with the -WWW
+	  or -HTTP options, due to incomplete path check logic.
+	  Issue reported and fix tested by Jobert Abma
+
+3.0.1 - Development release
+
+	* Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL
+	  or zero cofactor is passed to EC_GROUP_set_generator(), try to compute
+	  it using Hasse's bound. This works as long as the cofactor is small
+	  enough.
+
+	* Fixed a memory leak in error paths for eckey_type2param().
+
+	* Initial work on supporting Cryptographic Message Syntax (CMS) in
+	  libcrypto (not enabled).
+
+	* Various manual page improvements and additions.
+
+	* Added a CMake check for an existing uninstall target, facilitating
+	  embedding LibreSSL in larger CMake projects, from Matthew Albrecht.
+
+3.0.0 - Development release
+
+	* Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API.
+
+	* Documented undescribed options and removed unfunctional options
+	  description in openssl(1) manual.
+
+	* A plethora of small fixes due to regular oss-fuzz testing.
+
+	* Various side channels in DSA and ECDSA were addressed.  These are some of
+	  the many issues found in an extensive systematic analysis of bignum usage
+	  by Samuel Weiser, David Schrammel et al.
+
+	* Enabled openssl(1) speed subcommand on Windows platform.
+
+	* Enabled performance optimizations when building with Visual Studio on Windows.
+
+	* Fixed incorrect carry operation in 512 addition for Streebog.
+
+	* Fixed -modulus option with openssl(1) dsa subcommand.
+
+	* Fixed PVK format output issue with openssl(1) dsa and rsa subcommand.
+
 2.9.2 - Bug fixes
 
 	* Fixed portable builds with older versions of MacOS,

VERSION

@@ -1,2 +1,2 @@
-2.9.2.1
+3.0.2.0
 

apps/nc/netcat.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.203 2019/02/26 17:32:47 jsing Exp $ */
+/* $OpenBSD: netcat.c,v 1.206 2019/08/08 16:49:35 mestre Exp $ */
 /*
  * Copyright (c) 2001 Eric Jackson <[email protected]>
  * Copyright (c) 2015 Bob Beck.  All rights reserved.
@@ -393,6 +393,7 @@ main(int argc, char *argv[])
 					err(1, "unveil");
 			}
 		} else {
+			/* no filesystem visibility */
 			if (unveil("/", "") == -1)
 				err(1, "unveil");
 		}
@@ -578,7 +579,7 @@ main(int argc, char *argv[])
 					close(s);
 				s = local_listen(host, uport, hints);
 			}
-			if (s < 0)
+			if (s == -1)
 				err(1, NULL);
 			if (uflag && kflag) {
 				/*
@@ -600,11 +601,11 @@ main(int argc, char *argv[])
 				len = sizeof(z);
 				rv = recvfrom(s, buf, sizeof(buf), MSG_PEEK,
 				    (struct sockaddr *)&z, &len);
-				if (rv < 0)
+				if (rv == -1)
 					err(1, "recvfrom");
 
 				rv = connect(s, (struct sockaddr *)&z, len);
-				if (rv < 0)
+				if (rv == -1)
 					err(1, "connect");
 
 				if (vflag)
@@ -638,7 +639,7 @@ main(int argc, char *argv[])
 				tls_free(tls_cctx);
 			}
 			if (family == AF_UNIX && uflag) {
-				if (connect(s, NULL, 0) < 0)
+				if (connect(s, NULL, 0) == -1)
 					err(1, "connect");
 			}
 
@@ -749,7 +750,7 @@ unix_bind(char *path, int flags)
 
 	/* Create unix domain socket. */
 	if ((s = socket(AF_UNIX, flags | (uflag ? SOCK_DGRAM : SOCK_STREAM),
-	    0)) < 0)
+	    0)) == -1)
 		return -1;
 
 	memset(&s_un, 0, sizeof(struct sockaddr_un));
@@ -762,7 +763,7 @@ unix_bind(char *path, int flags)
 		return -1;
 	}
 
-	if (bind(s, (struct sockaddr *)&s_un, sizeof(s_un)) < 0) {
+	if (bind(s, (struct sockaddr *)&s_un, sizeof(s_un)) == -1) {
 		save_errno = errno;
 		close(s);
 		errno = save_errno;
@@ -872,10 +873,10 @@ unix_connect(char *path)
 	int s, save_errno;
 
 	if (uflag) {
-		if ((s = unix_bind(unix_dg_tmp_socket, SOCK_CLOEXEC)) < 0)
+		if ((s = unix_bind(unix_dg_tmp_socket, SOCK_CLOEXEC)) == -1)
 			return -1;
 	} else {
-		if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) < 0)
+		if ((s = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0)) == -1)
 			return -1;
 	}
 
@@ -888,7 +889,7 @@ unix_connect(char *path)
 		errno = ENAMETOOLONG;
 		return -1;
 	}
-	if (connect(s, (struct sockaddr *)&s_un, sizeof(s_un)) < 0) {
+	if (connect(s, (struct sockaddr *)&s_un, sizeof(s_un)) == -1) {
 		save_errno = errno;
 		close(s);
 		errno = save_errno;
@@ -907,9 +908,9 @@ unix_listen(char *path)
 {
 	int s;
 
-	if ((s = unix_bind(path, 0)) < 0)
+	if ((s = unix_bind(path, 0)) == -1)
 		return -1;
-	if (listen(s, 5) < 0) {
+	if (listen(s, 5) == -1) {
 		close(s);
 		return -1;
 	}
@@ -939,7 +940,7 @@ remote_connect(const char *host, const char *port, struct addrinfo hints)
 
 	for (res = res0; res; res = res->ai_next) {
 		if ((s = socket(res->ai_family, res->ai_socktype |
-		    SOCK_NONBLOCK, res->ai_protocol)) < 0)
+		    SOCK_NONBLOCK, res->ai_protocol)) == -1)
 			continue;
 
 		/* Bind to a local port or source address if specified. */
@@ -959,7 +960,7 @@ remote_connect(const char *host, const char *port, struct addrinfo hints)
 				errx(1, "getaddrinfo: %s", gai_strerror(error));
 
 			if (bind(s, (struct sockaddr *)ares->ai_addr,
-			    ares->ai_addrlen) < 0)
+			    ares->ai_addrlen) == -1)
 				err(1, "bind failed");
 			freeaddrinfo(ares);
 		}
@@ -1041,7 +1042,7 @@ local_listen(const char *host, const char *port, struct addrinfo hints)
 
 	for (res = res0; res; res = res->ai_next) {
 		if ((s = socket(res->ai_family, res->ai_socktype,
-		    res->ai_protocol)) < 0)
+		    res->ai_protocol)) == -1)
 			continue;
 
 #ifdef SO_REUSEPORT
@@ -1063,7 +1064,7 @@ local_listen(const char *host, const char *port, struct addrinfo hints)
 	}
 
 	if (!uflag && s != -1) {
-		if (listen(s, 1) < 0)
+		if (listen(s, 1) == -1)
 			err(1, "listen");
 	}
 	if (vflag && s != -1) {
@@ -1473,12 +1474,12 @@ build_ports(char *p)
 			for (x = 0; x <= hi - lo; x++) {
 				cp = arc4random_uniform(x + 1);
 				portlist[x] = portlist[cp];
-				if (asprintf(&portlist[cp], "%d", x + lo) < 0)
+				if (asprintf(&portlist[cp], "%d", x + lo) == -1)
 					err(1, "asprintf");
 			}
 		} else { /* Load ports sequentially. */
 			for (cp = lo; cp <= hi; cp++) {
-				if (asprintf(&portlist[x], "%d", cp) < 0)
+				if (asprintf(&portlist[x], "%d", cp) == -1)
 					err(1, "asprintf");
 				x++;
 			}

apps/nc/socks.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: socks.c,v 1.27 2019/01/10 12:44:54 mestre Exp $	*/
+/*	$OpenBSD: socks.c,v 1.29 2019/07/29 15:19:03 benno Exp $	*/
 
 /*
  * Copyright (c) 1999 Niklas Hallqvist.  All rights reserved.
@@ -334,7 +334,7 @@ socks_connect(const char *host, const char *port,
 			    "CONNECT %s:%d HTTP/1.0\r\n",
 			    host, ntohs(serverport));
 		}
-		if (r == -1 || (size_t)r >= sizeof(buf))
+		if (r < 0 || (size_t)r >= sizeof(buf))
 			errx(1, "hostname too long");
 		r = strlen(buf);
 
@@ -357,7 +357,7 @@ socks_connect(const char *host, const char *port,
 				errx(1, "Proxy username/password too long");
 			r = snprintf(buf, sizeof(buf), "Proxy-Authorization: "
 			    "Basic %s\r\n", resp);
-			if (r == -1 || (size_t)r >= sizeof(buf))
+			if (r < 0 || (size_t)r >= sizeof(buf))
 				errx(1, "Proxy auth response too long");
 			r = strlen(buf);
 			if ((cnt = atomicio(vwrite, proxyfd, buf, r)) != r)
@@ -373,7 +373,8 @@ socks_connect(const char *host, const char *port,
 		/* Read status reply */
 		proxy_read_line(proxyfd, buf, sizeof(buf));
 		if (proxyuser != NULL &&
-		    strncmp(buf, "HTTP/1.0 407 ", 12) == 0) {
+		    (strncmp(buf, "HTTP/1.0 407 ", 12) == 0 ||
+		    strncmp(buf, "HTTP/1.1 407 ", 12) == 0)) {
 			if (authretry > 1) {
 				fprintf(stderr, "Proxy authentication "
 				    "failed\n");

apps/ocspcheck/http.c

@@ -1,4 +1,4 @@
-/*	$Id: http.c,v 1.11 2018/11/29 14:25:07 tedu Exp $ */
+/*	$Id: http.c,v 1.12 2019/06/28 13:32:49 deraadt Exp $ */
 /*
  * Copyright (c) 2016 Kristaps Dzonsons <[email protected]>
  *
@@ -72,7 +72,7 @@ dosysread(char *buf, size_t sz, const struct http *http)
 	ssize_t	 rc;
 
 	rc = read(http->fd, buf, sz);
-	if (rc < 0)
+	if (rc == -1)
 		warn("%s: read", http->src.ip);
 	return rc;
 }
@@ -83,7 +83,7 @@ dosyswrite(const void *buf, size_t sz, const struct http *http)
 	ssize_t	 rc;
 
 	rc = write(http->fd, buf, sz);
-	if (rc < 0)
+	if (rc == -1)
 		warn("%s: write", http->src.ip);
 	return rc;
 }
@@ -97,7 +97,7 @@ dotlsread(char *buf, size_t sz, const struct http *http)
 		rc = tls_read(http->ctx, buf, sz);
 	} while (rc == TLS_WANT_POLLIN || rc == TLS_WANT_POLLOUT);
 
-	if (rc < 0)
+	if (rc == -1)
 		warnx("%s: tls_read: %s", http->src.ip,
 		    tls_error(http->ctx));
 	return rc;
@@ -112,7 +112,7 @@ dotlswrite(const void *buf, size_t sz, const struct http *http)
 		rc = tls_write(http->ctx, buf, sz);
 	} while (rc == TLS_WANT_POLLIN || rc == TLS_WANT_POLLOUT);
 
-	if (rc < 0)
+	if (rc == -1)
 		warnx("%s: tls_write: %s", http->src.ip,
 		    tls_error(http->ctx));
 	return rc;

apps/ocspcheck/ocspcheck.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ocspcheck.c,v 1.24 2017/12/01 14:42:23 visa Exp $ */
+/* $OpenBSD: ocspcheck.c,v 1.25 2019/05/15 13:44:18 bcook Exp $ */
 
 /*
  * Copyright (c) 2017 Bob Beck <[email protected]>
@@ -670,7 +670,9 @@ main(int argc, char **argv)
 	 * write out the DER format response to the staplefd
 	 */
 	if (staplefd >= 0) {
-		(void) ftruncate(staplefd, 0);
+		while (ftruncate(staplefd, 0) < 0)
+			if (errno != EINTR && errno != EAGAIN)
+				err(1, "Write of OCSP response failed");
 		w = 0;
 		written = 0;
 		while (written < instaplesz) {