Hello community,
here is the log from the commit of package libressl for openSUSE:Factory checked in at 2018-12-28 12:34:43
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libressl (Old)
and /work/SRC/openSUSE:Factory/.libressl.new.28833 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libressl"
Fri Dec 28 12:34:43 2018 rev:44 rq:661289 version:2.8.3
Changes:
--------
--- /work/SRC/openSUSE:Factory/libressl/libressl.changes 2018-10-26 11:10:22.349710995 +0200
+++ /work/SRC/openSUSE:Factory/.libressl.new.28833/libressl.changes 2018-12-28 12:34:53.123981772 +0100
@@ -1,0 +2,9 @@
+Mon Dec 24 16:38:02 UTC 2018 - sean(a)suspend.net
+
+- Update to new upstream release 2.8.3
+ * Fixed warnings about clock_gettime on Windows VS builds
+ * Fixed CMake builds on systems where getpagesize is inline
+ * Implemented coordinate blinding for EC_POINT for portsmash
+ * Fixed a non-uniformity in getentropy(2) to discard zeroes
+
+-------------------------------------------------------------------
Old:
----
libressl-2.8.2.tar.gz
libressl-2.8.2.tar.gz.asc
New:
----
libressl-2.8.3.tar.gz
libressl-2.8.3.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libressl.spec ++++++
--- /var/tmp/diff_new_pack.la8KXs/_old 2018-12-28 12:34:54.823980585 +0100
+++ /var/tmp/diff_new_pack.la8KXs/_new 2018-12-28 12:34:54.827980582 +0100
@@ -17,7 +17,7 @@
Name: libressl
-Version: 2.8.2
+Version: 2.8.3
Release: 0
Summary: An SSL/TLS protocol implementation
License: OpenSSL
++++++ libressl-2.8.2.tar.gz -> libressl-2.8.3.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/CMakeLists.txt new/libressl-2.8.3/CMakeLists.txt
--- old/libressl-2.8.2/CMakeLists.txt 2018-10-06 04:35:07.000000000 +0200
+++ new/libressl-2.8.3/CMakeLists.txt 2018-12-15 17:50:12.000000000 +0100
@@ -1,5 +1,6 @@
-cmake_minimum_required (VERSION 2.8.8)
+cmake_minimum_required (VERSION 3.0)
include(CheckFunctionExists)
+include(CheckSymbolExists)
include(CheckLibraryExists)
include(CheckIncludeFiles)
include(CheckTypeSize)
@@ -229,7 +230,7 @@
add_definitions(-DHAVE_GETENTROPY)
endif()
-check_function_exists(getpagesize HAVE_GETPAGESIZE)
+check_symbol_exists(getpagesize unistd.h HAVE_GETPAGESIZE)
if(HAVE_GETPAGESIZE)
add_definitions(-DHAVE_GETPAGESIZE)
endif()
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/ChangeLog new/libressl-2.8.3/ChangeLog
--- old/libressl-2.8.2/ChangeLog 2018-10-17 15:42:53.000000000 +0200
+++ new/libressl-2.8.3/ChangeLog 2018-12-15 17:56:03.000000000 +0100
@@ -28,6 +28,19 @@
LibreSSL Portable Release Notes:
+2.8.3 - Stable release
+
+ * Fixed warnings about clock_gettime on Windows Visual Studio builds.
+
+ * Fixed CMake builds on systems where getpagesize is defined as an
+ inline function.
+
+ * Implemented coordinate blinding for EC_POINT as an additional
+ mitigation for the portsmash vulnerability.
+
+ * Fixed a non-uniformity in getentropy(2) emulation where a block of
+ all zeroes would be discarded.
+
2.8.2 - Stable release
* Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/INSTALL new/libressl-2.8.3/INSTALL
--- old/libressl-2.8.2/INSTALL 2015-09-10 18:51:21.000000000 +0200
+++ new/libressl-2.8.3/INSTALL 1970-01-01 01:00:00.000000000 +0100
@@ -1,370 +0,0 @@
-Installation Instructions
-*************************
-
-Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
-Inc.
-
- Copying and distribution of this file, with or without modification,
-are permitted in any medium without royalty provided the copyright
-notice and this notice are preserved. This file is offered as-is,
-without warranty of any kind.
-
-Basic Installation
-==================
-
- Briefly, the shell command `./configure && make && make install'
-should configure, build, and install this package. The following
-more-detailed instructions are generic; see the `README' file for
-instructions specific to this package. Some packages provide this
-`INSTALL' file but do not implement all of the features documented
-below. The lack of an optional feature in a given package is not
-necessarily a bug. More recommendations for GNU packages can be found
-in *note Makefile Conventions: (standards)Makefile Conventions.
-
- The `configure' shell script attempts to guess correct values for
-various system-dependent variables used during compilation. It uses
-those values to create a `Makefile' in each directory of the package.
-It may also create one or more `.h' files containing system-dependent
-definitions. Finally, it creates a shell script `config.status' that
-you can run in the future to recreate the current configuration, and a
-file `config.log' containing compiler output (useful mainly for
-debugging `configure').
-
- It can also use an optional file (typically called `config.cache'
-and enabled with `--cache-file=config.cache' or simply `-C') that saves
-the results of its tests to speed up reconfiguring. Caching is
-disabled by default to prevent problems with accidental use of stale
-cache files.
-
- If you need to do unusual things to compile the package, please try
-to figure out how `configure' could check whether to do them, and mail
-diffs or instructions to the address given in the `README' so they can
-be considered for the next release. If you are using the cache, and at
-some point `config.cache' contains results you don't want to keep, you
-may remove or edit it.
-
- The file `configure.ac' (or `configure.in') is used to create
-`configure' by a program called `autoconf'. You need `configure.ac' if
-you want to change it or regenerate `configure' using a newer version
-of `autoconf'.
-
- The simplest way to compile this package is:
-
- 1. `cd' to the directory containing the package's source code and type
- `./configure' to configure the package for your system.
-
- Running `configure' might take a while. While running, it prints
- some messages telling which features it is checking for.
-
- 2. Type `make' to compile the package.
-
- 3. Optionally, type `make check' to run any self-tests that come with
- the package, generally using the just-built uninstalled binaries.
-
- 4. Type `make install' to install the programs and any data files and
- documentation. When installing into a prefix owned by root, it is
- recommended that the package be configured and built as a regular
- user, and only the `make install' phase executed with root
- privileges.
-
- 5. Optionally, type `make installcheck' to repeat any self-tests, but
- this time using the binaries in their final installed location.
- This target does not install anything. Running this target as a
- regular user, particularly if the prior `make install' required
- root privileges, verifies that the installation completed
- correctly.
-
- 6. You can remove the program binaries and object files from the
- source code directory by typing `make clean'. To also remove the
- files that `configure' created (so you can compile the package for
- a different kind of computer), type `make distclean'. There is
- also a `make maintainer-clean' target, but that is intended mainly
- for the package's developers. If you use it, you may have to get
- all sorts of other programs in order to regenerate files that came
- with the distribution.
-
- 7. Often, you can also type `make uninstall' to remove the installed
- files again. In practice, not all packages have tested that
- uninstallation works correctly, even though it is required by the
- GNU Coding Standards.
-
- 8. Some packages, particularly those that use Automake, provide `make
- distcheck', which can by used by developers to test that all other
- targets like `make install' and `make uninstall' work correctly.
- This target is generally not run by end users.
-
-Compilers and Options
-=====================
-
- Some systems require unusual options for compilation or linking that
-the `configure' script does not know about. Run `./configure --help'
-for details on some of the pertinent environment variables.
-
- You can give `configure' initial values for configuration parameters
-by setting variables in the command line or in the environment. Here
-is an example:
-
- ./configure CC=c99 CFLAGS=-g LIBS=-lposix
-
- *Note Defining Variables::, for more details.
-
-Compiling For Multiple Architectures
-====================================
-
- You can compile the package for more than one kind of computer at the
-same time, by placing the object files for each architecture in their
-own directory. To do this, you can use GNU `make'. `cd' to the
-directory where you want the object files and executables to go and run
-the `configure' script. `configure' automatically checks for the
-source code in the directory that `configure' is in and in `..'. This
-is known as a "VPATH" build.
-
- With a non-GNU `make', it is safer to compile the package for one
-architecture at a time in the source code directory. After you have
-installed the package for one architecture, use `make distclean' before
-reconfiguring for another architecture.
-
- On MacOS X 10.5 and later systems, you can create libraries and
-executables that work on multiple system types--known as "fat" or
-"universal" binaries--by specifying multiple `-arch' options to the
-compiler but only a single `-arch' option to the preprocessor. Like
-this:
-
- ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
- CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \
- CPP="gcc -E" CXXCPP="g++ -E"
-
- This is not guaranteed to produce working output in all cases, you
-may have to build one architecture at a time and combine the results
-using the `lipo' tool if you have problems.
-
-Installation Names
-==================
-
- By default, `make install' installs the package's commands under
-`/usr/local/bin', include files under `/usr/local/include', etc. You
-can specify an installation prefix other than `/usr/local' by giving
-`configure' the option `--prefix=PREFIX', where PREFIX must be an
-absolute file name.
-
- You can specify separate installation prefixes for
-architecture-specific files and architecture-independent files. If you
-pass the option `--exec-prefix=PREFIX' to `configure', the package uses
-PREFIX as the prefix for installing programs and libraries.
-Documentation and other data files still use the regular prefix.
-
- In addition, if you use an unusual directory layout you can give
-options like `--bindir=DIR' to specify different values for particular
-kinds of files. Run `configure --help' for a list of the directories
-you can set and what kinds of files go in them. In general, the
-default for these options is expressed in terms of `${prefix}', so that
-specifying just `--prefix' will affect all of the other directory
-specifications that were not explicitly provided.
-
- The most portable way to affect installation locations is to pass the
-correct locations to `configure'; however, many packages provide one or
-both of the following shortcuts of passing variable assignments to the
-`make install' command line to change installation locations without
-having to reconfigure or recompile.
-
- The first method involves providing an override variable for each
-affected directory. For example, `make install
-prefix=/alternate/directory' will choose an alternate location for all
-directory configuration variables that were expressed in terms of
-`${prefix}'. Any directories that were specified during `configure',
-but not in terms of `${prefix}', must each be overridden at install
-time for the entire installation to be relocated. The approach of
-makefile variable overrides for each directory variable is required by
-the GNU Coding Standards, and ideally causes no recompilation.
-However, some platforms have known limitations with the semantics of
-shared libraries that end up requiring recompilation when using this
-method, particularly noticeable in packages that use GNU Libtool.
-
- The second method involves providing the `DESTDIR' variable. For
-example, `make install DESTDIR=/alternate/directory' will prepend
-`/alternate/directory' before all installation names. The approach of
-`DESTDIR' overrides is not required by the GNU Coding Standards, and
-does not work on platforms that have drive letters. On the other hand,
-it does better at avoiding recompilation issues, and works well even
-when some directory options were not specified in terms of `${prefix}'
-at `configure' time.
-
-Optional Features
-=================
-
- If the package supports it, you can cause programs to be installed
-with an extra prefix or suffix on their names by giving `configure' the
-option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'.
-
- Some packages pay attention to `--enable-FEATURE' options to
-`configure', where FEATURE indicates an optional part of the package.
-They may also pay attention to `--with-PACKAGE' options, where PACKAGE
-is something like `gnu-as' or `x' (for the X Window System). The
-`README' should mention any `--enable-' and `--with-' options that the
-package recognizes.
-
- For packages that use the X Window System, `configure' can usually
-find the X include and library files automatically, but if it doesn't,
-you can use the `configure' options `--x-includes=DIR' and
-`--x-libraries=DIR' to specify their locations.
-
- Some packages offer the ability to configure how verbose the
-execution of `make' will be. For these packages, running `./configure
---enable-silent-rules' sets the default to minimal output, which can be
-overridden with `make V=1'; while running `./configure
---disable-silent-rules' sets the default to verbose, which can be
-overridden with `make V=0'.
-
-Particular systems
-==================
-
- On HP-UX, the default C compiler is not ANSI C compatible. If GNU
-CC is not installed, it is recommended to use the following options in
-order to use an ANSI C compiler:
-
- ./configure CC="cc -Ae -D_XOPEN_SOURCE=500"
-
-and if that doesn't work, install pre-built binaries of GCC for HP-UX.
-
- HP-UX `make' updates targets which have the same time stamps as
-their prerequisites, which makes it generally unusable when shipped
-generated files such as `configure' are involved. Use GNU `make'
-instead.
-
- On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot
-parse its `<wchar.h>' header file. The option `-nodtk' can be used as
-a workaround. If GNU CC is not installed, it is therefore recommended
-to try
-
- ./configure CC="cc"
-
-and if that doesn't work, try
-
- ./configure CC="cc -nodtk"
-
- On Solaris, don't put `/usr/ucb' early in your `PATH'. This
-directory contains several dysfunctional programs; working variants of
-these programs are available in `/usr/bin'. So, if you need `/usr/ucb'
-in your `PATH', put it _after_ `/usr/bin'.
-
- On Haiku, software installed for all users goes in `/boot/common',
-not `/usr/local'. It is recommended to use the following options:
-
- ./configure --prefix=/boot/common
-
-Specifying the System Type
-==========================
-
- There may be some features `configure' cannot figure out
-automatically, but needs to determine by the type of machine the package
-will run on. Usually, assuming the package is built to be run on the
-_same_ architectures, `configure' can figure that out, but if it prints
-a message saying it cannot guess the machine type, give it the
-`--build=TYPE' option. TYPE can either be a short name for the system
-type, such as `sun4', or a canonical name which has the form:
-
- CPU-COMPANY-SYSTEM
-
-where SYSTEM can have one of these forms:
-
- OS
- KERNEL-OS
-
- See the file `config.sub' for the possible values of each field. If
-`config.sub' isn't included in this package, then this package doesn't
-need to know the machine type.
-
- If you are _building_ compiler tools for cross-compiling, you should
-use the option `--target=TYPE' to select the type of system they will
-produce code for.
-
- If you want to _use_ a cross compiler, that generates code for a
-platform different from the build platform, you should specify the
-"host" platform (i.e., that on which the generated programs will
-eventually be run) with `--host=TYPE'.
-
-Sharing Defaults
-================
-
- If you want to set default values for `configure' scripts to share,
-you can create a site shell script called `config.site' that gives
-default values for variables like `CC', `cache_file', and `prefix'.
-`configure' looks for `PREFIX/share/config.site' if it exists, then
-`PREFIX/etc/config.site' if it exists. Or, you can set the
-`CONFIG_SITE' environment variable to the location of the site script.
-A warning: not all `configure' scripts look for a site script.
-
-Defining Variables
-==================
-
- Variables not defined in a site shell script can be set in the
-environment passed to `configure'. However, some packages may run
-configure again during the build, and the customized values of these
-variables may be lost. In order to avoid this problem, you should set
-them in the `configure' command line, using `VAR=value'. For example:
-
- ./configure CC=/usr/local2/bin/gcc
-
-causes the specified `gcc' to be used as the C compiler (unless it is
-overridden in the site shell script).
-
-Unfortunately, this technique does not work for `CONFIG_SHELL' due to
-an Autoconf limitation. Until the limitation is lifted, you can use
-this workaround:
-
- CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
-
-`configure' Invocation
-======================
-
- `configure' recognizes the following options to control how it
-operates.
-
-`--help'
-`-h'
- Print a summary of all of the options to `configure', and exit.
-
-`--help=short'
-`--help=recursive'
- Print a summary of the options unique to this package's
- `configure', and exit. The `short' variant lists options used
- only in the top level, while the `recursive' variant lists options
- also present in any nested packages.
-
-`--version'
-`-V'
- Print the version of Autoconf used to generate the `configure'
- script, and exit.
-
-`--cache-file=FILE'
- Enable the cache: use and save the results of the tests in FILE,
- traditionally `config.cache'. FILE defaults to `/dev/null' to
- disable caching.
-
-`--config-cache'
-`-C'
- Alias for `--cache-file=config.cache'.
-
-`--quiet'
-`--silent'
-`-q'
- Do not print messages saying which checks are being made. To
- suppress all normal output, redirect it to `/dev/null' (any error
- messages will still be shown).
-
-`--srcdir=DIR'
- Look for the package's source code in directory DIR. Usually
- `configure' can determine that directory automatically.
-
-`--prefix=DIR'
- Use DIR as the installation prefix. *note Installation Names::
- for more details, including other options available for fine-tuning
- the installation locations.
-
-`--no-create'
-`-n'
- Run the configure checks, but stop before creating any output
- files.
-
-`configure' also accepts some other, not widely useful, options. Run
-`configure --help' for more details.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/Makefile.in new/libressl-2.8.3/Makefile.in
--- old/libressl-2.8.2/Makefile.in 2018-10-17 15:50:12.000000000 +0200
+++ new/libressl-2.8.3/Makefile.in 2018-12-15 17:56:55.000000000 +0100
@@ -193,9 +193,8 @@
DIST_SUBDIRS = $(SUBDIRS)
am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/libcrypto.pc.in \
$(srcdir)/libssl.pc.in $(srcdir)/libtls.pc.in \
- $(srcdir)/openssl.pc.in COPYING ChangeLog INSTALL compile \
- config.guess config.sub depcomp install-sh ltmain.sh missing \
- tap-driver.sh
+ $(srcdir)/openssl.pc.in COPYING ChangeLog compile config.guess \
+ config.sub depcomp install-sh ltmain.sh missing tap-driver.sh
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
distdir = $(PACKAGE)-$(VERSION)
top_distdir = $(distdir)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/VERSION new/libressl-2.8.3/VERSION
--- old/libressl-2.8.2/VERSION 2018-10-17 15:49:52.000000000 +0200
+++ new/libressl-2.8.3/VERSION 2018-12-15 17:56:31.000000000 +0100
@@ -1,2 +1,2 @@
-2.8.2
+2.8.3
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/configure new/libressl-2.8.3/configure
--- old/libressl-2.8.2/configure 2018-10-17 15:50:11.000000000 +0200
+++ new/libressl-2.8.3/configure 2018-12-15 17:56:54.000000000 +0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for libressl 2.8.2.
+# Generated by GNU Autoconf 2.69 for libressl 2.8.3.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@
# Identity of this package.
PACKAGE_NAME='libressl'
PACKAGE_TARNAME='libressl'
-PACKAGE_VERSION='2.8.2'
-PACKAGE_STRING='libressl 2.8.2'
+PACKAGE_VERSION='2.8.3'
+PACKAGE_STRING='libressl 2.8.3'
PACKAGE_BUGREPORT=''
PACKAGE_URL=''
@@ -1421,7 +1421,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures libressl 2.8.2 to adapt to many kinds of systems.
+\`configure' configures libressl 2.8.3 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1491,7 +1491,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of libressl 2.8.2:";;
+ short | recursive ) echo "Configuration of libressl 2.8.3:";;
esac
cat <<\_ACEOF
@@ -1607,7 +1607,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-libressl configure 2.8.2
+libressl configure 2.8.3
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2155,7 +2155,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by libressl $as_me 2.8.2, which was
+It was created by libressl $as_me 2.8.3, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3096,7 +3096,7 @@
# Define the identity of the package.
PACKAGE='libressl'
- VERSION='2.8.2'
+ VERSION='2.8.3'
cat >>confdefs.h <<_ACEOF
@@ -14825,7 +14825,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by libressl $as_me 2.8.2, which was
+This file was extended by libressl $as_me 2.8.3, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -14882,7 +14882,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-libressl config.status 2.8.2
+libressl config.status 2.8.3
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/crypto/compat/getentropy_aix.c new/libressl-2.8.3/crypto/compat/getentropy_aix.c
--- old/libressl-2.8.2/crypto/compat/getentropy_aix.c 2018-10-17 15:49:52.000000000 +0200
+++ new/libressl-2.8.3/crypto/compat/getentropy_aix.c 2018-12-15 17:56:31.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_aix.c,v 1.5 2016/08/07 03:27:21 tb Exp $ */
+/* $OpenBSD: getentropy_aix.c,v 1.5.8.1 2018/12/15 15:10:12 bcook Exp $ */
/*
* Copyright (c) 2015 Michael Felt <aixtools(a)gmail.com>
@@ -60,7 +60,6 @@
int getentropy(void *buf, size_t len);
-static int gotdata(char *buf, size_t len);
static int getentropy_urandom(void *buf, size_t len, const char *path,
int devfscheck);
static int getentropy_fallback(void *buf, size_t len);
@@ -118,22 +117,6 @@
return (ret);
}
-/*
- * Basic sanity checking; wish we could do better.
- */
-static int
-gotdata(char *buf, size_t len)
-{
- char any_set = 0;
- size_t i;
-
- for (i = 0; i < len; ++i)
- any_set |= buf[i];
- if (any_set == 0)
- return (-1);
- return (0);
-}
-
static int
getentropy_urandom(void *buf, size_t len, const char *path, int devfscheck)
{
@@ -179,10 +162,8 @@
i += ret;
}
close(fd);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
+ errno = save_errno;
+ return (0); /* satisfied */
nodevrandom:
errno = EIO;
return (-1);
@@ -416,10 +397,6 @@
}
explicit_bzero(&ctx, sizeof ctx);
explicit_bzero(results, sizeof results);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
- errno = EIO;
- return (-1);
+ errno = save_errno;
+ return (0); /* satisfied */
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/crypto/compat/getentropy_hpux.c new/libressl-2.8.3/crypto/compat/getentropy_hpux.c
--- old/libressl-2.8.2/crypto/compat/getentropy_hpux.c 2018-10-17 15:49:52.000000000 +0200
+++ new/libressl-2.8.3/crypto/compat/getentropy_hpux.c 2018-12-15 17:56:31.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_hpux.c,v 1.5 2016/08/07 03:27:21 tb Exp $ */
+/* $OpenBSD: getentropy_hpux.c,v 1.5.8.1 2018/12/15 15:10:12 bcook Exp $ */
/*
* Copyright (c) 2014 Theo de Raadt <deraadt(a)openbsd.org>
@@ -64,7 +64,6 @@
int getentropy(void *buf, size_t len);
-static int gotdata(char *buf, size_t len);
static int getentropy_urandom(void *buf, size_t len, const char *path,
int devfscheck);
static int getentropy_fallback(void *buf, size_t len);
@@ -122,22 +121,6 @@
return (ret);
}
-/*
- * Basic sanity checking; wish we could do better.
- */
-static int
-gotdata(char *buf, size_t len)
-{
- char any_set = 0;
- size_t i;
-
- for (i = 0; i < len; ++i)
- any_set |= buf[i];
- if (any_set == 0)
- return (-1);
- return (0);
-}
-
static int
getentropy_urandom(void *buf, size_t len, const char *path, int devfscheck)
{
@@ -183,10 +166,8 @@
i += ret;
}
close(fd);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
+ errno = save_errno;
+ return (0); /* satisfied */
nodevrandom:
errno = EIO;
return (-1);
@@ -410,10 +391,6 @@
}
explicit_bzero(&ctx, sizeof ctx);
explicit_bzero(results, sizeof results);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
- errno = EIO;
- return (-1);
+ errno = save_errno;
+ return (0); /* satisfied */
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/crypto/compat/getentropy_linux.c new/libressl-2.8.3/crypto/compat/getentropy_linux.c
--- old/libressl-2.8.2/crypto/compat/getentropy_linux.c 2018-10-17 15:49:52.000000000 +0200
+++ new/libressl-2.8.3/crypto/compat/getentropy_linux.c 2018-12-15 17:56:31.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_linux.c,v 1.45 2018/03/13 22:53:28 bcook Exp $ */
+/* $OpenBSD: getentropy_linux.c,v 1.45.4.1 2018/12/15 15:10:12 bcook Exp $ */
/*
* Copyright (c) 2014 Theo de Raadt <deraadt(a)openbsd.org>
@@ -73,7 +73,6 @@
int getentropy(void *buf, size_t len);
-static int gotdata(char *buf, size_t len);
#if defined(SYS_getrandom) && defined(GRND_NONBLOCK)
static int getentropy_getrandom(void *buf, size_t len);
#endif
@@ -177,22 +176,6 @@
return (ret);
}
-/*
- * Basic sanity checking; wish we could do better.
- */
-static int
-gotdata(char *buf, size_t len)
-{
- char any_set = 0;
- size_t i;
-
- for (i = 0; i < len; ++i)
- any_set |= buf[i];
- if (any_set == 0)
- return (-1);
- return (0);
-}
-
#if defined(SYS_getrandom) && defined(GRND_NONBLOCK)
static int
getentropy_getrandom(void *buf, size_t len)
@@ -261,10 +244,8 @@
i += ret;
}
close(fd);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
+ errno = save_errno;
+ return (0); /* satisfied */
nodevrandom:
errno = EIO;
return (-1);
@@ -292,10 +273,8 @@
goto sysctlfailed;
i += chunk;
}
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
+ errno = save_errno;
+ return (0); /* satisfied */
sysctlfailed:
errno = EIO;
return (-1);
@@ -541,10 +520,6 @@
}
explicit_bzero(&ctx, sizeof ctx);
explicit_bzero(results, sizeof results);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
- errno = EIO;
- return (-1);
+ errno = save_errno;
+ return (0); /* satisfied */
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/crypto/compat/getentropy_osx.c new/libressl-2.8.3/crypto/compat/getentropy_osx.c
--- old/libressl-2.8.2/crypto/compat/getentropy_osx.c 2018-10-17 15:49:52.000000000 +0200
+++ new/libressl-2.8.3/crypto/compat/getentropy_osx.c 2018-12-15 17:56:31.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_osx.c,v 1.11 2016/09/03 15:24:09 bcook Exp $ */
+/* $OpenBSD: getentropy_osx.c,v 1.11.8.1 2018/12/15 15:10:12 bcook Exp $ */
/*
* Copyright (c) 2014 Theo de Raadt <deraadt(a)openbsd.org>
@@ -82,7 +82,6 @@
int getentropy(void *buf, size_t len);
-static int gotdata(char *buf, size_t len);
static int getentropy_urandom(void *buf, size_t len);
static int getentropy_fallback(void *buf, size_t len);
@@ -142,22 +141,6 @@
return (ret);
}
-/*
- * Basic sanity checking; wish we could do better.
- */
-static int
-gotdata(char *buf, size_t len)
-{
- char any_set = 0;
- size_t i;
-
- for (i = 0; i < len; ++i)
- any_set |= buf[i];
- if (any_set == 0)
- return (-1);
- return (0);
-}
-
static int
getentropy_urandom(void *buf, size_t len)
{
@@ -203,10 +186,8 @@
i += ret;
}
close(fd);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
+ errno = save_errno;
+ return (0); /* satisfied */
nodevrandom:
errno = EIO;
return (-1);
@@ -431,10 +412,6 @@
}
explicit_bzero(&ctx, sizeof ctx);
explicit_bzero(results, sizeof results);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
- errno = EIO;
- return (-1);
+ errno = save_errno;
+ return (0); /* satisfied */
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/crypto/compat/getentropy_solaris.c new/libressl-2.8.3/crypto/compat/getentropy_solaris.c
--- old/libressl-2.8.2/crypto/compat/getentropy_solaris.c 2018-10-17 15:49:52.000000000 +0200
+++ new/libressl-2.8.3/crypto/compat/getentropy_solaris.c 2018-12-15 17:56:31.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_solaris.c,v 1.12 2016/08/07 03:27:21 tb Exp $ */
+/* $OpenBSD: getentropy_solaris.c,v 1.12.8.1 2018/12/15 15:10:12 bcook Exp $ */
/*
* Copyright (c) 2014 Theo de Raadt <deraadt(a)openbsd.org>
@@ -68,7 +68,6 @@
int getentropy(void *buf, size_t len);
-static int gotdata(char *buf, size_t len);
static int getentropy_urandom(void *buf, size_t len, const char *path,
int devfscheck);
static int getentropy_fallback(void *buf, size_t len);
@@ -148,22 +147,6 @@
return (ret);
}
-/*
- * Basic sanity checking; wish we could do better.
- */
-static int
-gotdata(char *buf, size_t len)
-{
- char any_set = 0;
- size_t i;
-
- for (i = 0; i < len; ++i)
- any_set |= buf[i];
- if (any_set == 0)
- return (-1);
- return (0);
-}
-
static int
getentropy_urandom(void *buf, size_t len, const char *path, int devfscheck)
{
@@ -210,10 +193,8 @@
i += ret;
}
close(fd);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
+ errno = save_errno;
+ return (0); /* satisfied */
nodevrandom:
errno = EIO;
return (-1);
@@ -436,10 +417,6 @@
}
explicit_bzero(&ctx, sizeof ctx);
explicit_bzero(results, sizeof results);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
- errno = EIO;
- return (-1);
+ errno = save_errno;
+ return (0); /* satisfied */
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/crypto/ec/ec2_smpl.c new/libressl-2.8.3/crypto/ec/ec2_smpl.c
--- old/libressl-2.8.2/crypto/ec/ec2_smpl.c 2018-08-02 13:03:32.000000000 +0200
+++ new/libressl-2.8.3/crypto/ec/ec2_smpl.c 2018-11-18 13:27:11.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec2_smpl.c,v 1.20 2018/07/16 17:32:39 tb Exp $ */
+/* $OpenBSD: ec2_smpl.c,v 1.20.2.1 2018/11/17 18:55:41 tb Exp $ */
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
@@ -115,6 +115,7 @@
.field_mul = ec_GF2m_simple_field_mul,
.field_sqr = ec_GF2m_simple_field_sqr,
.field_div = ec_GF2m_simple_field_div,
+ .blind_coordinates = NULL,
};
return &ret;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/crypto/ec/ec_lcl.h new/libressl-2.8.3/crypto/ec/ec_lcl.h
--- old/libressl-2.8.2/crypto/ec/ec_lcl.h 2018-08-02 13:03:32.000000000 +0200
+++ new/libressl-2.8.3/crypto/ec/ec_lcl.h 2018-11-18 13:27:11.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lcl.h,v 1.10 2018/07/16 17:32:39 tb Exp $ */
+/* $OpenBSD: ec_lcl.h,v 1.10.2.1 2018/11/17 18:55:41 tb Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
@@ -182,6 +182,7 @@
int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. to Montgomery */
int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. from Montgomery */
int (*field_set_to_one)(const EC_GROUP *, BIGNUM *r, BN_CTX *);
+ int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
} /* EC_METHOD */;
typedef struct ec_extra_data_st {
@@ -339,6 +340,7 @@
int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *);
int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
+int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
int ec_GFp_simple_mul_generator_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar, BN_CTX *);
int ec_GFp_simple_mul_single_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar,
const EC_POINT *point, BN_CTX *);
@@ -358,6 +360,7 @@
int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *);
+int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx);
/* method functions in ecp_nist.c */
int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/crypto/ec/ec_lib.c new/libressl-2.8.3/crypto/ec/ec_lib.c
--- old/libressl-2.8.2/crypto/ec/ec_lib.c 2018-08-02 13:03:32.000000000 +0200
+++ new/libressl-2.8.3/crypto/ec/ec_lib.c 2018-11-18 13:27:11.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_lib.c,v 1.29 2018/07/16 17:32:39 tb Exp $ */
+/* $OpenBSD: ec_lib.c,v 1.29.2.1 2018/11/17 18:55:41 tb Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
@@ -533,6 +533,23 @@
return -1;
}
+/*
+ * Coordinate blinding for EC_POINT.
+ *
+ * The underlying EC_METHOD can optionally implement this function:
+ * underlying implementations should return 0 on errors, or 1 on success.
+ *
+ * This wrapper returns 1 in case the underlying EC_METHOD does not support
+ * coordinate blinding.
+ */
+int
+ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx)
+{
+ if (group->meth->blind_coordinates == NULL)
+ return 1;
+
+ return group->meth->blind_coordinates(group, p, ctx);
+}
/* this has 'package' visibility */
int
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/crypto/ec/ecp_mont.c new/libressl-2.8.3/crypto/ec/ecp_mont.c
--- old/libressl-2.8.2/crypto/ec/ecp_mont.c 2018-08-02 13:03:32.000000000 +0200
+++ new/libressl-2.8.3/crypto/ec/ecp_mont.c 2018-11-18 13:27:11.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_mont.c,v 1.16 2018/07/16 17:32:39 tb Exp $ */
+/* $OpenBSD: ecp_mont.c,v 1.16.2.1 2018/11/17 18:55:41 tb Exp $ */
/*
* Originally written by Bodo Moeller for the OpenSSL project.
*/
@@ -109,7 +109,8 @@
.field_sqr = ec_GFp_mont_field_sqr,
.field_encode = ec_GFp_mont_field_encode,
.field_decode = ec_GFp_mont_field_decode,
- .field_set_to_one = ec_GFp_mont_field_set_to_one
+ .field_set_to_one = ec_GFp_mont_field_set_to_one,
+ .blind_coordinates = ec_GFp_simple_blind_coordinates,
};
return &ret;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/crypto/ec/ecp_nist.c new/libressl-2.8.3/crypto/ec/ecp_nist.c
--- old/libressl-2.8.2/crypto/ec/ecp_nist.c 2018-08-02 13:03:32.000000000 +0200
+++ new/libressl-2.8.3/crypto/ec/ecp_nist.c 2018-11-18 13:27:11.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_nist.c,v 1.14 2018/07/16 17:32:39 tb Exp $ */
+/* $OpenBSD: ecp_nist.c,v 1.14.2.1 2018/11/17 18:55:41 tb Exp $ */
/*
* Written by Nils Larsch for the OpenSSL project.
*/
@@ -107,7 +107,8 @@
.mul_single_ct = ec_GFp_simple_mul_single_ct,
.mul_double_nonct = ec_GFp_simple_mul_double_nonct,
.field_mul = ec_GFp_nist_field_mul,
- .field_sqr = ec_GFp_nist_field_sqr
+ .field_sqr = ec_GFp_nist_field_sqr,
+ .blind_coordinates = ec_GFp_simple_blind_coordinates,
};
return &ret;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/crypto/ec/ecp_smpl.c new/libressl-2.8.3/crypto/ec/ecp_smpl.c
--- old/libressl-2.8.2/crypto/ec/ecp_smpl.c 2018-08-02 13:03:32.000000000 +0200
+++ new/libressl-2.8.3/crypto/ec/ecp_smpl.c 2018-11-18 13:27:11.000000000 +0100
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecp_smpl.c,v 1.22 2018/07/16 17:32:39 tb Exp $ */
+/* $OpenBSD: ecp_smpl.c,v 1.22.2.1 2018/11/17 18:55:41 tb Exp $ */
/* Includes code written by Lenka Fibikova <fibikova(a)exp-math.uni-essen.de>
* for the OpenSSL project.
* Includes code written by Bodo Moeller for the OpenSSL project.
@@ -107,7 +107,8 @@
.mul_single_ct = ec_GFp_simple_mul_single_ct,
.mul_double_nonct = ec_GFp_simple_mul_double_nonct,
.field_mul = ec_GFp_simple_field_mul,
- .field_sqr = ec_GFp_simple_field_sqr
+ .field_sqr = ec_GFp_simple_field_sqr,
+ .blind_coordinates = ec_GFp_simple_blind_coordinates,
};
return &ret;
@@ -1406,13 +1407,73 @@
return BN_mod_mul(r, a, b, &group->field, ctx);
}
-
int
ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx)
{
return BN_mod_sqr(r, a, &group->field, ctx);
}
+/*
+ * Apply randomization of EC point projective coordinates:
+ *
+ * (X, Y, Z) = (lambda^2 * X, lambda^3 * Y, lambda * Z)
+ *
+ * where lambda is in the interval [1, group->field).
+ */
+int
+ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx)
+{
+ BIGNUM *lambda = NULL;
+ BIGNUM *tmp = NULL;
+ int ret = 0;
+
+ BN_CTX_start(ctx);
+ if ((lambda = BN_CTX_get(ctx)) == NULL)
+ goto err;
+ if ((tmp = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ /* Generate lambda in [1, group->field - 1] */
+ do {
+ if (!BN_rand_range(lambda, &group->field))
+ goto err;
+ } while (BN_is_zero(lambda));
+
+ if (group->meth->field_encode != NULL &&
+ !group->meth->field_encode(group, lambda, lambda, ctx))
+ goto err;
+
+ /* Z = lambda * Z */
+ if (!group->meth->field_mul(group, &p->Z, lambda, &p->Z, ctx))
+ goto err;
+
+ /* tmp = lambda^2 */
+ if (!group->meth->field_sqr(group, tmp, lambda, ctx))
+ goto err;
+
+ /* X = lambda^2 * X */
+ if (!group->meth->field_mul(group, &p->X, tmp, &p->X, ctx))
+ goto err;
+
+ /* tmp = lambda^3 */
+ if (!group->meth->field_mul(group, tmp, tmp, lambda, ctx))
+ goto err;
+
+ /* Y = lambda^3 * Y */
+ if (!group->meth->field_mul(group, &p->Y, tmp, &p->Y, ctx))
+ goto err;
+
+ /* Disable optimized arithmetics after replacing Z by lambda * Z. */
+ p->Z_is_one = 0;
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+ return ret;
+}
+
+
#define EC_POINT_BN_set_flags(P, flags) do { \
BN_set_flags(&(P)->X, (flags)); \
BN_set_flags(&(P)->Y, (flags)); \
@@ -1537,6 +1598,13 @@
(bn_wexpand(&r->Z, group_top) == NULL))
goto err;
+ /*
+ * Apply coordinate blinding for EC_POINT if the underlying EC_METHOD
+ * implements it.
+ */
+ if (!ec_point_blind_coordinates(group, s, ctx))
+ goto err;
+
/* top bit is a 1, in a fixed pos */
if (!EC_POINT_copy(r, s))
goto err;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/include/compat/time.h new/libressl-2.8.3/include/compat/time.h
--- old/libressl-2.8.2/include/compat/time.h 2018-05-03 06:22:42.000000000 +0200
+++ new/libressl-2.8.3/include/compat/time.h 2018-11-18 13:26:04.000000000 +0100
@@ -33,6 +33,7 @@
#define CLOCK_REALTIME 0
#endif
+#ifndef _WIN32
#ifndef HAVE_CLOCK_GETTIME
typedef int clockid_t;
int clock_gettime(clockid_t clock_id, struct timespec *tp);
@@ -49,5 +50,6 @@
} \
} while (0)
#endif
+#endif
#endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libressl-2.8.2/include/openssl/opensslv.h new/libressl-2.8.3/include/openssl/opensslv.h
--- old/libressl-2.8.2/include/openssl/opensslv.h 2018-10-16 09:53:42.000000000 +0200
+++ new/libressl-2.8.3/include/openssl/opensslv.h 2018-12-15 17:52:23.000000000 +0100
@@ -1,11 +1,11 @@
-/* $OpenBSD: opensslv.h,v 1.49 2018/09/30 02:35:23 bcook Exp $ */
+/* $OpenBSD: opensslv.h,v 1.49.2.1 2018/12/15 15:13:56 bcook Exp $ */
#ifndef HEADER_OPENSSLV_H
#define HEADER_OPENSSLV_H
/* These will change with each release of LibreSSL-portable */
-#define LIBRESSL_VERSION_NUMBER 0x2080200fL
+#define LIBRESSL_VERSION_NUMBER 0x2080300fL
/* ^ Patch starts here */
-#define LIBRESSL_VERSION_TEXT "LibreSSL 2.8.2"
+#define LIBRESSL_VERSION_TEXT "LibreSSL 2.8.3"
/* These will never change */
#define OPENSSL_VERSION_NUMBER 0x20000000L