CVS commit: src/crypto/external/bsd/openssl/lib/libcrypto

[Taylor R Campbell]

Module Name:    src
Committed By:   riastradh
Date:           Mon Jul 15 06:34:17 UTC 2024

Modified Files:
        src/crypto/external/bsd/openssl/lib/libcrypto: Makefile
        src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64: sha.inc

Log Message:
openssl: Revert openssl asm enabling, which must not used yet.

They appear to have been christos's local changes for PR 58414
inadvertently mixed up in the openssl man page changes.

This stuff ABSOLUTELY MUST NOT BE ENABLED until the SHA-2 symbol mess
is resolved; see PR 58039 and
https://mail-index.netbsd.org/tech-userlevel/2024/03/17/msg014265.html
for more details.

While here, leave a comment to avoid stepping on this rake again.
The explanation was previously only in the commit message that added
the `.if 0', but it needs to be much more obvious.


To generate a diff of this commit:
cvs rdiff -u -r1.36 -r1.37 \
    src/crypto/external/bsd/openssl/lib/libcrypto/Makefile
cvs rdiff -u -r1.5 -r1.6 \
    src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/sha.inc

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


Modified files:

Index: src/crypto/external/bsd/openssl/lib/libcrypto/Makefile
diff -u src/crypto/external/bsd/openssl/lib/libcrypto/Makefile:1.36 src/crypto/external/bsd/openssl/lib/libcrypto/Makefile:1.37
--- src/crypto/external/bsd/openssl/lib/libcrypto/Makefile:1.36	Fri Jul 12 21:00:45 2024
+++ src/crypto/external/bsd/openssl/lib/libcrypto/Makefile	Mon Jul 15 06:34:17 2024
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.36 2024/07/12 21:00:45 christos Exp $
+#	$NetBSD: Makefile,v 1.37 2024/07/15 06:34:17 riastradh Exp $
 
 # RCSid:
 #	Id: Makefile,v 1.33 1998/11/11 11:53:53 sjg Exp
@@ -43,7 +43,6 @@ OPENSSLINC=	${OPENSSLSRC}/include/openss
 CPPFLAGS+= -I${.CURDIR}/../libdefault
 CPPFLAGS+= -I${OPENSSLSRC}/providers/common/include
 CPPFLAGS+= -I${OPENSSLSRC}/providers/implementations/include
-CPPFLAGS+= ${AESCPPFLAGS}
 .PATH: ${.CURDIR}/../libdefault
 .include "${.CURDIR}/../libcommon/srcs.inc"
 .PATH: ${.CURDIR}/../libcommon

Index: src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/sha.inc
diff -u src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/sha.inc:1.5 src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/sha.inc:1.6
--- src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/sha.inc:1.5	Fri Jul 12 21:00:45 2024
+++ src/crypto/external/bsd/openssl/lib/libcrypto/arch/x86_64/sha.inc	Mon Jul 15 06:34:17 2024
@@ -2,7 +2,11 @@
 SHA_SRCS = sha1-x86_64.S sha1-mb-x86_64.S keccak1600-x86_64.S
 SHACPPFLAGS = -DSHA1_ASM -DKECCAK1600_ASM
 KECCAKNI = yes
-.if 1
+.if 0
+# This cannot be enabled until the SHA-2 symbol mess is resolved:
+# https://mail-index.netbsd.org/tech-userlevel/2024/03/17/msg014265.html
+# DO NOT TRY TO ENABLE IT, OR YOU MAY CAUSE NETBSD'S OPENSSL TO BE
+# VULNERABLE TO REMOTE CODE EXECUTION BY STACK BUFFER OVERRUNS.
 SHA_SRCS += sha512-x86_64.S sha256-mb-x86_64.S
 SHACPPFLAGS+= -DSHA256_ASM -DSHA512_ASM
 .endif