openssl-1.0.1d upgrade
Change-Id: Ie980c8834cf2c843858182d98d1f60c65a2a9b70
diff --git a/Crypto.mk b/Crypto.mk
index e012527..1ea3939 100644
--- a/Crypto.mk
+++ b/Crypto.mk
@@ -341,6 +341,7 @@
crypto/evp/e_xcbc_d.c \
crypto/evp/encode.c \
crypto/evp/evp_acnf.c \
+ crypto/evp/evp_cnf.c \
crypto/evp/evp_enc.c \
crypto/evp/evp_err.c \
crypto/evp/evp_key.c \
diff --git a/apps/apps.c b/apps/apps.c
index 4e11915..1096eee 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2132,7 +2132,7 @@
X509_NAME *n = NULL;
int nid;
- if (!buf || !ne_types || !ne_values)
+ if (!buf || !ne_types || !ne_values || !mval)
{
BIO_printf(bio_err, "malloc error\n");
goto error;
@@ -2236,6 +2236,7 @@
OPENSSL_free(ne_values);
OPENSSL_free(ne_types);
OPENSSL_free(buf);
+ OPENSSL_free(mval);
return n;
error:
@@ -2244,6 +2245,8 @@
OPENSSL_free(ne_values);
if (ne_types)
OPENSSL_free(ne_types);
+ if (mval)
+ OPENSSL_free(mval);
if (buf)
OPENSSL_free(buf);
return NULL;
diff --git a/apps/ca.c b/apps/ca.c
index 2a83d19..1cf50e0 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1408,6 +1408,7 @@
if (!NCONF_get_number(conf,section,
ENV_DEFAULT_CRL_HOURS, &crlhours))
crlhours = 0;
+ ERR_clear_error();
}
if ((crldays == 0) && (crlhours == 0) && (crlsec == 0))
{
diff --git a/apps/cms.c b/apps/cms.c
index d754140..5f77f8f 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -233,6 +233,8 @@
else if (!strcmp(*args,"-camellia256"))
cipher = EVP_camellia_256_cbc();
#endif
+ else if (!strcmp (*args, "-debug_decrypt"))
+ flags |= CMS_DEBUG_DECRYPT;
else if (!strcmp (*args, "-text"))
flags |= CMS_TEXT;
else if (!strcmp (*args, "-nointern"))
@@ -1039,6 +1041,8 @@
ret = 4;
if (operation == SMIME_DECRYPT)
{
+ if (flags & CMS_DEBUG_DECRYPT)
+ CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
if (secret_key)
{
diff --git a/apps/dgst.c b/apps/dgst.c
index b08e9a7..81bd870 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -216,10 +216,10 @@
out_bin = 1;
else if (strcmp(*argv,"-d") == 0)
debug=1;
- else if (strcmp(*argv,"-non-fips-allow") == 0)
- non_fips_allow=1;
else if (!strcmp(*argv,"-fips-fingerprint"))
hmac_key = "etaonrishdlcupfm";
+ else if (strcmp(*argv,"-non-fips-allow") == 0)
+ non_fips_allow=1;
else if (!strcmp(*argv,"-hmac"))
{
if (--argc < 1)
diff --git a/apps/dhparam.c b/apps/dhparam.c
index b47097c..1297d6f 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -332,7 +332,6 @@
BIO_printf(bio_err,"This is going to take a long time\n");
if(!dh || !DH_generate_parameters_ex(dh, num, g, &cb))
{
- if(dh) DH_free(dh);
ERR_print_errors(bio_err);
goto end;
}
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index fe72c1d..683d513 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -326,6 +326,7 @@
goto end;
}
#endif
+ ERR_print_errors(bio_err);
BIO_printf(bio_err,"Error, DSA key generation failed\n");
goto end;
}
@@ -429,13 +430,19 @@
assert(need_rand);
if ((dsakey=DSAparams_dup(dsa)) == NULL) goto end;
- if (!DSA_generate_key(dsakey)) goto end;
+ if (!DSA_generate_key(dsakey))
+ {
+ ERR_print_errors(bio_err);
+ DSA_free(dsakey);
+ goto end;
+ }
if (outformat == FORMAT_ASN1)
i=i2d_DSAPrivateKey_bio(out,dsakey);
else if (outformat == FORMAT_PEM)
i=PEM_write_bio_DSAPrivateKey(out,dsakey,NULL,NULL,0,NULL,NULL);
else {
BIO_printf(bio_err,"bad output format specified for outfile\n");
+ DSA_free(dsakey);
goto end;
}
DSA_free(dsakey);
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 37e9310..ece114c 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -78,7 +78,7 @@
#include <openssl/pem.h>
#include <openssl/rand.h>
-#define DEFBITS 512
+#define DEFBITS 1024
#undef PROG
#define PROG genrsa_main
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 01847df..83c5a76 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -617,7 +617,7 @@
BIO_printf (bio_err, "-ndays n number of days before next update\n");
BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
- BIO_printf (bio_err, "-<dgst alg> use specified digest in the request");
+ BIO_printf (bio_err, "-<dgst alg> use specified digest in the request\n");
goto end;
}
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 2cd7337..84c3b44 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -237,8 +237,8 @@
/* If we are using DSA, we can copy the parameters from
* the private key */
-
-
+
+
/* Now we know that a key and cert have been set against
* the SSL context */
if (!SSL_CTX_check_private_key(ctx))
@@ -436,6 +436,8 @@
if (version == SSL3_VERSION ||
version == TLS1_VERSION ||
+ version == TLS1_1_VERSION ||
+ version == TLS1_2_VERSION ||
version == DTLS1_VERSION ||
version == DTLS1_BAD_VER)
{
diff --git a/apps/s_client.c b/apps/s_client.c
index 7dce4cf..3a40a3f 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -357,7 +357,7 @@
BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
BIO_printf(bio_err," -status - request certificate status from server\n");
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
-# if !defined(OPENSSL_NO_NEXTPROTONEG)
+# ifndef OPENSSL_NO_NEXTPROTONEG
BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
# endif
#endif
@@ -537,7 +537,7 @@
ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
return SSL_TLSEXT_ERR_OK;
}
-# endif
+# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
#endif
enum
@@ -1903,6 +1903,10 @@
print_stuff(bio_c_out,con,1);
SSL_free(con);
}
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ if (next_proto.data)
+ OPENSSL_free(next_proto.data);
+#endif
if (ctx != NULL) SSL_CTX_free(ctx);
if (cert)
X509_free(cert);
@@ -1910,6 +1914,8 @@
EVP_PKEY_free(key);
if (pass)
OPENSSL_free(pass);
+ if (vpm)
+ X509_VERIFY_PARAM_free(vpm);
if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
diff --git a/apps/s_server.c b/apps/s_server.c
index 3f9b370..4720c05 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1206,13 +1206,13 @@
{
if (--argc < 1) goto bad;
srp_verifier_file = *(++argv);
- meth=TLSv1_server_method();
+ meth = TLSv1_server_method();
}
else if (strcmp(*argv, "-srpuserseed") == 0)
{
if (--argc < 1) goto bad;
srpuserseed = *(++argv);
- meth=TLSv1_server_method();
+ meth = TLSv1_server_method();
}
#endif
else if (strcmp(*argv,"-www") == 0)
@@ -1431,25 +1431,24 @@
goto end;
}
}
-
-# ifndef OPENSSL_NO_NEXTPROTONEG
- if (next_proto_neg_in)
- {
- unsigned short len;
- next_proto.data = next_protos_parse(&len,
- next_proto_neg_in);
- if (next_proto.data == NULL)
- goto end;
- next_proto.len = len;
- }
- else
- {
- next_proto.data = NULL;
- }
-# endif
#endif
}
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ if (next_proto_neg_in)
+ {
+ unsigned short len;
+ next_proto.data = next_protos_parse(&len, next_proto_neg_in);
+ if (next_proto.data == NULL)
+ goto end;
+ next_proto.len = len;
+ }
+ else
+ {
+ next_proto.data = NULL;
+ }
+#endif
+
if (s_dcert_file)
{
@@ -1730,7 +1729,7 @@
}
#endif
- if (!set_cert_key_stuff(ctx,s_cert,s_key))
+ if (!set_cert_key_stuff(ctx, s_cert, s_key))
goto end;
#ifndef OPENSSL_NO_TLSEXT
if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
@@ -1738,7 +1737,7 @@
#endif
if (s_dcert != NULL)
{
- if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
+ if (!set_cert_key_stuff(ctx, s_dcert, s_dkey))
goto end;
}
@@ -1893,7 +1892,15 @@
OPENSSL_free(pass);
if (dpass)
OPENSSL_free(dpass);
+ if (vpm)
+ X509_VERIFY_PARAM_free(vpm);
#ifndef OPENSSL_NO_TLSEXT
+ if (tlscstatp.host)
+ OPENSSL_free(tlscstatp.host);
+ if (tlscstatp.port)
+ OPENSSL_free(tlscstatp.port);
+ if (tlscstatp.path)
+ OPENSSL_free(tlscstatp.path);
if (ctx2 != NULL) SSL_CTX_free(ctx2);
if (s_cert2)
X509_free(s_cert2);
@@ -2433,6 +2440,7 @@
BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
+
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
if (next_proto_neg)
@@ -2701,6 +2709,11 @@
}
BIO_puts(io,"\n");
+ BIO_printf(io,
+ "Secure Renegotiation IS%s supported\n",
+ SSL_get_secure_renegotiation_support(con) ?
+ "" : " NOT");
+
/* The following is evil and should not really
* be done */
BIO_printf(io,"Ciphers supported in s_server binary\n");
diff --git a/apps/speed.c b/apps/speed.c
index ab62e01..9c251eb 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -254,7 +254,7 @@
"aes-128 cbc","aes-192 cbc","aes-256 cbc",
"camellia-128 cbc","camellia-192 cbc","camellia-256 cbc",
"evp","sha256","sha512","whirlpool",
- "aes-128 ige","aes-192 ige","aes-256 ige","ghash"};
+ "aes-128 ige","aes-192 ige","aes-256 ige","ghash" };
static double results[ALGOR_NUM][SIZE_NUM];
static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
#ifndef OPENSSL_NO_RSA
@@ -299,7 +299,7 @@
#if defined(_WIN32)
#if !defined(SIGALRM)
-#define SIGALRM
+# define SIGALRM
#endif
static unsigned int lapse,schlock;
static void alarm_win32(unsigned int secs) { lapse = secs*1000; }
diff --git a/apps/srp.c b/apps/srp.c
index 80e1b8a..9c7ae18 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -125,13 +125,13 @@
if (type == DB_SRP_INDEX)
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
- pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
- if (pp[DB_srptype][0] == DB_SRP_INDEX && !strcmp(id, pp[DB_srpid]))
+ pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
+ if (pp[DB_srptype][0] == DB_SRP_INDEX && !strcmp(id,pp[DB_srpid]))
return i;
}
else for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
- pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+ pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
if (pp[DB_srptype][0] != DB_SRP_INDEX && !strcmp(id,pp[DB_srpid]))
return i;
@@ -145,7 +145,7 @@
if (indx >= 0 && verbose)
{
int j;
- char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, indx);
+ char **pp = sk_OPENSSL_PSTRING_value(db->db->data, indx);
BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]);
for (j = 0; j < DB_NUMBER; j++)
{
@@ -163,7 +163,7 @@
{
if (verbose > 0)
{
- char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+ char **pp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
if (pp[DB_srptype][0] != 'I')
{
@@ -517,7 +517,7 @@
/* Lets check some fields */
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
- pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+ pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
if (pp[DB_srptype][0] == DB_SRP_INDEX)
{
@@ -533,8 +533,8 @@
if (gNindex >= 0)
{
- gNrow = (char **)sk_OPENSSL_PSTRING_value(db->db->data, gNindex);
- print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N") ;
+ gNrow = sk_OPENSSL_PSTRING_value(db->db->data,gNindex);
+ print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N");
}
else if (maxgN > 0 && !SRP_get_default_gN(gN))
{
@@ -587,7 +587,7 @@
if (userindex >= 0)
{
/* reactivation of a new user */
- char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+ char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
BIO_printf(bio_err, "user \"%s\" reactivated.\n", user);
row[DB_srptype][0] = 'V';
@@ -634,7 +634,7 @@
else
{
- char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+ char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
char type = row[DB_srptype][0];
if (type == 'v')
{
@@ -664,9 +664,9 @@
if (!(gNid=srp_create_user(user,&(row[DB_srpverifier]), &(row[DB_srpsalt]),gNrow?gNrow[DB_srpsalt]:NULL, gNrow?gNrow[DB_srpverifier]:NULL, passout, bio_err,verbose)))
{
- BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user);
- errors++;
- goto err;
+ BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user);
+ errors++;
+ goto err;
}
row[DB_srptype][0] = 'v';
@@ -689,7 +689,7 @@
}
else
{
- char **xpp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+ char **xpp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
BIO_printf(bio_err, "user \"%s\" revoked. t\n", user);
xpp[DB_srptype][0] = 'R';
@@ -714,7 +714,7 @@
/* Lets check some fields */
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
- pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+ pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
if (pp[DB_srptype][0] == 'v')
{
diff --git a/apps/verify.c b/apps/verify.c
index b9749dc..893670f 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -222,11 +222,19 @@
goto end;
}
- if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e);
+ ret = 0;
+ if (argc < 1)
+ {
+ if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
+ ret = -1;
+ }
else
+ {
for (i=0; i<argc; i++)
- check(cert_ctx,argv[i], untrusted, trusted, crls, e);
- ret=0;
+ if (1 != check(cert_ctx,argv[i], untrusted, trusted, crls, e))
+ ret = -1;
+ }
+
end:
if (ret == 1) {
BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
@@ -235,13 +243,16 @@
BIO_printf(bio_err," [-engine e]");
#endif
BIO_printf(bio_err," cert1 cert2 ...\n");
+
BIO_printf(bio_err,"recognized usages:\n");
- for(i = 0; i < X509_PURPOSE_get_count(); i++) {
+ for(i = 0; i < X509_PURPOSE_get_count(); i++)
+ {
X509_PURPOSE *ptmp;
ptmp = X509_PURPOSE_get0(i);
- BIO_printf(bio_err, "\t%-10s\t%s\n", X509_PURPOSE_get0_sname(ptmp),
- X509_PURPOSE_get0_name(ptmp));
- }
+ BIO_printf(bio_err, "\t%-10s\t%s\n",
+ X509_PURPOSE_get0_sname(ptmp),
+ X509_PURPOSE_get0_name(ptmp));
+ }
}
if (vpm) X509_VERIFY_PARAM_free(vpm);
if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
@@ -249,7 +260,7 @@
sk_X509_pop_free(trusted, X509_free);
sk_X509_CRL_pop_free(crls, X509_CRL_free);
apps_shutdown();
- OPENSSL_EXIT(ret);
+ OPENSSL_EXIT(ret < 0 ? 2 : ret);
}
static int check(X509_STORE *ctx, char *file,
diff --git a/apps/x509.c b/apps/x509.c
index e6e5e0d..3863ab9 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -288,7 +288,7 @@
days=atoi(*(++argv));
if (days == 0)
{
- BIO_printf(STDout,"bad number of days\n");
+ BIO_printf(bio_err,"bad number of days\n");
goto bad;
}
}
@@ -912,7 +912,7 @@
}
else if (text == i)
{
- X509_print_ex(out,x,nmflag, certflag);
+ X509_print_ex(STDout,x,nmflag, certflag);
}
else if (startdate == i)
{
diff --git a/crypto/aes/asm/aes-s390x.pl b/crypto/aes/asm/aes-s390x.pl
index 445a1e6..e75dcd0 100644
--- a/crypto/aes/asm/aes-s390x.pl
+++ b/crypto/aes/asm/aes-s390x.pl
@@ -1598,11 +1598,11 @@
lghi $s1,0x7f
nr $s1,%r0
lghi %r0,0 # query capability vector
- la %r1,2*$SIZE_T($sp)
+ la %r1,$tweak-16($sp)
.long 0xb92e0042 # km %r4,%r2
llihh %r1,0x8000
srlg %r1,%r1,32($s1) # check for 32+function code
- ng %r1,2*$SIZE_T($sp)
+ ng %r1,$tweak-16($sp)
lgr %r0,$s0 # restore the function code
la %r1,0($key1) # restore $key1
jz .Lxts_km_vanilla
@@ -1628,7 +1628,7 @@
lrvg $s0,$tweak+0($sp) # load the last tweak
lrvg $s1,$tweak+8($sp)
- stmg %r0,%r3,$tweak-32(%r1) # wipe copy of the key
+ stmg %r0,%r3,$tweak-32($sp) # wipe copy of the key
nill %r0,0xffdf # switch back to original function code
la %r1,0($key1) # restore pointer to $key1
@@ -1684,11 +1684,9 @@
lghi $i1,0x87
srag $i2,$s1,63 # broadcast upper bit
ngr $i1,$i2 # rem
- srlg $i2,$s0,63 # carry bit from lower half
- sllg $s0,$s0,1
- sllg $s1,$s1,1
+ algr $s0,$s0
+ alcgr $s1,$s1
xgr $s0,$i1
- ogr $s1,$i2
.Lxts_km_start:
lrvgr $i1,$s0 # flip byte order
lrvgr $i2,$s1
@@ -1745,11 +1743,9 @@
lghi $i1,0x87
srag $i2,$s1,63 # broadcast upper bit
ngr $i1,$i2 # rem
- srlg $i2,$s0,63 # carry bit from lower half
- sllg $s0,$s0,1
- sllg $s1,$s1,1
+ algr $s0,$s0
+ alcgr $s1,$s1
xgr $s0,$i1
- ogr $s1,$i2
ltr $len,$len # clear zero flag
br $ra
@@ -1781,8 +1777,8 @@
clr %r0,%r1
jl .Lxts_enc_software
+ st${g} $ra,5*$SIZE_T($sp)
stm${g} %r6,$s3,6*$SIZE_T($sp)
- st${g} $ra,14*$SIZE_T($sp)
sllg $len,$len,4 # $len&=~15
slgr $out,$inp
@@ -1830,9 +1826,9 @@
stg $i2,8($i3)
.Lxts_enc_km_done:
- l${g} $ra,14*$SIZE_T($sp)
- st${g} $sp,$tweak($sp) # wipe tweak
- st${g} $sp,$tweak($sp)
+ stg $sp,$tweak+0($sp) # wipe tweak
+ stg $sp,$tweak+8($sp)
+ l${g} $ra,5*$SIZE_T($sp)
lm${g} %r6,$s3,6*$SIZE_T($sp)
br $ra
.align 16
@@ -1843,12 +1839,11 @@
slgr $out,$inp
- xgr $s0,$s0 # clear upper half
- xgr $s1,$s1
- lrv $s0,$stdframe+4($sp) # load secno
- lrv $s1,$stdframe+0($sp)
- xgr $s2,$s2
- xgr $s3,$s3
+ l${g} $s3,$stdframe($sp) # ivp
+ llgf $s0,0($s3) # load iv
+ llgf $s1,4($s3)
+ llgf $s2,8($s3)
+ llgf $s3,12($s3)
stm${g} %r2,%r5,2*$SIZE_T($sp)
la $key,0($key2)
larl $tbl,AES_Te
@@ -1864,11 +1859,9 @@
lghi %r1,0x87
srag %r0,$s3,63 # broadcast upper bit
ngr %r1,%r0 # rem
- srlg %r0,$s1,63 # carry bit from lower half
- sllg $s1,$s1,1
- sllg $s3,$s3,1
+ algr $s1,$s1
+ alcgr $s3,$s3
xgr $s1,%r1
- ogr $s3,%r0
lrvgr $s1,$s1 # flip byte order
lrvgr $s3,$s3
srlg $s0,$s1,32 # smash the tweak to 4x32-bits
@@ -1917,11 +1910,9 @@
lghi %r1,0x87
srag %r0,$s3,63 # broadcast upper bit
ngr %r1,%r0 # rem
- srlg %r0,$s1,63 # carry bit from lower half
- sllg $s1,$s1,1
- sllg $s3,$s3,1
+ algr $s1,$s1
+ alcgr $s3,$s3
xgr $s1,%r1
- ogr $s3,%r0
lrvgr $s1,$s1 # flip byte order
lrvgr $s3,$s3
srlg $s0,$s1,32 # smash the tweak to 4x32-bits
@@ -1956,7 +1947,8 @@
.size AES_xts_encrypt,.-AES_xts_encrypt
___
# void AES_xts_decrypt(const char *inp,char *out,size_t len,
-# const AES_KEY *key1, const AES_KEY *key2,u64 secno);
+# const AES_KEY *key1, const AES_KEY *key2,
+# const unsigned char iv[16]);
#
$code.=<<___;
.globl AES_xts_decrypt
@@ -1988,8 +1980,8 @@
clr %r0,%r1
jl .Lxts_dec_software
+ st${g} $ra,5*$SIZE_T($sp)
stm${g} %r6,$s3,6*$SIZE_T($sp)
- st${g} $ra,14*$SIZE_T($sp)
nill $len,0xfff0 # $len&=~15
slgr $out,$inp
@@ -2028,11 +2020,9 @@
lghi $i1,0x87
srag $i2,$s1,63 # broadcast upper bit
ngr $i1,$i2 # rem
- srlg $i2,$s0,63 # carry bit from lower half
- sllg $s0,$s0,1
- sllg $s1,$s1,1
+ algr $s0,$s0
+ alcgr $s1,$s1
xgr $s0,$i1
- ogr $s1,$i2
lrvgr $i1,$s0 # flip byte order
lrvgr $i2,$s1
@@ -2075,9 +2065,9 @@
stg $s2,0($i3)
stg $s3,8($i3)
.Lxts_dec_km_done:
- l${g} $ra,14*$SIZE_T($sp)
- st${g} $sp,$tweak($sp) # wipe tweak
- st${g} $sp,$tweak($sp)
+ stg $sp,$tweak+0($sp) # wipe tweak
+ stg $sp,$tweak+8($sp)
+ l${g} $ra,5*$SIZE_T($sp)
lm${g} %r6,$s3,6*$SIZE_T($sp)
br $ra
.align 16
@@ -2089,12 +2079,11 @@
srlg $len,$len,4
slgr $out,$inp
- xgr $s0,$s0 # clear upper half
- xgr $s1,$s1
- lrv $s0,$stdframe+4($sp) # load secno
- lrv $s1,$stdframe+0($sp)
- xgr $s2,$s2
- xgr $s3,$s3
+ l${g} $s3,$stdframe($sp) # ivp
+ llgf $s0,0($s3) # load iv
+ llgf $s1,4($s3)
+ llgf $s2,8($s3)
+ llgf $s3,12($s3)
stm${g} %r2,%r5,2*$SIZE_T($sp)
la $key,0($key2)
larl $tbl,AES_Te
@@ -2113,11 +2102,9 @@
lghi %r1,0x87
srag %r0,$s3,63 # broadcast upper bit
ngr %r1,%r0 # rem
- srlg %r0,$s1,63 # carry bit from lower half
- sllg $s1,$s1,1
- sllg $s3,$s3,1
+ algr $s1,$s1
+ alcgr $s3,$s3
xgr $s1,%r1
- ogr $s3,%r0
lrvgr $s1,$s1 # flip byte order
lrvgr $s3,$s3
srlg $s0,$s1,32 # smash the tweak to 4x32-bits
@@ -2156,11 +2143,9 @@
lghi %r1,0x87
srag %r0,$s3,63 # broadcast upper bit
ngr %r1,%r0 # rem
- srlg %r0,$s1,63 # carry bit from lower half
- sllg $s1,$s1,1
- sllg $s3,$s3,1
+ algr $s1,$s1
+ alcgr $s3,$s3
xgr $s1,%r1
- ogr $s3,%r0
lrvgr $i2,$s1 # flip byte order
lrvgr $i3,$s3
stmg $i2,$i3,$tweak($sp) # save the 1st tweak
@@ -2176,11 +2161,9 @@
lghi %r1,0x87
srag %r0,$s3,63 # broadcast upper bit
ngr %r1,%r0 # rem
- srlg %r0,$s1,63 # carry bit from lower half
- sllg $s1,$s1,1
- sllg $s3,$s3,1
+ algr $s1,$s1
+ alcgr $s3,$s3
xgr $s1,%r1
- ogr $s3,%r0
lrvgr $s1,$s1 # flip byte order
lrvgr $s3,$s3
srlg $s0,$s1,32 # smash the tweak to 4x32-bits
diff --git a/crypto/aes/asm/aes-x86_64.pl b/crypto/aes/asm/aes-x86_64.pl
index 48fa857..34cbb5d 100755
--- a/crypto/aes/asm/aes-x86_64.pl
+++ b/crypto/aes/asm/aes-x86_64.pl
@@ -36,7 +36,8 @@
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
$verticalspin=1; # unlike 32-bit version $verticalspin performs
# ~15% better on both AMD and Intel cores
diff --git a/crypto/aes/asm/aesni-sha1-x86_64.pl b/crypto/aes/asm/aesni-sha1-x86_64.pl
index c6f6b33..3c8f6c1 100644
--- a/crypto/aes/asm/aesni-sha1-x86_64.pl
+++ b/crypto/aes/asm/aesni-sha1-x86_64.pl
@@ -69,7 +69,8 @@
`ml64 2>&1` =~ /Version ([0-9]+)\./ &&
$1>=10);
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
# void aesni_cbc_sha1_enc(const void *inp,
# void *out,
diff --git a/crypto/aes/asm/aesni-x86_64.pl b/crypto/aes/asm/aesni-x86_64.pl
index 499f3b3..0dbb194 100644
--- a/crypto/aes/asm/aesni-x86_64.pl
+++ b/crypto/aes/asm/aesni-x86_64.pl
@@ -172,7 +172,8 @@
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
$movkey = $PREFIX eq "aesni" ? "movups" : "movups";
@_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order
diff --git a/crypto/aes/asm/bsaes-x86_64.pl b/crypto/aes/asm/bsaes-x86_64.pl
index c9c6312..ceb02b5 100644
--- a/crypto/aes/asm/bsaes-x86_64.pl
+++ b/crypto/aes/asm/bsaes-x86_64.pl
@@ -105,7 +105,8 @@
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
my ($inp,$out,$len,$key,$ivp)=("%rdi","%rsi","%rdx","%rcx");
my @XMM=map("%xmm$_",(15,0..14)); # best on Atom, +10% over (0..15)
diff --git a/crypto/aes/asm/vpaes-x86_64.pl b/crypto/aes/asm/vpaes-x86_64.pl
index 37998db..41f2e46 100644
--- a/crypto/aes/asm/vpaes-x86_64.pl
+++ b/crypto/aes/asm/vpaes-x86_64.pl
@@ -56,7 +56,8 @@
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
$PREFIX="vpaes";
diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c
index 264ebf2..ead37ac 100644
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -567,6 +567,7 @@
if(mbflag == -1) return -1;
mbflag |= MBSTRING_FLAG;
stmp.data = NULL;
+ stmp.length = 0;
ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
if(ret < 0) return ret;
*out = stmp.data;
diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
index 432722e..fc84cd3 100644
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -140,6 +140,12 @@
int mdnid, pknid;
+ if (!pkey)
+ {
+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER);
+ return -1;
+ }
+
EVP_MD_CTX_init(&ctx);
/* Convert signature OID into digest and public key OIDs */
diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c
index 3c66dd1..8990909 100644
--- a/crypto/bio/bss_dgram.c
+++ b/crypto/bio/bss_dgram.c
@@ -77,10 +77,20 @@
#define OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE 0xc0
#endif
-#ifdef OPENSSL_SYS_LINUX
+#if defined(OPENSSL_SYS_LINUX) && !defined(IP_MTU)
#define IP_MTU 14 /* linux is lame */
#endif
+#if defined(__FreeBSD__) && defined(IN6_IS_ADDR_V4MAPPED)
+/* Standard definition causes type-punning problems. */
+#undef IN6_IS_ADDR_V4MAPPED
+#define s6_addr32 __u6_addr.__u6_addr32
+#define IN6_IS_ADDR_V4MAPPED(a) \
+ (((a)->s6_addr32[0] == 0) && \
+ ((a)->s6_addr32[1] == 0) && \
+ ((a)->s6_addr32[2] == htonl(0x0000ffff)))
+#endif
+
#ifdef WATT32
#define sock_write SockWrite /* Watt-32 uses same names */
#define sock_read SockRead
@@ -255,7 +265,7 @@
{
#if defined(SO_RCVTIMEO)
bio_dgram_data *data = (bio_dgram_data *)b->ptr;
- int sz = sizeof(int);
+ union { size_t s; int i; } sz = {0};
/* Is a timer active? */
if (data->next_timeout.tv_sec > 0 || data->next_timeout.tv_usec > 0)
@@ -265,8 +275,10 @@
/* Read current socket timeout */
#ifdef OPENSSL_SYS_WINDOWS
int timeout;
+
+ sz.i = sizeof(timeout);
if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
- (void*)&timeout, &sz) < 0)
+ (void*)&timeout, &sz.i) < 0)
{ perror("getsockopt"); }
else
{
@@ -274,9 +286,12 @@
data->socket_timeout.tv_usec = (timeout % 1000) * 1000;
}
#else
+ sz.i = sizeof(data->socket_timeout);
if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
&(data->socket_timeout), (void *)&sz) < 0)
{ perror("getsockopt"); }
+ else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0)
+ OPENSSL_assert(sz.s<=sizeof(data->socket_timeout));
#endif
/* Get current time */
@@ -445,11 +460,10 @@
int *ip;
struct sockaddr *to = NULL;
bio_dgram_data *data = NULL;
-#if defined(IP_MTU_DISCOVER) || defined(IP_MTU)
- long sockopt_val = 0;
- socklen_t sockopt_len = 0;
-#endif
-#ifdef OPENSSL_SYS_LINUX
+#if defined(OPENSSL_SYS_LINUX) && (defined(IP_MTU_DISCOVER) || defined(IP_MTU))
+ int sockopt_val = 0;
+ socklen_t sockopt_len; /* assume that system supporting IP_MTU is
+ * modern enough to define socklen_t */
socklen_t addr_len;
union {
struct sockaddr sa;
@@ -531,7 +545,7 @@
break;
/* (Linux)kernel sets DF bit on outgoing IP packets */
case BIO_CTRL_DGRAM_MTU_DISCOVER:
-#ifdef OPENSSL_SYS_LINUX
+#if defined(OPENSSL_SYS_LINUX) && defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO)
addr_len = (socklen_t)sizeof(addr);
memset((void *)&addr, 0, sizeof(addr));
if (getsockname(b->num, &addr.sa, &addr_len) < 0)
@@ -539,7 +553,6 @@
ret = 0;
break;
}
- sockopt_len = sizeof(sockopt_val);
switch (addr.sa.sa_family)
{
case AF_INET:
@@ -548,7 +561,7 @@
&sockopt_val, sizeof(sockopt_val))) < 0)
perror("setsockopt");
break;
-#if OPENSSL_USE_IPV6 && defined(IPV6_MTU_DISCOVER)
+#if OPENSSL_USE_IPV6 && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO)
case AF_INET6:
sockopt_val = IPV6_PMTUDISC_DO;
if ((ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
@@ -565,7 +578,7 @@
break;
#endif
case BIO_CTRL_DGRAM_QUERY_MTU:
-#ifdef OPENSSL_SYS_LINUX
+#if defined(OPENSSL_SYS_LINUX) && defined(IP_MTU)
addr_len = (socklen_t)sizeof(addr);
memset((void *)&addr, 0, sizeof(addr));
if (getsockname(b->num, &addr.sa, &addr_len) < 0)
@@ -727,12 +740,15 @@
#endif
break;
case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT:
-#ifdef OPENSSL_SYS_WINDOWS
{
- int timeout, sz = sizeof(timeout);
+ union { size_t s; int i; } sz = {0};
+#ifdef OPENSSL_SYS_WINDOWS
+ int timeout;
struct timeval *tv = (struct timeval *)ptr;
+
+ sz.i = sizeof(timeout);
if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
- (void*)&timeout, &sz) < 0)
+ (void*)&timeout, &sz.i) < 0)
{ perror("getsockopt"); ret = -1; }
else
{
@@ -740,12 +756,20 @@
tv->tv_usec = (timeout % 1000) * 1000;
ret = sizeof(*tv);
}
- }
#else
+ sz.i = sizeof(struct timeval);
if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
- ptr, (void *)&ret) < 0)
+ ptr, (void *)&sz) < 0)
{ perror("getsockopt"); ret = -1; }
+ else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0)
+ {
+ OPENSSL_assert(sz.s<=sizeof(struct timeval));
+ ret = (int)sz.s;
+ }
+ else
+ ret = sz.i;
#endif
+ }
break;
#endif
#if defined(SO_SNDTIMEO)
@@ -765,12 +789,15 @@
#endif
break;
case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT:
-#ifdef OPENSSL_SYS_WINDOWS
{
- int timeout, sz = sizeof(timeout);
+ union { size_t s; int i; } sz = {0};
+#ifdef OPENSSL_SYS_WINDOWS
+ int timeout;
struct timeval *tv = (struct timeval *)ptr;
+
+ sz.i = sizeof(timeout);
if (getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
- (void*)&timeout, &sz) < 0)
+ (void*)&timeout, &sz.i) < 0)
{ perror("getsockopt"); ret = -1; }
else
{
@@ -778,12 +805,20 @@
tv->tv_usec = (timeout % 1000) * 1000;
ret = sizeof(*tv);
}
- }
#else
+ sz.i = sizeof(struct timeval);
if ( getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
- ptr, (void *)&ret) < 0)
+ ptr, (void *)&sz) < 0)
{ perror("getsockopt"); ret = -1; }
+ else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0)
+ {
+ OPENSSL_assert(sz.s<=sizeof(struct timeval));
+ ret = (int)sz.s;
+ }
+ else
+ ret = sz.i;
#endif
+ }
break;
#endif
case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP:
@@ -955,7 +990,6 @@
#ifdef SCTP_AUTHENTICATION_EVENT
void dgram_sctp_handle_auth_free_key_event(BIO *b, union sctp_notification *snp)
{
- unsigned int sockopt_len = 0;
int ret;
struct sctp_authkey_event* authkeyevent = &snp->sn_auth_event;
@@ -965,9 +999,8 @@
/* delete key */
authkeyid.scact_keynumber = authkeyevent->auth_keynumber;
- sockopt_len = sizeof(struct sctp_authkeyid);
ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_DELETE_KEY,
- &authkeyid, sockopt_len);
+ &authkeyid, sizeof(struct sctp_authkeyid));
}
}
#endif
@@ -1298,7 +1331,7 @@
{
long ret=1;
bio_dgram_sctp_data *data = NULL;
- unsigned int sockopt_len = 0;
+ socklen_t sockopt_len = 0;
struct sctp_authkeyid authkeyid;
struct sctp_authkey *authkey;
diff --git a/crypto/bn/asm/bn-mips.S b/crypto/bn/asm/bn-mips.S
index 02097fa..229c709 100644
--- a/crypto/bn/asm/bn-mips.S
+++ b/crypto/bn/asm/bn-mips.S
@@ -582,7 +582,7 @@
bn_div_3_words_internal:
.set reorder
move $11,$31
- bal bn_div_words
+ bal bn_div_words_internal
move $31,$11
multu $10,$2
lw $14,-2*4($7)
diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl
index c162a3e..38b5164 100644
--- a/crypto/bn/asm/mips.pl
+++ b/crypto/bn/asm/mips.pl
@@ -819,7 +819,7 @@
$code.=<<___;
.set reorder
move $ta3,$ra
- bal bn_div_words
+ bal bn_div_words_internal
move $ra,$ta3
$MULTU $ta2,$v0
$LD $t2,-2*$BNSZ($a3)
diff --git a/crypto/bn/asm/modexp512-x86_64.pl b/crypto/bn/asm/modexp512-x86_64.pl
index 54aeb01..bfd6e97 100644
--- a/crypto/bn/asm/modexp512-x86_64.pl
+++ b/crypto/bn/asm/modexp512-x86_64.pl
@@ -68,7 +68,8 @@
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
use strict;
my $code=".text\n\n";
diff --git a/crypto/bn/asm/x86_64-gf2m.pl b/crypto/bn/asm/x86_64-gf2m.pl
index 1658acb..a30d4ef 100644
--- a/crypto/bn/asm/x86_64-gf2m.pl
+++ b/crypto/bn/asm/x86_64-gf2m.pl
@@ -31,7 +31,7 @@
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open STDOUT,"| \"$^X\" $xlate $flavour $output";
($lo,$hi)=("%rax","%rdx"); $a=$lo;
($i0,$i1)=("%rsi","%rdi");
diff --git a/crypto/bn/asm/x86_64-mont.pl b/crypto/bn/asm/x86_64-mont.pl
index 5d79b35..17fb94c 100755
--- a/crypto/bn/asm/x86_64-mont.pl
+++ b/crypto/bn/asm/x86_64-mont.pl
@@ -40,7 +40,8 @@
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
# int bn_mul_mont(
$rp="%rdi"; # BN_ULONG *rp,
diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl
index 057cda2..8f8dc5a 100755
--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@@ -28,7 +28,8 @@
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
# int bn_mul_mont_gather5(
$rp="%rdi"; # BN_ULONG *rp,
diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index 52b3304..7b24031 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -141,6 +141,7 @@
*
* <appro@fy.chalmers.se>
*/
+#undef bn_div_words
# define bn_div_words(n0,n1,d0) \
({ asm volatile ( \
"divl %4" \
@@ -155,6 +156,7 @@
* Same story here, but it's 128-bit by 64-bit division. Wow!
* <appro@fy.chalmers.se>
*/
+# undef bn_div_words
# define bn_div_words(n0,n1,d0) \
({ asm volatile ( \
"divq %4" \
diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c
index 4a35211..a808f53 100644
--- a/crypto/bn/bn_gcd.c
+++ b/crypto/bn/bn_gcd.c
@@ -205,6 +205,7 @@
/* solves ax == 1 (mod n) */
static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
+
BIGNUM *BN_mod_inverse(BIGNUM *in,
const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
{
diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h
index eecfd8c..817c773 100644
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -282,16 +282,23 @@
# endif
# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
# if defined(__GNUC__) && __GNUC__>=2
-# define BN_UMULT_HIGH(a,b) ({ \
+# if __GNUC__>=4 && __GNUC_MINOR__>=4 /* "h" constraint is no more since 4.4 */
+# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64)
+# define BN_UMULT_LOHI(low,high,a,b) ({ \
+ __uint128_t ret=(__uint128_t)(a)*(b); \
+ (high)=ret>>64; (low)=ret; })
+# else
+# define BN_UMULT_HIGH(a,b) ({ \
register BN_ULONG ret; \
asm ("dmultu %1,%2" \
: "=h"(ret) \
: "r"(a), "r"(b) : "l"); \
ret; })
-# define BN_UMULT_LOHI(low,high,a,b) \
+# define BN_UMULT_LOHI(low,high,a,b)\
asm ("dmultu %2,%3" \
: "=l"(low),"=h"(high) \
: "r"(a), "r"(b));
+# endif
# endif
# endif /* cpu */
#endif /* OPENSSL_NO_ASM */
diff --git a/crypto/bn/bn_word.c b/crypto/bn/bn_word.c
index ee7b87c..de83a15 100644
--- a/crypto/bn/bn_word.c
+++ b/crypto/bn/bn_word.c
@@ -144,26 +144,17 @@
a->neg=!(a->neg);
return(i);
}
- /* Only expand (and risk failing) if it's possibly necessary */
- if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) &&
- (bn_wexpand(a,a->top+1) == NULL))
- return(0);
- i=0;
- for (;;)
+ for (i=0;w!=0 && i<a->top;i++)
{
- if (i >= a->top)
- l=w;
- else
- l=(a->d[i]+w)&BN_MASK2;
- a->d[i]=l;
- if (w > l)
- w=1;
- else
- break;
- i++;
+ a->d[i] = l = (a->d[i]+w)&BN_MASK2;
+ w = (w>l)?1:0;
}
- if (i >= a->top)
+ if (w && i==a->top)
+ {
+ if (bn_wexpand(a,a->top+1) == NULL) return 0;
a->top++;
+ a->d[i]=w;
+ }
bn_check_top(a);
return(1);
}
diff --git a/crypto/conf/conf_mall.c b/crypto/conf/conf_mall.c
index c6f4cb2..213890e 100644
--- a/crypto/conf/conf_mall.c
+++ b/crypto/conf/conf_mall.c
@@ -76,5 +76,6 @@
#ifndef OPENSSL_NO_ENGINE
ENGINE_add_conf_module();
#endif
+ EVP_add_alg_module();
}
diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c
index d47ab55..304c6b7 100644
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -704,6 +704,7 @@
}
else
vec = OPENSSL_ia32_cpuid();
+
/*
* |(1<<10) sets a reserved bit to signal that variable
* was initialized already... This is to avoid interference
diff --git a/crypto/cryptlib.h b/crypto/cryptlib.h
index 1761f6b..d26f963 100644
--- a/crypto/cryptlib.h
+++ b/crypto/cryptlib.h
@@ -100,7 +100,7 @@
void OPENSSL_cpuid_setup(void);
extern unsigned int OPENSSL_ia32cap_P[];
-void OPENSSL_showfatal(const char *,...);
+void OPENSSL_showfatal(const char *fmta,...);
void *OPENSSL_stderr(void);
extern int OPENSSL_NONPIC_relocated;
diff --git a/crypto/crypto.h b/crypto/crypto.h
index 793a325..f92fc51 100644
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -488,10 +488,10 @@
long (**go)(void));
void *CRYPTO_malloc_locked(int num, const char *file, int line);
-void CRYPTO_free_locked(void *);
+void CRYPTO_free_locked(void *ptr);
void *CRYPTO_malloc(int num, const char *file, int line);
char *CRYPTO_strdup(const char *str, const char *file, int line);
-void CRYPTO_free(void *);
+void CRYPTO_free(void *ptr);
void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,
int line);
diff --git a/crypto/des/set_key.c b/crypto/des/set_key.c
index d3e69ca..da4d62e 100644
--- a/crypto/des/set_key.c
+++ b/crypto/des/set_key.c
@@ -63,9 +63,8 @@
* 1.1 added norm_expand_bits
* 1.0 First working version
*/
-#include "des_locl.h"
-
#include <openssl/crypto.h>
+#include "des_locl.h"
OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key,0) /* defaults to false */
diff --git a/crypto/des/str2key.c b/crypto/des/str2key.c
index 9c2054b..1077f99 100644
--- a/crypto/des/str2key.c
+++ b/crypto/des/str2key.c
@@ -56,8 +56,8 @@
* [including the GNU Public Licence.]
*/
-#include "des_locl.h"
#include <openssl/crypto.h>
+#include "des_locl.h"
void DES_string_to_key(const char *str, DES_cblock *key)
{
diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
index 9d01325..dfe8710 100644
--- a/crypto/ec/ec.h
+++ b/crypto/ec/ec.h
@@ -274,10 +274,10 @@
void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
int EC_GROUP_get_asn1_flag(const EC_GROUP *group);
-void EC_GROUP_set_point_conversion_form(EC_GROUP *, point_conversion_form_t);
+void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form);
point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *);
-unsigned char *EC_GROUP_get0_seed(const EC_GROUP *);
+unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x);
size_t EC_GROUP_get_seed_len(const EC_GROUP *);
size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
@@ -626,8 +626,8 @@
*/
int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
-int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
-int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx);
+int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx);
/** Computes r = generator * n sum_{i=0}^num p[i] * m[i]
* \param group underlying EC_GROUP object
@@ -800,16 +800,24 @@
int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
unsigned EC_KEY_get_enc_flags(const EC_KEY *key);
-void EC_KEY_set_enc_flags(EC_KEY *, unsigned int);
-point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *);
-void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t);
+void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);
+point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
+void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
/* functions to set/get method specific data */
-void *EC_KEY_get_key_method_data(EC_KEY *,
+void *EC_KEY_get_key_method_data(EC_KEY *key,
void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
-void EC_KEY_insert_key_method_data(EC_KEY *, void *data,
+/** Sets the key method data of an EC_KEY object, if none has yet been set.
+ * \param key EC_KEY object
+ * \param data opaque data to install.
+ * \param dup_func a function that duplicates |data|.
+ * \param free_func a function that frees |data|.
+ * \param clear_free_func a function that wipes and frees |data|.
+ * \return the previously set data pointer, or NULL if |data| was inserted.
+ */
+void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
/* wrapper functions for the underlying EC_GROUP object */
-void EC_KEY_set_asn1_flag(EC_KEY *, int);
+void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
/** Creates a table of pre-computed multiples of the generator to
* accelerate further EC_KEY operations.
diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index bf9fd2d..7fa2475 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -520,18 +520,27 @@
void *EC_KEY_get_key_method_data(EC_KEY *key,
void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
{
- return EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
+ void *ret;
+
+ CRYPTO_r_lock(CRYPTO_LOCK_EC);
+ ret = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
+ CRYPTO_r_unlock(CRYPTO_LOCK_EC);
+
+ return ret;
}
-void EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
+void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
{
EC_EXTRA_DATA *ex_data;
+
CRYPTO_w_lock(CRYPTO_LOCK_EC);
ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
if (ex_data == NULL)
EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func);
CRYPTO_w_unlock(CRYPTO_LOCK_EC);
+
+ return ex_data;
}
void EC_KEY_set_asn1_flag(EC_KEY *key, int flag)
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index d1ed66c..66ee397 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -188,7 +188,7 @@
pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
- /* NB: unlike PKS#3 DH, if *outlen is less than maximum size this is
+ /* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
* not an error, the result is truncated.
*/
diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c
index 079e474..f04f132 100644
--- a/crypto/ec/ecp_mont.c
+++ b/crypto/ec/ecp_mont.c
@@ -114,7 +114,6 @@
ec_GFp_mont_field_decode,
ec_GFp_mont_field_set_to_one };
-
return &ret;
#endif
}
diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c
index f107782..102eaa9 100644
--- a/crypto/ec/ectest.c
+++ b/crypto/ec/ectest.c
@@ -236,7 +236,7 @@
}
static void prime_field_tests(void)
- {
+ {
BN_CTX *ctx = NULL;
BIGNUM *p, *a, *b;
EC_GROUP *group;
diff --git a/crypto/ecdh/ech_key.c b/crypto/ecdh/ech_key.c
index f44da92..2988899 100644
--- a/crypto/ecdh/ech_key.c
+++ b/crypto/ecdh/ech_key.c
@@ -68,9 +68,6 @@
*/
#include "ech_locl.h"
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
EC_KEY *eckey,
diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c
index dadbfd3..0644431 100644
--- a/crypto/ecdh/ech_lib.c
+++ b/crypto/ecdh/ech_lib.c
@@ -222,8 +222,15 @@
ecdh_data = (ECDH_DATA *)ecdh_data_new();
if (ecdh_data == NULL)
return NULL;
- EC_KEY_insert_key_method_data(key, (void *)ecdh_data,
- ecdh_data_dup, ecdh_data_free, ecdh_data_free);
+ data = EC_KEY_insert_key_method_data(key, (void *)ecdh_data,
+ ecdh_data_dup, ecdh_data_free, ecdh_data_free);
+ if (data != NULL)
+ {
+ /* Another thread raced us to install the key_method
+ * data and won. */
+ ecdh_data_free(ecdh_data);
+ ecdh_data = (ECDH_DATA *)data;
+ }
}
else
ecdh_data = (ECDH_DATA *)data;
diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c
index e477da4..814a6bf 100644
--- a/crypto/ecdsa/ecs_lib.c
+++ b/crypto/ecdsa/ecs_lib.c
@@ -200,8 +200,15 @@
ecdsa_data = (ECDSA_DATA *)ecdsa_data_new();
if (ecdsa_data == NULL)
return NULL;
- EC_KEY_insert_key_method_data(key, (void *)ecdsa_data,
- ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free);
+ data = EC_KEY_insert_key_method_data(key, (void *)ecdsa_data,
+ ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free);
+ if (data != NULL)
+ {
+ /* Another thread raced us to install the key_method
+ * data and won. */
+ ecdsa_data_free(ecdsa_data);
+ ecdsa_data = (ECDSA_DATA *)data;
+ }
}
else
ecdsa_data = (ECDSA_DATA *)data;
diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c
index bd8946d..8eb547d 100644
--- a/crypto/err/err_all.c
+++ b/crypto/err/err_all.c
@@ -64,7 +64,9 @@
#endif
#include <openssl/buffer.h>
#include <openssl/bio.h>
+#ifndef OPENSSL_NO_COMP
#include <openssl/comp.h>
+#endif
#ifndef OPENSSL_NO_RSA
#include <openssl/rsa.h>
#endif
@@ -95,6 +97,9 @@
#include <openssl/ui.h>
#include <openssl/ocsp.h>
#include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
#include <openssl/ts.h>
#ifndef OPENSSL_NO_CMS
#include <openssl/cms.h>
@@ -102,11 +107,6 @@
#ifndef OPENSSL_NO_JPAKE
#include <openssl/jpake.h>
#endif
-#include <openssl/comp.h>
-
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
void ERR_load_crypto_strings(void)
{
@@ -130,7 +130,9 @@
ERR_load_ASN1_strings();
ERR_load_CONF_strings();
ERR_load_CRYPTO_strings();
+#ifndef OPENSSL_NO_COMP
ERR_load_COMP_strings();
+#endif
#ifndef OPENSSL_NO_EC
ERR_load_EC_strings();
#endif
@@ -153,15 +155,14 @@
#endif
ERR_load_OCSP_strings();
ERR_load_UI_strings();
+#ifdef OPENSSL_FIPS
+ ERR_load_FIPS_strings();
+#endif
#ifndef OPENSSL_NO_CMS
ERR_load_CMS_strings();
#endif
#ifndef OPENSSL_NO_JPAKE
ERR_load_JPAKE_strings();
#endif
- ERR_load_COMP_strings();
-#endif
-#ifdef OPENSSL_FIPS
- ERR_load_FIPS_strings();
#endif
}
diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
index e230e60..2a45d43 100644
--- a/crypto/evp/c_allc.c
+++ b/crypto/evp/c_allc.c
@@ -195,13 +195,11 @@
EVP_add_cipher(EVP_aes_256_xts());
EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
-#if 0 /* Disabled because of timing side-channel leaks. */
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
#endif
#endif
-#endif
#ifndef OPENSSL_NO_CAMELLIA
EVP_add_cipher(EVP_camellia_128_ecb());
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 467e6b5..6fc469f 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -267,6 +267,7 @@
return FIPS_digestfinal(ctx, md, size);
#else
int ret;
+
OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
ret=ctx->digest->final(ctx,md);
if (size != NULL)
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 1e4af0c..1bfb5d9 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -969,8 +969,6 @@
if (!gctx->iv_set)
return -1;
- if (!ctx->encrypt && gctx->taglen < 0)
- return -1;
if (in)
{
if (out == NULL)
@@ -1012,6 +1010,8 @@
{
if (!ctx->encrypt)
{
+ if (gctx->taglen < 0)
+ return -1;
if (CRYPTO_gcm128_finish(&gctx->gcm,
ctx->buf, gctx->taglen) != 0)
return -1;
@@ -1217,6 +1217,7 @@
vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
&cctx->ks, (block128_f)vpaes_encrypt);
+ cctx->str = NULL;
cctx->key_set = 1;
break;
}
diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
index 710fb79..b7aff44 100644
--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -1,5 +1,5 @@
/* ====================================================================
- * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -90,6 +90,10 @@
defined(_M_AMD64) || defined(_M_X64) || \
defined(__INTEL__) )
+#if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
+# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
+#endif
+
extern unsigned int OPENSSL_ia32cap_P[2];
#define AESNI_CAPABLE (1<<(57-32))
@@ -167,6 +171,9 @@
SHA1_Update(c,ptr,res);
}
+#ifdef SHA1_Update
+#undef SHA1_Update
+#endif
#define SHA1_Update sha1_update
static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -184,6 +191,8 @@
sha_off = SHA_CBLOCK-key->md.num;
#endif
+ key->payload_length = NO_PAYLOAD_LENGTH;
+
if (len%AES_BLOCK_SIZE) return 0;
if (ctx->encrypt) {
@@ -234,47 +243,203 @@
&key->ks,ctx->iv,1);
}
} else {
- unsigned char mac[SHA_DIGEST_LENGTH];
+ union { unsigned int u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
+ unsigned char c[SHA_DIGEST_LENGTH]; } mac;
/* decrypt HMAC|padding at once */
aesni_cbc_encrypt(in,out,len,
&key->ks,ctx->iv,0);
if (plen) { /* "TLS" mode of operation */
- /* figure out payload length */
- if (len<(size_t)(out[len-1]+1+SHA_DIGEST_LENGTH))
- return 0;
-
- len -= (out[len-1]+1+SHA_DIGEST_LENGTH);
+ size_t inp_len, mask, j, i;
+ unsigned int res, maxpad, pad, bitlen;
+ int ret = 1;
+ union { unsigned int u[SHA_LBLOCK];
+ unsigned char c[SHA_CBLOCK]; }
+ *data = (void *)key->md.data;
if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3])
- >= TLS1_1_VERSION) {
- len -= AES_BLOCK_SIZE;
+ >= TLS1_1_VERSION)
iv = AES_BLOCK_SIZE;
- }
- key->aux.tls_aad[plen-2] = len>>8;
- key->aux.tls_aad[plen-1] = len;
+ if (len<(iv+SHA_DIGEST_LENGTH+1))
+ return 0;
- /* calculate HMAC and verify it */
+ /* omit explicit iv */
+ out += iv;
+ len -= iv;
+
+ /* figure out payload length */
+ pad = out[len-1];
+ maxpad = len-(SHA_DIGEST_LENGTH+1);
+ maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
+ maxpad &= 255;
+
+ inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
+ mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
+ inp_len &= mask;
+ ret &= (int)mask;
+
+ key->aux.tls_aad[plen-2] = inp_len>>8;
+ key->aux.tls_aad[plen-1] = inp_len;
+
+ /* calculate HMAC */
key->md = key->head;
SHA1_Update(&key->md,key->aux.tls_aad,plen);
- SHA1_Update(&key->md,out+iv,len);
- SHA1_Final(mac,&key->md);
+#if 1
+ len -= SHA_DIGEST_LENGTH; /* amend mac */
+ if (len>=(256+SHA_CBLOCK)) {
+ j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK);
+ j += SHA_CBLOCK-key->md.num;
+ SHA1_Update(&key->md,out,j);
+ out += j;
+ len -= j;
+ inp_len -= j;
+ }
+
+ /* but pretend as if we hashed padded payload */
+ bitlen = key->md.Nl+(inp_len<<3); /* at most 18 bits */
+ mac.c[0] = 0;
+ mac.c[1] = (unsigned char)(bitlen>>16);
+ mac.c[2] = (unsigned char)(bitlen>>8);
+ mac.c[3] = (unsigned char)bitlen;
+ bitlen = mac.u[0];
+
+ mac.u[0]=0;
+ mac.u[1]=0;
+ mac.u[2]=0;
+ mac.u[3]=0;
+ mac.u[4]=0;
+
+ for (res=key->md.num, j=0;j<len;j++) {
+ size_t c = out[j];
+ mask = (j-inp_len)>>(sizeof(j)*8-8);
+ c &= mask;
+ c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8));
+ data->c[res++]=(unsigned char)c;
+
+ if (res!=SHA_CBLOCK) continue;
+
+ mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
+ data->u[SHA_LBLOCK-1] |= bitlen&mask;
+ sha1_block_data_order(&key->md,data,1);
+ mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+ mac.u[0] |= key->md.h0 & mask;
+ mac.u[1] |= key->md.h1 & mask;
+ mac.u[2] |= key->md.h2 & mask;
+ mac.u[3] |= key->md.h3 & mask;
+ mac.u[4] |= key->md.h4 & mask;
+ res=0;
+ }
+
+ for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0;
+
+ if (res>SHA_CBLOCK-8) {
+ mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
+ data->u[SHA_LBLOCK-1] |= bitlen&mask;
+ sha1_block_data_order(&key->md,data,1);
+ mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+ mac.u[0] |= key->md.h0 & mask;
+ mac.u[1] |= key->md.h1 & mask;
+ mac.u[2] |= key->md.h2 & mask;
+ mac.u[3] |= key->md.h3 & mask;
+ mac.u[4] |= key->md.h4 & mask;
+
+ memset(data,0,SHA_CBLOCK);
+ j+=64;
+ }
+ data->u[SHA_LBLOCK-1] = bitlen;
+ sha1_block_data_order(&key->md,data,1);
+ mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));
+ mac.u[0] |= key->md.h0 & mask;
+ mac.u[1] |= key->md.h1 & mask;
+ mac.u[2] |= key->md.h2 & mask;
+ mac.u[3] |= key->md.h3 & mask;
+ mac.u[4] |= key->md.h4 & mask;
+
+#ifdef BSWAP
+ mac.u[0] = BSWAP(mac.u[0]);
+ mac.u[1] = BSWAP(mac.u[1]);
+ mac.u[2] = BSWAP(mac.u[2]);
+ mac.u[3] = BSWAP(mac.u[3]);
+ mac.u[4] = BSWAP(mac.u[4]);
+#else
+ for (i=0;i<5;i++) {
+ res = mac.u[i];
+ mac.c[4*i+0]=(unsigned char)(res>>24);
+ mac.c[4*i+1]=(unsigned char)(res>>16);
+ mac.c[4*i+2]=(unsigned char)(res>>8);
+ mac.c[4*i+3]=(unsigned char)res;
+ }
+#endif
+ len += SHA_DIGEST_LENGTH;
+#else
+ SHA1_Update(&key->md,out,inp_len);
+ res = key->md.num;
+ SHA1_Final(mac.c,&key->md);
+
+ {
+ unsigned int inp_blocks, pad_blocks;
+
+ /* but pretend as if we hashed padded payload */
+ inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
+ res += (unsigned int)(len-inp_len);
+ pad_blocks = res / SHA_CBLOCK;
+ res %= SHA_CBLOCK;
+ pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
+ for (;inp_blocks<pad_blocks;inp_blocks++)
+ sha1_block_data_order(&key->md,data,1);
+ }
+#endif
key->md = key->tail;
- SHA1_Update(&key->md,mac,SHA_DIGEST_LENGTH);
- SHA1_Final(mac,&key->md);
+ SHA1_Update(&key->md,mac.c,SHA_DIGEST_LENGTH);
+ SHA1_Final(mac.c,&key->md);
- if (memcmp(out+iv+len,mac,SHA_DIGEST_LENGTH))
- return 0;
+ /* verify HMAC */
+ out += inp_len;
+ len -= inp_len;
+#if 1
+ {
+ unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH;
+ size_t off = out-p;
+ unsigned int c, cmask;
+
+ maxpad += SHA_DIGEST_LENGTH;
+ for (res=0,i=0,j=0;j<maxpad;j++) {
+ c = p[j];
+ cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);
+ res |= (c^pad)&~cmask; /* ... and padding */
+ cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);
+ res |= (c^mac.c[i])&cmask;
+ i += 1&cmask;
+ }
+ maxpad -= SHA_DIGEST_LENGTH;
+
+ res = 0-((0-res)>>(sizeof(res)*8-1));
+ ret &= (int)~res;
+ }
+#else
+ for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)
+ res |= out[i]^mac.c[i];
+ res = 0-((0-res)>>(sizeof(res)*8-1));
+ ret &= (int)~res;
+
+ /* verify padding */
+ pad = (pad&~res) | (maxpad&res);
+ out = out+len-1-pad;
+ for (res=0,i=0;i<pad;i++)
+ res |= out[i]^pad;
+
+ res = (0-res)>>(sizeof(res)*8-1);
+ ret &= (int)~res;
+#endif
+ return ret;
} else {
SHA1_Update(&key->md,out,len);
}
}
- key->payload_length = NO_PAYLOAD_LENGTH;
-
return 1;
}
@@ -309,6 +474,8 @@
SHA1_Init(&key->tail);
SHA1_Update(&key->tail,hmac_key,sizeof(hmac_key));
+ OPENSSL_cleanse(hmac_key,sizeof(hmac_key));
+
return 1;
}
case EVP_CTRL_AEAD_TLS1_AAD:
diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h
index 8096a72..e43a58e 100644
--- a/crypto/evp/evp.h
+++ b/crypto/evp/evp.h
@@ -402,7 +402,6 @@
/* Length of tag for TLS */
#define EVP_GCM_TLS_TAG_LEN 16
-
typedef struct evp_cipher_info_st
{
const EVP_CIPHER *cipher;
@@ -789,8 +788,8 @@
# define EVP_aes_128_cfb EVP_aes_128_cfb128
const EVP_CIPHER *EVP_aes_128_ofb(void);
const EVP_CIPHER *EVP_aes_128_ctr(void);
-const EVP_CIPHER *EVP_aes_128_gcm(void);
const EVP_CIPHER *EVP_aes_128_ccm(void);
+const EVP_CIPHER *EVP_aes_128_gcm(void);
const EVP_CIPHER *EVP_aes_128_xts(void);
const EVP_CIPHER *EVP_aes_192_ecb(void);
const EVP_CIPHER *EVP_aes_192_cbc(void);
@@ -800,8 +799,8 @@
# define EVP_aes_192_cfb EVP_aes_192_cfb128
const EVP_CIPHER *EVP_aes_192_ofb(void);
const EVP_CIPHER *EVP_aes_192_ctr(void);
-const EVP_CIPHER *EVP_aes_192_gcm(void);
const EVP_CIPHER *EVP_aes_192_ccm(void);
+const EVP_CIPHER *EVP_aes_192_gcm(void);
const EVP_CIPHER *EVP_aes_256_ecb(void);
const EVP_CIPHER *EVP_aes_256_cbc(void);
const EVP_CIPHER *EVP_aes_256_cfb1(void);
@@ -810,8 +809,8 @@
# define EVP_aes_256_cfb EVP_aes_256_cfb128
const EVP_CIPHER *EVP_aes_256_ofb(void);
const EVP_CIPHER *EVP_aes_256_ctr(void);
-const EVP_CIPHER *EVP_aes_256_gcm(void);
const EVP_CIPHER *EVP_aes_256_ccm(void);
+const EVP_CIPHER *EVP_aes_256_gcm(void);
const EVP_CIPHER *EVP_aes_256_xts(void);
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
@@ -1244,6 +1243,8 @@
int (*ctrl_str)(EVP_PKEY_CTX *ctx,
const char *type, const char *value));
+void EVP_add_alg_module(void);
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
@@ -1258,6 +1259,7 @@
#define EVP_F_AES_INIT_KEY 133
#define EVP_F_AES_XTS 172
#define EVP_F_AES_XTS_CIPHER 175
+#define EVP_F_ALG_MODULE_INIT 177
#define EVP_F_CAMELLIA_INIT_KEY 159
#define EVP_F_CMAC_INIT 173
#define EVP_F_D2I_PKEY 100
@@ -1351,15 +1353,19 @@
#define EVP_R_DIFFERENT_PARAMETERS 153
#define EVP_R_DISABLED_FOR_FIPS 163
#define EVP_R_ENCODE_ERROR 115
+#define EVP_R_ERROR_LOADING_SECTION 165
+#define EVP_R_ERROR_SETTING_FIPS_MODE 166
#define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119
#define EVP_R_EXPECTING_AN_RSA_KEY 127
#define EVP_R_EXPECTING_A_DH_KEY 128
#define EVP_R_EXPECTING_A_DSA_KEY 129
#define EVP_R_EXPECTING_A_ECDSA_KEY 141
#define EVP_R_EXPECTING_A_EC_KEY 142
+#define EVP_R_FIPS_MODE_NOT_SUPPORTED 167
#define EVP_R_INITIALIZATION_ERROR 134
#define EVP_R_INPUT_NOT_INITIALIZED 111
#define EVP_R_INVALID_DIGEST 152
+#define EVP_R_INVALID_FIPS_MODE 168
#define EVP_R_INVALID_KEY_LENGTH 130
#define EVP_R_INVALID_OPERATION 148
#define EVP_R_IV_TOO_LARGE 102
@@ -1384,6 +1390,7 @@
#define EVP_R_TOO_LARGE 164
#define EVP_R_UNKNOWN_CIPHER 160
#define EVP_R_UNKNOWN_DIGEST 161
+#define EVP_R_UNKNOWN_OPTION 169
#define EVP_R_UNKNOWN_PBE_ALGORITHM 121
#define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135
#define EVP_R_UNSUPPORTED_ALGORITHM 156
diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c
new file mode 100644
index 0000000..2e4db30
--- /dev/null
+++ b/crypto/evp/evp_cnf.c
@@ -0,0 +1,125 @@
+/* evp_cnf.c */
+/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL
+ * project 2007.
+ */
+/* ====================================================================
+ * Copyright (c) 2007 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <ctype.h>
+#include <openssl/crypto.h>
+#include "cryptlib.h"
+#include <openssl/conf.h>
+#include <openssl/dso.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
+
+
+/* Algorithm configuration module. */
+
+static int alg_module_init(CONF_IMODULE *md, const CONF *cnf)
+ {
+ int i;
+ const char *oid_section;
+ STACK_OF(CONF_VALUE) *sktmp;
+ CONF_VALUE *oval;
+ oid_section = CONF_imodule_get_value(md);
+ if(!(sktmp = NCONF_get_section(cnf, oid_section)))
+ {
+ EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_LOADING_SECTION);
+ return 0;
+ }
+ for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++)
+ {
+ oval = sk_CONF_VALUE_value(sktmp, i);
+ if (!strcmp(oval->name, "fips_mode"))
+ {
+ int m;
+ if (!X509V3_get_value_bool(oval, &m))
+ {
+ EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_INVALID_FIPS_MODE);
+ return 0;
+ }
+ if (m > 0)
+ {
+#ifdef OPENSSL_FIPS
+ if (!FIPS_mode() && !FIPS_mode_set(1))
+ {
+ EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_SETTING_FIPS_MODE);
+ return 0;
+ }
+#else
+ EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_FIPS_MODE_NOT_SUPPORTED);
+ return 0;
+#endif
+ }
+ }
+ else
+ {
+ EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION);
+ ERR_add_error_data(4, "name=", oval->name,
+ ", value=", oval->value);
+ }
+
+ }
+ return 1;
+ }
+
+void EVP_add_alg_module(void)
+ {
+ CONF_module_add("alg_section", alg_module_init, 0);
+ }
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index db0f76d..08eab98 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -75,6 +75,7 @@
{ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"},
{ERR_FUNC(EVP_F_AES_XTS), "AES_XTS"},
{ERR_FUNC(EVP_F_AES_XTS_CIPHER), "AES_XTS_CIPHER"},
+{ERR_FUNC(EVP_F_ALG_MODULE_INIT), "ALG_MODULE_INIT"},
{ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"},
{ERR_FUNC(EVP_F_CMAC_INIT), "CMAC_INIT"},
{ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"},
@@ -171,15 +172,19 @@
{ERR_REASON(EVP_R_DIFFERENT_PARAMETERS) ,"different parameters"},
{ERR_REASON(EVP_R_DISABLED_FOR_FIPS) ,"disabled for fips"},
{ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"},
+{ERR_REASON(EVP_R_ERROR_LOADING_SECTION) ,"error loading section"},
+{ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE),"error setting fips mode"},
{ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"},
{ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"},
{ERR_REASON(EVP_R_EXPECTING_A_DH_KEY) ,"expecting a dh key"},
{ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY) ,"expecting a dsa key"},
{ERR_REASON(EVP_R_EXPECTING_A_ECDSA_KEY) ,"expecting a ecdsa key"},
{ERR_REASON(EVP_R_EXPECTING_A_EC_KEY) ,"expecting a ec key"},
+{ERR_REASON(EVP_R_FIPS_MODE_NOT_SUPPORTED),"fips mode not supported"},
{ERR_REASON(EVP_R_INITIALIZATION_ERROR) ,"initialization error"},
{ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not initialized"},
{ERR_REASON(EVP_R_INVALID_DIGEST) ,"invalid digest"},
+{ERR_REASON(EVP_R_INVALID_FIPS_MODE) ,"invalid fips mode"},
{ERR_REASON(EVP_R_INVALID_KEY_LENGTH) ,"invalid key length"},
{ERR_REASON(EVP_R_INVALID_OPERATION) ,"invalid operation"},
{ERR_REASON(EVP_R_IV_TOO_LARGE) ,"iv too large"},
@@ -204,6 +209,7 @@
{ERR_REASON(EVP_R_TOO_LARGE) ,"too large"},
{ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"},
{ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"},
+{ERR_REASON(EVP_R_UNKNOWN_OPTION) ,"unknown option"},
{ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},
{ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"},
{ERR_REASON(EVP_R_UNSUPPORTED_ALGORITHM) ,"unsupported algorithm"},
diff --git a/crypto/evp/m_dss.c b/crypto/evp/m_dss.c
index 4ad63ad..6fb7e9a 100644
--- a/crypto/evp/m_dss.c
+++ b/crypto/evp/m_dss.c
@@ -60,7 +60,7 @@
#include "cryptlib.h"
#include <openssl/evp.h>
#include <openssl/objects.h>
-#include <openssl/x509.h>
+#include <openssl/sha.h>
#ifndef OPENSSL_NO_DSA
#include <openssl/dsa.h>
#endif
diff --git a/crypto/evp/m_dss1.c b/crypto/evp/m_dss1.c
index f80170e..2df362a 100644
--- a/crypto/evp/m_dss1.c
+++ b/crypto/evp/m_dss1.c
@@ -63,7 +63,7 @@
#include <openssl/evp.h>
#include <openssl/objects.h>
-#include <openssl/x509.h>
+#include <openssl/sha.h>
#ifndef OPENSSL_NO_DSA
#include <openssl/dsa.h>
#endif
diff --git a/crypto/evp/m_sha1.c b/crypto/evp/m_sha1.c
index 3cb11f1..bd0c01a 100644
--- a/crypto/evp/m_sha1.c
+++ b/crypto/evp/m_sha1.c
@@ -65,7 +65,7 @@
#include <openssl/evp.h>
#include <openssl/objects.h>
-#include <openssl/x509.h>
+#include <openssl/sha.h>
#ifndef OPENSSL_NO_RSA
#include <openssl/rsa.h>
#endif
diff --git a/crypto/evp/p_sign.c b/crypto/evp/p_sign.c
index dfa48c1..8afb664 100644
--- a/crypto/evp/p_sign.c
+++ b/crypto/evp/p_sign.c
@@ -80,7 +80,7 @@
{
unsigned char m[EVP_MAX_MD_SIZE];
unsigned int m_len;
- int i=0,ok=0,v;
+ int i = 0,ok = 0,v;
EVP_MD_CTX tmp_ctx;
EVP_PKEY_CTX *pkctx = NULL;
diff --git a/crypto/evp/p_verify.c b/crypto/evp/p_verify.c
index 5f5c409..c66d63c 100644
--- a/crypto/evp/p_verify.c
+++ b/crypto/evp/p_verify.c
@@ -67,7 +67,7 @@
{
unsigned char m[EVP_MAX_MD_SIZE];
unsigned int m_len;
- int i=-1,ok=0,v;
+ int i = 0,ok = 0,v;
EVP_MD_CTX tmp_ctx;
EVP_PKEY_CTX *pkctx = NULL;
diff --git a/crypto/md4/md4_dgst.c b/crypto/md4/md4_dgst.c
index 82c2cb2..b5b165b 100644
--- a/crypto/md4/md4_dgst.c
+++ b/crypto/md4/md4_dgst.c
@@ -106,22 +106,23 @@
for (;num--;)
{
- HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l;
+ (void)HOST_c2l(data,l); X( 0)=l;
+ (void)HOST_c2l(data,l); X( 1)=l;
/* Round 0 */
- R0(A,B,C,D,X( 0), 3,0); HOST_c2l(data,l); X( 2)=l;
- R0(D,A,B,C,X( 1), 7,0); HOST_c2l(data,l); X( 3)=l;
- R0(C,D,A,B,X( 2),11,0); HOST_c2l(data,l); X( 4)=l;
- R0(B,C,D,A,X( 3),19,0); HOST_c2l(data,l); X( 5)=l;
- R0(A,B,C,D,X( 4), 3,0); HOST_c2l(data,l); X( 6)=l;
- R0(D,A,B,C,X( 5), 7,0); HOST_c2l(data,l); X( 7)=l;
- R0(C,D,A,B,X( 6),11,0); HOST_c2l(data,l); X( 8)=l;
- R0(B,C,D,A,X( 7),19,0); HOST_c2l(data,l); X( 9)=l;
- R0(A,B,C,D,X( 8), 3,0); HOST_c2l(data,l); X(10)=l;
- R0(D,A,B,C,X( 9), 7,0); HOST_c2l(data,l); X(11)=l;
- R0(C,D,A,B,X(10),11,0); HOST_c2l(data,l); X(12)=l;
- R0(B,C,D,A,X(11),19,0); HOST_c2l(data,l); X(13)=l;
- R0(A,B,C,D,X(12), 3,0); HOST_c2l(data,l); X(14)=l;
- R0(D,A,B,C,X(13), 7,0); HOST_c2l(data,l); X(15)=l;
+ R0(A,B,C,D,X( 0), 3,0); (void)HOST_c2l(data,l); X( 2)=l;
+ R0(D,A,B,C,X( 1), 7,0); (void)HOST_c2l(data,l); X( 3)=l;
+ R0(C,D,A,B,X( 2),11,0); (void)HOST_c2l(data,l); X( 4)=l;
+ R0(B,C,D,A,X( 3),19,0); (void)HOST_c2l(data,l); X( 5)=l;
+ R0(A,B,C,D,X( 4), 3,0); (void)HOST_c2l(data,l); X( 6)=l;
+ R0(D,A,B,C,X( 5), 7,0); (void)HOST_c2l(data,l); X( 7)=l;
+ R0(C,D,A,B,X( 6),11,0); (void)HOST_c2l(data,l); X( 8)=l;
+ R0(B,C,D,A,X( 7),19,0); (void)HOST_c2l(data,l); X( 9)=l;
+ R0(A,B,C,D,X( 8), 3,0); (void)HOST_c2l(data,l); X(10)=l;
+ R0(D,A,B,C,X( 9), 7,0); (void)HOST_c2l(data,l); X(11)=l;
+ R0(C,D,A,B,X(10),11,0); (void)HOST_c2l(data,l); X(12)=l;
+ R0(B,C,D,A,X(11),19,0); (void)HOST_c2l(data,l); X(13)=l;
+ R0(A,B,C,D,X(12), 3,0); (void)HOST_c2l(data,l); X(14)=l;
+ R0(D,A,B,C,X(13), 7,0); (void)HOST_c2l(data,l); X(15)=l;
R0(C,D,A,B,X(14),11,0);
R0(B,C,D,A,X(15),19,0);
/* Round 1 */
diff --git a/crypto/md4/md4_locl.h b/crypto/md4/md4_locl.h
index c8085b0..99c3e50 100644
--- a/crypto/md4/md4_locl.h
+++ b/crypto/md4/md4_locl.h
@@ -77,10 +77,10 @@
#define HASH_FINAL MD4_Final
#define HASH_MAKE_STRING(c,s) do { \
unsigned long ll; \
- ll=(c)->A; HOST_l2c(ll,(s)); \
- ll=(c)->B; HOST_l2c(ll,(s)); \
- ll=(c)->C; HOST_l2c(ll,(s)); \
- ll=(c)->D; HOST_l2c(ll,(s)); \
+ ll=(c)->A; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->B; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->C; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->D; (void)HOST_l2c(ll,(s)); \
} while (0)
#define HASH_BLOCK_DATA_ORDER md4_block_data_order
diff --git a/crypto/md5/asm/md5-x86_64.pl b/crypto/md5/asm/md5-x86_64.pl
index 8678854..f11224d 100755
--- a/crypto/md5/asm/md5-x86_64.pl
+++ b/crypto/md5/asm/md5-x86_64.pl
@@ -120,7 +120,8 @@
die "can't locate x86_64-xlate.pl";
no warnings qw(uninitialized);
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
$code .= <<EOF;
.text
diff --git a/crypto/md5/md5_locl.h b/crypto/md5/md5_locl.h
index 968d577..74d63d1 100644
--- a/crypto/md5/md5_locl.h
+++ b/crypto/md5/md5_locl.h
@@ -86,10 +86,10 @@
#define HASH_FINAL MD5_Final
#define HASH_MAKE_STRING(c,s) do { \
unsigned long ll; \
- ll=(c)->A; HOST_l2c(ll,(s)); \
- ll=(c)->B; HOST_l2c(ll,(s)); \
- ll=(c)->C; HOST_l2c(ll,(s)); \
- ll=(c)->D; HOST_l2c(ll,(s)); \
+ ll=(c)->A; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->B; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->C; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->D; (void)HOST_l2c(ll,(s)); \
} while (0)
#define HASH_BLOCK_DATA_ORDER md5_block_data_order
diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c
index b74bb1a..d66ed6a 100644
--- a/crypto/mdc2/mdc2dgst.c
+++ b/crypto/mdc2/mdc2dgst.c
@@ -59,9 +59,9 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <openssl/crypto.h>
#include <openssl/des.h>
#include <openssl/mdc2.h>
-#include <openssl/crypto.h>
#undef c2l
#define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \
diff --git a/crypto/mem.c b/crypto/mem.c
index 21c0011..1cc62ea 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -121,10 +121,10 @@
static long (*get_debug_options_func)(void) = NULL;
#endif
-
int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t),
void (*f)(void *))
{
+ /* Dummy call just to ensure OPENSSL_init() gets linked in */
OPENSSL_init();
if (!allow_customize)
return 0;
diff --git a/crypto/modes/asm/ghash-x86.pl b/crypto/modes/asm/ghash-x86.pl
index 6b09669..83c727e 100644
--- a/crypto/modes/asm/ghash-x86.pl
+++ b/crypto/modes/asm/ghash-x86.pl
@@ -635,7 +635,7 @@
{ my @lo = ("mm0","mm1","mm2");
my @hi = ("mm3","mm4","mm5");
my @tmp = ("mm6","mm7");
- my $off1=0,$off2=0,$i;
+ my ($off1,$off2,$i) = (0,0,);
&add ($Htbl,128); # optimize for size
&lea ("edi",&DWP(16+128,"esp"));
@@ -883,7 +883,7 @@
my ($Xhi,$Xi) = @_;
# 1st phase
- &movdqa ($T1,$Xi) #
+ &movdqa ($T1,$Xi); #
&psllq ($Xi,1);
&pxor ($Xi,$T1); #
&psllq ($Xi,5); #
@@ -1019,7 +1019,7 @@
&movdqa ($Xhn,$Xn);
&pxor ($Xhi,$T1); # "Ii+Xi", consume early
- &movdqa ($T1,$Xi) #&reduction_alg9($Xhi,$Xi); 1st phase
+ &movdqa ($T1,$Xi); #&reduction_alg9($Xhi,$Xi); 1st phase
&psllq ($Xi,1);
&pxor ($Xi,$T1); #
&psllq ($Xi,5); #
diff --git a/crypto/modes/asm/ghash-x86_64.pl b/crypto/modes/asm/ghash-x86_64.pl
index a5ae180..38d779e 100644
--- a/crypto/modes/asm/ghash-x86_64.pl
+++ b/crypto/modes/asm/ghash-x86_64.pl
@@ -50,7 +50,8 @@
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
# common register layout
$nlo="%rax";
diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c
index 7d6d034..0e6ff8b 100644
--- a/crypto/modes/gcm128.c
+++ b/crypto/modes/gcm128.c
@@ -723,7 +723,7 @@
# endif
gcm_init_4bit(ctx->Htable,ctx->H.u);
# if defined(GHASH_ASM_X86) /* x86 only */
-# if defined(OPENSSL_IA32_SSE2)
+# if defined(OPENSSL_IA32_SSE2)
if (OPENSSL_ia32cap_P[0]&(1<<25)) { /* check SSE bit */
# else
if (OPENSSL_ia32cap_P[0]&(1<<23)) { /* check MMX bit */
@@ -1398,7 +1398,7 @@
void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
#endif
- if (ctx->mres)
+ if (ctx->mres || ctx->ares)
GCM_MUL(ctx,Xi);
if (is_endian.little) {
diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c
index 84380a9..4a548c2 100644
--- a/crypto/objects/o_names.c
+++ b/crypto/objects/o_names.c
@@ -73,7 +73,7 @@
name_funcs_stack=sk_NAME_FUNCS_new_null();
MemCheck_on();
}
- if ((name_funcs_stack == NULL))
+ if (name_funcs_stack == NULL)
{
/* ERROR */
return(0);
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 415d67e..2767183 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -91,9 +91,12 @@
{
EVP_PKEY *skey;
skey = X509_get_pubkey(signer);
- ret = OCSP_BASICRESP_verify(bs, skey, 0);
- EVP_PKEY_free(skey);
- if(ret <= 0)
+ if (skey)
+ {
+ ret = OCSP_BASICRESP_verify(bs, skey, 0);
+ EVP_PKEY_free(skey);
+ }
+ if(!skey || ret <= 0)
{
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
goto end;
@@ -108,6 +111,7 @@
init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
if(!init_res)
{
+ ret = -1;
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
goto end;
}
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 71be359..dbea4ad 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,11 +25,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x1000103fL
+#define OPENSSL_VERSION_NUMBER 0x1000104fL
#ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c-fips 10 May 2012"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1d-fips 5 Feb 2013"
#else
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c 10 May 2012"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1d 5 Feb 2013"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c
index 3e7a609..eac0460 100644
--- a/crypto/pem/pem_all.c
+++ b/crypto/pem/pem_all.c
@@ -193,7 +193,61 @@
#endif
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ if (FIPS_mode())
+ {
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_RSA(k, x);
+
+ ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+ }
+ else
+ return PEM_ASN1_write_bio((i2d_of_void *)i2d_RSAPrivateKey,
+ PEM_STRING_RSA,bp,x,enc,kstr,klen,cb,u);
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ if (FIPS_mode())
+ {
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+
+ EVP_PKEY_set1_RSA(k, x);
+
+ ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+ }
+ else
+ return PEM_ASN1_write((i2d_of_void *)i2d_RSAPrivateKey,
+ PEM_STRING_RSA,fp,x,enc,kstr,klen,cb,u);
+}
+#endif
+
+#else
+
IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
+
+#endif
+
IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
@@ -223,7 +277,59 @@
return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
}
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ if (FIPS_mode())
+ {
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_DSA(k, x);
+
+ ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+ }
+ else
+ return PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPrivateKey,
+ PEM_STRING_DSA,bp,x,enc,kstr,klen,cb,u);
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ if (FIPS_mode())
+ {
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_DSA(k, x);
+ ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+ }
+ else
+ return PEM_ASN1_write((i2d_of_void *)i2d_DSAPrivateKey,
+ PEM_STRING_DSA,fp,x,enc,kstr,klen,cb,u);
+}
+#endif
+
+#else
+
IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
+
+#endif
+
IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
#ifndef OPENSSL_NO_FP_API
@@ -269,8 +375,63 @@
IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters)
+
+
+#ifdef OPENSSL_FIPS
+
+int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ if (FIPS_mode())
+ {
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_EC_KEY(k, x);
+
+ ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+ }
+ else
+ return PEM_ASN1_write_bio((i2d_of_void *)i2d_ECPrivateKey,
+ PEM_STRING_ECPRIVATEKEY,
+ bp,x,enc,kstr,klen,cb,u);
+}
+
+#ifndef OPENSSL_NO_FP_API
+int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
+ unsigned char *kstr, int klen,
+ pem_password_cb *cb, void *u)
+{
+ if (FIPS_mode())
+ {
+ EVP_PKEY *k;
+ int ret;
+ k = EVP_PKEY_new();
+ if (!k)
+ return 0;
+ EVP_PKEY_set1_EC_KEY(k, x);
+ ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
+ EVP_PKEY_free(k);
+ return ret;
+ }
+ else
+ return PEM_ASN1_write((i2d_of_void *)i2d_ECPrivateKey,
+ PEM_STRING_ECPRIVATEKEY,
+ fp,x,enc,kstr,klen,cb,u);
+}
+#endif
+
+#else
+
IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
+#endif
+
IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
#ifndef OPENSSL_NO_FP_API
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index cfc89a9..5a421fc 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -394,7 +394,8 @@
goto err;
/* The 'iv' is used as the iv and as a salt. It is
* NOT taken from the BytesToKey function */
- EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
+ if (!EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL))
+ goto err;
if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE);
@@ -406,12 +407,15 @@
/* k=strlen(buf); */
EVP_CIPHER_CTX_init(&ctx);
- EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv);
- EVP_EncryptUpdate(&ctx,data,&j,data,i);
- EVP_EncryptFinal_ex(&ctx,&(data[j]),&i);
+ ret = 1;
+ if (!EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv)
+ || !EVP_EncryptUpdate(&ctx,data,&j,data,i)
+ || !EVP_EncryptFinal_ex(&ctx,&(data[j]),&i))
+ ret = 0;
EVP_CIPHER_CTX_cleanup(&ctx);
+ if (ret == 0)
+ goto err;
i+=j;
- ret=1;
}
else
{
@@ -459,14 +463,17 @@
ebcdic2ascii(buf, buf, klen);
#endif
- EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]),
- (unsigned char *)buf,klen,1,key,NULL);
+ if (!EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]),
+ (unsigned char *)buf,klen,1,key,NULL))
+ return 0;
j=(int)len;
EVP_CIPHER_CTX_init(&ctx);
- EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0]));
- EVP_DecryptUpdate(&ctx,data,&i,data,j);
- o=EVP_DecryptFinal_ex(&ctx,&(data[i]),&j);
+ o = EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0]));
+ if (o)
+ o = EVP_DecryptUpdate(&ctx,data,&i,data,j);
+ if (o)
+ o = EVP_DecryptFinal_ex(&ctx,&(data[i]),&j);
EVP_CIPHER_CTX_cleanup(&ctx);
OPENSSL_cleanse((char *)buf,sizeof(buf));
OPENSSL_cleanse((char *)key,sizeof(key));
diff --git a/crypto/pem/pem_seal.c b/crypto/pem/pem_seal.c
index 59690b5..b6b4e13 100644
--- a/crypto/pem/pem_seal.c
+++ b/crypto/pem/pem_seal.c
@@ -96,7 +96,8 @@
EVP_EncodeInit(&ctx->encode);
EVP_MD_CTX_init(&ctx->md);
- EVP_SignInit(&ctx->md,md_type);
+ if (!EVP_SignInit(&ctx->md,md_type))
+ goto err;
EVP_CIPHER_CTX_init(&ctx->cipher);
ret=EVP_SealInit(&ctx->cipher,type,ek,ekl,iv,pubk,npubk);
@@ -163,7 +164,8 @@
goto err;
}
- EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i);
+ if (!EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i))
+ goto err;
EVP_EncodeUpdate(&ctx->encode,out,&j,s,i);
*outl=j;
out+=j;
diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl
index 6fc2510..24561e7 100644
--- a/crypto/perlasm/cbc.pl
+++ b/crypto/perlasm/cbc.pl
@@ -150,7 +150,7 @@
&set_label("PIC_point");
&blindpop("edx");
&lea("ecx",&DWP(&label("cbc_enc_jmp_table")."-".&label("PIC_point"),"edx"));
- &mov($count,&DWP(0,"ecx",$count,4))
+ &mov($count,&DWP(0,"ecx",$count,4));
&add($count,"edx");
&xor("ecx","ecx");
&xor("edx","edx");
diff --git a/crypto/perlasm/x86masm.pl b/crypto/perlasm/x86masm.pl
index 96b1b73..f937d07 100644
--- a/crypto/perlasm/x86masm.pl
+++ b/crypto/perlasm/x86masm.pl
@@ -33,6 +33,7 @@
sub ::call { &::emit("call",(&::islabel($_[0]) or "$nmdecor$_[0]")); }
sub ::call_ptr { &::emit("call",@_); }
sub ::jmp_ptr { &::emit("jmp",@_); }
+sub ::lock { &::data_byte(0xf0); }
sub get_mem
{ my($size,$addr,$reg1,$reg2,$idx)=@_;
diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c
index c55c7b6..61d5850 100644
--- a/crypto/pkcs12/p12_key.c
+++ b/crypto/pkcs12/p12_key.c
@@ -176,24 +176,32 @@
out += u;
for (j = 0; j < v; j++) B[j] = Ai[j % u];
/* Work out B + 1 first then can use B as tmp space */
- if (!BN_bin2bn (B, v, Bpl1)) goto err;
- if (!BN_add_word (Bpl1, 1)) goto err;
+ if (!BN_bin2bn (B, v, Bpl1))
+ goto err;
+ if (!BN_add_word (Bpl1, 1))
+ goto err;
for (j = 0; j < Ilen ; j+=v) {
- if (!BN_bin2bn (I + j, v, Ij)) goto err;
- if (!BN_add (Ij, Ij, Bpl1)) goto err;
- BN_bn2bin (Ij, B);
+ if (!BN_bin2bn(I + j, v, Ij))
+ goto err;
+ if (!BN_add(Ij, Ij, Bpl1))
+ goto err;
+ if (!BN_bn2bin(Ij, B))
+ goto err;
Ijlen = BN_num_bytes (Ij);
/* If more than 2^(v*8) - 1 cut off MSB */
if (Ijlen > v) {
- BN_bn2bin (Ij, B);
+ if (!BN_bn2bin (Ij, B))
+ goto err;
memcpy (I + j, B + 1, v);
#ifndef PKCS12_BROKEN_KEYGEN
/* If less than v bytes pad with zeroes */
} else if (Ijlen < v) {
memset(I + j, 0, v - Ijlen);
- BN_bn2bin(Ij, I + j + v - Ijlen);
+ if (!BN_bn2bin(Ij, I + j + v - Ijlen))
+ goto err;
#endif
- } else BN_bn2bin (Ij, I + j);
+ } else if (!BN_bn2bin (Ij, I + j))
+ goto err;
}
}
diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c
index fcdd3f2..1e3bcb9 100644
--- a/crypto/rand/md_rand.c
+++ b/crypto/rand/md_rand.c
@@ -123,10 +123,10 @@
#include "e_os.h"
+#include <openssl/crypto.h>
#include <openssl/rand.h>
#include "rand_lcl.h"
-#include <openssl/crypto.h>
#include <openssl/err.h>
#ifdef BN_DEBUG
diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
index daf1dab..476a0cd 100644
--- a/crypto/rand/rand_lib.c
+++ b/crypto/rand/rand_lib.c
@@ -210,8 +210,11 @@
static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen)
{
- OPENSSL_cleanse(out, olen);
- OPENSSL_free(out);
+ if (out)
+ {
+ OPENSSL_cleanse(out, olen);
+ OPENSSL_free(out);
+ }
}
/* Set "additional input" when generating random data. This uses the
diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c
index 030e07f..7f14280 100644
--- a/crypto/rand/randfile.c
+++ b/crypto/rand/randfile.c
@@ -57,7 +57,9 @@
*/
/* We need to define this to get macros like S_IFBLK and S_IFCHR */
+#if !defined(OPENSSL_SYS_VXWORKS)
#define _XOPEN_SOURCE 500
+#endif
#include <errno.h>
#include <stdio.h>
diff --git a/crypto/rc4/asm/rc4-md5-x86_64.pl b/crypto/rc4/asm/rc4-md5-x86_64.pl
index 7f68409..272fa91 100644
--- a/crypto/rc4/asm/rc4-md5-x86_64.pl
+++ b/crypto/rc4/asm/rc4-md5-x86_64.pl
@@ -51,7 +51,8 @@
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
my ($dat,$in0,$out,$ctx,$inp,$len, $func,$nargs);
diff --git a/crypto/rc4/asm/rc4-x86_64.pl b/crypto/rc4/asm/rc4-x86_64.pl
index d6eac20..75750db 100755
--- a/crypto/rc4/asm/rc4-x86_64.pl
+++ b/crypto/rc4/asm/rc4-x86_64.pl
@@ -112,7 +112,8 @@
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
$dat="%rdi"; # arg1
$len="%rsi"; # arg2
diff --git a/crypto/ripemd/rmd_dgst.c b/crypto/ripemd/rmd_dgst.c
index 63f0d98..d8e72da 100644
--- a/crypto/ripemd/rmd_dgst.c
+++ b/crypto/ripemd/rmd_dgst.c
@@ -105,21 +105,21 @@
A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E;
- HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l;
- RIP1(A,B,C,D,E,WL00,SL00); HOST_c2l(data,l); X( 2)=l;
- RIP1(E,A,B,C,D,WL01,SL01); HOST_c2l(data,l); X( 3)=l;
- RIP1(D,E,A,B,C,WL02,SL02); HOST_c2l(data,l); X( 4)=l;
- RIP1(C,D,E,A,B,WL03,SL03); HOST_c2l(data,l); X( 5)=l;
- RIP1(B,C,D,E,A,WL04,SL04); HOST_c2l(data,l); X( 6)=l;
- RIP1(A,B,C,D,E,WL05,SL05); HOST_c2l(data,l); X( 7)=l;
- RIP1(E,A,B,C,D,WL06,SL06); HOST_c2l(data,l); X( 8)=l;
- RIP1(D,E,A,B,C,WL07,SL07); HOST_c2l(data,l); X( 9)=l;
- RIP1(C,D,E,A,B,WL08,SL08); HOST_c2l(data,l); X(10)=l;
- RIP1(B,C,D,E,A,WL09,SL09); HOST_c2l(data,l); X(11)=l;
- RIP1(A,B,C,D,E,WL10,SL10); HOST_c2l(data,l); X(12)=l;
- RIP1(E,A,B,C,D,WL11,SL11); HOST_c2l(data,l); X(13)=l;
- RIP1(D,E,A,B,C,WL12,SL12); HOST_c2l(data,l); X(14)=l;
- RIP1(C,D,E,A,B,WL13,SL13); HOST_c2l(data,l); X(15)=l;
+ (void)HOST_c2l(data,l); X( 0)=l;(void)HOST_c2l(data,l); X( 1)=l;
+ RIP1(A,B,C,D,E,WL00,SL00); (void)HOST_c2l(data,l); X( 2)=l;
+ RIP1(E,A,B,C,D,WL01,SL01); (void)HOST_c2l(data,l); X( 3)=l;
+ RIP1(D,E,A,B,C,WL02,SL02); (void)HOST_c2l(data,l); X( 4)=l;
+ RIP1(C,D,E,A,B,WL03,SL03); (void)HOST_c2l(data,l); X( 5)=l;
+ RIP1(B,C,D,E,A,WL04,SL04); (void)HOST_c2l(data,l); X( 6)=l;
+ RIP1(A,B,C,D,E,WL05,SL05); (void)HOST_c2l(data,l); X( 7)=l;
+ RIP1(E,A,B,C,D,WL06,SL06); (void)HOST_c2l(data,l); X( 8)=l;
+ RIP1(D,E,A,B,C,WL07,SL07); (void)HOST_c2l(data,l); X( 9)=l;
+ RIP1(C,D,E,A,B,WL08,SL08); (void)HOST_c2l(data,l); X(10)=l;
+ RIP1(B,C,D,E,A,WL09,SL09); (void)HOST_c2l(data,l); X(11)=l;
+ RIP1(A,B,C,D,E,WL10,SL10); (void)HOST_c2l(data,l); X(12)=l;
+ RIP1(E,A,B,C,D,WL11,SL11); (void)HOST_c2l(data,l); X(13)=l;
+ RIP1(D,E,A,B,C,WL12,SL12); (void)HOST_c2l(data,l); X(14)=l;
+ RIP1(C,D,E,A,B,WL13,SL13); (void)HOST_c2l(data,l); X(15)=l;
RIP1(B,C,D,E,A,WL14,SL14);
RIP1(A,B,C,D,E,WL15,SL15);
diff --git a/crypto/ripemd/rmd_locl.h b/crypto/ripemd/rmd_locl.h
index f14b346..2bd8957 100644
--- a/crypto/ripemd/rmd_locl.h
+++ b/crypto/ripemd/rmd_locl.h
@@ -88,11 +88,11 @@
#define HASH_FINAL RIPEMD160_Final
#define HASH_MAKE_STRING(c,s) do { \
unsigned long ll; \
- ll=(c)->A; HOST_l2c(ll,(s)); \
- ll=(c)->B; HOST_l2c(ll,(s)); \
- ll=(c)->C; HOST_l2c(ll,(s)); \
- ll=(c)->D; HOST_l2c(ll,(s)); \
- ll=(c)->E; HOST_l2c(ll,(s)); \
+ ll=(c)->A; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->B; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->C; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->D; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->E; (void)HOST_l2c(ll,(s)); \
} while (0)
#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order
diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h
index 4814a2f..5f269e5 100644
--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -280,7 +280,7 @@
RSA * RSA_new(void);
RSA * RSA_new_method(ENGINE *engine);
-int RSA_size(const RSA *);
+int RSA_size(const RSA *rsa);
/* Deprecated version */
#ifndef OPENSSL_NO_DEPRECATED
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 2e1ddd4..88ee2cb 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -847,12 +847,12 @@
if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
/* If p < q it is occasionally possible for the correction of
- * adding 'p' if r0 is negative above to leave the result still
+ * adding 'p' if r0 is negative above to leave the result still
* negative. This can break the private key operations: the following
* second correction should *always* correct this rare occurrence.
* This will *never* happen with OpenSSL generated keys because
- * they ensure p > q [steve]
- */
+ * they ensure p > q [steve]
+ */
if (BN_is_negative(r0))
if (!BN_add(r0,r0,rsa->p)) goto err;
if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
diff --git a/crypto/sha/asm/sha1-armv4-large.S b/crypto/sha/asm/sha1-armv4-large.S
index 97ad8be..639ae78 100644
--- a/crypto/sha/asm/sha1-armv4-large.S
+++ b/crypto/sha/asm/sha1-armv4-large.S
@@ -145,7 +145,7 @@
add r3,r3,r10 @ E+=F_00_19(B,C,D)
teq r14,sp
bne .L_00_15 @ [((11+4)*5+2)*3]
- sub sp,sp,#5*4
+ sub sp,sp,#25*4
#if __ARM_ARCH__<7
ldrb r10,[r1,#2]
ldrb r9,[r1,#3]
@@ -241,7 +241,6 @@
add r3,r3,r10 @ E+=F_00_19(B,C,D)
ldr r8,.LK_20_39 @ [+15+16*4]
- sub sp,sp,#20*4
cmn sp,#0 @ [+3], clear carry to denote 20_39
.L_20_39_or_60_79:
ldr r9,[r14,#15*4]
diff --git a/crypto/sha/asm/sha1-armv4-large.pl b/crypto/sha/asm/sha1-armv4-large.pl
index db83c51..33da3e0 100644
--- a/crypto/sha/asm/sha1-armv4-large.pl
+++ b/crypto/sha/asm/sha1-armv4-large.pl
@@ -177,7 +177,7 @@
$code.=<<___;
teq $Xi,sp
bne .L_00_15 @ [((11+4)*5+2)*3]
- sub sp,sp,#5*4
+ sub sp,sp,#25*4
___
&BODY_00_15(@V); unshift(@V,pop(@V));
&BODY_16_19(@V); unshift(@V,pop(@V));
@@ -187,7 +187,6 @@
$code.=<<___;
ldr $K,.LK_20_39 @ [+15+16*4]
- sub sp,sp,#20*4
cmn sp,#0 @ [+3], clear carry to denote 20_39
.L_20_39_or_60_79:
___
diff --git a/crypto/sha/asm/sha1-ia64.pl b/crypto/sha/asm/sha1-ia64.pl
index db28f08..02d35d1 100644
--- a/crypto/sha/asm/sha1-ia64.pl
+++ b/crypto/sha/asm/sha1-ia64.pl
@@ -271,7 +271,8 @@
___
-{ my $i,@V=($A,$B,$C,$D,$E);
+{ my $i;
+ my @V=($A,$B,$C,$D,$E);
for($i=0;$i<16;$i++) { &BODY_00_15(\$code,$i,@V); unshift(@V,pop(@V)); }
for(;$i<20;$i++) { &BODY_16_19(\$code,$i,@V); unshift(@V,pop(@V)); }
diff --git a/crypto/sha/asm/sha1-sparcv9a.pl b/crypto/sha/asm/sha1-sparcv9a.pl
index 85e8d68..e65291b 100644
--- a/crypto/sha/asm/sha1-sparcv9a.pl
+++ b/crypto/sha/asm/sha1-sparcv9a.pl
@@ -549,7 +549,7 @@
# programmer detect if current CPU is VIS capable at run-time.
sub unvis {
my ($mnemonic,$rs1,$rs2,$rd)=@_;
-my $ref,$opf;
+my ($ref,$opf);
my %visopf = ( "fmul8ulx16" => 0x037,
"faligndata" => 0x048,
"fpadd32" => 0x052,
diff --git a/crypto/sha/asm/sha1-x86_64.pl b/crypto/sha/asm/sha1-x86_64.pl
index f27c1e3..cfdc45c 100755
--- a/crypto/sha/asm/sha1-x86_64.pl
+++ b/crypto/sha/asm/sha1-x86_64.pl
@@ -82,7 +82,8 @@
`ml64 2>&1` =~ /Version ([0-9]+)\./ &&
$1>=10);
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
$ctx="%rdi"; # 1st arg
$inp="%rsi"; # 2nd arg
diff --git a/crypto/sha/asm/sha512-586.pl b/crypto/sha/asm/sha512-586.pl
index 5b9f333..7eab6a5 100644
--- a/crypto/sha/asm/sha512-586.pl
+++ b/crypto/sha/asm/sha512-586.pl
@@ -142,9 +142,9 @@
&mov ("edx",$Ehi);
&mov ("esi","ecx");
- &shr ("ecx",9) # lo>>9
+ &shr ("ecx",9); # lo>>9
&mov ("edi","edx");
- &shr ("edx",9) # hi>>9
+ &shr ("edx",9); # hi>>9
&mov ("ebx","ecx");
&shl ("esi",14); # lo<<14
&mov ("eax","edx");
@@ -207,9 +207,9 @@
&mov ($Dhi,"ebx");
&mov ("esi","ecx");
- &shr ("ecx",2) # lo>>2
+ &shr ("ecx",2); # lo>>2
&mov ("edi","edx");
- &shr ("edx",2) # hi>>2
+ &shr ("edx",2); # hi>>2
&mov ("ebx","ecx");
&shl ("esi",4); # lo<<4
&mov ("eax","edx");
@@ -452,9 +452,9 @@
&mov ("edx",&DWP(8*(9+15+16-1)+4,"esp"));
&mov ("esi","ecx");
- &shr ("ecx",1) # lo>>1
+ &shr ("ecx",1); # lo>>1
&mov ("edi","edx");
- &shr ("edx",1) # hi>>1
+ &shr ("edx",1); # hi>>1
&mov ("eax","ecx");
&shl ("esi",24); # lo<<24
&mov ("ebx","edx");
@@ -488,9 +488,9 @@
&mov ("edx",&DWP(8*(9+15+16-14)+4,"esp"));
&mov ("esi","ecx");
- &shr ("ecx",6) # lo>>6
+ &shr ("ecx",6); # lo>>6
&mov ("edi","edx");
- &shr ("edx",6) # hi>>6
+ &shr ("edx",6); # hi>>6
&mov ("eax","ecx");
&shl ("esi",3); # lo<<3
&mov ("ebx","edx");
diff --git a/crypto/sha/asm/sha512-x86_64.pl b/crypto/sha/asm/sha512-x86_64.pl
index f611a2d..8d51678 100755
--- a/crypto/sha/asm/sha512-x86_64.pl
+++ b/crypto/sha/asm/sha512-x86_64.pl
@@ -51,7 +51,8 @@
( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
if ($output =~ /512/) {
$func="sha512_block_data_order";
diff --git a/crypto/sha/sha1_one.c b/crypto/sha/sha1_one.c
index 7c65b60..c56ec94 100644
--- a/crypto/sha/sha1_one.c
+++ b/crypto/sha/sha1_one.c
@@ -58,8 +58,8 @@
#include <stdio.h>
#include <string.h>
-#include <openssl/sha.h>
#include <openssl/crypto.h>
+#include <openssl/sha.h>
#ifndef OPENSSL_NO_SHA1
unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
diff --git a/crypto/sha/sha1dgst.c b/crypto/sha/sha1dgst.c
index 81219af..a986902 100644
--- a/crypto/sha/sha1dgst.c
+++ b/crypto/sha/sha1dgst.c
@@ -56,8 +56,8 @@
* [including the GNU Public Licence.]
*/
-#include <openssl/opensslconf.h>
#include <openssl/crypto.h>
+#include <openssl/opensslconf.h>
#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA)
#undef SHA_0
diff --git a/crypto/sha/sha256.c b/crypto/sha/sha256.c
index f88d3d6..4eae074 100644
--- a/crypto/sha/sha256.c
+++ b/crypto/sha/sha256.c
@@ -88,17 +88,17 @@
switch ((c)->md_len) \
{ case SHA224_DIGEST_LENGTH: \
for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
- { ll=(c)->h[nn]; HOST_l2c(ll,(s)); } \
+ { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
break; \
case SHA256_DIGEST_LENGTH: \
for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
- { ll=(c)->h[nn]; HOST_l2c(ll,(s)); } \
+ { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
break; \
default: \
if ((c)->md_len > SHA256_DIGEST_LENGTH) \
return 0; \
for (nn=0;nn<(c)->md_len/4;nn++) \
- { ll=(c)->h[nn]; HOST_l2c(ll,(s)); } \
+ { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
break; \
} \
} while (0)
diff --git a/crypto/sha/sha_dgst.c b/crypto/sha/sha_dgst.c
index c946ad8..fb63b17 100644
--- a/crypto/sha/sha_dgst.c
+++ b/crypto/sha/sha_dgst.c
@@ -56,8 +56,8 @@
* [including the GNU Public Licence.]
*/
-#include <openssl/opensslconf.h>
#include <openssl/crypto.h>
+#include <openssl/opensslconf.h>
#if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
#undef SHA_1
diff --git a/crypto/sha/sha_locl.h b/crypto/sha/sha_locl.h
index 7a0c3ca..d673255 100644
--- a/crypto/sha/sha_locl.h
+++ b/crypto/sha/sha_locl.h
@@ -69,11 +69,11 @@
#define HASH_CBLOCK SHA_CBLOCK
#define HASH_MAKE_STRING(c,s) do { \
unsigned long ll; \
- ll=(c)->h0; HOST_l2c(ll,(s)); \
- ll=(c)->h1; HOST_l2c(ll,(s)); \
- ll=(c)->h2; HOST_l2c(ll,(s)); \
- ll=(c)->h3; HOST_l2c(ll,(s)); \
- ll=(c)->h4; HOST_l2c(ll,(s)); \
+ ll=(c)->h0; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->h1; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->h2; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->h3; (void)HOST_l2c(ll,(s)); \
+ ll=(c)->h4; (void)HOST_l2c(ll,(s)); \
} while (0)
#if defined(SHA_0)
@@ -256,21 +256,21 @@
}
else
{
- HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l;
- BODY_00_15( 0,A,B,C,D,E,T,X( 0)); HOST_c2l(data,l); X( 2)=l;
- BODY_00_15( 1,T,A,B,C,D,E,X( 1)); HOST_c2l(data,l); X( 3)=l;
- BODY_00_15( 2,E,T,A,B,C,D,X( 2)); HOST_c2l(data,l); X( 4)=l;
- BODY_00_15( 3,D,E,T,A,B,C,X( 3)); HOST_c2l(data,l); X( 5)=l;
- BODY_00_15( 4,C,D,E,T,A,B,X( 4)); HOST_c2l(data,l); X( 6)=l;
- BODY_00_15( 5,B,C,D,E,T,A,X( 5)); HOST_c2l(data,l); X( 7)=l;
- BODY_00_15( 6,A,B,C,D,E,T,X( 6)); HOST_c2l(data,l); X( 8)=l;
- BODY_00_15( 7,T,A,B,C,D,E,X( 7)); HOST_c2l(data,l); X( 9)=l;
- BODY_00_15( 8,E,T,A,B,C,D,X( 8)); HOST_c2l(data,l); X(10)=l;
- BODY_00_15( 9,D,E,T,A,B,C,X( 9)); HOST_c2l(data,l); X(11)=l;
- BODY_00_15(10,C,D,E,T,A,B,X(10)); HOST_c2l(data,l); X(12)=l;
- BODY_00_15(11,B,C,D,E,T,A,X(11)); HOST_c2l(data,l); X(13)=l;
- BODY_00_15(12,A,B,C,D,E,T,X(12)); HOST_c2l(data,l); X(14)=l;
- BODY_00_15(13,T,A,B,C,D,E,X(13)); HOST_c2l(data,l); X(15)=l;
+ (void)HOST_c2l(data,l); X( 0)=l; (void)HOST_c2l(data,l); X( 1)=l;
+ BODY_00_15( 0,A,B,C,D,E,T,X( 0)); (void)HOST_c2l(data,l); X( 2)=l;
+ BODY_00_15( 1,T,A,B,C,D,E,X( 1)); (void)HOST_c2l(data,l); X( 3)=l;
+ BODY_00_15( 2,E,T,A,B,C,D,X( 2)); (void)HOST_c2l(data,l); X( 4)=l;
+ BODY_00_15( 3,D,E,T,A,B,C,X( 3)); (void)HOST_c2l(data,l); X( 5)=l;
+ BODY_00_15( 4,C,D,E,T,A,B,X( 4)); (void)HOST_c2l(data,l); X( 6)=l;
+ BODY_00_15( 5,B,C,D,E,T,A,X( 5)); (void)HOST_c2l(data,l); X( 7)=l;
+ BODY_00_15( 6,A,B,C,D,E,T,X( 6)); (void)HOST_c2l(data,l); X( 8)=l;
+ BODY_00_15( 7,T,A,B,C,D,E,X( 7)); (void)HOST_c2l(data,l); X( 9)=l;
+ BODY_00_15( 8,E,T,A,B,C,D,X( 8)); (void)HOST_c2l(data,l); X(10)=l;
+ BODY_00_15( 9,D,E,T,A,B,C,X( 9)); (void)HOST_c2l(data,l); X(11)=l;
+ BODY_00_15(10,C,D,E,T,A,B,X(10)); (void)HOST_c2l(data,l); X(12)=l;
+ BODY_00_15(11,B,C,D,E,T,A,X(11)); (void)HOST_c2l(data,l); X(13)=l;
+ BODY_00_15(12,A,B,C,D,E,T,X(12)); (void)HOST_c2l(data,l); X(14)=l;
+ BODY_00_15(13,T,A,B,C,D,E,X(13)); (void)HOST_c2l(data,l); X(15)=l;
BODY_00_15(14,E,T,A,B,C,D,X(14));
BODY_00_15(15,D,E,T,A,B,C,X(15));
}
diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c
index c8be907..4a3d13e 100644
--- a/crypto/srp/srp_vfy.c
+++ b/crypto/srp/srp_vfy.c
@@ -390,7 +390,7 @@
}
for (i = 0; i < sk_OPENSSL_PSTRING_num(tmpdb->data); i++)
{
- pp = (char **)sk_OPENSSL_PSTRING_value(tmpdb->data,i);
+ pp = sk_OPENSSL_PSTRING_value(tmpdb->data,i);
if (pp[DB_srptype][0] == DB_SRP_INDEX)
{
/*we add this couple in the internal Stack */
@@ -581,7 +581,8 @@
if (*salt == NULL)
{
char *tmp_salt;
- if ((tmp_salt = (char *)OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL)
+
+ if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL)
{
OPENSSL_free(vf);
goto err;
diff --git a/crypto/symhacks.h b/crypto/symhacks.h
index 403f592..07a412f 100644
--- a/crypto/symhacks.h
+++ b/crypto/symhacks.h
@@ -193,17 +193,17 @@
#undef SSL_CTX_set_srp_username_callback
#define SSL_CTX_set_srp_username_callback SSL_CTX_set_srp_un_cb
#undef ssl_add_clienthello_use_srtp_ext
-#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext
+#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext
#undef ssl_add_serverhello_use_srtp_ext
-#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext
+#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext
#undef ssl_parse_clienthello_use_srtp_ext
-#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext
+#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext
#undef ssl_parse_serverhello_use_srtp_ext
-#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext
+#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext
#undef SSL_CTX_set_next_protos_advertised_cb
-#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb
+#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb
#undef SSL_CTX_set_next_proto_select_cb
-#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb
+#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb
/* Hack some long ENGINE names */
#undef ENGINE_get_default_BN_mod_exp_crt
@@ -316,8 +316,6 @@
#define ec_GFp_simple_point_set_to_infinity ec_GFp_simple_pt_set_to_inf
#undef ec_GFp_simple_points_make_affine
#define ec_GFp_simple_points_make_affine ec_GFp_simple_pts_make_affine
-#undef ec_GFp_simple_group_get_curve_GFp
-#define ec_GFp_simple_group_get_curve_GFp ec_GFp_simple_grp_get_curve_GFp
#undef ec_GFp_simple_set_Jprojective_coordinates_GFp
#define ec_GFp_simple_set_Jprojective_coordinates_GFp \
ec_GFp_smp_set_Jproj_coords_GFp
diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c
index 7165cb4..e6ccd34 100644
--- a/crypto/ui/ui_openssl.c
+++ b/crypto/ui/ui_openssl.c
@@ -122,9 +122,15 @@
* sigaction and fileno included. -pedantic would be more appropriate for
* the intended purposes, but we can't prevent users from adding -ansi.
*/
+#if defined(OPENSSL_SYSNAME_VXWORKS)
+#include <sys/types.h>
+#endif
+
#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
+#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 2
#endif
+#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 7c2aaee..352aa37 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -86,10 +86,9 @@
EVP_MD_CTX_init(&ctx);
f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
- ret=strlen(f);
if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
goto err;
- if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,ret))
+ if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,strlen(f)))
goto err;
OPENSSL_free(f);
if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
@@ -249,14 +248,14 @@
i2d_X509_NAME(x,NULL);
EVP_MD_CTX_init(&md_ctx);
EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
- EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
- EVP_DigestFinal_ex(&md_ctx,md,NULL);
+ if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL)
+ && EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length)
+ && EVP_DigestFinal_ex(&md_ctx,md,NULL))
+ ret=(((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
+ ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
+ )&0xffffffffL;
EVP_MD_CTX_cleanup(&md_ctx);
- ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
- ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
- )&0xffffffffL;
return(ret);
}
#endif
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index b0779db..12d71f5 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -872,7 +872,7 @@
{
ASN1_OCTET_STRING *exta, *extb;
int i;
- i = X509_CRL_get_ext_by_NID(a, nid, 0);
+ i = X509_CRL_get_ext_by_NID(a, nid, -1);
if (i >= 0)
{
/* Can't have multiple occurrences */
@@ -883,7 +883,7 @@
else
exta = NULL;
- i = X509_CRL_get_ext_by_NID(b, nid, 0);
+ i = X509_CRL_get_ext_by_NID(b, nid, -1);
if (i >= 0)
{
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
index 181bd34..ad68865 100644
--- a/crypto/x509v3/v3_purp.c
+++ b/crypto/x509v3/v3_purp.c
@@ -474,11 +474,11 @@
for (i = 0; i < X509_get_ext_count(x); i++)
{
ex = X509_get_ext(x, i);
- if (!X509_EXTENSION_get_critical(ex))
- continue;
if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
== NID_freshest_crl)
x->ex_flags |= EXFLAG_FRESHEST;
+ if (!X509_EXTENSION_get_critical(ex))
+ continue;
if (!X509_supported_extension(ex))
{
x->ex_flags |= EXFLAG_CRITICAL;
diff --git a/crypto/x86_64cpuid.pl b/crypto/x86_64cpuid.pl
index 7b7b93b..6ebfd01 100644
--- a/crypto/x86_64cpuid.pl
+++ b/crypto/x86_64cpuid.pl
@@ -11,7 +11,8 @@
( $xlate="${dir}perlasm/x86_64-xlate.pl" and -f $xlate) or
die "can't locate x86_64-xlate.pl";
-open STDOUT,"| $^X $xlate $flavour $output";
+open OUT,"| \"$^X\" $xlate $flavour $output";
+*STDOUT=*OUT;
($arg1,$arg2,$arg3,$arg4)=$win64?("%rcx","%rdx","%r8", "%r9") : # Win64 order
("%rdi","%rsi","%rdx","%rcx"); # Unix order
diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
index 39fd8f2..c18b0e2 100644
--- a/crypto/x86cpuid.pl
+++ b/crypto/x86cpuid.pl
@@ -165,7 +165,7 @@
&jnz (&label("nohalt")); # not enough privileges
&pushf ();
- &pop ("eax")
+ &pop ("eax");
&bt ("eax",9);
&jnc (&label("nohalt")); # interrupts are disabled
@@ -280,7 +280,7 @@
# arguments is 1 or 2!
&function_begin_B("OPENSSL_indirect_call");
{
- my $i,$max=7; # $max has to be chosen as 4*n-1
+ my ($max,$i)=(7,); # $max has to be chosen as 4*n-1
# in order to preserve eventual
# stack alignment
&push ("ebp");
diff --git a/import_openssl.sh b/import_openssl.sh
index bde07da..03e54c7 100755
--- a/import_openssl.sh
+++ b/import_openssl.sh
@@ -322,7 +322,7 @@
for i in $OPENSSL_PATCHES; do
if [ ! "$skip_patch" = "patches/$i" ]; then
echo "Applying patch $i"
- patch -p1 < ../patches/$i || die "Could not apply patches/$i. Fix source and run: $0 regenerate patches/$i"
+ patch -p1 --merge < ../patches/$i || die "Could not apply patches/$i. Fix source and run: $0 regenerate patches/$i"
else
echo "Skiping patch $i"
fi
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index 793a325..f92fc51 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -488,10 +488,10 @@
long (**go)(void));
void *CRYPTO_malloc_locked(int num, const char *file, int line);
-void CRYPTO_free_locked(void *);
+void CRYPTO_free_locked(void *ptr);
void *CRYPTO_malloc(int num, const char *file, int line);
char *CRYPTO_strdup(const char *str, const char *file, int line);
-void CRYPTO_free(void *);
+void CRYPTO_free(void *ptr);
void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,
int line);
diff --git a/include/openssl/dtls1.h b/include/openssl/dtls1.h
index 5008bf6..e65d501 100644
--- a/include/openssl/dtls1.h
+++ b/include/openssl/dtls1.h
@@ -57,8 +57,8 @@
*
*/
-#ifndef HEADER_DTLS1_H
-#define HEADER_DTLS1_H
+#ifndef HEADER_DTLS1_H
+#define HEADER_DTLS1_H
#include <openssl/buffer.h>
#include <openssl/pqueue.h>
@@ -72,8 +72,12 @@
#elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
#include <sys/timeval.h>
#else
+#if defined(OPENSSL_SYS_VXWORKS)
+#include <sys/times.h>
+#else
#include <sys/time.h>
#endif
+#endif
#ifdef __cplusplus
extern "C" {
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index 9d01325..dfe8710 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -274,10 +274,10 @@
void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
int EC_GROUP_get_asn1_flag(const EC_GROUP *group);
-void EC_GROUP_set_point_conversion_form(EC_GROUP *, point_conversion_form_t);
+void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form);
point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *);
-unsigned char *EC_GROUP_get0_seed(const EC_GROUP *);
+unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x);
size_t EC_GROUP_get_seed_len(const EC_GROUP *);
size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
@@ -626,8 +626,8 @@
*/
int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
-int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
-int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx);
+int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx);
/** Computes r = generator * n sum_{i=0}^num p[i] * m[i]
* \param group underlying EC_GROUP object
@@ -800,16 +800,24 @@
int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
unsigned EC_KEY_get_enc_flags(const EC_KEY *key);
-void EC_KEY_set_enc_flags(EC_KEY *, unsigned int);
-point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *);
-void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t);
+void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);
+point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
+void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
/* functions to set/get method specific data */
-void *EC_KEY_get_key_method_data(EC_KEY *,
+void *EC_KEY_get_key_method_data(EC_KEY *key,
void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
-void EC_KEY_insert_key_method_data(EC_KEY *, void *data,
+/** Sets the key method data of an EC_KEY object, if none has yet been set.
+ * \param key EC_KEY object
+ * \param data opaque data to install.
+ * \param dup_func a function that duplicates |data|.
+ * \param free_func a function that frees |data|.
+ * \param clear_free_func a function that wipes and frees |data|.
+ * \return the previously set data pointer, or NULL if |data| was inserted.
+ */
+void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
/* wrapper functions for the underlying EC_GROUP object */
-void EC_KEY_set_asn1_flag(EC_KEY *, int);
+void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
/** Creates a table of pre-computed multiples of the generator to
* accelerate further EC_KEY operations.
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 8096a72..e43a58e 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -402,7 +402,6 @@
/* Length of tag for TLS */
#define EVP_GCM_TLS_TAG_LEN 16
-
typedef struct evp_cipher_info_st
{
const EVP_CIPHER *cipher;
@@ -789,8 +788,8 @@
# define EVP_aes_128_cfb EVP_aes_128_cfb128
const EVP_CIPHER *EVP_aes_128_ofb(void);
const EVP_CIPHER *EVP_aes_128_ctr(void);
-const EVP_CIPHER *EVP_aes_128_gcm(void);
const EVP_CIPHER *EVP_aes_128_ccm(void);
+const EVP_CIPHER *EVP_aes_128_gcm(void);
const EVP_CIPHER *EVP_aes_128_xts(void);
const EVP_CIPHER *EVP_aes_192_ecb(void);
const EVP_CIPHER *EVP_aes_192_cbc(void);
@@ -800,8 +799,8 @@
# define EVP_aes_192_cfb EVP_aes_192_cfb128
const EVP_CIPHER *EVP_aes_192_ofb(void);
const EVP_CIPHER *EVP_aes_192_ctr(void);
-const EVP_CIPHER *EVP_aes_192_gcm(void);
const EVP_CIPHER *EVP_aes_192_ccm(void);
+const EVP_CIPHER *EVP_aes_192_gcm(void);
const EVP_CIPHER *EVP_aes_256_ecb(void);
const EVP_CIPHER *EVP_aes_256_cbc(void);
const EVP_CIPHER *EVP_aes_256_cfb1(void);
@@ -810,8 +809,8 @@
# define EVP_aes_256_cfb EVP_aes_256_cfb128
const EVP_CIPHER *EVP_aes_256_ofb(void);
const EVP_CIPHER *EVP_aes_256_ctr(void);
-const EVP_CIPHER *EVP_aes_256_gcm(void);
const EVP_CIPHER *EVP_aes_256_ccm(void);
+const EVP_CIPHER *EVP_aes_256_gcm(void);
const EVP_CIPHER *EVP_aes_256_xts(void);
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
@@ -1244,6 +1243,8 @@
int (*ctrl_str)(EVP_PKEY_CTX *ctx,
const char *type, const char *value));
+void EVP_add_alg_module(void);
+
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
@@ -1258,6 +1259,7 @@
#define EVP_F_AES_INIT_KEY 133
#define EVP_F_AES_XTS 172
#define EVP_F_AES_XTS_CIPHER 175
+#define EVP_F_ALG_MODULE_INIT 177
#define EVP_F_CAMELLIA_INIT_KEY 159
#define EVP_F_CMAC_INIT 173
#define EVP_F_D2I_PKEY 100
@@ -1351,15 +1353,19 @@
#define EVP_R_DIFFERENT_PARAMETERS 153
#define EVP_R_DISABLED_FOR_FIPS 163
#define EVP_R_ENCODE_ERROR 115
+#define EVP_R_ERROR_LOADING_SECTION 165
+#define EVP_R_ERROR_SETTING_FIPS_MODE 166
#define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119
#define EVP_R_EXPECTING_AN_RSA_KEY 127
#define EVP_R_EXPECTING_A_DH_KEY 128
#define EVP_R_EXPECTING_A_DSA_KEY 129
#define EVP_R_EXPECTING_A_ECDSA_KEY 141
#define EVP_R_EXPECTING_A_EC_KEY 142
+#define EVP_R_FIPS_MODE_NOT_SUPPORTED 167
#define EVP_R_INITIALIZATION_ERROR 134
#define EVP_R_INPUT_NOT_INITIALIZED 111
#define EVP_R_INVALID_DIGEST 152
+#define EVP_R_INVALID_FIPS_MODE 168
#define EVP_R_INVALID_KEY_LENGTH 130
#define EVP_R_INVALID_OPERATION 148
#define EVP_R_IV_TOO_LARGE 102
@@ -1384,6 +1390,7 @@
#define EVP_R_TOO_LARGE 164
#define EVP_R_UNKNOWN_CIPHER 160
#define EVP_R_UNKNOWN_DIGEST 161
+#define EVP_R_UNKNOWN_OPTION 169
#define EVP_R_UNKNOWN_PBE_ALGORITHM 121
#define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135
#define EVP_R_UNSUPPORTED_ALGORITHM 156
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 71be359..dbea4ad 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -25,11 +25,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x1000103fL
+#define OPENSSL_VERSION_NUMBER 0x1000104fL
#ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c-fips 10 May 2012"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1d-fips 5 Feb 2013"
#else
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c 10 May 2012"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1d 5 Feb 2013"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 4814a2f..5f269e5 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -280,7 +280,7 @@
RSA * RSA_new(void);
RSA * RSA_new_method(ENGINE *engine);
-int RSA_size(const RSA *);
+int RSA_size(const RSA *rsa);
/* Deprecated version */
#ifndef OPENSSL_NO_DEPRECATED
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 1aaadf3..5695aae 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -493,6 +493,9 @@
char *psk_identity_hint;
char *psk_identity;
#endif
+ /* Used to indicate that session resumption is not allowed.
+ * Applications can also set this bit for a new session via
+ * not_resumable_session_cb to disable session caching and tickets. */
int not_resumable;
/* The cert is the certificate used to establish this connection */
@@ -535,7 +538,7 @@
#endif /* OPENSSL_NO_EC */
/* RFC4507 info */
unsigned char *tlsext_tick; /* Session ticket */
- size_t tlsext_ticklen; /* Session ticket length */
+ size_t tlsext_ticklen; /* Session ticket length */
long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
#endif
#ifndef OPENSSL_NO_SRP
@@ -931,6 +934,7 @@
/* Callback for status request */
int (*tlsext_status_cb)(SSL *ssl, void *arg);
void *tlsext_status_arg;
+
/* draft-rescorla-tls-opaque-prf-input-00.txt information */
int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
void *tlsext_opaque_prf_input_callback_arg;
@@ -956,6 +960,7 @@
#endif
#ifndef OPENSSL_NO_TLSEXT
+
# ifndef OPENSSL_NO_NEXTPROTONEG
/* Next protocol negotiation information */
/* (for experimental NPN extension). */
@@ -2262,6 +2267,7 @@
#define SSL_F_SSL_GET_NEW_SESSION 181
#define SSL_F_SSL_GET_PREV_SESSION 217
#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
+#define SSL_F_SSL_GET_SERVER_SEND_PKEY 317
#define SSL_F_SSL_GET_SIGN_PKEY 183
#define SSL_F_SSL_INIT_WBIO_BUFFER 184
#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index 879be13..fee9671 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -355,10 +355,6 @@
/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
-/*rw*/ unsigned int orig_len; /* How many bytes were available before padding
- was removed? This is used to implement the
- MAC check in constant time for CBC records.
- */
} SSL3_RECORD;
typedef struct ssl3_buffer_st
@@ -594,8 +590,10 @@
#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
+#ifndef OPENSSL_NO_NEXTPROTONEG
#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT)
#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT)
+#endif
#define SSL3_ST_CW_CHANNEL_ID_A (0x210|SSL_ST_CONNECT)
#define SSL3_ST_CW_CHANNEL_ID_B (0x211|SSL_ST_CONNECT)
#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
@@ -648,8 +646,10 @@
#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
#define SSL3_ST_SR_POST_CLIENT_CERT (0x1BF|SSL_ST_ACCEPT)
+#ifndef OPENSSL_NO_NEXTPROTONEG
#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT)
#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT)
+#endif
#define SSL3_ST_SR_CHANNEL_ID_A (0x220|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CHANNEL_ID_B (0x221|SSL_ST_ACCEPT)
#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
@@ -676,7 +676,9 @@
#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
#define SSL3_MT_FINISHED 20
#define SSL3_MT_CERTIFICATE_STATUS 22
+#ifndef OPENSSL_NO_NEXTPROTONEG
#define SSL3_MT_NEXT_PROTO 67
+#endif
#define SSL3_MT_ENCRYPTED_EXTENSIONS 203
#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
diff --git a/include/openssl/symhacks.h b/include/openssl/symhacks.h
index 403f592..07a412f 100644
--- a/include/openssl/symhacks.h
+++ b/include/openssl/symhacks.h
@@ -193,17 +193,17 @@
#undef SSL_CTX_set_srp_username_callback
#define SSL_CTX_set_srp_username_callback SSL_CTX_set_srp_un_cb
#undef ssl_add_clienthello_use_srtp_ext
-#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext
+#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext
#undef ssl_add_serverhello_use_srtp_ext
-#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext
+#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext
#undef ssl_parse_clienthello_use_srtp_ext
-#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext
+#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext
#undef ssl_parse_serverhello_use_srtp_ext
-#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext
+#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext
#undef SSL_CTX_set_next_protos_advertised_cb
-#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb
+#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb
#undef SSL_CTX_set_next_proto_select_cb
-#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb
+#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb
/* Hack some long ENGINE names */
#undef ENGINE_get_default_BN_mod_exp_crt
@@ -316,8 +316,6 @@
#define ec_GFp_simple_point_set_to_infinity ec_GFp_simple_pt_set_to_inf
#undef ec_GFp_simple_points_make_affine
#define ec_GFp_simple_points_make_affine ec_GFp_simple_pts_make_affine
-#undef ec_GFp_simple_group_get_curve_GFp
-#define ec_GFp_simple_group_get_curve_GFp ec_GFp_simple_grp_get_curve_GFp
#undef ec_GFp_simple_set_Jprojective_coordinates_GFp
#define ec_GFp_simple_set_Jprojective_coordinates_GFp \
ec_GFp_smp_set_Jproj_coords_GFp
diff --git a/openssl.config b/openssl.config
index 9c20b62..e7009ea 100644
--- a/openssl.config
+++ b/openssl.config
@@ -175,8 +175,10 @@
include/openssl/cast.h \
include/openssl/cms.h \
include/openssl/idea.h \
+include/openssl/md2.h \
include/openssl/mdc2.h \
include/openssl/seed.h \
+include/openssl/store.h \
include/openssl/whrlpool.h \
install.com \
makevms.com \
@@ -201,13 +203,7 @@
progs.patch \
handshake_cutthrough.patch \
jsse.patch \
-sha1_armv4_large.patch \
-mips_private.patch \
channelid.patch \
-clang.patch \
-recursive_lock_fix.patch \
-0001-Add-and-use-a-constant-time-memcmp.patch \
-0002-Make-CBC-decoding-constant-time.patch \
"
OPENSSL_PATCHES_progs_SOURCES="\
@@ -243,10 +239,6 @@
ssl/ssl_sess.c \
"
-OPENSSL_PATCHES_mips_private_SOURCES="\
-crypto/aes/asm/aes-mips.pl \
-"
-
OPENSSL_PATCHES_channelid_SOURCES="\
crypto/evp/evp.h \
crypto/evp/p_lib.c \
@@ -262,11 +254,3 @@
ssl/t1_lib.c \
ssl/tls1.h \
"
-
-OPENSSL_PATCHES_clang_SOURCES="\
-crypto/bio/bss_dgram.c \
-crypto/cryptlib.c \
-"
-OPENSSL_PATCHES_recursive_lock_fix_SOURCES="\
-crypto/asn1/x_pubkey.c \
-"
diff --git a/openssl.version b/openssl.version
index 1616021..30f1cd2 100644
--- a/openssl.version
+++ b/openssl.version
@@ -1 +1 @@
-OPENSSL_VERSION=1.0.1c
+OPENSSL_VERSION=1.0.1d
diff --git a/patches/0001-Add-and-use-a-constant-time-memcmp.patch b/patches/0001-Add-and-use-a-constant-time-memcmp.patch
deleted file mode 100644
index a593d49..0000000
--- a/patches/0001-Add-and-use-a-constant-time-memcmp.patch
+++ /dev/null
@@ -1,155 +0,0 @@
-From 306d003174cb4e5994734b20d741867aeeebf918 Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl@chromium.org>
-Date: Wed, 16 Jan 2013 11:02:35 -0500
-Subject: [PATCH 1/2] Add and use a constant-time memcmp.
-
-This change adds CRYPTO_memcmp, which compares two vectors of bytes in
-an amount of time that's independent of their contents. It also changes
-several MAC compares in the code to use this over the standard memcmp,
-which may leak information about the size of a matching prefix.
----
- crypto/cryptlib.c | 13 +++++++++++++
- crypto/crypto.h | 7 +++++++
- crypto/rsa/rsa_oaep.c | 2 +-
- ssl/d1_pkt.c | 2 +-
- ssl/s2_clnt.c | 2 +-
- ssl/s2_pkt.c | 3 +--
- ssl/s3_both.c | 2 +-
- ssl/s3_pkt.c | 2 +-
- ssl/t1_lib.c | 2 +-
- 9 files changed, 27 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c
-index a7cb420..304c6b7 100644
---- a/crypto/cryptlib.c
-+++ b/crypto/cryptlib.c
-@@ -925,3 +925,16 @@ void OpenSSLDie(const char *file,int line,const char *assertion)
- }
-
- void *OPENSSL_stderr(void) { return stderr; }
-+
-+int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len)
-+ {
-+ size_t i;
-+ const unsigned char *a = in_a;
-+ const unsigned char *b = in_b;
-+ unsigned char x = 0;
-+
-+ for (i = 0; i < len; i++)
-+ x |= a[i] ^ b[i];
-+
-+ return x;
-+ }
-diff --git a/crypto/crypto.h b/crypto/crypto.h
-index 6160576..f92fc51 100644
---- a/crypto/crypto.h
-+++ b/crypto/crypto.h
-@@ -574,6 +574,13 @@ void OPENSSL_init(void);
- #define fips_cipher_abort(alg) while(0)
- #endif
-
-+/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
-+ * takes an amount of time dependent on |len|, but independent of the contents
-+ * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a
-+ * defined order as the return value when a != b is undefined, other than to be
-+ * non-zero. */
-+int CRYPTO_memcmp(const void *a, const void *b, size_t len);
-+
- /* BEGIN ERROR CODES */
- /* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
-diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
-index 553d212..af4d24a 100644
---- a/crypto/rsa/rsa_oaep.c
-+++ b/crypto/rsa/rsa_oaep.c
-@@ -149,7 +149,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
- if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))
- return -1;
-
-- if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
-+ if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
- goto decoding_err;
- else
- {
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index 987af60..5e2c56c 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -463,7 +463,7 @@ printf("\n");
- else
- rr->length = 0;
- i=s->method->ssl3_enc->mac(s,md,0);
-- if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
-+ if (i < 0 || mac == NULL || CRYPTO_memcmp(md,mac,mac_size) != 0)
- {
- decryption_failed_or_bad_record_mac = 1;
- }
-diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
-index 76b690e..03b6cf9 100644
---- a/ssl/s2_clnt.c
-+++ b/ssl/s2_clnt.c
-@@ -939,7 +939,7 @@ static int get_server_verify(SSL *s)
- s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
- p += 1;
-
-- if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
-+ if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
- {
- ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
- SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);
-diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c
-index ac963b2..8bb6ab8 100644
---- a/ssl/s2_pkt.c
-+++ b/ssl/s2_pkt.c
-@@ -269,8 +269,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
- s->s2->ract_data_length-=mac_size;
- ssl2_mac(s,mac,0);
- s->s2->ract_data_length-=s->s2->padding;
-- if ( (memcmp(mac,s->s2->mac_data,
-- (unsigned int)mac_size) != 0) ||
-+ if ( (CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) ||
- (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
- {
- SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);
-diff --git a/ssl/s3_both.c b/ssl/s3_both.c
-index 918da35..ead01c8 100644
---- a/ssl/s3_both.c
-+++ b/ssl/s3_both.c
-@@ -265,7 +265,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
- goto f_err;
- }
-
-- if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
-+ if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
- {
- al=SSL_AD_DECRYPT_ERROR;
- SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index dca3458..3e11140 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -463,7 +463,7 @@ printf("\n");
- #endif
- }
- i=s->method->ssl3_enc->mac(s,md,0);
-- if (i < 0 || mac == NULL || memcmp(md, mac, (size_t)mac_size) != 0)
-+ if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
- {
- decryption_failed_or_bad_record_mac = 1;
- }
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index d8df062..27010dd 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -2226,7 +2226,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
- HMAC_Update(&hctx, etick, eticklen);
- HMAC_Final(&hctx, tick_hmac, NULL);
- HMAC_CTX_cleanup(&hctx);
-- if (memcmp(tick_hmac, etick + eticklen, mlen))
-+ if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
- return 2;
- /* Attempt to decrypt session data */
- /* Move p after IV to start of encrypted ticket, update length */
---
-1.8.1
-
diff --git a/patches/0002-Make-CBC-decoding-constant-time.patch b/patches/0002-Make-CBC-decoding-constant-time.patch
deleted file mode 100644
index 1893aa2..0000000
--- a/patches/0002-Make-CBC-decoding-constant-time.patch
+++ /dev/null
@@ -1,1621 +0,0 @@
-From fb402b7cdeffc907a9464cb84aa1311b1f77832a Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl@chromium.org>
-Date: Wed, 16 Jan 2013 11:18:19 -0500
-Subject: [PATCH 2/2] Make CBC decoding constant time.
-
-This patch makes the decoding of SSLv3 and TLS CBC records constant
-time. Without this, a timing side-channel can be used to build a padding
-oracle and mount Vaudenay's attack.
-
-This patch also disables the stitched AESNI+SHA mode pending a similar
-fix to that code.
-
-In order to be easy to backport, this change is implemented in ssl/,
-rather than as a generic AEAD mode. In the future this should be changed
-around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
----
- crypto/evp/c_allc.c | 2 +
- ssl/Makefile | 4 +-
- ssl/d1_enc.c | 59 ++---
- ssl/d1_pkt.c | 87 ++++---
- ssl/s3_cbc.c | 696 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- ssl/s3_enc.c | 119 +++++----
- ssl/s3_pkt.c | 94 +++----
- ssl/ssl3.h | 4 +
- ssl/ssl_algs.c | 3 +
- ssl/ssl_locl.h | 34 +++
- ssl/t1_enc.c | 144 +++++------
- 11 files changed, 993 insertions(+), 253 deletions(-)
- create mode 100644 ssl/s3_cbc.c
-
-diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c
-index 2a45d43..e230e60 100644
---- a/crypto/evp/c_allc.c
-+++ b/crypto/evp/c_allc.c
-@@ -195,11 +195,13 @@ void OpenSSL_add_all_ciphers(void)
- EVP_add_cipher(EVP_aes_256_xts());
- EVP_add_cipher_alias(SN_aes_256_cbc,"AES256");
- EVP_add_cipher_alias(SN_aes_256_cbc,"aes256");
-+#if 0 /* Disabled because of timing side-channel leaks. */
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
- EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
- EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
- #endif
- #endif
-+#endif
-
- #ifndef OPENSSL_NO_CAMELLIA
- EVP_add_cipher(EVP_camellia_128_ecb());
-diff --git a/ssl/Makefile b/ssl/Makefile
-index feaf3e3..bdb49e2 100644
---- a/ssl/Makefile
-+++ b/ssl/Makefile
-@@ -22,7 +22,7 @@ LIB=$(TOP)/libssl.a
- SHARED_LIB= libssl$(SHLIB_EXT)
- LIBSRC= \
- s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \
-- s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \
-+ s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c s3_cbc.c \
- s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
- t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \
- d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \
-@@ -33,7 +33,7 @@ LIBSRC= \
- bio_ssl.c ssl_err.c kssl.c tls_srp.c t1_reneg.c
- LIBOBJ= \
- s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
-- s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \
-+ s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
- s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \
- t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \
- d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \
-diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c
-index 07a5e97..712c464 100644
---- a/ssl/d1_enc.c
-+++ b/ssl/d1_enc.c
-@@ -126,20 +126,28 @@
- #include <openssl/des.h>
- #endif
-
-+/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
-+ *
-+ * Returns:
-+ * 0: (in non-constant time) if the record is publically invalid (i.e. too
-+ * short etc).
-+ * 1: if the record's padding is valid / the encryption was successful.
-+ * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
-+ * an internal error occured. */
- int dtls1_enc(SSL *s, int send)
- {
- SSL3_RECORD *rec;
- EVP_CIPHER_CTX *ds;
- unsigned long l;
-- int bs,i,ii,j,k,n=0;
-+ int bs,i,j,k,mac_size=0;
- const EVP_CIPHER *enc;
-
- if (send)
- {
- if (EVP_MD_CTX_md(s->write_hash))
- {
-- n=EVP_MD_CTX_size(s->write_hash);
-- if (n < 0)
-+ mac_size=EVP_MD_CTX_size(s->write_hash);
-+ if (mac_size < 0)
- return -1;
- }
- ds=s->enc_write_ctx;
-@@ -164,9 +172,8 @@ int dtls1_enc(SSL *s, int send)
- {
- if (EVP_MD_CTX_md(s->read_hash))
- {
-- n=EVP_MD_CTX_size(s->read_hash);
-- if (n < 0)
-- return -1;
-+ mac_size=EVP_MD_CTX_size(s->read_hash);
-+ OPENSSL_assert(mac_size >= 0);
- }
- ds=s->enc_read_ctx;
- rec= &(s->s3->rrec);
-@@ -231,7 +238,7 @@ int dtls1_enc(SSL *s, int send)
- if (!send)
- {
- if (l == 0 || l%bs != 0)
-- return -1;
-+ return 0;
- }
-
- EVP_Cipher(ds,rec->data,rec->input,l);
-@@ -246,43 +253,7 @@ int dtls1_enc(SSL *s, int send)
- #endif /* KSSL_DEBUG */
-
- if ((bs != 1) && !send)
-- {
-- ii=i=rec->data[l-1]; /* padding_length */
-- i++;
-- if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
-- {
-- /* First packet is even in size, so check */
-- if ((memcmp(s->s3->read_sequence,
-- "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
-- s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
-- if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
-- i--;
-- }
-- /* TLS 1.0 does not bound the number of padding bytes by the block size.
-- * All of them must have value 'padding_length'. */
-- if (i + bs > (int)rec->length)
-- {
-- /* Incorrect padding. SSLerr() and ssl3_alert are done
-- * by caller: we don't want to reveal whether this is
-- * a decryption error or a MAC verification failure
-- * (see http://www.openssl.org/~bodo/tls-cbc.txt)
-- */
-- return -1;
-- }
-- for (j=(int)(l-i); j<(int)l; j++)
-- {
-- if (rec->data[j] != ii)
-- {
-- /* Incorrect padding */
-- return -1;
-- }
-- }
-- rec->length-=i;
--
-- rec->data += bs; /* skip the implicit IV */
-- rec->input += bs;
-- rec->length -= bs;
-- }
-+ return tls1_cbc_remove_padding(s, rec, bs, mac_size);
- }
- return(1);
- }
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index 5e2c56c..02c881a 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -376,15 +376,11 @@ static int
- dtls1_process_record(SSL *s)
- {
- int i,al;
-- int clear=0;
- int enc_err;
- SSL_SESSION *sess;
- SSL3_RECORD *rr;
- unsigned int mac_size;
- unsigned char md[EVP_MAX_MD_SIZE];
-- int decryption_failed_or_bad_record_mac = 0;
-- unsigned char *mac = NULL;
--
-
- rr= &(s->s3->rrec);
- sess = s->session;
-@@ -414,14 +410,19 @@ dtls1_process_record(SSL *s)
-
- /* decrypt in place in 'rr->input' */
- rr->data=rr->input;
-+ rr->orig_len=rr->length;
-
- enc_err = s->method->ssl3_enc->enc(s,0);
-- if (enc_err <= 0)
-+ /* enc_err is:
-+ * 0: (in non-constant time) if the record is publically invalid.
-+ * 1: if the padding is valid
-+ * -1: if the padding is invalid */
-+ if (enc_err == 0)
- {
-- /* To minimize information leaked via timing, we will always
-- * perform all computations before discarding the message.
-- */
-- decryption_failed_or_bad_record_mac = 1;
-+ /* For DTLS we simply ignore bad packets. */
-+ rr->length = 0;
-+ s->packet_length = 0;
-+ goto err;
- }
-
- #ifdef TLS_DEBUG
-@@ -431,45 +432,59 @@ printf("\n");
- #endif
-
- /* r->length is now the compressed data plus mac */
-- if ( (sess == NULL) ||
-- (s->enc_read_ctx == NULL) ||
-- (s->read_hash == NULL))
-- clear=1;
--
-- if (!clear)
-+ if ((sess != NULL) &&
-+ (s->enc_read_ctx != NULL) &&
-+ (EVP_MD_CTX_md(s->read_hash) != NULL))
- {
-- /* !clear => s->read_hash != NULL => mac_size != -1 */
-- int t;
-- t=EVP_MD_CTX_size(s->read_hash);
-- OPENSSL_assert(t >= 0);
-- mac_size=t;
--
-- if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
-+ /* s->read_hash != NULL => mac_size != -1 */
-+ unsigned char *mac = NULL;
-+ unsigned char mac_tmp[EVP_MAX_MD_SIZE];
-+ mac_size=EVP_MD_CTX_size(s->read_hash);
-+ OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
-+
-+ /* orig_len is the length of the record before any padding was
-+ * removed. This is public information, as is the MAC in use,
-+ * therefore we can safely process the record in a different
-+ * amount of time if it's too short to possibly contain a MAC.
-+ */
-+ if (rr->orig_len < mac_size ||
-+ /* CBC records must have a padding length byte too. */
-+ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-+ rr->orig_len < mac_size+1))
- {
--#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
-- al=SSL_AD_RECORD_OVERFLOW;
-- SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
-+ al=SSL_AD_DECODE_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
--#else
-- decryption_failed_or_bad_record_mac = 1;
--#endif
- }
-- /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
-- if (rr->length >= mac_size)
-+
-+ if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
- {
-+ /* We update the length so that the TLS header bytes
-+ * can be constructed correctly but we need to extract
-+ * the MAC in constant time from within the record,
-+ * without leaking the contents of the padding bytes.
-+ * */
-+ mac = mac_tmp;
-+ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
- rr->length -= mac_size;
-- mac = &rr->data[rr->length];
- }
- else
-- rr->length = 0;
-- i=s->method->ssl3_enc->mac(s,md,0);
-- if (i < 0 || mac == NULL || CRYPTO_memcmp(md,mac,mac_size) != 0)
- {
-- decryption_failed_or_bad_record_mac = 1;
-+ /* In this case there's no padding, so |rec->orig_len|
-+ * equals |rec->length| and we checked that there's
-+ * enough bytes for |mac_size| above. */
-+ rr->length -= mac_size;
-+ mac = &rr->data[rr->length];
- }
-+
-+ i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
-+ if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
-+ enc_err = -1;
-+ if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
-+ enc_err = -1;
- }
-
-- if (decryption_failed_or_bad_record_mac)
-+ if (enc_err < 0)
- {
- /* decryption failed, silently discard message */
- rr->length = 0;
-diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
-new file mode 100644
-index 0000000..e9b112c
---- /dev/null
-+++ b/ssl/s3_cbc.c
-@@ -0,0 +1,696 @@
-+/* ssl/s3_cbc.c */
-+/* ====================================================================
-+ * Copyright (c) 2012 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ * ====================================================================
-+ *
-+ * This product includes cryptographic software written by Eric Young
-+ * (eay@cryptsoft.com). This product includes software written by Tim
-+ * Hudson (tjh@cryptsoft.com).
-+ *
-+ */
-+
-+#include <stdint.h>
-+
-+#include "ssl_locl.h"
-+
-+#include <openssl/md5.h>
-+#include <openssl/sha.h>
-+
-+/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
-+ * field. (SHA-384/512 have 128-bit length.) */
-+#define MAX_HASH_BIT_COUNT_BYTES 16
-+
-+/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
-+ * Currently SHA-384/512 has a 128-byte block size and that's the largest
-+ * supported by TLS.) */
-+#define MAX_HASH_BLOCK_SIZE 128
-+
-+/* Some utility functions are needed:
-+ *
-+ * These macros return the given value with the MSB copied to all the other
-+ * bits. They use the fact that arithmetic shift shifts-in the sign bit.
-+ * However, this is not ensured by the C standard so you may need to replace
-+ * them with something else on odd CPUs. */
-+#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
-+#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
-+
-+/* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */
-+static unsigned constant_time_ge(unsigned a, unsigned b)
-+ {
-+ a -= b;
-+ return DUPLICATE_MSB_TO_ALL(~a);
-+ }
-+
-+/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */
-+static unsigned char constant_time_eq_8(unsigned char a, unsigned char b)
-+ {
-+ unsigned c = a ^ b;
-+ c--;
-+ return DUPLICATE_MSB_TO_ALL_8(c);
-+ }
-+
-+/* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
-+ * record in |rec| by updating |rec->length| in constant time.
-+ *
-+ * block_size: the block size of the cipher used to encrypt the record.
-+ * returns:
-+ * 0: (in non-constant time) if the record is publicly invalid.
-+ * 1: if the padding was valid
-+ * -1: otherwise. */
-+int ssl3_cbc_remove_padding(const SSL* s,
-+ SSL3_RECORD *rec,
-+ unsigned block_size,
-+ unsigned mac_size)
-+ {
-+ unsigned padding_length, good;
-+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
-+
-+ /* These lengths are all public so we can test them in non-constant
-+ * time. */
-+ if (overhead > rec->length)
-+ return 0;
-+
-+ padding_length = rec->data[rec->length-1];
-+ good = constant_time_ge(rec->length, padding_length+overhead);
-+ /* SSLv3 requires that the padding is minimal. */
-+ good &= constant_time_ge(block_size, padding_length+1);
-+ rec->length -= good & (padding_length+1);
-+ return (int)((good & 1) | (~good & -1));
-+}
-+
-+/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
-+ * record in |rec| in constant time and returns 1 if the padding is valid and
-+ * -1 otherwise. It also removes any explicit IV from the start of the record
-+ * without leaking any timing about whether there was enough space after the
-+ * padding was removed.
-+ *
-+ * block_size: the block size of the cipher used to encrypt the record.
-+ * returns:
-+ * 0: (in non-constant time) if the record is publicly invalid.
-+ * 1: if the padding was valid
-+ * -1: otherwise. */
-+int tls1_cbc_remove_padding(const SSL* s,
-+ SSL3_RECORD *rec,
-+ unsigned block_size,
-+ unsigned mac_size)
-+ {
-+ unsigned padding_length, good, to_check, i;
-+ const char has_explicit_iv =
-+ s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION;
-+ const unsigned overhead = 1 /* padding length byte */ +
-+ mac_size +
-+ (has_explicit_iv ? block_size : 0);
-+
-+ /* These lengths are all public so we can test them in non-constant
-+ * time. */
-+ if (overhead > rec->length)
-+ return 0;
-+
-+ padding_length = rec->data[rec->length-1];
-+
-+ /* NB: if compression is in operation the first packet may not be of
-+ * even length so the padding bug check cannot be performed. This bug
-+ * workaround has been around since SSLeay so hopefully it is either
-+ * fixed now or no buggy implementation supports compression [steve]
-+ */
-+ if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand)
-+ {
-+ /* First packet is even in size, so check */
-+ if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",8) == 0) &&
-+ !(padding_length & 1))
-+ {
-+ s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
-+ }
-+ if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) &&
-+ padding_length > 0)
-+ {
-+ padding_length--;
-+ }
-+ }
-+
-+ good = constant_time_ge(rec->length, overhead+padding_length);
-+ /* The padding consists of a length byte at the end of the record and
-+ * then that many bytes of padding, all with the same value as the
-+ * length byte. Thus, with the length byte included, there are i+1
-+ * bytes of padding.
-+ *
-+ * We can't check just |padding_length+1| bytes because that leaks
-+ * decrypted information. Therefore we always have to check the maximum
-+ * amount of padding possible. (Again, the length of the record is
-+ * public information so we can use it.) */
-+ to_check = 255; /* maximum amount of padding. */
-+ if (to_check > rec->length-1)
-+ to_check = rec->length-1;
-+
-+ for (i = 0; i < to_check; i++)
-+ {
-+ unsigned char mask = constant_time_ge(padding_length, i);
-+ unsigned char b = rec->data[rec->length-1-i];
-+ /* The final |padding_length+1| bytes should all have the value
-+ * |padding_length|. Therefore the XOR should be zero. */
-+ good &= ~(mask&(padding_length ^ b));
-+ }
-+
-+ /* If any of the final |padding_length+1| bytes had the wrong value,
-+ * one or more of the lower eight bits of |good| will be cleared. We
-+ * AND the bottom 8 bits together and duplicate the result to all the
-+ * bits. */
-+ good &= good >> 4;
-+ good &= good >> 2;
-+ good &= good >> 1;
-+ good <<= sizeof(good)*8-1;
-+ good = DUPLICATE_MSB_TO_ALL(good);
-+
-+ rec->length -= good & (padding_length+1);
-+
-+ /* We can always safely skip the explicit IV. We check at the beginning
-+ * of this function that the record has at least enough space for the
-+ * IV, MAC and padding length byte. (These can be checked in
-+ * non-constant time because it's all public information.) So, if the
-+ * padding was invalid, then we didn't change |rec->length| and this is
-+ * safe. If the padding was valid then we know that we have at least
-+ * overhead+padding_length bytes of space and so this is still safe
-+ * because overhead accounts for the explicit IV. */
-+ if (has_explicit_iv)
-+ {
-+ rec->data += block_size;
-+ rec->input += block_size;
-+ rec->length -= block_size;
-+ rec->orig_len -= block_size;
-+ }
-+
-+ return (int)((good & 1) | (~good & -1));
-+ }
-+
-+#if defined(_M_AMD64) || defined(__x86_64__)
-+#define CBC_MAC_ROTATE_IN_PLACE
-+#endif
-+
-+/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
-+ * constant time (independent of the concrete value of rec->length, which may
-+ * vary within a 256-byte window).
-+ *
-+ * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
-+ * this function.
-+ *
-+ * On entry:
-+ * rec->orig_len >= md_size
-+ * md_size <= EVP_MAX_MD_SIZE
-+ *
-+ * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
-+ * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
-+ * a single cache-line, then the variable memory accesses don't actually affect
-+ * the timing. This has been tested to be true on Intel amd64 chips.
-+ */
-+void ssl3_cbc_copy_mac(unsigned char* out,
-+ const SSL3_RECORD *rec,
-+ unsigned md_size)
-+ {
-+#if defined(CBC_MAC_ROTATE_IN_PLACE)
-+ unsigned char rotated_mac_buf[EVP_MAX_MD_SIZE*2];
-+ unsigned char *rotated_mac;
-+#else
-+ unsigned char rotated_mac[EVP_MAX_MD_SIZE];
-+#endif
-+
-+ /* mac_end is the index of |rec->data| just after the end of the MAC. */
-+ unsigned mac_end = rec->length;
-+ unsigned mac_start = mac_end - md_size;
-+ /* scan_start contains the number of bytes that we can ignore because
-+ * the MAC's position can only vary by 255 bytes. */
-+ unsigned scan_start = 0;
-+ unsigned i, j;
-+ unsigned div_spoiler;
-+ unsigned rotate_offset;
-+
-+ OPENSSL_assert(rec->orig_len >= md_size);
-+ OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
-+
-+#if defined(CBC_MAC_ROTATE_IN_PLACE)
-+ rotated_mac = (unsigned char*) (((intptr_t)(rotated_mac_buf + 64)) & ~63);
-+#endif
-+
-+ /* This information is public so it's safe to branch based on it. */
-+ if (rec->orig_len > md_size + 255 + 1)
-+ scan_start = rec->orig_len - (md_size + 255 + 1);
-+ /* div_spoiler contains a multiple of md_size that is used to cause the
-+ * modulo operation to be constant time. Without this, the time varies
-+ * based on the amount of padding when running on Intel chips at least.
-+ *
-+ * The aim of right-shifting md_size is so that the compiler doesn't
-+ * figure out that it can remove div_spoiler as that would require it
-+ * to prove that md_size is always even, which I hope is beyond it. */
-+ div_spoiler = md_size >> 1;
-+ div_spoiler <<= (sizeof(div_spoiler)-1)*8;
-+ rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
-+
-+ memset(rotated_mac, 0, md_size);
-+ for (i = scan_start; i < rec->orig_len;)
-+ {
-+ for (j = 0; j < md_size && i < rec->orig_len; i++, j++)
-+ {
-+ unsigned char mac_started = constant_time_ge(i, mac_start);
-+ unsigned char mac_ended = constant_time_ge(i, mac_end);
-+ unsigned char b = 0;
-+ b = rec->data[i];
-+ rotated_mac[j] |= b & mac_started & ~mac_ended;
-+ }
-+ }
-+
-+ /* Now rotate the MAC */
-+#if defined(CBC_MAC_ROTATE_IN_PLACE)
-+ j = 0;
-+ for (i = 0; i < md_size; i++)
-+ {
-+ unsigned char offset = (div_spoiler + rotate_offset + i) % md_size;
-+ out[j++] = rotated_mac[offset];
-+ }
-+#else
-+ memset(out, 0, md_size);
-+ for (i = 0; i < md_size; i++)
-+ {
-+ unsigned char offset = (div_spoiler + md_size - rotate_offset + i) % md_size;
-+ for (j = 0; j < md_size; j++)
-+ out[j] |= rotated_mac[i] & constant_time_eq_8(j, offset);
-+ }
-+#endif
-+ }
-+
-+/* These functions serialize the state of a hash and thus perform the standard
-+ * "final" operation without adding the padding and length that such a function
-+ * typically does. */
-+static void tls1_md5_final_raw(void* ctx, unsigned char *md_out)
-+ {
-+ MD5_CTX *md5 = ctx;
-+ l2n(md5->A, md_out);
-+ l2n(md5->B, md_out);
-+ l2n(md5->C, md_out);
-+ l2n(md5->D, md_out);
-+ }
-+
-+static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out)
-+ {
-+ SHA_CTX *sha1 = ctx;
-+ l2n(sha1->h0, md_out);
-+ l2n(sha1->h1, md_out);
-+ l2n(sha1->h2, md_out);
-+ l2n(sha1->h3, md_out);
-+ l2n(sha1->h4, md_out);
-+ }
-+
-+static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out)
-+ {
-+ SHA256_CTX *sha256 = ctx;
-+ unsigned i;
-+
-+ for (i = 0; i < 8; i++)
-+ {
-+ l2n(sha256->h[i], md_out);
-+ }
-+ }
-+
-+static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
-+ {
-+ SHA512_CTX *sha512 = ctx;
-+ unsigned i;
-+
-+ for (i = 0; i < 8; i++)
-+ {
-+ l2n8(sha512->h[i], md_out);
-+ }
-+ }
-+
-+/* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
-+ * which ssl3_cbc_digest_record supports. */
-+char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
-+ {
-+ switch (ctx->digest->type)
-+ {
-+ case NID_md5:
-+ case NID_sha1:
-+ case NID_sha224:
-+ case NID_sha256:
-+ case NID_sha384:
-+ case NID_sha512:
-+ return 1;
-+ default:
-+ return 0;
-+ }
-+ }
-+
-+/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
-+ * record.
-+ *
-+ * ctx: the EVP_MD_CTX from which we take the hash function.
-+ * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
-+ * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
-+ * md_out_size: if non-NULL, the number of output bytes is written here.
-+ * header: the 13-byte, TLS record header.
-+ * data: the record data itself, less any preceeding explicit IV.
-+ * data_plus_mac_size: the secret, reported length of the data and MAC
-+ * once the padding has been removed.
-+ * data_plus_mac_plus_padding_size: the public length of the whole
-+ * record, including padding.
-+ * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
-+ *
-+ * On entry: by virtue of having been through one of the remove_padding
-+ * functions, above, we know that data_plus_mac_size is large enough to contain
-+ * a padding byte and MAC. (If the padding was invalid, it might contain the
-+ * padding too. ) */
-+void ssl3_cbc_digest_record(
-+ const EVP_MD_CTX *ctx,
-+ unsigned char* md_out,
-+ size_t* md_out_size,
-+ const unsigned char header[13],
-+ const unsigned char *data,
-+ size_t data_plus_mac_size,
-+ size_t data_plus_mac_plus_padding_size,
-+ const unsigned char *mac_secret,
-+ unsigned mac_secret_length,
-+ char is_sslv3)
-+ {
-+ unsigned char md_state[sizeof(SHA512_CTX)];
-+ void (*md_final_raw)(void *ctx, unsigned char *md_out);
-+ void (*md_transform)(void *ctx, const unsigned char *block);
-+ unsigned md_size, md_block_size = 64;
-+ unsigned sslv3_pad_length = 40, header_length, variance_blocks,
-+ len, max_mac_bytes, num_blocks,
-+ num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
-+ uint64_t bits;
-+ unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
-+ /* hmac_pad is the masked HMAC key. */
-+ unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
-+ unsigned char first_block[MAX_HASH_BLOCK_SIZE];
-+ unsigned char mac_out[EVP_MAX_MD_SIZE];
-+ unsigned i, j, md_out_size_u;
-+ EVP_MD_CTX md_ctx;
-+ /* mdLengthSize is the number of bytes in the length field that terminates
-+ * the hash. */
-+ unsigned md_length_size = 8;
-+
-+ /* This is a, hopefully redundant, check that allows us to forget about
-+ * many possible overflows later in this function. */
-+ OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024);
-+
-+ switch (ctx->digest->type)
-+ {
-+ case NID_md5:
-+ MD5_Init((MD5_CTX*)md_state);
-+ md_final_raw = tls1_md5_final_raw;
-+ md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
-+ md_size = 16;
-+ sslv3_pad_length = 48;
-+ break;
-+ case NID_sha1:
-+ SHA1_Init((SHA_CTX*)md_state);
-+ md_final_raw = tls1_sha1_final_raw;
-+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform;
-+ md_size = 20;
-+ break;
-+ case NID_sha224:
-+ SHA224_Init((SHA256_CTX*)md_state);
-+ md_final_raw = tls1_sha256_final_raw;
-+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
-+ md_size = 224/8;
-+ break;
-+ case NID_sha256:
-+ SHA256_Init((SHA256_CTX*)md_state);
-+ md_final_raw = tls1_sha256_final_raw;
-+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
-+ md_size = 32;
-+ break;
-+ case NID_sha384:
-+ SHA384_Init((SHA512_CTX*)md_state);
-+ md_final_raw = tls1_sha512_final_raw;
-+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
-+ md_size = 384/8;
-+ md_block_size = 128;
-+ md_length_size = 16;
-+ break;
-+ case NID_sha512:
-+ SHA512_Init((SHA512_CTX*)md_state);
-+ md_final_raw = tls1_sha512_final_raw;
-+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
-+ md_size = 64;
-+ md_block_size = 128;
-+ md_length_size = 16;
-+ break;
-+ default:
-+ /* ssl3_cbc_record_digest_supported should have been
-+ * called first to check that the hash function is
-+ * supported. */
-+ OPENSSL_assert(0);
-+ if (md_out_size)
-+ *md_out_size = -1;
-+ return;
-+ }
-+
-+ OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);
-+ OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE);
-+ OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
-+
-+ header_length = 13;
-+ if (is_sslv3)
-+ {
-+ header_length =
-+ mac_secret_length +
-+ sslv3_pad_length +
-+ 8 /* sequence number */ +
-+ 1 /* record type */ +
-+ 2 /* record length */;
-+ }
-+
-+ /* variance_blocks is the number of blocks of the hash that we have to
-+ * calculate in constant time because they could be altered by the
-+ * padding value.
-+ *
-+ * In SSLv3, the padding must be minimal so the end of the plaintext
-+ * varies by, at most, 15+20 = 35 bytes. (We conservatively assume that
-+ * the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash
-+ * termination (0x80 + 64-bit length) don't fit in the final block, we
-+ * say that the final two blocks can vary based on the padding.
-+ *
-+ * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
-+ * required to be minimal. Therefore we say that the final six blocks
-+ * can vary based on the padding.
-+ *
-+ * Later in the function, if the message is short and there obviously
-+ * cannot be this many blocks then variance_blocks can be reduced. */
-+ variance_blocks = is_sslv3 ? 2 : 6;
-+ /* From now on we're dealing with the MAC, which conceptually has 13
-+ * bytes of `header' before the start of the data (TLS) or 71/75 bytes
-+ * (SSLv3) */
-+ len = data_plus_mac_plus_padding_size + header_length;
-+ /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including
-+ * |header|, assuming that there's no padding. */
-+ max_mac_bytes = len - md_size - 1;
-+ /* num_blocks is the maximum number of hash blocks. */
-+ num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size;
-+ /* In order to calculate the MAC in constant time we have to handle
-+ * the final blocks specially because the padding value could cause the
-+ * end to appear somewhere in the final |variance_blocks| blocks and we
-+ * can't leak where. However, |num_starting_blocks| worth of data can
-+ * be hashed right away because no padding value can affect whether
-+ * they are plaintext. */
-+ num_starting_blocks = 0;
-+ /* k is the starting byte offset into the conceptual header||data where
-+ * we start processing. */
-+ k = 0;
-+ /* mac_end_offset is the index just past the end of the data to be
-+ * MACed. */
-+ mac_end_offset = data_plus_mac_size + header_length - md_size;
-+ /* c is the index of the 0x80 byte in the final hash block that
-+ * contains application data. */
-+ c = mac_end_offset % md_block_size;
-+ /* index_a is the hash block number that contains the 0x80 terminating
-+ * value. */
-+ index_a = mac_end_offset / md_block_size;
-+ /* index_b is the hash block number that contains the 64-bit hash
-+ * length, in bits. */
-+ index_b = (mac_end_offset + md_length_size) / md_block_size;
-+ /* bits is the hash-length in bits. It includes the additional hash
-+ * block for the masked HMAC key, or whole of |header| in the case of
-+ * SSLv3. */
-+
-+ /* For SSLv3, if we're going to have any starting blocks then we need
-+ * at least two because the header is larger than a single block. */
-+ if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0))
-+ {
-+ num_starting_blocks = num_blocks - variance_blocks;
-+ k = md_block_size*num_starting_blocks;
-+ }
-+
-+ bits = 8*mac_end_offset;
-+ if (!is_sslv3)
-+ {
-+ /* Compute the initial HMAC block. For SSLv3, the padding and
-+ * secret bytes are included in |header| because they take more
-+ * than a single block. */
-+ bits += 8*md_block_size;
-+ memset(hmac_pad, 0, md_block_size);
-+ OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));
-+ memcpy(hmac_pad, mac_secret, mac_secret_length);
-+ for (i = 0; i < md_block_size; i++)
-+ hmac_pad[i] ^= 0x36;
-+
-+ md_transform(md_state, hmac_pad);
-+ }
-+
-+ j = 0;
-+ if (md_length_size == 16)
-+ {
-+ memset(length_bytes, 0, 8);
-+ j = 8;
-+ }
-+ for (i = 0; i < 8; i++)
-+ length_bytes[i+j] = bits >> (8*(7-i));
-+
-+ if (k > 0)
-+ {
-+ if (is_sslv3)
-+ {
-+ /* The SSLv3 header is larger than a single block.
-+ * overhang is the number of bytes beyond a single
-+ * block that the header consumes: either 7 bytes
-+ * (SHA1) or 11 bytes (MD5). */
-+ unsigned overhang = header_length-md_block_size;
-+ md_transform(md_state, header);
-+ memcpy(first_block, header + md_block_size, overhang);
-+ memcpy(first_block + overhang, data, md_block_size-overhang);
-+ md_transform(md_state, first_block);
-+ for (i = 1; i < k/md_block_size - 1; i++)
-+ md_transform(md_state, data + md_block_size*i - overhang);
-+ }
-+ else
-+ {
-+ /* k is a multiple of md_block_size. */
-+ memcpy(first_block, header, 13);
-+ memcpy(first_block+13, data, md_block_size-13);
-+ md_transform(md_state, first_block);
-+ for (i = 1; i < k/md_block_size; i++)
-+ md_transform(md_state, data + md_block_size*i - 13);
-+ }
-+ }
-+
-+ memset(mac_out, 0, sizeof(mac_out));
-+
-+ /* We now process the final hash blocks. For each block, we construct
-+ * it in constant time. If the |i==index_a| then we'll include the 0x80
-+ * bytes and zero pad etc. For each block we selectively copy it, in
-+ * constant time, to |mac_out|. */
-+ for (i = num_starting_blocks; i <= num_starting_blocks+variance_blocks; i++)
-+ {
-+ unsigned char block[MAX_HASH_BLOCK_SIZE];
-+ unsigned char is_block_a = constant_time_eq_8(i, index_a);
-+ unsigned char is_block_b = constant_time_eq_8(i, index_b);
-+ for (j = 0; j < md_block_size; j++)
-+ {
-+ unsigned char b = 0, is_past_c, is_past_cp1;
-+ if (k < header_length)
-+ b = header[k];
-+ else if (k < data_plus_mac_plus_padding_size + header_length)
-+ b = data[k-header_length];
-+ k++;
-+
-+ is_past_c = is_block_a & constant_time_ge(j, c);
-+ is_past_cp1 = is_block_a & constant_time_ge(j, c+1);
-+ /* If this is the block containing the end of the
-+ * application data, and we are at the offset for the
-+ * 0x80 value, then overwrite b with 0x80. */
-+ b = (b&~is_past_c) | (0x80&is_past_c);
-+ /* If this the the block containing the end of the
-+ * application data and we're past the 0x80 value then
-+ * just write zero. */
-+ b = b&~is_past_cp1;
-+ /* If this is index_b (the final block), but not
-+ * index_a (the end of the data), then the 64-bit
-+ * length didn't fit into index_a and we're having to
-+ * add an extra block of zeros. */
-+ b &= ~is_block_b | is_block_a;
-+
-+ /* The final bytes of one of the blocks contains the
-+ * length. */
-+ if (j >= md_block_size - md_length_size)
-+ {
-+ /* If this is index_b, write a length byte. */
-+ b = (b&~is_block_b) | (is_block_b&length_bytes[j-(md_block_size-md_length_size)]);
-+ }
-+ block[j] = b;
-+ }
-+
-+ md_transform(md_state, block);
-+ md_final_raw(md_state, block);
-+ /* If this is index_b, copy the hash value to |mac_out|. */
-+ for (j = 0; j < md_size; j++)
-+ mac_out[j] |= block[j]&is_block_b;
-+ }
-+
-+ EVP_MD_CTX_init(&md_ctx);
-+ EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */);
-+ if (is_sslv3)
-+ {
-+ /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
-+ memset(hmac_pad, 0x5c, sslv3_pad_length);
-+
-+ EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length);
-+ EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length);
-+ EVP_DigestUpdate(&md_ctx, mac_out, md_size);
-+ }
-+ else
-+ {
-+ /* Complete the HMAC in the standard manner. */
-+ for (i = 0; i < md_block_size; i++)
-+ hmac_pad[i] ^= 0x6a;
-+
-+ EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
-+ EVP_DigestUpdate(&md_ctx, mac_out, md_size);
-+ }
-+ EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
-+ if (md_out_size)
-+ *md_out_size = md_out_size_u;
-+ EVP_MD_CTX_cleanup(&md_ctx);
-+ }
-diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
-index c5df2cb..a0eac77 100644
---- a/ssl/s3_enc.c
-+++ b/ssl/s3_enc.c
-@@ -466,12 +466,21 @@ void ssl3_cleanup_key_block(SSL *s)
- s->s3->tmp.key_block_length=0;
- }
-
-+/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
-+ *
-+ * Returns:
-+ * 0: (in non-constant time) if the record is publically invalid (i.e. too
-+ * short etc).
-+ * 1: if the record's padding is valid / the encryption was successful.
-+ * -1: if the record's padding is invalid or, if sending, an internal error
-+ * occured.
-+ */
- int ssl3_enc(SSL *s, int send)
- {
- SSL3_RECORD *rec;
- EVP_CIPHER_CTX *ds;
- unsigned long l;
-- int bs,i;
-+ int bs,i,mac_size=0;
- const EVP_CIPHER *enc;
-
- if (send)
-@@ -522,32 +531,16 @@ int ssl3_enc(SSL *s, int send)
- if (!send)
- {
- if (l == 0 || l%bs != 0)
-- {
-- SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-- ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
- return 0;
-- }
- /* otherwise, rec->length >= bs */
- }
-
- EVP_Cipher(ds,rec->data,rec->input,l);
-
-+ if (EVP_MD_CTX_md(s->read_hash) != NULL)
-+ mac_size = EVP_MD_CTX_size(s->read_hash);
- if ((bs != 1) && !send)
-- {
-- i=rec->data[l-1]+1;
-- /* SSL 3.0 bounds the number of padding bytes by the block size;
-- * padding bytes (except the last one) are arbitrary */
-- if (i > bs)
-- {
-- /* Incorrect padding. SSLerr() and ssl3_alert are done
-- * by caller: we don't want to reveal whether this is
-- * a decryption error or a MAC verification failure
-- * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
-- return -1;
-- }
-- /* now i <= bs <= rec->length */
-- rec->length-=i;
-- }
-+ return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
- }
- return(1);
- }
-@@ -716,7 +709,7 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
- EVP_MD_CTX md_ctx;
- const EVP_MD_CTX *hash;
- unsigned char *p,rec_char;
-- unsigned int md_size;
-+ size_t md_size;
- int npad;
- int t;
-
-@@ -741,28 +734,68 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send)
- md_size=t;
- npad=(48/md_size)*md_size;
-
-- /* Chop the digest off the end :-) */
-- EVP_MD_CTX_init(&md_ctx);
--
-- EVP_MD_CTX_copy_ex( &md_ctx,hash);
-- EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
-- EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
-- EVP_DigestUpdate(&md_ctx,seq,8);
-- rec_char=rec->type;
-- EVP_DigestUpdate(&md_ctx,&rec_char,1);
-- p=md;
-- s2n(rec->length,p);
-- EVP_DigestUpdate(&md_ctx,md,2);
-- EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
-- EVP_DigestFinal_ex( &md_ctx,md,NULL);
--
-- EVP_MD_CTX_copy_ex( &md_ctx,hash);
-- EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
-- EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
-- EVP_DigestUpdate(&md_ctx,md,md_size);
-- EVP_DigestFinal_ex( &md_ctx,md,&md_size);
--
-- EVP_MD_CTX_cleanup(&md_ctx);
-+ if (!send &&
-+ EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-+ ssl3_cbc_record_digest_supported(hash))
-+ {
-+ /* This is a CBC-encrypted record. We must avoid leaking any
-+ * timing-side channel information about how many blocks of
-+ * data we are hashing because that gives an attacker a
-+ * timing-oracle. */
-+
-+ /* npad is, at most, 48 bytes and that's with MD5:
-+ * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
-+ *
-+ * With SHA-1 (the largest hash speced for SSLv3) the hash size
-+ * goes up 4, but npad goes down by 8, resulting in a smaller
-+ * total size. */
-+ unsigned char header[75];
-+ unsigned j = 0;
-+ memcpy(header+j, mac_sec, md_size);
-+ j += md_size;
-+ memcpy(header+j, ssl3_pad_1, npad);
-+ j += npad;
-+ memcpy(header+j, seq, 8);
-+ j += 8;
-+ header[j++] = rec->type;
-+ header[j++] = rec->length >> 8;
-+ header[j++] = rec->length & 0xff;
-+
-+ ssl3_cbc_digest_record(
-+ hash,
-+ md, &md_size,
-+ header, rec->input,
-+ rec->length + md_size, rec->orig_len,
-+ mac_sec, md_size,
-+ 1 /* is SSLv3 */);
-+ }
-+ else
-+ {
-+ unsigned int md_size_u;
-+ /* Chop the digest off the end :-) */
-+ EVP_MD_CTX_init(&md_ctx);
-+
-+ EVP_MD_CTX_copy_ex( &md_ctx,hash);
-+ EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
-+ EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
-+ EVP_DigestUpdate(&md_ctx,seq,8);
-+ rec_char=rec->type;
-+ EVP_DigestUpdate(&md_ctx,&rec_char,1);
-+ p=md;
-+ s2n(rec->length,p);
-+ EVP_DigestUpdate(&md_ctx,md,2);
-+ EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
-+ EVP_DigestFinal_ex( &md_ctx,md,NULL);
-+
-+ EVP_MD_CTX_copy_ex( &md_ctx,hash);
-+ EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
-+ EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
-+ EVP_DigestUpdate(&md_ctx,md,md_size);
-+ EVP_DigestFinal_ex( &md_ctx,md,&md_size_u);
-+ md_size = md_size_u;
-+
-+ EVP_MD_CTX_cleanup(&md_ctx);
-+ }
-
- ssl3_record_sequence_update(seq);
- return(md_size);
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index 3e11140..dba6653 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -290,11 +290,8 @@ static int ssl3_get_record(SSL *s)
- unsigned char *p;
- unsigned char md[EVP_MAX_MD_SIZE];
- short version;
-- int mac_size;
-- int clear=0;
-+ unsigned mac_size;
- size_t extra;
-- int decryption_failed_or_bad_record_mac = 0;
-- unsigned char *mac = NULL;
-
- rr= &(s->s3->rrec);
- sess=s->session;
-@@ -401,19 +398,18 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
-
- /* decrypt in place in 'rr->input' */
- rr->data=rr->input;
-+ rr->orig_len=rr->length;
-
- enc_err = s->method->ssl3_enc->enc(s,0);
-- if (enc_err <= 0)
-+ /* enc_err is:
-+ * 0: (in non-constant time) if the record is publically invalid.
-+ * 1: if the padding is valid
-+ * -1: if the padding is invalid */
-+ if (enc_err == 0)
- {
-- if (enc_err == 0)
-- /* SSLerr() and ssl3_send_alert() have been called */
-- goto err;
--
-- /* Otherwise enc_err == -1, which indicates bad padding
-- * (rec->length has not been changed in this case).
-- * To minimize information leaked via timing, we will perform
-- * the MAC computation anyway. */
-- decryption_failed_or_bad_record_mac = 1;
-+ al=SSL_AD_DECRYPTION_FAILED;
-+ SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-+ goto f_err;
- }
-
- #ifdef TLS_DEBUG
-@@ -423,53 +419,59 @@ printf("\n");
- #endif
-
- /* r->length is now the compressed data plus mac */
-- if ( (sess == NULL) ||
-- (s->enc_read_ctx == NULL) ||
-- (EVP_MD_CTX_md(s->read_hash) == NULL))
-- clear=1;
--
-- if (!clear)
-+ if ((sess != NULL) &&
-+ (s->enc_read_ctx != NULL) &&
-+ (EVP_MD_CTX_md(s->read_hash) != NULL))
- {
-- /* !clear => s->read_hash != NULL => mac_size != -1 */
-+ /* s->read_hash != NULL => mac_size != -1 */
-+ unsigned char *mac = NULL;
-+ unsigned char mac_tmp[EVP_MAX_MD_SIZE];
- mac_size=EVP_MD_CTX_size(s->read_hash);
-- OPENSSL_assert(mac_size >= 0);
-+ OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
-
-- if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
-+ /* orig_len is the length of the record before any padding was
-+ * removed. This is public information, as is the MAC in use,
-+ * therefore we can safely process the record in a different
-+ * amount of time if it's too short to possibly contain a MAC.
-+ */
-+ if (rr->orig_len < mac_size ||
-+ /* CBC records must have a padding length byte too. */
-+ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-+ rr->orig_len < mac_size+1))
- {
--#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
-- al=SSL_AD_RECORD_OVERFLOW;
-- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
-+ al=SSL_AD_DECODE_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
- goto f_err;
--#else
-- decryption_failed_or_bad_record_mac = 1;
--#endif
- }
-- /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
-- if (rr->length >= (unsigned int)mac_size)
-+
-+ if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
- {
-+ /* We update the length so that the TLS header bytes
-+ * can be constructed correctly but we need to extract
-+ * the MAC in constant time from within the record,
-+ * without leaking the contents of the padding bytes.
-+ * */
-+ mac = mac_tmp;
-+ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
- rr->length -= mac_size;
-- mac = &rr->data[rr->length];
- }
- else
- {
-- /* record (minus padding) is too short to contain a MAC */
--#if 0 /* OK only for stream ciphers */
-- al=SSL_AD_DECODE_ERROR;
-- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
-- goto f_err;
--#else
-- decryption_failed_or_bad_record_mac = 1;
-- rr->length = 0;
--#endif
-+ /* In this case there's no padding, so |rec->orig_len|
-+ * equals |rec->length| and we checked that there's
-+ * enough bytes for |mac_size| above. */
-+ rr->length -= mac_size;
-+ mac = &rr->data[rr->length];
- }
-- i=s->method->ssl3_enc->mac(s,md,0);
-+
-+ i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
- if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
-- {
-- decryption_failed_or_bad_record_mac = 1;
-- }
-+ enc_err = -1;
-+ if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
-+ enc_err = -1;
- }
-
-- if (decryption_failed_or_bad_record_mac)
-+ if (enc_err < 0)
- {
- /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
- * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
-diff --git a/ssl/ssl3.h b/ssl/ssl3.h
-index 247e88c..87d3e0f 100644
---- a/ssl/ssl3.h
-+++ b/ssl/ssl3.h
-@@ -355,6 +355,10 @@ typedef struct ssl3_record_st
- /*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
- /*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
- /*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
-+/*rw*/ unsigned int orig_len; /* How many bytes were available before padding
-+ was removed? This is used to implement the
-+ MAC check in constant time for CBC records.
-+ */
- } SSL3_RECORD;
-
- typedef struct ssl3_buffer_st
-diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
-index d443143..41ccbaa 100644
---- a/ssl/ssl_algs.c
-+++ b/ssl/ssl_algs.c
-@@ -90,11 +90,14 @@ int SSL_library_init(void)
- EVP_add_cipher(EVP_aes_256_cbc());
- EVP_add_cipher(EVP_aes_128_gcm());
- EVP_add_cipher(EVP_aes_256_gcm());
-+#if 0 /* Disabled because of timing side-channel leaks. */
- #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
- EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
- EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
- #endif
- #endif
-+
-+#endif
- #ifndef OPENSSL_NO_CAMELLIA
- EVP_add_cipher(EVP_camellia_128_cbc());
- EVP_add_cipher(EVP_camellia_256_cbc());
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index 0572e10..dd8388c 100644
---- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
-@@ -215,6 +215,15 @@
- *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
- *((c)++)=(unsigned char)(((l) )&0xff))
-
-+#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
-+ *((c)++)=(unsigned char)(((l)>>48)&0xff), \
-+ *((c)++)=(unsigned char)(((l)>>40)&0xff), \
-+ *((c)++)=(unsigned char)(((l)>>32)&0xff), \
-+ *((c)++)=(unsigned char)(((l)>>24)&0xff), \
-+ *((c)++)=(unsigned char)(((l)>>16)&0xff), \
-+ *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
-+ *((c)++)=(unsigned char)(((l) )&0xff))
-+
- #define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \
- l|=((BN_ULLONG)(*((c)++)))<<32, \
- l|=((BN_ULLONG)(*((c)++)))<<24, \
-@@ -1133,4 +1142,29 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
- int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
- int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
-
-+/* s3_cbc.c */
-+void ssl3_cbc_copy_mac(unsigned char* out,
-+ const SSL3_RECORD *rec,
-+ unsigned md_size);
-+int ssl3_cbc_remove_padding(const SSL* s,
-+ SSL3_RECORD *rec,
-+ unsigned block_size,
-+ unsigned mac_size);
-+int tls1_cbc_remove_padding(const SSL* s,
-+ SSL3_RECORD *rec,
-+ unsigned block_size,
-+ unsigned mac_size);
-+char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
-+void ssl3_cbc_digest_record(
-+ const EVP_MD_CTX *ctx,
-+ unsigned char* md_out,
-+ size_t* md_out_size,
-+ const unsigned char header[13],
-+ const unsigned char *data,
-+ size_t data_plus_mac_size,
-+ size_t data_plus_mac_plus_padding_size,
-+ const unsigned char *mac_secret,
-+ unsigned mac_secret_length,
-+ char is_sslv3);
-+
- #endif
-diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
-index b37678f..bb46f7f 100644
---- a/ssl/t1_enc.c
-+++ b/ssl/t1_enc.c
-@@ -667,12 +667,21 @@ err:
- return(ret);
- }
-
-+/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
-+ *
-+ * Returns:
-+ * 0: (in non-constant time) if the record is publically invalid (i.e. too
-+ * short etc).
-+ * 1: if the record's padding is valid / the encryption was successful.
-+ * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
-+ * an internal error occured.
-+ */
- int tls1_enc(SSL *s, int send)
- {
- SSL3_RECORD *rec;
- EVP_CIPHER_CTX *ds;
- unsigned long l;
-- int bs,i,ii,j,k,pad=0;
-+ int bs,i,j,k,pad=0,ret,mac_size=0;
- const EVP_CIPHER *enc;
-
- if (send)
-@@ -729,11 +738,11 @@ int tls1_enc(SSL *s, int send)
- printf("tls1_enc(%d)\n", send);
- #endif /* KSSL_DEBUG */
-
-- if ((s->session == NULL) || (ds == NULL) ||
-- (enc == NULL))
-+ if ((s->session == NULL) || (ds == NULL) || (enc == NULL))
- {
- memmove(rec->data,rec->input,rec->length);
- rec->input=rec->data;
-+ ret = 1;
- }
- else
- {
-@@ -797,13 +806,13 @@ int tls1_enc(SSL *s, int send)
-
- #ifdef KSSL_DEBUG
- {
-- unsigned long ui;
-+ unsigned long ui;
- printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
-- ds,rec->data,rec->input,l);
-+ ds,rec->data,rec->input,l);
- printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
-- ds->buf_len, ds->cipher->key_len,
-- DES_KEY_SZ, DES_SCHEDULE_SZ,
-- ds->cipher->iv_len);
-+ ds->buf_len, ds->cipher->key_len,
-+ DES_KEY_SZ, DES_SCHEDULE_SZ,
-+ ds->cipher->iv_len);
- printf("\t\tIV: ");
- for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
- printf("\n");
-@@ -816,13 +825,7 @@ int tls1_enc(SSL *s, int send)
- if (!send)
- {
- if (l == 0 || l%bs != 0)
-- {
-- if (s->version >= TLS1_1_VERSION)
-- return -1;
-- SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
-- ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
- return 0;
-- }
- }
-
- i = EVP_Cipher(ds,rec->data,rec->input,l);
-@@ -839,68 +842,24 @@ int tls1_enc(SSL *s, int send)
-
- #ifdef KSSL_DEBUG
- {
-- unsigned long i;
-- printf("\trec->data=");
-+ unsigned long i;
-+ printf("\trec->data=");
- for (i=0; i<l; i++)
-- printf(" %02x", rec->data[i]); printf("\n");
-- }
-+ printf(" %02x", rec->data[i]); printf("\n");
-+ }
- #endif /* KSSL_DEBUG */
-
-+ ret = 1;
-+ if (EVP_MD_CTX_md(s->read_hash) != NULL)
-+ mac_size = EVP_MD_CTX_size(s->read_hash);
- if ((bs != 1) && !send)
-- {
-- ii=i=rec->data[l-1]; /* padding_length */
-- i++;
-- /* NB: if compression is in operation the first packet
-- * may not be of even length so the padding bug check
-- * cannot be performed. This bug workaround has been
-- * around since SSLeay so hopefully it is either fixed
-- * now or no buggy implementation supports compression
-- * [steve]
-- */
-- if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
-- && !s->expand)
-- {
-- /* First packet is even in size, so check */
-- if ((memcmp(s->s3->read_sequence,
-- "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
-- s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
-- if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
-- i--;
-- }
-- /* TLS 1.0 does not bound the number of padding bytes by the block size.
-- * All of them must have value 'padding_length'. */
-- if (i > (int)rec->length)
-- {
-- /* Incorrect padding. SSLerr() and ssl3_alert are done
-- * by caller: we don't want to reveal whether this is
-- * a decryption error or a MAC verification failure
-- * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
-- return -1;
-- }
-- for (j=(int)(l-i); j<(int)l; j++)
-- {
-- if (rec->data[j] != ii)
-- {
-- /* Incorrect padding */
-- return -1;
-- }
-- }
-- rec->length -=i;
-- if (s->version >= TLS1_1_VERSION
-- && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE)
-- {
-- if (bs > (int)rec->length)
-- return -1;
-- rec->data += bs; /* skip the explicit IV */
-- rec->input += bs;
-- rec->length -= bs;
-- }
-- }
-+ ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
- if (pad && !send)
- rec->length -= pad;
- }
-- return(1);
-+ return ret;
- }
-+
- int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
- {
- unsigned int ret;
-@@ -993,7 +952,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
- size_t md_size;
- int i;
- EVP_MD_CTX hmac, *mac_ctx;
-- unsigned char buf[5];
-+ unsigned char header[13];
- int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
- int t;
-
-@@ -1014,12 +973,6 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
- OPENSSL_assert(t >= 0);
- md_size=t;
-
-- buf[0]=rec->type;
-- buf[1]=(unsigned char)(ssl->version>>8);
-- buf[2]=(unsigned char)(ssl->version);
-- buf[3]=rec->length>>8;
-- buf[4]=rec->length&0xff;
--
- /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
- if (stream_mac)
- {
-@@ -1038,17 +991,44 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
- s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
- memcpy (p,&seq[2],6);
-
-- EVP_DigestSignUpdate(mac_ctx,dtlsseq,8);
-+ memcpy(header, dtlsseq, 8);
- }
- else
-- EVP_DigestSignUpdate(mac_ctx,seq,8);
-+ memcpy(header, seq, 8);
-
-- EVP_DigestSignUpdate(mac_ctx,buf,5);
-- EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
-- t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
-- OPENSSL_assert(t > 0);
-+ header[8]=rec->type;
-+ header[9]=(unsigned char)(ssl->version>>8);
-+ header[10]=(unsigned char)(ssl->version);
-+ header[11]=(rec->length)>>8;
-+ header[12]=(rec->length)&0xff;
-+
-+ if (!send &&
-+ EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
-+ ssl3_cbc_record_digest_supported(mac_ctx))
-+ {
-+ /* This is a CBC-encrypted record. We must avoid leaking any
-+ * timing-side channel information about how many blocks of
-+ * data we are hashing because that gives an attacker a
-+ * timing-oracle. */
-+ ssl3_cbc_digest_record(
-+ mac_ctx,
-+ md, &md_size,
-+ header, rec->input,
-+ rec->length + md_size, rec->orig_len,
-+ ssl->s3->read_mac_secret,
-+ ssl->s3->read_mac_secret_size,
-+ 0 /* not SSLv3 */);
-+ }
-+ else
-+ {
-+ EVP_DigestSignUpdate(mac_ctx,header,sizeof(header));
-+ EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
-+ t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
-+ OPENSSL_assert(t > 0);
-+ }
-
-- if (!stream_mac) EVP_MD_CTX_cleanup(&hmac);
-+ if (!stream_mac)
-+ EVP_MD_CTX_cleanup(&hmac);
- #ifdef TLS_DEBUG
- printf("sec=");
- {unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
---
-1.8.1
-
diff --git a/patches/README b/patches/README
index a1d5313..6e2af83 100644
--- a/patches/README
+++ b/patches/README
@@ -14,44 +14,7 @@
Support for JSSE implementation based on OpenSSL.
-sha1_armv4_large.patch
-
-This patch eliminates memory stores to addresses below SP.
-
-
-mips_private.patch:
-
-Fix duplicate defines of labels AES_set_encrypt_key and AES_set_decrypt_key
-by prefixing Mips version with private_ .
-Revise import script to generate o32-abi .s files for Mips.
-
-
channelid.patch
Implements TLS Channel ID support as both a client and a server.
See http://tools.ietf.org/html/draft-balfanz-tls-channelid-00.
-
-
-clang.patch
-
-Fixes two minor compilation errors when building with the Clang compiler.
-
-
-recursive_lock_fix.patch
-
-Small fix to get rid of unwanted recursive mutex lock in X509_PUBKEY_get.
-See http://cvs.openssl.org/chngview?cn=22568 for upstream patch, and
-https://groups.google.com/d/topic/mailing.openssl.dev/4Z67vaaTChk/discussion
-for the most recent discussion.
-
-
-0001-Add-and-use-a-constant-time-memcmp.patch
-
-constant time memcmp
-
-
-0002-Make-CBC-decoding-constant-time.patch
-
-Make CBC decoding constant time CVE-2013-0169
-
-
diff --git a/patches/channelid.patch b/patches/channelid.patch
index be34cb8..03c6931 100644
--- a/patches/channelid.patch
+++ b/patches/channelid.patch
@@ -41,11 +41,10 @@
diff -ur openssl/ssl/s3_clnt.c openssl.channelid/ssl/s3_clnt.c
--- openssl/ssl/s3_clnt.c 2012-08-28 16:04:21.173349370 -0400
+++ openssl.channelid/ssl/s3_clnt.c 2012-08-28 16:04:42.563646142 -0400
-@@ -465,14 +465,14 @@
+@@ -465,13 +465,14 @@
SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
if (ret <= 0) goto end;
--
-#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
s->state=SSL3_ST_CW_FINISHED_A;
-#else
@@ -715,31 +714,35 @@
} SSL3_STATE;
#endif
-@@ -581,6 +592,8 @@
+@@ -581,7 +592,9 @@
#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT)
#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT)
+ #endif
+#define SSL3_ST_CW_CHANNEL_ID_A (0x210|SSL_ST_CONNECT)
+#define SSL3_ST_CW_CHANNEL_ID_B (0x211|SSL_ST_CONNECT)
#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT)
/* read from server */
-@@ -631,8 +644,11 @@
+@@ -631,10 +644,13 @@
#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_POST_CLIENT_CERT (0x1BF|SSL_ST_ACCEPT)
+ #ifndef OPENSSL_NO_NEXTPROTONEG
#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT)
#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT)
+ #endif
+#define SSL3_ST_SR_CHANNEL_ID_A (0x220|SSL_ST_ACCEPT)
+#define SSL3_ST_SR_CHANNEL_ID_B (0x221|SSL_ST_ACCEPT)
#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT)
/* write to client */
-@@ -658,6 +674,7 @@
+@@ -658,7 +674,8 @@
#define SSL3_MT_FINISHED 20
#define SSL3_MT_CERTIFICATE_STATUS 22
#define SSL3_MT_NEXT_PROTO 67
+ #endif
+#define SSL3_MT_ENCRYPTED_EXTENSIONS 203
#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
diff --git a/patches/clang.patch b/patches/clang.patch
deleted file mode 100644
index 285945e..0000000
--- a/patches/clang.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff --git a/openssl/crypto/bio/bss_dgram.c b/openssl/crypto/bio/bss_dgram.c
-index 71ebe98..a6d882b 100644
---- a/crypto/bio/bss_dgram.c
-+++ b/crypto/bio/bss_dgram.c
-@@ -378,7 +378,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
- bio_dgram_data *data = NULL;
- #if defined(IP_MTU_DISCOVER) || defined(IP_MTU)
- long sockopt_val = 0;
-- unsigned int sockopt_len = 0;
-+ socklen_t sockopt_len = 0;
- #endif
- #ifdef OPENSSL_SYS_LINUX
- socklen_t addr_len;
-diff --git a/openssl/crypto/cryptlib.c b/openssl/crypto/cryptlib.c
-index 387a987..5dfeec7 100644
---- a/crypto/cryptlib.c
-+++ b/crypto/cryptlib.c
-@@ -500,7 +500,7 @@ void CRYPTO_THREADID_current(CRYPTO_THREADID *id)
- CRYPTO_THREADID_set_numeric(id, (unsigned long)find_thread(NULL));
- #else
- /* For everything else, default to using the address of 'errno' */
-- CRYPTO_THREADID_set_pointer(id, &errno);
-+ CRYPTO_THREADID_set_pointer(id, (void*)&errno);
- #endif
- }
-
diff --git a/patches/jsse.patch b/patches/jsse.patch
index 80e5357..e4fa3b4 100644
--- a/patches/jsse.patch
+++ b/patches/jsse.patch
@@ -301,8 +301,8 @@
- else if (s->version == TLS1_1_VERSION)
+ else if (version == TLS1_1_VERSION)
return("TLSv1.1");
-- if (s->version == TLS1_VERSION)
-+ if (version == TLS1_VERSION)
+- else if (s->version == TLS1_VERSION)
++ else if (version == TLS1_VERSION)
return("TLSv1");
- else if (s->version == SSL3_VERSION)
+ else if (version == SSL3_VERSION)
diff --git a/patches/mips_private.patch b/patches/mips_private.patch
deleted file mode 100644
index 97c076a..0000000
--- a/patches/mips_private.patch
+++ /dev/null
@@ -1,64 +0,0 @@
---- openssl-1.0.1c.orig/crypto/aes/asm/aes-mips.pl 2011-11-14 20:55:23.000000000 +0000
-+++ openssl-1.0.1c/crypto/aes/asm/aes-mips.pl 2012-08-14 22:13:55.250604273 +0000
-@@ -1036,9 +1036,9 @@ _mips_AES_set_encrypt_key:
- nop
- .end _mips_AES_set_encrypt_key
-
--.globl AES_set_encrypt_key
--.ent AES_set_encrypt_key
--AES_set_encrypt_key:
-+.globl private_AES_set_encrypt_key
-+.ent private_AES_set_encrypt_key
-+private_AES_set_encrypt_key:
- .frame $sp,$FRAMESIZE,$ra
- .mask $SAVED_REGS_MASK,-$SZREG
- .set noreorder
-@@ -1060,7 +1060,7 @@ $code.=<<___ if ($flavour =~ /nubi/i); #
- ___
- $code.=<<___ if ($flavour !~ /o32/i); # non-o32 PIC-ification
- .cplocal $Tbl
-- .cpsetup $pf,$zero,AES_set_encrypt_key
-+ .cpsetup $pf,$zero,private_AES_set_encrypt_key
- ___
- $code.=<<___;
- .set reorder
-@@ -1083,7 +1083,7 @@ ___
- $code.=<<___;
- jr $ra
- $PTR_ADD $sp,$FRAMESIZE
--.end AES_set_encrypt_key
-+.end private_AES_set_encrypt_key
- ___
- �
- my ($head,$tail)=($inp,$bits);
-@@ -1091,9 +1091,9 @@ my ($tp1,$tp2,$tp4,$tp8,$tp9,$tpb,$tpd,$
- my ($m,$x80808080,$x7f7f7f7f,$x1b1b1b1b)=($at,$t0,$t1,$t2);
- $code.=<<___;
- .align 5
--.globl AES_set_decrypt_key
--.ent AES_set_decrypt_key
--AES_set_decrypt_key:
-+.globl private_AES_set_decrypt_key
-+.ent private_AES_set_decrypt_key
-+private_AES_set_decrypt_key:
- .frame $sp,$FRAMESIZE,$ra
- .mask $SAVED_REGS_MASK,-$SZREG
- .set noreorder
-@@ -1115,7 +1115,7 @@ $code.=<<___ if ($flavour =~ /nubi/i); #
- ___
- $code.=<<___ if ($flavour !~ /o32/i); # non-o32 PIC-ification
- .cplocal $Tbl
-- .cpsetup $pf,$zero,AES_set_decrypt_key
-+ .cpsetup $pf,$zero,private_AES_set_decrypt_key
- ___
- $code.=<<___;
- .set reorder
-@@ -1226,7 +1226,7 @@ ___
- $code.=<<___;
- jr $ra
- $PTR_ADD $sp,$FRAMESIZE
--.end AES_set_decrypt_key
-+.end private_AES_set_decrypt_key
- ___
- }}}
-
diff --git a/patches/recursive_lock_fix.patch b/patches/recursive_lock_fix.patch
deleted file mode 100644
index b2e8e2b..0000000
--- a/patches/recursive_lock_fix.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-Index: openssl/crypto/asn1/x_pubkey.c
-RCS File: /v/openssl/cvs/openssl/crypto/asn1/x_pubkey.c,v
-rcsdiff -q -kk '-r1.38.2.2' '-r1.38.2.3' -u '/v/openssl/cvs/openssl/crypto/asn1/x_pubkey.c,v' 2>/dev/null
---- x_pubkey.c 2012/02/28 14:47:36 1.38.2.2
-+++ x_pubkey.c 2012/05/11 13:49:15 1.38.2.3
-@@ -371,12 +371,15 @@
- CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
- if (key->pkey)
- {
-+ CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
- EVP_PKEY_free(ret);
- ret = key->pkey;
- }
- else
-+ {
- key->pkey = ret;
-- CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
-+ CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
-+ }
- CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
- return(ret);
- err:
diff --git a/patches/sha1_armv4_large.patch b/patches/sha1_armv4_large.patch
deleted file mode 100644
index 359ff94..0000000
--- a/patches/sha1_armv4_large.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff --git a/crypto/sha/asm/sha1-armv4-large.pl b/crypto/sha/asm/sha1-armv4-large.pl
-index 6e65fe3..79e3f61 100644
---- a/crypto/sha/asm/sha1-armv4-large.pl
-+++ b/crypto/sha/asm/sha1-armv4-large.pl
-@@ -161,6 +161,7 @@ for($i=0;$i<5;$i++) {
- $code.=<<___;
- teq $Xi,sp
- bne .L_00_15 @ [((11+4)*5+2)*3]
-+ sub sp,sp,#5*4
- ___
- &BODY_00_15(@V); unshift(@V,pop(@V));
- &BODY_16_19(@V); unshift(@V,pop(@V));
-@@ -170,7 +171,7 @@ ___
- $code.=<<___;
-
- ldr $K,.LK_20_39 @ [+15+16*4]
-- sub sp,sp,#25*4
-+ sub sp,sp,#20*4
- cmn sp,#0 @ [+3], clear carry to denote 20_39
- .L_20_39_or_60_79:
- ___
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 02c881a..b0302a7 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -379,7 +379,7 @@
int enc_err;
SSL_SESSION *sess;
SSL3_RECORD *rr;
- unsigned int mac_size;
+ unsigned int mac_size, orig_len;
unsigned char md[EVP_MAX_MD_SIZE];
rr= &(s->s3->rrec);
@@ -410,7 +410,7 @@
/* decrypt in place in 'rr->input' */
rr->data=rr->input;
- rr->orig_len=rr->length;
+ orig_len=rr->length;
enc_err = s->method->ssl3_enc->enc(s,0);
/* enc_err is:
@@ -447,13 +447,13 @@
* therefore we can safely process the record in a different
* amount of time if it's too short to possibly contain a MAC.
*/
- if (rr->orig_len < mac_size ||
+ if (orig_len < mac_size ||
/* CBC records must have a padding length byte too. */
(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
- rr->orig_len < mac_size+1))
+ orig_len < mac_size+1))
{
al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
+ SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
goto f_err;
}
@@ -465,12 +465,12 @@
* without leaking the contents of the padding bytes.
* */
mac = mac_tmp;
- ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
+ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
rr->length -= mac_size;
}
else
{
- /* In this case there's no padding, so |rec->orig_len|
+ /* In this case there's no padding, so |orig_len|
* equals |rec->length| and we checked that there's
* enough bytes for |mac_size| above. */
rr->length -= mac_size;
diff --git a/ssl/dtls1.h b/ssl/dtls1.h
index 5008bf6..e65d501 100644
--- a/ssl/dtls1.h
+++ b/ssl/dtls1.h
@@ -57,8 +57,8 @@
*
*/
-#ifndef HEADER_DTLS1_H
-#define HEADER_DTLS1_H
+#ifndef HEADER_DTLS1_H
+#define HEADER_DTLS1_H
#include <openssl/buffer.h>
#include <openssl/pqueue.h>
@@ -72,8 +72,12 @@
#elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
#include <sys/timeval.h>
#else
+#if defined(OPENSSL_SYS_VXWORKS)
+#include <sys/times.h>
+#else
#include <sys/time.h>
#endif
+#endif
#ifdef __cplusplus
extern "C" {
diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c
index 954f398..03b6cf9 100644
--- a/ssl/s2_clnt.c
+++ b/ssl/s2_clnt.c
@@ -359,12 +359,14 @@
SSL_R_PEER_ERROR);
return(-1);
}
-#ifdef __APPLE_CC__
- /* The Rhapsody 5.5 (a.k.a. MacOS X) compiler bug
- * workaround. <appro@fy.chalmers.se> */
- s->hit=(i=*(p++))?1:0;
-#else
+#if 0
s->hit=(*(p++))?1:0;
+ /* Some [PPC?] compilers fail to increment p in above
+ statement, e.g. one provided with Rhapsody 5.5, but
+ most recent example XL C 11.1 for AIX, even without
+ optimization flag... */
+#else
+ s->hit=(*p)?1:0; p++;
#endif
s->s2->tmp.cert_type= *(p++);
n2s(p,i);
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index bc885e8..2cba426 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -1059,10 +1059,12 @@
EVP_PKEY *pkey=NULL;
EVP_MD_CTX_init(&ctx);
- EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL);
- EVP_VerifyUpdate(&ctx,s->s2->key_material,
- s->s2->key_material_length);
- EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+ if (!EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL)
+ || !EVP_VerifyUpdate(&ctx,s->s2->key_material,
+ s->s2->key_material_length)
+ || !EVP_VerifyUpdate(&ctx,ccd,
+ SSL2_MIN_CERT_CHALLENGE_LENGTH))
+ goto msg_end;
i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
buf2=OPENSSL_malloc((unsigned int)i);
@@ -1073,7 +1075,11 @@
}
p2=buf2;
i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
- EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i);
+ if (!EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i))
+ {
+ OPENSSL_free(buf2);
+ goto msg_end;
+ }
OPENSSL_free(buf2);
pkey=X509_get_pubkey(x509);
diff --git a/ssl/s3_both.c b/ssl/s3_both.c
index c775cd8..514ff85 100644
--- a/ssl/s3_both.c
+++ b/ssl/s3_both.c
@@ -204,7 +204,8 @@
#ifndef OPENSSL_NO_NEXTPROTONEG
/* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */
-static void ssl3_take_mac(SSL *s) {
+static void ssl3_take_mac(SSL *s)
+ {
const char *sender;
int slen;
@@ -221,7 +222,7 @@
s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
sender,slen,s->s3->tmp.peer_finish_md);
-}
+ }
#endif
int ssl3_get_finished(SSL *s, int a, int b)
@@ -231,8 +232,9 @@
unsigned char *p;
#ifdef OPENSSL_NO_NEXTPROTONEG
- /* the mac has already been generated when we received the change
- * cipher spec message and is in s->s3->tmp.peer_finish_md. */
+ /* the mac has already been generated when we received the
+ * change cipher spec message and is in s->s3->tmp.peer_finish_md.
+ */
#endif
n=s->method->ssl_get_message(s,
@@ -544,12 +546,14 @@
s->init_num += i;
n -= i;
}
+
#ifndef OPENSSL_NO_NEXTPROTONEG
/* If receiving Finished, record MAC of prior handshake messages for
* Finished verification. */
if (*s->init_buf->data == SSL3_MT_FINISHED)
ssl3_take_mac(s);
#endif
+
/* Feed this message into MAC computation. */
if (*s->init_buf->data != SSL3_MT_ENCRYPTED_EXTENSIONS)
ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index e9b112c..3c2c165 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -53,8 +53,6 @@
*
*/
-#include <stdint.h>
-
#include "ssl_locl.h"
#include <openssl/md5.h>
@@ -118,7 +116,9 @@
good = constant_time_ge(rec->length, padding_length+overhead);
/* SSLv3 requires that the padding is minimal. */
good &= constant_time_ge(block_size, padding_length+1);
- rec->length -= good & (padding_length+1);
+ padding_length = good & (padding_length+1);
+ rec->length -= padding_length;
+ rec->type |= padding_length<<8; /* kludge: pass padding length */
return (int)((good & 1) | (~good & -1));
}
@@ -150,6 +150,21 @@
if (overhead > rec->length)
return 0;
+ /* We can always safely skip the explicit IV. We check at the beginning
+ * of this function that the record has at least enough space for the
+ * IV, MAC and padding length byte. (These can be checked in
+ * non-constant time because it's all public information.) So, if the
+ * padding was invalid, then we didn't change |rec->length| and this is
+ * safe. If the padding was valid then we know that we have at least
+ * overhead+padding_length bytes of space and so this is still safe
+ * because overhead accounts for the explicit IV. */
+ if (has_explicit_iv)
+ {
+ rec->data += block_size;
+ rec->input += block_size;
+ rec->length -= block_size;
+ }
+
padding_length = rec->data[rec->length-1];
/* NB: if compression is in operation the first packet may not be of
@@ -172,6 +187,13 @@
}
}
+ if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER)
+ {
+ /* padding is already verified */
+ rec->length -= padding_length;
+ return 1;
+ }
+
good = constant_time_ge(rec->length, overhead+padding_length);
/* The padding consists of a length byte at the end of the record and
* then that many bytes of padding, all with the same value as the
@@ -205,23 +227,9 @@
good <<= sizeof(good)*8-1;
good = DUPLICATE_MSB_TO_ALL(good);
- rec->length -= good & (padding_length+1);
-
- /* We can always safely skip the explicit IV. We check at the beginning
- * of this function that the record has at least enough space for the
- * IV, MAC and padding length byte. (These can be checked in
- * non-constant time because it's all public information.) So, if the
- * padding was invalid, then we didn't change |rec->length| and this is
- * safe. If the padding was valid then we know that we have at least
- * overhead+padding_length bytes of space and so this is still safe
- * because overhead accounts for the explicit IV. */
- if (has_explicit_iv)
- {
- rec->data += block_size;
- rec->input += block_size;
- rec->length -= block_size;
- rec->orig_len -= block_size;
- }
+ padding_length = good & (padding_length+1);
+ rec->length -= padding_length;
+ rec->type |= padding_length<<8; /* kludge: pass padding length */
return (int)((good & 1) | (~good & -1));
}
@@ -248,7 +256,7 @@
*/
void ssl3_cbc_copy_mac(unsigned char* out,
const SSL3_RECORD *rec,
- unsigned md_size)
+ unsigned md_size,unsigned orig_len)
{
#if defined(CBC_MAC_ROTATE_IN_PLACE)
unsigned char rotated_mac_buf[EVP_MAX_MD_SIZE*2];
@@ -267,7 +275,7 @@
unsigned div_spoiler;
unsigned rotate_offset;
- OPENSSL_assert(rec->orig_len >= md_size);
+ OPENSSL_assert(orig_len >= md_size);
OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
#if defined(CBC_MAC_ROTATE_IN_PLACE)
@@ -275,8 +283,8 @@
#endif
/* This information is public so it's safe to branch based on it. */
- if (rec->orig_len > md_size + 255 + 1)
- scan_start = rec->orig_len - (md_size + 255 + 1);
+ if (orig_len > md_size + 255 + 1)
+ scan_start = orig_len - (md_size + 255 + 1);
/* div_spoiler contains a multiple of md_size that is used to cause the
* modulo operation to be constant time. Without this, the time varies
* based on the amount of padding when running on Intel chips at least.
@@ -289,9 +297,9 @@
rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
memset(rotated_mac, 0, md_size);
- for (i = scan_start; i < rec->orig_len;)
+ for (i = scan_start; i < orig_len;)
{
- for (j = 0; j < md_size && i < rec->orig_len; i++, j++)
+ for (j = 0; j < md_size && i < orig_len; i++, j++)
{
unsigned char mac_started = constant_time_ge(i, mac_start);
unsigned char mac_ended = constant_time_ge(i, mac_end);
@@ -341,7 +349,9 @@
l2n(sha1->h3, md_out);
l2n(sha1->h4, md_out);
}
+#define LARGEST_DIGEST_CTX SHA_CTX
+#ifndef OPENSSL_NO_SHA256
static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out)
{
SHA256_CTX *sha256 = ctx;
@@ -352,7 +362,11 @@
l2n(sha256->h[i], md_out);
}
}
+#undef LARGEST_DIGEST_CTX
+#define LARGEST_DIGEST_CTX SHA256_CTX
+#endif
+#ifndef OPENSSL_NO_SHA512
static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
{
SHA512_CTX *sha512 = ctx;
@@ -363,19 +377,30 @@
l2n8(sha512->h[i], md_out);
}
}
+#undef LARGEST_DIGEST_CTX
+#define LARGEST_DIGEST_CTX SHA512_CTX
+#endif
/* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
* which ssl3_cbc_digest_record supports. */
char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx)
{
- switch (ctx->digest->type)
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode())
+ return 0;
+#endif
+ switch (EVP_MD_CTX_type(ctx))
{
case NID_md5:
case NID_sha1:
+#ifndef OPENSSL_NO_SHA256
case NID_sha224:
case NID_sha256:
+#endif
+#ifndef OPENSSL_NO_SHA512
case NID_sha384:
case NID_sha512:
+#endif
return 1;
default:
return 0;
@@ -413,14 +438,15 @@
unsigned mac_secret_length,
char is_sslv3)
{
- unsigned char md_state[sizeof(SHA512_CTX)];
+ union { double align;
+ unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; } md_state;
void (*md_final_raw)(void *ctx, unsigned char *md_out);
void (*md_transform)(void *ctx, const unsigned char *block);
unsigned md_size, md_block_size = 64;
unsigned sslv3_pad_length = 40, header_length, variance_blocks,
len, max_mac_bytes, num_blocks,
num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
- uint64_t bits;
+ unsigned int bits; /* at most 18 bits */
unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
/* hmac_pad is the masked HMAC key. */
unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
@@ -436,35 +462,38 @@
* many possible overflows later in this function. */
OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024);
- switch (ctx->digest->type)
+ switch (EVP_MD_CTX_type(ctx))
{
case NID_md5:
- MD5_Init((MD5_CTX*)md_state);
+ MD5_Init((MD5_CTX*)md_state.c);
md_final_raw = tls1_md5_final_raw;
md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
md_size = 16;
sslv3_pad_length = 48;
break;
case NID_sha1:
- SHA1_Init((SHA_CTX*)md_state);
+ SHA1_Init((SHA_CTX*)md_state.c);
md_final_raw = tls1_sha1_final_raw;
md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform;
md_size = 20;
break;
+#ifndef OPENSSL_NO_SHA256
case NID_sha224:
- SHA224_Init((SHA256_CTX*)md_state);
+ SHA224_Init((SHA256_CTX*)md_state.c);
md_final_raw = tls1_sha256_final_raw;
md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
md_size = 224/8;
break;
case NID_sha256:
- SHA256_Init((SHA256_CTX*)md_state);
+ SHA256_Init((SHA256_CTX*)md_state.c);
md_final_raw = tls1_sha256_final_raw;
md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
md_size = 32;
break;
+#endif
+#ifndef OPENSSL_NO_SHA512
case NID_sha384:
- SHA384_Init((SHA512_CTX*)md_state);
+ SHA384_Init((SHA512_CTX*)md_state.c);
md_final_raw = tls1_sha512_final_raw;
md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
md_size = 384/8;
@@ -472,13 +501,14 @@
md_length_size = 16;
break;
case NID_sha512:
- SHA512_Init((SHA512_CTX*)md_state);
+ SHA512_Init((SHA512_CTX*)md_state.c);
md_final_raw = tls1_sha512_final_raw;
md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
md_size = 64;
md_block_size = 128;
md_length_size = 16;
break;
+#endif
default:
/* ssl3_cbc_record_digest_supported should have been
* called first to check that the hash function is
@@ -577,17 +607,14 @@
for (i = 0; i < md_block_size; i++)
hmac_pad[i] ^= 0x36;
- md_transform(md_state, hmac_pad);
+ md_transform(md_state.c, hmac_pad);
}
- j = 0;
- if (md_length_size == 16)
- {
- memset(length_bytes, 0, 8);
- j = 8;
- }
- for (i = 0; i < 8; i++)
- length_bytes[i+j] = bits >> (8*(7-i));
+ memset(length_bytes,0,md_length_size-4);
+ length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
+ length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
+ length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
+ length_bytes[md_length_size-1] = (unsigned char)bits;
if (k > 0)
{
@@ -598,21 +625,21 @@
* block that the header consumes: either 7 bytes
* (SHA1) or 11 bytes (MD5). */
unsigned overhang = header_length-md_block_size;
- md_transform(md_state, header);
+ md_transform(md_state.c, header);
memcpy(first_block, header + md_block_size, overhang);
memcpy(first_block + overhang, data, md_block_size-overhang);
- md_transform(md_state, first_block);
+ md_transform(md_state.c, first_block);
for (i = 1; i < k/md_block_size - 1; i++)
- md_transform(md_state, data + md_block_size*i - overhang);
+ md_transform(md_state.c, data + md_block_size*i - overhang);
}
else
{
/* k is a multiple of md_block_size. */
memcpy(first_block, header, 13);
memcpy(first_block+13, data, md_block_size-13);
- md_transform(md_state, first_block);
+ md_transform(md_state.c, first_block);
for (i = 1; i < k/md_block_size; i++)
- md_transform(md_state, data + md_block_size*i - 13);
+ md_transform(md_state.c, data + md_block_size*i - 13);
}
}
@@ -662,8 +689,8 @@
block[j] = b;
}
- md_transform(md_state, block);
- md_final_raw(md_state, block);
+ md_transform(md_state.c, block);
+ md_final_raw(md_state.c, block);
/* If this is index_b, copy the hash value to |mac_out|. */
for (j = 0; j < md_size; j++)
mac_out[j] |= block[j]&is_block_b;
@@ -694,3 +721,50 @@
*md_out_size = md_out_size_u;
EVP_MD_CTX_cleanup(&md_ctx);
}
+
+#ifdef OPENSSL_FIPS
+
+/* Due to the need to use EVP in FIPS mode we can't reimplement digests but
+ * we can ensure the number of blocks processed is equal for all cases
+ * by digesting additional data.
+ */
+
+void tls_fips_digest_extra(
+ const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
+ const unsigned char *data, size_t data_len, size_t orig_len)
+ {
+ size_t block_size, digest_pad, blocks_data, blocks_orig;
+ if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
+ return;
+ block_size = EVP_MD_CTX_block_size(mac_ctx);
+ /* We are in FIPS mode if we get this far so we know we have only SHA*
+ * digests and TLS to deal with.
+ * Minimum digest padding length is 17 for SHA384/SHA512 and 9
+ * otherwise.
+ * Additional header is 13 bytes. To get the number of digest blocks
+ * processed round up the amount of data plus padding to the nearest
+ * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
+ * So we have:
+ * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
+ * equivalently:
+ * blocks = (payload_len + digest_pad + 12)/block_size + 1
+ * HMAC adds a constant overhead.
+ * We're ultimately only interested in differences so this becomes
+ * blocks = (payload_len + 29)/128
+ * for SHA384/SHA512 and
+ * blocks = (payload_len + 21)/64
+ * otherwise.
+ */
+ digest_pad = block_size == 64 ? 21 : 29;
+ blocks_orig = (orig_len + digest_pad)/block_size;
+ blocks_data = (data_len + digest_pad)/block_size;
+ /* MAC enough blocks to make up the difference between the original
+ * and actual lengths plus one extra block to ensure this is never a
+ * no op. The "data" pointer should always have enough space to
+ * perform this operation as it is large enough for a maximum
+ * length TLS buffer.
+ */
+ EVP_DigestSignUpdate(mac_ctx, data,
+ (blocks_orig - blocks_data + 1) * block_size);
+ }
+#endif
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index a0eac77..e3cd4f0 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -709,7 +709,7 @@
EVP_MD_CTX md_ctx;
const EVP_MD_CTX *hash;
unsigned char *p,rec_char;
- size_t md_size;
+ size_t md_size, orig_len;
int npad;
int t;
@@ -734,6 +734,10 @@
md_size=t;
npad=(48/md_size)*md_size;
+ /* kludge: ssl3_cbc_remove_padding passes padding length in rec->type */
+ orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
+ rec->type &= 0xff;
+
if (!send &&
EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
ssl3_cbc_record_digest_supported(hash))
@@ -765,7 +769,7 @@
hash,
md, &md_size,
header, rec->input,
- rec->length + md_size, rec->orig_len,
+ rec->length + md_size, orig_len,
mac_sec, md_size,
1 /* is SSLv3 */);
}
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 50aa465..0be87e8 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -1125,7 +1125,7 @@
0, /* not implemented (non-ephemeral DH) */
TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
- SSL_kDHr,
+ SSL_kDHd,
SSL_aDH,
SSL_AES128,
SSL_SHA256,
@@ -1407,7 +1407,7 @@
0, /* not implemented (non-ephemeral DH) */
TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
- SSL_kDHr,
+ SSL_kDHd,
SSL_aDH,
SSL_AES256,
SSL_SHA256,
@@ -1958,7 +1958,7 @@
0,
TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
- SSL_kDHr,
+ SSL_kDHd,
SSL_aDH,
SSL_AES128GCM,
SSL_AEAD,
@@ -1974,7 +1974,7 @@
0,
TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
- SSL_kDHr,
+ SSL_kDHd,
SSL_aDH,
SSL_AES256GCM,
SSL_AEAD,
@@ -2669,7 +2669,7 @@
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
- SSL_kECDHe,
+ SSL_kECDHr,
SSL_aECDH,
SSL_AES128,
SSL_SHA256,
@@ -2685,7 +2685,7 @@
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
- SSL_kECDHe,
+ SSL_kECDHr,
SSL_aECDH,
SSL_AES256,
SSL_SHA384,
@@ -2799,7 +2799,7 @@
1,
TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
- SSL_kECDHe,
+ SSL_kECDHr,
SSL_aECDH,
SSL_AES128GCM,
SSL_AEAD,
@@ -2815,7 +2815,7 @@
1,
TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
- SSL_kECDHe,
+ SSL_kECDHr,
SSL_aECDH,
SSL_AES256GCM,
SSL_AEAD,
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 5289092..bf8da98 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -290,7 +290,7 @@
unsigned char *p;
unsigned char md[EVP_MAX_MD_SIZE];
short version;
- unsigned mac_size;
+ unsigned mac_size, orig_len;
size_t extra;
rr= &(s->s3->rrec);
@@ -398,7 +398,7 @@
/* decrypt in place in 'rr->input' */
rr->data=rr->input;
- rr->orig_len=rr->length;
+ orig_len=rr->length;
enc_err = s->method->ssl3_enc->enc(s,0);
/* enc_err is:
@@ -408,7 +408,7 @@
if (enc_err == 0)
{
al=SSL_AD_DECRYPTION_FAILED;
- SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
goto f_err;
}
@@ -434,10 +434,10 @@
* therefore we can safely process the record in a different
* amount of time if it's too short to possibly contain a MAC.
*/
- if (rr->orig_len < mac_size ||
+ if (orig_len < mac_size ||
/* CBC records must have a padding length byte too. */
(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
- rr->orig_len < mac_size+1))
+ orig_len < mac_size+1))
{
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
@@ -452,12 +452,12 @@
* without leaking the contents of the padding bytes.
* */
mac = mac_tmp;
- ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
+ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
rr->length -= mac_size;
}
else
{
- /* In this case there's no padding, so |rec->orig_len|
+ /* In this case there's no padding, so |orig_len|
* equals |rec->length| and we checked that there's
* enough bytes for |mac_size| above. */
rr->length -= mac_size;
@@ -746,6 +746,7 @@
* bytes and record version number > TLS 1.0
*/
if (s->state == SSL3_ST_CW_CLNT_HELLO_B
+ && !s->renegotiate
&& TLS1_get_version(s) > TLS1_VERSION)
*(p++) = 0x1;
else
@@ -1240,7 +1241,7 @@
goto f_err;
}
#ifdef SSL_AD_MISSING_SRP_USERNAME
- if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
+ else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
return(0);
#endif
}
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index c5c53dc..da1c2e8 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -194,7 +194,8 @@
{
if(s->srp_ctx.login == NULL)
{
- /* There isn't any srp login extension !!! */
+ /* RFC 5054 says SHOULD reject,
+ we do so if There is no srp login name */
ret = SSL3_AL_FATAL;
*al = SSL_AD_UNKNOWN_PSK_IDENTITY;
}
@@ -381,6 +382,7 @@
}
}
#endif
+
s->renegotiate = 2;
s->state=SSL3_ST_SW_SRVR_HELLO_A;
s->init_num=0;
@@ -1205,7 +1207,7 @@
goto f_err;
}
}
- if (ssl_check_clienthello_tlsext(s) <= 0) {
+ if (ssl_check_clienthello_tlsext_early(s) <= 0) {
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
goto err;
}
@@ -1427,6 +1429,16 @@
* s->tmp.new_cipher - the new cipher to use.
*/
+ /* Handles TLS extensions that we couldn't check earlier */
+ if (s->version >= SSL3_VERSION)
+ {
+ if (ssl_check_clienthello_tlsext_late(s) <= 0)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
+ goto err;
+ }
+ }
+
if (ret < 0) ret=1;
if (0)
{
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 1aaadf3..5695aae 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -493,6 +493,9 @@
char *psk_identity_hint;
char *psk_identity;
#endif
+ /* Used to indicate that session resumption is not allowed.
+ * Applications can also set this bit for a new session via
+ * not_resumable_session_cb to disable session caching and tickets. */
int not_resumable;
/* The cert is the certificate used to establish this connection */
@@ -535,7 +538,7 @@
#endif /* OPENSSL_NO_EC */
/* RFC4507 info */
unsigned char *tlsext_tick; /* Session ticket */
- size_t tlsext_ticklen; /* Session ticket length */
+ size_t tlsext_ticklen; /* Session ticket length */
long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
#endif
#ifndef OPENSSL_NO_SRP
@@ -931,6 +934,7 @@
/* Callback for status request */
int (*tlsext_status_cb)(SSL *ssl, void *arg);
void *tlsext_status_arg;
+
/* draft-rescorla-tls-opaque-prf-input-00.txt information */
int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
void *tlsext_opaque_prf_input_callback_arg;
@@ -956,6 +960,7 @@
#endif
#ifndef OPENSSL_NO_TLSEXT
+
# ifndef OPENSSL_NO_NEXTPROTONEG
/* Next protocol negotiation information */
/* (for experimental NPN extension). */
@@ -2262,6 +2267,7 @@
#define SSL_F_SSL_GET_NEW_SESSION 181
#define SSL_F_SSL_GET_PREV_SESSION 217
#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
+#define SSL_F_SSL_GET_SERVER_SEND_PKEY 317
#define SSL_F_SSL_GET_SIGN_PKEY 183
#define SSL_F_SSL_INIT_WBIO_BUFFER 184
#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index 879be13..fee9671 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -355,10 +355,6 @@
/*r */ unsigned char *comp; /* only used with decompression - malloc()ed */
/*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */
/*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */
-/*rw*/ unsigned int orig_len; /* How many bytes were available before padding
- was removed? This is used to implement the
- MAC check in constant time for CBC records.
- */
} SSL3_RECORD;
typedef struct ssl3_buffer_st
@@ -594,8 +590,10 @@
#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
+#ifndef OPENSSL_NO_NEXTPROTONEG
#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT)
#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT)
+#endif
#define SSL3_ST_CW_CHANNEL_ID_A (0x210|SSL_ST_CONNECT)
#define SSL3_ST_CW_CHANNEL_ID_B (0x211|SSL_ST_CONNECT)
#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
@@ -648,8 +646,10 @@
#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
#define SSL3_ST_SR_POST_CLIENT_CERT (0x1BF|SSL_ST_ACCEPT)
+#ifndef OPENSSL_NO_NEXTPROTONEG
#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT)
#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT)
+#endif
#define SSL3_ST_SR_CHANNEL_ID_A (0x220|SSL_ST_ACCEPT)
#define SSL3_ST_SR_CHANNEL_ID_B (0x221|SSL_ST_ACCEPT)
#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
@@ -676,7 +676,9 @@
#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
#define SSL3_MT_FINISHED 20
#define SSL3_MT_CERTIFICATE_STATUS 22
+#ifndef OPENSSL_NO_NEXTPROTONEG
#define SSL3_MT_NEXT_PROTO 67
+#endif
#define SSL3_MT_ENCRYPTED_EXTENSIONS 203
#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index 41ccbaa..9c34d19 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -90,12 +90,10 @@
EVP_add_cipher(EVP_aes_256_cbc());
EVP_add_cipher(EVP_aes_128_gcm());
EVP_add_cipher(EVP_aes_256_gcm());
-#if 0 /* Disabled because of timing side-channel leaks. */
#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
#endif
-#endif
#endif
#ifndef OPENSSL_NO_CAMELLIA
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 917be31..5123a89 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -164,14 +164,14 @@
{
/* Set digest values to defaults */
#ifndef OPENSSL_NO_DSA
- cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
+ cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
#endif
#ifndef OPENSSL_NO_RSA
cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
#endif
#ifndef OPENSSL_NO_ECDSA
- cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
+ cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
#endif
}
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 55deaaf..e8794d4 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -312,6 +312,7 @@
{0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0},
{0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0},
{0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0},
+ {0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0},
/* export flag */
{0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0},
@@ -1150,9 +1151,9 @@
while ( ((ch >= 'A') && (ch <= 'Z')) ||
((ch >= '0') && (ch <= '9')) ||
((ch >= 'a') && (ch <= 'z')) ||
- (ch == '-'))
+ (ch == '-') || (ch == '.'))
#else
- while ( isalnum(ch) || (ch == '-'))
+ while ( isalnum(ch) || (ch == '-') || (ch == '.'))
#endif
{
ch = *(++l);
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index fbefce3..c40c718 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -230,6 +230,7 @@
{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"},
{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"},
{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"},
+{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_PKEY), "SSL_GET_SERVER_SEND_PKEY"},
{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"},
{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 4db0fef..c94ff26 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -2321,7 +2321,7 @@
#endif
/* THIS NEEDS CLEANING UP */
-X509 *ssl_get_server_send_cert(SSL *s)
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
{
unsigned long alg_k,alg_a;
CERT *c;
@@ -2376,12 +2376,20 @@
i=SSL_PKEY_GOST01;
else /* if (alg_a & SSL_aNULL) */
{
- SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR);
+ SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,ERR_R_INTERNAL_ERROR);
return(NULL);
}
- if (c->pkeys[i].x509 == NULL) return(NULL);
- return(c->pkeys[i].x509);
+ return c->pkeys + i;
+ }
+
+X509 *ssl_get_server_send_cert(const SSL *s)
+ {
+ CERT_PKEY *cpk;
+ cpk = ssl_get_server_send_pkey(s);
+ if (!cpk)
+ return NULL;
+ return cpk->x509;
}
EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
@@ -2642,7 +2650,7 @@
return("TLSv1.2");
else if (version == TLS1_1_VERSION)
return("TLSv1.1");
- if (version == TLS1_VERSION)
+ else if (version == TLS1_VERSION)
return("TLSv1");
else if (version == SSL3_VERSION)
return("SSLv3");
@@ -2837,7 +2845,9 @@
/* Fix this function so that it takes an optional type parameter */
X509 *SSL_get_certificate(const SSL *s)
{
- if (s->cert != NULL)
+ if (s->server)
+ return(ssl_get_server_send_cert(s));
+ else if (s->cert != NULL)
return(s->cert->key->x509);
else
return(NULL);
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 9ca3b4a..5f21726 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -841,7 +841,8 @@
int ssl_undefined_function(SSL *s);
int ssl_undefined_void_function(void);
int ssl_undefined_const_function(const SSL *s);
-X509 *ssl_get_server_send_cert(SSL *);
+CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
+X509 *ssl_get_server_send_cert(const SSL *);
EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
@@ -1101,7 +1102,8 @@
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
int ssl_prepare_clienthello_tlsext(SSL *s);
int ssl_prepare_serverhello_tlsext(SSL *s);
-int ssl_check_clienthello_tlsext(SSL *s);
+int ssl_check_clienthello_tlsext_early(SSL *s);
+int ssl_check_clienthello_tlsext_late(SSL *s);
int ssl_check_serverhello_tlsext(SSL *s);
#ifndef OPENSSL_NO_HEARTBEATS
@@ -1149,7 +1151,7 @@
/* s3_cbc.c */
void ssl3_cbc_copy_mac(unsigned char* out,
const SSL3_RECORD *rec,
- unsigned md_size);
+ unsigned md_size,unsigned orig_len);
int ssl3_cbc_remove_padding(const SSL* s,
SSL3_RECORD *rec,
unsigned block_size,
@@ -1171,4 +1173,8 @@
unsigned mac_secret_length,
char is_sslv3);
+void tls_fips_digest_extra(
+ const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
+ const unsigned char *data, size_t data_len, size_t orig_len);
+
#endif
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index c43f3e2..82f55b6 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -746,7 +746,7 @@
ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
- in=BIO_new(BIO_s_file_internal());
+ in = BIO_new(BIO_s_file_internal());
if (in == NULL)
{
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
@@ -759,14 +759,16 @@
goto end;
}
- x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
+ x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,
+ ctx->default_passwd_callback_userdata);
if (x == NULL)
{
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
goto end;
}
- ret=SSL_CTX_use_certificate(ctx,x);
+ ret = SSL_CTX_use_certificate(ctx, x);
+
if (ERR_peek_error() != 0)
ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
if (ret)
@@ -778,13 +780,15 @@
int r;
unsigned long err;
- if (ctx->extra_certs != NULL)
+ if (ctx->extra_certs != NULL)
{
sk_X509_pop_free(ctx->extra_certs, X509_free);
ctx->extra_certs = NULL;
}
- while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata))
+ while ((ca = PEM_read_bio_X509(in, NULL,
+ ctx->default_passwd_callback,
+ ctx->default_passwd_callback_userdata))
!= NULL)
{
r = SSL_CTX_add_extra_chain_cert(ctx, ca);
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 02ce4ec..91169bb 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -544,8 +544,8 @@
int comp = 0;
#ifndef OPENSSL_NO_COMP
COMP_METHOD *cm = NULL;
-#endif
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
+#endif
int test_cipherlist = 0;
#ifdef OPENSSL_FIPS
int fips_mode=0;
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 643e3e6..809ad2e 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -361,7 +361,7 @@
{
int i;
for (i=0; i<s->s3->tmp.key_block_length; i++)
- printf("%02x", key_block[i]); printf("\n");
+ printf("%02x", s->s3->tmp.key_block[i]); printf("\n");
}
#endif /* KSSL_DEBUG */
@@ -949,7 +949,7 @@
SSL3_RECORD *rec;
unsigned char *seq;
EVP_MD_CTX *hash;
- size_t md_size;
+ size_t md_size, orig_len;
int i;
EVP_MD_CTX hmac, *mac_ctx;
unsigned char header[13];
@@ -996,6 +996,10 @@
else
memcpy(header, seq, 8);
+ /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */
+ orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
+ rec->type &= 0xff;
+
header[8]=rec->type;
header[9]=(unsigned char)(ssl->version>>8);
header[10]=(unsigned char)(ssl->version);
@@ -1014,7 +1018,7 @@
mac_ctx,
md, &md_size,
header, rec->input,
- rec->length + md_size, rec->orig_len,
+ rec->length + md_size, orig_len,
ssl->s3->read_mac_secret,
ssl->s3->read_mac_secret_size,
0 /* not SSLv3 */);
@@ -1025,6 +1029,13 @@
EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
OPENSSL_assert(t > 0);
+#ifdef OPENSSL_FIPS
+ if (!send && FIPS_mode())
+ tls_fips_digest_extra(
+ ssl->enc_read_ctx,
+ mac_ctx, rec->input,
+ rec->length, orig_len);
+#endif
}
if (!stream_mac)
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 9972b1a..90a88ce 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1097,7 +1097,8 @@
int ellipticcurvelist_length = (*(sdata++) << 8);
ellipticcurvelist_length += (*(sdata++));
- if (ellipticcurvelist_length != size - 2)
+ if (ellipticcurvelist_length != size - 2 ||
+ ellipticcurvelist_length < 1)
{
*al = TLS1_AD_DECODE_ERROR;
return 0;
@@ -1456,7 +1457,8 @@
unsigned char *sdata = data;
int ecpointformatlist_length = *(sdata++);
- if (ecpointformatlist_length != size - 1)
+ if (ecpointformatlist_length != size - 1 ||
+ ecpointformatlist_length < 1)
{
*al = TLS1_AD_DECODE_ERROR;
return 0;
@@ -1789,7 +1791,7 @@
return 1;
}
-int ssl_check_clienthello_tlsext(SSL *s)
+int ssl_check_clienthello_tlsext_early(SSL *s)
{
int ret=SSL_TLSEXT_ERR_NOACK;
int al = SSL_AD_UNRECOGNIZED_NAME;
@@ -1808,42 +1810,12 @@
else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
- /* If status request then ask callback what to do.
- * Note: this must be called after servername callbacks in case
- * the certificate has changed.
- */
- if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
- {
- int r;
- r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
- switch (r)
- {
- /* We don't want to send a status request response */
- case SSL_TLSEXT_ERR_NOACK:
- s->tlsext_status_expected = 0;
- break;
- /* status request response should be sent */
- case SSL_TLSEXT_ERR_OK:
- if (s->tlsext_ocsp_resp)
- s->tlsext_status_expected = 1;
- else
- s->tlsext_status_expected = 0;
- break;
- /* something bad happened */
- case SSL_TLSEXT_ERR_ALERT_FATAL:
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- al = SSL_AD_INTERNAL_ERROR;
- goto err;
- }
- }
- else
- s->tlsext_status_expected = 0;
-
#ifdef TLSEXT_TYPE_opaque_prf_input
{
/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
* but we might be sending an alert in response to the client hello,
- * so this has to happen here in ssl_check_clienthello_tlsext(). */
+ * so this has to happen here in
+ * ssl_check_clienthello_tlsext_early(). */
int r = 1;
@@ -1895,8 +1867,8 @@
}
}
-#endif
err:
+#endif
switch (ret)
{
case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1914,6 +1886,71 @@
}
}
+int ssl_check_clienthello_tlsext_late(SSL *s)
+ {
+ int ret = SSL_TLSEXT_ERR_OK;
+ int al;
+
+ /* If status request then ask callback what to do.
+ * Note: this must be called after servername callbacks in case
+ * the certificate has changed, and must be called after the cipher
+ * has been chosen because this may influence which certificate is sent
+ */
+ if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
+ {
+ int r;
+ CERT_PKEY *certpkey;
+ certpkey = ssl_get_server_send_pkey(s);
+ /* If no certificate can't return certificate status */
+ if (certpkey == NULL)
+ {
+ s->tlsext_status_expected = 0;
+ return 1;
+ }
+ /* Set current certificate to one we will use so
+ * SSL_get_certificate et al can pick it up.
+ */
+ s->cert->key = certpkey;
+ r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+ switch (r)
+ {
+ /* We don't want to send a status request response */
+ case SSL_TLSEXT_ERR_NOACK:
+ s->tlsext_status_expected = 0;
+ break;
+ /* status request response should be sent */
+ case SSL_TLSEXT_ERR_OK:
+ if (s->tlsext_ocsp_resp)
+ s->tlsext_status_expected = 1;
+ else
+ s->tlsext_status_expected = 0;
+ break;
+ /* something bad happened */
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ al = SSL_AD_INTERNAL_ERROR;
+ goto err;
+ }
+ }
+ else
+ s->tlsext_status_expected = 0;
+
+ err:
+ switch (ret)
+ {
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
+ return -1;
+
+ case SSL_TLSEXT_ERR_ALERT_WARNING:
+ ssl3_send_alert(s,SSL3_AL_WARNING,al);
+ return 1;
+
+ default:
+ return 1;
+ }
+ }
+
int ssl_check_serverhello_tlsext(SSL *s)
{
int ret=SSL_TLSEXT_ERR_NOACK;
@@ -2440,7 +2477,7 @@
*/
#ifndef OPENSSL_NO_DSA
if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
- c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
+ c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
#endif
#ifndef OPENSSL_NO_RSA
if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
@@ -2451,7 +2488,7 @@
#endif
#ifndef OPENSSL_NO_ECDSA
if (!c->pkeys[SSL_PKEY_ECC].digest)
- c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
+ c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
#endif
return 1;
}
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index 8512c4d..2315a7c 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -242,7 +242,8 @@
(s->srp_ctx.v == NULL))
return SSL3_AL_FATAL;
- RAND_bytes(b, sizeof(b));
+ if (RAND_bytes(b, sizeof(b)) <= 0)
+ return SSL3_AL_FATAL;
s->srp_ctx.b = BN_bin2bn(b,sizeof(b),NULL);
OPENSSL_cleanse(b,sizeof(b));