[Midnightbsd-cvs] src [7389] vendor-crypto/openssl/dist: openssl 1.0.1q
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Sat Dec 5 12:55:33 EST 2015
Revision: 7389
http://svnweb.midnightbsd.org/src/?rev=7389
Author: laffer1
Date: 2015-12-05 12:55:33 -0500 (Sat, 05 Dec 2015)
Log Message:
-----------
openssl 1.0.1q
Modified Paths:
--------------
vendor-crypto/openssl/dist/CHANGES
vendor-crypto/openssl/dist/Configure
vendor-crypto/openssl/dist/FAQ
vendor-crypto/openssl/dist/Makefile
vendor-crypto/openssl/dist/Makefile.bak
vendor-crypto/openssl/dist/Makefile.org
vendor-crypto/openssl/dist/NEWS
vendor-crypto/openssl/dist/README
vendor-crypto/openssl/dist/apps/Makefile
vendor-crypto/openssl/dist/apps/apps.c
vendor-crypto/openssl/dist/apps/asn1pars.c
vendor-crypto/openssl/dist/apps/ca.c
vendor-crypto/openssl/dist/apps/ecparam.c
vendor-crypto/openssl/dist/apps/engine.c
vendor-crypto/openssl/dist/apps/md4.c
vendor-crypto/openssl/dist/apps/ocsp.c
vendor-crypto/openssl/dist/apps/pkcs12.c
vendor-crypto/openssl/dist/apps/s_client.c
vendor-crypto/openssl/dist/apps/s_server.c
vendor-crypto/openssl/dist/crypto/aes/asm/aes-586.pl
vendor-crypto/openssl/dist/crypto/aes/asm/aesni-x86.pl
vendor-crypto/openssl/dist/crypto/asn1/asn1_par.c
vendor-crypto/openssl/dist/crypto/asn1/d2i_pr.c
vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c
vendor-crypto/openssl/dist/crypto/asn1/x_bignum.c
vendor-crypto/openssl/dist/crypto/asn1/x_pubkey.c
vendor-crypto/openssl/dist/crypto/asn1/x_x509.c
vendor-crypto/openssl/dist/crypto/bio/b_dump.c
vendor-crypto/openssl/dist/crypto/bio/bio.h
vendor-crypto/openssl/dist/crypto/bio/bss_file.c
vendor-crypto/openssl/dist/crypto/bn/asm/armv4-gf2m.pl
vendor-crypto/openssl/dist/crypto/bn/asm/ia64.S
vendor-crypto/openssl/dist/crypto/bn/asm/s390x-gf2m.pl
vendor-crypto/openssl/dist/crypto/bn/asm/x86-gf2m.pl
vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c
vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gf2m.pl
vendor-crypto/openssl/dist/crypto/bn/bn_exp.c
vendor-crypto/openssl/dist/crypto/bn/bn_gcd.c
vendor-crypto/openssl/dist/crypto/bn/bn_gf2m.c
vendor-crypto/openssl/dist/crypto/bn/bn_mont.c
vendor-crypto/openssl/dist/crypto/bn/bn_recp.c
vendor-crypto/openssl/dist/crypto/bn/bn_x931p.c
vendor-crypto/openssl/dist/crypto/bn/bntest.c
vendor-crypto/openssl/dist/crypto/buffer/buf_str.c
vendor-crypto/openssl/dist/crypto/buffer/buffer.h
vendor-crypto/openssl/dist/crypto/cms/cms_enc.c
vendor-crypto/openssl/dist/crypto/cms/cms_pwri.c
vendor-crypto/openssl/dist/crypto/cms/cms_smime.c
vendor-crypto/openssl/dist/crypto/comp/c_zlib.c
vendor-crypto/openssl/dist/crypto/conf/conf_def.c
vendor-crypto/openssl/dist/crypto/conf/conf_sap.c
vendor-crypto/openssl/dist/crypto/cryptlib.c
vendor-crypto/openssl/dist/crypto/dsa/dsa_ameth.c
vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c
vendor-crypto/openssl/dist/crypto/ec/ec.h
vendor-crypto/openssl/dist/crypto/ec/ec_asn1.c
vendor-crypto/openssl/dist/crypto/ec/ec_key.c
vendor-crypto/openssl/dist/crypto/engine/eng_cryptodev.c
vendor-crypto/openssl/dist/crypto/engine/eng_list.c
vendor-crypto/openssl/dist/crypto/evp/e_aes.c
vendor-crypto/openssl/dist/crypto/evp/e_des3.c
vendor-crypto/openssl/dist/crypto/evp/encode.c
vendor-crypto/openssl/dist/crypto/evp/evp_key.c
vendor-crypto/openssl/dist/crypto/evp/evp_lib.c
vendor-crypto/openssl/dist/crypto/evp/evp_pbe.c
vendor-crypto/openssl/dist/crypto/evp/p_lib.c
vendor-crypto/openssl/dist/crypto/evp/pmeth_gn.c
vendor-crypto/openssl/dist/crypto/hmac/hm_ameth.c
vendor-crypto/openssl/dist/crypto/jpake/jpake.c
vendor-crypto/openssl/dist/crypto/mem_clr.c
vendor-crypto/openssl/dist/crypto/modes/asm/ghash-armv4.pl
vendor-crypto/openssl/dist/crypto/modes/asm/ghash-x86.pl
vendor-crypto/openssl/dist/crypto/ocsp/ocsp_lib.c
vendor-crypto/openssl/dist/crypto/ocsp/ocsp_prn.c
vendor-crypto/openssl/dist/crypto/opensslconf.h
vendor-crypto/openssl/dist/crypto/opensslconf.h.in
vendor-crypto/openssl/dist/crypto/opensslv.h
vendor-crypto/openssl/dist/crypto/pem/pem_info.c
vendor-crypto/openssl/dist/crypto/pem/pvkfmt.c
vendor-crypto/openssl/dist/crypto/pkcs12/p12_add.c
vendor-crypto/openssl/dist/crypto/pkcs12/p12_crpt.c
vendor-crypto/openssl/dist/crypto/pkcs12/p12_kiss.c
vendor-crypto/openssl/dist/crypto/pkcs12/p12_mutl.c
vendor-crypto/openssl/dist/crypto/pkcs7/pk7_doit.c
vendor-crypto/openssl/dist/crypto/rc4/asm/rc4-x86_64.pl
vendor-crypto/openssl/dist/crypto/rsa/rsa_ameth.c
vendor-crypto/openssl/dist/crypto/rsa/rsa_gen.c
vendor-crypto/openssl/dist/crypto/rsa/rsa_sign.c
vendor-crypto/openssl/dist/crypto/rsa/rsa_test.c
vendor-crypto/openssl/dist/crypto/sha/asm/sha1-586.pl
vendor-crypto/openssl/dist/crypto/sha/asm/sha256-586.pl
vendor-crypto/openssl/dist/crypto/sha/asm/sha512-586.pl
vendor-crypto/openssl/dist/crypto/sha/asm/sha512-parisc.pl
vendor-crypto/openssl/dist/crypto/sparccpuid.S
vendor-crypto/openssl/dist/crypto/srp/srp_vfy.c
vendor-crypto/openssl/dist/crypto/threads/mttest.c
vendor-crypto/openssl/dist/crypto/threads/pthread2.sh
vendor-crypto/openssl/dist/crypto/ts/ts_rsp_verify.c
vendor-crypto/openssl/dist/crypto/whrlpool/asm/wp-mmx.pl
vendor-crypto/openssl/dist/crypto/x509/Makefile
vendor-crypto/openssl/dist/crypto/x509/x509_cmp.c
vendor-crypto/openssl/dist/crypto/x509/x509_lu.c
vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c
vendor-crypto/openssl/dist/crypto/x509v3/v3_cpols.c
vendor-crypto/openssl/dist/crypto/x509v3/v3_ncons.c
vendor-crypto/openssl/dist/crypto/x509v3/v3_pci.c
vendor-crypto/openssl/dist/crypto/x509v3/v3_pcia.c
vendor-crypto/openssl/dist/demos/easy_tls/README
vendor-crypto/openssl/dist/demos/engines/zencod/hw_zencod.c
vendor-crypto/openssl/dist/doc/apps/ciphers.pod
vendor-crypto/openssl/dist/doc/apps/dgst.pod
vendor-crypto/openssl/dist/doc/apps/genrsa.pod
vendor-crypto/openssl/dist/doc/apps/req.pod
vendor-crypto/openssl/dist/doc/apps/x509.pod
vendor-crypto/openssl/dist/doc/crypto/BIO_read.pod
vendor-crypto/openssl/dist/doc/crypto/BN_rand.pod
vendor-crypto/openssl/dist/doc/crypto/DSA_generate_parameters.pod
vendor-crypto/openssl/dist/doc/crypto/EVP_DigestVerifyInit.pod
vendor-crypto/openssl/dist/doc/crypto/EVP_SignInit.pod
vendor-crypto/openssl/dist/doc/crypto/X509_NAME_get_index_by_NID.pod
vendor-crypto/openssl/dist/doc/crypto/X509_STORE_CTX_new.pod
vendor-crypto/openssl/dist/doc/crypto/X509_verify_cert.pod
vendor-crypto/openssl/dist/doc/crypto/buffer.pod
vendor-crypto/openssl/dist/doc/crypto/d2i_X509_NAME.pod
vendor-crypto/openssl/dist/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
vendor-crypto/openssl/dist/e_os.h
vendor-crypto/openssl/dist/engines/e_chil.c
vendor-crypto/openssl/dist/openssl.spec
vendor-crypto/openssl/dist/ssl/Makefile
vendor-crypto/openssl/dist/ssl/bio_ssl.c
vendor-crypto/openssl/dist/ssl/d1_both.c
vendor-crypto/openssl/dist/ssl/d1_clnt.c
vendor-crypto/openssl/dist/ssl/d1_srvr.c
vendor-crypto/openssl/dist/ssl/s23_clnt.c
vendor-crypto/openssl/dist/ssl/s3_cbc.c
vendor-crypto/openssl/dist/ssl/s3_clnt.c
vendor-crypto/openssl/dist/ssl/s3_enc.c
vendor-crypto/openssl/dist/ssl/s3_lib.c
vendor-crypto/openssl/dist/ssl/s3_srvr.c
vendor-crypto/openssl/dist/ssl/ssl.h
vendor-crypto/openssl/dist/ssl/ssl3.h
vendor-crypto/openssl/dist/ssl/ssl_asn1.c
vendor-crypto/openssl/dist/ssl/ssl_cert.c
vendor-crypto/openssl/dist/ssl/ssl_ciph.c
vendor-crypto/openssl/dist/ssl/ssl_err.c
vendor-crypto/openssl/dist/ssl/ssl_lib.c
vendor-crypto/openssl/dist/ssl/ssl_locl.h
vendor-crypto/openssl/dist/ssl/ssl_rsa.c
vendor-crypto/openssl/dist/ssl/ssl_sess.c
vendor-crypto/openssl/dist/ssl/ssltest.c
vendor-crypto/openssl/dist/ssl/t1_enc.c
vendor-crypto/openssl/dist/ssl/t1_lib.c
vendor-crypto/openssl/dist/ssl/tls1.h
vendor-crypto/openssl/dist/test/Makefile
vendor-crypto/openssl/dist/test/bftest.c
vendor-crypto/openssl/dist/test/bntest.c
vendor-crypto/openssl/dist/test/casttest.c
vendor-crypto/openssl/dist/test/constant_time_test.c
vendor-crypto/openssl/dist/test/destest.c
vendor-crypto/openssl/dist/test/dhtest.c
vendor-crypto/openssl/dist/test/dsatest.c
vendor-crypto/openssl/dist/test/ecdhtest.c
vendor-crypto/openssl/dist/test/ecdsatest.c
vendor-crypto/openssl/dist/test/ectest.c
vendor-crypto/openssl/dist/test/enginetest.c
vendor-crypto/openssl/dist/test/evp_extra_test.c
vendor-crypto/openssl/dist/test/evp_test.c
vendor-crypto/openssl/dist/test/exptest.c
vendor-crypto/openssl/dist/test/heartbeat_test.c
vendor-crypto/openssl/dist/test/hmactest.c
vendor-crypto/openssl/dist/test/ideatest.c
vendor-crypto/openssl/dist/test/jpaketest.c
vendor-crypto/openssl/dist/test/md2test.c
vendor-crypto/openssl/dist/test/md4test.c
vendor-crypto/openssl/dist/test/md5test.c
vendor-crypto/openssl/dist/test/mdc2test.c
vendor-crypto/openssl/dist/test/randtest.c
vendor-crypto/openssl/dist/test/rc2test.c
vendor-crypto/openssl/dist/test/rc4test.c
vendor-crypto/openssl/dist/test/rc5test.c
vendor-crypto/openssl/dist/test/rmdtest.c
vendor-crypto/openssl/dist/test/rsa_test.c
vendor-crypto/openssl/dist/test/sha1test.c
vendor-crypto/openssl/dist/test/sha256t.c
vendor-crypto/openssl/dist/test/sha512t.c
vendor-crypto/openssl/dist/test/shatest.c
vendor-crypto/openssl/dist/test/srptest.c
vendor-crypto/openssl/dist/test/ssltest.c
vendor-crypto/openssl/dist/test/testssl
vendor-crypto/openssl/dist/test/wp_test.c
vendor-crypto/openssl/dist/util/indent.pro
vendor-crypto/openssl/dist/util/mk1mf.pl
vendor-crypto/openssl/dist/util/mkstack.pl
vendor-crypto/openssl/dist/util/pl/VC-32.pl
vendor-crypto/openssl/dist/util/selftest.pl
Added Paths:
-----------
vendor-crypto/openssl/dist/CONTRIBUTING
vendor-crypto/openssl/dist/appveyor.yml
vendor-crypto/openssl/dist/crypto/x509/verify_extra_test.c
vendor-crypto/openssl/dist/doc/dir-locals.example.el
vendor-crypto/openssl/dist/doc/openssl-c-indent.el
vendor-crypto/openssl/dist/ssl/clienthellotest.c
vendor-crypto/openssl/dist/test/certs/
vendor-crypto/openssl/dist/test/certs/bad.key
vendor-crypto/openssl/dist/test/certs/bad.pem
vendor-crypto/openssl/dist/test/certs/interCA.key
vendor-crypto/openssl/dist/test/certs/interCA.pem
vendor-crypto/openssl/dist/test/certs/leaf.key
vendor-crypto/openssl/dist/test/certs/leaf.pem
vendor-crypto/openssl/dist/test/certs/rootCA.key
vendor-crypto/openssl/dist/test/certs/rootCA.pem
vendor-crypto/openssl/dist/test/certs/roots.pem
vendor-crypto/openssl/dist/test/certs/subinterCA-ss.pem
vendor-crypto/openssl/dist/test/certs/subinterCA.key
vendor-crypto/openssl/dist/test/certs/subinterCA.pem
vendor-crypto/openssl/dist/test/certs/untrusted.pem
vendor-crypto/openssl/dist/test/clienthellotest.c
vendor-crypto/openssl/dist/test/verify_extra_test.c
vendor-crypto/openssl/dist/util/mkrc.pl
vendor-crypto/openssl/dist/util/toutf8.sh
Removed Paths:
-------------
vendor-crypto/openssl/dist/crypto/des/t/test
vendor-crypto/openssl/dist/include/
vendor-crypto/openssl/dist/perl/
Modified: vendor-crypto/openssl/dist/CHANGES
===================================================================
--- vendor-crypto/openssl/dist/CHANGES 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/CHANGES 2015-12-05 17:55:33 UTC (rev 7389)
@@ -2,8 +2,71 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
+
+ *) Certificate verify crash with missing PSS parameter
+
+ The signature verification routines will crash with a NULL pointer
+ dereference if presented with an ASN.1 signature using the RSA PSS
+ algorithm and absent mask generation function parameter. Since these
+ routines are used to verify certificate signature algorithms this can be
+ used to crash any certificate verification operation and exploited in a
+ DoS attack. Any application which performs certificate verification is
+ vulnerable including OpenSSL clients and servers which enable client
+ authentication.
+
+ This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
+ (CVE-2015-3194)
+ [Stephen Henson]
+
+ *) X509_ATTRIBUTE memory leak
+
+ When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+ memory. This structure is used by the PKCS#7 and CMS routines so any
+ application which reads PKCS#7 or CMS data from untrusted sources is
+ affected. SSL/TLS is not affected.
+
+ This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
+ libFuzzer.
+ (CVE-2015-3195)
+ [Stephen Henson]
+
+ *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
+ This changes the decoding behaviour for some invalid messages,
+ though the change is mostly in the more lenient direction, and
+ legacy behaviour is preserved as much as possible.
+ [Emilia Käsper]
+
+ *) In DSA_generate_parameters_ex, if the provided seed is too short,
+ return an error
+ [Rich Salz and Ismo Puustinen <ismo.puustinen at intel.com>]
+
+ Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
+
+ *) Alternate chains certificate forgery
+
+ During certificate verfification, OpenSSL will attempt to find an
+ alternative certificate chain if the first attempt to build such a chain
+ fails. An error in the implementation of this logic can mean that an
+ attacker could cause certain checks on untrusted certificates to be
+ bypassed, such as the CA flag, enabling them to use a valid leaf
+ certificate to act as a CA and "issue" an invalid certificate.
+
+ This issue was reported to OpenSSL by Adam Langley/David Benjamin
+ (Google/BoringSSL).
+ (CVE-2015-1793)
+ [Matt Caswell]
+
+ *) Race condition handling PSK identify hint
+
+ If PSK identity hints are received by a multi-threaded client then
+ the values are wrongly updated in the parent SSL_CTX structure. This can
+ result in a race condition potentially leading to a double free of the
+ identify hint data.
+ (CVE-2015-3196)
+ [Stephen Henson]
+
Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
-
*) Fix HMAC ABI incompatibility. The previous version introduced an ABI
incompatibility in the handling of HMAC. The previous ABI has now been
restored.
@@ -40,9 +103,9 @@
callbacks.
This issue was reported to OpenSSL by Robert Swiecki (Google), and
- independently by Hanno B\xF6ck.
+ independently by Hanno Böck.
(CVE-2015-1789)
- [Emilia K\xE4sper]
+ [Emilia Käsper]
*) PKCS7 crash with missing EnvelopedContent
@@ -56,7 +119,7 @@
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-1790)
- [Emilia K\xE4sper]
+ [Emilia Käsper]
*) CMS verify infinite loop with unknown hash function
@@ -79,6 +142,9 @@
*) Reject DH handshakes with parameters shorter than 768 bits.
[Kurt Roeckx and Emilia Kasper]
+ *) dhparam: generate 2048-bit parameters by default.
+ [Kurt Roeckx and Emilia Kasper]
+
Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
*) Segmentation fault in ASN1_TYPE_cmp fix
@@ -117,7 +183,7 @@
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-0289)
- [Emilia K\xE4sper]
+ [Emilia Käsper]
*) DoS via reachable assert in SSLv2 servers fix
@@ -125,10 +191,10 @@
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.
- This issue was discovered by Sean Burford (Google) and Emilia K\xE4sper
+ This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team).
(CVE-2015-0293)
- [Emilia K\xE4sper]
+ [Emilia Käsper]
*) Use After Free following d2i_ECPrivatekey error fix
@@ -273,12 +339,12 @@
version does not match the session's version. Resuming with a different
version, while not strictly forbidden by the RFC, is of questionable
sanity and breaks all known clients.
- [David Benjamin, Emilia K\xE4sper]
+ [David Benjamin, Emilia Käsper]
*) Tighten handling of the ChangeCipherSpec (CCS) message: reject
early CCS messages during renegotiation. (Note that because
renegotiation is encrypted, this early CCS was not exploitable.)
- [Emilia K\xE4sper]
+ [Emilia Käsper]
*) Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
@@ -289,7 +355,7 @@
Similarly, ensure that the client requires a session ticket if one
was advertised in the ServerHello. Previously, a TLS client would
ignore a missing NewSessionTicket message.
- [Emilia K\xE4sper]
+ [Emilia Käsper]
Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
@@ -369,10 +435,10 @@
with a null pointer dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake messages.
- Thanks to Felix Gr\xF6bert (Google) for discovering and researching this
+ Thanks to Felix Gröbert (Google) for discovering and researching this
issue.
(CVE-2014-3510)
- [Emilia K\xE4sper]
+ [Emilia Käsper]
*) By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
@@ -409,7 +475,7 @@
properly negotiated with the client. This can be exploited through a
Denial of Service attack.
- Thanks to Joonas Kuorilehto and Riku Hietam\xE4ki (Codenomicon) for
+ Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
discovering and researching this issue.
(CVE-2014-5139)
[Steve Henson]
@@ -421,7 +487,7 @@
Thanks to Ivan Fratric (Google) for discovering this issue.
(CVE-2014-3508)
- [Emilia K\xE4sper, and Steve Henson]
+ [Emilia Käsper, and Steve Henson]
*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
for corner cases. (Certain input points at infinity could lead to
@@ -451,15 +517,15 @@
client or server. This is potentially exploitable to run arbitrary
code on a vulnerable client or server.
- Thanks to J\xFCri Aedla for reporting this issue. (CVE-2014-0195)
- [J\xFCri Aedla, Steve Henson]
+ Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+ [Jüri Aedla, Steve Henson]
*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
are subject to a denial of service attack.
- Thanks to Felix Gr\xF6bert and Ivan Fratric at Google for discovering
+ Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
this issue. (CVE-2014-3470)
- [Felix Gr\xF6bert, Ivan Fratric, Steve Henson]
+ [Felix Gröbert, Ivan Fratric, Steve Henson]
*) Harmonize version and its documentation. -f flag is used to display
compilation flags.
@@ -538,9 +604,9 @@
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
- Emilia K\xE4sper for the initial patch.
+ Emilia Käsper for the initial patch.
(CVE-2013-0169)
- [Emilia K\xE4sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
*) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
ciphersuites which can be exploited in a denial of service attack.
@@ -715,7 +781,7 @@
EC_GROUP_new_by_curve_name() will automatically use these (while
EC_GROUP_new_curve_GFp() currently prefers the more flexible
implementations).
- [Emilia K\xE4sper, Adam Langley, Bodo Moeller (Google)]
+ [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
*) Use type ossl_ssize_t instad of ssize_t which isn't available on
all platforms. Move ssize_t definition from e_os.h to the public
@@ -991,7 +1057,7 @@
[Adam Langley (Google)]
*) Fix spurious failures in ecdsatest.c.
- [Emilia K\xE4sper (Google)]
+ [Emilia Käsper (Google)]
*) Fix the BIO_f_buffer() implementation (which was mixing different
interpretations of the '..._len' fields).
@@ -1005,7 +1071,7 @@
lock to call BN_BLINDING_invert_ex, and avoids one use of
BN_BLINDING_update for each BN_BLINDING structure (previously,
the last update always remained unused).
- [Emilia K\xE4sper (Google)]
+ [Emilia Käsper (Google)]
*) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
[Bob Buckholz (Google)]
@@ -1814,7 +1880,7 @@
*) Add RFC 3161 compliant time stamp request creation, response generation
and response verification functionality.
- [Zolt\xE1n Gl\xF3zik <zglozik at opentsa.org>, The OpenTSA Project]
+ [Zoltán Glózik <zglozik at opentsa.org>, The OpenTSA Project]
*) Add initial support for TLS extensions, specifically for the server_name
extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
@@ -2982,7 +3048,7 @@
*) BN_CTX_get() should return zero-valued bignums, providing the same
initialised value as BN_new().
- [Geoff Thorpe, suggested by Ulf M\xF6ller]
+ [Geoff Thorpe, suggested by Ulf Möller]
*) Support for inhibitAnyPolicy certificate extension.
[Steve Henson]
@@ -3001,7 +3067,7 @@
some point, these tighter rules will become openssl's default to improve
maintainability, though the assert()s and other overheads will remain only
in debugging configurations. See bn.h for more details.
- [Geoff Thorpe, Nils Larsch, Ulf M\xF6ller]
+ [Geoff Thorpe, Nils Larsch, Ulf Möller]
*) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
that can only be obtained through BN_CTX_new() (which implicitly
@@ -3068,7 +3134,7 @@
[Douglas Stebila (Sun Microsystems Laboratories)]
*) Add the possibility to load symbols globally with DSO.
- [G\xF6tz Babin-Ebell <babin-ebell at trustcenter.de> via Richard Levitte]
+ [Götz Babin-Ebell <babin-ebell at trustcenter.de> via Richard Levitte]
*) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
control of the error stack.
@@ -3783,7 +3849,7 @@
[Steve Henson]
*) Undo Cygwin change.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Added support for proxy certificates according to RFC 3820.
Because they may be a security thread to unaware applications,
@@ -3816,11 +3882,11 @@
[Stephen Henson, reported by UK NISCC]
*) Use Windows randomness collection on Cygwin.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Fix hang in EGD/PRNGD query when communication socket is closed
prematurely by EGD/PRNGD.
- [Darren Tucker <dtucker at zip.com.au> via Lutz J\xE4nicke, resolves #1014]
+ [Darren Tucker <dtucker at zip.com.au> via Lutz Jänicke, resolves #1014]
*) Prompt for pass phrases when appropriate for PKCS12 input format.
[Steve Henson]
@@ -4282,7 +4348,7 @@
pointers passed to them whenever necessary. Otherwise it is possible
the caller may have overwritten (or deallocated) the original string
data when a later ENGINE operation tries to use the stored values.
- [G\xF6tz Babin-Ebell <babinebell at trustcenter.de>]
+ [Götz Babin-Ebell <babinebell at trustcenter.de>]
*) Improve diagnostics in file reading and command-line digests.
[Ben Laurie aided and abetted by Solar Designer <solar at openwall.com>]
@@ -6387,7 +6453,7 @@
[Bodo Moeller]
*) BN_sqr() bug fix.
- [Ulf M\xF6ller, reported by Jim Ellis <jim.ellis at cavium.com>]
+ [Ulf Möller, reported by Jim Ellis <jim.ellis at cavium.com>]
*) Rabin-Miller test analyses assume uniformly distributed witnesses,
so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
@@ -6547,7 +6613,7 @@
[Bodo Moeller]
*) Fix OAEP check.
- [Ulf M\xF6ller, Bodo M\xF6ller]
+ [Ulf Möller, Bodo Möller]
*) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
@@ -6809,10 +6875,10 @@
[Bodo Moeller]
*) Use better test patterns in bntest.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) rand_win.c fix for Borland C.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) BN_rshift bugfix for n == 0.
[Bodo Moeller]
@@ -6957,7 +7023,7 @@
*) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
BIO_ctrl (for BIO pairs).
- [Bodo M\xF6ller]
+ [Bodo Möller]
*) Add DSO method for VMS.
[Richard Levitte]
@@ -6964,7 +7030,7 @@
*) Bug fix: Montgomery multiplication could produce results with the
wrong sign.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Add RPM specification openssl.spec and modify it to build three
packages. The default package contains applications, application
@@ -6982,7 +7048,7 @@
*) Don't set the two most significant bits to one when generating a
random number < q in the DSA library.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default
behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
@@ -7248,7 +7314,7 @@
*) Randomness polling function for Win9x, as described in:
Peter Gutmann, Software Generation of Practically Strong
Random Numbers.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Fix so PRNG is seeded in req if using an already existing
DSA key.
@@ -7468,7 +7534,7 @@
[Steve Henson]
*) Eliminate non-ANSI declarations in crypto.h and stack.h.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Fix for SSL server purpose checking. Server checking was
rejecting certificates which had extended key usage present
@@ -7500,7 +7566,7 @@
[Bodo Moeller]
*) Bugfix for linux-elf makefile.one.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) RSA_get_default_method() will now cause a default
RSA_METHOD to be chosen if one doesn't exist already.
@@ -7589,7 +7655,7 @@
[Steve Henson]
*) des_quad_cksum() byte order bug fix.
- [Ulf M\xF6ller, using the problem description in krb4-0.9.7, where
+ [Ulf Möller, using the problem description in krb4-0.9.7, where
the solution is attributed to Derrick J Brashear <shadow at DEMENTIA.ORG>]
*) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
@@ -7690,7 +7756,7 @@
[Rolf Haberrecker <rolf at suse.de>]
*) Assembler module support for Mingw32.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Shared library support for HPUX (in shlib/).
[Lutz Jaenicke <Lutz.Jaenicke at aet.TU-Cottbus.DE> and Anonymous]
@@ -7709,7 +7775,7 @@
*) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
case was implemented. This caused BN_div_recp() to fail occasionally.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Add an optional second argument to the set_label() in the perl
assembly language builder. If this argument exists and is set
@@ -7739,7 +7805,7 @@
[Steve Henson]
*) Fix potential buffer overrun problem in BIO_printf().
- [Ulf M\xF6ller, using public domain code by Patrick Powell; problem
+ [Ulf Möller, using public domain code by Patrick Powell; problem
pointed out by David Sacerdote <das33 at cornell.edu>]
*) Support EGD <http://www.lothar.com/tech/crypto/>. New functions
@@ -7746,7 +7812,7 @@
RAND_egd() and RAND_status(). In the command line application,
the EGD socket can be specified like a seed file using RANDFILE
or -rand.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
Some CAs (e.g. Verisign) distribute certificates in this form.
@@ -7779,7 +7845,7 @@
#define OPENSSL_ALGORITHM_DEFINES
#include <openssl/opensslconf.h>
defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
- [Richard Levitte, Ulf and Bodo M\xF6ller]
+ [Richard Levitte, Ulf and Bodo Möller]
*) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
record layer.
@@ -7830,10 +7896,10 @@
*) Bug fix for BN_div_recp() for numerators with an even number of
bits.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) More tests in bntest.c, and changed test_bn output.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) ./config recognizes MacOS X now.
[Andy Polyakov]
@@ -7840,7 +7906,7 @@
*) Bug fix for BN_div() when the first words of num and divsor are
equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Add support for various broken PKCS#8 formats, and command line
options to produce them.
@@ -7848,11 +7914,11 @@
*) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
get temporary BIGNUMs from a BN_CTX.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
for p == 0.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
include a #define from the old name to the new. The original intent
@@ -7876,7 +7942,7 @@
*) Source code cleanups: use const where appropriate, eliminate casts,
use void * instead of char * in lhash.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Bugfix: ssl3_send_server_key_exchange was not restartable
(the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
@@ -7921,13 +7987,13 @@
[Steve Henson]
*) New function BN_pseudo_rand().
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
bignum version of BN_from_montgomery() with the working code from
SSLeay 0.9.0 (the word based version is faster anyway), and clean up
the comments.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Avoid a race condition in s2_clnt.c (function get_server_hello) that
made it impossible to use the same SSL_SESSION data structure in
@@ -7937,7 +8003,7 @@
*) The return value of RAND_load_file() no longer counts bytes obtained
by stat(). RAND_load_file(..., -1) is new and uses the complete file
to seed the PRNG (previously an explicit byte count was required).
- [Ulf M\xF6ller, Bodo M\xF6ller]
+ [Ulf Möller, Bodo Möller]
*) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
used (char *) instead of (void *) and had casts all over the place.
@@ -7944,18 +8010,18 @@
[Steve Henson]
*) Make BN_generate_prime() return NULL on error if ret!=NULL.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Retain source code compatibility for BN_prime_checks macro:
BN_is_prime(..., BN_prime_checks, ...) now uses
BN_prime_checks_for_size to determine the appropriate number of
Rabin-Miller iterations.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
DH_CHECK_P_NOT_SAFE_PRIME.
(Check if this is true? OpenPGP calls them "strong".)
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Merge the functionality of "dh" and "gendh" programs into a new program
"dhparam". The old programs are retained for now but will handle DH keys
@@ -8011,7 +8077,7 @@
*) Add missing #ifndefs that caused missing symbols when building libssl
as a shared library without RSA. Use #ifndef NO_SSL2 instead of
NO_RSA in ssl/s2*.c.
- [Kris Kennaway <kris at hub.freebsd.org>, modified by Ulf M\xF6ller]
+ [Kris Kennaway <kris at hub.freebsd.org>, modified by Ulf Möller]
*) Precautions against using the PRNG uninitialized: RAND_bytes() now
has a return value which indicates the quality of the random data
@@ -8020,7 +8086,7 @@
guaranteed to be unique but not unpredictable. RAND_add is like
RAND_seed, but takes an extra argument for an entropy estimate
(RAND_seed always assumes full entropy).
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Do more iterations of Rabin-Miller probable prime test (specifically,
3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
@@ -8050,7 +8116,7 @@
[Steve Henson]
*) Honor the no-xxx Configure options when creating .DEF files.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Add PKCS#10 attributes to field table: challengePassword,
unstructuredName and unstructuredAddress. These are taken from
@@ -8884,7 +8950,7 @@
*) More DES library cleanups: remove references to srand/rand and
delete an unused file.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Add support for the the free Netwide assembler (NASM) under Win32,
since not many people have MASM (ml) and it can be hard to obtain.
@@ -8973,7 +9039,7 @@
worked.
*) Fix problems with no-hmac etc.
- [Ulf M\xF6ller, pointed out by Brian Wellington <bwelling at tislabs.com>]
+ [Ulf Möller, pointed out by Brian Wellington <bwelling at tislabs.com>]
*) New functions RSA_get_default_method(), RSA_set_method() and
RSA_get_method(). These allows replacement of RSA_METHODs without having
@@ -9090,7 +9156,7 @@
[Ben Laurie]
*) DES library cleanups.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
@@ -9133,7 +9199,7 @@
[Christian Forster <fo at hawo.stw.uni-erlangen.de>]
*) config now generates no-xxx options for missing ciphers.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Support the EBCDIC character set (work in progress).
File ebcdic.c not yet included because it has a different license.
@@ -9246,7 +9312,7 @@
[Bodo Moeller]
*) Move openssl.cnf out of lib/.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
-Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
@@ -9303,10 +9369,10 @@
[Ben Laurie]
*) Support Borland C++ builder.
- [Janez Jere <jj at void.si>, modified by Ulf M\xF6ller]
+ [Janez Jere <jj at void.si>, modified by Ulf Möller]
*) Support Mingw32.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) SHA-1 cleanups and performance enhancements.
[Andy Polyakov <appro at fy.chalmers.se>]
@@ -9315,7 +9381,7 @@
[Andy Polyakov <appro at fy.chalmers.se>]
*) Accept any -xxx and +xxx compiler options in Configure.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Update HPUX configuration.
[Anonymous]
@@ -9348,7 +9414,7 @@
[Bodo Moeller]
*) OAEP decoding bug fix.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Support INSTALL_PREFIX for package builders, as proposed by
David Harris.
@@ -9371,7 +9437,7 @@
[Niels Poppe <niels at netbox.org>]
*) New Configure option no-<cipher> (rsa, idea, rc5, ...).
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
extension adding in x509 utility.
@@ -9378,7 +9444,7 @@
[Steve Henson]
*) Remove NOPROTO sections and error code comments.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Partial rewrite of the DEF file generator to now parse the ANSI
prototypes.
@@ -9385,7 +9451,7 @@
[Steve Henson]
*) New Configure options --prefix=DIR and --openssldir=DIR.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Complete rewrite of the error code script(s). It is all now handled
by one script at the top level which handles error code gathering,
@@ -9414,7 +9480,7 @@
[Steve Henson]
*) Move the autogenerated header file parts to crypto/opensslconf.h.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
8 of keying material. Merlin has also confirmed interop with this fix
@@ -9432,13 +9498,13 @@
[Andy Polyakov <appro at fy.chalmers.se>]
*) Change functions to ANSI C.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Fix typos in error codes.
- [Martin Kraemer <Martin.Kraemer at MchP.Siemens.De>, Ulf M\xF6ller]
+ [Martin Kraemer <Martin.Kraemer at MchP.Siemens.De>, Ulf Möller]
*) Remove defunct assembler files from Configure.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) SPARC v8 assembler BIGNUM implementation.
[Andy Polyakov <appro at fy.chalmers.se>]
@@ -9475,7 +9541,7 @@
[Steve Henson]
*) New Configure option "rsaref".
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Don't auto-generate pem.h.
[Bodo Moeller]
@@ -9523,7 +9589,7 @@
*) New functions DSA_do_sign and DSA_do_verify to provide access to
the raw DSA values prior to ASN.1 encoding.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Tweaks to Configure
[Niels Poppe <niels at netbox.org>]
@@ -9533,11 +9599,11 @@
[Steve Henson]
*) New variables $(RANLIB) and $(PERL) in the Makefiles.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) New config option to avoid instructions that are illegal on the 80386.
The default code is faster, but requires at least a 486.
- [Ulf M\xF6ller]
+ [Ulf Möller]
*) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
SSL2_SERVER_VERSION (not used at all) macros, which are now the
@@ -10076,7 +10142,7 @@
Hagino <itojun at kame.net>]
*) File was opened incorrectly in randfile.c.
- [Ulf M\xF6ller <ulf at fitug.de>]
+ [Ulf Möller <ulf at fitug.de>]
*) Beginning of support for GeneralizedTime. d2i, i2d, check and print
functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
@@ -10086,7 +10152,7 @@
[Steve Henson]
*) Correct Linux 1 recognition in config.
- [Ulf M\xF6ller <ulf at fitug.de>]
+ [Ulf Möller <ulf at fitug.de>]
*) Remove pointless MD5 hash when using DSA keys in ca.
[Anonymous <nobody at replay.com>]
@@ -10233,7 +10299,7 @@
*) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
was already fixed by Eric for 0.9.1 it seems.
- [Ben Laurie - pointed out by Ulf M\xF6ller <ulf at fitug.de>]
+ [Ben Laurie - pointed out by Ulf Möller <ulf at fitug.de>]
*) Autodetect FreeBSD3.
[Ben Laurie]
Added: vendor-crypto/openssl/dist/CONTRIBUTING
===================================================================
--- vendor-crypto/openssl/dist/CONTRIBUTING (rev 0)
+++ vendor-crypto/openssl/dist/CONTRIBUTING 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,38 @@
+HOW TO CONTRIBUTE TO OpenSSL
+----------------------------
+
+Development is coordinated on the openssl-dev mailing list (see
+http://www.openssl.org for information on subscribing). If you
+would like to submit a patch, send it to rt at openssl.org with
+the string "[PATCH]" in the subject. Please be sure to include a
+textual explanation of what your patch does.
+
+You can also make GitHub pull requests. If you do this, please also send
+mail to rt at openssl.org with a brief description and a link to the PR so
+that we can more easily keep track of it.
+
+If you are unsure as to whether a feature will be useful for the general
+OpenSSL community please discuss it on the openssl-dev mailing list first.
+Someone may be already working on the same thing or there may be a good
+reason as to why that feature isn't implemented.
+
+Patches should be as up to date as possible, preferably relative to the
+current Git or the last snapshot. They should follow our coding style
+(see https://www.openssl.org/policies/codingstyle.html) and compile without
+warnings using the --strict-warnings flag. OpenSSL compiles on many varied
+platforms: try to ensure you only use portable features.
+
+Our preferred format for patch files is "git format-patch" output. For example
+to provide a patch file containing the last commit in your local git repository
+use the following command:
+
+# git format-patch --stdout HEAD^ >mydiffs.patch
+
+Another method of creating an acceptable patch file without using git is as
+follows:
+
+# cd openssl-work
+# [your changes]
+# ./Configure dist; make clean
+# cd ..
+# diff -ur openssl-orig openssl-work > mydiffs.patch
Modified: vendor-crypto/openssl/dist/Configure
===================================================================
--- vendor-crypto/openssl/dist/Configure 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/Configure 2015-12-05 17:55:33 UTC (rev 7389)
@@ -105,6 +105,8 @@
my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
+my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments";
+
my $strict_warnings = 0;
my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
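Review bot: `$clang_devteam_warn` is added without a comment, and its role differs from `$gcc_devteam_warn` on the line above it. Every entry is a suppression (`-Wno-...`) or `-Qunused-arguments`, and the `--strict-warnings` hunk later in this file appends it on top of the gcc list rather than replacing it. Because the gcc list carries `-Werror`, each suppression here decides which diagnostics can no longer fail a strict build. I would add `# Suppressions appended after $gcc_devteam_warn when the compiler is clang; keep this list minimal.` above the declaration.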
@@ -197,6 +199,7 @@
"debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"debug-linux-x86_64-clang","clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"dist", "cc:-O::(unknown)::::::",
# Basic configs that should work on any (32 and less bit) box
@@ -361,6 +364,7 @@
"linux-ia64-ecc","ecc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-x86_64-clang","clang: -m64 -DL_ENDIAN -O3 -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
#### So called "highgprs" target for z/Architecture CPUs
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
@@ -1574,12 +1578,21 @@
if ($strict_warnings)
{
+ my $ecc = $cc;
+ $ecc = "clang" if `$cc --version 2>&1` =~ /clang/;
my $wopt;
- die "ERROR --strict-warnings requires gcc" unless ($cc =~ /gcc$/);
+ die "ERROR --strict-warnings requires gcc or clang" unless ($ecc =~ /gcc$/ or $ecc =~ /clang$/);
foreach $wopt (split /\s+/, $gcc_devteam_warn)
{
- $cflags .= " $wopt" unless ($cflags =~ /$wopt/)
+ $cflags .= " $wopt" unless ($cflags =~ /(^|\s)$wopt(\s|$)/)
}
+ if ($ecc eq "clang")
+ {
+ foreach $wopt (split /\s+/, $clang_devteam_warn)
+ {
+ $cflags .= " $wopt" unless ($cflags =~ /(^|\s)$wopt(\s|$)/)
+ }
+ }
}
open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
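Review bot: The backtick probe `$cc --version 2>&1` interpolates `$cc` into a shell command line, and where `$cc` is assigned is outside this hunk. If it can come from the environment or the Configure command line, any shell metacharacters in it are interpreted before the gcc/clang check runs. Validating it first keeps the probe to a plain command, for example `die "ERROR unexpected characters in compiler command\n" unless $cc =~ m{\A[\w./+ -]+\z};`. Both membership tests also interpolate `$wopt` into a regex unescaped. The current option lists contain no metacharacters, but `/(^|\s)\Q$wopt\E(\s|$)/` keeps the match literal if a later option contains `+` or `.`.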
Modified: vendor-crypto/openssl/dist/FAQ
===================================================================
--- vendor-crypto/openssl/dist/FAQ 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/FAQ 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1,1039 +1,2 @@
-OpenSSL - Frequently Asked Questions
---------------------------------------
-
-[MISC] Miscellaneous questions
-
-* Which is the current version of OpenSSL?
-* Where is the documentation?
-* How can I contact the OpenSSL developers?
-* Where can I get a compiled version of OpenSSL?
-* Why aren't tools like 'autoconf' and 'libtool' used?
-* What is an 'engine' version?
-* How do I check the authenticity of the OpenSSL distribution?
-* How does the versioning scheme work?
-
-[LEGAL] Legal questions
-
-* Do I need patent licenses to use OpenSSL?
-* Can I use OpenSSL with GPL software?
-
-[USER] Questions on using the OpenSSL applications
-
-* Why do I get a "PRNG not seeded" error message?
-* Why do I get an "unable to write 'random state'" error message?
-* How do I create certificates or certificate requests?
-* Why can't I create certificate requests?
-* Why does <SSL program> fail with a certificate verify error?
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-* How can I create DSA certificates?
-* Why can't I make an SSL connection using a DSA certificate?
-* How can I remove the passphrase on a private key?
-* Why can't I use OpenSSL certificates with SSL client authentication?
-* Why does my browser give a warning about a mismatched hostname?
-* How do I install a CA certificate into a browser?
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-* Why does OpenSSL set the authority key identifier extension incorrectly?
-* How can I set up a bundle of commercial root CA certificates?
-
-[BUILD] Questions about building and testing OpenSSL
-
-* Why does the linker complain about undefined symbols?
-* Why does the OpenSSL test fail with "bc: command not found"?
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-* Why does the OpenSSL test fail with "bc: stack empty"?
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-* What is special about OpenSSL on Redhat?
-* Why does the OpenSSL compilation fail on MacOS X?
-* Why does the OpenSSL test suite fail on MacOS X?
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-* Why does compiler fail to compile sha512.c?
-* Test suite still fails, what to do?
-* I think I've found a bug, what should I do?
-* I'm SURE I've found a bug, how do I report it?
-* I've found a security issue, how do I report it?
-
-[PROG] Questions about programming with OpenSSL
-
-* Is OpenSSL thread-safe?
-* I've compiled a program under Windows and it crashes: why?
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-* I've called <some function> and it fails, why?
-* I just get a load of numbers for the error output, what do they mean?
-* Why do I get errors about unknown algorithms?
-* Why can't the OpenSSH configure script detect OpenSSL?
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-* Why doesn't my server application receive a client certificate?
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-* I think I've detected a memory leak, is this a bug?
-* Why does Valgrind complain about the use of uninitialized data?
-* Why doesn't a memory BIO work when a file does?
-* Where are the declarations and implementations of d2i_X509() etc?
-
-===============================================================================
-
-[MISC] ========================================================================
-
-* Which is the current version of OpenSSL?
-
-The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1e was released on Feb 11th, 2013.
-
-In addition to the current stable release, you can also access daily
-snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
-
-
-* Where is the documentation?
-
-OpenSSL is a library that provides cryptographic functionality to
-applications such as secure web servers. Be sure to read the
-documentation of the application you want to use. The INSTALL file
-explains how to install this library.
-
-OpenSSL includes a command line utility that can be used to perform a
-variety of cryptographic functions. It is described in the openssl(1)
-manpage. Documentation for developers is currently being written. Many
-manual pages are available; overviews over libcrypto and
-libssl are given in the crypto(3) and ssl(3) manpages.
-
-The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
-different directory if you specified one as described in INSTALL).
-In addition, you can read the most current versions at
-<URL: http://www.openssl.org/docs/>. Note that the online documents refer
-to the very latest development versions of OpenSSL and may include features
-not present in released versions. If in doubt refer to the documentation
-that came with the version of OpenSSL you are using. The pod format
-documentation is included in each OpenSSL distribution under the docs
-directory.
-
-There is some documentation about certificate extensions and PKCS#12
-in doc/openssl.txt
-
-The original SSLeay documentation is included in OpenSSL as
-doc/ssleay.txt. It may be useful when none of the other resources
-help, but please note that it reflects the obsolete version SSLeay
-0.6.6.
-
-
-* How can I contact the OpenSSL developers?
-
-The README file describes how to submit bug reports and patches to
-OpenSSL. Information on the OpenSSL mailing lists is available from
-<URL: http://www.openssl.org>.
-
-
-* Where can I get a compiled version of OpenSSL?
-
-You can finder pointers to binary distributions in
-<URL: http://www.openssl.org/related/binaries.html> .
-
-Some applications that use OpenSSL are distributed in binary form.
-When using such an application, you don't need to install OpenSSL
-yourself; the application will include the required parts (e.g. DLLs).
-
-If you want to build OpenSSL on a Windows system and you don't have
-a C compiler, read the "Mingw32" section of INSTALL.W32 for information
-on how to obtain and install the free GNU C compiler.
-
-A number of Linux and *BSD distributions include OpenSSL.
-
-
-* Why aren't tools like 'autoconf' and 'libtool' used?
-
-autoconf will probably be used in future OpenSSL versions. If it was
-less Unix-centric, it might have been used much earlier.
-
-* What is an 'engine' version?
-
-With version 0.9.6 OpenSSL was extended to interface to external crypto
-hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 the changes were merged into the main development line,
-so that the special release is no longer necessary.
-
-* How do I check the authenticity of the OpenSSL distribution?
-
-We provide MD5 digests and ASC signatures of each tarball.
-Use MD5 to check that a tarball from a mirror site is identical:
-
- md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
-
-You can check authenticity using pgp or gpg. You need the OpenSSL team
-member public key used to sign it (download it from a key server, see a
-list of keys at <URL: http://www.openssl.org/about/>). Then
-just do:
-
- pgp TARBALL.asc
-
-* How does the versioning scheme work?
-
-After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter
-releases (e.g. 1.0.1a) can only contain bug and security fixes and no
-new features. Minor releases change the last number (e.g. 1.0.2) and
-can contain new features that retain binary compatibility. Changes to
-the middle number are considered major releases and neither source nor
-binary compatibility is guaranteed.
-
-Therefore the answer to the common question "when will feature X be
-backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
-in the next minor release.
-
-[LEGAL] =======================================================================
-
-* Do I need patent licenses to use OpenSSL?
-
-The patents section of the README file lists patents that may apply to
-you if you want to use OpenSSL. For information on intellectual
-property rights, please consult a lawyer. The OpenSSL team does not
-offer legal advice.
-
-You can configure OpenSSL so as not to use IDEA, MDC2 and RC5 by using
- ./config no-idea no-mdc2 no-rc5
-
-
-* Can I use OpenSSL with GPL software?
-
-On many systems including the major Linux and BSD distributions, yes (the
-GPL does not place restrictions on using libraries that are part of the
-normal operating system distribution).
-
-On other systems, the situation is less clear. Some GPL software copyright
-holders claim that you infringe on their rights if you use OpenSSL with
-their software on operating systems that don't normally include OpenSSL.
-
-If you develop open source software that uses OpenSSL, you may find it
-useful to choose an other license than the GPL, or state explicitly that
-"This program is released under the GPL with the additional exemption that
-compiling, linking, and/or using OpenSSL is allowed." If you are using
-GPL software developed by others, you may want to ask the copyright holder
-for permission to use their software with OpenSSL.
-
-
-[USER] ========================================================================
-
-* Why do I get a "PRNG not seeded" error message?
-
-Cryptographic software needs a source of unpredictable data to work
-correctly. Many open source operating systems provide a "randomness
-device" (/dev/urandom or /dev/random) that serves this purpose.
-All OpenSSL versions try to use /dev/urandom by default; starting with
-version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
-available.
-
-On other systems, applications have to call the RAND_add() or
-RAND_seed() function with appropriate data before generating keys or
-performing public key encryption. (These functions initialize the
-pseudo-random number generator, PRNG.) Some broken applications do
-not do this. As of version 0.9.5, the OpenSSL functions that need
-randomness report an error if the random number generator has not been
-seeded with at least 128 bits of randomness. If this error occurs and
-is not discussed in the documentation of the application you are
-using, please contact the author of that application; it is likely
-that it never worked correctly. OpenSSL 0.9.5 and later make the
-error visible by refusing to perform potentially insecure encryption.
-
-If you are using Solaris 8, you can add /dev/urandom and /dev/random
-devices by installing patch 112438 (Sparc) or 112439 (x86), which are
-available via the Patchfinder at <URL: http://sunsolve.sun.com>
-(Solaris 9 includes these devices by default). For /dev/random support
-for earlier Solaris versions, see Sun's statement at
-<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
-(the SUNWski package is available in patch 105710).
-
-On systems without /dev/urandom and /dev/random, it is a good idea to
-use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
-details. Starting with version 0.9.7, OpenSSL will automatically look
-for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and
-/etc/entropy.
-
-Most components of the openssl command line utility automatically try
-to seed the random number generator from a file. The name of the
-default seeding file is determined as follows: If environment variable
-RANDFILE is set, then it names the seeding file. Otherwise if
-environment variable HOME is set, then the seeding file is $HOME/.rnd.
-If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
-use file .rnd in the current directory while OpenSSL 0.9.6a uses no
-default seeding file at all. OpenSSL 0.9.6b and later will behave
-similarly to 0.9.6a, but will use a default of "C:\" for HOME on
-Windows systems if the environment variable has not been set.
-
-If the default seeding file does not exist or is too short, the "PRNG
-not seeded" error message may occur.
-
-The openssl command line utility will write back a new state to the
-default seeding file (and create this file if necessary) unless
-there was no sufficient seeding.
-
-Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work.
-Use the "-rand" option of the OpenSSL command line tools instead.
-The $RANDFILE environment variable and $HOME/.rnd are only used by the
-OpenSSL command line tools. Applications using the OpenSSL library
-provide their own configuration options to specify the entropy source,
-please check out the documentation coming the with application.
-
-
-* Why do I get an "unable to write 'random state'" error message?
-
-
-Sometimes the openssl command line utility does not abort with
-a "PRNG not seeded" error message, but complains that it is
-"unable to write 'random state'". This message refers to the
-default seeding file (see previous answer). A possible reason
-is that no default filename is known because neither RANDFILE
-nor HOME is set. (Versions up to 0.9.6 used file ".rnd" in the
-current directory in this case, but this has changed with 0.9.6a.)
-
-
-* How do I create certificates or certificate requests?
-
-Check out the CA.pl(1) manual page. This provides a simple wrapper round
-the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
-out the manual pages for the individual utilities and the certificate
-extensions documentation (in ca(1), req(1), x509v3_config(5) )
-
-
-* Why can't I create certificate requests?
-
-You typically get the error:
-
- unable to find 'distinguished_name' in config
- problems making Certificate Request
-
-This is because it can't find the configuration file. Check out the
-DIAGNOSTICS section of req(1) for more information.
-
-
-* Why does <SSL program> fail with a certificate verify error?
-
-This problem is usually indicated by log messages saying something like
-"unable to get local issuer certificate" or "self signed certificate".
-When a certificate is verified its root CA must be "trusted" by OpenSSL
-this typically means that the CA certificate must be placed in a directory
-or file and the relevant program configured to read it. The OpenSSL program
-'verify' behaves in a similar way and issues similar error messages: check
-the verify(1) program manual page for more information.
-
-
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-
-This is almost certainly because you are using an old "export grade" browser
-which only supports weak encryption. Upgrade your browser to support 128 bit
-ciphers.
-
-
-* How can I create DSA certificates?
-
-Check the CA.pl(1) manual page for a DSA certificate example.
-
-
-* Why can't I make an SSL connection to a server using a DSA certificate?
-
-Typically you'll see a message saying there are no shared ciphers when
-the same setup works fine with an RSA certificate. There are two possible
-causes. The client may not support connections to DSA servers most web
-browsers (including Netscape and MSIE) only support connections to servers
-supporting RSA cipher suites. The other cause is that a set of DH parameters
-has not been supplied to the server. DH parameters can be created with the
-dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example:
-check the source to s_server in apps/s_server.c for an example.
-
-
-* How can I remove the passphrase on a private key?
-
-Firstly you should be really *really* sure you want to do this. Leaving
-a private key unencrypted is a major security risk. If you decide that
-you do have to do this check the EXAMPLES sections of the rsa(1) and
-dsa(1) manual pages.
-
-
-* Why can't I use OpenSSL certificates with SSL client authentication?
-
-What will typically happen is that when a server requests authentication
-it will either not include your certificate or tell you that you have
-no client certificates (Netscape) or present you with an empty list box
-(MSIE). The reason for this is that when a server requests a client
-certificate it includes a list of CAs names which it will accept. Browsers
-will only let you select certificates from the list on the grounds that
-there is little point presenting a certificate which the server will
-reject.
-
-The solution is to add the relevant CA certificate to your servers "trusted
-CA list". How you do this depends on the server software in uses. You can
-print out the servers list of acceptable CAs using the OpenSSL s_client tool:
-
-openssl s_client -connect www.some.host:443 -prexit
-
-If your server only requests certificates on certain URLs then you may need
-to manually issue an HTTP GET command to get the list when s_client connects:
-
-GET /some/page/needing/a/certificate.html
-
-If your CA does not appear in the list then this confirms the problem.
-
-
-* Why does my browser give a warning about a mismatched hostname?
-
-Browsers expect the server's hostname to match the value in the commonName
-(CN) field of the certificate. If it does not then you get a warning.
-
-
-* How do I install a CA certificate into a browser?
-
-The usual way is to send the DER encoded certificate to the browser as
-MIME type application/x-x509-ca-cert, for example by clicking on an appropriate
-link. On MSIE certain extensions such as .der or .cacert may also work, or you
-can import the certificate using the certificate import wizard.
-
-You can convert a certificate to DER form using the command:
-
-openssl x509 -in ca.pem -outform DER -out ca.der
-
-Occasionally someone suggests using a command such as:
-
-openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
-
-DO NOT DO THIS! This command will give away your CAs private key and
-reduces its security to zero: allowing anyone to forge certificates in
-whatever name they choose.
-
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-
-The ways to print out the oneline format of the DN (Distinguished Name) have
-been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
-interface, the "-nameopt" option could be introduded. See the manual
-page of the "openssl x509" commandline tool for details. The old behaviour
-has however been left as default for the sake of compatibility.
-
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-
-The term "128 bit certificate" is a highly misleading marketing term. It does
-*not* refer to the size of the public key in the certificate! A certificate
-containing a 128 bit RSA key would have negligible security.
-
-There were various other names such as "magic certificates", "SGC
-certificates", "step up certificates" etc.
-
-You can't generally create such a certificate using OpenSSL but there is no
-need to any more. Nowadays web browsers using unrestricted strong encryption
-are generally available.
-
-When there were tight restrictions on the export of strong encryption
-software from the US only weak encryption algorithms could be freely exported
-(initially 40 bit and then 56 bit). It was widely recognised that this was
-inadequate. A relaxation of the rules allowed the use of strong encryption but
-only to an authorised server.
-
-Two slighly different techniques were developed to support this, one used by
-Netscape was called "step up", the other used by MSIE was called "Server Gated
-Cryptography" (SGC). When a browser initially connected to a server it would
-check to see if the certificate contained certain extensions and was issued by
-an authorised authority. If these test succeeded it would reconnect using
-strong encryption.
-
-Only certain (initially one) certificate authorities could issue the
-certificates and they generally cost more than ordinary certificates.
-
-Although OpenSSL can create certificates containing the appropriate extensions
-the certificate would not come from a permitted authority and so would not
-be recognized.
-
-The export laws were later changed to allow almost unrestricted use of strong
-encryption so these certificates are now obsolete.
-
-
-* Why does OpenSSL set the authority key identifier (AKID) extension incorrectly?
-
-It doesn't: this extension is often the cause of confusion.
-
-Consider a certificate chain A->B->C so that A signs B and B signs C. Suppose
-certificate C contains AKID.
-
-The purpose of this extension is to identify the authority certificate B. This
-can be done either by including the subject key identifier of B or its issuer
-name and serial number.
-
-In this latter case because it is identifying certifcate B it must contain the
-issuer name and serial number of B.
-
-It is often wrongly assumed that it should contain the subject name of B. If it
-did this would be redundant information because it would duplicate the issuer
-name of C.
-
-
-* How can I set up a bundle of commercial root CA certificates?
-
-The OpenSSL software is shipped without any root CA certificate as the
-OpenSSL project does not have any policy on including or excluding
-any specific CA and does not intend to set up such a policy. Deciding
-about which CAs to support is up to application developers or
-administrators.
-
-Other projects do have other policies so you can for example extract the CA
-bundle used by Mozilla and/or modssl as described in this article:
-
- <URL: http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html>
-
-
-[BUILD] =======================================================================
-
-* Why does the linker complain about undefined symbols?
-
-Maybe the compilation was interrupted, and make doesn't notice that
-something is missing. Run "make clean; make".
-
-If you used ./Configure instead of ./config, make sure that you
-selected the right target. File formats may differ slightly between
-OS versions (for example sparcv8/sparcv9, or a.out/elf).
-
-In case you get errors about the following symbols, use the config
-option "no-asm", as described in INSTALL:
-
- BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,
- CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,
- RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,
- bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,
- bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,
- des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,
- des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order
-
-If none of these helps, you may want to try using the current snapshot.
-If the problem persists, please submit a bug report.
-
-
-* Why does the OpenSSL test fail with "bc: command not found"?
-
-You didn't install "bc", the Unix calculator. If you want to run the
-tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor.
-
-
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-
-On some SCO installations or versions, bc has a bug that gets triggered
-when you run the test suite (using "make test"). The message returned is
-"bc: 1 not implemented".
-
-The best way to deal with this is to find another implementation of bc
-and compile/install it. GNU bc (see <URL: http://www.gnu.org/software/software.html>
-for download instructions) can be safely used, for example.
-
-
-* Why does the OpenSSL test fail with "bc: stack empty"?
-
-On some DG/ux versions, bc seems to have a too small stack for calculations
-that the OpenSSL bntest throws at it. This gets triggered when you run the
-test suite (using "make test"). The message returned is "bc: stack empty".
-
-The best way to deal with this is to find another implementation of bc
-and compile/install it. GNU bc (see <URL: http://www.gnu.org/software/software.html>
-for download instructions) can be safely used, for example.
-
-
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-
-On some Alpha installations running Tru64 Unix and Compaq C, the compilation
-of crypto/sha/sha_dgst.c fails with the message 'Fatal: Insufficient virtual
-memory to continue compilation.' As far as the tests have shown, this may be
-a compiler bug. What happens is that it eats up a lot of resident memory
-to build something, probably a table. The problem is clearly in the
-optimization code, because if one eliminates optimization completely (-O0),
-the compilation goes through (and the compiler consumes about 2MB of resident
-memory instead of 240MB or whatever one's limit is currently).
-
-There are three options to solve this problem:
-
-1. set your current data segment size soft limit higher. Experience shows
-that about 241000 kbytes seems to be enough on an AlphaServer DS10. You do
-this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of
-kbytes to set the limit to.
-
-2. If you have a hard limit that is lower than what you need and you can't
-get it changed, you can compile all of OpenSSL with -O0 as optimization
-level. This is however not a very nice thing to do for those who expect to
-get the best result from OpenSSL. A bit more complicated solution is the
-following:
-
------ snip:start -----
- make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
- sed -e 's/ -O[0-9] / -O0 /'`"
- rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
- make
------ snip:end -----
-
-This will only compile sha_dgst.c with -O0, the rest with the optimization
-level chosen by the configuration process. When the above is done, do the
-test and installation and you're set.
-
-3. Reconfigure the toolkit with no-sha0 option to leave out SHA0. It
-should not be used and is not used in SSL/TLS nor any other recognized
-protocol in either case.
-
-
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-
-Getting this message is quite usual on Solaris 2, because Sun has hidden
-away 'ar' and other development commands in directories that aren't in
-$PATH by default. One of those directories is '/usr/ccs/bin'. The
-quickest way to fix this is to do the following (it assumes you use sh
-or any sh-compatible shell):
-
------ snip:start -----
- PATH=${PATH}:/usr/ccs/bin; export PATH
------ snip:end -----
-
-and then redo the compilation. What you should really do is make sure
-'/usr/ccs/bin' is permanently in your $PATH, for example through your
-'.profile' (again, assuming you use a sh-compatible shell).
-
-
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-
-Sometimes, you may get reports from VC++ command line (cl) that it
-can't find standard include files like stdio.h and other weirdnesses.
-One possible cause is that the environment isn't correctly set up.
-To solve that problem for VC++ versions up to 6, one should run
-VCVARS32.BAT which is found in the 'bin' subdirectory of the VC++
-installation directory (somewhere under 'Program Files'). For VC++
-version 7 (and up?), which is also called VS.NET, the file is called
-VSVARS32.BAT instead.
-This needs to be done prior to running NMAKE, and the changes are only
-valid for the current DOS session.
-
-
-* What is special about OpenSSL on Redhat?
-
-Red Hat Linux (release 7.0 and later) include a preinstalled limited
-version of OpenSSL. For patent reasons, support for IDEA, RC5 and MDC2
-is disabled in this version. The same may apply to other Linux distributions.
-Users may therefore wish to install more or all of the features left out.
-
-To do this you MUST ensure that you do not overwrite the openssl that is in
-/usr/bin on your Red Hat machine. Several packages depend on this file,
-including sendmail and ssh. /usr/local/bin is a good alternative choice. The
-libraries that come with Red Hat 7.0 onwards have different names and so are
-not affected. (eg For Red Hat 7.2 they are /lib/libssl.so.0.9.6b and
-/lib/libcrypto.so.0.9.6b with symlinks /lib/libssl.so.2 and
-/lib/libcrypto.so.2 respectively).
-
-Please note that we have been advised by Red Hat attempting to recompile the
-openssl rpm with all the cryptography enabled will not work. All other
-packages depend on the original Red Hat supplied openssl package. It is also
-worth noting that due to the way Red Hat supplies its packages, updates to
-openssl on each distribution never change the package version, only the
-build number. For example, on Red Hat 7.1, the latest openssl package has
-version number 0.9.6 and build number 9 even though it contains all the
-relevant updates in packages up to and including 0.9.6b.
-
-A possible way around this is to persuade Red Hat to produce a non-US
-version of Red Hat Linux.
-
-FYI: Patent numbers and expiry dates of US patents:
-MDC-2: 4,908,861 13/03/2007
-IDEA: 5,214,703 25/05/2010
-RC5: 5,724,428 03/03/2015
-
-
-* Why does the OpenSSL compilation fail on MacOS X?
-
-If the failure happens when trying to build the "openssl" binary, with
-a large number of undefined symbols, it's very probable that you have
-OpenSSL 0.9.6b delivered with the operating system (you can find out by
-running '/usr/bin/openssl version') and that you were trying to build
-OpenSSL 0.9.7 or newer. The problem is that the loader ('ld') in
-MacOS X has a misfeature that's quite difficult to go around.
-Look in the file PROBLEMS for a more detailed explanation and for possible
-solutions.
-
-
-* Why does the OpenSSL test suite fail on MacOS X?
-
-If the failure happens when running 'make test' and the RC4 test fails,
-it's very probable that you have OpenSSL 0.9.6b delivered with the
-operating system (you can find out by running '/usr/bin/openssl version')
-and that you were trying to build OpenSSL 0.9.6d. The problem is that
-the loader ('ld') in MacOS X has a misfeature that's quite difficult to
-go around and has linked the programs "openssl" and the test programs
-with /usr/lib/libcrypto.dylib and /usr/lib/libssl.dylib instead of the
-libraries you just built.
-Look in the file PROBLEMS for a more detailed explanation and for possible
-solutions.
-
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-
-Failure in BN_sqr test is most likely caused by a failure to configure the
-toolkit for current platform or lack of support for the platform in question.
-Run './config -t' and './apps/openssl version -p'. Do these platform
-identifiers match? If they don't, then you most likely failed to run
-./config and you're hereby advised to do so before filing a bug report.
-If ./config itself fails to run, then it's most likely problem with your
-local environment and you should turn to your system administrator (or
-similar). If identifiers match (and/or no alternative identifier is
-suggested by ./config script), then the platform is unsupported. There might
-or might not be a workaround. Most notably on SPARC64 platforms with GNU
-C compiler you should be able to produce a working build by running
-'./config -m32'. I understand that -m32 might not be what you want/need,
-but the build should be operational. For further details turn to
-<openssl-dev at openssl.org>.
-
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-
-As of 0.9.7 assembler routines were overhauled for position independence
-of the machine code, which is essential for shared library support. For
-some reason OpenBSD is equipped with an out-of-date GNU assembler which
-finds the new code offensive. To work around the problem, configure with
-no-asm (and sacrifice a great deal of performance) or patch your assembler
-according to <URL: http://www.openssl.org/~appro/gas-1.92.3.OpenBSD.patch>.
-For your convenience a pre-compiled replacement binary is provided at
-<URL: http://www.openssl.org/~appro/gas-1.92.3.static.aout.bin>.
-Reportedly elder *BSD a.out platforms also suffer from this problem and
-remedy should be same. Provided binary is statically linked and should be
-working across wider range of *BSD branches, not just OpenBSD.
-
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-
-If the test program in question fails withs SIGILL, Illegal Instruction
-exception, then you more than likely to run SSE2-capable CPU, such as
-Intel P4, under control of kernel which does not support SSE2
-instruction extentions. See accompanying INSTALL file and
-OPENSSL_ia32cap(3) documentation page for further information.
-
-* Why does compiler fail to compile sha512.c?
-
-OpenSSL SHA-512 implementation depends on compiler support for 64-bit
-integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a
-couple] lack support for this and therefore are incapable of compiling
-the module in question. The recommendation is to disable SHA-512 by
-adding no-sha512 to ./config [or ./Configure] command line. Another
-possible alternative might be to switch to GCC.
-
-* Test suite still fails, what to do?
-
-Another common reason for failure to complete some particular test is
-simply bad code generated by a buggy component in toolchain or deficiency
-in run-time environment. There are few cases documented in PROBLEMS file,
-consult it for possible workaround before you beat the drum. Even if you
-don't find solution or even mention there, do reserve for possibility of
-a compiler bug. Compiler bugs might appear in rather bizarre ways, they
-never make sense, and tend to emerge when you least expect them. In order
-to identify one, drop optimization level, e.g. by editing CFLAG line in
-top-level Makefile, recompile and re-run the test.
-
-* I think I've found a bug, what should I do?
-
-If you are a new user then it is quite likely you haven't found a bug and
-something is happening you aren't familiar with. Check this FAQ, the associated
-documentation and the mailing lists for similar queries. If you are still
-unsure whether it is a bug or not submit a query to the openssl-users mailing
-list.
-
-
-* I'm SURE I've found a bug, how do I report it?
-
-Bug reports with no security implications should be sent to the request
-tracker. This can be done by mailing the report to <rt at openssl.org> (or its
-alias <openssl-bugs at openssl.org>), please note that messages sent to the
-request tracker also appear in the public openssl-dev mailing list.
-
-The report should be in plain text. Any patches should be sent as
-plain text attachments because some mailers corrupt patches sent inline.
-If your issue affects multiple versions of OpenSSL check any patches apply
-cleanly and, if possible include patches to each affected version.
-
-The report should be given a meaningful subject line briefly summarising the
-issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful.
-
-By sending reports to the request tracker the bug can then be given a priority
-and assigned to the appropriate maintainer. The history of discussions can be
-accessed and if the issue has been addressed or a reason why not. If patches
-are only sent to openssl-dev they can be mislaid if a team member has to
-wade through months of old messages to review the discussion.
-
-See also <URL: http://www.openssl.org/support/rt.html>
-
-
-* I've found a security issue, how do I report it?
-
-If you think your bug has security implications then please send it to
-openssl-security at openssl.org if you don't get a prompt reply at least
-acknowledging receipt then resend or mail it directly to one of the
-more active team members (e.g. Steve).
-
-Note that bugs only present in the openssl utility are not in general
-considered to be security issues.
-
-[PROG] ========================================================================
-
-* Is OpenSSL thread-safe?
-
-Yes (with limitations: an SSL connection may not concurrently be used
-by multiple threads). On Windows and many Unix systems, OpenSSL
-automatically uses the multi-threaded versions of the standard
-libraries. If your platform is not one of these, consult the INSTALL
-file.
-
-Multi-threaded applications must provide two callback functions to
-OpenSSL by calling CRYPTO_set_locking_callback() and
-CRYPTO_set_id_callback(), for all versions of OpenSSL up to and
-including 0.9.8[abc...]. As of version 1.0.0, CRYPTO_set_id_callback()
-and associated APIs are deprecated by CRYPTO_THREADID_set_callback()
-and friends. This is described in the threads(3) manpage.
-
-* I've compiled a program under Windows and it crashes: why?
-
-This is usually because you've missed the comment in INSTALL.W32.
-Your application must link against the same version of the Win32
-C-Runtime against which your openssl libraries were linked. The
-default version for OpenSSL is /MD - "Multithreaded DLL".
-
-If you are using Microsoft Visual C++'s IDE (Visual Studio), in
-many cases, your new project most likely defaulted to "Debug
-Singlethreaded" - /ML. This is NOT interchangeable with /MD and your
-program will crash, typically on the first BIO related read or write
-operation.
-
-For each of the six possible link stage configurations within Win32,
-your application must link against the same by which OpenSSL was
-built. If you are using MS Visual C++ (Studio) this can be changed
-by:
-
- 1. Select Settings... from the Project Menu.
- 2. Select the C/C++ Tab.
- 3. Select "Code Generation from the "Category" drop down list box
- 4. Select the Appropriate library (see table below) from the "Use
- run-time library" drop down list box. Perform this step for both
- your debug and release versions of your application (look at the
- top left of the settings panel to change between the two)
-
- Single Threaded /ML - MS VC++ often defaults to
- this for the release
- version of a new project.
- Debug Single Threaded /MLd - MS VC++ often defaults to
- this for the debug version
- of a new project.
- Multithreaded /MT
- Debug Multithreaded /MTd
- Multithreaded DLL /MD - OpenSSL defaults to this.
- Debug Multithreaded DLL /MDd
-
-Note that debug and release libraries are NOT interchangeable. If you
-built OpenSSL with /MD your application must use /MD and cannot use /MDd.
-
-As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
-.DLLs compiled with some specific run-time option [we insist on the
-default /MD] can be deployed with application compiled with different
-option or even different compiler. But there is a catch! Instead of
-re-compiling OpenSSL toolkit, as you would have to with prior versions,
-you have to compile small C snippet with compiler and/or options of
-your choice. The snippet gets installed as
-<install-root>/include/openssl/applink.c and should be either added to
-your application project or simply #include-d in one [and only one]
-of your application source files. Failure to link this shim module
-into your application manifests itself as fatal "no OPENSSL_Applink"
-run-time error. An explicit reminder is due that in this situation
-[mixing compiler options] it is as important to add CRYPTO_malloc_init
-prior first call to OpenSSL.
-
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-
-You have two options. You can either use a memory BIO in conjunction
-with the i2d_*_bio() or d2i_*_bio() functions or you can use the
-i2d_*(), d2i_*() functions directly. Since these are often the
-cause of grief here are some code fragments using PKCS7 as an example:
-
- unsigned char *buf, *p;
- int len;
-
- len = i2d_PKCS7(p7, NULL);
- buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */
- p = buf;
- i2d_PKCS7(p7, &p);
-
-At this point buf contains the len bytes of the DER encoding of
-p7.
-
-The opposite assumes we already have len bytes in buf:
-
- unsigned char *p;
- p = buf;
- p7 = d2i_PKCS7(NULL, &p, len);
-
-At this point p7 contains a valid PKCS7 structure of NULL if an error
-occurred. If an error occurred ERR_print_errors(bio) should give more
-information.
-
-The reason for the temporary variable 'p' is that the ASN1 functions
-increment the passed pointer so it is ready to read or write the next
-structure. This is often a cause of problems: without the temporary
-variable the buffer pointer is changed to point just after the data
-that has been read or written. This may well be uninitialized data
-and attempts to free the buffer will have unpredictable results
-because it no longer points to the same address.
-
-
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-
-The short answer is yes, because DER is a special case of BER and OpenSSL
-ASN1 decoders can process BER.
-
-The longer answer is that ASN1 structures can be encoded in a number of
-different ways. One set of ways is the Basic Encoding Rules (BER) with various
-permissible encodings. A restriction of BER is the Distinguished Encoding
-Rules (DER): these uniquely specify how a given structure is encoded.
-
-Therefore, because DER is a special case of BER, DER is an acceptable encoding
-for BER.
-
-
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-
-This usually happens when you try compiling something using the PKCS#12
-macros with a C++ compiler. There is hardly ever any need to use the
-PKCS#12 macros in a program, it is much easier to parse and create
-PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
-documented in doc/openssl.txt and with examples in demos/pkcs12. The
-'pkcs12' application has to use the macros because it prints out
-debugging information.
-
-
-* I've called <some function> and it fails, why?
-
-Before submitting a report or asking in one of the mailing lists, you
-should try to determine the cause. In particular, you should call
-ERR_print_errors() or ERR_print_errors_fp() after the failed call
-and see if the message helps. Note that the problem may occur earlier
-than you think -- you should check for errors after every call where
-it is possible, otherwise the actual problem may be hidden because
-some OpenSSL functions clear the error state.
-
-
-* I just get a load of numbers for the error output, what do they mean?
-
-The actual format is described in the ERR_print_errors() manual page.
-You should call the function ERR_load_crypto_strings() before hand and
-the message will be output in text form. If you can't do this (for example
-it is a pre-compiled binary) you can use the errstr utility on the error
-code itself (the hex digits after the second colon).
-
-
-* Why do I get errors about unknown algorithms?
-
-The cause is forgetting to load OpenSSL's table of algorithms with
-OpenSSL_add_all_algorithms(). See the manual page for more information. This
-can cause several problems such as being unable to read in an encrypted
-PEM file, unable to decrypt a PKCS#12 file or signature failure when
-verifying certificates.
-
-* Why can't the OpenSSH configure script detect OpenSSL?
-
-Several reasons for problems with the automatic detection exist.
-OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
-Sometimes the distribution has installed an older version in the system
-locations that is detected instead of a new one installed. The OpenSSL
-library might have been compiled for another CPU or another mode (32/64 bits).
-Permissions might be wrong.
-
-The general answer is to check the config.log file generated when running
-the OpenSSH configure script. It should contain the detailed information
-on why the OpenSSL library was not detected or considered incompatible.
-
-
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-
-Yes; make sure to read the SSL_get_error(3) manual page!
-
-A pitfall to avoid: Don't assume that SSL_read() will just read from
-the underlying transport or that SSL_write() will just write to it --
-it is also possible that SSL_write() cannot do any useful work until
-there is data to read, or that SSL_read() cannot do anything until it
-is possible to send data. One reason for this is that the peer may
-request a new TLS/SSL handshake at any time during the protocol,
-requiring a bi-directional message exchange; both SSL_read() and
-SSL_write() will try to continue any pending handshake.
-
-
-* Why doesn't my server application receive a client certificate?
-
-Due to the TLS protocol definition, a client will only send a certificate,
-if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
-SSL_CTX_set_verify() function to enable the use of client certificates.
-
-
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-
-For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
-versions, uniqueIdentifier was incorrectly used for X.509 certificates.
-The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
-Change your code to use the new name when compiling against OpenSSL 0.9.7.
-
-
-* I think I've detected a memory leak, is this a bug?
-
-In most cases the cause of an apparent memory leak is an OpenSSL internal table
-that is allocated when an application starts up. Since such tables do not grow
-in size over time they are harmless.
-
-These internal tables can be freed up when an application closes using various
-functions. Currently these include following:
-
-Thread-local cleanup functions:
-
- ERR_remove_state()
-
-Application-global cleanup functions that are aware of usage (and therefore
-thread-safe):
-
- ENGINE_cleanup() and CONF_modules_unload()
-
-"Brutal" (thread-unsafe) Application-global cleanup functions:
-
- ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
-
-
-* Why does Valgrind complain about the use of uninitialized data?
-
-When OpenSSL's PRNG routines are called to generate random numbers the supplied
-buffer contents are mixed into the entropy pool: so it technically does not
-matter whether the buffer is initialized at this point or not. Valgrind (and
-other test tools) will complain about this. When using Valgrind, make sure the
-OpenSSL library has been compiled with the PURIFY macro defined (-DPURIFY)
-to get rid of these warnings.
-
-
-* Why doesn't a memory BIO work when a file does?
-
-This can occur in several cases for example reading an S/MIME email message.
-The reason is that a memory BIO can do one of two things when all the data
-has been read from it.
-
-The default behaviour is to indicate that no more data is available and that
-the call should be retried, this is to allow the application to fill up the BIO
-again if necessary.
-
-Alternatively it can indicate that no more data is available and that EOF has
-been reached.
-
-If a memory BIO is to behave in the same way as a file this second behaviour
-is needed. This must be done by calling:
-
- BIO_set_mem_eof_return(bio, 0);
-
-See the manual pages for more details.
-
-
-* Where are the declarations and implementations of d2i_X509() etc?
-
-These are defined and implemented by macros of the form:
-
-
- DECLARE_ASN1_FUNCTIONS(X509) and IMPLEMENT_ASN1_FUNCTIONS(X509)
-
-The implementation passes an ASN1 "template" defining the structure into an
-ASN1 interpreter using generalised functions such as ASN1_item_d2i().
-
-
-===============================================================================
+The FAQ is now maintained on the web:
+ https://www.openssl.org/docs/faq.html
Modified: vendor-crypto/openssl/dist/Makefile
===================================================================
--- vendor-crypto/openssl/dist/Makefile 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/Makefile 2015-12-05 17:55:33 UTC (rev 7389)
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.1o
+VERSION=1.0.1q
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
@@ -270,6 +270,7 @@
@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
sub_all: build_all
+
build_all: build_libs build_apps build_tests build_tools
build_libs: build_libcrypto build_libssl openssl.pc
@@ -279,15 +280,15 @@
build_crypto:
@dir=crypto; target=all; $(BUILD_ONE_CMD)
-build_ssl:
+build_ssl: build_crypto
@dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines:
+build_engines: build_crypto
@dir=engines; target=all; $(BUILD_ONE_CMD)
-build_apps:
+build_apps: build_libs
@dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests:
+build_tests: build_libs
@dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools:
+build_tools: build_libs
@dir=tools; target=all; $(BUILD_ONE_CMD)
all_testapps: build_libs build_testapps
@@ -500,25 +501,28 @@
# would occur. Therefore the list of files is temporarily stored into a file
# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
# tar does not support the --files-from option.
-tar:
+TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list \
+ --owner openssl:0 --group openssl:0 \
+ --transform 's|^|openssl-$(VERSION)/|' \
+ -cvf -
+
+../$(TARFILE).list:
+ find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
+ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \
+ \! -name '*test' \! -name '.#*' \! -name '*~' \
+ | sort > ../$(TARFILE).list
+
+tar: ../$(TARFILE).list
find . -type d -print | xargs chmod 755
find . -type f -print | xargs chmod a+r
find . -type f -perm -0100 -print | xargs chmod a+x
- find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
- $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
- tardy --user_number=0 --user_name=openssl \
- --group_number=0 --group_name=openssl \
- --prefix=openssl-$(VERSION) - |\
- gzip --best >../$(TARFILE).gz; \
- rm -f ../$(TARFILE).list; \
+ $(TAR_COMMAND) | gzip --best >../$(TARFILE).gz
+ rm -f ../$(TARFILE).list
ls -l ../$(TARFILE).gz
-tar-snap:
- @$(TAR) $(TARFLAGS) -cvf - \
- `find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
- tardy --user_number=0 --user_name=openssl \
- --group_number=0 --group_name=openssl \
- --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
+tar-snap: ../$(TARFILE).list
+ $(TAR_COMMAND) > ../$(TARFILE)
+ rm -f ../$(TARFILE).list
ls -l ../$(TARFILE)
dist:
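Review bot: The new `../$(TARFILE).list` rule has no prerequisites, so make treats an existing list file as up to date and does not regenerate it; a list left behind by an earlier `tar` or `tar-snap` run (the `rm -f` is its own recipe line and does not run if an earlier line fails or the run is interrupted) would then decide the contents of the next release tarball. Forcing the rule to run every time, for example with `.PHONY: ../$(TARFILE).list`, keeps the archive tied to the current tree. In the `tar` recipe, `$(TAR_COMMAND) | gzip --best >../$(TARFILE).gz` reports only gzip's exit status, so a tar failure can leave a truncated archive that looks like a successful build. The same hunk appears in Makefile.bak and Makefile.org further down; since this is a vendor import, the fix presumably belongs upstream or in a local patch rather than in dist/.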
Modified: vendor-crypto/openssl/dist/Makefile.bak
===================================================================
--- vendor-crypto/openssl/dist/Makefile.bak 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/Makefile.bak 2015-12-05 17:55:33 UTC (rev 7389)
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.1o-dev
+VERSION=1.0.1q-dev
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
@@ -270,6 +270,7 @@
@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
sub_all: build_all
+
build_all: build_libs build_apps build_tests build_tools
build_libs: build_libcrypto build_libssl openssl.pc
@@ -279,15 +280,15 @@
build_crypto:
@dir=crypto; target=all; $(BUILD_ONE_CMD)
-build_ssl:
+build_ssl: build_crypto
@dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines:
+build_engines: build_crypto
@dir=engines; target=all; $(BUILD_ONE_CMD)
-build_apps:
+build_apps: build_libs
@dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests:
+build_tests: build_libs
@dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools:
+build_tools: build_libs
@dir=tools; target=all; $(BUILD_ONE_CMD)
all_testapps: build_libs build_testapps
@@ -500,25 +501,28 @@
# would occur. Therefore the list of files is temporarily stored into a file
# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
# tar does not support the --files-from option.
-tar:
+TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list \
+ --owner openssl:0 --group openssl:0 \
+ --transform 's|^|openssl-$(VERSION)/|' \
+ -cvf -
+
+../$(TARFILE).list:
+ find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
+ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \
+ \! -name '*test' \! -name '.#*' \! -name '*~' \
+ | sort > ../$(TARFILE).list
+
+tar: ../$(TARFILE).list
find . -type d -print | xargs chmod 755
find . -type f -print | xargs chmod a+r
find . -type f -perm -0100 -print | xargs chmod a+x
- find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
- $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
- tardy --user_number=0 --user_name=openssl \
- --group_number=0 --group_name=openssl \
- --prefix=openssl-$(VERSION) - |\
- gzip --best >../$(TARFILE).gz; \
- rm -f ../$(TARFILE).list; \
+ $(TAR_COMMAND) | gzip --best >../$(TARFILE).gz
+ rm -f ../$(TARFILE).list
ls -l ../$(TARFILE).gz
-tar-snap:
- @$(TAR) $(TARFLAGS) -cvf - \
- `find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
- tardy --user_number=0 --user_name=openssl \
- --group_number=0 --group_name=openssl \
- --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
+tar-snap: ../$(TARFILE).list
+ $(TAR_COMMAND) > ../$(TARFILE)
+ rm -f ../$(TARFILE).list
ls -l ../$(TARFILE)
dist:
Modified: vendor-crypto/openssl/dist/Makefile.org
===================================================================
--- vendor-crypto/openssl/dist/Makefile.org 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/Makefile.org 2015-12-05 17:55:33 UTC (rev 7389)
@@ -268,6 +268,7 @@
@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
sub_all: build_all
+
build_all: build_libs build_apps build_tests build_tools
build_libs: build_libcrypto build_libssl openssl.pc
@@ -277,15 +278,15 @@
build_crypto:
@dir=crypto; target=all; $(BUILD_ONE_CMD)
-build_ssl:
+build_ssl: build_crypto
@dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines:
+build_engines: build_crypto
@dir=engines; target=all; $(BUILD_ONE_CMD)
-build_apps:
+build_apps: build_libs
@dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests:
+build_tests: build_libs
@dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools:
+build_tools: build_libs
@dir=tools; target=all; $(BUILD_ONE_CMD)
all_testapps: build_libs build_testapps
@@ -498,25 +499,28 @@
# would occur. Therefore the list of files is temporarily stored into a file
# and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
# tar does not support the --files-from option.
-tar:
+TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list \
+ --owner openssl:0 --group openssl:0 \
+ --transform 's|^|openssl-$(VERSION)/|' \
+ -cvf -
+
+../$(TARFILE).list:
+ find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
+ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \
+ \! -name '*test' \! -name '.#*' \! -name '*~' \
+ | sort > ../$(TARFILE).list
+
+tar: ../$(TARFILE).list
find . -type d -print | xargs chmod 755
find . -type f -print | xargs chmod a+r
find . -type f -perm -0100 -print | xargs chmod a+x
- find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
- $(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
- tardy --user_number=0 --user_name=openssl \
- --group_number=0 --group_name=openssl \
- --prefix=openssl-$(VERSION) - |\
- gzip --best >../$(TARFILE).gz; \
- rm -f ../$(TARFILE).list; \
+ $(TAR_COMMAND) | gzip --best >../$(TARFILE).gz
+ rm -f ../$(TARFILE).list
ls -l ../$(TARFILE).gz
-tar-snap:
- @$(TAR) $(TARFLAGS) -cvf - \
- `find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
- tardy --user_number=0 --user_name=openssl \
- --group_number=0 --group_name=openssl \
- --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
+tar-snap: ../$(TARFILE).list
+ $(TAR_COMMAND) > ../$(TARFILE)
+ rm -f ../$(TARFILE).list
ls -l ../$(TARFILE)
dist:
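Review bot: The `--transform 's|^|openssl-$(VERSION)/|'` in the new `TAR_COMMAND` is not restricted to member names. GNU tar applies a transform expression to symbolic-link targets too unless the expression carries the `S` scope flag, so relative links in the tree get the prefix prepended to their targets. The `apps/md4.c` change later in this same revision (`link openssl-1.0.1q/../crypto/md4/md4.c`) looks like exactly that effect; I would write the expression as `--transform 's|^|openssl-$(VERSION)/|S'` on tar versions that support scope flags. Separately, `../$(TARFILE).list` is a real file target with no prerequisites, so a list left behind by an interrupted run is treated as up to date and reused; removing it at the start of that rule (`rm -f ../$(TARFILE).list` before the `find`) avoids packaging from a stale list.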
Modified: vendor-crypto/openssl/dist/NEWS
===================================================================
--- vendor-crypto/openssl/dist/NEWS 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/NEWS 2015-12-05 17:55:33 UTC (rev 7389)
@@ -5,6 +5,19 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]
+
+ o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
+ o X509_ATTRIBUTE memory leak (CVE-2015-3195)
+ o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
+ o In DSA_generate_parameters_ex, if the provided seed is too short,
+ return an error
+
+ Major changes between OpenSSL 1.0.1o and OpenSSL 1.0.1p [9 Jul 2015]
+
+ o Alternate chains certificate forgery (CVE-2015-1793)
+ o Race condition handling PSK identify hint (CVE-2015-3196)
+
Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015]
o Fix HMAC ABI incompatibility
Modified: vendor-crypto/openssl/dist/README
===================================================================
--- vendor-crypto/openssl/dist/README 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/README 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1,7 +1,7 @@
- OpenSSL 1.0.1o 12 Jun 2015
+ OpenSSL 1.0.1q 3 Dec 2015
- Copyright (c) 1998-2011 The OpenSSL Project
+ Copyright (c) 1998-2015 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
@@ -10,17 +10,17 @@
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, fully featured, and Open Source toolkit implementing the
- Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
- protocols as well as a full-strength general purpose cryptography library.
- The project is managed by a worldwide community of volunteers that use the
- Internet to communicate, plan, and develop the OpenSSL toolkit and its
- related documentation.
+ Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS) protocols as
+ well as a full-strength general purpose cryptograpic library. The project is
+ managed by a worldwide community of volunteers that use the Internet to
+ communicate, plan, and develop the OpenSSL toolkit and its related
+ documentation.
- OpenSSL is based on the excellent SSLeay library developed from Eric A. Young
+ OpenSSL is descended from the SSLeay library developed by Eric A. Young
and Tim J. Hudson. The OpenSSL toolkit is licensed under a dual-license (the
- OpenSSL license plus the SSLeay license) situation, which basically means
- that you are free to get and use it for commercial and non-commercial
- purposes as long as you fulfill the conditions of both licenses.
+ OpenSSL license plus the SSLeay license), which means that you are free to
+ get and use it for commercial and non-commercial purposes as long as you
+ fulfill the conditions of both licenses.
OVERVIEW
--------
@@ -28,116 +28,39 @@
The OpenSSL toolkit includes:
libssl.a:
- Implementation of SSLv2, SSLv3, TLSv1 and the required code to support
- both SSLv2, SSLv3 and TLSv1 in the one server and client.
+ Provides the client and server-side implementations for SSLv3 and TLS.
libcrypto.a:
- General encryption and X.509 v1/v3 stuff needed by SSL/TLS but not
- actually logically part of it. It includes routines for the following:
+ Provides general cryptographic and X.509 support needed by SSL/TLS but
+ not logically part of it.
- Ciphers
- libdes - EAY's libdes DES encryption package which was floating
- around the net for a few years, and was then relicensed by
- him as part of SSLeay. It includes 15 'modes/variations'
- of DES (1, 2 and 3 key versions of ecb, cbc, cfb and ofb;
- pcbc and a more general form of cfb and ofb) including desx
- in cbc mode, a fast crypt(3), and routines to read
- passwords from the keyboard.
- RC4 encryption,
- RC2 encryption - 4 different modes, ecb, cbc, cfb and ofb.
- Blowfish encryption - 4 different modes, ecb, cbc, cfb and ofb.
- IDEA encryption - 4 different modes, ecb, cbc, cfb and ofb.
-
- Digests
- MD5 and MD2 message digest algorithms, fast implementations,
- SHA (SHA-0) and SHA-1 message digest algorithms,
- MDC2 message digest. A DES based hash that is popular on smart cards.
-
- Public Key
- RSA encryption/decryption/generation.
- There is no limit on the number of bits.
- DSA encryption/decryption/generation.
- There is no limit on the number of bits.
- Diffie-Hellman key-exchange/key generation.
- There is no limit on the number of bits.
-
- X.509v3 certificates
- X509 encoding/decoding into/from binary ASN1 and a PEM
- based ASCII-binary encoding which supports encryption with a
- private key. Program to generate RSA and DSA certificate
- requests and to generate RSA and DSA certificates.
-
- Systems
- The normal digital envelope routines and base64 encoding. Higher
- level access to ciphers and digests by name. New ciphers can be
- loaded at run time. The BIO io system which is a simple non-blocking
- IO abstraction. Current methods supported are file descriptors,
- sockets, socket accept, socket connect, memory buffer, buffering, SSL
- client/server, file pointer, encryption, digest, non-blocking testing
- and null.
-
- Data structures
- A dynamically growing hashing system
- A simple stack.
- A Configuration loader that uses a format similar to MS .ini files.
-
openssl:
A command line tool that can be used for:
- Creation of RSA, DH and DSA key parameters
+ Creation of key parameters
Creation of X.509 certificates, CSRs and CRLs
- Calculation of Message Digests
- Encryption and Decryption with Ciphers
- SSL/TLS Client and Server Tests
+ Calculation of message digests
+ Encryption and decryption
+ SSL/TLS client and server tests
Handling of S/MIME signed or encrypted mail
+ And more...
-
- PATENTS
- -------
-
- Various companies hold various patents for various algorithms in various
- locations around the world. _YOU_ are responsible for ensuring that your use
- of any algorithms is legal by checking if there are any patents in your
- country. The file contains some of the patents that we know about or are
- rumored to exist. This is not a definitive list.
-
- RSA Security holds software patents on the RC5 algorithm. If you
- intend to use this cipher, you must contact RSA Security for
- licensing conditions. Their web page is http://www.rsasecurity.com/.
-
- RC4 is a trademark of RSA Security, so use of this label should perhaps
- only be used with RSA Security's permission.
-
- The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
- Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA. They
- should be contacted if that algorithm is to be used; their web page is
- http://www.ascom.ch/.
-
- NTT and Mitsubishi have patents and pending patents on the Camellia
- algorithm, but allow use at no charge without requiring an explicit
- licensing agreement: http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
-
INSTALLATION
------------
- To install this package under a Unix derivative, read the INSTALL file. For
- a Win32 platform, read the INSTALL.W32 file. For OpenVMS systems, read
- INSTALL.VMS.
+ See the appropriate file:
+ INSTALL Linux, Unix, etc.
+ INSTALL.DJGPP DOS platform with DJGPP
+ INSTALL.NW Netware
+ INSTALL.OS2 OS/2
+ INSTALL.VMS VMS
+ INSTALL.W32 Windows (32bit)
+ INSTALL.W64 Windows (64bit)
+ INSTALL.WCE Windows CE
- Read the documentation in the doc/ directory. It is quite rough, but it
- lists the functions; you will probably have to look at the code to work out
- how to use them. Look at the example programs.
-
- PROBLEMS
- --------
-
- For some platforms, there are some known problems that may affect the user
- or application author. We try to collect those in doc/PROBLEMS, with current
- thoughts on how they should be solved in a future of OpenSSL.
-
SUPPORT
-------
- See the OpenSSL website www.openssl.org for details of how to obtain
+ See the OpenSSL website www.openssl.org for details on how to obtain
commercial technical support.
If you have any problems with OpenSSL then please take the following steps
@@ -161,58 +84,35 @@
- Problem Description (steps that will reproduce the problem, if known)
- Stack Traceback (if the application dumps core)
- Report the bug to the OpenSSL project via the Request Tracker
- (http://www.openssl.org/support/rt.html) by mail to:
+ Email the report to:
- openssl-bugs at openssl.org
+ rt at openssl.org
- Note that the request tracker should NOT be used for general assistance
- or support queries. Just because something doesn't work the way you expect
- does not mean it is necessarily a bug in OpenSSL.
+ In order to avoid spam, this is a moderated mailing list, and it might
+ take a day for the ticket to show up. (We also scan posts to make sure
+ that security disclosures aren't publically posted by mistake.) Mail to
+ this address is recorded in the public RT (request tracker) database (see
+ https://www.openssl.org/support/rt.html for details) and also forwarded
+ the public openssl-dev mailing list. Confidential mail may be sent to
+ openssl-security at openssl.org (PGP key available from the key servers).
- Note that mail to openssl-bugs at openssl.org is recorded in the publicly
- readable request tracker database and is forwarded to a public
- mailing list. Confidential mail may be sent to openssl-security at openssl.org
- (PGP key available from the key servers).
+ Please do NOT use this for general assistance or support queries.
+ Just because something doesn't work the way you expect does not mean it
+ is necessarily a bug in OpenSSL.
+ You can also make GitHub pull requests. If you do this, please also send
+ mail to rt at openssl.org with a link to the PR so that we can more easily
+ keep track of it.
+
HOW TO CONTRIBUTE TO OpenSSL
----------------------------
- Development is coordinated on the openssl-dev mailing list (see
- http://www.openssl.org for information on subscribing). If you
- would like to submit a patch, send it to openssl-bugs at openssl.org with
- the string "[PATCH]" in the subject. Please be sure to include a
- textual explanation of what your patch does.
+ See CONTRIBUTING
- If you are unsure as to whether a feature will be useful for the general
- OpenSSL community please discuss it on the openssl-dev mailing list first.
- Someone may be already working on the same thing or there may be a good
- reason as to why that feature isn't implemented.
+ LEGALITIES
+ ----------
- Patches should be as up to date as possible, preferably relative to the
- current Git or the last snapshot. They should follow the coding style of
- OpenSSL and compile without warnings. Some of the core team developer targets
- can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL
- compiles on many varied platforms: try to ensure you only use portable
- features.
-
- Note: For legal reasons, contributions from the US can be accepted only
- if a TSU notification and a copy of the patch are sent to crypt at bis.doc.gov
- (formerly BXA) with a copy to the ENC Encryption Request Coordinator;
- please take some time to look at
- http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
- and
- http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e))
- for the details. If "your encryption source code is too large to serve as
- an email attachment", they are glad to receive it by fax instead; hope you
- have a cheap long-distance plan.
-
- Our preferred format for changes is "diff -u" output. You might
- generate it like this:
-
- # cd openssl-work
- # [your changes]
- # ./Configure dist; make clean
- # cd ..
- # diff -ur openssl-orig openssl-work > mydiffs.patch
-
+ A number of nations, in particular the U.S., restrict the use or export
+ of cryptography. If you are potentially subject to such restrictions
+ you should seek competent professional legal advice before attempting to
+ develop or distribute cryptographic code.
Modified: vendor-crypto/openssl/dist/apps/Makefile
===================================================================
--- vendor-crypto/openssl/dist/apps/Makefile 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/apps/Makefile 2015-12-05 17:55:33 UTC (rev 7389)
@@ -135,7 +135,7 @@
depend: local_depend
@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
local_depend:
- @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \
+ @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC)
dclean:
$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
Modified: vendor-crypto/openssl/dist/apps/apps.c
===================================================================
--- vendor-crypto/openssl/dist/apps/apps.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/apps/apps.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -119,9 +119,6 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB)
-# include <strings.h>
-#endif
#include <sys/types.h>
#include <ctype.h>
#include <errno.h>
@@ -1247,7 +1244,11 @@
{"ca_default", XN_FLAG_MULTILINE, 0xffffffffL},
{NULL, 0, 0}
};
- return set_multi_opts(flags, arg, ex_tbl);
+ if (set_multi_opts(flags, arg, ex_tbl) == 0)
+ return 0;
+ if ((*flags & XN_FLAG_SEP_MASK) == 0)
+ *flags |= XN_FLAG_SEP_CPLUS_SPC;
+ return 1;
}
int set_ext_copy(int *copy_type, const char *arg)
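Review bot: The default applied at the end of this function is undocumented: when the parsed options select no separator, `XN_FLAG_SEP_CPLUS_SPC` is now forced into `*flags`, which changes the output for callers that used to get the flags back untouched. A one-line comment above the new test would record the reason, for example `/* no separator chosen: fall back to the ", " / " + " style */`, if that is the intent. The function starts above the hunk, so whether `*flags` can already carry a separator on entry is not visible here.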
Modified: vendor-crypto/openssl/dist/apps/asn1pars.c
===================================================================
--- vendor-crypto/openssl/dist/apps/asn1pars.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/apps/asn1pars.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -313,9 +313,9 @@
}
typ = ASN1_TYPE_get(at);
if ((typ == V_ASN1_OBJECT)
+ || (typ == V_ASN1_BOOLEAN)
|| (typ == V_ASN1_NULL)) {
- BIO_printf(bio_err, "Can't parse %s type\n",
- typ == V_ASN1_NULL ? "NULL" : "OBJECT");
+ BIO_printf(bio_err, "Can't parse %s type\n", ASN1_tag2str(typ));
ERR_print_errors(bio_err);
goto end;
}
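Review bot: The reason BOOLEAN joins OBJECT and NULL in this rejection list is not stated, and an unexplained type check like this is easy to drop later as arbitrary. Presumably these are the `ASN1_TYPE` values that are not held as an `ASN1_STRING`, so there is no string buffer for the code after the hunk to re-parse; a comment such as `/* these types are not stored as an ASN1_STRING: nothing to re-parse */` above the `if` would pin that down. The function continues outside the hunk, so the later use of `at` is not visible here.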
Modified: vendor-crypto/openssl/dist/apps/ca.c
===================================================================
--- vendor-crypto/openssl/dist/apps/ca.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/apps/ca.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -99,25 +99,19 @@
#undef PROG
#define PROG ca_main
-#define BASE_SECTION "ca"
-#define CONFIG_FILE "openssl.cnf"
+#define BASE_SECTION "ca"
+#define CONFIG_FILE "openssl.cnf"
#define ENV_DEFAULT_CA "default_ca"
-#define STRING_MASK "string_mask"
+#define STRING_MASK "string_mask"
#define UTF8_IN "utf8"
-#define ENV_DIR "dir"
-#define ENV_CERTS "certs"
-#define ENV_CRL_DIR "crl_dir"
-#define ENV_CA_DB "CA_DB"
#define ENV_NEW_CERTS_DIR "new_certs_dir"
#define ENV_CERTIFICATE "certificate"
#define ENV_SERIAL "serial"
#define ENV_CRLNUMBER "crlnumber"
-#define ENV_CRL "crl"
#define ENV_PRIVATE_KEY "private_key"
-#define ENV_RANDFILE "RANDFILE"
#define ENV_DEFAULT_DAYS "default_days"
#define ENV_DEFAULT_STARTDATE "default_startdate"
#define ENV_DEFAULT_ENDDATE "default_enddate"
@@ -2520,6 +2514,8 @@
char **rrow, *a_tm_s;
a_tm = ASN1_UTCTIME_new();
+ if (a_tm == NULL)
+ return -1;
/* get actual time and make a string */
a_tm = X509_gmtime_adj(a_tm, 0);
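Review bot: The result of `X509_gmtime_adj(a_tm, 0)` on the context line right after the new NULL check is still assigned back to `a_tm` unchecked, so a failure there loses the object just allocated and leaves `a_tm` NULL for whatever follows. I would mirror the new check: `if (X509_gmtime_adj(a_tm, 0) == NULL) { ASN1_UTCTIME_free(a_tm); return -1; }`. The rest of the function is outside the hunk, so how `a_tm` is used afterwards is not visible here.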
Modified: vendor-crypto/openssl/dist/apps/ecparam.c
===================================================================
--- vendor-crypto/openssl/dist/apps/ecparam.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/apps/ecparam.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -413,14 +413,13 @@
}
if (check) {
- if (group == NULL)
- BIO_printf(bio_err, "no elliptic curve parameters\n");
BIO_printf(bio_err, "checking elliptic curve parameters: ");
if (!EC_GROUP_check(group, NULL)) {
BIO_printf(bio_err, "failed\n");
ERR_print_errors(bio_err);
- } else
- BIO_printf(bio_err, "ok\n");
+ goto end;
+ }
+ BIO_printf(bio_err, "ok\n");
}
Modified: vendor-crypto/openssl/dist/apps/engine.c
===================================================================
--- vendor-crypto/openssl/dist/apps/engine.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/apps/engine.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -99,8 +99,6 @@
static int append_buf(char **buf, const char *s, int *size, int step)
{
- int l = strlen(s);
-
if (*buf == NULL) {
*size = step;
*buf = OPENSSL_malloc(*size);
@@ -109,9 +107,6 @@
**buf = '\0';
}
- if (**buf != '\0')
- l += 2; /* ", " */
-
if (strlen(*buf) + strlen(s) >= (unsigned int)*size) {
*size += step;
*buf = OPENSSL_realloc(*buf, *size);
Modified: vendor-crypto/openssl/dist/apps/md4.c
===================================================================
--- vendor-crypto/openssl/dist/apps/md4.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/apps/md4.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/md4/md4.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/md4/md4.c
\ No newline at end of file
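Review bot: The new link target `openssl-1.0.1q/../crypto/md4/md4.c` only resolves if an `openssl-1.0.1q` directory exists next to `apps/md4.c`, and none of the paths touched in this revision suggests the vendor tree has one, so the link presumably dangles after this import. This reads as an artefact of how the release tarball was packed rather than an intended change; I would keep the previous target, `link ../crypto/md4/md4.c`, when importing. Other symlinked files in the same drop are worth checking for the same prefix before the vendor branch is merged.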
Modified: vendor-crypto/openssl/dist/apps/ocsp.c
===================================================================
--- vendor-crypto/openssl/dist/apps/ocsp.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/apps/ocsp.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1220,8 +1220,8 @@
return NULL;
}
- if (BIO_get_fd(cbio, &fd) <= 0) {
- BIO_puts(err, "Can't get connection fd\n");
+ if (BIO_get_fd(cbio, &fd) < 0) {
+ BIO_puts(bio_err, "Can't get connection fd\n");
goto err;
}
Modified: vendor-crypto/openssl/dist/apps/pkcs12.c
===================================================================
--- vendor-crypto/openssl/dist/apps/pkcs12.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/apps/pkcs12.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -134,6 +134,13 @@
apps_startup();
+ enc = EVP_des_ede3_cbc();
+ if (bio_err == NULL)
+ bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+
+ if (!load_config(bio_err, NULL))
+ goto end;
+
# ifdef OPENSSL_FIPS
if (FIPS_mode())
cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
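Review bot: The reordering done by this hunk and the next has a purpose that the code does not state: `load_config()` now runs before the `FIPS_mode()` test that picks `cert_pbe`, presumably because the configuration file can switch FIPS mode on. A comment above the moved block, e.g. `/* load the config first: it may enable FIPS mode, which the cert_pbe default below depends on */`, would stop a later cleanup from moving it back. The next hunk only removes the old copy of the same lines.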
@@ -141,13 +148,6 @@
# endif
cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
- enc = EVP_des_ede3_cbc();
- if (bio_err == NULL)
- bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-
- if (!load_config(bio_err, NULL))
- goto end;
-
args = argv + 1;
while (*args) {
Modified: vendor-crypto/openssl/dist/apps/s_client.c
===================================================================
--- vendor-crypto/openssl/dist/apps/s_client.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/apps/s_client.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1884,6 +1884,9 @@
EVP_PKEY_free(key);
if (pass)
OPENSSL_free(pass);
+#ifndef OPENSSL_NO_SRP
+ OPENSSL_free(srp_arg.srppassin);
+#endif
if (vpm)
X509_VERIFY_PARAM_free(vpm);
if (cbuf != NULL) {
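Review bot: `srp_arg.srppassin` is released with a bare `OPENSSL_free`, so if it holds the SRP password (the name suggests so; its assignment is outside the hunk) the secret stays readable in freed heap memory. Wiping it first is cheap: `if (srp_arg.srppassin != NULL) OPENSSL_cleanse(srp_arg.srppassin, strlen(srp_arg.srppassin));` placed before the free. The `pass` buffer freed on the context lines just above follows the same free-without-wipe pattern.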
Modified: vendor-crypto/openssl/dist/apps/s_server.c
===================================================================
--- vendor-crypto/openssl/dist/apps/s_server.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/apps/s_server.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -2654,6 +2654,21 @@
goto err;
} else {
BIO_printf(bio_s_out, "read R BLOCK\n");
+#ifndef OPENSSL_NO_SRP
+ if (BIO_should_io_special(io)
+ && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
+ BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+ srp_callback_parm.user =
+ SRP_VBASE_get_by_user(srp_callback_parm.vb,
+ srp_callback_parm.login);
+ if (srp_callback_parm.user)
+ BIO_printf(bio_s_out, "LOOKUP done %s\n",
+ srp_callback_parm.user->info);
+ else
+ BIO_printf(bio_s_out, "LOOKUP not successful\n");
+ continue;
+ }
+#endif
#if defined(OPENSSL_SYS_NETWARE)
delay(1000);
#elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
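Review bot: The new SRP branch has no comment explaining why a retry reason named `BIO_RR_SSL_X509_LOOKUP` triggers an SRP user lookup, which is not obvious from the identifiers. A short comment at the top of the `#ifndef OPENSSL_NO_SRP` block, e.g. `/* the SRP callback suspended the handshake until the user record is looked up; do the lookup and retry the read */`, would cover it, assuming that is the mechanism. The enclosing loop and the previous owner of `srp_callback_parm.user` are outside the hunk, so whether the overwritten pointer needs releasing cannot be judged from here.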
Added: vendor-crypto/openssl/dist/appveyor.yml
===================================================================
--- vendor-crypto/openssl/dist/appveyor.yml (rev 0)
+++ vendor-crypto/openssl/dist/appveyor.yml 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,60 @@
+platform:
+ - x86
+ - x64
+
+environment:
+ matrix:
+ - VSVER: 9
+ - VSVER: 10
+ - VSVER: 11
+ - VSVER: 12
+ - VSVER: 14
+
+configuration:
+ - plain
+ - shared
+
+matrix:
+ allow_failures:
+ - platform: x64
+ VSVER: 9
+ - platform: x64
+ VSVER: 10
+ - platform: x64
+ VSVER: 11
+
+before_build:
+ - ps: >-
+ If ($env:Platform -Match "x86") {
+ $env:VCVARS_PLATFORM="x86"
+ $env:TARGET="VC-WIN32"
+ $env:DO="do_ms"
+ } Else {
+ $env:VCVARS_PLATFORM="amd64"
+ $env:TARGET="VC-WIN64A"
+ $env:DO="do_win64a"
+ }
+ - ps: >-
+ If ($env:Configuration -Like "*shared*") {
+ $env:MAK="ntdll.mak"
+ } Else {
+ $env:MAK="nt.mak"
+ }
+ - ps: $env:VSCOMNTOOLS=(Get-Content ("env:VS" + "$env:VSVER" + "0COMNTOOLS"))
+ - call "%VSCOMNTOOLS%\..\..\VC\vcvarsall.bat" %VCVARS_PLATFORM%
+ - perl Configure %TARGET% no-asm
+ - call ms\%DO%
+
+build_script:
+ - nmake /f ms\%MAK%
+
+test_script:
+ - nmake /f ms\%MAK% test
+
+notifications:
+ - provider: Email
+ to:
+ - openssl-commits at openssl.org
+ on_build_success: false
+ on_build_failure: true
+ on_build_status_changed: true
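Review bot: Every job configures with `perl Configure %TARGET% no-asm`, so this CI matrix never builds or tests the assembler code paths, which is where several files in this same import change (the `crypto/*/asm/*.pl` generators). A comment above that line stating why assembly is disabled, or an extra matrix entry without `no-asm`, would keep a green build from being read as coverage of the optimized code. The x64 jobs for `VSVER` 9, 10 and 11 are also listed under `allow_failures` without a stated reason, so failures in those toolchains will pass unnoticed.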
Modified: vendor-crypto/openssl/dist/crypto/aes/asm/aes-586.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/aes/asm/aes-586.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/aes/asm/aes-586.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -45,7 +45,7 @@
# the undertaken effort was that it appeared that in tight IA-32
# register window little-endian flavor could achieve slightly higher
# Instruction Level Parallelism, and it indeed resulted in up to 15%
-# better performance on most recent \xB5-archs...
+# better performance on most recent µ-archs...
#
# Third version adds AES_cbc_encrypt implementation, which resulted in
# up to 40% performance imrovement of CBC benchmark results. 40% was
@@ -223,7 +223,7 @@
$speed_limit=512; # chunks smaller than $speed_limit are
# processed with compact routine in CBC mode
$small_footprint=1; # $small_footprint=1 code is ~5% slower [on
- # recent \xB5-archs], but ~5 times smaller!
+ # recent µ-archs], but ~5 times smaller!
# I favor compact code to minimize cache
# contention and in hope to "collect" 5% back
# in real-life applications...
@@ -562,7 +562,7 @@
# Performance is not actually extraordinary in comparison to pure
# x86 code. In particular encrypt performance is virtually the same.
# Decrypt performance on the other hand is 15-20% better on newer
-# \xB5-archs [but we're thankful for *any* improvement here], and ~50%
+# µ-archs [but we're thankful for *any* improvement here], and ~50%
# better on PIII:-) And additionally on the pros side this code
# eliminates redundant references to stack and thus relieves/
# minimizes the pressure on the memory bus.
Modified: vendor-crypto/openssl/dist/crypto/aes/asm/aesni-x86.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/aes/asm/aesni-x86.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/aes/asm/aesni-x86.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -74,7 +74,7 @@
$inout4="xmm6"; $in0="xmm6";
$inout5="xmm7"; $ivec="xmm7";
-# AESNI extenstion
+# AESNI extension
sub aeskeygenassist
{ my($dst,$src,$imm)=@_;
if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
Modified: vendor-crypto/openssl/dist/crypto/asn1/asn1_par.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/asn1_par.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/asn1/asn1_par.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -62,6 +62,10 @@
#include <openssl/objects.h>
#include <openssl/asn1.h>
+#ifndef ASN1_PARSE_MAXDEPTH
+#define ASN1_PARSE_MAXDEPTH 128
+#endif
+
static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,
int indent);
static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
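Review bot: `ASN1_PARSE_MAXDEPTH` is introduced without a comment saying what it bounds or why the value is 128. Something like `/* Upper bound on nesting depth accepted by asn1_parse2(); keeps deeply nested input from exhausting the stack. May be overridden at build time. */` above the `#ifndef` would do. In the next hunk the limit is reported only as text on the output BIO (`BAD RECURSION DEPTH`) before `return 0`; as far as that hunk shows nothing is pushed on the error queue, so callers that inspect the queue cannot tell this failure from any other.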
@@ -128,6 +132,12 @@
#else
dump_indent = 6; /* Because we know BIO_dump_indent() */
#endif
+
+ if (depth > ASN1_PARSE_MAXDEPTH) {
+ BIO_puts(bp, "BAD RECURSION DEPTH\n");
+ return 0;
+ }
+
p = *pp;
tot = p + length;
op = p - 1;
Modified: vendor-crypto/openssl/dist/crypto/asn1/d2i_pr.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/d2i_pr.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/asn1/d2i_pr.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -72,6 +72,7 @@
long length)
{
EVP_PKEY *ret;
+ const unsigned char *p = *pp;
if ((a == NULL) || (*a == NULL)) {
if ((ret = EVP_PKEY_new()) == NULL) {
@@ -94,21 +95,23 @@
}
if (!ret->ameth->old_priv_decode ||
- !ret->ameth->old_priv_decode(ret, pp, length)) {
+ !ret->ameth->old_priv_decode(ret, &p, length)) {
if (ret->ameth->priv_decode) {
PKCS8_PRIV_KEY_INFO *p8 = NULL;
- p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, pp, length);
+ p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length);
if (!p8)
goto err;
EVP_PKEY_free(ret);
ret = EVP_PKCS82PKEY(p8);
PKCS8_PRIV_KEY_INFO_free(p8);
-
+ if (ret == NULL)
+ goto err;
} else {
ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
goto err;
}
}
+ *pp = p;
if (a != NULL)
(*a) = ret;
return (ret);
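Review bot: In the PKCS8 fallback, `EVP_PKEY_free(ret)` still runs before `EVP_PKCS82PKEY(p8)` has succeeded. If `ret` was taken from a caller-supplied `*a` (the branch that sets it is above the hunk), the caller's key is freed and, on the new `goto err` path, `*a` is left pointing at freed memory. Converting into a temporary and releasing the old key only after success avoids that. The function body starts and ends outside the hunk, so the `err:` cleanup is not visible here.

```c
            PKCS8_PRIV_KEY_INFO *p8 = NULL;
            EVP_PKEY *tmp;
            /* … unchanged: d2i_PKCS8_PRIV_KEY_INFO() call and p8 NULL check … */
            tmp = EVP_PKCS82PKEY(p8);
            PKCS8_PRIV_KEY_INFO_free(p8);
            if (tmp == NULL)
                goto err;
            /* release the old key only once the replacement exists */
            EVP_PKEY_free(ret);
            ret = tmp;
```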
@@ -136,6 +139,7 @@
* input is surrounded by an ASN1 SEQUENCE.
*/
inkey = d2i_ASN1_SEQUENCE_ANY(NULL, &p, length);
+ p = *pp;
/*
* Since we only need to discern "traditional format" RSA and DSA keys we
* can just count the elements.
@@ -146,7 +150,7 @@
keytype = EVP_PKEY_EC;
else if (sk_ASN1_TYPE_num(inkey) == 3) { /* This seems to be PKCS8, not
* traditional format */
- PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, pp, length);
+ PKCS8_PRIV_KEY_INFO *p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length);
EVP_PKEY *ret;
sk_ASN1_TYPE_pop_free(inkey, ASN1_TYPE_free);
@@ -157,6 +161,9 @@
}
ret = EVP_PKCS82PKEY(p8);
PKCS8_PRIV_KEY_INFO_free(p8);
+ if (ret == NULL)
+ return NULL;
+ *pp = p;
if (a) {
*a = ret;
}
Modified: vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -180,6 +180,8 @@
int otag;
int ret = 0;
ASN1_VALUE **pchptr, *ptmpval;
+ int combine = aclass & ASN1_TFLG_COMBINE;
+ aclass &= ~ASN1_TFLG_COMBINE;
if (!pval)
return 0;
if (aux && aux->asn1_cb)
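Review bot: `aclass` now carries a template flag in addition to the tag class, and nothing at the top of the function says so. A comment on the two new lines, e.g. `/* aclass may also carry ASN1_TFLG_COMBINE from the template: strip it before use and remember it, so the error path does not free a combined *pval */`, would tie together the three places this commit touches: the masking here, the `if (combine == 0)` guard at `err:`, and the caller that now passes `tt->flags & ASN1_TFLG_COMBINE`. The prototype is outside the hunk; if it has a parameter description, that should mention the overloading as well.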
@@ -350,9 +352,9 @@
}
asn1_set_choice_selector(pval, i, it);
- *in = p;
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
goto auxerr;
+ *in = p;
return 1;
case ASN1_ITYPE_NDEF_SEQUENCE:
@@ -489,9 +491,9 @@
/* Save encoding */
if (!asn1_enc_save(pval, *in, p - *in, it))
goto auxerr;
- *in = p;
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
goto auxerr;
+ *in = p;
return 1;
default:
@@ -500,7 +502,8 @@
auxerr:
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
err:
- ASN1_item_ex_free(pval, it);
+ if (combine == 0)
+ ASN1_item_ex_free(pval, it);
if (errtt)
ERR_add_error_data(4, "Field=", errtt->field_name,
", Type=", it->sname);
@@ -689,7 +692,7 @@
} else {
/* Nothing special */
ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
- -1, 0, opt, ctx);
+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
if (!ret) {
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;
Modified: vendor-crypto/openssl/dist/crypto/asn1/x_bignum.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/x_bignum.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/asn1/x_bignum.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -141,8 +141,9 @@
int utype, char *free_cont, const ASN1_ITEM *it)
{
BIGNUM *bn;
- if (!*pval)
- bn_new(pval, it);
+
+ if (*pval == NULL && !bn_new(pval, it))
+ return 0;
bn = (BIGNUM *)*pval;
if (!BN_bin2bn(cont, len, bn)) {
bn_free(pval, it);
Modified: vendor-crypto/openssl/dist/crypto/asn1/x_pubkey.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/x_pubkey.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/asn1/x_pubkey.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -188,7 +188,9 @@
{
X509_PUBKEY *xpk;
EVP_PKEY *pktmp;
- xpk = d2i_X509_PUBKEY(NULL, pp, length);
+ const unsigned char *q;
+ q = *pp;
+ xpk = d2i_X509_PUBKEY(NULL, &q, length);
if (!xpk)
return NULL;
pktmp = X509_PUBKEY_get(xpk);
@@ -195,6 +197,7 @@
X509_PUBKEY_free(xpk);
if (!pktmp)
return NULL;
+ *pp = q;
if (a) {
EVP_PKEY_free(*a);
*a = pktmp;
Modified: vendor-crypto/openssl/dist/crypto/asn1/x_x509.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/x_x509.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/asn1/x_x509.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -180,16 +180,15 @@
if (!a || *a == NULL) {
freeret = 1;
}
- ret = d2i_X509(a, pp, length);
+ ret = d2i_X509(a, &q, length);
/* If certificate unreadable then forget it */
if (!ret)
return NULL;
/* update length */
- length -= *pp - q;
- if (!length)
- return ret;
- if (!d2i_X509_CERT_AUX(&ret->aux, pp, length))
+ length -= q - *pp;
+ if (length > 0 && !d2i_X509_CERT_AUX(&ret->aux, &q, length))
goto err;
+ *pp = q;
return ret;
err:
if (freeret) {
Modified: vendor-crypto/openssl/dist/crypto/bio/b_dump.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/bio/b_dump.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bio/b_dump.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -104,7 +104,6 @@
if ((rows * dump_width) < len)
rows++;
for (i = 0; i < rows; i++) {
- buf[0] = '\0'; /* start with empty string */
BUF_strlcpy(buf, str, sizeof buf);
BIO_snprintf(tmp, sizeof tmp, "%04x - ", i * dump_width);
BUF_strlcat(buf, tmp, sizeof buf);
Modified: vendor-crypto/openssl/dist/crypto/bio/bio.h
===================================================================
--- vendor-crypto/openssl/dist/crypto/bio/bio.h 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bio/bio.h 2015-12-05 17:55:33 UTC (rev 7389)
@@ -290,7 +290,7 @@
* BIO_CB_RETURN flag indicates if it is after the call
*/
# define BIO_CB_RETURN 0x80
-# define BIO_CB_return(a) ((a)|BIO_CB_RETURN))
+# define BIO_CB_return(a) ((a)|BIO_CB_RETURN)
# define BIO_cb_pre(a) (!((a)&BIO_CB_RETURN))
# define BIO_cb_post(a) ((a)&BIO_CB_RETURN)
Modified: vendor-crypto/openssl/dist/crypto/bio/bss_file.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/bio/bss_file.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bio/bss_file.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -115,9 +115,8 @@
NULL,
};
-BIO *BIO_new_file(const char *filename, const char *mode)
+static FILE *file_fopen(const char *filename, const char *mode)
{
- BIO *ret;
FILE *file = NULL;
# if defined(_WIN32) && defined(CP_UTF8)
@@ -164,6 +163,14 @@
# else
file = fopen(filename, mode);
# endif
+ return (file);
+}
+
+BIO *BIO_new_file(const char *filename, const char *mode)
+{
+ BIO *ret;
+ FILE *file = file_fopen(filename, mode);
+
if (file == NULL) {
SYSerr(SYS_F_FOPEN, get_last_sys_error());
ERR_add_error_data(5, "fopen('", filename, "','", mode, "')");
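Review bot: The new static helper `file_fopen` carries no comment stating its contract, although after this split both `BIO_new_file` here and the call `fp = file_fopen(ptr, p);` in the next hunk depend on it. A one-line header would record that error reporting stays with the callers, for example `/* fopen() wrapper with the platform-specific filename handling; returns NULL on failure, caller raises SYSerr. */`. The helper's body begins in the previous hunk and its `_WIN32`/`CP_UTF8` branch is not visible here, so the wording about filename handling should be checked against that code.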
@@ -386,7 +393,7 @@
else
strcat(p, "t");
# endif
- fp = fopen(ptr, p);
+ fp = file_fopen(ptr, p);
if (fp == NULL) {
SYSerr(SYS_F_FOPEN, get_last_sys_error());
ERR_add_error_data(5, "fopen('", ptr, "','", p, "')");
Modified: vendor-crypto/openssl/dist/crypto/bn/asm/armv4-gf2m.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/armv4-gf2m.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/armv4-gf2m.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -41,13 +41,13 @@
.align 5
mul_1x1_neon:
vshl.u64 `&Dlo("q1")`,d16,#8 @ q1-q3 are slided $a
- vmull.p8 `&Q("d0")`,d16,d17 @ a\xB7bb
+ vmull.p8 `&Q("d0")`,d16,d17 @ a·bb
vshl.u64 `&Dlo("q2")`,d16,#16
- vmull.p8 q1,`&Dlo("q1")`,d17 @ a<<8\xB7bb
+ vmull.p8 q1,`&Dlo("q1")`,d17 @ a<<8·bb
vshl.u64 `&Dlo("q3")`,d16,#24
- vmull.p8 q2,`&Dlo("q2")`,d17 @ a<<16\xB7bb
+ vmull.p8 q2,`&Dlo("q2")`,d17 @ a<<16·bb
vshr.u64 `&Dlo("q1")`,#8
- vmull.p8 q3,`&Dlo("q3")`,d17 @ a<<24\xB7bb
+ vmull.p8 q3,`&Dlo("q3")`,d17 @ a<<24·bb
vshl.u64 `&Dhi("q1")`,#24
veor d0,`&Dlo("q1")`
vshr.u64 `&Dlo("q2")`,#16
@@ -158,7 +158,7 @@
################
# void bn_GF2m_mul_2x2(BN_ULONG *r,
# BN_ULONG a1,BN_ULONG a0,
-# BN_ULONG b1,BN_ULONG b0); # r[3..0]=a1a0\xB7b1b0
+# BN_ULONG b1,BN_ULONG b0); # r[3..0]=a1a0·b1b0
($A1,$B1,$A0,$B0,$A1B1,$A0B0)=map("d$_",(18..23));
@@ -184,20 +184,20 @@
vmov d16,$A1
vmov d17,$B1
- bl mul_1x1_neon @ a1\xB7b1
+ bl mul_1x1_neon @ a1·b1
vmov $A1B1,d0
vmov d16,$A0
vmov d17,$B0
- bl mul_1x1_neon @ a0\xB7b0
+ bl mul_1x1_neon @ a0·b0
vmov $A0B0,d0
veor d16,$A0,$A1
veor d17,$B0,$B1
veor $A0,$A0B0,$A1B1
- bl mul_1x1_neon @ (a0+a1)\xB7(b0+b1)
+ bl mul_1x1_neon @ (a0+a1)·(b0+b1)
- veor d0,$A0 @ (a0+a1)\xB7(b0+b1)-a0\xB7b0-a1\xB7b1
+ veor d0,$A0 @ (a0+a1)·(b0+b1)-a0·b0-a1·b1
vshl.u64 d1,d0,#32
vshr.u64 d0,d0,#32
veor $A0B0,d1
@@ -220,7 +220,7 @@
mov $mask,#7<<2
sub sp,sp,#32 @ allocate tab[8]
- bl mul_1x1_ialu @ a1\xB7b1
+ bl mul_1x1_ialu @ a1·b1
str $lo,[$ret,#8]
str $hi,[$ret,#12]
@@ -230,13 +230,13 @@
eor r2,r2,$a
eor $b,$b,r3
eor $a,$a,r2
- bl mul_1x1_ialu @ a0\xB7b0
+ bl mul_1x1_ialu @ a0·b0
str $lo,[$ret]
str $hi,[$ret,#4]
eor $a,$a,r2
eor $b,$b,r3
- bl mul_1x1_ialu @ (a1+a0)\xB7(b1+b0)
+ bl mul_1x1_ialu @ (a1+a0)·(b1+b0)
___
@r=map("r$_",(6..9));
$code.=<<___;
Modified: vendor-crypto/openssl/dist/crypto/bn/asm/ia64.S
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/ia64.S 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/ia64.S 2015-12-05 17:55:33 UTC (rev 7389)
@@ -422,7 +422,7 @@
// This loop spins in 3*(n+10) ticks on Itanium and in 2*(n+10) on
// Itanium 2. Yes, unlike previous versions it scales:-) Previous
-// version was peforming *all* additions in IALU and was starving
+// version was performing *all* additions in IALU and was starving
// for those even on Itanium 2. In this version one addition is
// moved to FPU and is folded with multiplication. This is at cost
// of propogating the result from previous call to this subroutine
@@ -568,7 +568,7 @@
// I've estimated this routine to run in ~120 ticks, but in reality
// (i.e. according to ar.itc) it takes ~160 ticks. Are those extra
// cycles consumed for instructions fetch? Or did I misinterpret some
-// clause in Itanium \xB5-architecture manual? Comments are welcomed and
+// clause in Itanium µ-architecture manual? Comments are welcomed and
// highly appreciated.
//
// On Itanium 2 it takes ~190 ticks. This is because of stalls on
Modified: vendor-crypto/openssl/dist/crypto/bn/asm/s390x-gf2m.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/s390x-gf2m.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/s390x-gf2m.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -172,12 +172,12 @@
if ($SIZE_T==8) {
my @r=map("%r$_",(6..9));
$code.=<<___;
- bras $ra,_mul_1x1 # a1\xB7b1
+ bras $ra,_mul_1x1 # a1·b1
stmg $lo,$hi,16($rp)
lg $a,`$stdframe+128+4*$SIZE_T`($sp)
lg $b,`$stdframe+128+6*$SIZE_T`($sp)
- bras $ra,_mul_1x1 # a0\xB7b0
+ bras $ra,_mul_1x1 # a0·b0
stmg $lo,$hi,0($rp)
lg $a,`$stdframe+128+3*$SIZE_T`($sp)
@@ -184,7 +184,7 @@
lg $b,`$stdframe+128+5*$SIZE_T`($sp)
xg $a,`$stdframe+128+4*$SIZE_T`($sp)
xg $b,`$stdframe+128+6*$SIZE_T`($sp)
- bras $ra,_mul_1x1 # (a0+a1)\xB7(b0+b1)
+ bras $ra,_mul_1x1 # (a0+a1)·(b0+b1)
lmg @r[0], at r[3],0($rp)
xgr $lo,$hi
Modified: vendor-crypto/openssl/dist/crypto/bn/asm/x86-gf2m.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/x86-gf2m.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/x86-gf2m.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -14,7 +14,7 @@
# the time being... Except that it has three code paths: pure integer
# code suitable for any x86 CPU, MMX code suitable for PIII and later
# and PCLMULQDQ suitable for Westmere and later. Improvement varies
-# from one benchmark and \xB5-arch to another. Below are interval values
+# from one benchmark and µ-arch to another. Below are interval values
# for 163- and 571-bit ECDH benchmarks relative to compiler-generated
# code:
#
@@ -226,12 +226,12 @@
&push ("edi");
&mov ($a,&wparam(1));
&mov ($b,&wparam(3));
- &call ("_mul_1x1_mmx"); # a1\xB7b1
+ &call ("_mul_1x1_mmx"); # a1·b1
&movq ("mm7",$R);
&mov ($a,&wparam(2));
&mov ($b,&wparam(4));
- &call ("_mul_1x1_mmx"); # a0\xB7b0
+ &call ("_mul_1x1_mmx"); # a0·b0
&movq ("mm6",$R);
&mov ($a,&wparam(1));
@@ -238,10 +238,10 @@
&mov ($b,&wparam(3));
&xor ($a,&wparam(2));
&xor ($b,&wparam(4));
- &call ("_mul_1x1_mmx"); # (a0+a1)\xB7(b0+b1)
+ &call ("_mul_1x1_mmx"); # (a0+a1)·(b0+b1)
&pxor ($R,"mm7");
&mov ($a,&wparam(0));
- &pxor ($R,"mm6"); # (a0+a1)\xB7(b0+b1)-a1\xB7b1-a0\xB7b0
+ &pxor ($R,"mm6"); # (a0+a1)·(b0+b1)-a1·b1-a0·b0
&movq ($A,$R);
&psllq ($R,32);
@@ -266,13 +266,13 @@
&mov ($a,&wparam(1));
&mov ($b,&wparam(3));
- &call ("_mul_1x1_ialu"); # a1\xB7b1
+ &call ("_mul_1x1_ialu"); # a1·b1
&mov (&DWP(8,"esp"),$lo);
&mov (&DWP(12,"esp"),$hi);
&mov ($a,&wparam(2));
&mov ($b,&wparam(4));
- &call ("_mul_1x1_ialu"); # a0\xB7b0
+ &call ("_mul_1x1_ialu"); # a0·b0
&mov (&DWP(0,"esp"),$lo);
&mov (&DWP(4,"esp"),$hi);
@@ -280,7 +280,7 @@
&mov ($b,&wparam(3));
&xor ($a,&wparam(2));
&xor ($b,&wparam(4));
- &call ("_mul_1x1_ialu"); # (a0+a1)\xB7(b0+b1)
+ &call ("_mul_1x1_ialu"); # (a0+a1)·(b0+b1)
&mov ("ebp",&wparam(0));
@r=("ebx","ecx","edi","esi");
Modified: vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -66,7 +66,7 @@
# undef sqr
/*-
- * "m"(a), "+m"(r) is the way to favor DirectPath \xB5-code;
+ * "m"(a), "+m"(r) is the way to favor DirectPath µ-code;
* "g"(0) let the compiler to decide where does it
* want to keep the value of zero;
*/
Modified: vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gf2m.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gf2m.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gf2m.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -13,7 +13,7 @@
# in bn_gf2m.c. It's kind of low-hanging mechanical port from C for
# the time being... Except that it has two code paths: code suitable
# for any x86_64 CPU and PCLMULQDQ one suitable for Westmere and
-# later. Improvement varies from one benchmark and \xB5-arch to another.
+# later. Improvement varies from one benchmark and µ-arch to another.
# Vanilla code path is at most 20% faster than compiler-generated code
# [not very impressive], while PCLMULQDQ - whole 85%-160% better on
# 163- and 571-bit ECDH benchmarks on Intel CPUs. Keep in mind that
@@ -184,13 +184,13 @@
$code.=<<___;
movdqa %xmm0,%xmm4
movdqa %xmm1,%xmm5
- pclmulqdq \$0,%xmm1,%xmm0 # a1\xB7b1
+ pclmulqdq \$0,%xmm1,%xmm0 # a1·b1
pxor %xmm2,%xmm4
pxor %xmm3,%xmm5
- pclmulqdq \$0,%xmm3,%xmm2 # a0\xB7b0
- pclmulqdq \$0,%xmm5,%xmm4 # (a0+a1)\xB7(b0+b1)
+ pclmulqdq \$0,%xmm3,%xmm2 # a0·b0
+ pclmulqdq \$0,%xmm5,%xmm4 # (a0+a1)·(b0+b1)
xorps %xmm0,%xmm4
- xorps %xmm2,%xmm4 # (a0+a1)\xB7(b0+b1)-a0\xB7b0-a1\xB7b1
+ xorps %xmm2,%xmm4 # (a0+a1)·(b0+b1)-a0·b0-a1·b1
movdqa %xmm4,%xmm5
pslldq \$8,%xmm4
psrldq \$8,%xmm5
@@ -225,13 +225,13 @@
mov \$0xf,$mask
mov $a1,$a
mov $b1,$b
- call _mul_1x1 # a1\xB7b1
+ call _mul_1x1 # a1·b1
mov $lo,16(%rsp)
mov $hi,24(%rsp)
mov 48(%rsp),$a
mov 64(%rsp),$b
- call _mul_1x1 # a0\xB7b0
+ call _mul_1x1 # a0·b0
mov $lo,0(%rsp)
mov $hi,8(%rsp)
@@ -239,7 +239,7 @@
mov 56(%rsp),$b
xor 48(%rsp),$a
xor 64(%rsp),$b
- call _mul_1x1 # (a0+a1)\xB7(b0+b1)
+ call _mul_1x1 # (a0+a1)·(b0+b1)
___
@r=("%rbx","%rcx","%rdi","%rsi");
$code.=<<___;
Modified: vendor-crypto/openssl/dist/crypto/bn/bn_exp.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/bn_exp.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/bn_exp.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -599,12 +599,13 @@
bn_check_top(p);
bn_check_top(m);
- top = m->top;
-
- if (!(m->d[0] & 1)) {
+ if (!BN_is_odd(m)) {
BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS);
return (0);
}
+
+ top = m->top;
+
bits = BN_num_bits(p);
if (bits == 0) {
ret = BN_one(rr);
Modified: vendor-crypto/openssl/dist/crypto/bn/bn_gcd.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/bn_gcd.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/bn_gcd.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -583,6 +583,7 @@
* BN_div_no_branch will be called eventually.
*/
pB = &local_B;
+ local_B.flags = 0;
BN_with_flags(pB, B, BN_FLG_CONSTTIME);
if (!BN_nnmod(B, pB, A, ctx))
goto err;
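Review bot: The added `local_B.flags = 0;` ahead of `BN_with_flags(pB, B, BN_FLG_CONSTTIME)` has no comment explaining why a field of a stack BIGNUM is set by hand, and the same holds for `local_A.flags = 0;` in the next hunk. Presumably BN_with_flags reads the destination's existing flags, so without the assignment an indeterminate stack value could be folded into the copy that selects the constant-time path. Stating that next to the line, e.g. `/* BN_with_flags reads pB->flags; clear it so no stack garbage is carried over */`, keeps it from being removed as redundant; confirm the wording against the macro in bn.h. Both assignments sit in functions whose bodies extend beyond the hunks.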
@@ -610,6 +611,7 @@
* BN_div_no_branch will be called eventually.
*/
pA = &local_A;
+ local_A.flags = 0;
BN_with_flags(pA, A, BN_FLG_CONSTTIME);
/* (D, M) := (A/B, A%B) ... */
Modified: vendor-crypto/openssl/dist/crypto/bn/bn_gf2m.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/bn_gf2m.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/bn_gf2m.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -576,7 +576,7 @@
bn_check_top(a);
BN_CTX_start(ctx);
if ((s = BN_CTX_get(ctx)) == NULL)
- return 0;
+ goto err;
if (!bn_wexpand(s, 2 * a->top))
goto err;
@@ -700,18 +700,21 @@
int top = p->top;
BN_ULONG *udp, *bdp, *vdp, *cdp;
- bn_wexpand(u, top);
+ if (!bn_wexpand(u, top))
+ goto err;
udp = u->d;
for (i = u->top; i < top; i++)
udp[i] = 0;
u->top = top;
- bn_wexpand(b, top);
+ if (!bn_wexpand(b, top))
+ goto err;
bdp = b->d;
bdp[0] = 1;
for (i = 1; i < top; i++)
bdp[i] = 0;
b->top = top;
- bn_wexpand(c, top);
+ if (!bn_wexpand(c, top))
+ goto err;
cdp = c->d;
for (i = 0; i < top; i++)
cdp[i] = 0;
Modified: vendor-crypto/openssl/dist/crypto/bn/bn_mont.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/bn_mont.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/bn_mont.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -361,9 +361,9 @@
if (mont == NULL)
return;
- BN_free(&(mont->RR));
- BN_free(&(mont->N));
- BN_free(&(mont->Ni));
+ BN_clear_free(&(mont->RR));
+ BN_clear_free(&(mont->N));
+ BN_clear_free(&(mont->Ni));
if (mont->flags & BN_FLG_MALLOCED)
OPENSSL_free(mont);
}
@@ -373,6 +373,9 @@
int ret = 0;
BIGNUM *Ri, *R;
+ if (BN_is_zero(mod))
+ return 0;
+
BN_CTX_start(ctx);
if ((Ri = BN_CTX_get(ctx)) == NULL)
goto err;
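Review bot: The new zero-modulus guard returns 0 without placing anything on the error queue, so a caller sees a bare failure and cannot tell a rejected modulus from an allocation failure. Raising a BN error before `return 0;` would make the rejection diagnosable. The early return is correctly placed before `BN_CTX_start(ctx)`, so no `BN_CTX_end` is owed; a short comment such as `/* reject before BN_CTX_start so no BN_CTX_end is needed */` would stop a later edit from turning it into `goto err`. The function body continues outside the hunk.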
Modified: vendor-crypto/openssl/dist/crypto/bn/bn_recp.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/bn_recp.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/bn_recp.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -152,8 +152,10 @@
if (BN_ucmp(m, &(recp->N)) < 0) {
BN_zero(d);
- if (!BN_copy(r, m))
+ if (!BN_copy(r, m)) {
+ BN_CTX_end(ctx);
return 0;
+ }
BN_CTX_end(ctx);
return (1);
}
Modified: vendor-crypto/openssl/dist/crypto/bn/bn_x931p.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/bn_x931p.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/bn_x931p.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -213,7 +213,7 @@
* exceeded.
*/
if (!BN_rand(Xp, nbits, 1, 0))
- return 0;
+ goto err;
BN_CTX_start(ctx);
t = BN_CTX_get(ctx);
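Review bot: The first `goto err` is taken before `BN_CTX_start(ctx)` has run, yet the `err:` label added in the last hunk of this file calls `BN_CTX_end(ctx)`, so a failure of the first `BN_rand(Xp, nbits, 1, 0)` ends a context frame that was never started. Either leave that first failure as `return 0;` or move `BN_CTX_start(ctx);` above the first `BN_rand` call. Separately, `t = BN_CTX_get(ctx);` is passed to `BN_sub(t, Xp, Xq)` in the next hunk with no NULL check visible; adding `if (t == NULL) goto err;` would close that. The function starts and ends outside this hunk.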
@@ -220,7 +220,7 @@
for (i = 0; i < 1000; i++) {
if (!BN_rand(Xq, nbits, 1, 0))
- return 0;
+ goto err;
/* Check that |Xp - Xq| > 2^(nbits - 100) */
BN_sub(t, Xp, Xq);
if (BN_num_bits(t) > (nbits - 100))
@@ -234,6 +234,9 @@
return 0;
+ err:
+ BN_CTX_end(ctx);
+ return 0;
}
/*
Modified: vendor-crypto/openssl/dist/crypto/bn/bntest.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/bn/bntest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/bn/bntest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -441,6 +441,14 @@
BN_init(&d);
BN_init(&e);
+ BN_one(&a);
+ BN_zero(&b);
+
+ if (BN_div(&d, &c, &a, &b, ctx)) {
+ fprintf(stderr, "Division by zero succeeded!\n");
+ return 0;
+ }
+
for (i = 0; i < num0 + num1; i++) {
if (i < num1) {
BN_bntest_rand(&a, 400, 0, 0);
@@ -516,9 +524,9 @@
do {
BN_bntest_rand(&a, 512, -1, 0);
BN_bntest_rand(&b, BN_BITS2, -1, 0);
- s = b.d[0];
- } while (!s);
+ } while (BN_is_zero(&b));
+ s = b.d[0];
BN_copy(&b, &a);
r = BN_div_word(&b, s);
@@ -781,6 +789,18 @@
if (mont == NULL)
return 0;
+ BN_zero(&n);
+ if (BN_MONT_CTX_set(mont, &n, ctx)) {
+ fprintf(stderr, "BN_MONT_CTX_set succeeded for zero modulus!\n");
+ return 0;
+ }
+
+ BN_set_word(&n, 16);
+ if (BN_MONT_CTX_set(mont, &n, ctx)) {
+ fprintf(stderr, "BN_MONT_CTX_set succeeded for even modulus!\n");
+ return 0;
+ }
+
BN_bntest_rand(&a, 100, 0, 0);
BN_bntest_rand(&b, 100, 0, 0);
for (i = 0; i < num2; i++) {
@@ -887,6 +907,14 @@
d = BN_new();
e = BN_new();
+ BN_one(a);
+ BN_one(b);
+ BN_zero(c);
+ if (BN_mod_mul(e, a, b, c, ctx)) {
+ fprintf(stderr, "BN_mod_mul with zero modulus succeeded!\n");
+ return 0;
+ }
+
for (j = 0; j < 3; j++) {
BN_bntest_rand(c, 1024, 0, 0);
for (i = 0; i < num0; i++) {
@@ -952,6 +980,14 @@
d = BN_new();
e = BN_new();
+ BN_one(a);
+ BN_one(b);
+ BN_zero(c);
+ if (BN_mod_exp(d, a, b, c, ctx)) {
+ fprintf(stderr, "BN_mod_exp with zero modulus succeeded!\n");
+ return 0;
+ }
+
BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
for (i = 0; i < num2; i++) {
BN_bntest_rand(a, 20 + i * 5, 0, 0);
@@ -999,6 +1035,22 @@
d = BN_new();
e = BN_new();
+ BN_one(a);
+ BN_one(b);
+ BN_zero(c);
+ if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
+ fprintf(stderr, "BN_mod_exp_mont_consttime with zero modulus "
+ "succeeded\n");
+ return 0;
+ }
+
+ BN_set_word(c, 16);
+ if (BN_mod_exp_mont_consttime(d, a, b, c, ctx, NULL)) {
+ fprintf(stderr, "BN_mod_exp_mont_consttime with even modulus "
+ "succeeded\n");
+ return 0;
+ }
+
BN_bntest_rand(c, 30, 0, 1); /* must be odd for montgomery */
for (i = 0; i < num2; i++) {
BN_bntest_rand(a, 20 + i * 5, 0, 0);
Modified: vendor-crypto/openssl/dist/crypto/buffer/buf_str.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/buffer/buf_str.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/buffer/buf_str.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -58,12 +58,13 @@
#include <stdio.h>
#include "cryptlib.h"
+#include <limits.h>
#include <openssl/buffer.h>
char *BUF_strdup(const char *str)
{
if (str == NULL)
- return (NULL);
+ return NULL;
return BUF_strndup(str, strlen(str));
}
@@ -72,14 +73,20 @@
char *ret;
if (str == NULL)
- return (NULL);
+ return NULL;
+ if (siz >= INT_MAX)
+ return NULL;
+
ret = OPENSSL_malloc(siz + 1);
if (ret == NULL) {
BUFerr(BUF_F_BUF_STRNDUP, ERR_R_MALLOC_FAILURE);
- return (NULL);
+ return NULL;
}
- BUF_strlcpy(ret, str, siz + 1);
+
+ memcpy(ret, str, siz);
+ ret[siz] = '\0';
+
return (ret);
}
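Review bot: `memcpy(ret, str, siz)` always reads `siz` bytes from `str`, whereas the `BUF_strlcpy` call it replaces stopped at the first NUL, so a caller passing a `siz` larger than the string's length now reads past the terminator. Clamp the length before the size check and the allocation, e.g. `const char *nul = memchr(str, '\0', siz); if (nul != NULL) siz = (size_t)(nul - str);`. `BUF_strdup` above passes `strlen(str)` and is unaffected; other callers are outside this diff and would need auditing. The `siz >= INT_MAX` rejection also returns NULL without a `BUFerr`, unlike the allocation failure just below it.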
@@ -87,13 +94,13 @@
{
void *ret;
- if (data == NULL)
- return (NULL);
+ if (data == NULL || siz >= INT_MAX)
+ return NULL;
ret = OPENSSL_malloc(siz);
if (ret == NULL) {
BUFerr(BUF_F_BUF_MEMDUP, ERR_R_MALLOC_FAILURE);
- return (NULL);
+ return NULL;
}
return memcpy(ret, data, siz);
}
Modified: vendor-crypto/openssl/dist/crypto/buffer/buffer.h
===================================================================
--- vendor-crypto/openssl/dist/crypto/buffer/buffer.h 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/buffer/buffer.h 2015-12-05 17:55:33 UTC (rev 7389)
@@ -85,7 +85,13 @@
int BUF_MEM_grow(BUF_MEM *str, size_t len);
int BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
char *BUF_strdup(const char *str);
+
+/*
+ * Like strndup, but in addition, explicitly guarantees to never read past the
+ * first |siz| bytes of |str|.
+ */
char *BUF_strndup(const char *str, size_t siz);
+
void *BUF_memdup(const void *data, size_t siz);
void BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);
Modified: vendor-crypto/openssl/dist/crypto/cms/cms_enc.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/cms/cms_enc.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/cms/cms_enc.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -195,7 +195,7 @@
ok = 1;
err:
- if (ec->key && !keep_key) {
+ if (ec->key && (!keep_key || !ok)) {
OPENSSL_cleanse(ec->key, ec->keylen);
OPENSSL_free(ec->key);
ec->key = NULL;
Modified: vendor-crypto/openssl/dist/crypto/cms/cms_pwri.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/cms/cms_pwri.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/cms/cms_pwri.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -121,6 +121,9 @@
/* Setup algorithm identifier for cipher */
encalg = X509_ALGOR_new();
+ if (encalg == NULL) {
+ goto merr;
+ }
EVP_CIPHER_CTX_init(&ctx);
if (EVP_EncryptInit_ex(&ctx, kekciph, NULL, NULL, NULL) <= 0) {
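Review bot: The new `goto merr` is taken before `EVP_CIPHER_CTX_init(&ctx)` has run, so if the `merr`/`err` path (outside this hunk) cleans up `ctx`, it would operate on an uninitialised context. Moving `EVP_CIPHER_CTX_init(&ctx);` above `encalg = X509_ALGOR_new();` keeps the NULL check and makes the cleanup safe on every path. This should be confirmed against the body of the label, which the hunk does not show.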
Modified: vendor-crypto/openssl/dist/crypto/cms/cms_smime.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/cms/cms_smime.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/cms/cms_smime.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -714,7 +714,7 @@
BIO *cmsbio;
int ret = 0;
if (!(cmsbio = CMS_dataInit(cms, dcont))) {
- CMSerr(CMS_F_CMS_FINAL, ERR_R_MALLOC_FAILURE);
+ CMSerr(CMS_F_CMS_FINAL, CMS_R_CMS_LIB);
return 0;
}
Modified: vendor-crypto/openssl/dist/crypto/comp/c_zlib.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/comp/c_zlib.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/comp/c_zlib.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -404,8 +404,9 @@
void COMP_zlib_cleanup(void)
{
#ifdef ZLIB_SHARED
- if (zlib_dso)
+ if (zlib_dso != NULL)
DSO_free(zlib_dso);
+ zlib_dso = NULL;
#endif
}
Modified: vendor-crypto/openssl/dist/crypto/conf/conf_def.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/conf/conf_def.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/conf/conf_def.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -225,12 +225,11 @@
goto err;
}
- section = (char *)OPENSSL_malloc(10);
+ section = BUF_strdup("default");
if (section == NULL) {
CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
goto err;
}
- BUF_strlcpy(section, "default", 10);
if (_CONF_new_data(conf) == 0) {
CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
Modified: vendor-crypto/openssl/dist/crypto/conf/conf_sap.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/conf/conf_sap.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/conf/conf_sap.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -90,6 +90,7 @@
CONF_modules_load_file(NULL, config_name,
CONF_MFLAGS_DEFAULT_SECTION |
CONF_MFLAGS_IGNORE_MISSING_FILE);
+ openssl_configured = 1;
}
void OPENSSL_no_config()
Modified: vendor-crypto/openssl/dist/crypto/cryptlib.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/cryptlib.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/cryptlib.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -930,13 +930,29 @@
# if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
/* this -------------v--- guards NT-specific calls */
if (check_winnt() && OPENSSL_isservice() > 0) {
- HANDLE h = RegisterEventSource(0, _T("OPENSSL"));
- const TCHAR *pmsg = buf;
- ReportEvent(h, EVENTLOG_ERROR_TYPE, 0, 0, 0, 1, 0, &pmsg, 0);
- DeregisterEventSource(h);
+ HANDLE hEventLog = RegisterEventSource(NULL, _T("OpenSSL"));
+
+ if (hEventLog != NULL) {
+ const TCHAR *pmsg = buf;
+
+ if (!ReportEvent(hEventLog, EVENTLOG_ERROR_TYPE, 0, 0, NULL,
+ 1, 0, &pmsg, NULL)) {
+#if defined(DEBUG)
+ /*
+ * We are in a situation where we tried to report a critical
+ * error and this failed for some reason. As a last resort,
+ * in debug builds, send output to the debugger or any other
+ * tool like DebugView which can monitor the output.
+ */
+ OutputDebugString(pmsg);
+#endif
+ }
+
+ (void)DeregisterEventSource(hEventLog);
+ }
} else
# endif
- MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONSTOP);
+ MessageBox(NULL, buf, _T("OpenSSL: FATAL"), MB_OK | MB_ICONERROR);
}
#else
void OPENSSL_showfatal(const char *fmta, ...)
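Review bot: When `RegisterEventSource` returns NULL the fatal message is now dropped with no output at all, because the `OutputDebugString(pmsg)` fallback only covers a failed `ReportEvent` inside the `hEventLog != NULL` branch. Giving the NULL-handle case the same debug-build fallback would keep a service's last-resort diagnostics from vanishing silently. As a style point, the nested `#if defined(DEBUG)` / `#endif` sit at column 0 while the enclosing directive is written `# if defined(_WIN32_WINNT)`; indenting them to the file's nesting convention keeps the preprocessor structure readable.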
Deleted: vendor-crypto/openssl/dist/crypto/des/t/test
===================================================================
--- vendor-crypto/openssl/dist/crypto/des/t/test 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/des/t/test 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1,27 +0,0 @@
-#!./perl
-
-BEGIN { push(@INC, qw(../../../lib ../../lib ../lib lib)); }
-
-use DES;
-
-$key='00000000';
-$ks=DES::set_key($key);
- at a=split(//,$ks);
-foreach (@a) { printf "%02x-",ord($_); }
-print "\n";
-
-
-$key=DES::random_key();
-print "($_)\n";
- at a=split(//,$key);
-foreach (@a) { printf "%02x-",ord($_); }
-print "\n";
-$str="this is and again into the breach";
-($k1,$k2)=DES::string_to_2keys($str);
- at a=split(//,$k1);
-foreach (@a) { printf "%02x-",ord($_); }
-print "\n";
- at a=split(//,$k2);
-foreach (@a) { printf "%02x-",ord($_); }
-print "\n";
-
Modified: vendor-crypto/openssl/dist/crypto/dsa/dsa_ameth.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/dsa/dsa_ameth.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/dsa/dsa_ameth.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -318,6 +318,7 @@
dplen = i2d_ASN1_INTEGER(prkey, &dp);
ASN1_STRING_clear_free(prkey);
+ prkey = NULL;
if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_dsa), 0,
V_ASN1_SEQUENCE, params, dp, dplen))
Modified: vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -112,17 +112,9 @@
}
# endif
else {
- const EVP_MD *evpmd;
- size_t qbits = bits >= 2048 ? 256 : 160;
+ const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1();
+ size_t qbits = EVP_MD_size(evpmd) * 8;
- if (bits >= 2048) {
- qbits = 256;
- evpmd = EVP_sha256();
- } else {
- qbits = 160;
- evpmd = EVP_sha1();
- }
-
return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
seed_in, seed_len, NULL, counter_ret,
h_ret, cb);
@@ -174,13 +166,14 @@
if (seed_in != NULL)
memcpy(seed, seed_in, seed_len);
- if ((ctx = BN_CTX_new()) == NULL)
+ if ((mont = BN_MONT_CTX_new()) == NULL)
goto err;
- if ((mont = BN_MONT_CTX_new()) == NULL)
+ if ((ctx = BN_CTX_new()) == NULL)
goto err;
BN_CTX_start(ctx);
+
r0 = BN_CTX_get(ctx);
g = BN_CTX_get(ctx);
W = BN_CTX_get(ctx);
@@ -201,7 +194,7 @@
if (!BN_GENCB_call(cb, 0, m++))
goto err;
- if (!seed_len) {
+ if (!seed_len || !seed_in) {
if (RAND_pseudo_bytes(seed, qsize) < 0)
goto err;
seed_is_random = 1;
Modified: vendor-crypto/openssl/dist/crypto/ec/ec.h
===================================================================
--- vendor-crypto/openssl/dist/crypto/ec/ec.h 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/ec/ec.h 2015-12-05 17:55:33 UTC (rev 7389)
@@ -106,7 +106,7 @@
/** the point is encoded as z||x, where the octet z specifies
* which solution of the quadratic equation y is */
POINT_CONVERSION_COMPRESSED = 2,
- /** the point is encoded as z||x||y, where z is the octet 0x02 */
+ /** the point is encoded as z||x||y, where z is the octet 0x04 */
POINT_CONVERSION_UNCOMPRESSED = 4,
/** the point is encoded as z||x||y, where the octet z specifies
* which solution of the quadratic equation y is */
Modified: vendor-crypto/openssl/dist/crypto/ec/ec_asn1.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/ec/ec_asn1.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/ec/ec_asn1.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -970,8 +970,9 @@
{
EC_GROUP *group = NULL;
ECPKPARAMETERS *params = NULL;
+ const unsigned char *p = *in;
- if ((params = d2i_ECPKPARAMETERS(NULL, in, len)) == NULL) {
+ if ((params = d2i_ECPKPARAMETERS(NULL, &p, len)) == NULL) {
ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_D2I_ECPKPARAMETERS_FAILURE);
ECPKPARAMETERS_free(params);
return NULL;
@@ -989,6 +990,7 @@
*a = group;
ECPKPARAMETERS_free(params);
+ *in = p;
return (group);
}
@@ -1016,8 +1018,9 @@
int ok = 0;
EC_KEY *ret = NULL;
EC_PRIVATEKEY *priv_key = NULL;
+ const unsigned char *p = *in;
- if ((priv_key = d2i_EC_PRIVATEKEY(NULL, in, len)) == NULL) {
+ if ((priv_key = d2i_EC_PRIVATEKEY(NULL, &p, len)) == NULL) {
ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
return NULL;
}
@@ -1096,6 +1099,7 @@
if (a)
*a = ret;
+ *in = p;
ok = 1;
err:
if (!ok) {
Modified: vendor-crypto/openssl/dist/crypto/ec/ec_key.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/ec/ec_key.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/ec/ec_key.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -366,7 +366,10 @@
BN_CTX *ctx = NULL;
BIGNUM *tx, *ty;
EC_POINT *point = NULL;
- int ok = 0, tmp_nid, is_char_two = 0;
+ int ok = 0;
+#ifndef OPENSSL_NO_EC2M
+ int tmp_nid, is_char_two = 0;
+#endif
if (!key || !key->group || !x || !y) {
ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES,
@@ -382,14 +385,15 @@
if (!point)
goto err;
+ tx = BN_CTX_get(ctx);
+ ty = BN_CTX_get(ctx);
+
+#ifndef OPENSSL_NO_EC2M
tmp_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(key->group));
if (tmp_nid == NID_X9_62_characteristic_two_field)
is_char_two = 1;
- tx = BN_CTX_get(ctx);
- ty = BN_CTX_get(ctx);
-#ifndef OPENSSL_NO_EC2M
if (is_char_two) {
if (!EC_POINT_set_affine_coordinates_GF2m(key->group, point,
x, y, ctx))
Modified: vendor-crypto/openssl/dist/crypto/engine/eng_cryptodev.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/engine/eng_cryptodev.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/engine/eng_cryptodev.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1230,15 +1230,18 @@
if (cryptodev_asym(&kop, BN_num_bytes(dsa->q), r,
BN_num_bytes(dsa->q), s) == 0) {
dsaret = DSA_SIG_new();
+ if (dsaret == NULL)
+ goto err;
dsaret->r = r;
dsaret->s = s;
+ r = s = NULL;
} else {
const DSA_METHOD *meth = DSA_OpenSSL();
- BN_free(r);
- BN_free(s);
dsaret = (meth->dsa_do_sign) (dgst, dlen, dsa);
}
err:
+ BN_free(r);
+ BN_free(s);
kop.crk_param[0].crp_p = NULL;
zapparams(&kop);
return (dsaret);
Modified: vendor-crypto/openssl/dist/crypto/engine/eng_list.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/engine/eng_list.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/engine/eng_list.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -260,6 +260,7 @@
}
if ((e->id == NULL) || (e->name == NULL)) {
ENGINEerr(ENGINE_F_ENGINE_ADD, ENGINE_R_ID_OR_NAME_MISSING);
+ return 0;
}
CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
if (!engine_list_add(e)) {
Modified: vendor-crypto/openssl/dist/crypto/evp/e_aes.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/evp/e_aes.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/evp/e_aes.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1146,7 +1146,7 @@
case EVP_CTRL_CCM_SET_TAG:
if ((arg & 1) || arg < 4 || arg > 16)
return 0;
- if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
+ if (c->encrypt && ptr)
return 0;
if (ptr) {
cctx->tag_set = 1;
Modified: vendor-crypto/openssl/dist/crypto/evp/e_des3.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/evp/e_des3.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/evp/e_des3.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -241,7 +241,7 @@
DES_cblock *deskey = (DES_cblock *)key;
# ifdef EVP_CHECK_DES_KEY
if (DES_set_key_checked(&deskey[0], &data(ctx)->ks1)
- ! !DES_set_key_checked(&deskey[1], &data(ctx)->ks2))
+ || DES_set_key_checked(&deskey[1], &data(ctx)->ks2))
return 0;
# else
DES_set_key_unchecked(&deskey[0], &data(ctx)->ks1);
Modified: vendor-crypto/openssl/dist/crypto/evp/encode.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/evp/encode.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/evp/encode.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -60,9 +60,9 @@
#include "cryptlib.h"
#include <openssl/evp.h>
+static unsigned char conv_ascii2bin(unsigned char a);
#ifndef CHARSET_EBCDIC
# define conv_bin2ascii(a) (data_bin2ascii[(a)&0x3f])
-# define conv_ascii2bin(a) (data_ascii2bin[(a)&0x7f])
#else
/*
* We assume that PEM encoded files are EBCDIC files (i.e., printable text
@@ -71,7 +71,6 @@
* as the underlying textstring data_bin2ascii[] is already EBCDIC)
*/
# define conv_bin2ascii(a) (data_bin2ascii[(a)&0x3f])
-# define conv_ascii2bin(a) (data_ascii2bin[os_toascii[a]&0x7f])
#endif
/*-
@@ -103,6 +102,7 @@
#define B64_WS 0xE0
#define B64_ERROR 0xFF
#define B64_NOT_BASE64(a) (((a)|0x13) == 0xF3)
+#define B64_BASE64(a) !B64_NOT_BASE64(a)
static const unsigned char data_ascii2bin[128] = {
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
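Review bot: `B64_BASE64(a)` expands to an unparenthesised `!B64_NOT_BASE64(a)`, unlike the fully parenthesised `B64_NOT_BASE64` on the line above it. Unary `!` binds tightly, so the uses in this file are probably unaffected, but wrapping the expansion keeps the macro safe in any surrounding expression: `#define B64_BASE64(a) (!B64_NOT_BASE64(a))`.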
@@ -123,6 +123,23 @@
0x31, 0x32, 0x33, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
};
+#ifndef CHARSET_EBCDIC
+static unsigned char conv_ascii2bin(unsigned char a)
+{
+ if (a & 0x80)
+ return B64_ERROR;
+ return data_ascii2bin[a];
+}
+#else
+static unsigned char conv_ascii2bin(unsigned char a)
+{
+ a = os_toascii[a];
+ if (a & 0x80)
+ return B64_ERROR;
+ return data_ascii2bin[a];
+}
+#endif
+
void EVP_EncodeInit(EVP_ENCODE_CTX *ctx)
{
ctx->length = 48;
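Review bot: The new `conv_ascii2bin()` has no comment explaining the `a & 0x80` test, which is the security-relevant part of this hunk. The removed macros masked the index with `0x7f`, so a byte with the top bit set was looked up as if it were its 7-bit counterpart. The function now returns `B64_ERROR` for such bytes, and since `data_ascii2bin` is declared with 128 entries the test is also what keeps the index in range. I would add above the first definition `/* Bytes >= 0x80 are never base64: report an error instead of masking them into the 128-entry table. */`. The two definitions differ only in the `os_toascii` line and could share one body with the `#ifdef` around that line.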
@@ -218,8 +235,9 @@
void EVP_DecodeInit(EVP_ENCODE_CTX *ctx)
{
- ctx->length = 30;
+ /* Only ctx->num is used during decoding. */
ctx->num = 0;
+ ctx->length = 0;
ctx->line_num = 0;
ctx->expect_nl = 0;
}
@@ -228,139 +246,123 @@
* -1 for error
* 0 for last line
* 1 for full line
+ *
+ * Note: even though EVP_DecodeUpdate attempts to detect and report end of
+ * content, the context doesn't currently remember it and will accept more data
+ * in the next call. Therefore, the caller is responsible for checking and
+ * rejecting a 0 return value in the middle of content.
+ *
+ * Note: even though EVP_DecodeUpdate has historically tried to detect end of
+ * content based on line length, this has never worked properly. Therefore,
+ * we now return 0 when one of the following is true:
+ * - Padding or B64_EOF was detected and the last block is complete.
+ * - Input has zero-length.
+ * -1 is returned if:
+ * - Invalid characters are detected.
+ * - There is extra trailing padding, or data after padding.
+ * - B64_EOF is detected after an incomplete base64 block.
*/
int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
const unsigned char *in, int inl)
{
- int seof = -1, eof = 0, rv = -1, ret = 0, i, v, tmp, n, ln, exp_nl;
+ int seof = 0, eof = 0, rv = -1, ret = 0, i, v, tmp, n, decoded_len;
unsigned char *d;
n = ctx->num;
d = ctx->enc_data;
- ln = ctx->line_num;
- exp_nl = ctx->expect_nl;
- /* last line of input. */
- if ((inl == 0) || ((n == 0) && (conv_ascii2bin(in[0]) == B64_EOF))) {
+ if (n > 0 && d[n - 1] == '=') {
+ eof++;
+ if (n > 1 && d[n - 2] == '=')
+ eof++;
+ }
+
+ /* Legacy behaviour: an empty input chunk signals end of input. */
+ if (inl == 0) {
rv = 0;
goto end;
}
- /* We parse the input data */
for (i = 0; i < inl; i++) {
- /* If the current line is > 80 characters, scream alot */
- if (ln >= 80) {
- rv = -1;
- goto end;
- }
-
- /* Get char and put it into the buffer */
tmp = *(in++);
v = conv_ascii2bin(tmp);
- /* only save the good data :-) */
- if (!B64_NOT_BASE64(v)) {
- OPENSSL_assert(n < (int)sizeof(ctx->enc_data));
- d[n++] = tmp;
- ln++;
- } else if (v == B64_ERROR) {
+ if (v == B64_ERROR) {
rv = -1;
goto end;
}
- /*
- * have we seen a '=' which is 'definitly' the last input line. seof
- * will point to the character that holds it. and eof will hold how
- * many characters to chop off.
- */
if (tmp == '=') {
- if (seof == -1)
- seof = n;
eof++;
+ } else if (eof > 0 && B64_BASE64(v)) {
+ /* More data after padding. */
+ rv = -1;
+ goto end;
}
- if (v == B64_CR) {
- ln = 0;
- if (exp_nl)
- continue;
+ if (eof > 2) {
+ rv = -1;
+ goto end;
}
- /* eoln */
- if (v == B64_EOLN) {
- ln = 0;
- if (exp_nl) {
- exp_nl = 0;
- continue;
- }
+ if (v == B64_EOF) {
+ seof = 1;
+ goto tail;
}
- exp_nl = 0;
- /*
- * If we are at the end of input and it looks like a line, process
- * it.
- */
- if (((i + 1) == inl) && (((n & 3) == 0) || eof)) {
- v = B64_EOF;
- /*
- * In case things were given us in really small records (so two
- * '=' were given in separate updates), eof may contain the
- * incorrect number of ending bytes to skip, so let's redo the
- * count
- */
- eof = 0;
- if (d[n - 1] == '=')
- eof++;
- if (d[n - 2] == '=')
- eof++;
- /* There will never be more than two '=' */
+ /* Only save valid base64 characters. */
+ if (B64_BASE64(v)) {
+ if (n >= 64) {
+ /*
+ * We increment n once per loop, and empty the buffer as soon as
+ * we reach 64 characters, so this can only happen if someone's
+ * manually messed with the ctx. Refuse to write any more data.
+ */
+ rv = -1;
+ goto end;
+ }
+ OPENSSL_assert(n < (int)sizeof(ctx->enc_data));
+ d[n++] = tmp;
}
- if ((v == B64_EOF && (n & 3) == 0) || (n >= 64)) {
- /*
- * This is needed to work correctly on 64 byte input lines. We
- * process the line and then need to accept the '\n'
- */
- if ((v != B64_EOF) && (n >= 64))
- exp_nl = 1;
- if (n > 0) {
- v = EVP_DecodeBlock(out, d, n);
- n = 0;
- if (v < 0) {
- rv = 0;
- goto end;
- }
- if (eof > v) {
- rv = -1;
- goto end;
- }
- ret += (v - eof);
- } else {
- eof = 1;
- v = 0;
+ if (n == 64) {
+ decoded_len = EVP_DecodeBlock(out, d, n);
+ n = 0;
+ if (decoded_len < 0 || eof > decoded_len) {
+ rv = -1;
+ goto end;
}
+ ret += decoded_len - eof;
+ out += decoded_len - eof;
+ }
+ }
- /*
- * This is the case where we have had a short but valid input
- * line
- */
- if ((v < ctx->length) && eof) {
- rv = 0;
+ /*
+ * Legacy behaviour: if the current line is a full base64-block (i.e., has
+ * 0 mod 4 base64 characters), it is processed immediately. We keep this
+ * behaviour as applications may not be calling EVP_DecodeFinal properly.
+ */
+tail:
+ if (n > 0) {
+ if ((n & 3) == 0) {
+ decoded_len = EVP_DecodeBlock(out, d, n);
+ n = 0;
+ if (decoded_len < 0 || eof > decoded_len) {
+ rv = -1;
goto end;
- } else
- ctx->length = v;
-
- if (seof >= 0) {
- rv = 0;
- goto end;
}
- out += v;
+ ret += (decoded_len - eof);
+ } else if (seof) {
+ /* EOF in the middle of a base64 block. */
+ rv = -1;
+ goto end;
}
}
- rv = 1;
- end:
+
+ rv = seof || (n == 0 && eof) ? 0 : 1;
+end:
+ /* Legacy behaviour. This should probably rather be zeroed on error. */
*outl = ret;
ctx->num = n;
- ctx->line_num = ln;
- ctx->expect_nl = exp_nl;
return (rv);
}
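Review bot: The comment block above `EVP_DecodeUpdate` now spells out the return values but not what `*outl` holds when -1 is returned. At the `end:` label `*outl = ret` runs on every path, so after an error the caller is still given the count of bytes written to `out` for blocks decoded before the bad input. The in-line comment there concedes it "should probably rather be zeroed on error". Callers need to know to discard that output, so I would add to the header comment `* On a -1 return *outl still counts bytes decoded before the error; callers must discard them.`. Separately, `rv = seof || (n == 0 && eof) ? 0 : 1;` would read more easily with the condition parenthesised.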
Modified: vendor-crypto/openssl/dist/crypto/evp/evp_key.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/evp/evp_key.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/evp/evp_key.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -104,6 +104,8 @@
if ((prompt == NULL) && (prompt_string[0] != '\0'))
prompt = prompt_string;
ui = UI_new();
+ if (ui == NULL)
+ return -1;
UI_add_input_string(ui, prompt, 0, buf, min,
(len >= BUFSIZ) ? BUFSIZ - 1 : len);
if (verify)
@@ -137,7 +139,7 @@
EVP_MD_CTX_init(&c);
for (;;) {
if (!EVP_DigestInit_ex(&c, md, NULL))
- return 0;
+ goto err;
if (addmd++)
if (!EVP_DigestUpdate(&c, &(md_buf[0]), mds))
goto err;
@@ -188,6 +190,6 @@
rv = type->key_len;
err:
EVP_MD_CTX_cleanup(&c);
- OPENSSL_cleanse(&(md_buf[0]), EVP_MAX_MD_SIZE);
+ OPENSSL_cleanse(md_buf, sizeof(md_buf));
return rv;
}
Modified: vendor-crypto/openssl/dist/crypto/evp/evp_lib.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/evp/evp_lib.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/evp/evp_lib.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -67,9 +67,19 @@
if (c->cipher->set_asn1_parameters != NULL)
ret = c->cipher->set_asn1_parameters(c, type);
- else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
- ret = EVP_CIPHER_set_asn1_iv(c, type);
- else
+ else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) {
+ switch (EVP_CIPHER_CTX_mode(c)) {
+
+ case EVP_CIPH_GCM_MODE:
+ case EVP_CIPH_CCM_MODE:
+ case EVP_CIPH_XTS_MODE:
+ ret = -1;
+ break;
+
+ default:
+ ret = EVP_CIPHER_set_asn1_iv(c, type);
+ }
+ } else
ret = -1;
return (ret);
}
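Review bot: The `default:` arm of the `switch` added in this hunk ends without a `break;`, while the otherwise identical `switch` added in the next hunk (the `get_asn1_parameters` path) has one. It is harmless as the last arm, but the two should match: add `break;` after `ret = EVP_CIPHER_set_asn1_iv(c, type);`. Neither switch says why GCM, CCM and XTS return -1. Assuming the reason is that the default IV-only encoding does not fit these modes, a comment such as `/* the default IV-only ASN.1 encoding is not valid for these modes */` would keep a later cleanup from removing the cases. The enclosing function starts outside the hunk.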
@@ -80,9 +90,20 @@
if (c->cipher->get_asn1_parameters != NULL)
ret = c->cipher->get_asn1_parameters(c, type);
- else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)
- ret = EVP_CIPHER_get_asn1_iv(c, type);
- else
+ else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) {
+ switch (EVP_CIPHER_CTX_mode(c)) {
+
+ case EVP_CIPH_GCM_MODE:
+ case EVP_CIPH_CCM_MODE:
+ case EVP_CIPH_XTS_MODE:
+ ret = -1;
+ break;
+
+ default:
+ ret = EVP_CIPHER_get_asn1_iv(c, type);
+ break;
+ }
+ } else
ret = -1;
return (ret);
}
Modified: vendor-crypto/openssl/dist/crypto/evp/evp_pbe.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/evp/evp_pbe.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/evp/evp_pbe.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -228,12 +228,16 @@
int md_nid, EVP_PBE_KEYGEN *keygen)
{
EVP_PBE_CTL *pbe_tmp;
- if (!pbe_algs)
+
+ if (pbe_algs == NULL) {
pbe_algs = sk_EVP_PBE_CTL_new(pbe_cmp);
- if (!(pbe_tmp = (EVP_PBE_CTL *)OPENSSL_malloc(sizeof(EVP_PBE_CTL)))) {
- EVPerr(EVP_F_EVP_PBE_ALG_ADD_TYPE, ERR_R_MALLOC_FAILURE);
- return 0;
+ if (pbe_algs == NULL)
+ goto err;
}
+
+ if ((pbe_tmp = OPENSSL_malloc(sizeof(*pbe_tmp))) == NULL)
+ goto err;
+
pbe_tmp->pbe_type = pbe_type;
pbe_tmp->pbe_nid = pbe_nid;
pbe_tmp->cipher_nid = cipher_nid;
@@ -242,6 +246,10 @@
sk_EVP_PBE_CTL_push(pbe_algs, pbe_tmp);
return 1;
+
+ err:
+ EVPerr(EVP_F_EVP_PBE_ALG_ADD_TYPE, ERR_R_MALLOC_FAILURE);
+ return 0;
}
int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md,
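Review bot: The return value of `sk_EVP_PBE_CTL_push(pbe_algs, pbe_tmp)` on the context line above `return 1;` is still ignored, even though this commit adds an `err:` path for the other allocation failures in the function. If the push fails, the function reports success, the algorithm is not registered and `pbe_tmp` is leaked. I would change it to `if (!sk_EVP_PBE_CTL_push(pbe_algs, pbe_tmp)) { OPENSSL_free(pbe_tmp); goto err; }`. The start of the function is in the previous hunk.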
Modified: vendor-crypto/openssl/dist/crypto/evp/p_lib.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/evp/p_lib.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/evp/p_lib.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -253,7 +253,7 @@
int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key)
{
- if (!EVP_PKEY_set_type(pkey, type))
+ if (pkey == NULL || !EVP_PKEY_set_type(pkey, type))
return 0;
pkey->pkey.ptr = key;
return (key != NULL);
Modified: vendor-crypto/openssl/dist/crypto/evp/pmeth_gn.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/evp/pmeth_gn.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/evp/pmeth_gn.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -96,12 +96,17 @@
return -1;
}
- if (!ppkey)
+ if (ppkey == NULL)
return -1;
- if (!*ppkey)
+ if (*ppkey == NULL)
*ppkey = EVP_PKEY_new();
+ if (*ppkey == NULL) {
+ EVPerr(EVP_F_EVP_PKEY_PARAMGEN, ERR_R_MALLOC_FAILURE);
+ return -1;
+ }
+
ret = ctx->pmeth->paramgen(ctx, *ppkey);
if (ret <= 0) {
EVP_PKEY_free(*ppkey);
Modified: vendor-crypto/openssl/dist/crypto/hmac/hm_ameth.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/hmac/hm_ameth.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/hmac/hm_ameth.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -108,9 +108,14 @@
ASN1_OCTET_STRING *os;
os = ASN1_OCTET_STRING_new();
if (!os || !ASN1_OCTET_STRING_set(os, *pder, derlen))
- return 0;
- EVP_PKEY_assign(pkey, EVP_PKEY_HMAC, os);
+ goto err;
+ if (!EVP_PKEY_assign(pkey, EVP_PKEY_HMAC, os))
+ goto err;
return 1;
+
+ err:
+ ASN1_OCTET_STRING_free(os);
+ return 0;
}
static int old_hmac_encode(const EVP_PKEY *pkey, unsigned char **pder)
Modified: vendor-crypto/openssl/dist/crypto/jpake/jpake.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/jpake/jpake.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/jpake/jpake.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -218,6 +218,9 @@
BIGNUM *t3 = BN_new();
int ret = 0;
+ if (h == NULL || t1 == NULL || t2 == NULL || t3 == NULL)
+ goto end;
+
zkp_hash(h, zkpg, p, ctx->p.peer_name);
/* t1 = g^b */
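Review bot: The new `goto end` on allocation failure leaves `ret` at 0 without queuing an error, so a caller cannot tell an out-of-memory condition from a failed proof. The failure branch visible in the next hunk does report `JPAKEerr(JPAKE_F_VERIFY_ZKP, JPAKE_R_ZKP_VERIFY_FAILED)`. I would add `JPAKEerr(JPAKE_F_VERIFY_ZKP, ERR_R_MALLOC_FAILURE);` before the `goto end;`. The function starts outside the hunk, so the declarations of `h`, `t1` and `t2` are not visible here.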
@@ -233,6 +236,7 @@
else
JPAKEerr(JPAKE_F_VERIFY_ZKP, JPAKE_R_ZKP_VERIFY_FAILED);
+end:
/* cleanup */
BN_free(t3);
BN_free(t2);
Modified: vendor-crypto/openssl/dist/crypto/mem_clr.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/mem_clr.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/mem_clr.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -66,6 +66,10 @@
{
unsigned char *p = ptr;
size_t loop = len, ctr = cleanse_ctr;
+
+ if (ptr == NULL)
+ return;
+
while (loop--) {
*(p++) = (unsigned char)ctr;
ctr += (17 + ((size_t)p & 0xF));
Modified: vendor-crypto/openssl/dist/crypto/modes/asm/ghash-armv4.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/modes/asm/ghash-armv4.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/modes/asm/ghash-armv4.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -374,8 +374,8 @@
vdup.8 $xi,`&Dlo("$IN")`[0] @ broadcast lowest byte
.Linner_neon:
subs $cnt,$cnt,#1
- vmull.p8 $Qlo,$Hlo,$xi @ H.lo\xB7Xi[i]
- vmull.p8 $Qhi,$Hhi,$xi @ H.hi\xB7Xi[i]
+ vmull.p8 $Qlo,$Hlo,$xi @ H.lo·Xi[i]
+ vmull.p8 $Qhi,$Hhi,$xi @ H.hi·Xi[i]
vext.8 $IN,$zero,#1 @ IN>>=8
veor $Z,$Qpost @ modulo-scheduled part
@@ -388,7 +388,7 @@
vsli.8 $Zo,$T,#1 @ compose the "carry" byte
vext.8 $Z,$zero,#1 @ Z>>=8
- vmull.p8 $R,$Zo,$mod @ "carry"\xB70xe1
+ vmull.p8 $R,$Zo,$mod @ "carry"·0xe1
vshr.u8 $Zo,$T,#7 @ save Z's bottom bit
vext.8 $Qpost,$Qlo,$zero,#1 @ Qlo>>=8
veor $Z,$Qhi
Modified: vendor-crypto/openssl/dist/crypto/modes/asm/ghash-x86.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/modes/asm/ghash-x86.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/modes/asm/ghash-x86.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -346,7 +346,7 @@
# effective address calculation and finally merge of value to Z.hi.
# Reference to rem_4bit is scheduled so late that I had to >>4
# rem_4bit elements. This resulted in 20-45% procent improvement
-# on contemporary \xB5-archs.
+# on contemporary µ-archs.
{
my $cnt;
my $rem_4bit = "eax";
Modified: vendor-crypto/openssl/dist/crypto/ocsp/ocsp_lib.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/ocsp/ocsp_lib.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/ocsp/ocsp_lib.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -246,12 +246,6 @@
if ((p = strchr(p, ':'))) {
*p = 0;
port = p + 1;
- } else {
- /* Not found: set default port */
- if (*pssl)
- port = "443";
- else
- port = "80";
}
*pport = BUF_strdup(port);
Modified: vendor-crypto/openssl/dist/crypto/ocsp/ocsp_prn.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/ocsp/ocsp_prn.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/ocsp/ocsp_prn.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -212,8 +212,7 @@
return 1;
}
- i = ASN1_STRING_length(rb->response);
- if (!(br = OCSP_response_get1_basic(o)))
+ if ((br = OCSP_response_get1_basic(o)) == NULL)
goto err;
rd = br->tbsResponseData;
l = ASN1_INTEGER_get(rd->version);
Modified: vendor-crypto/openssl/dist/crypto/opensslconf.h
===================================================================
--- vendor-crypto/openssl/dist/crypto/opensslconf.h 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/opensslconf.h 2015-12-05 17:55:33 UTC (rev 7389)
@@ -185,7 +185,7 @@
#endif
#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#error YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
#endif
/* Unroll the inner loop, this sometimes helps, sometimes hinders.
@@ -204,7 +204,7 @@
optimization options. Older Sparc's work better with only UNROLL, but
there's no way to tell at compile time what it is you're running on */
-#if defined( sun ) /* Newer Sparc's */
+#if defined( __sun ) || defined ( sun ) /* Newer Sparc's */
# define DES_PTR
# define DES_RISC1
# define DES_UNROLL
Modified: vendor-crypto/openssl/dist/crypto/opensslconf.h.in
===================================================================
--- vendor-crypto/openssl/dist/crypto/opensslconf.h.in 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/opensslconf.h.in 2015-12-05 17:55:33 UTC (rev 7389)
@@ -101,7 +101,7 @@
#endif
#if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#error YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
#endif
/* Unroll the inner loop, this sometimes helps, sometimes hinders.
@@ -120,7 +120,7 @@
optimization options. Older Sparc's work better with only UNROLL, but
there's no way to tell at compile time what it is you're running on */
-#if defined( sun ) /* Newer Sparc's */
+#if defined( __sun ) || defined ( sun ) /* Newer Sparc's */
# define DES_PTR
# define DES_RISC1
# define DES_UNROLL
Modified: vendor-crypto/openssl/dist/crypto/opensslv.h
===================================================================
--- vendor-crypto/openssl/dist/crypto/opensslv.h 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/opensslv.h 2015-12-05 17:55:33 UTC (rev 7389)
@@ -30,11 +30,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x100010ffL
+# define OPENSSL_VERSION_NUMBER 0x1000111fL
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1o-fips 12 Jun 2015"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1q-fips 3 Dec 2015"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1o 12 Jun 2015"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1q 3 Dec 2015"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
Modified: vendor-crypto/openssl/dist/crypto/pem/pem_info.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/pem/pem_info.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/pem/pem_info.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -172,6 +172,8 @@
xi->enc_len = 0;
xi->x_pkey = X509_PKEY_new();
+ if (xi->x_pkey == NULL)
+ goto err;
ptype = EVP_PKEY_RSA;
pp = &xi->x_pkey->dec_pkey;
if ((int)strlen(header) > 10) /* assume encrypted */
@@ -193,6 +195,8 @@
xi->enc_len = 0;
xi->x_pkey = X509_PKEY_new();
+ if (xi->x_pkey == NULL)
+ goto err;
ptype = EVP_PKEY_DSA;
pp = &xi->x_pkey->dec_pkey;
if ((int)strlen(header) > 10) /* assume encrypted */
@@ -214,6 +218,8 @@
xi->enc_len = 0;
xi->x_pkey = X509_PKEY_new();
+ if (xi->x_pkey == NULL)
+ goto err;
ptype = EVP_PKEY_EC;
pp = &xi->x_pkey->dec_pkey;
if ((int)strlen(header) > 10) /* assume encrypted */
Modified: vendor-crypto/openssl/dist/crypto/pem/pvkfmt.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/pem/pvkfmt.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/pem/pvkfmt.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -624,13 +624,11 @@
PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT);
return 0;
}
- length -= 20;
} else {
if (length < 24) {
PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT);
return 0;
}
- length -= 24;
pvk_magic = read_ledword(&p);
if (pvk_magic != MS_PVKMAGIC) {
PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_BAD_MAGIC_NUMBER);
@@ -692,16 +690,16 @@
inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
if (inlen <= 0) {
PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ);
- return NULL;
+ goto err;
}
enctmp = OPENSSL_malloc(keylen + 8);
if (!enctmp) {
PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
if (!derive_pvk_key(keybuf, p, saltlen,
(unsigned char *)psbuf, inlen))
- return NULL;
+ goto err;
p += saltlen;
/* Copy BLOBHEADER across, decrypt rest */
memcpy(enctmp, p, 8);
@@ -708,7 +706,7 @@
p += 8;
if (keylen < 8) {
PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT);
- return NULL;
+ goto err;
}
inlen = keylen - 8;
q = enctmp + 8;
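Review bot: The `keylen < 8` test in this hunk runs only after `memcpy(enctmp, p, 8)`, at the end of the previous hunk, has already read eight bytes from the input. If the caller has not guaranteed that at least eight bytes follow the salt, the copy reads past the supplied data before the short-key error can fire. That validation is outside the visible hunks. Moving the test ahead of the allocation, i.e. placing `if (keylen < 8) { PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT); goto err; }` before `enctmp = OPENSSL_malloc(keylen + 8);`, makes the order safe without relying on the caller.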
Modified: vendor-crypto/openssl/dist/crypto/pkcs12/p12_add.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/pkcs12/p12_add.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/pkcs12/p12_add.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -75,15 +75,19 @@
bag->type = OBJ_nid2obj(nid1);
if (!ASN1_item_pack(obj, it, &bag->value.octet)) {
PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
if (!(safebag = PKCS12_SAFEBAG_new())) {
PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
safebag->value.bag = bag;
safebag->type = OBJ_nid2obj(nid2);
return safebag;
+
+ err:
+ PKCS12_BAGS_free(bag);
+ return NULL;
}
/* Turn PKCS8 object into a keybag */
@@ -127,6 +131,7 @@
PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter,
p8))) {
PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
+ PKCS12_SAFEBAG_free(bag);
return NULL;
}
@@ -144,14 +149,18 @@
p7->type = OBJ_nid2obj(NID_pkcs7_data);
if (!(p7->d.data = M_ASN1_OCTET_STRING_new())) {
PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
if (!ASN1_item_pack(sk, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), &p7->d.data)) {
PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, PKCS12_R_CANT_PACK_STRUCTURE);
- return NULL;
+ goto err;
}
return p7;
+
+ err:
+ PKCS7_free(p7);
+ return NULL;
}
/* Unpack SAFEBAGS from PKCS#7 data ContentInfo */
@@ -181,7 +190,7 @@
if (!PKCS7_set_type(p7, NID_pkcs7_encrypted)) {
PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA,
PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE);
- return NULL;
+ goto err;
}
pbe_ciph = EVP_get_cipherbynid(pbe_nid);
@@ -193,7 +202,7 @@
if (!pbe) {
PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
- return NULL;
+ goto err;
}
X509_ALGOR_free(p7->d.encrypted->enc_data->algorithm);
p7->d.encrypted->enc_data->algorithm = pbe;
@@ -202,10 +211,14 @@
PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass,
passlen, bags, 1))) {
PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, PKCS12_R_ENCRYPT_ERROR);
- return NULL;
+ goto err;
}
return p7;
+
+ err:
+ PKCS7_free(p7);
+ return NULL;
}
STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
Modified: vendor-crypto/openssl/dist/crypto/pkcs12/p12_crpt.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/pkcs12/p12_crpt.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/pkcs12/p12_crpt.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -77,6 +77,9 @@
const unsigned char *pbuf;
unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
+ if (cipher == NULL)
+ return 0;
+
/* Extract useful info from parameter */
if (param == NULL || param->type != V_ASN1_SEQUENCE ||
param->value.sequence == NULL) {
Modified: vendor-crypto/openssl/dist/crypto/pkcs12/p12_kiss.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/pkcs12/p12_kiss.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/pkcs12/p12_kiss.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -135,10 +135,12 @@
while ((x = sk_X509_pop(ocerts))) {
if (pkey && *pkey && cert && !*cert) {
+ ERR_set_mark();
if (X509_check_private_key(x, *pkey)) {
*cert = x;
x = NULL;
}
+ ERR_pop_to_mark();
}
if (ca && x) {
Modified: vendor-crypto/openssl/dist/crypto/pkcs12/p12_mutl.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/pkcs12/p12_mutl.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/pkcs12/p12_mutl.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -173,11 +173,11 @@
}
if (!saltlen)
saltlen = PKCS12_SALT_LEN;
- p12->mac->salt->length = saltlen;
- if (!(p12->mac->salt->data = OPENSSL_malloc(saltlen))) {
+ if ((p12->mac->salt->data = OPENSSL_malloc(saltlen)) == NULL) {
PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
return 0;
}
+ p12->mac->salt->length = saltlen;
if (!salt) {
if (RAND_pseudo_bytes(p12->mac->salt->data, saltlen) < 0)
return 0;
Modified: vendor-crypto/openssl/dist/crypto/pkcs7/pk7_doit.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/pkcs7/pk7_doit.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/pkcs7/pk7_doit.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -656,6 +656,8 @@
bio = BIO_new_mem_buf(data_body->data, data_body->length);
else {
bio = BIO_new(BIO_s_mem());
+ if (bio == NULL)
+ goto err;
BIO_set_mem_eof_return(bio, 0);
}
if (bio == NULL)
@@ -1156,7 +1158,6 @@
rsk = p7->d.signed_and_enveloped->recipientinfo;
if (rsk == NULL)
return NULL;
- ri = sk_PKCS7_RECIP_INFO_value(rsk, 0);
if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx)
return (NULL);
ri = sk_PKCS7_RECIP_INFO_value(rsk, idx);
Modified: vendor-crypto/openssl/dist/crypto/rc4/asm/rc4-x86_64.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/rc4/asm/rc4-x86_64.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/rc4/asm/rc4-x86_64.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -56,7 +56,7 @@
# achieves respectful 432MBps on 2.8GHz processor now. For reference.
# If executed on Xeon, current RC4_CHAR code-path is 2.7x faster than
# RC4_INT code-path. While if executed on Opteron, it's only 25%
-# slower than the RC4_INT one [meaning that if CPU \xB5-arch detection
+# slower than the RC4_INT one [meaning that if CPU µ-arch detection
# is not implemented, then this final RC4_CHAR code-path should be
# preferred, as it provides better *all-round* performance].
Modified: vendor-crypto/openssl/dist/crypto/rsa/rsa_ameth.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/rsa/rsa_ameth.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/rsa/rsa_ameth.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -279,7 +279,7 @@
if (pss->maskGenAlgorithm) {
ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
- && param->type == V_ASN1_SEQUENCE) {
+ && param && param->type == V_ASN1_SEQUENCE) {
p = param->value.sequence->data;
plen = param->value.sequence->length;
*pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);
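Review bot: The added `param &&` guard deserves a comment, because it is the only thing that stops input omitting the MGF1 parameters from reaching a NULL dereference at `param->type`. Something like `/* parameter comes from parsed input and may be absent */` above the `if` would do. The test would also read more consistently with the other checks in this commit as `param != NULL`. The next line still dereferences `param->value.sequence` on the strength of the type check alone. Presumably the ASN.1 decoder guarantees it is non-NULL for a SEQUENCE, but that is not visible in this hunk.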
Modified: vendor-crypto/openssl/dist/crypto/rsa/rsa_gen.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/rsa/rsa_gen.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/rsa/rsa_gen.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -69,6 +69,8 @@
#include <openssl/rsa.h>
#ifdef OPENSSL_FIPS
# include <openssl/fips.h>
+extern int FIPS_rsa_x931_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
+ BN_GENCB *cb);
#endif
static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value,
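Review bot: Declaring `FIPS_rsa_x931_generate_key_ex` with a local `extern` directly after `# include <openssl/fips.h>` means the compiler cannot check this prototype against the real definition. If the signature in the FIPS module changes, this file will still compile and the call added in the next hunk will pass mismatched arguments. The declaration belongs in a header shared with the definition. If that is not possible for this branch, a comment next to the `extern` should say why the header cannot provide it.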
@@ -94,7 +96,7 @@
return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
#ifdef OPENSSL_FIPS
if (FIPS_mode())
- return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
+ return FIPS_rsa_x931_generate_key_ex(rsa, bits, e_value, cb);
#endif
return rsa_builtin_keygen(rsa, bits, e_value, cb);
}
Modified: vendor-crypto/openssl/dist/crypto/rsa/rsa_sign.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/rsa/rsa_sign.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/rsa/rsa_sign.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -218,14 +218,13 @@
memcpy(rm, s + 2, 16);
*prm_len = 16;
ret = 1;
- } else if (memcmp(m, s + 2, 16))
+ } else if (memcmp(m, s + 2, 16)) {
RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
- else
+ } else {
ret = 1;
- }
-
- /* Special case: SSL signature */
- if (dtype == NID_md5_sha1) {
+ }
+ } else if (dtype == NID_md5_sha1) {
+ /* Special case: SSL signature */
if ((i != SSL_SIG_LENGTH) || memcmp(s, m, SSL_SIG_LENGTH))
RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_BAD_SIGNATURE);
else
Modified: vendor-crypto/openssl/dist/crypto/rsa/rsa_test.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/rsa/rsa_test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/rsa/rsa_test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -297,22 +297,30 @@
} else
printf("OAEP encryption/decryption ok\n");
- /* Try decrypting corrupted ciphertexts */
+ /* Try decrypting corrupted ciphertexts. */
for (n = 0; n < clen; ++n) {
- int b;
- unsigned char saved = ctext[n];
- for (b = 0; b < 256; ++b) {
- if (b == saved)
- continue;
- ctext[n] = b;
- num = RSA_private_decrypt(num, ctext, ptext, key,
+ ctext[n] ^= 1;
+ num = RSA_private_decrypt(clen, ctext, ptext, key,
RSA_PKCS1_OAEP_PADDING);
- if (num > 0) {
- printf("Corrupt data decrypted!\n");
- err = 1;
- }
+ if (num > 0) {
+ printf("Corrupt data decrypted!\n");
+ err = 1;
+ break;
}
+ ctext[n] ^= 1;
}
+
+ /* Test truncated ciphertexts, as well as negative length. */
+ for (n = -1; n < clen; ++n) {
+ num = RSA_private_decrypt(n, ctext, ptext, key,
+ RSA_PKCS1_OAEP_PADDING);
+ if (num > 0) {
+ printf("Truncated data decrypted!\n");
+ err = 1;
+ break;
+ }
+ }
+
next:
RSA_free(key);
}
Modified: vendor-crypto/openssl/dist/crypto/sha/asm/sha1-586.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/sha/asm/sha1-586.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/sha/asm/sha1-586.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -66,9 +66,9 @@
# switch to AVX alone improves performance by as little as 4% in
# comparison to SSSE3 code path. But below result doesn't look like
# 4% improvement... Trouble is that Sandy Bridge decodes 'ro[rl]' as
-# pair of \xB5-ops, and it's the additional \xB5-ops, two per round, that
+# pair of µ-ops, and it's the additional µ-ops, two per round, that
# make it run slower than Core2 and Westmere. But 'sh[rl]d' is decoded
-# as single \xB5-op by Sandy Bridge and it's replacing 'ro[rl]' with
+# as single µ-op by Sandy Bridge and it's replacing 'ro[rl]' with
# equivalent 'sh[rl]d' that is responsible for the impressive 5.1
# cycles per processed byte. But 'sh[rl]d' is not something that used
# to be fast, nor does it appear to be fast in upcoming Bulldozer
Modified: vendor-crypto/openssl/dist/crypto/sha/asm/sha256-586.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/sha/asm/sha256-586.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/sha/asm/sha256-586.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -21,7 +21,7 @@
# purposes.
#
# Performance improvement over compiler generated code varies from
-# 10% to 40% [see above]. Not very impressive on some \xB5-archs, but
+# 10% to 40% [see above]. Not very impressive on some µ-archs, but
# it's 5 times smaller and optimizies amount of writes.
$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
Modified: vendor-crypto/openssl/dist/crypto/sha/asm/sha512-586.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/sha/asm/sha512-586.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/sha/asm/sha512-586.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -23,7 +23,7 @@
#
# IALU code-path is optimized for elder Pentiums. On vanilla Pentium
# performance improvement over compiler generated code reaches ~60%,
-# while on PIII - ~35%. On newer \xB5-archs improvement varies from 15%
+# while on PIII - ~35%. On newer µ-archs improvement varies from 15%
# to 50%, but it's less important as they are expected to execute SSE2
# code-path, which is commonly ~2-3x faster [than compiler generated
# code]. SSE2 code-path is as fast as original sha512-sse2.pl, even
Modified: vendor-crypto/openssl/dist/crypto/sha/asm/sha512-parisc.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/sha/asm/sha512-parisc.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/sha/asm/sha512-parisc.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -19,7 +19,7 @@
# SHA512 performance is >2.9x better than gcc 3.2 generated code on
# PA-7100LC, PA-RISC 1.1 processor. Then implementation detects if the
# code is executed on PA-RISC 2.0 processor and switches to 64-bit
-# code path delivering adequate peformance even in "blended" 32-bit
+# code path delivering adequate performance even in "blended" 32-bit
# build. Though 64-bit code is not any faster than code generated by
# vendor compiler on PA-8600...
#
Modified: vendor-crypto/openssl/dist/crypto/sparccpuid.S
===================================================================
--- vendor-crypto/openssl/dist/crypto/sparccpuid.S 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/sparccpuid.S 2015-12-05 17:55:33 UTC (rev 7389)
@@ -123,7 +123,7 @@
fmovs %f1,%f3
fmovs %f0,%f2
- add %fp,BIAS,%i0 ! return pointer to caller\xB4s top of stack
+ add %fp,BIAS,%i0 ! return pointer to caller´s top of stack
ret
restore
Modified: vendor-crypto/openssl/dist/crypto/srp/srp_vfy.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/srp/srp_vfy.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/srp/srp_vfy.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -521,12 +521,12 @@
char **verifier, const char *N, const char *g)
{
int len;
- char *result = NULL;
- char *vf;
+ char *result = NULL, *vf = NULL;
BIGNUM *N_bn = NULL, *g_bn = NULL, *s = NULL, *v = NULL;
unsigned char tmp[MAX_LEN];
unsigned char tmp2[MAX_LEN];
char *defgNid = NULL;
+ int vfsize = 0;
if ((user == NULL) ||
(pass == NULL) || (salt == NULL) || (verifier == NULL))
@@ -564,16 +564,15 @@
goto err;
BN_bn2bin(v, tmp);
- if (((vf = OPENSSL_malloc(BN_num_bytes(v) * 2)) == NULL))
+ vfsize = BN_num_bytes(v) * 2;
+ if (((vf = OPENSSL_malloc(vfsize)) == NULL))
goto err;
t_tob64(vf, tmp, BN_num_bytes(v));
- *verifier = vf;
if (*salt == NULL) {
char *tmp_salt;
if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) {
- OPENSSL_free(vf);
goto err;
}
t_tob64(tmp_salt, tmp2, SRP_RANDOM_SALT_LEN);
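Review bot: `BN_bn2bin(v, tmp)` at the top of this hunk writes into the fixed `unsigned char tmp[MAX_LEN]` declared earlier in the function, and nothing visible here bounds `BN_num_bytes(v)` first. Unless a check outside the hunk already guarantees the verifier fits, a guard such as `if (BN_num_bytes(v) > MAX_LEN) goto err;` before the call would stop an oversized modulus from overrunning the stack buffer. The function body starts and ends outside this hunk, so the bound may already be enforced where N is decoded; it is worth confirming.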
@@ -580,6 +579,8 @@
*salt = tmp_salt;
}
+ *verifier = vf;
+ vf = NULL;
result = defgNid;
err:
@@ -587,11 +588,21 @@
BN_free(N_bn);
BN_free(g_bn);
}
+ OPENSSL_cleanse(vf, vfsize);
+ OPENSSL_free(vf);
+ BN_clear_free(s);
+ BN_clear_free(v);
return result;
}
/*
- * create a verifier (*salt,*verifier,g and N are BIGNUMs)
+ * create a verifier (*salt,*verifier,g and N are BIGNUMs). If *salt != NULL
+ * then the provided salt will be used. On successful exit *verifier will point
+ * to a newly allocated BIGNUM containing the verifier and (if a salt was not
+ * provided) *salt will be populated with a newly allocated BIGNUM containing a
+ * random salt.
+ * The caller is responsible for freeing the allocated *salt and *verifier
+ * BIGNUMS.
*/
int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,
BIGNUM **verifier, BIGNUM *N, BIGNUM *g)
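Review bot: On the allocation-failure path `OPENSSL_cleanse(vf, vfsize)` is reached with `vf == NULL` and a non-zero `vfsize`, because the previous hunk assigns `vfsize = BN_num_bytes(v) * 2` before the `OPENSSL_malloc` result is tested. Unless OPENSSL_cleanse tolerates a NULL pointer (its implementation is not visible here), an out-of-memory condition becomes a write through NULL. Guarding the call as `if (vf != NULL) OPENSSL_cleanse(vf, vfsize);` removes the dependency. SRP_create_verifier starts outside this hunk.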
@@ -600,6 +611,7 @@
BIGNUM *x = NULL;
BN_CTX *bn_ctx = BN_CTX_new();
unsigned char tmp2[MAX_LEN];
+ BIGNUM *salttmp = NULL;
if ((user == NULL) ||
(pass == NULL) ||
@@ -614,10 +626,12 @@
if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0)
goto err;
- *salt = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL);
+ salttmp = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL);
+ } else {
+ salttmp = *salt;
}
- x = SRP_Calc_x(*salt, user, pass);
+ x = SRP_Calc_x(salttmp, user, pass);
*verifier = BN_new();
if (*verifier == NULL)
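Review bot: Neither `salttmp` nor `x` is tested before use in this hunk: the `BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL)` result goes straight into `SRP_Calc_x`, and `x` is followed directly by the `BN_new()` call. SRP_Calc_x may reject a NULL salt itself, but that is not visible here, so an allocation failure could surface as a NULL BIGNUM further down. Adding `if (salttmp == NULL) goto err;` after the `BN_bin2bn` call and `if (x == NULL) goto err;` after `SRP_Calc_x` would keep failures on the error path. The function body continues outside the hunk.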
@@ -631,9 +645,11 @@
srp_bn_print(*verifier);
result = 1;
+ *salt = salttmp;
err:
-
+ if (*salt != salttmp)
+ BN_clear_free(salttmp);
BN_clear_free(x);
BN_CTX_free(bn_ctx);
return result;
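Review bot: The new cleanup test `if (*salt != salttmp)` dereferences `salt` on every route to `err`, including the early argument-validation `goto err`. That validation is only partly visible in an earlier hunk; if it rejects `salt == NULL`, as the sibling SRP_create_verifier does, the error path dereferences the very NULL pointer it just rejected. Writing it as `if (salt != NULL && *salt != salttmp)` closes that. SRP_create_verifier_BN starts outside this hunk.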
Modified: vendor-crypto/openssl/dist/crypto/threads/mttest.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/threads/mttest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/threads/mttest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -56,7 +56,6 @@
* [including the GNU Public Licence.]
*/
-#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
@@ -86,17 +85,11 @@
#include <openssl/lhash.h>
#include <openssl/crypto.h>
#include <openssl/buffer.h>
-#include "../../e_os.h"
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
-#ifdef OPENSSL_NO_FP_API
-# define APPS_WIN16
-# include "../buffer/bss_file.c"
-#endif
-
#ifdef OPENSSL_SYS_NETWARE
# define TEST_SERVER_CERT "/openssl/apps/server.pem"
# define TEST_CLIENT_CERT "/openssl/apps/client.pem"
@@ -107,23 +100,23 @@
#define MAX_THREAD_NUMBER 100
-int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *xs);
+int verify_callback(int ok, X509_STORE_CTX *xs);
void thread_setup(void);
void thread_cleanup(void);
void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx);
-void irix_locking_callback(int mode, int type, char *file, int line);
-void solaris_locking_callback(int mode, int type, char *file, int line);
-void win32_locking_callback(int mode, int type, char *file, int line);
-void pthreads_locking_callback(int mode, int type, char *file, int line);
-void netware_locking_callback(int mode, int type, char *file, int line);
+void irix_locking_callback(int mode, int type, const char *file, int line);
+void solaris_locking_callback(int mode, int type, const char *file, int line);
+void win32_locking_callback(int mode, int type, const char *file, int line);
+void pthreads_locking_callback(int mode, int type, const char *file, int line);
+void netware_locking_callback(int mode, int type, const char *file, int line);
void beos_locking_callback(int mode, int type, const char *file, int line);
-unsigned long irix_thread_id(void);
-unsigned long solaris_thread_id(void);
-unsigned long pthreads_thread_id(void);
-unsigned long netware_thread_id(void);
-unsigned long beos_thread_id(void);
+void irix_thread_id(CRYPTO_THREADID *tid);
+void solaris_thread_id(CRYPTO_THREADID *tid);
+void pthreads_thread_id(CRYPTO_THREADID *tid);
+void netware_thread_id(CRYPTO_THREADID *tid);
+void beos_thread_id(CRYPTO_THREADID *tid);
#if defined(OPENSSL_SYS_NETWARE)
static MPKMutex *lock_cs;
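Review bot: The five `*_thread_id` prototypes change to `void f(CRYPTO_THREADID *tid)` here, but the definitions of `irix_thread_id`, `netware_thread_id` and `beos_thread_id` shown in later hunks keep `unsigned long ...(void)`. On those platforms this gives conflicting declarations, and a function declared to return `unsigned long` whose body no longer returns a value. The definitions should follow the prototypes, e.g. `void irix_thread_id(CRYPTO_THREADID *tid)`, as the solaris and pthreads definitions already do.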
@@ -149,39 +142,39 @@
"string to make the random number generator think it has entropy";
int doit(char *ctx[4]);
-static void print_stats(FILE *fp, SSL_CTX *ctx)
+static void print_stats(BIO *bio, SSL_CTX *ctx)
{
- fprintf(fp, "%4ld items in the session cache\n",
- SSL_CTX_sess_number(ctx));
- fprintf(fp, "%4d client connects (SSL_connect())\n",
- SSL_CTX_sess_connect(ctx));
- fprintf(fp, "%4d client connects that finished\n",
- SSL_CTX_sess_connect_good(ctx));
- fprintf(fp, "%4d server connects (SSL_accept())\n",
- SSL_CTX_sess_accept(ctx));
- fprintf(fp, "%4d server connects that finished\n",
- SSL_CTX_sess_accept_good(ctx));
- fprintf(fp, "%4d session cache hits\n", SSL_CTX_sess_hits(ctx));
- fprintf(fp, "%4d session cache misses\n", SSL_CTX_sess_misses(ctx));
- fprintf(fp, "%4d session cache timeouts\n", SSL_CTX_sess_timeouts(ctx));
+ BIO_printf(bio, "%4ld items in the session cache\n",
+ SSL_CTX_sess_number(ctx));
+ BIO_printf(bio, "%4d client connects (SSL_connect())\n",
+ SSL_CTX_sess_connect(ctx));
+ BIO_printf(bio, "%4d client connects that finished\n",
+ SSL_CTX_sess_connect_good(ctx));
+ BIO_printf(bio, "%4d server connects (SSL_accept())\n",
+ SSL_CTX_sess_accept(ctx));
+ BIO_printf(bio, "%4d server connects that finished\n",
+ SSL_CTX_sess_accept_good(ctx));
+ BIO_printf(bio, "%4d session cache hits\n", SSL_CTX_sess_hits(ctx));
+ BIO_printf(bio, "%4d session cache misses\n", SSL_CTX_sess_misses(ctx));
+ BIO_printf(bio, "%4d session cache timeouts\n", SSL_CTX_sess_timeouts(ctx));
}
static void sv_usage(void)
{
- fprintf(stderr, "usage: ssltest [args ...]\n");
- fprintf(stderr, "\n");
- fprintf(stderr, " -server_auth - check server certificate\n");
- fprintf(stderr, " -client_auth - do client authentication\n");
- fprintf(stderr, " -v - more output\n");
- fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
- fprintf(stderr, " -CAfile arg - PEM format file of CA's\n");
- fprintf(stderr, " -threads arg - number of threads\n");
- fprintf(stderr, " -loops arg - number of 'connections', per thread\n");
- fprintf(stderr, " -reconnect - reuse session-id's\n");
- fprintf(stderr, " -stats - server session-id cache stats\n");
- fprintf(stderr, " -cert arg - server certificate/key\n");
- fprintf(stderr, " -ccert arg - client certificate/key\n");
- fprintf(stderr, " -ssl3 - just SSLv3n\n");
+ BIO_printf(bio_err, "usage: ssltest [args ...]\n");
+ BIO_printf(bio_err, "\n");
+ BIO_printf(bio_err, " -server_auth - check server certificate\n");
+ BIO_printf(bio_err, " -client_auth - do client authentication\n");
+ BIO_printf(bio_err, " -v - more output\n");
+ BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
+ BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
+ BIO_printf(bio_err, " -threads arg - number of threads\n");
+ BIO_printf(bio_err, " -loops arg - number of 'connections', per thread\n");
+ BIO_printf(bio_err, " -reconnect - reuse session-id's\n");
+ BIO_printf(bio_err, " -stats - server session-id cache stats\n");
+ BIO_printf(bio_err, " -cert arg - server certificate/key\n");
+ BIO_printf(bio_err, " -ccert arg - client certificate/key\n");
+ BIO_printf(bio_err, " -ssl3 - just SSLv3n\n");
}
int main(int argc, char *argv[])
@@ -195,14 +188,14 @@
SSL_CTX *c_ctx = NULL;
char *scert = TEST_SERVER_CERT;
char *ccert = TEST_CLIENT_CERT;
- SSL_METHOD *ssl_method = SSLv23_method();
+ const SSL_METHOD *ssl_method = SSLv23_method();
RAND_seed(rnd_seed, sizeof rnd_seed);
if (bio_err == NULL)
- bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+ bio_err = BIO_new_fd(2, BIO_NOCLOSE);
if (bio_stdout == NULL)
- bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);
+ bio_stdout = BIO_new_fd(1, BIO_NOCLOSE);
argc--;
argv++;
@@ -250,7 +243,7 @@
if (number_of_loops == 0)
number_of_loops = 1;
} else {
- fprintf(stderr, "unknown option %s\n", *argv);
+ BIO_printf(bio_err, "unknown option %s\n", *argv);
badop = 1;
break;
}
@@ -284,9 +277,12 @@
SSL_SESS_CACHE_SERVER);
if (!SSL_CTX_use_certificate_file(s_ctx, scert, SSL_FILETYPE_PEM)) {
+ BIO_printf(bio_err, "SSL_CTX_use_certificate_file (%s)\n", scert);
ERR_print_errors(bio_err);
+ goto end;
} else
if (!SSL_CTX_use_RSAPrivateKey_file(s_ctx, scert, SSL_FILETYPE_PEM)) {
+ BIO_printf(bio_err, "SSL_CTX_use_RSAPrivateKey_file (%s)\n", scert);
ERR_print_errors(bio_err);
goto end;
}
@@ -300,19 +296,19 @@
(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
(!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(c_ctx))) {
- fprintf(stderr, "SSL_load_verify_locations\n");
+ BIO_printf(bio_err, "SSL_load_verify_locations\n");
ERR_print_errors(bio_err);
goto end;
}
if (client_auth) {
- fprintf(stderr, "client authentication\n");
+ BIO_printf(bio_err, "client authentication\n");
SSL_CTX_set_verify(s_ctx,
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
verify_callback);
}
if (server_auth) {
- fprintf(stderr, "server authentication\n");
+ BIO_printf(bio_err, "server authentication\n");
SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback);
}
@@ -322,24 +318,24 @@
end:
if (c_ctx != NULL) {
- fprintf(stderr, "Client SSL_CTX stats then free it\n");
- print_stats(stderr, c_ctx);
+ BIO_printf(bio_err, "Client SSL_CTX stats then free it\n");
+ print_stats(bio_err, c_ctx);
SSL_CTX_free(c_ctx);
}
if (s_ctx != NULL) {
- fprintf(stderr, "Server SSL_CTX stats then free it\n");
- print_stats(stderr, s_ctx);
+ BIO_printf(bio_err, "Server SSL_CTX stats then free it\n");
+ print_stats(bio_err, s_ctx);
if (cache_stats) {
- fprintf(stderr, "-----\n");
- lh_stats(SSL_CTX_sessions(s_ctx), stderr);
- fprintf(stderr, "-----\n");
- /*- lh_node_stats(SSL_CTX_sessions(s_ctx),stderr);
- fprintf(stderr,"-----\n"); */
- lh_node_usage_stats(SSL_CTX_sessions(s_ctx), stderr);
- fprintf(stderr, "-----\n");
+ BIO_printf(bio_err, "-----\n");
+ lh_SSL_SESSION_stats_bio(SSL_CTX_sessions(s_ctx), bio_err);
+ BIO_printf(bio_err, "-----\n");
+ /*- lh_SSL_SESSION_node_stats_bio(SSL_CTX_sessions(s_ctx),bio_err);
+ BIO_printf(bio_err,"-----\n"); */
+ lh_SSL_SESSION_node_usage_stats_bio(SSL_CTX_sessions(s_ctx), bio_err);
+ BIO_printf(bio_err, "-----\n");
}
SSL_CTX_free(s_ctx);
- fprintf(stderr, "done free\n");
+ BIO_printf(bio_err, "done free\n");
}
exit(ret);
return (0);
@@ -355,6 +351,7 @@
int i;
int ret;
char *ctx[4];
+ CRYPTO_THREADID thread_id;
ctx[0] = (char *)ssl_ctx[0];
ctx[1] = (char *)ssl_ctx[1];
@@ -367,22 +364,24 @@
ctx[3] = NULL;
}
- fprintf(stdout, "started thread %lu\n", CRYPTO_thread_id());
+ CRYPTO_THREADID_current(&thread_id);
+ BIO_printf(bio_stdout, "started thread %lu\n",
+ CRYPTO_THREADID_hash(&thread_id));
for (i = 0; i < number_of_loops; i++) {
-/*- fprintf(stderr,"%4d %2d ctx->ref (%3d,%3d)\n",
- CRYPTO_thread_id(),i,
- ssl_ctx[0]->references,
- ssl_ctx[1]->references); */
+/*- BIO_printf(bio_err,"%4d %2d ctx->ref (%3d,%3d)\n",
+ CRYPTO_THREADID_hash(&thread_id),i,
+ ssl_ctx[0]->references,
+ ssl_ctx[1]->references); */
/* pthread_delay_np(&tm); */
ret = doit(ctx);
if (ret != 0) {
- fprintf(stdout, "error[%d] %lu - %d\n",
- i, CRYPTO_thread_id(), ret);
+ BIO_printf(bio_stdout, "error[%d] %lu - %d\n",
+ i, CRYPTO_THREADID_hash(&thread_id), ret);
return (ret);
}
}
- fprintf(stdout, "DONE %lu\n", CRYPTO_thread_id());
+ BIO_printf(bio_stdout, "DONE %lu\n", CRYPTO_THREADID_hash(&thread_id));
if (reconnect) {
SSL_free((SSL *)ctx[2]);
SSL_free((SSL *)ctx[3]);
@@ -467,26 +466,26 @@
if (do_server && verbose) {
if (SSL_in_init(s_ssl))
- printf("server waiting in SSL_accept - %s\n",
- SSL_state_string_long(s_ssl));
+ BIO_printf(bio_stdout, "server waiting in SSL_accept - %s\n",
+ SSL_state_string_long(s_ssl));
else if (s_write)
- printf("server:SSL_write()\n");
+ BIO_printf(bio_stdout, "server:SSL_write()\n");
else
- printf("server:SSL_read()\n");
+ BIO_printf(bio_stdout, "server:SSL_read()\n");
}
if (do_client && verbose) {
if (SSL_in_init(c_ssl))
- printf("client waiting in SSL_connect - %s\n",
- SSL_state_string_long(c_ssl));
+ BIO_printf(bio_stdout, "client waiting in SSL_connect - %s\n",
+ SSL_state_string_long(c_ssl));
else if (c_write)
- printf("client:SSL_write()\n");
+ BIO_printf(bio_stdout, "client:SSL_write()\n");
else
- printf("client:SSL_read()\n");
+ BIO_printf(bio_stdout, "client:SSL_read()\n");
}
if (!do_client && !do_server) {
- fprintf(stdout, "ERROR IN STARTUP\n");
+ BIO_printf(bio_stdout, "ERROR IN STARTUP\n");
break;
}
if (do_client && !(done & C_DONE)) {
@@ -501,12 +500,12 @@
if (BIO_should_write(c_bio))
c_w = 1;
} else {
- fprintf(stderr, "ERROR in CLIENT\n");
+ BIO_printf(bio_err, "ERROR in CLIENT\n");
ERR_print_errors_fp(stderr);
return (1);
}
} else if (i == 0) {
- fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
+ BIO_printf(bio_err, "SSL CLIENT STARTUP FAILED\n");
return (1);
} else {
/* ok */
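Review bot: `ERR_print_errors_fp(stderr)` stays on the stdio path even though the message on the line before it now goes to `bio_err`. The commit also drops `#include <stdio.h>` from the top of the file, so `stderr` is only available if another header brings it in. Using `ERR_print_errors(bio_err);`, as main() already does, keeps the error queue on the same channel and removes the remaining stdio dependency. The same line appears in the hunks at -523, -553 and -580; the enclosing function starts outside this hunk.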
@@ -523,19 +522,19 @@
if (BIO_should_write(c_bio))
c_w = 1;
} else {
- fprintf(stderr, "ERROR in CLIENT\n");
+ BIO_printf(bio_err, "ERROR in CLIENT\n");
ERR_print_errors_fp(stderr);
return (1);
}
} else if (i == 0) {
- fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
+ BIO_printf(bio_err, "SSL CLIENT STARTUP FAILED\n");
return (1);
} else {
done |= C_DONE;
#ifdef undef
- fprintf(stdout, "CLIENT:from server:");
- fwrite(cbuf, 1, i, stdout);
- fflush(stdout);
+ BIO_printf(bio_stdout, "CLIENT:from server:");
+ BIO_write(bio_stdout, cbuf, i);
+ BIO_flush(bio_stdout);
#endif
}
}
@@ -553,20 +552,20 @@
if (BIO_should_write(s_bio))
s_w = 1;
} else {
- fprintf(stderr, "ERROR in SERVER\n");
+ BIO_printf(bio_err, "ERROR in SERVER\n");
ERR_print_errors_fp(stderr);
return (1);
}
} else if (i == 0) {
- fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
+ BIO_printf(bio_err, "SSL SERVER STARTUP FAILED\n");
return (1);
} else {
s_write = 1;
s_w = 1;
#ifdef undef
- fprintf(stdout, "SERVER:from client:");
- fwrite(sbuf, 1, i, stdout);
- fflush(stdout);
+ BIO_printf(bio_stdout, "SERVER:from client:");
+ BIO_write(bio_stdout, sbuf, i);
+ BIO_flush(bio_stdout);
#endif
}
} else {
@@ -580,12 +579,12 @@
if (BIO_should_write(s_bio))
s_w = 1;
} else {
- fprintf(stderr, "ERROR in SERVER\n");
+ BIO_printf(bio_err, "ERROR in SERVER\n");
ERR_print_errors_fp(stderr);
return (1);
}
} else if (i == 0) {
- fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
+ BIO_printf(bio_err, "SSL SERVER STARTUP FAILED\n");
return (1);
} else {
s_write = 0;
@@ -606,7 +605,7 @@
SSL_set_shutdown(s_ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#ifdef undef
- fprintf(stdout, "DONE\n");
+ BIO_printf(bio_stdout, "DONE\n");
#endif
err:
/*
@@ -640,7 +639,7 @@
return (0);
}
-int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
+int verify_callback(int ok, X509_STORE_CTX *ctx)
{
char *s, buf[256];
@@ -649,9 +648,9 @@
buf, 256);
if (s != NULL) {
if (ok)
- fprintf(stderr, "depth=%d %s\n", ctx->error_depth, buf);
+ BIO_printf(bio_err, "depth=%d %s\n", ctx->error_depth, buf);
else
- fprintf(stderr, "depth=%d error=%d %s\n",
+ BIO_printf(bio_err, "depth=%d error=%d %s\n",
ctx->error_depth, ctx->error, buf);
}
}
@@ -688,7 +687,7 @@
OPENSSL_free(lock_cs);
}
-void win32_locking_callback(int mode, int type, char *file, int line)
+void win32_locking_callback(int mode, int type, const char *file, int line)
{
if (mode & CRYPTO_LOCK) {
WaitForSingleObject(lock_cs[type], INFINITE);
@@ -717,7 +716,7 @@
(void *)ssl_ctx, 0L, &(thread_id[i]));
}
- printf("reaping\n");
+ BIO_printf(bio_stdout, "reaping\n");
for (i = 0; i < thread_number; i += 50) {
int j;
@@ -727,7 +726,7 @@
(CONST HANDLE *) & (thread_handle[i]),
TRUE, INFINITE)
== WAIT_FAILED) {
- fprintf(stderr, "WaitForMultipleObjects failed:%d\n",
+ BIO_printf(bio_err, "WaitForMultipleObjects failed:%d\n",
GetLastError());
exit(1);
}
@@ -743,7 +742,7 @@
ret = (ret + end.wSecond - start.wSecond);
ret += (end.wMilliseconds - start.wMilliseconds) / 1000.0;
- printf("win32 threads done - %.3f seconds\n", ret);
+ BIO_printf(bio_stdout, "win32 threads done - %.3f seconds\n", ret);
}
#endif /* OPENSSL_SYS_WIN32 */
@@ -768,8 +767,8 @@
mutex_init(&(lock_cs[i]), USYNC_THREAD, NULL);
}
- CRYPTO_set_id_callback((unsigned long (*)())solaris_thread_id);
- CRYPTO_set_locking_callback((void (*)())solaris_locking_callback);
+ CRYPTO_set_id_callback(solaris_thread_id);
+ CRYPTO_set_locking_callback(solaris_locking_callback);
}
void thread_cleanup(void)
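Review bot: `CRYPTO_set_id_callback(solaris_thread_id)` registers a function whose new signature is `void (CRYPTO_THREADID *)` through the legacy hook, which, judging by the cast that was removed, expects `unsigned long (*)()`. With the cast gone this is an incompatible pointer type, and the callback would be invoked without a `tid` argument. The pthreads hunk uses the matching registration; the same is needed here: `CRYPTO_THREADID_set_callback(solaris_thread_id);`. The irix (-880) and netware (-1051) hunks have the same call.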
@@ -778,34 +777,34 @@
CRYPTO_set_locking_callback(NULL);
- fprintf(stderr, "cleanup\n");
+ BIO_printf(bio_err, "cleanup\n");
for (i = 0; i < CRYPTO_num_locks(); i++) {
/* rwlock_destroy(&(lock_cs[i])); */
mutex_destroy(&(lock_cs[i]));
- fprintf(stderr, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i));
+ BIO_printf(bio_err, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i));
}
OPENSSL_free(lock_cs);
OPENSSL_free(lock_count);
- fprintf(stderr, "done cleanup\n");
+ BIO_printf(bio_err, "done cleanup\n");
}
-void solaris_locking_callback(int mode, int type, char *file, int line)
+void solaris_locking_callback(int mode, int type, const char *file, int line)
{
# ifdef undef
- fprintf(stderr, "thread=%4d mode=%s lock=%s %s:%d\n",
- CRYPTO_thread_id(),
- (mode & CRYPTO_LOCK) ? "l" : "u",
- (type & CRYPTO_READ) ? "r" : "w", file, line);
+ BIO_printf(bio_err, "thread=%4d mode=%s lock=%s %s:%d\n",
+ CRYPTO_thread_id(),
+ (mode & CRYPTO_LOCK) ? "l" : "u",
+ (type & CRYPTO_READ) ? "r" : "w", file, line);
# endif
/*-
if (CRYPTO_LOCK_SSL_CERT == type)
- fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
- CRYPTO_thread_id(),
- mode,file,line);
+ BIO_printf(bio_err,"(t,m,f,l) %ld %d %s %d\n",
+ CRYPTO_thread_id(),
+ mode,file,line);
*/
if (mode & CRYPTO_LOCK) {
/*-
@@ -837,21 +836,22 @@
(void *(*)())ndoit, (void *)ssl_ctx, 0L, &(thread_ctx[i]));
}
- printf("reaping\n");
+ BIO_printf(bio_stdout, "reaping\n");
for (i = 0; i < thread_number; i++) {
thr_join(thread_ctx[i], NULL, NULL);
}
- printf("solaris threads done (%d,%d)\n",
- s_ctx->references, c_ctx->references);
+#if 0 /* We can't currently find out the reference amount */
+ BIO_printf(bio_stdout, "solaris threads done (%d,%d)\n",
+ s_ctx->references, c_ctx->references);
+#else
+ BIO_printf(bio_stdout, "solaris threads done\n");
+#endif
}
-unsigned long solaris_thread_id(void)
+void solaris_thread_id(CRYPTO_THREADID *tid)
{
- unsigned long ret;
-
- ret = (unsigned long)thr_self();
- return (ret);
+ CRYPTO_THREADID_set_numeric((unsigned long)thr_self());
}
#endif /* SOLARIS */
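Review bot: `CRYPTO_THREADID_set_numeric((unsigned long)thr_self());` omits the `tid` argument that the new `solaris_thread_id(CRYPTO_THREADID *tid)` receives, so the thread id is never stored in the caller's structure. The pthreads version in this commit passes it, and the line here should read `CRYPTO_THREADID_set_numeric(tid, (unsigned long)thr_self());`. The irix (-924) and netware (-1097) hunks make the same one-argument call.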
@@ -880,8 +880,8 @@
lock_cs[i] = usnewsema(arena, 1);
}
- CRYPTO_set_id_callback((unsigned long (*)())irix_thread_id);
- CRYPTO_set_locking_callback((void (*)())irix_locking_callback);
+ CRYPTO_set_id_callback(irix_thread_id);
+ CRYPTO_set_locking_callback(irix_locking_callback);
}
void thread_cleanup(void)
@@ -899,13 +899,13 @@
OPENSSL_free(lock_cs);
}
-void irix_locking_callback(int mode, int type, char *file, int line)
+void irix_locking_callback(int mode, int type, const char *file, int line)
{
if (mode & CRYPTO_LOCK) {
- printf("lock %d\n", type);
+ BIO_printf(bio_stdout, "lock %d\n", type);
uspsema(lock_cs[type]);
} else {
- printf("unlock %d\n", type);
+ BIO_printf(bio_stdout, "unlock %d\n", type);
usvsema(lock_cs[type]);
}
}
@@ -924,21 +924,22 @@
PR_SADDR | PR_SFDS, (void *)ssl_ctx);
}
- printf("reaping\n");
+ BIO_printf(bio_stdout, "reaping\n");
for (i = 0; i < thread_number; i++) {
wait(NULL);
}
- printf("irix threads done (%d,%d)\n",
- s_ctx->references, c_ctx->references);
+#if 0 /* We can't currently find out the reference amount */
+ BIO_printf(bio_stdout, "irix threads done (%d,%d)\n",
+ s_ctx->references, c_ctx->references);
+#else
+ BIO_printf(bio_stdout, "irix threads done\n");
+#endif
}
unsigned long irix_thread_id(void)
{
- unsigned long ret;
-
- ret = (unsigned long)getpid();
- return (ret);
+ CRYPTO_THREADID_set_numeric((unsigned long)getpid());
}
#endif /* IRIX */
@@ -958,8 +959,8 @@
pthread_mutex_init(&(lock_cs[i]), NULL);
}
- CRYPTO_set_id_callback((unsigned long (*)())pthreads_thread_id);
- CRYPTO_set_locking_callback((void (*)())pthreads_locking_callback);
+ CRYPTO_THREADID_set_callback(pthreads_thread_id);
+ CRYPTO_set_locking_callback(pthreads_locking_callback);
}
void thread_cleanup(void)
@@ -967,30 +968,30 @@
int i;
CRYPTO_set_locking_callback(NULL);
- fprintf(stderr, "cleanup\n");
+ BIO_printf(bio_err, "cleanup\n");
for (i = 0; i < CRYPTO_num_locks(); i++) {
pthread_mutex_destroy(&(lock_cs[i]));
- fprintf(stderr, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i));
+ BIO_printf(bio_err, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i));
}
OPENSSL_free(lock_cs);
OPENSSL_free(lock_count);
- fprintf(stderr, "done cleanup\n");
+ BIO_printf(bio_err, "done cleanup\n");
}
-void pthreads_locking_callback(int mode, int type, char *file, int line)
+void pthreads_locking_callback(int mode, int type, const char *file, int line)
{
# ifdef undef
- fprintf(stderr, "thread=%4d mode=%s lock=%s %s:%d\n",
- CRYPTO_thread_id(),
- (mode & CRYPTO_LOCK) ? "l" : "u",
- (type & CRYPTO_READ) ? "r" : "w", file, line);
+ BIO_printf(bio_err, "thread=%4d mode=%s lock=%s %s:%d\n",
+ CRYPTO_thread_id(),
+ (mode & CRYPTO_LOCK) ? "l" : "u",
+ (type & CRYPTO_READ) ? "r" : "w", file, line);
# endif
/*-
if (CRYPTO_LOCK_SSL_CERT == type)
- fprintf(stderr,"(t,m,f,l) %ld %d %s %d\n",
- CRYPTO_thread_id(),
- mode,file,line);
+ BIO_printf(bio_err,"(t,m,f,l) %ld %d %s %d\n",
+ CRYPTO_thread_id(),
+ mode,file,line);
*/
if (mode & CRYPTO_LOCK) {
pthread_mutex_lock(&(lock_cs[type]));
@@ -1017,21 +1018,22 @@
(void *(*)())ndoit, (void *)ssl_ctx);
}
- printf("reaping\n");
+ BIO_printf(bio_stdout, "reaping\n");
for (i = 0; i < thread_number; i++) {
pthread_join(thread_ctx[i], NULL);
}
- printf("pthreads threads done (%d,%d)\n",
- s_ctx->references, c_ctx->references);
+#if 0 /* We can't currently find out the reference amount */
+ BIO_printf(bio_stdout, "pthreads threads done (%d,%d)\n",
+ s_ctx->references, c_ctx->references);
+#else
+ BIO_printf(bio_stdout, "pthreads threads done\n");
+#endif
}
-unsigned long pthreads_thread_id(void)
+void pthreads_thread_id(CRYPTO_THREADID *tid)
{
- unsigned long ret;
-
- ret = (unsigned long)pthread_self();
- return (ret);
+ CRYPTO_THREADID_set_numeric(tid, (unsigned long)pthread_self());
}
#endif /* PTHREADS */
@@ -1051,8 +1053,8 @@
ThreadSem = MPKSemaphoreAlloc("OpenSSL mttest semaphore", 0);
- CRYPTO_set_id_callback((unsigned long (*)())netware_thread_id);
- CRYPTO_set_locking_callback((void (*)())netware_locking_callback);
+ CRYPTO_set_id_callback(netware_thread_id);
+ CRYPTO_set_locking_callback(netware_locking_callback);
}
void thread_cleanup(void)
@@ -1061,11 +1063,11 @@
CRYPTO_set_locking_callback(NULL);
- fprintf(stdout, "thread_cleanup\n");
+ BIO_printf(bio_stdout, "thread_cleanup\n");
for (i = 0; i < CRYPTO_num_locks(); i++) {
MPKMutexFree(lock_cs[i]);
- fprintf(stdout, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i));
+ BIO_printf(bio_stdout, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i));
}
OPENSSL_free(lock_cs);
OPENSSL_free(lock_count);
@@ -1072,10 +1074,10 @@
MPKSemaphoreFree(ThreadSem);
- fprintf(stdout, "done cleanup\n");
+ BIO_printf(bio_stdout, "done cleanup\n");
}
-void netware_locking_callback(int mode, int type, char *file, int line)
+void netware_locking_callback(int mode, int type, const char *file, int line)
{
if (mode & CRYPTO_LOCK) {
MPKMutexLock(lock_cs[type]);
@@ -1097,22 +1099,23 @@
ThreadSwitchWithDelay();
}
- printf("reaping\n");
+ BIO_printf(bio_stdout, "reaping\n");
/* loop until all threads have signaled the semaphore */
for (i = 0; i < thread_number; i++) {
MPKSemaphoreWait(ThreadSem);
}
- printf("netware threads done (%d,%d)\n",
- s_ctx->references, c_ctx->references);
+#if 0 /* We can't currently find out the reference amount */
+ BIO_printf(bio_stdout, "netware threads done (%d,%d)\n",
+ s_ctx->references, c_ctx->references);
+#else
+ BIO_printf(bio_stdout, "netware threads done\n");
+#endif
}
unsigned long netware_thread_id(void)
{
- unsigned long ret;
-
- ret = (unsigned long)GetThreadID();
- return (ret);
+ CRYPTO_THREADID_set_numeric((unsigned long)GetThreadID());
}
#endif /* NETWARE */
@@ -1144,24 +1147,24 @@
int i;
CRYPTO_set_locking_callback(NULL);
- fprintf(stderr, "cleanup\n");
+ BIO_printf(bio_err, "cleanup\n");
for (i = 0; i < CRYPTO_num_locks(); i++) {
delete lock_cs[i];
- fprintf(stderr, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i));
+ BIO_printf(bio_err, "%8ld:%s\n", lock_count[i], CRYPTO_get_lock_name(i));
}
OPENSSL_free(lock_cs);
OPENSSL_free(lock_count);
- fprintf(stderr, "done cleanup\n");
+ BIO_printf(bio_err, "done cleanup\n");
}
void beos_locking_callback(int mode, int type, const char *file, int line)
{
# if 0
- fprintf(stderr, "thread=%4d mode=%s lock=%s %s:%d\n",
- CRYPTO_thread_id(),
- (mode & CRYPTO_LOCK) ? "l" : "u",
- (type & CRYPTO_READ) ? "r" : "w", file, line);
+ BIO_printf(bio_err, "thread=%4d mode=%s lock=%s %s:%d\n",
+ CRYPTO_thread_id(),
+ (mode & CRYPTO_LOCK) ? "l" : "u",
+ (type & CRYPTO_READ) ? "r" : "w", file, line);
# endif
if (mode & CRYPTO_LOCK) {
lock_cs[type]->Lock();
@@ -1187,14 +1190,14 @@
resume_thread(thread_ctx[i]);
}
- printf("waiting...\n");
+ BIO_printf(bio_stdout, "waiting...\n");
for (i = 0; i < thread_number; i++) {
status_t result;
wait_for_thread(thread_ctx[i], &result);
}
- printf("beos threads done (%d,%d)\n",
- s_ctx->references, c_ctx->references);
+ BIO_printf(bio_stdout, "beos threads done (%d,%d)\n",
+ s_ctx->references, c_ctx->references);
}
unsigned long beos_thread_id(void)
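Review bot: The BeOS completion message still reads `s_ctx->references` and `c_ctx->references`, while the solaris, irix, pthreads and netware hunks in this commit move the same print under `#if 0 /* We can't currently find out the reference amount */`. For consistency this one should get the same treatment, with `BIO_printf(bio_stdout, "beos threads done\n");` as the live branch. The enclosing function starts outside this hunk.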
Modified: vendor-crypto/openssl/dist/crypto/threads/pthread2.sh
===================================================================
--- vendor-crypto/openssl/dist/crypto/threads/pthread2.sh 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/threads/pthread2.sh 2015-12-05 17:55:33 UTC (rev 7389)
@@ -3,5 +3,4 @@
# build using pthreads where it's already built into the system
#
/bin/rm -f mttest
-gcc -DPTHREADS -I../../include -g mttest.c -o mttest -L../.. -lssl -lcrypto -lpthread
-
+gcc -DPTHREADS -I../../include -g mttest.c -o mttest -L../.. -lssl -lcrypto -lpthread -ldl
Modified: vendor-crypto/openssl/dist/crypto/ts/ts_rsp_verify.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/ts/ts_rsp_verify.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/ts/ts_rsp_verify.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -522,7 +522,7 @@
if (ASN1_BIT_STRING_get_bit(info->failure_info,
TS_failure_info[i].code)) {
if (!first)
- strcpy(failure_text, ",");
+ strcat(failure_text, ",");
else
first = 0;
strcat(failure_text, TS_failure_info[i].text);
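Review bot: Both appends to `failure_text` are unbounded `strcat` calls, and now that the separator is appended instead of overwriting the buffer, the string grows with every failure bit set in the response. The declaration of `failure_text` is outside this hunk; if it is a fixed-size array, its size has to cover all `TS_failure_info` texts plus separators. A bounded append makes that explicit: `BUF_strlcat(failure_text, ",", sizeof(failure_text));`, and likewise for the text on the last line.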
Modified: vendor-crypto/openssl/dist/crypto/whrlpool/asm/wp-mmx.pl
===================================================================
--- vendor-crypto/openssl/dist/crypto/whrlpool/asm/wp-mmx.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/whrlpool/asm/wp-mmx.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -16,7 +16,7 @@
# table]. I stick to value of 2 for two reasons: 1. smaller table
# minimizes cache trashing and thus mitigates the hazard of side-
# channel leakage similar to AES cache-timing one; 2. performance
-# gap among different \xB5-archs is smaller.
+# gap among different µ-archs is smaller.
#
# Performance table lists rounded amounts of CPU cycles spent by
# whirlpool_block_mmx routine on single 64 byte input block, i.e.
Modified: vendor-crypto/openssl/dist/crypto/x509/Makefile
===================================================================
--- vendor-crypto/openssl/dist/crypto/x509/Makefile 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/x509/Makefile 2015-12-05 17:55:33 UTC (rev 7389)
@@ -13,7 +13,7 @@
CFLAGS= $(INCLUDES) $(CFLAG)
GENERAL=Makefile README
-TEST=
+TEST=verify_extra_test.c
APPS=
LIB=$(TOP)/libcrypto.a
Added: vendor-crypto/openssl/dist/crypto/x509/verify_extra_test.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/x509/verify_extra_test.c (rev 0)
+++ vendor-crypto/openssl/dist/crypto/x509/verify_extra_test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,209 @@
+/*
+ * Written by Matt Caswell for the OpenSSL project.
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core at openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+#include <stdio.h>
+#include <openssl/crypto.h>
+#include <openssl/bio.h>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+#include <openssl/err.h>
+
+static STACK_OF(X509) *load_certs_from_file(const char *filename)
+{
+ STACK_OF(X509) *certs;
+ BIO *bio;
+ X509 *x;
+
+ bio = BIO_new_file(filename, "r");
+
+ if (bio == NULL) {
+ return NULL;
+ }
+
+ certs = sk_X509_new_null();
+ if (certs == NULL) {
+ BIO_free(bio);
+ return NULL;
+ }
+
+ ERR_set_mark();
+ do {
+ x = PEM_read_bio_X509(bio, NULL, 0, NULL);
+ if (x != NULL && !sk_X509_push(certs, x)) {
+ sk_X509_pop_free(certs, X509_free);
+ BIO_free(bio);
+ return NULL;
+ } else if (x == NULL) {
+ /*
+ * We probably just ran out of certs, so ignore any errors
+ * generated
+ */
+ ERR_pop_to_mark();
+ }
+ } while (x != NULL);
+
+ BIO_free(bio);
+
+ return certs;
+}
+
+/*
+ * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery)
+ *
+ * Chain is as follows:
+ *
+ * rootCA (self-signed)
+ * |
+ * interCA
+ * |
+ * subinterCA subinterCA (self-signed)
+ * | |
+ * leaf ------------------
+ * |
+ * bad
+ *
+ * rootCA, interCA, subinterCA, subinterCA (ss) all have CA=TRUE
+ * leaf and bad have CA=FALSE
+ *
+ * subinterCA and subinterCA (ss) have the same subject name and keys
+ *
+ * interCA (but not rootCA) and subinterCA (ss) are in the trusted store
+ * (roots.pem)
+ * leaf and subinterCA are in the untrusted list (untrusted.pem)
+ * bad is the certificate being verified (bad.pem)
+ *
+ * Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has
+ * CA=FALSE, and will therefore incorrectly verify bad
+ *
+ */
+static int test_alt_chains_cert_forgery(void)
+{
+ int ret = 0;
+ int i;
+ X509 *x = NULL;
+ STACK_OF(X509) *untrusted = NULL;
+ BIO *bio = NULL;
+ X509_STORE_CTX *sctx = NULL;
+ X509_STORE *store = NULL;
+ X509_LOOKUP *lookup = NULL;
+
+ store = X509_STORE_new();
+ if (store == NULL)
+ goto err;
+
+ lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+ if (lookup == NULL)
+ goto err;
+ if(!X509_LOOKUP_load_file(lookup, "certs/roots.pem", X509_FILETYPE_PEM))
+ goto err;
+
+ untrusted = load_certs_from_file("certs/untrusted.pem");
+
+ if ((bio = BIO_new_file("certs/bad.pem", "r")) == NULL)
+ goto err;
+
+ if((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL)
+ goto err;
+
+ sctx = X509_STORE_CTX_new();
+ if (sctx == NULL)
+ goto err;
+
+ if (!X509_STORE_CTX_init(sctx, store, x, untrusted))
+ goto err;
+
+ i = X509_verify_cert(sctx);
+
+ if(i == 0 && X509_STORE_CTX_get_error(sctx)
+ == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) {
+ /* This is the result we were expecting: Test passed */
+ ret = 1;
+ }
+ err:
+ X509_STORE_CTX_free(sctx);
+ X509_free(x);
+ BIO_free(bio);
+ sk_X509_pop_free(untrusted, X509_free);
+ X509_STORE_free(store);
+ if (ret != 1)
+ ERR_print_errors_fp(stderr);
+ return ret;
+}
+
+int main(void)
+{
+ CRYPTO_malloc_debug_init();
+ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_digests();
+
+ if (!test_alt_chains_cert_forgery()) {
+ fprintf(stderr, "Test alt chains cert forgery failed\n");
+ return 1;
+ }
+
+ EVP_cleanup();
+ CRYPTO_cleanup_all_ex_data();
+ ERR_remove_thread_state(NULL);
+ ERR_free_strings();
+ CRYPTO_mem_leaks_fp(stderr);
+
+ printf("PASS\n");
+ return 0;
+}
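Review bot: In `test_alt_chains_cert_forgery` the result of `load_certs_from_file("certs/untrusted.pem")` is never checked, so a missing or unreadable file leaves `untrusted` NULL and the test verifies against an empty untrusted list instead of the chain the comment describes. Adding `if (untrusted == NULL) goto err;` right after the call makes a broken fixture show up as a setup failure rather than as a verification result that is hard to interpret. Separately, in `load_certs_from_file` the certificate `x` is not freed when `sk_X509_push` fails, because `sk_X509_pop_free` only releases what is already on the stack. An `X509_free(x);` on that path closes the leak.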
Modified: vendor-crypto/openssl/dist/crypto/x509/x509_cmp.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/x509/x509_cmp.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/x509/x509_cmp.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -179,11 +179,24 @@
*/
int X509_cmp(const X509 *a, const X509 *b)
{
+ int rv;
+
/* ensure hash is valid */
X509_check_purpose((X509 *)a, -1, 0);
X509_check_purpose((X509 *)b, -1, 0);
- return memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
+ rv = memcmp(a->sha1_hash, b->sha1_hash, SHA_DIGEST_LENGTH);
+ if (rv)
+ return rv;
+ /* Check for match against stored encoding too */
+ if (!a->cert_info->enc.modified && !b->cert_info->enc.modified) {
+ rv = (int)(a->cert_info->enc.len - b->cert_info->enc.len);
+ if (rv)
+ return rv;
+ return memcmp(a->cert_info->enc.enc, b->cert_info->enc.enc,
+ a->cert_info->enc.len);
+ }
+ return rv;
}
#endif
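Review bot: The length comparison `rv = (int)(a->cert_info->enc.len - b->cert_info->enc.len);` narrows a subtraction to `int`, which can wrap or truncate to 0 if the length field is wider than `int` (its type is declared outside the hunk). A 0 here would send two encodings of different length into `memcmp` using `a`'s length. Comparing the lengths directly avoids relying on the cast: `if (a->cert_info->enc.len != b->cert_info->enc.len) return a->cert_info->enc.len < b->cert_info->enc.len ? -1 : 1;`. Certificate encodings are normally far smaller than the range where this matters, so this is most likely hardening rather than a reachable bug.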
Modified: vendor-crypto/openssl/dist/crypto/x509/x509_lu.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/x509/x509_lu.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/x509/x509_lu.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -523,8 +523,6 @@
X509_OBJECT *obj, xobj;
sk = sk_X509_CRL_new_null();
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
- /* Check cache first */
- idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
/*
* Always do lookup to possibly add new CRLs to cache
Modified: vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -162,6 +162,14 @@
X509err(X509_F_X509_VERIFY_CERT, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
return -1;
}
+ if (ctx->chain != NULL) {
+ /*
+ * This X509_STORE_CTX has already been used to verify a cert. We
+ * cannot do another one.
+ */
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return -1;
+ }
cb = ctx->verify_cb;
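Review bot: The new early return for a reused context reports the problem only through the error queue and the -1 return; `ctx->error` is not touched on this path, so it presumably still holds the result of the earlier verification. A caller that tests the return value for truth, or that reads `X509_STORE_CTX_get_error()` after the call, could therefore mistake the refused second verification for a success. That is worth recording at the check, e.g. `/* ctx->error is left unchanged here: callers must treat any return <= 0 as failure */`, or by setting `ctx->error` to a failing verify code before `return -1;`. The body of X509_verify_cert starts and ends outside the hunk.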
@@ -169,15 +177,13 @@
* first we make sure the chain we are going to build is present and that
* the first entry is in place
*/
- if (ctx->chain == NULL) {
- if (((ctx->chain = sk_X509_new_null()) == NULL) ||
- (!sk_X509_push(ctx->chain, ctx->cert))) {
- X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
- goto end;
- }
- CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
- ctx->last_untrusted = 1;
+ if (((ctx->chain = sk_X509_new_null()) == NULL) ||
+ (!sk_X509_push(ctx->chain, ctx->cert))) {
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
+ goto end;
}
+ CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
+ ctx->last_untrusted = 1;
/* We use a temporary STACK so we can chop and hack at it */
if (ctx->untrusted != NULL
@@ -306,7 +312,7 @@
* if the user hasn't switched off alternate chain checking
*/
retry = 0;
- if (j == ctx->last_untrusted &&
+ if (num == ctx->last_untrusted &&
!(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
while (j-- > 1) {
xtmp2 = sk_X509_value(ctx->chain, j - 1);
@@ -328,8 +334,8 @@
xtmp = sk_X509_pop(ctx->chain);
X509_free(xtmp);
num--;
- ctx->last_untrusted--;
}
+ ctx->last_untrusted = sk_X509_num(ctx->chain);
retry = 1;
break;
}
Modified: vendor-crypto/openssl/dist/crypto/x509v3/v3_cpols.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/x509v3/v3_cpols.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/x509v3/v3_cpols.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -186,6 +186,10 @@
goto err;
}
pol = POLICYINFO_new();
+ if (pol == NULL) {
+ X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
pol->policyid = pobj;
}
if (!sk_POLICYINFO_push(pols, pol)) {
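Review bot: On the new `pol == NULL` path `pobj` has not yet been attached to anything, so unless the `err` label releases it (the label is outside the hunk) the object is leaked when `POLICYINFO_new()` fails. Freeing it before the jump keeps ownership clear: add `ASN1_OBJECT_free(pobj);` ahead of `goto err;`, assuming `pobj` is an ASN1_OBJECT as the assignment to `pol->policyid` suggests. The enclosing function starts and ends outside the hunk.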
Modified: vendor-crypto/openssl/dist/crypto/x509v3/v3_ncons.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/x509v3/v3_ncons.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/x509v3/v3_ncons.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -132,6 +132,8 @@
}
tval.value = val->value;
sub = GENERAL_SUBTREE_new();
+ if (sub == NULL)
+ goto memerr;
if (!v2i_GENERAL_NAME_ex(sub->base, method, ctx, &tval, 1))
goto err;
if (!*ptree)
Modified: vendor-crypto/openssl/dist/crypto/x509v3/v3_pci.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/x509v3/v3_pci.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/x509v3/v3_pci.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -3,7 +3,7 @@
* Contributed to the OpenSSL Project 2004 by Richard Levitte
* (richard at levitte.org)
*/
-/* Copyright (c) 2004 Kungliga Tekniska H\xF6gskolan
+/* Copyright (c) 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
Modified: vendor-crypto/openssl/dist/crypto/x509v3/v3_pcia.c
===================================================================
--- vendor-crypto/openssl/dist/crypto/x509v3/v3_pcia.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/crypto/x509v3/v3_pcia.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -3,7 +3,7 @@
* Contributed to the OpenSSL Project 2004 by Richard Levitte
* (richard at levitte.org)
*/
-/* Copyright (c) 2004 Kungliga Tekniska H\xF6gskolan
+/* Copyright (c) 2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
Modified: vendor-crypto/openssl/dist/demos/easy_tls/README
===================================================================
--- vendor-crypto/openssl/dist/demos/easy_tls/README 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/demos/easy_tls/README 2015-12-05 17:55:33 UTC (rev 7389)
@@ -62,4 +62,4 @@
day, which means that future revisions will not be fully compatible to
the current version.
-Bodo M\xF6ller <bodo at openssl.org>
+Bodo Möller <bodo at openssl.org>
Modified: vendor-crypto/openssl/dist/demos/engines/zencod/hw_zencod.c
===================================================================
--- vendor-crypto/openssl/dist/demos/engines/zencod/hw_zencod.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/demos/engines/zencod/hw_zencod.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -610,7 +610,7 @@
ptr_zencod_rc4_cipher = ptr_rc4_1;
/*
- * We should peform a test to see if there is actually any unit runnig on
+ * We should perform a test to see if there is actually any unit runnig on
* the system ... Even if the cryptozen library is loaded the module coul
* not be loaded on the system ... For now we may just open and close the
* device !!
Modified: vendor-crypto/openssl/dist/doc/apps/ciphers.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/apps/ciphers.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/apps/ciphers.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -205,7 +205,7 @@
cipher suites using ephemeral ECDH key agreement, including anonymous
cipher suites.
-=item B<EECDHE>
+=item B<EECDH>
cipher suites using authenticated ephemeral ECDH key agreement.
Modified: vendor-crypto/openssl/dist/doc/apps/dgst.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/apps/dgst.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/apps/dgst.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -13,7 +13,6 @@
[B<-hex>]
[B<-binary>]
[B<-r>]
-[B<-hmac arg>]
[B<-non-fips-allow>]
[B<-out filename>]
[B<-sign filename>]
@@ -64,10 +63,6 @@
output the digest in the "coreutils" format used by programs like B<sha1sum>.
-=item B<-hmac arg>
-
-set the HMAC key to "arg".
-
=item B<-non-fips-allow>
Allow use of non FIPS digest when in FIPS mode. This has no effect when not in
Modified: vendor-crypto/openssl/dist/doc/apps/genrsa.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/apps/genrsa.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/apps/genrsa.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -10,17 +10,11 @@
[B<-out filename>]
[B<-passout arg>]
[B<-aes128>]
-[B<-aes128>]
[B<-aes192>]
[B<-aes256>]
[B<-camellia128>]
[B<-camellia192>]
[B<-camellia256>]
-[B<-aes192>]
-[B<-aes256>]
-[B<-camellia128>]
-[B<-camellia192>]
-[B<-camellia256>]
[B<-des>]
[B<-des3>]
[B<-idea>]
Modified: vendor-crypto/openssl/dist/doc/apps/req.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/apps/req.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/apps/req.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -490,7 +490,7 @@
The actual permitted field names are any object identifier short or
long names. These are compiled into OpenSSL and include the usual
values such as commonName, countryName, localityName, organizationName,
-organizationUnitName, stateOrProvinceName. Additionally emailAddress
+organizationalUnitName, stateOrProvinceName. Additionally emailAddress
is include as well as name, surname, givenName initials and dnQualifier.
Additional object identifiers can be defined with the B<oid_file> or
Modified: vendor-crypto/openssl/dist/doc/apps/x509.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/apps/x509.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/apps/x509.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -529,7 +529,8 @@
"space" additionally place a space after the separator to make it
more readable. The B<sep_multiline> uses a linefeed character for
the RDN separator and a spaced B<+> for the AVA separator. It also
-indents the fields by four characters.
+indents the fields by four characters. If no field separator is specified
+then B<sep_comma_plus_space> is used by default.
=item B<dn_rev>
Modified: vendor-crypto/openssl/dist/doc/crypto/BIO_read.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/crypto/BIO_read.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/crypto/BIO_read.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -9,9 +9,9 @@
#include <openssl/bio.h>
int BIO_read(BIO *b, void *buf, int len);
- int BIO_gets(BIO *b,char *buf, int size);
+ int BIO_gets(BIO *b, char *buf, int size);
int BIO_write(BIO *b, const void *buf, int len);
- int BIO_puts(BIO *b,const char *buf);
+ int BIO_puts(BIO *b, const char *buf);
=head1 DESCRIPTION
@@ -26,7 +26,7 @@
BIO_write() attempts to write B<len> bytes from B<buf> to BIO B<b>.
-BIO_puts() attempts to write a null terminated string B<buf> to BIO B<b>
+BIO_puts() attempts to write a null terminated string B<buf> to BIO B<b>.
=head1 RETURN VALUES
Modified: vendor-crypto/openssl/dist/doc/crypto/BN_rand.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/crypto/BN_rand.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/crypto/BN_rand.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -19,7 +19,7 @@
=head1 DESCRIPTION
BN_rand() generates a cryptographically strong pseudo-random number of
-B<bits> bits in length and stores it in B<rnd>. If B<top> is -1, the
+B<bits> in length and stores it in B<rnd>. If B<top> is -1, the
most significant bit of the random number can be zero. If B<top> is 0,
it is set to 1, and if B<top> is 1, the two most significant bits of
the number will be set to 1, so that the product of two such random
@@ -33,7 +33,7 @@
protocols, but usually not for key generation etc.
BN_rand_range() generates a cryptographically strong pseudo-random
-number B<rnd> in the range 0 <lt>= B<rnd> E<lt> B<range>.
+number B<rnd> in the range 0 E<lt>= B<rnd> E<lt> B<range>.
BN_pseudo_rand_range() does the same, but is based on BN_pseudo_rand(),
and hence numbers generated by it are not necessarily unpredictable.
Modified: vendor-crypto/openssl/dist/doc/crypto/DSA_generate_parameters.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/crypto/DSA_generate_parameters.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/crypto/DSA_generate_parameters.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -23,7 +23,7 @@
If B<seed> is B<NULL> or B<seed_len> E<lt> 20, the primes will be
generated at random. Otherwise, the seed is used to generate
them. If the given seed does not yield a prime q, a new random
-seed is chosen and placed at B<seed>.
+seed is chosen.
DSA_generate_parameters() places the iteration count in
*B<counter_ret> and a counter used for finding a generator in
Modified: vendor-crypto/openssl/dist/doc/crypto/EVP_DigestVerifyInit.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/crypto/EVP_DigestVerifyInit.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/crypto/EVP_DigestVerifyInit.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -37,10 +37,11 @@
or a negative value for failure. In particular a return value of -2 indicates
the operation is not supported by the public key algorithm.
-Unlike other functions the return value 0 from EVP_DigestVerifyFinal() only
-indicates that the signature did not verify successfully (that is tbs did
-not match the original data or the signature was of invalid form) it is not an
-indication of a more serious error.
+EVP_DigestVerifyFinal() returns 1 for success; any other value indicates
+failure. A return value of zero indicates that the signature did not verify
+successfully (that is, tbs did not match the original data or the signature had
+an invalid form), while other values indicate a more serious error (and
+sometimes also indicate an invalid signature form).
The error codes can be obtained from L<ERR_get_error(3)|ERR_get_error(3)>.
Modified: vendor-crypto/openssl/dist/doc/crypto/EVP_SignInit.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/crypto/EVP_SignInit.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/crypto/EVP_SignInit.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -2,7 +2,8 @@
=head1 NAME
-EVP_SignInit, EVP_SignUpdate, EVP_SignFinal - EVP signing functions
+EVP_SignInit, EVP_SignInit_ex, EVP_SignUpdate, EVP_SignFinal - EVP signing
+functions
=head1 SYNOPSIS
Modified: vendor-crypto/openssl/dist/doc/crypto/X509_NAME_get_index_by_NID.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/crypto/X509_NAME_get_index_by_NID.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/crypto/X509_NAME_get_index_by_NID.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -29,6 +29,7 @@
X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ() retrieve
the next index matching B<nid> or B<obj> after B<lastpos>. B<lastpos>
should initially be set to -1. If there are no more entries -1 is returned.
+If B<nid> is invalid (doesn't correspond to a valid OID) then -2 is returned.
X509_NAME_entry_count() returns the total number of entries in B<name>.
@@ -63,6 +64,10 @@
the source code header files E<lt>openssl/obj_mac.hE<gt> and/or
E<lt>openssl/objects.hE<gt>.
+Applications which could pass invalid NIDs to X509_NAME_get_index_by_NID()
+should check for the return value of -2. Alternatively the NID validity
+can be determined first by checking OBJ_nid2obj(nid) is not NULL.
+
=head1 EXAMPLES
Process all entries:
@@ -95,6 +100,8 @@
X509_NAME_get_index_by_NID() and X509_NAME_get_index_by_OBJ()
return the index of the next matching entry or -1 if not found.
+X509_NAME_get_index_by_NID() can also return -2 if the supplied
+NID is invalid.
X509_NAME_entry_count() returns the total number of entries.
Modified: vendor-crypto/openssl/dist/doc/crypto/X509_STORE_CTX_new.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/crypto/X509_STORE_CTX_new.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/crypto/X509_STORE_CTX_new.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -39,10 +39,15 @@
is no longer valid.
X509_STORE_CTX_init() sets up B<ctx> for a subsequent verification operation.
-The trusted certificate store is set to B<store>, the end entity certificate
-to be verified is set to B<x509> and a set of additional certificates (which
-will be untrusted but may be used to build the chain) in B<chain>. Any or
-all of the B<store>, B<x509> and B<chain> parameters can be B<NULL>.
+It must be called before each call to X509_verify_cert(), i.e. a B<ctx> is only
+good for one call to X509_verify_cert(); if you want to verify a second
+certificate with the same B<ctx> then you must call X509_XTORE_CTX_cleanup()
+and then X509_STORE_CTX_init() again before the second call to
+X509_verify_cert(). The trusted certificate store is set to B<store>, the end
+entity certificate to be verified is set to B<x509> and a set of additional
+certificates (which will be untrusted but may be used to build the chain) in
+B<chain>. Any or all of the B<store>, B<x509> and B<chain> parameters can be
+B<NULL>.
X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B<ctx>
to B<sk>. This is an alternative way of specifying trusted certificates
Modified: vendor-crypto/openssl/dist/doc/crypto/X509_verify_cert.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/crypto/X509_verify_cert.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/crypto/X509_verify_cert.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -32,7 +32,8 @@
SSL/TLS code.
The negative return value from X509_verify_cert() can only occur if no
-certificate is set in B<ctx> (due to a programming error) or if a retry
+certificate is set in B<ctx> (due to a programming error); if X509_verify_cert()
+twice without reinitialising B<ctx> in between; or if a retry
operation is requested during internal lookups (which never happens with
standard lookup methods). It is however recommended that application check
for <= 0 return value on error.
Modified: vendor-crypto/openssl/dist/doc/crypto/buffer.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/crypto/buffer.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/crypto/buffer.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -2,9 +2,12 @@
=head1 NAME
-BUF_MEM_new, BUF_MEM_free, BUF_MEM_grow, BUF_strdup - simple
-character arrays structure
+BUF_MEM_new, BUF_MEM_new_ex, BUF_MEM_free, BUF_MEM_grow - simple
+character array structure
+BUF_strdup, BUF_strndup, BUF_memdup, BUF_strlcpy, BUF_strlcat -
+standard C library equivalents
+
=head1 SYNOPSIS
#include <openssl/buffer.h>
@@ -15,26 +18,21 @@
int BUF_MEM_grow(BUF_MEM *str, int len);
- char * BUF_strdup(const char *str);
+ char *BUF_strdup(const char *str);
+ char *BUF_strndup(const char *str, size_t siz);
+
+ void *BUF_memdup(const void *data, size_t siz);
+
+ size_t BUF_strlcpy(char *dst, const char *src, size_t size);
+
+ size_t BUF_strlcat(char *dst, const char *src, size_t size);
+
=head1 DESCRIPTION
The buffer library handles simple character arrays. Buffers are used for
various purposes in the library, most notably memory BIOs.
-The library uses the BUF_MEM structure defined in buffer.h:
-
- typedef struct buf_mem_st
- {
- int length; /* current number of bytes */
- char *data;
- int max; /* size of buffer */
- } BUF_MEM;
-
-B<length> is the current size of the buffer in bytes, B<max> is the amount of
-memory allocated to the buffer. There are three functions which handle these
-and one "miscellaneous" function.
-
BUF_MEM_new() allocates a new buffer of zero size.
BUF_MEM_free() frees up an already existing buffer. The data is zeroed
@@ -44,15 +42,18 @@
B<len>. Any data already in the buffer is preserved if it increases in
size.
-BUF_strdup() copies a null terminated string into a block of allocated
-memory and returns a pointer to the allocated block.
-Unlike the standard C library strdup() this function uses OPENSSL_malloc() and so
-should be used in preference to the standard library strdup() because it can
-be used for memory leak checking or replacing the malloc() function.
+BUF_strdup(), BUF_strndup(), BUF_memdup(), BUF_strlcpy() and
+BUF_strlcat() are equivalents of the standard C library functions. The
+dup() functions use OPENSSL_malloc() underneath and so should be used
+in preference to the standard library for memory leak checking or
+replacing the malloc() function.
-The memory allocated from BUF_strdup() should be freed up using the OPENSSL_free()
-function.
+Memory allocated from these functions should be freed up using the
+OPENSSL_free() function.
+BUF_strndup makes the explicit guarantee that it will never read past
+the first B<siz> bytes of B<str>.
+
=head1 RETURN VALUES
BUF_MEM_new() returns the buffer or NULL on error.
Modified: vendor-crypto/openssl/dist/doc/crypto/d2i_X509_NAME.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/crypto/d2i_X509_NAME.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/crypto/d2i_X509_NAME.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -14,7 +14,7 @@
=head1 DESCRIPTION
These functions decode and encode an B<X509_NAME> structure which is the
-the same as the B<Name> type defined in RFC2459 (and elsewhere) and used
+same as the B<Name> type defined in RFC2459 (and elsewhere) and used
for example in certificate subject and issuer names.
Othewise the functions behave in a similar way to d2i_X509() and i2d_X509()
Added: vendor-crypto/openssl/dist/doc/dir-locals.example.el
===================================================================
--- vendor-crypto/openssl/dist/doc/dir-locals.example.el (rev 0)
+++ vendor-crypto/openssl/dist/doc/dir-locals.example.el 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,15 @@
+;;; This is an example of what a .dir-locals.el suitable for OpenSSL
+;;; development could look like.
+;;;
+;;; Apart from setting the CC mode style to "OpenSSL-II", it also
+;;; makes sure that tabs are never used for indentation in any file,
+;;; and that the fill column is 78.
+;;;
+;;; For more information see (info "(emacs) Directory Variables")
+
+((nil
+ (indent-tabs-mode . nil)
+ (fill-column . 78)
+ )
+ (c-mode
+ (c-file-style . "OpenSSL-II")))
Added: vendor-crypto/openssl/dist/doc/openssl-c-indent.el
===================================================================
--- vendor-crypto/openssl/dist/doc/openssl-c-indent.el (rev 0)
+++ vendor-crypto/openssl/dist/doc/openssl-c-indent.el 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,62 @@
+;;; This Emacs Lisp file defines a C indentation style for OpenSSL.
+;;;
+;;; This definition is for the "CC mode" package, which is the default
+;;; mode for editing C source files in Emacs 20, not for the older
+;;; c-mode.el (which was the default in less recent releaes of Emacs 19).
+;;;
+;;; Recommended use is to add this line in your .emacs:
+;;;
+;;; (load (expand-file-name "~/PATH/TO/openssl-c-indent.el"))
+;;;
+;;; To activate this indentation style, visit a C file, type
+;;; M-x c-set-style <RET> (or C-c . for short), and enter "eay".
+;;; To toggle the auto-newline feature of CC mode, type C-c C-a.
+;;;
+;;; If you're a OpenSSL developer, you might find it more comfortable
+;;; to have this style be permanent in your OpenSSL development
+;;; directory. To have that, please perform this:
+;;;
+;;; M-x add-dir-local-variable <RET> c-mode <RET> c-file-style <RET>
+;;; "OpenSSL-II" <RET>
+;;;
+;;; A new buffer with .dir-locals.el will appear. Save it (C-x C-s).
+;;;
+;;; Alternatively, have a look at dir-locals.example.el
+
+;;; For suggesting improvements, please send e-mail to levitte at openssl.org.
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+;; Note, it could be easy to inherit from the "gnu" style... however,
+;; one never knows if that style will change somewhere in the future,
+;; so I've chosen to copy the "gnu" style values explicitely instead
+;; and mark them with a comment. // RLevitte 2015-08-31
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+(c-add-style "OpenSSL-II"
+ '((c-basic-offset . 4)
+ (indent-tabs-mode . nil)
+ (fill-column . 78)
+ (comment-column . 33)
+ (c-comment-only-line-offset 0 . 0) ; From "gnu" style
+ (c-hanging-braces-alist ; From "gnu" style
+ (substatement-open before after) ; From "gnu" style
+ (arglist-cont-nonempty)) ; From "gnu" style
+ (c-offsets-alist
+ (statement-block-intro . +) ; From "gnu" style
+ (knr-argdecl-intro . 0)
+ (knr-argdecl . 0)
+ (substatement-open . +) ; From "gnu" style
+ (substatement-label . 0) ; From "gnu" style
+ (label . 1)
+ (statement-case-open . +) ; From "gnu" style
+ (statement-cont . +) ; From "gnu" style
+ (arglist-intro . c-lineup-arglist-intro-after-paren) ; From "gnu" style
+ (arglist-close . c-lineup-arglist) ; From "gnu" style
+ (inline-open . 0) ; From "gnu" style
+ (brace-list-open . +) ; From "gnu" style
+ (topmost-intro-cont first c-lineup-topmost-intro-cont
+ c-lineup-gnu-DEFUN-intro-cont) ; From "gnu" style
+ )
+ (c-special-indent-hook . c-gnu-impose-minimum) ; From "gnu" style
+ (c-block-comment-prefix . "* ")
+ ))
Modified: vendor-crypto/openssl/dist/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
===================================================================
--- vendor-crypto/openssl/dist/doc/ssl/SSL_CTX_add_extra_chain_cert.pod 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/doc/ssl/SSL_CTX_add_extra_chain_cert.pod 2015-12-05 17:55:33 UTC (rev 7389)
@@ -2,29 +2,39 @@
=head1 NAME
-SSL_CTX_add_extra_chain_cert - add certificate to chain
+SSL_CTX_add_extra_chain_cert, SSL_CTX_clear_extra_chain_certs - add or clear
+extra chain certificates
=head1 SYNOPSIS
#include <openssl/ssl.h>
- long SSL_CTX_add_extra_chain_cert(SSL_CTX ctx, X509 *x509)
+ long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x509);
+ long SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx);
=head1 DESCRIPTION
-SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the certificate
-chain presented together with the certificate. Several certificates
-can be added one after the other.
+SSL_CTX_add_extra_chain_cert() adds the certificate B<x509> to the extra chain
+certificates associated with B<ctx>. Several certificates can be added one
+after another.
+SSL_CTX_clear_extra_chain_certs() clears all extra chain certificates
+associated with B<ctx>.
+
+These functions are implemented as macros.
+
=head1 NOTES
-When constructing the certificate chain, the chain will be formed from
-these certificates explicitly specified. If no chain is specified,
-the library will try to complete the chain from the available CA
-certificates in the trusted CA storage, see
+When sending a certificate chain, extra chain certificates are sent in order
+following the end entity certificate.
+
+If no chain is specified, the library will try to complete the chain from the
+available CA certificates in the trusted CA storage, see
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>.
-The B<x509> certificate provided to SSL_CTX_add_extra_chain_cert() will be freed by the library when the B<SSL_CTX> is destroyed. An application B<should not> free the B<x509> object.
+The B<x509> certificate provided to SSL_CTX_add_extra_chain_cert() will be
+freed by the library when the B<SSL_CTX> is destroyed. An application
+B<should not> free the B<x509> object.
=head1 RESTRICTIONS
@@ -36,8 +46,9 @@
=head1 RETURN VALUES
-SSL_CTX_add_extra_chain_cert() returns 1 on success. Check out the
-error stack to find out the reason for failure otherwise.
+SSL_CTX_add_extra_chain_cert() and SSL_CTX_clear_extra_chain_certs() return
+1 on success and 0 for failure. Check out the error stack to find out the
+reason for failure.
=head1 SEE ALSO
Modified: vendor-crypto/openssl/dist/e_os.h
===================================================================
--- vendor-crypto/openssl/dist/e_os.h 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/e_os.h 2015-12-05 17:55:33 UTC (rev 7389)
@@ -315,7 +315,7 @@
# undef isxdigit
# endif
# if defined(_MSC_VER) && !defined(_DLL) && defined(stdin)
-# if _MSC_VER>=1300
+# if _MSC_VER>=1300 && _MSC_VER<1600
# undef stdin
# undef stdout
# undef stderr
@@ -323,7 +323,7 @@
# define stdin (&__iob_func()[0])
# define stdout (&__iob_func()[1])
# define stderr (&__iob_func()[2])
-# elif defined(I_CAN_LIVE_WITH_LNK4049)
+# elif _MSC_VER<1300 && defined(I_CAN_LIVE_WITH_LNK4049)
# undef stdin
# undef stdout
# undef stderr
@@ -612,7 +612,7 @@
# include <sys/select.h>
# endif
-# if defined(sun)
+# if defined(__sun) || defined(sun)
# include <sys/filio.h>
# else
# ifndef VMS
@@ -654,7 +654,7 @@
# endif
-# if defined(sun) && !defined(__svr4__) && !defined(__SVR4)
+# if (defined(__sun) || defined(sun)) && !defined(__svr4__) && !defined(__SVR4)
/* include headers first, so our defines don't break it */
# include <stdlib.h>
# include <string.h>
Modified: vendor-crypto/openssl/dist/engines/e_chil.c
===================================================================
--- vendor-crypto/openssl/dist/engines/e_chil.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/engines/e_chil.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -839,6 +839,10 @@
bn_fix_top(rtmp->n);
res = EVP_PKEY_new();
+ if (res == NULL) {
+ HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, HWCRHK_R_CHIL_ERROR);
+ goto err;
+ }
EVP_PKEY_assign_RSA(res, rtmp);
# endif
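Review bot: The result of `EVP_PKEY_assign_RSA(res, rtmp)` on the line after the new NULL check is still discarded, so a failed assignment would return a key object with no RSA key attached. It could be guarded the same way, `if (!EVP_PKEY_assign_RSA(res, rtmp)) goto err;`, with the same `HWCRHKerr` call before the jump. The function starts and ends outside this hunk, so it is worth confirming that the `err` label releases `rtmp` (and `res`, if the assignment check is added).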
Modified: vendor-crypto/openssl/dist/openssl.spec
===================================================================
--- vendor-crypto/openssl/dist/openssl.spec 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/openssl.spec 2015-12-05 17:55:33 UTC (rev 7389)
@@ -7,7 +7,7 @@
Summary: Secure Sockets Layer and cryptography libraries and tools
Name: openssl
#Version: %{libmaj}.%{libmin}.%{librel}
-Version: 1.0.1o
+Version: 1.0.1q
Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
License: OpenSSL
Group: System Environment/Libraries
Modified: vendor-crypto/openssl/dist/ssl/Makefile
===================================================================
--- vendor-crypto/openssl/dist/ssl/Makefile 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/Makefile 2015-12-05 17:55:33 UTC (rev 7389)
@@ -15,7 +15,7 @@
CFLAGS= $(INCLUDES) $(CFLAG)
GENERAL=Makefile README ssl-lib.com install.com
-TEST=ssltest.c heartbeat_test.c
+TEST=ssltest.c heartbeat_test.c clienthellotest.c
APPS=
LIB=$(TOP)/libssl.a
Modified: vendor-crypto/openssl/dist/ssl/bio_ssl.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/bio_ssl.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/bio_ssl.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -419,6 +419,10 @@
BIO_set_flags(b, BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY);
b->retry_reason = b->next_bio->retry_reason;
break;
+ case SSL_ERROR_WANT_X509_LOOKUP:
+ BIO_set_retry_special(b);
+ b->retry_reason = BIO_RR_SSL_X509_LOOKUP;
+ break;
default:
break;
}
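Review bot: The new `SSL_ERROR_WANT_X509_LOOKUP` case sets the retry flags with `BIO_set_retry_special(b)`, while the case directly above spells the same operation as `BIO_set_flags(b, BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY)`. Using one form in both cases would make the switch easier to scan. A one-line comment such as `/* client certificate callback asked to be retried */` would also say why this error is a retry condition and not a failure. The enclosing switch begins outside the hunk.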
Added: vendor-crypto/openssl/dist/ssl/clienthellotest.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/clienthellotest.c (rev 0)
+++ vendor-crypto/openssl/dist/ssl/clienthellotest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,218 @@
+/* Written by Matt Caswell for the OpenSSL Project */
+/* ====================================================================
+ * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core at openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay at cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh at cryptsoft.com).
+ *
+ */
+
+#include <string.h>
+
+#include <openssl/bio.h>
+#include <openssl/crypto.h>
+#include <openssl/evp.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+
+#define CLIENT_VERSION_LEN 2
+#define SESSION_ID_LEN_LEN 1
+#define CIPHERS_LEN_LEN 2
+#define COMPRESSION_LEN_LEN 1
+#define EXTENSIONS_LEN_LEN 2
+#define EXTENSION_TYPE_LEN 2
+#define EXTENSION_SIZE_LEN 2
+
+
+#define TOTAL_NUM_TESTS 2
+
+/*
+ * Test that explicitly setting ticket data results in it appearing in the
+ * ClientHello for TLS1.2
+ */
+#define TEST_SET_SESSION_TICK_DATA_TLS_1_2 0
+
+/*
+ * Test that explicitly setting ticket data results in it appearing in the
+ * ClientHello for a negotiated SSL/TLS version
+ */
+#define TEST_SET_SESSION_TICK_DATA_VER_NEG 1
+
+int main(int argc, char *argv[])
+{
+ SSL_CTX *ctx;
+ SSL *con;
+ BIO *rbio;
+ BIO *wbio;
+ BIO *err;
+ long len;
+ unsigned char *data;
+ unsigned char *dataend;
+ char *dummytick = "Hello World!";
+ unsigned int tmplen;
+ unsigned int type;
+ unsigned int size;
+ int testresult = 0;
+ int currtest = 0;
+
+ SSL_library_init();
+ SSL_load_error_strings();
+
+ err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+
+ CRYPTO_malloc_debug_init();
+ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
+ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
+
+ /*
+ * For each test set up an SSL_CTX and SSL and see what ClientHello gets
+ * produced when we try to connect
+ */
+ for (; currtest < TOTAL_NUM_TESTS; currtest++) {
+ testresult = 0;
+ if (currtest == TEST_SET_SESSION_TICK_DATA_TLS_1_2) {
+ ctx = SSL_CTX_new(TLSv1_2_method());
+ } else {
+ ctx = SSL_CTX_new(SSLv23_method());
+ }
+ con = SSL_new(ctx);
+
+ rbio = BIO_new(BIO_s_mem());
+ wbio = BIO_new(BIO_s_mem());
+ SSL_set_bio(con, rbio, wbio);
+ SSL_set_connect_state(con);
+
+ if (currtest == TEST_SET_SESSION_TICK_DATA_TLS_1_2
+ || currtest == TEST_SET_SESSION_TICK_DATA_VER_NEG) {
+ if (!SSL_set_session_ticket_ext(con, dummytick, strlen(dummytick)))
+ goto end;
+ }
+
+ if (SSL_connect(con) > 0) {
+ /* This shouldn't succeed because we don't have a server! */
+ goto end;
+ }
+
+ len = BIO_get_mem_data(wbio, (char **)&data);
+ dataend = data + len;
+
+ /* Skip the record header */
+ data += SSL3_RT_HEADER_LENGTH;
+ /* Skip the handshake message header */
+ data += SSL3_HM_HEADER_LENGTH;
+ /* Skip client version and random */
+ data += CLIENT_VERSION_LEN + SSL3_RANDOM_SIZE;
+ if (data + SESSION_ID_LEN_LEN > dataend)
+ goto end;
+ /* Skip session id */
+ tmplen = *data;
+ data += SESSION_ID_LEN_LEN + tmplen;
+ if (data + CIPHERS_LEN_LEN > dataend)
+ goto end;
+ /* Skip ciphers */
+ tmplen = ((*data) << 8) | *(data + 1);
+ data += CIPHERS_LEN_LEN + tmplen;
+ if (data + COMPRESSION_LEN_LEN > dataend)
+ goto end;
+ /* Skip compression */
+ tmplen = *data;
+ data += COMPRESSION_LEN_LEN + tmplen;
+ if (data + EXTENSIONS_LEN_LEN > dataend)
+ goto end;
+ /* Extensions len */
+ tmplen = ((*data) << 8) | *(data + 1);
+ data += EXTENSIONS_LEN_LEN;
+ if (data + tmplen > dataend)
+ goto end;
+
+ /* Loop through all extensions */
+ while (tmplen > EXTENSION_TYPE_LEN + EXTENSION_SIZE_LEN) {
+ type = ((*data) << 8) | *(data + 1);
+ data += EXTENSION_TYPE_LEN;
+ size = ((*data) << 8) | *(data + 1);
+ data += EXTENSION_SIZE_LEN;
+ if (data + size > dataend)
+ goto end;
+
+ if (type == TLSEXT_TYPE_session_ticket) {
+ if (currtest == TEST_SET_SESSION_TICK_DATA_TLS_1_2
+ || currtest == TEST_SET_SESSION_TICK_DATA_VER_NEG) {
+ if (size == strlen(dummytick)
+ && memcmp(data, dummytick, size) == 0) {
+ /* Ticket data is as we expected */
+ testresult = 1;
+ } else {
+ printf("Received session ticket is not as expected\n");
+ }
+ break;
+ }
+ }
+
+ tmplen -= EXTENSION_TYPE_LEN + EXTENSION_SIZE_LEN + size;
+ data += size;
+ }
+
+ end:
+ SSL_free(con);
+ SSL_CTX_free(ctx);
+ if (!testresult) {
+ printf("ClientHello test: FAILED (Test %d)\n", currtest);
+ break;
+ }
+ }
+
+ ERR_free_strings();
+ ERR_remove_thread_state(NULL);
+ EVP_cleanup();
+ CRYPTO_cleanup_all_ex_data();
+ CRYPTO_mem_leaks(err);
+
+ return testresult?0:1;
+}
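Review bot: In the extension loop, `size` is checked against `dataend` but not against the remaining `tmplen`, so `tmplen -= EXTENSION_TYPE_LEN + EXTENSION_SIZE_LEN + size` can wrap the unsigned counter and let the loop keep reading type and length bytes past the extensions block. Adding `if (size > tmplen - EXTENSION_TYPE_LEN - EXTENSION_SIZE_LEN) goto end;` before the ticket comparison bounds it; the loop condition already guarantees that subtraction cannot wrap. Separately, the results of `SSL_CTX_new()`, `SSL_new()` and both `BIO_new()` calls are used unchecked, and `err` is never released with `BIO_free()`.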
Modified: vendor-crypto/openssl/dist/ssl/d1_both.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/d1_both.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/d1_both.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1490,9 +1490,12 @@
{
int ret;
#ifndef OPENSSL_NO_SCTP
- if (BIO_dgram_is_sctp(SSL_get_wbio(s)) &&
+ BIO *wbio;
+
+ wbio = SSL_get_wbio(s);
+ if (wbio != NULL && BIO_dgram_is_sctp(wbio) &&
!(s->shutdown & SSL_SENT_SHUTDOWN)) {
- ret = BIO_dgram_sctp_wait_for_dry(SSL_get_wbio(s));
+ ret = BIO_dgram_sctp_wait_for_dry(wbio);
if (ret < 0)
return -1;
Modified: vendor-crypto/openssl/dist/ssl/d1_clnt.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/d1_clnt.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/d1_clnt.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -299,13 +299,12 @@
#endif
case SSL3_ST_CW_CLNT_HELLO_A:
- case SSL3_ST_CW_CLNT_HELLO_B:
-
s->shutdown = 0;
/* every DTLS ClientHello resets Finished MAC */
ssl3_init_finished_mac(s);
+ case SSL3_ST_CW_CLNT_HELLO_B:
dtls1_start_timer(s);
ret = dtls1_client_hello(s);
if (ret <= 0)
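Review bot: `case SSL3_ST_CW_CLNT_HELLO_A:` now falls through into `case SSL3_ST_CW_CLNT_HELLO_B:` after `ssl3_init_finished_mac(s);`, and nothing marks that as intended. A `/* fall thru */` comment on the line before the `HELLO_B` label would keep a later reader, or a compiler fall-through warning, from treating it as a missing `break`. A short comment on why re-entry at state B must not reset `s->shutdown` and the Finished MAC would also help, since the reason is not visible in the hunk.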
@@ -350,11 +349,15 @@
sizeof(DTLS1_SCTP_AUTH_LABEL),
DTLS1_SCTP_AUTH_LABEL);
- SSL_export_keying_material(s, sctpauthkey,
+ if (SSL_export_keying_material(s, sctpauthkey,
sizeof(sctpauthkey),
labelbuffer,
sizeof(labelbuffer), NULL, 0,
- 0);
+ 0) <= 0) {
+ ret = -1;
+ s->state = SSL_ST_ERR;
+ goto end;
+ }
BIO_ctrl(SSL_get_wbio(s),
BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
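Review bot: The result of `BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY, ...)` is still discarded right after the newly checked `SSL_export_keying_material()` call, so the handshake would continue if installing the SCTP-AUTH key fails. The write BIO may also be NULL here, which is what the d1_both.c hunk in this commit guards against. Assuming the control reports failure with a negative value, it could take the same error path: `if (BIO_ctrl(...) < 0) { ret = -1; s->state = SSL_ST_ERR; goto end; }`. The same pattern appears in the second SCTP hunk of d1_clnt.c and in both SCTP hunks of d1_srvr.c. The call itself continues past the end of this hunk.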
@@ -362,6 +365,10 @@
#endif
s->state = SSL3_ST_CR_FINISHED_A;
+ if (s->tlsext_ticket_expected) {
+ /* receive renewed session ticket */
+ s->state = SSL3_ST_CR_SESSION_TICKET_A;
+ }
} else
s->state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A;
}
@@ -484,9 +491,13 @@
snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
DTLS1_SCTP_AUTH_LABEL);
- SSL_export_keying_material(s, sctpauthkey,
+ if (SSL_export_keying_material(s, sctpauthkey,
sizeof(sctpauthkey), labelbuffer,
- sizeof(labelbuffer), NULL, 0, 0);
+ sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+ ret = -1;
+ s->state = SSL_ST_ERR;
+ goto end;
+ }
BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
sizeof(sctpauthkey), sctpauthkey);
Modified: vendor-crypto/openssl/dist/ssl/d1_srvr.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/d1_srvr.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/d1_srvr.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -267,6 +267,19 @@
ssl3_init_finished_mac(s);
s->state = SSL3_ST_SR_CLNT_HELLO_A;
s->ctx->stats.sess_accept++;
+ } else if (!s->s3->send_connection_binding &&
+ !(s->options &
+ SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) {
+ /*
+ * Server attempting to renegotiate with client that doesn't
+ * support secure renegotiation.
+ */
+ SSLerr(SSL_F_DTLS1_ACCEPT,
+ SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
+ ret = -1;
+ s->state = SSL_ST_ERR;
+ goto end;
} else {
/*
* s->state == SSL_ST_RENEGOTIATE, we will just send a
@@ -405,9 +418,13 @@
snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
DTLS1_SCTP_AUTH_LABEL);
- SSL_export_keying_material(s, sctpauthkey,
- sizeof(sctpauthkey), labelbuffer,
- sizeof(labelbuffer), NULL, 0, 0);
+ if (SSL_export_keying_material(s, sctpauthkey,
+ sizeof(sctpauthkey), labelbuffer,
+ sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+ ret = -1;
+ s->state = SSL_ST_ERR;
+ goto end;
+ }
BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
sizeof(sctpauthkey), sctpauthkey);
@@ -628,9 +645,13 @@
snprintf((char *)labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
DTLS1_SCTP_AUTH_LABEL);
- SSL_export_keying_material(s, sctpauthkey,
+ if (SSL_export_keying_material(s, sctpauthkey,
sizeof(sctpauthkey), labelbuffer,
- sizeof(labelbuffer), NULL, 0, 0);
+ sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+ ret = -1;
+ s->state = SSL_ST_ERR;
+ goto end;
+ }
BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
sizeof(sctpauthkey), sctpauthkey);
Modified: vendor-crypto/openssl/dist/ssl/s23_clnt.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/s23_clnt.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/s23_clnt.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -373,12 +373,13 @@
buf = (unsigned char *)s->init_buf->data;
if (s->state == SSL23_ST_CW_CLNT_HELLO_A) {
-#if 0
- /* don't reuse session-id's */
+ /*
+ * Since we're sending s23 client hello, we're not reusing a session, as
+ * we'd be using the method from the saved session instead
+ */
if (!ssl_get_new_session(s, 0)) {
- return (-1);
+ return -1;
}
-#endif
p = s->s3->client_random;
if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
@@ -439,9 +440,6 @@
/*
* put in the session-id length (zero since there is no reuse)
*/
-#if 0
- s->session->session_id_length = 0;
-#endif
s2n(0, d);
if (s->options & SSL_OP_NETSCAPE_CHALLENGE_BUG)
@@ -729,6 +727,8 @@
goto err;
}
+ s->session->ssl_version = s->version;
+
/* ensure that TLS_MAX_VERSION is up-to-date */
OPENSSL_assert(s->version <= TLS_MAX_VERSION);
@@ -784,13 +784,6 @@
}
s->init_num = 0;
- /*
- * Since, if we are sending a ssl23 client hello, we are not reusing a
- * session-id
- */
- if (!ssl_get_new_session(s, 0))
- goto err;
-
return (SSL_connect(s));
err:
return (-1);
Modified: vendor-crypto/openssl/dist/ssl/s3_cbc.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/s3_cbc.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/s3_cbc.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -411,8 +411,9 @@
* functions, above, we know that data_plus_mac_size is large enough to contain
* a padding byte and MAC. (If the padding was invalid, it might contain the
* padding too. )
+ * Returns 1 on success or 0 on error
*/
-void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
+int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
unsigned char *md_out,
size_t *md_out_size,
const unsigned char header[13],
@@ -455,7 +456,8 @@
switch (EVP_MD_CTX_type(ctx)) {
case NID_md5:
- MD5_Init((MD5_CTX *)md_state.c);
+ if (MD5_Init((MD5_CTX *)md_state.c) <= 0)
+ return 0;
md_final_raw = tls1_md5_final_raw;
md_transform =
(void (*)(void *ctx, const unsigned char *block))MD5_Transform;
@@ -464,7 +466,8 @@
length_is_big_endian = 0;
break;
case NID_sha1:
- SHA1_Init((SHA_CTX *)md_state.c);
+ if (SHA1_Init((SHA_CTX *)md_state.c) <= 0)
+ return 0;
md_final_raw = tls1_sha1_final_raw;
md_transform =
(void (*)(void *ctx, const unsigned char *block))SHA1_Transform;
@@ -472,7 +475,8 @@
break;
#ifndef OPENSSL_NO_SHA256
case NID_sha224:
- SHA224_Init((SHA256_CTX *)md_state.c);
+ if (SHA224_Init((SHA256_CTX *)md_state.c) <= 0)
+ return 0;
md_final_raw = tls1_sha256_final_raw;
md_transform =
(void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
@@ -479,7 +483,8 @@
md_size = 224 / 8;
break;
case NID_sha256:
- SHA256_Init((SHA256_CTX *)md_state.c);
+ if (SHA256_Init((SHA256_CTX *)md_state.c) <= 0)
+ return 0;
md_final_raw = tls1_sha256_final_raw;
md_transform =
(void (*)(void *ctx, const unsigned char *block))SHA256_Transform;
@@ -488,7 +493,8 @@
#endif
#ifndef OPENSSL_NO_SHA512
case NID_sha384:
- SHA384_Init((SHA512_CTX *)md_state.c);
+ if (SHA384_Init((SHA512_CTX *)md_state.c) <= 0)
+ return 0;
md_final_raw = tls1_sha512_final_raw;
md_transform =
(void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
@@ -497,7 +503,8 @@
md_length_size = 16;
break;
case NID_sha512:
- SHA512_Init((SHA512_CTX *)md_state.c);
+ if (SHA512_Init((SHA512_CTX *)md_state.c) <= 0)
+ return 0;
md_final_raw = tls1_sha512_final_raw;
md_transform =
(void (*)(void *ctx, const unsigned char *block))SHA512_Transform;
@@ -514,7 +521,7 @@
OPENSSL_assert(0);
if (md_out_size)
*md_out_size = -1;
- return;
+ return 0;
}
OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);
@@ -652,7 +659,7 @@
*/
if (header_length <= md_block_size) {
/* Should never happen */
- return;
+ return 0;
}
overhang = header_length - md_block_size;
md_transform(md_state.c, header);
@@ -733,26 +740,34 @@
}
EVP_MD_CTX_init(&md_ctx);
- EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */ );
+ if (EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */ ) <= 0)
+ goto err;
if (is_sslv3) {
/* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
memset(hmac_pad, 0x5c, sslv3_pad_length);
- EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length);
- EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length);
- EVP_DigestUpdate(&md_ctx, mac_out, md_size);
+ if (EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length) <= 0
+ || EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length) <= 0
+ || EVP_DigestUpdate(&md_ctx, mac_out, md_size) <= 0)
+ goto err;
} else {
/* Complete the HMAC in the standard manner. */
for (i = 0; i < md_block_size; i++)
hmac_pad[i] ^= 0x6a;
- EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
- EVP_DigestUpdate(&md_ctx, mac_out, md_size);
+ if (EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size) <= 0
+ || EVP_DigestUpdate(&md_ctx, mac_out, md_size) <= 0)
+ goto err;
}
EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
if (md_out_size)
*md_out_size = md_out_size_u;
EVP_MD_CTX_cleanup(&md_ctx);
+
+ return 1;
+err:
+ EVP_MD_CTX_cleanup(&md_ctx);
+ return 0;
}
#ifdef OPENSSL_FIPS
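Review bot: `EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u)` is the one digest call in this block whose result is still ignored, so the function can return 1 when `md_out` was not written. It should join the others: `if (EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u) <= 0) goto err;`. The function begins outside this hunk, so callers other than the one updated in s3_enc.c should be confirmed to test the new return value.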
Modified: vendor-crypto/openssl/dist/ssl/s3_clnt.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/s3_clnt.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/s3_clnt.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1381,8 +1381,6 @@
#ifndef OPENSSL_NO_PSK
if (alg_k & SSL_kPSK) {
- char tmp_id_hint[PSK_MAX_IDENTITY_LEN + 1];
-
param_len = 2;
if (param_len > n) {
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
@@ -1408,17 +1406,8 @@
}
param_len += i;
- /*
- * If received PSK identity hint contains NULL characters, the hint
- * is truncated from the first NULL. p may not be ending with NULL,
- * so create a NULL-terminated string.
- */
- memcpy(tmp_id_hint, p, i);
- memset(tmp_id_hint + i, 0, PSK_MAX_IDENTITY_LEN + 1 - i);
- if (s->ctx->psk_identity_hint != NULL)
- OPENSSL_free(s->ctx->psk_identity_hint);
- s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
- if (s->ctx->psk_identity_hint == NULL) {
+ s->session->psk_identity_hint = BUF_strndup((char *)p, i);
+ if (s->session->psk_identity_hint == NULL) {
al = SSL_AD_HANDSHAKE_FAILURE;
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
goto f_err;
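Review bot: The removed code freed any existing hint before storing the new one, whereas `s->session->psk_identity_hint = BUF_strndup((char *)p, i);` overwrites the pointer unconditionally. If a session can reach this point with a hint already set, the old string leaks. Freeing it first, as the removed code did with `if (... != NULL) OPENSSL_free(...)`, would cover that; otherwise a comment should state why the field is always NULL here. The surrounding function starts and ends outside this hunk.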
@@ -1635,6 +1624,12 @@
}
p += i;
+ if (BN_is_zero(dh->p)) {
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE);
+ goto f_err;
+ }
+
+
if (2 > n - param_len) {
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
goto f_err;
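Review bot: The three added `BN_is_zero()` checks (here for `dh->p`, and in the next two hunks for `dh->g` and `dh->pub_key`) reject only an exact zero, so other degenerate server-supplied values still pass this point. Unless validation happens later outside the hunks, a range check such as `DH_check_pub_key(dh, dh->pub_key, &codes)` after the public value is read would be a more complete guard. The new blocks also jump to `f_err` without assigning `al`, so the alert sent depends on a value set earlier in the function; an explicit `al = SSL_AD_ILLEGAL_PARAMETER;` in each would make them self-contained. The doubled blank line after the first check can be removed.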
@@ -1655,6 +1650,11 @@
}
p += i;
+ if (BN_is_zero(dh->g)) {
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
+ goto f_err;
+ }
+
if (2 > n - param_len) {
SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
goto f_err;
@@ -1676,6 +1676,11 @@
p += i;
n -= param_len;
+ if (BN_is_zero(dh->pub_key)) {
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_VALUE);
+ goto f_err;
+ }
+
# ifndef OPENSSL_NO_RSA
if (alg_a & SSL_aRSA)
pkey =
@@ -1878,14 +1883,20 @@
q = md_buf;
for (num = 2; num > 0; num--) {
EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- EVP_DigestInit_ex(&md_ctx, (num == 2)
- ? s->ctx->md5 : s->ctx->sha1, NULL);
- EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]),
- SSL3_RANDOM_SIZE);
- EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]),
- SSL3_RANDOM_SIZE);
- EVP_DigestUpdate(&md_ctx, param, param_len);
- EVP_DigestFinal_ex(&md_ctx, q, &size);
+ if (EVP_DigestInit_ex(&md_ctx,
+ (num == 2) ? s->ctx->md5 : s->ctx->sha1,
+ NULL) <= 0
+ || EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_DigestUpdate(&md_ctx, param, param_len) <= 0
+ || EVP_DigestFinal_ex(&md_ctx, q, &size) <= 0) {
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ al = SSL_AD_INTERNAL_ERROR;
+ goto f_err;
+ }
q += size;
j += size;
}
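Review bot: This hunk reports a failed digest step as `ERR_R_INTERNAL_ERROR`, while the next hunk reports the equivalent `EVP_Verify*` failure as `ERR_R_EVP_LIB`, and the two blocks set `al` and call `SSLerr` in opposite order. Using one reason code and one ordering in both would make the error paths easier to compare. Whether `md_ctx` is cleaned up at `f_err` cannot be seen from the hunk.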
@@ -1904,12 +1915,16 @@
} else
#endif
{
- EVP_VerifyInit_ex(&md_ctx, md, NULL);
- EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]),
- SSL3_RANDOM_SIZE);
- EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]),
- SSL3_RANDOM_SIZE);
- EVP_VerifyUpdate(&md_ctx, param, param_len);
+ if (EVP_VerifyInit_ex(&md_ctx, md, NULL) <= 0
+ || EVP_VerifyUpdate(&md_ctx, &(s->s3->client_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_VerifyUpdate(&md_ctx, &(s->s3->server_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_VerifyUpdate(&md_ctx, param, param_len) <= 0) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_EVP_LIB);
+ goto f_err;
+ }
if (EVP_VerifyFinal(&md_ctx, p, (int)n, pkey) <= 0) {
/* bad signature */
al = SSL_AD_DECRYPT_ERROR;
@@ -2129,6 +2144,7 @@
long n;
const unsigned char *p;
unsigned char *d;
+ unsigned long ticket_lifetime_hint;
n = s->method->ssl_get_message(s,
SSL3_ST_CR_SESSION_TICKET_A,
@@ -2147,6 +2163,19 @@
p = d = (unsigned char *)s->init_msg;
+ n2l(p, ticket_lifetime_hint);
+ n2s(p, ticklen);
+ /* ticket_lifetime_hint + ticket_length + ticket */
+ if (ticklen + 6 != n) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
+ goto f_err;
+ }
+
+ /* Server is allowed to change its mind and send an empty ticket. */
+ if (ticklen == 0)
+ return 1;
+
if (s->session->session_id_length > 0) {
int i = s->session_ctx->session_cache_mode;
SSL_SESSION *new_sess;
@@ -2178,14 +2207,6 @@
s->session = new_sess;
}
- n2l(p, s->session->tlsext_tick_lifetime_hint);
- n2s(p, ticklen);
- /* ticket_lifetime_hint + ticket_length + ticket */
- if (ticklen + 6 != n) {
- al = SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
- goto f_err;
- }
if (s->session->tlsext_tick) {
OPENSSL_free(s->session->tlsext_tick);
s->session->tlsext_ticklen = 0;
@@ -2196,6 +2217,7 @@
goto err;
}
memcpy(s->session->tlsext_tick, p, ticklen);
+ s->session->tlsext_tick_lifetime_hint = ticket_lifetime_hint;
s->session->tlsext_ticklen = ticklen;
/*
* There are two ways to detect a resumed ticket session. One is to set
@@ -2365,6 +2387,7 @@
|| (pkey->pkey.rsa == NULL)) {
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
ERR_R_INTERNAL_ERROR);
+ EVP_PKEY_free(pkey);
goto err;
}
rsa = pkey->pkey.rsa;
@@ -2812,6 +2835,11 @@
pkey_ctx = EVP_PKEY_CTX_new(pub_key =
X509_get_pubkey(peer_cert), NULL);
+ if (pkey_ctx == NULL) {
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+ ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
/*
* If we have send a certificate, and certificate key
*
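Review bot: The new `pkey_ctx == NULL` branch jumps to `err` while `pub_key`, obtained from `X509_get_pubkey(peer_cert)` in the same statement, is still held; unless the `err` label releases it (not visible here), that reference leaks. Adding `EVP_PKEY_free(pub_key);` before the `goto err;` would cover it. The same applies to the error branch in the next hunk, which frees `pkey_ctx` but not `pub_key`. That next hunk also re-tests `pkey_ctx == NULL`, which appears redundant after this check.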
@@ -2821,10 +2849,13 @@
/* Otherwise, generate ephemeral key pair */
- EVP_PKEY_encrypt_init(pkey_ctx);
- /* Generate session key */
- if (RAND_bytes(premaster_secret, 32) <= 0) {
+ if (pkey_ctx == NULL
+ || EVP_PKEY_encrypt_init(pkey_ctx) <= 0
+ /* Generate session key */
+ || RAND_bytes(premaster_secret, 32) <= 0) {
EVP_PKEY_CTX_free(pkey_ctx);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
goto err;
}
/*
@@ -2845,13 +2876,18 @@
* data
*/
ukm_hash = EVP_MD_CTX_create();
- EVP_DigestInit(ukm_hash,
- EVP_get_digestbynid(NID_id_GostR3411_94));
- EVP_DigestUpdate(ukm_hash, s->s3->client_random,
- SSL3_RANDOM_SIZE);
- EVP_DigestUpdate(ukm_hash, s->s3->server_random,
- SSL3_RANDOM_SIZE);
- EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len);
+ if (EVP_DigestInit(ukm_hash,
+ EVP_get_digestbynid(NID_id_GostR3411_94)) <= 0
+ || EVP_DigestUpdate(ukm_hash, s->s3->client_random,
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_DigestUpdate(ukm_hash, s->s3->server_random,
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len) <= 0) {
+ EVP_MD_CTX_destroy(ukm_hash);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
+ ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
EVP_MD_CTX_destroy(ukm_hash);
if (EVP_PKEY_CTX_ctrl
(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV, 8,
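Review bot: `ukm_hash = EVP_MD_CTX_create();` is used without a NULL check, so an allocation failure reaches `EVP_DigestInit(ukm_hash, ...)` with a NULL context. Testing it first in the same condition, `if (ukm_hash == NULL || EVP_DigestInit(...) <= 0 ...`, keeps the single error branch. That branch destroys `ukm_hash` but, unlike the error branch in the preceding hunk, does not call `EVP_PKEY_CTX_free(pkey_ctx)` before `goto err`. Whether `err` does so is outside the hunk.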
@@ -2867,7 +2903,7 @@
*(p++) = V_ASN1_SEQUENCE | V_ASN1_CONSTRUCTED;
msglen = 255;
if (EVP_PKEY_encrypt(pkey_ctx, tmp, &msglen, premaster_secret, 32)
- < 0) {
+ <= 0) {
SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
SSL_R_LIBRARY_BUG);
goto err;
@@ -2951,7 +2987,7 @@
}
memset(identity, 0, sizeof(identity));
- psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
+ psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
identity, sizeof(identity) - 1,
psk_or_pre_ms,
sizeof(psk_or_pre_ms));
@@ -3068,7 +3104,10 @@
pkey = s->cert->key->privatekey;
/* Create context from key and test if sha1 is allowed as digest */
pctx = EVP_PKEY_CTX_new(pkey, NULL);
- EVP_PKEY_sign_init(pctx);
+ if (pctx == NULL || EVP_PKEY_sign_init(pctx) <= 0) {
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) > 0) {
if (TLS1_get_version(s) < TLS1_2_VERSION)
s->method->ssl3_enc->cert_verify_mac(s,
@@ -3205,7 +3244,6 @@
* If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
* return(-1); We then get retied later
*/
- i = 0;
i = ssl_do_client_cert_cb(s, &x509, &pkey);
if (i < 0) {
s->rwstate = SSL_X509_LOOKUP;
Modified: vendor-crypto/openssl/dist/ssl/s3_enc.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/s3_enc.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/s3_enc.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -253,7 +253,10 @@
EVP_CIPHER_CTX_init(s->enc_read_ctx);
dd = s->enc_read_ctx;
- ssl_replace_hash(&s->read_hash, m);
+ if (ssl_replace_hash(&s->read_hash, m) == NULL) {
+ SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+ goto err2;
+ }
#ifndef OPENSSL_NO_COMP
/* COMPRESS */
if (s->expand != NULL) {
@@ -288,7 +291,10 @@
*/
EVP_CIPHER_CTX_init(s->enc_write_ctx);
dd = s->enc_write_ctx;
- ssl_replace_hash(&s->write_hash, m);
+ if (ssl_replace_hash(&s->write_hash, m) == NULL) {
+ SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+ goto err2;
+ }
#ifndef OPENSSL_NO_COMP
/* COMPRESS */
if (s->compress != NULL) {
@@ -674,19 +680,21 @@
return 0;
npad = (48 / n) * n;
- if (sender != NULL)
- EVP_DigestUpdate(&ctx, sender, len);
- EVP_DigestUpdate(&ctx, s->session->master_key,
- s->session->master_key_length);
- EVP_DigestUpdate(&ctx, ssl3_pad_1, npad);
- EVP_DigestFinal_ex(&ctx, md_buf, &i);
+ if ((sender != NULL && EVP_DigestUpdate(&ctx, sender, len) <= 0)
+ || EVP_DigestUpdate(&ctx, s->session->master_key,
+ s->session->master_key_length) <= 0
+ || EVP_DigestUpdate(&ctx, ssl3_pad_1, npad) <= 0
+ || EVP_DigestFinal_ex(&ctx, md_buf, &i) <= 0
- EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL);
- EVP_DigestUpdate(&ctx, s->session->master_key,
- s->session->master_key_length);
- EVP_DigestUpdate(&ctx, ssl3_pad_2, npad);
- EVP_DigestUpdate(&ctx, md_buf, i);
- EVP_DigestFinal_ex(&ctx, p, &ret);
+ || EVP_DigestInit_ex(&ctx, EVP_MD_CTX_md(&ctx), NULL) <= 0
+ || EVP_DigestUpdate(&ctx, s->session->master_key,
+ s->session->master_key_length) <= 0
+ || EVP_DigestUpdate(&ctx, ssl3_pad_2, npad) <= 0
+ || EVP_DigestUpdate(&ctx, md_buf, i) <= 0
+ || EVP_DigestFinal_ex(&ctx, p, &ret) <= 0) {
+ SSLerr(SSL_F_SSL3_HANDSHAKE_MAC, ERR_R_INTERNAL_ERROR);
+ ret = 0;
+ }
EVP_MD_CTX_cleanup(&ctx);
@@ -758,33 +766,36 @@
header[j++] = rec->length & 0xff;
/* Final param == is SSLv3 */
- ssl3_cbc_digest_record(hash,
- md, &md_size,
- header, rec->input,
- rec->length + md_size, orig_len,
- mac_sec, md_size, 1);
+ if (ssl3_cbc_digest_record(hash,
+ md, &md_size,
+ header, rec->input,
+ rec->length + md_size, orig_len,
+ mac_sec, md_size, 1) <= 0)
+ return -1;
} else {
unsigned int md_size_u;
/* Chop the digest off the end :-) */
EVP_MD_CTX_init(&md_ctx);
- EVP_MD_CTX_copy_ex(&md_ctx, hash);
- EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
- EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad);
- EVP_DigestUpdate(&md_ctx, seq, 8);
rec_char = rec->type;
- EVP_DigestUpdate(&md_ctx, &rec_char, 1);
p = md;
s2n(rec->length, p);
- EVP_DigestUpdate(&md_ctx, md, 2);
- EVP_DigestUpdate(&md_ctx, rec->input, rec->length);
- EVP_DigestFinal_ex(&md_ctx, md, NULL);
-
- EVP_MD_CTX_copy_ex(&md_ctx, hash);
- EVP_DigestUpdate(&md_ctx, mac_sec, md_size);
- EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad);
- EVP_DigestUpdate(&md_ctx, md, md_size);
- EVP_DigestFinal_ex(&md_ctx, md, &md_size_u);
+ if (EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
+ || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
+ || EVP_DigestUpdate(&md_ctx, ssl3_pad_1, npad) <= 0
+ || EVP_DigestUpdate(&md_ctx, seq, 8) <= 0
+ || EVP_DigestUpdate(&md_ctx, &rec_char, 1) <= 0
+ || EVP_DigestUpdate(&md_ctx, md, 2) <= 0
+ || EVP_DigestUpdate(&md_ctx, rec->input, rec->length) <= 0
+ || EVP_DigestFinal_ex(&md_ctx, md, NULL) <= 0
+ || EVP_MD_CTX_copy_ex(&md_ctx, hash) <= 0
+ || EVP_DigestUpdate(&md_ctx, mac_sec, md_size) <= 0
+ || EVP_DigestUpdate(&md_ctx, ssl3_pad_2, npad) <= 0
+ || EVP_DigestUpdate(&md_ctx, md, md_size) <= 0
+ || EVP_DigestFinal_ex(&md_ctx, md, &md_size_u) <= 0) {
+ EVP_MD_CTX_cleanup(&md_ctx);
+ return -1;
+ }
md_size = md_size_u;
EVP_MD_CTX_cleanup(&md_ctx);
@@ -826,17 +837,24 @@
EVP_MD_CTX_init(&ctx);
for (i = 0; i < 3; i++) {
- EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL);
- EVP_DigestUpdate(&ctx, salt[i], strlen((const char *)salt[i]));
- EVP_DigestUpdate(&ctx, p, len);
- EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]), SSL3_RANDOM_SIZE);
- EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]), SSL3_RANDOM_SIZE);
- EVP_DigestFinal_ex(&ctx, buf, &n);
+ if (EVP_DigestInit_ex(&ctx, s->ctx->sha1, NULL) <= 0
+ || EVP_DigestUpdate(&ctx, salt[i],
+ strlen((const char *)salt[i])) <= 0
+ || EVP_DigestUpdate(&ctx, p, len) <= 0
+ || EVP_DigestUpdate(&ctx, &(s->s3->client_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_DigestUpdate(&ctx, &(s->s3->server_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_DigestFinal_ex(&ctx, buf, &n) <= 0
- EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL);
- EVP_DigestUpdate(&ctx, p, len);
- EVP_DigestUpdate(&ctx, buf, n);
- EVP_DigestFinal_ex(&ctx, out, &n);
+ || EVP_DigestInit_ex(&ctx, s->ctx->md5, NULL) <= 0
+ || EVP_DigestUpdate(&ctx, p, len) <= 0
+ || EVP_DigestUpdate(&ctx, buf, n) <= 0
+ || EVP_DigestFinal_ex(&ctx, out, &n) <= 0) {
+ SSLerr(SSL_F_SSL3_GENERATE_MASTER_SECRET, ERR_R_INTERNAL_ERROR);
+ ret = 0;
+ break;
+ }
out += n;
ret += n;
}
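Review bot: The new failure branch (`ret = 0; break;`) can leave key material behind, because `buf` still holds the SHA-1 intermediate and blocks finished in earlier iterations have already been written through `out`. Nothing in the hunk wipes either buffer; the code after the loop is outside the hunk, so this may already be handled there. If it is not, and assuming `buf` is a local array, add `OPENSSL_cleanse(buf, sizeof(buf));` after the loop. A comment should also state that the contents of `out` must not be used when 0 is returned.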
Modified: vendor-crypto/openssl/dist/ssl/s3_lib.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/s3_lib.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/s3_lib.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -2955,7 +2955,7 @@
void ssl3_free(SSL *s)
{
- if (s == NULL)
+ if (s == NULL || s->s3 == NULL)
return;
#ifdef TLSEXT_TYPE_opaque_prf_input
Modified: vendor-crypto/openssl/dist/ssl/s3_srvr.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/s3_srvr.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/s3_srvr.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -383,7 +383,6 @@
*/
if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT);
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
ret = -1;
s->state = SSL_ST_ERR;
goto end;
@@ -967,7 +966,7 @@
int ssl3_get_client_hello(SSL *s)
{
- int i, j, ok, al, ret = -1;
+ int i, j, ok, al, ret = -1, cookie_valid = 0;
unsigned int cookie_len;
long n;
unsigned long id;
@@ -1155,8 +1154,7 @@
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_COOKIE_MISMATCH);
goto f_err;
}
-
- ret = 2;
+ cookie_valid = 1;
}
p += cookie_len;
@@ -1264,7 +1262,7 @@
#ifndef OPENSSL_NO_TLSEXT
/* TLS extensions */
if (s->version >= SSL3_VERSION) {
- if (!ssl_parse_clienthello_tlsext(s, &p, d, n, &al)) {
+ if (!ssl_parse_clienthello_tlsext(s, &p, d + n, &al)) {
/* 'al' set by ssl_parse_clienthello_tlsext */
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_PARSE_TLSEXT);
goto f_err;
@@ -1492,8 +1490,7 @@
}
}
- if (ret < 0)
- ret = 1;
+ ret = cookie_valid ? 2 : 1;
if (0) {
f_err:
ssl3_send_alert(s, SSL3_AL_FATAL, al);
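Review bot: The line `ret = cookie_valid ? 2 : 1;` returns two bare integers whose meaning a reader can only recover by tracing `cookie_valid` back to the cookie comparison several hundred lines earlier. Since callers branch on the difference, a comment above the assignment would help, for example `/* 2: the cookie in this ClientHello was verified; 1: accepted without a verified cookie */`. The function body starts and ends outside this hunk, so how each caller treats the two values cannot be checked from here.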
@@ -1503,7 +1500,7 @@
if (ciphers != NULL)
sk_SSL_CIPHER_free(ciphers);
- return (ret);
+ return ret;
}
int ssl3_send_server_hello(SSL *s)
@@ -1987,14 +1984,22 @@
for (num = 2; num > 0; num--) {
EVP_MD_CTX_set_flags(&md_ctx,
EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- EVP_DigestInit_ex(&md_ctx, (num == 2)
- ? s->ctx->md5 : s->ctx->sha1, NULL);
- EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]),
- SSL3_RANDOM_SIZE);
- EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]),
- SSL3_RANDOM_SIZE);
- EVP_DigestUpdate(&md_ctx, &(d[4]), n);
- EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i);
+ if (EVP_DigestInit_ex(&md_ctx,
+ (num == 2) ? s->ctx->md5
+ : s->ctx->sha1,
+ NULL) <= 0
+ || EVP_DigestUpdate(&md_ctx, &(s->s3->client_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_DigestUpdate(&md_ctx, &(s->s3->server_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_DigestUpdate(&md_ctx, &(d[4]), n) <= 0
+ || EVP_DigestFinal_ex(&md_ctx, q,
+ (unsigned int *)&i) <= 0) {
+ SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,
+ ERR_LIB_EVP);
+ al = SSL_AD_INTERNAL_ERROR;
+ goto f_err;
+ }
q += i;
j += i;
}
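Review bot: The new `SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);` passes a library identifier in the reason slot, while the other failure paths added in this commit use `ERR_R_INTERNAL_ERROR`. The reason-code spelling is `ERR_R_EVP_LIB`, which keeps the same error semantics and makes the intent clear to someone grepping for reason codes. The signing block in the next hunk (`@@ -2024,16 +2029,17 @@`) carries the same `ERR_LIB_EVP` on an unchanged line and could be aligned at the same time.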
@@ -2024,16 +2029,17 @@
#ifdef SSL_DEBUG
fprintf(stderr, "Using hash %s\n", EVP_MD_name(md));
#endif
- EVP_SignInit_ex(&md_ctx, md, NULL);
- EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]),
- SSL3_RANDOM_SIZE);
- EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]),
- SSL3_RANDOM_SIZE);
- EVP_SignUpdate(&md_ctx, &(d[4]), n);
- if (!EVP_SignFinal(&md_ctx, &(p[2]),
- (unsigned int *)&i, pkey)) {
+ if (EVP_SignInit_ex(&md_ctx, md, NULL) <= 0
+ || EVP_SignUpdate(&md_ctx, &(s->s3->client_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_SignUpdate(&md_ctx, &(s->s3->server_random[0]),
+ SSL3_RANDOM_SIZE) <= 0
+ || EVP_SignUpdate(&md_ctx, &(d[4]), n) <= 0
+ || EVP_SignFinal(&md_ctx, &(p[2]),
+ (unsigned int *)&i, pkey) <= 0) {
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_LIB_EVP);
- goto err;
+ al = SSL_AD_INTERNAL_ERROR;
+ goto f_err;
}
s2n(i, p);
n += i + 2;
@@ -2792,7 +2798,7 @@
if (s->session->psk_identity != NULL)
OPENSSL_free(s->session->psk_identity);
- s->session->psk_identity = BUF_strdup((char *)p);
+ s->session->psk_identity = BUF_strndup((char *)p, i);
if (s->session->psk_identity == NULL) {
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
goto psk_err;
@@ -2879,7 +2885,15 @@
pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
pkey_ctx = EVP_PKEY_CTX_new(pk, NULL);
- EVP_PKEY_decrypt_init(pkey_ctx);
+ if (pkey_ctx == NULL) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
+ goto f_err;
+ }
+ if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR);
+ goto gerr;
+ }
/*
* If client certificate is present and is of the same type, maybe
* use it for key exchange. Don't mind errors from
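Review bot: The two new failure paths leave by different routes: the `pkey_ctx == NULL` branch sets `al` and jumps to `f_err`, while the `EVP_PKEY_decrypt_init(pkey_ctx) <= 0` branch jumps to `gerr` without setting `al`. The `gerr` label is outside the hunk; presumably it releases `pkey_ctx`, which would make it the right target for cleanup, but it may then end the handshake without an alert. The parallel fix in `ssl3_get_cert_verify` (hunk `@@ -3123,7 +3137,17 @@`) frees the context, sets `al = SSL_AD_INTERNAL_ERROR` and goes to `f_err`. Either follow that pattern here or add a short comment saying why this path deliberately sends no alert.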
@@ -3123,7 +3137,17 @@
unsigned char signature[64];
int idx;
EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new(pkey, NULL);
- EVP_PKEY_verify_init(pctx);
+ if (pctx == NULL) {
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_MALLOC_FAILURE);
+ goto f_err;
+ }
+ if (EVP_PKEY_verify_init(pctx) <= 0) {
+ EVP_PKEY_CTX_free(pctx);
+ al = SSL_AD_INTERNAL_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, ERR_R_INTERNAL_ERROR);
+ goto f_err;
+ }
if (i != 64) {
fprintf(stderr, "GOST signature length is %d", i);
}
Modified: vendor-crypto/openssl/dist/ssl/ssl.h
===================================================================
--- vendor-crypto/openssl/dist/ssl/ssl.h 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/ssl.h 2015-12-05 17:55:33 UTC (rev 7389)
@@ -2313,6 +2313,7 @@
# define SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC 292
# define SSL_F_SSL3_ENC 134
# define SSL_F_SSL3_GENERATE_KEY_BLOCK 238
+# define SSL_F_SSL3_GENERATE_MASTER_SECRET 388
# define SSL_F_SSL3_GET_CERTIFICATE_REQUEST 135
# define SSL_F_SSL3_GET_CERT_STATUS 289
# define SSL_F_SSL3_GET_CERT_VERIFY 136
@@ -2465,8 +2466,11 @@
# define SSL_R_BAD_DATA_RETURNED_BY_CALLBACK 106
# define SSL_R_BAD_DECOMPRESSION 107
# define SSL_R_BAD_DH_G_LENGTH 108
+# define SSL_R_BAD_DH_G_VALUE 375
# define SSL_R_BAD_DH_PUB_KEY_LENGTH 109
+# define SSL_R_BAD_DH_PUB_KEY_VALUE 393
# define SSL_R_BAD_DH_P_LENGTH 110
+# define SSL_R_BAD_DH_P_VALUE 395
# define SSL_R_BAD_DIGEST_LENGTH 111
# define SSL_R_BAD_DSA_SIGNATURE 112
# define SSL_R_BAD_ECC_CERT 304
Modified: vendor-crypto/openssl/dist/ssl/ssl3.h
===================================================================
--- vendor-crypto/openssl/dist/ssl/ssl3.h 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/ssl3.h 2015-12-05 17:55:33 UTC (rev 7389)
@@ -263,6 +263,8 @@
# define SSL3_SESSION_ID_SIZE 32
# define SSL3_RT_HEADER_LENGTH 5
+# define SSL3_HM_HEADER_LENGTH 4
+
# ifndef SSL3_ALIGN_PAYLOAD
/*
* Some will argue that this increases memory footprint, but it's not
Modified: vendor-crypto/openssl/dist/ssl/ssl_asn1.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/ssl_asn1.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/ssl_asn1.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -121,7 +121,7 @@
int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
{
#define LSIZE2 (sizeof(long)*2)
- int v1 = 0, v2 = 0, v3 = 0, v4 = 0, v5 = 0, v7 = 0, v8 = 0;
+ int v1 = 0, v2 = 0, v3 = 0, v4 = 0, v5 = 0;
unsigned char buf[4], ibuf1[LSIZE2], ibuf2[LSIZE2];
unsigned char ibuf3[LSIZE2], ibuf4[LSIZE2], ibuf5[LSIZE2];
#ifndef OPENSSL_NO_TLSEXT
@@ -128,6 +128,9 @@
int v6 = 0, v9 = 0, v10 = 0;
unsigned char ibuf6[LSIZE2];
#endif
+#ifndef OPENSSL_NO_PSK
+ int v7 = 0, v8 = 0;
+#endif
#ifndef OPENSSL_NO_COMP
unsigned char cbuf;
int v11 = 0;
Modified: vendor-crypto/openssl/dist/ssl/ssl_cert.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/ssl_cert.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/ssl_cert.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -206,6 +206,7 @@
memset(ret, 0, sizeof(CERT));
+ ret->references = 1;
ret->key = &ret->pkeys[cert->key - &cert->pkeys[0]];
/*
* or ret->key = ret->pkeys + (cert->key - cert->pkeys), if you find that
@@ -282,7 +283,6 @@
* chain is held inside SSL_CTX
*/
- ret->references = 1;
/*
* Set digests to defaults. NB: we don't copy existing values as they
* will be set during handshake.
Modified: vendor-crypto/openssl/dist/ssl/ssl_ciph.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/ssl_ciph.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/ssl_ciph.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -356,10 +356,11 @@
const EVP_PKEY_ASN1_METHOD *ameth;
int pkey_id = 0;
ameth = EVP_PKEY_asn1_find_str(NULL, pkey_name, -1);
- if (ameth) {
- EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
+ if (ameth && EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL,
+ ameth) > 0) {
+ return pkey_id;
}
- return pkey_id;
+ return 0;
}
#else
@@ -371,7 +372,9 @@
int pkey_id = 0;
ameth = EVP_PKEY_asn1_find_str(&tmpeng, pkey_name, -1);
if (ameth) {
- EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
+ if (EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL,
+ ameth) <= 0)
+ pkey_id = 0;
}
if (tmpeng)
ENGINE_finish(tmpeng);
Modified: vendor-crypto/openssl/dist/ssl/ssl_err.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/ssl_err.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/ssl_err.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -162,6 +162,8 @@
{ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"},
{ERR_FUNC(SSL_F_SSL3_CHECK_FINISHED), "SSL3_CHECK_FINISHED"},
{ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"},
+ {ERR_FUNC(SSL_F_SSL3_GENERATE_MASTER_SECRET),
+ "ssl3_generate_master_secret"},
{ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST),
"SSL3_GET_CERTIFICATE_REQUEST"},
{ERR_FUNC(SSL_F_SSL3_GET_CERT_STATUS), "SSL3_GET_CERT_STATUS"},
@@ -369,8 +371,11 @@
"bad data returned by callback"},
{ERR_REASON(SSL_R_BAD_DECOMPRESSION), "bad decompression"},
{ERR_REASON(SSL_R_BAD_DH_G_LENGTH), "bad dh g length"},
+ {ERR_REASON(SSL_R_BAD_DH_G_VALUE), "bad dh g value"},
{ERR_REASON(SSL_R_BAD_DH_PUB_KEY_LENGTH), "bad dh pub key length"},
+ {ERR_REASON(SSL_R_BAD_DH_PUB_KEY_VALUE), "bad dh pub key value"},
{ERR_REASON(SSL_R_BAD_DH_P_LENGTH), "bad dh p length"},
+ {ERR_REASON(SSL_R_BAD_DH_P_VALUE), "bad dh p value"},
{ERR_REASON(SSL_R_BAD_DIGEST_LENGTH), "bad digest length"},
{ERR_REASON(SSL_R_BAD_DSA_SIGNATURE), "bad dsa signature"},
{ERR_REASON(SSL_R_BAD_ECC_CERT), "bad ecc cert"},
Modified: vendor-crypto/openssl/dist/ssl/ssl_lib.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/ssl_lib.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/ssl_lib.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -307,6 +307,7 @@
s->options = ctx->options;
s->mode = ctx->mode;
s->max_cert_list = ctx->max_cert_list;
+ s->references = 1;
if (ctx->cert != NULL) {
/*
@@ -375,7 +376,6 @@
if (!s->method->ssl_new(s))
goto err;
- s->references = 1;
s->server = (ctx->method->ssl_accept == ssl_undefined_function) ? 0 : 1;
SSL_clear(s);
@@ -3283,8 +3283,11 @@
{
ssl_clear_hash_ctx(hash);
*hash = EVP_MD_CTX_create();
- if (md)
- EVP_DigestInit_ex(*hash, md, NULL);
+ if (*hash == NULL || (md && EVP_DigestInit_ex(*hash, md, NULL) <= 0)) {
+ EVP_MD_CTX_destroy(*hash);
+ *hash = NULL;
+ return NULL;
+ }
return *hash;
}
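Review bot: The function can now return NULL, and this contract is not documented anywhere near the definition, even though every caller has to check for it. By the time the new branch runs, `ssl_clear_hash_ctx(hash)` has already been called, so on failure the caller has lost the old context and `*hash` is NULL. A comment above the function would make that explicit, for example `/* Returns the new digest context, or NULL on allocation/init failure; the previous *hash has been cleared and *hash is left NULL. */`. The signature is outside the hunk, and the visible call sites in s3_enc.c and t1_enc.c have been updated to test the result.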
Modified: vendor-crypto/openssl/dist/ssl/ssl_locl.h
===================================================================
--- vendor-crypto/openssl/dist/ssl/ssl_locl.h 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/ssl_locl.h 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1154,7 +1154,7 @@
unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf,
unsigned char *limit);
int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data,
- unsigned char *d, int n, int *al);
+ unsigned char *limit, int *al);
int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data,
unsigned char *d, int n, int *al);
int ssl_prepare_clienthello_tlsext(SSL *s);
@@ -1218,15 +1218,15 @@
SSL3_RECORD *rec,
unsigned block_size, unsigned mac_size);
char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
-void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
- unsigned char *md_out,
- size_t *md_out_size,
- const unsigned char header[13],
- const unsigned char *data,
- size_t data_plus_mac_size,
- size_t data_plus_mac_plus_padding_size,
- const unsigned char *mac_secret,
- unsigned mac_secret_length, char is_sslv3);
+int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx,
+ unsigned char *md_out,
+ size_t *md_out_size,
+ const unsigned char header[13],
+ const unsigned char *data,
+ size_t data_plus_mac_size,
+ size_t data_plus_mac_plus_padding_size,
+ const unsigned char *mac_secret,
+ unsigned mac_secret_length, char is_sslv3);
void tls_fips_digest_extra(const EVP_CIPHER_CTX *cipher_ctx,
EVP_MD_CTX *mac_ctx, const unsigned char *data,
Modified: vendor-crypto/openssl/dist/ssl/ssl_rsa.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/ssl_rsa.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/ssl_rsa.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -160,7 +160,10 @@
}
RSA_up_ref(rsa);
- EVP_PKEY_assign_RSA(pkey, rsa);
+ if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
+ RSA_free(rsa);
+ return 0;
+ }
ret = ssl_set_pkey(ssl->cert, pkey);
EVP_PKEY_free(pkey);
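Review bot: The new error branch releases the extra reference on `rsa` but returns without releasing `pkey`. The success path frees `pkey` with `EVP_PKEY_free(pkey);` two lines later, so the object appears to be owned by this function (its allocation is outside the hunk) and would leak when `EVP_PKEY_assign_RSA` fails. Adding `EVP_PKEY_free(pkey);` before `return 0;` closes that. The identical branch in hunk `@@ -502,7 +518,10 @@` has the same gap.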
@@ -181,6 +184,15 @@
if (c->pkeys[i].x509 != NULL) {
EVP_PKEY *pktmp;
pktmp = X509_get_pubkey(c->pkeys[i].x509);
+ if (pktmp == NULL) {
+ SSLerr(SSL_F_SSL_SET_PKEY, ERR_R_MALLOC_FAILURE);
+ EVP_PKEY_free(pktmp);
+ return 0;
+ }
+ /*
+ * The return code from EVP_PKEY_copy_parameters is deliberately
+ * ignored. Some EVP_PKEY types cannot do this.
+ */
EVP_PKEY_copy_parameters(pktmp, pkey);
EVP_PKEY_free(pktmp);
ERR_clear_error();
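Review bot: Inside `if (pktmp == NULL)`, the call `EVP_PKEY_free(pktmp);` always receives NULL and is at best a no-op; it can be dropped so the branch does not suggest there is something to release. The reason code is also worth a second look: `ERR_R_MALLOC_FAILURE` is recorded for any NULL from `X509_get_pubkey`, which may also fail for reasons other than allocation (for instance a key it cannot decode), so the error queue can point an operator at memory pressure when the certificate is the problem. The enclosing function starts and ends outside the hunk.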
@@ -382,6 +394,10 @@
}
if (c->pkeys[i].privatekey != NULL) {
+ /*
+ * The return code from EVP_PKEY_copy_parameters is deliberately
+ * ignored. Some EVP_PKEY types cannot do this.
+ */
EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
ERR_clear_error();
@@ -502,7 +518,10 @@
}
RSA_up_ref(rsa);
- EVP_PKEY_assign_RSA(pkey, rsa);
+ if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
+ RSA_free(rsa);
+ return 0;
+ }
ret = ssl_set_pkey(ctx->cert, pkey);
EVP_PKEY_free(pkey);
Modified: vendor-crypto/openssl/dist/ssl/ssl_sess.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/ssl_sess.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/ssl_sess.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -256,8 +256,8 @@
dest->tlsext_ecpointformatlist = NULL;
dest->tlsext_ellipticcurvelist = NULL;
# endif
+ dest->tlsext_tick = NULL;
#endif
- dest->tlsext_tick = NULL;
#ifndef OPENSSL_NO_SRP
dest->srp_username = NULL;
#endif
@@ -324,7 +324,6 @@
goto err;
}
# endif
-#endif
if (ticket != 0) {
dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen);
@@ -334,6 +333,7 @@
dest->tlsext_tick_lifetime_hint = 0;
dest->tlsext_ticklen = 0;
}
+#endif
#ifndef OPENSSL_NO_SRP
if (src->srp_username) {
Modified: vendor-crypto/openssl/dist/ssl/ssltest.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/ssltest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/ssltest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -142,6 +142,7 @@
/* Or gethostname won't be declared properly on Linux and GNU platforms. */
#define _BSD_SOURCE 1
+#define _DEFAULT_SOURCE 1
#include <assert.h>
#include <errno.h>
Modified: vendor-crypto/openssl/dist/ssl/t1_enc.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/t1_enc.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/t1_enc.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -385,6 +385,8 @@
EVP_CIPHER_CTX_init(s->enc_read_ctx);
dd = s->enc_read_ctx;
mac_ctx = ssl_replace_hash(&s->read_hash, NULL);
+ if (mac_ctx == NULL)
+ goto err;
#ifndef OPENSSL_NO_COMP
if (s->expand != NULL) {
COMP_CTX_free(s->expand);
@@ -423,11 +425,14 @@
dd = s->enc_write_ctx;
if (SSL_IS_DTLS(s)) {
mac_ctx = EVP_MD_CTX_create();
- if (!mac_ctx)
+ if (mac_ctx == NULL)
goto err;
s->write_hash = mac_ctx;
- } else
+ } else {
mac_ctx = ssl_replace_hash(&s->write_hash, NULL);
+ if (mac_ctx == NULL)
+ goto err;
+ }
#ifndef OPENSSL_NO_COMP
if (s->compress != NULL) {
COMP_CTX_free(s->compress);
@@ -500,7 +505,12 @@
if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
mac_secret, *mac_secret_size);
- EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key);
+ if (mac_key == NULL
+ || EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) {
+ EVP_PKEY_free(mac_key);
+ SSLerr(SSL_F_TLS1_CHANGE_CIPHER_STATE, ERR_R_INTERNAL_ERROR);
+ goto err2;
+ }
EVP_PKEY_free(mac_key);
}
#ifdef TLS_DEBUG
@@ -913,8 +923,9 @@
}
EVP_MD_CTX_init(&ctx);
- EVP_MD_CTX_copy_ex(&ctx, d);
- EVP_DigestFinal_ex(&ctx, out, &ret);
+ if (EVP_MD_CTX_copy_ex(&ctx, d) <=0
+ || EVP_DigestFinal_ex(&ctx, out, &ret) <= 0)
+ ret = 0;
EVP_MD_CTX_cleanup(&ctx);
return ((int)ret);
}
@@ -1041,17 +1052,24 @@
* are hashing because that gives an attacker a timing-oracle.
*/
/* Final param == not SSLv3 */
- ssl3_cbc_digest_record(mac_ctx,
- md, &md_size,
- header, rec->input,
- rec->length + md_size, orig_len,
- ssl->s3->read_mac_secret,
- ssl->s3->read_mac_secret_size, 0);
+ if (ssl3_cbc_digest_record(mac_ctx,
+ md, &md_size,
+ header, rec->input,
+ rec->length + md_size, orig_len,
+ ssl->s3->read_mac_secret,
+ ssl->s3->read_mac_secret_size, 0) <= 0) {
+ if (!stream_mac)
+ EVP_MD_CTX_cleanup(&hmac);
+ return -1;
+ }
} else {
- EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
- EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
- t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
- OPENSSL_assert(t > 0);
+ if (EVP_DigestSignUpdate(mac_ctx, header, sizeof(header)) <= 0
+ || EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length) <= 0
+ || EVP_DigestSignFinal(mac_ctx, md, &md_size) <= 0) {
+ if (!stream_mac)
+ EVP_MD_CTX_cleanup(&hmac);
+ return -1;
+ }
#ifdef OPENSSL_FIPS
if (!send && FIPS_mode())
tls_fips_digest_extra(ssl->enc_read_ctx,
Modified: vendor-crypto/openssl/dist/ssl/t1_lib.c
===================================================================
--- vendor-crypto/openssl/dist/ssl/t1_lib.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/t1_lib.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -913,7 +913,7 @@
* 10.8..10.8.3 (which don't work).
*/
static void ssl_check_for_safari(SSL *s, const unsigned char *data,
- const unsigned char *d, int n)
+ const unsigned char *limit)
{
unsigned short type, size;
static const unsigned char kSafariExtensionsBlock[] = {
@@ -942,11 +942,11 @@
0x02, 0x03, /* SHA-1/ECDSA */
};
- if (data >= (d + n - 2))
+ if (data >= (limit - 2))
return;
data += 2;
- if (data > (d + n - 4))
+ if (data > (limit - 4))
return;
n2s(data, type);
n2s(data, size);
@@ -954,7 +954,7 @@
if (type != TLSEXT_TYPE_server_name)
return;
- if (data + size > d + n)
+ if (data + size > limit)
return;
data += size;
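Review bot: The bounds test `if (data + size > limit)` forms `data + size` before comparing, and `size` is a 16-bit value read from the peer's message, so the sum can point well past the end of the buffer. That is undefined behaviour in C, and a compiler may use it to weaken the check. Comparing lengths instead avoids forming the out-of-range pointer: `if (size > (size_t)(limit - data)) return;` (`data` cannot exceed `limit` here because of the `limit - 4` test above). The same pattern survives the `d + n` to `limit` rewrite in the next two hunks (`data + len1 + len2 != limit`, `data + len != limit`) and in `ssl_parse_clienthello_tlsext` (`data + len != limit`, `data + size > (limit)`), and should be changed together.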
@@ -962,7 +962,7 @@
const size_t len1 = sizeof(kSafariExtensionsBlock);
const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
- if (data + len1 + len2 != d + n)
+ if (data + len1 + len2 != limit)
return;
if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
return;
@@ -971,7 +971,7 @@
} else {
const size_t len = sizeof(kSafariExtensionsBlock);
- if (data + len != d + n)
+ if (data + len != limit)
return;
if (memcmp(data, kSafariExtensionsBlock, len) != 0)
return;
@@ -981,8 +981,8 @@
}
# endif /* !OPENSSL_NO_EC */
-int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
- int n, int *al)
+int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
+ unsigned char *limit, int *al)
{
unsigned short type;
unsigned short size;
@@ -1004,7 +1004,7 @@
# ifndef OPENSSL_NO_EC
if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
- ssl_check_for_safari(s, data, d, n);
+ ssl_check_for_safari(s, data, limit);
# endif /* !OPENSSL_NO_EC */
# ifndef OPENSSL_NO_SRP
@@ -1016,22 +1016,22 @@
s->srtp_profile = NULL;
- if (data == d + n)
+ if (data == limit)
goto ri_check;
- if (data > (d + n - 2))
+ if (data > (limit - 2))
goto err;
n2s(data, len);
- if (data > (d + n - len))
+ if (data + len != limit)
goto err;
- while (data <= (d + n - 4)) {
+ while (data <= (limit - 4)) {
n2s(data, type);
n2s(data, size);
- if (data + size > (d + n))
+ if (data + size > (limit))
goto err;
# if 0
fprintf(stderr, "Received extension type %d size %d\n", type, size);
@@ -1396,7 +1396,7 @@
}
/* Spurious data on the end */
- if (data != d + n)
+ if (data != limit)
goto err;
*p = data;
@@ -2291,10 +2291,13 @@
/* Check key name matches */
if (memcmp(etick, tctx->tlsext_tick_key_name, 16))
return 2;
- HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
- tlsext_tick_md(), NULL);
- EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
- tctx->tlsext_tick_aes_key, etick + 16);
+ if (HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
+ tlsext_tick_md(), NULL) <= 0
+ || EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
+ tctx->tlsext_tick_aes_key,
+ etick + 16) <= 0) {
+ goto err;
+ }
}
/*
* Attempt to process session ticket, first conduct sanity and integrity
@@ -2302,13 +2305,14 @@
*/
mlen = HMAC_size(&hctx);
if (mlen < 0) {
- EVP_CIPHER_CTX_cleanup(&ctx);
- return -1;
+ goto err;
}
eticklen -= mlen;
/* Check HMAC of encrypted ticket */
- HMAC_Update(&hctx, etick, eticklen);
- HMAC_Final(&hctx, tick_hmac, NULL);
+ if (HMAC_Update(&hctx, etick, eticklen) <= 0
+ || HMAC_Final(&hctx, tick_hmac, NULL) <= 0) {
+ goto err;
+ }
HMAC_CTX_cleanup(&hctx);
if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) {
EVP_CIPHER_CTX_cleanup(&ctx);
@@ -2319,11 +2323,10 @@
p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
sdec = OPENSSL_malloc(eticklen);
- if (!sdec) {
+ if (!sdec || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
EVP_CIPHER_CTX_cleanup(&ctx);
return -1;
}
- EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen);
if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
EVP_CIPHER_CTX_cleanup(&ctx);
OPENSSL_free(sdec);
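Review bot: Folding `EVP_DecryptUpdate` into the allocation check means the merged branch returns -1 without releasing `sdec` when `OPENSSL_malloc` succeeds but the update fails. The `EVP_DecryptFinal` failure branch right below does call `OPENSSL_free(sdec);`, so the two paths are now inconsistent and the first one leaks the ticket-sized buffer. Add `OPENSSL_free(sdec);` before `return -1;` in the merged branch, guarded or split if the allocator in use does not accept NULL. The function continues outside this hunk.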
@@ -2356,6 +2359,10 @@
* For session parse failure, indicate that we need to send a new ticket.
*/
return 2;
+err:
+ EVP_CIPHER_CTX_cleanup(&ctx);
+ HMAC_CTX_cleanup(&hctx);
+ return -1;
}
/* Tables to translate from NIDs to TLS v1.2 ids */
Modified: vendor-crypto/openssl/dist/ssl/tls1.h
===================================================================
--- vendor-crypto/openssl/dist/ssl/tls1.h 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/ssl/tls1.h 2015-12-05 17:55:33 UTC (rev 7389)
@@ -235,8 +235,7 @@
/*
* ExtensionType value for TLS padding extension.
- * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
- * http://tools.ietf.org/html/draft-agl-tls-padding-03
+ * http://tools.ietf.org/html/draft-agl-tls-padding
*/
# define TLSEXT_TYPE_padding 21
@@ -261,12 +260,12 @@
# define TLSEXT_TYPE_next_proto_neg 13172
# endif
-/* NameType value from RFC 3546 */
+/* NameType value from RFC3546 */
# define TLSEXT_NAMETYPE_host_name 0
-/* status request value from RFC 3546 */
+/* status request value from RFC3546 */
# define TLSEXT_STATUSTYPE_ocsp 1
-/* ECPointFormat values from draft-ietf-tls-ecc-12 */
+/* ECPointFormat values from RFC4492 */
# define TLSEXT_ECPOINTFORMAT_first 0
# define TLSEXT_ECPOINTFORMAT_uncompressed 0
# define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime 1
@@ -273,8 +272,7 @@
# define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 2
# define TLSEXT_ECPOINTFORMAT_last 2
-/* Signature and hash algorithms from RFC 5246 */
-
+/* Signature and hash algorithms from RFC5246 */
# define TLSEXT_signature_anonymous 0
# define TLSEXT_signature_rsa 1
# define TLSEXT_signature_dsa 2
@@ -404,7 +402,6 @@
# define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA 0x03000066
/* AES ciphersuites from RFC3268 */
-
# define TLS1_CK_RSA_WITH_AES_128_SHA 0x0300002F
# define TLS1_CK_DH_DSS_WITH_AES_128_SHA 0x03000030
# define TLS1_CK_DH_RSA_WITH_AES_128_SHA 0x03000031
@@ -570,7 +567,7 @@
# define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA "DHE-RSA-AES256-SHA"
# define TLS1_TXT_ADH_WITH_AES_256_SHA "ADH-AES256-SHA"
-/* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */
+/* ECC ciphersuites from RFC4492 */
# define TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA "ECDH-ECDSA-NULL-SHA"
# define TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA "ECDH-ECDSA-RC4-SHA"
# define TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA "ECDH-ECDSA-DES-CBC3-SHA"
Modified: vendor-crypto/openssl/dist/test/Makefile
===================================================================
--- vendor-crypto/openssl/dist/test/Makefile 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/Makefile 2015-12-05 17:55:33 UTC (rev 7389)
@@ -66,6 +66,8 @@
ASN1TEST= asn1test
HEARTBEATTEST= heartbeat_test
CONSTTIMETEST= constant_time_test
+VERIFYEXTRATEST= verify_extra_test
+CLIENTHELLOTEST= clienthellotest
TESTS= alltests
@@ -77,7 +79,8 @@
$(RANDTEST)$(EXE_EXT) $(DHTEST)$(EXE_EXT) $(ENGINETEST)$(EXE_EXT) \
$(BFTEST)$(EXE_EXT) $(CASTTEST)$(EXE_EXT) $(SSLTEST)$(EXE_EXT) $(EXPTEST)$(EXE_EXT) $(DSATEST)$(EXE_EXT) $(RSATEST)$(EXE_EXT) \
$(EVPTEST)$(EXE_EXT) $(EVPEXTRATEST)$(EXE_EXT) $(IGETEST)$(EXE_EXT) $(JPAKETEST)$(EXE_EXT) $(SRPTEST)$(EXE_EXT) \
- $(ASN1TEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT) $(CONSTTIMETEST)$(EXE_EXT)
+ $(ASN1TEST)$(EXE_EXT) $(HEARTBEATTEST)$(EXE_EXT) $(CONSTTIMETEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT) \
+ $(CLIENTHELLOTEST)$(EXE_EXT)
# $(METHTEST)$(EXE_EXT)
@@ -90,7 +93,8 @@
$(RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \
$(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \
$(EVPTEST).o $(EVPEXTRATEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o \
- $(HEARTBEATTEST).o $(CONSTTIMETEST).o
+ $(HEARTBEATTEST).o $(CONSTTIMETEST).o $(VERIFYEXTRATEST).o \
+ $(CLIENTHELLOTEST).o
SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \
$(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \
@@ -100,7 +104,8 @@
$(RANDTEST).c $(DHTEST).c $(ENGINETEST).c $(CASTTEST).c \
$(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c \
$(EVPTEST).c $(EVPEXTRATEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \
- $(HEARTBEATTEST).c $(CONSTTIMETEST).c
+ $(HEARTBEATTEST).c $(CONSTTIMETEST).c $(VERIFYEXTRATEST).c \
+ $(CLIENTHELLOTEST).c
EXHEADER=
HEADER= $(EXHEADER)
@@ -143,7 +148,8 @@
test_enc test_x509 test_rsa test_crl test_sid \
test_gen test_req test_pkcs7 test_verify test_dh test_dsa \
test_ss test_ca test_engine test_evp test_evp_extra test_ssl test_tsa test_ige \
- test_jpake test_srp test_cms test_heartbeat test_constant_time
+ test_jpake test_srp test_cms test_heartbeat test_constant_time test_verify_extra \
+ test_clienthello
test_evp:
../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt
@@ -334,6 +340,14 @@
@echo "Test constant time utilites"
../util/shlib_wrap.sh ./$(CONSTTIMETEST)
+test_verify_extra: $(VERIFYEXTRATEST)$(EXE_EXT)
+ @echo $(START) $@
+ ../util/shlib_wrap.sh ./$(VERIFYEXTRATEST)
+
+test_clienthello: $(CLIENTHELLOTEST)$(EXE_EXT)
+ @echo $(START) $@
+ ../util/shlib_wrap.sh ./$(CLIENTHELLOTEST)
+
lint:
lint -DLINT $(INCLUDES) $(SRC)>fluff
@@ -502,6 +516,12 @@
$(CONSTTIMETEST)$(EXE_EXT): $(CONSTTIMETEST).o
@target=$(CONSTTIMETEST) $(BUILD_CMD)
+$(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEXTRATEST).o
+ @target=$(VERIFYEXTRATEST) $(BUILD_CMD)
+
+$(CLIENTHELLOTEST)$(EXE_EXT): $(CLIENTHELLOTEST).o
+ @target=$(CLIENTHELLOTEST) $(BUILD_CMD)
+
#$(AESTEST).o: $(AESTEST).c
# $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
@@ -547,6 +567,26 @@
bntest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h bntest.c
casttest.o: ../e_os.h ../include/openssl/cast.h ../include/openssl/e_os2.h
casttest.o: ../include/openssl/opensslconf.h casttest.c
+clienthellotest.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+clienthellotest.o: ../include/openssl/buffer.h ../include/openssl/comp.h
+clienthellotest.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+clienthellotest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+clienthellotest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+clienthellotest.o: ../include/openssl/err.h ../include/openssl/evp.h
+clienthellotest.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+clienthellotest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+clienthellotest.o: ../include/openssl/objects.h
+clienthellotest.o: ../include/openssl/opensslconf.h
+clienthellotest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+clienthellotest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+clienthellotest.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+clienthellotest.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+clienthellotest.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
+clienthellotest.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+clienthellotest.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+clienthellotest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+clienthellotest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+clienthellotest.o: clienthellotest.c
constant_time_test.o: ../crypto/constant_time_locl.h ../e_os.h
constant_time_test.o: ../include/openssl/e_os2.h
constant_time_test.o: ../include/openssl/opensslconf.h constant_time_test.c
@@ -792,6 +832,21 @@
ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
ssltest.o: ../include/openssl/x509v3.h ssltest.c
+verify_extra_test.o: ../include/openssl/asn1.h ../include/openssl/bio.h
+verify_extra_test.o: ../include/openssl/buffer.h ../include/openssl/crypto.h
+verify_extra_test.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+verify_extra_test.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+verify_extra_test.o: ../include/openssl/err.h ../include/openssl/evp.h
+verify_extra_test.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+verify_extra_test.o: ../include/openssl/objects.h
+verify_extra_test.o: ../include/openssl/opensslconf.h
+verify_extra_test.o: ../include/openssl/opensslv.h
+verify_extra_test.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+verify_extra_test.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+verify_extra_test.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+verify_extra_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+verify_extra_test.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+verify_extra_test.o: verify_extra_test.c
wp_test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
wp_test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
wp_test.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h
Modified: vendor-crypto/openssl/dist/test/bftest.c
===================================================================
--- vendor-crypto/openssl/dist/test/bftest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/bftest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/bf/bftest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/bf/bftest.c
\ No newline at end of file
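Review bot: The new link target `openssl-1.0.1q/../crypto/bf/bftest.c` resolves only if a directory named `openssl-1.0.1q` exists inside `test/`, and nothing in the visible part of this commit creates one, so the symlink is probably dangling after checkout. The same prefix is added to every other `svn:special` link under `test/` in this revision (bntest.c through wp_test.c, including the newly added clienthellotest.c and verify_extra_test.c). That pattern looks like an artifact of how the release tarball was unpacked rather than an upstream change. The targets should stay relative to `test/`, as in the old `link ../crypto/bf/bftest.c`; otherwise the test programs cannot be built from this vendor tree and the import cannot be checked with the bundled test suite.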
Modified: vendor-crypto/openssl/dist/test/bntest.c
===================================================================
--- vendor-crypto/openssl/dist/test/bntest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/bntest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/bn/bntest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/bn/bntest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/casttest.c
===================================================================
--- vendor-crypto/openssl/dist/test/casttest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/casttest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/cast/casttest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/cast/casttest.c
\ No newline at end of file
Added: vendor-crypto/openssl/dist/test/certs/bad.key
===================================================================
--- vendor-crypto/openssl/dist/test/certs/bad.key (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/bad.key 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
Added: vendor-crypto/openssl/dist/test/certs/bad.pem
===================================================================
--- vendor-crypto/openssl/dist/test/certs/bad.pem (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/bad.pem 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIJAJgwOOciuxjSMA0GCSqGSIb3DQEBCwUAMFQxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxDTALBgNVBAMTBGxlYWYwHhcNMTUwNzAyMTMyMDQ2WhcN
+MzUwNzAyMTMyMDQ2WjBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0
+ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNi
+YWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBOo2Sjm9CJDkFCiE8
+nezJKuNPol52Owq23U5nyd1HYLVqxSIeClU7xAMcogPzxCSXHpQKJ54oDAhjRXOp
+bNPJlZPB2pNT23xqsccm7shwWWZawAt/BOYBFYmalj4rx8adDHUrF+LqdAnxaGrh
+twConYdfMbr1aOzcqLvRJw1tD1FTBcmf8V42uymEoC/krbbMGqNYBB1gyDq+0pkB
+cIRPyPDo6Q9WdRv9C/KgESKNa3T4cGHvAuRJS8yP/t9zzz7G28apk/IbY/LgN1Zb
+Wy2mCJndNOiESTzi3W7kvepBpFCZUTrLlEwibJVjyF6ALjNzpoZkMVG/wxH6CTqm
+ty5TAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFJoH29IULbskIG8BwYp4
+9yD+q7wbMB8GA1UdIwQYMBaAFBwdxP7xJUYhGU31hO4z2uXPtRl/MA0GCSqGSIb3
+DQEBCwUAA4IBAQBl0tHkWMBHW6r3ywBlWWFdok04xlt2QD8eA4ywwz97t/8JgLht
+OpuHO1bQtrZR6bxAgYT1+yHQnYBTfjKxFq+S9EP6nxBe94mEgizLmMv9pf7x5q+H
+pfT8ejcY54E/oXlFXSbLDE1BDpfgkWll2/TIsTRJNoM2n8mytEdPqzRburwWnoFR
+VchcfO968asdc9/8glSLJSNO+Wh9vQlbtcPzfbd4ZVE5E/P6drQzSwNjWvHQdswJ
+ujkY1zkTP2rtVBGN4OyOfkE6enVKpt5lN6AqjEMhJ5i/yFM/jDndTrgd/JkAvyUJ
+O2ELtifCd8DeSYNA9Qm8/MEUYq1xXQrGJHCE
+-----END CERTIFICATE-----
Added: vendor-crypto/openssl/dist/test/certs/interCA.key
===================================================================
--- vendor-crypto/openssl/dist/test/certs/interCA.key (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/interCA.key 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
Added: vendor-crypto/openssl/dist/test/certs/interCA.pem
===================================================================
--- vendor-crypto/openssl/dist/test/certs/interCA.pem (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/interCA.pem 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Added: vendor-crypto/openssl/dist/test/certs/leaf.key
===================================================================
--- vendor-crypto/openssl/dist/test/certs/leaf.key (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/leaf.key 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
Added: vendor-crypto/openssl/dist/test/certs/leaf.pem
===================================================================
--- vendor-crypto/openssl/dist/test/certs/leaf.pem (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/leaf.pem 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAmagAwIBAgIJAKRNsDKacUqNMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxEzARBgNVBAMTCnN1YmludGVyQ0EwHhcNMTUwNzAyMTMx
+OTQ5WhcNMzUwNzAyMTMxOTQ5WjBUMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29t
+ZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ0wCwYD
+VQQDEwRsZWFmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv0Qo9WC/
+BKA70LtQJdwVGSXqr9dut3cQmiFzTb/SaWldjOT1sRNDFxSzdTJjU/8cIDEZvaTI
+wRxP/dtVQLjc+4jzrUwz93NuZYlsEWUEUg4Lrnfs0Nz50yHk4rJhVxWjb8Ii/wRB
+ViWHFExP7CwTkXiTclC1bCqTuWkjxF3thTfTsttRyY7qNkz2JpNx0guD8v4otQoY
+jA5AEZvK4IXLwOwxol5xBTMvIrvvff2kkh+c7OC2QVbUTow/oppjqIKCx2maNHCt
+LFTJELf3fwtRJLJsy4fKGP0/6kpZc8Sp88WK4B4FauF9IV1CmoAJUC1vJxhagHIK
+fVtFjUWs8GPobQIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQcHcT+8SVG
+IRlN9YTuM9rlz7UZfzAfBgNVHSMEGDAWgBTpZ30QdMGarrhMPwk+HHAV3R8aTzAN
+BgkqhkiG9w0BAQsFAAOCAQEAGjmSkF8is+v0/RLcnSRiCXENz+yNi4pFCAt6dOtT
+6Gtpqa1tY5It9lVppfWb26JrygMIzOr/fB0r1Q7FtZ/7Ft3P6IXVdk3GDO0QsORD
+2dRAejhYpc5c7joHxAw9oRfKrEqE+ihVPUTcfcIuBaalvuhkpQRmKP71ws5DVzOw
+QhnMd0TtIrbKHaNQ4kNsmSY5fQolwB0LtNfTus7OEFdcZWhOXrWImKXN9jewPKdV
+mSG34NfXOnA6qx0eQg06z+TkdrptH6j1Va2vS1/bL+h1GxjpTHlvTGaZYxaloIjw
+y/EzY5jygRoABnR3eBm15CYZwwKL9izIq1H3OhymEi/Ycg==
+-----END CERTIFICATE-----
Added: vendor-crypto/openssl/dist/test/certs/rootCA.key
===================================================================
--- vendor-crypto/openssl/dist/test/certs/rootCA.key (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/rootCA.key 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
Added: vendor-crypto/openssl/dist/test/certs/rootCA.pem
===================================================================
--- vendor-crypto/openssl/dist/test/certs/rootCA.pem (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/rootCA.pem 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Added: vendor-crypto/openssl/dist/test/certs/roots.pem
===================================================================
--- vendor-crypto/openssl/dist/test/certs/roots.pem (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/roots.pem 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Added: vendor-crypto/openssl/dist/test/certs/subinterCA-ss.pem
===================================================================
--- vendor-crypto/openssl/dist/test/certs/subinterCA-ss.pem (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/subinterCA-ss.pem 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Added: vendor-crypto/openssl/dist/test/certs/subinterCA.key
===================================================================
--- vendor-crypto/openssl/dist/test/certs/subinterCA.key (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/subinterCA.key 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
Added: vendor-crypto/openssl/dist/test/certs/subinterCA.pem
===================================================================
--- vendor-crypto/openssl/dist/test/certs/subinterCA.pem (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/subinterCA.pem 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Added: vendor-crypto/openssl/dist/test/certs/untrusted.pem
===================================================================
--- vendor-crypto/openssl/dist/test/certs/untrusted.pem (rev 0)
+++ vendor-crypto/openssl/dist/test/certs/untrusted.pem 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIIDhDCCAmygAwIBAgIJAJkv2OGshkmUMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMTB2ludGVyQ0EwHhcNMTUwNzAyMTMxODIz
+WhcNMzUwNzAyMTMxODIzWjBaMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1T
+dGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQD
+EwpzdWJpbnRlckNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/zQj
+vhbU7RWDsRaEkVUBZWR/PqZ49GoE9p3OyRN4pkt1c1yb2ARVkYZP5e9gHb04wPVz
+2+FYy+2mNkl+uAZbcK5w5fWO3WJIEn57he4MkWu3ew1nJeSv3na8gyOoCheG64kW
+VbA2YL92mR7QoSCo4SP7RmykLrwj6TlDxqgH6DxKSD/CpdCHE3DKAzAiri3GVc90
+OJAszYHlje4/maVIOayGROVET3xa5cbtRJl8IBgmqhMywtz4hhY/XZTvdEn290aL
+857Hk7JjogA7mLKi07yKzknMxHV+k6JX7xJEttkcNQRFHONWZG1T4mRY1Drh6VbJ
+Gb+0GNIldNLQqigkfwIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTp
+Z30QdMGarrhMPwk+HHAV3R8aTzAfBgNVHSMEGDAWgBQY+tYjuY9dXRN9Po+okcfZ
+YcAXLjANBgkqhkiG9w0BAQsFAAOCAQEAgVUsOf9rdHlQDw4clP8GMY7QahfXbvd8
+8o++P18KeInQXH6+sCg0axZXzhOmKwn+Ina3EsOP7xk4aKIYwJ4A1xBuT7fKxquQ
+pbJyjkEBsNRVLC9t4gOA0FC791v5bOCZjyff5uN+hy8r0828nVxha6CKLqwrPd+E
+mC7DtilSZIgO2vwbTBL6ifmw9n1dd/Bl8Wdjnl7YJqTIf0Ozc2SZSMRUq9ryn4Wq
+YrjRl8NwioGb1LfjEJ0wJi2ngL3IgaN94qmDn10OJs8hlsufwP1n+Bca3fsl0m5U
+gUMG+CXxbF0kdCKZ9kQb1MJE4vOk6zfyBGQndmQnxHjt5botI/xpXg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
Added: vendor-crypto/openssl/dist/test/clienthellotest.c
===================================================================
--- vendor-crypto/openssl/dist/test/clienthellotest.c (rev 0)
+++ vendor-crypto/openssl/dist/test/clienthellotest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1 @@
+link openssl-1.0.1q/../ssl/clienthellotest.c
\ No newline at end of file
Property changes on: vendor-crypto/openssl/dist/test/clienthellotest.c
___________________________________________________________________
Added: svn:special
## -0,0 +1 ##
+*
\ No newline at end of property
Modified: vendor-crypto/openssl/dist/test/constant_time_test.c
===================================================================
--- vendor-crypto/openssl/dist/test/constant_time_test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/constant_time_test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/constant_time_test.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/constant_time_test.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/destest.c
===================================================================
--- vendor-crypto/openssl/dist/test/destest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/destest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/des/destest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/des/destest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/dhtest.c
===================================================================
--- vendor-crypto/openssl/dist/test/dhtest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/dhtest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/dh/dhtest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/dh/dhtest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/dsatest.c
===================================================================
--- vendor-crypto/openssl/dist/test/dsatest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/dsatest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/dsa/dsatest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/dsa/dsatest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/ecdhtest.c
===================================================================
--- vendor-crypto/openssl/dist/test/ecdhtest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/ecdhtest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/ecdh/ecdhtest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/ecdh/ecdhtest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/ecdsatest.c
===================================================================
--- vendor-crypto/openssl/dist/test/ecdsatest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/ecdsatest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/ecdsa/ecdsatest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/ecdsa/ecdsatest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/ectest.c
===================================================================
--- vendor-crypto/openssl/dist/test/ectest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/ectest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/ec/ectest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/ec/ectest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/enginetest.c
===================================================================
--- vendor-crypto/openssl/dist/test/enginetest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/enginetest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/engine/enginetest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/engine/enginetest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/evp_extra_test.c
===================================================================
--- vendor-crypto/openssl/dist/test/evp_extra_test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/evp_extra_test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/evp/evp_extra_test.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/evp/evp_extra_test.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/evp_test.c
===================================================================
--- vendor-crypto/openssl/dist/test/evp_test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/evp_test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/evp/evp_test.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/evp/evp_test.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/exptest.c
===================================================================
--- vendor-crypto/openssl/dist/test/exptest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/exptest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/bn/exptest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/bn/exptest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/heartbeat_test.c
===================================================================
--- vendor-crypto/openssl/dist/test/heartbeat_test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/heartbeat_test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../ssl/heartbeat_test.c
\ No newline at end of file
+link openssl-1.0.1q/../ssl/heartbeat_test.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/hmactest.c
===================================================================
--- vendor-crypto/openssl/dist/test/hmactest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/hmactest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/hmac/hmactest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/hmac/hmactest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/ideatest.c
===================================================================
--- vendor-crypto/openssl/dist/test/ideatest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/ideatest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/idea/ideatest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/idea/ideatest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/jpaketest.c
===================================================================
--- vendor-crypto/openssl/dist/test/jpaketest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/jpaketest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link dummytest.c
\ No newline at end of file
+link openssl-1.0.1q/dummytest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/md2test.c
===================================================================
--- vendor-crypto/openssl/dist/test/md2test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/md2test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link dummytest.c
\ No newline at end of file
+link openssl-1.0.1q/dummytest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/md4test.c
===================================================================
--- vendor-crypto/openssl/dist/test/md4test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/md4test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/md4/md4test.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/md4/md4test.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/md5test.c
===================================================================
--- vendor-crypto/openssl/dist/test/md5test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/md5test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/md5/md5test.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/md5/md5test.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/mdc2test.c
===================================================================
--- vendor-crypto/openssl/dist/test/mdc2test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/mdc2test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/mdc2/mdc2test.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/mdc2/mdc2test.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/randtest.c
===================================================================
--- vendor-crypto/openssl/dist/test/randtest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/randtest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/rand/randtest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/rand/randtest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/rc2test.c
===================================================================
--- vendor-crypto/openssl/dist/test/rc2test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/rc2test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/rc2/rc2test.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/rc2/rc2test.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/rc4test.c
===================================================================
--- vendor-crypto/openssl/dist/test/rc4test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/rc4test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/rc4/rc4test.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/rc4/rc4test.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/rc5test.c
===================================================================
--- vendor-crypto/openssl/dist/test/rc5test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/rc5test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link dummytest.c
\ No newline at end of file
+link openssl-1.0.1q/dummytest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/rmdtest.c
===================================================================
--- vendor-crypto/openssl/dist/test/rmdtest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/rmdtest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/ripemd/rmdtest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/ripemd/rmdtest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/rsa_test.c
===================================================================
--- vendor-crypto/openssl/dist/test/rsa_test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/rsa_test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/rsa/rsa_test.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/rsa/rsa_test.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/sha1test.c
===================================================================
--- vendor-crypto/openssl/dist/test/sha1test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/sha1test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/sha/sha1test.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/sha/sha1test.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/sha256t.c
===================================================================
--- vendor-crypto/openssl/dist/test/sha256t.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/sha256t.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/sha/sha256t.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/sha/sha256t.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/sha512t.c
===================================================================
--- vendor-crypto/openssl/dist/test/sha512t.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/sha512t.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/sha/sha512t.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/sha/sha512t.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/shatest.c
===================================================================
--- vendor-crypto/openssl/dist/test/shatest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/shatest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/sha/shatest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/sha/shatest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/srptest.c
===================================================================
--- vendor-crypto/openssl/dist/test/srptest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/srptest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/srp/srptest.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/srp/srptest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/ssltest.c
===================================================================
--- vendor-crypto/openssl/dist/test/ssltest.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/ssltest.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../ssl/ssltest.c
\ No newline at end of file
+link openssl-1.0.1q/../ssl/ssltest.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/test/testssl
===================================================================
--- vendor-crypto/openssl/dist/test/testssl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/testssl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -120,16 +120,15 @@
$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
test_cipher() {
- local cipher=$1
- local protocol=$2
- echo "Testing $cipher"
+ _cipher=$1
+ echo "Testing $_cipher"
prot=""
- if [ $protocol = "SSLv3" ] ; then
+ if [ $2 = "SSLv3" ] ; then
prot="-ssl3"
fi
- $ssltest -cipher $cipher $prot
+ $ssltest -cipher $_cipher $prot
if [ $? -ne 0 ] ; then
- echo "Failed $cipher"
+ echo "Failed $_cipher"
exit 1
fi
}
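Review bot: `$2` is expanded unquoted in `if [ $2 = "SSLv3" ]`, so calling test_cipher with a missing or empty protocol argument makes `[` print an error and evaluate as false, and the cipher is then tested without `-ssl3` instead of the mistake being caught. Quote the expansion: `if [ "$2" = "SSLv3" ] ; then`. With `local` dropped, `_cipher` is now a script-wide variable; a short comment above the function, such as `# _cipher is global: plain sh has no local`, would make that explicit.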
@@ -199,16 +198,16 @@
echo skipping SRP tests
else
echo test tls1 with SRP
- $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123
+ $ssltest -tls1 -cipher SRP -srpuser test -srppass abc123 || exit 1
echo test tls1 with SRP via BIO pair
- $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123
+ $ssltest -bio_pair -tls1 -cipher SRP -srpuser test -srppass abc123 || exit 1
echo test tls1 with SRP auth
- $ssltest -tls1 -cipher aSRP -srpuser test -srppass abc123
+ $ssltest -tls1 -cipher aSRP -srpuser test -srppass abc123 || exit 1
echo test tls1 with SRP auth via BIO pair
- $ssltest -bio_pair -tls1 -cipher aSRP -srpuser test -srppass abc123
+ $ssltest -bio_pair -tls1 -cipher aSRP -srpuser test -srppass abc123 || exit 1
fi
exit 0
Added: vendor-crypto/openssl/dist/test/verify_extra_test.c
===================================================================
--- vendor-crypto/openssl/dist/test/verify_extra_test.c (rev 0)
+++ vendor-crypto/openssl/dist/test/verify_extra_test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1 @@
+link openssl-1.0.1q/../crypto/x509/verify_extra_test.c
\ No newline at end of file
Property changes on: vendor-crypto/openssl/dist/test/verify_extra_test.c
___________________________________________________________________
Added: svn:special
## -0,0 +1 ##
+*
\ No newline at end of property
Modified: vendor-crypto/openssl/dist/test/wp_test.c
===================================================================
--- vendor-crypto/openssl/dist/test/wp_test.c 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/test/wp_test.c 2015-12-05 17:55:33 UTC (rev 7389)
@@ -1 +1 @@
-link ../crypto/whrlpool/wp_test.c
\ No newline at end of file
+link openssl-1.0.1q/../crypto/whrlpool/wp_test.c
\ No newline at end of file
Modified: vendor-crypto/openssl/dist/util/indent.pro
===================================================================
--- vendor-crypto/openssl/dist/util/indent.pro 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/util/indent.pro 2015-12-05 17:55:33 UTC (rev 7389)
@@ -749,3 +749,19 @@
-T ssl_trace_tbl
-T _stdcall
-T tls12_lookup
+-T OPTIONS
+-T OPT_PAIR
+-T uint64_t
+-T int64_t
+-T uint32_t
+-T int32_t
+-T uint16_t
+-T int16_t
+-T uint8_t
+-T int8_t
+-T STRINT_PAIR
+-T felem
+-T felem_bytearray
+-T SH_LIST
+-T PACKET
+-T RECORD_LAYER
Modified: vendor-crypto/openssl/dist/util/mk1mf.pl
===================================================================
--- vendor-crypto/openssl/dist/util/mk1mf.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/util/mk1mf.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -424,7 +424,7 @@
$defs= <<"EOF";
# This makefile has been automatically generated from the OpenSSL distribution.
# This single makefile will build the complete OpenSSL distribution and
-# by default leave the 'intertesting' output files in .${o}out and the stuff
+# by default leave the 'interesting' output files in .${o}out and the stuff
# that needs deleting in .${o}tmp.
# The file was generated by running 'make makefile.one', which
# does a 'make files', which writes all the environment variables from all
Added: vendor-crypto/openssl/dist/util/mkrc.pl
===================================================================
--- vendor-crypto/openssl/dist/util/mkrc.pl (rev 0)
+++ vendor-crypto/openssl/dist/util/mkrc.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,71 @@
+#!/bin/env perl
+#
+open FD,"crypto/opensslv.h";
+while(<FD>) {
+ if (/OPENSSL_VERSION_NUMBER\s+(0x[0-9a-f]+)/i) {
+ $ver = hex($1);
+ $v1 = ($ver>>28);
+ $v2 = ($ver>>20)&0xff;
+ $v3 = ($ver>>12)&0xff;
+ $v4 = ($ver>> 4)&0xff;
+ $beta = $ver&0xf;
+ $version = "$v1.$v2.$v3";
+ if ($beta==0xf) { $version .= chr(ord('a')+$v4-1) if ($v4); }
+ elsif ($beta==0){ $version .= "-dev"; }
+ else { $version .= "-beta$beta"; }
+ last;
+ }
+}
+close(FD);
+
+$filename = $ARGV[0]; $filename =~ /(.*)\.([^.]+)$/;
+$basename = $1;
+$extname = $2;
+
+if ($extname =~ /dll/i) { $description = "OpenSSL shared library"; }
+else { $description = "OpenSSL application"; }
+
+print <<___;
+#include <winver.h>
+
+LANGUAGE 0x09,0x01
+
+1 VERSIONINFO
+ FILEVERSION $v1,$v2,$v3,$v4
+ PRODUCTVERSION $v1,$v2,$v3,$v4
+ FILEFLAGSMASK 0x3fL
+#ifdef _DEBUG
+ FILEFLAGS 0x01L
+#else
+ FILEFLAGS 0x00L
+#endif
+ FILEOS VOS__WINDOWS32
+ FILETYPE VFT_DLL
+ FILESUBTYPE 0x0L
+BEGIN
+ BLOCK "StringFileInfo"
+ BEGIN
+ BLOCK "040904b0"
+ BEGIN
+ // Required:
+ VALUE "CompanyName", "The OpenSSL Project, http://www.openssl.org/\\0"
+ VALUE "FileDescription", "$description\\0"
+ VALUE "FileVersion", "$version\\0"
+ VALUE "InternalName", "$basename\\0"
+ VALUE "OriginalFilename", "$filename\\0"
+ VALUE "ProductName", "The OpenSSL Toolkit\\0"
+ VALUE "ProductVersion", "$version\\0"
+ // Optional:
+ //VALUE "Comments", "\\0"
+ VALUE "LegalCopyright", "Copyright © 1998-2006 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.\\0"
+ //VALUE "LegalTrademarks", "\\0"
+ //VALUE "PrivateBuild", "\\0"
+ //VALUE "SpecialBuild", "\\0"
+ END
+ END
+ BLOCK "VarFileInfo"
+ BEGIN
+ VALUE "Translation", 0x409, 0x4b0
+ END
+END
+___
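Review bot: The `open FD,"crypto/opensslv.h";` at the top of the script is never checked, so when the script runs from the wrong directory the loop reads nothing and a resource file with empty `FILEVERSION`/`PRODUCTVERSION` fields is still printed. Fail early instead: `open(FD, '<', "crypto/opensslv.h") or die "can't open crypto/opensslv.h: $!";`. The match on `$ARGV[0]` is also unchecked, so an argument without a dot leaves `$basename` and `$extname` without a meaningful value; `die "usage: mkrc.pl <file.ext>\n" unless $filename =~ /(.*)\.([^.]+)$/;` would catch that. `$filename` is interpolated into the quoted `VALUE` strings as-is, so a comment stating that the argument must not contain `"` or backslashes would document the assumption.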
Modified: vendor-crypto/openssl/dist/util/mkstack.pl
===================================================================
--- vendor-crypto/openssl/dist/util/mkstack.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/util/mkstack.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -97,7 +97,7 @@
EOF
}
- foreach $type_thing (sort @sstacklst) {
+ foreach $type_thing (sort { $a->[0] cmp $b->[0]} @sstacklst) {
my $t1 = $type_thing->[0];
my $t2 = $type_thing->[1];
$new_stackfile .= <<EOF;
Modified: vendor-crypto/openssl/dist/util/pl/VC-32.pl
===================================================================
--- vendor-crypto/openssl/dist/util/pl/VC-32.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/util/pl/VC-32.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -342,15 +342,17 @@
local($ret,$_);
$file =~ s/\//$o/g if $o ne '/';
$n=&bname($target);
- $ret.="$target: $files $dep_libs\n";
+ $ret.="$target: $files $dep_libs";
if ($standalone == 1)
{
+ $ret.=" \$(OBJ_D)${o}applink.obj\n";
$ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n\t";
- $ret.= "\$(EX_LIBS) " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild);
+ $ret.= "\$(EX_LIBS) \$(OBJ_D)${o}applink.obj " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild);
$ret.="$files $libs\n<<\n";
}
elsif ($standalone == 2)
{
+ $ret.="\n";
$ret.="\tSET FIPS_LINK=\$(LINK)\n";
$ret.="\tSET FIPS_CC=\$(CC)\n";
$ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n";
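Review bot: In the `$standalone == 1` branch, `$(OBJ_D)${o}applink.obj` becomes a prerequisite of every target but is put on the linker input only when `$files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild`. If that asymmetry is intended, it deserves a comment such as `# applink.obj is always built, but linked only into FIPS-canister executables`. Because the newline that ends the rule line moved out of the shared `$ret.="$target: $files $dep_libs"` statement, each branch must now append it itself. The three visible branches do (the third is in the next hunk), and a comment at the shared statement, `# each branch below terminates the dependency line`, would keep a future branch from fusing its recipe onto the target line. The enclosing sub starts before and ends after these hunks.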
@@ -363,6 +365,7 @@
}
else
{
+ $ret.="\n";
$ret.="\t\$(LINK) \$(LFLAGS) $efile$target @<<\n";
$ret.="\t\$(APP_EX_OBJ) $files $libs\n<<\n";
}
Modified: vendor-crypto/openssl/dist/util/selftest.pl
===================================================================
--- vendor-crypto/openssl/dist/util/selftest.pl 2015-12-01 10:49:51 UTC (rev 7388)
+++ vendor-crypto/openssl/dist/util/selftest.pl 2015-12-05 17:55:33 UTC (rev 7389)
@@ -199,3 +199,4 @@
}
print "\nTest report in file $report\n";
+die if $ok != 2;
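Review bot: The added `die if $ok != 2;` exits non-zero with only Perl's default "Died at ..." text, and nothing here says what the value 2 stands for. Give the failure a message that points at the report, e.g. `die "selftest failed, see $report\n" if $ok != 2;`, and add a comment naming the state that `$ok == 2` represents. The code that sets `$ok` lies outside this hunk, so the meaning of 2 should be confirmed there before the comment is written.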
Added: vendor-crypto/openssl/dist/util/toutf8.sh
===================================================================
--- vendor-crypto/openssl/dist/util/toutf8.sh (rev 0)
+++ vendor-crypto/openssl/dist/util/toutf8.sh 2015-12-05 17:55:33 UTC (rev 7389)
@@ -0,0 +1,17 @@
+#! /bin/sh
+#
+# Very simple script to detect and convert files that we want to re-encode to UTF8
+
+git ls-tree -r --name-only HEAD | \
+ while read F; do
+ charset=`file -bi "$F" | sed -e 's|.*charset=||'`
+ if [ "$charset" != "utf-8" -a "$charset" != "binary" -a "$charset" != "us-ascii" ]; then
+ iconv -f ISO-8859-1 -t UTF8 < "$F" > "$F.utf8" && \
+ ( cmp -s "$F" "$F.utf8" || \
+ ( echo "$F"
+ mv "$F" "$F.iso-8859-1"
+ mv "$F.utf8" "$F"
+ )
+ )
+ fi
+ done
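Review bot: When the converted copy is identical to the original, `cmp -s` succeeds and the `"$F.utf8"` temporary is left behind in the working tree; a failed `iconv` leaves a partial one as well. Both paths should end with `rm -f "$F.utf8"`. The loop header should be `while IFS= read -r F; do`, so that file names containing backslashes or leading blanks reach `file` and `iconv` unchanged. The script also treats every charset other than utf-8, us-ascii and binary as ISO-8859-1, which a comment at the `iconv` line should state, since a file in another encoding would be silently mis-converted.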