diff --git a/crypto/external/bsd/openssl/dist/CHANGES b/crypto/external/bsd/openssl/dist/CHANGES index 9302f586a31d..4fcfd1d4be45 100644 --- a/crypto/external/bsd/openssl/dist/CHANGES +++ b/crypto/external/bsd/openssl/dist/CHANGES @@ -2,6 +2,35 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1f and 1.0.1g [7 Apr 2014] + + *) A missing bounds check in the handling of the TLS heartbeat extension + can be used to reveal up to 64k of memory to a connected client or + server. + + Thanks for Neel Mehta of Google Security for discovering this bug and to + Adam Langley and Bodo Moeller for + preparing the fix (CVE-2014-0160) + [Adam Langley, Bodo Moeller] + + *) Fix for the attack described in the paper "Recovering OpenSSL + ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" + by Yuval Yarom and Naomi Benger. Details can be obtained from: + http://eprint.iacr.org/2014/140 + + Thanks to Yuval Yarom and Naomi Benger for discovering this + flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) + [Yuval Yarom and Naomi Benger] + + *) TLS pad extension: draft-agl-tls-padding-03 + + Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the + TLS client Hello record length value would otherwise be > 255 and + less that 512 pad with a dummy extension containing zeroes so it + is at least 512 bytes long. + + [Adam Langley, Steve Henson] + Changes between 1.0.1e and 1.0.1f [6 Jan 2014] *) Fix for TLS record tampering bug. A carefully crafted invalid diff --git a/crypto/external/bsd/openssl/dist/FAQ b/crypto/external/bsd/openssl/dist/FAQ index 35780f807bd6..59d135396edc 100644 --- a/crypto/external/bsd/openssl/dist/FAQ +++ b/crypto/external/bsd/openssl/dist/FAQ 
@@ -768,6 +768,9 @@ openssl-security@openssl.org if you don't get a prompt reply at least acknowledging receipt then resend or mail it directly to one of the more active team members (e.g. Steve). +Note that bugs only present in the openssl utility are not in general +considered to be security issues. + [PROG] ======================================================================== * Is OpenSSL thread-safe? diff --git a/crypto/external/bsd/openssl/dist/Makefile b/crypto/external/bsd/openssl/dist/Makefile index 0709da035f30..4a40b701d908 100644 --- a/crypto/external/bsd/openssl/dist/Makefile +++ b/crypto/external/bsd/openssl/dist/Makefile @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.1f +VERSION=1.0.1g MAJOR=1 MINOR=0.1 SHLIB_VERSION_NUMBER=1.0.0 @@ -304,8 +304,8 @@ libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT) FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \ export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \ fi; \ - $(MAKE) -e SHLIBDIRS=crypto CC=$${CC:-$(CC)} build-shared; \ - touch -c fips_premain_dso$(EXE_EXT); \ + $(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared && \ + (touch -c fips_premain_dso$(EXE_EXT) || :); \ else \ echo "There's no support for shared libraries on this platform" >&2; \ exit 1; \ diff --git a/crypto/external/bsd/openssl/dist/Makefile.org b/crypto/external/bsd/openssl/dist/Makefile.org index a9e27273d341..c92806f9201f 100644 --- a/crypto/external/bsd/openssl/dist/Makefile.org +++ b/crypto/external/bsd/openssl/dist/Makefile.org @@ -302,8 +302,8 @@ libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT) FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \ export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \ fi; \ - $(MAKE) -e SHLIBDIRS=crypto CC=$${CC:-$(CC)} build-shared; \ - touch -c fips_premain_dso$(EXE_EXT); \ + $(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared && \ + (touch -c fips_premain_dso$(EXE_EXT) || :); \ else \ echo "There's no support for shared libraries on this platform" >&2; \ exit 1; \ 
diff --git a/crypto/external/bsd/openssl/dist/NEWS b/crypto/external/bsd/openssl/dist/NEWS index 909fea96cf74..ed486d146d96 100644 --- a/crypto/external/bsd/openssl/dist/NEWS +++ b/crypto/external/bsd/openssl/dist/NEWS @@ -5,8 +5,15 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014] + + o Fix for CVE-2014-0160 + o Add TLS padding extension workaround for broken servers. + o Fix for CVE-2014-0076 + Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014] + o Don't include gmt_unix_time in TLS server and client random values o Fix for TLS record tampering bug CVE-2013-4353 o Fix for TLS version checking bug CVE-2013-6449 o Fix for DTLS retransmission bug CVE-2013-6450 diff --git a/crypto/external/bsd/openssl/dist/README b/crypto/external/bsd/openssl/dist/README index 05b670c5d9fc..10b74d19d24a 100644 --- a/crypto/external/bsd/openssl/dist/README +++ b/crypto/external/bsd/openssl/dist/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.1f 6 Jan 2014 + OpenSSL 1.0.1g 7 Apr 2014 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/external/bsd/openssl/dist/apps/apps.c b/crypto/external/bsd/openssl/dist/apps/apps.c index 1096eee4cfae..b76db10a5e5b 100644 --- a/crypto/external/bsd/openssl/dist/apps/apps.c +++ b/crypto/external/bsd/openssl/dist/apps/apps.c @@ -586,12 +586,12 @@ int password_callback(char *buf, int bufsiz, int verify, if (ok >= 0) ok = UI_add_input_string(ui,prompt,ui_flags,buf, - PW_MIN_LENGTH,BUFSIZ-1); + PW_MIN_LENGTH,bufsiz-1); if (ok >= 0 && verify) { buff = (char *)OPENSSL_malloc(bufsiz); ok = UI_add_verify_string(ui,prompt,ui_flags,buff, - PW_MIN_LENGTH,BUFSIZ-1, buf); + PW_MIN_LENGTH,bufsiz-1, buf); } if (ok >= 0) do 
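Review bot: In the verify branch of password_callback, `buff = (char *)OPENSSL_malloc(bufsiz);` is passed straight to `UI_add_verify_string` with no NULL check, so an allocation failure gives the UI layer a null result buffer with a declared maximum of `bufsiz-1`. A guard such as `if (buff == NULL) ok = -1;` before the call would fail closed, assuming a negative `ok` is treated as failure, as the surrounding `ok >= 0` tests suggest. Nothing visible rejects `bufsiz <= 0` either, which would make the new maximum negative; callers may already guarantee this, but it is worth confirming now that the bound follows the parameter. The function starts and ends outside the hunk.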
@@ -2841,7 +2841,7 @@ double app_tminterval(int stop,int usertime) if (proc==NULL) { - if (GetVersion() < 0x80000000) + if (check_winnt()) proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE, GetCurrentProcessId()); if (proc==NULL) proc = (HANDLE)-1; diff --git a/crypto/external/bsd/openssl/dist/apps/crl.c b/crypto/external/bsd/openssl/dist/apps/crl.c index c395b2afd5d4..8797d300cf13 100644 --- a/crypto/external/bsd/openssl/dist/apps/crl.c +++ b/crypto/external/bsd/openssl/dist/apps/crl.c @@ -81,6 +81,9 @@ static const char *crl_usage[]={ " -in arg - input file - default stdin\n", " -out arg - output file - default stdout\n", " -hash - print hash value\n", +#ifndef OPENSSL_NO_MD5 +" -hash_old - print old-style (MD5) hash value\n", +#endif " -fingerprint - print the crl fingerprint\n", " -issuer - print issuer DN\n", " -lastupdate - lastUpdate field\n", @@ -108,6 +111,9 @@ int MAIN(int argc, char **argv) int informat,outformat; char *infile=NULL,*outfile=NULL; int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0; +#ifndef OPENSSL_NO_MD5 + int hash_old=0; +#endif int fingerprint = 0, crlnumber = 0; const char **pp; X509_STORE *store = NULL; @@ -192,6 +198,10 @@ int MAIN(int argc, char **argv) text = 1; else if (strcmp(*argv,"-hash") == 0) hash= ++num; +#ifndef OPENSSL_NO_MD5 + else if (strcmp(*argv,"-hash_old") == 0) + hash_old= ++num; +#endif else if (strcmp(*argv,"-nameopt") == 0) { if (--argc < 1) goto bad; @@ -304,6 +314,14 @@ bad: BIO_printf(bio_out,"%08lx\n", X509_NAME_hash(X509_CRL_get_issuer(x))); } +#ifndef OPENSSL_NO_MD5 + if (hash_old == i) + { + BIO_printf(bio_out,"%08lx\n", + X509_NAME_hash_old( + X509_CRL_get_issuer(x))); + } +#endif if (lastupdate == i) { BIO_printf(bio_out,"lastUpdate="); diff --git a/crypto/external/bsd/openssl/dist/apps/dgst.c b/crypto/external/bsd/openssl/dist/apps/dgst.c index 81bd870f991a..f4aec779c1db 100644 --- a/crypto/external/bsd/openssl/dist/apps/dgst.c +++ b/crypto/external/bsd/openssl/dist/apps/dgst.c 
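Review bot: The new `-hash_old` output block in crl.c has no comment saying what the value is for, and it prints in the same `%08lx` format as `-hash`, so the two cannot be told apart in the code or in the output. I would add `/* MD5-based issuer-name hash for directories hashed by OpenSSL versions before 1.0.0; a lookup key, not an integrity check */` above `if (hash_old == i)`. The usage string and the crl.pod text added in this commit already describe it as the old-style lookup hash, so the comment only records that at the call site. MAIN starts and ends outside these hunks.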
@@ -427,9 +427,9 @@ int MAIN(int argc, char **argv) goto end; } if (do_verify) - r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey); + r = EVP_DigestVerifyInit(mctx, &pctx, md, NULL, sigkey); else - r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey); + r = EVP_DigestSignInit(mctx, &pctx, md, NULL, sigkey); if (!r) { BIO_printf(bio_err, "Error setting context\n"); diff --git a/crypto/external/bsd/openssl/dist/apps/ecparam.c b/crypto/external/bsd/openssl/dist/apps/ecparam.c index 465480bedd01..976ebef12ba3 100644 --- a/crypto/external/bsd/openssl/dist/apps/ecparam.c +++ b/crypto/external/bsd/openssl/dist/apps/ecparam.c @@ -105,7 +105,7 @@ * in the asn1 der encoding * possible values: named_curve (default) * explicit - * -no_seed - if 'explicit' parameters are choosen do not use the seed + * -no_seed - if 'explicit' parameters are chosen do not use the seed * -genkey - generate ec key * -rand file - files to use for random number input * -engine e - use engine e, possibly a hardware device @@ -286,7 +286,7 @@ bad: BIO_printf(bio_err, " " " explicit\n"); BIO_printf(bio_err, " -no_seed if 'explicit'" - " parameters are choosen do not" + " parameters are chosen do not" " use the seed\n"); BIO_printf(bio_err, " -genkey generate ec" " key\n"); diff --git a/crypto/external/bsd/openssl/dist/apps/req.c b/crypto/external/bsd/openssl/dist/apps/req.c index 85526581cefe..5e034a85e802 100644 --- a/crypto/external/bsd/openssl/dist/apps/req.c +++ b/crypto/external/bsd/openssl/dist/apps/req.c @@ -644,6 +644,11 @@ bad: if (inrand) app_RAND_load_files(inrand); + if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey)) + { + newkey=DEFAULT_KEY_LENGTH; + } + if (keyalg) { genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey, 
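Review bot: Both init calls in dgst.c now pass `NULL` where `e` was passed, and nothing at the call site says why, so a later reader may take it for an oversight and restore the engine argument. A one-line comment above `if (do_verify)` would settle it, for example `/* NULL: do not route the digest through the -engine ENGINE */`. The reason is not visible in the hunk, so it should be taken from the upstream commit message rather than guessed. MAIN continues outside the hunk.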
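Review bot: The default key size in req.c is now read from the config before `set_keygen_ctx()` because that function falls back to `*pkeylen` (the `else keylen = *pkeylen;` added in the @@ -1649 hunk), but this ordering dependency is not stated anywhere. A comment such as `/* must precede set_keygen_ctx(), which uses newkey as the default length */` above the `NCONF_get_number` call would keep the block from being moved back. Separately, the only range check visible on `newkey` is the `MIN_KEY_LENGTH` test in the next hunk, which covers RSA and DSA. Whether a config-supplied value is bounded above cannot be seen from here and is worth confirming. The enclosing function continues outside the hunk.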
@@ -652,12 +657,6 @@ bad: goto end; } - if (newkey <= 0) - { - if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey)) - newkey=DEFAULT_KEY_LENGTH; - } - if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA)) { BIO_printf(bio_err,"private key length is too short,\n"); @@ -1649,6 +1648,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type, keylen = atol(p + 1); *pkeylen = keylen; } + else + keylen = *pkeylen; } else if (p) paramfile = p + 1; diff --git a/crypto/external/bsd/openssl/dist/crypto/aes/asm/vpaes-x86_64.pl b/crypto/external/bsd/openssl/dist/crypto/aes/asm/vpaes-x86_64.pl index 41f2e46f60c6..bd7f45b85091 100644 --- a/crypto/external/bsd/openssl/dist/crypto/aes/asm/vpaes-x86_64.pl +++ b/crypto/external/bsd/openssl/dist/crypto/aes/asm/vpaes-x86_64.pl @@ -1060,7 +1060,7 @@ _vpaes_consts: .Lk_dsbo: # decryption sbox final output .quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D .quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C -.asciz "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)" +.asciz "Vector Permutation AES for x86_64/SSSE3, Mike Hamburg (Stanford University)" .align 64 .size _vpaes_consts,.-_vpaes_consts ___ diff --git a/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c b/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c index 1a30bf119bd2..aa60203ba808 100644 --- a/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c +++ b/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c 
@@ -305,7 +305,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"}, {ERR_REASON(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM),"unknown signature algorithm"}, {ERR_REASON(ASN1_R_UNKNOWN_TAG) ,"unknown tag"}, -{ERR_REASON(ASN1_R_UNKOWN_FORMAT) ,"unkown format"}, +{ERR_REASON(ASN1_R_UNKOWN_FORMAT) ,"unknown format"}, {ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"}, {ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"}, {ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"}, diff --git a/crypto/external/bsd/openssl/dist/crypto/cms/cms_lib.c b/crypto/external/bsd/openssl/dist/crypto/cms/cms_lib.c index b62d1bfac02b..ba08279a0461 100644 --- a/crypto/external/bsd/openssl/dist/crypto/cms/cms_lib.c +++ b/crypto/external/bsd/openssl/dist/crypto/cms/cms_lib.c @@ -463,8 +463,6 @@ int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert) STACK_OF(CMS_CertificateChoices) **pcerts; int i; pcerts = cms_get0_certificate_choices(cms); - if (!pcerts) - return 0; if (!pcerts) return 0; for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) diff --git a/crypto/external/bsd/openssl/dist/crypto/engine/eng_list.c b/crypto/external/bsd/openssl/dist/crypto/engine/eng_list.c index 27846edb1e9a..95c858960b81 100644 --- a/crypto/external/bsd/openssl/dist/crypto/engine/eng_list.c +++ b/crypto/external/bsd/openssl/dist/crypto/engine/eng_list.c @@ -408,6 +408,7 @@ ENGINE *ENGINE_by_id(const char *id) !ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) || !ENGINE_ctrl_cmd_string(iterator, "DIR_ADD", load_dir, 0) || + !ENGINE_ctrl_cmd_string(iterator, "LIST_ADD", "1", 0) || !ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0)) goto notfound; return iterator; diff --git a/crypto/external/bsd/openssl/dist/crypto/evp/bio_b64.c b/crypto/external/bsd/openssl/dist/crypto/evp/bio_b64.c index 72a2a67277a3..ac6d441aadb9 100644 
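Review bot: The `LIST_ADD` control added in ENGINE_by_id is sent with the bare string `"1"`, next to `DIR_LOAD` `"2"`, and neither value is explained at the call site. Since this chain decides how an engine loaded from `load_dir` gets registered, I would add a comment such as `/* LIST_ADD 1: add the loaded ENGINE to the internal list; failure to add is not fatal */`. That reading follows the dynamic engine's documented control values and should be checked against eng_dyn.c. Where `load_dir` comes from is outside the hunk, and the same comment is a good place to record who controls it. The function starts and ends outside the hunk.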
--- a/crypto/external/bsd/openssl/dist/crypto/evp/bio_b64.c +++ b/crypto/external/bsd/openssl/dist/crypto/evp/bio_b64.c @@ -264,7 +264,7 @@ static int b64_read(BIO *b, char *out, int outl) } /* we fell off the end without starting */ - if (j == i) + if ((j == i) && (num == 0)) { /* Is this is one long chunk?, if so, keep on * reading until a new line. */ diff --git a/crypto/external/bsd/openssl/dist/crypto/modes/gcm128.c b/crypto/external/bsd/openssl/dist/crypto/modes/gcm128.c index 250063de86cc..e1dc2b0f4760 100644 --- a/crypto/external/bsd/openssl/dist/crypto/modes/gcm128.c +++ b/crypto/external/bsd/openssl/dist/crypto/modes/gcm128.c @@ -810,7 +810,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len) GCM_MUL(ctx,Yi); if (is_endian.little) +#ifdef BSWAP4 + ctr = BSWAP4(ctx->Yi.d[3]); +#else ctr = GETU32(ctx->Yi.c+12); +#endif else ctr = ctx->Yi.d[3]; } @@ -818,7 +822,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len) (*ctx->block)(ctx->Yi.c,ctx->EK0.c,ctx->key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; } @@ -913,7 +921,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, } if (is_endian.little) +#ifdef BSWAP4 + ctr = BSWAP4(ctx->Yi.d[3]); +#else ctr = GETU32(ctx->Yi.c+12); +#endif else ctr = ctx->Yi.d[3]; @@ -947,7 +959,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, (*block)(ctx->Yi.c,ctx->EKi.c,key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; for (i=0; i<16/sizeof(size_t); ++i) @@ -969,7 +985,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, (*block)(ctx->Yi.c,ctx->EKi.c,key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; for (i=0; i<16/sizeof(size_t); ++i) 
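Review bot: The five-line `#ifdef BSWAP4 … #else … #endif` sequence in gcm128.c is pasted under an unbraced `if (is_endian.little)` at every counter load and store, from the CRYPTO_gcm128_setiv hunk through the encrypt, decrypt, encrypt_ctr32 and decrypt_ctr32 hunks that follow. Each copy depends on exactly one statement surviving preprocessing between `if` and `else`, so a later edit to one arm can break only one build configuration. A site that drifts from the others would also produce a wrong counter block. I would define the two forms once near the top of the file, as one helper that reads the counter from `ctx->Yi` and one that writes it back, and call those at each site, or at least brace both arms. All of these hunks sit inside functions that start and end outside the hunk.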
@@ -988,7 +1008,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, (*block)(ctx->Yi.c,ctx->EKi.c,key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; for (i=0; i<16/sizeof(size_t); ++i) @@ -1004,7 +1028,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, (*block)(ctx->Yi.c,ctx->EKi.c,key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; while (len--) { @@ -1022,7 +1050,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx, (*block)(ctx->Yi.c,ctx->EKi.c,key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; } @@ -1066,7 +1098,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, } if (is_endian.little) +#ifdef BSWAP4 + ctr = BSWAP4(ctx->Yi.d[3]); +#else ctr = GETU32(ctx->Yi.c+12); +#endif else ctr = ctx->Yi.d[3]; @@ -1103,7 +1139,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, (*block)(ctx->Yi.c,ctx->EKi.c,key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; for (i=0; i<16/sizeof(size_t); ++i) @@ -1123,7 +1163,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, (*block)(ctx->Yi.c,ctx->EKi.c,key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; for (i=0; i<16/sizeof(size_t); ++i) @@ -1141,7 +1185,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, (*block)(ctx->Yi.c,ctx->EKi.c,key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; for (i=0; i<16/sizeof(size_t); ++i) { 
@@ -1159,7 +1207,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, (*block)(ctx->Yi.c,ctx->EKi.c,key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; while (len--) { @@ -1180,7 +1232,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx, (*block)(ctx->Yi.c,ctx->EKi.c,key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; } @@ -1225,7 +1281,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, } if (is_endian.little) +#ifdef BSWAP4 + ctr = BSWAP4(ctx->Yi.d[3]); +#else ctr = GETU32(ctx->Yi.c+12); +#endif else ctr = ctx->Yi.d[3]; @@ -1247,7 +1307,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c); ctr += GHASH_CHUNK/16; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; GHASH(ctx,out,GHASH_CHUNK); @@ -1262,7 +1326,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, (*stream)(in,out,j,key,ctx->Yi.c); ctr += (unsigned int)j; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; in += i; @@ -1282,7 +1350,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx, (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; while (len--) { @@ -1324,7 +1396,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, } if (is_endian.little) +#ifdef BSWAP4 + ctr = BSWAP4(ctx->Yi.d[3]); +#else ctr = GETU32(ctx->Yi.c+12); +#endif else ctr = ctx->Yi.d[3]; 
@@ -1349,7 +1425,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c); ctr += GHASH_CHUNK/16; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; out += GHASH_CHUNK; @@ -1375,7 +1455,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, (*stream)(in,out,j,key,ctx->Yi.c); ctr += (unsigned int)j; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; out += i; @@ -1386,7 +1470,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx, (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key); ++ctr; if (is_endian.little) +#ifdef BSWAP4 + ctx->Yi.d[3] = BSWAP4(ctr); +#else PUTU32(ctx->Yi.c+12,ctr); +#endif else ctx->Yi.d[3] = ctr; while (len--) { diff --git a/crypto/external/bsd/openssl/dist/crypto/rand/rand_win.c b/crypto/external/bsd/openssl/dist/crypto/rand/rand_win.c index 5d134e186bb0..34ffcd23f9a0 100644 --- a/crypto/external/bsd/openssl/dist/crypto/rand/rand_win.c +++ b/crypto/external/bsd/openssl/dist/crypto/rand/rand_win.c @@ -750,7 +750,7 @@ static void readscreen(void) int y; /* y-coordinate of screen lines to grab */ int n = 16; /* number of screen lines to grab at a time */ - if (GetVersion() < 0x80000000 && OPENSSL_isservice()>0) + if (check_winnt() && OPENSSL_isservice()>0) return; /* Create a screen DC and a memory DC compatible to screen DC */ diff --git a/crypto/external/bsd/openssl/dist/crypto/symhacks.h b/crypto/external/bsd/openssl/dist/crypto/symhacks.h index 07a412f84586..bd2f000d597f 100644 --- a/crypto/external/bsd/openssl/dist/crypto/symhacks.h +++ b/crypto/external/bsd/openssl/dist/crypto/symhacks.h 
@@ -204,6 +204,12 @@ #define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb #undef SSL_CTX_set_next_proto_select_cb #define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb +#undef ssl3_cbc_record_digest_supported +#define ssl3_cbc_record_digest_supported ssl3_cbc_record_digest_support +#undef ssl_check_clienthello_tlsext_late +#define ssl_check_clienthello_tlsext_late ssl_check_clihello_tlsext_late +#undef ssl_check_clienthello_tlsext_early +#define ssl_check_clienthello_tlsext_early ssl_check_clihello_tlsext_early /* Hack some long ENGINE names */ #undef ENGINE_get_default_BN_mod_exp_crt diff --git a/crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c b/crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c index 27ca5150c195..c6602dae4f58 100644 --- a/crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c +++ b/crypto/external/bsd/openssl/dist/crypto/x509/by_dir.c @@ -218,7 +218,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) s=dir; p=s; - for (;;p++) + do { if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0')) { @@ -264,9 +264,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type) return 0; } } - if (*p == '\0') - break; - } + } while (*p++ != '\0'); return 1; } diff --git a/crypto/external/bsd/openssl/dist/demos/cms/cms_comp.c b/crypto/external/bsd/openssl/dist/demos/cms/cms_comp.c index b7943e813b3a..01bf092546fc 100644 --- a/crypto/external/bsd/openssl/dist/demos/cms/cms_comp.c +++ b/crypto/external/bsd/openssl/dist/demos/cms/cms_comp.c @@ -10,7 +10,7 @@ int main(int argc, char **argv) int ret = 1; /* - * On OpenSSL 0.9.9 only: + * On OpenSSL 1.0.0+ only: * for streaming set CMS_STREAM */ int flags = CMS_STREAM; diff --git a/crypto/external/bsd/openssl/dist/demos/cms/cms_dec.c b/crypto/external/bsd/openssl/dist/demos/cms/cms_dec.c index 7ddf653269a3..9fee0a3ebfc4 100644 --- a/crypto/external/bsd/openssl/dist/demos/cms/cms_dec.c +++ b/crypto/external/bsd/openssl/dist/demos/cms/cms_dec.c 
@@ -47,7 +47,7 @@ int main(int argc, char **argv) goto err; /* Decrypt S/MIME message */ - if (!CMS_decrypt(cms, rkey, rcert, out, NULL, 0)) + if (!CMS_decrypt(cms, rkey, rcert, NULL, out, 0)) goto err; ret = 0; diff --git a/crypto/external/bsd/openssl/dist/demos/cms/cms_sign.c b/crypto/external/bsd/openssl/dist/demos/cms/cms_sign.c index 42f762034b7e..6823c34a0e3e 100644 --- a/crypto/external/bsd/openssl/dist/demos/cms/cms_sign.c +++ b/crypto/external/bsd/openssl/dist/demos/cms/cms_sign.c @@ -12,7 +12,7 @@ int main(int argc, char **argv) int ret = 1; /* For simple S/MIME signing use CMS_DETACHED. - * On OpenSSL 0.9.9 only: + * On OpenSSL 1.0.0 only: * for streaming detached set CMS_DETACHED|CMS_STREAM * for streaming non-detached set CMS_STREAM */ diff --git a/crypto/external/bsd/openssl/dist/doc/apps/config.pod b/crypto/external/bsd/openssl/dist/doc/apps/config.pod index ace34b62bd2e..25c5381b9d6b 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/config.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/config.pod @@ -119,7 +119,7 @@ variable points to a section containing further ENGINE configuration information. The section pointed to by B is a table of engine names (though see -B below) and further sections containing configuration informations +B below) and further sections containing configuration information specific to each ENGINE. Each ENGINE specific section is used to set default algorithms, load diff --git a/crypto/external/bsd/openssl/dist/doc/apps/crl.pod b/crypto/external/bsd/openssl/dist/doc/apps/crl.pod index a40c873b9568..1ad76a5f8c13 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/crl.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/crl.pod 
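Review bot: The updated comment in cms_sign.c reads `On OpenSSL 1.0.0 only:` while the same correction in cms_comp.c reads `On OpenSSL 1.0.0+ only:`. Without the `+`, the signing demo says streaming is available on exactly one release. I would change the line to `* On OpenSSL 1.0.0+ only:` so the two demos agree.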
@@ -62,6 +62,11 @@ don't output the encoded version of the CRL. output a hash of the issuer name. This can be use to lookup CRLs in a directory by issuer name. +=item B<-hash_old> + +outputs the "hash" of the CRL issuer name using the older algorithm +as used by OpenSSL versions before 1.0.0. + =item B<-issuer> output the issuer name. diff --git a/crypto/external/bsd/openssl/dist/doc/apps/ec.pod b/crypto/external/bsd/openssl/dist/doc/apps/ec.pod index ba6dc4689bf0..5c7b45d4e75e 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/ec.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/ec.pod @@ -41,7 +41,7 @@ PKCS#8 private key format use the B command. This specifies the input format. The B option with a private key uses an ASN.1 DER encoded SEC1 private key. When used with a public key it -uses the SubjectPublicKeyInfo structur as specified in RFC 3280. +uses the SubjectPublicKeyInfo structure as specified in RFC 3280. The B form is the default format: it consists of the B format base64 encoded with additional header and footer lines. In the case of a private key PKCS#8 format is also accepted. diff --git a/crypto/external/bsd/openssl/dist/doc/apps/pkcs12.pod b/crypto/external/bsd/openssl/dist/doc/apps/pkcs12.pod index f69a5c5a4cda..8e0d91798ac4 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/pkcs12.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/pkcs12.pod @@ -67,7 +67,7 @@ by default. The filename to write certificates and private keys to, standard output by default. They are all written in PEM format. -=item B<-pass arg>, B<-passin arg> +=item B<-passin arg> the PKCS#12 file (i.e. input file) password source. For more information about the format of B see the B section in 
@@ -75,10 +75,15 @@ L. =item B<-passout arg> -pass phrase source to encrypt any outputed private keys with. For more +pass phrase source to encrypt any outputted private keys with. For more information about the format of B see the B section in L. +=item B<-password arg> + +With -export, -password is equivalent to -passout. +Otherwise, -password is equivalent to -passin. + =item B<-noout> this option inhibits output of the keys and certificates to the output file diff --git a/crypto/external/bsd/openssl/dist/doc/apps/req.pod b/crypto/external/bsd/openssl/dist/doc/apps/req.pod index ff48bbdf2855..0730d117b39c 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/req.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/req.pod @@ -303,7 +303,7 @@ Reverses effect of B<-asn1-kludge> =item B<-newhdr> -Adds the word B to the PEM file header and footer lines on the outputed +Adds the word B to the PEM file header and footer lines on the outputted request. Some software (Netscape certificate server) and some CAs need this. =item B<-batch> diff --git a/crypto/external/bsd/openssl/dist/doc/apps/s_client.pod b/crypto/external/bsd/openssl/dist/doc/apps/s_client.pod index 4ebf7b585474..3215b2e8c96f 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/s_client.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/s_client.pod @@ -10,6 +10,7 @@ s_client - SSL/TLS client program B B [B<-connect host:port>] [B<-verify depth>] +[B<-verify_return_error>] [B<-cert filename>] [B<-certform DER|PEM>] [B<-key filename>] @@ -90,6 +91,11 @@ Currently the verify operation continues after errors so all the problems with a certificate chain can be seen. As a side effect the connection will never fail due to a server certificate verify failure. +=item B<-verify_return_error> + +Return verification errors instead of continuing. This will typically +abort the handshake with a fatal error. + =item B<-CApath directory> The directory to use for server certificate verification. This directory 
@@ -286,6 +292,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions these will only be supported if its use is disabled, for example by using the B<-no_sslv2> option. +The B utility is a test tool and is designed to continue the +handshake after any certificate verification errors. As a result it will +accept any certificate chain (trusted or not) sent by the peer. None test +applications should B do this as it makes them vulnerable to a MITM +attack. This behaviour can be changed by with the B<-verify_return_error> +option: any verify errors are then returned aborting the handshake. + =head1 BUGS Because this program has a lot of options and also because some of @@ -293,9 +306,6 @@ the techniques used are rather old, the C source of s_client is rather hard to read and not a model of how things should be done. A typical SSL client program would be much simpler. -The B<-verify> option should really exit if the server verification -fails. - The B<-prexit> option is a bit of a hack. We should really report information whenever a session is renegotiated. diff --git a/crypto/external/bsd/openssl/dist/doc/apps/s_server.pod b/crypto/external/bsd/openssl/dist/doc/apps/s_server.pod index 3e503e17e107..6758ba308016 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/s_server.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/s_server.pod @@ -111,7 +111,7 @@ by using an appropriate certificate. =item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg> -addtional certificate and private key format and passphrase respectively. +additional certificate and private key format and passphrase respectively. =item B<-nocert> diff --git a/crypto/external/bsd/openssl/dist/doc/apps/ts.pod b/crypto/external/bsd/openssl/dist/doc/apps/ts.pod index 7fb6caa96e54..d6aa47d3144d 100644 --- a/crypto/external/bsd/openssl/dist/doc/apps/ts.pod +++ b/crypto/external/bsd/openssl/dist/doc/apps/ts.pod 
@@ -352,7 +352,7 @@ switch always overrides the settings in the config file. This is the main section and it specifies the name of another section that contains all the options for the B<-reply> command. This default -section can be overriden with the B<-section> command line switch. (Optional) +section can be overridden with the B<-section> command line switch. (Optional) =item B @@ -453,7 +453,7 @@ included. Default is no. (Optional) =head1 ENVIRONMENT VARIABLES B contains the path of the configuration file and can be -overriden by the B<-config> command line option. +overridden by the B<-config> command line option. =head1 EXAMPLES diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/BN_BLINDING_new.pod b/crypto/external/bsd/openssl/dist/doc/crypto/BN_BLINDING_new.pod index 5f51fdb47065..da06e4446125 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/BN_BLINDING_new.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/BN_BLINDING_new.pod @@ -48,7 +48,7 @@ necessary parameters are set, by re-creating the blinding parameters. BN_BLINDING_convert_ex() multiplies B with the blinding factor B. If B is not NULL a copy the inverse blinding factor B will be -returned in B (this is useful if a B object is shared amoung +returned in B (this is useful if a B object is shared among several threads). BN_BLINDING_invert_ex() multiplies B with the inverse blinding factor B. If B is not NULL it will be used as the inverse blinding. diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/ERR_get_error.pod b/crypto/external/bsd/openssl/dist/doc/crypto/ERR_get_error.pod index 34443045fc0d..828ecf529b2e 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/ERR_get_error.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/ERR_get_error.pod 
@@ -52,8 +52,11 @@ ERR_get_error_line_data(), ERR_peek_error_line_data() and ERR_get_last_error_line_data() store additional data and flags associated with the error code in *B and *B, unless these are B. *B contains a string -if *B&B. If it has been allocated by OPENSSL_malloc(), -*B&B is true. +if *B&B is true. + +An application B free the *B pointer (or any other pointers +returned by these functions) with OPENSSL_free() as freeing is handled +automatically by the error library. =head1 RETURN VALUES diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/EVP_BytesToKey.pod b/crypto/external/bsd/openssl/dist/doc/crypto/EVP_BytesToKey.pod index d375c46e03d5..0ea7d55c0f1f 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/EVP_BytesToKey.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/EVP_BytesToKey.pod @@ -17,7 +17,7 @@ EVP_BytesToKey - password based encryption routine EVP_BytesToKey() derives a key and IV from various parameters. B is the cipher to derive the key and IV for. B is the message digest to use. -The B paramter is used as a salt in the derivation: it should point to +The B parameter is used as a salt in the derivation: it should point to an 8 byte buffer or NULL if no salt is used. B is a buffer containing B bytes which is used to derive the keying data. B is the iteration count to use. The derived key and IV will be written to B diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/EVP_EncryptInit.pod b/crypto/external/bsd/openssl/dist/doc/crypto/EVP_EncryptInit.pod index 8271d3dfc417..1c4bf184a1b0 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/EVP_EncryptInit.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/EVP_EncryptInit.pod 
@@ -152,7 +152,7 @@ does not remain in memory. EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and -EVP_CipherInit_ex() except the B paramter does not need to be +EVP_CipherInit_ex() except the B parameter does not need to be initialized and they always use the default cipher implementation. EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/crypto/external/bsd/openssl/dist/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index b68eece03387..46cac2bea2be 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -113,7 +113,7 @@ a special status code is set to the verification callback. This permits it to examine the valid policy tree and perform additional checks or simply log it for debugging purposes. -By default some addtional features such as indirect CRLs and CRLs signed by +By default some additional features such as indirect CRLs and CRLs signed by different keys are disabled. If B is set they are enabled. diff --git a/crypto/external/bsd/openssl/dist/doc/crypto/pem.pod b/crypto/external/bsd/openssl/dist/doc/crypto/pem.pod index d5b189611956..54414a3f6f37 100644 --- a/crypto/external/bsd/openssl/dist/doc/crypto/pem.pod +++ b/crypto/external/bsd/openssl/dist/doc/crypto/pem.pod 
@@ -201,7 +201,7 @@ handle PKCS#8 format encrypted and unencrypted keys too. PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey() write a private key in an EVP_PKEY structure in PKCS#8 EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption -algorithms. The B argument specifies the encryption algoritm to +algorithms. The B argument specifies the encryption algorithm to use: unlike all other PEM routines the encryption is applied at the PKCS#8 level and not in the PEM headers. If B is NULL then no encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead. diff --git a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_verify.pod b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_verify.pod index 81566839d3d8..6fd6c0321551 100644 --- a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_verify.pod +++ b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_verify.pod @@ -169,8 +169,8 @@ that will always continue the TLS/SSL handshake regardless of verification failure, if wished. The callback realizes a verification depth limit with more informational output. -All verification errors are printed, informations about the certificate chain -are printed on request. +All verification errors are printed; information about the certificate chain +is printed on request. The example is realized for a server that does allow but not require client certificates. diff --git a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_set_shutdown.pod b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_set_shutdown.pod index 011a022a12c3..fe013085d39d 100644 --- a/crypto/external/bsd/openssl/dist/doc/ssl/SSL_set_shutdown.pod +++ b/crypto/external/bsd/openssl/dist/doc/ssl/SSL_set_shutdown.pod @@ -24,7 +24,7 @@ The shutdown state of an ssl connection is a bitmask of: =over 4 -=item 0 +=item Z<>0 No shutdown setting, yet. 
diff --git a/crypto/external/bsd/openssl/dist/e_os.h b/crypto/external/bsd/openssl/dist/e_os.h index 79c139257340..6a0aad1de72f 100644 --- a/crypto/external/bsd/openssl/dist/e_os.h +++ b/crypto/external/bsd/openssl/dist/e_os.h @@ -368,6 +368,13 @@ static unsigned int _strlen31(const char *str) # define DEFAULT_HOME "C:" # endif +/* Avoid Windows 8 SDK GetVersion deprecated problems */ +#if defined(_MSC_VER) && _MSC_VER>=1800 +# define check_winnt() (1) +#else +# define check_winnt() (GetVersion() < 0x80000000) +#endif + #else /* The non-microsoft world */ # ifdef OPENSSL_SYS_VMS diff --git a/crypto/external/bsd/openssl/dist/engines/ccgost/gosthash.c b/crypto/external/bsd/openssl/dist/engines/ccgost/gosthash.c index 8c278aa6452e..91b2ce8829d8 100644 --- a/crypto/external/bsd/openssl/dist/engines/ccgost/gosthash.c +++ b/crypto/external/bsd/openssl/dist/engines/ccgost/gosthash.c @@ -180,8 +180,6 @@ int start_hash(gost_hash_ctx *ctx) */ int hash_block(gost_hash_ctx *ctx,const byte *block, size_t length) { - const byte *curptr=block; - const byte *barrier=block+(length-32);/* Last byte we can safely hash*/ if (ctx->left) { /*There are some bytes from previous step*/ @@ -196,24 +194,25 @@ int hash_block(gost_hash_ctx *ctx,const byte *block, size_t length) { return 1; } - curptr=block+add_bytes; + block+=add_bytes; + length-=add_bytes; hash_step(ctx->cipher_ctx,ctx->H,ctx->remainder); add_blocks(32,ctx->S,ctx->remainder); ctx->len+=32; ctx->left=0; } - while (curptr<=barrier) + while (length>=32) { - hash_step(ctx->cipher_ctx,ctx->H,curptr); + hash_step(ctx->cipher_ctx,ctx->H,block); - add_blocks(32,ctx->S,curptr); + add_blocks(32,ctx->S,block); ctx->len+=32; - curptr+=32; + block+=32; + length-=32; } - if (curptr!=block+length) + if (length) { - ctx->left=block+length-curptr; - memcpy(ctx->remainder,curptr,ctx->left); + memcpy(ctx->remainder,block,ctx->left=length); } return 1; } 
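Review bot: The new `check_winnt()` macro in the Microsoft branch of e_os.h has two unexplained constants: the literal `(1)` for `_MSC_VER>=1800` and the `0x80000000` comparison on `GetVersion()`. The comment above it mentions only the SDK deprecation. I would extend it to say what the result means, for example `/* Non-zero on NT-family Windows; GetVersion() has its high bit set on non-NT platforms. _MSC_VER>=1800 is assumed to target NT only. */`. The callers that branch on this macro are outside the hunk, so the assumption behind the constant 1 should be confirmed against them.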
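Review bot: In the tail of hash_block, `memcpy(ctx->remainder,block,ctx->left=length);` hides the update of `ctx->left` inside a call argument, which is easy to miss when auditing how many bytes are copied into the remainder buffer. I would split it into `ctx->left=length;` followed by `memcpy(ctx->remainder,block,length);`. The loop condition `length>=32` means fewer than 32 bytes reach this copy, and a one-line comment saying so would make the bound explicit. The code that computes `add_bytes` lies between the two gosthash.c hunks and is not visible here, so `length-=add_bytes` depends on that code keeping `add_bytes` no larger than `length`.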
diff --git a/crypto/external/bsd/openssl/dist/ms/do_win64a.bat b/crypto/external/bsd/openssl/dist/ms/do_win64a.bat index ff8b19ccfd20..8768dc61be20 100755 --- a/crypto/external/bsd/openssl/dist/ms/do_win64a.bat +++ b/crypto/external/bsd/openssl/dist/ms/do_win64a.bat @@ -1,6 +1,6 @@ perl util\mkfiles.pl >MINFO -cmd /c "nasm -f win64 -v" >NUL: 2>&1 +cmd /c "nasm -f win64 -v" >NUL 2>&1 if %errorlevel% neq 0 goto ml64 perl ms\uplink-x86_64.pl nasm > ms\uptable.asm diff --git a/crypto/external/bsd/openssl/dist/openssl.spec b/crypto/external/bsd/openssl/dist/openssl.spec index 9436e9984e27..44147ce64a2c 100644 --- a/crypto/external/bsd/openssl/dist/openssl.spec +++ b/crypto/external/bsd/openssl/dist/openssl.spec @@ -7,7 +7,7 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl #Version: %{libmaj}.%{libmin}.%{librel} -Version: 1.0.1f +Version: 1.0.1g Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz License: OpenSSL Group: System Environment/Libraries diff --git a/crypto/external/bsd/openssl/dist/ssl/d1_both.c b/crypto/external/bsd/openssl/dist/ssl/d1_both.c index 7a5596a6b373..2e8cf681ed09 100644 --- a/crypto/external/bsd/openssl/dist/ssl/d1_both.c +++ b/crypto/external/bsd/openssl/dist/ssl/d1_both.c 
@@ -1459,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s) unsigned int payload; unsigned int padding = 16; /* Use minimum padding */ - /* Read type and payload length first */ - hbtype = *p++; - n2s(p, payload); - pl = p; - if (s->msg_callback) s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, &s->s3->rrec.data[0], s->s3->rrec.length, s, s->msg_callback_arg); + /* Read type and payload length first */ + if (1 + 2 + 16 > s->s3->rrec.length) + return 0; /* silently discard */ + hbtype = *p++; + n2s(p, payload); + if (1 + 2 + payload + 16 > s->s3->rrec.length) + return 0; /* silently discard per RFC 6520 sec. 4 */ + pl = p; + if (hbtype == TLS1_HB_REQUEST) { unsigned char *buffer, *bp; + unsigned int write_length = 1 /* heartbeat type */ + + 2 /* heartbeat length */ + + payload + padding; int r; + if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) + return 0; + /* Allocate memory for the response, size is 1 byte * message type, plus 2 bytes payload length, plus * payload, plus padding */ - buffer = OPENSSL_malloc(1 + 2 + payload + padding); + buffer = OPENSSL_malloc(write_length); bp = buffer; /* Enter response type, length and copy payload */ @@ -1489,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s) /* Random padding */ RAND_pseudo_bytes(bp, padding); - r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); + r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length); if (r >= 0 && s->msg_callback) s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, - buffer, 3 + payload + padding, + buffer, write_length, s, s->msg_callback_arg); OPENSSL_free(buffer); diff --git a/crypto/external/bsd/openssl/dist/ssl/kssl.h b/crypto/external/bsd/openssl/dist/ssl/kssl.h index 8242fd5eeb65..e4df84307313 100644 --- a/crypto/external/bsd/openssl/dist/ssl/kssl.h +++ b/crypto/external/bsd/openssl/dist/ssl/kssl.h 
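Review bot: The result of `OPENSSL_malloc(write_length)` in the TLS1_HB_REQUEST branch is assigned to `bp` with no NULL check, and the context that follows goes straight on to fill the buffer. An allocation failure while answering a peer's heartbeat would therefore become a write through a null pointer. Adding `if (buffer == NULL) return -1;` directly after the allocation would close that; the return value is a suggestion, since the function's other error paths are outside the hunk. The two new length checks also write the padding as the literal `16` although `padding` is declared just above. Using `1 + 2 + payload + padding > s->s3->rrec.length` would tie the bound and the response size to one constant.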
@@ -70,6 +70,15 @@ #include #include #include +#ifdef OPENSSL_SYS_WIN32 +/* These can sometimes get redefined indirectly by krb5 header files + * after they get undefed in ossl_typ.h + */ +#undef X509_NAME +#undef X509_EXTENSIONS +#undef OCSP_REQUEST +#undef OCSP_RESPONSE +#endif #ifdef __cplusplus extern "C" { diff --git a/crypto/external/bsd/openssl/dist/ssl/ssl-lib.com b/crypto/external/bsd/openssl/dist/ssl/ssl-lib.com index a77f7707f279..c7bc6fbd701c 100644 --- a/crypto/external/bsd/openssl/dist/ssl/ssl-lib.com +++ b/crypto/external/bsd/openssl/dist/ssl/ssl-lib.com @@ -214,7 +214,7 @@ $! $! Define The Different SSL "library" Files. $! $ LIB_SSL = "s2_meth,s2_srvr,s2_clnt,s2_lib,s2_enc,s2_pkt,"+ - - "s3_meth,s3_srvr,s3_clnt,s3_lib,s3_enc,s3_pkt,s3_both,"+ - + "s3_meth,s3_srvr,s3_clnt,s3_lib,s3_enc,s3_pkt,s3_both,s3_cbc,"+ - "s23_meth,s23_srvr,s23_clnt,s23_lib,s23_pkt,"+ - "t1_meth,t1_srvr,t1_clnt,t1_lib,t1_enc,"+ - "d1_meth,d1_srvr,d1_clnt,d1_lib,d1_pkt,"+ - @@ -857,7 +857,7 @@ $ CCDEFS = "TCPIP_TYPE_''P4'" $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS $ CCEXTRAFLAGS = "" $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS -$ CCDISABLEWARNINGS = "" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR" +$ CCDISABLEWARNINGS = "MAYLOSEDATA3" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR" $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN - CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS $! diff --git a/crypto/external/bsd/openssl/dist/ssl/tls1.h b/crypto/external/bsd/openssl/dist/ssl/tls1.h index c39c267f0b66..c992091e305e 100644 --- a/crypto/external/bsd/openssl/dist/ssl/tls1.h +++ b/crypto/external/bsd/openssl/dist/ssl/tls1.h 
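Review bot: In ssl-lib.com, `CCDISABLEWARNINGS = "MAYLOSEDATA3"` turns the diagnostic off for every source file in the SSL library build, and nothing on the line says which file triggered it or why it is safe to ignore. Going by its name, the message concerns conversions that may lose data, which is a class of warning worth keeping visible in record- and length-handling code. I would add a `$!` comment above the assignment naming the module and construct that needs the suppression, or limit it to that module if the procedure allows. The rest of the build procedure is outside the hunk, so whether per-file settings exist cannot be told from here.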
@@ -230,6 +230,12 @@ extern "C" { /* ExtensionType value from RFC5620 */ #define TLSEXT_TYPE_heartbeat 15 +/* ExtensionType value for TLS padding extension. + * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml + * http://tools.ietf.org/html/draft-agl-tls-padding-03 + */ +#define TLSEXT_TYPE_padding 21 + /* ExtensionType value from RFC4507 */ #define TLSEXT_TYPE_session_ticket 35 diff --git a/crypto/external/bsd/openssl/dist/util/libeay.num b/crypto/external/bsd/openssl/dist/util/libeay.num index 6debdb60a89b..aa86b2b8b1bf 100755 --- a/crypto/external/bsd/openssl/dist/util/libeay.num +++ b/crypto/external/bsd/openssl/dist/util/libeay.num @@ -3511,6 +3511,7 @@ BIO_set_callback 3903 EXIST::FUNCTION: d2i_ASIdOrRange 3904 EXIST::FUNCTION:RFC3779 i2d_ASIdentifiers 3905 EXIST::FUNCTION:RFC3779 CRYPTO_memcmp 3906 EXIST::FUNCTION: +BN_consttime_swap 3907 EXIST::FUNCTION: SEED_decrypt 3908 EXIST::FUNCTION:SEED SEED_encrypt 3909 EXIST::FUNCTION:SEED SEED_cbc_encrypt 3910 EXIST::FUNCTION:SEED diff --git a/crypto/external/bsd/openssl/dist/util/pl/BC-32.pl b/crypto/external/bsd/openssl/dist/util/pl/BC-32.pl index 5ea8f62c6d58..5b12bd76a191 100644 --- a/crypto/external/bsd/openssl/dist/util/pl/BC-32.pl +++ b/crypto/external/bsd/openssl/dist/util/pl/BC-32.pl @@ -18,7 +18,7 @@ $out_def="out32"; $tmp_def="tmp32"; $inc_def="inc32"; #enable max error messages, disable most common warnings -$cflags="-DWIN32_LEAN_AND_MEAN -q -w-ccc -w-rch -w-pia -w-aus -w-par -w-inl -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -D_strnicmp=strnicmp "; +$cflags="-DWIN32_LEAN_AND_MEAN -q -w-ccc -w-rch -w-pia -w-aus -w-par -w-inl -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -D_strnicmp=strnicmp -D_timeb=timeb -D_ftime=ftime "; if ($debug) { $cflags.="-Od -y -v -vi- -D_DEBUG"; 
@@ -38,7 +38,7 @@ $efile=""; $exep='.exe'; if ($no_sock) { $ex_libs=""; } -else { $ex_libs="cw32mt.lib import32.lib"; } +else { $ex_libs="cw32mt.lib import32.lib crypt32.lib ws2_32.lib"; } # static library stuff $mklib='tlib /P64'; @@ -51,8 +51,8 @@ $lfile=''; $shlib_ex_obj=""; $app_ex_obj="c0x32.obj"; -$asm='nasmw -f obj -d__omf__'; -$asm.=" /Zi" if $debug; +$asm=(`nasm -v 2>NUL` ge `nasmw -v 2>NUL`?"nasm":"nasmw")." -f obj -d__omf__"; +$asm.=" -g" if $debug; $afile='-o'; $bn_mulw_obj=''; diff --git a/crypto/external/bsd/openssl/dist/util/pl/VC-32.pl b/crypto/external/bsd/openssl/dist/util/pl/VC-32.pl index 6c550f54aedf..3705fc73b70c 100644 --- a/crypto/external/bsd/openssl/dist/util/pl/VC-32.pl +++ b/crypto/external/bsd/openssl/dist/util/pl/VC-32.pl @@ -27,6 +27,8 @@ $zlib_lib="zlib1.lib"; $l_flags =~ s/-L("\[^"]+")/\/libpath:$1/g; $l_flags =~ s/-L(\S+)/\/libpath:$1/g; +my $ff = ""; + # C compiler stuff $cc='cl'; if ($FLAVOR =~ /WIN64/) @@ -126,6 +128,7 @@ else # Win32 $base_cflags= " $mf_cflag"; my $f = $shlib || $fips ?' /MD':' /MT'; $lib_cflag='/Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib + $ff = "/fixed"; $opt_cflags=$f.' /Ox /O2 /Ob2'; $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG'; $lflags="/nologo /subsystem:console /opt:ref"; @@ -318,7 +321,7 @@ sub do_lib_rule $ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n"; $ret.="\tSET FIPS_TARGET=$target\n"; $ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n"; - $ret.="\t\$(FIPSLINK) \$(MLFLAGS) /map $base_arg $efile$target "; + $ret.="\t\$(FIPSLINK) \$(MLFLAGS) $ff /map $base_arg $efile$target "; $ret.="$name @<<\n \$(SHLIB_EX_OBJ) $objs \$(EX_LIBS) "; $ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n<<\n"; } 
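Review bot: The new `$asm=` assignment in BC-32.pl picks the assembler by comparing the output of `nasm -v` and `nasmw -v` with the string operator `ge`. With both tools installed the choice is lexicographic rather than by version number. With neither installed both outputs are empty, the comparison is true, and "nasm" is selected without any error. I would probe each tool separately and stop early when neither answers, for example `die "neither nasm nor nasmw found in PATH\n" unless $asm_name;`, with `$asm_name` set from whichever probe returned output. A comment should also note that the probes run whatever `nasm` or `nasmw` is first in PATH when this file is loaded.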
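Review bot: `$ff = "/fixed";` in the Win32 branch of VC-32.pl has no comment, and the later hunks splice it into the `$(FIPSLINK)` commands of do_lib_rule and do_link_rule. The linker's /FIXED option produces an image without relocation data, so the FIPS-linked binaries load only at their preferred base address and cannot be rebased by ASLR. If the FIPS integrity check requires that, which seems likely but is not stated on the page, the assignment should say so, for example `# /fixed: FIPS link only; image cannot be rebased (no ASLR) - reason: TODO document`. A descriptive name such as `$fips_lflags` would also read better than `$ff`. Both sub bodies extend beyond their hunks.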
@@ -355,7 +358,7 @@ sub do_link_rule $ret.="\tSET FIPS_TARGET=$target\n"; $ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n"; $ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n"; - $ret.="\t\$(FIPSLINK) \$(LFLAGS) /map $efile$target @<<\n"; + $ret.="\t\$(FIPSLINK) \$(LFLAGS) $ff /map $efile$target @<<\n"; $ret.="\t\$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n<<\n"; } else