merge conflicts, bump libraries to 11 for consistency.

christos 2016-03-02 01:52:35 +00:00
parent 603f28d89d
commit 338c254400
23 changed files with 403 additions and 104 deletions

@ -2,6 +2,138 @@
OpenSSL CHANGES OpenSSL CHANGES
_______________ _______________
Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
Builds that are not configured with "enable-weak-ssl-ciphers" will not
provide any "EXPORT" or "LOW" strength ciphers.
[Viktor Dukhovni]
* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
is by default disabled at build-time. Builds that are not configured with
"enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
will need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
as appropriate. Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client and
server variants, SSLv2 ciphers vulnerable to exhaustive search key
recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
ciphers, and SSLv2 56-bit DES are no longer available.
(CVE-2016-0800)
[Viktor Dukhovni]
*) Fix a double-free in DSA code
A double free bug was discovered when OpenSSL parses malformed DSA private
keys and could lead to a DoS attack or memory corruption for applications
that receive DSA private keys from untrusted sources. This scenario is
considered rare.
This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
libFuzzer.
(CVE-2016-0705)
[Stephen Henson]
*) Disable SRP fake user seed to address a server memory leak.
Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
SRP_VBASE_get_by_user had inconsistent memory management behaviour.
In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
was changed to ignore the "fake user" SRP seed, even if the seed
is configured.
Users should use SRP_VBASE_get1_by_user instead. Note that in
SRP_VBASE_get1_by_user, caller must free the returned value. Note
also that even though configuring the SRP seed attempts to hide
invalid usernames by continuing the handshake with fake
credentials, this behaviour is not constant time and no strong
guarantees are made that the handshake is indistinguishable from
that of a valid user.
(CVE-2016-0798)
[Emilia Käsper]
*) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
In the BN_hex2bn function the number of hex digits is calculated using an
int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
large values of |i| this can result in |bn_expand| not allocating any
memory because |i * 4| is negative. This can leave the internal BIGNUM data
field as NULL leading to a subsequent NULL ptr deref. For very large values
of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
In this case memory is allocated to the internal BIGNUM data field, but it
is insufficiently sized leading to heap corruption. A similar issue exists
in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
is ever called by user applications with very large untrusted hex/dec data.
This is anticipated to be a rare occurrence.
All OpenSSL internal usage of these functions use data that is not expected
to be untrusted, e.g. config file data or application command line
arguments. If user developed applications generate config file data based
on untrusted data then it is possible that this could also lead to security
consequences. This is also anticipated to be rare.
This issue was reported to OpenSSL by Guido Vranken.
(CVE-2016-0797)
[Matt Caswell]
*) Fix memory issues in BIO_*printf functions
The internal |fmtstr| function used in processing a "%s" format string in
the BIO_*printf functions could overflow while calculating the length of a
string and cause an OOB read when printing very long strings.
Additionally the internal |doapr_outch| function can attempt to write to an
OOB memory location (at an offset from the NULL pointer) in the event of a
memory allocation failure. In 1.0.2 and below this could be caused where
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
could be in processing a very long "%s" format string. Memory leaks can
also occur.
The first issue may mask the second issue dependent on compiler behaviour.
These problems could enable attacks where large amounts of untrusted data
is passed to the BIO_*printf functions. If applications use these functions
in this way then they could be vulnerable. OpenSSL itself uses these
functions when printing out human-readable dumps of ASN.1 data. Therefore
applications that print this data could be vulnerable if the data is from
untrusted sources. OpenSSL command line applications could also be
vulnerable where they print out ASN.1 data, or if untrusted data is passed
as command line arguments.
Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.
This issue was reported to OpenSSL Guido Vranken.
(CVE-2016-0799)
[Matt Caswell]
*) Side channel attack on modular exponentiation
A side-channel attack was found which makes use of cache-bank conflicts on
the Intel Sandy-Bridge microarchitecture which could lead to the recovery
of RSA keys. The ability to exploit this issue is limited as it relies on
an attacker who has control of code in a thread running on the same
hyper-threaded core as the victim thread which is performing decryptions.
This issue was reported to OpenSSL by Yuval Yarom, The University of
Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
Nadia Heninger, University of Pennsylvania with more information at
http://cachebleed.info.
(CVE-2016-0702)
[Andy Polyakov]
*) Change the req app to generate a 2048-bit RSA/DSA key by default,
if no keysize is specified with default_bits. This fixes an
omission in an earlier change that changed all RSA/DSA key generation
apps to use 2048 bits by default.
[Emilia Käsper]
Changes between 1.0.1q and 1.0.1r [28 Jan 2016] Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
*) Protection for DH small subgroup attacks *) Protection for DH small subgroup attacks
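Review bot: The first two entries under "Changes between 1.0.1r and 1.0.1s" open with `*` where every other entry in this hunk opens with `*)`, so the weak-cipher and SSLv2 (CVE-2016-0800) items no longer match the file's bullet convention. The BIO_*printf entry also reads "reported to OpenSSL Guido Vranken" where the BN_hex2bn entry has "reported to OpenSSL by Guido Vranken". If the text is imported verbatim from upstream, leave it and report it there; otherwise normalise both.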
@ -62,7 +194,7 @@
[Emilia Käsper] [Emilia Käsper]
*) In DSA_generate_parameters_ex, if the provided seed is too short, *) In DSA_generate_parameters_ex, if the provided seed is too short,
return an error use a random seed, as already documented.
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>] [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
Changes between 1.0.1o and 1.0.1p [9 Jul 2015] Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
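Review bot: The DSA_generate_parameters_ex entry sits under an already released version, and its description of the short-seed case changes from "return an error" to "use a random seed, as already documented", which is the opposite behaviour. Confirm that the DSA parameter generation code in this tree really falls back to a random seed; none of the hunks shown here touches it, and a caller that relied on the error return to detect a short seed would now silently receive parameters not derived from its seed.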

@ -58,6 +58,10 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
# library and will be loaded in run-time by the OpenSSL library. # library and will be loaded in run-time by the OpenSSL library.
# sctp include SCTP support # sctp include SCTP support
# 386 generate 80386 code # 386 generate 80386 code
# enable-weak-ssl-ciphers
# Enable EXPORT and LOW SSLv3 ciphers that are disabled by
# default. Note, weak SSLv2 ciphers are unconditionally
# disabled.
# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2 # no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...) # no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> compiler options are passed through # -<xxx> +<xxx> compiler options are passed through
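Review bot: The new enable-weak-ssl-ciphers block is inserted between the `386` line and the `no-sse2` line, whose text "above option implies no-sse2" referred to `386` and now reads as if it refers to enable-weak-ssl-ciphers. Move the new block below `no-sse2`, or reword that line to name `386` explicitly. The %disabled change in the next hunk also adds "ssl2", and the part of the usage comment visible here gains no matching enable-ssl2 entry.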
@ -724,10 +728,12 @@ my %disabled = ( # "what" => "comment" [or special keyword "experimental
"md2" => "default", "md2" => "default",
"rc5" => "default", "rc5" => "default",
"rfc3779" => "default", "rfc3779" => "default",
"sctp" => "default", "sctp" => "default",
"shared" => "default", "shared" => "default",
"ssl2" => "default",
"store" => "experimental", "store" => "experimental",
"unit-test" => "default", "unit-test" => "default",
"weak-ssl-ciphers" => "default",
"zlib" => "default", "zlib" => "default",
"zlib-dynamic" => "default" "zlib-dynamic" => "default"
); );

@ -4,7 +4,7 @@
## Makefile for OpenSSL ## Makefile for OpenSSL
## ##
VERSION=1.0.1r VERSION=1.0.1s
MAJOR=1 MAJOR=1
MINOR=0.1 MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0 SHLIB_VERSION_NUMBER=1.0.0
@ -13,7 +13,7 @@ SHLIB_MAJOR=1
SHLIB_MINOR=0.0 SHLIB_MINOR=0.0
SHLIB_EXT= SHLIB_EXT=
PLATFORM=dist PLATFORM=dist
OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-store no-unit-test no-zlib no-zlib-dynamic static-engine OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic static-engine
CONFIGURE_ARGS=dist CONFIGURE_ARGS=dist
SHLIB_TARGET= SHLIB_TARGET=
@ -61,7 +61,7 @@ OPENSSLDIR=/usr/local/ssl
CC= cc CC= cc
CFLAG= -O CFLAG= -O
DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST -DOPENSSL_NO_WEAK_SSL_CIPHERS
PEX_LIBS= PEX_LIBS=
EX_LIBS= EX_LIBS=
EXE_EXT= EXE_EXT=

@ -5,6 +5,19 @@
This file gives a brief overview of the major changes between each OpenSSL This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file. release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016]
o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
o Disable SSLv2 default build, default negotiation and weak ciphers
(CVE-2016-0800)
o Fix a double-free in DSA code (CVE-2016-0705)
o Disable SRP fake user seed to address a server memory leak
(CVE-2016-0798)
o Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
(CVE-2016-0797)
o Fix memory issues in BIO_*printf functions (CVE-2016-0799)
o Fix side channel attack on modular exponentiation (CVE-2016-0702)
Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016] Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016]
o Protection for DH small subgroup attacks o Protection for DH small subgroup attacks

@ -1,5 +1,5 @@
OpenSSL 1.0.1r 28 Jan 2016 OpenSSL 1.0.1s 1 Mar 2016
Copyright (c) 1998-2015 The OpenSSL Project Copyright (c) 1998-2015 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

@ -416,6 +416,8 @@ typedef struct srpsrvparm_st {
static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
{ {
srpsrvparm *p = (srpsrvparm *) arg; srpsrvparm *p = (srpsrvparm *) arg;
int ret = SSL3_AL_FATAL;
if (p->login == NULL && p->user == NULL) { if (p->login == NULL && p->user == NULL) {
p->login = SSL_get_srp_username(s); p->login = SSL_get_srp_username(s);
BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login); BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
@ -424,21 +426,25 @@ static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
if (p->user == NULL) { if (p->user == NULL) {
BIO_printf(bio_err, "User %s doesn't exist\n", p->login); BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
return SSL3_AL_FATAL; goto err;
} }
if (SSL_set_srp_server_param if (SSL_set_srp_server_param
(s, p->user->N, p->user->g, p->user->s, p->user->v, (s, p->user->N, p->user->g, p->user->s, p->user->v,
p->user->info) < 0) { p->user->info) < 0) {
*ad = SSL_AD_INTERNAL_ERROR; *ad = SSL_AD_INTERNAL_ERROR;
return SSL3_AL_FATAL; goto err;
} }
BIO_printf(bio_err, BIO_printf(bio_err,
"SRP parameters set: username = \"%s\" info=\"%s\" \n", "SRP parameters set: username = \"%s\" info=\"%s\" \n",
p->login, p->user->info); p->login, p->user->info);
/* need to check whether there are memory leaks */ ret = SSL_ERROR_NONE;
err:
SRP_user_pwd_free(p->user);
p->user = NULL; p->user = NULL;
p->login = NULL; p->login = NULL;
return SSL_ERROR_NONE; return ret;
} }
#endif #endif
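Review bot: At the new `err:` label, `SRP_user_pwd_free(p->user)` runs on every exit path, so the callback now assumes p->user is always a copy the caller owns, as returned by SRP_VBASE_get1_by_user; any lookup left on SRP_VBASE_get_by_user, whose memory management the CHANGES entry describes as inconsistent, would feed this free a pointer it may not own. A one-line comment at `err:` stating the ownership rule would make that harder to regress. Separately, `ret` mixes two unrelated constant families (`SSL3_AL_FATAL` as the initial value, `SSL_ERROR_NONE` on success); that predates this change, but now that both live in one variable it deserves a comment or a cleanup.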
@ -2249,9 +2255,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) { while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {
BIO_printf(bio_s_out, "LOOKUP renego during write\n"); BIO_printf(bio_s_out, "LOOKUP renego during write\n");
SRP_user_pwd_free(srp_callback_parm.user);
srp_callback_parm.user = srp_callback_parm.user =
SRP_VBASE_get_by_user(srp_callback_parm.vb, SRP_VBASE_get1_by_user(srp_callback_parm.vb,
srp_callback_parm.login); srp_callback_parm.login);
if (srp_callback_parm.user) if (srp_callback_parm.user)
BIO_printf(bio_s_out, "LOOKUP done %s\n", BIO_printf(bio_s_out, "LOOKUP done %s\n",
srp_callback_parm.user->info); srp_callback_parm.user->info);
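Review bot: `SRP_user_pwd_free(srp_callback_parm.user)` at the top of this loop can be reached with a NULL pointer, because the callback's `err:` path sets `p->user = NULL` before returning. Confirm that SRP_user_pwd_free accepts NULL, or guard the call.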
@ -2305,9 +2312,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)
#ifndef OPENSSL_NO_SRP #ifndef OPENSSL_NO_SRP
while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) { while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
BIO_printf(bio_s_out, "LOOKUP renego during read\n"); BIO_printf(bio_s_out, "LOOKUP renego during read\n");
SRP_user_pwd_free(srp_callback_parm.user);
srp_callback_parm.user = srp_callback_parm.user =
SRP_VBASE_get_by_user(srp_callback_parm.vb, SRP_VBASE_get1_by_user(srp_callback_parm.vb,
srp_callback_parm.login); srp_callback_parm.login);
if (srp_callback_parm.user) if (srp_callback_parm.user)
BIO_printf(bio_s_out, "LOOKUP done %s\n", BIO_printf(bio_s_out, "LOOKUP done %s\n",
srp_callback_parm.user->info); srp_callback_parm.user->info);
@ -2392,9 +2400,10 @@ static int init_ssl_connection(SSL *con)
while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) { while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
BIO_printf(bio_s_out, "LOOKUP during accept %s\n", BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
srp_callback_parm.login); srp_callback_parm.login);
SRP_user_pwd_free(srp_callback_parm.user);
srp_callback_parm.user = srp_callback_parm.user =
SRP_VBASE_get_by_user(srp_callback_parm.vb, SRP_VBASE_get1_by_user(srp_callback_parm.vb,
srp_callback_parm.login); srp_callback_parm.login);
if (srp_callback_parm.user) if (srp_callback_parm.user)
BIO_printf(bio_s_out, "LOOKUP done %s\n", BIO_printf(bio_s_out, "LOOKUP done %s\n",
srp_callback_parm.user->info); srp_callback_parm.user->info);
@ -2621,9 +2630,10 @@ static int www_body(char *hostname, int s, unsigned char *context)
&& SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) { && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
BIO_printf(bio_s_out, "LOOKUP during accept %s\n", BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
srp_callback_parm.login); srp_callback_parm.login);
SRP_user_pwd_free(srp_callback_parm.user);
srp_callback_parm.user = srp_callback_parm.user =
SRP_VBASE_get_by_user(srp_callback_parm.vb, SRP_VBASE_get1_by_user(srp_callback_parm.vb,
srp_callback_parm.login); srp_callback_parm.login);
if (srp_callback_parm.user) if (srp_callback_parm.user)
BIO_printf(bio_s_out, "LOOKUP done %s\n", BIO_printf(bio_s_out, "LOOKUP done %s\n",
srp_callback_parm.user->info); srp_callback_parm.user->info);
@ -2663,9 +2673,10 @@ static int www_body(char *hostname, int s, unsigned char *context)
if (BIO_should_io_special(io) if (BIO_should_io_special(io)
&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
BIO_printf(bio_s_out, "LOOKUP renego during read\n"); BIO_printf(bio_s_out, "LOOKUP renego during read\n");
SRP_user_pwd_free(srp_callback_parm.user);
srp_callback_parm.user = srp_callback_parm.user =
SRP_VBASE_get_by_user(srp_callback_parm.vb, SRP_VBASE_get1_by_user(srp_callback_parm.vb,
srp_callback_parm.login); srp_callback_parm.login);
if (srp_callback_parm.user) if (srp_callback_parm.user)
BIO_printf(bio_s_out, "LOOKUP done %s\n", BIO_printf(bio_s_out, "LOOKUP done %s\n",
srp_callback_parm.user->info); srp_callback_parm.user->info);
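Review bot: This is the fifth copy of the same free-then-lookup sequence (two in sv_body, one in init_ssl_connection, two in www_body), and each copy has to get the ownership right on its own. A small static helper that frees srp_callback_parm.user and reassigns it from SRP_VBASE_get1_by_user would keep the rule in one place.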

@ -125,6 +125,7 @@
#ifndef HEADER_BN_H #ifndef HEADER_BN_H
# define HEADER_BN_H # define HEADER_BN_H
# include <limits.h>
# include <openssl/e_os2.h> # include <openssl/e_os2.h>
# ifndef OPENSSL_NO_FP_API # ifndef OPENSSL_NO_FP_API
# include <stdio.h> /* FILE */ # include <stdio.h> /* FILE */
@ -739,8 +740,17 @@ const BIGNUM *BN_get0_nist_prime_521(void);
/* library internal functions */ /* library internal functions */
# define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\ # define bn_expand(a,bits) \
(a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2)) ( \
bits > (INT_MAX - BN_BITS2 + 1) ? \
NULL \
: \
(((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax) ? \
(a) \
: \
bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2) \
)
# define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words))) # define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
BIGNUM *bn_expand2(BIGNUM *a, int words); BIGNUM *bn_expand2(BIGNUM *a, int words);
# ifndef OPENSSL_NO_DEPRECATED # ifndef OPENSSL_NO_DEPRECATED
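Review bot: The new guard in bn_expand, `bits > (INT_MAX - BN_BITS2 + 1)`, rejects only large positive values. Per the CHANGES entry the caller passes `i * 4`, and when that product has already wrapped negative the comparison is false, `((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax` is true, and the macro returns `(a)` without allocating. The callers therefore still need their own bound on `i` before the multiplication; check that the BN_hex2bn/BN_dec2bn side of the fix is part of this merge, since it is not among the hunks shown here. Also, `bits` is unparenthesised and expanded three times, so writing `(bits)` throughout and noting that the argument must be free of side effects would be worthwhile.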

@ -110,6 +110,7 @@
*/ */
#include "cryptlib.h" #include "cryptlib.h"
#include "constant_time_locl.h"
#include "bn_lcl.h" #include "bn_lcl.h"
#include <stdlib.h> #include <stdlib.h>
@ -550,15 +551,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top, static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top,
unsigned char *buf, int idx, unsigned char *buf, int idx,
int width) int window)
{ {
size_t i, j; int i, j;
int width = 1 << window;
BN_ULONG *table = (BN_ULONG *)buf;
if (top > b->top) if (top > b->top)
top = b->top; /* this works because 'buf' is explicitly top = b->top; /* this works because 'buf' is explicitly
* zeroed */ * zeroed */
for (i = 0, j = idx; i < top * sizeof b->d[0]; i++, j += width) { for (i = 0, j = idx; i < top; i++, j += width) {
buf[j] = ((unsigned char *)b->d)[i]; table[j] = b->d[i];
} }
return 1; return 1;
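Review bot: The last parameter of MOD_EXP_CTIME_COPY_TO_PREBUF keeps the type `int` but changes meaning from the table width (callers passed numPowers) to its log2 (`window`), so a caller that still passes numPowers compiles cleanly and computes `width = 1 << numPowers`, scattering words far past the intended stride. All callers visible in this diff are updated; a comment on the parameter would protect later merges. The new `BN_ULONG *table = (BN_ULONG *)buf` cast also assumes `buf` is aligned for BN_ULONG, which should be stated where powerbuf is set up.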
@ -566,15 +569,51 @@ static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top,
static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
unsigned char *buf, int idx, unsigned char *buf, int idx,
int width) int window)
{ {
size_t i, j; int i, j;
int width = 1 << window;
volatile BN_ULONG *table = (volatile BN_ULONG *)buf;
if (bn_wexpand(b, top) == NULL) if (bn_wexpand(b, top) == NULL)
return 0; return 0;
for (i = 0, j = idx; i < top * sizeof b->d[0]; i++, j += width) { if (window <= 3) {
((unsigned char *)b->d)[i] = buf[j]; for (i = 0; i < top; i++, table += width) {
BN_ULONG acc = 0;
for (j = 0; j < width; j++) {
acc |= table[j] &
((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
}
b->d[i] = acc;
}
} else {
int xstride = 1 << (window - 2);
BN_ULONG y0, y1, y2, y3;
i = idx >> (window - 2); /* equivalent of idx / xstride */
idx &= xstride - 1; /* equivalent of idx % xstride */
y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1);
y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1);
y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1);
y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1);
for (i = 0; i < top; i++, table += width) {
BN_ULONG acc = 0;
for (j = 0; j < xstride; j++) {
acc |= ( (table[j + 0 * xstride] & y0) |
(table[j + 1 * xstride] & y1) |
(table[j + 2 * xstride] & y2) |
(table[j + 3 * xstride] & y3) )
& ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
}
b->d[i] = acc;
}
} }
b->top = top; b->top = top;
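Review bot: In the `else` branch of MOD_EXP_CTIME_COPY_FROM_PREBUF only four stride masks `y0`..`y3` exist, so the gather is correct only while `idx >> (window - 2)` stays in 0..3, that is while `idx < (1 << window)`; an out-of-range `idx` makes all four masks zero and the function returns a silently zero value instead of an error. Document that precondition, and consider a separate variable instead of reusing `i` first as the stride selector and then as the loop counter. A short comment tying the masked full-table read to the cache-bank side channel (CVE-2016-0702 in CHANGES) would stop a later change from turning it back into a direct indexed load.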
@ -804,9 +843,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
} else } else
#endif #endif
{ {
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, numPowers)) if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, window))
goto err; goto err;
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, numPowers)) if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, window))
goto err; goto err;
/* /*
@ -818,15 +857,15 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
if (window > 1) { if (window > 1) {
if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx)) if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx))
goto err; goto err;
if (!MOD_EXP_CTIME_COPY_TO_PREBUF if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2,
(&tmp, top, powerbuf, 2, numPowers)) window))
goto err; goto err;
for (i = 3; i < numPowers; i++) { for (i = 3; i < numPowers; i++) {
/* Calculate a^i = a^(i-1) * a */ /* Calculate a^i = a^(i-1) * a */
if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx)) if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx))
goto err; goto err;
if (!MOD_EXP_CTIME_COPY_TO_PREBUF if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i,
(&tmp, top, powerbuf, i, numPowers)) window))
goto err; goto err;
} }
} }
@ -834,8 +873,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
bits--; bits--;
for (wvalue = 0, i = bits % window; i >= 0; i--, bits--) for (wvalue = 0, i = bits % window; i >= 0; i--, bits--)
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits); wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
if (!MOD_EXP_CTIME_COPY_FROM_PREBUF if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp, top, powerbuf, wvalue,
(&tmp, top, powerbuf, wvalue, numPowers)) window))
goto err; goto err;
/* /*
@ -855,8 +894,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
/* /*
* Fetch the appropriate pre-computed value from the pre-buf * Fetch the appropriate pre-computed value from the pre-buf
*/ */
if (!MOD_EXP_CTIME_COPY_FROM_PREBUF if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am, top, powerbuf, wvalue,
(&am, top, powerbuf, wvalue, numPowers)) window))
goto err; goto err;
/* Multiply the result into the intermediate result */ /* Multiply the result into the intermediate result */

@ -191,6 +191,8 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
STACK_OF(ASN1_TYPE) *ndsa = NULL; STACK_OF(ASN1_TYPE) *ndsa = NULL;
DSA *dsa = NULL; DSA *dsa = NULL;
int ret = 0;
if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
return 0; return 0;
X509_ALGOR_get0(NULL, &ptype, &pval, palg); X509_ALGOR_get0(NULL, &ptype, &pval, palg);
@ -262,23 +264,21 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
} }
EVP_PKEY_assign_DSA(pkey, dsa); EVP_PKEY_assign_DSA(pkey, dsa);
ret = 1;
goto done;
decerr:
DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
dsaerr:
DSA_free(dsa);
done:
BN_CTX_free(ctx); BN_CTX_free(ctx);
if (ndsa) if (ndsa)
sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free); sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
else else
ASN1_STRING_clear_free(privkey); ASN1_STRING_clear_free(privkey);
return ret;
return 1;
decerr:
DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
dsaerr:
BN_CTX_free(ctx);
if (privkey)
ASN1_STRING_clear_free(privkey);
sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
DSA_free(dsa);
return 0;
} }
static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
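Review bot: `EVP_PKEY_assign_DSA(pkey, dsa)` is followed directly by `ret = 1; goto done;` with its return value unchecked, so if the assignment fails the function reports success and `dsa` is neither attached to `pkey` nor freed. Check the result and `goto dsaerr` on failure. In the shared `done:` cleanup, the `else` arm calls `ASN1_STRING_clear_free(privkey)` without the `if (privkey)` test that the removed error path had; confirm that function accepts NULL for the early-failure case.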

@ -30,6 +30,12 @@ extern "C" {
#ifndef OPENSSL_NO_RFC3779 #ifndef OPENSSL_NO_RFC3779
# define OPENSSL_NO_RFC3779 # define OPENSSL_NO_RFC3779
#endif #endif
#ifndef OPENSSL_NO_SCTP
# define OPENSSL_NO_SCTP
#endif
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#ifndef OPENSSL_NO_STORE #ifndef OPENSSL_NO_STORE
# define OPENSSL_NO_STORE # define OPENSSL_NO_STORE
#endif #endif
@ -40,9 +46,15 @@ extern "C" {
#ifndef OPENSSL_NO_SCTP #ifndef OPENSSL_NO_SCTP
# define OPENSSL_NO_SCTP # define OPENSSL_NO_SCTP
#endif #endif
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#endif /* __NetBSD__ */ #endif /* __NetBSD__ */
#define OPENSSL_CPUID_OBJ #define OPENSSL_CPUID_OBJ
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
# define OPENSSL_NO_WEAK_SSL_CIPHERS
#endif
#endif /* OPENSSL_DOING_MAKEDEPEND */ #endif /* OPENSSL_DOING_MAKEDEPEND */
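Review bot: The `#ifndef OPENSSL_NO_SSL2` / `# define OPENSSL_NO_SSL2` block placed here just before `#endif /* __NetBSD__ */` duplicates the identical block in the previous hunk, and OPENSSL_NO_SCTP is likewise present in both places. The `#ifndef` guards make this harmless, but it looks like merge residue; keep one copy so the header states clearly whether these are NetBSD-specific or general defaults.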
@ -82,12 +94,18 @@ extern "C" {
# if defined(OPENSSL_NO_SCTP) && !defined(NO_SCTP) # if defined(OPENSSL_NO_SCTP) && !defined(NO_SCTP)
# define NO_SCTP # define NO_SCTP
# endif # endif
# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
# define NO_SSL2
# endif
# if defined(OPENSSL_NO_STORE) && !defined(NO_STORE) # if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
# define NO_STORE # define NO_STORE
# endif # endif
# if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST) # if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST)
# define NO_UNIT_TEST # define NO_UNIT_TEST
# endif # endif
# if defined(OPENSSL_NO_WEAK_SSL_CIPHERS) && !defined(NO_WEAK_SSL_CIPHERS)
# define NO_WEAK_SSL_CIPHERS
# endif
#endif #endif
/* crypto/opensslconf.h.in */ /* crypto/opensslconf.h.in */

@ -30,11 +30,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta) * major minor fix final patch/beta)
*/ */
# define OPENSSL_VERSION_NUMBER 0x1000112fL # define OPENSSL_VERSION_NUMBER 0x1000113fL
# ifdef OPENSSL_FIPS # ifdef OPENSSL_FIPS
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1r-fips 28 Jan 2016" # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1s-fips 1 Mar 2016"
# else # else
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1r 28 Jan 2016" # define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1s 1 Mar 2016"
# endif # endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT

@ -84,7 +84,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
return 0; return 0;
} }
#endif #endif
if (rsa->meth->rsa_sign) { if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) {
return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
} }
/* Special case: SSL signature, just check the length */ /* Special case: SSL signature, just check the length */
@ -304,7 +304,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
{ {
if (rsa->meth->rsa_verify) { if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) {
return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa); return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
} }
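Review bot: RSA_sign and RSA_verify now dispatch to `rsa->meth->rsa_sign` and `rsa->meth->rsa_verify` only when `rsa->flags & RSA_FLAG_SIGN_VER` is set, a behaviour change that neither the commit message nor the CHANGES entries mention. An RSA_METHOD that supplies these hooks without the flag was honoured before and is now skipped in favour of the default path, which matters for methods such as hardware-backed engines that must perform the operation themselves. Confirm that every in-tree method that sets rsa_sign or rsa_verify also sets the flag, and record the change in the commit log.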

@ -211,8 +211,10 @@ int main(int argc, char *argv[])
cache_stats = 1; cache_stats = 1;
else if (strcmp(*argv, "-ssl3") == 0) else if (strcmp(*argv, "-ssl3") == 0)
ssl_method = SSLv3_method(); ssl_method = SSLv3_method();
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv, "-ssl2") == 0) else if (strcmp(*argv, "-ssl2") == 0)
ssl_method = SSLv2_method(); ssl_method = SSLv2_method();
#endif
else if (strcmp(*argv, "-CApath") == 0) { else if (strcmp(*argv, "-CApath") == 0) {
if (--argc < 1) if (--argc < 1)
goto bad; goto bad;
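Review bot: With the `#ifndef OPENSSL_NO_SSL2` guard around the `-ssl2` branch, a default build (ssl2 is now in %disabled) no longer recognises that argument at all, so test scripts that still pass it fail with whatever the generic unknown-option path prints. An `#else` arm that reports that SSLv2 support is not compiled in would make those failures self-explanatory.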

@ -7,7 +7,7 @@ Release: 1
Summary: Secure Sockets Layer and cryptography libraries and tools Summary: Secure Sockets Layer and cryptography libraries and tools
Name: openssl Name: openssl
#Version: %{libmaj}.%{libmin}.%{librel} #Version: %{libmaj}.%{libmin}.%{librel}
Version: 1.0.1r Version: 1.0.1s
Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
License: OpenSSL License: OpenSSL
Group: System Environment/Libraries Group: System Environment/Libraries

@ -420,14 +420,14 @@ s2_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
s2_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h s2_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
s2_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h s2_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s2_clnt.o: ../include/openssl/pqueue.h ../include/openssl/rand.h s2_clnt.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
s2_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
s2_clnt.o: ../include/openssl/sha.h ../include/openssl/srtp.h s2_clnt.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s2_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s2_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
s2_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s2_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h s2_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_clnt.c
s2_clnt.o: ../include/openssl/x509_vfy.h s2_clnt.c ssl_locl.h s2_clnt.o: ssl_locl.h
s2_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s2_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
s2_enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h s2_enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
s2_enc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h s2_enc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@ -456,18 +456,18 @@ s2_lib.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
s2_lib.o: ../include/openssl/ecdsa.h ../include/openssl/err.h s2_lib.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
s2_lib.o: ../include/openssl/evp.h ../include/openssl/hmac.h s2_lib.o: ../include/openssl/evp.h ../include/openssl/hmac.h
s2_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h s2_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
s2_lib.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h s2_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s2_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s2_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
s2_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h s2_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s2_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h s2_lib.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
s2_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h s2_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
s2_lib.o: ../include/openssl/sha.h ../include/openssl/srtp.h s2_lib.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
s2_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h s2_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
s2_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h s2_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
s2_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s2_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
s2_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h s2_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_lib.c
s2_lib.o: ../include/openssl/x509_vfy.h s2_lib.c ssl_locl.h s2_lib.o: ssl_locl.h
s2_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s2_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
s2_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h s2_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h
s2_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h s2_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
@ -508,20 +508,19 @@ s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c
s2_pkt.o: ssl_locl.h s2_pkt.o: ssl_locl.h
s2_srvr.o: ../crypto/constant_time_locl.h ../e_os.h ../include/openssl/asn1.h s2_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
s2_srvr.o: ../include/openssl/bio.h ../include/openssl/buffer.h s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h
s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h s2_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h s2_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
s2_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h s2_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
s2_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h s2_srvr.o: ../include/openssl/evp.h ../include/openssl/hmac.h
s2_srvr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
s2_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
s2_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h s2_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
s2_srvr.o: ../include/openssl/srtp.h ../include/openssl/ssl.h s2_srvr.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
s2_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h s2_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
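Review bot: The regenerated s2_srvr.o dependency list no longer names ../crypto/constant_time_locl.h (first line of the list) or ../include/openssl/rand.h (the line dropped just before safestack.h). If s2_srvr.c still includes either header, edits to them will not trigger a rebuild of s2_srvr.o. Please confirm these lines came from a fresh dependency run against the merged source rather than from resolving the conflict by hand.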

View File

@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
128, 128,
}, },
# if 0
/* RC4_128_EXPORT40_WITH_MD5 */ /* RC4_128_EXPORT40_WITH_MD5 */
{ {
1, 1,
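Review bot: The `# if 0` added ahead of the RC4_128_EXPORT40_WITH_MD5 entry has no comment saying why the entry is compiled out, and because it is unconditional it cannot be traced back to a build option. A one-line comment pointing at the CHANGES entry for CVE-2016-0800 (SSLv2 40-bit EXPORT and 56-bit DES ciphers removed) would keep someone from re-enabling it later as apparent dead code. The same applies to the other `# if 0` blocks added to this table.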
@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
40, 40,
128, 128,
}, },
# endif
/* RC2_128_CBC_WITH_MD5 */ /* RC2_128_CBC_WITH_MD5 */
{ {
@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
128, 128,
}, },
# if 0
/* RC2_128_CBC_EXPORT40_WITH_MD5 */ /* RC2_128_CBC_EXPORT40_WITH_MD5 */
{ {
1, 1,
@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
40, 40,
128, 128,
}, },
# endif
# ifndef OPENSSL_NO_IDEA # ifndef OPENSSL_NO_IDEA
/* IDEA_128_CBC_WITH_MD5 */ /* IDEA_128_CBC_WITH_MD5 */
@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
}, },
# endif # endif
# if 0
/* DES_64_CBC_WITH_MD5 */ /* DES_64_CBC_WITH_MD5 */
{ {
1, 1,
@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
56, 56,
56, 56,
}, },
# endif
/* DES_192_EDE3_CBC_WITH_MD5 */ /* DES_192_EDE3_CBC_WITH_MD5 */
{ {

View File

@ -203,6 +203,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher 03 */ /* Cipher 03 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_RSA_RC4_40_MD5, SSL3_TXT_RSA_RC4_40_MD5,
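Review bot: The `#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS` sits below the `/* Cipher 03 */` comment, so a build that defines the macro keeps the label with no table entry under it. Placing the guard above the comment would keep label and entry together and make the compiled-out ranges easier to audit. The later hunks in this file follow the same pattern.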
@ -217,6 +218,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
128, 128,
}, },
#endif
/* Cipher 04 */ /* Cipher 04 */
{ {
@ -251,6 +253,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher 06 */ /* Cipher 06 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_RSA_RC2_40_MD5, SSL3_TXT_RSA_RC2_40_MD5,
@ -265,6 +268,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
128, 128,
}, },
#endif
/* Cipher 07 */ /* Cipher 07 */
#ifndef OPENSSL_NO_IDEA #ifndef OPENSSL_NO_IDEA
@ -285,6 +289,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
#endif #endif
/* Cipher 08 */ /* Cipher 08 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_RSA_DES_40_CBC_SHA, SSL3_TXT_RSA_DES_40_CBC_SHA,
@ -299,8 +304,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
56, 56,
}, },
#endif
/* Cipher 09 */ /* Cipher 09 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_RSA_DES_64_CBC_SHA, SSL3_TXT_RSA_DES_64_CBC_SHA,
@ -315,6 +322,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56, 56,
56, 56,
}, },
#endif
/* Cipher 0A */ /* Cipher 0A */
{ {
@ -334,6 +342,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
/* The DH ciphers */ /* The DH ciphers */
/* Cipher 0B */ /* Cipher 0B */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
0, 0,
SSL3_TXT_DH_DSS_DES_40_CBC_SHA, SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
@ -348,8 +357,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
56, 56,
}, },
#endif
/* Cipher 0C */ /* Cipher 0C */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
0, /* not implemented (non-ephemeral DH) */ 0, /* not implemented (non-ephemeral DH) */
SSL3_TXT_DH_DSS_DES_64_CBC_SHA, SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
@ -364,6 +375,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56, 56,
56, 56,
}, },
#endif
/* Cipher 0D */ /* Cipher 0D */
{ {
@ -382,6 +394,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher 0E */ /* Cipher 0E */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
0, /* not implemented (non-ephemeral DH) */ 0, /* not implemented (non-ephemeral DH) */
SSL3_TXT_DH_RSA_DES_40_CBC_SHA, SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
@ -396,8 +409,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
56, 56,
}, },
#endif
/* Cipher 0F */ /* Cipher 0F */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
0, /* not implemented (non-ephemeral DH) */ 0, /* not implemented (non-ephemeral DH) */
SSL3_TXT_DH_RSA_DES_64_CBC_SHA, SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
@ -412,6 +427,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56, 56,
56, 56,
}, },
#endif
/* Cipher 10 */ /* Cipher 10 */
{ {
@ -431,6 +447,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
/* The Ephemeral DH ciphers */ /* The Ephemeral DH ciphers */
/* Cipher 11 */ /* Cipher 11 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_EDH_DSS_DES_40_CBC_SHA, SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
@ -445,8 +462,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
56, 56,
}, },
#endif
/* Cipher 12 */ /* Cipher 12 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_EDH_DSS_DES_64_CBC_SHA, SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
@ -461,6 +480,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56, 56,
56, 56,
}, },
#endif
/* Cipher 13 */ /* Cipher 13 */
{ {
@ -479,6 +499,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher 14 */ /* Cipher 14 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_EDH_RSA_DES_40_CBC_SHA, SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
@ -493,8 +514,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
56, 56,
}, },
#endif
/* Cipher 15 */ /* Cipher 15 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
@ -509,6 +532,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56, 56,
56, 56,
}, },
#endif
/* Cipher 16 */ /* Cipher 16 */
{ {
@ -527,6 +551,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher 17 */ /* Cipher 17 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_ADH_RC4_40_MD5, SSL3_TXT_ADH_RC4_40_MD5,
@ -541,6 +566,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
128, 128,
}, },
#endif
/* Cipher 18 */ /* Cipher 18 */
{ {
@ -559,6 +585,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher 19 */ /* Cipher 19 */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_ADH_DES_40_CBC_SHA, SSL3_TXT_ADH_DES_40_CBC_SHA,
@ -573,8 +600,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
128, 128,
}, },
#endif
/* Cipher 1A */ /* Cipher 1A */
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_ADH_DES_64_CBC_SHA, SSL3_TXT_ADH_DES_64_CBC_SHA,
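Review bot: In the context lines that close the Cipher 19 entry (SSL3_TXT_ADH_DES_40_CBC_SHA), the last two fields read 40, 128, while the other DES_40 entries guarded by this change close with 40, 56. The entry is now behind `OPENSSL_NO_WEAK_SSL_CIPHERS`, so this change does not make it worse, but the 128 matches the RC4_40 entries rather than the DES ones and is worth checking if these fields feed any strength-based selection.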
@ -589,6 +618,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56, 56,
56, 56,
}, },
#endif
/* Cipher 1B */ /* Cipher 1B */
{ {
@ -660,6 +690,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
#ifndef OPENSSL_NO_KRB5 #ifndef OPENSSL_NO_KRB5
/* The Kerberos ciphers*/ /* The Kerberos ciphers*/
/* Cipher 1E */ /* Cipher 1E */
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_KRB5_DES_64_CBC_SHA, SSL3_TXT_KRB5_DES_64_CBC_SHA,
@ -674,6 +705,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56, 56,
56, 56,
}, },
# endif
/* Cipher 1F */ /* Cipher 1F */
{ {
@ -724,6 +756,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher 22 */ /* Cipher 22 */
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_KRB5_DES_64_CBC_MD5, SSL3_TXT_KRB5_DES_64_CBC_MD5,
@ -738,6 +771,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56, 56,
56, 56,
}, },
# endif
/* Cipher 23 */ /* Cipher 23 */
{ {
@ -788,6 +822,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
}, },
/* Cipher 26 */ /* Cipher 26 */
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_KRB5_DES_40_CBC_SHA, SSL3_TXT_KRB5_DES_40_CBC_SHA,
@ -802,8 +837,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
56, 56,
}, },
# endif
/* Cipher 27 */ /* Cipher 27 */
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_KRB5_RC2_40_CBC_SHA, SSL3_TXT_KRB5_RC2_40_CBC_SHA,
@ -818,8 +855,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
128, 128,
}, },
# endif
/* Cipher 28 */ /* Cipher 28 */
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_KRB5_RC4_40_SHA, SSL3_TXT_KRB5_RC4_40_SHA,
@ -834,8 +873,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
128, 128,
}, },
# endif
/* Cipher 29 */ /* Cipher 29 */
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_KRB5_DES_40_CBC_MD5, SSL3_TXT_KRB5_DES_40_CBC_MD5,
@ -850,8 +891,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
56, 56,
}, },
# endif
/* Cipher 2A */ /* Cipher 2A */
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_KRB5_RC2_40_CBC_MD5, SSL3_TXT_KRB5_RC2_40_CBC_MD5,
@ -866,8 +909,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
128, 128,
}, },
# endif
/* Cipher 2B */ /* Cipher 2B */
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
SSL3_TXT_KRB5_RC4_40_MD5, SSL3_TXT_KRB5_RC4_40_MD5,
@ -882,6 +927,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
40, 40,
128, 128,
}, },
# endif
#endif /* OPENSSL_NO_KRB5 */ #endif /* OPENSSL_NO_KRB5 */
/* New AES ciphersuites */ /* New AES ciphersuites */
@ -1305,6 +1351,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
# endif # endif
/* Cipher 62 */ /* Cipher 62 */
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA, TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
@ -1319,8 +1366,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56, 56,
56, 56,
}, },
# endif
/* Cipher 63 */ /* Cipher 63 */
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
@ -1335,8 +1384,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56, 56,
56, 56,
}, },
# endif
/* Cipher 64 */ /* Cipher 64 */
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA, TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
@ -1351,8 +1402,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56, 56,
128, 128,
}, },
# endif
/* Cipher 65 */ /* Cipher 65 */
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
{ {
1, 1,
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
@ -1367,6 +1420,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
56, 56,
128, 128,
}, },
# endif
/* Cipher 66 */ /* Cipher 66 */
{ {

View File

@ -1896,6 +1896,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
*/ */
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
/*
* Disable SSLv2 by default, callers that want to enable SSLv2 will have to
* explicitly clear this option via either of SSL_CTX_clear_options() or
* SSL_clear_options().
*/
ret->options |= SSL_OP_NO_SSLv2;
return (ret); return (ret);
err: err:
SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE); SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
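Review bot: The new comment above `ret->options |= SSL_OP_NO_SSLv2;` says how to re-enable SSLv2 but not which callers are affected. The CHANGES entry describes this as applying to negotiation through the version-flexible SSLv23_method(); stating that in the comment would help, since the assignment sits directly before `return (ret);` and so is applied to every context regardless of the method passed to SSL_CTX_new().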

View File

@ -281,6 +281,7 @@ $cflags.=" -DOPENSSL_NO_HW" if $no_hw;
$cflags.=" -DOPENSSL_FIPS" if $fips; $cflags.=" -DOPENSSL_FIPS" if $fips;
$cflags.=" -DOPENSSL_NO_JPAKE" if $no_jpake; $cflags.=" -DOPENSSL_NO_JPAKE" if $no_jpake;
$cflags.=" -DOPENSSL_NO_EC2M" if $no_ec2m; $cflags.=" -DOPENSSL_NO_EC2M" if $no_ec2m;
$cflags.=" -DOPENSSL_NO_WEAK_SSL_CIPHERS" if $no_weak_ssl;
$cflags.= " -DZLIB" if $zlib_opt; $cflags.= " -DZLIB" if $zlib_opt;
$cflags.= " -DZLIB_SHARED" if $zlib_opt == 2; $cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
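Review bot: `-DOPENSSL_NO_WEAK_SSL_CIPHERS` is appended to $cflags only when $no_weak_ssl is true, and the only thing in the visible hunks that sets it is an explicit "no-weak-ssl-ciphers" option. Because the cipher table guards are `#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS`, a build through this script that omits the option would still compile the EXPORT and LOW entries in, which is the opposite of the default described in CHANGES. Please confirm the option is passed by default on this path and that $no_weak_ssl is declared alongside the other $no_* variables.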
@ -459,7 +460,7 @@ EX_LIBS=$ex_libs
# The OpenSSL directory # The OpenSSL directory
SRC_D=$src_dir SRC_D=$src_dir
LINK=$link LINK_CMD=$link
LFLAGS=$lflags LFLAGS=$lflags
RSC=$rsc RSC=$rsc
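Review bot: Renaming the generated makefile variable from LINK to LINK_CMD is only safe if every rule that expands $(LINK) is renamed in the same change, and none of those rules appear in this hunk. A leftover $(LINK) would no longer pick up $link, so please check the platform files that emit link rules before merging.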
@ -1122,6 +1123,7 @@ sub read_options
"no-ec2m" => \$no_ec2m, "no-ec2m" => \$no_ec2m,
"no-jpake" => \$no_jpake, "no-jpake" => \$no_jpake,
"no-ec_nistp_64_gcc_128" => 0, "no-ec_nistp_64_gcc_128" => 0,
"no-weak-ssl-ciphers" => \$no_weak_ssl,
"no-err" => \$no_err, "no-err" => \$no_err,
"no-sock" => \$no_sock, "no-sock" => \$no_sock,
"no-krb5" => \$no_krb5, "no-krb5" => \$no_krb5,

View File

@ -1,5 +1,5 @@
# $NetBSD: shlib_version,v 1.10 2015/01/13 09:14:57 spz Exp $ # $NetBSD: shlib_version,v 1.11 2016/03/02 01:52:36 christos Exp $
# Remember to update distrib/sets/lists/base/shl.* when changing # Remember to update distrib/sets/lists/base/shl.* when changing
# #
major=8 major=11
minor=4 minor=0
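Review bot: The major number goes from 8 straight to 11, and the file's own comment says to update distrib/sets/lists/base/shl.* when it changes. Those set lists are not among the hunks shown here; please confirm they carry the new 11.0 version, otherwise the sets will name a library version that is no longer built.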

View File

@ -1,5 +1,5 @@
# $NetBSD: shlib_version,v 1.1 2012/07/10 18:59:22 christos Exp $ # $NetBSD: shlib_version,v 1.2 2016/03/02 01:52:36 christos Exp $
# Remember to update distrib/sets/lists/base/shl.* when changing # Remember to update distrib/sets/lists/base/shl.* when changing
# #
major=7 major=11
minor=0 minor=0

View File

@ -1,9 +1,9 @@
# $NetBSD: shlib_version,v 1.2 2014/01/11 18:34:37 christos Exp $ # $NetBSD: shlib_version,v 1.3 2016/03/02 01:52:36 christos Exp $
# Remember to update distrib/sets/lists/base/shl.* when changing # Remember to update distrib/sets/lists/base/shl.* when changing
# #
# This library is currently only a symbolic link to libcrypto, so # This library is currently only a symbolic link to libcrypto, so
# make sure you update the version numbers here whenever you # make sure you update the version numbers here whenever you
# change them there. # change them there.
# #
major=8 major=11
minor=2 minor=0
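Review bot: The comment in this file ties its version numbers to libcrypto's, and the hunk sets major=11, minor=0. File names are not shown in this view, so please confirm that libcrypto's shlib_version in this commit is also 11.0.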

View File

@ -1,5 +1,5 @@
# $NetBSD: shlib_version,v 1.11 2015/01/13 09:14:58 spz Exp $ # $NetBSD: shlib_version,v 1.12 2016/03/02 01:52:36 christos Exp $
# Remember to update distrib/sets/lists/base/shl.* when changing # Remember to update distrib/sets/lists/base/shl.* when changing
# #
major=10 major=11
minor=5 minor=0