merge conflicts, bump libraries to 11 for consistency.
This commit is contained in:
parent
603f28d89d
commit
338c254400
134
crypto/external/bsd/openssl/dist/CHANGES
vendored
134
crypto/external/bsd/openssl/dist/CHANGES
vendored
@ -2,6 +2,138 @@
|
||||
OpenSSL CHANGES
|
||||
_______________
|
||||
|
||||
Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
|
||||
|
||||
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
|
||||
Builds that are not configured with "enable-weak-ssl-ciphers" will not
|
||||
provide any "EXPORT" or "LOW" strength ciphers.
|
||||
[Viktor Dukhovni]
|
||||
|
||||
* Disable SSLv2 default build, default negotiation and weak ciphers. SSLv2
|
||||
is by default disabled at build-time. Builds that are not configured with
|
||||
"enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used,
|
||||
users who want to negotiate SSLv2 via the version-flexible SSLv23_method()
|
||||
will need to explicitly call either of:
|
||||
|
||||
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
|
||||
or
|
||||
SSL_clear_options(ssl, SSL_OP_NO_SSLv2);
|
||||
|
||||
as appropriate. Even if either of those is used, or the application
|
||||
explicitly uses the version-specific SSLv2_method() or its client and
|
||||
server variants, SSLv2 ciphers vulnerable to exhaustive search key
|
||||
recovery have been removed. Specifically, the SSLv2 40-bit EXPORT
|
||||
ciphers, and SSLv2 56-bit DES are no longer available.
|
||||
(CVE-2016-0800)
|
||||
[Viktor Dukhovni]
|
||||
|
||||
*) Fix a double-free in DSA code
|
||||
|
||||
A double free bug was discovered when OpenSSL parses malformed DSA private
|
||||
keys and could lead to a DoS attack or memory corruption for applications
|
||||
that receive DSA private keys from untrusted sources. This scenario is
|
||||
considered rare.
|
||||
|
||||
This issue was reported to OpenSSL by Adam Langley(Google/BoringSSL) using
|
||||
libFuzzer.
|
||||
(CVE-2016-0705)
|
||||
[Stephen Henson]
|
||||
|
||||
*) Disable SRP fake user seed to address a server memory leak.
|
||||
|
||||
Add a new method SRP_VBASE_get1_by_user that handles the seed properly.
|
||||
|
||||
SRP_VBASE_get_by_user had inconsistent memory management behaviour.
|
||||
In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
|
||||
was changed to ignore the "fake user" SRP seed, even if the seed
|
||||
is configured.
|
||||
|
||||
Users should use SRP_VBASE_get1_by_user instead. Note that in
|
||||
SRP_VBASE_get1_by_user, caller must free the returned value. Note
|
||||
also that even though configuring the SRP seed attempts to hide
|
||||
invalid usernames by continuing the handshake with fake
|
||||
credentials, this behaviour is not constant time and no strong
|
||||
guarantees are made that the handshake is indistinguishable from
|
||||
that of a valid user.
|
||||
(CVE-2016-0798)
|
||||
[Emilia Käsper]
|
||||
|
||||
*) Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
|
||||
|
||||
In the BN_hex2bn function the number of hex digits is calculated using an
|
||||
int value |i|. Later |bn_expand| is called with a value of |i * 4|. For
|
||||
large values of |i| this can result in |bn_expand| not allocating any
|
||||
memory because |i * 4| is negative. This can leave the internal BIGNUM data
|
||||
field as NULL leading to a subsequent NULL ptr deref. For very large values
|
||||
of |i|, the calculation |i * 4| could be a positive value smaller than |i|.
|
||||
In this case memory is allocated to the internal BIGNUM data field, but it
|
||||
is insufficiently sized leading to heap corruption. A similar issue exists
|
||||
in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn
|
||||
is ever called by user applications with very large untrusted hex/dec data.
|
||||
This is anticipated to be a rare occurrence.
|
||||
|
||||
All OpenSSL internal usage of these functions use data that is not expected
|
||||
to be untrusted, e.g. config file data or application command line
|
||||
arguments. If user developed applications generate config file data based
|
||||
on untrusted data then it is possible that this could also lead to security
|
||||
consequences. This is also anticipated to be rare.
|
||||
|
||||
This issue was reported to OpenSSL by Guido Vranken.
|
||||
(CVE-2016-0797)
|
||||
[Matt Caswell]
|
||||
|
||||
*) Fix memory issues in BIO_*printf functions
|
||||
|
||||
The internal |fmtstr| function used in processing a "%s" format string in
|
||||
the BIO_*printf functions could overflow while calculating the length of a
|
||||
string and cause an OOB read when printing very long strings.
|
||||
|
||||
Additionally the internal |doapr_outch| function can attempt to write to an
|
||||
OOB memory location (at an offset from the NULL pointer) in the event of a
|
||||
memory allocation failure. In 1.0.2 and below this could be caused where
|
||||
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
|
||||
could be in processing a very long "%s" format string. Memory leaks can
|
||||
also occur.
|
||||
|
||||
The first issue may mask the second issue dependent on compiler behaviour.
|
||||
These problems could enable attacks where large amounts of untrusted data
|
||||
is passed to the BIO_*printf functions. If applications use these functions
|
||||
in this way then they could be vulnerable. OpenSSL itself uses these
|
||||
functions when printing out human-readable dumps of ASN.1 data. Therefore
|
||||
applications that print this data could be vulnerable if the data is from
|
||||
untrusted sources. OpenSSL command line applications could also be
|
||||
vulnerable where they print out ASN.1 data, or if untrusted data is passed
|
||||
as command line arguments.
|
||||
|
||||
Libssl is not considered directly vulnerable. Additionally certificates etc
|
||||
received via remote connections via libssl are also unlikely to be able to
|
||||
trigger these issues because of message size limits enforced within libssl.
|
||||
|
||||
This issue was reported to OpenSSL Guido Vranken.
|
||||
(CVE-2016-0799)
|
||||
[Matt Caswell]
|
||||
|
||||
*) Side channel attack on modular exponentiation
|
||||
|
||||
A side-channel attack was found which makes use of cache-bank conflicts on
|
||||
the Intel Sandy-Bridge microarchitecture which could lead to the recovery
|
||||
of RSA keys. The ability to exploit this issue is limited as it relies on
|
||||
an attacker who has control of code in a thread running on the same
|
||||
hyper-threaded core as the victim thread which is performing decryptions.
|
||||
|
||||
This issue was reported to OpenSSL by Yuval Yarom, The University of
|
||||
Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and
|
||||
Nadia Heninger, University of Pennsylvania with more information at
|
||||
http://cachebleed.info.
|
||||
(CVE-2016-0702)
|
||||
[Andy Polyakov]
|
||||
|
||||
*) Change the req app to generate a 2048-bit RSA/DSA key by default,
|
||||
if no keysize is specified with default_bits. This fixes an
|
||||
omission in an earlier change that changed all RSA/DSA key generation
|
||||
apps to use 2048 bits by default.
|
||||
[Emilia Käsper]
|
||||
|
||||
Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
|
||||
|
||||
*) Protection for DH small subgroup attacks
|
||||
@ -62,7 +194,7 @@
|
||||
[Emilia Käsper]
|
||||
|
||||
*) In DSA_generate_parameters_ex, if the provided seed is too short,
|
||||
return an error
|
||||
use a random seed, as already documented.
|
||||
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
|
||||
|
||||
Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
|
||||
|
8
crypto/external/bsd/openssl/dist/Configure
vendored
8
crypto/external/bsd/openssl/dist/Configure
vendored
@ -58,6 +58,10 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
|
||||
# library and will be loaded in run-time by the OpenSSL library.
|
||||
# sctp include SCTP support
|
||||
# 386 generate 80386 code
|
||||
# enable-weak-ssl-ciphers
|
||||
# Enable EXPORT and LOW SSLv3 ciphers that are disabled by
|
||||
# default. Note, weak SSLv2 ciphers are unconditionally
|
||||
# disabled.
|
||||
# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2
|
||||
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
|
||||
# -<xxx> +<xxx> compiler options are passed through
|
||||
@ -724,10 +728,12 @@ my %disabled = ( # "what" => "comment" [or special keyword "experimental
|
||||
"md2" => "default",
|
||||
"rc5" => "default",
|
||||
"rfc3779" => "default",
|
||||
"sctp" => "default",
|
||||
"sctp" => "default",
|
||||
"shared" => "default",
|
||||
"ssl2" => "default",
|
||||
"store" => "experimental",
|
||||
"unit-test" => "default",
|
||||
"weak-ssl-ciphers" => "default",
|
||||
"zlib" => "default",
|
||||
"zlib-dynamic" => "default"
|
||||
);
|
||||
|
6
crypto/external/bsd/openssl/dist/Makefile
vendored
6
crypto/external/bsd/openssl/dist/Makefile
vendored
@ -4,7 +4,7 @@
|
||||
## Makefile for OpenSSL
|
||||
##
|
||||
|
||||
VERSION=1.0.1r
|
||||
VERSION=1.0.1s
|
||||
MAJOR=1
|
||||
MINOR=0.1
|
||||
SHLIB_VERSION_NUMBER=1.0.0
|
||||
@ -13,7 +13,7 @@ SHLIB_MAJOR=1
|
||||
SHLIB_MINOR=0.0
|
||||
SHLIB_EXT=
|
||||
PLATFORM=dist
|
||||
OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-store no-unit-test no-zlib no-zlib-dynamic static-engine
|
||||
OPTIONS= no-ec_nistp_64_gcc_128 no-gmp no-jpake no-krb5 no-md2 no-rc5 no-rfc3779 no-sctp no-shared no-ssl2 no-store no-unit-test no-weak-ssl-ciphers no-zlib no-zlib-dynamic static-engine
|
||||
CONFIGURE_ARGS=dist
|
||||
SHLIB_TARGET=
|
||||
|
||||
@ -61,7 +61,7 @@ OPENSSLDIR=/usr/local/ssl
|
||||
|
||||
CC= cc
|
||||
CFLAG= -O
|
||||
DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST
|
||||
DEPFLAG= -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST -DOPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
PEX_LIBS=
|
||||
EX_LIBS=
|
||||
EXE_EXT=
|
||||
|
13
crypto/external/bsd/openssl/dist/NEWS
vendored
13
crypto/external/bsd/openssl/dist/NEWS
vendored
@ -5,6 +5,19 @@
|
||||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016]
|
||||
|
||||
o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
|
||||
o Disable SSLv2 default build, default negotiation and weak ciphers
|
||||
(CVE-2016-0800)
|
||||
o Fix a double-free in DSA code (CVE-2016-0705)
|
||||
o Disable SRP fake user seed to address a server memory leak
|
||||
(CVE-2016-0798)
|
||||
o Fix BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
|
||||
(CVE-2016-0797)
|
||||
o Fix memory issues in BIO_*printf functions (CVE-2016-0799)
|
||||
o Fix side channel attack on modular exponentiation (CVE-2016-0702)
|
||||
|
||||
Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016]
|
||||
|
||||
o Protection for DH small subgroup attacks
|
||||
|
2
crypto/external/bsd/openssl/dist/README
vendored
2
crypto/external/bsd/openssl/dist/README
vendored
@ -1,5 +1,5 @@
|
||||
|
||||
OpenSSL 1.0.1r 28 Jan 2016
|
||||
OpenSSL 1.0.1s 1 Mar 2016
|
||||
|
||||
Copyright (c) 1998-2015 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
|
39
crypto/external/bsd/openssl/dist/apps/s_server.c
vendored
39
crypto/external/bsd/openssl/dist/apps/s_server.c
vendored
@ -416,6 +416,8 @@ typedef struct srpsrvparm_st {
|
||||
static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
|
||||
{
|
||||
srpsrvparm *p = (srpsrvparm *) arg;
|
||||
int ret = SSL3_AL_FATAL;
|
||||
|
||||
if (p->login == NULL && p->user == NULL) {
|
||||
p->login = SSL_get_srp_username(s);
|
||||
BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
|
||||
@ -424,21 +426,25 @@ static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
|
||||
|
||||
if (p->user == NULL) {
|
||||
BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
|
||||
return SSL3_AL_FATAL;
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (SSL_set_srp_server_param
|
||||
(s, p->user->N, p->user->g, p->user->s, p->user->v,
|
||||
p->user->info) < 0) {
|
||||
*ad = SSL_AD_INTERNAL_ERROR;
|
||||
return SSL3_AL_FATAL;
|
||||
goto err;
|
||||
}
|
||||
BIO_printf(bio_err,
|
||||
"SRP parameters set: username = \"%s\" info=\"%s\" \n",
|
||||
p->login, p->user->info);
|
||||
/* need to check whether there are memory leaks */
|
||||
ret = SSL_ERROR_NONE;
|
||||
|
||||
err:
|
||||
SRP_user_pwd_free(p->user);
|
||||
p->user = NULL;
|
||||
p->login = NULL;
|
||||
return SSL_ERROR_NONE;
|
||||
return ret;
|
||||
}
|
||||
|
||||
#endif
|
||||
@ -2249,9 +2255,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {
|
||||
BIO_printf(bio_s_out, "LOOKUP renego during write\n");
|
||||
SRP_user_pwd_free(srp_callback_parm.user);
|
||||
srp_callback_parm.user =
|
||||
SRP_VBASE_get_by_user(srp_callback_parm.vb,
|
||||
srp_callback_parm.login);
|
||||
SRP_VBASE_get1_by_user(srp_callback_parm.vb,
|
||||
srp_callback_parm.login);
|
||||
if (srp_callback_parm.user)
|
||||
BIO_printf(bio_s_out, "LOOKUP done %s\n",
|
||||
srp_callback_parm.user->info);
|
||||
@ -2305,9 +2312,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)
|
||||
#ifndef OPENSSL_NO_SRP
|
||||
while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
|
||||
BIO_printf(bio_s_out, "LOOKUP renego during read\n");
|
||||
SRP_user_pwd_free(srp_callback_parm.user);
|
||||
srp_callback_parm.user =
|
||||
SRP_VBASE_get_by_user(srp_callback_parm.vb,
|
||||
srp_callback_parm.login);
|
||||
SRP_VBASE_get1_by_user(srp_callback_parm.vb,
|
||||
srp_callback_parm.login);
|
||||
if (srp_callback_parm.user)
|
||||
BIO_printf(bio_s_out, "LOOKUP done %s\n",
|
||||
srp_callback_parm.user->info);
|
||||
@ -2392,9 +2400,10 @@ static int init_ssl_connection(SSL *con)
|
||||
while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
|
||||
BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
|
||||
srp_callback_parm.login);
|
||||
SRP_user_pwd_free(srp_callback_parm.user);
|
||||
srp_callback_parm.user =
|
||||
SRP_VBASE_get_by_user(srp_callback_parm.vb,
|
||||
srp_callback_parm.login);
|
||||
SRP_VBASE_get1_by_user(srp_callback_parm.vb,
|
||||
srp_callback_parm.login);
|
||||
if (srp_callback_parm.user)
|
||||
BIO_printf(bio_s_out, "LOOKUP done %s\n",
|
||||
srp_callback_parm.user->info);
|
||||
@ -2621,9 +2630,10 @@ static int www_body(char *hostname, int s, unsigned char *context)
|
||||
&& SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
|
||||
BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
|
||||
srp_callback_parm.login);
|
||||
SRP_user_pwd_free(srp_callback_parm.user);
|
||||
srp_callback_parm.user =
|
||||
SRP_VBASE_get_by_user(srp_callback_parm.vb,
|
||||
srp_callback_parm.login);
|
||||
SRP_VBASE_get1_by_user(srp_callback_parm.vb,
|
||||
srp_callback_parm.login);
|
||||
if (srp_callback_parm.user)
|
||||
BIO_printf(bio_s_out, "LOOKUP done %s\n",
|
||||
srp_callback_parm.user->info);
|
||||
@ -2663,9 +2673,10 @@ static int www_body(char *hostname, int s, unsigned char *context)
|
||||
if (BIO_should_io_special(io)
|
||||
&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
|
||||
BIO_printf(bio_s_out, "LOOKUP renego during read\n");
|
||||
SRP_user_pwd_free(srp_callback_parm.user);
|
||||
srp_callback_parm.user =
|
||||
SRP_VBASE_get_by_user(srp_callback_parm.vb,
|
||||
srp_callback_parm.login);
|
||||
SRP_VBASE_get1_by_user(srp_callback_parm.vb,
|
||||
srp_callback_parm.login);
|
||||
if (srp_callback_parm.user)
|
||||
BIO_printf(bio_s_out, "LOOKUP done %s\n",
|
||||
srp_callback_parm.user->info);
|
||||
|
14
crypto/external/bsd/openssl/dist/crypto/bn/bn.h
vendored
14
crypto/external/bsd/openssl/dist/crypto/bn/bn.h
vendored
@ -125,6 +125,7 @@
|
||||
#ifndef HEADER_BN_H
|
||||
# define HEADER_BN_H
|
||||
|
||||
# include <limits.h>
|
||||
# include <openssl/e_os2.h>
|
||||
# ifndef OPENSSL_NO_FP_API
|
||||
# include <stdio.h> /* FILE */
|
||||
@ -739,8 +740,17 @@ const BIGNUM *BN_get0_nist_prime_521(void);
|
||||
|
||||
/* library internal functions */
|
||||
|
||||
# define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
|
||||
(a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
|
||||
# define bn_expand(a,bits) \
|
||||
( \
|
||||
bits > (INT_MAX - BN_BITS2 + 1) ? \
|
||||
NULL \
|
||||
: \
|
||||
(((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax) ? \
|
||||
(a) \
|
||||
: \
|
||||
bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2) \
|
||||
)
|
||||
|
||||
# define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
|
||||
BIGNUM *bn_expand2(BIGNUM *a, int words);
|
||||
# ifndef OPENSSL_NO_DEPRECATED
|
||||
|
@ -110,6 +110,7 @@
|
||||
*/
|
||||
|
||||
#include "cryptlib.h"
|
||||
#include "constant_time_locl.h"
|
||||
#include "bn_lcl.h"
|
||||
|
||||
#include <stdlib.h>
|
||||
@ -550,15 +551,17 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
|
||||
static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top,
|
||||
unsigned char *buf, int idx,
|
||||
int width)
|
||||
int window)
|
||||
{
|
||||
size_t i, j;
|
||||
int i, j;
|
||||
int width = 1 << window;
|
||||
BN_ULONG *table = (BN_ULONG *)buf;
|
||||
|
||||
if (top > b->top)
|
||||
top = b->top; /* this works because 'buf' is explicitly
|
||||
* zeroed */
|
||||
for (i = 0, j = idx; i < top * sizeof b->d[0]; i++, j += width) {
|
||||
buf[j] = ((unsigned char *)b->d)[i];
|
||||
for (i = 0, j = idx; i < top; i++, j += width) {
|
||||
table[j] = b->d[i];
|
||||
}
|
||||
|
||||
return 1;
|
||||
@ -566,15 +569,51 @@ static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top,
|
||||
|
||||
static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
|
||||
unsigned char *buf, int idx,
|
||||
int width)
|
||||
int window)
|
||||
{
|
||||
size_t i, j;
|
||||
int i, j;
|
||||
int width = 1 << window;
|
||||
volatile BN_ULONG *table = (volatile BN_ULONG *)buf;
|
||||
|
||||
if (bn_wexpand(b, top) == NULL)
|
||||
return 0;
|
||||
|
||||
for (i = 0, j = idx; i < top * sizeof b->d[0]; i++, j += width) {
|
||||
((unsigned char *)b->d)[i] = buf[j];
|
||||
if (window <= 3) {
|
||||
for (i = 0; i < top; i++, table += width) {
|
||||
BN_ULONG acc = 0;
|
||||
|
||||
for (j = 0; j < width; j++) {
|
||||
acc |= table[j] &
|
||||
((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
|
||||
}
|
||||
|
||||
b->d[i] = acc;
|
||||
}
|
||||
} else {
|
||||
int xstride = 1 << (window - 2);
|
||||
BN_ULONG y0, y1, y2, y3;
|
||||
|
||||
i = idx >> (window - 2); /* equivalent of idx / xstride */
|
||||
idx &= xstride - 1; /* equivalent of idx % xstride */
|
||||
|
||||
y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1);
|
||||
y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1);
|
||||
y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1);
|
||||
y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1);
|
||||
|
||||
for (i = 0; i < top; i++, table += width) {
|
||||
BN_ULONG acc = 0;
|
||||
|
||||
for (j = 0; j < xstride; j++) {
|
||||
acc |= ( (table[j + 0 * xstride] & y0) |
|
||||
(table[j + 1 * xstride] & y1) |
|
||||
(table[j + 2 * xstride] & y2) |
|
||||
(table[j + 3 * xstride] & y3) )
|
||||
& ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
|
||||
}
|
||||
|
||||
b->d[i] = acc;
|
||||
}
|
||||
}
|
||||
|
||||
b->top = top;
|
||||
@ -804,9 +843,9 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, numPowers))
|
||||
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, window))
|
||||
goto err;
|
||||
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, numPowers))
|
||||
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, window))
|
||||
goto err;
|
||||
|
||||
/*
|
||||
@ -818,15 +857,15 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
if (window > 1) {
|
||||
if (!BN_mod_mul_montgomery(&tmp, &am, &am, mont, ctx))
|
||||
goto err;
|
||||
if (!MOD_EXP_CTIME_COPY_TO_PREBUF
|
||||
(&tmp, top, powerbuf, 2, numPowers))
|
||||
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2,
|
||||
window))
|
||||
goto err;
|
||||
for (i = 3; i < numPowers; i++) {
|
||||
/* Calculate a^i = a^(i-1) * a */
|
||||
if (!BN_mod_mul_montgomery(&tmp, &am, &tmp, mont, ctx))
|
||||
goto err;
|
||||
if (!MOD_EXP_CTIME_COPY_TO_PREBUF
|
||||
(&tmp, top, powerbuf, i, numPowers))
|
||||
if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i,
|
||||
window))
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
@ -834,8 +873,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
bits--;
|
||||
for (wvalue = 0, i = bits % window; i >= 0; i--, bits--)
|
||||
wvalue = (wvalue << 1) + BN_is_bit_set(p, bits);
|
||||
if (!MOD_EXP_CTIME_COPY_FROM_PREBUF
|
||||
(&tmp, top, powerbuf, wvalue, numPowers))
|
||||
if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp, top, powerbuf, wvalue,
|
||||
window))
|
||||
goto err;
|
||||
|
||||
/*
|
||||
@ -855,8 +894,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
|
||||
/*
|
||||
* Fetch the appropriate pre-computed value from the pre-buf
|
||||
*/
|
||||
if (!MOD_EXP_CTIME_COPY_FROM_PREBUF
|
||||
(&am, top, powerbuf, wvalue, numPowers))
|
||||
if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am, top, powerbuf, wvalue,
|
||||
window))
|
||||
goto err;
|
||||
|
||||
/* Multiply the result into the intermediate result */
|
||||
|
@ -191,6 +191,8 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
|
||||
STACK_OF(ASN1_TYPE) *ndsa = NULL;
|
||||
DSA *dsa = NULL;
|
||||
|
||||
int ret = 0;
|
||||
|
||||
if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
|
||||
return 0;
|
||||
X509_ALGOR_get0(NULL, &ptype, &pval, palg);
|
||||
@ -262,23 +264,21 @@ static int dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8)
|
||||
}
|
||||
|
||||
EVP_PKEY_assign_DSA(pkey, dsa);
|
||||
|
||||
ret = 1;
|
||||
goto done;
|
||||
|
||||
decerr:
|
||||
DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
|
||||
dsaerr:
|
||||
DSA_free(dsa);
|
||||
done:
|
||||
BN_CTX_free(ctx);
|
||||
if (ndsa)
|
||||
sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
|
||||
else
|
||||
ASN1_STRING_clear_free(privkey);
|
||||
|
||||
return 1;
|
||||
|
||||
decerr:
|
||||
DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
|
||||
dsaerr:
|
||||
BN_CTX_free(ctx);
|
||||
if (privkey)
|
||||
ASN1_STRING_clear_free(privkey);
|
||||
sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
|
||||
DSA_free(dsa);
|
||||
return 0;
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
|
||||
|
@ -30,6 +30,12 @@ extern "C" {
|
||||
#ifndef OPENSSL_NO_RFC3779
|
||||
# define OPENSSL_NO_RFC3779
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
# define OPENSSL_NO_SCTP
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SSL2
|
||||
# define OPENSSL_NO_SSL2
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_STORE
|
||||
# define OPENSSL_NO_STORE
|
||||
#endif
|
||||
@ -40,9 +46,15 @@ extern "C" {
|
||||
#ifndef OPENSSL_NO_SCTP
|
||||
# define OPENSSL_NO_SCTP
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_SSL2
|
||||
# define OPENSSL_NO_SSL2
|
||||
#endif
|
||||
#endif /* __NetBSD__ */
|
||||
|
||||
#define OPENSSL_CPUID_OBJ
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
# define OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
#endif
|
||||
|
||||
#endif /* OPENSSL_DOING_MAKEDEPEND */
|
||||
|
||||
@ -82,12 +94,18 @@ extern "C" {
|
||||
# if defined(OPENSSL_NO_SCTP) && !defined(NO_SCTP)
|
||||
# define NO_SCTP
|
||||
# endif
|
||||
# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
|
||||
# define NO_SSL2
|
||||
# endif
|
||||
# if defined(OPENSSL_NO_STORE) && !defined(NO_STORE)
|
||||
# define NO_STORE
|
||||
# endif
|
||||
# if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST)
|
||||
# define NO_UNIT_TEST
|
||||
# endif
|
||||
# if defined(OPENSSL_NO_WEAK_SSL_CIPHERS) && !defined(NO_WEAK_SSL_CIPHERS)
|
||||
# define NO_WEAK_SSL_CIPHERS
|
||||
# endif
|
||||
#endif
|
||||
|
||||
/* crypto/opensslconf.h.in */
|
||||
|
@ -30,11 +30,11 @@ extern "C" {
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
# define OPENSSL_VERSION_NUMBER 0x1000112fL
|
||||
# define OPENSSL_VERSION_NUMBER 0x1000113fL
|
||||
# ifdef OPENSSL_FIPS
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1r-fips 28 Jan 2016"
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1s-fips 1 Mar 2016"
|
||||
# else
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1r 28 Jan 2016"
|
||||
# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1s 1 Mar 2016"
|
||||
# endif
|
||||
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
|
||||
|
||||
|
@ -84,7 +84,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
if (rsa->meth->rsa_sign) {
|
||||
if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) {
|
||||
return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa);
|
||||
}
|
||||
/* Special case: SSL signature, just check the length */
|
||||
@ -304,7 +304,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
|
||||
const unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
|
||||
{
|
||||
|
||||
if (rsa->meth->rsa_verify) {
|
||||
if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) {
|
||||
return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa);
|
||||
}
|
||||
|
||||
|
@ -211,8 +211,10 @@ int main(int argc, char *argv[])
|
||||
cache_stats = 1;
|
||||
else if (strcmp(*argv, "-ssl3") == 0)
|
||||
ssl_method = SSLv3_method();
|
||||
#ifndef OPENSSL_NO_SSL2
|
||||
else if (strcmp(*argv, "-ssl2") == 0)
|
||||
ssl_method = SSLv2_method();
|
||||
#endif
|
||||
else if (strcmp(*argv, "-CApath") == 0) {
|
||||
if (--argc < 1)
|
||||
goto bad;
|
||||
|
@ -7,7 +7,7 @@ Release: 1
|
||||
Summary: Secure Sockets Layer and cryptography libraries and tools
|
||||
Name: openssl
|
||||
#Version: %{libmaj}.%{libmin}.%{librel}
|
||||
Version: 1.0.1r
|
||||
Version: 1.0.1s
|
||||
Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
|
||||
License: OpenSSL
|
||||
Group: System Environment/Libraries
|
||||
|
67
crypto/external/bsd/openssl/dist/ssl/Makefile
vendored
67
crypto/external/bsd/openssl/dist/ssl/Makefile
vendored
@ -420,14 +420,14 @@ s2_clnt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
|
||||
s2_clnt.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
|
||||
s2_clnt.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
|
||||
s2_clnt.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
|
||||
s2_clnt.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
|
||||
s2_clnt.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
|
||||
s2_clnt.o: ../include/openssl/sha.h ../include/openssl/srtp.h
|
||||
s2_clnt.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
|
||||
s2_clnt.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
|
||||
s2_clnt.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
|
||||
s2_clnt.o: ../include/openssl/tls1.h ../include/openssl/x509.h
|
||||
s2_clnt.o: ../include/openssl/x509_vfy.h s2_clnt.c ssl_locl.h
|
||||
s2_clnt.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
|
||||
s2_clnt.o: ../include/openssl/safestack.h ../include/openssl/sha.h
|
||||
s2_clnt.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
|
||||
s2_clnt.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
|
||||
s2_clnt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
|
||||
s2_clnt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
|
||||
s2_clnt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_clnt.c
|
||||
s2_clnt.o: ssl_locl.h
|
||||
s2_enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
|
||||
s2_enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
|
||||
s2_enc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
|
||||
@ -456,18 +456,18 @@ s2_lib.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
|
||||
s2_lib.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
|
||||
s2_lib.o: ../include/openssl/evp.h ../include/openssl/hmac.h
|
||||
s2_lib.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
|
||||
s2_lib.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
|
||||
s2_lib.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
|
||||
s2_lib.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
|
||||
s2_lib.o: ../include/openssl/pem.h ../include/openssl/pem2.h
|
||||
s2_lib.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
|
||||
s2_lib.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
|
||||
s2_lib.o: ../include/openssl/sha.h ../include/openssl/srtp.h
|
||||
s2_lib.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
|
||||
s2_lib.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
|
||||
s2_lib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
|
||||
s2_lib.o: ../include/openssl/tls1.h ../include/openssl/x509.h
|
||||
s2_lib.o: ../include/openssl/x509_vfy.h s2_lib.c ssl_locl.h
|
||||
s2_lib.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
|
||||
s2_lib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
|
||||
s2_lib.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
|
||||
s2_lib.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
|
||||
s2_lib.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
|
||||
s2_lib.o: ../include/openssl/safestack.h ../include/openssl/sha.h
|
||||
s2_lib.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
|
||||
s2_lib.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
|
||||
s2_lib.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
|
||||
s2_lib.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
|
||||
s2_lib.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_lib.c
|
||||
s2_lib.o: ssl_locl.h
|
||||
s2_meth.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
|
||||
s2_meth.o: ../include/openssl/buffer.h ../include/openssl/comp.h
|
||||
s2_meth.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
|
||||
@ -508,20 +508,19 @@ s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
|
||||
s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
|
||||
s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c
|
||||
s2_pkt.o: ssl_locl.h
|
||||
s2_srvr.o: ../crypto/constant_time_locl.h ../e_os.h ../include/openssl/asn1.h
|
||||
s2_srvr.o: ../include/openssl/bio.h ../include/openssl/buffer.h
|
||||
s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h
|
||||
s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
|
||||
s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
|
||||
s2_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
|
||||
s2_srvr.o: ../include/openssl/err.h ../include/openssl/evp.h
|
||||
s2_srvr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
|
||||
s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
|
||||
s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
|
||||
s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
|
||||
s2_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
|
||||
s2_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
|
||||
s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h
|
||||
s2_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
|
||||
s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h
|
||||
s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/dsa.h
|
||||
s2_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
|
||||
s2_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
|
||||
s2_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h
|
||||
s2_srvr.o: ../include/openssl/evp.h ../include/openssl/hmac.h
|
||||
s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
|
||||
s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
|
||||
s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
|
||||
s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
|
||||
s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
|
||||
s2_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
|
||||
s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
|
||||
s2_srvr.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
|
||||
s2_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
|
||||
|
@ -156,6 +156,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
|
||||
128,
|
||||
},
|
||||
|
||||
# if 0
|
||||
/* RC4_128_EXPORT40_WITH_MD5 */
|
||||
{
|
||||
1,
|
||||
@ -171,6 +172,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
|
||||
40,
|
||||
128,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* RC2_128_CBC_WITH_MD5 */
|
||||
{
|
||||
@ -188,6 +190,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
|
||||
128,
|
||||
},
|
||||
|
||||
# if 0
|
||||
/* RC2_128_CBC_EXPORT40_WITH_MD5 */
|
||||
{
|
||||
1,
|
||||
@ -203,6 +206,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
|
||||
40,
|
||||
128,
|
||||
},
|
||||
# endif
|
||||
|
||||
# ifndef OPENSSL_NO_IDEA
|
||||
/* IDEA_128_CBC_WITH_MD5 */
|
||||
@ -222,6 +226,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
|
||||
},
|
||||
# endif
|
||||
|
||||
# if 0
|
||||
/* DES_64_CBC_WITH_MD5 */
|
||||
{
|
||||
1,
|
||||
@ -237,6 +242,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
|
||||
56,
|
||||
56,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* DES_192_EDE3_CBC_WITH_MD5 */
|
||||
{
|
||||
|
54
crypto/external/bsd/openssl/dist/ssl/s3_lib.c
vendored
54
crypto/external/bsd/openssl/dist/ssl/s3_lib.c
vendored
@ -203,6 +203,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
},
|
||||
|
||||
/* Cipher 03 */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_RSA_RC4_40_MD5,
|
||||
@ -217,6 +218,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
128,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 04 */
|
||||
{
|
||||
@ -251,6 +253,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
},
|
||||
|
||||
/* Cipher 06 */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_RSA_RC2_40_MD5,
|
||||
@ -265,6 +268,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
128,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 07 */
|
||||
#ifndef OPENSSL_NO_IDEA
|
||||
@ -285,6 +289,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
#endif
|
||||
|
||||
/* Cipher 08 */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_RSA_DES_40_CBC_SHA,
|
||||
@ -299,8 +304,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
56,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 09 */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_RSA_DES_64_CBC_SHA,
|
||||
@ -315,6 +322,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
56,
|
||||
56,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 0A */
|
||||
{
|
||||
@ -334,6 +342,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
|
||||
/* The DH ciphers */
|
||||
/* Cipher 0B */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
0,
|
||||
SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
|
||||
@ -348,8 +357,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
56,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 0C */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
0, /* not implemented (non-ephemeral DH) */
|
||||
SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
|
||||
@ -364,6 +375,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
56,
|
||||
56,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 0D */
|
||||
{
|
||||
@ -382,6 +394,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
},
|
||||
|
||||
/* Cipher 0E */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
0, /* not implemented (non-ephemeral DH) */
|
||||
SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
|
||||
@ -396,8 +409,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
56,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 0F */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
0, /* not implemented (non-ephemeral DH) */
|
||||
SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
|
||||
@ -412,6 +427,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
56,
|
||||
56,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 10 */
|
||||
{
|
||||
@ -431,6 +447,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
|
||||
/* The Ephemeral DH ciphers */
|
||||
/* Cipher 11 */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
|
||||
@ -445,8 +462,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
56,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 12 */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
|
||||
@ -461,6 +480,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
56,
|
||||
56,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 13 */
|
||||
{
|
||||
@ -479,6 +499,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
},
|
||||
|
||||
/* Cipher 14 */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
|
||||
@ -493,8 +514,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
56,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 15 */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
|
||||
@ -509,6 +532,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
56,
|
||||
56,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 16 */
|
||||
{
|
||||
@ -527,6 +551,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
},
|
||||
|
||||
/* Cipher 17 */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_ADH_RC4_40_MD5,
|
||||
@ -541,6 +566,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
128,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 18 */
|
||||
{
|
||||
@ -559,6 +585,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
},
|
||||
|
||||
/* Cipher 19 */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_ADH_DES_40_CBC_SHA,
|
||||
@ -573,8 +600,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
128,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 1A */
|
||||
#ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_ADH_DES_64_CBC_SHA,
|
||||
@ -589,6 +618,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
56,
|
||||
56,
|
||||
},
|
||||
#endif
|
||||
|
||||
/* Cipher 1B */
|
||||
{
|
||||
@ -660,6 +690,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
#ifndef OPENSSL_NO_KRB5
|
||||
/* The Kerberos ciphers*/
|
||||
/* Cipher 1E */
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_KRB5_DES_64_CBC_SHA,
|
||||
@ -674,6 +705,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
56,
|
||||
56,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* Cipher 1F */
|
||||
{
|
||||
@ -724,6 +756,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
},
|
||||
|
||||
/* Cipher 22 */
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_KRB5_DES_64_CBC_MD5,
|
||||
@ -738,6 +771,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
56,
|
||||
56,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* Cipher 23 */
|
||||
{
|
||||
@ -788,6 +822,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
},
|
||||
|
||||
/* Cipher 26 */
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_KRB5_DES_40_CBC_SHA,
|
||||
@ -802,8 +837,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
56,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* Cipher 27 */
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_KRB5_RC2_40_CBC_SHA,
|
||||
@ -818,8 +855,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
128,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* Cipher 28 */
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_KRB5_RC4_40_SHA,
|
||||
@ -834,8 +873,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
128,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* Cipher 29 */
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_KRB5_DES_40_CBC_MD5,
|
||||
@ -850,8 +891,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
56,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* Cipher 2A */
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_KRB5_RC2_40_CBC_MD5,
|
||||
@ -866,8 +909,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
128,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* Cipher 2B */
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
SSL3_TXT_KRB5_RC4_40_MD5,
|
||||
@ -882,6 +927,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
40,
|
||||
128,
|
||||
},
|
||||
# endif
|
||||
#endif /* OPENSSL_NO_KRB5 */
|
||||
|
||||
/* New AES ciphersuites */
|
||||
@ -1305,6 +1351,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
# endif
|
||||
|
||||
/* Cipher 62 */
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
|
||||
@ -1319,8 +1366,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
56,
|
||||
56,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* Cipher 63 */
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
|
||||
@ -1335,8 +1384,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
56,
|
||||
56,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* Cipher 64 */
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
|
||||
@ -1351,8 +1402,10 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
56,
|
||||
128,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* Cipher 65 */
|
||||
# ifndef OPENSSL_NO_WEAK_SSL_CIPHERS
|
||||
{
|
||||
1,
|
||||
TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
|
||||
@ -1367,6 +1420,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
|
||||
56,
|
||||
128,
|
||||
},
|
||||
# endif
|
||||
|
||||
/* Cipher 66 */
|
||||
{
|
||||
|
@ -1896,6 +1896,13 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
|
||||
*/
|
||||
ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
|
||||
|
||||
/*
|
||||
* Disable SSLv2 by default, callers that want to enable SSLv2 will have to
|
||||
* explicitly clear this option via either of SSL_CTX_clear_options() or
|
||||
* SSL_clear_options().
|
||||
*/
|
||||
ret->options |= SSL_OP_NO_SSLv2;
|
||||
|
||||
return (ret);
|
||||
err:
|
||||
SSLerr(SSL_F_SSL_CTX_NEW, ERR_R_MALLOC_FAILURE);
|
||||
|
@ -281,6 +281,7 @@ $cflags.=" -DOPENSSL_NO_HW" if $no_hw;
|
||||
$cflags.=" -DOPENSSL_FIPS" if $fips;
|
||||
$cflags.=" -DOPENSSL_NO_JPAKE" if $no_jpake;
|
||||
$cflags.=" -DOPENSSL_NO_EC2M" if $no_ec2m;
|
||||
$cflags.=" -DOPENSSL_NO_WEAK_SSL_CIPHERS" if $no_weak_ssl;
|
||||
$cflags.= " -DZLIB" if $zlib_opt;
|
||||
$cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
|
||||
|
||||
@ -459,7 +460,7 @@ EX_LIBS=$ex_libs
|
||||
# The OpenSSL directory
|
||||
SRC_D=$src_dir
|
||||
|
||||
LINK=$link
|
||||
LINK_CMD=$link
|
||||
LFLAGS=$lflags
|
||||
RSC=$rsc
|
||||
|
||||
@ -1122,6 +1123,7 @@ sub read_options
|
||||
"no-ec2m" => \$no_ec2m,
|
||||
"no-jpake" => \$no_jpake,
|
||||
"no-ec_nistp_64_gcc_128" => 0,
|
||||
"no-weak-ssl-ciphers" => \$no_weak_ssl,
|
||||
"no-err" => \$no_err,
|
||||
"no-sock" => \$no_sock,
|
||||
"no-krb5" => \$no_krb5,
|
||||
|
@ -1,5 +1,5 @@
|
||||
# $NetBSD: shlib_version,v 1.10 2015/01/13 09:14:57 spz Exp $
|
||||
# $NetBSD: shlib_version,v 1.11 2016/03/02 01:52:36 christos Exp $
|
||||
# Remember to update distrib/sets/lists/base/shl.* when changing
|
||||
#
|
||||
major=8
|
||||
minor=4
|
||||
major=11
|
||||
minor=0
|
||||
|
@ -1,5 +1,5 @@
|
||||
# $NetBSD: shlib_version,v 1.1 2012/07/10 18:59:22 christos Exp $
|
||||
# $NetBSD: shlib_version,v 1.2 2016/03/02 01:52:36 christos Exp $
|
||||
# Remember to update distrib/sets/lists/base/shl.* when changing
|
||||
#
|
||||
major=7
|
||||
major=11
|
||||
minor=0
|
||||
|
@ -1,9 +1,9 @@
|
||||
# $NetBSD: shlib_version,v 1.2 2014/01/11 18:34:37 christos Exp $
|
||||
# $NetBSD: shlib_version,v 1.3 2016/03/02 01:52:36 christos Exp $
|
||||
# Remember to update distrib/sets/lists/base/shl.* when changing
|
||||
#
|
||||
# This library is currently only a symbolic link to libcrypto, so
|
||||
# make sure you update the version numbers here whenever you
|
||||
# change them there.
|
||||
#
|
||||
major=8
|
||||
minor=2
|
||||
major=11
|
||||
minor=0
|
||||
|
@ -1,5 +1,5 @@
|
||||
# $NetBSD: shlib_version,v 1.11 2015/01/13 09:14:58 spz Exp $
|
||||
# $NetBSD: shlib_version,v 1.12 2016/03/02 01:52:36 christos Exp $
|
||||
# Remember to update distrib/sets/lists/base/shl.* when changing
|
||||
#
|
||||
major=10
|
||||
minor=5
|
||||
major=11
|
||||
minor=0
|
||||
|
Loading…
Reference in New Issue
Block a user