Import OpenSSL 1.0.1g.

Approved by:	benl (maintainer)
This commit is contained in:
Jung-uk Kim 2014-04-08 20:15:18 +00:00
parent 2dc7f78169
commit 06369e3974
59 changed files with 419 additions and 107 deletions

29
CHANGES
View File

@ -2,6 +2,35 @@
OpenSSL CHANGES
_______________
Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
*) A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.
Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
[Adam Langley, Bodo Moeller]
*) Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140
Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
[Yuval Yarom and Naomi Benger]
*) TLS pad extension: draft-agl-tls-padding-03
Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
TLS client Hello record length value would otherwise be > 255 and
less that 512 pad with a dummy extension containing zeroes so it
is at least 512 bytes long.
[Adam Langley, Steve Henson]
Changes between 1.0.1e and 1.0.1f [6 Jan 2014]
*) Fix for TLS record tampering bug. A carefully crafted invalid

View File

@ -526,7 +526,7 @@ my %table=(
# 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
"VC-WIN32","cl:-W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
# Unified CE target
"debug-VC-WIN32","cl:-W3 -WX -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
"debug-VC-WIN32","cl:-W3 -Gs0 -GF -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE:::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${x86_asm}:win32n:win32",
"VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
# Borland C++ 4.5

3
FAQ
View File

@ -768,6 +768,9 @@ openssl-security@openssl.org if you don't get a prompt reply at least
acknowledging receipt then resend or mail it directly to one of the
more active team members (e.g. Steve).
Note that bugs only present in the openssl utility are not in general
considered to be security issues.
[PROG] ========================================================================
* Is OpenSSL thread-safe?

View File

@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/VendorImports
# Xlist
setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
setenv FSVN "svn+ssh://svn.freebsd.org/base"
setenv OSSLVER 1.0.1f
# OSSLTAG format: v1_0_1f
setenv OSSLVER 1.0.1g
# OSSLTAG format: v1_0_1g
###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`

View File

@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
VERSION=1.0.1f
VERSION=1.0.1g
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
@ -304,8 +304,8 @@ libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
fi; \
$(MAKE) -e SHLIBDIRS=crypto CC=$${CC:-$(CC)} build-shared; \
touch -c fips_premain_dso$(EXE_EXT); \
$(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared && \
(touch -c fips_premain_dso$(EXE_EXT) || :); \
else \
echo "There's no support for shared libraries on this platform" >&2; \
exit 1; \

View File

@ -302,8 +302,8 @@ libcrypto$(SHLIB_EXT): libcrypto.a fips_premain_dso$(EXE_EXT)
FIPSLD_CC="$(CC)"; CC=$(FIPSDIR)/bin/fipsld; \
export CC FIPSLD_CC FIPSLD_LIBCRYPTO; \
fi; \
$(MAKE) -e SHLIBDIRS=crypto CC=$${CC:-$(CC)} build-shared; \
touch -c fips_premain_dso$(EXE_EXT); \
$(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared && \
(touch -c fips_premain_dso$(EXE_EXT) || :); \
else \
echo "There's no support for shared libraries on this platform" >&2; \
exit 1; \

7
NEWS
View File

@ -5,8 +5,15 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
o Fix for CVE-2014-0160
o Add TLS padding extension workaround for broken servers.
o Fix for CVE-2014-0076
Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
o Don't include gmt_unix_time in TLS server and client random values
o Fix for TLS record tampering bug CVE-2013-4353
o Fix for TLS version checking bug CVE-2013-6449
o Fix for DTLS retransmission bug CVE-2013-6450

2
README
View File

@ -1,5 +1,5 @@
OpenSSL 1.0.1f 6 Jan 2014
OpenSSL 1.0.1g 7 Apr 2014
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

View File

@ -586,12 +586,12 @@ int password_callback(char *buf, int bufsiz, int verify,
if (ok >= 0)
ok = UI_add_input_string(ui,prompt,ui_flags,buf,
PW_MIN_LENGTH,BUFSIZ-1);
PW_MIN_LENGTH,bufsiz-1);
if (ok >= 0 && verify)
{
buff = (char *)OPENSSL_malloc(bufsiz);
ok = UI_add_verify_string(ui,prompt,ui_flags,buff,
PW_MIN_LENGTH,BUFSIZ-1, buf);
PW_MIN_LENGTH,bufsiz-1, buf);
}
if (ok >= 0)
do
@ -2841,7 +2841,7 @@ double app_tminterval(int stop,int usertime)
if (proc==NULL)
{
if (GetVersion() < 0x80000000)
if (check_winnt())
proc = OpenProcess(PROCESS_QUERY_INFORMATION,FALSE,
GetCurrentProcessId());
if (proc==NULL) proc = (HANDLE)-1;

View File

@ -81,6 +81,9 @@ static const char *crl_usage[]={
" -in arg - input file - default stdin\n",
" -out arg - output file - default stdout\n",
" -hash - print hash value\n",
#ifndef OPENSSL_NO_MD5
" -hash_old - print old-style (MD5) hash value\n",
#endif
" -fingerprint - print the crl fingerprint\n",
" -issuer - print issuer DN\n",
" -lastupdate - lastUpdate field\n",
@ -108,6 +111,9 @@ int MAIN(int argc, char **argv)
int informat,outformat;
char *infile=NULL,*outfile=NULL;
int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
#ifndef OPENSSL_NO_MD5
int hash_old=0;
#endif
int fingerprint = 0, crlnumber = 0;
const char **pp;
X509_STORE *store = NULL;
@ -192,6 +198,10 @@ int MAIN(int argc, char **argv)
text = 1;
else if (strcmp(*argv,"-hash") == 0)
hash= ++num;
#ifndef OPENSSL_NO_MD5
else if (strcmp(*argv,"-hash_old") == 0)
hash_old= ++num;
#endif
else if (strcmp(*argv,"-nameopt") == 0)
{
if (--argc < 1) goto bad;
@ -304,6 +314,14 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_out,"%08lx\n",
X509_NAME_hash(X509_CRL_get_issuer(x)));
}
#ifndef OPENSSL_NO_MD5
if (hash_old == i)
{
BIO_printf(bio_out,"%08lx\n",
X509_NAME_hash_old(
X509_CRL_get_issuer(x)));
}
#endif
if (lastupdate == i)
{
BIO_printf(bio_out,"lastUpdate=");

View File

@ -427,9 +427,9 @@ int MAIN(int argc, char **argv)
goto end;
}
if (do_verify)
r = EVP_DigestVerifyInit(mctx, &pctx, md, e, sigkey);
r = EVP_DigestVerifyInit(mctx, &pctx, md, NULL, sigkey);
else
r = EVP_DigestSignInit(mctx, &pctx, md, e, sigkey);
r = EVP_DigestSignInit(mctx, &pctx, md, NULL, sigkey);
if (!r)
{
BIO_printf(bio_err, "Error setting context\n");

View File

@ -105,7 +105,7 @@
* in the asn1 der encoding
* possible values: named_curve (default)
* explicit
* -no_seed - if 'explicit' parameters are choosen do not use the seed
* -no_seed - if 'explicit' parameters are chosen do not use the seed
* -genkey - generate ec key
* -rand file - files to use for random number input
* -engine e - use engine e, possibly a hardware device
@ -286,7 +286,7 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, " "
" explicit\n");
BIO_printf(bio_err, " -no_seed if 'explicit'"
" parameters are choosen do not"
" parameters are chosen do not"
" use the seed\n");
BIO_printf(bio_err, " -genkey generate ec"
" key\n");

View File

@ -644,6 +644,11 @@ int MAIN(int argc, char **argv)
if (inrand)
app_RAND_load_files(inrand);
if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
{
newkey=DEFAULT_KEY_LENGTH;
}
if (keyalg)
{
genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
@ -652,12 +657,6 @@ int MAIN(int argc, char **argv)
goto end;
}
if (newkey <= 0)
{
if (!NCONF_get_number(req_conf,SECTION,BITS, &newkey))
newkey=DEFAULT_KEY_LENGTH;
}
if (newkey < MIN_KEY_LENGTH && (pkey_type == EVP_PKEY_RSA || pkey_type == EVP_PKEY_DSA))
{
BIO_printf(bio_err,"private key length is too short,\n");
@ -1649,6 +1648,8 @@ static EVP_PKEY_CTX *set_keygen_ctx(BIO *err, const char *gstr, int *pkey_type,
keylen = atol(p + 1);
*pkeylen = keylen;
}
else
keylen = *pkeylen;
}
else if (p)
paramfile = p + 1;

View File

@ -1060,7 +1060,7 @@ _vpaes_consts:
.Lk_dsbo: # decryption sbox final output
.quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
.quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C
.asciz "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
.asciz "Vector Permutation AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
.align 64
.size _vpaes_consts,.-_vpaes_consts
___

View File

@ -305,7 +305,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
{ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"},
{ERR_REASON(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM),"unknown signature algorithm"},
{ERR_REASON(ASN1_R_UNKNOWN_TAG) ,"unknown tag"},
{ERR_REASON(ASN1_R_UNKOWN_FORMAT) ,"unkown format"},
{ERR_REASON(ASN1_R_UNKOWN_FORMAT) ,"unknown format"},
{ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"},
{ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
{ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"},

View File

@ -245,7 +245,7 @@ static int MS_CALLBACK slg_puts(BIO *bp, const char *str)
static void xopenlog(BIO* bp, char* name, int level)
{
if (GetVersion() < 0x80000000)
if (check_winnt())
bp->ptr = RegisterEventSourceA(NULL,name);
else
bp->ptr = NULL;

View File

@ -538,6 +538,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret,
BIGNUM *BN_mod_sqrt(BIGNUM *ret,
const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
/* Deprecated versions */
#ifndef OPENSSL_NO_DEPRECATED
BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
@ -774,11 +776,20 @@ int RAND_pseudo_bytes(unsigned char *buf,int num);
#define bn_fix_top(a) bn_check_top(a)
#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
#define bn_wcheck_size(bn, words) \
do { \
const BIGNUM *_bnum2 = (bn); \
assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
} while(0)
#else /* !BN_DEBUG */
#define bn_pollute(a)
#define bn_check_top(a)
#define bn_fix_top(a) bn_correct_top(a)
#define bn_check_size(bn, bits)
#define bn_wcheck_size(bn, words)
#endif

View File

@ -824,3 +824,55 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
}
return bn_cmp_words(a,b,cl);
}
/*
* Constant-time conditional swap of a and b.
* a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
* nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
* and that no more than nwords are used by either a or b.
* a and b cannot be the same number
*/
void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
{
BN_ULONG t;
int i;
bn_wcheck_size(a, nwords);
bn_wcheck_size(b, nwords);
assert(a != b);
assert((condition & (condition - 1)) == 0);
assert(sizeof(BN_ULONG) >= sizeof(int));
condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
t = (a->top^b->top) & condition;
a->top ^= t;
b->top ^= t;
#define BN_CONSTTIME_SWAP(ind) \
do { \
t = (a->d[ind] ^ b->d[ind]) & condition; \
a->d[ind] ^= t; \
b->d[ind] ^= t; \
} while (0)
switch (nwords) {
default:
for (i = 10; i < nwords; i++)
BN_CONSTTIME_SWAP(i);
/* Fallthrough */
case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
case 1: BN_CONSTTIME_SWAP(0);
}
#undef BN_CONSTTIME_SWAP
}

View File

@ -463,8 +463,6 @@ int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert)
STACK_OF(CMS_CertificateChoices) **pcerts;
int i;
pcerts = cms_get0_certificate_choices(cms);
if (!pcerts)
return 0;
if (!pcerts)
return 0;
for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++)

View File

@ -889,7 +889,7 @@ void OPENSSL_showfatal (const char *fmta,...)
#if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
/* this -------------v--- guards NT-specific calls */
if (GetVersion() < 0x80000000 && OPENSSL_isservice() > 0)
if (check_winnt() && OPENSSL_isservice() > 0)
{ HANDLE h = RegisterEventSource(0,_T("OPENSSL"));
const TCHAR *pmsg=buf;
ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0);

View File

@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
return ret;
}
/* Computes scalar*point and stores the result in r.
* point can not equal r.
* Uses algorithm 2P of
* Uses a modified algorithm 2P of
* Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
* GF(2^m) without precomputation" (CHES '99, LNCS 1717).
*
* To protect against side-channel attack the function uses constant time swap,
* avoiding conditional branches.
*/
static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
const EC_POINT *point, BN_CTX *ctx)
@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
x2 = &r->X;
z2 = &r->Y;
bn_wexpand(x1, group->field.top);
bn_wexpand(z1, group->field.top);
bn_wexpand(x2, group->field.top);
bn_wexpand(z2, group->field.top);
if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
if (!BN_one(z1)) goto err; /* z1 = 1 */
if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
word = scalar->d[i];
while (mask)
{
if (word & mask)
{
if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
}
else
{
if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
}
BN_consttime_swap(word & mask, x1, x2, group->field.top);
BN_consttime_swap(word & mask, z1, z2, group->field.top);
if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
BN_consttime_swap(word & mask, x1, x2, group->field.top);
BN_consttime_swap(word & mask, z1, z2, group->field.top);
mask >>= 1;
}
mask = BN_TBIT;

View File

@ -408,6 +408,7 @@ ENGINE *ENGINE_by_id(const char *id)
!ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) ||
!ENGINE_ctrl_cmd_string(iterator, "DIR_ADD",
load_dir, 0) ||
!ENGINE_ctrl_cmd_string(iterator, "LIST_ADD", "1", 0) ||
!ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0))
goto notfound;
return iterator;

View File

@ -264,7 +264,7 @@ static int b64_read(BIO *b, char *out, int outl)
}
/* we fell off the end without starting */
if (j == i)
if ((j == i) && (num == 0))
{
/* Is this is one long chunk?, if so, keep on
* reading until a new line. */

View File

@ -810,7 +810,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
GCM_MUL(ctx,Yi);
if (is_endian.little)
#ifdef BSWAP4
ctr = BSWAP4(ctx->Yi.d[3]);
#else
ctr = GETU32(ctx->Yi.c+12);
#endif
else
ctr = ctx->Yi.d[3];
}
@ -818,7 +822,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
(*ctx->block)(ctx->Yi.c,ctx->EK0.c,ctx->key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
}
@ -913,7 +921,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
}
if (is_endian.little)
#ifdef BSWAP4
ctr = BSWAP4(ctx->Yi.d[3]);
#else
ctr = GETU32(ctx->Yi.c+12);
#endif
else
ctr = ctx->Yi.d[3];
@ -947,7 +959,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c,ctx->EKi.c,key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
for (i=0; i<16/sizeof(size_t); ++i)
@ -969,7 +985,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c,ctx->EKi.c,key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
for (i=0; i<16/sizeof(size_t); ++i)
@ -988,7 +1008,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c,ctx->EKi.c,key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
for (i=0; i<16/sizeof(size_t); ++i)
@ -1004,7 +1028,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c,ctx->EKi.c,key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
while (len--) {
@ -1022,7 +1050,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c,ctx->EKi.c,key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
}
@ -1066,7 +1098,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
}
if (is_endian.little)
#ifdef BSWAP4
ctr = BSWAP4(ctx->Yi.d[3]);
#else
ctr = GETU32(ctx->Yi.c+12);
#endif
else
ctr = ctx->Yi.d[3];
@ -1103,7 +1139,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c,ctx->EKi.c,key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
for (i=0; i<16/sizeof(size_t); ++i)
@ -1123,7 +1163,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c,ctx->EKi.c,key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
for (i=0; i<16/sizeof(size_t); ++i)
@ -1141,7 +1185,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c,ctx->EKi.c,key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
for (i=0; i<16/sizeof(size_t); ++i) {
@ -1159,7 +1207,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c,ctx->EKi.c,key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
while (len--) {
@ -1180,7 +1232,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
(*block)(ctx->Yi.c,ctx->EKi.c,key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
}
@ -1225,7 +1281,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
}
if (is_endian.little)
#ifdef BSWAP4
ctr = BSWAP4(ctx->Yi.d[3]);
#else
ctr = GETU32(ctx->Yi.c+12);
#endif
else
ctr = ctx->Yi.d[3];
@ -1247,7 +1307,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
(*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
ctr += GHASH_CHUNK/16;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
GHASH(ctx,out,GHASH_CHUNK);
@ -1262,7 +1326,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
(*stream)(in,out,j,key,ctx->Yi.c);
ctr += (unsigned int)j;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
in += i;
@ -1282,7 +1350,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
(*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
while (len--) {
@ -1324,7 +1396,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
}
if (is_endian.little)
#ifdef BSWAP4
ctr = BSWAP4(ctx->Yi.d[3]);
#else
ctr = GETU32(ctx->Yi.c+12);
#endif
else
ctr = ctx->Yi.d[3];
@ -1349,7 +1425,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
(*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
ctr += GHASH_CHUNK/16;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
out += GHASH_CHUNK;
@ -1375,7 +1455,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
(*stream)(in,out,j,key,ctx->Yi.c);
ctr += (unsigned int)j;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
out += i;
@ -1386,7 +1470,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
(*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
++ctr;
if (is_endian.little)
#ifdef BSWAP4
ctx->Yi.d[3] = BSWAP4(ctr);
#else
PUTU32(ctx->Yi.c+12,ctr);
#endif
else
ctx->Yi.d[3] = ctr;
while (len--) {

View File

@ -25,11 +25,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
#define OPENSSL_VERSION_NUMBER 0x1000106fL
#define OPENSSL_VERSION_NUMBER 0x1000107fL
#ifdef OPENSSL_FIPS
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1f-fips 6 Jan 2014"
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g-fips 7 Apr 2014"
#else
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1f 6 Jan 2014"
#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g 7 Apr 2014"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT

View File

@ -198,6 +198,9 @@ static void ssleay_rand_add(const void *buf, int num, double add)
EVP_MD_CTX m;
int do_not_lock;
if (!num)
return;
/*
* (Based on the rand(3) manpage)
*

View File

@ -204,6 +204,12 @@
#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb
#undef SSL_CTX_set_next_proto_select_cb
#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb
#undef ssl3_cbc_record_digest_supported
#define ssl3_cbc_record_digest_supported ssl3_cbc_record_digest_support
#undef ssl_check_clienthello_tlsext_late
#define ssl_check_clienthello_tlsext_late ssl_check_clihello_tlsext_late
#undef ssl_check_clienthello_tlsext_early
#define ssl_check_clienthello_tlsext_early ssl_check_clihello_tlsext_early
/* Hack some long ENGINE names */
#undef ENGINE_get_default_BN_mod_exp_crt

View File

@ -218,7 +218,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
s=dir;
p=s;
for (;;p++)
do
{
if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
{
@ -264,9 +264,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
return 0;
}
}
if (*p == '\0')
break;
}
} while (*p++ != '\0');
return 1;
}

View File

@ -1462,10 +1462,9 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
* a certificate was revoked. This has since been changed since
* critical extension can change the meaning of CRL entries.
*/
if (crl->flags & EXFLAG_CRITICAL)
if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
&& (crl->flags & EXFLAG_CRITICAL))
{
if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
return 1;
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
ok = ctx->verify_cb(0, ctx);
if(!ok)

View File

@ -119,7 +119,7 @@ variable points to a section containing further ENGINE configuration
information.
The section pointed to by B<engines> is a table of engine names (though see
B<engine_id> below) and further sections containing configuration informations
B<engine_id> below) and further sections containing configuration information
specific to each ENGINE.
Each ENGINE specific section is used to set default algorithms, load

View File

@ -62,6 +62,11 @@ don't output the encoded version of the CRL.
output a hash of the issuer name. This can be use to lookup CRLs in
a directory by issuer name.
=item B<-hash_old>
outputs the "hash" of the CRL issuer name using the older algorithm
as used by OpenSSL versions before 1.0.0.
=item B<-issuer>
output the issuer name.

View File

@ -41,7 +41,7 @@ PKCS#8 private key format use the B<pkcs8> command.
This specifies the input format. The B<DER> option with a private key uses
an ASN.1 DER encoded SEC1 private key. When used with a public key it
uses the SubjectPublicKeyInfo structur as specified in RFC 3280.
uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
The B<PEM> form is the default format: it consists of the B<DER> format base64
encoded with additional header and footer lines. In the case of a private key
PKCS#8 format is also accepted.

View File

@ -67,7 +67,7 @@ by default.
The filename to write certificates and private keys to, standard output by
default. They are all written in PEM format.
=item B<-pass arg>, B<-passin arg>
=item B<-passin arg>
the PKCS#12 file (i.e. input file) password source. For more information about
the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
@ -75,10 +75,15 @@ L<openssl(1)|openssl(1)>.
=item B<-passout arg>
pass phrase source to encrypt any outputed private keys with. For more
pass phrase source to encrypt any outputted private keys with. For more
information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
in L<openssl(1)|openssl(1)>.
=item B<-password arg>
With -export, -password is equivalent to -passout.
Otherwise, -password is equivalent to -passin.
=item B<-noout>
this option inhibits output of the keys and certificates to the output file

View File

@ -303,7 +303,7 @@ Reverses effect of B<-asn1-kludge>
=item B<-newhdr>
Adds the word B<NEW> to the PEM file header and footer lines on the outputed
Adds the word B<NEW> to the PEM file header and footer lines on the outputted
request. Some software (Netscape certificate server) and some CAs need this.
=item B<-batch>

View File

@ -10,6 +10,7 @@ s_client - SSL/TLS client program
B<openssl> B<s_client>
[B<-connect host:port>]
[B<-verify depth>]
[B<-verify_return_error>]
[B<-cert filename>]
[B<-certform DER|PEM>]
[B<-key filename>]
@ -90,6 +91,11 @@ Currently the verify operation continues after errors so all the problems
with a certificate chain can be seen. As a side effect the connection
will never fail due to a server certificate verify failure.
=item B<-verify_return_error>
Return verification errors instead of continuing. This will typically
abort the handshake with a fatal error.
=item B<-CApath directory>
The directory to use for server certificate verification. This directory
@ -286,6 +292,13 @@ Since the SSLv23 client hello cannot include compression methods or extensions
these will only be supported if its use is disabled, for example by using the
B<-no_sslv2> option.
The B<s_client> utility is a test tool and is designed to continue the
handshake after any certificate verification errors. As a result it will
accept any certificate chain (trusted or not) sent by the peer. None test
applications should B<not> do this as it makes them vulnerable to a MITM
attack. This behaviour can be changed by with the B<-verify_return_error>
option: any verify errors are then returned aborting the handshake.
=head1 BUGS
Because this program has a lot of options and also because some of
@ -293,9 +306,6 @@ the techniques used are rather old, the C source of s_client is rather
hard to read and not a model of how things should be done. A typical
SSL client program would be much simpler.
The B<-verify> option should really exit if the server verification
fails.
The B<-prexit> option is a bit of a hack. We should really report
information whenever a session is renegotiated.

View File

@ -111,7 +111,7 @@ by using an appropriate certificate.
=item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg>
addtional certificate and private key format and passphrase respectively.
additional certificate and private key format and passphrase respectively.
=item B<-nocert>

View File

@ -352,7 +352,7 @@ switch always overrides the settings in the config file.
This is the main section and it specifies the name of another section
that contains all the options for the B<-reply> command. This default
section can be overriden with the B<-section> command line switch. (Optional)
section can be overridden with the B<-section> command line switch. (Optional)
=item B<oid_file>
@ -453,7 +453,7 @@ included. Default is no. (Optional)
=head1 ENVIRONMENT VARIABLES
B<OPENSSL_CONF> contains the path of the configuration file and can be
overriden by the B<-config> command line option.
overridden by the B<-config> command line option.
=head1 EXAMPLES

View File

@ -124,7 +124,7 @@ The name of an EGD socket to get random data from. (Optional)
=item [request]...
List of files containing B<RFC 3161> DER-encoded time stamp requests. If no
requests are specifed only one request will be sent to the server and it will be
requests are specified only one request will be sent to the server and it will be
read from the standard input. (Optional)
=back

View File

@ -48,7 +48,7 @@ necessary parameters are set, by re-creating the blinding parameters.
BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>.
If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be
returned in B<r> (this is useful if a B<RSA> object is shared amoung
returned in B<r> (this is useful if a B<RSA> object is shared among
several threads). BN_BLINDING_invert_ex() multiplies B<n> with the
inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as
the inverse blinding.

View File

@ -52,8 +52,11 @@ ERR_get_error_line_data(), ERR_peek_error_line_data() and
ERR_get_last_error_line_data() store additional data and flags
associated with the error code in *B<data>
and *B<flags>, unless these are B<NULL>. *B<data> contains a string
if *B<flags>&B<ERR_TXT_STRING>. If it has been allocated by OPENSSL_malloc(),
*B<flags>&B<ERR_TXT_MALLOCED> is true.
if *B<flags>&B<ERR_TXT_STRING> is true.
An application B<MUST NOT> free the *B<data> pointer (or any other pointers
returned by these functions) with OPENSSL_free() as freeing is handled
automatically by the error library.
=head1 RETURN VALUES

View File

@ -17,7 +17,7 @@ EVP_BytesToKey - password based encryption routine
EVP_BytesToKey() derives a key and IV from various parameters. B<type> is
the cipher to derive the key and IV for. B<md> is the message digest to use.
The B<salt> paramter is used as a salt in the derivation: it should point to
The B<salt> parameter is used as a salt in the derivation: it should point to
an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing
B<datal> bytes which is used to derive the keying data. B<count> is the
iteration count to use. The derived key and IV will be written to B<key>

View File

@ -152,7 +152,7 @@ does not remain in memory.
EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a
similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and
EVP_CipherInit_ex() except the B<ctx> paramter does not need to be
EVP_CipherInit_ex() except the B<ctx> parameter does not need to be
initialized and they always use the default cipher implementation.
EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a

View File

@ -113,7 +113,7 @@ a special status code is set to the verification callback. This permits it
to examine the valid policy tree and perform additional checks or simply
log it for debugging purposes.
By default some addtional features such as indirect CRLs and CRLs signed by
By default some additional features such as indirect CRLs and CRLs signed by
different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set
they are enabled.

View File

@ -201,7 +201,7 @@ handle PKCS#8 format encrypted and unencrypted keys too.
PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey()
write a private key in an EVP_PKEY structure in PKCS#8
EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption
algorithms. The B<cipher> argument specifies the encryption algoritm to
algorithms. The B<cipher> argument specifies the encryption algorithm to
use: unlike all other PEM routines the encryption is applied at the
PKCS#8 level and not in the PEM headers. If B<cipher> is NULL then no
encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead.

View File

@ -169,8 +169,8 @@ that will always continue the TLS/SSL handshake regardless of verification
failure, if wished. The callback realizes a verification depth limit with
more informational output.
All verification errors are printed, informations about the certificate chain
are printed on request.
All verification errors are printed; information about the certificate chain
is printed on request.
The example is realized for a server that does allow but not require client
certificates.

View File

@ -24,7 +24,7 @@ The shutdown state of an ssl connection is a bitmask of:
=over 4
=item 0
=item Z<>0
No shutdown setting, yet.

7
e_os.h
View File

@ -368,6 +368,13 @@ static unsigned int _strlen31(const char *str)
# define DEFAULT_HOME "C:"
# endif
/* Avoid Windows 8 SDK GetVersion deprecated problems */
#if defined(_MSC_VER) && _MSC_VER>=1800
# define check_winnt() (1)
#else
# define check_winnt() (GetVersion() < 0x80000000)
#endif
#else /* The non-microsoft world */
# ifdef OPENSSL_SYS_VMS

View File

@ -180,8 +180,6 @@ int start_hash(gost_hash_ctx *ctx)
*/
int hash_block(gost_hash_ctx *ctx,const byte *block, size_t length)
{
const byte *curptr=block;
const byte *barrier=block+(length-32);/* Last byte we can safely hash*/
if (ctx->left)
{
/*There are some bytes from previous step*/
@ -196,24 +194,25 @@ int hash_block(gost_hash_ctx *ctx,const byte *block, size_t length)
{
return 1;
}
curptr=block+add_bytes;
block+=add_bytes;
length-=add_bytes;
hash_step(ctx->cipher_ctx,ctx->H,ctx->remainder);
add_blocks(32,ctx->S,ctx->remainder);
ctx->len+=32;
ctx->left=0;
}
while (curptr<=barrier)
while (length>=32)
{
hash_step(ctx->cipher_ctx,ctx->H,curptr);
hash_step(ctx->cipher_ctx,ctx->H,block);
add_blocks(32,ctx->S,curptr);
add_blocks(32,ctx->S,block);
ctx->len+=32;
curptr+=32;
block+=32;
length-=32;
}
if (curptr!=block+length)
if (length)
{
ctx->left=block+length-curptr;
memcpy(ctx->remainder,curptr,ctx->left);
memcpy(ctx->remainder,block,ctx->left=length);
}
return 1;
}

View File

@ -1459,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s)
unsigned int payload;
unsigned int padding = 16; /* Use minimum padding */
/* Read type and payload length first */
hbtype = *p++;
n2s(p, payload);
pl = p;
if (s->msg_callback)
s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
&s->s3->rrec.data[0], s->s3->rrec.length,
s, s->msg_callback_arg);
/* Read type and payload length first */
if (1 + 2 + 16 > s->s3->rrec.length)
return 0; /* silently discard */
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;
if (hbtype == TLS1_HB_REQUEST)
{
unsigned char *buffer, *bp;
unsigned int write_length = 1 /* heartbeat type */ +
2 /* heartbeat length */ +
payload + padding;
int r;
if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
return 0;
/* Allocate memory for the response, size is 1 byte
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
buffer = OPENSSL_malloc(write_length);
bp = buffer;
/* Enter response type, length and copy payload */
@ -1489,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s)
/* Random padding */
RAND_pseudo_bytes(bp, padding);
r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
if (r >= 0 && s->msg_callback)
s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
buffer, 3 + payload + padding,
buffer, write_length,
s, s->msg_callback_arg);
OPENSSL_free(buffer);

View File

@ -70,6 +70,15 @@
#include <stdio.h>
#include <ctype.h>
#include <krb5.h>
#ifdef OPENSSL_SYS_WIN32
/* These can sometimes get redefined indirectly by krb5 header files
* after they get undefed in ossl_typ.h
*/
#undef X509_NAME
#undef X509_EXTENSIONS
#undef OCSP_REQUEST
#undef OCSP_RESPONSE
#endif
#ifdef __cplusplus
extern "C" {

View File

@ -283,7 +283,7 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
if (send_time)
{
unsigned long Time = time(NULL);
unsigned long Time = (unsigned long)time(NULL);
unsigned char *p = result;
l2n(Time, p);
return RAND_pseudo_bytes(p, len-4);

View File

@ -1830,7 +1830,7 @@ int ssl3_send_server_key_exchange(SSL *s)
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
goto f_err;
}
for (i=0; r[i] != NULL && i<4; i++)
for (i=0; i < 4 && r[i] != NULL; i++)
{
nr[i]=BN_num_bytes(r[i]);
#ifndef OPENSSL_NO_SRP
@ -1866,7 +1866,7 @@ int ssl3_send_server_key_exchange(SSL *s)
d=(unsigned char *)s->init_buf->data;
p= &(d[4]);
for (i=0; r[i] != NULL && i<4; i++)
for (i=0; i < 4 && r[i] != NULL; i++)
{
#ifndef OPENSSL_NO_SRP
if ((i == 2) && (type & SSL_kSRP))

View File

@ -915,7 +915,7 @@ struct ssl_ctx_st
*/
unsigned int max_send_fragment;
#ifndef OPENSSL_ENGINE
#ifndef OPENSSL_NO_ENGINE
/* Engine to pass requests for client certs to
*/
ENGINE *client_cert_engine;

View File

@ -986,7 +986,8 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
}
else
{
EVP_MD_CTX_copy(&hmac,hash);
if (!EVP_MD_CTX_copy(&hmac,hash))
return -1;
mac_ctx = &hmac;
}

View File

@ -662,6 +662,36 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
}
#endif
#ifdef TLSEXT_TYPE_padding
/* Add padding to workaround bugs in F5 terminators.
* See https://tools.ietf.org/html/draft-agl-tls-padding-03
*
* NB: because this code works out the length of all existing
* extensions it MUST always appear last.
*/
{
int hlen = ret - (unsigned char *)s->init_buf->data;
/* The code in s23_clnt.c to build ClientHello messages includes the
* 5-byte record header in the buffer, while the code in s3_clnt.c does
* not. */
if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
hlen -= 5;
if (hlen > 0xff && hlen < 0x200)
{
hlen = 0x200 - hlen;
if (hlen >= 4)
hlen -= 4;
else
hlen = 0;
s2n(TLSEXT_TYPE_padding, ret);
s2n(hlen, ret);
memset(ret, 0, hlen);
ret += hlen;
}
}
#endif
if ((extdatalen = ret-p-2)== 0)
return p;
@ -1261,7 +1291,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
}
}
else if (type == TLSEXT_TYPE_status_request &&
s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb)
s->version != DTLS1_VERSION)
{
if (size < 5)
@ -2558,16 +2588,20 @@ tls1_process_heartbeat(SSL *s)
unsigned int payload;
unsigned int padding = 16; /* Use minimum padding */
/* Read type and payload length first */
hbtype = *p++;
n2s(p, payload);
pl = p;
if (s->msg_callback)
s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
&s->s3->rrec.data[0], s->s3->rrec.length,
s, s->msg_callback_arg);
/* Read type and payload length first */
if (1 + 2 + 16 > s->s3->rrec.length)
return 0; /* silently discard */
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;
if (hbtype == TLS1_HB_REQUEST)
{
unsigned char *buffer, *bp;

View File

@ -230,6 +230,12 @@ extern "C" {
/* ExtensionType value from RFC5620 */
#define TLSEXT_TYPE_heartbeat 15
/* ExtensionType value for TLS padding extension.
* http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
* http://tools.ietf.org/html/draft-agl-tls-padding-03
*/
#define TLSEXT_TYPE_padding 21
/* ExtensionType value from RFC4507 */
#define TLSEXT_TYPE_session_ticket 35

View File

@ -3511,6 +3511,7 @@ BIO_set_callback 3903 EXIST::FUNCTION:
d2i_ASIdOrRange 3904 EXIST::FUNCTION:RFC3779
i2d_ASIdentifiers 3905 EXIST::FUNCTION:RFC3779
CRYPTO_memcmp 3906 EXIST::FUNCTION:
BN_consttime_swap 3907 EXIST::FUNCTION:
SEED_decrypt 3908 EXIST::FUNCTION:SEED
SEED_encrypt 3909 EXIST::FUNCTION:SEED
SEED_cbc_encrypt 3910 EXIST::FUNCTION:SEED

View File

@ -18,7 +18,7 @@ $out_def="out32";
$tmp_def="tmp32";
$inc_def="inc32";
#enable max error messages, disable most common warnings
$cflags="-DWIN32_LEAN_AND_MEAN -q -w-ccc -w-rch -w-pia -w-aus -w-par -w-inl -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -D_strnicmp=strnicmp ";
$cflags="-DWIN32_LEAN_AND_MEAN -q -w-ccc -w-rch -w-pia -w-aus -w-par -w-inl -c -tWC -tWM -DOPENSSL_SYSNAME_WIN32 -DL_ENDIAN -DDSO_WIN32 -D_stricmp=stricmp -D_strnicmp=strnicmp -D_timeb=timeb -D_ftime=ftime ";
if ($debug)
{
$cflags.="-Od -y -v -vi- -D_DEBUG";
@ -38,7 +38,7 @@ $efile="";
$exep='.exe';
if ($no_sock)
{ $ex_libs=""; }
else { $ex_libs="cw32mt.lib import32.lib"; }
else { $ex_libs="cw32mt.lib import32.lib crypt32.lib ws2_32.lib"; }
# static library stuff
$mklib='tlib /P64';
@ -51,8 +51,8 @@ $lfile='';
$shlib_ex_obj="";
$app_ex_obj="c0x32.obj";
$asm='nasmw -f obj -d__omf__';
$asm.=" /Zi" if $debug;
$asm=(`nasm -v 2>NUL` ge `nasmw -v 2>NUL`?"nasm":"nasmw")." -f obj -d__omf__";
$asm.=" -g" if $debug;
$afile='-o';
$bn_mulw_obj='';

View File

@ -27,6 +27,8 @@ $zlib_lib="zlib1.lib";
$l_flags =~ s/-L("\[^"]+")/\/libpath:$1/g;
$l_flags =~ s/-L(\S+)/\/libpath:$1/g;
my $ff = "";
# C compiler stuff
$cc='cl';
if ($FLAVOR =~ /WIN64/)
@ -126,6 +128,7 @@ else # Win32
$base_cflags= " $mf_cflag";
my $f = $shlib || $fips ?' /MD':' /MT';
$lib_cflag='/Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
$ff = "/fixed";
$opt_cflags=$f.' /Ox /O2 /Ob2';
$dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
$lflags="/nologo /subsystem:console /opt:ref";
@ -318,7 +321,7 @@ sub do_lib_rule
$ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n";
$ret.="\tSET FIPS_TARGET=$target\n";
$ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n";
$ret.="\t\$(FIPSLINK) \$(MLFLAGS) /map $base_arg $efile$target ";
$ret.="\t\$(FIPSLINK) \$(MLFLAGS) $ff /map $base_arg $efile$target ";
$ret.="$name @<<\n \$(SHLIB_EX_OBJ) $objs \$(EX_LIBS) ";
$ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n<<\n";
}
@ -355,7 +358,7 @@ sub do_link_rule
$ret.="\tSET FIPS_TARGET=$target\n";
$ret.="\tSET FIPS_SHA1_EXE=\$(FIPS_SHA1_EXE)\n";
$ret.="\tSET FIPSLIB_D=\$(FIPSLIB_D)\n";
$ret.="\t\$(FIPSLINK) \$(LFLAGS) /map $efile$target @<<\n";
$ret.="\t\$(FIPSLINK) \$(LFLAGS) $ff /map $efile$target @<<\n";
$ret.="\t\$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n<<\n";
}
else