deps: downgrade openssl to v1.0.0f

Several people have reported issues with IIS and Resin servers (or maybe
SSL terminators sitting in front of those servers) that are fixed by
downgrading OpenSSL. The AESNI performance improvements were nice but
stability is more important. Downgrade OpenSSL from 1.0.1e to 1.0.0f.

Fixes #5360 (and others).

1 files changed, 4 insertions, 57 deletions

diff --git a/deps/openssl/openssl/crypto/cms/cms_smime.c b/deps/openssl/openssl/crypto/cms/cms_smime.c
index 8c56e3a852..4a799eb897 100644
--- a/deps/openssl/openssl/crypto/cms/cms_smime.c
+++ b/deps/openssl/openssl/crypto/cms/cms_smime.c
@@ -611,10 +611,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 	STACK_OF(CMS_RecipientInfo) *ris;
 	CMS_RecipientInfo *ri;
 	int i, r;
-	int debug = 0;
 	ris = CMS_get0_RecipientInfos(cms);
-	if (ris)
-		debug = cms->d.envelopedData->encryptedContentInfo->debug;
 	for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++)
 		{
 		ri = sk_CMS_RecipientInfo_value(ris, i);
@@ -628,38 +625,17 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
 			CMS_RecipientInfo_set0_pkey(ri, pk);
 			r = CMS_RecipientInfo_decrypt(cms, ri);
 			CMS_RecipientInfo_set0_pkey(ri, NULL);
+			if (r > 0)
+				return 1;
 			if (cert)
 				{
-				/* If not debugging clear any error and
-				 * return success to avoid leaking of
-				 * information useful to MMA
-				 */
-				if (!debug)
-					{
-					ERR_clear_error();
-					return 1;
-					}
-				if (r > 0)
-					return 1;
 				CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY,
 						CMS_R_DECRYPT_ERROR);
 				return 0;
 				}
-			/* If no cert and not debugging don't leave loop
-			 * after first successful decrypt. Always attempt
-			 * to decrypt all recipients to avoid leaking timing
-			 * of a successful decrypt.
-			 */
-			else if (r > 0 && debug)
-				return 1;
+			ERR_clear_error();
 			}
 		}
-	/* If no cert and not debugging always return success */
-	if (!cert && !debug)
-		{
-		ERR_clear_error();
-		return 1;
-		}
 
 	CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_NO_MATCHING_RECIPIENT);
 	return 0;
@@ -704,30 +680,6 @@ int CMS_decrypt_set1_key(CMS_ContentInfo *cms,
 	return 0;
 
 	}
-
-int CMS_decrypt_set1_password(CMS_ContentInfo *cms, 
-				unsigned char *pass, ossl_ssize_t passlen)
-	{
-	STACK_OF(CMS_RecipientInfo) *ris;
-	CMS_RecipientInfo *ri;
-	int i, r;
-	ris = CMS_get0_RecipientInfos(cms);
-	for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++)
-		{
-		ri = sk_CMS_RecipientInfo_value(ris, i);
-		if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_PASS)
-				continue;
-		CMS_RecipientInfo_set0_password(ri, pass, passlen);
-		r = CMS_RecipientInfo_decrypt(cms, ri);
-		CMS_RecipientInfo_set0_password(ri, NULL, 0);
-		if (r > 0)
-			return 1;
-		}
-
-	CMSerr(CMS_F_CMS_DECRYPT_SET1_PASSWORD, CMS_R_NO_MATCHING_RECIPIENT);
-	return 0;
-
-	}
 	
 int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
 				BIO *dcont, BIO *out,
@@ -742,14 +694,9 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
 		}
 	if (!dcont && !check_content(cms))
 		return 0;
-	if (flags & CMS_DEBUG_DECRYPT)
-		cms->d.envelopedData->encryptedContentInfo->debug = 1;
-	else
-		cms->d.envelopedData->encryptedContentInfo->debug = 0;
-	if (!pk && !cert && !dcont && !out)
-		return 1;
 	if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
 		return 0;
+
 	cont = CMS_dataInit(cms, dcont);
 	if (!cont)
 		return 0;