diff options
| author | Myles Borins <mborins@us.ibm.com> | 2016-01-29 11:30:16 -0800 |
|---|---|---|
| committer | Shigeki Ohtsu <ohtsu@iij.ad.jp> | 2016-01-31 15:07:12 +0900 |
| commit | 1f434787fcb36b2dea36dbfebc8ff7f899b6d262 (patch) | |
| tree | 89fbd0f262a3ba0a2557df53a30e1a3807e1a3b4 /deps/openssl | |
| parent | 6cbbfef994930bc47581d592124e82b58e55ac7b (diff) | |
| download | android-node-v8-1f434787fcb36b2dea36dbfebc8ff7f899b6d262.tar.gz android-node-v8-1f434787fcb36b2dea36dbfebc8ff7f899b6d262.tar.bz2 android-node-v8-1f434787fcb36b2dea36dbfebc8ff7f899b6d262.zip | |
deps: upgrade openssl sources to 1.0.2f
This replaces all sources of openssl-1.0.2f.tar.gz
into deps/openssl/openssl
Fix: https://github.com/nodejs/node/issues/4857
PR-URL: https://github.com/nodejs/node/pull/4961
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
deps: copy openssl header files to include dir
All symlink files in deps/openssl/openssl/include/openssl/ are removed
and replaced with real header files to avoid issues on Windows.
Two files of opensslconf.h in crypto and include dir are replaced to
refer config/opensslconf.h.
Fix: https://github.com/nodejs/node/issues/4857
PR-URL: https://github.com/nodejs/node/pull/4961
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
deps: fix openssl assembly error on ia32 win32
`x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and
perhaps others) are requiring .686 .
Fixes: https://github.com/nodejs/node/issues/589
PR-URL: https://github.com/nodejs/node/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
deps: fix asm build error of openssl in x86_win32
See
https://mta.openssl.org/pipermail/openssl-dev/2015-February/000651.html
iojs needs to stop using masm and move to nasm or yasm on Win32.
Fixes: https://github.com/nodejs/node/issues/589
PR-URL: https://github.com/nodejs/node/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
openssl: fix keypress requirement in apps on win32
Reapply b910613792dac946b295855963869933a9089044 .
Fixes: https://github.com/nodejs/node/issues/589
PR-URL: https://github.com/nodejs/node/pull/1389
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
docs: update openssl UPDATING guide
the guide is now current with the steps taken to update
openssl to v1.0.2f
PR-URL: https://github.com/nodejs/node/pull/4961
Reviewed-By: Myles Borins <mborins@us.ibm.com>
Diffstat (limited to 'deps/openssl')
199 files changed, 1216 insertions, 564 deletions
diff --git a/deps/openssl/doc/UPGRADING.md b/deps/openssl/doc/UPGRADING.md index aac92f730a..5c8919d2cf 100644 --- a/deps/openssl/doc/UPGRADING.md +++ b/deps/openssl/doc/UPGRADING.md @@ -1,8 +1,8 @@ ## How to upgrade openssl library in Node.js -This document describes the procedure to upgrade openssl from 1.0.2a -to 1.0.2c in Node.js. - +This document describes the procedure to upgrade openssl from 1.0.2e +to 1.0.2f in Node.js. This procedure might be applied to upgrading +any versions in 1.0.2. ### Build System and Upgrading Overview The openssl build system is based on the `Configure` perl script in @@ -31,6 +31,8 @@ The tested platform in CI are also listed. | --dest-os | --dest-cpu | conf | asm | openssl target | CI | |---------- |----------- |----- |----- |------------------- |--- | +| aix | ppc | o | x(*2)| aix-gcc | o | +| aix | ppc64 | o | x(*2)| aix64-gcc | o | | linux | ia32 | o | o |linux-elf | o | | linux | x32 | o | x(*2)|linux-x32 | x | | linux | x64 | o | o |linux-x86_64 | o | @@ -91,48 +93,197 @@ https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/crypto/sha/asm/sha5 otherwise asm_obsolete are used. The following is the detail instruction steps how to upgrade openssl -version from 1.0.2a to 1.0.2c in node. +version from 1.0.2e to 1.0.2f in node. + +*This needs to run Linux +enviroment.* ### 1. Replace openssl source in `deps/openssl/openssl` Remove old openssl sources in `deps/openssl/openssl` . Get original openssl sources from -https://www.openssl.org/source/openssl-1.0.2c.tar.gz and extract all +https://www.openssl.org/source/openssl-1.0.2f.tar.gz and extract all files into `deps/openssl/openssl` . -### 2. Apply private patches -There are three kinds of private patches to be applied in openssl-1.0.2c. - -- The two fixes of assembly error on ia32 win32. masm is no longer - supported in openssl. We should move to use nasm or yasm in future - version of node. - -- The fix of openssl-cli built on win. Key press requirement of - openssl-cli in win causes timeout failures of several tests. +```sh +ohtsu@ubuntu:~/github/node$ cd deps/openssl/ +ohtsu@ubuntu:~/github/node/deps/openssl$ rm -rf openssl +ohtsu@ubuntu:~/github/node/deps/openssl$ tar zxf ~/tmp/openssl-1.0.2f.tar.gz +ohtsu@ubuntu:~/github/node/deps/openssl$ mv openssl-1.0.2f openssl +ohtsu@ubuntu:~/github/node/deps/openssl$ git add --all openssl +ohtsu@ubuntu:~/github/node/deps/openssl$ git commit openssl +```` +The commit message can be -- A new `-no_rand_screen` option to openssl s_client. This makes test - time of test-tls-server-verify be much faster. +>deps: upgrade openssl sources to 1.0.2f +> +>This replaces all sources of openssl-1.0.2f.tar.gz into +>deps/openssl/openssl -### 3. Replace openssl header files in `deps/openssl/openssl/include/openssl` +### 2. Replace openssl header files in `deps/openssl/openssl/include/openssl` all header files in `deps/openssl/openssl/include/openssl/*.h` are symbolic links in the distributed release tar.gz. They cause issues in Windows. They are copied from the real files of symlink origin into the include directory. During installation, they also copied into `PREFIX/node/include` by tools/install.py. +`deps/openssl/openssl/include/openssl/opensslconf.h` and +`deps/openssl/openssl/crypto/opensslconf.h` needs to be changed so as +to refer the platform independent file of `deps/openssl/config/opensslconf.h` + +The following shell script (copy_symlink.sh) is my tool for working +this procedures to invoke it in the `deps/openssl/openssl/include/openssl/`. + +```sh +#!/bin/bash +for var in "$@" +do + if [ -L $var ]; then + origin=`readlink $var` + rm $var + cp $origin $var + fi +done +rm opensslconf.h +echo '#include "../../crypto/opensslconf.h"' > opensslconf.h +rm ../../crypto/opensslconf.h +echo '#include "../../config/opensslconf.h"' > ../../crypto/opensslconf.h +```` + +This step somehow gets troublesome since openssl-1.0.2f because +symlink headers are removed in tar.gz file and we have to execute +./config script to generate them. The config script also generate +unnecessary platform dependent files in the repository so that we have +to clean up them after committing header files. + +```sh +ohtsu@ubuntu:~/github/node/deps/openssl$ cd openssl/ +ohtsu@ubuntu:~/github/node/deps/openssl/openssl$ ./config + +make[1]: Leaving directory `/home/ohtsu/github/node/deps/openssl/openssl/test' + +Configured for linux-x86_64. +ohtsu@ubuntu:~/github/node/deps/openssl/openssl$ cd include/openssl/ +ohtsu@ubuntu:~/github/node/deps/openssl/openssl/include/openssl$ ~/copy_symlink.sh *.h +ohtsu@ubuntu:~/github/node/deps/openssl/openssl/include/openssl$ cd ../.. +ohtsu@ubuntu:~/github/node/deps/openssl/openssl$ git add include +ohtsu@ubuntu:~/github/node/deps/openssl/openssl$ git commit include/ crypto/opensslconf.h +ohtsu@ubuntu:~/github/node/deps/openssl/openssl$ git clean -f +ohtsu@ubuntu:~/github/node/deps/openssl/openssl$ git checkout Makefile Makefile.bak +```` +The commit message can be + +>deps: copy all openssl header files to include dir +> +>All symlink files in `deps/openssl/openssl/include/openssl/` +>are removed and replaced with real header files to avoid +>issues on Windows. Two files of opensslconf.h in crypto and +>include dir are replaced to refer config/opensslconf.h. + +### 3. Apply floating patches +At the time of writing, there are four floating patches to be applied +to openssl. + +- Two fixes for assembly errors on ia32 win32. + +- One fix for openssl-cli built on win. Key press requirement of + openssl-cli in win causes timeout failures of several tests. + +- Adding a new `-no_rand_screen` option to openssl s_client. This + makes test time of test-tls-server-verify be much faster. + +These fixes can be applied via cherry-pick. The first three will merge without conflict. +The last commit can be landed using a recursive strategy that prefers newer changes. + +```sh +git cherry-pick c66c3d9fa3f5bab0bdfe363dd947136cf8a3907f +git cherry-pick 42a8de2ac66b6953cbc731fdb0b128b8019643b2 +git cherry-pick 2eb170874aa5e84e71b62caab7ac9792fd59c10f +git cherry-pick --strategy=recursive -X theirs 664a659 +``` + +If you attempted to cherry-pick the last commit you would have the following conflict + +``` +# do not do this +git cherry-pick 664a6596960655e214fef25e74d3285097703e95 +error: could not apply 664a659... deps: add -no_rand_screen to openssl s_client +hint: after resolving the conflicts, mark the corrected paths +hint: with 'git add <paths>' or 'git rm <paths>' +hint: and commit the result with 'git commit' +git cherry-pi +``` + +the conflict is in `deps/openssl/openssl/apps/app_rand.c` as below. + +```sh +ohtsu@omb:openssl$ git diff +diff --cc deps/openssl/openssl/apps/app_rand.c +index 7f40bba,b6fe294..0000000 +--- a/deps/openssl/openssl/apps/app_rand.c ++++ b/deps/openssl/openssl/apps/app_rand.c +@@@ -124,7 -124,16 +124,20 @@@ int app_RAND_load_file(const char *file + char buffer[200]; + + #ifdef OPENSSL_SYS_WINDOWS + ++<<<<<<< HEAD + + RAND_screen(); + ++======= + + /* + + * allocate 2 to dont_warn not to use RAND_screen() via + + * -no_rand_screen option in s_client + + */ + + if (dont_warn != 2) { + + BIO_printf(bio_e, "Loading 'screen' into random state -"); + + BIO_flush(bio_e); + + RAND_screen(); + + BIO_printf(bio_e, " done\n"); + + } + ++>>>>>>> 664a659... deps: add -no_rand_screen to openssl s_client + #endif + + if (file == NULL) +```` + +We want to opt for the changes from 664a659 instead of the changes present on HEAD. +`git cherry-pick --strategy=recursive -X theirs` will do just that! ### 4. Change `opensslconf.h` so as to fit each platform. -No change. +opensslconf.h includes defines and macros which are platform +dependent. Each files can be generated via `deps/openssl/config/Makefile` +We can regenerate them and commit them if any diffs exist. + +```sh +ohtsu@ubuntu:~/github/node/deps/openssl$ cd config +ohtsu@ubuntu:~/github/node/deps/openssl/config$ make clean +find archs -name opensslconf.h -exec rm "{}" \; +ohtsu@ubuntu:~/github/node/deps/openssl/config$ make +cd ../openssl; perl ./Configure no-shared no-symlinks aix-gcc > /dev/null +ohtsu@ubuntu:~/github/node/deps/openssl/config$ git diff +ohtsu@ubuntu:~/github/node/deps/openssl/config$ git commit . +```` +The commit message can be + +>deps: update openssl config files +> +>Regenerate config files for supported platforms with Makefile. ### 5. Update openssl.gyp and openssl.gypi -No change. +This process is needed when source files are removed, renamed and added. +It seldom happen in the minor bug fix release. Build errors would be +thrown if it happens. In case of build errors, we need to check source +files in Makefiles of its platform and change openssl.gyp or +openssl.gypi according to the changes of source files. Please contact +@shigeki if it is needed. ### 6. ASM files for openssl We provide two sets of asm files. One is for the latest assembler -and the other is the older one. +and the other is the older one. sections 6.1 and 6.2 describe the two +types of files. Section 6.3 explains the steps to update the files. +In the case of upgrading 1.0.2f there were no changes to the asm files. ### 6.1. asm files for the latest compiler This was made in `deps/openssl/asm/Makefile` - Updated asm files for each platforms which are required in - openssl-1.0.2c. + openssl-1.0.2f. - Some perl files need CC and ASM envs. Added a check if these envs exist. Followed asm files are to be generated with CC=gcc and ASM=nasm on Linux. See @@ -148,8 +299,9 @@ This was made in `deps/openssl/asm/Makefile` With export environments of CC=gcc and ASM=nasm, then type make command and check if new asm files are generated. +If you don't have nasm please install it such as `apt-get install nasm`. -### 6.2.asm files for the older compiler +### 6.2. asm files for the older compiler For older assembler, the version check of CC and ASM should be skipped in generating asm file with perl scripts. Copy files from `deps/openssl/asm` into @@ -158,3 +310,42 @@ into this directories and remove the check of CC and ASM envs. Without environments of CC and ASM, then type make command and check if new asm files for older compilers are generated. + +The following steps includes version check of gcc and nasm. + +### 6.3 steps + +```sh +ohtsu@ubuntu:~/github/node/deps/openssl/config$ cd ../asm +ohtsu@ubuntu:~/github/node/deps/openssl/asm$ gcc --version +gcc (Ubuntu 4.8.4-2ubuntu1~14.04) 4.8.4 +Copyright (C) 2013 Free Software Foundation, Inc. +This is free software; see the source for copying conditions. There is NO +warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +ohtsu@ubuntu:~/github/node/deps/openssl/asm$ nasm -v +NASM version 2.10.09 compiled on Dec 29 2013 +ohtsu@ubuntu:~/github/node/deps/openssl/asm$ export CC=gcc +ohtsu@ubuntu:~/github/node/deps/openssl/asm$ export ASM=nasm +ohtsu@ubuntu:~/github/node/deps/openssl/asm$ make clean +find . -iname '*.asm' -exec rm "{}" \; +find . -iname '*.s' -exec rm "{}" \; +find . -iname '*.S' -exec rm "{}" \; +ohtsu@ubuntu:~/github/node/deps/openssl/asm$ make +ohtsu@ubuntu:~/github/node/deps/openssl/asm$ cd ../asm_obsolete/ +ohtsu@ubuntu:~/github/node/deps/openssl/asm_obsolete$ unset CC +ohtsu@ubuntu:~/github/node/deps/openssl/asm_obsolete$ unset ASM +ohtsu@ubuntu:~/github/node/deps/openssl/asm_obsolete$ make clean +find . -iname '*.asm' -exec rm "{}" \; +find . -iname '*.s' -exec rm "{}" \; +find . -iname '*.S' -exec rm "{}" \; +ohtsu@ubuntu:~/github/node/deps/openssl$ git status +ohtsu@ubuntu:~/github/node/deps/openssl$ git commit asm asm_obsolete +```` +The commit message can be + +>deps: update openssl asm and asm_obsolete files +> +>Regenerate asm files with Makefile and CC=gcc and ASM=gcc where +>gcc-4.8.4. Also asm files in asm_obsolete dir to support old compiler +>and assembler are regenerated without CC and ASM envs. diff --git a/deps/openssl/openssl/ACKNOWLEDGMENTS b/deps/openssl/openssl/ACKNOWLEDGMENTS index 59c6f01f97..d21dccbb79 100644 --- a/deps/openssl/openssl/ACKNOWLEDGMENTS +++ b/deps/openssl/openssl/ACKNOWLEDGMENTS @@ -1,30 +1,2 @@ -The OpenSSL project depends on volunteer efforts and financial support from -the end user community. That support comes in the form of donations and paid -sponsorships, software support contracts, paid consulting services -and commissioned software development. - -Since all these activities support the continued development and improvement -of OpenSSL we consider all these clients and customers as sponsors of the -OpenSSL project. - -We would like to identify and thank the following such sponsors for their past -or current significant support of the OpenSSL project: - -Major support: - - Qualys http://www.qualys.com/ - -Very significant support: - - OpenGear: http://www.opengear.com/ - -Significant support: - - PSW Group: http://www.psw.net/ - Acano Ltd. http://acano.com/ - -Please note that we ask permission to identify sponsors and that some sponsors -we consider eligible for inclusion here have requested to remain anonymous. - -Additional sponsorship or financial support is always welcome: for more -information please contact the OpenSSL Software Foundation. +Please https://www.openssl.org/community/thanks.html for the current +acknowledgements. diff --git a/deps/openssl/openssl/CHANGES b/deps/openssl/openssl/CHANGES index 584f0dbd45..aa1f60d144 100644 --- a/deps/openssl/openssl/CHANGES +++ b/deps/openssl/openssl/CHANGES @@ -2,6 +2,54 @@ OpenSSL CHANGES _______________ + Changes between 1.0.2e and 1.0.2f [28 Jan 2016] + + *) DH small subgroups + + Historically OpenSSL only ever generated DH parameters based on "safe" + primes. More recently (in version 1.0.2) support was provided for + generating X9.42 style parameter files such as those required for RFC 5114 + support. The primes used in such files may not be "safe". Where an + application is using DH configured with parameters based on primes that are + not "safe" then an attacker could use this fact to find a peer's private + DH exponent. This attack requires that the attacker complete multiple + handshakes in which the peer uses the same private DH exponent. For example + this could be used to discover a TLS server's private DH exponent if it's + reusing the private DH exponent or it's using a static DH ciphersuite. + + OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in + TLS. It is not on by default. If the option is not set then the server + reuses the same private DH exponent for the life of the server process and + would be vulnerable to this attack. It is believed that many popular + applications do set this option and would therefore not be at risk. + + The fix for this issue adds an additional check where a "q" parameter is + available (as is the case in X9.42 based parameters). This detects the + only known attack, and is the only possible defense for static DH + ciphersuites. This could have some performance impact. + + Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by + default and cannot be disabled. This could have some performance impact. + + This issue was reported to OpenSSL by Antonio Sanso (Adobe). + (CVE-2016-0701) + [Matt Caswell] + + *) SSLv2 doesn't block disabled ciphers + + A malicious client can negotiate SSLv2 ciphers that have been disabled on + the server and complete SSLv2 handshakes even if all SSLv2 ciphers have + been disabled, provided that the SSLv2 protocol was not also disabled via + SSL_OP_NO_SSLv2. + + This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram + and Sebastian Schinzel. + (CVE-2015-3197) + [Viktor Dukhovni] + + *) Reject DH handshakes with parameters shorter than 1024 bits. + [Kurt Roeckx] + Changes between 1.0.2d and 1.0.2e [3 Dec 2015] *) BN_mod_exp may produce incorrect results on x86_64 diff --git a/deps/openssl/openssl/Configure b/deps/openssl/openssl/Configure index ac86cd6cf6..4a715dc437 100755 --- a/deps/openssl/openssl/Configure +++ b/deps/openssl/openssl/Configure @@ -124,6 +124,9 @@ my $clang_disabled_warnings = "-Wno-unused-parameter -Wno-missing-field-initiali # -Wextended-offsetof my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments"; +# Warn that "make depend" should be run? +my $warn_make_depend = 0; + my $strict_warnings = 0; my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL"; @@ -1513,7 +1516,7 @@ if ($target =~ /\-icc$/) # Intel C compiler # linker only when --prefix is not /usr. if ($target =~ /^BSD\-/) { - $shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|); + $shared_ldflag.=" -Wl,-rpath,\$\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|); } if ($sys_id ne "") @@ -2028,14 +2031,8 @@ EOF &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s'); } if ($depflags ne $default_depflags && !$make_depend) { - print <<EOF; - -Since you've disabled or enabled at least one algorithm, you need to do -the following before building: - - make depend -EOF - } + $warn_make_depend++; + } } # create the ms/version32.rc file if needed @@ -2114,12 +2111,18 @@ EOF print <<\EOF if ($no_shared_warn); -You gave the option 'shared'. Normally, that would give you shared libraries. -Unfortunately, the OpenSSL configuration doesn't include shared library support -for this platform yet, so it will pretend you gave the option 'no-shared'. If -you can inform the developpers (openssl-dev\@openssl.org) how to support shared -libraries on this platform, they will at least look at it and try their best -(but please first make sure you have tried with a current version of OpenSSL). +You gave the option 'shared', which is not supported on this platform, so +we will pretend you gave the option 'no-shared'. If you know how to implement +shared libraries, please let us know (but please first make sure you have +tried with a current version of OpenSSL). +EOF + +print <<EOF if ($warn_make_depend); + +*** Because of configuration changes, you MUST do the following before +*** building: + + make depend EOF exit(0); diff --git a/deps/openssl/openssl/INSTALL b/deps/openssl/openssl/INSTALL index 1325079f2a..679b30d4c7 100644 --- a/deps/openssl/openssl/INSTALL +++ b/deps/openssl/openssl/INSTALL @@ -164,10 +164,10 @@ standard headers). If it is a problem with OpenSSL itself, please report the problem to <openssl-bugs@openssl.org> (note that your message will be recorded in the request tracker publicly readable - via http://www.openssl.org/support/rt.html and will be forwarded to a - public mailing list). Include the output of "make report" in your message. - Please check out the request tracker. Maybe the bug was already - reported or has already been fixed. + at https://www.openssl.org/community/index.html#bugs and will be + forwarded to a public mailing list). Include the output of "make + report" in your message. Please check out the request tracker. Maybe + the bug was already reported or has already been fixed. [If you encounter assembler error messages, try the "no-asm" configuration option as an immediate fix.] diff --git a/deps/openssl/openssl/LICENSE b/deps/openssl/openssl/LICENSE index e47d101f10..fb03713dd1 100644 --- a/deps/openssl/openssl/LICENSE +++ b/deps/openssl/openssl/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2016 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/deps/openssl/openssl/Makefile b/deps/openssl/openssl/Makefile index e2bbb475c7..ee04c02cc1 100644 --- a/deps/openssl/openssl/Makefile +++ b/deps/openssl/openssl/Makefile @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2e +VERSION=1.0.2f MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 @@ -182,8 +182,7 @@ SHARED_LDFLAGS= GENERAL= Makefile BASENAME= openssl NAME= $(BASENAME)-$(VERSION) -TARFILE= $(NAME).tar -WTARFILE= $(NAME)-win.tar +TARFILE= ../$(NAME).tar EXHEADER= e_os2.h HEADER= e_os.h @@ -501,38 +500,35 @@ TABLE: Configure # would occur. Therefore the list of files is temporarily stored into a file # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal # tar does not support the --files-from option. -TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list \ - --owner openssl:0 --group openssl:0 \ - --transform 's|^|openssl-$(VERSION)/|' \ +TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \ + --owner 0 --group 0 \ + --transform 's|^|$(NAME)/|' \ -cvf - -../$(TARFILE).list: +$(TARFILE).list: find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \ - \! -name '*test' \! -name '.#*' \! -name '*~' \ - | sort > ../$(TARFILE).list + \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \ + \! -name '.#*' \! -name '*~' \! -type l \ + | sort > $(TARFILE).list -tar: ../$(TARFILE).list +tar: $(TARFILE).list find . -type d -print | xargs chmod 755 find . -type f -print | xargs chmod a+r find . -type f -perm -0100 -print | xargs chmod a+x - $(TAR_COMMAND) | gzip --best >../$(TARFILE).gz - rm -f ../$(TARFILE).list - ls -l ../$(TARFILE).gz + $(TAR_COMMAND) | gzip --best > $(TARFILE).gz + rm -f $(TARFILE).list + ls -l $(TARFILE).gz -tar-snap: ../$(TARFILE).list - $(TAR_COMMAND) > ../$(TARFILE) - rm -f ../$(TARFILE).list - ls -l ../$(TARFILE) +tar-snap: $(TARFILE).list + $(TAR_COMMAND) > $(TARFILE) + rm -f $(TARFILE).list + ls -l $(TARFILE) dist: $(PERL) Configure dist - @$(MAKE) dist_pem_h @$(MAKE) SDIRS='$(SDIRS)' clean - @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar - -dist_pem_h: - (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) + @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar install: all install_docs install_sw diff --git a/deps/openssl/openssl/Makefile.bak b/deps/openssl/openssl/Makefile.bak index 27eb08cf31..96d8e0f199 100644 --- a/deps/openssl/openssl/Makefile.bak +++ b/deps/openssl/openssl/Makefile.bak @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2e-dev +VERSION=1.0.2f-dev MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 @@ -182,8 +182,7 @@ SHARED_LDFLAGS= GENERAL= Makefile BASENAME= openssl NAME= $(BASENAME)-$(VERSION) -TARFILE= $(NAME).tar -WTARFILE= $(NAME)-win.tar +TARFILE= ../$(NAME).tar EXHEADER= e_os2.h HEADER= e_os.h @@ -501,38 +500,35 @@ TABLE: Configure # would occur. Therefore the list of files is temporarily stored into a file # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal # tar does not support the --files-from option. -TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list \ - --owner openssl:0 --group openssl:0 \ - --transform 's|^|openssl-$(VERSION)/|' \ +TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \ + --owner 0 --group 0 \ + --transform 's|^|$(NAME)/|' \ -cvf - -../$(TARFILE).list: +$(TARFILE).list: find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \ - \! -name '*test' \! -name '.#*' \! -name '*~' \ - | sort > ../$(TARFILE).list + \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \ + \! -name '.#*' \! -name '*~' \! -type l \ + | sort > $(TARFILE).list -tar: ../$(TARFILE).list +tar: $(TARFILE).list find . -type d -print | xargs chmod 755 find . -type f -print | xargs chmod a+r find . -type f -perm -0100 -print | xargs chmod a+x - $(TAR_COMMAND) | gzip --best >../$(TARFILE).gz - rm -f ../$(TARFILE).list - ls -l ../$(TARFILE).gz + $(TAR_COMMAND) | gzip --best > $(TARFILE).gz + rm -f $(TARFILE).list + ls -l $(TARFILE).gz -tar-snap: ../$(TARFILE).list - $(TAR_COMMAND) > ../$(TARFILE) - rm -f ../$(TARFILE).list - ls -l ../$(TARFILE) +tar-snap: $(TARFILE).list + $(TAR_COMMAND) > $(TARFILE) + rm -f $(TARFILE).list + ls -l $(TARFILE) dist: $(PERL) Configure dist - @$(MAKE) dist_pem_h @$(MAKE) SDIRS='$(SDIRS)' clean - @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar - -dist_pem_h: - (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) + @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar install: all install_docs install_sw diff --git a/deps/openssl/openssl/Makefile.org b/deps/openssl/openssl/Makefile.org index 0333644415..76fdbdf6ac 100644 --- a/deps/openssl/openssl/Makefile.org +++ b/deps/openssl/openssl/Makefile.org @@ -180,8 +180,7 @@ SHARED_LDFLAGS= GENERAL= Makefile BASENAME= openssl NAME= $(BASENAME)-$(VERSION) -TARFILE= $(NAME).tar -WTARFILE= $(NAME)-win.tar +TARFILE= ../$(NAME).tar EXHEADER= e_os2.h HEADER= e_os.h @@ -499,38 +498,35 @@ TABLE: Configure # would occur. Therefore the list of files is temporarily stored into a file # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal # tar does not support the --files-from option. -TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list \ - --owner openssl:0 --group openssl:0 \ - --transform 's|^|openssl-$(VERSION)/|' \ +TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \ + --owner 0 --group 0 \ + --transform 's|^|$(NAME)/|' \ -cvf - -../$(TARFILE).list: +$(TARFILE).list: find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \ - \! -name '*test' \! -name '.#*' \! -name '*~' \ - | sort > ../$(TARFILE).list + \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \ + \! -name '.#*' \! -name '*~' \! -type l \ + | sort > $(TARFILE).list -tar: ../$(TARFILE).list +tar: $(TARFILE).list find . -type d -print | xargs chmod 755 find . -type f -print | xargs chmod a+r find . -type f -perm -0100 -print | xargs chmod a+x - $(TAR_COMMAND) | gzip --best >../$(TARFILE).gz - rm -f ../$(TARFILE).list - ls -l ../$(TARFILE).gz + $(TAR_COMMAND) | gzip --best > $(TARFILE).gz + rm -f $(TARFILE).list + ls -l $(TARFILE).gz -tar-snap: ../$(TARFILE).list - $(TAR_COMMAND) > ../$(TARFILE) - rm -f ../$(TARFILE).list - ls -l ../$(TARFILE) +tar-snap: $(TARFILE).list + $(TAR_COMMAND) > $(TARFILE) + rm -f $(TARFILE).list + ls -l $(TARFILE) dist: $(PERL) Configure dist - @$(MAKE) dist_pem_h @$(MAKE) SDIRS='$(SDIRS)' clean - @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar - -dist_pem_h: - (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) + @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar install: all install_docs install_sw diff --git a/deps/openssl/openssl/NEWS b/deps/openssl/openssl/NEWS index e1c78f834f..06c77025e9 100644 --- a/deps/openssl/openssl/NEWS +++ b/deps/openssl/openssl/NEWS @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016] + + o DH small subgroups (CVE-2016-0701) + o SSLv2 doesn't block disabled ciphers (CVE-2015-3197) + Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015] o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193) diff --git a/deps/openssl/openssl/README b/deps/openssl/openssl/README index 49c4c9f147..1e9869daee 100644 --- a/deps/openssl/openssl/README +++ b/deps/openssl/openssl/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.2e 3 Dec 2015 + OpenSSL 1.0.2f 28 Jan 2016 Copyright (c) 1998-2015 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson @@ -90,11 +90,12 @@ In order to avoid spam, this is a moderated mailing list, and it might take a day for the ticket to show up. (We also scan posts to make sure - that security disclosures aren't publically posted by mistake.) Mail to - this address is recorded in the public RT (request tracker) database (see - https://www.openssl.org/support/rt.html for details) and also forwarded - the public openssl-dev mailing list. Confidential mail may be sent to - openssl-security@openssl.org (PGP key available from the key servers). + that security disclosures aren't publically posted by mistake.) Mail + to this address is recorded in the public RT (request tracker) database + (see https://www.openssl.org/community/index.html#bugs for details) and + also forwarded the public openssl-dev mailing list. Confidential mail + may be sent to openssl-security@openssl.org (PGP key available from the + key servers). Please do NOT use this for general assistance or support queries. Just because something doesn't work the way you expect does not mean it diff --git a/deps/openssl/openssl/apps/app_rand.c b/deps/openssl/openssl/apps/app_rand.c index ef0dd2ba8c..7f40bba764 100644 --- a/deps/openssl/openssl/apps/app_rand.c +++ b/deps/openssl/openssl/apps/app_rand.c @@ -124,13 +124,7 @@ int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn) char buffer[200]; #ifdef OPENSSL_SYS_WINDOWS - /* - * allocate 2 to dont_warn not to use RAND_screen() via - * -no_rand_screen option in s_client - */ - if (dont_warn != 2) { - RAND_screen(); - } + RAND_screen(); #endif if (file == NULL) diff --git a/deps/openssl/openssl/apps/engine.c b/deps/openssl/openssl/apps/engine.c index 460ec60cb1..f54631b50d 100644 --- a/deps/openssl/openssl/apps/engine.c +++ b/deps/openssl/openssl/apps/engine.c @@ -1,4 +1,4 @@ -/* apps/engine.c -*- mode: C; c-file-style: "eay" -*- */ +/* apps/engine.c */ /* * Written by Richard Levitte <richard@levitte.org> for the OpenSSL project * 2000. diff --git a/deps/openssl/openssl/apps/md4.c b/deps/openssl/openssl/apps/md4.c deleted file mode 120000 index 03269af9bc..0000000000 --- a/deps/openssl/openssl/apps/md4.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/md4/md4.c
\ No newline at end of file diff --git a/deps/openssl/openssl/apps/ocsp.c b/deps/openssl/openssl/apps/ocsp.c index 6ed255d4b5..5da51df514 100644 --- a/deps/openssl/openssl/apps/ocsp.c +++ b/deps/openssl/openssl/apps/ocsp.c @@ -1041,7 +1041,7 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, bs = OCSP_BASICRESP_new(); thisupd = X509_gmtime_adj(NULL, 0); if (ndays != -1) - nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24); + nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL); /* Examine each certificate id in the request */ for (i = 0; i < id_count; i++) { diff --git a/deps/openssl/openssl/apps/pkcs12.c b/deps/openssl/openssl/apps/pkcs12.c index e41b445a50..cbb75b7d5f 100644 --- a/deps/openssl/openssl/apps/pkcs12.c +++ b/deps/openssl/openssl/apps/pkcs12.c @@ -79,7 +79,8 @@ const EVP_CIPHER *enc; # define CLCERTS 0x8 # define CACERTS 0x10 -int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain); +static int get_cert_chain(X509 *cert, X509_STORE *store, + STACK_OF(X509) **chain); int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass); int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, @@ -594,7 +595,7 @@ int MAIN(int argc, char **argv) vret = get_cert_chain(ucert, store, &chain2); X509_STORE_free(store); - if (!vret) { + if (vret == X509_V_OK) { /* Exclude verified certificate */ for (i = 1; i < sk_X509_num(chain2); i++) sk_X509_push(certs, sk_X509_value(chain2, i)); @@ -602,7 +603,7 @@ int MAIN(int argc, char **argv) X509_free(sk_X509_value(chain2, 0)); sk_X509_free(chain2); } else { - if (vret >= 0) + if (vret != X509_V_ERR_UNSPECIFIED) BIO_printf(bio_err, "Error %s getting chain.\n", X509_verify_cert_error_string(vret)); else @@ -906,36 +907,25 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass, /* Given a single certificate return a verified chain or NULL if error */ -/* Hope this is OK .... */ - -int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) +static int get_cert_chain(X509 *cert, X509_STORE *store, + STACK_OF(X509) **chain) { X509_STORE_CTX store_ctx; - STACK_OF(X509) *chn; + STACK_OF(X509) *chn = NULL; int i = 0; - /* - * FIXME: Should really check the return status of X509_STORE_CTX_init - * for an error, but how that fits into the return value of this function - * is less obvious. - */ - X509_STORE_CTX_init(&store_ctx, store, cert, NULL); - if (X509_verify_cert(&store_ctx) <= 0) { - i = X509_STORE_CTX_get_error(&store_ctx); - if (i == 0) - /* - * avoid returning 0 if X509_verify_cert() did not set an - * appropriate error value in the context - */ - i = -1; - chn = NULL; - goto err; - } else + if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) { + *chain = NULL; + return X509_V_ERR_UNSPECIFIED; + } + + if (X509_verify_cert(&store_ctx) > 0) chn = X509_STORE_CTX_get1_chain(&store_ctx); - err: + else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0) + i = X509_V_ERR_UNSPECIFIED; + X509_STORE_CTX_cleanup(&store_ctx); *chain = chn; - return i; } diff --git a/deps/openssl/openssl/apps/pkeyutl.c b/deps/openssl/openssl/apps/pkeyutl.c index aaa90740ad..501fd6304a 100644 --- a/deps/openssl/openssl/apps/pkeyutl.c +++ b/deps/openssl/openssl/apps/pkeyutl.c @@ -74,10 +74,11 @@ static void usage(void); static EVP_PKEY_CTX *init_ctx(int *pkeysize, char *keyfile, int keyform, int key_type, - char *passargin, int pkey_op, ENGINE *e); + char *passargin, int pkey_op, ENGINE *e, + int impl); static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, - const char *file); + const char *file, ENGINE* e); static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, unsigned char *out, size_t *poutlen, @@ -97,6 +98,7 @@ int MAIN(int argc, char **argv) EVP_PKEY_CTX *ctx = NULL; char *passargin = NULL; int keysize = -1; + int engine_impl = 0; unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL; size_t buf_outlen; @@ -137,7 +139,7 @@ int MAIN(int argc, char **argv) else { ctx = init_ctx(&keysize, *(++argv), keyform, key_type, - passargin, pkey_op, e); + passargin, pkey_op, e, engine_impl); if (!ctx) { BIO_puts(bio_err, "Error initializing context\n"); ERR_print_errors(bio_err); @@ -147,7 +149,7 @@ int MAIN(int argc, char **argv) } else if (!strcmp(*argv, "-peerkey")) { if (--argc < 1) badarg = 1; - else if (!setup_peer(bio_err, ctx, peerform, *(++argv))) + else if (!setup_peer(bio_err, ctx, peerform, *(++argv), e)) badarg = 1; } else if (!strcmp(*argv, "-passin")) { if (--argc < 1) @@ -171,6 +173,8 @@ int MAIN(int argc, char **argv) badarg = 1; else e = setup_engine(bio_err, *(++argv), 0); + } else if (!strcmp(*argv, "-engine_impl")) { + engine_impl = 1; } #endif else if (!strcmp(*argv, "-pubin")) @@ -368,7 +372,8 @@ static void usage() BIO_printf(bio_err, "-hexdump hex dump output\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, - "-engine e use engine e, possibly a hardware device.\n"); + "-engine e use engine e, maybe a hardware device, for loading keys.\n"); + BIO_printf(bio_err, "-engine_impl also use engine given by -engine for crypto operations\n"); #endif BIO_printf(bio_err, "-passin arg pass phrase source\n"); @@ -376,10 +381,12 @@ static void usage() static EVP_PKEY_CTX *init_ctx(int *pkeysize, char *keyfile, int keyform, int key_type, - char *passargin, int pkey_op, ENGINE *e) + char *passargin, int pkey_op, ENGINE *e, + int engine_impl) { EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; + ENGINE *impl = NULL; char *passin = NULL; int rv = -1; X509 *x; @@ -419,7 +426,12 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize, if (!pkey) goto end; - ctx = EVP_PKEY_CTX_new(pkey, e); +#ifndef OPENSSL_NO_ENGINE + if (engine_impl) + impl = e; +#endif + + ctx = EVP_PKEY_CTX_new(pkey, impl); EVP_PKEY_free(pkey); @@ -467,16 +479,20 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize, } static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform, - const char *file) + const char *file, ENGINE* e) { EVP_PKEY *peer = NULL; + ENGINE* engine = NULL; int ret; if (!ctx) { BIO_puts(err, "-peerkey command before -inkey\n"); return 0; } - peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key"); + if (peerform == FORMAT_ENGINE) + engine = e; + + peer = load_pubkey(bio_err, file, peerform, 0, NULL, engine, "Peer Key"); if (!peer) { BIO_printf(bio_err, "Error reading peer key %s\n", file); diff --git a/deps/openssl/openssl/apps/s_client.c b/deps/openssl/openssl/apps/s_client.c index 95fe6d48c7..022ca6cf6b 100644 --- a/deps/openssl/openssl/apps/s_client.c +++ b/deps/openssl/openssl/apps/s_client.c @@ -236,7 +236,6 @@ static BIO *bio_c_msg = NULL; static int c_quiet = 0; static int c_ign_eof = 0; static int c_brief = 0; -static int c_no_rand_screen = 0; #ifndef OPENSSL_NO_PSK /* Default PSK identity and key */ @@ -316,7 +315,7 @@ static void sc_usage(void) " -connect host:port - who to connect to (default is %s:%s)\n", SSL_HOST_NAME, PORT_STR); BIO_printf(bio_err, - " -verify_host host - check peer certificate matches \"host\"\n"); + " -verify_hostname host - check peer certificate matches \"host\"\n"); BIO_printf(bio_err, " -verify_email email - check peer certificate matches \"email\"\n"); BIO_printf(bio_err, @@ -457,10 +456,6 @@ static void sc_usage(void) " -keymatexport label - Export keying material using label\n"); BIO_printf(bio_err, " -keymatexportlen len - Export len bytes of keying material (default 20)\n"); -#ifdef OPENSSL_SYS_WINDOWS - BIO_printf(bio_err, - " -no_rand_screen - Do not use RAND_screen() to initialize random state\n"); -#endif } #ifndef OPENSSL_NO_TLSEXT @@ -1140,10 +1135,6 @@ int MAIN(int argc, char **argv) keymatexportlen = atoi(*(++argv)); if (keymatexportlen == 0) goto bad; -#ifdef OPENSSL_SYS_WINDOWS - } else if (strcmp(*argv, "-no_rand_screen") == 0) { - c_no_rand_screen = 1; -#endif } else { BIO_printf(bio_err, "unknown option %s\n", *argv); badop = 1; @@ -1249,7 +1240,7 @@ int MAIN(int argc, char **argv) if (!load_excert(&exc, bio_err)) goto end; - if (!app_RAND_load_file(NULL, bio_err, ++c_no_rand_screen) && inrand == NULL + if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL && !RAND_status()) { BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n"); diff --git a/deps/openssl/openssl/apps/s_server.c b/deps/openssl/openssl/apps/s_server.c index f19532b75f..65cbaaf6eb 100644 --- a/deps/openssl/openssl/apps/s_server.c +++ b/deps/openssl/openssl/apps/s_server.c @@ -498,7 +498,7 @@ static void sv_usage(void) BIO_printf(bio_err, " -accept arg - port to accept on (default is %d)\n", PORT); BIO_printf(bio_err, - " -verify_host host - check peer certificate matches \"host\"\n"); + " -verify_hostname host - check peer certificate matches \"host\"\n"); BIO_printf(bio_err, " -verify_email email - check peer certificate matches \"email\"\n"); BIO_printf(bio_err, diff --git a/deps/openssl/openssl/apps/speed.c b/deps/openssl/openssl/apps/speed.c index 3697b71ec1..95adcc19cc 100644 --- a/deps/openssl/openssl/apps/speed.c +++ b/deps/openssl/openssl/apps/speed.c @@ -1,4 +1,4 @@ -/* apps/speed.c -*- mode:C; c-file-style: "eay" -*- */ +/* apps/speed.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * diff --git a/deps/openssl/openssl/apps/x509.c b/deps/openssl/openssl/apps/x509.c index 864a60dda2..7c215bced0 100644 --- a/deps/openssl/openssl/apps/x509.c +++ b/deps/openssl/openssl/apps/x509.c @@ -1226,12 +1226,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL) goto err; - /* Lets just make it 12:00am GMT, Jan 1 1970 */ - /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */ - /* 28 days to be certified */ - - if (X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days) == - NULL) + if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL) goto err; if (!X509_set_pubkey(x, pkey)) diff --git a/deps/openssl/openssl/crypto/aes/aes.h b/deps/openssl/openssl/crypto/aes/aes.h index 87bf60f6f2..faa66c4914 100644 --- a/deps/openssl/openssl/crypto/aes/aes.h +++ b/deps/openssl/openssl/crypto/aes/aes.h @@ -1,4 +1,4 @@ -/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes.h */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/aes/aes_cbc.c b/deps/openssl/openssl/crypto/aes/aes_cbc.c index e39231f17c..805d0e260a 100644 --- a/deps/openssl/openssl/crypto/aes/aes_cbc.c +++ b/deps/openssl/openssl/crypto/aes/aes_cbc.c @@ -1,4 +1,4 @@ -/* crypto/aes/aes_cbc.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_cbc.c */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/aes/aes_cfb.c b/deps/openssl/openssl/crypto/aes/aes_cfb.c index 1c79ce2dba..1225000963 100644 --- a/deps/openssl/openssl/crypto/aes/aes_cfb.c +++ b/deps/openssl/openssl/crypto/aes/aes_cfb.c @@ -1,4 +1,4 @@ -/* crypto/aes/aes_cfb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_cfb.c */ /* ==================================================================== * Copyright (c) 2002-2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/aes/aes_core.c b/deps/openssl/openssl/crypto/aes/aes_core.c index 2ddb0860d7..7019b5d7aa 100644 --- a/deps/openssl/openssl/crypto/aes/aes_core.c +++ b/deps/openssl/openssl/crypto/aes/aes_core.c @@ -1,4 +1,4 @@ -/* crypto/aes/aes_core.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_core.c */ /** * rijndael-alg-fst.c * diff --git a/deps/openssl/openssl/crypto/aes/aes_ctr.c b/deps/openssl/openssl/crypto/aes/aes_ctr.c index 3ee3822998..9e760c4b12 100644 --- a/deps/openssl/openssl/crypto/aes/aes_ctr.c +++ b/deps/openssl/openssl/crypto/aes/aes_ctr.c @@ -1,4 +1,4 @@ -/* crypto/aes/aes_ctr.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_ctr.c */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/aes/aes_ecb.c b/deps/openssl/openssl/crypto/aes/aes_ecb.c index 2e0d20ca22..52151a5c70 100644 --- a/deps/openssl/openssl/crypto/aes/aes_ecb.c +++ b/deps/openssl/openssl/crypto/aes/aes_ecb.c @@ -1,4 +1,4 @@ -/* crypto/aes/aes_ecb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_ecb.c */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/aes/aes_ige.c b/deps/openssl/openssl/crypto/aes/aes_ige.c index cf31c9bba4..8f2b770647 100644 --- a/deps/openssl/openssl/crypto/aes/aes_ige.c +++ b/deps/openssl/openssl/crypto/aes/aes_ige.c @@ -1,4 +1,4 @@ -/* crypto/aes/aes_ige.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_ige.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/aes/aes_locl.h b/deps/openssl/openssl/crypto/aes/aes_locl.h index fabfd02ac0..7acd74ec16 100644 --- a/deps/openssl/openssl/crypto/aes/aes_locl.h +++ b/deps/openssl/openssl/crypto/aes/aes_locl.h @@ -1,4 +1,4 @@ -/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes.h */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/aes/aes_misc.c b/deps/openssl/openssl/crypto/aes/aes_misc.c index ab948ad85e..fafad4d6f5 100644 --- a/deps/openssl/openssl/crypto/aes/aes_misc.c +++ b/deps/openssl/openssl/crypto/aes/aes_misc.c @@ -1,4 +1,4 @@ -/* crypto/aes/aes_misc.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_misc.c */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/aes/aes_ofb.c b/deps/openssl/openssl/crypto/aes/aes_ofb.c index e6153f99ba..64a08caaec 100644 --- a/deps/openssl/openssl/crypto/aes/aes_ofb.c +++ b/deps/openssl/openssl/crypto/aes/aes_ofb.c @@ -1,4 +1,4 @@ -/* crypto/aes/aes_ofb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_ofb.c */ /* ==================================================================== * Copyright (c) 2002-2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/aes/aes_x86core.c b/deps/openssl/openssl/crypto/aes/aes_x86core.c index c869ed7198..b5dd697677 100644 --- a/deps/openssl/openssl/crypto/aes/aes_x86core.c +++ b/deps/openssl/openssl/crypto/aes/aes_x86core.c @@ -1,4 +1,4 @@ -/* crypto/aes/aes_core.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_core.c */ /** * rijndael-alg-fst.c * diff --git a/deps/openssl/openssl/crypto/aes/asm/aesni-mb-x86_64.pl b/deps/openssl/openssl/crypto/aes/asm/aesni-mb-x86_64.pl index 5a100fa898..d7ad7882c4 100644 --- a/deps/openssl/openssl/crypto/aes/asm/aesni-mb-x86_64.pl +++ b/deps/openssl/openssl/crypto/aes/asm/aesni-mb-x86_64.pl @@ -63,7 +63,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $avx = ($1>=10) + ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/deps/openssl/openssl/crypto/aes/asm/aesni-sha1-x86_64.pl b/deps/openssl/openssl/crypto/aes/asm/aesni-sha1-x86_64.pl index c803cdebc1..8c84260856 100644 --- a/deps/openssl/openssl/crypto/aes/asm/aesni-sha1-x86_64.pl +++ b/deps/openssl/openssl/crypto/aes/asm/aesni-sha1-x86_64.pl @@ -94,7 +94,7 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) && $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && `ml64 2>&1` =~ /Version ([0-9]+)\./ && $1>=10); -$avx=1 if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/ && $2>=3.0); +$avx=1 if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/ && $2>=3.0); $shaext=1; ### set to zero if compiling for 1.0.1 diff --git a/deps/openssl/openssl/crypto/aes/asm/aesni-sha256-x86_64.pl b/deps/openssl/openssl/crypto/aes/asm/aesni-sha256-x86_64.pl index bfe29268c7..72f44ecf62 100644 --- a/deps/openssl/openssl/crypto/aes/asm/aesni-sha256-x86_64.pl +++ b/deps/openssl/openssl/crypto/aes/asm/aesni-sha256-x86_64.pl @@ -59,7 +59,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $avx = ($1>=10) + ($1>=12); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/deps/openssl/openssl/crypto/bio/bio.h b/deps/openssl/openssl/crypto/bio/bio.h index f78796b069..6e2293bc66 100644 --- a/deps/openssl/openssl/crypto/bio/bio.h +++ b/deps/openssl/openssl/crypto/bio/bio.h @@ -479,11 +479,11 @@ struct bio_dgram_sctp_prinfo { # define BIO_get_conn_hostname(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0) # define BIO_get_conn_port(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1) # define BIO_get_conn_ip(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2) -# define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3,0) +# define BIO_get_conn_int_port(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,0,NULL) # define BIO_set_nbio(b,n) BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) -/* BIO_s_accept_socket() */ +/* BIO_s_accept() */ # define BIO_set_accept_port(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0,(char *)name) # define BIO_get_accept_port(b) BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0) /* #define BIO_set_nbio(b,n) BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) */ @@ -496,6 +496,7 @@ struct bio_dgram_sctp_prinfo { # define BIO_set_bind_mode(b,mode) BIO_ctrl(b,BIO_C_SET_BIND_MODE,mode,NULL) # define BIO_get_bind_mode(b,mode) BIO_ctrl(b,BIO_C_GET_BIND_MODE,0,NULL) +/* BIO_s_accept() and BIO_s_connect() */ # define BIO_do_connect(b) BIO_do_handshake(b) # define BIO_do_accept(b) BIO_do_handshake(b) # define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL) @@ -515,12 +516,15 @@ struct bio_dgram_sctp_prinfo { # define BIO_get_url(b,url) BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,2,(char *)(url)) # define BIO_get_no_connect_return(b) BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,5,NULL) +/* BIO_s_datagram(), BIO_s_fd(), BIO_s_socket(), BIO_s_accept() and BIO_s_connect() */ # define BIO_set_fd(b,fd,c) BIO_int_ctrl(b,BIO_C_SET_FD,c,fd) # define BIO_get_fd(b,c) BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c) +/* BIO_s_file() */ # define BIO_set_fp(b,fp,c) BIO_ctrl(b,BIO_C_SET_FILE_PTR,c,(char *)fp) # define BIO_get_fp(b,fpp) BIO_ctrl(b,BIO_C_GET_FILE_PTR,0,(char *)fpp) +/* BIO_s_fd() and BIO_s_file() */ # define BIO_seek(b,ofs) (int)BIO_ctrl(b,BIO_C_FILE_SEEK,ofs,NULL) # define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL) diff --git a/deps/openssl/openssl/crypto/bio/bss_bio.c b/deps/openssl/openssl/crypto/bio/bss_bio.c index d629a37a5a..4d8727f8f8 100644 --- a/deps/openssl/openssl/crypto/bio/bss_bio.c +++ b/deps/openssl/openssl/crypto/bio/bss_bio.c @@ -1,4 +1,4 @@ -/* crypto/bio/bss_bio.c -*- Mode: C; c-file-style: "eay" -*- */ +/* crypto/bio/bss_bio.c */ /* ==================================================================== * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/bio/bss_conn.c b/deps/openssl/openssl/crypto/bio/bss_conn.c index 42d0afffbc..7d15ad29dc 100644 --- a/deps/openssl/openssl/crypto/bio/bss_conn.c +++ b/deps/openssl/openssl/crypto/bio/bss_conn.c @@ -419,7 +419,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) { BIO *dbio; int *ip; - const char **pptr; + const char **pptr = NULL; long ret = 1; BIO_CONNECT *data; @@ -442,19 +442,28 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_C_GET_CONNECT: if (ptr != NULL) { pptr = (const char **)ptr; - if (num == 0) { - *pptr = data->param_hostname; + } - } else if (num == 1) { - *pptr = data->param_port; - } else if (num == 2) { - *pptr = (char *)&(data->ip[0]); - } else if (num == 3) { - *((int *)ptr) = data->port; + if (b->init) { + if (pptr != NULL) { + ret = 1; + if (num == 0) { + *pptr = data->param_hostname; + } else if (num == 1) { + *pptr = data->param_port; + } else if (num == 2) { + *pptr = (char *)&(data->ip[0]); + } else { + ret = 0; + } + } + if (num == 3) { + ret = data->port; } - if ((!b->init) || (ptr == NULL)) + } else { + if (pptr != NULL) *pptr = "not initialized"; - ret = 1; + ret = 0; } break; case BIO_C_SET_CONNECT: diff --git a/deps/openssl/openssl/crypto/bio/bss_dgram.c b/deps/openssl/openssl/crypto/bio/bss_dgram.c index 7fcd831da0..bdd7bf88ea 100644 --- a/deps/openssl/openssl/crypto/bio/bss_dgram.c +++ b/deps/openssl/openssl/crypto/bio/bss_dgram.c @@ -519,10 +519,8 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) switch (cmd) { case BIO_CTRL_RESET: num = 0; - case BIO_C_FILE_SEEK: ret = 0; break; - case BIO_C_FILE_TELL: case BIO_CTRL_INFO: ret = 0; break; diff --git a/deps/openssl/openssl/crypto/bn/asm/rsaz-x86_64.pl b/deps/openssl/openssl/crypto/bn/asm/rsaz-x86_64.pl index 12b571c282..091cdc2069 100755 --- a/deps/openssl/openssl/crypto/bn/asm/rsaz-x86_64.pl +++ b/deps/openssl/openssl/crypto/bn/asm/rsaz-x86_64.pl @@ -113,7 +113,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=12); } -if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9])\.([0-9]+)/) { my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10 $addx = ($ver>=3.03); } diff --git a/deps/openssl/openssl/crypto/bn/asm/x86_64-mont.pl b/deps/openssl/openssl/crypto/bn/asm/x86_64-mont.pl index 725833d022..e82e451388 100755 --- a/deps/openssl/openssl/crypto/bn/asm/x86_64-mont.pl +++ b/deps/openssl/openssl/crypto/bn/asm/x86_64-mont.pl @@ -68,7 +68,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=12); } -if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9])\.([0-9]+)/) { my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10 $addx = ($ver>=3.03); } diff --git a/deps/openssl/openssl/crypto/bn/asm/x86_64-mont5.pl b/deps/openssl/openssl/crypto/bn/asm/x86_64-mont5.pl index 64e668f140..292409c4ff 100755 --- a/deps/openssl/openssl/crypto/bn/asm/x86_64-mont5.pl +++ b/deps/openssl/openssl/crypto/bn/asm/x86_64-mont5.pl @@ -53,7 +53,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=12); } -if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9])\.([0-9]+)/) { my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10 $addx = ($ver>=3.03); } diff --git a/deps/openssl/openssl/crypto/bn/bn_exp.c b/deps/openssl/openssl/crypto/bn/bn_exp.c index 50cf3231b0..6d30d1e0ff 100644 --- a/deps/openssl/openssl/crypto/bn/bn_exp.c +++ b/deps/openssl/openssl/crypto/bn/bn_exp.c @@ -282,9 +282,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, } bits = BN_num_bits(p); - if (bits == 0) { - ret = BN_one(r); + /* x**0 mod 1 is still zero. */ + if (BN_is_one(m)) { + ret = 1; + BN_zero(r); + } else { + ret = BN_one(r); + } return ret; } @@ -418,7 +423,13 @@ int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, } bits = BN_num_bits(p); if (bits == 0) { - ret = BN_one(rr); + /* x**0 mod 1 is still zero. */ + if (BN_is_one(m)) { + ret = 1; + BN_zero(rr); + } else { + ret = BN_one(rr); + } return ret; } @@ -639,7 +650,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, * precomputation memory layout to limit data-dependency to a minimum to * protect secret exponents (cf. the hyper-threading timing attacks pointed * out by Colin Percival, - * http://www.daemong-consideredperthreading-considered-harmful/) + * http://www.daemonology.net/hyperthreading-considered-harmful/) */ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, @@ -671,7 +682,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, bits = BN_num_bits(p); if (bits == 0) { - ret = BN_one(rr); + /* x**0 mod 1 is still zero. */ + if (BN_is_one(m)) { + ret = 1; + BN_zero(rr); + } else { + ret = BN_one(rr); + } return ret; } @@ -1182,8 +1199,9 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, if (BN_is_one(m)) { ret = 1; BN_zero(rr); - } else + } else { ret = BN_one(rr); + } return ret; } if (a == 0) { @@ -1297,9 +1315,14 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, } bits = BN_num_bits(p); - - if (bits == 0) { - ret = BN_one(r); + if (bits == 0) { + /* x**0 mod 1 is still zero. */ + if (BN_is_one(m)) { + ret = 1; + BN_zero(r); + } else { + ret = BN_one(r); + } return ret; } diff --git a/deps/openssl/openssl/crypto/bn/exptest.c b/deps/openssl/openssl/crypto/bn/exptest.c index 8b3a4bae43..ac611c2e26 100644 --- a/deps/openssl/openssl/crypto/bn/exptest.c +++ b/deps/openssl/openssl/crypto/bn/exptest.c @@ -73,14 +73,34 @@ static const char rnd_seed[] = "string to make the random number generator think it has entropy"; /* + * Test that r == 0 in test_exp_mod_zero(). Returns one on success, + * returns zero and prints debug output otherwise. + */ +static int a_is_zero_mod_one(const char *method, const BIGNUM *r, + const BIGNUM *a) { + if (!BN_is_zero(r)) { + fprintf(stderr, "%s failed:\n", method); + fprintf(stderr, "a ** 0 mod 1 = r (should be 0)\n"); + fprintf(stderr, "a = "); + BN_print_fp(stderr, a); + fprintf(stderr, "\nr = "); + BN_print_fp(stderr, r); + fprintf(stderr, "\n"); + return 0; + } + return 1; +} + +/* * test_exp_mod_zero tests that x**0 mod 1 == 0. It returns zero on success. */ static int test_exp_mod_zero() { BIGNUM a, p, m; BIGNUM r; + BN_ULONG one_word = 1; BN_CTX *ctx = BN_CTX_new(); - int ret = 1; + int ret = 1, failed = 0; BN_init(&m); BN_one(&m); @@ -92,21 +112,65 @@ static int test_exp_mod_zero() BN_zero(&p); BN_init(&r); - BN_mod_exp(&r, &a, &p, &m, ctx); - BN_CTX_free(ctx); - if (BN_is_zero(&r)) - ret = 0; - else { - printf("1**0 mod 1 = "); - BN_print_fp(stdout, &r); - printf(", should be 0\n"); + if (!BN_rand(&a, 1024, 0, 0)) + goto err; + + if (!BN_mod_exp(&r, &a, &p, &m, ctx)) + goto err; + + if (!a_is_zero_mod_one("BN_mod_exp", &r, &a)) + failed = 1; + + if (!BN_mod_exp_recp(&r, &a, &p, &m, ctx)) + goto err; + + if (!a_is_zero_mod_one("BN_mod_exp_recp", &r, &a)) + failed = 1; + + if (!BN_mod_exp_simple(&r, &a, &p, &m, ctx)) + goto err; + + if (!a_is_zero_mod_one("BN_mod_exp_simple", &r, &a)) + failed = 1; + + if (!BN_mod_exp_mont(&r, &a, &p, &m, ctx, NULL)) + goto err; + + if (!a_is_zero_mod_one("BN_mod_exp_mont", &r, &a)) + failed = 1; + + if (!BN_mod_exp_mont_consttime(&r, &a, &p, &m, ctx, NULL)) { + goto err; + } + + if (!a_is_zero_mod_one("BN_mod_exp_mont_consttime", &r, &a)) + failed = 1; + + /* + * A different codepath exists for single word multiplication + * in non-constant-time only. + */ + if (!BN_mod_exp_mont_word(&r, one_word, &p, &m, ctx, NULL)) + goto err; + + if (!BN_is_zero(&r)) { + fprintf(stderr, "BN_mod_exp_mont_word failed:\n"); + fprintf(stderr, "1 ** 0 mod 1 = r (should be 0)\n"); + fprintf(stderr, "r = "); + BN_print_fp(stderr, &r); + fprintf(stderr, "\n"); + return 0; } + ret = failed; + + err: BN_free(&r); BN_free(&a); BN_free(&p); BN_free(&m); + BN_CTX_free(ctx); return ret; } diff --git a/deps/openssl/openssl/crypto/camellia/camellia.c b/deps/openssl/openssl/crypto/camellia/camellia.c index b4a6766c62..719fa61cf6 100644 --- a/deps/openssl/openssl/crypto/camellia/camellia.c +++ b/deps/openssl/openssl/crypto/camellia/camellia.c @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia.c */ /* ==================================================================== * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) . * ALL RIGHTS RESERVED. @@ -67,7 +67,7 @@ /* * Algorithm Specification - * http://info.isl.llia/specicrypt/eng/camellia/specifications.html + * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* diff --git a/deps/openssl/openssl/crypto/camellia/camellia.h b/deps/openssl/openssl/crypto/camellia/camellia.h index 9be7c0fd99..45e8d25b1d 100644 --- a/deps/openssl/openssl/crypto/camellia/camellia.h +++ b/deps/openssl/openssl/crypto/camellia/camellia.h @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia.h */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/camellia/cmll_cbc.c b/deps/openssl/openssl/crypto/camellia/cmll_cbc.c index a4907ca05f..4017e00d92 100644 --- a/deps/openssl/openssl/crypto/camellia/cmll_cbc.c +++ b/deps/openssl/openssl/crypto/camellia/cmll_cbc.c @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_cbc.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_cbc.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/camellia/cmll_cfb.c b/deps/openssl/openssl/crypto/camellia/cmll_cfb.c index 59b85225c3..78f2ae4566 100644 --- a/deps/openssl/openssl/crypto/camellia/cmll_cfb.c +++ b/deps/openssl/openssl/crypto/camellia/cmll_cfb.c @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_cfb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_cfb.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/camellia/cmll_ctr.c b/deps/openssl/openssl/crypto/camellia/cmll_ctr.c index b8f523d446..95e26621b7 100644 --- a/deps/openssl/openssl/crypto/camellia/cmll_ctr.c +++ b/deps/openssl/openssl/crypto/camellia/cmll_ctr.c @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_ctr.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_ctr.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/camellia/cmll_ecb.c b/deps/openssl/openssl/crypto/camellia/cmll_ecb.c index 16f1af86ac..b030791b27 100644 --- a/deps/openssl/openssl/crypto/camellia/cmll_ecb.c +++ b/deps/openssl/openssl/crypto/camellia/cmll_ecb.c @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_ecb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_ecb.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/camellia/cmll_locl.h b/deps/openssl/openssl/crypto/camellia/cmll_locl.h index 4e4707b621..2bd79b8c4e 100644 --- a/deps/openssl/openssl/crypto/camellia/cmll_locl.h +++ b/deps/openssl/openssl/crypto/camellia/cmll_locl.h @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_locl.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_locl.h */ /* ==================================================================== * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) . * ALL RIGHTS RESERVED. diff --git a/deps/openssl/openssl/crypto/camellia/cmll_misc.c b/deps/openssl/openssl/crypto/camellia/cmll_misc.c index cbd250227b..694d2fac8f 100644 --- a/deps/openssl/openssl/crypto/camellia/cmll_misc.c +++ b/deps/openssl/openssl/crypto/camellia/cmll_misc.c @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_misc.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/camellia/cmll_ofb.c b/deps/openssl/openssl/crypto/camellia/cmll_ofb.c index 46c3ae2af7..85eb892156 100644 --- a/deps/openssl/openssl/crypto/camellia/cmll_ofb.c +++ b/deps/openssl/openssl/crypto/camellia/cmll_ofb.c @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_ofb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_ofb.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/camellia/cmll_utl.c b/deps/openssl/openssl/crypto/camellia/cmll_utl.c index d19ee19317..d5eb6b4d68 100644 --- a/deps/openssl/openssl/crypto/camellia/cmll_utl.c +++ b/deps/openssl/openssl/crypto/camellia/cmll_utl.c @@ -1,4 +1,4 @@ -/* crypto/camellia/cmll_utl.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/cmll_utl.c */ /* ==================================================================== * Copyright (c) 2011 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/des/des_old.c b/deps/openssl/openssl/crypto/des/des_old.c index 54b0968e66..c5c5a00f00 100644 --- a/deps/openssl/openssl/crypto/des/des_old.c +++ b/deps/openssl/openssl/crypto/des/des_old.c @@ -1,4 +1,4 @@ -/* crypto/des/des_old.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/des/des_old.c */ /*- * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING diff --git a/deps/openssl/openssl/crypto/des/des_old.h b/deps/openssl/openssl/crypto/des/des_old.h index f1e1e2cb09..ee7607a241 100644 --- a/deps/openssl/openssl/crypto/des/des_old.h +++ b/deps/openssl/openssl/crypto/des/des_old.h @@ -1,4 +1,4 @@ -/* crypto/des/des_old.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/des/des_old.h */ /*- * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING diff --git a/deps/openssl/openssl/crypto/des/des_old2.c b/deps/openssl/openssl/crypto/des/des_old2.c index f7d28a6713..247ff8dcf8 100644 --- a/deps/openssl/openssl/crypto/des/des_old2.c +++ b/deps/openssl/openssl/crypto/des/des_old2.c @@ -1,4 +1,4 @@ -/* crypto/des/des_old.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/des/des_old.c */ /* * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING The diff --git a/deps/openssl/openssl/crypto/dh/dh.h b/deps/openssl/openssl/crypto/dh/dh.h index b177673281..5498a9dc10 100644 --- a/deps/openssl/openssl/crypto/dh/dh.h +++ b/deps/openssl/openssl/crypto/dh/dh.h @@ -174,6 +174,7 @@ struct dh_st { /* DH_check_pub_key error codes */ # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 # define DH_CHECK_PUBKEY_TOO_LARGE 0x02 +# define DH_CHECK_PUBKEY_INVALID 0x03 /* * primes p where (p-1)/2 is prime too are called "safe"; we define this for diff --git a/deps/openssl/openssl/crypto/dh/dh_check.c b/deps/openssl/openssl/crypto/dh/dh_check.c index 347467c6a4..5adedc0d26 100644 --- a/deps/openssl/openssl/crypto/dh/dh_check.c +++ b/deps/openssl/openssl/crypto/dh/dh_check.c @@ -151,23 +151,38 @@ int DH_check(const DH *dh, int *ret) int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) { int ok = 0; - BIGNUM *q = NULL; + BIGNUM *tmp = NULL; + BN_CTX *ctx = NULL; *ret = 0; - q = BN_new(); - if (q == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) goto err; - BN_set_word(q, 1); - if (BN_cmp(pub_key, q) <= 0) + BN_CTX_start(ctx); + tmp = BN_CTX_get(ctx); + if (tmp == NULL) + goto err; + BN_set_word(tmp, 1); + if (BN_cmp(pub_key, tmp) <= 0) *ret |= DH_CHECK_PUBKEY_TOO_SMALL; - BN_copy(q, dh->p); - BN_sub_word(q, 1); - if (BN_cmp(pub_key, q) >= 0) + BN_copy(tmp, dh->p); + BN_sub_word(tmp, 1); + if (BN_cmp(pub_key, tmp) >= 0) *ret |= DH_CHECK_PUBKEY_TOO_LARGE; + if (dh->q != NULL) { + /* Check pub_key^q == 1 mod p */ + if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) + goto err; + if (!BN_is_one(tmp)) + *ret |= DH_CHECK_PUBKEY_INVALID; + } + ok = 1; err: - if (q != NULL) - BN_free(q); + if (ctx != NULL) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } return (ok); } diff --git a/deps/openssl/openssl/crypto/dh/dhtest.c b/deps/openssl/openssl/crypto/dh/dhtest.c index 6fe8ff4c0c..c5d3d87ea5 100644 --- a/deps/openssl/openssl/crypto/dh/dhtest.c +++ b/deps/openssl/openssl/crypto/dh/dhtest.c @@ -471,6 +471,31 @@ static const unsigned char dhtest_2048_256_Z[] = { 0xC2, 0x6C, 0x5D, 0x7C }; +static const unsigned char dhtest_rfc5114_2048_224_bad_y[] = { + 0x45, 0x32, 0x5F, 0x51, 0x07, 0xE5, 0xDF, 0x1C, 0xD6, 0x02, 0x82, 0xB3, + 0x32, 0x8F, 0xA4, 0x0F, 0x87, 0xB8, 0x41, 0xFE, 0xB9, 0x35, 0xDE, 0xAD, + 0xC6, 0x26, 0x85, 0xB4, 0xFF, 0x94, 0x8C, 0x12, 0x4C, 0xBF, 0x5B, 0x20, + 0xC4, 0x46, 0xA3, 0x26, 0xEB, 0xA4, 0x25, 0xB7, 0x68, 0x8E, 0xCC, 0x67, + 0xBA, 0xEA, 0x58, 0xD0, 0xF2, 0xE9, 0xD2, 0x24, 0x72, 0x60, 0xDA, 0x88, + 0x18, 0x9C, 0xE0, 0x31, 0x6A, 0xAD, 0x50, 0x6D, 0x94, 0x35, 0x8B, 0x83, + 0x4A, 0x6E, 0xFA, 0x48, 0x73, 0x0F, 0x83, 0x87, 0xFF, 0x6B, 0x66, 0x1F, + 0xA8, 0x82, 0xC6, 0x01, 0xE5, 0x80, 0xB5, 0xB0, 0x52, 0xD0, 0xE9, 0xD8, + 0x72, 0xF9, 0x7D, 0x5B, 0x8B, 0xA5, 0x4C, 0xA5, 0x25, 0x95, 0x74, 0xE2, + 0x7A, 0x61, 0x4E, 0xA7, 0x8F, 0x12, 0xE2, 0xD2, 0x9D, 0x8C, 0x02, 0x70, + 0x34, 0x44, 0x32, 0xC7, 0xB2, 0xF3, 0xB9, 0xFE, 0x17, 0x2B, 0xD6, 0x1F, + 0x8B, 0x7E, 0x4A, 0xFA, 0xA3, 0xB5, 0x3E, 0x7A, 0x81, 0x9A, 0x33, 0x66, + 0x62, 0xA4, 0x50, 0x18, 0x3E, 0xA2, 0x5F, 0x00, 0x07, 0xD8, 0x9B, 0x22, + 0xE4, 0xEC, 0x84, 0xD5, 0xEB, 0x5A, 0xF3, 0x2A, 0x31, 0x23, 0xD8, 0x44, + 0x22, 0x2A, 0x8B, 0x37, 0x44, 0xCC, 0xC6, 0x87, 0x4B, 0xBE, 0x50, 0x9D, + 0x4A, 0xC4, 0x8E, 0x45, 0xCF, 0x72, 0x4D, 0xC0, 0x89, 0xB3, 0x72, 0xED, + 0x33, 0x2C, 0xBC, 0x7F, 0x16, 0x39, 0x3B, 0xEB, 0xD2, 0xDD, 0xA8, 0x01, + 0x73, 0x84, 0x62, 0xB9, 0x29, 0xD2, 0xC9, 0x51, 0x32, 0x9E, 0x7A, 0x6A, + 0xCF, 0xC1, 0x0A, 0xDB, 0x0E, 0xE0, 0x62, 0x77, 0x6F, 0x59, 0x62, 0x72, + 0x5A, 0x69, 0xA6, 0x5B, 0x70, 0xCA, 0x65, 0xC4, 0x95, 0x6F, 0x9A, 0xC2, + 0xDF, 0x72, 0x6D, 0xB1, 0x1E, 0x54, 0x7B, 0x51, 0xB4, 0xEF, 0x7F, 0x89, + 0x93, 0x74, 0x89, 0x59 +}; + typedef struct { DH *(*get_param) (void); const unsigned char *xA; @@ -503,10 +528,15 @@ static const rfc5114_td rfctd[] = { static int run_rfc5114_tests(void) { int i; + DH *dhA = NULL; + DH *dhB = NULL; + unsigned char *Z1 = NULL; + unsigned char *Z2 = NULL; + const rfc5114_td *td = NULL; + BIGNUM *bady = NULL; + for (i = 0; i < (int)(sizeof(rfctd) / sizeof(rfc5114_td)); i++) { - DH *dhA, *dhB; - unsigned char *Z1 = NULL, *Z2 = NULL; - const rfc5114_td *td = rfctd + i; + td = rfctd + i; /* Set up DH structures setting key components */ dhA = td->get_param(); dhB = td->get_param(); @@ -549,14 +579,63 @@ static int run_rfc5114_tests(void) DH_free(dhB); OPENSSL_free(Z1); OPENSSL_free(Z2); + dhA = NULL; + dhB = NULL; + Z1 = NULL; + Z2 = NULL; + } + /* Now i == OSSL_NELEM(rfctd) */ + /* RFC5114 uses unsafe primes, so now test an invalid y value */ + dhA = DH_get_2048_224(); + if (dhA == NULL) + goto bad_err; + Z1 = OPENSSL_malloc(DH_size(dhA)); + if (Z1 == NULL) + goto bad_err; + + bady = BN_bin2bn(dhtest_rfc5114_2048_224_bad_y, + sizeof(dhtest_rfc5114_2048_224_bad_y), NULL); + if (bady == NULL) + goto bad_err; + + if (!DH_generate_key(dhA)) + goto bad_err; + + if (DH_compute_key(Z1, bady, dhA) != -1) { + /* + * DH_compute_key should fail with -1. If we get here we unexpectedly + * allowed an invalid y value + */ + goto err; } + /* We'll have a stale error on the queue from the above test so clear it */ + ERR_clear_error(); + + printf("RFC5114 parameter test %d OK\n", i + 1); + + BN_free(bady); + DH_free(dhA); + OPENSSL_free(Z1); + return 1; bad_err: + BN_free(bady); + DH_free(dhA); + DH_free(dhB); + OPENSSL_free(Z1); + OPENSSL_free(Z2); + fprintf(stderr, "Initalisation error RFC5114 set %d\n", i + 1); ERR_print_errors_fp(stderr); return 0; err: + BN_free(bady); + DH_free(dhA); + DH_free(dhB); + OPENSSL_free(Z1); + OPENSSL_free(Z2); + fprintf(stderr, "Test failed RFC5114 set %d\n", i + 1); return 0; } diff --git a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c index f0ec8faa84..efc4f1b6ae 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c @@ -187,9 +187,6 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) goto err; - ret = DSA_SIG_new(); - if (ret == NULL) - goto err; /* * Redo if r or s is zero as required by FIPS 186-3: this is very * unlikely. @@ -201,11 +198,14 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) } goto redo; } + ret = DSA_SIG_new(); + if (ret == NULL) + goto err; ret->r = r; ret->s = s; err: - if (!ret) { + if (ret == NULL) { DSAerr(DSA_F_DSA_DO_SIGN, reason); BN_free(r); BN_free(s); diff --git a/deps/openssl/openssl/crypto/dso/dso.h b/deps/openssl/openssl/crypto/dso/dso.h index 7c4a1dc4a6..c9013f5cea 100644 --- a/deps/openssl/openssl/crypto/dso/dso.h +++ b/deps/openssl/openssl/crypto/dso/dso.h @@ -1,4 +1,4 @@ -/* dso.h -*- mode:C; c-file-style: "eay" -*- */ +/* dso.h */ /* * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project * 2000. diff --git a/deps/openssl/openssl/crypto/dso/dso_dl.c b/deps/openssl/openssl/crypto/dso/dso_dl.c index 0087ac54af..ceedf66e88 100644 --- a/deps/openssl/openssl/crypto/dso/dso_dl.c +++ b/deps/openssl/openssl/crypto/dso/dso_dl.c @@ -1,4 +1,4 @@ -/* dso_dl.c -*- mode:C; c-file-style: "eay" -*- */ +/* dso_dl.c */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2000. diff --git a/deps/openssl/openssl/crypto/dso/dso_dlfcn.c b/deps/openssl/openssl/crypto/dso/dso_dlfcn.c index f629f0380d..78df723ffb 100644 --- a/deps/openssl/openssl/crypto/dso/dso_dlfcn.c +++ b/deps/openssl/openssl/crypto/dso/dso_dlfcn.c @@ -1,4 +1,4 @@ -/* dso_dlfcn.c -*- mode:C; c-file-style: "eay" -*- */ +/* dso_dlfcn.c */ /* * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project * 2000. diff --git a/deps/openssl/openssl/crypto/dso/dso_lib.c b/deps/openssl/openssl/crypto/dso/dso_lib.c index 09b8eafcca..3312450eae 100644 --- a/deps/openssl/openssl/crypto/dso/dso_lib.c +++ b/deps/openssl/openssl/crypto/dso/dso_lib.c @@ -1,4 +1,4 @@ -/* dso_lib.c -*- mode:C; c-file-style: "eay" -*- */ +/* dso_lib.c */ /* * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project * 2000. diff --git a/deps/openssl/openssl/crypto/dso/dso_vms.c b/deps/openssl/openssl/crypto/dso/dso_vms.c index d0794b8fb0..1efd84b945 100644 --- a/deps/openssl/openssl/crypto/dso/dso_vms.c +++ b/deps/openssl/openssl/crypto/dso/dso_vms.c @@ -1,4 +1,4 @@ -/* dso_vms.c -*- mode:C; c-file-style: "eay" -*- */ +/* dso_vms.c */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2000. diff --git a/deps/openssl/openssl/crypto/dso/dso_win32.c b/deps/openssl/openssl/crypto/dso/dso_win32.c index c65234e9c4..706e754a3f 100644 --- a/deps/openssl/openssl/crypto/dso/dso_win32.c +++ b/deps/openssl/openssl/crypto/dso/dso_win32.c @@ -1,4 +1,4 @@ -/* dso_win32.c -*- mode:C; c-file-style: "eay" -*- */ +/* dso_win32.c */ /* * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project * 2000. diff --git a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl index 648c969be6..e6acfd59f0 100755 --- a/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl +++ b/deps/openssl/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl @@ -81,7 +81,7 @@ if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $addx = ($1>=12); } -if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9])\.([0-9]+)/) { +if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9])\.([0-9]+)/) { my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10 $avx = ($ver>=3.0) + ($ver>=3.01); $addx = ($ver>=3.03); diff --git a/deps/openssl/openssl/crypto/ec/ec2_smpl.c b/deps/openssl/openssl/crypto/ec/ec2_smpl.c index 077c7fc8dd..5b27b91fcc 100644 --- a/deps/openssl/openssl/crypto/ec/ec2_smpl.c +++ b/deps/openssl/openssl/crypto/ec/ec2_smpl.c @@ -746,6 +746,7 @@ int ec_GF2m_simple_make_affine(const EC_GROUP *group, EC_POINT *point, goto err; if (!BN_one(&point->Z)) goto err; + point->Z_is_one = 1; ret = 1; diff --git a/deps/openssl/openssl/crypto/ec/ec_key.c b/deps/openssl/openssl/crypto/ec/ec_key.c index c784b6fd30..bc94ab5661 100644 --- a/deps/openssl/openssl/crypto/ec/ec_key.c +++ b/deps/openssl/openssl/crypto/ec/ec_key.c @@ -387,6 +387,8 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, tx = BN_CTX_get(ctx); ty = BN_CTX_get(ctx); + if (ty == NULL) + goto err; #ifndef OPENSSL_NO_EC2M tmp_nid = EC_METHOD_get_field_type(EC_GROUP_method_of(key->group)); diff --git a/deps/openssl/openssl/crypto/ec/ecp_nistz256_table.c b/deps/openssl/openssl/crypto/ec/ecp_nistz256_table.c index 216d024e01..2f0797db6b 100644 --- a/deps/openssl/openssl/crypto/ec/ecp_nistz256_table.c +++ b/deps/openssl/openssl/crypto/ec/ecp_nistz256_table.c @@ -17,7 +17,7 @@ __attribute((aligned(4096))) #elif defined(_MSC_VER) __declspec(align(4096)) #elif defined(__SUNPRO_C) -# pragma align 4096(ecp_nistz256_precomputed) +# pragma align 64(ecp_nistz256_precomputed) #endif static const BN_ULONG ecp_nistz256_precomputed[37][64 * sizeof(P256_POINT_AFFINE) / diff --git a/deps/openssl/openssl/crypto/ec/ectest.c b/deps/openssl/openssl/crypto/ec/ectest.c index fede530bc1..efab0b07b1 100644 --- a/deps/openssl/openssl/crypto/ec/ectest.c +++ b/deps/openssl/openssl/crypto/ec/ectest.c @@ -1591,7 +1591,7 @@ struct nistp_test_params { int degree; /* * Qx, Qy and D are taken from - * http://csrcdocut.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf + * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf * Otherwise, values are standard curve parameters from FIPS 180-3 */ const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d; diff --git a/deps/openssl/openssl/crypto/engine/eng_all.c b/deps/openssl/openssl/crypto/engine/eng_all.c index 195a3a9554..48ad0d26b4 100644 --- a/deps/openssl/openssl/crypto/engine/eng_all.c +++ b/deps/openssl/openssl/crypto/engine/eng_all.c @@ -1,4 +1,4 @@ -/* crypto/engine/eng_all.c -*- mode: C; c-file-style: "eay" -*- */ +/* crypto/engine/eng_all.c */ /* * Written by Richard Levitte <richard@levitte.org> for the OpenSSL project * 2000. diff --git a/deps/openssl/openssl/crypto/evp/e_camellia.c b/deps/openssl/openssl/crypto/evp/e_camellia.c index f9c8401367..f273f9c947 100644 --- a/deps/openssl/openssl/crypto/evp/e_camellia.c +++ b/deps/openssl/openssl/crypto/evp/e_camellia.c @@ -1,4 +1,4 @@ -/* crypto/evp/e_camellia.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/evp/e_camellia.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/evp/e_old.c b/deps/openssl/openssl/crypto/evp/e_old.c index c93f5a5481..a23d143b7f 100644 --- a/deps/openssl/openssl/crypto/evp/e_old.c +++ b/deps/openssl/openssl/crypto/evp/e_old.c @@ -1,4 +1,4 @@ -/* crypto/evp/e_old.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/evp/e_old.c */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2004. diff --git a/deps/openssl/openssl/crypto/evp/e_seed.c b/deps/openssl/openssl/crypto/evp/e_seed.c index c948a8f391..7249d1b1ee 100644 --- a/deps/openssl/openssl/crypto/evp/e_seed.c +++ b/deps/openssl/openssl/crypto/evp/e_seed.c @@ -1,4 +1,4 @@ -/* crypto/evp/e_seed.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/evp/e_seed.c */ /* ==================================================================== * Copyright (c) 2007 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/mem_clr.c b/deps/openssl/openssl/crypto/mem_clr.c index 1a06636d0c..ab85344eef 100644 --- a/deps/openssl/openssl/crypto/mem_clr.c +++ b/deps/openssl/openssl/crypto/mem_clr.c @@ -1,4 +1,4 @@ -/* crypto/mem_clr.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/mem_clr.c */ /* * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project * 2002. diff --git a/deps/openssl/openssl/crypto/modes/asm/aesni-gcm-x86_64.pl b/deps/openssl/openssl/crypto/modes/asm/aesni-gcm-x86_64.pl index 4be25571ea..bd6bf72fe4 100644 --- a/deps/openssl/openssl/crypto/modes/asm/aesni-gcm-x86_64.pl +++ b/deps/openssl/openssl/crypto/modes/asm/aesni-gcm-x86_64.pl @@ -56,7 +56,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $avx = ($1>=10) + ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/deps/openssl/openssl/crypto/modes/asm/ghash-x86_64.pl b/deps/openssl/openssl/crypto/modes/asm/ghash-x86_64.pl index 0bcb6d4e02..4ff2d39aa7 100644 --- a/deps/openssl/openssl/crypto/modes/asm/ghash-x86_64.pl +++ b/deps/openssl/openssl/crypto/modes/asm/ghash-x86_64.pl @@ -105,7 +105,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $avx = ($1>=10) + ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/deps/openssl/openssl/crypto/o_dir.c b/deps/openssl/openssl/crypto/o_dir.c index 26242444c8..f9dbed8711 100644 --- a/deps/openssl/openssl/crypto/o_dir.c +++ b/deps/openssl/openssl/crypto/o_dir.c @@ -1,4 +1,4 @@ -/* crypto/o_dir.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/o_dir.c */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2004. diff --git a/deps/openssl/openssl/crypto/o_dir.h b/deps/openssl/openssl/crypto/o_dir.h index d55431194e..bf45a14d02 100644 --- a/deps/openssl/openssl/crypto/o_dir.h +++ b/deps/openssl/openssl/crypto/o_dir.h @@ -1,4 +1,4 @@ -/* crypto/o_dir.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/o_dir.h */ /* * Copied from Richard Levitte's (richard@levitte.org) LP library. All * symbol names have been changed, with permission from the author. diff --git a/deps/openssl/openssl/crypto/o_dir_test.c b/deps/openssl/openssl/crypto/o_dir_test.c index 7cdbbbc403..60436b72ce 100644 --- a/deps/openssl/openssl/crypto/o_dir_test.c +++ b/deps/openssl/openssl/crypto/o_dir_test.c @@ -1,4 +1,4 @@ -/* crypto/o_dir.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/o_dir.h */ /* * Copied from Richard Levitte's (richard@levitte.org) LP library. All * symbol names have been changed, with permission from the author. diff --git a/deps/openssl/openssl/crypto/o_str.c b/deps/openssl/openssl/crypto/o_str.c index 4e2d096704..7e61cde85a 100644 --- a/deps/openssl/openssl/crypto/o_str.c +++ b/deps/openssl/openssl/crypto/o_str.c @@ -1,4 +1,4 @@ -/* crypto/o_str.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/o_str.c */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2003. diff --git a/deps/openssl/openssl/crypto/o_str.h b/deps/openssl/openssl/crypto/o_str.h index 5313528ed9..fa512eb397 100644 --- a/deps/openssl/openssl/crypto/o_str.h +++ b/deps/openssl/openssl/crypto/o_str.h @@ -1,4 +1,4 @@ -/* crypto/o_str.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/o_str.h */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2003. diff --git a/deps/openssl/openssl/crypto/o_time.c b/deps/openssl/openssl/crypto/o_time.c index 58413fe97d..635dae184d 100644 --- a/deps/openssl/openssl/crypto/o_time.c +++ b/deps/openssl/openssl/crypto/o_time.c @@ -1,4 +1,4 @@ -/* crypto/o_time.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/o_time.c */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2001. diff --git a/deps/openssl/openssl/crypto/o_time.h b/deps/openssl/openssl/crypto/o_time.h index a83a3d247d..f192c6dccf 100644 --- a/deps/openssl/openssl/crypto/o_time.h +++ b/deps/openssl/openssl/crypto/o_time.h @@ -1,4 +1,4 @@ -/* crypto/o_time.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/o_time.h */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2001. diff --git a/deps/openssl/openssl/crypto/opensslv.h b/deps/openssl/openssl/crypto/opensslv.h index abcef15b17..03b8c48437 100644 --- a/deps/openssl/openssl/crypto/opensslv.h +++ b/deps/openssl/openssl/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1000205fL +# define OPENSSL_VERSION_NUMBER 0x1000206fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2e-fips 3 Dec 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2f-fips 28 Jan 2016" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2e 3 Dec 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2f 28 Jan 2016" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/deps/openssl/openssl/crypto/rand/rand_vms.c b/deps/openssl/openssl/crypto/rand/rand_vms.c index a7179a4ba1..0e10c363e2 100644 --- a/deps/openssl/openssl/crypto/rand/rand_vms.c +++ b/deps/openssl/openssl/crypto/rand/rand_vms.c @@ -1,4 +1,4 @@ -/* crypto/rand/rand_vms.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/rand/rand_vms.c */ /* * Written by Richard Levitte <richard@levitte.org> for the OpenSSL project * 2000. diff --git a/deps/openssl/openssl/crypto/rc4/rc4_utl.c b/deps/openssl/openssl/crypto/rc4/rc4_utl.c index 7c6a15f1c7..cbd4a24e4b 100644 --- a/deps/openssl/openssl/crypto/rc4/rc4_utl.c +++ b/deps/openssl/openssl/crypto/rc4/rc4_utl.c @@ -1,4 +1,4 @@ -/* crypto/rc4/rc4_utl.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/rc4/rc4_utl.c */ /* ==================================================================== * Copyright (c) 2011 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/rsa/rsa_chk.c b/deps/openssl/openssl/crypto/rsa/rsa_chk.c index f4383860b5..607faa0017 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_chk.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_chk.c @@ -1,4 +1,4 @@ -/* crypto/rsa/rsa_chk.c -*- Mode: C; c-file-style: "eay" -*- */ +/* crypto/rsa/rsa_chk.c */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/rsa/rsa_sign.c b/deps/openssl/openssl/crypto/rsa/rsa_sign.c index 82ca8324df..ed63a1d8b0 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_sign.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_sign.c @@ -84,7 +84,7 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len, return 0; } #endif - if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) { + if (rsa->meth->rsa_sign) { return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); } /* Special case: SSL signature, just check the length */ @@ -293,7 +293,7 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len, const unsigned char *sigbuf, unsigned int siglen, RSA *rsa) { - if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_verify) { + if (rsa->meth->rsa_verify) { return rsa->meth->rsa_verify(dtype, m, m_len, sigbuf, siglen, rsa); } diff --git a/deps/openssl/openssl/crypto/seed/seed_cbc.c b/deps/openssl/openssl/crypto/seed/seed_cbc.c index 33e6887740..ee1115b4c1 100644 --- a/deps/openssl/openssl/crypto/seed/seed_cbc.c +++ b/deps/openssl/openssl/crypto/seed/seed_cbc.c @@ -1,4 +1,4 @@ -/* crypto/seed/seed_cbc.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/seed/seed_cbc.c */ /* ==================================================================== * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/seed/seed_cfb.c b/deps/openssl/openssl/crypto/seed/seed_cfb.c index 3437d7b4e1..b6a5648b35 100644 --- a/deps/openssl/openssl/crypto/seed/seed_cfb.c +++ b/deps/openssl/openssl/crypto/seed/seed_cfb.c @@ -1,4 +1,4 @@ -/* crypto/seed/seed_cfb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/seed/seed_cfb.c */ /* ==================================================================== * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/seed/seed_ecb.c b/deps/openssl/openssl/crypto/seed/seed_ecb.c index 937a31b42a..9363d55080 100644 --- a/deps/openssl/openssl/crypto/seed/seed_ecb.c +++ b/deps/openssl/openssl/crypto/seed/seed_ecb.c @@ -1,4 +1,4 @@ -/* crypto/seed/seed_ecb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/seed/seed_ecb.c */ /* ==================================================================== * Copyright (c) 2007 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/seed/seed_ofb.c b/deps/openssl/openssl/crypto/seed/seed_ofb.c index 6974302ce8..48b71224c5 100644 --- a/deps/openssl/openssl/crypto/seed/seed_ofb.c +++ b/deps/openssl/openssl/crypto/seed/seed_ofb.c @@ -1,4 +1,4 @@ -/* crypto/seed/seed_ofb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/seed/seed_ofb.c */ /* ==================================================================== * Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/sha/asm/sha1-mb-x86_64.pl b/deps/openssl/openssl/crypto/sha/asm/sha1-mb-x86_64.pl index f856bb888b..a8d8708d4b 100644 --- a/deps/openssl/openssl/crypto/sha/asm/sha1-mb-x86_64.pl +++ b/deps/openssl/openssl/crypto/sha/asm/sha1-mb-x86_64.pl @@ -58,7 +58,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $avx = ($1>=10) + ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/deps/openssl/openssl/crypto/sha/asm/sha1-x86_64.pl b/deps/openssl/openssl/crypto/sha/asm/sha1-x86_64.pl index 9a6acc347d..5f375fc688 100755 --- a/deps/openssl/openssl/crypto/sha/asm/sha1-x86_64.pl +++ b/deps/openssl/openssl/crypto/sha/asm/sha1-x86_64.pl @@ -107,7 +107,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $avx = ($1>=10) + ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([2-9]\.[0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([2-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/deps/openssl/openssl/crypto/sha/asm/sha256-mb-x86_64.pl b/deps/openssl/openssl/crypto/sha/asm/sha256-mb-x86_64.pl index 3d37ae31ad..9770286b95 100644 --- a/deps/openssl/openssl/crypto/sha/asm/sha256-mb-x86_64.pl +++ b/deps/openssl/openssl/crypto/sha/asm/sha256-mb-x86_64.pl @@ -59,7 +59,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $avx = ($1>=10) + ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl b/deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl index 58665667f1..78e445f3fe 100755 --- a/deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl +++ b/deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl @@ -124,7 +124,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && $avx = ($1>=10) + ($1>=11); } -if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([3-9]\.[0-9]+)/) { +if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) { $avx = ($2>=3.0) + ($2>3.0); } diff --git a/deps/openssl/openssl/crypto/sha/sha1test.c b/deps/openssl/openssl/crypto/sha/sha1test.c index 0052a95c7d..551a348df3 100644 --- a/deps/openssl/openssl/crypto/sha/sha1test.c +++ b/deps/openssl/openssl/crypto/sha/sha1test.c @@ -157,8 +157,8 @@ int main(int argc, char *argv[]) if (err) printf("ERROR: %d\n", err); # endif - EXIT(err); EVP_MD_CTX_cleanup(&c); + EXIT(err); return (0); } diff --git a/deps/openssl/openssl/crypto/store/store.h b/deps/openssl/openssl/crypto/store/store.h index 8343341049..ce3709d9f0 100644 --- a/deps/openssl/openssl/crypto/store/store.h +++ b/deps/openssl/openssl/crypto/store/store.h @@ -1,4 +1,4 @@ -/* crypto/store/store.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/store/store.h */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2003. diff --git a/deps/openssl/openssl/crypto/store/str_lib.c b/deps/openssl/openssl/crypto/store/str_lib.c index 227b797b59..e3d5da9388 100644 --- a/deps/openssl/openssl/crypto/store/str_lib.c +++ b/deps/openssl/openssl/crypto/store/str_lib.c @@ -1,4 +1,4 @@ -/* crypto/store/str_lib.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/store/str_lib.c */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2003. diff --git a/deps/openssl/openssl/crypto/store/str_locl.h b/deps/openssl/openssl/crypto/store/str_locl.h index ac55784df0..c0b40f0db6 100644 --- a/deps/openssl/openssl/crypto/store/str_locl.h +++ b/deps/openssl/openssl/crypto/store/str_locl.h @@ -1,4 +1,4 @@ -/* crypto/store/str_locl.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/store/str_locl.h */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2003. diff --git a/deps/openssl/openssl/crypto/store/str_mem.c b/deps/openssl/openssl/crypto/store/str_mem.c index 8edd0eb41b..6eee5bba29 100644 --- a/deps/openssl/openssl/crypto/store/str_mem.c +++ b/deps/openssl/openssl/crypto/store/str_mem.c @@ -1,4 +1,4 @@ -/* crypto/store/str_mem.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/store/str_mem.c */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2003. diff --git a/deps/openssl/openssl/crypto/store/str_meth.c b/deps/openssl/openssl/crypto/store/str_meth.c index d83a6de0fc..c83fbc565a 100644 --- a/deps/openssl/openssl/crypto/store/str_meth.c +++ b/deps/openssl/openssl/crypto/store/str_meth.c @@ -1,4 +1,4 @@ -/* crypto/store/str_meth.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/store/str_meth.c */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2003. diff --git a/deps/openssl/openssl/crypto/ts/ts_rsp_verify.c b/deps/openssl/openssl/crypto/ts/ts_rsp_verify.c index da8991173c..29aa5a497e 100644 --- a/deps/openssl/openssl/crypto/ts/ts_rsp_verify.c +++ b/deps/openssl/openssl/crypto/ts/ts_rsp_verify.c @@ -255,7 +255,8 @@ static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, /* chain is an out argument. */ *chain = NULL; - X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted); + if (!X509_STORE_CTX_init(&cert_ctx, store, signer, untrusted)) + return 0; X509_STORE_CTX_set_purpose(&cert_ctx, X509_PURPOSE_TIMESTAMP_SIGN); i = X509_verify_cert(&cert_ctx); if (i <= 0) { diff --git a/deps/openssl/openssl/crypto/ui/ui.h b/deps/openssl/openssl/crypto/ui/ui.h index b917edab3a..0dc16330b8 100644 --- a/deps/openssl/openssl/crypto/ui/ui.h +++ b/deps/openssl/openssl/crypto/ui/ui.h @@ -1,4 +1,4 @@ -/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/ui/ui.h */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2001. diff --git a/deps/openssl/openssl/crypto/ui/ui_compat.c b/deps/openssl/openssl/crypto/ui/ui_compat.c index 0ca5284f91..e79d54eea6 100644 --- a/deps/openssl/openssl/crypto/ui/ui_compat.c +++ b/deps/openssl/openssl/crypto/ui/ui_compat.c @@ -1,4 +1,4 @@ -/* crypto/ui/ui_compat.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/ui/ui_compat.c */ /* ==================================================================== * Copyright (c) 2001-2002 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/ui/ui_compat.h b/deps/openssl/openssl/crypto/ui/ui_compat.h index 42fb9ff650..bf541542c0 100644 --- a/deps/openssl/openssl/crypto/ui/ui_compat.h +++ b/deps/openssl/openssl/crypto/ui/ui_compat.h @@ -1,4 +1,4 @@ -/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/ui/ui.h */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2001. diff --git a/deps/openssl/openssl/crypto/ui/ui_lib.c b/deps/openssl/openssl/crypto/ui/ui_lib.c index 5ddd7317e5..2f580352ce 100644 --- a/deps/openssl/openssl/crypto/ui/ui_lib.c +++ b/deps/openssl/openssl/crypto/ui/ui_lib.c @@ -1,4 +1,4 @@ -/* crypto/ui/ui_lib.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/ui/ui_lib.c */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2001. diff --git a/deps/openssl/openssl/crypto/ui/ui_locl.h b/deps/openssl/openssl/crypto/ui/ui_locl.h index 0d919cd7b1..bebc13abfc 100644 --- a/deps/openssl/openssl/crypto/ui/ui_locl.h +++ b/deps/openssl/openssl/crypto/ui/ui_locl.h @@ -1,4 +1,4 @@ -/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/ui/ui.h */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2001. diff --git a/deps/openssl/openssl/crypto/ui/ui_openssl.c b/deps/openssl/openssl/crypto/ui/ui_openssl.c index 5d66276418..9ab259b8f6 100644 --- a/deps/openssl/openssl/crypto/ui/ui_openssl.c +++ b/deps/openssl/openssl/crypto/ui/ui_openssl.c @@ -1,4 +1,4 @@ -/* crypto/ui/ui_openssl.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/ui/ui_openssl.c */ /* * Written by Richard Levitte (richard@levitte.org) and others for the * OpenSSL project 2001. diff --git a/deps/openssl/openssl/crypto/ui/ui_util.c b/deps/openssl/openssl/crypto/ui/ui_util.c index f65f80d71d..0f290115d0 100644 --- a/deps/openssl/openssl/crypto/ui/ui_util.c +++ b/deps/openssl/openssl/crypto/ui/ui_util.c @@ -1,4 +1,4 @@ -/* crypto/ui/ui_util.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/ui/ui_util.c */ /* ==================================================================== * Copyright (c) 2001-2002 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/crypto/x509/x509_vfy.c b/deps/openssl/openssl/crypto/x509/x509_vfy.c index ab94948f01..0429767032 100644 --- a/deps/openssl/openssl/crypto/x509/x509_vfy.c +++ b/deps/openssl/openssl/crypto/x509/x509_vfy.c @@ -2283,9 +2283,10 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->current_reasons = 0; ctx->tree = NULL; ctx->parent = NULL; + /* Zero ex_data to make sure we're cleanup-safe */ + memset(&ctx->ex_data, 0, sizeof(ctx->ex_data)); ctx->param = X509_VERIFY_PARAM_new(); - if (!ctx->param) { X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); return 0; @@ -2294,7 +2295,6 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, /* * Inherit callbacks and flags from X509_STORE if not set use defaults. */ - if (store) ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); else @@ -2302,6 +2302,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, if (store) { ctx->verify_cb = store->verify_cb; + /* Seems to always be 0 in OpenSSL, else must be idempotent */ ctx->cleanup = store->cleanup; } else ctx->cleanup = 0; @@ -2312,7 +2313,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, if (ret == 0) { X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); - return 0; + goto err; } if (store && store->check_issued) @@ -2367,19 +2368,18 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, ctx->check_policy = check_policy; + if (CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, + &ctx->ex_data)) + return 1; + X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); + + err: /* - * This memset() can't make any sense anyway, so it's removed. As - * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a - * corresponding "new" here and remove this bogus initialisation. + * On error clean up allocated storage, if the store context was not + * allocated with X509_STORE_CTX_new() this is our last chance to do so. */ - /* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */ - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, - &(ctx->ex_data))) { - OPENSSL_free(ctx); - X509err(X509_F_X509_STORE_CTX_INIT, ERR_R_MALLOC_FAILURE); - return 0; - } - return 1; + X509_STORE_CTX_cleanup(ctx); + return 0; } /* @@ -2395,8 +2395,17 @@ void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) { - if (ctx->cleanup) + /* + * We need to be idempotent because, unfortunately, free() also calls + * cleanup(), so the natural call sequence new(), init(), cleanup(), free() + * calls cleanup() for the same object twice! Thus we must zero the + * pointers below after they're freed! + */ + /* Seems to always be 0 in OpenSSL, do this at most once. */ + if (ctx->cleanup != NULL) { ctx->cleanup(ctx); + ctx->cleanup = NULL; + } if (ctx->param != NULL) { if (ctx->parent == NULL) X509_VERIFY_PARAM_free(ctx->param); diff --git a/deps/openssl/openssl/crypto/x509/x509_vfy.h b/deps/openssl/openssl/crypto/x509/x509_vfy.h index bd8613c62b..2663e1c0a3 100644 --- a/deps/openssl/openssl/crypto/x509/x509_vfy.h +++ b/deps/openssl/openssl/crypto/x509/x509_vfy.h @@ -313,7 +313,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL) # define X509_V_OK 0 -/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */ +# define X509_V_ERR_UNSPECIFIED 1 # define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 # define X509_V_ERR_UNABLE_TO_GET_CRL 3 diff --git a/deps/openssl/openssl/crypto/x509/x509_vpm.c b/deps/openssl/openssl/crypto/x509/x509_vpm.c index 592a8a5f6a..1ac15a881a 100644 --- a/deps/openssl/openssl/crypto/x509/x509_vpm.c +++ b/deps/openssl/openssl/crypto/x509/x509_vpm.c @@ -94,11 +94,11 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode, * Refuse names with embedded NUL bytes, except perhaps as final byte. * XXX: Do we need to push an error onto the error stack? */ - if (namelen == 0) + if (namelen == 0 || name == NULL) namelen = name ? strlen(name) : 0; else if (name && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen)) return 0; - if (name && name[namelen - 1] == '\0') + if (namelen > 0 && name[namelen - 1] == '\0') --namelen; if (mode == SET_HOST && id->hosts) { diff --git a/deps/openssl/openssl/crypto/x509v3/v3_pci.c b/deps/openssl/openssl/crypto/x509v3/v3_pci.c index 48ac0959cb..34cad53cb5 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3_pci.c +++ b/deps/openssl/openssl/crypto/x509v3/v3_pci.c @@ -1,4 +1,4 @@ -/* v3_pci.c -*- mode:C; c-file-style: "eay" -*- */ +/* v3_pci.c */ /* * Contributed to the OpenSSL Project 2004 by Richard Levitte * (richard@levitte.org) diff --git a/deps/openssl/openssl/crypto/x509v3/v3_pcia.c b/deps/openssl/openssl/crypto/x509v3/v3_pcia.c index 43fd362aed..e53c82e8dc 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3_pcia.c +++ b/deps/openssl/openssl/crypto/x509v3/v3_pcia.c @@ -1,4 +1,4 @@ -/* v3_pcia.c -*- mode:C; c-file-style: "eay" -*- */ +/* v3_pcia.c */ /* * Contributed to the OpenSSL Project 2004 by Richard Levitte * (richard@levitte.org) diff --git a/deps/openssl/openssl/crypto/x509v3/v3_utl.c b/deps/openssl/openssl/crypto/x509v3/v3_utl.c index 4d1ecc58bf..43b9cb9c58 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3_utl.c +++ b/deps/openssl/openssl/crypto/x509v3/v3_utl.c @@ -841,7 +841,8 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len, state = LABEL_START; ++dots; } else if (p[i] == '-') { - if ((state & LABEL_HYPHEN) != 0) + /* no domain/subdomain starts with '-' */ + if ((state & LABEL_START) != 0) return NULL; state |= LABEL_HYPHEN; } else diff --git a/deps/openssl/openssl/crypto/x509v3/v3nametest.c b/deps/openssl/openssl/crypto/x509v3/v3nametest.c index 7b5c1c8e51..ac5c9ff432 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3nametest.c +++ b/deps/openssl/openssl/crypto/x509v3/v3nametest.c @@ -6,12 +6,16 @@ static const char *const names[] = { "a", "b", ".", "*", "@", ".a", "a.", ".b", "b.", ".*", "*.", "*@", "@*", "a@", "@a", "b@", "..", + "-example.com", "example-.com", "@@", "**", "*.com", "*com", "*.*.com", "*com", "com*", "*example.com", "*@example.com", "test@*.example.com", "example.com", "www.example.com", "test.www.example.com", "*.example.com", "*.www.example.com", "test.*.example.com", "www.*.com", ".www.example.com", "*www.example.com", "example.net", "xn--rger-koa.example.com", + "*.xn--rger-koa.example.com", "www.xn--rger-koa.example.com", + "*.good--example.com", "www.good--example.com", + "*.xn--bar.com", "xn--foo.xn--bar.com", "a.example.com", "b.example.com", "postmaster@example.com", "Postmaster@example.com", "postmaster@EXAMPLE.COM", @@ -27,6 +31,9 @@ static const char *const exceptions[] = { "set CN: host: [*.www.example.com] matches [.www.example.com]", "set CN: host: [*www.example.com] matches [www.example.com]", "set CN: host: [test.www.example.com] matches [.www.example.com]", + "set CN: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]", + "set CN: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]", + "set CN: host: [*.good--example.com] matches [www.good--example.com]", "set CN: host-no-wildcards: [*.www.example.com] matches [.www.example.com]", "set CN: host-no-wildcards: [test.www.example.com] matches [.www.example.com]", "set emailAddress: email: [postmaster@example.com] does not match [Postmaster@example.com]", @@ -43,6 +50,9 @@ static const char *const exceptions[] = { "set dnsName: host: [*.www.example.com] matches [.www.example.com]", "set dnsName: host: [*www.example.com] matches [www.example.com]", "set dnsName: host: [test.www.example.com] matches [.www.example.com]", + "set dnsName: host: [*.xn--rger-koa.example.com] matches [www.xn--rger-koa.example.com]", + "set dnsName: host: [*.xn--bar.com] matches [xn--foo.xn--bar.com]", + "set dnsName: host: [*.good--example.com] matches [www.good--example.com]", "set rfc822Name: email: [postmaster@example.com] does not match [Postmaster@example.com]", "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@example.com]", "set rfc822Name: email: [Postmaster@example.com] does not match [postmaster@EXAMPLE.COM]", diff --git a/deps/openssl/openssl/demos/easy_tls/easy-tls.c b/deps/openssl/openssl/demos/easy_tls/easy-tls.c index 5682e91a47..ebcadafa7b 100644 --- a/deps/openssl/openssl/demos/easy_tls/easy-tls.c +++ b/deps/openssl/openssl/demos/easy_tls/easy-tls.c @@ -1,4 +1,4 @@ -/* -*- Mode: C; c-file-style: "bsd" -*- */ +/* */ /*- * easy-tls.c -- generic TLS proxy. * $Id: easy-tls.c,v 1.4 2002/03/05 09:07:16 bodo Exp $ diff --git a/deps/openssl/openssl/demos/easy_tls/easy-tls.h b/deps/openssl/openssl/demos/easy_tls/easy-tls.h index 1c587b861c..b88d21c57b 100644 --- a/deps/openssl/openssl/demos/easy_tls/easy-tls.h +++ b/deps/openssl/openssl/demos/easy_tls/easy-tls.h @@ -1,4 +1,4 @@ -/* -*- Mode: C; c-file-style: "bsd" -*- */ +/* */ /*- * easy-tls.h -- generic TLS proxy. * $Id: easy-tls.h,v 1.1 2001/09/17 19:06:59 bodo Exp $ diff --git a/deps/openssl/openssl/demos/tunala/tunala.c b/deps/openssl/openssl/demos/tunala/tunala.c index 11a7c5bb14..3ceea02fad 100644 --- a/deps/openssl/openssl/demos/tunala/tunala.c +++ b/deps/openssl/openssl/demos/tunala/tunala.c @@ -1154,7 +1154,7 @@ static int tunala_item_io(tunala_selector_t * selector, tunala_item_t * item) /* * This function name is attributed to the term donated by David Schwartz * on openssl-dev, message-ID: - * <NCBBLIEPOCbmasEKBEAKEEDGLIAA.davids@webmaster.com>. :-) + * <NCBBLIEPOCNJOAEKBEAKEEDGLIAA.davids@webmaster.com>. :-) */ if (!state_machine_churn(&item->sm)) /* diff --git a/deps/openssl/openssl/doc/apps/s_time.pod b/deps/openssl/openssl/doc/apps/s_time.pod index 5a38aa2e03..9082d876fe 100644 --- a/deps/openssl/openssl/doc/apps/s_time.pod +++ b/deps/openssl/openssl/doc/apps/s_time.pod @@ -26,7 +26,7 @@ B<openssl> B<s_time> =head1 DESCRIPTION -The B<s_client> command implements a generic SSL/TLS client which connects to a +The B<s_time> command implements a generic SSL/TLS client which connects to a remote host using SSL/TLS. It can request a page from the server and includes the time to transfer the payload data in its timing measurements. It measures the number of connections within a given timeframe, the amount of data @@ -127,7 +127,7 @@ and the link speed determine how many connections B<s_time> can establish. =head1 NOTES -B<s_client> can be used to measure the performance of an SSL connection. +B<s_time> can be used to measure the performance of an SSL connection. To connect to an SSL HTTP server and get the default page the command openssl s_time -connect servername:443 -www / -CApath yourdir -CAfile yourfile.pem -cipher commoncipher [-ssl3] diff --git a/deps/openssl/openssl/doc/crypto/BIO_s_connect.pod b/deps/openssl/openssl/doc/crypto/BIO_s_connect.pod index 18ece4c91f..345a468a5d 100644 --- a/deps/openssl/openssl/doc/crypto/BIO_s_connect.pod +++ b/deps/openssl/openssl/doc/crypto/BIO_s_connect.pod @@ -21,8 +21,8 @@ BIO_set_nbio, BIO_do_connect - connect BIO long BIO_set_conn_int_port(BIO *b, char *port); char *BIO_get_conn_hostname(BIO *b); char *BIO_get_conn_port(BIO *b); - char *BIO_get_conn_ip(BIO *b, dummy); - long BIO_get_conn_int_port(BIO *b, int port); + char *BIO_get_conn_ip(BIO *b); + long BIO_get_conn_int_port(BIO *b); long BIO_set_nbio(BIO *b, long n); diff --git a/deps/openssl/openssl/doc/ssl/SSL_CTX_set1_verify_cert_store.pod b/deps/openssl/openssl/doc/ssl/SSL_CTX_set1_verify_cert_store.pod index 493cca4819..3e3a4fa90c 100644 --- a/deps/openssl/openssl/doc/ssl/SSL_CTX_set1_verify_cert_store.pod +++ b/deps/openssl/openssl/doc/ssl/SSL_CTX_set1_verify_cert_store.pod @@ -17,10 +17,10 @@ verification or chain store int SSL_CTX_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st); int SSL_CTX_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st); - int SSL_set0_verify_cert_store(SSL_CTX *ctx, X509_STORE *st); - int SSL_set1_verify_cert_store(SSL_CTX *ctx, X509_STORE *st); - int SSL_set0_chain_cert_store(SSL_CTX *ctx, X509_STORE *st); - int SSL_set1_chain_cert_store(SSL_CTX *ctx, X509_STORE *st); + int SSL_set0_verify_cert_store(SSL *ctx, X509_STORE *st); + int SSL_set1_verify_cert_store(SSL *ctx, X509_STORE *st); + int SSL_set0_chain_cert_store(SSL *ctx, X509_STORE *st); + int SSL_set1_chain_cert_store(SSL *ctx, X509_STORE *st); =head1 DESCRIPTION diff --git a/deps/openssl/openssl/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod b/deps/openssl/openssl/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod new file mode 100644 index 0000000000..b8147baecf --- /dev/null +++ b/deps/openssl/openssl/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod @@ -0,0 +1,73 @@ +=pod + +=head1 NAME + +SSL_CTX_set_tlsext_status_cb, SSL_CTX_set_tlsext_status_arg, +SSL_set_tlsext_status_type, SSL_get_tlsext_status_ocsp_resp, +SSL_set_tlsext_status_ocsp_resp - OCSP Certificate Status Request functions + +=head1 SYNOPSIS + + #include <openssl/tls1.h> + + long SSL_CTX_set_tlsext_status_cb(SSL_CTX *ctx, + int (*callback)(SSL *, void *)); + long SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg); + + long SSL_set_tlsext_status_type(SSL *s, int type); + + long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp); + long SSL_set_tlsext_status_ocsp_resp(ssl, unsigned char *resp, int len); + +=head1 DESCRIPTION + +A client application may request that a server send back an OCSP status response +(also known as OCSP stapling). To do so the client should call the +SSL_set_tlsext_status_type() function prior to the start of the handshake. +Currently the only supported type is B<TLSEXT_STATUSTYPE_ocsp>. This value +should be passed in the B<type> argument. The client should additionally provide +a callback function to decide what to do with the returned OCSP response by +calling SSL_CTX_set_tlsext_status_cb(). The callback function should determine +whether the returned OCSP response is acceptable or not. The callback will be +passed as an argument the value previously set via a call to +SSL_CTX_set_tlsext_status_arg(). Note that the callback will not be called in +the event of a handshake where session resumption occurs (because there are no +Certificates exchanged in such a handshake). + +The response returned by the server can be obtained via a call to +SSL_get_tlsext_status_ocsp_resp(). The value B<*resp> will be updated to point +to the OCSP response data and the return value will be the length of that data. +Typically a callback would obtain an OCSP_RESPONSE object from this data via a +call to the d2i_OCSP_RESPONSE() function. If the server has not provided any +response data then B<*resp> will be NULL and the return value from +SSL_get_tlsext_status_ocsp_resp() will be -1. + +A server application must also call the SSL_CTX_set_tlsext_status_cb() function +if it wants to be able to provide clients with OCSP Certificate Status +responses. Typically the server callback would obtain the server certificate +that is being sent back to the client via a call to SSL_get_certificate(); +obtain the OCSP response to be sent back; and then set that response data by +calling SSL_set_tlsext_status_ocsp_resp(). A pointer to the response data should +be provided in the B<resp> argument, and the length of that data should be in +the B<len> argument. + +=head1 RETURN VALUES + +The callback when used on the client side should return a negative value on +error; 0 if the response is not acceptable (in which case the handshake will +fail) or a positive value if it is acceptable. + +The callback when used on the server side should return with either +SSL_TLSEXT_ERR_OK (meaning that the OCSP response that has been set should be +returned), SSL_TLSEXT_ERR_NOACK (meaning that an OCSP response should not be +returned) or SSL_TLSEXT_ERR_ALERT_FATAL (meaning that a fatal error has +occurred). + +SSL_CTX_set_tlsext_status_cb(), SSL_CTX_set_tlsext_status_arg(), +SSL_set_tlsext_status_type() and SSL_set_tlsext_status_ocsp_resp() return 0 on +error or 1 on success. + +SSL_get_tlsext_status_ocsp_resp() returns the length of the OCSP response data +or -1 if there is no OCSP response data. + +=cut diff --git a/deps/openssl/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod b/deps/openssl/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod index b754c16a86..234fbc8450 100644 --- a/deps/openssl/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod +++ b/deps/openssl/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod @@ -48,25 +48,8 @@ even if he gets hold of the normal (certified) key, as this key was only used for signing. In order to perform a DH key exchange the server must use a DH group -(DH parameters) and generate a DH key. -The server will always generate a new DH key during the negotiation -if either the DH parameters are supplied via callback or the -SSL_OP_SINGLE_DH_USE option of SSL_CTX_set_options(3) is set (or both). -It will immediately create a DH key if DH parameters are supplied via -SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. -In this case, -it may happen that a key is generated on initialization without later -being needed, while on the other hand the computer time during the -negotiation is being saved. - -If "strong" primes were used to generate the DH parameters, it is not strictly -necessary to generate a new key for each handshake but it does improve forward -secrecy. If it is not assured that "strong" primes were used, -SSL_OP_SINGLE_DH_USE must be used in order to prevent small subgroup -attacks. Always using SSL_OP_SINGLE_DH_USE has an impact on the -computer time needed during negotiation, but it is not very large, so -application authors/users should consider always enabling this option. -The option is required to implement perfect forward secrecy (PFS). +(DH parameters) and generate a DH key. The server will always generate +a new DH key during the negotiation. As generating DH parameters is extremely time consuming, an application should not generate the parameters on the fly but supply the parameters. @@ -93,10 +76,9 @@ can supply the DH parameters via a callback function. Previous versions of the callback used B<is_export> and B<keylength> parameters to control parameter generation for export and non-export cipher suites. Modern servers that do not support export ciphersuites -are advised to either use SSL_CTX_set_tmp_dh() in combination with -SSL_OP_SINGLE_DH_USE, or alternatively, use the callback but ignore -B<keylength> and B<is_export> and simply supply at least 2048-bit -parameters in the callback. +are advised to either use SSL_CTX_set_tmp_dh() or alternatively, use +the callback but ignore B<keylength> and B<is_export> and simply +supply at least 2048-bit parameters in the callback. =head1 EXAMPLES @@ -128,7 +110,6 @@ partly left out.) if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) { /* Error. */ } - SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); ... =head1 RETURN VALUES diff --git a/deps/openssl/openssl/engines/e_chil.c b/deps/openssl/openssl/engines/e_chil.c index 72d14fe383..5dfab51345 100644 --- a/deps/openssl/openssl/engines/e_chil.c +++ b/deps/openssl/openssl/engines/e_chil.c @@ -1,4 +1,4 @@ -/* crypto/engine/e_chil.c -*- mode: C; c-file-style: "eay" -*- */ +/* crypto/engine/e_chil.c */ /* * Written by Richard Levitte (richard@levitte.org), Geoff Thorpe * (geoff@geoffthorpe.net) and Dr Stephen N Henson (steve@openssl.org) for diff --git a/deps/openssl/openssl/include/openssl/aes.h b/deps/openssl/openssl/include/openssl/aes.h index 87bf60f6f2..faa66c4914 100644 --- a/deps/openssl/openssl/include/openssl/aes.h +++ b/deps/openssl/openssl/include/openssl/aes.h @@ -1,4 +1,4 @@ -/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes.h */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/include/openssl/bio.h b/deps/openssl/openssl/include/openssl/bio.h index f78796b069..6e2293bc66 100644 --- a/deps/openssl/openssl/include/openssl/bio.h +++ b/deps/openssl/openssl/include/openssl/bio.h @@ -479,11 +479,11 @@ struct bio_dgram_sctp_prinfo { # define BIO_get_conn_hostname(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0) # define BIO_get_conn_port(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1) # define BIO_get_conn_ip(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2) -# define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3,0) +# define BIO_get_conn_int_port(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,0,NULL) # define BIO_set_nbio(b,n) BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) -/* BIO_s_accept_socket() */ +/* BIO_s_accept() */ # define BIO_set_accept_port(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0,(char *)name) # define BIO_get_accept_port(b) BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0) /* #define BIO_set_nbio(b,n) BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) */ @@ -496,6 +496,7 @@ struct bio_dgram_sctp_prinfo { # define BIO_set_bind_mode(b,mode) BIO_ctrl(b,BIO_C_SET_BIND_MODE,mode,NULL) # define BIO_get_bind_mode(b,mode) BIO_ctrl(b,BIO_C_GET_BIND_MODE,0,NULL) +/* BIO_s_accept() and BIO_s_connect() */ # define BIO_do_connect(b) BIO_do_handshake(b) # define BIO_do_accept(b) BIO_do_handshake(b) # define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL) @@ -515,12 +516,15 @@ struct bio_dgram_sctp_prinfo { # define BIO_get_url(b,url) BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,2,(char *)(url)) # define BIO_get_no_connect_return(b) BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,5,NULL) +/* BIO_s_datagram(), BIO_s_fd(), BIO_s_socket(), BIO_s_accept() and BIO_s_connect() */ # define BIO_set_fd(b,fd,c) BIO_int_ctrl(b,BIO_C_SET_FD,c,fd) # define BIO_get_fd(b,c) BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c) +/* BIO_s_file() */ # define BIO_set_fp(b,fp,c) BIO_ctrl(b,BIO_C_SET_FILE_PTR,c,(char *)fp) # define BIO_get_fp(b,fpp) BIO_ctrl(b,BIO_C_GET_FILE_PTR,0,(char *)fpp) +/* BIO_s_fd() and BIO_s_file() */ # define BIO_seek(b,ofs) (int)BIO_ctrl(b,BIO_C_FILE_SEEK,ofs,NULL) # define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL) diff --git a/deps/openssl/openssl/include/openssl/camellia.h b/deps/openssl/openssl/include/openssl/camellia.h index 9be7c0fd99..45e8d25b1d 100644 --- a/deps/openssl/openssl/include/openssl/camellia.h +++ b/deps/openssl/openssl/include/openssl/camellia.h @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia.h */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/include/openssl/des_old.h b/deps/openssl/openssl/include/openssl/des_old.h index f1e1e2cb09..ee7607a241 100644 --- a/deps/openssl/openssl/include/openssl/des_old.h +++ b/deps/openssl/openssl/include/openssl/des_old.h @@ -1,4 +1,4 @@ -/* crypto/des/des_old.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/des/des_old.h */ /*- * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING diff --git a/deps/openssl/openssl/include/openssl/dh.h b/deps/openssl/openssl/include/openssl/dh.h index b177673281..5498a9dc10 100644 --- a/deps/openssl/openssl/include/openssl/dh.h +++ b/deps/openssl/openssl/include/openssl/dh.h @@ -174,6 +174,7 @@ struct dh_st { /* DH_check_pub_key error codes */ # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 # define DH_CHECK_PUBKEY_TOO_LARGE 0x02 +# define DH_CHECK_PUBKEY_INVALID 0x03 /* * primes p where (p-1)/2 is prime too are called "safe"; we define this for diff --git a/deps/openssl/openssl/include/openssl/dso.h b/deps/openssl/openssl/include/openssl/dso.h index 7c4a1dc4a6..c9013f5cea 100644 --- a/deps/openssl/openssl/include/openssl/dso.h +++ b/deps/openssl/openssl/include/openssl/dso.h @@ -1,4 +1,4 @@ -/* dso.h -*- mode:C; c-file-style: "eay" -*- */ +/* dso.h */ /* * Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL project * 2000. diff --git a/deps/openssl/openssl/include/openssl/kssl.h b/deps/openssl/openssl/include/openssl/kssl.h index 9a57672801..ae8a51f472 100644 --- a/deps/openssl/openssl/include/openssl/kssl.h +++ b/deps/openssl/openssl/include/openssl/kssl.h @@ -1,4 +1,4 @@ -/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */ +/* ssl/kssl.h */ /* * Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project * 2000. project 2000. diff --git a/deps/openssl/openssl/include/openssl/opensslv.h b/deps/openssl/openssl/include/openssl/opensslv.h index abcef15b17..03b8c48437 100644 --- a/deps/openssl/openssl/include/openssl/opensslv.h +++ b/deps/openssl/openssl/include/openssl/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1000205fL +# define OPENSSL_VERSION_NUMBER 0x1000206fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2e-fips 3 Dec 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2f-fips 28 Jan 2016" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2e 3 Dec 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2f 28 Jan 2016" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/deps/openssl/openssl/include/openssl/ssl.h b/deps/openssl/openssl/include/openssl/ssl.h index afec1f5bf2..ae8c92575e 100644 --- a/deps/openssl/openssl/include/openssl/ssl.h +++ b/deps/openssl/openssl/include/openssl/ssl.h @@ -625,7 +625,7 @@ struct ssl_session_st { # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L /* If set, always create a new key when using tmp_ecdh parameters */ # define SSL_OP_SINGLE_ECDH_USE 0x00080000L -/* If set, always create a new key when using tmp_dh parameters */ +/* Does nothing: retained for compatibility */ # define SSL_OP_SINGLE_DH_USE 0x00100000L /* Does nothing: retained for compatibiity */ # define SSL_OP_EPHEMERAL_RSA 0x0 @@ -2092,7 +2092,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_CTX_set1_sigalgs_list(ctx, s) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s) # define SSL_set1_sigalgs(ctx, slist, slistlen) \ - SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,clistlen,(int *)slist) + SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)slist) # define SSL_set1_sigalgs_list(ctx, s) \ SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s) # define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \ @@ -2713,6 +2713,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL3_SETUP_KEY_BLOCK 157 # define SSL_F_SSL3_SETUP_READ_BUFFER 156 # define SSL_F_SSL3_SETUP_WRITE_BUFFER 291 +# define SSL_F_SSL3_SHUTDOWN 396 # define SSL_F_SSL3_WRITE_BYTES 158 # define SSL_F_SSL3_WRITE_PENDING 159 # define SSL_F_SSL_ADD_CERT_CHAIN 318 @@ -3056,6 +3057,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_SERVERHELLO_TLSEXT 275 # define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 # define SSL_R_SHORT_READ 219 +# define SSL_R_SHUTDOWN_WHILE_IN_INIT 407 # define SSL_R_SIGNATURE_ALGORITHMS_ERROR 360 # define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 # define SSL_R_SRP_A_CALC 361 diff --git a/deps/openssl/openssl/include/openssl/ui.h b/deps/openssl/openssl/include/openssl/ui.h index b917edab3a..0dc16330b8 100644 --- a/deps/openssl/openssl/include/openssl/ui.h +++ b/deps/openssl/openssl/include/openssl/ui.h @@ -1,4 +1,4 @@ -/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/ui/ui.h */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2001. diff --git a/deps/openssl/openssl/include/openssl/ui_compat.h b/deps/openssl/openssl/include/openssl/ui_compat.h index 42fb9ff650..bf541542c0 100644 --- a/deps/openssl/openssl/include/openssl/ui_compat.h +++ b/deps/openssl/openssl/include/openssl/ui_compat.h @@ -1,4 +1,4 @@ -/* crypto/ui/ui.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/ui/ui.h */ /* * Written by Richard Levitte (richard@levitte.org) for the OpenSSL project * 2001. diff --git a/deps/openssl/openssl/include/openssl/x509_vfy.h b/deps/openssl/openssl/include/openssl/x509_vfy.h index bd8613c62b..2663e1c0a3 100644 --- a/deps/openssl/openssl/include/openssl/x509_vfy.h +++ b/deps/openssl/openssl/include/openssl/x509_vfy.h @@ -313,7 +313,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL) # define X509_V_OK 0 -/* illegal error (for uninitialized values, to avoid X509_V_OK): 1 */ +# define X509_V_ERR_UNSPECIFIED 1 # define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 # define X509_V_ERR_UNABLE_TO_GET_CRL 3 diff --git a/deps/openssl/openssl/openssl.spec b/deps/openssl/openssl/openssl.spec index 45e737ad15..72ace12c44 100644 --- a/deps/openssl/openssl/openssl.spec +++ b/deps/openssl/openssl/openssl.spec @@ -6,7 +6,7 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: 1.0.2e +Version: 1.0.2f Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz License: OpenSSL Group: System Environment/Libraries diff --git a/deps/openssl/openssl/ssl/d1_both.c b/deps/openssl/openssl/ssl/d1_both.c index c2c8d57e9d..d1fc716d5c 100644 --- a/deps/openssl/openssl/ssl/d1_both.c +++ b/deps/openssl/openssl/ssl/d1_both.c @@ -295,8 +295,44 @@ int dtls1_do_write(SSL *s, int type) blocksize = 0; frag_off = 0; + s->rwstate = SSL_NOTHING; + /* s->init_num shouldn't ever be < 0...but just in case */ while (s->init_num > 0) { + if (type == SSL3_RT_HANDSHAKE && s->init_off != 0) { + /* We must be writing a fragment other than the first one */ + + if (frag_off > 0) { + /* This is the first attempt at writing out this fragment */ + + if (s->init_off <= DTLS1_HM_HEADER_LENGTH) { + /* + * Each fragment that was already sent must at least have + * contained the message header plus one other byte. + * Therefore |init_off| must have progressed by at least + * |DTLS1_HM_HEADER_LENGTH + 1| bytes. If not something went + * wrong. + */ + return -1; + } + + /* + * Adjust |init_off| and |init_num| to allow room for a new + * message header for this fragment. + */ + s->init_off -= DTLS1_HM_HEADER_LENGTH; + s->init_num += DTLS1_HM_HEADER_LENGTH; + } else { + /* + * We must have been called again after a retry so use the + * fragment offset from our last attempt. We do not need + * to adjust |init_off| and |init_num| as above, because + * that should already have been done before the retry. + */ + frag_off = s->d1->w_msg_hdr.frag_off; + } + } + used_len = BIO_wpending(SSL_get_wbio(s)) + DTLS1_RT_HEADER_LENGTH + mac_size + blocksize; if (s->d1->mtu > used_len) @@ -309,8 +345,10 @@ int dtls1_do_write(SSL *s, int type) * grr.. we could get an error if MTU picked was wrong */ ret = BIO_flush(SSL_get_wbio(s)); - if (ret <= 0) + if (ret <= 0) { + s->rwstate = SSL_WRITING; return ret; + } used_len = DTLS1_RT_HEADER_LENGTH + mac_size + blocksize; if (s->d1->mtu > used_len + DTLS1_HM_HEADER_LENGTH) { curr_mtu = s->d1->mtu - used_len; @@ -336,25 +374,6 @@ int dtls1_do_write(SSL *s, int type) * XDTLS: this function is too long. split out the CCS part */ if (type == SSL3_RT_HANDSHAKE) { - if (s->init_off != 0) { - OPENSSL_assert(s->init_off > DTLS1_HM_HEADER_LENGTH); - s->init_off -= DTLS1_HM_HEADER_LENGTH; - s->init_num += DTLS1_HM_HEADER_LENGTH; - - /* - * We just checked that s->init_num > 0 so this cast should - * be safe - */ - if (((unsigned int)s->init_num) > curr_mtu) - len = curr_mtu; - else - len = s->init_num; - } - - /* Shouldn't ever happen */ - if (len > INT_MAX) - len = INT_MAX; - if (len < DTLS1_HM_HEADER_LENGTH) { /* * len is so small that we really can't do anything sensible @@ -442,7 +461,16 @@ int dtls1_do_write(SSL *s, int type) } s->init_off += ret; s->init_num -= ret; - frag_off += (ret -= DTLS1_HM_HEADER_LENGTH); + ret -= DTLS1_HM_HEADER_LENGTH; + frag_off += ret; + + /* + * We save the fragment offset for the next fragment so we have it + * available in case of an IO retry. We don't know the length of the + * next fragment yet so just set that to 0 for now. It will be + * updated again later. + */ + dtls1_fix_message_header(s, frag_off, 0); } } return (0); diff --git a/deps/openssl/openssl/ssl/kssl.c b/deps/openssl/openssl/ssl/kssl.c index cf585679dc..f2839bdcd7 100644 --- a/deps/openssl/openssl/ssl/kssl.c +++ b/deps/openssl/openssl/ssl/kssl.c @@ -1,4 +1,4 @@ -/* ssl/kssl.c -*- mode: C; c-file-style: "eay" -*- */ +/* ssl/kssl.c */ /* * Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project * 2000. diff --git a/deps/openssl/openssl/ssl/kssl.h b/deps/openssl/openssl/ssl/kssl.h index 9a57672801..ae8a51f472 100644 --- a/deps/openssl/openssl/ssl/kssl.h +++ b/deps/openssl/openssl/ssl/kssl.h @@ -1,4 +1,4 @@ -/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */ +/* ssl/kssl.h */ /* * Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project * 2000. project 2000. diff --git a/deps/openssl/openssl/ssl/kssl_lcl.h b/deps/openssl/openssl/ssl/kssl_lcl.h index 46dcef22d1..8e6a6d69e9 100644 --- a/deps/openssl/openssl/ssl/kssl_lcl.h +++ b/deps/openssl/openssl/ssl/kssl_lcl.h @@ -1,4 +1,4 @@ -/* ssl/kssl.h -*- mode: C; c-file-style: "eay" -*- */ +/* ssl/kssl.h */ /* * Written by Vern Staats <staatsvr@asc.hpc.mil> for the OpenSSL project * 2000. project 2000. diff --git a/deps/openssl/openssl/ssl/s2_srvr.c b/deps/openssl/openssl/ssl/s2_srvr.c index 4289272b73..07e9df8282 100644 --- a/deps/openssl/openssl/ssl/s2_srvr.c +++ b/deps/openssl/openssl/ssl/s2_srvr.c @@ -402,7 +402,7 @@ static int get_client_master_key(SSL *s) } cp = ssl2_get_cipher_by_char(p); - if (cp == NULL) { + if (cp == NULL || sk_SSL_CIPHER_find(s->session->ciphers, cp) < 0) { ssl2_return_error(s, SSL2_PE_NO_CIPHER); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_CIPHER_MATCH); return (-1); @@ -598,6 +598,11 @@ static int get_client_hello(SSL *s) s->s2->tmp.cipher_spec_length = i; n2s(p, i); s->s2->tmp.session_id_length = i; + if ((i < 0) || (i > SSL_MAX_SSL_SESSION_ID_LENGTH)) { + ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); + SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + return -1; + } n2s(p, i); s->s2->challenge_length = i; if ((i < SSL2_MIN_CHALLENGE_LENGTH) || @@ -687,8 +692,12 @@ static int get_client_hello(SSL *s) prio = cs; allow = cl; } + + /* Generate list of SSLv2 ciphers shared between client and server */ for (z = 0; z < sk_SSL_CIPHER_num(prio); z++) { - if (sk_SSL_CIPHER_find(allow, sk_SSL_CIPHER_value(prio, z)) < 0) { + const SSL_CIPHER *cp = sk_SSL_CIPHER_value(prio, z); + if ((cp->algorithm_ssl & SSL_SSLV2) == 0 || + sk_SSL_CIPHER_find(allow, cp) < 0) { (void)sk_SSL_CIPHER_delete(prio, z); z--; } @@ -697,6 +706,13 @@ static int get_client_hello(SSL *s) sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers = prio; } + + /* Make sure we have at least one cipher in common */ + if (sk_SSL_CIPHER_num(s->session->ciphers) == 0) { + ssl2_return_error(s, SSL2_PE_NO_CIPHER); + SSLerr(SSL_F_GET_CLIENT_HELLO, SSL_R_NO_CIPHER_MATCH); + return -1; + } /* * s->session->ciphers should now have a list of ciphers that are on * both the client and server. This list is ordered by the order the diff --git a/deps/openssl/openssl/ssl/s3_clnt.c b/deps/openssl/openssl/ssl/s3_clnt.c index bc5254c811..04cc9f54a9 100644 --- a/deps/openssl/openssl/ssl/s3_clnt.c +++ b/deps/openssl/openssl/ssl/s3_clnt.c @@ -2350,37 +2350,44 @@ int ssl3_get_cert_status(SSL *s) n = s->method->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A, SSL3_ST_CR_CERT_STATUS_B, - SSL3_MT_CERTIFICATE_STATUS, 16384, &ok); + -1, 16384, &ok); if (!ok) return ((int)n); - if (n < 4) { - /* need at least status type + length */ - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH); - goto f_err; - } - p = (unsigned char *)s->init_msg; - if (*p++ != TLSEXT_STATUSTYPE_ocsp) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE); - goto f_err; - } - n2l3(p, resplen); - if (resplen + 4 != n) { - al = SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH); - goto f_err; - } - if (s->tlsext_ocsp_resp) - OPENSSL_free(s->tlsext_ocsp_resp); - s->tlsext_ocsp_resp = BUF_memdup(p, resplen); - if (!s->tlsext_ocsp_resp) { - al = SSL_AD_INTERNAL_ERROR; - SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE); - goto f_err; + + if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_STATUS) { + /* + * The CertificateStatus message is optional even if + * tlsext_status_expected is set + */ + s->s3->tmp.reuse_message = 1; + } else { + if (n < 4) { + /* need at least status type + length */ + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + p = (unsigned char *)s->init_msg; + if (*p++ != TLSEXT_STATUSTYPE_ocsp) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_UNSUPPORTED_STATUS_TYPE); + goto f_err; + } + n2l3(p, resplen); + if (resplen + 4 != n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CERT_STATUS, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + s->tlsext_ocsp_resp = BUF_memdup(p, resplen); + if (s->tlsext_ocsp_resp == NULL) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_CERT_STATUS, ERR_R_MALLOC_FAILURE); + goto f_err; + } + s->tlsext_ocsp_resplen = resplen; } - s->tlsext_ocsp_resplen = resplen; if (s->ctx->tlsext_status_cb) { int ret; ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); @@ -3603,7 +3610,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) DH_free(dh_srvr); } - if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768) + if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 1024) || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL); goto f_err; diff --git a/deps/openssl/openssl/ssl/s3_lib.c b/deps/openssl/openssl/ssl/s3_lib.c index 64793d6af3..f846cb5b7b 100644 --- a/deps/openssl/openssl/ssl/s3_lib.c +++ b/deps/openssl/openssl/ssl/s3_lib.c @@ -3206,13 +3206,6 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); return (ret); } - if (!(s->options & SSL_OP_SINGLE_DH_USE)) { - if (!DH_generate_key(dh)) { - DH_free(dh); - SSLerr(SSL_F_SSL3_CTRL, ERR_R_DH_LIB); - return (ret); - } - } if (s->cert->dh_tmp != NULL) DH_free(s->cert->dh_tmp); s->cert->dh_tmp = dh; @@ -3263,6 +3256,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #ifndef OPENSSL_NO_TLSEXT case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { + size_t len; + if (s->tlsext_hostname != NULL) OPENSSL_free(s->tlsext_hostname); s->tlsext_hostname = NULL; @@ -3270,7 +3265,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) ret = 1; if (parg == NULL) break; - if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) { + len = strlen((char *)parg); + if (len == 0 || len > TLSEXT_MAXLEN_host_name) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; } @@ -3710,13 +3706,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB); return 0; } - if (!(ctx->options & SSL_OP_SINGLE_DH_USE)) { - if (!DH_generate_key(new)) { - SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_DH_LIB); - DH_free(new); - return 0; - } - } if (cert->dh_tmp != NULL) DH_free(cert->dh_tmp); cert->dh_tmp = new; @@ -4337,6 +4326,21 @@ int ssl3_shutdown(SSL *s) } #endif } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { + if (SSL_in_init(s)) { + /* + * We can't shutdown properly if we are in the middle of a + * handshake. Doing so is problematic because the peer may send a + * CCS before it acts on our close_notify. However we should not + * continue to process received handshake messages or CCS once our + * close_notify has been sent. Therefore any close_notify from + * the peer will be unreadable because we have not moved to the next + * cipher state. Its best just to avoid this can-of-worms. Return + * an error if we are wanting to wait for a close_notify from the + * peer and we are in init. + */ + SSLerr(SSL_F_SSL3_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT); + return -1; + } /* * If we are waiting for a close from our peer, we are closed */ diff --git a/deps/openssl/openssl/ssl/s3_srvr.c b/deps/openssl/openssl/ssl/s3_srvr.c index ee83105b75..ab28702ee9 100644 --- a/deps/openssl/openssl/ssl/s3_srvr.c +++ b/deps/openssl/openssl/ssl/s3_srvr.c @@ -1,4 +1,4 @@ -/* ssl/s3_srvr.c -*- mode:C; c-file-style: "eay" -*- */ +/* ssl/s3_srvr.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1004,6 +1004,12 @@ int ssl3_get_client_hello(SSL *s) goto f_err; } + if ((j < 0) || (j > SSL_MAX_SSL_SESSION_ID_LENGTH)) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); + goto f_err; + } + s->hit = 0; /* * Versions before 0.9.7 always allow clients to resume sessions in @@ -1681,20 +1687,9 @@ int ssl3_send_server_key_exchange(SSL *s) } s->s3->tmp.dh = dh; - if ((dhp->pub_key == NULL || - dhp->priv_key == NULL || - (s->options & SSL_OP_SINGLE_DH_USE))) { - if (!DH_generate_key(dh)) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); - goto err; - } - } else { - dh->pub_key = BN_dup(dhp->pub_key); - dh->priv_key = BN_dup(dhp->priv_key); - if ((dh->pub_key == NULL) || (dh->priv_key == NULL)) { - SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); - goto err; - } + if (!DH_generate_key(dh)) { + SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE, ERR_R_DH_LIB); + goto err; } r[0] = dh->p; r[1] = dh->g; diff --git a/deps/openssl/openssl/ssl/ssl.h b/deps/openssl/openssl/ssl/ssl.h index afec1f5bf2..ae8c92575e 100644 --- a/deps/openssl/openssl/ssl/ssl.h +++ b/deps/openssl/openssl/ssl/ssl.h @@ -625,7 +625,7 @@ struct ssl_session_st { # define SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x00040000L /* If set, always create a new key when using tmp_ecdh parameters */ # define SSL_OP_SINGLE_ECDH_USE 0x00080000L -/* If set, always create a new key when using tmp_dh parameters */ +/* Does nothing: retained for compatibility */ # define SSL_OP_SINGLE_DH_USE 0x00100000L /* Does nothing: retained for compatibiity */ # define SSL_OP_EPHEMERAL_RSA 0x0 @@ -2092,7 +2092,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) # define SSL_CTX_set1_sigalgs_list(ctx, s) \ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s) # define SSL_set1_sigalgs(ctx, slist, slistlen) \ - SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,clistlen,(int *)slist) + SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS,slistlen,(int *)slist) # define SSL_set1_sigalgs_list(ctx, s) \ SSL_ctrl(ctx,SSL_CTRL_SET_SIGALGS_LIST,0,(char *)s) # define SSL_CTX_set1_client_sigalgs(ctx, slist, slistlen) \ @@ -2713,6 +2713,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL3_SETUP_KEY_BLOCK 157 # define SSL_F_SSL3_SETUP_READ_BUFFER 156 # define SSL_F_SSL3_SETUP_WRITE_BUFFER 291 +# define SSL_F_SSL3_SHUTDOWN 396 # define SSL_F_SSL3_WRITE_BYTES 158 # define SSL_F_SSL3_WRITE_PENDING 159 # define SSL_F_SSL_ADD_CERT_CHAIN 318 @@ -3056,6 +3057,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_SERVERHELLO_TLSEXT 275 # define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277 # define SSL_R_SHORT_READ 219 +# define SSL_R_SHUTDOWN_WHILE_IN_INIT 407 # define SSL_R_SIGNATURE_ALGORITHMS_ERROR 360 # define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 # define SSL_R_SRP_A_CALC 361 diff --git a/deps/openssl/openssl/ssl/ssl_err.c b/deps/openssl/openssl/ssl/ssl_err.c index 6d1366f2a5..dd3b2afd1e 100644 --- a/deps/openssl/openssl/ssl/ssl_err.c +++ b/deps/openssl/openssl/ssl/ssl_err.c @@ -206,6 +206,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "ssl3_setup_key_block"}, {ERR_FUNC(SSL_F_SSL3_SETUP_READ_BUFFER), "ssl3_setup_read_buffer"}, {ERR_FUNC(SSL_F_SSL3_SETUP_WRITE_BUFFER), "ssl3_setup_write_buffer"}, + {ERR_FUNC(SSL_F_SSL3_SHUTDOWN), "ssl3_shutdown"}, {ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "ssl3_write_bytes"}, {ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "ssl3_write_pending"}, {ERR_FUNC(SSL_F_SSL_ADD_CERT_CHAIN), "ssl_add_cert_chain"}, @@ -647,6 +648,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED), "session id context uninitialized"}, {ERR_REASON(SSL_R_SHORT_READ), "short read"}, + {ERR_REASON(SSL_R_SHUTDOWN_WHILE_IN_INIT), "shutdown while in init"}, {ERR_REASON(SSL_R_SIGNATURE_ALGORITHMS_ERROR), "signature algorithms error"}, {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE), diff --git a/deps/openssl/openssl/ssl/ssl_lib.c b/deps/openssl/openssl/ssl/ssl_lib.c index f2071db937..2744be8ad8 100644 --- a/deps/openssl/openssl/ssl/ssl_lib.c +++ b/deps/openssl/openssl/ssl/ssl_lib.c @@ -1060,10 +1060,7 @@ int SSL_shutdown(SSL *s) return -1; } - if ((s != NULL) && !SSL_in_init(s)) - return (s->method->ssl_shutdown(s)); - else - return (1); + return s->method->ssl_shutdown(s); } int SSL_renegotiate(SSL *s) diff --git a/deps/openssl/openssl/ssl/ssl_sess.c b/deps/openssl/openssl/ssl/ssl_sess.c index 68390d3108..b182998343 100644 --- a/deps/openssl/openssl/ssl/ssl_sess.c +++ b/deps/openssl/openssl/ssl/ssl_sess.c @@ -573,9 +573,6 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, int r; #endif - if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH) - goto err; - if (session_id + len > limit) { fatal = 1; goto err; diff --git a/deps/openssl/openssl/ssl/t1_enc.c b/deps/openssl/openssl/ssl/t1_enc.c index f46544b4d7..514fcb3e4e 100644 --- a/deps/openssl/openssl/ssl/t1_enc.c +++ b/deps/openssl/openssl/ssl/t1_enc.c @@ -1155,7 +1155,7 @@ int tls1_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, so = s->s3->server_opaque_prf_input; /* * must be same as col (see - * draft-resc-00.txts-opaque-prf-input-00.txt, section 3.1) + * draft-rescorla-tls-opaque-prf-input-00.txt, section 3.1) */ sol = s->s3->client_opaque_prf_input_len; } diff --git a/deps/openssl/openssl/ssl/t1_lib.c b/deps/openssl/openssl/ssl/t1_lib.c index 3176d1e3ba..d9ba99d735 100644 --- a/deps/openssl/openssl/ssl/t1_lib.c +++ b/deps/openssl/openssl/ssl/t1_lib.c @@ -3157,22 +3157,20 @@ int ssl_check_serverhello_tlsext(SSL *s) } # endif + OPENSSL_free(s->tlsext_ocsp_resp); + s->tlsext_ocsp_resp = NULL; + s->tlsext_ocsp_resplen = -1; /* * If we've requested certificate status and we wont get one tell the * callback */ if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) - && s->ctx && s->ctx->tlsext_status_cb) { + && !(s->hit) && s->ctx && s->ctx->tlsext_status_cb) { int r; /* - * Set resp to NULL, resplen to -1 so callback knows there is no - * response. + * Call callback with resp == NULL and resplen == -1 so callback + * knows there is no response */ - if (s->tlsext_ocsp_resp) { - OPENSSL_free(s->tlsext_ocsp_resp); - s->tlsext_ocsp_resp = NULL; - } - s->tlsext_ocsp_resplen = -1; r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); if (r == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; @@ -3583,7 +3581,7 @@ static int tls12_get_pkey_idx(unsigned char sig_alg) static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, int *psignhash_nid, const unsigned char *data) { - int sign_nid = 0, hash_nid = 0; + int sign_nid = NID_undef, hash_nid = NID_undef; if (!phash_nid && !psign_nid && !psignhash_nid) return; if (phash_nid || psignhash_nid) { @@ -3599,9 +3597,9 @@ static void tls1_lookup_sigalg(int *phash_nid, int *psign_nid, *psign_nid = sign_nid; } if (psignhash_nid) { - if (sign_nid && hash_nid) - OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, sign_nid); - else + if (sign_nid == NID_undef || hash_nid == NID_undef + || OBJ_find_sigid_by_algs(psignhash_nid, hash_nid, + sign_nid) <= 0) *psignhash_nid = NID_undef; } } diff --git a/deps/openssl/openssl/test/bctest b/deps/openssl/openssl/test/bctest new file mode 100755 index 0000000000..bdb3218f7a --- /dev/null +++ b/deps/openssl/openssl/test/bctest @@ -0,0 +1,111 @@ +#!/bin/sh + +# This script is used by test/Makefile.ssl to check whether a sane 'bc' +# is installed. +# ('make test_bn' should not try to run 'bc' if it does not exist or if +# it is a broken 'bc' version that is known to cause trouble.) +# +# If 'bc' works, we also test if it knows the 'print' command. +# +# In any case, output an appropriate command line for running (or not +# running) bc. + + +IFS=: +try_without_dir=true +# First we try "bc", then "$dir/bc" for each item in $PATH. +for dir in dummy:$PATH; do + if [ "$try_without_dir" = true ]; then + # first iteration + bc=bc + try_without_dir=false + else + # second and later iterations + bc="$dir/bc" + if [ ! -f "$bc" ]; then # '-x' is not available on Ultrix + bc='' + fi + fi + + if [ ! "$bc" = '' ]; then + failure=none + + + # Test for SunOS 5.[78] bc bug + "$bc" >tmp.bctest <<\EOF +obase=16 +ibase=16 +a=AD88C418F31B3FC712D0425001D522B3AE9134FF3A98C13C1FCC1682211195406C1A6C66C6A\ +CEEC1A0EC16950233F77F1C2F2363D56DD71A36C57E0B2511FC4BA8F22D261FE2E9356D99AF57\ +10F3817C0E05BF79C423C3F66FDF321BE8D3F18F625D91B670931C1EF25F28E489BDA1C5422D1\ +C3F6F7A1AD21585746ECC4F10A14A778AF56F08898E965E9909E965E0CB6F85B514150C644759\ +3BE731877B16EA07B552088FF2EA728AC5E0FF3A23EB939304519AB8B60F2C33D6BA0945B66F0\ +4FC3CADF855448B24A9D7640BCF473E +b=DCE91E7D120B983EA9A104B5A96D634DD644C37657B1C7860B45E6838999B3DCE5A555583C6\ +9209E41F413422954175A06E67FFEF6746DD652F0F48AEFECC3D8CAC13523BDAAD3F5AF4212BD\ +8B3CD64126E1A82E190228020C05B91C8B141F1110086FC2A4C6ED631EBA129D04BB9A19FC53D\ +3ED0E2017D60A68775B75481449 +(a/b)*b + (a%b) - a +EOF + if [ 0 != "`cat tmp.bctest`" ]; then + failure=SunOStest + fi + + + if [ "$failure" = none ]; then + # Test for SCO bc bug. + "$bc" >tmp.bctest <<\EOF +obase=16 +ibase=16 +-FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4AEC6F15AC177F176F2274D2\ +9DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7F5ADFACEE54573F5D256A06\ +11B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99FB9812A0E4A5773D8B254117\ +1239157EC6E3D8D50199 * -FFDD63BA1A4648F0D804F8A1C66C53F0D2110590E8A3907EC73B4\ +AEC6F15AC177F176F2274D29DC8022EA0D7DD3ABE9746D2D46DD3EA5B5F6F69DF12877E0AC5E7\ +F5ADFACEE54573F5D256A0611B5D2BC24947724E22AE4EC3FB0C39D9B4694A01AFE5E43B4D99F\ +B9812A0E4A5773D8B2541171239157EC6E3D8D50199 - FFBACC221682DA464B6D7F123482522\ +02EDAEDCA38C3B69E9B7BBCD6165A9CD8716C4903417F23C09A85B851961F92C217258CEEB866\ +85EFCC5DD131853A02C07A873B8E2AF2E40C6D5ED598CD0E8F35AD49F3C3A17FDB7653E4E2DC4\ +A8D23CC34686EE4AD01F7407A7CD74429AC6D36DBF0CB6A3E302D0E5BDFCD048A3B90C1BE5AA8\ +E16C3D5884F9136B43FF7BB443764153D4AEC176C681B078F4CC53D6EB6AB76285537DDEE7C18\ +8C72441B52EDBDDBC77E02D34E513F2AABF92F44109CAFE8242BD0ECBAC5604A94B02EA44D43C\ +04E9476E6FBC48043916BFA1485C6093603600273C9C33F13114D78064AE42F3DC466C7DA543D\ +89C8D71 +AD534AFBED2FA39EE9F40E20FCF9E2C861024DB98DDCBA1CD118C49CA55EEBC20D6BA51B2271C\ +928B693D6A73F67FEB1B4571448588B46194617D25D910C6A9A130CC963155CF34079CB218A44\ +8A1F57E276D92A33386DDCA3D241DB78C8974ABD71DD05B0FA555709C9910D745185E6FE108E3\ +37F1907D0C56F8BFBF52B9704 % -E557905B56B13441574CAFCE2BD257A750B1A8B2C88D0E36\ +E18EF7C38DAC80D3948E17ED63AFF3B3467866E3B89D09A81B3D16B52F6A3C7134D3C6F5123E9\ +F617E3145BBFBE9AFD0D6E437EA4FF6F04BC67C4F1458B4F0F47B64 - 1C2BBBB19B74E86FD32\ +9E8DB6A8C3B1B9986D57ED5419C2E855F7D5469E35E76334BB42F4C43E3F3A31B9697C171DAC4\ +D97935A7E1A14AD209D6CF811F55C6DB83AA9E6DFECFCD6669DED7171EE22A40C6181615CAF3F\ +5296964 +EOF + if [ "0 +0" != "`cat tmp.bctest`" ]; then + failure=SCOtest + fi + fi + + + if [ "$failure" = none ]; then + # bc works; now check if it knows the 'print' command. + if [ "OK" = "`echo 'print \"OK\"' | $bc 2>/dev/null`" ] + then + echo "$bc" + else + echo "sed 's/print.*//' | $bc" + fi + exit 0 + fi + + echo "$bc does not work properly ('$failure' failed). Looking for another bc ..." >&2 + fi +done + +echo "No working bc found. Consider installing GNU bc." >&2 +if [ "$1" = ignore ]; then + echo "cat >/dev/null" + exit 0 +fi +exit 1 diff --git a/deps/openssl/openssl/test/bftest.c b/deps/openssl/openssl/test/bftest.c deleted file mode 120000 index eb8c15de7e..0000000000 --- a/deps/openssl/openssl/test/bftest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/bf/bftest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/bntest.c b/deps/openssl/openssl/test/bntest.c deleted file mode 120000 index 1f781768a9..0000000000 --- a/deps/openssl/openssl/test/bntest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/bn/bntest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/casttest.c b/deps/openssl/openssl/test/casttest.c deleted file mode 120000 index 823c4bb36c..0000000000 --- a/deps/openssl/openssl/test/casttest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/cast/casttest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/clienthellotest.c b/deps/openssl/openssl/test/clienthellotest.c deleted file mode 120000 index ae25f16c43..0000000000 --- a/deps/openssl/openssl/test/clienthellotest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../ssl/clienthellotest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/constant_time_test.c b/deps/openssl/openssl/test/constant_time_test.c deleted file mode 120000 index 4f9a6aa6e5..0000000000 --- a/deps/openssl/openssl/test/constant_time_test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/constant_time_test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/destest.c b/deps/openssl/openssl/test/destest.c deleted file mode 120000 index fd77cd5ca8..0000000000 --- a/deps/openssl/openssl/test/destest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/des/destest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/dhtest.c b/deps/openssl/openssl/test/dhtest.c deleted file mode 120000 index 7c3e64db0d..0000000000 --- a/deps/openssl/openssl/test/dhtest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/dh/dhtest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/dsatest.c b/deps/openssl/openssl/test/dsatest.c deleted file mode 120000 index 1a181759a1..0000000000 --- a/deps/openssl/openssl/test/dsatest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/dsa/dsatest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/ecdhtest.c b/deps/openssl/openssl/test/ecdhtest.c deleted file mode 120000 index 5e24a98a67..0000000000 --- a/deps/openssl/openssl/test/ecdhtest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/ecdh/ecdhtest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/ecdsatest.c b/deps/openssl/openssl/test/ecdsatest.c deleted file mode 120000 index c2bbe4f91b..0000000000 --- a/deps/openssl/openssl/test/ecdsatest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/ecdsa/ecdsatest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/ectest.c b/deps/openssl/openssl/test/ectest.c deleted file mode 120000 index e25805f3e0..0000000000 --- a/deps/openssl/openssl/test/ectest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/ec/ectest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/enginetest.c b/deps/openssl/openssl/test/enginetest.c deleted file mode 120000 index 7eb1831ea3..0000000000 --- a/deps/openssl/openssl/test/enginetest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/engine/enginetest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/evp_extra_test.c b/deps/openssl/openssl/test/evp_extra_test.c deleted file mode 120000 index 7be69e4f57..0000000000 --- a/deps/openssl/openssl/test/evp_extra_test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/evp/evp_extra_test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/evp_test.c b/deps/openssl/openssl/test/evp_test.c deleted file mode 120000 index 969b2dfaca..0000000000 --- a/deps/openssl/openssl/test/evp_test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/evp/evp_test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/exptest.c b/deps/openssl/openssl/test/exptest.c deleted file mode 120000 index cea2f17017..0000000000 --- a/deps/openssl/openssl/test/exptest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/bn/exptest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/heartbeat_test.c b/deps/openssl/openssl/test/heartbeat_test.c deleted file mode 120000 index 836fb8a6d7..0000000000 --- a/deps/openssl/openssl/test/heartbeat_test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../ssl/heartbeat_test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/hmactest.c b/deps/openssl/openssl/test/hmactest.c deleted file mode 120000 index a646bcdd43..0000000000 --- a/deps/openssl/openssl/test/hmactest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/hmac/hmactest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/ideatest.c b/deps/openssl/openssl/test/ideatest.c deleted file mode 120000 index ba9935815c..0000000000 --- a/deps/openssl/openssl/test/ideatest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/idea/ideatest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/igetest.c b/deps/openssl/openssl/test/igetest.c index 0c7b3573d0..08f361a0a8 100644 --- a/deps/openssl/openssl/test/igetest.c +++ b/deps/openssl/openssl/test/igetest.c @@ -1,4 +1,4 @@ -/* test/igetest.c -*- mode:C; c-file-style: "eay" -*- */ +/* test/igetest.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * diff --git a/deps/openssl/openssl/test/jpaketest.c b/deps/openssl/openssl/test/jpaketest.c deleted file mode 120000 index 1b5e260fab..0000000000 --- a/deps/openssl/openssl/test/jpaketest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/dummytest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/md2test.c b/deps/openssl/openssl/test/md2test.c deleted file mode 120000 index 1b5e260fab..0000000000 --- a/deps/openssl/openssl/test/md2test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/dummytest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/md4test.c b/deps/openssl/openssl/test/md4test.c deleted file mode 120000 index 88e2eb82c7..0000000000 --- a/deps/openssl/openssl/test/md4test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/md4/md4test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/md5test.c b/deps/openssl/openssl/test/md5test.c deleted file mode 120000 index 62779aedff..0000000000 --- a/deps/openssl/openssl/test/md5test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/md5/md5test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/mdc2test.c b/deps/openssl/openssl/test/mdc2test.c deleted file mode 120000 index 89c5faf92e..0000000000 --- a/deps/openssl/openssl/test/mdc2test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/mdc2/mdc2test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/randtest.c b/deps/openssl/openssl/test/randtest.c deleted file mode 120000 index 7094f41bd0..0000000000 --- a/deps/openssl/openssl/test/randtest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/rand/randtest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/rc2test.c b/deps/openssl/openssl/test/rc2test.c deleted file mode 120000 index 4101b4f4e8..0000000000 --- a/deps/openssl/openssl/test/rc2test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/rc2/rc2test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/rc4test.c b/deps/openssl/openssl/test/rc4test.c deleted file mode 120000 index d3c90794b3..0000000000 --- a/deps/openssl/openssl/test/rc4test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/rc4/rc4test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/rc5test.c b/deps/openssl/openssl/test/rc5test.c deleted file mode 120000 index 1b5e260fab..0000000000 --- a/deps/openssl/openssl/test/rc5test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/dummytest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/rmdtest.c b/deps/openssl/openssl/test/rmdtest.c deleted file mode 120000 index 1744939e0f..0000000000 --- a/deps/openssl/openssl/test/rmdtest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/ripemd/rmdtest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/rsa_test.c b/deps/openssl/openssl/test/rsa_test.c deleted file mode 120000 index 4bc7c76809..0000000000 --- a/deps/openssl/openssl/test/rsa_test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/rsa/rsa_test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/sha1test.c b/deps/openssl/openssl/test/sha1test.c deleted file mode 120000 index 172c67cc8d..0000000000 --- a/deps/openssl/openssl/test/sha1test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/sha/sha1test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/sha256t.c b/deps/openssl/openssl/test/sha256t.c deleted file mode 120000 index 2f356c921b..0000000000 --- a/deps/openssl/openssl/test/sha256t.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/sha/sha256t.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/sha512t.c b/deps/openssl/openssl/test/sha512t.c deleted file mode 120000 index fbab5ab848..0000000000 --- a/deps/openssl/openssl/test/sha512t.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/sha/sha512t.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/shatest.c b/deps/openssl/openssl/test/shatest.c deleted file mode 120000 index b0bffa74fd..0000000000 --- a/deps/openssl/openssl/test/shatest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/sha/shatest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/srptest.c b/deps/openssl/openssl/test/srptest.c deleted file mode 120000 index 4f8b8f850c..0000000000 --- a/deps/openssl/openssl/test/srptest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/srp/srptest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/ssltest.c b/deps/openssl/openssl/test/ssltest.c deleted file mode 120000 index 9ee1c02f16..0000000000 --- a/deps/openssl/openssl/test/ssltest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../ssl/ssltest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/v3nametest.c b/deps/openssl/openssl/test/v3nametest.c deleted file mode 120000 index 05ac941158..0000000000 --- a/deps/openssl/openssl/test/v3nametest.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/x509v3/v3nametest.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/verify_extra_test.c b/deps/openssl/openssl/test/verify_extra_test.c deleted file mode 120000 index 0d94843bbf..0000000000 --- a/deps/openssl/openssl/test/verify_extra_test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/x509/verify_extra_test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/test/wp_test.c b/deps/openssl/openssl/test/wp_test.c deleted file mode 120000 index a0a05266b1..0000000000 --- a/deps/openssl/openssl/test/wp_test.c +++ /dev/null @@ -1 +0,0 @@ -openssl-1.0.2e/../crypto/whrlpool/wp_test.c
\ No newline at end of file diff --git a/deps/openssl/openssl/util/domd b/deps/openssl/openssl/util/domd index 6a628c7f96..95bb1b06e2 100755 --- a/deps/openssl/openssl/util/domd +++ b/deps/openssl/openssl/util/domd @@ -14,8 +14,8 @@ if [ "$MAKEDEPEND" = "" ]; then MAKEDEPEND=makedepend; fi cp Makefile Makefile.save # fake the presence of Kerberos touch $TOP/krb5.h -if ${MAKEDEPEND} --version 2>&1 | grep -q "clang" || - echo $MAKEDEPEND | grep -q "gcc"; then +if ${MAKEDEPEND} --version 2>&1 | grep "clang" > /dev/null || + echo $MAKEDEPEND | grep "gcc" > /dev/null; then args="" while [ $# -gt 0 ]; do if [ "$1" != "--" ]; then args="$args $1"; fi diff --git a/deps/openssl/openssl/util/pl/VC-32.pl b/deps/openssl/openssl/util/pl/VC-32.pl index 284fe0381e..0f5547f056 100644 --- a/deps/openssl/openssl/util/pl/VC-32.pl +++ b/deps/openssl/openssl/util/pl/VC-32.pl @@ -361,9 +361,13 @@ sub do_link_rule $ret.="$target: $files $dep_libs"; if ($standalone == 1) { - $ret.=" \$(OBJ_D)${o}applink.obj\n"; + $ret.=" \$(OBJ_D)${o}applink.obj" if $shlib; + $ret.="\n"; $ret.=" \$(LINK) \$(LFLAGS) $efile$target @<<\n\t"; - $ret.= "\$(EX_LIBS) \$(OBJ_D)${o}applink.obj " if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild); + if ($files =~ /O_FIPSCANISTER/ && !$fipscanisterbuild) { + $ret.= "\$(EX_LIBS) "; + $ret.= "\$(OBJ_D)${o}applink.obj " if $shlib; + } $ret.="$files $libs\n<<\n"; } elsif ($standalone == 2) diff --git a/deps/openssl/openssl/util/pod2mantest b/deps/openssl/openssl/util/pod2mantest new file mode 100755 index 0000000000..384e683df4 --- /dev/null +++ b/deps/openssl/openssl/util/pod2mantest @@ -0,0 +1,58 @@ +#!/bin/sh + +# This script is used by test/Makefile to check whether a sane 'pod2man' +# is installed. +# ('make install' should not try to run 'pod2man' if it does not exist or if +# it is a broken 'pod2man' version that is known to cause trouble. if we find +# the system 'pod2man' to be broken, we use our own copy instead) +# +# In any case, output an appropriate command line for running (or not +# running) pod2man. + + +IFS=: +if test "$OSTYPE" = "msdosdjgpp"; then IFS=";"; fi + +try_without_dir=true +# First we try "pod2man", then "$dir/pod2man" for each item in $PATH. +for dir in dummy${IFS}$PATH; do + if [ "$try_without_dir" = true ]; then + # first iteration + pod2man=pod2man + try_without_dir=false + else + # second and later iterations + pod2man="$dir/pod2man" + if [ ! -f "$pod2man" ]; then # '-x' is not available on Ultrix + pod2man='' + fi + fi + + if [ ! "$pod2man" = '' ]; then + failure=none + + if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | fgrep OpenSSL >/dev/null; then + : + else + failure=BasicTest + fi + + if [ "$failure" = none ]; then + if "$pod2man" --section=1 --center=OpenSSL --release=dev pod2mantest.pod | grep '^MARKER - ' >/dev/null; then + failure=MultilineTest + fi + fi + + + if [ "$failure" = none ]; then + echo "$pod2man" + exit 0 + fi + + echo "$pod2man does not work properly ('$failure' failed). Looking for another pod2man ..." >&2 + fi +done + +echo "No working pod2man found. Consider installing a new version." >&2 +echo "As a workaround, we'll use a bundled old copy of pod2man.pl." >&2 +echo "$1 ../../util/pod2man.pl" |