Date: Thu, 28 Jan 2016 18:44:11 +0000 (UTC)
From: Jung-uk Kim <jkim@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r295003 - in vendor-crypto/openssl/dist-1.0.1: . apps crypto crypto/aes crypto/bio crypto/bn crypto/camellia crypto/des crypto/dsa crypto/dso crypto/ec crypto/engine crypto/evp crypto/r...
Message-ID: <201601281844.u0SIiBpr073600@repo.freebsd.org>
Author: jkim
Date: Thu Jan 28 18:44:11 2016
New Revision: 295003
URL: https://svnweb.freebsd.org/changeset/base/295003

Log:
  Import OpenSSL 1.0.1r.

Added:
  vendor-crypto/openssl/dist-1.0.1/doc/ssl/SSL_CTX_set_tlsext_status_cb.pod
  vendor-crypto/openssl/dist-1.0.1/util/pod2mantest   (contents, props changed)
Modified:
  vendor-crypto/openssl/dist-1.0.1/ACKNOWLEDGMENTS
  vendor-crypto/openssl/dist-1.0.1/CHANGES
  vendor-crypto/openssl/dist-1.0.1/Configure
  vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade
  vendor-crypto/openssl/dist-1.0.1/INSTALL
  vendor-crypto/openssl/dist-1.0.1/LICENSE
  vendor-crypto/openssl/dist-1.0.1/Makefile
  vendor-crypto/openssl/dist-1.0.1/Makefile.org
  vendor-crypto/openssl/dist-1.0.1/NEWS
  vendor-crypto/openssl/dist-1.0.1/README
  vendor-crypto/openssl/dist-1.0.1/apps/engine.c
  vendor-crypto/openssl/dist-1.0.1/apps/ocsp.c
  vendor-crypto/openssl/dist-1.0.1/apps/pkcs12.c
  vendor-crypto/openssl/dist-1.0.1/apps/speed.c
  vendor-crypto/openssl/dist-1.0.1/apps/x509.c
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes.h
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cbc.c
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cfb.c
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_core.c
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ctr.c
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ecb.c
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ige.c
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_locl.h
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_misc.c
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ofb.c
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_x86core.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bio/bio.h
  vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_bio.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_conn.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_dgram.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_exp.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/exptest.c
  vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.c
  vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.h
  vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cbc.c
  vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cfb.c
  vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ctr.c
  vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ecb.c
  vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_locl.h
  vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_misc.c
  vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ofb.c
  vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_utl.c
  vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.c
  vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.h
  vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old2.c
  vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_ossl.c
  vendor-crypto/openssl/dist-1.0.1/crypto/dso/dso.h
  vendor-crypto/openssl/dist-1.0.1/crypto/dso/dso_dl.c
  vendor-crypto/openssl/dist-1.0.1/crypto/dso/dso_dlfcn.c
  vendor-crypto/openssl/dist-1.0.1/crypto/dso/dso_lib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/ec/ectest.c
  vendor-crypto/openssl/dist-1.0.1/crypto/engine/eng_all.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_camellia.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_old.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_seed.c
  vendor-crypto/openssl/dist-1.0.1/crypto/mem_clr.c
  vendor-crypto/openssl/dist-1.0.1/crypto/o_dir.c
  vendor-crypto/openssl/dist-1.0.1/crypto/o_dir.h
  vendor-crypto/openssl/dist-1.0.1/crypto/o_dir_test.c
  vendor-crypto/openssl/dist-1.0.1/crypto/o_str.c
  vendor-crypto/openssl/dist-1.0.1/crypto/o_str.h
  vendor-crypto/openssl/dist-1.0.1/crypto/o_time.c
  vendor-crypto/openssl/dist-1.0.1/crypto/o_time.h
  vendor-crypto/openssl/dist-1.0.1/crypto/opensslv.h
  vendor-crypto/openssl/dist-1.0.1/crypto/rc4/rc4_utl.c
  vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_chk.c
  vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_sign.c
  vendor-crypto/openssl/dist-1.0.1/crypto/seed/seed_cbc.c
  vendor-crypto/openssl/dist-1.0.1/crypto/seed/seed_cfb.c
  vendor-crypto/openssl/dist-1.0.1/crypto/seed/seed_ecb.c
  vendor-crypto/openssl/dist-1.0.1/crypto/seed/seed_ofb.c
  vendor-crypto/openssl/dist-1.0.1/crypto/sha/sha1test.c
  vendor-crypto/openssl/dist-1.0.1/crypto/store/store.h
  vendor-crypto/openssl/dist-1.0.1/crypto/store/str_lib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/store/str_locl.h
  vendor-crypto/openssl/dist-1.0.1/crypto/store/str_mem.c
  vendor-crypto/openssl/dist-1.0.1/crypto/store/str_meth.c
  vendor-crypto/openssl/dist-1.0.1/crypto/ts/ts_rsp_verify.c
  vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui.h
  vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui_compat.c
  vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui_compat.h
  vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui_lib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui_locl.h
  vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui_openssl.c
  vendor-crypto/openssl/dist-1.0.1/crypto/ui/ui_util.c
  vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_vfy.c
  vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_vfy.h
  vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_pci.c
  vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_pcia.c
  vendor-crypto/openssl/dist-1.0.1/doc/apps/s_time.pod
  vendor-crypto/openssl/dist-1.0.1/doc/crypto/BIO_s_connect.pod
  vendor-crypto/openssl/dist-1.0.1/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
  vendor-crypto/openssl/dist-1.0.1/engines/e_chil.c
  vendor-crypto/openssl/dist-1.0.1/ssl/d1_both.c
  vendor-crypto/openssl/dist-1.0.1/ssl/kssl.c
  vendor-crypto/openssl/dist-1.0.1/ssl/kssl.h
  vendor-crypto/openssl/dist-1.0.1/ssl/kssl_lcl.h
  vendor-crypto/openssl/dist-1.0.1/ssl/s2_srvr.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s3_clnt.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s3_lib.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s3_srvr.c
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl.h
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_sess.c
  vendor-crypto/openssl/dist-1.0.1/ssl/t1_enc.c
  vendor-crypto/openssl/dist-1.0.1/ssl/t1_lib.c
  vendor-crypto/openssl/dist-1.0.1/util/pl/VC-32.pl

Modified:
vendor-crypto/openssl/dist-1.0.1/ACKNOWLEDGMENTS ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/ACKNOWLEDGMENTS Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/ACKNOWLEDGMENTS Thu Jan 28 18:44:11 2016 (r295003) @@ -1,30 +1,2 @@ -The OpenSSL project depends on volunteer efforts and financial support from -the end user community. That support comes in the form of donations and paid -sponsorships, software support contracts, paid consulting services -and commissioned software development. - -Since all these activities support the continued development and improvement -of OpenSSL we consider all these clients and customers as sponsors of the -OpenSSL project. - -We would like to identify and thank the following such sponsors for their past -or current significant support of the OpenSSL project: - -Major support: - - Qualys http://www.qualys.com/ - -Very significant support: - - OpenGear: http://www.opengear.com/ - -Significant support: - - PSW Group: http://www.psw.net/ - Acano Ltd. http://acano.com/ - -Please note that we ask permission to identify sponsors and that some sponsors -we consider eligible for inclusion here have requested to remain anonymous. - -Additional sponsorship or financial support is always welcome: for more -information please contact the OpenSSL Software Foundation. +Please https://www.openssl.org/community/thanks.html for the current +acknowledgements. Modified: vendor-crypto/openssl/dist-1.0.1/CHANGES ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/CHANGES Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/CHANGES Thu Jan 28 18:44:11 2016 (r295003) 
@@ -2,6 +2,30 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1q and 1.0.1r [28 Jan 2016] + + *) Protection for DH small subgroup attacks + + As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been + switched on by default and cannot be disabled. This could have some + performance impact. + [Matt Caswell] + + *) SSLv2 doesn't block disabled ciphers + + A malicious client can negotiate SSLv2 ciphers that have been disabled on + the server and complete SSLv2 handshakes even if all SSLv2 ciphers have + been disabled, provided that the SSLv2 protocol was not also disabled via + SSL_OP_NO_SSLv2. + + This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram + and Sebastian Schinzel. + (CVE-2015-3197) + [Viktor Dukhovni] + + *) Reject DH handshakes with parameters shorter than 1024 bits. + [Kurt Roeckx] + Changes between 1.0.1p and 1.0.1q [3 Dec 2015] *) Certificate verify crash with missing PSS parameter Modified: vendor-crypto/openssl/dist-1.0.1/Configure ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/Configure Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/Configure Thu Jan 28 18:44:11 2016 (r295003) @@ -105,6 +105,9 @@ my $usage="Usage: Configure [no-<cipher> my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED"; +# Warn that "make depend" should be run? +my $warn_make_depend = 0; + my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments"; my $strict_warnings = 0; 
@@ -1446,7 +1449,7 @@ if ($target =~ /\-icc$/) # Intel C compi # linker only when --prefix is not /usr. if ($target =~ /^BSD\-/) { - $shared_ldflag.=" -Wl,-rpath,\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|); + $shared_ldflag.=" -Wl,-rpath,\$\$(LIBRPATH)" if ($prefix !~ m|^/usr[/]*$|); } if ($sys_id ne "") @@ -1953,14 +1956,8 @@ EOF &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s'); } if ($depflags ne $default_depflags && !$make_depend) { - print <<EOF; - -Since you've disabled or enabled at least one algorithm, you need to do -the following before building: - - make depend -EOF - } + $warn_make_depend++; + } } # create the ms/version32.rc file if needed @@ -2039,12 +2036,18 @@ EOF print <<\EOF if ($no_shared_warn); -You gave the option 'shared'. Normally, that would give you shared libraries. -Unfortunately, the OpenSSL configuration doesn't include shared library support -for this platform yet, so it will pretend you gave the option 'no-shared'. If -you can inform the developpers (openssl-dev\@openssl.org) how to support shared -libraries on this platform, they will at least look at it and try their best -(but please first make sure you have tried with a current version of OpenSSL). +You gave the option 'shared', which is not supported on this platform, so +we will pretend you gave the option 'no-shared'. If you know how to implement +shared libraries, please let us know (but please first make sure you have +tried with a current version of OpenSSL). +EOF + +print <<EOF if ($warn_make_depend); + +*** Because of configuration changes, you MUST do the following before +*** building: + + make depend EOF exit(0); Modified: vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade Thu Jan 28 18:44:11 2016 (r295003) 
@@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/Subv # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://svn.freebsd.org/base" -setenv OSSLVER 1.0.1q -# OSSLTAG format: v1_0_1q +setenv OSSLVER 1.0.1r +# OSSLTAG format: v1_0_1r ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` Modified: vendor-crypto/openssl/dist-1.0.1/INSTALL ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/INSTALL Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/INSTALL Thu Jan 28 18:44:11 2016 (r295003) @@ -164,10 +164,10 @@ standard headers). If it is a problem with OpenSSL itself, please report the problem to <openssl-bugs@openssl.org> (note that your message will be recorded in the request tracker publicly readable - via http://www.openssl.org/support/rt.html and will be forwarded to a - public mailing list). Include the output of "make report" in your message. - Please check out the request tracker. Maybe the bug was already - reported or has already been fixed. + at https://www.openssl.org/community/index.html#bugs and will be + forwarded to a public mailing list). Include the output of "make + report" in your message. Please check out the request tracker. Maybe + the bug was already reported or has already been fixed. [If you encounter assembler error messages, try the "no-asm" configuration option as an immediate fix.] Modified: vendor-crypto/openssl/dist-1.0.1/LICENSE ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/LICENSE Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/LICENSE Thu Jan 28 18:44:11 2016 (r295003) 
@@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2016 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions Modified: vendor-crypto/openssl/dist-1.0.1/Makefile ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/Makefile Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/Makefile Thu Jan 28 18:44:11 2016 (r295003) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.1q +VERSION=1.0.1r MAJOR=1 MINOR=0.1 SHLIB_VERSION_NUMBER=1.0.0 @@ -181,8 +181,7 @@ SHARED_LDFLAGS= GENERAL= Makefile BASENAME= openssl NAME= $(BASENAME)-$(VERSION) -TARFILE= $(NAME).tar -WTARFILE= $(NAME)-win.tar +TARFILE= ../$(NAME).tar EXHEADER= e_os2.h HEADER= e_os.h 
@@ -501,38 +500,35 @@ TABLE: Configure # would occur. Therefore the list of files is temporarily stored into a file # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal # tar does not support the --files-from option. -TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list \ - --owner openssl:0 --group openssl:0 \ - --transform 's|^|openssl-$(VERSION)/|' \ +TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \ + --owner 0 --group 0 \ + --transform 's|^|$(NAME)/|' \ -cvf - -../$(TARFILE).list: +$(TARFILE).list: find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \ - \! -name '*test' \! -name '.#*' \! -name '*~' \ - | sort > ../$(TARFILE).list + \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \ + \! -name '.#*' \! -name '*~' \! -type l \ + | sort > $(TARFILE).list -tar: ../$(TARFILE).list +tar: $(TARFILE).list find . -type d -print | xargs chmod 755 find . -type f -print | xargs chmod a+r find . 
-type f -perm -0100 -print | xargs chmod a+x - $(TAR_COMMAND) | gzip --best >../$(TARFILE).gz - rm -f ../$(TARFILE).list - ls -l ../$(TARFILE).gz - -tar-snap: ../$(TARFILE).list - $(TAR_COMMAND) > ../$(TARFILE) - rm -f ../$(TARFILE).list - ls -l ../$(TARFILE) + $(TAR_COMMAND) | gzip --best > $(TARFILE).gz + rm -f $(TARFILE).list + ls -l $(TARFILE).gz + +tar-snap: $(TARFILE).list + $(TAR_COMMAND) > $(TARFILE) + rm -f $(TARFILE).list + ls -l $(TARFILE) dist: $(PERL) Configure dist - @$(MAKE) dist_pem_h @$(MAKE) SDIRS='$(SDIRS)' clean - @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar - -dist_pem_h: - (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) + @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar install: all install_docs install_sw Modified: vendor-crypto/openssl/dist-1.0.1/Makefile.org ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/Makefile.org Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/Makefile.org Thu Jan 28 18:44:11 2016 (r295003) @@ -179,8 +179,7 @@ SHARED_LDFLAGS= GENERAL= Makefile BASENAME= openssl NAME= $(BASENAME)-$(VERSION) -TARFILE= $(NAME).tar -WTARFILE= $(NAME)-win.tar +TARFILE= ../$(NAME).tar EXHEADER= e_os2.h HEADER= e_os.h 
@@ -499,38 +498,35 @@ TABLE: Configure # would occur. Therefore the list of files is temporarily stored into a file # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal # tar does not support the --files-from option. -TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list \ - --owner openssl:0 --group openssl:0 \ - --transform 's|^|openssl-$(VERSION)/|' \ +TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \ + --owner 0 --group 0 \ + --transform 's|^|$(NAME)/|' \ -cvf - -../$(TARFILE).list: +$(TARFILE).list: find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \ \! -name '*.so' \! -name '*.so.*' \! -name 'openssl' \ - \! -name '*test' \! -name '.#*' \! -name '*~' \ - | sort > ../$(TARFILE).list + \( \! -name '*test' -o -name bctest -o -name pod2mantest \) \ + \! -name '.#*' \! -name '*~' \! -type l \ + | sort > $(TARFILE).list -tar: ../$(TARFILE).list +tar: $(TARFILE).list find . -type d -print | xargs chmod 755 find . -type f -print | xargs chmod a+r find . 
-type f -perm -0100 -print | xargs chmod a+x - $(TAR_COMMAND) | gzip --best >../$(TARFILE).gz - rm -f ../$(TARFILE).list - ls -l ../$(TARFILE).gz - -tar-snap: ../$(TARFILE).list - $(TAR_COMMAND) > ../$(TARFILE) - rm -f ../$(TARFILE).list - ls -l ../$(TARFILE) + $(TAR_COMMAND) | gzip --best > $(TARFILE).gz + rm -f $(TARFILE).list + ls -l $(TARFILE).gz + +tar-snap: $(TARFILE).list + $(TAR_COMMAND) > $(TARFILE) + rm -f $(TARFILE).list + ls -l $(TARFILE) dist: $(PERL) Configure dist - @$(MAKE) dist_pem_h @$(MAKE) SDIRS='$(SDIRS)' clean - @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar - -dist_pem_h: - (cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean) + @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar install: all install_docs install_sw Modified: vendor-crypto/openssl/dist-1.0.1/NEWS ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/NEWS Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/NEWS Thu Jan 28 18:44:11 2016 (r295003) @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016] + + o Protection for DH small subgroup attacks + o SSLv2 doesn't block disabled ciphers (CVE-2015-3197) + Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015] o Certificate verify crash with missing PSS parameter (CVE-2015-3194) Modified: vendor-crypto/openssl/dist-1.0.1/README ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/README Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/README Thu Jan 28 18:44:11 2016 (r295003) @@ -1,5 +1,5 @@ - OpenSSL 1.0.1q 3 Dec 2015 + OpenSSL 1.0.1r 28 Jan 2016 Copyright (c) 1998-2015 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson 
@@ -90,11 +90,12 @@ In order to avoid spam, this is a moderated mailing list, and it might take a day for the ticket to show up. (We also scan posts to make sure - that security disclosures aren't publically posted by mistake.) Mail to - this address is recorded in the public RT (request tracker) database (see - https://www.openssl.org/support/rt.html for details) and also forwarded - the public openssl-dev mailing list. Confidential mail may be sent to - openssl-security@openssl.org (PGP key available from the key servers). + that security disclosures aren't publically posted by mistake.) Mail + to this address is recorded in the public RT (request tracker) database + (see https://www.openssl.org/community/index.html#bugs for details) and + also forwarded the public openssl-dev mailing list. Confidential mail + may be sent to openssl-security@openssl.org (PGP key available from the + key servers). Please do NOT use this for general assistance or support queries. Just because something doesn't work the way you expect does not mean it Modified: vendor-crypto/openssl/dist-1.0.1/apps/engine.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/apps/engine.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/apps/engine.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* apps/engine.c -*- mode: C; c-file-style: "eay" -*- */ +/* apps/engine.c */ /* * Written by Richard Levitte <richard@levitte.org> for the OpenSSL project * 2000. Modified: vendor-crypto/openssl/dist-1.0.1/apps/ocsp.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/apps/ocsp.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/apps/ocsp.c Thu Jan 28 18:44:11 2016 (r295003) 
@@ -1003,7 +1003,7 @@ static int make_ocsp_response(OCSP_RESPO bs = OCSP_BASICRESP_new(); thisupd = X509_gmtime_adj(NULL, 0); if (ndays != -1) - nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24); + nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL); /* Examine each certificate id in the request */ for (i = 0; i < id_count; i++) { Modified: vendor-crypto/openssl/dist-1.0.1/apps/pkcs12.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/apps/pkcs12.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/apps/pkcs12.c Thu Jan 28 18:44:11 2016 (r295003) @@ -79,7 +79,8 @@ const EVP_CIPHER *enc; # define CLCERTS 0x8 # define CACERTS 0x10 -int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain); +static int get_cert_chain(X509 *cert, X509_STORE *store, + STACK_OF(X509) **chain); int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass); int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, @@ -594,7 +595,7 @@ int MAIN(int argc, char **argv) vret = get_cert_chain(ucert, store, &chain2); X509_STORE_free(store); - if (!vret) { + if (vret == X509_V_OK) { /* Exclude verified certificate */ for (i = 1; i < sk_X509_num(chain2); i++) sk_X509_push(certs, sk_X509_value(chain2, i)); @@ -602,7 +603,7 @@ int MAIN(int argc, char **argv) X509_free(sk_X509_value(chain2, 0)); sk_X509_free(chain2); } else { - if (vret >= 0) + if (vret != X509_V_ERR_UNSPECIFIED) BIO_printf(bio_err, "Error %s getting chain.\n", X509_verify_cert_error_string(vret)); else 
@@ -906,36 +907,25 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1 /* Given a single certificate return a verified chain or NULL if error */ -/* Hope this is OK .... */ - -int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain) +static int get_cert_chain(X509 *cert, X509_STORE *store, + STACK_OF(X509) **chain) { X509_STORE_CTX store_ctx; - STACK_OF(X509) *chn; + STACK_OF(X509) *chn = NULL; int i = 0; - /* - * FIXME: Should really check the return status of X509_STORE_CTX_init - * for an error, but how that fits into the return value of this function - * is less obvious. - */ - X509_STORE_CTX_init(&store_ctx, store, cert, NULL); - if (X509_verify_cert(&store_ctx) <= 0) { - i = X509_STORE_CTX_get_error(&store_ctx); - if (i == 0) - /* - * avoid returning 0 if X509_verify_cert() did not set an - * appropriate error value in the context - */ - i = -1; - chn = NULL; - goto err; - } else + if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) { + *chain = NULL; + return X509_V_ERR_UNSPECIFIED; + } + + if (X509_verify_cert(&store_ctx) > 0) chn = X509_STORE_CTX_get1_chain(&store_ctx); - err: + else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0) + i = X509_V_ERR_UNSPECIFIED; + X509_STORE_CTX_cleanup(&store_ctx); *chain = chn; - return i; } Modified: vendor-crypto/openssl/dist-1.0.1/apps/speed.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/apps/speed.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/apps/speed.c Thu Jan 28 18:44:11 2016 (r295003) 
@@ -1,4 +1,4 @@ -/* apps/speed.c -*- mode:C; c-file-style: "eay" -*- */ +/* apps/speed.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/apps/x509.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/apps/x509.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/apps/x509.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1170,12 +1170,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL) goto err; - /* Lets just make it 12:00am GMT, Jan 1 1970 */ - /* memcpy(x->cert_info->validity->notBefore,"700101120000Z",13); */ - /* 28 days to be certified */ - - if (X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days) == - NULL) + if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL) goto err; if (!X509_set_pubkey(x, pkey)) Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes.h Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes.h Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes.h */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cbc.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cbc.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cbc.c Thu Jan 28 18:44:11 2016 (r295003) 
@@ -1,4 +1,4 @@ -/* crypto/aes/aes_cbc.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_cbc.c */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cfb.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cfb.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_cfb.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/aes/aes_cfb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_cfb.c */ /* ==================================================================== * Copyright (c) 2002-2006 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_core.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_core.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_core.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/aes/aes_core.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_core.c */ /** * rijndael-alg-fst.c * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ctr.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ctr.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ctr.c Thu Jan 28 18:44:11 2016 (r295003) 
@@ -1,4 +1,4 @@ -/* crypto/aes/aes_ctr.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_ctr.c */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ecb.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ecb.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ecb.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/aes/aes_ecb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_ecb.c */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ige.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ige.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ige.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/aes/aes_ige.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_ige.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_locl.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_locl.h Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_locl.h Thu Jan 28 18:44:11 2016 (r295003) 
@@ -1,4 +1,4 @@ -/* crypto/aes/aes.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes.h */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_misc.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_misc.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_misc.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/aes/aes_misc.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_misc.c */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ofb.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ofb.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_ofb.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/aes/aes_ofb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_ofb.c */ /* ==================================================================== * Copyright (c) 2002-2006 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_x86core.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_x86core.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/aes/aes_x86core.c Thu Jan 28 18:44:11 2016 (r295003) 
@@ -1,4 +1,4 @@ -/* crypto/aes/aes_core.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/aes/aes_core.c */ /** * rijndael-alg-fst.c * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bio/bio.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bio/bio.h Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bio/bio.h Thu Jan 28 18:44:11 2016 (r295003) @@ -478,11 +478,11 @@ struct bio_dgram_sctp_prinfo { # define BIO_get_conn_hostname(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,0) # define BIO_get_conn_port(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,1) # define BIO_get_conn_ip(b) BIO_ptr_ctrl(b,BIO_C_GET_CONNECT,2) -# define BIO_get_conn_int_port(b) BIO_int_ctrl(b,BIO_C_GET_CONNECT,3,0) +# define BIO_get_conn_int_port(b) BIO_ctrl(b,BIO_C_GET_CONNECT,3,0,NULL) # define BIO_set_nbio(b,n) BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) -/* BIO_s_accept_socket() */ +/* BIO_s_accept() */ # define BIO_set_accept_port(b,name) BIO_ctrl(b,BIO_C_SET_ACCEPT,0,(char *)name) # define BIO_get_accept_port(b) BIO_ptr_ctrl(b,BIO_C_GET_ACCEPT,0) /* #define BIO_set_nbio(b,n) BIO_ctrl(b,BIO_C_SET_NBIO,(n),NULL) */ @@ -495,6 +495,7 @@ struct bio_dgram_sctp_prinfo { # define BIO_set_bind_mode(b,mode) BIO_ctrl(b,BIO_C_SET_BIND_MODE,mode,NULL) # define BIO_get_bind_mode(b,mode) BIO_ctrl(b,BIO_C_GET_BIND_MODE,0,NULL) +/* BIO_s_accept() and BIO_s_connect() */ # define BIO_do_connect(b) BIO_do_handshake(b) # define BIO_do_accept(b) BIO_do_handshake(b) # define BIO_do_handshake(b) BIO_ctrl(b,BIO_C_DO_STATE_MACHINE,0,NULL) 
@@ -514,12 +515,15 @@ struct bio_dgram_sctp_prinfo { # define BIO_get_url(b,url) BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,2,(char *)(url)) # define BIO_get_no_connect_return(b) BIO_ctrl(b,BIO_C_GET_PROXY_PARAM,5,NULL) +/* BIO_s_datagram(), BIO_s_fd(), BIO_s_socket(), BIO_s_accept() and BIO_s_connect() */ # define BIO_set_fd(b,fd,c) BIO_int_ctrl(b,BIO_C_SET_FD,c,fd) # define BIO_get_fd(b,c) BIO_ctrl(b,BIO_C_GET_FD,0,(char *)c) +/* BIO_s_file() */ # define BIO_set_fp(b,fp,c) BIO_ctrl(b,BIO_C_SET_FILE_PTR,c,(char *)fp) # define BIO_get_fp(b,fpp) BIO_ctrl(b,BIO_C_GET_FILE_PTR,0,(char *)fpp) +/* BIO_s_fd() and BIO_s_file() */ # define BIO_seek(b,ofs) (int)BIO_ctrl(b,BIO_C_FILE_SEEK,ofs,NULL) # define BIO_tell(b) (int)BIO_ctrl(b,BIO_C_FILE_TELL,0,NULL) Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_bio.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_bio.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_bio.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/bio/bss_bio.c -*- Mode: C; c-file-style: "eay" -*- */ +/* crypto/bio/bss_bio.c */ /* ==================================================================== * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_conn.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_conn.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_conn.c Thu Jan 28 18:44:11 2016 (r295003) @@ -419,7 +419,7 @@ static long conn_ctrl(BIO *b, int cmd, l { BIO *dbio; int *ip; - const char **pptr; + const char **pptr = NULL; long ret = 1; BIO_CONNECT *data; 
@@ -442,19 +442,28 @@ static long conn_ctrl(BIO *b, int cmd, l case BIO_C_GET_CONNECT: if (ptr != NULL) { pptr = (const char **)ptr; - if (num == 0) { - *pptr = data->param_hostname; + } - } else if (num == 1) { - *pptr = data->param_port; - } else if (num == 2) { - *pptr = (char *)&(data->ip[0]); - } else if (num == 3) { - *((int *)ptr) = data->port; + if (b->init) { + if (pptr != NULL) { + ret = 1; + if (num == 0) { + *pptr = data->param_hostname; + } else if (num == 1) { + *pptr = data->param_port; + } else if (num == 2) { + *pptr = (char *)&(data->ip[0]); + } else { + ret = 0; + } + } + if (num == 3) { + ret = data->port; } - if ((!b->init) || (ptr == NULL)) + } else { + if (pptr != NULL) *pptr = "not initialized"; - ret = 1; + ret = 0; } break; case BIO_C_SET_CONNECT: Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_dgram.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_dgram.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_dgram.c Thu Jan 28 18:44:11 2016 (r295003) @@ -515,10 +515,8 @@ static long dgram_ctrl(BIO *b, int cmd, switch (cmd) { case BIO_CTRL_RESET: num = 0; - case BIO_C_FILE_SEEK: ret = 0; break; - case BIO_C_FILE_TELL: case BIO_CTRL_INFO: ret = 0; break; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_exp.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_exp.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_exp.c Thu Jan 28 18:44:11 2016 (r295003) @@ -271,9 +271,14 @@ int BN_mod_exp_recp(BIGNUM *r, const BIG } bits = BN_num_bits(p); - if (bits == 0) { - ret = BN_one(r); + /* x**0 mod 1 is still zero. */ + if (BN_is_one(m)) { + ret = 1; + BN_zero(r); + } else { + ret = BN_one(r); + } return ret; } 
@@ -407,7 +412,13 @@ int BN_mod_exp_mont(BIGNUM *rr, const BI } bits = BN_num_bits(p); if (bits == 0) { - ret = BN_one(rr); + /* x**0 mod 1 is still zero. */ + if (BN_is_one(m)) { + ret = 1; + BN_zero(rr); + } else { + ret = BN_one(rr); + } return ret; } @@ -579,7 +590,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBU * precomputation memory layout to limit data-dependency to a minimum to * protect secret exponents (cf. the hyper-threading timing attacks pointed * out by Colin Percival, - * http://www.daemong-consideredperthreading-considered-harmful/) + * http://www.daemonology.net/hyperthreading-considered-harmful/) */ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, @@ -608,7 +619,13 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr bits = BN_num_bits(p); if (bits == 0) { - ret = BN_one(rr); + /* x**0 mod 1 is still zero. */ + if (BN_is_one(m)) { + ret = 1; + BN_zero(rr); + } else { + ret = BN_one(rr); + } return ret; } @@ -908,8 +925,9 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ if (BN_is_one(m)) { ret = 1; BN_zero(rr); - } else + } else { ret = BN_one(rr); + } return ret; } if (a == 0) { @@ -1023,9 +1041,14 @@ int BN_mod_exp_simple(BIGNUM *r, const B } bits = BN_num_bits(p); - - if (bits == 0) { - ret = BN_one(r); + if (bits == 0) { + /* x**0 mod 1 is still zero. */ + if (BN_is_one(m)) { + ret = 1; + BN_zero(r); + } else { + ret = BN_one(r); + } return ret; } Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bn/exptest.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bn/exptest.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bn/exptest.c Thu Jan 28 18:44:11 2016 (r295003) 
@@ -73,14 +73,34 @@ static const char rnd_seed[] = "string to make the random number generator think it has entropy"; /* + * Test that r == 0 in test_exp_mod_zero(). Returns one on success, + * returns zero and prints debug output otherwise. + */ +static int a_is_zero_mod_one(const char *method, const BIGNUM *r, + const BIGNUM *a) { + if (!BN_is_zero(r)) { + fprintf(stderr, "%s failed:\n", method); + fprintf(stderr, "a ** 0 mod 1 = r (should be 0)\n"); + fprintf(stderr, "a = "); + BN_print_fp(stderr, a); + fprintf(stderr, "\nr = "); + BN_print_fp(stderr, r); + fprintf(stderr, "\n"); + return 0; + } + return 1; +} + +/* * test_exp_mod_zero tests that x**0 mod 1 == 0. It returns zero on success. */ static int test_exp_mod_zero() { BIGNUM a, p, m; BIGNUM r; + BN_ULONG one_word = 1; BN_CTX *ctx = BN_CTX_new(); - int ret = 1; + int ret = 1, failed = 0; BN_init(&m); BN_one(&m); 
@@ -92,21 +112,65 @@ static int test_exp_mod_zero() BN_zero(&p); BN_init(&r); - BN_mod_exp(&r, &a, &p, &m, ctx); - BN_CTX_free(ctx); - if (BN_is_zero(&r)) - ret = 0; - else { - printf("1**0 mod 1 = "); - BN_print_fp(stdout, &r); - printf(", should be 0\n"); + if (!BN_rand(&a, 1024, 0, 0)) + goto err; + + if (!BN_mod_exp(&r, &a, &p, &m, ctx)) + goto err; + + if (!a_is_zero_mod_one("BN_mod_exp", &r, &a)) + failed = 1; + + if (!BN_mod_exp_recp(&r, &a, &p, &m, ctx)) + goto err; + + if (!a_is_zero_mod_one("BN_mod_exp_recp", &r, &a)) + failed = 1; + + if (!BN_mod_exp_simple(&r, &a, &p, &m, ctx)) + goto err; + + if (!a_is_zero_mod_one("BN_mod_exp_simple", &r, &a)) + failed = 1; + + if (!BN_mod_exp_mont(&r, &a, &p, &m, ctx, NULL)) + goto err; + + if (!a_is_zero_mod_one("BN_mod_exp_mont", &r, &a)) + failed = 1; + + if (!BN_mod_exp_mont_consttime(&r, &a, &p, &m, ctx, NULL)) { + goto err; + } + + if (!a_is_zero_mod_one("BN_mod_exp_mont_consttime", &r, &a)) + failed = 1; + + /* + * A different codepath exists for single word multiplication + * in non-constant-time only. + */ + if (!BN_mod_exp_mont_word(&r, one_word, &p, &m, ctx, NULL)) + goto err; + + if (!BN_is_zero(&r)) { + fprintf(stderr, "BN_mod_exp_mont_word failed:\n"); + fprintf(stderr, "1 ** 0 mod 1 = r (should be 0)\n"); + fprintf(stderr, "r = "); + BN_print_fp(stderr, &r); + fprintf(stderr, "\n"); + return 0; } + ret = failed; + + err: BN_free(&r); BN_free(&a); BN_free(&p); BN_free(&m); + BN_CTX_free(ctx); return ret; } Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.c Thu Jan 28 18:44:11 2016 (r295003) 
@@ -1,4 +1,4 @@ -/* crypto/camellia/camellia.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia.c */ /* ==================================================================== * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) . * ALL RIGHTS RESERVED. @@ -67,7 +67,7 @@ /* * Algorithm Specification - * http://info.isl.llia/specicrypt/eng/camellia/specifications.html + * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.h Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/camellia.h Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia.h */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cbc.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cbc.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cbc.c Thu Jan 28 18:44:11 2016 (r295003) 
@@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_cbc.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_cbc.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cfb.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cfb.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_cfb.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_cfb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_cfb.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ctr.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ctr.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ctr.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_ctr.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_ctr.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ecb.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ecb.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ecb.c Thu Jan 28 18:44:11 2016 (r295003) 
@@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_ecb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_ecb.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_locl.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_locl.h Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_locl.h Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_locl.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_locl.h */ /* ==================================================================== * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) . * ALL RIGHTS RESERVED. Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_misc.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_misc.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_misc.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_misc.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_misc.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ofb.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ofb.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_ofb.c Thu Jan 28 18:44:11 2016 (r295003) 
@@ -1,4 +1,4 @@ -/* crypto/camellia/camellia_ofb.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/camellia_ofb.c */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_utl.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_utl.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/camellia/cmll_utl.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/camellia/cmll_utl.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/camellia/cmll_utl.c */ /* ==================================================================== * Copyright (c) 2011 The OpenSSL Project. All rights reserved. * Modified: vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/des/des_old.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/des/des_old.c */ /*- * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING Modified: vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.h Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old.h Thu Jan 28 18:44:11 2016 (r295003) 
@@ -1,4 +1,4 @@ -/* crypto/des/des_old.h -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/des/des_old.h */ /*- * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING Modified: vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old2.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old2.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/des/des_old2.c Thu Jan 28 18:44:11 2016 (r295003) @@ -1,4 +1,4 @@ -/* crypto/des/des_old.c -*- mode:C; c-file-style: "eay" -*- */ +/* crypto/des/des_old.c */ /* * WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING The Modified: vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_ossl.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_ossl.c Thu Jan 28 18:42:39 2016 (r295002) +++ vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_ossl.c Thu Jan 28 18:44:11 2016 (r295003) @@ -187,9 +187,6 @@ static DSA_SIG *dsa_do_sign(const unsign if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) goto err; - ret = DSA_SIG_new(); - if (ret == NULL) - goto err; *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
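Review bot: in the crypto/aes/aes_x86core.c header hunk, the rewritten first line still reads "/* crypto/aes/aes_core.c */", which names a different file from the one being patched. Since the line is being touched anyway to drop the Emacs mode marker, it could carry the real path. The same mismatch is visible in crypto/des/des_old2.c (header says des_old.c) and in the cmll_*.c and cmll_locl.h hunks, whose headers say camellia_*.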
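Review bot: in crypto/bio/bio.h at -478, BIO_get_conn_int_port(b) now expands to a bare BIO_ctrl(b,BIO_C_GET_CONNECT,3,0,NULL) and so yields a long, while BIO_seek and BIO_tell further down the same header cast their BIO_ctrl result to (int). An (int) cast here would keep the macro's type in line with its name. The macro also needs a one-line comment saying that the port is now the return value and that 0 is also what conn_ctrl returns for an uninitialized BIO, so a caller cannot tell the two apart.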
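Review bot: in crypto/bio/bss_conn.c at -442 (conn_ctrl, case BIO_C_GET_CONNECT), the uninitialized branch stores "not initialized" through pptr for any num, including num == 3, as the old code did. The removed line "*((int *)ptr) = data->port;" shows that num == 3 callers used to pass an int *, so a caller still on that convention gets a pointer-sized store into an int when the BIO is not initialized; gating the store on num being 0, 1 or 2 would avoid that. Separately, in the initialized branch a NULL ptr with num 0 to 2 leaves ret at its initial value of 1 although nothing was handed back, and ret = 0 would describe that case better.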
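Review bot: in crypto/bio/bss_dgram.c at -515 (dgram_ctrl), dropping the BIO_C_FILE_SEEK and BIO_C_FILE_TELL labels sends both commands to the switch's default arm, which lies outside the visible context. Please confirm that arm returns a failure value, which would match the new bio.h comment that BIO_seek and BIO_tell belong to BIO_s_fd() and BIO_s_file(). With the SEEK label gone, BIO_CTRL_RESET reduces to "num = 0; ret = 0; break;", and the num = 0 store looks vestigial unless num is read after the switch.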
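Review bot: in crypto/bn/bn_exp.c at -407 (BN_mod_exp_mont), the new bits == 0 block is the same few lines that this patch also adds to BN_mod_exp_recp, BN_mod_exp_mont_consttime and BN_mod_exp_simple, and that BN_mod_exp_mont_word already had. A small static helper would keep the "x**0 mod 1 is still zero" rule in one place so that a further exponentiation path cannot miss it. Within the block, ret is set to 1 before BN_zero(rr) and the result of BN_zero is not looked at, whereas the else arm assigns BN_one's return value to ret; if BN_zero can fail in this build, its result should feed ret as well.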
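Review bot: in crypto/bn/exptest.c at -92 (test_exp_mod_zero), the BN_mod_exp_mont_word failure path ends in "return 0;", and the function's own comment says it returns zero on success, so a wrong result from that one code path is reported as a pass. The early return also skips the err: label, so r, a, p, m and ctx are not freed. Setting failed = 1 and falling through to "ret = failed;", as the other five checks do, fixes both. A short comment at err: saying that ret is still 1 (failure) when reached by goto would help, because a_is_zero_mod_one uses the opposite convention (one on success).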