summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordjm <>2012-01-05 23:01:39 +0000
committerdjm <>2012-01-05 23:01:39 +0000
commit1323613b1aa20bc25bc1ca71f1926d7e11788b87 (patch)
tree866512933d8f0c1ea5465d0169915b36c1ca3cae
parent01b1f5ed381fe1d6d9a28e1b11285d194d167080 (diff)
downloadopenbsd-1323613b1aa20bc25bc1ca71f1926d7e11788b87.tar.gz
openbsd-1323613b1aa20bc25bc1ca71f1926d7e11788b87.tar.bz2
openbsd-1323613b1aa20bc25bc1ca71f1926d7e11788b87.zip
OpenSSL 1.0.0f: merge
Diffstat (limited to '')
-rw-r--r--src/lib/libcrypto/bio/bf_buff.c15
-rw-r--r--src/lib/libcrypto/bio/bio.h9
-rw-r--r--src/lib/libcrypto/bn/bn_blind.c37
-rw-r--r--src/lib/libcrypto/ec/ec2_smpl.c2
-rw-r--r--src/lib/libcrypto/opensslv.h6
-rw-r--r--src/lib/libcrypto/rand/rand_unix.c108
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c80
-rw-r--r--src/lib/libcrypto/util/mkerr.pl2
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c2
-rw-r--r--src/lib/libcrypto/x509v3/v3_addr.c125
-rw-r--r--src/lib/libssl/d1_pkt.c26
-rw-r--r--src/lib/libssl/d1_srvr.c2
-rw-r--r--src/lib/libssl/doc/openssl.cnf2
-rw-r--r--src/lib/libssl/s3_clnt.c6
-rw-r--r--src/lib/libssl/s3_lib.c3
-rw-r--r--src/lib/libssl/s3_srvr.c11
-rw-r--r--src/lib/libssl/src/CHANGES77
-rw-r--r--src/lib/libssl/src/Configure6
-rw-r--r--src/lib/libssl/src/FAQ2
-rw-r--r--src/lib/libssl/src/Makefile2
-rw-r--r--src/lib/libssl/src/NEWS8
-rw-r--r--src/lib/libssl/src/README2
-rw-r--r--src/lib/libssl/src/VMS/mkshared.com26
-rw-r--r--src/lib/libssl/src/apps/openssl-vms.cnf2
-rw-r--r--src/lib/libssl/src/apps/openssl.cnf2
-rw-r--r--src/lib/libssl/src/apps/x509.c2
-rw-r--r--src/lib/libssl/src/crypto/bio/bf_buff.c15
-rw-r--r--src/lib/libssl/src/crypto/bio/bio.h9
-rw-r--r--src/lib/libssl/src/crypto/bn/bn_blind.c37
-rw-r--r--src/lib/libssl/src/crypto/ec/ec2_smpl.c2
-rw-r--r--src/lib/libssl/src/crypto/opensslv.h6
-rw-r--r--src/lib/libssl/src/crypto/rand/rand_unix.c108
-rw-r--r--src/lib/libssl/src/crypto/rsa/rsa_eay.c80
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_vfy.c2
-rw-r--r--src/lib/libssl/src/crypto/x509v3/v3_addr.c125
-rw-r--r--src/lib/libssl/src/doc/ssl/SSL_clear.pod14
-rw-r--r--src/lib/libssl/src/e_os2.h8
-rw-r--r--src/lib/libssl/src/openssl.spec2
-rw-r--r--src/lib/libssl/src/ssl/d1_pkt.c26
-rw-r--r--src/lib/libssl/src/ssl/d1_srvr.c2
-rw-r--r--src/lib/libssl/src/ssl/s3_clnt.c6
-rw-r--r--src/lib/libssl/src/ssl/s3_enc.c3
-rw-r--r--src/lib/libssl/src/ssl/s3_lib.c3
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c11
-rw-r--r--src/lib/libssl/src/ssl/ssl.h2
-rw-r--r--src/lib/libssl/src/ssl/ssl3.h11
-rw-r--r--src/lib/libssl/src/ssl/ssl_ciph.c1
-rw-r--r--src/lib/libssl/src/ssl/ssl_err.c4
-rw-r--r--src/lib/libssl/src/ssl/ssl_lib.c3
-rw-r--r--src/lib/libssl/src/ssl/ssl_locl.h1
-rw-r--r--src/lib/libssl/src/ssl/t1_lib.c6
-rw-r--r--src/lib/libssl/src/test/testssl8
-rw-r--r--src/lib/libssl/src/util/mkerr.pl2
-rw-r--r--src/lib/libssl/ssl.h2
-rw-r--r--src/lib/libssl/ssl3.h11
-rw-r--r--src/lib/libssl/ssl_ciph.c1
-rw-r--r--src/lib/libssl/ssl_err.c4
-rw-r--r--src/lib/libssl/ssl_lib.c3
-rw-r--r--src/lib/libssl/ssl_locl.h1
-rw-r--r--src/lib/libssl/t1_lib.c6
-rw-r--r--src/lib/libssl/test/testssl8
61 files changed, 782 insertions, 316 deletions
diff --git a/src/lib/libcrypto/bio/bf_buff.c b/src/lib/libcrypto/bio/bf_buff.c
index c1fd75aaad..4b5a132d8a 100644
--- a/src/lib/libcrypto/bio/bf_buff.c
+++ b/src/lib/libcrypto/bio/bf_buff.c
@@ -209,7 +209,7 @@ start:
209 /* add to buffer and return */ 209 /* add to buffer and return */
210 if (i >= inl) 210 if (i >= inl)
211 { 211 {
212 memcpy(&(ctx->obuf[ctx->obuf_len]),in,inl); 212 memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,inl);
213 ctx->obuf_len+=inl; 213 ctx->obuf_len+=inl;
214 return(num+inl); 214 return(num+inl);
215 } 215 }
@@ -219,7 +219,7 @@ start:
219 { 219 {
220 if (i > 0) /* lets fill it up if we can */ 220 if (i > 0) /* lets fill it up if we can */
221 { 221 {
222 memcpy(&(ctx->obuf[ctx->obuf_len]),in,i); 222 memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,i);
223 in+=i; 223 in+=i;
224 inl-=i; 224 inl-=i;
225 num+=i; 225 num+=i;
@@ -294,9 +294,9 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
294 case BIO_C_GET_BUFF_NUM_LINES: 294 case BIO_C_GET_BUFF_NUM_LINES:
295 ret=0; 295 ret=0;
296 p1=ctx->ibuf; 296 p1=ctx->ibuf;
297 for (i=ctx->ibuf_off; i<ctx->ibuf_len; i++) 297 for (i=0; i<ctx->ibuf_len; i++)
298 { 298 {
299 if (p1[i] == '\n') ret++; 299 if (p1[ctx->ibuf_off + i] == '\n') ret++;
300 } 300 }
301 break; 301 break;
302 case BIO_CTRL_WPENDING: 302 case BIO_CTRL_WPENDING:
@@ -399,17 +399,18 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
399 for (;;) 399 for (;;)
400 { 400 {
401 BIO_clear_retry_flags(b); 401 BIO_clear_retry_flags(b);
402 if (ctx->obuf_len > ctx->obuf_off) 402 if (ctx->obuf_len > 0)
403 { 403 {
404 r=BIO_write(b->next_bio, 404 r=BIO_write(b->next_bio,
405 &(ctx->obuf[ctx->obuf_off]), 405 &(ctx->obuf[ctx->obuf_off]),
406 ctx->obuf_len-ctx->obuf_off); 406 ctx->obuf_len);
407#if 0 407#if 0
408fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len-ctx->obuf_off,r); 408fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len,r);
409#endif 409#endif
410 BIO_copy_next_retry(b); 410 BIO_copy_next_retry(b);
411 if (r <= 0) return((long)r); 411 if (r <= 0) return((long)r);
412 ctx->obuf_off+=r; 412 ctx->obuf_off+=r;
413 ctx->obuf_len-=r;
413 } 414 }
414 else 415 else
415 { 416 {
diff --git a/src/lib/libcrypto/bio/bio.h b/src/lib/libcrypto/bio/bio.h
index 152802fbdf..ab47abcf14 100644
--- a/src/lib/libcrypto/bio/bio.h
+++ b/src/lib/libcrypto/bio/bio.h
@@ -306,6 +306,15 @@ DECLARE_STACK_OF(BIO)
306 306
307typedef struct bio_f_buffer_ctx_struct 307typedef struct bio_f_buffer_ctx_struct
308 { 308 {
309 /* Buffers are setup like this:
310 *
311 * <---------------------- size ----------------------->
312 * +---------------------------------------------------+
313 * | consumed | remaining | free space |
314 * +---------------------------------------------------+
315 * <-- off --><------- len ------->
316 */
317
309 /* BIO *bio; */ /* this is now in the BIO struct */ 318 /* BIO *bio; */ /* this is now in the BIO struct */
310 int ibuf_size; /* how big is the input buffer */ 319 int ibuf_size; /* how big is the input buffer */
311 int obuf_size; /* how big is the output buffer */ 320 int obuf_size; /* how big is the output buffer */
diff --git a/src/lib/libcrypto/bn/bn_blind.c b/src/lib/libcrypto/bn/bn_blind.c
index e060592fdc..9ed8bc2b40 100644
--- a/src/lib/libcrypto/bn/bn_blind.c
+++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -126,7 +126,7 @@ struct bn_blinding_st
126 * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */ 126 * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
127#endif 127#endif
128 CRYPTO_THREADID tid; 128 CRYPTO_THREADID tid;
129 unsigned int counter; 129 int counter;
130 unsigned long flags; 130 unsigned long flags;
131 BN_MONT_CTX *m_ctx; 131 BN_MONT_CTX *m_ctx;
132 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 132 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -160,7 +160,10 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
160 if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0) 160 if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
161 BN_set_flags(ret->mod, BN_FLG_CONSTTIME); 161 BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
162 162
163 ret->counter = BN_BLINDING_COUNTER; 163 /* Set the counter to the special value -1
164 * to indicate that this is never-used fresh blinding
165 * that does not need updating before first use. */
166 ret->counter = -1;
164 CRYPTO_THREADID_current(&ret->tid); 167 CRYPTO_THREADID_current(&ret->tid);
165 return(ret); 168 return(ret);
166err: 169err:
@@ -190,7 +193,10 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
190 goto err; 193 goto err;
191 } 194 }
192 195
193 if (--(b->counter) == 0 && b->e != NULL && 196 if (b->counter == -1)
197 b->counter = 0;
198
199 if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL &&
194 !(b->flags & BN_BLINDING_NO_RECREATE)) 200 !(b->flags & BN_BLINDING_NO_RECREATE))
195 { 201 {
196 /* re-create blinding parameters */ 202 /* re-create blinding parameters */
@@ -205,8 +211,8 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
205 211
206 ret=1; 212 ret=1;
207err: 213err:
208 if (b->counter == 0) 214 if (b->counter == BN_BLINDING_COUNTER)
209 b->counter = BN_BLINDING_COUNTER; 215 b->counter = 0;
210 return(ret); 216 return(ret);
211 } 217 }
212 218
@@ -227,6 +233,12 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
227 return(0); 233 return(0);
228 } 234 }
229 235
236 if (b->counter == -1)
237 /* Fresh blinding, doesn't need updating. */
238 b->counter = 0;
239 else if (!BN_BLINDING_update(b,ctx))
240 return(0);
241
230 if (r != NULL) 242 if (r != NULL)
231 { 243 {
232 if (!BN_copy(r, b->Ai)) ret=0; 244 if (!BN_copy(r, b->Ai)) ret=0;
@@ -247,22 +259,19 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ct
247 int ret; 259 int ret;
248 260
249 bn_check_top(n); 261 bn_check_top(n);
250 if ((b->A == NULL) || (b->Ai == NULL))
251 {
252 BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
253 return(0);
254 }
255 262
256 if (r != NULL) 263 if (r != NULL)
257 ret = BN_mod_mul(n, n, r, b->mod, ctx); 264 ret = BN_mod_mul(n, n, r, b->mod, ctx);
258 else 265 else
259 ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
260
261 if (ret >= 0)
262 { 266 {
263 if (!BN_BLINDING_update(b,ctx)) 267 if (b->Ai == NULL)
268 {
269 BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
264 return(0); 270 return(0);
271 }
272 ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
265 } 273 }
274
266 bn_check_top(n); 275 bn_check_top(n);
267 return(ret); 276 return(ret);
268 } 277 }
diff --git a/src/lib/libcrypto/ec/ec2_smpl.c b/src/lib/libcrypto/ec/ec2_smpl.c
index af94458ca7..03deae6674 100644
--- a/src/lib/libcrypto/ec/ec2_smpl.c
+++ b/src/lib/libcrypto/ec/ec2_smpl.c
@@ -887,7 +887,7 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_
887 field_sqr = group->meth->field_sqr; 887 field_sqr = group->meth->field_sqr;
888 888
889 /* only support affine coordinates */ 889 /* only support affine coordinates */
890 if (!point->Z_is_one) goto err; 890 if (!point->Z_is_one) return -1;
891 891
892 if (ctx == NULL) 892 if (ctx == NULL)
893 { 893 {
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index 310a3387be..d6d61a0c7d 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,11 +25,11 @@
25 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for 25 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
26 * major minor fix final patch/beta) 26 * major minor fix final patch/beta)
27 */ 27 */
28#define OPENSSL_VERSION_NUMBER 0x1000005fL 28#define OPENSSL_VERSION_NUMBER 0x1000006fL
29#ifdef OPENSSL_FIPS 29#ifdef OPENSSL_FIPS
30#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0e-fips 6 Sep 2011" 30#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f-fips 4 Jan 2012"
31#else 31#else
32#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0e 6 Sep 2011" 32#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f 4 Jan 2012"
33#endif 33#endif
34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT 34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
35 35
diff --git a/src/lib/libcrypto/rand/rand_unix.c b/src/lib/libcrypto/rand/rand_unix.c
index 4bb9666e49..3316388443 100644
--- a/src/lib/libcrypto/rand/rand_unix.c
+++ b/src/lib/libcrypto/rand/rand_unix.c
@@ -133,47 +133,87 @@
133# define FD_SETSIZE (8*sizeof(fd_set)) 133# define FD_SETSIZE (8*sizeof(fd_set))
134#endif 134#endif
135 135
136#ifdef __VOS__ 136#if defined(OPENSSL_SYS_VOS)
137
138/* The following algorithm repeatedly samples the real-time clock
139 (RTC) to generate a sequence of unpredictable data. The algorithm
140 relies upon the uneven execution speed of the code (due to factors
141 such as cache misses, interrupts, bus activity, and scheduling) and
142 upon the rather large relative difference between the speed of the
143 clock and the rate at which it can be read.
144
145 If this code is ported to an environment where execution speed is
146 more constant or where the RTC ticks at a much slower rate, or the
147 clock can be read with fewer instructions, it is likely that the
148 results would be far more predictable.
149
150 As a precaution, we generate 4 times the minimum required amount of
151 seed data. */
152
137int RAND_poll(void) 153int RAND_poll(void)
138{ 154{
139 unsigned char buf[ENTROPY_NEEDED]; 155 short int code;
156 gid_t curr_gid;
140 pid_t curr_pid; 157 pid_t curr_pid;
141 uid_t curr_uid; 158 uid_t curr_uid;
142 static int first=1; 159 int i, k;
143 int i;
144 long rnd = 0;
145 struct timespec ts; 160 struct timespec ts;
146 unsigned seed; 161 unsigned char v;
147
148/* The VOS random() function starts from a static seed so its
149 initial value is predictable. If random() returns the
150 initial value, reseed it with dynamic data. The VOS
151 real-time clock has a granularity of 1 nsec so it should be
152 reasonably difficult to predict its exact value. Do not
153 gratuitously reseed the PRNG because other code in this
154 process or thread may be using it. */
155
156 if (first) {
157 first = 0;
158 rnd = random ();
159 if (rnd == 1804289383) {
160 clock_gettime (CLOCK_REALTIME, &ts);
161 curr_pid = getpid();
162 curr_uid = getuid();
163 seed = ts.tv_sec ^ ts.tv_nsec ^ curr_pid ^ curr_uid;
164 srandom (seed);
165 }
166 }
167 162
168 for (i = 0; i < sizeof(buf); i++) { 163#ifdef OPENSSL_SYS_VOS_HPPA
169 if (i % 4 == 0) 164 long duration;
170 rnd = random(); 165 extern void s$sleep (long *_duration, short int *_code);
171 buf[i] = rnd; 166#else
172 rnd >>= 8; 167#ifdef OPENSSL_SYS_VOS_IA32
173 } 168 long long duration;
174 RAND_add(buf, sizeof(buf), ENTROPY_NEEDED); 169 extern void s$sleep2 (long long *_duration, short int *_code);
175 memset(buf, 0, sizeof(buf)); 170#else
171#error "Unsupported Platform."
172#endif /* OPENSSL_SYS_VOS_IA32 */
173#endif /* OPENSSL_SYS_VOS_HPPA */
176 174
175 /* Seed with the gid, pid, and uid, to ensure *some*
176 variation between different processes. */
177
178 curr_gid = getgid();
179 RAND_add (&curr_gid, sizeof curr_gid, 1);
180 curr_gid = 0;
181
182 curr_pid = getpid();
183 RAND_add (&curr_pid, sizeof curr_pid, 1);
184 curr_pid = 0;
185
186 curr_uid = getuid();
187 RAND_add (&curr_uid, sizeof curr_uid, 1);
188 curr_uid = 0;
189
190 for (i=0; i<(ENTROPY_NEEDED*4); i++)
191 {
192 /* burn some cpu; hope for interrupts, cache
193 collisions, bus interference, etc. */
194 for (k=0; k<99; k++)
195 ts.tv_nsec = random ();
196
197#ifdef OPENSSL_SYS_VOS_HPPA
198 /* sleep for 1/1024 of a second (976 us). */
199 duration = 1;
200 s$sleep (&duration, &code);
201#else
202#ifdef OPENSSL_SYS_VOS_IA32
203 /* sleep for 1/65536 of a second (15 us). */
204 duration = 1;
205 s$sleep2 (&duration, &code);
206#endif /* OPENSSL_SYS_VOS_IA32 */
207#endif /* OPENSSL_SYS_VOS_HPPA */
208
209 /* get wall clock time. */
210 clock_gettime (CLOCK_REALTIME, &ts);
211
212 /* take 8 bits */
213 v = (unsigned char) (ts.tv_nsec % 256);
214 RAND_add (&v, sizeof v, 1);
215 v = 0;
216 }
177 return 1; 217 return 1;
178} 218}
179#elif defined __OpenBSD__ 219#elif defined __OpenBSD__
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 7c941885f0..2e1ddd48d3 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -314,51 +314,56 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
314 return ret; 314 return ret;
315} 315}
316 316
317static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f, 317static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
318 BIGNUM *r, BN_CTX *ctx) 318 BN_CTX *ctx)
319{ 319 {
320 if (local) 320 if (unblind == NULL)
321 /* Local blinding: store the unblinding factor
322 * in BN_BLINDING. */
321 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 323 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
322 else 324 else
323 { 325 {
324 int ret; 326 /* Shared blinding: store the unblinding factor
325 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING); 327 * outside BN_BLINDING. */
326 ret = BN_BLINDING_convert_ex(f, r, b, ctx);
327 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
328 return ret;
329 }
330}
331
332static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
333 BIGNUM *r, BN_CTX *ctx)
334{
335 if (local)
336 return BN_BLINDING_invert_ex(f, NULL, b, ctx);
337 else
338 {
339 int ret; 328 int ret;
340 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 329 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
341 ret = BN_BLINDING_invert_ex(f, r, b, ctx); 330 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
342 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 331 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
343 return ret; 332 return ret;
344 } 333 }
345} 334 }
335
336static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
337 BN_CTX *ctx)
338 {
339 /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
340 * will use the unblinding factor stored in BN_BLINDING.
341 * If BN_BLINDING is shared between threads, unblind must be non-null:
342 * BN_BLINDING_invert_ex will then use the local unblinding factor,
343 * and will only read the modulus from BN_BLINDING.
344 * In both cases it's safe to access the blinding without a lock.
345 */
346 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
347 }
346 348
347/* signing */ 349/* signing */
348static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 350static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
349 unsigned char *to, RSA *rsa, int padding) 351 unsigned char *to, RSA *rsa, int padding)
350 { 352 {
351 BIGNUM *f, *ret, *br, *res; 353 BIGNUM *f, *ret, *res;
352 int i,j,k,num=0,r= -1; 354 int i,j,k,num=0,r= -1;
353 unsigned char *buf=NULL; 355 unsigned char *buf=NULL;
354 BN_CTX *ctx=NULL; 356 BN_CTX *ctx=NULL;
355 int local_blinding = 0; 357 int local_blinding = 0;
358 /* Used only if the blinding structure is shared. A non-NULL unblind
359 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
360 * the unblinding factor outside the blinding structure. */
361 BIGNUM *unblind = NULL;
356 BN_BLINDING *blinding = NULL; 362 BN_BLINDING *blinding = NULL;
357 363
358 if ((ctx=BN_CTX_new()) == NULL) goto err; 364 if ((ctx=BN_CTX_new()) == NULL) goto err;
359 BN_CTX_start(ctx); 365 BN_CTX_start(ctx);
360 f = BN_CTX_get(ctx); 366 f = BN_CTX_get(ctx);
361 br = BN_CTX_get(ctx);
362 ret = BN_CTX_get(ctx); 367 ret = BN_CTX_get(ctx);
363 num = BN_num_bytes(rsa->n); 368 num = BN_num_bytes(rsa->n);
364 buf = OPENSSL_malloc(num); 369 buf = OPENSSL_malloc(num);
@@ -406,8 +411,15 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
406 } 411 }
407 412
408 if (blinding != NULL) 413 if (blinding != NULL)
409 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 414 {
415 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
416 {
417 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
418 goto err;
419 }
420 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
410 goto err; 421 goto err;
422 }
411 423
412 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 424 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
413 ((rsa->p != NULL) && 425 ((rsa->p != NULL) &&
@@ -441,7 +453,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
441 } 453 }
442 454
443 if (blinding) 455 if (blinding)
444 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 456 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
445 goto err; 457 goto err;
446 458
447 if (padding == RSA_X931_PADDING) 459 if (padding == RSA_X931_PADDING)
@@ -480,18 +492,21 @@ err:
480static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 492static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
481 unsigned char *to, RSA *rsa, int padding) 493 unsigned char *to, RSA *rsa, int padding)
482 { 494 {
483 BIGNUM *f, *ret, *br; 495 BIGNUM *f, *ret;
484 int j,num=0,r= -1; 496 int j,num=0,r= -1;
485 unsigned char *p; 497 unsigned char *p;
486 unsigned char *buf=NULL; 498 unsigned char *buf=NULL;
487 BN_CTX *ctx=NULL; 499 BN_CTX *ctx=NULL;
488 int local_blinding = 0; 500 int local_blinding = 0;
501 /* Used only if the blinding structure is shared. A non-NULL unblind
502 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
503 * the unblinding factor outside the blinding structure. */
504 BIGNUM *unblind = NULL;
489 BN_BLINDING *blinding = NULL; 505 BN_BLINDING *blinding = NULL;
490 506
491 if((ctx = BN_CTX_new()) == NULL) goto err; 507 if((ctx = BN_CTX_new()) == NULL) goto err;
492 BN_CTX_start(ctx); 508 BN_CTX_start(ctx);
493 f = BN_CTX_get(ctx); 509 f = BN_CTX_get(ctx);
494 br = BN_CTX_get(ctx);
495 ret = BN_CTX_get(ctx); 510 ret = BN_CTX_get(ctx);
496 num = BN_num_bytes(rsa->n); 511 num = BN_num_bytes(rsa->n);
497 buf = OPENSSL_malloc(num); 512 buf = OPENSSL_malloc(num);
@@ -529,8 +544,15 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
529 } 544 }
530 545
531 if (blinding != NULL) 546 if (blinding != NULL)
532 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 547 {
548 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
549 {
550 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
533 goto err; 551 goto err;
552 }
553 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
554 goto err;
555 }
534 556
535 /* do the decrypt */ 557 /* do the decrypt */
536 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 558 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -564,7 +586,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
564 } 586 }
565 587
566 if (blinding) 588 if (blinding)
567 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 589 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
568 goto err; 590 goto err;
569 591
570 p=buf; 592 p=buf;
diff --git a/src/lib/libcrypto/util/mkerr.pl b/src/lib/libcrypto/util/mkerr.pl
index 2c99467d34..aec401c773 100644
--- a/src/lib/libcrypto/util/mkerr.pl
+++ b/src/lib/libcrypto/util/mkerr.pl
@@ -769,7 +769,7 @@ EOF
769 undef %err_reason_strings; 769 undef %err_reason_strings;
770} 770}
771 771
772if($debug && defined(%notrans)) { 772if($debug && %notrans) {
773 print STDERR "The following function codes were not translated:\n"; 773 print STDERR "The following function codes were not translated:\n";
774 foreach(sort keys %notrans) 774 foreach(sort keys %notrans)
775 { 775 {
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 5a0b0249b4..701ec565e9 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1732,7 +1732,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1732 atm.length=sizeof(buff2); 1732 atm.length=sizeof(buff2);
1733 atm.data=(unsigned char *)buff2; 1733 atm.data=(unsigned char *)buff2;
1734 1734
1735 if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL) 1735 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
1736 return 0; 1736 return 0;
1737 1737
1738 if (ctm->type == V_ASN1_UTCTIME) 1738 if (ctm->type == V_ASN1_UTCTIME)
diff --git a/src/lib/libcrypto/x509v3/v3_addr.c b/src/lib/libcrypto/x509v3/v3_addr.c
index 0d70e8696d..df46a4983b 100644
--- a/src/lib/libcrypto/x509v3/v3_addr.c
+++ b/src/lib/libcrypto/x509v3/v3_addr.c
@@ -142,12 +142,13 @@ unsigned int v3_addr_get_afi(const IPAddressFamily *f)
142 * Expand the bitstring form of an address into a raw byte array. 142 * Expand the bitstring form of an address into a raw byte array.
143 * At the moment this is coded for simplicity, not speed. 143 * At the moment this is coded for simplicity, not speed.
144 */ 144 */
145static void addr_expand(unsigned char *addr, 145static int addr_expand(unsigned char *addr,
146 const ASN1_BIT_STRING *bs, 146 const ASN1_BIT_STRING *bs,
147 const int length, 147 const int length,
148 const unsigned char fill) 148 const unsigned char fill)
149{ 149{
150 OPENSSL_assert(bs->length >= 0 && bs->length <= length); 150 if (bs->length < 0 || bs->length > length)
151 return 0;
151 if (bs->length > 0) { 152 if (bs->length > 0) {
152 memcpy(addr, bs->data, bs->length); 153 memcpy(addr, bs->data, bs->length);
153 if ((bs->flags & 7) != 0) { 154 if ((bs->flags & 7) != 0) {
@@ -159,6 +160,7 @@ static void addr_expand(unsigned char *addr,
159 } 160 }
160 } 161 }
161 memset(addr + bs->length, fill, length - bs->length); 162 memset(addr + bs->length, fill, length - bs->length);
163 return 1;
162} 164}
163 165
164/* 166/*
@@ -181,15 +183,13 @@ static int i2r_address(BIO *out,
181 return 0; 183 return 0;
182 switch (afi) { 184 switch (afi) {
183 case IANA_AFI_IPV4: 185 case IANA_AFI_IPV4:
184 if (bs->length > 4) 186 if (!addr_expand(addr, bs, 4, fill))
185 return 0; 187 return 0;
186 addr_expand(addr, bs, 4, fill);
187 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); 188 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
188 break; 189 break;
189 case IANA_AFI_IPV6: 190 case IANA_AFI_IPV6:
190 if (bs->length > 16) 191 if (!addr_expand(addr, bs, 16, fill))
191 return 0; 192 return 0;
192 addr_expand(addr, bs, 16, fill);
193 for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2) 193 for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
194 ; 194 ;
195 for (i = 0; i < n; i += 2) 195 for (i = 0; i < n; i += 2)
@@ -315,6 +315,12 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
315/* 315/*
316 * Sort comparison function for a sequence of IPAddressOrRange 316 * Sort comparison function for a sequence of IPAddressOrRange
317 * elements. 317 * elements.
318 *
319 * There's no sane answer we can give if addr_expand() fails, and an
320 * assertion failure on externally supplied data is seriously uncool,
321 * so we just arbitrarily declare that if given invalid inputs this
322 * function returns -1. If this messes up your preferred sort order
323 * for garbage input, tough noogies.
318 */ 324 */
319static int IPAddressOrRange_cmp(const IPAddressOrRange *a, 325static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
320 const IPAddressOrRange *b, 326 const IPAddressOrRange *b,
@@ -326,22 +332,26 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
326 332
327 switch (a->type) { 333 switch (a->type) {
328 case IPAddressOrRange_addressPrefix: 334 case IPAddressOrRange_addressPrefix:
329 addr_expand(addr_a, a->u.addressPrefix, length, 0x00); 335 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
336 return -1;
330 prefixlen_a = addr_prefixlen(a->u.addressPrefix); 337 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
331 break; 338 break;
332 case IPAddressOrRange_addressRange: 339 case IPAddressOrRange_addressRange:
333 addr_expand(addr_a, a->u.addressRange->min, length, 0x00); 340 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
341 return -1;
334 prefixlen_a = length * 8; 342 prefixlen_a = length * 8;
335 break; 343 break;
336 } 344 }
337 345
338 switch (b->type) { 346 switch (b->type) {
339 case IPAddressOrRange_addressPrefix: 347 case IPAddressOrRange_addressPrefix:
340 addr_expand(addr_b, b->u.addressPrefix, length, 0x00); 348 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
349 return -1;
341 prefixlen_b = addr_prefixlen(b->u.addressPrefix); 350 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
342 break; 351 break;
343 case IPAddressOrRange_addressRange: 352 case IPAddressOrRange_addressRange:
344 addr_expand(addr_b, b->u.addressRange->min, length, 0x00); 353 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
354 return -1;
345 prefixlen_b = length * 8; 355 prefixlen_b = length * 8;
346 break; 356 break;
347 } 357 }
@@ -383,6 +393,7 @@ static int range_should_be_prefix(const unsigned char *min,
383 unsigned char mask; 393 unsigned char mask;
384 int i, j; 394 int i, j;
385 395
396 OPENSSL_assert(memcmp(min, max, length) <= 0);
386 for (i = 0; i < length && min[i] == max[i]; i++) 397 for (i = 0; i < length && min[i] == max[i]; i++)
387 ; 398 ;
388 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) 399 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
@@ -601,10 +612,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
601 return NULL; 612 return NULL;
602 switch (afi) { 613 switch (afi) {
603 case IANA_AFI_IPV4: 614 case IANA_AFI_IPV4:
604 sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); 615 (void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
605 break; 616 break;
606 case IANA_AFI_IPV6: 617 case IANA_AFI_IPV6:
607 sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); 618 (void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
608 break; 619 break;
609 } 620 }
610 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 621 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
@@ -656,22 +667,22 @@ int v3_addr_add_range(IPAddrBlocks *addr,
656/* 667/*
657 * Extract min and max values from an IPAddressOrRange. 668 * Extract min and max values from an IPAddressOrRange.
658 */ 669 */
659static void extract_min_max(IPAddressOrRange *aor, 670static int extract_min_max(IPAddressOrRange *aor,
660 unsigned char *min, 671 unsigned char *min,
661 unsigned char *max, 672 unsigned char *max,
662 int length) 673 int length)
663{ 674{
664 OPENSSL_assert(aor != NULL && min != NULL && max != NULL); 675 if (aor == NULL || min == NULL || max == NULL)
676 return 0;
665 switch (aor->type) { 677 switch (aor->type) {
666 case IPAddressOrRange_addressPrefix: 678 case IPAddressOrRange_addressPrefix:
667 addr_expand(min, aor->u.addressPrefix, length, 0x00); 679 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
668 addr_expand(max, aor->u.addressPrefix, length, 0xFF); 680 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
669 return;
670 case IPAddressOrRange_addressRange: 681 case IPAddressOrRange_addressRange:
671 addr_expand(min, aor->u.addressRange->min, length, 0x00); 682 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
672 addr_expand(max, aor->u.addressRange->max, length, 0xFF); 683 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
673 return;
674 } 684 }
685 return 0;
675} 686}
676 687
677/* 688/*
@@ -687,9 +698,10 @@ int v3_addr_get_range(IPAddressOrRange *aor,
687 if (aor == NULL || min == NULL || max == NULL || 698 if (aor == NULL || min == NULL || max == NULL ||
688 afi_length == 0 || length < afi_length || 699 afi_length == 0 || length < afi_length ||
689 (aor->type != IPAddressOrRange_addressPrefix && 700 (aor->type != IPAddressOrRange_addressPrefix &&
690 aor->type != IPAddressOrRange_addressRange)) 701 aor->type != IPAddressOrRange_addressRange) ||
702 !extract_min_max(aor, min, max, afi_length))
691 return 0; 703 return 0;
692 extract_min_max(aor, min, max, afi_length); 704
693 return afi_length; 705 return afi_length;
694} 706}
695 707
@@ -771,8 +783,9 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
771 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 783 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
772 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); 784 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
773 785
774 extract_min_max(a, a_min, a_max, length); 786 if (!extract_min_max(a, a_min, a_max, length) ||
775 extract_min_max(b, b_min, b_max, length); 787 !extract_min_max(b, b_min, b_max, length))
788 return 0;
776 789
777 /* 790 /*
778 * Punt misordered list, overlapping start, or inverted range. 791 * Punt misordered list, overlapping start, or inverted range.
@@ -800,14 +813,17 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
800 } 813 }
801 814
802 /* 815 /*
803 * Check final range to see if it should be a prefix. 816 * Check range to see if it's inverted or should be a
817 * prefix.
804 */ 818 */
805 j = sk_IPAddressOrRange_num(aors) - 1; 819 j = sk_IPAddressOrRange_num(aors) - 1;
806 { 820 {
807 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 821 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
808 if (a->type == IPAddressOrRange_addressRange) { 822 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
809 extract_min_max(a, a_min, a_max, length); 823 if (!extract_min_max(a, a_min, a_max, length))
810 if (range_should_be_prefix(a_min, a_max, length) >= 0) 824 return 0;
825 if (memcmp(a_min, a_max, length) > 0 ||
826 range_should_be_prefix(a_min, a_max, length) >= 0)
811 return 0; 827 return 0;
812 } 828 }
813 } 829 }
@@ -841,8 +857,16 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
841 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 857 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
842 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 858 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
843 859
844 extract_min_max(a, a_min, a_max, length); 860 if (!extract_min_max(a, a_min, a_max, length) ||
845 extract_min_max(b, b_min, b_max, length); 861 !extract_min_max(b, b_min, b_max, length))
862 return 0;
863
864 /*
865 * Punt inverted ranges.
866 */
867 if (memcmp(a_min, a_max, length) > 0 ||
868 memcmp(b_min, b_max, length) > 0)
869 return 0;
846 870
847 /* 871 /*
848 * Punt overlaps. 872 * Punt overlaps.
@@ -860,8 +884,8 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
860 IPAddressOrRange *merged; 884 IPAddressOrRange *merged;
861 if (!make_addressRange(&merged, a_min, b_max, length)) 885 if (!make_addressRange(&merged, a_min, b_max, length))
862 return 0; 886 return 0;
863 sk_IPAddressOrRange_set(aors, i, merged); 887 (void) sk_IPAddressOrRange_set(aors, i, merged);
864 sk_IPAddressOrRange_delete(aors, i + 1); 888 (void) sk_IPAddressOrRange_delete(aors, i + 1);
865 IPAddressOrRange_free(a); 889 IPAddressOrRange_free(a);
866 IPAddressOrRange_free(b); 890 IPAddressOrRange_free(b);
867 --i; 891 --i;
@@ -869,6 +893,20 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
869 } 893 }
870 } 894 }
871 895
896 /*
897 * Check for inverted final range.
898 */
899 j = sk_IPAddressOrRange_num(aors) - 1;
900 {
901 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
902 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
903 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
904 extract_min_max(a, a_min, a_max, length);
905 if (memcmp(a_min, a_max, length) > 0)
906 return 0;
907 }
908 }
909
872 return 1; 910 return 1;
873} 911}
874 912
@@ -885,7 +923,7 @@ int v3_addr_canonize(IPAddrBlocks *addr)
885 v3_addr_get_afi(f))) 923 v3_addr_get_afi(f)))
886 return 0; 924 return 0;
887 } 925 }
888 sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 926 (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
889 sk_IPAddressFamily_sort(addr); 927 sk_IPAddressFamily_sort(addr);
890 OPENSSL_assert(v3_addr_is_canonical(addr)); 928 OPENSSL_assert(v3_addr_is_canonical(addr));
891 return 1; 929 return 1;
@@ -1017,6 +1055,11 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
1017 X509V3_conf_err(val); 1055 X509V3_conf_err(val);
1018 goto err; 1056 goto err;
1019 } 1057 }
1058 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1059 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1060 X509V3_conf_err(val);
1061 goto err;
1062 }
1020 if (!v3_addr_add_range(addr, afi, safi, min, max)) { 1063 if (!v3_addr_add_range(addr, afi, safi, min, max)) {
1021 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1064 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1022 goto err; 1065 goto err;
@@ -1102,13 +1145,15 @@ static int addr_contains(IPAddressOrRanges *parent,
1102 1145
1103 p = 0; 1146 p = 0;
1104 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1147 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1105 extract_min_max(sk_IPAddressOrRange_value(child, c), 1148 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1106 c_min, c_max, length); 1149 c_min, c_max, length))
1150 return -1;
1107 for (;; p++) { 1151 for (;; p++) {
1108 if (p >= sk_IPAddressOrRange_num(parent)) 1152 if (p >= sk_IPAddressOrRange_num(parent))
1109 return 0; 1153 return 0;
1110 extract_min_max(sk_IPAddressOrRange_value(parent, p), 1154 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
1111 p_min, p_max, length); 1155 p_min, p_max, length))
1156 return 0;
1112 if (memcmp(p_max, c_max, length) < 0) 1157 if (memcmp(p_max, c_max, length) < 0)
1113 continue; 1158 continue;
1114 if (memcmp(p_min, c_min, length) > 0) 1159 if (memcmp(p_min, c_min, length) > 0)
@@ -1130,7 +1175,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1130 return 1; 1175 return 1;
1131 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) 1176 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
1132 return 0; 1177 return 0;
1133 sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); 1178 (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1134 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { 1179 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1135 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); 1180 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1136 int j = sk_IPAddressFamily_find(b, fa); 1181 int j = sk_IPAddressFamily_find(b, fa);
@@ -1195,7 +1240,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
1195 } 1240 }
1196 if (!v3_addr_is_canonical(ext)) 1241 if (!v3_addr_is_canonical(ext))
1197 validation_err(X509_V_ERR_INVALID_EXTENSION); 1242 validation_err(X509_V_ERR_INVALID_EXTENSION);
1198 sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1243 (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1199 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1244 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1200 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); 1245 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
1201 ret = 0; 1246 ret = 0;
@@ -1221,7 +1266,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
1221 } 1266 }
1222 continue; 1267 continue;
1223 } 1268 }
1224 sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp); 1269 (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
1225 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1270 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1226 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1271 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1227 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); 1272 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 39aac73e10..e0c0f0cc9a 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -375,6 +375,7 @@ dtls1_process_record(SSL *s)
375 SSL3_RECORD *rr; 375 SSL3_RECORD *rr;
376 unsigned int mac_size; 376 unsigned int mac_size;
377 unsigned char md[EVP_MAX_MD_SIZE]; 377 unsigned char md[EVP_MAX_MD_SIZE];
378 int decryption_failed_or_bad_record_mac = 0;
378 379
379 380
380 rr= &(s->s3->rrec); 381 rr= &(s->s3->rrec);
@@ -409,13 +410,10 @@ dtls1_process_record(SSL *s)
409 enc_err = s->method->ssl3_enc->enc(s,0); 410 enc_err = s->method->ssl3_enc->enc(s,0);
410 if (enc_err <= 0) 411 if (enc_err <= 0)
411 { 412 {
412 /* decryption failed, silently discard message */ 413 /* To minimize information leaked via timing, we will always
413 if (enc_err < 0) 414 * perform all computations before discarding the message.
414 { 415 */
415 rr->length = 0; 416 decryption_failed_or_bad_record_mac = 1;
416 s->packet_length = 0;
417 }
418 goto err;
419 } 417 }
420 418
421#ifdef TLS_DEBUG 419#ifdef TLS_DEBUG
@@ -445,7 +443,7 @@ printf("\n");
445 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); 443 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
446 goto f_err; 444 goto f_err;
447#else 445#else
448 goto err; 446 decryption_failed_or_bad_record_mac = 1;
449#endif 447#endif
450 } 448 }
451 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ 449 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
@@ -456,17 +454,25 @@ printf("\n");
456 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); 454 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
457 goto f_err; 455 goto f_err;
458#else 456#else
459 goto err; 457 decryption_failed_or_bad_record_mac = 1;
460#endif 458#endif
461 } 459 }
462 rr->length-=mac_size; 460 rr->length-=mac_size;
463 i=s->method->ssl3_enc->mac(s,md,0); 461 i=s->method->ssl3_enc->mac(s,md,0);
464 if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) 462 if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
465 { 463 {
466 goto err; 464 decryption_failed_or_bad_record_mac = 1;
467 } 465 }
468 } 466 }
469 467
468 if (decryption_failed_or_bad_record_mac)
469 {
470 /* decryption failed, silently discard message */
471 rr->length = 0;
472 s->packet_length = 0;
473 goto err;
474 }
475
470 /* r->length is now just compressed */ 476 /* r->length is now just compressed */
471 if (s->expand != NULL) 477 if (s->expand != NULL)
472 { 478 {
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index a6a4c87ea6..149983be30 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1271,7 +1271,7 @@ int dtls1_send_server_key_exchange(SSL *s)
1271 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL); 1271 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1272 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1272 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1273 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1273 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1274 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1274 EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
1275 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1275 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1276 (unsigned int *)&i,pkey)) 1276 (unsigned int *)&i,pkey))
1277 { 1277 {
diff --git a/src/lib/libssl/doc/openssl.cnf b/src/lib/libssl/doc/openssl.cnf
index 9d2cd5bfa5..18760c6e67 100644
--- a/src/lib/libssl/doc/openssl.cnf
+++ b/src/lib/libssl/doc/openssl.cnf
@@ -145,7 +145,7 @@ localityName = Locality Name (eg, city)
145organizationalUnitName = Organizational Unit Name (eg, section) 145organizationalUnitName = Organizational Unit Name (eg, section)
146#organizationalUnitName_default = 146#organizationalUnitName_default =
147 147
148commonName = Common Name (eg, YOUR name) 148commonName = Common Name (e.g. server FQDN or YOUR name)
149commonName_max = 64 149commonName_max = 64
150 150
151emailAddress = Email Address 151emailAddress = Email Address
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index 50bd415b56..53223bd38d 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -953,7 +953,7 @@ int ssl3_get_server_hello(SSL *s)
953 /* wrong packet length */ 953 /* wrong packet length */
954 al=SSL_AD_DECODE_ERROR; 954 al=SSL_AD_DECODE_ERROR;
955 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 955 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
956 goto err; 956 goto f_err;
957 } 957 }
958 958
959 return(1); 959 return(1);
@@ -1837,7 +1837,7 @@ int ssl3_get_new_session_ticket(SSL *s)
1837 if (n < 6) 1837 if (n < 6)
1838 { 1838 {
1839 /* need at least ticket_lifetime_hint + ticket length */ 1839 /* need at least ticket_lifetime_hint + ticket length */
1840 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; 1840 al = SSL_AD_DECODE_ERROR;
1841 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1841 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1842 goto f_err; 1842 goto f_err;
1843 } 1843 }
@@ -1848,7 +1848,7 @@ int ssl3_get_new_session_ticket(SSL *s)
1848 /* ticket_lifetime_hint + ticket_length + ticket */ 1848 /* ticket_lifetime_hint + ticket_length + ticket */
1849 if (ticklen + 6 != n) 1849 if (ticklen + 6 != n)
1850 { 1850 {
1851 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; 1851 al = SSL_AD_DECODE_ERROR;
1852 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1852 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1853 goto f_err; 1853 goto f_err;
1854 } 1854 }
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index 62c791cb72..1130244aeb 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -2177,6 +2177,7 @@ void ssl3_clear(SSL *s)
2177 { 2177 {
2178 unsigned char *rp,*wp; 2178 unsigned char *rp,*wp;
2179 size_t rlen, wlen; 2179 size_t rlen, wlen;
2180 int init_extra;
2180 2181
2181#ifdef TLSEXT_TYPE_opaque_prf_input 2182#ifdef TLSEXT_TYPE_opaque_prf_input
2182 if (s->s3->client_opaque_prf_input != NULL) 2183 if (s->s3->client_opaque_prf_input != NULL)
@@ -2215,6 +2216,7 @@ void ssl3_clear(SSL *s)
2215 wp = s->s3->wbuf.buf; 2216 wp = s->s3->wbuf.buf;
2216 rlen = s->s3->rbuf.len; 2217 rlen = s->s3->rbuf.len;
2217 wlen = s->s3->wbuf.len; 2218 wlen = s->s3->wbuf.len;
2219 init_extra = s->s3->init_extra;
2218 if (s->s3->handshake_buffer) { 2220 if (s->s3->handshake_buffer) {
2219 BIO_free(s->s3->handshake_buffer); 2221 BIO_free(s->s3->handshake_buffer);
2220 s->s3->handshake_buffer = NULL; 2222 s->s3->handshake_buffer = NULL;
@@ -2227,6 +2229,7 @@ void ssl3_clear(SSL *s)
2227 s->s3->wbuf.buf = wp; 2229 s->s3->wbuf.buf = wp;
2228 s->s3->rbuf.len = rlen; 2230 s->s3->rbuf.len = rlen;
2229 s->s3->wbuf.len = wlen; 2231 s->s3->wbuf.len = wlen;
2232 s->s3->init_extra = init_extra;
2230 2233
2231 ssl_free_wbio_buffer(s); 2234 ssl_free_wbio_buffer(s);
2232 2235
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index c3b5ff33ff..d734c359fb 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -258,6 +258,7 @@ int ssl3_accept(SSL *s)
258 } 258 }
259 259
260 s->init_num=0; 260 s->init_num=0;
261 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
261 262
262 if (s->state != SSL_ST_RENEGOTIATE) 263 if (s->state != SSL_ST_RENEGOTIATE)
263 { 264 {
@@ -755,6 +756,14 @@ int ssl3_check_client_hello(SSL *s)
755 int ok; 756 int ok;
756 long n; 757 long n;
757 758
759 /* We only allow the client to restart the handshake once per
760 * negotiation. */
761 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
762 {
763 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
764 return -1;
765 }
766
758 /* this function is called when we really expect a Certificate message, 767 /* this function is called when we really expect a Certificate message,
759 * so permit appropriate message length */ 768 * so permit appropriate message length */
760 n=s->method->ssl_get_message(s, 769 n=s->method->ssl_get_message(s,
@@ -783,6 +792,7 @@ int ssl3_check_client_hello(SSL *s)
783 s->s3->tmp.ecdh = NULL; 792 s->s3->tmp.ecdh = NULL;
784 } 793 }
785#endif 794#endif
795 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
786 return 2; 796 return 2;
787 } 797 }
788 return 1; 798 return 1;
@@ -2130,6 +2140,7 @@ int ssl3_get_client_key_exchange(SSL *s)
2130 if (i <= 0) 2140 if (i <= 0)
2131 { 2141 {
2132 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2142 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2143 BN_clear_free(pub);
2133 goto err; 2144 goto err;
2134 } 2145 }
2135 2146
diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES
index a0de5abb60..03e744a049 100644
--- a/src/lib/libssl/src/CHANGES
+++ b/src/lib/libssl/src/CHANGES
@@ -2,6 +2,63 @@
2 OpenSSL CHANGES 2 OpenSSL CHANGES
3 _______________ 3 _______________
4 4
5 Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
6
7 *) Nadhem Alfardan and Kenny Paterson have discovered an extension
8 of the Vaudenay padding oracle attack on CBC mode encryption
9 which enables an efficient plaintext recovery attack against
10 the OpenSSL implementation of DTLS. Their attack exploits timing
11 differences arising during decryption processing. A research
12 paper describing this attack can be found at:
13 http://www.isg.rhul.ac.uk/~kp/dtls.pdf
14 Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
15 Security Group at Royal Holloway, University of London
16 (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
17 <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
18 for preparing the fix. (CVE-2011-4108)
19 [Robin Seggelmann, Michael Tuexen]
20
21 *) Clear bytes used for block padding of SSL 3.0 records.
22 (CVE-2011-4576)
23 [Adam Langley (Google)]
24
25 *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
26 [Adam Langley (Google)]
27
28 *) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
29 [Andrey Kulikov <amdeich@gmail.com>]
30
31 *) Prevent malformed RFC3779 data triggering an assertion failure.
32 Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
33 and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
34 [Rob Austein <sra@hactrn.net>]
35
36 *) Improved PRNG seeding for VOS.
37 [Paul Green <Paul.Green@stratus.com>]
38
39 *) Fix ssl_ciph.c set-up race.
40 [Adam Langley (Google)]
41
42 *) Fix spurious failures in ecdsatest.c.
43 [Emilia Käsper (Google)]
44
45 *) Fix the BIO_f_buffer() implementation (which was mixing different
46 interpretations of the '..._len' fields).
47 [Adam Langley (Google)]
48
49 *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
50 BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
51 threads won't reuse the same blinding coefficients.
52
53 This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
54 lock to call BN_BLINDING_invert_ex, and avoids one use of
55 BN_BLINDING_update for each BN_BLINDING structure (previously,
56 the last update always remained unused).
57 [Emilia Käsper (Google)]
58
59 *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
60 [Bob Buckholz (Google)]
61
5 Changes between 1.0.0d and 1.0.0e [6 Sep 2011] 62 Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
6 63
7 *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted 64 *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
@@ -909,6 +966,26 @@
909 966
910 Changes between 0.9.8r and 0.9.8s [xx XXX xxxx] 967 Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]
911 968
969 *) Fix ssl_ciph.c set-up race.
970 [Adam Langley (Google)]
971
972 *) Fix spurious failures in ecdsatest.c.
973 [Emilia Käsper (Google)]
974
975 *) Fix the BIO_f_buffer() implementation (which was mixing different
976 interpretations of the '..._len' fields).
977 [Adam Langley (Google)]
978
979 *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
980 BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
981 threads won't reuse the same blinding coefficients.
982
983 This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
984 lock to call BN_BLINDING_invert_ex, and avoids one use of
985 BN_BLINDING_update for each BN_BLINDING structure (previously,
986 the last update always remained unused).
987 [Emilia Käsper (Google)]
988
912 *) Fix SSL memory handling for (EC)DH ciphersuites, in particular 989 *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
913 for multi-threaded use of ECDH. 990 for multi-threaded use of ECDH.
914 [Adam Langley (Google)] 991 [Adam Langley (Google)]
diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure
index 429ab2e5eb..7941c93f64 100644
--- a/src/lib/libssl/src/Configure
+++ b/src/lib/libssl/src/Configure
@@ -196,8 +196,8 @@ my %table=(
196"cc", "cc:-O::(unknown)::::::", 196"cc", "cc:-O::(unknown)::::::",
197 197
198####VOS Configurations 198####VOS Configurations
199"vos-gcc","gcc:-O3 -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:", 199"vos-gcc","gcc:-O3 -Wall -DOPENSSL_SYSNAME_VOS -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
200"debug-vos-gcc","gcc:-O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:", 200"debug-vos-gcc","gcc:-O0 -g -Wall -DOPENSSL_SYSNAME_VOS -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
201 201
202#### Solaris x86 with GNU C setups 202#### Solaris x86 with GNU C setups
203# -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it 203# -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it
@@ -553,7 +553,7 @@ my %table=(
553"darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", 553"darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
554"darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", 554"darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
555"debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", 555"debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
556"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", 556"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
557"debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", 557"debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
558 558
559##### A/UX 559##### A/UX
diff --git a/src/lib/libssl/src/FAQ b/src/lib/libssl/src/FAQ
index fe54856a62..3b07cd363d 100644
--- a/src/lib/libssl/src/FAQ
+++ b/src/lib/libssl/src/FAQ
@@ -82,7 +82,7 @@ OpenSSL - Frequently Asked Questions
82* Which is the current version of OpenSSL? 82* Which is the current version of OpenSSL?
83 83
84The current version is available from <URL: http://www.openssl.org>. 84The current version is available from <URL: http://www.openssl.org>.
85OpenSSL 1.0.0e was released on Sep 6th, 2011. 85OpenSSL 1.0.0f was released on Jan 4th, 2012.
86 86
87In addition to the current stable release, you can also access daily 87In addition to the current stable release, you can also access daily
88snapshots of the OpenSSL development version at <URL: 88snapshots of the OpenSSL development version at <URL:
diff --git a/src/lib/libssl/src/Makefile b/src/lib/libssl/src/Makefile
index 445e15d671..8fe888587e 100644
--- a/src/lib/libssl/src/Makefile
+++ b/src/lib/libssl/src/Makefile
@@ -4,7 +4,7 @@
4## Makefile for OpenSSL 4## Makefile for OpenSSL
5## 5##
6 6
7VERSION=1.0.0e 7VERSION=1.0.0f
8MAJOR=1 8MAJOR=1
9MINOR=0.0 9MINOR=0.0
10SHLIB_VERSION_NUMBER=1.0.0 10SHLIB_VERSION_NUMBER=1.0.0
diff --git a/src/lib/libssl/src/NEWS b/src/lib/libssl/src/NEWS
index 672810dcc7..1fb25c626c 100644
--- a/src/lib/libssl/src/NEWS
+++ b/src/lib/libssl/src/NEWS
@@ -5,6 +5,14 @@
5 This file gives a brief overview of the major changes between each OpenSSL 5 This file gives a brief overview of the major changes between each OpenSSL
6 release. For more details please read the CHANGES file. 6 release. For more details please read the CHANGES file.
7 7
8 Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f:
9
10 o Fix for DTLS plaintext recovery attack CVE-2011-4108
11 o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
12 o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
13 o Check parameters are not NULL in GOST ENGINE CVE-2012-0027
14 o Check for malformed RFC3779 data CVE-2011-4577
15
8 Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e: 16 Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e:
9 17
10 o Fix for CRL vulnerability issue CVE-2011-3207 18 o Fix for CRL vulnerability issue CVE-2011-3207
diff --git a/src/lib/libssl/src/README b/src/lib/libssl/src/README
index 898437989a..50d54d5706 100644
--- a/src/lib/libssl/src/README
+++ b/src/lib/libssl/src/README
@@ -1,5 +1,5 @@
1 1
2 OpenSSL 1.0.0e 6 Sep 2011 2 OpenSSL 1.0.0f 4 Jan 2012
3 3
4 Copyright (c) 1998-2011 The OpenSSL Project 4 Copyright (c) 1998-2011 The OpenSSL Project
5 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson 5 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/src/lib/libssl/src/VMS/mkshared.com b/src/lib/libssl/src/VMS/mkshared.com
index 794e1de62a..b0d1fdaac3 100644
--- a/src/lib/libssl/src/VMS/mkshared.com
+++ b/src/lib/libssl/src/VMS/mkshared.com
@@ -6,6 +6,7 @@ $! P2: Zlib object library path (optional).
6$! 6$!
7$! Input: [.UTIL]LIBEAY.NUM,[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO[32].OLB 7$! Input: [.UTIL]LIBEAY.NUM,[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO[32].OLB
8$! [.UTIL]SSLEAY.NUM,[.xxx.EXE.SSL]SSL_LIBSSL[32].OLB 8$! [.UTIL]SSLEAY.NUM,[.xxx.EXE.SSL]SSL_LIBSSL[32].OLB
9$! [.CRYPTO.xxx]OPENSSLCONF.H
9$! Output: [.xxx.EXE.CRYPTO]SSL_LIBCRYPTO_SHR[32].OPT,.MAP,.EXE 10$! Output: [.xxx.EXE.CRYPTO]SSL_LIBCRYPTO_SHR[32].OPT,.MAP,.EXE
10$! [.xxx.EXE.SSL]SSL_LIBSSL_SRH[32].OPT,.MAP,.EXE 11$! [.xxx.EXE.SSL]SSL_LIBSSL_SRH[32].OPT,.MAP,.EXE
11$! 12$!
@@ -70,6 +71,9 @@ $ endif
70$ endif 71$ endif
71$ endif 72$ endif
72$! 73$!
74$! ----- Prepare info for processing: disabled algorithms info
75$ gosub read_disabled_algorithms_info
76$!
73$ ZLIB = p2 77$ ZLIB = p2
74$ zlib_lib = "" 78$ zlib_lib = ""
75$ if (ZLIB .nes. "") 79$ if (ZLIB .nes. "")
@@ -384,8 +388,7 @@ $ alg_i = alg_i + 1
384$ if alg_entry .eqs. "" then goto loop2 388$ if alg_entry .eqs. "" then goto loop2
385$ if alg_entry .nes. "," 389$ if alg_entry .nes. ","
386$ then 390$ then
387$ if alg_entry .eqs. "KRB5" then goto loop ! Special for now 391$ if disabled_algorithms - ("," + alg_entry + ",") .nes disabled_algorithms then goto loop
388$ if alg_entry .eqs. "STATIC_ENGINE" then goto loop ! Special for now
389$ if f$trnlnm("OPENSSL_NO_"+alg_entry) .nes. "" then goto loop 392$ if f$trnlnm("OPENSSL_NO_"+alg_entry) .nes. "" then goto loop
390$ goto loop2 393$ goto loop2
391$ endif 394$ endif
@@ -452,3 +455,22 @@ $ endif
452$ endloop_rvi: 455$ endloop_rvi:
453$ close vf 456$ close vf
454$ return 457$ return
458$
459$! The disabled algorithms reader
460$ read_disabled_algorithms_info:
461$ disabled_algorithms = ","
462$ open /read cf [.CRYPTO.'ARCH']OPENSSLCONF.H
463$ loop_rci:
464$ read/err=endloop_rci/end=endloop_rci cf rci_line
465$ rci_line = f$edit(rci_line,"TRIM,COMPRESS")
466$ rci_ei = 0
467$ if f$extract(0,9,rci_line) .eqs. "# define " then rci_ei = 2
468$ if f$extract(0,8,rci_line) .eqs. "#define " then rci_ei = 1
469$ if rci_ei .eq. 0 then goto loop_rci
470$ rci_e = f$element(rci_ei," ",rci_line)
471$ if f$extract(0,11,rci_e) .nes. "OPENSSL_NO_" then goto loop_rci
472$ disabled_algorithms = disabled_algorithms + f$extract(11,999,rci_e) + ","
473$ goto loop_rci
474$ endloop_rci:
475$ close cf
476$ return
diff --git a/src/lib/libssl/src/apps/openssl-vms.cnf b/src/lib/libssl/src/apps/openssl-vms.cnf
index 20ed61bc3e..45e46a0fb4 100644
--- a/src/lib/libssl/src/apps/openssl-vms.cnf
+++ b/src/lib/libssl/src/apps/openssl-vms.cnf
@@ -145,7 +145,7 @@ localityName = Locality Name (eg, city)
145organizationalUnitName = Organizational Unit Name (eg, section) 145organizationalUnitName = Organizational Unit Name (eg, section)
146#organizationalUnitName_default = 146#organizationalUnitName_default =
147 147
148commonName = Common Name (eg, YOUR name) 148commonName = Common Name (e.g. server FQDN or YOUR name)
149commonName_max = 64 149commonName_max = 64
150 150
151emailAddress = Email Address 151emailAddress = Email Address
diff --git a/src/lib/libssl/src/apps/openssl.cnf b/src/lib/libssl/src/apps/openssl.cnf
index 9d2cd5bfa5..18760c6e67 100644
--- a/src/lib/libssl/src/apps/openssl.cnf
+++ b/src/lib/libssl/src/apps/openssl.cnf
@@ -145,7 +145,7 @@ localityName = Locality Name (eg, city)
145organizationalUnitName = Organizational Unit Name (eg, section) 145organizationalUnitName = Organizational Unit Name (eg, section)
146#organizationalUnitName_default = 146#organizationalUnitName_default =
147 147
148commonName = Common Name (eg, YOUR name) 148commonName = Common Name (e.g. server FQDN or YOUR name)
149commonName_max = 64 149commonName_max = 64
150 150
151emailAddress = Email Address 151emailAddress = Email Address
diff --git a/src/lib/libssl/src/apps/x509.c b/src/lib/libssl/src/apps/x509.c
index ed1e8c69ad..9f5eaeb6be 100644
--- a/src/lib/libssl/src/apps/x509.c
+++ b/src/lib/libssl/src/apps/x509.c
@@ -987,7 +987,7 @@ bad:
987 else 987 else
988 { 988 {
989 pk=load_key(bio_err, 989 pk=load_key(bio_err,
990 keyfile, FORMAT_PEM, 0, 990 keyfile, keyformat, 0,
991 passin, e, "request key"); 991 passin, e, "request key");
992 if (pk == NULL) goto end; 992 if (pk == NULL) goto end;
993 } 993 }
diff --git a/src/lib/libssl/src/crypto/bio/bf_buff.c b/src/lib/libssl/src/crypto/bio/bf_buff.c
index c1fd75aaad..4b5a132d8a 100644
--- a/src/lib/libssl/src/crypto/bio/bf_buff.c
+++ b/src/lib/libssl/src/crypto/bio/bf_buff.c
@@ -209,7 +209,7 @@ start:
209 /* add to buffer and return */ 209 /* add to buffer and return */
210 if (i >= inl) 210 if (i >= inl)
211 { 211 {
212 memcpy(&(ctx->obuf[ctx->obuf_len]),in,inl); 212 memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,inl);
213 ctx->obuf_len+=inl; 213 ctx->obuf_len+=inl;
214 return(num+inl); 214 return(num+inl);
215 } 215 }
@@ -219,7 +219,7 @@ start:
219 { 219 {
220 if (i > 0) /* lets fill it up if we can */ 220 if (i > 0) /* lets fill it up if we can */
221 { 221 {
222 memcpy(&(ctx->obuf[ctx->obuf_len]),in,i); 222 memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,i);
223 in+=i; 223 in+=i;
224 inl-=i; 224 inl-=i;
225 num+=i; 225 num+=i;
@@ -294,9 +294,9 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
294 case BIO_C_GET_BUFF_NUM_LINES: 294 case BIO_C_GET_BUFF_NUM_LINES:
295 ret=0; 295 ret=0;
296 p1=ctx->ibuf; 296 p1=ctx->ibuf;
297 for (i=ctx->ibuf_off; i<ctx->ibuf_len; i++) 297 for (i=0; i<ctx->ibuf_len; i++)
298 { 298 {
299 if (p1[i] == '\n') ret++; 299 if (p1[ctx->ibuf_off + i] == '\n') ret++;
300 } 300 }
301 break; 301 break;
302 case BIO_CTRL_WPENDING: 302 case BIO_CTRL_WPENDING:
@@ -399,17 +399,18 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
399 for (;;) 399 for (;;)
400 { 400 {
401 BIO_clear_retry_flags(b); 401 BIO_clear_retry_flags(b);
402 if (ctx->obuf_len > ctx->obuf_off) 402 if (ctx->obuf_len > 0)
403 { 403 {
404 r=BIO_write(b->next_bio, 404 r=BIO_write(b->next_bio,
405 &(ctx->obuf[ctx->obuf_off]), 405 &(ctx->obuf[ctx->obuf_off]),
406 ctx->obuf_len-ctx->obuf_off); 406 ctx->obuf_len);
407#if 0 407#if 0
408fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len-ctx->obuf_off,r); 408fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len,r);
409#endif 409#endif
410 BIO_copy_next_retry(b); 410 BIO_copy_next_retry(b);
411 if (r <= 0) return((long)r); 411 if (r <= 0) return((long)r);
412 ctx->obuf_off+=r; 412 ctx->obuf_off+=r;
413 ctx->obuf_len-=r;
413 } 414 }
414 else 415 else
415 { 416 {
diff --git a/src/lib/libssl/src/crypto/bio/bio.h b/src/lib/libssl/src/crypto/bio/bio.h
index 152802fbdf..ab47abcf14 100644
--- a/src/lib/libssl/src/crypto/bio/bio.h
+++ b/src/lib/libssl/src/crypto/bio/bio.h
@@ -306,6 +306,15 @@ DECLARE_STACK_OF(BIO)
306 306
307typedef struct bio_f_buffer_ctx_struct 307typedef struct bio_f_buffer_ctx_struct
308 { 308 {
309 /* Buffers are setup like this:
310 *
311 * <---------------------- size ----------------------->
312 * +---------------------------------------------------+
313 * | consumed | remaining | free space |
314 * +---------------------------------------------------+
315 * <-- off --><------- len ------->
316 */
317
309 /* BIO *bio; */ /* this is now in the BIO struct */ 318 /* BIO *bio; */ /* this is now in the BIO struct */
310 int ibuf_size; /* how big is the input buffer */ 319 int ibuf_size; /* how big is the input buffer */
311 int obuf_size; /* how big is the output buffer */ 320 int obuf_size; /* how big is the output buffer */
diff --git a/src/lib/libssl/src/crypto/bn/bn_blind.c b/src/lib/libssl/src/crypto/bn/bn_blind.c
index e060592fdc..9ed8bc2b40 100644
--- a/src/lib/libssl/src/crypto/bn/bn_blind.c
+++ b/src/lib/libssl/src/crypto/bn/bn_blind.c
@@ -126,7 +126,7 @@ struct bn_blinding_st
126 * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */ 126 * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
127#endif 127#endif
128 CRYPTO_THREADID tid; 128 CRYPTO_THREADID tid;
129 unsigned int counter; 129 int counter;
130 unsigned long flags; 130 unsigned long flags;
131 BN_MONT_CTX *m_ctx; 131 BN_MONT_CTX *m_ctx;
132 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 132 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -160,7 +160,10 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
160 if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0) 160 if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
161 BN_set_flags(ret->mod, BN_FLG_CONSTTIME); 161 BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
162 162
163 ret->counter = BN_BLINDING_COUNTER; 163 /* Set the counter to the special value -1
164 * to indicate that this is never-used fresh blinding
165 * that does not need updating before first use. */
166 ret->counter = -1;
164 CRYPTO_THREADID_current(&ret->tid); 167 CRYPTO_THREADID_current(&ret->tid);
165 return(ret); 168 return(ret);
166err: 169err:
@@ -190,7 +193,10 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
190 goto err; 193 goto err;
191 } 194 }
192 195
193 if (--(b->counter) == 0 && b->e != NULL && 196 if (b->counter == -1)
197 b->counter = 0;
198
199 if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL &&
194 !(b->flags & BN_BLINDING_NO_RECREATE)) 200 !(b->flags & BN_BLINDING_NO_RECREATE))
195 { 201 {
196 /* re-create blinding parameters */ 202 /* re-create blinding parameters */
@@ -205,8 +211,8 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
205 211
206 ret=1; 212 ret=1;
207err: 213err:
208 if (b->counter == 0) 214 if (b->counter == BN_BLINDING_COUNTER)
209 b->counter = BN_BLINDING_COUNTER; 215 b->counter = 0;
210 return(ret); 216 return(ret);
211 } 217 }
212 218
@@ -227,6 +233,12 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
227 return(0); 233 return(0);
228 } 234 }
229 235
236 if (b->counter == -1)
237 /* Fresh blinding, doesn't need updating. */
238 b->counter = 0;
239 else if (!BN_BLINDING_update(b,ctx))
240 return(0);
241
230 if (r != NULL) 242 if (r != NULL)
231 { 243 {
232 if (!BN_copy(r, b->Ai)) ret=0; 244 if (!BN_copy(r, b->Ai)) ret=0;
@@ -247,22 +259,19 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ct
247 int ret; 259 int ret;
248 260
249 bn_check_top(n); 261 bn_check_top(n);
250 if ((b->A == NULL) || (b->Ai == NULL))
251 {
252 BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
253 return(0);
254 }
255 262
256 if (r != NULL) 263 if (r != NULL)
257 ret = BN_mod_mul(n, n, r, b->mod, ctx); 264 ret = BN_mod_mul(n, n, r, b->mod, ctx);
258 else 265 else
259 ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
260
261 if (ret >= 0)
262 { 266 {
263 if (!BN_BLINDING_update(b,ctx)) 267 if (b->Ai == NULL)
268 {
269 BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
264 return(0); 270 return(0);
271 }
272 ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
265 } 273 }
274
266 bn_check_top(n); 275 bn_check_top(n);
267 return(ret); 276 return(ret);
268 } 277 }
diff --git a/src/lib/libssl/src/crypto/ec/ec2_smpl.c b/src/lib/libssl/src/crypto/ec/ec2_smpl.c
index af94458ca7..03deae6674 100644
--- a/src/lib/libssl/src/crypto/ec/ec2_smpl.c
+++ b/src/lib/libssl/src/crypto/ec/ec2_smpl.c
@@ -887,7 +887,7 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_
887 field_sqr = group->meth->field_sqr; 887 field_sqr = group->meth->field_sqr;
888 888
889 /* only support affine coordinates */ 889 /* only support affine coordinates */
890 if (!point->Z_is_one) goto err; 890 if (!point->Z_is_one) return -1;
891 891
892 if (ctx == NULL) 892 if (ctx == NULL)
893 { 893 {
diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h
index 310a3387be..d6d61a0c7d 100644
--- a/src/lib/libssl/src/crypto/opensslv.h
+++ b/src/lib/libssl/src/crypto/opensslv.h
@@ -25,11 +25,11 @@
25 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for 25 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
26 * major minor fix final patch/beta) 26 * major minor fix final patch/beta)
27 */ 27 */
28#define OPENSSL_VERSION_NUMBER 0x1000005fL 28#define OPENSSL_VERSION_NUMBER 0x1000006fL
29#ifdef OPENSSL_FIPS 29#ifdef OPENSSL_FIPS
30#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0e-fips 6 Sep 2011" 30#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f-fips 4 Jan 2012"
31#else 31#else
32#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0e 6 Sep 2011" 32#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f 4 Jan 2012"
33#endif 33#endif
34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT 34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
35 35
diff --git a/src/lib/libssl/src/crypto/rand/rand_unix.c b/src/lib/libssl/src/crypto/rand/rand_unix.c
index 4bb9666e49..3316388443 100644
--- a/src/lib/libssl/src/crypto/rand/rand_unix.c
+++ b/src/lib/libssl/src/crypto/rand/rand_unix.c
@@ -133,47 +133,87 @@
133# define FD_SETSIZE (8*sizeof(fd_set)) 133# define FD_SETSIZE (8*sizeof(fd_set))
134#endif 134#endif
135 135
136#ifdef __VOS__ 136#if defined(OPENSSL_SYS_VOS)
137
138/* The following algorithm repeatedly samples the real-time clock
139 (RTC) to generate a sequence of unpredictable data. The algorithm
140 relies upon the uneven execution speed of the code (due to factors
141 such as cache misses, interrupts, bus activity, and scheduling) and
142 upon the rather large relative difference between the speed of the
143 clock and the rate at which it can be read.
144
145 If this code is ported to an environment where execution speed is
146 more constant or where the RTC ticks at a much slower rate, or the
147 clock can be read with fewer instructions, it is likely that the
148 results would be far more predictable.
149
150 As a precaution, we generate 4 times the minimum required amount of
151 seed data. */
152
137int RAND_poll(void) 153int RAND_poll(void)
138{ 154{
139 unsigned char buf[ENTROPY_NEEDED]; 155 short int code;
156 gid_t curr_gid;
140 pid_t curr_pid; 157 pid_t curr_pid;
141 uid_t curr_uid; 158 uid_t curr_uid;
142 static int first=1; 159 int i, k;
143 int i;
144 long rnd = 0;
145 struct timespec ts; 160 struct timespec ts;
146 unsigned seed; 161 unsigned char v;
147
148/* The VOS random() function starts from a static seed so its
149 initial value is predictable. If random() returns the
150 initial value, reseed it with dynamic data. The VOS
151 real-time clock has a granularity of 1 nsec so it should be
152 reasonably difficult to predict its exact value. Do not
153 gratuitously reseed the PRNG because other code in this
154 process or thread may be using it. */
155
156 if (first) {
157 first = 0;
158 rnd = random ();
159 if (rnd == 1804289383) {
160 clock_gettime (CLOCK_REALTIME, &ts);
161 curr_pid = getpid();
162 curr_uid = getuid();
163 seed = ts.tv_sec ^ ts.tv_nsec ^ curr_pid ^ curr_uid;
164 srandom (seed);
165 }
166 }
167 162
168 for (i = 0; i < sizeof(buf); i++) { 163#ifdef OPENSSL_SYS_VOS_HPPA
169 if (i % 4 == 0) 164 long duration;
170 rnd = random(); 165 extern void s$sleep (long *_duration, short int *_code);
171 buf[i] = rnd; 166#else
172 rnd >>= 8; 167#ifdef OPENSSL_SYS_VOS_IA32
173 } 168 long long duration;
174 RAND_add(buf, sizeof(buf), ENTROPY_NEEDED); 169 extern void s$sleep2 (long long *_duration, short int *_code);
175 memset(buf, 0, sizeof(buf)); 170#else
171#error "Unsupported Platform."
172#endif /* OPENSSL_SYS_VOS_IA32 */
173#endif /* OPENSSL_SYS_VOS_HPPA */
176 174
175 /* Seed with the gid, pid, and uid, to ensure *some*
176 variation between different processes. */
177
178 curr_gid = getgid();
179 RAND_add (&curr_gid, sizeof curr_gid, 1);
180 curr_gid = 0;
181
182 curr_pid = getpid();
183 RAND_add (&curr_pid, sizeof curr_pid, 1);
184 curr_pid = 0;
185
186 curr_uid = getuid();
187 RAND_add (&curr_uid, sizeof curr_uid, 1);
188 curr_uid = 0;
189
190 for (i=0; i<(ENTROPY_NEEDED*4); i++)
191 {
192 /* burn some cpu; hope for interrupts, cache
193 collisions, bus interference, etc. */
194 for (k=0; k<99; k++)
195 ts.tv_nsec = random ();
196
197#ifdef OPENSSL_SYS_VOS_HPPA
198 /* sleep for 1/1024 of a second (976 us). */
199 duration = 1;
200 s$sleep (&duration, &code);
201#else
202#ifdef OPENSSL_SYS_VOS_IA32
203 /* sleep for 1/65536 of a second (15 us). */
204 duration = 1;
205 s$sleep2 (&duration, &code);
206#endif /* OPENSSL_SYS_VOS_IA32 */
207#endif /* OPENSSL_SYS_VOS_HPPA */
208
209 /* get wall clock time. */
210 clock_gettime (CLOCK_REALTIME, &ts);
211
212 /* take 8 bits */
213 v = (unsigned char) (ts.tv_nsec % 256);
214 RAND_add (&v, sizeof v, 1);
215 v = 0;
216 }
177 return 1; 217 return 1;
178} 218}
179#elif defined __OpenBSD__ 219#elif defined __OpenBSD__
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
index 7c941885f0..2e1ddd48d3 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -314,51 +314,56 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
314 return ret; 314 return ret;
315} 315}
316 316
317static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f, 317static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
318 BIGNUM *r, BN_CTX *ctx) 318 BN_CTX *ctx)
319{ 319 {
320 if (local) 320 if (unblind == NULL)
321 /* Local blinding: store the unblinding factor
322 * in BN_BLINDING. */
321 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 323 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
322 else 324 else
323 { 325 {
324 int ret; 326 /* Shared blinding: store the unblinding factor
325 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING); 327 * outside BN_BLINDING. */
326 ret = BN_BLINDING_convert_ex(f, r, b, ctx);
327 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
328 return ret;
329 }
330}
331
332static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
333 BIGNUM *r, BN_CTX *ctx)
334{
335 if (local)
336 return BN_BLINDING_invert_ex(f, NULL, b, ctx);
337 else
338 {
339 int ret; 328 int ret;
340 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 329 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
341 ret = BN_BLINDING_invert_ex(f, r, b, ctx); 330 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
342 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 331 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
343 return ret; 332 return ret;
344 } 333 }
345} 334 }
335
336static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
337 BN_CTX *ctx)
338 {
339 /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
340 * will use the unblinding factor stored in BN_BLINDING.
341 * If BN_BLINDING is shared between threads, unblind must be non-null:
342 * BN_BLINDING_invert_ex will then use the local unblinding factor,
343 * and will only read the modulus from BN_BLINDING.
344 * In both cases it's safe to access the blinding without a lock.
345 */
346 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
347 }
346 348
347/* signing */ 349/* signing */
348static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 350static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
349 unsigned char *to, RSA *rsa, int padding) 351 unsigned char *to, RSA *rsa, int padding)
350 { 352 {
351 BIGNUM *f, *ret, *br, *res; 353 BIGNUM *f, *ret, *res;
352 int i,j,k,num=0,r= -1; 354 int i,j,k,num=0,r= -1;
353 unsigned char *buf=NULL; 355 unsigned char *buf=NULL;
354 BN_CTX *ctx=NULL; 356 BN_CTX *ctx=NULL;
355 int local_blinding = 0; 357 int local_blinding = 0;
358 /* Used only if the blinding structure is shared. A non-NULL unblind
359 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
360 * the unblinding factor outside the blinding structure. */
361 BIGNUM *unblind = NULL;
356 BN_BLINDING *blinding = NULL; 362 BN_BLINDING *blinding = NULL;
357 363
358 if ((ctx=BN_CTX_new()) == NULL) goto err; 364 if ((ctx=BN_CTX_new()) == NULL) goto err;
359 BN_CTX_start(ctx); 365 BN_CTX_start(ctx);
360 f = BN_CTX_get(ctx); 366 f = BN_CTX_get(ctx);
361 br = BN_CTX_get(ctx);
362 ret = BN_CTX_get(ctx); 367 ret = BN_CTX_get(ctx);
363 num = BN_num_bytes(rsa->n); 368 num = BN_num_bytes(rsa->n);
364 buf = OPENSSL_malloc(num); 369 buf = OPENSSL_malloc(num);
@@ -406,8 +411,15 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
406 } 411 }
407 412
408 if (blinding != NULL) 413 if (blinding != NULL)
409 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 414 {
415 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
416 {
417 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
418 goto err;
419 }
420 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
410 goto err; 421 goto err;
422 }
411 423
412 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 424 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
413 ((rsa->p != NULL) && 425 ((rsa->p != NULL) &&
@@ -441,7 +453,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
441 } 453 }
442 454
443 if (blinding) 455 if (blinding)
444 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 456 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
445 goto err; 457 goto err;
446 458
447 if (padding == RSA_X931_PADDING) 459 if (padding == RSA_X931_PADDING)
@@ -480,18 +492,21 @@ err:
480static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 492static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
481 unsigned char *to, RSA *rsa, int padding) 493 unsigned char *to, RSA *rsa, int padding)
482 { 494 {
483 BIGNUM *f, *ret, *br; 495 BIGNUM *f, *ret;
484 int j,num=0,r= -1; 496 int j,num=0,r= -1;
485 unsigned char *p; 497 unsigned char *p;
486 unsigned char *buf=NULL; 498 unsigned char *buf=NULL;
487 BN_CTX *ctx=NULL; 499 BN_CTX *ctx=NULL;
488 int local_blinding = 0; 500 int local_blinding = 0;
501 /* Used only if the blinding structure is shared. A non-NULL unblind
502 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
503 * the unblinding factor outside the blinding structure. */
504 BIGNUM *unblind = NULL;
489 BN_BLINDING *blinding = NULL; 505 BN_BLINDING *blinding = NULL;
490 506
491 if((ctx = BN_CTX_new()) == NULL) goto err; 507 if((ctx = BN_CTX_new()) == NULL) goto err;
492 BN_CTX_start(ctx); 508 BN_CTX_start(ctx);
493 f = BN_CTX_get(ctx); 509 f = BN_CTX_get(ctx);
494 br = BN_CTX_get(ctx);
495 ret = BN_CTX_get(ctx); 510 ret = BN_CTX_get(ctx);
496 num = BN_num_bytes(rsa->n); 511 num = BN_num_bytes(rsa->n);
497 buf = OPENSSL_malloc(num); 512 buf = OPENSSL_malloc(num);
@@ -529,8 +544,15 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
529 } 544 }
530 545
531 if (blinding != NULL) 546 if (blinding != NULL)
532 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 547 {
548 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
549 {
550 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
533 goto err; 551 goto err;
552 }
553 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
554 goto err;
555 }
534 556
535 /* do the decrypt */ 557 /* do the decrypt */
536 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 558 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -564,7 +586,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
564 } 586 }
565 587
566 if (blinding) 588 if (blinding)
567 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 589 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
568 goto err; 590 goto err;
569 591
570 p=buf; 592 p=buf;
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index 5a0b0249b4..701ec565e9 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1732,7 +1732,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
1732 atm.length=sizeof(buff2); 1732 atm.length=sizeof(buff2);
1733 atm.data=(unsigned char *)buff2; 1733 atm.data=(unsigned char *)buff2;
1734 1734
1735 if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL) 1735 if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
1736 return 0; 1736 return 0;
1737 1737
1738 if (ctm->type == V_ASN1_UTCTIME) 1738 if (ctm->type == V_ASN1_UTCTIME)
diff --git a/src/lib/libssl/src/crypto/x509v3/v3_addr.c b/src/lib/libssl/src/crypto/x509v3/v3_addr.c
index 0d70e8696d..df46a4983b 100644
--- a/src/lib/libssl/src/crypto/x509v3/v3_addr.c
+++ b/src/lib/libssl/src/crypto/x509v3/v3_addr.c
@@ -142,12 +142,13 @@ unsigned int v3_addr_get_afi(const IPAddressFamily *f)
142 * Expand the bitstring form of an address into a raw byte array. 142 * Expand the bitstring form of an address into a raw byte array.
143 * At the moment this is coded for simplicity, not speed. 143 * At the moment this is coded for simplicity, not speed.
144 */ 144 */
145static void addr_expand(unsigned char *addr, 145static int addr_expand(unsigned char *addr,
146 const ASN1_BIT_STRING *bs, 146 const ASN1_BIT_STRING *bs,
147 const int length, 147 const int length,
148 const unsigned char fill) 148 const unsigned char fill)
149{ 149{
150 OPENSSL_assert(bs->length >= 0 && bs->length <= length); 150 if (bs->length < 0 || bs->length > length)
151 return 0;
151 if (bs->length > 0) { 152 if (bs->length > 0) {
152 memcpy(addr, bs->data, bs->length); 153 memcpy(addr, bs->data, bs->length);
153 if ((bs->flags & 7) != 0) { 154 if ((bs->flags & 7) != 0) {
@@ -159,6 +160,7 @@ static void addr_expand(unsigned char *addr,
159 } 160 }
160 } 161 }
161 memset(addr + bs->length, fill, length - bs->length); 162 memset(addr + bs->length, fill, length - bs->length);
163 return 1;
162} 164}
163 165
164/* 166/*
@@ -181,15 +183,13 @@ static int i2r_address(BIO *out,
181 return 0; 183 return 0;
182 switch (afi) { 184 switch (afi) {
183 case IANA_AFI_IPV4: 185 case IANA_AFI_IPV4:
184 if (bs->length > 4) 186 if (!addr_expand(addr, bs, 4, fill))
185 return 0; 187 return 0;
186 addr_expand(addr, bs, 4, fill);
187 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]); 188 BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
188 break; 189 break;
189 case IANA_AFI_IPV6: 190 case IANA_AFI_IPV6:
190 if (bs->length > 16) 191 if (!addr_expand(addr, bs, 16, fill))
191 return 0; 192 return 0;
192 addr_expand(addr, bs, 16, fill);
193 for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2) 193 for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
194 ; 194 ;
195 for (i = 0; i < n; i += 2) 195 for (i = 0; i < n; i += 2)
@@ -315,6 +315,12 @@ static int i2r_IPAddrBlocks(const X509V3_EXT_METHOD *method,
315/* 315/*
316 * Sort comparison function for a sequence of IPAddressOrRange 316 * Sort comparison function for a sequence of IPAddressOrRange
317 * elements. 317 * elements.
318 *
319 * There's no sane answer we can give if addr_expand() fails, and an
320 * assertion failure on externally supplied data is seriously uncool,
321 * so we just arbitrarily declare that if given invalid inputs this
322 * function returns -1. If this messes up your preferred sort order
323 * for garbage input, tough noogies.
318 */ 324 */
319static int IPAddressOrRange_cmp(const IPAddressOrRange *a, 325static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
320 const IPAddressOrRange *b, 326 const IPAddressOrRange *b,
@@ -326,22 +332,26 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
326 332
327 switch (a->type) { 333 switch (a->type) {
328 case IPAddressOrRange_addressPrefix: 334 case IPAddressOrRange_addressPrefix:
329 addr_expand(addr_a, a->u.addressPrefix, length, 0x00); 335 if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
336 return -1;
330 prefixlen_a = addr_prefixlen(a->u.addressPrefix); 337 prefixlen_a = addr_prefixlen(a->u.addressPrefix);
331 break; 338 break;
332 case IPAddressOrRange_addressRange: 339 case IPAddressOrRange_addressRange:
333 addr_expand(addr_a, a->u.addressRange->min, length, 0x00); 340 if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
341 return -1;
334 prefixlen_a = length * 8; 342 prefixlen_a = length * 8;
335 break; 343 break;
336 } 344 }
337 345
338 switch (b->type) { 346 switch (b->type) {
339 case IPAddressOrRange_addressPrefix: 347 case IPAddressOrRange_addressPrefix:
340 addr_expand(addr_b, b->u.addressPrefix, length, 0x00); 348 if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
349 return -1;
341 prefixlen_b = addr_prefixlen(b->u.addressPrefix); 350 prefixlen_b = addr_prefixlen(b->u.addressPrefix);
342 break; 351 break;
343 case IPAddressOrRange_addressRange: 352 case IPAddressOrRange_addressRange:
344 addr_expand(addr_b, b->u.addressRange->min, length, 0x00); 353 if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
354 return -1;
345 prefixlen_b = length * 8; 355 prefixlen_b = length * 8;
346 break; 356 break;
347 } 357 }
@@ -383,6 +393,7 @@ static int range_should_be_prefix(const unsigned char *min,
383 unsigned char mask; 393 unsigned char mask;
384 int i, j; 394 int i, j;
385 395
396 OPENSSL_assert(memcmp(min, max, length) <= 0);
386 for (i = 0; i < length && min[i] == max[i]; i++) 397 for (i = 0; i < length && min[i] == max[i]; i++)
387 ; 398 ;
388 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--) 399 for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
@@ -601,10 +612,10 @@ static IPAddressOrRanges *make_prefix_or_range(IPAddrBlocks *addr,
601 return NULL; 612 return NULL;
602 switch (afi) { 613 switch (afi) {
603 case IANA_AFI_IPV4: 614 case IANA_AFI_IPV4:
604 sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp); 615 (void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
605 break; 616 break;
606 case IANA_AFI_IPV6: 617 case IANA_AFI_IPV6:
607 sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp); 618 (void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
608 break; 619 break;
609 } 620 }
610 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges; 621 f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
@@ -656,22 +667,22 @@ int v3_addr_add_range(IPAddrBlocks *addr,
656/* 667/*
657 * Extract min and max values from an IPAddressOrRange. 668 * Extract min and max values from an IPAddressOrRange.
658 */ 669 */
659static void extract_min_max(IPAddressOrRange *aor, 670static int extract_min_max(IPAddressOrRange *aor,
660 unsigned char *min, 671 unsigned char *min,
661 unsigned char *max, 672 unsigned char *max,
662 int length) 673 int length)
663{ 674{
664 OPENSSL_assert(aor != NULL && min != NULL && max != NULL); 675 if (aor == NULL || min == NULL || max == NULL)
676 return 0;
665 switch (aor->type) { 677 switch (aor->type) {
666 case IPAddressOrRange_addressPrefix: 678 case IPAddressOrRange_addressPrefix:
667 addr_expand(min, aor->u.addressPrefix, length, 0x00); 679 return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
668 addr_expand(max, aor->u.addressPrefix, length, 0xFF); 680 addr_expand(max, aor->u.addressPrefix, length, 0xFF));
669 return;
670 case IPAddressOrRange_addressRange: 681 case IPAddressOrRange_addressRange:
671 addr_expand(min, aor->u.addressRange->min, length, 0x00); 682 return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
672 addr_expand(max, aor->u.addressRange->max, length, 0xFF); 683 addr_expand(max, aor->u.addressRange->max, length, 0xFF));
673 return;
674 } 684 }
685 return 0;
675} 686}
676 687
677/* 688/*
@@ -687,9 +698,10 @@ int v3_addr_get_range(IPAddressOrRange *aor,
687 if (aor == NULL || min == NULL || max == NULL || 698 if (aor == NULL || min == NULL || max == NULL ||
688 afi_length == 0 || length < afi_length || 699 afi_length == 0 || length < afi_length ||
689 (aor->type != IPAddressOrRange_addressPrefix && 700 (aor->type != IPAddressOrRange_addressPrefix &&
690 aor->type != IPAddressOrRange_addressRange)) 701 aor->type != IPAddressOrRange_addressRange) ||
702 !extract_min_max(aor, min, max, afi_length))
691 return 0; 703 return 0;
692 extract_min_max(aor, min, max, afi_length); 704
693 return afi_length; 705 return afi_length;
694} 706}
695 707
@@ -771,8 +783,9 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
771 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 783 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
772 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1); 784 IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
773 785
774 extract_min_max(a, a_min, a_max, length); 786 if (!extract_min_max(a, a_min, a_max, length) ||
775 extract_min_max(b, b_min, b_max, length); 787 !extract_min_max(b, b_min, b_max, length))
788 return 0;
776 789
777 /* 790 /*
778 * Punt misordered list, overlapping start, or inverted range. 791 * Punt misordered list, overlapping start, or inverted range.
@@ -800,14 +813,17 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
800 } 813 }
801 814
802 /* 815 /*
803 * Check final range to see if it should be a prefix. 816 * Check range to see if it's inverted or should be a
817 * prefix.
804 */ 818 */
805 j = sk_IPAddressOrRange_num(aors) - 1; 819 j = sk_IPAddressOrRange_num(aors) - 1;
806 { 820 {
807 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j); 821 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
808 if (a->type == IPAddressOrRange_addressRange) { 822 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
809 extract_min_max(a, a_min, a_max, length); 823 if (!extract_min_max(a, a_min, a_max, length))
810 if (range_should_be_prefix(a_min, a_max, length) >= 0) 824 return 0;
825 if (memcmp(a_min, a_max, length) > 0 ||
826 range_should_be_prefix(a_min, a_max, length) >= 0)
811 return 0; 827 return 0;
812 } 828 }
813 } 829 }
@@ -841,8 +857,16 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
841 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN]; 857 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
842 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN]; 858 unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
843 859
844 extract_min_max(a, a_min, a_max, length); 860 if (!extract_min_max(a, a_min, a_max, length) ||
845 extract_min_max(b, b_min, b_max, length); 861 !extract_min_max(b, b_min, b_max, length))
862 return 0;
863
864 /*
865 * Punt inverted ranges.
866 */
867 if (memcmp(a_min, a_max, length) > 0 ||
868 memcmp(b_min, b_max, length) > 0)
869 return 0;
846 870
847 /* 871 /*
848 * Punt overlaps. 872 * Punt overlaps.
@@ -860,8 +884,8 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
860 IPAddressOrRange *merged; 884 IPAddressOrRange *merged;
861 if (!make_addressRange(&merged, a_min, b_max, length)) 885 if (!make_addressRange(&merged, a_min, b_max, length))
862 return 0; 886 return 0;
863 sk_IPAddressOrRange_set(aors, i, merged); 887 (void) sk_IPAddressOrRange_set(aors, i, merged);
864 sk_IPAddressOrRange_delete(aors, i + 1); 888 (void) sk_IPAddressOrRange_delete(aors, i + 1);
865 IPAddressOrRange_free(a); 889 IPAddressOrRange_free(a);
866 IPAddressOrRange_free(b); 890 IPAddressOrRange_free(b);
867 --i; 891 --i;
@@ -869,6 +893,20 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
869 } 893 }
870 } 894 }
871 895
896 /*
897 * Check for inverted final range.
898 */
899 j = sk_IPAddressOrRange_num(aors) - 1;
900 {
901 IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
902 if (a != NULL && a->type == IPAddressOrRange_addressRange) {
903 unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
904 extract_min_max(a, a_min, a_max, length);
905 if (memcmp(a_min, a_max, length) > 0)
906 return 0;
907 }
908 }
909
872 return 1; 910 return 1;
873} 911}
874 912
@@ -885,7 +923,7 @@ int v3_addr_canonize(IPAddrBlocks *addr)
885 v3_addr_get_afi(f))) 923 v3_addr_get_afi(f)))
886 return 0; 924 return 0;
887 } 925 }
888 sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); 926 (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
889 sk_IPAddressFamily_sort(addr); 927 sk_IPAddressFamily_sort(addr);
890 OPENSSL_assert(v3_addr_is_canonical(addr)); 928 OPENSSL_assert(v3_addr_is_canonical(addr));
891 return 1; 929 return 1;
@@ -1017,6 +1055,11 @@ static void *v2i_IPAddrBlocks(const struct v3_ext_method *method,
1017 X509V3_conf_err(val); 1055 X509V3_conf_err(val);
1018 goto err; 1056 goto err;
1019 } 1057 }
1058 if (memcmp(min, max, length_from_afi(afi)) > 0) {
1059 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
1060 X509V3_conf_err(val);
1061 goto err;
1062 }
1020 if (!v3_addr_add_range(addr, afi, safi, min, max)) { 1063 if (!v3_addr_add_range(addr, afi, safi, min, max)) {
1021 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE); 1064 X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
1022 goto err; 1065 goto err;
@@ -1102,13 +1145,15 @@ static int addr_contains(IPAddressOrRanges *parent,
1102 1145
1103 p = 0; 1146 p = 0;
1104 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) { 1147 for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
1105 extract_min_max(sk_IPAddressOrRange_value(child, c), 1148 if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
1106 c_min, c_max, length); 1149 c_min, c_max, length))
1150 return -1;
1107 for (;; p++) { 1151 for (;; p++) {
1108 if (p >= sk_IPAddressOrRange_num(parent)) 1152 if (p >= sk_IPAddressOrRange_num(parent))
1109 return 0; 1153 return 0;
1110 extract_min_max(sk_IPAddressOrRange_value(parent, p), 1154 if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
1111 p_min, p_max, length); 1155 p_min, p_max, length))
1156 return 0;
1112 if (memcmp(p_max, c_max, length) < 0) 1157 if (memcmp(p_max, c_max, length) < 0)
1113 continue; 1158 continue;
1114 if (memcmp(p_min, c_min, length) > 0) 1159 if (memcmp(p_min, c_min, length) > 0)
@@ -1130,7 +1175,7 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b)
1130 return 1; 1175 return 1;
1131 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b)) 1176 if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
1132 return 0; 1177 return 0;
1133 sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp); 1178 (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
1134 for (i = 0; i < sk_IPAddressFamily_num(a); i++) { 1179 for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
1135 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); 1180 IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
1136 int j = sk_IPAddressFamily_find(b, fa); 1181 int j = sk_IPAddressFamily_find(b, fa);
@@ -1195,7 +1240,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
1195 } 1240 }
1196 if (!v3_addr_is_canonical(ext)) 1241 if (!v3_addr_is_canonical(ext))
1197 validation_err(X509_V_ERR_INVALID_EXTENSION); 1242 validation_err(X509_V_ERR_INVALID_EXTENSION);
1198 sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp); 1243 (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
1199 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) { 1244 if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
1200 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE); 1245 X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
1201 ret = 0; 1246 ret = 0;
@@ -1221,7 +1266,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx,
1221 } 1266 }
1222 continue; 1267 continue;
1223 } 1268 }
1224 sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp); 1269 (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
1225 for (j = 0; j < sk_IPAddressFamily_num(child); j++) { 1270 for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
1226 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j); 1271 IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
1227 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc); 1272 int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
diff --git a/src/lib/libssl/src/doc/ssl/SSL_clear.pod b/src/lib/libssl/src/doc/ssl/SSL_clear.pod
index 8e077e31c9..d4df1bfac3 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_clear.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_clear.pod
@@ -39,10 +39,16 @@ for a description of the method's properties.
39SSL_clear() resets the SSL object to allow for another connection. The 39SSL_clear() resets the SSL object to allow for another connection. The
40reset operation however keeps several settings of the last sessions 40reset operation however keeps several settings of the last sessions
41(some of these settings were made automatically during the last 41(some of these settings were made automatically during the last
42handshake). It only makes sense when opening a new session (or reusing 42handshake). It only makes sense for a new connection with the exact
43an old one) with the same peer that shares these settings. 43same peer that shares these settings, and may fail if that peer
44SSL_clear() is not a short form for the sequence 44changes its settings between connections. Use the sequence
45L<SSL_free(3)|SSL_free(3)>; L<SSL_new(3)|SSL_new(3)>; . 45L<SSL_get_session(3)|SSL_get_session(3)>;
46L<SSL_new(3)|SSL_new(3)>;
47L<SSL_set_session(3)|SSL_set_session(3)>;
48L<SSL_free(3)|SSL_free(3)>
49instead to avoid such failures
50(or simply L<SSL_free(3)|SSL_free(3)>; L<SSL_new(3)|SSL_new(3)>
51if session reuse is not desired).
46 52
47=head1 RETURN VALUES 53=head1 RETURN VALUES
48 54
diff --git a/src/lib/libssl/src/e_os2.h b/src/lib/libssl/src/e_os2.h
index 4c785c62cf..d30724d304 100644
--- a/src/lib/libssl/src/e_os2.h
+++ b/src/lib/libssl/src/e_os2.h
@@ -193,8 +193,14 @@ extern "C" {
193#endif 193#endif
194 194
195/* --------------------------------- VOS ----------------------------------- */ 195/* --------------------------------- VOS ----------------------------------- */
196#ifdef OPENSSL_SYSNAME_VOS 196#if defined(__VOS__) || defined(OPENSSL_SYSNAME_VOS)
197# define OPENSSL_SYS_VOS 197# define OPENSSL_SYS_VOS
198#ifdef __HPPA__
199# define OPENSSL_SYS_VOS_HPPA
200#endif
201#ifdef __IA32__
202# define OPENSSL_SYS_VOS_IA32
203#endif
198#endif 204#endif
199 205
200/* ------------------------------- VxWorks --------------------------------- */ 206/* ------------------------------- VxWorks --------------------------------- */
diff --git a/src/lib/libssl/src/openssl.spec b/src/lib/libssl/src/openssl.spec
index e4db875539..703cea2a5f 100644
--- a/src/lib/libssl/src/openssl.spec
+++ b/src/lib/libssl/src/openssl.spec
@@ -2,7 +2,7 @@
2%define libmaj 1 2%define libmaj 1
3%define libmin 0 3%define libmin 0
4%define librel 0 4%define librel 0
5%define librev e 5%define librev f
6Release: 1 6Release: 1
7 7
8%define openssldir /var/ssl 8%define openssldir /var/ssl
diff --git a/src/lib/libssl/src/ssl/d1_pkt.c b/src/lib/libssl/src/ssl/d1_pkt.c
index 39aac73e10..e0c0f0cc9a 100644
--- a/src/lib/libssl/src/ssl/d1_pkt.c
+++ b/src/lib/libssl/src/ssl/d1_pkt.c
@@ -375,6 +375,7 @@ dtls1_process_record(SSL *s)
375 SSL3_RECORD *rr; 375 SSL3_RECORD *rr;
376 unsigned int mac_size; 376 unsigned int mac_size;
377 unsigned char md[EVP_MAX_MD_SIZE]; 377 unsigned char md[EVP_MAX_MD_SIZE];
378 int decryption_failed_or_bad_record_mac = 0;
378 379
379 380
380 rr= &(s->s3->rrec); 381 rr= &(s->s3->rrec);
@@ -409,13 +410,10 @@ dtls1_process_record(SSL *s)
409 enc_err = s->method->ssl3_enc->enc(s,0); 410 enc_err = s->method->ssl3_enc->enc(s,0);
410 if (enc_err <= 0) 411 if (enc_err <= 0)
411 { 412 {
412 /* decryption failed, silently discard message */ 413 /* To minimize information leaked via timing, we will always
413 if (enc_err < 0) 414 * perform all computations before discarding the message.
414 { 415 */
415 rr->length = 0; 416 decryption_failed_or_bad_record_mac = 1;
416 s->packet_length = 0;
417 }
418 goto err;
419 } 417 }
420 418
421#ifdef TLS_DEBUG 419#ifdef TLS_DEBUG
@@ -445,7 +443,7 @@ printf("\n");
445 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); 443 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
446 goto f_err; 444 goto f_err;
447#else 445#else
448 goto err; 446 decryption_failed_or_bad_record_mac = 1;
449#endif 447#endif
450 } 448 }
451 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ 449 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
@@ -456,17 +454,25 @@ printf("\n");
456 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); 454 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
457 goto f_err; 455 goto f_err;
458#else 456#else
459 goto err; 457 decryption_failed_or_bad_record_mac = 1;
460#endif 458#endif
461 } 459 }
462 rr->length-=mac_size; 460 rr->length-=mac_size;
463 i=s->method->ssl3_enc->mac(s,md,0); 461 i=s->method->ssl3_enc->mac(s,md,0);
464 if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) 462 if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
465 { 463 {
466 goto err; 464 decryption_failed_or_bad_record_mac = 1;
467 } 465 }
468 } 466 }
469 467
468 if (decryption_failed_or_bad_record_mac)
469 {
470 /* decryption failed, silently discard message */
471 rr->length = 0;
472 s->packet_length = 0;
473 goto err;
474 }
475
470 /* r->length is now just compressed */ 476 /* r->length is now just compressed */
471 if (s->expand != NULL) 477 if (s->expand != NULL)
472 { 478 {
diff --git a/src/lib/libssl/src/ssl/d1_srvr.c b/src/lib/libssl/src/ssl/d1_srvr.c
index a6a4c87ea6..149983be30 100644
--- a/src/lib/libssl/src/ssl/d1_srvr.c
+++ b/src/lib/libssl/src/ssl/d1_srvr.c
@@ -1271,7 +1271,7 @@ int dtls1_send_server_key_exchange(SSL *s)
1271 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL); 1271 EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
1272 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); 1272 EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
1273 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); 1273 EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
1274 EVP_SignUpdate(&md_ctx,&(d[4]),n); 1274 EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
1275 if (!EVP_SignFinal(&md_ctx,&(p[2]), 1275 if (!EVP_SignFinal(&md_ctx,&(p[2]),
1276 (unsigned int *)&i,pkey)) 1276 (unsigned int *)&i,pkey))
1277 { 1277 {
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 50bd415b56..53223bd38d 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -953,7 +953,7 @@ int ssl3_get_server_hello(SSL *s)
953 /* wrong packet length */ 953 /* wrong packet length */
954 al=SSL_AD_DECODE_ERROR; 954 al=SSL_AD_DECODE_ERROR;
955 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH); 955 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
956 goto err; 956 goto f_err;
957 } 957 }
958 958
959 return(1); 959 return(1);
@@ -1837,7 +1837,7 @@ int ssl3_get_new_session_ticket(SSL *s)
1837 if (n < 6) 1837 if (n < 6)
1838 { 1838 {
1839 /* need at least ticket_lifetime_hint + ticket length */ 1839 /* need at least ticket_lifetime_hint + ticket length */
1840 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; 1840 al = SSL_AD_DECODE_ERROR;
1841 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1841 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1842 goto f_err; 1842 goto f_err;
1843 } 1843 }
@@ -1848,7 +1848,7 @@ int ssl3_get_new_session_ticket(SSL *s)
1848 /* ticket_lifetime_hint + ticket_length + ticket */ 1848 /* ticket_lifetime_hint + ticket_length + ticket */
1849 if (ticklen + 6 != n) 1849 if (ticklen + 6 != n)
1850 { 1850 {
1851 al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR; 1851 al = SSL_AD_DECODE_ERROR;
1852 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH); 1852 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
1853 goto f_err; 1853 goto f_err;
1854 } 1854 }
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index 58386e1ba0..b14597076d 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -511,6 +511,9 @@ int ssl3_enc(SSL *s, int send)
511 511
512 /* we need to add 'i-1' padding bytes */ 512 /* we need to add 'i-1' padding bytes */
513 l+=i; 513 l+=i;
514 /* the last of these zero bytes will be overwritten
515 * with the padding length. */
516 memset(&rec->input[rec->length], 0, i);
514 rec->length+=i; 517 rec->length+=i;
515 rec->input[l-1]=(i-1); 518 rec->input[l-1]=(i-1);
516 } 519 }
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index 62c791cb72..1130244aeb 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -2177,6 +2177,7 @@ void ssl3_clear(SSL *s)
2177 { 2177 {
2178 unsigned char *rp,*wp; 2178 unsigned char *rp,*wp;
2179 size_t rlen, wlen; 2179 size_t rlen, wlen;
2180 int init_extra;
2180 2181
2181#ifdef TLSEXT_TYPE_opaque_prf_input 2182#ifdef TLSEXT_TYPE_opaque_prf_input
2182 if (s->s3->client_opaque_prf_input != NULL) 2183 if (s->s3->client_opaque_prf_input != NULL)
@@ -2215,6 +2216,7 @@ void ssl3_clear(SSL *s)
2215 wp = s->s3->wbuf.buf; 2216 wp = s->s3->wbuf.buf;
2216 rlen = s->s3->rbuf.len; 2217 rlen = s->s3->rbuf.len;
2217 wlen = s->s3->wbuf.len; 2218 wlen = s->s3->wbuf.len;
2219 init_extra = s->s3->init_extra;
2218 if (s->s3->handshake_buffer) { 2220 if (s->s3->handshake_buffer) {
2219 BIO_free(s->s3->handshake_buffer); 2221 BIO_free(s->s3->handshake_buffer);
2220 s->s3->handshake_buffer = NULL; 2222 s->s3->handshake_buffer = NULL;
@@ -2227,6 +2229,7 @@ void ssl3_clear(SSL *s)
2227 s->s3->wbuf.buf = wp; 2229 s->s3->wbuf.buf = wp;
2228 s->s3->rbuf.len = rlen; 2230 s->s3->rbuf.len = rlen;
2229 s->s3->wbuf.len = wlen; 2231 s->s3->wbuf.len = wlen;
2232 s->s3->init_extra = init_extra;
2230 2233
2231 ssl_free_wbio_buffer(s); 2234 ssl_free_wbio_buffer(s);
2232 2235
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index c3b5ff33ff..d734c359fb 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -258,6 +258,7 @@ int ssl3_accept(SSL *s)
258 } 258 }
259 259
260 s->init_num=0; 260 s->init_num=0;
261 s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
261 262
262 if (s->state != SSL_ST_RENEGOTIATE) 263 if (s->state != SSL_ST_RENEGOTIATE)
263 { 264 {
@@ -755,6 +756,14 @@ int ssl3_check_client_hello(SSL *s)
755 int ok; 756 int ok;
756 long n; 757 long n;
757 758
759 /* We only allow the client to restart the handshake once per
760 * negotiation. */
761 if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
762 {
763 SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
764 return -1;
765 }
766
758 /* this function is called when we really expect a Certificate message, 767 /* this function is called when we really expect a Certificate message,
759 * so permit appropriate message length */ 768 * so permit appropriate message length */
760 n=s->method->ssl_get_message(s, 769 n=s->method->ssl_get_message(s,
@@ -783,6 +792,7 @@ int ssl3_check_client_hello(SSL *s)
783 s->s3->tmp.ecdh = NULL; 792 s->s3->tmp.ecdh = NULL;
784 } 793 }
785#endif 794#endif
795 s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
786 return 2; 796 return 2;
787 } 797 }
788 return 1; 798 return 1;
@@ -2130,6 +2140,7 @@ int ssl3_get_client_key_exchange(SSL *s)
2130 if (i <= 0) 2140 if (i <= 0)
2131 { 2141 {
2132 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB); 2142 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
2143 BN_clear_free(pub);
2133 goto err; 2144 goto err;
2134 } 2145 }
2135 2146
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index e4c3f65010..8f922eea72 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1882,6 +1882,7 @@ void ERR_load_SSL_strings(void);
1882#define SSL_F_SSL3_CALLBACK_CTRL 233 1882#define SSL_F_SSL3_CALLBACK_CTRL 233
1883#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 1883#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
1884#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130 1884#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
1885#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304
1885#define SSL_F_SSL3_CLIENT_HELLO 131 1886#define SSL_F_SSL3_CLIENT_HELLO 131
1886#define SSL_F_SSL3_CONNECT 132 1887#define SSL_F_SSL3_CONNECT 132
1887#define SSL_F_SSL3_CTRL 213 1888#define SSL_F_SSL3_CTRL 213
@@ -2139,6 +2140,7 @@ void ERR_load_SSL_strings(void);
2139#define SSL_R_MISSING_TMP_RSA_KEY 172 2140#define SSL_R_MISSING_TMP_RSA_KEY 172
2140#define SSL_R_MISSING_TMP_RSA_PKEY 173 2141#define SSL_R_MISSING_TMP_RSA_PKEY 173
2141#define SSL_R_MISSING_VERIFY_MESSAGE 174 2142#define SSL_R_MISSING_VERIFY_MESSAGE 174
2143#define SSL_R_MULTIPLE_SGC_RESTARTS 346
2142#define SSL_R_NON_SSLV2_INITIAL_PACKET 175 2144#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
2143#define SSL_R_NO_CERTIFICATES_RETURNED 176 2145#define SSL_R_NO_CERTIFICATES_RETURNED 176
2144#define SSL_R_NO_CERTIFICATE_ASSIGNED 177 2146#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h
index baaa89e717..9c2c41287a 100644
--- a/src/lib/libssl/src/ssl/ssl3.h
+++ b/src/lib/libssl/src/ssl/ssl3.h
@@ -379,6 +379,17 @@ typedef struct ssl3_buffer_st
379#define SSL3_FLAGS_POP_BUFFER 0x0004 379#define SSL3_FLAGS_POP_BUFFER 0x0004
380#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 380#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
381#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 381#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
382
383/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
384 * restart a handshake because of MS SGC and so prevents us
385 * from restarting the handshake in a loop. It's reset on a
386 * renegotiation, so effectively limits the client to one restart
387 * per negotiation. This limits the possibility of a DDoS
388 * attack where the client handshakes in a loop using SGC to
389 * restart. Servers which permit renegotiation can still be
390 * effected, but we can't prevent that.
391 */
392#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
382 393
383typedef struct ssl3_state_st 394typedef struct ssl3_state_st
384 { 395 {
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index a8ce186b78..54ba7ef5b4 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -446,6 +446,7 @@ static void load_builtin_compressions(void)
446 sk_SSL_COMP_push(ssl_comp_methods,comp); 446 sk_SSL_COMP_push(ssl_comp_methods,comp);
447 } 447 }
448 } 448 }
449 sk_SSL_COMP_sort(ssl_comp_methods);
449 } 450 }
450 MemCheck_on(); 451 MemCheck_on();
451 } 452 }
diff --git a/src/lib/libssl/src/ssl/ssl_err.c b/src/lib/libssl/src/ssl/ssl_err.c
index 0eed464749..e9be77109f 100644
--- a/src/lib/libssl/src/ssl/ssl_err.c
+++ b/src/lib/libssl/src/ssl/ssl_err.c
@@ -1,6 +1,6 @@
1/* ssl/ssl_err.c */ 1/* ssl/ssl_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -137,6 +137,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
137{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"}, 137{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
138{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"}, 138{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
139{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"}, 139{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
140{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
140{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"}, 141{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
141{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"}, 142{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
142{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"}, 143{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
@@ -397,6 +398,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
397{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"}, 398{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
398{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"}, 399{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
399{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"}, 400{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
401{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
400{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"}, 402{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
401{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"}, 403{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
402{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"}, 404{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index a3c9309488..7755476de3 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1054,6 +1054,9 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
1054 s->max_cert_list=larg; 1054 s->max_cert_list=larg;
1055 return(l); 1055 return(l);
1056 case SSL_CTRL_SET_MTU: 1056 case SSL_CTRL_SET_MTU:
1057 if (larg < (long)dtls1_min_mtu())
1058 return 0;
1059
1057 if (SSL_version(s) == DTLS1_VERSION || 1060 if (SSL_version(s) == DTLS1_VERSION ||
1058 SSL_version(s) == DTLS1_BAD_VER) 1061 SSL_version(s) == DTLS1_BAD_VER)
1059 { 1062 {
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 4c78393f3f..cea622a2a6 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -950,6 +950,7 @@ void dtls1_stop_timer(SSL *s);
950int dtls1_is_timer_expired(SSL *s); 950int dtls1_is_timer_expired(SSL *s);
951void dtls1_double_timeout(SSL *s); 951void dtls1_double_timeout(SSL *s);
952int dtls1_send_newsession_ticket(SSL *s); 952int dtls1_send_newsession_ticket(SSL *s);
953unsigned int dtls1_min_mtu(void);
953 954
954/* some client-only functions */ 955/* some client-only functions */
955int ssl3_client_hello(SSL *s); 956int ssl3_client_hello(SSL *s);
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 85371c87b8..26cbae449e 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -971,6 +971,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
971 sdata = data; 971 sdata = data;
972 if (dsize > 0) 972 if (dsize > 0)
973 { 973 {
974 if (s->tlsext_ocsp_exts)
975 {
976 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
977 X509_EXTENSION_free);
978 }
979
974 s->tlsext_ocsp_exts = 980 s->tlsext_ocsp_exts =
975 d2i_X509_EXTENSIONS(NULL, 981 d2i_X509_EXTENSIONS(NULL,
976 &sdata, dsize); 982 &sdata, dsize);
diff --git a/src/lib/libssl/src/test/testssl b/src/lib/libssl/src/test/testssl
index f9d7c5d65f..b55364ae88 100644
--- a/src/lib/libssl/src/test/testssl
+++ b/src/lib/libssl/src/test/testssl
@@ -100,8 +100,8 @@ echo test sslv2/sslv3 via BIO pair
100$ssltest $extra || exit 1 100$ssltest $extra || exit 1
101 101
102if [ $dsa_cert = NO ]; then 102if [ $dsa_cert = NO ]; then
103 echo test sslv2/sslv3 w/o DHE via BIO pair 103 echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
104 $ssltest -bio_pair -no_dhe $extra || exit 1 104 $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
105fi 105fi
106 106
107echo test sslv2/sslv3 with 1024bit DHE via BIO pair 107echo test sslv2/sslv3 with 1024bit DHE via BIO pair
@@ -131,8 +131,8 @@ fi
131if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then 131if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
132 echo skipping RSA tests 132 echo skipping RSA tests
133else 133else
134 echo test tls1 with 1024bit RSA, no DHE, multiple handshakes 134 echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
135 ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1 135 ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
136 136
137 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then 137 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
138 echo skipping RSA+DHE tests 138 echo skipping RSA+DHE tests
diff --git a/src/lib/libssl/src/util/mkerr.pl b/src/lib/libssl/src/util/mkerr.pl
index 2c99467d34..aec401c773 100644
--- a/src/lib/libssl/src/util/mkerr.pl
+++ b/src/lib/libssl/src/util/mkerr.pl
@@ -769,7 +769,7 @@ EOF
769 undef %err_reason_strings; 769 undef %err_reason_strings;
770} 770}
771 771
772if($debug && defined(%notrans)) { 772if($debug && %notrans) {
773 print STDERR "The following function codes were not translated:\n"; 773 print STDERR "The following function codes were not translated:\n";
774 foreach(sort keys %notrans) 774 foreach(sort keys %notrans)
775 { 775 {
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index e4c3f65010..8f922eea72 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1882,6 +1882,7 @@ void ERR_load_SSL_strings(void);
1882#define SSL_F_SSL3_CALLBACK_CTRL 233 1882#define SSL_F_SSL3_CALLBACK_CTRL 233
1883#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 1883#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
1884#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130 1884#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
1885#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304
1885#define SSL_F_SSL3_CLIENT_HELLO 131 1886#define SSL_F_SSL3_CLIENT_HELLO 131
1886#define SSL_F_SSL3_CONNECT 132 1887#define SSL_F_SSL3_CONNECT 132
1887#define SSL_F_SSL3_CTRL 213 1888#define SSL_F_SSL3_CTRL 213
@@ -2139,6 +2140,7 @@ void ERR_load_SSL_strings(void);
2139#define SSL_R_MISSING_TMP_RSA_KEY 172 2140#define SSL_R_MISSING_TMP_RSA_KEY 172
2140#define SSL_R_MISSING_TMP_RSA_PKEY 173 2141#define SSL_R_MISSING_TMP_RSA_PKEY 173
2141#define SSL_R_MISSING_VERIFY_MESSAGE 174 2142#define SSL_R_MISSING_VERIFY_MESSAGE 174
2143#define SSL_R_MULTIPLE_SGC_RESTARTS 346
2142#define SSL_R_NON_SSLV2_INITIAL_PACKET 175 2144#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
2143#define SSL_R_NO_CERTIFICATES_RETURNED 176 2145#define SSL_R_NO_CERTIFICATES_RETURNED 176
2144#define SSL_R_NO_CERTIFICATE_ASSIGNED 177 2146#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index baaa89e717..9c2c41287a 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -379,6 +379,17 @@ typedef struct ssl3_buffer_st
379#define SSL3_FLAGS_POP_BUFFER 0x0004 379#define SSL3_FLAGS_POP_BUFFER 0x0004
380#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 380#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
381#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 381#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
382
383/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
384 * restart a handshake because of MS SGC and so prevents us
385 * from restarting the handshake in a loop. It's reset on a
386 * renegotiation, so effectively limits the client to one restart
387 * per negotiation. This limits the possibility of a DDoS
388 * attack where the client handshakes in a loop using SGC to
389 * restart. Servers which permit renegotiation can still be
390 * effected, but we can't prevent that.
391 */
392#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
382 393
383typedef struct ssl3_state_st 394typedef struct ssl3_state_st
384 { 395 {
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index a8ce186b78..54ba7ef5b4 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -446,6 +446,7 @@ static void load_builtin_compressions(void)
446 sk_SSL_COMP_push(ssl_comp_methods,comp); 446 sk_SSL_COMP_push(ssl_comp_methods,comp);
447 } 447 }
448 } 448 }
449 sk_SSL_COMP_sort(ssl_comp_methods);
449 } 450 }
450 MemCheck_on(); 451 MemCheck_on();
451 } 452 }
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index 0eed464749..e9be77109f 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,6 +1,6 @@
1/* ssl/ssl_err.c */ 1/* ssl/ssl_err.c */
2/* ==================================================================== 2/* ====================================================================
3 * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved. 3 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
4 * 4 *
5 * Redistribution and use in source and binary forms, with or without 5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions 6 * modification, are permitted provided that the following conditions
@@ -137,6 +137,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
137{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"}, 137{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
138{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"}, 138{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
139{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"}, 139{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
140{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
140{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"}, 141{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
141{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"}, 142{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
142{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"}, 143{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
@@ -397,6 +398,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
397{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"}, 398{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
398{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"}, 399{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
399{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"}, 400{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
401{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
400{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"}, 402{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
401{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"}, 403{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
402{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"}, 404{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index a3c9309488..7755476de3 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1054,6 +1054,9 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
1054 s->max_cert_list=larg; 1054 s->max_cert_list=larg;
1055 return(l); 1055 return(l);
1056 case SSL_CTRL_SET_MTU: 1056 case SSL_CTRL_SET_MTU:
1057 if (larg < (long)dtls1_min_mtu())
1058 return 0;
1059
1057 if (SSL_version(s) == DTLS1_VERSION || 1060 if (SSL_version(s) == DTLS1_VERSION ||
1058 SSL_version(s) == DTLS1_BAD_VER) 1061 SSL_version(s) == DTLS1_BAD_VER)
1059 { 1062 {
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 4c78393f3f..cea622a2a6 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -950,6 +950,7 @@ void dtls1_stop_timer(SSL *s);
950int dtls1_is_timer_expired(SSL *s); 950int dtls1_is_timer_expired(SSL *s);
951void dtls1_double_timeout(SSL *s); 951void dtls1_double_timeout(SSL *s);
952int dtls1_send_newsession_ticket(SSL *s); 952int dtls1_send_newsession_ticket(SSL *s);
953unsigned int dtls1_min_mtu(void);
953 954
954/* some client-only functions */ 955/* some client-only functions */
955int ssl3_client_hello(SSL *s); 956int ssl3_client_hello(SSL *s);
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 85371c87b8..26cbae449e 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -971,6 +971,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
971 sdata = data; 971 sdata = data;
972 if (dsize > 0) 972 if (dsize > 0)
973 { 973 {
974 if (s->tlsext_ocsp_exts)
975 {
976 sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
977 X509_EXTENSION_free);
978 }
979
974 s->tlsext_ocsp_exts = 980 s->tlsext_ocsp_exts =
975 d2i_X509_EXTENSIONS(NULL, 981 d2i_X509_EXTENSIONS(NULL,
976 &sdata, dsize); 982 &sdata, dsize);
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
index f9d7c5d65f..b55364ae88 100644
--- a/src/lib/libssl/test/testssl
+++ b/src/lib/libssl/test/testssl
@@ -100,8 +100,8 @@ echo test sslv2/sslv3 via BIO pair
100$ssltest $extra || exit 1 100$ssltest $extra || exit 1
101 101
102if [ $dsa_cert = NO ]; then 102if [ $dsa_cert = NO ]; then
103 echo test sslv2/sslv3 w/o DHE via BIO pair 103 echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
104 $ssltest -bio_pair -no_dhe $extra || exit 1 104 $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
105fi 105fi
106 106
107echo test sslv2/sslv3 with 1024bit DHE via BIO pair 107echo test sslv2/sslv3 with 1024bit DHE via BIO pair
@@ -131,8 +131,8 @@ fi
131if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then 131if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
132 echo skipping RSA tests 132 echo skipping RSA tests
133else 133else
134 echo test tls1 with 1024bit RSA, no DHE, multiple handshakes 134 echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
135 ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1 135 ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
136 136
137 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then 137 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
138 echo skipping RSA+DHE tests 138 echo skipping RSA+DHE tests
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-27 09:49:20 +0000