authordjm <>2012-01-05 22:59:13 +0000
committerdjm <>2012-01-05 22:59:13 +0000
commit731838c66b52c0ae5888333005b74115a620aa96 (patch)
tree112a26c17bdf32e5d76181791e536ba74549e6dc
parent113f799ec7d1728f0a5d7ab5b0e3b42e3de56407 (diff)
OpenSSL 1.0.0f: import upstream source
-rw-r--r--src/lib/libcrypto/bio/bf_buff.c15
-rw-r--r--src/lib/libcrypto/bio/bio.h9
-rw-r--r--src/lib/libcrypto/bn/asm/ppc.pl2
-rwxr-xr-xsrc/lib/libcrypto/bn/asm/x86-mont.pl4
-rw-r--r--src/lib/libcrypto/bn/bn_blind.c37
-rw-r--r--src/lib/libcrypto/ec/ec2_smpl.c2
-rw-r--r--src/lib/libcrypto/opensslv.h6
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c80
-rw-r--r--src/lib/libcrypto/util/mkerr.pl2
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c2
-rw-r--r--src/lib/libssl/d1_both.c23
-rw-r--r--src/lib/libssl/d1_lib.c9
-rw-r--r--src/lib/libssl/d1_pkt.c26
-rw-r--r--src/lib/libssl/d1_srvr.c2
-rw-r--r--src/lib/libssl/doc/openssl.cnf2
-rw-r--r--src/lib/libssl/s3_clnt.c6
-rw-r--r--src/lib/libssl/s3_lib.c3
-rw-r--r--src/lib/libssl/s3_srvr.c11
-rw-r--r--src/lib/libssl/ssl.h2
-rw-r--r--src/lib/libssl/ssl3.h11
-rw-r--r--src/lib/libssl/ssl_ciph.c1
-rw-r--r--src/lib/libssl/ssl_err.c4
-rw-r--r--src/lib/libssl/ssl_lib.c3
-rw-r--r--src/lib/libssl/ssl_locl.h1
-rw-r--r--src/lib/libssl/t1_lib.c6
-rw-r--r--src/lib/libssl/test/testssl8
26 files changed, 191 insertions, 86 deletions
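--- a/src/lib/libcrypto/bio/bf_buff.c
+++ b/src/lib/libcrypto/bio/bf_buff.c
@@ -209,7 +209,7 @@ start:
  /* add to buffer and return */
  if (i >= inl)
  {
- memcpy(&(ctx->obuf[ctx->obuf_len]),in,inl);
+ memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,inl);
  ctx->obuf_len+=inl;
  return(num+inl);
  }
@@ -219,7 +219,7 @@ start:
  {
  if (i > 0) /* lets fill it up if we can */
  {
- memcpy(&(ctx->obuf[ctx->obuf_len]),in,i);
+ memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,i);
  in+=i;
  inl-=i;
  num+=i;
@@ -294,9 +294,9 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
  case BIO_C_GET_BUFF_NUM_LINES:
  ret=0;
  p1=ctx->ibuf;
- for (i=ctx->ibuf_off; i<ctx->ibuf_len; i++)
+ for (i=0; i<ctx->ibuf_len; i++)
  {
- if (p1[i] == '\n') ret++;
+ if (p1[ctx->ibuf_off + i] == '\n') ret++;
  }
  break;
  case BIO_CTRL_WPENDING:
@@ -399,17 +399,18 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
  for (;;)
  {
  BIO_clear_retry_flags(b);
- if (ctx->obuf_len > ctx->obuf_off)
+ if (ctx->obuf_len > 0)
  {
  r=BIO_write(b->next_bio,
  &(ctx->obuf[ctx->obuf_off]),
- ctx->obuf_len-ctx->obuf_off);
+ ctx->obuf_len);
 #if 0
-fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len-ctx->obuf_off,r);
+fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len,r);
 #endif
  BIO_copy_next_retry(b);
  if (r <= 0) return((long)r);
  ctx->obuf_off+=r;
+ ctx->obuf_len-=r;
  }
  else
  {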
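Review bot: The free-space figure `i` that gates the two memcpy calls at new 212 and 222 is computed above the hunk; now that obuf_len counts only the unflushed bytes after obuf_off, that computation must be `obuf_size - (obuf_off + obuf_len)`, otherwise the copy into `&(ctx->obuf[ctx->obuf_off+ctx->obuf_len])` can run past the end of obuf whenever obuf_off is non-zero. The flush loop at 402-413 is consistent with the new layout, but nothing visible resets obuf_off to 0 once obuf_len reaches 0; presumably the `else` branch after the hunk does, and a comment on the new `ctx->obuf_len-=r;` line such as `/* obuf_off is rewound to 0 once the buffer drains */` would make that invariant explicit. buffer_write's body starts and ends outside the first two hunks, so I could not confirm the free-space computation from this page.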
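--- a/src/lib/libcrypto/bio/bio.h
+++ b/src/lib/libcrypto/bio/bio.h
@@ -306,6 +306,15 @@ DECLARE_STACK_OF(BIO)
 
 typedef struct bio_f_buffer_ctx_struct
  {
+ /* Buffers are setup like this:
+ *
+ * <---------------------- size ----------------------->
+ * +---------------------------------------------------+
+ * | consumed | remaining | free space |
+ * +---------------------------------------------------+
+ * <-- off --><------- len ------->
+ */
+
  /* BIO *bio; */ /* this is now in the BIO struct */
  int ibuf_size; /* how big is the input buffer */
  int obuf_size; /* how big is the output buffer */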
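--- a/src/lib/libcrypto/bn/asm/ppc.pl
+++ b/src/lib/libcrypto/bn/asm/ppc.pl
@@ -949,7 +949,7 @@ $data=<<EOF;
  addze r11,r0
  #mul_add_c(a[3],b[2],c3,c1,c2);
  $LD r6,`3*$BNSZ`(r4)
- $LD r7,`2*$BNSZ`(r4)
+ $LD r7,`2*$BNSZ`(r5)
  $UMULL r8,r6,r7
  $UMULH r9,r6,r7
  addc r12,r8,r12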
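--- a/src/lib/libcrypto/bn/asm/x86-mont.pl
+++ b/src/lib/libcrypto/bn/asm/x86-mont.pl
@@ -527,8 +527,10 @@ $sbit=$num;
  &jle (&label("sqradd"));
 
  &mov ($carry,"edx");
- &lea ("edx",&DWP(0,$sbit,"edx",2));
+ &add ("edx","edx");
  &shr ($carry,31);
+ &add ("edx",$sbit);
+ &adc ($carry,0);
 &set_label("sqrlast");
  &mov ($word,$_n0);
  &mov ($inp,$_np);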
diff --git a/src/lib/libcrypto/bn/bn_blind.c b/src/lib/libcrypto/bn/bn_blind.c
index e060592fdc..9ed8bc2b40 100644
--- a/src/lib/libcrypto/bn/bn_blind.c
+++ b/src/lib/libcrypto/bn/bn_blind.c
@@ -126,7 +126,7 @@ struct bn_blinding_st
126 * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */ 126 * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
127#endif 127#endif
128 CRYPTO_THREADID tid; 128 CRYPTO_THREADID tid;
129 unsigned int counter; 129 int counter;
130 unsigned long flags; 130 unsigned long flags;
131 BN_MONT_CTX *m_ctx; 131 BN_MONT_CTX *m_ctx;
132 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, 132 int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -160,7 +160,10 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
160 if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0) 160 if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
161 BN_set_flags(ret->mod, BN_FLG_CONSTTIME); 161 BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
162 162
163 ret->counter = BN_BLINDING_COUNTER; 163 /* Set the counter to the special value -1
164 * to indicate that this is never-used fresh blinding
165 * that does not need updating before first use. */
166 ret->counter = -1;
164 CRYPTO_THREADID_current(&ret->tid); 167 CRYPTO_THREADID_current(&ret->tid);
165 return(ret); 168 return(ret);
166err: 169err:
@@ -190,7 +193,10 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
190 goto err; 193 goto err;
191 } 194 }
192 195
193 if (--(b->counter) == 0 && b->e != NULL && 196 if (b->counter == -1)
197 b->counter = 0;
198
199 if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL &&
194 !(b->flags & BN_BLINDING_NO_RECREATE)) 200 !(b->flags & BN_BLINDING_NO_RECREATE))
195 { 201 {
196 /* re-create blinding parameters */ 202 /* re-create blinding parameters */
@@ -205,8 +211,8 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
205 211
206 ret=1; 212 ret=1;
207err: 213err:
208 if (b->counter == 0) 214 if (b->counter == BN_BLINDING_COUNTER)
209 b->counter = BN_BLINDING_COUNTER; 215 b->counter = 0;
210 return(ret); 216 return(ret);
211 } 217 }
212 218
@@ -227,6 +233,12 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
227 return(0); 233 return(0);
228 } 234 }
229 235
236 if (b->counter == -1)
237 /* Fresh blinding, doesn't need updating. */
238 b->counter = 0;
239 else if (!BN_BLINDING_update(b,ctx))
240 return(0);
241
230 if (r != NULL) 242 if (r != NULL)
231 { 243 {
232 if (!BN_copy(r, b->Ai)) ret=0; 244 if (!BN_copy(r, b->Ai)) ret=0;
@@ -247,22 +259,19 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ct
247 int ret; 259 int ret;
248 260
249 bn_check_top(n); 261 bn_check_top(n);
250 if ((b->A == NULL) || (b->Ai == NULL))
251 {
252 BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
253 return(0);
254 }
255 262
256 if (r != NULL) 263 if (r != NULL)
257 ret = BN_mod_mul(n, n, r, b->mod, ctx); 264 ret = BN_mod_mul(n, n, r, b->mod, ctx);
258 else 265 else
259 ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
260
261 if (ret >= 0)
262 { 266 {
263 if (!BN_BLINDING_update(b,ctx)) 267 if (b->Ai == NULL)
268 {
269 BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
264 return(0); 270 return(0);
271 }
272 ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
265 } 273 }
274
266 bn_check_top(n); 275 bn_check_top(n);
267 return(ret); 276 return(ret);
268 } 277 }
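Review bot: The `int counter` field at 129 acquires a special meaning (-1 means freshly created and never used) that three functions now test against a bare literal, yet the declaration carries no comment; add `int counter; /* -1: fresh, never used; otherwise uses since the last re-blinding */` and consider a named constant for the sentinel so the three sites cannot drift apart. The normalisation in BN_BLINDING_update at 196-197 duplicates the one in BN_BLINDING_convert_ex at 236-238; since convert_ex already turns -1 into 0 before calling update, the copy in update only matters for direct external callers, and a one-line comment saying so would stop a future "dead code" cleanup from removing it. BN_BLINDING_invert_ex now validates `b->Ai` only on the `r == NULL` path (267-271) and no longer checks `b->A` at all; that is consistent with what invert reads, but the changed precondition (a caller-supplied `r` bypasses the NOT_INITIALIZED check) belongs in the function's header comment, which sits outside the hunk.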
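--- a/src/lib/libcrypto/ec/ec2_smpl.c
+++ b/src/lib/libcrypto/ec/ec2_smpl.c
@@ -887,7 +887,7 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_
  field_sqr = group->meth->field_sqr;
 
  /* only support affine coordinates */
- if (!point->Z_is_one) goto err;
+ if (!point->Z_is_one) return -1;
 
  if (ctx == NULL)
  {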
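--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  * major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER 0x1000005fL
+#define OPENSSL_VERSION_NUMBER 0x1000006fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0e-fips 6 Sep 2011"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f-fips 4 Jan 2012"
 #else
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0e 6 Sep 2011"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f 4 Jan 2012"
 #endif
 #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
 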
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 7c941885f0..2e1ddd48d3 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -314,51 +314,56 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
314 return ret; 314 return ret;
315} 315}
316 316
317static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f, 317static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
318 BIGNUM *r, BN_CTX *ctx) 318 BN_CTX *ctx)
319{ 319 {
320 if (local) 320 if (unblind == NULL)
321 /* Local blinding: store the unblinding factor
322 * in BN_BLINDING. */
321 return BN_BLINDING_convert_ex(f, NULL, b, ctx); 323 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
322 else 324 else
323 { 325 {
324 int ret; 326 /* Shared blinding: store the unblinding factor
325 CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING); 327 * outside BN_BLINDING. */
326 ret = BN_BLINDING_convert_ex(f, r, b, ctx);
327 CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
328 return ret;
329 }
330}
331
332static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
333 BIGNUM *r, BN_CTX *ctx)
334{
335 if (local)
336 return BN_BLINDING_invert_ex(f, NULL, b, ctx);
337 else
338 {
339 int ret; 328 int ret;
340 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING); 329 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
341 ret = BN_BLINDING_invert_ex(f, r, b, ctx); 330 ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
342 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING); 331 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
343 return ret; 332 return ret;
344 } 333 }
345} 334 }
335
336static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
337 BN_CTX *ctx)
338 {
339 /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
340 * will use the unblinding factor stored in BN_BLINDING.
341 * If BN_BLINDING is shared between threads, unblind must be non-null:
342 * BN_BLINDING_invert_ex will then use the local unblinding factor,
343 * and will only read the modulus from BN_BLINDING.
344 * In both cases it's safe to access the blinding without a lock.
345 */
346 return BN_BLINDING_invert_ex(f, unblind, b, ctx);
347 }
346 348
347/* signing */ 349/* signing */
348static int RSA_eay_private_encrypt(int flen, const unsigned char *from, 350static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
349 unsigned char *to, RSA *rsa, int padding) 351 unsigned char *to, RSA *rsa, int padding)
350 { 352 {
351 BIGNUM *f, *ret, *br, *res; 353 BIGNUM *f, *ret, *res;
352 int i,j,k,num=0,r= -1; 354 int i,j,k,num=0,r= -1;
353 unsigned char *buf=NULL; 355 unsigned char *buf=NULL;
354 BN_CTX *ctx=NULL; 356 BN_CTX *ctx=NULL;
355 int local_blinding = 0; 357 int local_blinding = 0;
358 /* Used only if the blinding structure is shared. A non-NULL unblind
359 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
360 * the unblinding factor outside the blinding structure. */
361 BIGNUM *unblind = NULL;
356 BN_BLINDING *blinding = NULL; 362 BN_BLINDING *blinding = NULL;
357 363
358 if ((ctx=BN_CTX_new()) == NULL) goto err; 364 if ((ctx=BN_CTX_new()) == NULL) goto err;
359 BN_CTX_start(ctx); 365 BN_CTX_start(ctx);
360 f = BN_CTX_get(ctx); 366 f = BN_CTX_get(ctx);
361 br = BN_CTX_get(ctx);
362 ret = BN_CTX_get(ctx); 367 ret = BN_CTX_get(ctx);
363 num = BN_num_bytes(rsa->n); 368 num = BN_num_bytes(rsa->n);
364 buf = OPENSSL_malloc(num); 369 buf = OPENSSL_malloc(num);
@@ -406,8 +411,15 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
406 } 411 }
407 412
408 if (blinding != NULL) 413 if (blinding != NULL)
409 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 414 {
415 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
416 {
417 RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
418 goto err;
419 }
420 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
410 goto err; 421 goto err;
422 }
411 423
412 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 424 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
413 ((rsa->p != NULL) && 425 ((rsa->p != NULL) &&
@@ -441,7 +453,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
441 } 453 }
442 454
443 if (blinding) 455 if (blinding)
444 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 456 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
445 goto err; 457 goto err;
446 458
447 if (padding == RSA_X931_PADDING) 459 if (padding == RSA_X931_PADDING)
@@ -480,18 +492,21 @@ err:
480static int RSA_eay_private_decrypt(int flen, const unsigned char *from, 492static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
481 unsigned char *to, RSA *rsa, int padding) 493 unsigned char *to, RSA *rsa, int padding)
482 { 494 {
483 BIGNUM *f, *ret, *br; 495 BIGNUM *f, *ret;
484 int j,num=0,r= -1; 496 int j,num=0,r= -1;
485 unsigned char *p; 497 unsigned char *p;
486 unsigned char *buf=NULL; 498 unsigned char *buf=NULL;
487 BN_CTX *ctx=NULL; 499 BN_CTX *ctx=NULL;
488 int local_blinding = 0; 500 int local_blinding = 0;
501 /* Used only if the blinding structure is shared. A non-NULL unblind
502 * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
503 * the unblinding factor outside the blinding structure. */
504 BIGNUM *unblind = NULL;
489 BN_BLINDING *blinding = NULL; 505 BN_BLINDING *blinding = NULL;
490 506
491 if((ctx = BN_CTX_new()) == NULL) goto err; 507 if((ctx = BN_CTX_new()) == NULL) goto err;
492 BN_CTX_start(ctx); 508 BN_CTX_start(ctx);
493 f = BN_CTX_get(ctx); 509 f = BN_CTX_get(ctx);
494 br = BN_CTX_get(ctx);
495 ret = BN_CTX_get(ctx); 510 ret = BN_CTX_get(ctx);
496 num = BN_num_bytes(rsa->n); 511 num = BN_num_bytes(rsa->n);
497 buf = OPENSSL_malloc(num); 512 buf = OPENSSL_malloc(num);
@@ -529,8 +544,15 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
529 } 544 }
530 545
531 if (blinding != NULL) 546 if (blinding != NULL)
532 if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx)) 547 {
548 if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
549 {
550 RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
533 goto err; 551 goto err;
552 }
553 if (!rsa_blinding_convert(blinding, f, unblind, ctx))
554 goto err;
555 }
534 556
535 /* do the decrypt */ 557 /* do the decrypt */
536 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || 558 if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -564,7 +586,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
564 } 586 }
565 587
566 if (blinding) 588 if (blinding)
567 if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx)) 589 if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
568 goto err; 590 goto err;
569 591
570 p=buf; 592 p=buf;
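Review bot: The nine-line block that obtains `unblind` and calls rsa_blinding_convert() is duplicated verbatim in RSA_eay_private_encrypt (414-422) and RSA_eay_private_decrypt (547-555), differing only in the RSAerr function code; a small helper taking `local_blinding` and a `BIGNUM **` for the factor would keep the two callers from drifting, and I would note that as a follow-up rather than block on it. The new `BN_CTX_get()` for `unblind` is NULL-checked, but the neighbouring gets for `f` and `ret` at 366-367 and 509-510 still are not, so the same `ctx` is treated to two different standards; a matching `if (f == NULL || ret == NULL) goto err;` after them would be consistent (what the later BN calls do with a NULL operand is outside this hunk, so I have not verified today's failure mode). The comment at 339-345 correctly explains why invert needs no lock, but that is only true because BN_BLINDING_invert_ex stops calling BN_BLINDING_update in this same commit's bn_blind.c change; naming that dependency in the comment would keep the two files from being decoupled later.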
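--- a/src/lib/libcrypto/util/mkerr.pl
+++ b/src/lib/libcrypto/util/mkerr.pl
@@ -769,7 +769,7 @@ EOF
  undef %err_reason_strings;
 }
 
-if($debug && defined(%notrans)) {
+if($debug && %notrans) {
  print STDERR "The following function codes were not translated:\n";
  foreach(sort keys %notrans)
  {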
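--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1732,7 +1732,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
  atm.length=sizeof(buff2);
  atm.data=(unsigned char *)buff2;
 
- if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
+ if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
  return 0;
 
  if (ctm->type == V_ASN1_UTCTIME)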
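Review bot: The sign flip at 1735 changes which way `cmp_time` is shifted relative to the parsed zone offset, but the line still carries no comment stating the convention `offset` follows, so the next reader cannot tell which of the two signs is correct without re-deriving it from the parsing code above the hunk. Suggest `/* offset is the zone's minutes east of UTC; move cmp_time into that zone before the string compare */` (or the opposite wording if the parser stores it the other way round, which I cannot confirm from this hunk). Since validity-period checks silently pass or fail on this sign, a test with a non-zero-offset ASN1_TIME in each direction would catch a regression that a UTC-only test suite never exercises. X509_cmp_time starts and ends outside the hunk.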
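--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -158,7 +158,6 @@ static unsigned char bitmask_end_values[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1
 /* XDTLS: figure out the right values */
 static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
 
-static unsigned int dtls1_min_mtu(void);
 static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);
 static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
  unsigned long frag_len);
@@ -264,11 +263,10 @@ int dtls1_do_write(SSL *s, int type)
  return ret;
  mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
  }
-
- OPENSSL_assert(mtu > 0); /* should have something reasonable now */
-
 #endif
 
+ OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); /* should have something reasonable now */
+
  if ( s->init_off == 0 && type == SSL3_RT_HANDSHAKE)
  OPENSSL_assert(s->init_num ==
  (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
@@ -795,7 +793,13 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
  *ok = 0;
  return i;
  }
- OPENSSL_assert(i == DTLS1_HM_HEADER_LENGTH);
+ /* Handshake fails if message header is incomplete */
+ if (i != DTLS1_HM_HEADER_LENGTH)
+ {
+ al=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
+ goto f_err;
+ }
 
  /* parse the message fragment header */
  dtls1_get_message_header(wire, &msg_hdr);
@@ -867,7 +871,12 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 
  /* XDTLS: an incorrectly formatted fragment should cause the
  * handshake to fail */
- OPENSSL_assert(i == (int)frag_len);
+ if (i != (int)frag_len)
+ {
+ al=SSL3_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER);
+ goto f_err;
+ }
 
  *ok = 1;
 
@@ -1367,7 +1376,7 @@ dtls1_write_message_header(SSL *s, unsigned char *p)
  return p;
  }
 
-static unsigned int
+unsigned int
 dtls1_min_mtu(void)
  {
  return (g_probable_mtu[(sizeof(g_probable_mtu) /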
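Review bot: The new error path at 874-879 passes an alert description where a reason code belongs: `SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER);` records `SSL3_AD_ILLEGAL_PARAMETER` as the SSL_R_* reason, so the error queue will print the wrong (or no) reason string, whereas the sibling check at 796-802 correctly pairs `SSL_AD_UNEXPECTED_MESSAGE` for `al` with `SSL_R_UNEXPECTED_MESSAGE` for SSLerr. Keep the alert assignment and change the report to a reason code, e.g. `SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_LENGTH_MISMATCH);`. Replacing the two OPENSSL_assert() calls with alerts is the right direction, since a malformed fragment from the peer should never be able to abort the process; `al` and the `f_err` label live outside the hunk, so I have assumed they follow the usual send-alert-then-fail pattern. The removed prototype at old 161 and the dropped `static` at 1379 presumably go with a new declaration in ssl_locl.h (listed in the diffstat), which is not shown here.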
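--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -204,7 +204,8 @@ void dtls1_clear(SSL *s)
  pqueue buffered_messages;
  pqueue sent_messages;
  pqueue buffered_app_data;
-
+ unsigned int mtu;
+
  if (s->d1)
  {
  unprocessed_rcds = s->d1->unprocessed_rcds.q;
@@ -212,6 +213,7 @@ void dtls1_clear(SSL *s)
  buffered_messages = s->d1->buffered_messages;
  sent_messages = s->d1->sent_messages;
  buffered_app_data = s->d1->buffered_app_data.q;
+ mtu = s->d1->mtu;
 
  dtls1_clear_queues(s);
 
@@ -222,6 +224,11 @@ void dtls1_clear(SSL *s)
  s->d1->cookie_len = sizeof(s->d1->cookie);
  }
 
+ if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)
+ {
+ s->d1->mtu = mtu;
+ }
+
  s->d1->unprocessed_rcds.q = unprocessed_rcds;
  s->d1->processed_rcds.q = processed_rcds;
  s->d1->buffered_messages = buffered_messages;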
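Review bot: `unsigned int mtu;` at 207 is declared without an initializer and is only assigned inside the `if (s->d1)` block at 216, while the restore at 229 is in a different hunk; whether that restore is nested inside the same `if` cannot be confirmed here because the block's closing brace is outside the hunks. Initializing the local, `unsigned int mtu = 0;`, removes the question for the reader, silences the likely maybe-uninitialized warning, and matches how the other saved fields in this function are handled. Restoring the value only under SSL_OP_NO_QUERY_MTU is correct, since an application-pinned MTU should survive a clear while a probed one should be re-discovered.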
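--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -375,6 +375,7 @@ dtls1_process_record(SSL *s)
  SSL3_RECORD *rr;
  unsigned int mac_size;
  unsigned char md[EVP_MAX_MD_SIZE];
+ int decryption_failed_or_bad_record_mac = 0;
 
 
  rr= &(s->s3->rrec);
@@ -409,13 +410,10 @@ dtls1_process_record(SSL *s)
  enc_err = s->method->ssl3_enc->enc(s,0);
  if (enc_err <= 0)
  {
- /* decryption failed, silently discard message */
- if (enc_err < 0)
- {
- rr->length = 0;
- s->packet_length = 0;
- }
- goto err;
+ /* To minimize information leaked via timing, we will always
+ * perform all computations before discarding the message.
+ */
+ decryption_failed_or_bad_record_mac = 1;
  }
 
 #ifdef TLS_DEBUG
@@ -445,7 +443,7 @@ printf("\n");
  SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
  goto f_err;
 #else
- goto err;
+ decryption_failed_or_bad_record_mac = 1;
 #endif
  }
  /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
@@ -456,17 +454,25 @@ printf("\n");
  SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
  goto f_err;
 #else
- goto err;
+ decryption_failed_or_bad_record_mac = 1;
 #endif
  }
  rr->length-=mac_size;
  i=s->method->ssl3_enc->mac(s,md,0);
  if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
  {
- goto err;
+ decryption_failed_or_bad_record_mac = 1;
  }
  }
 
+ if (decryption_failed_or_bad_record_mac)
+ {
+ /* decryption failed, silently discard message */
+ rr->length = 0;
+ s->packet_length = 0;
+ goto err;
+ }
+
  /* r->length is now just compressed */
  if (s->expand != NULL)
  {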
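Review bot: In the fourth hunk the too-short-record branch at 456-459 now only sets `decryption_failed_or_bad_record_mac` and falls through, so `rr->length-=mac_size;` at 460 still executes when the record is shorter than the MAC (the `rr->length < mac_size` condition sits just above the hunk, as the LENGTH_TOO_SHORT error indicates); `rr->length` and `mac_size` (376) are unsigned, the subtraction wraps, and `memcmp(md,&(rr->data[rr->length]),mac_size)` at 462 then reads far outside the record buffer. That is a remotely triggerable out-of-bounds read on a peer-controlled length, which turns the timing-leak fix into a crash/DoS; the MAC strip and compare must stay under the length check's `else`, as below, while the flag still forces the silent discard at 468-474. A record that is too short to hold a MAC is already distinguishable by its length, so skipping the MAC computation for that case does not reopen the timing channel the comment at 413-415 is about. The enclosing function continues outside the hunk (the `err`/`f_err` labels and the `#if` that pairs with the `#else` at 456 are not shown).
```c
	if (rr->length < mac_size)
		{
		/* … unchanged: debug-build SSLerr/goto f_err path … */
		decryption_failed_or_bad_record_mac = 1;
		}
	else
		{
		rr->length-=mac_size;
		i=s->method->ssl3_enc->mac(s,md,0);
		if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
			decryption_failed_or_bad_record_mac = 1;
		}
```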
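--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -1271,7 +1271,7 @@ int dtls1_send_server_key_exchange(SSL *s)
  EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
  EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
  EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
- EVP_SignUpdate(&md_ctx,&(d[4]),n);
+ EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
  if (!EVP_SignFinal(&md_ctx,&(p[2]),
  (unsigned int *)&i,pkey))
  {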
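--- a/src/lib/libssl/doc/openssl.cnf
+++ b/src/lib/libssl/doc/openssl.cnf
@@ -145,7 +145,7 @@ localityName = Locality Name (eg, city)
 organizationalUnitName = Organizational Unit Name (eg, section)
 #organizationalUnitName_default =
 
-commonName = Common Name (eg, YOUR name)
+commonName = Common Name (e.g. server FQDN or YOUR name)
 commonName_max = 64
 
 emailAddress = Email Address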
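--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -953,7 +953,7 @@ int ssl3_get_server_hello(SSL *s)
  /* wrong packet length */
  al=SSL_AD_DECODE_ERROR;
  SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
- goto err;
+ goto f_err;
  }
 
  return(1);
@@ -1837,7 +1837,7 @@ int ssl3_get_new_session_ticket(SSL *s)
  if (n < 6)
  {
  /* need at least ticket_lifetime_hint + ticket length */
- al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
+ al = SSL_AD_DECODE_ERROR;
  SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
  goto f_err;
  }
@@ -1848,7 +1848,7 @@ int ssl3_get_new_session_ticket(SSL *s)
  /* ticket_lifetime_hint + ticket_length + ticket */
  if (ticklen + 6 != n)
  {
- al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
+ al = SSL_AD_DECODE_ERROR;
  SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
  goto f_err;
  }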
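--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -2177,6 +2177,7 @@ void ssl3_clear(SSL *s)
  {
  unsigned char *rp,*wp;
  size_t rlen, wlen;
+ int init_extra;
 
 #ifdef TLSEXT_TYPE_opaque_prf_input
  if (s->s3->client_opaque_prf_input != NULL)
@@ -2215,6 +2216,7 @@ void ssl3_clear(SSL *s)
  wp = s->s3->wbuf.buf;
  rlen = s->s3->rbuf.len;
  wlen = s->s3->wbuf.len;
+ init_extra = s->s3->init_extra;
  if (s->s3->handshake_buffer) {
  BIO_free(s->s3->handshake_buffer);
  s->s3->handshake_buffer = NULL;
@@ -2227,6 +2229,7 @@ void ssl3_clear(SSL *s)
  s->s3->wbuf.buf = wp;
  s->s3->rbuf.len = rlen;
  s->s3->wbuf.len = wlen;
+ s->s3->init_extra = init_extra;
 
  ssl_free_wbio_buffer(s);
 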
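diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index c3b5ff33ff..d734c359fb 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -258,6 +258,7 @@ int ssl3_accept(SSL *s)
 }
 
 s->init_num=0;
+s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
 
 if (s->state != SSL_ST_RENEGOTIATE)
 {
@@ -755,6 +756,14 @@ int ssl3_check_client_hello(SSL *s)
 int ok;
 long n;
 
+/* We only allow the client to restart the handshake once per
+ * negotiation. */
+if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+{
+SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+return -1;
+}
+
 /* this function is called when we really expect a Certificate message,
 * so permit appropriate message length */
 n=s->method->ssl_get_message(s,
@@ -783,6 +792,7 @@ int ssl3_check_client_hello(SSL *s)
 s->s3->tmp.ecdh = NULL;
 }
 #endif
+s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
 return 2;
 }
 return 1;
@@ -2130,6 +2140,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 if (i <= 0)
 {
 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+BN_clear_free(pub);
 goto err;
 }
 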
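Review bot: The new SGC-restart guard in ssl3_check_client_hello queues an error and returns -1 without sending any alert, so a client that trips it sees a bare connection close rather than a fatal handshake_failure; the function's other failure exits presumably alert through ssl_get_message, so consider adding `ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);` before the `return -1;` unless ssl3_accept already emits one for a negative return (its body is outside this hunk). Clearing the flag at the top of ssl3_accept and setting it only on the `return 2` restart path together cap a client at one SGC restart per accept call, which is what the ssl3.h comment promises. Both enclosing functions start and end outside the hunk, so I cannot confirm from here whether the remaining exits of ssl3_check_client_hello need the same treatment.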
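diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index e4c3f65010..8f922eea72 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1882,6 +1882,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL3_CALLBACK_CTRL 233
 #define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
 #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
+#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304
 #define SSL_F_SSL3_CLIENT_HELLO 131
 #define SSL_F_SSL3_CONNECT 132
 #define SSL_F_SSL3_CTRL 213
@@ -2139,6 +2140,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_MISSING_TMP_RSA_KEY 172
 #define SSL_R_MISSING_TMP_RSA_PKEY 173
 #define SSL_R_MISSING_VERIFY_MESSAGE 174
+#define SSL_R_MULTIPLE_SGC_RESTARTS 346
 #define SSL_R_NON_SSLV2_INITIAL_PACKET 175
 #define SSL_R_NO_CERTIFICATES_RETURNED 176
 #define SSL_R_NO_CERTIFICATE_ASSIGNED 177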
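diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index baaa89e717..9c2c41287a 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -379,6 +379,17 @@ typedef struct ssl3_buffer_st
 #define SSL3_FLAGS_POP_BUFFER 0x0004
 #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
+
+/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+ * restart a handshake because of MS SGC and so prevents us
+ * from restarting the handshake in a loop. It's reset on a
+ * renegotiation, so effectively limits the client to one restart
+ * per negotiation. This limits the possibility of a DDoS
+ * attack where the client handshakes in a loop using SGC to
+ * restart. Servers which permit renegotiation can still be
+ * effected, but we can't prevent that.
+ */
+#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
 
 typedef struct ssl3_state_st
 {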
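Review bot: The new comment on SSL3_FLAGS_SGC_RESTART_DONE has a typo in its last sentence, `effected` where `affected` is meant, and `DDoS` overstates the scenario it describes, which is one client looping on SGC restarts, i.e. a plain DoS. I would end the comment with `... This limits the possibility of a DoS attack where a client handshakes in a loop using SGC to restart. Servers which permit renegotiation can still be affected, but we can't prevent that.` The value 0x0040 skips 0x0020; if that bit is reserved elsewhere, a one-line note saying so would spare the next person who adds a flag a search.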
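diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index a8ce186b78..54ba7ef5b4 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -446,6 +446,7 @@ static void load_builtin_compressions(void)
 sk_SSL_COMP_push(ssl_comp_methods,comp);
 }
 }
+sk_SSL_COMP_sort(ssl_comp_methods);
 }
 MemCheck_on();
 }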
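Review bot: The added `sk_SSL_COMP_sort(ssl_comp_methods);` carries no comment saying why the table has to be sorted here rather than left to the first lookup; the reason, as far as I can tell, is that sorting once inside the guarded load path avoids a lazy sort of the shared table on a later lookup. I would put `/* sort once at load time so that later lookups never have to sort the shared table */` above the call. load_builtin_compressions starts outside the hunk, so whether ssl_comp_methods can still be NULL at this point is not visible here.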
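diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index 0eed464749..e9be77109f 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -137,6 +137,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
 {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
 {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
+{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
 {ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
@@ -397,6 +398,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
 {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
 {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
+{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
 {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
 {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
 {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},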
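diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 46732791fd..8e89911f48 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1054,6 +1054,9 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
 s->max_cert_list=larg;
 return(l);
 case SSL_CTRL_SET_MTU:
+if (larg < (long)dtls1_min_mtu())
+return 0;
+
 if (SSL_version(s) == DTLS1_VERSION ||
 SSL_version(s) == DTLS1_BAD_VER)
 {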
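Review bot: An MTU below the DTLS minimum is now refused with a bare `return 0;` and no SSLerr, so a caller of SSL_set_mtu() that ignores the return silently keeps whatever MTU was set before and gets no diagnostic. If that is the intended contract, a comment on the new check such as `/* refuse MTUs below the DTLS minimum; callers must check the return value */` makes it explicit; otherwise queue an error before returning. Casting dtls1_min_mtu() to long keeps the comparison signed, so a negative larg is rejected too, which is right. The SSL_ctrl switch continues outside the hunk, so I cannot see whether the SSL_CTX-level ctrl has a matching check.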
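diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 4c78393f3f..cea622a2a6 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -950,6 +950,7 @@ void dtls1_stop_timer(SSL *s);
 int dtls1_is_timer_expired(SSL *s);
 void dtls1_double_timeout(SSL *s);
 int dtls1_send_newsession_ticket(SSL *s);
+unsigned int dtls1_min_mtu(void);
 
 /* some client-only functions */
 int ssl3_client_hello(SSL *s);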
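diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 85371c87b8..26cbae449e 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -971,6 +971,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 sdata = data;
 if (dsize > 0)
 {
+if (s->tlsext_ocsp_exts)
+{
+sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
+X509_EXTENSION_free);
+}
+
 s->tlsext_ocsp_exts =
 d2i_X509_EXTENSIONS(NULL,
 &sdata, dsize);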
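Review bot: Freeing the previous tlsext_ocsp_exts before d2i_X509_EXTENSIONS overwrites it closes the leak when the status_request extension is parsed more than once on the same SSL, but the responder-ID list parsed just above this hunk (tlsext_ocsp_ids) presumably has the same replace-without-free pattern and is worth checking in the same pass. The free is only reached when `dsize > 0`, so an old list is kept untouched when the extension arrives with an empty extension body; whether that branch is handled is outside the hunk. A comment such as `/* a repeated or renegotiated ClientHello may have left an earlier list here */` above the new `if` would record why the free is needed. ssl_parse_clienthello_tlsext starts and ends outside the hunk.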
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
index f9d7c5d65f..b55364ae88 100644
--- a/src/lib/libssl/test/testssl
+++ b/src/lib/libssl/test/testssl
@@ -100,8 +100,8 @@ echo test sslv2/sslv3 via BIO pair
100$ssltest $extra || exit 1 100$ssltest $extra || exit 1
101 101
102if [ $dsa_cert = NO ]; then 102if [ $dsa_cert = NO ]; then
103 echo test sslv2/sslv3 w/o DHE via BIO pair 103 echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
104 $ssltest -bio_pair -no_dhe $extra || exit 1 104 $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
105fi 105fi
106 106
107echo test sslv2/sslv3 with 1024bit DHE via BIO pair 107echo test sslv2/sslv3 with 1024bit DHE via BIO pair
@@ -131,8 +131,8 @@ fi
131if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then 131if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
132 echo skipping RSA tests 132 echo skipping RSA tests
133else 133else
134 echo test tls1 with 1024bit RSA, no DHE, multiple handshakes 134 echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
135 ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1 135 ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
136 136
137 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then 137 if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
138 echo skipping RSA+DHE tests 138 echo skipping RSA+DHE tests