summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/aes/asm/aes-mips.pl20
-rw-r--r--src/lib/libcrypto/aes/asm/aes-parisc.pl3
-rw-r--r--src/lib/libcrypto/aes/asm/aes-s390x.pl95
-rwxr-xr-xsrc/lib/libcrypto/aes/asm/aes-x86_64.pl3
-rw-r--r--src/lib/libcrypto/aes/asm/aesni-sha1-x86_64.pl3
-rw-r--r--src/lib/libcrypto/aes/asm/aesni-x86_64.pl3
-rw-r--r--src/lib/libcrypto/aes/asm/bsaes-x86_64.pl76
-rw-r--r--src/lib/libcrypto/aes/asm/vpaes-x86_64.pl5
-rw-r--r--src/lib/libcrypto/armcap.c2
-rw-r--r--src/lib/libcrypto/asn1/a_int.c2
-rw-r--r--src/lib/libcrypto/asn1/a_strex.c1
-rw-r--r--src/lib/libcrypto/asn1/a_verify.c6
-rw-r--r--src/lib/libcrypto/asn1/asn1_err.c2
-rw-r--r--src/lib/libcrypto/asn1/x_pubkey.c5
-rw-r--r--src/lib/libcrypto/bio/bss_dgram.c91
-rw-r--r--src/lib/libcrypto/bio/bss_log.c2
-rw-r--r--src/lib/libcrypto/bn/asm/mips-mont.pl2
-rw-r--r--src/lib/libcrypto/bn/asm/mips.pl46
-rw-r--r--src/lib/libcrypto/bn/asm/modexp512-x86_64.pl3
-rw-r--r--src/lib/libcrypto/bn/asm/parisc-mont.pl4
-rw-r--r--src/lib/libcrypto/bn/asm/x86_64-gf2m.pl3
-rwxr-xr-xsrc/lib/libcrypto/bn/asm/x86_64-mont.pl3
-rwxr-xr-xsrc/lib/libcrypto/bn/asm/x86_64-mont5.pl7
-rw-r--r--src/lib/libcrypto/bn/bn.h11
-rw-r--r--src/lib/libcrypto/bn/bn_div.c2
-rw-r--r--src/lib/libcrypto/bn/bn_gcd.c1
-rw-r--r--src/lib/libcrypto/bn/bn_lcl.h11
-rw-r--r--src/lib/libcrypto/bn/bn_lib.c52
-rw-r--r--src/lib/libcrypto/bn/bn_nist.c55
-rw-r--r--src/lib/libcrypto/bn/bn_word.c25
-rw-r--r--src/lib/libcrypto/buffer/buffer.c4
-rw-r--r--src/lib/libcrypto/buffer/buffer.h2
-rw-r--r--src/lib/libcrypto/camellia/asm/cmll-x86_64.pl3
-rw-r--r--src/lib/libcrypto/cms/cms_cd.c2
-rw-r--r--src/lib/libcrypto/cms/cms_enc.c2
-rw-r--r--src/lib/libcrypto/cms/cms_lib.c4
-rw-r--r--src/lib/libcrypto/conf/conf_mall.c1
-rw-r--r--src/lib/libcrypto/cryptlib.c18
-rw-r--r--src/lib/libcrypto/cryptlib.h2
-rw-r--r--src/lib/libcrypto/crypto.h11
-rw-r--r--src/lib/libcrypto/des/set_key.c3
-rw-r--r--src/lib/libcrypto/des/str2key.c2
-rw-r--r--src/lib/libcrypto/doc/ERR_get_error.pod7
-rw-r--r--src/lib/libcrypto/doc/EVP_BytesToKey.pod2
-rw-r--r--src/lib/libcrypto/doc/EVP_EncryptInit.pod2
-rw-r--r--src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod2
-rw-r--r--src/lib/libcrypto/doc/EVP_PKEY_decrypt.pod2
-rw-r--r--src/lib/libcrypto/doc/EVP_PKEY_derive.pod2
-rw-r--r--src/lib/libcrypto/doc/EVP_PKEY_encrypt.pod2
-rw-r--r--src/lib/libcrypto/doc/EVP_PKEY_get_default_digest.pod2
-rw-r--r--src/lib/libcrypto/doc/EVP_PKEY_keygen.pod2
-rw-r--r--src/lib/libcrypto/doc/EVP_PKEY_sign.pod2
-rw-r--r--src/lib/libcrypto/doc/EVP_PKEY_verify.pod2
-rw-r--r--src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod103
-rw-r--r--src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod2
-rw-r--r--src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod2
-rw-r--r--src/lib/libcrypto/ec/ec.h28
-rw-r--r--src/lib/libcrypto/ec/ec2_mult.c27
-rw-r--r--src/lib/libcrypto/ec/ec_ameth.c2
-rw-r--r--src/lib/libcrypto/ec/ec_asn1.c6
-rw-r--r--src/lib/libcrypto/ec/ec_key.c13
-rw-r--r--src/lib/libcrypto/ec/ec_lib.c10
-rw-r--r--src/lib/libcrypto/ec/ec_pmeth.c2
-rw-r--r--src/lib/libcrypto/ec/ecp_mont.c1
-rw-r--r--src/lib/libcrypto/ecdh/ech_key.c3
-rw-r--r--src/lib/libcrypto/ecdh/ech_lib.c11
-rw-r--r--src/lib/libcrypto/ecdsa/ecs_lib.c11
-rw-r--r--src/lib/libcrypto/engine/eng_list.c1
-rw-r--r--src/lib/libcrypto/err/err_all.c19
-rw-r--r--src/lib/libcrypto/evp/bio_b64.c2
-rw-r--r--src/lib/libcrypto/evp/digest.c8
-rw-r--r--src/lib/libcrypto/evp/e_aes.c21
-rw-r--r--src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c217
-rw-r--r--src/lib/libcrypto/evp/e_des3.c6
-rw-r--r--src/lib/libcrypto/evp/evp.h15
-rw-r--r--src/lib/libcrypto/evp/evp_err.c6
-rw-r--r--src/lib/libcrypto/evp/m_dss.c2
-rw-r--r--src/lib/libcrypto/evp/m_dss1.c2
-rw-r--r--src/lib/libcrypto/evp/m_sha1.c2
-rw-r--r--src/lib/libcrypto/evp/p5_crpt2.c40
-rw-r--r--src/lib/libcrypto/evp/p_sign.c2
-rw-r--r--src/lib/libcrypto/evp/p_verify.c2
-rw-r--r--src/lib/libcrypto/md4/md4_dgst.c31
-rw-r--r--src/lib/libcrypto/md4/md4_locl.h8
-rwxr-xr-xsrc/lib/libcrypto/md5/asm/md5-x86_64.pl3
-rw-r--r--src/lib/libcrypto/md5/md5_locl.h8
-rw-r--r--src/lib/libcrypto/modes/asm/ghash-alpha.pl25
-rw-r--r--src/lib/libcrypto/modes/asm/ghash-parisc.pl1
-rw-r--r--src/lib/libcrypto/modes/asm/ghash-x86.pl6
-rw-r--r--src/lib/libcrypto/modes/asm/ghash-x86_64.pl3
-rw-r--r--src/lib/libcrypto/modes/cbc128.c25
-rw-r--r--src/lib/libcrypto/modes/ccm128.c2
-rw-r--r--src/lib/libcrypto/modes/cts128.c28
-rw-r--r--src/lib/libcrypto/modes/gcm128.c196
-rw-r--r--src/lib/libcrypto/modes/modes_lcl.h9
-rw-r--r--src/lib/libcrypto/objects/o_names.c2
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_vfy.c10
-rw-r--r--src/lib/libcrypto/opensslv.h6
-rw-r--r--src/lib/libcrypto/pariscid.pl41
-rw-r--r--src/lib/libcrypto/pem/pem_all.c161
-rw-r--r--src/lib/libcrypto/pem/pem_info.c1
-rw-r--r--src/lib/libcrypto/pem/pem_lib.c27
-rw-r--r--src/lib/libcrypto/pem/pem_seal.c6
-rw-r--r--src/lib/libcrypto/perlasm/cbc.pl2
-rw-r--r--src/lib/libcrypto/pkcs12/p12_crt.c7
-rw-r--r--src/lib/libcrypto/pkcs12/p12_key.c24
-rw-r--r--src/lib/libcrypto/pkcs7/bio_pk7.c2
-rw-r--r--src/lib/libcrypto/ppccap.c11
-rw-r--r--src/lib/libcrypto/rand/rand.h1
-rw-r--r--src/lib/libcrypto/rand/rand_err.c1
-rw-r--r--src/lib/libcrypto/rand/rand_lib.c15
-rw-r--r--src/lib/libcrypto/rand/randfile.c2
-rw-r--r--src/lib/libcrypto/rc4/asm/rc4-md5-x86_64.pl3
-rw-r--r--src/lib/libcrypto/rc4/asm/rc4-parisc.pl3
-rwxr-xr-xsrc/lib/libcrypto/rc4/asm/rc4-x86_64.pl3
-rw-r--r--src/lib/libcrypto/ripemd/rmd_dgst.c30
-rw-r--r--src/lib/libcrypto/ripemd/rmd_locl.h10
-rw-r--r--src/lib/libcrypto/rsa/rsa.h2
-rw-r--r--src/lib/libcrypto/rsa/rsa_ameth.c8
-rw-r--r--src/lib/libcrypto/rsa/rsa_chk.c6
-rw-r--r--src/lib/libcrypto/rsa/rsa_eay.c6
-rw-r--r--src/lib/libcrypto/rsa/rsa_oaep.c2
-rw-r--r--src/lib/libcrypto/rsa/rsa_pmeth.c2
-rw-r--r--src/lib/libcrypto/sha/asm/sha1-armv4-large.pl2
-rw-r--r--src/lib/libcrypto/sha/asm/sha1-ia64.pl3
-rw-r--r--src/lib/libcrypto/sha/asm/sha1-parisc.pl3
-rw-r--r--src/lib/libcrypto/sha/asm/sha1-sparcv9a.pl2
-rwxr-xr-xsrc/lib/libcrypto/sha/asm/sha1-x86_64.pl7
-rw-r--r--src/lib/libcrypto/sha/asm/sha512-586.pl16
-rw-r--r--src/lib/libcrypto/sha/asm/sha512-mips.pl2
-rwxr-xr-xsrc/lib/libcrypto/sha/asm/sha512-parisc.pl2
-rwxr-xr-xsrc/lib/libcrypto/sha/asm/sha512-x86_64.pl3
-rw-r--r--src/lib/libcrypto/sha/sha1_one.c2
-rw-r--r--src/lib/libcrypto/sha/sha1dgst.c2
-rw-r--r--src/lib/libcrypto/sha/sha256.c6
-rw-r--r--src/lib/libcrypto/sha/sha512.c9
-rw-r--r--src/lib/libcrypto/sha/sha_locl.h40
-rw-r--r--src/lib/libcrypto/sparccpuid.S4
-rw-r--r--src/lib/libcrypto/ui/ui_openssl.c6
-rw-r--r--src/lib/libcrypto/whrlpool/asm/wp-mmx.pl2
-rw-r--r--src/lib/libcrypto/whrlpool/asm/wp-x86_64.pl3
-rw-r--r--src/lib/libcrypto/x509/by_dir.c6
-rw-r--r--src/lib/libcrypto/x509/x509_cmp.c15
-rw-r--r--src/lib/libcrypto/x509/x509_vfy.c20
-rw-r--r--src/lib/libcrypto/x509/x_all.c2
-rw-r--r--src/lib/libcrypto/x509v3/v3_purp.c4
-rw-r--r--src/lib/libcrypto/x86_64cpuid.pl3
-rw-r--r--src/lib/libcrypto/x86cpuid.pl6
-rw-r--r--src/lib/libssl/d1_both.c39
-rw-r--r--src/lib/libssl/d1_clnt.c36
-rw-r--r--src/lib/libssl/d1_enc.c59
-rw-r--r--src/lib/libssl/d1_lib.c1
-rw-r--r--src/lib/libssl/d1_pkt.c98
-rw-r--r--src/lib/libssl/d1_srtp.c5
-rw-r--r--src/lib/libssl/d1_srvr.c29
-rw-r--r--src/lib/libssl/dtls1.h8
-rw-r--r--src/lib/libssl/s23_clnt.c29
-rw-r--r--src/lib/libssl/s3_both.c22
-rw-r--r--src/lib/libssl/s3_clnt.c11
-rw-r--r--src/lib/libssl/s3_lib.c36
-rw-r--r--src/lib/libssl/s3_pkt.c111
-rw-r--r--src/lib/libssl/s3_srvr.c39
-rw-r--r--src/lib/libssl/ssl.h21
-rw-r--r--src/lib/libssl/ssl3.h15
-rw-r--r--src/lib/libssl/ssl_algs.c1
-rw-r--r--src/lib/libssl/ssl_cert.c4
-rw-r--r--src/lib/libssl/ssl_ciph.c5
-rw-r--r--src/lib/libssl/ssl_err.c1
-rw-r--r--src/lib/libssl/ssl_lib.c26
-rw-r--r--src/lib/libssl/ssl_locl.h47
-rw-r--r--src/lib/libssl/ssl_rsa.c14
-rw-r--r--src/lib/libssl/t1_enc.c190
-rw-r--r--src/lib/libssl/t1_lib.c283
-rw-r--r--src/lib/libssl/test/cms-test.pl4
-rw-r--r--src/lib/libssl/test/testssl17
-rw-r--r--src/lib/libssl/tls1.h6
176 files changed, 2294 insertions, 963 deletions
diff --git a/src/lib/libcrypto/aes/asm/aes-mips.pl b/src/lib/libcrypto/aes/asm/aes-mips.pl
index 2ce6deffc8..e52395421b 100644
--- a/src/lib/libcrypto/aes/asm/aes-mips.pl
+++ b/src/lib/libcrypto/aes/asm/aes-mips.pl
@@ -1036,9 +1036,9 @@ _mips_AES_set_encrypt_key:
1036 nop 1036 nop
1037.end _mips_AES_set_encrypt_key 1037.end _mips_AES_set_encrypt_key
1038 1038
1039.globl AES_set_encrypt_key 1039.globl private_AES_set_encrypt_key
1040.ent AES_set_encrypt_key 1040.ent private_AES_set_encrypt_key
1041AES_set_encrypt_key: 1041private_AES_set_encrypt_key:
1042 .frame $sp,$FRAMESIZE,$ra 1042 .frame $sp,$FRAMESIZE,$ra
1043 .mask $SAVED_REGS_MASK,-$SZREG 1043 .mask $SAVED_REGS_MASK,-$SZREG
1044 .set noreorder 1044 .set noreorder
@@ -1060,7 +1060,7 @@ $code.=<<___ if ($flavour =~ /nubi/i); # optimize non-nubi prologue
1060___ 1060___
1061$code.=<<___ if ($flavour !~ /o32/i); # non-o32 PIC-ification 1061$code.=<<___ if ($flavour !~ /o32/i); # non-o32 PIC-ification
1062 .cplocal $Tbl 1062 .cplocal $Tbl
1063 .cpsetup $pf,$zero,AES_set_encrypt_key 1063 .cpsetup $pf,$zero,private_AES_set_encrypt_key
1064___ 1064___
1065$code.=<<___; 1065$code.=<<___;
1066 .set reorder 1066 .set reorder
@@ -1083,7 +1083,7 @@ ___
1083$code.=<<___; 1083$code.=<<___;
1084 jr $ra 1084 jr $ra
1085 $PTR_ADD $sp,$FRAMESIZE 1085 $PTR_ADD $sp,$FRAMESIZE
1086.end AES_set_encrypt_key 1086.end private_AES_set_encrypt_key
1087___ 1087___
1088 1088
1089my ($head,$tail)=($inp,$bits); 1089my ($head,$tail)=($inp,$bits);
@@ -1091,9 +1091,9 @@ my ($tp1,$tp2,$tp4,$tp8,$tp9,$tpb,$tpd,$tpe)=($a4,$a5,$a6,$a7,$s0,$s1,$s2,$s3);
1091my ($m,$x80808080,$x7f7f7f7f,$x1b1b1b1b)=($at,$t0,$t1,$t2); 1091my ($m,$x80808080,$x7f7f7f7f,$x1b1b1b1b)=($at,$t0,$t1,$t2);
1092$code.=<<___; 1092$code.=<<___;
1093.align 5 1093.align 5
1094.globl AES_set_decrypt_key 1094.globl private_AES_set_decrypt_key
1095.ent AES_set_decrypt_key 1095.ent private_AES_set_decrypt_key
1096AES_set_decrypt_key: 1096private_AES_set_decrypt_key:
1097 .frame $sp,$FRAMESIZE,$ra 1097 .frame $sp,$FRAMESIZE,$ra
1098 .mask $SAVED_REGS_MASK,-$SZREG 1098 .mask $SAVED_REGS_MASK,-$SZREG
1099 .set noreorder 1099 .set noreorder
@@ -1115,7 +1115,7 @@ $code.=<<___ if ($flavour =~ /nubi/i); # optimize non-nubi prologue
1115___ 1115___
1116$code.=<<___ if ($flavour !~ /o32/i); # non-o32 PIC-ification 1116$code.=<<___ if ($flavour !~ /o32/i); # non-o32 PIC-ification
1117 .cplocal $Tbl 1117 .cplocal $Tbl
1118 .cpsetup $pf,$zero,AES_set_decrypt_key 1118 .cpsetup $pf,$zero,private_AES_set_decrypt_key
1119___ 1119___
1120$code.=<<___; 1120$code.=<<___;
1121 .set reorder 1121 .set reorder
@@ -1226,7 +1226,7 @@ ___
1226$code.=<<___; 1226$code.=<<___;
1227 jr $ra 1227 jr $ra
1228 $PTR_ADD $sp,$FRAMESIZE 1228 $PTR_ADD $sp,$FRAMESIZE
1229.end AES_set_decrypt_key 1229.end private_AES_set_decrypt_key
1230___ 1230___
1231}}} 1231}}}
1232 1232
diff --git a/src/lib/libcrypto/aes/asm/aes-parisc.pl b/src/lib/libcrypto/aes/asm/aes-parisc.pl
index c36b6a2270..714dcfbbe3 100644
--- a/src/lib/libcrypto/aes/asm/aes-parisc.pl
+++ b/src/lib/libcrypto/aes/asm/aes-parisc.pl
@@ -1015,7 +1015,8 @@ foreach (split("\n",$code)) {
1015 $SIZE_T==4 ? sprintf("extru%s,%d,8,",$1,31-$2) 1015 $SIZE_T==4 ? sprintf("extru%s,%d,8,",$1,31-$2)
1016 : sprintf("extrd,u%s,%d,8,",$1,63-$2)/e; 1016 : sprintf("extrd,u%s,%d,8,",$1,63-$2)/e;
1017 1017
1018 s/,\*/,/ if ($SIZE_T==4); 1018 s/,\*/,/ if ($SIZE_T==4);
1019 s/\bbv\b(.*\(%r2\))/bve$1/ if ($SIZE_T==8);
1019 print $_,"\n"; 1020 print $_,"\n";
1020} 1021}
1021close STDOUT; 1022close STDOUT;
diff --git a/src/lib/libcrypto/aes/asm/aes-s390x.pl b/src/lib/libcrypto/aes/asm/aes-s390x.pl
index 445a1e6762..e75dcd0315 100644
--- a/src/lib/libcrypto/aes/asm/aes-s390x.pl
+++ b/src/lib/libcrypto/aes/asm/aes-s390x.pl
@@ -1598,11 +1598,11 @@ $code.=<<___ if(1);
1598 lghi $s1,0x7f 1598 lghi $s1,0x7f
1599 nr $s1,%r0 1599 nr $s1,%r0
1600 lghi %r0,0 # query capability vector 1600 lghi %r0,0 # query capability vector
1601 la %r1,2*$SIZE_T($sp) 1601 la %r1,$tweak-16($sp)
1602 .long 0xb92e0042 # km %r4,%r2 1602 .long 0xb92e0042 # km %r4,%r2
1603 llihh %r1,0x8000 1603 llihh %r1,0x8000
1604 srlg %r1,%r1,32($s1) # check for 32+function code 1604 srlg %r1,%r1,32($s1) # check for 32+function code
1605 ng %r1,2*$SIZE_T($sp) 1605 ng %r1,$tweak-16($sp)
1606 lgr %r0,$s0 # restore the function code 1606 lgr %r0,$s0 # restore the function code
1607 la %r1,0($key1) # restore $key1 1607 la %r1,0($key1) # restore $key1
1608 jz .Lxts_km_vanilla 1608 jz .Lxts_km_vanilla
@@ -1628,7 +1628,7 @@ $code.=<<___ if(1);
1628 1628
1629 lrvg $s0,$tweak+0($sp) # load the last tweak 1629 lrvg $s0,$tweak+0($sp) # load the last tweak
1630 lrvg $s1,$tweak+8($sp) 1630 lrvg $s1,$tweak+8($sp)
1631 stmg %r0,%r3,$tweak-32(%r1) # wipe copy of the key 1631 stmg %r0,%r3,$tweak-32($sp) # wipe copy of the key
1632 1632
1633 nill %r0,0xffdf # switch back to original function code 1633 nill %r0,0xffdf # switch back to original function code
1634 la %r1,0($key1) # restore pointer to $key1 1634 la %r1,0($key1) # restore pointer to $key1
@@ -1684,11 +1684,9 @@ $code.=<<___;
1684 lghi $i1,0x87 1684 lghi $i1,0x87
1685 srag $i2,$s1,63 # broadcast upper bit 1685 srag $i2,$s1,63 # broadcast upper bit
1686 ngr $i1,$i2 # rem 1686 ngr $i1,$i2 # rem
1687 srlg $i2,$s0,63 # carry bit from lower half 1687 algr $s0,$s0
1688 sllg $s0,$s0,1 1688 alcgr $s1,$s1
1689 sllg $s1,$s1,1
1690 xgr $s0,$i1 1689 xgr $s0,$i1
1691 ogr $s1,$i2
1692.Lxts_km_start: 1690.Lxts_km_start:
1693 lrvgr $i1,$s0 # flip byte order 1691 lrvgr $i1,$s0 # flip byte order
1694 lrvgr $i2,$s1 1692 lrvgr $i2,$s1
@@ -1745,11 +1743,9 @@ $code.=<<___;
1745 lghi $i1,0x87 1743 lghi $i1,0x87
1746 srag $i2,$s1,63 # broadcast upper bit 1744 srag $i2,$s1,63 # broadcast upper bit
1747 ngr $i1,$i2 # rem 1745 ngr $i1,$i2 # rem
1748 srlg $i2,$s0,63 # carry bit from lower half 1746 algr $s0,$s0
1749 sllg $s0,$s0,1 1747 alcgr $s1,$s1
1750 sllg $s1,$s1,1
1751 xgr $s0,$i1 1748 xgr $s0,$i1
1752 ogr $s1,$i2
1753 1749
1754 ltr $len,$len # clear zero flag 1750 ltr $len,$len # clear zero flag
1755 br $ra 1751 br $ra
@@ -1781,8 +1777,8 @@ $code.=<<___ if (!$softonly);
1781 clr %r0,%r1 1777 clr %r0,%r1
1782 jl .Lxts_enc_software 1778 jl .Lxts_enc_software
1783 1779
1780 st${g} $ra,5*$SIZE_T($sp)
1784 stm${g} %r6,$s3,6*$SIZE_T($sp) 1781 stm${g} %r6,$s3,6*$SIZE_T($sp)
1785 st${g} $ra,14*$SIZE_T($sp)
1786 1782
1787 sllg $len,$len,4 # $len&=~15 1783 sllg $len,$len,4 # $len&=~15
1788 slgr $out,$inp 1784 slgr $out,$inp
@@ -1830,9 +1826,9 @@ $code.=<<___ if (!$softonly);
1830 stg $i2,8($i3) 1826 stg $i2,8($i3)
1831 1827
1832.Lxts_enc_km_done: 1828.Lxts_enc_km_done:
1833 l${g} $ra,14*$SIZE_T($sp) 1829 stg $sp,$tweak+0($sp) # wipe tweak
1834 st${g} $sp,$tweak($sp) # wipe tweak 1830 stg $sp,$tweak+8($sp)
1835 st${g} $sp,$tweak($sp) 1831 l${g} $ra,5*$SIZE_T($sp)
1836 lm${g} %r6,$s3,6*$SIZE_T($sp) 1832 lm${g} %r6,$s3,6*$SIZE_T($sp)
1837 br $ra 1833 br $ra
1838.align 16 1834.align 16
@@ -1843,12 +1839,11 @@ $code.=<<___;
1843 1839
1844 slgr $out,$inp 1840 slgr $out,$inp
1845 1841
1846 xgr $s0,$s0 # clear upper half 1842 l${g} $s3,$stdframe($sp) # ivp
1847 xgr $s1,$s1 1843 llgf $s0,0($s3) # load iv
1848 lrv $s0,$stdframe+4($sp) # load secno 1844 llgf $s1,4($s3)
1849 lrv $s1,$stdframe+0($sp) 1845 llgf $s2,8($s3)
1850 xgr $s2,$s2 1846 llgf $s3,12($s3)
1851 xgr $s3,$s3
1852 stm${g} %r2,%r5,2*$SIZE_T($sp) 1847 stm${g} %r2,%r5,2*$SIZE_T($sp)
1853 la $key,0($key2) 1848 la $key,0($key2)
1854 larl $tbl,AES_Te 1849 larl $tbl,AES_Te
@@ -1864,11 +1859,9 @@ $code.=<<___;
1864 lghi %r1,0x87 1859 lghi %r1,0x87
1865 srag %r0,$s3,63 # broadcast upper bit 1860 srag %r0,$s3,63 # broadcast upper bit
1866 ngr %r1,%r0 # rem 1861 ngr %r1,%r0 # rem
1867 srlg %r0,$s1,63 # carry bit from lower half 1862 algr $s1,$s1
1868 sllg $s1,$s1,1 1863 alcgr $s3,$s3
1869 sllg $s3,$s3,1
1870 xgr $s1,%r1 1864 xgr $s1,%r1
1871 ogr $s3,%r0
1872 lrvgr $s1,$s1 # flip byte order 1865 lrvgr $s1,$s1 # flip byte order
1873 lrvgr $s3,$s3 1866 lrvgr $s3,$s3
1874 srlg $s0,$s1,32 # smash the tweak to 4x32-bits 1867 srlg $s0,$s1,32 # smash the tweak to 4x32-bits
@@ -1917,11 +1910,9 @@ $code.=<<___;
1917 lghi %r1,0x87 1910 lghi %r1,0x87
1918 srag %r0,$s3,63 # broadcast upper bit 1911 srag %r0,$s3,63 # broadcast upper bit
1919 ngr %r1,%r0 # rem 1912 ngr %r1,%r0 # rem
1920 srlg %r0,$s1,63 # carry bit from lower half 1913 algr $s1,$s1
1921 sllg $s1,$s1,1 1914 alcgr $s3,$s3
1922 sllg $s3,$s3,1
1923 xgr $s1,%r1 1915 xgr $s1,%r1
1924 ogr $s3,%r0
1925 lrvgr $s1,$s1 # flip byte order 1916 lrvgr $s1,$s1 # flip byte order
1926 lrvgr $s3,$s3 1917 lrvgr $s3,$s3
1927 srlg $s0,$s1,32 # smash the tweak to 4x32-bits 1918 srlg $s0,$s1,32 # smash the tweak to 4x32-bits
@@ -1956,7 +1947,8 @@ $code.=<<___;
1956.size AES_xts_encrypt,.-AES_xts_encrypt 1947.size AES_xts_encrypt,.-AES_xts_encrypt
1957___ 1948___
1958# void AES_xts_decrypt(const char *inp,char *out,size_t len, 1949# void AES_xts_decrypt(const char *inp,char *out,size_t len,
1959# const AES_KEY *key1, const AES_KEY *key2,u64 secno); 1950# const AES_KEY *key1, const AES_KEY *key2,
1951# const unsigned char iv[16]);
1960# 1952#
1961$code.=<<___; 1953$code.=<<___;
1962.globl AES_xts_decrypt 1954.globl AES_xts_decrypt
@@ -1988,8 +1980,8 @@ $code.=<<___ if (!$softonly);
1988 clr %r0,%r1 1980 clr %r0,%r1
1989 jl .Lxts_dec_software 1981 jl .Lxts_dec_software
1990 1982
1983 st${g} $ra,5*$SIZE_T($sp)
1991 stm${g} %r6,$s3,6*$SIZE_T($sp) 1984 stm${g} %r6,$s3,6*$SIZE_T($sp)
1992 st${g} $ra,14*$SIZE_T($sp)
1993 1985
1994 nill $len,0xfff0 # $len&=~15 1986 nill $len,0xfff0 # $len&=~15
1995 slgr $out,$inp 1987 slgr $out,$inp
@@ -2028,11 +2020,9 @@ $code.=<<___ if (!$softonly);
2028 lghi $i1,0x87 2020 lghi $i1,0x87
2029 srag $i2,$s1,63 # broadcast upper bit 2021 srag $i2,$s1,63 # broadcast upper bit
2030 ngr $i1,$i2 # rem 2022 ngr $i1,$i2 # rem
2031 srlg $i2,$s0,63 # carry bit from lower half 2023 algr $s0,$s0
2032 sllg $s0,$s0,1 2024 alcgr $s1,$s1
2033 sllg $s1,$s1,1
2034 xgr $s0,$i1 2025 xgr $s0,$i1
2035 ogr $s1,$i2
2036 lrvgr $i1,$s0 # flip byte order 2026 lrvgr $i1,$s0 # flip byte order
2037 lrvgr $i2,$s1 2027 lrvgr $i2,$s1
2038 2028
@@ -2075,9 +2065,9 @@ $code.=<<___ if (!$softonly);
2075 stg $s2,0($i3) 2065 stg $s2,0($i3)
2076 stg $s3,8($i3) 2066 stg $s3,8($i3)
2077.Lxts_dec_km_done: 2067.Lxts_dec_km_done:
2078 l${g} $ra,14*$SIZE_T($sp) 2068 stg $sp,$tweak+0($sp) # wipe tweak
2079 st${g} $sp,$tweak($sp) # wipe tweak 2069 stg $sp,$tweak+8($sp)
2080 st${g} $sp,$tweak($sp) 2070 l${g} $ra,5*$SIZE_T($sp)
2081 lm${g} %r6,$s3,6*$SIZE_T($sp) 2071 lm${g} %r6,$s3,6*$SIZE_T($sp)
2082 br $ra 2072 br $ra
2083.align 16 2073.align 16
@@ -2089,12 +2079,11 @@ $code.=<<___;
2089 srlg $len,$len,4 2079 srlg $len,$len,4
2090 slgr $out,$inp 2080 slgr $out,$inp
2091 2081
2092 xgr $s0,$s0 # clear upper half 2082 l${g} $s3,$stdframe($sp) # ivp
2093 xgr $s1,$s1 2083 llgf $s0,0($s3) # load iv
2094 lrv $s0,$stdframe+4($sp) # load secno 2084 llgf $s1,4($s3)
2095 lrv $s1,$stdframe+0($sp) 2085 llgf $s2,8($s3)
2096 xgr $s2,$s2 2086 llgf $s3,12($s3)
2097 xgr $s3,$s3
2098 stm${g} %r2,%r5,2*$SIZE_T($sp) 2087 stm${g} %r2,%r5,2*$SIZE_T($sp)
2099 la $key,0($key2) 2088 la $key,0($key2)
2100 larl $tbl,AES_Te 2089 larl $tbl,AES_Te
@@ -2113,11 +2102,9 @@ $code.=<<___;
2113 lghi %r1,0x87 2102 lghi %r1,0x87
2114 srag %r0,$s3,63 # broadcast upper bit 2103 srag %r0,$s3,63 # broadcast upper bit
2115 ngr %r1,%r0 # rem 2104 ngr %r1,%r0 # rem
2116 srlg %r0,$s1,63 # carry bit from lower half 2105 algr $s1,$s1
2117 sllg $s1,$s1,1 2106 alcgr $s3,$s3
2118 sllg $s3,$s3,1
2119 xgr $s1,%r1 2107 xgr $s1,%r1
2120 ogr $s3,%r0
2121 lrvgr $s1,$s1 # flip byte order 2108 lrvgr $s1,$s1 # flip byte order
2122 lrvgr $s3,$s3 2109 lrvgr $s3,$s3
2123 srlg $s0,$s1,32 # smash the tweak to 4x32-bits 2110 srlg $s0,$s1,32 # smash the tweak to 4x32-bits
@@ -2156,11 +2143,9 @@ $code.=<<___;
2156 lghi %r1,0x87 2143 lghi %r1,0x87
2157 srag %r0,$s3,63 # broadcast upper bit 2144 srag %r0,$s3,63 # broadcast upper bit
2158 ngr %r1,%r0 # rem 2145 ngr %r1,%r0 # rem
2159 srlg %r0,$s1,63 # carry bit from lower half 2146 algr $s1,$s1
2160 sllg $s1,$s1,1 2147 alcgr $s3,$s3
2161 sllg $s3,$s3,1
2162 xgr $s1,%r1 2148 xgr $s1,%r1
2163 ogr $s3,%r0
2164 lrvgr $i2,$s1 # flip byte order 2149 lrvgr $i2,$s1 # flip byte order
2165 lrvgr $i3,$s3 2150 lrvgr $i3,$s3
2166 stmg $i2,$i3,$tweak($sp) # save the 1st tweak 2151 stmg $i2,$i3,$tweak($sp) # save the 1st tweak
@@ -2176,11 +2161,9 @@ $code.=<<___;
2176 lghi %r1,0x87 2161 lghi %r1,0x87
2177 srag %r0,$s3,63 # broadcast upper bit 2162 srag %r0,$s3,63 # broadcast upper bit
2178 ngr %r1,%r0 # rem 2163 ngr %r1,%r0 # rem
2179 srlg %r0,$s1,63 # carry bit from lower half 2164 algr $s1,$s1
2180 sllg $s1,$s1,1 2165 alcgr $s3,$s3
2181 sllg $s3,$s3,1
2182 xgr $s1,%r1 2166 xgr $s1,%r1
2183 ogr $s3,%r0
2184 lrvgr $s1,$s1 # flip byte order 2167 lrvgr $s1,$s1 # flip byte order
2185 lrvgr $s3,$s3 2168 lrvgr $s3,$s3
2186 srlg $s0,$s1,32 # smash the tweak to 4x32-bits 2169 srlg $s0,$s1,32 # smash the tweak to 4x32-bits
diff --git a/src/lib/libcrypto/aes/asm/aes-x86_64.pl b/src/lib/libcrypto/aes/asm/aes-x86_64.pl
index 48fa857d5b..34cbb5d844 100755
--- a/src/lib/libcrypto/aes/asm/aes-x86_64.pl
+++ b/src/lib/libcrypto/aes/asm/aes-x86_64.pl
@@ -36,7 +36,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
36( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 36( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
37die "can't locate x86_64-xlate.pl"; 37die "can't locate x86_64-xlate.pl";
38 38
39open STDOUT,"| $^X $xlate $flavour $output"; 39open OUT,"| \"$^X\" $xlate $flavour $output";
40*STDOUT=*OUT;
40 41
41$verticalspin=1; # unlike 32-bit version $verticalspin performs 42$verticalspin=1; # unlike 32-bit version $verticalspin performs
42 # ~15% better on both AMD and Intel cores 43 # ~15% better on both AMD and Intel cores
diff --git a/src/lib/libcrypto/aes/asm/aesni-sha1-x86_64.pl b/src/lib/libcrypto/aes/asm/aesni-sha1-x86_64.pl
index c6f6b3334a..3c8f6c19e7 100644
--- a/src/lib/libcrypto/aes/asm/aesni-sha1-x86_64.pl
+++ b/src/lib/libcrypto/aes/asm/aesni-sha1-x86_64.pl
@@ -69,7 +69,8 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
69 `ml64 2>&1` =~ /Version ([0-9]+)\./ && 69 `ml64 2>&1` =~ /Version ([0-9]+)\./ &&
70 $1>=10); 70 $1>=10);
71 71
72open STDOUT,"| $^X $xlate $flavour $output"; 72open OUT,"| \"$^X\" $xlate $flavour $output";
73*STDOUT=*OUT;
73 74
74# void aesni_cbc_sha1_enc(const void *inp, 75# void aesni_cbc_sha1_enc(const void *inp,
75# void *out, 76# void *out,
diff --git a/src/lib/libcrypto/aes/asm/aesni-x86_64.pl b/src/lib/libcrypto/aes/asm/aesni-x86_64.pl
index 499f3b3f42..0dbb194b8d 100644
--- a/src/lib/libcrypto/aes/asm/aesni-x86_64.pl
+++ b/src/lib/libcrypto/aes/asm/aesni-x86_64.pl
@@ -172,7 +172,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
172( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 172( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
173die "can't locate x86_64-xlate.pl"; 173die "can't locate x86_64-xlate.pl";
174 174
175open STDOUT,"| $^X $xlate $flavour $output"; 175open OUT,"| \"$^X\" $xlate $flavour $output";
176*STDOUT=*OUT;
176 177
177$movkey = $PREFIX eq "aesni" ? "movups" : "movups"; 178$movkey = $PREFIX eq "aesni" ? "movups" : "movups";
178@_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order 179@_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order
diff --git a/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl b/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl
index c9c6312fa7..41b90f0844 100644
--- a/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl
+++ b/src/lib/libcrypto/aes/asm/bsaes-x86_64.pl
@@ -83,9 +83,9 @@
83# Add decryption procedure. Performance in CPU cycles spent to decrypt 83# Add decryption procedure. Performance in CPU cycles spent to decrypt
84# one byte out of 4096-byte buffer with 128-bit key is: 84# one byte out of 4096-byte buffer with 128-bit key is:
85# 85#
86# Core 2 11.0 86# Core 2 9.83
87# Nehalem 9.16 87# Nehalem 7.74
88# Atom 20.9 88# Atom 19.0
89# 89#
90# November 2011. 90# November 2011.
91# 91#
@@ -105,7 +105,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
105( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 105( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
106die "can't locate x86_64-xlate.pl"; 106die "can't locate x86_64-xlate.pl";
107 107
108open STDOUT,"| $^X $xlate $flavour $output"; 108open OUT,"| \"$^X\" $xlate $flavour $output";
109*STDOUT=*OUT;
109 110
110my ($inp,$out,$len,$key,$ivp)=("%rdi","%rsi","%rdx","%rcx"); 111my ($inp,$out,$len,$key,$ivp)=("%rdi","%rsi","%rdx","%rcx");
111my @XMM=map("%xmm$_",(15,0..14)); # best on Atom, +10% over (0..15) 112my @XMM=map("%xmm$_",(15,0..14)); # best on Atom, +10% over (0..15)
@@ -455,6 +456,7 @@ sub MixColumns {
455# modified to emit output in order suitable for feeding back to aesenc[last] 456# modified to emit output in order suitable for feeding back to aesenc[last]
456my @x=@_[0..7]; 457my @x=@_[0..7];
457my @t=@_[8..15]; 458my @t=@_[8..15];
459my $inv=@_[16]; # optional
458$code.=<<___; 460$code.=<<___;
459 pshufd \$0x93, @x[0], @t[0] # x0 <<< 32 461 pshufd \$0x93, @x[0], @t[0] # x0 <<< 32
460 pshufd \$0x93, @x[1], @t[1] 462 pshufd \$0x93, @x[1], @t[1]
@@ -496,7 +498,8 @@ $code.=<<___;
496 pxor @t[4], @t[0] 498 pxor @t[4], @t[0]
497 pshufd \$0x4E, @x[2], @x[6] 499 pshufd \$0x4E, @x[2], @x[6]
498 pxor @t[5], @t[1] 500 pxor @t[5], @t[1]
499 501___
502$code.=<<___ if (!$inv);
500 pxor @t[3], @x[4] 503 pxor @t[3], @x[4]
501 pxor @t[7], @x[5] 504 pxor @t[7], @x[5]
502 pxor @t[6], @x[3] 505 pxor @t[6], @x[3]
@@ -504,9 +507,20 @@ $code.=<<___;
504 pxor @t[2], @x[6] 507 pxor @t[2], @x[6]
505 movdqa @t[1], @x[7] 508 movdqa @t[1], @x[7]
506___ 509___
510$code.=<<___ if ($inv);
511 pxor @x[4], @t[3]
512 pxor @t[7], @x[5]
513 pxor @x[3], @t[6]
514 movdqa @t[0], @x[3]
515 pxor @t[2], @x[6]
516 movdqa @t[6], @x[2]
517 movdqa @t[1], @x[7]
518 movdqa @x[6], @x[4]
519 movdqa @t[3], @x[6]
520___
507} 521}
508 522
509sub InvMixColumns { 523sub InvMixColumns_orig {
510my @x=@_[0..7]; 524my @x=@_[0..7];
511my @t=@_[8..15]; 525my @t=@_[8..15];
512 526
@@ -660,6 +674,54 @@ $code.=<<___;
660___ 674___
661} 675}
662 676
677sub InvMixColumns {
678my @x=@_[0..7];
679my @t=@_[8..15];
680
681# Thanks to Jussi Kivilinna for providing pointer to
682#
683# | 0e 0b 0d 09 | | 02 03 01 01 | | 05 00 04 00 |
684# | 09 0e 0b 0d | = | 01 02 03 01 | x | 00 05 00 04 |
685# | 0d 09 0e 0b | | 01 01 02 03 | | 04 00 05 00 |
686# | 0b 0d 09 0e | | 03 01 01 02 | | 00 04 00 05 |
687
688$code.=<<___;
689 # multiplication by 0x05-0x00-0x04-0x00
690 pshufd \$0x4E, @x[0], @t[0]
691 pshufd \$0x4E, @x[6], @t[6]
692 pxor @x[0], @t[0]
693 pshufd \$0x4E, @x[7], @t[7]
694 pxor @x[6], @t[6]
695 pshufd \$0x4E, @x[1], @t[1]
696 pxor @x[7], @t[7]
697 pshufd \$0x4E, @x[2], @t[2]
698 pxor @x[1], @t[1]
699 pshufd \$0x4E, @x[3], @t[3]
700 pxor @x[2], @t[2]
701 pxor @t[6], @x[0]
702 pxor @t[6], @x[1]
703 pshufd \$0x4E, @x[4], @t[4]
704 pxor @x[3], @t[3]
705 pxor @t[0], @x[2]
706 pxor @t[1], @x[3]
707 pshufd \$0x4E, @x[5], @t[5]
708 pxor @x[4], @t[4]
709 pxor @t[7], @x[1]
710 pxor @t[2], @x[4]
711 pxor @x[5], @t[5]
712
713 pxor @t[7], @x[2]
714 pxor @t[6], @x[3]
715 pxor @t[6], @x[4]
716 pxor @t[3], @x[5]
717 pxor @t[4], @x[6]
718 pxor @t[7], @x[4]
719 pxor @t[7], @x[5]
720 pxor @t[5], @x[7]
721___
722 &MixColumns (@x,@t,1); # flipped 2<->3 and 4<->6
723}
724
663sub aesenc { # not used 725sub aesenc { # not used
664my @b=@_[0..7]; 726my @b=@_[0..7];
665my @t=@_[8..15]; 727my @t=@_[8..15];
@@ -2027,6 +2089,8 @@ ___
2027# const unsigned char iv[16]); 2089# const unsigned char iv[16]);
2028# 2090#
2029my ($twmask,$twres,$twtmp)=@XMM[13..15]; 2091my ($twmask,$twres,$twtmp)=@XMM[13..15];
2092$arg6=~s/d$//;
2093
2030$code.=<<___; 2094$code.=<<___;
2031.globl bsaes_xts_encrypt 2095.globl bsaes_xts_encrypt
2032.type bsaes_xts_encrypt,\@abi-omnipotent 2096.type bsaes_xts_encrypt,\@abi-omnipotent
diff --git a/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl b/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl
index 37998db5e1..bd7f45b850 100644
--- a/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl
+++ b/src/lib/libcrypto/aes/asm/vpaes-x86_64.pl
@@ -56,7 +56,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
56( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 56( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
57die "can't locate x86_64-xlate.pl"; 57die "can't locate x86_64-xlate.pl";
58 58
59open STDOUT,"| $^X $xlate $flavour $output"; 59open OUT,"| \"$^X\" $xlate $flavour $output";
60*STDOUT=*OUT;
60 61
61$PREFIX="vpaes"; 62$PREFIX="vpaes";
62 63
@@ -1059,7 +1060,7 @@ _vpaes_consts:
1059.Lk_dsbo: # decryption sbox final output 1060.Lk_dsbo: # decryption sbox final output
1060 .quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D 1061 .quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
1061 .quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C 1062 .quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C
1062.asciz "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)" 1063.asciz "Vector Permutation AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
1063.align 64 1064.align 64
1064.size _vpaes_consts,.-_vpaes_consts 1065.size _vpaes_consts,.-_vpaes_consts
1065___ 1066___
diff --git a/src/lib/libcrypto/armcap.c b/src/lib/libcrypto/armcap.c
index 5258d2fbdd..9abaf396e5 100644
--- a/src/lib/libcrypto/armcap.c
+++ b/src/lib/libcrypto/armcap.c
@@ -23,7 +23,7 @@ unsigned int _armv7_tick(void);
23 23
24unsigned int OPENSSL_rdtsc(void) 24unsigned int OPENSSL_rdtsc(void)
25 { 25 {
26 if (OPENSSL_armcap_P|ARMV7_TICK) 26 if (OPENSSL_armcap_P & ARMV7_TICK)
27 return _armv7_tick(); 27 return _armv7_tick();
28 else 28 else
29 return 0; 29 return 0;
diff --git a/src/lib/libcrypto/asn1/a_int.c b/src/lib/libcrypto/asn1/a_int.c
index ad0d2506f6..297c45a9ff 100644
--- a/src/lib/libcrypto/asn1/a_int.c
+++ b/src/lib/libcrypto/asn1/a_int.c
@@ -116,7 +116,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
116 int pad=0,ret,i,neg; 116 int pad=0,ret,i,neg;
117 unsigned char *p,*n,pb=0; 117 unsigned char *p,*n,pb=0;
118 118
119 if ((a == NULL) || (a->data == NULL)) return(0); 119 if (a == NULL) return(0);
120 neg=a->type & V_ASN1_NEG; 120 neg=a->type & V_ASN1_NEG;
121 if (a->length == 0) 121 if (a->length == 0)
122 ret=1; 122 ret=1;
diff --git a/src/lib/libcrypto/asn1/a_strex.c b/src/lib/libcrypto/asn1/a_strex.c
index 264ebf2393..ead37ac325 100644
--- a/src/lib/libcrypto/asn1/a_strex.c
+++ b/src/lib/libcrypto/asn1/a_strex.c
@@ -567,6 +567,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
567 if(mbflag == -1) return -1; 567 if(mbflag == -1) return -1;
568 mbflag |= MBSTRING_FLAG; 568 mbflag |= MBSTRING_FLAG;
569 stmp.data = NULL; 569 stmp.data = NULL;
570 stmp.length = 0;
570 ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING); 571 ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
571 if(ret < 0) return ret; 572 if(ret < 0) return ret;
572 *out = stmp.data; 573 *out = stmp.data;
diff --git a/src/lib/libcrypto/asn1/a_verify.c b/src/lib/libcrypto/asn1/a_verify.c
index 432722e409..fc84cd3d19 100644
--- a/src/lib/libcrypto/asn1/a_verify.c
+++ b/src/lib/libcrypto/asn1/a_verify.c
@@ -140,6 +140,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
140 140
141 int mdnid, pknid; 141 int mdnid, pknid;
142 142
143 if (!pkey)
144 {
145 ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER);
146 return -1;
147 }
148
143 EVP_MD_CTX_init(&ctx); 149 EVP_MD_CTX_init(&ctx);
144 150
145 /* Convert signature OID into digest and public key OIDs */ 151 /* Convert signature OID into digest and public key OIDs */
diff --git a/src/lib/libcrypto/asn1/asn1_err.c b/src/lib/libcrypto/asn1/asn1_err.c
index 1a30bf119b..aa60203ba8 100644
--- a/src/lib/libcrypto/asn1/asn1_err.c
+++ b/src/lib/libcrypto/asn1/asn1_err.c
@@ -305,7 +305,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
305{ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"}, 305{ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"},
306{ERR_REASON(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM),"unknown signature algorithm"}, 306{ERR_REASON(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM),"unknown signature algorithm"},
307{ERR_REASON(ASN1_R_UNKNOWN_TAG) ,"unknown tag"}, 307{ERR_REASON(ASN1_R_UNKNOWN_TAG) ,"unknown tag"},
308{ERR_REASON(ASN1_R_UNKOWN_FORMAT) ,"unkown format"}, 308{ERR_REASON(ASN1_R_UNKOWN_FORMAT) ,"unknown format"},
309{ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"}, 309{ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"},
310{ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"}, 310{ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
311{ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"}, 311{ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"},
diff --git a/src/lib/libcrypto/asn1/x_pubkey.c b/src/lib/libcrypto/asn1/x_pubkey.c
index 627ec87f9f..b649e1fcf9 100644
--- a/src/lib/libcrypto/asn1/x_pubkey.c
+++ b/src/lib/libcrypto/asn1/x_pubkey.c
@@ -175,12 +175,15 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
175 CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY); 175 CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
176 if (key->pkey) 176 if (key->pkey)
177 { 177 {
178 CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
178 EVP_PKEY_free(ret); 179 EVP_PKEY_free(ret);
179 ret = key->pkey; 180 ret = key->pkey;
180 } 181 }
181 else 182 else
183 {
182 key->pkey = ret; 184 key->pkey = ret;
183 CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); 185 CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
186 }
184 CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY); 187 CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
185 188
186 return ret; 189 return ret;
diff --git a/src/lib/libcrypto/bio/bss_dgram.c b/src/lib/libcrypto/bio/bss_dgram.c
index 1b1e4bec81..54c012c47d 100644
--- a/src/lib/libcrypto/bio/bss_dgram.c
+++ b/src/lib/libcrypto/bio/bss_dgram.c
@@ -77,10 +77,20 @@
77#define OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE 0xc0 77#define OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE 0xc0
78#endif 78#endif
79 79
80#ifdef OPENSSL_SYS_LINUX 80#if defined(OPENSSL_SYS_LINUX) && !defined(IP_MTU)
81#define IP_MTU 14 /* linux is lame */ 81#define IP_MTU 14 /* linux is lame */
82#endif 82#endif
83 83
84#if defined(__FreeBSD__) && defined(IN6_IS_ADDR_V4MAPPED)
85/* Standard definition causes type-punning problems. */
86#undef IN6_IS_ADDR_V4MAPPED
87#define s6_addr32 __u6_addr.__u6_addr32
88#define IN6_IS_ADDR_V4MAPPED(a) \
89 (((a)->s6_addr32[0] == 0) && \
90 ((a)->s6_addr32[1] == 0) && \
91 ((a)->s6_addr32[2] == htonl(0x0000ffff)))
92#endif
93
84#ifdef WATT32 94#ifdef WATT32
85#define sock_write SockWrite /* Watt-32 uses same names */ 95#define sock_write SockWrite /* Watt-32 uses same names */
86#define sock_read SockRead 96#define sock_read SockRead
@@ -255,7 +265,7 @@ static void dgram_adjust_rcv_timeout(BIO *b)
255 { 265 {
256#if defined(SO_RCVTIMEO) 266#if defined(SO_RCVTIMEO)
257 bio_dgram_data *data = (bio_dgram_data *)b->ptr; 267 bio_dgram_data *data = (bio_dgram_data *)b->ptr;
258 int sz = sizeof(int); 268 union { size_t s; int i; } sz = {0};
259 269
260 /* Is a timer active? */ 270 /* Is a timer active? */
261 if (data->next_timeout.tv_sec > 0 || data->next_timeout.tv_usec > 0) 271 if (data->next_timeout.tv_sec > 0 || data->next_timeout.tv_usec > 0)
@@ -265,8 +275,10 @@ static void dgram_adjust_rcv_timeout(BIO *b)
265 /* Read current socket timeout */ 275 /* Read current socket timeout */
266#ifdef OPENSSL_SYS_WINDOWS 276#ifdef OPENSSL_SYS_WINDOWS
267 int timeout; 277 int timeout;
278
279 sz.i = sizeof(timeout);
268 if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, 280 if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
269 (void*)&timeout, &sz) < 0) 281 (void*)&timeout, &sz.i) < 0)
270 { perror("getsockopt"); } 282 { perror("getsockopt"); }
271 else 283 else
272 { 284 {
@@ -274,9 +286,12 @@ static void dgram_adjust_rcv_timeout(BIO *b)
274 data->socket_timeout.tv_usec = (timeout % 1000) * 1000; 286 data->socket_timeout.tv_usec = (timeout % 1000) * 1000;
275 } 287 }
276#else 288#else
289 sz.i = sizeof(data->socket_timeout);
277 if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, 290 if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
278 &(data->socket_timeout), (void *)&sz) < 0) 291 &(data->socket_timeout), (void *)&sz) < 0)
279 { perror("getsockopt"); } 292 { perror("getsockopt"); }
293 else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0)
294 OPENSSL_assert(sz.s<=sizeof(data->socket_timeout));
280#endif 295#endif
281 296
282 /* Get current time */ 297 /* Get current time */
@@ -445,11 +460,10 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
445 int *ip; 460 int *ip;
446 struct sockaddr *to = NULL; 461 struct sockaddr *to = NULL;
447 bio_dgram_data *data = NULL; 462 bio_dgram_data *data = NULL;
448#if defined(IP_MTU_DISCOVER) || defined(IP_MTU) 463#if defined(OPENSSL_SYS_LINUX) && (defined(IP_MTU_DISCOVER) || defined(IP_MTU))
449 long sockopt_val = 0; 464 int sockopt_val = 0;
450 unsigned int sockopt_len = 0; 465 socklen_t sockopt_len; /* assume that system supporting IP_MTU is
451#endif 466 * modern enough to define socklen_t */
452#ifdef OPENSSL_SYS_LINUX
453 socklen_t addr_len; 467 socklen_t addr_len;
454 union { 468 union {
455 struct sockaddr sa; 469 struct sockaddr sa;
@@ -531,7 +545,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
531 break; 545 break;
532 /* (Linux)kernel sets DF bit on outgoing IP packets */ 546 /* (Linux)kernel sets DF bit on outgoing IP packets */
533 case BIO_CTRL_DGRAM_MTU_DISCOVER: 547 case BIO_CTRL_DGRAM_MTU_DISCOVER:
534#ifdef OPENSSL_SYS_LINUX 548#if defined(OPENSSL_SYS_LINUX) && defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO)
535 addr_len = (socklen_t)sizeof(addr); 549 addr_len = (socklen_t)sizeof(addr);
536 memset((void *)&addr, 0, sizeof(addr)); 550 memset((void *)&addr, 0, sizeof(addr));
537 if (getsockname(b->num, &addr.sa, &addr_len) < 0) 551 if (getsockname(b->num, &addr.sa, &addr_len) < 0)
@@ -539,7 +553,6 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
539 ret = 0; 553 ret = 0;
540 break; 554 break;
541 } 555 }
542 sockopt_len = sizeof(sockopt_val);
543 switch (addr.sa.sa_family) 556 switch (addr.sa.sa_family)
544 { 557 {
545 case AF_INET: 558 case AF_INET:
@@ -548,7 +561,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
548 &sockopt_val, sizeof(sockopt_val))) < 0) 561 &sockopt_val, sizeof(sockopt_val))) < 0)
549 perror("setsockopt"); 562 perror("setsockopt");
550 break; 563 break;
551#if OPENSSL_USE_IPV6 && defined(IPV6_MTU_DISCOVER) 564#if OPENSSL_USE_IPV6 && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO)
552 case AF_INET6: 565 case AF_INET6:
553 sockopt_val = IPV6_PMTUDISC_DO; 566 sockopt_val = IPV6_PMTUDISC_DO;
554 if ((ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_MTU_DISCOVER, 567 if ((ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
@@ -565,7 +578,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
565 break; 578 break;
566#endif 579#endif
567 case BIO_CTRL_DGRAM_QUERY_MTU: 580 case BIO_CTRL_DGRAM_QUERY_MTU:
568#ifdef OPENSSL_SYS_LINUX 581#if defined(OPENSSL_SYS_LINUX) && defined(IP_MTU)
569 addr_len = (socklen_t)sizeof(addr); 582 addr_len = (socklen_t)sizeof(addr);
570 memset((void *)&addr, 0, sizeof(addr)); 583 memset((void *)&addr, 0, sizeof(addr));
571 if (getsockname(b->num, &addr.sa, &addr_len) < 0) 584 if (getsockname(b->num, &addr.sa, &addr_len) < 0)
@@ -727,12 +740,15 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
727#endif 740#endif
728 break; 741 break;
729 case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT: 742 case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT:
730#ifdef OPENSSL_SYS_WINDOWS
731 { 743 {
732 int timeout, sz = sizeof(timeout); 744 union { size_t s; int i; } sz = {0};
745#ifdef OPENSSL_SYS_WINDOWS
746 int timeout;
733 struct timeval *tv = (struct timeval *)ptr; 747 struct timeval *tv = (struct timeval *)ptr;
748
749 sz.i = sizeof(timeout);
734 if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, 750 if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
735 (void*)&timeout, &sz) < 0) 751 (void*)&timeout, &sz.i) < 0)
736 { perror("getsockopt"); ret = -1; } 752 { perror("getsockopt"); ret = -1; }
737 else 753 else
738 { 754 {
@@ -740,12 +756,20 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
740 tv->tv_usec = (timeout % 1000) * 1000; 756 tv->tv_usec = (timeout % 1000) * 1000;
741 ret = sizeof(*tv); 757 ret = sizeof(*tv);
742 } 758 }
743 }
744#else 759#else
760 sz.i = sizeof(struct timeval);
745 if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, 761 if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO,
746 ptr, (void *)&ret) < 0) 762 ptr, (void *)&sz) < 0)
747 { perror("getsockopt"); ret = -1; } 763 { perror("getsockopt"); ret = -1; }
764 else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0)
765 {
766 OPENSSL_assert(sz.s<=sizeof(struct timeval));
767 ret = (int)sz.s;
768 }
769 else
770 ret = sz.i;
748#endif 771#endif
772 }
749 break; 773 break;
750#endif 774#endif
751#if defined(SO_SNDTIMEO) 775#if defined(SO_SNDTIMEO)
@@ -765,12 +789,15 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
765#endif 789#endif
766 break; 790 break;
767 case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT: 791 case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT:
768#ifdef OPENSSL_SYS_WINDOWS
769 { 792 {
770 int timeout, sz = sizeof(timeout); 793 union { size_t s; int i; } sz = {0};
794#ifdef OPENSSL_SYS_WINDOWS
795 int timeout;
771 struct timeval *tv = (struct timeval *)ptr; 796 struct timeval *tv = (struct timeval *)ptr;
797
798 sz.i = sizeof(timeout);
772 if (getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, 799 if (getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
773 (void*)&timeout, &sz) < 0) 800 (void*)&timeout, &sz.i) < 0)
774 { perror("getsockopt"); ret = -1; } 801 { perror("getsockopt"); ret = -1; }
775 else 802 else
776 { 803 {
@@ -778,12 +805,20 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
778 tv->tv_usec = (timeout % 1000) * 1000; 805 tv->tv_usec = (timeout % 1000) * 1000;
779 ret = sizeof(*tv); 806 ret = sizeof(*tv);
780 } 807 }
781 }
782#else 808#else
809 sz.i = sizeof(struct timeval);
783 if ( getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, 810 if ( getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO,
784 ptr, (void *)&ret) < 0) 811 ptr, (void *)&sz) < 0)
785 { perror("getsockopt"); ret = -1; } 812 { perror("getsockopt"); ret = -1; }
813 else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0)
814 {
815 OPENSSL_assert(sz.s<=sizeof(struct timeval));
816 ret = (int)sz.s;
817 }
818 else
819 ret = sz.i;
786#endif 820#endif
821 }
787 break; 822 break;
788#endif 823#endif
789 case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP: 824 case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP:
@@ -871,8 +906,8 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag)
871 memset(authchunks, 0, sizeof(sockopt_len)); 906 memset(authchunks, 0, sizeof(sockopt_len));
872 ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len); 907 ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len);
873 OPENSSL_assert(ret >= 0); 908 OPENSSL_assert(ret >= 0);
874 909
875 for (p = (unsigned char*) authchunks + sizeof(sctp_assoc_t); 910 for (p = (unsigned char*) authchunks->gauth_chunks;
876 p < (unsigned char*) authchunks + sockopt_len; 911 p < (unsigned char*) authchunks + sockopt_len;
877 p += sizeof(uint8_t)) 912 p += sizeof(uint8_t))
878 { 913 {
@@ -955,7 +990,6 @@ static int dgram_sctp_free(BIO *a)
955#ifdef SCTP_AUTHENTICATION_EVENT 990#ifdef SCTP_AUTHENTICATION_EVENT
956void dgram_sctp_handle_auth_free_key_event(BIO *b, union sctp_notification *snp) 991void dgram_sctp_handle_auth_free_key_event(BIO *b, union sctp_notification *snp)
957 { 992 {
958 unsigned int sockopt_len = 0;
959 int ret; 993 int ret;
960 struct sctp_authkey_event* authkeyevent = &snp->sn_auth_event; 994 struct sctp_authkey_event* authkeyevent = &snp->sn_auth_event;
961 995
@@ -965,9 +999,8 @@ void dgram_sctp_handle_auth_free_key_event(BIO *b, union sctp_notification *snp)
965 999
966 /* delete key */ 1000 /* delete key */
967 authkeyid.scact_keynumber = authkeyevent->auth_keynumber; 1001 authkeyid.scact_keynumber = authkeyevent->auth_keynumber;
968 sockopt_len = sizeof(struct sctp_authkeyid);
969 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_DELETE_KEY, 1002 ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_DELETE_KEY,
970 &authkeyid, sockopt_len); 1003 &authkeyid, sizeof(struct sctp_authkeyid));
971 } 1004 }
972 } 1005 }
973#endif 1006#endif
@@ -1164,7 +1197,7 @@ static int dgram_sctp_read(BIO *b, char *out, int outl)
1164 ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen); 1197 ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen);
1165 OPENSSL_assert(ii >= 0); 1198 OPENSSL_assert(ii >= 0);
1166 1199
1167 for (p = (unsigned char*) authchunks + sizeof(sctp_assoc_t); 1200 for (p = (unsigned char*) authchunks->gauth_chunks;
1168 p < (unsigned char*) authchunks + optlen; 1201 p < (unsigned char*) authchunks + optlen;
1169 p += sizeof(uint8_t)) 1202 p += sizeof(uint8_t))
1170 { 1203 {
@@ -1298,7 +1331,7 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr)
1298 { 1331 {
1299 long ret=1; 1332 long ret=1;
1300 bio_dgram_sctp_data *data = NULL; 1333 bio_dgram_sctp_data *data = NULL;
1301 unsigned int sockopt_len = 0; 1334 socklen_t sockopt_len = 0;
1302 struct sctp_authkeyid authkeyid; 1335 struct sctp_authkeyid authkeyid;
1303 struct sctp_authkey *authkey; 1336 struct sctp_authkey *authkey;
1304 1337
diff --git a/src/lib/libcrypto/bio/bss_log.c b/src/lib/libcrypto/bio/bss_log.c
index b7dce5c1a2..2227b2b52d 100644
--- a/src/lib/libcrypto/bio/bss_log.c
+++ b/src/lib/libcrypto/bio/bss_log.c
@@ -245,7 +245,7 @@ static int MS_CALLBACK slg_puts(BIO *bp, const char *str)
245 245
246static void xopenlog(BIO* bp, char* name, int level) 246static void xopenlog(BIO* bp, char* name, int level)
247{ 247{
248 if (GetVersion() < 0x80000000) 248 if (check_winnt())
249 bp->ptr = RegisterEventSourceA(NULL,name); 249 bp->ptr = RegisterEventSourceA(NULL,name);
250 else 250 else
251 bp->ptr = NULL; 251 bp->ptr = NULL;
diff --git a/src/lib/libcrypto/bn/asm/mips-mont.pl b/src/lib/libcrypto/bn/asm/mips-mont.pl
index b944a12b8e..caae04ed3a 100644
--- a/src/lib/libcrypto/bn/asm/mips-mont.pl
+++ b/src/lib/libcrypto/bn/asm/mips-mont.pl
@@ -133,7 +133,7 @@ $code.=<<___;
133 bnez $at,1f 133 bnez $at,1f
134 li $t0,0 134 li $t0,0
135 slt $at,$num,17 # on in-order CPU 135 slt $at,$num,17 # on in-order CPU
136 bnezl $at,bn_mul_mont_internal 136 bnez $at,bn_mul_mont_internal
137 nop 137 nop
1381: jr $ra 1381: jr $ra
139 li $a0,0 139 li $a0,0
diff --git a/src/lib/libcrypto/bn/asm/mips.pl b/src/lib/libcrypto/bn/asm/mips.pl
index c162a3ec23..d2f3ef7bbf 100644
--- a/src/lib/libcrypto/bn/asm/mips.pl
+++ b/src/lib/libcrypto/bn/asm/mips.pl
@@ -140,10 +140,10 @@ $code.=<<___;
140 .set reorder 140 .set reorder
141 li $minus4,-4 141 li $minus4,-4
142 and $ta0,$a2,$minus4 142 and $ta0,$a2,$minus4
143 $LD $t0,0($a1)
144 beqz $ta0,.L_bn_mul_add_words_tail 143 beqz $ta0,.L_bn_mul_add_words_tail
145 144
146.L_bn_mul_add_words_loop: 145.L_bn_mul_add_words_loop:
146 $LD $t0,0($a1)
147 $MULTU $t0,$a3 147 $MULTU $t0,$a3
148 $LD $t1,0($a0) 148 $LD $t1,0($a0)
149 $LD $t2,$BNSZ($a1) 149 $LD $t2,$BNSZ($a1)
@@ -200,10 +200,9 @@ $code.=<<___;
200 $ADDU $v0,$ta2 200 $ADDU $v0,$ta2
201 sltu $at,$ta3,$at 201 sltu $at,$ta3,$at
202 $ST $ta3,-$BNSZ($a0) 202 $ST $ta3,-$BNSZ($a0)
203 $ADDU $v0,$at
204 .set noreorder 203 .set noreorder
205 bgtzl $ta0,.L_bn_mul_add_words_loop 204 bgtz $ta0,.L_bn_mul_add_words_loop
206 $LD $t0,0($a1) 205 $ADDU $v0,$at
207 206
208 beqz $a2,.L_bn_mul_add_words_return 207 beqz $a2,.L_bn_mul_add_words_return
209 nop 208 nop
@@ -300,10 +299,10 @@ $code.=<<___;
300 .set reorder 299 .set reorder
301 li $minus4,-4 300 li $minus4,-4
302 and $ta0,$a2,$minus4 301 and $ta0,$a2,$minus4
303 $LD $t0,0($a1)
304 beqz $ta0,.L_bn_mul_words_tail 302 beqz $ta0,.L_bn_mul_words_tail
305 303
306.L_bn_mul_words_loop: 304.L_bn_mul_words_loop:
305 $LD $t0,0($a1)
307 $MULTU $t0,$a3 306 $MULTU $t0,$a3
308 $LD $t2,$BNSZ($a1) 307 $LD $t2,$BNSZ($a1)
309 $LD $ta0,2*$BNSZ($a1) 308 $LD $ta0,2*$BNSZ($a1)
@@ -341,10 +340,9 @@ $code.=<<___;
341 $ADDU $v0,$at 340 $ADDU $v0,$at
342 sltu $ta3,$v0,$at 341 sltu $ta3,$v0,$at
343 $ST $v0,-$BNSZ($a0) 342 $ST $v0,-$BNSZ($a0)
344 $ADDU $v0,$ta3,$ta2
345 .set noreorder 343 .set noreorder
346 bgtzl $ta0,.L_bn_mul_words_loop 344 bgtz $ta0,.L_bn_mul_words_loop
347 $LD $t0,0($a1) 345 $ADDU $v0,$ta3,$ta2
348 346
349 beqz $a2,.L_bn_mul_words_return 347 beqz $a2,.L_bn_mul_words_return
350 nop 348 nop
@@ -429,10 +427,10 @@ $code.=<<___;
429 .set reorder 427 .set reorder
430 li $minus4,-4 428 li $minus4,-4
431 and $ta0,$a2,$minus4 429 and $ta0,$a2,$minus4
432 $LD $t0,0($a1)
433 beqz $ta0,.L_bn_sqr_words_tail 430 beqz $ta0,.L_bn_sqr_words_tail
434 431
435.L_bn_sqr_words_loop: 432.L_bn_sqr_words_loop:
433 $LD $t0,0($a1)
436 $MULTU $t0,$t0 434 $MULTU $t0,$t0
437 $LD $t2,$BNSZ($a1) 435 $LD $t2,$BNSZ($a1)
438 $LD $ta0,2*$BNSZ($a1) 436 $LD $ta0,2*$BNSZ($a1)
@@ -463,11 +461,10 @@ $code.=<<___;
463 mflo $ta3 461 mflo $ta3
464 mfhi $ta2 462 mfhi $ta2
465 $ST $ta3,-2*$BNSZ($a0) 463 $ST $ta3,-2*$BNSZ($a0)
466 $ST $ta2,-$BNSZ($a0)
467 464
468 .set noreorder 465 .set noreorder
469 bgtzl $ta0,.L_bn_sqr_words_loop 466 bgtz $ta0,.L_bn_sqr_words_loop
470 $LD $t0,0($a1) 467 $ST $ta2,-$BNSZ($a0)
471 468
472 beqz $a2,.L_bn_sqr_words_return 469 beqz $a2,.L_bn_sqr_words_return
473 nop 470 nop
@@ -547,10 +544,10 @@ $code.=<<___;
547 .set reorder 544 .set reorder
548 li $minus4,-4 545 li $minus4,-4
549 and $at,$a3,$minus4 546 and $at,$a3,$minus4
550 $LD $t0,0($a1)
551 beqz $at,.L_bn_add_words_tail 547 beqz $at,.L_bn_add_words_tail
552 548
553.L_bn_add_words_loop: 549.L_bn_add_words_loop:
550 $LD $t0,0($a1)
554 $LD $ta0,0($a2) 551 $LD $ta0,0($a2)
555 subu $a3,4 552 subu $a3,4
556 $LD $t1,$BNSZ($a1) 553 $LD $t1,$BNSZ($a1)
@@ -589,11 +586,10 @@ $code.=<<___;
589 $ADDU $t3,$ta3,$v0 586 $ADDU $t3,$ta3,$v0
590 sltu $v0,$t3,$ta3 587 sltu $v0,$t3,$ta3
591 $ST $t3,-$BNSZ($a0) 588 $ST $t3,-$BNSZ($a0)
592 $ADDU $v0,$t9
593 589
594 .set noreorder 590 .set noreorder
595 bgtzl $at,.L_bn_add_words_loop 591 bgtz $at,.L_bn_add_words_loop
596 $LD $t0,0($a1) 592 $ADDU $v0,$t9
597 593
598 beqz $a3,.L_bn_add_words_return 594 beqz $a3,.L_bn_add_words_return
599 nop 595 nop
@@ -679,10 +675,10 @@ $code.=<<___;
679 .set reorder 675 .set reorder
680 li $minus4,-4 676 li $minus4,-4
681 and $at,$a3,$minus4 677 and $at,$a3,$minus4
682 $LD $t0,0($a1)
683 beqz $at,.L_bn_sub_words_tail 678 beqz $at,.L_bn_sub_words_tail
684 679
685.L_bn_sub_words_loop: 680.L_bn_sub_words_loop:
681 $LD $t0,0($a1)
686 $LD $ta0,0($a2) 682 $LD $ta0,0($a2)
687 subu $a3,4 683 subu $a3,4
688 $LD $t1,$BNSZ($a1) 684 $LD $t1,$BNSZ($a1)
@@ -722,11 +718,10 @@ $code.=<<___;
722 $SUBU $t3,$ta3,$v0 718 $SUBU $t3,$ta3,$v0
723 sgtu $v0,$t3,$ta3 719 sgtu $v0,$t3,$ta3
724 $ST $t3,-$BNSZ($a0) 720 $ST $t3,-$BNSZ($a0)
725 $ADDU $v0,$t9
726 721
727 .set noreorder 722 .set noreorder
728 bgtzl $at,.L_bn_sub_words_loop 723 bgtz $at,.L_bn_sub_words_loop
729 $LD $t0,0($a1) 724 $ADDU $v0,$t9
730 725
731 beqz $a3,.L_bn_sub_words_return 726 beqz $a3,.L_bn_sub_words_return
732 nop 727 nop
@@ -819,7 +814,7 @@ ___
819$code.=<<___; 814$code.=<<___;
820 .set reorder 815 .set reorder
821 move $ta3,$ra 816 move $ta3,$ra
822 bal bn_div_words 817 bal bn_div_words_internal
823 move $ra,$ta3 818 move $ra,$ta3
824 $MULTU $ta2,$v0 819 $MULTU $ta2,$v0
825 $LD $t2,-2*$BNSZ($a3) 820 $LD $t2,-2*$BNSZ($a3)
@@ -840,8 +835,9 @@ $code.=<<___;
840 sltu $ta0,$a1,$a2 835 sltu $ta0,$a1,$a2
841 or $t8,$ta0 836 or $t8,$ta0
842 .set noreorder 837 .set noreorder
843 beqzl $at,.L_bn_div_3_words_inner_loop 838 beqz $at,.L_bn_div_3_words_inner_loop
844 $SUBU $v0,1 839 $SUBU $v0,1
840 $ADDU $v0,1
845 .set reorder 841 .set reorder
846.L_bn_div_3_words_inner_loop_done: 842.L_bn_div_3_words_inner_loop_done:
847 .set noreorder 843 .set noreorder
@@ -902,7 +898,8 @@ $code.=<<___;
902 and $t2,$a0 898 and $t2,$a0
903 $SRL $at,$a1,$t1 899 $SRL $at,$a1,$t1
904 .set noreorder 900 .set noreorder
905 bnezl $t2,.+8 901 beqz $t2,.+12
902 nop
906 break 6 # signal overflow 903 break 6 # signal overflow
907 .set reorder 904 .set reorder
908 $SLL $a0,$t9 905 $SLL $a0,$t9
@@ -917,7 +914,8 @@ $code.=<<___;
917 $SRL $DH,$a2,4*$BNSZ # bits 914 $SRL $DH,$a2,4*$BNSZ # bits
918 sgeu $at,$a0,$a2 915 sgeu $at,$a0,$a2
919 .set noreorder 916 .set noreorder
920 bnezl $at,.+8 917 beqz $at,.+12
918 nop
921 $SUBU $a0,$a2 919 $SUBU $a0,$a2
922 .set reorder 920 .set reorder
923 921
diff --git a/src/lib/libcrypto/bn/asm/modexp512-x86_64.pl b/src/lib/libcrypto/bn/asm/modexp512-x86_64.pl
index 54aeb01921..bfd6e97541 100644
--- a/src/lib/libcrypto/bn/asm/modexp512-x86_64.pl
+++ b/src/lib/libcrypto/bn/asm/modexp512-x86_64.pl
@@ -68,7 +68,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
68( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 68( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
69die "can't locate x86_64-xlate.pl"; 69die "can't locate x86_64-xlate.pl";
70 70
71open STDOUT,"| $^X $xlate $flavour $output"; 71open OUT,"| \"$^X\" $xlate $flavour $output";
72*STDOUT=*OUT;
72 73
73use strict; 74use strict;
74my $code=".text\n\n"; 75my $code=".text\n\n";
diff --git a/src/lib/libcrypto/bn/asm/parisc-mont.pl b/src/lib/libcrypto/bn/asm/parisc-mont.pl
index 4a766a87fb..c02ef6f014 100644
--- a/src/lib/libcrypto/bn/asm/parisc-mont.pl
+++ b/src/lib/libcrypto/bn/asm/parisc-mont.pl
@@ -40,7 +40,7 @@
40# of arithmetic operations, most notably multiplications. It requires 40# of arithmetic operations, most notably multiplications. It requires
41# more memory references, most notably to tp[num], but this doesn't 41# more memory references, most notably to tp[num], but this doesn't
42# seem to exhaust memory port capacity. And indeed, dedicated PA-RISC 42# seem to exhaust memory port capacity. And indeed, dedicated PA-RISC
43# 2.0 code path, provides virtually same performance as pa-risc2[W].s: 43# 2.0 code path provides virtually same performance as pa-risc2[W].s:
44# it's ~10% better for shortest key length and ~10% worse for longest 44# it's ~10% better for shortest key length and ~10% worse for longest
45# one. 45# one.
46# 46#
@@ -988,6 +988,8 @@ foreach (split("\n",$code)) {
988 # assemble 2.0 instructions in 32-bit mode... 988 # assemble 2.0 instructions in 32-bit mode...
989 s/^\s+([a-z]+)([\S]*)\s+([\S]*)/&assemble($1,$2,$3)/e if ($BN_SZ==4); 989 s/^\s+([a-z]+)([\S]*)\s+([\S]*)/&assemble($1,$2,$3)/e if ($BN_SZ==4);
990 990
991 s/\bbv\b/bve/gm if ($SIZE_T==8);
992
991 print $_,"\n"; 993 print $_,"\n";
992} 994}
993close STDOUT; 995close STDOUT;
diff --git a/src/lib/libcrypto/bn/asm/x86_64-gf2m.pl b/src/lib/libcrypto/bn/asm/x86_64-gf2m.pl
index 1658acbbdd..226c66c35e 100644
--- a/src/lib/libcrypto/bn/asm/x86_64-gf2m.pl
+++ b/src/lib/libcrypto/bn/asm/x86_64-gf2m.pl
@@ -31,7 +31,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
31( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 31( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
32die "can't locate x86_64-xlate.pl"; 32die "can't locate x86_64-xlate.pl";
33 33
34open STDOUT,"| $^X $xlate $flavour $output"; 34open OUT,"| \"$^X\" $xlate $flavour $output";
35*STDOUT=*OUT;
35 36
36($lo,$hi)=("%rax","%rdx"); $a=$lo; 37($lo,$hi)=("%rax","%rdx"); $a=$lo;
37($i0,$i1)=("%rsi","%rdi"); 38($i0,$i1)=("%rsi","%rdi");
diff --git a/src/lib/libcrypto/bn/asm/x86_64-mont.pl b/src/lib/libcrypto/bn/asm/x86_64-mont.pl
index 5d79b35e1c..17fb94c84c 100755
--- a/src/lib/libcrypto/bn/asm/x86_64-mont.pl
+++ b/src/lib/libcrypto/bn/asm/x86_64-mont.pl
@@ -40,7 +40,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
40( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 40( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
41die "can't locate x86_64-xlate.pl"; 41die "can't locate x86_64-xlate.pl";
42 42
43open STDOUT,"| $^X $xlate $flavour $output"; 43open OUT,"| \"$^X\" $xlate $flavour $output";
44*STDOUT=*OUT;
44 45
45# int bn_mul_mont( 46# int bn_mul_mont(
46$rp="%rdi"; # BN_ULONG *rp, 47$rp="%rdi"; # BN_ULONG *rp,
diff --git a/src/lib/libcrypto/bn/asm/x86_64-mont5.pl b/src/lib/libcrypto/bn/asm/x86_64-mont5.pl
index 057cda28aa..dae0fe2453 100755
--- a/src/lib/libcrypto/bn/asm/x86_64-mont5.pl
+++ b/src/lib/libcrypto/bn/asm/x86_64-mont5.pl
@@ -28,7 +28,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
28( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 28( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
29die "can't locate x86_64-xlate.pl"; 29die "can't locate x86_64-xlate.pl";
30 30
31open STDOUT,"| $^X $xlate $flavour $output"; 31open OUT,"| \"$^X\" $xlate $flavour $output";
32*STDOUT=*OUT;
32 33
33# int bn_mul_mont_gather5( 34# int bn_mul_mont_gather5(
34$rp="%rdi"; # BN_ULONG *rp, 35$rp="%rdi"; # BN_ULONG *rp,
@@ -900,8 +901,8 @@ $code.=<<___;
900 jnz .Lgather 901 jnz .Lgather
901___ 902___
902$code.=<<___ if ($win64); 903$code.=<<___ if ($win64);
903 movaps %xmm6,(%rsp) 904 movaps (%rsp),%xmm6
904 movaps %xmm7,0x10(%rsp) 905 movaps 0x10(%rsp),%xmm7
905 lea 0x28(%rsp),%rsp 906 lea 0x28(%rsp),%rsp
906___ 907___
907$code.=<<___; 908$code.=<<___;
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index f34248ec4f..21a1a3fe35 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -538,6 +538,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret,
538BIGNUM *BN_mod_sqrt(BIGNUM *ret, 538BIGNUM *BN_mod_sqrt(BIGNUM *ret,
539 const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx); 539 const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
540 540
541void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
542
541/* Deprecated versions */ 543/* Deprecated versions */
542#ifndef OPENSSL_NO_DEPRECATED 544#ifndef OPENSSL_NO_DEPRECATED
543BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe, 545BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
@@ -774,11 +776,20 @@ int RAND_pseudo_bytes(unsigned char *buf,int num);
774 776
775#define bn_fix_top(a) bn_check_top(a) 777#define bn_fix_top(a) bn_check_top(a)
776 778
779#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
780#define bn_wcheck_size(bn, words) \
781 do { \
782 const BIGNUM *_bnum2 = (bn); \
783 assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
784 } while(0)
785
777#else /* !BN_DEBUG */ 786#else /* !BN_DEBUG */
778 787
779#define bn_pollute(a) 788#define bn_pollute(a)
780#define bn_check_top(a) 789#define bn_check_top(a)
781#define bn_fix_top(a) bn_correct_top(a) 790#define bn_fix_top(a) bn_correct_top(a)
791#define bn_check_size(bn, bits)
792#define bn_wcheck_size(bn, words)
782 793
783#endif 794#endif
784 795
diff --git a/src/lib/libcrypto/bn/bn_div.c b/src/lib/libcrypto/bn/bn_div.c
index 52b3304293..7b2403185e 100644
--- a/src/lib/libcrypto/bn/bn_div.c
+++ b/src/lib/libcrypto/bn/bn_div.c
@@ -141,6 +141,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
141 * 141 *
142 * <appro@fy.chalmers.se> 142 * <appro@fy.chalmers.se>
143 */ 143 */
144#undef bn_div_words
144# define bn_div_words(n0,n1,d0) \ 145# define bn_div_words(n0,n1,d0) \
145 ({ asm volatile ( \ 146 ({ asm volatile ( \
146 "divl %4" \ 147 "divl %4" \
@@ -155,6 +156,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
155 * Same story here, but it's 128-bit by 64-bit division. Wow! 156 * Same story here, but it's 128-bit by 64-bit division. Wow!
156 * <appro@fy.chalmers.se> 157 * <appro@fy.chalmers.se>
157 */ 158 */
159# undef bn_div_words
158# define bn_div_words(n0,n1,d0) \ 160# define bn_div_words(n0,n1,d0) \
159 ({ asm volatile ( \ 161 ({ asm volatile ( \
160 "divq %4" \ 162 "divq %4" \
diff --git a/src/lib/libcrypto/bn/bn_gcd.c b/src/lib/libcrypto/bn/bn_gcd.c
index 4a352119ba..a808f53178 100644
--- a/src/lib/libcrypto/bn/bn_gcd.c
+++ b/src/lib/libcrypto/bn/bn_gcd.c
@@ -205,6 +205,7 @@ err:
205/* solves ax == 1 (mod n) */ 205/* solves ax == 1 (mod n) */
206static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, 206static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
207 const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); 207 const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
208
208BIGNUM *BN_mod_inverse(BIGNUM *in, 209BIGNUM *BN_mod_inverse(BIGNUM *in,
209 const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) 210 const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
210 { 211 {
diff --git a/src/lib/libcrypto/bn/bn_lcl.h b/src/lib/libcrypto/bn/bn_lcl.h
index eecfd8cc99..817c773b65 100644
--- a/src/lib/libcrypto/bn/bn_lcl.h
+++ b/src/lib/libcrypto/bn/bn_lcl.h
@@ -282,16 +282,23 @@ extern "C" {
282# endif 282# endif
283# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)) 283# elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG))
284# if defined(__GNUC__) && __GNUC__>=2 284# if defined(__GNUC__) && __GNUC__>=2
285# define BN_UMULT_HIGH(a,b) ({ \ 285# if __GNUC__>=4 && __GNUC_MINOR__>=4 /* "h" constraint is no more since 4.4 */
286# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64)
287# define BN_UMULT_LOHI(low,high,a,b) ({ \
288 __uint128_t ret=(__uint128_t)(a)*(b); \
289 (high)=ret>>64; (low)=ret; })
290# else
291# define BN_UMULT_HIGH(a,b) ({ \
286 register BN_ULONG ret; \ 292 register BN_ULONG ret; \
287 asm ("dmultu %1,%2" \ 293 asm ("dmultu %1,%2" \
288 : "=h"(ret) \ 294 : "=h"(ret) \
289 : "r"(a), "r"(b) : "l"); \ 295 : "r"(a), "r"(b) : "l"); \
290 ret; }) 296 ret; })
291# define BN_UMULT_LOHI(low,high,a,b) \ 297# define BN_UMULT_LOHI(low,high,a,b)\
292 asm ("dmultu %2,%3" \ 298 asm ("dmultu %2,%3" \
293 : "=l"(low),"=h"(high) \ 299 : "=l"(low),"=h"(high) \
294 : "r"(a), "r"(b)); 300 : "r"(a), "r"(b));
301# endif
295# endif 302# endif
296# endif /* cpu */ 303# endif /* cpu */
297#endif /* OPENSSL_NO_ASM */ 304#endif /* OPENSSL_NO_ASM */
diff --git a/src/lib/libcrypto/bn/bn_lib.c b/src/lib/libcrypto/bn/bn_lib.c
index 7a5676de69..5461e6ee7d 100644
--- a/src/lib/libcrypto/bn/bn_lib.c
+++ b/src/lib/libcrypto/bn/bn_lib.c
@@ -824,3 +824,55 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
824 } 824 }
825 return bn_cmp_words(a,b,cl); 825 return bn_cmp_words(a,b,cl);
826 } 826 }
827
828/*
829 * Constant-time conditional swap of a and b.
830 * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
831 * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
832 * and that no more than nwords are used by either a or b.
833 * a and b cannot be the same number
834 */
835void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
836 {
837 BN_ULONG t;
838 int i;
839
840 bn_wcheck_size(a, nwords);
841 bn_wcheck_size(b, nwords);
842
843 assert(a != b);
844 assert((condition & (condition - 1)) == 0);
845 assert(sizeof(BN_ULONG) >= sizeof(int));
846
847 condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
848
849 t = (a->top^b->top) & condition;
850 a->top ^= t;
851 b->top ^= t;
852
853#define BN_CONSTTIME_SWAP(ind) \
854 do { \
855 t = (a->d[ind] ^ b->d[ind]) & condition; \
856 a->d[ind] ^= t; \
857 b->d[ind] ^= t; \
858 } while (0)
859
860
861 switch (nwords) {
862 default:
863 for (i = 10; i < nwords; i++)
864 BN_CONSTTIME_SWAP(i);
865 /* Fallthrough */
866 case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
867 case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
868 case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
869 case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
870 case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
871 case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
872 case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
873 case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
874 case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
875 case 1: BN_CONSTTIME_SWAP(0);
876 }
877#undef BN_CONSTTIME_SWAP
878}
diff --git a/src/lib/libcrypto/bn/bn_nist.c b/src/lib/libcrypto/bn/bn_nist.c
index 43caee4770..e22968d4a3 100644
--- a/src/lib/libcrypto/bn/bn_nist.c
+++ b/src/lib/libcrypto/bn/bn_nist.c
@@ -286,26 +286,25 @@ const BIGNUM *BN_get0_nist_prime_521(void)
286 } 286 }
287 287
288 288
289static void nist_cp_bn_0(BN_ULONG *buf, BN_ULONG *a, int top, int max) 289static void nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max)
290 { 290 {
291 int i; 291 int i;
292 BN_ULONG *_tmp1 = (buf), *_tmp2 = (a);
293 292
294#ifdef BN_DEBUG 293#ifdef BN_DEBUG
295 OPENSSL_assert(top <= max); 294 OPENSSL_assert(top <= max);
296#endif 295#endif
297 for (i = (top); i != 0; i--) 296 for (i = 0; i < top; i++)
298 *_tmp1++ = *_tmp2++; 297 dst[i] = src[i];
299 for (i = (max) - (top); i != 0; i--) 298 for (; i < max; i++)
300 *_tmp1++ = (BN_ULONG) 0; 299 dst[i] = 0;
301 } 300 }
302 301
303static void nist_cp_bn(BN_ULONG *buf, BN_ULONG *a, int top) 302static void nist_cp_bn(BN_ULONG *dst, const BN_ULONG *src, int top)
304 { 303 {
305 int i; 304 int i;
306 BN_ULONG *_tmp1 = (buf), *_tmp2 = (a); 305
307 for (i = (top); i != 0; i--) 306 for (i = 0; i < top; i++)
308 *_tmp1++ = *_tmp2++; 307 dst[i] = src[i];
309 } 308 }
310 309
311#if BN_BITS2 == 64 310#if BN_BITS2 == 64
@@ -451,8 +450,9 @@ int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
451 */ 450 */
452 mask = 0-(PTR_SIZE_INT)bn_sub_words(c_d,r_d,_nist_p_192[0],BN_NIST_192_TOP); 451 mask = 0-(PTR_SIZE_INT)bn_sub_words(c_d,r_d,_nist_p_192[0],BN_NIST_192_TOP);
453 mask &= 0-(PTR_SIZE_INT)carry; 452 mask &= 0-(PTR_SIZE_INT)carry;
453 res = c_d;
454 res = (BN_ULONG *) 454 res = (BN_ULONG *)
455 (((PTR_SIZE_INT)c_d&~mask) | ((PTR_SIZE_INT)r_d&mask)); 455 (((PTR_SIZE_INT)res&~mask) | ((PTR_SIZE_INT)r_d&mask));
456 nist_cp_bn(r_d, res, BN_NIST_192_TOP); 456 nist_cp_bn(r_d, res, BN_NIST_192_TOP);
457 r->top = BN_NIST_192_TOP; 457 r->top = BN_NIST_192_TOP;
458 bn_correct_top(r); 458 bn_correct_top(r);
@@ -479,8 +479,11 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
479 int top = a->top, i; 479 int top = a->top, i;
480 int carry; 480 int carry;
481 BN_ULONG *r_d, *a_d = a->d; 481 BN_ULONG *r_d, *a_d = a->d;
482 BN_ULONG buf[BN_NIST_224_TOP], 482 union {
483 c_d[BN_NIST_224_TOP], 483 BN_ULONG bn[BN_NIST_224_TOP];
484 unsigned int ui[BN_NIST_224_TOP*sizeof(BN_ULONG)/sizeof(unsigned int)];
485 } buf;
486 BN_ULONG c_d[BN_NIST_224_TOP],
484 *res; 487 *res;
485 PTR_SIZE_INT mask; 488 PTR_SIZE_INT mask;
486 union { bn_addsub_f f; PTR_SIZE_INT p; } u; 489 union { bn_addsub_f f; PTR_SIZE_INT p; } u;
@@ -519,18 +522,18 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
519 /* copy upper 256 bits of 448 bit number ... */ 522 /* copy upper 256 bits of 448 bit number ... */
520 nist_cp_bn_0(c_d, a_d + (BN_NIST_224_TOP-1), top - (BN_NIST_224_TOP-1), BN_NIST_224_TOP); 523 nist_cp_bn_0(c_d, a_d + (BN_NIST_224_TOP-1), top - (BN_NIST_224_TOP-1), BN_NIST_224_TOP);
521 /* ... and right shift by 32 to obtain upper 224 bits */ 524 /* ... and right shift by 32 to obtain upper 224 bits */
522 nist_set_224(buf, c_d, 14, 13, 12, 11, 10, 9, 8); 525 nist_set_224(buf.bn, c_d, 14, 13, 12, 11, 10, 9, 8);
523 /* truncate lower part to 224 bits too */ 526 /* truncate lower part to 224 bits too */
524 r_d[BN_NIST_224_TOP-1] &= BN_MASK2l; 527 r_d[BN_NIST_224_TOP-1] &= BN_MASK2l;
525#else 528#else
526 nist_cp_bn_0(buf, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_224_TOP); 529 nist_cp_bn_0(buf.bn, a_d + BN_NIST_224_TOP, top - BN_NIST_224_TOP, BN_NIST_224_TOP);
527#endif 530#endif
528 531
529#if defined(NIST_INT64) && BN_BITS2!=64 532#if defined(NIST_INT64) && BN_BITS2!=64
530 { 533 {
531 NIST_INT64 acc; /* accumulator */ 534 NIST_INT64 acc; /* accumulator */
532 unsigned int *rp=(unsigned int *)r_d; 535 unsigned int *rp=(unsigned int *)r_d;
533 const unsigned int *bp=(const unsigned int *)buf; 536 const unsigned int *bp=(const unsigned int *)buf.ui;
534 537
535 acc = rp[0]; acc -= bp[7-7]; 538 acc = rp[0]; acc -= bp[7-7];
536 acc -= bp[11-7]; rp[0] = (unsigned int)acc; acc >>= 32; 539 acc -= bp[11-7]; rp[0] = (unsigned int)acc; acc >>= 32;
@@ -565,13 +568,13 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
565 { 568 {
566 BN_ULONG t_d[BN_NIST_224_TOP]; 569 BN_ULONG t_d[BN_NIST_224_TOP];
567 570
568 nist_set_224(t_d, buf, 10, 9, 8, 7, 0, 0, 0); 571 nist_set_224(t_d, buf.bn, 10, 9, 8, 7, 0, 0, 0);
569 carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP); 572 carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
570 nist_set_224(t_d, buf, 0, 13, 12, 11, 0, 0, 0); 573 nist_set_224(t_d, buf.bn, 0, 13, 12, 11, 0, 0, 0);
571 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP); 574 carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP);
572 nist_set_224(t_d, buf, 13, 12, 11, 10, 9, 8, 7); 575 nist_set_224(t_d, buf.bn, 13, 12, 11, 10, 9, 8, 7);
573 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP); 576 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
574 nist_set_224(t_d, buf, 0, 0, 0, 0, 13, 12, 11); 577 nist_set_224(t_d, buf.bn, 0, 0, 0, 0, 13, 12, 11);
575 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP); 578 carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP);
576 579
577#if BN_BITS2==64 580#if BN_BITS2==64
@@ -606,7 +609,8 @@ int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
606 /* otherwise it's effectively same as in BN_nist_mod_192... */ 609 /* otherwise it's effectively same as in BN_nist_mod_192... */
607 mask = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_224[0],BN_NIST_224_TOP); 610 mask = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_224[0],BN_NIST_224_TOP);
608 mask &= 0-(PTR_SIZE_INT)carry; 611 mask &= 0-(PTR_SIZE_INT)carry;
609 res = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) | 612 res = c_d;
613 res = (BN_ULONG *)(((PTR_SIZE_INT)res&~mask) |
610 ((PTR_SIZE_INT)r_d&mask)); 614 ((PTR_SIZE_INT)r_d&mask));
611 nist_cp_bn(r_d, res, BN_NIST_224_TOP); 615 nist_cp_bn(r_d, res, BN_NIST_224_TOP);
612 r->top = BN_NIST_224_TOP; 616 r->top = BN_NIST_224_TOP;
@@ -805,7 +809,8 @@ int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
805 809
806 mask = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_256[0],BN_NIST_256_TOP); 810 mask = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_256[0],BN_NIST_256_TOP);
807 mask &= 0-(PTR_SIZE_INT)carry; 811 mask &= 0-(PTR_SIZE_INT)carry;
808 res = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) | 812 res = c_d;
813 res = (BN_ULONG *)(((PTR_SIZE_INT)res&~mask) |
809 ((PTR_SIZE_INT)r_d&mask)); 814 ((PTR_SIZE_INT)r_d&mask));
810 nist_cp_bn(r_d, res, BN_NIST_256_TOP); 815 nist_cp_bn(r_d, res, BN_NIST_256_TOP);
811 r->top = BN_NIST_256_TOP; 816 r->top = BN_NIST_256_TOP;
@@ -1026,7 +1031,8 @@ int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
1026 1031
1027 mask = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_384[0],BN_NIST_384_TOP); 1032 mask = 0-(PTR_SIZE_INT)(*u.f)(c_d,r_d,_nist_p_384[0],BN_NIST_384_TOP);
1028 mask &= 0-(PTR_SIZE_INT)carry; 1033 mask &= 0-(PTR_SIZE_INT)carry;
1029 res = (BN_ULONG *)(((PTR_SIZE_INT)c_d&~mask) | 1034 res = c_d;
1035 res = (BN_ULONG *)(((PTR_SIZE_INT)res&~mask) |
1030 ((PTR_SIZE_INT)r_d&mask)); 1036 ((PTR_SIZE_INT)r_d&mask));
1031 nist_cp_bn(r_d, res, BN_NIST_384_TOP); 1037 nist_cp_bn(r_d, res, BN_NIST_384_TOP);
1032 r->top = BN_NIST_384_TOP; 1038 r->top = BN_NIST_384_TOP;
@@ -1092,7 +1098,8 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
1092 1098
1093 bn_add_words(r_d,r_d,t_d,BN_NIST_521_TOP); 1099 bn_add_words(r_d,r_d,t_d,BN_NIST_521_TOP);
1094 mask = 0-(PTR_SIZE_INT)bn_sub_words(t_d,r_d,_nist_p_521,BN_NIST_521_TOP); 1100 mask = 0-(PTR_SIZE_INT)bn_sub_words(t_d,r_d,_nist_p_521,BN_NIST_521_TOP);
1095 res = (BN_ULONG *)(((PTR_SIZE_INT)t_d&~mask) | 1101 res = t_d;
1102 res = (BN_ULONG *)(((PTR_SIZE_INT)res&~mask) |
1096 ((PTR_SIZE_INT)r_d&mask)); 1103 ((PTR_SIZE_INT)r_d&mask));
1097 nist_cp_bn(r_d,res,BN_NIST_521_TOP); 1104 nist_cp_bn(r_d,res,BN_NIST_521_TOP);
1098 r->top = BN_NIST_521_TOP; 1105 r->top = BN_NIST_521_TOP;
diff --git a/src/lib/libcrypto/bn/bn_word.c b/src/lib/libcrypto/bn/bn_word.c
index ee7b87c45c..de83a15b99 100644
--- a/src/lib/libcrypto/bn/bn_word.c
+++ b/src/lib/libcrypto/bn/bn_word.c
@@ -144,26 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
144 a->neg=!(a->neg); 144 a->neg=!(a->neg);
145 return(i); 145 return(i);
146 } 146 }
147 /* Only expand (and risk failing) if it's possibly necessary */ 147 for (i=0;w!=0 && i<a->top;i++)
148 if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) &&
149 (bn_wexpand(a,a->top+1) == NULL))
150 return(0);
151 i=0;
152 for (;;)
153 { 148 {
154 if (i >= a->top) 149 a->d[i] = l = (a->d[i]+w)&BN_MASK2;
155 l=w; 150 w = (w>l)?1:0;
156 else
157 l=(a->d[i]+w)&BN_MASK2;
158 a->d[i]=l;
159 if (w > l)
160 w=1;
161 else
162 break;
163 i++;
164 } 151 }
165 if (i >= a->top) 152 if (w && i==a->top)
153 {
154 if (bn_wexpand(a,a->top+1) == NULL) return 0;
166 a->top++; 155 a->top++;
156 a->d[i]=w;
157 }
167 bn_check_top(a); 158 bn_check_top(a);
168 return(1); 159 return(1);
169 } 160 }
diff --git a/src/lib/libcrypto/buffer/buffer.c b/src/lib/libcrypto/buffer/buffer.c
index d7aa79ad7f..d4a4ce43b3 100644
--- a/src/lib/libcrypto/buffer/buffer.c
+++ b/src/lib/libcrypto/buffer/buffer.c
@@ -179,14 +179,14 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
179 return(len); 179 return(len);
180 } 180 }
181 181
182void BUF_reverse(unsigned char *out, unsigned char *in, size_t size) 182void BUF_reverse(unsigned char *out, const unsigned char *in, size_t size)
183 { 183 {
184 size_t i; 184 size_t i;
185 if (in) 185 if (in)
186 { 186 {
187 out += size - 1; 187 out += size - 1;
188 for (i = 0; i < size; i++) 188 for (i = 0; i < size; i++)
189 *in++ = *out--; 189 *out-- = *in++;
190 } 190 }
191 else 191 else
192 { 192 {
diff --git a/src/lib/libcrypto/buffer/buffer.h b/src/lib/libcrypto/buffer/buffer.h
index 178e418282..f8da32b485 100644
--- a/src/lib/libcrypto/buffer/buffer.h
+++ b/src/lib/libcrypto/buffer/buffer.h
@@ -88,7 +88,7 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len);
88char * BUF_strdup(const char *str); 88char * BUF_strdup(const char *str);
89char * BUF_strndup(const char *str, size_t siz); 89char * BUF_strndup(const char *str, size_t siz);
90void * BUF_memdup(const void *data, size_t siz); 90void * BUF_memdup(const void *data, size_t siz);
91void BUF_reverse(unsigned char *out, unsigned char *in, size_t siz); 91void BUF_reverse(unsigned char *out, const unsigned char *in, size_t siz);
92 92
93/* safe string functions */ 93/* safe string functions */
94size_t BUF_strlcpy(char *dst,const char *src,size_t siz); 94size_t BUF_strlcpy(char *dst,const char *src,size_t siz);
diff --git a/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl b/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl
index 76955e4726..9f4b82fa48 100644
--- a/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl
+++ b/src/lib/libcrypto/camellia/asm/cmll-x86_64.pl
@@ -40,7 +40,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
40( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 40( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
41die "can't locate x86_64-xlate.pl"; 41die "can't locate x86_64-xlate.pl";
42 42
43open STDOUT,"| $^X $xlate $flavour $output"; 43open OUT,"| \"$^X\" $xlate $flavour $output";
44*STDOUT=*OUT;
44 45
45sub hi() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1h/; $r; } 46sub hi() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1h/; $r; }
46sub lo() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1l/; 47sub lo() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1l/;
diff --git a/src/lib/libcrypto/cms/cms_cd.c b/src/lib/libcrypto/cms/cms_cd.c
index a5fc2c4e2b..2021688101 100644
--- a/src/lib/libcrypto/cms/cms_cd.c
+++ b/src/lib/libcrypto/cms/cms_cd.c
@@ -58,7 +58,9 @@
58#include <openssl/err.h> 58#include <openssl/err.h>
59#include <openssl/cms.h> 59#include <openssl/cms.h>
60#include <openssl/bio.h> 60#include <openssl/bio.h>
61#ifndef OPENSSL_NO_COMP
61#include <openssl/comp.h> 62#include <openssl/comp.h>
63#endif
62#include "cms_lcl.h" 64#include "cms_lcl.h"
63 65
64DECLARE_ASN1_ITEM(CMS_CompressedData) 66DECLARE_ASN1_ITEM(CMS_CompressedData)
diff --git a/src/lib/libcrypto/cms/cms_enc.c b/src/lib/libcrypto/cms/cms_enc.c
index f873ce3794..bebeaf29c7 100644
--- a/src/lib/libcrypto/cms/cms_enc.c
+++ b/src/lib/libcrypto/cms/cms_enc.c
@@ -74,7 +74,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
74 X509_ALGOR *calg = ec->contentEncryptionAlgorithm; 74 X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
75 unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL; 75 unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL;
76 unsigned char *tkey = NULL; 76 unsigned char *tkey = NULL;
77 size_t tkeylen; 77 size_t tkeylen = 0;
78 78
79 int ok = 0; 79 int ok = 0;
80 80
diff --git a/src/lib/libcrypto/cms/cms_lib.c b/src/lib/libcrypto/cms/cms_lib.c
index f88e8f3b52..ba08279a04 100644
--- a/src/lib/libcrypto/cms/cms_lib.c
+++ b/src/lib/libcrypto/cms/cms_lib.c
@@ -411,9 +411,7 @@ int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
411 * algorithm OID instead of digest. 411 * algorithm OID instead of digest.
412 */ 412 */
413 || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid) 413 || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid)
414 {
415 return EVP_MD_CTX_copy_ex(mctx, mtmp); 414 return EVP_MD_CTX_copy_ex(mctx, mtmp);
416 }
417 chain = BIO_next(chain); 415 chain = BIO_next(chain);
418 } 416 }
419 } 417 }
@@ -467,8 +465,6 @@ int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert)
467 pcerts = cms_get0_certificate_choices(cms); 465 pcerts = cms_get0_certificate_choices(cms);
468 if (!pcerts) 466 if (!pcerts)
469 return 0; 467 return 0;
470 if (!pcerts)
471 return 0;
472 for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) 468 for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++)
473 { 469 {
474 cch = sk_CMS_CertificateChoices_value(*pcerts, i); 470 cch = sk_CMS_CertificateChoices_value(*pcerts, i);
diff --git a/src/lib/libcrypto/conf/conf_mall.c b/src/lib/libcrypto/conf/conf_mall.c
index c6f4cb2d55..213890e0c2 100644
--- a/src/lib/libcrypto/conf/conf_mall.c
+++ b/src/lib/libcrypto/conf/conf_mall.c
@@ -76,5 +76,6 @@ void OPENSSL_load_builtin_modules(void)
76#ifndef OPENSSL_NO_ENGINE 76#ifndef OPENSSL_NO_ENGINE
77 ENGINE_add_conf_module(); 77 ENGINE_add_conf_module();
78#endif 78#endif
79 EVP_add_alg_module();
79 } 80 }
80 81
diff --git a/src/lib/libcrypto/cryptlib.c b/src/lib/libcrypto/cryptlib.c
index 766ea8cac7..0b77d8b7d0 100644
--- a/src/lib/libcrypto/cryptlib.c
+++ b/src/lib/libcrypto/cryptlib.c
@@ -504,7 +504,7 @@ void CRYPTO_THREADID_current(CRYPTO_THREADID *id)
504 CRYPTO_THREADID_set_numeric(id, (unsigned long)find_thread(NULL)); 504 CRYPTO_THREADID_set_numeric(id, (unsigned long)find_thread(NULL));
505#else 505#else
506 /* For everything else, default to using the address of 'errno' */ 506 /* For everything else, default to using the address of 'errno' */
507 CRYPTO_THREADID_set_pointer(id, &errno); 507 CRYPTO_THREADID_set_pointer(id, (void*)&errno);
508#endif 508#endif
509 } 509 }
510 510
@@ -704,6 +704,7 @@ void OPENSSL_cpuid_setup(void)
704 } 704 }
705 else 705 else
706 vec = OPENSSL_ia32_cpuid(); 706 vec = OPENSSL_ia32_cpuid();
707
707 /* 708 /*
708 * |(1<<10) sets a reserved bit to signal that variable 709 * |(1<<10) sets a reserved bit to signal that variable
709 * was initialized already... This is to avoid interference 710 * was initialized already... This is to avoid interference
@@ -888,7 +889,7 @@ void OPENSSL_showfatal (const char *fmta,...)
888 889
889#if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333 890#if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
890 /* this -------------v--- guards NT-specific calls */ 891 /* this -------------v--- guards NT-specific calls */
891 if (GetVersion() < 0x80000000 && OPENSSL_isservice() > 0) 892 if (check_winnt() && OPENSSL_isservice() > 0)
892 { HANDLE h = RegisterEventSource(0,_T("OPENSSL")); 893 { HANDLE h = RegisterEventSource(0,_T("OPENSSL"));
893 const TCHAR *pmsg=buf; 894 const TCHAR *pmsg=buf;
894 ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0); 895 ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0);
@@ -924,3 +925,16 @@ void OpenSSLDie(const char *file,int line,const char *assertion)
924 } 925 }
925 926
926void *OPENSSL_stderr(void) { return stderr; } 927void *OPENSSL_stderr(void) { return stderr; }
928
929int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len)
930 {
931 size_t i;
932 const unsigned char *a = in_a;
933 const unsigned char *b = in_b;
934 unsigned char x = 0;
935
936 for (i = 0; i < len; i++)
937 x |= a[i] ^ b[i];
938
939 return x;
940 }
diff --git a/src/lib/libcrypto/cryptlib.h b/src/lib/libcrypto/cryptlib.h
index 1761f6b668..d26f9630ea 100644
--- a/src/lib/libcrypto/cryptlib.h
+++ b/src/lib/libcrypto/cryptlib.h
@@ -100,7 +100,7 @@ extern "C" {
100 100
101void OPENSSL_cpuid_setup(void); 101void OPENSSL_cpuid_setup(void);
102extern unsigned int OPENSSL_ia32cap_P[]; 102extern unsigned int OPENSSL_ia32cap_P[];
103void OPENSSL_showfatal(const char *,...); 103void OPENSSL_showfatal(const char *fmta,...);
104void *OPENSSL_stderr(void); 104void *OPENSSL_stderr(void);
105extern int OPENSSL_NONPIC_relocated; 105extern int OPENSSL_NONPIC_relocated;
106 106
diff --git a/src/lib/libcrypto/crypto.h b/src/lib/libcrypto/crypto.h
index 6aeda0a9ac..f92fc5182d 100644
--- a/src/lib/libcrypto/crypto.h
+++ b/src/lib/libcrypto/crypto.h
@@ -488,10 +488,10 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
488 long (**go)(void)); 488 long (**go)(void));
489 489
490void *CRYPTO_malloc_locked(int num, const char *file, int line); 490void *CRYPTO_malloc_locked(int num, const char *file, int line);
491void CRYPTO_free_locked(void *); 491void CRYPTO_free_locked(void *ptr);
492void *CRYPTO_malloc(int num, const char *file, int line); 492void *CRYPTO_malloc(int num, const char *file, int line);
493char *CRYPTO_strdup(const char *str, const char *file, int line); 493char *CRYPTO_strdup(const char *str, const char *file, int line);
494void CRYPTO_free(void *); 494void CRYPTO_free(void *ptr);
495void *CRYPTO_realloc(void *addr,int num, const char *file, int line); 495void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
496void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file, 496void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,
497 int line); 497 int line);
@@ -574,6 +574,13 @@ void OPENSSL_init(void);
574#define fips_cipher_abort(alg) while(0) 574#define fips_cipher_abort(alg) while(0)
575#endif 575#endif
576 576
577/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
578 * takes an amount of time dependent on |len|, but independent of the contents
579 * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a
580 * defined order as the return value when a != b is undefined, other than to be
581 * non-zero. */
582int CRYPTO_memcmp(const void *a, const void *b, size_t len);
583
577/* BEGIN ERROR CODES */ 584/* BEGIN ERROR CODES */
578/* The following lines are auto generated by the script mkerr.pl. Any changes 585/* The following lines are auto generated by the script mkerr.pl. Any changes
579 * made after this point may be overwritten when the script is next run. 586 * made after this point may be overwritten when the script is next run.
diff --git a/src/lib/libcrypto/des/set_key.c b/src/lib/libcrypto/des/set_key.c
index d3e69ca8b5..da4d62e112 100644
--- a/src/lib/libcrypto/des/set_key.c
+++ b/src/lib/libcrypto/des/set_key.c
@@ -63,9 +63,8 @@
63 * 1.1 added norm_expand_bits 63 * 1.1 added norm_expand_bits
64 * 1.0 First working version 64 * 1.0 First working version
65 */ 65 */
66#include "des_locl.h"
67
68#include <openssl/crypto.h> 66#include <openssl/crypto.h>
67#include "des_locl.h"
69 68
70OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key,0) /* defaults to false */ 69OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key,0) /* defaults to false */
71 70
diff --git a/src/lib/libcrypto/des/str2key.c b/src/lib/libcrypto/des/str2key.c
index 9c2054bda6..1077f99d1b 100644
--- a/src/lib/libcrypto/des/str2key.c
+++ b/src/lib/libcrypto/des/str2key.c
@@ -56,8 +56,8 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58 58
59#include "des_locl.h"
60#include <openssl/crypto.h> 59#include <openssl/crypto.h>
60#include "des_locl.h"
61 61
62void DES_string_to_key(const char *str, DES_cblock *key) 62void DES_string_to_key(const char *str, DES_cblock *key)
63 { 63 {
diff --git a/src/lib/libcrypto/doc/ERR_get_error.pod b/src/lib/libcrypto/doc/ERR_get_error.pod
index 34443045fc..828ecf529b 100644
--- a/src/lib/libcrypto/doc/ERR_get_error.pod
+++ b/src/lib/libcrypto/doc/ERR_get_error.pod
@@ -52,8 +52,11 @@ ERR_get_error_line_data(), ERR_peek_error_line_data() and
52ERR_get_last_error_line_data() store additional data and flags 52ERR_get_last_error_line_data() store additional data and flags
53associated with the error code in *B<data> 53associated with the error code in *B<data>
54and *B<flags>, unless these are B<NULL>. *B<data> contains a string 54and *B<flags>, unless these are B<NULL>. *B<data> contains a string
55if *B<flags>&B<ERR_TXT_STRING>. If it has been allocated by OPENSSL_malloc(), 55if *B<flags>&B<ERR_TXT_STRING> is true.
56*B<flags>&B<ERR_TXT_MALLOCED> is true. 56
57An application B<MUST NOT> free the *B<data> pointer (or any other pointers
58returned by these functions) with OPENSSL_free() as freeing is handled
59automatically by the error library.
57 60
58=head1 RETURN VALUES 61=head1 RETURN VALUES
59 62
diff --git a/src/lib/libcrypto/doc/EVP_BytesToKey.pod b/src/lib/libcrypto/doc/EVP_BytesToKey.pod
index d375c46e03..0ea7d55c0f 100644
--- a/src/lib/libcrypto/doc/EVP_BytesToKey.pod
+++ b/src/lib/libcrypto/doc/EVP_BytesToKey.pod
@@ -17,7 +17,7 @@ EVP_BytesToKey - password based encryption routine
17 17
18EVP_BytesToKey() derives a key and IV from various parameters. B<type> is 18EVP_BytesToKey() derives a key and IV from various parameters. B<type> is
19the cipher to derive the key and IV for. B<md> is the message digest to use. 19the cipher to derive the key and IV for. B<md> is the message digest to use.
20The B<salt> paramter is used as a salt in the derivation: it should point to 20The B<salt> parameter is used as a salt in the derivation: it should point to
21an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing 21an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing
22B<datal> bytes which is used to derive the keying data. B<count> is the 22B<datal> bytes which is used to derive the keying data. B<count> is the
23iteration count to use. The derived key and IV will be written to B<key> 23iteration count to use. The derived key and IV will be written to B<key>
diff --git a/src/lib/libcrypto/doc/EVP_EncryptInit.pod b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
index 8271d3dfc4..1c4bf184a1 100644
--- a/src/lib/libcrypto/doc/EVP_EncryptInit.pod
+++ b/src/lib/libcrypto/doc/EVP_EncryptInit.pod
@@ -152,7 +152,7 @@ does not remain in memory.
152 152
153EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a 153EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a
154similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and 154similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and
155EVP_CipherInit_ex() except the B<ctx> paramter does not need to be 155EVP_CipherInit_ex() except the B<ctx> parameter does not need to be
156initialized and they always use the default cipher implementation. 156initialized and they always use the default cipher implementation.
157 157
158EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a 158EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod b/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod
index f2f455990f..13b91f1e6e 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_CTX_ctrl.pod
@@ -117,7 +117,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
117L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, 117L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
118L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, 118L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
119L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, 119L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
120L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, 120L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
121L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 121L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
122L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)> 122L<EVP_PKEY_keygen(3)|EVP_PKEY_keygen(3)>
123 123
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_decrypt.pod b/src/lib/libcrypto/doc/EVP_PKEY_decrypt.pod
index 42b2a8c44e..847983237b 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_decrypt.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_decrypt.pod
@@ -83,7 +83,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
83L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, 83L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
84L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, 84L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
85L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, 85L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
86L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, 86L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
87L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 87L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
88 88
89=head1 HISTORY 89=head1 HISTORY
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_derive.pod b/src/lib/libcrypto/doc/EVP_PKEY_derive.pod
index d9d6d76c72..27464be571 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_derive.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_derive.pod
@@ -84,7 +84,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
84L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, 84L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
85L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, 85L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
86L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, 86L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
87L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, 87L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
88 88
89=head1 HISTORY 89=head1 HISTORY
90 90
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_encrypt.pod b/src/lib/libcrypto/doc/EVP_PKEY_encrypt.pod
index 91c9c5d0a5..e495a81242 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_encrypt.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_encrypt.pod
@@ -83,7 +83,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
83L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, 83L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
84L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, 84L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
85L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, 85L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
86L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, 86L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
87L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 87L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
88 88
89=head1 HISTORY 89=head1 HISTORY
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_get_default_digest.pod b/src/lib/libcrypto/doc/EVP_PKEY_get_default_digest.pod
index 1a9c7954c5..8ff597d44a 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_get_default_digest.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_get_default_digest.pod
@@ -32,7 +32,7 @@ public key algorithm.
32L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>, 32L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
33L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, 33L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
34L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, 34L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
35L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, 35L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
36 36
37=head1 HISTORY 37=head1 HISTORY
38 38
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod b/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod
index 37c6fe9503..fd431ace6d 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_keygen.pod
@@ -151,7 +151,7 @@ L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
151L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, 151L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
152L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, 152L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
153L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, 153L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
154L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, 154L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
155L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 155L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
156 156
157=head1 HISTORY 157=head1 HISTORY
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_sign.pod b/src/lib/libcrypto/doc/EVP_PKEY_sign.pod
index 2fb52c3486..a044f2c131 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_sign.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_sign.pod
@@ -86,7 +86,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
86L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, 86L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
87L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, 87L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
88L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>, 88L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
89L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, 89L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
90L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 90L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
91 91
92=head1 HISTORY 92=head1 HISTORY
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_verify.pod b/src/lib/libcrypto/doc/EVP_PKEY_verify.pod
index f93e5fc6c3..90612ba2f0 100644
--- a/src/lib/libcrypto/doc/EVP_PKEY_verify.pod
+++ b/src/lib/libcrypto/doc/EVP_PKEY_verify.pod
@@ -81,7 +81,7 @@ L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
81L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>, 81L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
82L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>, 82L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
83L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>, 83L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
84L<EVP_PKEY_verifyrecover(3)|EVP_PKEY_verifyrecover(3)>, 84L<EVP_PKEY_verify_recover(3)|EVP_PKEY_verify_recover(3)>,
85L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)> 85L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
86 86
87=head1 HISTORY 87=head1 HISTORY
diff --git a/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod b/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod
new file mode 100644
index 0000000000..23a28a9c43
--- /dev/null
+++ b/src/lib/libcrypto/doc/EVP_PKEY_verify_recover.pod
@@ -0,0 +1,103 @@
1=pod
2
3=head1 NAME
4
5EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover - recover signature using a public key algorithm
6
7=head1 SYNOPSIS
8
9 #include <openssl/evp.h>
10
11 int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx);
12 int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx,
13 unsigned char *rout, size_t *routlen,
14 const unsigned char *sig, size_t siglen);
15
16=head1 DESCRIPTION
17
18The EVP_PKEY_verify_recover_init() function initializes a public key algorithm
19context using key B<pkey> for a verify recover operation.
20
21The EVP_PKEY_verify_recover() function recovers signed data
22using B<ctx>. The signature is specified using the B<sig> and
23B<siglen> parameters. If B<rout> is B<NULL> then the maximum size of the output
24buffer is written to the B<routlen> parameter. If B<rout> is not B<NULL> then
25before the call the B<routlen> parameter should contain the length of the
26B<rout> buffer, if the call is successful recovered data is written to
27B<rout> and the amount of data written to B<routlen>.
28
29=head1 NOTES
30
31Normally an application is only interested in whether a signature verification
32operation is successful in those cases the EVP_verify() function should be
33used.
34
35Sometimes however it is useful to obtain the data originally signed using a
36signing operation. Only certain public key algorithms can recover a signature
37in this way (for example RSA in PKCS padding mode).
38
39After the call to EVP_PKEY_verify_recover_init() algorithm specific control
40operations can be performed to set any appropriate parameters for the
41operation.
42
43The function EVP_PKEY_verify_recover() can be called more than once on the same
44context if several operations are performed using the same parameters.
45
46=head1 RETURN VALUES
47
48EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover() return 1 for success
49and 0 or a negative value for failure. In particular a return value of -2
50indicates the operation is not supported by the public key algorithm.
51
52=head1 EXAMPLE
53
54Recover digest originally signed using PKCS#1 and SHA256 digest:
55
56 #include <openssl/evp.h>
57 #include <openssl/rsa.h>
58
59 EVP_PKEY_CTX *ctx;
60 unsigned char *rout, *sig;
61 size_t routlen, siglen;
62 EVP_PKEY *verify_key;
63 /* NB: assumes verify_key, sig and siglen are already set up
64 * and that verify_key is an RSA public key
65 */
66 ctx = EVP_PKEY_CTX_new(verify_key);
67 if (!ctx)
68 /* Error occurred */
69 if (EVP_PKEY_verify_recover_init(ctx) <= 0)
70 /* Error */
71 if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0)
72 /* Error */
73 if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0)
74 /* Error */
75
76 /* Determine buffer length */
77 if (EVP_PKEY_verify_recover(ctx, NULL, &routlen, sig, siglen) <= 0)
78 /* Error */
79
80 rout = OPENSSL_malloc(routlen);
81
82 if (!rout)
83 /* malloc failure */
84
85 if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0)
86 /* Error */
87
88 /* Recovered data is routlen bytes written to buffer rout */
89
90=head1 SEE ALSO
91
92L<EVP_PKEY_CTX_new(3)|EVP_PKEY_CTX_new(3)>,
93L<EVP_PKEY_encrypt(3)|EVP_PKEY_encrypt(3)>,
94L<EVP_PKEY_decrypt(3)|EVP_PKEY_decrypt(3)>,
95L<EVP_PKEY_sign(3)|EVP_PKEY_sign(3)>,
96L<EVP_PKEY_verify(3)|EVP_PKEY_verify(3)>,
97L<EVP_PKEY_derive(3)|EVP_PKEY_derive(3)>
98
99=head1 HISTORY
100
101These functions were first added to OpenSSL 1.0.0.
102
103=cut
diff --git a/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod b/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod
index a883f6c097..60e8332ae9 100644
--- a/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod
+++ b/src/lib/libcrypto/doc/X509_STORE_CTX_get_error.pod
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabled.
278an application specific error. This will never be returned unless explicitly 278an application specific error. This will never be returned unless explicitly
279set by an application. 279set by an application.
280 280
281=back
282
281=head1 NOTES 283=head1 NOTES
282 284
283The above functions should be used instead of directly referencing the fields 285The above functions should be used instead of directly referencing the fields
diff --git a/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod b/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod
index b68eece033..46cac2bea2 100644
--- a/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod
+++ b/src/lib/libcrypto/doc/X509_VERIFY_PARAM_set_flags.pod
@@ -113,7 +113,7 @@ a special status code is set to the verification callback. This permits it
113to examine the valid policy tree and perform additional checks or simply 113to examine the valid policy tree and perform additional checks or simply
114log it for debugging purposes. 114log it for debugging purposes.
115 115
116By default some addtional features such as indirect CRLs and CRLs signed by 116By default some additional features such as indirect CRLs and CRLs signed by
117different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set 117different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set
118they are enabled. 118they are enabled.
119 119
diff --git a/src/lib/libcrypto/ec/ec.h b/src/lib/libcrypto/ec/ec.h
index 9d01325af3..dfe8710d33 100644
--- a/src/lib/libcrypto/ec/ec.h
+++ b/src/lib/libcrypto/ec/ec.h
@@ -274,10 +274,10 @@ int EC_GROUP_get_curve_name(const EC_GROUP *group);
274void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag); 274void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
275int EC_GROUP_get_asn1_flag(const EC_GROUP *group); 275int EC_GROUP_get_asn1_flag(const EC_GROUP *group);
276 276
277void EC_GROUP_set_point_conversion_form(EC_GROUP *, point_conversion_form_t); 277void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form);
278point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *); 278point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *);
279 279
280unsigned char *EC_GROUP_get0_seed(const EC_GROUP *); 280unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x);
281size_t EC_GROUP_get_seed_len(const EC_GROUP *); 281size_t EC_GROUP_get_seed_len(const EC_GROUP *);
282size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len); 282size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
283 283
@@ -626,8 +626,8 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *c
626 */ 626 */
627int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); 627int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
628 628
629int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); 629int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx);
630int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *); 630int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx);
631 631
632/** Computes r = generator * n sum_{i=0}^num p[i] * m[i] 632/** Computes r = generator * n sum_{i=0}^num p[i] * m[i]
633 * \param group underlying EC_GROUP object 633 * \param group underlying EC_GROUP object
@@ -800,16 +800,24 @@ const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
800int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub); 800int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
801 801
802unsigned EC_KEY_get_enc_flags(const EC_KEY *key); 802unsigned EC_KEY_get_enc_flags(const EC_KEY *key);
803void EC_KEY_set_enc_flags(EC_KEY *, unsigned int); 803void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);
804point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *); 804point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
805void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t); 805void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
806/* functions to set/get method specific data */ 806/* functions to set/get method specific data */
807void *EC_KEY_get_key_method_data(EC_KEY *, 807void *EC_KEY_get_key_method_data(EC_KEY *key,
808 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); 808 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
809void EC_KEY_insert_key_method_data(EC_KEY *, void *data, 809/** Sets the key method data of an EC_KEY object, if none has yet been set.
810 * \param key EC_KEY object
811 * \param data opaque data to install.
812 * \param dup_func a function that duplicates |data|.
813 * \param free_func a function that frees |data|.
814 * \param clear_free_func a function that wipes and frees |data|.
815 * \return the previously set data pointer, or NULL if |data| was inserted.
816 */
817void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
810 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); 818 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
811/* wrapper functions for the underlying EC_GROUP object */ 819/* wrapper functions for the underlying EC_GROUP object */
812void EC_KEY_set_asn1_flag(EC_KEY *, int); 820void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
813 821
814/** Creates a table of pre-computed multiples of the generator to 822/** Creates a table of pre-computed multiples of the generator to
815 * accelerate further EC_KEY operations. 823 * accelerate further EC_KEY operations.
diff --git a/src/lib/libcrypto/ec/ec2_mult.c b/src/lib/libcrypto/ec/ec2_mult.c
index 26f4a783fc..1c575dc47a 100644
--- a/src/lib/libcrypto/ec/ec2_mult.c
+++ b/src/lib/libcrypto/ec/ec2_mult.c
@@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
208 return ret; 208 return ret;
209 } 209 }
210 210
211
211/* Computes scalar*point and stores the result in r. 212/* Computes scalar*point and stores the result in r.
212 * point can not equal r. 213 * point can not equal r.
213 * Uses algorithm 2P of 214 * Uses a modified algorithm 2P of
214 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over 215 * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
215 * GF(2^m) without precomputation" (CHES '99, LNCS 1717). 216 * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
217 *
218 * To protect against side-channel attack the function uses constant time swap,
219 * avoiding conditional branches.
216 */ 220 */
217static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, 221static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
218 const EC_POINT *point, BN_CTX *ctx) 222 const EC_POINT *point, BN_CTX *ctx)
@@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
246 x2 = &r->X; 250 x2 = &r->X;
247 z2 = &r->Y; 251 z2 = &r->Y;
248 252
253 bn_wexpand(x1, group->field.top);
254 bn_wexpand(z1, group->field.top);
255 bn_wexpand(x2, group->field.top);
256 bn_wexpand(z2, group->field.top);
257
249 if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */ 258 if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
250 if (!BN_one(z1)) goto err; /* z1 = 1 */ 259 if (!BN_one(z1)) goto err; /* z1 = 1 */
251 if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */ 260 if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
@@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
270 word = scalar->d[i]; 279 word = scalar->d[i];
271 while (mask) 280 while (mask)
272 { 281 {
273 if (word & mask) 282 BN_consttime_swap(word & mask, x1, x2, group->field.top);
274 { 283 BN_consttime_swap(word & mask, z1, z2, group->field.top);
275 if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err; 284 if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
276 if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err; 285 if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
277 } 286 BN_consttime_swap(word & mask, x1, x2, group->field.top);
278 else 287 BN_consttime_swap(word & mask, z1, z2, group->field.top);
279 {
280 if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
281 if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
282 }
283 mask >>= 1; 288 mask >>= 1;
284 } 289 }
285 mask = BN_TBIT; 290 mask = BN_TBIT;
diff --git a/src/lib/libcrypto/ec/ec_ameth.c b/src/lib/libcrypto/ec/ec_ameth.c
index 83909c1853..0ce4524076 100644
--- a/src/lib/libcrypto/ec/ec_ameth.c
+++ b/src/lib/libcrypto/ec/ec_ameth.c
@@ -88,7 +88,7 @@ static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
88 if (!pstr) 88 if (!pstr)
89 return 0; 89 return 0;
90 pstr->length = i2d_ECParameters(ec_key, &pstr->data); 90 pstr->length = i2d_ECParameters(ec_key, &pstr->data);
91 if (pstr->length < 0) 91 if (pstr->length <= 0)
92 { 92 {
93 ASN1_STRING_free(pstr); 93 ASN1_STRING_free(pstr);
94 ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB); 94 ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB);
diff --git a/src/lib/libcrypto/ec/ec_asn1.c b/src/lib/libcrypto/ec/ec_asn1.c
index 175eec5342..145807b611 100644
--- a/src/lib/libcrypto/ec/ec_asn1.c
+++ b/src/lib/libcrypto/ec/ec_asn1.c
@@ -89,7 +89,8 @@ int EC_GROUP_get_trinomial_basis(const EC_GROUP *group, unsigned int *k)
89 if (group == NULL) 89 if (group == NULL)
90 return 0; 90 return 0;
91 91
92 if (EC_GROUP_method_of(group)->group_set_curve != ec_GF2m_simple_group_set_curve 92 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
93 NID_X9_62_characteristic_two_field
93 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0))) 94 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0)))
94 { 95 {
95 ECerr(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 96 ECerr(EC_F_EC_GROUP_GET_TRINOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
@@ -107,7 +108,8 @@ int EC_GROUP_get_pentanomial_basis(const EC_GROUP *group, unsigned int *k1,
107 if (group == NULL) 108 if (group == NULL)
108 return 0; 109 return 0;
109 110
110 if (EC_GROUP_method_of(group)->group_set_curve != ec_GF2m_simple_group_set_curve 111 if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
112 NID_X9_62_characteristic_two_field
111 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0))) 113 || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0)))
112 { 114 {
113 ECerr(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 115 ECerr(EC_F_EC_GROUP_GET_PENTANOMIAL_BASIS, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
diff --git a/src/lib/libcrypto/ec/ec_key.c b/src/lib/libcrypto/ec/ec_key.c
index bf9fd2dc2c..7fa247593d 100644
--- a/src/lib/libcrypto/ec/ec_key.c
+++ b/src/lib/libcrypto/ec/ec_key.c
@@ -520,18 +520,27 @@ void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform)
520void *EC_KEY_get_key_method_data(EC_KEY *key, 520void *EC_KEY_get_key_method_data(EC_KEY *key,
521 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) 521 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
522 { 522 {
523 return EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); 523 void *ret;
524
525 CRYPTO_r_lock(CRYPTO_LOCK_EC);
526 ret = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
527 CRYPTO_r_unlock(CRYPTO_LOCK_EC);
528
529 return ret;
524 } 530 }
525 531
526void EC_KEY_insert_key_method_data(EC_KEY *key, void *data, 532void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
527 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) 533 void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
528 { 534 {
529 EC_EXTRA_DATA *ex_data; 535 EC_EXTRA_DATA *ex_data;
536
530 CRYPTO_w_lock(CRYPTO_LOCK_EC); 537 CRYPTO_w_lock(CRYPTO_LOCK_EC);
531 ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); 538 ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
532 if (ex_data == NULL) 539 if (ex_data == NULL)
533 EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func); 540 EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func);
534 CRYPTO_w_unlock(CRYPTO_LOCK_EC); 541 CRYPTO_w_unlock(CRYPTO_LOCK_EC);
542
543 return ex_data;
535 } 544 }
536 545
537void EC_KEY_set_asn1_flag(EC_KEY *key, int flag) 546void EC_KEY_set_asn1_flag(EC_KEY *key, int flag)
diff --git a/src/lib/libcrypto/ec/ec_lib.c b/src/lib/libcrypto/ec/ec_lib.c
index 25247b5803..de9a0cc2b3 100644
--- a/src/lib/libcrypto/ec/ec_lib.c
+++ b/src/lib/libcrypto/ec/ec_lib.c
@@ -480,10 +480,10 @@ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx)
480 if (EC_METHOD_get_field_type(EC_GROUP_method_of(a)) != 480 if (EC_METHOD_get_field_type(EC_GROUP_method_of(a)) !=
481 EC_METHOD_get_field_type(EC_GROUP_method_of(b))) 481 EC_METHOD_get_field_type(EC_GROUP_method_of(b)))
482 return 1; 482 return 1;
483 /* compare the curve name (if present) */ 483 /* compare the curve name (if present in both) */
484 if (EC_GROUP_get_curve_name(a) && EC_GROUP_get_curve_name(b) && 484 if (EC_GROUP_get_curve_name(a) && EC_GROUP_get_curve_name(b) &&
485 EC_GROUP_get_curve_name(a) == EC_GROUP_get_curve_name(b)) 485 EC_GROUP_get_curve_name(a) != EC_GROUP_get_curve_name(b))
486 return 0; 486 return 1;
487 487
488 if (!ctx) 488 if (!ctx)
489 ctx_new = ctx = BN_CTX_new(); 489 ctx_new = ctx = BN_CTX_new();
@@ -993,12 +993,12 @@ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN
993 if (group->meth->point_cmp == 0) 993 if (group->meth->point_cmp == 0)
994 { 994 {
995 ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 995 ECerr(EC_F_EC_POINT_CMP, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
996 return 0; 996 return -1;
997 } 997 }
998 if ((group->meth != a->meth) || (a->meth != b->meth)) 998 if ((group->meth != a->meth) || (a->meth != b->meth))
999 { 999 {
1000 ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS); 1000 ECerr(EC_F_EC_POINT_CMP, EC_R_INCOMPATIBLE_OBJECTS);
1001 return 0; 1001 return -1;
1002 } 1002 }
1003 return group->meth->point_cmp(group, a, b, ctx); 1003 return group->meth->point_cmp(group, a, b, ctx);
1004 } 1004 }
diff --git a/src/lib/libcrypto/ec/ec_pmeth.c b/src/lib/libcrypto/ec/ec_pmeth.c
index d1ed66c37e..66ee397d86 100644
--- a/src/lib/libcrypto/ec/ec_pmeth.c
+++ b/src/lib/libcrypto/ec/ec_pmeth.c
@@ -188,7 +188,7 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
188 188
189 pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec); 189 pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
190 190
191 /* NB: unlike PKS#3 DH, if *outlen is less than maximum size this is 191 /* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
192 * not an error, the result is truncated. 192 * not an error, the result is truncated.
193 */ 193 */
194 194
diff --git a/src/lib/libcrypto/ec/ecp_mont.c b/src/lib/libcrypto/ec/ecp_mont.c
index 079e47431b..f04f132c7a 100644
--- a/src/lib/libcrypto/ec/ecp_mont.c
+++ b/src/lib/libcrypto/ec/ecp_mont.c
@@ -114,7 +114,6 @@ const EC_METHOD *EC_GFp_mont_method(void)
114 ec_GFp_mont_field_decode, 114 ec_GFp_mont_field_decode,
115 ec_GFp_mont_field_set_to_one }; 115 ec_GFp_mont_field_set_to_one };
116 116
117
118 return &ret; 117 return &ret;
119#endif 118#endif
120 } 119 }
diff --git a/src/lib/libcrypto/ecdh/ech_key.c b/src/lib/libcrypto/ecdh/ech_key.c
index f44da9298b..2988899ea2 100644
--- a/src/lib/libcrypto/ecdh/ech_key.c
+++ b/src/lib/libcrypto/ecdh/ech_key.c
@@ -68,9 +68,6 @@
68 */ 68 */
69 69
70#include "ech_locl.h" 70#include "ech_locl.h"
71#ifndef OPENSSL_NO_ENGINE
72#include <openssl/engine.h>
73#endif
74 71
75int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, 72int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
76 EC_KEY *eckey, 73 EC_KEY *eckey,
diff --git a/src/lib/libcrypto/ecdh/ech_lib.c b/src/lib/libcrypto/ecdh/ech_lib.c
index dadbfd3c49..0644431b75 100644
--- a/src/lib/libcrypto/ecdh/ech_lib.c
+++ b/src/lib/libcrypto/ecdh/ech_lib.c
@@ -222,8 +222,15 @@ ECDH_DATA *ecdh_check(EC_KEY *key)
222 ecdh_data = (ECDH_DATA *)ecdh_data_new(); 222 ecdh_data = (ECDH_DATA *)ecdh_data_new();
223 if (ecdh_data == NULL) 223 if (ecdh_data == NULL)
224 return NULL; 224 return NULL;
225 EC_KEY_insert_key_method_data(key, (void *)ecdh_data, 225 data = EC_KEY_insert_key_method_data(key, (void *)ecdh_data,
226 ecdh_data_dup, ecdh_data_free, ecdh_data_free); 226 ecdh_data_dup, ecdh_data_free, ecdh_data_free);
227 if (data != NULL)
228 {
229 /* Another thread raced us to install the key_method
230 * data and won. */
231 ecdh_data_free(ecdh_data);
232 ecdh_data = (ECDH_DATA *)data;
233 }
227 } 234 }
228 else 235 else
229 ecdh_data = (ECDH_DATA *)data; 236 ecdh_data = (ECDH_DATA *)data;
diff --git a/src/lib/libcrypto/ecdsa/ecs_lib.c b/src/lib/libcrypto/ecdsa/ecs_lib.c
index e477da430b..814a6bf404 100644
--- a/src/lib/libcrypto/ecdsa/ecs_lib.c
+++ b/src/lib/libcrypto/ecdsa/ecs_lib.c
@@ -200,8 +200,15 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key)
200 ecdsa_data = (ECDSA_DATA *)ecdsa_data_new(); 200 ecdsa_data = (ECDSA_DATA *)ecdsa_data_new();
201 if (ecdsa_data == NULL) 201 if (ecdsa_data == NULL)
202 return NULL; 202 return NULL;
203 EC_KEY_insert_key_method_data(key, (void *)ecdsa_data, 203 data = EC_KEY_insert_key_method_data(key, (void *)ecdsa_data,
204 ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free); 204 ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free);
205 if (data != NULL)
206 {
207 /* Another thread raced us to install the key_method
208 * data and won. */
209 ecdsa_data_free(ecdsa_data);
210 ecdsa_data = (ECDSA_DATA *)data;
211 }
205 } 212 }
206 else 213 else
207 ecdsa_data = (ECDSA_DATA *)data; 214 ecdsa_data = (ECDSA_DATA *)data;
diff --git a/src/lib/libcrypto/engine/eng_list.c b/src/lib/libcrypto/engine/eng_list.c
index 27846edb1e..95c858960b 100644
--- a/src/lib/libcrypto/engine/eng_list.c
+++ b/src/lib/libcrypto/engine/eng_list.c
@@ -408,6 +408,7 @@ ENGINE *ENGINE_by_id(const char *id)
408 !ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) || 408 !ENGINE_ctrl_cmd_string(iterator, "DIR_LOAD", "2", 0) ||
409 !ENGINE_ctrl_cmd_string(iterator, "DIR_ADD", 409 !ENGINE_ctrl_cmd_string(iterator, "DIR_ADD",
410 load_dir, 0) || 410 load_dir, 0) ||
411 !ENGINE_ctrl_cmd_string(iterator, "LIST_ADD", "1", 0) ||
411 !ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0)) 412 !ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0))
412 goto notfound; 413 goto notfound;
413 return iterator; 414 return iterator;
diff --git a/src/lib/libcrypto/err/err_all.c b/src/lib/libcrypto/err/err_all.c
index bd8946d8ba..8eb547d98d 100644
--- a/src/lib/libcrypto/err/err_all.c
+++ b/src/lib/libcrypto/err/err_all.c
@@ -64,7 +64,9 @@
64#endif 64#endif
65#include <openssl/buffer.h> 65#include <openssl/buffer.h>
66#include <openssl/bio.h> 66#include <openssl/bio.h>
67#ifndef OPENSSL_NO_COMP
67#include <openssl/comp.h> 68#include <openssl/comp.h>
69#endif
68#ifndef OPENSSL_NO_RSA 70#ifndef OPENSSL_NO_RSA
69#include <openssl/rsa.h> 71#include <openssl/rsa.h>
70#endif 72#endif
@@ -95,6 +97,9 @@
95#include <openssl/ui.h> 97#include <openssl/ui.h>
96#include <openssl/ocsp.h> 98#include <openssl/ocsp.h>
97#include <openssl/err.h> 99#include <openssl/err.h>
100#ifdef OPENSSL_FIPS
101#include <openssl/fips.h>
102#endif
98#include <openssl/ts.h> 103#include <openssl/ts.h>
99#ifndef OPENSSL_NO_CMS 104#ifndef OPENSSL_NO_CMS
100#include <openssl/cms.h> 105#include <openssl/cms.h>
@@ -102,11 +107,6 @@
102#ifndef OPENSSL_NO_JPAKE 107#ifndef OPENSSL_NO_JPAKE
103#include <openssl/jpake.h> 108#include <openssl/jpake.h>
104#endif 109#endif
105#include <openssl/comp.h>
106
107#ifdef OPENSSL_FIPS
108#include <openssl/fips.h>
109#endif
110 110
111void ERR_load_crypto_strings(void) 111void ERR_load_crypto_strings(void)
112 { 112 {
@@ -130,7 +130,9 @@ void ERR_load_crypto_strings(void)
130 ERR_load_ASN1_strings(); 130 ERR_load_ASN1_strings();
131 ERR_load_CONF_strings(); 131 ERR_load_CONF_strings();
132 ERR_load_CRYPTO_strings(); 132 ERR_load_CRYPTO_strings();
133#ifndef OPENSSL_NO_COMP
133 ERR_load_COMP_strings(); 134 ERR_load_COMP_strings();
135#endif
134#ifndef OPENSSL_NO_EC 136#ifndef OPENSSL_NO_EC
135 ERR_load_EC_strings(); 137 ERR_load_EC_strings();
136#endif 138#endif
@@ -153,15 +155,14 @@ void ERR_load_crypto_strings(void)
153#endif 155#endif
154 ERR_load_OCSP_strings(); 156 ERR_load_OCSP_strings();
155 ERR_load_UI_strings(); 157 ERR_load_UI_strings();
158#ifdef OPENSSL_FIPS
159 ERR_load_FIPS_strings();
160#endif
156#ifndef OPENSSL_NO_CMS 161#ifndef OPENSSL_NO_CMS
157 ERR_load_CMS_strings(); 162 ERR_load_CMS_strings();
158#endif 163#endif
159#ifndef OPENSSL_NO_JPAKE 164#ifndef OPENSSL_NO_JPAKE
160 ERR_load_JPAKE_strings(); 165 ERR_load_JPAKE_strings();
161#endif 166#endif
162 ERR_load_COMP_strings();
163#endif
164#ifdef OPENSSL_FIPS
165 ERR_load_FIPS_strings();
166#endif 167#endif
167 } 168 }
diff --git a/src/lib/libcrypto/evp/bio_b64.c b/src/lib/libcrypto/evp/bio_b64.c
index 72a2a67277..ac6d441aad 100644
--- a/src/lib/libcrypto/evp/bio_b64.c
+++ b/src/lib/libcrypto/evp/bio_b64.c
@@ -264,7 +264,7 @@ static int b64_read(BIO *b, char *out, int outl)
264 } 264 }
265 265
266 /* we fell off the end without starting */ 266 /* we fell off the end without starting */
267 if (j == i) 267 if ((j == i) && (num == 0))
268 { 268 {
269 /* Is this is one long chunk?, if so, keep on 269 /* Is this is one long chunk?, if so, keep on
270 * reading until a new line. */ 270 * reading until a new line. */
diff --git a/src/lib/libcrypto/evp/digest.c b/src/lib/libcrypto/evp/digest.c
index 467e6b5ae9..d14e8e48d5 100644
--- a/src/lib/libcrypto/evp/digest.c
+++ b/src/lib/libcrypto/evp/digest.c
@@ -267,6 +267,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
267 return FIPS_digestfinal(ctx, md, size); 267 return FIPS_digestfinal(ctx, md, size);
268#else 268#else
269 int ret; 269 int ret;
270
270 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); 271 OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
271 ret=ctx->digest->final(ctx,md); 272 ret=ctx->digest->final(ctx,md);
272 if (size != NULL) 273 if (size != NULL)
@@ -365,8 +366,11 @@ int EVP_Digest(const void *data, size_t count,
365 366
366void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) 367void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
367 { 368 {
368 EVP_MD_CTX_cleanup(ctx); 369 if (ctx)
369 OPENSSL_free(ctx); 370 {
371 EVP_MD_CTX_cleanup(ctx);
372 OPENSSL_free(ctx);
373 }
370 } 374 }
371 375
372/* This call frees resources associated with the context */ 376/* This call frees resources associated with the context */
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index 1e4af0cb75..c7869b69ef 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -842,7 +842,10 @@ static int aes_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
842 gctx->ctr = NULL; 842 gctx->ctr = NULL;
843 break; 843 break;
844 } 844 }
845 else
845#endif 846#endif
847 (void)0; /* terminate potentially open 'else' */
848
846 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks); 849 AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
847 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt); 850 CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
848#ifdef AES_CTR_ASM 851#ifdef AES_CTR_ASM
@@ -969,8 +972,6 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
969 972
970 if (!gctx->iv_set) 973 if (!gctx->iv_set)
971 return -1; 974 return -1;
972 if (!ctx->encrypt && gctx->taglen < 0)
973 return -1;
974 if (in) 975 if (in)
975 { 976 {
976 if (out == NULL) 977 if (out == NULL)
@@ -1012,6 +1013,8 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
1012 { 1013 {
1013 if (!ctx->encrypt) 1014 if (!ctx->encrypt)
1014 { 1015 {
1016 if (gctx->taglen < 0)
1017 return -1;
1015 if (CRYPTO_gcm128_finish(&gctx->gcm, 1018 if (CRYPTO_gcm128_finish(&gctx->gcm,
1016 ctx->buf, gctx->taglen) != 0) 1019 ctx->buf, gctx->taglen) != 0)
1017 return -1; 1020 return -1;
@@ -1083,14 +1086,17 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1083 xctx->xts.block1 = (block128_f)vpaes_decrypt; 1086 xctx->xts.block1 = (block128_f)vpaes_decrypt;
1084 } 1087 }
1085 1088
1086 vpaes_set_encrypt_key(key + ctx->key_len/2, 1089 vpaes_set_encrypt_key(key + ctx->key_len/2,
1087 ctx->key_len * 4, &xctx->ks2); 1090 ctx->key_len * 4, &xctx->ks2);
1088 xctx->xts.block2 = (block128_f)vpaes_encrypt; 1091 xctx->xts.block2 = (block128_f)vpaes_encrypt;
1089 1092
1090 xctx->xts.key1 = &xctx->ks1; 1093 xctx->xts.key1 = &xctx->ks1;
1091 break; 1094 break;
1092 } 1095 }
1096 else
1093#endif 1097#endif
1098 (void)0; /* terminate potentially open 'else' */
1099
1094 if (enc) 1100 if (enc)
1095 { 1101 {
1096 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1); 1102 AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);
@@ -1217,6 +1223,7 @@ static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
1217 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); 1223 vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks);
1218 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, 1224 CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L,
1219 &cctx->ks, (block128_f)vpaes_encrypt); 1225 &cctx->ks, (block128_f)vpaes_encrypt);
1226 cctx->str = NULL;
1220 cctx->key_set = 1; 1227 cctx->key_set = 1;
1221 break; 1228 break;
1222 } 1229 }
diff --git a/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c b/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
index 710fb79baf..fb2c884a78 100644
--- a/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/src/lib/libcrypto/evp/e_aes_cbc_hmac_sha1.c
@@ -1,5 +1,5 @@
1/* ==================================================================== 1/* ====================================================================
2 * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 2 * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved.
3 * 3 *
4 * Redistribution and use in source and binary forms, with or without 4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions 5 * modification, are permitted provided that the following conditions
@@ -90,6 +90,10 @@ typedef struct
90 defined(_M_AMD64) || defined(_M_X64) || \ 90 defined(_M_AMD64) || defined(_M_X64) || \
91 defined(__INTEL__) ) 91 defined(__INTEL__) )
92 92
93#if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC)
94# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; })
95#endif
96
93extern unsigned int OPENSSL_ia32cap_P[2]; 97extern unsigned int OPENSSL_ia32cap_P[2];
94#define AESNI_CAPABLE (1<<(57-32)) 98#define AESNI_CAPABLE (1<<(57-32))
95 99
@@ -167,6 +171,9 @@ static void sha1_update(SHA_CTX *c,const void *data,size_t len)
167 SHA1_Update(c,ptr,res); 171 SHA1_Update(c,ptr,res);
168} 172}
169 173
174#ifdef SHA1_Update
175#undef SHA1_Update
176#endif
170#define SHA1_Update sha1_update 177#define SHA1_Update sha1_update
171 178
172static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 179static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
@@ -184,6 +191,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
184 sha_off = SHA_CBLOCK-key->md.num; 191 sha_off = SHA_CBLOCK-key->md.num;
185#endif 192#endif
186 193
194 key->payload_length = NO_PAYLOAD_LENGTH;
195
187 if (len%AES_BLOCK_SIZE) return 0; 196 if (len%AES_BLOCK_SIZE) return 0;
188 197
189 if (ctx->encrypt) { 198 if (ctx->encrypt) {
@@ -234,47 +243,211 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
234 &key->ks,ctx->iv,1); 243 &key->ks,ctx->iv,1);
235 } 244 }
236 } else { 245 } else {
237 unsigned char mac[SHA_DIGEST_LENGTH]; 246 union { unsigned int u[SHA_DIGEST_LENGTH/sizeof(unsigned int)];
247 unsigned char c[32+SHA_DIGEST_LENGTH]; } mac, *pmac;
248
249 /* arrange cache line alignment */
250 pmac = (void *)(((size_t)mac.c+31)&((size_t)0-32));
238 251
239 /* decrypt HMAC|padding at once */ 252 /* decrypt HMAC|padding at once */
240 aesni_cbc_encrypt(in,out,len, 253 aesni_cbc_encrypt(in,out,len,
241 &key->ks,ctx->iv,0); 254 &key->ks,ctx->iv,0);
242 255
243 if (plen) { /* "TLS" mode of operation */ 256 if (plen) { /* "TLS" mode of operation */
244 /* figure out payload length */ 257 size_t inp_len, mask, j, i;
245 if (len<(size_t)(out[len-1]+1+SHA_DIGEST_LENGTH)) 258 unsigned int res, maxpad, pad, bitlen;
246 return 0; 259 int ret = 1;
247 260 union { unsigned int u[SHA_LBLOCK];
248 len -= (out[len-1]+1+SHA_DIGEST_LENGTH); 261 unsigned char c[SHA_CBLOCK]; }
262 *data = (void *)key->md.data;
249 263
250 if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3]) 264 if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3])
251 >= TLS1_1_VERSION) { 265 >= TLS1_1_VERSION)
252 len -= AES_BLOCK_SIZE;
253 iv = AES_BLOCK_SIZE; 266 iv = AES_BLOCK_SIZE;
254 }
255 267
256 key->aux.tls_aad[plen-2] = len>>8; 268 if (len<(iv+SHA_DIGEST_LENGTH+1))
257 key->aux.tls_aad[plen-1] = len; 269 return 0;
270
271 /* omit explicit iv */
272 out += iv;
273 len -= iv;
274
275 /* figure out payload length */
276 pad = out[len-1];
277 maxpad = len-(SHA_DIGEST_LENGTH+1);
278 maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
279 maxpad &= 255;
280
281 inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
282 mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
283 inp_len &= mask;
284 ret &= (int)mask;
285
286 key->aux.tls_aad[plen-2] = inp_len>>8;
287 key->aux.tls_aad[plen-1] = inp_len;
258 288
259 /* calculate HMAC and verify it */ 289 /* calculate HMAC */
260 key->md = key->head; 290 key->md = key->head;
261 SHA1_Update(&key->md,key->aux.tls_aad,plen); 291 SHA1_Update(&key->md,key->aux.tls_aad,plen);
262 SHA1_Update(&key->md,out+iv,len);
263 SHA1_Final(mac,&key->md);
264 292
293#if 1
294 len -= SHA_DIGEST_LENGTH; /* amend mac */
295 if (len>=(256+SHA_CBLOCK)) {
296 j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK);
297 j += SHA_CBLOCK-key->md.num;
298 SHA1_Update(&key->md,out,j);
299 out += j;
300 len -= j;
301 inp_len -= j;
302 }
303
304 /* but pretend as if we hashed padded payload */
305 bitlen = key->md.Nl+(inp_len<<3); /* at most 18 bits */
306#ifdef BSWAP
307 bitlen = BSWAP(bitlen);
308#else
309 mac.c[0] = 0;
310 mac.c[1] = (unsigned char)(bitlen>>16);
311 mac.c[2] = (unsigned char)(bitlen>>8);
312 mac.c[3] = (unsigned char)bitlen;
313 bitlen = mac.u[0];
314#endif
315
316 pmac->u[0]=0;
317 pmac->u[1]=0;
318 pmac->u[2]=0;
319 pmac->u[3]=0;
320 pmac->u[4]=0;
321
322 for (res=key->md.num, j=0;j<len;j++) {
323 size_t c = out[j];
324 mask = (j-inp_len)>>(sizeof(j)*8-8);
325 c &= mask;
326 c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8));
327 data->c[res++]=(unsigned char)c;
328
329 if (res!=SHA_CBLOCK) continue;
330
331 /* j is not incremented yet */
332 mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
333 data->u[SHA_LBLOCK-1] |= bitlen&mask;
334 sha1_block_data_order(&key->md,data,1);
335 mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
336 pmac->u[0] |= key->md.h0 & mask;
337 pmac->u[1] |= key->md.h1 & mask;
338 pmac->u[2] |= key->md.h2 & mask;
339 pmac->u[3] |= key->md.h3 & mask;
340 pmac->u[4] |= key->md.h4 & mask;
341 res=0;
342 }
343
344 for(i=res;i<SHA_CBLOCK;i++,j++) data->c[i]=0;
345
346 if (res>SHA_CBLOCK-8) {
347 mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
348 data->u[SHA_LBLOCK-1] |= bitlen&mask;
349 sha1_block_data_order(&key->md,data,1);
350 mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
351 pmac->u[0] |= key->md.h0 & mask;
352 pmac->u[1] |= key->md.h1 & mask;
353 pmac->u[2] |= key->md.h2 & mask;
354 pmac->u[3] |= key->md.h3 & mask;
355 pmac->u[4] |= key->md.h4 & mask;
356
357 memset(data,0,SHA_CBLOCK);
358 j+=64;
359 }
360 data->u[SHA_LBLOCK-1] = bitlen;
361 sha1_block_data_order(&key->md,data,1);
362 mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1));
363 pmac->u[0] |= key->md.h0 & mask;
364 pmac->u[1] |= key->md.h1 & mask;
365 pmac->u[2] |= key->md.h2 & mask;
366 pmac->u[3] |= key->md.h3 & mask;
367 pmac->u[4] |= key->md.h4 & mask;
368
369#ifdef BSWAP
370 pmac->u[0] = BSWAP(pmac->u[0]);
371 pmac->u[1] = BSWAP(pmac->u[1]);
372 pmac->u[2] = BSWAP(pmac->u[2]);
373 pmac->u[3] = BSWAP(pmac->u[3]);
374 pmac->u[4] = BSWAP(pmac->u[4]);
375#else
376 for (i=0;i<5;i++) {
377 res = pmac->u[i];
378 pmac->c[4*i+0]=(unsigned char)(res>>24);
379 pmac->c[4*i+1]=(unsigned char)(res>>16);
380 pmac->c[4*i+2]=(unsigned char)(res>>8);
381 pmac->c[4*i+3]=(unsigned char)res;
382 }
383#endif
384 len += SHA_DIGEST_LENGTH;
385#else
386 SHA1_Update(&key->md,out,inp_len);
387 res = key->md.num;
388 SHA1_Final(pmac->c,&key->md);
389
390 {
391 unsigned int inp_blocks, pad_blocks;
392
393 /* but pretend as if we hashed padded payload */
394 inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
395 res += (unsigned int)(len-inp_len);
396 pad_blocks = res / SHA_CBLOCK;
397 res %= SHA_CBLOCK;
398 pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1));
399 for (;inp_blocks<pad_blocks;inp_blocks++)
400 sha1_block_data_order(&key->md,data,1);
401 }
402#endif
265 key->md = key->tail; 403 key->md = key->tail;
266 SHA1_Update(&key->md,mac,SHA_DIGEST_LENGTH); 404 SHA1_Update(&key->md,pmac->c,SHA_DIGEST_LENGTH);
267 SHA1_Final(mac,&key->md); 405 SHA1_Final(pmac->c,&key->md);
268 406
269 if (memcmp(out+iv+len,mac,SHA_DIGEST_LENGTH)) 407 /* verify HMAC */
270 return 0; 408 out += inp_len;
409 len -= inp_len;
410#if 1
411 {
412 unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH;
413 size_t off = out-p;
414 unsigned int c, cmask;
415
416 maxpad += SHA_DIGEST_LENGTH;
417 for (res=0,i=0,j=0;j<maxpad;j++) {
418 c = p[j];
419 cmask = ((int)(j-off-SHA_DIGEST_LENGTH))>>(sizeof(int)*8-1);
420 res |= (c^pad)&~cmask; /* ... and padding */
421 cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1);
422 res |= (c^pmac->c[i])&cmask;
423 i += 1&cmask;
424 }
425 maxpad -= SHA_DIGEST_LENGTH;
426
427 res = 0-((0-res)>>(sizeof(res)*8-1));
428 ret &= (int)~res;
429 }
430#else
431 for (res=0,i=0;i<SHA_DIGEST_LENGTH;i++)
432 res |= out[i]^pmac->c[i];
433 res = 0-((0-res)>>(sizeof(res)*8-1));
434 ret &= (int)~res;
435
436 /* verify padding */
437 pad = (pad&~res) | (maxpad&res);
438 out = out+len-1-pad;
439 for (res=0,i=0;i<pad;i++)
440 res |= out[i]^pad;
441
442 res = (0-res)>>(sizeof(res)*8-1);
443 ret &= (int)~res;
444#endif
445 return ret;
271 } else { 446 } else {
272 SHA1_Update(&key->md,out,len); 447 SHA1_Update(&key->md,out,len);
273 } 448 }
274 } 449 }
275 450
276 key->payload_length = NO_PAYLOAD_LENGTH;
277
278 return 1; 451 return 1;
279 } 452 }
280 453
@@ -309,6 +482,8 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void
309 SHA1_Init(&key->tail); 482 SHA1_Init(&key->tail);
310 SHA1_Update(&key->tail,hmac_key,sizeof(hmac_key)); 483 SHA1_Update(&key->tail,hmac_key,sizeof(hmac_key));
311 484
485 OPENSSL_cleanse(hmac_key,sizeof(hmac_key));
486
312 return 1; 487 return 1;
313 } 488 }
314 case EVP_CTRL_AEAD_TLS1_AAD: 489 case EVP_CTRL_AEAD_TLS1_AAD:
diff --git a/src/lib/libcrypto/evp/e_des3.c b/src/lib/libcrypto/evp/e_des3.c
index 1e69972662..8d7b7de292 100644
--- a/src/lib/libcrypto/evp/e_des3.c
+++ b/src/lib/libcrypto/evp/e_des3.c
@@ -101,7 +101,7 @@ static int des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
101static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 101static int des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
102 const unsigned char *in, size_t inl) 102 const unsigned char *in, size_t inl)
103{ 103{
104 if (inl>=EVP_MAXCHUNK) 104 while (inl>=EVP_MAXCHUNK)
105 { 105 {
106 DES_ede3_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK, 106 DES_ede3_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK,
107 &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, 107 &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
@@ -132,7 +132,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
132 printf("\n"); 132 printf("\n");
133 } 133 }
134#endif /* KSSL_DEBUG */ 134#endif /* KSSL_DEBUG */
135 if (inl>=EVP_MAXCHUNK) 135 while (inl>=EVP_MAXCHUNK)
136 { 136 {
137 DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK, 137 DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK,
138 &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, 138 &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
@@ -151,7 +151,7 @@ static int des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
151static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, 151static int des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
152 const unsigned char *in, size_t inl) 152 const unsigned char *in, size_t inl)
153{ 153{
154 if (inl>=EVP_MAXCHUNK) 154 while (inl>=EVP_MAXCHUNK)
155 { 155 {
156 DES_ede3_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK, 156 DES_ede3_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK,
157 &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, 157 &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3,
diff --git a/src/lib/libcrypto/evp/evp.h b/src/lib/libcrypto/evp/evp.h
index 0d1b20a7d3..faeb3c24e6 100644
--- a/src/lib/libcrypto/evp/evp.h
+++ b/src/lib/libcrypto/evp/evp.h
@@ -402,7 +402,6 @@ struct evp_cipher_st
402/* Length of tag for TLS */ 402/* Length of tag for TLS */
403#define EVP_GCM_TLS_TAG_LEN 16 403#define EVP_GCM_TLS_TAG_LEN 16
404 404
405
406typedef struct evp_cipher_info_st 405typedef struct evp_cipher_info_st
407 { 406 {
408 const EVP_CIPHER *cipher; 407 const EVP_CIPHER *cipher;
@@ -789,8 +788,8 @@ const EVP_CIPHER *EVP_aes_128_cfb128(void);
789# define EVP_aes_128_cfb EVP_aes_128_cfb128 788# define EVP_aes_128_cfb EVP_aes_128_cfb128
790const EVP_CIPHER *EVP_aes_128_ofb(void); 789const EVP_CIPHER *EVP_aes_128_ofb(void);
791const EVP_CIPHER *EVP_aes_128_ctr(void); 790const EVP_CIPHER *EVP_aes_128_ctr(void);
792const EVP_CIPHER *EVP_aes_128_gcm(void);
793const EVP_CIPHER *EVP_aes_128_ccm(void); 791const EVP_CIPHER *EVP_aes_128_ccm(void);
792const EVP_CIPHER *EVP_aes_128_gcm(void);
794const EVP_CIPHER *EVP_aes_128_xts(void); 793const EVP_CIPHER *EVP_aes_128_xts(void);
795const EVP_CIPHER *EVP_aes_192_ecb(void); 794const EVP_CIPHER *EVP_aes_192_ecb(void);
796const EVP_CIPHER *EVP_aes_192_cbc(void); 795const EVP_CIPHER *EVP_aes_192_cbc(void);
@@ -800,8 +799,8 @@ const EVP_CIPHER *EVP_aes_192_cfb128(void);
800# define EVP_aes_192_cfb EVP_aes_192_cfb128 799# define EVP_aes_192_cfb EVP_aes_192_cfb128
801const EVP_CIPHER *EVP_aes_192_ofb(void); 800const EVP_CIPHER *EVP_aes_192_ofb(void);
802const EVP_CIPHER *EVP_aes_192_ctr(void); 801const EVP_CIPHER *EVP_aes_192_ctr(void);
803const EVP_CIPHER *EVP_aes_192_gcm(void);
804const EVP_CIPHER *EVP_aes_192_ccm(void); 802const EVP_CIPHER *EVP_aes_192_ccm(void);
803const EVP_CIPHER *EVP_aes_192_gcm(void);
805const EVP_CIPHER *EVP_aes_256_ecb(void); 804const EVP_CIPHER *EVP_aes_256_ecb(void);
806const EVP_CIPHER *EVP_aes_256_cbc(void); 805const EVP_CIPHER *EVP_aes_256_cbc(void);
807const EVP_CIPHER *EVP_aes_256_cfb1(void); 806const EVP_CIPHER *EVP_aes_256_cfb1(void);
@@ -810,8 +809,8 @@ const EVP_CIPHER *EVP_aes_256_cfb128(void);
810# define EVP_aes_256_cfb EVP_aes_256_cfb128 809# define EVP_aes_256_cfb EVP_aes_256_cfb128
811const EVP_CIPHER *EVP_aes_256_ofb(void); 810const EVP_CIPHER *EVP_aes_256_ofb(void);
812const EVP_CIPHER *EVP_aes_256_ctr(void); 811const EVP_CIPHER *EVP_aes_256_ctr(void);
813const EVP_CIPHER *EVP_aes_256_gcm(void);
814const EVP_CIPHER *EVP_aes_256_ccm(void); 812const EVP_CIPHER *EVP_aes_256_ccm(void);
813const EVP_CIPHER *EVP_aes_256_gcm(void);
815const EVP_CIPHER *EVP_aes_256_xts(void); 814const EVP_CIPHER *EVP_aes_256_xts(void);
816#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) 815#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
817const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void); 816const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
@@ -1243,6 +1242,8 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth,
1243 int (*ctrl_str)(EVP_PKEY_CTX *ctx, 1242 int (*ctrl_str)(EVP_PKEY_CTX *ctx,
1244 const char *type, const char *value)); 1243 const char *type, const char *value));
1245 1244
1245void EVP_add_alg_module(void);
1246
1246/* BEGIN ERROR CODES */ 1247/* BEGIN ERROR CODES */
1247/* The following lines are auto generated by the script mkerr.pl. Any changes 1248/* The following lines are auto generated by the script mkerr.pl. Any changes
1248 * made after this point may be overwritten when the script is next run. 1249 * made after this point may be overwritten when the script is next run.
@@ -1257,6 +1258,7 @@ void ERR_load_EVP_strings(void);
1257#define EVP_F_AES_INIT_KEY 133 1258#define EVP_F_AES_INIT_KEY 133
1258#define EVP_F_AES_XTS 172 1259#define EVP_F_AES_XTS 172
1259#define EVP_F_AES_XTS_CIPHER 175 1260#define EVP_F_AES_XTS_CIPHER 175
1261#define EVP_F_ALG_MODULE_INIT 177
1260#define EVP_F_CAMELLIA_INIT_KEY 159 1262#define EVP_F_CAMELLIA_INIT_KEY 159
1261#define EVP_F_CMAC_INIT 173 1263#define EVP_F_CMAC_INIT 173
1262#define EVP_F_D2I_PKEY 100 1264#define EVP_F_D2I_PKEY 100
@@ -1350,15 +1352,19 @@ void ERR_load_EVP_strings(void);
1350#define EVP_R_DIFFERENT_PARAMETERS 153 1352#define EVP_R_DIFFERENT_PARAMETERS 153
1351#define EVP_R_DISABLED_FOR_FIPS 163 1353#define EVP_R_DISABLED_FOR_FIPS 163
1352#define EVP_R_ENCODE_ERROR 115 1354#define EVP_R_ENCODE_ERROR 115
1355#define EVP_R_ERROR_LOADING_SECTION 165
1356#define EVP_R_ERROR_SETTING_FIPS_MODE 166
1353#define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 1357#define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119
1354#define EVP_R_EXPECTING_AN_RSA_KEY 127 1358#define EVP_R_EXPECTING_AN_RSA_KEY 127
1355#define EVP_R_EXPECTING_A_DH_KEY 128 1359#define EVP_R_EXPECTING_A_DH_KEY 128
1356#define EVP_R_EXPECTING_A_DSA_KEY 129 1360#define EVP_R_EXPECTING_A_DSA_KEY 129
1357#define EVP_R_EXPECTING_A_ECDSA_KEY 141 1361#define EVP_R_EXPECTING_A_ECDSA_KEY 141
1358#define EVP_R_EXPECTING_A_EC_KEY 142 1362#define EVP_R_EXPECTING_A_EC_KEY 142
1363#define EVP_R_FIPS_MODE_NOT_SUPPORTED 167
1359#define EVP_R_INITIALIZATION_ERROR 134 1364#define EVP_R_INITIALIZATION_ERROR 134
1360#define EVP_R_INPUT_NOT_INITIALIZED 111 1365#define EVP_R_INPUT_NOT_INITIALIZED 111
1361#define EVP_R_INVALID_DIGEST 152 1366#define EVP_R_INVALID_DIGEST 152
1367#define EVP_R_INVALID_FIPS_MODE 168
1362#define EVP_R_INVALID_KEY_LENGTH 130 1368#define EVP_R_INVALID_KEY_LENGTH 130
1363#define EVP_R_INVALID_OPERATION 148 1369#define EVP_R_INVALID_OPERATION 148
1364#define EVP_R_IV_TOO_LARGE 102 1370#define EVP_R_IV_TOO_LARGE 102
@@ -1383,6 +1389,7 @@ void ERR_load_EVP_strings(void);
1383#define EVP_R_TOO_LARGE 164 1389#define EVP_R_TOO_LARGE 164
1384#define EVP_R_UNKNOWN_CIPHER 160 1390#define EVP_R_UNKNOWN_CIPHER 160
1385#define EVP_R_UNKNOWN_DIGEST 161 1391#define EVP_R_UNKNOWN_DIGEST 161
1392#define EVP_R_UNKNOWN_OPTION 169
1386#define EVP_R_UNKNOWN_PBE_ALGORITHM 121 1393#define EVP_R_UNKNOWN_PBE_ALGORITHM 121
1387#define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135 1394#define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135
1388#define EVP_R_UNSUPPORTED_ALGORITHM 156 1395#define EVP_R_UNSUPPORTED_ALGORITHM 156
diff --git a/src/lib/libcrypto/evp/evp_err.c b/src/lib/libcrypto/evp/evp_err.c
index db0f76d59b..08eab9882f 100644
--- a/src/lib/libcrypto/evp/evp_err.c
+++ b/src/lib/libcrypto/evp/evp_err.c
@@ -75,6 +75,7 @@ static ERR_STRING_DATA EVP_str_functs[]=
75{ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"}, 75{ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"},
76{ERR_FUNC(EVP_F_AES_XTS), "AES_XTS"}, 76{ERR_FUNC(EVP_F_AES_XTS), "AES_XTS"},
77{ERR_FUNC(EVP_F_AES_XTS_CIPHER), "AES_XTS_CIPHER"}, 77{ERR_FUNC(EVP_F_AES_XTS_CIPHER), "AES_XTS_CIPHER"},
78{ERR_FUNC(EVP_F_ALG_MODULE_INIT), "ALG_MODULE_INIT"},
78{ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"}, 79{ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"},
79{ERR_FUNC(EVP_F_CMAC_INIT), "CMAC_INIT"}, 80{ERR_FUNC(EVP_F_CMAC_INIT), "CMAC_INIT"},
80{ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"}, 81{ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"},
@@ -171,15 +172,19 @@ static ERR_STRING_DATA EVP_str_reasons[]=
171{ERR_REASON(EVP_R_DIFFERENT_PARAMETERS) ,"different parameters"}, 172{ERR_REASON(EVP_R_DIFFERENT_PARAMETERS) ,"different parameters"},
172{ERR_REASON(EVP_R_DISABLED_FOR_FIPS) ,"disabled for fips"}, 173{ERR_REASON(EVP_R_DISABLED_FOR_FIPS) ,"disabled for fips"},
173{ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"}, 174{ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"},
175{ERR_REASON(EVP_R_ERROR_LOADING_SECTION) ,"error loading section"},
176{ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE),"error setting fips mode"},
174{ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"}, 177{ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"},
175{ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"}, 178{ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"},
176{ERR_REASON(EVP_R_EXPECTING_A_DH_KEY) ,"expecting a dh key"}, 179{ERR_REASON(EVP_R_EXPECTING_A_DH_KEY) ,"expecting a dh key"},
177{ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY) ,"expecting a dsa key"}, 180{ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY) ,"expecting a dsa key"},
178{ERR_REASON(EVP_R_EXPECTING_A_ECDSA_KEY) ,"expecting a ecdsa key"}, 181{ERR_REASON(EVP_R_EXPECTING_A_ECDSA_KEY) ,"expecting a ecdsa key"},
179{ERR_REASON(EVP_R_EXPECTING_A_EC_KEY) ,"expecting a ec key"}, 182{ERR_REASON(EVP_R_EXPECTING_A_EC_KEY) ,"expecting a ec key"},
183{ERR_REASON(EVP_R_FIPS_MODE_NOT_SUPPORTED),"fips mode not supported"},
180{ERR_REASON(EVP_R_INITIALIZATION_ERROR) ,"initialization error"}, 184{ERR_REASON(EVP_R_INITIALIZATION_ERROR) ,"initialization error"},
181{ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not initialized"}, 185{ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not initialized"},
182{ERR_REASON(EVP_R_INVALID_DIGEST) ,"invalid digest"}, 186{ERR_REASON(EVP_R_INVALID_DIGEST) ,"invalid digest"},
187{ERR_REASON(EVP_R_INVALID_FIPS_MODE) ,"invalid fips mode"},
183{ERR_REASON(EVP_R_INVALID_KEY_LENGTH) ,"invalid key length"}, 188{ERR_REASON(EVP_R_INVALID_KEY_LENGTH) ,"invalid key length"},
184{ERR_REASON(EVP_R_INVALID_OPERATION) ,"invalid operation"}, 189{ERR_REASON(EVP_R_INVALID_OPERATION) ,"invalid operation"},
185{ERR_REASON(EVP_R_IV_TOO_LARGE) ,"iv too large"}, 190{ERR_REASON(EVP_R_IV_TOO_LARGE) ,"iv too large"},
@@ -204,6 +209,7 @@ static ERR_STRING_DATA EVP_str_reasons[]=
204{ERR_REASON(EVP_R_TOO_LARGE) ,"too large"}, 209{ERR_REASON(EVP_R_TOO_LARGE) ,"too large"},
205{ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"}, 210{ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"},
206{ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"}, 211{ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"},
212{ERR_REASON(EVP_R_UNKNOWN_OPTION) ,"unknown option"},
207{ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"}, 213{ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"},
208{ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"}, 214{ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"},
209{ERR_REASON(EVP_R_UNSUPPORTED_ALGORITHM) ,"unsupported algorithm"}, 215{ERR_REASON(EVP_R_UNSUPPORTED_ALGORITHM) ,"unsupported algorithm"},
diff --git a/src/lib/libcrypto/evp/m_dss.c b/src/lib/libcrypto/evp/m_dss.c
index 4ad63ada6f..6fb7e9a861 100644
--- a/src/lib/libcrypto/evp/m_dss.c
+++ b/src/lib/libcrypto/evp/m_dss.c
@@ -60,7 +60,7 @@
60#include "cryptlib.h" 60#include "cryptlib.h"
61#include <openssl/evp.h> 61#include <openssl/evp.h>
62#include <openssl/objects.h> 62#include <openssl/objects.h>
63#include <openssl/x509.h> 63#include <openssl/sha.h>
64#ifndef OPENSSL_NO_DSA 64#ifndef OPENSSL_NO_DSA
65#include <openssl/dsa.h> 65#include <openssl/dsa.h>
66#endif 66#endif
diff --git a/src/lib/libcrypto/evp/m_dss1.c b/src/lib/libcrypto/evp/m_dss1.c
index f80170efeb..2df362a670 100644
--- a/src/lib/libcrypto/evp/m_dss1.c
+++ b/src/lib/libcrypto/evp/m_dss1.c
@@ -63,7 +63,7 @@
63 63
64#include <openssl/evp.h> 64#include <openssl/evp.h>
65#include <openssl/objects.h> 65#include <openssl/objects.h>
66#include <openssl/x509.h> 66#include <openssl/sha.h>
67#ifndef OPENSSL_NO_DSA 67#ifndef OPENSSL_NO_DSA
68#include <openssl/dsa.h> 68#include <openssl/dsa.h>
69#endif 69#endif
diff --git a/src/lib/libcrypto/evp/m_sha1.c b/src/lib/libcrypto/evp/m_sha1.c
index 3cb11f1ebb..bd0c01ad3c 100644
--- a/src/lib/libcrypto/evp/m_sha1.c
+++ b/src/lib/libcrypto/evp/m_sha1.c
@@ -65,7 +65,7 @@
65 65
66#include <openssl/evp.h> 66#include <openssl/evp.h>
67#include <openssl/objects.h> 67#include <openssl/objects.h>
68#include <openssl/x509.h> 68#include <openssl/sha.h>
69#ifndef OPENSSL_NO_RSA 69#ifndef OPENSSL_NO_RSA
70#include <openssl/rsa.h> 70#include <openssl/rsa.h>
71#endif 71#endif
diff --git a/src/lib/libcrypto/evp/p5_crpt2.c b/src/lib/libcrypto/evp/p5_crpt2.c
index 975d004df4..fe3c6c8813 100644
--- a/src/lib/libcrypto/evp/p5_crpt2.c
+++ b/src/lib/libcrypto/evp/p5_crpt2.c
@@ -85,19 +85,24 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
85 unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4]; 85 unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4];
86 int cplen, j, k, tkeylen, mdlen; 86 int cplen, j, k, tkeylen, mdlen;
87 unsigned long i = 1; 87 unsigned long i = 1;
88 HMAC_CTX hctx; 88 HMAC_CTX hctx_tpl, hctx;
89 89
90 mdlen = EVP_MD_size(digest); 90 mdlen = EVP_MD_size(digest);
91 if (mdlen < 0) 91 if (mdlen < 0)
92 return 0; 92 return 0;
93 93
94 HMAC_CTX_init(&hctx); 94 HMAC_CTX_init(&hctx_tpl);
95 p = out; 95 p = out;
96 tkeylen = keylen; 96 tkeylen = keylen;
97 if(!pass) 97 if(!pass)
98 passlen = 0; 98 passlen = 0;
99 else if(passlen == -1) 99 else if(passlen == -1)
100 passlen = strlen(pass); 100 passlen = strlen(pass);
101 if (!HMAC_Init_ex(&hctx_tpl, pass, passlen, digest, NULL))
102 {
103 HMAC_CTX_cleanup(&hctx_tpl);
104 return 0;
105 }
101 while(tkeylen) 106 while(tkeylen)
102 { 107 {
103 if(tkeylen > mdlen) 108 if(tkeylen > mdlen)
@@ -111,19 +116,36 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
111 itmp[1] = (unsigned char)((i >> 16) & 0xff); 116 itmp[1] = (unsigned char)((i >> 16) & 0xff);
112 itmp[2] = (unsigned char)((i >> 8) & 0xff); 117 itmp[2] = (unsigned char)((i >> 8) & 0xff);
113 itmp[3] = (unsigned char)(i & 0xff); 118 itmp[3] = (unsigned char)(i & 0xff);
114 if (!HMAC_Init_ex(&hctx, pass, passlen, digest, NULL) 119 if (!HMAC_CTX_copy(&hctx, &hctx_tpl))
115 || !HMAC_Update(&hctx, salt, saltlen)
116 || !HMAC_Update(&hctx, itmp, 4)
117 || !HMAC_Final(&hctx, digtmp, NULL))
118 { 120 {
121 HMAC_CTX_cleanup(&hctx_tpl);
122 return 0;
123 }
124 if (!HMAC_Update(&hctx, salt, saltlen)
125 || !HMAC_Update(&hctx, itmp, 4)
126 || !HMAC_Final(&hctx, digtmp, NULL))
127 {
128 HMAC_CTX_cleanup(&hctx_tpl);
119 HMAC_CTX_cleanup(&hctx); 129 HMAC_CTX_cleanup(&hctx);
120 return 0; 130 return 0;
121 } 131 }
132 HMAC_CTX_cleanup(&hctx);
122 memcpy(p, digtmp, cplen); 133 memcpy(p, digtmp, cplen);
123 for(j = 1; j < iter; j++) 134 for(j = 1; j < iter; j++)
124 { 135 {
125 HMAC(digest, pass, passlen, 136 if (!HMAC_CTX_copy(&hctx, &hctx_tpl))
126 digtmp, mdlen, digtmp, NULL); 137 {
138 HMAC_CTX_cleanup(&hctx_tpl);
139 return 0;
140 }
141 if (!HMAC_Update(&hctx, digtmp, mdlen)
142 || !HMAC_Final(&hctx, digtmp, NULL))
143 {
144 HMAC_CTX_cleanup(&hctx_tpl);
145 HMAC_CTX_cleanup(&hctx);
146 return 0;
147 }
148 HMAC_CTX_cleanup(&hctx);
127 for(k = 0; k < cplen; k++) 149 for(k = 0; k < cplen; k++)
128 p[k] ^= digtmp[k]; 150 p[k] ^= digtmp[k];
129 } 151 }
@@ -131,7 +153,7 @@ int PKCS5_PBKDF2_HMAC(const char *pass, int passlen,
131 i++; 153 i++;
132 p+= cplen; 154 p+= cplen;
133 } 155 }
134 HMAC_CTX_cleanup(&hctx); 156 HMAC_CTX_cleanup(&hctx_tpl);
135#ifdef DEBUG_PKCS5V2 157#ifdef DEBUG_PKCS5V2
136 fprintf(stderr, "Password:\n"); 158 fprintf(stderr, "Password:\n");
137 h__dump (pass, passlen); 159 h__dump (pass, passlen);
diff --git a/src/lib/libcrypto/evp/p_sign.c b/src/lib/libcrypto/evp/p_sign.c
index dfa48c157c..8afb664306 100644
--- a/src/lib/libcrypto/evp/p_sign.c
+++ b/src/lib/libcrypto/evp/p_sign.c
@@ -80,7 +80,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen,
80 { 80 {
81 unsigned char m[EVP_MAX_MD_SIZE]; 81 unsigned char m[EVP_MAX_MD_SIZE];
82 unsigned int m_len; 82 unsigned int m_len;
83 int i=0,ok=0,v; 83 int i = 0,ok = 0,v;
84 EVP_MD_CTX tmp_ctx; 84 EVP_MD_CTX tmp_ctx;
85 EVP_PKEY_CTX *pkctx = NULL; 85 EVP_PKEY_CTX *pkctx = NULL;
86 86
diff --git a/src/lib/libcrypto/evp/p_verify.c b/src/lib/libcrypto/evp/p_verify.c
index 5f5c409f45..c66d63ccf8 100644
--- a/src/lib/libcrypto/evp/p_verify.c
+++ b/src/lib/libcrypto/evp/p_verify.c
@@ -67,7 +67,7 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
67 { 67 {
68 unsigned char m[EVP_MAX_MD_SIZE]; 68 unsigned char m[EVP_MAX_MD_SIZE];
69 unsigned int m_len; 69 unsigned int m_len;
70 int i=-1,ok=0,v; 70 int i = 0,ok = 0,v;
71 EVP_MD_CTX tmp_ctx; 71 EVP_MD_CTX tmp_ctx;
72 EVP_PKEY_CTX *pkctx = NULL; 72 EVP_PKEY_CTX *pkctx = NULL;
73 73
diff --git a/src/lib/libcrypto/md4/md4_dgst.c b/src/lib/libcrypto/md4/md4_dgst.c
index 82c2cb2d98..b5b165b052 100644
--- a/src/lib/libcrypto/md4/md4_dgst.c
+++ b/src/lib/libcrypto/md4/md4_dgst.c
@@ -106,22 +106,23 @@ void md4_block_data_order (MD4_CTX *c, const void *data_, size_t num)
106 106
107 for (;num--;) 107 for (;num--;)
108 { 108 {
109 HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l; 109 (void)HOST_c2l(data,l); X( 0)=l;
110 (void)HOST_c2l(data,l); X( 1)=l;
110 /* Round 0 */ 111 /* Round 0 */
111 R0(A,B,C,D,X( 0), 3,0); HOST_c2l(data,l); X( 2)=l; 112 R0(A,B,C,D,X( 0), 3,0); (void)HOST_c2l(data,l); X( 2)=l;
112 R0(D,A,B,C,X( 1), 7,0); HOST_c2l(data,l); X( 3)=l; 113 R0(D,A,B,C,X( 1), 7,0); (void)HOST_c2l(data,l); X( 3)=l;
113 R0(C,D,A,B,X( 2),11,0); HOST_c2l(data,l); X( 4)=l; 114 R0(C,D,A,B,X( 2),11,0); (void)HOST_c2l(data,l); X( 4)=l;
114 R0(B,C,D,A,X( 3),19,0); HOST_c2l(data,l); X( 5)=l; 115 R0(B,C,D,A,X( 3),19,0); (void)HOST_c2l(data,l); X( 5)=l;
115 R0(A,B,C,D,X( 4), 3,0); HOST_c2l(data,l); X( 6)=l; 116 R0(A,B,C,D,X( 4), 3,0); (void)HOST_c2l(data,l); X( 6)=l;
116 R0(D,A,B,C,X( 5), 7,0); HOST_c2l(data,l); X( 7)=l; 117 R0(D,A,B,C,X( 5), 7,0); (void)HOST_c2l(data,l); X( 7)=l;
117 R0(C,D,A,B,X( 6),11,0); HOST_c2l(data,l); X( 8)=l; 118 R0(C,D,A,B,X( 6),11,0); (void)HOST_c2l(data,l); X( 8)=l;
118 R0(B,C,D,A,X( 7),19,0); HOST_c2l(data,l); X( 9)=l; 119 R0(B,C,D,A,X( 7),19,0); (void)HOST_c2l(data,l); X( 9)=l;
119 R0(A,B,C,D,X( 8), 3,0); HOST_c2l(data,l); X(10)=l; 120 R0(A,B,C,D,X( 8), 3,0); (void)HOST_c2l(data,l); X(10)=l;
120 R0(D,A,B,C,X( 9), 7,0); HOST_c2l(data,l); X(11)=l; 121 R0(D,A,B,C,X( 9), 7,0); (void)HOST_c2l(data,l); X(11)=l;
121 R0(C,D,A,B,X(10),11,0); HOST_c2l(data,l); X(12)=l; 122 R0(C,D,A,B,X(10),11,0); (void)HOST_c2l(data,l); X(12)=l;
122 R0(B,C,D,A,X(11),19,0); HOST_c2l(data,l); X(13)=l; 123 R0(B,C,D,A,X(11),19,0); (void)HOST_c2l(data,l); X(13)=l;
123 R0(A,B,C,D,X(12), 3,0); HOST_c2l(data,l); X(14)=l; 124 R0(A,B,C,D,X(12), 3,0); (void)HOST_c2l(data,l); X(14)=l;
124 R0(D,A,B,C,X(13), 7,0); HOST_c2l(data,l); X(15)=l; 125 R0(D,A,B,C,X(13), 7,0); (void)HOST_c2l(data,l); X(15)=l;
125 R0(C,D,A,B,X(14),11,0); 126 R0(C,D,A,B,X(14),11,0);
126 R0(B,C,D,A,X(15),19,0); 127 R0(B,C,D,A,X(15),19,0);
127 /* Round 1 */ 128 /* Round 1 */
diff --git a/src/lib/libcrypto/md4/md4_locl.h b/src/lib/libcrypto/md4/md4_locl.h
index c8085b0ead..99c3e5004c 100644
--- a/src/lib/libcrypto/md4/md4_locl.h
+++ b/src/lib/libcrypto/md4/md4_locl.h
@@ -77,10 +77,10 @@ void md4_block_data_order (MD4_CTX *c, const void *p,size_t num);
77#define HASH_FINAL MD4_Final 77#define HASH_FINAL MD4_Final
78#define HASH_MAKE_STRING(c,s) do { \ 78#define HASH_MAKE_STRING(c,s) do { \
79 unsigned long ll; \ 79 unsigned long ll; \
80 ll=(c)->A; HOST_l2c(ll,(s)); \ 80 ll=(c)->A; (void)HOST_l2c(ll,(s)); \
81 ll=(c)->B; HOST_l2c(ll,(s)); \ 81 ll=(c)->B; (void)HOST_l2c(ll,(s)); \
82 ll=(c)->C; HOST_l2c(ll,(s)); \ 82 ll=(c)->C; (void)HOST_l2c(ll,(s)); \
83 ll=(c)->D; HOST_l2c(ll,(s)); \ 83 ll=(c)->D; (void)HOST_l2c(ll,(s)); \
84 } while (0) 84 } while (0)
85#define HASH_BLOCK_DATA_ORDER md4_block_data_order 85#define HASH_BLOCK_DATA_ORDER md4_block_data_order
86 86
diff --git a/src/lib/libcrypto/md5/asm/md5-x86_64.pl b/src/lib/libcrypto/md5/asm/md5-x86_64.pl
index 867885435e..f11224d172 100755
--- a/src/lib/libcrypto/md5/asm/md5-x86_64.pl
+++ b/src/lib/libcrypto/md5/asm/md5-x86_64.pl
@@ -120,7 +120,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlate;
120die "can't locate x86_64-xlate.pl"; 120die "can't locate x86_64-xlate.pl";
121 121
122no warnings qw(uninitialized); 122no warnings qw(uninitialized);
123open STDOUT,"| $^X $xlate $flavour $output"; 123open OUT,"| \"$^X\" $xlate $flavour $output";
124*STDOUT=*OUT;
124 125
125$code .= <<EOF; 126$code .= <<EOF;
126.text 127.text
diff --git a/src/lib/libcrypto/md5/md5_locl.h b/src/lib/libcrypto/md5/md5_locl.h
index 968d577995..74d63d1f9c 100644
--- a/src/lib/libcrypto/md5/md5_locl.h
+++ b/src/lib/libcrypto/md5/md5_locl.h
@@ -86,10 +86,10 @@ void md5_block_data_order (MD5_CTX *c, const void *p,size_t num);
86#define HASH_FINAL MD5_Final 86#define HASH_FINAL MD5_Final
87#define HASH_MAKE_STRING(c,s) do { \ 87#define HASH_MAKE_STRING(c,s) do { \
88 unsigned long ll; \ 88 unsigned long ll; \
89 ll=(c)->A; HOST_l2c(ll,(s)); \ 89 ll=(c)->A; (void)HOST_l2c(ll,(s)); \
90 ll=(c)->B; HOST_l2c(ll,(s)); \ 90 ll=(c)->B; (void)HOST_l2c(ll,(s)); \
91 ll=(c)->C; HOST_l2c(ll,(s)); \ 91 ll=(c)->C; (void)HOST_l2c(ll,(s)); \
92 ll=(c)->D; HOST_l2c(ll,(s)); \ 92 ll=(c)->D; (void)HOST_l2c(ll,(s)); \
93 } while (0) 93 } while (0)
94#define HASH_BLOCK_DATA_ORDER md5_block_data_order 94#define HASH_BLOCK_DATA_ORDER md5_block_data_order
95 95
diff --git a/src/lib/libcrypto/modes/asm/ghash-alpha.pl b/src/lib/libcrypto/modes/asm/ghash-alpha.pl
index 6358b2750f..aa36029386 100644
--- a/src/lib/libcrypto/modes/asm/ghash-alpha.pl
+++ b/src/lib/libcrypto/modes/asm/ghash-alpha.pl
@@ -266,8 +266,8 @@ gcm_gmult_4bit:
266 ldq $Xlo,8($Xi) 266 ldq $Xlo,8($Xi)
267 ldq $Xhi,0($Xi) 267 ldq $Xhi,0($Xi)
268 268
269 br $rem_4bit,.Lpic1 269 bsr $t0,picmeup
270.Lpic1: lda $rem_4bit,rem_4bit-.Lpic1($rem_4bit) 270 nop
271___ 271___
272 272
273 &loop(); 273 &loop();
@@ -341,8 +341,8 @@ gcm_ghash_4bit:
341 ldq $Xhi,0($Xi) 341 ldq $Xhi,0($Xi)
342 ldq $Xlo,8($Xi) 342 ldq $Xlo,8($Xi)
343 343
344 br $rem_4bit,.Lpic2 344 bsr $t0,picmeup
345.Lpic2: lda $rem_4bit,rem_4bit-.Lpic2($rem_4bit) 345 nop
346 346
347.Louter: 347.Louter:
348 extql $inhi,$inp,$inhi 348 extql $inhi,$inp,$inhi
@@ -436,11 +436,20 @@ $code.=<<___;
436.end gcm_ghash_4bit 436.end gcm_ghash_4bit
437 437
438.align 4 438.align 4
439.ent picmeup
440picmeup:
441 .frame sp,0,$t0
442 .prologue 0
443 br $rem_4bit,.Lpic
444.Lpic: lda $rem_4bit,12($rem_4bit)
445 ret ($t0)
446.end picmeup
447 nop
439rem_4bit: 448rem_4bit:
440 .quad 0x0000<<48, 0x1C20<<48, 0x3840<<48, 0x2460<<48 449 .long 0,0x0000<<16, 0,0x1C20<<16, 0,0x3840<<16, 0,0x2460<<16
441 .quad 0x7080<<48, 0x6CA0<<48, 0x48C0<<48, 0x54E0<<48 450 .long 0,0x7080<<16, 0,0x6CA0<<16, 0,0x48C0<<16, 0,0x54E0<<16
442 .quad 0xE100<<48, 0xFD20<<48, 0xD940<<48, 0xC560<<48 451 .long 0,0xE100<<16, 0,0xFD20<<16, 0,0xD940<<16, 0,0xC560<<16
443 .quad 0x9180<<48, 0x8DA0<<48, 0xA9C0<<48, 0xB5E0<<48 452 .long 0,0x9180<<16, 0,0x8DA0<<16, 0,0xA9C0<<16, 0,0xB5E0<<16
444.ascii "GHASH for Alpha, CRYPTOGAMS by <appro\@openssl.org>" 453.ascii "GHASH for Alpha, CRYPTOGAMS by <appro\@openssl.org>"
445.align 4 454.align 4
446 455
diff --git a/src/lib/libcrypto/modes/asm/ghash-parisc.pl b/src/lib/libcrypto/modes/asm/ghash-parisc.pl
index 8c7454ee93..d5ad96b403 100644
--- a/src/lib/libcrypto/modes/asm/ghash-parisc.pl
+++ b/src/lib/libcrypto/modes/asm/ghash-parisc.pl
@@ -724,6 +724,7 @@ foreach (split("\n",$code)) {
724 s/cmpb,\*/comb,/; 724 s/cmpb,\*/comb,/;
725 s/,\*/,/; 725 s/,\*/,/;
726 } 726 }
727 s/\bbv\b/bve/ if ($SIZE_T==8);
727 print $_,"\n"; 728 print $_,"\n";
728} 729}
729 730
diff --git a/src/lib/libcrypto/modes/asm/ghash-x86.pl b/src/lib/libcrypto/modes/asm/ghash-x86.pl
index 6b09669d47..83c727e07f 100644
--- a/src/lib/libcrypto/modes/asm/ghash-x86.pl
+++ b/src/lib/libcrypto/modes/asm/ghash-x86.pl
@@ -635,7 +635,7 @@ sub mmx_loop() {
635 { my @lo = ("mm0","mm1","mm2"); 635 { my @lo = ("mm0","mm1","mm2");
636 my @hi = ("mm3","mm4","mm5"); 636 my @hi = ("mm3","mm4","mm5");
637 my @tmp = ("mm6","mm7"); 637 my @tmp = ("mm6","mm7");
638 my $off1=0,$off2=0,$i; 638 my ($off1,$off2,$i) = (0,0,);
639 639
640 &add ($Htbl,128); # optimize for size 640 &add ($Htbl,128); # optimize for size
641 &lea ("edi",&DWP(16+128,"esp")); 641 &lea ("edi",&DWP(16+128,"esp"));
@@ -883,7 +883,7 @@ sub reduction_alg9 { # 17/13 times faster than Intel version
883my ($Xhi,$Xi) = @_; 883my ($Xhi,$Xi) = @_;
884 884
885 # 1st phase 885 # 1st phase
886 &movdqa ($T1,$Xi) # 886 &movdqa ($T1,$Xi); #
887 &psllq ($Xi,1); 887 &psllq ($Xi,1);
888 &pxor ($Xi,$T1); # 888 &pxor ($Xi,$T1); #
889 &psllq ($Xi,5); # 889 &psllq ($Xi,5); #
@@ -1019,7 +1019,7 @@ my ($Xhi,$Xi) = @_;
1019 &movdqa ($Xhn,$Xn); 1019 &movdqa ($Xhn,$Xn);
1020 &pxor ($Xhi,$T1); # "Ii+Xi", consume early 1020 &pxor ($Xhi,$T1); # "Ii+Xi", consume early
1021 1021
1022 &movdqa ($T1,$Xi) #&reduction_alg9($Xhi,$Xi); 1st phase 1022 &movdqa ($T1,$Xi); #&reduction_alg9($Xhi,$Xi); 1st phase
1023 &psllq ($Xi,1); 1023 &psllq ($Xi,1);
1024 &pxor ($Xi,$T1); # 1024 &pxor ($Xi,$T1); #
1025 &psllq ($Xi,5); # 1025 &psllq ($Xi,5); #
diff --git a/src/lib/libcrypto/modes/asm/ghash-x86_64.pl b/src/lib/libcrypto/modes/asm/ghash-x86_64.pl
index a5ae180882..38d779edbc 100644
--- a/src/lib/libcrypto/modes/asm/ghash-x86_64.pl
+++ b/src/lib/libcrypto/modes/asm/ghash-x86_64.pl
@@ -50,7 +50,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
50( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 50( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
51die "can't locate x86_64-xlate.pl"; 51die "can't locate x86_64-xlate.pl";
52 52
53open STDOUT,"| $^X $xlate $flavour $output"; 53open OUT,"| \"$^X\" $xlate $flavour $output";
54*STDOUT=*OUT;
54 55
55# common register layout 56# common register layout
56$nlo="%rax"; 57$nlo="%rax";
diff --git a/src/lib/libcrypto/modes/cbc128.c b/src/lib/libcrypto/modes/cbc128.c
index 3d3782cbe1..0e54f75470 100644
--- a/src/lib/libcrypto/modes/cbc128.c
+++ b/src/lib/libcrypto/modes/cbc128.c
@@ -117,7 +117,7 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
117 unsigned char ivec[16], block128_f block) 117 unsigned char ivec[16], block128_f block)
118{ 118{
119 size_t n; 119 size_t n;
120 union { size_t align; unsigned char c[16]; } tmp; 120 union { size_t t[16/sizeof(size_t)]; unsigned char c[16]; } tmp;
121 121
122 assert(in && out && key && ivec); 122 assert(in && out && key && ivec);
123 123
@@ -137,11 +137,13 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
137 out += 16; 137 out += 16;
138 } 138 }
139 } 139 }
140 else { 140 else if (16%sizeof(size_t) == 0) { /* always true */
141 while (len>=16) { 141 while (len>=16) {
142 size_t *out_t=(size_t *)out, *iv_t=(size_t *)iv;
143
142 (*block)(in, out, key); 144 (*block)(in, out, key);
143 for(n=0; n<16; n+=sizeof(size_t)) 145 for(n=0; n<16/sizeof(size_t); n++)
144 *(size_t *)(out+n) ^= *(size_t *)(iv+n); 146 out_t[n] ^= iv_t[n];
145 iv = in; 147 iv = in;
146 len -= 16; 148 len -= 16;
147 in += 16; 149 in += 16;
@@ -165,15 +167,16 @@ void CRYPTO_cbc128_decrypt(const unsigned char *in, unsigned char *out,
165 out += 16; 167 out += 16;
166 } 168 }
167 } 169 }
168 else { 170 else if (16%sizeof(size_t) == 0) { /* always true */
169 size_t c;
170 while (len>=16) { 171 while (len>=16) {
172 size_t c, *out_t=(size_t *)out, *ivec_t=(size_t *)ivec;
173 const size_t *in_t=(const size_t *)in;
174
171 (*block)(in, tmp.c, key); 175 (*block)(in, tmp.c, key);
172 for(n=0; n<16; n+=sizeof(size_t)) { 176 for(n=0; n<16/sizeof(size_t); n++) {
173 c = *(size_t *)(in+n); 177 c = in_t[n];
174 *(size_t *)(out+n) = 178 out_t[n] = tmp.t[n] ^ ivec_t[n];
175 *(size_t *)(tmp.c+n) ^ *(size_t *)(ivec+n); 179 ivec_t[n] = c;
176 *(size_t *)(ivec+n) = c;
177 } 180 }
178 len -= 16; 181 len -= 16;
179 in += 16; 182 in += 16;
diff --git a/src/lib/libcrypto/modes/ccm128.c b/src/lib/libcrypto/modes/ccm128.c
index c9b35e5b35..3ce11d0d98 100644
--- a/src/lib/libcrypto/modes/ccm128.c
+++ b/src/lib/libcrypto/modes/ccm128.c
@@ -87,7 +87,7 @@ int CRYPTO_ccm128_setiv(CCM128_CONTEXT *ctx,
87 ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8))); 87 ctx->nonce.c[11] = (u8)(mlen>>(32%(sizeof(mlen)*8)));
88 } 88 }
89 else 89 else
90 *(u32*)(&ctx->nonce.c[8]) = 0; 90 ctx->nonce.u[1] = 0;
91 91
92 ctx->nonce.c[12] = (u8)(mlen>>24); 92 ctx->nonce.c[12] = (u8)(mlen>>24);
93 ctx->nonce.c[13] = (u8)(mlen>>16); 93 ctx->nonce.c[13] = (u8)(mlen>>16);
diff --git a/src/lib/libcrypto/modes/cts128.c b/src/lib/libcrypto/modes/cts128.c
index c0e1f3696c..2d583de6f6 100644
--- a/src/lib/libcrypto/modes/cts128.c
+++ b/src/lib/libcrypto/modes/cts128.c
@@ -108,12 +108,8 @@ size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
108 (*cbc)(in,out-16,residue,key,ivec,1); 108 (*cbc)(in,out-16,residue,key,ivec,1);
109 memcpy(out,tmp.c,residue); 109 memcpy(out,tmp.c,residue);
110#else 110#else
111 { 111 memset(tmp.c,0,sizeof(tmp));
112 size_t n;
113 for (n=0; n<16; n+=sizeof(size_t))
114 *(size_t *)(tmp.c+n) = 0;
115 memcpy(tmp.c,in,residue); 112 memcpy(tmp.c,in,residue);
116 }
117 memcpy(out,out-16,residue); 113 memcpy(out,out-16,residue);
118 (*cbc)(tmp.c,out-16,16,key,ivec,1); 114 (*cbc)(tmp.c,out-16,16,key,ivec,1);
119#endif 115#endif
@@ -144,12 +140,8 @@ size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
144#if defined(CBC_HANDLES_TRUNCATED_IO) 140#if defined(CBC_HANDLES_TRUNCATED_IO)
145 (*cbc)(in,out-16+residue,residue,key,ivec,1); 141 (*cbc)(in,out-16+residue,residue,key,ivec,1);
146#else 142#else
147 { 143 memset(tmp.c,0,sizeof(tmp));
148 size_t n;
149 for (n=0; n<16; n+=sizeof(size_t))
150 *(size_t *)(tmp.c+n) = 0;
151 memcpy(tmp.c,in,residue); 144 memcpy(tmp.c,in,residue);
152 }
153 (*cbc)(tmp.c,out-16+residue,16,key,ivec,1); 145 (*cbc)(tmp.c,out-16+residue,16,key,ivec,1);
154#endif 146#endif
155 return len+residue; 147 return len+residue;
@@ -177,8 +169,7 @@ size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
177 169
178 (*block)(in,tmp.c+16,key); 170 (*block)(in,tmp.c+16,key);
179 171
180 for (n=0; n<16; n+=sizeof(size_t)) 172 memcpy(tmp.c,tmp.c+16,16);
181 *(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);
182 memcpy(tmp.c,in+16,residue); 173 memcpy(tmp.c,in+16,residue);
183 (*block)(tmp.c,tmp.c,key); 174 (*block)(tmp.c,tmp.c,key);
184 175
@@ -220,8 +211,7 @@ size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *o
220 211
221 (*block)(in+residue,tmp.c+16,key); 212 (*block)(in+residue,tmp.c+16,key);
222 213
223 for (n=0; n<16; n+=sizeof(size_t)) 214 memcpy(tmp.c,tmp.c+16,16);
224 *(size_t *)(tmp.c+n) = *(size_t *)(tmp.c+16+n);
225 memcpy(tmp.c,in,residue); 215 memcpy(tmp.c,in,residue);
226 (*block)(tmp.c,tmp.c,key); 216 (*block)(tmp.c,tmp.c,key);
227 217
@@ -240,7 +230,7 @@ size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *o
240size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out, 230size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
241 size_t len, const void *key, 231 size_t len, const void *key,
242 unsigned char ivec[16], cbc128_f cbc) 232 unsigned char ivec[16], cbc128_f cbc)
243{ size_t residue, n; 233{ size_t residue;
244 union { size_t align; unsigned char c[32]; } tmp; 234 union { size_t align; unsigned char c[32]; } tmp;
245 235
246 assert (in && out && key && ivec); 236 assert (in && out && key && ivec);
@@ -257,8 +247,7 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
257 out += len; 247 out += len;
258 } 248 }
259 249
260 for (n=16; n<32; n+=sizeof(size_t)) 250 memset(tmp.c,0,sizeof(tmp));
261 *(size_t *)(tmp.c+n) = 0;
262 /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */ 251 /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
263 (*cbc)(in,tmp.c,16,key,tmp.c+16,0); 252 (*cbc)(in,tmp.c,16,key,tmp.c+16,0);
264 253
@@ -275,7 +264,7 @@ size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
275size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out, 264size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
276 size_t len, const void *key, 265 size_t len, const void *key,
277 unsigned char ivec[16], cbc128_f cbc) 266 unsigned char ivec[16], cbc128_f cbc)
278{ size_t residue, n; 267{ size_t residue;
279 union { size_t align; unsigned char c[32]; } tmp; 268 union { size_t align; unsigned char c[32]; } tmp;
280 269
281 assert (in && out && key && ivec); 270 assert (in && out && key && ivec);
@@ -297,8 +286,7 @@ size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
297 out += len; 286 out += len;
298 } 287 }
299 288
300 for (n=16; n<32; n+=sizeof(size_t)) 289 memset(tmp.c,0,sizeof(tmp));
301 *(size_t *)(tmp.c+n) = 0;
302 /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */ 290 /* this places in[16] at &tmp.c[16] and decrypted block at &tmp.c[0] */
303 (*cbc)(in+residue,tmp.c,16,key,tmp.c+16,0); 291 (*cbc)(in+residue,tmp.c,16,key,tmp.c+16,0);
304 292
diff --git a/src/lib/libcrypto/modes/gcm128.c b/src/lib/libcrypto/modes/gcm128.c
index 7d6d034970..e1dc2b0f47 100644
--- a/src/lib/libcrypto/modes/gcm128.c
+++ b/src/lib/libcrypto/modes/gcm128.c
@@ -723,7 +723,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
723# endif 723# endif
724 gcm_init_4bit(ctx->Htable,ctx->H.u); 724 gcm_init_4bit(ctx->Htable,ctx->H.u);
725# if defined(GHASH_ASM_X86) /* x86 only */ 725# if defined(GHASH_ASM_X86) /* x86 only */
726# if defined(OPENSSL_IA32_SSE2) 726# if defined(OPENSSL_IA32_SSE2)
727 if (OPENSSL_ia32cap_P[0]&(1<<25)) { /* check SSE bit */ 727 if (OPENSSL_ia32cap_P[0]&(1<<25)) { /* check SSE bit */
728# else 728# else
729 if (OPENSSL_ia32cap_P[0]&(1<<23)) { /* check MMX bit */ 729 if (OPENSSL_ia32cap_P[0]&(1<<23)) { /* check MMX bit */
@@ -810,7 +810,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
810 GCM_MUL(ctx,Yi); 810 GCM_MUL(ctx,Yi);
811 811
812 if (is_endian.little) 812 if (is_endian.little)
813#ifdef BSWAP4
814 ctr = BSWAP4(ctx->Yi.d[3]);
815#else
813 ctr = GETU32(ctx->Yi.c+12); 816 ctr = GETU32(ctx->Yi.c+12);
817#endif
814 else 818 else
815 ctr = ctx->Yi.d[3]; 819 ctr = ctx->Yi.d[3];
816 } 820 }
@@ -818,7 +822,11 @@ void CRYPTO_gcm128_setiv(GCM128_CONTEXT *ctx,const unsigned char *iv,size_t len)
818 (*ctx->block)(ctx->Yi.c,ctx->EK0.c,ctx->key); 822 (*ctx->block)(ctx->Yi.c,ctx->EK0.c,ctx->key);
819 ++ctr; 823 ++ctr;
820 if (is_endian.little) 824 if (is_endian.little)
825#ifdef BSWAP4
826 ctx->Yi.d[3] = BSWAP4(ctr);
827#else
821 PUTU32(ctx->Yi.c+12,ctr); 828 PUTU32(ctx->Yi.c+12,ctr);
829#endif
822 else 830 else
823 ctx->Yi.d[3] = ctr; 831 ctx->Yi.d[3] = ctr;
824} 832}
@@ -913,7 +921,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
913 } 921 }
914 922
915 if (is_endian.little) 923 if (is_endian.little)
924#ifdef BSWAP4
925 ctr = BSWAP4(ctx->Yi.d[3]);
926#else
916 ctr = GETU32(ctx->Yi.c+12); 927 ctr = GETU32(ctx->Yi.c+12);
928#endif
917 else 929 else
918 ctr = ctx->Yi.d[3]; 930 ctr = ctx->Yi.d[3];
919 931
@@ -941,15 +953,21 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
941 size_t j=GHASH_CHUNK; 953 size_t j=GHASH_CHUNK;
942 954
943 while (j) { 955 while (j) {
956 size_t *out_t=(size_t *)out;
957 const size_t *in_t=(const size_t *)in;
958
944 (*block)(ctx->Yi.c,ctx->EKi.c,key); 959 (*block)(ctx->Yi.c,ctx->EKi.c,key);
945 ++ctr; 960 ++ctr;
946 if (is_endian.little) 961 if (is_endian.little)
962#ifdef BSWAP4
963 ctx->Yi.d[3] = BSWAP4(ctr);
964#else
947 PUTU32(ctx->Yi.c+12,ctr); 965 PUTU32(ctx->Yi.c+12,ctr);
966#endif
948 else 967 else
949 ctx->Yi.d[3] = ctr; 968 ctx->Yi.d[3] = ctr;
950 for (i=0; i<16; i+=sizeof(size_t)) 969 for (i=0; i<16/sizeof(size_t); ++i)
951 *(size_t *)(out+i) = 970 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
952 *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
953 out += 16; 971 out += 16;
954 in += 16; 972 in += 16;
955 j -= 16; 973 j -= 16;
@@ -961,15 +979,21 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
961 size_t j=i; 979 size_t j=i;
962 980
963 while (len>=16) { 981 while (len>=16) {
982 size_t *out_t=(size_t *)out;
983 const size_t *in_t=(const size_t *)in;
984
964 (*block)(ctx->Yi.c,ctx->EKi.c,key); 985 (*block)(ctx->Yi.c,ctx->EKi.c,key);
965 ++ctr; 986 ++ctr;
966 if (is_endian.little) 987 if (is_endian.little)
988#ifdef BSWAP4
989 ctx->Yi.d[3] = BSWAP4(ctr);
990#else
967 PUTU32(ctx->Yi.c+12,ctr); 991 PUTU32(ctx->Yi.c+12,ctr);
992#endif
968 else 993 else
969 ctx->Yi.d[3] = ctr; 994 ctx->Yi.d[3] = ctr;
970 for (i=0; i<16; i+=sizeof(size_t)) 995 for (i=0; i<16/sizeof(size_t); ++i)
971 *(size_t *)(out+i) = 996 out_t[i] = in_t[i] ^ ctx->EKi.t[i];
972 *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
973 out += 16; 997 out += 16;
974 in += 16; 998 in += 16;
975 len -= 16; 999 len -= 16;
@@ -978,16 +1002,22 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
978 } 1002 }
979#else 1003#else
980 while (len>=16) { 1004 while (len>=16) {
1005 size_t *out_t=(size_t *)out;
1006 const size_t *in_t=(const size_t *)in;
1007
981 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1008 (*block)(ctx->Yi.c,ctx->EKi.c,key);
982 ++ctr; 1009 ++ctr;
983 if (is_endian.little) 1010 if (is_endian.little)
1011#ifdef BSWAP4
1012 ctx->Yi.d[3] = BSWAP4(ctr);
1013#else
984 PUTU32(ctx->Yi.c+12,ctr); 1014 PUTU32(ctx->Yi.c+12,ctr);
1015#endif
985 else 1016 else
986 ctx->Yi.d[3] = ctr; 1017 ctx->Yi.d[3] = ctr;
987 for (i=0; i<16; i+=sizeof(size_t)) 1018 for (i=0; i<16/sizeof(size_t); ++i)
988 *(size_t *)(ctx->Xi.c+i) ^= 1019 ctx->Xi.t[i] ^=
989 *(size_t *)(out+i) = 1020 out_t[i] = in_t[i]^ctx->EKi.t[i];
990 *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
991 GCM_MUL(ctx,Xi); 1021 GCM_MUL(ctx,Xi);
992 out += 16; 1022 out += 16;
993 in += 16; 1023 in += 16;
@@ -998,7 +1028,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
998 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1028 (*block)(ctx->Yi.c,ctx->EKi.c,key);
999 ++ctr; 1029 ++ctr;
1000 if (is_endian.little) 1030 if (is_endian.little)
1031#ifdef BSWAP4
1032 ctx->Yi.d[3] = BSWAP4(ctr);
1033#else
1001 PUTU32(ctx->Yi.c+12,ctr); 1034 PUTU32(ctx->Yi.c+12,ctr);
1035#endif
1002 else 1036 else
1003 ctx->Yi.d[3] = ctr; 1037 ctx->Yi.d[3] = ctr;
1004 while (len--) { 1038 while (len--) {
@@ -1016,7 +1050,11 @@ int CRYPTO_gcm128_encrypt(GCM128_CONTEXT *ctx,
1016 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1050 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1017 ++ctr; 1051 ++ctr;
1018 if (is_endian.little) 1052 if (is_endian.little)
1053#ifdef BSWAP4
1054 ctx->Yi.d[3] = BSWAP4(ctr);
1055#else
1019 PUTU32(ctx->Yi.c+12,ctr); 1056 PUTU32(ctx->Yi.c+12,ctr);
1057#endif
1020 else 1058 else
1021 ctx->Yi.d[3] = ctr; 1059 ctx->Yi.d[3] = ctr;
1022 } 1060 }
@@ -1060,7 +1098,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1060 } 1098 }
1061 1099
1062 if (is_endian.little) 1100 if (is_endian.little)
1101#ifdef BSWAP4
1102 ctr = BSWAP4(ctx->Yi.d[3]);
1103#else
1063 ctr = GETU32(ctx->Yi.c+12); 1104 ctr = GETU32(ctx->Yi.c+12);
1105#endif
1064 else 1106 else
1065 ctr = ctx->Yi.d[3]; 1107 ctr = ctx->Yi.d[3];
1066 1108
@@ -1091,15 +1133,21 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1091 1133
1092 GHASH(ctx,in,GHASH_CHUNK); 1134 GHASH(ctx,in,GHASH_CHUNK);
1093 while (j) { 1135 while (j) {
1136 size_t *out_t=(size_t *)out;
1137 const size_t *in_t=(const size_t *)in;
1138
1094 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1139 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1095 ++ctr; 1140 ++ctr;
1096 if (is_endian.little) 1141 if (is_endian.little)
1142#ifdef BSWAP4
1143 ctx->Yi.d[3] = BSWAP4(ctr);
1144#else
1097 PUTU32(ctx->Yi.c+12,ctr); 1145 PUTU32(ctx->Yi.c+12,ctr);
1146#endif
1098 else 1147 else
1099 ctx->Yi.d[3] = ctr; 1148 ctx->Yi.d[3] = ctr;
1100 for (i=0; i<16; i+=sizeof(size_t)) 1149 for (i=0; i<16/sizeof(size_t); ++i)
1101 *(size_t *)(out+i) = 1150 out_t[i] = in_t[i]^ctx->EKi.t[i];
1102 *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
1103 out += 16; 1151 out += 16;
1104 in += 16; 1152 in += 16;
1105 j -= 16; 1153 j -= 16;
@@ -1109,15 +1157,21 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1109 if ((i = (len&(size_t)-16))) { 1157 if ((i = (len&(size_t)-16))) {
1110 GHASH(ctx,in,i); 1158 GHASH(ctx,in,i);
1111 while (len>=16) { 1159 while (len>=16) {
1160 size_t *out_t=(size_t *)out;
1161 const size_t *in_t=(const size_t *)in;
1162
1112 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1163 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1113 ++ctr; 1164 ++ctr;
1114 if (is_endian.little) 1165 if (is_endian.little)
1166#ifdef BSWAP4
1167 ctx->Yi.d[3] = BSWAP4(ctr);
1168#else
1115 PUTU32(ctx->Yi.c+12,ctr); 1169 PUTU32(ctx->Yi.c+12,ctr);
1170#endif
1116 else 1171 else
1117 ctx->Yi.d[3] = ctr; 1172 ctx->Yi.d[3] = ctr;
1118 for (i=0; i<16; i+=sizeof(size_t)) 1173 for (i=0; i<16/sizeof(size_t); ++i)
1119 *(size_t *)(out+i) = 1174 out_t[i] = in_t[i]^ctx->EKi.t[i];
1120 *(size_t *)(in+i)^*(size_t *)(ctx->EKi.c+i);
1121 out += 16; 1175 out += 16;
1122 in += 16; 1176 in += 16;
1123 len -= 16; 1177 len -= 16;
@@ -1125,16 +1179,23 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1125 } 1179 }
1126#else 1180#else
1127 while (len>=16) { 1181 while (len>=16) {
1182 size_t *out_t=(size_t *)out;
1183 const size_t *in_t=(const size_t *)in;
1184
1128 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1185 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1129 ++ctr; 1186 ++ctr;
1130 if (is_endian.little) 1187 if (is_endian.little)
1188#ifdef BSWAP4
1189 ctx->Yi.d[3] = BSWAP4(ctr);
1190#else
1131 PUTU32(ctx->Yi.c+12,ctr); 1191 PUTU32(ctx->Yi.c+12,ctr);
1192#endif
1132 else 1193 else
1133 ctx->Yi.d[3] = ctr; 1194 ctx->Yi.d[3] = ctr;
1134 for (i=0; i<16; i+=sizeof(size_t)) { 1195 for (i=0; i<16/sizeof(size_t); ++i) {
1135 size_t c = *(size_t *)(in+i); 1196 size_t c = in[i];
1136 *(size_t *)(out+i) = c^*(size_t *)(ctx->EKi.c+i); 1197 out[i] = c^ctx->EKi.t[i];
1137 *(size_t *)(ctx->Xi.c+i) ^= c; 1198 ctx->Xi.t[i] ^= c;
1138 } 1199 }
1139 GCM_MUL(ctx,Xi); 1200 GCM_MUL(ctx,Xi);
1140 out += 16; 1201 out += 16;
@@ -1146,7 +1207,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1146 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1207 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1147 ++ctr; 1208 ++ctr;
1148 if (is_endian.little) 1209 if (is_endian.little)
1210#ifdef BSWAP4
1211 ctx->Yi.d[3] = BSWAP4(ctr);
1212#else
1149 PUTU32(ctx->Yi.c+12,ctr); 1213 PUTU32(ctx->Yi.c+12,ctr);
1214#endif
1150 else 1215 else
1151 ctx->Yi.d[3] = ctr; 1216 ctx->Yi.d[3] = ctr;
1152 while (len--) { 1217 while (len--) {
@@ -1167,7 +1232,11 @@ int CRYPTO_gcm128_decrypt(GCM128_CONTEXT *ctx,
1167 (*block)(ctx->Yi.c,ctx->EKi.c,key); 1232 (*block)(ctx->Yi.c,ctx->EKi.c,key);
1168 ++ctr; 1233 ++ctr;
1169 if (is_endian.little) 1234 if (is_endian.little)
1235#ifdef BSWAP4
1236 ctx->Yi.d[3] = BSWAP4(ctr);
1237#else
1170 PUTU32(ctx->Yi.c+12,ctr); 1238 PUTU32(ctx->Yi.c+12,ctr);
1239#endif
1171 else 1240 else
1172 ctx->Yi.d[3] = ctr; 1241 ctx->Yi.d[3] = ctr;
1173 } 1242 }
@@ -1212,7 +1281,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
1212 } 1281 }
1213 1282
1214 if (is_endian.little) 1283 if (is_endian.little)
1284#ifdef BSWAP4
1285 ctr = BSWAP4(ctx->Yi.d[3]);
1286#else
1215 ctr = GETU32(ctx->Yi.c+12); 1287 ctr = GETU32(ctx->Yi.c+12);
1288#endif
1216 else 1289 else
1217 ctr = ctx->Yi.d[3]; 1290 ctr = ctx->Yi.d[3];
1218 1291
@@ -1234,7 +1307,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
1234 (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c); 1307 (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
1235 ctr += GHASH_CHUNK/16; 1308 ctr += GHASH_CHUNK/16;
1236 if (is_endian.little) 1309 if (is_endian.little)
1310#ifdef BSWAP4
1311 ctx->Yi.d[3] = BSWAP4(ctr);
1312#else
1237 PUTU32(ctx->Yi.c+12,ctr); 1313 PUTU32(ctx->Yi.c+12,ctr);
1314#endif
1238 else 1315 else
1239 ctx->Yi.d[3] = ctr; 1316 ctx->Yi.d[3] = ctr;
1240 GHASH(ctx,out,GHASH_CHUNK); 1317 GHASH(ctx,out,GHASH_CHUNK);
@@ -1249,7 +1326,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
1249 (*stream)(in,out,j,key,ctx->Yi.c); 1326 (*stream)(in,out,j,key,ctx->Yi.c);
1250 ctr += (unsigned int)j; 1327 ctr += (unsigned int)j;
1251 if (is_endian.little) 1328 if (is_endian.little)
1329#ifdef BSWAP4
1330 ctx->Yi.d[3] = BSWAP4(ctr);
1331#else
1252 PUTU32(ctx->Yi.c+12,ctr); 1332 PUTU32(ctx->Yi.c+12,ctr);
1333#endif
1253 else 1334 else
1254 ctx->Yi.d[3] = ctr; 1335 ctx->Yi.d[3] = ctr;
1255 in += i; 1336 in += i;
@@ -1269,7 +1350,11 @@ int CRYPTO_gcm128_encrypt_ctr32(GCM128_CONTEXT *ctx,
1269 (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key); 1350 (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
1270 ++ctr; 1351 ++ctr;
1271 if (is_endian.little) 1352 if (is_endian.little)
1353#ifdef BSWAP4
1354 ctx->Yi.d[3] = BSWAP4(ctr);
1355#else
1272 PUTU32(ctx->Yi.c+12,ctr); 1356 PUTU32(ctx->Yi.c+12,ctr);
1357#endif
1273 else 1358 else
1274 ctx->Yi.d[3] = ctr; 1359 ctx->Yi.d[3] = ctr;
1275 while (len--) { 1360 while (len--) {
@@ -1311,7 +1396,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
1311 } 1396 }
1312 1397
1313 if (is_endian.little) 1398 if (is_endian.little)
1399#ifdef BSWAP4
1400 ctr = BSWAP4(ctx->Yi.d[3]);
1401#else
1314 ctr = GETU32(ctx->Yi.c+12); 1402 ctr = GETU32(ctx->Yi.c+12);
1403#endif
1315 else 1404 else
1316 ctr = ctx->Yi.d[3]; 1405 ctr = ctx->Yi.d[3];
1317 1406
@@ -1336,7 +1425,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
1336 (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c); 1425 (*stream)(in,out,GHASH_CHUNK/16,key,ctx->Yi.c);
1337 ctr += GHASH_CHUNK/16; 1426 ctr += GHASH_CHUNK/16;
1338 if (is_endian.little) 1427 if (is_endian.little)
1428#ifdef BSWAP4
1429 ctx->Yi.d[3] = BSWAP4(ctr);
1430#else
1339 PUTU32(ctx->Yi.c+12,ctr); 1431 PUTU32(ctx->Yi.c+12,ctr);
1432#endif
1340 else 1433 else
1341 ctx->Yi.d[3] = ctr; 1434 ctx->Yi.d[3] = ctr;
1342 out += GHASH_CHUNK; 1435 out += GHASH_CHUNK;
@@ -1362,7 +1455,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
1362 (*stream)(in,out,j,key,ctx->Yi.c); 1455 (*stream)(in,out,j,key,ctx->Yi.c);
1363 ctr += (unsigned int)j; 1456 ctr += (unsigned int)j;
1364 if (is_endian.little) 1457 if (is_endian.little)
1458#ifdef BSWAP4
1459 ctx->Yi.d[3] = BSWAP4(ctr);
1460#else
1365 PUTU32(ctx->Yi.c+12,ctr); 1461 PUTU32(ctx->Yi.c+12,ctr);
1462#endif
1366 else 1463 else
1367 ctx->Yi.d[3] = ctr; 1464 ctx->Yi.d[3] = ctr;
1368 out += i; 1465 out += i;
@@ -1373,7 +1470,11 @@ int CRYPTO_gcm128_decrypt_ctr32(GCM128_CONTEXT *ctx,
1373 (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key); 1470 (*ctx->block)(ctx->Yi.c,ctx->EKi.c,key);
1374 ++ctr; 1471 ++ctr;
1375 if (is_endian.little) 1472 if (is_endian.little)
1473#ifdef BSWAP4
1474 ctx->Yi.d[3] = BSWAP4(ctr);
1475#else
1376 PUTU32(ctx->Yi.c+12,ctr); 1476 PUTU32(ctx->Yi.c+12,ctr);
1477#endif
1377 else 1478 else
1378 ctx->Yi.d[3] = ctr; 1479 ctx->Yi.d[3] = ctr;
1379 while (len--) { 1480 while (len--) {
@@ -1398,7 +1499,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const unsigned char *tag,
1398 void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult; 1499 void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult;
1399#endif 1500#endif
1400 1501
1401 if (ctx->mres) 1502 if (ctx->mres || ctx->ares)
1402 GCM_MUL(ctx,Xi); 1503 GCM_MUL(ctx,Xi);
1403 1504
1404 if (is_endian.little) { 1505 if (is_endian.little) {
@@ -1669,6 +1770,46 @@ static const u8 IV18[]={0x93,0x13,0x22,0x5d,0xf8,0x84,0x06,0xe5,0x55,0x90,0x9c,0
1669 0xa2,0x41,0x89,0x97,0x20,0x0e,0xf8,0x2e,0x44,0xae,0x7e,0x3f}, 1770 0xa2,0x41,0x89,0x97,0x20,0x0e,0xf8,0x2e,0x44,0xae,0x7e,0x3f},
1670 T18[]= {0xa4,0x4a,0x82,0x66,0xee,0x1c,0x8e,0xb0,0xc8,0xb5,0xd4,0xcf,0x5a,0xe9,0xf1,0x9a}; 1771 T18[]= {0xa4,0x4a,0x82,0x66,0xee,0x1c,0x8e,0xb0,0xc8,0xb5,0xd4,0xcf,0x5a,0xe9,0xf1,0x9a};
1671 1772
1773/* Test Case 19 */
1774#define K19 K1
1775#define P19 P1
1776#define IV19 IV1
1777#define C19 C1
1778static const u8 A19[]= {0xd9,0x31,0x32,0x25,0xf8,0x84,0x06,0xe5,0xa5,0x59,0x09,0xc5,0xaf,0xf5,0x26,0x9a,
1779 0x86,0xa7,0xa9,0x53,0x15,0x34,0xf7,0xda,0x2e,0x4c,0x30,0x3d,0x8a,0x31,0x8a,0x72,
1780 0x1c,0x3c,0x0c,0x95,0x95,0x68,0x09,0x53,0x2f,0xcf,0x0e,0x24,0x49,0xa6,0xb5,0x25,
1781 0xb1,0x6a,0xed,0xf5,0xaa,0x0d,0xe6,0x57,0xba,0x63,0x7b,0x39,0x1a,0xaf,0xd2,0x55,
1782 0x52,0x2d,0xc1,0xf0,0x99,0x56,0x7d,0x07,0xf4,0x7f,0x37,0xa3,0x2a,0x84,0x42,0x7d,
1783 0x64,0x3a,0x8c,0xdc,0xbf,0xe5,0xc0,0xc9,0x75,0x98,0xa2,0xbd,0x25,0x55,0xd1,0xaa,
1784 0x8c,0xb0,0x8e,0x48,0x59,0x0d,0xbb,0x3d,0xa7,0xb0,0x8b,0x10,0x56,0x82,0x88,0x38,
1785 0xc5,0xf6,0x1e,0x63,0x93,0xba,0x7a,0x0a,0xbc,0xc9,0xf6,0x62,0x89,0x80,0x15,0xad},
1786 T19[]= {0x5f,0xea,0x79,0x3a,0x2d,0x6f,0x97,0x4d,0x37,0xe6,0x8e,0x0c,0xb8,0xff,0x94,0x92};
1787
1788/* Test Case 20 */
1789#define K20 K1
1790#define A20 A1
1791static const u8 IV20[64]={0xff,0xff,0xff,0xff}, /* this results in 0xff in counter LSB */
1792 P20[288],
1793 C20[]= {0x56,0xb3,0x37,0x3c,0xa9,0xef,0x6e,0x4a,0x2b,0x64,0xfe,0x1e,0x9a,0x17,0xb6,0x14,
1794 0x25,0xf1,0x0d,0x47,0xa7,0x5a,0x5f,0xce,0x13,0xef,0xc6,0xbc,0x78,0x4a,0xf2,0x4f,
1795 0x41,0x41,0xbd,0xd4,0x8c,0xf7,0xc7,0x70,0x88,0x7a,0xfd,0x57,0x3c,0xca,0x54,0x18,
1796 0xa9,0xae,0xff,0xcd,0x7c,0x5c,0xed,0xdf,0xc6,0xa7,0x83,0x97,0xb9,0xa8,0x5b,0x49,
1797 0x9d,0xa5,0x58,0x25,0x72,0x67,0xca,0xab,0x2a,0xd0,0xb2,0x3c,0xa4,0x76,0xa5,0x3c,
1798 0xb1,0x7f,0xb4,0x1c,0x4b,0x8b,0x47,0x5c,0xb4,0xf3,0xf7,0x16,0x50,0x94,0xc2,0x29,
1799 0xc9,0xe8,0xc4,0xdc,0x0a,0x2a,0x5f,0xf1,0x90,0x3e,0x50,0x15,0x11,0x22,0x13,0x76,
1800 0xa1,0xcd,0xb8,0x36,0x4c,0x50,0x61,0xa2,0x0c,0xae,0x74,0xbc,0x4a,0xcd,0x76,0xce,
1801 0xb0,0xab,0xc9,0xfd,0x32,0x17,0xef,0x9f,0x8c,0x90,0xbe,0x40,0x2d,0xdf,0x6d,0x86,
1802 0x97,0xf4,0xf8,0x80,0xdf,0xf1,0x5b,0xfb,0x7a,0x6b,0x28,0x24,0x1e,0xc8,0xfe,0x18,
1803 0x3c,0x2d,0x59,0xe3,0xf9,0xdf,0xff,0x65,0x3c,0x71,0x26,0xf0,0xac,0xb9,0xe6,0x42,
1804 0x11,0xf4,0x2b,0xae,0x12,0xaf,0x46,0x2b,0x10,0x70,0xbe,0xf1,0xab,0x5e,0x36,0x06,
1805 0x87,0x2c,0xa1,0x0d,0xee,0x15,0xb3,0x24,0x9b,0x1a,0x1b,0x95,0x8f,0x23,0x13,0x4c,
1806 0x4b,0xcc,0xb7,0xd0,0x32,0x00,0xbc,0xe4,0x20,0xa2,0xf8,0xeb,0x66,0xdc,0xf3,0x64,
1807 0x4d,0x14,0x23,0xc1,0xb5,0x69,0x90,0x03,0xc1,0x3e,0xce,0xf4,0xbf,0x38,0xa3,0xb6,
1808 0x0e,0xed,0xc3,0x40,0x33,0xba,0xc1,0x90,0x27,0x83,0xdc,0x6d,0x89,0xe2,0xe7,0x74,
1809 0x18,0x8a,0x43,0x9c,0x7e,0xbc,0xc0,0x67,0x2d,0xbd,0xa4,0xdd,0xcf,0xb2,0x79,0x46,
1810 0x13,0xb0,0xbe,0x41,0x31,0x5e,0xf7,0x78,0x70,0x8a,0x70,0xee,0x7d,0x75,0x16,0x5c},
1811 T20[]= {0x8b,0x30,0x7f,0x6b,0x33,0x28,0x6d,0x0a,0xb0,0x26,0xa9,0xed,0x3f,0xe1,0xe8,0x5f};
1812
1672#define TEST_CASE(n) do { \ 1813#define TEST_CASE(n) do { \
1673 u8 out[sizeof(P##n)]; \ 1814 u8 out[sizeof(P##n)]; \
1674 AES_set_encrypt_key(K##n,sizeof(K##n)*8,&key); \ 1815 AES_set_encrypt_key(K##n,sizeof(K##n)*8,&key); \
@@ -1713,6 +1854,8 @@ int main()
1713 TEST_CASE(16); 1854 TEST_CASE(16);
1714 TEST_CASE(17); 1855 TEST_CASE(17);
1715 TEST_CASE(18); 1856 TEST_CASE(18);
1857 TEST_CASE(19);
1858 TEST_CASE(20);
1716 1859
1717#ifdef OPENSSL_CPUID_OBJ 1860#ifdef OPENSSL_CPUID_OBJ
1718 { 1861 {
@@ -1743,11 +1886,16 @@ int main()
1743 ctr_t/(double)sizeof(buf), 1886 ctr_t/(double)sizeof(buf),
1744 (gcm_t-ctr_t)/(double)sizeof(buf)); 1887 (gcm_t-ctr_t)/(double)sizeof(buf));
1745#ifdef GHASH 1888#ifdef GHASH
1746 GHASH(&ctx,buf.c,sizeof(buf)); 1889 {
1890 void (*gcm_ghash_p)(u64 Xi[2],const u128 Htable[16],
1891 const u8 *inp,size_t len) = ctx.ghash;
1892
1893 GHASH((&ctx),buf.c,sizeof(buf));
1747 start = OPENSSL_rdtsc(); 1894 start = OPENSSL_rdtsc();
1748 for (i=0;i<100;++i) GHASH(&ctx,buf.c,sizeof(buf)); 1895 for (i=0;i<100;++i) GHASH((&ctx),buf.c,sizeof(buf));
1749 gcm_t = OPENSSL_rdtsc() - start; 1896 gcm_t = OPENSSL_rdtsc() - start;
1750 printf("%.2f\n",gcm_t/(double)sizeof(buf)/(double)i); 1897 printf("%.2f\n",gcm_t/(double)sizeof(buf)/(double)i);
1898 }
1751#endif 1899#endif
1752 } 1900 }
1753#endif 1901#endif
diff --git a/src/lib/libcrypto/modes/modes_lcl.h b/src/lib/libcrypto/modes/modes_lcl.h
index b6dc3c336f..9d83e12844 100644
--- a/src/lib/libcrypto/modes/modes_lcl.h
+++ b/src/lib/libcrypto/modes/modes_lcl.h
@@ -29,10 +29,7 @@ typedef unsigned char u8;
29#if defined(__i386) || defined(__i386__) || \ 29#if defined(__i386) || defined(__i386__) || \
30 defined(__x86_64) || defined(__x86_64__) || \ 30 defined(__x86_64) || defined(__x86_64__) || \
31 defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \ 31 defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64) || \
32 defined(__s390__) || defined(__s390x__) || \ 32 defined(__s390__) || defined(__s390x__)
33 ( (defined(__arm__) || defined(__arm)) && \
34 (defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__) || \
35 defined(__ARM_ARCH_7R__) || defined(__ARM_ARCH_7M__)) )
36# undef STRICT_ALIGNMENT 33# undef STRICT_ALIGNMENT
37#endif 34#endif
38 35
@@ -101,8 +98,8 @@ typedef struct { u64 hi,lo; } u128;
101 98
102struct gcm128_context { 99struct gcm128_context {
103 /* Following 6 names follow names in GCM specification */ 100 /* Following 6 names follow names in GCM specification */
104 union { u64 u[2]; u32 d[4]; u8 c[16]; } Yi,EKi,EK0,len, 101 union { u64 u[2]; u32 d[4]; u8 c[16]; size_t t[16/sizeof(size_t)]; }
105 Xi,H; 102 Yi,EKi,EK0,len,Xi,H;
106 /* Relative position of Xi, H and pre-computed Htable is used 103 /* Relative position of Xi, H and pre-computed Htable is used
107 * in some assembler modules, i.e. don't change the order! */ 104 * in some assembler modules, i.e. don't change the order! */
108#if TABLE_BITS==8 105#if TABLE_BITS==8
diff --git a/src/lib/libcrypto/objects/o_names.c b/src/lib/libcrypto/objects/o_names.c
index 84380a96a9..4a548c2ed4 100644
--- a/src/lib/libcrypto/objects/o_names.c
+++ b/src/lib/libcrypto/objects/o_names.c
@@ -73,7 +73,7 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *),
73 name_funcs_stack=sk_NAME_FUNCS_new_null(); 73 name_funcs_stack=sk_NAME_FUNCS_new_null();
74 MemCheck_on(); 74 MemCheck_on();
75 } 75 }
76 if ((name_funcs_stack == NULL)) 76 if (name_funcs_stack == NULL)
77 { 77 {
78 /* ERROR */ 78 /* ERROR */
79 return(0); 79 return(0);
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
index 415d67e61c..276718304d 100644
--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -91,9 +91,12 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
91 { 91 {
92 EVP_PKEY *skey; 92 EVP_PKEY *skey;
93 skey = X509_get_pubkey(signer); 93 skey = X509_get_pubkey(signer);
94 ret = OCSP_BASICRESP_verify(bs, skey, 0); 94 if (skey)
95 EVP_PKEY_free(skey); 95 {
96 if(ret <= 0) 96 ret = OCSP_BASICRESP_verify(bs, skey, 0);
97 EVP_PKEY_free(skey);
98 }
99 if(!skey || ret <= 0)
97 { 100 {
98 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); 101 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
99 goto end; 102 goto end;
@@ -108,6 +111,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
108 init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs); 111 init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
109 if(!init_res) 112 if(!init_res)
110 { 113 {
114 ret = -1;
111 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB); 115 OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
112 goto end; 116 goto end;
113 } 117 }
diff --git a/src/lib/libcrypto/opensslv.h b/src/lib/libcrypto/opensslv.h
index 71be3590af..ebe7180723 100644
--- a/src/lib/libcrypto/opensslv.h
+++ b/src/lib/libcrypto/opensslv.h
@@ -25,11 +25,11 @@
25 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for 25 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
26 * major minor fix final patch/beta) 26 * major minor fix final patch/beta)
27 */ 27 */
28#define OPENSSL_VERSION_NUMBER 0x1000103fL 28#define OPENSSL_VERSION_NUMBER 0x1000107fL
29#ifdef OPENSSL_FIPS 29#ifdef OPENSSL_FIPS
30#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c-fips 10 May 2012" 30#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g-fips 7 Apr 2014"
31#else 31#else
32#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c 10 May 2012" 32#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1g 7 Apr 2014"
33#endif 33#endif
34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT 34#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
35 35
diff --git a/src/lib/libcrypto/pariscid.pl b/src/lib/libcrypto/pariscid.pl
index 477ec9b87d..bfc56fdc7f 100644
--- a/src/lib/libcrypto/pariscid.pl
+++ b/src/lib/libcrypto/pariscid.pl
@@ -97,33 +97,33 @@ OPENSSL_cleanse
97 .PROC 97 .PROC
98 .CALLINFO NO_CALLS 98 .CALLINFO NO_CALLS
99 .ENTRY 99 .ENTRY
100 cmpib,*= 0,$len,Ldone 100 cmpib,*= 0,$len,L\$done
101 nop 101 nop
102 cmpib,*>>= 15,$len,Little 102 cmpib,*>>= 15,$len,L\$ittle
103 ldi $SIZE_T-1,%r1 103 ldi $SIZE_T-1,%r1
104 104
105Lalign 105L\$align
106 and,*<> $inp,%r1,%r28 106 and,*<> $inp,%r1,%r28
107 b,n Laligned 107 b,n L\$aligned
108 stb %r0,0($inp) 108 stb %r0,0($inp)
109 ldo -1($len),$len 109 ldo -1($len),$len
110 b Lalign 110 b L\$align
111 ldo 1($inp),$inp 111 ldo 1($inp),$inp
112 112
113Laligned 113L\$aligned
114 andcm $len,%r1,%r28 114 andcm $len,%r1,%r28
115Lot 115L\$ot
116 $ST %r0,0($inp) 116 $ST %r0,0($inp)
117 addib,*<> -$SIZE_T,%r28,Lot 117 addib,*<> -$SIZE_T,%r28,L\$ot
118 ldo $SIZE_T($inp),$inp 118 ldo $SIZE_T($inp),$inp
119 119
120 and,*<> $len,%r1,$len 120 and,*<> $len,%r1,$len
121 b,n Ldone 121 b,n L\$done
122Little 122L\$ittle
123 stb %r0,0($inp) 123 stb %r0,0($inp)
124 addib,*<> -1,$len,Little 124 addib,*<> -1,$len,L\$ittle
125 ldo 1($inp),$inp 125 ldo 1($inp),$inp
126Ldone 126L\$done
127 bv ($rp) 127 bv ($rp)
128 .EXIT 128 .EXIT
129 nop 129 nop
@@ -151,7 +151,7 @@ OPENSSL_instrument_bus
151 ldw 0($out),$tick 151 ldw 0($out),$tick
152 add $diff,$tick,$tick 152 add $diff,$tick,$tick
153 stw $tick,0($out) 153 stw $tick,0($out)
154Loop 154L\$oop
155 mfctl %cr16,$tick 155 mfctl %cr16,$tick
156 sub $tick,$lasttick,$diff 156 sub $tick,$lasttick,$diff
157 copy $tick,$lasttick 157 copy $tick,$lasttick
@@ -161,7 +161,7 @@ Loop
161 add $diff,$tick,$tick 161 add $diff,$tick,$tick
162 stw $tick,0($out) 162 stw $tick,0($out)
163 163
164 addib,<> -1,$cnt,Loop 164 addib,<> -1,$cnt,L\$oop
165 addi 4,$out,$out 165 addi 4,$out,$out
166 166
167 bv ($rp) 167 bv ($rp)
@@ -190,14 +190,14 @@ OPENSSL_instrument_bus2
190 mfctl %cr16,$tick 190 mfctl %cr16,$tick
191 sub $tick,$lasttick,$diff 191 sub $tick,$lasttick,$diff
192 copy $tick,$lasttick 192 copy $tick,$lasttick
193Loop2 193L\$oop2
194 copy $diff,$lastdiff 194 copy $diff,$lastdiff
195 fdc 0($out) 195 fdc 0($out)
196 ldw 0($out),$tick 196 ldw 0($out),$tick
197 add $diff,$tick,$tick 197 add $diff,$tick,$tick
198 stw $tick,0($out) 198 stw $tick,0($out)
199 199
200 addib,= -1,$max,Ldone2 200 addib,= -1,$max,L\$done2
201 nop 201 nop
202 202
203 mfctl %cr16,$tick 203 mfctl %cr16,$tick
@@ -208,17 +208,18 @@ Loop2
208 208
209 ldi 1,%r1 209 ldi 1,%r1
210 xor %r1,$tick,$tick 210 xor %r1,$tick,$tick
211 addb,<> $tick,$cnt,Loop2 211 addb,<> $tick,$cnt,L\$oop2
212 shladd,l $tick,2,$out,$out 212 shladd,l $tick,2,$out,$out
213Ldone2 213L\$done2
214 bv ($rp) 214 bv ($rp)
215 .EXIT 215 .EXIT
216 add $rv,$cnt,$rv 216 add $rv,$cnt,$rv
217 .PROCEND 217 .PROCEND
218___ 218___
219} 219}
220$code =~ s/cmpib,\*/comib,/gm if ($SIZE_T==4); 220$code =~ s/cmpib,\*/comib,/gm if ($SIZE_T==4);
221$code =~ s/,\*/,/gm if ($SIZE_T==4); 221$code =~ s/,\*/,/gm if ($SIZE_T==4);
222$code =~ s/\bbv\b/bve/gm if ($SIZE_T==8);
222print $code; 223print $code;
223close STDOUT; 224close STDOUT;
224 225
diff --git a/src/lib/libcrypto/pem/pem_all.c b/src/lib/libcrypto/pem/pem_all.c
index 3e7a6093ad..eac0460e3e 100644
--- a/src/lib/libcrypto/pem/pem_all.c
+++ b/src/lib/libcrypto/pem/pem_all.c
@@ -193,7 +193,61 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb,
193 193
194#endif 194#endif
195 195
196#ifdef OPENSSL_FIPS
197
198int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc,
199 unsigned char *kstr, int klen,
200 pem_password_cb *cb, void *u)
201{
202 if (FIPS_mode())
203 {
204 EVP_PKEY *k;
205 int ret;
206 k = EVP_PKEY_new();
207 if (!k)
208 return 0;
209 EVP_PKEY_set1_RSA(k, x);
210
211 ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
212 EVP_PKEY_free(k);
213 return ret;
214 }
215 else
216 return PEM_ASN1_write_bio((i2d_of_void *)i2d_RSAPrivateKey,
217 PEM_STRING_RSA,bp,x,enc,kstr,klen,cb,u);
218}
219
220#ifndef OPENSSL_NO_FP_API
221int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc,
222 unsigned char *kstr, int klen,
223 pem_password_cb *cb, void *u)
224{
225 if (FIPS_mode())
226 {
227 EVP_PKEY *k;
228 int ret;
229 k = EVP_PKEY_new();
230 if (!k)
231 return 0;
232
233 EVP_PKEY_set1_RSA(k, x);
234
235 ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
236 EVP_PKEY_free(k);
237 return ret;
238 }
239 else
240 return PEM_ASN1_write((i2d_of_void *)i2d_RSAPrivateKey,
241 PEM_STRING_RSA,fp,x,enc,kstr,klen,cb,u);
242}
243#endif
244
245#else
246
196IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey) 247IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
248
249#endif
250
197IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey) 251IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
198IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY) 252IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
199 253
@@ -223,7 +277,59 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb,
223 return pkey_get_dsa(pktmp, dsa); /* will free pktmp */ 277 return pkey_get_dsa(pktmp, dsa); /* will free pktmp */
224} 278}
225 279
280#ifdef OPENSSL_FIPS
281
282int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc,
283 unsigned char *kstr, int klen,
284 pem_password_cb *cb, void *u)
285{
286 if (FIPS_mode())
287 {
288 EVP_PKEY *k;
289 int ret;
290 k = EVP_PKEY_new();
291 if (!k)
292 return 0;
293 EVP_PKEY_set1_DSA(k, x);
294
295 ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
296 EVP_PKEY_free(k);
297 return ret;
298 }
299 else
300 return PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPrivateKey,
301 PEM_STRING_DSA,bp,x,enc,kstr,klen,cb,u);
302}
303
304#ifndef OPENSSL_NO_FP_API
305int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc,
306 unsigned char *kstr, int klen,
307 pem_password_cb *cb, void *u)
308{
309 if (FIPS_mode())
310 {
311 EVP_PKEY *k;
312 int ret;
313 k = EVP_PKEY_new();
314 if (!k)
315 return 0;
316 EVP_PKEY_set1_DSA(k, x);
317 ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
318 EVP_PKEY_free(k);
319 return ret;
320 }
321 else
322 return PEM_ASN1_write((i2d_of_void *)i2d_DSAPrivateKey,
323 PEM_STRING_DSA,fp,x,enc,kstr,klen,cb,u);
324}
325#endif
326
327#else
328
226IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) 329IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey)
330
331#endif
332
227IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) 333IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY)
228 334
229#ifndef OPENSSL_NO_FP_API 335#ifndef OPENSSL_NO_FP_API
@@ -269,8 +375,63 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *bp, EC_KEY **key, pem_password_cb *cb,
269 375
270IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters) 376IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters)
271 377
378
379
380#ifdef OPENSSL_FIPS
381
382int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc,
383 unsigned char *kstr, int klen,
384 pem_password_cb *cb, void *u)
385{
386 if (FIPS_mode())
387 {
388 EVP_PKEY *k;
389 int ret;
390 k = EVP_PKEY_new();
391 if (!k)
392 return 0;
393 EVP_PKEY_set1_EC_KEY(k, x);
394
395 ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u);
396 EVP_PKEY_free(k);
397 return ret;
398 }
399 else
400 return PEM_ASN1_write_bio((i2d_of_void *)i2d_ECPrivateKey,
401 PEM_STRING_ECPRIVATEKEY,
402 bp,x,enc,kstr,klen,cb,u);
403}
404
405#ifndef OPENSSL_NO_FP_API
406int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc,
407 unsigned char *kstr, int klen,
408 pem_password_cb *cb, void *u)
409{
410 if (FIPS_mode())
411 {
412 EVP_PKEY *k;
413 int ret;
414 k = EVP_PKEY_new();
415 if (!k)
416 return 0;
417 EVP_PKEY_set1_EC_KEY(k, x);
418 ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u);
419 EVP_PKEY_free(k);
420 return ret;
421 }
422 else
423 return PEM_ASN1_write((i2d_of_void *)i2d_ECPrivateKey,
424 PEM_STRING_ECPRIVATEKEY,
425 fp,x,enc,kstr,klen,cb,u);
426}
427#endif
428
429#else
430
272IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey) 431IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey)
273 432
433#endif
434
274IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY) 435IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
275 436
276#ifndef OPENSSL_NO_FP_API 437#ifndef OPENSSL_NO_FP_API
diff --git a/src/lib/libcrypto/pem/pem_info.c b/src/lib/libcrypto/pem/pem_info.c
index 1b2be527ed..cc7f24a9c1 100644
--- a/src/lib/libcrypto/pem/pem_info.c
+++ b/src/lib/libcrypto/pem/pem_info.c
@@ -167,6 +167,7 @@ start:
167#ifndef OPENSSL_NO_RSA 167#ifndef OPENSSL_NO_RSA
168 if (strcmp(name,PEM_STRING_RSA) == 0) 168 if (strcmp(name,PEM_STRING_RSA) == 0)
169 { 169 {
170 d2i=(D2I_OF(void))d2i_RSAPrivateKey;
170 if (xi->x_pkey != NULL) 171 if (xi->x_pkey != NULL)
171 { 172 {
172 if (!sk_X509_INFO_push(ret,xi)) goto err; 173 if (!sk_X509_INFO_push(ret,xi)) goto err;
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index cfc89a9921..5a421fc4b6 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -394,7 +394,8 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
394 goto err; 394 goto err;
395 /* The 'iv' is used as the iv and as a salt. It is 395 /* The 'iv' is used as the iv and as a salt. It is
396 * NOT taken from the BytesToKey function */ 396 * NOT taken from the BytesToKey function */
397 EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL); 397 if (!EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL))
398 goto err;
398 399
399 if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE); 400 if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE);
400 401
@@ -406,12 +407,15 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
406 /* k=strlen(buf); */ 407 /* k=strlen(buf); */
407 408
408 EVP_CIPHER_CTX_init(&ctx); 409 EVP_CIPHER_CTX_init(&ctx);
409 EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv); 410 ret = 1;
410 EVP_EncryptUpdate(&ctx,data,&j,data,i); 411 if (!EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv)
411 EVP_EncryptFinal_ex(&ctx,&(data[j]),&i); 412 || !EVP_EncryptUpdate(&ctx,data,&j,data,i)
413 || !EVP_EncryptFinal_ex(&ctx,&(data[j]),&i))
414 ret = 0;
412 EVP_CIPHER_CTX_cleanup(&ctx); 415 EVP_CIPHER_CTX_cleanup(&ctx);
416 if (ret == 0)
417 goto err;
413 i+=j; 418 i+=j;
414 ret=1;
415 } 419 }
416 else 420 else
417 { 421 {
@@ -459,14 +463,17 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
459 ebcdic2ascii(buf, buf, klen); 463 ebcdic2ascii(buf, buf, klen);
460#endif 464#endif
461 465
462 EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]), 466 if (!EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]),
463 (unsigned char *)buf,klen,1,key,NULL); 467 (unsigned char *)buf,klen,1,key,NULL))
468 return 0;
464 469
465 j=(int)len; 470 j=(int)len;
466 EVP_CIPHER_CTX_init(&ctx); 471 EVP_CIPHER_CTX_init(&ctx);
467 EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0])); 472 o = EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0]));
468 EVP_DecryptUpdate(&ctx,data,&i,data,j); 473 if (o)
469 o=EVP_DecryptFinal_ex(&ctx,&(data[i]),&j); 474 o = EVP_DecryptUpdate(&ctx,data,&i,data,j);
475 if (o)
476 o = EVP_DecryptFinal_ex(&ctx,&(data[i]),&j);
470 EVP_CIPHER_CTX_cleanup(&ctx); 477 EVP_CIPHER_CTX_cleanup(&ctx);
471 OPENSSL_cleanse((char *)buf,sizeof(buf)); 478 OPENSSL_cleanse((char *)buf,sizeof(buf));
472 OPENSSL_cleanse((char *)key,sizeof(key)); 479 OPENSSL_cleanse((char *)key,sizeof(key));
diff --git a/src/lib/libcrypto/pem/pem_seal.c b/src/lib/libcrypto/pem/pem_seal.c
index 59690b56ae..b6b4e13498 100644
--- a/src/lib/libcrypto/pem/pem_seal.c
+++ b/src/lib/libcrypto/pem/pem_seal.c
@@ -96,7 +96,8 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
96 EVP_EncodeInit(&ctx->encode); 96 EVP_EncodeInit(&ctx->encode);
97 97
98 EVP_MD_CTX_init(&ctx->md); 98 EVP_MD_CTX_init(&ctx->md);
99 EVP_SignInit(&ctx->md,md_type); 99 if (!EVP_SignInit(&ctx->md,md_type))
100 goto err;
100 101
101 EVP_CIPHER_CTX_init(&ctx->cipher); 102 EVP_CIPHER_CTX_init(&ctx->cipher);
102 ret=EVP_SealInit(&ctx->cipher,type,ek,ekl,iv,pubk,npubk); 103 ret=EVP_SealInit(&ctx->cipher,type,ek,ekl,iv,pubk,npubk);
@@ -163,7 +164,8 @@ int PEM_SealFinal(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *sig, int *sigl,
163 goto err; 164 goto err;
164 } 165 }
165 166
166 EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i); 167 if (!EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i))
168 goto err;
167 EVP_EncodeUpdate(&ctx->encode,out,&j,s,i); 169 EVP_EncodeUpdate(&ctx->encode,out,&j,s,i);
168 *outl=j; 170 *outl=j;
169 out+=j; 171 out+=j;
diff --git a/src/lib/libcrypto/perlasm/cbc.pl b/src/lib/libcrypto/perlasm/cbc.pl
index 6fc2510905..24561e759a 100644
--- a/src/lib/libcrypto/perlasm/cbc.pl
+++ b/src/lib/libcrypto/perlasm/cbc.pl
@@ -150,7 +150,7 @@ sub cbc
150&set_label("PIC_point"); 150&set_label("PIC_point");
151 &blindpop("edx"); 151 &blindpop("edx");
152 &lea("ecx",&DWP(&label("cbc_enc_jmp_table")."-".&label("PIC_point"),"edx")); 152 &lea("ecx",&DWP(&label("cbc_enc_jmp_table")."-".&label("PIC_point"),"edx"));
153 &mov($count,&DWP(0,"ecx",$count,4)) 153 &mov($count,&DWP(0,"ecx",$count,4));
154 &add($count,"edx"); 154 &add($count,"edx");
155 &xor("ecx","ecx"); 155 &xor("ecx","ecx");
156 &xor("edx","edx"); 156 &xor("edx","edx");
diff --git a/src/lib/libcrypto/pkcs12/p12_crt.c b/src/lib/libcrypto/pkcs12/p12_crt.c
index 96b131defa..a34915d02d 100644
--- a/src/lib/libcrypto/pkcs12/p12_crt.c
+++ b/src/lib/libcrypto/pkcs12/p12_crt.c
@@ -90,7 +90,14 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert,
90 90
91 /* Set defaults */ 91 /* Set defaults */
92 if (!nid_cert) 92 if (!nid_cert)
93 {
94#ifdef OPENSSL_FIPS
95 if (FIPS_mode())
96 nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
97 else
98#endif
93 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC; 99 nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
100 }
94 if (!nid_key) 101 if (!nid_key)
95 nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; 102 nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
96 if (!iter) 103 if (!iter)
diff --git a/src/lib/libcrypto/pkcs12/p12_key.c b/src/lib/libcrypto/pkcs12/p12_key.c
index c55c7b60b3..61d58502fd 100644
--- a/src/lib/libcrypto/pkcs12/p12_key.c
+++ b/src/lib/libcrypto/pkcs12/p12_key.c
@@ -176,24 +176,32 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
176 out += u; 176 out += u;
177 for (j = 0; j < v; j++) B[j] = Ai[j % u]; 177 for (j = 0; j < v; j++) B[j] = Ai[j % u];
178 /* Work out B + 1 first then can use B as tmp space */ 178 /* Work out B + 1 first then can use B as tmp space */
179 if (!BN_bin2bn (B, v, Bpl1)) goto err; 179 if (!BN_bin2bn (B, v, Bpl1))
180 if (!BN_add_word (Bpl1, 1)) goto err; 180 goto err;
181 if (!BN_add_word (Bpl1, 1))
182 goto err;
181 for (j = 0; j < Ilen ; j+=v) { 183 for (j = 0; j < Ilen ; j+=v) {
182 if (!BN_bin2bn (I + j, v, Ij)) goto err; 184 if (!BN_bin2bn(I + j, v, Ij))
183 if (!BN_add (Ij, Ij, Bpl1)) goto err; 185 goto err;
184 BN_bn2bin (Ij, B); 186 if (!BN_add(Ij, Ij, Bpl1))
187 goto err;
188 if (!BN_bn2bin(Ij, B))
189 goto err;
185 Ijlen = BN_num_bytes (Ij); 190 Ijlen = BN_num_bytes (Ij);
186 /* If more than 2^(v*8) - 1 cut off MSB */ 191 /* If more than 2^(v*8) - 1 cut off MSB */
187 if (Ijlen > v) { 192 if (Ijlen > v) {
188 BN_bn2bin (Ij, B); 193 if (!BN_bn2bin (Ij, B))
194 goto err;
189 memcpy (I + j, B + 1, v); 195 memcpy (I + j, B + 1, v);
190#ifndef PKCS12_BROKEN_KEYGEN 196#ifndef PKCS12_BROKEN_KEYGEN
191 /* If less than v bytes pad with zeroes */ 197 /* If less than v bytes pad with zeroes */
192 } else if (Ijlen < v) { 198 } else if (Ijlen < v) {
193 memset(I + j, 0, v - Ijlen); 199 memset(I + j, 0, v - Ijlen);
194 BN_bn2bin(Ij, I + j + v - Ijlen); 200 if (!BN_bn2bin(Ij, I + j + v - Ijlen))
201 goto err;
195#endif 202#endif
196 } else BN_bn2bin (Ij, I + j); 203 } else if (!BN_bn2bin (Ij, I + j))
204 goto err;
197 } 205 }
198 } 206 }
199 207
diff --git a/src/lib/libcrypto/pkcs7/bio_pk7.c b/src/lib/libcrypto/pkcs7/bio_pk7.c
index c8d06d6cdc..0fd31e730f 100644
--- a/src/lib/libcrypto/pkcs7/bio_pk7.c
+++ b/src/lib/libcrypto/pkcs7/bio_pk7.c
@@ -56,7 +56,7 @@
56#include <openssl/pkcs7.h> 56#include <openssl/pkcs7.h>
57#include <openssl/bio.h> 57#include <openssl/bio.h>
58 58
59#ifndef OPENSSL_SYSNAME_NETWARE 59#if !defined(OPENSSL_SYSNAME_NETWARE) && !defined(OPENSSL_SYSNAME_VXWORKS)
60#include <memory.h> 60#include <memory.h>
61#endif 61#endif
62#include <stdio.h> 62#include <stdio.h>
diff --git a/src/lib/libcrypto/ppccap.c b/src/lib/libcrypto/ppccap.c
index ab89ccaa12..f71ba66aa3 100644
--- a/src/lib/libcrypto/ppccap.c
+++ b/src/lib/libcrypto/ppccap.c
@@ -3,6 +3,7 @@
3#include <string.h> 3#include <string.h>
4#include <setjmp.h> 4#include <setjmp.h>
5#include <signal.h> 5#include <signal.h>
6#include <unistd.h>
6#include <crypto.h> 7#include <crypto.h>
7#include <openssl/bn.h> 8#include <openssl/bn.h>
8 9
@@ -53,6 +54,7 @@ static sigjmp_buf ill_jmp;
53static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); } 54static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); }
54 55
55void OPENSSL_ppc64_probe(void); 56void OPENSSL_ppc64_probe(void);
57void OPENSSL_altivec_probe(void);
56 58
57void OPENSSL_cpuid_setup(void) 59void OPENSSL_cpuid_setup(void)
58 { 60 {
@@ -82,6 +84,15 @@ void OPENSSL_cpuid_setup(void)
82 84
83 OPENSSL_ppccap_P = 0; 85 OPENSSL_ppccap_P = 0;
84 86
87#if defined(_AIX)
88 if (sizeof(size_t)==4
89# if defined(_SC_AIX_KERNEL_BITMODE)
90 && sysconf(_SC_AIX_KERNEL_BITMODE)!=64
91# endif
92 )
93 return;
94#endif
95
85 memset(&ill_act,0,sizeof(ill_act)); 96 memset(&ill_act,0,sizeof(ill_act));
86 ill_act.sa_handler = ill_handler; 97 ill_act.sa_handler = ill_handler;
87 ill_act.sa_mask = all_masked; 98 ill_act.sa_mask = all_masked;
diff --git a/src/lib/libcrypto/rand/rand.h b/src/lib/libcrypto/rand/rand.h
index dc8fcf94c5..bb5520e80a 100644
--- a/src/lib/libcrypto/rand/rand.h
+++ b/src/lib/libcrypto/rand/rand.h
@@ -138,6 +138,7 @@ void ERR_load_RAND_strings(void);
138#define RAND_F_SSLEAY_RAND_BYTES 100 138#define RAND_F_SSLEAY_RAND_BYTES 100
139 139
140/* Reason codes. */ 140/* Reason codes. */
141#define RAND_R_DUAL_EC_DRBG_DISABLED 104
141#define RAND_R_ERROR_INITIALISING_DRBG 102 142#define RAND_R_ERROR_INITIALISING_DRBG 102
142#define RAND_R_ERROR_INSTANTIATING_DRBG 103 143#define RAND_R_ERROR_INSTANTIATING_DRBG 103
143#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101 144#define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
diff --git a/src/lib/libcrypto/rand/rand_err.c b/src/lib/libcrypto/rand/rand_err.c
index b8586c8f4a..c4c80fc8cc 100644
--- a/src/lib/libcrypto/rand/rand_err.c
+++ b/src/lib/libcrypto/rand/rand_err.c
@@ -78,6 +78,7 @@ static ERR_STRING_DATA RAND_str_functs[]=
78 78
79static ERR_STRING_DATA RAND_str_reasons[]= 79static ERR_STRING_DATA RAND_str_reasons[]=
80 { 80 {
81{ERR_REASON(RAND_R_DUAL_EC_DRBG_DISABLED),"dual ec drbg disabled"},
81{ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"}, 82{ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},
82{ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"}, 83{ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},
83{ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"}, 84{ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},
diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c
index daf1dab973..5ac0e14caf 100644
--- a/src/lib/libcrypto/rand/rand_lib.c
+++ b/src/lib/libcrypto/rand/rand_lib.c
@@ -210,8 +210,11 @@ static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout,
210 210
211static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen) 211static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen)
212 { 212 {
213 OPENSSL_cleanse(out, olen); 213 if (out)
214 OPENSSL_free(out); 214 {
215 OPENSSL_cleanse(out, olen);
216 OPENSSL_free(out);
217 }
215 } 218 }
216 219
217/* Set "additional input" when generating random data. This uses the 220/* Set "additional input" when generating random data. This uses the
@@ -266,6 +269,14 @@ int RAND_init_fips(void)
266 DRBG_CTX *dctx; 269 DRBG_CTX *dctx;
267 size_t plen; 270 size_t plen;
268 unsigned char pers[32], *p; 271 unsigned char pers[32], *p;
272#ifndef OPENSSL_ALLOW_DUAL_EC_DRBG
273 if (fips_drbg_type >> 16)
274 {
275 RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_DUAL_EC_DRBG_DISABLED);
276 return 0;
277 }
278#endif
279
269 dctx = FIPS_get_default_drbg(); 280 dctx = FIPS_get_default_drbg();
270 if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0) 281 if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)
271 { 282 {
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index 030e07f418..7f1428072d 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -57,7 +57,9 @@
57 */ 57 */
58 58
59/* We need to define this to get macros like S_IFBLK and S_IFCHR */ 59/* We need to define this to get macros like S_IFBLK and S_IFCHR */
60#if !defined(OPENSSL_SYS_VXWORKS)
60#define _XOPEN_SOURCE 500 61#define _XOPEN_SOURCE 500
62#endif
61 63
62#include <errno.h> 64#include <errno.h>
63#include <stdio.h> 65#include <stdio.h>
diff --git a/src/lib/libcrypto/rc4/asm/rc4-md5-x86_64.pl b/src/lib/libcrypto/rc4/asm/rc4-md5-x86_64.pl
index 7f684092d4..272fa91e1a 100644
--- a/src/lib/libcrypto/rc4/asm/rc4-md5-x86_64.pl
+++ b/src/lib/libcrypto/rc4/asm/rc4-md5-x86_64.pl
@@ -51,7 +51,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlate;
51( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 51( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
52die "can't locate x86_64-xlate.pl"; 52die "can't locate x86_64-xlate.pl";
53 53
54open STDOUT,"| $^X $xlate $flavour $output"; 54open OUT,"| \"$^X\" $xlate $flavour $output";
55*STDOUT=*OUT;
55 56
56my ($dat,$in0,$out,$ctx,$inp,$len, $func,$nargs); 57my ($dat,$in0,$out,$ctx,$inp,$len, $func,$nargs);
57 58
diff --git a/src/lib/libcrypto/rc4/asm/rc4-parisc.pl b/src/lib/libcrypto/rc4/asm/rc4-parisc.pl
index 9165067080..ad7e65651c 100644
--- a/src/lib/libcrypto/rc4/asm/rc4-parisc.pl
+++ b/src/lib/libcrypto/rc4/asm/rc4-parisc.pl
@@ -307,7 +307,8 @@ L\$opts
307 .STRINGZ "RC4 for PA-RISC, CRYPTOGAMS by <appro\@openssl.org>" 307 .STRINGZ "RC4 for PA-RISC, CRYPTOGAMS by <appro\@openssl.org>"
308___ 308___
309$code =~ s/\`([^\`]*)\`/eval $1/gem; 309$code =~ s/\`([^\`]*)\`/eval $1/gem;
310$code =~ s/cmpib,\*/comib,/gm if ($SIZE_T==4); 310$code =~ s/cmpib,\*/comib,/gm if ($SIZE_T==4);
311$code =~ s/\bbv\b/bve/gm if ($SIZE_T==8);
311 312
312print $code; 313print $code;
313close STDOUT; 314close STDOUT;
diff --git a/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl b/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
index d6eac205e9..75750dbf33 100755
--- a/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
+++ b/src/lib/libcrypto/rc4/asm/rc4-x86_64.pl
@@ -112,7 +112,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
112( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 112( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
113die "can't locate x86_64-xlate.pl"; 113die "can't locate x86_64-xlate.pl";
114 114
115open STDOUT,"| $^X $xlate $flavour $output"; 115open OUT,"| \"$^X\" $xlate $flavour $output";
116*STDOUT=*OUT;
116 117
117$dat="%rdi"; # arg1 118$dat="%rdi"; # arg1
118$len="%rsi"; # arg2 119$len="%rsi"; # arg2
diff --git a/src/lib/libcrypto/ripemd/rmd_dgst.c b/src/lib/libcrypto/ripemd/rmd_dgst.c
index 63f0d983f7..d8e72da51b 100644
--- a/src/lib/libcrypto/ripemd/rmd_dgst.c
+++ b/src/lib/libcrypto/ripemd/rmd_dgst.c
@@ -105,21 +105,21 @@ void ripemd160_block_data_order (RIPEMD160_CTX *ctx, const void *p, size_t num)
105 105
106 A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E; 106 A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E;
107 107
108 HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l; 108 (void)HOST_c2l(data,l); X( 0)=l;(void)HOST_c2l(data,l); X( 1)=l;
109 RIP1(A,B,C,D,E,WL00,SL00); HOST_c2l(data,l); X( 2)=l; 109 RIP1(A,B,C,D,E,WL00,SL00); (void)HOST_c2l(data,l); X( 2)=l;
110 RIP1(E,A,B,C,D,WL01,SL01); HOST_c2l(data,l); X( 3)=l; 110 RIP1(E,A,B,C,D,WL01,SL01); (void)HOST_c2l(data,l); X( 3)=l;
111 RIP1(D,E,A,B,C,WL02,SL02); HOST_c2l(data,l); X( 4)=l; 111 RIP1(D,E,A,B,C,WL02,SL02); (void)HOST_c2l(data,l); X( 4)=l;
112 RIP1(C,D,E,A,B,WL03,SL03); HOST_c2l(data,l); X( 5)=l; 112 RIP1(C,D,E,A,B,WL03,SL03); (void)HOST_c2l(data,l); X( 5)=l;
113 RIP1(B,C,D,E,A,WL04,SL04); HOST_c2l(data,l); X( 6)=l; 113 RIP1(B,C,D,E,A,WL04,SL04); (void)HOST_c2l(data,l); X( 6)=l;
114 RIP1(A,B,C,D,E,WL05,SL05); HOST_c2l(data,l); X( 7)=l; 114 RIP1(A,B,C,D,E,WL05,SL05); (void)HOST_c2l(data,l); X( 7)=l;
115 RIP1(E,A,B,C,D,WL06,SL06); HOST_c2l(data,l); X( 8)=l; 115 RIP1(E,A,B,C,D,WL06,SL06); (void)HOST_c2l(data,l); X( 8)=l;
116 RIP1(D,E,A,B,C,WL07,SL07); HOST_c2l(data,l); X( 9)=l; 116 RIP1(D,E,A,B,C,WL07,SL07); (void)HOST_c2l(data,l); X( 9)=l;
117 RIP1(C,D,E,A,B,WL08,SL08); HOST_c2l(data,l); X(10)=l; 117 RIP1(C,D,E,A,B,WL08,SL08); (void)HOST_c2l(data,l); X(10)=l;
118 RIP1(B,C,D,E,A,WL09,SL09); HOST_c2l(data,l); X(11)=l; 118 RIP1(B,C,D,E,A,WL09,SL09); (void)HOST_c2l(data,l); X(11)=l;
119 RIP1(A,B,C,D,E,WL10,SL10); HOST_c2l(data,l); X(12)=l; 119 RIP1(A,B,C,D,E,WL10,SL10); (void)HOST_c2l(data,l); X(12)=l;
120 RIP1(E,A,B,C,D,WL11,SL11); HOST_c2l(data,l); X(13)=l; 120 RIP1(E,A,B,C,D,WL11,SL11); (void)HOST_c2l(data,l); X(13)=l;
121 RIP1(D,E,A,B,C,WL12,SL12); HOST_c2l(data,l); X(14)=l; 121 RIP1(D,E,A,B,C,WL12,SL12); (void)HOST_c2l(data,l); X(14)=l;
122 RIP1(C,D,E,A,B,WL13,SL13); HOST_c2l(data,l); X(15)=l; 122 RIP1(C,D,E,A,B,WL13,SL13); (void)HOST_c2l(data,l); X(15)=l;
123 RIP1(B,C,D,E,A,WL14,SL14); 123 RIP1(B,C,D,E,A,WL14,SL14);
124 RIP1(A,B,C,D,E,WL15,SL15); 124 RIP1(A,B,C,D,E,WL15,SL15);
125 125
diff --git a/src/lib/libcrypto/ripemd/rmd_locl.h b/src/lib/libcrypto/ripemd/rmd_locl.h
index f14b346e66..2bd8957d14 100644
--- a/src/lib/libcrypto/ripemd/rmd_locl.h
+++ b/src/lib/libcrypto/ripemd/rmd_locl.h
@@ -88,11 +88,11 @@ void ripemd160_block_data_order (RIPEMD160_CTX *c, const void *p,size_t num);
88#define HASH_FINAL RIPEMD160_Final 88#define HASH_FINAL RIPEMD160_Final
89#define HASH_MAKE_STRING(c,s) do { \ 89#define HASH_MAKE_STRING(c,s) do { \
90 unsigned long ll; \ 90 unsigned long ll; \
91 ll=(c)->A; HOST_l2c(ll,(s)); \ 91 ll=(c)->A; (void)HOST_l2c(ll,(s)); \
92 ll=(c)->B; HOST_l2c(ll,(s)); \ 92 ll=(c)->B; (void)HOST_l2c(ll,(s)); \
93 ll=(c)->C; HOST_l2c(ll,(s)); \ 93 ll=(c)->C; (void)HOST_l2c(ll,(s)); \
94 ll=(c)->D; HOST_l2c(ll,(s)); \ 94 ll=(c)->D; (void)HOST_l2c(ll,(s)); \
95 ll=(c)->E; HOST_l2c(ll,(s)); \ 95 ll=(c)->E; (void)HOST_l2c(ll,(s)); \
96 } while (0) 96 } while (0)
97#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order 97#define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order
98 98
diff --git a/src/lib/libcrypto/rsa/rsa.h b/src/lib/libcrypto/rsa/rsa.h
index 4814a2fc15..5f269e577a 100644
--- a/src/lib/libcrypto/rsa/rsa.h
+++ b/src/lib/libcrypto/rsa/rsa.h
@@ -280,7 +280,7 @@ struct rsa_st
280 280
281RSA * RSA_new(void); 281RSA * RSA_new(void);
282RSA * RSA_new_method(ENGINE *engine); 282RSA * RSA_new_method(ENGINE *engine);
283int RSA_size(const RSA *); 283int RSA_size(const RSA *rsa);
284 284
285/* Deprecated version */ 285/* Deprecated version */
286#ifndef OPENSSL_NO_DEPRECATED 286#ifndef OPENSSL_NO_DEPRECATED
diff --git a/src/lib/libcrypto/rsa/rsa_ameth.c b/src/lib/libcrypto/rsa/rsa_ameth.c
index 2460910ab2..5a2062f903 100644
--- a/src/lib/libcrypto/rsa/rsa_ameth.c
+++ b/src/lib/libcrypto/rsa/rsa_ameth.c
@@ -351,27 +351,27 @@ static int rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss,
351 351
352 if (!BIO_indent(bp, indent, 128)) 352 if (!BIO_indent(bp, indent, 128))
353 goto err; 353 goto err;
354 if (BIO_puts(bp, "Salt Length: ") <= 0) 354 if (BIO_puts(bp, "Salt Length: 0x") <= 0)
355 goto err; 355 goto err;
356 if (pss->saltLength) 356 if (pss->saltLength)
357 { 357 {
358 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) 358 if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
359 goto err; 359 goto err;
360 } 360 }
361 else if (BIO_puts(bp, "20 (default)") <= 0) 361 else if (BIO_puts(bp, "0x14 (default)") <= 0)
362 goto err; 362 goto err;
363 BIO_puts(bp, "\n"); 363 BIO_puts(bp, "\n");
364 364
365 if (!BIO_indent(bp, indent, 128)) 365 if (!BIO_indent(bp, indent, 128))
366 goto err; 366 goto err;
367 if (BIO_puts(bp, "Trailer Field: ") <= 0) 367 if (BIO_puts(bp, "Trailer Field: 0x") <= 0)
368 goto err; 368 goto err;
369 if (pss->trailerField) 369 if (pss->trailerField)
370 { 370 {
371 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) 371 if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0)
372 goto err; 372 goto err;
373 } 373 }
374 else if (BIO_puts(bp, "0xbc (default)") <= 0) 374 else if (BIO_puts(bp, "BC (default)") <= 0)
375 goto err; 375 goto err;
376 BIO_puts(bp, "\n"); 376 BIO_puts(bp, "\n");
377 377
diff --git a/src/lib/libcrypto/rsa/rsa_chk.c b/src/lib/libcrypto/rsa/rsa_chk.c
index 9d848db8c6..cc30e77132 100644
--- a/src/lib/libcrypto/rsa/rsa_chk.c
+++ b/src/lib/libcrypto/rsa/rsa_chk.c
@@ -59,6 +59,12 @@ int RSA_check_key(const RSA *key)
59 BN_CTX *ctx; 59 BN_CTX *ctx;
60 int r; 60 int r;
61 int ret=1; 61 int ret=1;
62
63 if (!key->p || !key->q || !key->n || !key->e || !key->d)
64 {
65 RSAerr(RSA_F_RSA_CHECK_KEY, RSA_R_VALUE_MISSING);
66 return 0;
67 }
62 68
63 i = BN_new(); 69 i = BN_new();
64 j = BN_new(); 70 j = BN_new();
diff --git a/src/lib/libcrypto/rsa/rsa_eay.c b/src/lib/libcrypto/rsa/rsa_eay.c
index 2e1ddd48d3..88ee2cb557 100644
--- a/src/lib/libcrypto/rsa/rsa_eay.c
+++ b/src/lib/libcrypto/rsa/rsa_eay.c
@@ -847,12 +847,12 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
847 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; 847 if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
848 848
849 /* If p < q it is occasionally possible for the correction of 849 /* If p < q it is occasionally possible for the correction of
850 * adding 'p' if r0 is negative above to leave the result still 850 * adding 'p' if r0 is negative above to leave the result still
851 * negative. This can break the private key operations: the following 851 * negative. This can break the private key operations: the following
852 * second correction should *always* correct this rare occurrence. 852 * second correction should *always* correct this rare occurrence.
853 * This will *never* happen with OpenSSL generated keys because 853 * This will *never* happen with OpenSSL generated keys because
854 * they ensure p > q [steve] 854 * they ensure p > q [steve]
855 */ 855 */
856 if (BN_is_negative(r0)) 856 if (BN_is_negative(r0))
857 if (!BN_add(r0,r0,rsa->p)) goto err; 857 if (!BN_add(r0,r0,rsa->p)) goto err;
858 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; 858 if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index 553d212ebe..af4d24a56e 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -149,7 +149,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
149 if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL)) 149 if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))
150 return -1; 150 return -1;
151 151
152 if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) 152 if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
153 goto decoding_err; 153 goto decoding_err;
154 else 154 else
155 { 155 {
diff --git a/src/lib/libcrypto/rsa/rsa_pmeth.c b/src/lib/libcrypto/rsa/rsa_pmeth.c
index 5b2ecf56ad..157aa5c41d 100644
--- a/src/lib/libcrypto/rsa/rsa_pmeth.c
+++ b/src/lib/libcrypto/rsa/rsa_pmeth.c
@@ -611,6 +611,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
611 pm = RSA_NO_PADDING; 611 pm = RSA_NO_PADDING;
612 else if (!strcmp(value, "oeap")) 612 else if (!strcmp(value, "oeap"))
613 pm = RSA_PKCS1_OAEP_PADDING; 613 pm = RSA_PKCS1_OAEP_PADDING;
614 else if (!strcmp(value, "oaep"))
615 pm = RSA_PKCS1_OAEP_PADDING;
614 else if (!strcmp(value, "x931")) 616 else if (!strcmp(value, "x931"))
615 pm = RSA_X931_PADDING; 617 pm = RSA_X931_PADDING;
616 else if (!strcmp(value, "pss")) 618 else if (!strcmp(value, "pss"))
diff --git a/src/lib/libcrypto/sha/asm/sha1-armv4-large.pl b/src/lib/libcrypto/sha/asm/sha1-armv4-large.pl
index fe8207f77f..33da3e0e3c 100644
--- a/src/lib/libcrypto/sha/asm/sha1-armv4-large.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-armv4-large.pl
@@ -177,6 +177,7 @@ for($i=0;$i<5;$i++) {
177$code.=<<___; 177$code.=<<___;
178 teq $Xi,sp 178 teq $Xi,sp
179 bne .L_00_15 @ [((11+4)*5+2)*3] 179 bne .L_00_15 @ [((11+4)*5+2)*3]
180 sub sp,sp,#25*4
180___ 181___
181 &BODY_00_15(@V); unshift(@V,pop(@V)); 182 &BODY_00_15(@V); unshift(@V,pop(@V));
182 &BODY_16_19(@V); unshift(@V,pop(@V)); 183 &BODY_16_19(@V); unshift(@V,pop(@V));
@@ -186,7 +187,6 @@ ___
186$code.=<<___; 187$code.=<<___;
187 188
188 ldr $K,.LK_20_39 @ [+15+16*4] 189 ldr $K,.LK_20_39 @ [+15+16*4]
189 sub sp,sp,#25*4
190 cmn sp,#0 @ [+3], clear carry to denote 20_39 190 cmn sp,#0 @ [+3], clear carry to denote 20_39
191.L_20_39_or_60_79: 191.L_20_39_or_60_79:
192___ 192___
diff --git a/src/lib/libcrypto/sha/asm/sha1-ia64.pl b/src/lib/libcrypto/sha/asm/sha1-ia64.pl
index db28f0805a..02d35d1614 100644
--- a/src/lib/libcrypto/sha/asm/sha1-ia64.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-ia64.pl
@@ -271,7 +271,8 @@ tmp6=loc13;
271 271
272___ 272___
273 273
274{ my $i,@V=($A,$B,$C,$D,$E); 274{ my $i;
275 my @V=($A,$B,$C,$D,$E);
275 276
276 for($i=0;$i<16;$i++) { &BODY_00_15(\$code,$i,@V); unshift(@V,pop(@V)); } 277 for($i=0;$i<16;$i++) { &BODY_00_15(\$code,$i,@V); unshift(@V,pop(@V)); }
277 for(;$i<20;$i++) { &BODY_16_19(\$code,$i,@V); unshift(@V,pop(@V)); } 278 for(;$i<20;$i++) { &BODY_16_19(\$code,$i,@V); unshift(@V,pop(@V)); }
diff --git a/src/lib/libcrypto/sha/asm/sha1-parisc.pl b/src/lib/libcrypto/sha/asm/sha1-parisc.pl
index 6d7bf495b2..6e5a328a6f 100644
--- a/src/lib/libcrypto/sha/asm/sha1-parisc.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-parisc.pl
@@ -254,6 +254,7 @@ $code.=<<___;
254___ 254___
255 255
256$code =~ s/\`([^\`]*)\`/eval $1/gem; 256$code =~ s/\`([^\`]*)\`/eval $1/gem;
257$code =~ s/,\*/,/gm if ($SIZE_T==4); 257$code =~ s/,\*/,/gm if ($SIZE_T==4);
258$code =~ s/\bbv\b/bve/gm if ($SIZE_T==8);
258print $code; 259print $code;
259close STDOUT; 260close STDOUT;
diff --git a/src/lib/libcrypto/sha/asm/sha1-sparcv9a.pl b/src/lib/libcrypto/sha/asm/sha1-sparcv9a.pl
index 85e8d68086..e65291bbd9 100644
--- a/src/lib/libcrypto/sha/asm/sha1-sparcv9a.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-sparcv9a.pl
@@ -549,7 +549,7 @@ ___
549# programmer detect if current CPU is VIS capable at run-time. 549# programmer detect if current CPU is VIS capable at run-time.
550sub unvis { 550sub unvis {
551my ($mnemonic,$rs1,$rs2,$rd)=@_; 551my ($mnemonic,$rs1,$rs2,$rd)=@_;
552my $ref,$opf; 552my ($ref,$opf);
553my %visopf = ( "fmul8ulx16" => 0x037, 553my %visopf = ( "fmul8ulx16" => 0x037,
554 "faligndata" => 0x048, 554 "faligndata" => 0x048,
555 "fpadd32" => 0x052, 555 "fpadd32" => 0x052,
diff --git a/src/lib/libcrypto/sha/asm/sha1-x86_64.pl b/src/lib/libcrypto/sha/asm/sha1-x86_64.pl
index f27c1e3fb0..f15c7ec39b 100755
--- a/src/lib/libcrypto/sha/asm/sha1-x86_64.pl
+++ b/src/lib/libcrypto/sha/asm/sha1-x86_64.pl
@@ -82,7 +82,8 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
82 `ml64 2>&1` =~ /Version ([0-9]+)\./ && 82 `ml64 2>&1` =~ /Version ([0-9]+)\./ &&
83 $1>=10); 83 $1>=10);
84 84
85open STDOUT,"| $^X $xlate $flavour $output"; 85open OUT,"| \"$^X\" $xlate $flavour $output";
86*STDOUT=*OUT;
86 87
87$ctx="%rdi"; # 1st arg 88$ctx="%rdi"; # 1st arg
88$inp="%rsi"; # 2nd arg 89$inp="%rsi"; # 2nd arg
@@ -744,7 +745,7 @@ $code.=<<___;
744 mov %rdi,$ctx # reassigned argument 745 mov %rdi,$ctx # reassigned argument
745 mov %rsi,$inp # reassigned argument 746 mov %rsi,$inp # reassigned argument
746 mov %rdx,$num # reassigned argument 747 mov %rdx,$num # reassigned argument
747 vzeroall 748 vzeroupper
748 749
749 shl \$6,$num 750 shl \$6,$num
750 add $inp,$num 751 add $inp,$num
@@ -1037,7 +1038,7 @@ ___
1037 &Xtail_avx(\&body_20_39); 1038 &Xtail_avx(\&body_20_39);
1038 1039
1039$code.=<<___; 1040$code.=<<___;
1040 vzeroall 1041 vzeroupper
1041 1042
1042 add 0($ctx),$A # update context 1043 add 0($ctx),$A # update context
1043 add 4($ctx),@T[0] 1044 add 4($ctx),@T[0]
diff --git a/src/lib/libcrypto/sha/asm/sha512-586.pl b/src/lib/libcrypto/sha/asm/sha512-586.pl
index 5b9f3337ad..7eab6a5b88 100644
--- a/src/lib/libcrypto/sha/asm/sha512-586.pl
+++ b/src/lib/libcrypto/sha/asm/sha512-586.pl
@@ -142,9 +142,9 @@ sub BODY_00_15_x86 {
142 &mov ("edx",$Ehi); 142 &mov ("edx",$Ehi);
143 &mov ("esi","ecx"); 143 &mov ("esi","ecx");
144 144
145 &shr ("ecx",9) # lo>>9 145 &shr ("ecx",9); # lo>>9
146 &mov ("edi","edx"); 146 &mov ("edi","edx");
147 &shr ("edx",9) # hi>>9 147 &shr ("edx",9); # hi>>9
148 &mov ("ebx","ecx"); 148 &mov ("ebx","ecx");
149 &shl ("esi",14); # lo<<14 149 &shl ("esi",14); # lo<<14
150 &mov ("eax","edx"); 150 &mov ("eax","edx");
@@ -207,9 +207,9 @@ sub BODY_00_15_x86 {
207 &mov ($Dhi,"ebx"); 207 &mov ($Dhi,"ebx");
208 &mov ("esi","ecx"); 208 &mov ("esi","ecx");
209 209
210 &shr ("ecx",2) # lo>>2 210 &shr ("ecx",2); # lo>>2
211 &mov ("edi","edx"); 211 &mov ("edi","edx");
212 &shr ("edx",2) # hi>>2 212 &shr ("edx",2); # hi>>2
213 &mov ("ebx","ecx"); 213 &mov ("ebx","ecx");
214 &shl ("esi",4); # lo<<4 214 &shl ("esi",4); # lo<<4
215 &mov ("eax","edx"); 215 &mov ("eax","edx");
@@ -452,9 +452,9 @@ if ($sse2) {
452 &mov ("edx",&DWP(8*(9+15+16-1)+4,"esp")); 452 &mov ("edx",&DWP(8*(9+15+16-1)+4,"esp"));
453 &mov ("esi","ecx"); 453 &mov ("esi","ecx");
454 454
455 &shr ("ecx",1) # lo>>1 455 &shr ("ecx",1); # lo>>1
456 &mov ("edi","edx"); 456 &mov ("edi","edx");
457 &shr ("edx",1) # hi>>1 457 &shr ("edx",1); # hi>>1
458 &mov ("eax","ecx"); 458 &mov ("eax","ecx");
459 &shl ("esi",24); # lo<<24 459 &shl ("esi",24); # lo<<24
460 &mov ("ebx","edx"); 460 &mov ("ebx","edx");
@@ -488,9 +488,9 @@ if ($sse2) {
488 &mov ("edx",&DWP(8*(9+15+16-14)+4,"esp")); 488 &mov ("edx",&DWP(8*(9+15+16-14)+4,"esp"));
489 &mov ("esi","ecx"); 489 &mov ("esi","ecx");
490 490
491 &shr ("ecx",6) # lo>>6 491 &shr ("ecx",6); # lo>>6
492 &mov ("edi","edx"); 492 &mov ("edi","edx");
493 &shr ("edx",6) # hi>>6 493 &shr ("edx",6); # hi>>6
494 &mov ("eax","ecx"); 494 &mov ("eax","ecx");
495 &shl ("esi",3); # lo<<3 495 &shl ("esi",3); # lo<<3
496 &mov ("ebx","edx"); 496 &mov ("ebx","edx");
diff --git a/src/lib/libcrypto/sha/asm/sha512-mips.pl b/src/lib/libcrypto/sha/asm/sha512-mips.pl
index ba5b250890..ffa053bb7d 100644
--- a/src/lib/libcrypto/sha/asm/sha512-mips.pl
+++ b/src/lib/libcrypto/sha/asm/sha512-mips.pl
@@ -351,7 +351,7 @@ $code.=<<___;
351 $ST $G,6*$SZ($ctx) 351 $ST $G,6*$SZ($ctx)
352 $ST $H,7*$SZ($ctx) 352 $ST $H,7*$SZ($ctx)
353 353
354 bnel $inp,@X[15],.Loop 354 bne $inp,@X[15],.Loop
355 $PTR_SUB $Ktbl,`($rounds-16)*$SZ` # rewind $Ktbl 355 $PTR_SUB $Ktbl,`($rounds-16)*$SZ` # rewind $Ktbl
356 356
357 $REG_L $ra,$FRAMESIZE-1*$SZREG($sp) 357 $REG_L $ra,$FRAMESIZE-1*$SZREG($sp)
diff --git a/src/lib/libcrypto/sha/asm/sha512-parisc.pl b/src/lib/libcrypto/sha/asm/sha512-parisc.pl
index e24ee58ae9..fc0e15b3c0 100755
--- a/src/lib/libcrypto/sha/asm/sha512-parisc.pl
+++ b/src/lib/libcrypto/sha/asm/sha512-parisc.pl
@@ -785,6 +785,8 @@ foreach (split("\n",$code)) {
785 785
786 s/cmpb,\*/comb,/ if ($SIZE_T==4); 786 s/cmpb,\*/comb,/ if ($SIZE_T==4);
787 787
788 s/\bbv\b/bve/ if ($SIZE_T==8);
789
788 print $_,"\n"; 790 print $_,"\n";
789} 791}
790 792
diff --git a/src/lib/libcrypto/sha/asm/sha512-x86_64.pl b/src/lib/libcrypto/sha/asm/sha512-x86_64.pl
index f611a2d898..8d51678557 100755
--- a/src/lib/libcrypto/sha/asm/sha512-x86_64.pl
+++ b/src/lib/libcrypto/sha/asm/sha512-x86_64.pl
@@ -51,7 +51,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
51( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 51( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
52die "can't locate x86_64-xlate.pl"; 52die "can't locate x86_64-xlate.pl";
53 53
54open STDOUT,"| $^X $xlate $flavour $output"; 54open OUT,"| \"$^X\" $xlate $flavour $output";
55*STDOUT=*OUT;
55 56
56if ($output =~ /512/) { 57if ($output =~ /512/) {
57 $func="sha512_block_data_order"; 58 $func="sha512_block_data_order";
diff --git a/src/lib/libcrypto/sha/sha1_one.c b/src/lib/libcrypto/sha/sha1_one.c
index 7c65b60276..c56ec94020 100644
--- a/src/lib/libcrypto/sha/sha1_one.c
+++ b/src/lib/libcrypto/sha/sha1_one.c
@@ -58,8 +58,8 @@
58 58
59#include <stdio.h> 59#include <stdio.h>
60#include <string.h> 60#include <string.h>
61#include <openssl/sha.h>
62#include <openssl/crypto.h> 61#include <openssl/crypto.h>
62#include <openssl/sha.h>
63 63
64#ifndef OPENSSL_NO_SHA1 64#ifndef OPENSSL_NO_SHA1
65unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md) 65unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
diff --git a/src/lib/libcrypto/sha/sha1dgst.c b/src/lib/libcrypto/sha/sha1dgst.c
index 81219af088..a98690225f 100644
--- a/src/lib/libcrypto/sha/sha1dgst.c
+++ b/src/lib/libcrypto/sha/sha1dgst.c
@@ -56,8 +56,8 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58 58
59#include <openssl/opensslconf.h>
60#include <openssl/crypto.h> 59#include <openssl/crypto.h>
60#include <openssl/opensslconf.h>
61#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA) 61#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA)
62 62
63#undef SHA_0 63#undef SHA_0
diff --git a/src/lib/libcrypto/sha/sha256.c b/src/lib/libcrypto/sha/sha256.c
index f88d3d6dad..4eae074849 100644
--- a/src/lib/libcrypto/sha/sha256.c
+++ b/src/lib/libcrypto/sha/sha256.c
@@ -88,17 +88,17 @@ int SHA224_Final (unsigned char *md, SHA256_CTX *c)
88 switch ((c)->md_len) \ 88 switch ((c)->md_len) \
89 { case SHA224_DIGEST_LENGTH: \ 89 { case SHA224_DIGEST_LENGTH: \
90 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \ 90 for (nn=0;nn<SHA224_DIGEST_LENGTH/4;nn++) \
91 { ll=(c)->h[nn]; HOST_l2c(ll,(s)); } \ 91 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
92 break; \ 92 break; \
93 case SHA256_DIGEST_LENGTH: \ 93 case SHA256_DIGEST_LENGTH: \
94 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \ 94 for (nn=0;nn<SHA256_DIGEST_LENGTH/4;nn++) \
95 { ll=(c)->h[nn]; HOST_l2c(ll,(s)); } \ 95 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
96 break; \ 96 break; \
97 default: \ 97 default: \
98 if ((c)->md_len > SHA256_DIGEST_LENGTH) \ 98 if ((c)->md_len > SHA256_DIGEST_LENGTH) \
99 return 0; \ 99 return 0; \
100 for (nn=0;nn<(c)->md_len/4;nn++) \ 100 for (nn=0;nn<(c)->md_len/4;nn++) \
101 { ll=(c)->h[nn]; HOST_l2c(ll,(s)); } \ 101 { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \
102 break; \ 102 break; \
103 } \ 103 } \
104 } while (0) 104 } while (0)
diff --git a/src/lib/libcrypto/sha/sha512.c b/src/lib/libcrypto/sha/sha512.c
index 50dd7dc744..50c229ddeb 100644
--- a/src/lib/libcrypto/sha/sha512.c
+++ b/src/lib/libcrypto/sha/sha512.c
@@ -232,7 +232,14 @@ int SHA384_Update (SHA512_CTX *c, const void *data, size_t len)
232{ return SHA512_Update (c,data,len); } 232{ return SHA512_Update (c,data,len); }
233 233
234void SHA512_Transform (SHA512_CTX *c, const unsigned char *data) 234void SHA512_Transform (SHA512_CTX *c, const unsigned char *data)
235{ sha512_block_data_order (c,data,1); } 235 {
236#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA
237 if ((size_t)data%sizeof(c->u.d[0]) != 0)
238 memcpy(c->u.p,data,sizeof(c->u.p)),
239 data = c->u.p;
240#endif
241 sha512_block_data_order (c,data,1);
242 }
236 243
237unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md) 244unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
238 { 245 {
diff --git a/src/lib/libcrypto/sha/sha_locl.h b/src/lib/libcrypto/sha/sha_locl.h
index 7a0c3ca8d8..d673255f78 100644
--- a/src/lib/libcrypto/sha/sha_locl.h
+++ b/src/lib/libcrypto/sha/sha_locl.h
@@ -69,11 +69,11 @@
69#define HASH_CBLOCK SHA_CBLOCK 69#define HASH_CBLOCK SHA_CBLOCK
70#define HASH_MAKE_STRING(c,s) do { \ 70#define HASH_MAKE_STRING(c,s) do { \
71 unsigned long ll; \ 71 unsigned long ll; \
72 ll=(c)->h0; HOST_l2c(ll,(s)); \ 72 ll=(c)->h0; (void)HOST_l2c(ll,(s)); \
73 ll=(c)->h1; HOST_l2c(ll,(s)); \ 73 ll=(c)->h1; (void)HOST_l2c(ll,(s)); \
74 ll=(c)->h2; HOST_l2c(ll,(s)); \ 74 ll=(c)->h2; (void)HOST_l2c(ll,(s)); \
75 ll=(c)->h3; HOST_l2c(ll,(s)); \ 75 ll=(c)->h3; (void)HOST_l2c(ll,(s)); \
76 ll=(c)->h4; HOST_l2c(ll,(s)); \ 76 ll=(c)->h4; (void)HOST_l2c(ll,(s)); \
77 } while (0) 77 } while (0)
78 78
79#if defined(SHA_0) 79#if defined(SHA_0)
@@ -256,21 +256,21 @@ static void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, size_t num)
256 } 256 }
257 else 257 else
258 { 258 {
259 HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l; 259 (void)HOST_c2l(data,l); X( 0)=l; (void)HOST_c2l(data,l); X( 1)=l;
260 BODY_00_15( 0,A,B,C,D,E,T,X( 0)); HOST_c2l(data,l); X( 2)=l; 260 BODY_00_15( 0,A,B,C,D,E,T,X( 0)); (void)HOST_c2l(data,l); X( 2)=l;
261 BODY_00_15( 1,T,A,B,C,D,E,X( 1)); HOST_c2l(data,l); X( 3)=l; 261 BODY_00_15( 1,T,A,B,C,D,E,X( 1)); (void)HOST_c2l(data,l); X( 3)=l;
262 BODY_00_15( 2,E,T,A,B,C,D,X( 2)); HOST_c2l(data,l); X( 4)=l; 262 BODY_00_15( 2,E,T,A,B,C,D,X( 2)); (void)HOST_c2l(data,l); X( 4)=l;
263 BODY_00_15( 3,D,E,T,A,B,C,X( 3)); HOST_c2l(data,l); X( 5)=l; 263 BODY_00_15( 3,D,E,T,A,B,C,X( 3)); (void)HOST_c2l(data,l); X( 5)=l;
264 BODY_00_15( 4,C,D,E,T,A,B,X( 4)); HOST_c2l(data,l); X( 6)=l; 264 BODY_00_15( 4,C,D,E,T,A,B,X( 4)); (void)HOST_c2l(data,l); X( 6)=l;
265 BODY_00_15( 5,B,C,D,E,T,A,X( 5)); HOST_c2l(data,l); X( 7)=l; 265 BODY_00_15( 5,B,C,D,E,T,A,X( 5)); (void)HOST_c2l(data,l); X( 7)=l;
266 BODY_00_15( 6,A,B,C,D,E,T,X( 6)); HOST_c2l(data,l); X( 8)=l; 266 BODY_00_15( 6,A,B,C,D,E,T,X( 6)); (void)HOST_c2l(data,l); X( 8)=l;
267 BODY_00_15( 7,T,A,B,C,D,E,X( 7)); HOST_c2l(data,l); X( 9)=l; 267 BODY_00_15( 7,T,A,B,C,D,E,X( 7)); (void)HOST_c2l(data,l); X( 9)=l;
268 BODY_00_15( 8,E,T,A,B,C,D,X( 8)); HOST_c2l(data,l); X(10)=l; 268 BODY_00_15( 8,E,T,A,B,C,D,X( 8)); (void)HOST_c2l(data,l); X(10)=l;
269 BODY_00_15( 9,D,E,T,A,B,C,X( 9)); HOST_c2l(data,l); X(11)=l; 269 BODY_00_15( 9,D,E,T,A,B,C,X( 9)); (void)HOST_c2l(data,l); X(11)=l;
270 BODY_00_15(10,C,D,E,T,A,B,X(10)); HOST_c2l(data,l); X(12)=l; 270 BODY_00_15(10,C,D,E,T,A,B,X(10)); (void)HOST_c2l(data,l); X(12)=l;
271 BODY_00_15(11,B,C,D,E,T,A,X(11)); HOST_c2l(data,l); X(13)=l; 271 BODY_00_15(11,B,C,D,E,T,A,X(11)); (void)HOST_c2l(data,l); X(13)=l;
272 BODY_00_15(12,A,B,C,D,E,T,X(12)); HOST_c2l(data,l); X(14)=l; 272 BODY_00_15(12,A,B,C,D,E,T,X(12)); (void)HOST_c2l(data,l); X(14)=l;
273 BODY_00_15(13,T,A,B,C,D,E,X(13)); HOST_c2l(data,l); X(15)=l; 273 BODY_00_15(13,T,A,B,C,D,E,X(13)); (void)HOST_c2l(data,l); X(15)=l;
274 BODY_00_15(14,E,T,A,B,C,D,X(14)); 274 BODY_00_15(14,E,T,A,B,C,D,X(14));
275 BODY_00_15(15,D,E,T,A,B,C,X(15)); 275 BODY_00_15(15,D,E,T,A,B,C,X(15));
276 } 276 }
diff --git a/src/lib/libcrypto/sparccpuid.S b/src/lib/libcrypto/sparccpuid.S
index ae61f7f5ce..0cc247e489 100644
--- a/src/lib/libcrypto/sparccpuid.S
+++ b/src/lib/libcrypto/sparccpuid.S
@@ -235,10 +235,10 @@ _sparcv9_rdtick:
235.global _sparcv9_vis1_probe 235.global _sparcv9_vis1_probe
236.align 8 236.align 8
237_sparcv9_vis1_probe: 237_sparcv9_vis1_probe:
238 .word 0x81b00d80 !fxor %f0,%f0,%f0
239 add %sp,BIAS+2,%o1 238 add %sp,BIAS+2,%o1
240 retl
241 .word 0xc19a5a40 !ldda [%o1]ASI_FP16_P,%f0 239 .word 0xc19a5a40 !ldda [%o1]ASI_FP16_P,%f0
240 retl
241 .word 0x81b00d80 !fxor %f0,%f0,%f0
242.type _sparcv9_vis1_probe,#function 242.type _sparcv9_vis1_probe,#function
243.size _sparcv9_vis1_probe,.-_sparcv9_vis1_probe 243.size _sparcv9_vis1_probe,.-_sparcv9_vis1_probe
244 244
diff --git a/src/lib/libcrypto/ui/ui_openssl.c b/src/lib/libcrypto/ui/ui_openssl.c
index 5832a73cf5..a38c7581e6 100644
--- a/src/lib/libcrypto/ui/ui_openssl.c
+++ b/src/lib/libcrypto/ui/ui_openssl.c
@@ -122,9 +122,15 @@
122 * sigaction and fileno included. -pedantic would be more appropriate for 122 * sigaction and fileno included. -pedantic would be more appropriate for
123 * the intended purposes, but we can't prevent users from adding -ansi. 123 * the intended purposes, but we can't prevent users from adding -ansi.
124 */ 124 */
125#if defined(OPENSSL_SYSNAME_VXWORKS)
126#include <sys/types.h>
127#endif
128
125#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS) 129#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
130#ifndef _POSIX_C_SOURCE
126#define _POSIX_C_SOURCE 2 131#define _POSIX_C_SOURCE 2
127#endif 132#endif
133#endif
128#include <signal.h> 134#include <signal.h>
129#include <stdio.h> 135#include <stdio.h>
130#include <string.h> 136#include <string.h>
diff --git a/src/lib/libcrypto/whrlpool/asm/wp-mmx.pl b/src/lib/libcrypto/whrlpool/asm/wp-mmx.pl
index 32cf16380b..cb2381c22b 100644
--- a/src/lib/libcrypto/whrlpool/asm/wp-mmx.pl
+++ b/src/lib/libcrypto/whrlpool/asm/wp-mmx.pl
@@ -119,7 +119,7 @@ $tbl="ebp";
119 &mov ("eax",&DWP(0,"esp")); 119 &mov ("eax",&DWP(0,"esp"));
120 &mov ("ebx",&DWP(4,"esp")); 120 &mov ("ebx",&DWP(4,"esp"));
121for($i=0;$i<8;$i++) { 121for($i=0;$i<8;$i++) {
122 my $func = ($i==0)? movq : pxor; 122 my $func = ($i==0)? \&movq : \&pxor;
123 &movb (&LB("ecx"),&LB("eax")); 123 &movb (&LB("ecx"),&LB("eax"));
124 &movb (&LB("edx"),&HB("eax")); 124 &movb (&LB("edx"),&HB("eax"));
125 &scale ("esi","ecx"); 125 &scale ("esi","ecx");
diff --git a/src/lib/libcrypto/whrlpool/asm/wp-x86_64.pl b/src/lib/libcrypto/whrlpool/asm/wp-x86_64.pl
index 87c0843dc1..24b2ff60c3 100644
--- a/src/lib/libcrypto/whrlpool/asm/wp-x86_64.pl
+++ b/src/lib/libcrypto/whrlpool/asm/wp-x86_64.pl
@@ -41,7 +41,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlate;
41( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or 41( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
42die "can't locate x86_64-xlate.pl"; 42die "can't locate x86_64-xlate.pl";
43 43
44open STDOUT,"| $^X $xlate $flavour $output"; 44open OUT,"| \"$^X\" $xlate $flavour $output";
45*STDOUT=*OUT;
45 46
46sub L() { $code.=".byte ".join(',',@_)."\n"; } 47sub L() { $code.=".byte ".join(',',@_)."\n"; }
47sub LL(){ $code.=".byte ".join(',',@_).",".join(',',@_)."\n"; } 48sub LL(){ $code.=".byte ".join(',',@_).",".join(',',@_)."\n"; }
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 27ca5150c1..c6602dae4f 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -218,7 +218,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
218 218
219 s=dir; 219 s=dir;
220 p=s; 220 p=s;
221 for (;;p++) 221 do
222 { 222 {
223 if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0')) 223 if ((*p == LIST_SEPARATOR_CHAR) || (*p == '\0'))
224 { 224 {
@@ -264,9 +264,7 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
264 return 0; 264 return 0;
265 } 265 }
266 } 266 }
267 if (*p == '\0') 267 } while (*p++ != '\0');
268 break;
269 }
270 return 1; 268 return 1;
271 } 269 }
272 270
diff --git a/src/lib/libcrypto/x509/x509_cmp.c b/src/lib/libcrypto/x509/x509_cmp.c
index 7c2aaee2e9..352aa37434 100644
--- a/src/lib/libcrypto/x509/x509_cmp.c
+++ b/src/lib/libcrypto/x509/x509_cmp.c
@@ -86,10 +86,9 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
86 86
87 EVP_MD_CTX_init(&ctx); 87 EVP_MD_CTX_init(&ctx);
88 f=X509_NAME_oneline(a->cert_info->issuer,NULL,0); 88 f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
89 ret=strlen(f);
90 if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) 89 if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
91 goto err; 90 goto err;
92 if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,ret)) 91 if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,strlen(f)))
93 goto err; 92 goto err;
94 OPENSSL_free(f); 93 OPENSSL_free(f);
95 if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data, 94 if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
@@ -249,14 +248,14 @@ unsigned long X509_NAME_hash_old(X509_NAME *x)
249 i2d_X509_NAME(x,NULL); 248 i2d_X509_NAME(x,NULL);
250 EVP_MD_CTX_init(&md_ctx); 249 EVP_MD_CTX_init(&md_ctx);
251 EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); 250 EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
252 EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL); 251 if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL)
253 EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length); 252 && EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length)
254 EVP_DigestFinal_ex(&md_ctx,md,NULL); 253 && EVP_DigestFinal_ex(&md_ctx,md,NULL))
254 ret=(((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
255 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
256 )&0xffffffffL;
255 EVP_MD_CTX_cleanup(&md_ctx); 257 EVP_MD_CTX_cleanup(&md_ctx);
256 258
257 ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)|
258 ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
259 )&0xffffffffL;
260 return(ret); 259 return(ret);
261 } 260 }
262#endif 261#endif
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index b0779db023..920066aeba 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -694,6 +694,7 @@ static int check_cert(X509_STORE_CTX *ctx)
694 X509_CRL *crl = NULL, *dcrl = NULL; 694 X509_CRL *crl = NULL, *dcrl = NULL;
695 X509 *x; 695 X509 *x;
696 int ok, cnum; 696 int ok, cnum;
697 unsigned int last_reasons;
697 cnum = ctx->error_depth; 698 cnum = ctx->error_depth;
698 x = sk_X509_value(ctx->chain, cnum); 699 x = sk_X509_value(ctx->chain, cnum);
699 ctx->current_cert = x; 700 ctx->current_cert = x;
@@ -702,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ctx)
702 ctx->current_reasons = 0; 703 ctx->current_reasons = 0;
703 while (ctx->current_reasons != CRLDP_ALL_REASONS) 704 while (ctx->current_reasons != CRLDP_ALL_REASONS)
704 { 705 {
706 last_reasons = ctx->current_reasons;
705 /* Try to retrieve relevant CRL */ 707 /* Try to retrieve relevant CRL */
706 if (ctx->get_crl) 708 if (ctx->get_crl)
707 ok = ctx->get_crl(ctx, &crl, x); 709 ok = ctx->get_crl(ctx, &crl, x);
@@ -745,6 +747,15 @@ static int check_cert(X509_STORE_CTX *ctx)
745 X509_CRL_free(dcrl); 747 X509_CRL_free(dcrl);
746 crl = NULL; 748 crl = NULL;
747 dcrl = NULL; 749 dcrl = NULL;
750 /* If reasons not updated we wont get anywhere by
751 * another iteration, so exit loop.
752 */
753 if (last_reasons == ctx->current_reasons)
754 {
755 ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
756 ok = ctx->verify_cb(0, ctx);
757 goto err;
758 }
748 } 759 }
749 err: 760 err:
750 X509_CRL_free(crl); 761 X509_CRL_free(crl);
@@ -872,7 +883,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
872 { 883 {
873 ASN1_OCTET_STRING *exta, *extb; 884 ASN1_OCTET_STRING *exta, *extb;
874 int i; 885 int i;
875 i = X509_CRL_get_ext_by_NID(a, nid, 0); 886 i = X509_CRL_get_ext_by_NID(a, nid, -1);
876 if (i >= 0) 887 if (i >= 0)
877 { 888 {
878 /* Can't have multiple occurrences */ 889 /* Can't have multiple occurrences */
@@ -883,7 +894,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
883 else 894 else
884 exta = NULL; 895 exta = NULL;
885 896
886 i = X509_CRL_get_ext_by_NID(b, nid, 0); 897 i = X509_CRL_get_ext_by_NID(b, nid, -1);
887 898
888 if (i >= 0) 899 if (i >= 0)
889 { 900 {
@@ -1451,10 +1462,9 @@ static int cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x)
1451 * a certificate was revoked. This has since been changed since 1462 * a certificate was revoked. This has since been changed since
1452 * critical extension can change the meaning of CRL entries. 1463 * critical extension can change the meaning of CRL entries.
1453 */ 1464 */
1454 if (crl->flags & EXFLAG_CRITICAL) 1465 if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1466 && (crl->flags & EXFLAG_CRITICAL))
1455 { 1467 {
1456 if (ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL)
1457 return 1;
1458 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION; 1468 ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION;
1459 ok = ctx->verify_cb(0, ctx); 1469 ok = ctx->verify_cb(0, ctx);
1460 if(!ok) 1470 if(!ok)
diff --git a/src/lib/libcrypto/x509/x_all.c b/src/lib/libcrypto/x509/x_all.c
index b94aeeb873..e06602d65a 100644
--- a/src/lib/libcrypto/x509/x_all.c
+++ b/src/lib/libcrypto/x509/x_all.c
@@ -97,6 +97,7 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
97 97
98int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) 98int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
99 { 99 {
100 x->cert_info->enc.modified = 1;
100 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF), 101 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
101 x->cert_info->signature, 102 x->cert_info->signature,
102 x->sig_alg, x->signature, x->cert_info, ctx); 103 x->sig_alg, x->signature, x->cert_info, ctx);
@@ -123,6 +124,7 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md)
123 124
124int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx) 125int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
125 { 126 {
127 x->crl->enc.modified = 1;
126 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO), 128 return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
127 x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx); 129 x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
128 } 130 }
diff --git a/src/lib/libcrypto/x509v3/v3_purp.c b/src/lib/libcrypto/x509v3/v3_purp.c
index 181bd34979..ad688657e0 100644
--- a/src/lib/libcrypto/x509v3/v3_purp.c
+++ b/src/lib/libcrypto/x509v3/v3_purp.c
@@ -474,11 +474,11 @@ static void x509v3_cache_extensions(X509 *x)
474 for (i = 0; i < X509_get_ext_count(x); i++) 474 for (i = 0; i < X509_get_ext_count(x); i++)
475 { 475 {
476 ex = X509_get_ext(x, i); 476 ex = X509_get_ext(x, i);
477 if (!X509_EXTENSION_get_critical(ex))
478 continue;
479 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) 477 if (OBJ_obj2nid(X509_EXTENSION_get_object(ex))
480 == NID_freshest_crl) 478 == NID_freshest_crl)
481 x->ex_flags |= EXFLAG_FRESHEST; 479 x->ex_flags |= EXFLAG_FRESHEST;
480 if (!X509_EXTENSION_get_critical(ex))
481 continue;
482 if (!X509_supported_extension(ex)) 482 if (!X509_supported_extension(ex))
483 { 483 {
484 x->ex_flags |= EXFLAG_CRITICAL; 484 x->ex_flags |= EXFLAG_CRITICAL;
diff --git a/src/lib/libcrypto/x86_64cpuid.pl b/src/lib/libcrypto/x86_64cpuid.pl
index 7b7b93b223..6ebfd017ea 100644
--- a/src/lib/libcrypto/x86_64cpuid.pl
+++ b/src/lib/libcrypto/x86_64cpuid.pl
@@ -11,7 +11,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
11( $xlate="${dir}perlasm/x86_64-xlate.pl" and -f $xlate) or 11( $xlate="${dir}perlasm/x86_64-xlate.pl" and -f $xlate) or
12die "can't locate x86_64-xlate.pl"; 12die "can't locate x86_64-xlate.pl";
13 13
14open STDOUT,"| $^X $xlate $flavour $output"; 14open OUT,"| \"$^X\" $xlate $flavour $output";
15*STDOUT=*OUT;
15 16
16($arg1,$arg2,$arg3,$arg4)=$win64?("%rcx","%rdx","%r8", "%r9") : # Win64 order 17($arg1,$arg2,$arg3,$arg4)=$win64?("%rcx","%rdx","%r8", "%r9") : # Win64 order
17 ("%rdi","%rsi","%rdx","%rcx"); # Unix order 18 ("%rdi","%rsi","%rdx","%rcx"); # Unix order
diff --git a/src/lib/libcrypto/x86cpuid.pl b/src/lib/libcrypto/x86cpuid.pl
index 39fd8f2293..b270b44337 100644
--- a/src/lib/libcrypto/x86cpuid.pl
+++ b/src/lib/libcrypto/x86cpuid.pl
@@ -67,6 +67,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
67 &inc ("esi"); # number of cores 67 &inc ("esi"); # number of cores
68 68
69 &mov ("eax",1); 69 &mov ("eax",1);
70 &xor ("ecx","ecx");
70 &cpuid (); 71 &cpuid ();
71 &bt ("edx",28); 72 &bt ("edx",28);
72 &jnc (&label("generic")); 73 &jnc (&label("generic"));
@@ -91,6 +92,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
91 92
92&set_label("nocacheinfo"); 93&set_label("nocacheinfo");
93 &mov ("eax",1); 94 &mov ("eax",1);
95 &xor ("ecx","ecx");
94 &cpuid (); 96 &cpuid ();
95 &and ("edx",0xbfefffff); # force reserved bits #20, #30 to 0 97 &and ("edx",0xbfefffff); # force reserved bits #20, #30 to 0
96 &cmp ("ebp",0); 98 &cmp ("ebp",0);
@@ -165,7 +167,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
165 &jnz (&label("nohalt")); # not enough privileges 167 &jnz (&label("nohalt")); # not enough privileges
166 168
167 &pushf (); 169 &pushf ();
168 &pop ("eax") 170 &pop ("eax");
169 &bt ("eax",9); 171 &bt ("eax",9);
170 &jnc (&label("nohalt")); # interrupts are disabled 172 &jnc (&label("nohalt")); # interrupts are disabled
171 173
@@ -280,7 +282,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
280# arguments is 1 or 2! 282# arguments is 1 or 2!
281&function_begin_B("OPENSSL_indirect_call"); 283&function_begin_B("OPENSSL_indirect_call");
282 { 284 {
283 my $i,$max=7; # $max has to be chosen as 4*n-1 285 my ($max,$i)=(7,); # $max has to be chosen as 4*n-1
284 # in order to preserve eventual 286 # in order to preserve eventual
285 # stack alignment 287 # stack alignment
286 &push ("ebp"); 288 &push ("ebp");
diff --git a/src/lib/libssl/d1_both.c b/src/lib/libssl/d1_both.c
index de8bab873f..2e8cf681ed 100644
--- a/src/lib/libssl/d1_both.c
+++ b/src/lib/libssl/d1_both.c
@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly)
214static void 214static void
215dtls1_hm_fragment_free(hm_fragment *frag) 215dtls1_hm_fragment_free(hm_fragment *frag)
216 { 216 {
217
218 if (frag->msg_header.is_ccs)
219 {
220 EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
221 EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
222 }
217 if (frag->fragment) OPENSSL_free(frag->fragment); 223 if (frag->fragment) OPENSSL_free(frag->fragment);
218 if (frag->reassembly) OPENSSL_free(frag->reassembly); 224 if (frag->reassembly) OPENSSL_free(frag->reassembly);
219 OPENSSL_free(frag); 225 OPENSSL_free(frag);
@@ -313,9 +319,10 @@ int dtls1_do_write(SSL *s, int type)
313 s->init_off -= DTLS1_HM_HEADER_LENGTH; 319 s->init_off -= DTLS1_HM_HEADER_LENGTH;
314 s->init_num += DTLS1_HM_HEADER_LENGTH; 320 s->init_num += DTLS1_HM_HEADER_LENGTH;
315 321
316 /* write atleast DTLS1_HM_HEADER_LENGTH bytes */ 322 if ( s->init_num > curr_mtu)
317 if ( len <= DTLS1_HM_HEADER_LENGTH) 323 len = curr_mtu;
318 len += DTLS1_HM_HEADER_LENGTH; 324 else
325 len = s->init_num;
319 } 326 }
320 327
321 dtls1_fix_message_header(s, frag_off, 328 dtls1_fix_message_header(s, frag_off,
@@ -1452,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s)
1452 unsigned int payload; 1459 unsigned int payload;
1453 unsigned int padding = 16; /* Use minimum padding */ 1460 unsigned int padding = 16; /* Use minimum padding */
1454 1461
1455 /* Read type and payload length first */
1456 hbtype = *p++;
1457 n2s(p, payload);
1458 pl = p;
1459
1460 if (s->msg_callback) 1462 if (s->msg_callback)
1461 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 1463 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
1462 &s->s3->rrec.data[0], s->s3->rrec.length, 1464 &s->s3->rrec.data[0], s->s3->rrec.length,
1463 s, s->msg_callback_arg); 1465 s, s->msg_callback_arg);
1464 1466
1467 /* Read type and payload length first */
1468 if (1 + 2 + 16 > s->s3->rrec.length)
1469 return 0; /* silently discard */
1470 hbtype = *p++;
1471 n2s(p, payload);
1472 if (1 + 2 + payload + 16 > s->s3->rrec.length)
1473 return 0; /* silently discard per RFC 6520 sec. 4 */
1474 pl = p;
1475
1465 if (hbtype == TLS1_HB_REQUEST) 1476 if (hbtype == TLS1_HB_REQUEST)
1466 { 1477 {
1467 unsigned char *buffer, *bp; 1478 unsigned char *buffer, *bp;
1479 unsigned int write_length = 1 /* heartbeat type */ +
1480 2 /* heartbeat length */ +
1481 payload + padding;
1468 int r; 1482 int r;
1469 1483
1484 if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
1485 return 0;
1486
1470 /* Allocate memory for the response, size is 1 byte 1487 /* Allocate memory for the response, size is 1 byte
1471 * message type, plus 2 bytes payload length, plus 1488 * message type, plus 2 bytes payload length, plus
1472 * payload, plus padding 1489 * payload, plus padding
1473 */ 1490 */
1474 buffer = OPENSSL_malloc(1 + 2 + payload + padding); 1491 buffer = OPENSSL_malloc(write_length);
1475 bp = buffer; 1492 bp = buffer;
1476 1493
1477 /* Enter response type, length and copy payload */ 1494 /* Enter response type, length and copy payload */
@@ -1482,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s)
1482 /* Random padding */ 1499 /* Random padding */
1483 RAND_pseudo_bytes(bp, padding); 1500 RAND_pseudo_bytes(bp, padding);
1484 1501
1485 r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); 1502 r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
1486 1503
1487 if (r >= 0 && s->msg_callback) 1504 if (r >= 0 && s->msg_callback)
1488 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, 1505 s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
1489 buffer, 3 + payload + padding, 1506 buffer, write_length,
1490 s, s->msg_callback_arg); 1507 s, s->msg_callback_arg);
1491 1508
1492 OPENSSL_free(buffer); 1509 OPENSSL_free(buffer);
diff --git a/src/lib/libssl/d1_clnt.c b/src/lib/libssl/d1_clnt.c
index a6ed09c51d..48e5e06bde 100644
--- a/src/lib/libssl/d1_clnt.c
+++ b/src/lib/libssl/d1_clnt.c
@@ -538,13 +538,6 @@ int dtls1_connect(SSL *s)
538 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 538 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
539 if (ret <= 0) goto end; 539 if (ret <= 0) goto end;
540 540
541#ifndef OPENSSL_NO_SCTP
542 /* Change to new shared key of SCTP-Auth,
543 * will be ignored if no SCTP used.
544 */
545 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
546#endif
547
548 s->state=SSL3_ST_CW_FINISHED_A; 541 s->state=SSL3_ST_CW_FINISHED_A;
549 s->init_num=0; 542 s->init_num=0;
550 543
@@ -571,6 +564,16 @@ int dtls1_connect(SSL *s)
571 goto end; 564 goto end;
572 } 565 }
573 566
567#ifndef OPENSSL_NO_SCTP
568 if (s->hit)
569 {
570 /* Change to new shared key of SCTP-Auth,
571 * will be ignored if no SCTP used.
572 */
573 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
574 }
575#endif
576
574 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE); 577 dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
575 break; 578 break;
576 579
@@ -613,6 +616,13 @@ int dtls1_connect(SSL *s)
613 } 616 }
614 else 617 else
615 { 618 {
619#ifndef OPENSSL_NO_SCTP
620 /* Change to new shared key of SCTP-Auth,
621 * will be ignored if no SCTP used.
622 */
623 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
624#endif
625
616#ifndef OPENSSL_NO_TLSEXT 626#ifndef OPENSSL_NO_TLSEXT
617 /* Allow NewSessionTicket if ticket expected */ 627 /* Allow NewSessionTicket if ticket expected */
618 if (s->tlsext_ticket_expected) 628 if (s->tlsext_ticket_expected)
@@ -773,7 +783,7 @@ int dtls1_client_hello(SSL *s)
773 unsigned char *buf; 783 unsigned char *buf;
774 unsigned char *p,*d; 784 unsigned char *p,*d;
775 unsigned int i,j; 785 unsigned int i,j;
776 unsigned long Time,l; 786 unsigned long l;
777 SSL_COMP *comp; 787 SSL_COMP *comp;
778 788
779 buf=(unsigned char *)s->init_buf->data; 789 buf=(unsigned char *)s->init_buf->data;
@@ -798,13 +808,11 @@ int dtls1_client_hello(SSL *s)
798 808
799 /* if client_random is initialized, reuse it, we are 809 /* if client_random is initialized, reuse it, we are
800 * required to use same upon reply to HelloVerify */ 810 * required to use same upon reply to HelloVerify */
801 for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ; 811 for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++)
812 ;
802 if (i==sizeof(s->s3->client_random)) 813 if (i==sizeof(s->s3->client_random))
803 { 814 ssl_fill_hello_random(s, 0, p,
804 Time=(unsigned long)time(NULL); /* Time */ 815 sizeof(s->s3->client_random));
805 l2n(Time,p);
806 RAND_pseudo_bytes(p,sizeof(s->s3->client_random)-4);
807 }
808 816
809 /* Do the message type and length last */ 817 /* Do the message type and length last */
810 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); 818 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
diff --git a/src/lib/libssl/d1_enc.c b/src/lib/libssl/d1_enc.c
index 07a5e97ce5..712c4647f2 100644
--- a/src/lib/libssl/d1_enc.c
+++ b/src/lib/libssl/d1_enc.c
@@ -126,20 +126,28 @@
126#include <openssl/des.h> 126#include <openssl/des.h>
127#endif 127#endif
128 128
129/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
130 *
131 * Returns:
132 * 0: (in non-constant time) if the record is publically invalid (i.e. too
133 * short etc).
134 * 1: if the record's padding is valid / the encryption was successful.
135 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
136 * an internal error occured. */
129int dtls1_enc(SSL *s, int send) 137int dtls1_enc(SSL *s, int send)
130 { 138 {
131 SSL3_RECORD *rec; 139 SSL3_RECORD *rec;
132 EVP_CIPHER_CTX *ds; 140 EVP_CIPHER_CTX *ds;
133 unsigned long l; 141 unsigned long l;
134 int bs,i,ii,j,k,n=0; 142 int bs,i,j,k,mac_size=0;
135 const EVP_CIPHER *enc; 143 const EVP_CIPHER *enc;
136 144
137 if (send) 145 if (send)
138 { 146 {
139 if (EVP_MD_CTX_md(s->write_hash)) 147 if (EVP_MD_CTX_md(s->write_hash))
140 { 148 {
141 n=EVP_MD_CTX_size(s->write_hash); 149 mac_size=EVP_MD_CTX_size(s->write_hash);
142 if (n < 0) 150 if (mac_size < 0)
143 return -1; 151 return -1;
144 } 152 }
145 ds=s->enc_write_ctx; 153 ds=s->enc_write_ctx;
@@ -164,9 +172,8 @@ int dtls1_enc(SSL *s, int send)
164 { 172 {
165 if (EVP_MD_CTX_md(s->read_hash)) 173 if (EVP_MD_CTX_md(s->read_hash))
166 { 174 {
167 n=EVP_MD_CTX_size(s->read_hash); 175 mac_size=EVP_MD_CTX_size(s->read_hash);
168 if (n < 0) 176 OPENSSL_assert(mac_size >= 0);
169 return -1;
170 } 177 }
171 ds=s->enc_read_ctx; 178 ds=s->enc_read_ctx;
172 rec= &(s->s3->rrec); 179 rec= &(s->s3->rrec);
@@ -231,7 +238,7 @@ int dtls1_enc(SSL *s, int send)
231 if (!send) 238 if (!send)
232 { 239 {
233 if (l == 0 || l%bs != 0) 240 if (l == 0 || l%bs != 0)
234 return -1; 241 return 0;
235 } 242 }
236 243
237 EVP_Cipher(ds,rec->data,rec->input,l); 244 EVP_Cipher(ds,rec->data,rec->input,l);
@@ -246,43 +253,7 @@ int dtls1_enc(SSL *s, int send)
246#endif /* KSSL_DEBUG */ 253#endif /* KSSL_DEBUG */
247 254
248 if ((bs != 1) && !send) 255 if ((bs != 1) && !send)
249 { 256 return tls1_cbc_remove_padding(s, rec, bs, mac_size);
250 ii=i=rec->data[l-1]; /* padding_length */
251 i++;
252 if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
253 {
254 /* First packet is even in size, so check */
255 if ((memcmp(s->s3->read_sequence,
256 "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
257 s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
258 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
259 i--;
260 }
261 /* TLS 1.0 does not bound the number of padding bytes by the block size.
262 * All of them must have value 'padding_length'. */
263 if (i + bs > (int)rec->length)
264 {
265 /* Incorrect padding. SSLerr() and ssl3_alert are done
266 * by caller: we don't want to reveal whether this is
267 * a decryption error or a MAC verification failure
268 * (see http://www.openssl.org/~bodo/tls-cbc.txt)
269 */
270 return -1;
271 }
272 for (j=(int)(l-i); j<(int)l; j++)
273 {
274 if (rec->data[j] != ii)
275 {
276 /* Incorrect padding */
277 return -1;
278 }
279 }
280 rec->length-=i;
281
282 rec->data += bs; /* skip the implicit IV */
283 rec->input += bs;
284 rec->length -= bs;
285 }
286 } 257 }
287 return(1); 258 return(1);
288 } 259 }
diff --git a/src/lib/libssl/d1_lib.c b/src/lib/libssl/d1_lib.c
index f61f718183..106939f241 100644
--- a/src/lib/libssl/d1_lib.c
+++ b/src/lib/libssl/d1_lib.c
@@ -196,6 +196,7 @@ void dtls1_free(SSL *s)
196 pqueue_free(s->d1->buffered_app_data.q); 196 pqueue_free(s->d1->buffered_app_data.q);
197 197
198 OPENSSL_free(s->d1); 198 OPENSSL_free(s->d1);
199 s->d1 = NULL;
199 } 200 }
200 201
201void dtls1_clear(SSL *s) 202void dtls1_clear(SSL *s)
diff --git a/src/lib/libssl/d1_pkt.c b/src/lib/libssl/d1_pkt.c
index 987af60835..8186462d4a 100644
--- a/src/lib/libssl/d1_pkt.c
+++ b/src/lib/libssl/d1_pkt.c
@@ -376,15 +376,11 @@ static int
376dtls1_process_record(SSL *s) 376dtls1_process_record(SSL *s)
377{ 377{
378 int i,al; 378 int i,al;
379 int clear=0;
380 int enc_err; 379 int enc_err;
381 SSL_SESSION *sess; 380 SSL_SESSION *sess;
382 SSL3_RECORD *rr; 381 SSL3_RECORD *rr;
383 unsigned int mac_size; 382 unsigned int mac_size, orig_len;
384 unsigned char md[EVP_MAX_MD_SIZE]; 383 unsigned char md[EVP_MAX_MD_SIZE];
385 int decryption_failed_or_bad_record_mac = 0;
386 unsigned char *mac = NULL;
387
388 384
389 rr= &(s->s3->rrec); 385 rr= &(s->s3->rrec);
390 sess = s->session; 386 sess = s->session;
@@ -416,12 +412,16 @@ dtls1_process_record(SSL *s)
416 rr->data=rr->input; 412 rr->data=rr->input;
417 413
418 enc_err = s->method->ssl3_enc->enc(s,0); 414 enc_err = s->method->ssl3_enc->enc(s,0);
419 if (enc_err <= 0) 415 /* enc_err is:
416 * 0: (in non-constant time) if the record is publically invalid.
417 * 1: if the padding is valid
418 * -1: if the padding is invalid */
419 if (enc_err == 0)
420 { 420 {
421 /* To minimize information leaked via timing, we will always 421 /* For DTLS we simply ignore bad packets. */
422 * perform all computations before discarding the message. 422 rr->length = 0;
423 */ 423 s->packet_length = 0;
424 decryption_failed_or_bad_record_mac = 1; 424 goto err;
425 } 425 }
426 426
427#ifdef TLS_DEBUG 427#ifdef TLS_DEBUG
@@ -431,45 +431,62 @@ printf("\n");
431#endif 431#endif
432 432
433 /* r->length is now the compressed data plus mac */ 433 /* r->length is now the compressed data plus mac */
434 if ( (sess == NULL) || 434 if ((sess != NULL) &&
435 (s->enc_read_ctx == NULL) || 435 (s->enc_read_ctx != NULL) &&
436 (s->read_hash == NULL)) 436 (EVP_MD_CTX_md(s->read_hash) != NULL))
437 clear=1;
438
439 if (!clear)
440 { 437 {
441 /* !clear => s->read_hash != NULL => mac_size != -1 */ 438 /* s->read_hash != NULL => mac_size != -1 */
442 int t; 439 unsigned char *mac = NULL;
443 t=EVP_MD_CTX_size(s->read_hash); 440 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
444 OPENSSL_assert(t >= 0); 441 mac_size=EVP_MD_CTX_size(s->read_hash);
445 mac_size=t; 442 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
446 443
447 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) 444 /* kludge: *_cbc_remove_padding passes padding length in rr->type */
445 orig_len = rr->length+((unsigned int)rr->type>>8);
446
447 /* orig_len is the length of the record before any padding was
448 * removed. This is public information, as is the MAC in use,
449 * therefore we can safely process the record in a different
450 * amount of time if it's too short to possibly contain a MAC.
451 */
452 if (orig_len < mac_size ||
453 /* CBC records must have a padding length byte too. */
454 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
455 orig_len < mac_size+1))
448 { 456 {
449#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ 457 al=SSL_AD_DECODE_ERROR;
450 al=SSL_AD_RECORD_OVERFLOW; 458 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
451 SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
452 goto f_err; 459 goto f_err;
453#else
454 decryption_failed_or_bad_record_mac = 1;
455#endif
456 } 460 }
457 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ 461
458 if (rr->length >= mac_size) 462 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
459 { 463 {
464 /* We update the length so that the TLS header bytes
465 * can be constructed correctly but we need to extract
466 * the MAC in constant time from within the record,
467 * without leaking the contents of the padding bytes.
468 * */
469 mac = mac_tmp;
470 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
460 rr->length -= mac_size; 471 rr->length -= mac_size;
461 mac = &rr->data[rr->length];
462 } 472 }
463 else 473 else
464 rr->length = 0;
465 i=s->method->ssl3_enc->mac(s,md,0);
466 if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0)
467 { 474 {
468 decryption_failed_or_bad_record_mac = 1; 475 /* In this case there's no padding, so |orig_len|
476 * equals |rec->length| and we checked that there's
477 * enough bytes for |mac_size| above. */
478 rr->length -= mac_size;
479 mac = &rr->data[rr->length];
469 } 480 }
481
482 i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
483 if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
484 enc_err = -1;
485 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
486 enc_err = -1;
470 } 487 }
471 488
472 if (decryption_failed_or_bad_record_mac) 489 if (enc_err < 0)
473 { 490 {
474 /* decryption failed, silently discard message */ 491 /* decryption failed, silently discard message */
475 rr->length = 0; 492 rr->length = 0;
@@ -830,6 +847,12 @@ start:
830 } 847 }
831 } 848 }
832 849
850 if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
851 {
852 rr->length = 0;
853 goto start;
854 }
855
833 /* we now have a packet which can be read and processed */ 856 /* we now have a packet which can be read and processed */
834 857
835 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec, 858 if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
@@ -1034,6 +1057,7 @@ start:
1034 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && 1057 !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
1035 !s->s3->renegotiate) 1058 !s->s3->renegotiate)
1036 { 1059 {
1060 s->d1->handshake_read_seq++;
1037 s->new_session = 1; 1061 s->new_session = 1;
1038 ssl3_renegotiate(s); 1062 ssl3_renegotiate(s);
1039 if (ssl3_renegotiate_check(s)) 1063 if (ssl3_renegotiate_check(s))
diff --git a/src/lib/libssl/d1_srtp.c b/src/lib/libssl/d1_srtp.c
index 928935bd8b..ab9c41922c 100644
--- a/src/lib/libssl/d1_srtp.c
+++ b/src/lib/libssl/d1_srtp.c
@@ -115,11 +115,12 @@
115 Copyright (C) 2011, RTFM, Inc. 115 Copyright (C) 2011, RTFM, Inc.
116*/ 116*/
117 117
118#ifndef OPENSSL_NO_SRTP
119
120#include <stdio.h> 118#include <stdio.h>
121#include <openssl/objects.h> 119#include <openssl/objects.h>
122#include "ssl_locl.h" 120#include "ssl_locl.h"
121
122#ifndef OPENSSL_NO_SRTP
123
123#include "srtp.h" 124#include "srtp.h"
124 125
125 126
diff --git a/src/lib/libssl/d1_srvr.c b/src/lib/libssl/d1_srvr.c
index 29421da9aa..9975e20873 100644
--- a/src/lib/libssl/d1_srvr.c
+++ b/src/lib/libssl/d1_srvr.c
@@ -276,10 +276,11 @@ int dtls1_accept(SSL *s)
276 case SSL3_ST_SW_HELLO_REQ_B: 276 case SSL3_ST_SW_HELLO_REQ_B:
277 277
278 s->shutdown=0; 278 s->shutdown=0;
279 dtls1_clear_record_buffer(s);
279 dtls1_start_timer(s); 280 dtls1_start_timer(s);
280 ret=dtls1_send_hello_request(s); 281 ret=dtls1_send_hello_request(s);
281 if (ret <= 0) goto end; 282 if (ret <= 0) goto end;
282 s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C; 283 s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
283 s->state=SSL3_ST_SW_FLUSH; 284 s->state=SSL3_ST_SW_FLUSH;
284 s->init_num=0; 285 s->init_num=0;
285 286
@@ -721,10 +722,13 @@ int dtls1_accept(SSL *s)
721 if (ret <= 0) goto end; 722 if (ret <= 0) goto end;
722 723
723#ifndef OPENSSL_NO_SCTP 724#ifndef OPENSSL_NO_SCTP
724 /* Change to new shared key of SCTP-Auth, 725 if (!s->hit)
725 * will be ignored if no SCTP used. 726 {
726 */ 727 /* Change to new shared key of SCTP-Auth,
727 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL); 728 * will be ignored if no SCTP used.
729 */
730 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
731 }
728#endif 732#endif
729 733
730 s->state=SSL3_ST_SW_FINISHED_A; 734 s->state=SSL3_ST_SW_FINISHED_A;
@@ -749,7 +753,16 @@ int dtls1_accept(SSL *s)
749 if (ret <= 0) goto end; 753 if (ret <= 0) goto end;
750 s->state=SSL3_ST_SW_FLUSH; 754 s->state=SSL3_ST_SW_FLUSH;
751 if (s->hit) 755 if (s->hit)
756 {
752 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; 757 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
758
759#ifndef OPENSSL_NO_SCTP
760 /* Change to new shared key of SCTP-Auth,
761 * will be ignored if no SCTP used.
762 */
763 BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
764#endif
765 }
753 else 766 else
754 { 767 {
755 s->s3->tmp.next_state=SSL_ST_OK; 768 s->s3->tmp.next_state=SSL_ST_OK;
@@ -912,15 +925,13 @@ int dtls1_send_server_hello(SSL *s)
912 unsigned char *p,*d; 925 unsigned char *p,*d;
913 int i; 926 int i;
914 unsigned int sl; 927 unsigned int sl;
915 unsigned long l,Time; 928 unsigned long l;
916 929
917 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 930 if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
918 { 931 {
919 buf=(unsigned char *)s->init_buf->data; 932 buf=(unsigned char *)s->init_buf->data;
920 p=s->s3->server_random; 933 p=s->s3->server_random;
921 Time=(unsigned long)time(NULL); /* Time */ 934 ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE);
922 l2n(Time,p);
923 RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
924 /* Do the message type and length last */ 935 /* Do the message type and length last */
925 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); 936 d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
926 937
diff --git a/src/lib/libssl/dtls1.h b/src/lib/libssl/dtls1.h
index 5008bf6081..e65d501191 100644
--- a/src/lib/libssl/dtls1.h
+++ b/src/lib/libssl/dtls1.h
@@ -57,8 +57,8 @@
57 * 57 *
58 */ 58 */
59 59
60#ifndef HEADER_DTLS1_H 60#ifndef HEADER_DTLS1_H
61#define HEADER_DTLS1_H 61#define HEADER_DTLS1_H
62 62
63#include <openssl/buffer.h> 63#include <openssl/buffer.h>
64#include <openssl/pqueue.h> 64#include <openssl/pqueue.h>
@@ -72,8 +72,12 @@
72#elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_) 72#elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
73#include <sys/timeval.h> 73#include <sys/timeval.h>
74#else 74#else
75#if defined(OPENSSL_SYS_VXWORKS)
76#include <sys/times.h>
77#else
75#include <sys/time.h> 78#include <sys/time.h>
76#endif 79#endif
80#endif
77 81
78#ifdef __cplusplus 82#ifdef __cplusplus
79extern "C" { 83extern "C" {
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index 47673e740a..2b93c639dd 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -269,12 +269,35 @@ static int ssl23_no_ssl2_ciphers(SSL *s)
269 return 1; 269 return 1;
270 } 270 }
271 271
272/* Fill a ClientRandom or ServerRandom field of length len. Returns <= 0
273 * on failure, 1 on success. */
274int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
275 {
276 int send_time = 0;
277
278 if (len < 4)
279 return 0;
280 if (server)
281 send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
282 else
283 send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
284 if (send_time)
285 {
286 unsigned long Time = (unsigned long)time(NULL);
287 unsigned char *p = result;
288 l2n(Time, p);
289 return RAND_pseudo_bytes(p, len-4);
290 }
291 else
292 return RAND_pseudo_bytes(result, len);
293 }
294
272static int ssl23_client_hello(SSL *s) 295static int ssl23_client_hello(SSL *s)
273 { 296 {
274 unsigned char *buf; 297 unsigned char *buf;
275 unsigned char *p,*d; 298 unsigned char *p,*d;
276 int i,ch_len; 299 int i,ch_len;
277 unsigned long Time,l; 300 unsigned long l;
278 int ssl2_compat; 301 int ssl2_compat;
279 int version = 0, version_major, version_minor; 302 int version = 0, version_major, version_minor;
280#ifndef OPENSSL_NO_COMP 303#ifndef OPENSSL_NO_COMP
@@ -355,9 +378,7 @@ static int ssl23_client_hello(SSL *s)
355#endif 378#endif
356 379
357 p=s->s3->client_random; 380 p=s->s3->client_random;
358 Time=(unsigned long)time(NULL); /* Time */ 381 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
359 l2n(Time,p);
360 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
361 return -1; 382 return -1;
362 383
363 if (version == TLS1_2_VERSION) 384 if (version == TLS1_2_VERSION)
diff --git a/src/lib/libssl/s3_both.c b/src/lib/libssl/s3_both.c
index b63460a56d..53b9390fdd 100644
--- a/src/lib/libssl/s3_both.c
+++ b/src/lib/libssl/s3_both.c
@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
161 161
162 i=s->method->ssl3_enc->final_finish_mac(s, 162 i=s->method->ssl3_enc->final_finish_mac(s,
163 sender,slen,s->s3->tmp.finish_md); 163 sender,slen,s->s3->tmp.finish_md);
164 if (i == 0)
165 return 0;
164 s->s3->tmp.finish_md_len = i; 166 s->s3->tmp.finish_md_len = i;
165 memcpy(p, s->s3->tmp.finish_md, i); 167 memcpy(p, s->s3->tmp.finish_md, i);
166 p+=i; 168 p+=i;
@@ -204,10 +206,15 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
204 206
205#ifndef OPENSSL_NO_NEXTPROTONEG 207#ifndef OPENSSL_NO_NEXTPROTONEG
206/* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */ 208/* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */
207static void ssl3_take_mac(SSL *s) { 209static void ssl3_take_mac(SSL *s)
210 {
208 const char *sender; 211 const char *sender;
209 int slen; 212 int slen;
210 213 /* If no new cipher setup return immediately: other functions will
214 * set the appropriate error.
215 */
216 if (s->s3->tmp.new_cipher == NULL)
217 return;
211 if (s->state & SSL_ST_CONNECT) 218 if (s->state & SSL_ST_CONNECT)
212 { 219 {
213 sender=s->method->ssl3_enc->server_finished_label; 220 sender=s->method->ssl3_enc->server_finished_label;
@@ -221,7 +228,7 @@ static void ssl3_take_mac(SSL *s) {
221 228
222 s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, 229 s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
223 sender,slen,s->s3->tmp.peer_finish_md); 230 sender,slen,s->s3->tmp.peer_finish_md);
224} 231 }
225#endif 232#endif
226 233
227int ssl3_get_finished(SSL *s, int a, int b) 234int ssl3_get_finished(SSL *s, int a, int b)
@@ -231,8 +238,9 @@ int ssl3_get_finished(SSL *s, int a, int b)
231 unsigned char *p; 238 unsigned char *p;
232 239
233#ifdef OPENSSL_NO_NEXTPROTONEG 240#ifdef OPENSSL_NO_NEXTPROTONEG
234 /* the mac has already been generated when we received the change 241 /* the mac has already been generated when we received the
235 * cipher spec message and is in s->s3->tmp.peer_finish_md. */ 242 * change cipher spec message and is in s->s3->tmp.peer_finish_md.
243 */
236#endif 244#endif
237 245
238 n=s->method->ssl_get_message(s, 246 n=s->method->ssl_get_message(s,
@@ -263,7 +271,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
263 goto f_err; 271 goto f_err;
264 } 272 }
265 273
266 if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) 274 if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
267 { 275 {
268 al=SSL_AD_DECRYPT_ERROR; 276 al=SSL_AD_DECRYPT_ERROR;
269 SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED); 277 SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);
@@ -537,12 +545,14 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
537 s->init_num += i; 545 s->init_num += i;
538 n -= i; 546 n -= i;
539 } 547 }
548
540#ifndef OPENSSL_NO_NEXTPROTONEG 549#ifndef OPENSSL_NO_NEXTPROTONEG
541 /* If receiving Finished, record MAC of prior handshake messages for 550 /* If receiving Finished, record MAC of prior handshake messages for
542 * Finished verification. */ 551 * Finished verification. */
543 if (*s->init_buf->data == SSL3_MT_FINISHED) 552 if (*s->init_buf->data == SSL3_MT_FINISHED)
544 ssl3_take_mac(s); 553 ssl3_take_mac(s);
545#endif 554#endif
555
546 /* Feed this message into MAC computation. */ 556 /* Feed this message into MAC computation. */
547 ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); 557 ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
548 if (s->msg_callback) 558 if (s->msg_callback)
diff --git a/src/lib/libssl/s3_clnt.c b/src/lib/libssl/s3_clnt.c
index b80d052e1f..a6b3c01afa 100644
--- a/src/lib/libssl/s3_clnt.c
+++ b/src/lib/libssl/s3_clnt.c
@@ -459,7 +459,6 @@ int ssl3_connect(SSL *s)
459 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); 459 SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
460 if (ret <= 0) goto end; 460 if (ret <= 0) goto end;
461 461
462
463#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) 462#if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
464 s->state=SSL3_ST_CW_FINISHED_A; 463 s->state=SSL3_ST_CW_FINISHED_A;
465#else 464#else
@@ -656,7 +655,7 @@ int ssl3_client_hello(SSL *s)
656 unsigned char *buf; 655 unsigned char *buf;
657 unsigned char *p,*d; 656 unsigned char *p,*d;
658 int i; 657 int i;
659 unsigned long Time,l; 658 unsigned long l;
660#ifndef OPENSSL_NO_COMP 659#ifndef OPENSSL_NO_COMP
661 int j; 660 int j;
662 SSL_COMP *comp; 661 SSL_COMP *comp;
@@ -681,9 +680,8 @@ int ssl3_client_hello(SSL *s)
681 /* else use the pre-loaded session */ 680 /* else use the pre-loaded session */
682 681
683 p=s->s3->client_random; 682 p=s->s3->client_random;
684 Time=(unsigned long)time(NULL); /* Time */ 683
685 l2n(Time,p); 684 if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
686 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
687 goto err; 685 goto err;
688 686
689 /* Do the message type and length last */ 687 /* Do the message type and length last */
@@ -987,7 +985,10 @@ int ssl3_get_server_hello(SSL *s)
987 * client authentication. 985 * client authentication.
988 */ 986 */
989 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) 987 if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s))
988 {
989 al = SSL_AD_INTERNAL_ERROR;
990 goto f_err; 990 goto f_err;
991 }
991 /* lets get the compression algorithm */ 992 /* lets get the compression algorithm */
992 /* COMPRESSION */ 993 /* COMPRESSION */
993#ifdef OPENSSL_NO_COMP 994#ifdef OPENSSL_NO_COMP
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c
index fb60cde8ee..c4ef2738d7 100644
--- a/src/lib/libssl/s3_lib.c
+++ b/src/lib/libssl/s3_lib.c
@@ -1125,7 +1125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1125 0, /* not implemented (non-ephemeral DH) */ 1125 0, /* not implemented (non-ephemeral DH) */
1126 TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, 1126 TLS1_TXT_DH_DSS_WITH_AES_128_SHA256,
1127 TLS1_CK_DH_DSS_WITH_AES_128_SHA256, 1127 TLS1_CK_DH_DSS_WITH_AES_128_SHA256,
1128 SSL_kDHr, 1128 SSL_kDHd,
1129 SSL_aDH, 1129 SSL_aDH,
1130 SSL_AES128, 1130 SSL_AES128,
1131 SSL_SHA256, 1131 SSL_SHA256,
@@ -1407,7 +1407,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1407 0, /* not implemented (non-ephemeral DH) */ 1407 0, /* not implemented (non-ephemeral DH) */
1408 TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, 1408 TLS1_TXT_DH_DSS_WITH_AES_256_SHA256,
1409 TLS1_CK_DH_DSS_WITH_AES_256_SHA256, 1409 TLS1_CK_DH_DSS_WITH_AES_256_SHA256,
1410 SSL_kDHr, 1410 SSL_kDHd,
1411 SSL_aDH, 1411 SSL_aDH,
1412 SSL_AES256, 1412 SSL_AES256,
1413 SSL_SHA256, 1413 SSL_SHA256,
@@ -1683,7 +1683,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1683 SSL_3DES, 1683 SSL_3DES,
1684 SSL_SHA1, 1684 SSL_SHA1,
1685 SSL_TLSV1, 1685 SSL_TLSV1,
1686 SSL_NOT_EXP|SSL_HIGH, 1686 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1687 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1687 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1688 168, 1688 168,
1689 168, 1689 168,
@@ -1699,7 +1699,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1699 SSL_AES128, 1699 SSL_AES128,
1700 SSL_SHA1, 1700 SSL_SHA1,
1701 SSL_TLSV1, 1701 SSL_TLSV1,
1702 SSL_NOT_EXP|SSL_HIGH, 1702 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1703 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1703 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1704 128, 1704 128,
1705 128, 1705 128,
@@ -1715,7 +1715,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1715 SSL_AES256, 1715 SSL_AES256,
1716 SSL_SHA1, 1716 SSL_SHA1,
1717 SSL_TLSV1, 1717 SSL_TLSV1,
1718 SSL_NOT_EXP|SSL_HIGH, 1718 SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
1719 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 1719 SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
1720 256, 1720 256,
1721 256, 1721 256,
@@ -1958,7 +1958,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1958 0, 1958 0,
1959 TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, 1959 TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256,
1960 TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256, 1960 TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256,
1961 SSL_kDHr, 1961 SSL_kDHd,
1962 SSL_aDH, 1962 SSL_aDH,
1963 SSL_AES128GCM, 1963 SSL_AES128GCM,
1964 SSL_AEAD, 1964 SSL_AEAD,
@@ -1974,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
1974 0, 1974 0,
1975 TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, 1975 TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384,
1976 TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384, 1976 TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384,
1977 SSL_kDHr, 1977 SSL_kDHd,
1978 SSL_aDH, 1978 SSL_aDH,
1979 SSL_AES256GCM, 1979 SSL_AES256GCM,
1980 SSL_AEAD, 1980 SSL_AEAD,
@@ -2669,7 +2669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
2669 1, 2669 1,
2670 TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256, 2670 TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256,
2671 TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256, 2671 TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256,
2672 SSL_kECDHe, 2672 SSL_kECDHr,
2673 SSL_aECDH, 2673 SSL_aECDH,
2674 SSL_AES128, 2674 SSL_AES128,
2675 SSL_SHA256, 2675 SSL_SHA256,
@@ -2685,7 +2685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
2685 1, 2685 1,
2686 TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384, 2686 TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384,
2687 TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384, 2687 TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384,
2688 SSL_kECDHe, 2688 SSL_kECDHr,
2689 SSL_aECDH, 2689 SSL_aECDH,
2690 SSL_AES256, 2690 SSL_AES256,
2691 SSL_SHA384, 2691 SSL_SHA384,
@@ -2799,7 +2799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
2799 1, 2799 1,
2800 TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256, 2800 TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256,
2801 TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256, 2801 TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256,
2802 SSL_kECDHe, 2802 SSL_kECDHr,
2803 SSL_aECDH, 2803 SSL_aECDH,
2804 SSL_AES128GCM, 2804 SSL_AES128GCM,
2805 SSL_AEAD, 2805 SSL_AEAD,
@@ -2815,7 +2815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
2815 1, 2815 1,
2816 TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384, 2816 TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384,
2817 TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384, 2817 TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384,
2818 SSL_kECDHe, 2818 SSL_kECDHr,
2819 SSL_aECDH, 2819 SSL_aECDH,
2820 SSL_AES256GCM, 2820 SSL_AES256GCM,
2821 SSL_AEAD, 2821 SSL_AEAD,
@@ -3037,6 +3037,11 @@ void ssl3_clear(SSL *s)
3037 s->s3->tmp.ecdh = NULL; 3037 s->s3->tmp.ecdh = NULL;
3038 } 3038 }
3039#endif 3039#endif
3040#ifndef OPENSSL_NO_TLSEXT
3041#ifndef OPENSSL_NO_EC
3042 s->s3->is_probably_safari = 0;
3043#endif /* !OPENSSL_NO_EC */
3044#endif /* !OPENSSL_NO_TLSEXT */
3040 3045
3041 rp = s->s3->rbuf.buf; 3046 rp = s->s3->rbuf.buf;
3042 wp = s->s3->wbuf.buf; 3047 wp = s->s3->wbuf.buf;
@@ -4016,6 +4021,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
4016 ii=sk_SSL_CIPHER_find(allow,c); 4021 ii=sk_SSL_CIPHER_find(allow,c);
4017 if (ii >= 0) 4022 if (ii >= 0)
4018 { 4023 {
4024#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
4025 if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
4026 {
4027 if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);
4028 continue;
4029 }
4030#endif
4019 ret=sk_SSL_CIPHER_value(allow,ii); 4031 ret=sk_SSL_CIPHER_value(allow,ii);
4020 break; 4032 break;
4021 } 4033 }
@@ -4274,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
4274long ssl_get_algorithm2(SSL *s) 4286long ssl_get_algorithm2(SSL *s)
4275 { 4287 {
4276 long alg2 = s->s3->tmp.new_cipher->algorithm2; 4288 long alg2 = s->s3->tmp.new_cipher->algorithm2;
4277 if (TLS1_get_version(s) >= TLS1_2_VERSION && 4289 if (s->method->version == TLS1_2_VERSION &&
4278 alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) 4290 alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
4279 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; 4291 return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
4280 return alg2; 4292 return alg2;
diff --git a/src/lib/libssl/s3_pkt.c b/src/lib/libssl/s3_pkt.c
index adf8c387cc..96ba63262e 100644
--- a/src/lib/libssl/s3_pkt.c
+++ b/src/lib/libssl/s3_pkt.c
@@ -290,11 +290,8 @@ static int ssl3_get_record(SSL *s)
290 unsigned char *p; 290 unsigned char *p;
291 unsigned char md[EVP_MAX_MD_SIZE]; 291 unsigned char md[EVP_MAX_MD_SIZE];
292 short version; 292 short version;
293 int mac_size; 293 unsigned mac_size, orig_len;
294 int clear=0;
295 size_t extra; 294 size_t extra;
296 int decryption_failed_or_bad_record_mac = 0;
297 unsigned char *mac = NULL;
298 295
299 rr= &(s->s3->rrec); 296 rr= &(s->s3->rrec);
300 sess=s->session; 297 sess=s->session;
@@ -338,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
338 if (version != s->version) 335 if (version != s->version)
339 { 336 {
340 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); 337 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
341 if ((s->version & 0xFF00) == (version & 0xFF00)) 338 if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
342 /* Send back error using their minor version number :-) */ 339 /* Send back error using their minor version number :-) */
343 s->version = (unsigned short)version; 340 s->version = (unsigned short)version;
344 al=SSL_AD_PROTOCOL_VERSION; 341 al=SSL_AD_PROTOCOL_VERSION;
@@ -403,17 +400,15 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
403 rr->data=rr->input; 400 rr->data=rr->input;
404 401
405 enc_err = s->method->ssl3_enc->enc(s,0); 402 enc_err = s->method->ssl3_enc->enc(s,0);
406 if (enc_err <= 0) 403 /* enc_err is:
404 * 0: (in non-constant time) if the record is publically invalid.
405 * 1: if the padding is valid
406 * -1: if the padding is invalid */
407 if (enc_err == 0)
407 { 408 {
408 if (enc_err == 0) 409 al=SSL_AD_DECRYPTION_FAILED;
409 /* SSLerr() and ssl3_send_alert() have been called */ 410 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
410 goto err; 411 goto f_err;
411
412 /* Otherwise enc_err == -1, which indicates bad padding
413 * (rec->length has not been changed in this case).
414 * To minimize information leaked via timing, we will perform
415 * the MAC computation anyway. */
416 decryption_failed_or_bad_record_mac = 1;
417 } 412 }
418 413
419#ifdef TLS_DEBUG 414#ifdef TLS_DEBUG
@@ -423,53 +418,62 @@ printf("\n");
423#endif 418#endif
424 419
425 /* r->length is now the compressed data plus mac */ 420 /* r->length is now the compressed data plus mac */
426 if ( (sess == NULL) || 421 if ((sess != NULL) &&
427 (s->enc_read_ctx == NULL) || 422 (s->enc_read_ctx != NULL) &&
428 (EVP_MD_CTX_md(s->read_hash) == NULL)) 423 (EVP_MD_CTX_md(s->read_hash) != NULL))
429 clear=1;
430
431 if (!clear)
432 { 424 {
433 /* !clear => s->read_hash != NULL => mac_size != -1 */ 425 /* s->read_hash != NULL => mac_size != -1 */
426 unsigned char *mac = NULL;
427 unsigned char mac_tmp[EVP_MAX_MD_SIZE];
434 mac_size=EVP_MD_CTX_size(s->read_hash); 428 mac_size=EVP_MD_CTX_size(s->read_hash);
435 OPENSSL_assert(mac_size >= 0); 429 OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
436 430
437 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) 431 /* kludge: *_cbc_remove_padding passes padding length in rr->type */
432 orig_len = rr->length+((unsigned int)rr->type>>8);
433
434 /* orig_len is the length of the record before any padding was
435 * removed. This is public information, as is the MAC in use,
436 * therefore we can safely process the record in a different
437 * amount of time if it's too short to possibly contain a MAC.
438 */
439 if (orig_len < mac_size ||
440 /* CBC records must have a padding length byte too. */
441 (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
442 orig_len < mac_size+1))
438 { 443 {
439#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ 444 al=SSL_AD_DECODE_ERROR;
440 al=SSL_AD_RECORD_OVERFLOW; 445 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
441 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
442 goto f_err; 446 goto f_err;
443#else
444 decryption_failed_or_bad_record_mac = 1;
445#endif
446 } 447 }
447 /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ 448
448 if (rr->length >= (unsigned int)mac_size) 449 if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
449 { 450 {
451 /* We update the length so that the TLS header bytes
452 * can be constructed correctly but we need to extract
453 * the MAC in constant time from within the record,
454 * without leaking the contents of the padding bytes.
455 * */
456 mac = mac_tmp;
457 ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len);
450 rr->length -= mac_size; 458 rr->length -= mac_size;
451 mac = &rr->data[rr->length];
452 } 459 }
453 else 460 else
454 { 461 {
455 /* record (minus padding) is too short to contain a MAC */ 462 /* In this case there's no padding, so |orig_len|
456#if 0 /* OK only for stream ciphers */ 463 * equals |rec->length| and we checked that there's
457 al=SSL_AD_DECODE_ERROR; 464 * enough bytes for |mac_size| above. */
458 SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); 465 rr->length -= mac_size;
459 goto f_err; 466 mac = &rr->data[rr->length];
460#else
461 decryption_failed_or_bad_record_mac = 1;
462 rr->length = 0;
463#endif
464 }
465 i=s->method->ssl3_enc->mac(s,md,0);
466 if (i < 0 || mac == NULL || memcmp(md, mac, (size_t)mac_size) != 0)
467 {
468 decryption_failed_or_bad_record_mac = 1;
469 } 467 }
468
469 i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
470 if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
471 enc_err = -1;
472 if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size)
473 enc_err = -1;
470 } 474 }
471 475
472 if (decryption_failed_or_bad_record_mac) 476 if (enc_err < 0)
473 { 477 {
474 /* A separate 'decryption_failed' alert was introduced with TLS 1.0, 478 /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
475 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption 479 * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
@@ -744,6 +748,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
744 * bytes and record version number > TLS 1.0 748 * bytes and record version number > TLS 1.0
745 */ 749 */
746 if (s->state == SSL3_ST_CW_CLNT_HELLO_B 750 if (s->state == SSL3_ST_CW_CLNT_HELLO_B
751 && !s->renegotiate
747 && TLS1_get_version(s) > TLS1_VERSION) 752 && TLS1_get_version(s) > TLS1_VERSION)
748 *(p++) = 0x1; 753 *(p++) = 0x1;
749 else 754 else
@@ -1238,7 +1243,7 @@ start:
1238 goto f_err; 1243 goto f_err;
1239 } 1244 }
1240#ifdef SSL_AD_MISSING_SRP_USERNAME 1245#ifdef SSL_AD_MISSING_SRP_USERNAME
1241 if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) 1246 else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
1242 return(0); 1247 return(0);
1243#endif 1248#endif
1244 } 1249 }
@@ -1454,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
1454 slen=s->method->ssl3_enc->client_finished_label_len; 1459 slen=s->method->ssl3_enc->client_finished_label_len;
1455 } 1460 }
1456 1461
1457 s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, 1462 i = s->method->ssl3_enc->final_finish_mac(s,
1458 sender,slen,s->s3->tmp.peer_finish_md); 1463 sender,slen,s->s3->tmp.peer_finish_md);
1464 if (i == 0)
1465 {
1466 SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
1467 return 0;
1468 }
1469 s->s3->tmp.peer_finish_md_len = i;
1459 1470
1460 return(1); 1471 return(1);
1461 } 1472 }
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 118939fabb..9ac19c05f2 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -191,7 +191,8 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
191 { 191 {
192 if(s->srp_ctx.login == NULL) 192 if(s->srp_ctx.login == NULL)
193 { 193 {
194 /* There isn't any srp login extension !!! */ 194 /* RFC 5054 says SHOULD reject,
195 we do so if There is no srp login name */
195 ret = SSL3_AL_FATAL; 196 ret = SSL3_AL_FATAL;
196 *al = SSL_AD_UNKNOWN_PSK_IDENTITY; 197 *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
197 } 198 }
@@ -378,6 +379,7 @@ int ssl3_accept(SSL *s)
378 } 379 }
379 } 380 }
380#endif 381#endif
382
381 s->renegotiate = 2; 383 s->renegotiate = 2;
382 s->state=SSL3_ST_SW_SRVR_HELLO_A; 384 s->state=SSL3_ST_SW_SRVR_HELLO_A;
383 s->init_num=0; 385 s->init_num=0;
@@ -956,7 +958,8 @@ int ssl3_get_client_hello(SSL *s)
956 (s->version != DTLS1_VERSION && s->client_version < s->version)) 958 (s->version != DTLS1_VERSION && s->client_version < s->version))
957 { 959 {
958 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); 960 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
959 if ((s->client_version>>8) == SSL3_VERSION_MAJOR) 961 if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
962 !s->enc_write_ctx && !s->write_hash)
960 { 963 {
961 /* similar to ssl3_get_record, send alert using remote version number */ 964 /* similar to ssl3_get_record, send alert using remote version number */
962 s->version = s->client_version; 965 s->version = s->client_version;
@@ -1181,7 +1184,7 @@ int ssl3_get_client_hello(SSL *s)
1181 goto f_err; 1184 goto f_err;
1182 } 1185 }
1183 } 1186 }
1184 if (ssl_check_clienthello_tlsext(s) <= 0) { 1187 if (ssl_check_clienthello_tlsext_early(s) <= 0) {
1185 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); 1188 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT);
1186 goto err; 1189 goto err;
1187 } 1190 }
@@ -1191,12 +1194,9 @@ int ssl3_get_client_hello(SSL *s)
1191 * server_random before calling tls_session_secret_cb in order to allow 1194 * server_random before calling tls_session_secret_cb in order to allow
1192 * SessionTicket processing to use it in key derivation. */ 1195 * SessionTicket processing to use it in key derivation. */
1193 { 1196 {
1194 unsigned long Time;
1195 unsigned char *pos; 1197 unsigned char *pos;
1196 Time=(unsigned long)time(NULL); /* Time */
1197 pos=s->s3->server_random; 1198 pos=s->s3->server_random;
1198 l2n(Time,pos); 1199 if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0)
1199 if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
1200 { 1200 {
1201 al=SSL_AD_INTERNAL_ERROR; 1201 al=SSL_AD_INTERNAL_ERROR;
1202 goto f_err; 1202 goto f_err;
@@ -1389,7 +1389,10 @@ int ssl3_get_client_hello(SSL *s)
1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) 1389 if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER))
1390 { 1390 {
1391 if (!ssl3_digest_cached_records(s)) 1391 if (!ssl3_digest_cached_records(s))
1392 {
1393 al = SSL_AD_INTERNAL_ERROR;
1392 goto f_err; 1394 goto f_err;
1395 }
1393 } 1396 }
1394 1397
1395 /* we now have the following setup. 1398 /* we now have the following setup.
@@ -1403,6 +1406,16 @@ int ssl3_get_client_hello(SSL *s)
1403 * s->tmp.new_cipher - the new cipher to use. 1406 * s->tmp.new_cipher - the new cipher to use.
1404 */ 1407 */
1405 1408
1409 /* Handles TLS extensions that we couldn't check earlier */
1410 if (s->version >= SSL3_VERSION)
1411 {
1412 if (ssl_check_clienthello_tlsext_late(s) <= 0)
1413 {
1414 SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
1415 goto err;
1416 }
1417 }
1418
1406 if (ret < 0) ret=1; 1419 if (ret < 0) ret=1;
1407 if (0) 1420 if (0)
1408 { 1421 {
@@ -1420,19 +1433,13 @@ int ssl3_send_server_hello(SSL *s)
1420 unsigned char *p,*d; 1433 unsigned char *p,*d;
1421 int i,sl; 1434 int i,sl;
1422 unsigned long l; 1435 unsigned long l;
1423#ifdef OPENSSL_NO_TLSEXT
1424 unsigned long Time;
1425#endif
1426 1436
1427 if (s->state == SSL3_ST_SW_SRVR_HELLO_A) 1437 if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
1428 { 1438 {
1429 buf=(unsigned char *)s->init_buf->data; 1439 buf=(unsigned char *)s->init_buf->data;
1430#ifdef OPENSSL_NO_TLSEXT 1440#ifdef OPENSSL_NO_TLSEXT
1431 p=s->s3->server_random; 1441 p=s->s3->server_random;
1432 /* Generate server_random if it was not needed previously */ 1442 if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
1433 Time=(unsigned long)time(NULL); /* Time */
1434 l2n(Time,p);
1435 if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
1436 return -1; 1443 return -1;
1437#endif 1444#endif
1438 /* Do the message type and length last */ 1445 /* Do the message type and length last */
@@ -1823,7 +1830,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1823 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); 1830 SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE);
1824 goto f_err; 1831 goto f_err;
1825 } 1832 }
1826 for (i=0; r[i] != NULL && i<4; i++) 1833 for (i=0; i < 4 && r[i] != NULL; i++)
1827 { 1834 {
1828 nr[i]=BN_num_bytes(r[i]); 1835 nr[i]=BN_num_bytes(r[i]);
1829#ifndef OPENSSL_NO_SRP 1836#ifndef OPENSSL_NO_SRP
@@ -1859,7 +1866,7 @@ int ssl3_send_server_key_exchange(SSL *s)
1859 d=(unsigned char *)s->init_buf->data; 1866 d=(unsigned char *)s->init_buf->data;
1860 p= &(d[4]); 1867 p= &(d[4]);
1861 1868
1862 for (i=0; r[i] != NULL && i<4; i++) 1869 for (i=0; i < 4 && r[i] != NULL; i++)
1863 { 1870 {
1864#ifndef OPENSSL_NO_SRP 1871#ifndef OPENSSL_NO_SRP
1865 if ((i == 2) && (type & SSL_kSRP)) 1872 if ((i == 2) && (type & SSL_kSRP))
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 8b0c2a2dac..7219a0e64b 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -493,6 +493,9 @@ struct ssl_session_st
493 char *psk_identity_hint; 493 char *psk_identity_hint;
494 char *psk_identity; 494 char *psk_identity;
495#endif 495#endif
496 /* Used to indicate that session resumption is not allowed.
497 * Applications can also set this bit for a new session via
498 * not_resumable_session_cb to disable session caching and tickets. */
496 int not_resumable; 499 int not_resumable;
497 500
498 /* The cert is the certificate used to establish this connection */ 501 /* The cert is the certificate used to establish this connection */
@@ -535,7 +538,7 @@ struct ssl_session_st
535#endif /* OPENSSL_NO_EC */ 538#endif /* OPENSSL_NO_EC */
536 /* RFC4507 info */ 539 /* RFC4507 info */
537 unsigned char *tlsext_tick; /* Session ticket */ 540 unsigned char *tlsext_tick; /* Session ticket */
538 size_t tlsext_ticklen; /* Session ticket length */ 541 size_t tlsext_ticklen; /* Session ticket length */
539 long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ 542 long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
540#endif 543#endif
541#ifndef OPENSSL_NO_SRP 544#ifndef OPENSSL_NO_SRP
@@ -552,11 +555,14 @@ struct ssl_session_st
552#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L 555#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
553#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L 556#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
554#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L 557#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
555#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ 558#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L
556#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L 559#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
557#define SSL_OP_TLS_D5_BUG 0x00000100L 560#define SSL_OP_TLS_D5_BUG 0x00000100L
558#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L 561#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
559 562
563/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
564#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
565
560/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added 566/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
561 * in OpenSSL 0.9.6d. Usually (depending on the application protocol) 567 * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
562 * the workaround is not needed. Unfortunately some broken SSL/TLS 568 * the workaround is not needed. Unfortunately some broken SSL/TLS
@@ -638,6 +644,12 @@ struct ssl_session_st
638 * TLS only.) "Released" buffers are put onto a free-list in the context 644 * TLS only.) "Released" buffers are put onto a free-list in the context
639 * or just freed (depending on the context's setting for freelist_max_len). */ 645 * or just freed (depending on the context's setting for freelist_max_len). */
640#define SSL_MODE_RELEASE_BUFFERS 0x00000010L 646#define SSL_MODE_RELEASE_BUFFERS 0x00000010L
647/* Send the current time in the Random fields of the ClientHello and
648 * ServerHello records for compatibility with hypothetical implementations
649 * that require it.
650 */
651#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
652#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
641 653
642/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, 654/* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
643 * they cannot be used to clear bits. */ 655 * they cannot be used to clear bits. */
@@ -903,7 +915,7 @@ struct ssl_ctx_st
903 */ 915 */
904 unsigned int max_send_fragment; 916 unsigned int max_send_fragment;
905 917
906#ifndef OPENSSL_ENGINE 918#ifndef OPENSSL_NO_ENGINE
907 /* Engine to pass requests for client certs to 919 /* Engine to pass requests for client certs to
908 */ 920 */
909 ENGINE *client_cert_engine; 921 ENGINE *client_cert_engine;
@@ -927,6 +939,7 @@ struct ssl_ctx_st
927 /* Callback for status request */ 939 /* Callback for status request */
928 int (*tlsext_status_cb)(SSL *ssl, void *arg); 940 int (*tlsext_status_cb)(SSL *ssl, void *arg);
929 void *tlsext_status_arg; 941 void *tlsext_status_arg;
942
930 /* draft-rescorla-tls-opaque-prf-input-00.txt information */ 943 /* draft-rescorla-tls-opaque-prf-input-00.txt information */
931 int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg); 944 int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
932 void *tlsext_opaque_prf_input_callback_arg; 945 void *tlsext_opaque_prf_input_callback_arg;
@@ -952,6 +965,7 @@ struct ssl_ctx_st
952#endif 965#endif
953 966
954#ifndef OPENSSL_NO_TLSEXT 967#ifndef OPENSSL_NO_TLSEXT
968
955# ifndef OPENSSL_NO_NEXTPROTONEG 969# ifndef OPENSSL_NO_NEXTPROTONEG
956 /* Next protocol negotiation information */ 970 /* Next protocol negotiation information */
957 /* (for experimental NPN extension). */ 971 /* (for experimental NPN extension). */
@@ -2206,6 +2220,7 @@ void ERR_load_SSL_strings(void);
2206#define SSL_F_SSL_GET_NEW_SESSION 181 2220#define SSL_F_SSL_GET_NEW_SESSION 181
2207#define SSL_F_SSL_GET_PREV_SESSION 217 2221#define SSL_F_SSL_GET_PREV_SESSION 217
2208#define SSL_F_SSL_GET_SERVER_SEND_CERT 182 2222#define SSL_F_SSL_GET_SERVER_SEND_CERT 182
2223#define SSL_F_SSL_GET_SERVER_SEND_PKEY 317
2209#define SSL_F_SSL_GET_SIGN_PKEY 183 2224#define SSL_F_SSL_GET_SIGN_PKEY 183
2210#define SSL_F_SSL_INIT_WBIO_BUFFER 184 2225#define SSL_F_SSL_INIT_WBIO_BUFFER 184
2211#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 2226#define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index 112e627de0..cb8b2492ec 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -539,6 +539,15 @@ typedef struct ssl3_state_st
539 /* Set if we saw the Next Protocol Negotiation extension from our peer. */ 539 /* Set if we saw the Next Protocol Negotiation extension from our peer. */
540 int next_proto_neg_seen; 540 int next_proto_neg_seen;
541#endif 541#endif
542
543#ifndef OPENSSL_NO_TLSEXT
544#ifndef OPENSSL_NO_EC
545 /* This is set to true if we believe that this is a version of Safari
546 * running on OS X 10.6 or newer. We wish to know this because Safari
547 * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
548 char is_probably_safari;
549#endif /* !OPENSSL_NO_EC */
550#endif /* !OPENSSL_NO_TLSEXT */
542 } SSL3_STATE; 551 } SSL3_STATE;
543 552
544#endif 553#endif
@@ -578,8 +587,10 @@ typedef struct ssl3_state_st
578#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT) 587#define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT)
579#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT) 588#define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT)
580#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) 589#define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT)
590#ifndef OPENSSL_NO_NEXTPROTONEG
581#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) 591#define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT)
582#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) 592#define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT)
593#endif
583#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) 594#define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT)
584#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) 595#define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT)
585/* read from server */ 596/* read from server */
@@ -629,8 +640,10 @@ typedef struct ssl3_state_st
629#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT) 640#define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT)
630#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT) 641#define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT)
631#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT) 642#define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT)
643#ifndef OPENSSL_NO_NEXTPROTONEG
632#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) 644#define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT)
633#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) 645#define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT)
646#endif
634#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) 647#define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT)
635#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT) 648#define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT)
636/* write to client */ 649/* write to client */
@@ -655,7 +668,9 @@ typedef struct ssl3_state_st
655#define SSL3_MT_CLIENT_KEY_EXCHANGE 16 668#define SSL3_MT_CLIENT_KEY_EXCHANGE 16
656#define SSL3_MT_FINISHED 20 669#define SSL3_MT_FINISHED 20
657#define SSL3_MT_CERTIFICATE_STATUS 22 670#define SSL3_MT_CERTIFICATE_STATUS 22
671#ifndef OPENSSL_NO_NEXTPROTONEG
658#define SSL3_MT_NEXT_PROTO 67 672#define SSL3_MT_NEXT_PROTO 67
673#endif
659#define DTLS1_MT_HELLO_VERIFY_REQUEST 3 674#define DTLS1_MT_HELLO_VERIFY_REQUEST 3
660 675
661 676
diff --git a/src/lib/libssl/ssl_algs.c b/src/lib/libssl/ssl_algs.c
index d443143c59..9c34d19725 100644
--- a/src/lib/libssl/ssl_algs.c
+++ b/src/lib/libssl/ssl_algs.c
@@ -94,6 +94,7 @@ int SSL_library_init(void)
94 EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); 94 EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1());
95 EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); 95 EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1());
96#endif 96#endif
97
97#endif 98#endif
98#ifndef OPENSSL_NO_CAMELLIA 99#ifndef OPENSSL_NO_CAMELLIA
99 EVP_add_cipher(EVP_camellia_128_cbc()); 100 EVP_add_cipher(EVP_camellia_128_cbc());
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c
index 917be31876..5123a89182 100644
--- a/src/lib/libssl/ssl_cert.c
+++ b/src/lib/libssl/ssl_cert.c
@@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT *cert)
164 { 164 {
165 /* Set digest values to defaults */ 165 /* Set digest values to defaults */
166#ifndef OPENSSL_NO_DSA 166#ifndef OPENSSL_NO_DSA
167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); 167 cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
168#endif 168#endif
169#ifndef OPENSSL_NO_RSA 169#ifndef OPENSSL_NO_RSA
170 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); 170 cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1();
171 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); 171 cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1();
172#endif 172#endif
173#ifndef OPENSSL_NO_ECDSA 173#ifndef OPENSSL_NO_ECDSA
174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); 174 cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
175#endif 175#endif
176 } 176 }
177 177
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index 92d1e94d6a..0aba8e048c 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -312,6 +312,7 @@ static const SSL_CIPHER cipher_aliases[]={
312 {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, 312 {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0},
313 {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0}, 313 {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0},
314 {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0}, 314 {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0},
315 {0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0},
315 316
316 /* export flag */ 317 /* export flag */
317 {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0}, 318 {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0},
@@ -1150,9 +1151,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
1150 while ( ((ch >= 'A') && (ch <= 'Z')) || 1151 while ( ((ch >= 'A') && (ch <= 'Z')) ||
1151 ((ch >= '0') && (ch <= '9')) || 1152 ((ch >= '0') && (ch <= '9')) ||
1152 ((ch >= 'a') && (ch <= 'z')) || 1153 ((ch >= 'a') && (ch <= 'z')) ||
1153 (ch == '-')) 1154 (ch == '-') || (ch == '.'))
1154#else 1155#else
1155 while ( isalnum(ch) || (ch == '-')) 1156 while ( isalnum(ch) || (ch == '-') || (ch == '.'))
1156#endif 1157#endif
1157 { 1158 {
1158 ch = *(++l); 1159 ch = *(++l);
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index 2577c6895a..370fb57e3b 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -228,6 +228,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
228{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"}, 228{ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"},
229{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"}, 229{ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"},
230{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"}, 230{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"},
231{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_PKEY), "SSL_GET_SERVER_SEND_PKEY"},
231{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"}, 232{ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"},
232{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"}, 233{ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"},
233{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, 234{ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index f82d071d6e..6dbc3c1f7d 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -597,8 +597,10 @@ void SSL_free(SSL *s)
597 OPENSSL_free(s->next_proto_negotiated); 597 OPENSSL_free(s->next_proto_negotiated);
598#endif 598#endif
599 599
600#ifndef OPENSSL_NO_SRTP
600 if (s->srtp_profiles) 601 if (s->srtp_profiles)
601 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); 602 sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles);
603#endif
602 604
603 OPENSSL_free(s); 605 OPENSSL_free(s);
604 } 606 }
@@ -1795,7 +1797,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
1795 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); 1797 CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
1796 1798
1797 ret->extra_certs=NULL; 1799 ret->extra_certs=NULL;
1798 ret->comp_methods=SSL_COMP_get_compression_methods(); 1800 /* No compression for DTLS */
1801 if (meth->version != DTLS1_VERSION)
1802 ret->comp_methods=SSL_COMP_get_compression_methods();
1799 1803
1800 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; 1804 ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
1801 1805
@@ -1952,8 +1956,10 @@ void SSL_CTX_free(SSL_CTX *a)
1952 a->comp_methods = NULL; 1956 a->comp_methods = NULL;
1953#endif 1957#endif
1954 1958
1959#ifndef OPENSSL_NO_SRTP
1955 if (a->srtp_profiles) 1960 if (a->srtp_profiles)
1956 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); 1961 sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles);
1962#endif
1957 1963
1958#ifndef OPENSSL_NO_PSK 1964#ifndef OPENSSL_NO_PSK
1959 if (a->psk_identity_hint) 1965 if (a->psk_identity_hint)
@@ -2287,7 +2293,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s)
2287#endif 2293#endif
2288 2294
2289/* THIS NEEDS CLEANING UP */ 2295/* THIS NEEDS CLEANING UP */
2290X509 *ssl_get_server_send_cert(SSL *s) 2296CERT_PKEY *ssl_get_server_send_pkey(const SSL *s)
2291 { 2297 {
2292 unsigned long alg_k,alg_a; 2298 unsigned long alg_k,alg_a;
2293 CERT *c; 2299 CERT *c;
@@ -2342,12 +2348,20 @@ X509 *ssl_get_server_send_cert(SSL *s)
2342 i=SSL_PKEY_GOST01; 2348 i=SSL_PKEY_GOST01;
2343 else /* if (alg_a & SSL_aNULL) */ 2349 else /* if (alg_a & SSL_aNULL) */
2344 { 2350 {
2345 SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); 2351 SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,ERR_R_INTERNAL_ERROR);
2346 return(NULL); 2352 return(NULL);
2347 } 2353 }
2348 if (c->pkeys[i].x509 == NULL) return(NULL);
2349 2354
2350 return(c->pkeys[i].x509); 2355 return c->pkeys + i;
2356 }
2357
2358X509 *ssl_get_server_send_cert(const SSL *s)
2359 {
2360 CERT_PKEY *cpk;
2361 cpk = ssl_get_server_send_pkey(s);
2362 if (!cpk)
2363 return NULL;
2364 return cpk->x509;
2351 } 2365 }
2352 2366
2353EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) 2367EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd)
@@ -2608,7 +2622,7 @@ const char *SSL_get_version(const SSL *s)
2608 return("TLSv1.2"); 2622 return("TLSv1.2");
2609 else if (s->version == TLS1_1_VERSION) 2623 else if (s->version == TLS1_1_VERSION)
2610 return("TLSv1.1"); 2624 return("TLSv1.1");
2611 if (s->version == TLS1_VERSION) 2625 else if (s->version == TLS1_VERSION)
2612 return("TLSv1"); 2626 return("TLSv1");
2613 else if (s->version == SSL3_VERSION) 2627 else if (s->version == SSL3_VERSION)
2614 return("SSLv3"); 2628 return("SSLv3");
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index d87fd51cfa..e485907748 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -215,6 +215,15 @@
215 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ 215 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
216 *((c)++)=(unsigned char)(((l) )&0xff)) 216 *((c)++)=(unsigned char)(((l) )&0xff))
217 217
218#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \
219 *((c)++)=(unsigned char)(((l)>>48)&0xff), \
220 *((c)++)=(unsigned char)(((l)>>40)&0xff), \
221 *((c)++)=(unsigned char)(((l)>>32)&0xff), \
222 *((c)++)=(unsigned char)(((l)>>24)&0xff), \
223 *((c)++)=(unsigned char)(((l)>>16)&0xff), \
224 *((c)++)=(unsigned char)(((l)>> 8)&0xff), \
225 *((c)++)=(unsigned char)(((l) )&0xff))
226
218#define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \ 227#define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \
219 l|=((BN_ULLONG)(*((c)++)))<<32, \ 228 l|=((BN_ULLONG)(*((c)++)))<<32, \
220 l|=((BN_ULLONG)(*((c)++)))<<24, \ 229 l|=((BN_ULLONG)(*((c)++)))<<24, \
@@ -612,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
612extern SSL3_ENC_METHOD SSLv3_enc_data; 621extern SSL3_ENC_METHOD SSLv3_enc_data;
613extern SSL3_ENC_METHOD DTLSv1_enc_data; 622extern SSL3_ENC_METHOD DTLSv1_enc_data;
614 623
624#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
625
615#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ 626#define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
616 s_get_meth) \ 627 s_get_meth) \
617const SSL_METHOD *func_name(void) \ 628const SSL_METHOD *func_name(void) \
@@ -830,13 +841,15 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
830int ssl_undefined_function(SSL *s); 841int ssl_undefined_function(SSL *s);
831int ssl_undefined_void_function(void); 842int ssl_undefined_void_function(void);
832int ssl_undefined_const_function(const SSL *s); 843int ssl_undefined_const_function(const SSL *s);
833X509 *ssl_get_server_send_cert(SSL *); 844CERT_PKEY *ssl_get_server_send_pkey(const SSL *s);
845X509 *ssl_get_server_send_cert(const SSL *);
834EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd); 846EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd);
835int ssl_cert_type(X509 *x,EVP_PKEY *pkey); 847int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
836void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); 848void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher);
837STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); 849STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
838int ssl_verify_alarm_type(long type); 850int ssl_verify_alarm_type(long type);
839void ssl_load_ciphers(void); 851void ssl_load_ciphers(void);
852int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len);
840 853
841int ssl2_enc_init(SSL *s, int client); 854int ssl2_enc_init(SSL *s, int client);
842int ssl2_generate_key_material(SSL *s); 855int ssl2_generate_key_material(SSL *s);
@@ -1088,7 +1101,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d,
1088int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); 1101int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al);
1089int ssl_prepare_clienthello_tlsext(SSL *s); 1102int ssl_prepare_clienthello_tlsext(SSL *s);
1090int ssl_prepare_serverhello_tlsext(SSL *s); 1103int ssl_prepare_serverhello_tlsext(SSL *s);
1091int ssl_check_clienthello_tlsext(SSL *s); 1104int ssl_check_clienthello_tlsext_early(SSL *s);
1105int ssl_check_clienthello_tlsext_late(SSL *s);
1092int ssl_check_serverhello_tlsext(SSL *s); 1106int ssl_check_serverhello_tlsext(SSL *s);
1093 1107
1094#ifndef OPENSSL_NO_HEARTBEATS 1108#ifndef OPENSSL_NO_HEARTBEATS
@@ -1131,4 +1145,33 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
1131int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); 1145int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen);
1132int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al); 1146int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al);
1133 1147
1148/* s3_cbc.c */
1149void ssl3_cbc_copy_mac(unsigned char* out,
1150 const SSL3_RECORD *rec,
1151 unsigned md_size,unsigned orig_len);
1152int ssl3_cbc_remove_padding(const SSL* s,
1153 SSL3_RECORD *rec,
1154 unsigned block_size,
1155 unsigned mac_size);
1156int tls1_cbc_remove_padding(const SSL* s,
1157 SSL3_RECORD *rec,
1158 unsigned block_size,
1159 unsigned mac_size);
1160char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
1161void ssl3_cbc_digest_record(
1162 const EVP_MD_CTX *ctx,
1163 unsigned char* md_out,
1164 size_t* md_out_size,
1165 const unsigned char header[13],
1166 const unsigned char *data,
1167 size_t data_plus_mac_size,
1168 size_t data_plus_mac_plus_padding_size,
1169 const unsigned char *mac_secret,
1170 unsigned mac_secret_length,
1171 char is_sslv3);
1172
1173void tls_fips_digest_extra(
1174 const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
1175 const unsigned char *data, size_t data_len, size_t orig_len);
1176
1134#endif 1177#endif
diff --git a/src/lib/libssl/ssl_rsa.c b/src/lib/libssl/ssl_rsa.c
index c0960b5712..60e7b66859 100644
--- a/src/lib/libssl/ssl_rsa.c
+++ b/src/lib/libssl/ssl_rsa.c
@@ -710,7 +710,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
710 710
711 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ 711 ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
712 712
713 in=BIO_new(BIO_s_file_internal()); 713 in = BIO_new(BIO_s_file_internal());
714 if (in == NULL) 714 if (in == NULL)
715 { 715 {
716 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB); 716 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
@@ -723,14 +723,16 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
723 goto end; 723 goto end;
724 } 724 }
725 725
726 x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata); 726 x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,
727 ctx->default_passwd_callback_userdata);
727 if (x == NULL) 728 if (x == NULL)
728 { 729 {
729 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB); 730 SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
730 goto end; 731 goto end;
731 } 732 }
732 733
733 ret=SSL_CTX_use_certificate(ctx,x); 734 ret = SSL_CTX_use_certificate(ctx, x);
735
734 if (ERR_peek_error() != 0) 736 if (ERR_peek_error() != 0)
735 ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */ 737 ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */
736 if (ret) 738 if (ret)
@@ -742,13 +744,15 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
742 int r; 744 int r;
743 unsigned long err; 745 unsigned long err;
744 746
745 if (ctx->extra_certs != NULL) 747 if (ctx->extra_certs != NULL)
746 { 748 {
747 sk_X509_pop_free(ctx->extra_certs, X509_free); 749 sk_X509_pop_free(ctx->extra_certs, X509_free);
748 ctx->extra_certs = NULL; 750 ctx->extra_certs = NULL;
749 } 751 }
750 752
751 while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata)) 753 while ((ca = PEM_read_bio_X509(in, NULL,
754 ctx->default_passwd_callback,
755 ctx->default_passwd_callback_userdata))
752 != NULL) 756 != NULL)
753 { 757 {
754 r = SSL_CTX_add_extra_chain_cert(ctx, ca); 758 r = SSL_CTX_add_extra_chain_cert(ctx, ca);
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index f7bdeb3b9d..0c4cddedf8 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -361,7 +361,7 @@ int tls1_change_cipher_state(SSL *s, int which)
361 { 361 {
362 int i; 362 int i;
363 for (i=0; i<s->s3->tmp.key_block_length; i++) 363 for (i=0; i<s->s3->tmp.key_block_length; i++)
364 printf("%02x", key_block[i]); printf("\n"); 364 printf("%02x", s->s3->tmp.key_block[i]); printf("\n");
365 } 365 }
366#endif /* KSSL_DEBUG */ 366#endif /* KSSL_DEBUG */
367 367
@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which)
414 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; 414 s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
415 else 415 else
416 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 416 s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
417 if (s->enc_write_ctx != NULL) 417 if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
418 reuse_dd = 1; 418 reuse_dd = 1;
419 else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) 419 else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
420 goto err; 420 goto err;
421 else
422 /* make sure it's intialized in case we exit later with an error */
423 EVP_CIPHER_CTX_init(s->enc_write_ctx);
424 dd= s->enc_write_ctx; 421 dd= s->enc_write_ctx;
425 mac_ctx = ssl_replace_hash(&s->write_hash,NULL); 422 if (SSL_IS_DTLS(s))
423 {
424 mac_ctx = EVP_MD_CTX_create();
425 if (!mac_ctx)
426 goto err;
427 s->write_hash = mac_ctx;
428 }
429 else
430 mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
426#ifndef OPENSSL_NO_COMP 431#ifndef OPENSSL_NO_COMP
427 if (s->compress != NULL) 432 if (s->compress != NULL)
428 { 433 {
@@ -667,12 +672,21 @@ err:
667 return(ret); 672 return(ret);
668 } 673 }
669 674
675/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
676 *
677 * Returns:
678 * 0: (in non-constant time) if the record is publically invalid (i.e. too
679 * short etc).
680 * 1: if the record's padding is valid / the encryption was successful.
681 * -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
682 * an internal error occured.
683 */
670int tls1_enc(SSL *s, int send) 684int tls1_enc(SSL *s, int send)
671 { 685 {
672 SSL3_RECORD *rec; 686 SSL3_RECORD *rec;
673 EVP_CIPHER_CTX *ds; 687 EVP_CIPHER_CTX *ds;
674 unsigned long l; 688 unsigned long l;
675 int bs,i,ii,j,k,pad=0; 689 int bs,i,j,k,pad=0,ret,mac_size=0;
676 const EVP_CIPHER *enc; 690 const EVP_CIPHER *enc;
677 691
678 if (send) 692 if (send)
@@ -729,11 +743,11 @@ int tls1_enc(SSL *s, int send)
729 printf("tls1_enc(%d)\n", send); 743 printf("tls1_enc(%d)\n", send);
730#endif /* KSSL_DEBUG */ 744#endif /* KSSL_DEBUG */
731 745
732 if ((s->session == NULL) || (ds == NULL) || 746 if ((s->session == NULL) || (ds == NULL) || (enc == NULL))
733 (enc == NULL))
734 { 747 {
735 memmove(rec->data,rec->input,rec->length); 748 memmove(rec->data,rec->input,rec->length);
736 rec->input=rec->data; 749 rec->input=rec->data;
750 ret = 1;
737 } 751 }
738 else 752 else
739 { 753 {
@@ -797,13 +811,13 @@ int tls1_enc(SSL *s, int send)
797 811
798#ifdef KSSL_DEBUG 812#ifdef KSSL_DEBUG
799 { 813 {
800 unsigned long ui; 814 unsigned long ui;
801 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", 815 printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n",
802 ds,rec->data,rec->input,l); 816 ds,rec->data,rec->input,l);
803 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", 817 printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n",
804 ds->buf_len, ds->cipher->key_len, 818 ds->buf_len, ds->cipher->key_len,
805 DES_KEY_SZ, DES_SCHEDULE_SZ, 819 DES_KEY_SZ, DES_SCHEDULE_SZ,
806 ds->cipher->iv_len); 820 ds->cipher->iv_len);
807 printf("\t\tIV: "); 821 printf("\t\tIV: ");
808 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]); 822 for (i=0; i<ds->cipher->iv_len; i++) printf("%02X", ds->iv[i]);
809 printf("\n"); 823 printf("\n");
@@ -816,13 +830,7 @@ int tls1_enc(SSL *s, int send)
816 if (!send) 830 if (!send)
817 { 831 {
818 if (l == 0 || l%bs != 0) 832 if (l == 0 || l%bs != 0)
819 {
820 if (s->version >= TLS1_1_VERSION)
821 return -1;
822 SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
823 ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
824 return 0; 833 return 0;
825 }
826 } 834 }
827 835
828 i = EVP_Cipher(ds,rec->data,rec->input,l); 836 i = EVP_Cipher(ds,rec->data,rec->input,l);
@@ -839,68 +847,24 @@ int tls1_enc(SSL *s, int send)
839 847
840#ifdef KSSL_DEBUG 848#ifdef KSSL_DEBUG
841 { 849 {
842 unsigned long i; 850 unsigned long i;
843 printf("\trec->data="); 851 printf("\trec->data=");
844 for (i=0; i<l; i++) 852 for (i=0; i<l; i++)
845 printf(" %02x", rec->data[i]); printf("\n"); 853 printf(" %02x", rec->data[i]); printf("\n");
846 } 854 }
847#endif /* KSSL_DEBUG */ 855#endif /* KSSL_DEBUG */
848 856
857 ret = 1;
858 if (EVP_MD_CTX_md(s->read_hash) != NULL)
859 mac_size = EVP_MD_CTX_size(s->read_hash);
849 if ((bs != 1) && !send) 860 if ((bs != 1) && !send)
850 { 861 ret = tls1_cbc_remove_padding(s, rec, bs, mac_size);
851 ii=i=rec->data[l-1]; /* padding_length */
852 i++;
853 /* NB: if compression is in operation the first packet
854 * may not be of even length so the padding bug check
855 * cannot be performed. This bug workaround has been
856 * around since SSLeay so hopefully it is either fixed
857 * now or no buggy implementation supports compression
858 * [steve]
859 */
860 if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
861 && !s->expand)
862 {
863 /* First packet is even in size, so check */
864 if ((memcmp(s->s3->read_sequence,
865 "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
866 s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
867 if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
868 i--;
869 }
870 /* TLS 1.0 does not bound the number of padding bytes by the block size.
871 * All of them must have value 'padding_length'. */
872 if (i > (int)rec->length)
873 {
874 /* Incorrect padding. SSLerr() and ssl3_alert are done
875 * by caller: we don't want to reveal whether this is
876 * a decryption error or a MAC verification failure
877 * (see http://www.openssl.org/~bodo/tls-cbc.txt) */
878 return -1;
879 }
880 for (j=(int)(l-i); j<(int)l; j++)
881 {
882 if (rec->data[j] != ii)
883 {
884 /* Incorrect padding */
885 return -1;
886 }
887 }
888 rec->length -=i;
889 if (s->version >= TLS1_1_VERSION
890 && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE)
891 {
892 if (bs > (int)rec->length)
893 return -1;
894 rec->data += bs; /* skip the explicit IV */
895 rec->input += bs;
896 rec->length -= bs;
897 }
898 }
899 if (pad && !send) 862 if (pad && !send)
900 rec->length -= pad; 863 rec->length -= pad;
901 } 864 }
902 return(1); 865 return ret;
903 } 866 }
867
904int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) 868int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out)
905 { 869 {
906 unsigned int ret; 870 unsigned int ret;
@@ -956,18 +920,19 @@ int tls1_final_finish_mac(SSL *s,
956 if (mask & ssl_get_algorithm2(s)) 920 if (mask & ssl_get_algorithm2(s))
957 { 921 {
958 int hashsize = EVP_MD_size(md); 922 int hashsize = EVP_MD_size(md);
959 if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) 923 EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
924 if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
960 { 925 {
961 /* internal error: 'buf' is too small for this cipersuite! */ 926 /* internal error: 'buf' is too small for this cipersuite! */
962 err = 1; 927 err = 1;
963 } 928 }
964 else 929 else
965 { 930 {
966 EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); 931 if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
967 EVP_DigestFinal_ex(&ctx,q,&i); 932 !EVP_DigestFinal_ex(&ctx,q,&i) ||
968 if (i != (unsigned int)hashsize) /* can't really happen */ 933 (i != (unsigned int)hashsize))
969 err = 1; 934 err = 1;
970 q+=i; 935 q+=hashsize;
971 } 936 }
972 } 937 }
973 } 938 }
@@ -990,10 +955,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
990 SSL3_RECORD *rec; 955 SSL3_RECORD *rec;
991 unsigned char *seq; 956 unsigned char *seq;
992 EVP_MD_CTX *hash; 957 EVP_MD_CTX *hash;
993 size_t md_size; 958 size_t md_size, orig_len;
994 int i; 959 int i;
995 EVP_MD_CTX hmac, *mac_ctx; 960 EVP_MD_CTX hmac, *mac_ctx;
996 unsigned char buf[5]; 961 unsigned char header[13];
997 int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); 962 int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM));
998 int t; 963 int t;
999 964
@@ -1014,12 +979,6 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
1014 OPENSSL_assert(t >= 0); 979 OPENSSL_assert(t >= 0);
1015 md_size=t; 980 md_size=t;
1016 981
1017 buf[0]=rec->type;
1018 buf[1]=(unsigned char)(ssl->version>>8);
1019 buf[2]=(unsigned char)(ssl->version);
1020 buf[3]=rec->length>>8;
1021 buf[4]=rec->length&0xff;
1022
1023 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ 982 /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */
1024 if (stream_mac) 983 if (stream_mac)
1025 { 984 {
@@ -1027,7 +986,8 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
1027 } 986 }
1028 else 987 else
1029 { 988 {
1030 EVP_MD_CTX_copy(&hmac,hash); 989 if (!EVP_MD_CTX_copy(&hmac,hash))
990 return -1;
1031 mac_ctx = &hmac; 991 mac_ctx = &hmac;
1032 } 992 }
1033 993
@@ -1038,17 +998,55 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
1038 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); 998 s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
1039 memcpy (p,&seq[2],6); 999 memcpy (p,&seq[2],6);
1040 1000
1041 EVP_DigestSignUpdate(mac_ctx,dtlsseq,8); 1001 memcpy(header, dtlsseq, 8);
1042 } 1002 }
1043 else 1003 else
1044 EVP_DigestSignUpdate(mac_ctx,seq,8); 1004 memcpy(header, seq, 8);
1005
1006 /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */
1007 orig_len = rec->length+md_size+((unsigned int)rec->type>>8);
1008 rec->type &= 0xff;
1045 1009
1046 EVP_DigestSignUpdate(mac_ctx,buf,5); 1010 header[8]=rec->type;
1047 EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); 1011 header[9]=(unsigned char)(ssl->version>>8);
1048 t=EVP_DigestSignFinal(mac_ctx,md,&md_size); 1012 header[10]=(unsigned char)(ssl->version);
1049 OPENSSL_assert(t > 0); 1013 header[11]=(rec->length)>>8;
1014 header[12]=(rec->length)&0xff;
1015
1016 if (!send &&
1017 EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
1018 ssl3_cbc_record_digest_supported(mac_ctx))
1019 {
1020 /* This is a CBC-encrypted record. We must avoid leaking any
1021 * timing-side channel information about how many blocks of
1022 * data we are hashing because that gives an attacker a
1023 * timing-oracle. */
1024 ssl3_cbc_digest_record(
1025 mac_ctx,
1026 md, &md_size,
1027 header, rec->input,
1028 rec->length + md_size, orig_len,
1029 ssl->s3->read_mac_secret,
1030 ssl->s3->read_mac_secret_size,
1031 0 /* not SSLv3 */);
1032 }
1033 else
1034 {
1035 EVP_DigestSignUpdate(mac_ctx,header,sizeof(header));
1036 EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length);
1037 t=EVP_DigestSignFinal(mac_ctx,md,&md_size);
1038 OPENSSL_assert(t > 0);
1039#ifdef OPENSSL_FIPS
1040 if (!send && FIPS_mode())
1041 tls_fips_digest_extra(
1042 ssl->enc_read_ctx,
1043 mac_ctx, rec->input,
1044 rec->length, orig_len);
1045#endif
1046 }
1050 1047
1051 if (!stream_mac) EVP_MD_CTX_cleanup(&hmac); 1048 if (!stream_mac)
1049 EVP_MD_CTX_cleanup(&hmac);
1052#ifdef TLS_DEBUG 1050#ifdef TLS_DEBUG
1053printf("sec="); 1051printf("sec=");
1054{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); } 1052{unsigned int z; for (z=0; z<md_size; z++) printf("%02X ",mac_sec[z]); printf("\n"); }
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c
index 27c8e3460d..bddffd92cc 100644
--- a/src/lib/libssl/t1_lib.c
+++ b/src/lib/libssl/t1_lib.c
@@ -342,19 +342,11 @@ static unsigned char tls12_sigalgs[] = {
342#ifndef OPENSSL_NO_SHA 342#ifndef OPENSSL_NO_SHA
343 tlsext_sigalg(TLSEXT_hash_sha1) 343 tlsext_sigalg(TLSEXT_hash_sha1)
344#endif 344#endif
345#ifndef OPENSSL_NO_MD5
346 tlsext_sigalg_rsa(TLSEXT_hash_md5)
347#endif
348}; 345};
349 346
350int tls12_get_req_sig_algs(SSL *s, unsigned char *p) 347int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
351 { 348 {
352 size_t slen = sizeof(tls12_sigalgs); 349 size_t slen = sizeof(tls12_sigalgs);
353#ifdef OPENSSL_FIPS
354 /* If FIPS mode don't include MD5 which is last */
355 if (FIPS_mode())
356 slen -= 2;
357#endif
358 if (p) 350 if (p)
359 memcpy(p, tls12_sigalgs, slen); 351 memcpy(p, tls12_sigalgs, slen);
360 return (int)slen; 352 return (int)slen;
@@ -649,6 +641,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
649 } 641 }
650#endif 642#endif
651 643
644#ifndef OPENSSL_NO_SRTP
652 if(SSL_get_srtp_profiles(s)) 645 if(SSL_get_srtp_profiles(s))
653 { 646 {
654 int el; 647 int el;
@@ -667,6 +660,37 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
667 } 660 }
668 ret += el; 661 ret += el;
669 } 662 }
663#endif
664
665#ifdef TLSEXT_TYPE_padding
666 /* Add padding to workaround bugs in F5 terminators.
667 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
668 *
669 * NB: because this code works out the length of all existing
670 * extensions it MUST always appear last.
671 */
672 {
673 int hlen = ret - (unsigned char *)s->init_buf->data;
674 /* The code in s23_clnt.c to build ClientHello messages includes the
675 * 5-byte record header in the buffer, while the code in s3_clnt.c does
676 * not. */
677 if (s->state == SSL23_ST_CW_CLNT_HELLO_A)
678 hlen -= 5;
679 if (hlen > 0xff && hlen < 0x200)
680 {
681 hlen = 0x200 - hlen;
682 if (hlen >= 4)
683 hlen -= 4;
684 else
685 hlen = 0;
686
687 s2n(TLSEXT_TYPE_padding, ret);
688 s2n(hlen, ret);
689 memset(ret, 0, hlen);
690 ret += hlen;
691 }
692 }
693#endif
670 694
671 if ((extdatalen = ret-p-2)== 0) 695 if ((extdatalen = ret-p-2)== 0)
672 return p; 696 return p;
@@ -781,6 +805,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
781 } 805 }
782#endif 806#endif
783 807
808#ifndef OPENSSL_NO_SRTP
784 if(s->srtp_profile) 809 if(s->srtp_profile)
785 { 810 {
786 int el; 811 int el;
@@ -799,6 +824,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
799 } 824 }
800 ret+=el; 825 ret+=el;
801 } 826 }
827#endif
802 828
803 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) 829 if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81)
804 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) 830 && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG))
@@ -862,6 +888,89 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
862 return ret; 888 return ret;
863 } 889 }
864 890
891#ifndef OPENSSL_NO_EC
892/* ssl_check_for_safari attempts to fingerprint Safari using OS X
893 * SecureTransport using the TLS extension block in |d|, of length |n|.
894 * Safari, since 10.6, sends exactly these extensions, in this order:
895 * SNI,
896 * elliptic_curves
897 * ec_point_formats
898 *
899 * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
900 * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
901 * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
902 * 10.8..10.8.3 (which don't work).
903 */
904static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
905 unsigned short type, size;
906 static const unsigned char kSafariExtensionsBlock[] = {
907 0x00, 0x0a, /* elliptic_curves extension */
908 0x00, 0x08, /* 8 bytes */
909 0x00, 0x06, /* 6 bytes of curve ids */
910 0x00, 0x17, /* P-256 */
911 0x00, 0x18, /* P-384 */
912 0x00, 0x19, /* P-521 */
913
914 0x00, 0x0b, /* ec_point_formats */
915 0x00, 0x02, /* 2 bytes */
916 0x01, /* 1 point format */
917 0x00, /* uncompressed */
918 };
919
920 /* The following is only present in TLS 1.2 */
921 static const unsigned char kSafariTLS12ExtensionsBlock[] = {
922 0x00, 0x0d, /* signature_algorithms */
923 0x00, 0x0c, /* 12 bytes */
924 0x00, 0x0a, /* 10 bytes */
925 0x05, 0x01, /* SHA-384/RSA */
926 0x04, 0x01, /* SHA-256/RSA */
927 0x02, 0x01, /* SHA-1/RSA */
928 0x04, 0x03, /* SHA-256/ECDSA */
929 0x02, 0x03, /* SHA-1/ECDSA */
930 };
931
932 if (data >= (d+n-2))
933 return;
934 data += 2;
935
936 if (data > (d+n-4))
937 return;
938 n2s(data,type);
939 n2s(data,size);
940
941 if (type != TLSEXT_TYPE_server_name)
942 return;
943
944 if (data+size > d+n)
945 return;
946 data += size;
947
948 if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
949 {
950 const size_t len1 = sizeof(kSafariExtensionsBlock);
951 const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
952
953 if (data + len1 + len2 != d+n)
954 return;
955 if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
956 return;
957 if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
958 return;
959 }
960 else
961 {
962 const size_t len = sizeof(kSafariExtensionsBlock);
963
964 if (data + len != d+n)
965 return;
966 if (memcmp(data, kSafariExtensionsBlock, len) != 0)
967 return;
968 }
969
970 s->s3->is_probably_safari = 1;
971}
972#endif /* !OPENSSL_NO_EC */
973
865int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) 974int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
866 { 975 {
867 unsigned short type; 976 unsigned short type;
@@ -882,6 +991,11 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
882 SSL_TLSEXT_HB_DONT_SEND_REQUESTS); 991 SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
883#endif 992#endif
884 993
994#ifndef OPENSSL_NO_EC
995 if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
996 ssl_check_for_safari(s, data, d, n);
997#endif /* !OPENSSL_NO_EC */
998
885 if (data >= (d+n-2)) 999 if (data >= (d+n-2))
886 goto ri_check; 1000 goto ri_check;
887 n2s(data,len); 1001 n2s(data,len);
@@ -1077,7 +1191,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1077 int ellipticcurvelist_length = (*(sdata++) << 8); 1191 int ellipticcurvelist_length = (*(sdata++) << 8);
1078 ellipticcurvelist_length += (*(sdata++)); 1192 ellipticcurvelist_length += (*(sdata++));
1079 1193
1080 if (ellipticcurvelist_length != size - 2) 1194 if (ellipticcurvelist_length != size - 2 ||
1195 ellipticcurvelist_length < 1)
1081 { 1196 {
1082 *al = TLS1_AD_DECODE_ERROR; 1197 *al = TLS1_AD_DECODE_ERROR;
1083 return 0; 1198 return 0;
@@ -1176,7 +1291,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1176 } 1291 }
1177 } 1292 }
1178 else if (type == TLSEXT_TYPE_status_request && 1293 else if (type == TLSEXT_TYPE_status_request &&
1179 s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) 1294 s->version != DTLS1_VERSION)
1180 { 1295 {
1181 1296
1182 if (size < 5) 1297 if (size < 5)
@@ -1328,12 +1443,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1328#endif 1443#endif
1329 1444
1330 /* session ticket processed earlier */ 1445 /* session ticket processed earlier */
1446#ifndef OPENSSL_NO_SRTP
1331 else if (type == TLSEXT_TYPE_use_srtp) 1447 else if (type == TLSEXT_TYPE_use_srtp)
1332 { 1448 {
1333 if(ssl_parse_clienthello_use_srtp_ext(s, data, size, 1449 if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
1334 al)) 1450 al))
1335 return 0; 1451 return 0;
1336 } 1452 }
1453#endif
1337 1454
1338 data+=size; 1455 data+=size;
1339 } 1456 }
@@ -1433,7 +1550,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1433 unsigned char *sdata = data; 1550 unsigned char *sdata = data;
1434 int ecpointformatlist_length = *(sdata++); 1551 int ecpointformatlist_length = *(sdata++);
1435 1552
1436 if (ecpointformatlist_length != size - 1) 1553 if (ecpointformatlist_length != size - 1 ||
1554 ecpointformatlist_length < 1)
1437 { 1555 {
1438 *al = TLS1_AD_DECODE_ERROR; 1556 *al = TLS1_AD_DECODE_ERROR;
1439 return 0; 1557 return 0;
@@ -1527,7 +1645,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1527 unsigned char selected_len; 1645 unsigned char selected_len;
1528 1646
1529 /* We must have requested it. */ 1647 /* We must have requested it. */
1530 if ((s->ctx->next_proto_select_cb == NULL)) 1648 if (s->ctx->next_proto_select_cb == NULL)
1531 { 1649 {
1532 *al = TLS1_AD_UNSUPPORTED_EXTENSION; 1650 *al = TLS1_AD_UNSUPPORTED_EXTENSION;
1533 return 0; 1651 return 0;
@@ -1577,12 +1695,14 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
1577 } 1695 }
1578 } 1696 }
1579#endif 1697#endif
1698#ifndef OPENSSL_NO_SRTP
1580 else if (type == TLSEXT_TYPE_use_srtp) 1699 else if (type == TLSEXT_TYPE_use_srtp)
1581 { 1700 {
1582 if(ssl_parse_serverhello_use_srtp_ext(s, data, size, 1701 if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
1583 al)) 1702 al))
1584 return 0; 1703 return 0;
1585 } 1704 }
1705#endif
1586 1706
1587 data+=size; 1707 data+=size;
1588 } 1708 }
@@ -1763,7 +1883,7 @@ int ssl_prepare_serverhello_tlsext(SSL *s)
1763 return 1; 1883 return 1;
1764 } 1884 }
1765 1885
1766int ssl_check_clienthello_tlsext(SSL *s) 1886int ssl_check_clienthello_tlsext_early(SSL *s)
1767 { 1887 {
1768 int ret=SSL_TLSEXT_ERR_NOACK; 1888 int ret=SSL_TLSEXT_ERR_NOACK;
1769 int al = SSL_AD_UNRECOGNIZED_NAME; 1889 int al = SSL_AD_UNRECOGNIZED_NAME;
@@ -1782,42 +1902,12 @@ int ssl_check_clienthello_tlsext(SSL *s)
1782 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) 1902 else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
1783 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); 1903 ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
1784 1904
1785 /* If status request then ask callback what to do.
1786 * Note: this must be called after servername callbacks in case
1787 * the certificate has changed.
1788 */
1789 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1790 {
1791 int r;
1792 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
1793 switch (r)
1794 {
1795 /* We don't want to send a status request response */
1796 case SSL_TLSEXT_ERR_NOACK:
1797 s->tlsext_status_expected = 0;
1798 break;
1799 /* status request response should be sent */
1800 case SSL_TLSEXT_ERR_OK:
1801 if (s->tlsext_ocsp_resp)
1802 s->tlsext_status_expected = 1;
1803 else
1804 s->tlsext_status_expected = 0;
1805 break;
1806 /* something bad happened */
1807 case SSL_TLSEXT_ERR_ALERT_FATAL:
1808 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
1809 al = SSL_AD_INTERNAL_ERROR;
1810 goto err;
1811 }
1812 }
1813 else
1814 s->tlsext_status_expected = 0;
1815
1816#ifdef TLSEXT_TYPE_opaque_prf_input 1905#ifdef TLSEXT_TYPE_opaque_prf_input
1817 { 1906 {
1818 /* This sort of belongs into ssl_prepare_serverhello_tlsext(), 1907 /* This sort of belongs into ssl_prepare_serverhello_tlsext(),
1819 * but we might be sending an alert in response to the client hello, 1908 * but we might be sending an alert in response to the client hello,
1820 * so this has to happen here in ssl_check_clienthello_tlsext(). */ 1909 * so this has to happen here in
1910 * ssl_check_clienthello_tlsext_early(). */
1821 1911
1822 int r = 1; 1912 int r = 1;
1823 1913
@@ -1869,8 +1959,8 @@ int ssl_check_clienthello_tlsext(SSL *s)
1869 } 1959 }
1870 } 1960 }
1871 1961
1872#endif
1873 err: 1962 err:
1963#endif
1874 switch (ret) 1964 switch (ret)
1875 { 1965 {
1876 case SSL_TLSEXT_ERR_ALERT_FATAL: 1966 case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1888,6 +1978,71 @@ int ssl_check_clienthello_tlsext(SSL *s)
1888 } 1978 }
1889 } 1979 }
1890 1980
1981int ssl_check_clienthello_tlsext_late(SSL *s)
1982 {
1983 int ret = SSL_TLSEXT_ERR_OK;
1984 int al;
1985
1986 /* If status request then ask callback what to do.
1987 * Note: this must be called after servername callbacks in case
1988 * the certificate has changed, and must be called after the cipher
1989 * has been chosen because this may influence which certificate is sent
1990 */
1991 if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
1992 {
1993 int r;
1994 CERT_PKEY *certpkey;
1995 certpkey = ssl_get_server_send_pkey(s);
1996 /* If no certificate can't return certificate status */
1997 if (certpkey == NULL)
1998 {
1999 s->tlsext_status_expected = 0;
2000 return 1;
2001 }
2002 /* Set current certificate to one we will use so
2003 * SSL_get_certificate et al can pick it up.
2004 */
2005 s->cert->key = certpkey;
2006 r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
2007 switch (r)
2008 {
2009 /* We don't want to send a status request response */
2010 case SSL_TLSEXT_ERR_NOACK:
2011 s->tlsext_status_expected = 0;
2012 break;
2013 /* status request response should be sent */
2014 case SSL_TLSEXT_ERR_OK:
2015 if (s->tlsext_ocsp_resp)
2016 s->tlsext_status_expected = 1;
2017 else
2018 s->tlsext_status_expected = 0;
2019 break;
2020 /* something bad happened */
2021 case SSL_TLSEXT_ERR_ALERT_FATAL:
2022 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
2023 al = SSL_AD_INTERNAL_ERROR;
2024 goto err;
2025 }
2026 }
2027 else
2028 s->tlsext_status_expected = 0;
2029
2030 err:
2031 switch (ret)
2032 {
2033 case SSL_TLSEXT_ERR_ALERT_FATAL:
2034 ssl3_send_alert(s,SSL3_AL_FATAL,al);
2035 return -1;
2036
2037 case SSL_TLSEXT_ERR_ALERT_WARNING:
2038 ssl3_send_alert(s,SSL3_AL_WARNING,al);
2039 return 1;
2040
2041 default:
2042 return 1;
2043 }
2044 }
2045
1891int ssl_check_serverhello_tlsext(SSL *s) 2046int ssl_check_serverhello_tlsext(SSL *s)
1892 { 2047 {
1893 int ret=SSL_TLSEXT_ERR_NOACK; 2048 int ret=SSL_TLSEXT_ERR_NOACK;
@@ -2189,7 +2344,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
2189 HMAC_Update(&hctx, etick, eticklen); 2344 HMAC_Update(&hctx, etick, eticklen);
2190 HMAC_Final(&hctx, tick_hmac, NULL); 2345 HMAC_Final(&hctx, tick_hmac, NULL);
2191 HMAC_CTX_cleanup(&hctx); 2346 HMAC_CTX_cleanup(&hctx);
2192 if (memcmp(tick_hmac, etick + eticklen, mlen)) 2347 if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
2193 return 2; 2348 return 2;
2194 /* Attempt to decrypt session data */ 2349 /* Attempt to decrypt session data */
2195 /* Move p after IV to start of encrypted ticket, update length */ 2350 /* Move p after IV to start of encrypted ticket, update length */
@@ -2319,14 +2474,6 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
2319 { 2474 {
2320 switch(hash_alg) 2475 switch(hash_alg)
2321 { 2476 {
2322#ifndef OPENSSL_NO_MD5
2323 case TLSEXT_hash_md5:
2324#ifdef OPENSSL_FIPS
2325 if (FIPS_mode())
2326 return NULL;
2327#endif
2328 return EVP_md5();
2329#endif
2330#ifndef OPENSSL_NO_SHA 2477#ifndef OPENSSL_NO_SHA
2331 case TLSEXT_hash_sha1: 2478 case TLSEXT_hash_sha1:
2332 return EVP_sha1(); 2479 return EVP_sha1();
@@ -2414,7 +2561,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2414 */ 2561 */
2415#ifndef OPENSSL_NO_DSA 2562#ifndef OPENSSL_NO_DSA
2416 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) 2563 if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
2417 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); 2564 c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
2418#endif 2565#endif
2419#ifndef OPENSSL_NO_RSA 2566#ifndef OPENSSL_NO_RSA
2420 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) 2567 if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
@@ -2425,7 +2572,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
2425#endif 2572#endif
2426#ifndef OPENSSL_NO_ECDSA 2573#ifndef OPENSSL_NO_ECDSA
2427 if (!c->pkeys[SSL_PKEY_ECC].digest) 2574 if (!c->pkeys[SSL_PKEY_ECC].digest)
2428 c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); 2575 c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
2429#endif 2576#endif
2430 return 1; 2577 return 1;
2431 } 2578 }
@@ -2441,16 +2588,20 @@ tls1_process_heartbeat(SSL *s)
2441 unsigned int payload; 2588 unsigned int payload;
2442 unsigned int padding = 16; /* Use minimum padding */ 2589 unsigned int padding = 16; /* Use minimum padding */
2443 2590
2444 /* Read type and payload length first */
2445 hbtype = *p++;
2446 n2s(p, payload);
2447 pl = p;
2448
2449 if (s->msg_callback) 2591 if (s->msg_callback)
2450 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, 2592 s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
2451 &s->s3->rrec.data[0], s->s3->rrec.length, 2593 &s->s3->rrec.data[0], s->s3->rrec.length,
2452 s, s->msg_callback_arg); 2594 s, s->msg_callback_arg);
2453 2595
2596 /* Read type and payload length first */
2597 if (1 + 2 + 16 > s->s3->rrec.length)
2598 return 0; /* silently discard */
2599 hbtype = *p++;
2600 n2s(p, payload);
2601 if (1 + 2 + payload + 16 > s->s3->rrec.length)
2602 return 0; /* silently discard per RFC 6520 sec. 4 */
2603 pl = p;
2604
2454 if (hbtype == TLS1_HB_REQUEST) 2605 if (hbtype == TLS1_HB_REQUEST)
2455 { 2606 {
2456 unsigned char *buffer, *bp; 2607 unsigned char *buffer, *bp;
diff --git a/src/lib/libssl/test/cms-test.pl b/src/lib/libssl/test/cms-test.pl
index c938bcf00d..dfef799be2 100644
--- a/src/lib/libssl/test/cms-test.pl
+++ b/src/lib/libssl/test/cms-test.pl
@@ -415,8 +415,10 @@ sub run_smime_tests {
415} 415}
416 416
417sub cmp_files { 417sub cmp_files {
418 use FileHandle;
418 my ( $f1, $f2 ) = @_; 419 my ( $f1, $f2 ) = @_;
419 my ( $fp1, $fp2 ); 420 my $fp1 = FileHandle->new();
421 my $fp2 = FileHandle->new();
420 422
421 my ( $rd1, $rd2 ); 423 my ( $rd1, $rd2 );
422 424
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
index 5ae4dc8720..4e8542b556 100644
--- a/src/lib/libssl/test/testssl
+++ b/src/lib/libssl/test/testssl
@@ -119,6 +119,23 @@ $ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1
119echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify 119echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify
120$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1 120$ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
121 121
122echo "Testing ciphersuites"
123for protocol in TLSv1.2 SSLv3; do
124 echo "Testing ciphersuites for $protocol"
125 for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do
126 echo "Testing $cipher"
127 prot=""
128 if [ $protocol = "SSLv3" ] ; then
129 prot="-ssl3"
130 fi
131 $ssltest -cipher $cipher $prot
132 if [ $? -ne 0 ] ; then
133 echo "Failed $cipher"
134 exit 1
135 fi
136 done
137done
138
122############################################################################# 139#############################################################################
123 140
124if ../util/shlib_wrap.sh ../apps/openssl no-dh; then 141if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
index c39c267f0b..c992091e30 100644
--- a/src/lib/libssl/tls1.h
+++ b/src/lib/libssl/tls1.h
@@ -230,6 +230,12 @@ extern "C" {
230/* ExtensionType value from RFC5620 */ 230/* ExtensionType value from RFC5620 */
231#define TLSEXT_TYPE_heartbeat 15 231#define TLSEXT_TYPE_heartbeat 15
232 232
233/* ExtensionType value for TLS padding extension.
234 * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
235 * http://tools.ietf.org/html/draft-agl-tls-padding-03
236 */
237#define TLSEXT_TYPE_padding 21
238
233/* ExtensionType value from RFC4507 */ 239/* ExtensionType value from RFC4507 */
234#define TLSEXT_TYPE_session_ticket 35 240#define TLSEXT_TYPE_session_ticket 35
235 241
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-01 06:39:58 +0000