[Pkg-openssl-changes] r676 - in openssl/branches/1.0.1/debian: . patches

Kurt Roeckx kroeckx at moszumanska.debian.org
Sat Jun 14 21:49:17 UTC 2014


Author: kroeckx
Date: 2014-06-14 21:49:17 +0000 (Sat, 14 Jun 2014)
New Revision: 676

Modified:
   openssl/branches/1.0.1/debian/changelog
   openssl/branches/1.0.1/debian/patches/git_snapshot.patch
Log:
New upstream git snapshot
 - Allows CCS after finished message, needed for some renegiotation cases.
   (Closes: #751093)


Modified: openssl/branches/1.0.1/debian/changelog
===================================================================
--- openssl/branches/1.0.1/debian/changelog	2014-06-09 09:25:26 UTC (rev 675)
+++ openssl/branches/1.0.1/debian/changelog	2014-06-14 21:49:17 UTC (rev 676)
@@ -1,3 +1,11 @@
+openssl (1.0.1h-3) unstable; urgency=medium
+
+  * New upstream git snapshot
+    - Allows CCS after finished message, needed for some renegiotation cases.
+      (Closes: #751093)
+
+ -- Kurt Roeckx <kurt at roeckx.be>  Sat, 14 Jun 2014 22:23:21 +0200
+
 openssl (1.0.1h-2) unstable; urgency=medium
 
   * Use upstream git snapshot:

Modified: openssl/branches/1.0.1/debian/patches/git_snapshot.patch
===================================================================
--- openssl/branches/1.0.1/debian/patches/git_snapshot.patch	2014-06-09 09:25:26 UTC (rev 675)
+++ openssl/branches/1.0.1/debian/patches/git_snapshot.patch	2014-06-14 21:49:17 UTC (rev 676)
@@ -44,6 +44,34 @@
  
   Copyright (c) 1998-2011 The OpenSSL Project
   Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+diff --git a/apps/enc.c b/apps/enc.c
+index 19ea3df..c6a211b 100644
+--- a/apps/enc.c
++++ b/apps/enc.c
+@@ -67,7 +67,9 @@
+ #include <openssl/x509.h>
+ #include <openssl/rand.h>
+ #include <openssl/pem.h>
++#ifndef OPENSSL_NO_COMP
+ #include <openssl/comp.h>
++#endif
+ #include <ctype.h>
+ 
+ int set_hex(char *in,unsigned char *out,int size);
+diff --git a/crypto/ocsp/ocsp_ht.c b/crypto/ocsp/ocsp_ht.c
+index af5fc16..b4126ad 100644
+--- a/crypto/ocsp/ocsp_ht.c
++++ b/crypto/ocsp/ocsp_ht.c
+@@ -490,6 +490,9 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
+ 
+ 	ctx = OCSP_sendreq_new(b, path, req, -1);
+ 
++	if (!ctx)
++		return NULL;
++
+ 	do
+ 		{
+ 		rv = OCSP_sendreq_nbio(&resp, ctx);
 diff --git a/crypto/opensslv.h b/crypto/opensslv.h
 index c3b6ace..a59982e 100644
 --- a/crypto/opensslv.h
@@ -75,6 +103,282 @@
  #endif
  
  #ifdef _WIN32
+diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
+index f44aa00..6086d0a 100644
+--- a/doc/apps/ciphers.pod
++++ b/doc/apps/ciphers.pod
+@@ -36,7 +36,7 @@ SSL v2 and for SSL v3/TLS v1.
+ 
+ =item B<-V>
+ 
+-Like B<-V>, but include cipher suite codes in output (hex format).
++Like B<-v>, but include cipher suite codes in output (hex format).
+ 
+ =item B<-ssl3>
+ 
+@@ -116,8 +116,8 @@ specified.
+ =item B<COMPLEMENTOFDEFAULT>
+ 
+ the ciphers included in B<ALL>, but not enabled by default. Currently
+-this is B<ADH>. Note that this rule does not cover B<eNULL>, which is
+-not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary).
++this is B<ADH> and B<AECDH>. Note that this rule does not cover B<eNULL>,
++which is not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary).
+ 
+ =item B<ALL>
+ 
+@@ -165,21 +165,58 @@ included.
+ =item B<aNULL>
+ 
+ the cipher suites offering no authentication. This is currently the anonymous
+-DH algorithms. These cipher suites are vulnerable to a "man in the middle"
+-attack and so their use is normally discouraged.
++DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable
++to a "man in the middle" attack and so their use is normally discouraged.
+ 
+ =item B<kRSA>, B<RSA>
+ 
+ cipher suites using RSA key exchange.
+ 
++=item B<kDHr>, B<kDHd>, B<kDH>
++
++cipher suites using DH key agreement and DH certificates signed by CAs with RSA
++and DSS keys or either respectively. Not implemented.
++
+ =item B<kEDH>
+ 
+-cipher suites using ephemeral DH key agreement.
++cipher suites using ephemeral DH key agreement, including anonymous cipher
++suites.
+ 
+-=item B<kDHr>, B<kDHd>
++=item B<EDH>
+ 
+-cipher suites using DH key agreement and DH certificates signed by CAs with RSA
+-and DSS keys respectively. Not implemented.
++cipher suites using authenticated ephemeral DH key agreement.
++
++=item B<ADH>
++
++anonymous DH cipher suites, note that this does not include anonymous Elliptic
++Curve DH (ECDH) cipher suites.
++
++=item B<DH>
++
++cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH.
++
++=item B<kECDHr>, B<kECDHe>, B<kECDH>
++
++cipher suites using fixed ECDH key agreement signed by CAs with RSA and ECDSA
++keys or either respectively.
++
++=item B<kEECDH>
++
++cipher suites using ephemeral ECDH key agreement, including anonymous
++cipher suites.
++
++=item B<EECDHE>
++
++cipher suites using authenticated ephemeral ECDH key agreement.
++
++=item B<AECDH>
++
++anonymous Elliptic Curve Diffie Hellman cipher suites.
++
++=item B<ECDH>
++
++cipher suites using ECDH key exchange, including anonymous, ephemeral and
++fixed ECDH.
+ 
+ =item B<aRSA>
+ 
+@@ -194,30 +231,39 @@ cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
+ cipher suites effectively using DH authentication, i.e. the certificates carry
+ DH keys.  Not implemented.
+ 
++=item B<aECDH>
++
++cipher suites effectively using ECDH authentication, i.e. the certificates
++carry ECDH keys.
++
++=item B<aECDSA>, B<ECDSA>
++
++cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA
++keys.
++
+ =item B<kFZA>, B<aFZA>, B<eFZA>, B<FZA>
+ 
+ ciphers suites using FORTEZZA key exchange, authentication, encryption or all
+ FORTEZZA algorithms. Not implemented.
+ 
+-=item B<TLSv1>, B<SSLv3>, B<SSLv2>
+-
+-TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively.
++=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
+ 
+-=item B<DH>
+-
+-cipher suites using DH, including anonymous DH.
++TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
++there are no ciphersuites specific to TLS v1.1.
+ 
+-=item B<ADH>
++=item B<AES128>, B<AES256>, B<AES>
+ 
+-anonymous DH cipher suites.
++cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES.
+ 
+-=item B<AES>
++=item B<AESGCM>
+ 
+-cipher suites using AES.
++AES in Galois Counter Mode (GCM): these ciphersuites are only supported
++in TLS v1.2.
+ 
+-=item B<CAMELLIA>
++=item B<CAMELLIA128>, B<CAMELLIA256>, B<CAMELLIA>
+ 
+-cipher suites using Camellia.
++cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
++CAMELLIA.
+ 
+ =item B<3DES>
+ 
+@@ -251,6 +297,10 @@ cipher suites using MD5.
+ 
+ cipher suites using SHA1.
+ 
++=item B<SHA256>, B<SHA384>
++
++ciphersuites using SHA256 or SHA384.
++
+ =item B<aGOST> 
+ 
+ cipher suites using GOST R 34.10 (either 2001 or 94) for authenticaction
+@@ -277,6 +327,9 @@ cipher suites, using HMAC based on GOST R 34.11-94.
+ 
+ cipher suites using GOST 28147-89 MAC B<instead of> HMAC.
+ 
++=item B<PSK>
++
++cipher suites using pre-shared keys (PSK).
+ 
+ =back
+ 
+@@ -423,7 +476,100 @@ Note: these ciphers can also be used in SSL v3.
+  TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  EXP1024-DHE-DSS-RC4-SHA
+  TLS_DHE_DSS_WITH_RC4_128_SHA            DHE-DSS-RC4-SHA
+ 
+-=head2 SSL v2.0 cipher suites.
++=head2 Elliptic curve cipher suites.
++
++ TLS_ECDH_RSA_WITH_NULL_SHA              ECDH-RSA-NULL-SHA
++ TLS_ECDH_RSA_WITH_RC4_128_SHA           ECDH-RSA-RC4-SHA
++ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA      ECDH-RSA-DES-CBC3-SHA
++ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA       ECDH-RSA-AES128-SHA
++ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA       ECDH-RSA-AES256-SHA
++
++ TLS_ECDH_ECDSA_WITH_NULL_SHA            ECDH-ECDSA-NULL-SHA
++ TLS_ECDH_ECDSA_WITH_RC4_128_SHA         ECDH-ECDSA-RC4-SHA
++ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA    ECDH-ECDSA-DES-CBC3-SHA
++ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA     ECDH-ECDSA-AES128-SHA
++ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA     ECDH-ECDSA-AES256-SHA
++
++ TLS_ECDHE_RSA_WITH_NULL_SHA             ECDHE-RSA-NULL-SHA
++ TLS_ECDHE_RSA_WITH_RC4_128_SHA          ECDHE-RSA-RC4-SHA
++ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA     ECDHE-RSA-DES-CBC3-SHA
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ECDHE-RSA-AES128-SHA
++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA      ECDHE-RSA-AES256-SHA
++
++ TLS_ECDHE_ECDSA_WITH_NULL_SHA           ECDHE-ECDSA-NULL-SHA
++ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA        ECDHE-ECDSA-RC4-SHA
++ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   ECDHE-ECDSA-DES-CBC3-SHA
++ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA    ECDHE-ECDSA-AES128-SHA
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA    ECDHE-ECDSA-AES256-SHA
++
++ TLS_ECDH_anon_WITH_NULL_SHA             AECDH-NULL-SHA
++ TLS_ECDH_anon_WITH_RC4_128_SHA          AECDH-RC4-SHA
++ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA     AECDH-DES-CBC3-SHA
++ TLS_ECDH_anon_WITH_AES_128_CBC_SHA      AECDH-AES128-SHA
++ TLS_ECDH_anon_WITH_AES_256_CBC_SHA      AECDH-AES256-SHA
++
++=head2 TLS v1.2 cipher suites
++
++ TLS_RSA_WITH_NULL_SHA256                  NULL-SHA256
++
++ TLS_RSA_WITH_AES_128_CBC_SHA256           AES128-SHA256
++ TLS_RSA_WITH_AES_256_CBC_SHA256           AES256-SHA256
++ TLS_RSA_WITH_AES_128_GCM_SHA256           AES128-GCM-SHA256
++ TLS_RSA_WITH_AES_256_GCM_SHA384           AES256-GCM-SHA384
++
++ TLS_DH_RSA_WITH_AES_128_CBC_SHA256        Not implemented.
++ TLS_DH_RSA_WITH_AES_256_CBC_SHA256        Not implemented.
++ TLS_DH_RSA_WITH_AES_128_GCM_SHA256        Not implemented.
++ TLS_DH_RSA_WITH_AES_256_GCM_SHA384        Not implemented.
++
++ TLS_DH_DSS_WITH_AES_128_CBC_SHA256        Not implemented.
++ TLS_DH_DSS_WITH_AES_256_CBC_SHA256        Not implemented.
++ TLS_DH_DSS_WITH_AES_128_GCM_SHA256        Not implemented.
++ TLS_DH_DSS_WITH_AES_256_GCM_SHA384        Not implemented.
++
++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256       DHE-RSA-AES128-SHA256
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256       DHE-RSA-AES256-SHA256
++ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256       DHE-RSA-AES128-GCM-SHA256
++ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384       DHE-RSA-AES256-GCM-SHA384
++
++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256       DHE-DSS-AES128-SHA256
++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256       DHE-DSS-AES256-SHA256
++ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256       DHE-DSS-AES128-GCM-SHA256
++ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384       DHE-DSS-AES256-GCM-SHA384
++
++ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256      ECDH-RSA-AES128-SHA256
++ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384      ECDH-RSA-AES256-SHA384
++ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256      ECDH-RSA-AES128-GCM-SHA256
++ TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384      ECDH-RSA-AES256-GCM-SHA384
++
++ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256    ECDH-ECDSA-AES128-SHA256
++ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384    ECDH-ECDSA-AES256-SHA384
++ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256    ECDH-ECDSA-AES128-GCM-SHA256
++ TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384    ECDH-ECDSA-AES256-GCM-SHA384
++
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256     ECDHE-RSA-AES128-SHA256
++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384     ECDHE-RSA-AES256-SHA384
++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256     ECDHE-RSA-AES128-GCM-SHA256
++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDHE-RSA-AES256-GCM-SHA384
++
++ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   ECDHE-ECDSA-AES128-SHA256
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   ECDHE-ECDSA-AES256-SHA384
++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256   ECDHE-ECDSA-AES128-GCM-SHA256
++ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   ECDHE-ECDSA-AES256-GCM-SHA384
++
++ TLS_DH_anon_WITH_AES_128_CBC_SHA256       ADH-AES128-SHA256
++ TLS_DH_anon_WITH_AES_256_CBC_SHA256       ADH-AES256-SHA256
++ TLS_DH_anon_WITH_AES_128_GCM_SHA256       ADH-AES128-GCM-SHA256
++ TLS_DH_anon_WITH_AES_256_GCM_SHA384       ADH-AES256-GCM-SHA384
++
++=head2 Pre shared keying (PSK) cipheruites
++
++ TLS_PSK_WITH_RC4_128_SHA                  PSK-RC4-SHA
++ TLS_PSK_WITH_3DES_EDE_CBC_SHA             PSK-3DES-EDE-CBC-SHA
++ TLS_PSK_WITH_AES_128_CBC_SHA              PSK-AES128-CBC-SHA
++ TLS_PSK_WITH_AES_256_CBC_SHA              PSK-AES256-CBC-SHA
++
++=head2 Deprecated SSL v2.0 cipher suites.
+ 
+  SSL_CK_RC4_128_WITH_MD5                 RC4-MD5
+  SSL_CK_RC4_128_EXPORT40_WITH_MD5        EXP-RC4-MD5
+@@ -452,6 +598,11 @@ strength:
+ 
+  openssl ciphers -v 'ALL:!ADH:@STRENGTH'
+ 
++Include all ciphers except ones with no encryption (eNULL) or no
++authentication (aNULL):
++
++ openssl ciphers -v 'ALL:!aNULL'
++
+ Include only 3DES ciphers and then place RSA ciphers last:
+ 
+  openssl ciphers -v '3DES:+RSA'
 diff --git a/doc/crypto/EVP_DigestInit.pod b/doc/crypto/EVP_DigestInit.pod
 index 367691c..310c65e 100644
 --- a/doc/crypto/EVP_DigestInit.pod
@@ -104,11 +408,73 @@
  Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
  License: OpenSSL
  Group: System Environment/Libraries
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 04aa231..c1eb970 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -1180,6 +1180,8 @@ dtls1_buffer_message(SSL *s, int is_ccs)
+ 	OPENSSL_assert(s->init_off == 0);
+ 
+ 	frag = dtls1_hm_fragment_new(s->init_num, 0);
++	if (!frag)
++		return 0;
+ 
+ 	memcpy(frag->fragment, s->init_buf->data, s->init_num);
+ 
+diff --git a/ssl/heartbeat_test.c b/ssl/heartbeat_test.c
+index d8cc559..a0a3690 100644
+--- a/ssl/heartbeat_test.c
++++ b/ssl/heartbeat_test.c
+@@ -38,6 +38,7 @@
+  * http://mike-bland.com/tags/heartbleed.html
+  */
+ 
++#include "../test/testutil.h"
+ #include "../ssl/ssl_locl.h"
+ #include <ctype.h>
+ #include <stdio.h>
+@@ -263,13 +264,10 @@ static int honest_payload_size(unsigned char payload_buf[])
+ 	}
+ 
+ #define SETUP_HEARTBEAT_TEST_FIXTURE(type)\
+-	HEARTBEAT_TEST_FIXTURE fixture = set_up_##type(__func__);\
+-	int result = 0
++  SETUP_TEST_FIXTURE(HEARTBEAT_TEST_FIXTURE, set_up_##type)
+ 
+ #define EXECUTE_HEARTBEAT_TEST()\
+-	if (execute_heartbeat(fixture) != 0) result = 1;\
+-	tear_down(fixture);\
+-	return result
++  EXECUTE_TEST(execute_heartbeat, tear_down)
+ 
+ static int test_dtls1_not_bleeding()
+ 	{
+diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
+index 9914604..c0bdae5 100644
+--- a/ssl/s2_lib.c
++++ b/ssl/s2_lib.c
+@@ -250,7 +250,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[]={
+ 	SSL_SSLV2,
+ 	SSL_NOT_EXP|SSL_HIGH,
+ 	0,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
 diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
-index 0457af8..167bfc6 100644
+index 0457af8..2afb892 100644
 --- a/ssl/s3_clnt.c
 +++ b/ssl/s3_clnt.c
-@@ -901,6 +901,7 @@ int ssl3_get_server_hello(SSL *s)
+@@ -510,6 +510,7 @@ int ssl3_connect(SSL *s)
+ 				s->method->ssl3_enc->client_finished_label,
+ 				s->method->ssl3_enc->client_finished_label_len);
+ 			if (ret <= 0) goto end;
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			s->state=SSL3_ST_CW_FLUSH;
+ 
+ 			/* clear flags */
+@@ -901,6 +902,7 @@ int ssl3_get_server_hello(SSL *s)
  			{
  			s->session->cipher = pref_cipher ?
  				pref_cipher : ssl_get_cipher_by_char(s, p+j);
@@ -116,6 +482,277 @@
  			}
  		}
  #endif /* OPENSSL_NO_TLSEXT */
+diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
+index e3cd4f0..9962677 100644
+--- a/ssl/s3_enc.c
++++ b/ssl/s3_enc.c
+@@ -642,10 +642,18 @@ int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
+ int ssl3_final_finish_mac(SSL *s, 
+ 	     const char *sender, int len, unsigned char *p)
+ 	{
+-	int ret;
++	int ret, sha1len;
+ 	ret=ssl3_handshake_mac(s,NID_md5,sender,len,p);
++	if(ret == 0)
++		return 0;
++
+ 	p+=ret;
+-	ret+=ssl3_handshake_mac(s,NID_sha1,sender,len,p);
++
++	sha1len=ssl3_handshake_mac(s,NID_sha1,sender,len,p);
++	if(sha1len == 0)
++		return 0;
++
++	ret+=sha1len;
+ 	return(ret);
+ 	}
+ static int ssl3_handshake_mac(SSL *s, int md_nid,
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index c4ef273..4835bef 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -328,7 +328,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_SSLV3,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -377,7 +377,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_SSLV3,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_SSLV3,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -474,7 +474,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_SSLV3,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -522,7 +522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_SSLV3,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -602,7 +602,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_SSLV3,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -687,7 +687,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_SSLV3,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -751,7 +751,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_SSLV3,
+ 	SSL_NOT_EXP|SSL_HIGH,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -1685,7 +1685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_TLSV1,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -2062,7 +2062,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_TLSV1,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -2142,7 +2142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_TLSV1,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -2222,7 +2222,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_TLSV1,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -2302,7 +2302,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_TLSV1,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -2382,7 +2382,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_TLSV1,
+ 	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -2426,13 +2426,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
+ 	TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
+ 	SSL_kSRP,
+-	SSL_aNULL,
++	SSL_aSRP,
+ 	SSL_3DES,
+ 	SSL_SHA1,
+ 	SSL_TLSV1,
+ 	SSL_NOT_EXP|SSL_HIGH,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -2448,7 +2448,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_TLSV1,
+ 	SSL_NOT_EXP|SSL_HIGH,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -2464,7 +2464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	SSL_TLSV1,
+ 	SSL_NOT_EXP|SSL_HIGH,
+ 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+-	168,
++	112,
+ 	168,
+ 	},
+ 
+@@ -2474,7 +2474,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
+ 	TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA,
+ 	SSL_kSRP,
+-	SSL_aNULL,
++	SSL_aSRP,
+ 	SSL_AES128,
+ 	SSL_SHA1,
+ 	SSL_TLSV1,
+@@ -2522,7 +2522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ 	TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA,
+ 	TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA,
+ 	SSL_kSRP,
+-	SSL_aNULL,
++	SSL_aSRP,
+ 	SSL_AES256,
+ 	SSL_SHA1,
+ 	SSL_TLSV1,
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index 4c1242c..a9b15d4 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -264,6 +264,7 @@ extern "C" {
+ #define SSL_TXT_aGOST94	"aGOST94"
+ #define SSL_TXT_aGOST01 "aGOST01"
+ #define SSL_TXT_aGOST  "aGOST"
++#define SSL_TXT_aSRP            "aSRP"
+ 
+ #define	SSL_TXT_DSS		"DSS"
+ #define SSL_TXT_DH		"DH"
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 0aba8e0..58f58e0 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -270,6 +270,7 @@ static const SSL_CIPHER cipher_aliases[]={
+ 	{0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0},
+ 	{0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0},
+ 	{0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0},
++	{0,SSL_TXT_aSRP,0,    0,SSL_aSRP,  0,0,0,0,0,0,0},
+ 
+ 	/* aliases combining key exchange and server authentication */
+ 	{0,SSL_TXT_EDH,0,     SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
+@@ -562,7 +563,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+ 		break;
+ 		}
+ 
+-	if ((i < 0) || (i > SSL_ENC_NUM_IDX))
++	if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
+ 		*enc=NULL;
+ 	else
+ 		{
+@@ -596,7 +597,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+ 		i= -1;
+ 		break;
+ 		}
+-	if ((i < 0) || (i > SSL_MD_NUM_IDX))
++	if ((i < 0) || (i >= SSL_MD_NUM_IDX))
+ 	{
+ 		*md=NULL; 
+ 		if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
+@@ -1628,6 +1629,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
+ 	case SSL_aPSK:
+ 		au="PSK";
+ 		break;
++	case SSL_aSRP:
++		au="SRP";
++		break;
+ 	default:
+ 		au="unknown";
+ 		break;
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index e485907..eb4d8f2 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -311,6 +311,7 @@
+ #define SSL_aPSK                0x00000080L /* PSK auth */
+ #define SSL_aGOST94				0x00000100L /* GOST R 34.10-94 signature auth */
+ #define SSL_aGOST01 			0x00000200L /* GOST R 34.10-2001 signature auth */
++#define SSL_aSRP 		0x00000400L /* SRP auth */
+ 
+ 
+ /* Bits for algorithm_enc (symmetric encryption) */
 diff --git a/test/Makefile b/test/Makefile
 index 005f2e8..3e9f819 100644
 --- a/test/Makefile
@@ -143,3 +780,125 @@
  
  #$(AESTEST).o: $(AESTEST).c
  #	$(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
+diff --git a/test/testutil.h b/test/testutil.h
+new file mode 100644
+index 0000000..3e9cb84
+--- /dev/null
++++ b/test/testutil.h
+@@ -0,0 +1,116 @@
++/* test/testutil.h */
++/*
++ * Utilities for writing OpenSSL unit tests.
++ *
++ * More information:
++ * http://wiki.openssl.org/index.php/How_To_Write_Unit_Tests_For_OpenSSL
++ *
++ * Author: Mike Bland (mbland at acm.org)
++ * Date:   2014-06-07
++ * ====================================================================
++ * Copyright (c) 2014 The OpenSSL Project.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in
++ *    the documentation and/or other materials provided with the
++ *    distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ *    software must display the following acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ *    endorse or promote products derived from this software without
++ *    prior written permission. For written permission, please contact
++ *    licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ *    nor may "OpenSSL" appear in their names without prior written
++ *    permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ *    acknowledgment:
++ *    "This product includes software developed by the OpenSSL Project
++ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#ifndef HEADER_TESTUTIL_H
++#define HEADER_TESTUTIL_H
++
++/* SETUP_TEST_FIXTURE and EXECUTE_TEST macros for test case functions.
++ *
++ * SETUP_TEST_FIXTURE will call set_up() to create a new TEST_FIXTURE_TYPE
++ * object called "fixture". It will also allocate the "result" variable used
++ * by EXECUTE_TEST. set_up() should take a const char* specifying the test
++ * case name and return a TEST_FIXTURE_TYPE by value.
++ *
++ * EXECUTE_TEST will pass fixture to execute_func() by value, call
++ * tear_down(), and return the result of execute_func(). execute_func() should
++ * take a TEST_FIXTURE_TYPE by value and return zero on success or one on
++ * failure.
++ *
++ * Unit tests can define their own SETUP_TEST_FIXTURE and EXECUTE_TEST
++ * variations like so:
++ *
++ * #define SETUP_FOOBAR_TEST_FIXTURE()\
++ *   SETUP_TEST_FIXTURE(FOOBAR_TEST_FIXTURE, set_up_foobar)
++ *
++ * #define EXECUTE_FOOBAR_TEST()\
++ *   EXECUTE_TEST(execute_foobar, tear_down_foobar)
++ *
++ * Then test case functions can take the form:
++ *
++ * static int test_foobar_feature()
++ * 	{
++ * 	SETUP_FOOBAR_TEST_FIXTURE();
++ *	[...set individual members of fixture...]
++ * 	EXECUTE_FOOBAR_TEST();
++ * 	}
++ */
++#define SETUP_TEST_FIXTURE(TEST_FIXTURE_TYPE, set_up)\
++	TEST_FIXTURE_TYPE fixture = set_up(TEST_CASE_NAME);\
++	int result = 0
++
++#define EXECUTE_TEST(execute_func, tear_down)\
++	if (execute_func(fixture) != 0) result = 1;\
++	tear_down(fixture);\
++	return result
++
++/* TEST_CASE_NAME is defined as the name of the test case function where
++ * possible; otherwise we get by with the file name and line number.
++ */
++#if __STDC_VERSION__ < 199901L
++#if defined(_MSC_VER)
++#define TEST_CASE_NAME __FUNCTION__
++#else
++#define testutil_stringify_helper(s) #s
++#define testutil_stringify(s) testutil_stringify_helper(s)
++#define TEST_CASE_NAME __FILE__ ":" testutil_stringify(__LINE__)
++#endif /* _MSC_VER */
++#else
++#define TEST_CASE_NAME __func__
++#endif /* __STDC_VERSION__ */
++
++#endif /* HEADER_TESTUTIL_H */




More information about the Pkg-openssl-changes mailing list