[Pkg-openssl-changes] r676 - in openssl/branches/1.0.1/debian: . patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Sat Jun 14 21:49:17 UTC 2014
Author: kroeckx
Date: 2014-06-14 21:49:17 +0000 (Sat, 14 Jun 2014)
New Revision: 676
Modified:
openssl/branches/1.0.1/debian/changelog
openssl/branches/1.0.1/debian/patches/git_snapshot.patch
Log:
New upstream git snapshot
- Allows CCS after finished message, needed for some renegiotation cases.
(Closes: #751093)
Modified: openssl/branches/1.0.1/debian/changelog
===================================================================
--- openssl/branches/1.0.1/debian/changelog 2014-06-09 09:25:26 UTC (rev 675)
+++ openssl/branches/1.0.1/debian/changelog 2014-06-14 21:49:17 UTC (rev 676)
@@ -1,3 +1,11 @@
+openssl (1.0.1h-3) unstable; urgency=medium
+
+ * New upstream git snapshot
+ - Allows CCS after finished message, needed for some renegiotation cases.
+ (Closes: #751093)
+
+ -- Kurt Roeckx <kurt at roeckx.be> Sat, 14 Jun 2014 22:23:21 +0200
+
openssl (1.0.1h-2) unstable; urgency=medium
* Use upstream git snapshot:
Modified: openssl/branches/1.0.1/debian/patches/git_snapshot.patch
===================================================================
--- openssl/branches/1.0.1/debian/patches/git_snapshot.patch 2014-06-09 09:25:26 UTC (rev 675)
+++ openssl/branches/1.0.1/debian/patches/git_snapshot.patch 2014-06-14 21:49:17 UTC (rev 676)
@@ -44,6 +44,34 @@
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+diff --git a/apps/enc.c b/apps/enc.c
+index 19ea3df..c6a211b 100644
+--- a/apps/enc.c
++++ b/apps/enc.c
+@@ -67,7 +67,9 @@
+ #include <openssl/x509.h>
+ #include <openssl/rand.h>
+ #include <openssl/pem.h>
++#ifndef OPENSSL_NO_COMP
+ #include <openssl/comp.h>
++#endif
+ #include <ctype.h>
+
+ int set_hex(char *in,unsigned char *out,int size);
+diff --git a/crypto/ocsp/ocsp_ht.c b/crypto/ocsp/ocsp_ht.c
+index af5fc16..b4126ad 100644
+--- a/crypto/ocsp/ocsp_ht.c
++++ b/crypto/ocsp/ocsp_ht.c
+@@ -490,6 +490,9 @@ OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req)
+
+ ctx = OCSP_sendreq_new(b, path, req, -1);
+
++ if (!ctx)
++ return NULL;
++
+ do
+ {
+ rv = OCSP_sendreq_nbio(&resp, ctx);
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index c3b6ace..a59982e 100644
--- a/crypto/opensslv.h
@@ -75,6 +103,282 @@
#endif
#ifdef _WIN32
+diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod
+index f44aa00..6086d0a 100644
+--- a/doc/apps/ciphers.pod
++++ b/doc/apps/ciphers.pod
+@@ -36,7 +36,7 @@ SSL v2 and for SSL v3/TLS v1.
+
+ =item B<-V>
+
+-Like B<-V>, but include cipher suite codes in output (hex format).
++Like B<-v>, but include cipher suite codes in output (hex format).
+
+ =item B<-ssl3>
+
+@@ -116,8 +116,8 @@ specified.
+ =item B<COMPLEMENTOFDEFAULT>
+
+ the ciphers included in B<ALL>, but not enabled by default. Currently
+-this is B<ADH>. Note that this rule does not cover B<eNULL>, which is
+-not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary).
++this is B<ADH> and B<AECDH>. Note that this rule does not cover B<eNULL>,
++which is not included by B<ALL> (use B<COMPLEMENTOFALL> if necessary).
+
+ =item B<ALL>
+
+@@ -165,21 +165,58 @@ included.
+ =item B<aNULL>
+
+ the cipher suites offering no authentication. This is currently the anonymous
+-DH algorithms. These cipher suites are vulnerable to a "man in the middle"
+-attack and so their use is normally discouraged.
++DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable
++to a "man in the middle" attack and so their use is normally discouraged.
+
+ =item B<kRSA>, B<RSA>
+
+ cipher suites using RSA key exchange.
+
++=item B<kDHr>, B<kDHd>, B<kDH>
++
++cipher suites using DH key agreement and DH certificates signed by CAs with RSA
++and DSS keys or either respectively. Not implemented.
++
+ =item B<kEDH>
+
+-cipher suites using ephemeral DH key agreement.
++cipher suites using ephemeral DH key agreement, including anonymous cipher
++suites.
+
+-=item B<kDHr>, B<kDHd>
++=item B<EDH>
+
+-cipher suites using DH key agreement and DH certificates signed by CAs with RSA
+-and DSS keys respectively. Not implemented.
++cipher suites using authenticated ephemeral DH key agreement.
++
++=item B<ADH>
++
++anonymous DH cipher suites, note that this does not include anonymous Elliptic
++Curve DH (ECDH) cipher suites.
++
++=item B<DH>
++
++cipher suites using DH, including anonymous DH, ephemeral DH and fixed DH.
++
++=item B<kECDHr>, B<kECDHe>, B<kECDH>
++
++cipher suites using fixed ECDH key agreement signed by CAs with RSA and ECDSA
++keys or either respectively.
++
++=item B<kEECDH>
++
++cipher suites using ephemeral ECDH key agreement, including anonymous
++cipher suites.
++
++=item B<EECDHE>
++
++cipher suites using authenticated ephemeral ECDH key agreement.
++
++=item B<AECDH>
++
++anonymous Elliptic Curve Diffie Hellman cipher suites.
++
++=item B<ECDH>
++
++cipher suites using ECDH key exchange, including anonymous, ephemeral and
++fixed ECDH.
+
+ =item B<aRSA>
+
+@@ -194,30 +231,39 @@ cipher suites using DSS authentication, i.e. the certificates carry DSS keys.
+ cipher suites effectively using DH authentication, i.e. the certificates carry
+ DH keys. Not implemented.
+
++=item B<aECDH>
++
++cipher suites effectively using ECDH authentication, i.e. the certificates
++carry ECDH keys.
++
++=item B<aECDSA>, B<ECDSA>
++
++cipher suites using ECDSA authentication, i.e. the certificates carry ECDSA
++keys.
++
+ =item B<kFZA>, B<aFZA>, B<eFZA>, B<FZA>
+
+ ciphers suites using FORTEZZA key exchange, authentication, encryption or all
+ FORTEZZA algorithms. Not implemented.
+
+-=item B<TLSv1>, B<SSLv3>, B<SSLv2>
+-
+-TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively.
++=item B<TLSv1.2>, B<TLSv1>, B<SSLv3>, B<SSLv2>
+
+-=item B<DH>
+-
+-cipher suites using DH, including anonymous DH.
++TLS v1.2, TLS v1.0, SSL v3.0 or SSL v2.0 cipher suites respectively. Note:
++there are no ciphersuites specific to TLS v1.1.
+
+-=item B<ADH>
++=item B<AES128>, B<AES256>, B<AES>
+
+-anonymous DH cipher suites.
++cipher suites using 128 bit AES, 256 bit AES or either 128 or 256 bit AES.
+
+-=item B<AES>
++=item B<AESGCM>
+
+-cipher suites using AES.
++AES in Galois Counter Mode (GCM): these ciphersuites are only supported
++in TLS v1.2.
+
+-=item B<CAMELLIA>
++=item B<CAMELLIA128>, B<CAMELLIA256>, B<CAMELLIA>
+
+-cipher suites using Camellia.
++cipher suites using 128 bit CAMELLIA, 256 bit CAMELLIA or either 128 or 256 bit
++CAMELLIA.
+
+ =item B<3DES>
+
+@@ -251,6 +297,10 @@ cipher suites using MD5.
+
+ cipher suites using SHA1.
+
++=item B<SHA256>, B<SHA384>
++
++ciphersuites using SHA256 or SHA384.
++
+ =item B<aGOST>
+
+ cipher suites using GOST R 34.10 (either 2001 or 94) for authenticaction
+@@ -277,6 +327,9 @@ cipher suites, using HMAC based on GOST R 34.11-94.
+
+ cipher suites using GOST 28147-89 MAC B<instead of> HMAC.
+
++=item B<PSK>
++
++cipher suites using pre-shared keys (PSK).
+
+ =back
+
+@@ -423,7 +476,100 @@ Note: these ciphers can also be used in SSL v3.
+ TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA EXP1024-DHE-DSS-RC4-SHA
+ TLS_DHE_DSS_WITH_RC4_128_SHA DHE-DSS-RC4-SHA
+
+-=head2 SSL v2.0 cipher suites.
++=head2 Elliptic curve cipher suites.
++
++ TLS_ECDH_RSA_WITH_NULL_SHA ECDH-RSA-NULL-SHA
++ TLS_ECDH_RSA_WITH_RC4_128_SHA ECDH-RSA-RC4-SHA
++ TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ECDH-RSA-DES-CBC3-SHA
++ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ECDH-RSA-AES128-SHA
++ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA ECDH-RSA-AES256-SHA
++
++ TLS_ECDH_ECDSA_WITH_NULL_SHA ECDH-ECDSA-NULL-SHA
++ TLS_ECDH_ECDSA_WITH_RC4_128_SHA ECDH-ECDSA-RC4-SHA
++ TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ECDH-ECDSA-DES-CBC3-SHA
++ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ECDH-ECDSA-AES128-SHA
++ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ECDH-ECDSA-AES256-SHA
++
++ TLS_ECDHE_RSA_WITH_NULL_SHA ECDHE-RSA-NULL-SHA
++ TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDHE-RSA-RC4-SHA
++ TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE-RSA-DES-CBC3-SHA
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE-RSA-AES128-SHA
++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE-RSA-AES256-SHA
++
++ TLS_ECDHE_ECDSA_WITH_NULL_SHA ECDHE-ECDSA-NULL-SHA
++ TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ECDHE-ECDSA-RC4-SHA
++ TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE-ECDSA-DES-CBC3-SHA
++ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE-ECDSA-AES128-SHA
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE-ECDSA-AES256-SHA
++
++ TLS_ECDH_anon_WITH_NULL_SHA AECDH-NULL-SHA
++ TLS_ECDH_anon_WITH_RC4_128_SHA AECDH-RC4-SHA
++ TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA AECDH-DES-CBC3-SHA
++ TLS_ECDH_anon_WITH_AES_128_CBC_SHA AECDH-AES128-SHA
++ TLS_ECDH_anon_WITH_AES_256_CBC_SHA AECDH-AES256-SHA
++
++=head2 TLS v1.2 cipher suites
++
++ TLS_RSA_WITH_NULL_SHA256 NULL-SHA256
++
++ TLS_RSA_WITH_AES_128_CBC_SHA256 AES128-SHA256
++ TLS_RSA_WITH_AES_256_CBC_SHA256 AES256-SHA256
++ TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-GCM-SHA256
++ TLS_RSA_WITH_AES_256_GCM_SHA384 AES256-GCM-SHA384
++
++ TLS_DH_RSA_WITH_AES_128_CBC_SHA256 Not implemented.
++ TLS_DH_RSA_WITH_AES_256_CBC_SHA256 Not implemented.
++ TLS_DH_RSA_WITH_AES_128_GCM_SHA256 Not implemented.
++ TLS_DH_RSA_WITH_AES_256_GCM_SHA384 Not implemented.
++
++ TLS_DH_DSS_WITH_AES_128_CBC_SHA256 Not implemented.
++ TLS_DH_DSS_WITH_AES_256_CBC_SHA256 Not implemented.
++ TLS_DH_DSS_WITH_AES_128_GCM_SHA256 Not implemented.
++ TLS_DH_DSS_WITH_AES_256_GCM_SHA384 Not implemented.
++
++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DHE-RSA-AES128-SHA256
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DHE-RSA-AES256-SHA256
++ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DHE-RSA-AES128-GCM-SHA256
++ TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DHE-RSA-AES256-GCM-SHA384
++
++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE-DSS-AES128-SHA256
++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE-DSS-AES256-SHA256
++ TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE-DSS-AES128-GCM-SHA256
++ TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE-DSS-AES256-GCM-SHA384
++
++ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ECDH-RSA-AES128-SHA256
++ TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 ECDH-RSA-AES256-SHA384
++ TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ECDH-RSA-AES128-GCM-SHA256
++ TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 ECDH-RSA-AES256-GCM-SHA384
++
++ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ECDH-ECDSA-AES128-SHA256
++ TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ECDH-ECDSA-AES256-SHA384
++ TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH-ECDSA-AES128-GCM-SHA256
++ TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ECDH-ECDSA-AES256-GCM-SHA384
++
++ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE-RSA-AES128-SHA256
++ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDHE-RSA-AES256-SHA384
++ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256
++ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDHE-RSA-AES256-GCM-SHA384
++
++ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE-ECDSA-AES128-SHA256
++ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDHE-ECDSA-AES256-SHA384
++ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
++ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384
++
++ TLS_DH_anon_WITH_AES_128_CBC_SHA256 ADH-AES128-SHA256
++ TLS_DH_anon_WITH_AES_256_CBC_SHA256 ADH-AES256-SHA256
++ TLS_DH_anon_WITH_AES_128_GCM_SHA256 ADH-AES128-GCM-SHA256
++ TLS_DH_anon_WITH_AES_256_GCM_SHA384 ADH-AES256-GCM-SHA384
++
++=head2 Pre shared keying (PSK) cipheruites
++
++ TLS_PSK_WITH_RC4_128_SHA PSK-RC4-SHA
++ TLS_PSK_WITH_3DES_EDE_CBC_SHA PSK-3DES-EDE-CBC-SHA
++ TLS_PSK_WITH_AES_128_CBC_SHA PSK-AES128-CBC-SHA
++ TLS_PSK_WITH_AES_256_CBC_SHA PSK-AES256-CBC-SHA
++
++=head2 Deprecated SSL v2.0 cipher suites.
+
+ SSL_CK_RC4_128_WITH_MD5 RC4-MD5
+ SSL_CK_RC4_128_EXPORT40_WITH_MD5 EXP-RC4-MD5
+@@ -452,6 +598,11 @@ strength:
+
+ openssl ciphers -v 'ALL:!ADH:@STRENGTH'
+
++Include all ciphers except ones with no encryption (eNULL) or no
++authentication (aNULL):
++
++ openssl ciphers -v 'ALL:!aNULL'
++
+ Include only 3DES ciphers and then place RSA ciphers last:
+
+ openssl ciphers -v '3DES:+RSA'
diff --git a/doc/crypto/EVP_DigestInit.pod b/doc/crypto/EVP_DigestInit.pod
index 367691c..310c65e 100644
--- a/doc/crypto/EVP_DigestInit.pod
@@ -104,11 +408,73 @@
Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
License: OpenSSL
Group: System Environment/Libraries
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 04aa231..c1eb970 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -1180,6 +1180,8 @@ dtls1_buffer_message(SSL *s, int is_ccs)
+ OPENSSL_assert(s->init_off == 0);
+
+ frag = dtls1_hm_fragment_new(s->init_num, 0);
++ if (!frag)
++ return 0;
+
+ memcpy(frag->fragment, s->init_buf->data, s->init_num);
+
+diff --git a/ssl/heartbeat_test.c b/ssl/heartbeat_test.c
+index d8cc559..a0a3690 100644
+--- a/ssl/heartbeat_test.c
++++ b/ssl/heartbeat_test.c
+@@ -38,6 +38,7 @@
+ * http://mike-bland.com/tags/heartbleed.html
+ */
+
++#include "../test/testutil.h"
+ #include "../ssl/ssl_locl.h"
+ #include <ctype.h>
+ #include <stdio.h>
+@@ -263,13 +264,10 @@ static int honest_payload_size(unsigned char payload_buf[])
+ }
+
+ #define SETUP_HEARTBEAT_TEST_FIXTURE(type)\
+- HEARTBEAT_TEST_FIXTURE fixture = set_up_##type(__func__);\
+- int result = 0
++ SETUP_TEST_FIXTURE(HEARTBEAT_TEST_FIXTURE, set_up_##type)
+
+ #define EXECUTE_HEARTBEAT_TEST()\
+- if (execute_heartbeat(fixture) != 0) result = 1;\
+- tear_down(fixture);\
+- return result
++ EXECUTE_TEST(execute_heartbeat, tear_down)
+
+ static int test_dtls1_not_bleeding()
+ {
+diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
+index 9914604..c0bdae5 100644
+--- a/ssl/s2_lib.c
++++ b/ssl/s2_lib.c
+@@ -250,7 +250,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[]={
+ SSL_SSLV2,
+ SSL_NOT_EXP|SSL_HIGH,
+ 0,
+- 168,
++ 112,
+ 168,
+ },
+
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
-index 0457af8..167bfc6 100644
+index 0457af8..2afb892 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
-@@ -901,6 +901,7 @@ int ssl3_get_server_hello(SSL *s)
+@@ -510,6 +510,7 @@ int ssl3_connect(SSL *s)
+ s->method->ssl3_enc->client_finished_label,
+ s->method->ssl3_enc->client_finished_label_len);
+ if (ret <= 0) goto end;
++ s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ s->state=SSL3_ST_CW_FLUSH;
+
+ /* clear flags */
+@@ -901,6 +902,7 @@ int ssl3_get_server_hello(SSL *s)
{
s->session->cipher = pref_cipher ?
pref_cipher : ssl_get_cipher_by_char(s, p+j);
@@ -116,6 +482,277 @@
}
}
#endif /* OPENSSL_NO_TLSEXT */
+diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
+index e3cd4f0..9962677 100644
+--- a/ssl/s3_enc.c
++++ b/ssl/s3_enc.c
+@@ -642,10 +642,18 @@ int ssl3_cert_verify_mac(SSL *s, int md_nid, unsigned char *p)
+ int ssl3_final_finish_mac(SSL *s,
+ const char *sender, int len, unsigned char *p)
+ {
+- int ret;
++ int ret, sha1len;
+ ret=ssl3_handshake_mac(s,NID_md5,sender,len,p);
++ if(ret == 0)
++ return 0;
++
+ p+=ret;
+- ret+=ssl3_handshake_mac(s,NID_sha1,sender,len,p);
++
++ sha1len=ssl3_handshake_mac(s,NID_sha1,sender,len,p);
++ if(sha1len == 0)
++ return 0;
++
++ ret+=sha1len;
+ return(ret);
+ }
+ static int ssl3_handshake_mac(SSL *s, int md_nid,
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index c4ef273..4835bef 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -328,7 +328,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -377,7 +377,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -425,7 +425,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -474,7 +474,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -522,7 +522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -602,7 +602,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -687,7 +687,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -751,7 +751,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_SSLV3,
+ SSL_NOT_EXP|SSL_HIGH,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -1685,7 +1685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -2062,7 +2062,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -2142,7 +2142,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -2222,7 +2222,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -2302,7 +2302,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -2382,7 +2382,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -2426,13 +2426,13 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
+ TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
+ SSL_kSRP,
+- SSL_aNULL,
++ SSL_aSRP,
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -2448,7 +2448,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -2464,7 +2464,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ SSL_TLSV1,
+ SSL_NOT_EXP|SSL_HIGH,
+ SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
+- 168,
++ 112,
+ 168,
+ },
+
+@@ -2474,7 +2474,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
+ TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA,
+ SSL_kSRP,
+- SSL_aNULL,
++ SSL_aSRP,
+ SSL_AES128,
+ SSL_SHA1,
+ SSL_TLSV1,
+@@ -2522,7 +2522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
+ TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA,
+ TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA,
+ SSL_kSRP,
+- SSL_aNULL,
++ SSL_aSRP,
+ SSL_AES256,
+ SSL_SHA1,
+ SSL_TLSV1,
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index 4c1242c..a9b15d4 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -264,6 +264,7 @@ extern "C" {
+ #define SSL_TXT_aGOST94 "aGOST94"
+ #define SSL_TXT_aGOST01 "aGOST01"
+ #define SSL_TXT_aGOST "aGOST"
++#define SSL_TXT_aSRP "aSRP"
+
+ #define SSL_TXT_DSS "DSS"
+ #define SSL_TXT_DH "DH"
+diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
+index 0aba8e0..58f58e0 100644
+--- a/ssl/ssl_ciph.c
++++ b/ssl/ssl_ciph.c
+@@ -270,6 +270,7 @@ static const SSL_CIPHER cipher_aliases[]={
+ {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0},
+ {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0},
+ {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0},
++ {0,SSL_TXT_aSRP,0, 0,SSL_aSRP, 0,0,0,0,0,0,0},
+
+ /* aliases combining key exchange and server authentication */
+ {0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
+@@ -562,7 +563,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+ break;
+ }
+
+- if ((i < 0) || (i > SSL_ENC_NUM_IDX))
++ if ((i < 0) || (i >= SSL_ENC_NUM_IDX))
+ *enc=NULL;
+ else
+ {
+@@ -596,7 +597,7 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+ i= -1;
+ break;
+ }
+- if ((i < 0) || (i > SSL_MD_NUM_IDX))
++ if ((i < 0) || (i >= SSL_MD_NUM_IDX))
+ {
+ *md=NULL;
+ if (mac_pkey_type!=NULL) *mac_pkey_type = NID_undef;
+@@ -1628,6 +1629,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
+ case SSL_aPSK:
+ au="PSK";
+ break;
++ case SSL_aSRP:
++ au="SRP";
++ break;
+ default:
+ au="unknown";
+ break;
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index e485907..eb4d8f2 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -311,6 +311,7 @@
+ #define SSL_aPSK 0x00000080L /* PSK auth */
+ #define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
+ #define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
++#define SSL_aSRP 0x00000400L /* SRP auth */
+
+
+ /* Bits for algorithm_enc (symmetric encryption) */
diff --git a/test/Makefile b/test/Makefile
index 005f2e8..3e9f819 100644
--- a/test/Makefile
@@ -143,3 +780,125 @@
#$(AESTEST).o: $(AESTEST).c
# $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c
+diff --git a/test/testutil.h b/test/testutil.h
+new file mode 100644
+index 0000000..3e9cb84
+--- /dev/null
++++ b/test/testutil.h
+@@ -0,0 +1,116 @@
++/* test/testutil.h */
++/*
++ * Utilities for writing OpenSSL unit tests.
++ *
++ * More information:
++ * http://wiki.openssl.org/index.php/How_To_Write_Unit_Tests_For_OpenSSL
++ *
++ * Author: Mike Bland (mbland at acm.org)
++ * Date: 2014-06-07
++ * ====================================================================
++ * Copyright (c) 2014 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing at OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ */
++
++#ifndef HEADER_TESTUTIL_H
++#define HEADER_TESTUTIL_H
++
++/* SETUP_TEST_FIXTURE and EXECUTE_TEST macros for test case functions.
++ *
++ * SETUP_TEST_FIXTURE will call set_up() to create a new TEST_FIXTURE_TYPE
++ * object called "fixture". It will also allocate the "result" variable used
++ * by EXECUTE_TEST. set_up() should take a const char* specifying the test
++ * case name and return a TEST_FIXTURE_TYPE by value.
++ *
++ * EXECUTE_TEST will pass fixture to execute_func() by value, call
++ * tear_down(), and return the result of execute_func(). execute_func() should
++ * take a TEST_FIXTURE_TYPE by value and return zero on success or one on
++ * failure.
++ *
++ * Unit tests can define their own SETUP_TEST_FIXTURE and EXECUTE_TEST
++ * variations like so:
++ *
++ * #define SETUP_FOOBAR_TEST_FIXTURE()\
++ * SETUP_TEST_FIXTURE(FOOBAR_TEST_FIXTURE, set_up_foobar)
++ *
++ * #define EXECUTE_FOOBAR_TEST()\
++ * EXECUTE_TEST(execute_foobar, tear_down_foobar)
++ *
++ * Then test case functions can take the form:
++ *
++ * static int test_foobar_feature()
++ * {
++ * SETUP_FOOBAR_TEST_FIXTURE();
++ * [...set individual members of fixture...]
++ * EXECUTE_FOOBAR_TEST();
++ * }
++ */
++#define SETUP_TEST_FIXTURE(TEST_FIXTURE_TYPE, set_up)\
++ TEST_FIXTURE_TYPE fixture = set_up(TEST_CASE_NAME);\
++ int result = 0
++
++#define EXECUTE_TEST(execute_func, tear_down)\
++ if (execute_func(fixture) != 0) result = 1;\
++ tear_down(fixture);\
++ return result
++
++/* TEST_CASE_NAME is defined as the name of the test case function where
++ * possible; otherwise we get by with the file name and line number.
++ */
++#if __STDC_VERSION__ < 199901L
++#if defined(_MSC_VER)
++#define TEST_CASE_NAME __FUNCTION__
++#else
++#define testutil_stringify_helper(s) #s
++#define testutil_stringify(s) testutil_stringify_helper(s)
++#define TEST_CASE_NAME __FILE__ ":" testutil_stringify(__LINE__)
++#endif /* _MSC_VER */
++#else
++#define TEST_CASE_NAME __func__
++#endif /* __STDC_VERSION__ */
++
++#endif /* HEADER_TESTUTIL_H */
More information about the Pkg-openssl-changes
mailing list