[Pkg-openssl-changes] r715 - in openssl/branches/squeeze/debian: . patches

Kurt Roeckx kroeckx at moszumanska.debian.org
Sun Jan 11 13:02:46 UTC 2015


Author: kroeckx
Date: 2015-01-11 13:02:12 +0000 (Sun, 11 Jan 2015)
New Revision: 715

Added:
   openssl/branches/squeeze/debian/patches/0001-Return-error-when-a-bit-string-indicates-an-invalid-.patch
   openssl/branches/squeeze/debian/patches/0002-Add-ASN1_TYPE_cmp-and-X509_ALGOR_cmp.patch
   openssl/branches/squeeze/debian/patches/0004-Fix-various-certificate-fingerprint-issues.patch
   openssl/branches/squeeze/debian/patches/0005-ECDH-downgrade-bug-fix.patch
   openssl/branches/squeeze/debian/patches/0006-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch
   openssl/branches/squeeze/debian/patches/0007-use-correct-function-name.patch
   openssl/branches/squeeze/debian/patches/0009-fix-error-discrepancy.patch
   openssl/branches/squeeze/debian/patches/0010-Fix-for-CVE-2014-3570.patch
   openssl/branches/squeeze/debian/patches/0011-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch
   openssl/branches/squeeze/debian/patches/0012-Follow-on-from-CVE-2014-3571.-This-fixes-the-code-th.patch
   openssl/branches/squeeze/debian/patches/0013-Fix-typo.patch
Modified:
   openssl/branches/squeeze/debian/changelog
   openssl/branches/squeeze/debian/patches/series
Log:
Fix various security issues.


Modified: openssl/branches/squeeze/debian/changelog
===================================================================
--- openssl/branches/squeeze/debian/changelog	2015-01-11 12:45:22 UTC (rev 714)
+++ openssl/branches/squeeze/debian/changelog	2015-01-11 13:02:12 UTC (rev 715)
@@ -1,3 +1,14 @@
+openssl (0.9.8o-4squeeze19) squeeze-lts; urgency=medium
+
+  * Fix CVE-2014-8275
+  * Fix CVE-2014-3572
+  * Fix CVE-2015-0204
+  * Fix CVE-2014-3570
+  * Fix CVE-2014-3571
+  * Fix typo related to CVE-2015-0205
+
+ -- Kurt Roeckx <kurt at roeckx.be>  Sun, 11 Jan 2015 13:27:41 +0100
+
 openssl (0.9.8o-4squeeze18) squeeze-lts; urgency=medium
 
   * Fix CVE-2014-3567

Added: openssl/branches/squeeze/debian/patches/0001-Return-error-when-a-bit-string-indicates-an-invalid-.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/0001-Return-error-when-a-bit-string-indicates-an-invalid-.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/0001-Return-error-when-a-bit-string-indicates-an-invalid-.patch	2015-01-11 13:02:12 UTC (rev 715)
@@ -0,0 +1,63 @@
+From 7fae32f6d69baf27ef69d92499c59c8a3277f3e3 Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <kurt at roeckx.be>
+Date: Mon, 15 Dec 2014 17:15:16 +0100
+Subject: [PATCH 01/15] Return error when a bit string indicates an invalid
+ amount of bits left
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(cherry picked from commit 86edf13b1c97526c0cf63c37342aaa01f5442688)
+---
+ crypto/asn1/a_bitstr.c | 7 ++++++-
+ crypto/asn1/asn1.h     | 1 +
+ crypto/asn1/asn1_err.c | 1 +
+ 3 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
+index 0fb9ce0..665fc09 100644
+--- a/crypto/asn1/a_bitstr.c
++++ b/crypto/asn1/a_bitstr.c
+@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
+ 
+ 	p= *pp;
+ 	i= *(p++);
++	if (i > 7)
++		{
++		i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
++		goto err;
++		}
+ 	/* We do this to preserve the settings.  If we modify
+ 	 * the settings, via the _set_bit function, we will recalculate
+ 	 * on output */
+ 	ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
+-	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
++	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
+ 
+ 	if (len-- > 1) /* using one because of the bits left byte */
+ 		{
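Review bot: The new guard at the top of the hunk rejects an unused-bits octet above 7 but still accepts a BIT STRING that has no content octets and a non-zero unused-bits count; X.690 8.6.2.3 requires the initial octet to be zero when there are no subsequent octets, and the `if (len-- > 1)` test just below shows that `len` still counts that initial octet at this point. A stricter form is `if (i > 7 || (len == 1 && i != 0))`, assuming `len >= 1` is already enforced before the hunk (the start of c2i_ASN1_BIT_STRING, including whatever validates `len`, and the `err` label are outside this hunk, so confirm). Since the low three bits of `flags` are now stored unmasked, every later `flags & 0x7` consumer depends on this guard; a one-line comment on the `ret->flags|=` line, `/* i was range-checked above, no masking needed */`, would make that dependency explicit.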
+diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
+index 4add41e..aeb3f4c 100644
+--- a/crypto/asn1/asn1.h
++++ b/crypto/asn1/asn1.h
+@@ -1260,6 +1260,7 @@ void ERR_load_ASN1_strings(void);
+ #define ASN1_R_ILLEGAL_TIME_VALUE			 184
+ #define ASN1_R_INTEGER_NOT_ASCII_FORMAT			 185
+ #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG		 128
++#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT		 220
+ #define ASN1_R_INVALID_BMPSTRING_LENGTH			 129
+ #define ASN1_R_INVALID_DIGIT				 130
+ #define ASN1_R_INVALID_MIME_TYPE			 200
+diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
+index afe037d..92b4f8f 100644
+--- a/crypto/asn1/asn1_err.c
++++ b/crypto/asn1/asn1_err.c
+@@ -235,6 +235,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
+ {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE)   ,"illegal time value"},
+ {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
+ {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
++{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
+ {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
+ {ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
+ {ERR_REASON(ASN1_R_INVALID_MIME_TYPE)    ,"invalid mime type"},
+-- 
+2.1.4
+

Added: openssl/branches/squeeze/debian/patches/0002-Add-ASN1_TYPE_cmp-and-X509_ALGOR_cmp.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/0002-Add-ASN1_TYPE_cmp-and-X509_ALGOR_cmp.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/0002-Add-ASN1_TYPE_cmp-and-X509_ALGOR_cmp.patch	2015-01-11 13:02:12 UTC (rev 715)
@@ -0,0 +1,116 @@
+From c22e2dd6e52899926d1f1ee3a2b5b9570d03130f Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Sun, 14 Dec 2014 23:14:15 +0000
+Subject: [PATCH 02/15] Add ASN1_TYPE_cmp and X509_ALGOR_cmp.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+(these are needed for certificate fingerprint fixes)
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ crypto/asn1/a_type.c  | 46 ++++++++++++++++++++++++++++++++++++++++++++++
+ crypto/asn1/asn1.h    |  1 +
+ crypto/asn1/x_algor.c | 10 ++++++++++
+ crypto/x509/x509.h    |  1 +
+ 4 files changed, 58 insertions(+)
+
+diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c
+index 36becea..b7a95ad 100644
+--- a/crypto/asn1/a_type.c
++++ b/crypto/asn1/a_type.c
+@@ -108,3 +108,49 @@ int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value)
+ 
+ IMPLEMENT_STACK_OF(ASN1_TYPE)
+ IMPLEMENT_ASN1_SET_OF(ASN1_TYPE)
++
++/* Returns 0 if they are equal, != 0 otherwise. */
++int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
++	{
++	int result = -1;
++
++	if (!a || !b || a->type != b->type) return -1;
++
++	switch (a->type)
++		{
++	case V_ASN1_OBJECT:
++		result = OBJ_cmp(a->value.object, b->value.object);
++		break;
++	case V_ASN1_NULL:
++		result = 0;	/* They do not have content. */
++		break;
++	case V_ASN1_INTEGER:
++	case V_ASN1_NEG_INTEGER:
++	case V_ASN1_ENUMERATED:
++	case V_ASN1_NEG_ENUMERATED:
++	case V_ASN1_BIT_STRING:
++	case V_ASN1_OCTET_STRING:
++	case V_ASN1_SEQUENCE:
++	case V_ASN1_SET:
++	case V_ASN1_NUMERICSTRING:
++	case V_ASN1_PRINTABLESTRING:
++	case V_ASN1_T61STRING:
++	case V_ASN1_VIDEOTEXSTRING:
++	case V_ASN1_IA5STRING:
++	case V_ASN1_UTCTIME:
++	case V_ASN1_GENERALIZEDTIME:
++	case V_ASN1_GRAPHICSTRING:
++	case V_ASN1_VISIBLESTRING:
++	case V_ASN1_GENERALSTRING:
++	case V_ASN1_UNIVERSALSTRING:
++	case V_ASN1_BMPSTRING:
++	case V_ASN1_UTF8STRING:
++	case V_ASN1_OTHER:
++	default:
++		result = ASN1_STRING_cmp((ASN1_STRING *) a->value.ptr,
++					 (ASN1_STRING *) b->value.ptr);
++		break;
++		}
++
++	return result;
++	}
+diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
+index aeb3f4c..bd7af2d 100644
+--- a/crypto/asn1/asn1.h
++++ b/crypto/asn1/asn1.h
+@@ -769,6 +769,7 @@ DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE)
+ int ASN1_TYPE_get(ASN1_TYPE *a);
+ void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
+ int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);
++int            ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);
+ 
+ ASN1_OBJECT *	ASN1_OBJECT_new(void );
+ void		ASN1_OBJECT_free(ASN1_OBJECT *a);
+diff --git a/crypto/asn1/x_algor.c b/crypto/asn1/x_algor.c
+index 99e5342..acc41ba 100644
+--- a/crypto/asn1/x_algor.c
++++ b/crypto/asn1/x_algor.c
+@@ -128,3 +128,13 @@ void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
+ 		}
+ 	}
+ 
++int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b)
++	{
++	int rv;
++	rv = OBJ_cmp(a->algorithm, b->algorithm);
++	if (rv)
++		return rv;
++	if (!a->parameter && !b->parameter)
++		return 0;
++	return ASN1_TYPE_cmp(a->parameter, b->parameter);
++	}
+diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
+index c34689a..e77ee69 100644
+--- a/crypto/x509/x509.h
++++ b/crypto/x509/x509.h
+@@ -870,6 +870,7 @@ X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
+ int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
+ void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
+ 						X509_ALGOR *algor);
++int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
+ 
+ X509_NAME *X509_NAME_dup(X509_NAME *xn);
+ X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
+-- 
+2.1.4
+

Added: openssl/branches/squeeze/debian/patches/0004-Fix-various-certificate-fingerprint-issues.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/0004-Fix-various-certificate-fingerprint-issues.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/0004-Fix-various-certificate-fingerprint-issues.patch	2015-01-11 13:02:12 UTC (rev 715)
@@ -0,0 +1,171 @@
+From ec2fede9467ae1a65f452d3a39f7fbc4891d9285 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Sat, 20 Dec 2014 15:09:50 +0000
+Subject: [PATCH 04/15] Fix various certificate fingerprint issues.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+By using non-DER or invalid encodings outside the signed portion of a
+certificate the fingerprint can be changed without breaking the signature.
+Although no details of the signed portion of the certificate can be changed
+this can cause problems with some applications: e.g. those using the
+certificate fingerprint for blacklists.
+
+1. Reject signatures with non zero unused bits.
+
+If the BIT STRING containing the signature has non zero unused bits reject
+the signature. All current signature algorithms require zero unused bits.
+
+2. Check certificate algorithm consistency.
+
+Check the AlgorithmIdentifier inside TBS matches the one in the
+certificate signature. NB: this will result in signature failure
+errors for some broken certificates.
+
+3. Check DSA/ECDSA signatures use DER.
+
+Reencode DSA/ECDSA signatures and compare with the original received
+signature. Return an error if there is a mismatch.
+
+This will reject various cases including garbage after signature
+(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
+program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
+(negative or with leading zeroes).
+
+CVE-2014-8275
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+
+(cherry picked from commit 208a6012be3077d83df4475f32dd1b1446f3a02e)
+
+Conflicts:
+	crypto/dsa/dsa_vrf.c
+---
+ crypto/asn1/a_verify.c | 12 ++++++++++++
+ crypto/dsa/dsa_asn1.c  | 16 ++++++++++++++--
+ crypto/ecdsa/ecs_vrf.c | 15 ++++++++++++++-
+ crypto/x509/x_all.c    |  2 ++
+ 5 files changed, 78 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
+index 7ded69b..3ef363d 100644
+--- a/crypto/asn1/a_verify.c
++++ b/crypto/asn1/a_verify.c
+@@ -89,6 +89,12 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
+ 		ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+ 		goto err;
+ 		}
++
++	if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
++		{
++		ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
++		goto err;
++		}
+ 	
+ 	inl=i2d(data,NULL);
+ 	buf_in=OPENSSL_malloc((unsigned int)inl);
+@@ -144,6 +150,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
+ 		return -1;
+ 		}
+ 
++	if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
++		{
++		ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
++		return -1;
++		}
++
+ 	EVP_MD_CTX_init(&ctx);
+ 	i=OBJ_obj2nid(a->algorithm);
+ 	type=EVP_get_digestbyname(OBJ_nid2sn(i));
+diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c
+index bc7d7a0..08d4772 100644
+--- a/crypto/dsa/dsa_asn1.c
++++ b/crypto/dsa/dsa_asn1.c
+@@ -200,7 +200,11 @@ int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
+ 	     const unsigned char *sigbuf, int siglen, DSA *dsa)
+ 	{
+ 	DSA_SIG *s;
++	const unsigned char *p = sigbuf;
++	unsigned char *der = NULL;
++	int derlen = -1;
+ 	int ret=-1;
++
+ #ifdef OPENSSL_FIPS
+ 	if(FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
+ 		{
+@@ -211,10 +215,18 @@ int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
+ 
+ 	s = DSA_SIG_new();
+ 	if (s == NULL) return(ret);
+-	if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
++	if (d2i_DSA_SIG(&s,&p,siglen) == NULL) goto err;
++	/* Ensure signature uses DER and doesn't have trailing garbage */
++	derlen = i2d_DSA_SIG(s, &der);
++	if (derlen != siglen || memcmp(sigbuf, der, derlen))
++		goto err;
+ 	ret=DSA_do_verify(dgst,dgst_len,s,dsa);
+ err:
++	if (derlen > 0)
++		{
++		OPENSSL_cleanse(der, derlen);
++		OPENSSL_free(der);
++		}
+ 	DSA_SIG_free(s);
+ 	return(ret);
+ 	}
+-
+diff --git a/crypto/ecdsa/ecs_vrf.c b/crypto/ecdsa/ecs_vrf.c
+index ef9acf7..2836efe 100644
+--- a/crypto/ecdsa/ecs_vrf.c
++++ b/crypto/ecdsa/ecs_vrf.c
+@@ -57,6 +57,7 @@
+  */
+ 
+ #include "ecs_locl.h"
++#include "cryptlib.h"
+ #ifndef OPENSSL_NO_ENGINE
+ #include <openssl/engine.h>
+ #endif
+@@ -84,13 +85,25 @@ int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len,
+ 		const unsigned char *sigbuf, int sig_len, EC_KEY *eckey)
+  	{
+ 	ECDSA_SIG *s;
++	const unsigned char *p = sigbuf;
++	unsigned char *der = NULL;
++	int derlen = -1;
+ 	int ret=-1;
+ 
+ 	s = ECDSA_SIG_new();
+ 	if (s == NULL) return(ret);
+-	if (d2i_ECDSA_SIG(&s, &sigbuf, sig_len) == NULL) goto err;
++	if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) goto err;
++	/* Ensure signature uses DER and doesn't have trailing garbage */
++	derlen = i2d_ECDSA_SIG(s, &der);
++	if (derlen != sig_len || memcmp(sigbuf, der, derlen))
++		goto err;
+ 	ret=ECDSA_do_verify(dgst, dgst_len, s, eckey);
+ err:
++	if (derlen > 0)
++		{
++		OPENSSL_cleanse(der, derlen);
++		OPENSSL_free(der);
++		}
+ 	ECDSA_SIG_free(s);
+ 	return(ret);
+ 	}
+diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
+index c7b07f7..f4c68fc 100644
+--- a/crypto/x509/x_all.c
++++ b/crypto/x509/x_all.c
+@@ -73,6 +73,8 @@
+ 
+ int X509_verify(X509 *a, EVP_PKEY *r)
+ 	{
++	if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
++		return 0;
+ 	return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg,
+ 		a->signature,a->cert_info,r));
+ 	}
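Review bot: The new `X509_ALGOR_cmp` mismatch path in `X509_verify` returns 0 without pushing anything onto the error queue, so a certificate whose outer signatureAlgorithm disagrees with the TBS `signature` field fails with an empty `ERR_get_error()` and is indistinguishable from a plain bad signature; the commit message itself expects this check to reject some deployed broken certificates, so operators will want something diagnosable. If no suitable X509 reason code exists in this tree, at least record the behaviour at the check: `/* Reject certificates whose outer signatureAlgorithm differs from the TBS signature field (CVE-2014-8275); no error is queued, callers see an ordinary verify failure. */`. `X509_verify` is fully within the hunk.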
+-- 
+2.1.4
+

Added: openssl/branches/squeeze/debian/patches/0005-ECDH-downgrade-bug-fix.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/0005-ECDH-downgrade-bug-fix.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/0005-ECDH-downgrade-bug-fix.patch	2015-01-11 13:02:12 UTC (rev 715)
@@ -0,0 +1,56 @@
+From e42a2abadc90664e2615dc63ba7f79cf163f780a Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Fri, 24 Oct 2014 12:30:33 +0100
+Subject: [PATCH 05/15] ECDH downgrade bug fix.
+
+Fix bug where an OpenSSL client would accept a handshake using an
+ephemeral ECDH ciphersuites with the server key exchange message omitted.
+
+Thanks to Karthikeyan Bhargavan for reporting this issue.
+
+CVE-2014-3572
+Reviewed-by: Matt Caswell <matt at openssl.org>
+
+(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
+
+Conflicts:
+	ssl/s3_clnt.c
+---
+ ssl/s3_clnt.c | 15 +++++++++++++--
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+Index: openssl-0.9.8o/ssl/s3_clnt.c
+===================================================================
+--- openssl-0.9.8o.orig/ssl/s3_clnt.c	2015-01-11 12:53:34.484758441 +0000
++++ openssl-0.9.8o/ssl/s3_clnt.c	2015-01-11 12:54:01.200171717 +0000
+@@ -1113,8 +1113,21 @@
+ 
+ 	if (!ok) return((int)n);
+ 
++	alg=s->s3->tmp.new_cipher->algorithms;
++	EVP_MD_CTX_init(&md_ctx);
++
+ 	if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
+ 		{
++		/*
++		 * Can't skip server key exchange if this is an ephemeral
++		 * ciphersuite.
++		 */
++		if (alg & (SSL_kEDH|SSL_kECDHE))
++			{
++			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
++			al = SSL_AD_UNEXPECTED_MESSAGE;
++			goto f_err;
++			}
+ 		s->s3->tmp.reuse_message=1;
+ 		return(1);
+ 		}
+@@ -1151,8 +1164,6 @@
+ 		}
+ 
+ 	param_len=0;
+-	alg=s->s3->tmp.new_cipher->algorithms;
+-	EVP_MD_CTX_init(&md_ctx);
+ 
+ #ifndef OPENSSL_NO_RSA
+ 	if (alg & SSL_kRSA)
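Review bot: Hoisting `alg=...` and `EVP_MD_CTX_init(&md_ctx)` above the message-type test is load-bearing but uncommented: the new `goto f_err` presumably lands on cleanup that tears down `md_ctx`, which with the original placement would have run on an uninitialised context (the `f_err` label and the rest of ssl3_get_key_exchange are outside this hunk, so confirm). The `reuse_message` early return now also passes through an initialised context, which is harmless since EVP_MD_CTX_init only zeroes it. A comment on the moved lines, `/* init before the early exits below so f_err can always clean up md_ctx */`, would keep a later tidy-up from moving them back.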

Added: openssl/branches/squeeze/debian/patches/0006-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/0006-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/0006-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch	2015-01-11 13:02:12 UTC (rev 715)
@@ -0,0 +1,186 @@
+From 72f181539118828ca966a0f8d03f6428e2bcf0d6 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Thu, 23 Oct 2014 17:09:57 +0100
+Subject: [PATCH 06/15] Only allow ephemeral RSA keys in export ciphersuites.
+
+OpenSSL clients would tolerate temporary RSA keys in non-export
+ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
+enabled this server side. Remove both options as they are a
+protocol violation.
+
+Thanks to Karthikeyan Bhargavan for reporting this issue.
+(CVE-2015-0204)
+Reviewed-by: Matt Caswell <matt at openssl.org>
+Reviewed-by: Tim Hudson <tjh at openssl.org>
+
+(cherry picked from commit 4b4c1fcc88aec8c9e001b0a0077d3cd4de1ed0e6)
+
+Conflicts:
+	doc/ssl/SSL_CTX_set_options.pod
+	ssl/d1_srvr.c
+	ssl/s3_srvr.c
+---
+ doc/ssl/SSL_CTX_set_options.pod          | 10 +---------
+ doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 23 ++++++++---------------
+ ssl/d1_srvr.c                            | 16 ++--------------
+ ssl/s3_clnt.c                            |  7 +++++++
+ ssl/s3_srvr.c                            | 16 ++--------------
+ ssl/ssl.h                                |  5 ++---
+ 7 files changed, 30 insertions(+), 55 deletions(-)
+
+diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
+index a2a570b..307b157 100644
+--- a/doc/ssl/SSL_CTX_set_options.pod
++++ b/doc/ssl/SSL_CTX_set_options.pod
+@@ -152,15 +152,7 @@ temporary/ephemeral DH parameters are used.
+ 
+ =item SSL_OP_EPHEMERAL_RSA
+ 
+-Always use ephemeral (temporary) RSA key when doing RSA operations
+-(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
+-According to the specifications this is only done, when a RSA key
+-can only be used for signature operations (namely under export ciphers
+-with restricted RSA keylength). By setting this option, ephemeral
+-RSA keys are always used. This option breaks compatibility with the
+-SSL/TLS specifications and may lead to interoperability problems with
+-clients and should therefore never be used. Ciphers with EDH (ephemeral
+-Diffie-Hellman) key exchange should be used instead.
++This option is no longer implemented and is treated as no op.
+ 
+ =item SSL_OP_CIPHER_SERVER_PREFERENCE
+ 
+diff --git a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
+index 534643c..8794eb7 100644
+--- a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
++++ b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
+@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead
+ in order to achieve forward secrecy (see
+ L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
+ 
+-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
+-and must be explicitly enabled  using the SSL_OP_EPHEMERAL_RSA option of
+-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
+-standard. When ephemeral RSA key exchange is required for export ciphers,
+-it will automatically be used without this option!
+-
+-An application may either directly specify the key or can supply the key via
+-a callback function. The callback approach has the advantage, that the
+-callback may generate the key only in case it is actually needed. As the
+-generation of a RSA key is however costly, it will lead to a significant
+-delay in the handshake procedure.  Another advantage of the callback function
+-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
+-usage) while the explicit setting of the key is only useful for key size of
+-512 bits to satisfy the export restricted ciphers and does give away key length
+-if a longer key would be allowed.
++An application may either directly specify the key or can supply the key via a
++callback function. The callback approach has the advantage, that the callback
++may generate the key only in case it is actually needed. As the generation of a
++RSA key is however costly, it will lead to a significant delay in the handshake
++procedure.  Another advantage of the callback function is that it can supply
++keys of different size while the explicit setting of the key is only useful for
++key size of 512 bits to satisfy the export restricted ciphers and does give
++away key length if a longer key would be allowed.
+ 
+ The B<tmp_rsa_callback> is called with the B<keylength> needed and
+ the B<is_export> information. The B<is_export> flag is set, when the
+diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
+index 0e6bf46..0e9bb20 100644
+--- a/ssl/d1_srvr.c
++++ b/ssl/d1_srvr.c
+@@ -371,23 +371,11 @@ int dtls1_accept(SSL *s)
+ 
+ 			/* clear this, it may get reset by
+ 			 * send_server_key_exchange */
+-			if ((s->options & SSL_OP_EPHEMERAL_RSA)
+-#ifndef OPENSSL_NO_KRB5
+-				&& !(l & SSL_KRB5)
+-#endif /* OPENSSL_NO_KRB5 */
+-				)
+-				/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
+-				 * even when forbidden by protocol specs
+-				 * (handshake may fail as clients are not required to
+-				 * be able to handle this) */
+-				s->s3->tmp.use_rsa_tmp=1;
+-			else
+-				s->s3->tmp.use_rsa_tmp=0;
++			s->s3->tmp.use_rsa_tmp=0;
+ 
+ 			/* only send if a DH key exchange, fortezza or
+ 			 * RSA but we have a sign only certificate */
+-			if (s->s3->tmp.use_rsa_tmp
+-			    || (l & (SSL_DH|SSL_kFZA))
++			if ((l & (SSL_DH|SSL_kFZA))
+ 			    || ((l & SSL_kRSA)
+ 				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
+ 				    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)
+diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
+index 256fc94..2402a06 100644
+--- a/ssl/s3_clnt.c
++++ b/ssl/s3_clnt.c
+@@ -1180,6 +1180,13 @@ int ssl3_get_key_exchange(SSL *s)
+ #ifndef OPENSSL_NO_RSA
+ 	if (alg & SSL_kRSA)
+ 		{
++		/* Temporary RSA keys only allowed in export ciphersuites */
++		if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
++			{
++			al=SSL_AD_UNEXPECTED_MESSAGE;
++			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNEXPECTED_MESSAGE);
++			goto f_err;
++			}
+ 		if ((rsa=RSA_new()) == NULL)
+ 			{
+ 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index ca3e77a..18832e9 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -355,18 +355,7 @@ int ssl3_accept(SSL *s)
+ 
+ 			/* clear this, it may get reset by
+ 			 * send_server_key_exchange */
+-			if ((s->options & SSL_OP_EPHEMERAL_RSA)
+-#ifndef OPENSSL_NO_KRB5
+-				&& !(l & SSL_KRB5)
+-#endif /* OPENSSL_NO_KRB5 */
+-				)
+-				/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
+-				 * even when forbidden by protocol specs
+-				 * (handshake may fail as clients are not required to
+-				 * be able to handle this) */
+-				s->s3->tmp.use_rsa_tmp=1;
+-			else
+-				s->s3->tmp.use_rsa_tmp=0;
++			s->s3->tmp.use_rsa_tmp=0;
+ 
+ 
+ 			/* only send if a DH key exchange, fortezza or
+@@ -378,8 +367,7 @@ int ssl3_accept(SSL *s)
+ 			 * server certificate contains the server's 
+ 			 * public key for key exchange.
+ 			 */
+-			if (s->s3->tmp.use_rsa_tmp
+-			    || (l & SSL_kECDHE)
++			if ((l & SSL_kECDHE)
+ 			    || (l & (SSL_DH|SSL_kFZA))
+ 			    || ((l & SSL_kRSA)
+ 				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index 4ea0d80..8420100 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -526,9 +526,8 @@ typedef struct ssl_session_st
+ #define SSL_OP_SINGLE_ECDH_USE				0x00080000L
+ /* If set, always create a new key when using tmp_dh parameters */
+ #define SSL_OP_SINGLE_DH_USE				0x00100000L
+-/* Set to always use the tmp_rsa key when doing RSA operations,
+- * even when this violates protocol specs */
+-#define SSL_OP_EPHEMERAL_RSA				0x00200000L
++/* Does nothing: retained for compatibiity */
++#define SSL_OP_EPHEMERAL_RSA				0x0
+ /* Set on servers to choose the cipher according to the server's
+  * preferences */
+ #define SSL_OP_CIPHER_SERVER_PREFERENCE			0x00400000L
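Review bot: Redefining `SSL_OP_EPHEMERAL_RSA` to `0x0` makes the option a no-op for new builds, but applications already compiled against the old header still pass the literal 0x00200000L to `SSL_CTX_set_options`, so that bit must stay reserved or a future option assigned to it would be switched on silently by those binaries; the new comment should say so, and it has a typo (`compatibiity`). Suggested comment: `/* Does nothing: retained for compatibility. Bit 0x00200000L stays reserved because old binaries still set it. */`. Applications that test `SSL_CTX_get_options(ctx) & SSL_OP_EPHEMERAL_RSA` now always see 0, which appears intended but deserves a sentence in the SSL_CTX_set_options.pod text this same patch rewrites.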
+-- 
+2.1.4
+

Added: openssl/branches/squeeze/debian/patches/0007-use-correct-function-name.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/0007-use-correct-function-name.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/0007-use-correct-function-name.patch	2015-01-11 13:02:12 UTC (rev 715)
@@ -0,0 +1,28 @@
+From 11f719da38c5e9aa509aa518d11f71355cca7cd1 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Tue, 6 Jan 2015 20:55:38 +0000
+Subject: [PATCH 07/15] use correct function name
+
+Reviewed-by: Rich Salz <rsalz at openssl.org>
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(cherry picked from commit cb62ab4b17818fe66d2fed0a7fe71969131c811b)
+---
+ crypto/asn1/a_verify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
+index 3ef363d..a04aa8b 100644
+--- a/crypto/asn1/a_verify.c
++++ b/crypto/asn1/a_verify.c
+@@ -152,7 +152,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
+ 
+ 	if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
+ 		{
+-		ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
++		ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+ 		return -1;
+ 		}
+ 
+-- 
+2.1.4
+

Added: openssl/branches/squeeze/debian/patches/0009-fix-error-discrepancy.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/0009-fix-error-discrepancy.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/0009-fix-error-discrepancy.patch	2015-01-11 13:02:12 UTC (rev 715)
@@ -0,0 +1,27 @@
+From df70302441a507da88d1761c47e80295247521a8 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Wed, 7 Jan 2015 17:36:17 +0000
+Subject: [PATCH 09/15] fix error discrepancy
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(cherry picked from commit 4a4d4158572fd8b3dc641851b8378e791df7972d)
+---
+ ssl/s3_clnt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
+index 2402a06..3352e2d 100644
+--- a/ssl/s3_clnt.c
++++ b/ssl/s3_clnt.c
+@@ -1184,7 +1184,7 @@ int ssl3_get_key_exchange(SSL *s)
+ 		if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
+ 			{
+ 			al=SSL_AD_UNEXPECTED_MESSAGE;
+-			SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNEXPECTED_MESSAGE);
++			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+ 			goto f_err;
+ 			}
+ 		if ((rsa=RSA_new()) == NULL)
+-- 
+2.1.4
+

Added: openssl/branches/squeeze/debian/patches/0010-Fix-for-CVE-2014-3570.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/0010-Fix-for-CVE-2014-3570.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/0010-Fix-for-CVE-2014-3570.patch	2015-01-11 13:02:12 UTC (rev 715)
@@ -0,0 +1,1034 @@
+From 4b4c0a19211bf73d81de52de697a1a9dc60aed82 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <appro at openssl.org>
+Date: Mon, 5 Jan 2015 14:52:56 +0100
+Subject: [PATCH 10/15] Fix for CVE-2014-3570.
+
+Reviewed-by: Emilia Kasper <emilia at openssl.org>
+(cherry picked from commit e793809ba50c1e90ab592fb640a856168e50f3de)
+---
+ crypto/bn/asm/mips3.s      | 514 ++++++++++++++++++++++-----------------------
+ crypto/bn/asm/x86_64-gcc.c |  34 ++-
+ crypto/bn/bn_asm.c         |  16 +-
+ crypto/bn/bntest.c         | 102 ++++++---
+ 4 files changed, 360 insertions(+), 306 deletions(-)
+
+diff --git a/crypto/bn/asm/mips3.s b/crypto/bn/asm/mips3.s
+index dca4105..8ced51b 100644
+--- a/crypto/bn/asm/mips3.s
++++ b/crypto/bn/asm/mips3.s
+@@ -1584,17 +1584,17 @@ LEAF(bn_sqr_comba8)
+ 	dmultu	a_2,a_0		/* mul_add_c2(a[2],b[0],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_2,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_3,t_1
+ 	sltu	AT,c_3,t_1
+-	daddu	t_2,AT
++	daddu	c_3,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_3,t_1
++	daddu	c_1,AT
++	daddu	t_2,t_1
++	sltu	c_2,c_1,AT
+ 	daddu	c_1,t_2
+-	sltu	AT,c_1,t_2
+-	daddu	c_2,AT
++	sltu	t_2,c_1,t_2
++	daddu	c_2,t_2
+ 	dmultu	a_1,a_1		/* mul_add_c(a[1],b[1],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+@@ -1609,63 +1609,63 @@ LEAF(bn_sqr_comba8)
+ 	dmultu	a_0,a_3		/* mul_add_c2(a[0],b[3],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_3,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_1,t_1
+ 	sltu	AT,c_1,t_1
+-	daddu	t_2,AT
++	daddu	c_1,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_1,t_1
++	daddu	c_2,AT
++	daddu	t_2,t_1
++	sltu	c_3,c_2,AT
+ 	daddu	c_2,t_2
+-	sltu	AT,c_2,t_2
+-	daddu	c_3,AT
++	sltu	t_2,c_2,t_2
++	daddu	c_3,t_2
+ 	dmultu	a_1,a_2		/* mul_add_c2(a[1],b[2],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_3,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_1,t_1
+ 	sltu	AT,c_1,t_1
+-	daddu	t_2,AT
++	daddu	c_1,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_1,t_1
++	daddu	c_2,AT
++	daddu	t_2,t_1
++	sltu	AT,c_2,AT
+ 	daddu	c_2,t_2
+-	sltu	AT,c_2,t_2
+ 	daddu	c_3,AT
++	sltu	t_2,c_2,t_2
++	daddu	c_3,t_2
+ 	sd	c_1,24(a0)
+ 
+ 	dmultu	a_4,a_0		/* mul_add_c2(a[4],b[0],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_1,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_2,t_1
+ 	sltu	AT,c_2,t_1
+-	daddu	t_2,AT
++	daddu	c_2,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_2,t_1
++	daddu	c_3,AT
++	daddu	t_2,t_1
++	sltu	c_1,c_3,AT
+ 	daddu	c_3,t_2
+-	sltu	AT,c_3,t_2
+-	daddu	c_1,AT
++	sltu	t_2,c_3,t_2
++	daddu	c_1,t_2
+ 	dmultu	a_3,a_1		/* mul_add_c2(a[3],b[1],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_1,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_2,t_1
+ 	sltu	AT,c_2,t_1
+-	daddu	t_2,AT
++	daddu	c_2,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_2,t_1
++	daddu	c_3,AT
++	daddu	t_2,t_1
++	sltu	AT,c_3,AT
+ 	daddu	c_3,t_2
+-	sltu	AT,c_3,t_2
+ 	daddu	c_1,AT
++	sltu	t_2,c_3,t_2
++	daddu	c_1,t_2
+ 	dmultu	a_2,a_2		/* mul_add_c(a[2],b[2],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+@@ -1680,93 +1680,93 @@ LEAF(bn_sqr_comba8)
+ 	dmultu	a_0,a_5		/* mul_add_c2(a[0],b[5],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_2,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_3,t_1
+ 	sltu	AT,c_3,t_1
+-	daddu	t_2,AT
++	daddu	c_3,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_3,t_1
++	daddu	c_1,AT
++	daddu	t_2,t_1
++	sltu	c_2,c_1,AT
+ 	daddu	c_1,t_2
+-	sltu	AT,c_1,t_2
+-	daddu	c_2,AT
++	sltu	t_2,c_1,t_2
++	daddu	c_2,t_2
+ 	dmultu	a_1,a_4		/* mul_add_c2(a[1],b[4],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_2,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_3,t_1
+ 	sltu	AT,c_3,t_1
+-	daddu	t_2,AT
++	daddu	c_3,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_3,t_1
++	daddu	c_1,AT
++	daddu	t_2,t_1
++	sltu	AT,c_1,AT
+ 	daddu	c_1,t_2
+-	sltu	AT,c_1,t_2
+ 	daddu	c_2,AT
++	sltu	t_2,c_1,t_2
++	daddu	c_2,t_2
+ 	dmultu	a_2,a_3		/* mul_add_c2(a[2],b[3],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_2,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_3,t_1
+ 	sltu	AT,c_3,t_1
+-	daddu	t_2,AT
++	daddu	c_3,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_3,t_1
++	daddu	c_1,AT
++	daddu	t_2,t_1
++	sltu	AT,c_1,AT
+ 	daddu	c_1,t_2
+-	sltu	AT,c_1,t_2
+ 	daddu	c_2,AT
++	sltu	t_2,c_1,t_2
++	daddu	c_2,t_2
+ 	sd	c_3,40(a0)
+ 
+ 	dmultu	a_6,a_0		/* mul_add_c2(a[6],b[0],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_3,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_1,t_1
+ 	sltu	AT,c_1,t_1
+-	daddu	t_2,AT
++	daddu	c_1,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_1,t_1
++	daddu	c_2,AT
++	daddu	t_2,t_1
++	sltu	c_3,c_2,AT
+ 	daddu	c_2,t_2
+-	sltu	AT,c_2,t_2
+-	daddu	c_3,AT
++	sltu	t_2,c_2,t_2
++	daddu	c_3,t_2
+ 	dmultu	a_5,a_1		/* mul_add_c2(a[5],b[1],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_3,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_1,t_1
+ 	sltu	AT,c_1,t_1
+-	daddu	t_2,AT
++	daddu	c_1,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_1,t_1
++	daddu	c_2,AT
++	daddu	t_2,t_1
++	sltu	AT,c_2,AT
+ 	daddu	c_2,t_2
+-	sltu	AT,c_2,t_2
+ 	daddu	c_3,AT
++	sltu	t_2,c_2,t_2
++	daddu	c_3,t_2
+ 	dmultu	a_4,a_2		/* mul_add_c2(a[4],b[2],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_3,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_1,t_1
+ 	sltu	AT,c_1,t_1
+-	daddu	t_2,AT
++	daddu	c_1,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_1,t_1
++	daddu	c_2,AT
++	daddu	t_2,t_1
++	sltu	AT,c_2,AT
+ 	daddu	c_2,t_2
+-	sltu	AT,c_2,t_2
+ 	daddu	c_3,AT
++	sltu	t_2,c_2,t_2
++	daddu	c_3,t_2
+ 	dmultu	a_3,a_3		/* mul_add_c(a[3],b[3],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+@@ -1781,108 +1781,108 @@ LEAF(bn_sqr_comba8)
+ 	dmultu	a_0,a_7		/* mul_add_c2(a[0],b[7],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_1,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_2,t_1
+ 	sltu	AT,c_2,t_1
+-	daddu	t_2,AT
++	daddu	c_2,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_2,t_1
++	daddu	c_3,AT
++	daddu	t_2,t_1
++	sltu	c_1,c_3,AT
+ 	daddu	c_3,t_2
+-	sltu	AT,c_3,t_2
+-	daddu	c_1,AT
++	sltu	t_2,c_3,t_2
++	daddu	c_1,t_2
+ 	dmultu	a_1,a_6		/* mul_add_c2(a[1],b[6],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_1,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_2,t_1
+ 	sltu	AT,c_2,t_1
+-	daddu	t_2,AT
++	daddu	c_2,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_2,t_1
++	daddu	c_3,AT
++	daddu	t_2,t_1
++	sltu	AT,c_3,AT
+ 	daddu	c_3,t_2
+-	sltu	AT,c_3,t_2
+ 	daddu	c_1,AT
++	sltu	t_2,c_3,t_2
++	daddu	c_1,t_2
+ 	dmultu	a_2,a_5		/* mul_add_c2(a[2],b[5],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_1,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_2,t_1
+ 	sltu	AT,c_2,t_1
+-	daddu	t_2,AT
++	daddu	c_2,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_2,t_1
++	daddu	c_3,AT
++	daddu	t_2,t_1
++	sltu	AT,c_3,AT
+ 	daddu	c_3,t_2
+-	sltu	AT,c_3,t_2
+ 	daddu	c_1,AT
++	sltu	t_2,c_3,t_2
++	daddu	c_1,t_2
+ 	dmultu	a_3,a_4		/* mul_add_c2(a[3],b[4],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_1,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_2,t_1
+ 	sltu	AT,c_2,t_1
+-	daddu	t_2,AT
++	daddu	c_2,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_2,t_1
++	daddu	c_3,AT
++	daddu	t_2,t_1
++	sltu	AT,c_3,AT
+ 	daddu	c_3,t_2
+-	sltu	AT,c_3,t_2
+ 	daddu	c_1,AT
++	sltu	t_2,c_3,t_2
++	daddu	c_1,t_2
+ 	sd	c_2,56(a0)
+ 
+ 	dmultu	a_7,a_1		/* mul_add_c2(a[7],b[1],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_2,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_3,t_1
+ 	sltu	AT,c_3,t_1
+-	daddu	t_2,AT
++	daddu	c_3,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_3,t_1
++	daddu	c_1,AT
++	daddu	t_2,t_1
++	sltu	c_2,c_1,AT
+ 	daddu	c_1,t_2
+-	sltu	AT,c_1,t_2
+-	daddu	c_2,AT
++	sltu	t_2,c_1,t_2
++	daddu	c_2,t_2
+ 	dmultu	a_6,a_2		/* mul_add_c2(a[6],b[2],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_2,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_3,t_1
+ 	sltu	AT,c_3,t_1
+-	daddu	t_2,AT
++	daddu	c_3,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_3,t_1
++	daddu	c_1,AT
++	daddu	t_2,t_1
++	sltu	AT,c_1,AT
+ 	daddu	c_1,t_2
+-	sltu	AT,c_1,t_2
+ 	daddu	c_2,AT
++	sltu	t_2,c_1,t_2
++	daddu	c_2,t_2
+ 	dmultu	a_5,a_3		/* mul_add_c2(a[5],b[3],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_2,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_3,t_1
+ 	sltu	AT,c_3,t_1
+-	daddu	t_2,AT
++	daddu	c_3,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_3,t_1
++	daddu	c_1,AT
++	daddu	t_2,t_1
++	sltu	AT,c_1,AT
+ 	daddu	c_1,t_2
+-	sltu	AT,c_1,t_2
+ 	daddu	c_2,AT
++	sltu	t_2,c_1,t_2
++	daddu	c_2,t_2
+ 	dmultu	a_4,a_4		/* mul_add_c(a[4],b[4],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+@@ -1897,78 +1897,78 @@ LEAF(bn_sqr_comba8)
+ 	dmultu	a_2,a_7		/* mul_add_c2(a[2],b[7],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_3,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_1,t_1
+ 	sltu	AT,c_1,t_1
+-	daddu	t_2,AT
++	daddu	c_1,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_1,t_1
++	daddu	c_2,AT
++	daddu	t_2,t_1
++	sltu	c_3,c_2,AT
+ 	daddu	c_2,t_2
+-	sltu	AT,c_2,t_2
+-	daddu	c_3,AT
++	sltu	t_2,c_2,t_2
++	daddu	c_3,t_2
+ 	dmultu	a_3,a_6		/* mul_add_c2(a[3],b[6],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_3,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_1,t_1
+ 	sltu	AT,c_1,t_1
+-	daddu	t_2,AT
++	daddu	c_1,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_1,t_1
++	daddu	c_2,AT
++	daddu	t_2,t_1
++	sltu	AT,c_2,AT
+ 	daddu	c_2,t_2
+-	sltu	AT,c_2,t_2
+ 	daddu	c_3,AT
++	sltu	t_2,c_2,t_2
++	daddu	c_3,t_2
+ 	dmultu	a_4,a_5		/* mul_add_c2(a[4],b[5],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_3,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_1,t_1
+ 	sltu	AT,c_1,t_1
+-	daddu	t_2,AT
++	daddu	c_1,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_1,t_1
++	daddu	c_2,AT
++	daddu	t_2,t_1
++	sltu	AT,c_2,AT
+ 	daddu	c_2,t_2
+-	sltu	AT,c_2,t_2
+ 	daddu	c_3,AT
++	sltu	t_2,c_2,t_2
++	daddu	c_3,t_2
+ 	sd	c_1,72(a0)
+ 
+ 	dmultu	a_7,a_3		/* mul_add_c2(a[7],b[3],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_1,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_2,t_1
+ 	sltu	AT,c_2,t_1
+-	daddu	t_2,AT
++	daddu	c_2,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_2,t_1
++	daddu	c_3,AT
++	daddu	t_2,t_1
++	sltu	c_1,c_3,AT
+ 	daddu	c_3,t_2
+-	sltu	AT,c_3,t_2
+-	daddu	c_1,AT
++	sltu	t_2,c_3,t_2
++	daddu	c_1,t_2
+ 	dmultu	a_6,a_4		/* mul_add_c2(a[6],b[4],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_1,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_2,t_1
+ 	sltu	AT,c_2,t_1
+-	daddu	t_2,AT
++	daddu	c_2,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_2,t_1
++	daddu	c_3,AT
++	daddu	t_2,t_1
++	sltu	AT,c_3,AT
+ 	daddu	c_3,t_2
+-	sltu	AT,c_3,t_2
+ 	daddu	c_1,AT
++	sltu	t_2,c_3,t_2
++	daddu	c_1,t_2
+ 	dmultu	a_5,a_5		/* mul_add_c(a[5],b[5],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+@@ -1983,48 +1983,48 @@ LEAF(bn_sqr_comba8)
+ 	dmultu	a_4,a_7		/* mul_add_c2(a[4],b[7],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_2,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_3,t_1
+ 	sltu	AT,c_3,t_1
+-	daddu	t_2,AT
++	daddu	c_3,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_3,t_1
++	daddu	c_1,AT
++	daddu	t_2,t_1
++	sltu	c_2,c_1,AT
+ 	daddu	c_1,t_2
+-	sltu	AT,c_1,t_2
+-	daddu	c_2,AT
++	sltu	t_2,c_1,t_2
++	daddu	c_2,t_2
+ 	dmultu	a_5,a_6		/* mul_add_c2(a[5],b[6],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_2,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_3,t_1
+ 	sltu	AT,c_3,t_1
+-	daddu	t_2,AT
++	daddu	c_3,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_3,t_1
++	daddu	c_1,AT
++	daddu	t_2,t_1
++	sltu	AT,c_1,AT
+ 	daddu	c_1,t_2
+-	sltu	AT,c_1,t_2
+ 	daddu	c_2,AT
++	sltu	t_2,c_1,t_2
++	daddu	c_2,t_2
+ 	sd	c_3,88(a0)
+ 
+ 	dmultu	a_7,a_5		/* mul_add_c2(a[7],b[5],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_3,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_1,t_1
+ 	sltu	AT,c_1,t_1
+-	daddu	t_2,AT
++	daddu	c_1,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_1,t_1
++	daddu	c_2,AT
++	daddu	t_2,t_1
++	sltu	c_3,c_2,AT
+ 	daddu	c_2,t_2
+-	sltu	AT,c_2,t_2
+-	daddu	c_3,AT
++	sltu	t_2,c_2,t_2
++	daddu	c_3,t_2
+ 	dmultu	a_6,a_6		/* mul_add_c(a[6],b[6],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+@@ -2039,17 +2039,17 @@ LEAF(bn_sqr_comba8)
+ 	dmultu	a_6,a_7		/* mul_add_c2(a[6],b[7],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_1,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_2,t_1
+ 	sltu	AT,c_2,t_1
+-	daddu	t_2,AT
++	daddu	c_2,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_2,t_1
++	daddu	c_3,AT
++	daddu	t_2,t_1
++	sltu	c_1,c_3,AT
+ 	daddu	c_3,t_2
+-	sltu	AT,c_3,t_2
+-	daddu	c_1,AT
++	sltu	t_2,c_3,t_2
++	daddu	c_1,t_2
+ 	sd	c_2,104(a0)
+ 
+ 	dmultu	a_7,a_7		/* mul_add_c(a[7],b[7],c3,c1,c2); */
+@@ -2070,9 +2070,9 @@ LEAF(bn_sqr_comba4)
+ 	.set	reorder
+ 	ld	a_0,0(a1)
+ 	ld	a_1,8(a1)
++	dmultu	a_0,a_0		/* mul_add_c(a[0],b[0],c1,c2,c3); */
+ 	ld	a_2,16(a1)
+ 	ld	a_3,24(a1)
+-	dmultu	a_0,a_0		/* mul_add_c(a[0],b[0],c1,c2,c3); */
+ 	mflo	c_1
+ 	mfhi	c_2
+ 	sd	c_1,0(a0)
+@@ -2093,17 +2093,17 @@ LEAF(bn_sqr_comba4)
+ 	dmultu	a_2,a_0		/* mul_add_c2(a[2],b[0],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_2,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_3,t_1
+ 	sltu	AT,c_3,t_1
+-	daddu	t_2,AT
++	daddu	c_3,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_3,t_1
++	daddu	c_1,AT
++	daddu	t_2,t_1
++	sltu	c_2,c_1,AT
+ 	daddu	c_1,t_2
+-	sltu	AT,c_1,t_2
+-	daddu	c_2,AT
++	sltu	t_2,c_1,t_2
++	daddu	c_2,t_2
+ 	dmultu	a_1,a_1		/* mul_add_c(a[1],b[1],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+@@ -2118,48 +2118,48 @@ LEAF(bn_sqr_comba4)
+ 	dmultu	a_0,a_3		/* mul_add_c2(a[0],b[3],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_3,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_1,t_1
+ 	sltu	AT,c_1,t_1
+-	daddu	t_2,AT
++	daddu	c_1,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_1,t_1
++	daddu	c_2,AT
++	daddu	t_2,t_1
++	sltu	c_3,c_2,AT
+ 	daddu	c_2,t_2
+-	sltu	AT,c_2,t_2
+-	daddu	c_3,AT
++	sltu	t_2,c_2,t_2
++	daddu	c_3,t_2
+ 	dmultu	a_1,a_2		/* mul_add_c(a2[1],b[2],c1,c2,c3); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	AT,t_2,zero
+-	daddu	c_3,AT
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_1,t_1
+ 	sltu	AT,c_1,t_1
+-	daddu	t_2,AT
++	daddu	c_1,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_1,t_1
++	daddu	c_2,AT
++	daddu	t_2,t_1
++	sltu	AT,c_2,AT
+ 	daddu	c_2,t_2
+-	sltu	AT,c_2,t_2
+ 	daddu	c_3,AT
++	sltu	t_2,c_2,t_2
++	daddu	c_3,t_2
+ 	sd	c_1,24(a0)
+ 
+ 	dmultu	a_3,a_1		/* mul_add_c2(a[3],b[1],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_1,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_2,t_1
+ 	sltu	AT,c_2,t_1
+-	daddu	t_2,AT
++	daddu	c_2,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_2,t_1
++	daddu	c_3,AT
++	daddu	t_2,t_1
++	sltu	c_1,c_3,AT
+ 	daddu	c_3,t_2
+-	sltu	AT,c_3,t_2
+-	daddu	c_1,AT
++	sltu	t_2,c_3,t_2
++	daddu	c_1,t_2
+ 	dmultu	a_2,a_2		/* mul_add_c(a[2],b[2],c2,c3,c1); */
+ 	mflo	t_1
+ 	mfhi	t_2
+@@ -2174,17 +2174,17 @@ LEAF(bn_sqr_comba4)
+ 	dmultu	a_2,a_3		/* mul_add_c2(a[2],b[3],c3,c1,c2); */
+ 	mflo	t_1
+ 	mfhi	t_2
+-	slt	c_2,t_2,zero
+-	dsll	t_2,1
+-	slt	a2,t_1,zero
+-	daddu	t_2,a2
+-	dsll	t_1,1
+ 	daddu	c_3,t_1
+ 	sltu	AT,c_3,t_1
+-	daddu	t_2,AT
++	daddu	c_3,t_1
++	daddu	AT,t_2
++	sltu	t_1,c_3,t_1
++	daddu	c_1,AT
++	daddu	t_2,t_1
++	sltu	c_2,c_1,AT
+ 	daddu	c_1,t_2
+-	sltu	AT,c_1,t_2
+-	daddu	c_2,AT
++	sltu	t_2,c_1,t_2
++	daddu	c_2,t_2
+ 	sd	c_3,40(a0)
+ 
+ 	dmultu	a_3,a_3		/* mul_add_c(a[3],b[3],c1,c2,c3); */
+diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c
+index 2d80f19..eba8304 100644
+--- a/crypto/bn/asm/x86_64-gcc.c
++++ b/crypto/bn/asm/x86_64-gcc.c
+@@ -269,6 +269,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+ /* sqr_add_c(a,i,c0,c1,c2)  -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
+ /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */
+ 
++/*
++ * Keep in mind that carrying into high part of multiplication result
++ * can not overflow, because it cannot be all-ones.
++ */
+ #if 0
+ /* original macros are kept for reference purposes */
+ #define mul_add_c(a,b,c0,c1,c2) {	\
+@@ -283,10 +287,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+ 	BN_ULONG ta=(a),tb=(b),t0;	\
+ 	t1 = BN_UMULT_HIGH(ta,tb);	\
+ 	t0 = ta * tb;			\
+-	t2 = t1+t1; c2 += (t2<t1)?1:0;	\
+-	t1 = t0+t0; t2 += (t1<t0)?1:0;	\
+-	c0 += t1; t2 += (c0<t1)?1:0;	\
++	c0 += t0; t2 = t1+((c0<t0)?1:0);\
+ 	c1 += t2; c2 += (c1<t2)?1:0;	\
++	c0 += t0; t1 += (c0<t0)?1:0;	\
++	c1 += t1; c2 += (c1<t1)?1:0;	\
+ 	}
+ #else
+ #define mul_add_c(a,b,c0,c1,c2)	do {	\
+@@ -324,22 +328,14 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
+ 		: "=a"(t1),"=d"(t2)	\
+ 		: "a"(a),"m"(b)		\
+ 		: "cc");		\
+-	asm ("addq %0,%0; adcq %2,%1"	\
+-		: "+d"(t2),"+r"(c2)	\
+-		: "g"(0)		\
+-		: "cc");		\
+-	asm ("addq %0,%0; adcq %2,%1"	\
+-		: "+a"(t1),"+d"(t2)	\
+-		: "g"(0)		\
+-		: "cc");		\
+-	asm ("addq %2,%0; adcq %3,%1"	\
+-		: "+r"(c0),"+d"(t2)	\
+-		: "a"(t1),"g"(0)	\
+-		: "cc");		\
+-	asm ("addq %2,%0; adcq %3,%1"	\
+-		: "+r"(c1),"+r"(c2)	\
+-		: "d"(t2),"g"(0)	\
+-		: "cc");		\
++	asm ("addq %3,%0; adcq %4,%1; adcq %5,%2"	\
++		: "+r"(c0),"+r"(c1),"+r"(c2)		\
++		: "r"(t1),"r"(t2),"g"(0)		\
++		: "cc");				\
++	asm ("addq %3,%0; adcq %4,%1; adcq %5,%2"	\
++		: "+r"(c0),"+r"(c1),"+r"(c2)		\
++		: "r"(t1),"r"(t2),"g"(0)		\
++		: "cc");				\
+ 	} while (0)
+ #endif
+ 
+diff --git a/crypto/bn/bn_asm.c b/crypto/bn/bn_asm.c
+index 99bc2de..b95b003 100644
+--- a/crypto/bn/bn_asm.c
++++ b/crypto/bn/bn_asm.c
+@@ -431,6 +431,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
+ /* sqr_add_c(a,i,c0,c1,c2)  -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
+ /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */
+ 
++/*
++ * Keep in mind that carrying into high part of multiplication result
++ * can not overflow, because it cannot be all-ones.
++ */
+ #ifdef BN_LLONG
+ #define mul_add_c(a,b,c0,c1,c2) \
+ 	t=(BN_ULLONG)a*b; \
+@@ -471,10 +475,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
+ #define mul_add_c2(a,b,c0,c1,c2) {	\
+ 	BN_ULONG ta=(a),tb=(b),t0;	\
+ 	BN_UMULT_LOHI(t0,t1,ta,tb);	\
+-	t2 = t1+t1; c2 += (t2<t1)?1:0;	\
+-	t1 = t0+t0; t2 += (t1<t0)?1:0;	\
+-	c0 += t1; t2 += (c0<t1)?1:0;	\
++	c0 += t0; t2 = t1+((c0<t0)?1:0);\
+ 	c1 += t2; c2 += (c1<t2)?1:0;	\
++	c0 += t0; t1 += (c0<t0)?1:0;	\
++	c1 += t1; c2 += (c1<t1)?1:0;	\
+ 	}
+ 
+ #define sqr_add_c(a,i,c0,c1,c2)	{	\
+@@ -501,10 +505,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
+ 	BN_ULONG ta=(a),tb=(b),t0;	\
+ 	t1 = BN_UMULT_HIGH(ta,tb);	\
+ 	t0 = ta * tb;			\
+-	t2 = t1+t1; c2 += (t2<t1)?1:0;	\
+-	t1 = t0+t0; t2 += (t1<t0)?1:0;	\
+-	c0 += t1; t2 += (c0<t1)?1:0;	\
++	c0 += t0; t2 = t1+((c0<t0)?1:0);\
+ 	c1 += t2; c2 += (c1<t2)?1:0;	\
++	c0 += t0; t1 += (c0<t0)?1:0;	\
++	c1 += t1; c2 += (c1<t1)?1:0;	\
+ 	}
+ 
+ #define sqr_add_c(a,i,c0,c1,c2)	{	\
+diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
+index d41daac..9138c2f 100644
+--- a/crypto/bn/bntest.c
++++ b/crypto/bn/bntest.c
+@@ -676,44 +676,98 @@ int test_mul(BIO *bp)
+ 
+ int test_sqr(BIO *bp, BN_CTX *ctx)
+ 	{
+-	BIGNUM a,c,d,e;
+-	int i;
++	BIGNUM *a,*c,*d,*e;
++	int i, ret = 0;
+ 
+-	BN_init(&a);
+-	BN_init(&c);
+-	BN_init(&d);
+-	BN_init(&e);
++	a = BN_new();
++	c = BN_new();
++	d = BN_new();
++	e = BN_new();
++	if (a == NULL || c == NULL || d == NULL || e == NULL)
++		{
++		goto err;
++		}
+ 
+ 	for (i=0; i<num0; i++)
+ 		{
+-		BN_bntest_rand(&a,40+i*10,0,0);
+-		a.neg=rand_neg();
+-		BN_sqr(&c,&a,ctx);
++		BN_bntest_rand(a,40+i*10,0,0);
++		a->neg=rand_neg();
++		BN_sqr(c,a,ctx);
+ 		if (bp != NULL)
+ 			{
+ 			if (!results)
+ 				{
+-				BN_print(bp,&a);
++				BN_print(bp,a);
+ 				BIO_puts(bp," * ");
+-				BN_print(bp,&a);
++				BN_print(bp,a);
+ 				BIO_puts(bp," - ");
+ 				}
+-			BN_print(bp,&c);
++			BN_print(bp,c);
+ 			BIO_puts(bp,"\n");
+ 			}
+-		BN_div(&d,&e,&c,&a,ctx);
+-		BN_sub(&d,&d,&a);
+-		if(!BN_is_zero(&d) || !BN_is_zero(&e))
+-		    {
+-		    fprintf(stderr,"Square test failed!\n");
+-		    return 0;
+-		    }
++		BN_div(d,e,c,a,ctx);
++		BN_sub(d,d,a);
++		if(!BN_is_zero(d) || !BN_is_zero(e))
++			{
++			fprintf(stderr,"Square test failed!\n");
++			goto err;
++			}
+ 		}
+-	BN_free(&a);
+-	BN_free(&c);
+-	BN_free(&d);
+-	BN_free(&e);
+-	return(1);
++
++	/* Regression test for a BN_sqr overflow bug. */
++	BN_hex2bn(&a,
++		"80000000000000008000000000000001FFFFFFFFFFFFFFFE0000000000000000");
++	BN_sqr(c, a, ctx);
++	if (bp != NULL)
++		{
++		if (!results)
++			{
++			BN_print(bp,a);
++			BIO_puts(bp," * ");
++			BN_print(bp,a);
++			BIO_puts(bp," - ");
++			}
++		BN_print(bp,c);
++		BIO_puts(bp,"\n");
++		}
++	BN_mul(d, a, a, ctx);
++	if (BN_cmp(c, d))
++		{
++		fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
++			"different results!\n");
++		goto err;
++		}
++
++	/* Regression test for a BN_sqr overflow bug. */
++	BN_hex2bn(&a,
++		"80000000000000000000000080000001FFFFFFFE000000000000000000000000");
++	BN_sqr(c, a, ctx);
++	if (bp != NULL)
++		{
++		if (!results)
++			{
++			BN_print(bp,a);
++			BIO_puts(bp," * ");
++			BN_print(bp,a);
++			BIO_puts(bp," - ");
++			}
++		BN_print(bp,c);
++		BIO_puts(bp,"\n");
++		}
++	BN_mul(d, a, a, ctx);
++	if (BN_cmp(c, d))
++		{
++		fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
++			"different results!\n");
++		goto err;
++		}
++	ret = 1;
++err:
++	if (a != NULL) BN_free(a);
++	if (c != NULL) BN_free(c);
++	if (d != NULL) BN_free(d);
++	if (e != NULL) BN_free(e);
++	return ret;
+ 	}
+ 
+ int test_mont(BIO *bp, BN_CTX *ctx)
+-- 
+2.1.4
+
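Review bot: In test_sqr's two new regression blocks (bntest.c, the lines after each `/* Regression test for a BN_sqr overflow bug. */`), the return values of `BN_hex2bn`, `BN_sqr` and `BN_mul` are discarded, so an allocation failure in any of them leaves `a`, `c` or `d` holding the value from the previous step and the following `BN_cmp(c, d)` silently compares stale numbers instead of failing the test; each call should be guarded, e.g. `if (!BN_hex2bn(&a, "...")) goto err;` and `if (!BN_sqr(c, a, ctx) || !BN_mul(d, a, a, ctx)) goto err;`. The `if (a != NULL) BN_free(a);` guards at the `err:` label are redundant, since BN_free accepts a NULL pointer. The two blocks are copy-pasted apart from the hex string; a small static helper taking the vector as a parameter would remove the duplication and make adding further vectors trivial, which matters here because the mips3.s and x86_64-gcc.c paths are rewritten by the same patch and, presumably, only the build's own platform is exercised by this test.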

Added: openssl/branches/squeeze/debian/patches/0011-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/0011-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/0011-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch	2015-01-11 13:02:12 UTC (rev 715)
@@ -0,0 +1,47 @@
+From 46bf0ba87665c5aa215673d87e9ee7dd4ce28359 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Sat, 3 Jan 2015 00:45:13 +0000
+Subject: [PATCH 11/15] Fix crash in dtls1_get_record whilst in the listen
+ state where you get two separate reads performed - one for the header and one
+ for the body of the handshake record.
+
+CVE-2014-3571
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+
+Conflicts:
+	ssl/s3_pkt.c
+---
+ ssl/d1_pkt.c | 2 --
+ ssl/s3_pkt.c | 2 ++
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
+index d12604e..5eac25fb 100644
+--- a/ssl/d1_pkt.c
++++ b/ssl/d1_pkt.c
+@@ -595,8 +595,6 @@ again:
+ 		/* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
+ 		i=rr->length;
+ 		n=ssl3_read_n(s,i,i,1);
+-		if (n <= 0) return(n); /* error or non-blocking io */
+-
+ 		/* this packet contained a partial record, dump it */
+ 		if ( n != i)
+ 			{
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index a3b45fb..1adc301 100644
+--- a/ssl/s3_pkt.c
++++ b/ssl/s3_pkt.c
+@@ -147,6 +147,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
+ 	 * at once (as long as it fits into the buffer). */
+ 	if (SSL_version(s) == DTLS1_VERSION)
+ 		{
++		if (s->s3->rbuf.left == 0 && extend)
++			return 0;
+ 		if ( s->s3->rbuf.left > 0 && n > s->s3->rbuf.left)
+ 			n = s->s3->rbuf.left;
+ 		}
+-- 
+2.1.4
+
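Review bot: The removal of `if (n <= 0) return(n);` in dtls1_get_record is only safe together with the new early `return 0` in ssl3_read_n: for DTLS with `rbuf.left == 0 && extend` the call now yields 0 and falls into the `n != i` partial-record branch instead of returning, and if a negative result can still come back from ssl3_read_n on this path it would likewise be treated as a truncated record and dropped rather than propagated as an error. That coupling is not recorded at the call site, so a later backport could pick up one hunk without the other; a comment on the `n=ssl3_read_n(s,i,i,1);` line such as `/* DTLS: served from the already-buffered datagram; ssl3_read_n returns 0 when it is exhausted and a short result is handled as a truncated record below */` would document it. dtls1_get_record's body starts and ends outside the hunk.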

Added: openssl/branches/squeeze/debian/patches/0012-Follow-on-from-CVE-2014-3571.-This-fixes-the-code-th.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/0012-Follow-on-from-CVE-2014-3571.-This-fixes-the-code-th.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/0012-Follow-on-from-CVE-2014-3571.-This-fixes-the-code-th.patch	2015-01-11 13:02:12 UTC (rev 715)
@@ -0,0 +1,34 @@
+From 50befdb659585b9840264c77708d2dc638624137 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Sat, 3 Jan 2015 00:54:35 +0000
+Subject: [PATCH 12/15] Follow on from CVE-2014-3571. This fixes the code that
+ was the original source of the crash due to p being NULL. Steve's fix
+ prevents this situation from occuring - however this is by no means obvious
+ by looking at the code for dtls1_get_record. This fix just makes things look
+ a bit more sane.
+
+Conflicts:
+	ssl/d1_pkt.c
+
+Reviewed-by: Dr Stephen Henson <steve at openssl.org>
+---
+ ssl/d1_pkt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
+index 5eac25fb..bc478c2 100644
+--- a/ssl/d1_pkt.c
++++ b/ssl/d1_pkt.c
+@@ -624,7 +624,8 @@ again:
+ 	 * would be dropped unnecessarily.
+ 	 */
+ 	if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
+-		*p == SSL3_MT_CLIENT_HELLO) &&
++		s->packet_length > DTLS1_RT_HEADER_LENGTH &&
++		s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) &&
+ 		! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
+ 		{
+ 		rr->length = 0;
+-- 
+2.1.4
+
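Review bot: The new `s->packet_length > DTLS1_RT_HEADER_LENGTH` guard in dtls1_get_record replaces the dereference of `p` with a bounds-checked read of the first handshake body byte, but nothing in the code says why the record body can be empty at this point; a short comment on the new lines, e.g. `/* body may be empty (packet_length == DTLS1_RT_HEADER_LENGTH); check before reading the handshake type byte */`, would help the next reader. Whether `rr->length` should also be consulted here (it may differ from the raw packet length if the record was shortened earlier) cannot be decided from the hunk, so the relationship between `packet_length` and `rr->length` at this point is worth stating in that comment. The enclosing `again:` block continues outside the hunk.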

Added: openssl/branches/squeeze/debian/patches/0013-Fix-typo.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/0013-Fix-typo.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/0013-Fix-typo.patch	2015-01-11 13:02:12 UTC (rev 715)
@@ -0,0 +1,33 @@
+From a4aa18879917d9bd45f52ac110c69303a852b7db Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Tue, 6 Jan 2015 14:28:34 +0000
+Subject: [PATCH 13/15] Fix typo.
+
+Fix typo in ssl3_get_cert_verify: we can only skip certificate verify
+message if certificate is absent.
+
+NB: OpenSSL 0.9.8 is NOT vulnerable to CVE-2015-0205 as it doesn't
+support DH certificates and this typo prohibits skipping of
+certificate verify message for sign only certificates anyway.
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+---
+ ssl/s3_srvr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index 18832e9..496ae80 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -2400,7 +2400,7 @@ int ssl3_get_cert_verify(SSL *s)
+ 	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
+ 		{
+ 		s->s3->tmp.reuse_message=1;
+-		if ((peer != NULL) && (type | EVP_PKT_SIGN))
++		if (peer != NULL)
+ 			{
+ 			al=SSL_AD_UNEXPECTED_MESSAGE;
+ 			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
+-- 
+2.1.4
+
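Review bot: The old expression `(type | EVP_PKT_SIGN)` was a bitwise OR with a non-zero flag and therefore always true, so replacing it with `peer != NULL` does not change behaviour; the commit message says so, but the hunk leaves no trace in the code of why the key-capability check was dropped. A comment on the new line, e.g. `/* a peer certificate was presented, so CertificateVerify is mandatory regardless of key type */`, would record that. If `type` is no longer read anywhere else in ssl3_get_cert_verify (the rest of the function is outside the hunk), the variable becomes unused and will trigger a compiler warning.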

Modified: openssl/branches/squeeze/debian/patches/series
===================================================================
--- openssl/branches/squeeze/debian/patches/series	2015-01-11 12:45:22 UTC (rev 714)
+++ openssl/branches/squeeze/debian/patches/series	2015-01-11 13:02:12 UTC (rev 715)
@@ -60,3 +60,15 @@
 CVE-2014-3568.patch
 CVE-2014-3567.patch
 CVE-2014-3569.patch
+0001-Return-error-when-a-bit-string-indicates-an-invalid-.patch
+0002-Add-ASN1_TYPE_cmp-and-X509_ALGOR_cmp.patch
+0004-Fix-various-certificate-fingerprint-issues.patch
+0005-ECDH-downgrade-bug-fix.patch
+0006-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch
+0007-use-correct-function-name.patch
+0009-fix-error-discrepancy.patch
+0010-Fix-for-CVE-2014-3570.patch
+0011-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch
+0012-Follow-on-from-CVE-2014-3571.-This-fixes-the-code-th.patch
+0013-Fix-typo.patch
+
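Review bot: The series additions jump from 0002 to 0004 and from 0007 to 0009, so the upstream numbering shows that 0003 and 0008 were left out of this import, but neither series nor the changelog says why (presumably not applicable to 0.9.8). A comment line in series, e.g. `# 0003 and 0008 from the upstream set are not applicable to 0.9.8`, would save the next maintainer from re-checking; quilt ignores lines starting with `#`. The trailing empty line added at the end of series is harmless but unnecessary.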



