[Pkg-openssl-changes] r844 - in openssl/branches/wheezy/debian: . patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Sun Sep 25 10:01:09 UTC 2016
Author: kroeckx
Date: 2016-09-25 10:01:08 +0000 (Sun, 25 Sep 2016)
New Revision: 844
Added:
openssl/branches/wheezy/debian/patches/CVE-2016-2177.patch
openssl/branches/wheezy/debian/patches/CVE-2016-2178.patch
openssl/branches/wheezy/debian/patches/CVE-2016-2179.patch
openssl/branches/wheezy/debian/patches/CVE-2016-2180.patch
openssl/branches/wheezy/debian/patches/CVE-2016-2181.patch
openssl/branches/wheezy/debian/patches/CVE-2016-2182.patch
openssl/branches/wheezy/debian/patches/CVE-2016-2183.patch
openssl/branches/wheezy/debian/patches/CVE-2016-6302.patch
openssl/branches/wheezy/debian/patches/CVE-2016-6303.patch
openssl/branches/wheezy/debian/patches/CVE-2016-6304.patch
openssl/branches/wheezy/debian/patches/CVE-2016-6306.patch
openssl/branches/wheezy/debian/patches/Fix-name-length-limit-check.patch
openssl/branches/wheezy/debian/patches/Update-S-MIME-certificates.patch
openssl/branches/wheezy/debian/patches/defaults.patch
Removed:
openssl/branches/wheezy/debian/patches/0001-Check-public-key-is-not-NULL.patch
openssl/branches/wheezy/debian/patches/0001-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch
openssl/branches/wheezy/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch
openssl/branches/wheezy/debian/patches/0001-Remove-export-ciphers-from-the-DEFAULT-cipher-list.patch
openssl/branches/wheezy/debian/patches/0001-evp-prevent-underflow-in-base64-decoding.patch
openssl/branches/wheezy/debian/patches/0001-fix-warning.patch
openssl/branches/wheezy/debian/patches/0002-Free-up-ADB-and-CHOICE-if-already-initialised.patch
openssl/branches/wheezy/debian/patches/0003-Free-up-passed-ASN.1-structure-if-reused.patch
openssl/branches/wheezy/debian/patches/0004-Fix-ASN1_TYPE_cmp.patch
openssl/branches/wheezy/debian/patches/0005-PKCS-7-avoid-NULL-pointer-dereferences-with-missing-.patch
openssl/branches/wheezy/debian/patches/0006-Fix-reachable-assert-in-SSLv2-servers.patch
openssl/branches/wheezy/debian/patches/0008-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch
openssl/branches/wheezy/debian/patches/0082-Return-error-when-a-bit-string-indicates-an-invalid-.patch
openssl/branches/wheezy/debian/patches/0094-Fix-various-certificate-fingerprint-issues.patch
openssl/branches/wheezy/debian/patches/0095-Constify-ASN1_TYPE_cmp-add-X509_ALGOR_cmp.patch
openssl/branches/wheezy/debian/patches/0098-ECDH-downgrade-bug-fix.patch
openssl/branches/wheezy/debian/patches/0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch
openssl/branches/wheezy/debian/patches/0102-use-correct-function-name.patch
openssl/branches/wheezy/debian/patches/0107-fix-error-discrepancy.patch
openssl/branches/wheezy/debian/patches/0108-Fix-for-CVE-2014-3570.patch
openssl/branches/wheezy/debian/patches/0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch
openssl/branches/wheezy/debian/patches/0110-Follow-on-from-CVE-2014-3571.-This-fixes-the-code-th.patch
openssl/branches/wheezy/debian/patches/0111-Unauthenticated-DH-client-certificate-fix.patch
openssl/branches/wheezy/debian/patches/0112-A-memory-leak-can-occur-in-dtls1_buffer_record-if-ei.patch
openssl/branches/wheezy/debian/patches/Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch
openssl/branches/wheezy/debian/patches/Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch
openssl/branches/wheezy/debian/patches/Avoid-double-free-when-processing-DTLS-packets.patch
openssl/branches/wheezy/debian/patches/CVE-2010-5298.patch
openssl/branches/wheezy/debian/patches/CVE-2012-4929.patch
openssl/branches/wheezy/debian/patches/CVE-2013-4353.patch
openssl/branches/wheezy/debian/patches/CVE-2013-6449.patch
openssl/branches/wheezy/debian/patches/CVE-2013-6450.patch
openssl/branches/wheezy/debian/patches/CVE-2014-0076.patch
openssl/branches/wheezy/debian/patches/CVE-2014-0160.patch
openssl/branches/wheezy/debian/patches/CVE-2014-0195.patch
openssl/branches/wheezy/debian/patches/CVE-2014-0198.patch
openssl/branches/wheezy/debian/patches/CVE-2014-0221.patch
openssl/branches/wheezy/debian/patches/CVE-2014-0224.patch
openssl/branches/wheezy/debian/patches/CVE-2014-3470.patch
openssl/branches/wheezy/debian/patches/CVE-2014-8176.patch
openssl/branches/wheezy/debian/patches/CVE-2014-XXXX-Extension-checking-fixes.patch
openssl/branches/wheezy/debian/patches/CVE-2015-1788.patch
openssl/branches/wheezy/debian/patches/CVE-2015-1789.patch
openssl/branches/wheezy/debian/patches/CVE-2015-1790.patch
openssl/branches/wheezy/debian/patches/CVE-2015-1791.patch
openssl/branches/wheezy/debian/patches/CVE-2015-1792.patch
openssl/branches/wheezy/debian/patches/CVE-2015-3194.patch
openssl/branches/wheezy/debian/patches/CVE-2015-3195.patch
openssl/branches/wheezy/debian/patches/CVE-2015-3196.patch
openssl/branches/wheezy/debian/patches/CVE-2015-4000.patch
openssl/branches/wheezy/debian/patches/CVE-2015-7575.patch
openssl/branches/wheezy/debian/patches/CVE-2016-0702.patch
openssl/branches/wheezy/debian/patches/CVE-2016-0705.patch
openssl/branches/wheezy/debian/patches/CVE-2016-0797.patch
openssl/branches/wheezy/debian/patches/CVE-2016-0798.patch
openssl/branches/wheezy/debian/patches/CVE-2016-0799.patch
openssl/branches/wheezy/debian/patches/CVE-2016-2105.patch
openssl/branches/wheezy/debian/patches/CVE-2016-2106.patch
openssl/branches/wheezy/debian/patches/CVE-2016-2107.patch
openssl/branches/wheezy/debian/patches/CVE-2016-2108.patch
openssl/branches/wheezy/debian/patches/CVE-2016-2109.patch
openssl/branches/wheezy/debian/patches/CVE-2016-2176.patch
openssl/branches/wheezy/debian/patches/Check-SRP-parameters-early.patch
openssl/branches/wheezy/debian/patches/Disable-EXPORT-and-LOW-ciphers.patch
openssl/branches/wheezy/debian/patches/ECDHE-ECDSA_Safari.patch
openssl/branches/wheezy/debian/patches/Fix-DTLS-anonymous-EC-DH-denial-of-service.patch
openssl/branches/wheezy/debian/patches/Fix-DTLS-handshake-message-size-checks.patch
openssl/branches/wheezy/debian/patches/Fix-OID-handling.patch
openssl/branches/wheezy/debian/patches/Fix-SRP-buffer-overrun-vulnerability.patch
openssl/branches/wheezy/debian/patches/Fix-SRP-ciphersuite-DoS-vulnerability.patch
openssl/branches/wheezy/debian/patches/Fix-for-SRTP-Memory-Leak.patch
openssl/branches/wheezy/debian/patches/Fix-for-session-tickets-memory-leak.patch
openssl/branches/wheezy/debian/patches/Fix-memory-leak-from-zero-length-DTLS-fragments.patch
openssl/branches/wheezy/debian/patches/Fix-no-ssl3-configuration-option.patch
openssl/branches/wheezy/debian/patches/Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch
openssl/branches/wheezy/debian/patches/Fix-race-condition-in-ssl_parse_serverhello_tlsext.patch
openssl/branches/wheezy/debian/patches/Fix-return-code-for-truncated-DTLS-fragment.patch
openssl/branches/wheezy/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch
openssl/branches/wheezy/debian/patches/Remove-some-duplicate-DTLS-code.patch
openssl/branches/wheezy/debian/patches/SRP-ciphersuite-correction.patch
openssl/branches/wheezy/debian/patches/Support-TLS_FALLBACK_SCSV.patch
openssl/branches/wheezy/debian/patches/aesni-mac.patch
openssl/branches/wheezy/debian/patches/cpuid.patch
openssl/branches/wheezy/debian/patches/default_bits.patch
openssl/branches/wheezy/debian/patches/dgst_hmac.patch
openssl/branches/wheezy/debian/patches/disable_dual_ec_drbg.patch
openssl/branches/wheezy/debian/patches/disable_rdrand.patch
openssl/branches/wheezy/debian/patches/disable_sslv3.patch
openssl/branches/wheezy/debian/patches/dont_change_version.patch
openssl/branches/wheezy/debian/patches/dtls_version.patch
openssl/branches/wheezy/debian/patches/get_certificate.patch
openssl/branches/wheezy/debian/patches/gnu_source.patch
openssl/branches/wheezy/debian/patches/libdoc-manpgs-pod-spell.patch
openssl/branches/wheezy/debian/patches/libssl-misspell.patch
openssl/branches/wheezy/debian/patches/make-targets.patch
openssl/branches/wheezy/debian/patches/openssl-pod-misspell.patch
openssl/branches/wheezy/debian/patches/pkcs12-doc.patch
openssl/branches/wheezy/debian/patches/pod_ec.misspell.patch
openssl/branches/wheezy/debian/patches/pod_pksc12.misspell.patch
openssl/branches/wheezy/debian/patches/pod_req_misspell2.patch
openssl/branches/wheezy/debian/patches/pod_s_server.misspell.patch
openssl/branches/wheezy/debian/patches/pod_x509setflags.misspell.patch
openssl/branches/wheezy/debian/patches/rehash_pod.patch
openssl/branches/wheezy/debian/patches/ssltest_no_sslv2.patch
Modified:
openssl/branches/wheezy/debian/changelog
openssl/branches/wheezy/debian/patches/block_digicert_malaysia.patch
openssl/branches/wheezy/debian/patches/block_diginotar.patch
openssl/branches/wheezy/debian/patches/c_rehash-compat.patch
openssl/branches/wheezy/debian/patches/ca.patch
openssl/branches/wheezy/debian/patches/config-hurd.patch
openssl/branches/wheezy/debian/patches/debian-targets.patch
openssl/branches/wheezy/debian/patches/engines-path.patch
openssl/branches/wheezy/debian/patches/man-dir.patch
openssl/branches/wheezy/debian/patches/man-section.patch
openssl/branches/wheezy/debian/patches/no-rpath.patch
openssl/branches/wheezy/debian/patches/no-symbolic.patch
openssl/branches/wheezy/debian/patches/pic.patch
openssl/branches/wheezy/debian/patches/rehash-crt.patch
openssl/branches/wheezy/debian/patches/series
openssl/branches/wheezy/debian/patches/shared-lib-ext.patch
openssl/branches/wheezy/debian/patches/stddef.patch
openssl/branches/wheezy/debian/patches/valgrind.patch
openssl/branches/wheezy/debian/patches/version-script.patch
openssl/branches/wheezy/debian/rules
Log:
New upstream version + security updates, based on jessie.
Modified: openssl/branches/wheezy/debian/changelog
===================================================================
--- openssl/branches/wheezy/debian/changelog 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/changelog 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,3 +1,21 @@
+openssl (1.0.1t-1+deb7u1) wheezy-security; urgency=medium
+
+ * New upstream version, based on the version in jessie.
+ - Remove patches applied upstream
+ * Fix CVE-2016-2177
+ * Fix CVE-2016-2178
+ * Fix CVE-2016-2179
+ * Fix CVE-2016-2180
+ * Fix CVE-2016-2181
+ * Fix CVE-2016-2182
+ * Fix CVE-2016-2183
+ * Fix CVE-2016-6302
+ * Fix CVE-2016-6303
+ * Fix CVE-2016-6304
+ * Fix CVE-2016-6306
+
+ -- Kurt Roeckx <kurt at roeckx.be> Sun, 25 Sep 2016 11:15:41 +0200
+
openssl (1.0.1e-2+deb7u21) wheezy-security; urgency=medium
* Fix CVE-2016-2105
Deleted: openssl/branches/wheezy/debian/patches/0001-Check-public-key-is-not-NULL.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-Check-public-key-is-not-NULL.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0001-Check-public-key-is-not-NULL.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,27 +0,0 @@
-From 51527f1e3564f210e984fe5b654c45d34e4f03d7 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Wed, 18 Feb 2015 00:34:59 +0000
-Subject: [PATCH] Check public key is not NULL.
-
-CVE-2015-0288
-PR#3708
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
-(cherry picked from commit 28a00bcd8e318da18031b2ac8778c64147cd54f9)
----
- crypto/x509/x509_req.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-Index: openssl-1.0.1e/crypto/x509/x509_req.c
-===================================================================
---- openssl-1.0.1e.orig/crypto/x509/x509_req.c
-+++ openssl-1.0.1e/crypto/x509/x509_req.c
-@@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_
- goto err;
-
- pktmp = X509_get_pubkey(x);
-+ if (pktmp == NULL)
-+ goto err;
- i=X509_REQ_set_pubkey(ret,pktmp);
- EVP_PKEY_free(pktmp);
- if (!i) goto err;
Deleted: openssl/branches/wheezy/debian/patches/0001-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0001-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,45 +0,0 @@
-From 89117535f1bb3ea72a17933b703271587d7aaf0b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Mon, 9 Feb 2015 11:38:41 +0000
-Subject: [PATCH] Fix a failure to NULL a pointer freed on error.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman at chromium.org>
-
-CVE-2015-0209
-
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- crypto/ec/ec_asn1.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-Index: openssl-1.0.1e/crypto/ec/ec_asn1.c
-===================================================================
---- openssl-1.0.1e.orig/crypto/ec/ec_asn1.c
-+++ openssl-1.0.1e/crypto/ec/ec_asn1.c
-@@ -1140,8 +1140,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
- ERR_R_MALLOC_FAILURE);
- goto err;
- }
-- if (a)
-- *a = ret;
- }
- else
- ret = *a;
-@@ -1206,11 +1204,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
- }
- }
-
-+ if (a)
-+ *a = ret;
- ok = 1;
- err:
- if (!ok)
- {
-- if (ret)
-+ if (ret && (a == NULL || *a != ret))
- EC_KEY_free(ret);
- ret = NULL;
- }
Deleted: openssl/branches/wheezy/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,28 +0,0 @@
-From 1895583835239bc44c3f6584e48f0279ad884f3b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Mon, 26 Jan 2015 16:47:36 +0000
-Subject: [PATCH] Make DTLS always act as if read_ahead is set. The actual
- value of read_ahead is ignored for DTLS.
-
-RT#3657
-
-Reviewed-by: Andy Polyakov <appro at openssl.org>
-(cherry picked from commit 8dd4ad0ff5d1d07ec4b6dd5d5104131269a472aa)
----
- ssl/s3_pkt.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-Index: openssl-1.0.1e/ssl/s3_pkt.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_pkt.c
-+++ openssl-1.0.1e/ssl/s3_pkt.c
-@@ -217,7 +217,8 @@ int ssl3_read_n(SSL *s, int n, int max,
- return -1;
- }
-
-- if (!s->read_ahead)
-+ /* We always act like read_ahead is set for DTLS */
-+ if (!s->read_ahead && !SSL_IS_DTLS(s))
- /* ignore max parameter */
- max = n;
- else
Deleted: openssl/branches/wheezy/debian/patches/0001-Remove-export-ciphers-from-the-DEFAULT-cipher-list.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-Remove-export-ciphers-from-the-DEFAULT-cipher-list.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0001-Remove-export-ciphers-from-the-DEFAULT-cipher-list.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,81 +0,0 @@
-From bc2e18a3c818ae7e2d8c996b6648aa4ae8e3ee28 Mon Sep 17 00:00:00 2001
-From: Kurt Roeckx <kurt at roeckx.be>
-Date: Wed, 4 Mar 2015 21:57:52 +0100
-Subject: [PATCH] Remove export ciphers from the DEFAULT cipher list
-
-They are moved to the COMPLEMENTOFDEFAULT instead.
-This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.
-
-Reviewed-by: Rich Salz <rsalz at openssl.org>
-(cherry picked from commit f417997a324037025be61737288e40e171a8218c)
-
-Conflicts:
- ssl/ssl_ciph.c
----
- CHANGES | 3 ++-
- doc/apps/ciphers.pod | 4 ++--
- ssl/ssl.h | 2 +-
- ssl/ssl_ciph.c | 11 ++++++++---
- 4 files changed, 13 insertions(+), 7 deletions(-)
-
-Index: openssl-1.0.1e/doc/apps/ciphers.pod
-===================================================================
---- openssl-1.0.1e.orig/doc/apps/ciphers.pod
-+++ openssl-1.0.1e/doc/apps/ciphers.pod
-@@ -109,8 +109,8 @@ The following is a list of all permitted
-
- =item B<DEFAULT>
-
--the default cipher list. This is determined at compile time and, as of OpenSSL
--1.0.0, is normally B<ALL:!aNULL:!eNULL>. This must be the first cipher string
-+the default cipher list. This is determined at compile time and
-+is normally B<ALL:!EXPORT:!aNULL:!eNULL:!SSLv2>. This must be the firstcipher string
- specified.
-
- =item B<COMPLEMENTOFDEFAULT>
-Index: openssl-1.0.1e/ssl/ssl.h
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl.h
-+++ openssl-1.0.1e/ssl/ssl.h
-@@ -332,7 +332,7 @@ extern "C" {
- /* The following cipher list is used by default.
- * It also is substituted when an application-defined cipher list string
- * starts with 'DEFAULT'. */
--#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
-+#define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
- /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
- * starts with a reasonable order, and all we have to do for DEFAULT is
- * throwing out anonymous and unencrypted ciphersuites!
-Index: openssl-1.0.1e/ssl/ssl_ciph.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl_ciph.c
-+++ openssl-1.0.1e/ssl/ssl_ciph.c
-@@ -230,7 +230,7 @@ static const SSL_CIPHER cipher_aliases[]
- {0,SSL_TXT_CMPALL,0, 0,0,SSL_eNULL,0,0,0,0,0,0},
-
- /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */
-- {0,SSL_TXT_CMPDEF,0, SSL_kEDH|SSL_kEECDH,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0},
-+ {0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2, SSL_EXP_MASK, 0, 0, 0},
-
- /* key exchange aliases
- * (some of those using only a single bit here combine
-@@ -976,6 +976,10 @@ static void ssl_cipher_apply_rule(unsign
- printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
- #endif
-
-+ if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
-+ goto ok;
-+ if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
-+ goto ok;
- if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
- continue;
- if (alg_auth && !(alg_auth & cp->algorithm_auth))
-@@ -992,6 +996,8 @@ static void ssl_cipher_apply_rule(unsign
- continue;
- }
-
-+ ok:
-+
- #ifdef CIPHER_DEBUG
- printf("Action = %d\n", rule);
- #endif
Deleted: openssl/branches/wheezy/debian/patches/0001-evp-prevent-underflow-in-base64-decoding.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-evp-prevent-underflow-in-base64-decoding.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0001-evp-prevent-underflow-in-base64-decoding.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,30 +0,0 @@
-From fce3821111e3307a599d2378f2cca2ef2097c6c4 Mon Sep 17 00:00:00 2001
-From: Geoff Thorpe <geoff at openssl.org>
-Date: Sun, 4 May 2014 18:44:14 -0400
-Subject: [PATCH] evp: prevent underflow in base64 decoding
-
-This patch resolves RT ticket #2608.
-
-Thanks to Robert Dugal for originally spotting this, and to David
-Ramos for noticing that the ball had been dropped.
-
-Signed-off-by: Geoff Thorpe <geoff at openssl.org>
----
- crypto/evp/encode.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c
-index e278a1b..a4f7674 100644
---- a/crypto/evp/encode.c
-+++ b/crypto/evp/encode.c
-@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
- v=EVP_DecodeBlock(out,d,n);
- n=0;
- if (v < 0) { rv=0; goto end; }
-+ if (eof > v) { rv=-1; goto end; }
- ret+=(v-eof);
- }
- else
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/0001-fix-warning.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-fix-warning.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0001-fix-warning.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,29 +0,0 @@
-From a67303954caa923e8bf2f2bdf04882e9cbc45cc1 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Sun, 8 Mar 2015 17:31:48 +0000
-Subject: [PATCH 1/6] fix warning
-
-Reviewed-by: Richard Levitte <levitte at openssl.org>
-(cherry picked from commit d6ca1cee8b6efac5906ac66443d1ca67fe689ff8)
----
- ssl/ssl_locl.h | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-Index: openssl-1.0.1e/ssl/ssl_locl.h
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl_locl.h
-+++ openssl-1.0.1e/ssl/ssl_locl.h
-@@ -346,10 +346,10 @@
- #define SSL_AEAD 0x00000040L
-
- /* Bits for algorithm_ssl (protocol version) */
--#define SSL_SSLV2 0x00000001L
--#define SSL_SSLV3 0x00000002L
-+#define SSL_SSLV2 0x00000001UL
-+#define SSL_SSLV3 0x00000002UL
- #define SSL_TLSV1 SSL_SSLV3 /* for now */
--#define SSL_TLSV1_2 0x00000004L
-+#define SSL_TLSV1_2 0x00000004UL
-
-
- /* Bits for algorithm2 (handshake digests and other extra flags) */
Deleted: openssl/branches/wheezy/debian/patches/0002-Free-up-ADB-and-CHOICE-if-already-initialised.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0002-Free-up-ADB-and-CHOICE-if-already-initialised.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0002-Free-up-ADB-and-CHOICE-if-already-initialised.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,58 +0,0 @@
-From a9f34a7aac5fd89f33a34fb71e954b85fbf35875 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Mon, 23 Feb 2015 02:32:44 +0000
-Subject: [PATCH 2/6] Free up ADB and CHOICE if already initialised.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CVE-2015-0287
-
-Reviewed-by: Tim Hudson <tjh at openssl.org>
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- crypto/asn1/tasn_dec.c | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
-
-Index: openssl-1.0.1e/crypto/asn1/tasn_dec.c
-===================================================================
---- openssl-1.0.1e.orig/crypto/asn1/tasn_dec.c
-+++ openssl-1.0.1e/crypto/asn1/tasn_dec.c
-@@ -317,9 +317,16 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
- if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
- goto auxerr;
-
-- /* Allocate structure */
-- if (!*pval && !ASN1_item_ex_new(pval, it))
-- {
-+ if (*pval) {
-+ /* Free up and zero CHOICE value if initialised */
-+ i = asn1_get_choice_selector(pval, it);
-+ if ((i >= 0) && (i < it->tcount)) {
-+ tt = it->templates + i;
-+ pchptr = asn1_get_field_ptr(pval, tt);
-+ ASN1_template_free(pchptr, tt);
-+ asn1_set_choice_selector(pval, -1, it);
-+ }
-+ } else if (!ASN1_item_ex_new(pval, it)) {
- ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
- ERR_R_NESTED_ASN1_ERROR);
- goto err;
-@@ -413,6 +420,17 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
- if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
- goto auxerr;
-
-+ /* Free up and zero any ADB found */
-+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
-+ if (tt->flags & ASN1_TFLG_ADB_MASK) {
-+ const ASN1_TEMPLATE *seqtt;
-+ ASN1_VALUE **pseqval;
-+ seqtt = asn1_do_adb(pval, tt, 1);
-+ pseqval = asn1_get_field_ptr(pval, seqtt);
-+ ASN1_template_free(pseqval, seqtt);
-+ }
-+ }
-+
- /* Get each field entry */
- for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
- {
Deleted: openssl/branches/wheezy/debian/patches/0003-Free-up-passed-ASN.1-structure-if-reused.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0003-Free-up-passed-ASN.1-structure-if-reused.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0003-Free-up-passed-ASN.1-structure-if-reused.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,75 +0,0 @@
-From 1a87b757b9f755f687492f6b9f685be8e0cd82b0 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Mon, 23 Feb 2015 12:57:50 +0000
-Subject: [PATCH 3/6] Free up passed ASN.1 structure if reused.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Change the "reuse" behaviour in ASN1_item_d2i: if successful the old
-structure is freed and a pointer to the new one used. If it is not
-successful then the passed structure is untouched.
-
-Exception made for primitive types so ssl_asn1.c still works.
-
-Reviewed-by: Tim Hudson <tjh at openssl.org>
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- crypto/asn1/tasn_dec.c | 14 ++++++++++----
- doc/crypto/d2i_X509.pod | 9 +++++++--
- 2 files changed, 17 insertions(+), 6 deletions(-)
-
-Index: openssl-1.0.1e/crypto/asn1/tasn_dec.c
-===================================================================
---- openssl-1.0.1e.orig/crypto/asn1/tasn_dec.c
-+++ openssl-1.0.1e/crypto/asn1/tasn_dec.c
-@@ -130,11 +130,17 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **p
- {
- ASN1_TLC c;
- ASN1_VALUE *ptmpval = NULL;
-- if (!pval)
-- pval = &ptmpval;
- asn1_tlc_clear_nc(&c);
-- if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
-- return *pval;
-+ if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
-+ ptmpval = *pval;
-+ if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
-+ if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
-+ if (*pval)
-+ ASN1_item_free(*pval, it);
-+ *pval = ptmpval;
-+ }
-+ return ptmpval;
-+ }
- return NULL;
- }
-
-Index: openssl-1.0.1e/doc/crypto/d2i_X509.pod
-===================================================================
---- openssl-1.0.1e.orig/doc/crypto/d2i_X509.pod
-+++ openssl-1.0.1e/doc/crypto/d2i_X509.pod
-@@ -199,6 +199,12 @@ B<*px> is valid is broken and some parts
- persist if they are not present in the new one. As a result the use
- of this "reuse" behaviour is strongly discouraged.
-
-+Current versions of OpenSSL will not modify B<*px> if an error occurs.
-+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
-+set to the value of the newly decoded structure. As a result B<*px>
-+B<must not> be allocated on the stack or an attempt will be made to
-+free an invalid pointer.
-+
- i2d_X509() will not return an error in many versions of OpenSSL,
- if mandatory fields are not initialized due to a programming error
- then the encoded structure may contain invalid data or omit the
-@@ -210,7 +216,9 @@ always succeed.
-
- d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
- or B<NULL> if an error occurs. The error code that can be obtained by
--L<ERR_get_error(3)|ERR_get_error(3)>.
-+L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
-+with a valid X509 structure being passed in via B<px> then the object is not
-+modified in the event of error.
-
- i2d_X509() returns the number of bytes successfully encoded or a negative
- value if an error occurs. The error code can be obtained by
Deleted: openssl/branches/wheezy/debian/patches/0004-Fix-ASN1_TYPE_cmp.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0004-Fix-ASN1_TYPE_cmp.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0004-Fix-ASN1_TYPE_cmp.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,30 +0,0 @@
-From ee5a1253285e5c9f406c8b57b0686319b70c07d8 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Mon, 9 Mar 2015 23:11:45 +0000
-Subject: [PATCH 4/6] Fix ASN1_TYPE_cmp
-
-Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
-can be triggered during certificate verification so could be a DoS attack
-against a client or a server enabling client authentication.
-
-CVE-2015-0286
-
-Reviewed-by: Richard Levitte <levitte at openssl.org>
----
- crypto/asn1/a_type.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-Index: openssl-1.0.1e/crypto/asn1/a_type.c
-===================================================================
---- openssl-1.0.1e.orig/crypto/asn1/a_type.c
-+++ openssl-1.0.1e/crypto/asn1/a_type.c
-@@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
- case V_ASN1_OBJECT:
- result = OBJ_cmp(a->value.object, b->value.object);
- break;
-+ case V_ASN1_BOOLEAN:
-+ result = a->value.boolean - b->value.boolean;
-+ break;
- case V_ASN1_NULL:
- result = 0; /* They do not have content. */
- break;
Deleted: openssl/branches/wheezy/debian/patches/0005-PKCS-7-avoid-NULL-pointer-dereferences-with-missing-.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0005-PKCS-7-avoid-NULL-pointer-dereferences-with-missing-.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0005-PKCS-7-avoid-NULL-pointer-dereferences-with-missing-.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,195 +0,0 @@
-From d3d52c73544bba800c2a8f5ef3376358158cf2ca Mon Sep 17 00:00:00 2001
-From: Emilia Kasper <emilia at openssl.org>
-Date: Fri, 27 Feb 2015 16:52:23 +0100
-Subject: [PATCH 5/6] PKCS#7: avoid NULL pointer dereferences with missing
- content
-
-In PKCS#7, the ASN.1 content component is optional.
-This typically applies to inner content (detached signatures),
-however we must also handle unexpected missing outer content
-correctly.
-
-This patch only addresses functions reachable from parsing,
-decryption and verification, and functions otherwise associated
-with reading potentially untrusted data.
-
-Correcting all low-level API calls requires further work.
-
-CVE-2015-0289
-
-Thanks to Michal Zalewski (Google) for reporting this issue.
-
-Reviewed-by: Steve Henson <steve at openssl.org>
----
- crypto/pkcs7/pk7_doit.c | 87 +++++++++++++++++++++++++++++++++++++++++--------
- crypto/pkcs7/pk7_lib.c | 3 ++
- 2 files changed, 76 insertions(+), 14 deletions(-)
-
-Index: openssl-1.0.1e/crypto/pkcs7/pk7_doit.c
-===================================================================
---- openssl-1.0.1e.orig/crypto/pkcs7/pk7_doit.c
-+++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c
-@@ -272,6 +272,25 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
- PKCS7_RECIP_INFO *ri=NULL;
- ASN1_OCTET_STRING *os=NULL;
-
-+ if (p7 == NULL) {
-+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
-+ return NULL;
-+ }
-+ /*
-+ * The content field in the PKCS7 ContentInfo is optional, but that really
-+ * only applies to inner content (precisely, detached signatures).
-+ *
-+ * When reading content, missing outer content is therefore treated as an
-+ * error.
-+ *
-+ * When creating content, PKCS7_content_new() must be called before
-+ * calling this method, so a NULL p7->d is always an error.
-+ */
-+ if (p7->d.ptr == NULL) {
-+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
-+ return NULL;
-+ }
-+
- i=OBJ_obj2nid(p7->type);
- p7->state=PKCS7_S_HEADER;
-
-@@ -433,6 +452,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
- unsigned char *ek = NULL, *tkey = NULL;
- int eklen = 0, tkeylen = 0;
-
-+ if (p7 == NULL) {
-+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
-+ return NULL;
-+ }
-+
-+ if (p7->d.ptr == NULL) {
-+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
-+ return NULL;
-+ }
-+
- i=OBJ_obj2nid(p7->type);
- p7->state=PKCS7_S_HEADER;
-
-@@ -747,6 +776,16 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
- STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
- ASN1_OCTET_STRING *os=NULL;
-
-+ if (p7 == NULL) {
-+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
-+ return 0;
-+ }
-+
-+ if (p7->d.ptr == NULL) {
-+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
-+ return 0;
-+ }
-+
- EVP_MD_CTX_init(&ctx_tmp);
- i=OBJ_obj2nid(p7->type);
- p7->state=PKCS7_S_HEADER;
-@@ -791,6 +830,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
- /* If detached data then the content is excluded */
- if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
- M_ASN1_OCTET_STRING_free(os);
-+ os = NULL;
- p7->d.sign->contents->d.data = NULL;
- }
- break;
-@@ -801,6 +841,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
- if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
- {
- M_ASN1_OCTET_STRING_free(os);
-+ os = NULL;
- p7->d.digest->contents->d.data = NULL;
- }
- break;
-@@ -873,24 +914,31 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
- M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
- }
-
-- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))
-- {
-- char *cont;
-- long contlen;
-- btmp=BIO_find_type(bio,BIO_TYPE_MEM);
-- if (btmp == NULL)
-- {
-- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
-- goto err;
-- }
-- contlen = BIO_get_mem_data(btmp, &cont);
-- /* Mark the BIO read only then we can use its copy of the data
-- * instead of making an extra copy.
-- */
-- BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
-- BIO_set_mem_eof_return(btmp, 0);
-- ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
-- }
-+ if (!PKCS7_is_detached(p7)) {
-+ /*
-+ * NOTE(emilia): I think we only reach os == NULL here because detached
-+ * digested data support is broken.
-+ */
-+ if (os == NULL)
-+ goto err;
-+ if (!(os->flags & ASN1_STRING_FLAG_NDEF)) {
-+ char *cont;
-+ long contlen;
-+ btmp = BIO_find_type(bio, BIO_TYPE_MEM);
-+ if (btmp == NULL) {
-+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
-+ goto err;
-+ }
-+ contlen = BIO_get_mem_data(btmp, &cont);
-+ /*
-+ * Mark the BIO read only then we can use its copy of the data
-+ * instead of making an extra copy.
-+ */
-+ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
-+ BIO_set_mem_eof_return(btmp, 0);
-+ ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
-+ }
-+ }
- ret=1;
- err:
- EVP_MD_CTX_cleanup(&ctx_tmp);
-@@ -965,6 +1013,16 @@ int PKCS7_dataVerify(X509_STORE *cert_st
- STACK_OF(X509) *cert;
- X509 *x509;
-
-+ if (p7 == NULL) {
-+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
-+ return 0;
-+ }
-+
-+ if (p7->d.ptr == NULL) {
-+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
-+ return 0;
-+ }
-+
- if (PKCS7_type_is_signed(p7))
- {
- cert=p7->d.sign->cert;
-Index: openssl-1.0.1e/crypto/pkcs7/pk7_lib.c
-===================================================================
---- openssl-1.0.1e.orig/crypto/pkcs7/pk7_lib.c
-+++ openssl-1.0.1e/crypto/pkcs7/pk7_lib.c
-@@ -71,6 +71,7 @@ long PKCS7_ctrl(PKCS7 *p7, int cmd, long
-
- switch (cmd)
- {
-+ /* NOTE(emilia): does not support detached digested data. */
- case PKCS7_OP_SET_DETACHED_SIGNATURE:
- if (nid == NID_pkcs7_signed)
- {
-@@ -459,6 +460,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV
-
- STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
- {
-+ if (p7 == NULL || p7->d.ptr == NULL)
-+ return NULL;
- if (PKCS7_type_is_signed(p7))
- {
- return(p7->d.sign->signer_info);
Deleted: openssl/branches/wheezy/debian/patches/0006-Fix-reachable-assert-in-SSLv2-servers.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0006-Fix-reachable-assert-in-SSLv2-servers.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0006-Fix-reachable-assert-in-SSLv2-servers.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,130 +0,0 @@
-From a40c1bcb8c37fbad24d8f28f0fb0204d76f0fee2 Mon Sep 17 00:00:00 2001
-From: Emilia Kasper <emilia at openssl.org>
-Date: Wed, 4 Mar 2015 09:05:02 -0800
-Subject: [PATCH 6/6] Fix reachable assert in SSLv2 servers.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This assert is reachable for servers that support SSLv2 and export ciphers.
-Therefore, such servers can be DoSed by sending a specially crafted
-SSLv2 CLIENT-MASTER-KEY.
-
-Also fix s2_srvr.c to error out early if the key lengths are malformed.
-These lengths are sent unencrypted, so this does not introduce an oracle.
-
-CVE-2015-0293
-
-This issue was discovered by Sean Burford (Google) and Emilia Käsper of
-the OpenSSL development team.
-
-Reviewed-by: Richard Levitte <levitte at openssl.org>
-Reviewed-by: Tim Hudson <tjh at openssl.org>
----
- ssl/s2_lib.c | 2 +-
- ssl/s2_srvr.c | 57 +++++++++++++++++++++++++++++++++++++++++++++------------
- 2 files changed, 46 insertions(+), 13 deletions(-)
-
-Index: openssl-1.0.1e/ssl/s2_lib.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s2_lib.c
-+++ openssl-1.0.1e/ssl/s2_lib.c
-@@ -488,7 +488,7 @@ int ssl2_generate_key_material(SSL *s)
-
- OPENSSL_assert(s->session->master_key_length >= 0
- && s->session->master_key_length
-- < (int)sizeof(s->session->master_key));
-+ <= (int)sizeof(s->session->master_key));
- EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
- EVP_DigestUpdate(&ctx,&c,1);
- c++;
-Index: openssl-1.0.1e/ssl/s2_srvr.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s2_srvr.c
-+++ openssl-1.0.1e/ssl/s2_srvr.c
-@@ -446,9 +446,6 @@ static int get_client_master_key(SSL *s)
- SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
- return(-1);
- }
-- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
-- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
-- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
-
- is_export=SSL_C_IS_EXPORT(s->session->cipher);
-
-@@ -467,21 +464,60 @@ static int get_client_master_key(SSL *s)
- else
- ek=5;
-
-+ /*
-+ * The format of the CLIENT-MASTER-KEY message is
-+ * 1 byte message type
-+ * 3 bytes cipher
-+ * 2-byte clear key length (stored in s->s2->tmp.clear)
-+ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
-+ * 2-byte key args length (IV etc)
-+ * clear key
-+ * encrypted key
-+ * key args
-+ *
-+ * If the cipher is an export cipher, then the encrypted key bytes
-+ * are a fixed portion of the total key (5 or 8 bytes). The size of
-+ * this portion is in |ek|. If the cipher is not an export cipher,
-+ * then the entire key material is encrypted (i.e., clear key length
-+ * must be zero).
-+ */
-+ if ((!is_export && s->s2->tmp.clear != 0) ||
-+ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
-+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
-+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
-+ return -1;
-+ }
-+ /*
-+ * The encrypted blob must decrypt to the encrypted portion of the key.
-+ * Decryption can't be expanding, so if we don't have enough encrypted
-+ * bytes to fit the key in the buffer, stop now.
-+ */
-+ if ((is_export && s->s2->tmp.enc < ek) ||
-+ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
-+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
-+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
-+ return -1;
-+ }
-+
-+ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
-+ &(p[s->s2->tmp.clear]),
-+ &(p[s->s2->tmp.clear]),
-+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
-+ RSA_PKCS1_PADDING);
-+
- /* bad decrypt */
- #if 1
- /* If a bad decrypt, continue with protocol but with a
- * random master secret (Bleichenbacher attack) */
-- if ((i < 0) ||
-- ((!is_export && (i != EVP_CIPHER_key_length(c)))
-- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
-- (unsigned int)EVP_CIPHER_key_length(c))))))
-+ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
-+ || (is_export && i != ek))) {
- {
- ERR_clear_error();
- if (is_export)
- i=ek;
- else
- i=EVP_CIPHER_key_length(c);
-- if (RAND_pseudo_bytes(p,i) <= 0)
-+ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
- return 0;
- }
- #else
-@@ -505,7 +541,8 @@ static int get_client_master_key(SSL *s)
- }
- #endif
-
-- if (is_export) i+=s->s2->tmp.clear;
-+ if (is_export)
-+ i = EVP_CIPHER_key_length(c);
-
- if (i > SSL_MAX_MASTER_KEY_LENGTH)
- {
Deleted: openssl/branches/wheezy/debian/patches/0008-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0008-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0008-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,73 +0,0 @@
-From a4517be9e348634ac64f9cf093131e13e8c03e38 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Thu, 19 Mar 2015 10:16:32 +0000
-Subject: [PATCH 08/12] Fix a failure to NULL a pointer freed on error.
-
-Reported by the LibreSSL project as a follow on to CVE-2015-0209
-
-Reviewed-by: Richard Levitte <levitte at openssl.org>
----
- crypto/asn1/x_x509.c | 12 +++++++++++-
- crypto/ec/ec_asn1.c | 7 +++++--
- 2 files changed, 16 insertions(+), 3 deletions(-)
-
-Index: openssl-1.0.1e/crypto/asn1/x_x509.c
-===================================================================
---- openssl-1.0.1e.orig/crypto/asn1/x_x509.c 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/crypto/asn1/x_x509.c 2015-03-19 18:07:02.689136145 +0000
-@@ -170,8 +170,14 @@
- {
- const unsigned char *q;
- X509 *ret;
-+ int freeret = 0;
-+
- /* Save start position */
- q = *pp;
-+
-+ if(!a || *a == NULL) {
-+ freeret = 1;
-+ }
- ret = d2i_X509(a, pp, length);
- /* If certificate unreadable then forget it */
- if(!ret) return NULL;
-@@ -181,7 +187,11 @@
- if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err;
- return ret;
- err:
-- X509_free(ret);
-+ if(freeret) {
-+ X509_free(ret);
-+ if (a)
-+ *a = NULL;
-+ }
- return NULL;
- }
-
-Index: openssl-1.0.1e/crypto/ec/ec_asn1.c
-===================================================================
---- openssl-1.0.1e.orig/crypto/ec/ec_asn1.c 2015-03-19 18:06:21.000000000 +0000
-+++ openssl-1.0.1e/crypto/ec/ec_asn1.c 2015-03-19 18:09:11.394282947 +0000
-@@ -1358,8 +1358,6 @@
- ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
- return NULL;
- }
-- if (a)
-- *a = ret;
- }
- else
- ret = *a;
-@@ -1367,9 +1365,14 @@
- if (!d2i_ECPKParameters(&ret->group, in, len))
- {
- ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
-+ if (a == NULL || *a != ret)
-+ EC_KEY_free(ret);
- return NULL;
- }
-
-+ if (a)
-+ *a = ret;
-+
- return ret;
- }
-
Deleted: openssl/branches/wheezy/debian/patches/0082-Return-error-when-a-bit-string-indicates-an-invalid-.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0082-Return-error-when-a-bit-string-indicates-an-invalid-.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0082-Return-error-when-a-bit-string-indicates-an-invalid-.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,62 +0,0 @@
-From 86edf13b1c97526c0cf63c37342aaa01f5442688 Mon Sep 17 00:00:00 2001
-From: Kurt Roeckx <kurt at roeckx.be>
-Date: Mon, 15 Dec 2014 17:15:16 +0100
-Subject: [PATCH 082/117] Return error when a bit string indicates an invalid
- amount of bits left
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
----
- crypto/asn1/a_bitstr.c | 7 ++++++-
- crypto/asn1/asn1.h | 1 +
- crypto/asn1/asn1_err.c | 1 +
- 3 files changed, 8 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
-index 3417996..4117a67 100644
---- a/crypto/asn1/a_bitstr.c
-+++ b/crypto/asn1/a_bitstr.c
-@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
-
- p= *pp;
- i= *(p++);
-+ if (i > 7)
-+ {
-+ i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
-+ goto err;
-+ }
- /* We do this to preserve the settings. If we modify
- * the settings, via the _set_bit function, we will recalculate
- * on output */
- ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
-- ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
-+ ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
-
- if (len-- > 1) /* using one because of the bits left byte */
- {
-diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
-index 89a2ad4..672c97f 100644
---- a/crypto/asn1/asn1.h
-+++ b/crypto/asn1/asn1.h
-@@ -1329,6 +1329,7 @@ void ERR_load_ASN1_strings(void);
- #define ASN1_R_ILLEGAL_TIME_VALUE 184
- #define ASN1_R_INTEGER_NOT_ASCII_FORMAT 185
- #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 128
-+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 220
- #define ASN1_R_INVALID_BMPSTRING_LENGTH 129
- #define ASN1_R_INVALID_DIGIT 130
- #define ASN1_R_INVALID_MIME_TYPE 205
-diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c
-index 73686de..568a841 100644
---- a/crypto/asn1/asn1_err.c
-+++ b/crypto/asn1/asn1_err.c
-@@ -246,6 +246,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
- {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE) ,"illegal time value"},
- {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
- {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
-+{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
- {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
- {ERR_REASON(ASN1_R_INVALID_DIGIT) ,"invalid digit"},
- {ERR_REASON(ASN1_R_INVALID_MIME_TYPE) ,"invalid mime type"},
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/0094-Fix-various-certificate-fingerprint-issues.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0094-Fix-various-certificate-fingerprint-issues.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0094-Fix-various-certificate-fingerprint-issues.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,162 +0,0 @@
-From a8565530e27718760220df469f0a071c85b9e731 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Sat, 20 Dec 2014 15:09:50 +0000
-Subject: [PATCH 094/117] Fix various certificate fingerprint issues.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-By using non-DER or invalid encodings outside the signed portion of a
-certificate the fingerprint can be changed without breaking the signature.
-Although no details of the signed portion of the certificate can be changed
-this can cause problems with some applications: e.g. those using the
-certificate fingerprint for blacklists.
-
-1. Reject signatures with non zero unused bits.
-
-If the BIT STRING containing the signature has non zero unused bits reject
-the signature. All current signature algorithms require zero unused bits.
-
-2. Check certificate algorithm consistency.
-
-Check the AlgorithmIdentifier inside TBS matches the one in the
-certificate signature. NB: this will result in signature failure
-errors for some broken certificates.
-
-3. Check DSA/ECDSA signatures use DER.
-
-Reencode DSA/ECDSA signatures and compare with the original received
-signature. Return an error if there is a mismatch.
-
-This will reject various cases including garbage after signature
-(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
-program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
-(negative or with leading zeroes).
-
-CVE-2014-8275
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
-
-(cherry picked from commit 684400ce192dac51df3d3e92b61830a6ef90be3e)
----
- crypto/asn1/a_verify.c | 12 ++++++++++++
- crypto/dsa/dsa_asn1.c | 14 +++++++++++++-
- crypto/ecdsa/ecs_vrf.c | 15 ++++++++++++++-
- crypto/x509/x_all.c | 2 ++
- 5 files changed, 78 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
-index fc84cd3..a571009 100644
---- a/crypto/asn1/a_verify.c
-+++ b/crypto/asn1/a_verify.c
-@@ -90,6 +90,12 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
- ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
- goto err;
- }
-+
-+ if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
-+ {
-+ ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
-+ goto err;
-+ }
-
- inl=i2d(data,NULL);
- buf_in=OPENSSL_malloc((unsigned int)inl);
-@@ -146,6 +152,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
- return -1;
- }
-
-+ if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
-+ {
-+ ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
-+ return -1;
-+ }
-+
- EVP_MD_CTX_init(&ctx);
-
- /* Convert signature OID into digest and public key OIDs */
-diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c
-index 6058534..473af87 100644
---- a/crypto/dsa/dsa_asn1.c
-+++ b/crypto/dsa/dsa_asn1.c
-@@ -176,13 +176,25 @@ int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
- const unsigned char *sigbuf, int siglen, DSA *dsa)
- {
- DSA_SIG *s;
-+ const unsigned char *p = sigbuf;
-+ unsigned char *der = NULL;
-+ int derlen = -1;
- int ret=-1;
-
- s = DSA_SIG_new();
- if (s == NULL) return(ret);
-- if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
-+ if (d2i_DSA_SIG(&s,&p,siglen) == NULL) goto err;
-+ /* Ensure signature uses DER and doesn't have trailing garbage */
-+ derlen = i2d_DSA_SIG(s, &der);
-+ if (derlen != siglen || memcmp(sigbuf, der, derlen))
-+ goto err;
- ret=DSA_do_verify(dgst,dgst_len,s,dsa);
- err:
-+ if (derlen > 0)
-+ {
-+ OPENSSL_cleanse(der, derlen);
-+ OPENSSL_free(der);
-+ }
- DSA_SIG_free(s);
- return(ret);
- }
-diff --git a/crypto/ecdsa/ecs_vrf.c b/crypto/ecdsa/ecs_vrf.c
-index ef9acf7..2836efe 100644
---- a/crypto/ecdsa/ecs_vrf.c
-+++ b/crypto/ecdsa/ecs_vrf.c
-@@ -57,6 +57,7 @@
- */
-
- #include "ecs_locl.h"
-+#include "cryptlib.h"
- #ifndef OPENSSL_NO_ENGINE
- #include <openssl/engine.h>
- #endif
-@@ -84,13 +85,25 @@ int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len,
- const unsigned char *sigbuf, int sig_len, EC_KEY *eckey)
- {
- ECDSA_SIG *s;
-+ const unsigned char *p = sigbuf;
-+ unsigned char *der = NULL;
-+ int derlen = -1;
- int ret=-1;
-
- s = ECDSA_SIG_new();
- if (s == NULL) return(ret);
-- if (d2i_ECDSA_SIG(&s, &sigbuf, sig_len) == NULL) goto err;
-+ if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) goto err;
-+ /* Ensure signature uses DER and doesn't have trailing garbage */
-+ derlen = i2d_ECDSA_SIG(s, &der);
-+ if (derlen != sig_len || memcmp(sigbuf, der, derlen))
-+ goto err;
- ret=ECDSA_do_verify(dgst, dgst_len, s, eckey);
- err:
-+ if (derlen > 0)
-+ {
-+ OPENSSL_cleanse(der, derlen);
-+ OPENSSL_free(der);
-+ }
- ECDSA_SIG_free(s);
- return(ret);
- }
-diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
-index e06602d..fef55f8 100644
---- a/crypto/x509/x_all.c
-+++ b/crypto/x509/x_all.c
-@@ -72,6 +72,8 @@
-
- int X509_verify(X509 *a, EVP_PKEY *r)
- {
-+ if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
-+ return 0;
- return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg,
- a->signature,a->cert_info,r));
- }
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/0095-Constify-ASN1_TYPE_cmp-add-X509_ALGOR_cmp.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0095-Constify-ASN1_TYPE_cmp-add-X509_ALGOR_cmp.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0095-Constify-ASN1_TYPE_cmp-add-X509_ALGOR_cmp.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,77 +0,0 @@
-From 5951cc004b96cd681ffdf39d3fc9238a1ff597ae Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Sun, 14 Dec 2014 23:14:15 +0000
-Subject: [PATCH 095/117] Constify ASN1_TYPE_cmp add X509_ALGOR_cmp.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
-(cherry picked from commit 4c52816d35681c0533c25fdd3abb4b7c6962302d)
----
- crypto/asn1/a_type.c | 2 +-
- crypto/asn1/asn1.h | 2 +-
- crypto/asn1/x_algor.c | 11 +++++++++++
- crypto/x509/x509.h | 1 +
- 4 files changed, 14 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c
-index a45d2f9..5e1bc76 100644
---- a/crypto/asn1/a_type.c
-+++ b/crypto/asn1/a_type.c
-@@ -113,7 +113,7 @@ IMPLEMENT_STACK_OF(ASN1_TYPE)
- IMPLEMENT_ASN1_SET_OF(ASN1_TYPE)
-
- /* Returns 0 if they are equal, != 0 otherwise. */
--int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b)
-+int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
- {
- int result = -1;
-
-diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h
-index 672c97f..3c45d5d 100644
---- a/crypto/asn1/asn1.h
-+++ b/crypto/asn1/asn1.h
-@@ -776,7 +776,7 @@ DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE)
- int ASN1_TYPE_get(ASN1_TYPE *a);
- void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
- int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);
--int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b);
-+int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);
-
- ASN1_OBJECT * ASN1_OBJECT_new(void );
- void ASN1_OBJECT_free(ASN1_OBJECT *a);
-diff --git a/crypto/asn1/x_algor.c b/crypto/asn1/x_algor.c
-index 274e456..57cc956 100644
---- a/crypto/asn1/x_algor.c
-+++ b/crypto/asn1/x_algor.c
-@@ -142,3 +142,14 @@ void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md)
- X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL);
-
- }
-+
-+int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b)
-+ {
-+ int rv;
-+ rv = OBJ_cmp(a->algorithm, b->algorithm);
-+ if (rv)
-+ return rv;
-+ if (!a->parameter && !b->parameter)
-+ return 0;
-+ return ASN1_TYPE_cmp(a->parameter, b->parameter);
-+ }
-diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
-index 092dd74..ed767f8 100644
---- a/crypto/x509/x509.h
-+++ b/crypto/x509/x509.h
-@@ -768,6 +768,7 @@ int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
- void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
- X509_ALGOR *algor);
- void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
-+int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
-
- X509_NAME *X509_NAME_dup(X509_NAME *xn);
- X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/0098-ECDH-downgrade-bug-fix.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0098-ECDH-downgrade-bug-fix.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0098-ECDH-downgrade-bug-fix.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,69 +0,0 @@
-From ef28c6d6767a6a30df5add36171894c96628fe98 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Fri, 24 Oct 2014 12:30:33 +0100
-Subject: [PATCH 098/117] ECDH downgrade bug fix.
-
-Fix bug where an OpenSSL client would accept a handshake using an
-ephemeral ECDH ciphersuites with the server key exchange message omitted.
-
-Thanks to Karthikeyan Bhargavan for reporting this issue.
-
-CVE-2014-3572
-Reviewed-by: Matt Caswell <matt at openssl.org>
-
-(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
----
- ssl/s3_clnt.c | 18 +++++++++++++++---
- 2 files changed, 22 insertions(+), 3 deletions(-)
-
-Index: openssl-1.0.1e/ssl/s3_clnt.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_clnt.c 2015-01-08 20:43:25.000000000 +0000
-+++ openssl-1.0.1e/ssl/s3_clnt.c 2015-01-08 20:47:39.587041282 +0000
-@@ -1296,6 +1296,8 @@
- int encoded_pt_len = 0;
- #endif
-
-+ EVP_MD_CTX_init(&md_ctx);
-+
- /* use same message size as in ssl3_get_certificate_request()
- * as ServerKeyExchange message may be skipped */
- n=s->method->ssl_get_message(s,
-@@ -1306,14 +1308,26 @@
- &ok);
- if (!ok) return((int)n);
-
-+ alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
-+
- if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
- {
-+ /*
-+ * Can't skip server key exchange if this is an ephemeral
-+ * ciphersuite.
-+ */
-+ if (alg_k & (SSL_kEDH|SSL_kEECDH))
-+ {
-+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
-+ al = SSL_AD_UNEXPECTED_MESSAGE;
-+ goto f_err;
-+ }
- #ifndef OPENSSL_NO_PSK
- /* In plain PSK ciphersuite, ServerKeyExchange can be
- omitted if no identity hint is sent. Set
- session->sess_cert anyway to avoid problems
- later.*/
-- if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)
-+ if (alg_k & SSL_kPSK)
- {
- s->session->sess_cert=ssl_sess_cert_new();
- if (s->ctx->psk_identity_hint)
-@@ -1356,9 +1370,7 @@
- }
-
- param_len=0;
-- alg_k=s->s3->tmp.new_cipher->algorithm_mkey;
- alg_a=s->s3->tmp.new_cipher->algorithm_auth;
-- EVP_MD_CTX_init(&md_ctx);
-
- #ifndef OPENSSL_NO_PSK
- if (alg_k & SSL_kPSK)
Deleted: openssl/branches/wheezy/debian/patches/0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,194 +0,0 @@
-From 37580f43b5a39f5f4e920d17273fab9713d3a744 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Thu, 23 Oct 2014 17:09:57 +0100
-Subject: [PATCH 099/117] Only allow ephemeral RSA keys in export ciphersuites.
-
-OpenSSL clients would tolerate temporary RSA keys in non-export
-ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
-enabled this server side. Remove both options as they are a
-protocol violation.
-
-Thanks to Karthikeyan Bhargavan for reporting this issue.
-(CVE-2015-0204)
-Reviewed-by: Matt Caswell <matt at openssl.org>
-Reviewed-by: Tim Hudson <tjh at openssl.org>
-
-(cherry picked from commit 4b4c1fcc88aec8c9e001b0a0077d3cd4de1ed0e6)
-
-Conflicts:
- doc/ssl/SSL_CTX_set_options.pod
----
- doc/ssl/SSL_CTX_set_options.pod | 10 +---------
- doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod | 23 ++++++++---------------
- ssl/d1_srvr.c | 21 ++++++---------------
- ssl/s3_clnt.c | 7 +++++++
- ssl/s3_srvr.c | 21 ++++++---------------
- ssl/ssl.h | 5 ++---
- 7 files changed, 38 insertions(+), 57 deletions(-)
-
-diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
-index 6e6b5e6..e80a72c 100644
---- a/doc/ssl/SSL_CTX_set_options.pod
-+++ b/doc/ssl/SSL_CTX_set_options.pod
-@@ -158,15 +158,7 @@ temporary/ephemeral DH parameters are used.
-
- =item SSL_OP_EPHEMERAL_RSA
-
--Always use ephemeral (temporary) RSA key when doing RSA operations
--(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
--According to the specifications this is only done, when a RSA key
--can only be used for signature operations (namely under export ciphers
--with restricted RSA keylength). By setting this option, ephemeral
--RSA keys are always used. This option breaks compatibility with the
--SSL/TLS specifications and may lead to interoperability problems with
--clients and should therefore never be used. Ciphers with EDH (ephemeral
--Diffie-Hellman) key exchange should be used instead.
-+This option is no longer implemented and is treated as no op.
-
- =item SSL_OP_CIPHER_SERVER_PREFERENCE
-
-diff --git a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
-index 534643c..8794eb7 100644
---- a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
-+++ b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
-@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead
- in order to achieve forward secrecy (see
- L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
-
--On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
--and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of
--L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
--standard. When ephemeral RSA key exchange is required for export ciphers,
--it will automatically be used without this option!
--
--An application may either directly specify the key or can supply the key via
--a callback function. The callback approach has the advantage, that the
--callback may generate the key only in case it is actually needed. As the
--generation of a RSA key is however costly, it will lead to a significant
--delay in the handshake procedure. Another advantage of the callback function
--is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
--usage) while the explicit setting of the key is only useful for key size of
--512 bits to satisfy the export restricted ciphers and does give away key length
--if a longer key would be allowed.
-+An application may either directly specify the key or can supply the key via a
-+callback function. The callback approach has the advantage, that the callback
-+may generate the key only in case it is actually needed. As the generation of a
-+RSA key is however costly, it will lead to a significant delay in the handshake
-+procedure. Another advantage of the callback function is that it can supply
-+keys of different size while the explicit setting of the key is only useful for
-+key size of 512 bits to satisfy the export restricted ciphers and does give
-+away key length if a longer key would be allowed.
-
- The B<tmp_rsa_callback> is called with the B<keylength> needed and
- the B<is_export> information. The B<is_export> flag is set, when the
-diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
-index e40701e..da4c21e 100644
---- a/ssl/d1_srvr.c
-+++ b/ssl/d1_srvr.c
-@@ -454,24 +454,15 @@ int dtls1_accept(SSL *s)
- case SSL3_ST_SW_KEY_EXCH_B:
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-
-- /* clear this, it may get reset by
-- * send_server_key_exchange */
-- if ((s->options & SSL_OP_EPHEMERAL_RSA)
--#ifndef OPENSSL_NO_KRB5
-- && !(alg_k & SSL_kKRB5)
--#endif /* OPENSSL_NO_KRB5 */
-- )
-- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
-- * even when forbidden by protocol specs
-- * (handshake may fail as clients are not required to
-- * be able to handle this) */
-- s->s3->tmp.use_rsa_tmp=1;
-- else
-- s->s3->tmp.use_rsa_tmp=0;
-+ /*
-+ * clear this, it may get reset by
-+ * send_server_key_exchange
-+ */
-+ s->s3->tmp.use_rsa_tmp=0;
-
- /* only send if a DH key exchange or
- * RSA but we have a sign only certificate */
-- if (s->s3->tmp.use_rsa_tmp
-+ if (0
- /* PSK: send ServerKeyExchange if PSK identity
- * hint if provided */
- #ifndef OPENSSL_NO_PSK
-diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
-index 43ffc77..023c679 100644
---- a/ssl/s3_clnt.c
-+++ b/ssl/s3_clnt.c
-@@ -1537,6 +1537,13 @@ int ssl3_get_key_exchange(SSL *s)
- #ifndef OPENSSL_NO_RSA
- if (alg_k & SSL_kRSA)
- {
-+ /* Temporary RSA keys only allowed in export ciphersuites */
-+ if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
-+ {
-+ al=SSL_AD_UNEXPECTED_MESSAGE;
-+ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto f_err;
-+ }
- if ((rsa=RSA_new()) == NULL)
- {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);
-diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
-index ac2cc3d..d883f86 100644
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
-@@ -447,20 +447,11 @@ int ssl3_accept(SSL *s)
- case SSL3_ST_SW_KEY_EXCH_B:
- alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
-
-- /* clear this, it may get reset by
-- * send_server_key_exchange */
-- if ((s->options & SSL_OP_EPHEMERAL_RSA)
--#ifndef OPENSSL_NO_KRB5
-- && !(alg_k & SSL_kKRB5)
--#endif /* OPENSSL_NO_KRB5 */
-- )
-- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
-- * even when forbidden by protocol specs
-- * (handshake may fail as clients are not required to
-- * be able to handle this) */
-- s->s3->tmp.use_rsa_tmp=1;
-- else
-- s->s3->tmp.use_rsa_tmp=0;
-+ /*
-+ * clear this, it may get reset by
-+ * send_server_key_exchange
-+ */
-+ s->s3->tmp.use_rsa_tmp=0;
-
-
- /* only send if a DH key exchange, fortezza or
-@@ -474,7 +465,7 @@ int ssl3_accept(SSL *s)
- * server certificate contains the server's
- * public key for key exchange.
- */
-- if (s->s3->tmp.use_rsa_tmp
-+ if (0
- /* PSK: send ServerKeyExchange if PSK identity
- * hint if provided */
- #ifndef OPENSSL_NO_PSK
-diff --git a/ssl/ssl.h b/ssl/ssl.h
-index a6a1c77..2ba5923 100644
---- a/ssl/ssl.h
-+++ b/ssl/ssl.h
-@@ -596,9 +596,8 @@ struct ssl_session_st
- #define SSL_OP_SINGLE_ECDH_USE 0x00080000L
- /* If set, always create a new key when using tmp_dh parameters */
- #define SSL_OP_SINGLE_DH_USE 0x00100000L
--/* Set to always use the tmp_rsa key when doing RSA operations,
-- * even when this violates protocol specs */
--#define SSL_OP_EPHEMERAL_RSA 0x00200000L
-+/* Does nothing: retained for compatibiity */
-+#define SSL_OP_EPHEMERAL_RSA 0x0
- /* Set on servers to choose the cipher according to the server's
- * preferences */
- #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/0102-use-correct-function-name.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0102-use-correct-function-name.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0102-use-correct-function-name.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,28 +0,0 @@
-From 178c562a4621162dbe19a7c34fa2ad558684f40e Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Tue, 6 Jan 2015 20:55:38 +0000
-Subject: [PATCH 102/117] use correct function name
-
-Reviewed-by: Rich Salz <rsalz at openssl.org>
-Reviewed-by: Matt Caswell <matt at openssl.org>
-(cherry picked from commit cb62ab4b17818fe66d2fed0a7fe71969131c811b)
----
- crypto/asn1/a_verify.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
-index a571009..78dde1d 100644
---- a/crypto/asn1/a_verify.c
-+++ b/crypto/asn1/a_verify.c
-@@ -154,7 +154,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
-
- if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
- {
-- ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
-+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
- return -1;
- }
-
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/0107-fix-error-discrepancy.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0107-fix-error-discrepancy.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0107-fix-error-discrepancy.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,27 +0,0 @@
-From ffd14272c4c82f68a07b2e2192538adb560fa684 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Wed, 7 Jan 2015 17:36:17 +0000
-Subject: [PATCH 107/117] fix error discrepancy
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
-(cherry picked from commit 4a4d4158572fd8b3dc641851b8378e791df7972d)
----
- ssl/s3_clnt.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
-index 023c679..7692716 100644
---- a/ssl/s3_clnt.c
-+++ b/ssl/s3_clnt.c
-@@ -1541,7 +1541,7 @@ int ssl3_get_key_exchange(SSL *s)
- if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
- {
- al=SSL_AD_UNEXPECTED_MESSAGE;
-- SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,SSL_R_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
- goto f_err;
- }
- if ((rsa=RSA_new()) == NULL)
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/0108-Fix-for-CVE-2014-3570.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0108-Fix-for-CVE-2014-3570.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0108-Fix-for-CVE-2014-3570.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,3155 +0,0 @@
-From e078642ddea29bbb6ba29788a6a513796387fbbb Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro at openssl.org>
-Date: Mon, 5 Jan 2015 14:52:56 +0100
-Subject: [PATCH 108/117] Fix for CVE-2014-3570.
-
-Reviewed-by: Emilia Kasper <emilia at openssl.org>
-(cherry picked from commit e793809ba50c1e90ab592fb640a856168e50f3de)
-(with 1.0.1-specific addendum)
----
- crypto/bn/asm/mips.pl | 611 +++---------
- crypto/bn/asm/mips3.s | 2201 --------------------------------------------
- crypto/bn/asm/x86_64-gcc.c | 34 +-
- crypto/bn/bn_asm.c | 16 +-
- crypto/bn/bntest.c | 102 +-
- 5 files changed, 234 insertions(+), 2730 deletions(-)
- delete mode 100644 crypto/bn/asm/mips3.s
-
-diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl
-index d2f3ef7..215c9a7 100644
---- a/crypto/bn/asm/mips.pl
-+++ b/crypto/bn/asm/mips.pl
-@@ -1872,6 +1872,41 @@ ___
-
- ($a_4,$a_5,$a_6,$a_7)=($b_0,$b_1,$b_2,$b_3);
-
-+sub add_c2 () {
-+my ($hi,$lo,$c0,$c1,$c2,
-+ $warm, # !$warm denotes first call with specific sequence of
-+ # $c_[XYZ] when there is no Z-carry to accumulate yet;
-+ $an,$bn # these two are arguments for multiplication which
-+ # result is used in *next* step [which is why it's
-+ # commented as "forward multiplication" below];
-+ )=@_;
-+$code.=<<___;
-+ mflo $lo
-+ mfhi $hi
-+ $ADDU $c0,$lo
-+ sltu $at,$c0,$lo
-+ $MULTU $an,$bn # forward multiplication
-+ $ADDU $c0,$lo
-+ $ADDU $at,$hi
-+ sltu $lo,$c0,$lo
-+ $ADDU $c1,$at
-+ $ADDU $hi,$lo
-+___
-+$code.=<<___ if (!$warm);
-+ sltu $c2,$c1,$at
-+ $ADDU $c1,$hi
-+ sltu $hi,$c1,$hi
-+ $ADDU $c2,$hi
-+___
-+$code.=<<___ if ($warm);
-+ sltu $at,$c1,$at
-+ $ADDU $c1,$hi
-+ $ADDU $c2,$at
-+ sltu $hi,$c1,$hi
-+ $ADDU $c2,$hi
-+___
-+}
-+
- $code.=<<___;
-
- .align 5
-@@ -1920,21 +1955,10 @@ $code.=<<___;
- sltu $at,$c_2,$t_1
- $ADDU $c_3,$t_2,$at
- $ST $c_2,$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_2,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_1,$a_1 # mul_add_c(a[1],b[1],c3,c1,c2);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-+___
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0,
-+ $a_1,$a_1); # mul_add_c(a[1],b[1],c3,c1,c2);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_3,$t_1
-@@ -1945,67 +1969,19 @@ $code.=<<___;
- sltu $at,$c_1,$t_2
- $ADDU $c_2,$at
- $ST $c_3,2*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_3,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_1,$a_2 # mul_add_c2(a[1],b[2],c1,c2,c3);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_3,$at
-- $MULTU $a_4,$a_0 # mul_add_c2(a[4],b[0],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-+___
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0,
-+ $a_1,$a_2); # mul_add_c2(a[1],b[2],c1,c2,c3);
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1,
-+ $a_4,$a_0); # mul_add_c2(a[4],b[0],c2,c3,c1);
-+$code.=<<___;
- $ST $c_1,3*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_1,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_3,$a_1 # mul_add_c2(a[3],b[1],c2,c3,c1);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_1,$at
-- $MULTU $a_2,$a_2 # mul_add_c(a[2],b[2],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-+___
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0,
-+ $a_3,$a_1); # mul_add_c2(a[3],b[1],c2,c3,c1);
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1,
-+ $a_2,$a_2); # mul_add_c(a[2],b[2],c2,c3,c1);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_2,$t_1
-@@ -2016,97 +1992,23 @@ $code.=<<___;
- sltu $at,$c_3,$t_2
- $ADDU $c_1,$at
- $ST $c_2,4*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_2,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_1,$a_4 # mul_add_c2(a[1],b[4],c3,c1,c2);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_2,$at
-- $MULTU $a_2,$a_3 # mul_add_c2(a[2],b[3],c3,c1,c2);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $MULTU $a_6,$a_0 # mul_add_c2(a[6],b[0],c1,c2,c3);
-- $ADDU $c_2,$at
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-+___
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0,
-+ $a_1,$a_4); # mul_add_c2(a[1],b[4],c3,c1,c2);
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1,
-+ $a_2,$a_3); # mul_add_c2(a[2],b[3],c3,c1,c2);
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1,
-+ $a_6,$a_0); # mul_add_c2(a[6],b[0],c1,c2,c3);
-+$code.=<<___;
- $ST $c_3,5*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_3,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_5,$a_1 # mul_add_c2(a[5],b[1],c1,c2,c3);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_3,$at
-- $MULTU $a_4,$a_2 # mul_add_c2(a[4],b[2],c1,c2,c3);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_3,$at
-- $MULTU $a_3,$a_3 # mul_add_c(a[3],b[3],c1,c2,c3);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-+___
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0,
-+ $a_5,$a_1); # mul_add_c2(a[5],b[1],c1,c2,c3);
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1,
-+ $a_4,$a_2); # mul_add_c2(a[4],b[2],c1,c2,c3);
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1,
-+ $a_3,$a_3); # mul_add_c(a[3],b[3],c1,c2,c3);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_1,$t_1
-@@ -2117,112 +2019,25 @@ $code.=<<___;
- sltu $at,$c_2,$t_2
- $ADDU $c_3,$at
- $ST $c_1,6*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_1,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_1,$a_6 # mul_add_c2(a[1],b[6],c2,c3,c1);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_1,$at
-- $MULTU $a_2,$a_5 # mul_add_c2(a[2],b[5],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_1,$at
-- $MULTU $a_3,$a_4 # mul_add_c2(a[3],b[4],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_1,$at
-- $MULTU $a_7,$a_1 # mul_add_c2(a[7],b[1],c3,c1,c2);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-+___
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0,
-+ $a_1,$a_6); # mul_add_c2(a[1],b[6],c2,c3,c1);
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1,
-+ $a_2,$a_5); # mul_add_c2(a[2],b[5],c2,c3,c1);
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1,
-+ $a_3,$a_4); # mul_add_c2(a[3],b[4],c2,c3,c1);
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1,
-+ $a_7,$a_1); # mul_add_c2(a[7],b[1],c3,c1,c2);
-+$code.=<<___;
- $ST $c_2,7*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_2,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_6,$a_2 # mul_add_c2(a[6],b[2],c3,c1,c2);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_2,$at
-- $MULTU $a_5,$a_3 # mul_add_c2(a[5],b[3],c3,c1,c2);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_2,$at
-- $MULTU $a_4,$a_4 # mul_add_c(a[4],b[4],c3,c1,c2);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-+___
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0,
-+ $a_6,$a_2); # mul_add_c2(a[6],b[2],c3,c1,c2);
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1,
-+ $a_5,$a_3); # mul_add_c2(a[5],b[3],c3,c1,c2);
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1,
-+ $a_4,$a_4); # mul_add_c(a[4],b[4],c3,c1,c2);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_3,$t_1
-@@ -2233,82 +2048,21 @@ $code.=<<___;
- sltu $at,$c_1,$t_2
- $ADDU $c_2,$at
- $ST $c_3,8*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_3,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_3,$a_6 # mul_add_c2(a[3],b[6],c1,c2,c3);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_3,$at
-- $MULTU $a_4,$a_5 # mul_add_c2(a[4],b[5],c1,c2,c3);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_3,$at
-- $MULTU $a_7,$a_3 # mul_add_c2(a[7],b[3],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-+___
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0,
-+ $a_3,$a_6); # mul_add_c2(a[3],b[6],c1,c2,c3);
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1,
-+ $a_4,$a_5); # mul_add_c2(a[4],b[5],c1,c2,c3);
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1,
-+ $a_7,$a_3); # mul_add_c2(a[7],b[3],c2,c3,c1);
-+$code.=<<___;
- $ST $c_1,9*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_1,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_6,$a_4 # mul_add_c2(a[6],b[4],c2,c3,c1);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_1,$at
-- $MULTU $a_5,$a_5 # mul_add_c(a[5],b[5],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-+___
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0,
-+ $a_6,$a_4); # mul_add_c2(a[6],b[4],c2,c3,c1);
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1,
-+ $a_5,$a_5); # mul_add_c(a[5],b[5],c2,c3,c1);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_2,$t_1
-@@ -2319,52 +2073,17 @@ $code.=<<___;
- sltu $at,$c_3,$t_2
- $ADDU $c_1,$at
- $ST $c_2,10*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_2,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_5,$a_6 # mul_add_c2(a[5],b[6],c3,c1,c2);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_2,$at
-- $MULTU $a_7,$a_5 # mul_add_c2(a[7],b[5],c1,c2,c3);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-+___
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0,
-+ $a_5,$a_6); # mul_add_c2(a[5],b[6],c3,c1,c2);
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1,
-+ $a_7,$a_5); # mul_add_c2(a[7],b[5],c1,c2,c3);
-+$code.=<<___;
- $ST $c_3,11*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_3,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_6,$a_6 # mul_add_c(a[6],b[6],c1,c2,c3);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-+___
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0,
-+ $a_6,$a_6); # mul_add_c(a[6],b[6],c1,c2,c3);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_1,$t_1
-@@ -2375,21 +2094,10 @@ $code.=<<___;
- sltu $at,$c_2,$t_2
- $ADDU $c_3,$at
- $ST $c_1,12*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_1,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_7,$a_7 # mul_add_c(a[7],b[7],c3,c1,c2);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-+___
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0,
-+ $a_7,$a_7); # mul_add_c(a[7],b[7],c3,c1,c2);
-+$code.=<<___;
- $ST $c_2,13*$BNSZ($a0)
-
- mflo $t_1
-@@ -2457,21 +2165,10 @@ $code.=<<___;
- sltu $at,$c_2,$t_1
- $ADDU $c_3,$t_2,$at
- $ST $c_2,$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_2,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_1,$a_1 # mul_add_c(a[1],b[1],c3,c1,c2);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-+___
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0,
-+ $a_1,$a_1); # mul_add_c(a[1],b[1],c3,c1,c2);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_3,$t_1
-@@ -2482,52 +2179,17 @@ $code.=<<___;
- sltu $at,$c_1,$t_2
- $ADDU $c_2,$at
- $ST $c_3,2*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_3,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_1,$a_2 # mul_add_c(a2[1],b[2],c1,c2,c3);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-- mflo $t_1
-- mfhi $t_2
-- slt $at,$t_2,$zero
-- $ADDU $c_3,$at
-- $MULTU $a_3,$a_1 # mul_add_c2(a[3],b[1],c2,c3,c1);
-- $SLL $t_2,1
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_1,$t_1
-- sltu $at,$c_1,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_2,$t_2
-- sltu $at,$c_2,$t_2
-- $ADDU $c_3,$at
-+___
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0,
-+ $a_1,$a_2); # mul_add_c2(a2[1],b[2],c1,c2,c3);
-+ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1,
-+ $a_3,$a_1); # mul_add_c2(a[3],b[1],c2,c3,c1);
-+$code.=<<___;
- $ST $c_1,3*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_1,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_2,$a_2 # mul_add_c(a[2],b[2],c2,c3,c1);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_2,$t_1
-- sltu $at,$c_2,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_3,$t_2
-- sltu $at,$c_3,$t_2
-- $ADDU $c_1,$at
-+___
-+ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0,
-+ $a_2,$a_2); # mul_add_c(a[2],b[2],c2,c3,c1);
-+$code.=<<___;
- mflo $t_1
- mfhi $t_2
- $ADDU $c_2,$t_1
-@@ -2538,21 +2200,10 @@ $code.=<<___;
- sltu $at,$c_3,$t_2
- $ADDU $c_1,$at
- $ST $c_2,4*$BNSZ($a0)
--
-- mflo $t_1
-- mfhi $t_2
-- slt $c_2,$t_2,$zero
-- $SLL $t_2,1
-- $MULTU $a_3,$a_3 # mul_add_c(a[3],b[3],c1,c2,c3);
-- slt $a2,$t_1,$zero
-- $ADDU $t_2,$a2
-- $SLL $t_1,1
-- $ADDU $c_3,$t_1
-- sltu $at,$c_3,$t_1
-- $ADDU $t_2,$at
-- $ADDU $c_1,$t_2
-- sltu $at,$c_1,$t_2
-- $ADDU $c_2,$at
-+___
-+ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0,
-+ $a_3,$a_3); # mul_add_c(a[3],b[3],c1,c2,c3);
-+$code.=<<___;
- $ST $c_3,5*$BNSZ($a0)
-
- mflo $t_1
-diff --git a/crypto/bn/asm/mips3.s b/crypto/bn/asm/mips3.s
-deleted file mode 100644
-index dca4105..0000000
---- a/crypto/bn/asm/mips3.s
-+++ /dev/null
-@@ -1,2201 +0,0 @@
--.rdata
--.asciiz "mips3.s, Version 1.1"
--.asciiz "MIPS III/IV ISA artwork by Andy Polyakov <appro at fy.chalmers.se>"
--
--/*
-- * ====================================================================
-- * Written by Andy Polyakov <appro at fy.chalmers.se> for the OpenSSL
-- * project.
-- *
-- * Rights for redistribution and usage in source and binary forms are
-- * granted according to the OpenSSL license. Warranty of any kind is
-- * disclaimed.
-- * ====================================================================
-- */
--
--/*
-- * This is my modest contributon to the OpenSSL project (see
-- * http://www.openssl.org/ for more information about it) and is
-- * a drop-in MIPS III/IV ISA replacement for crypto/bn/bn_asm.c
-- * module. For updates see http://fy.chalmers.se/~appro/hpe/.
-- *
-- * The module is designed to work with either of the "new" MIPS ABI(5),
-- * namely N32 or N64, offered by IRIX 6.x. It's not ment to work under
-- * IRIX 5.x not only because it doesn't support new ABIs but also
-- * because 5.x kernels put R4x00 CPU into 32-bit mode and all those
-- * 64-bit instructions (daddu, dmultu, etc.) found below gonna only
-- * cause illegal instruction exception:-(
-- *
-- * In addition the code depends on preprocessor flags set up by MIPSpro
-- * compiler driver (either as or cc) and therefore (probably?) can't be
-- * compiled by the GNU assembler. GNU C driver manages fine though...
-- * I mean as long as -mmips-as is specified or is the default option,
-- * because then it simply invokes /usr/bin/as which in turn takes
-- * perfect care of the preprocessor definitions. Another neat feature
-- * offered by the MIPSpro assembler is an optimization pass. This gave
-- * me the opportunity to have the code looking more regular as all those
-- * architecture dependent instruction rescheduling details were left to
-- * the assembler. Cool, huh?
-- *
-- * Performance improvement is astonishing! 'apps/openssl speed rsa dsa'
-- * goes way over 3 times faster!
-- *
-- * <appro at fy.chalmers.se>
-- */
--#include <asm.h>
--#include <regdef.h>
--
--#if _MIPS_ISA>=4
--#define MOVNZ(cond,dst,src) \
-- movn dst,src,cond
--#else
--#define MOVNZ(cond,dst,src) \
-- .set noreorder; \
-- bnezl cond,.+8; \
-- move dst,src; \
-- .set reorder
--#endif
--
--.text
--
--.set noat
--.set reorder
--
--#define MINUS4 v1
--
--.align 5
--LEAF(bn_mul_add_words)
-- .set noreorder
-- bgtzl a2,.L_bn_mul_add_words_proceed
-- ld t0,0(a1)
-- jr ra
-- move v0,zero
-- .set reorder
--
--.L_bn_mul_add_words_proceed:
-- li MINUS4,-4
-- and ta0,a2,MINUS4
-- move v0,zero
-- beqz ta0,.L_bn_mul_add_words_tail
--
--.L_bn_mul_add_words_loop:
-- dmultu t0,a3
-- ld t1,0(a0)
-- ld t2,8(a1)
-- ld t3,8(a0)
-- ld ta0,16(a1)
-- ld ta1,16(a0)
-- daddu t1,v0
-- sltu v0,t1,v0 /* All manuals say it "compares 32-bit
-- * values", but it seems to work fine
-- * even on 64-bit registers. */
-- mflo AT
-- mfhi t0
-- daddu t1,AT
-- daddu v0,t0
-- sltu AT,t1,AT
-- sd t1,0(a0)
-- daddu v0,AT
--
-- dmultu t2,a3
-- ld ta2,24(a1)
-- ld ta3,24(a0)
-- daddu t3,v0
-- sltu v0,t3,v0
-- mflo AT
-- mfhi t2
-- daddu t3,AT
-- daddu v0,t2
-- sltu AT,t3,AT
-- sd t3,8(a0)
-- daddu v0,AT
--
-- dmultu ta0,a3
-- subu a2,4
-- PTR_ADD a0,32
-- PTR_ADD a1,32
-- daddu ta1,v0
-- sltu v0,ta1,v0
-- mflo AT
-- mfhi ta0
-- daddu ta1,AT
-- daddu v0,ta0
-- sltu AT,ta1,AT
-- sd ta1,-16(a0)
-- daddu v0,AT
--
--
-- dmultu ta2,a3
-- and ta0,a2,MINUS4
-- daddu ta3,v0
-- sltu v0,ta3,v0
-- mflo AT
-- mfhi ta2
-- daddu ta3,AT
-- daddu v0,ta2
-- sltu AT,ta3,AT
-- sd ta3,-8(a0)
-- daddu v0,AT
-- .set noreorder
-- bgtzl ta0,.L_bn_mul_add_words_loop
-- ld t0,0(a1)
--
-- bnezl a2,.L_bn_mul_add_words_tail
-- ld t0,0(a1)
-- .set reorder
--
--.L_bn_mul_add_words_return:
-- jr ra
--
--.L_bn_mul_add_words_tail:
-- dmultu t0,a3
-- ld t1,0(a0)
-- subu a2,1
-- daddu t1,v0
-- sltu v0,t1,v0
-- mflo AT
-- mfhi t0
-- daddu t1,AT
-- daddu v0,t0
-- sltu AT,t1,AT
-- sd t1,0(a0)
-- daddu v0,AT
-- beqz a2,.L_bn_mul_add_words_return
--
-- ld t0,8(a1)
-- dmultu t0,a3
-- ld t1,8(a0)
-- subu a2,1
-- daddu t1,v0
-- sltu v0,t1,v0
-- mflo AT
-- mfhi t0
-- daddu t1,AT
-- daddu v0,t0
-- sltu AT,t1,AT
-- sd t1,8(a0)
-- daddu v0,AT
-- beqz a2,.L_bn_mul_add_words_return
--
-- ld t0,16(a1)
-- dmultu t0,a3
-- ld t1,16(a0)
-- daddu t1,v0
-- sltu v0,t1,v0
-- mflo AT
-- mfhi t0
-- daddu t1,AT
-- daddu v0,t0
-- sltu AT,t1,AT
-- sd t1,16(a0)
-- daddu v0,AT
-- jr ra
--END(bn_mul_add_words)
--
--.align 5
--LEAF(bn_mul_words)
-- .set noreorder
-- bgtzl a2,.L_bn_mul_words_proceed
-- ld t0,0(a1)
-- jr ra
-- move v0,zero
-- .set reorder
--
--.L_bn_mul_words_proceed:
-- li MINUS4,-4
-- and ta0,a2,MINUS4
-- move v0,zero
-- beqz ta0,.L_bn_mul_words_tail
--
--.L_bn_mul_words_loop:
-- dmultu t0,a3
-- ld t2,8(a1)
-- ld ta0,16(a1)
-- ld ta2,24(a1)
-- mflo AT
-- mfhi t0
-- daddu v0,AT
-- sltu t1,v0,AT
-- sd v0,0(a0)
-- daddu v0,t1,t0
--
-- dmultu t2,a3
-- subu a2,4
-- PTR_ADD a0,32
-- PTR_ADD a1,32
-- mflo AT
-- mfhi t2
-- daddu v0,AT
-- sltu t3,v0,AT
-- sd v0,-24(a0)
-- daddu v0,t3,t2
--
-- dmultu ta0,a3
-- mflo AT
-- mfhi ta0
-- daddu v0,AT
-- sltu ta1,v0,AT
-- sd v0,-16(a0)
-- daddu v0,ta1,ta0
--
--
-- dmultu ta2,a3
-- and ta0,a2,MINUS4
-- mflo AT
-- mfhi ta2
-- daddu v0,AT
-- sltu ta3,v0,AT
-- sd v0,-8(a0)
-- daddu v0,ta3,ta2
-- .set noreorder
-- bgtzl ta0,.L_bn_mul_words_loop
-- ld t0,0(a1)
--
-- bnezl a2,.L_bn_mul_words_tail
-- ld t0,0(a1)
-- .set reorder
--
--.L_bn_mul_words_return:
-- jr ra
--
--.L_bn_mul_words_tail:
-- dmultu t0,a3
-- subu a2,1
-- mflo AT
-- mfhi t0
-- daddu v0,AT
-- sltu t1,v0,AT
-- sd v0,0(a0)
-- daddu v0,t1,t0
-- beqz a2,.L_bn_mul_words_return
--
-- ld t0,8(a1)
-- dmultu t0,a3
-- subu a2,1
-- mflo AT
-- mfhi t0
-- daddu v0,AT
-- sltu t1,v0,AT
-- sd v0,8(a0)
-- daddu v0,t1,t0
-- beqz a2,.L_bn_mul_words_return
--
-- ld t0,16(a1)
-- dmultu t0,a3
-- mflo AT
-- mfhi t0
-- daddu v0,AT
-- sltu t1,v0,AT
-- sd v0,16(a0)
-- daddu v0,t1,t0
-- jr ra
--END(bn_mul_words)
--
--.align 5
--LEAF(bn_sqr_words)
-- .set noreorder
-- bgtzl a2,.L_bn_sqr_words_proceed
-- ld t0,0(a1)
-- jr ra
-- move v0,zero
-- .set reorder
--
--.L_bn_sqr_words_proceed:
-- li MINUS4,-4
-- and ta0,a2,MINUS4
-- move v0,zero
-- beqz ta0,.L_bn_sqr_words_tail
--
--.L_bn_sqr_words_loop:
-- dmultu t0,t0
-- ld t2,8(a1)
-- ld ta0,16(a1)
-- ld ta2,24(a1)
-- mflo t1
-- mfhi t0
-- sd t1,0(a0)
-- sd t0,8(a0)
--
-- dmultu t2,t2
-- subu a2,4
-- PTR_ADD a0,64
-- PTR_ADD a1,32
-- mflo t3
-- mfhi t2
-- sd t3,-48(a0)
-- sd t2,-40(a0)
--
-- dmultu ta0,ta0
-- mflo ta1
-- mfhi ta0
-- sd ta1,-32(a0)
-- sd ta0,-24(a0)
--
--
-- dmultu ta2,ta2
-- and ta0,a2,MINUS4
-- mflo ta3
-- mfhi ta2
-- sd ta3,-16(a0)
-- sd ta2,-8(a0)
--
-- .set noreorder
-- bgtzl ta0,.L_bn_sqr_words_loop
-- ld t0,0(a1)
--
-- bnezl a2,.L_bn_sqr_words_tail
-- ld t0,0(a1)
-- .set reorder
--
--.L_bn_sqr_words_return:
-- move v0,zero
-- jr ra
--
--.L_bn_sqr_words_tail:
-- dmultu t0,t0
-- subu a2,1
-- mflo t1
-- mfhi t0
-- sd t1,0(a0)
-- sd t0,8(a0)
-- beqz a2,.L_bn_sqr_words_return
--
-- ld t0,8(a1)
-- dmultu t0,t0
-- subu a2,1
-- mflo t1
-- mfhi t0
-- sd t1,16(a0)
-- sd t0,24(a0)
-- beqz a2,.L_bn_sqr_words_return
--
-- ld t0,16(a1)
-- dmultu t0,t0
-- mflo t1
-- mfhi t0
-- sd t1,32(a0)
-- sd t0,40(a0)
-- jr ra
--END(bn_sqr_words)
--
--.align 5
--LEAF(bn_add_words)
-- .set noreorder
-- bgtzl a3,.L_bn_add_words_proceed
-- ld t0,0(a1)
-- jr ra
-- move v0,zero
-- .set reorder
--
--.L_bn_add_words_proceed:
-- li MINUS4,-4
-- and AT,a3,MINUS4
-- move v0,zero
-- beqz AT,.L_bn_add_words_tail
--
--.L_bn_add_words_loop:
-- ld ta0,0(a2)
-- subu a3,4
-- ld t1,8(a1)
-- and AT,a3,MINUS4
-- ld t2,16(a1)
-- PTR_ADD a2,32
-- ld t3,24(a1)
-- PTR_ADD a0,32
-- ld ta1,-24(a2)
-- PTR_ADD a1,32
-- ld ta2,-16(a2)
-- ld ta3,-8(a2)
-- daddu ta0,t0
-- sltu t8,ta0,t0
-- daddu t0,ta0,v0
-- sltu v0,t0,ta0
-- sd t0,-32(a0)
-- daddu v0,t8
--
-- daddu ta1,t1
-- sltu t9,ta1,t1
-- daddu t1,ta1,v0
-- sltu v0,t1,ta1
-- sd t1,-24(a0)
-- daddu v0,t9
--
-- daddu ta2,t2
-- sltu t8,ta2,t2
-- daddu t2,ta2,v0
-- sltu v0,t2,ta2
-- sd t2,-16(a0)
-- daddu v0,t8
--
-- daddu ta3,t3
-- sltu t9,ta3,t3
-- daddu t3,ta3,v0
-- sltu v0,t3,ta3
-- sd t3,-8(a0)
-- daddu v0,t9
--
-- .set noreorder
-- bgtzl AT,.L_bn_add_words_loop
-- ld t0,0(a1)
--
-- bnezl a3,.L_bn_add_words_tail
-- ld t0,0(a1)
-- .set reorder
--
--.L_bn_add_words_return:
-- jr ra
--
--.L_bn_add_words_tail:
-- ld ta0,0(a2)
-- daddu ta0,t0
-- subu a3,1
-- sltu t8,ta0,t0
-- daddu t0,ta0,v0
-- sltu v0,t0,ta0
-- sd t0,0(a0)
-- daddu v0,t8
-- beqz a3,.L_bn_add_words_return
--
-- ld t1,8(a1)
-- ld ta1,8(a2)
-- daddu ta1,t1
-- subu a3,1
-- sltu t9,ta1,t1
-- daddu t1,ta1,v0
-- sltu v0,t1,ta1
-- sd t1,8(a0)
-- daddu v0,t9
-- beqz a3,.L_bn_add_words_return
--
-- ld t2,16(a1)
-- ld ta2,16(a2)
-- daddu ta2,t2
-- sltu t8,ta2,t2
-- daddu t2,ta2,v0
-- sltu v0,t2,ta2
-- sd t2,16(a0)
-- daddu v0,t8
-- jr ra
--END(bn_add_words)
--
--.align 5
--LEAF(bn_sub_words)
-- .set noreorder
-- bgtzl a3,.L_bn_sub_words_proceed
-- ld t0,0(a1)
-- jr ra
-- move v0,zero
-- .set reorder
--
--.L_bn_sub_words_proceed:
-- li MINUS4,-4
-- and AT,a3,MINUS4
-- move v0,zero
-- beqz AT,.L_bn_sub_words_tail
--
--.L_bn_sub_words_loop:
-- ld ta0,0(a2)
-- subu a3,4
-- ld t1,8(a1)
-- and AT,a3,MINUS4
-- ld t2,16(a1)
-- PTR_ADD a2,32
-- ld t3,24(a1)
-- PTR_ADD a0,32
-- ld ta1,-24(a2)
-- PTR_ADD a1,32
-- ld ta2,-16(a2)
-- ld ta3,-8(a2)
-- sltu t8,t0,ta0
-- dsubu t0,ta0
-- dsubu ta0,t0,v0
-- sd ta0,-32(a0)
-- MOVNZ (t0,v0,t8)
--
-- sltu t9,t1,ta1
-- dsubu t1,ta1
-- dsubu ta1,t1,v0
-- sd ta1,-24(a0)
-- MOVNZ (t1,v0,t9)
--
--
-- sltu t8,t2,ta2
-- dsubu t2,ta2
-- dsubu ta2,t2,v0
-- sd ta2,-16(a0)
-- MOVNZ (t2,v0,t8)
--
-- sltu t9,t3,ta3
-- dsubu t3,ta3
-- dsubu ta3,t3,v0
-- sd ta3,-8(a0)
-- MOVNZ (t3,v0,t9)
--
-- .set noreorder
-- bgtzl AT,.L_bn_sub_words_loop
-- ld t0,0(a1)
--
-- bnezl a3,.L_bn_sub_words_tail
-- ld t0,0(a1)
-- .set reorder
--
--.L_bn_sub_words_return:
-- jr ra
--
--.L_bn_sub_words_tail:
-- ld ta0,0(a2)
-- subu a3,1
-- sltu t8,t0,ta0
-- dsubu t0,ta0
-- dsubu ta0,t0,v0
-- MOVNZ (t0,v0,t8)
-- sd ta0,0(a0)
-- beqz a3,.L_bn_sub_words_return
--
-- ld t1,8(a1)
-- subu a3,1
-- ld ta1,8(a2)
-- sltu t9,t1,ta1
-- dsubu t1,ta1
-- dsubu ta1,t1,v0
-- MOVNZ (t1,v0,t9)
-- sd ta1,8(a0)
-- beqz a3,.L_bn_sub_words_return
--
-- ld t2,16(a1)
-- ld ta2,16(a2)
-- sltu t8,t2,ta2
-- dsubu t2,ta2
-- dsubu ta2,t2,v0
-- MOVNZ (t2,v0,t8)
-- sd ta2,16(a0)
-- jr ra
--END(bn_sub_words)
--
--#undef MINUS4
--
--.align 5
--LEAF(bn_div_3_words)
-- .set reorder
-- move a3,a0 /* we know that bn_div_words doesn't
-- * touch a3, ta2, ta3 and preserves a2
-- * so that we can save two arguments
-- * and return address in registers
-- * instead of stack:-)
-- */
-- ld a0,(a3)
-- move ta2,a1
-- ld a1,-8(a3)
-- bne a0,a2,.L_bn_div_3_words_proceed
-- li v0,-1
-- jr ra
--.L_bn_div_3_words_proceed:
-- move ta3,ra
-- bal bn_div_words
-- move ra,ta3
-- dmultu ta2,v0
-- ld t2,-16(a3)
-- move ta0,zero
-- mfhi t1
-- mflo t0
-- sltu t8,t1,v1
--.L_bn_div_3_words_inner_loop:
-- bnez t8,.L_bn_div_3_words_inner_loop_done
-- sgeu AT,t2,t0
-- seq t9,t1,v1
-- and AT,t9
-- sltu t3,t0,ta2
-- daddu v1,a2
-- dsubu t1,t3
-- dsubu t0,ta2
-- sltu t8,t1,v1
-- sltu ta0,v1,a2
-- or t8,ta0
-- .set noreorder
-- beqzl AT,.L_bn_div_3_words_inner_loop
-- dsubu v0,1
-- .set reorder
--.L_bn_div_3_words_inner_loop_done:
-- jr ra
--END(bn_div_3_words)
--
--.align 5
--LEAF(bn_div_words)
-- .set noreorder
-- bnezl a2,.L_bn_div_words_proceed
-- move v1,zero
-- jr ra
-- li v0,-1 /* I'd rather signal div-by-zero
-- * which can be done with 'break 7' */
--
--.L_bn_div_words_proceed:
-- bltz a2,.L_bn_div_words_body
-- move t9,v1
-- dsll a2,1
-- bgtz a2,.-4
-- addu t9,1
--
-- .set reorder
-- negu t1,t9
-- li t2,-1
-- dsll t2,t1
-- and t2,a0
-- dsrl AT,a1,t1
-- .set noreorder
-- bnezl t2,.+8
-- break 6 /* signal overflow */
-- .set reorder
-- dsll a0,t9
-- dsll a1,t9
-- or a0,AT
--
--#define QT ta0
--#define HH ta1
--#define DH v1
--.L_bn_div_words_body:
-- dsrl DH,a2,32
-- sgeu AT,a0,a2
-- .set noreorder
-- bnezl AT,.+8
-- dsubu a0,a2
-- .set reorder
--
-- li QT,-1
-- dsrl HH,a0,32
-- dsrl QT,32 /* q=0xffffffff */
-- beq DH,HH,.L_bn_div_words_skip_div1
-- ddivu zero,a0,DH
-- mflo QT
--.L_bn_div_words_skip_div1:
-- dmultu a2,QT
-- dsll t3,a0,32
-- dsrl AT,a1,32
-- or t3,AT
-- mflo t0
-- mfhi t1
--.L_bn_div_words_inner_loop1:
-- sltu t2,t3,t0
-- seq t8,HH,t1
-- sltu AT,HH,t1
-- and t2,t8
-- sltu v0,t0,a2
-- or AT,t2
-- .set noreorder
-- beqz AT,.L_bn_div_words_inner_loop1_done
-- dsubu t1,v0
-- dsubu t0,a2
-- b .L_bn_div_words_inner_loop1
-- dsubu QT,1
-- .set reorder
--.L_bn_div_words_inner_loop1_done:
--
-- dsll a1,32
-- dsubu a0,t3,t0
-- dsll v0,QT,32
--
-- li QT,-1
-- dsrl HH,a0,32
-- dsrl QT,32 /* q=0xffffffff */
-- beq DH,HH,.L_bn_div_words_skip_div2
-- ddivu zero,a0,DH
-- mflo QT
--.L_bn_div_words_skip_div2:
--#undef DH
-- dmultu a2,QT
-- dsll t3,a0,32
-- dsrl AT,a1,32
-- or t3,AT
-- mflo t0
-- mfhi t1
--.L_bn_div_words_inner_loop2:
-- sltu t2,t3,t0
-- seq t8,HH,t1
-- sltu AT,HH,t1
-- and t2,t8
-- sltu v1,t0,a2
-- or AT,t2
-- .set noreorder
-- beqz AT,.L_bn_div_words_inner_loop2_done
-- dsubu t1,v1
-- dsubu t0,a2
-- b .L_bn_div_words_inner_loop2
-- dsubu QT,1
-- .set reorder
--.L_bn_div_words_inner_loop2_done:
--#undef HH
--
-- dsubu a0,t3,t0
-- or v0,QT
-- dsrl v1,a0,t9 /* v1 contains remainder if anybody wants it */
-- dsrl a2,t9 /* restore a2 */
-- jr ra
--#undef QT
--END(bn_div_words)
--
--#define a_0 t0
--#define a_1 t1
--#define a_2 t2
--#define a_3 t3
--#define b_0 ta0
--#define b_1 ta1
--#define b_2 ta2
--#define b_3 ta3
--
--#define a_4 s0
--#define a_5 s2
--#define a_6 s4
--#define a_7 a1 /* once we load a[7] we don't need a anymore */
--#define b_4 s1
--#define b_5 s3
--#define b_6 s5
--#define b_7 a2 /* once we load b[7] we don't need b anymore */
--
--#define t_1 t8
--#define t_2 t9
--
--#define c_1 v0
--#define c_2 v1
--#define c_3 a3
--
--#define FRAME_SIZE 48
--
--.align 5
--LEAF(bn_mul_comba8)
-- .set noreorder
-- PTR_SUB sp,FRAME_SIZE
-- .frame sp,64,ra
-- .set reorder
-- ld a_0,0(a1) /* If compiled with -mips3 option on
-- * R5000 box assembler barks on this
-- * line with "shouldn't have mult/div
-- * as last instruction in bb (R10K
-- * bug)" warning. If anybody out there
-- * has a clue about how to circumvent
-- * this do send me a note.
-- * <appro at fy.chalmers.se>
-- */
-- ld b_0,0(a2)
-- ld a_1,8(a1)
-- ld a_2,16(a1)
-- ld a_3,24(a1)
-- ld b_1,8(a2)
-- ld b_2,16(a2)
-- ld b_3,24(a2)
-- dmultu a_0,b_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */
-- sd s0,0(sp)
-- sd s1,8(sp)
-- sd s2,16(sp)
-- sd s3,24(sp)
-- sd s4,32(sp)
-- sd s5,40(sp)
-- mflo c_1
-- mfhi c_2
--
-- dmultu a_0,b_1 /* mul_add_c(a[0],b[1],c2,c3,c1); */
-- ld a_4,32(a1)
-- ld a_5,40(a1)
-- ld a_6,48(a1)
-- ld a_7,56(a1)
-- ld b_4,32(a2)
-- ld b_5,40(a2)
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu c_3,t_2,AT
-- dmultu a_1,b_0 /* mul_add_c(a[1],b[0],c2,c3,c1); */
-- ld b_6,48(a2)
-- ld b_7,56(a2)
-- sd c_1,0(a0) /* r[0]=c1; */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- sd c_2,8(a0) /* r[1]=c2; */
--
-- dmultu a_2,b_0 /* mul_add_c(a[2],b[0],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- dmultu a_1,b_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu c_2,c_1,t_2
-- dmultu a_0,b_2 /* mul_add_c(a[0],b[2],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,16(a0) /* r[2]=c3; */
--
-- dmultu a_0,b_3 /* mul_add_c(a[0],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu c_3,c_2,t_2
-- dmultu a_1,b_2 /* mul_add_c(a[1],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_2,b_1 /* mul_add_c(a[2],b[1],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_3,b_0 /* mul_add_c(a[3],b[0],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,24(a0) /* r[3]=c1; */
--
-- dmultu a_4,b_0 /* mul_add_c(a[4],b[0],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- dmultu a_3,b_1 /* mul_add_c(a[3],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_2,b_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_1,b_3 /* mul_add_c(a[1],b[3],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_0,b_4 /* mul_add_c(a[0],b[4],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,32(a0) /* r[4]=c2; */
--
-- dmultu a_0,b_5 /* mul_add_c(a[0],b[5],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu c_2,c_1,t_2
-- dmultu a_1,b_4 /* mul_add_c(a[1],b[4],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_2,b_3 /* mul_add_c(a[2],b[3],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_3,b_2 /* mul_add_c(a[3],b[2],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_4,b_1 /* mul_add_c(a[4],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_5,b_0 /* mul_add_c(a[5],b[0],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,40(a0) /* r[5]=c3; */
--
-- dmultu a_6,b_0 /* mul_add_c(a[6],b[0],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu c_3,c_2,t_2
-- dmultu a_5,b_1 /* mul_add_c(a[5],b[1],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_4,b_2 /* mul_add_c(a[4],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_3,b_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_2,b_4 /* mul_add_c(a[2],b[4],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_1,b_5 /* mul_add_c(a[1],b[5],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_0,b_6 /* mul_add_c(a[0],b[6],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,48(a0) /* r[6]=c1; */
--
-- dmultu a_0,b_7 /* mul_add_c(a[0],b[7],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- dmultu a_1,b_6 /* mul_add_c(a[1],b[6],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_2,b_5 /* mul_add_c(a[2],b[5],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_3,b_4 /* mul_add_c(a[3],b[4],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_4,b_3 /* mul_add_c(a[4],b[3],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_5,b_2 /* mul_add_c(a[5],b[2],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_6,b_1 /* mul_add_c(a[6],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_7,b_0 /* mul_add_c(a[7],b[0],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,56(a0) /* r[7]=c2; */
--
-- dmultu a_7,b_1 /* mul_add_c(a[7],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu c_2,c_1,t_2
-- dmultu a_6,b_2 /* mul_add_c(a[6],b[2],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_5,b_3 /* mul_add_c(a[5],b[3],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_4,b_4 /* mul_add_c(a[4],b[4],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_3,b_5 /* mul_add_c(a[3],b[5],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_2,b_6 /* mul_add_c(a[2],b[6],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_1,b_7 /* mul_add_c(a[1],b[7],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,64(a0) /* r[8]=c3; */
--
-- dmultu a_2,b_7 /* mul_add_c(a[2],b[7],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu c_3,c_2,t_2
-- dmultu a_3,b_6 /* mul_add_c(a[3],b[6],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_4,b_5 /* mul_add_c(a[4],b[5],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_5,b_4 /* mul_add_c(a[5],b[4],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_6,b_3 /* mul_add_c(a[6],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_7,b_2 /* mul_add_c(a[7],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,72(a0) /* r[9]=c1; */
--
-- dmultu a_7,b_3 /* mul_add_c(a[7],b[3],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- dmultu a_6,b_4 /* mul_add_c(a[6],b[4],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_5,b_5 /* mul_add_c(a[5],b[5],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_4,b_6 /* mul_add_c(a[4],b[6],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_3,b_7 /* mul_add_c(a[3],b[7],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,80(a0) /* r[10]=c2; */
--
-- dmultu a_4,b_7 /* mul_add_c(a[4],b[7],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu c_2,c_1,t_2
-- dmultu a_5,b_6 /* mul_add_c(a[5],b[6],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_6,b_5 /* mul_add_c(a[6],b[5],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_7,b_4 /* mul_add_c(a[7],b[4],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,88(a0) /* r[11]=c3; */
--
-- dmultu a_7,b_5 /* mul_add_c(a[7],b[5],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu c_3,c_2,t_2
-- dmultu a_6,b_6 /* mul_add_c(a[6],b[6],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_5,b_7 /* mul_add_c(a[5],b[7],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,96(a0) /* r[12]=c1; */
--
-- dmultu a_6,b_7 /* mul_add_c(a[6],b[7],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- dmultu a_7,b_6 /* mul_add_c(a[7],b[6],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,104(a0) /* r[13]=c2; */
--
-- dmultu a_7,b_7 /* mul_add_c(a[7],b[7],c3,c1,c2); */
-- ld s0,0(sp)
-- ld s1,8(sp)
-- ld s2,16(sp)
-- ld s3,24(sp)
-- ld s4,32(sp)
-- ld s5,40(sp)
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sd c_3,112(a0) /* r[14]=c3; */
-- sd c_1,120(a0) /* r[15]=c1; */
--
-- PTR_ADD sp,FRAME_SIZE
--
-- jr ra
--END(bn_mul_comba8)
--
--.align 5
--LEAF(bn_mul_comba4)
-- .set reorder
-- ld a_0,0(a1)
-- ld b_0,0(a2)
-- ld a_1,8(a1)
-- ld a_2,16(a1)
-- dmultu a_0,b_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */
-- ld a_3,24(a1)
-- ld b_1,8(a2)
-- ld b_2,16(a2)
-- ld b_3,24(a2)
-- mflo c_1
-- mfhi c_2
-- sd c_1,0(a0)
--
-- dmultu a_0,b_1 /* mul_add_c(a[0],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu c_3,t_2,AT
-- dmultu a_1,b_0 /* mul_add_c(a[1],b[0],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- sd c_2,8(a0)
--
-- dmultu a_2,b_0 /* mul_add_c(a[2],b[0],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- dmultu a_1,b_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu c_2,c_1,t_2
-- dmultu a_0,b_2 /* mul_add_c(a[0],b[2],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,16(a0)
--
-- dmultu a_0,b_3 /* mul_add_c(a[0],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu c_3,c_2,t_2
-- dmultu a_1,b_2 /* mul_add_c(a[1],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_2,b_1 /* mul_add_c(a[2],b[1],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_3,b_0 /* mul_add_c(a[3],b[0],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,24(a0)
--
-- dmultu a_3,b_1 /* mul_add_c(a[3],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu c_1,c_3,t_2
-- dmultu a_2,b_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_1,b_3 /* mul_add_c(a[1],b[3],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,32(a0)
--
-- dmultu a_2,b_3 /* mul_add_c(a[2],b[3],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu c_2,c_1,t_2
-- dmultu a_3,b_2 /* mul_add_c(a[3],b[2],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,40(a0)
--
-- dmultu a_3,b_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sd c_1,48(a0)
-- sd c_2,56(a0)
--
-- jr ra
--END(bn_mul_comba4)
--
--#undef a_4
--#undef a_5
--#undef a_6
--#undef a_7
--#define a_4 b_0
--#define a_5 b_1
--#define a_6 b_2
--#define a_7 b_3
--
--.align 5
--LEAF(bn_sqr_comba8)
-- .set reorder
-- ld a_0,0(a1)
-- ld a_1,8(a1)
-- ld a_2,16(a1)
-- ld a_3,24(a1)
--
-- dmultu a_0,a_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */
-- ld a_4,32(a1)
-- ld a_5,40(a1)
-- ld a_6,48(a1)
-- ld a_7,56(a1)
-- mflo c_1
-- mfhi c_2
-- sd c_1,0(a0)
--
-- dmultu a_0,a_1 /* mul_add_c2(a[0],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu c_3,t_2,AT
-- sd c_2,8(a0)
--
-- dmultu a_2,a_0 /* mul_add_c2(a[2],b[0],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt c_2,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_1,a_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,16(a0)
--
-- dmultu a_0,a_3 /* mul_add_c2(a[0],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt c_3,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_1,a_2 /* mul_add_c2(a[1],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_3,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,24(a0)
--
-- dmultu a_4,a_0 /* mul_add_c2(a[4],b[0],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_3,a_1 /* mul_add_c2(a[3],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_1,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_2,a_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,32(a0)
--
-- dmultu a_0,a_5 /* mul_add_c2(a[0],b[5],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt c_2,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_1,a_4 /* mul_add_c2(a[1],b[4],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_2,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_2,a_3 /* mul_add_c2(a[2],b[3],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_2,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,40(a0)
--
-- dmultu a_6,a_0 /* mul_add_c2(a[6],b[0],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt c_3,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_5,a_1 /* mul_add_c2(a[5],b[1],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_3,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_4,a_2 /* mul_add_c2(a[4],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_3,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_3,a_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,48(a0)
--
-- dmultu a_0,a_7 /* mul_add_c2(a[0],b[7],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_1,a_6 /* mul_add_c2(a[1],b[6],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_1,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_2,a_5 /* mul_add_c2(a[2],b[5],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_1,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_3,a_4 /* mul_add_c2(a[3],b[4],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_1,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,56(a0)
--
-- dmultu a_7,a_1 /* mul_add_c2(a[7],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt c_2,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_6,a_2 /* mul_add_c2(a[6],b[2],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_2,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_5,a_3 /* mul_add_c2(a[5],b[3],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_2,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_4,a_4 /* mul_add_c(a[4],b[4],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,64(a0)
--
-- dmultu a_2,a_7 /* mul_add_c2(a[2],b[7],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt c_3,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_3,a_6 /* mul_add_c2(a[3],b[6],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_3,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_4,a_5 /* mul_add_c2(a[4],b[5],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_3,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,72(a0)
--
-- dmultu a_7,a_3 /* mul_add_c2(a[7],b[3],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_6,a_4 /* mul_add_c2(a[6],b[4],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_1,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_5,a_5 /* mul_add_c(a[5],b[5],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,80(a0)
--
-- dmultu a_4,a_7 /* mul_add_c2(a[4],b[7],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt c_2,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_5,a_6 /* mul_add_c2(a[5],b[6],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_2,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,88(a0)
--
-- dmultu a_7,a_5 /* mul_add_c2(a[7],b[5],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt c_3,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_6,a_6 /* mul_add_c(a[6],b[6],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,96(a0)
--
-- dmultu a_6,a_7 /* mul_add_c2(a[6],b[7],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,104(a0)
--
-- dmultu a_7,a_7 /* mul_add_c(a[7],b[7],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sd c_3,112(a0)
-- sd c_1,120(a0)
--
-- jr ra
--END(bn_sqr_comba8)
--
--.align 5
--LEAF(bn_sqr_comba4)
-- .set reorder
-- ld a_0,0(a1)
-- ld a_1,8(a1)
-- ld a_2,16(a1)
-- ld a_3,24(a1)
-- dmultu a_0,a_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */
-- mflo c_1
-- mfhi c_2
-- sd c_1,0(a0)
--
-- dmultu a_0,a_1 /* mul_add_c2(a[0],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu c_3,t_2,AT
-- sd c_2,8(a0)
--
-- dmultu a_2,a_0 /* mul_add_c2(a[2],b[0],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt c_2,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- dmultu a_1,a_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,16(a0)
--
-- dmultu a_0,a_3 /* mul_add_c2(a[0],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt c_3,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- dmultu a_1,a_2 /* mul_add_c(a2[1],b[2],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- slt AT,t_2,zero
-- daddu c_3,AT
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sltu AT,c_2,t_2
-- daddu c_3,AT
-- sd c_1,24(a0)
--
-- dmultu a_3,a_1 /* mul_add_c2(a[3],b[1],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- slt c_1,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- dmultu a_2,a_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */
-- mflo t_1
-- mfhi t_2
-- daddu c_2,t_1
-- sltu AT,c_2,t_1
-- daddu t_2,AT
-- daddu c_3,t_2
-- sltu AT,c_3,t_2
-- daddu c_1,AT
-- sd c_2,32(a0)
--
-- dmultu a_2,a_3 /* mul_add_c2(a[2],b[3],c3,c1,c2); */
-- mflo t_1
-- mfhi t_2
-- slt c_2,t_2,zero
-- dsll t_2,1
-- slt a2,t_1,zero
-- daddu t_2,a2
-- dsll t_1,1
-- daddu c_3,t_1
-- sltu AT,c_3,t_1
-- daddu t_2,AT
-- daddu c_1,t_2
-- sltu AT,c_1,t_2
-- daddu c_2,AT
-- sd c_3,40(a0)
--
-- dmultu a_3,a_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */
-- mflo t_1
-- mfhi t_2
-- daddu c_1,t_1
-- sltu AT,c_1,t_1
-- daddu t_2,AT
-- daddu c_2,t_2
-- sd c_1,48(a0)
-- sd c_2,56(a0)
--
-- jr ra
--END(bn_sqr_comba4)
-diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c
-index 31476ab..2d39407 100644
---- a/crypto/bn/asm/x86_64-gcc.c
-+++ b/crypto/bn/asm/x86_64-gcc.c
-@@ -273,6 +273,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
- /* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
- /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */
-
-+/*
-+ * Keep in mind that carrying into high part of multiplication result
-+ * can not overflow, because it cannot be all-ones.
-+ */
- #if 0
- /* original macros are kept for reference purposes */
- #define mul_add_c(a,b,c0,c1,c2) { \
-@@ -287,10 +291,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
- BN_ULONG ta=(a),tb=(b),t0; \
- t1 = BN_UMULT_HIGH(ta,tb); \
- t0 = ta * tb; \
-- t2 = t1+t1; c2 += (t2<t1)?1:0; \
-- t1 = t0+t0; t2 += (t1<t0)?1:0; \
-- c0 += t1; t2 += (c0<t1)?1:0; \
-+ c0 += t0; t2 = t1+((c0<t0)?1:0);\
- c1 += t2; c2 += (c1<t2)?1:0; \
-+ c0 += t0; t1 += (c0<t0)?1:0; \
-+ c1 += t1; c2 += (c1<t1)?1:0; \
- }
- #else
- #define mul_add_c(a,b,c0,c1,c2) do { \
-@@ -328,22 +332,14 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
- : "=a"(t1),"=d"(t2) \
- : "a"(a),"m"(b) \
- : "cc"); \
-- asm ("addq %0,%0; adcq %2,%1" \
-- : "+d"(t2),"+r"(c2) \
-- : "g"(0) \
-- : "cc"); \
-- asm ("addq %0,%0; adcq %2,%1" \
-- : "+a"(t1),"+d"(t2) \
-- : "g"(0) \
-- : "cc"); \
-- asm ("addq %2,%0; adcq %3,%1" \
-- : "+r"(c0),"+d"(t2) \
-- : "a"(t1),"g"(0) \
-- : "cc"); \
-- asm ("addq %2,%0; adcq %3,%1" \
-- : "+r"(c1),"+r"(c2) \
-- : "d"(t2),"g"(0) \
-- : "cc"); \
-+ asm ("addq %3,%0; adcq %4,%1; adcq %5,%2" \
-+ : "+r"(c0),"+r"(c1),"+r"(c2) \
-+ : "r"(t1),"r"(t2),"g"(0) \
-+ : "cc"); \
-+ asm ("addq %3,%0; adcq %4,%1; adcq %5,%2" \
-+ : "+r"(c0),"+r"(c1),"+r"(c2) \
-+ : "r"(t1),"r"(t2),"g"(0) \
-+ : "cc"); \
- } while (0)
- #endif
-
-diff --git a/crypto/bn/bn_asm.c b/crypto/bn/bn_asm.c
-index c43c91c..a33b634 100644
---- a/crypto/bn/bn_asm.c
-+++ b/crypto/bn/bn_asm.c
-@@ -438,6 +438,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
- /* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
- /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */
-
-+/*
-+ * Keep in mind that carrying into high part of multiplication result
-+ * can not overflow, because it cannot be all-ones.
-+ */
- #ifdef BN_LLONG
- #define mul_add_c(a,b,c0,c1,c2) \
- t=(BN_ULLONG)a*b; \
-@@ -478,10 +482,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
- #define mul_add_c2(a,b,c0,c1,c2) { \
- BN_ULONG ta=(a),tb=(b),t0; \
- BN_UMULT_LOHI(t0,t1,ta,tb); \
-- t2 = t1+t1; c2 += (t2<t1)?1:0; \
-- t1 = t0+t0; t2 += (t1<t0)?1:0; \
-- c0 += t1; t2 += (c0<t1)?1:0; \
-+ c0 += t0; t2 = t1+((c0<t0)?1:0);\
- c1 += t2; c2 += (c1<t2)?1:0; \
-+ c0 += t0; t1 += (c0<t0)?1:0; \
-+ c1 += t1; c2 += (c1<t1)?1:0; \
- }
-
- #define sqr_add_c(a,i,c0,c1,c2) { \
-@@ -508,10 +512,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
- BN_ULONG ta=(a),tb=(b),t0; \
- t1 = BN_UMULT_HIGH(ta,tb); \
- t0 = ta * tb; \
-- t2 = t1+t1; c2 += (t2<t1)?1:0; \
-- t1 = t0+t0; t2 += (t1<t0)?1:0; \
-- c0 += t1; t2 += (c0<t1)?1:0; \
-+ c0 += t0; t2 = t1+((c0<t0)?1:0);\
- c1 += t2; c2 += (c1<t2)?1:0; \
-+ c0 += t0; t1 += (c0<t0)?1:0; \
-+ c1 += t1; c2 += (c1<t1)?1:0; \
- }
-
- #define sqr_add_c(a,i,c0,c1,c2) { \
-diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
-index 7771e92..48bc633 100644
---- a/crypto/bn/bntest.c
-+++ b/crypto/bn/bntest.c
-@@ -678,44 +678,98 @@ int test_mul(BIO *bp)
-
- int test_sqr(BIO *bp, BN_CTX *ctx)
- {
-- BIGNUM a,c,d,e;
-- int i;
-+ BIGNUM *a,*c,*d,*e;
-+ int i, ret = 0;
-
-- BN_init(&a);
-- BN_init(&c);
-- BN_init(&d);
-- BN_init(&e);
-+ a = BN_new();
-+ c = BN_new();
-+ d = BN_new();
-+ e = BN_new();
-+ if (a == NULL || c == NULL || d == NULL || e == NULL)
-+ {
-+ goto err;
-+ }
-
- for (i=0; i<num0; i++)
- {
-- BN_bntest_rand(&a,40+i*10,0,0);
-- a.neg=rand_neg();
-- BN_sqr(&c,&a,ctx);
-+ BN_bntest_rand(a,40+i*10,0,0);
-+ a->neg=rand_neg();
-+ BN_sqr(c,a,ctx);
- if (bp != NULL)
- {
- if (!results)
- {
-- BN_print(bp,&a);
-+ BN_print(bp,a);
- BIO_puts(bp," * ");
-- BN_print(bp,&a);
-+ BN_print(bp,a);
- BIO_puts(bp," - ");
- }
-- BN_print(bp,&c);
-+ BN_print(bp,c);
- BIO_puts(bp,"\n");
- }
-- BN_div(&d,&e,&c,&a,ctx);
-- BN_sub(&d,&d,&a);
-- if(!BN_is_zero(&d) || !BN_is_zero(&e))
-- {
-- fprintf(stderr,"Square test failed!\n");
-- return 0;
-- }
-+ BN_div(d,e,c,a,ctx);
-+ BN_sub(d,d,a);
-+ if(!BN_is_zero(d) || !BN_is_zero(e))
-+ {
-+ fprintf(stderr,"Square test failed!\n");
-+ goto err;
-+ }
- }
-- BN_free(&a);
-- BN_free(&c);
-- BN_free(&d);
-- BN_free(&e);
-- return(1);
-+
-+ /* Regression test for a BN_sqr overflow bug. */
-+ BN_hex2bn(&a,
-+ "80000000000000008000000000000001FFFFFFFFFFFFFFFE0000000000000000");
-+ BN_sqr(c, a, ctx);
-+ if (bp != NULL)
-+ {
-+ if (!results)
-+ {
-+ BN_print(bp,a);
-+ BIO_puts(bp," * ");
-+ BN_print(bp,a);
-+ BIO_puts(bp," - ");
-+ }
-+ BN_print(bp,c);
-+ BIO_puts(bp,"\n");
-+ }
-+ BN_mul(d, a, a, ctx);
-+ if (BN_cmp(c, d))
-+ {
-+ fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
-+ "different results!\n");
-+ goto err;
-+ }
-+
-+ /* Regression test for a BN_sqr overflow bug. */
-+ BN_hex2bn(&a,
-+ "80000000000000000000000080000001FFFFFFFE000000000000000000000000");
-+ BN_sqr(c, a, ctx);
-+ if (bp != NULL)
-+ {
-+ if (!results)
-+ {
-+ BN_print(bp,a);
-+ BIO_puts(bp," * ");
-+ BN_print(bp,a);
-+ BIO_puts(bp," - ");
-+ }
-+ BN_print(bp,c);
-+ BIO_puts(bp,"\n");
-+ }
-+ BN_mul(d, a, a, ctx);
-+ if (BN_cmp(c, d))
-+ {
-+ fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
-+ "different results!\n");
-+ goto err;
-+ }
-+ ret = 1;
-+err:
-+ if (a != NULL) BN_free(a);
-+ if (c != NULL) BN_free(c);
-+ if (d != NULL) BN_free(d);
-+ if (e != NULL) BN_free(e);
-+ return ret;
- }
-
- int test_mont(BIO *bp, BN_CTX *ctx)
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,44 +0,0 @@
-From 8d7aab986b499f34d9e1bc58fbfd77f05c38116e Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Sat, 3 Jan 2015 00:45:13 +0000
-Subject: [PATCH 109/117] Fix crash in dtls1_get_record whilst in the listen
- state where you get two separate reads performed - one for the header and one
- for the body of the handshake record.
-
-CVE-2014-3571
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
----
- ssl/d1_pkt.c | 2 --
- ssl/s3_pkt.c | 2 ++
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index edd17df..d717260 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -642,8 +642,6 @@ again:
- /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
- i=rr->length;
- n=ssl3_read_n(s,i,i,1);
-- if (n <= 0) return(n); /* error or non-blocking io */
--
- /* this packet contained a partial record, dump it */
- if ( n != i)
- {
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index d1cd752..1ec9e6e 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -183,6 +183,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
- * at once (as long as it fits into the buffer). */
- if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
- {
-+ if (left == 0 && extend)
-+ return 0;
- if (left > 0 && n > left)
- n = left;
- }
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/0110-Follow-on-from-CVE-2014-3571.-This-fixes-the-code-th.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0110-Follow-on-from-CVE-2014-3571.-This-fixes-the-code-th.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0110-Follow-on-from-CVE-2014-3571.-This-fixes-the-code-th.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,31 +0,0 @@
-From 45fe66b8ba026186aa5d8ef1e0e6010ea74d5c0b Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Sat, 3 Jan 2015 00:54:35 +0000
-Subject: [PATCH 110/117] Follow on from CVE-2014-3571. This fixes the code
- that was the original source of the crash due to p being NULL. Steve's fix
- prevents this situation from occuring - however this is by no means obvious
- by looking at the code for dtls1_get_record. This fix just makes things look
- a bit more sane.
-
-Reviewed-by: Dr Steve Henson <steve at openssl.org>
----
- ssl/d1_pkt.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
-index d717260..73ce488 100644
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -676,7 +676,8 @@ again:
- * would be dropped unnecessarily.
- */
- if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
-- *p == SSL3_MT_CLIENT_HELLO) &&
-+ s->packet_length > DTLS1_RT_HEADER_LENGTH &&
-+ s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) &&
- !dtls1_record_replay_check(s, bitmap))
- {
- rr->length = 0;
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/0111-Unauthenticated-DH-client-certificate-fix.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0111-Unauthenticated-DH-client-certificate-fix.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0111-Unauthenticated-DH-client-certificate-fix.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,38 +0,0 @@
-From 98a0f9660d374f58f79ee0efcc8c1672a805e8e8 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Thu, 23 Oct 2014 20:36:17 +0100
-Subject: [PATCH 111/117] Unauthenticated DH client certificate fix.
-
-Fix to prevent use of DH client certificates without sending
-certificate verify message.
-
-If we've used a client certificate to generate the premaster secret
-ssl3_get_client_key_exchange returns 2 and ssl3_get_cert_verify is
-never called.
-
-We can only skip the certificate verify message in
-ssl3_get_cert_verify if the client didn't send a certificate.
-
-Thanks to Karthikeyan Bhargavan for reporting this issue.
-CVE-2015-0205
-Reviewed-by: Matt Caswell <matt at openssl.org>
----
- ssl/s3_srvr.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
-index d883f86..fadca74 100644
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
-@@ -3014,7 +3014,7 @@ int ssl3_get_cert_verify(SSL *s)
- if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
- {
- s->s3->tmp.reuse_message=1;
-- if ((peer != NULL) && (type & EVP_PKT_SIGN))
-+ if (peer != NULL)
- {
- al=SSL_AD_UNEXPECTED_MESSAGE;
- SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/0112-A-memory-leak-can-occur-in-dtls1_buffer_record-if-ei.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0112-A-memory-leak-can-occur-in-dtls1_buffer_record-if-ei.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/0112-A-memory-leak-can-occur-in-dtls1_buffer_record-if-ei.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,127 +0,0 @@
-From 04685bc949e90a877656cf5020b6d4f90a9636a6 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Wed, 7 Jan 2015 14:18:13 +0000
-Subject: [PATCH 112/117] A memory leak can occur in dtls1_buffer_record if
- either of the calls to ssl3_setup_buffers or pqueue_insert fail. The former
- will fail if there is a malloc failure, whilst the latter will fail if
- attempting to add a duplicate record to the queue. This should never happen
- because duplicate records should be detected and dropped before any attempt
- to add them to the queue. Unfortunately records that arrive that are for the
- next epoch are not being recorded correctly, and therefore replays are not
- being detected. Additionally, these "should not happen" failures that can
- occur in dtls1_buffer_record are not being treated as fatal and therefore an
- attacker could exploit this by sending repeated replay records for the next
- epoch, eventually causing a DoS through memory exhaustion.
-
-Thanks to Chris Mueller for reporting this issue and providing initial
-analysis and a patch. Further analysis and the final patch was performed by
-Matt Caswell from the OpenSSL development team.
-
-CVE-2015-0206
-
-Reviewed-by: Dr Stephen Henson <steve at openssl.org>
----
- ssl/d1_pkt.c | 30 +++++++++++++++++++++---------
- 1 file changed, 21 insertions(+), 9 deletions(-)
-
-Index: openssl-1.0.1e/ssl/d1_pkt.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/d1_pkt.c 2015-01-08 20:50:22.000000000 +0000
-+++ openssl-1.0.1e/ssl/d1_pkt.c 2015-01-08 20:53:54.679118046 +0000
-@@ -212,7 +212,7 @@
- /* Limit the size of the queue to prevent DOS attacks */
- if (pqueue_size(queue->q) >= 100)
- return 0;
--
-+
- rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA));
- item = pitem_new(priority, rdata);
- if (rdata == NULL || item == NULL)
-@@ -242,9 +242,11 @@
- /* insert should not fail, since duplicates are dropped */
- if (pqueue_insert(queue->q, item) == NULL)
- {
-+ if (rdata->rbuf.buf != NULL)
-+ OPENSSL_free(rdata->rbuf.buf);
- OPENSSL_free(rdata);
- pitem_free(item);
-- return(0);
-+ return(-1);
- }
-
- s->packet = NULL;
-@@ -255,9 +257,11 @@
- if (!ssl3_setup_buffers(s))
- {
- SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR);
-+ if (rdata->rbuf.buf != NULL)
-+ OPENSSL_free(rdata->rbuf.buf);
- OPENSSL_free(rdata);
- pitem_free(item);
-- return(0);
-+ return(-1);
- }
-
- return(1);
-@@ -313,8 +317,9 @@
- dtls1_get_unprocessed_record(s);
- if ( ! dtls1_process_record(s))
- return(0);
-- dtls1_buffer_record(s, &(s->d1->processed_rcds),
-- s->s3->rrec.seq_num);
-+ if(dtls1_buffer_record(s, &(s->d1->processed_rcds),
-+ s->s3->rrec.seq_num)<0)
-+ return -1;
- }
- }
-
-@@ -529,7 +534,6 @@
-
- /* we have pulled in a full packet so zero things */
- s->packet_length=0;
-- dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */
- return(1);
-
- f_err:
-@@ -562,7 +566,8 @@
-
- /* The epoch may have changed. If so, process all the
- * pending records. This is a non-blocking operation. */
-- dtls1_process_buffered_records(s);
-+ if(dtls1_process_buffered_records(s)<0)
-+ return -1;
-
- /* if we're renegotiating, then there may be buffered records */
- if (dtls1_get_processed_record(s))
-@@ -699,7 +704,9 @@
- {
- if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)
- {
-- dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num);
-+ if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0)
-+ return -1;
-+ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */
- }
- rr->length = 0;
- s->packet_length = 0;
-@@ -712,6 +719,7 @@
- s->packet_length = 0; /* dump this record */
- goto again; /* get another record */
- }
-+ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */
-
- return(1);
-
-@@ -857,7 +865,11 @@
- * buffer the application data for later processing rather
- * than dropping the connection.
- */
-- dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num);
-+ if(dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num)<0)
-+ {
-+ SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR);
-+ return -1;
-+ }
- rr->length = 0;
- goto start;
- }
Deleted: openssl/branches/wheezy/debian/patches/Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,31 +0,0 @@
-From 5788f66455b533a734df3b3f816f79be2a44da32 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Thu, 24 Jul 2014 23:33:34 +0100
-Subject: [PATCH 02/16] Added comment for the frag->reassembly == NULL case as
- per feedback from Emilia
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- ssl/d1_both.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index cdb83b6..6559dfc 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -639,7 +639,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
-
-
- /* If message is already reassembled, this must be a
-- * retransmit and can be dropped.
-+ * retransmit and can be dropped. In this case item != NULL and so frag
-+ * does not need to be freed.
- */
- if (frag->reassembly == NULL)
- {
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,36 +0,0 @@
-From cbcb11f5cd46024ff0f1136572d978dc4f50144a Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Thu, 24 Jul 2014 23:54:28 +0100
-Subject: [PATCH 06/16] Applying same fix as in
- dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok
- to be clear, but the return value would still be the number of bytes read.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Problem identified by Emilia Käsper, based on previous issue/patch by Adam
-Langley.
-
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- ssl/d1_both.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index ac0fcaa..ea8f340 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -663,7 +663,9 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- /* read the body of the fragment (header has already been read */
- i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
- frag->fragment + msg_hdr->frag_off,frag_len,0);
-- if (i<=0 || (unsigned long)i!=frag_len)
-+ if ((unsigned long)i!=frag_len)
-+ i=-1;
-+ if (i<=0)
- goto err;
-
- RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/Avoid-double-free-when-processing-DTLS-packets.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Avoid-double-free-when-processing-DTLS-packets.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Avoid-double-free-when-processing-DTLS-packets.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,52 +0,0 @@
-From 897c36077a1b6e8b78852ed23a6f4bcc92155753 Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl at imperialviolet.org>
-Date: Fri, 6 Jun 2014 14:19:21 -0700
-Subject: [PATCH 01/16] Avoid double free when processing DTLS packets.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The |item| variable, in both of these cases, may contain a pointer to a
-|pitem| structure within |s->d1->buffered_messages|. It was being freed
-in the error case while still being in |buffered_messages|. When the
-error later caused the |SSL*| to be destroyed, the item would be double
-freed.
-
-Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
-inconsistent with the other error paths (but correct).
-
-Fixes CVE-2014-3505
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- ssl/d1_both.c | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index c1eb970..cdb83b6 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -693,8 +693,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- return DTLS1_HM_FRAGMENT_RETRY;
-
- err:
-- if (frag != NULL) dtls1_hm_fragment_free(frag);
-- if (item != NULL) OPENSSL_free(item);
-+ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
- *ok = 0;
- return i;
- }
-@@ -778,8 +777,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- return DTLS1_HM_FRAGMENT_RETRY;
-
- err:
-- if ( frag != NULL) dtls1_hm_fragment_free(frag);
-- if ( item != NULL) OPENSSL_free(item);
-+ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
- *ok = 0;
- return i;
- }
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/CVE-2010-5298.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2010-5298.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2010-5298.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,27 +0,0 @@
-From db978be7388852059cf54e42539a363d549c5bfd Mon Sep 17 00:00:00 2001
-From: Kurt Roeckx <kurt at roeckx.be>
-Date: Sun, 13 Apr 2014 15:05:30 +0200
-Subject: [PATCH] Don't release the buffer when there still is data in it
-
-RT: 2167, 3265
----
- ssl/s3_pkt.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index b9e45c7..32e9207 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -1055,7 +1055,8 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
- {
- s->rstate=SSL_ST_READ_HEADER;
- rr->off=0;
-- if (s->mode & SSL_MODE_RELEASE_BUFFERS)
-+ if (s->mode & SSL_MODE_RELEASE_BUFFERS &&
-+ s->s3->rbuf.left == 0)
- ssl3_release_read_buffer(s);
- }
- }
---
-1.9.1
-
Deleted: openssl/branches/wheezy/debian/patches/CVE-2012-4929.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2012-4929.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2012-4929.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,17 +0,0 @@
-Subject: Disable zlib compression by default
-
-This fixes CVE-2012-4929 (CRiME).
-
-Index: openssl-1.0.1e/ssl/ssl_ciph.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl_ciph.c
-+++ openssl-1.0.1e/ssl/ssl_ciph.c
-@@ -455,7 +455,7 @@ static void load_builtin_compressions(vo
-
- MemCheck_off();
- ssl_comp_methods=sk_SSL_COMP_new(sk_comp_cmp);
-- if (ssl_comp_methods != NULL)
-+ if (ssl_comp_methods != NULL && getenv("OPENSSL_NO_DEFAULT_ZLIB") == NULL)
- {
- comp=(SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP));
- if (comp != NULL)
Deleted: openssl/branches/wheezy/debian/patches/CVE-2013-4353.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2013-4353.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2013-4353.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,25 +0,0 @@
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Mon, 6 Jan 2014 14:35:04 +0000
-Subject: [PATCH] Fix for TLS record tampering bug CVE-2013-4353
-Origin: upstream, commit:197e0ea817ad64820789d86711d55ff50d71f631
-
-diff --git a/ssl/s3_both.c b/ssl/s3_both.c
-index 1e5dcab..53b9390 100644
---- a/ssl/s3_both.c
-+++ b/ssl/s3_both.c
-@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s)
- {
- const char *sender;
- int slen;
--
-+ /* If no new cipher setup return immediately: other functions will
-+ * set the appropriate error.
-+ */
-+ if (s->s3->tmp.new_cipher == NULL)
-+ return;
- if (s->state & SSL_ST_CONNECT)
- {
- sender=s->method->ssl3_enc->server_finished_label;
---
-1.8.5.2
-
Deleted: openssl/branches/wheezy/debian/patches/CVE-2013-6449.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2013-6449.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2013-6449.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,83 +0,0 @@
-Author: Dr. Stephen Henson <steve at openssl.org>
-Date: Thu Dec 19 14:37:39 2013 +0000
-Subject: Fix CVE-2013-6449
-
-This is a combination of upstream commits:
-0294b2be5f4c11e60620c0018674ff0e17b14238
-ca989269a2876bae79393bd54c3e72d49975fc75
-
-diff --git a/ssl/s3_both.c b/ssl/s3_both.c
-index ead01c8..1e5dcab 100644
---- a/ssl/s3_both.c
-+++ b/ssl/s3_both.c
-@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
-
- i=s->method->ssl3_enc->final_finish_mac(s,
- sender,slen,s->s3->tmp.finish_md);
-+ if (i == 0)
-+ return 0;
- s->s3->tmp.finish_md_len = i;
- memcpy(p, s->s3->tmp.finish_md, i);
- p+=i;
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index 804291e..c4bc4e7 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
- slen=s->method->ssl3_enc->client_finished_label_len;
- }
-
-- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
-+ i = s->method->ssl3_enc->final_finish_mac(s,
- sender,slen,s->s3->tmp.peer_finish_md);
-+ if (i == 0)
-+ {
-+ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ s->s3->tmp.peer_finish_md_len = i;
-
- return(1);
- }
-diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
-index 809ad2e..72015f5 100644
---- a/ssl/t1_enc.c
-+++ b/ssl/t1_enc.c
-@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s,
- if (mask & ssl_get_algorithm2(s))
- {
- int hashsize = EVP_MD_size(md);
-- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
-+ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
-+ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
- {
- /* internal error: 'buf' is too small for this cipersuite! */
- err = 1;
- }
- else
- {
-- EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
-- EVP_DigestFinal_ex(&ctx,q,&i);
-- if (i != (unsigned int)hashsize) /* can't really happen */
-+ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
-+ !EVP_DigestFinal_ex(&ctx,q,&i) ||
-+ (i != (unsigned int)hashsize))
- err = 1;
-- q+=i;
-+ q+=hashsize;
- }
- }
- }
-diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index bf832bb..c4ef273 100644
---- a/ssl/s3_lib.c
-+++ b/ssl/s3_lib.c
-@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
- long ssl_get_algorithm2(SSL *s)
- {
- long alg2 = s->s3->tmp.new_cipher->algorithm2;
-- if (TLS1_get_version(s) >= TLS1_2_VERSION &&
-+ if (s->method->version == TLS1_2_VERSION &&
- alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
- return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
- return alg2;
Deleted: openssl/branches/wheezy/debian/patches/CVE-2013-6450.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2013-6450.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2013-6450.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,94 +0,0 @@
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Fri, 20 Dec 2013 15:26:50 +0000
-Subject: [PATCH] Fix DTLS retransmission from previous session.
-Origin: upstream, commit:34628967f1e65dc8f34e000f0f5518e21afbfc7b, commit:a6c62f0c25a756c263a80ce52afbae888028e986
-
-For DTLS we might need to retransmit messages from the previous session
-so keep a copy of write context in DTLS retransmission buffers instead
-of replacing it after sending CCS. CVE-2013-6450.
----
- CHANGES | 5 +++++
- ssl/d1_both.c | 6 ++++++
- ssl/ssl_locl.h | 2 ++
- ssl/t1_enc.c | 17 +++++++++++------
- 4 files changed, 24 insertions(+), 6 deletions(-)
-
-Index: openssl-1.0.1e/ssl/d1_both.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/d1_both.c 2013-12-23 17:57:07.916566103 +0100
-+++ openssl-1.0.1e/ssl/d1_both.c 2013-12-23 17:57:07.888566708 +0100
-@@ -214,6 +214,12 @@
- static void
- dtls1_hm_fragment_free(hm_fragment *frag)
- {
-+
-+ if (frag->msg_header.is_ccs)
-+ {
-+ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx);
-+ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash);
-+ }
- if (frag->fragment) OPENSSL_free(frag->fragment);
- if (frag->reassembly) OPENSSL_free(frag->reassembly);
- OPENSSL_free(frag);
-Index: openssl-1.0.1e/ssl/ssl_locl.h
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl_locl.h 2013-12-23 17:57:07.916566103 +0100
-+++ openssl-1.0.1e/ssl/ssl_locl.h 2013-12-23 17:57:07.888566708 +0100
-@@ -621,6 +621,8 @@
- extern SSL3_ENC_METHOD SSLv3_enc_data;
- extern SSL3_ENC_METHOD DTLSv1_enc_data;
-
-+#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
-+
- #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
- s_get_meth) \
- const SSL_METHOD *func_name(void) \
-Index: openssl-1.0.1e/ssl/t1_enc.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/t1_enc.c 2013-12-23 17:57:07.916566103 +0100
-+++ openssl-1.0.1e/ssl/t1_enc.c 2013-12-23 17:57:07.888566708 +0100
-@@ -414,15 +414,20 @@
- s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
- else
- s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
-- if (s->enc_write_ctx != NULL)
-+ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
- reuse_dd = 1;
-- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
-+ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
- goto err;
-- else
-- /* make sure it's intialized in case we exit later with an error */
-- EVP_CIPHER_CTX_init(s->enc_write_ctx);
- dd= s->enc_write_ctx;
-- mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
-+ if (SSL_IS_DTLS(s))
-+ {
-+ mac_ctx = EVP_MD_CTX_create();
-+ if (!mac_ctx)
-+ goto err;
-+ s->write_hash = mac_ctx;
-+ }
-+ else
-+ mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
- #ifndef OPENSSL_NO_COMP
- if (s->compress != NULL)
- {
-diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
-index 6fc469f..d14e8e4 100644
---- a/crypto/evp/digest.c
-+++ b/crypto/evp/digest.c
-@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count,
-
- void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx)
- {
-- EVP_MD_CTX_cleanup(ctx);
-- OPENSSL_free(ctx);
-+ if (ctx)
-+ {
-+ EVP_MD_CTX_cleanup(ctx);
-+ OPENSSL_free(ctx);
-+ }
- }
-
- /* This call frees resources associated with the context */
Deleted: openssl/branches/wheezy/debian/patches/CVE-2014-0076.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2014-0076.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2014-0076.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,177 +0,0 @@
-From f9b6c0ba4c02497782f801e3c45688f3efaac55c Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Wed, 12 Mar 2014 14:16:19 +0000
-Subject: [PATCH] Fix for CVE-2014-0076
-
-Fix for the attack described in the paper "Recovering OpenSSL
-ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
-by Yuval Yarom and Naomi Benger. Details can be obtained from:
-http://eprint.iacr.org/2014/140
-
-Thanks to Yuval Yarom and Naomi Benger for discovering this
-flaw and to Yuval Yarom for supplying a fix.
-(cherry picked from commit 2198be3483259de374f91e57d247d0fc667aef29)
-
-Conflicts:
-
- CHANGES
----
- CHANGES | 9 +++++++++
- crypto/bn/bn.h | 11 +++++++++++
- crypto/bn/bn_lib.c | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++
- crypto/ec/ec2_mult.c | 27 ++++++++++++++++-----------
- 4 files changed, 88 insertions(+), 11 deletions(-)
-
-diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
-index 7c23c01..b3518cb 100644
---- a/crypto/bn/bn.h
-+++ b/crypto/bn/bn.h
-@@ -538,6 +538,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret,
- BIGNUM *BN_mod_sqrt(BIGNUM *ret,
- const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
-
-+void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
-+
- /* Deprecated versions */
- #ifndef OPENSSL_NO_DEPRECATED
- BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
-@@ -774,11 +776,20 @@ int RAND_pseudo_bytes(unsigned char *buf,int num);
-
- #define bn_fix_top(a) bn_check_top(a)
-
-+#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
-+#define bn_wcheck_size(bn, words) \
-+ do { \
-+ const BIGNUM *_bnum2 = (bn); \
-+ assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
-+ } while(0)
-+
- #else /* !BN_DEBUG */
-
- #define bn_pollute(a)
- #define bn_check_top(a)
- #define bn_fix_top(a) bn_correct_top(a)
-+#define bn_check_size(bn, bits)
-+#define bn_wcheck_size(bn, words)
-
- #endif
-
-diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
-index f77fdb7..72da073 100644
---- a/crypto/bn/bn_lib.c
-+++ b/crypto/bn/bn_lib.c
-@@ -824,3 +824,55 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
- }
- return bn_cmp_words(a,b,cl);
- }
-+
-+/*
-+ * Constant-time conditional swap of a and b.
-+ * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
-+ * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
-+ * and that no more than nwords are used by either a or b.
-+ * a and b cannot be the same number
-+ */
-+void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
-+ {
-+ BN_ULONG t;
-+ int i;
-+
-+ bn_wcheck_size(a, nwords);
-+ bn_wcheck_size(b, nwords);
-+
-+ assert(a != b);
-+ assert((condition & (condition - 1)) == 0);
-+ assert(sizeof(BN_ULONG) >= sizeof(int));
-+
-+ condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
-+
-+ t = (a->top^b->top) & condition;
-+ a->top ^= t;
-+ b->top ^= t;
-+
-+#define BN_CONSTTIME_SWAP(ind) \
-+ do { \
-+ t = (a->d[ind] ^ b->d[ind]) & condition; \
-+ a->d[ind] ^= t; \
-+ b->d[ind] ^= t; \
-+ } while (0)
-+
-+
-+ switch (nwords) {
-+ default:
-+ for (i = 10; i < nwords; i++)
-+ BN_CONSTTIME_SWAP(i);
-+ /* Fallthrough */
-+ case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
-+ case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
-+ case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
-+ case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
-+ case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
-+ case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
-+ case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
-+ case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
-+ case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
-+ case 1: BN_CONSTTIME_SWAP(0);
-+ }
-+#undef BN_CONSTTIME_SWAP
-+}
-diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c
-index f41665a..06405d0 100644
---- a/crypto/ec/ec2_mult.c
-+++ b/crypto/ec/ec2_mult.c
-@@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
- return ret;
- }
-
-+
- /* Computes scalar*point and stores the result in r.
- * point can not equal r.
-- * Uses algorithm 2P of
-+ * Uses a modified algorithm 2P of
- * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over
- * GF(2^m) without precomputation" (CHES '99, LNCS 1717).
-+ *
-+ * To protect against side-channel attack the function uses constant time swap,
-+ * avoiding conditional branches.
- */
- static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
- const EC_POINT *point, BN_CTX *ctx)
-@@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
- x2 = &r->X;
- z2 = &r->Y;
-
-+ bn_wexpand(x1, group->field.top);
-+ bn_wexpand(z1, group->field.top);
-+ bn_wexpand(x2, group->field.top);
-+ bn_wexpand(z2, group->field.top);
-+
- if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
- if (!BN_one(z1)) goto err; /* z1 = 1 */
- if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
-@@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
- word = scalar->d[i];
- while (mask)
- {
-- if (word & mask)
-- {
-- if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
-- if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
-- }
-- else
-- {
-- if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
-- if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
-- }
-+ BN_consttime_swap(word & mask, x1, x2, group->field.top);
-+ BN_consttime_swap(word & mask, z1, z2, group->field.top);
-+ if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
-+ if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
-+ BN_consttime_swap(word & mask, x1, x2, group->field.top);
-+ BN_consttime_swap(word & mask, z1, z2, group->field.top);
- mask >>= 1;
- }
- mask = BN_TBIT;
---
-1.9.1
-
Deleted: openssl/branches/wheezy/debian/patches/CVE-2014-0160.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2014-0160.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2014-0160.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,112 +0,0 @@
-From 96db9023b881d7cd9f379b0c154650d6c108e9a3 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Sun, 6 Apr 2014 00:51:06 +0100
-Subject: [PATCH] Add heartbeat extension bounds check.
-
-A missing bounds check in the handling of the TLS heartbeat extension
-can be used to reveal up to 64k of memory to a connected client or
-server.
-
-Thanks for Neel Mehta of Google Security for discovering this bug and to
-Adam Langley <agl at chromium.org> and Bodo Moeller <bmoeller at acm.org> for
-preparing the fix (CVE-2014-0160)
----
- CHANGES | 9 +++++++++
- ssl/d1_both.c | 26 ++++++++++++++++++--------
- ssl/t1_lib.c | 14 +++++++++-----
- 3 files changed, 36 insertions(+), 13 deletions(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 7a5596a..2e8cf68 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -1459,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s)
- unsigned int payload;
- unsigned int padding = 16; /* Use minimum padding */
-
-- /* Read type and payload length first */
-- hbtype = *p++;
-- n2s(p, payload);
-- pl = p;
--
- if (s->msg_callback)
- s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
- &s->s3->rrec.data[0], s->s3->rrec.length,
- s, s->msg_callback_arg);
-
-+ /* Read type and payload length first */
-+ if (1 + 2 + 16 > s->s3->rrec.length)
-+ return 0; /* silently discard */
-+ hbtype = *p++;
-+ n2s(p, payload);
-+ if (1 + 2 + payload + 16 > s->s3->rrec.length)
-+ return 0; /* silently discard per RFC 6520 sec. 4 */
-+ pl = p;
-+
- if (hbtype == TLS1_HB_REQUEST)
- {
- unsigned char *buffer, *bp;
-+ unsigned int write_length = 1 /* heartbeat type */ +
-+ 2 /* heartbeat length */ +
-+ payload + padding;
- int r;
-
-+ if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
-+ return 0;
-+
- /* Allocate memory for the response, size is 1 byte
- * message type, plus 2 bytes payload length, plus
- * payload, plus padding
- */
-- buffer = OPENSSL_malloc(1 + 2 + payload + padding);
-+ buffer = OPENSSL_malloc(write_length);
- bp = buffer;
-
- /* Enter response type, length and copy payload */
-@@ -1489,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s)
- /* Random padding */
- RAND_pseudo_bytes(bp, padding);
-
-- r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
-+ r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
-
- if (r >= 0 && s->msg_callback)
- s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
-- buffer, 3 + payload + padding,
-+ buffer, write_length,
- s, s->msg_callback_arg);
-
- OPENSSL_free(buffer);
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index b82fada..bddffd9 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -2588,16 +2588,20 @@ tls1_process_heartbeat(SSL *s)
- unsigned int payload;
- unsigned int padding = 16; /* Use minimum padding */
-
-- /* Read type and payload length first */
-- hbtype = *p++;
-- n2s(p, payload);
-- pl = p;
--
- if (s->msg_callback)
- s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
- &s->s3->rrec.data[0], s->s3->rrec.length,
- s, s->msg_callback_arg);
-
-+ /* Read type and payload length first */
-+ if (1 + 2 + 16 > s->s3->rrec.length)
-+ return 0; /* silently discard */
-+ hbtype = *p++;
-+ n2s(p, payload);
-+ if (1 + 2 + payload + 16 > s->s3->rrec.length)
-+ return 0; /* silently discard per RFC 6520 sec. 4 */
-+ pl = p;
-+
- if (hbtype == TLS1_HB_REQUEST)
- {
- unsigned char *buffer, *bp;
---
-1.9.1
-
Deleted: openssl/branches/wheezy/debian/patches/CVE-2014-0195.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2014-0195.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2014-0195.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,33 +0,0 @@
-From: Dr. Stephen Henson <steve at openssl.org>
-Date: Tue May 13 18:48:31 2014 +0100
-Subject: Fix for CVE-2014-0195
-
- A buffer overrun attack can be triggered by sending invalid DTLS fragments
- to an OpenSSL DTLS client or server. This is potentially exploitable to
- run arbitrary code on a vulnerable client or server.
-
- Fixed by adding consistency check for DTLS fragments.
-
- Thanks to Jüri Aedla for reporting this issue.
-
-Index: openssl-1.0.1e/ssl/d1_both.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/d1_both.c 2014-06-04 18:34:30.110610095 +0000
-+++ openssl-1.0.1e/ssl/d1_both.c 2014-06-04 18:34:38.762427320 +0000
-@@ -626,7 +626,16 @@
- frag->msg_header.frag_off = 0;
- }
- else
-+ {
- frag = (hm_fragment*) item->data;
-+ if (frag->msg_header.msg_len != msg_hdr->msg_len)
-+ {
-+ item = NULL;
-+ frag = NULL;
-+ goto err;
-+ }
-+ }
-+
-
- /* If message is already reassembled, this must be a
- * retransmit and can be dropped.
Deleted: openssl/branches/wheezy/debian/patches/CVE-2014-0198.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2014-0198.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2014-0198.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,37 +0,0 @@
-From b107586c0c3447ea22dba8698ebbcd81bb29d48c Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Mon, 12 May 2014 00:38:37 +0100
-Subject: [PATCH] Fixed NULL pointer dereference. See PR#3321
-
----
- ssl/s3_pkt.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index 40eb0dd..d961d12 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- SSL3_BUFFER *wb=&(s->s3->wbuf);
- SSL_SESSION *sess;
-
-- if (wb->buf == NULL)
-- if (!ssl3_setup_write_buffer(s))
-- return -1;
-
- /* first check if there is a SSL3_BUFFER still being written
- * out. This will happen with non blocking IO */
-@@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
- /* if it went, fall through and send more stuff */
- }
-
-+ if (wb->buf == NULL)
-+ if (!ssl3_setup_write_buffer(s))
-+ return -1;
-+
- if (len == 0 && !create_empty_fragment)
- return 0;
-
---
-2.0.0.rc0
-
Deleted: openssl/branches/wheezy/debian/patches/CVE-2014-0221.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2014-0221.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2014-0221.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,31 +0,0 @@
-From: Dr. Stephen Henson <steve at openssl.org>
-Date: Fri May 16 13:00:45 2014 +0100
-Subject: Fix CVE-2014-0221
-
- Unnecessary recursion when receiving a DTLS hello request can be used to
- crash a DTLS client. Fixed by handling DTLS hello request without recursion.
-
- Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
-
-Index: openssl-1.0.1e/ssl/d1_both.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/d1_both.c 2014-06-04 18:34:30.326605532 +0000
-+++ openssl-1.0.1e/ssl/d1_both.c 2014-06-04 18:34:30.334605363 +0000
-@@ -792,6 +792,7 @@
- int i,al;
- struct hm_header_st msg_hdr;
-
-+ redo:
- /* see if we have the required fragment already */
- if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
- {
-@@ -850,8 +851,7 @@
- s->msg_callback_arg);
-
- s->init_num = 0;
-- return dtls1_get_message_fragment(s, st1, stn,
-- max, ok);
-+ goto redo;
- }
- else /* Incorrectly formated Hello request */
- {
Deleted: openssl/branches/wheezy/debian/patches/CVE-2014-0224.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2014-0224.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2014-0224.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,119 +0,0 @@
-From: Dr. Stephen Henson <steve at openssl.org>
-Date: Fri May 16 12:55:16 2014 +0100
-Subject: Fix for CVE-2014-0224
-
- Only accept change cipher spec when it is expected instead of at any
- time. This prevents premature setting of session keys before the master
- secret is determined which an attacker could use as a MITM attack.
-
- Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
- and providing the initial fix this patch is based on.
-
-Index: openssl-1.0.1e/ssl/s3_pkt.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_pkt.c
-+++ openssl-1.0.1e/ssl/s3_pkt.c
-@@ -1299,6 +1299,15 @@ start:
- goto f_err;
- }
-
-+ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
-+ {
-+ al=SSL_AD_UNEXPECTED_MESSAGE;
-+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
-+ goto f_err;
-+ }
-+
-+ s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
-+
- rr->length=0;
-
- if (s->msg_callback)
-@@ -1433,7 +1442,7 @@ int ssl3_do_change_cipher_spec(SSL *s)
-
- if (s->s3->tmp.key_block == NULL)
- {
-- if (s->session == NULL)
-+ if (s->session == NULL || s->session->master_key_length == 0)
- {
- /* might happen if dtls1_read_bytes() calls this */
- SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY);
-Index: openssl-1.0.1e/ssl/s3_clnt.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_clnt.c
-+++ openssl-1.0.1e/ssl/s3_clnt.c
-@@ -510,6 +510,7 @@ int ssl3_connect(SSL *s)
- s->method->ssl3_enc->client_finished_label,
- s->method->ssl3_enc->client_finished_label_len);
- if (ret <= 0) goto end;
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- s->state=SSL3_ST_CW_FLUSH;
-
- /* clear flags */
-@@ -559,6 +560,7 @@ int ssl3_connect(SSL *s)
- case SSL3_ST_CR_FINISHED_A:
- case SSL3_ST_CR_FINISHED_B:
-
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
- SSL3_ST_CR_FINISHED_B);
- if (ret <= 0) goto end;
-@@ -901,6 +903,7 @@ int ssl3_get_server_hello(SSL *s)
- {
- s->session->cipher = pref_cipher ?
- pref_cipher : ssl_get_cipher_by_char(s, p+j);
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- }
- }
- #endif /* OPENSSL_NO_TLSEXT */
-@@ -916,6 +919,7 @@ int ssl3_get_server_hello(SSL *s)
- SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
- goto f_err;
- }
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- s->hit=1;
- }
- else /* a miss or crap from the other end */
-Index: openssl-1.0.1e/ssl/s3_srvr.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_srvr.c
-+++ openssl-1.0.1e/ssl/s3_srvr.c
-@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
- case SSL3_ST_SR_CERT_VRFY_A:
- case SSL3_ST_SR_CERT_VRFY_B:
-
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- /* we should decide if we expected this one */
- ret=ssl3_get_cert_verify(s);
- if (ret <= 0) goto end;
-@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
-
- case SSL3_ST_SR_FINISHED_A:
- case SSL3_ST_SR_FINISHED_B:
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
- SSL3_ST_SR_FINISHED_B);
- if (ret <= 0) goto end;
-@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
- s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
- #else
- if (s->s3->next_proto_neg_seen)
-+ {
-+ s->s3->flags |= SSL3_FLAGS_CCS_OK;
- s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
-+ }
- else
- s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
- #endif
-Index: openssl-1.0.1e/ssl/ssl3.h
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl3.h
-+++ openssl-1.0.1e/ssl/ssl3.h
-@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
- #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
- #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
- #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020
-+#define SSL3_FLAGS_CCS_OK 0x0080
-
- /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
- * restart a handshake because of MS SGC and so prevents us
Deleted: openssl/branches/wheezy/debian/patches/CVE-2014-3470.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2014-3470.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2014-3470.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,26 +0,0 @@
-commit 4ad43d511f6cf064c66eb4bfd0fb0919b5dd8a86
-Author: Dr. Stephen Henson <steve at openssl.org>
-Date: Thu May 29 15:00:05 2014 +0100
-
- Fix CVE-2014-3470
-
- Check session_cert is not NULL before dereferencing it.
-
-Index: openssl-1.0.1e/ssl/s3_clnt.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_clnt.c 2014-06-04 18:34:30.298606124 +0000
-+++ openssl-1.0.1e/ssl/s3_clnt.c 2014-06-04 18:34:30.318605702 +0000
-@@ -2513,6 +2513,13 @@
- int ecdh_clnt_cert = 0;
- int field_size = 0;
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- /* Did we send out the client's
- * ECDH share for use in premaster
- * computation as part of client certificate?
Deleted: openssl/branches/wheezy/debian/patches/CVE-2014-8176.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2014-8176.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2014-8176.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,34 +0,0 @@
-From b79e6e3a276634582012d531f4150a5fcf84fab3 Mon Sep 17 00:00:00 2001
-From: zhu qun-ying <qunying at yahoo.com>
-Date: Mon, 2 Jun 2014 14:38:52 +0100
-Subject: [PATCH] Free up s->d1->buffered_app_data.q properly.
-
-PR#3286
-(cherry picked from commit 71e95000afb2227fe5cac1c79ae884338bcd8d0b)
----
- ssl/d1_lib.c | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
-index 97f325f..ebee368 100644
---- a/ssl/d1_lib.c
-+++ b/ssl/d1_lib.c
-@@ -175,9 +175,12 @@ static void dtls1_clear_queues(SSL *s)
-
- while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
- {
-- frag = (hm_fragment *)item->data;
-- OPENSSL_free(frag->fragment);
-- OPENSSL_free(frag);
-+ rdata = (DTLS1_RECORD_DATA *) item->data;
-+ if (rdata->rbuf.buf)
-+ {
-+ OPENSSL_free(rdata->rbuf.buf);
-+ }
-+ OPENSSL_free(item->data);
- pitem_free(item);
- }
- }
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/CVE-2014-XXXX-Extension-checking-fixes.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2014-XXXX-Extension-checking-fixes.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2014-XXXX-Extension-checking-fixes.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,40 +0,0 @@
-From 300b9f0b704048f60776881f1d378c74d9c32fbd Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Tue, 15 Apr 2014 18:48:54 +0100
-Subject: [PATCH] Extension checking fixes.
-
-When looking for an extension we need to set the last found
-position to -1 to properly search all extensions.
-
-PR#3309.
----
- crypto/x509v3/v3_purp.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c
-index 6c40c7d..5f931db 100644
---- a/crypto/x509v3/v3_purp.c
-+++ b/crypto/x509v3/v3_purp.c
-@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509 *x)
- /* Handle proxy certificates */
- if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
- if (x->ex_flags & EXFLAG_CA
-- || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
-- || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
-+ || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
-+ || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
- x->ex_flags |= EXFLAG_INVALID;
- }
- if (pci->pcPathLengthConstraint) {
-@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(const X509_PURPOSE *xp, const X509 *x,
- return 0;
-
- /* Extended Key Usage MUST be critical */
-- i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
-+ i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
- if (i_ext >= 0)
- {
- X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);
---
-1.9.1
-
Deleted: openssl/branches/wheezy/debian/patches/CVE-2015-1788.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2015-1788.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2015-1788.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,45 +0,0 @@
-From f61bbf8da532038ed0eae16a9a11771f3da22d30 Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro at openssl.org>
-Date: Thu, 11 Jun 2015 00:18:01 +0200
-Subject: [PATCH] bn/bn_gf2m.c: avoid infinite loop wich malformed ECParamters.
-
-CVE-2015-1788
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
-(cherry picked from commit 4924b37ee01f71ae19c94a8934b80eeb2f677932)
----
- crypto/bn/bn_gf2m.c | 15 ++++++++++-----
- 1 file changed, 10 insertions(+), 5 deletions(-)
-
-Index: openssl-1.0.1k/crypto/bn/bn_gf2m.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/bn/bn_gf2m.c
-+++ openssl-1.0.1k/crypto/bn/bn_gf2m.c
-@@ -568,9 +568,10 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIG
- }
- #else
- {
-- int i, ubits = BN_num_bits(u),
-- vbits = BN_num_bits(v), /* v is copy of p */
-- top = p->top;
-+ int i;
-+ int ubits = BN_num_bits(u);
-+ int vbits = BN_num_bits(v); /* v is copy of p */
-+ int top = p->top;
- BN_ULONG *udp,*bdp,*vdp,*cdp;
-
- bn_wexpand(u,top); udp = u->d;
-@@ -611,7 +612,12 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIG
- ubits--;
- }
-
-- if (ubits<=BN_BITS2 && udp[0]==1) break;
-+ if (ubits <= BN_BITS2) {
-+ if (udp[0] == 0) /* poly was reducible */
-+ goto err;
-+ if (udp[0] == 1)
-+ break;
-+ }
-
- if (ubits<vbits)
- {
Deleted: openssl/branches/wheezy/debian/patches/CVE-2015-1789.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2015-1789.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2015-1789.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,134 +0,0 @@
-From 370ac320301e28bb615cee80124c042649c95d14 Mon Sep 17 00:00:00 2001
-From: Emilia Kasper <emilia at openssl.org>
-Date: Wed, 8 Apr 2015 16:56:43 +0200
-Subject: [PATCH] Fix length checks in X509_cmp_time to avoid out-of-bounds
- reads.
-
-Also tighten X509_cmp_time to reject more than three fractional
-seconds in the time; and to reject trailing garbage after the offset.
-
-CVE-2015-1789
-
-Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
-Reviewed-by: Richard Levitte <levitte at openssl.org>
----
- crypto/x509/x509_vfy.c | 57 +++++++++++++++++++++++++++++++++++++++++---------
- 1 file changed, 47 insertions(+), 10 deletions(-)
-
-Index: openssl-1.0.1k/crypto/x509/x509_vfy.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/x509/x509_vfy.c
-+++ openssl-1.0.1k/crypto/x509/x509_vfy.c
-@@ -1712,54 +1712,93 @@ int X509_cmp_time(const ASN1_TIME *ctm,
- ASN1_TIME atm;
- long offset;
- char buff1[24],buff2[24],*p;
-- int i,j;
-+ int i,j,remaining;
-
- p=buff1;
-- i=ctm->length;
-+ remaining = ctm->length;
- str=(char *)ctm->data;
-+ /*
-+ * Note that the following (historical) code allows much more slack in the
-+ * time format than RFC5280. In RFC5280, the representation is fixed:
-+ * UTCTime: YYMMDDHHMMSSZ
-+ * GeneralizedTime: YYYYMMDDHHMMSSZ
-+ */
- if (ctm->type == V_ASN1_UTCTIME)
- {
-- if ((i < 11) || (i > 17)) return 0;
-+ /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */
-+ int min_length = sizeof("YYMMDDHHMMZ") - 1;
-+ int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1;
-+ if (remaining < min_length || remaining > max_length)
-+ return 0;
- memcpy(p,str,10);
- p+=10;
- str+=10;
-+ remaining -= 10;
- }
- else
- {
-- if (i < 13) return 0;
-+ /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */
-+ int min_length = sizeof("YYYYMMDDHHMMZ") - 1;
-+ int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1;
-+ if (remaining < min_length || remaining > max_length)
-+ return 0;
- memcpy(p,str,12);
- p+=12;
- str+=12;
-+ remaining -= 12;
- }
-
- if ((*str == 'Z') || (*str == '-') || (*str == '+'))
- { *(p++)='0'; *(p++)='0'; }
- else
- {
-+ /* SS (seconds) */
-+ if (remaining < 2)
-+ return 0;
- *(p++)= *(str++);
- *(p++)= *(str++);
-- /* Skip any fractional seconds... */
-- if (*str == '.')
-+ remaining -= 2;
-+ /*
-+ * Skip any (up to three) fractional seconds...
-+ * TODO(emilia): in RFC5280, fractional seconds are forbidden.
-+ * Can we just kill them altogether?
-+ */
-+ if (remaining && *str == '.')
- {
- str++;
-- while ((*str >= '0') && (*str <= '9')) str++;
-+ remaining--;
-+ for (i = 0; i < 3 && remaining; i++, str++, remaining--)
-+ {
-+ if (*str < '0' || *str > '9')
-+ break;
-+ }
- }
--
- }
- *(p++)='Z';
- *(p++)='\0';
-
-- if (*str == 'Z')
-- offset=0;
-- else
-- {
-- if ((*str != '+') && (*str != '-'))
-- return 0;
-- offset=((str[1]-'0')*10+(str[2]-'0'))*60;
-- offset+=(str[3]-'0')*10+(str[4]-'0');
-- if (*str == '-')
-- offset= -offset;
-- }
-+ /* We now need either a terminating 'Z' or an offset. */
-+ if (!remaining)
-+ return 0;
-+ if (*str == 'Z') {
-+ if (remaining != 1)
-+ return 0;
-+ offset=0;
-+ } else {
-+ /* (+-)HHMM */
-+ if ((*str != '+') && (*str != '-'))
-+ return 0;
-+ /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */
-+ if (remaining != 5)
-+ return 0;
-+ if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' ||
-+ str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9')
-+ return 0;
-+ offset=((str[1]-'0')*10+(str[2]-'0'))*60;
-+ offset+=(str[3]-'0')*10+(str[4]-'0');
-+ if (*str == '-')
-+ offset= -offset;
-+ }
- atm.type=ctm->type;
- atm.flags = 0;
- atm.length=sizeof(buff2);
Deleted: openssl/branches/wheezy/debian/patches/CVE-2015-1790.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2015-1790.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2015-1790.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,66 +0,0 @@
-From 5fbc59cac60db4d7c3172152b8bdafe0c675fabd Mon Sep 17 00:00:00 2001
-From: Emilia Kasper <emilia at openssl.org>
-Date: Tue, 12 May 2015 19:00:30 +0200
-Subject: [PATCH] PKCS#7: Fix NULL dereference with missing EncryptedContent.
-
-CVE-2015-1790
-
-Reviewed-by: Rich Salz <rsalz at openssl.org>
----
- crypto/pkcs7/pk7_doit.c | 16 +++++++++++++++-
- 1 file changed, 15 insertions(+), 1 deletion(-)
-
-Index: openssl-1.0.1e/crypto/pkcs7/pk7_doit.c
-===================================================================
---- openssl-1.0.1e.orig/crypto/pkcs7/pk7_doit.c 2015-06-13 10:23:02.711151000 +0000
-+++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c 2015-06-13 10:23:05.231096980 +0000
-@@ -468,12 +468,19 @@
- switch (i)
- {
- case NID_pkcs7_signed:
-+ /*
-+ * p7->d.sign->contents is a PKCS7 structure consisting of a contentType
-+ * field and optional content.
-+ * data_body is NULL if that structure has no (=detached) content
-+ * or if the contentType is wrong (i.e., not "data").
-+ */
- data_body=PKCS7_get_octet_string(p7->d.sign->contents);
- md_sk=p7->d.sign->md_algs;
- break;
- case NID_pkcs7_signedAndEnveloped:
- rsk=p7->d.signed_and_enveloped->recipientinfo;
- md_sk=p7->d.signed_and_enveloped->md_algs;
-+ /* data_body is NULL if the optional EncryptedContent is missing. */
- data_body=p7->d.signed_and_enveloped->enc_data->enc_data;
- enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm;
- evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
-@@ -486,6 +493,7 @@
- case NID_pkcs7_enveloped:
- rsk=p7->d.enveloped->recipientinfo;
- enc_alg=p7->d.enveloped->enc_data->algorithm;
-+ /* data_body is NULL if the optional EncryptedContent is missing. */
- data_body=p7->d.enveloped->enc_data->enc_data;
- evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm);
- if (evp_cipher == NULL)
-@@ -499,6 +507,12 @@
- goto err;
- }
-
-+ /* Detached content must be supplied via in_bio instead. */
-+ if (data_body == NULL && in_bio == NULL) {
-+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
-+ goto err;
-+ }
-+
- /* We will be checking the signature */
- if (md_sk != NULL)
- {
-@@ -655,7 +669,7 @@
- }
-
- #if 1
-- if (PKCS7_is_detached(p7) || (in_bio != NULL))
-+ if (in_bio != NULL)
- {
- bio=in_bio;
- }
Deleted: openssl/branches/wheezy/debian/patches/CVE-2015-1791.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2015-1791.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2015-1791.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,222 +0,0 @@
-This is a combination of the following upstream commits:
-98ece4eebfb6cd45cc8d550c6ac0022965071afc
-dcad51bc13c9b716d9a66248bcc4038c071ff158
-708cf593587e2fda67dae9782991ff9fccc781eb
-
-
-Index: openssl-1.0.1k/ssl/s3_clnt.c
-===================================================================
---- openssl-1.0.1k.orig/ssl/s3_clnt.c
-+++ openssl-1.0.1k/ssl/s3_clnt.c
-@@ -2191,6 +2191,38 @@ int ssl3_get_new_session_ticket(SSL *s)
- }
-
- p=d=(unsigned char *)s->init_msg;
-+
-+ if (s->session->session_id_length > 0) {
-+ int i = s->session_ctx->session_cache_mode;
-+ SSL_SESSION *new_sess;
-+ /*
-+ * We reused an existing session, so we need to replace it with a new
-+ * one
-+ */
-+ if (i & SSL_SESS_CACHE_CLIENT) {
-+ /*
-+ * Remove the old session from the cache
-+ */
-+ if (i & SSL_SESS_CACHE_NO_INTERNAL_STORE) {
-+ if (s->session_ctx->remove_session_cb != NULL)
-+ s->session_ctx->remove_session_cb(s->session_ctx,
-+ s->session);
-+ } else {
-+ /* We carry on if this fails */
-+ SSL_CTX_remove_session(s->session_ctx, s->session);
-+ }
-+ }
-+
-+ if ((new_sess = ssl_session_dup(s->session, 0)) == 0) {
-+ al = SSL_AD_INTERNAL_ERROR;
-+ SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
-+ goto f_err;
-+ }
-+
-+ SSL_SESSION_free(s->session);
-+ s->session = new_sess;
-+ }
-+
- n2l(p, s->session->tlsext_tick_lifetime_hint);
- n2s(p, ticklen);
- /* ticket_lifetime_hint + ticket_length + ticket */
-Index: openssl-1.0.1k/ssl/ssl.h
-===================================================================
---- openssl-1.0.1k.orig/ssl/ssl.h
-+++ openssl-1.0.1k/ssl/ssl.h
-@@ -2263,6 +2263,7 @@ void ERR_load_SSL_strings(void);
- #define SSL_F_SSL_READ 223
- #define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187
- #define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188
-+#define SSL_F_SSL_SESSION_DUP 348
- #define SSL_F_SSL_SESSION_NEW 189
- #define SSL_F_SSL_SESSION_PRINT_FP 190
- #define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312
-Index: openssl-1.0.1k/ssl/ssl_err.c
-===================================================================
---- openssl-1.0.1k.orig/ssl/ssl_err.c
-+++ openssl-1.0.1k/ssl/ssl_err.c
-@@ -245,6 +245,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
- {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"},
- {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"},
- {ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"},
-+{ERR_FUNC(SSL_F_SSL_SESSION_DUP), "ssl_session_dup"},
- {ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"},
- {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"},
- {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"},
-Index: openssl-1.0.1k/ssl/ssl_locl.h
-===================================================================
---- openssl-1.0.1k.orig/ssl/ssl_locl.h
-+++ openssl-1.0.1k/ssl/ssl_locl.h
-@@ -831,6 +831,7 @@ void ssl_sess_cert_free(SESS_CERT *sc);
- int ssl_set_peer_cert_type(SESS_CERT *c, int type);
- int ssl_get_new_session(SSL *s, int session);
- int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit);
-+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
- int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b);
- DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER,
- ssl_cipher_id);
-Index: openssl-1.0.1k/ssl/ssl_sess.c
-===================================================================
---- openssl-1.0.1k.orig/ssl/ssl_sess.c
-+++ openssl-1.0.1k/ssl/ssl_sess.c
-@@ -224,6 +224,132 @@ SSL_SESSION *SSL_SESSION_new(void)
- return(ss);
- }
-
-+
-+/*
-+ * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
-+ * ticket == 0 then no ticket information is duplicated, otherwise it is.
-+ */
-+SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
-+{
-+ SSL_SESSION *dest;
-+
-+ dest = OPENSSL_malloc(sizeof(*src));
-+ if (dest == NULL) {
-+ goto err;
-+ }
-+ memcpy(dest, src, sizeof(*dest));
-+
-+ /*
-+ * Set the various pointers to NULL so that we can call SSL_SESSION_free in
-+ * the case of an error whilst halfway through constructing dest
-+ */
-+#ifndef OPENSSL_NO_PSK
-+ dest->psk_identity_hint = NULL;
-+ dest->psk_identity = NULL;
-+#endif
-+ dest->ciphers = NULL;
-+#ifndef OPENSSL_NO_TLSEXT
-+ dest->tlsext_hostname = NULL;
-+# ifndef OPENSSL_NO_EC
-+ dest->tlsext_ecpointformatlist = NULL;
-+ dest->tlsext_ellipticcurvelist = NULL;
-+# endif
-+#endif
-+ dest->tlsext_tick = NULL;
-+#ifndef OPENSSL_NO_SRP
-+ dest->srp_username = NULL;
-+#endif
-+ memset(&dest->ex_data, 0, sizeof(dest->ex_data));
-+
-+ /* We deliberately don't copy the prev and next pointers */
-+ dest->prev = NULL;
-+ dest->next = NULL;
-+
-+ dest->references = 1;
-+
-+ if (src->sess_cert != NULL)
-+ CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT);
-+
-+ if (src->peer != NULL)
-+ CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509);
-+
-+#ifndef OPENSSL_NO_PSK
-+ if (src->psk_identity_hint) {
-+ dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint);
-+ if (dest->psk_identity_hint == NULL) {
-+ goto err;
-+ }
-+ }
-+ if (src->psk_identity) {
-+ dest->psk_identity = BUF_strdup(src->psk_identity);
-+ if (dest->psk_identity == NULL) {
-+ goto err;
-+ }
-+ }
-+#endif
-+
-+ if(src->ciphers != NULL) {
-+ dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers);
-+ if (dest->ciphers == NULL)
-+ goto err;
-+ }
-+
-+ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION,
-+ &dest->ex_data, &src->ex_data)) {
-+ goto err;
-+ }
-+
-+#ifndef OPENSSL_NO_TLSEXT
-+ if (src->tlsext_hostname) {
-+ dest->tlsext_hostname = BUF_strdup(src->tlsext_hostname);
-+ if (dest->tlsext_hostname == NULL) {
-+ goto err;
-+ }
-+ }
-+# ifndef OPENSSL_NO_EC
-+ if (src->tlsext_ecpointformatlist) {
-+ dest->tlsext_ecpointformatlist =
-+ BUF_memdup(src->tlsext_ecpointformatlist,
-+ src->tlsext_ecpointformatlist_length);
-+ if (dest->tlsext_ecpointformatlist == NULL)
-+ goto err;
-+ }
-+ if (src->tlsext_ellipticcurvelist) {
-+ dest->tlsext_ellipticcurvelist =
-+ BUF_memdup(src->tlsext_ellipticcurvelist,
-+ src->tlsext_ellipticcurvelist_length);
-+ if (dest->tlsext_ellipticcurvelist == NULL)
-+ goto err;
-+ }
-+# endif
-+#endif
-+
-+ if (ticket != 0) {
-+ dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen);
-+ if(dest->tlsext_tick == NULL)
-+ goto err;
-+ } else {
-+ dest->tlsext_tick_lifetime_hint = 0;
-+ dest->tlsext_ticklen = 0;
-+ }
-+
-+#ifndef OPENSSL_NO_SRP
-+ if (src->srp_username) {
-+ dest->srp_username = BUF_strdup(src->srp_username);
-+ if (dest->srp_username == NULL) {
-+ goto err;
-+ }
-+ }
-+#endif
-+
-+ return dest;
-+err:
-+ SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE);
-+ SSL_SESSION_free(dest);
-+ return NULL;
-+}
-+
-+
- const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
- {
- if(len)
Deleted: openssl/branches/wheezy/debian/patches/CVE-2015-1792.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2015-1792.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2015-1792.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,28 +0,0 @@
-From dd90a91d8771fd1ad5083fd46a2b3da16a587757 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Fri, 5 Jun 2015 12:11:25 +0100
-Subject: [PATCH] Fix infinite loop in CMS
-
-Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting
-to verify and a digest is not recognised. Reported by Johannes Bauer.
-
-CVE-2015-1792
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
----
- crypto/cms/cms_smime.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: openssl-1.0.1k/crypto/cms/cms_smime.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/cms/cms_smime.c
-+++ openssl-1.0.1k/crypto/cms/cms_smime.c
-@@ -141,7 +141,7 @@ static void do_free_upto(BIO *f, BIO *up
- BIO_free(f);
- f = tbio;
- }
-- while (f != upto);
-+ while (f && f != upto);
- }
- else
- BIO_free_all(f);
Deleted: openssl/branches/wheezy/debian/patches/CVE-2015-3194.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2015-3194.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2015-3194.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,34 +0,0 @@
-From f81aa391f469c695e56f080dcde70e4bba3fd7be Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Fri, 2 Oct 2015 13:10:29 +0100
-Subject: [PATCH 2/2] Add PSS parameter check.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Avoid seg fault by checking mgf1 parameter is not NULL. This can be
-triggered during certificate verification so could be a DoS attack
-against a client or a server enabling client authentication.
-
-Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
-
-CVE-2015-3194
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
----
- crypto/rsa/rsa_ameth.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: openssl-1.0.1k/crypto/rsa/rsa_ameth.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/rsa/rsa_ameth.c
-+++ openssl-1.0.1k/crypto/rsa/rsa_ameth.c
-@@ -287,7 +287,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(co
- {
- ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
- if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
-- && param->type == V_ASN1_SEQUENCE)
-+ && param && param->type == V_ASN1_SEQUENCE)
- {
- p = param->value.sequence->data;
- plen = param->value.sequence->length;
Deleted: openssl/branches/wheezy/debian/patches/CVE-2015-3195.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2015-3195.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2015-3195.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,55 +0,0 @@
-From 7c13530c14867bc09d478b30148884aa16891e15 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Tue, 10 Nov 2015 19:03:07 +0000
-Subject: [PATCH 1/2] Fix leak with ASN.1 combine.
-
-When parsing a combined structure pass a flag to the decode routine
-so on error a pointer to the parent structure is not zeroed as
-this will leak any additional components in the parent.
-
-This can leak memory in any application parsing PKCS#7 or CMS structures.
-
-CVE-2015-3195.
-
-Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
-libFuzzer.
-
-PR#4131
-
-Reviewed-by: Richard Levitte <levitte at openssl.org>
----
- crypto/asn1/tasn_dec.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-Index: openssl-1.0.1k/crypto/asn1/tasn_dec.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/asn1/tasn_dec.c
-+++ openssl-1.0.1k/crypto/asn1/tasn_dec.c
-@@ -169,6 +169,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
- int otag;
- int ret = 0;
- ASN1_VALUE **pchptr, *ptmpval;
-+ int combine = aclass & ASN1_TFLG_COMBINE;
-+ aclass &= ~ASN1_TFLG_COMBINE;
- if (!pval)
- return 0;
- if (aux && aux->asn1_cb)
-@@ -534,7 +536,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
- auxerr:
- ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
- err:
-- ASN1_item_ex_free(pval, it);
-+ if (combine == 0)
-+ ASN1_item_ex_free(pval, it);
- if (errtt)
- ERR_add_error_data(4, "Field=", errtt->field_name,
- ", Type=", it->sname);
-@@ -762,7 +765,7 @@ static int asn1_template_noexp_d2i(ASN1_
- {
- /* Nothing special */
- ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
-- -1, 0, opt, ctx);
-+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
- if (!ret)
- {
- ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
Deleted: openssl/branches/wheezy/debian/patches/CVE-2015-3196.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2015-3196.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2015-3196.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,72 +0,0 @@
-From d6be3124f22870f1888c532523b74ea5d89795eb Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Wed, 1 Jul 2015 23:40:03 +0100
-Subject: [PATCH] Fix PSK handling.
-
-The PSK identity hint should be stored in the SSL_SESSION structure
-and not in the parent context (which will overwrite values used
-by other SSL structures with the same SSL_CTX).
-
-Use BUF_strndup when copying identity as it may not be null terminated.
-
-Reviewed-by: Tim Hudson <tjh at openssl.org>
-(cherry picked from commit 3c66a669dfc7b3792f7af0758ea26fe8502ce70c)
----
- ssl/s3_clnt.c | 17 +++--------------
- ssl/s3_srvr.c | 2 +-
- 2 files changed, 4 insertions(+), 15 deletions(-)
-
-Index: openssl-1.0.1e/ssl/s3_clnt.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_clnt.c
-+++ openssl-1.0.1e/ssl/s3_clnt.c
-@@ -1375,8 +1375,6 @@ int ssl3_get_key_exchange(SSL *s)
- #ifndef OPENSSL_NO_PSK
- if (alg_k & SSL_kPSK)
- {
-- char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
--
- al=SSL_AD_HANDSHAKE_FAILURE;
- n2s(p,i);
- param_len=i+2;
-@@ -1397,16 +1395,8 @@ int ssl3_get_key_exchange(SSL *s)
- SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
- goto f_err;
- }
-- /* If received PSK identity hint contains NULL
-- * characters, the hint is truncated from the first
-- * NULL. p may not be ending with NULL, so create a
-- * NULL-terminated string. */
-- memcpy(tmp_id_hint, p, i);
-- memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
-- if (s->ctx->psk_identity_hint != NULL)
-- OPENSSL_free(s->ctx->psk_identity_hint);
-- s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
-- if (s->ctx->psk_identity_hint == NULL)
-+ s->session->psk_identity_hint = BUF_strndup((char *)p, i);
-+ if (s->session->psk_identity_hint == NULL)
- {
- SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
- goto f_err;
-@@ -2912,7 +2902,7 @@ int ssl3_send_client_key_exchange(SSL *s
- goto err;
- }
-
-- psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
-+ psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
- identity, PSK_MAX_IDENTITY_LEN,
- psk_or_pre_ms, sizeof(psk_or_pre_ms));
- if (psk_len > PSK_MAX_PSK_LEN)
-Index: openssl-1.0.1e/ssl/s3_srvr.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_srvr.c
-+++ openssl-1.0.1e/ssl/s3_srvr.c
-@@ -2742,7 +2742,7 @@ int ssl3_get_client_key_exchange(SSL *s)
-
- if (s->session->psk_identity != NULL)
- OPENSSL_free(s->session->psk_identity);
-- s->session->psk_identity = BUF_strdup((char *)p);
-+ s->session->psk_identity = BUF_strndup((char *)p, i);
- if (s->session->psk_identity == NULL)
- {
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
Deleted: openssl/branches/wheezy/debian/patches/CVE-2015-4000.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2015-4000.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2015-4000.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,91 +0,0 @@
-From 63830384e90d9b36d2793d4891501ec024827433 Mon Sep 17 00:00:00 2001
-From: Emilia Kasper <emilia at openssl.org>
-Date: Tue, 19 May 2015 12:05:22 +0200
-Subject: [PATCH] client: reject handshakes with DH parameters < 768 bits.
-
-Since the client has no way of communicating her supported parameter
-range to the server, connections to servers that choose weak DH will
-simply fail.
-
-Reviewed-by: Kurt Roeckx <kurt at openssl.org>
----
- CHANGES | 3 ++-
- ssl/s3_clnt.c | 22 ++++++++++++++++------
- ssl/ssl.h | 1 +
- ssl/ssl_err.c | 1 +
- 4 files changed, 20 insertions(+), 7 deletions(-)
-
-Index: openssl-1.0.1k/ssl/s3_clnt.c
-===================================================================
---- openssl-1.0.1k.orig/ssl/s3_clnt.c
-+++ openssl-1.0.1k/ssl/s3_clnt.c
-@@ -3425,25 +3425,32 @@ int ssl3_check_cert_and_algorithm(SSL *s
- }
- #endif
- #ifndef OPENSSL_NO_DH
-- if ((alg_k & SSL_kEDH) &&
-- !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL)))
-- {
-- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY);
-- goto f_err;
-- }
-- else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA))
-- {
-- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT);
-- goto f_err;
-- }
-+ if ((alg_k & SSL_kEDH) && dh == NULL) {
-+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR);
-+ goto f_err;
-+ }
-+ if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH | EVP_PKS_RSA)) {
-+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,
-+ SSL_R_MISSING_DH_RSA_CERT);
-+ goto f_err;
-+ }
- #ifndef OPENSSL_NO_DSA
-- else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
-+ if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA))
- {
- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT);
- goto f_err;
- }
- #endif
--#endif
-+ /* Check DHE only: static DH not implemented. */
-+ if (alg_k & SSL_kEDH) {
-+ int dh_size = BN_num_bits(dh->p);
-+ if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768)
-+ || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) {
-+ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL);
-+ goto f_err;
-+ }
-+ }
-+#endif /* !OPENSSL_NO_DH */
-
- if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP))
- {
-Index: openssl-1.0.1k/ssl/ssl.h
-===================================================================
---- openssl-1.0.1k.orig/ssl/ssl.h
-+++ openssl-1.0.1k/ssl/ssl.h
-@@ -2378,6 +2378,7 @@ void ERR_load_SSL_strings(void);
- #define SSL_R_DATA_LENGTH_TOO_LONG 146
- #define SSL_R_DECRYPTION_FAILED 147
- #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281
-+#define SSL_R_DH_KEY_TOO_SMALL 372
- #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148
- #define SSL_R_DIGEST_CHECK_FAILED 149
- #define SSL_R_DTLS_MESSAGE_TOO_BIG 334
-Index: openssl-1.0.1k/ssl/ssl_err.c
-===================================================================
---- openssl-1.0.1k.orig/ssl/ssl_err.c
-+++ openssl-1.0.1k/ssl/ssl_err.c
-@@ -363,6 +363,7 @@ static ERR_STRING_DATA SSL_str_reasons[]
- {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"},
- {ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"},
- {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"},
-+{ERR_REASON(SSL_R_DH_KEY_TOO_SMALL), "dh key too small"},
- {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"},
- {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"},
- {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) ,"dtls message too big"},
Deleted: openssl/branches/wheezy/debian/patches/CVE-2015-7575.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2015-7575.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2015-7575.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,59 +0,0 @@
-From 5e1ff664f95ab4c9176b3e86b5111e5777bad61a Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Tue, 15 Oct 2013 14:15:54 +0100
-Subject: [PATCH] Don't use RSA+MD5 with TLS 1.2
-
-Since the TLS 1.2 supported signature algorithms extension is less
-sophisticaed in OpenSSL 1.0.1 this has to be done in two stages.
-
-RSA+MD5 is removed from supported signature algorithms extension:
-any compliant implementation should never use RSA+MD5 as a result.
-
-To cover the case of a broken implementation using RSA+MD5 anyway
-disable lookup of MD5 algorithm in TLS 1.2.
----
- ssl/t1_lib.c | 16 ----------------
- 1 file changed, 16 deletions(-)
-
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index f93216d..33afdeb 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -342,19 +342,11 @@ static unsigned char tls12_sigalgs[] = {
- #ifndef OPENSSL_NO_SHA
- tlsext_sigalg(TLSEXT_hash_sha1)
- #endif
--#ifndef OPENSSL_NO_MD5
-- tlsext_sigalg_rsa(TLSEXT_hash_md5)
--#endif
- };
-
- int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
- {
- size_t slen = sizeof(tls12_sigalgs);
--#ifdef OPENSSL_FIPS
-- /* If FIPS mode don't include MD5 which is last */
-- if (FIPS_mode())
-- slen -= 2;
--#endif
- if (p)
- memcpy(p, tls12_sigalgs, slen);
- return (int)slen;
-@@ -2452,14 +2444,6 @@ const EVP_MD *tls12_get_hash(unsigned char hash_alg)
- {
- switch(hash_alg)
- {
--#ifndef OPENSSL_NO_MD5
-- case TLSEXT_hash_md5:
--#ifdef OPENSSL_FIPS
-- if (FIPS_mode())
-- return NULL;
--#endif
-- return EVP_md5();
--#endif
- #ifndef OPENSSL_NO_SHA
- case TLSEXT_hash_sha1:
- return EVP_sha1();
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/CVE-2016-0702.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-0702.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-0702.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,1103 +0,0 @@
-Index: openssl-1.0.1e/crypto/bn/asm/x86_64-mont5.pl
-===================================================================
---- openssl-1.0.1e.orig/crypto/bn/asm/x86_64-mont5.pl
-+++ openssl-1.0.1e/crypto/bn/asm/x86_64-mont5.pl
-@@ -66,60 +66,113 @@ bn_mul_mont_gather5:
- .align 16
- .Lmul_enter:
- mov ${num}d,${num}d
-- mov `($win64?56:8)`(%rsp),%r10d # load 7th argument
-+ movd `($win64?56:8)`(%rsp),%xmm5 # load 7th argument
-+ lea .Linc(%rip),%r10
- push %rbx
- push %rbp
- push %r12
- push %r13
- push %r14
- push %r15
--___
--$code.=<<___ if ($win64);
-- lea -0x28(%rsp),%rsp
-- movaps %xmm6,(%rsp)
-- movaps %xmm7,0x10(%rsp)
-+
- .Lmul_alloca:
--___
--$code.=<<___;
- mov %rsp,%rax
- lea 2($num),%r11
- neg %r11
-- lea (%rsp,%r11,8),%rsp # tp=alloca(8*(num+2))
-+ lea -264(%rsp,%r11,8),%rsp # tp=alloca(8*(num+2)+256+8)
- and \$-1024,%rsp # minimize TLB usage
-
- mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp
- .Lmul_body:
-- mov $bp,%r12 # reassign $bp
-+ lea 128($bp),%r12 # reassign $bp (+size optimization)
- ___
- $bp="%r12";
- $STRIDE=2**5*8; # 5 is "window size"
- $N=$STRIDE/4; # should match cache line size
- $code.=<<___;
-- mov %r10,%r11
-- shr \$`log($N/8)/log(2)`,%r10
-- and \$`$N/8-1`,%r11
-- not %r10
-- lea .Lmagic_masks(%rip),%rax
-- and \$`2**5/($N/8)-1`,%r10 # 5 is "window size"
-- lea 96($bp,%r11,8),$bp # pointer within 1st cache line
-- movq 0(%rax,%r10,8),%xmm4 # set of masks denoting which
-- movq 8(%rax,%r10,8),%xmm5 # cache line contains element
-- movq 16(%rax,%r10,8),%xmm6 # denoted by 7th argument
-- movq 24(%rax,%r10,8),%xmm7
--
-- movq `0*$STRIDE/4-96`($bp),%xmm0
-- movq `1*$STRIDE/4-96`($bp),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($bp),%xmm2
-- pand %xmm5,%xmm1
-- movq `3*$STRIDE/4-96`($bp),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
-+ movdqa 0(%r10),%xmm0 # 00000001000000010000000000000000
-+ movdqa 16(%r10),%xmm1 # 00000002000000020000000200000002
-+ lea 24-112(%rsp,$num,8),%r10# place the mask after tp[num+3] (+ICache optimization)
-+ and \$-16,%r10
-+
-+ pshufd \$0,%xmm5,%xmm5 # broadcast index
-+ movdqa %xmm1,%xmm4
-+ movdqa %xmm1,%xmm2
-+___
-+########################################################################
-+# calculate mask by comparing 0..31 to index and save result to stack
-+#
-+$code.=<<___;
-+ paddd %xmm0,%xmm1
-+ pcmpeqd %xmm5,%xmm0 # compare to 1,0
-+ .byte 0x67
-+ movdqa %xmm4,%xmm3
-+___
-+for($k=0;$k<$STRIDE/16-4;$k+=4) {
-+$code.=<<___;
-+ paddd %xmm1,%xmm2
-+ pcmpeqd %xmm5,%xmm1 # compare to 3,2
-+ movdqa %xmm0,`16*($k+0)+112`(%r10)
-+ movdqa %xmm4,%xmm0
-+
-+ paddd %xmm2,%xmm3
-+ pcmpeqd %xmm5,%xmm2 # compare to 5,4
-+ movdqa %xmm1,`16*($k+1)+112`(%r10)
-+ movdqa %xmm4,%xmm1
-+
-+ paddd %xmm3,%xmm0
-+ pcmpeqd %xmm5,%xmm3 # compare to 7,6
-+ movdqa %xmm2,`16*($k+2)+112`(%r10)
-+ movdqa %xmm4,%xmm2
-+
-+ paddd %xmm0,%xmm1
-+ pcmpeqd %xmm5,%xmm0
-+ movdqa %xmm3,`16*($k+3)+112`(%r10)
-+ movdqa %xmm4,%xmm3
-+___
-+}
-+$code.=<<___; # last iteration can be optimized
-+ paddd %xmm1,%xmm2
-+ pcmpeqd %xmm5,%xmm1
-+ movdqa %xmm0,`16*($k+0)+112`(%r10)
-+
-+ paddd %xmm2,%xmm3
-+ .byte 0x67
-+ pcmpeqd %xmm5,%xmm2
-+ movdqa %xmm1,`16*($k+1)+112`(%r10)
-+
-+ pcmpeqd %xmm5,%xmm3
-+ movdqa %xmm2,`16*($k+2)+112`(%r10)
-+ pand `16*($k+0)-128`($bp),%xmm0 # while it's still in register
-+
-+ pand `16*($k+1)-128`($bp),%xmm1
-+ pand `16*($k+2)-128`($bp),%xmm2
-+ movdqa %xmm3,`16*($k+3)+112`(%r10)
-+ pand `16*($k+3)-128`($bp),%xmm3
- por %xmm2,%xmm0
-+ por %xmm3,%xmm1
-+___
-+for($k=0;$k<$STRIDE/16-4;$k+=4) {
-+$code.=<<___;
-+ movdqa `16*($k+0)-128`($bp),%xmm4
-+ movdqa `16*($k+1)-128`($bp),%xmm5
-+ movdqa `16*($k+2)-128`($bp),%xmm2
-+ pand `16*($k+0)+112`(%r10),%xmm4
-+ movdqa `16*($k+3)-128`($bp),%xmm3
-+ pand `16*($k+1)+112`(%r10),%xmm5
-+ por %xmm4,%xmm0
-+ pand `16*($k+2)+112`(%r10),%xmm2
-+ por %xmm5,%xmm1
-+ pand `16*($k+3)+112`(%r10),%xmm3
-+ por %xmm2,%xmm0
-+ por %xmm3,%xmm1
-+___
-+}
-+$code.=<<___;
-+ por %xmm1,%xmm0
-+ pshufd \$0x4e,%xmm0,%xmm1
-+ por %xmm1,%xmm0
- lea $STRIDE($bp),$bp
-- por %xmm3,%xmm0
--
- movq %xmm0,$m0 # m0=bp[0]
-
- mov ($n0),$n0 # pull n0[0] value
-@@ -128,29 +181,14 @@ $code.=<<___;
- xor $i,$i # i=0
- xor $j,$j # j=0
-
-- movq `0*$STRIDE/4-96`($bp),%xmm0
-- movq `1*$STRIDE/4-96`($bp),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($bp),%xmm2
-- pand %xmm5,%xmm1
--
- mov $n0,$m1
- mulq $m0 # ap[0]*bp[0]
- mov %rax,$lo0
- mov ($np),%rax
-
-- movq `3*$STRIDE/4-96`($bp),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
--
- imulq $lo0,$m1 # "tp[0]"*n0
- mov %rdx,$hi0
-
-- por %xmm2,%xmm0
-- lea $STRIDE($bp),$bp
-- por %xmm3,%xmm0
--
- mulq $m1 # np[0]*m1
- add %rax,$lo0 # discarded
- mov 8($ap),%rax
-@@ -183,8 +221,6 @@ $code.=<<___;
- cmp $num,$j
- jne .L1st
-
-- movq %xmm0,$m0 # bp[1]
--
- add %rax,$hi1
- mov ($ap),%rax # ap[0]
- adc \$0,%rdx
-@@ -204,33 +240,46 @@ $code.=<<___;
- jmp .Louter
- .align 16
- .Louter:
-+ lea 24+128(%rsp,$num,8),%rdx # where 256-byte mask is (+size optimization)
-+ and \$-16,%rdx
-+ pxor %xmm4,%xmm4
-+ pxor %xmm5,%xmm5
-+___
-+for($k=0;$k<$STRIDE/16;$k+=4) {
-+$code.=<<___;
-+ movdqa `16*($k+0)-128`($bp),%xmm0
-+ movdqa `16*($k+1)-128`($bp),%xmm1
-+ movdqa `16*($k+2)-128`($bp),%xmm2
-+ movdqa `16*($k+3)-128`($bp),%xmm3
-+ pand `16*($k+0)-128`(%rdx),%xmm0
-+ pand `16*($k+1)-128`(%rdx),%xmm1
-+ por %xmm0,%xmm4
-+ pand `16*($k+2)-128`(%rdx),%xmm2
-+ por %xmm1,%xmm5
-+ pand `16*($k+3)-128`(%rdx),%xmm3
-+ por %xmm2,%xmm4
-+ por %xmm3,%xmm5
-+___
-+}
-+$code.=<<___;
-+ por %xmm5,%xmm4
-+ pshufd \$0x4e,%xmm4,%xmm0
-+ por %xmm4,%xmm0
-+ lea $STRIDE($bp),$bp
-+ movq %xmm0,$m0 # m0=bp[i]
-+
- xor $j,$j # j=0
- mov $n0,$m1
- mov (%rsp),$lo0
-
-- movq `0*$STRIDE/4-96`($bp),%xmm0
-- movq `1*$STRIDE/4-96`($bp),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($bp),%xmm2
-- pand %xmm5,%xmm1
--
- mulq $m0 # ap[0]*bp[i]
- add %rax,$lo0 # ap[0]*bp[i]+tp[0]
- mov ($np),%rax
- adc \$0,%rdx
-
-- movq `3*$STRIDE/4-96`($bp),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
--
- imulq $lo0,$m1 # tp[0]*n0
- mov %rdx,$hi0
-
-- por %xmm2,%xmm0
-- lea $STRIDE($bp),$bp
-- por %xmm3,%xmm0
--
- mulq $m1 # np[0]*m1
- add %rax,$lo0 # discarded
- mov 8($ap),%rax
-@@ -266,8 +315,6 @@ $code.=<<___;
- cmp $num,$j
- jne .Linner
-
-- movq %xmm0,$m0 # bp[i+1]
--
- add %rax,$hi1
- mov ($ap),%rax # ap[0]
- adc \$0,%rdx
-@@ -321,13 +368,7 @@ $code.=<<___;
-
- mov 8(%rsp,$num,8),%rsi # restore %rsp
- mov \$1,%rax
--___
--$code.=<<___ if ($win64);
-- movaps (%rsi),%xmm6
-- movaps 0x10(%rsi),%xmm7
-- lea 0x28(%rsi),%rsi
--___
--$code.=<<___;
-+
- mov (%rsi),%r15
- mov 8(%rsi),%r14
- mov 16(%rsi),%r13
-@@ -348,91 +389,130 @@ $code.=<<___;
- bn_mul4x_mont_gather5:
- .Lmul4x_enter:
- mov ${num}d,${num}d
-- mov `($win64?56:8)`(%rsp),%r10d # load 7th argument
-+ movd `($win64?56:8)`(%rsp),%xmm5 # load 7th argument
-+ lea .Linc(%rip),%r10
- push %rbx
- push %rbp
- push %r12
- push %r13
- push %r14
- push %r15
--___
--$code.=<<___ if ($win64);
-- lea -0x28(%rsp),%rsp
-- movaps %xmm6,(%rsp)
-- movaps %xmm7,0x10(%rsp)
-+
- .Lmul4x_alloca:
--___
--$code.=<<___;
- mov %rsp,%rax
- lea 4($num),%r11
- neg %r11
-- lea (%rsp,%r11,8),%rsp # tp=alloca(8*(num+4))
-+ lea -256(%rsp,%r11,8),%rsp # tp=alloca(8*(num+4)+256)
- and \$-1024,%rsp # minimize TLB usage
-
- mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp
- .Lmul4x_body:
- mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp
-- mov %rdx,%r12 # reassign $bp
-+ lea 128(%rdx),%r12 # reassign $bp (+size optimization)
- ___
- $bp="%r12";
- $STRIDE=2**5*8; # 5 is "window size"
- $N=$STRIDE/4; # should match cache line size
- $code.=<<___;
-- mov %r10,%r11
-- shr \$`log($N/8)/log(2)`,%r10
-- and \$`$N/8-1`,%r11
-- not %r10
-- lea .Lmagic_masks(%rip),%rax
-- and \$`2**5/($N/8)-1`,%r10 # 5 is "window size"
-- lea 96($bp,%r11,8),$bp # pointer within 1st cache line
-- movq 0(%rax,%r10,8),%xmm4 # set of masks denoting which
-- movq 8(%rax,%r10,8),%xmm5 # cache line contains element
-- movq 16(%rax,%r10,8),%xmm6 # denoted by 7th argument
-- movq 24(%rax,%r10,8),%xmm7
--
-- movq `0*$STRIDE/4-96`($bp),%xmm0
-- movq `1*$STRIDE/4-96`($bp),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($bp),%xmm2
-- pand %xmm5,%xmm1
-- movq `3*$STRIDE/4-96`($bp),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
-+ movdqa 0(%r10),%xmm0 # 00000001000000010000000000000000
-+ movdqa 16(%r10),%xmm1 # 00000002000000020000000200000002
-+ lea 32-112(%rsp,$num,8),%r10# place the mask after tp[num+4] (+ICache optimization)
-+
-+ pshufd \$0,%xmm5,%xmm5 # broadcast index
-+ movdqa %xmm1,%xmm4
-+ .byte 0x67,0x67
-+ movdqa %xmm1,%xmm2
-+___
-+########################################################################
-+# calculate mask by comparing 0..31 to index and save result to stack
-+#
-+$code.=<<___;
-+ paddd %xmm0,%xmm1
-+ pcmpeqd %xmm5,%xmm0 # compare to 1,0
-+ .byte 0x67
-+ movdqa %xmm4,%xmm3
-+___
-+for($k=0;$k<$STRIDE/16-4;$k+=4) {
-+$code.=<<___;
-+ paddd %xmm1,%xmm2
-+ pcmpeqd %xmm5,%xmm1 # compare to 3,2
-+ movdqa %xmm0,`16*($k+0)+112`(%r10)
-+ movdqa %xmm4,%xmm0
-+
-+ paddd %xmm2,%xmm3
-+ pcmpeqd %xmm5,%xmm2 # compare to 5,4
-+ movdqa %xmm1,`16*($k+1)+112`(%r10)
-+ movdqa %xmm4,%xmm1
-+
-+ paddd %xmm3,%xmm0
-+ pcmpeqd %xmm5,%xmm3 # compare to 7,6
-+ movdqa %xmm2,`16*($k+2)+112`(%r10)
-+ movdqa %xmm4,%xmm2
-+
-+ paddd %xmm0,%xmm1
-+ pcmpeqd %xmm5,%xmm0
-+ movdqa %xmm3,`16*($k+3)+112`(%r10)
-+ movdqa %xmm4,%xmm3
-+___
-+}
-+$code.=<<___; # last iteration can be optimized
-+ paddd %xmm1,%xmm2
-+ pcmpeqd %xmm5,%xmm1
-+ movdqa %xmm0,`16*($k+0)+112`(%r10)
-+
-+ paddd %xmm2,%xmm3
-+ .byte 0x67
-+ pcmpeqd %xmm5,%xmm2
-+ movdqa %xmm1,`16*($k+1)+112`(%r10)
-+
-+ pcmpeqd %xmm5,%xmm3
-+ movdqa %xmm2,`16*($k+2)+112`(%r10)
-+ pand `16*($k+0)-128`($bp),%xmm0 # while it's still in register
-+
-+ pand `16*($k+1)-128`($bp),%xmm1
-+ pand `16*($k+2)-128`($bp),%xmm2
-+ movdqa %xmm3,`16*($k+3)+112`(%r10)
-+ pand `16*($k+3)-128`($bp),%xmm3
-+ por %xmm2,%xmm0
-+ por %xmm3,%xmm1
-+___
-+for($k=0;$k<$STRIDE/16-4;$k+=4) {
-+$code.=<<___;
-+ movdqa `16*($k+0)-128`($bp),%xmm4
-+ movdqa `16*($k+1)-128`($bp),%xmm5
-+ movdqa `16*($k+2)-128`($bp),%xmm2
-+ pand `16*($k+0)+112`(%r10),%xmm4
-+ movdqa `16*($k+3)-128`($bp),%xmm3
-+ pand `16*($k+1)+112`(%r10),%xmm5
-+ por %xmm4,%xmm0
-+ pand `16*($k+2)+112`(%r10),%xmm2
-+ por %xmm5,%xmm1
-+ pand `16*($k+3)+112`(%r10),%xmm3
- por %xmm2,%xmm0
-+ por %xmm3,%xmm1
-+___
-+}
-+$code.=<<___;
-+ por %xmm1,%xmm0
-+ pshufd \$0x4e,%xmm0,%xmm1
-+ por %xmm1,%xmm0
- lea $STRIDE($bp),$bp
-- por %xmm3,%xmm0
--
- movq %xmm0,$m0 # m0=bp[0]
-+
- mov ($n0),$n0 # pull n0[0] value
- mov ($ap),%rax
-
- xor $i,$i # i=0
- xor $j,$j # j=0
-
-- movq `0*$STRIDE/4-96`($bp),%xmm0
-- movq `1*$STRIDE/4-96`($bp),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($bp),%xmm2
-- pand %xmm5,%xmm1
--
- mov $n0,$m1
- mulq $m0 # ap[0]*bp[0]
- mov %rax,$A[0]
- mov ($np),%rax
-
-- movq `3*$STRIDE/4-96`($bp),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
--
- imulq $A[0],$m1 # "tp[0]"*n0
- mov %rdx,$A[1]
-
-- por %xmm2,%xmm0
-- lea $STRIDE($bp),$bp
-- por %xmm3,%xmm0
--
- mulq $m1 # np[0]*m1
- add %rax,$A[0] # discarded
- mov 8($ap),%rax
-@@ -550,8 +630,6 @@ $code.=<<___;
- mov $N[1],-16(%rsp,$j,8) # tp[j-1]
- mov %rdx,$N[0]
-
-- movq %xmm0,$m0 # bp[1]
--
- xor $N[1],$N[1]
- add $A[0],$N[0]
- adc \$0,$N[1]
-@@ -561,12 +639,34 @@ $code.=<<___;
- lea 1($i),$i # i++
- .align 4
- .Louter4x:
-+ lea 32+128(%rsp,$num,8),%rdx # where 256-byte mask is (+size optimization)
-+ pxor %xmm4,%xmm4
-+ pxor %xmm5,%xmm5
-+___
-+for($k=0;$k<$STRIDE/16;$k+=4) {
-+$code.=<<___;
-+ movdqa `16*($k+0)-128`($bp),%xmm0
-+ movdqa `16*($k+1)-128`($bp),%xmm1
-+ movdqa `16*($k+2)-128`($bp),%xmm2
-+ movdqa `16*($k+3)-128`($bp),%xmm3
-+ pand `16*($k+0)-128`(%rdx),%xmm0
-+ pand `16*($k+1)-128`(%rdx),%xmm1
-+ por %xmm0,%xmm4
-+ pand `16*($k+2)-128`(%rdx),%xmm2
-+ por %xmm1,%xmm5
-+ pand `16*($k+3)-128`(%rdx),%xmm3
-+ por %xmm2,%xmm4
-+ por %xmm3,%xmm5
-+___
-+}
-+$code.=<<___;
-+ por %xmm5,%xmm4
-+ pshufd \$0x4e,%xmm4,%xmm0
-+ por %xmm4,%xmm0
-+ lea $STRIDE($bp),$bp
-+ movq %xmm0,$m0 # m0=bp[i]
-+
- xor $j,$j # j=0
-- movq `0*$STRIDE/4-96`($bp),%xmm0
-- movq `1*$STRIDE/4-96`($bp),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($bp),%xmm2
-- pand %xmm5,%xmm1
-
- mov (%rsp),$A[0]
- mov $n0,$m1
-@@ -575,18 +675,9 @@ $code.=<<___;
- mov ($np),%rax
- adc \$0,%rdx
-
-- movq `3*$STRIDE/4-96`($bp),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
--
- imulq $A[0],$m1 # tp[0]*n0
- mov %rdx,$A[1]
-
-- por %xmm2,%xmm0
-- lea $STRIDE($bp),$bp
-- por %xmm3,%xmm0
--
- mulq $m1 # np[0]*m1
- add %rax,$A[0] # "$N[0]", discarded
- mov 8($ap),%rax
-@@ -718,7 +809,6 @@ $code.=<<___;
- mov $N[0],-24(%rsp,$j,8) # tp[j-1]
- mov %rdx,$N[0]
-
-- movq %xmm0,$m0 # bp[i+1]
- mov $N[1],-16(%rsp,$j,8) # tp[j-1]
-
- xor $N[1],$N[1]
-@@ -809,13 +899,7 @@ ___
- $code.=<<___;
- mov 8(%rsp,$num,8),%rsi # restore %rsp
- mov \$1,%rax
--___
--$code.=<<___ if ($win64);
-- movaps (%rsi),%xmm6
-- movaps 0x10(%rsi),%xmm7
-- lea 0x28(%rsi),%rsi
--___
--$code.=<<___;
-+
- mov (%rsi),%r15
- mov 8(%rsi),%r14
- mov 16(%rsi),%r13
-@@ -830,8 +914,8 @@ ___
- }}}
-
- {
--my ($inp,$num,$tbl,$idx)=$win64?("%rcx","%rdx","%r8", "%r9") : # Win64 order
-- ("%rdi","%rsi","%rdx","%rcx"); # Unix order
-+my ($inp,$num,$tbl,$idx)=$win64?("%rcx","%rdx","%r8", "%r9d") : # Win64 order
-+ ("%rdi","%rsi","%rdx","%ecx"); # Unix order
- my $out=$inp;
- my $STRIDE=2**5*8;
- my $N=$STRIDE/4;
-@@ -859,53 +943,89 @@ bn_scatter5:
- .type bn_gather5,\@abi-omnipotent
- .align 16
- bn_gather5:
--___
--$code.=<<___ if ($win64);
--.LSEH_begin_bn_gather5:
-+.LSEH_begin_bn_gather5: # Win64 thing, but harmless in other cases
- # I can't trust assembler to use specific encoding:-(
-- .byte 0x48,0x83,0xec,0x28 #sub \$0x28,%rsp
-- .byte 0x0f,0x29,0x34,0x24 #movaps %xmm6,(%rsp)
-- .byte 0x0f,0x29,0x7c,0x24,0x10 #movdqa %xmm7,0x10(%rsp)
--___
--$code.=<<___;
-- mov $idx,%r11
-- shr \$`log($N/8)/log(2)`,$idx
-- and \$`$N/8-1`,%r11
-- not $idx
-- lea .Lmagic_masks(%rip),%rax
-- and \$`2**5/($N/8)-1`,$idx # 5 is "window size"
-- lea 96($tbl,%r11,8),$tbl # pointer within 1st cache line
-- movq 0(%rax,$idx,8),%xmm4 # set of masks denoting which
-- movq 8(%rax,$idx,8),%xmm5 # cache line contains element
-- movq 16(%rax,$idx,8),%xmm6 # denoted by 7th argument
-- movq 24(%rax,$idx,8),%xmm7
-+ .byte 0x4c,0x8d,0x14,0x24 # lea (%rsp),%r10
-+ .byte 0x48,0x81,0xec,0x08,0x01,0x00,0x00 # sub $0x108,%rsp
-+ lea .Linc(%rip),%rax
-+ and \$-16,%rsp # shouldn't be formally required
-+
-+ movd $idx,%xmm5
-+ movdqa 0(%rax),%xmm0 # 00000001000000010000000000000000
-+ movdqa 16(%rax),%xmm1 # 00000002000000020000000200000002
-+ lea 128($tbl),%r11 # size optimization
-+ lea 128(%rsp),%rax # size optimization
-+
-+ pshufd \$0,%xmm5,%xmm5 # broadcast $idx
-+ movdqa %xmm1,%xmm4
-+ movdqa %xmm1,%xmm2
-+___
-+########################################################################
-+# calculate mask by comparing 0..31 to $idx and save result to stack
-+#
-+for($i=0;$i<$STRIDE/16;$i+=4) {
-+$code.=<<___;
-+ paddd %xmm0,%xmm1
-+ pcmpeqd %xmm5,%xmm0 # compare to 1,0
-+___
-+$code.=<<___ if ($i);
-+ movdqa %xmm3,`16*($i-1)-128`(%rax)
-+___
-+$code.=<<___;
-+ movdqa %xmm4,%xmm3
-+
-+ paddd %xmm1,%xmm2
-+ pcmpeqd %xmm5,%xmm1 # compare to 3,2
-+ movdqa %xmm0,`16*($i+0)-128`(%rax)
-+ movdqa %xmm4,%xmm0
-+
-+ paddd %xmm2,%xmm3
-+ pcmpeqd %xmm5,%xmm2 # compare to 5,4
-+ movdqa %xmm1,`16*($i+1)-128`(%rax)
-+ movdqa %xmm4,%xmm1
-+
-+ paddd %xmm3,%xmm0
-+ pcmpeqd %xmm5,%xmm3 # compare to 7,6
-+ movdqa %xmm2,`16*($i+2)-128`(%rax)
-+ movdqa %xmm4,%xmm2
-+___
-+}
-+$code.=<<___;
-+ movdqa %xmm3,`16*($i-1)-128`(%rax)
- jmp .Lgather
--.align 16
--.Lgather:
-- movq `0*$STRIDE/4-96`($tbl),%xmm0
-- movq `1*$STRIDE/4-96`($tbl),%xmm1
-- pand %xmm4,%xmm0
-- movq `2*$STRIDE/4-96`($tbl),%xmm2
-- pand %xmm5,%xmm1
-- movq `3*$STRIDE/4-96`($tbl),%xmm3
-- pand %xmm6,%xmm2
-- por %xmm1,%xmm0
-- pand %xmm7,%xmm3
-- por %xmm2,%xmm0
-- lea $STRIDE($tbl),$tbl
-- por %xmm3,%xmm0
-
-+.align 32
-+.Lgather:
-+ pxor %xmm4,%xmm4
-+ pxor %xmm5,%xmm5
-+___
-+for($i=0;$i<$STRIDE/16;$i+=4) {
-+$code.=<<___;
-+ movdqa `16*($i+0)-128`(%r11),%xmm0
-+ movdqa `16*($i+1)-128`(%r11),%xmm1
-+ movdqa `16*($i+2)-128`(%r11),%xmm2
-+ pand `16*($i+0)-128`(%rax),%xmm0
-+ movdqa `16*($i+3)-128`(%r11),%xmm3
-+ pand `16*($i+1)-128`(%rax),%xmm1
-+ por %xmm0,%xmm4
-+ pand `16*($i+2)-128`(%rax),%xmm2
-+ por %xmm1,%xmm5
-+ pand `16*($i+3)-128`(%rax),%xmm3
-+ por %xmm2,%xmm4
-+ por %xmm3,%xmm5
-+___
-+}
-+$code.=<<___;
-+ por %xmm5,%xmm4
-+ lea $STRIDE(%r11),%r11
-+ pshufd \$0x4e,%xmm4,%xmm0
-+ por %xmm4,%xmm0
- movq %xmm0,($out) # m0=bp[0]
- lea 8($out),$out
- sub \$1,$num
- jnz .Lgather
--___
--$code.=<<___ if ($win64);
-- movaps %xmm6,(%rsp)
-- movaps %xmm7,0x10(%rsp)
-- lea 0x28(%rsp),%rsp
--___
--$code.=<<___;
-+
-+ lea (%r10),%rsp
- ret
- .LSEH_end_bn_gather5:
- .size bn_gather5,.-bn_gather5
-@@ -913,9 +1033,9 @@ ___
- }
- $code.=<<___;
- .align 64
--.Lmagic_masks:
-- .long 0,0, 0,0, 0,0, -1,-1
-- .long 0,0, 0,0, 0,0, 0,0
-+.Linc:
-+ .long 0,0, 1,1
-+ .long 2,2, 2,2
- .asciz "Montgomery Multiplication with scatter/gather for x86_64, CRYPTOGAMS by <appro\@openssl.org>"
- ___
-
-@@ -954,7 +1074,7 @@ mul_handler:
- cmp %r10,%rbx # context->Rip<end of prologue label
- jb .Lcommon_seh_tail
-
-- lea `40+48`(%rax),%rax
-+ lea 48(%rax),%rax
-
- mov 4(%r11),%r10d # HandlerData[1]
- lea (%rsi,%r10),%r10 # end of alloca label
-@@ -971,9 +1091,7 @@ mul_handler:
- mov 192($context),%r10 # pull $num
- mov 8(%rax,%r10,8),%rax # pull saved stack pointer
-
-- movaps (%rax),%xmm0
-- movaps 16(%rax),%xmm1
-- lea `40+48`(%rax),%rax
-+ lea 48(%rax),%rax
-
- mov -8(%rax),%rbx
- mov -16(%rax),%rbp
-@@ -987,8 +1105,6 @@ mul_handler:
- mov %r13,224($context) # restore context->R13
- mov %r14,232($context) # restore context->R14
- mov %r15,240($context) # restore context->R15
-- movups %xmm0,512($context) # restore context->Xmm6
-- movups %xmm1,528($context) # restore context->Xmm7
-
- .Lcommon_seh_tail:
- mov 8(%rax),%rdi
-@@ -1057,10 +1173,9 @@ mul_handler:
- .rva .Lmul4x_alloca,.Lmul4x_body,.Lmul4x_epilogue # HandlerData[]
- .align 8
- .LSEH_info_bn_gather5:
-- .byte 0x01,0x0d,0x05,0x00
-- .byte 0x0d,0x78,0x01,0x00 #movaps 0x10(rsp),xmm7
-- .byte 0x08,0x68,0x00,0x00 #movaps (rsp),xmm6
-- .byte 0x04,0x42,0x00,0x00 #sub rsp,0x28
-+ .byte 0x01,0x0b,0x03,0x0a
-+ .byte 0x0b,0x01,0x21,0x00 # sub rsp,0x108
-+ .byte 0x04,0xa3,0x00,0x00 # lea r10,(rsp), set_frame r10
- .align 8
- ___
- }
-Index: openssl-1.0.1e/crypto/bn/bn_exp.c
-===================================================================
---- openssl-1.0.1e.orig/crypto/bn/bn_exp.c
-+++ openssl-1.0.1e/crypto/bn/bn_exp.c
-@@ -111,6 +111,7 @@
-
-
- #include "cryptlib.h"
-+#include "constant_time_locl.h"
- #include "bn_lcl.h"
-
- #include <stdlib.h>
-@@ -534,31 +535,67 @@ err:
- * as cache lines are concerned. The following functions are used to transfer a BIGNUM
- * from/to that table. */
-
--static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top, unsigned char *buf, int idx, int width)
-+static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top, unsigned char *buf, int idx, int window)
- {
-- size_t i, j;
-+ int i, j;
-+ int width = 1 << window;
-+ BN_ULONG *table = (BN_ULONG *)buf;
-
- if (top > b->top)
- top = b->top; /* this works because 'buf' is explicitly zeroed */
-- for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
-- {
-- buf[j] = ((unsigned char*)b->d)[i];
-- }
-+ for (i = 0, j = idx; i < top; i++, j += width) {
-+ table[j] = b->d[i];
-+ }
-
- return 1;
- }
-
--static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width)
-+static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int window)
- {
-- size_t i, j;
-+ int i, j;
-+ int width = 1 << window;
-+ volatile BN_ULONG *table = (volatile BN_ULONG *)buf;
-
- if (bn_wexpand(b, top) == NULL)
- return 0;
-
-- for (i=0, j=idx; i < top * sizeof b->d[0]; i++, j+=width)
-- {
-- ((unsigned char*)b->d)[i] = buf[j];
-- }
-+ if (window <= 3) {
-+ for (i = 0; i < top; i++, table += width) {
-+ BN_ULONG acc = 0;
-+
-+ for (j = 0; j < width; j++) {
-+ acc |= table[j] &
-+ ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
-+ }
-+
-+ b->d[i] = acc;
-+ }
-+ } else {
-+ int xstride = 1 << (window - 2);
-+ BN_ULONG y0, y1, y2, y3;
-+
-+ i = idx >> (window - 2); /* equivalent of idx / xstride */
-+ idx &= xstride - 1; /* equivalent of idx % xstride */
-+
-+ y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1);
-+ y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1);
-+ y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1);
-+ y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1);
-+
-+ for (i = 0; i < top; i++, table += width) {
-+ BN_ULONG acc = 0;
-+
-+ for (j = 0; j < xstride; j++) {
-+ acc |= ( (table[j + 0 * xstride] & y0) |
-+ (table[j + 1 * xstride] & y1) |
-+ (table[j + 2 * xstride] & y2) |
-+ (table[j + 3 * xstride] & y3) )
-+ & ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1));
-+ }
-+
-+ b->d[i] = acc;
-+ }
-+ }
-
- b->top = top;
- bn_correct_top(b);
-@@ -767,8 +804,8 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
- else
- #endif
- {
-- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, numPowers)) goto err;
-- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, numPowers)) goto err;
-+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, window)) goto err;
-+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, window)) goto err;
-
- /* If the window size is greater than 1, then calculate
- * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
-@@ -778,20 +815,20 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
- if (window > 1)
- {
- if (!BN_mod_mul_montgomery(&tmp,&am,&am,mont,ctx)) goto err;
-- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2, numPowers)) goto err;
-+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2, window)) goto err;
- for (i=3; i<numPowers; i++)
- {
- /* Calculate a^i = a^(i-1) * a */
- if (!BN_mod_mul_montgomery(&tmp,&am,&tmp,mont,ctx))
- goto err;
-- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i, numPowers)) goto err;
-+ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, i, window)) goto err;
- }
- }
-
- bits--;
- for (wvalue=0, i=bits%window; i>=0; i--,bits--)
- wvalue = (wvalue<<1)+BN_is_bit_set(p,bits);
-- if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp,top,powerbuf,wvalue,numPowers)) goto err;
-+ if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp,top,powerbuf,wvalue,window)) goto err;
-
- /* Scan the exponent one window at a time starting from the most
- * significant bits.
-@@ -808,7 +845,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr
- }
-
- /* Fetch the appropriate pre-computed value from the pre-buf */
-- if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am, top, powerbuf, wvalue, numPowers)) goto err;
-+ if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am, top, powerbuf, wvalue, window)) goto err;
-
- /* Multiply the result into the intermediate result */
- if (!BN_mod_mul_montgomery(&tmp,&tmp,&am,mont,ctx)) goto err;
-Index: openssl-1.0.1e/crypto/perlasm/x86_64-xlate.pl
-===================================================================
---- openssl-1.0.1e.orig/crypto/perlasm/x86_64-xlate.pl
-+++ openssl-1.0.1e/crypto/perlasm/x86_64-xlate.pl
-@@ -121,7 +121,7 @@ my %globals;
- $self->{sz} = "";
- } elsif ($self->{op} =~ /^v/) { # VEX
- $self->{sz} = "";
-- } elsif ($self->{op} =~ /movq/ && $line =~ /%xmm/) {
-+ } elsif ($self->{op} =~ /mov[dq]/ && $line =~ /%xmm/) {
- $self->{sz} = "";
- } elsif ($self->{op} =~ /([a-z]{3,})([qlwb])$/) {
- $self->{op} = $1;
-Index: openssl-1.0.1e/crypto/constant_time_locl.h
-===================================================================
---- /dev/null
-+++ openssl-1.0.1e/crypto/constant_time_locl.h
-@@ -0,0 +1,206 @@
-+/* crypto/constant_time_locl.h */
-+/*
-+ * Utilities for constant-time cryptography.
-+ *
-+ * Author: Emilia Kasper (emilia at openssl.org)
-+ * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley
-+ * (Google).
-+ * ====================================================================
-+ * Copyright (c) 2014 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in the
-+ * documentation and/or other materials provided with the distribution.
-+ * 3. All advertising materials mentioning features or use of this software
-+ * must display the following acknowledgement:
-+ * "This product includes cryptographic software written by
-+ * Eric Young (eay at cryptsoft.com)"
-+ * The word 'cryptographic' can be left out if the rouines from the library
-+ * being used are not cryptographic related :-).
-+ * 4. If you include any Windows specific code (or a derivative thereof) from
-+ * the apps directory (application code) you must include an acknowledgement:
-+ * "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
-+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-+ * SUCH DAMAGE.
-+ *
-+ * The licence and distribution terms for any publically available version or
-+ * derivative of this code cannot be changed. i.e. this code cannot simply be
-+ * copied and put under another distribution licence
-+ * [including the GNU Public Licence.]
-+ */
-+
-+#ifndef HEADER_CONSTANT_TIME_LOCL_H
-+#define HEADER_CONSTANT_TIME_LOCL_H
-+
-+#include "e_os.h" /* For 'inline' */
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+/*
-+ * The boolean methods return a bitmask of all ones (0xff...f) for true
-+ * and 0 for false. This is useful for choosing a value based on the result
-+ * of a conditional in constant time. For example,
-+ *
-+ * if (a < b) {
-+ * c = a;
-+ * } else {
-+ * c = b;
-+ * }
-+ *
-+ * can be written as
-+ *
-+ * unsigned int lt = constant_time_lt(a, b);
-+ * c = constant_time_select(lt, a, b);
-+ */
-+
-+/*
-+ * Returns the given value with the MSB copied to all the other
-+ * bits. Uses the fact that arithmetic shift shifts-in the sign bit.
-+ * However, this is not ensured by the C standard so you may need to
-+ * replace this with something else on odd CPUs.
-+ */
-+static inline unsigned int constant_time_msb(unsigned int a);
-+
-+/*
-+ * Returns 0xff..f if a < b and 0 otherwise.
-+ */
-+static inline unsigned int constant_time_lt(unsigned int a, unsigned int b);
-+/* Convenience method for getting an 8-bit mask. */
-+static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b);
-+
-+/*
-+ * Returns 0xff..f if a >= b and 0 otherwise.
-+ */
-+static inline unsigned int constant_time_ge(unsigned int a, unsigned int b);
-+/* Convenience method for getting an 8-bit mask. */
-+static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b);
-+
-+/*
-+ * Returns 0xff..f if a == 0 and 0 otherwise.
-+ */
-+static inline unsigned int constant_time_is_zero(unsigned int a);
-+/* Convenience method for getting an 8-bit mask. */
-+static inline unsigned char constant_time_is_zero_8(unsigned int a);
-+
-+
-+/*
-+ * Returns 0xff..f if a == b and 0 otherwise.
-+ */
-+static inline unsigned int constant_time_eq(unsigned int a, unsigned int b);
-+/* Convenience method for getting an 8-bit mask. */
-+static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b);
-+/* Signed integers. */
-+static inline unsigned int constant_time_eq_int(int a, int b);
-+/* Convenience method for getting an 8-bit mask. */
-+static inline unsigned char constant_time_eq_int_8(int a, int b);
-+
-+
-+/*
-+ * Returns (mask & a) | (~mask & b).
-+ *
-+ * When |mask| is all 1s or all 0s (as returned by the methods above),
-+ * the select methods return either |a| (if |mask| is nonzero) or |b|
-+ * (if |mask| is zero).
-+ */
-+static inline unsigned int constant_time_select(unsigned int mask,
-+ unsigned int a, unsigned int b);
-+/* Convenience method for unsigned chars. */
-+static inline unsigned char constant_time_select_8(unsigned char mask,
-+ unsigned char a, unsigned char b);
-+/* Convenience method for signed integers. */
-+static inline int constant_time_select_int(unsigned int mask, int a, int b);
-+
-+static inline unsigned int constant_time_msb(unsigned int a)
-+ {
-+ return 0-(a >> (sizeof(a) * 8 - 1));
-+ }
-+
-+static inline unsigned int constant_time_lt(unsigned int a, unsigned int b)
-+ {
-+ return constant_time_msb(a^((a^b)|((a-b)^b)));
-+ }
-+
-+static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b)
-+ {
-+ return (unsigned char)(constant_time_lt(a, b));
-+ }
-+
-+static inline unsigned int constant_time_ge(unsigned int a, unsigned int b)
-+ {
-+ return ~constant_time_lt(a, b);
-+ }
-+
-+static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b)
-+ {
-+ return (unsigned char)(constant_time_ge(a, b));
-+ }
-+
-+static inline unsigned int constant_time_is_zero(unsigned int a)
-+ {
-+ return constant_time_msb(~a & (a - 1));
-+ }
-+
-+static inline unsigned char constant_time_is_zero_8(unsigned int a)
-+ {
-+ return (unsigned char)(constant_time_is_zero(a));
-+ }
-+
-+static inline unsigned int constant_time_eq(unsigned int a, unsigned int b)
-+ {
-+ return constant_time_is_zero(a ^ b);
-+ }
-+
-+static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b)
-+ {
-+ return (unsigned char)(constant_time_eq(a, b));
-+ }
-+
-+static inline unsigned int constant_time_eq_int(int a, int b)
-+ {
-+ return constant_time_eq((unsigned)(a), (unsigned)(b));
-+ }
-+
-+static inline unsigned char constant_time_eq_int_8(int a, int b)
-+ {
-+ return constant_time_eq_8((unsigned)(a), (unsigned)(b));
-+ }
-+
-+static inline unsigned int constant_time_select(unsigned int mask,
-+ unsigned int a, unsigned int b)
-+ {
-+ return (mask & a) | (~mask & b);
-+ }
-+
-+static inline unsigned char constant_time_select_8(unsigned char mask,
-+ unsigned char a, unsigned char b)
-+ {
-+ return (unsigned char)(constant_time_select(mask, a, b));
-+ }
-+
-+static inline int constant_time_select_int(unsigned int mask, int a, int b)
-+ {
-+ return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b)));
-+ }
-+
-+#ifdef __cplusplus
-+}
-+#endif
-+
-+#endif /* HEADER_CONSTANT_TIME_LOCL_H */
Deleted: openssl/branches/wheezy/debian/patches/CVE-2016-0705.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-0705.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-0705.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,66 +0,0 @@
-From 6c88c71b4e4825c7bc0489306d062d017634eb88 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Thu, 18 Feb 2016 12:47:23 +0000
-Subject: [PATCH] Fix double free in DSA private key parsing.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fix double free bug when parsing malformed DSA private keys.
-
-Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
-libFuzzer.
-
-CVE-2016-0705
-
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- crypto/dsa/dsa_ameth.c | 20 ++++++++++----------
- 1 file changed, 10 insertions(+), 10 deletions(-)
-
-Index: openssl-1.0.1k/crypto/dsa/dsa_ameth.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/dsa/dsa_ameth.c
-+++ openssl-1.0.1k/crypto/dsa/dsa_ameth.c
-@@ -201,6 +201,8 @@ static int dsa_priv_decode(EVP_PKEY *pke
- STACK_OF(ASN1_TYPE) *ndsa = NULL;
- DSA *dsa = NULL;
-
-+ int ret = 0;
-+
- if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
- return 0;
- X509_ALGOR_get0(NULL, &ptype, &pval, palg);
-@@ -281,23 +283,21 @@ static int dsa_priv_decode(EVP_PKEY *pke
- }
-
- EVP_PKEY_assign_DSA(pkey, dsa);
-- BN_CTX_free (ctx);
-- if(ndsa)
-- sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
-- else
-- ASN1_INTEGER_free(privkey);
-
-- return 1;
-+ ret = 1;
-+ goto done;
-
- decerr:
- DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
- dsaerr:
-- BN_CTX_free (ctx);
-- if (privkey)
-- ASN1_INTEGER_free(privkey);
-- sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
- DSA_free(dsa);
-- return 0;
-+ done:
-+ BN_CTX_free (ctx);
-+ if (ndsa)
-+ sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
-+ else
-+ ASN1_INTEGER_free(privkey);
-+ return ret;
- }
-
- static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
Deleted: openssl/branches/wheezy/debian/patches/CVE-2016-0797.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-0797.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-0797.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,98 +0,0 @@
-From 8f8d7d2796ca710184453ba4a300ad7d54d7f1a1 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Mon, 22 Feb 2016 10:27:18 +0000
-Subject: [PATCH] Fix BN_hex2bn/BN_dec2bn NULL ptr/heap corruption
-
----
- crypto/bn/bn.h | 14 ++++++++++++--
- crypto/bn/bn_print.c | 13 +++++++++----
- 2 files changed, 21 insertions(+), 6 deletions(-)
-
-Index: openssl-1.0.1k/crypto/bn/bn.h
-===================================================================
---- openssl-1.0.1k.orig/crypto/bn/bn.h
-+++ openssl-1.0.1k/crypto/bn/bn.h
-@@ -125,6 +125,7 @@
- #ifndef HEADER_BN_H
- #define HEADER_BN_H
-
-+#include <limits.h>
- #include <openssl/e_os2.h>
- #ifndef OPENSSL_NO_FP_API
- #include <stdio.h> /* FILE */
-@@ -696,8 +697,17 @@ const BIGNUM *BN_get0_nist_prime_521(voi
-
- /* library internal functions */
-
--#define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
-- (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
-+# define bn_expand(a,bits) \
-+ ( \
-+ bits > (INT_MAX - BN_BITS2 + 1) ? \
-+ NULL \
-+ : \
-+ (((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax) ? \
-+ (a) \
-+ : \
-+ bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2) \
-+ )
-+
- #define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
- BIGNUM *bn_expand2(BIGNUM *a, int words);
- #ifndef OPENSSL_NO_DEPRECATED
-Index: openssl-1.0.1k/crypto/bn/bn_print.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/bn/bn_print.c
-+++ openssl-1.0.1k/crypto/bn/bn_print.c
-@@ -58,6 +58,7 @@
-
- #include <stdio.h>
- #include <ctype.h>
-+#include <limits.h>
- #include "cryptlib.h"
- #include <openssl/buffer.h>
- #include "bn_lcl.h"
-@@ -180,8 +181,10 @@ int BN_hex2bn(BIGNUM **bn, const char *a
-
- if (*a == '-') { neg=1; a++; }
-
-- for (i=0; isxdigit((unsigned char) a[i]); i++)
-- ;
-+ for (i = 0; i <= (INT_MAX/4) && isxdigit((unsigned char)a[i]); i++)
-+ ;
-+ if (i > INT_MAX/4)
-+ goto err;
-
- num=i+neg;
- if (bn == NULL) return(num);
-@@ -197,7 +200,7 @@ int BN_hex2bn(BIGNUM **bn, const char *a
- BN_zero(ret);
- }
-
-- /* i is the number of hex digests; */
-+ /* i is the number of hex digits */
- if (bn_expand(ret,i*4) == NULL) goto err;
-
- j=i; /* least significant 'hex' */
-@@ -246,8 +249,10 @@ int BN_dec2bn(BIGNUM **bn, const char *a
- if ((a == NULL) || (*a == '\0')) return(0);
- if (*a == '-') { neg=1; a++; }
-
-- for (i=0; isdigit((unsigned char) a[i]); i++)
-- ;
-+ for (i = 0; i <= (INT_MAX/4) && isdigit((unsigned char)a[i]); i++)
-+ ;
-+ if (i > INT_MAX/4)
-+ goto err;
-
- num=i+neg;
- if (bn == NULL) return(num);
-@@ -264,7 +269,7 @@ int BN_dec2bn(BIGNUM **bn, const char *a
- BN_zero(ret);
- }
-
-- /* i is the number of digests, a bit of an over expand; */
-+ /* i is the number of digits, a bit of an over expand */
- if (bn_expand(ret,i*4) == NULL) goto err;
-
- j=BN_DEC_NUM-(i%BN_DEC_NUM);
Deleted: openssl/branches/wheezy/debian/patches/CVE-2016-0798.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-0798.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-0798.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,263 +0,0 @@
-From 259b664f950c2ba66fbf4b0fe5281327904ead21 Mon Sep 17 00:00:00 2001
-From: Emilia Kasper <emilia at openssl.org>
-Date: Wed, 24 Feb 2016 12:59:59 +0100
-Subject: [PATCH] CVE-2016-0798: avoid memory leak in SRP
-
-The SRP user database lookup method SRP_VBASE_get_by_user had confusing
-memory management semantics; the returned pointer was sometimes newly
-allocated, and sometimes owned by the callee. The calling code has no
-way of distinguishing these two cases.
-
-Specifically, SRP servers that configure a secret seed to hide valid
-login information are vulnerable to a memory leak: an attacker
-connecting with an invalid username can cause a memory leak of around
-300 bytes per connection.
-
-Servers that do not configure SRP, or configure SRP but do not configure
-a seed are not vulnerable.
-
-In Apache, the seed directive is known as SSLSRPUnknownUserSeed.
-
-To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
-is now disabled even if the user has configured a seed.
-
-Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
-note that OpenSSL makes no strong guarantees about the
-indistinguishability of valid and invalid logins. In particular,
-computations are currently not carried out in constant time.
-
-Reviewed-by: Rich Salz <rsalz at openssl.org>
----
- CHANGES | 19 ++++++++++++++++++
- apps/s_server.c | 49 +++++++++++++++++++++++++++-----------------
- crypto/srp/srp.h | 10 +++++++++
- crypto/srp/srp_vfy.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++-----
- util/libeay.num | 2 ++
- 5 files changed, 114 insertions(+), 23 deletions(-)
-
-Index: openssl-1.0.1e/apps/s_server.c
-===================================================================
---- openssl-1.0.1e.orig/apps/s_server.c
-+++ openssl-1.0.1e/apps/s_server.c
-@@ -395,6 +395,8 @@ typedef struct srpsrvparm_st
- static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
- {
- srpsrvparm *p = (srpsrvparm *)arg;
-+ int ret = SSL3_AL_FATAL;
-+
- if (p->login == NULL && p->user == NULL )
- {
- p->login = SSL_get_srp_username(s);
-@@ -405,19 +407,22 @@ static int MS_CALLBACK ssl_srp_server_pa
- if (p->user == NULL)
- {
- BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
-- return SSL3_AL_FATAL;
-+ goto err;
- }
- if (SSL_set_srp_server_param(s, p->user->N, p->user->g, p->user->s, p->user->v,
- p->user->info) < 0)
- {
- *ad = SSL_AD_INTERNAL_ERROR;
-- return SSL3_AL_FATAL;
-+ goto err;
- }
- BIO_printf(bio_err, "SRP parameters set: username = \"%s\" info=\"%s\" \n", p->login,p->user->info);
-- /* need to check whether there are memory leaks */
-+ ret = SSL_ERROR_NONE;
-+
-+err:
-+ SRP_user_pwd_free(p->user);
- p->user = NULL;
- p->login = NULL;
-- return SSL_ERROR_NONE;
-+ return ret;
- }
-
- #endif
-@@ -2254,7 +2259,8 @@ static int sv_body(char *hostname, int s
- while (SSL_get_error(con,k) == SSL_ERROR_WANT_X509_LOOKUP)
- {
- BIO_printf(bio_s_out,"LOOKUP renego during write\n");
-- srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
-+ SRP_user_pwd_free(srp_callback_parm.user);
-+ srp_callback_parm.user = SRP_VBASE_get1_by_user(srp_callback_parm.vb, srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
- else
-@@ -2313,7 +2319,8 @@ again:
- while (SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
- {
- BIO_printf(bio_s_out,"LOOKUP renego during read\n");
-- srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
-+ SRP_user_pwd_free(srp_callback_parm.user);
-+ srp_callback_parm.user = SRP_VBASE_get1_by_user(srp_callback_parm.vb, srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
- else
-@@ -2402,7 +2409,8 @@ static int init_ssl_connection(SSL *con)
- while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
- {
- BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login);
-- srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
-+ SRP_user_pwd_free(srp_callback_parm.user);
-+ srp_callback_parm.user = SRP_VBASE_get1_by_user(srp_callback_parm.vb, srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
- else
-@@ -2644,7 +2652,8 @@ static int www_body(char *hostname, int
- while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
- {
- BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login);
-- srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
-+ SRP_user_pwd_free(srp_callback_parm.user);
-+ srp_callback_parm.user = SRP_VBASE_get1_by_user(srp_callback_parm.vb, srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
- else
-Index: openssl-1.0.1e/crypto/srp/srp.h
-===================================================================
---- openssl-1.0.1e.orig/crypto/srp/srp.h
-+++ openssl-1.0.1e/crypto/srp/srp.h
-@@ -83,16 +83,21 @@ DECLARE_STACK_OF(SRP_gN_cache)
-
- typedef struct SRP_user_pwd_st
- {
-+ /* Owned by us. */
- char *id;
- BIGNUM *s;
- BIGNUM *v;
-+ /* Not owned by us. */
- const BIGNUM *g;
- const BIGNUM *N;
-+ /* Owned by us. */
- char *info;
- } SRP_user_pwd;
-
- DECLARE_STACK_OF(SRP_user_pwd)
-
-+void SRP_user_pwd_free(SRP_user_pwd *user_pwd);
-+
- typedef struct SRP_VBASE_st
- {
- STACK_OF(SRP_user_pwd) *users_pwd;
-@@ -118,6 +123,12 @@ SRP_VBASE *SRP_VBASE_new(char *seed_key)
- int SRP_VBASE_free(SRP_VBASE *vb);
- int SRP_VBASE_init(SRP_VBASE *vb, char * verifier_file);
- SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
-+
-+/* This method ignores the configured seed and fails for an unknown user. */
-+SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
-+/* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/
-+SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username);
-+
- char *SRP_create_verifier(const char *user, const char *pass, char **salt,
- char **verifier, const char *N, const char *g);
- int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, BIGNUM **verifier, BIGNUM *N, BIGNUM *g);
-Index: openssl-1.0.1e/crypto/srp/srp_vfy.c
-===================================================================
---- openssl-1.0.1e.orig/crypto/srp/srp_vfy.c
-+++ openssl-1.0.1e/crypto/srp/srp_vfy.c
-@@ -179,7 +179,7 @@ static char *t_tob64(char *dst, const un
- return olddst;
- }
-
--static void SRP_user_pwd_free(SRP_user_pwd *user_pwd)
-+void SRP_user_pwd_free(SRP_user_pwd *user_pwd)
- {
- if (user_pwd == NULL)
- return;
-@@ -241,6 +241,24 @@ static int SRP_user_pwd_set_sv_BN(SRP_us
- return (vinfo->s != NULL && vinfo->v != NULL) ;
- }
-
-+static SRP_user_pwd *srp_user_pwd_dup(SRP_user_pwd *src)
-+{
-+ SRP_user_pwd *ret;
-+
-+ if (src == NULL)
-+ return NULL;
-+ if ((ret = SRP_user_pwd_new()) == NULL)
-+ return NULL;
-+
-+ SRP_user_pwd_set_gN(ret, src->g, src->N);
-+ if (!SRP_user_pwd_set_ids(ret, src->id, src->info)
-+ || !SRP_user_pwd_set_sv_BN(ret, BN_dup(src->s), BN_dup(src->v))) {
-+ SRP_user_pwd_free(ret);
-+ return NULL;
-+ }
-+ return ret;
-+}
-+
- SRP_VBASE *SRP_VBASE_new(char *seed_key)
- {
- SRP_VBASE *vb = (SRP_VBASE *) OPENSSL_malloc(sizeof(SRP_VBASE));
-@@ -472,22 +490,51 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *
- }
-
-
--SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username)
-+static SRP_user_pwd *find_user(SRP_VBASE *vb, char *username)
- {
- int i;
- SRP_user_pwd *user;
-- unsigned char digv[SHA_DIGEST_LENGTH];
-- unsigned char digs[SHA_DIGEST_LENGTH];
-- EVP_MD_CTX ctxt;
-
- if (vb == NULL)
- return NULL;
-+
- for(i = 0; i < sk_SRP_user_pwd_num(vb->users_pwd); i++)
- {
- user = sk_SRP_user_pwd_value(vb->users_pwd, i);
- if (strcmp(user->id,username)==0)
- return user;
- }
-+
-+ return NULL;
-+ }
-+
-+/*
-+ * This method ignores the configured seed and fails for an unknown user.
-+ * Ownership of the returned pointer is not released to the caller.
-+ * In other words, caller must not free the result.
-+ */
-+SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username)
-+{
-+ return find_user(vb, username);
-+}
-+
-+/*
-+ * Ownership of the returned pointer is released to the caller.
-+ * In other words, caller must free the result once done.
-+ */
-+SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username)
-+{
-+ SRP_user_pwd *user;
-+ unsigned char digv[SHA_DIGEST_LENGTH];
-+ unsigned char digs[SHA_DIGEST_LENGTH];
-+ EVP_MD_CTX ctxt;
-+
-+ if (vb == NULL)
-+ return NULL;
-+
-+ if ((user = find_user(vb, username)) != NULL)
-+ return srp_user_pwd_dup(user);
-+
- if ((vb->seed_key == NULL) ||
- (vb->default_g == NULL) ||
- (vb->default_N == NULL))
-Index: openssl-1.0.1e/util/libeay.num
-===================================================================
---- openssl-1.0.1e.orig/util/libeay.num
-+++ openssl-1.0.1e/util/libeay.num
-@@ -1806,6 +1806,8 @@ d2i_ASN1_SET_OF_PKCS12_SAFEBAG
- ASN1_UTCTIME_get 2350 NOEXIST::FUNCTION:
- X509_REQ_digest 2362 EXIST::FUNCTION:EVP
- X509_CRL_digest 2391 EXIST::FUNCTION:EVP
-+SRP_VBASE_get1_by_user 2393 EXIST::FUNCTION:SRP
-+SRP_user_pwd_free 2394 EXIST::FUNCTION:SRP
- d2i_ASN1_SET_OF_PKCS7 2397 NOEXIST::FUNCTION:
- EVP_CIPHER_CTX_set_key_length 2399 EXIST::FUNCTION:
- EVP_CIPHER_CTX_ctrl 2400 EXIST::FUNCTION:
Deleted: openssl/branches/wheezy/debian/patches/CVE-2016-0799.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-0799.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-0799.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,449 +0,0 @@
-From 578b956fe741bf8e84055547b1e83c28dd902c73 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Thu, 25 Feb 2016 13:09:46 +0000
-Subject: [PATCH] Fix memory issues in BIO_*printf functions
-
-The internal |fmtstr| function used in processing a "%s" format string
-in the BIO_*printf functions could overflow while calculating the length
-of a string and cause an OOB read when printing very long strings.
-
-Additionally the internal |doapr_outch| function can attempt to write to
-an OOB memory location (at an offset from the NULL pointer) in the event of
-a memory allocation failure. In 1.0.2 and below this could be caused where
-the size of a buffer to be allocated is greater than INT_MAX. E.g. this
-could be in processing a very long "%s" format string. Memory leaks can also
-occur.
-
-These issues will only occur on certain platforms where sizeof(size_t) >
-sizeof(int). E.g. many 64 bit systems. The first issue may mask the second
-issue dependent on compiler behaviour.
-
-These problems could enable attacks where large amounts of untrusted data
-is passed to the BIO_*printf functions. If applications use these functions
-in this way then they could be vulnerable. OpenSSL itself uses these
-functions when printing out human-readable dumps of ASN.1 data. Therefore
-applications that print this data could be vulnerable if the data is from
-untrusted sources. OpenSSL command line applications could also be
-vulnerable where they print out ASN.1 data, or if untrusted data is passed
-as command line arguments.
-
-Libssl is not considered directly vulnerable. Additionally certificates etc
-received via remote connections via libssl are also unlikely to be able to
-trigger these issues because of message size limits enforced within libssl.
-
-CVE-2016-0799
-
-Issue reported by Guido Vranken.
-
-Reviewed-by: Andy Polyakov <appro at openssl.org>
----
- crypto/bio/b_print.c | 187 ++++++++++++++++++++++++++++++++-------------------
- 1 file changed, 116 insertions(+), 71 deletions(-)
-
-Index: openssl-1.0.1k/crypto/bio/b_print.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/bio/b_print.c
-+++ openssl-1.0.1k/crypto/bio/b_print.c
-@@ -125,14 +125,14 @@
- #define LLONG long
- #endif
-
--static void fmtstr (char **, char **, size_t *, size_t *,
-+static int fmtstr (char **, char **, size_t *, size_t *,
- const char *, int, int, int);
--static void fmtint (char **, char **, size_t *, size_t *,
-+static int fmtint (char **, char **, size_t *, size_t *,
- LLONG, int, int, int, int);
--static void fmtfp (char **, char **, size_t *, size_t *,
-+static int fmtfp (char **, char **, size_t *, size_t *,
- LDOUBLE, int, int, int);
--static void doapr_outch (char **, char **, size_t *, size_t *, int);
--static void _dopr(char **sbuffer, char **buffer,
-+static int doapr_outch (char **, char **, size_t *, size_t *, int);
-+static int _dopr(char **sbuffer, char **buffer,
- size_t *maxlen, size_t *retlen, int *truncated,
- const char *format, va_list args);
-
-@@ -165,7 +165,7 @@ static void _dopr(char **sbuffer, char *
- #define char_to_int(p) (p - '0')
- #define OSSL_MAX(p,q) ((p >= q) ? p : q)
-
--static void
-+static int
- _dopr(
- char **sbuffer,
- char **buffer,
-@@ -200,7 +200,8 @@ _dopr(
- if (ch == '%')
- state = DP_S_FLAGS;
- else
-- doapr_outch(sbuffer,buffer, &currlen, maxlen, ch);
-+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
-+ return 0;
- ch = *format++;
- break;
- case DP_S_FLAGS:
-@@ -306,8 +307,9 @@ _dopr(
- value = va_arg(args, int);
- break;
- }
-- fmtint(sbuffer, buffer, &currlen, maxlen,
-- value, 10, min, max, flags);
-+ if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min,
-+ max, flags))
-+ return 0;
- break;
- case 'X':
- flags |= DP_F_UP;
-@@ -332,17 +334,19 @@ _dopr(
- unsigned int);
- break;
- }
-- fmtint(sbuffer, buffer, &currlen, maxlen, value,
-- ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
-- min, max, flags);
-+ if (!fmtint(sbuffer, buffer, &currlen, maxlen, value,
-+ ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
-+ min, max, flags))
-+ return 0;
- break;
- case 'f':
- if (cflags == DP_C_LDOUBLE)
- fvalue = va_arg(args, LDOUBLE);
- else
- fvalue = va_arg(args, double);
-- fmtfp(sbuffer, buffer, &currlen, maxlen,
-- fvalue, min, max, flags);
-+ if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
-+ flags))
-+ return 0;
- break;
- case 'E':
- flags |= DP_F_UP;
-@@ -361,8 +365,9 @@ _dopr(
- fvalue = va_arg(args, double);
- break;
- case 'c':
-- doapr_outch(sbuffer, buffer, &currlen, maxlen,
-- va_arg(args, int));
-+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen,
-+ va_arg(args, int)))
-+ return 0;
- break;
- case 's':
- strvalue = va_arg(args, char *);
-@@ -372,13 +377,15 @@ _dopr(
- else
- max = *maxlen;
- }
-- fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
-- flags, min, max);
-+ if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
-+ flags, min, max))
-+ return 0;
- break;
- case 'p':
- value = (long)va_arg(args, void *);
-- fmtint(sbuffer, buffer, &currlen, maxlen,
-- value, 16, min, max, flags|DP_F_NUM);
-+ if (!fmtint(sbuffer, buffer, &currlen, maxlen,
-+ value, 16, min, max, flags | DP_F_NUM))
-+ return 0;
- break;
- case 'n': /* XXX */
- if (cflags == DP_C_SHORT) {
-@@ -400,7 +407,8 @@ _dopr(
- }
- break;
- case '%':
-- doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
-+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
-+ return 0;
- break;
- case 'w':
- /* not supported yet, treat as next char */
-@@ -424,12 +432,13 @@ _dopr(
- *truncated = (currlen > *maxlen - 1);
- if (*truncated)
- currlen = *maxlen - 1;
-- doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0');
-+ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'))
-+ return 0;
- *retlen = currlen - 1;
-- return;
-+ return 1;
- }
-
--static void
-+static int
- fmtstr(
- char **sbuffer,
- char **buffer,
-@@ -440,36 +449,44 @@ fmtstr(
- int min,
- int max)
- {
-- int padlen, strln;
-+ int padlen;
-+ size_t strln;
- int cnt = 0;
-
- if (value == 0)
- value = "<NULL>";
-- for (strln = 0; value[strln]; ++strln)
-- ;
-+
-+ strln = strlen(value);
-+ if (strln > INT_MAX)
-+ strln = INT_MAX;
-+
- padlen = min - strln;
-- if (padlen < 0)
-+ if (min < 0 || padlen < 0)
- padlen = 0;
- if (flags & DP_F_MINUS)
- padlen = -padlen;
-
- while ((padlen > 0) && (cnt < max)) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
-+ return 0;
- --padlen;
- ++cnt;
- }
- while (*value && (cnt < max)) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, *value++);
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++))
-+ return 0;
- ++cnt;
- }
- while ((padlen < 0) && (cnt < max)) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
-+ return 0;
- ++padlen;
- ++cnt;
- }
-+ return 1;
- }
-
--static void
-+static int
- fmtint(
- char **sbuffer,
- char **buffer,
-@@ -533,37 +550,44 @@ fmtint(
-
- /* spaces */
- while (spadlen > 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
-+ return 0;
- --spadlen;
- }
-
- /* sign */
- if (signvalue)
-- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
-+ return 0;
-
- /* prefix */
- while (*prefix) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix))
-+ return 0;
- prefix++;
- }
-
- /* zeros */
- if (zpadlen > 0) {
- while (zpadlen > 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
-+ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
-+ return 0;
- --zpadlen;
- }
- }
- /* digits */
-- while (place > 0)
-- doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]);
-+ while (place > 0) {
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]))
-+ return 0;
-+ }
-
- /* left justified spaces */
- while (spadlen < 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
-+ return 0;
- ++spadlen;
- }
-- return;
-+ return 1;
- }
-
- static LDOUBLE
-@@ -597,7 +621,7 @@ roundv(LDOUBLE value)
- return intpart;
- }
-
--static void
-+static int
- fmtfp(
- char **sbuffer,
- char **buffer,
-@@ -682,47 +706,60 @@ fmtfp(
-
- if ((flags & DP_F_ZERO) && (padlen > 0)) {
- if (signvalue) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
-+ return 0;
- --padlen;
- signvalue = 0;
- }
- while (padlen > 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
-+ return 0;
- --padlen;
- }
- }
- while (padlen > 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
-+ return 0;
- --padlen;
- }
-- if (signvalue)
-- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
-+ if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
-+ return 0;
-
-- while (iplace > 0)
-- doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]);
-+ while (iplace > 0) {
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]))
-+ return 0;
-+ }
-
- /*
- * Decimal point. This should probably use locale to find the correct
- * char to print out.
- */
- if (max > 0 || (flags & DP_F_NUM)) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.'))
-+ return 0;
-
-- while (fplace > 0)
-- doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]);
-+ while (fplace > 0) {
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]))
-+ return 0;
-+ }
- }
- while (zpadlen > 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
-+ return 0;
- --zpadlen;
- }
-
- while (padlen < 0) {
-- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
-+ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
-+ return 0;
- ++padlen;
- }
-+ return 1;
- }
-
--static void
-+#define BUFFER_INC 1024
-+
-+static int
- doapr_outch(
- char **sbuffer,
- char **buffer,
-@@ -733,24 +770,27 @@ doapr_outch(
- /* If we haven't at least one buffer, someone has doe a big booboo */
- assert(*sbuffer != NULL || buffer != NULL);
-
-- if (buffer) {
-- while (*currlen >= *maxlen) {
-- if (*buffer == NULL) {
-- if (*maxlen == 0)
-- *maxlen = 1024;
-- *buffer = OPENSSL_malloc(*maxlen);
-- if (*currlen > 0) {
-- assert(*sbuffer != NULL);
-- memcpy(*buffer, *sbuffer, *currlen);
-- }
-- *sbuffer = NULL;
-- } else {
-- *maxlen += 1024;
-- *buffer = OPENSSL_realloc(*buffer, *maxlen);
-- }
-- }
-- /* What to do if *buffer is NULL? */
-- assert(*sbuffer != NULL || *buffer != NULL);
-+ if (buffer && *currlen == *maxlen) {
-+ if (*maxlen > INT_MAX - BUFFER_INC)
-+ return 0;
-+
-+ *maxlen += BUFFER_INC;
-+ if (*buffer == NULL) {
-+ *buffer = OPENSSL_malloc(*maxlen);
-+ if (*buffer == NULL)
-+ return 0;
-+ if (*currlen > 0) {
-+ assert(*sbuffer != NULL);
-+ memcpy(*buffer, *sbuffer, *currlen);
-+ }
-+ *sbuffer = NULL;
-+ } else {
-+ char *tmpbuf;
-+ tmpbuf = OPENSSL_realloc(*buffer, *maxlen);
-+ if (tmpbuf == NULL)
-+ return 0;
-+ *buffer = tmpbuf;
-+ }
- }
-
- if (*currlen < *maxlen) {
-@@ -760,7 +800,7 @@ doapr_outch(
- (*buffer)[(*currlen)++] = (char)c;
- }
-
-- return;
-+ return 1;
- }
-
- /***************************************************************************/
-@@ -792,8 +832,11 @@ int BIO_vprintf (BIO *bio, const char *f
-
- dynbuf = NULL;
- CRYPTO_push_info("doapr()");
-- _dopr(&hugebufp, &dynbuf, &hugebufsize,
-- &retlen, &ignored, format, args);
-+ if (!_dopr(&hugebufp, &dynbuf, &hugebufsize,
-+ &retlen, &ignored, format, args)) {
-+ OPENSSL_free(dynbuf);
-+ return -1;
-+ }
- if (dynbuf)
- {
- ret=BIO_write(bio, dynbuf, (int)retlen);
-@@ -829,7 +872,8 @@ int BIO_vsnprintf(char *buf, size_t n, c
- size_t retlen;
- int truncated;
-
-- _dopr(&buf, NULL, &n, &retlen, &truncated, format, args);
-+ if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args))
-+ return -1;
-
- if (truncated)
- /* In case of truncation, return -1 like traditional snprintf.
Deleted: openssl/branches/wheezy/debian/patches/CVE-2016-2105.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2105.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2105.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,42 +0,0 @@
-From 5b814481f3573fa9677f3a31ee51322e2a22ee6a Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Fri, 4 Mar 2016 10:17:17 +0000
-Subject: [PATCH] Avoid overflow in EVP_EncodeUpdate
-
-An overflow can occur in the EVP_EncodeUpdate function which is used for
-Base64 encoding of binary data. If an attacker is able to supply very large
-amounts of input data then a length check can overflow resulting in a heap
-corruption. Due to the very large amounts of data involved this will most
-likely result in a crash.
-
-Internally to OpenSSL the EVP_EncodeUpdate function is primarly used by the
-PEM_write_bio* family of functions. These are mainly used within the
-OpenSSL command line applications, so any application which processes
-data from an untrusted source and outputs it as a PEM file should be
-considered vulnerable to this issue.
-
-User applications that call these APIs directly with large amounts of
-untrusted data may also be vulnerable.
-
-Issue reported by Guido Vranken.
-
-CVE-2016-2105
-
-Reviewed-by: Richard Levitte <levitte at openssl.org>
----
- crypto/evp/encode.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: openssl-1.0.1k/crypto/evp/encode.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/evp/encode.c
-+++ openssl-1.0.1k/crypto/evp/encode.c
-@@ -137,7 +137,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct
- *outl=0;
- if (inl == 0) return;
- OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
-- if ((ctx->num+inl) < ctx->length)
-+ if (ctx->length - ctx->num > inl)
- {
- memcpy(&(ctx->enc_data[ctx->num]),in,inl);
- ctx->num+=inl;
Deleted: openssl/branches/wheezy/debian/patches/CVE-2016-2106.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2106.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2106.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,60 +0,0 @@
-From 56ea22458f3f5f1d0148b0a97957de4d56f3d328 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Thu, 3 Mar 2016 23:36:23 +0000
-Subject: [PATCH] Fix encrypt overflow
-
-An overflow can occur in the EVP_EncryptUpdate function. If an attacker is
-able to supply very large amounts of input data after a previous call to
-EVP_EncryptUpdate with a partial block then a length check can overflow
-resulting in a heap corruption.
-
-Following an analysis of all OpenSSL internal usage of the
-EVP_EncryptUpdate function all usage is one of two forms.
-
-The first form is like this:
-EVP_EncryptInit()
-EVP_EncryptUpdate()
-
-i.e. where the EVP_EncryptUpdate() call is known to be the first called
-function after an EVP_EncryptInit(), and therefore that specific call
-must be safe.
-
-The second form is where the length passed to EVP_EncryptUpdate() can be
-seen from the code to be some small value and therefore there is no
-possibility of an overflow.
-
-Since all instances are one of these two forms, I believe that there can
-be no overflows in internal code due to this problem.
-
-It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate()
-in certain code paths. Also EVP_CipherUpdate() is a synonym for
-EVP_EncryptUpdate(). Therefore I have checked all instances of these
-calls too, and came to the same conclusion, i.e. there are no instances
-in internal usage where an overflow could occur.
-
-This could still represent a security issue for end user code that calls
-this function directly.
-
-CVE-2016-2106
-
-Issue reported by Guido Vranken.
-
-Reviewed-by: Tim Hudson <tjh at openssl.org>
-(cherry picked from commit 3f3582139fbb259a1c3cbb0a25236500a409bf26)
----
- crypto/evp/evp_enc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Index: openssl-1.0.1k/crypto/evp/evp_enc.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/evp/evp_enc.c
-+++ openssl-1.0.1k/crypto/evp/evp_enc.c
-@@ -343,7 +343,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct
- OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
- if (i != 0)
- {
-- if (i+inl < bl)
-+ if (bl - i > inl)
- {
- memcpy(&(ctx->buf[i]),in,inl);
- ctx->buf_len+=inl;
Deleted: openssl/branches/wheezy/debian/patches/CVE-2016-2107.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2107.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2107.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,38 +0,0 @@
-From 4159f311671cf3bac03815e5de44681eb758304a Mon Sep 17 00:00:00 2001
-From: Kurt Roeckx <kurt at roeckx.be>
-Date: Sat, 16 Apr 2016 23:08:56 +0200
-Subject: [PATCH] Check that we have enough padding characters.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
-
-CVE-2016-2107
-
-MR: #2572
----
- crypto/evp/e_aes_cbc_hmac_sha1.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-Index: openssl-1.0.1k/crypto/evp/e_aes_cbc_hmac_sha1.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/evp/e_aes_cbc_hmac_sha1.c
-+++ openssl-1.0.1k/crypto/evp/e_aes_cbc_hmac_sha1.c
-@@ -59,6 +59,7 @@
- #include <openssl/aes.h>
- #include <openssl/sha.h>
- #include "evp_locl.h"
-+#include "constant_time_locl.h"
-
- #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
- #define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000
-@@ -278,6 +279,8 @@ static int aesni_cbc_hmac_sha1_cipher(EV
- maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8);
- maxpad &= 255;
-
-+ ret &= constant_time_ge(maxpad, pad);
-+
- inp_len = len - (SHA_DIGEST_LENGTH+pad+1);
- mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));
- inp_len &= mask;
Deleted: openssl/branches/wheezy/debian/patches/CVE-2016-2108.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2108.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2108.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,73 +0,0 @@
-Index: openssl-1.0.1k/crypto/asn1/a_int.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/asn1/a_int.c
-+++ openssl-1.0.1k/crypto/asn1/a_int.c
-@@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un
- {
- ret=a->length;
- i=a->data[0];
-+ if (ret == 1 && i == 0)
-+ neg = 0;
- if (!neg && (i > 127)) {
- pad=1;
- pb=0;
-@@ -157,7 +159,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un
- p += a->length - 1;
- i = a->length;
- /* Copy zeros to destination as long as source is zero */
-- while(!*n) {
-+ while (!*n && i > 1) {
- *(p--) = 0;
- n--;
- i--;
-@@ -415,7 +417,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const B
- ASN1err(ASN1_F_BN_TO_ASN1_INTEGER,ERR_R_NESTED_ASN1_ERROR);
- goto err;
- }
-- if (BN_is_negative(bn))
-+ if (BN_is_negative(bn) && !BN_is_zero(bn))
- ret->type = V_ASN1_NEG_INTEGER;
- else ret->type=V_ASN1_INTEGER;
- j=BN_num_bits(bn);
-Index: openssl-1.0.1k/crypto/asn1/a_type.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/asn1/a_type.c
-+++ openssl-1.0.1k/crypto/asn1/a_type.c
-@@ -131,9 +131,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
- result = 0; /* They do not have content. */
- break;
- case V_ASN1_INTEGER:
-- case V_ASN1_NEG_INTEGER:
- case V_ASN1_ENUMERATED:
-- case V_ASN1_NEG_ENUMERATED:
- case V_ASN1_BIT_STRING:
- case V_ASN1_OCTET_STRING:
- case V_ASN1_SEQUENCE:
-Index: openssl-1.0.1k/crypto/asn1/tasn_dec.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/asn1/tasn_dec.c
-+++ openssl-1.0.1k/crypto/asn1/tasn_dec.c
-@@ -1014,9 +1014,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
- break;
-
- case V_ASN1_INTEGER:
-- case V_ASN1_NEG_INTEGER:
- case V_ASN1_ENUMERATED:
-- case V_ASN1_NEG_ENUMERATED:
- tint = (ASN1_INTEGER **)pval;
- if (!c2i_ASN1_INTEGER(tint, &cont, len))
- goto err;
-Index: openssl-1.0.1k/crypto/asn1/tasn_enc.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/asn1/tasn_enc.c
-+++ openssl-1.0.1k/crypto/asn1/tasn_enc.c
-@@ -643,9 +643,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig
- break;
-
- case V_ASN1_INTEGER:
-- case V_ASN1_NEG_INTEGER:
- case V_ASN1_ENUMERATED:
-- case V_ASN1_NEG_ENUMERATED:
- /* These are all have the same content format
- * as ASN1_INTEGER
- */
Deleted: openssl/branches/wheezy/debian/patches/CVE-2016-2109.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2109.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2109.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,93 +0,0 @@
-From 3d411057a5e28530fffc40b257698f453c89aa87 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Mon, 11 Apr 2016 13:57:20 +0100
-Subject: [PATCH] Harden ASN.1 BIO handling of large amounts of data.
-
-If the ASN.1 BIO is presented with a large length field read it in
-chunks of increasing size checking for EOF on each read. This prevents
-small files allocating excessive amounts of data.
-
-CVE-2016-2109
-
-Thanks to Brian Carpenter for reporting this issue.
-
-Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
-(cherry picked from commit c62981390d6cf9e3d612c489b8b77c2913b25807)
----
- crypto/asn1/a_d2i_fp.c | 36 ++++++++++++++++++++++++++----------
- 1 file changed, 26 insertions(+), 10 deletions(-)
-
-Index: openssl-1.0.1k/crypto/asn1/a_d2i_fp.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/asn1/a_d2i_fp.c
-+++ openssl-1.0.1k/crypto/asn1/a_d2i_fp.c
-@@ -139,6 +139,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *
- #endif
-
- #define HEADER_SIZE 8
-+#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
- static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
- {
- BUF_MEM *b;
-@@ -230,6 +231,8 @@ static int asn1_d2i_read_bio(BIO *in, BU
- want=c.slen;
- if (want > (len-off))
- {
-+ size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
-+
- want-=(len-off);
- if (want > INT_MAX /* BIO_read takes an int length */ ||
- len+want < len)
-@@ -237,25 +240,36 @@ static int asn1_d2i_read_bio(BIO *in, BU
- ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
- goto err;
- }
-- if (!BUF_MEM_grow_clean(b,len+want))
-- {
-- ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
-- goto err;
-- }
- while (want > 0)
- {
-- i=BIO_read(in,&(b->data[len]),want);
-- if (i <= 0)
-- {
-- ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
-- ASN1_R_NOT_ENOUGH_DATA);
-- goto err;
-- }
-- /* This can't overflow because
-- * |len+want| didn't overflow. */
-- len+=i;
-- want-=i;
-+ /*
-+ * Read content in chunks of increasing size
-+ * so we can return an error for EOF without
-+ * having to allocate the entire content length
-+ * in one go.
-+ */
-+ size_t chunk = want > chunk_max ? chunk_max : want;
-+
-+ if (!BUF_MEM_grow_clean(b, len + chunk)) {
-+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
-+ goto err;
- }
-+ want -= chunk;
-+ while (chunk > 0) {
-+ i = BIO_read(in, &(b->data[len]), chunk);
-+ if (i <= 0) {
-+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
-+ ASN1_R_NOT_ENOUGH_DATA);
-+ goto err;
-+ }
-+ /* This can't overflow because
-+ * |len+want| didn't overflow. */
-+ len+=i;
-+ chunk -= i;
-+ }
-+ if (chunk_max < INT_MAX/2)
-+ chunk_max *= 2;
-+ }
- }
- if (off + c.slen < off)
- {
Deleted: openssl/branches/wheezy/debian/patches/CVE-2016-2176.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2176.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2176.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,35 +0,0 @@
-From 2919516136a4227d9e6d8f2fe66ef976aaf8c561 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Thu, 28 Apr 2016 10:46:55 +0100
-Subject: [PATCH] Prevent EBCDIC overread for very long strings
-
-ASN1 Strings that are over 1024 bytes can cause an overread in
-applications using the X509_NAME_oneline() function on EBCDIC systems.
-This could result in arbitrary stack data being returned in the buffer.
-
-Issue reported by Guido Vranken.
-
-CVE-2016-2176
-
-Reviewed-by: Andy Polyakov <appro at openssl.org>
----
- crypto/x509/x509_obj.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-Index: openssl-1.0.1k/crypto/x509/x509_obj.c
-===================================================================
---- openssl-1.0.1k.orig/crypto/x509/x509_obj.c
-+++ openssl-1.0.1k/crypto/x509/x509_obj.c
-@@ -121,9 +121,9 @@ int i;
- type == V_ASN1_TELETEXSTRING ||
- type == V_ASN1_VISIBLESTRING ||
- type == V_ASN1_IA5STRING) {
-- ascii2ebcdic(ebcdic_buf, q,
-- (num > sizeof ebcdic_buf)
-- ? sizeof ebcdic_buf : num);
-+ if (num > (int)sizeof(ebcdic_buf))
-+ num = sizeof(ebcdic_buf);
-+ ascii2ebcdic(ebcdic_buf, q, num);
- q=ebcdic_buf;
- }
- #endif
Added: openssl/branches/wheezy/debian/patches/CVE-2016-2177.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2177.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2177.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,256 @@
+From 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Thu, 5 May 2016 11:10:26 +0100
+Subject: [PATCH] Avoid some undefined pointer arithmetic
+
+A common idiom in the codebase is:
+
+if (p + len > limit)
+{
+ return; /* Too long */
+}
+
+Where "p" points to some malloc'd data of SIZE bytes and
+limit == p + SIZE
+
+"len" here could be from some externally supplied data (e.g. from a TLS
+message).
+
+The rules of C pointer arithmetic are such that "p + len" is only well
+defined where len <= SIZE. Therefore the above idiom is actually
+undefined behaviour.
+
+For example this could cause problems if some malloc implementation
+provides an address for "p" such that "p + len" actually overflows for
+values of len that are too big and therefore p + len < limit!
+
+Issue reported by Guido Vranken.
+
+CVE-2016-2177
+
+Reviewed-by: Rich Salz <rsalz at openssl.org>
+---
+ ssl/s3_srvr.c | 14 +++++++-------
+ ssl/ssl_sess.c | 2 +-
+ ssl/t1_lib.c | 48 ++++++++++++++++++++++++++----------------------
+ 3 files changed, 34 insertions(+), 30 deletions(-)
+
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index 04cf93a..6c74caa 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -1040,7 +1040,7 @@ int ssl3_get_client_hello(SSL *s)
+
+ session_length = *(p + SSL3_RANDOM_SIZE);
+
+- if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
++ if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+@@ -1058,7 +1058,7 @@ int ssl3_get_client_hello(SSL *s)
+ /* get the session-id */
+ j = *(p++);
+
+- if (p + j > d + n) {
++ if ((d + n) - p < j) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+@@ -1114,14 +1114,14 @@ int ssl3_get_client_hello(SSL *s)
+
+ if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
+ /* cookie stuff */
+- if (p + 1 > d + n) {
++ if ((d + n) - p < 1) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+ }
+ cookie_len = *(p++);
+
+- if (p + cookie_len > d + n) {
++ if ((d + n ) - p < cookie_len) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+@@ -1166,7 +1166,7 @@ int ssl3_get_client_hello(SSL *s)
+ p += cookie_len;
+ }
+
+- if (p + 2 > d + n) {
++ if ((d + n ) - p < 2) {
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
+ goto f_err;
+@@ -1180,7 +1180,7 @@ int ssl3_get_client_hello(SSL *s)
+ }
+
+ /* i bytes of cipher data + 1 byte for compression length later */
+- if ((p + i + 1) > (d + n)) {
++ if ((d + n) - p < i + 1) {
+ /* not enough data */
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+@@ -1246,7 +1246,7 @@ int ssl3_get_client_hello(SSL *s)
+
+ /* compression */
+ i = *(p++);
+- if ((p + i) > (d + n)) {
++ if ((d + n) - p < i) {
+ /* not enough data */
+ al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index 48fc451..a97d060 100644
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -602,7 +602,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
+ int r;
+ #endif
+
+- if (session_id + len > limit) {
++ if (limit - session_id < len) {
+ fatal = 1;
+ goto err;
+ }
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 0bdb77d..8ed1793 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -942,11 +942,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+ 0x02, 0x03, /* SHA-1/ECDSA */
+ };
+
+- if (data >= (limit - 2))
++ if (limit - data <= 2)
+ return;
+ data += 2;
+
+- if (data > (limit - 4))
++ if (limit - data < 4)
+ return;
+ n2s(data, type);
+ n2s(data, size);
+@@ -954,7 +954,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+ if (type != TLSEXT_TYPE_server_name)
+ return;
+
+- if (data + size > limit)
++ if (limit - data < size)
+ return;
+ data += size;
+
+@@ -962,7 +962,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+ const size_t len1 = sizeof(kSafariExtensionsBlock);
+ const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
+
+- if (data + len1 + len2 != limit)
++ if (limit - data != (int)(len1 + len2))
+ return;
+ if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+ return;
+@@ -971,7 +971,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
+ } else {
+ const size_t len = sizeof(kSafariExtensionsBlock);
+
+- if (data + len != limit)
++ if (limit - data != (int)(len))
+ return;
+ if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+ return;
+@@ -1019,19 +1019,19 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
+ if (data == limit)
+ goto ri_check;
+
+- if (data > (limit - 2))
++ if (limit - data < 2)
+ goto err;
+
+ n2s(data, len);
+
+- if (data + len != limit)
++ if (limit - data != len)
+ goto err;
+
+- while (data <= (limit - 4)) {
++ while (limit - data >= 4) {
+ n2s(data, type);
+ n2s(data, size);
+
+- if (data + size > (limit))
++ if (limit - data < size)
+ goto err;
+ # if 0
+ fprintf(stderr, "Received extension type %d size %d\n", type, size);
+@@ -1460,20 +1460,20 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
+ SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
+ # endif
+
+- if (data >= (d + n - 2))
++ if ((d + n) - data <= 2)
+ goto ri_check;
+
+ n2s(data, length);
+- if (data + length != d + n) {
++ if ((d + n) - data != length) {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+
+- while (data <= (d + n - 4)) {
++ while ((d + n) - data >= 4) {
+ n2s(data, type);
+ n2s(data, size);
+
+- if (data + size > (d + n))
++ if ((d + n) - data < size)
+ goto ri_check;
+
+ if (s->tlsext_debug_cb)
+@@ -2179,29 +2179,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
+ /* Skip past DTLS cookie */
+ if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
+ i = *(p++);
+- p += i;
+- if (p >= limit)
++
++ if (limit - p <= i)
+ return -1;
++
++ p += i;
+ }
+ /* Skip past cipher list */
+ n2s(p, i);
+- p += i;
+- if (p >= limit)
++ if (limit - p <= i)
+ return -1;
++ p += i;
++
+ /* Skip past compression algorithm list */
+ i = *(p++);
+- p += i;
+- if (p > limit)
++ if (limit - p < i)
+ return -1;
++ p += i;
++
+ /* Now at start of extensions */
+- if ((p + 2) >= limit)
++ if (limit - p <= 2)
+ return 0;
+ n2s(p, i);
+- while ((p + 4) <= limit) {
++ while (limit - p >= 4) {
+ unsigned short type, size;
+ n2s(p, type);
+ n2s(p, size);
+- if (p + size > limit)
++ if (limit - p < size)
+ return 0;
+ if (type == TLSEXT_TYPE_session_ticket) {
+ int r;
+--
+2.9.3
+
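Review bot: In the `tls1_process_ticket` hunk the guard `if (limit - p <= i) return -1;` on the DTLS cookie path leaves only one byte between `p` and `limit` after `p += i;`, yet the very next statement `n2s(p, i);` reads two bytes, so a one-byte overread past the buffer is still possible on the cipher-list length; the same applies on the non-DTLS path if the caller's earlier check (outside the hunk) only guarantees `p < limit`. A guard `if (limit - p < 2) return -1;` immediately before that `n2s(p, i);` would close it; the later `n2s` is already protected by `if (limit - p <= 2) return 0;`. Note also that the new `limit - p` / `(d + n) - p` form is only well defined while `p` has not already passed `limit`, so each rewritten check relies on the preceding advance having been bounded. `tls1_process_ticket` begins and ends outside this hunk.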
Added: openssl/branches/wheezy/debian/patches/CVE-2016-2178.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2178.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2178.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,23 @@
+diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
+index 9a3772e..06cd2a2 100644
+--- a/crypto/dsa/dsa_ossl.c
++++ b/crypto/dsa/dsa_ossl.c
+@@ -247,7 +247,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+ do
+ if (!BN_rand_range(&k, dsa->q))
+ goto err;
+- while (BN_is_zero(&k)) ;
++ while (BN_is_zero(&k));
++
+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
+ BN_set_flags(&k, BN_FLG_CONSTTIME);
+ }
+@@ -264,6 +266,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
+ if (!BN_copy(&kq, &k))
+ goto err;
+
++ BN_set_flags(&kq, BN_FLG_CONSTTIME);
++
+ /*
+ * We do not want timing information to leak the length of k, so we
+ * compute g^k using an equivalent exponent of fixed length. (This
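Review bot: This patch file carries no description or origin header, unlike the other CVE patches in this commit, so a reader of debian/patches cannot tell what the `BN_set_flags(&kq, BN_FLG_CONSTTIME);` line is for without looking up the CVE; the same is true of the CVE-2016-2181.patch and CVE-2016-2182.patch hunks below. A DEP-3 header such as `Description: CVE-2016-2178: mark kq as BN_FLG_CONSTTIME in dsa_sign_setup so the fixed-length exponent path is actually taken` and `Origin: upstream, <UPSTREAM-COMMIT-ID>` would document that. A one-line comment above the new call would also help, e.g. `/* kq must be constant-time too, or the modexp below leaks k's length */`, since the existing flag on `k` is conditional while this one is unconditional. `dsa_sign_setup` begins and ends outside the hunk.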
Added: openssl/branches/wheezy/debian/patches/CVE-2016-2179.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2179.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2179.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,253 @@
+From 00a4c1421407b6ac796688871b0a49a179c694d9 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Thu, 30 Jun 2016 13:17:08 +0100
+Subject: [PATCH] Fix DTLS buffered message DoS attack
+
+DTLS can handle out of order record delivery. Additionally since
+handshake messages can be bigger than will fit into a single packet, the
+messages can be fragmented across multiple records (as with normal TLS).
+That means that the messages can arrive mixed up, and we have to
+reassemble them. We keep a queue of buffered messages that are "from the
+future", i.e. messages we're not ready to deal with yet but have arrived
+early. The messages held there may not be full yet - they could be one
+or more fragments that are still in the process of being reassembled.
+
+The code assumes that we will eventually complete the reassembly and
+when that occurs the complete message is removed from the queue at the
+point that we need to use it.
+
+However, DTLS is also tolerant of packet loss. To get around that DTLS
+messages can be retransmitted. If we receive a full (non-fragmented)
+message from the peer after previously having received a fragment of
+that message, then we ignore the message in the queue and just use the
+non-fragmented version. At that point the queued message will never get
+removed.
+
+Additionally the peer could send "future" messages that we never get to
+in order to complete the handshake. Each message has a sequence number
+(starting from 0). We will accept a message fragment for the current
+message sequence number, or for any sequence up to 10 into the future.
+However if the Finished message has a sequence number of 2, anything
+greater than that in the queue is just left there.
+
+So, in those two ways we can end up with "orphaned" data in the queue
+that will never get removed - except when the connection is closed. At
+that point all the queues are flushed.
+
+An attacker could seek to exploit this by filling up the queues with
+lots of large messages that are never going to be used in order to
+attempt a DoS by memory exhaustion.
+
+I will assume that we are only concerned with servers here. It does not
+seem reasonable to be concerned about a memory exhaustion attack on a
+client. They are unlikely to process enough connections for this to be
+an issue.
+
+A "long" handshake with many messages might be 5 messages long (in the
+incoming direction), e.g. ClientHello, Certificate, ClientKeyExchange,
+CertificateVerify, Finished. So this would be message sequence numbers 0
+to 4. Additionally we can buffer up to 10 messages in the future.
+Therefore the maximum number of messages that an attacker could send
+that could get orphaned would typically be 15.
+
+The maximum size that a DTLS message is allowed to be is defined by
+max_cert_list, which by default is 100k. Therefore the maximum amount of
+"orphaned" memory per connection is 1500k.
+
+Message sequence numbers get reset after the Finished message, so
+renegotiation will not extend the maximum number of messages that can be
+orphaned per connection.
+
+As noted above, the queues do get cleared when the connection is closed.
+Therefore in order to mount an effective attack, an attacker would have
+to open many simultaneous connections.
+
+Issue reported by Quan Luo.
+
+CVE-2016-2179
+
+Reviewed-by: Richard Levitte <levitte at openssl.org>
+---
+ ssl/d1_both.c | 32 ++++++++++++++++----------------
+ ssl/d1_clnt.c | 1 +
+ ssl/d1_lib.c | 37 ++++++++++++++++++++++++++-----------
+ ssl/d1_srvr.c | 3 ++-
+ ssl/ssl_locl.h | 3 ++-
+ 5 files changed, 47 insertions(+), 29 deletions(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 1614d88..ae292c4 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -614,11 +614,23 @@ static int dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
+ int al;
+
+ *ok = 0;
+- item = pqueue_peek(s->d1->buffered_messages);
+- if (item == NULL)
+- return 0;
++ do {
++ item = pqueue_peek(s->d1->buffered_messages);
++ if (item == NULL)
++ return 0;
++
++ frag = (hm_fragment *)item->data;
++
++ if (frag->msg_header.seq < s->d1->handshake_read_seq) {
++ /* This is a stale message that has been buffered so clear it */
++ pqueue_pop(s->d1->buffered_messages);
++ dtls1_hm_fragment_free(frag);
++ pitem_free(item);
++ item = NULL;
++ frag = NULL;
++ }
++ } while (item == NULL);
+
+- frag = (hm_fragment *)item->data;
+
+ /* Don't return if reassembly still in progress */
+ if (frag->reassembly != NULL)
+@@ -1416,18 +1428,6 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off,
+ return ret;
+ }
+
+-/* call this function when the buffered messages are no longer needed */
+-void dtls1_clear_record_buffer(SSL *s)
+-{
+- pitem *item;
+-
+- for (item = pqueue_pop(s->d1->sent_messages);
+- item != NULL; item = pqueue_pop(s->d1->sent_messages)) {
+- dtls1_hm_fragment_free((hm_fragment *)item->data);
+- pitem_free(item);
+- }
+-}
+-
+ unsigned char *dtls1_set_message_header(SSL *s, unsigned char *p,
+ unsigned char mt, unsigned long len,
+ unsigned long frag_off,
+diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
+index eb371a2..e1f167b 100644
+--- a/ssl/d1_clnt.c
++++ b/ssl/d1_clnt.c
+@@ -751,6 +751,7 @@ int dtls1_connect(SSL *s)
+ /* done with handshaking */
+ s->d1->handshake_read_seq = 0;
+ s->d1->next_handshake_write_seq = 0;
++ dtls1_clear_received_buffer(s);
+ goto end;
+ /* break; */
+
+diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
+index 011d7b7..99984df 100644
+--- a/ssl/d1_lib.c
++++ b/ssl/d1_lib.c
+@@ -144,7 +144,6 @@ int dtls1_new(SSL *s)
+ static void dtls1_clear_queues(SSL *s)
+ {
+ pitem *item = NULL;
+- hm_fragment *frag = NULL;
+ DTLS1_RECORD_DATA *rdata;
+
+ while ((item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL) {
+@@ -165,28 +164,44 @@ static void dtls1_clear_queues(SSL *s)
+ pitem_free(item);
+ }
+
++ while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
++ rdata = (DTLS1_RECORD_DATA *)item->data;
++ if (rdata->rbuf.buf) {
++ OPENSSL_free(rdata->rbuf.buf);
++ }
++ OPENSSL_free(item->data);
++ pitem_free(item);
++ }
++
++ dtls1_clear_received_buffer(s);
++ dtls1_clear_sent_buffer(s);
++}
++
++void dtls1_clear_received_buffer(SSL *s)
++{
++ pitem *item = NULL;
++ hm_fragment *frag = NULL;
++
+ while ((item = pqueue_pop(s->d1->buffered_messages)) != NULL) {
+ frag = (hm_fragment *)item->data;
+ dtls1_hm_fragment_free(frag);
+ pitem_free(item);
+ }
++}
++
++void dtls1_clear_sent_buffer(SSL *s)
++{
++ pitem *item = NULL;
++ hm_fragment *frag = NULL;
+
+ while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) {
+ frag = (hm_fragment *)item->data;
+ dtls1_hm_fragment_free(frag);
+ pitem_free(item);
+ }
+-
+- while ((item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) {
+- rdata = (DTLS1_RECORD_DATA *)item->data;
+- if (rdata->rbuf.buf) {
+- OPENSSL_free(rdata->rbuf.buf);
+- }
+- OPENSSL_free(item->data);
+- pitem_free(item);
+- }
+ }
+
++
+ void dtls1_free(SSL *s)
+ {
+ ssl3_free(s);
+@@ -420,7 +435,7 @@ void dtls1_stop_timer(SSL *s)
+ BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0,
+ &(s->d1->next_timeout));
+ /* Clear retransmission buffer */
+- dtls1_clear_record_buffer(s);
++ dtls1_clear_sent_buffer(s);
+ }
+
+ int dtls1_check_timeout_num(SSL *s)
+diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
+index 60af230..bc30433 100644
+--- a/ssl/d1_srvr.c
++++ b/ssl/d1_srvr.c
+@@ -295,7 +295,7 @@ int dtls1_accept(SSL *s)
+ case SSL3_ST_SW_HELLO_REQ_B:
+
+ s->shutdown = 0;
+- dtls1_clear_record_buffer(s);
++ dtls1_clear_sent_buffer(s);
+ dtls1_start_timer(s);
+ ret = dtls1_send_hello_request(s);
+ if (ret <= 0)
+@@ -866,6 +866,7 @@ int dtls1_accept(SSL *s)
+ /* next message is server hello */
+ s->d1->handshake_write_seq = 0;
+ s->d1->next_handshake_write_seq = 0;
++ dtls1_clear_received_buffer(s);
+ goto end;
+ /* break; */
+
+diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
+index d57b902..7b1fd1f 100644
+--- a/ssl/ssl_locl.h
++++ b/ssl/ssl_locl.h
+@@ -1026,7 +1026,8 @@ int dtls1_retransmit_message(SSL *s, unsigned short seq,
+ unsigned long frag_off, int *found);
+ int dtls1_get_queue_priority(unsigned short seq, int is_ccs);
+ int dtls1_retransmit_buffered_messages(SSL *s);
+-void dtls1_clear_record_buffer(SSL *s);
++void dtls1_clear_received_buffer(SSL *s);
++void dtls1_clear_sent_buffer(SSL *s);
+ void dtls1_get_message_header(unsigned char *data,
+ struct hm_header_st *msg_hdr);
+ void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr);
+--
+2.9.3
+
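Review bot: The removed `dtls1_clear_record_buffer` carried the comment `/* call this function when the buffered messages are no longer needed */`, but neither replacement in d1_lib.c gets one, so the split between received and sent queues is undocumented; suggest `/* Free all buffered received handshake fragments; call once the handshake is done */` above `dtls1_clear_received_buffer` and `/* Free all buffered sent (retransmit) fragments */` above `dtls1_clear_sent_buffer`. The stale-fragment `do { ... } while (item == NULL);` loop in `dtls1_retrieve_buffered_fragment` would also benefit from a note that only fragments below `handshake_read_seq` are dropped here and future ones are left for the end-of-handshake clear, since that is the reasoning in the commit message. Minor style: the added empty `+` line before `void dtls1_free(SSL *s)` produces two consecutive blank lines. `dtls1_retrieve_buffered_fragment` continues outside the hunk.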
Added: openssl/branches/wheezy/debian/patches/CVE-2016-2180.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2180.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2180.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,39 @@
+From 6adf409c7432b90c06d9890787fe56c48f2a16e7 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Thu, 21 Jul 2016 15:24:16 +0100
+Subject: [PATCH] Fix OOB read in TS_OBJ_print_bio().
+
+TS_OBJ_print_bio() misuses OBJ_txt2obj: it should print the result
+as a null terminated buffer. The length value returned is the total
+length the complete text reprsentation would need not the amount of
+data written.
+
+CVE-2016-2180
+
+Thanks to Shi Lei for reporting this bug.
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(cherry picked from commit 0ed26acce328ec16a3aa635f1ca37365e8c7403a)
+---
+ crypto/ts/ts_lib.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c
+index c51538a..e0f1063 100644
+--- a/crypto/ts/ts_lib.c
++++ b/crypto/ts/ts_lib.c
+@@ -90,9 +90,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
+ {
+ char obj_txt[128];
+
+- int len = OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
+- BIO_write(bio, obj_txt, len);
+- BIO_write(bio, "\n", 1);
++ OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);
++ BIO_printf(bio, "%s\n", obj_txt);
+
+ return 1;
+ }
+--
+2.9.3
+
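Review bot: Discarding the return value of `OBJ_obj2txt(obj_txt, sizeof(obj_txt), obj, 0);` fixes the over-read but makes truncation silent: an object whose textual form exceeds 127 characters is printed cut off with no indication, which may be the intended behaviour here but is not stated. A comment such as `/* obj_txt is always NUL-terminated; longer representations are truncated */` above the `BIO_printf` line would record that choice, and if full output matters the return value can be compared against `sizeof(obj_txt)` and a larger buffer allocated. `TS_OBJ_print_bio` is fully visible in the hunk.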
Added: openssl/branches/wheezy/debian/patches/CVE-2016-2181.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2181.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2181.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,209 @@
+diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
+index ea93a8e..d3ceae0 100644
+--- a/ssl/d1_pkt.c
++++ b/ssl/d1_pkt.c
+@@ -194,7 +194,7 @@ static int dtls1_record_needs_buffering(SSL *s, SSL3_RECORD *rr,
+ #endif
+ static int dtls1_buffer_record(SSL *s, record_pqueue *q,
+ unsigned char *priority);
+-static int dtls1_process_record(SSL *s);
++static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap);
+
+ /* copy buffered record into SSL structure */
+ static int dtls1_copy_record(SSL *s, pitem *item)
+@@ -319,21 +319,70 @@ static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue)
+ static int dtls1_process_buffered_records(SSL *s)
+ {
+ pitem *item;
++ SSL3_BUFFER *rb;
++ SSL3_RECORD *rr;
++ DTLS1_BITMAP *bitmap;
++ unsigned int is_next_epoch;
++ int replayok = 1;
+
+ item = pqueue_peek(s->d1->unprocessed_rcds.q);
+ if (item) {
+ /* Check if epoch is current. */
+ if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
+- return (1); /* Nothing to do. */
++ return 1; /* Nothing to do. */
++
++ rr = &s->s3->rrec;
++ rb = &s->s3->rbuf;
++
++ if (rb->left > 0) {
++ /*
++ * We've still got data from the current packet to read. There could
++ * be a record from the new epoch in it - so don't overwrite it
++ * with the unprocessed records yet (we'll do it when we've
++ * finished reading the current packet).
++ */
++ return 1;
++ }
++
+
+ /* Process all the records. */
+ while (pqueue_peek(s->d1->unprocessed_rcds.q)) {
+ dtls1_get_unprocessed_record(s);
+- if (!dtls1_process_record(s))
+- return (0);
++ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch);
++ if (bitmap == NULL) {
++ /*
++ * Should not happen. This will only ever be NULL when the
++ * current record is from a different epoch. But that cannot
++ * be the case because we already checked the epoch above
++ */
++ SSLerr(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS,
++ ERR_R_INTERNAL_ERROR);
++ return 0;
++ }
++#ifndef OPENSSL_NO_SCTP
++ /* Only do replay check if no SCTP bio */
++ if (!BIO_dgram_is_sctp(SSL_get_rbio(s)))
++#endif
++ {
++ /*
++ * Check whether this is a repeat, or aged record. We did this
++ * check once already when we first received the record - but
++ * we might have updated the window since then due to
++ * records we subsequently processed.
++ */
++ replayok = dtls1_record_replay_check(s, bitmap);
++ }
++
++ if (!replayok || !dtls1_process_record(s, bitmap)) {
++ /* dump this record */
++ rr->length = 0;
++ s->packet_length = 0;
++ continue;
++ }
++
+ if (dtls1_buffer_record(s, &(s->d1->processed_rcds),
+ s->s3->rrec.seq_num) < 0)
+- return -1;
++ return 0;
+ }
+ }
+
+@@ -344,7 +393,7 @@ static int dtls1_process_buffered_records(SSL *s)
+ s->d1->processed_rcds.epoch = s->d1->r_epoch;
+ s->d1->unprocessed_rcds.epoch = s->d1->r_epoch + 1;
+
+- return (1);
++ return 1;
+ }
+
+ #if 0
+@@ -391,7 +440,7 @@ static int dtls1_get_buffered_record(SSL *s)
+
+ #endif
+
+-static int dtls1_process_record(SSL *s)
++static int dtls1_process_record(SSL *s, DTLS1_BITMAP *bitmap)
+ {
+ int i, al;
+ int enc_err;
+@@ -551,6 +600,10 @@ static int dtls1_process_record(SSL *s)
+
+ /* we have pulled in a full packet so zero things */
+ s->packet_length = 0;
++
++ /* Mark receipt of record. */
++ dtls1_record_bitmap_update(s, bitmap);
++
+ return (1);
+
+ f_err:
+@@ -581,11 +634,12 @@ int dtls1_get_record(SSL *s)
+
+ rr = &(s->s3->rrec);
+
++ again:
+ /*
+ * The epoch may have changed. If so, process all the pending records.
+ * This is a non-blocking operation.
+ */
+- if (dtls1_process_buffered_records(s) < 0)
++ if (!dtls1_process_buffered_records(s))
+ return -1;
+
+ /* if we're renegotiating, then there may be buffered records */
+@@ -593,7 +647,6 @@ int dtls1_get_record(SSL *s)
+ return 1;
+
+ /* get something from the wire */
+- again:
+ /* check if we have the header */
+ if ((s->rstate != SSL_ST_READ_BODY) ||
+ (s->packet_length < DTLS1_RT_HEADER_LENGTH)) {
+@@ -717,20 +770,17 @@ int dtls1_get_record(SSL *s)
+ if (dtls1_buffer_record
+ (s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0)
+ return -1;
+- /* Mark receipt of record. */
+- dtls1_record_bitmap_update(s, bitmap);
+ }
+ rr->length = 0;
+ s->packet_length = 0;
+ goto again;
+ }
+
+- if (!dtls1_process_record(s)) {
++ if (!dtls1_process_record(s, bitmap)) {
+ rr->length = 0;
+ s->packet_length = 0; /* dump this record */
+ goto again; /* get another record */
+ }
+- dtls1_record_bitmap_update(s, bitmap); /* Mark receipt of record. */
+
+ return (1);
+
+@@ -1815,8 +1865,13 @@ static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr,
+ if (rr->epoch == s->d1->r_epoch)
+ return &s->d1->bitmap;
+
+- /* Only HM and ALERT messages can be from the next epoch */
++ /*
++ * Only HM and ALERT messages can be from the next epoch and only if we
++ * have already processed all of the unprocessed records from the last
++ * epoch
++ */
+ else if (rr->epoch == (unsigned long)(s->d1->r_epoch + 1) &&
++ s->d1->unprocessed_rcds.epoch != s->d1->r_epoch &&
+ (rr->type == SSL3_RT_HANDSHAKE || rr->type == SSL3_RT_ALERT)) {
+ *is_next_epoch = 1;
+ return &s->d1->next_bitmap;
+diff --git a/ssl/ssl.h b/ssl/ssl.h
+index d6c475c..8094450 100644
+--- a/ssl/ssl.h
++++ b/ssl/ssl.h
+@@ -2256,6 +2256,7 @@ void ERR_load_SSL_strings(void);
+ # define SSL_F_DTLS1_HEARTBEAT 305
+ # define SSL_F_DTLS1_OUTPUT_CERT_CHAIN 255
+ # define SSL_F_DTLS1_PREPROCESS_FRAGMENT 288
++# define SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS 404
+ # define SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE 256
+ # define SSL_F_DTLS1_PROCESS_RECORD 257
+ # define SSL_F_DTLS1_READ_BYTES 258
+diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
+index caa671a..ed679d1 100644
+--- a/ssl/ssl_err.c
++++ b/ssl/ssl_err.c
+@@ -1,6 +1,6 @@
+ /* ssl/ssl_err.c */
+ /* ====================================================================
+- * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
++ * Copyright (c) 1999-2016 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+@@ -93,6 +93,8 @@ static ERR_STRING_DATA SSL_str_functs[] = {
+ {ERR_FUNC(SSL_F_DTLS1_HEARTBEAT), "DTLS1_HEARTBEAT"},
+ {ERR_FUNC(SSL_F_DTLS1_OUTPUT_CERT_CHAIN), "DTLS1_OUTPUT_CERT_CHAIN"},
+ {ERR_FUNC(SSL_F_DTLS1_PREPROCESS_FRAGMENT), "DTLS1_PREPROCESS_FRAGMENT"},
++ {ERR_FUNC(SSL_F_DTLS1_PROCESS_BUFFERED_RECORDS),
++ "DTLS1_PROCESS_BUFFERED_RECORDS"},
+ {ERR_FUNC(SSL_F_DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE),
+ "DTLS1_PROCESS_OUT_OF_SEQ_MESSAGE"},
+ {ERR_FUNC(SSL_F_DTLS1_PROCESS_RECORD), "DTLS1_PROCESS_RECORD"},
Added: openssl/branches/wheezy/debian/patches/CVE-2016-2182.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2182.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2182.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,39 @@
+Index: openssl-1.0.1t/crypto/bn/bn_print.c
+===================================================================
+--- openssl-1.0.1t.orig/crypto/bn/bn_print.c
++++ openssl-1.0.1t/crypto/bn/bn_print.c
+@@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a)
+ char *p;
+ BIGNUM *t = NULL;
+ BN_ULONG *bn_data = NULL, *lp;
++ int bn_data_num;
+
+ /*-
+ * get an upper bound for the length of the decimal integer
+@@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a)
+ */
+ i = BN_num_bits(a) * 3;
+ num = (i / 10 + i / 1000 + 1) + 1;
+- bn_data =
+- (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG));
+- buf = (char *)OPENSSL_malloc(num + 3);
++ bn_data_num = num / BN_DEC_NUM + 1;
++ bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG));
++ buf = OPENSSL_malloc(num + 3);
+ if ((buf == NULL) || (bn_data == NULL)) {
+ BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE);
+ goto err;
+@@ -140,9 +141,12 @@ char *BN_bn2dec(const BIGNUM *a)
+ if (BN_is_negative(t))
+ *p++ = '-';
+
+- i = 0;
+ while (!BN_is_zero(t)) {
++ if (lp - bn_data >= bn_data_num)
++ goto err;
+ *lp = BN_div_word(t, BN_DEC_CONV);
++ if (*lp == (BN_ULONG)-1)
++ goto err;
+ lp++;
+ }
+ lp--;
Added: openssl/branches/wheezy/debian/patches/CVE-2016-2183.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-2183.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-2183.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,176 @@
+From e95f5e03f6f1f8d3f6cbe4b7fa48e57b4cf8fd60 Mon Sep 17 00:00:00 2001
+From: Rich Salz <rsalz at openssl.org>
+Date: Thu, 18 Aug 2016 09:26:52 -0400
+Subject: [PATCH] SWEET32 (CVE-2016-2183): Move DES from HIGH to MEDIUM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+(cherry picked from commit 0fff5065884d5ac61123a604bbcee30a53c808ff)
+---
+ CHANGES | 4 +++-
+ ssl/s3_lib.c | 34 +++++++++++++++++-----------------
+ 2 files changed, 20 insertions(+), 18 deletions(-)
+
+diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
+index 35d6587..6b1822d 100644
+--- a/ssl/s3_lib.c
++++ b/ssl/s3_lib.c
+@@ -334,7 +334,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -387,7 +387,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -439,7 +439,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -492,7 +492,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -544,7 +544,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -630,7 +630,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -717,7 +717,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -783,7 +783,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_MD5,
+ SSL_SSLV3,
+- SSL_NOT_EXP | SSL_HIGH,
++ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -1733,7 +1733,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2110,7 +2110,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2190,7 +2190,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2270,7 +2270,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2350,7 +2350,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2430,7 +2430,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
++ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM | SSL_FIPS,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2480,7 +2480,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH,
++ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2496,7 +2496,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH,
++ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+@@ -2512,7 +2512,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
+ SSL_3DES,
+ SSL_SHA1,
+ SSL_TLSV1,
+- SSL_NOT_EXP | SSL_HIGH,
++ SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
+ 112,
+ 168,
+--
+2.9.3
+
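Review bot: The diffstat in the patch header lists `CHANGES | 4 +++-`, but the body only contains the ssl/s3_lib.c diff, so the stat no longer describes this patch; either drop the CHANGES line from the stat or keep the CHANGES hunk. On substance, reclassifying every 3DES suite from SSL_HIGH to SSL_MEDIUM only changes what the `HIGH` cipher-string keyword selects; as far as I can tell from 1.0.1's default cipher list, MEDIUM suites remain in DEFAULT, so a wheezy server with an unchanged configuration still negotiates 3DES after this patch. A sentence in the patch header or README.Debian along the lines of `This does not disable 3DES; configurations that must mitigate SWEET32 need an explicit !3DES` would stop operators from reading "CVE-2016-2183 fixed" as "3DES off".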
Added: openssl/branches/wheezy/debian/patches/CVE-2016-6302.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-6302.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-6302.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,52 @@
+From 1bbe48ab149893a78bf99c8eb8895c928900a16f Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Tue, 23 Aug 2016 18:14:54 +0100
+Subject: [PATCH] Sanity check ticket length.
+
+If a ticket callback changes the HMAC digest to SHA512 the existing
+sanity checks are not sufficient and an attacker could perform a DoS
+attack with a malformed ticket. Add additional checks based on
+HMAC size.
+
+Thanks to Shi Lei for reporting this bug.
+
+CVE-2016-6302
+
+Reviewed-by: Rich Salz <rsalz at openssl.org>
+(cherry picked from commit baaabfd8fdcec04a691695fad9a664bea43202b6)
+---
+ ssl/t1_lib.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index d961e4a..7680491 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -2273,9 +2273,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
+ HMAC_CTX hctx;
+ EVP_CIPHER_CTX ctx;
+ SSL_CTX *tctx = s->initial_ctx;
+- /* Need at least keyname + iv + some encrypted data */
+- if (eticklen < 48)
+- return 2;
++
+ /* Initialize session ticket encryption and HMAC contexts */
+ HMAC_CTX_init(&hctx);
+ EVP_CIPHER_CTX_init(&ctx);
+@@ -2309,6 +2307,13 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
+ if (mlen < 0) {
+ goto err;
+ }
++ /* Sanity check ticket length: must exceed keyname + IV + HMAC */
++ if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
++ HMAC_CTX_cleanup(&hctx);
++ EVP_CIPHER_CTX_cleanup(&ctx);
++ return 2;
++ }
++
+ eticklen -= mlen;
+ /* Check HMAC of encrypted ticket */
+ if (HMAC_Update(&hctx, etick, eticklen) <= 0
+--
+2.9.3
+
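Review bot: Removing the `eticklen < 48` early return without replacing it means the code between the two hunks — the key-name comparison and the ticket-key callback or EVP_DecryptInit_ex call that receive `etick + 16` as the IV — now runs on tickets shorter than key name plus IV, because the new check only happens once `mlen` is known. That stretch of tls_decrypt_ticket lies outside the hunk, so I cannot confirm whether the caller already enforces a minimum; unless it does, keep a cheap guard before the contexts are initialised, e.g. `if (eticklen < 16 + EVP_MAX_IV_LENGTH) return 2;`, and let the HMAC-size-aware check handle the precise bound. The new check itself correctly cleans up both contexts before returning 2. tls_decrypt_ticket starts and ends outside this hunk.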
Added: openssl/branches/wheezy/debian/patches/CVE-2016-6303.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-6303.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-6303.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,31 @@
+From 2b4029e68fd7002d2307e6c3cde0f3784eef9c83 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Fri, 19 Aug 2016 23:28:29 +0100
+Subject: [PATCH] Avoid overflow in MDC2_Update()
+
+Thanks to Shi Lei for reporting this issue.
+
+CVE-2016-6303
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(cherry picked from commit 55d83bf7c10c7b205fffa23fa7c3977491e56c07)
+---
+ crypto/mdc2/mdc2dgst.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c
+index 6615cf8..2dce493 100644
+--- a/crypto/mdc2/mdc2dgst.c
++++ b/crypto/mdc2/mdc2dgst.c
+@@ -91,7 +91,7 @@ int MDC2_Update(MDC2_CTX *c, const unsigned char *in, size_t len)
+
+ i = c->num;
+ if (i != 0) {
+- if (i + len < MDC2_BLOCK) {
++ if (len < MDC2_BLOCK - i) {
+ /* partial block */
+ memcpy(&(c->data[i]), in, len);
+ c->num += (int)len;
+--
+2.9.3
+
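Review bot: The rewritten condition `len < MDC2_BLOCK - i` is only safe because `i = c->num` is strictly below MDC2_BLOCK here; if that invariant ever broke, `MDC2_BLOCK - i` would go negative and, converted to size_t for the comparison, wrap to a huge value that accepts any `len`. The invariant is maintained outside this hunk and cannot be checked from it, so a comment stating it would help the next reader see why subtraction was chosen over the old addition, e.g. `/* c->num < MDC2_BLOCK here; subtract so a huge len cannot wrap i + len */`. MDC2_Update continues past the end of the hunk.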
Added: openssl/branches/wheezy/debian/patches/CVE-2016-6304.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-6304.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-6304.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,70 @@
+From 73e8ae66b0b7d6534699492d127d457d2540a762 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Fri, 9 Sep 2016 10:08:45 +0100
+Subject: [PATCH] Fix OCSP Status Request extension unbounded memory growth
+
+A malicious client can send an excessively large OCSP Status Request
+extension. If that client continually requests renegotiation,
+sending a large OCSP Status Request extension each time, then there will
+be unbounded memory growth on the server. This will eventually lead to a
+Denial Of Service attack through memory exhaustion. Servers with a
+default configuration are vulnerable even if they do not support OCSP.
+Builds using the "no-ocsp" build time option are not affected.
+
+I have also checked other extensions to see if they suffer from a similar
+problem but I could not find any other issues.
+
+CVE-2016-6304
+
+Issue reported by Shi Lei.
+
+Reviewed-by: Rich Salz <rsalz at openssl.org>
+---
+ ssl/t1_lib.c | 24 +++++++++++++++++-------
+ 1 file changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
+index 7680491..4bc13ca 100644
+--- a/ssl/t1_lib.c
++++ b/ssl/t1_lib.c
+@@ -1284,6 +1284,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
+ size -= 2;
+ if (dsize > size)
+ goto err;
++
++ /*
++ * We remove any OCSP_RESPIDs from a previous handshake
++ * to prevent unbounded memory growth - CVE-2016-6304
++ */
++ sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids,
++ OCSP_RESPID_free);
++ if (dsize > 0) {
++ s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
++ if (s->tlsext_ocsp_ids == NULL) {
++ *al = SSL_AD_INTERNAL_ERROR;
++ return 0;
++ }
++ } else {
++ s->tlsext_ocsp_ids = NULL;
++ }
++
+ while (dsize > 0) {
+ OCSP_RESPID *id;
+ int idsize;
+@@ -1303,13 +1320,6 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p,
+ OCSP_RESPID_free(id);
+ goto err;
+ }
+- if (!s->tlsext_ocsp_ids
+- && !(s->tlsext_ocsp_ids =
+- sk_OCSP_RESPID_new_null())) {
+- OCSP_RESPID_free(id);
+- *al = SSL_AD_INTERNAL_ERROR;
+- return 0;
+- }
+ if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
+ OCSP_RESPID_free(id);
+ *al = SSL_AD_INTERNAL_ERROR;
+--
+2.9.3
+
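Review bot: The `else` branch's `s->tlsext_ocsp_ids = NULL;` is load-bearing but looks redundant next to the pop_free above it: sk_OCSP_RESPID_pop_free() frees the stack but leaves the caller's pointer unchanged, so without that assignment a later ClientHello with an empty responder-ID list would pop_free a stale pointer. A comment such as `/* pop_free() does not clear the pointer; reset it so a later handshake cannot free it twice */` would prevent someone "simplifying" it away. The per-ID parsing loop that follows, and the later push on failure paths, are outside the hunk and were not checked here.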
Added: openssl/branches/wheezy/debian/patches/CVE-2016-6306.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/CVE-2016-6306.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/CVE-2016-6306.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,102 @@
+From 52e623c4cb06fffa9d5e75c60b34b4bc130b12e9 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Sat, 17 Sep 2016 12:36:58 +0100
+Subject: [PATCH] Fix small OOB reads.
+
+In ssl3_get_client_certificate, ssl3_get_server_certificate and
+ssl3_get_certificate_request check we have enough room
+before reading a length.
+
+Thanks to Shi Lei (Gear Team, Qihoo 360 Inc.) for reporting these bugs.
+
+CVE-2016-6306
+
+Reviewed-by: Richard Levitte <levitte at openssl.org>
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(cherry picked from commit ff553f837172ecb2b5c8eca257ec3c5619a4b299)
+---
+ ssl/s3_clnt.c | 11 +++++++++++
+ ssl/s3_srvr.c | 6 ++++++
+ 2 files changed, 17 insertions(+)
+
+Index: openssl-1.0.1t/ssl/s3_clnt.c
+===================================================================
+--- openssl-1.0.1t.orig/ssl/s3_clnt.c
++++ openssl-1.0.1t/ssl/s3_clnt.c
+@@ -1143,6 +1143,12 @@ int ssl3_get_server_certificate(SSL *s)
+ goto f_err;
+ }
+ for (nc = 0; nc < llen;) {
++ if (nc + 3 > llen) {
++ al = SSL_AD_DECODE_ERROR;
++ SSLerr(SSL_F_SSL3_GET_SERVER_CERTIFICATE,
++ SSL_R_CERT_LENGTH_MISMATCH);
++ goto f_err;
++ }
+ n2l3(p, l);
+ if ((l + nc + 3) > llen) {
+ al = SSL_AD_DECODE_ERROR;
+@@ -2072,6 +2078,11 @@ int ssl3_get_certificate_request(SSL *s)
+ }
+
+ for (nc = 0; nc < llen;) {
++ if (nc + 2 > llen) {
++ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
++ SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, SSL_R_CA_DN_TOO_LONG);
++ goto err;
++ }
+ n2s(p, l);
+ if ((l + nc + 2) > llen) {
+ if ((s->options & SSL_OP_NETSCAPE_CA_DN_BUG))
+Index: openssl-1.0.1t/ssl/s3_srvr.c
+===================================================================
+--- openssl-1.0.1t.orig/ssl/s3_srvr.c
++++ openssl-1.0.1t/ssl/s3_srvr.c
+@@ -3237,6 +3237,12 @@ int ssl3_get_client_certificate(SSL *s)
+ goto f_err;
+ }
+ for (nc = 0; nc < llen;) {
++ if (nc + 3 > llen) {
++ al = SSL_AD_DECODE_ERROR;
++ SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
++ SSL_R_CERT_LENGTH_MISMATCH);
++ goto f_err;
++ }
+ n2l3(p, l);
+ if ((l + nc + 3) > llen) {
+ al = SSL_AD_DECODE_ERROR;
+Index: openssl-1.0.1t/ssl/d1_both.c
+===================================================================
+--- openssl-1.0.1t.orig/ssl/d1_both.c
++++ openssl-1.0.1t/ssl/d1_both.c
+@@ -577,9 +577,12 @@ static int dtls1_preprocess_fragment(SSL
+ /*
+ * msg_len is limited to 2^24, but is effectively checked against max
+ * above
++ *
++ * Make buffer slightly larger than message length as a precaution
++ * against small OOB reads e.g. CVE-2016-6306
+ */
+ if (!BUF_MEM_grow_clean
+- (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) {
++ (s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH + 16)) {
+ SSLerr(SSL_F_DTLS1_PREPROCESS_FRAGMENT, ERR_R_BUF_LIB);
+ return SSL_AD_INTERNAL_ERROR;
+ }
+Index: openssl-1.0.1t/ssl/s3_both.c
+===================================================================
+--- openssl-1.0.1t.orig/ssl/s3_both.c
++++ openssl-1.0.1t/ssl/s3_both.c
+@@ -502,7 +502,11 @@ long ssl3_get_message(SSL *s, int st1, i
+ SSLerr(SSL_F_SSL3_GET_MESSAGE, SSL_R_EXCESSIVE_MESSAGE_SIZE);
+ goto f_err;
+ }
+- if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l + 4)) {
++ /*
++ * Make buffer slightly larger than message length as a precaution
++ * against small OOB reads e.g. CVE-2016-6306
++ */
++ if (l && !BUF_MEM_grow_clean(s->init_buf, (int)l + 4 + 16)) {
+ SSLerr(SSL_F_SSL3_GET_MESSAGE, ERR_R_BUF_LIB);
+ goto err;
+ }
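Review bot: The diffstat in the patch header lists only ssl/s3_clnt.c and ssl/s3_srvr.c (17 insertions), but the body also changes ssl/d1_both.c and ssl/s3_both.c, so the header understates the patch and a reader cannot tell whether the extra `+ 16` buffer slack is part of the cherry-picked upstream commit or a Debian addition; the DEP-3 header should say which, and the stat should match the body. The `+ 16` over-allocation in dtls1_preprocess_fragment and ssl3_get_message is a defence-in-depth heuristic that only absorbs small over-reads; it does not replace the explicit `nc + 3 > llen` / `nc + 2 > llen` checks, and the comment should say so rather than citing the CVE as if the slack fixed it, e.g. `/* Slack for small over-reads in parsers; not a substitute for bounds checks */`. All four affected functions start and end outside this hunk.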
Deleted: openssl/branches/wheezy/debian/patches/Check-SRP-parameters-early.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Check-SRP-parameters-early.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Check-SRP-parameters-early.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,156 +0,0 @@
-From d9da3ec088a3442fc2d73cb5a8d95c2edd105bc4 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Fri, 1 Aug 2014 14:56:56 +0100
-Subject: [PATCH 14/16] Check SRP parameters early.
-
-Check SRP parameters when they are received so we can send back an
-appropriate alert.
-Reviewed-by: Kurt Roeckx <kurt at openssl.org>
----
- ssl/s3_clnt.c | 6 ++++++
- ssl/s3_srvr.c | 7 +++++++
- ssl/ssl.h | 1 +
- ssl/ssl_err.c | 1 +
- ssl/ssl_locl.h | 3 +++
- ssl/tls_srp.c | 48 +++++++++++++++++++++++++++++++++++++-----------
- 6 files changed, 55 insertions(+), 11 deletions(-)
-
-Index: openssl-1.0.1e/ssl/s3_clnt.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_clnt.c 2014-08-06 18:43:44.000000000 +0000
-+++ openssl-1.0.1e/ssl/s3_clnt.c 2014-08-06 18:43:56.805003347 +0000
-@@ -1470,6 +1470,12 @@
- p+=i;
- n-=param_len;
-
-+ if (!srp_verify_server_param(s, &al))
-+ {
-+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_BAD_SRP_PARAMETERS);
-+ goto f_err;
-+ }
-+
- /* We must check if there is a certificate */
- #ifndef OPENSSL_NO_RSA
- if (alg_a & SSL_aRSA)
-Index: openssl-1.0.1e/ssl/s3_srvr.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_srvr.c 2014-08-06 18:41:01.000000000 +0000
-+++ openssl-1.0.1e/ssl/s3_srvr.c 2014-08-06 18:43:56.889001598 +0000
-@@ -2799,6 +2799,13 @@
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_BN_LIB);
- goto err;
- }
-+ if (BN_ucmp(s->srp_ctx.A, s->srp_ctx.N) >= 0
-+ || BN_is_zero(s->srp_ctx.A))
-+ {
-+ al=SSL_AD_ILLEGAL_PARAMETER;
-+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_SRP_PARAMETERS);
-+ goto f_err;
-+ }
- if (s->session->srp_username != NULL)
- OPENSSL_free(s->session->srp_username);
- s->session->srp_username = BUF_strdup(s->srp_ctx.login);
-Index: openssl-1.0.1e/ssl/ssl.h
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl.h 2014-08-06 18:43:44.000000000 +0000
-+++ openssl-1.0.1e/ssl/ssl.h 2014-08-06 18:43:56.893001514 +0000
-@@ -2313,6 +2313,7 @@
- #define SSL_R_BAD_SRP_B_LENGTH 348
- #define SSL_R_BAD_SRP_G_LENGTH 349
- #define SSL_R_BAD_SRP_N_LENGTH 350
-+#define SSL_R_BAD_SRP_PARAMETERS 371
- #define SSL_R_BAD_SRP_S_LENGTH 351
- #define SSL_R_BAD_SRTP_MKI_VALUE 352
- #define SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST 353
-Index: openssl-1.0.1e/ssl/ssl_err.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl_err.c 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/ssl/ssl_err.c 2014-08-06 18:43:56.893001514 +0000
-@@ -329,6 +329,7 @@
- {ERR_REASON(SSL_R_BAD_SRP_B_LENGTH) ,"bad srp b length"},
- {ERR_REASON(SSL_R_BAD_SRP_G_LENGTH) ,"bad srp g length"},
- {ERR_REASON(SSL_R_BAD_SRP_N_LENGTH) ,"bad srp n length"},
-+{ERR_REASON(SSL_R_BAD_SRP_PARAMETERS) ,"bad srp parameters"},
- {ERR_REASON(SSL_R_BAD_SRP_S_LENGTH) ,"bad srp s length"},
- {ERR_REASON(SSL_R_BAD_SRTP_MKI_VALUE) ,"bad srtp mki value"},
- {ERR_REASON(SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST),"bad srtp protection profile list"},
-Index: openssl-1.0.1e/ssl/ssl_locl.h
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl_locl.h 2014-08-06 18:43:44.000000000 +0000
-+++ openssl-1.0.1e/ssl/ssl_locl.h 2014-08-06 18:44:41.368075207 +0000
-@@ -1174,4 +1174,6 @@
- const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx,
- const unsigned char *data, size_t data_len, size_t orig_len);
-
-+int srp_verify_server_param(SSL *s, int *al);
-+
- #endif
-Index: openssl-1.0.1e/ssl/tls_srp.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/tls_srp.c 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/ssl/tls_srp.c 2014-08-06 18:43:56.893001514 +0000
-@@ -408,16 +408,46 @@
- return ret;
- }
-
--int SRP_Calc_A_param(SSL *s)
-+int srp_verify_server_param(SSL *s, int *al)
- {
-- unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
-+ SRP_CTX *srp = &s->srp_ctx;
-+ /* Sanity check parameters: we can quickly check B % N == 0
-+ * by checking B != 0 since B < N
-+ */
-+ if (BN_ucmp(srp->g, srp->N) >=0 || BN_ucmp(srp->B, srp->N) >= 0
-+ || BN_is_zero(srp->B))
-+ {
-+ *al = SSL3_AD_ILLEGAL_PARAMETER;
-+ return 0;
-+ }
-+
-+ if (BN_num_bits(srp->N) < srp->strength)
-+ {
-+ *al = TLS1_AD_INSUFFICIENT_SECURITY;
-+ return 0;
-+ }
-+
-+ if (srp->SRP_verify_param_callback)
-+ {
-+ if (srp->SRP_verify_param_callback(s, srp->SRP_cb_arg) <= 0)
-+ {
-+ *al = TLS1_AD_INSUFFICIENT_SECURITY;
-+ return 0;
-+ }
-+ }
-+ else if(!SRP_check_known_gN_param(srp->g, srp->N))
-+ {
-+ *al = TLS1_AD_INSUFFICIENT_SECURITY;
-+ return 0;
-+ }
-
-- if (BN_num_bits(s->srp_ctx.N) < s->srp_ctx.strength)
-- return -1;
-+ return 1;
-+ }
-+
-
-- if (s->srp_ctx.SRP_verify_param_callback ==NULL &&
-- !SRP_check_known_gN_param(s->srp_ctx.g,s->srp_ctx.N))
-- return -1 ;
-+int SRP_Calc_A_param(SSL *s)
-+ {
-+ unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH];
-
- RAND_bytes(rnd, sizeof(rnd));
- s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a);
-@@ -426,10 +456,6 @@
- if (!(s->srp_ctx.A = SRP_Calc_A(s->srp_ctx.a,s->srp_ctx.N,s->srp_ctx.g)))
- return -1;
-
-- /* We can have a callback to verify SRP param!! */
-- if (s->srp_ctx.SRP_verify_param_callback !=NULL)
-- return s->srp_ctx.SRP_verify_param_callback(s,s->srp_ctx.SRP_cb_arg);
--
- return 1;
- }
-
Deleted: openssl/branches/wheezy/debian/patches/Disable-EXPORT-and-LOW-ciphers.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Disable-EXPORT-and-LOW-ciphers.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Disable-EXPORT-and-LOW-ciphers.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,624 +0,0 @@
-Index: openssl-1.0.1e/doc/apps/ciphers.pod
-===================================================================
---- openssl-1.0.1e.orig/doc/apps/ciphers.pod
-+++ openssl-1.0.1e/doc/apps/ciphers.pod
-@@ -139,34 +139,46 @@ than 128 bits, and some cipher suites wi
-
- =item B<LOW>
-
--"low" encryption cipher suites, currently those using 64 or 56 bit encryption algorithms
--but excluding export cipher suites.
-+Low strength encryption cipher suites, currently those using 64 or 56 bit
-+encryption algorithms but excluding export cipher suites.
-+These are disabled in default builds.
-
- =item B<EXP>, B<EXPORT>
-
--export encryption algorithms. Including 40 and 56 bits algorithms.
-+Export strength encryption algorithms. Including 40 and 56 bits algorithms.
-+These are disabled in default builds.
-
- =item B<EXPORT40>
-
--40 bit export encryption algorithms
-+40-bit export encryption algorithms
-+These are disabled in default builds.
-
- =item B<EXPORT56>
-
--56 bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of
-+56-bit export encryption algorithms. In OpenSSL 0.9.8c and later the set of
- 56 bit export ciphers is empty unless OpenSSL has been explicitly configured
- with support for experimental ciphers.
-+These are disabled in default builds.
-
- =item B<eNULL>, B<NULL>
-
--the "NULL" ciphers that is those offering no encryption. Because these offer no
--encryption at all and are a security risk they are disabled unless explicitly
--included.
-+The "NULL" ciphers that is those offering no encryption. Because these offer no
-+encryption at all and are a security risk they are not enabled via either the
-+B<DEFAULT> or B<ALL> cipher strings.
-+Be careful when building cipherlists out of lower-level primitives such as
-+B<kRSA> or B<aECDSA> as these do overlap with the B<eNULL> ciphers.
-+When in doubt, include B<!eNULL> in your cipherlist.
-
- =item B<aNULL>
-
--the cipher suites offering no authentication. This is currently the anonymous
--DH algorithms. These cipher suites are vulnerable to a "man in the middle"
--attack and so their use is normally discouraged.
-+The cipher suites offering no authentication. This is currently the anonymous
-+DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable
-+to a "man in the middle" attack and so their use is normally discouraged.
-+These are excluded from the B<DEFAULT> ciphers, but included in the B<ALL>
-+ciphers.
-+Be careful when building cipherlists out of lower-level primitives such as
-+B<kDHE> or B<AES> as these do overlap with the B<aNULL> ciphers.
-+When in doubt, include B<!aNULL> in your cipherlist.
-
- =item B<kRSA>, B<RSA>
-
-Index: openssl-1.0.1e/ssl/s3_lib.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_lib.c
-+++ openssl-1.0.1e/ssl/s3_lib.c
-@@ -202,22 +202,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 0,
- },
-
--/* Cipher 03 */
-- {
-- 1,
-- SSL3_TXT_RSA_RC4_40_MD5,
-- SSL3_CK_RSA_RC4_40_MD5,
-- SSL_kRSA,
-- SSL_aRSA,
-- SSL_RC4,
-- SSL_MD5,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 128,
-- },
--
- /* Cipher 04 */
- {
- 1,
-@@ -250,22 +234,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 128,
- },
-
--/* Cipher 06 */
-- {
-- 1,
-- SSL3_TXT_RSA_RC2_40_MD5,
-- SSL3_CK_RSA_RC2_40_MD5,
-- SSL_kRSA,
-- SSL_aRSA,
-- SSL_RC2,
-- SSL_MD5,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 128,
-- },
--
- /* Cipher 07 */
- #ifndef OPENSSL_NO_IDEA
- {
-@@ -284,38 +252,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- },
- #endif
-
--/* Cipher 08 */
-- {
-- 1,
-- SSL3_TXT_RSA_DES_40_CBC_SHA,
-- SSL3_CK_RSA_DES_40_CBC_SHA,
-- SSL_kRSA,
-- SSL_aRSA,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 56,
-- },
--
--/* Cipher 09 */
-- {
-- 1,
-- SSL3_TXT_RSA_DES_64_CBC_SHA,
-- SSL3_CK_RSA_DES_64_CBC_SHA,
-- SSL_kRSA,
-- SSL_aRSA,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_NOT_EXP|SSL_LOW,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 56,
-- },
--
- /* Cipher 0A */
- {
- 1,
-@@ -332,39 +268,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 168,
- },
-
--/* The DH ciphers */
--/* Cipher 0B */
-- {
-- 0,
-- SSL3_TXT_DH_DSS_DES_40_CBC_SHA,
-- SSL3_CK_DH_DSS_DES_40_CBC_SHA,
-- SSL_kDHd,
-- SSL_aDH,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 56,
-- },
--
--/* Cipher 0C */
-- {
-- 0, /* not implemented (non-ephemeral DH) */
-- SSL3_TXT_DH_DSS_DES_64_CBC_SHA,
-- SSL3_CK_DH_DSS_DES_64_CBC_SHA,
-- SSL_kDHd,
-- SSL_aDH,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_NOT_EXP|SSL_LOW,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 56,
-- },
--
- /* Cipher 0D */
- {
- 0, /* not implemented (non-ephemeral DH) */
-@@ -381,38 +284,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 168,
- },
-
--/* Cipher 0E */
-- {
-- 0, /* not implemented (non-ephemeral DH) */
-- SSL3_TXT_DH_RSA_DES_40_CBC_SHA,
-- SSL3_CK_DH_RSA_DES_40_CBC_SHA,
-- SSL_kDHr,
-- SSL_aDH,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 56,
-- },
--
--/* Cipher 0F */
-- {
-- 0, /* not implemented (non-ephemeral DH) */
-- SSL3_TXT_DH_RSA_DES_64_CBC_SHA,
-- SSL3_CK_DH_RSA_DES_64_CBC_SHA,
-- SSL_kDHr,
-- SSL_aDH,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_NOT_EXP|SSL_LOW,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 56,
-- },
--
- /* Cipher 10 */
- {
- 0, /* not implemented (non-ephemeral DH) */
-@@ -430,38 +301,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- },
-
- /* The Ephemeral DH ciphers */
--/* Cipher 11 */
-- {
-- 1,
-- SSL3_TXT_EDH_DSS_DES_40_CBC_SHA,
-- SSL3_CK_EDH_DSS_DES_40_CBC_SHA,
-- SSL_kEDH,
-- SSL_aDSS,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 56,
-- },
--
--/* Cipher 12 */
-- {
-- 1,
-- SSL3_TXT_EDH_DSS_DES_64_CBC_SHA,
-- SSL3_CK_EDH_DSS_DES_64_CBC_SHA,
-- SSL_kEDH,
-- SSL_aDSS,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_NOT_EXP|SSL_LOW,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 56,
-- },
--
- /* Cipher 13 */
- {
- 1,
-@@ -478,38 +317,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 168,
- },
-
--/* Cipher 14 */
-- {
-- 1,
-- SSL3_TXT_EDH_RSA_DES_40_CBC_SHA,
-- SSL3_CK_EDH_RSA_DES_40_CBC_SHA,
-- SSL_kEDH,
-- SSL_aRSA,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 56,
-- },
--
--/* Cipher 15 */
-- {
-- 1,
-- SSL3_TXT_EDH_RSA_DES_64_CBC_SHA,
-- SSL3_CK_EDH_RSA_DES_64_CBC_SHA,
-- SSL_kEDH,
-- SSL_aRSA,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_NOT_EXP|SSL_LOW,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 56,
-- },
--
- /* Cipher 16 */
- {
- 1,
-@@ -526,22 +333,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 168,
- },
-
--/* Cipher 17 */
-- {
-- 1,
-- SSL3_TXT_ADH_RC4_40_MD5,
-- SSL3_CK_ADH_RC4_40_MD5,
-- SSL_kEDH,
-- SSL_aNULL,
-- SSL_RC4,
-- SSL_MD5,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 128,
-- },
--
- /* Cipher 18 */
- {
- 1,
-@@ -558,38 +349,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 128,
- },
-
--/* Cipher 19 */
-- {
-- 1,
-- SSL3_TXT_ADH_DES_40_CBC_SHA,
-- SSL3_CK_ADH_DES_40_CBC_SHA,
-- SSL_kEDH,
-- SSL_aNULL,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 128,
-- },
--
--/* Cipher 1A */
-- {
-- 1,
-- SSL3_TXT_ADH_DES_64_CBC_SHA,
-- SSL3_CK_ADH_DES_64_CBC_SHA,
-- SSL_kEDH,
-- SSL_aNULL,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_NOT_EXP|SSL_LOW,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 56,
-- },
--
- /* Cipher 1B */
- {
- 1,
-@@ -659,22 +418,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
-
- #ifndef OPENSSL_NO_KRB5
- /* The Kerberos ciphers*/
--/* Cipher 1E */
-- {
-- 1,
-- SSL3_TXT_KRB5_DES_64_CBC_SHA,
-- SSL3_CK_KRB5_DES_64_CBC_SHA,
-- SSL_kKRB5,
-- SSL_aKRB5,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_NOT_EXP|SSL_LOW,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 56,
-- },
--
- /* Cipher 1F */
- {
- 1,
-@@ -723,22 +466,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 128,
- },
-
--/* Cipher 22 */
-- {
-- 1,
-- SSL3_TXT_KRB5_DES_64_CBC_MD5,
-- SSL3_CK_KRB5_DES_64_CBC_MD5,
-- SSL_kKRB5,
-- SSL_aKRB5,
-- SSL_DES,
-- SSL_MD5,
-- SSL_SSLV3,
-- SSL_NOT_EXP|SSL_LOW,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 56,
-- },
--
- /* Cipher 23 */
- {
- 1,
-@@ -786,102 +513,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
- 128,
- 128,
- },
--
--/* Cipher 26 */
-- {
-- 1,
-- SSL3_TXT_KRB5_DES_40_CBC_SHA,
-- SSL3_CK_KRB5_DES_40_CBC_SHA,
-- SSL_kKRB5,
-- SSL_aKRB5,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 56,
-- },
--
--/* Cipher 27 */
-- {
-- 1,
-- SSL3_TXT_KRB5_RC2_40_CBC_SHA,
-- SSL3_CK_KRB5_RC2_40_CBC_SHA,
-- SSL_kKRB5,
-- SSL_aKRB5,
-- SSL_RC2,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 128,
-- },
--
--/* Cipher 28 */
-- {
-- 1,
-- SSL3_TXT_KRB5_RC4_40_SHA,
-- SSL3_CK_KRB5_RC4_40_SHA,
-- SSL_kKRB5,
-- SSL_aKRB5,
-- SSL_RC4,
-- SSL_SHA1,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 128,
-- },
--
--/* Cipher 29 */
-- {
-- 1,
-- SSL3_TXT_KRB5_DES_40_CBC_MD5,
-- SSL3_CK_KRB5_DES_40_CBC_MD5,
-- SSL_kKRB5,
-- SSL_aKRB5,
-- SSL_DES,
-- SSL_MD5,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 56,
-- },
--
--/* Cipher 2A */
-- {
-- 1,
-- SSL3_TXT_KRB5_RC2_40_CBC_MD5,
-- SSL3_CK_KRB5_RC2_40_CBC_MD5,
-- SSL_kKRB5,
-- SSL_aKRB5,
-- SSL_RC2,
-- SSL_MD5,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 128,
-- },
--
--/* Cipher 2B */
-- {
-- 1,
-- SSL3_TXT_KRB5_RC4_40_MD5,
-- SSL3_CK_KRB5_RC4_40_MD5,
-- SSL_kKRB5,
-- SSL_aKRB5,
-- SSL_RC4,
-- SSL_MD5,
-- SSL_SSLV3,
-- SSL_EXPORT|SSL_EXP40,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 40,
-- 128,
-- },
- #endif /* OPENSSL_NO_KRB5 */
-
- /* New AES ciphersuites */
-@@ -1270,104 +901,6 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
-
- #if TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES
- /* New TLS Export CipherSuites from expired ID */
--#if 0
-- /* Cipher 60 */
-- {
-- 1,
-- TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_MD5,
-- TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_MD5,
-- SSL_kRSA,
-- SSL_aRSA,
-- SSL_RC4,
-- SSL_MD5,
-- SSL_TLSV1,
-- SSL_EXPORT|SSL_EXP56,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 128,
-- },
--
-- /* Cipher 61 */
-- {
-- 1,
-- TLS1_TXT_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-- TLS1_CK_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5,
-- SSL_kRSA,
-- SSL_aRSA,
-- SSL_RC2,
-- SSL_MD5,
-- SSL_TLSV1,
-- SSL_EXPORT|SSL_EXP56,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 128,
-- },
--#endif
--
-- /* Cipher 62 */
-- {
-- 1,
-- TLS1_TXT_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-- TLS1_CK_RSA_EXPORT1024_WITH_DES_CBC_SHA,
-- SSL_kRSA,
-- SSL_aRSA,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_TLSV1,
-- SSL_EXPORT|SSL_EXP56,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 56,
-- },
--
-- /* Cipher 63 */
-- {
-- 1,
-- TLS1_TXT_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-- TLS1_CK_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA,
-- SSL_kEDH,
-- SSL_aDSS,
-- SSL_DES,
-- SSL_SHA1,
-- SSL_TLSV1,
-- SSL_EXPORT|SSL_EXP56,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 56,
-- },
--
-- /* Cipher 64 */
-- {
-- 1,
-- TLS1_TXT_RSA_EXPORT1024_WITH_RC4_56_SHA,
-- TLS1_CK_RSA_EXPORT1024_WITH_RC4_56_SHA,
-- SSL_kRSA,
-- SSL_aRSA,
-- SSL_RC4,
-- SSL_SHA1,
-- SSL_TLSV1,
-- SSL_EXPORT|SSL_EXP56,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 128,
-- },
--
-- /* Cipher 65 */
-- {
-- 1,
-- TLS1_TXT_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-- TLS1_CK_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA,
-- SSL_kEDH,
-- SSL_aDSS,
-- SSL_RC4,
-- SSL_SHA1,
-- SSL_TLSV1,
-- SSL_EXPORT|SSL_EXP56,
-- SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
-- 56,
-- 128,
-- },
--
- /* Cipher 66 */
- {
- 1,
Deleted: openssl/branches/wheezy/debian/patches/ECDHE-ECDSA_Safari.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/ECDHE-ECDSA_Safari.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/ECDHE-ECDSA_Safari.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,201 +0,0 @@
-From: Rob Stradling <rob at comodo.com>
-Date: Thu, 5 Sep 2013 13:09:03 +0100
-Subject: [PATCH] Don't prefer ECDHE-ECDSA ciphers when the client appears to
- be Safari on OS X. OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA
- ciphers.
-Origin: upstream, commit:4b61f6d2a675fdb57dc93991e7b332a745b44d1f, commit:937f125efc80d7a4e80a5a02ec0eae02ea0b55ac, commit:f4a51970d245a61e991a0c2e196853e81a1a6c53
-
-
-Index: openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod
-===================================================================
---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_options.pod
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod
-@@ -88,9 +88,10 @@ As of OpenSSL 0.9.8q and 1.0.0c, this op
-
- ...
-
--=item SSL_OP_MSIE_SSLV2_RSA_PADDING
-+=item SSL_OP_SAFARI_ECDHE_ECDSA_BUG
-
--As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
-+Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
-+OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
-
- =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
-
-Index: openssl-1.0.1e/ssl/s3_lib.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_lib.c
-+++ openssl-1.0.1e/ssl/s3_lib.c
-@@ -3037,6 +3037,11 @@ void ssl3_clear(SSL *s)
- s->s3->tmp.ecdh = NULL;
- }
- #endif
-+#ifndef OPENSSL_NO_TLSEXT
-+#ifndef OPENSSL_NO_EC
-+ s->s3->is_probably_safari = 0;
-+#endif /* OPENSSL_NO_EC */
-+#endif /* OPENSSL_NO_TLSEXT */
-
- rp = s->s3->rbuf.buf;
- wp = s->s3->wbuf.buf;
-@@ -4016,6 +4021,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, S
- ii=sk_SSL_CIPHER_find(allow,c);
- if (ii >= 0)
- {
-+#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
-+ if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
-+ {
-+ if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);
-+ continue;
-+ }
-+#endif
- ret=sk_SSL_CIPHER_value(allow,ii);
- break;
- }
-Index: openssl-1.0.1e/ssl/ssl.h
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl.h
-+++ openssl-1.0.1e/ssl/ssl.h
-@@ -555,11 +555,14 @@ struct ssl_session_st
- #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
- #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
- #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
--#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */
-+#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L
- #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
- #define SSL_OP_TLS_D5_BUG 0x00000100L
- #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
-
-+/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
-+#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0
-+
- /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
- * in OpenSSL 0.9.6d. Usually (depending on the application protocol)
- * the workaround is not needed. Unfortunately some broken SSL/TLS
-Index: openssl-1.0.1e/ssl/ssl3.h
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl3.h
-+++ openssl-1.0.1e/ssl/ssl3.h
-@@ -539,6 +539,15 @@ typedef struct ssl3_state_st
- /* Set if we saw the Next Protocol Negotiation extension from our peer. */
- int next_proto_neg_seen;
- #endif
-+
-+#ifndef OPENSSL_NO_TLSEXT
-+#ifndef OPENSSL_NO_EC
-+ /* This is set to true if we believe that this is a version of Safari
-+ * running on OS X 10.6 or newer. We wish to know this because Safari
-+ * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
-+ char is_probably_safari;
-+#endif /* OPENSSL_NO_EC */
-+#endif /* OPENSSL_NO_TLSEXT */
- } SSL3_STATE;
-
- #endif
-Index: openssl-1.0.1e/ssl/t1_lib.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/t1_lib.c
-+++ openssl-1.0.1e/ssl/t1_lib.c
-@@ -866,6 +866,89 @@ unsigned char *ssl_add_serverhello_tlsex
- return ret;
- }
-
-+#ifndef OPENSSL_NO_EC
-+/* ssl_check_for_safari attempts to fingerprint Safari using OS X
-+ * SecureTransport using the TLS extension block in |d|, of length |n|.
-+ * Safari, since 10.6, sends exactly these extensions, in this order:
-+ * SNI,
-+ * elliptic_curves
-+ * ec_point_formats
-+ *
-+ * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
-+ * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
-+ * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
-+ * 10.8..10.8.3 (which don't work).
-+ */
-+static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
-+ unsigned short type, size;
-+ static const unsigned char kSafariExtensionsBlock[] = {
-+ 0x00, 0x0a, /* elliptic_curves extension */
-+ 0x00, 0x08, /* 8 bytes */
-+ 0x00, 0x06, /* 6 bytes of curve ids */
-+ 0x00, 0x17, /* P-256 */
-+ 0x00, 0x18, /* P-384 */
-+ 0x00, 0x19, /* P-521 */
-+
-+ 0x00, 0x0b, /* ec_point_formats */
-+ 0x00, 0x02, /* 2 bytes */
-+ 0x01, /* 1 point format */
-+ 0x00, /* uncompressed */
-+ };
-+
-+ /* The following is only present in TLS 1.2 */
-+ static const unsigned char kSafariTLS12ExtensionsBlock[] = {
-+ 0x00, 0x0d, /* signature_algorithms */
-+ 0x00, 0x0c, /* 12 bytes */
-+ 0x00, 0x0a, /* 10 bytes */
-+ 0x05, 0x01, /* SHA-384/RSA */
-+ 0x04, 0x01, /* SHA-256/RSA */
-+ 0x02, 0x01, /* SHA-1/RSA */
-+ 0x04, 0x03, /* SHA-256/ECDSA */
-+ 0x02, 0x03, /* SHA-1/ECDSA */
-+ };
-+
-+ if (data >= (d+n-2))
-+ return;
-+ data += 2;
-+
-+ if (data > (d+n-4))
-+ return;
-+ n2s(data,type);
-+ n2s(data,size);
-+
-+ if (type != TLSEXT_TYPE_server_name)
-+ return;
-+
-+ if (data+size > d+n)
-+ return;
-+ data += size;
-+
-+ if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
-+ {
-+ const size_t len1 = sizeof(kSafariExtensionsBlock);
-+ const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
-+
-+ if (data + len1 + len2 != d+n)
-+ return;
-+ if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-+ return;
-+ if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
-+ return;
-+ }
-+ else
-+ {
-+ const size_t len = sizeof(kSafariExtensionsBlock);
-+
-+ if (data + len != d+n)
-+ return;
-+ if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-+ return;
-+ }
-+
-+ s->s3->is_probably_safari = 1;
-+}
-+#endif /* OPENSSL_NO_EC */
-+
- int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
- {
- unsigned short type;
-@@ -886,6 +969,11 @@ int ssl_parse_clienthello_tlsext(SSL *s,
- SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- #endif
-
-+#ifndef OPENSSL_NO_EC
-+ if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-+ ssl_check_for_safari(s, data, d, n);
-+#endif /* OPENSSL_NO_EC */
-+
- if (data >= (d+n-2))
- goto ri_check;
- n2s(data,len);
Deleted: openssl/branches/wheezy/debian/patches/Fix-DTLS-anonymous-EC-DH-denial-of-service.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-DTLS-anonymous-EC-DH-denial-of-service.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Fix-DTLS-anonymous-EC-DH-denial-of-service.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,86 +0,0 @@
-From 1937c518574d81dcdc46c5c2e26541668db19c3e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Emilia=20K=C3=A4sper?= <emilia at openssl.org>
-Date: Thu, 24 Jul 2014 22:15:29 +0200
-Subject: [PATCH 09/16] Fix DTLS anonymous EC(DH) denial of service
-
-CVE-2014-3510
-
-Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
----
- ssl/d1_clnt.c | 23 +++++++++++++++++++++--
- ssl/s3_clnt.c | 7 +++++++
- 2 files changed, 28 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
-index 65dbb4a..fd6562c 100644
---- a/ssl/d1_clnt.c
-+++ b/ssl/d1_clnt.c
-@@ -996,6 +996,13 @@ int dtls1_send_client_key_exchange(SSL *s)
- RSA *rsa;
- unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ /* We should always have a server certificate with SSL_kRSA. */
-+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_rsa_tmp != NULL)
- rsa=s->session->sess_cert->peer_rsa_tmp;
- else
-@@ -1186,6 +1193,13 @@ int dtls1_send_client_key_exchange(SSL *s)
- {
- DH *dh_srvr,*dh_clnt;
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_dh_tmp != NULL)
- dh_srvr=s->session->sess_cert->peer_dh_tmp;
- else
-@@ -1245,6 +1259,13 @@ int dtls1_send_client_key_exchange(SSL *s)
- int ecdh_clnt_cert = 0;
- int field_size = 0;
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
-+ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
-+ goto err;
-+ }
-+
- /* Did we send out the client's
- * ECDH share for use in premaster
- * computation as part of client certificate?
-@@ -1720,5 +1741,3 @@ int dtls1_send_client_certificate(SSL *s)
- /* SSL3_ST_CW_CERT_D */
- return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
- }
--
--
-diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
-index 2afb892..df05f78 100644
---- a/ssl/s3_clnt.c
-+++ b/ssl/s3_clnt.c
-@@ -2253,6 +2253,13 @@ int ssl3_send_client_key_exchange(SSL *s)
- RSA *rsa;
- unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
-
-+ if (s->session->sess_cert == NULL)
-+ {
-+ /* We should always have a server certificate with SSL_kRSA. */
-+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
- if (s->session->sess_cert->peer_rsa_tmp != NULL)
- rsa=s->session->sess_cert->peer_rsa_tmp;
- else
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/Fix-DTLS-handshake-message-size-checks.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-DTLS-handshake-message-size-checks.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Fix-DTLS-handshake-message-size-checks.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,87 +0,0 @@
-From 211122a40e13a2dcd17bc61ea18fd68518179991 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Fri, 6 Jun 2014 14:25:52 -0700
-Subject: [PATCH 03/16] Fix DTLS handshake message size checks.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In |dtls1_reassemble_fragment|, the value of
-|msg_hdr->frag_off+frag_len| was being checked against the maximum
-handshake message size, but then |msg_len| bytes were allocated for the
-fragment buffer. This means that so long as the fragment was within the
-allowed size, the pending handshake message could consume 16MB + 2MB
-(for the reassembly bitmap). Approx 10 outstanding handshake messages
-are allowed, meaning that an attacker could consume ~180MB per DTLS
-connection.
-
-In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
-check was applied.
-
-Fixes CVE-2014-3506
-
-Wholly based on patch by Adam Langley with one minor amendment.
-
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- ssl/d1_both.c | 29 ++++++++++++++++-------------
- 1 file changed, 16 insertions(+), 13 deletions(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index 6559dfc..b9e15df 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -587,6 +587,16 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
- return 0;
- }
-
-+/* dtls1_max_handshake_message_len returns the maximum number of bytes
-+ * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may
-+ * be greater if the maximum certificate list size requires it. */
-+static unsigned long dtls1_max_handshake_message_len(const SSL *s)
-+ {
-+ unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
-+ if (max_len < (unsigned long)s->max_cert_list)
-+ return s->max_cert_list;
-+ return max_len;
-+ }
-
- static int
- dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
-@@ -595,20 +605,10 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- pitem *item = NULL;
- int i = -1, is_complete;
- unsigned char seq64be[8];
-- unsigned long frag_len = msg_hdr->frag_len, max_len;
--
-- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
-- goto err;
--
-- /* Determine maximum allowed message size. Depends on (user set)
-- * maximum certificate length, but 16k is minimum.
-- */
-- if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list)
-- max_len = s->max_cert_list;
-- else
-- max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
-+ unsigned long frag_len = msg_hdr->frag_len;
-
-- if ((msg_hdr->frag_off+frag_len) > max_len)
-+ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len ||
-+ msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
- goto err;
-
- /* Try to find item in queue */
-@@ -749,6 +749,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- if (frag_len && frag_len < msg_hdr->msg_len)
- return dtls1_reassemble_fragment(s, msg_hdr, ok);
-
-+ if (frag_len > dtls1_max_handshake_message_len(s))
-+ goto err;
-+
- frag = dtls1_hm_fragment_new(frag_len, 0);
- if ( frag == NULL)
- goto err;
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/Fix-OID-handling.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-OID-handling.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Fix-OID-handling.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,138 +0,0 @@
-From ef1991a1e3aab245fc35fd7a7076876182fc1fa6 Mon Sep 17 00:00:00 2001
-From: Emilia Kasper <emilia at openssl.org>
-Date: Wed, 2 Jul 2014 19:02:33 +0200
-Subject: [PATCH 10/16] Fix OID handling:
-
-- Upon parsing, reject OIDs with invalid base-128 encoding.
-- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.
-
-CVE-2014-3508
-
-Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
-Reviewed-by: Kurt Roeckx <kurt at openssl.org>
-Reviewed-by: Tim Hudson <tjh at openssl.org>
----
- crypto/asn1/a_object.c | 30 +++++++++++++++++++++---------
- crypto/objects/obj_dat.c | 16 +++++++++-------
- 2 files changed, 30 insertions(+), 16 deletions(-)
-
-diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
-index 3978c91..77b2768 100644
---- a/crypto/asn1/a_object.c
-+++ b/crypto/asn1/a_object.c
-@@ -283,17 +283,29 @@ err:
- ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
- return(NULL);
- }
-+
- ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
- long len)
- {
- ASN1_OBJECT *ret=NULL;
- const unsigned char *p;
- unsigned char *data;
-- int i;
-- /* Sanity check OID encoding: can't have leading 0x80 in
-- * subidentifiers, see: X.690 8.19.2
-+ int i, length;
-+
-+ /* Sanity check OID encoding.
-+ * Need at least one content octet.
-+ * MSB must be clear in the last octet.
-+ * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2
- */
-- for (i = 0, p = *pp; i < len; i++, p++)
-+ if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL ||
-+ p[len - 1] & 0x80)
-+ {
-+ ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
-+ return NULL;
-+ }
-+ /* Now 0 < len <= INT_MAX, so the cast is safe. */
-+ length = (int)len;
-+ for (i = 0; i < length; i++, p++)
- {
- if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
- {
-@@ -316,23 +328,23 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
- data = (unsigned char *)ret->data;
- ret->data = NULL;
- /* once detached we can change it */
-- if ((data == NULL) || (ret->length < len))
-+ if ((data == NULL) || (ret->length < length))
- {
- ret->length=0;
- if (data != NULL) OPENSSL_free(data);
-- data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1);
-+ data=(unsigned char *)OPENSSL_malloc(length);
- if (data == NULL)
- { i=ERR_R_MALLOC_FAILURE; goto err; }
- ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
- }
-- memcpy(data,p,(int)len);
-+ memcpy(data,p,length);
- /* reattach data to object, after which it remains const */
- ret->data =data;
-- ret->length=(int)len;
-+ ret->length=length;
- ret->sn=NULL;
- ret->ln=NULL;
- /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */
-- p+=len;
-+ p+=length;
-
- if (a != NULL) (*a)=ret;
- *pp=p;
-diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
-index 8a342ba..0b2f442 100644
---- a/crypto/objects/obj_dat.c
-+++ b/crypto/objects/obj_dat.c
-@@ -471,11 +471,12 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- const unsigned char *p;
- char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
-
-- if ((a == NULL) || (a->data == NULL)) {
-- buf[0]='\0';
-- return(0);
-- }
-+ /* Ensure that, at every state, |buf| is NUL-terminated. */
-+ if (buf && buf_len > 0)
-+ buf[0] = '\0';
-
-+ if ((a == NULL) || (a->data == NULL))
-+ return(0);
-
- if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef)
- {
-@@ -554,9 +555,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- i=(int)(l/40);
- l-=(long)(i*40);
- }
-- if (buf && (buf_len > 0))
-+ if (buf && (buf_len > 1))
- {
- *buf++ = i + '0';
-+ *buf = '\0';
- buf_len--;
- }
- n++;
-@@ -571,9 +573,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- i = strlen(bndec);
- if (buf)
- {
-- if (buf_len > 0)
-+ if (buf_len > 1)
- {
- *buf++ = '.';
-+ *buf = '\0';
- buf_len--;
- }
- BUF_strlcpy(buf,bndec,buf_len);
-@@ -807,4 +810,3 @@ err:
- OPENSSL_free(buf);
- return(ok);
- }
--
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/Fix-SRP-buffer-overrun-vulnerability.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-SRP-buffer-overrun-vulnerability.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Fix-SRP-buffer-overrun-vulnerability.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,42 +0,0 @@
-From 47f27247f70d06830fe562d027c2aee60fe7ec6d Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Thu, 31 Jul 2014 20:56:22 +0100
-Subject: [PATCH 13/16] Fix SRP buffer overrun vulnerability.
-
-Invalid parameters passed to the SRP code can be overrun an internal
-buffer. Add sanity check that g, A, B < N to SRP code.
-
-Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
-Group for reporting this issue.
-Reviewed-by: Kurt Roeckx <kurt at openssl.org>
----
- crypto/srp/srp_lib.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/crypto/srp/srp_lib.c b/crypto/srp/srp_lib.c
-index 7c1dcc5..83d417a 100644
---- a/crypto/srp/srp_lib.c
-+++ b/crypto/srp/srp_lib.c
-@@ -89,6 +89,9 @@ static BIGNUM *srp_Calc_k(BIGNUM *N, BIGNUM *g)
- int longg ;
- int longN = BN_num_bytes(N);
-
-+ if (BN_ucmp(g, N) >= 0)
-+ return NULL;
-+
- if ((tmp = OPENSSL_malloc(longN)) == NULL)
- return NULL;
- BN_bn2bin(N,tmp) ;
-@@ -121,6 +124,9 @@ BIGNUM *SRP_Calc_u(BIGNUM *A, BIGNUM *B, BIGNUM *N)
- if ((A == NULL) ||(B == NULL) || (N == NULL))
- return NULL;
-
-+ if (BN_ucmp(A, N) >= 0 || BN_ucmp(B, N) >= 0)
-+ return NULL;
-+
- longN= BN_num_bytes(N);
-
- if ((cAB = OPENSSL_malloc(2*longN)) == NULL)
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/Fix-SRP-ciphersuite-DoS-vulnerability.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-SRP-ciphersuite-DoS-vulnerability.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Fix-SRP-ciphersuite-DoS-vulnerability.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,61 +0,0 @@
-From b27973b2f58870488a05a1a3704f150a9d3af785 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Tue, 29 Jul 2014 21:23:30 +0100
-Subject: [PATCH 12/16] Fix SRP ciphersuite DoS vulnerability.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If a client attempted to use an SRP ciphersuite and it had not been
-set up correctly it would crash with a null pointer read. A malicious
-server could exploit this in a DoS attack.
-
-Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
-for reporting this issue.
-
-CVE-2014-5139
-Reviewed-by: Tim Hudson <tjh at openssl.org>
----
- ssl/s3_clnt.c | 9 +++++++++
- ssl/ssl_lib.c | 5 +++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
-index df05f78..0aba7e5 100644
---- a/ssl/s3_clnt.c
-+++ b/ssl/s3_clnt.c
-@@ -954,6 +954,15 @@ int ssl3_get_server_hello(SSL *s)
- SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
- goto f_err;
- }
-+#ifndef OPENSSL_NO_SRP
-+ if (((c->algorithm_mkey & SSL_kSRP) || (c->algorithm_auth & SSL_aSRP)) &&
-+ !(s->srp_ctx.srp_Mask & SSL_kSRP))
-+ {
-+ al=SSL_AD_ILLEGAL_PARAMETER;
-+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_WRONG_CIPHER_RETURNED);
-+ goto f_err;
-+ }
-+#endif /* OPENSSL_NO_SRP */
- p+=ssl_put_cipher_by_char(s,NULL,NULL);
-
- sk=ssl_get_ciphers_by_id(s);
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index ef6258c..82a2c80 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -1406,6 +1406,11 @@ int ssl_cipher_list_to_bytes(SSL *s,STACK_OF(SSL_CIPHER) *sk,unsigned char *p,
- s->psk_client_callback == NULL)
- continue;
- #endif /* OPENSSL_NO_PSK */
-+#ifndef OPENSSL_NO_SRP
-+ if (((c->algorithm_mkey & SSL_kSRP) || (c->algorithm_auth & SSL_aSRP)) &&
-+ !(s->srp_ctx.srp_Mask & SSL_kSRP))
-+ continue;
-+#endif /* OPENSSL_NO_SRP */
- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
- p+=j;
- }
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/Fix-for-SRTP-Memory-Leak.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-for-SRTP-Memory-Leak.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Fix-for-SRTP-Memory-Leak.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,210 +0,0 @@
-From 2b0532f3984324ebe1236a63d15893792384328d Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt at openssl.org>
-Date: Wed, 15 Oct 2014 01:20:38 +0100
-Subject: [PATCH 1/4] Fix for SRTP Memory Leak
-
-CVE-2014-3513
-
-This issue was reported to OpenSSL on 26th September 2014, based on an origi
-issue and patch developed by the LibreSSL project. Further analysis of the i
-was performed by the OpenSSL team.
-
-The fix was developed by the OpenSSL team.
-
-Reviewed-by: Tim Hudson <tjh at openssl.org>
----
- ssl/d1_srtp.c | 93 ++++++++++++++++++++---------------------------------------
- ssl/t1_lib.c | 9 +++---
- 2 files changed, 36 insertions(+), 66 deletions(-)
-
-diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c
-index ab9c419..535539b 100644
---- a/ssl/d1_srtp.c
-+++ b/ssl/d1_srtp.c
-@@ -168,25 +168,6 @@ static int find_profile_by_name(char *profile_name,
- return 1;
- }
-
--static int find_profile_by_num(unsigned profile_num,
-- SRTP_PROTECTION_PROFILE **pptr)
-- {
-- SRTP_PROTECTION_PROFILE *p;
--
-- p=srtp_known_profiles;
-- while(p->name)
-- {
-- if(p->id == profile_num)
-- {
-- *pptr=p;
-- return 0;
-- }
-- p++;
-- }
--
-- return 1;
-- }
--
- static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out)
- {
- STACK_OF(SRTP_PROTECTION_PROFILE) *profiles;
-@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTE
- if(!find_profile_by_name(ptr,&p,
- col ? col-ptr : (int)strlen(ptr)))
- {
-+ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0)
-+ {
-+ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST);
-+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
-+ return 1;
-+ }
-+
- sk_SRTP_PROTECTION_PROFILE_push(profiles,p);
- }
- else
- {
- SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE);
-+ sk_SRTP_PROTECTION_PROFILE_free(profiles);
- return 1;
- }
-
-@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int max
-
- int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al)
- {
-- SRTP_PROTECTION_PROFILE *cprof,*sprof;
-- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr;
-+ SRTP_PROTECTION_PROFILE *sprof;
-+ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr;
- int ct;
- int mki_len;
-- int i,j;
-- int id;
-- int ret;
-+ int i, srtp_pref;
-+ unsigned int id;
-
- /* Length value + the MKI length */
- if(len < 3)
-@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
- return 1;
- }
-
-+ srvr=SSL_get_srtp_profiles(s);
-+ s->srtp_profile = NULL;
-+ /* Search all profiles for a match initially */
-+ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr);
-
-- clnt=sk_SRTP_PROTECTION_PROFILE_new_null();
--
- while(ct)
- {
- n2s(d,id);
- ct-=2;
- len-=2;
-
-- if(!find_profile_by_num(id,&cprof))
-+ /*
-+ * Only look for match in profiles of higher preference than
-+ * current match.
-+ * If no profiles have been have been configured then this
-+ * does nothing.
-+ */
-+ for (i = 0; i < srtp_pref; i++)
- {
-- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof);
-- }
-- else
-- {
-- ; /* Ignore */
-+ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i);
-+ if (sprof->id == id)
-+ {
-+ s->srtp_profile = sprof;
-+ srtp_pref = i;
-+ break;
-+ }
- }
- }
-
-@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al
- return 1;
- }
-
-- srvr=SSL_get_srtp_profiles(s);
--
-- /* Pick our most preferred profile. If no profiles have been
-- configured then the outer loop doesn't run
-- (sk_SRTP_PROTECTION_PROFILE_num() = -1)
-- and so we just return without doing anything */
-- for(i=0;i<sk_SRTP_PROTECTION_PROFILE_num(srvr);i++)
-- {
-- sprof=sk_SRTP_PROTECTION_PROFILE_value(srvr,i);
--
-- for(j=0;j<sk_SRTP_PROTECTION_PROFILE_num(clnt);j++)
-- {
-- cprof=sk_SRTP_PROTECTION_PROFILE_value(clnt,j);
--
-- if(cprof->id==sprof->id)
-- {
-- s->srtp_profile=sprof;
-- *al=0;
-- ret=0;
-- goto done;
-- }
-- }
-- }
--
-- ret=0;
--
--done:
-- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt);
--
-- return ret;
-+ return 0;
- }
-
- int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen)
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 022a4fb..12ee3c9 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -643,7 +643,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *buf, unsigned c
- #endif
-
- #ifndef OPENSSL_NO_SRTP
-- if(SSL_get_srtp_profiles(s))
-+ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s))
- {
- int el;
-
-@@ -806,7 +806,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *buf, unsigned c
- #endif
-
- #ifndef OPENSSL_NO_SRTP
-- if(s->srtp_profile)
-+ if(SSL_IS_DTLS(s) && s->srtp_profile)
- {
- int el;
-
-@@ -1444,7 +1444,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
-
- /* session ticket processed earlier */
- #ifndef OPENSSL_NO_SRTP
-- else if (type == TLSEXT_TYPE_use_srtp)
-+ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)
-+ && type == TLSEXT_TYPE_use_srtp)
- {
- if(ssl_parse_clienthello_use_srtp_ext(s, data, size,
- al))
-@@ -1698,7 +1699,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
- }
- #endif
- #ifndef OPENSSL_NO_SRTP
-- else if (type == TLSEXT_TYPE_use_srtp)
-+ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp)
- {
- if(ssl_parse_serverhello_use_srtp_ext(s, data, size,
- al))
---
-2.1.1
-
Deleted: openssl/branches/wheezy/debian/patches/Fix-for-session-tickets-memory-leak.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-for-session-tickets-memory-leak.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Fix-for-session-tickets-memory-leak.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,32 +0,0 @@
-From 7fd4ce6a997be5f5c9e744ac527725c2850de203 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Wed, 15 Oct 2014 01:53:55 +0100
-Subject: [PATCH 3/4] Fix for session tickets memory leak.
-
-CVE-2014-3567
-
-Reviewed-by: Rich Salz <rsalz at openssl.org>
-Reviewed-by: Matt Caswell <matt at openssl.org>
-(cherry picked from commit 5dc6070a03779cd524f0e67f76c945cb0ac38320)
----
- ssl/t1_lib.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 12ee3c9..d6aff4b 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -2348,7 +2348,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
- HMAC_Final(&hctx, tick_hmac, NULL);
- HMAC_CTX_cleanup(&hctx);
- if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen))
-+ {
-+ EVP_CIPHER_CTX_cleanup(&ctx);
- return 2;
-+ }
- /* Attempt to decrypt session data */
- /* Move p after IV to start of encrypted ticket, update length */
- p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
---
-2.1.1
-
Deleted: openssl/branches/wheezy/debian/patches/Fix-memory-leak-from-zero-length-DTLS-fragments.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-memory-leak-from-zero-length-DTLS-fragments.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Fix-memory-leak-from-zero-length-DTLS-fragments.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,79 +0,0 @@
-From 9dbf4e95ef9491329877c628c51bcc8e644c9622 Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl at imperialviolet.org>
-Date: Fri, 6 Jun 2014 14:30:33 -0700
-Subject: [PATCH 04/16] Fix memory leak from zero-length DTLS fragments.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-The |pqueue_insert| function can fail if one attempts to insert a
-duplicate sequence number. When handling a fragment of an out of
-sequence message, |dtls1_process_out_of_seq_message| would not call
-|dtls1_reassemble_fragment| if the fragment's length was zero. It would
-then allocate a fresh fragment and attempt to insert it, but ignore the
-return value, leaking the fragment.
-
-This allows an attacker to exhaust the memory of a DTLS peer.
-
-Fixes CVE-2014-3507
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- ssl/d1_both.c | 22 +++++++++++++++++++---
- 1 file changed, 19 insertions(+), 3 deletions(-)
-
-Index: openssl-1.0.1e/ssl/d1_both.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/d1_both.c 2014-08-06 18:42:03.000000000 +0000
-+++ openssl-1.0.1e/ssl/d1_both.c 2014-08-06 18:42:09.111245837 +0000
-@@ -610,6 +610,9 @@
- msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
- goto err;
-
-+ if (frag_len == 0)
-+ return DTLS1_HM_FRAGMENT_RETRY;
-+
- /* Try to find item in queue */
- memset(seq64be,0,sizeof(seq64be));
- seq64be[6] = (unsigned char) (msg_hdr->seq>>8);
-@@ -687,7 +690,12 @@
- i = -1;
- }
-
-- pqueue_insert(s->d1->buffered_messages, item);
-+ item = pqueue_insert(s->d1->buffered_messages, item);
-+ /* pqueue_insert fails iff a duplicate item is inserted.
-+ * However, |item| cannot be a duplicate. If it were,
-+ * |pqueue_find|, above, would have returned it and control
-+ * would never have reached this branch. */
-+ OPENSSL_assert(item != NULL);
- }
-
- return DTLS1_HM_FRAGMENT_RETRY;
-@@ -745,7 +753,7 @@
- }
- else
- {
-- if (frag_len && frag_len < msg_hdr->msg_len)
-+ if (frag_len < msg_hdr->msg_len)
- return dtls1_reassemble_fragment(s, msg_hdr, ok);
-
- if (frag_len > dtls1_max_handshake_message_len(s))
-@@ -774,7 +782,15 @@
- if ( item == NULL)
- goto err;
-
-- pqueue_insert(s->d1->buffered_messages, item);
-+ item = pqueue_insert(s->d1->buffered_messages, item);
-+ /* pqueue_insert fails iff a duplicate item is inserted.
-+ * However, |item| cannot be a duplicate. If it were,
-+ * |pqueue_find|, above, would have returned it. Then, either
-+ * |frag_len| != |msg_hdr->msg_len| in which case |item| is set
-+ * to NULL and it will have been processed with
-+ * |dtls1_reassemble_fragment|, above, or the record will have
-+ * been discarded. */
-+ OPENSSL_assert(item != NULL);
- }
-
- return DTLS1_HM_FRAGMENT_RETRY;
Added: openssl/branches/wheezy/debian/patches/Fix-name-length-limit-check.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-name-length-limit-check.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/Fix-name-length-limit-check.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,40 @@
+From b583c1bd069f6928c3973dc6d6864930f6c4bb3e Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Wed, 4 May 2016 16:09:06 +0100
+Subject: [PATCH] Fix name length limit check.
+
+The name length limit check in x509_name_ex_d2i() includes
+the containing structure as well as the actual X509_NAME. This will
+cause large CRLs to be rejected.
+
+Fix by limiting the length passed to ASN1_item_ex_d2i() which will
+then return an error if the passed X509_NAME exceeds the length.
+
+RT#4531
+
+Reviewed-by: Rich Salz <rsalz at openssl.org>
+(cherry picked from commit 4e0d184ac1dde845ba9574872e2ae5c903c81dff)
+---
+ crypto/asn1/x_name.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c
+index a858c29..26378fd 100644
+--- a/crypto/asn1/x_name.c
++++ b/crypto/asn1/x_name.c
+@@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
+ int i, j, ret;
+ STACK_OF(X509_NAME_ENTRY) *entries;
+ X509_NAME_ENTRY *entry;
+- if (len > X509_NAME_MAX) {
+- ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+- return 0;
+- }
++ if (len > X509_NAME_MAX)
++ len = X509_NAME_MAX;
+ q = p;
+
+ /* Get internal representation of Name */
+--
+2.8.1
+
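Review bot: The new clamp `len = X509_NAME_MAX;` silently narrows the length where the old code rejected the input, and the line carries no comment recording why that is safe; a one-line comment such as `/* Bound len; ASN1_item_ex_d2i() below fails if the X509_NAME itself exceeds it */` would capture the invariant the commit message relies on. Note also that `ASN1_R_TOO_LONG` is no longer raised from x509_name_ex_d2i, so any diagnostics or tests keyed on that reason code will now see whatever error ASN1_item_ex_d2i reports for an over-long Name instead. x509_name_ex_d2i's body continues outside the hunk, so the call that now enforces the bound is not visible here.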
Deleted: openssl/branches/wheezy/debian/patches/Fix-no-ssl3-configuration-option.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-no-ssl3-configuration-option.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Fix-no-ssl3-configuration-option.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,98 +0,0 @@
-From 26a59d9b46574e457870197dffa802871b4c8fc7 Mon Sep 17 00:00:00 2001
-From: Geoff Thorpe <geoff at openssl.org>
-Date: Wed, 15 Oct 2014 03:25:50 -0400
-Subject: [PATCH 4/4] Fix no-ssl3 configuration option
-
-CVE-2014-3568
-
-Reviewed-by: Emilia Kasper <emilia at openssl.org>
-Reviewed-by: Rich Salz <rsalz at openssl.org>
----
- ssl/s23_clnt.c | 9 +++++++--
- ssl/s23_srvr.c | 18 +++++++++---------
- 2 files changed, 16 insertions(+), 11 deletions(-)
-
-diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
-index d4e43c3..86ab3de 100644
---- a/ssl/s23_clnt.c
-+++ b/ssl/s23_clnt.c
-@@ -125,9 +125,11 @@ static const SSL_METHOD *ssl23_get_client_method(int ver)
- if (ver == SSL2_VERSION)
- return(SSLv2_client_method());
- #endif
-+#ifndef OPENSSL_NO_SSL3
- if (ver == SSL3_VERSION)
- return(SSLv3_client_method());
-- else if (ver == TLS1_VERSION)
-+#endif
-+ if (ver == TLS1_VERSION)
- return(TLSv1_client_method());
- else if (ver == TLS1_1_VERSION)
- return(TLSv1_1_client_method());
-@@ -698,6 +700,7 @@ static int ssl23_get_server_hello(SSL *s)
- {
- /* we have sslv3 or tls1 (server hello or alert) */
-
-+#ifndef OPENSSL_NO_SSL3
- if ((p[2] == SSL3_VERSION_MINOR) &&
- !(s->options & SSL_OP_NO_SSLv3))
- {
-@@ -712,7 +715,9 @@ static int ssl23_get_server_hello(SSL *s)
- s->version=SSL3_VERSION;
- s->method=SSLv3_client_method();
- }
-- else if ((p[2] == TLS1_VERSION_MINOR) &&
-+ else
-+#endif
-+ if ((p[2] == TLS1_VERSION_MINOR) &&
- !(s->options & SSL_OP_NO_TLSv1))
- {
- s->version=TLS1_VERSION;
-diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
-index 567a6b1..93ca7d5 100644
---- a/ssl/s23_srvr.c
-+++ b/ssl/s23_srvr.c
-@@ -127,9 +127,11 @@ static const SSL_METHOD *ssl23_get_server_method(int ver)
- if (ver == SSL2_VERSION)
- return(SSLv2_server_method());
- #endif
-+#ifndef OPENSSL_NO_SSL3
- if (ver == SSL3_VERSION)
- return(SSLv3_server_method());
-- else if (ver == TLS1_VERSION)
-+#endif
-+ if (ver == TLS1_VERSION)
- return(TLSv1_server_method());
- else if (ver == TLS1_1_VERSION)
- return(TLSv1_1_server_method());
-@@ -600,6 +602,12 @@ int ssl23_get_client_hello(SSL *s)
- if ((type == 2) || (type == 3))
- {
- /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
-+ s->method = ssl23_get_server_method(s->version);
-+ if (s->method == NULL)
-+ {
-+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
-+ goto err;
-+ }
-
- if (!ssl_init_wbio_buffer(s,1)) goto err;
-
-@@ -627,14 +635,6 @@ int ssl23_get_client_hello(SSL *s)
- s->s3->rbuf.left=0;
- s->s3->rbuf.offset=0;
- }
-- if (s->version == TLS1_2_VERSION)
-- s->method = TLSv1_2_server_method();
-- else if (s->version == TLS1_1_VERSION)
-- s->method = TLSv1_1_server_method();
-- else if (s->version == TLS1_VERSION)
-- s->method = TLSv1_server_method();
-- else
-- s->method = SSLv3_server_method();
- #if 0 /* ssl3_get_client_hello does this */
- s->client_version=(v[0]<<8)|v[1];
- #endif
---
-2.1.1
-
Deleted: openssl/branches/wheezy/debian/patches/Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,86 +0,0 @@
-From 9c1a0fa0cf487693dac882ae771a1a28edca4477 Mon Sep 17 00:00:00 2001
-From: David Benjamin <davidben at google.com>
-Date: Wed, 23 Jul 2014 22:32:21 +0200
-Subject: [PATCH 08/16] Fix protocol downgrade bug in case of fragmented
- packets
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-CVE-2014-3511
-
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
-Reviewed-by: Bodo Möller <bodo at openssl.org>
----
- ssl/s23_srvr.c | 30 +++++++++++++++++++++++-------
- 1 file changed, 23 insertions(+), 7 deletions(-)
-
-diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
-index 4877849..2901a6b 100644
---- a/ssl/s23_srvr.c
-+++ b/ssl/s23_srvr.c
-@@ -348,23 +348,19 @@ int ssl23_get_client_hello(SSL *s)
- * Client Hello message, this would be difficult, and we'd have
- * to read more records to find out.
- * No known SSL 3.0 client fragments ClientHello like this,
-- * so we simply assume TLS 1.0 to avoid protocol version downgrade
-- * attacks. */
-+ * so we simply reject such connections to avoid
-+ * protocol version downgrade attacks. */
- if (p[3] == 0 && p[4] < 6)
- {
--#if 0
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
- goto err;
--#else
-- v[1] = TLS1_VERSION_MINOR;
--#endif
- }
- /* if major version number > 3 set minor to a value
- * which will use the highest version 3 we support.
- * If TLS 2.0 ever appears we will need to revise
- * this....
- */
-- else if (p[9] > SSL3_VERSION_MAJOR)
-+ if (p[9] > SSL3_VERSION_MAJOR)
- v[1]=0xff;
- else
- v[1]=p[10]; /* minor version according to client_version */
-@@ -444,14 +440,34 @@ int ssl23_get_client_hello(SSL *s)
- v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
- v[1] = p[4];
-
-+ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
-+ * header is sent directly on the wire, not wrapped as a TLS
-+ * record. It's format is:
-+ * Byte Content
-+ * 0-1 msg_length
-+ * 2 msg_type
-+ * 3-4 version
-+ * 5-6 cipher_spec_length
-+ * 7-8 session_id_length
-+ * 9-10 challenge_length
-+ * ... ...
-+ */
- n=((p[0]&0x7f)<<8)|p[1];
- if (n > (1024*4))
- {
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
- goto err;
- }
-+ if (n < 9)
-+ {
-+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
-+ goto err;
-+ }
-
- j=ssl23_read_bytes(s,n+2);
-+ /* We previously read 11 bytes, so if j > 0, we must have
-+ * j == n+2 == s->packet_length. We have at least 11 valid
-+ * packet bytes. */
- if (j <= 0) return(j);
-
- ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/Fix-race-condition-in-ssl_parse_serverhello_tlsext.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-race-condition-in-ssl_parse_serverhello_tlsext.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Fix-race-condition-in-ssl_parse_serverhello_tlsext.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,45 +0,0 @@
-From d30b9cb1ac7ec41188689363bbef94d7023b21e3 Mon Sep 17 00:00:00 2001
-From: Gabor Tyukasz <Gabor.Tyukasz at logmein.com>
-Date: Wed, 23 Jul 2014 23:42:06 +0200
-Subject: [PATCH 11/16] Fix race condition in ssl_parse_serverhello_tlsext
-
-CVE-2014-3509
-Reviewed-by: Tim Hudson <tjh at openssl.org>
-Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
----
- ssl/t1_lib.c | 17 ++++++++++-------
- 1 file changed, 10 insertions(+), 7 deletions(-)
-
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 8167a51..022a4fb 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -1555,15 +1555,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
- *al = TLS1_AD_DECODE_ERROR;
- return 0;
- }
-- s->session->tlsext_ecpointformatlist_length = 0;
-- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
-+ if (!s->hit)
- {
-- *al = TLS1_AD_INTERNAL_ERROR;
-- return 0;
-+ s->session->tlsext_ecpointformatlist_length = 0;
-+ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
-+ {
-+ *al = TLS1_AD_INTERNAL_ERROR;
-+ return 0;
-+ }
-+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
- }
-- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
- #if 0
- fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist ");
- sdata = s->session->tlsext_ecpointformatlist;
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/Fix-return-code-for-truncated-DTLS-fragment.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Fix-return-code-for-truncated-DTLS-fragment.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Fix-return-code-for-truncated-DTLS-fragment.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,43 +0,0 @@
-From 4118b13c0c191e3d5dcd5c73e37b19b49c5381e1 Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl at imperialviolet.org>
-Date: Fri, 6 Jun 2014 14:44:20 -0700
-Subject: [PATCH 05/16] Fix return code for truncated DTLS fragment.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Previously, a truncated DTLS fragment in
-|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
-the return value would still be the number of bytes read. This would
-cause |dtls1_get_message| not to consider it an error and it would
-continue processing as normal until the calling function noticed that
-*ok was zero.
-
-I can't see an exploit here because |dtls1_get_message| uses
-|s->init_num| as the length, which will always be zero from what I can
-see.
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- ssl/d1_both.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index bb52d92..ac0fcaa 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -771,7 +771,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- /* read the body of the fragment (header has already been read */
- i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
- frag->fragment,frag_len,0);
-- if (i<=0 || (unsigned long)i!=frag_len)
-+ if ((unsigned long)i!=frag_len)
-+ i = -1;
-+ if (i<=0)
- goto err;
- }
-
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Keep-old-method-in-case-of-an-unsupported-protocol.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,44 +0,0 @@
-From 392fa7a952e97d82eac6958c81ed1e256e6b8ca5 Mon Sep 17 00:00:00 2001
-From: Kurt Roeckx <kurt at roeckx.be>
-Date: Tue, 21 Oct 2014 20:45:15 +0200
-Subject: [PATCH] Keep old method in case of an unsupported protocol
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
-the method to NULL. We didn't used to do that, and it breaks things. This is a
-regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c. Keep the old
-method since the code is not able to deal with a NULL method at this time.
-
-CVE-2014-3569, PR#3571
-
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- ssl/s23_srvr.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
-index 38960ba..858420d 100644
---- a/ssl/s23_srvr.c
-+++ b/ssl/s23_srvr.c
-@@ -615,12 +615,14 @@ int ssl23_get_client_hello(SSL *s)
- if ((type == 2) || (type == 3))
- {
- /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
-- s->method = ssl23_get_server_method(s->version);
-- if (s->method == NULL)
-+ const SSL_METHOD *new_method;
-+ new_method = ssl23_get_server_method(s->version);
-+ if (new_method == NULL)
- {
- SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
- goto err;
- }
-+ s->method = new_method;
-
- if (!ssl_init_wbio_buffer(s,1)) goto err;
-
---
-2.1.4
-
Deleted: openssl/branches/wheezy/debian/patches/Remove-some-duplicate-DTLS-code.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Remove-some-duplicate-DTLS-code.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Remove-some-duplicate-DTLS-code.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,86 +0,0 @@
-From c3d1cad0a04b8ed785f57508c2fd8eb8c314bcc7 Mon Sep 17 00:00:00 2001
-From: Adam Langley <agl at imperialviolet.org>
-Date: Fri, 6 Jun 2014 14:47:07 -0700
-Subject: [PATCH 07/16] Remove some duplicate DTLS code.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-In a couple of functions, a sequence number would be calculated twice.
-
-Additionally, in |dtls1_process_out_of_seq_message|, we know that
-|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
-msg_hdr->msg_len| can be more clearly written as |frag_len !=
-msg_hdr->msg_len|, since that's the only remaining case.
-
-Reviewed-by: Matt Caswell <matt at openssl.org>
-Reviewed-by: Emilia Käsper <emilia at openssl.org>
----
- ssl/d1_both.c | 16 ++++------------
- 1 file changed, 4 insertions(+), 12 deletions(-)
-
-diff --git a/ssl/d1_both.c b/ssl/d1_both.c
-index ea8f340..89cdca8 100644
---- a/ssl/d1_both.c
-+++ b/ssl/d1_both.c
-@@ -599,7 +599,7 @@ static unsigned long dtls1_max_handshake_message_len(const SSL *s)
- }
-
- static int
--dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
-+dtls1_reassemble_fragment(SSL *s, const struct hm_header_st* msg_hdr, int *ok)
- {
- hm_fragment *frag = NULL;
- pitem *item = NULL;
-@@ -682,10 +682,6 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
-
- if (item == NULL)
- {
-- memset(seq64be,0,sizeof(seq64be));
-- seq64be[6] = (unsigned char)(msg_hdr->seq>>8);
-- seq64be[7] = (unsigned char)(msg_hdr->seq);
--
- item = pitem_new(seq64be, frag);
- if (item == NULL)
- {
-@@ -711,7 +707,7 @@ err:
-
-
- static int
--dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
-+dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st* msg_hdr, int *ok)
- {
- int i=-1;
- hm_fragment *frag = NULL;
-@@ -731,7 +727,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- /* If we already have an entry and this one is a fragment,
- * don't discard it and rather try to reassemble it.
- */
-- if (item != NULL && frag_len < msg_hdr->msg_len)
-+ if (item != NULL && frag_len != msg_hdr->msg_len)
- item = NULL;
-
- /* Discard the message if sequence number was already there, is
-@@ -756,7 +752,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- }
- else
- {
-- if (frag_len < msg_hdr->msg_len)
-+ if (frag_len != msg_hdr->msg_len)
- return dtls1_reassemble_fragment(s, msg_hdr, ok);
-
- if (frag_len > dtls1_max_handshake_message_len(s))
-@@ -779,10 +775,6 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
- goto err;
- }
-
-- memset(seq64be,0,sizeof(seq64be));
-- seq64be[6] = (unsigned char)(msg_hdr->seq>>8);
-- seq64be[7] = (unsigned char)(msg_hdr->seq);
--
- item = pitem_new(seq64be, frag);
- if ( item == NULL)
- goto err;
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/SRP-ciphersuite-correction.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/SRP-ciphersuite-correction.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/SRP-ciphersuite-correction.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,95 +0,0 @@
-From 18c7f2fce8a82b13506cac7ca69fc333baf76408 Mon Sep 17 00:00:00 2001
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Mon, 9 Jun 2014 12:03:12 +0100
-Subject: [PATCH] SRP ciphersuite correction.
-
-SRP ciphersuites do not have no authentication. They have authentication
-based on SRP. Add new SRP authentication flag and cipher string.
-(cherry picked from commit a86b88acc373ac1fb0ca709a5fb8a8fa74683f67)
----
- ssl/s3_lib.c | 6 +++---
- ssl/ssl.h | 1 +
- ssl/ssl_ciph.c | 4 ++++
- ssl/ssl_locl.h | 1 +
- 4 files changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
-index 36dd1f6..4835bef 100644
---- a/ssl/s3_lib.c
-+++ b/ssl/s3_lib.c
-@@ -2426,7 +2426,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
- TLS1_TXT_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
- TLS1_CK_SRP_SHA_WITH_3DES_EDE_CBC_SHA,
- SSL_kSRP,
-- SSL_aNULL,
-+ SSL_aSRP,
- SSL_3DES,
- SSL_SHA1,
- SSL_TLSV1,
-@@ -2474,7 +2474,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
- TLS1_TXT_SRP_SHA_WITH_AES_128_CBC_SHA,
- TLS1_CK_SRP_SHA_WITH_AES_128_CBC_SHA,
- SSL_kSRP,
-- SSL_aNULL,
-+ SSL_aSRP,
- SSL_AES128,
- SSL_SHA1,
- SSL_TLSV1,
-@@ -2522,7 +2522,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
- TLS1_TXT_SRP_SHA_WITH_AES_256_CBC_SHA,
- TLS1_CK_SRP_SHA_WITH_AES_256_CBC_SHA,
- SSL_kSRP,
-- SSL_aNULL,
-+ SSL_aSRP,
- SSL_AES256,
- SSL_SHA1,
- SSL_TLSV1,
-diff --git a/ssl/ssl.h b/ssl/ssl.h
-index 4c1242c..a9b15d4 100644
---- a/ssl/ssl.h
-+++ b/ssl/ssl.h
-@@ -264,6 +264,7 @@ extern "C" {
- #define SSL_TXT_aGOST94 "aGOST94"
- #define SSL_TXT_aGOST01 "aGOST01"
- #define SSL_TXT_aGOST "aGOST"
-+#define SSL_TXT_aSRP "aSRP"
-
- #define SSL_TXT_DSS "DSS"
- #define SSL_TXT_DH "DH"
-diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
-index 0aba8e0..06da26a 100644
---- a/ssl/ssl_ciph.c
-+++ b/ssl/ssl_ciph.c
-@@ -270,6 +270,7 @@ static const SSL_CIPHER cipher_aliases[]={
- {0,SSL_TXT_aGOST94,0,0,SSL_aGOST94,0,0,0,0,0,0,0},
- {0,SSL_TXT_aGOST01,0,0,SSL_aGOST01,0,0,0,0,0,0,0},
- {0,SSL_TXT_aGOST,0,0,SSL_aGOST94|SSL_aGOST01,0,0,0,0,0,0,0},
-+ {0,SSL_TXT_aSRP,0, 0,SSL_aSRP, 0,0,0,0,0,0,0},
-
- /* aliases combining key exchange and server authentication */
- {0,SSL_TXT_EDH,0, SSL_kEDH,~SSL_aNULL,0,0,0,0,0,0,0},
-@@ -1628,6 +1629,9 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
- case SSL_aPSK:
- au="PSK";
- break;
-+ case SSL_aSRP:
-+ au="SRP";
-+ break;
- default:
- au="unknown";
- break;
-diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
-index e485907..eb4d8f2 100644
---- a/ssl/ssl_locl.h
-+++ b/ssl/ssl_locl.h
-@@ -311,6 +311,7 @@
- #define SSL_aPSK 0x00000080L /* PSK auth */
- #define SSL_aGOST94 0x00000100L /* GOST R 34.10-94 signature auth */
- #define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */
-+#define SSL_aSRP 0x00000400L /* SRP auth */
-
-
- /* Bits for algorithm_enc (symmetric encryption) */
---
-2.0.1
-
Deleted: openssl/branches/wheezy/debian/patches/Support-TLS_FALLBACK_SCSV.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Support-TLS_FALLBACK_SCSV.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/Support-TLS_FALLBACK_SCSV.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,534 +0,0 @@
-From 6bfe55380abbf7528e04e59f18921bd6c896af1c Mon Sep 17 00:00:00 2001
-From: Bodo Moeller <bodo at openssl.org>
-Date: Wed, 15 Oct 2014 04:05:42 +0200
-Subject: [PATCH] Support TLS_FALLBACK_SCSV.
-
-Reviewed-by: Rich Salz <rsalz at openssl.org>
----
- CHANGES | 6 ++++++
- apps/s_client.c | 10 +++++++++
- crypto/err/openssl.ec | 1 +
- ssl/d1_lib.c | 10 +++++++++
- ssl/dtls1.h | 3 ++-
- ssl/s23_clnt.c | 3 +++
- ssl/s23_srvr.c | 3 +++
- ssl/s2_lib.c | 4 +++-
- ssl/s3_enc.c | 2 +-
- ssl/s3_lib.c | 29 ++++++++++++++++++++++++-
- ssl/ssl.h | 9 ++++++++
- ssl/ssl3.h | 7 +++++-
- ssl/ssl_err.c | 2 ++
- ssl/ssl_lib.c | 60 +++++++++++++++++++++++++++++++++++++++------------
- ssl/t1_enc.c | 1 +
- ssl/tls1.h | 15 +++++++------
- 16 files changed, 140 insertions(+), 25 deletions(-)
-
-Index: openssl-1.0.1e/apps/s_client.c
-===================================================================
---- openssl-1.0.1e.orig/apps/s_client.c 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/apps/s_client.c 2014-10-15 17:48:07.272419336 +0000
-@@ -335,6 +335,7 @@
- BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
- BIO_printf(bio_err," -tls1 - just use TLSv1\n");
- BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
-+ BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
- BIO_printf(bio_err," -mtu - set the link layer MTU\n");
- BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
- BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
-@@ -615,6 +616,7 @@
- char *sess_out = NULL;
- struct sockaddr peer;
- int peerlen = sizeof(peer);
-+ int fallback_scsv = 0;
- int enable_timeouts = 0 ;
- long socket_mtu = 0;
- #ifndef OPENSSL_NO_JPAKE
-@@ -829,6 +831,10 @@
- socket_mtu = atol(*(++argv));
- }
- #endif
-+ else if (strcmp(*argv,"-fallback_scsv") == 0)
-+ {
-+ fallback_scsv = 1;
-+ }
- else if (strcmp(*argv,"-bugs") == 0)
- bugs=1;
- else if (strcmp(*argv,"-keyform") == 0)
-@@ -1233,6 +1239,10 @@
- SSL_set_session(con, sess);
- SSL_SESSION_free(sess);
- }
-+
-+ if (fallback_scsv)
-+ SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
-+
- #ifndef OPENSSL_NO_TLSEXT
- if (servername != NULL)
- {
-Index: openssl-1.0.1e/crypto/err/openssl.ec
-===================================================================
---- openssl-1.0.1e.orig/crypto/err/openssl.ec 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/crypto/err/openssl.ec 2014-10-15 17:46:43.878259185 +0000
-@@ -71,6 +71,7 @@
- R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070
- R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
- R SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
-+R SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
- R SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
- R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
- R SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110
-Index: openssl-1.0.1e/ssl/d1_lib.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/d1_lib.c 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/ssl/d1_lib.c 2014-10-15 17:46:43.878259185 +0000
-@@ -262,6 +262,16 @@
- case DTLS_CTRL_LISTEN:
- ret = dtls1_listen(s, parg);
- break;
-+ case SSL_CTRL_CHECK_PROTO_VERSION:
-+ /* For library-internal use; checks that the current protocol
-+ * is the highest enabled version (according to s->ctx->method,
-+ * as version negotiation may have changed s->method). */
-+#if DTLS_MAX_VERSION != DTLS1_VERSION
-+# error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
-+#endif
-+ /* Just one protocol version is supported so far;
-+ * fail closed if the version is not as expected. */
-+ return s->version == DTLS_MAX_VERSION;
-
- default:
- ret = ssl3_ctrl(s, cmd, larg, parg);
-Index: openssl-1.0.1e/ssl/dtls1.h
-===================================================================
---- openssl-1.0.1e.orig/ssl/dtls1.h 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/ssl/dtls1.h 2014-10-15 17:46:43.878259185 +0000
-@@ -84,6 +84,8 @@
- #endif
-
- #define DTLS1_VERSION 0xFEFF
-+#define DTLS_MAX_VERSION DTLS1_VERSION
-+
- #define DTLS1_BAD_VER 0x0100
-
- #if 0
-@@ -284,4 +286,3 @@
- }
- #endif
- #endif
--
-Index: openssl-1.0.1e/ssl/s23_clnt.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s23_clnt.c 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/ssl/s23_clnt.c 2014-10-15 17:46:43.878259185 +0000
-@@ -715,6 +715,9 @@
- goto err;
- }
-
-+ /* ensure that TLS_MAX_VERSION is up-to-date */
-+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
-+
- if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING)
- {
- /* fatal alert */
-Index: openssl-1.0.1e/ssl/s23_srvr.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s23_srvr.c 2014-10-15 17:46:21.000000000 +0000
-+++ openssl-1.0.1e/ssl/s23_srvr.c 2014-10-15 17:46:43.878259185 +0000
-@@ -421,6 +421,9 @@
- }
- }
-
-+ /* ensure that TLS_MAX_VERSION is up-to-date */
-+ OPENSSL_assert(s->version <= TLS_MAX_VERSION);
-+
- #ifdef OPENSSL_FIPS
- if (FIPS_mode() && (s->version < TLS1_VERSION))
- {
-Index: openssl-1.0.1e/ssl/s2_lib.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s2_lib.c 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/ssl/s2_lib.c 2014-10-15 17:46:43.878259185 +0000
-@@ -391,6 +391,8 @@
- case SSL_CTRL_GET_SESSION_REUSED:
- ret=s->hit;
- break;
-+ case SSL_CTRL_CHECK_PROTO_VERSION:
-+ return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg);
- default:
- break;
- }
-@@ -437,7 +439,7 @@
- if (p != NULL)
- {
- l=c->id;
-- if ((l & 0xff000000) != 0x02000000) return(0);
-+ if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0);
- p[0]=((unsigned char)(l>>16L))&0xFF;
- p[1]=((unsigned char)(l>> 8L))&0xFF;
- p[2]=((unsigned char)(l ))&0xFF;
-Index: openssl-1.0.1e/ssl/s3_enc.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_enc.c 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/ssl/s3_enc.c 2014-10-15 17:46:43.878259185 +0000
-@@ -892,7 +892,7 @@
- case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE);
- case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE);
- case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
-+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
- default: return(-1);
- }
- }
--
-Index: openssl-1.0.1e/ssl/s3_lib.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/s3_lib.c 2014-10-15 17:46:21.000000000 +0000
-+++ openssl-1.0.1e/ssl/s3_lib.c 2014-10-15 17:46:43.878259185 +0000
-@@ -3355,6 +3355,33 @@
- #endif
-
- #endif /* !OPENSSL_NO_TLSEXT */
-+
-+ case SSL_CTRL_CHECK_PROTO_VERSION:
-+ /* For library-internal use; checks that the current protocol
-+ * is the highest enabled version (according to s->ctx->method,
-+ * as version negotiation may have changed s->method). */
-+ if (s->version == s->ctx->method->version)
-+ return 1;
-+ /* Apparently we're using a version-flexible SSL_METHOD
-+ * (not at its highest protocol version). */
-+ if (s->ctx->method->version == SSLv23_method()->version)
-+ {
-+#if TLS_MAX_VERSION != TLS1_2_VERSION
-+# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION.
-+#endif
-+ if (!(s->options & SSL_OP_NO_TLSv1_2))
-+ return s->version == TLS1_2_VERSION;
-+ if (!(s->options & SSL_OP_NO_TLSv1_1))
-+ return s->version == TLS1_1_VERSION;
-+ if (!(s->options & SSL_OP_NO_TLSv1))
-+ return s->version == TLS1_VERSION;
-+ if (!(s->options & SSL_OP_NO_SSLv3))
-+ return s->version == SSL3_VERSION;
-+ if (!(s->options & SSL_OP_NO_SSLv2))
-+ return s->version == SSL2_VERSION;
-+ }
-+ return 0; /* Unexpected state; fail closed. */
-+
- default:
- break;
- }
-@@ -3714,6 +3741,7 @@
- break;
- #endif
- #endif
-+
- default:
- return(0);
- }
-@@ -4291,4 +4319,3 @@
- return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
- return alg2;
- }
--
-Index: openssl-1.0.1e/ssl/ssl.h
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl.h 2014-10-15 17:46:21.000000000 +0000
-+++ openssl-1.0.1e/ssl/ssl.h 2014-10-15 17:50:19.817503265 +0000
-@@ -645,6 +645,10 @@
- * TLS only.) "Released" buffers are put onto a free-list in the context
- * or just freed (depending on the context's setting for freelist_max_len). */
- #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
-+/* Send TLS_FALLBACK_SCSV in the ClientHello.
-+ * To be set by applications that reconnect with a downgraded protocol
-+ * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
-+#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
-
- /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
- * they cannot be used to clear bits. */
-@@ -1503,6 +1507,7 @@
- #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
- #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
- #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
-+#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
-
- #define SSL_ERROR_NONE 0
- #define SSL_ERROR_SSL 1
-@@ -1613,6 +1618,8 @@
- #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82
- #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83
-
-+#define SSL_CTRL_CHECK_PROTO_VERSION 119
-+
- #define DTLSv1_get_timeout(ssl, arg) \
- SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg)
- #define DTLSv1_handle_timeout(ssl) \
-@@ -2367,6 +2374,7 @@
- #define SSL_R_HTTPS_PROXY_REQUEST 155
- #define SSL_R_HTTP_REQUEST 156
- #define SSL_R_ILLEGAL_PADDING 283
-+#define SSL_R_INAPPROPRIATE_FALLBACK 373
- #define SSL_R_INCONSISTENT_COMPRESSION 340
- #define SSL_R_INVALID_CHALLENGE_LENGTH 158
- #define SSL_R_INVALID_COMMAND 280
-@@ -2513,6 +2521,7 @@
- #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021
- #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051
- #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060
-+#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086
- #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071
- #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
- #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100
-Index: openssl-1.0.1e/ssl/ssl3.h
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl3.h 2014-10-15 17:46:21.000000000 +0000
-+++ openssl-1.0.1e/ssl/ssl3.h 2014-10-15 17:46:43.882259097 +0000
-@@ -128,9 +128,14 @@
- extern "C" {
- #endif
-
--/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
-+/* Signalling cipher suite value from RFC 5746
-+ * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */
- #define SSL3_CK_SCSV 0x030000FF
-
-+/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00
-+ * (TLS_FALLBACK_SCSV) */
-+#define SSL3_CK_FALLBACK_SCSV 0x03005600
-+
- #define SSL3_CK_RSA_NULL_MD5 0x03000001
- #define SSL3_CK_RSA_NULL_SHA 0x03000002
- #define SSL3_CK_RSA_RC4_40_MD5 0x03000003
-Index: openssl-1.0.1e/ssl/ssl_err.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl_err.c 2014-10-15 17:46:21.000000000 +0000
-+++ openssl-1.0.1e/ssl/ssl_err.c 2014-10-15 17:46:43.882259097 +0000
-@@ -383,6 +383,7 @@
- {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"},
- {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"},
- {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"},
-+{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"},
- {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"},
- {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"},
- {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"},
-@@ -529,6 +530,7 @@
- {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"},
-+{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"},
- {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"},
-Index: openssl-1.0.1e/ssl/ssl_lib.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/ssl_lib.c 2014-10-15 17:46:21.000000000 +0000
-+++ openssl-1.0.1e/ssl/ssl_lib.c 2014-10-15 17:46:43.882259097 +0000
-@@ -1383,6 +1383,8 @@
-
- if (sk == NULL) return(0);
- q=p;
-+ if (put_cb == NULL)
-+ put_cb = s->method->put_cipher_by_char;
-
- for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
- {
-@@ -1407,24 +1409,36 @@
- !(s->srp_ctx.srp_Mask & SSL_kSRP))
- continue;
- #endif /* OPENSSL_NO_SRP */
-- j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p);
-+ j = put_cb(c,p);
- p+=j;
- }
-- /* If p == q, no ciphers and caller indicates an error. Otherwise
-- * add SCSV if not renegotiating.
-- */
-- if (p != q && !s->renegotiate)
-+ /* If p == q, no ciphers; caller indicates an error.
-+ * Otherwise, add applicable SCSVs. */
-+ if (p != q)
- {
-- static SSL_CIPHER scsv =
-+ if (!s->renegotiate)
- {
-- 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
-- };
-- j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p);
-- p+=j;
-+ static SSL_CIPHER scsv =
-+ {
-+ 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
-+ };
-+ j = put_cb(&scsv,p);
-+ p+=j;
- #ifdef OPENSSL_RI_DEBUG
-- fprintf(stderr, "SCSV sent by client\n");
-+ fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n");
- #endif
-- }
-+ }
-+
-+ if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV)
-+ {
-+ static SSL_CIPHER scsv =
-+ {
-+ 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0
-+ };
-+ j = put_cb(&scsv,p);
-+ p+=j;
-+ }
-+ }
-
- return(p-q);
- }
-@@ -1435,11 +1449,12 @@
- const SSL_CIPHER *c;
- STACK_OF(SSL_CIPHER) *sk;
- int i,n;
-+
- if (s->s3)
- s->s3->send_connection_binding = 0;
-
- n=ssl_put_cipher_by_char(s,NULL,NULL);
-- if ((num%n) != 0)
-+ if (n == 0 || (num%n) != 0)
- {
- SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST);
- return(NULL);
-@@ -1454,7 +1469,7 @@
-
- for (i=0; i<num; i+=n)
- {
-- /* Check for SCSV */
-+ /* Check for TLS_EMPTY_RENEGOTIATION_INFO_SCSV */
- if (s->s3 && (n != 3 || !p[0]) &&
- (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) &&
- (p[n-1] == (SSL3_CK_SCSV & 0xff)))
-@@ -1474,6 +1489,23 @@
- continue;
- }
-
-+ /* Check for TLS_FALLBACK_SCSV */
-+ if ((n != 3 || !p[0]) &&
-+ (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) &&
-+ (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff)))
-+ {
-+ /* The SCSV indicates that the client previously tried a higher version.
-+ * Fail if the current version is an unexpected downgrade. */
-+ if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL))
-+ {
-+ SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK);
-+ if (s->s3)
-+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
-+ goto err;
-+ }
-+ continue;
-+ }
-+
- c=ssl_get_cipher_by_char(s,p);
- p+=n;
- if (c != NULL)
-Index: openssl-1.0.1e/ssl/t1_enc.c
-===================================================================
---- openssl-1.0.1e.orig/ssl/t1_enc.c 2014-10-15 17:46:21.000000000 +0000
-+++ openssl-1.0.1e/ssl/t1_enc.c 2014-10-15 17:46:43.882259097 +0000
-@@ -1244,6 +1244,7 @@
- case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE);
- case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
- case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY);
-+ case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK);
- #if 0 /* not appropriate for TLS, not used for DTLS */
- case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return
- (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE);
-Index: openssl-1.0.1e/ssl/tls1.h
-===================================================================
---- openssl-1.0.1e.orig/ssl/tls1.h 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/ssl/tls1.h 2014-10-15 17:46:43.882259097 +0000
-@@ -159,17 +159,19 @@
-
- #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0
-
-+#define TLS1_VERSION 0x0301
-+#define TLS1_1_VERSION 0x0302
- #define TLS1_2_VERSION 0x0303
--#define TLS1_2_VERSION_MAJOR 0x03
--#define TLS1_2_VERSION_MINOR 0x03
-+#define TLS_MAX_VERSION TLS1_2_VERSION
-+
-+#define TLS1_VERSION_MAJOR 0x03
-+#define TLS1_VERSION_MINOR 0x01
-
--#define TLS1_1_VERSION 0x0302
- #define TLS1_1_VERSION_MAJOR 0x03
- #define TLS1_1_VERSION_MINOR 0x02
-
--#define TLS1_VERSION 0x0301
--#define TLS1_VERSION_MAJOR 0x03
--#define TLS1_VERSION_MINOR 0x01
-+#define TLS1_2_VERSION_MAJOR 0x03
-+#define TLS1_2_VERSION_MINOR 0x03
-
- #define TLS1_get_version(s) \
- ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0)
-@@ -187,6 +189,7 @@
- #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */
- #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */
- #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */
-+#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */
- #define TLS1_AD_USER_CANCELLED 90
- #define TLS1_AD_NO_RENEGOTIATION 100
- /* codes 110-114 are from RFC3546 */
-Index: openssl-1.0.1e/doc/apps/s_client.pod
-===================================================================
---- openssl-1.0.1e.orig/doc/apps/s_client.pod 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/doc/apps/s_client.pod 2014-10-15 17:46:43.882259097 +0000
-@@ -34,6 +34,9 @@
- [B<-no_ssl2>]
- [B<-no_ssl3>]
- [B<-no_tls1>]
-+[B<-no_tls1_1>]
-+[B<-no_tls1_2>]
-+[B<-fallback_scsv>]
- [B<-bugs>]
- [B<-cipher cipherlist>]
- [B<-starttls protocol>]
-@@ -176,16 +179,19 @@
- given as a hexadecimal number without leading 0x, for example -psk
- 1a2b3c4d.
-
--=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>
-+=item B<-ssl2>, B<-ssl3>, B<-tls1>, B<-no_ssl2>, B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>
-
- these options disable the use of certain SSL or TLS protocols. By default
- the initial handshake uses a method which should be compatible with all
- servers and permit them to use SSL v3, SSL v2 or TLS as appropriate.
-
--Unfortunately there are a lot of ancient and broken servers in use which
-+Unfortunately there are still ancient and broken servers in use which
- cannot handle this technique and will fail to connect. Some servers only
--work if TLS is turned off with the B<-no_tls> option others will only
--support SSL v2 and may need the B<-ssl2> option.
-+work if TLS is turned off.
-+
-+=item B<-fallback_scsv>
-+
-+Send TLS_FALLBACK_SCSV in the ClientHello.
-
- =item B<-bugs>
-
-Index: openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod
-===================================================================
---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_mode.pod 2013-02-11 15:26:04.000000000 +0000
-+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_mode.pod 2014-10-15 17:46:43.882259097 +0000
-@@ -71,6 +71,12 @@
- save around 34k per idle SSL connection.
- This flag has no effect on SSL v2 connections, or on DTLS connections.
-
-+=item SSL_MODE_FALLBACK_SCSV
-+
-+Send TLS_FALLBACK_SCSV in the ClientHello.
-+To be set by applications that reconnect with a downgraded protocol
-+version; see draft-ietf-tls-downgrade-scsv-00 for details.
-+
- =back
-
- =head1 RETURN VALUES
Added: openssl/branches/wheezy/debian/patches/Update-S-MIME-certificates.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/Update-S-MIME-certificates.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/Update-S-MIME-certificates.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,596 @@
+From 24762dee178bace3c39d6bdbea44f0455d9a240b Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Wed, 11 May 2016 18:00:52 +0100
+Subject: [PATCH] Update S/MIME certificates.
+
+Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
+---
+ test/smime-certs/smdsa1.pem | 75 ++++++++++++++++++++++++++-------------------
+ test/smime-certs/smdsa2.pem | 75 ++++++++++++++++++++++++++-------------------
+ test/smime-certs/smdsa3.pem | 75 ++++++++++++++++++++++++++-------------------
+ test/smime-certs/smroot.pem | 75 ++++++++++++++++++++++++++++-----------------
+ test/smime-certs/smrsa1.pem | 74 +++++++++++++++++++++++++++-----------------
+ test/smime-certs/smrsa2.pem | 74 +++++++++++++++++++++++++++-----------------
+ test/smime-certs/smrsa3.pem | 74 +++++++++++++++++++++++++++-----------------
+ 7 files changed, 317 insertions(+), 205 deletions(-)
+
+diff --git a/test/smime-certs/smdsa1.pem b/test/smime-certs/smdsa1.pem
+index d5677dbfbec4..b424f6704ed9 100644
+--- a/test/smime-certs/smdsa1.pem
++++ b/test/smime-certs/smdsa1.pem
+@@ -1,34 +1,47 @@
+------BEGIN DSA PRIVATE KEY-----
+-MIIBuwIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
+-OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
+-GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
+-jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
+-wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
+-+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
+-SJCBQw5zAoGATQlPPF+OeU8nu3rsdXGDiZdJzOkuCce3KQfTABA9C+Dk4CVcvBdd
+-YRLGpnykumkNTO1sTO+4/Gphsuje1ujK9td4UEhdYqylCe5QjEMrszDlJtelDQF9
+-C0yhdjKGTP0kxofLhsGckcuQvcKEKffT2pDDKJIy4vWQO0UyJl1vjLcCFG2uiGGx
+-9fMUZq1v0ePD4Wo0Xkxo
+------END DSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----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++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIDpDCCAw2gAwIBAgIJAMtotfHYdEsWMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
++MIIFkDCCBHigAwIBAgIJANk5lu6mSyBDMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
+ CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBEU0EgIzEwggG3MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
+-CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
+-mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
+-jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
+-CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
+-kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
+-xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhAACgYBN
+-CU88X455Tye7eux1cYOJl0nM6S4Jx7cpB9MAED0L4OTgJVy8F11hEsamfKS6aQ1M
+-7WxM77j8amGy6N7W6Mr213hQSF1irKUJ7lCMQyuzMOUm16UNAX0LTKF2MoZM/STG
+-h8uGwZyRy5C9woQp99PakMMokjLi9ZA7RTImXW+Mt6OBgzCBgDAdBgNVHQ4EFgQU
+-4Qfbhpi5yqXaXuCLXj427mR25MkwHwYDVR0jBBgwFoAUE89Lp7uJLrM4Vxd2xput
+-aFvl7RcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwIAYDVR0RBBkwF4EV
+-c21pbWVkc2ExQG9wZW5zc2wub3JnMA0GCSqGSIb3DQEBBQUAA4GBAFrdUzKK1pWO
+-kd02S423KUBc4GWWyiGlVoEO7WxVhHLJ8sm67X7OtJOwe0UGt+Nc5qLtyJYSirw8
+-phjiTdNpQCTJ8+Kc56tWkJ6H7NAI4vTJtPL5BM/EmeYrVSU9JI9xhqpyKw9IBD+n
+-hRJ79W9FaiJRvaAOX+TkyTukJrxAWRyv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+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smdsa2.pem b/test/smime-certs/smdsa2.pem
+index ef86c115d7f9..648447fc89a1 100644
+--- a/test/smime-certs/smdsa2.pem
++++ b/test/smime-certs/smdsa2.pem
+@@ -1,34 +1,47 @@
+------BEGIN DSA PRIVATE KEY-----
+-MIIBvAIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
+-OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
+-GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
+-jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
+-wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
+-+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
+-SJCBQw5zAoGBAIPmO8BtJ+Yac58trrPwq9b/6VW3jQTWzTLWSH84/QQdqQa+Pz3v
+-It/+hHM0daNF5uls8ICsPL1aLXmRx0pHvIyb0aAzYae4T4Jv/COPDMTdKbA1uitJ
+-VbkGZrm+LIrs7I9lOkb4T0vI6kL/XdOCXY1469zsqCgJ/O2ibn6mq0nWAhR716o2
+-Nf8SimTZYB0/CKje6M5ufA==
+------END DSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----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++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIDpTCCAw6gAwIBAgIJAMtotfHYdEsXMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
++MIIFkDCCBHigAwIBAgIJANk5lu6mSyBEMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
+ CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggG4MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
+-CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
+-mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
+-jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
+-CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
+-kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
+-xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhQACgYEA
+-g+Y7wG0n5hpzny2us/Cr1v/pVbeNBNbNMtZIfzj9BB2pBr4/Pe8i3/6EczR1o0Xm
+-6WzwgKw8vVoteZHHSke8jJvRoDNhp7hPgm/8I48MxN0psDW6K0lVuQZmub4siuzs
+-j2U6RvhPS8jqQv9d04JdjXjr3OyoKAn87aJufqarSdajgYMwgYAwHQYDVR0OBBYE
+-FHsAGNfVltSYUq4hC+YVYwsYtA+dMB8GA1UdIwQYMBaAFBPPS6e7iS6zOFcXdsab
+-rWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgbAMCAGA1UdEQQZMBeB
+-FXNtaW1lZHNhMkBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQCx9BtCbaYF
+-FXjLClkuKXbESaDZA1biPgY25i00FsUzARuhCpqD2v+0tu5c33ZzIhL6xlvBRU5l
+-6Atw/xpZhae+hdBEtxPJoGekLLrHOau7Md3XwDjV4lFgcEJkWZoaSOOIK+4D5jF0
+-jZWtHjnwEzuLYlo7ScHSsbcQfjH0M1TP5A==
++ZXN0IFMvTUlNRSBFRSBEU0EgIzIwggNGMIICOQYHKoZIzjgEATCCAiwCggEBAJB8
++uU116E+dOsYgyHDiuTS65rqTWcIbfNzJ9eWLXsF0HaTQcE9pMDdrdkd863UDDLRS
++7TBneB0+v3PQjriGclcgai7MhqdnudhEiYe1fkkwVtd7LGjU7B3ZmzegST2dBShS
++wzG+ZgL+CE8vlnHWk/FwcI7DNbGgbjJkyOKZc5zX9bvO8r/j+D8LP18i0PfN1zJ1
+++Az+ErT8J5hDbXF+Gp/iaMq/2mWcJxaBOgYj7sfxUrzQwVuQ7ZApHPe8/X9OMro9
++Gb2wR4HlvXT5K8a/aPbD4ILR9cvizqfs+0GWb9vDDzEvX8DPyTB6NRwgjUNzy43D
++AhLAZvBoYG+XsgembbUCIQCuh1mL6cIpl1MvwiAKNfefQO6E9GRVA+PP8HpXB4tb
++0wKCAQB+KaRQ3CewYWnuYozMkqEehCQwHWonPIgeMPND8nXGN+gXqLbtp/DX9Ypu
++g0Pl6x5mGWEDZM7lkkHqcbEM4T2VVDFhWaX75xCPp+geHVNUkCAaXiZa695b9HP4
++0SGkrjNV4Sx8ytuQHKk8HLLHMXVnj23nrzF0ij57yMsjwWMR1c4hSDh6EHc1jpIv
++yvignj2P+wlZ8dwOhYf8sr1loEXw2l+Ul7cXjRLxEO8zyPYcL7LZDhDIqTUNcaIf
++7vJAsZbOvczveQLdQGecfSEfFvshIMJPt0LD+UfWcJtUUE4zQBIjbpJKwVJdCu8P
++aSvJFxNnQqTLKGGg84NalT5NAyzFA4IBBQACggEAItQlFu0t7Mw1HHROuuwKLS+E
++h2WNNZP96MLQTygOVlqgaJY+1mJLzvl/51LLH6YezX0t89Z2Dm/3SOJEdNrdbIEt
++tbu5rzymXxFhc8uaIYZFhST38oQwJOjM8wFitAQESe6/9HZjkexMqSqx/r5aEKTa
++LBinqA1BJRI72So1/1dv8P99FavPADdj8V7fAccReKEQKnfnwA7mrnD+OlIqFKFn
++3wCGk8Sw7tSJ9g6jgCI+zFwrKn2w+w+iot/Ogxl9yMAtKmAd689IAZr5GPPvV2y0
++KOogCiUYgSTSawZhr+rjyFavfI5dBWzMq4tKx/zAi6MJ+6hGJjJ8jHoT9JAPmaNg
++MF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0OBBYEFGaxw04k
++qpufeGZC+TTBq8oMnXyrMB8GA1UdIwQYMBaAFMmRUwpjexZbi71E8HaIqSTm5bZs
++MA0GCSqGSIb3DQEBBQUAA4IBAQCk2Xob1ICsdHYx/YsBzY6E1eEwcI4RZbZ3hEXp
++VA72/Mbz60gjv1OwE5Ay4j+xG7IpTio6y2A9ZNepGpzidYcsL/Lx9Sv1LlN0Ukzb
++uk6Czd2sZJp+PFMTTrgCd5rXKnZs/0D84Vci611vGMA1hnUnbAnBBmgLXe9pDNRV
++6mhmCLLjJ4GOr5Wxt/hhknr7V2e1VMx3Q47GZhc0o/gExfhxXA8+gicM0nEYNakD
++2A1F0qDhQGakjuofANHhjdUDqKJ1sxurAy80fqb0ddzJt2el89iXKN+aXx/zEX96
++GI5ON7z/bkVwIi549lUOpWb2Mved61NBzCLKVP7HSuEIsC/I
+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smdsa3.pem b/test/smime-certs/smdsa3.pem
+index eeb848dabc50..77acc5e46ffc 100644
+--- a/test/smime-certs/smdsa3.pem
++++ b/test/smime-certs/smdsa3.pem
+@@ -1,34 +1,47 @@
+------BEGIN DSA PRIVATE KEY-----
+-MIIBvAIBAAKBgQDFJfsIPOIawMO5biw+AoYUhNVxReBOLQosU3Qv4B8krac0BNr3
+-OjSGLh1wZxHqhlAE0QmasTaKojuk20nNWeFnczSz6vDl0IVJEhS8VYor5kt9gLqt
+-GcoAgsf4gRDIutJyQDaNn3IVY89uXUVIoexvQeLQDBCgQPC5O8rJdqBwtwIVAK2J
+-jt+dqk07eQUE59koYUEKyNorAoGBAI4IEpusf8G14kCHmRtnHXM2tG5EWJDmW6Qt
+-wjqvWp1GKUx5WFy1tVWR9nl5rL0Di+kNdENo+SkKj7h3uDulGOI6T0mQYbV2h1IK
+-+FMOGnOqvZ8eNTE2n4PGTo5puZ63LBm+QYrQsrNiUY4vakLFQ2rEK/SLwdsDFK4Z
+-SJCBQw5zAoGAYzOpPmh8Je1IDauEXhgaLz14wqYUHHcrj2VWVJ6fRm8GhdQFJSI7
+-GUk08pgKZSKic2lNqxuzW7/vFxKQ/nvzfytY16b+2i+BR4Q6yvMzCebE1hHVg0Ju
+-TwfUMwoFEOhYP6ZwHSUiQl9IBMH9TNJCMwYMxfY+VOrURFsjGTRUgpwCFQCIGt5g
+-Y+XZd0Sv69CatDIRYWvaIA==
+------END DSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----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++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIIDpDCCAw2gAwIBAgIJAMtotfHYdEsYMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
++MIIFkDCCBHigAwIBAgIJANk5lu6mSyBFMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzFaFw0yMzA1MjYxNzI4MzFaMEUx
+ CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBEU0EgIzMwggG3MIIBLAYHKoZIzjgEATCCAR8CgYEAxSX7
+-CDziGsDDuW4sPgKGFITVcUXgTi0KLFN0L+AfJK2nNATa9zo0hi4dcGcR6oZQBNEJ
+-mrE2iqI7pNtJzVnhZ3M0s+rw5dCFSRIUvFWKK+ZLfYC6rRnKAILH+IEQyLrSckA2
+-jZ9yFWPPbl1FSKHsb0Hi0AwQoEDwuTvKyXagcLcCFQCtiY7fnapNO3kFBOfZKGFB
+-CsjaKwKBgQCOCBKbrH/BteJAh5kbZx1zNrRuRFiQ5lukLcI6r1qdRilMeVhctbVV
+-kfZ5eay9A4vpDXRDaPkpCo+4d7g7pRjiOk9JkGG1dodSCvhTDhpzqr2fHjUxNp+D
+-xk6OabmetywZvkGK0LKzYlGOL2pCxUNqxCv0i8HbAxSuGUiQgUMOcwOBhAACgYBj
+-M6k+aHwl7UgNq4ReGBovPXjCphQcdyuPZVZUnp9GbwaF1AUlIjsZSTTymAplIqJz
+-aU2rG7Nbv+8XEpD+e/N/K1jXpv7aL4FHhDrK8zMJ5sTWEdWDQm5PB9QzCgUQ6Fg/
+-pnAdJSJCX0gEwf1M0kIzBgzF9j5U6tREWyMZNFSCnKOBgzCBgDAdBgNVHQ4EFgQU
+-VhpVXqQ/EzUMdxLvP7o9EhJ8h70wHwYDVR0jBBgwFoAUE89Lp7uJLrM4Vxd2xput
+-aFvl7RcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBsAwIAYDVR0RBBkwF4EV
+-c21pbWVkc2EzQG9wZW5zc2wub3JnMA0GCSqGSIb3DQEBBQUAA4GBACM9e75EQa8m
+-k/AZkH/tROqf3yeqijULl9x8FjFatqoY+29OM6oMGM425IqSkKd2ipz7OxO0SShu
+-rE0O3edS7DvYBwvhWPviRaYBMyZ4iFJVup+fOzoYK/j/bASxS3BHQBwb2r4rhe25
+-OlTyyFEk7DJyW18YFOG97S1P52oQ5f5x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+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smroot.pem b/test/smime-certs/smroot.pem
+index a59eb2684ca4..d1a253f40958 100644
+--- a/test/smime-certs/smroot.pem
++++ b/test/smime-certs/smroot.pem
+@@ -1,30 +1,49 @@
+------BEGIN RSA PRIVATE KEY-----
+-MIICXAIBAAKBgQDBV1Z/Q5gPF7lojc8pKUdyz5+Jf2B3vs4he6egekugWnoJduki
+-9Lnae/JchB/soIX0co3nLc11NuFFlnAWJNMDJr08l5AHAJLYNHevF5l/f9oDQwvZ
+-speKh1xpIAJNqCTzVeQ/ZLx6/GccIXV/xDuKIiovqJTPgR5WPkYKaw++lQIDAQAB
+-AoGALXnUj5SflJU4+B2652ydMKUjWl0KnL/VjkyejgGV/j6py8Ybaixz9q8Gv7oY
+-JDlRqMC1HfZJCFQDQrHy5VJ+CywA/H9WrqKo/Ch9U4tJAZtkig1Cmay/BAYixVu0
+-xBeim10aKF6hxHH4Chg9We+OCuzWBWJhqveNjuDedL/i7JUCQQDlejovcwBUCbhJ
+-U12qKOwlaboolWbl7yF3XdckTJZg7+1UqQHZH5jYZlLZyZxiaC92SNV0SyTLJZnS
+-Jh5CO+VDAkEA16/pPcuVtMMz/R6SSPpRSIAa1stLs0mFSs3NpR4pdm0n42mu05pO
+-1tJEt3a1g7zkreQBf53+Dwb+lA841EkjRwJBAIFmt0DifKDnCkBu/jZh9SfzwsH3
+-3Zpzik+hXxxdA7+ODCrdUul449vDd5zQD5t+XKU61QNLDGhxv5e9XvrCg7kCQH/a
+-3ldsVF0oDaxxL+QkxoREtCQ5tLEd1u7F2q6Tl56FDE0pe6Ih6bQ8RtG+g9EI60IN
+-U7oTrOO5kLWx5E0q4ccCQAZVgoenn9MhRU1agKOCuM6LT2DxReTu4XztJzynej+8
+-0J93n3ebanB1MlRpn1XJwhQ7gAC8ImaQKLJK5jdJzFc=
+------END RSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----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++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIICaTCCAdKgAwIBAgIJAP6VN47boiXRMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDdaFw0xNjA1MTExMzUzMDdaMEQx
+-CzAJBgNVBAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRU
+-ZXN0IFMvTUlNRSBSU0EgUm9vdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+-wVdWf0OYDxe5aI3PKSlHcs+fiX9gd77OIXunoHpLoFp6CXbpIvS52nvyXIQf7KCF
+-9HKN5y3NdTbhRZZwFiTTAya9PJeQBwCS2DR3rxeZf3/aA0ML2bKXiodcaSACTagk
+-81XkP2S8evxnHCF1f8Q7iiIqL6iUz4EeVj5GCmsPvpUCAwEAAaNjMGEwHQYDVR0O
+-BBYEFBPPS6e7iS6zOFcXdsabrWhb5e0XMB8GA1UdIwQYMBaAFBPPS6e7iS6zOFcX
+-dsabrWhb5e0XMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMA0GCSqG
+-SIb3DQEBBQUAA4GBAIECprq5viDvnDbkyOaiSr9ubMUmWqvycfAJMdPZRKcOZczS
+-l+L9R9lF3JSqbt3knOe9u6bGDBOTY2285PdCCuHRVMk2Af1f6El1fqAlRUwNqipp
+-r68sWFuRqrcRNtk6QQvXfkOhrqQBuDa7te/OVQLa2lGN9Dr2mQsD8ijctatG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+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smrsa1.pem b/test/smime-certs/smrsa1.pem
+index 2cf3148e334b..d0d0b9e66b01 100644
+--- a/test/smime-certs/smrsa1.pem
++++ b/test/smime-certs/smrsa1.pem
+@@ -1,31 +1,49 @@
+------BEGIN RSA PRIVATE KEY-----
+-MIICXgIBAAKBgQC6A978j4pmPgUtUQqF+bjh6vdhwGOGZSD7xXgFTMjm88twfv+E
+-ixkq2KXSDjD0ZXoQbdOaSbvGRQrIJpG2NGiKAFdYNrP025kCCdh5wF/aEI7KLEm7
+-JlHwXpQsuj4wkMgmkFjL3Ty4Z55aNH+2pPQIa0k+ENJXm2gDuhqgBmduAwIDAQAB
+-AoGBAJMuYu51aO2THyeHGwt81uOytcCbqGP7eoib62ZOJhxPRGYjpmuqX+R9/V5i
+-KiwGavm63JYUx0WO9YP+uIZxm1BUATzkgkS74u5LP6ajhkZh6/Bck1oIYYkbVOXl
+-JVrdENuH6U7nupznsyYgONByo+ykFPVUGmutgiaC7NMVo/MxAkEA6KLejWXdCIEn
+-xr7hGph9NlvY9xuRIMexRV/WrddcFfCdjI1PciIupgrIkR65M9yr7atm1iU6/aRf
+-KOr8rLZsSQJBAMyyXN71NsDNx4BP6rtJ/LJMP0BylznWkA7zWfGCbAYn9VhZVlSY
+-Eu9Gyr7quD1ix7G3kInKVYOEEOpockBLz+sCQQCedyMmKjcQLfpMVYW8uhbAynvW
+-h36qV5yXZxszO7nMcCTBsxhk5IfmLv5EbCs3+p9avCDGyoGOeUMg+kC33WORAkAg
+-oUIarH4o5+SoeJTTfCzTA0KF9H5U0vYt2+73h7HOnWoHxl3zqDZEfEVvf50U8/0f
+-QELDJETTbScBJtsnkq43AkEA38etvoZ2i4FJvvo7R/9gWBHVEcrGzcsCBYrNnIR1
+-SZLRwHEGaiOK1wxMsWzqp7PJwL9z/M8A8DyOFBx3GPOniA==
+------END RSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----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++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIICizCCAfSgAwIBAgIJAMtotfHYdEsTMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDhaFw0xNjA1MTAxMzUzMDhaMEUx
++MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBAMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
+ CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBSU0EgIzEwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+-ALoD3vyPimY+BS1RCoX5uOHq92HAY4ZlIPvFeAVMyObzy3B+/4SLGSrYpdIOMPRl
+-ehBt05pJu8ZFCsgmkbY0aIoAV1g2s/TbmQIJ2HnAX9oQjsosSbsmUfBelCy6PjCQ
+-yCaQWMvdPLhnnlo0f7ak9AhrST4Q0lebaAO6GqAGZ24DAgMBAAGjgYMwgYAwHQYD
+-VR0OBBYEFE2vMvKz5jrC7Lbdg68XwZ95iL/QMB8GA1UdIwQYMBaAFBPPS6e7iS6z
+-OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
+-EQQZMBeBFXNtaW1lcnNhMUBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQAi
+-O3GOkUl646oLnOimc36i9wxZ1tejsqs8vMjJ0Pym6Uq9FE2JoGzJ6OhB1GOsEVmj
+-9cQ5UNQcRYL3cqOFtl6f4Dpu/lhzfbaqgmLjv29G1mS0uuTZrixhlyCXjwcbOkNC
+-I/+wvHHENYIK5+T/79M9LaZ2Qk4F9MNE1VMljdz9Qw==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+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smrsa2.pem b/test/smime-certs/smrsa2.pem
+index d41f69c82f67..2f17cb2978f4 100644
+--- a/test/smime-certs/smrsa2.pem
++++ b/test/smime-certs/smrsa2.pem
+@@ -1,31 +1,49 @@
+------BEGIN RSA PRIVATE KEY-----
+-MIICWwIBAAKBgQCwBfryW4Vu5U9wNIDKspJO/N9YF4CcTlrCUyzVlKgb+8urHlSe
+-59i5verR9IOCCXkemjOzZ/3nALTGqYZlnEvHp0Rjk+KdKXnKBIB+SRPpeu3LcXMT
+-WPgsThPa0UQxedNKG0g6aG+kLhsDlFBCoxd09jJtSpb9jmroJOq0ZYEHLwIDAQAB
+-AoGAKa/w4677Je1W5+r3SYoLDnvi5TkDs4D3C6ipKJgBTEdQz+DqB4w/DpZE4551
+-+rkFn1LDxcxuHGRVa+tAMhZW97fwq9YUbjVZEyOz79qrX+BMyl/NbHkf1lIKDo3q
+-dWalzQvop7nbzeLC+VmmviwZfLQUbA61AQl3jm4dswT4XykCQQDloDadEv/28NTx
+-bvvywvyGuvJkCkEIycm4JrIInvwsd76h/chZ3oymrqzc7hkEtK6kThqlS5y+WXl6
+-QzPruTKTAkEAxD2ro/VUoN+scIVaLmn0RBmZ67+9Pdn6pNSfjlK3s0T0EM6/iUWS
+-M06l6L9wFS3/ceu1tIifsh9BeqOGTa+udQJARIFnybTBaIqw/NZ/lA1YCVn8tpvY
+-iyaoZ6gjtS65TQrsdKeh/i3HCHNUXxUpoZ3F/H7QtD+6o49ODou+EbVOwQJAVmex
+-A2gp8wuJKaINqxIL81AybZLnCCzKJ3lXJ5tUNyLNM/lUbGStktm2Q1zHRQwTxV07
+-jFn7trn8YrtNjzcjYQJAUKIJRt38A8Jw3HoPT+D0WS2IgxjVL0eYGsZX1lyeammG
+-6rfnQ3u5uP7mEK2EH2o8mDUpAE0gclWBU9UkKxJsGA==
+------END RSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----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++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIICizCCAfSgAwIBAgIJAMtotfHYdEsUMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDhaFw0xNjA1MTAxMzUzMDhaMEUx
++MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBBMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
+ CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBSU0EgIzIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+-ALAF+vJbhW7lT3A0gMqykk7831gXgJxOWsJTLNWUqBv7y6seVJ7n2Lm96tH0g4IJ
+-eR6aM7Nn/ecAtMaphmWcS8enRGOT4p0pecoEgH5JE+l67ctxcxNY+CxOE9rRRDF5
+-00obSDpob6QuGwOUUEKjF3T2Mm1Klv2Oaugk6rRlgQcvAgMBAAGjgYMwgYAwHQYD
+-VR0OBBYEFIL/u+mEvaw7RuKLRuElfVkxSQjYMB8GA1UdIwQYMBaAFBPPS6e7iS6z
+-OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
+-EQQZMBeBFXNtaW1lcnNhMkBvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQC2
+-rXR5bm/9RtOMQPleNpd3y6uUX3oy+0CafK5Yl3PMnItjjnKJ0l1/DbLbDj2twehe
+-ewaB8CROcBCA3AMLSmGvPKgUCFMGtWam3328M4fBHzon5ka7qDXzM+imkAly/Yx2
+-YNdR/aNOug+5sXygHmTSKqiCpQjOIClzXoPVVeEVHw==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+ -----END CERTIFICATE-----
+diff --git a/test/smime-certs/smrsa3.pem b/test/smime-certs/smrsa3.pem
+index c8cbe55151ef..14c27f64aa90 100644
+--- a/test/smime-certs/smrsa3.pem
++++ b/test/smime-certs/smrsa3.pem
+@@ -1,31 +1,49 @@
+------BEGIN RSA PRIVATE KEY-----
+-MIICXAIBAAKBgQC6syTZtZNe1hRScFc4PUVyVLsr7+C1HDIZnOHmwFoLayX6RHwy
+-ep/TkdwiPHnemVLuwvpSjLMLZkXy/J764kSHJrNeVl3UvmCVCOm40hAtK1+F39pM
+-h8phkbPPD7i+hwq4/Vs79o46nzwbVKmzgoZBJhZ+codujUSYM3LjJ4aq+wIDAQAB
+-AoGAE1Zixrnr3bLGwBMqtYSDIOhtyos59whImCaLr17U9MHQWS+mvYO98if1aQZi
+-iQ/QazJ+wvYXxWJ+dEB+JvYwqrGeuAU6He/rAb4OShG4FPVU2D19gzRnaButWMeT
+-/1lgXV08hegGBL7RQNaN7b0viFYMcKnSghleMP0/q+Y/oaECQQDkXEwDYJW13X9p
+-ijS20ykWdY5lLknjkHRhhOYux0rlhOqsyMZjoUmwI2m0qj9yrIysKhrk4MZaM/uC
+-hy0xp3hdAkEA0Uv/UY0Kwsgc+W6YxeypECtg1qCE6FBib8n4iFy/6VcWqhvE5xrs
+-OdhKv9/p6aLjLneGd1sU+F8eS9LGyKIbNwJBAJPgbNzXA7uUZriqZb5qeTXxBDfj
+-RLfXSHYKAKEULxz3+JvRHB9SR4yHMiFrCdExiZrHXUkPgYLSHLGG5a4824UCQD6T
+-9XvhquUARkGCAuWy0/3Eqoihp/t6BWSdQ9Upviu7YUhtUxsyXo0REZB7F4pGrJx5
+-GlhXgFaewgUzuUHFzlMCQCzJMMWslWpoLntnR6sMhBMhBFHSw+Y5CbxBmFrdtSkd
+-VdtNO1VuDCTxjjW7W3Khj7LX4KZ1ye/5jfAgnnnXisc=
+------END RSA PRIVATE KEY-----
++-----BEGIN PRIVATE KEY-----
++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCyK+BTAOJKJjji
++OhY60NeZjzGGZxEBfCm62n0mwkzusW/V/e63uwj6uOVCFoVBz5doMf3M6QIS2jL3
++Aw6Qs5+vcuLA0gHrqIwjYQz1UZ5ETLKLKbQw6YOIVfsFSTxytUVpfcByrubWiLKX
++63theG1/IVokDK/9/k52Kyt+wcCjuRb7AJQFj2OLDRuWm/gavozkK103gQ+dUq4H
++XamZMtTq1EhQOfc0IUeCOEL6xz4jzlHHfzLdkvb7Enhav2sXDfOmZp/DYf9IqS7l
++vFkkINPVbYFBTexaPZlFwmpGRjkmoyH/w+Jlcpzs+w6p1diWRpaSn62bbkRN49j6
++L2dVb+DfAgMBAAECggEAciwDl6zdVT6g/PbT/+SMA+7qgYHSN+1koEQaJpgjzGEP
++lUUfj8TewCtzXaIoyj9IepBuXryBg6snNXpT/w3bqgYon/7zFBvxkUpDj4A5tvKf
++BuY2fZFlpBvUu1Ju1eKrFCptBBBoA9mc+BUB/ze4ktrAdJFcxZoMlVScjqGB3GdR
++OHw2x9BdWGCJBhiu9VHhAAb/LVWi6xgDumYSWZwN2yovg+7J91t5bsENeBRHycK+
++i5dNFh1umIK9N0SH6bpHPnLHrCRchrQ6ZRRxL4ZBKA9jFRDeI7OOsJuCvhGyJ1se
++snsLjr/Ahg00aiHCcC1SPQ6pmXAVBCG7hf4AX82V4QKBgQDaFDE+Fcpv84mFo4s9
++wn4CZ8ymoNIaf5zPl/gpH7MGots4NT5+Ns+6zzJQ6TEpDjTPx+vDaabP7QGXwVZn
++8NAHYvCQK37b+u9HrOt256YYRDOmnJFSbsJdmqzMEzpTNmQ8GuI37cZCS9CmSMv+
++ab/plcwuv0cJRSC83NN2AFyu1QKBgQDRJzKIBQlpprF9rA0D5ZjLVW4OH18A0Mmm
++oanw7qVutBaM4taFN4M851WnNIROyYIlkk2fNgW57Y4M8LER4zLrjU5HY4lB0BMX
++LQWDbyz4Y7L4lVnnEKfQxWFt9avNZwiCxCxEKy/n/icmVCzc91j9uwKcupdzrN6E
++yzPd1s5y4wKBgQCkJvzmAdsOp9/Fg1RFWcgmIWHvrzBXl+U+ceLveZf1j9K5nYJ7
++2OBGer4iH1XM1I+2M4No5XcWHg3L4FEdDixY0wXHT6Y/CcThS+015Kqmq3fBmyrc
++RNjzQoF9X5/QkSmkAIx1kvpgXtcgw70htRIrToGSUpKzDKDW6NYXhbA+PQKBgDJK
++KH5IJ8E9kYPUMLT1Kc4KVpISvPcnPLVSPdhuqVx69MkfadFSTb4BKbkwiXegQCjk
++isFzbeEM25EE9q6EYKP+sAm+RyyJ6W0zKBY4TynSXyAiWSGUAaXTL+AOqCaVVZiL
++rtEdSUGQ/LzclIT0/HLV2oTw4KWxtTdc3LXEhpNdAoGBAM3LckiHENqtoeK2gVNw
++IPeEuruEqoN4n+XltbEEv6Ymhxrs6T6HSKsEsLhqsUiIvIzH43KMm45SNYTn5eZh
++yzYMXLmervN7c1jJe2Y2MYv6hE+Ypj1xGW4w7s8WNKmVzLv97beisD9AZrS7sXfF
++RvOAi5wVkYylDxV4238MAZIq
++-----END PRIVATE KEY-----
+ -----BEGIN CERTIFICATE-----
+-MIICizCCAfSgAwIBAgIJAMtotfHYdEsVMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
+-BAYTAlVLMRYwFAYDVQQKEw1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDExRUZXN0IFMv
+-TUlNRSBSU0EgUm9vdDAeFw0wODAyMjIxMzUzMDlaFw0xNjA1MTAxMzUzMDlaMEUx
++MIIDbDCCAlSgAwIBAgIJANk5lu6mSyBCMA0GCSqGSIb3DQEBBQUAMEQxCzAJBgNV
++BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR0wGwYDVQQDDBRUZXN0IFMv
++TUlNRSBSU0EgUm9vdDAeFw0xMzA3MTcxNzI4MzBaFw0yMzA1MjYxNzI4MzBaMEUx
+ CzAJBgNVBAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMR4wHAYDVQQDDBVU
+-ZXN0IFMvTUlNRSBFRSBSU0EgIzMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
+-ALqzJNm1k17WFFJwVzg9RXJUuyvv4LUcMhmc4ebAWgtrJfpEfDJ6n9OR3CI8ed6Z
+-Uu7C+lKMswtmRfL8nvriRIcms15WXdS+YJUI6bjSEC0rX4Xf2kyHymGRs88PuL6H
+-Crj9Wzv2jjqfPBtUqbOChkEmFn5yh26NRJgzcuMnhqr7AgMBAAGjgYMwgYAwHQYD
+-VR0OBBYEFDsSFjNtYZzd0tTHafNS7tneQQj6MB8GA1UdIwQYMBaAFBPPS6e7iS6z
+-OFcXdsabrWhb5e0XMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCAGA1Ud
+-EQQZMBeBFXNtaW1lcnNhM0BvcGVuc3NsLm9yZzANBgkqhkiG9w0BAQUFAAOBgQBE
+-tUDB+1Dqigu4p1xtdq7JRK6S+gfA7RWmhz0j2scb2zhpS12h37JLHsidGeKAzZYq
+-jUjOrH/j3xcV5AnuJoqImJaN23nzzxtR4qGGX2mrq6EtObzdEGgCUaizsGM+0slJ
+-PYxcy8KeY/63B1BpYhj2RjGkL6HrvuAaxVORa3acoA==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+ -----END CERTIFICATE-----
+--
+2.8.1
+
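Review bot: The replacement S/MIME test fixtures carry a fixed validity window, so this patch fixes the expiry-driven test failure only until the new notAfter date; if the base64 in the new certificates is read correctly the window appears to run from 2013-07-17 to 2023-05-26 (not verified here), with the replaced certificates having expired on 2016-05-10, which matches the May 2016 upstream date of the patch. The patch header gives no hint of that, so the next maintainer hitting the same S/MIME test failure will have to decode the certificates to find out why. A one-line DEP-3 style description above the `---` separator, e.g. `Description: Replace expired S/MIME test certificates (test/smime-certs); new fixtures are also time-limited and will need regenerating when they expire.`, would make the time bomb visible. Since every file in the set (root and the six end-entity certificates) is replaced together, the root key pair is new as well, which is fine for a test trust anchor but worth stating in that description.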
Deleted: openssl/branches/wheezy/debian/patches/aesni-mac.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/aesni-mac.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/aesni-mac.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,26 +0,0 @@
-From: Andy Polyakov <appro at openssl.org>
-Date: Mon, 18 Mar 2013 19:29:41 +0100
-Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
-Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9ab3ce124616cb12bd39c6aa1e1bde0f46969b29
-Bug-Debian: http://bugs.debian.org/701868
-Bug: http://rt.openssl.org/Ticket/Display.html?id=3002&user=guest&pass=guest
-
-diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
-index 483e04b..fb2c884 100644
---- a/crypto/evp/e_aes_cbc_hmac_sha1.c
-+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
-@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
-
- if (res!=SHA_CBLOCK) continue;
-
-- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
-+ /* j is not incremented yet */
-+ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
- data->u[SHA_LBLOCK-1] |= bitlen&mask;
- sha1_block_data_order(&key->md,data,1);
-- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
-+ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
- pmac->u[0] |= key->md.h0 & mask;
- pmac->u[1] |= key->md.h1 & mask;
- pmac->u[2] |= key->md.h2 & mask;
-
Modified: openssl/branches/wheezy/debian/patches/block_digicert_malaysia.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/block_digicert_malaysia.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/block_digicert_malaysia.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -5,22 +5,24 @@
Origin: vendor
Last-Update: 2011-11-05
-Index: openssl-1.0.0e/crypto/x509/x509_vfy.c
-===================================================================
---- openssl-1.0.0e.orig/crypto/x509/x509_vfy.c
-+++ openssl-1.0.0e/crypto/x509/x509_vfy.c
-@@ -833,10 +833,11 @@ static int check_ca_blacklist(X509_STORE
- for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
- {
+---
+ crypto/x509/x509_vfy.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
+@@ -855,10 +855,11 @@ static int check_ca_blacklist(X509_STORE
+ /* Check all certificates against the blacklist */
+ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
x = sk_X509_value(ctx->chain, i);
- /* Mark DigiNotar certificates as revoked, no matter
- * where in the chain they are.
+ /* Mark certificates containing the following names as
+ * revoked, no matter where in the chain they are.
*/
-- if (x->name && strstr(x->name, "DigiNotar"))
+- if (x->name && strstr(x->name, "DigiNotar")) {
+ if (x->name && (strstr(x->name, "DigiNotar") ||
-+ strstr(x->name, "Digicert Sdn. Bhd.")))
- {
++ strstr(x->name, "Digicert Sdn. Bhd."))) {
ctx->error = X509_V_ERR_CERT_REVOKED;
ctx->error_depth = i;
+ ctx->current_cert = x;
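Review bot: The refreshed hunk keeps `Last-Update: 2011-11-05` in its context while the patch body was regenerated against a new base on 2016-09-25, so the DEP-3 header no longer says when the patch was last touched; bump it to the refresh date. The match itself is carried over unchanged: `strstr(x->name, "Digicert Sdn. Bhd.")` is a case-sensitive substring test on the cached one-line name (presumably the subject), so any other spelling, casing or punctuation of the same organisation would not be caught, and nothing next to the condition says so. I would add `/* case-sensitive substring match on the cached one-line name; spelling must match exactly */` above the `if`. The enclosing check_ca_blacklist function starts and ends outside this hunk.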
Modified: openssl/branches/wheezy/debian/patches/block_diginotar.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/block_diginotar.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/block_diginotar.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -10,10 +10,12 @@
This is not meant as final patch.
-Index: openssl-1.0.0d/crypto/x509/x509_vfy.c
-===================================================================
---- openssl-1.0.0d.orig/crypto/x509/x509_vfy.c
-+++ openssl-1.0.0d/crypto/x509/x509_vfy.c
+---
+ crypto/x509/x509_vfy.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/crypto/x509/x509_vfy.c
++++ b/crypto/x509/x509_vfy.c
@@ -117,6 +117,7 @@ static int check_trust(X509_STORE_CTX *c
static int check_revocation(X509_STORE_CTX *ctx);
static int check_cert(X509_STORE_CTX *ctx);
@@ -21,44 +23,43 @@
+static int check_ca_blacklist(X509_STORE_CTX *ctx);
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
- unsigned int *preasons,
-@@ -374,6 +375,9 @@ int X509_verify_cert(X509_STORE_CTX *ctx
- ok=internal_verify(ctx);
- if(!ok) goto end;
+ unsigned int *preasons, X509_CRL *crl, X509 *x);
+@@ -409,6 +410,10 @@ int X509_verify_cert(X509_STORE_CTX *ctx
+ if (!ok)
+ goto end;
-+ ok = check_ca_blacklist(ctx);
-+ if(!ok) goto end;
++ ok = check_ca_blacklist(ctx);
++ if(!ok)
++ goto end;
+
#ifndef OPENSSL_NO_RFC3779
- /* RFC 3779 path validation, now that CRL check has been done */
- ok = v3_asid_validate_path(ctx);
-@@ -820,6 +824,29 @@ static int check_crl_time(X509_STORE_CTX
- return 1;
- }
+ /* RFC 3779 path validation, now that CRL check has been done */
+ ok = v3_asid_validate_path(ctx);
+@@ -843,6 +848,27 @@ static int check_crl_time(X509_STORE_CTX
+ return 1;
+ }
+static int check_ca_blacklist(X509_STORE_CTX *ctx)
-+ {
++{
+ X509 *x;
+ int i;
+ /* Check all certificates against the blacklist */
-+ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--)
-+ {
++ for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) {
+ x = sk_X509_value(ctx->chain, i);
+ /* Mark DigiNotar certificates as revoked, no matter
+ * where in the chain they are.
+ */
-+ if (x->name && strstr(x->name, "DigiNotar"))
-+ {
++ if (x->name && strstr(x->name, "DigiNotar")) {
+ ctx->error = X509_V_ERR_CERT_REVOKED;
+ ctx->error_depth = i;
+ ctx->current_cert = x;
+ if (!ctx->verify_cb(0,ctx))
+ return 0;
-+ }
+ }
++ }
+ return 1;
-+ }
++}
+
static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
- X509 **pissuer, int *pscore, unsigned int *preasons,
- STACK_OF(X509_CRL) *crls)
+ X509 **pissuer, int *pscore, unsigned int *preasons,
+ STACK_OF(X509_CRL) *crls)
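Review bot: check_ca_blacklist treats a certificate as revoked whenever `strstr(x->name, "DigiNotar")` finds the token anywhere in the cached one-line name, so the test is case-sensitive, matches any name component, and silently skips a certificate whose `x->name` is NULL; the two-line comment above the condition says none of this. I would replace it with `/* Substring match on the cached one-line name (presumably the subject): case-sensitive, any component, and a NULL name is treated as not blacklisted. */`. Since a nonzero return from `ctx->verify_cb(0, ctx)` lets the loop continue, a caller-installed callback can override the revocation, which the patch description ("This is not meant as final patch.") should state explicitly. The get_crl_sk prototype at the end of the hunk continues outside it.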
Modified: openssl/branches/wheezy/debian/patches/c_rehash-compat.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/c_rehash-compat.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/c_rehash-compat.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -5,13 +5,11 @@
---
tools/c_rehash.in | 8 +++++++-
- 1 files changed, 7 insertions(+), 1 deletions(-)
+ 1 file changed, 7 insertions(+), 1 deletion(-)
-Index: openssl-1.0.0d/tools/c_rehash.in
-===================================================================
---- openssl-1.0.0d.orig/tools/c_rehash.in 2011-04-13 20:41:28.000000000 +0000
-+++ openssl-1.0.0d/tools/c_rehash.in 2011-04-13 20:41:28.000000000 +0000
-@@ -86,6 +86,7 @@
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -86,6 +86,7 @@ sub hash_dir {
}
}
link_hash_cert($fname) if($cert);
@@ -19,7 +17,7 @@
link_hash_crl($fname) if($crl);
}
}
-@@ -119,8 +120,9 @@
+@@ -119,8 +120,9 @@ sub check_file {
sub link_hash_cert {
my $fname = $_[0];
@@ -30,7 +28,7 @@
chomp $hash;
chomp $fprint;
$fprint =~ s/^.*=//;
-@@ -150,6 +152,10 @@
+@@ -150,6 +152,10 @@ sub link_hash_cert {
$hashlist{$hash} = $fprint;
}
Modified: openssl/branches/wheezy/debian/patches/ca.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/ca.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/ca.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,8 +1,10 @@
-Index: openssl-0.9.8m/apps/CA.pl.in
-===================================================================
---- openssl-0.9.8m.orig/apps/CA.pl.in 2006-04-28 00:28:51.000000000 +0000
-+++ openssl-0.9.8m/apps/CA.pl.in 2010-02-27 00:36:51.000000000 +0000
-@@ -65,6 +65,7 @@
+---
+ apps/CA.pl.in | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/apps/CA.pl.in
++++ b/apps/CA.pl.in
+@@ -65,6 +65,7 @@ if(defined $ENV{OPENSSL}) {
foreach (@ARGV) {
if ( /^(-\?|-h|-help)$/ ) {
print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
@@ -10,7 +12,7 @@
exit 0;
} elsif (/^-newcert$/) {
# create a certificate
-@@ -165,6 +166,7 @@
+@@ -165,6 +166,7 @@ foreach (@ARGV) {
} else {
print STDERR "Unknown arg $_\n";
print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
Modified: openssl/branches/wheezy/debian/patches/config-hurd.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/config-hurd.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/config-hurd.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,8 +1,10 @@
-Index: openssl-1.0.0c/config
-===================================================================
---- openssl-1.0.0c.orig/config 2010-12-12 16:09:43.000000000 +0100
-+++ openssl-1.0.0c/config 2010-12-12 16:09:48.000000000 +0100
-@@ -170,8 +170,8 @@
+---
+ config | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/config
++++ b/config
+@@ -170,8 +170,8 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${
echo "${MACHINE}-whatever-linux1"; exit 0
;;
Deleted: openssl/branches/wheezy/debian/patches/cpuid.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/cpuid.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/cpuid.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,27 +0,0 @@
-From: Andy Polyakov <appro at openssl.org>
-Date: Mon, 4 Mar 2013 19:05:04 +0000 (+0100)
-Subject: x86cpuid.pl: make it work with older CPUs.
-Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=5702e965d759dde8a098d8108660721ba2b93a7d
-Bug-Debian: http://bugs.debian.org/699692
-Bug: http://rt.openssl.org/Ticket/Display.html?id=3005&user=guest&pass=guest
-
-diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
-index 3b6c469..e8a7518 100644
---- a/crypto/x86cpuid.pl
-+++ b/crypto/x86cpuid.pl
-@@ -69,6 +69,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
- &inc ("esi"); # number of cores
-
- &mov ("eax",1);
-+ &xor ("ecx","ecx");
- &cpuid ();
- &bt ("edx",28);
- &jnc (&label("generic"));
-@@ -102,6 +103,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
-
- &set_label("nocacheinfo");
- &mov ("eax",1);
-+ &xor ("ecx","ecx");
- &cpuid ();
- &and ("edx",0xbfefffff); # force reserved bits #20, #30 to 0
- &cmp ("ebp",0);
Modified: openssl/branches/wheezy/debian/patches/debian-targets.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/debian-targets.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/debian-targets.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,8 +1,10 @@
-Index: openssl-1.0.1e/Configure
-===================================================================
---- openssl-1.0.1e.orig/Configure 2013-05-20 16:54:11.000000000 +0200
-+++ openssl-1.0.1e/Configure 2013-05-20 16:54:11.000000000 +0200
-@@ -105,6 +105,10 @@
+---
+ Configure | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 53 insertions(+)
+
+--- a/Configure
++++ b/Configure
+@@ -109,6 +109,10 @@ my $usage="Usage: Configure [no-<cipher>
my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
@@ -10,10 +12,10 @@
+my $debian_cflags = `dpkg-buildflags --get CFLAGS` . `dpkg-buildflags --get CPPFLAGS` . `dpkg-buildflags --get LDFLAGS` . "-Wa,--noexecstack -Wall";
+$debian_cflags =~ s/\n/ /g;
+
- my $strict_warnings = 0;
+ # Warn that "make depend" should be run?
+ my $warn_make_depend = 0;
- my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
-@@ -340,6 +344,47 @@
+@@ -350,6 +354,55 @@ my %table=(
"osf1-alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
"tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::-msym:.so",
@@ -21,6 +23,7 @@
+"debian-alpha","gcc:-DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-alpha-ev4","gcc:-DTERMIO ${debian_cflags} -mcpu=ev4::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-alpha-ev5","gcc:-DTERMIO ${debian_cflags} -mcpu=ev5::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-arm64","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-armel","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-armhf","gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-amd64", "gcc:-m64 -DL_ENDIAN -DTERMIO ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
@@ -37,17 +40,23 @@
+"debian-m68k","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG MD2_CHAR RC4_INDEX:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-mips", "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-mipsel", "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mipsn32", "mips64-linux-gnuabin32-gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mipsn32el", "mips64el-linux-gnuabin32-gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mips64", "mips64-linux-gnuabi64-gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-mips64el", "mips64el-linux-gnuabi64-gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-netbsd-i386", "gcc:-DL_ENDIAN -DTERMIOS ${debian_cflags} -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-netbsd-m68k", "gcc:-DB_ENDIAN -DTERMIOS ${debian_cflags}::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-netbsd-sparc", "gcc:-DB_ENDIAN -DTERMIOS ${debian_cflags} -mv8::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-openbsd-alpha","gcc:-DTERMIOS ${debian_cflags}::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-openbsd-i386", "gcc:-DL_ENDIAN -DTERMIOS ${debian_cflags} -m486::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-openbsd-mips","gcc:-DL_ENDIAN ${debian_cflags}::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-or1k", "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG DES_RISC1:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-powerpc","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-powerpcspe","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-ppc64","gcc:-m64 -DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-ppc64el","gcc:-m64 -DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-s390","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-+"debian-s390x","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-s390x","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-sh3", "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-sh4", "gcc:-DL_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-sh3eb", "gcc:-DB_ENDIAN -DTERMIO ${debian_cflags}::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
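Review bot: The four new mips64/mipsn32 entries name a triplet-prefixed driver (`mips64-linux-gnuabin32-gcc`, `mips64el-linux-gnuabi64-gcc`, …) while every other `debian-*` target in this table, including the newly added `debian-arm64`, `debian-or1k` and `debian-ppc64el` lines, uses plain `gcc`; that presumably relies on the ABI-specific driver being installed and on CC not being overridden by the packaging — confirm. If the prefix is deliberate, a one-line comment above those entries, e.g. `# n32/n64 ABI builds must select the ABI-specific gcc driver`, would stop a later refresh from "normalising" them back to `gcc`. The s390x line in the same hunk also switches from `${no_asm}` to `${s390x_asm}:64`, which is a functional change rather than a refresh and deserves a sentence in the patch header. The %table hash this hunk sits in starts and ends outside the hunk.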
@@ -57,6 +66,7 @@
+"debian-sparc-v8","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags} -mcpu=v8 -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-sparc-v9","gcc:-DB_ENDIAN -DTERMIO ${debian_cflags} -mcpu=v9 -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debian-sparc64","gcc:-m64 -DB_ENDIAN -DTERMIO ${debian_cflags} -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"debian-x32","gcc:-mx32 -DL_ENDIAN -DTERMIO ${debian_cflags} -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
+
####
#### Variety of LINUX:-)
Deleted: openssl/branches/wheezy/debian/patches/default_bits.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/default_bits.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/default_bits.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,11 +0,0 @@
---- openssl/apps/openssl.cnf 2012-06-06 00:51:47.000000000 +0200
-+++ openssl/apps/openssl.cnf 2012-06-06 00:53:48.000000000 +0200
-@@ -105,7 +105,7 @@
-
- ####################################################################
- [ req ]
--default_bits = 1024
-+default_bits = 2048
- default_keyfile = privkey.pem
- distinguished_name = req_distinguished_name
- attributes = req_attributes
Added: openssl/branches/wheezy/debian/patches/defaults.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/defaults.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/defaults.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -0,0 +1,79 @@
+From: Kurt Roeckx <kurt at roeckx.be>
+Subject: Change default bit size and digest
+Date: Fri, 01 Nov 2013 20:47:14 +0100
+
+---
+ apps/genrsa.c | 2 +-
+ apps/openssl.cnf | 2 +-
+ crypto/dsa/dsa_ameth.c | 2 +-
+ crypto/ec/ec_ameth.c | 2 +-
+ crypto/hmac/hm_ameth.c | 2 +-
+ crypto/rsa/rsa_ameth.c | 2 +-
+ 6 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/apps/genrsa.c
++++ b/apps/genrsa.c
+@@ -80,7 +80,7 @@
+ # include <openssl/pem.h>
+ # include <openssl/rand.h>
+
+-# define DEFBITS 1024
++# define DEFBITS 2048
+ # undef PROG
+ # define PROG genrsa_main
+
+--- a/apps/openssl.cnf
++++ b/apps/openssl.cnf
+@@ -103,7 +103,7 @@ emailAddress = optional
+
+ ####################################################################
+ [ req ]
+-default_bits = 1024
++default_bits = 2048
+ default_keyfile = privkey.pem
+ distinguished_name = req_distinguished_name
+ attributes = req_attributes
+--- a/crypto/dsa/dsa_ameth.c
++++ b/crypto/dsa/dsa_ameth.c
+@@ -605,7 +605,7 @@ static int dsa_pkey_ctrl(EVP_PKEY *pkey,
+ #endif
+
+ case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
+- *(int *)arg2 = NID_sha1;
++ *(int *)arg2 = NID_sha256;
+ return 2;
+
+ default:
+--- a/crypto/ec/ec_ameth.c
++++ b/crypto/ec/ec_ameth.c
+@@ -583,7 +583,7 @@ static int ec_pkey_ctrl(EVP_PKEY *pkey,
+ #endif
+
+ case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
+- *(int *)arg2 = NID_sha1;
++ *(int *)arg2 = NID_sha256;
+ return 2;
+
+ default:
+--- a/crypto/hmac/hm_ameth.c
++++ b/crypto/hmac/hm_ameth.c
+@@ -87,7 +87,7 @@ static int hmac_pkey_ctrl(EVP_PKEY *pkey
+ {
+ switch (op) {
+ case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
+- *(int *)arg2 = NID_sha1;
++ *(int *)arg2 = NID_sha256;
+ return 1;
+
+ default:
+--- a/crypto/rsa/rsa_ameth.c
++++ b/crypto/rsa/rsa_ameth.c
+@@ -411,7 +411,7 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey,
+ #endif
+
+ case ASN1_PKEY_CTRL_DEFAULT_MD_NID:
+- *(int *)arg2 = NID_sha1;
++ *(int *)arg2 = NID_sha256;
+ return 1;
+
+ default:
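Review bot: The patch raises the key-size default in genrsa.c and openssl.cnf but leaves the EVP_PKEY_CTX keygen defaults alone (rsa_pmeth.c / dsa_pmeth.c are not touched), so `openssl genpkey -algorithm RSA` without `-pkeyopt rsa_keygen_bits:2048` presumably still yields a 1024-bit key in this tree — confirm and, if so, apply the same 1024→2048 change there so both CLI paths agree. Switching `ASN1_PKEY_CTRL_DEFAULT_MD_NID` to `NID_sha256` for HMAC keys also changes what callers that pass a NULL digest to the sign/verify init functions get, which looks like a silent MAC interoperability change rather than a pure default bump and should be called out in the header. The header still carries `Date: Fri, 01 Nov 2013` although the hunks target the reindented newer code layout; a Last-Update line would help the next rebase. The switch statements the five C hunks change start and end outside the hunks.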
Deleted: openssl/branches/wheezy/debian/patches/dgst_hmac.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/dgst_hmac.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/dgst_hmac.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,51 +0,0 @@
-From: Thorsten Glaser <tg at mirbsd.de>
-Date: Fri, 22 May 2009 16:28:05 +0000 (UTC)
-Subject: Document openssl dgst -hmac option
-
-I've committed the thing below in MirBSD; since the apps code
-changes very little between OpenSSL versions, it will probably
-apply to the Debian package as well. I'm open for better wor-
-ding though, especially considering the FIPS option, which I
-found as undocumented too.
-
-Index: openssl-1.0.0d/doc/apps/dgst.pod
-===================================================================
---- openssl-1.0.0d.orig/doc/apps/dgst.pod 2009-04-10 16:42:27.000000000 +0000
-+++ openssl-1.0.0d/doc/apps/dgst.pod 2011-06-13 11:00:04.000000000 +0000
-@@ -12,6 +12,8 @@
- [B<-d>]
- [B<-hex>]
- [B<-binary>]
-+[B<-hmac arg>]
-+[B<-non-fips-allow>]
- [B<-out filename>]
- [B<-sign filename>]
- [B<-keyform arg>]
-@@ -54,6 +56,14 @@
-
- output the digest or signature in binary form.
-
-+=item B<-hmac arg>
-+
-+set the HMAC key to "arg".
-+
-+=item B<-non-fips-allow>
-+
-+allow use of non FIPS digest.
-+
- =item B<-out filename>
-
- filename to output to, or standard output by default.
-Index: openssl-1.0.0d/apps/dgst.c
-===================================================================
---- openssl-1.0.0d.orig/apps/dgst.c 2010-02-12 17:07:24.000000000 +0000
-+++ openssl-1.0.0d/apps/dgst.c 2011-06-13 11:00:04.000000000 +0000
-@@ -268,6 +268,8 @@
- BIO_printf(bio_err,"-d to output debug info\n");
- BIO_printf(bio_err,"-hex output as hex dump\n");
- BIO_printf(bio_err,"-binary output in binary form\n");
-+ BIO_printf(bio_err,"-hmac arg set the HMAC key to arg\n");
-+ BIO_printf(bio_err,"-non-fips-allow allow use of non FIPS digest\n");
- BIO_printf(bio_err,"-sign file sign digest using private key in file\n");
- BIO_printf(bio_err,"-verify file verify a signature using public key in file\n");
- BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n");
Deleted: openssl/branches/wheezy/debian/patches/disable_dual_ec_drbg.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/disable_dual_ec_drbg.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/disable_dual_ec_drbg.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,59 +0,0 @@
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Mon, 16 Sep 2013 05:23:44 +0100
-Subject: [PATCH] Disable Dual EC DRBG.
-Origin: upstream, commit:a4870de5aaef562c0947494b410a2387f3a6d04d
-
-Return an error if an attempt is made to enable the Dual EC DRBG: it
-is not used by default.
----
- crypto/rand/rand.h | 1 +
- crypto/rand/rand_err.c | 1 +
- crypto/rand/rand_lib.c | 8 ++++++++
- 3 files changed, 10 insertions(+)
-
-diff --git a/crypto/rand/rand.h b/crypto/rand/rand.h
-index dc8fcf9..bb5520e 100644
---- a/crypto/rand/rand.h
-+++ b/crypto/rand/rand.h
-@@ -138,6 +138,7 @@ void ERR_load_RAND_strings(void);
- #define RAND_F_SSLEAY_RAND_BYTES 100
-
- /* Reason codes. */
-+#define RAND_R_DUAL_EC_DRBG_DISABLED 104
- #define RAND_R_ERROR_INITIALISING_DRBG 102
- #define RAND_R_ERROR_INSTANTIATING_DRBG 103
- #define RAND_R_NO_FIPS_RANDOM_METHOD_SET 101
-diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c
-index b8586c8..c4c80fc 100644
---- a/crypto/rand/rand_err.c
-+++ b/crypto/rand/rand_err.c
-@@ -78,6 +78,7 @@ static ERR_STRING_DATA RAND_str_functs[]=
-
- static ERR_STRING_DATA RAND_str_reasons[]=
- {
-+{ERR_REASON(RAND_R_DUAL_EC_DRBG_DISABLED),"dual ec drbg disabled"},
- {ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG),"error initialising drbg"},
- {ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG),"error instantiating drbg"},
- {ERR_REASON(RAND_R_NO_FIPS_RANDOM_METHOD_SET),"no fips random method set"},
-diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c
-index 476a0cd..5ac0e14 100644
---- a/crypto/rand/rand_lib.c
-+++ b/crypto/rand/rand_lib.c
-@@ -269,6 +269,14 @@ int RAND_init_fips(void)
- DRBG_CTX *dctx;
- size_t plen;
- unsigned char pers[32], *p;
-+#ifndef OPENSSL_ALLOW_DUAL_EC_DRBG
-+ if (fips_drbg_type >> 16)
-+ {
-+ RANDerr(RAND_F_RAND_INIT_FIPS, RAND_R_DUAL_EC_DRBG_DISABLED);
-+ return 0;
-+ }
-+#endif
-+
- dctx = FIPS_get_default_drbg();
- if (FIPS_drbg_init(dctx, fips_drbg_type, fips_drbg_flags) <= 0)
- {
---
-1.8.5.1
-
Deleted: openssl/branches/wheezy/debian/patches/disable_rdrand.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/disable_rdrand.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/disable_rdrand.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,26 +0,0 @@
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Wed, 11 Dec 2013 14:45:12 +0000
-Subject: [PATCH] Don't use rdrand engine as default unless explicitly
- requested.
-Origin: upstream, commit:1c2c5e402a757a63d690bd2390bd6b8b491ef184
-
-
----
- crypto/engine/eng_rdrand.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/crypto/engine/eng_rdrand.c b/crypto/engine/eng_rdrand.c
-index a9ba5ae..4e9e91d 100644
---- a/crypto/engine/eng_rdrand.c
-+++ b/crypto/engine/eng_rdrand.c
-@@ -104,6 +104,7 @@ static int bind_helper(ENGINE *e)
- {
- if (!ENGINE_set_id(e, engine_e_rdrand_id) ||
- !ENGINE_set_name(e, engine_e_rdrand_name) ||
-+ !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) ||
- !ENGINE_set_init_function(e, rdrand_init) ||
- !ENGINE_set_RAND(e, &rdrand_meth) )
- return 0;
---
-1.8.5.1
-
Deleted: openssl/branches/wheezy/debian/patches/disable_sslv3.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/disable_sslv3.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/disable_sslv3.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,14 +0,0 @@
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index d09bb7d..bc3cbc7 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -2060,6 +2060,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
- */
- ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
-
-+ if (getenv("OPENSSL_ALLOW_SSLv3") == NULL)
-+ ret->options |= SSL_OP_NO_SSLv3;
-+
- return(ret);
- err:
- SSLerr(SSL_F_SSL_CTX_NEW,ERR_R_MALLOC_FAILURE);
Deleted: openssl/branches/wheezy/debian/patches/dont_change_version.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/dont_change_version.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/dont_change_version.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,47 +0,0 @@
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Tue, 24 Dec 2013 18:17:00 +0000
-Subject: [PATCH] Don't change version number if session established
-Origin: upstream, commit:f3dcc8411e518fb0835c7d72df4a58718205260d
-
-When sending an invalid version number alert don't change the
-version number to the client version if a session is already
-established.
-
-Thanks to Marek Majkowski for additional analysis of this issue.
-
-PR#3191
----
- ssl/s3_pkt.c | 2 +-
- ssl/s3_srvr.c | 3 ++-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
-index c4bc4e7..96ba632 100644
---- a/ssl/s3_pkt.c
-+++ b/ssl/s3_pkt.c
-@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length);
- if (version != s->version)
- {
- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-- if ((s->version & 0xFF00) == (version & 0xFF00))
-+ if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
- /* Send back error using their minor version number :-) */
- s->version = (unsigned short)version;
- al=SSL_AD_PROTOCOL_VERSION;
-diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
-index e5a8b3f..52efed3 100644
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
-@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s)
- (s->version != DTLS1_VERSION && s->client_version < s->version))
- {
- SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
-- if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
-+ if ((s->client_version>>8) == SSL3_VERSION_MAJOR &&
-+ !s->enc_write_ctx && !s->write_hash)
- {
- /* similar to ssl3_get_record, send alert using remote version number */
- s->version = s->client_version;
---
-1.8.5.2
-
Deleted: openssl/branches/wheezy/debian/patches/dtls_version.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/dtls_version.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/dtls_version.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,25 +0,0 @@
-From: David Woodhouse <dwmw2 at infradead.org>
-Date: Tue, 12 Feb 2013 14:55:32 +0000
-Subject: Check DTLS_BAD_VER for version number.
-Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=9fe4603b8245425a4c46986ed000fca054231253
-Bug-Debian: http://bugs.debian.org/701826
-Bug: http://rt.openssl.org/Ticket/Display.html?id=2984&user=guest&pass=guest
-
-The version check for DTLS1_VERSION was redundant as
-DTLS1_VERSION > TLS1_1_VERSION, however we do need to
-check for DTLS1_BAD_VER for compatibility.
-
-diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
-index 02edf3f..443a31e 100644
---- a/ssl/s3_cbc.c
-+++ b/ssl/s3_cbc.c
-@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
- unsigned padding_length, good, to_check, i;
- const unsigned overhead = 1 /* padding length byte */ + mac_size;
- /* Check if version requires explicit IV */
-- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
-+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
- {
- /* These lengths are all public so we can test them in
- * non-constant time.
-
Modified: openssl/branches/wheezy/debian/patches/engines-path.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/engines-path.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/engines-path.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,8 +1,24 @@
-Index: openssl-1.0.0c/Makefile.org
-===================================================================
---- openssl-1.0.0c.orig/Makefile.org 2010-01-27 17:06:58.000000000 +0100
-+++ openssl-1.0.0c/Makefile.org 2010-12-13 19:41:03.000000000 +0100
-@@ -497,7 +497,7 @@
+---
+ Configure | 2 +-
+ Makefile.org | 2 +-
+ engines/Makefile | 10 +++++-----
+ engines/ccgost/Makefile | 6 +++---
+ 4 files changed, 10 insertions(+), 10 deletions(-)
+
+--- a/Configure
++++ b/Configure
+@@ -1866,7 +1866,7 @@ while (<IN>)
+ }
+ elsif (/^#define\s+ENGINESDIR/)
+ {
+- my $foo = "$prefix/$libdir/engines";
++ my $foo = "$prefix/$libdir/openssl-1.0.0/engines";
+ $foo =~ s/\\/\\\\/g;
+ print OUT "#define ENGINESDIR \"$foo\"\n";
+ }
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -543,7 +543,7 @@ install: all install_docs install_sw
install_sw:
@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
@@ -11,11 +27,9 @@
$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
-Index: openssl-1.0.0c/engines/Makefile
-===================================================================
---- openssl-1.0.0c.orig/engines/Makefile 2010-08-24 23:46:34.000000000 +0200
-+++ openssl-1.0.0c/engines/Makefile 2010-12-12 19:16:22.000000000 +0100
-@@ -107,7 +107,7 @@
+--- a/engines/Makefile
++++ b/engines/Makefile
+@@ -107,7 +107,7 @@ lib: $(LIBOBJ)
@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
@if [ -n "$(SHARED_LIBS)" ]; then \
set -e; \
@@ -24,7 +38,7 @@
for l in $(LIBNAMES); do \
( echo installing $$l; \
pfx=lib; \
-@@ -119,13 +119,13 @@
+@@ -119,13 +119,13 @@ lib: $(LIBOBJ)
*DSO_WIN32*) sfx="eay32.dll"; pfx=;; \
*) sfx=".bad";; \
esac; \
@@ -42,24 +56,9 @@
done; \
fi
@target=install; $(RECURSIVE_MAKE)
-Index: openssl-1.0.0c/Configure
-===================================================================
---- openssl-1.0.0c.orig/Configure 2010-12-12 19:16:22.000000000 +0100
-+++ openssl-1.0.0c/Configure 2010-12-13 19:40:53.000000000 +0100
-@@ -1732,7 +1732,7 @@
- }
- elsif (/^#define\s+ENGINESDIR/)
- {
-- my $foo = "$prefix/$libdir/engines";
-+ my $foo = "$prefix/$libdir/openssl-1.0.0/engines";
- $foo =~ s/\\/\\\\/g;
- print OUT "#define ENGINESDIR \"$foo\"\n";
- }
-Index: openssl-1.0.0c/engines/ccgost/Makefile
-===================================================================
---- openssl-1.0.0c.orig/engines/ccgost/Makefile 2010-12-13 19:41:14.000000000 +0100
-+++ openssl-1.0.0c/engines/ccgost/Makefile 2010-12-13 19:42:21.000000000 +0100
-@@ -53,13 +53,13 @@
+--- a/engines/ccgost/Makefile
++++ b/engines/ccgost/Makefile
+@@ -53,13 +53,13 @@ lib: $(LIBOBJ)
*DSO_WIN32*) sfx="eay32.dll"; pfx=;; \
*) sfx=".bad";; \
esac; \
Deleted: openssl/branches/wheezy/debian/patches/get_certificate.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/get_certificate.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/get_certificate.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,27 +0,0 @@
-From: "Dr. Stephen Henson" <steve at openssl.org>
-Date: Mon, 11 Feb 2013 18:24:03 +0000
-Subject: Fix for SSL_get_certificate
-Origin: upstream: http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=147dbb2fe3bead7a10e2f280261b661ce7af7adc
-Bug-Debian: http://bugs.debian.org/703031
-
-
-Now we set the current certificate to the one used by a server
-there is no need to call ssl_get_server_send_cert which will
-fail if we haven't sent a certificate yet.
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 14d143d..ff5a85a 100644
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -2792,9 +2792,7 @@ void ssl_clear_cipher_ctx(SSL *s)
- /* Fix this function so that it takes an optional type parameter */
- X509 *SSL_get_certificate(const SSL *s)
- {
-- if (s->server)
-- return(ssl_get_server_send_cert(s));
-- else if (s->cert != NULL)
-+ if (s->cert != NULL)
- return(s->cert->key->x509);
- else
- return(NULL);
-
Deleted: openssl/branches/wheezy/debian/patches/gnu_source.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/gnu_source.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/gnu_source.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,24 +0,0 @@
-From: Kurt Roeckx <kurt at roeckx.be>
-Subject: Always define _GNU_SOURCE
-
-We need this atleast for kfreebsd because they also use glibc.
-There shouldn't be a problem defining this on systems not using
-glibc.
-
-Index: openssl-1.0.0c.obsolete.0.297891860202984/crypto/dso/dso_dlfcn.c
-===================================================================
---- openssl-1.0.0c.obsolete.0.297891860202984.orig/crypto/dso/dso_dlfcn.c 2010-12-19 16:18:36.000000000 +0100
-+++ openssl-1.0.0c.obsolete.0.297891860202984/crypto/dso/dso_dlfcn.c 2010-12-19 16:19:01.000000000 +0100
-@@ -60,10 +60,8 @@
- that handle _GNU_SOURCE and other similar macros. Defining it later
- is simply too late, because those headers are protected from re-
- inclusion. */
--#ifdef __linux
--# ifndef _GNU_SOURCE
--# define _GNU_SOURCE /* make sure dladdr is declared */
--# endif
-+#ifndef _GNU_SOURCE
-+# define _GNU_SOURCE /* make sure dladdr is declared */
- #endif
-
- #include <stdio.h>
Deleted: openssl/branches/wheezy/debian/patches/libdoc-manpgs-pod-spell.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/libdoc-manpgs-pod-spell.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/libdoc-manpgs-pod-spell.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,236 +0,0 @@
---- a/doc/crypto/ASN1_generate_nconf.pod
-+++ b/doc/crypto/ASN1_generate_nconf.pod
-@@ -61,7 +61,7 @@
- =item B<INTEGER>, B<INT>
-
- Encodes an ASN1 B<INTEGER> type. The B<value> string represents
--the value of the integer, it can be preceeded by a minus sign and
-+the value of the integer, it can be preceded by a minus sign and
- is normally interpreted as a decimal value unless the prefix B<0x>
- is included.
-
---- a/doc/crypto/BN_BLINDING_new.pod
-+++ b/doc/crypto/BN_BLINDING_new.pod
-@@ -48,7 +48,7 @@
-
- BN_BLINDING_convert_ex() multiplies B<n> with the blinding factor B<A>.
- If B<r> is not NULL a copy the inverse blinding factor B<Ai> will be
--returned in B<r> (this is useful if a B<RSA> object is shared amoung
-+returned in B<r> (this is useful if a B<RSA> object is shared among
- several threads). BN_BLINDING_invert_ex() multiplies B<n> with the
- inverse blinding factor B<Ai>. If B<r> is not NULL it will be used as
- the inverse blinding.
---- a/doc/crypto/EVP_BytesToKey.pod
-+++ b/doc/crypto/EVP_BytesToKey.pod
-@@ -17,7 +17,7 @@
-
- EVP_BytesToKey() derives a key and IV from various parameters. B<type> is
- the cipher to derive the key and IV for. B<md> is the message digest to use.
--The B<salt> paramter is used as a salt in the derivation: it should point to
-+The B<salt> parameter is used as a salt in the derivation: it should point to
- an 8 byte buffer or NULL if no salt is used. B<data> is a buffer containing
- B<datal> bytes which is used to derive the keying data. B<count> is the
- iteration count to use. The derived key and IV will be written to B<key>
---- a/doc/crypto/EVP_EncryptInit.pod
-+++ b/doc/crypto/EVP_EncryptInit.pod
-@@ -152,7 +152,7 @@
-
- EVP_EncryptInit(), EVP_DecryptInit() and EVP_CipherInit() behave in a
- similar way to EVP_EncryptInit_ex(), EVP_DecryptInit_ex and
--EVP_CipherInit_ex() except the B<ctx> paramter does not need to be
-+EVP_CipherInit_ex() except the B<ctx> parameter does not need to be
- initialized and they always use the default cipher implementation.
-
- EVP_EncryptFinal(), EVP_DecryptFinal() and EVP_CipherFinal() behave in a
---- a/doc/crypto/EVP_PKEY_cmp.pod
-+++ b/doc/crypto/EVP_PKEY_cmp.pod
-@@ -26,7 +26,7 @@
- The funcion EVP_PKEY_cmp_parameters() compares the parameters of keys
- B<a> and B<b>.
-
--The funcion EVP_PKEY_cmp() compares the public key components and paramters
-+The funcion EVP_PKEY_cmp() compares the public key components and parameters
- (if present) of keys B<a> and B<b>.
-
- =head1 NOTES
---- a/doc/crypto/X509_STORE_CTX_get_error.pod
-+++ b/doc/crypto/X509_STORE_CTX_get_error.pod
-@@ -278,6 +278,8 @@
- an application specific error. This will never be returned unless explicitly
- set by an application.
-
-+=back
-+
- =head1 NOTES
-
- The above functions should be used instead of directly referencing the fields
---- a/doc/crypto/pem.pod
-+++ b/doc/crypto/pem.pod
-@@ -201,7 +201,7 @@
- PEM_write_bio_PKCS8PrivateKey() and PEM_write_PKCS8PrivateKey()
- write a private key in an EVP_PKEY structure in PKCS#8
- EncryptedPrivateKeyInfo format using PKCS#5 v2.0 password based encryption
--algorithms. The B<cipher> argument specifies the encryption algoritm to
-+algorithms. The B<cipher> argument specifies the encryption algorithm to
- use: unlike all other PEM routines the encryption is applied at the
- PKCS#8 level and not in the PEM headers. If B<cipher> is NULL then no
- encryption is used and a PKCS#8 PrivateKeyInfo structure is used instead.
---- a/doc/ssl/SSL_CTX_set_client_CA_list.pod
-+++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod
-@@ -70,6 +70,10 @@
-
- The operation succeeded.
-
-+=back
-+
-+=over 4
-+
- =item 0
-
- A failure while manipulating the STACK_OF(X509_NAME) object occurred or
---- a/doc/ssl/SSL_CTX_set_verify.pod
-+++ b/doc/ssl/SSL_CTX_set_verify.pod
-@@ -169,8 +169,8 @@
- failure, if wished. The callback realizes a verification depth limit with
- more informational output.
-
--All verification errors are printed, informations about the certificate chain
--are printed on request.
-+All verification errors are printed; information about the certificate chain
-+is printed on request.
- The example is realized for a server that does allow but not require client
- certificates.
-
---- a/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
-+++ b/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
-@@ -81,6 +81,8 @@
-
- Return values from the server callback are interpreted as follows:
-
-+=over 4
-+
- =item > 0
-
- PSK identity was found and the server callback has provided the PSK
-@@ -94,9 +96,15 @@
- connection will fail with decryption_error before it will be finished
- completely.
-
-+=back
-+
-+=over 4
-+
- =item 0
-
- PSK identity was not found. An "unknown_psk_identity" alert message
- will be sent and the connection setup fails.
-
-+=back
-+
- =cut
---- a/doc/ssl/SSL_accept.pod
-+++ b/doc/ssl/SSL_accept.pod
-@@ -49,12 +49,20 @@
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-
-+=back
-+
-+=over 4
-+
- =item 0
-
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
-
-+=back
-+
-+=over 4
-+
- =item E<lt>0
-
- The TLS/SSL handshake was not successful because a fatal error occurred either
---- a/doc/ssl/SSL_connect.pod
-+++ b/doc/ssl/SSL_connect.pod
-@@ -41,10 +41,13 @@
-
- =over 4
-
--=item 1
-+=item E<lt>0
-
--The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
--established.
-+The TLS/SSL handshake was not successful, because a fatal error occurred either
-+at the protocol level or a connection failure occurred. The shutdown was
-+not clean. It can also occur of action is need to continue the operation
-+for non-blocking BIOs. Call SSL_get_error() with the return value B<ret>
-+to find out the reason.
-
- =item 0
-
-@@ -52,13 +55,10 @@
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
-
--=item E<lt>0
-+=item 1
-
--The TLS/SSL handshake was not successful, because a fatal error occurred either
--at the protocol level or a connection failure occurred. The shutdown was
--not clean. It can also occur of action is need to continue the operation
--for non-blocking BIOs. Call SSL_get_error() with the return value B<ret>
--to find out the reason.
-+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-+established.
-
- =back
-
---- a/doc/ssl/SSL_do_handshake.pod
-+++ b/doc/ssl/SSL_do_handshake.pod
-@@ -50,12 +50,20 @@
- The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
- established.
-
-+=back
-+
-+=over 4
-+
- =item 0
-
- The TLS/SSL handshake was not successful but was shut down controlled and
- by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
- return value B<ret> to find out the reason.
-
-+=back
-+
-+=over 4
-+
- =item E<lt>0
-
- The TLS/SSL handshake was not successful because a fatal error occurred either
---- a/doc/ssl/SSL_shutdown.pod
-+++ b/doc/ssl/SSL_shutdown.pod
-@@ -97,6 +97,10 @@
- The shutdown was successfully completed. The "close notify" alert was sent
- and the peer's "close notify" alert was received.
-
-+=back
-+
-+=over 4
-+
- =item 0
-
- The shutdown is not yet finished. Call SSL_shutdown() for a second time,
-@@ -104,6 +108,10 @@
- The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
- erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
-
-+=back
-+
-+=over 4
-+
- =item -1
-
- The shutdown was not successful because a fatal error occurred either
Deleted: openssl/branches/wheezy/debian/patches/libssl-misspell.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/libssl-misspell.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/libssl-misspell.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,11 +0,0 @@
---- a/crypto/asn1/asn1_err.c
-+++ b/crypto/asn1/asn1_err.c
-@@ -302,7 +302,7 @@
- {ERR_REASON(ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE),"unknown public key type"},
- {ERR_REASON(ASN1_R_UNKNOWN_SIGNATURE_ALGORITHM),"unknown signature algorithm"},
- {ERR_REASON(ASN1_R_UNKNOWN_TAG) ,"unknown tag"},
--{ERR_REASON(ASN1_R_UNKOWN_FORMAT) ,"unkown format"},
-+{ERR_REASON(ASN1_R_UNKOWN_FORMAT) ,"unknown format"},
- {ERR_REASON(ASN1_R_UNSUPPORTED_ANY_DEFINED_BY_TYPE),"unsupported any defined by type"},
- {ERR_REASON(ASN1_R_UNSUPPORTED_CIPHER) ,"unsupported cipher"},
- {ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM),"unsupported encryption algorithm"},
Deleted: openssl/branches/wheezy/debian/patches/make-targets.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/make-targets.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/make-targets.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,13 +0,0 @@
-Index: openssl-1.0.1/Makefile.org
-===================================================================
---- openssl-1.0.1.orig/Makefile.org 2012-03-17 09:41:07.000000000 +0000
-+++ openssl-1.0.1/Makefile.org 2012-03-17 09:41:21.000000000 +0000
-@@ -135,7 +135,7 @@
-
- BASEADDR=
-
--DIRS= crypto ssl engines apps test tools
-+DIRS= crypto ssl engines apps tools
- ENGDIRS= ccgost
- SHLIBDIRS= crypto ssl
-
Modified: openssl/branches/wheezy/debian/patches/man-dir.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/man-dir.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/man-dir.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,8 +1,10 @@
-Index: openssl-1.0.0c/Makefile.org
-===================================================================
---- openssl-1.0.0c.orig/Makefile.org 2010-12-12 16:11:27.000000000 +0100
-+++ openssl-1.0.0c/Makefile.org 2010-12-12 16:11:37.000000000 +0100
-@@ -131,7 +131,7 @@
+---
+ Makefile.org | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -157,7 +157,7 @@ TESTS = alltests
MAKEFILE= Makefile
Modified: openssl/branches/wheezy/debian/patches/man-section.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/man-section.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/man-section.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,8 +1,10 @@
-Index: openssl-1.0.0c/Makefile.org
-===================================================================
---- openssl-1.0.0c.orig/Makefile.org 2010-12-12 16:11:37.000000000 +0100
-+++ openssl-1.0.0c/Makefile.org 2010-12-12 16:13:28.000000000 +0100
-@@ -134,7 +134,8 @@
+---
+ Makefile.org | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/Makefile.org
++++ b/Makefile.org
+@@ -160,7 +160,8 @@ MAKEFILE= Makefile
MANDIR=/usr/share/man
MAN1=1
MAN3=3
@@ -12,7 +14,7 @@
HTMLSUFFIX=html
HTMLDIR=$(OPENSSLDIR)/html
SHELL=/bin/sh
-@@ -606,7 +607,7 @@
+@@ -642,7 +643,7 @@ install: all install_docs install_sw
echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
sh -c "$$pod2man \
@@ -21,7 +23,7 @@
--release=$(VERSION) `basename $$i`") \
> $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
$(PERL) util/extract-names.pl < $$i | \
-@@ -623,7 +624,7 @@
+@@ -659,7 +660,7 @@ install: all install_docs install_sw
echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
(cd `$(PERL) util/dirname.pl $$i`; \
sh -c "$$pod2man \
Modified: openssl/branches/wheezy/debian/patches/no-rpath.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/no-rpath.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/no-rpath.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,8 +1,10 @@
-Index: openssl-1.0.0c/Makefile.shared
-===================================================================
---- openssl-1.0.0c.orig/Makefile.shared 2010-08-21 13:36:49.000000000 +0200
-+++ openssl-1.0.0c/Makefile.shared 2010-12-12 16:13:36.000000000 +0100
-@@ -153,7 +153,7 @@
+---
+ Makefile.shared | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile.shared
++++ b/Makefile.shared
+@@ -153,7 +153,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
Modified: openssl/branches/wheezy/debian/patches/no-symbolic.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/no-symbolic.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/no-symbolic.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,8 +1,10 @@
-Index: openssl-1.0.0c/Makefile.shared
-===================================================================
---- openssl-1.0.0c.orig/Makefile.shared 2010-12-12 16:13:36.000000000 +0100
-+++ openssl-1.0.0c/Makefile.shared 2010-12-12 16:13:44.000000000 +0100
-@@ -151,7 +151,7 @@
+---
+ Makefile.shared | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Makefile.shared
++++ b/Makefile.shared
+@@ -151,7 +151,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
SHLIB_SUFFIX=; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
Deleted: openssl/branches/wheezy/debian/patches/openssl-pod-misspell.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/openssl-pod-misspell.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/openssl-pod-misspell.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,122 +0,0 @@
-Index: openssl-1.0.1/apps/ca.c
-===================================================================
---- openssl-1.0.1.orig/apps/ca.c 2012-01-12 16:28:02.000000000 +0000
-+++ openssl-1.0.1/apps/ca.c 2012-03-17 09:31:48.000000000 +0000
-@@ -148,7 +148,7 @@
- static const char *ca_usage[]={
- "usage: ca args\n",
- "\n",
--" -verbose - Talk alot while doing things\n",
-+" -verbose - Talk a lot while doing things\n",
- " -config file - A config file\n",
- " -name arg - The particular CA definition to use\n",
- " -gencrl - Generate a new CRL\n",
-Index: openssl-1.0.1/apps/ecparam.c
-===================================================================
---- openssl-1.0.1.orig/apps/ecparam.c 2010-06-15 17:25:02.000000000 +0000
-+++ openssl-1.0.1/apps/ecparam.c 2012-03-17 09:31:48.000000000 +0000
-@@ -105,7 +105,7 @@
- * in the asn1 der encoding
- * possible values: named_curve (default)
- * explicit
-- * -no_seed - if 'explicit' parameters are choosen do not use the seed
-+ * -no_seed - if 'explicit' parameters are chosen do not use the seed
- * -genkey - generate ec key
- * -rand file - files to use for random number input
- * -engine e - use engine e, possibly a hardware device
-@@ -286,7 +286,7 @@
- BIO_printf(bio_err, " "
- " explicit\n");
- BIO_printf(bio_err, " -no_seed if 'explicit'"
-- " parameters are choosen do not"
-+ " parameters are chosen do not"
- " use the seed\n");
- BIO_printf(bio_err, " -genkey generate ec"
- " key\n");
-Index: openssl-1.0.1/crypto/evp/encode.c
-===================================================================
---- openssl-1.0.1.orig/crypto/evp/encode.c 2010-06-15 17:25:09.000000000 +0000
-+++ openssl-1.0.1/crypto/evp/encode.c 2012-03-17 09:31:48.000000000 +0000
-@@ -250,7 +250,7 @@
- /* We parse the input data */
- for (i=0; i<inl; i++)
- {
-- /* If the current line is > 80 characters, scream alot */
-+ /* If the current line is > 80 characters, scream a lot */
- if (ln >= 80) { rv= -1; goto end; }
-
- /* Get char and put it into the buffer */
-Index: openssl-1.0.1/doc/apps/config.pod
-===================================================================
---- openssl-1.0.1.orig/doc/apps/config.pod 2004-11-25 17:47:29.000000000 +0000
-+++ openssl-1.0.1/doc/apps/config.pod 2012-03-17 09:31:48.000000000 +0000
-@@ -119,7 +119,7 @@
- information.
-
- The section pointed to by B<engines> is a table of engine names (though see
--B<engine_id> below) and further sections containing configuration informations
-+B<engine_id> below) and further sections containing configuration information
- specific to each ENGINE.
-
- Each ENGINE specific section is used to set default algorithms, load
-Index: openssl-1.0.1/doc/apps/req.pod
-===================================================================
---- openssl-1.0.1.orig/doc/apps/req.pod 2009-04-10 16:42:28.000000000 +0000
-+++ openssl-1.0.1/doc/apps/req.pod 2012-03-17 09:31:48.000000000 +0000
-@@ -159,7 +159,7 @@
- the algorithm is determined by the parameters. B<algname:file> use algorithm
- B<algname> and parameter file B<file>: the two algorithms must match or an
- error occurs. B<algname> just uses algorithm B<algname>, and parameters,
--if neccessary should be specified via B<-pkeyopt> parameter.
-+if necessary should be specified via B<-pkeyopt> parameter.
-
- B<dsa:filename> generates a DSA key using the parameters
- in the file B<filename>. B<ec:filename> generates EC key (usable both with
-Index: openssl-1.0.1/doc/apps/ts.pod
-===================================================================
---- openssl-1.0.1.orig/doc/apps/ts.pod 2009-04-10 11:25:54.000000000 +0000
-+++ openssl-1.0.1/doc/apps/ts.pod 2012-03-17 09:31:48.000000000 +0000
-@@ -352,7 +352,7 @@
-
- This is the main section and it specifies the name of another section
- that contains all the options for the B<-reply> command. This default
--section can be overriden with the B<-section> command line switch. (Optional)
-+section can be overridden with the B<-section> command line switch. (Optional)
-
- =item B<oid_file>
-
-@@ -453,7 +453,7 @@
- =head1 ENVIRONMENT VARIABLES
-
- B<OPENSSL_CONF> contains the path of the configuration file and can be
--overriden by the B<-config> command line option.
-+overridden by the B<-config> command line option.
-
- =head1 EXAMPLES
-
-Index: openssl-1.0.1/doc/apps/tsget.pod
-===================================================================
---- openssl-1.0.1.orig/doc/apps/tsget.pod 2010-01-05 17:17:20.000000000 +0000
-+++ openssl-1.0.1/doc/apps/tsget.pod 2012-03-17 09:31:48.000000000 +0000
-@@ -124,7 +124,7 @@
- =item [request]...
-
- List of files containing B<RFC 3161> DER-encoded time stamp requests. If no
--requests are specifed only one request will be sent to the server and it will be
-+requests are specified only one request will be sent to the server and it will be
- read from the standard input. (Optional)
-
- =back
-Index: openssl-1.0.1/doc/apps/x509v3_config.pod
-===================================================================
---- openssl-1.0.1.orig/doc/apps/x509v3_config.pod 2006-11-07 13:44:03.000000000 +0000
-+++ openssl-1.0.1/doc/apps/x509v3_config.pod 2012-03-17 09:31:48.000000000 +0000
-@@ -174,7 +174,7 @@
-
- The value of B<dirName> should point to a section containing the distinguished
- name to use as a set of name value pairs. Multi values AVAs can be formed by
--preceeding the name with a B<+> character.
-+preceding the name with a B<+> character.
-
- otherName can include arbitrary data associated with an OID: the value
- should be the OID followed by a semicolon and the content in standard
Modified: openssl/branches/wheezy/debian/patches/pic.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/pic.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/pic.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,8 +1,13 @@
-Index: openssl-1.0.1c/crypto/des/asm/desboth.pl
-===================================================================
---- openssl-1.0.1c.orig/crypto/des/asm/desboth.pl 2001-10-24 23:20:56.000000000 +0200
-+++ openssl-1.0.1c/crypto/des/asm/desboth.pl 2012-07-29 14:15:26.000000000 +0200
-@@ -16,6 +16,11 @@
+---
+ crypto/des/asm/desboth.pl | 17 ++++++++++++++---
+ crypto/perlasm/cbc.pl | 24 ++++++++++++++++++++----
+ crypto/perlasm/x86gas.pl | 16 ++++++++++++++++
+ crypto/x86cpuid.pl | 10 +++++-----
+ 4 files changed, 55 insertions(+), 12 deletions(-)
+
+--- a/crypto/des/asm/desboth.pl
++++ b/crypto/des/asm/desboth.pl
+@@ -16,6 +16,11 @@ sub DES_encrypt3
&push("edi");
@@ -14,7 +19,7 @@
&comment("");
&comment("Load the data words");
&mov($L,&DWP(0,"ebx","",0));
-@@ -47,15 +52,21 @@
+@@ -47,15 +52,21 @@ sub DES_encrypt3
&mov(&swtmp(2), (DWC(($enc)?"1":"0")));
&mov(&swtmp(1), "eax");
&mov(&swtmp(0), "ebx");
@@ -39,11 +44,9 @@
&stack_pop(3);
&mov($L,&DWP(0,"ebx","",0));
-Index: openssl-1.0.1c/crypto/perlasm/cbc.pl
-===================================================================
---- openssl-1.0.1c.orig/crypto/perlasm/cbc.pl 2011-07-13 08:22:46.000000000 +0200
-+++ openssl-1.0.1c/crypto/perlasm/cbc.pl 2012-07-29 14:15:26.000000000 +0200
-@@ -122,7 +122,11 @@
+--- a/crypto/perlasm/cbc.pl
++++ b/crypto/perlasm/cbc.pl
+@@ -122,7 +122,11 @@ sub cbc
&mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
&mov(&DWP($data_off+4,"esp","",0), "ebx"); #
@@ -56,7 +59,7 @@
&mov("eax", &DWP($data_off,"esp","",0));
&mov("ebx", &DWP($data_off+4,"esp","",0));
-@@ -185,7 +189,11 @@
+@@ -185,7 +189,11 @@ sub cbc
&mov(&DWP($data_off,"esp","",0), "eax"); # put in array for call
&mov(&DWP($data_off+4,"esp","",0), "ebx"); #
@@ -69,7 +72,7 @@
&mov("eax", &DWP($data_off,"esp","",0));
&mov("ebx", &DWP($data_off+4,"esp","",0));
-@@ -218,7 +226,11 @@
+@@ -218,7 +226,11 @@ sub cbc
&mov(&DWP($data_off,"esp","",0), "eax"); # put back
&mov(&DWP($data_off+4,"esp","",0), "ebx"); #
@@ -82,7 +85,7 @@
&mov("eax", &DWP($data_off,"esp","",0)); # get return
&mov("ebx", &DWP($data_off+4,"esp","",0)); #
-@@ -261,7 +273,11 @@
+@@ -261,7 +273,11 @@ sub cbc
&mov(&DWP($data_off,"esp","",0), "eax"); # put back
&mov(&DWP($data_off+4,"esp","",0), "ebx"); #
@@ -95,11 +98,9 @@
&mov("eax", &DWP($data_off,"esp","",0)); # get return
&mov("ebx", &DWP($data_off+4,"esp","",0)); #
-Index: openssl-1.0.1c/crypto/perlasm/x86gas.pl
-===================================================================
---- openssl-1.0.1c.orig/crypto/perlasm/x86gas.pl 2011-12-09 20:16:35.000000000 +0100
-+++ openssl-1.0.1c/crypto/perlasm/x86gas.pl 2012-07-29 14:15:26.000000000 +0200
-@@ -161,6 +161,7 @@
+--- a/crypto/perlasm/x86gas.pl
++++ b/crypto/perlasm/x86gas.pl
+@@ -161,6 +161,7 @@ sub ::file_end
if ($::macosx) { push (@out,"$tmp,2\n"); }
elsif ($::elf) { push (@out,"$tmp,4\n"); }
else { push (@out,"$tmp\n"); }
@@ -107,7 +108,7 @@
}
push(@out,$initseg) if ($initseg);
}
-@@ -218,8 +219,23 @@
+@@ -218,8 +219,23 @@ sub ::initseg
elsif ($::elf)
{ $initseg.=<<___;
.section .init
@@ -131,11 +132,9 @@
}
elsif ($::coff)
{ $initseg.=<<___; # applies to both Cygwin and Mingw
-Index: openssl-1.0.1c/crypto/x86cpuid.pl
-===================================================================
---- openssl-1.0.1c.orig/crypto/x86cpuid.pl 2012-02-28 15:20:34.000000000 +0100
-+++ openssl-1.0.1c/crypto/x86cpuid.pl 2012-07-29 14:15:26.000000000 +0200
-@@ -8,6 +8,8 @@
+--- a/crypto/x86cpuid.pl
++++ b/crypto/x86cpuid.pl
+@@ -8,6 +8,8 @@ require "x86asm.pl";
for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
@@ -144,7 +143,7 @@
&function_begin("OPENSSL_ia32_cpuid");
&xor ("edx","edx");
&pushf ();
-@@ -139,9 +141,7 @@
+@@ -141,9 +143,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
&set_label("nocpuid");
&function_end("OPENSSL_ia32_cpuid");
@@ -155,7 +154,7 @@
&xor ("eax","eax");
&xor ("edx","edx");
&picmeup("ecx","OPENSSL_ia32cap_P");
-@@ -155,7 +155,7 @@
+@@ -157,7 +157,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
# This works in Ring 0 only [read DJGPP+MS-DOS+privileged DPMI host],
# but it's safe to call it on any [supported] 32-bit platform...
# Just check for [non-]zero return value...
@@ -164,7 +163,7 @@
&picmeup("ecx","OPENSSL_ia32cap_P");
&bt (&DWP(0,"ecx"),4);
&jnc (&label("nohalt")); # no TSC
-@@ -222,7 +222,7 @@
+@@ -224,7 +224,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
&ret ();
&function_end_B("OPENSSL_far_spin");
Deleted: openssl/branches/wheezy/debian/patches/pkcs12-doc.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/pkcs12-doc.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/pkcs12-doc.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,36 +0,0 @@
-This is another documentation issue ...
-
-apps/pkcs12.c accepts -password as an argument. The document author
-almost certainly meant to write "-password, -passin".
-
-However, that is not correct, either. Actually the code treats
--password as equivalent to -passin, EXCEPT when -export is also
-specified, in which case -password as equivalent to -passout. The patch
-below makes this explicit.
-
-
-Index: openssl-1.0.0d/doc/apps/pkcs12.pod
-===================================================================
---- openssl-1.0.0d.orig/doc/apps/pkcs12.pod 2011-06-13 10:46:06.000000000 +0000
-+++ openssl-1.0.0d/doc/apps/pkcs12.pod 2011-06-13 10:47:36.000000000 +0000
-@@ -67,7 +67,7 @@
- The filename to write certificates and private keys to, standard output by
- default. They are all written in PEM format.
-
--=item B<-pass arg>, B<-passin arg>
-+=item B<-passin arg>
-
- the PKCS#12 file (i.e. input file) password source. For more information about
- the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section in
-@@ -79,6 +79,11 @@
- information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
- in L<openssl(1)|openssl(1)>.
-
-+=item B<-password arg>
-+
-+With -export, -password is equivalent to -passout.
-+Otherwise, -password is equivalent to -passin.
-+
- =item B<-noout>
-
- this option inhibits output of the keys and certificates to the output file
Deleted: openssl/branches/wheezy/debian/patches/pod_ec.misspell.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/pod_ec.misspell.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/pod_ec.misspell.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,11 +0,0 @@
---- a/doc/apps/ec.pod
-+++ b/doc/apps/ec.pod
-@@ -41,7 +41,7 @@
-
- This specifies the input format. The B<DER> option with a private key uses
- an ASN.1 DER encoded SEC1 private key. When used with a public key it
--uses the SubjectPublicKeyInfo structur as specified in RFC 3280.
-+uses the SubjectPublicKeyInfo structure as specified in RFC 3280.
- The B<PEM> form is the default format: it consists of the B<DER> format base64
- encoded with additional header and footer lines. In the case of a private key
- PKCS#8 format is also accepted.
Deleted: openssl/branches/wheezy/debian/patches/pod_pksc12.misspell.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/pod_pksc12.misspell.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/pod_pksc12.misspell.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,11 +0,0 @@
---- a/doc/apps/pkcs12.pod
-+++ b/doc/apps/pkcs12.pod
-@@ -75,7 +75,7 @@
-
- =item B<-passout arg>
-
--pass phrase source to encrypt any outputed private keys with. For more
-+pass phrase source to encrypt any outputted private keys with. For more
- information about the format of B<arg> see the B<PASS PHRASE ARGUMENTS> section
- in L<openssl(1)|openssl(1)>.
-
Deleted: openssl/branches/wheezy/debian/patches/pod_req_misspell2.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/pod_req_misspell2.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/pod_req_misspell2.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,12 +0,0 @@
-diff --git a/doc/apps/req.pod b/doc/apps/req.pod
---- a/doc/apps/req.pod
-+++ b/doc/apps/req.pod
-@@ -303,7 +303,7 @@
-
- =item B<-newhdr>
-
--Adds the word B<NEW> to the PEM file header and footer lines on the outputed
-+Adds the word B<NEW> to the PEM file header and footer lines on the outputted
- request. Some software (Netscape certificate server) and some CAs need this.
-
- =item B<-batch>
Deleted: openssl/branches/wheezy/debian/patches/pod_s_server.misspell.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/pod_s_server.misspell.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/pod_s_server.misspell.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,11 +0,0 @@
---- a/doc/apps/s_server.pod
-+++ b/doc/apps/s_server.pod
-@@ -111,7 +111,7 @@
-
- =item B<-dcertform format>, B<-dkeyform format>, B<-dpass arg>
-
--addtional certificate and private key format and passphrase respectively.
-+additional certificate and private key format and passphrase respectively.
-
- =item B<-nocert>
-
Deleted: openssl/branches/wheezy/debian/patches/pod_x509setflags.misspell.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/pod_x509setflags.misspell.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/pod_x509setflags.misspell.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,11 +0,0 @@
---- a/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
-+++ b/doc/crypto/X509_VERIFY_PARAM_set_flags.pod
-@@ -113,7 +113,7 @@
- to examine the valid policy tree and perform additional checks or simply
- log it for debugging purposes.
-
--By default some addtional features such as indirect CRLs and CRLs signed by
-+By default some additional features such as indirect CRLs and CRLs signed by
- different keys are disabled. If B<X509_V_FLAG_EXTENDED_CRL_SUPPORT> is set
- they are enabled.
-
Modified: openssl/branches/wheezy/debian/patches/rehash-crt.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/rehash-crt.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/rehash-crt.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,8 +1,10 @@
-Index: openssl-1.0.0c/tools/c_rehash.in
-===================================================================
---- openssl-1.0.0c.orig/tools/c_rehash.in 2010-04-15 01:07:28.000000000 +0200
-+++ openssl-1.0.0c/tools/c_rehash.in 2010-12-12 17:10:51.000000000 +0100
-@@ -75,12 +75,15 @@
+---
+ tools/c_rehash.in | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/tools/c_rehash.in
++++ b/tools/c_rehash.in
+@@ -75,12 +75,15 @@ sub hash_dir {
}
}
closedir DIR;
@@ -21,7 +23,7 @@
}
link_hash_cert($fname) if($cert);
link_hash_crl($fname) if($crl);
-@@ -153,6 +156,9 @@
+@@ -153,6 +156,9 @@ sub link_hash_crl {
my $fname = $_[0];
$fname =~ s/'/'\\''/g;
my ($hash, $fprint) = `"$openssl" crl -hash -fingerprint -noout -in '$fname'`;
Deleted: openssl/branches/wheezy/debian/patches/rehash_pod.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/rehash_pod.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/rehash_pod.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,60 +0,0 @@
-Index: openssl-0.9.8k/doc/apps/c_rehash.pod
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ openssl-0.9.8k/doc/apps/c_rehash.pod 2009-07-19 11:36:27.000000000 +0200
-@@ -0,0 +1,55 @@
-+
-+=pod
-+
-+=head1 NAME
-+
-+c_rehash - Create symbolic links to files named by the hash values
-+
-+=head1 SYNOPSIS
-+
-+B<c_rehash>
-+[directory] ...
-+
-+=head1 DESCRIPTION
-+
-+c_rehash scans directories and takes a hash value of each .pem and .crt file in the directory. It then creates symbolic links for each of the files named by the hash value. This is useful as many programs require directories to be set up like this in order to find the certificates they require.
-+
-+If any directories are named on the command line then these directories are processed in turn. If not then and the environment variable SSL_CERT_DIR is defined then that is consulted. This variable should be a colon (:) separated list of directories, all of which will be processed. If neither of these conditions are true then /usr/lib/ssl/certs is processed.
-+
-+For each directory that is to be processed he user must have write permissions on the directory, if they do not then nothing will be printed for that directory.
-+
-+Note that this program deletes all the symbolic links that look like ones that it creates before processing a directory. Beware that if you run the program on a directory that contains symbolic links for other purposes that are named in the same format as those created by this program they will be lost.
-+
-+The hashes for certificate files are of the form <hash>.<n> where n is an integer. If the hash value already exists then n will be incremented, unless the file is a duplicate. Duplicates are detected using the fingerprint of the certificate. A warning will be printed if a duplicate is detected. The hashes for CRL files are of the form <hash>.r<n> and have the same behavior.
-+
-+The program will also warn if there are files with extension .pem which are not certificate or CRL files.
-+
-+The program uses the openssl program to compute the hashes and fingerprints. It expects the executable to be named openssl and be on the PATH, or in the /usr/lib/ssl/bin directory. If the OPENSSL environment variable is defined then this is used instead as the executable that provides the hashes and fingerprints. When called as $OPENSSL x509 -hash -fingerprint -noout -in $file it must output the hash of $file on the first line followed by the fingerprint on the second line, optionally prefixed with some text and an equals sign (=).
-+
-+=head1 OPTIONS
-+
-+None
-+
-+=head1 ENVIRONMENT
-+
-+=over 4
-+
-+=item B<OPENSSL>
-+
-+The name (and path) of an executable to use to generate hashes and fingerprints (see above).
-+
-+=item B<SSL_CERT_DIR>
-+
-+Colon separated list of directories to operate on. Ignored if directories are listed on the command line.
-+
-+=back
-+
-+=head1 SEE ALSO
-+
-+L<openssl(1)|openssl(1)>, L<x509(1)|x509(1)>
-+
-+=head1 BUGS
-+
-+No known bugs
-+
-+=cut
Modified: openssl/branches/wheezy/debian/patches/series
===================================================================
--- openssl/branches/wheezy/debian/patches/series 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/series 2016-09-25 10:01:08 UTC (rev 844)
@@ -2,7 +2,6 @@
config-hurd.patch
debian-targets.patch
engines-path.patch
-make-targets.patch
man-dir.patch
man-section.patch
no-rpath.patch
@@ -10,114 +9,25 @@
pic.patch
valgrind.patch
rehash-crt.patch
-rehash_pod.patch
shared-lib-ext.patch
stddef.patch
version-script.patch
-gnu_source.patch
c_rehash-compat.patch
-libdoc-manpgs-pod-spell.patch
-libssl-misspell.patch
-openssl-pod-misspell.patch
-pod_req_misspell2.patch
-pod_pksc12.misspell.patch
-pod_s_server.misspell.patch
-pod_x509setflags.misspell.patch
-pod_ec.misspell.patch
-pkcs12-doc.patch
-dgst_hmac.patch
block_diginotar.patch
block_digicert_malaysia.patch
c_rehash-multi.patch
#padlock_conf.patch
-default_bits.patch
-ssltest_no_sslv2.patch
-cpuid.patch
-aesni-mac.patch
-dtls_version.patch
-get_certificate.patch
-CVE-2013-6449.patch
-CVE-2013-6450.patch
-disable_rdrand.patch
-disable_dual_ec_drbg.patch
-CVE-2013-4353.patch
-dont_change_version.patch
-CVE-2014-0160.patch
-CVE-2010-5298.patch
-CVE-2014-XXXX-Extension-checking-fixes.patch
-CVE-2014-0076.patch
-ECDHE-ECDSA_Safari.patch
-CVE-2014-0198.patch
-CVE-2014-0224.patch
-CVE-2014-3470.patch
-CVE-2014-0195.patch
-CVE-2014-0221.patch
-CVE-2012-4929.patch
-Avoid-double-free-when-processing-DTLS-packets.patch
-Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch
-Fix-DTLS-handshake-message-size-checks.patch
-Fix-memory-leak-from-zero-length-DTLS-fragments.patch
-Fix-return-code-for-truncated-DTLS-fragment.patch
-Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch
-Remove-some-duplicate-DTLS-code.patch
-Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch
-Fix-DTLS-anonymous-EC-DH-denial-of-service.patch
-Fix-OID-handling.patch
-Fix-race-condition-in-ssl_parse_serverhello_tlsext.patch
-SRP-ciphersuite-correction.patch
-Fix-SRP-ciphersuite-DoS-vulnerability.patch
-Fix-SRP-buffer-overrun-vulnerability.patch
-Check-SRP-parameters-early.patch
-Support-TLS_FALLBACK_SCSV.patch
-Fix-for-SRTP-Memory-Leak.patch
-Fix-for-session-tickets-memory-leak.patch
-Fix-no-ssl3-configuration-option.patch
-#disable_sslv3.patch
-Keep-old-method-in-case-of-an-unsupported-protocol.patch
-0082-Return-error-when-a-bit-string-indicates-an-invalid-.patch
-0094-Fix-various-certificate-fingerprint-issues.patch
-0095-Constify-ASN1_TYPE_cmp-add-X509_ALGOR_cmp.patch
-0098-ECDH-downgrade-bug-fix.patch
-0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch
-0102-use-correct-function-name.patch
-0107-fix-error-discrepancy.patch
-0108-Fix-for-CVE-2014-3570.patch
-0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch
-0110-Follow-on-from-CVE-2014-3571.-This-fixes-the-code-th.patch
-0111-Unauthenticated-DH-client-certificate-fix.patch
-0112-A-memory-leak-can-occur-in-dtls1_buffer_record-if-ei.patch
-0006-Fix-reachable-assert-in-SSLv2-servers.patch
-0005-PKCS-7-avoid-NULL-pointer-dereferences-with-missing-.patch
-0004-Fix-ASN1_TYPE_cmp.patch
-#0003-Free-up-passed-ASN.1-structure-if-reused.patch
-0002-Free-up-ADB-and-CHOICE-if-already-initialised.patch
-0001-fix-warning.patch
-0001-Remove-export-ciphers-from-the-DEFAULT-cipher-list.patch
-0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch
-0001-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch
-0001-Check-public-key-is-not-NULL.patch
-0001-evp-prevent-underflow-in-base64-decoding.patch
-0008-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch
-CVE-2015-1791.patch
-CVE-2015-1792.patch
-CVE-2015-1789.patch
-CVE-2015-1790.patch
-CVE-2015-1788.patch
-CVE-2015-4000.patch
-CVE-2014-8176.patch
-CVE-2015-3194.patch
-CVE-2015-3195.patch
-CVE-2015-3196.patch
-CVE-2015-7575.patch
-Disable-EXPORT-and-LOW-ciphers.patch
-CVE-2016-0797.patch
-CVE-2016-0798.patch
-CVE-2016-0799.patch
-CVE-2016-0702.patch
-CVE-2016-0705.patch
-CVE-2016-2108.patch
-CVE-2016-2107.patch
-CVE-2016-2105.patch
-CVE-2016-2176.patch
-CVE-2016-2106.patch
-CVE-2016-2109.patch
+defaults.patch
+Update-S-MIME-certificates.patch
+Fix-name-length-limit-check.patch
+CVE-2016-2177.patch
+CVE-2016-2178.patch
+CVE-2016-2179.patch
+CVE-2016-2180.patch
+CVE-2016-2181.patch
+CVE-2016-2182.patch
+CVE-2016-2183.patch
+CVE-2016-6302.patch
+CVE-2016-6303.patch
+CVE-2016-6304.patch
+CVE-2016-6306.patch
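Review bot: The new series silently drops several local hardening patches — `disable_dual_ec_drbg.patch`, `disable_rdrand.patch`, `Disable-EXPORT-and-LOW-ciphers.patch`, `0001-Remove-export-ciphers-from-the-DEFAULT-cipher-list.patch`, `default_bits.patch` and `dont_change_version.patch` — and the only added non-CVE entry that could absorb them is `defaults.patch`. Nothing in this hunk shows that the new upstream base (the `OPENSSL_1.0.1s` symbol version elsewhere in this commit suggests 1.0.1s or later) already provides those behaviours, so before upload it should be confirmed that the built library still excludes EXPORT/LOW ciphers from DEFAULT and that whatever the two `disable_*` patches switched off stays off. A one-line comment in `series` next to `defaults.patch`, or its DEP-3 header, should name which dropped patches it replaces, e.g. `# defaults.patch: merges default_bits.patch, dont_change_version.patch and Disable-EXPORT-and-LOW-ciphers.patch`, so the next rebase does not lose them again. Patches that upstream now carries (the CVE-2016-0797..2109 set, the SRP and TLS_FALLBACK_SCSV fixes) are fine to drop if the base really is 1.0.1s+.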
Modified: openssl/branches/wheezy/debian/patches/shared-lib-ext.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/shared-lib-ext.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/shared-lib-ext.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,8 +1,10 @@
-Index: openssl-1.0.0c/Configure
-===================================================================
---- openssl-1.0.0c.orig/Configure 2010-12-12 16:10:12.000000000 +0100
-+++ openssl-1.0.0c/Configure 2010-12-12 17:12:38.000000000 +0100
-@@ -1605,7 +1605,8 @@
+---
+ Configure | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/Configure
++++ b/Configure
+@@ -1733,7 +1733,8 @@ while (<IN>)
elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
{
my $sotmp = $1;
Deleted: openssl/branches/wheezy/debian/patches/ssltest_no_sslv2.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/ssltest_no_sslv2.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/ssltest_no_sslv2.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,24 +0,0 @@
-From: Dr. Stephen Henson <steve at openssl.org>
-Date: Mon Feb 11 18:17:50 2013 +0000
-Origin: upstream, commit:cbf9b4aed3e209fe8a39e1d6f55aaf46d1369dc4
-Subject: Fix in ssltest is no-ssl2 configured
-
-diff --git a/ssl/ssltest.c b/ssl/ssltest.c
-index 316bbb0..4f80be8 100644
---- a/ssl/ssltest.c
-+++ b/ssl/ssltest.c
-@@ -881,7 +881,13 @@ bad:
- meth=SSLv23_method();
- #else
- #ifdef OPENSSL_NO_SSL2
-- meth=SSLv3_method();
-+ if (tls1)
-+ meth=TLSv1_method();
-+ else
-+ if (ssl3)
-+ meth=SSLv3_method();
-+ else
-+ meth=SSLv23_method();
- #else
- meth=SSLv2_method();
- #endif
Modified: openssl/branches/wheezy/debian/patches/stddef.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/stddef.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/stddef.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,12 +1,16 @@
-Index: openssl-0.9.8k/crypto/sha/sha.h
-===================================================================
---- openssl-0.9.8k.orig/crypto/sha/sha.h 2008-09-16 12:47:28.000000000 +0200
-+++ openssl-0.9.8k/crypto/sha/sha.h 2009-07-19 11:36:28.000000000 +0200
-@@ -59,6 +59,7 @@
+---
+ crypto/sha/sha.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/crypto/sha/sha.h
++++ b/crypto/sha/sha.h
+@@ -59,8 +59,8 @@
#ifndef HEADER_SHA_H
- #define HEADER_SHA_H
+ # define HEADER_SHA_H
-+#include <stddef.h>
- #include <openssl/e_os2.h>
- #include <stddef.h>
+-# include <openssl/e_os2.h>
+ # include <stddef.h>
++# include <openssl/e_os2.h>
+ #ifdef __cplusplus
+ extern "C" {
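Review bot: After this refresh the patch no longer adds `# include <stddef.h>` (upstream now has it) but only moves it ahead of `# include <openssl/e_os2.h>`, and it still carries no DEP-3 `Description:`/`Origin:` header saying why the order matters. Without that rationale the patch reads as a no-op and is likely to be dropped at the next rebase, or kept for no reason. Either add a header such as `Description: Include <stddef.h> before <openssl/e_os2.h> so size_t is declared first on <platform/toolchain>` with the actual reason filled in, or drop the patch if the original motivation (adding the include) no longer applies.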
Modified: openssl/branches/wheezy/debian/patches/valgrind.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/valgrind.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/valgrind.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,20 +1,22 @@
-Index: openssl-1.0.0c/crypto/rand/md_rand.c
-===================================================================
---- openssl-1.0.0c.orig/crypto/rand/md_rand.c 2010-06-16 15:17:22.000000000 +0200
-+++ openssl-1.0.0c/crypto/rand/md_rand.c 2010-12-12 17:02:50.000000000 +0100
-@@ -476,6 +476,7 @@
- MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
+---
+ crypto/rand/md_rand.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/crypto/rand/md_rand.c
++++ b/crypto/rand/md_rand.c
+@@ -480,6 +480,7 @@ int ssleay_rand_bytes(unsigned char *buf
+ MD_Update(&m, (unsigned char *)&(md_c[0]), sizeof(md_c));
- #ifndef PURIFY /* purify complains */
+ #ifndef PURIFY /* purify complains */
+#if 0
- /* The following line uses the supplied buffer as a small
- * source of entropy: since this buffer is often uninitialised
- * it may cause programs such as purify or valgrind to
-@@ -485,6 +486,7 @@
- */
- MD_Update(&m,buf,j);
+ /*
+ * The following line uses the supplied buffer as a small source of
+ * entropy: since this buffer is often uninitialised it may cause
+@@ -489,6 +490,7 @@ int ssleay_rand_bytes(unsigned char *buf
+ */
+ MD_Update(&m, buf, j);
#endif
+#endif
- k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
- if (k > 0)
+ k = (st_idx + MD_DIGEST_LENGTH / 2) - st_num;
+ if (k > 0) {
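Review bot: This is a plain refresh, but the patch still has no DEP-3 description, and the PRNG in md_rand.c is exactly where an under-documented Debian change produced CVE-2008-0166. As far as the hunk shows, the `#if 0` only disables the `MD_Update(&m, buf, j)` in `ssleay_rand_bytes` that mixes the caller's (possibly uninitialised) output buffer into the digest, and seeding via `ssleay_rand_add` is untouched; that scope should be written down so a future refresh cannot widen it. Suggest a header along the lines of `Description: Do not mix the caller's (often uninitialised) output buffer into the PRNG state in ssleay_rand_bytes; this only silences valgrind/purify and does not touch seeding in ssleay_rand_add.` The enclosing function `ssleay_rand_bytes` starts and ends outside the hunk.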
Modified: openssl/branches/wheezy/debian/patches/version-script.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/version-script.patch 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/patches/version-script.patch 2016-09-25 10:01:08 UTC (rev 844)
@@ -1,8 +1,13 @@
-Index: openssl-1.0.1d/Configure
-===================================================================
---- openssl-1.0.1d.orig/Configure 2013-02-06 19:41:43.000000000 +0100
-+++ openssl-1.0.1d/Configure 2013-02-06 19:41:43.000000000 +0100
-@@ -1621,6 +1621,8 @@
+---
+ Configure | 2
+ engines/ccgost/openssl.ld | 10
+ engines/openssl.ld | 10
+ openssl.ld | 4626 ++++++++++++++++++++++++++++++++++++++++++++++
+ 4 files changed, 4648 insertions(+)
+
+--- a/Configure
++++ b/Configure
+@@ -1635,6 +1635,8 @@ if ($strict_warnings)
}
}
@@ -11,10 +16,34 @@
open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new";
open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n";
-Index: openssl-1.0.1d/openssl.ld
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.0.1d/openssl.ld 2013-02-06 19:44:25.000000000 +0100
+--- /dev/null
++++ b/engines/ccgost/openssl.ld
+@@ -0,0 +1,10 @@
++OPENSSL_1.0.0 {
++ global:
++ bind_engine;
++ v_check;
++ OPENSSL_init;
++ OPENSSL_finish;
++ local:
++ *;
++};
++
+--- /dev/null
++++ b/engines/openssl.ld
+@@ -0,0 +1,10 @@
++OPENSSL_1.0.0 {
++ global:
++ bind_engine;
++ v_check;
++ OPENSSL_init;
++ OPENSSL_finish;
++ local:
++ *;
++};
++
+--- /dev/null
++++ b/openssl.ld
@@ -0,0 +1,4626 @@
+OPENSSL_1.0.0 {
+ global:
@@ -4637,38 +4666,8 @@
+} OPENSSL_1.0.1;
+
+OPENSSL_1.0.1s {
-+ global:
-+ SRP_VBASE_get1_by_user;
-+ SRP_user_pwd_free;
++ global:
++ SRP_VBASE_get1_by_user;
++ SRP_user_pwd_free;
+} OPENSSL_1.0.1d;
+
-Index: openssl-1.0.1d/engines/openssl.ld
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.0.1d/engines/openssl.ld 2013-02-06 19:41:43.000000000 +0100
-@@ -0,0 +1,10 @@
-+OPENSSL_1.0.0 {
-+ global:
-+ bind_engine;
-+ v_check;
-+ OPENSSL_init;
-+ OPENSSL_finish;
-+ local:
-+ *;
-+};
-+
-Index: openssl-1.0.1d/engines/ccgost/openssl.ld
-===================================================================
---- /dev/null 1970-01-01 00:00:00.000000000 +0000
-+++ openssl-1.0.1d/engines/ccgost/openssl.ld 2013-02-06 19:41:43.000000000 +0100
-@@ -0,0 +1,10 @@
-+OPENSSL_1.0.0 {
-+ global:
-+ bind_engine;
-+ v_check;
-+ OPENSSL_init;
-+ OPENSSL_finish;
-+ local:
-+ *;
-+};
-+
Modified: openssl/branches/wheezy/debian/rules
===================================================================
--- openssl/branches/wheezy/debian/rules 2016-09-23 17:50:00 UTC (rev 843)
+++ openssl/branches/wheezy/debian/rules 2016-09-25 10:01:08 UTC (rev 844)
@@ -38,6 +38,7 @@
# perl util/ssldir.pl /usr/lib/ssl
# chmod +x debian/libtool
./Configure no-shared $(CONFARGS) debian-$(DEB_HOST_ARCH)
+ make depend
make -f Makefile all
make test
mv libcrypto.a libcrypto.static
@@ -85,6 +86,10 @@
-rm -f libcrypto.* libssl.*
-cd test && rm -f .rnd tmp.bntest tmp.bctest *.o *.obj lib tags core .pure .nfs* *.old *.bak fluff bntest ectest ecdsatest ecdhtest ideatest md2test md4test md5test hmactest rc2test rc4test rc5test destest shatest sha1test sha256t sha512t mdc2test rmdtest randtest dhtest enginetest bftest casttest ssltest exptest dsatest rsa_test evp_test *.ss *.srl log dummytest newkey.pem igetest
-rm Makefile apps/CA.pl tools/c_rehash crypto/opensslconf.h crypto/x86_64cpuid.S
+ rm -f test/asn1test test/wp_test test/srptest test/jpaketest
+ rm -f certs/demo/*.0
+ rm -rf crypto/aes/aes-armv4.S crypto/bn/armv4-gf2m.S crypto/modes/ghash-armv4.S crypto/sha/*.S
+ find . -type l -exec rm '{}' \;
dh_clean
install: build
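Review bot: The new `find . -type l -exec rm '{}' \;` in the clean target removes every symlink under the source tree, not just the ones that `make depend`/`make links` create, so if the upstream tarball or the Debian directory ships any symlink of its own, `debian/rules clean` will leave the tree out of sync with the .orig tarball and the next build will see spurious deletions. Unless every symlink is known to be generated, scope it to the directories the build populates (in this tree I believe those are `include/openssl`, `test` and `apps`, but that should be checked), e.g. `find include/openssl test apps -type l -delete`. The unconditional `rm Makefile apps/CA.pl tools/c_rehash ...` on the line above still lacks `-f` and will fail a clean of a never-configured tree; the new lines correctly use `rm -f`, so the old one should match.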