From 67d9a56251c4491beacb666ba5833574d0cf0d12 Mon Sep 17 00:00:00 2001 From: James M Snell Date: Thu, 2 Apr 2015 15:16:40 -0700 Subject: [PATCH 01/17] tls: disable RC4, add --cipher-list command line switch Disable RC4 in the default cipher list Add the `--cipher-list` command line switch and `NODE_CIPHER_LIST` environment variable to completely override the default cipher list. Add the `--enable-legacy-cipher-list` and `NODE_LEGACY_CIPHER_LIST` environment variable to selectively enable the default cipher list from previous node.js releases. Reviewed-By: James M Snell PR-URL: https://github.com/joyent/node/pull/14413 --- doc/api/tls.markdown | 66 ++++++++++++++++++++++++--- lib/tls.js | 14 ++++-- src/node.cc | 41 +++++++++++++++++ src/node_crypto.cc | 25 ++++++++++- src/node_crypto.h | 20 +++++++++ test/simple/test-tls-cipher-list.js | 70 +++++++++++++++++++++++++++++ test/simple/test-tls-getcipher.js | 2 +- 7 files changed, 226 insertions(+), 12 deletions(-) create mode 100644 test/simple/test-tls-cipher-list.js diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown index fbd97e88a65..49b37106e27 100644 --- a/doc/api/tls.markdown +++ b/doc/api/tls.markdown 
@@ -109,6 +109,60 @@ handshake extensions allowing you: * SNI - to use one TLS server for multiple hostnames with different SSL certificates. +## Modifying the Default Cipher Suite + +Node.js is built with a default suite of enabled and disabled ciphers. +Currently, the default cipher suite is: + + ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH + +This default can be overridden entirely using the `--cipher-list` command line +switch or `NODE_CIPHER_LIST` environment variable. For instance: + + node --cipher-list=ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384 + +Setting the environment variable would have the same effect: + + NODE_CIPHER_LIST=ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384 + +CAUTION: The default cipher suite has been carefully selected to reflect current +security best practices and risk mitigation. Changing the default cipher suite +can have a significant impact on the security of an application. The +`--cipher-list` and `NODE_CIPHER_LIST` options should only be used if +absolutely necessary. + +### Using Legacy Default Cipher Suite ### + +It is possible for the built-in default cipher suite to change from one release +of Node.js to another. For instance, v0.10.39 uses a different default than +v0.10.38. Such changes can cause issues with applications written to assume +certain specific defaults. 
To help buffer applications against such changes, +the `--enable-legacy-cipher-list` command line switch or `NODE_LEGACY_CIPHER_LIST` +environment variable can be set to specify a specific preset default: + + # Use the v0.10.38 defaults + node --enable-legacy-cipher-list=v0.10.38 + // or + NODE_LEGACY_CIPHER_LIST=v0.10.38 + +Currently, the values supported for the `enable-legacy-cipher-list` switch and +`NODE_LEGACY_CIPHER_LIST` environment variable include: + + v0.10.38 - To enable the default cipher suite used in v0.10.38 + + ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH + +These legacy cipher suites are also made available for use via the +`getLegacyCiphers()` method: + + var tls = require('tls'); + console.log(tls.getLegacyCiphers('v0.10.38')); + +CAUTION: Changes to the default cipher suite are typically made in order to +strengthen the default security for applications running within Node.js. +Reverting back to the defaults used by older releases can weaken the security +of your applications. The legacy cipher suites should only be used if absolutely +necessary. ## tls.getCiphers() @@ -151,13 +205,13 @@ automatically set as a listener for the [secureConnection][] event. The conjunction with the `honorCipherOrder` option described below to prioritize the non-CBC cipher. - Defaults to `AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH`. + Defaults to `ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH`. Consult the [OpenSSL cipher list format documentation] for details on the format. ECDH (Elliptic Curve Diffie-Hellman) ciphers are not yet supported. `AES128-GCM-SHA256` is used when node.js is linked against OpenSSL 1.0.1 - or newer and the client speaks TLS 1.2, RC4 is used as a secure fallback. + or newer and the client speaks TLS 1.2. **NOTE**: Previous revisions of this section suggested `AES256-SHA` as an acceptable cipher. Unfortunately, `AES256-SHA` is a CBC cipher and therefore 
@@ -333,7 +387,7 @@ Here is an example of a client of echo server as described previously: // These are necessary only if using the client certificate authentication key: fs.readFileSync('client-key.pem'), cert: fs.readFileSync('client-cert.pem'), - + // This is necessary only if the server uses the self-signed certificate ca: [ fs.readFileSync('server-cert.pem') ] }; @@ -525,7 +579,7 @@ A ClearTextStream is the `clear` member of a SecurePair object. ### Event: 'secureConnect' -This event is emitted after a new connection has been successfully handshaked. +This event is emitted after a new connection has been successfully handshaked. The listener will be called no matter if the server's certificate was authorized or not. It is up to the user to test `cleartextStream.authorized` to see if the server certificate was signed by one of the specified CAs. @@ -550,14 +604,14 @@ some properties corresponding to the field of the certificate. Example: - { subject: + { subject: { C: 'UK', ST: 'Acknack Ltd', L: 'Rhys Jones', O: 'node.js', OU: 'Test TLS Certificate', CN: 'localhost' }, - issuer: + issuer: { C: 'UK', ST: 'Acknack Ltd', L: 'Rhys Jones', diff --git a/lib/tls.js b/lib/tls.js index e3b90832236..9f53ad82aef 100644 --- a/lib/tls.js +++ b/lib/tls.js @@ -19,6 +19,8 @@ // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE // USE OR OTHER DEALINGS IN THE SOFTWARE. +var _crypto = process.binding('crypto'); + var crypto = require('crypto'); var util = require('util'); var net = require('net'); 
@@ -31,8 +33,9 @@ var constants = require('constants'); var Timer = process.binding('timer_wrap').Timer; -var DEFAULT_CIPHERS = 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:' + // TLS 1.2 - 'RC4:HIGH:!MD5:!aNULL:!EDH'; // TLS 1.0 +var DEFAULT_CIPHERS = _crypto.DEFAULT_CIPHER_LIST; + +exports.getLegacyCiphers = _crypto.getLegacyCiphers; // Allow {CLIENT_RENEG_LIMIT} client-initiated session renegotiations // every {CLIENT_RENEG_WINDOW} seconds. An error event is emitted if more @@ -44,7 +47,7 @@ exports.CLIENT_RENEG_WINDOW = 600; exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024; exports.getCiphers = function() { - var names = process.binding('crypto').getSSLCiphers(); + var names = _crypto.getSSLCiphers(); // Drop all-caps names in favor of their lowercase aliases, var ctx = {}; names.forEach(function(name) { @@ -65,7 +68,7 @@ if (process.env.NODE_DEBUG && /tls/.test(process.env.NODE_DEBUG)) { var Connection = null; try { - Connection = process.binding('crypto').Connection; + Connection = _crypto.Connection; } catch (e) { throw new Error('node.js not compiled with openssl crypto support.'); } @@ -1335,6 +1338,9 @@ exports.connect = function(/* [port, host], options, cb */) { var defaults = { rejectUnauthorized: '0' !== process.env.NODE_TLS_REJECT_UNAUTHORIZED }; + if (DEFAULT_CIPHERS != _crypto.getLegacyCiphers('v0.10.38')) { + defaults.ciphers = DEFAULT_CIPHERS; + } options = util._extend(defaults, options || {}); options.secureOptions = crypto._getSecureOptions(options.secureProtocol, diff --git a/src/node.cc b/src/node.cc index e80c1a573f5..4ba39b111d6 100644 --- a/src/node.cc +++ b/src/node.cc @@ -2566,6 +2566,9 @@ static void PrintHelp() { " --max-stack-size=val set max v8 stack size (bytes)\n" " --enable-ssl2 enable ssl2\n" " --enable-ssl3 enable ssl3\n" + " --cipher-list=val specify the default TLS cipher list\n" + " --enable-legacy-cipher-list=val \n" + " set to v0.10.38 to use the v0.10.38 list\n" "\n" "Environment variables:\n" #ifdef _WIN32 
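Review bot: The guard added to `exports.connect`, `if (DEFAULT_CIPHERS != _crypto.getLegacyCiphers('v0.10.38'))`, has no comment explaining why a client must not receive the legacy list explicitly, and it decides this by comparing strings. A process started with a `--cipher-list` value identical to the v0.10.38 string is therefore treated as legacy too. In both cases `defaults.ciphers` stays unset, so the client presumably negotiates with whatever the linked OpenSSL offers by default rather than with the list shown in the documentation. I would add `// v0.10.38 clients never passed ciphers; leave them unset so the legacy switch restores that behaviour exactly` above the test and make the comparison strict with `!==`. The rest of `exports.connect` lies outside the hunk.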
@@ -2577,6 +2580,9 @@ static void PrintHelp() { "NODE_MODULE_CONTEXTS Set to 1 to load modules in their own\n" " global contexts.\n" "NODE_DISABLE_COLORS Set to 1 to disable colors in the REPL\n" + "NODE_CIPHER_LIST Override the default TLS cipher list\n" + "NODE_LEGACY_CIPHER_LIST\n" + " Set to v0.10.38 to use the v0.10.38 list\n" "\n" "Documentation can be found at http://nodejs.org/\n"); } @@ -2584,6 +2590,7 @@ static void PrintHelp() { // Parse node command line arguments. static void ParseArgs(int argc, char **argv) { int i; + bool using_legacy_cipher_list = false; // TODO use parse opts for (i = 1; i < argc; i++) { @@ -2652,6 +2659,21 @@ static void ParseArgs(int argc, char **argv) { } else if (strcmp(arg, "--throw-deprecation") == 0) { argv[i] = const_cast(""); throw_deprecation = true; + } else if (strncmp(arg, "--cipher-list=", 14) == 0) { + if (!using_legacy_cipher_list) { + DEFAULT_CIPHER_LIST = arg + 14; + } + argv[i] = const_cast(""); + } else if (strncmp(arg, "--enable-legacy-cipher-list=", 28) == 0) { + const char * legacy_list = legacy_cipher_list(arg+28); + if (legacy_list != NULL) { + using_legacy_cipher_list = true; + DEFAULT_CIPHER_LIST = legacy_list; + } else { + fprintf(stderr, "Error: An unknown legacy cipher list was specified\n"); + exit(9); + } + argv[i] = const_cast(""); } else if (argv[i][0] != '-') { break; } 
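Review bot: The `--cipher-list=` branch in `ParseArgs` stores `arg + 14` without looking at it, so `--cipher-list=` with nothing after the `=` sets `DEFAULT_CIPHER_LIST` to an empty string, whereas the legacy branch below it rejects bad input with exit code 9. How an empty list is handled when a TLS context is created is not visible in this hunk, so a fail-closed check at parse time is the safer place: `if (arg[14] == '\0') { fprintf(stderr, "Error: --cipher-list requires a value\n"); exit(9); }`. A comment on `using_legacy_cipher_list` saying that the legacy switch wins regardless of argument order would also help, since that is what the two branches implement together. `ParseArgs` begins and ends outside the hunk.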
@@ -2946,6 +2968,25 @@ char** Init(int argc, char *argv[]) { v8argv[option_end_index + 1] = const_cast("v8debug"); } + const char * cipher_list = getenv("NODE_CIPHER_LIST"); + if (cipher_list != NULL) { + DEFAULT_CIPHER_LIST = cipher_list; + } + // Allow the NODE_LEGACY_CIPHER_LIST envar to override the other + // cipher list options. NODE_LEGACY_CIPHER_LIST=v0.10.38 will use + // the cipher list from v0.10.38 + const char * leg_cipher_id = getenv("NODE_LEGACY_CIPHER_LIST"); + if (leg_cipher_id != NULL) { + const char * leg_cipher_list = + legacy_cipher_list(leg_cipher_id); + if (leg_cipher_list != NULL) { + DEFAULT_CIPHER_LIST = leg_cipher_list; + } else { + fprintf(stderr, "Error: An unknown legacy cipher list was specified\n"); + exit(9); + } + } + // For the normal stack which moves from high to low addresses when frames // are pushed, we can compute the limit as stack_size bytes below the // the address of a stack variable (e.g. &stack_var) as an approximation diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 7a3922a797f..c1e943fef49 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -71,6 +71,7 @@ const char* root_certs[] = { bool SSL2_ENABLE = false; bool SSL3_ENABLE = false; +const char * DEFAULT_CIPHER_LIST = DEFAULT_CIPHER_LIST_HEAD; namespace crypto { @@ -802,7 +803,7 @@ size_t ClientHelloParser::Write(const uint8_t* data, size_t len) { HandleScope scope; assert(state_ != kEnded); - + // Just accumulate data, everything will be pushed to BIO later if (state_ == kPaused) return 0; 
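Review bot: Both `getenv` blocks added to `Init` assign `DEFAULT_CIPHER_LIST` unconditionally, so if they run after `ParseArgs` (the call is outside this hunk) an inherited `NODE_CIPHER_LIST` or `NODE_LEGACY_CIPHER_LIST` replaces a list the operator passed explicitly with `--cipher-list`. The environment of a parent process can then re-enable RC4 for a child that was started with a stricter switch, and neither the comment here nor the tls.markdown text states that precedence for `NODE_CIPHER_LIST`. I would either let the command line win, by recording in `ParseArgs` that a switch was seen and skipping the environment lookup in that case, or extend the comment to `// Environment variables take precedence over --cipher-list and --enable-legacy-cipher-list` and document the same order in the API docs. `NODE_CIPHER_LIST` is also accepted without any check, including an empty string.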
@@ -4190,6 +4191,21 @@ static void array_push_back(const TypeName* md, arr->Set(arr->Length(), String::New(from)); } +// borrowed from v8 +// (see http://v8.googlecode.com/svn/trunk/samples/shell.cc) +const char* ToCString(const node::Utf8Value& value) { + return *value ? *value : ""; +} + +Handle DefaultCiphers(const Arguments& args) { + HandleScope scope; + node::Utf8Value key(args[0]); + const char * list = legacy_cipher_list(ToCString(key)); + if (list == NULL) { + list = DEFAULT_CIPHER_LIST_HEAD; + } + return scope.Close(v8::String::New(list)); +} Handle GetCiphers(const Arguments& args) { HandleScope scope; @@ -4264,6 +4280,13 @@ void InitCrypto(Handle target) { NODE_DEFINE_CONSTANT(target, SSL3_ENABLE); NODE_DEFINE_CONSTANT(target, SSL2_ENABLE); + + (target)->ForceSet( + v8::String::New("DEFAULT_CIPHER_LIST"), + v8::String::New(DEFAULT_CIPHER_LIST), + static_cast(v8::ReadOnly | v8::DontDelete)); + + NODE_SET_METHOD(target, "getLegacyCiphers", DefaultCiphers); } } // namespace crypto diff --git a/src/node_crypto.h b/src/node_crypto.h index 54b9b88e437..0b360cfa36b 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h @@ -27,6 +27,7 @@ #include "node_object_wrap.h" #include "v8.h" +#include #include #include #include @@ -43,10 +44,29 @@ #define EVP_F_EVP_DECRYPTFINAL 101 +#define DEFAULT_CIPHER_LIST_V10_38 "ECDHE-RSA-AES128-SHA256:" \ + "AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH" + +#define DEFAULT_CIPHER_LIST_HEAD "ECDHE-RSA-AES128-SHA256:" \ + "AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH" + +static inline const char * legacy_cipher_list(const char * ver) { + if (ver == NULL) { + return NULL; + } + if (strncmp(ver, "v0.10.38", 8) == 0) { + return DEFAULT_CIPHER_LIST_V10_38; + } else { + return NULL; + } +} + + namespace node { extern bool SSL2_ENABLE; extern bool SSL3_ENABLE; +extern const char * DEFAULT_CIPHER_LIST; namespace crypto { 
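Review bot: `DefaultCiphers` falls back to `DEFAULT_CIPHER_LIST_HEAD` when `legacy_cipher_list` returns NULL, so `tls.getLegacyCiphers()` called with an unknown or missing version silently returns the current built-in default instead of signalling the mistake. The command-line and environment paths treat the same input as fatal, and the fallback is the compiled-in HEAD string rather than the effective `DEFAULT_CIPHER_LIST`, so the value can differ from what the process is actually using. Throwing keeps the three entry points consistent: `if (list == NULL) return ThrowException(Exception::Error(String::New("Unknown legacy cipher list")));`. The function would also read better named `GetLegacyCiphers`, matching the method it is registered as in `InitCrypto`, with a one-line comment giving its argument and return value.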
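Review bot: `legacy_cipher_list` in node_crypto.h matches with `strncmp(ver, "v0.10.38", 8)`, which compares only the first eight characters, so `v0.10.389` or `v0.10.38-anything` is accepted and selects the RC4-enabled list. Because this string gates a deliberate security downgrade, it should match exactly: `if (strcmp(ver, "v0.10.38") == 0) {`. A short comment above the function, saying that it returns NULL for an unknown identifier and that callers must treat NULL as an error, would document the contract the callers in node.cc rely on.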
diff --git a/test/simple/test-tls-cipher-list.js b/test/simple/test-tls-cipher-list.js
new file mode 100644
index 00000000000..ac2169537b8
--- /dev/null
+++ b/test/simple/test-tls-cipher-list.js
@@ -0,0 +1,70 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+var spawn = require('child_process').spawn;
+var assert = require('assert');
+var tls = require('tls');
+var crypto = process.binding('crypto');
+
+function doTest(checklist, env, useswitch) {
+ var options;
+ if (env && useswitch === 1) {
+ options = {env:env};
+ }
+ var args = ['-e', 'console.log(process.binding(\'crypto\').DEFAULT_CIPHER_LIST)'];
+
+ switch(useswitch) {
+ case 1:
+ // Test --cipher-test
+ args.unshift('--cipher-list=' + env);
+ break;
+ case 2:
+ // Test --enable-legacy-cipher-list
+ args.unshift('--enable-legacy-cipher-list=' + env);
+ break;
+ case 3:
+ // Test NODE_LEGACY_CIPHER_LIST
+ if (env) options = {env:{"NODE_LEGACY_CIPHER_LIST": env}};
+ break;
+ default:
+ // Test NODE_CIPHER_LIST
+ if (env) options = {env:env};
+ }
+
+ var out = '';
+ spawn(process.execPath, args, options).
+ stdout. + on('data', function(data) { + out += data; + }). + on('end', function() { + assert.equal(out.trim(), checklist); + }); +} + +doTest(crypto.DEFAULT_CIPHER_LIST); // test the default +doTest('ABC', {'NODE_CIPHER_LIST':'ABC'}); // test the envar +doTest('ABC', 'ABC', 1); // test the --cipher-list switch + +['v0.10.38'].forEach(function(ver) { + doTest(tls.getLegacyCiphers(ver), ver, 2); + doTest(tls.getLegacyCiphers(ver), ver, 3); +}); diff --git a/test/simple/test-tls-getcipher.js b/test/simple/test-tls-getcipher.js index 22a280e5874..8fb9d528731 100644 --- a/test/simple/test-tls-getcipher.js +++ b/test/simple/test-tls-getcipher.js @@ -49,7 +49,7 @@ server.listen(common.PORT, '127.0.0.1', function() { rejectUnauthorized: false }, function() { var cipher = client.getCipher(); - assert.equal(cipher.name, cipher_list[0]); + assert.equal(cipher.name, cipher_list[1]); assert(cipher_version_pattern.test(cipher.version)); client.end(); server.close(); From 02a549ed2b2afe85d8ff0335b6684ad54023afb7 Mon Sep 17 00:00:00 2001 From: James M Snell Date: Mon, 6 Apr 2015 11:32:22 -0700 Subject: [PATCH 02/17] tls: make the --enable-legacy-cipher-list help less verbose Per feedback on the commit, make the PrintHelp for --enable-legacy-cipher-list less verbose. Reviewed-By: James M Snell PR-URL: https://github.com/joyent/node/pull/14413 --- src/node.cc | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/src/node.cc b/src/node.cc index 4ba39b111d6..81e123e571f 100644 --- a/src/node.cc +++ b/src/node.cc @@ -2567,8 +2567,7 @@ static void PrintHelp() { " --enable-ssl2 enable ssl2\n" " --enable-ssl3 enable ssl3\n" " --cipher-list=val specify the default TLS cipher list\n" - " --enable-legacy-cipher-list=val \n" - " set to v0.10.38 to use the v0.10.38 list\n" + " --enable-legacy-cipher-list=v0.10.38 \n" "\n" "Environment variables:\n" #ifdef _WIN32 
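Review bot: In `doTest`, the first `if (env && useswitch === 1)` block sets `options = {env:env}` for the `--cipher-list` case, where `env` is the string `'ABC'` rather than an environment object, so the child is spawned with a string as its `env` option. That block can be removed, since case 1 only needs `args.unshift('--cipher-list=' + env);`. The comment in that case should read `// Test --cipher-list`. The test also covers only the accepting paths: there is no case for an unknown legacy identifier (exit code 9 per node.cc) or for a switch and an environment variable given together, which are the paths where a wrong cipher list would go unnoticed.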
@@ -2581,8 +2580,7 @@ static void PrintHelp() { " global contexts.\n" "NODE_DISABLE_COLORS Set to 1 to disable colors in the REPL\n" "NODE_CIPHER_LIST Override the default TLS cipher list\n" - "NODE_LEGACY_CIPHER_LIST\n" - " Set to v0.10.38 to use the v0.10.38 list\n" + "NODE_LEGACY_CIPHER_LIST=v0.10.38\n" "\n" "Documentation can be found at http://nodejs.org/\n"); } From de904033fa95f0993bd8583108ac0efcda8947af Mon Sep 17 00:00:00 2001 From: Paulo McNally Date: Wed, 8 Apr 2015 09:00:23 -0600 Subject: [PATCH 03/17] doc: add link to workflow in api docs menu Added link to workflow guidelines page in API docs' navigation menu. Fixes https://github.com/joyent/node-website/issues/102. Reviewed-By: Julien Gilli PR-URL: https://github.com/joyent/node/pull/14570 --- doc/template.html | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/template.html b/doc/template.html index b1f4463e64e..475dc9fa0a2 100644 --- a/doc/template.html +++ b/doc/template.html @@ -30,6 +30,7 @@
  • About Docs
  • Tutorials
  • Contributing
  • +
  • Workflow
  • Localization
  • API Docs
  • From 9800e0b42838e5c95f02422f138ce16c2e8eed3f Mon Sep 17 00:00:00 2001 From: AlexKVal Date: Wed, 15 Apr 2015 19:01:11 +0300 Subject: [PATCH 04/17] docs: clarify usage of stream.Writable.write Add separate sample code for the write-after-end case to avoid confusion. PR: #15517 PR-URL: https://github.com/joyent/node/pull/15517 Reviewed-By: Julien Gilli --- doc/api/stream.markdown | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/doc/api/stream.markdown b/doc/api/stream.markdown index 3230a59276c..e0f7d72bab8 100644 --- a/doc/api/stream.markdown +++ b/doc/api/stream.markdown @@ -517,14 +517,20 @@ function writeOneMillionTimes(writer, data, encoding, callback) { Call this method when no more data will be written to the stream. If supplied, the callback is attached as a listener on the `finish` event. -Calling [`write()`][] after calling [`end()`][] will raise an error. - ```javascript // write 'hello, ' and then end with 'world!' var file = fs.createWriteStream('example.txt'); file.write('hello, '); file.end('world!'); -// writing more now is not allowed! +``` + +Calling [`write()`][] after calling [`end()`][] will raise an error: + +```javascript +// end with 'world!' and then write with 'hello, ' will raise an error +var file = fs.createWriteStream('example.txt'); +file.end('world!'); +file.write('hello, '); ``` #### Event: 'finish' From 9d19dfbfdb2253e0bf42b55c7c1bbd618f40bf3c Mon Sep 17 00:00:00 2001 From: Oguz Bastemur Date: Thu, 26 Mar 2015 00:06:28 +0100 Subject: [PATCH 05/17] install: fix source path for openssl headers PR: #14089 PR-URL: https://github.com/joyent/node/pull/14089 Reviewed-By: Trevor Norris Reviewed-By: James M Snell Reviewed-By: Julien Gilli --- tools/install.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install.py b/tools/install.py index 25bd3493d4f..9419fa1b187 100755 --- a/tools/install.py +++ b/tools/install.py 
@@ -157,7 +157,7 @@ def files(action): if 'false' == variables.get('node_shared_openssl'): action(['deps/openssl/config/opensslconf.h'], 'include/node/openssl/') - subdir_files('deps/openssl/include/openssl', 'include/node/openssl/', action) + subdir_files('deps/openssl/openssl/include/openssl', 'include/node/openssl/', action) if 'false' == variables.get('node_shared_v8'): subdir_files('deps/v8/include', 'include/node/', action) From 4028669531bcd30d6082bf0dfdb8d73ddb0717c6 Mon Sep 17 00:00:00 2001 From: Oguz Bastemur Date: Mon, 6 Apr 2015 09:57:39 +0200 Subject: [PATCH 06/17] install: make sure opensslconf.h is overwritten PR: #14089 PR-URL: https://github.com/joyent/node/pull/14089 Reviewed-By: Trevor Norris Reviewed-By: James M Snell Reviewed-By: Julien Gilli --- tools/install.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/install.py b/tools/install.py index 9419fa1b187..c8316b92ca1 100755 --- a/tools/install.py +++ b/tools/install.py @@ -156,8 +156,8 @@ def files(action): subdir_files('deps/uv/include', 'include/node/', action) if 'false' == variables.get('node_shared_openssl'): - action(['deps/openssl/config/opensslconf.h'], 'include/node/openssl/') subdir_files('deps/openssl/openssl/include/openssl', 'include/node/openssl/', action) + action(['deps/openssl/config/opensslconf.h'], 'include/node/openssl/') if 'false' == variables.get('node_shared_v8'): subdir_files('deps/v8/include', 'include/node/', action) From ad9947e3fa19f5f48a7872461ad79763b6ee5a51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Reis?= Date: Thu, 30 Apr 2015 14:42:45 +0100 Subject: [PATCH 07/17] win,msi: Added empty InstallExecuteSequence group This is needed so that we can backport 668bde8ac0d16382cbc98c904d8b5f55fd9fd9f0 from io.js with a clean merge. PR-URL: https://github.com/joyent/node/pull/25100 Reviewed-By: Julien Gilli Fixes: https://github.com/joyent/node/issues/4356 --- tools/msvs/msi/product.wxs | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/tools/msvs/msi/product.wxs b/tools/msvs/msi/product.wxs index 977be2ce40e..1d674aaa068 100755 --- a/tools/msvs/msi/product.wxs +++ b/tools/msvs/msi/product.wxs @@ -237,6 +237,9 @@ + + + From e7c84f82c730bddb7450dc56065aab11b93ffd30 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mathias=20K=C3=BCsel?= Date: Tue, 27 Jan 2015 16:01:23 +0100 Subject: [PATCH 08/17] win,msi: broadcast WM_SETTINGCHANGE after install Backport 668bde8ac0d16382cbc98c904d8b5f55fd9fd9f0 from io.js. Original commit message follows: In theory the msi should broadcast a 'WM_SETTINGCHANGE' message to all windows after modifying the PATH environment variable. This ensures that the new PATH is visible to other processes without restarting windows (although it's still necessary to close and reopen active console windows). Unfortunately, the broadcast doesn't always happen, for unknown reasons. That's why this patch adds a custom action that unconditionally broadcasts a WM_SETTINGCHANGE message. Bug: https://github.com/iojs/io.js/issues/603 PR: https://github.com/iojs/io.js/pull/613 Reviewed-by: Bert Belder (cherry picked from commit 668bde8ac0d16382cbc98c904d8b5f55fd9fd9f0) --Node.js commmit metadata-- PR-URL: https://github.com/joyent/node/pull/25100 Reviewed-By: Julien Gilli Fixes: https://github.com/joyent/node/issues/4356 --- .gitignore | 1 + tools/msvs/msi/custom_actions.c | 42 ++++++ tools/msvs/msi/custom_actions.def | 4 + tools/msvs/msi/custom_actions.vcxproj | 181 ++++++++++++++++++++++++++ tools/msvs/msi/nodemsi.sln | 10 ++ tools/msvs/msi/nodemsi.wixproj | 10 ++ tools/msvs/msi/product.wxs | 10 ++ 7 files changed, 258 insertions(+) create mode 100644 tools/msvs/msi/custom_actions.c create mode 100644 tools/msvs/msi/custom_actions.def create mode 100644 tools/msvs/msi/custom_actions.vcxproj diff --git a/.gitignore b/.gitignore index 672d08ac3dc..93e41e5753d 100644 --- a/.gitignore +++ b/.gitignore 
@@ -28,6 +28,7 @@ Release/ *.suo *.vcproj *.vcxproj +!custom_actions.vcxproj *.vcxproj.user *.vcxproj.filters UpgradeLog*.XML diff --git a/tools/msvs/msi/custom_actions.c b/tools/msvs/msi/custom_actions.c new file mode 100644 index 00000000000..5e7d617f387 --- /dev/null +++ b/tools/msvs/msi/custom_actions.c @@ -0,0 +1,42 @@ + +#define WIN32_LEAN_AND_MEAN + +#include +#include +#include + + +UINT WINAPI BroadcastEnvironmentUpdate(MSIHANDLE hInstall) { + HRESULT hr = S_OK; + UINT er = ERROR_SUCCESS; + + hr = WcaInitialize(hInstall, "BroadcastEnvironmentUpdate"); + ExitOnFailure(hr, "Failed to initialize"); + + SendMessageTimeoutW(HWND_BROADCAST, + WM_SETTINGCHANGE, + 0, + (LPARAM) L"Environment", + SMTO_ABORTIFHUNG, + 5000, + NULL); + +LExit: + er = SUCCEEDED(hr) ? ERROR_SUCCESS : ERROR_INSTALL_FAILURE; + return WcaFinalize(er); +} + + +BOOL WINAPI DllMain(HINSTANCE hInst, ULONG ulReason, VOID* dummy) { + switch (ulReason) { + case DLL_PROCESS_ATTACH: + WcaGlobalInitialize(hInst); + break; + + case DLL_PROCESS_DETACH: + WcaGlobalFinalize(); + break; + } + + return TRUE; +} diff --git a/tools/msvs/msi/custom_actions.def b/tools/msvs/msi/custom_actions.def new file mode 100644 index 00000000000..29e0933e379 --- /dev/null +++ b/tools/msvs/msi/custom_actions.def @@ -0,0 +1,4 @@ +LIBRARY "custom_actions" + +EXPORTS +BroadcastEnvironmentUpdate \ No newline at end of file diff --git a/tools/msvs/msi/custom_actions.vcxproj b/tools/msvs/msi/custom_actions.vcxproj new file mode 100644 index 00000000000..e014a6981f5 --- /dev/null +++ b/tools/msvs/msi/custom_actions.vcxproj 
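Review bot: `BroadcastEnvironmentUpdate` in custom_actions.c discards the return value of `SendMessageTimeoutW`, so a broadcast that timed out on a hung window leaves no trace in the installer log. Failing the install over it would be wrong, but a log line keeps the best-effort behaviour and makes support cases diagnosable: test the call's result and, when it is zero, emit `WcaLog(LOGMSG_STANDARD, "WM_SETTINGCHANGE broadcast failed or timed out");`. A header comment belongs at the top of the function, stating that the action is deliberately non-fatal and why it exists (per the commit message, the PATH change is otherwise not always broadcast).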
@@ -0,0 +1,181 @@ + + + + + Debug + Win32 + + + Debug + x64 + + + Release + Win32 + + + Release + x64 + + + + {B70585F8-DAB7-40FA-9904-13CF53A73A06} + BroadcastPathUpdateCustomAction + Win32Proj + custom_actions + + + + DynamicLibrary + v120 + Unicode + true + + + DynamicLibrary + v120 + Unicode + true + + + DynamicLibrary + v120 + Unicode + + + DynamicLibrary + v120 + Unicode + + + + + + + + + + + + + + + + + + + <_ProjectFileVersion>12.0.30501.0 + + + true + + + true + + + false + + + false + + + + Disabled + $(WIX)sdk\VS2013\inc;%(AdditionalIncludeDirectories) + WIN32;_DEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + EnableFastChecks + MultiThreadedDebug + NotUsing + Level3 + ProgramDatabase + + + msi.lib;dutil.lib;wcautil.lib;version.lib;%(AdditionalDependencies) + $(WIX)sdk\VS2013\lib\x86;%(AdditionalLibraryDirectories) + custom_actions.def + true + Windows + + + + + Disabled + $(WIX)sdk\VS2013\inc;%(AdditionalIncludeDirectories) + WIN32;_DEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + EnableFastChecks + MultiThreadedDebug + NotUsing + Level3 + ProgramDatabase + + + msi.lib;dutil.lib;wcautil.lib;version.lib;%(AdditionalDependencies) + $(WIX)sdk\VS2013\lib\x64;%(AdditionalLibraryDirectories) + custom_actions.def + true + Windows + + + + + MaxSpeed + true + $(WIX)sdk\VS2013\inc;%(AdditionalIncludeDirectories) + WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + MultiThreaded + true + Level3 + ProgramDatabase + NotUsing + + + + + + + msi.lib;dutil.lib;wcautil.lib;version.lib;%(AdditionalDependencies) + $(WIX)sdk\VS2013\lib\x86;%(AdditionalLibraryDirectories) + custom_actions.def + true + Windows + true + true + + + + + MaxSpeed + true + $(WIX)sdk\VS2013\inc;%(AdditionalIncludeDirectories) + WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions) + MultiThreaded + true + Level3 + ProgramDatabase + NotUsing + + + + + + + msi.lib;dutil.lib;wcautil.lib;version.lib;%(AdditionalDependencies) + $(WIX)sdk\VS2013\lib\x64;%(AdditionalLibraryDirectories) + 
custom_actions.def + true + Windows + true + true + + + + + + + + + + + + + \ No newline at end of file diff --git a/tools/msvs/msi/nodemsi.sln b/tools/msvs/msi/nodemsi.sln index f95b00f879c..9a3bab3f5cb 100644 --- a/tools/msvs/msi/nodemsi.sln +++ b/tools/msvs/msi/nodemsi.sln @@ -3,6 +3,8 @@ Microsoft Visual Studio Solution File, Format Version 11.00 # Visual Studio 2010 Project("{930C7802-8A8C-48F9-8165-68863BCCD9DD}") = "nodemsi", "nodemsi.wixproj", "{1D808FF0-B5A9-4BE9-859D-B334B6F48BE2}" EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "custom_actions", "custom_actions.vcxproj", "{B70585F8-DAB7-40FA-9904-13CF53A73A06}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 @@ -19,6 +21,14 @@ Global {1D808FF0-B5A9-4BE9-859D-B334B6F48BE2}.Release|x64.Build.0 = Release|x64 {1D808FF0-B5A9-4BE9-859D-B334B6F48BE2}.Release|x86.ActiveCfg = Release|x86 {1D808FF0-B5A9-4BE9-859D-B334B6F48BE2}.Release|x86.Build.0 = Release|x86 + {B70585F8-DAB7-40FA-9904-13CF53A73A06}.Debug|x64.ActiveCfg = Debug|x64 + {B70585F8-DAB7-40FA-9904-13CF53A73A06}.Debug|x64.Build.0 = Debug|x64 + {B70585F8-DAB7-40FA-9904-13CF53A73A06}.Debug|x86.ActiveCfg = Debug|Win32 + {B70585F8-DAB7-40FA-9904-13CF53A73A06}.Debug|x86.Build.0 = Debug|Win32 + {B70585F8-DAB7-40FA-9904-13CF53A73A06}.Release|x64.ActiveCfg = Release|x64 + {B70585F8-DAB7-40FA-9904-13CF53A73A06}.Release|x64.Build.0 = Release|x64 + {B70585F8-DAB7-40FA-9904-13CF53A73A06}.Release|x86.ActiveCfg = Release|Win32 + {B70585F8-DAB7-40FA-9904-13CF53A73A06}.Release|x86.Build.0 = Release|Win32 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/tools/msvs/msi/nodemsi.wixproj b/tools/msvs/msi/nodemsi.wixproj index 1059bccb22d..8d17a6cfb4a 100644 --- a/tools/msvs/msi/nodemsi.wixproj +++ b/tools/msvs/msi/nodemsi.wixproj 
@@ -56,6 +56,16 @@ + + + custom_actions + {b70585f8-dab7-40fa-9904-13cf53a73a06} + True + True + Binaries;Content;Satellites + INSTALLFOLDER + + diff --git a/tools/msvs/msi/product.wxs b/tools/msvs/msi/product.wxs index 1d674aaa068..e7c55edd9af 100755 --- a/tools/msvs/msi/product.wxs +++ b/tools/msvs/msi/product.wxs @@ -237,7 +237,17 @@ + + + + + From d38e865fce93c00cb128034202fb1e26987efdbc Mon Sep 17 00:00:00 2001 From: Julien Gilli Date: Mon, 20 Apr 2015 18:43:23 -0700 Subject: [PATCH 09/17] timers: fix timeout when added in timer's callback When a timer is added in another timer's callback, its underlying timer handle will be started with a timeout that is actually incorrect. The reason is that the value that represents the current time is not updated between the time the original callback is called and the time the added timer is processed by timers.listOnTimeout. That leads the logic in timers.listOnTimeout to do an incorrect computation that makes the added timer fire with a timeout of scheduledTimeout + timeSpentInCallback. This change fixes that and make timers scheduled within other timers' callbacks fire as expected. Fixes #9333 and #15447. PR: #17203 PR-URL: https://github.com/joyent/node/pull/17203 Reviewed-By: Fedor Indutny --- lib/timers.js | 11 ++- test/common.js | 8 ++ test/simple/test-timers-blocking-callback.js | 99 ++++++++++++++++++++ 3 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 test/simple/test-timers-blocking-callback.js diff --git a/lib/timers.js b/lib/timers.js index 5acff077260..83493eb609e 100644 --- a/lib/timers.js +++ b/lib/timers.js 
@@ -83,10 +83,19 @@ function listOnTimeout() { debug('timeout callback ' + msecs); var now = Timer.now(); - debug('now: ' + now); + debug('now: %d', now); var first; while (first = L.peek(list)) { + // If the previous iteration caused a timer to be added, + // update the value of "now" so that timing computations are + // done correctly. See test/simple/test-timers-blocking-callback.js + // for more information. + if (now < first._monotonicStartTime) { + now = Timer.now(); + debug('now: %d', now); + } + var diff = now - first._monotonicStartTime; if (diff < msecs) { list.start(msecs - diff, 0); diff --git a/test/common.js b/test/common.js index 92a4183944c..fe2f30cb194 100644 --- a/test/common.js +++ b/test/common.js @@ -218,3 +218,11 @@ exports.hasMultiLocalhost = function hasMultiLocalhost() { t.close(); return ret === 0; }; + +exports.busyLoop = function busyLoop(time) { + var startTime = new Date().getTime(); + var stopTime = startTime + time; + while (new Date().getTime() < stopTime) { + ; + } +}; diff --git a/test/simple/test-timers-blocking-callback.js b/test/simple/test-timers-blocking-callback.js new file mode 100644 index 00000000000..c4a6dedb229 --- /dev/null +++ b/test/simple/test-timers-blocking-callback.js 
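Review bot: The refresh inside the loop in `listOnTimeout` is triggered only by `now < first._monotonicStartTime`, and the comment should say in one more line why that condition identifies a timer added during the previous callback: a timer whose start time is later than the cached `now` can only have been created after `now` was read. Separately, the change from `debug('now: ' + now)` to `debug('now: %d', now)` relies on `debug` doing printf-style substitution. Its definition is outside the hunk, and if it forwards its arguments without formatting, the output becomes the literal `now: %d` followed by the number, in which case the concatenating form should stay. `listOnTimeout` starts and ends outside the hunk.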
@@ -0,0 +1,99 @@
+// Copyright Joyent, Inc. and other Node contributors.
+//
+// Permission is hereby granted, free of charge, to any person obtaining a
+// copy of this software and associated documentation files (the
+// "Software"), to deal in the Software without restriction, including
+// without limitation the rights to use, copy, modify, merge, publish,
+// distribute, sublicense, and/or sell copies of the Software, and to permit
+// persons to whom the Software is furnished to do so, subject to the
+// following conditions:
+//
+// The above copyright notice and this permission notice shall be included
+// in all copies or substantial portions of the Software.
+//
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+// USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+/*
+ * This is a regression test for https://github.com/joyent/node/issues/15447
+ * and https://github.com/joyent/node/issues/9333.
+ *
+ * When a timer is added in another timer's callback, its underlying timer
+ * handle was started with a timeout that was actually incorrect.
+ *
+ * The reason was that the value that represents the current time was not
+ * updated between the time the original callback was called and the time
+ * the added timer was processed by timers.listOnTimeout. That lead the
+ * logic in timers.listOnTimeout to do an incorrect computation that made
+ * the added timer fire with a timeout of scheduledTimeout +
+ * timeSpentInCallback.
+ *
+ * This test makes sure that a timer added by another timer's callback
+ * fire with the expected timeout.
+ *
+ * It makes sure that it works when the timers list for a given timeout is
+ * empty (see testAddingTimerToEmptyTimersList) and when the timers list
+ * is not empty (see testAddingTimerToNonEmptyTimersList).
+ */
+
+var assert = require('assert');
+var common = require('../common');
+
+var TIMEOUT = 100;
+
+var nbBlockingCallbackCalls = 0;
+var latestDelay = 0;
+var timeCallbackScheduled = 0;
+
+function initTest() {
+ nbBlockingCallbackCalls = 0;
+ latestDelay = 0;
+ timeCallbackScheduled = 0;
+}
+
+function blockingCallback(callback) {
+ ++nbBlockingCallbackCalls;
+
+ if (nbBlockingCallbackCalls > 1) {
+ latestDelay = new Date().getTime() - timeCallbackScheduled;
+ // Even if timers can fire later than when they've been scheduled
+ // to fire, they should more than 50% later with a timeout of
+ // 100ms. Firing later than that would mean that we hit the regression
+ // highlighted in
+ // https://github.com/joyent/node/issues/15447 and
+ // https://github.com/joyent/node/issues/9333.
+ assert(latestDelay < TIMEOUT * 1.5);
+ if (callback)
+ return callback();
+ } else {
+ // block by busy-looping to trigger the issue
+ common.busyLoop(TIMEOUT);
+
+ timeCallbackScheduled = new Date().getTime();
+ setTimeout(blockingCallback, TIMEOUT);
+ }
+}
+
+function testAddingTimerToEmptyTimersList(callback) {
+ initTest();
+ // Call setTimeout just once to make sure the timers list is
+ // empty when blockingCallback is called.
+ setTimeout(blockingCallback.bind(global, callback), TIMEOUT);
+}
+
+function testAddingTimerToNonEmptyTimersList() {
+ initTest();
+ // Call setTimeout twice with the same timeout to make
+ // sure the timers list is not empty when blockingCallback is called.
+ setTimeout(blockingCallback, TIMEOUT);
+ setTimeout(blockingCallback, TIMEOUT);
+}
+
+// Run the test for the empty timers list case, and then for the non-empty
+// timers list one
+testAddingTimerToEmptyTimersList(testAddingTimerToNonEmptyTimersList);
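Review bot: The comment above `assert(latestDelay < TIMEOUT * 1.5)` in `blockingCallback` reads "they should more than 50% later", which drops the negation and states the opposite of what the assertion checks. It should read `// to fire, they should not fire more than 50% later with a timeout of`. Separately, nothing verifies how many times `blockingCallback` ran, so a run in which the re-scheduled timer never reaches the `nbBlockingCallbackCalls > 1` branch would presumably exit without a failure. An exit-time check would pin the count for the second scenario: `process.on('exit', function() { assert.equal(nbBlockingCallbackCalls, 3); });`. The 50% margin is also measured on the wall clock, so it may be tight on a loaded machine.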
From 456c22f63f3d7ba9880d6034bdecb90777a42475 Mon Sep 17 00:00:00 2001 
From: Shigeki Ohtsu Date: Sat, 13 Jun 2015 02:07:23 +0900 Subject: [PATCH 10/17] deps: upgrade to openssl-1.0.1o This just replaces all sources of openssl-1.0.1o.tar.gz into deps/openssl/openssl. PR: #25523 PR-URL: https://github.com/joyent/node/pull/25523 Reviewed-By: Julien Gilli --- deps/openssl/openssl/CHANGES | 77 +++ deps/openssl/openssl/Configure | 10 +- deps/openssl/openssl/Makefile | 28 +- deps/openssl/openssl/Makefile.bak | 28 +- deps/openssl/openssl/Makefile.org | 26 +- deps/openssl/openssl/NEWS | 12 + deps/openssl/openssl/README | 2 +- deps/openssl/openssl/apps/Makefile | 19 +- deps/openssl/openssl/apps/apps.c | 6 +- deps/openssl/openssl/apps/asn1pars.c | 2 +- deps/openssl/openssl/apps/ca.c | 10 +- deps/openssl/openssl/apps/cms.c | 2 + deps/openssl/openssl/apps/dhparam.c | 4 +- deps/openssl/openssl/apps/enc.c | 13 +- deps/openssl/openssl/apps/gendh.c | 2 +- deps/openssl/openssl/apps/ocsp.c | 2 + deps/openssl/openssl/apps/s_cb.c | 3 +- deps/openssl/openssl/apps/s_client.c | 35 +- deps/openssl/openssl/apps/s_server.c | 73 ++- deps/openssl/openssl/apps/s_time.c | 2 +- deps/openssl/openssl/apps/smime.c | 2 + deps/openssl/openssl/apps/srp.c | 4 +- deps/openssl/openssl/apps/verify.c | 2 +- deps/openssl/openssl/crypto/Makefile | 11 +- deps/openssl/openssl/crypto/aes/Makefile | 2 + deps/openssl/openssl/crypto/asn1/Makefile | 2 + deps/openssl/openssl/crypto/asn1/a_int.c | 6 +- deps/openssl/openssl/crypto/asn1/asn1_gen.c | 40 +- deps/openssl/openssl/crypto/asn1/asn_mime.c | 3 +- deps/openssl/openssl/crypto/asn1/bio_ndef.c | 4 +- deps/openssl/openssl/crypto/asn1/tasn_new.c | 3 - deps/openssl/openssl/crypto/asn1/tasn_prn.c | 2 +- deps/openssl/openssl/crypto/asn1/x_x509.c | 4 +- deps/openssl/openssl/crypto/bf/Makefile | 2 + deps/openssl/openssl/crypto/bio/Makefile | 2 + deps/openssl/openssl/crypto/bio/b_print.c | 45 +- deps/openssl/openssl/crypto/bio/bf_nbio.c | 6 +- deps/openssl/openssl/crypto/bio/bio_lib.c | 8 +- deps/openssl/openssl/crypto/bio/bss_dgram.c | 21 +- 
deps/openssl/openssl/crypto/bn/Makefile | 2 + deps/openssl/openssl/crypto/bn/bn.h | 5 + deps/openssl/openssl/crypto/bn/bn_err.c | 6 +- deps/openssl/openssl/crypto/bn/bn_gf2m.c | 15 +- deps/openssl/openssl/crypto/bn/bn_lcl.h | 2 +- deps/openssl/openssl/crypto/bn/bn_print.c | 7 +- deps/openssl/openssl/crypto/bn/bn_rand.c | 10 +- deps/openssl/openssl/crypto/bn/bn_shift.c | 10 + deps/openssl/openssl/crypto/buffer/Makefile | 2 + deps/openssl/openssl/crypto/buffer/buffer.c | 2 +- deps/openssl/openssl/crypto/camellia/Makefile | 2 + deps/openssl/openssl/crypto/cast/Makefile | 2 + deps/openssl/openssl/crypto/cmac/Makefile | 2 + deps/openssl/openssl/crypto/cmac/cmac.c | 2 + deps/openssl/openssl/crypto/cms/Makefile | 2 + deps/openssl/openssl/crypto/cms/cms_pwri.c | 7 +- deps/openssl/openssl/crypto/cms/cms_smime.c | 2 +- deps/openssl/openssl/crypto/comp/Makefile | 2 + deps/openssl/openssl/crypto/conf/Makefile | 2 + deps/openssl/openssl/crypto/cryptlib.c | 2 - deps/openssl/openssl/crypto/des/Makefile | 2 + deps/openssl/openssl/crypto/des/des.c | 6 +- deps/openssl/openssl/crypto/des/enc_writ.c | 7 +- deps/openssl/openssl/crypto/dh/Makefile | 2 + deps/openssl/openssl/crypto/dh/dh_ameth.c | 2 +- deps/openssl/openssl/crypto/dsa/Makefile | 2 + deps/openssl/openssl/crypto/dsa/dsa_gen.c | 3 +- deps/openssl/openssl/crypto/dsa/dsa_ossl.c | 8 +- deps/openssl/openssl/crypto/dso/Makefile | 2 + deps/openssl/openssl/crypto/dso/dso_lib.c | 2 +- deps/openssl/openssl/crypto/dso/dso_vms.c | 2 +- deps/openssl/openssl/crypto/ec/Makefile | 2 + deps/openssl/openssl/crypto/ec/ec2_oct.c | 2 +- deps/openssl/openssl/crypto/ec/ec_asn1.c | 20 +- deps/openssl/openssl/crypto/ec/ec_check.c | 2 +- deps/openssl/openssl/crypto/ec/ec_key.c | 2 +- deps/openssl/openssl/crypto/ec/ec_lcl.h | 8 - deps/openssl/openssl/crypto/ec/ec_lib.c | 7 + deps/openssl/openssl/crypto/ec/eck_prn.c | 4 +- deps/openssl/openssl/crypto/ec/ecp_oct.c | 2 +- deps/openssl/openssl/crypto/ec/ectest.c | 24 +- 
deps/openssl/openssl/crypto/ecdh/Makefile | 2 + deps/openssl/openssl/crypto/ecdsa/Makefile | 2 + deps/openssl/openssl/crypto/ecdsa/ecdsatest.c | 4 +- deps/openssl/openssl/crypto/engine/Makefile | 2 + .../openssl/openssl/crypto/engine/eng_table.c | 6 +- deps/openssl/openssl/crypto/err/Makefile | 2 + deps/openssl/openssl/crypto/evp/Makefile | 2 + deps/openssl/openssl/crypto/evp/bio_ok.c | 3 +- deps/openssl/openssl/crypto/evp/e_aes.c | 7 +- .../openssl/crypto/evp/e_aes_cbc_hmac_sha1.c | 9 +- .../openssl/crypto/evp/e_rc4_hmac_md5.c | 10 +- deps/openssl/openssl/crypto/evp/encode.c | 2 +- deps/openssl/openssl/crypto/evp/evp.h | 4 +- deps/openssl/openssl/crypto/evp/p_seal.c | 5 +- deps/openssl/openssl/crypto/hmac/Makefile | 2 + deps/openssl/openssl/crypto/hmac/hmac.c | 19 +- deps/openssl/openssl/crypto/hmac/hmactest.c | 179 ++++++- deps/openssl/openssl/crypto/idea/Makefile | 2 + deps/openssl/openssl/crypto/jpake/Makefile | 2 + deps/openssl/openssl/crypto/krb5/Makefile | 2 + deps/openssl/openssl/crypto/lhash/Makefile | 2 + deps/openssl/openssl/crypto/md2/Makefile | 2 + deps/openssl/openssl/crypto/md32_common.h | 4 +- deps/openssl/openssl/crypto/md4/Makefile | 2 + deps/openssl/openssl/crypto/md5/Makefile | 2 + deps/openssl/openssl/crypto/mdc2/Makefile | 2 + deps/openssl/openssl/crypto/mem.c | 3 + deps/openssl/openssl/crypto/modes/Makefile | 2 + deps/openssl/openssl/crypto/modes/gcm128.c | 2 +- deps/openssl/openssl/crypto/objects/Makefile | 2 + deps/openssl/openssl/crypto/objects/o_names.c | 2 +- deps/openssl/openssl/crypto/objects/obj_dat.c | 7 +- .../openssl/crypto/objects/objects.README | 8 +- .../openssl/openssl/crypto/objects/objects.pl | 2 +- deps/openssl/openssl/crypto/ocsp/Makefile | 2 + deps/openssl/openssl/crypto/ocsp/ocsp_ext.c | 4 +- deps/openssl/openssl/crypto/ocsp/ocsp_vfy.c | 21 +- deps/openssl/openssl/crypto/opensslconf.h | 242 +++++++++- deps/openssl/openssl/crypto/opensslv.h | 6 +- deps/openssl/openssl/crypto/pem/Makefile | 2 + 
deps/openssl/openssl/crypto/pem/pem_lib.c | 2 +- deps/openssl/openssl/crypto/pem/pem_pk8.c | 2 + .../openssl/openssl/crypto/perlasm/x86masm.pl | 2 +- deps/openssl/openssl/crypto/pkcs12/Makefile | 2 + deps/openssl/openssl/crypto/pkcs12/p12_mutl.c | 3 +- deps/openssl/openssl/crypto/pkcs7/Makefile | 2 + deps/openssl/openssl/crypto/pkcs7/pk7_doit.c | 16 +- deps/openssl/openssl/crypto/pqueue/Makefile | 2 + deps/openssl/openssl/crypto/rand/Makefile | 2 + deps/openssl/openssl/crypto/rand/rand_os2.c | 2 +- deps/openssl/openssl/crypto/rc2/Makefile | 2 + deps/openssl/openssl/crypto/rc4/Makefile | 2 + deps/openssl/openssl/crypto/rc5/Makefile | 2 + deps/openssl/openssl/crypto/ripemd/Makefile | 2 + deps/openssl/openssl/crypto/rsa/Makefile | 2 + deps/openssl/openssl/crypto/rsa/rsa_pmeth.c | 8 +- deps/openssl/openssl/crypto/seed/Makefile | 2 + deps/openssl/openssl/crypto/sha/Makefile | 2 + .../openssl/crypto/sha/asm/sha256-x86_64.pl | 438 ------------------ .../openssl/crypto/sha/asm/sha512-x86_64.pl | 36 +- deps/openssl/openssl/crypto/srp/Makefile | 2 + deps/openssl/openssl/crypto/srp/srp_vfy.c | 9 +- deps/openssl/openssl/crypto/stack/Makefile | 2 + deps/openssl/openssl/crypto/store/Makefile | 2 + deps/openssl/openssl/crypto/threads/th-lock.c | 12 +- deps/openssl/openssl/crypto/ts/Makefile | 2 + deps/openssl/openssl/crypto/txt_db/Makefile | 2 + deps/openssl/openssl/crypto/ui/Makefile | 2 + deps/openssl/openssl/crypto/whrlpool/Makefile | 2 + deps/openssl/openssl/crypto/x509/Makefile | 2 + deps/openssl/openssl/crypto/x509/x509_lu.c | 2 + deps/openssl/openssl/crypto/x509/x509_vfy.c | 226 ++++++--- deps/openssl/openssl/crypto/x509/x509_vfy.h | 6 + deps/openssl/openssl/crypto/x509/x509_vpm.c | 2 + deps/openssl/openssl/crypto/x509/x509type.c | 3 - deps/openssl/openssl/crypto/x509v3/Makefile | 2 + deps/openssl/openssl/crypto/x509v3/v3_alt.c | 18 +- deps/openssl/openssl/crypto/x509v3/v3_cpols.c | 8 +- deps/openssl/openssl/crypto/x509v3/v3_utl.c | 4 + 
.../openssl/openssl/demos/easy_tls/easy-tls.c | 3 +- deps/openssl/openssl/doc/apps/cms.pod | 5 +- deps/openssl/openssl/doc/apps/config.pod | 53 +++ deps/openssl/openssl/doc/apps/dhparam.pod | 13 +- deps/openssl/openssl/doc/apps/ocsp.pod | 11 + deps/openssl/openssl/doc/apps/s_client.pod | 7 +- deps/openssl/openssl/doc/apps/s_server.pod | 9 + deps/openssl/openssl/doc/apps/smime.pod | 4 +- deps/openssl/openssl/doc/apps/verify.pod | 13 + deps/openssl/openssl/doc/crypto/BN_rand.pod | 3 +- .../openssl/openssl/doc/crypto/BN_set_bit.pod | 8 +- .../crypto/X509_VERIFY_PARAM_set_flags.pod | 8 +- deps/openssl/openssl/doc/crypto/pem.pod | 27 +- .../doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 106 ++--- deps/openssl/openssl/e_os2.h | 8 +- deps/openssl/openssl/engines/Makefile | 13 +- deps/openssl/openssl/engines/ccgost/Makefile | 18 +- .../openssl/engines/ccgost/e_gost_err.c | 3 +- .../openssl/engines/ccgost/e_gost_err.h | 1 + .../openssl/openssl/engines/ccgost/gost2001.c | 229 +++++++-- .../openssl/engines/ccgost/gost94_keyx.c | 6 +- .../openssl/engines/ccgost/gost_ameth.c | 36 +- .../openssl/engines/ccgost/gost_pmeth.c | 2 +- .../openssl/engines/ccgost/gost_sign.c | 87 +++- deps/openssl/openssl/engines/e_sureware.c | 27 +- deps/openssl/openssl/include/openssl/aes.h | 2 +- deps/openssl/openssl/include/openssl/asn1.h | 2 +- .../openssl/include/openssl/asn1_mac.h | 2 +- deps/openssl/openssl/include/openssl/asn1t.h | 2 +- deps/openssl/openssl/include/openssl/bio.h | 2 +- .../openssl/include/openssl/blowfish.h | 2 +- deps/openssl/openssl/include/openssl/bn.h | 2 +- deps/openssl/openssl/include/openssl/buffer.h | 2 +- .../openssl/include/openssl/camellia.h | 2 +- deps/openssl/openssl/include/openssl/cast.h | 2 +- deps/openssl/openssl/include/openssl/cmac.h | 2 +- deps/openssl/openssl/include/openssl/cms.h | 2 +- deps/openssl/openssl/include/openssl/comp.h | 2 +- deps/openssl/openssl/include/openssl/conf.h | 2 +- .../openssl/include/openssl/conf_api.h | 2 +- 
deps/openssl/openssl/include/openssl/crypto.h | 2 +- deps/openssl/openssl/include/openssl/des.h | 2 +- .../openssl/openssl/include/openssl/des_old.h | 2 +- deps/openssl/openssl/include/openssl/dh.h | 2 +- deps/openssl/openssl/include/openssl/dsa.h | 2 +- deps/openssl/openssl/include/openssl/dso.h | 2 +- deps/openssl/openssl/include/openssl/dtls1.h | 2 +- deps/openssl/openssl/include/openssl/e_os2.h | 2 +- deps/openssl/openssl/include/openssl/ebcdic.h | 2 +- deps/openssl/openssl/include/openssl/ec.h | 2 +- deps/openssl/openssl/include/openssl/ecdh.h | 2 +- deps/openssl/openssl/include/openssl/ecdsa.h | 2 +- deps/openssl/openssl/include/openssl/engine.h | 2 +- deps/openssl/openssl/include/openssl/err.h | 2 +- deps/openssl/openssl/include/openssl/evp.h | 2 +- deps/openssl/openssl/include/openssl/hmac.h | 2 +- deps/openssl/openssl/include/openssl/idea.h | 2 +- .../openssl/include/openssl/krb5_asn.h | 2 +- deps/openssl/openssl/include/openssl/kssl.h | 2 +- deps/openssl/openssl/include/openssl/lhash.h | 2 +- deps/openssl/openssl/include/openssl/md4.h | 2 +- deps/openssl/openssl/include/openssl/md5.h | 2 +- deps/openssl/openssl/include/openssl/mdc2.h | 2 +- deps/openssl/openssl/include/openssl/modes.h | 2 +- .../openssl/openssl/include/openssl/obj_mac.h | 2 +- .../openssl/openssl/include/openssl/objects.h | 2 +- deps/openssl/openssl/include/openssl/ocsp.h | 2 +- .../openssl/include/openssl/opensslconf.h | 2 +- .../openssl/include/openssl/opensslv.h | 2 +- .../openssl/include/openssl/ossl_typ.h | 2 +- deps/openssl/openssl/include/openssl/pem.h | 2 +- deps/openssl/openssl/include/openssl/pem2.h | 2 +- deps/openssl/openssl/include/openssl/pkcs12.h | 2 +- deps/openssl/openssl/include/openssl/pkcs7.h | 2 +- deps/openssl/openssl/include/openssl/pqueue.h | 2 +- deps/openssl/openssl/include/openssl/rand.h | 2 +- deps/openssl/openssl/include/openssl/rc2.h | 2 +- deps/openssl/openssl/include/openssl/rc4.h | 2 +- deps/openssl/openssl/include/openssl/ripemd.h | 2 +- 
deps/openssl/openssl/include/openssl/rsa.h | 2 +- .../openssl/include/openssl/safestack.h | 2 +- deps/openssl/openssl/include/openssl/seed.h | 2 +- deps/openssl/openssl/include/openssl/sha.h | 2 +- deps/openssl/openssl/include/openssl/srp.h | 2 +- deps/openssl/openssl/include/openssl/srtp.h | 2 +- deps/openssl/openssl/include/openssl/ssl.h | 2 +- deps/openssl/openssl/include/openssl/ssl2.h | 2 +- deps/openssl/openssl/include/openssl/ssl23.h | 2 +- deps/openssl/openssl/include/openssl/ssl3.h | 2 +- deps/openssl/openssl/include/openssl/stack.h | 2 +- .../openssl/include/openssl/symhacks.h | 2 +- deps/openssl/openssl/include/openssl/tls1.h | 2 +- deps/openssl/openssl/include/openssl/ts.h | 2 +- deps/openssl/openssl/include/openssl/txt_db.h | 2 +- deps/openssl/openssl/include/openssl/ui.h | 2 +- .../openssl/include/openssl/ui_compat.h | 2 +- .../openssl/include/openssl/whrlpool.h | 2 +- deps/openssl/openssl/include/openssl/x509.h | 2 +- .../openssl/include/openssl/x509_vfy.h | 2 +- deps/openssl/openssl/include/openssl/x509v3.h | 2 +- deps/openssl/openssl/openssl.spec | 2 +- deps/openssl/openssl/ssl/Makefile | 54 +-- deps/openssl/openssl/ssl/d1_both.c | 46 +- deps/openssl/openssl/ssl/d1_clnt.c | 10 + deps/openssl/openssl/ssl/d1_lib.c | 3 + deps/openssl/openssl/ssl/d1_pkt.c | 2 +- deps/openssl/openssl/ssl/d1_srvr.c | 28 +- deps/openssl/openssl/ssl/s2_pkt.c | 14 + deps/openssl/openssl/ssl/s2_srvr.c | 104 ++--- deps/openssl/openssl/ssl/s3_both.c | 2 +- deps/openssl/openssl/ssl/s3_cbc.c | 16 +- deps/openssl/openssl/ssl/s3_clnt.c | 273 +++++++++-- deps/openssl/openssl/ssl/s3_pkt.c | 13 +- deps/openssl/openssl/ssl/s3_srvr.c | 230 ++++++--- deps/openssl/openssl/ssl/ssl.h | 4 + deps/openssl/openssl/ssl/ssl_err.c | 3 + deps/openssl/openssl/ssl/ssl_lib.c | 8 +- deps/openssl/openssl/ssl/ssl_locl.h | 1 + deps/openssl/openssl/ssl/ssl_sess.c | 131 +++++- deps/openssl/openssl/ssl/ssl_stat.c | 6 + deps/openssl/openssl/ssl/ssltest.c | 20 +- deps/openssl/openssl/ssl/t1_enc.c | 9 +- 
deps/openssl/openssl/ssl/t1_lib.c | 174 +++---- deps/openssl/openssl/ssl/tls_srp.c | 3 +- deps/openssl/openssl/test/Makefile | 17 +- deps/openssl/openssl/test/testssl | 38 +- deps/openssl/openssl/tools/Makefile | 2 + deps/openssl/openssl/util/mk1mf.pl | 2 +- deps/openssl/openssl/util/mkerr.pl | 21 +- deps/openssl/openssl/util/pl/BC-32.pl | 2 +- deps/openssl/openssl/util/pl/VC-32.pl | 2 +- 290 files changed, 2762 insertions(+), 1474 deletions(-) delete mode 100755 deps/openssl/openssl/crypto/sha/asm/sha256-x86_64.pl mode change 100644 => 120000 deps/openssl/openssl/include/openssl/aes.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/asn1.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/asn1_mac.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/asn1t.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/bio.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/blowfish.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/bn.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/buffer.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/camellia.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/cast.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/cmac.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/cms.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/comp.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/conf.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/conf_api.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/crypto.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/des.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/des_old.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/dh.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/dsa.h 
mode change 100644 => 120000 deps/openssl/openssl/include/openssl/dso.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/dtls1.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/e_os2.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ebcdic.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ec.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ecdh.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ecdsa.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/engine.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/err.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/evp.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/hmac.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/idea.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/krb5_asn.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/kssl.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/lhash.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/md4.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/md5.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/mdc2.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/modes.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/obj_mac.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/objects.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ocsp.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/opensslconf.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/opensslv.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ossl_typ.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/pem.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/pem2.h 
mode change 100644 => 120000 deps/openssl/openssl/include/openssl/pkcs12.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/pkcs7.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/pqueue.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/rand.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/rc2.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/rc4.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ripemd.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/rsa.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/safestack.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/seed.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/sha.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/srp.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/srtp.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ssl.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ssl2.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ssl23.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ssl3.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/stack.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/symhacks.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/tls1.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ts.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/txt_db.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ui.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/ui_compat.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/whrlpool.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/x509.h mode change 100644 => 120000 deps/openssl/openssl/include/openssl/x509_vfy.h mode 
change 100644 => 120000 deps/openssl/openssl/include/openssl/x509v3.h diff --git a/deps/openssl/openssl/CHANGES b/deps/openssl/openssl/CHANGES index 74179ab8723..d92f55969c8 100644 --- a/deps/openssl/openssl/CHANGES +++ b/deps/openssl/openssl/CHANGES 
@@ -2,6 +2,83 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1n and 1.0.1o [12 Jun 2015] + + *) Fix HMAC ABI incompatibility. The previous version introduced an ABI + incompatibility in the handling of HMAC. The previous ABI has now been + restored. + + Changes between 1.0.1m and 1.0.1n [11 Jun 2015] + + *) Malformed ECParameters causes infinite loop + + When processing an ECParameters structure OpenSSL enters an infinite loop + if the curve specified is over a specially malformed binary polynomial + field. + + This can be used to perform denial of service against any + system which processes public keys, certificate requests or + certificates. This includes TLS clients and TLS servers with + client authentication enabled. + + This issue was reported to OpenSSL by Joseph Barr-Pixton. + (CVE-2015-1788) + [Andy Polyakov] + + *) Exploitable out-of-bounds read in X509_cmp_time + + X509_cmp_time does not properly check the length of the ASN1_TIME + string and can read a few bytes out of bounds. In addition, + X509_cmp_time accepts an arbitrary number of fractional seconds in the + time string. + + An attacker can use this to craft malformed certificates and CRLs of + various sizes and potentially cause a segmentation fault, resulting in + a DoS on applications that verify certificates or CRLs. TLS clients + that verify CRLs are affected. TLS clients and servers with client + authentication enabled may be affected if they use custom verification + callbacks. + + This issue was reported to OpenSSL by Robert Swiecki (Google), and + independently by Hanno B�ck. + (CVE-2015-1789) + [Emilia K�sper] + + *) PKCS7 crash with missing EnvelopedContent + + The PKCS#7 parsing code does not handle missing inner EncryptedContent + correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs + with missing content and trigger a NULL pointer dereference on parsing. 
+ + Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 + structures from untrusted sources are affected. OpenSSL clients and + servers are not affected. + + This issue was reported to OpenSSL by Michal Zalewski (Google). + (CVE-2015-1790) + [Emilia K�sper] + + *) CMS verify infinite loop with unknown hash function + + When verifying a signedData message the CMS code can enter an infinite loop + if presented with an unknown hash function OID. This can be used to perform + denial of service against any system which verifies signedData messages using + the CMS code. + This issue was reported to OpenSSL by Johannes Bauer. + (CVE-2015-1792) + [Stephen Henson] + + *) Race condition handling NewSessionTicket + + If a NewSessionTicket is received by a multi-threaded client when attempting to + reuse a previous ticket then a race condition can occur potentially leading to + a double free of the ticket data. + (CVE-2015-1791) + [Matt Caswell] + + *) Reject DH handshakes with parameters shorter than 768 bits. + [Kurt Roeckx and Emilia Kasper] + Changes between 1.0.1l and 1.0.1m [19 Mar 2015] *) Segmentation fault in ASN1_TYPE_cmp fix diff --git a/deps/openssl/openssl/Configure b/deps/openssl/openssl/Configure index d7ecf973c0a..60ec3783e60 100755 --- a/deps/openssl/openssl/Configure +++ b/deps/openssl/openssl/Configure 
@@ -230,12 +230,12 @@ my %table=( #### SPARC Solaris with GNU C setups "solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv8-gcc","gcc:-mcpu=v8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc "solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64", #### -"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=v8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL 
BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -O -g -mcpu=ultrasparc -pedantic -ansi -Wall -Wshadow -Wno-long-long -D__EXTENSIONS__ -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with Sun C setups @@ -252,7 +252,7 @@ my %table=( #### SunOS configs, assuming sparc for the gcc one. #"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::", -"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::", +"sunos-gcc","gcc:-O3 -mcpu=v8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::", #### IRIX 5.x configs # -mips2 flag is added by ./config when appropriate. 
@@ -379,7 +379,7 @@ my %table=( #### SPARC Linux setups # Ray Miller has patiently # assisted with debugging of following two configs. -"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # it's a real mess with -mcpu=ultrasparc option under Linux, but # -Wa,-Av8plus should do the trick no matter what. "linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
@@ -413,7 +413,7 @@ my %table=( "BSD-x86", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "BSD-x86-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-BSD-x86-elf", "gcc:-DL_ENDIAN -O3 -Wall -g::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"BSD-sparcv8", "gcc:-DB_ENDIAN -O3 -mv8 -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"BSD-sparcv8", "gcc:-DB_ENDIAN -O3 -mcpu=v8 -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "BSD-generic64","gcc:-O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # -DMD32_REG_T=int doesn't actually belong in sparc64 target, it diff --git a/deps/openssl/openssl/Makefile b/deps/openssl/openssl/Makefile index d3f31f0764c..0b3badbd99f 100644 --- a/deps/openssl/openssl/Makefile +++ b/deps/openssl/openssl/Makefile @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.1m +VERSION=1.0.1o MAJOR=1 MINOR=0.1 SHLIB_VERSION_NUMBER=1.0.0 @@ -186,7 +186,7 @@ WTARFILE= $(NAME)-win.tar EXHEADER= e_os2.h HEADER= e_os.h -all: Makefile build_all openssl.pc libssl.pc libcrypto.pc +all: Makefile build_all # as we stick to -e, CLEARENV ensures that local variables in lower # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn 
@@ -272,7 +272,10 @@ reflect: sub_all: build_all build_all: build_libs build_apps build_tests build_tools -build_libs: build_crypto build_ssl build_engines +build_libs: build_libcrypto build_libssl openssl.pc + +build_libcrypto: build_crypto build_engines libcrypto.pc +build_libssl: build_ssl libssl.pc build_crypto: @dir=crypto; target=all; $(BUILD_ONE_CMD) @@ -461,6 +464,9 @@ tests: rehash report: @$(PERL) util/selftest.pl +update: errors stacks util/libeay.num util/ssleay.num TABLE + @set -e; target=update; $(RECURSIVE_BUILD_CMD) + depend: @set -e; target=depend; $(RECURSIVE_BUILD_CMD) @@ -485,26 +491,10 @@ util/libeay.num:: util/ssleay.num:: $(PERL) util/mkdef.pl ssl update -crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h - $(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h -crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num - $(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h -crypto/objects/obj_xref.h: crypto/objects/objxref.pl crypto/objects/obj_xref.txt crypto/objects/obj_mac.num - $(PERL) crypto/objects/objxref.pl crypto/objects/obj_mac.num crypto/objects/obj_xref.txt >crypto/objects/obj_xref.h - -apps/openssl-vms.cnf: apps/openssl.cnf - $(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf - -crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl - $(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h - - TABLE: Configure (echo 'Output of `Configure TABLE'"':"; \ $(PERL) Configure TABLE) > TABLE -update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h crypto/objects/obj_xref.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend - # Build distribution tar-file. As the list of files returned by "find" is # pretty long, on several platforms a "too many arguments" error or similar # would occur. Therefore the list of files is temporarily stored into a file 
diff --git a/deps/openssl/openssl/Makefile.bak b/deps/openssl/openssl/Makefile.bak index 6e30d434504..29cc85e7689 100644 --- a/deps/openssl/openssl/Makefile.bak +++ b/deps/openssl/openssl/Makefile.bak @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.1m-dev +VERSION=1.0.1o-dev MAJOR=1 MINOR=0.1 SHLIB_VERSION_NUMBER=1.0.0 @@ -186,7 +186,7 @@ WTARFILE= $(NAME)-win.tar EXHEADER= e_os2.h HEADER= e_os.h -all: Makefile build_all openssl.pc libssl.pc libcrypto.pc +all: Makefile build_all # as we stick to -e, CLEARENV ensures that local variables in lower # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn @@ -272,7 +272,10 @@ reflect: sub_all: build_all build_all: build_libs build_apps build_tests build_tools -build_libs: build_crypto build_ssl build_engines +build_libs: build_libcrypto build_libssl openssl.pc + +build_libcrypto: build_crypto build_engines libcrypto.pc +build_libssl: build_ssl libssl.pc build_crypto: @dir=crypto; target=all; $(BUILD_ONE_CMD) @@ -461,6 +464,9 @@ tests: rehash report: @$(PERL) util/selftest.pl +update: errors stacks util/libeay.num util/ssleay.num TABLE + @set -e; target=update; $(RECURSIVE_BUILD_CMD) + depend: @set -e; target=depend; $(RECURSIVE_BUILD_CMD) 
@@ -485,26 +491,10 @@ util/libeay.num:: util/ssleay.num:: $(PERL) util/mkdef.pl ssl update -crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h - $(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h -crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num - $(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h -crypto/objects/obj_xref.h: crypto/objects/objxref.pl crypto/objects/obj_xref.txt crypto/objects/obj_mac.num - $(PERL) crypto/objects/objxref.pl crypto/objects/obj_mac.num crypto/objects/obj_xref.txt >crypto/objects/obj_xref.h - -apps/openssl-vms.cnf: apps/openssl.cnf - $(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf - -crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl - $(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h - - TABLE: Configure (echo 'Output of `Configure TABLE'"':"; \ $(PERL) Configure TABLE) > TABLE -update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h crypto/objects/obj_xref.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend - # Build distribution tar-file. As the list of files returned by "find" is # pretty long, on several platforms a "too many arguments" error or similar # would occur. Therefore the list of files is temporarily stored into a file diff --git a/deps/openssl/openssl/Makefile.org b/deps/openssl/openssl/Makefile.org index c92806f9201..cf82487f43a 100644 --- a/deps/openssl/openssl/Makefile.org +++ b/deps/openssl/openssl/Makefile.org @@ -184,7 +184,7 @@ WTARFILE= $(NAME)-win.tar EXHEADER= e_os2.h HEADER= e_os.h -all: Makefile build_all openssl.pc libssl.pc libcrypto.pc +all: Makefile build_all # as we stick to -e, CLEARENV ensures that local variables in lower # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn 
@@ -270,7 +270,10 @@ reflect: sub_all: build_all build_all: build_libs build_apps build_tests build_tools -build_libs: build_crypto build_ssl build_engines +build_libs: build_libcrypto build_libssl openssl.pc + +build_libcrypto: build_crypto build_engines libcrypto.pc +build_libssl: build_ssl libssl.pc build_crypto: @dir=crypto; target=all; $(BUILD_ONE_CMD) @@ -459,6 +462,9 @@ tests: rehash report: @$(PERL) util/selftest.pl +update: errors stacks util/libeay.num util/ssleay.num TABLE + @set -e; target=update; $(RECURSIVE_BUILD_CMD) + depend: @set -e; target=depend; $(RECURSIVE_BUILD_CMD) @@ -483,26 +489,10 @@ util/libeay.num:: util/ssleay.num:: $(PERL) util/mkdef.pl ssl update -crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h - $(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h -crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num - $(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h -crypto/objects/obj_xref.h: crypto/objects/objxref.pl crypto/objects/obj_xref.txt crypto/objects/obj_mac.num - $(PERL) crypto/objects/objxref.pl crypto/objects/obj_mac.num crypto/objects/obj_xref.txt >crypto/objects/obj_xref.h - -apps/openssl-vms.cnf: apps/openssl.cnf - $(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf - -crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl - $(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h - - TABLE: Configure (echo 'Output of `Configure TABLE'"':"; \ $(PERL) Configure TABLE) > TABLE -update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h crypto/objects/obj_xref.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend - # Build distribution tar-file. As the list of files returned by "find" is # pretty long, on several platforms a "too many arguments" error or similar # would occur. Therefore the list of files is temporarily stored into a file 
diff --git a/deps/openssl/openssl/NEWS b/deps/openssl/openssl/NEWS index 12616d2c1ff..fb69ad3e5da 100644 --- a/deps/openssl/openssl/NEWS +++ b/deps/openssl/openssl/NEWS @@ -5,6 +5,18 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015] + + o Fix HMAC ABI incompatibility + + Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015] + + o Malformed ECParameters causes infinite loop (CVE-2015-1788) + o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) + o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790) + o CMS verify infinite loop with unknown hash function (CVE-2015-1792) + o Race condition handling NewSessionTicket (CVE-2015-1791) + Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.1m [19 Mar 2015] o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286) diff --git a/deps/openssl/openssl/README b/deps/openssl/openssl/README index ecdcfb2370d..bf3b71540d5 100644 --- a/deps/openssl/openssl/README +++ b/deps/openssl/openssl/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.1m 19 Mar 2015 + OpenSSL 1.0.1o 12 Jun 2015 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/deps/openssl/openssl/apps/Makefile b/deps/openssl/openssl/apps/Makefile index 72657ea6587..cafe55458dd 100644 --- a/deps/openssl/openssl/apps/Makefile +++ b/deps/openssl/openssl/apps/Makefile @@ -94,6 +94,9 @@ req: sreq.o $(A_OBJ) $(DLIBCRYPTO) sreq.o: req.c $(CC) -c $(INCLUDES) $(CFLAG) -o sreq.o req.c +openssl-vms.cnf: openssl.cnf + $(PERL) $(TOP)/VMS/VMSify-conf.pl < openssl.cnf > openssl-vms.cnf + files: $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO 
@@ -127,12 +130,12 @@ links: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff -depend: - @if [ -z "$(THIS)" ]; then \ - $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \ - else \ - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \ - fi +update: openssl-vms.cnf local_depend + +depend: local_depend + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi +local_depend: + @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \ dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new @@ -144,10 +147,10 @@ clean: rm -f req $(DLIBSSL): - (cd ..; $(MAKE) DIRS=ssl all) + (cd ..; $(MAKE) build_libssl) $(DLIBCRYPTO): - (cd ..; $(MAKE) DIRS=crypto all) + (cd ..; $(MAKE) build_libcrypto) $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) $(RM) $(EXE) diff --git a/deps/openssl/openssl/apps/apps.c b/deps/openssl/openssl/apps/apps.c index 9862afde3a7..68012383483 100644 --- a/deps/openssl/openssl/apps/apps.c +++ b/deps/openssl/openssl/apps/apps.c @@ -572,7 +572,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) char *prompt = NULL; prompt = UI_construct_prompt(ui, "pass phrase", prompt_info); - if(!prompt) { + if (!prompt) { BIO_printf(bio_err, "Out of memory\n"); UI_free(ui); return 0; @@ -586,7 +586,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp) PW_MIN_LENGTH, bufsiz - 1); if (ok >= 0 && verify) { buff = (char *)OPENSSL_malloc(bufsiz); - if(!buff) { + if (!buff) { BIO_printf(bio_err, "Out of memory\n"); UI_free(ui); OPENSSL_free(prompt); @@ -2238,6 +2238,8 @@ int args_verify(char ***pargs, int *pargc, flags |= X509_V_FLAG_NOTIFY_POLICY; else if (!strcmp(arg, "-check_ss_sig")) flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; + else if (!strcmp(arg, "-no_alt_chains")) + flags |= X509_V_FLAG_NO_ALT_CHAINS; else return 0; 
diff --git a/deps/openssl/openssl/apps/asn1pars.c b/deps/openssl/openssl/apps/asn1pars.c index 7a0f1694328..11b07875943 100644 --- a/deps/openssl/openssl/apps/asn1pars.c +++ b/deps/openssl/openssl/apps/asn1pars.c @@ -375,7 +375,7 @@ static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf) { CONF *cnf = NULL; int len; - long errline; + long errline = 0; unsigned char *p; ASN1_TYPE *atyp = NULL; diff --git a/deps/openssl/openssl/apps/ca.c b/deps/openssl/openssl/apps/ca.c index 5d29a64c57a..97ad0c1ffe9 100644 --- a/deps/openssl/openssl/apps/ca.c +++ b/deps/openssl/openssl/apps/ca.c @@ -558,7 +558,7 @@ int MAIN(int argc, char **argv) #ifdef OPENSSL_SYS_VMS len = strlen(s) + sizeof(CONFIG_FILE); tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -566,7 +566,7 @@ int MAIN(int argc, char **argv) #else len = strlen(s) + sizeof(CONFIG_FILE) + 1; tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -2803,7 +2803,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_GENERALIZEDTIME *comp_time = NULL; tmp = BUF_strdup(str); - if(!tmp) { + if (!tmp) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } @@ -2825,7 +2825,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, if (prevtm) { *prevtm = ASN1_UTCTIME_new(); - if(!*prevtm) { + if (!*prevtm) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } @@ -2869,7 +2869,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, goto err; } comp_time = ASN1_GENERALIZEDTIME_new(); - if(!comp_time) { + if (!comp_time) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } diff --git a/deps/openssl/openssl/apps/cms.c b/deps/openssl/openssl/apps/cms.c index 0cc4b46d8e2..d7645c0d62b 100644 --- a/deps/openssl/openssl/apps/cms.c +++ b/deps/openssl/openssl/apps/cms.c 
@@ -580,6 +580,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); + BIO_printf(bio_err, + "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf(bio_err, diff --git a/deps/openssl/openssl/apps/dhparam.c b/deps/openssl/openssl/apps/dhparam.c index f86311c28fd..d3b6d58ad2e 100644 --- a/deps/openssl/openssl/apps/dhparam.c +++ b/deps/openssl/openssl/apps/dhparam.c @@ -130,7 +130,7 @@ # undef PROG # define PROG dhparam_main -# define DEFBITS 512 +# define DEFBITS 2048 /*- * -inform arg - input format - default PEM (DER or PEM) @@ -254,7 +254,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, " -5 generate parameters using 5 as the generator value\n"); BIO_printf(bio_err, - " numbits number of bits in to generate (default 512)\n"); + " numbits number of bits in to generate (default 2048)\n"); # ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, " -engine e use engine e, possibly a hardware device.\n"); diff --git a/deps/openssl/openssl/apps/enc.c b/deps/openssl/openssl/apps/enc.c index 5c2cf7a4acf..7b7c70b132d 100644 --- a/deps/openssl/openssl/apps/enc.c +++ b/deps/openssl/openssl/apps/enc.c @@ -548,9 +548,14 @@ int MAIN(int argc, char **argv) else OPENSSL_cleanse(str, strlen(str)); } - if ((hiv != NULL) && !set_hex(hiv, iv, sizeof iv)) { - BIO_printf(bio_err, "invalid hex iv value\n"); - goto end; + if (hiv != NULL) { + int siz = EVP_CIPHER_iv_length(cipher); + if (siz == 0) { + BIO_printf(bio_err, "warning: iv not use by this cipher\n"); + } else if (!set_hex(hiv, iv, sizeof iv)) { + BIO_printf(bio_err, "invalid hex iv value\n"); + goto end; + } } if ((hiv == NULL) && (str == NULL) && EVP_CIPHER_iv_length(cipher) != 0) { 
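Review bot: In the new `hiv` branch of the enc.c hunk, `siz` is used only for the zero test and the IV is still parsed with `set_hex(hiv, iv, sizeof iv)`, so whatever length check `set_hex` performs (its body is not shown here) is made against the buffer size rather than the cipher's IV length. The key path in the following enc.c hunk now passes `EVP_CIPHER_key_length(cipher)`, and the IV path could match it with `} else if (!set_hex(hiv, iv, siz)) {`. The warning text reads "iv not use by this cipher" and should say "not used". MAIN's body starts and ends outside the hunk.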
@@ -562,7 +567,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "iv undefined\n"); goto end; } - if ((hkey != NULL) && !set_hex(hkey, key, sizeof key)) { + if ((hkey != NULL) && !set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) { BIO_printf(bio_err, "invalid hex key value\n"); goto end; } diff --git a/deps/openssl/openssl/apps/gendh.c b/deps/openssl/openssl/apps/gendh.c index adaa101783d..fef6f1b1774 100644 --- a/deps/openssl/openssl/apps/gendh.c +++ b/deps/openssl/openssl/apps/gendh.c @@ -80,7 +80,7 @@ # include # include -# define DEFBITS 512 +# define DEFBITS 2048 # undef PROG # define PROG gendh_main diff --git a/deps/openssl/openssl/apps/ocsp.c b/deps/openssl/openssl/apps/ocsp.c index 71def2611af..572f0643e13 100644 --- a/deps/openssl/openssl/apps/ocsp.c +++ b/deps/openssl/openssl/apps/ocsp.c @@ -518,6 +518,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); + BIO_printf(bio_err, + "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, "-VAfile file validator certificates file\n"); BIO_printf(bio_err, diff --git a/deps/openssl/openssl/apps/s_cb.c b/deps/openssl/openssl/apps/s_cb.c index 7918500a6cd..fabf9cfb222 100644 --- a/deps/openssl/openssl/apps/s_cb.c +++ b/deps/openssl/openssl/apps/s_cb.c @@ -111,6 +111,7 @@ #include #include +#include /* for memcpy() */ #define USE_SOCKETS #define NON_MAIN #include "apps.h" @@ -747,7 +748,7 @@ int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, /* Initialize a random secret */ if (!cookie_initialized) { - if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH)) { + if (RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH) <= 0) { BIO_printf(bio_err, "error setting random cookie secret\n"); return 0; } diff --git a/deps/openssl/openssl/apps/s_client.c b/deps/openssl/openssl/apps/s_client.c index b34d38afea5..28737b6d1e6 100644 
--- a/deps/openssl/openssl/apps/s_client.c +++ b/deps/openssl/openssl/apps/s_client.c @@ -180,13 +180,6 @@ typedef unsigned int u_int; # include #endif -/* Use Windows API with STD_INPUT_HANDLE when checking for input? - Don't look at OPENSSL_SYS_MSDOS for this, since it is always defined if - OPENSSL_SYS_WINDOWS is defined */ -#if defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WINCE) && defined(STD_INPUT_HANDLE) -#define OPENSSL_USE_STD_INPUT_HANDLE -#endif - #undef PROG #define PROG s_client_main @@ -329,6 +322,8 @@ static void sc_usage(void) " -pass arg - private key file pass phrase source\n"); BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); + BIO_printf(bio_err, + " -no_alt_chains - only ever use the first certificate chain found\n"); BIO_printf(bio_err, " -reconnect - Drop and re-make the connection with the same Session-ID\n"); BIO_printf(bio_err, @@ -554,7 +549,7 @@ static char *MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg) PW_CB_DATA cb_tmp; int l; - if(!pass) { + if (!pass) { BIO_printf(bio_err, "Malloc failure\n"); return NULL; } @@ -1184,13 +1179,12 @@ int MAIN(int argc, char **argv) if (!set_cert_key_stuff(ctx, cert, key)) goto end; - if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx))) { - /* - * BIO_printf(bio_err,"error setting default verify locations\n"); - */ + if ((CAfile || CApath) + && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) { + ERR_print_errors(bio_err); + } + if (!SSL_CTX_set_default_verify_paths(ctx)) { ERR_print_errors(bio_err); - /* goto end; */ } #ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { 
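Review bot: Both failure branches in the `@@ -1184,13 +1179,12 @@` hunk only call `ERR_print_errors(bio_err)` and fall through, so when a `CAfile` or `CApath` named by the user fails to load, the client carries on without those trust anchors. The removed `/* goto end; */` remnant was the only hint that continuing is deliberate. A short comment above the first `if`, such as `/* non-fatal: continue without the requested trust anchors */`, would record the intent, or the explicit-path case could `goto end`. MAIN's body starts and ends outside the hunk, so what later code does with the verification result cannot be seen here.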
@@ -1590,7 +1584,10 @@ int MAIN(int argc, char **argv) tv.tv_usec = 0; i = select(width, (void *)&readfds, (void *)&writefds, NULL, &tv); -#if defined(OPENSSL_USE_STD_INPUT_HANDLE) +# if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) + if (!i && (!_kbhit() || !read_tty)) + continue; +# else if (!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle @@ -1598,8 +1595,6 @@ int MAIN(int argc, char **argv) 0))) || !read_tty)) continue; -#else - if(!i && (!_kbhit() || !read_tty) ) continue; # endif } else i = select(width, (void *)&readfds, (void *)&writefds, @@ -1798,12 +1793,12 @@ int MAIN(int argc, char **argv) } } #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) -#if defined(OPENSSL_USE_STD_INPUT_HANDLE) +# if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) + else if (_kbhit()) +# else else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) -#else - else if (_kbhit()) # endif #elif defined (OPENSSL_SYS_NETWARE) else if (_kbhit()) diff --git a/deps/openssl/openssl/apps/s_server.c b/deps/openssl/openssl/apps/s_server.c index bcf5c331371..b58e5e07c41 100644 --- a/deps/openssl/openssl/apps/s_server.c +++ b/deps/openssl/openssl/apps/s_server.c @@ -219,7 +219,7 @@ static int generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len); #ifndef OPENSSL_NO_DH static DH *load_dh_param(const char *dhfile); -static DH *get_dh512(void); +static DH *get_dh2048(void); #endif #ifdef MONOLITH 
@@ -227,30 +227,48 @@ static void s_server_init(void); #endif #ifndef OPENSSL_NO_DH -static unsigned char dh512_p[] = { - 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75, - 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F, - 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3, - 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12, - 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C, - 0x47, 0x74, 0xE8, 0x33, +static unsigned char dh2048_p[] = { + 0xF6,0x42,0x57,0xB7,0x08,0x7F,0x08,0x17,0x72,0xA2,0xBA,0xD6, + 0xA9,0x42,0xF3,0x05,0xE8,0xF9,0x53,0x11,0x39,0x4F,0xB6,0xF1, + 0x6E,0xB9,0x4B,0x38,0x20,0xDA,0x01,0xA7,0x56,0xA3,0x14,0xE9, + 0x8F,0x40,0x55,0xF3,0xD0,0x07,0xC6,0xCB,0x43,0xA9,0x94,0xAD, + 0xF7,0x4C,0x64,0x86,0x49,0xF8,0x0C,0x83,0xBD,0x65,0xE9,0x17, + 0xD4,0xA1,0xD3,0x50,0xF8,0xF5,0x59,0x5F,0xDC,0x76,0x52,0x4F, + 0x3D,0x3D,0x8D,0xDB,0xCE,0x99,0xE1,0x57,0x92,0x59,0xCD,0xFD, + 0xB8,0xAE,0x74,0x4F,0xC5,0xFC,0x76,0xBC,0x83,0xC5,0x47,0x30, + 0x61,0xCE,0x7C,0xC9,0x66,0xFF,0x15,0xF9,0xBB,0xFD,0x91,0x5E, + 0xC7,0x01,0xAA,0xD3,0x5B,0x9E,0x8D,0xA0,0xA5,0x72,0x3A,0xD4, + 0x1A,0xF0,0xBF,0x46,0x00,0x58,0x2B,0xE5,0xF4,0x88,0xFD,0x58, + 0x4E,0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4,0x91,0x07,0x36,0x6B, + 0x33,0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C,0x88,0xB3,0x1C,0x7C, + 0x5B,0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0,0x43,0xF0,0xA5,0x5B, + 0x18,0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D,0x38,0xD3,0x34,0xFD, + 0x7C,0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C,0xDE,0x33,0x21,0x2C, + 0xB5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40,0x18,0x11,0x8D,0x7C, + 0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03,0x19,0xC8,0x07,0x29, + 0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB,0xD0,0x0A,0x50,0x9B, + 0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D,0x41,0x9F,0x9C,0x7C, + 0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB,0xA2,0x5E,0xC3,0x55, + 0xE9,0x32,0x0B,0x3B, }; -static unsigned char dh512_g[] = { +static unsigned char dh2048_g[] = { 0x02, }; -static DH 
*get_dh512(void) +DH *get_dh2048() { - DH *dh = NULL; + DH *dh; if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); - dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) - return (NULL); - return (dh); + return NULL; + dh->p=BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); + dh->g=BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); + if (dh->p == NULL || dh->g == NULL) { + DH_free(dh); + return NULL; + } + return dh; } #endif @@ -522,6 +540,8 @@ static void sv_usage(void) BIO_printf(bio_err, " -state - Print the SSL states\n"); BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); + BIO_printf(bio_err, + " -no_alt_chains - only ever use the first certificate chain found\n"); BIO_printf(bio_err, " -nocert - Don't use any certificates (Anon-DH)\n"); BIO_printf(bio_err, @@ -720,7 +740,7 @@ static int ebcdic_write(BIO *b, const char *in, int inl) num = inl; wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); - if(!wbuf) + if (!wbuf) return 0; OPENSSL_free(b->ptr); @@ -998,7 +1018,7 @@ int MAIN(int argc, char *argv[]) int off = 0; int no_tmp_rsa = 0, no_dhe = 0, nocert = 0; #ifndef OPENSSL_NO_ECDH - int no_ecdhe; + int no_ecdhe = 0; #endif int state = 0; const SSL_METHOD *meth = NULL; @@ -1654,7 +1674,11 @@ int MAIN(int argc, char *argv[]) BIO_printf(bio_s_out, "Setting temp DH parameters\n"); } else { BIO_printf(bio_s_out, "Using default temp DH parameters\n"); - dh = get_dh512(); + dh = get_dh2048(); + if (dh == NULL) { + ERR_print_errors(bio_err); + goto end; + } } (void)BIO_flush(bio_s_out); @@ -2251,8 +2275,10 @@ static int sv_body(char *hostname, int s, unsigned char *context) ret = 1; goto err; } - l += k; - i -= k; + if (k > 0) { + l += k; + i -= k; + } if (i <= 0) break; } 
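Review bot: The definition `DH *get_dh2048()` in the `@@ -227,30 +227,48 @@` hunk drops both `static` and `(void)`, while the prototype changed in the previous s_server.c hunk is `static DH *get_dh2048(void);`. The earlier static declaration still gives the function internal linkage, so this is a consistency point rather than a bug; writing `static DH *get_dh2048(void)` keeps declaration and definition identical. The 2048-bit prime in `dh2048_p` also carries no comment on where it came from, and a one-line provenance comment would help anyone auditing the parameters.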
@@ -2916,7 +2942,8 @@ static int generate_session_id(const SSL *ssl, unsigned char *id, { unsigned int count = 0; do { - RAND_pseudo_bytes(id, *id_len); + if (RAND_pseudo_bytes(id, *id_len) < 0) + return 0; /* * Prefix the session_id with the required prefix. NB: If our prefix * is too long, clip it - but there will be worse effects anyway, eg. diff --git a/deps/openssl/openssl/apps/s_time.c b/deps/openssl/openssl/apps/s_time.c index a40997a22e5..38788f7130c 100644 --- a/deps/openssl/openssl/apps/s_time.c +++ b/deps/openssl/openssl/apps/s_time.c @@ -302,7 +302,7 @@ static int parseArgs(int argc, char **argv) if (--argc < 1) goto bad; maxTime = atoi(*(++argv)); - if(maxTime <= 0) { + if (maxTime <= 0) { BIO_printf(bio_err, "time must be > 0\n"); badop = 1; } diff --git a/deps/openssl/openssl/apps/smime.c b/deps/openssl/openssl/apps/smime.c index 7b351f601cb..53e43c5e732 100644 --- a/deps/openssl/openssl/apps/smime.c +++ b/deps/openssl/openssl/apps/smime.c @@ -441,6 +441,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); + BIO_printf(bio_err, + "-no_alt_chains only ever use the first certificate chain found\n"); BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf(bio_err, diff --git a/deps/openssl/openssl/apps/srp.c b/deps/openssl/openssl/apps/srp.c index c679448ee7c..c0ff4171cab 100644 --- a/deps/openssl/openssl/apps/srp.c +++ b/deps/openssl/openssl/apps/srp.c @@ -435,7 +435,7 @@ int MAIN(int argc, char **argv) # ifdef OPENSSL_SYS_VMS len = strlen(s) + sizeof(CONFIG_FILE); tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } 
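Review bot: The check added in `generate_session_id` treats only a negative return from `RAND_pseudo_bytes` as failure, whereas the cookie-secret check in the s_cb.c hunk of this patch uses `RAND_bytes(...) <= 0`. `RAND_pseudo_bytes` returns 0 when the bytes are not cryptographically strong, so that case is still accepted here; if that is intended for a session id, a comment such as `/* 0 (not cryptographically strong) is acceptable for a session id */` would say so. The same `< 0` test is added to the MIME boundary generation in `SMIME_write_ASN1` in the asn_mime.c hunk further down. The function body continues outside the hunk.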
@@ -443,7 +443,7 @@ int MAIN(int argc, char **argv) # else len = strlen(s) + sizeof(CONFIG_FILE) + 1; tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } diff --git a/deps/openssl/openssl/apps/verify.c b/deps/openssl/openssl/apps/verify.c index 7295c769f30..e29f9bb7e09 100644 --- a/deps/openssl/openssl/apps/verify.c +++ b/deps/openssl/openssl/apps/verify.c @@ -227,7 +227,7 @@ int MAIN(int argc, char **argv) if (ret == 1) { BIO_printf(bio_err, "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); - BIO_printf(bio_err, " [-attime timestamp]"); + BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, " [-engine e]"); #endif diff --git a/deps/openssl/openssl/crypto/Makefile b/deps/openssl/openssl/crypto/Makefile index 2355661f40f..618c95878ce 100644 --- a/deps/openssl/openssl/crypto/Makefile +++ b/deps/openssl/openssl/crypto/Makefile @@ -125,12 +125,17 @@ install: lint: @target=lint; $(RECURSIVE_MAKE) -depend: +update: local_depend + @[ -z "$(THIS)" ] || (set -e; target=update; $(RECURSIVE_MAKE) ) + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi + +depend: local_depend + @[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) ) + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi +local_depend: @[ -z "$(THIS)" -o -f buildinf.h ] || touch buildinf.h # fake buildinf.h if it does not exist @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC) @[ -z "$(THIS)" -o -s buildinf.h ] || rm buildinf.h - @[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) ) - @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi clean: rm -f buildinf.h *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff 
diff --git a/deps/openssl/openssl/crypto/aes/Makefile b/deps/openssl/openssl/crypto/aes/Makefile index 45ede0a0b45..b3a95812af3 100644 --- a/deps/openssl/openssl/crypto/aes/Makefile +++ b/deps/openssl/openssl/crypto/aes/Makefile @@ -106,6 +106,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/asn1/Makefile b/deps/openssl/openssl/crypto/asn1/Makefile index f7787005d45..d774f782123 100644 --- a/deps/openssl/openssl/crypto/asn1/Makefile +++ b/deps/openssl/openssl/crypto/asn1/Makefile @@ -93,6 +93,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by top Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/asn1/a_int.c b/deps/openssl/openssl/crypto/asn1/a_int.c index 70c2b8e62c4..7e26704a547 100644 --- a/deps/openssl/openssl/crypto/asn1/a_int.c +++ b/deps/openssl/openssl/crypto/asn1/a_int.c @@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp) else { ret = a->length; i = a->data[0]; + if (ret == 1 && i == 0) + neg = 0; if (!neg && (i > 127)) { pad = 1; pb = 0; @@ -162,7 +164,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp) p += a->length - 1; i = a->length; /* Copy zeros to destination as long as source is zero */ - while (!*n) { + while (!*n && i > 1) { *(p--) = 0; n--; i--; @@ -419,7 +421,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai) ASN1err(ASN1_F_BN_TO_ASN1_INTEGER, ERR_R_NESTED_ASN1_ERROR); goto err; } - if (BN_is_negative(bn)) + if (BN_is_negative(bn) && !BN_is_zero(bn)) ret->type = V_ASN1_NEG_INTEGER; else ret->type = V_ASN1_INTEGER; 
diff --git a/deps/openssl/openssl/crypto/asn1/asn1_gen.c b/deps/openssl/openssl/crypto/asn1/asn1_gen.c index 11b582dd374..65749239b1a 100644 --- a/deps/openssl/openssl/crypto/asn1/asn1_gen.c +++ b/deps/openssl/openssl/crypto/asn1/asn1_gen.c @@ -74,6 +74,8 @@ #define ASN1_GEN_STR(str,val) {str, sizeof(str) - 1, val} #define ASN1_FLAG_EXP_MAX 20 +/* Maximum number of nested sequences */ +#define ASN1_GEN_SEQ_MAX_DEPTH 50 /* Input formats */ @@ -110,13 +112,16 @@ typedef struct { int exp_count; } tag_exp_arg; +static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth, + int *perr); static int bitstr_cb(const char *elem, int len, void *bitstr); static int asn1_cb(const char *elem, int len, void *bitstr); static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class, int exp_constructed, int exp_pad, int imp_ok); static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass); -static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf); +static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, + int depth, int *perr); static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype); static int asn1_str2tag(const char *tagstr, int len); @@ -132,6 +137,16 @@ ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf) } ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) +{ + int err = 0; + ASN1_TYPE *ret = generate_v3(str, cnf, 0, &err); + if (err) + ASN1err(ASN1_F_ASN1_GENERATE_V3, err); + return ret; +} + +static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth, + int *perr) { ASN1_TYPE *ret; tag_exp_arg asn1_tags; 
@@ -152,17 +167,22 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) asn1_tags.imp_class = -1; asn1_tags.format = ASN1_GEN_FORMAT_ASCII; asn1_tags.exp_count = 0; - if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) + if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) { + *perr = ASN1_R_UNKNOWN_TAG; return NULL; + } if ((asn1_tags.utype == V_ASN1_SEQUENCE) || (asn1_tags.utype == V_ASN1_SET)) { if (!cnf) { - ASN1err(ASN1_F_ASN1_GENERATE_V3, - ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG); + *perr = ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG; return NULL; } - ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf); + if (depth >= ASN1_GEN_SEQ_MAX_DEPTH) { + *perr = ASN1_R_ILLEGAL_NESTED_TAGGING; + return NULL; + } + ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf, depth, perr); } else ret = asn1_str2type(asn1_tags.str, asn1_tags.format, asn1_tags.utype); @@ -280,7 +300,7 @@ static int asn1_cb(const char *elem, int len, void *bitstr) int tmp_tag, tmp_class; if (elem == NULL) - return 0; + return -1; for (i = 0, p = elem; i < len; p++, i++) { /* Look for the ':' in name value pairs */ @@ -353,7 +373,7 @@ static int asn1_cb(const char *elem, int len, void *bitstr) break; case ASN1_GEN_FLAG_FORMAT: - if(!vstart) { + if (!vstart) { ASN1err(ASN1_F_ASN1_CB, ASN1_R_UNKNOWN_FORMAT); return -1; } @@ -435,7 +455,8 @@ static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass) /* Handle multiple types: SET and SEQUENCE */ -static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf) +static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, + int depth, int *perr) { ASN1_TYPE *ret = NULL; STACK_OF(ASN1_TYPE) *sk = NULL; 
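Review bot: The depth guard added to `generate_v3` in the `@@ -152,17 +167,22 @@` hunk has no comment saying what it protects, and the comment on `ASN1_GEN_SEQ_MAX_DEPTH` in the first asn1_gen.c hunk speaks of "nested sequences" although the guard sits on the branch taken for both `V_ASN1_SEQUENCE` and `V_ASN1_SET`. Suggested wording at the define: `/* Maximum nesting depth of SEQUENCE/SET sections; bounds the generate_v3 -> asn1_multi recursion */`. The `CONF_parse_list` failure path now always stores `ASN1_R_UNKNOWN_TAG` in `*perr`, which looks as if it is reported in addition to any more specific error `asn1_cb` has already raised; it is worth confirming that the extra entry is wanted. `generate_v3` continues outside the hunk.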
@@ -454,7 +475,8 @@ static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf) goto bad; for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { ASN1_TYPE *typ = - ASN1_generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf); + generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf, + depth + 1, perr); if (!typ) goto bad; if (!sk_ASN1_TYPE_push(sk, typ)) diff --git a/deps/openssl/openssl/crypto/asn1/asn_mime.c b/deps/openssl/openssl/crypto/asn1/asn_mime.c index 7e2f28e6d5e..96110c540f3 100644 --- a/deps/openssl/openssl/crypto/asn1/asn_mime.c +++ b/deps/openssl/openssl/crypto/asn1/asn_mime.c @@ -289,7 +289,8 @@ int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags, if ((flags & SMIME_DETACHED) && data) { /* We want multipart/signed */ /* Generate a random boundary */ - RAND_pseudo_bytes((unsigned char *)bound, 32); + if (RAND_pseudo_bytes((unsigned char *)bound, 32) < 0) + return 0; for (i = 0; i < 32; i++) { c = bound[i] & 0xf; if (c < 10) diff --git a/deps/openssl/openssl/crypto/asn1/bio_ndef.c b/deps/openssl/openssl/crypto/asn1/bio_ndef.c index 4a73ca9eac5..31949b87940 100644 --- a/deps/openssl/openssl/crypto/asn1/bio_ndef.c +++ b/deps/openssl/openssl/crypto/asn1/bio_ndef.c @@ -162,7 +162,7 @@ static int ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg) derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it); p = OPENSSL_malloc(derlen); - if(!p) + if (!p) return 0; ndef_aux->derbuf = p; @@ -232,7 +232,7 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg) derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it); p = OPENSSL_malloc(derlen); - if(!p) + if (!p) return 0; ndef_aux->derbuf = p; diff --git a/deps/openssl/openssl/crypto/asn1/tasn_new.c b/deps/openssl/openssl/crypto/asn1/tasn_new.c index 7d2964f0230..b0c73beeb57 100644 --- a/deps/openssl/openssl/crypto/asn1/tasn_new.c +++ b/deps/openssl/openssl/crypto/asn1/tasn_new.c 
@@ -100,9 +100,6 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, else asn1_cb = 0; - if (!combine) - *pval = NULL; - #ifdef CRYPTO_MDEBUG if (it->sname) CRYPTO_push_info(it->sname); diff --git a/deps/openssl/openssl/crypto/asn1/tasn_prn.c b/deps/openssl/openssl/crypto/asn1/tasn_prn.c index 7c54f9d1d4a..5e7d53e9854 100644 --- a/deps/openssl/openssl/crypto/asn1/tasn_prn.c +++ b/deps/openssl/openssl/crypto/asn1/tasn_prn.c @@ -290,7 +290,7 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent, for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { const ASN1_TEMPLATE *seqtt; seqtt = asn1_do_adb(fld, tt, 1); - if(!seqtt) + if (!seqtt) return 0; tmpfld = asn1_get_field_ptr(fld, seqtt); if (!asn1_template_print_ctx(out, tmpfld, diff --git a/deps/openssl/openssl/crypto/asn1/x_x509.c b/deps/openssl/openssl/crypto/asn1/x_x509.c index d51b76e79e1..f56e837b3a0 100644 --- a/deps/openssl/openssl/crypto/asn1/x_x509.c +++ b/deps/openssl/openssl/crypto/asn1/x_x509.c @@ -177,7 +177,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) /* Save start position */ q = *pp; - if(!a || *a == NULL) { + if (!a || *a == NULL) { freeret = 1; } ret = d2i_X509(a, pp, length); @@ -192,7 +192,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length) goto err; return ret; err: - if(freeret) { + if (freeret) { X509_free(ret); if (a) *a = NULL; diff --git a/deps/openssl/openssl/crypto/bf/Makefile b/deps/openssl/openssl/crypto/bf/Makefile index d01bfaa3155..6dd2015537f 100644 --- a/deps/openssl/openssl/crypto/bf/Makefile +++ b/deps/openssl/openssl/crypto/bf/Makefile @@ -72,6 +72,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) 
diff --git a/deps/openssl/openssl/crypto/bio/Makefile b/deps/openssl/openssl/crypto/bio/Makefile index c395d804968..ef526f6beb2 100644 --- a/deps/openssl/openssl/crypto/bio/Makefile +++ b/deps/openssl/openssl/crypto/bio/Makefile @@ -73,6 +73,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/bio/b_print.c b/deps/openssl/openssl/crypto/bio/b_print.c index c2cf6e619ee..7c81e25d482 100644 --- a/deps/openssl/openssl/crypto/bio/b_print.c +++ b/deps/openssl/openssl/crypto/bio/b_print.c 
@@ -704,32 +704,29 @@ doapr_outch(char **sbuffer, /* If we haven't at least one buffer, someone has doe a big booboo */ assert(*sbuffer != NULL || buffer != NULL); - if (buffer) { - while (*currlen >= *maxlen) { - if (*buffer == NULL) { - if (*maxlen == 0) - *maxlen = 1024; - *buffer = OPENSSL_malloc(*maxlen); - if(!*buffer) { - /* Panic! Can't really do anything sensible. Just return */ - return; - } - if (*currlen > 0) { - assert(*sbuffer != NULL); - memcpy(*buffer, *sbuffer, *currlen); - } - *sbuffer = NULL; - } else { - *maxlen += 1024; - *buffer = OPENSSL_realloc(*buffer, *maxlen); - if(!*buffer) { - /* Panic! Can't really do anything sensible. Just return */ - return; - } + /* |currlen| must always be <= |*maxlen| */ + assert(*currlen <= *maxlen); + + if (buffer && *currlen == *maxlen) { + *maxlen += 1024; + if (*buffer == NULL) { + *buffer = OPENSSL_malloc(*maxlen); + if (!*buffer) { + /* Panic! Can't really do anything sensible. Just return */ + return; + } + if (*currlen > 0) { + assert(*sbuffer != NULL); + memcpy(*buffer, *sbuffer, *currlen); + } + *sbuffer = NULL; + } else { + *buffer = OPENSSL_realloc(*buffer, *maxlen); + if (!*buffer) { + /* Panic! Can't really do anything sensible. Just return */ + return; } } - /* What to do if *buffer is NULL? */ - assert(*sbuffer != NULL || *buffer != NULL); } if (*currlen < *maxlen) { diff --git a/deps/openssl/openssl/crypto/bio/bf_nbio.c b/deps/openssl/openssl/crypto/bio/bf_nbio.c index da88a8a1bfb..a04f32a0081 100644 --- a/deps/openssl/openssl/crypto/bio/bf_nbio.c +++ b/deps/openssl/openssl/crypto/bio/bf_nbio.c @@ -139,7 +139,8 @@ static int nbiof_read(BIO *b, char *out, int outl) BIO_clear_retry_flags(b); #if 1 - RAND_pseudo_bytes(&n, 1); + if (RAND_pseudo_bytes(&n, 1) < 0) + return -1; num = (n & 0x07); if (outl > num) 
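Review bot: In the rewritten growth path of `doapr_outch`, `*maxlen += 1024;` runs before the allocation, so when `OPENSSL_malloc` or `OPENSSL_realloc` fails the function returns with the recorded capacity already enlarged and no signal to the caller. On a later call the `*currlen < *maxlen` test at the end of the hunk would then pass against a buffer that never grew (still `*sbuffer` in the malloc case), which looks like a store past its end; the store itself is outside the hunk, so this needs confirming there. The realloc branch also overwrites `*buffer` with NULL and loses the old block. I would allocate into a temporary and publish the pointer and the new size only on success, as sketched below, and longer term return a status instead of `void`; the type of `*maxlen` is assumed to be `size_t`, since the signature is not fully visible.

```c
    /* … unchanged: asserts on *sbuffer / buffer and *currlen <= *maxlen … */
    if (buffer && *currlen == *maxlen) {
        size_t newlen = *maxlen + 1024;
        char *tmp;

        if (*buffer == NULL) {
            tmp = OPENSSL_malloc(newlen);
            if (tmp == NULL)
                return;         /* *maxlen untouched, *sbuffer still valid */
            if (*currlen > 0) {
                assert(*sbuffer != NULL);
                memcpy(tmp, *sbuffer, *currlen);
            }
            *sbuffer = NULL;
        } else {
            tmp = OPENSSL_realloc(*buffer, newlen);
            if (tmp == NULL)
                return;         /* old *buffer stays owned by the caller */
        }
        *buffer = tmp;
        *maxlen = newlen;
    }
    /* … unchanged: store of c when *currlen < *maxlen … */
```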
@@ -178,7 +179,8 @@ static int nbiof_write(BIO *b, const char *in, int inl) num = nt->lwn; nt->lwn = 0; } else { - RAND_pseudo_bytes(&n, 1); + if (RAND_pseudo_bytes(&n, 1) < 0) + return -1; num = (n & 7); } diff --git a/deps/openssl/openssl/crypto/bio/bio_lib.c b/deps/openssl/openssl/crypto/bio/bio_lib.c index 5267010cb0d..07934f8a667 100644 --- a/deps/openssl/openssl/crypto/bio/bio_lib.c +++ b/deps/openssl/openssl/crypto/bio/bio_lib.c @@ -536,8 +536,10 @@ BIO *BIO_dup_chain(BIO *in) /* copy app data */ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_BIO, &new_bio->ex_data, - &bio->ex_data)) + &bio->ex_data)) { + BIO_free(new_bio); goto err; + } if (ret == NULL) { eoc = new_bio; @@ -549,8 +551,8 @@ BIO *BIO_dup_chain(BIO *in) } return (ret); err: - if (ret != NULL) - BIO_free(ret); + BIO_free_all(ret); + return (NULL); } diff --git a/deps/openssl/openssl/crypto/bio/bss_dgram.c b/deps/openssl/openssl/crypto/bio/bss_dgram.c index b495db26e14..e3e3dd0503a 100644 --- a/deps/openssl/openssl/crypto/bio/bss_dgram.c +++ b/deps/openssl/openssl/crypto/bio/bss_dgram.c @@ -299,16 +299,17 @@ static void dgram_adjust_rcv_timeout(BIO *b) /* Calculate time left until timer expires */ memcpy(&timeleft, &(data->next_timeout), sizeof(struct timeval)); - timeleft.tv_sec -= timenow.tv_sec; - timeleft.tv_usec -= timenow.tv_usec; - if (timeleft.tv_usec < 0) { + if (timeleft.tv_usec < timenow.tv_usec) { + timeleft.tv_usec = 1000000 - timenow.tv_usec + timeleft.tv_usec; timeleft.tv_sec--; - timeleft.tv_usec += 1000000; + } else { + timeleft.tv_usec -= timenow.tv_usec; } - - if (timeleft.tv_sec < 0) { + if (timeleft.tv_sec < timenow.tv_sec) { timeleft.tv_sec = 0; timeleft.tv_usec = 1; + } else { + timeleft.tv_sec -= timenow.tv_sec; } /* @@ -953,7 +954,7 @@ BIO *BIO_new_dgram_sctp(int fd, int close_flag) */ sockopt_len = (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t)); authchunks = OPENSSL_malloc(sockopt_len); - if(!authchunks) { + if (!authchunks) { BIO_vfree(bio); return (NULL); } 
@@ -1293,7 +1294,7 @@ static int dgram_sctp_read(BIO *b, char *out, int outl) (socklen_t) (sizeof(sctp_assoc_t) + 256 * sizeof(uint8_t)); authchunks = OPENSSL_malloc(optlen); if (!authchunks) { - BIOerr(BIO_F_DGRAM_SCTP_READ, ERR_R_MALLOC_ERROR); + BIOerr(BIO_F_DGRAM_SCTP_READ, ERR_R_MALLOC_FAILURE); return -1; } memset(authchunks, 0, sizeof(optlen)); @@ -1364,8 +1365,8 @@ static int dgram_sctp_write(BIO *b, const char *in, int inl) if (data->save_shutdown && !BIO_dgram_sctp_wait_for_dry(b)) { char *tmp; data->saved_message.bio = b; - if(!(tmp = OPENSSL_malloc(inl))) { - BIOerr(BIO_F_DGRAM_SCTP_WRITE, ERR_R_MALLOC_ERROR); + if (!(tmp = OPENSSL_malloc(inl))) { + BIOerr(BIO_F_DGRAM_SCTP_WRITE, ERR_R_MALLOC_FAILURE); return -1; } if (data->saved_message.data) diff --git a/deps/openssl/openssl/crypto/bn/Makefile b/deps/openssl/openssl/crypto/bn/Makefile index 6dd136be5d6..3d0158c15ae 100644 --- a/deps/openssl/openssl/crypto/bn/Makefile +++ b/deps/openssl/openssl/crypto/bn/Makefile @@ -167,6 +167,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: bn_prime.h depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/bn/bn.h b/deps/openssl/openssl/crypto/bn/bn.h index 7d57e9834ab..47d8c71d9ed 100644 --- a/deps/openssl/openssl/crypto/bn/bn.h +++ b/deps/openssl/openssl/crypto/bn/bn.h @@ -797,6 +797,7 @@ int RAND_pseudo_bytes(unsigned char *buf, int num); * wouldn't be constructed with top!=dmax. */ \ BN_ULONG *_not_const; \ memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \ + /* Debug only - safe to ignore error return */ \ RAND_pseudo_bytes(&_tmp_char, 1); \ memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \ (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \ 
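Review bot: Directly below the corrected `BIOerr` in `dgram_sctp_read`, the context line `memset(authchunks, 0, sizeof(optlen));` clears only as many bytes as the `optlen` variable itself occupies, not the `optlen` bytes that were just allocated. The rest of the buffer stays uninitialised until whatever fills it afterwards, which happens outside this hunk. The intended call is presumably `memset(authchunks, 0, optlen);`. The enclosing function starts and ends outside the hunk.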
@@ -910,6 +911,7 @@ void ERR_load_BN_strings(void); # define BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR 135 # define BN_F_BN_GF2M_MOD_SQR 136 # define BN_F_BN_GF2M_MOD_SQRT 137 +# define BN_F_BN_LSHIFT 145 # define BN_F_BN_MOD_EXP2_MONT 118 # define BN_F_BN_MOD_EXP_MONT 109 # define BN_F_BN_MOD_EXP_MONT_CONSTTIME 124 @@ -925,12 +927,14 @@ void ERR_load_BN_strings(void); # define BN_F_BN_NEW 113 # define BN_F_BN_RAND 114 # define BN_F_BN_RAND_RANGE 122 +# define BN_F_BN_RSHIFT 146 # define BN_F_BN_USUB 115 /* Reason codes. */ # define BN_R_ARG2_LT_ARG3 100 # define BN_R_BAD_RECIPROCAL 101 # define BN_R_BIGNUM_TOO_LONG 114 +# define BN_R_BITS_TOO_SMALL 118 # define BN_R_CALLED_WITH_EVEN_MODULUS 102 # define BN_R_DIV_BY_ZERO 103 # define BN_R_ENCODING_ERROR 104 @@ -938,6 +942,7 @@ void ERR_load_BN_strings(void); # define BN_R_INPUT_NOT_REDUCED 110 # define BN_R_INVALID_LENGTH 106 # define BN_R_INVALID_RANGE 115 +# define BN_R_INVALID_SHIFT 119 # define BN_R_NOT_A_SQUARE 111 # define BN_R_NOT_INITIALIZED 107 # define BN_R_NO_INVERSE 108 diff --git a/deps/openssl/openssl/crypto/bn/bn_err.c b/deps/openssl/openssl/crypto/bn/bn_err.c index faa7e226ba9..e7a703826ee 100644 --- a/deps/openssl/openssl/crypto/bn/bn_err.c +++ b/deps/openssl/openssl/crypto/bn/bn_err.c @@ -1,6 +1,6 @@ /* crypto/bn/bn_err.c */ /* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -94,6 +94,7 @@ static ERR_STRING_DATA BN_str_functs[] = { {ERR_FUNC(BN_F_BN_GF2M_MOD_SOLVE_QUAD_ARR), "BN_GF2m_mod_solve_quad_arr"}, {ERR_FUNC(BN_F_BN_GF2M_MOD_SQR), "BN_GF2m_mod_sqr"}, {ERR_FUNC(BN_F_BN_GF2M_MOD_SQRT), "BN_GF2m_mod_sqrt"}, + {ERR_FUNC(BN_F_BN_LSHIFT), "BN_lshift"}, {ERR_FUNC(BN_F_BN_MOD_EXP2_MONT), "BN_mod_exp2_mont"}, {ERR_FUNC(BN_F_BN_MOD_EXP_MONT), "BN_mod_exp_mont"}, {ERR_FUNC(BN_F_BN_MOD_EXP_MONT_CONSTTIME), "BN_mod_exp_mont_consttime"}, @@ -109,6 +110,7 @@ static ERR_STRING_DATA BN_str_functs[] = { {ERR_FUNC(BN_F_BN_NEW), "BN_new"}, {ERR_FUNC(BN_F_BN_RAND), "BN_rand"}, {ERR_FUNC(BN_F_BN_RAND_RANGE), "BN_rand_range"}, + {ERR_FUNC(BN_F_BN_RSHIFT), "BN_rshift"}, {ERR_FUNC(BN_F_BN_USUB), "BN_usub"}, {0, NULL} }; @@ -117,6 +119,7 @@ static ERR_STRING_DATA BN_str_reasons[] = { {ERR_REASON(BN_R_ARG2_LT_ARG3), "arg2 lt arg3"}, {ERR_REASON(BN_R_BAD_RECIPROCAL), "bad reciprocal"}, {ERR_REASON(BN_R_BIGNUM_TOO_LONG), "bignum too long"}, + {ERR_REASON(BN_R_BITS_TOO_SMALL), "bits too small"}, {ERR_REASON(BN_R_CALLED_WITH_EVEN_MODULUS), "called with even modulus"}, {ERR_REASON(BN_R_DIV_BY_ZERO), "div by zero"}, {ERR_REASON(BN_R_ENCODING_ERROR), "encoding error"}, @@ -125,6 +128,7 @@ static ERR_STRING_DATA BN_str_reasons[] = { {ERR_REASON(BN_R_INPUT_NOT_REDUCED), "input not reduced"}, {ERR_REASON(BN_R_INVALID_LENGTH), "invalid length"}, {ERR_REASON(BN_R_INVALID_RANGE), "invalid range"}, + {ERR_REASON(BN_R_INVALID_SHIFT), "invalid shift"}, {ERR_REASON(BN_R_NOT_A_SQUARE), "not a square"}, {ERR_REASON(BN_R_NOT_INITIALIZED), "not initialized"}, {ERR_REASON(BN_R_NO_INVERSE), "no inverse"}, diff --git a/deps/openssl/openssl/crypto/bn/bn_gf2m.c b/deps/openssl/openssl/crypto/bn/bn_gf2m.c index aeee49a0156..a0ba8de31ad 100644 --- a/deps/openssl/openssl/crypto/bn/bn_gf2m.c +++ b/deps/openssl/openssl/crypto/bn/bn_gf2m.c 
@@ -694,9 +694,10 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) } # else { - int i, ubits = BN_num_bits(u), vbits = BN_num_bits(v), /* v is copy - * of p */ - top = p->top; + int i; + int ubits = BN_num_bits(u); + int vbits = BN_num_bits(v); /* v is copy of p */ + int top = p->top; BN_ULONG *udp, *bdp, *vdp, *cdp; bn_wexpand(u, top); @@ -740,8 +741,12 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) ubits--; } - if (ubits <= BN_BITS2 && udp[0] == 1) - break; + if (ubits <= BN_BITS2) { + if (udp[0] == 0) /* poly was reducible */ + goto err; + if (udp[0] == 1) + break; + } if (ubits < vbits) { i = ubits; diff --git a/deps/openssl/openssl/crypto/bn/bn_lcl.h b/deps/openssl/openssl/crypto/bn/bn_lcl.h index 1059d1d4b5c..904a723497d 100644 --- a/deps/openssl/openssl/crypto/bn/bn_lcl.h +++ b/deps/openssl/openssl/crypto/bn/bn_lcl.h @@ -276,7 +276,7 @@ unsigned __int64 _umul128(unsigned __int64 a, unsigned __int64 b, # endif # elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)) # if defined(__GNUC__) && __GNUC__>=2 -# if __GNUC__>=4 && __GNUC_MINOR__>=4 +# if __GNUC__>4 || (__GNUC__>=4 && __GNUC_MINOR__>=4) /* "h" constraint is no more since 4.4 */ # define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64) # define BN_UMULT_LOHI(low,high,a,b) ({ \ diff --git a/deps/openssl/openssl/crypto/bn/bn_print.c b/deps/openssl/openssl/crypto/bn/bn_print.c index 4dcaae32bf5..ab10b957ba2 100644 --- a/deps/openssl/openssl/crypto/bn/bn_print.c +++ b/deps/openssl/openssl/crypto/bn/bn_print.c @@ -71,7 +71,12 @@ char *BN_bn2hex(const BIGNUM *a) char *buf; char *p; - buf = (char *)OPENSSL_malloc(a->top * BN_BYTES * 2 + 2); + if (a->neg && BN_is_zero(a)) { + /* "-0" == 3 bytes including NULL terminator */ + buf = OPENSSL_malloc(3); + } else { + buf = OPENSSL_malloc(a->top * BN_BYTES * 2 + 2); + } if (buf == NULL) { BNerr(BN_F_BN_BN2HEX, ERR_R_MALLOC_FAILURE); goto err; 
diff --git a/deps/openssl/openssl/crypto/bn/bn_rand.c b/deps/openssl/openssl/crypto/bn/bn_rand.c index 7ac71ec8ed0..f9fb2e9e45e 100644 --- a/deps/openssl/openssl/crypto/bn/bn_rand.c +++ b/deps/openssl/openssl/crypto/bn/bn_rand.c @@ -121,6 +121,11 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) int ret = 0, bit, bytes, mask; time_t tim; + if (bits < 0 || (bits == 1 && top > 0)) { + BNerr(BN_F_BNRAND, BN_R_BITS_TOO_SMALL); + return 0; + } + if (bits == 0) { BN_zero(rnd); return 1; @@ -157,7 +162,8 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) unsigned char c; for (i = 0; i < bytes; i++) { - RAND_pseudo_bytes(&c, 1); + if (RAND_pseudo_bytes(&c, 1) < 0) + goto err; if (c >= 128 && i > 0) buf[i] = buf[i - 1]; else if (c < 42) @@ -168,7 +174,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) } #endif - if (top != -1) { + if (top >= 0) { if (top) { if (bit == 0) { buf[0] = 1; diff --git a/deps/openssl/openssl/crypto/bn/bn_shift.c b/deps/openssl/openssl/crypto/bn/bn_shift.c index 4f3e8ffed7b..9673d9a3063 100644 --- a/deps/openssl/openssl/crypto/bn/bn_shift.c +++ b/deps/openssl/openssl/crypto/bn/bn_shift.c @@ -137,6 +137,11 @@ int BN_lshift(BIGNUM *r, const BIGNUM *a, int n) bn_check_top(r); bn_check_top(a); + if (n < 0) { + BNerr(BN_F_BN_LSHIFT, BN_R_INVALID_SHIFT); + return 0; + } + r->neg = a->neg; nw = n / BN_BITS2; if (bn_wexpand(r, a->top + nw + 1) == NULL) @@ -174,6 +179,11 @@ int BN_rshift(BIGNUM *r, const BIGNUM *a, int n) bn_check_top(r); bn_check_top(a); + if (n < 0) { + BNerr(BN_F_BN_RSHIFT, BN_R_INVALID_SHIFT); + return 0; + } + nw = n / BN_BITS2; rb = n % BN_BITS2; lb = BN_BITS2 - rb; diff --git a/deps/openssl/openssl/crypto/buffer/Makefile b/deps/openssl/openssl/crypto/buffer/Makefile index 2efba47f070..352efb841ff 100644 --- a/deps/openssl/openssl/crypto/buffer/Makefile +++ b/deps/openssl/openssl/crypto/buffer/Makefile 
@@ -61,6 +61,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/buffer/buffer.c b/deps/openssl/openssl/crypto/buffer/buffer.c index d287e340a2b..eff3e081576 100644 --- a/deps/openssl/openssl/crypto/buffer/buffer.c +++ b/deps/openssl/openssl/crypto/buffer/buffer.c @@ -88,7 +88,7 @@ void BUF_MEM_free(BUF_MEM *a) return; if (a->data != NULL) { - memset(a->data, 0, (unsigned int)a->max); + OPENSSL_cleanse(a->data, a->max); OPENSSL_free(a->data); } OPENSSL_free(a); diff --git a/deps/openssl/openssl/crypto/camellia/Makefile b/deps/openssl/openssl/crypto/camellia/Makefile index 6ce6fc99cd2..228f1dc713d 100644 --- a/deps/openssl/openssl/crypto/camellia/Makefile +++ b/deps/openssl/openssl/crypto/camellia/Makefile @@ -73,6 +73,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/cast/Makefile b/deps/openssl/openssl/crypto/cast/Makefile index f3f4859886a..4c4b5e9baa5 100644 --- a/deps/openssl/openssl/crypto/cast/Makefile +++ b/deps/openssl/openssl/crypto/cast/Makefile @@ -69,6 +69,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/cmac/Makefile b/deps/openssl/openssl/crypto/cmac/Makefile index 54e7cc39d52..6a284086764 100644 --- a/deps/openssl/openssl/crypto/cmac/Makefile +++ b/deps/openssl/openssl/crypto/cmac/Makefile 
@@ -61,6 +61,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/cmac/cmac.c b/deps/openssl/openssl/crypto/cmac/cmac.c index c5597a3f73b..774e6dc9190 100644 --- a/deps/openssl/openssl/crypto/cmac/cmac.c +++ b/deps/openssl/openssl/crypto/cmac/cmac.c @@ -126,6 +126,8 @@ EVP_CIPHER_CTX *CMAC_CTX_get0_cipher_ctx(CMAC_CTX *ctx) void CMAC_CTX_free(CMAC_CTX *ctx) { + if (!ctx) + return; CMAC_CTX_cleanup(ctx); OPENSSL_free(ctx); } diff --git a/deps/openssl/openssl/crypto/cms/Makefile b/deps/openssl/openssl/crypto/cms/Makefile index 9820adb2127..b124b5dbf21 100644 --- a/deps/openssl/openssl/crypto/cms/Makefile +++ b/deps/openssl/openssl/crypto/cms/Makefile @@ -67,6 +67,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/cms/cms_pwri.c b/deps/openssl/openssl/crypto/cms/cms_pwri.c index 076b5457892..a8322dcdf1a 100644 --- a/deps/openssl/openssl/crypto/cms/cms_pwri.c +++ b/deps/openssl/openssl/crypto/cms/cms_pwri.c @@ -231,7 +231,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen, return 0; } tmp = OPENSSL_malloc(inlen); - if(!tmp) + if (!tmp) return 0; /* setup IV by decrypting last two blocks */ EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl, 
@@ -297,8 +297,9 @@ static int kek_wrap_key(unsigned char *out, size_t *outlen, out[3] = in[2] ^ 0xFF; memcpy(out + 4, in, inlen); /* Add random padding to end */ - if (olen > inlen + 4) - RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen); + if (olen > inlen + 4 + && RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen) < 0) + return 0; /* Encrypt twice */ EVP_EncryptUpdate(ctx, out, &dummy, out, olen); EVP_EncryptUpdate(ctx, out, &dummy, out, olen); diff --git a/deps/openssl/openssl/crypto/cms/cms_smime.c b/deps/openssl/openssl/crypto/cms/cms_smime.c index 8851603f6fb..8b37560821a 100644 --- a/deps/openssl/openssl/crypto/cms/cms_smime.c +++ b/deps/openssl/openssl/crypto/cms/cms_smime.c @@ -131,7 +131,7 @@ static void do_free_upto(BIO *f, BIO *upto) BIO_free(f); f = tbio; } - while (f != upto); + while (f && f != upto); } else BIO_free_all(f); } diff --git a/deps/openssl/openssl/crypto/comp/Makefile b/deps/openssl/openssl/crypto/comp/Makefile index efda832dce4..a1e9464a11f 100644 --- a/deps/openssl/openssl/crypto/comp/Makefile +++ b/deps/openssl/openssl/crypto/comp/Makefile @@ -64,6 +64,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/conf/Makefile b/deps/openssl/openssl/crypto/conf/Makefile index 78bb3241065..d5f5c582414 100644 --- a/deps/openssl/openssl/crypto/conf/Makefile +++ b/deps/openssl/openssl/crypto/conf/Makefile @@ -64,6 +64,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/cryptlib.c b/deps/openssl/openssl/crypto/cryptlib.c index 6353bbe3bc2..c654a5c84f2 100644 --- a/deps/openssl/openssl/crypto/cryptlib.c +++ b/deps/openssl/openssl/crypto/cryptlib.c 
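Review bot: The new check in `kek_wrap_key` rejects only a negative return, so a return of 0 from `RAND_pseudo_bytes`, which that API uses to report bytes that are not cryptographically strong, still lets the padding go into the wrapped key block. For key-wrap padding I would request strong randomness and treat anything but success as failure: `&& RAND_bytes(out + 4 + inlen, olen - 4 - inlen) <= 0)`. The two `EVP_EncryptUpdate` calls that follow as context also ignore their return values; the function continues outside the hunk.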
@@ -806,8 +806,6 @@ int OPENSSL_isservice(void) if (_OPENSSL_isservice.p != (void *)-1) return (*_OPENSSL_isservice.f) (); - (void)GetDesktopWindow(); /* return value is ignored */ - h = GetProcessWindowStation(); if (h == NULL) return -1; diff --git a/deps/openssl/openssl/crypto/des/Makefile b/deps/openssl/openssl/crypto/des/Makefile index a6e1001329a..fbc77c163cd 100644 --- a/deps/openssl/openssl/crypto/des/Makefile +++ b/deps/openssl/openssl/crypto/des/Makefile @@ -94,6 +94,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/des/des.c b/deps/openssl/openssl/crypto/des/des.c index 2bff281258e..586aed72378 100644 --- a/deps/openssl/openssl/crypto/des/des.c +++ b/deps/openssl/openssl/crypto/des/des.c @@ -455,8 +455,10 @@ void doencryption(void) rem = l % 8; len = l - rem; if (feof(DES_IN)) { - for (i = 7 - rem; i > 0; i--) - RAND_pseudo_bytes(buf + l++, 1); + for (i = 7 - rem; i > 0; i--) { + if (RAND_pseudo_bytes(buf + l++, 1) < 0) + goto problems; + } buf[l++] = rem; ex = 1; len += rem; diff --git a/deps/openssl/openssl/crypto/des/enc_writ.c b/deps/openssl/openssl/crypto/des/enc_writ.c index b4eecc38120..bfaabde516a 100644 --- a/deps/openssl/openssl/crypto/des/enc_writ.c +++ b/deps/openssl/openssl/crypto/des/enc_writ.c @@ -96,6 +96,9 @@ int DES_enc_write(int fd, const void *_buf, int len, const unsigned char *cp; static int start = 1; + if (len < 0) + return -1; + if (outbuf == NULL) { outbuf = OPENSSL_malloc(BSIZE + HDRSIZE); if (outbuf == NULL) @@ -132,7 +135,9 @@ int DES_enc_write(int fd, const void *_buf, int len, if (len < 8) { cp = shortbuf; memcpy(shortbuf, buf, len); - RAND_pseudo_bytes(shortbuf + len, 8 - len); + if (RAND_pseudo_bytes(shortbuf + len, 8 - len) < 0) { + return -1; + } rnum = 8; } else { cp = buf; 
diff --git a/deps/openssl/openssl/crypto/dh/Makefile b/deps/openssl/openssl/crypto/dh/Makefile index f23b4f7fde8..6d574f407d3 100644 --- a/deps/openssl/openssl/crypto/dh/Makefile +++ b/deps/openssl/openssl/crypto/dh/Makefile @@ -63,6 +63,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/dh/dh_ameth.c b/deps/openssl/openssl/crypto/dh/dh_ameth.c index 1dec1098358..873eb2e22de 100644 --- a/deps/openssl/openssl/crypto/dh/dh_ameth.c +++ b/deps/openssl/openssl/crypto/dh/dh_ameth.c @@ -135,7 +135,7 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) dh = pkey->pkey.dh; str = ASN1_STRING_new(); - if(!str) { + if (!str) { DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE); goto err; } diff --git a/deps/openssl/openssl/crypto/dsa/Makefile b/deps/openssl/openssl/crypto/dsa/Makefile index 5fef4ca5adf..81092013773 100644 --- a/deps/openssl/openssl/crypto/dsa/Makefile +++ b/deps/openssl/openssl/crypto/dsa/Makefile @@ -63,6 +63,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/dsa/dsa_gen.c b/deps/openssl/openssl/crypto/dsa/dsa_gen.c index c808ab60972..d686ab0af77 100644 --- a/deps/openssl/openssl/crypto/dsa/dsa_gen.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_gen.c @@ -202,7 +202,8 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, goto err; if (!seed_len) { - RAND_pseudo_bytes(seed, qsize); + if (RAND_pseudo_bytes(seed, qsize) < 0) + goto err; seed_is_random = 1; } else { seed_is_random = 0; diff --git a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c index b30eab0319f..6edb26d9739 100644 
--- a/deps/openssl/openssl/crypto/dsa/dsa_ossl.c +++ b/deps/openssl/openssl/crypto/dsa/dsa_ossl.c @@ -106,23 +106,23 @@ static DSA_METHOD openssl_dsa_meth = { #define DSA_MOD_EXP(err_instr,dsa,rr,a1,p1,a2,p2,m,ctx,in_mont) \ do { \ int _tmp_res53; \ - if((dsa)->meth->dsa_mod_exp) \ + if ((dsa)->meth->dsa_mod_exp) \ _tmp_res53 = (dsa)->meth->dsa_mod_exp((dsa), (rr), (a1), (p1), \ (a2), (p2), (m), (ctx), (in_mont)); \ else \ _tmp_res53 = BN_mod_exp2_mont((rr), (a1), (p1), (a2), (p2), \ (m), (ctx), (in_mont)); \ - if(!_tmp_res53) err_instr; \ + if (!_tmp_res53) err_instr; \ } while(0) #define DSA_BN_MOD_EXP(err_instr,dsa,r,a,p,m,ctx,m_ctx) \ do { \ int _tmp_res53; \ - if((dsa)->meth->bn_mod_exp) \ + if ((dsa)->meth->bn_mod_exp) \ _tmp_res53 = (dsa)->meth->bn_mod_exp((dsa), (r), (a), (p), \ (m), (ctx), (m_ctx)); \ else \ _tmp_res53 = BN_mod_exp_mont((r), (a), (p), (m), (ctx), (m_ctx)); \ - if(!_tmp_res53) err_instr; \ + if (!_tmp_res53) err_instr; \ } while(0) const DSA_METHOD *DSA_OpenSSL(void) diff --git a/deps/openssl/openssl/crypto/dso/Makefile b/deps/openssl/openssl/crypto/dso/Makefile index fb2709ed63a..36b8ead041c 100644 --- a/deps/openssl/openssl/crypto/dso/Makefile +++ b/deps/openssl/openssl/crypto/dso/Makefile @@ -63,6 +63,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/dso/dso_lib.c b/deps/openssl/openssl/crypto/dso/dso_lib.c index d2a48bb6640..09b8eafccac 100644 --- a/deps/openssl/openssl/crypto/dso/dso_lib.c +++ b/deps/openssl/openssl/crypto/dso/dso_lib.c 
@@ -285,7 +285,7 @@ DSO_FUNC_TYPE DSO_bind_func(DSO *dso, const char *symname) * honest. For one thing, I think I have to return a negative value for any * error because possible DSO_ctrl() commands may return values such as * "size"s that can legitimately be zero (making the standard - * "if(DSO_cmd(...))" form that works almost everywhere else fail at odd + * "if (DSO_cmd(...))" form that works almost everywhere else fail at odd * times. I'd prefer "output" values to be passed by reference and the return * value as success/failure like usual ... but we conform when we must... :-) */ diff --git a/deps/openssl/openssl/crypto/dso/dso_vms.c b/deps/openssl/openssl/crypto/dso/dso_vms.c index 0eff96ec22f..d0794b8fb04 100644 --- a/deps/openssl/openssl/crypto/dso/dso_vms.c +++ b/deps/openssl/openssl/crypto/dso/dso_vms.c @@ -539,7 +539,7 @@ static char *vms_name_converter(DSO *dso, const char *filename) { int len = strlen(filename); char *not_translated = OPENSSL_malloc(len + 1); - if(not_translated) + if (not_translated) strcpy(not_translated, filename); return (not_translated); } diff --git a/deps/openssl/openssl/crypto/ec/Makefile b/deps/openssl/openssl/crypto/ec/Makefile index f85fc845ca2..2753b28bec0 100644 --- a/deps/openssl/openssl/crypto/ec/Makefile +++ b/deps/openssl/openssl/crypto/ec/Makefile @@ -70,6 +70,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/ec/ec2_oct.c b/deps/openssl/openssl/crypto/ec/ec2_oct.c index c245d886dad..0d04cc69230 100644 --- a/deps/openssl/openssl/crypto/ec/ec2_oct.c +++ b/deps/openssl/openssl/crypto/ec/ec2_oct.c 
@@ -387,7 +387,7 @@ int ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } /* test required by X9.62 */ - if (!EC_POINT_is_on_curve(group, point, ctx)) { + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { ECerr(EC_F_EC_GF2M_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); goto err; } diff --git a/deps/openssl/openssl/crypto/ec/ec_asn1.c b/deps/openssl/openssl/crypto/ec/ec_asn1.c index b4b0e9f3b82..4ad8494981b 100644 --- a/deps/openssl/openssl/crypto/ec/ec_asn1.c +++ b/deps/openssl/openssl/crypto/ec/ec_asn1.c @@ -1114,7 +1114,7 @@ int i2d_ECPrivateKey(EC_KEY *a, unsigned char **out) { int ret = 0, ok = 0; unsigned char *buffer = NULL; - size_t buf_len = 0, tmp_len; + size_t buf_len = 0, tmp_len, bn_len; EC_PRIVATEKEY *priv_key = NULL; if (a == NULL || a->group == NULL || a->priv_key == NULL || @@ -1130,18 +1130,32 @@ int i2d_ECPrivateKey(EC_KEY *a, unsigned char **out) priv_key->version = a->version; - buf_len = (size_t)BN_num_bytes(a->priv_key); + bn_len = (size_t)BN_num_bytes(a->priv_key); + + /* Octetstring may need leading zeros if BN is to short */ + + buf_len = (EC_GROUP_get_degree(a->group) + 7) / 8; + + if (bn_len > buf_len) { + ECerr(EC_F_I2D_ECPRIVATEKEY, EC_R_BUFFER_TOO_SMALL); + goto err; + } + buffer = OPENSSL_malloc(buf_len); if (buffer == NULL) { ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE); goto err; } - if (!BN_bn2bin(a->priv_key, buffer)) { + if (!BN_bn2bin(a->priv_key, buffer + buf_len - bn_len)) { ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_BN_LIB); goto err; } + if (buf_len - bn_len > 0) { + memset(buffer, 0, buf_len - bn_len); + } + if (!M_ASN1_OCTET_STRING_set(priv_key->privateKey, buffer, buf_len)) { ECerr(EC_F_I2D_ECPRIVATEKEY, ERR_R_ASN1_LIB); goto err; diff --git a/deps/openssl/openssl/crypto/ec/ec_check.c b/deps/openssl/openssl/crypto/ec/ec_check.c index d3f534999e0..dd6f0ac4099 100644 --- a/deps/openssl/openssl/crypto/ec/ec_check.c +++ b/deps/openssl/openssl/crypto/ec/ec_check.c 
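Review bot: In `i2d_ECPrivateKey` the padded length comes from the field degree, `buf_len = (EC_GROUP_get_degree(a->group) + 7) / 8;`, while the private scalar being encoded is bounded by the group order rather than the field size. On a curve whose order has a different byte length from its field this would pad to the wrong width or, with the new `bn_len > buf_len` check, refuse to encode a valid key; I have not checked which built-in curves that affects. Deriving the length from the order (`EC_GROUP_get_order` followed by `BN_num_bytes`) would match the quantity actually written. The temporary `buffer` holds the raw private key and its release is outside the hunk, so it is worth confirming that it is cleansed before it is freed.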
@@ -85,7 +85,7 @@ int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx) ECerr(EC_F_EC_GROUP_CHECK, EC_R_UNDEFINED_GENERATOR); goto err; } - if (!EC_POINT_is_on_curve(group, group->generator, ctx)) { + if (EC_POINT_is_on_curve(group, group->generator, ctx) <= 0) { ECerr(EC_F_EC_GROUP_CHECK, EC_R_POINT_IS_NOT_ON_CURVE); goto err; } diff --git a/deps/openssl/openssl/crypto/ec/ec_key.c b/deps/openssl/openssl/crypto/ec/ec_key.c index ebdffc82127..55ce3fe9beb 100644 --- a/deps/openssl/openssl/crypto/ec/ec_key.c +++ b/deps/openssl/openssl/crypto/ec/ec_key.c @@ -314,7 +314,7 @@ int EC_KEY_check_key(const EC_KEY *eckey) goto err; /* testing whether the pub_key is on the elliptic curve */ - if (!EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx)) { + if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) { ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE); goto err; } diff --git a/deps/openssl/openssl/crypto/ec/ec_lcl.h b/deps/openssl/openssl/crypto/ec/ec_lcl.h index 319e651f67f..d79ed1e4d92 100644 --- a/deps/openssl/openssl/crypto/ec/ec_lcl.h +++ b/deps/openssl/openssl/crypto/ec/ec_lcl.h @@ -451,14 +451,6 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx); int ec_GF2m_have_precompute_mult(const EC_GROUP *group); -/* method functions in ec2_mult.c */ -int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, size_t num, - const EC_POINT *points[], const BIGNUM *scalars[], - BN_CTX *); -int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx); -int ec_GF2m_have_precompute_mult(const EC_GROUP *group); - #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 /* method functions in ecp_nistp224.c */ int ec_GFp_nistp224_group_init(EC_GROUP *group); diff --git a/deps/openssl/openssl/crypto/ec/ec_lib.c b/deps/openssl/openssl/crypto/ec/ec_lib.c index 9a54f41e4e1..e2275207ed2 100644 --- a/deps/openssl/openssl/crypto/ec/ec_lib.c +++ b/deps/openssl/openssl/crypto/ec/ec_lib.c 
@@ -934,6 +934,13 @@ int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) return group->meth->is_at_infinity(group, point); } +/* + * Check whether an EC_POINT is on the curve or not. Note that the return + * value for this function should NOT be treated as a boolean. Return values: + * 1: The point is on the curve + * 0: The point is not on the curve + * -1: An error occurred + */ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx) { diff --git a/deps/openssl/openssl/crypto/ec/eck_prn.c b/deps/openssl/openssl/crypto/ec/eck_prn.c index a911a0ac408..5ef12ec0244 100644 --- a/deps/openssl/openssl/crypto/ec/eck_prn.c +++ b/deps/openssl/openssl/crypto/ec/eck_prn.c @@ -338,12 +338,14 @@ static int print_bin(BIO *fp, const char *name, const unsigned char *buf, if (buf == NULL) return 1; - if (off) { + if (off > 0) { if (off > 128) off = 128; memset(str, ' ', off); if (BIO_write(fp, str, off) <= 0) return 0; + } else { + off = 0; } if (BIO_printf(fp, "%s", name) <= 0) diff --git a/deps/openssl/openssl/crypto/ec/ecp_oct.c b/deps/openssl/openssl/crypto/ec/ecp_oct.c index e5cec8be826..1bc3f39ad15 100644 --- a/deps/openssl/openssl/crypto/ec/ecp_oct.c +++ b/deps/openssl/openssl/crypto/ec/ecp_oct.c @@ -413,7 +413,7 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } /* test required by X9.62 */ - if (!EC_POINT_is_on_curve(group, point, ctx)) { + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { ECerr(EC_F_EC_GFP_SIMPLE_OCT2POINT, EC_R_POINT_IS_NOT_ON_CURVE); goto err; } diff --git a/deps/openssl/openssl/crypto/ec/ectest.c b/deps/openssl/openssl/crypto/ec/ectest.c index a18b32761a2..fede530bc13 100644 --- a/deps/openssl/openssl/crypto/ec/ectest.c +++ b/deps/openssl/openssl/crypto/ec/ectest.c 
@@ -412,7 +412,7 @@ static void prime_field_tests(void) ABORT; if (!EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1, ctx)) ABORT; - if (!EC_POINT_is_on_curve(group, Q, ctx)) { + if (EC_POINT_is_on_curve(group, Q, ctx) <= 0) { if (!EC_POINT_get_affine_coordinates_GFp(group, Q, x, y, ctx)) ABORT; fprintf(stderr, "Point is not on curve: x = 0x"); @@ -544,7 +544,7 @@ static void prime_field_tests(void) ABORT; if (!EC_POINT_set_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT; - if (!EC_POINT_is_on_curve(group, P, ctx)) + if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; if (!BN_hex2bn(&z, "0100000000000000000001F4C8F927AED3CA752257")) ABORT; @@ -593,7 +593,7 @@ static void prime_field_tests(void) ABORT; if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT; - if (!EC_POINT_is_on_curve(group, P, ctx)) + if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) ABORT; @@ -646,7 +646,7 @@ static void prime_field_tests(void) ABORT; if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT; - if (!EC_POINT_is_on_curve(group, P, ctx)) + if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; if (!BN_hex2bn (&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) @@ -705,7 +705,7 @@ static void prime_field_tests(void) ABORT; if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT; - if (!EC_POINT_is_on_curve(group, P, ctx)) + if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E" "84F3B9CAC2FC632551")) @@ -761,7 +761,7 @@ static void prime_field_tests(void) ABORT; if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT; - if (!EC_POINT_is_on_curve(group, P, ctx)) + if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) 
@@ -820,7 +820,7 @@ static void prime_field_tests(void) ABORT; if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT; - if (!EC_POINT_is_on_curve(group, P, ctx)) + if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5" @@ -864,7 +864,7 @@ static void prime_field_tests(void) ABORT; if (!EC_POINT_dbl(group, P, P, ctx)) ABORT; - if (!EC_POINT_is_on_curve(group, P, ctx)) + if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */ @@ -1008,7 +1008,7 @@ static void prime_field_tests(void) # define CHAR2_CURVE_TEST_INTERNAL(_name, _p, _a, _b, _x, _y, _y_bit, _order, _cof, _degree, _variable) \ if (!BN_hex2bn(&x, _x)) ABORT; \ if (!EC_POINT_set_compressed_coordinates_GF2m(group, P, x, _y_bit, ctx)) ABORT; \ - if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; \ + if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \ if (!BN_hex2bn(&z, _order)) ABORT; \ if (!BN_hex2bn(&cof, _cof)) ABORT; \ if (!EC_GROUP_set_generator(group, P, z, cof)) ABORT; \ @@ -1026,7 +1026,7 @@ static void prime_field_tests(void) if (!BN_hex2bn(&x, _x)) ABORT; \ if (!BN_hex2bn(&y, _y)) ABORT; \ if (!EC_POINT_set_affine_coordinates_GF2m(group, P, x, y, ctx)) ABORT; \ - if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; \ + if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; \ if (!BN_hex2bn(&z, _order)) ABORT; \ if (!BN_hex2bn(&cof, _cof)) ABORT; \ if (!EC_GROUP_set_generator(group, P, z, cof)) ABORT; \ @@ -1157,7 +1157,7 @@ static void char2_field_tests(void) if (!EC_POINT_set_affine_coordinates_GF2m(group, Q, x, y, ctx)) ABORT; # endif - if (!EC_POINT_is_on_curve(group, Q, ctx)) { + if (EC_POINT_is_on_curve(group, Q, ctx) <= 0) { /* Change test based on whether binary point compression is enabled or not. */ # ifdef OPENSSL_EC_BIN_PT_COMP if (!EC_POINT_get_affine_coordinates_GF2m(group, Q, x, y, ctx)) 
@@ -1378,7 +1378,7 @@ static void char2_field_tests(void) ABORT; if (!EC_POINT_dbl(group, P, P, ctx)) ABORT; - if (!EC_POINT_is_on_curve(group, P, ctx)) + if (EC_POINT_is_on_curve(group, P, ctx) <= 0) ABORT; if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */ diff --git a/deps/openssl/openssl/crypto/ecdh/Makefile b/deps/openssl/openssl/crypto/ecdh/Makefile index ba05fea05ca..f0766356a13 100644 --- a/deps/openssl/openssl/crypto/ecdh/Makefile +++ b/deps/openssl/openssl/crypto/ecdh/Makefile @@ -62,6 +62,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/ecdsa/Makefile b/deps/openssl/openssl/crypto/ecdsa/Makefile index e89e0c010c6..4ce00e8f930 100644 --- a/deps/openssl/openssl/crypto/ecdsa/Makefile +++ b/deps/openssl/openssl/crypto/ecdsa/Makefile @@ -62,6 +62,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/ecdsa/ecdsatest.c b/deps/openssl/openssl/crypto/ecdsa/ecdsatest.c index b2d78f3d55e..0f301f86d9e 100644 --- a/deps/openssl/openssl/crypto/ecdsa/ecdsatest.c +++ b/deps/openssl/openssl/crypto/ecdsa/ecdsatest.c @@ -296,8 +296,8 @@ int test_builtin(BIO *out) int nid, ret = 0; /* fill digest values with some random data */ - if (!RAND_pseudo_bytes(digest, 20) || - !RAND_pseudo_bytes(wrong_digest, 20)) { + if (RAND_pseudo_bytes(digest, 20) <= 0 || + RAND_pseudo_bytes(wrong_digest, 20) <= 0) { BIO_printf(out, "ERROR: unable to get random data\n"); goto builtin_err; } diff --git a/deps/openssl/openssl/crypto/engine/Makefile b/deps/openssl/openssl/crypto/engine/Makefile index d29bdd09a09..8ceb747fabd 100644 --- a/deps/openssl/openssl/crypto/engine/Makefile 
+++ b/deps/openssl/openssl/crypto/engine/Makefile @@ -71,6 +71,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/engine/eng_table.c b/deps/openssl/openssl/crypto/engine/eng_table.c index 2e1a7e855ae..27d31f70c85 100644 --- a/deps/openssl/openssl/crypto/engine/eng_table.c +++ b/deps/openssl/openssl/crypto/engine/eng_table.c @@ -351,6 +351,8 @@ void engine_table_doall(ENGINE_TABLE *table, engine_table_doall_cb *cb, ENGINE_PILE_DOALL dall; dall.cb = cb; dall.arg = arg; - lh_ENGINE_PILE_doall_arg(&table->piles, LHASH_DOALL_ARG_FN(int_cb), - ENGINE_PILE_DOALL, &dall); + if (table) + lh_ENGINE_PILE_doall_arg(&table->piles, + LHASH_DOALL_ARG_FN(int_cb), + ENGINE_PILE_DOALL, &dall); } diff --git a/deps/openssl/openssl/crypto/err/Makefile b/deps/openssl/openssl/crypto/err/Makefile index 862b23ba176..b6f3ef1778d 100644 --- a/deps/openssl/openssl/crypto/err/Makefile +++ b/deps/openssl/openssl/crypto/err/Makefile @@ -61,6 +61,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/evp/Makefile b/deps/openssl/openssl/crypto/evp/Makefile index ef75678ad84..ed1502d3a69 100644 --- a/deps/openssl/openssl/crypto/evp/Makefile +++ b/deps/openssl/openssl/crypto/evp/Makefile @@ -86,6 +86,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/evp/bio_ok.c b/deps/openssl/openssl/crypto/evp/bio_ok.c index a4550349be1..5c32e35e17b 100644 --- a/deps/openssl/openssl/crypto/evp/bio_ok.c 
+++ b/deps/openssl/openssl/crypto/evp/bio_ok.c @@ -491,7 +491,8 @@ static int sig_out(BIO *b) * FIXME: there's absolutely no guarantee this makes any sense at all, * particularly now EVP_MD_CTX has been restructured. */ - RAND_pseudo_bytes(md->md_data, md->digest->md_size); + if (RAND_pseudo_bytes(md->md_data, md->digest->md_size) < 0) + goto berr; memcpy(&(ctx->buf[ctx->buf_len]), md->md_data, md->digest->md_size); longswap(&(ctx->buf[ctx->buf_len]), md->digest->md_size); ctx->buf_len += md->digest->md_size; diff --git a/deps/openssl/openssl/crypto/evp/e_aes.c b/deps/openssl/openssl/crypto/evp/e_aes.c index 245c18a6939..1ede7bd39ec 100644 --- a/deps/openssl/openssl/crypto/evp/e_aes.c +++ b/deps/openssl/openssl/crypto/evp/e_aes.c @@ -50,6 +50,7 @@ #include #ifndef OPENSSL_NO_AES +#include # include # include # include @@ -753,7 +754,7 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_AEAD_TLS1_AAD: /* Save the AAD for later use */ - if (arg != 13) + if (arg != EVP_AEAD_TLS1_AAD_LEN) return 0; memcpy(c->buf, ptr, arg); gctx->tls_aad_len = arg; @@ -914,7 +915,7 @@ static int aes_gcm_tls_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, /* Retrieve tag */ CRYPTO_gcm128_tag(&gctx->gcm, ctx->buf, EVP_GCM_TLS_TAG_LEN); /* If tag mismatch wipe buffer */ - if (memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { + if (CRYPTO_memcmp(ctx->buf, in + len, EVP_GCM_TLS_TAG_LEN)) { OPENSSL_cleanse(out, len); goto err; } @@ -1259,7 +1260,7 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, !CRYPTO_ccm128_decrypt(ccm, in, out, len)) { unsigned char tag[16]; if (CRYPTO_ccm128_tag(ccm, tag, cctx->M)) { - if (!memcmp(tag, ctx->buf, cctx->M)) + if (!CRYPTO_memcmp(tag, ctx->buf, cctx->M)) rv = len; } } diff --git a/deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c b/deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c index 3f8a5ae3912..d1f5928f628 100644 --- a/deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c 
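Review bot: The new check in sig_out treats only a negative return from RAND_pseudo_bytes as failure, while the ecdsatest.c hunk in this same patch uses `<= 0`. RAND_pseudo_bytes returns 0 when bytes were produced but are not cryptographically strong, so the `< 0` form accepts that case silently. If that is intended here, a comment would stop a later reader from changing it, e.g. `/* 0 = bytes generated but not strong; acceptable here, only -1 is fatal */`. Whether weak bytes are acceptable depends on how md_data is used, which the existing FIXME above the call already questions. The `berr` label and the rest of sig_out are outside the hunk.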
+++ b/deps/openssl/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -503,7 +503,12 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, case EVP_CTRL_AEAD_TLS1_AAD: { unsigned char *p = ptr; - unsigned int len = p[arg - 2] << 8 | p[arg - 1]; + unsigned int len; + + if (arg != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[arg - 2] << 8 | p[arg - 1]; if (ctx->encrypt) { key->payload_length = len; @@ -520,8 +525,6 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) - len); } else { - if (arg > 13) - arg = 13; memcpy(key->aux.tls_aad, ptr, arg); key->payload_length = arg; diff --git a/deps/openssl/openssl/crypto/evp/e_rc4_hmac_md5.c b/deps/openssl/openssl/crypto/evp/e_rc4_hmac_md5.c index 80735d345ad..2da11178294 100644 --- a/deps/openssl/openssl/crypto/evp/e_rc4_hmac_md5.c +++ b/deps/openssl/openssl/crypto/evp/e_rc4_hmac_md5.c @@ -54,6 +54,7 @@ #if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_MD5) +# include # include # include # include @@ -210,7 +211,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, MD5_Update(&key->md, mac, MD5_DIGEST_LENGTH); MD5_Final(mac, &key->md); - if (memcmp(out + plen, mac, MD5_DIGEST_LENGTH)) + if (CRYPTO_memcmp(out + plen, mac, MD5_DIGEST_LENGTH)) return 0; } else { MD5_Update(&key->md, out + md5_off, len - md5_off); @@ -258,7 +259,12 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, case EVP_CTRL_AEAD_TLS1_AAD: { unsigned char *p = ptr; - unsigned int len = p[arg - 2] << 8 | p[arg - 1]; + unsigned int len; + + if (arg != EVP_AEAD_TLS1_AAD_LEN) + return -1; + + len = p[arg - 2] << 8 | p[arg - 1]; if (!ctx->encrypt) { len -= MD5_DIGEST_LENGTH; diff --git a/deps/openssl/openssl/crypto/evp/encode.c b/deps/openssl/openssl/crypto/evp/encode.c index d1d8a07c14a..5c5988fc45e 100644 --- a/deps/openssl/openssl/crypto/evp/encode.c +++ b/deps/openssl/openssl/crypto/evp/encode.c 
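Review bot: The new length guard in aesni_cbc_hmac_sha1_ctrl returns -1 for a wrong AAD length, whereas aes_gcm_ctrl in e_aes.c returns 0 for the same condition (`if (arg != EVP_AEAD_TLS1_AAD_LEN) return 0;`). How the caller treats the two values is not visible here, so either align them or note the reason next to the check. The second hunk in this file drops the `if (arg > 13) arg = 13;` clamp, which leaves `memcpy(key->aux.tls_aad, ptr, arg)` bounded only by this guard. A comment at the memcpy such as `/* arg == EVP_AEAD_TLS1_AAD_LEN, checked at the top of this case */` keeps that dependency visible. The same guard is added in e_rc4_hmac_md5.c.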
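Review bot: In rc4_hmac_md5_ctrl the decrypt branch still does `len -= MD5_DIGEST_LENGTH;` on an unsigned `len` read from the last two AAD bytes, with no lower bound. The added `arg` check makes the index into `p` safe, but a record length smaller than the digest size wraps `len` to a very large value, which presumably becomes the payload length used later. A guard before the subtraction closes this: `if (len < MD5_DIGEST_LENGTH) return -1;`. The rest of the case body is outside the hunk, so confirm that no later check already covers it.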
@@ -137,7 +137,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, unsigned int total = 0; *outl = 0; - if (inl == 0) + if (inl <= 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); if ((ctx->num + inl) < ctx->length) { diff --git a/deps/openssl/openssl/crypto/evp/evp.h b/deps/openssl/openssl/crypto/evp/evp.h index b00997b1495..6cf98acc0b7 100644 --- a/deps/openssl/openssl/crypto/evp/evp.h +++ b/deps/openssl/openssl/crypto/evp/evp.h @@ -103,7 +103,6 @@ # define EVP_PKS_RSA 0x0100 # define EVP_PKS_DSA 0x0200 # define EVP_PKS_EC 0x0400 -# define EVP_PKT_EXP 0x1000 /* <= 512 bit key */ # define EVP_PKEY_NONE NID_undef # define EVP_PKEY_RSA NID_rsaEncryption @@ -409,6 +408,9 @@ struct evp_cipher_st { /* Set the GCM invocation field, decrypt only */ # define EVP_CTRL_GCM_SET_IV_INV 0x18 +/* RFC 5246 defines additional data to be 13 bytes in length */ +# define EVP_AEAD_TLS1_AAD_LEN 13 + /* GCM TLS constants */ /* Length of fixed part of IV derived from PRF */ # define EVP_GCM_TLS_FIXED_IV_LEN 4 diff --git a/deps/openssl/openssl/crypto/evp/p_seal.c b/deps/openssl/openssl/crypto/evp/p_seal.c index caabbf406f4..ba9dfff2157 100644 --- a/deps/openssl/openssl/crypto/evp/p_seal.c +++ b/deps/openssl/openssl/crypto/evp/p_seal.c @@ -82,8 +82,9 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, return 1; if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0) return 0; - if (EVP_CIPHER_CTX_iv_length(ctx)) - RAND_pseudo_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)); + if (EVP_CIPHER_CTX_iv_length(ctx) + && RAND_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx)) <= 0) + return 0; if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) return 0; diff --git a/deps/openssl/openssl/crypto/hmac/Makefile b/deps/openssl/openssl/crypto/hmac/Makefile index 0e91709f64c..52e39e58607 100644 --- a/deps/openssl/openssl/crypto/hmac/Makefile +++ b/deps/openssl/openssl/crypto/hmac/Makefile 
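Review bot: EVP_EncodeUpdate now rejects negative `inl`, but the next comparison `(ctx->num + inl) < ctx->length` is still a signed addition that can overflow when `inl` is close to INT_MAX. Rearranging it so nothing is added to the caller-supplied value avoids that: `if (ctx->length - ctx->num > inl) {`. The function body continues outside the hunk, so the later arithmetic on `inl` should be checked the same way.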
@@ -61,6 +61,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/hmac/hmac.c b/deps/openssl/openssl/crypto/hmac/hmac.c index 54778165510..33d88be1179 100644 --- a/deps/openssl/openssl/crypto/hmac/hmac.c +++ b/deps/openssl/openssl/crypto/hmac/hmac.c @@ -87,12 +87,18 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, return FIPS_hmac_init_ex(ctx, key, len, md, NULL); } #endif + /* If we are changing MD then we must have a key */ + if (md != NULL && md != ctx->md && (key == NULL || len < 0)) + return 0; if (md != NULL) { reset = 1; ctx->md = md; - } else + } else if (ctx->md) { md = ctx->md; + } else { + return 0; + } if (key != NULL) { reset = 1; @@ -107,7 +113,8 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, &ctx->key_length)) goto err; } else { - OPENSSL_assert(len >= 0 && len <= (int)sizeof(ctx->key)); + if (len < 0 || len > (int)sizeof(ctx->key)) + return 0; memcpy(ctx->key, key, len); ctx->key_length = len; } @@ -151,6 +158,9 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) if (FIPS_mode() && !ctx->i_ctx.engine) return FIPS_hmac_update(ctx, data, len); #endif + if (!ctx->md) + return 0; + return EVP_DigestUpdate(&ctx->md_ctx, data, len); } @@ -163,6 +173,9 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) return FIPS_hmac_final(ctx, md, len); #endif + if (!ctx->md) + goto err; + if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i)) goto err; if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->o_ctx)) @@ -181,6 +194,7 @@ void HMAC_CTX_init(HMAC_CTX *ctx) EVP_MD_CTX_init(&ctx->i_ctx); EVP_MD_CTX_init(&ctx->o_ctx); EVP_MD_CTX_init(&ctx->md_ctx); + ctx->md = NULL; } int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) 
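Review bot: The new checks in the first HMAC_Init_ex hunk compare against and fall back to `ctx->md`, so they only work on a context whose `md` field was set by HMAC_CTX_init, which this patch changes to write `ctx->md = NULL`. A caller that passes a context that never went through HMAC_CTX_init now causes an indeterminate pointer read in `md != ctx->md` and `else if (ctx->md)`. State that precondition where the check lives, e.g. `/* ctx must have been set up by HMAC_CTX_init(); ctx->md == NULL means no digest yet */`. HMAC_Update and HMAC_Final gain the same dependency in the later hunks of this file.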
@@ -232,6 +246,7 @@ unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, HMAC_CTX_cleanup(&c); return md; err: + HMAC_CTX_cleanup(&c); return NULL; } diff --git a/deps/openssl/openssl/crypto/hmac/hmactest.c b/deps/openssl/openssl/crypto/hmac/hmactest.c index 3d130a03ed0..271d0ebf264 100644 --- a/deps/openssl/openssl/crypto/hmac/hmactest.c +++ b/deps/openssl/openssl/crypto/hmac/hmactest.c @@ -85,7 +85,7 @@ static struct test_st { unsigned char data[64]; int data_len; unsigned char *digest; -} test[4] = { +} test[8] = { { "", 0, "More text test vectors to stuff up EBCDIC machines :-)", 54, (unsigned char *)"e9139d1e6ee064ef8cf514fc7dc83e86", @@ -113,10 +113,27 @@ static struct test_st { 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd }, 50, (unsigned char *)"56be34521d144c88dbb8c733f0e8b3f6", }, + { + "", 0, "My test data", 12, + (unsigned char *)"61afdecb95429ef494d61fdee15990cabf0826fc" + }, + { + "", 0, "My test data", 12, + (unsigned char *)"2274b195d90ce8e03406f4b526a47e0787a88a65479938f1a5baa3ce0f079776" + }, + { + "123456", 6, "My test data", 12, + (unsigned char *)"bab53058ae861a7f191abe2d0145cbb123776a6369ee3f9d79ce455667e411dd" + }, + { + "12345", 5, "My test data again", 12, + (unsigned char *)"7dbe8c764c068e3bcd6e6b0fbcd5e6fc197b15bb" + } }; # endif -static char *pt(unsigned char *md); +static char *pt(unsigned char *md, unsigned int len); + int main(int argc, char *argv[]) { # ifndef OPENSSL_NO_MD5 @@ -124,6 +141,9 @@ int main(int argc, char *argv[]) char *p; # endif int err = 0; + HMAC_CTX ctx, ctx2; + unsigned char buf[EVP_MAX_MD_SIZE]; + unsigned int len; # ifdef OPENSSL_NO_MD5 printf("test skipped: MD5 disabled\n"); 
@@ -139,27 +159,172 @@ int main(int argc, char *argv[]) for (i = 0; i < 4; i++) { p = pt(HMAC(EVP_md5(), test[i].key, test[i].key_len, - test[i].data, test[i].data_len, NULL, NULL)); + test[i].data, test[i].data_len, NULL, NULL), + MD5_DIGEST_LENGTH); if (strcmp(p, (char *)test[i].digest) != 0) { - printf("error calculating HMAC on %d entry'\n", i); + printf("Error calculating HMAC on %d entry'\n", i); printf("got %s instead of %s\n", p, test[i].digest); err++; } else printf("test %d ok\n", i); } # endif /* OPENSSL_NO_MD5 */ + +/* test4 */ + HMAC_CTX_init(&ctx); + if (HMAC_Init_ex(&ctx, NULL, 0, NULL, NULL)) { + printf("Should fail to initialise HMAC with empty MD and key (test 4)\n"); + err++; + goto test5; + } + if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + printf("Should fail HMAC_Update with ctx not set up (test 4)\n"); + err++; + goto test5; + } + if (HMAC_Init_ex(&ctx, NULL, 0, EVP_sha1(), NULL)) { + printf("Should fail to initialise HMAC with empty key (test 4)\n"); + err++; + goto test5; + } + if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + printf("Should fail HMAC_Update with ctx not set up (test 4)\n"); + err++; + goto test5; + } + printf("test 4 ok\n"); +test5: + HMAC_CTX_init(&ctx); + if (HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, NULL, NULL)) { + printf("Should fail to initialise HMAC with empty MD (test 5)\n"); + err++; + goto test6; + } + if (HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + printf("Should fail HMAC_Update with ctx not set up (test 5)\n"); + err++; + goto test6; + } + if (HMAC_Init_ex(&ctx, test[4].key, -1, EVP_sha1(), NULL)) { + printf("Should fail to initialise HMAC with invalid key len(test 5)\n"); + err++; + goto test6; + } + if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha1(), NULL)) { + printf("Failed to initialise HMAC (test 5)\n"); + err++; + goto test6; + } + if (!HMAC_Update(&ctx, test[4].data, test[4].data_len)) { + printf("Error updating HMAC with data (test 5)\n"); + err++; 
+ goto test6; + } + if (!HMAC_Final(&ctx, buf, &len)) { + printf("Error finalising data (test 5)\n"); + err++; + goto test6; + } + p = pt(buf, len); + if (strcmp(p, (char *)test[4].digest) != 0) { + printf("Error calculating interim HMAC on test 5\n"); + printf("got %s instead of %s\n", p, test[4].digest); + err++; + goto test6; + } + if (HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { + printf("Should disallow changing MD without a new key (test 5)\n"); + err++; + goto test6; + } + if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha256(), NULL)) { + printf("Failed to reinitialise HMAC (test 5)\n"); + err++; + goto test6; + } + if (!HMAC_Update(&ctx, test[5].data, test[5].data_len)) { + printf("Error updating HMAC with data (sha256) (test 5)\n"); + err++; + goto test6; + } + if (!HMAC_Final(&ctx, buf, &len)) { + printf("Error finalising data (sha256) (test 5)\n"); + err++; + goto test6; + } + p = pt(buf, len); + if (strcmp(p, (char *)test[5].digest) != 0) { + printf("Error calculating 2nd interim HMAC on test 5\n"); + printf("got %s instead of %s\n", p, test[5].digest); + err++; + goto test6; + } + if (!HMAC_Init_ex(&ctx, test[6].key, test[6].key_len, NULL, NULL)) { + printf("Failed to reinitialise HMAC with key (test 5)\n"); + err++; + goto test6; + } + if (!HMAC_Update(&ctx, test[6].data, test[6].data_len)) { + printf("Error updating HMAC with data (new key) (test 5)\n"); + err++; + goto test6; + } + if (!HMAC_Final(&ctx, buf, &len)) { + printf("Error finalising data (new key) (test 5)\n"); + err++; + goto test6; + } + p = pt(buf, len); + if (strcmp(p, (char *)test[6].digest) != 0) { + printf("error calculating HMAC on test 5\n"); + printf("got %s instead of %s\n", p, test[6].digest); + err++; + } else { + printf("test 5 ok\n"); + } +test6: + HMAC_CTX_init(&ctx); + if (!HMAC_Init_ex(&ctx, test[7].key, test[7].key_len, EVP_sha1(), NULL)) { + printf("Failed to initialise HMAC (test 6)\n"); + err++; + goto end; + } + if (!HMAC_Update(&ctx, test[7].data, 
test[7].data_len)) { + printf("Error updating HMAC with data (test 6)\n"); + err++; + goto end; + } + if (!HMAC_CTX_copy(&ctx2, &ctx)) { + printf("Failed to copy HMAC_CTX (test 6)\n"); + err++; + goto end; + } + if (!HMAC_Final(&ctx2, buf, &len)) { + printf("Error finalising data (test 6)\n"); + err++; + goto end; + } + p = pt(buf, len); + if (strcmp(p, (char *)test[7].digest) != 0) { + printf("Error calculating HMAC on test 6\n"); + printf("got %s instead of %s\n", p, test[7].digest); + err++; + } else { + printf("test 6 ok\n"); + } +end: EXIT(err); return (0); } # ifndef OPENSSL_NO_MD5 -static char *pt(unsigned char *md) +static char *pt(unsigned char *md, unsigned int len) { - int i; + unsigned int i; static char buf[80]; - for (i = 0; i < MD5_DIGEST_LENGTH; i++) + for (i = 0; i < len; i++) sprintf(&(buf[i * 2]), "%02x", md[i]); return (buf); } diff --git a/deps/openssl/openssl/crypto/idea/Makefile b/deps/openssl/openssl/crypto/idea/Makefile index 8af0acdad97..3dc23e48dd4 100644 --- a/deps/openssl/openssl/crypto/idea/Makefile +++ b/deps/openssl/openssl/crypto/idea/Makefile @@ -61,6 +61,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/jpake/Makefile b/deps/openssl/openssl/crypto/jpake/Makefile index 110c49ce0b4..5193fd98353 100644 --- a/deps/openssl/openssl/crypto/jpake/Makefile +++ b/deps/openssl/openssl/crypto/jpake/Makefile @@ -32,6 +32,8 @@ install: chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \ done; +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/krb5/Makefile b/deps/openssl/openssl/crypto/krb5/Makefile index 14077390d69..8b9a01a296c 100644 --- a/deps/openssl/openssl/crypto/krb5/Makefile 
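Review bot: `pt` now formats a caller-supplied `len` bytes but still writes into `static char buf[80]`, which holds at most 39 digest bytes plus the terminator. The digests used in this file (MD5, SHA-1, SHA-256) fit, but main's own buffer is `EVP_MAX_MD_SIZE` bytes, so the helper no longer matches what callers can hand it. Size it from the same constant: `static char buf[EVP_MAX_MD_SIZE * 2 + 1];`. Separately, tests 4 to 6 sit after `# endif /* OPENSSL_NO_MD5 */` yet use `p` and `pt`, which appear to be declared only under `# ifndef OPENSSL_NO_MD5`. Confirm against the full file that the test still builds with MD5 disabled.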
+++ b/deps/openssl/openssl/crypto/krb5/Makefile @@ -62,6 +62,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/lhash/Makefile b/deps/openssl/openssl/crypto/lhash/Makefile index 82bddac4745..c7f4365f0ab 100644 --- a/deps/openssl/openssl/crypto/lhash/Makefile +++ b/deps/openssl/openssl/crypto/lhash/Makefile @@ -61,6 +61,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/md2/Makefile b/deps/openssl/openssl/crypto/md2/Makefile index 17f878aeb7d..b63011085f8 100644 --- a/deps/openssl/openssl/crypto/md2/Makefile +++ b/deps/openssl/openssl/crypto/md2/Makefile @@ -61,6 +61,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/md32_common.h b/deps/openssl/openssl/crypto/md32_common.h index c1efb45f1c3..1823833419c 100644 --- a/deps/openssl/openssl/crypto/md32_common.h +++ b/deps/openssl/openssl/crypto/md32_common.h @@ -142,8 +142,10 @@ */ #undef ROTATE #ifndef PEDANTIC -# if defined(_MSC_VER) || defined(__ICC) +# if defined(_MSC_VER) # define ROTATE(a,n) _lrotl(a,n) +# elif defined(__ICC) +# define ROTATE(a,n) _rotl(a,n) # elif defined(__MWERKS__) # if defined(__POWERPC__) # define ROTATE(a,n) __rlwinm(a,n,0,31) diff --git a/deps/openssl/openssl/crypto/md4/Makefile b/deps/openssl/openssl/crypto/md4/Makefile index e6f1e4478c0..3ee436176ba 100644 --- a/deps/openssl/openssl/crypto/md4/Makefile +++ b/deps/openssl/openssl/crypto/md4/Makefile 
@@ -62,6 +62,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/md5/Makefile b/deps/openssl/openssl/crypto/md5/Makefile index b9e2ce9a386..0f87dbd5423 100644 --- a/deps/openssl/openssl/crypto/md5/Makefile +++ b/deps/openssl/openssl/crypto/md5/Makefile @@ -76,6 +76,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/mdc2/Makefile b/deps/openssl/openssl/crypto/mdc2/Makefile index 141553149d5..c2d0c5b7cd5 100644 --- a/deps/openssl/openssl/crypto/mdc2/Makefile +++ b/deps/openssl/openssl/crypto/mdc2/Makefile @@ -61,6 +61,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/mem.c b/deps/openssl/openssl/crypto/mem.c index 2ce3e894877..fdad49b76ec 100644 --- a/deps/openssl/openssl/crypto/mem.c +++ b/deps/openssl/openssl/crypto/mem.c @@ -365,6 +365,9 @@ char *CRYPTO_strdup(const char *str, const char *file, int line) { char *ret = CRYPTO_malloc(strlen(str) + 1, file, line); + if (ret == NULL) + return NULL; + strcpy(ret, str); return ret; } diff --git a/deps/openssl/openssl/crypto/modes/Makefile b/deps/openssl/openssl/crypto/modes/Makefile index 3d8bafd5716..e278fa6a252 100644 --- a/deps/openssl/openssl/crypto/modes/Makefile +++ b/deps/openssl/openssl/crypto/modes/Makefile 
@@ -89,6 +89,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/modes/gcm128.c b/deps/openssl/openssl/crypto/modes/gcm128.c index f69f2c9db6b..0ee569fb7af 100644 --- a/deps/openssl/openssl/crypto/modes/gcm128.c +++ b/deps/openssl/openssl/crypto/modes/gcm128.c @@ -1622,7 +1622,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx, const unsigned char *tag, ctx->Xi.u[1] ^= ctx->EK0.u[1]; if (tag && len <= sizeof(ctx->Xi)) - return memcmp(ctx->Xi.c, tag, len); + return CRYPTO_memcmp(ctx->Xi.c, tag, len); else return -1; } diff --git a/deps/openssl/openssl/crypto/objects/Makefile b/deps/openssl/openssl/crypto/objects/Makefile index a8aedbd4228..f93d2f9d264 100644 --- a/deps/openssl/openssl/crypto/objects/Makefile +++ b/deps/openssl/openssl/crypto/objects/Makefile @@ -74,6 +74,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: obj_dat.h obj_mac.h obj_xref.h depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/objects/o_names.c b/deps/openssl/openssl/crypto/objects/o_names.c index c6774f4578d..24859926ace 100644 --- a/deps/openssl/openssl/crypto/objects/o_names.c +++ b/deps/openssl/openssl/crypto/objects/o_names.c @@ -313,7 +313,7 @@ void OBJ_NAME_do_all_sorted(int type, d.names = OPENSSL_malloc(lh_OBJ_NAME_num_items(names_lh) * sizeof *d.names); /* Really should return an error if !d.names...but its a void function! */ - if(d.names) { + if (d.names) { d.n = 0; OBJ_NAME_do_all(type, do_all_sorted_fn, &d); diff --git a/deps/openssl/openssl/crypto/objects/obj_dat.c b/deps/openssl/openssl/crypto/objects/obj_dat.c index e42a1c147de..aca382a6e9f 100644 --- a/deps/openssl/openssl/crypto/objects/obj_dat.c 
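Review bot: In CRYPTO_gcm128_finish the guard `if (tag && len <= sizeof(ctx->Xi))` still accepts `len == 0`, and CRYPTO_memcmp over zero bytes returns 0, so an empty tag is reported as a match. The switch to a constant-time compare does not change that; I would tighten the guard to `if (tag && len > 0 && len <= sizeof(ctx->Xi))` unless a caller is known to rely on the zero-length case. The return value also changes from memcmp's ordered result to zero/non-zero only, so a short comment such as `/* returns 0 on tag match, non-zero otherwise */` above the compare would keep callers from testing the sign. The function starts outside the hunk.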
+++ b/deps/openssl/openssl/crypto/objects/obj_dat.c @@ -142,7 +142,7 @@ static unsigned long added_obj_hash(const ADDED_OBJ *ca) return 0; } ret &= 0x3fffffffL; - ret |= ca->type << 30L; + ret |= ((unsigned long)ca->type) << 30L; return (ret); } @@ -400,6 +400,8 @@ static int obj_cmp(const ASN1_OBJECT *const *ap, const unsigned int *bp) j = (a->length - b->length); if (j) return (j); + if (a->length == 0) + return 0; return (memcmp(a->data, b->data, a->length)); } @@ -415,6 +417,9 @@ int OBJ_obj2nid(const ASN1_OBJECT *a) if (a->nid != 0) return (a->nid); + if (a->length == 0) + return NID_undef; + if (added != NULL) { ad.type = ADDED_DATA; ad.obj = (ASN1_OBJECT *)a; /* XXX: ugly but harmless */ diff --git a/deps/openssl/openssl/crypto/objects/objects.README b/deps/openssl/openssl/crypto/objects/objects.README index 4d745508d83..cb1d216ce8a 100644 --- a/deps/openssl/openssl/crypto/objects/objects.README +++ b/deps/openssl/openssl/crypto/objects/objects.README @@ -8,9 +8,9 @@ The basic syntax for adding an object is as follows: 1 2 3 4 : shortName : Long Name - If the long name doesn't contain spaces, or no short name - exists, the long name is used as basis for the base name - in C. Otherwise, the short name is used. + If Long Name contains only word characters and hyphen-minus + (0x2D) or full stop (0x2E) then Long Name is used as basis + for the base name in C. Otherwise, the shortName is used. The base name (let's call it 'base') will then be used to create the C macros SN_base, LN_base, NID_base and OBJ_base. @@ -22,7 +22,7 @@ Then there are some extra commands: !Alias foo 1 2 3 4 - This juts makes a name foo for an OID. The C macro + This just makes a name foo for an OID. The C macro OBJ_foo will be created as a result. !Cname foo diff --git a/deps/openssl/openssl/crypto/objects/objects.pl b/deps/openssl/openssl/crypto/objects/objects.pl index d0ed459d3dc..389dc348373 100644 --- a/deps/openssl/openssl/crypto/objects/objects.pl 
+++ b/deps/openssl/openssl/crypto/objects/objects.pl @@ -67,7 +67,7 @@ $myoid = &process_oid($myoid); } - if ($Cname eq "" && !($myln =~ / /)) + if ($Cname eq "" && ($myln =~ /^[_A-Za-z][\w.-]*$/ )) { $Cname = $myln; $Cname =~ s/\./_/g; diff --git a/deps/openssl/openssl/crypto/ocsp/Makefile b/deps/openssl/openssl/crypto/ocsp/Makefile index 60c414cf4da..96a1b156b9f 100644 --- a/deps/openssl/openssl/crypto/ocsp/Makefile +++ b/deps/openssl/openssl/crypto/ocsp/Makefile @@ -64,6 +64,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/ocsp/ocsp_ext.c b/deps/openssl/openssl/crypto/ocsp/ocsp_ext.c index 849cb2f7627..c19648c7329 100644 --- a/deps/openssl/openssl/crypto/ocsp/ocsp_ext.c +++ b/deps/openssl/openssl/crypto/ocsp/ocsp_ext.c @@ -361,8 +361,8 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL); if (val) memcpy(tmpval, val, len); - else - RAND_pseudo_bytes(tmpval, len); + else if (RAND_pseudo_bytes(tmpval, len) < 0) + goto err; if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0, X509V3_ADD_REPLACE)) goto err; diff --git a/deps/openssl/openssl/crypto/ocsp/ocsp_vfy.c b/deps/openssl/openssl/crypto/ocsp/ocsp_vfy.c index 6c0ccb565db..d4a257c33bb 100644 --- a/deps/openssl/openssl/crypto/ocsp/ocsp_vfy.c +++ b/deps/openssl/openssl/crypto/ocsp/ocsp_vfy.c @@ -83,6 +83,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, { X509 *signer, *x; STACK_OF(X509) *chain = NULL; + STACK_OF(X509) *untrusted = NULL; X509_STORE_CTX ctx; int i, ret = 0; ret = ocsp_find_signer(&signer, bs, certs, st, flags); 
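Review bot: In ocsp_add1_nonce the new check `else if (RAND_pseudo_bytes(tmpval, len) < 0)` only catches the -1 return. RAND_pseudo_bytes returns 0 when it filled the buffer with bytes that are not cryptographically strong, and that case still proceeds to X509V3_add1_i2d. Since the nonce is what ties an OCSP response to this particular request, I would use the strong generator and fail closed: `else if (RAND_bytes(tmpval, len) <= 0)` followed by `goto err;`. The function body starts and ends outside the hunk, so the cleanup done at `err` is not visible here.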
@@ -107,10 +108,20 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, } if (!(flags & OCSP_NOVERIFY)) { int init_res; - if (flags & OCSP_NOCHAIN) - init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL); - else - init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs); + if (flags & OCSP_NOCHAIN) { + untrusted = NULL; + } else if (bs->certs && certs) { + untrusted = sk_X509_dup(bs->certs); + for (i = 0; i < sk_X509_num(certs); i++) { + if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) { + OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE); + goto end; + } + } + } else { + untrusted = bs->certs; + } + init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted); if (!init_res) { ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB); @@ -161,6 +172,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, end: if (chain) sk_X509_pop_free(chain, X509_free); + if (bs->certs && certs) + sk_X509_free(untrusted); return ret; } diff --git a/deps/openssl/openssl/crypto/opensslconf.h b/deps/openssl/openssl/crypto/opensslconf.h index 76c99d433ab..7513d14c753 100644 --- a/deps/openssl/openssl/crypto/opensslconf.h +++ b/deps/openssl/openssl/crypto/opensslconf.h 
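Review bot: The new untrusted-stack selection in OCSP_basic_verify drops the caller's `certs` when the response carries none: with `bs->certs == NULL` and `certs != NULL` the code falls into the final `else` and passes `untrusted = bs->certs` (NULL) to X509_STORE_CTX_init, so intermediates supplied by the caller are not available for chain building. An extra branch `} else if (certs != NULL) { untrusted = certs; }` before the final `else` would cover it; the cleanup at `end:` frees `untrusted` only when both stacks were non-NULL, so the caller's stack would not be freed. Separately, the result of `sk_X509_dup(bs->certs)` is not checked; a NULL there is caught only because the following sk_X509_push fails, and only if `certs` has at least one entry, so an explicit `if (untrusted == NULL)` check with the same malloc-failure error would be clearer. The function starts and ends outside these hunks.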
@@ -1 +1,241 @@ -#include "../../config/opensslconf.h" +/* opensslconf.h */ +/* WARNING: Generated automatically from opensslconf.h.in by Configure. */ + +#ifdef __cplusplus +extern "C" { +#endif +/* OpenSSL was configured with the following options: */ +#ifndef OPENSSL_DOING_MAKEDEPEND + + +#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 +# define OPENSSL_NO_EC_NISTP_64_GCC_128 +#endif +#ifndef OPENSSL_NO_GMP +# define OPENSSL_NO_GMP +#endif +#ifndef OPENSSL_NO_JPAKE +# define OPENSSL_NO_JPAKE +#endif +#ifndef OPENSSL_NO_KRB5 +# define OPENSSL_NO_KRB5 +#endif +#ifndef OPENSSL_NO_MD2 +# define OPENSSL_NO_MD2 +#endif +#ifndef OPENSSL_NO_RC5 +# define OPENSSL_NO_RC5 +#endif +#ifndef OPENSSL_NO_RFC3779 +# define OPENSSL_NO_RFC3779 +#endif +#ifndef OPENSSL_NO_SCTP +# define OPENSSL_NO_SCTP +#endif +#ifndef OPENSSL_NO_STORE +# define OPENSSL_NO_STORE +#endif +#ifndef OPENSSL_NO_UNIT_TEST +# define OPENSSL_NO_UNIT_TEST +#endif + +#endif /* OPENSSL_DOING_MAKEDEPEND */ + +#ifndef OPENSSL_NO_DYNAMIC_ENGINE +# define OPENSSL_NO_DYNAMIC_ENGINE +#endif + +/* The OPENSSL_NO_* macros are also defined as NO_* if the application + asks for it. This is a transient feature that is provided for those + who haven't had the time to do the appropriate changes in their + applications. 
*/ +#ifdef OPENSSL_ALGORITHM_DEFINES +# if defined(OPENSSL_NO_EC_NISTP_64_GCC_128) && !defined(NO_EC_NISTP_64_GCC_128) +# define NO_EC_NISTP_64_GCC_128 +# endif +# if defined(OPENSSL_NO_GMP) && !defined(NO_GMP) +# define NO_GMP +# endif +# if defined(OPENSSL_NO_JPAKE) && !defined(NO_JPAKE) +# define NO_JPAKE +# endif +# if defined(OPENSSL_NO_KRB5) && !defined(NO_KRB5) +# define NO_KRB5 +# endif +# if defined(OPENSSL_NO_MD2) && !defined(NO_MD2) +# define NO_MD2 +# endif +# if defined(OPENSSL_NO_RC5) && !defined(NO_RC5) +# define NO_RC5 +# endif +# if defined(OPENSSL_NO_RFC3779) && !defined(NO_RFC3779) +# define NO_RFC3779 +# endif +# if defined(OPENSSL_NO_SCTP) && !defined(NO_SCTP) +# define NO_SCTP +# endif +# if defined(OPENSSL_NO_STORE) && !defined(NO_STORE) +# define NO_STORE +# endif +# if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST) +# define NO_UNIT_TEST +# endif +#endif + +/* crypto/opensslconf.h.in */ + +/* Generate 80386 code? */ +#undef I386_ONLY + +#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */ +#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) +#define ENGINESDIR "/usr/local/ssl/lib/engines" +#define OPENSSLDIR "/usr/local/ssl" +#endif +#endif + +#undef OPENSSL_UNISTD +#define OPENSSL_UNISTD + +#undef OPENSSL_EXPORT_VAR_AS_FUNCTION + +#if defined(HEADER_IDEA_H) && !defined(IDEA_INT) +#define IDEA_INT unsigned int +#endif + +#if defined(HEADER_MD2_H) && !defined(MD2_INT) +#define MD2_INT unsigned int +#endif + +#if defined(HEADER_RC2_H) && !defined(RC2_INT) +/* I need to put in a mod for the alpha - eay */ +#define RC2_INT unsigned int +#endif + +#if defined(HEADER_RC4_H) +#if !defined(RC4_INT) +/* using int types make the structure larger but make the code faster + * on most boxes I have tested - up to %20 faster. 
*/ +/* + * I don't know what does "most" mean, but declaring "int" is a must on: + * - Intel P6 because partial register stalls are very expensive; + * - elder Alpha because it lacks byte load/store instructions; + */ +#define RC4_INT unsigned int +#endif +#if !defined(RC4_CHUNK) +/* + * This enables code handling data aligned at natural CPU word + * boundary. See crypto/rc4/rc4_enc.c for further details. + */ +#undef RC4_CHUNK +#endif +#endif + +#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) +/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a + * %20 speed up (longs are 8 bytes, int's are 4). */ +#ifndef DES_LONG +#define DES_LONG unsigned long +#endif +#endif + +#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) +#define CONFIG_HEADER_BN_H +#undef BN_LLONG + +/* Should we define BN_DIV2W here? */ + +/* Only one for the following should be defined */ +#undef SIXTY_FOUR_BIT_LONG +#undef SIXTY_FOUR_BIT +#define THIRTY_TWO_BIT +#endif + +#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) +#define CONFIG_HEADER_RC4_LOCL_H +/* if this is defined data[i] is used instead of *data, this is a %20 + * speedup on x86 */ +#undef RC4_INDEX +#endif + +#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) +#define CONFIG_HEADER_BF_LOCL_H +#undef BF_PTR +#endif /* HEADER_BF_LOCL_H */ + +#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) +#define CONFIG_HEADER_DES_LOCL_H +#ifndef DES_DEFAULT_OPTIONS +/* the following is tweaked from a config script, that is why it is a + * protected undef/define */ +#ifndef DES_PTR +#undef DES_PTR +#endif + +/* This helps C compiler generate the correct code for multiple functional + * units. 
It reduces register dependancies at the expense of 2 more + * registers */ +#ifndef DES_RISC1 +#undef DES_RISC1 +#endif + +#ifndef DES_RISC2 +#undef DES_RISC2 +#endif + +#if defined(DES_RISC1) && defined(DES_RISC2) +YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! +#endif + +/* Unroll the inner loop, this sometimes helps, sometimes hinders. + * Very mucy CPU dependant */ +#ifndef DES_UNROLL +#undef DES_UNROLL +#endif + +/* These default values were supplied by + * Peter Gutman + * They are only used if nothing else has been defined */ +#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL) +/* Special defines which change the way the code is built depending on the + CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find + even newer MIPS CPU's, but at the moment one size fits all for + optimization options. Older Sparc's work better with only UNROLL, but + there's no way to tell at compile time what it is you're running on */ + +#if defined( sun ) /* Newer Sparc's */ +# define DES_PTR +# define DES_RISC1 +# define DES_UNROLL +#elif defined( __ultrix ) /* Older MIPS */ +# define DES_PTR +# define DES_RISC2 +# define DES_UNROLL +#elif defined( __osf1__ ) /* Alpha */ +# define DES_PTR +# define DES_RISC2 +#elif defined ( _AIX ) /* RS6000 */ + /* Unknown */ +#elif defined( __hpux ) /* HP-PA */ + /* Unknown */ +#elif defined( __aux ) /* 68K */ + /* Unknown */ +#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */ +# define DES_UNROLL +#elif defined( __sgi ) /* Newer MIPS */ +# define DES_PTR +# define DES_RISC2 +# define DES_UNROLL +#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */ +# define DES_PTR +# define DES_RISC1 +# define DES_UNROLL +#endif /* Systems-specific speed defines */ +#endif + +#endif /* DES_DEFAULT_OPTIONS */ +#endif /* HEADER_DES_LOCL_H */ +#ifdef __cplusplus +} +#endif 
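Review bot: This hunk replaces the one-line redirect `#include "../../config/opensslconf.h"` with a single Configure output that hard-codes `#define THIRTY_TWO_BIT`, `#undef SIXTY_FOUR_BIT_LONG` and `#define OPENSSLDIR "/usr/local/ssl"`. If the redirected header was what selected per-platform settings (an assumption, that file is not shown here), 64-bit builds would now compile the bignum code with the 32-bit word configuration, and the library would look for its configuration and engines under a fixed /usr/local/ssl path. I would keep the redirect in this commit, or have the description name the later patch in the series that restores it.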
diff --git a/deps/openssl/openssl/crypto/opensslv.h b/deps/openssl/openssl/crypto/opensslv.h index daf3905dfba..84d0bf9d1f4 100644 --- a/deps/openssl/openssl/crypto/opensslv.h +++ b/deps/openssl/openssl/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x100010dfL +# define OPENSSL_VERSION_NUMBER 0x100010ffL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1m-fips 19 Mar 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1o-fips 12 Jun 2015" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1m 19 Mar 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1o 12 Jun 2015" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/deps/openssl/openssl/crypto/pem/Makefile b/deps/openssl/openssl/crypto/pem/Makefile index 2cc7801529e..7a930eeae77 100644 --- a/deps/openssl/openssl/crypto/pem/Makefile +++ b/deps/openssl/openssl/crypto/pem/Makefile @@ -64,6 +64,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/pem/pem_lib.c b/deps/openssl/openssl/crypto/pem/pem_lib.c index febb53ed0ee..55071616e20 100644 --- a/deps/openssl/openssl/crypto/pem/pem_lib.c +++ b/deps/openssl/openssl/crypto/pem/pem_lib.c @@ -435,7 +435,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, pem_password_cb *callback, void *u) { - int i, j, o, klen; + int i = 0, j, o, klen; long len; EVP_CIPHER_CTX ctx; unsigned char key[EVP_MAX_KEY_LENGTH]; diff --git a/deps/openssl/openssl/crypto/pem/pem_pk8.c b/deps/openssl/openssl/crypto/pem/pem_pk8.c index b98c76c4a99..5747c7366e3 100644 --- a/deps/openssl/openssl/crypto/pem/pem_pk8.c 
+++ b/deps/openssl/openssl/crypto/pem/pem_pk8.c @@ -138,6 +138,8 @@ static int do_pk8pkey(BIO *bp, EVP_PKEY *x, int isder, int nid, if (kstr == buf) OPENSSL_cleanse(buf, klen); PKCS8_PRIV_KEY_INFO_free(p8inf); + if (p8 == NULL) + return 0; if (isder) ret = i2d_PKCS8_bio(bp, p8); else diff --git a/deps/openssl/openssl/crypto/perlasm/x86masm.pl b/deps/openssl/openssl/crypto/perlasm/x86masm.pl index 6b33b146f0f..f937d07c87d 100644 --- a/deps/openssl/openssl/crypto/perlasm/x86masm.pl +++ b/deps/openssl/openssl/crypto/perlasm/x86masm.pl @@ -80,7 +80,7 @@ sub ::file IF \@Version LT 800 ECHO MASM version 8.00 or later is strongly recommended. ENDIF -.686 +.486 .MODEL FLAT OPTION DOTNAME IF \@Version LT 800 diff --git a/deps/openssl/openssl/crypto/pkcs12/Makefile b/deps/openssl/openssl/crypto/pkcs12/Makefile index 3a7498fe7ad..be5f8c5d21d 100644 --- a/deps/openssl/openssl/crypto/pkcs12/Makefile +++ b/deps/openssl/openssl/crypto/pkcs12/Makefile @@ -67,6 +67,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/pkcs12/p12_mutl.c b/deps/openssl/openssl/crypto/pkcs12/p12_mutl.c index 256b210ccee..5ab4bf290e1 100644 --- a/deps/openssl/openssl/crypto/pkcs12/p12_mutl.c +++ b/deps/openssl/openssl/crypto/pkcs12/p12_mutl.c @@ -60,6 +60,7 @@ #ifndef OPENSSL_NO_HMAC # include # include "cryptlib.h" +# include # include # include # include @@ -123,7 +124,7 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) return 0; } if ((maclen != (unsigned int)p12->mac->dinfo->digest->length) - || memcmp(mac, p12->mac->dinfo->digest->data, maclen)) + || CRYPTO_memcmp(mac, p12->mac->dinfo->digest->data, maclen)) return 0; return 1; } diff --git a/deps/openssl/openssl/crypto/pkcs7/Makefile b/deps/openssl/openssl/crypto/pkcs7/Makefile index effe05fc043..decf5e0203e 100644 
--- a/deps/openssl/openssl/crypto/pkcs7/Makefile +++ b/deps/openssl/openssl/crypto/pkcs7/Makefile @@ -68,6 +68,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/pkcs7/pk7_doit.c b/deps/openssl/openssl/crypto/pkcs7/pk7_doit.c index 31a1b983f1d..c8d7db01bd7 100644 --- a/deps/openssl/openssl/crypto/pkcs7/pk7_doit.c +++ b/deps/openssl/openssl/crypto/pkcs7/pk7_doit.c @@ -445,6 +445,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) switch (i) { case NID_pkcs7_signed: + /* + * p7->d.sign->contents is a PKCS7 structure consisting of a contentType + * field and optional content. + * data_body is NULL if that structure has no (=detached) content + * or if the contentType is wrong (i.e., not "data"). + */ data_body = PKCS7_get_octet_string(p7->d.sign->contents); if (!PKCS7_is_detached(p7) && data_body == NULL) { PKCS7err(PKCS7_F_PKCS7_DATADECODE, @@ -456,6 +462,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) case NID_pkcs7_signedAndEnveloped: rsk = p7->d.signed_and_enveloped->recipientinfo; md_sk = p7->d.signed_and_enveloped->md_algs; + /* data_body is NULL if the optional EncryptedContent is missing. */ data_body = p7->d.signed_and_enveloped->enc_data->enc_data; enc_alg = p7->d.signed_and_enveloped->enc_data->algorithm; evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); @@ -468,6 +475,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) case NID_pkcs7_enveloped: rsk = p7->d.enveloped->recipientinfo; enc_alg = p7->d.enveloped->enc_data->algorithm; + /* data_body is NULL if the optional EncryptedContent is missing. */ data_body = p7->d.enveloped->enc_data->enc_data; evp_cipher = EVP_get_cipherbyobj(enc_alg->algorithm); if (evp_cipher == NULL) { 
@@ -481,6 +489,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) goto err; } + /* Detached content must be supplied via in_bio instead. */ + if (data_body == NULL && in_bio == NULL) { + PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); + goto err; + } + /* We will be checking the signature */ if (md_sk != NULL) { for (i = 0; i < sk_X509_ALGOR_num(md_sk); i++) { @@ -623,7 +637,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) etmp = NULL; } #if 1 - if (PKCS7_is_detached(p7) || (in_bio != NULL)) { + if (in_bio != NULL) { bio = in_bio; } else { # if 0 diff --git a/deps/openssl/openssl/crypto/pqueue/Makefile b/deps/openssl/openssl/crypto/pqueue/Makefile index fb36a0c876e..a59b5a9395b 100644 --- a/deps/openssl/openssl/crypto/pqueue/Makefile +++ b/deps/openssl/openssl/crypto/pqueue/Makefile @@ -61,6 +61,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/rand/Makefile b/deps/openssl/openssl/crypto/rand/Makefile index 27694aa6649..df44369a082 100644 --- a/deps/openssl/openssl/crypto/rand/Makefile +++ b/deps/openssl/openssl/crypto/rand/Makefile @@ -63,6 +63,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/rand/rand_os2.c b/deps/openssl/openssl/crypto/rand/rand_os2.c index 02148d5bf94..706ab1e8172 100644 --- a/deps/openssl/openssl/crypto/rand/rand_os2.c +++ b/deps/openssl/openssl/crypto/rand/rand_os2.c @@ -149,7 +149,7 @@ int RAND_poll(void) if (DosQuerySysState) { char *buffer = OPENSSL_malloc(256 * 1024); - if(!buffer) + if (!buffer) return 0; if (DosQuerySysState(0x1F, 0, 0, 0, buffer, 256 * 1024) == 0) { 
diff --git a/deps/openssl/openssl/crypto/rc2/Makefile b/deps/openssl/openssl/crypto/rc2/Makefile index 8a9d49ab5eb..b3727a4a6d4 100644 --- a/deps/openssl/openssl/crypto/rc2/Makefile +++ b/deps/openssl/openssl/crypto/rc2/Makefile @@ -61,6 +61,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/rc4/Makefile b/deps/openssl/openssl/crypto/rc4/Makefile index 1614d479619..f3d6e0dc040 100644 --- a/deps/openssl/openssl/crypto/rc4/Makefile +++ b/deps/openssl/openssl/crypto/rc4/Makefile @@ -89,6 +89,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/rc5/Makefile b/deps/openssl/openssl/crypto/rc5/Makefile index 8a8b00eb89e..6ca0037c681 100644 --- a/deps/openssl/openssl/crypto/rc5/Makefile +++ b/deps/openssl/openssl/crypto/rc5/Makefile @@ -69,6 +69,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/ripemd/Makefile b/deps/openssl/openssl/crypto/ripemd/Makefile index 25140b2a73e..1c3f094bb08 100644 --- a/deps/openssl/openssl/crypto/ripemd/Makefile +++ b/deps/openssl/openssl/crypto/ripemd/Makefile @@ -69,6 +69,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/rsa/Makefile b/deps/openssl/openssl/crypto/rsa/Makefile index e8121a49675..79c7c421bc0 100644 
--- a/deps/openssl/openssl/crypto/rsa/Makefile +++ b/deps/openssl/openssl/crypto/rsa/Makefile @@ -67,6 +67,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/rsa/rsa_pmeth.c b/deps/openssl/openssl/crypto/rsa/rsa_pmeth.c index d61d6e8b66a..6a7c67cdb86 100644 --- a/deps/openssl/openssl/crypto/rsa/rsa_pmeth.c +++ b/deps/openssl/openssl/crypto/rsa/rsa_pmeth.c @@ -228,8 +228,14 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, return ret; ret = sltmp; } else if (rctx->pad_mode == RSA_X931_PADDING) { - if (!setup_tbuf(rctx, ctx)) + if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { + RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_KEY_SIZE_TOO_SMALL); + return -1; + } + if (!setup_tbuf(rctx, ctx)) { + RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); return -1; + } memcpy(rctx->tbuf, tbs, tbslen); rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, diff --git a/deps/openssl/openssl/crypto/seed/Makefile b/deps/openssl/openssl/crypto/seed/Makefile index 4bc55e49164..70d3d45a2be 100644 --- a/deps/openssl/openssl/crypto/seed/Makefile +++ b/deps/openssl/openssl/crypto/seed/Makefile @@ -62,6 +62,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/sha/Makefile b/deps/openssl/openssl/crypto/sha/Makefile index 2eb2b7af992..ceb8094b0cb 100644 --- a/deps/openssl/openssl/crypto/sha/Makefile +++ b/deps/openssl/openssl/crypto/sha/Makefile 
@@ -117,6 +117,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/sha/asm/sha256-x86_64.pl b/deps/openssl/openssl/crypto/sha/asm/sha256-x86_64.pl deleted file mode 100755 index 205a8e6f9a0..00000000000 --- a/deps/openssl/openssl/crypto/sha/asm/sha256-x86_64.pl +++ /dev/null 
@@ -1,438 +0,0 @@ -#!/usr/bin/env perl -# -# ==================================================================== -# Written by Andy Polyakov for the OpenSSL -# project. Rights for redistribution and usage in source and binary -# forms are granted according to the OpenSSL license. -# ==================================================================== -# -# sha256/512_block procedure for x86_64. -# -# 40% improvement over compiler-generated code on Opteron. On EM64T -# sha256 was observed to run >80% faster and sha512 - >40%. No magical -# tricks, just straight implementation... I really wonder why gcc -# [being armed with inline assembler] fails to generate as fast code. -# The only thing which is cool about this module is that it's very -# same instruction sequence used for both SHA-256 and SHA-512. In -# former case the instructions operate on 32-bit operands, while in -# latter - on 64-bit ones. All I had to do is to get one flavor right, -# the other one passed the test right away:-) -# -# sha256_block runs in ~1005 cycles on Opteron, which gives you -# asymptotic performance of 64*1000/1005=63.7MBps times CPU clock -# frequency in GHz. sha512_block runs in ~1275 cycles, which results -# in 128*1000/1275=100MBps per GHz. Is there room for improvement? -# Well, if you compare it to IA-64 implementation, which maintains -# X[16] in register bank[!], tends to 4 instructions per CPU clock -# cycle and runs in 1003 cycles, 1275 is very good result for 3-way -# issue Opteron pipeline and X[16] maintained in memory. So that *if* -# there is a way to improve it, *then* the only way would be to try to -# offload X[16] updates to SSE unit, but that would require "deeper" -# loop unroll, which in turn would naturally cause size blow-up, not -# to mention increased complexity! And once again, only *if* it's -# actually possible to noticeably improve overall ILP, instruction -# level parallelism, on a given CPU implementation in this case. 
-# -# Special note on Intel EM64T. While Opteron CPU exhibits perfect -# perfromance ratio of 1.5 between 64- and 32-bit flavors [see above], -# [currently available] EM64T CPUs apparently are far from it. On the -# contrary, 64-bit version, sha512_block, is ~30% *slower* than 32-bit -# sha256_block:-( This is presumably because 64-bit shifts/rotates -# apparently are not atomic instructions, but implemented in microcode. - -$flavour = shift; -$output = shift; -if ($flavour =~ /\./) { $output = $flavour; undef $flavour; } - -$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/); - -$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or -( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or -die "can't locate x86_64-xlate.pl"; - -open OUT,"| \"$^X\" $xlate $flavour $output"; -*STDOUT=*OUT; - -$func="sha256_block_data_order"; -$TABLE="K256"; -$SZ=4; -@ROT=($A,$B,$C,$D,$E,$F,$G,$H)=("%eax","%ebx","%ecx","%edx", - "%r8d","%r9d","%r10d","%r11d"); -($T1,$a0,$a1,$a2)=("%r12d","%r13d","%r14d","%r15d"); -@Sigma0=( 2,13,22); -@Sigma1=( 6,11,25); -@sigma0=( 7,18, 3); -@sigma1=(17,19,10); -$rounds=64; - - -$ctx="%rdi"; # 1st arg -$round="%rdi"; # zaps $ctx -$inp="%rsi"; # 2nd arg -$Tbl="%rbp"; - -$_ctx="16*$SZ+0*8(%rsp)"; -$_inp="16*$SZ+1*8(%rsp)"; -$_end="16*$SZ+2*8(%rsp)"; -$_rsp="16*$SZ+3*8(%rsp)"; -$framesz="16*$SZ+4*8"; - - -sub ROUND_00_15() -{ my ($i,$a,$b,$c,$d,$e,$f,$g,$h) = @_; - -$code.=<<___; - ror \$`$Sigma1[2]-$Sigma1[1]`,$a0 - mov $f,$a2 - mov $T1,`$SZ*($i&0xf)`(%rsp) - - ror \$`$Sigma0[2]-$Sigma0[1]`,$a1 - xor $e,$a0 - xor $g,$a2 # f^g - - ror \$`$Sigma1[1]-$Sigma1[0]`,$a0 - add $h,$T1 # T1+=h - xor $a,$a1 - - add ($Tbl,$round,$SZ),$T1 # T1+=K[round] - and $e,$a2 # (f^g)&e - mov $b,$h - - ror \$`$Sigma0[1]-$Sigma0[0]`,$a1 - xor $e,$a0 - xor $g,$a2 # Ch(e,f,g)=((f^g)&e)^g - - xor $c,$h # b^c - xor $a,$a1 - add $a2,$T1 # T1+=Ch(e,f,g) - mov $b,$a2 - - ror \$$Sigma1[0],$a0 # Sigma1(e) - and 
$a,$h # h=(b^c)&a - and $c,$a2 # b&c - - ror \$$Sigma0[0],$a1 # Sigma0(a) - add $a0,$T1 # T1+=Sigma1(e) - add $a2,$h # h+=b&c (completes +=Maj(a,b,c) - - add $T1,$d # d+=T1 - add $T1,$h # h+=T1 - lea 1($round),$round # round++ - add $a1,$h # h+=Sigma0(a) - -___ -} - -sub ROUND_16_XX() -{ my ($i,$a,$b,$c,$d,$e,$f,$g,$h) = @_; - -$code.=<<___; - mov `$SZ*(($i+1)&0xf)`(%rsp),$a0 - mov `$SZ*(($i+14)&0xf)`(%rsp),$a1 - mov $a0,$T1 - mov $a1,$a2 - - ror \$`$sigma0[1]-$sigma0[0]`,$T1 - xor $a0,$T1 - shr \$$sigma0[2],$a0 - - ror \$$sigma0[0],$T1 - xor $T1,$a0 # sigma0(X[(i+1)&0xf]) - mov `$SZ*(($i+9)&0xf)`(%rsp),$T1 - - ror \$`$sigma1[1]-$sigma1[0]`,$a2 - xor $a1,$a2 - shr \$$sigma1[2],$a1 - - ror \$$sigma1[0],$a2 - add $a0,$T1 - xor $a2,$a1 # sigma1(X[(i+14)&0xf]) - - add `$SZ*($i&0xf)`(%rsp),$T1 - mov $e,$a0 - add $a1,$T1 - mov $a,$a1 -___ - &ROUND_00_15(@_); -} - -$code=<<___; -.text - -.globl $func -.type $func,\@function,4 -.align 16 -$func: - push %rbx - push %rbp - push %r12 - push %r13 - push %r14 - push %r15 - mov %rsp,%r11 # copy %rsp - shl \$4,%rdx # num*16 - sub \$$framesz,%rsp - lea ($inp,%rdx,$SZ),%rdx # inp+num*16*$SZ - and \$-64,%rsp # align stack frame - mov $ctx,$_ctx # save ctx, 1st arg - mov $inp,$_inp # save inp, 2nd arh - mov %rdx,$_end # save end pointer, "3rd" arg - mov %r11,$_rsp # save copy of %rsp -.Lprologue: - - lea $TABLE(%rip),$Tbl - - mov $SZ*0($ctx),$A - mov $SZ*1($ctx),$B - mov $SZ*2($ctx),$C - mov $SZ*3($ctx),$D - mov $SZ*4($ctx),$E - mov $SZ*5($ctx),$F - mov $SZ*6($ctx),$G - mov $SZ*7($ctx),$H - jmp .Lloop - -.align 16 -.Lloop: - xor $round,$round -___ - for($i=0;$i<16;$i++) { - $code.=" mov $SZ*$i($inp),$T1\n"; - $code.=" mov @ROT[4],$a0\n"; - $code.=" mov @ROT[0],$a1\n"; - $code.=" bswap $T1\n"; - &ROUND_00_15($i,@ROT); - unshift(@ROT,pop(@ROT)); - } -$code.=<<___; - jmp .Lrounds_16_xx -.align 16 -.Lrounds_16_xx: -___ - for(;$i<32;$i++) { - &ROUND_16_XX($i,@ROT); - unshift(@ROT,pop(@ROT)); - } - -$code.=<<___; - cmp \$$rounds,$round - 
jb .Lrounds_16_xx - - mov $_ctx,$ctx - lea 16*$SZ($inp),$inp - - add $SZ*0($ctx),$A - add $SZ*1($ctx),$B - add $SZ*2($ctx),$C - add $SZ*3($ctx),$D - add $SZ*4($ctx),$E - add $SZ*5($ctx),$F - add $SZ*6($ctx),$G - add $SZ*7($ctx),$H - - cmp $_end,$inp - - mov $A,$SZ*0($ctx) - mov $B,$SZ*1($ctx) - mov $C,$SZ*2($ctx) - mov $D,$SZ*3($ctx) - mov $E,$SZ*4($ctx) - mov $F,$SZ*5($ctx) - mov $G,$SZ*6($ctx) - mov $H,$SZ*7($ctx) - jb .Lloop - - mov $_rsp,%rsi - mov (%rsi),%r15 - mov 8(%rsi),%r14 - mov 16(%rsi),%r13 - mov 24(%rsi),%r12 - mov 32(%rsi),%rbp - mov 40(%rsi),%rbx - lea 48(%rsi),%rsp -.Lepilogue: - ret -.size $func,.-$func -___ - -if ($SZ==4) { -$code.=<<___; -.align 64 -.type $TABLE,\@object -$TABLE: - .long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 - .long 0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5 - .long 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3 - .long 0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174 - .long 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc - .long 0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da - .long 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7 - .long 0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967 - .long 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13 - .long 0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85 - .long 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3 - .long 0xd192e819,0xd6990624,0xf40e3585,0x106aa070 - .long 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5 - .long 0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3 - .long 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208 - .long 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 -___ -} else { -$code.=<<___; -.align 64 -.type $TABLE,\@object -$TABLE: - .quad 0x428a2f98d728ae22,0x7137449123ef65cd - .quad 0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc - .quad 0x3956c25bf348b538,0x59f111f1b605d019 - .quad 0x923f82a4af194f9b,0xab1c5ed5da6d8118 - .quad 0xd807aa98a3030242,0x12835b0145706fbe - .quad 0x243185be4ee4b28c,0x550c7dc3d5ffb4e2 - .quad 0x72be5d74f27b896f,0x80deb1fe3b1696b1 - .quad 0x9bdc06a725c71235,0xc19bf174cf692694 - .quad 
0xe49b69c19ef14ad2,0xefbe4786384f25e3 - .quad 0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65 - .quad 0x2de92c6f592b0275,0x4a7484aa6ea6e483 - .quad 0x5cb0a9dcbd41fbd4,0x76f988da831153b5 - .quad 0x983e5152ee66dfab,0xa831c66d2db43210 - .quad 0xb00327c898fb213f,0xbf597fc7beef0ee4 - .quad 0xc6e00bf33da88fc2,0xd5a79147930aa725 - .quad 0x06ca6351e003826f,0x142929670a0e6e70 - .quad 0x27b70a8546d22ffc,0x2e1b21385c26c926 - .quad 0x4d2c6dfc5ac42aed,0x53380d139d95b3df - .quad 0x650a73548baf63de,0x766a0abb3c77b2a8 - .quad 0x81c2c92e47edaee6,0x92722c851482353b - .quad 0xa2bfe8a14cf10364,0xa81a664bbc423001 - .quad 0xc24b8b70d0f89791,0xc76c51a30654be30 - .quad 0xd192e819d6ef5218,0xd69906245565a910 - .quad 0xf40e35855771202a,0x106aa07032bbd1b8 - .quad 0x19a4c116b8d2d0c8,0x1e376c085141ab53 - .quad 0x2748774cdf8eeb99,0x34b0bcb5e19b48a8 - .quad 0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb - .quad 0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3 - .quad 0x748f82ee5defb2fc,0x78a5636f43172f60 - .quad 0x84c87814a1f0ab72,0x8cc702081a6439ec - .quad 0x90befffa23631e28,0xa4506cebde82bde9 - .quad 0xbef9a3f7b2c67915,0xc67178f2e372532b - .quad 0xca273eceea26619c,0xd186b8c721c0c207 - .quad 0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178 - .quad 0x06f067aa72176fba,0x0a637dc5a2c898a6 - .quad 0x113f9804bef90dae,0x1b710b35131c471b - .quad 0x28db77f523047d84,0x32caab7b40c72493 - .quad 0x3c9ebe0a15c9bebc,0x431d67c49c100d4c - .quad 0x4cc5d4becb3e42b6,0x597f299cfc657e2a - .quad 0x5fcb6fab3ad6faec,0x6c44198c4a475817 -___ -} - -# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame, -# CONTEXT *context,DISPATCHER_CONTEXT *disp) -if ($win64) { -$rec="%rcx"; -$frame="%rdx"; -$context="%r8"; -$disp="%r9"; - -$code.=<<___; -.extern __imp_RtlVirtualUnwind -.type se_handler,\@abi-omnipotent -.align 16 -se_handler: - push %rsi - push %rdi - push %rbx - push %rbp - push %r12 - push %r13 - push %r14 - push %r15 - pushfq - sub \$64,%rsp - - mov 120($context),%rax # pull context->Rax - mov 248($context),%rbx # pull context->Rip - - lea 
.Lprologue(%rip),%r10 - cmp %r10,%rbx # context->Rip<.Lprologue - jb .Lin_prologue - - mov 152($context),%rax # pull context->Rsp - - lea .Lepilogue(%rip),%r10 - cmp %r10,%rbx # context->Rip>=.Lepilogue - jae .Lin_prologue - - mov 16*$SZ+3*8(%rax),%rax # pull $_rsp - lea 48(%rax),%rax - - mov -8(%rax),%rbx - mov -16(%rax),%rbp - mov -24(%rax),%r12 - mov -32(%rax),%r13 - mov -40(%rax),%r14 - mov -48(%rax),%r15 - mov %rbx,144($context) # restore context->Rbx - mov %rbp,160($context) # restore context->Rbp - mov %r12,216($context) # restore context->R12 - mov %r13,224($context) # restore context->R13 - mov %r14,232($context) # restore context->R14 - mov %r15,240($context) # restore context->R15 - -.Lin_prologue: - mov 8(%rax),%rdi - mov 16(%rax),%rsi - mov %rax,152($context) # restore context->Rsp - mov %rsi,168($context) # restore context->Rsi - mov %rdi,176($context) # restore context->Rdi - - mov 40($disp),%rdi # disp->ContextRecord - mov $context,%rsi # context - mov \$154,%ecx # sizeof(CONTEXT) - .long 0xa548f3fc # cld; rep movsq - - mov $disp,%rsi - xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER - mov 8(%rsi),%rdx # arg2, disp->ImageBase - mov 0(%rsi),%r8 # arg3, disp->ControlPc - mov 16(%rsi),%r9 # arg4, disp->FunctionEntry - mov 40(%rsi),%r10 # disp->ContextRecord - lea 56(%rsi),%r11 # &disp->HandlerData - lea 24(%rsi),%r12 # &disp->EstablisherFrame - mov %r10,32(%rsp) # arg5 - mov %r11,40(%rsp) # arg6 - mov %r12,48(%rsp) # arg7 - mov %rcx,56(%rsp) # arg8, (NULL) - call *__imp_RtlVirtualUnwind(%rip) - - mov \$1,%eax # ExceptionContinueSearch - add \$64,%rsp - popfq - pop %r15 - pop %r14 - pop %r13 - pop %r12 - pop %rbp - pop %rbx - pop %rdi - pop %rsi - ret -.size se_handler,.-se_handler - -.section .pdata -.align 4 - .rva .LSEH_begin_$func - .rva .LSEH_end_$func - .rva .LSEH_info_$func - -.section .xdata -.align 8 -.LSEH_info_$func: - .byte 9,0,0,0 - .rva se_handler -___ -} - -$code =~ s/\`([^\`]*)\`/eval $1/gem; -print $code; -close STDOUT; 
diff --git a/deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl b/deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl index 86c593a2c83..8d516785578 100755 --- a/deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl +++ b/deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl @@ -54,17 +54,31 @@ open OUT,"| \"$^X\" $xlate $flavour $output"; *STDOUT=*OUT; -$func="sha512_block_data_order"; -$TABLE="K512"; -$SZ=8; -@ROT=($A,$B,$C,$D,$E,$F,$G,$H)=("%rax","%rbx","%rcx","%rdx", - "%r8", "%r9", "%r10","%r11"); -($T1,$a0,$a1,$a2)=("%r12","%r13","%r14","%r15"); -@Sigma0=(28,34,39); -@Sigma1=(14,18,41); -@sigma0=(1, 8, 7); -@sigma1=(19,61, 6); -$rounds=80; +if ($output =~ /512/) { + $func="sha512_block_data_order"; + $TABLE="K512"; + $SZ=8; + @ROT=($A,$B,$C,$D,$E,$F,$G,$H)=("%rax","%rbx","%rcx","%rdx", + "%r8", "%r9", "%r10","%r11"); + ($T1,$a0,$a1,$a2)=("%r12","%r13","%r14","%r15"); + @Sigma0=(28,34,39); + @Sigma1=(14,18,41); + @sigma0=(1, 8, 7); + @sigma1=(19,61, 6); + $rounds=80; +} else { + $func="sha256_block_data_order"; + $TABLE="K256"; + $SZ=4; + @ROT=($A,$B,$C,$D,$E,$F,$G,$H)=("%eax","%ebx","%ecx","%edx", + "%r8d","%r9d","%r10d","%r11d"); + ($T1,$a0,$a1,$a2)=("%r12d","%r13d","%r14d","%r15d"); + @Sigma0=( 2,13,22); + @Sigma1=( 6,11,25); + @sigma0=( 7,18, 3); + @sigma1=(17,19,10); + $rounds=64; +} $ctx="%rdi"; # 1st arg $round="%rdi"; # zaps $ctx diff --git a/deps/openssl/openssl/crypto/srp/Makefile b/deps/openssl/openssl/crypto/srp/Makefile index 41859d46fa7..763953384b1 100644 --- a/deps/openssl/openssl/crypto/srp/Makefile +++ b/deps/openssl/openssl/crypto/srp/Makefile @@ -61,6 +61,8 @@ srptest: top srptest.c $(LIB) lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/srp/srp_vfy.c b/deps/openssl/openssl/crypto/srp/srp_vfy.c index 701b5cd0115..50f75d7e4c9 100644 --- a/deps/openssl/openssl/crypto/srp/srp_vfy.c 
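Review bot: The SHA-512/SHA-256 choice in this hunk is made with `if ($output =~ /512/)`, which matches anywhere in the output argument, not just in the file name. An output path whose directory component contains `512` would then select the SHA-512 parameters for a file meant to hold `sha256_block_data_order`, and any name without `512` silently takes the SHA-256 branch. Match on the file name only and fail on anything unexpected, for example `if ($output =~ /sha512[^\/\\]*$/) { ... } elsif ($output =~ /sha256[^\/\\]*$/) { ... } else { die "cannot infer SHA variant from $output"; }`. How `$output` is assigned is outside the hunk, so confirm what the build actually passes.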
+++ b/deps/openssl/openssl/crypto/srp/srp_vfy.c @@ -497,7 +497,8 @@ SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username) if (!SRP_user_pwd_set_ids(user, username, NULL)) goto err; - RAND_pseudo_bytes(digv, SHA_DIGEST_LENGTH); + if (RAND_pseudo_bytes(digv, SHA_DIGEST_LENGTH) < 0) + goto err; EVP_MD_CTX_init(&ctxt); EVP_DigestInit_ex(&ctxt, EVP_sha1(), NULL); EVP_DigestUpdate(&ctxt, vb->seed_key, strlen(vb->seed_key)); @@ -549,7 +550,8 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, } if (*salt == NULL) { - RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN); + if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0) + goto err; s = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); } else { @@ -609,7 +611,8 @@ int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, srp_bn_print(g); if (*salt == NULL) { - RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN); + if (RAND_pseudo_bytes(tmp2, SRP_RANDOM_SALT_LEN) < 0) + goto err; *salt = BN_bin2bn(tmp2, SRP_RANDOM_SALT_LEN, NULL); } diff --git a/deps/openssl/openssl/crypto/stack/Makefile b/deps/openssl/openssl/crypto/stack/Makefile index 5327692ac89..b069c93237a 100644 --- a/deps/openssl/openssl/crypto/stack/Makefile +++ b/deps/openssl/openssl/crypto/stack/Makefile @@ -61,6 +61,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/store/Makefile b/deps/openssl/openssl/crypto/store/Makefile index 0dcfd7857a3..5bc7ca71f03 100644 --- a/deps/openssl/openssl/crypto/store/Makefile +++ b/deps/openssl/openssl/crypto/store/Makefile @@ -63,6 +63,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) 
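Review bot: The new `< 0` checks in SRP_VBASE_get_by_user, SRP_create_verifier and SRP_create_verifier_BN still accept a return value of 0, which RAND_pseudo_bytes uses to report that bytes were produced but are not cryptographically strong. The verifier salts and the `digv` value hashed together with `vb->seed_key` would then be built from predictable output without any error. The easy_tls hunk later in this patch uses the stricter form, so the same could be applied here: `if (RAND_bytes(tmp2, SRP_RANDOM_SALT_LEN) <= 0) goto err;`, and likewise for `digv`. The `err` labels are outside these hunks, so each one should be checked to free whatever is allocated by the point of the new jump.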
diff --git a/deps/openssl/openssl/crypto/threads/th-lock.c b/deps/openssl/openssl/crypto/threads/th-lock.c index 28884c2d44f..cc8cf2581d6 100644 --- a/deps/openssl/openssl/crypto/threads/th-lock.c +++ b/deps/openssl/openssl/crypto/threads/th-lock.c @@ -117,7 +117,7 @@ void CRYPTO_thread_setup(void) int i; lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(HANDLE)); - if(!lock_cs) { + if (!lock_cs) { /* Nothing we can do about this...void function! */ return; } @@ -172,7 +172,7 @@ void CRYPTO_thread_setup(void) # else lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(rwlock_t)); # endif - if(!lock_cs) { + if (!lock_cs) { /* Nothing we can do about this...void function! */ return; } @@ -260,7 +260,7 @@ void CRYPTO_thread_setup(void) char filename[20]; lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(usema_t *)); - if(!lock_cs) { + if (!lock_cs) { /* Nothing we can do about this...void function! */ return; } @@ -328,11 +328,11 @@ void CRYPTO_thread_setup(void) lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(pthread_mutex_t)); lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); - if(!lock_cs || !lock_count) { + if (!lock_cs || !lock_count) { /* Nothing we can do about this...void function! */ - if(lock_cs) + if (lock_cs) OPENSSL_free(lock_cs); - if(lock_count) + if (lock_count) OPENSSL_free(lock_count); return; } diff --git a/deps/openssl/openssl/crypto/ts/Makefile b/deps/openssl/openssl/crypto/ts/Makefile index c18234555be..cf991efe464 100644 --- a/deps/openssl/openssl/crypto/ts/Makefile +++ b/deps/openssl/openssl/crypto/ts/Makefile @@ -73,6 +73,8 @@ tags: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/txt_db/Makefile b/deps/openssl/openssl/crypto/txt_db/Makefile index e6f30331d8d..4f70b199a5d 100644 --- a/deps/openssl/openssl/crypto/txt_db/Makefile +++ b/deps/openssl/openssl/crypto/txt_db/Makefile 
@@ -61,6 +61,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by top Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/ui/Makefile b/deps/openssl/openssl/crypto/ui/Makefile index a685659fb4c..b28fcca6d96 100644 --- a/deps/openssl/openssl/crypto/ui/Makefile +++ b/deps/openssl/openssl/crypto/ui/Makefile @@ -65,6 +65,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/whrlpool/Makefile b/deps/openssl/openssl/crypto/whrlpool/Makefile index f4d46e4d17b..befd6d6f36e 100644 --- a/deps/openssl/openssl/crypto/whrlpool/Makefile +++ b/deps/openssl/openssl/crypto/whrlpool/Makefile @@ -74,6 +74,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/x509/Makefile b/deps/openssl/openssl/crypto/x509/Makefile index 72c82278f43..af3c2551404 100644 --- a/deps/openssl/openssl/crypto/x509/Makefile +++ b/deps/openssl/openssl/crypto/x509/Makefile @@ -71,6 +71,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/x509/x509_lu.c b/deps/openssl/openssl/crypto/x509/x509_lu.c index a910636f823..8415d1d8b35 100644 --- a/deps/openssl/openssl/crypto/x509/x509_lu.c +++ b/deps/openssl/openssl/crypto/x509/x509_lu.c 
@@ -216,6 +216,8 @@ X509_STORE *X509_STORE_new(void) static void cleanup(X509_OBJECT *a) { + if (!a) + return; if (a->type == X509_LU_X509) { X509_free(a->data.x509); } else if (a->type == X509_LU_CRL) { diff --git a/deps/openssl/openssl/crypto/x509/x509_vfy.c b/deps/openssl/openssl/crypto/x509/x509_vfy.c index 136bfbda617..16db4c025a1 100644 --- a/deps/openssl/openssl/crypto/x509/x509_vfy.c +++ b/deps/openssl/openssl/crypto/x509/x509_vfy.c @@ -151,11 +151,11 @@ static int x509_subject_cmp(X509 **a, X509 **b) int X509_verify_cert(X509_STORE_CTX *ctx) { - X509 *x, *xtmp, *chain_ss = NULL; + X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; int bad_chain = 0; X509_VERIFY_PARAM *param = ctx->param; int depth, i, ok = 0; - int num; + int num, j, retry; int (*cb) (int xok, X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp = NULL; if (ctx->cert == NULL) { 
@@ -224,85 +224,118 @@ int X509_verify_cert(X509_STORE_CTX *ctx) break; } + /* Remember how many untrusted certs we have */ + j = num; /* * at this point, chain should contain a list of untrusted certificates. * We now need to add at least one trusted one, if possible, otherwise we * complain. */ - /* - * Examine last certificate in chain and see if it is self signed. - */ - - i = sk_X509_num(ctx->chain); - x = sk_X509_value(ctx->chain, i - 1); - if (ctx->check_issued(ctx, x, x)) { - /* we have a self signed certificate */ - if (sk_X509_num(ctx->chain) == 1) { - /* - * We have a single self signed certificate: see if we can find - * it in the store. We must have an exact match to avoid possible - * impersonation. - */ - ok = ctx->get_issuer(&xtmp, ctx, x); - if ((ok <= 0) || X509_cmp(x, xtmp)) { - ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; - ctx->current_cert = x; - ctx->error_depth = i - 1; - if (ok == 1) - X509_free(xtmp); - bad_chain = 1; - ok = cb(0, ctx); - if (!ok) - goto end; + do { + /* + * Examine last certificate in chain and see if it is self signed. + */ + i = sk_X509_num(ctx->chain); + x = sk_X509_value(ctx->chain, i - 1); + if (ctx->check_issued(ctx, x, x)) { + /* we have a self signed certificate */ + if (sk_X509_num(ctx->chain) == 1) { + /* + * We have a single self signed certificate: see if we can + * find it in the store. We must have an exact match to avoid + * possible impersonation. + */ + ok = ctx->get_issuer(&xtmp, ctx, x); + if ((ok <= 0) || X509_cmp(x, xtmp)) { + ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; + ctx->current_cert = x; + ctx->error_depth = i - 1; + if (ok == 1) + X509_free(xtmp); + bad_chain = 1; + ok = cb(0, ctx); + if (!ok) + goto end; + } else { + /* + * We have a match: replace certificate with store + * version so we get any trust settings. 
+ */ + X509_free(x); + x = xtmp; + (void)sk_X509_set(ctx->chain, i - 1, x); + ctx->last_untrusted = 0; + } } else { /* - * We have a match: replace certificate with store version so - * we get any trust settings. + * extract and save self signed certificate for later use */ - X509_free(x); - x = xtmp; - (void)sk_X509_set(ctx->chain, i - 1, x); - ctx->last_untrusted = 0; + chain_ss = sk_X509_pop(ctx->chain); + ctx->last_untrusted--; + num--; + j--; + x = sk_X509_value(ctx->chain, num - 1); } - } else { - /* - * extract and save self signed certificate for later use - */ - chain_ss = sk_X509_pop(ctx->chain); - ctx->last_untrusted--; - num--; - x = sk_X509_value(ctx->chain, num - 1); } - } - - /* We now lookup certs from the certificate store */ - for (;;) { - /* If we have enough, we break */ - if (depth < num) - break; - - /* If we are self signed, we break */ - if (ctx->check_issued(ctx, x, x)) - break; - - ok = ctx->get_issuer(&xtmp, ctx, x); + /* We now lookup certs from the certificate store */ + for (;;) { + /* If we have enough, we break */ + if (depth < num) + break; + /* If we are self signed, we break */ + if (ctx->check_issued(ctx, x, x)) + break; + ok = ctx->get_issuer(&xtmp, ctx, x); + if (ok < 0) + return ok; + if (ok == 0) + break; + x = xtmp; + if (!sk_X509_push(ctx->chain, x)) { + X509_free(xtmp); + X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); + return 0; + } + num++; + } - if (ok < 0) - return ok; - if (ok == 0) - break; + /* + * If we haven't got a least one certificate from our store then check + * if there is an alternative chain that could be used. 
We only do this + * if the user hasn't switched off alternate chain checking + */ + retry = 0; + if (j == ctx->last_untrusted && + !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) { + while (j-- > 1) { + xtmp2 = sk_X509_value(ctx->chain, j - 1); + ok = ctx->get_issuer(&xtmp, ctx, xtmp2); + if (ok < 0) + goto end; + /* Check if we found an alternate chain */ + if (ok > 0) { + /* + * Free up the found cert we'll add it again later + */ + X509_free(xtmp); - x = xtmp; - if (!sk_X509_push(ctx->chain, x)) { - X509_free(xtmp); - X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE); - return 0; + /* + * Dump all the certs above this point - we've found an + * alternate chain + */ + while (num > j) { + xtmp = sk_X509_pop(ctx->chain); + X509_free(xtmp); + num--; + ctx->last_untrusted--; + } + retry = 1; + break; + } + } } - num++; - } - - /* we now have our chain, lets check it... */ + } while (retry); /* Is last certificate looked up self signed? */ if (!ctx->check_issued(ctx, x, x)) { 
@@ -1604,47 +1637,84 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) ASN1_TIME atm; long offset; char buff1[24], buff2[24], *p; - int i, j; + int i, j, remaining; p = buff1; - i = ctm->length; + remaining = ctm->length; str = (char *)ctm->data; + /* + * Note that the following (historical) code allows much more slack in the + * time format than RFC5280. In RFC5280, the representation is fixed: + * UTCTime: YYMMDDHHMMSSZ + * GeneralizedTime: YYYYMMDDHHMMSSZ + */ if (ctm->type == V_ASN1_UTCTIME) { - if ((i < 11) || (i > 17)) + /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */ + int min_length = sizeof("YYMMDDHHMMZ") - 1; + int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1; + if (remaining < min_length || remaining > max_length) return 0; memcpy(p, str, 10); p += 10; str += 10; + remaining -= 10; } else { - if (i < 13) + /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */ + int min_length = sizeof("YYYYMMDDHHMMZ") - 1; + int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1; + if (remaining < min_length || remaining > max_length) return 0; memcpy(p, str, 12); p += 12; str += 12; + remaining -= 12; } if ((*str == 'Z') || (*str == '-') || (*str == '+')) { *(p++) = '0'; *(p++) = '0'; } else { + /* SS (seconds) */ + if (remaining < 2) + return 0; *(p++) = *(str++); *(p++) = *(str++); - /* Skip any fractional seconds... */ - if (*str == '.') { + remaining -= 2; + /* + * Skip any (up to three) fractional seconds... + * TODO(emilia): in RFC5280, fractional seconds are forbidden. + * Can we just kill them altogether? + */ + if (remaining && *str == '.') { str++; - while ((*str >= '0') && (*str <= '9')) - str++; + remaining--; + for (i = 0; i < 3 && remaining; i++, str++, remaining--) { + if (*str < '0' || *str > '9') + break; + } } } *(p++) = 'Z'; *(p++) = '\0'; - if (*str == 'Z') + /* We now need either a terminating 'Z' or an offset. 
*/ + if (!remaining) + return 0; + if (*str == 'Z') { + if (remaining != 1) + return 0; offset = 0; - else { + } else { + /* (+-)HHMM */ if ((*str != '+') && (*str != '-')) return 0; + /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */ + if (remaining != 5) + return 0; + if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' || + str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9') + return 0; offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60; offset += (str[3] - '0') * 10 + (str[4] - '0'); if (*str == '-') @@ -1921,6 +1991,8 @@ X509_STORE_CTX *X509_STORE_CTX_new(void) void X509_STORE_CTX_free(X509_STORE_CTX *ctx) { + if (!ctx) + return; X509_STORE_CTX_cleanup(ctx); OPENSSL_free(ctx); } diff --git a/deps/openssl/openssl/crypto/x509/x509_vfy.h b/deps/openssl/openssl/crypto/x509/x509_vfy.h index 1f8c0eccbf3..aacdf55aa27 100644 --- a/deps/openssl/openssl/crypto/x509/x509_vfy.h +++ b/deps/openssl/openssl/crypto/x509/x509_vfy.h @@ -405,6 +405,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); # define X509_V_FLAG_USE_DELTAS 0x2000 /* Check selfsigned CA signature */ # define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000 +/* + * If the initial chain is not trusted, do not attempt to build an alternative + * chain. Alternate chain checking was introduced in 1.0.1n/1.0.2b. Setting + * this flag will force the behaviour to match that of previous versions. + */ +# define X509_V_FLAG_NO_ALT_CHAINS 0x100000 # define X509_VP_FLAG_DEFAULT 0x1 # define X509_VP_FLAG_OVERWRITE 0x2 diff --git a/deps/openssl/openssl/crypto/x509/x509_vpm.c b/deps/openssl/openssl/crypto/x509/x509_vpm.c index d0543662c08..6b0bf8a6e69 100644 --- a/deps/openssl/openssl/crypto/x509/x509_vpm.c +++ b/deps/openssl/openssl/crypto/x509/x509_vpm.c @@ -100,6 +100,8 @@ X509_VERIFY_PARAM *X509_VERIFY_PARAM_new(void) void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) { + if (param == NULL) + return; x509_verify_param_zero(param); OPENSSL_free(param); } 
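Review bot: The seconds branch of X509_cmp_time copies two bytes with `*(p++) = *(str++);` after checking only `remaining < 2`, while the offset branch added in the same hunk validates every digit. Non-digit bytes in the seconds field, and in the 10 or 12 bytes taken by `memcpy`, therefore still reach `buff1` unchecked. A matching guard before the copy would be `if (str[0] < '0' || str[0] > '9' || str[1] < '0' || str[1] > '9') return 0;`. The function starts before and continues after the hunk, so how `buff1` is consumed afterwards is not visible here.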
diff --git a/deps/openssl/openssl/crypto/x509/x509type.c b/deps/openssl/openssl/crypto/x509/x509type.c index 033175257a7..9219f753bf9 100644 --- a/deps/openssl/openssl/crypto/x509/x509type.c +++ b/deps/openssl/openssl/crypto/x509/x509type.c @@ -121,9 +121,6 @@ int X509_certificate_type(X509 *x, EVP_PKEY *pkey) } } - /* /8 because it's 1024 bits we look for, not bytes */ - if (EVP_PKEY_size(pk) <= 1024 / 8) - ret |= EVP_PKT_EXP; if (pkey == NULL) EVP_PKEY_free(pk); return (ret); diff --git a/deps/openssl/openssl/crypto/x509v3/Makefile b/deps/openssl/openssl/crypto/x509v3/Makefile index 556ef351bf8..05125aba278 100644 --- a/deps/openssl/openssl/crypto/x509v3/Makefile +++ b/deps/openssl/openssl/crypto/x509v3/Makefile @@ -71,6 +71,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) diff --git a/deps/openssl/openssl/crypto/x509v3/v3_alt.c b/deps/openssl/openssl/crypto/x509v3/v3_alt.c index 807867b918c..22ec202846e 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3_alt.c +++ b/deps/openssl/openssl/crypto/x509v3/v3_alt.c 
@@ -584,24 +584,26 @@ static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) { - int ret; - STACK_OF(CONF_VALUE) *sk; - X509_NAME *nm; + int ret = 0; + STACK_OF(CONF_VALUE) *sk = NULL; + X509_NAME *nm = NULL; if (!(nm = X509_NAME_new())) - return 0; + goto err; sk = X509V3_get_section(ctx, value); if (!sk) { X509V3err(X509V3_F_DO_DIRNAME, X509V3_R_SECTION_NOT_FOUND); ERR_add_error_data(2, "section=", value); - X509_NAME_free(nm); - return 0; + goto err; } /* FIXME: should allow other character types... */ ret = X509V3_NAME_from_section(nm, sk, MBSTRING_ASC); if (!ret) - X509_NAME_free(nm); + goto err; gen->d.dirn = nm; - X509V3_section_free(ctx, sk); +err: + if (ret == 0) + X509_NAME_free(nm); + X509V3_section_free(ctx, sk); return ret; } diff --git a/deps/openssl/openssl/crypto/x509v3/v3_cpols.c b/deps/openssl/openssl/crypto/x509v3/v3_cpols.c index dca6ab2ec93..0febc1b3edc 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3_cpols.c +++ b/deps/openssl/openssl/crypto/x509v3/v3_cpols.c @@ -230,11 +230,11 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx, goto merr; if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual)) goto merr; - if(!(qual->pqualid = OBJ_nid2obj(NID_id_qt_cps))) { + if (!(qual->pqualid = OBJ_nid2obj(NID_id_qt_cps))) { X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR); goto err; } - if(!(qual->d.cpsuri = M_ASN1_IA5STRING_new())) + if (!(qual->d.cpsuri = M_ASN1_IA5STRING_new())) goto merr; if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value, strlen(cnf->value))) @@ -294,7 +294,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, POLICYQUALINFO *qual; if (!(qual = POLICYQUALINFO_new())) goto merr; - if(!(qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice))) { + if (!(qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice))) { X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR); goto err; } 
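Review bot: In do_dirname the `err:` label is now also the success exit, and it calls `X509V3_section_free(ctx, sk)` with `sk == NULL` whenever `X509_NAME_new()` or `X509V3_get_section()` fails. That is only safe if X509V3_section_free accepts a NULL section, which this hunk does not show; `if (sk) X509V3_section_free(ctx, sk);` removes the dependency. Renaming the label to `done:`, or adding `/* reached on success and on failure; ret decides whether nm is freed */`, would make the shared exit clear to the next reader.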
@@ -304,7 +304,7 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx, for (i = 0; i < sk_CONF_VALUE_num(unot); i++) { cnf = sk_CONF_VALUE_value(unot, i); if (!strcmp(cnf->name, "explicitText")) { - if(!(not->exptext = M_ASN1_VISIBLESTRING_new())) + if (!(not->exptext = M_ASN1_VISIBLESTRING_new())) goto merr; if (!ASN1_STRING_set(not->exptext, cnf->value, strlen(cnf->value))) diff --git a/deps/openssl/openssl/crypto/x509v3/v3_utl.c b/deps/openssl/openssl/crypto/x509v3/v3_utl.c index 65dd1e2fb35..94aaebba3e3 100644 --- a/deps/openssl/openssl/crypto/x509v3/v3_utl.c +++ b/deps/openssl/openssl/crypto/x509v3/v3_utl.c @@ -285,6 +285,10 @@ STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line) int state; /* We are going to modify the line so copy it first */ linebuf = BUF_strdup(line); + if (linebuf == NULL) { + X509V3err(X509V3_F_X509V3_PARSE_LIST, ERR_R_MALLOC_FAILURE); + goto err; + } state = HDR_NAME; ntmp = NULL; /* Go through all characters */ diff --git a/deps/openssl/openssl/demos/easy_tls/easy-tls.c b/deps/openssl/openssl/demos/easy_tls/easy-tls.c index acc688aaf4b..5682e91a479 100644 --- a/deps/openssl/openssl/demos/easy_tls/easy-tls.c +++ b/deps/openssl/openssl/demos/easy_tls/easy-tls.c @@ -761,7 +761,8 @@ SSL_CTX *tls_create_ctx(struct tls_create_ctx_args a, void *apparg) if (tls_dhe1024 == NULL) { int i; - RAND_bytes((unsigned char *)&i, sizeof i); + if (RAND_bytes((unsigned char *)&i, sizeof i) <= 0) + goto err_return; /* * make sure that i is non-negative -- pick one of the provided * seeds diff --git a/deps/openssl/openssl/doc/apps/cms.pod b/deps/openssl/openssl/doc/apps/cms.pod index 75b698834a2..9a24082ba2c 100644 --- a/deps/openssl/openssl/doc/apps/cms.pod +++ b/deps/openssl/openssl/doc/apps/cms.pod @@ -35,6 +35,7 @@ B B [B<-print>] [B<-CAfile file>] [B<-CApath dir>] +[B<-no_alt_chains>] [B<-md digest>] [B<-[cipher]>] [B<-nointern>] 
@@ -406,7 +407,7 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. @@ -614,4 +615,6 @@ The use of multiple B<-signer> options and the B<-resign> command were first added in OpenSSL 1.0.0 +The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. + =cut diff --git a/deps/openssl/openssl/doc/apps/config.pod b/deps/openssl/openssl/doc/apps/config.pod index d5cce54f44a..e12591528c0 100644 --- a/deps/openssl/openssl/doc/apps/config.pod +++ b/deps/openssl/openssl/doc/apps/config.pod 
@@ -277,6 +277,59 @@ priority and B used if neither is defined: # The above value is used if TEMP isn't in the environment tmpfile=${ENV::TEMP}/tmp.filename +Simple OpenSSL library configuration example to enter FIPS mode: + + # Default appname: should match "appname" parameter (if any) + # supplied to CONF_modules_load_file et al. + openssl_conf = openssl_conf_section + + [openssl_conf_section] + # Configuration module list + alg_section = evp_sect + + [evp_sect] + # Set to "yes" to enter FIPS mode if supported + fips_mode = yes + +Note: in the above example you will get an error in non FIPS capable versions +of OpenSSL. + +More complex OpenSSL library configuration. Add OID and don't enter FIPS mode: + + # Default appname: should match "appname" parameter (if any) + # supplied to CONF_modules_load_file et al. + openssl_conf = openssl_conf_section + + [openssl_conf_section] + # Configuration module list + alg_section = evp_sect + oid_section = new_oids + + [evp_sect] + # This will have no effect as FIPS mode is off by default. + # Set to "yes" to enter FIPS mode, if supported + fips_mode = no + + [new_oids] + # New OID, just short name + newoid1 = 1.2.3.4.1 + # New OID shortname and long name + newoid2 = New OID 2 long name, 1.2.3.4.2 + +The above examples can be used with with any application supporting library +configuration if "openssl_conf" is modified to match the appropriate "appname". + +For example if the second sample file above is saved to "example.cnf" then +the command line: + + OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1 + +will output: + + 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1 + +showing that the OID "newoid1" has been added as "1.2.3.4.1". + =head1 BUGS Currently there is no way to include characters using the octal B<\nnn> diff --git a/deps/openssl/openssl/doc/apps/dhparam.pod b/deps/openssl/openssl/doc/apps/dhparam.pod index 6e27cf5c151..1cd4c76663c 100644 --- a/deps/openssl/openssl/doc/apps/dhparam.pod 
+++ b/deps/openssl/openssl/doc/apps/dhparam.pod @@ -71,8 +71,10 @@ check if the parameters are valid primes and generator. =item B<-2>, B<-5> -The generator to use, either 2 or 5. 2 is the default. If present then the -input file is ignored and parameters are generated instead. +The generator to use, either 2 or 5. If present then the +input file is ignored and parameters are generated instead. If not +present but B is present, parameters are generated with the +default generator 2. =item B<-rand> I @@ -85,9 +87,10 @@ all others. =item I this option specifies that a parameter set should be generated of size -I. It must be the last option. If not present then a value of 512 -is used. If this option is present then the input file is ignored and -parameters are generated instead. +I. It must be the last option. If this option is present then +the input file is ignored and parameters are generated instead. If +this option is not present but a generator (B<-2> or B<-5>) is +present, parameters are generated with a default length of 2048 bits. =item B<-noout> diff --git a/deps/openssl/openssl/doc/apps/ocsp.pod b/deps/openssl/openssl/doc/apps/ocsp.pod index 2372b373cdc..fdb900c3c4d 100644 --- a/deps/openssl/openssl/doc/apps/ocsp.pod +++ b/deps/openssl/openssl/doc/apps/ocsp.pod @@ -29,6 +29,7 @@ B B [B<-path>] [B<-CApath dir>] [B<-CAfile file>] +[B<-no_alt_chains>]] [B<-VAfile file>] [B<-validity_period n>] [B<-status_age n>] @@ -143,6 +144,10 @@ connection timeout to the OCSP responder in seconds file or pathname containing trusted CA certificates. These are used to verify the signature on the OCSP response. +=item B<-no_alt_chains> + +See L|verify(1)> manual page for details. + =item B<-verify_other file> file containing additional certificates to search when attempting to locate 
@@ -379,3 +384,9 @@ second file. openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem -reqin req.der -respout resp.der + +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. + +=cut diff --git a/deps/openssl/openssl/doc/apps/s_client.pod b/deps/openssl/openssl/doc/apps/s_client.pod index b021c730c02..d92ec9367f6 100644 --- a/deps/openssl/openssl/doc/apps/s_client.pod +++ b/deps/openssl/openssl/doc/apps/s_client.pod @@ -19,6 +19,7 @@ B B [B<-pass arg>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-no_alt_chains>] [B<-reconnect>] [B<-pause>] [B<-showcerts>] @@ -116,7 +117,7 @@ also used when building the client certificate chain. A file containing trusted certificates to use during server authentication and to use when attempting to build the client certificate chain. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> Set various certificate chain valiadition option. See the L|verify(1)> manual page for details. @@ -347,4 +348,8 @@ information whenever a session is renegotiated. L, L, L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. + =cut diff --git a/deps/openssl/openssl/doc/apps/s_server.pod b/deps/openssl/openssl/doc/apps/s_server.pod index 2105b603b7b..491038eca3f 100644 --- a/deps/openssl/openssl/doc/apps/s_server.pod +++ b/deps/openssl/openssl/doc/apps/s_server.pod @@ -33,6 +33,7 @@ B B [B<-state>] [B<-CApath directory>] [B<-CAfile filename>] +[B<-no_alt_chains>] [B<-nocert>] [B<-cipher cipherlist>] [B<-serverpref>] 
@@ -178,6 +179,10 @@ and to use when attempting to build the server certificate chain. The list is also used in the list of acceptable client CAs passed to the client when a certificate is requested. +=item B<-no_alt_chains> + +See the L|verify(1)> manual page for details. + =item B<-state> prints out the SSL session states. @@ -398,4 +403,8 @@ unknown cipher suites a client says it supports. L, L, L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. + =cut diff --git a/deps/openssl/openssl/doc/apps/smime.pod b/deps/openssl/openssl/doc/apps/smime.pod index d39a59a90d8..94a88238520 100644 --- a/deps/openssl/openssl/doc/apps/smime.pod +++ b/deps/openssl/openssl/doc/apps/smime.pod @@ -15,6 +15,7 @@ B B [B<-pk7out>] [B<-[cipher]>] [B<-in file>] +[B<-no_alt_chains>] [B<-certfile file>] [B<-signer file>] [B<-recip file>] @@ -259,7 +260,7 @@ portion of a message so they may be included manually. If signing then many S/MIME mail clients check the signers certificate's email address matches that specified in the From: address. -=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> +=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> Set various options of certificate chain verification. See L|verify(1)> manual page for details. @@ -441,5 +442,6 @@ structures may cause parsing errors. The use of multiple B<-signer> options and the B<-resign> command were first added in OpenSSL 1.0.0 +The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. =cut diff --git a/deps/openssl/openssl/doc/apps/verify.pod b/deps/openssl/openssl/doc/apps/verify.pod index 0c8e4926ccf..18eeee04b93 100644 --- a/deps/openssl/openssl/doc/apps/verify.pod +++ b/deps/openssl/openssl/doc/apps/verify.pod 
@@ -22,6 +22,7 @@ B B [B<-extended_crl>] [B<-use_deltas>] [B<-policy_print>] +[B<-no_alt_chains>] [B<-untrusted file>] [B<-help>] [B<-issuer_checks>] @@ -108,6 +109,14 @@ Set policy variable inhibit-any-policy (see RFC5280). Set policy variable inhibit-policy-mapping (see RFC5280). +=item B<-no_alt_chains> + +When building a certificate chain, if the first certificate chain found is not +trusted, then OpenSSL will continue to check to see if an alternative chain can +be found that is trusted. With this option that behaviour is suppressed so that +only the first chain found is ever used. Using this option will force the +behaviour to match that of previous OpenSSL versions. + =item B<-policy_print> Print out diagnostics related to policy processing. @@ -409,4 +418,8 @@ B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes. L +=head1 HISTORY + +The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. + =cut diff --git a/deps/openssl/openssl/doc/crypto/BN_rand.pod b/deps/openssl/openssl/doc/crypto/BN_rand.pod index 81f93c2eb3a..3b2796c5df4 100644 --- a/deps/openssl/openssl/doc/crypto/BN_rand.pod +++ b/deps/openssl/openssl/doc/crypto/BN_rand.pod @@ -24,7 +24,8 @@ most significant bit of the random number can be zero. If B is 0, it is set to 1, and if B is 1, the two most significant bits of the number will be set to 1, so that the product of two such random numbers will always have 2*B length. If B is true, the -number will be odd. +number will be odd. The value of B must be zero or greater. If B is +1 then B cannot also be 1. BN_pseudo_rand() does the same, but pseudo-random numbers generated by this function are not necessarily unpredictable. They can be used for diff --git a/deps/openssl/openssl/doc/crypto/BN_set_bit.pod b/deps/openssl/openssl/doc/crypto/BN_set_bit.pod index b7c47b9b015..a32cca2cee6 100644 --- a/deps/openssl/openssl/doc/crypto/BN_set_bit.pod +++ b/deps/openssl/openssl/doc/crypto/BN_set_bit.pod 
@@ -37,12 +37,12 @@ BN_mask_bits() truncates B to an B bit number shorter than B bits. BN_lshift() shifts B left by B bits and places the result in -B (C). BN_lshift1() shifts B left by one and places -the result in B (C). +B (C). Note that B must be non-negative. BN_lshift1() shifts +B left by one and places the result in B (C). BN_rshift() shifts B right by B bits and places the result in -B (C). BN_rshift1() shifts B right by one and places -the result in B (C). +B (C). Note that B must be non-negative. BN_rshift1() shifts +B right by one and places the result in B (C). For the shift functions, B and B may be the same variable. diff --git a/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod b/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod index 46cac2bea2b..9d86d4642c2 100644 --- a/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +++ b/deps/openssl/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod @@ -133,6 +133,12 @@ verification. If this flag is set then additional status codes will be sent to the verification callback and it B be prepared to handle such cases without assuming they are hard errors. +The B flag suppresses checking for alternative +chains. By default, when building a certificate chain, if the first certificate +chain found is not trusted, then OpenSSL will continue to check to see if an +alternative chain can be found that is trusted. With this flag set the behaviour +will match that of OpenSSL versions prior to 1.0.1n and 1.0.2b. + =head1 NOTES The above functions should be used to manipulate verification parameters @@ -166,6 +172,6 @@ L =head1 HISTORY -TBA +The B flag was added in OpenSSL 1.0.1n and 1.0.2b =cut diff --git a/deps/openssl/openssl/doc/crypto/pem.pod b/deps/openssl/openssl/doc/crypto/pem.pod index 21e9fe3b98a..763eb6f5339 100644 --- a/deps/openssl/openssl/doc/crypto/pem.pod +++ b/deps/openssl/openssl/doc/crypto/pem.pod 
@@ -2,7 +2,29 @@ =head1 NAME -PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey, PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey, PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid, PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY, PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey, PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey, PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey, PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY, PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey, PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey, PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY, PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams, PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams, PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams, PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509, PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX, PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ, PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW, PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL, PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7, PEM_write_bio_PKCS7, PEM_write_PKCS7, PEM_read_bio_NETSCAPE_CERT_SEQUENCE, PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE, PEM_write_NETSCAPE_CERT_SEQUENCE - PEM routines +PEM, PEM_read_bio_PrivateKey, PEM_read_PrivateKey, PEM_write_bio_PrivateKey, +PEM_write_PrivateKey, PEM_write_bio_PKCS8PrivateKey, PEM_write_PKCS8PrivateKey, +PEM_write_bio_PKCS8PrivateKey_nid, PEM_write_PKCS8PrivateKey_nid, +PEM_read_bio_PUBKEY, PEM_read_PUBKEY, PEM_write_bio_PUBKEY, PEM_write_PUBKEY, +PEM_read_bio_RSAPrivateKey, PEM_read_RSAPrivateKey, 
+PEM_write_bio_RSAPrivateKey, PEM_write_RSAPrivateKey, +PEM_read_bio_RSAPublicKey, PEM_read_RSAPublicKey, PEM_write_bio_RSAPublicKey, +PEM_write_RSAPublicKey, PEM_read_bio_RSA_PUBKEY, PEM_read_RSA_PUBKEY, +PEM_write_bio_RSA_PUBKEY, PEM_write_RSA_PUBKEY, PEM_read_bio_DSAPrivateKey, +PEM_read_DSAPrivateKey, PEM_write_bio_DSAPrivateKey, PEM_write_DSAPrivateKey, +PEM_read_bio_DSA_PUBKEY, PEM_read_DSA_PUBKEY, PEM_write_bio_DSA_PUBKEY, +PEM_write_DSA_PUBKEY, PEM_read_bio_DSAparams, PEM_read_DSAparams, +PEM_write_bio_DSAparams, PEM_write_DSAparams, PEM_read_bio_DHparams, +PEM_read_DHparams, PEM_write_bio_DHparams, PEM_write_DHparams, +PEM_read_bio_X509, PEM_read_X509, PEM_write_bio_X509, PEM_write_X509, +PEM_read_bio_X509_AUX, PEM_read_X509_AUX, PEM_write_bio_X509_AUX, +PEM_write_X509_AUX, PEM_read_bio_X509_REQ, PEM_read_X509_REQ, +PEM_write_bio_X509_REQ, PEM_write_X509_REQ, PEM_write_bio_X509_REQ_NEW, +PEM_write_X509_REQ_NEW, PEM_read_bio_X509_CRL, PEM_read_X509_CRL, +PEM_write_bio_X509_CRL, PEM_write_X509_CRL, PEM_read_bio_PKCS7, PEM_read_PKCS7, +PEM_write_bio_PKCS7, PEM_write_PKCS7, PEM_read_bio_NETSCAPE_CERT_SEQUENCE, +PEM_read_NETSCAPE_CERT_SEQUENCE, PEM_write_bio_NETSCAPE_CERT_SEQUENCE, +PEM_write_NETSCAPE_CERT_SEQUENCE - PEM routines =head1 SYNOPSIS @@ -239,7 +261,8 @@ SubjectPublicKeyInfo structure and an error occurs if the public key is not DSA. The B functions process DSA parameters using a DSA -structure. The parameters are encoded using a foobar structure. +structure. The parameters are encoded using a Dss-Parms structure +as defined in RFC2459. The B functions process DH parameters using a DH structure. The parameters are encoded using a PKCS#3 DHparameter diff --git a/deps/openssl/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod b/deps/openssl/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod index 7a27eef50b1..b754c16a86e 100644 --- a/deps/openssl/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod 
+++ b/deps/openssl/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod @@ -61,12 +61,12 @@ negotiation is being saved. If "strong" primes were used to generate the DH parameters, it is not strictly necessary to generate a new key for each handshake but it does improve forward -secrecy. If it is not assured, that "strong" primes were used (see especially -the section about DSA parameters below), SSL_OP_SINGLE_DH_USE must be used -in order to prevent small subgroup attacks. Always using SSL_OP_SINGLE_DH_USE -has an impact on the computer time needed during negotiation, but it is not -very large, so application authors/users should consider to always enable -this option. +secrecy. If it is not assured that "strong" primes were used, +SSL_OP_SINGLE_DH_USE must be used in order to prevent small subgroup +attacks. Always using SSL_OP_SINGLE_DH_USE has an impact on the +computer time needed during negotiation, but it is not very large, so +application authors/users should consider always enabling this option. +The option is required to implement perfect forward secrecy (PFS). As generating DH parameters is extremely time consuming, an application should not generate the parameters on the fly but supply the parameters. 
@@ -74,82 +74,62 @@ DH parameters can be reused, as the actual key is newly generated during the negotiation. The risk in reusing DH parameters is that an attacker may specialize on a very often used DH group. Applications should therefore generate their own DH parameters during the installation process using the -openssl L application. In order to reduce the computer -time needed for this generation, it is possible to use DSA parameters -instead (see L), but in this case SSL_OP_SINGLE_DH_USE -is mandatory. +openssl L application. This application +guarantees that "strong" primes are used. -Application authors may compile in DH parameters. Files dh512.pem, -dh1024.pem, dh2048.pem, and dh4096.pem in the 'apps' directory of current +Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current version of the OpenSSL distribution contain the 'SKIP' DH parameters, which use safe primes and were generated verifiably pseudo-randomly. These files can be converted into C code using the B<-C> option of the -L application. -Authors may also generate their own set of parameters using -L, but a user may not be sure how the parameters were -generated. The generation of DH parameters during installation is therefore -recommended. +L application. Generation of custom DH +parameters during installation should still be preferred to stop an +attacker from specializing on a commonly used group. Files dh1024.pem +and dh512.pem contain old parameters that must not be used by +applications. An application may either directly specify the DH parameters or -can supply the DH parameters via a callback function. The callback approach -has the advantage, that the callback may supply DH parameters for different -key lengths. +can supply the DH parameters via a callback function. -The B is called with the B needed and -the B information. The B flag is set, when the -ephemeral DH key exchange is performed with an export cipher. 
+Previous versions of the callback used B and B +parameters to control parameter generation for export and non-export +cipher suites. Modern servers that do not support export ciphersuites +are advised to either use SSL_CTX_set_tmp_dh() in combination with +SSL_OP_SINGLE_DH_USE, or alternatively, use the callback but ignore +B and B and simply supply at least 2048-bit +parameters in the callback. =head1 EXAMPLES -Handle DH parameters for key lengths of 512 and 1024 bits. (Error handling +Setup DH parameters with a key length of 2048 bits. (Error handling partly left out.) - ... - /* Set up ephemeral DH stuff */ - DH *dh_512 = NULL; - DH *dh_1024 = NULL; - FILE *paramfile; + Command-line parameter generation: + $ openssl dhparam -out dh_param_2048.pem 2048 + + Code for setting up parameters during server initialization: ... - /* "openssl dhparam -out dh_param_512.pem -2 512" */ - paramfile = fopen("dh_param_512.pem", "r"); + SSL_CTX ctx = SSL_CTX_new(); + ... + + /* Set up ephemeral DH parameters. */ + DH *dh_2048 = NULL; + FILE *paramfile; + paramfile = fopen("dh_param_2048.pem", "r"); if (paramfile) { - dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); + dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); fclose(paramfile); + } else { + /* Error. */ } - /* "openssl dhparam -out dh_param_1024.pem -2 1024" */ - paramfile = fopen("dh_param_1024.pem", "r"); - if (paramfile) { - dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); - fclose(paramfile); + if (dh_2048 == NULL) { + /* Error. */ } - ... - - /* "openssl dhparam -C -2 512" etc... */ - DH *get_dh512() { ... } - DH *get_dh1024() { ... 
} - - DH *tmp_dh_callback(SSL *s, int is_export, int keylength) - { - DH *dh_tmp=NULL; - - switch (keylength) { - case 512: - if (!dh_512) - dh_512 = get_dh512(); - dh_tmp = dh_512; - break; - case 1024: - if (!dh_1024) - dh_1024 = get_dh1024(); - dh_tmp = dh_1024; - break; - default: - /* Generating a key on the fly is very costly, so use what is there */ - setup_dh_parameters_like_above(); - } - return(dh_tmp); + if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) { + /* Error. */ } + SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); + ... =head1 RETURN VALUES diff --git a/deps/openssl/openssl/e_os2.h b/deps/openssl/openssl/e_os2.h index d400ac77cf1..2b1b78ffea2 100644 --- a/deps/openssl/openssl/e_os2.h +++ b/deps/openssl/openssl/e_os2.h @@ -109,6 +109,12 @@ extern "C" { # undef OPENSSL_SYS_UNIX # define OPENSSL_SYS_WIN32 # endif +# if defined(_WIN64) || defined(OPENSSL_SYSNAME_WIN64) +# undef OPENSSL_SYS_UNIX +# if !defined(OPENSSL_SYS_WIN64) +# define OPENSSL_SYS_WIN64 +# endif +# endif # if defined(OPENSSL_SYSNAME_WINNT) # undef OPENSSL_SYS_UNIX # define OPENSSL_SYS_WINNT @@ -121,7 +127,7 @@ extern "C" { # endif /* Anything that tries to look like Microsoft is "Windows" */ -# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINNT) || defined(OPENSSL_SYS_WINCE) +# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN64) || defined(OPENSSL_SYS_WINNT) || defined(OPENSSL_SYS_WINCE) # undef OPENSSL_SYS_UNIX # define OPENSSL_SYS_WINDOWS # ifndef OPENSSL_SYS_MSDOS diff --git a/deps/openssl/openssl/engines/Makefile b/deps/openssl/openssl/engines/Makefile index 2fa9534401b..23bd2f37f89 100644 --- a/deps/openssl/openssl/engines/Makefile +++ b/deps/openssl/openssl/engines/Makefile 
@@ -146,12 +146,15 @@ lint: lint -DLINT $(INCLUDES) $(SRC)>fluff @target=lint; $(RECURSIVE_MAKE) -depend: - @if [ -z "$(THIS)" ]; then \ - $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \ - fi - @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) +update: local_depend + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi + @[ -z "$(THIS)" ] || (set -e; target=update; $(RECURSIVE_MAKE) ) + +depend: local_depend + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi @[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) ) +local_depend: + @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new diff --git a/deps/openssl/openssl/engines/ccgost/Makefile b/deps/openssl/openssl/engines/ccgost/Makefile index d661c108285..4e183a467b4 100644 --- a/deps/openssl/openssl/engines/ccgost/Makefile +++ b/deps/openssl/openssl/engines/ccgost/Makefile @@ -66,12 +66,13 @@ links: tests: -depend: - @if [ -z "$(THIS)" ]; then \ - $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \ - else \ - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC); \ - fi +update: local_depend + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi + +depend: local_depend + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi +local_depend: + @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) files: 
@@ -262,8 +263,9 @@ gost_sign.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h gost_sign.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h gost_sign.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h gost_sign.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h -gost_sign.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h -gost_sign.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +gost_sign.o: ../../include/openssl/err.h ../../include/openssl/evp.h +gost_sign.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +gost_sign.o: ../../include/openssl/objects.h gost_sign.o: ../../include/openssl/opensslconf.h gost_sign.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h gost_sign.o: ../../include/openssl/pkcs7.h ../../include/openssl/rand.h diff --git a/deps/openssl/openssl/engines/ccgost/e_gost_err.c b/deps/openssl/openssl/engines/ccgost/e_gost_err.c index 3201b648fb2..80ef58f8ca3 100644 --- a/deps/openssl/openssl/engines/ccgost/e_gost_err.c +++ b/deps/openssl/openssl/engines/ccgost/e_gost_err.c @@ -1,6 +1,6 @@ /* e_gost_err.c */ /* ==================================================================== - * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -90,6 +90,7 @@ static ERR_STRING_DATA GOST_str_functs[] = { {ERR_FUNC(GOST_F_GOST_IMIT_CTRL), "GOST_IMIT_CTRL"}, {ERR_FUNC(GOST_F_GOST_IMIT_FINAL), "GOST_IMIT_FINAL"}, {ERR_FUNC(GOST_F_GOST_IMIT_UPDATE), "GOST_IMIT_UPDATE"}, + {ERR_FUNC(GOST_F_GOST_SIGN_KEYGEN), "GOST_SIGN_KEYGEN"}, {ERR_FUNC(GOST_F_PARAM_COPY_GOST01), "PARAM_COPY_GOST01"}, {ERR_FUNC(GOST_F_PARAM_COPY_GOST94), "PARAM_COPY_GOST94"}, {ERR_FUNC(GOST_F_PKEY_GOST01CP_DECRYPT), "PKEY_GOST01CP_DECRYPT"}, 
diff --git a/deps/openssl/openssl/engines/ccgost/e_gost_err.h b/deps/openssl/openssl/engines/ccgost/e_gost_err.h index 92be558452f..a2018ec4de9 100644 --- a/deps/openssl/openssl/engines/ccgost/e_gost_err.h +++ b/deps/openssl/openssl/engines/ccgost/e_gost_err.h @@ -90,6 +90,7 @@ void ERR_GOST_error(int function, int reason, char *file, int line); # define GOST_F_GOST_IMIT_CTRL 114 # define GOST_F_GOST_IMIT_FINAL 140 # define GOST_F_GOST_IMIT_UPDATE 115 +# define GOST_F_GOST_SIGN_KEYGEN 142 # define GOST_F_PARAM_COPY_GOST01 116 # define GOST_F_PARAM_COPY_GOST94 117 # define GOST_F_PKEY_GOST01CP_DECRYPT 118 diff --git a/deps/openssl/openssl/engines/ccgost/gost2001.c b/deps/openssl/openssl/engines/ccgost/gost2001.c index 2b96694821e..9536295430d 100644 --- a/deps/openssl/openssl/engines/ccgost/gost2001.c +++ b/deps/openssl/openssl/engines/ccgost/gost2001.c @@ -41,6 +41,11 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) BN_CTX *ctx = BN_CTX_new(); int ok = 0; + if(!ctx) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); + goto err; + } + BN_CTX_start(ctx); p = BN_CTX_get(ctx); a = BN_CTX_get(ctx); @@ -48,6 +53,10 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) x = BN_CTX_get(ctx); y = BN_CTX_get(ctx); q = BN_CTX_get(ctx); + if(!p || !a || !b || !x || !y || !q) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); + goto err; + } while (params->nid != NID_undef && params->nid != nid) params++; if (params->nid == NID_undef) { 
@@ -55,18 +64,33 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) GOST_R_UNSUPPORTED_PARAMETER_SET); goto err; } - BN_hex2bn(&p, params->p); - BN_hex2bn(&a, params->a); - BN_hex2bn(&b, params->b); + if(!BN_hex2bn(&p, params->p) + || !BN_hex2bn(&a, params->a) + || !BN_hex2bn(&b, params->b)) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, + ERR_R_INTERNAL_ERROR); + goto err; + } grp = EC_GROUP_new_curve_GFp(p, a, b, ctx); + if(!grp) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); + goto err; + } P = EC_POINT_new(grp); + if(!P) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_MALLOC_FAILURE); + goto err; + } - BN_hex2bn(&x, params->x); - BN_hex2bn(&y, params->y); - EC_POINT_set_affine_coordinates_GFp(grp, P, x, y, ctx); - BN_hex2bn(&q, params->q); + if(!BN_hex2bn(&x, params->x) + || !BN_hex2bn(&y, params->y) + || !EC_POINT_set_affine_coordinates_GFp(grp, P, x, y, ctx) + || !BN_hex2bn(&q, params->q)) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_KEYS fprintf(stderr, "Set params index %d oid %s\nq=", (params - R3410_2001_paramset), OBJ_nid2sn(params->nid)); @@ -74,16 +98,23 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) fprintf(stderr, "\n"); #endif - EC_GROUP_set_generator(grp, P, q, NULL); + if(!EC_GROUP_set_generator(grp, P, q, NULL)) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_INTERNAL_ERROR); + goto err; + } EC_GROUP_set_curve_name(grp, params->nid); - - EC_KEY_set_group(eckey, grp); + if(!EC_KEY_set_group(eckey, grp)) { + GOSTerr(GOST_F_FILL_GOST2001_PARAMS, ERR_R_INTERNAL_ERROR); + goto err; + } ok = 1; err: - EC_POINT_free(P); - EC_GROUP_free(grp); - BN_CTX_end(ctx); - BN_CTX_free(ctx); + if (P) EC_POINT_free(P); + if (grp) EC_GROUP_free(grp); + if (ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } return ok; } 
@@ -94,7 +125,7 @@ int fill_GOST2001_params(EC_KEY *eckey, int nid) */ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) { - DSA_SIG *newsig = NULL; + DSA_SIG *newsig = NULL, *ret = NULL; BIGNUM *md = hashsum2bn(dgst); BIGNUM *order = NULL; const EC_GROUP *group; @@ -103,6 +134,10 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) NULL, *e = NULL; EC_POINT *C = NULL; BN_CTX *ctx = BN_CTX_new(); + if(!ctx || !md) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } BN_CTX_start(ctx); OPENSSL_assert(dlen == 32); newsig = DSA_SIG_new(); @@ -111,11 +146,25 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) goto err; } group = EC_KEY_get0_group(eckey); + if(!group) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } order = BN_CTX_get(ctx); - EC_GROUP_get_order(group, order, ctx); + if(!order || !EC_GROUP_get_order(group, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } priv_key = EC_KEY_get0_private_key(eckey); + if(!priv_key) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } e = BN_CTX_get(ctx); - BN_mod(e, md, order, ctx); + if(!e || !BN_mod(e, md, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_SIGN fprintf(stderr, "digest as bignum="); BN_print_fp(stderr, md); 
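Review bot: The new `if(!ctx || !md)` guard in gost2001_do_sign jumps to `err` before `BN_CTX_start(ctx)` has run, yet the rewritten `err:` path in the later hunk calls `BN_CTX_end(ctx)` whenever `ctx` is non-NULL. If `hashsum2bn()` fails while `BN_CTX_new()` succeeds, the context is ended without having been started, which breaks the start/end pairing the BN_CTX API expects. Testing `ctx` alone first, then calling `BN_CTX_start(ctx);`, then testing `md` keeps the pairing balanced. gost2001_do_verify has the same shape, with `if(!ctx || !group)` placed ahead of its `BN_CTX_start(ctx)`. Both function bodies extend beyond the hunks shown.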
@@ -128,55 +177,80 @@ DSA_SIG *gost2001_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) } k = BN_CTX_get(ctx); C = EC_POINT_new(group); + if(!k || !C) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } do { do { if (!BN_rand_range(k, order)) { GOSTerr(GOST_F_GOST2001_DO_SIGN, GOST_R_RANDOM_NUMBER_GENERATOR_FAILED); - DSA_SIG_free(newsig); - newsig = NULL; goto err; } if (!EC_POINT_mul(group, C, k, NULL, NULL, ctx)) { GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_EC_LIB); - DSA_SIG_free(newsig); - newsig = NULL; goto err; } if (!X) X = BN_CTX_get(ctx); + if (!r) + r = BN_CTX_get(ctx); + if (!X || !r) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } if (!EC_POINT_get_affine_coordinates_GFp(group, C, X, NULL, ctx)) { GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_EC_LIB); - DSA_SIG_free(newsig); - newsig = NULL; goto err; } - if (!r) - r = BN_CTX_get(ctx); - BN_nnmod(r, X, order, ctx); + + if(!BN_nnmod(r, X, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } } while (BN_is_zero(r)); /* s = (r*priv_key+k*e) mod order */ if (!tmp) tmp = BN_CTX_get(ctx); - BN_mod_mul(tmp, priv_key, r, order, ctx); if (!tmp2) tmp2 = BN_CTX_get(ctx); - BN_mod_mul(tmp2, k, e, order, ctx); if (!s) s = BN_CTX_get(ctx); - BN_mod_add(s, tmp, tmp2, order, ctx); + if (!tmp || !tmp2 || !s) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } + + if(!BN_mod_mul(tmp, priv_key, r, order, ctx) + || !BN_mod_mul(tmp2, k, e, order, ctx) + || !BN_mod_add(s, tmp, tmp2, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_INTERNAL_ERROR); + goto err; + } } while (BN_is_zero(s)); newsig->s = BN_dup(s); newsig->r = BN_dup(r); + if(!newsig->s || !newsig->r) { + GOSTerr(GOST_F_GOST2001_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } + + ret = newsig; err: - BN_CTX_end(ctx); - BN_CTX_free(ctx); - EC_POINT_free(C); - BN_free(md); - return newsig; + if(ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + 
if (C) EC_POINT_free(C); + if (md) BN_free(md); + if (!ret && newsig) { + DSA_SIG_free(newsig); + } + return ret; } /* @@ -196,6 +270,11 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, const EC_POINT *pub_key = NULL; int ok = 0; + if(!ctx || !group) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } + BN_CTX_start(ctx); order = BN_CTX_get(ctx); e = BN_CTX_get(ctx); @@ -205,9 +284,17 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, X = BN_CTX_get(ctx); R = BN_CTX_get(ctx); v = BN_CTX_get(ctx); + if(!order || !e || !z1 || !z2 || !tmp || !X || !R || !v) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } - EC_GROUP_get_order(group, order, ctx); pub_key = EC_KEY_get0_public_key(ec); + if(!pub_key || !EC_GROUP_get_order(group, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } + if (BN_is_zero(sig->s) || BN_is_zero(sig->r) || (BN_cmp(sig->s, order) >= 1) || (BN_cmp(sig->r, order) >= 1)) { GOSTerr(GOST_F_GOST2001_DO_VERIFY, 
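Review bot: The signature range check kept as context in gost2001_do_verify, `(BN_cmp(sig->s, order) >= 1) || (BN_cmp(sig->r, order) >= 1)`, rejects only values strictly greater than `order`, so an `r` or `s` equal to `order` passes it. `BN_cmp` returns -1, 0 or 1, so restricting both values to the open interval below `order` needs `>= 0` in both comparisons. The commit hardens the surrounding error handling but leaves this boundary as it was. The hunk does not show whether such a value could ever verify, but the bound should be strict as a matter of input validation. The `if` statement continues past the end of the hunk.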
@@ -217,19 +304,28 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, } md = hashsum2bn(dgst); - BN_mod(e, md, order, ctx); + if(!md || !BN_mod(e, md, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_SIGN fprintf(stderr, "digest as bignum: "); BN_print_fp(stderr, md); fprintf(stderr, "\ndigest mod q: "); BN_print_fp(stderr, e); #endif - if (BN_is_zero(e)) - BN_one(e); + if (BN_is_zero(e) && !BN_one(e)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } v = BN_mod_inverse(v, e, order, ctx); - BN_mod_mul(z1, sig->s, v, order, ctx); - BN_sub(tmp, order, sig->r); - BN_mod_mul(z2, tmp, v, order, ctx); + if(!v + || !BN_mod_mul(z1, sig->s, v, order, ctx) + || !BN_sub(tmp, order, sig->r) + || !BN_mod_mul(z2, tmp, v, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_SIGN fprintf(stderr, "\nInverted digest value: "); BN_print_fp(stderr, v); @@ -239,6 +335,10 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, BN_print_fp(stderr, z2); #endif C = EC_POINT_new(group); + if (!C) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } if (!EC_POINT_mul(group, C, z1, pub_key, z2, ctx)) { GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_EC_LIB); goto err; @@ -247,7 +347,10 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_EC_LIB); goto err; } - BN_mod(R, X, order, ctx); + if(!BN_mod(R, X, order, ctx)) { + GOSTerr(GOST_F_GOST2001_DO_VERIFY, ERR_R_INTERNAL_ERROR); + goto err; + } #ifdef DEBUG_SIGN fprintf(stderr, "\nX="); BN_print_fp(stderr, X); @@ -261,10 +364,12 @@ int gost2001_do_verify(const unsigned char *dgst, int dgst_len, ok = 1; } err: - EC_POINT_free(C); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - BN_free(md); + if (C) EC_POINT_free(C); + if (ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + if (md) BN_free(md); return ok; } 
@@ -287,6 +392,10 @@ int gost2001_compute_public(EC_KEY *ec) return 0; } ctx = BN_CTX_new(); + if(!ctx) { + GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); + goto err; + } BN_CTX_start(ctx); if (!(priv_key = EC_KEY_get0_private_key(ec))) { GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_EC_LIB); @@ -294,6 +403,10 @@ int gost2001_compute_public(EC_KEY *ec) } pub_key = EC_POINT_new(group); + if(!pub_key) { + GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); + goto err; + } if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx)) { GOSTerr(GOST_F_GOST2001_COMPUTE_PUBLIC, ERR_R_EC_LIB); goto err; @@ -304,9 +417,11 @@ int gost2001_compute_public(EC_KEY *ec) } ok = 256; err: - BN_CTX_end(ctx); - EC_POINT_free(pub_key); - BN_CTX_free(ctx); + if (pub_key) EC_POINT_free(pub_key); + if (ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } return ok; } @@ -320,7 +435,13 @@ int gost2001_keygen(EC_KEY *ec) { BIGNUM *order = BN_new(), *d = BN_new(); const EC_GROUP *group = EC_KEY_get0_group(ec); - EC_GROUP_get_order(group, order, NULL); + + if(!group || !EC_GROUP_get_order(group, order, NULL)) { + GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_INTERNAL_ERROR); + BN_free(d); + BN_free(order); + return 0; + } do { if (!BN_rand_range(d, order)) { @@ -332,7 +453,13 @@ int gost2001_keygen(EC_KEY *ec) } } while (BN_is_zero(d)); - EC_KEY_set_private_key(ec, d); + + if(!EC_KEY_set_private_key(ec, d)) { + GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_INTERNAL_ERROR); + BN_free(d); + BN_free(order); + return 0; + } BN_free(d); BN_free(order); return gost2001_compute_public(ec); diff --git a/deps/openssl/openssl/engines/ccgost/gost94_keyx.c b/deps/openssl/openssl/engines/ccgost/gost94_keyx.c index 85f4bc89982..ce57f17cbf3 100644 --- a/deps/openssl/openssl/engines/ccgost/gost94_keyx.c +++ b/deps/openssl/openssl/engines/ccgost/gost94_keyx.c 
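Review bot: `order` and `d` in gost2001_keygen come from `BN_new()` and are never tested for NULL, although this commit adds allocation checks throughout the rest of the file. The new guard passes `order` straight to `EC_GROUP_get_order()` and the loop passes `d` to `BN_rand_range()`; widening the guard to `if(!order || !d || !group || !EC_GROUP_get_order(group, order, NULL))` covers both. The two identical `BN_free(d); BN_free(order); return 0;` exits could also share a single cleanup label, as the other functions in this file do with `err:`.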
@@ -104,6 +104,7 @@ int pkey_GOST94cp_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, struct gost_pmeth_data *data = EVP_PKEY_CTX_get_data(ctx); gost_ctx cctx; int key_is_ephemeral = 1; + int tmp_outlen; EVP_PKEY *mykey = EVP_PKEY_CTX_get0_peerkey(ctx); /* Do not use vizir cipher parameters with cryptopro */ @@ -174,12 +175,13 @@ int pkey_GOST94cp_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, } ASN1_OBJECT_free(gkt->key_agreement_info->cipher); gkt->key_agreement_info->cipher = OBJ_nid2obj(param->nid); - *outlen = i2d_GOST_KEY_TRANSPORT(gkt, out ? &out : NULL); - if (*outlen <= 0) { + tmp_outlen = i2d_GOST_KEY_TRANSPORT(gkt, out ? &out : NULL); + if (tmp_outlen <= 0) { GOSTerr(GOST_F_PKEY_GOST94CP_ENCRYPT, GOST_R_ERROR_PACKING_KEY_TRANSPORT_INFO); goto err; } + *outlen = tmp_outlen; if (!key_is_ephemeral) { /* Set control "public key from client certificate used" */ if (EVP_PKEY_CTX_ctrl(ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 3, NULL) <= diff --git a/deps/openssl/openssl/engines/ccgost/gost_ameth.c b/deps/openssl/openssl/engines/ccgost/gost_ameth.c index 713a0face51..b7c5354c1ae 100644 --- a/deps/openssl/openssl/engines/ccgost/gost_ameth.c +++ b/deps/openssl/openssl/engines/ccgost/gost_ameth.c @@ -115,7 +115,10 @@ static int decode_gost_algor_params(EVP_PKEY *pkey, X509_ALGOR *palg) } param_nid = OBJ_obj2nid(gkp->key_params); GOST_KEY_PARAMS_free(gkp); - EVP_PKEY_set_type(pkey, pkey_nid); + if(!EVP_PKEY_set_type(pkey, pkey_nid)) { + GOSTerr(GOST_F_DECODE_GOST_ALGOR_PARAMS, ERR_R_INTERNAL_ERROR); + return 0; + } switch (pkey_nid) { case NID_id_GostR3410_94: { 
@@ -552,9 +555,19 @@ static int param_copy_gost01(EVP_PKEY *to, const EVP_PKEY *from) } if (!eto) { eto = EC_KEY_new(); - EVP_PKEY_assign(to, EVP_PKEY_base_id(from), eto); + if(!eto) { + GOSTerr(GOST_F_PARAM_COPY_GOST01, ERR_R_MALLOC_FAILURE); + return 0; + } + if(!EVP_PKEY_assign(to, EVP_PKEY_base_id(from), eto)) { + GOSTerr(GOST_F_PARAM_COPY_GOST01, ERR_R_INTERNAL_ERROR); + return 0; + } + } + if(!EC_KEY_set_group(eto, EC_KEY_get0_group(efrom))) { + GOSTerr(GOST_F_PARAM_COPY_GOST01, ERR_R_INTERNAL_ERROR); + return 0; } - EC_KEY_set_group(eto, EC_KEY_get0_group(efrom)); if (EC_KEY_get0_private_key(eto)) { gost2001_compute_public(eto); } @@ -729,8 +742,21 @@ static int pub_encode_gost01(X509_PUBKEY *pub, const EVP_PKEY *pk) } X = BN_new(); Y = BN_new(); - EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec), - pub_key, X, Y, NULL); + if(!X || !Y) { + GOSTerr(GOST_F_PUB_ENCODE_GOST01, ERR_R_MALLOC_FAILURE); + if(X) BN_free(X); + if(Y) BN_free(Y); + BN_free(order); + return 0; + } + if(!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ec), + pub_key, X, Y, NULL)) { + GOSTerr(GOST_F_PUB_ENCODE_GOST01, ERR_R_INTERNAL_ERROR); + BN_free(X); + BN_free(Y); + BN_free(order); + return 0; + } data_len = 2 * BN_num_bytes(order); BN_free(order); databuf = OPENSSL_malloc(data_len); diff --git a/deps/openssl/openssl/engines/ccgost/gost_pmeth.c b/deps/openssl/openssl/engines/ccgost/gost_pmeth.c index 9af7b06d43a..b6275b25588 100644 --- a/deps/openssl/openssl/engines/ccgost/gost_pmeth.c +++ b/deps/openssl/openssl/engines/ccgost/gost_pmeth.c @@ -502,7 +502,7 @@ static int pkey_gost_mac_ctrl_str(EVP_PKEY_CTX *ctx, long keylen; int ret; unsigned char *keybuf = string_to_hex(value, &keylen); - if (keylen != 32) { + if (!keybuf || keylen != 32) { GOSTerr(GOST_F_PKEY_GOST_MAC_CTRL_STR, GOST_R_INVALID_MAC_KEY_LENGTH); OPENSSL_free(keybuf); 
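Review bot: In the `param_copy_gost01` hunk the freshly allocated `eto` is leaked when `EVP_PKEY_assign` fails, because ownership never passes to `to` and the new branch returns immediately. Add `EC_KEY_free(eto);` before that `return 0;`. The last context lines still discard the result of `gost2001_compute_public(eto)`, so unless code after the hunk handles it a failed public-key computation is reported as a successful copy; `if (!gost2001_compute_public(eto)) return 0;` would match the checks added above. The function continues past the end of the hunk.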
diff --git a/deps/openssl/openssl/engines/ccgost/gost_sign.c b/deps/openssl/openssl/engines/ccgost/gost_sign.c index 0116e47400b..07ad921ab53 100644 --- a/deps/openssl/openssl/engines/ccgost/gost_sign.c +++ b/deps/openssl/openssl/engines/ccgost/gost_sign.c @@ -12,6 +12,7 @@ #include #include #include +#include #include "gost_params.h" #include "gost_lcl.h" @@ -52,11 +53,16 @@ void dump_dsa_sig(const char *message, DSA_SIG *sig) DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { BIGNUM *k = NULL, *tmp = NULL, *tmp2 = NULL; - DSA_SIG *newsig = DSA_SIG_new(); + DSA_SIG *newsig = NULL, *ret = NULL; BIGNUM *md = hashsum2bn(dgst); /* check if H(M) mod q is zero */ BN_CTX *ctx = BN_CTX_new(); + if(!ctx) { + GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } BN_CTX_start(ctx); + newsig = DSA_SIG_new(); if (!newsig) { GOSTerr(GOST_F_GOST_DO_SIGN, GOST_R_NO_MEMORY); goto err; @@ -64,6 +70,10 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) tmp = BN_CTX_get(ctx); k = BN_CTX_get(ctx); tmp2 = BN_CTX_get(ctx); + if(!tmp || !k || !tmp2) { + GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } BN_mod(tmp, md, dsa->q, ctx); if (BN_is_zero(tmp)) { BN_one(md); 
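Review bot: `md = hashsum2bn(dgst)` in the `gost_do_sign` declarations is still used unchecked: the following hunk passes it to `BN_mod` right after the new `tmp`/`k`/`tmp2` test, so if `hashsum2bn` can return NULL on allocation failure (its body is not in this diff) that NULL reaches the bignum code. Folding it into the added test, `if(!tmp || !k || !tmp2 || !md) {`, is enough because `err:` already frees `md`. The `gost_do_verify` hunk assigns `md = hashsum2bn(dgst)` the same way and needs the same test before its first `BN_mod`.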
@@ -76,24 +86,41 @@ DSA_SIG *gost_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) BN_rand_range(k, dsa->q); /* generate r = (a^x mod p) mod q */ BN_mod_exp(tmp, dsa->g, k, dsa->p, ctx); - if (!(newsig->r)) + if (!(newsig->r)) { newsig->r = BN_new(); + if(!newsig->r) { + GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } + } BN_mod(newsig->r, tmp, dsa->q, ctx); } while (BN_is_zero(newsig->r)); /* generate s = (xr + k(Hm)) mod q */ BN_mod_mul(tmp, dsa->priv_key, newsig->r, dsa->q, ctx); BN_mod_mul(tmp2, k, md, dsa->q, ctx); - if (!newsig->s) + if (!newsig->s) { newsig->s = BN_new(); + if(!newsig->s) { + GOSTerr(GOST_F_GOST_DO_SIGN, ERR_R_MALLOC_FAILURE); + goto err; + } + } BN_mod_add(newsig->s, tmp, tmp2, dsa->q, ctx); } while (BN_is_zero(newsig->s)); + + ret = newsig; err: BN_free(md); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - return newsig; + if(ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + if(!ret && newsig) { + DSA_SIG_free(newsig); + } + return ret; } /* @@ -135,17 +162,21 @@ int pack_sign_cp(DSA_SIG *s, int order, unsigned char *sig, size_t *siglen) int gost_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) { - BIGNUM *md, *tmp = NULL; + BIGNUM *md = NULL, *tmp = NULL; BIGNUM *q2 = NULL; BIGNUM *u = NULL, *v = NULL, *z1 = NULL, *z2 = NULL; BIGNUM *tmp2 = NULL, *tmp3 = NULL; - int ok; + int ok = 0; BN_CTX *ctx = BN_CTX_new(); + if(!ctx) { + GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } BN_CTX_start(ctx); if (BN_cmp(sig->s, dsa->q) >= 1 || BN_cmp(sig->r, dsa->q) >= 1) { GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q); - return 0; + goto err; } md = hashsum2bn(dgst); 
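Review bot: The result of `BN_rand_range(k, dsa->q)` at the top of this `gost_do_sign` hunk is ignored, so when the random generator fails the per-signature secret `k` keeps whatever value it had and the function still returns a signature. The secrecy of the private key depends on `k` being unpredictable, so this path should fail closed: `if (!BN_rand_range(k, dsa->q)) goto err;` with a `GOSTerr` call in front of the jump. The `BN_mod_exp`, `BN_mod_mul` and `BN_mod_add` calls in the same loop are unchecked as well, and the same applies to `BN_rand_range(dsa->priv_key, dsa->q)` in the `gost_sign_keygen` hunk and to `BN_mod_exp` in the `gost94_compute_public` hunk, which returns 1 whatever the outcome.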
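Review bot: The range test kept in this `gost_do_verify` hunk, `BN_cmp(sig->s, dsa->q) >= 1`, rejects only values strictly greater than `q`, so `r` or `s` equal to `q`, or equal to zero, still go on to the arithmetic. Verification normally requires 0 < r < q and 0 < s < q, and the later hunk leaves the `BN_mod`/`BN_mod_exp` results unchecked, so a computation that failed part-way is compared against `sig->r` as if it had succeeded. I would tighten the test to `BN_is_zero(sig->r) || BN_is_zero(sig->s) || BN_cmp(sig->r, dsa->q) >= 0 || BN_cmp(sig->s, dsa->q) >= 0` and route every failed bignum call to `err` while `ok` is still 0.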
@@ -157,6 +188,10 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, tmp2 = BN_CTX_get(ctx); tmp3 = BN_CTX_get(ctx); u = BN_CTX_get(ctx); + if(!tmp || !v || !q2 || !z1 || !z2 || !tmp2 || !tmp3 || !u) { + GOSTerr(GOST_F_GOST_DO_VERIFY, ERR_R_MALLOC_FAILURE); + goto err; + } BN_mod(tmp, md, dsa->q, ctx); if (BN_is_zero(tmp)) { @@ -172,15 +207,18 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, BN_mod_exp(tmp2, dsa->pub_key, z2, dsa->p, ctx); BN_mod_mul(tmp3, tmp, tmp2, dsa->p, ctx); BN_mod(u, tmp3, dsa->q, ctx); - ok = BN_cmp(u, sig->r); + ok = (BN_cmp(u, sig->r) == 0); - BN_free(md); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - if (ok != 0) { + if (!ok) { GOSTerr(GOST_F_GOST_DO_VERIFY, GOST_R_SIGNATURE_MISMATCH); } - return (ok == 0); +err: + if(md) BN_free(md); + if(ctx) { + BN_CTX_end(ctx); + BN_CTX_free(ctx); + } + return ok; } /* @@ -190,13 +228,24 @@ int gost_do_verify(const unsigned char *dgst, int dgst_len, int gost94_compute_public(DSA *dsa) { /* Now fill algorithm parameters with correct values */ - BN_CTX *ctx = BN_CTX_new(); + BN_CTX *ctx; if (!dsa->g) { GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, GOST_R_KEY_IS_NOT_INITALIZED); return 0; } - /* Compute public key y = a^x mod p */ + ctx = BN_CTX_new(); + if(!ctx) { + GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); + return 0; + } + dsa->pub_key = BN_new(); + if(!dsa->pub_key) { + GOSTerr(GOST_F_GOST94_COMPUTE_PUBLIC, ERR_R_MALLOC_FAILURE); + BN_CTX_free(ctx); + return 0; + } + /* Compute public key y = a^x mod p */ BN_mod_exp(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx); BN_CTX_free(ctx); return 1; @@ -243,6 +292,10 @@ int fill_GOST94_params(DSA *dsa, int nid) int gost_sign_keygen(DSA *dsa) { dsa->priv_key = BN_new(); + if(!dsa->priv_key) { + GOSTerr(GOST_F_GOST_SIGN_KEYGEN, ERR_R_MALLOC_FAILURE); + return 0; + } BN_rand_range(dsa->priv_key, dsa->q); return gost94_compute_public(dsa); } 
diff --git a/deps/openssl/openssl/engines/e_sureware.c b/deps/openssl/openssl/engines/e_sureware.c index 1005dfc903d..8a23763f75d 100644 --- a/deps/openssl/openssl/engines/e_sureware.c +++ b/deps/openssl/openssl/engines/e_sureware.c @@ -712,10 +712,12 @@ static EVP_PKEY *sureware_load_public(ENGINE *e, const char *key_id, /* set public big nums */ rsatmp->e = BN_new(); rsatmp->n = BN_new(); + if(!rsatmp->e || !rsatmp->n) + goto err; bn_expand2(rsatmp->e, el / sizeof(BN_ULONG)); bn_expand2(rsatmp->n, el / sizeof(BN_ULONG)); - if (!rsatmp->e || rsatmp->e->dmax != (int)(el / sizeof(BN_ULONG)) || - !rsatmp->n || rsatmp->n->dmax != (int)(el / sizeof(BN_ULONG))) + if (rsatmp->e->dmax != (int)(el / sizeof(BN_ULONG)) || + rsatmp->n->dmax != (int)(el / sizeof(BN_ULONG))) goto err; ret = p_surewarehk_Load_Rsa_Pubkey(msg, key_id, el, (unsigned long *)rsatmp->n->d, @@ -752,15 +754,16 @@ static EVP_PKEY *sureware_load_public(ENGINE *e, const char *key_id, dsatmp->p = BN_new(); dsatmp->q = BN_new(); dsatmp->g = BN_new(); + if(!dsatmp->pub_key || !dsatmp->p || !dsatmp->q || !dsatmp->g) + goto err; bn_expand2(dsatmp->pub_key, el / sizeof(BN_ULONG)); bn_expand2(dsatmp->p, el / sizeof(BN_ULONG)); bn_expand2(dsatmp->q, 20 / sizeof(BN_ULONG)); bn_expand2(dsatmp->g, el / sizeof(BN_ULONG)); - if (!dsatmp->pub_key - || dsatmp->pub_key->dmax != (int)(el / sizeof(BN_ULONG)) - || !dsatmp->p || dsatmp->p->dmax != (int)(el / sizeof(BN_ULONG)) - || !dsatmp->q || dsatmp->q->dmax != 20 / sizeof(BN_ULONG) - || !dsatmp->g || dsatmp->g->dmax != (int)(el / sizeof(BN_ULONG))) + if (dsatmp->pub_key->dmax != (int)(el / sizeof(BN_ULONG)) + || dsatmp->p->dmax != (int)(el / sizeof(BN_ULONG)) + || dsatmp->q->dmax != 20 / sizeof(BN_ULONG) + || dsatmp->g->dmax != (int)(el / sizeof(BN_ULONG))) goto err; ret = p_surewarehk_Load_Dsa_Pubkey(msg, key_id, el, 
@@ -1038,10 +1041,12 @@ static DSA_SIG *surewarehk_dsa_do_sign(const unsigned char *from, int flen, } psign->r = BN_new(); psign->s = BN_new(); + if(!psign->r || !psign->s) + goto err; bn_expand2(psign->r, 20 / sizeof(BN_ULONG)); bn_expand2(psign->s, 20 / sizeof(BN_ULONG)); - if (!psign->r || psign->r->dmax != 20 / sizeof(BN_ULONG) || - !psign->s || psign->s->dmax != 20 / sizeof(BN_ULONG)) + if (psign->r->dmax != 20 / sizeof(BN_ULONG) || + psign->s->dmax != 20 / sizeof(BN_ULONG)) goto err; ret = p_surewarehk_Dsa_Sign(msg, flen, from, (unsigned long *)psign->r->d, @@ -1070,9 +1075,9 @@ static int surewarehk_modexp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, char msg[64] = "ENGINE_modexp"; if (!p_surewarehk_Mod_Exp) { SUREWAREerr(SUREWARE_F_SUREWAREHK_MODEXP, ENGINE_R_NOT_INITIALISED); - } else { + } else if (r) { bn_expand2(r, m->top); - if (r && r->dmax == m->top) { + if (r->dmax == m->top) { /* do it */ ret = p_surewarehk_Mod_Exp(msg, m->top * sizeof(BN_ULONG), diff --git a/deps/openssl/openssl/include/openssl/aes.h b/deps/openssl/openssl/include/openssl/aes.h deleted file mode 100644 index f646d41f060..00000000000 --- a/deps/openssl/openssl/include/openssl/aes.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../crypto/aes/aes.h" diff --git a/deps/openssl/openssl/include/openssl/aes.h b/deps/openssl/openssl/include/openssl/aes.h new file mode 120000 index 00000000000..f555c13ed7b --- /dev/null +++ b/deps/openssl/openssl/include/openssl/aes.h @@ -0,0 +1 @@ +../../crypto/aes/aes.h \ No newline at end of file diff --git a/deps/openssl/openssl/include/openssl/asn1.h b/deps/openssl/openssl/include/openssl/asn1.h deleted file mode 100644 index 5432ed8dc83..00000000000 --- a/deps/openssl/openssl/include/openssl/asn1.h +++ /dev/null @@ -1 +0,0 @@ -#include "../../crypto/asn1/asn1.h" diff --git a/deps/openssl/openssl/include/openssl/asn1.h b/deps/openssl/openssl/include/openssl/asn1.h new file mode 120000 index 00000000000..dd514954a11 --- /dev/null 
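Review bot: In the `surewarehk_modexp` hunk the new `else if (r)` skips the hardware call when `r` is NULL but queues no error, so the caller gets only whatever `ret` was initialised to outside the hunk, with nothing on the error stack to explain it. An explicit branch makes the failure visible: `else if (!r) { SUREWAREerr(SUREWARE_F_SUREWAREHK_MODEXP, ERR_R_PASSED_NULL_PARAMETER); }` ahead of the working branch. The function's declarations and return are outside the hunk.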
+++ b/deps/openssl/openssl/include/openssl/asn1.h
@@ -0,0 +1 @@
+../../crypto/asn1/asn1.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/asn1_mac.h b/deps/openssl/openssl/include/openssl/asn1_mac.h
deleted file mode 100644
index 214787c4774..00000000000
--- a/deps/openssl/openssl/include/openssl/asn1_mac.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/asn1/asn1_mac.h"
diff --git a/deps/openssl/openssl/include/openssl/asn1_mac.h b/deps/openssl/openssl/include/openssl/asn1_mac.h
new file mode 120000
index 00000000000..97781d99331
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/asn1_mac.h
@@ -0,0 +1 @@
+../../crypto/asn1/asn1_mac.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/asn1t.h b/deps/openssl/openssl/include/openssl/asn1t.h
deleted file mode 100644
index 4de87a9c610..00000000000
--- a/deps/openssl/openssl/include/openssl/asn1t.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/asn1/asn1t.h"
diff --git a/deps/openssl/openssl/include/openssl/asn1t.h b/deps/openssl/openssl/include/openssl/asn1t.h
new file mode 120000
index 00000000000..31c87c38853
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/asn1t.h
@@ -0,0 +1 @@
+../../crypto/asn1/asn1t.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/bio.h b/deps/openssl/openssl/include/openssl/bio.h
deleted file mode 100644
index 34f8a2df07e..00000000000
--- a/deps/openssl/openssl/include/openssl/bio.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/bio/bio.h"
diff --git a/deps/openssl/openssl/include/openssl/bio.h b/deps/openssl/openssl/include/openssl/bio.h
new file mode 120000
index 00000000000..c598b6f73a7
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/bio.h
@@ -0,0 +1 @@
+../../crypto/bio/bio.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/blowfish.h b/deps/openssl/openssl/include/openssl/blowfish.h
deleted file mode 100644
index 8d515feb058..00000000000
--- a/deps/openssl/openssl/include/openssl/blowfish.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/bf/blowfish.h"
diff --git a/deps/openssl/openssl/include/openssl/blowfish.h b/deps/openssl/openssl/include/openssl/blowfish.h
new file mode 120000
index 00000000000..88bf9223423
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/blowfish.h
@@ -0,0 +1 @@
+../../crypto/bf/blowfish.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/bn.h b/deps/openssl/openssl/include/openssl/bn.h
deleted file mode 100644
index f47d65a93f4..00000000000
--- a/deps/openssl/openssl/include/openssl/bn.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/bn/bn.h"
diff --git a/deps/openssl/openssl/include/openssl/bn.h b/deps/openssl/openssl/include/openssl/bn.h
new file mode 120000
index 00000000000..5c251c135af
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/bn.h
@@ -0,0 +1 @@
+../../crypto/bn/bn.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/buffer.h b/deps/openssl/openssl/include/openssl/buffer.h
deleted file mode 100644
index 1d2c2a2ec1b..00000000000
--- a/deps/openssl/openssl/include/openssl/buffer.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/buffer/buffer.h"
diff --git a/deps/openssl/openssl/include/openssl/buffer.h b/deps/openssl/openssl/include/openssl/buffer.h
new file mode 120000
index 00000000000..76ea7114a2b
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/buffer.h
@@ -0,0 +1 @@
+../../crypto/buffer/buffer.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/camellia.h b/deps/openssl/openssl/include/openssl/camellia.h
deleted file mode 100644
index 5a0a141eed5..00000000000
--- a/deps/openssl/openssl/include/openssl/camellia.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/camellia/camellia.h"
diff --git a/deps/openssl/openssl/include/openssl/camellia.h b/deps/openssl/openssl/include/openssl/camellia.h
new file mode 120000
index 00000000000..ad10f9792b6
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/camellia.h
@@ -0,0 +1 @@
+../../crypto/camellia/camellia.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/cast.h b/deps/openssl/openssl/include/openssl/cast.h
deleted file mode 100644
index 12cf92c4a9b..00000000000
--- a/deps/openssl/openssl/include/openssl/cast.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/cast/cast.h"
diff --git a/deps/openssl/openssl/include/openssl/cast.h b/deps/openssl/openssl/include/openssl/cast.h
new file mode 120000
index 00000000000..b775ab04b81
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/cast.h
@@ -0,0 +1 @@
+../../crypto/cast/cast.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/cmac.h b/deps/openssl/openssl/include/openssl/cmac.h
deleted file mode 100644
index a7579aeabdd..00000000000
--- a/deps/openssl/openssl/include/openssl/cmac.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/cmac/cmac.h"
diff --git a/deps/openssl/openssl/include/openssl/cmac.h b/deps/openssl/openssl/include/openssl/cmac.h
new file mode 120000
index 00000000000..bfb70c46830
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/cmac.h
@@ -0,0 +1 @@
+../../crypto/cmac/cmac.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/cms.h b/deps/openssl/openssl/include/openssl/cms.h
deleted file mode 100644
index 8687c7fe467..00000000000
--- a/deps/openssl/openssl/include/openssl/cms.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/cms/cms.h"
diff --git a/deps/openssl/openssl/include/openssl/cms.h b/deps/openssl/openssl/include/openssl/cms.h
new file mode 120000
index 00000000000..0f651adde2c
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/cms.h
@@ -0,0 +1 @@
+../../crypto/cms/cms.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/comp.h b/deps/openssl/openssl/include/openssl/comp.h
deleted file mode 100644
index d14e36cc36b..00000000000
--- a/deps/openssl/openssl/include/openssl/comp.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/comp/comp.h"
diff --git a/deps/openssl/openssl/include/openssl/comp.h b/deps/openssl/openssl/include/openssl/comp.h
new file mode 120000
index 00000000000..712c9d4ae58
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/comp.h
@@ -0,0 +1 @@
+../../crypto/comp/comp.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/conf.h b/deps/openssl/openssl/include/openssl/conf.h
deleted file mode 100644
index 3882c82f8d0..00000000000
--- a/deps/openssl/openssl/include/openssl/conf.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/conf/conf.h"
diff --git a/deps/openssl/openssl/include/openssl/conf.h b/deps/openssl/openssl/include/openssl/conf.h
new file mode 120000
index 00000000000..44156b189b0
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/conf.h
@@ -0,0 +1 @@
+../../crypto/conf/conf.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/conf_api.h b/deps/openssl/openssl/include/openssl/conf_api.h
deleted file mode 100644
index 03933578574..00000000000
--- a/deps/openssl/openssl/include/openssl/conf_api.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/conf/conf_api.h"
diff --git a/deps/openssl/openssl/include/openssl/conf_api.h b/deps/openssl/openssl/include/openssl/conf_api.h
new file mode 120000
index 00000000000..26b42198a86
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/conf_api.h
@@ -0,0 +1 @@
+../../crypto/conf/conf_api.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/crypto.h b/deps/openssl/openssl/include/openssl/crypto.h
deleted file mode 100644
index 7e3d91e42f0..00000000000
--- a/deps/openssl/openssl/include/openssl/crypto.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/crypto.h"
diff --git a/deps/openssl/openssl/include/openssl/crypto.h b/deps/openssl/openssl/include/openssl/crypto.h
new file mode 120000
index 00000000000..2f3f63cb016
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/crypto.h
@@ -0,0 +1 @@
+../../crypto/crypto.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/des.h b/deps/openssl/openssl/include/openssl/des.h
deleted file mode 100644
index 1d6631e9b6a..00000000000
--- a/deps/openssl/openssl/include/openssl/des.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/des/des.h"
diff --git a/deps/openssl/openssl/include/openssl/des.h b/deps/openssl/openssl/include/openssl/des.h
new file mode 120000
index 00000000000..5eb7c88b38a
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/des.h
@@ -0,0 +1 @@
+../../crypto/des/des.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/des_old.h b/deps/openssl/openssl/include/openssl/des_old.h
deleted file mode 100644
index e5828733cca..00000000000
--- a/deps/openssl/openssl/include/openssl/des_old.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/des/des_old.h"
diff --git a/deps/openssl/openssl/include/openssl/des_old.h b/deps/openssl/openssl/include/openssl/des_old.h
new file mode 120000
index 00000000000..97098988052
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/des_old.h
@@ -0,0 +1 @@
+../../crypto/des/des_old.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/dh.h b/deps/openssl/openssl/include/openssl/dh.h
deleted file mode 100644
index f70a767ac90..00000000000
--- a/deps/openssl/openssl/include/openssl/dh.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/dh/dh.h"
diff --git a/deps/openssl/openssl/include/openssl/dh.h b/deps/openssl/openssl/include/openssl/dh.h
new file mode 120000
index 00000000000..c0eacb5eb35
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/dh.h
@@ -0,0 +1 @@
+../../crypto/dh/dh.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/dsa.h b/deps/openssl/openssl/include/openssl/dsa.h
deleted file mode 100644
index 0365acfe665..00000000000
--- a/deps/openssl/openssl/include/openssl/dsa.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/dsa/dsa.h"
diff --git a/deps/openssl/openssl/include/openssl/dsa.h b/deps/openssl/openssl/include/openssl/dsa.h
new file mode 120000
index 00000000000..ad4695f9b6a
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/dsa.h
@@ -0,0 +1 @@
+../../crypto/dsa/dsa.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/dso.h b/deps/openssl/openssl/include/openssl/dso.h
deleted file mode 100644
index f3c8de23065..00000000000
--- a/deps/openssl/openssl/include/openssl/dso.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/dso/dso.h"
diff --git a/deps/openssl/openssl/include/openssl/dso.h b/deps/openssl/openssl/include/openssl/dso.h
new file mode 120000
index 00000000000..b1f215dafc8
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/dso.h
@@ -0,0 +1 @@
+../../crypto/dso/dso.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/dtls1.h b/deps/openssl/openssl/include/openssl/dtls1.h
deleted file mode 100644
index ac8ab57453c..00000000000
--- a/deps/openssl/openssl/include/openssl/dtls1.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../ssl/dtls1.h"
diff --git a/deps/openssl/openssl/include/openssl/dtls1.h b/deps/openssl/openssl/include/openssl/dtls1.h
new file mode 120000
index 00000000000..95aef9913ab
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/dtls1.h
@@ -0,0 +1 @@
+../../ssl/dtls1.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/e_os2.h b/deps/openssl/openssl/include/openssl/e_os2.h
deleted file mode 100644
index ab3f1ee44f4..00000000000
--- a/deps/openssl/openssl/include/openssl/e_os2.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../e_os2.h"
diff --git a/deps/openssl/openssl/include/openssl/e_os2.h b/deps/openssl/openssl/include/openssl/e_os2.h
new file mode 120000
index 00000000000..0e8c0399248
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/e_os2.h
@@ -0,0 +1 @@
+../../e_os2.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ebcdic.h b/deps/openssl/openssl/include/openssl/ebcdic.h
deleted file mode 100644
index 6dedc7051d2..00000000000
--- a/deps/openssl/openssl/include/openssl/ebcdic.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/ebcdic.h"
diff --git a/deps/openssl/openssl/include/openssl/ebcdic.h b/deps/openssl/openssl/include/openssl/ebcdic.h
new file mode 120000
index 00000000000..a7ee60e0aee
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ebcdic.h
@@ -0,0 +1 @@
+../../crypto/ebcdic.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ec.h b/deps/openssl/openssl/include/openssl/ec.h
deleted file mode 100644
index 7d206145260..00000000000
--- a/deps/openssl/openssl/include/openssl/ec.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/ec/ec.h"
diff --git a/deps/openssl/openssl/include/openssl/ec.h b/deps/openssl/openssl/include/openssl/ec.h
new file mode 120000
index 00000000000..245497eda7c
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ec.h
@@ -0,0 +1 @@
+../../crypto/ec/ec.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ecdh.h b/deps/openssl/openssl/include/openssl/ecdh.h
deleted file mode 100644
index ad6e3dc9c7e..00000000000
--- a/deps/openssl/openssl/include/openssl/ecdh.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/ecdh/ecdh.h"
diff --git a/deps/openssl/openssl/include/openssl/ecdh.h b/deps/openssl/openssl/include/openssl/ecdh.h
new file mode 120000
index 00000000000..3fd1c3ba39f
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ecdh.h
@@ -0,0 +1 @@
+../../crypto/ecdh/ecdh.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ecdsa.h b/deps/openssl/openssl/include/openssl/ecdsa.h
deleted file mode 100644
index da451230932..00000000000
--- a/deps/openssl/openssl/include/openssl/ecdsa.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/ecdsa/ecdsa.h"
diff --git a/deps/openssl/openssl/include/openssl/ecdsa.h b/deps/openssl/openssl/include/openssl/ecdsa.h
new file mode 120000
index 00000000000..e48acc669ce
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ecdsa.h
@@ -0,0 +1 @@
+../../crypto/ecdsa/ecdsa.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/engine.h b/deps/openssl/openssl/include/openssl/engine.h
deleted file mode 100644
index 2dceaac6c78..00000000000
--- a/deps/openssl/openssl/include/openssl/engine.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/engine/engine.h"
diff --git a/deps/openssl/openssl/include/openssl/engine.h b/deps/openssl/openssl/include/openssl/engine.h
new file mode 120000
index 00000000000..a02073e32aa
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/engine.h
@@ -0,0 +1 @@
+../../crypto/engine/engine.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/err.h b/deps/openssl/openssl/include/openssl/err.h
deleted file mode 100644
index caf89a936cd..00000000000
--- a/deps/openssl/openssl/include/openssl/err.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/err/err.h"
diff --git a/deps/openssl/openssl/include/openssl/err.h b/deps/openssl/openssl/include/openssl/err.h
new file mode 120000
index 00000000000..20f65bd9c8c
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/err.h
@@ -0,0 +1 @@
+../../crypto/err/err.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/evp.h b/deps/openssl/openssl/include/openssl/evp.h
deleted file mode 100644
index dd7bcda8f3c..00000000000
--- a/deps/openssl/openssl/include/openssl/evp.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/evp/evp.h"
diff --git a/deps/openssl/openssl/include/openssl/evp.h b/deps/openssl/openssl/include/openssl/evp.h
new file mode 120000
index 00000000000..7e3a904ae95
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/evp.h
@@ -0,0 +1 @@
+../../crypto/evp/evp.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/hmac.h b/deps/openssl/openssl/include/openssl/hmac.h
deleted file mode 100644
index 202128bf52c..00000000000
--- a/deps/openssl/openssl/include/openssl/hmac.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/hmac/hmac.h"
diff --git a/deps/openssl/openssl/include/openssl/hmac.h b/deps/openssl/openssl/include/openssl/hmac.h
new file mode 120000
index 00000000000..de19ba7ede0
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/hmac.h
@@ -0,0 +1 @@
+../../crypto/hmac/hmac.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/idea.h b/deps/openssl/openssl/include/openssl/idea.h
deleted file mode 100644
index bdf697d6805..00000000000
--- a/deps/openssl/openssl/include/openssl/idea.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/idea/idea.h"
diff --git a/deps/openssl/openssl/include/openssl/idea.h b/deps/openssl/openssl/include/openssl/idea.h
new file mode 120000
index 00000000000..724fa345811
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/idea.h
@@ -0,0 +1 @@
+../../crypto/idea/idea.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/krb5_asn.h b/deps/openssl/openssl/include/openssl/krb5_asn.h
deleted file mode 100644
index 0d3feea281f..00000000000
--- a/deps/openssl/openssl/include/openssl/krb5_asn.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/krb5/krb5_asn.h"
diff --git a/deps/openssl/openssl/include/openssl/krb5_asn.h b/deps/openssl/openssl/include/openssl/krb5_asn.h
new file mode 120000
index 00000000000..1172e522e4f
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/krb5_asn.h
@@ -0,0 +1 @@
+../../crypto/krb5/krb5_asn.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/kssl.h b/deps/openssl/openssl/include/openssl/kssl.h
deleted file mode 100644
index 719634aad90..00000000000
--- a/deps/openssl/openssl/include/openssl/kssl.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../ssl/kssl.h"
diff --git a/deps/openssl/openssl/include/openssl/kssl.h b/deps/openssl/openssl/include/openssl/kssl.h
new file mode 120000
index 00000000000..2e5c2cd4dcb
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/kssl.h
@@ -0,0 +1 @@
+../../ssl/kssl.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/lhash.h b/deps/openssl/openssl/include/openssl/lhash.h
deleted file mode 100644
index 2d3db87cd5d..00000000000
--- a/deps/openssl/openssl/include/openssl/lhash.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/lhash/lhash.h"
diff --git a/deps/openssl/openssl/include/openssl/lhash.h b/deps/openssl/openssl/include/openssl/lhash.h
new file mode 120000
index 00000000000..56eb09918c7
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/lhash.h
@@ -0,0 +1 @@
+../../crypto/lhash/lhash.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/md4.h b/deps/openssl/openssl/include/openssl/md4.h
deleted file mode 100644
index 611806e5eaf..00000000000
--- a/deps/openssl/openssl/include/openssl/md4.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/md4/md4.h"
diff --git a/deps/openssl/openssl/include/openssl/md4.h b/deps/openssl/openssl/include/openssl/md4.h
new file mode 120000
index 00000000000..4ff863e7fc9
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/md4.h
@@ -0,0 +1 @@
+../../crypto/md4/md4.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/md5.h b/deps/openssl/openssl/include/openssl/md5.h
deleted file mode 100644
index aa8cd0bf863..00000000000
--- a/deps/openssl/openssl/include/openssl/md5.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/md5/md5.h"
diff --git a/deps/openssl/openssl/include/openssl/md5.h b/deps/openssl/openssl/include/openssl/md5.h
new file mode 120000
index 00000000000..26fa47eb5ce
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/md5.h
@@ -0,0 +1 @@
+../../crypto/md5/md5.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/mdc2.h b/deps/openssl/openssl/include/openssl/mdc2.h
deleted file mode 100644
index ac284a179a0..00000000000
--- a/deps/openssl/openssl/include/openssl/mdc2.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/mdc2/mdc2.h"
diff --git a/deps/openssl/openssl/include/openssl/mdc2.h b/deps/openssl/openssl/include/openssl/mdc2.h
new file mode 120000
index 00000000000..0bc32f121cb
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/mdc2.h
@@ -0,0 +1 @@
+../../crypto/mdc2/mdc2.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/modes.h b/deps/openssl/openssl/include/openssl/modes.h
deleted file mode 100644
index f57fcfea800..00000000000
--- a/deps/openssl/openssl/include/openssl/modes.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/modes/modes.h"
diff --git a/deps/openssl/openssl/include/openssl/modes.h b/deps/openssl/openssl/include/openssl/modes.h
new file mode 120000
index 00000000000..ccc172827f1
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/modes.h
@@ -0,0 +1 @@
+../../crypto/modes/modes.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/obj_mac.h b/deps/openssl/openssl/include/openssl/obj_mac.h
deleted file mode 100644
index 3890fa9bc41..00000000000
--- a/deps/openssl/openssl/include/openssl/obj_mac.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/objects/obj_mac.h"
diff --git a/deps/openssl/openssl/include/openssl/obj_mac.h b/deps/openssl/openssl/include/openssl/obj_mac.h
new file mode 120000
index 00000000000..0f443c828bc
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/obj_mac.h
@@ -0,0 +1 @@
+../../crypto/objects/obj_mac.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/objects.h b/deps/openssl/openssl/include/openssl/objects.h
deleted file mode 100644
index 5365a044bdc..00000000000
--- a/deps/openssl/openssl/include/openssl/objects.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/objects/objects.h"
diff --git a/deps/openssl/openssl/include/openssl/objects.h b/deps/openssl/openssl/include/openssl/objects.h
new file mode 120000
index 00000000000..7bd145ca086
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/objects.h
@@ -0,0 +1 @@
+../../crypto/objects/objects.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ocsp.h b/deps/openssl/openssl/include/openssl/ocsp.h
deleted file mode 100644
index 50e2885cedb..00000000000
--- a/deps/openssl/openssl/include/openssl/ocsp.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/ocsp/ocsp.h"
diff --git a/deps/openssl/openssl/include/openssl/ocsp.h b/deps/openssl/openssl/include/openssl/ocsp.h
new file mode 120000
index 00000000000..08288c84a65
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ocsp.h
@@ -0,0 +1 @@
+../../crypto/ocsp/ocsp.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/opensslconf.h b/deps/openssl/openssl/include/openssl/opensslconf.h
deleted file mode 100644
index 221be629b72..00000000000
--- a/deps/openssl/openssl/include/openssl/opensslconf.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/opensslconf.h"
diff --git a/deps/openssl/openssl/include/openssl/opensslconf.h b/deps/openssl/openssl/include/openssl/opensslconf.h
new file mode 120000
index 00000000000..25d2bea96c8
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/opensslconf.h
@@ -0,0 +1 @@
+../../crypto/opensslconf.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/opensslv.h b/deps/openssl/openssl/include/openssl/opensslv.h
deleted file mode 100644
index c39a0c3882d..00000000000
--- a/deps/openssl/openssl/include/openssl/opensslv.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/opensslv.h"
diff --git a/deps/openssl/openssl/include/openssl/opensslv.h b/deps/openssl/openssl/include/openssl/opensslv.h
new file mode 120000
index 00000000000..f314f5fc717
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/opensslv.h
@@ -0,0 +1 @@
+../../crypto/opensslv.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ossl_typ.h b/deps/openssl/openssl/include/openssl/ossl_typ.h
deleted file mode 100644
index ddd7e580dd6..00000000000
--- a/deps/openssl/openssl/include/openssl/ossl_typ.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/ossl_typ.h"
diff --git a/deps/openssl/openssl/include/openssl/ossl_typ.h b/deps/openssl/openssl/include/openssl/ossl_typ.h
new file mode 120000
index 00000000000..e8f42456e14
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ossl_typ.h
@@ -0,0 +1 @@
+../../crypto/ossl_typ.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/pem.h b/deps/openssl/openssl/include/openssl/pem.h
deleted file mode 100644
index 5bcc5c59eed..00000000000
--- a/deps/openssl/openssl/include/openssl/pem.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/pem/pem.h"
diff --git a/deps/openssl/openssl/include/openssl/pem.h b/deps/openssl/openssl/include/openssl/pem.h
new file mode 120000
index 00000000000..ca371423e7b
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/pem.h
@@ -0,0 +1 @@
+../../crypto/pem/pem.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/pem2.h b/deps/openssl/openssl/include/openssl/pem2.h
deleted file mode 100644
index bcd3acf856b..00000000000
--- a/deps/openssl/openssl/include/openssl/pem2.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/pem/pem2.h"
diff --git a/deps/openssl/openssl/include/openssl/pem2.h b/deps/openssl/openssl/include/openssl/pem2.h
new file mode 120000
index 00000000000..c734dbdc3f3
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/pem2.h
@@ -0,0 +1 @@
+../../crypto/pem/pem2.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/pkcs12.h b/deps/openssl/openssl/include/openssl/pkcs12.h
deleted file mode 100644
index 0b5fbbfe863..00000000000
--- a/deps/openssl/openssl/include/openssl/pkcs12.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/pkcs12/pkcs12.h"
diff --git a/deps/openssl/openssl/include/openssl/pkcs12.h b/deps/openssl/openssl/include/openssl/pkcs12.h
new file mode 120000
index 00000000000..eebba777899
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/pkcs12.h
@@ -0,0 +1 @@
+../../crypto/pkcs12/pkcs12.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/pkcs7.h b/deps/openssl/openssl/include/openssl/pkcs7.h
deleted file mode 100644
index 2e19d7c4c9b..00000000000
--- a/deps/openssl/openssl/include/openssl/pkcs7.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/pkcs7/pkcs7.h"
diff --git a/deps/openssl/openssl/include/openssl/pkcs7.h b/deps/openssl/openssl/include/openssl/pkcs7.h
new file mode 120000
index 00000000000..73e1b23f77e
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/pkcs7.h
@@ -0,0 +1 @@
+../../crypto/pkcs7/pkcs7.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/pqueue.h b/deps/openssl/openssl/include/openssl/pqueue.h
deleted file mode 100644
index 9681ff52cd2..00000000000
--- a/deps/openssl/openssl/include/openssl/pqueue.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/pqueue/pqueue.h"
diff --git a/deps/openssl/openssl/include/openssl/pqueue.h b/deps/openssl/openssl/include/openssl/pqueue.h
new file mode 120000
index 00000000000..93817c2dfcd
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/pqueue.h
@@ -0,0 +1 @@
+../../crypto/pqueue/pqueue.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/rand.h b/deps/openssl/openssl/include/openssl/rand.h
deleted file mode 100644
index 9d1521bd4e3..00000000000
--- a/deps/openssl/openssl/include/openssl/rand.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/rand/rand.h"
diff --git a/deps/openssl/openssl/include/openssl/rand.h b/deps/openssl/openssl/include/openssl/rand.h
new file mode 120000
index 00000000000..11231f85239
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/rand.h
@@ -0,0 +1 @@
+../../crypto/rand/rand.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/rc2.h b/deps/openssl/openssl/include/openssl/rc2.h
deleted file mode 100644
index f2f2bd1f21c..00000000000
--- a/deps/openssl/openssl/include/openssl/rc2.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/rc2/rc2.h"
diff --git a/deps/openssl/openssl/include/openssl/rc2.h b/deps/openssl/openssl/include/openssl/rc2.h
new file mode 120000
index 00000000000..bb5a05c5d1e
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/rc2.h
@@ -0,0 +1 @@
+../../crypto/rc2/rc2.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/rc4.h b/deps/openssl/openssl/include/openssl/rc4.h
deleted file mode 100644
index 306de2f406e..00000000000
--- a/deps/openssl/openssl/include/openssl/rc4.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/rc4/rc4.h"
diff --git a/deps/openssl/openssl/include/openssl/rc4.h b/deps/openssl/openssl/include/openssl/rc4.h
new file mode 120000
index 00000000000..ef7deeb7d4a
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/rc4.h
@@ -0,0 +1 @@
+../../crypto/rc4/rc4.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ripemd.h b/deps/openssl/openssl/include/openssl/ripemd.h
deleted file mode 100644
index 11351fc819d..00000000000
--- a/deps/openssl/openssl/include/openssl/ripemd.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/ripemd/ripemd.h"
diff --git a/deps/openssl/openssl/include/openssl/ripemd.h b/deps/openssl/openssl/include/openssl/ripemd.h
new file mode 120000
index 00000000000..200f562fa7d
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ripemd.h
@@ -0,0 +1 @@
+../../crypto/ripemd/ripemd.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/rsa.h b/deps/openssl/openssl/include/openssl/rsa.h
deleted file mode 100644
index 975e5d355ab..00000000000
--- a/deps/openssl/openssl/include/openssl/rsa.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/rsa/rsa.h"
diff --git a/deps/openssl/openssl/include/openssl/rsa.h b/deps/openssl/openssl/include/openssl/rsa.h
new file mode 120000
index 00000000000..3e5a6547543
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/rsa.h
@@ -0,0 +1 @@
+../../crypto/rsa/rsa.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/safestack.h b/deps/openssl/openssl/include/openssl/safestack.h
deleted file mode 100644
index 8a282b858ba..00000000000
--- a/deps/openssl/openssl/include/openssl/safestack.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/stack/safestack.h"
diff --git a/deps/openssl/openssl/include/openssl/safestack.h b/deps/openssl/openssl/include/openssl/safestack.h
new file mode 120000
index 00000000000..8ca5b4cc7c5
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/safestack.h
@@ -0,0 +1 @@
+../../crypto/stack/safestack.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/seed.h b/deps/openssl/openssl/include/openssl/seed.h
deleted file mode 100644
index bbbf596df86..00000000000
--- a/deps/openssl/openssl/include/openssl/seed.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/seed/seed.h"
diff --git a/deps/openssl/openssl/include/openssl/seed.h b/deps/openssl/openssl/include/openssl/seed.h
new file mode 120000
index 00000000000..05d04a50bf8
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/seed.h
@@ -0,0 +1 @@
+../../crypto/seed/seed.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/sha.h b/deps/openssl/openssl/include/openssl/sha.h
deleted file mode 100644
index ab9d94c3868..00000000000
--- a/deps/openssl/openssl/include/openssl/sha.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/sha/sha.h"
diff --git a/deps/openssl/openssl/include/openssl/sha.h b/deps/openssl/openssl/include/openssl/sha.h
new file mode 120000
index 00000000000..3025cd5d7e5
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/sha.h
@@ -0,0 +1 @@
+../../crypto/sha/sha.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/srp.h b/deps/openssl/openssl/include/openssl/srp.h
deleted file mode 100644
index 8217476779e..00000000000
--- a/deps/openssl/openssl/include/openssl/srp.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/srp/srp.h"
diff --git a/deps/openssl/openssl/include/openssl/srp.h b/deps/openssl/openssl/include/openssl/srp.h
new file mode 120000
index 00000000000..16b73ebd3dd
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/srp.h
@@ -0,0 +1 @@
+../../crypto/srp/srp.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/srtp.h b/deps/openssl/openssl/include/openssl/srtp.h
deleted file mode 100644
index e185494a523..00000000000
--- a/deps/openssl/openssl/include/openssl/srtp.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../ssl/srtp.h"
diff --git a/deps/openssl/openssl/include/openssl/srtp.h b/deps/openssl/openssl/include/openssl/srtp.h
new file mode 120000
index 00000000000..9800e4ee402
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/srtp.h
@@ -0,0 +1 @@
+../../ssl/srtp.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ssl.h b/deps/openssl/openssl/include/openssl/ssl.h
deleted file mode 100644
index 0b0589c639a..00000000000
--- a/deps/openssl/openssl/include/openssl/ssl.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../ssl/ssl.h"
diff --git a/deps/openssl/openssl/include/openssl/ssl.h b/deps/openssl/openssl/include/openssl/ssl.h
new file mode 120000
index 00000000000..e87d9be8fc6
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ssl.h
@@ -0,0 +1 @@
+../../ssl/ssl.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ssl2.h b/deps/openssl/openssl/include/openssl/ssl2.h
deleted file mode 100644
index 11b22055ea7..00000000000
--- a/deps/openssl/openssl/include/openssl/ssl2.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../ssl/ssl2.h"
diff --git a/deps/openssl/openssl/include/openssl/ssl2.h b/deps/openssl/openssl/include/openssl/ssl2.h
new file mode 120000
index 00000000000..72876883c63
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ssl2.h
@@ -0,0 +1 @@
+../../ssl/ssl2.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ssl23.h b/deps/openssl/openssl/include/openssl/ssl23.h
deleted file mode 100644
index fe4dae6661f..00000000000
--- a/deps/openssl/openssl/include/openssl/ssl23.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../ssl/ssl23.h"
diff --git a/deps/openssl/openssl/include/openssl/ssl23.h b/deps/openssl/openssl/include/openssl/ssl23.h
new file mode 120000
index 00000000000..5605052d701
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ssl23.h
@@ -0,0 +1 @@
+../../ssl/ssl23.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ssl3.h b/deps/openssl/openssl/include/openssl/ssl3.h
deleted file mode 100644
index 0fb66a6f752..00000000000
--- a/deps/openssl/openssl/include/openssl/ssl3.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../ssl/ssl3.h"
diff --git a/deps/openssl/openssl/include/openssl/ssl3.h b/deps/openssl/openssl/include/openssl/ssl3.h
new file mode 120000
index 00000000000..5ae2507f28a
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ssl3.h
@@ -0,0 +1 @@
+../../ssl/ssl3.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/stack.h b/deps/openssl/openssl/include/openssl/stack.h
deleted file mode 100644
index 295968cc186..00000000000
--- a/deps/openssl/openssl/include/openssl/stack.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/stack/stack.h"
diff --git a/deps/openssl/openssl/include/openssl/stack.h b/deps/openssl/openssl/include/openssl/stack.h
new file mode 120000
index 00000000000..61d342fcdc5
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/stack.h
@@ -0,0 +1 @@
+../../crypto/stack/stack.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/symhacks.h b/deps/openssl/openssl/include/openssl/symhacks.h
deleted file mode 100644
index f946f4ffc6f..00000000000
--- a/deps/openssl/openssl/include/openssl/symhacks.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/symhacks.h"
diff --git a/deps/openssl/openssl/include/openssl/symhacks.h b/deps/openssl/openssl/include/openssl/symhacks.h
new file mode 120000
index 00000000000..4a1a6913cf7
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/symhacks.h
@@ -0,0 +1 @@
+../../crypto/symhacks.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/tls1.h b/deps/openssl/openssl/include/openssl/tls1.h
deleted file mode 100644
index c43a70ff31f..00000000000
--- a/deps/openssl/openssl/include/openssl/tls1.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../ssl/tls1.h"
diff --git a/deps/openssl/openssl/include/openssl/tls1.h b/deps/openssl/openssl/include/openssl/tls1.h
new file mode 120000
index 00000000000..53d998fbd86
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/tls1.h
@@ -0,0 +1 @@
+../../ssl/tls1.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ts.h b/deps/openssl/openssl/include/openssl/ts.h
deleted file mode 100644
index fe8a2cb51a2..00000000000
--- a/deps/openssl/openssl/include/openssl/ts.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/ts/ts.h"
diff --git a/deps/openssl/openssl/include/openssl/ts.h b/deps/openssl/openssl/include/openssl/ts.h
new file mode 120000
index 00000000000..a75d99db1a8
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ts.h
@@ -0,0 +1 @@
+../../crypto/ts/ts.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/txt_db.h b/deps/openssl/openssl/include/openssl/txt_db.h
deleted file mode 100644
index 167621b6fa8..00000000000
--- a/deps/openssl/openssl/include/openssl/txt_db.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/txt_db/txt_db.h"
diff --git a/deps/openssl/openssl/include/openssl/txt_db.h b/deps/openssl/openssl/include/openssl/txt_db.h
new file mode 120000
index 00000000000..f672e35520c
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/txt_db.h
@@ -0,0 +1 @@
+../../crypto/txt_db/txt_db.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ui.h b/deps/openssl/openssl/include/openssl/ui.h
deleted file mode 100644
index 43dd3ae83a5..00000000000
--- a/deps/openssl/openssl/include/openssl/ui.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/ui/ui.h"
diff --git a/deps/openssl/openssl/include/openssl/ui.h b/deps/openssl/openssl/include/openssl/ui.h
new file mode 120000
index 00000000000..b07defad72b
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ui.h
@@ -0,0 +1 @@
+../../crypto/ui/ui.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ui_compat.h b/deps/openssl/openssl/include/openssl/ui_compat.h
deleted file mode 100644
index c83f160d802..00000000000
--- a/deps/openssl/openssl/include/openssl/ui_compat.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/ui/ui_compat.h"
diff --git a/deps/openssl/openssl/include/openssl/ui_compat.h b/deps/openssl/openssl/include/openssl/ui_compat.h
new file mode 120000
index 00000000000..d8c74b7c5d7
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ui_compat.h
@@ -0,0 +1 @@
+../../crypto/ui/ui_compat.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/whrlpool.h b/deps/openssl/openssl/include/openssl/whrlpool.h
deleted file mode 100644
index e2424fadde2..00000000000
--- a/deps/openssl/openssl/include/openssl/whrlpool.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/whrlpool/whrlpool.h"
diff --git a/deps/openssl/openssl/include/openssl/whrlpool.h b/deps/openssl/openssl/include/openssl/whrlpool.h
new file mode 120000
index 00000000000..125a0816f50
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/whrlpool.h
@@ -0,0 +1 @@
+../../crypto/whrlpool/whrlpool.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/x509.h b/deps/openssl/openssl/include/openssl/x509.h
deleted file mode 100644
index a4651a28652..00000000000
--- a/deps/openssl/openssl/include/openssl/x509.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/x509/x509.h"
diff --git a/deps/openssl/openssl/include/openssl/x509.h b/deps/openssl/openssl/include/openssl/x509.h
new file mode 120000
index 00000000000..b2b85c52486
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/x509.h
@@ -0,0 +1 @@
+../../crypto/x509/x509.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/x509_vfy.h b/deps/openssl/openssl/include/openssl/x509_vfy.h
deleted file mode 100644
index b897aa087bd..00000000000
--- a/deps/openssl/openssl/include/openssl/x509_vfy.h
+++ /dev/null
@@ -1 +0,0 @@
-#include "../../crypto/x509/x509_vfy.h"
diff --git a/deps/openssl/openssl/include/openssl/x509_vfy.h b/deps/openssl/openssl/include/openssl/x509_vfy.h
new file mode 120000
index 00000000000..bb99ad49811
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/x509_vfy.h
@@ -0,0 +1 @@
+../../crypto/x509/x509_vfy.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/x509v3.h b/deps/openssl/openssl/include/openssl/x509v3.h
deleted file mode 100644
index 363795e55a2..00000000000
--- a/deps/openssl/openssl/include/openssl/x509v3.h
+++ /dev/null
@@ -1 +0,0 @@ -#include "../../crypto/x509v3/x509v3.h" diff --git a/deps/openssl/openssl/include/openssl/x509v3.h b/deps/openssl/openssl/include/openssl/x509v3.h new file mode 120000 index 00000000000..63d12f9dc5f --- /dev/null +++ b/deps/openssl/openssl/include/openssl/x509v3.h @@ -0,0 +1 @@ +../../crypto/x509v3/x509v3.h \ No newline at end of file diff --git a/deps/openssl/openssl/openssl.spec b/deps/openssl/openssl/openssl.spec index 40ac462c7ff..3e8f3a9d620 100644 --- a/deps/openssl/openssl/openssl.spec +++ b/deps/openssl/openssl/openssl.spec @@ -7,7 +7,7 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl #Version: %{libmaj}.%{libmin}.%{librel} -Version: 1.0.1m +Version: 1.0.1o Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz License: OpenSSL Group: System Environment/Libraries diff --git a/deps/openssl/openssl/ssl/Makefile b/deps/openssl/openssl/ssl/Makefile index 8dd390e67f9..29d9e4528fc 100644 --- a/deps/openssl/openssl/ssl/Makefile +++ b/deps/openssl/openssl/ssl/Makefile @@ -89,12 +89,13 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff -depend: - @if [ -z "$(THIS)" ]; then \ - $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \ - else \ - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC); \ - fi +update: local_depend + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi + +depend: local_depend + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi +local_depend: + @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new 
@@ -507,26 +508,27 @@ s2_pkt.o: ../include/openssl/ssl3.h ../include/openssl/stack.h s2_pkt.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h s2_pkt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_pkt.c s2_pkt.o: ssl_locl.h -s2_srvr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h -s2_srvr.o: ../include/openssl/buffer.h ../include/openssl/comp.h -s2_srvr.o: ../include/openssl/crypto.h ../include/openssl/dsa.h -s2_srvr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h -s2_srvr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h -s2_srvr.o: ../include/openssl/ecdsa.h ../include/openssl/err.h -s2_srvr.o: ../include/openssl/evp.h ../include/openssl/hmac.h -s2_srvr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -s2_srvr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h -s2_srvr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h -s2_srvr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h -s2_srvr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h -s2_srvr.o: ../include/openssl/pqueue.h ../include/openssl/rand.h -s2_srvr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h -s2_srvr.o: ../include/openssl/sha.h ../include/openssl/srtp.h -s2_srvr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h -s2_srvr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h -s2_srvr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h -s2_srvr.o: ../include/openssl/tls1.h ../include/openssl/x509.h -s2_srvr.o: ../include/openssl/x509_vfy.h s2_srvr.c ssl_locl.h +s2_srvr.o: ../crypto/constant_time_locl.h ../e_os.h ../include/openssl/asn1.h +s2_srvr.o: ../include/openssl/bio.h ../include/openssl/buffer.h +s2_srvr.o: ../include/openssl/comp.h ../include/openssl/crypto.h +s2_srvr.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h +s2_srvr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h +s2_srvr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h +s2_srvr.o: 
../include/openssl/err.h ../include/openssl/evp.h +s2_srvr.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +s2_srvr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +s2_srvr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s2_srvr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s2_srvr.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s2_srvr.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h +s2_srvr.o: ../include/openssl/rand.h ../include/openssl/rsa.h +s2_srvr.o: ../include/openssl/safestack.h ../include/openssl/sha.h +s2_srvr.o: ../include/openssl/srtp.h ../include/openssl/ssl.h +s2_srvr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h +s2_srvr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h +s2_srvr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h +s2_srvr.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h s2_srvr.c +s2_srvr.o: ssl_locl.h s3_both.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_both.o: ../include/openssl/buffer.h ../include/openssl/comp.h s3_both.o: ../include/openssl/crypto.h ../include/openssl/dsa.h diff --git a/deps/openssl/openssl/ssl/d1_both.c b/deps/openssl/openssl/ssl/d1_both.c index c18ec03bd14..8dd8ea33ca7 100644 --- a/deps/openssl/openssl/ssl/d1_both.c +++ b/deps/openssl/openssl/ssl/d1_both.c @@ -485,6 +485,12 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) return i; } + if (mt >= 0 && s->s3->tmp.message_type != mt) { + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_DTLS1_GET_MESSAGE, SSL_R_UNEXPECTED_MESSAGE); + goto f_err; + } + p = (unsigned char *)s->init_buf->data; msg_len = msg_hdr->msg_len; 
@@ -869,6 +875,20 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) /* parse the message fragment header */ dtls1_get_message_header(wire, &msg_hdr); + len = msg_hdr.msg_len; + frag_off = msg_hdr.frag_off; + frag_len = msg_hdr.frag_len; + + /* + * We must have at least frag_len bytes left in the record to be read. + * Fragments must not span records. + */ + if (frag_len > s->s3->rrec.length) { + al = SSL3_AD_ILLEGAL_PARAMETER; + SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT, SSL_R_BAD_LENGTH); + goto f_err; + } + /* * if this is a future (or stale) message it gets buffered * (or dropped)--no further processing at this time @@ -879,10 +899,6 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) && !(s->d1->listen && msg_hdr.seq == 1)) return dtls1_process_out_of_seq_message(s, &msg_hdr, ok); - len = msg_hdr.msg_len; - frag_off = msg_hdr.frag_off; - frag_len = msg_hdr.frag_len; - if (frag_len && frag_len < len) return dtls1_reassemble_fragment(s, &msg_hdr, ok); @@ -913,17 +929,16 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max))) goto f_err; - /* XDTLS: ressurect this when restart is in place */ - s->state = stn; - if (frag_len > 0) { unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[frag_off], frag_len, 0); + /* - * XDTLS: fix this--message fragments cannot span multiple packets + * This shouldn't ever fail due to NBIO because we already checked + * that we have enough data in the record */ if (i <= 0) { s->rwstate = SSL_READING; @@ -944,6 +959,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) } *ok = 1; + s->state = stn; /* * Note that s->init_num is *not* used as current offset in 
@@ -1540,7 +1556,10 @@ int dtls1_process_heartbeat(SSL *s) memcpy(bp, pl, payload); bp += payload; /* Random padding */ - RAND_pseudo_bytes(bp, padding); + if (RAND_pseudo_bytes(bp, padding) < 0) { + OPENSSL_free(buffer); + return -1; + } r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length); @@ -1574,7 +1593,7 @@ int dtls1_process_heartbeat(SSL *s) int dtls1_heartbeat(SSL *s) { unsigned char *buf, *p; - int ret; + int ret = -1; unsigned int payload = 18; /* Sequence number + random bytes */ unsigned int padding = 16; /* Use minimum padding */ @@ -1622,10 +1641,12 @@ int dtls1_heartbeat(SSL *s) /* Sequence number */ s2n(s->tlsext_hb_seq, p); /* 16 random bytes */ - RAND_pseudo_bytes(p, 16); + if (RAND_pseudo_bytes(p, 16) < 0) + goto err; p += 16; /* Random padding */ - RAND_pseudo_bytes(p, padding); + if (RAND_pseudo_bytes(p, padding) < 0) + goto err; ret = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); if (ret >= 0) { @@ -1638,6 +1659,7 @@ int dtls1_heartbeat(SSL *s) s->tlsext_hb_pending = 1; } +err: OPENSSL_free(buf); return ret; diff --git a/deps/openssl/openssl/ssl/d1_clnt.c b/deps/openssl/openssl/ssl/d1_clnt.c index 1394781c047..377c1e61f75 100644 --- a/deps/openssl/openssl/ssl/d1_clnt.c +++ b/deps/openssl/openssl/ssl/d1_clnt.c @@ -212,6 +212,7 @@ int dtls1_connect(SSL *s) (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) { SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR); ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -221,10 +222,12 @@ int dtls1_connect(SSL *s) if (s->init_buf == NULL) { if ((buf = BUF_MEM_new()) == NULL) { ret = -1; + s->state = SSL_ST_ERR; goto end; } if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } s->init_buf = buf; @@ -233,12 +236,14 @@ int dtls1_connect(SSL *s) if (!ssl3_setup_buffers(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } /* setup buffing BIO */ if (!ssl_init_wbio_buffer(s, 0)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } 
@@ -417,6 +422,7 @@ int dtls1_connect(SSL *s) */ if (!ssl3_check_cert_and_algorithm(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } break; @@ -548,6 +554,7 @@ int dtls1_connect(SSL *s) #endif if (!s->method->ssl3_enc->setup_key_block(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -555,6 +562,7 @@ int dtls1_connect(SSL *s) SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } #ifndef OPENSSL_NO_SCTP @@ -735,6 +743,7 @@ int dtls1_connect(SSL *s) goto end; /* break; */ + case SSL_ST_ERR: default: SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE); ret = -1; @@ -945,6 +954,7 @@ static int dtls1_get_hello_verify(SSL *s) f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); + s->state = SSL_ST_ERR; return -1; } diff --git a/deps/openssl/openssl/ssl/d1_lib.c b/deps/openssl/openssl/ssl/d1_lib.c index 94acb15de63..011d7b7cbe6 100644 --- a/deps/openssl/openssl/ssl/d1_lib.c +++ b/deps/openssl/openssl/ssl/d1_lib.c @@ -496,6 +496,9 @@ int dtls1_listen(SSL *s, struct sockaddr *client) { int ret; + /* Ensure there is no state left over from a previous invocation */ + SSL_clear(s); + SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE); s->d1->listen = 1; diff --git a/deps/openssl/openssl/ssl/d1_pkt.c b/deps/openssl/openssl/ssl/d1_pkt.c index 7b49a7dd7a6..d659ed428e6 100644 --- a/deps/openssl/openssl/ssl/d1_pkt.c +++ b/deps/openssl/openssl/ssl/d1_pkt.c @@ -1065,7 +1065,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) (s->d1->handshake_fragment[3] != 0)) { al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_DTLS1_READ_BYTES, SSL_R_BAD_HELLO_REQUEST); - goto err; + goto f_err; } /* diff --git a/deps/openssl/openssl/ssl/d1_srvr.c b/deps/openssl/openssl/ssl/d1_srvr.c index c4ec9fe1084..41c7dc519f1 100644 --- a/deps/openssl/openssl/ssl/d1_srvr.c +++ b/deps/openssl/openssl/ssl/d1_srvr.c 
@@ -224,11 +224,13 @@ int dtls1_accept(SSL *s) if (s->init_buf == NULL) { if ((buf = BUF_MEM_new()) == NULL) { ret = -1; + s->state = SSL_ST_ERR; goto end; } if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { BUF_MEM_free(buf); ret = -1; + s->state = SSL_ST_ERR; goto end; } s->init_buf = buf; @@ -236,6 +238,7 @@ int dtls1_accept(SSL *s) if (!ssl3_setup_buffers(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -257,6 +260,7 @@ int dtls1_accept(SSL *s) #endif if (!ssl_init_wbio_buffer(s, 1)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -470,7 +474,7 @@ int dtls1_accept(SSL *s) #ifndef OPENSSL_NO_PSK || ((alg_k & SSL_kPSK) && s->ctx->psk_identity_hint) #endif - || (alg_k & (SSL_kEDH | SSL_kDHr | SSL_kDHd)) + || (alg_k & SSL_kEDH) || (alg_k & SSL_kEECDH) || ((alg_k & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL @@ -665,15 +669,6 @@ int dtls1_accept(SSL *s) case SSL3_ST_SR_CERT_VRFY_A: case SSL3_ST_SR_CERT_VRFY_B: - /* - * This *should* be the first time we enable CCS, but be - * extra careful about surrounding code changes. We need - * to set this here because we don't know if we're - * expecting a CertificateVerify or not. - */ - if (!s->s3->change_cipher_spec) - s->d1->change_cipher_spec_ok = 1; - /* we should decide if we expected this one */ ret = ssl3_get_cert_verify(s); if (ret <= 0) goto end; 
@@ -690,11 +685,10 @@ int dtls1_accept(SSL *s) case SSL3_ST_SR_FINISHED_A: case SSL3_ST_SR_FINISHED_B: /* - * Enable CCS for resumed handshakes. - * In a full handshake, we end up here through - * SSL3_ST_SR_CERT_VRFY_B, so change_cipher_spec_ok was - * already set. Receiving a CCS clears the flag, so make - * sure not to re-enable it to ban duplicates. + * Enable CCS. Receiving a CCS clears the flag, so make + * sure not to re-enable it to ban duplicates. This *should* be the + * first time we have received one - but we check anyway to be + * cautious. * s->s3->change_cipher_spec is set when a CCS is * processed in d1_pkt.c, and remains set until * the client's Finished message is read. @@ -744,6 +738,7 @@ int dtls1_accept(SSL *s) s->session->cipher = s->s3->tmp.new_cipher; if (!s->method->ssl3_enc->setup_key_block(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -772,6 +767,7 @@ int dtls1_accept(SSL *s) SSL3_CHANGE_CIPHER_SERVER_WRITE)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -852,6 +848,7 @@ int dtls1_accept(SSL *s) goto end; /* break; */ + case SSL_ST_ERR: default: SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_UNKNOWN_STATE); ret = -1; @@ -932,6 +929,7 @@ int dtls1_send_hello_verify_request(SSL *s) &(s->d1->cookie_len)) == 0) { SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR); + s->state = SSL_ST_ERR; return 0; } diff --git a/deps/openssl/openssl/ssl/s2_pkt.c b/deps/openssl/openssl/ssl/s2_pkt.c index 614b9a35d2e..7a618881343 100644 --- a/deps/openssl/openssl/ssl/s2_pkt.c +++ b/deps/openssl/openssl/ssl/s2_pkt.c 
@@ -576,6 +576,20 @@ static int n_do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) s->s2->padding = p; s->s2->mac_data = &(s->s2->wbuf[3]); s->s2->wact_data = &(s->s2->wbuf[3 + mac_size]); + + /* + * It would be clearer to write this as follows: + * if (mac_size + len + p > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER) + * However |len| is user input that could in theory be very large. We + * know |mac_size| and |p| are small, so to avoid any possibility of + * overflow we write it like this. + * + * In theory this should never fail because the logic above should have + * modified |len| if it is too big. But we are being cautious. + */ + if (len > (SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER - (mac_size + p))) { + return -1; + } /* we copy the data into s->s2->wbuf */ memcpy(s->s2->wact_data, buf, len); if (p) diff --git a/deps/openssl/openssl/ssl/s2_srvr.c b/deps/openssl/openssl/ssl/s2_srvr.c index 19bb48c9cd4..4289272b73d 100644 --- a/deps/openssl/openssl/ssl/s2_srvr.c +++ b/deps/openssl/openssl/ssl/s2_srvr.c @@ -111,6 +111,7 @@ #include "ssl_locl.h" #ifndef OPENSSL_NO_SSL2 +#include "../crypto/constant_time_locl.h" # include # include # include @@ -372,12 +373,15 @@ int ssl2_accept(SSL *s) static int get_client_master_key(SSL *s) { int is_export, i, n, keya; - unsigned int ek; + unsigned int num_encrypted_key_bytes, key_length; unsigned long len; unsigned char *p; const SSL_CIPHER *cp; const EVP_CIPHER *c; const EVP_MD *md; + unsigned char rand_premaster_secret[SSL_MAX_MASTER_KEY_LENGTH]; + unsigned char decrypt_good; + size_t j; p = (unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_GET_CLIENT_MASTER_KEY_A) { @@ -465,12 +469,6 @@ static int get_client_master_key(SSL *s) return (0); } - if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) { - is_export = 1; - ek = 8; - } else - ek = 5; - /* * The format of the CLIENT-MASTER-KEY message is * 1 byte message type 
@@ -484,12 +482,27 @@ static int get_client_master_key(SSL *s) * * If the cipher is an export cipher, then the encrypted key bytes * are a fixed portion of the total key (5 or 8 bytes). The size of - * this portion is in |ek|. If the cipher is not an export cipher, - * then the entire key material is encrypted (i.e., clear key length - * must be zero). + * this portion is in |num_encrypted_key_bytes|. If the cipher is not an + * export cipher, then the entire key material is encrypted (i.e., clear + * key length must be zero). */ - if ((!is_export && s->s2->tmp.clear != 0) || - (is_export && s->s2->tmp.clear + ek != (unsigned int)EVP_CIPHER_key_length(c))) { + key_length = (unsigned int)EVP_CIPHER_key_length(c); + if (key_length > SSL_MAX_MASTER_KEY_LENGTH) { + ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); + return -1; + } + + if (s->session->cipher->algorithm2 & SSL2_CF_8_BYTE_ENC) { + is_export = 1; + num_encrypted_key_bytes = 8; + } else if (is_export) { + num_encrypted_key_bytes = 5; + } else { + num_encrypted_key_bytes = key_length; + } + + if (s->s2->tmp.clear + num_encrypted_key_bytes != key_length) { ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH); return -1; 
@@ -499,64 +512,49 @@ static int get_client_master_key(SSL *s) * Decryption can't be expanding, so if we don't have enough encrypted * bytes to fit the key in the buffer, stop now. */ - if ((is_export && s->s2->tmp.enc < ek) || - (!is_export && s->s2->tmp.enc < (unsigned int)EVP_CIPHER_key_length(c))) { + if (s->s2->tmp.enc < num_encrypted_key_bytes) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT); return -1; } + /* + * We must not leak whether a decryption failure occurs because of + * Bleichenbacher's attack on PKCS #1 v1.5 RSA padding (see RFC 2246, + * section 7.4.7.1). The code follows that advice of the TLS RFC and + * generates a random premaster secret for the case that the decrypt + * fails. See https://tools.ietf.org/html/rfc5246#section-7.4.7.1 + */ + + /* + * should be RAND_bytes, but we cannot work around a failure. + */ + if (RAND_pseudo_bytes(rand_premaster_secret, + (int)num_encrypted_key_bytes) <= 0) + return 0; + i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc, &(p[s->s2->tmp.clear]), &(p[s->s2->tmp.clear]), (s->s2->ssl2_rollback) ? 
RSA_SSLV23_PADDING : RSA_PKCS1_PADDING); - - /* bad decrypt */ -# if 1 + ERR_clear_error(); /* * If a bad decrypt, continue with protocol but with a random master * secret (Bleichenbacher attack) */ - if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c)) - || (is_export && i != (int)ek))) { - ERR_clear_error(); - if (is_export) - i = ek; - else - i = EVP_CIPHER_key_length(c); - if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0) - return 0; - } -# else - if (i < 0) { - error = 1; - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_BAD_RSA_DECRYPT); - } - /* incorrect number of key bytes for non export cipher */ - else if ((!is_export && (i != EVP_CIPHER_key_length(c))) - || (is_export && ((i != ek) || (s->s2->tmp.clear + i != - EVP_CIPHER_key_length(c))))) { - error = 1; - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_WRONG_NUMBER_OF_KEY_BITS); - } - if (error) { - ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); - return (-1); + decrypt_good = constant_time_eq_int_8(i, (int)num_encrypted_key_bytes); + for (j = 0; j < num_encrypted_key_bytes; j++) { + p[s->s2->tmp.clear + j] = + constant_time_select_8(decrypt_good, p[s->s2->tmp.clear + j], + rand_premaster_secret[j]); } -# endif - if (is_export) - i = EVP_CIPHER_key_length(c); + s->session->master_key_length = (int)key_length; + memcpy(s->session->master_key, p, key_length); + OPENSSL_cleanse(p, key_length); - if (i > SSL_MAX_MASTER_KEY_LENGTH) { - ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, ERR_R_INTERNAL_ERROR); - return -1; - } - s->session->master_key_length = i; - memcpy(s->session->master_key, p, (unsigned int)i); - return (1); + return 1; } static int get_client_hello(SSL *s) diff --git a/deps/openssl/openssl/ssl/s3_both.c b/deps/openssl/openssl/ssl/s3_both.c index 77374f41eeb..107b460f27b 100644 --- a/deps/openssl/openssl/ssl/s3_both.c +++ b/deps/openssl/openssl/ssl/s3_both.c 
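Review bot: `rand_premaster_secret` in get_client_master_key() is left on the stack when the function returns, while the buffer behind `p` is wiped with OPENSSL_cleanse(). When the RSA decryption fails, constant_time_select_8() copies those random bytes into the key material, so the stack array then holds part of the session master key. I would add `OPENSSL_cleanse(rand_premaster_secret, sizeof(rand_premaster_secret));` before `return 1;`. The comment above RAND_pseudo_bytes() says a failure cannot be worked around, yet the code returns 0 on `<= 0` before the decryption runs; the comment could say so. The function starts outside this hunk.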
@@ -169,7 +169,7 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) i = s->method->ssl3_enc->final_finish_mac(s, sender, slen, s->s3->tmp.finish_md); - if (i == 0) + if (i <= 0) return 0; s->s3->tmp.finish_md_len = i; memcpy(p, s->s3->tmp.finish_md, i); diff --git a/deps/openssl/openssl/ssl/s3_cbc.c b/deps/openssl/openssl/ssl/s3_cbc.c index 598d27edccb..2fb71f277e9 100644 --- a/deps/openssl/openssl/ssl/s3_cbc.c +++ b/deps/openssl/openssl/ssl/s3_cbc.c @@ -149,7 +149,7 @@ int tls1_cbc_remove_padding(const SSL *s, */ if ((s->options & SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) { /* First packet is even in size, so check */ - if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0", 8) == 0) && + if ((CRYPTO_memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0", 8) == 0) && !(padding_length & 1)) { s->s3->flags |= TLS1_FLAGS_TLS_PADDING_BUG; } @@ -639,12 +639,22 @@ void ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, if (k > 0) { if (is_sslv3) { + unsigned overhang; + /* * The SSLv3 header is larger than a single block. overhang is * the number of bytes beyond a single block that the header - * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). + * consumes: either 7 bytes (SHA1) or 11 bytes (MD5). There are no + * ciphersuites in SSLv3 that are not SHA1 or MD5 based and + * therefore we can be confident that the header_length will be + * greater than |md_block_size|. However we add a sanity check just + * in case */ - unsigned overhang = header_length - md_block_size; + if (header_length <= md_block_size) { + /* Should never happen */ + return; + } + overhang = header_length - md_block_size; md_transform(md_state.c, header); memcpy(first_block, header + md_block_size, overhang); memcpy(first_block + overhang, data, md_block_size - overhang); diff --git a/deps/openssl/openssl/ssl/s3_clnt.c b/deps/openssl/openssl/ssl/s3_clnt.c index 0e5acecabb0..0879a0f8baa 100644 --- a/deps/openssl/openssl/ssl/s3_clnt.c +++ b/deps/openssl/openssl/ssl/s3_clnt.c 
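Review bot: The new sanity check in ssl3_cbc_digest_record() (`if (header_length <= md_block_size) { return; }`) exits silently from a function declared `void`, so the caller cannot tell that no MAC was computed. It looks as if the output buffer is simply not written in that case and the caller would then compare against whatever it already held; the rest of the function is outside the hunk, so this needs confirming. Since the branch is marked "Should never happen", I would make the failure visible, for instance by returning a status that the caller checks. At the least the branch should carry a comment such as `/* Should never happen: returns without producing a MAC */`.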
@@ -168,6 +168,9 @@ #endif static int ca_dn_cmp(const X509_NAME *const *a, const X509_NAME *const *b); +#ifndef OPENSSL_NO_TLSEXT +static int ssl3_check_finished(SSL *s); +#endif #ifndef OPENSSL_NO_SSL3_METHOD static const SSL_METHOD *ssl3_get_client_method(int ver) @@ -235,6 +238,7 @@ int ssl3_connect(SSL *s) if ((s->version & 0xff00) != 0x0300) { SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR); + s->state = SSL_ST_ERR; ret = -1; goto end; } @@ -245,10 +249,12 @@ int ssl3_connect(SSL *s) if (s->init_buf == NULL) { if ((buf = BUF_MEM_new()) == NULL) { ret = -1; + s->state = SSL_ST_ERR; goto end; } if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } s->init_buf = buf; @@ -263,6 +269,7 @@ int ssl3_connect(SSL *s) /* setup buffing BIO */ if (!ssl_init_wbio_buffer(s, 0)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -317,12 +324,24 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_CERT_A: case SSL3_ST_CR_CERT_B: +#ifndef OPENSSL_NO_TLSEXT + /* Noop (ret = 0) for everything but EAP-FAST. */ + ret = ssl3_check_finished(s); + if (ret < 0) + goto end; + if (ret == 1) { + s->hit = 1; + s->state = SSL3_ST_CR_FINISHED_A; + s->init_num = 0; + break; + } +#endif /* Check if it is anon DH/ECDH, SRP auth */ /* or PSK */ if (! (s->s3->tmp. new_cipher->algorithm_auth & (SSL_aNULL | SSL_aSRP)) -&& !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { + && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK)) { ret = ssl3_get_server_certificate(s); if (ret <= 0) goto end; @@ -358,6 +377,7 @@ int ssl3_connect(SSL *s) */ if (!ssl3_check_cert_and_algorithm(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } break; @@ -381,6 +401,7 @@ int ssl3_connect(SSL *s) if ((ret = SRP_Calc_A_param(s)) <= 0) { SSLerr(SSL_F_SSL3_CONNECT, SSL_R_SRP_A_CALC); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + s->state = SSL_ST_ERR; goto end; } } 
@@ -472,6 +493,7 @@ int ssl3_connect(SSL *s) #endif if (!s->method->ssl3_enc->setup_key_block(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -479,6 +501,7 @@ int ssl3_connect(SSL *s) SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -553,7 +576,8 @@ int ssl3_connect(SSL *s) case SSL3_ST_CR_FINISHED_A: case SSL3_ST_CR_FINISHED_B: - s->s3->flags |= SSL3_FLAGS_CCS_OK; + if (!s->s3->change_cipher_spec) + s->s3->flags |= SSL3_FLAGS_CCS_OK; ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, SSL3_ST_CR_FINISHED_B); if (ret <= 0) @@ -612,6 +636,7 @@ int ssl3_connect(SSL *s) goto end; /* break; */ + case SSL_ST_ERR: default: SSLerr(SSL_F_SSL3_CONNECT, SSL_R_UNKNOWN_STATE); ret = -1; @@ -658,9 +683,17 @@ int ssl3_client_hello(SSL *s) buf = (unsigned char *)s->init_buf->data; if (s->state == SSL3_ST_CW_CLNT_HELLO_A) { SSL_SESSION *sess = s->session; - if ((sess == NULL) || - (sess->ssl_version != s->version) || - !sess->session_id_length || (sess->not_resumable)) { + if ((sess == NULL) || (sess->ssl_version != s->version) || +#ifdef OPENSSL_NO_TLSEXT + !sess->session_id_length || +#else + /* + * In the case of EAP-FAST, we can have a pre-shared + * "ticket" without a session ID. + */ + (!sess->session_id_length && !sess->tlsext_tick) || +#endif + (sess->not_resumable)) { if (!ssl_get_new_session(s, 0)) goto err; } @@ -798,6 +831,7 @@ int ssl3_client_hello(SSL *s) /* SSL3_ST_CW_CLNT_HELLO_B */ return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); err: + s->state = SSL_ST_ERR; return (-1); } 
@@ -867,10 +901,19 @@ int ssl3_get_server_hello(SSL *s) } #ifndef OPENSSL_NO_TLSEXT /* - * check if we want to resume the session based on external pre-shared - * secret + * Check if we can resume the session based on external pre-shared secret. + * EAP-FAST (RFC 4851) supports two types of session resumption. + * Resumption based on server-side state works with session IDs. + * Resumption based on pre-shared Protected Access Credentials (PACs) + * works by overriding the SessionTicket extension at the application + * layer, and does not send a session ID. (We do not know whether EAP-FAST + * servers would honour the session ID.) Therefore, the session ID alone + * is not a reliable indicator of session resumption, so we first check if + * we can resume, and later peek at the next handshake message to see if the + * server wants to resume. */ - if (s->version >= TLS1_VERSION && s->tls_session_secret_cb) { + if (s->version >= TLS1_VERSION && s->tls_session_secret_cb && + s->session->tlsext_tick) { SSL_CIPHER *pref_cipher = NULL; s->session->master_key_length = sizeof(s->session->master_key); if (s->tls_session_secret_cb(s, s->session->master_key, @@ -879,12 +922,15 @@ int ssl3_get_server_hello(SSL *s) s->tls_session_secret_cb_arg)) { s->session->cipher = pref_cipher ? pref_cipher : ssl_get_cipher_by_char(s, p + j); - s->hit = 1; + } else { + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, ERR_R_INTERNAL_ERROR); + al = SSL_AD_INTERNAL_ERROR; + goto f_err; } } #endif /* OPENSSL_NO_TLSEXT */ - if (!s->hit && j != 0 && j == s->session->session_id_length + if (j != 0 && j == s->session->session_id_length && memcmp(p, s->session->session_id, j) == 0) { if (s->sid_ctx_length != s->session->sid_ctx_length || memcmp(s->session->sid_ctx, s->sid_ctx, s->sid_ctx_length)) { 
@@ -895,12 +941,13 @@ int ssl3_get_server_hello(SSL *s) goto f_err; } s->hit = 1; - } - /* a miss or crap from the other end */ - if (!s->hit) { + } else { /* - * If we were trying for session-id reuse, make a new SSL_SESSION so - * we don't stuff up other people + * If we were trying for session-id reuse but the server + * didn't echo the ID, make a new SSL_SESSION. + * In the case of EAP-FAST and PAC, we do not send a session ID, + * so the PAC-based session secret is always preserved. It'll be + * overwritten if the server refuses resumption. */ if (s->session->session_id_length > 0) { if (!ssl_get_new_session(s, 0)) { @@ -1045,6 +1092,7 @@ int ssl3_get_server_hello(SSL *s) f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: + s->state = SSL_ST_ERR; return (-1); } @@ -1223,8 +1271,10 @@ int ssl3_get_server_certificate(SSL *s) if (0) { f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); - } err: + s->state = SSL_ST_ERR; + } + EVP_PKEY_free(pkey); X509_free(x); sk_X509_pop_free(sk, X509_free); @@ -1546,6 +1596,13 @@ int ssl3_get_key_exchange(SSL *s) SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_INTERNAL_ERROR); goto err; } + + if (EVP_PKEY_bits(pkey) <= SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE); + goto f_err; + } + s->session->sess_cert->peer_rsa_tmp = rsa; rsa = NULL; } @@ -1894,6 +1951,7 @@ int ssl3_get_key_exchange(SSL *s) EC_KEY_free(ecdh); #endif EVP_MD_CTX_cleanup(&md_ctx); + s->state = SSL_ST_ERR; return (-1); } @@ -2050,7 +2108,10 @@ int ssl3_get_certificate_request(SSL *s) ca_sk = NULL; ret = 1; + goto done; err: + s->state = SSL_ST_ERR; + done: if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk, X509_NAME_free); return (ret); 
@@ -2085,6 +2146,38 @@ int ssl3_get_new_session_ticket(SSL *s) } p = d = (unsigned char *)s->init_msg; + + if (s->session->session_id_length > 0) { + int i = s->session_ctx->session_cache_mode; + SSL_SESSION *new_sess; + /* + * We reused an existing session, so we need to replace it with a new + * one + */ + if (i & SSL_SESS_CACHE_CLIENT) { + /* + * Remove the old session from the cache + */ + if (i & SSL_SESS_CACHE_NO_INTERNAL_STORE) { + if (s->session_ctx->remove_session_cb != NULL) + s->session_ctx->remove_session_cb(s->session_ctx, + s->session); + } else { + /* We carry on if this fails */ + SSL_CTX_remove_session(s->session_ctx, s->session); + } + } + + if ((new_sess = ssl_session_dup(s->session, 0)) == 0) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); + goto f_err; + } + + SSL_SESSION_free(s->session); + s->session = new_sess; + } + n2l(p, s->session->tlsext_tick_lifetime_hint); n2s(p, ticklen); /* ticket_lifetime_hint + ticket_length + ticket */ @@ -2127,6 +2220,7 @@ int ssl3_get_new_session_ticket(SSL *s) f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: + s->state = SSL_ST_ERR; return (-1); } @@ -2187,6 +2281,7 @@ int ssl3_get_cert_status(SSL *s) return 1; f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); + s->state = SSL_ST_ERR; return (-1); } #endif @@ -2208,6 +2303,7 @@ int ssl3_get_server_done(SSL *s) /* should contain no data */ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); SSLerr(SSL_F_SSL3_GET_SERVER_DONE, SSL_R_LENGTH_MISMATCH); + s->state = SSL_ST_ERR; return -1; } ret = 1; @@ -2506,8 +2602,6 @@ int ssl3_send_client_key_exchange(SSL *s) n += 2; DH_free(dh_clnt); - - /* perhaps clean things up a bit EAY EAY EAY EAY */ } #endif 
@@ -2729,7 +2823,10 @@ int ssl3_send_client_key_exchange(SSL *s) EVP_PKEY_encrypt_init(pkey_ctx); /* Generate session key */ - RAND_bytes(premaster_secret, 32); + if (RAND_bytes(premaster_secret, 32) <= 0) { + EVP_PKEY_CTX_free(pkey_ctx); + goto err; + } /* * If we have client certificate, use its secret as peer key */ @@ -2948,6 +3045,7 @@ int ssl3_send_client_key_exchange(SSL *s) EC_KEY_free(clnt_ecdh); EVP_PKEY_free(srvr_pub_pkey); #endif + s->state = SSL_ST_ERR; return (-1); } @@ -3081,6 +3179,7 @@ int ssl3_send_client_verify(SSL *s) err: EVP_MD_CTX_cleanup(&mctx); EVP_PKEY_CTX_free(pctx); + s->state = SSL_ST_ERR; return (-1); } @@ -3149,6 +3248,7 @@ int ssl3_send_client_certificate(SSL *s) if (!l) { SSLerr(SSL_F_SSL3_SEND_CLIENT_CERTIFICATE, ERR_R_INTERNAL_ERROR); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR); + s->state = SSL_ST_ERR; return 0; } s->init_num = (int)l; @@ -3165,6 +3265,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) int i, idx; long alg_k, alg_a; EVP_PKEY *pkey = NULL; + int pkey_bits; SESS_CERT *sc; #ifndef OPENSSL_NO_RSA RSA *rsa; @@ -3172,6 +3273,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) #ifndef OPENSSL_NO_DH DH *dh; #endif + int al = SSL_AD_HANDSHAKE_FAILURE; alg_k = s->s3->tmp.new_cipher->algorithm_mkey; alg_a = s->s3->tmp.new_cipher->algorithm_auth; @@ -3207,6 +3309,7 @@ int ssl3_check_cert_and_algorithm(SSL *s) } #endif pkey = X509_get_pubkey(sc->peer_pkeys[idx].x509); + pkey_bits = EVP_PKEY_bits(pkey); i = X509_certificate_type(sc->peer_pkeys[idx].x509, pkey); EVP_PKEY_free(pkey); 
@@ -3224,38 +3327,71 @@ int ssl3_check_cert_and_algorithm(SSL *s) } #endif #ifndef OPENSSL_NO_RSA - if ((alg_k & SSL_kRSA) && - !(has_bits(i, EVP_PK_RSA | EVP_PKT_ENC) || (rsa != NULL))) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, - SSL_R_MISSING_RSA_ENCRYPTING_CERT); - goto f_err; + if (alg_k & SSL_kRSA) { + if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && + !has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, + SSL_R_MISSING_RSA_ENCRYPTING_CERT); + goto f_err; + } else if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) { + if (pkey_bits <= SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { + if (!has_bits(i, EVP_PK_RSA | EVP_PKT_ENC)) { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, + SSL_R_MISSING_RSA_ENCRYPTING_CERT); + goto f_err; + } + if (rsa != NULL) { + /* server key exchange is not allowed. */ + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR); + goto f_err; + } + } + } } #endif #ifndef OPENSSL_NO_DH - if ((alg_k & SSL_kEDH) && - !(has_bits(i, EVP_PK_DH | EVP_PKT_EXCH) || (dh != NULL))) { - SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_KEY); + if ((alg_k & SSL_kEDH) && dh == NULL) { + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, ERR_R_INTERNAL_ERROR); goto f_err; - } else if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH | EVP_PKS_RSA)) { + } + if ((alg_k & SSL_kDHr) && !has_bits(i, EVP_PK_DH | EVP_PKS_RSA)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_RSA_CERT); goto f_err; } # ifndef OPENSSL_NO_DSA - else if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH | EVP_PKS_DSA)) { + if ((alg_k & SSL_kDHd) && !has_bits(i, EVP_PK_DH | EVP_PKS_DSA)) { SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_DH_DSA_CERT); goto f_err; } # endif -#endif - if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i, EVP_PKT_EXP)) { + /* Check DHE only: static DH not implemented. 
*/ + if (alg_k & SSL_kEDH) { + int dh_size = BN_num_bits(dh->p); + if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768) + || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL); + goto f_err; + } + } +#endif /* !OPENSSL_NO_DH */ + + if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && + pkey_bits > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { #ifndef OPENSSL_NO_RSA if (alg_k & SSL_kRSA) { - if (rsa == NULL - || RSA_size(rsa) * 8 > + if (rsa == NULL) { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, + SSL_R_MISSING_EXPORT_TMP_RSA_KEY); + goto f_err; + } else if (BN_num_bits(rsa->n) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { + /* We have a temporary RSA key but it's too large. */ + al = SSL_AD_EXPORT_RESTRICTION; SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_EXPORT_TMP_RSA_KEY); goto f_err; @@ -3263,14 +3399,21 @@ int ssl3_check_cert_and_algorithm(SSL *s) } else #endif #ifndef OPENSSL_NO_DH - if (alg_k & (SSL_kEDH | SSL_kDHr | SSL_kDHd)) { - if (dh == NULL - || DH_size(dh) * 8 > + if (alg_k & SSL_kEDH) { + if (BN_num_bits(dh->p) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher)) { + /* We have a temporary DH key but it's too large. */ + al = SSL_AD_EXPORT_RESTRICTION; SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_MISSING_EXPORT_TMP_DH_KEY); goto f_err; } + } else if (alg_k & (SSL_kDHr | SSL_kDHd)) { + /* The cert should have had an export DH key. */ + al = SSL_AD_EXPORT_RESTRICTION; + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, + SSL_R_MISSING_EXPORT_TMP_DH_KEY); + goto f_err; } else #endif { 
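Review bot: The DHE size check added to ssl3_check_cert_and_algorithm() accepts any non-export group of 768 bits or more (`dh_size < 768`), which is a low floor for a key exchange that protects the whole session. A client offered a 768-bit group by the server will therefore complete the handshake without complaint. If compatibility allows, I would raise the limit, e.g. `dh_size < 1024` in place of `dh_size < 768`, and state in the comment why that number was chosen. The function begins and ends outside this hunk.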
@@ -3281,12 +3424,62 @@ int ssl3_check_cert_and_algorithm(SSL *s) } return (1); f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + ssl3_send_alert(s, SSL3_AL_FATAL, al); err: return (0); } -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#ifndef OPENSSL_NO_TLSEXT +/* + * Normally, we can tell if the server is resuming the session from + * the session ID. EAP-FAST (RFC 4851), however, relies on the next server + * message after the ServerHello to determine if the server is resuming. + * Therefore, we allow EAP-FAST to peek ahead. + * ssl3_check_finished returns 1 if we are resuming from an external + * pre-shared secret, we have a "ticket" and the next server handshake message + * is Finished; and 0 otherwise. It returns -1 upon an error. + */ +static int ssl3_check_finished(SSL *s) +{ + int ok = 0; + + if (s->version < TLS1_VERSION || !s->tls_session_secret_cb || + !s->session->tlsext_tick) + return 0; + + /* Need to permit this temporarily, in case the next message is Finished. */ + s->s3->flags |= SSL3_FLAGS_CCS_OK; + /* + * This function is called when we might get a Certificate message instead, + * so permit appropriate message length. + * We ignore the return value as we're only interested in the message type + * and not its length. + */ + s->method->ssl_get_message(s, + SSL3_ST_CR_CERT_A, + SSL3_ST_CR_CERT_B, + -1, s->max_cert_list, &ok); + s->s3->flags &= ~SSL3_FLAGS_CCS_OK; + + if (!ok) + return -1; + + s->s3->tmp.reuse_message = 1; + + if (s->s3->tmp.message_type == SSL3_MT_FINISHED) + return 1; + + /* If we're not done, then the CCS arrived early and we should bail. */ + if (s->s3->change_cipher_spec) { + SSLerr(SSL_F_SSL3_CHECK_FINISHED, SSL_R_CCS_RECEIVED_EARLY); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); + return -1; + } + + return 0; +} + +# ifndef OPENSSL_NO_NEXTPROTONEG int ssl3_send_next_proto(SSL *s) { unsigned int len, padding_len; 
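Review bot: ssl3_check_finished() returns -1 from the early-CCS branch after sending a fatal alert but does not set `s->state = SSL_ST_ERR`, and its caller in ssl3_connect() only does `if (ret < 0) goto end;`. The other fatal paths this patch touches in s3_clnt.c mark the connection as failed, so this one stands out. I would add `s->state = SSL_ST_ERR;` before that `return -1;`. The `if (!ok) return -1;` exit should probably stay as it is, since `ok` may be 0 for a read that only needs retrying; that is an assumption about ssl_get_message(), which the hunk does not show.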
@@ -3309,8 +3502,8 @@ int ssl3_send_next_proto(SSL *s) return ssl3_do_write(s, SSL3_RT_HANDSHAKE); } -#endif /* !OPENSSL_NO_TLSEXT && - * !OPENSSL_NO_NEXTPROTONEG */ +#endif /* !OPENSSL_NO_NEXTPROTONEG */ +#endif /* !OPENSSL_NO_TLSEXT */ int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) { diff --git a/deps/openssl/openssl/ssl/s3_pkt.c b/deps/openssl/openssl/ssl/s3_pkt.c index 7c9f20c8f99..25cf929a55d 100644 --- a/deps/openssl/openssl/ssl/s3_pkt.c +++ b/deps/openssl/openssl/ssl/s3_pkt.c @@ -347,11 +347,22 @@ static int ssl3_get_record(SSL *s) if (version != s->version) { SSLerr(SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER); if ((s->version & 0xFF00) == (version & 0xFF00) - && !s->enc_write_ctx && !s->write_hash) + && !s->enc_write_ctx && !s->write_hash) { + if (rr->type == SSL3_RT_ALERT) { + /* + * The record is using an incorrect version number, but + * what we've got appears to be an alert. We haven't + * read the body yet to check whether its a fatal or + * not - but chances are it is. We probably shouldn't + * send a fatal alert back. We'll just end. + */ + goto err; + } /* * Send back error using their minor version number :-) */ s->version = (unsigned short)version; + } al = SSL_AD_PROTOCOL_VERSION; goto f_err; } diff --git a/deps/openssl/openssl/ssl/s3_srvr.c b/deps/openssl/openssl/ssl/s3_srvr.c index b8f91bc9455..9aa329260ae 100644 --- a/deps/openssl/openssl/ssl/s3_srvr.c +++ b/deps/openssl/openssl/ssl/s3_srvr.c @@ -266,6 +266,7 @@ int ssl3_accept(SSL *s) if ((s->version >> 8) != 3) { SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); + s->state = SSL_ST_ERR; return -1; } s->type = SSL_ST_ACCEPT; @@ -273,11 +274,13 @@ int ssl3_accept(SSL *s) if (s->init_buf == NULL) { if ((buf = BUF_MEM_new()) == NULL) { ret = -1; + s->state = SSL_ST_ERR; goto end; } if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { BUF_MEM_free(buf); ret = -1; + s->state = SSL_ST_ERR; goto end; } s->init_buf = buf; 
@@ -285,6 +288,7 @@ int ssl3_accept(SSL *s) if (!ssl3_setup_buffers(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -303,6 +307,7 @@ int ssl3_accept(SSL *s) */ if (!ssl_init_wbio_buffer(s, 1)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -320,6 +325,7 @@ int ssl3_accept(SSL *s) SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); ret = -1; + s->state = SSL_ST_ERR; goto end; } else { /* @@ -379,6 +385,7 @@ int ssl3_accept(SSL *s) SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT); ret = SSL_TLSEXT_ERR_ALERT_FATAL; ret = -1; + s->state = SSL_ST_ERR; goto end; } } @@ -529,9 +536,12 @@ int ssl3_accept(SSL *s) skip = 1; s->s3->tmp.cert_request = 0; s->state = SSL3_ST_SW_SRVR_DONE_A; - if (s->s3->handshake_buffer) - if (!ssl3_digest_cached_records(s)) + if (s->s3->handshake_buffer) { + if (!ssl3_digest_cached_records(s)) { + s->state = SSL_ST_ERR; return -1; + } + } } else { s->s3->tmp.cert_request = 1; ret = ssl3_send_certificate_request(s); @@ -629,11 +639,14 @@ int ssl3_accept(SSL *s) */ if (!s->s3->handshake_buffer) { SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR); + s->state = SSL_ST_ERR; return -1; } s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; - if (!ssl3_digest_cached_records(s)) + if (!ssl3_digest_cached_records(s)) { + s->state = SSL_ST_ERR; return -1; + } } else { int offset = 0; int dgst_num; @@ -647,9 +660,12 @@ int ssl3_accept(SSL *s) * CertificateVerify should be generalized. But it is next * step */ - if (s->s3->handshake_buffer) - if (!ssl3_digest_cached_records(s)) + if (s->s3->handshake_buffer) { + if (!ssl3_digest_cached_records(s)) { + s->state = SSL_ST_ERR; return -1; + } + } for (dgst_num = 0; dgst_num < SSL_MAX_DIGEST; dgst_num++) if (s->s3->handshake_dgst[dgst_num]) { int dgst_size; @@ -665,6 +681,7 @@ int ssl3_accept(SSL *s) dgst_size = EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]); if (dgst_size < 0) { + s->state = SSL_ST_ERR; ret = -1; goto end; } 
@@ -675,15 +692,6 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_CERT_VRFY_A: case SSL3_ST_SR_CERT_VRFY_B: - /* - * This *should* be the first time we enable CCS, but be - * extra careful about surrounding code changes. We need - * to set this here because we don't know if we're - * expecting a CertificateVerify or not. - */ - if (!s->s3->change_cipher_spec) - s->s3->flags |= SSL3_FLAGS_CCS_OK; - /* we should decide if we expected this one */ ret = ssl3_get_cert_verify(s); if (ret <= 0) goto end; @@ -703,11 +711,10 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_NEXT_PROTO_A: case SSL3_ST_SR_NEXT_PROTO_B: /* - * Enable CCS for resumed handshakes with NPN. - * In a full handshake with NPN, we end up here through - * SSL3_ST_SR_CERT_VRFY_B, where SSL3_FLAGS_CCS_OK was - * already set. Receiving a CCS clears the flag, so make - * sure not to re-enable it to ban duplicates. + * Enable CCS for NPN. Receiving a CCS clears the flag, so make + * sure not to re-enable it to ban duplicates. This *should* be the + * first time we have received one - but we check anyway to be + * cautious. * s->s3->change_cipher_spec is set when a CCS is * processed in s3_pkt.c, and remains set until * the client's Finished message is read. @@ -726,10 +733,8 @@ int ssl3_accept(SSL *s) case SSL3_ST_SR_FINISHED_A: case SSL3_ST_SR_FINISHED_B: /* - * Enable CCS for resumed handshakes without NPN. - * In a full handshake, we end up here through - * SSL3_ST_SR_CERT_VRFY_B, where SSL3_FLAGS_CCS_OK was - * already set. Receiving a CCS clears the flag, so make + * Enable CCS for handshakes without NPN. In NPN the CCS flag has + * already been set. Receiving a CCS clears the flag, so make * sure not to re-enable it to ban duplicates. * s->s3->change_cipher_spec is set when a CCS is * processed in s3_pkt.c, and remains set until @@ -779,6 +784,7 @@ int ssl3_accept(SSL *s) s->session->cipher = s->s3->tmp.new_cipher; if (!s->method->ssl3_enc->setup_key_block(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } 
@@ -795,6 +801,7 @@ int ssl3_accept(SSL *s) SSL3_CHANGE_CIPHER_SERVER_WRITE)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -857,6 +864,7 @@ int ssl3_accept(SSL *s) goto end; /* break; */ + case SSL_ST_ERR: default: SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE); ret = -1; @@ -991,6 +999,16 @@ int ssl3_get_client_hello(SSL *s) s->first_packet = 0; d = p = (unsigned char *)s->init_msg; + /* + * 2 bytes for client version, SSL3_RANDOM_SIZE bytes for random, 1 byte + * for session id length + */ + if (n < 2 + SSL3_RANDOM_SIZE + 1) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + /* * use version from inside client hello, not from record header (may * differ: see RFC 2246, Appendix E, second paragraph) @@ -1022,6 +1040,12 @@ int ssl3_get_client_hello(SSL *s) unsigned int session_length, cookie_length; session_length = *(p + SSL3_RANDOM_SIZE); + + if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } cookie_length = *(p + SSL3_RANDOM_SIZE + session_length + 1); if (cookie_length == 0) @@ -1035,6 +1059,12 @@ int ssl3_get_client_hello(SSL *s) /* get the session-id */ j = *(p++); + if (p + j > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + s->hit = 0; /* * Versions before 0.9.7 always allow clients to resume sessions in 
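Review bot: The new length checks in ssl3_get_client_hello() compare computed pointers, e.g. `if (p + j > d + n)` and `p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n`, where `j` and `session_length` are read from the peer's message. Forming a pointer beyond the end of the buffer is undefined behaviour in C, so the comparison is not guaranteed to catch an oversized length. Comparing the remaining length avoids that: `if ((d + n) - p < j)`. The same pattern appears in the cookie and cipher-list checks of the following hunks (`p + cookie_len > d + n`, `(p + i + 1) > (d + n)`). The function starts and ends outside these hunks.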
@@ -1079,8 +1109,19 @@ int ssl3_get_client_hello(SSL *s) if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) { /* cookie stuff */ + if (p + 1 > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } cookie_len = *(p++); + if (p + cookie_len > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } + /* * The ClientHello may contain a cookie even if the * HelloVerify message has not been sent--make sure that it @@ -1121,27 +1162,33 @@ int ssl3_get_client_hello(SSL *s) p += cookie_len; } + if (p + 2 > d + n) { + al = SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT); + goto f_err; + } n2s(p, i); - if ((i == 0) && (j != 0)) { - /* we need a cipher if we are not resuming a session */ + + if (i == 0) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_SPECIFIED); goto f_err; } - if ((p + i) >= (d + n)) { + + /* i bytes of cipher data + 1 byte for compression length later */ + if ((p + i + 1) > (d + n)) { /* not enough data */ al = SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH); goto f_err; } - if ((i > 0) && (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) - == NULL)) { + if (ssl_bytes_to_cipher_list(s, p, i, &(ciphers)) == NULL) { goto err; } p += i; /* If it is a hit, check that the cipher is in the list */ - if ((s->hit) && (i > 0)) { + if (s->hit) { j = 0; id = s->session->cipher->id; @@ -1377,8 +1424,8 @@ int ssl3_get_client_hello(SSL *s) sk_SSL_CIPHER_free(s->session->ciphers); s->session->ciphers = ciphers; if (ciphers == NULL) { - al = SSL_AD_ILLEGAL_PARAMETER; - SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_NO_CIPHERS_PASSED); + al = SSL_AD_INTERNAL_ERROR; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); goto f_err; } ciphers = NULL; 
@@ -1450,8 +1497,10 @@ int ssl3_get_client_hello(SSL *s) if (0) { f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); - } err: + s->state = SSL_ST_ERR; + } + if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers); return (ret); @@ -1468,8 +1517,10 @@ int ssl3_send_server_hello(SSL *s) buf = (unsigned char *)s->init_buf->data; #ifdef OPENSSL_NO_TLSEXT p = s->s3->server_random; - if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) + if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) { + s->state = SSL_ST_ERR; return -1; + } #endif /* Do the message type and length last */ d = p = &(buf[4]); @@ -1504,6 +1555,7 @@ int ssl3_send_server_hello(SSL *s) sl = s->session->session_id_length; if (sl > (int)sizeof(s->session->session_id)) { SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); + s->state = SSL_ST_ERR; return -1; } *(p++) = sl; @@ -1526,6 +1578,7 @@ int ssl3_send_server_hello(SSL *s) #ifndef OPENSSL_NO_TLSEXT if (ssl_prepare_serverhello_tlsext(s) <= 0) { SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, SSL_R_SERVERHELLO_TLSEXT); + s->state = SSL_ST_ERR; return -1; } if ((p = @@ -1533,6 +1586,7 @@ int ssl3_send_server_hello(SSL *s) buf + SSL3_RT_MAX_PLAIN_LENGTH)) == NULL) { SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR); + s->state = SSL_ST_ERR; return -1; } #endif @@ -2016,6 +2070,7 @@ int ssl3_send_server_key_exchange(SSL *s) BN_CTX_free(bn_ctx); #endif EVP_MD_CTX_cleanup(&md_ctx); + s->state = SSL_ST_ERR; return (-1); } @@ -2113,6 +2168,7 @@ int ssl3_send_certificate_request(SSL *s) /* SSL3_ST_SW_CERT_REQ_B */ return (ssl3_do_write(s, SSL3_RT_HANDSHAKE)); err: + s->state = SSL_ST_ERR; return (-1); } @@ -2367,6 +2423,7 @@ int ssl3_get_client_key_exchange(SSL *s) int padl, outl; krb5_timestamp authtime = 0; krb5_ticket_times ttimes; + int kerr = 0; EVP_CIPHER_CTX_init(&ciph_ctx); 
@@ -2470,23 +2527,27 @@ int ssl3_get_client_key_exchange(SSL *s) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED); - goto err; + kerr = 1; + goto kclean; } if (outl > SSL_MAX_MASTER_KEY_LENGTH) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG); - goto err; + kerr = 1; + goto kclean; } if (!EVP_DecryptFinal_ex(&ciph_ctx, &(pms[outl]), &padl)) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DECRYPTION_FAILED); - goto err; + kerr = 1; + goto kclean; } outl += padl; if (outl > SSL_MAX_MASTER_KEY_LENGTH) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_R_DATA_LENGTH_TOO_LONG); - goto err; + kerr = 1; + goto kclean; } if (!((pms[0] == (s->client_version >> 8)) && (pms[1] == (s->client_version & 0xff)))) { @@ -2503,7 +2564,8 @@ int ssl3_get_client_key_exchange(SSL *s) if (!(s->options & SSL_OP_TLS_ROLLBACK_BUG)) { SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_AD_DECODE_ERROR); - goto err; + kerr = 1; + goto kclean; } } @@ -2529,6 +2591,11 @@ int ssl3_get_client_key_exchange(SSL *s) * kssl_ctx = kssl_ctx_free(kssl_ctx); * if (s->kssl_ctx) s->kssl_ctx = NULL; */ + + kclean: + OPENSSL_cleanse(pms, sizeof(pms)); + if (kerr) + goto err; } else #endif /* OPENSSL_NO_KRB5 */ @@ -2847,6 +2914,7 @@ int ssl3_get_client_key_exchange(SSL *s) s-> session->master_key, premaster_secret, 32); + OPENSSL_cleanse(premaster_secret, sizeof(premaster_secret)); /* Check if pubkey from client certificate was used */ if (EVP_PKEY_CTX_ctrl (pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) @@ -2879,6 +2947,7 @@ int ssl3_get_client_key_exchange(SSL *s) EC_KEY_free(srvr_ecdh); BN_CTX_free(bn_ctx); #endif + s->state = SSL_ST_ERR; return (-1); } 
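Review bot: In the Kerberos branch of ssl3_get_client_key_exchange, the version-mismatch path calls `SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, SSL_AD_DECODE_ERROR)`, which passes an alert number where the other calls in this hunk pass an SSL_R_* reason code. The error queue will therefore record whichever reason happens to share that numeric value. The commit reroutes this path through `kclean` but leaves the argument as it was; a reason code such as `SSL_R_BAD_PROTOCOL_VERSION_NUMBER` would make the queued error match the failure, which matters when handshake failures are triaged from the error queue or logs. The branch starts and ends outside the hunks shown.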
@@ -2894,39 +2963,31 @@ int ssl3_get_cert_verify(SSL *s) EVP_MD_CTX mctx; EVP_MD_CTX_init(&mctx); + /* + * We should only process a CertificateVerify message if we have received + * a Certificate from the client. If so then |s->session->peer| will be non + * NULL. In some instances a CertificateVerify message is not required even + * if the peer has sent a Certificate (e.g. such as in the case of static + * DH). In that case the ClientKeyExchange processing will skip the + * CertificateVerify state so we should not arrive here. + */ + if (s->session->peer == NULL) { + ret = 1; + goto end; + } + n = s->method->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B, - -1, SSL3_RT_MAX_PLAIN_LENGTH, &ok); + SSL3_MT_CERTIFICATE_VERIFY, + SSL3_RT_MAX_PLAIN_LENGTH, &ok); if (!ok) return ((int)n); - if (s->session->peer != NULL) { - peer = s->session->peer; - pkey = X509_get_pubkey(peer); - type = X509_certificate_type(peer, pkey); - } else { - peer = NULL; - pkey = NULL; - } - - if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { - s->s3->tmp.reuse_message = 1; - if (peer != NULL) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_MISSING_VERIFY_MESSAGE); - goto f_err; - } - ret = 1; - goto end; - } - - if (peer == NULL) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_NO_CLIENT_CERT_RECEIVED); - al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; - } + peer = s->session->peer; + pkey = X509_get_pubkey(peer); + type = X509_certificate_type(peer, pkey); if (!(type & EVP_PKT_SIGN)) { SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, @@ -2935,12 +2996,6 @@ int ssl3_get_cert_verify(SSL *s) goto f_err; } - if (s->s3->change_cipher_spec) { - SSLerr(SSL_F_SSL3_GET_CERT_VERIFY, SSL_R_CCS_RECEIVED_EARLY); - al = SSL_AD_UNEXPECTED_MESSAGE; - goto f_err; - } - /* we now have a signature that we need to verify */ p = (unsigned char *)s->init_msg; /* Check for broken implementations of GOST ciphersuites */ 
@@ -3093,6 +3148,7 @@ int ssl3_get_cert_verify(SSL *s) if (0) { f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); + s->state = SSL_ST_ERR; } end: if (s->s3->handshake_buffer) { @@ -3251,8 +3307,10 @@ int ssl3_get_client_certificate(SSL *s) if (0) { f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); - } err: + s->state = SSL_ST_ERR; + } + if (x != NULL) X509_free(x); if (sk != NULL) @@ -3273,6 +3331,7 @@ int ssl3_send_server_certificate(SSL *s) (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5)) { SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); + s->state = SSL_ST_ERR; return (0); } } @@ -3280,6 +3339,7 @@ int ssl3_send_server_certificate(SSL *s) l = ssl3_output_cert_chain(s, x); if (!l) { SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE, ERR_R_INTERNAL_ERROR); + s->state = SSL_ST_ERR; return (0); } s->state = SSL3_ST_SW_CERT_B; @@ -3315,11 +3375,15 @@ int ssl3_send_newsession_ticket(SSL *s) * Some length values are 16 bits, so forget it if session is too * long */ - if (slen_full == 0 || slen_full > 0xFF00) + if (slen_full == 0 || slen_full > 0xFF00) { + s->state = SSL_ST_ERR; return -1; + } senc = OPENSSL_malloc(slen_full); - if (!senc) + if (!senc) { + s->state = SSL_ST_ERR; return -1; + } EVP_CIPHER_CTX_init(&ctx); HMAC_CTX_init(&hctx); @@ -3442,6 +3506,7 @@ int ssl3_send_newsession_ticket(SSL *s) OPENSSL_free(senc); EVP_CIPHER_CTX_cleanup(&ctx); HMAC_CTX_cleanup(&hctx); + s->state = SSL_ST_ERR; return -1; } @@ -3455,8 +3520,10 @@ int ssl3_send_cert_status(SSL *s) * 1 (ocsp response type) + 3 (ocsp response length) * + (ocsp response) */ - if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) + if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) { + s->state = SSL_ST_ERR; return -1; + } p = (unsigned char *)s->init_buf->data; @@ -3499,6 +3566,7 @@ int ssl3_get_next_proto(SSL *s) if (!s->s3->next_proto_neg_seen) { SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION); + s->state = SSL_ST_ERR; return -1; } 
@@ -3518,11 +3586,14 @@ int ssl3_get_next_proto(SSL *s) */ if (!s->s3->change_cipher_spec) { SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS); + s->state = SSL_ST_ERR; return -1; } - if (n < 2) + if (n < 2) { + s->state = SSL_ST_ERR; return 0; /* The body must be > 1 bytes long */ + } p = (unsigned char *)s->init_msg; @@ -3534,15 +3605,20 @@ int ssl3_get_next_proto(SSL *s) * uint8 padding[padding_len]; */ proto_len = p[0]; - if (proto_len + 2 > s->init_num) + if (proto_len + 2 > s->init_num) { + s->state = SSL_ST_ERR; return 0; + } padding_len = p[proto_len + 1]; - if (proto_len + padding_len + 2 != s->init_num) + if (proto_len + padding_len + 2 != s->init_num) { + s->state = SSL_ST_ERR; return 0; + } s->next_proto_negotiated = OPENSSL_malloc(proto_len); if (!s->next_proto_negotiated) { SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, ERR_R_MALLOC_FAILURE); + s->state = SSL_ST_ERR; return 0; } memcpy(s->next_proto_negotiated, p + 1, proto_len); diff --git a/deps/openssl/openssl/ssl/ssl.h b/deps/openssl/openssl/ssl/ssl.h index b93b67b14bb..d2ab0c074c9 100644 --- a/deps/openssl/openssl/ssl/ssl.h +++ b/deps/openssl/openssl/ssl/ssl.h @@ -1544,6 +1544,7 @@ extern "C" { # define SSL_ST_BEFORE 0x4000 # define SSL_ST_OK 0x03 # define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT) +# define SSL_ST_ERR 0x05 # define SSL_CB_LOOP 0x01 # define SSL_CB_EXIT 0x02 @@ -2303,6 +2304,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL3_CHANGE_CIPHER_STATE 129 # define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130 # define SSL_F_SSL3_CHECK_CLIENT_HELLO 304 +# define SSL_F_SSL3_CHECK_FINISHED 339 # define SSL_F_SSL3_CLIENT_HELLO 131 # define SSL_F_SSL3_CONNECT 132 # define SSL_F_SSL3_CTRL 213 
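Review bot: The three malformed-length exits in ssl3_get_next_proto (`n < 2`, `proto_len + 2 > s->init_num`, and the padding-length mismatch in the next hunk) now set `s->state = SSL_ST_ERR` and return 0 without queuing an error, unlike the neighbouring exits in the same function that call SSLerr first. A handshake that fails on a malformed NextProtocol message then ends in the error state with nothing on the error queue to say why. Adding `SSLerr(SSL_F_SSL3_GET_NEXT_PROTO, SSL_R_LENGTH_MISMATCH);` before each of the three `s->state = SSL_ST_ERR;` lines would keep the exits consistent. The function body starts outside the hunk.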
@@ -2408,6 +2410,7 @@ void ERR_load_SSL_strings(void); # define SSL_F_SSL_READ 223 # define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187 # define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188 +# define SSL_F_SSL_SESSION_DUP 348 # define SSL_F_SSL_SESSION_NEW 189 # define SSL_F_SSL_SESSION_PRINT_FP 190 # define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312 @@ -2522,6 +2525,7 @@ void ERR_load_SSL_strings(void); # define SSL_R_DATA_LENGTH_TOO_LONG 146 # define SSL_R_DECRYPTION_FAILED 147 # define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281 +# define SSL_R_DH_KEY_TOO_SMALL 372 # define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 # define SSL_R_DIGEST_CHECK_FAILED 149 # define SSL_R_DTLS_MESSAGE_TOO_BIG 334 diff --git a/deps/openssl/openssl/ssl/ssl_err.c b/deps/openssl/openssl/ssl/ssl_err.c index ac7312e31ba..88621b72500 100644 --- a/deps/openssl/openssl/ssl/ssl_err.c +++ b/deps/openssl/openssl/ssl/ssl_err.c @@ -160,6 +160,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC), "SSL3_DO_CHANGE_CIPHER_SPEC"}, {ERR_FUNC(SSL_F_SSL3_ENC), "SSL3_ENC"}, + {ERR_FUNC(SSL_F_SSL3_CHECK_FINISHED), "SSL3_CHECK_FINISHED"}, {ERR_FUNC(SSL_F_SSL3_GENERATE_KEY_BLOCK), "SSL3_GENERATE_KEY_BLOCK"}, {ERR_FUNC(SSL_F_SSL3_GET_CERTIFICATE_REQUEST), "SSL3_GET_CERTIFICATE_REQUEST"}, @@ -298,6 +299,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"}, {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"}, {ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"}, + {ERR_FUNC(SSL_F_SSL_SESSION_DUP), "ssl_session_dup"}, {ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"}, {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"}, {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), 
@@ -440,6 +442,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { {ERR_REASON(SSL_R_DECRYPTION_FAILED), "decryption failed"}, {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC), "decryption failed or bad record mac"}, + {ERR_REASON(SSL_R_DH_KEY_TOO_SMALL), "dh key too small"}, {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG), "dh public value length is wrong"}, {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED), "digest check failed"}, diff --git a/deps/openssl/openssl/ssl/ssl_lib.c b/deps/openssl/openssl/ssl/ssl_lib.c index dead126184a..e11746a6950 100644 --- a/deps/openssl/openssl/ssl/ssl_lib.c +++ b/deps/openssl/openssl/ssl/ssl_lib.c @@ -1440,9 +1440,13 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); return (NULL); } - if ((skp == NULL) || (*skp == NULL)) + if ((skp == NULL) || (*skp == NULL)) { sk = sk_SSL_CIPHER_new_null(); /* change perhaps later */ - else { + if(sk == NULL) { + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST, ERR_R_MALLOC_FAILURE); + return NULL; + } + } else { sk = *skp; sk_SSL_CIPHER_zero(sk); } diff --git a/deps/openssl/openssl/ssl/ssl_locl.h b/deps/openssl/openssl/ssl/ssl_locl.h index aff3b65d170..a7f3f8dad4a 100644 --- a/deps/openssl/openssl/ssl/ssl_locl.h +++ b/deps/openssl/openssl/ssl/ssl_locl.h @@ -865,6 +865,7 @@ int ssl_set_peer_cert_type(SESS_CERT *c, int type); int ssl_get_new_session(SSL *s, int session); int ssl_get_prev_session(SSL *s, unsigned char *session, int len, const unsigned char *limit); +SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket); int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b); DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, diff --git a/deps/openssl/openssl/ssl/ssl_sess.c b/deps/openssl/openssl/ssl/ssl_sess.c index fb4e8c52598..1ad9dc79493 100644 --- a/deps/openssl/openssl/ssl/ssl_sess.c +++ b/deps/openssl/openssl/ssl/ssl_sess.c 
@@ -227,6 +227,130 @@ SSL_SESSION *SSL_SESSION_new(void) return (ss); } +/* + * Create a new SSL_SESSION and duplicate the contents of |src| into it. If + * ticket == 0 then no ticket information is duplicated, otherwise it is. + */ +SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) +{ + SSL_SESSION *dest; + + dest = OPENSSL_malloc(sizeof(*src)); + if (dest == NULL) { + goto err; + } + memcpy(dest, src, sizeof(*dest)); + + /* + * Set the various pointers to NULL so that we can call SSL_SESSION_free in + * the case of an error whilst halfway through constructing dest + */ +#ifndef OPENSSL_NO_PSK + dest->psk_identity_hint = NULL; + dest->psk_identity = NULL; +#endif + dest->ciphers = NULL; +#ifndef OPENSSL_NO_TLSEXT + dest->tlsext_hostname = NULL; +# ifndef OPENSSL_NO_EC + dest->tlsext_ecpointformatlist = NULL; + dest->tlsext_ellipticcurvelist = NULL; +# endif +#endif + dest->tlsext_tick = NULL; +#ifndef OPENSSL_NO_SRP + dest->srp_username = NULL; +#endif + memset(&dest->ex_data, 0, sizeof(dest->ex_data)); + + /* We deliberately don't copy the prev and next pointers */ + dest->prev = NULL; + dest->next = NULL; + + dest->references = 1; + + if (src->sess_cert != NULL) + CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT); + + if (src->peer != NULL) + CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509); + +#ifndef OPENSSL_NO_PSK + if (src->psk_identity_hint) { + dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint); + if (dest->psk_identity_hint == NULL) { + goto err; + } + } + if (src->psk_identity) { + dest->psk_identity = BUF_strdup(src->psk_identity); + if (dest->psk_identity == NULL) { + goto err; + } + } +#endif + + if(src->ciphers != NULL) { + dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers); + if (dest->ciphers == NULL) + goto err; + } + + if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, + &dest->ex_data, &src->ex_data)) { + goto err; + } + +#ifndef OPENSSL_NO_TLSEXT + if (src->tlsext_hostname) { + dest->tlsext_hostname 
= BUF_strdup(src->tlsext_hostname); + if (dest->tlsext_hostname == NULL) { + goto err; + } + } +# ifndef OPENSSL_NO_EC + if (src->tlsext_ecpointformatlist) { + dest->tlsext_ecpointformatlist = + BUF_memdup(src->tlsext_ecpointformatlist, + src->tlsext_ecpointformatlist_length); + if (dest->tlsext_ecpointformatlist == NULL) + goto err; + } + if (src->tlsext_ellipticcurvelist) { + dest->tlsext_ellipticcurvelist = + BUF_memdup(src->tlsext_ellipticcurvelist, + src->tlsext_ellipticcurvelist_length); + if (dest->tlsext_ellipticcurvelist == NULL) + goto err; + } +# endif +#endif + + if (ticket != 0) { + dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen); + if(dest->tlsext_tick == NULL) + goto err; + } else { + dest->tlsext_tick_lifetime_hint = 0; + dest->tlsext_ticklen = 0; + } + +#ifndef OPENSSL_NO_SRP + if (src->srp_username) { + dest->srp_username = BUF_strdup(src->srp_username); + if (dest->srp_username == NULL) { + goto err; + } + } +#endif + + return dest; +err: + SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE); + SSL_SESSION_free(dest); + return NULL; +} + const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) { @@ -478,9 +602,14 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, int r; #endif - if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) + if (len < 0 || len > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; + if (session_id + len > limit) { + fatal = 1; + goto err; + } + if (len == 0) try_session_cache = 0; diff --git a/deps/openssl/openssl/ssl/ssl_stat.c b/deps/openssl/openssl/ssl/ssl_stat.c index d725d783423..1b9069f978d 100644 --- a/deps/openssl/openssl/ssl/ssl_stat.c +++ b/deps/openssl/openssl/ssl/ssl_stat.c @@ -117,6 +117,9 @@ const char *SSL_state_string_long(const SSL *s) case SSL_ST_OK | SSL_ST_ACCEPT: str = "ok/accept SSL initialization"; break; + case SSL_ST_ERR: + str = "error"; + break; #ifndef OPENSSL_NO_SSL2 case SSL2_ST_CLIENT_START_ENCRYPTION: str = "SSLv2 client start encryption"; 
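Review bot: In ssl_session_dup, the ticket branch calls `BUF_memdup(src->tlsext_tick, src->tlsext_ticklen)` whenever `ticket != 0`, without first testing `src->tlsext_tick` the way the other optional fields in the function are tested before they are copied. If the source session carries no ticket and BUF_memdup returns NULL for a NULL source (its definition is not on this page, so this needs confirming), the duplicate fails and is reported as ERR_R_MALLOC_FAILURE although no allocation failed. Guarding the branch with `if (ticket != 0 && src->tlsext_tick != NULL)` would copy a ticket only when one exists and let the existing `else` reset the ticket length and lifetime hint otherwise.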
@@ -496,6 +499,9 @@ const char *SSL_state_string(const SSL *s) case SSL_ST_OK: str = "SSLOK "; break; + case SSL_ST_ERR: + str = "SSLERR"; + break; #ifndef OPENSSL_NO_SSL2 case SSL2_ST_CLIENT_START_ENCRYPTION: str = "2CSENC"; diff --git a/deps/openssl/openssl/ssl/ssltest.c b/deps/openssl/openssl/ssl/ssltest.c index 8efbff738e8..6a0c293aa5a 100644 --- a/deps/openssl/openssl/ssl/ssltest.c +++ b/deps/openssl/openssl/ssl/ssltest.c @@ -336,7 +336,9 @@ static void sv_usage(void) " -bytes - number of bytes to swap between client/server\n"); #ifndef OPENSSL_NO_DH fprintf(stderr, - " -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); + " -dhe512 - use 512 bit key for DHE (to test failure)\n"); + fprintf(stderr, + " -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n"); fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); fprintf(stderr, " -no_dhe - disable DHE\n"); @@ -531,7 +533,7 @@ int main(int argc, char *argv[]) long bytes = 256L; #ifndef OPENSSL_NO_DH DH *dh; - int dhe1024 = 0, dhe1024dsa = 0; + int dhe512 = 0, dhe1024dsa = 0; #endif #ifndef OPENSSL_NO_ECDH EC_KEY *ecdh = NULL; @@ -611,19 +613,19 @@ int main(int argc, char *argv[]) debug = 1; else if (strcmp(*argv, "-reuse") == 0) reuse = 1; - else if (strcmp(*argv, "-dhe1024") == 0) { + else if (strcmp(*argv, "-dhe512") == 0) { #ifndef OPENSSL_NO_DH - dhe1024 = 1; + dhe512 = 1; #else fprintf(stderr, - "ignoring -dhe1024, since I'm compiled without DH\n"); + "ignoring -dhe512, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv, "-dhe1024dsa") == 0) { #ifndef OPENSSL_NO_DH dhe1024dsa = 1; #else fprintf(stderr, - "ignoring -dhe1024, since I'm compiled without DH\n"); + "ignoring -dhe1024dsa, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv, "-no_dhe") == 0) no_dhe = 1; 
@@ -905,10 +907,10 @@ int main(int argc, char *argv[]) */ SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); dh = get_dh1024dsa(); - } else if (dhe1024) - dh = get_dh1024(); - else + } else if (dhe512) dh = get_dh512(); + else + dh = get_dh1024(); SSL_CTX_set_tmp_dh(s_ctx, dh); DH_free(dh); } diff --git a/deps/openssl/openssl/ssl/t1_enc.c b/deps/openssl/openssl/ssl/t1_enc.c index 4e2845fa6ec..8f45294e557 100644 --- a/deps/openssl/openssl/ssl/t1_enc.c +++ b/deps/openssl/openssl/ssl/t1_enc.c @@ -261,7 +261,7 @@ static int tls1_PRF(long digest_mask, if ((m << TLS1_PRF_DGST_SHIFT) & digest_mask) count++; } - if(!count) { + if (!count) { /* Should never happen */ SSLerr(SSL_F_TLS1_PRF, ERR_R_INTERNAL_ERROR); goto err; @@ -785,7 +785,7 @@ int tls1_enc(SSL *s, int send) bs = EVP_CIPHER_block_size(ds->cipher); if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { - unsigned char buf[13], *seq; + unsigned char buf[EVP_AEAD_TLS1_AAD_LEN], *seq; seq = send ? s->s3->write_sequence : s->s3->read_sequence; @@ -809,7 +809,10 @@ int tls1_enc(SSL *s, int send) buf[10] = (unsigned char)(s->version); buf[11] = rec->length >> 8; buf[12] = rec->length & 0xff; - pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); + pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, + EVP_AEAD_TLS1_AAD_LEN, buf); + if (pad <= 0) + return -1; if (send) { l += pad; rec->length += pad; diff --git a/deps/openssl/openssl/ssl/t1_lib.c b/deps/openssl/openssl/ssl/t1_lib.c index 243a70f7a60..d70b93feadf 100644 --- a/deps/openssl/openssl/ssl/t1_lib.c +++ b/deps/openssl/openssl/ssl/t1_lib.c 
@@ -1016,19 +1016,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, s->srtp_profile = NULL; - if (data >= (d + n - 2)) + if (data == d + n) goto ri_check; + + if (data > (d + n - 2)) + goto err; + n2s(data, len); if (data > (d + n - len)) - goto ri_check; + goto err; while (data <= (d + n - 4)) { n2s(data, type); n2s(data, size); if (data + size > (d + n)) - goto ri_check; + goto err; # if 0 fprintf(stderr, "Received extension type %d size %d\n", type, size); # endif @@ -1064,16 +1068,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int servname_type; int dsize; - if (size < 2) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (size < 2) + goto err; n2s(data, dsize); size -= 2; - if (dsize > size) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (dsize > size) + goto err; sdata = data; while (dsize > 3) { @@ -1081,18 +1081,16 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, n2s(sdata, len); dsize -= 3; - if (len > dsize) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (len > dsize) + goto err; + if (s->servername_done == 0) switch (servname_type) { case TLSEXT_NAMETYPE_host_name: if (!s->hit) { - if (s->session->tlsext_hostname) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (s->session->tlsext_hostname) + goto err; + if (len > TLSEXT_MAXLEN_host_name) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; 
@@ -1126,31 +1124,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, dsize -= len; } - if (dsize != 0) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (dsize != 0) + goto err; } # ifndef OPENSSL_NO_SRP else if (type == TLSEXT_TYPE_srp) { - if (size <= 0 || ((len = data[0])) != (size - 1)) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - if (s->srp_ctx.login != NULL) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (size == 0 || ((len = data[0])) != (size - 1)) + goto err; + if (s->srp_ctx.login != NULL) + goto err; if ((s->srp_ctx.login = OPENSSL_malloc(len + 1)) == NULL) return -1; memcpy(s->srp_ctx.login, &data[1], len); s->srp_ctx.login[len] = '\0'; - if (strlen(s->srp_ctx.login) != len) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (strlen(s->srp_ctx.login) != len) + goto err; } # endif @@ -1159,10 +1149,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); - if (ecpointformatlist_length != size - 1) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } + if (ecpointformatlist_length != size - 1) + goto err; if (!s->hit) { if (s->session->tlsext_ecpointformatlist) { OPENSSL_free(s->session->tlsext_ecpointformatlist); @@ -1196,15 +1184,13 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, if (ellipticcurvelist_length != size - 2 || ellipticcurvelist_length < 1 || /* Each NamedCurve is 2 bytes. */ - ellipticcurvelist_length & 1) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } + ellipticcurvelist_length & 1) + goto err; + if (!s->hit) { - if (s->session->tlsext_ellipticcurvelist) { - *al = TLS1_AD_DECODE_ERROR; - return 0; - } + if (s->session->tlsext_ellipticcurvelist) + goto err; + s->session->tlsext_ellipticcurvelist_length = 0; if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) { 
@@ -1273,28 +1259,20 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, renegotiate_seen = 1; } else if (type == TLSEXT_TYPE_signature_algorithms) { int dsize; - if (sigalg_seen || size < 2) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (sigalg_seen || size < 2) + goto err; sigalg_seen = 1; n2s(data, dsize); size -= 2; - if (dsize != size || dsize & 1) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } - if (!tls1_process_sigalgs(s, data, dsize)) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (dsize != size || dsize & 1) + goto err; + if (!tls1_process_sigalgs(s, data, dsize)) + goto err; } else if (type == TLSEXT_TYPE_status_request && s->version != DTLS1_VERSION) { - if (size < 5) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (size < 5) + goto err; s->tlsext_status_type = *data++; size--; @@ -1304,35 +1282,26 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, /* Read in responder_id_list */ n2s(data, dsize); size -= 2; - if (dsize > size) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (dsize > size) + goto err; while (dsize > 0) { OCSP_RESPID *id; int idsize; - if (dsize < 4) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (dsize < 4) + goto err; n2s(data, idsize); dsize -= 2 + idsize; size -= 2 + idsize; - if (dsize < 0) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (dsize < 0) + goto err; sdata = data; data += idsize; id = d2i_OCSP_RESPID(NULL, &sdata, idsize); - if (!id) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (!id) + goto err; if (data != sdata) { OCSP_RESPID_free(id); - *al = SSL_AD_DECODE_ERROR; - return 0; + goto err; } if (!s->tlsext_ocsp_ids && !(s->tlsext_ocsp_ids = 
@@ -1349,16 +1318,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, } /* Read in request_extensions */ - if (size < 2) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (size < 2) + goto err; n2s(data, dsize); size -= 2; - if (dsize != size) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (dsize != size) + goto err; sdata = data; if (dsize > 0) { if (s->tlsext_ocsp_exts) { @@ -1368,10 +1333,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, &sdata, dsize); - if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) { - *al = SSL_AD_DECODE_ERROR; - return 0; - } + if (!s->tlsext_ocsp_exts || (data + dsize != sdata)) + goto err; } } /* @@ -1432,6 +1395,10 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, data += size; } + /* Spurious data on the end */ + if (data != d + n) + goto err; + *p = data; ri_check: @@ -1447,6 +1414,9 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, } return 1; +err: + *al = SSL_AD_DECODE_ERROR; + return 0; } # ifndef OPENSSL_NO_NEXTPROTONEG @@ -2612,7 +2582,10 @@ int tls1_process_heartbeat(SSL *s) memcpy(bp, pl, payload); bp += payload; /* Random padding */ - RAND_pseudo_bytes(bp, padding); + if (RAND_pseudo_bytes(bp, padding) < 0) { + OPENSSL_free(buffer); + return -1; + } r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); @@ -2647,7 +2620,7 @@ int tls1_process_heartbeat(SSL *s) int tls1_heartbeat(SSL *s) { unsigned char *buf, *p; - int ret; + int ret = -1; unsigned int payload = 18; /* Sequence number + random bytes */ unsigned int padding = 16; /* Use minimum padding */ 
@@ -2695,10 +2668,16 @@ int tls1_heartbeat(SSL *s) /* Sequence number */ s2n(s->tlsext_hb_seq, p); /* 16 random bytes */ - RAND_pseudo_bytes(p, 16); + if (RAND_pseudo_bytes(p, 16) < 0) { + SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); + goto err; + } p += 16; /* Random padding */ - RAND_pseudo_bytes(p, padding); + if (RAND_pseudo_bytes(p, padding) < 0) { + SSLerr(SSL_F_TLS1_HEARTBEAT, ERR_R_INTERNAL_ERROR); + goto err; + } ret = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buf, 3 + payload + padding); if (ret >= 0) { @@ -2710,6 +2689,7 @@ int tls1_heartbeat(SSL *s) s->tlsext_hb_pending = 1; } +err: OPENSSL_free(buf); return ret; diff --git a/deps/openssl/openssl/ssl/tls_srp.c b/deps/openssl/openssl/ssl/tls_srp.c index d36cfa0a5c2..bb719ba4cf9 100644 --- a/deps/openssl/openssl/ssl/tls_srp.c +++ b/deps/openssl/openssl/ssl/tls_srp.c @@ -454,7 +454,8 @@ int SRP_Calc_A_param(SSL *s) { unsigned char rnd[SSL_MAX_MASTER_KEY_LENGTH]; - RAND_bytes(rnd, sizeof(rnd)); + if (RAND_bytes(rnd, sizeof(rnd)) <= 0) + return -1; s->srp_ctx.a = BN_bin2bn(rnd, sizeof(rnd), s->srp_ctx.a); OPENSSL_cleanse(rnd, sizeof(rnd)); diff --git a/deps/openssl/openssl/test/Makefile b/deps/openssl/openssl/test/Makefile index 9aa920de1bd..0ee4ec28520 100644 --- a/deps/openssl/openssl/test/Makefile +++ b/deps/openssl/openssl/test/Makefile 
@@ -337,12 +337,13 @@ test_constant_time: $(CONSTTIMETEST)$(EXE_EXT) lint: lint -DLINT $(INCLUDES) $(SRC)>fluff -depend: - @if [ -z "$(THIS)" ]; then \ - $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \ - else \ - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \ - fi +update: local_depend + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi + +depend: local_depend + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi +local_depend: + @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC) dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new @@ -354,10 +355,10 @@ clean: rm -f .rnd tmp.bntest tmp.bctest *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE) *.ss *.srl log dummytest $(DLIBSSL): - (cd ..; $(MAKE) DIRS=ssl all) + (cd ..; $(MAKE) build_libssl) $(DLIBCRYPTO): - (cd ..; $(MAKE) DIRS=crypto all) + (cd ..; $(MAKE) build_libcrypto) BUILD_CMD=shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \ shlib_target="$(SHLIB_TARGET)"; \ diff --git a/deps/openssl/openssl/test/testssl b/deps/openssl/openssl/test/testssl index 9fb89a3ddde..b9b86b3b63b 100644 --- a/deps/openssl/openssl/test/testssl +++ b/deps/openssl/openssl/test/testssl @@ -119,10 +119,9 @@ $ssltest -bio_pair -server_auth -client_auth $CA $extra || exit 1 echo test sslv2/sslv3 with both client and server authentication via BIO pair and app verify $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1 -echo "Testing ciphersuites" -for protocol in TLSv1.2 SSLv3; do - echo "Testing ciphersuites for $protocol" - for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do +test_cipher() { + local cipher=$1 + local protocol=$2 echo "Testing $cipher" prot="" if [ $protocol = "SSLv3" ] ; then 
@@ -133,7 +132,38 @@ for protocol in TLSv1.2 SSLv3; do echo "Failed $cipher" exit 1 fi +} + +echo "Testing ciphersuites" +for protocol in TLSv1.2 SSLv3; do + echo "Testing ciphersuites for $protocol" + for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "RSA+$protocol" | tr ':' ' '`; do + test_cipher $cipher $protocol done + if ../util/shlib_wrap.sh ../apps/openssl no-dh; then + echo "skipping RSA+DHE tests" + else + for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do + test_cipher $cipher $protocol + done + echo "testing connection with weak DH, expecting failure" + if [ $protocol = "SSLv3" ] ; then + $ssltest -cipher EDH -dhe512 -ssl3 + else + $ssltest -cipher EDH -dhe512 + fi + if [ $? -eq 0 ]; then + echo "FAIL: connection with weak DH succeeded" + exit 1 + fi + fi + if ../util/shlib_wrap.sh ../apps/openssl no-ec; then + echo "skipping RSA+ECDHE tests" + else + for cipher in `../util/shlib_wrap.sh ../apps/openssl ciphers "EECDH+aRSA+$protocol:-EXP" | tr ':' ' '`; do + test_cipher $cipher $protocol + done + fi done ############################################################################# diff --git a/deps/openssl/openssl/tools/Makefile b/deps/openssl/openssl/tools/Makefile index bb6fb71f3eb..c1a2f6bccf5 100644 --- a/deps/openssl/openssl/tools/Makefile +++ b/deps/openssl/openssl/tools/Makefile @@ -44,6 +44,8 @@ tags: errors: +update: depend + depend: dclean: diff --git a/deps/openssl/openssl/util/mk1mf.pl b/deps/openssl/openssl/util/mk1mf.pl index 550ef9f6853..1eee7aa349e 100755 --- a/deps/openssl/openssl/util/mk1mf.pl +++ b/deps/openssl/openssl/util/mk1mf.pl @@ -326,7 +326,7 @@ $_=; for (;;) { - chop; + s/\s*$//; # was chop, didn't work in mixture of perls for Windows... ($key,$val)=/^([^=]+)=(.*)/; if ($key eq "RELATIVE_DIRECTORY") diff --git a/deps/openssl/openssl/util/mkerr.pl b/deps/openssl/openssl/util/mkerr.pl index 8d2fdbc7e88..d87c4fd22cd 100644 --- a/deps/openssl/openssl/util/mkerr.pl 
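Review bot: In the weak-DH check, `if [ $? -eq 0 ]` accepts every non-zero exit of `$ssltest -cipher EDH -dhe512` as the expected rejection, so a usage error or a crash in ssltest would also pass the test. Whether ssltest distinguishes a refused handshake from other failures is not visible here; if it does, the test should check for that, and otherwise a comment such as `# any non-zero exit is accepted as "weak DH rejected"` would document the limitation. Separately, `test_cipher()` from the previous hunk uses `local`, which is not POSIX sh, and expands `$cipher` and `$protocol` unquoted in `[ $protocol = "SSLv3" ]`.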
+++ b/deps/openssl/openssl/util/mkerr.pl @@ -534,14 +534,21 @@ # First, read any existing reason string definitions: my %err_reason_strings; if (open(IN,"<$cfile")) { + my $line = ""; while () { - if (/\b(${lib}_R_\w*)\b.*\"(.*)\"/) { - $err_reason_strings{$1} = $2; - } - if (/\b${lib}_F_(\w*)\b.*\"(.*)\"/) { - if (!exists $ftrans{$1} && ($1 ne $2)) { - print STDERR "WARNING: Mismatched function string $2\n"; - $ftrans{$1} = $2; + chomp; + $_ = $line . $_; + $line = ""; + if (/{ERR_(FUNC|REASON)\(/) { + if (/\b(${lib}_R_\w*)\b.*\"(.*)\"/) { + $err_reason_strings{$1} = $2; + } elsif (/\b${lib}_F_(\w*)\b.*\"(.*)\"/) { + if (!exists $ftrans{$1} && ($1 ne $2)) { + print STDERR "WARNING: Mismatched function string $2\n"; + $ftrans{$1} = $2; + } + } else { + $line = $_; } } } diff --git a/deps/openssl/openssl/util/pl/BC-32.pl b/deps/openssl/openssl/util/pl/BC-32.pl index b41bb45e820..6d036644de7 100644 --- a/deps/openssl/openssl/util/pl/BC-32.pl +++ b/deps/openssl/openssl/util/pl/BC-32.pl @@ -130,7 +130,7 @@ sub do_link_rule local($ret,$_); $file =~ s/\//$o/g if $o ne '/'; - $n=&bname($targer); + $n=&bname($target); $ret.="$target: $files $dep_libs\n"; $ret.="\t\$(LINK) \$(LFLAGS) $files \$(APP_EX_OBJ), $target,, $libs\n\n"; return($ret); diff --git a/deps/openssl/openssl/util/pl/VC-32.pl b/deps/openssl/openssl/util/pl/VC-32.pl index 3705fc73b70..b5979985152 100644 --- a/deps/openssl/openssl/util/pl/VC-32.pl +++ b/deps/openssl/openssl/util/pl/VC-32.pl @@ -341,7 +341,7 @@ sub do_link_rule my($target,$files,$dep_libs,$libs,$standalone)=@_; local($ret,$_); $file =~ s/\//$o/g if $o ne '/'; - $n=&bname($targer); + $n=&bname($target); $ret.="$target: $files $dep_libs\n"; if ($standalone == 1) { From ee9545469d7914f134f9eb883805754ef83d2410 Mon Sep 17 00:00:00 2001 
From: Shigeki Ohtsu Date: Sat, 13 Jun 2015 02:09:12 +0900 Subject: [PATCH 11/17] deps: replace all headers in openssl Change all openssl/include/openssl/*.h to include resolved symbolic links and openssl/crypto/opensslconf.h to refer config/opensslconf.h. PR: #25523 PR-URL: https://github.com/joyent/node/pull/25523 Reviewed-By: Julien Gilli --- deps/openssl/openssl/crypto/opensslconf.h | 242 +----------------- deps/openssl/openssl/include/openssl/aes.h | 2 +- deps/openssl/openssl/include/openssl/asn1.h | 2 +- .../openssl/include/openssl/asn1_mac.h | 2 +- deps/openssl/openssl/include/openssl/asn1t.h | 2 +- deps/openssl/openssl/include/openssl/bio.h | 2 +- .../openssl/include/openssl/blowfish.h | 2 +- deps/openssl/openssl/include/openssl/bn.h | 2 +- deps/openssl/openssl/include/openssl/buffer.h | 2 +- .../openssl/include/openssl/camellia.h | 2 +- deps/openssl/openssl/include/openssl/cast.h | 2 +- deps/openssl/openssl/include/openssl/cmac.h | 2 +- deps/openssl/openssl/include/openssl/cms.h | 2 +- deps/openssl/openssl/include/openssl/comp.h | 2 +- deps/openssl/openssl/include/openssl/conf.h | 2 +- .../openssl/include/openssl/conf_api.h | 2 +- deps/openssl/openssl/include/openssl/crypto.h | 2 +- deps/openssl/openssl/include/openssl/des.h | 2 +- .../openssl/openssl/include/openssl/des_old.h | 2 +- deps/openssl/openssl/include/openssl/dh.h | 2 +- deps/openssl/openssl/include/openssl/dsa.h | 2 +- deps/openssl/openssl/include/openssl/dso.h | 2 +- deps/openssl/openssl/include/openssl/dtls1.h | 2 +- deps/openssl/openssl/include/openssl/e_os2.h | 2 +- deps/openssl/openssl/include/openssl/ebcdic.h | 2 +- deps/openssl/openssl/include/openssl/ec.h | 2 +- deps/openssl/openssl/include/openssl/ecdh.h | 2 +- deps/openssl/openssl/include/openssl/ecdsa.h | 2 +- deps/openssl/openssl/include/openssl/engine.h | 2 +- deps/openssl/openssl/include/openssl/err.h | 2 +- deps/openssl/openssl/include/openssl/evp.h | 2 +- deps/openssl/openssl/include/openssl/hmac.h | 2 +- 
deps/openssl/openssl/include/openssl/idea.h | 2 +- .../openssl/include/openssl/krb5_asn.h | 2 +- deps/openssl/openssl/include/openssl/kssl.h | 2 +- deps/openssl/openssl/include/openssl/lhash.h | 2 +- deps/openssl/openssl/include/openssl/md4.h | 2 +- deps/openssl/openssl/include/openssl/md5.h | 2 +- deps/openssl/openssl/include/openssl/mdc2.h | 2 +- deps/openssl/openssl/include/openssl/modes.h | 2 +- .../openssl/openssl/include/openssl/obj_mac.h | 2 +- .../openssl/openssl/include/openssl/objects.h | 2 +- deps/openssl/openssl/include/openssl/ocsp.h | 2 +- .../openssl/include/openssl/opensslconf.h | 2 +- .../openssl/include/openssl/opensslv.h | 2 +- .../openssl/include/openssl/ossl_typ.h | 2 +- deps/openssl/openssl/include/openssl/pem.h | 2 +- deps/openssl/openssl/include/openssl/pem2.h | 2 +- deps/openssl/openssl/include/openssl/pkcs12.h | 2 +- deps/openssl/openssl/include/openssl/pkcs7.h | 2 +- deps/openssl/openssl/include/openssl/pqueue.h | 2 +- deps/openssl/openssl/include/openssl/rand.h | 2 +- deps/openssl/openssl/include/openssl/rc2.h | 2 +- deps/openssl/openssl/include/openssl/rc4.h | 2 +- deps/openssl/openssl/include/openssl/ripemd.h | 2 +- deps/openssl/openssl/include/openssl/rsa.h | 2 +- .../openssl/include/openssl/safestack.h | 2 +- deps/openssl/openssl/include/openssl/seed.h | 2 +- deps/openssl/openssl/include/openssl/sha.h | 2 +- deps/openssl/openssl/include/openssl/srp.h | 2 +- deps/openssl/openssl/include/openssl/srtp.h | 2 +- deps/openssl/openssl/include/openssl/ssl.h | 2 +- deps/openssl/openssl/include/openssl/ssl2.h | 2 +- deps/openssl/openssl/include/openssl/ssl23.h | 2 +- deps/openssl/openssl/include/openssl/ssl3.h | 2 +- deps/openssl/openssl/include/openssl/stack.h | 2 +- .../openssl/include/openssl/symhacks.h | 2 +- deps/openssl/openssl/include/openssl/tls1.h | 2 +- deps/openssl/openssl/include/openssl/ts.h | 2 +- deps/openssl/openssl/include/openssl/txt_db.h | 2 +- deps/openssl/openssl/include/openssl/ui.h | 2 +- 
.../openssl/include/openssl/ui_compat.h | 2 +- .../openssl/include/openssl/whrlpool.h | 2 +- deps/openssl/openssl/include/openssl/x509.h | 2 +- .../openssl/include/openssl/x509_vfy.h | 2 +- deps/openssl/openssl/include/openssl/x509v3.h | 2 +- 76 files changed, 76 insertions(+), 316 deletions(-) mode change 120000 => 100644 deps/openssl/openssl/include/openssl/aes.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/asn1.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/asn1_mac.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/asn1t.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/bio.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/blowfish.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/bn.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/buffer.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/camellia.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/cast.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/cmac.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/cms.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/comp.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/conf.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/conf_api.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/crypto.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/des.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/des_old.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/dh.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/dsa.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/dso.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/dtls1.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/e_os2.h mode 
change 120000 => 100644 deps/openssl/openssl/include/openssl/ebcdic.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ec.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ecdh.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ecdsa.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/engine.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/err.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/evp.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/hmac.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/idea.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/krb5_asn.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/kssl.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/lhash.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/md4.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/md5.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/mdc2.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/modes.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/obj_mac.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/objects.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ocsp.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/opensslconf.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/opensslv.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ossl_typ.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/pem.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/pem2.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/pkcs12.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/pkcs7.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/pqueue.h 
mode change 120000 => 100644 deps/openssl/openssl/include/openssl/rand.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/rc2.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/rc4.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ripemd.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/rsa.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/safestack.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/seed.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/sha.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/srp.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/srtp.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ssl.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ssl2.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ssl23.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ssl3.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/stack.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/symhacks.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/tls1.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ts.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/txt_db.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ui.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/ui_compat.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/whrlpool.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/x509.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/x509_vfy.h mode change 120000 => 100644 deps/openssl/openssl/include/openssl/x509v3.h diff --git a/deps/openssl/openssl/crypto/opensslconf.h b/deps/openssl/openssl/crypto/opensslconf.h index 7513d14c753..76c99d433ab 100644 
--- a/deps/openssl/openssl/crypto/opensslconf.h
+++ b/deps/openssl/openssl/crypto/opensslconf.h
@@ -1,241 +1 @@ -/* opensslconf.h */ -/* WARNING: Generated automatically from opensslconf.h.in by Configure. */ - -#ifdef __cplusplus -extern "C" { -#endif -/* OpenSSL was configured with the following options: */ -#ifndef OPENSSL_DOING_MAKEDEPEND - - -#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 -# define OPENSSL_NO_EC_NISTP_64_GCC_128 -#endif -#ifndef OPENSSL_NO_GMP -# define OPENSSL_NO_GMP -#endif -#ifndef OPENSSL_NO_JPAKE -# define OPENSSL_NO_JPAKE -#endif -#ifndef OPENSSL_NO_KRB5 -# define OPENSSL_NO_KRB5 -#endif -#ifndef OPENSSL_NO_MD2 -# define OPENSSL_NO_MD2 -#endif -#ifndef OPENSSL_NO_RC5 -# define OPENSSL_NO_RC5 -#endif -#ifndef OPENSSL_NO_RFC3779 -# define OPENSSL_NO_RFC3779 -#endif -#ifndef OPENSSL_NO_SCTP -# define OPENSSL_NO_SCTP -#endif -#ifndef OPENSSL_NO_STORE -# define OPENSSL_NO_STORE -#endif -#ifndef OPENSSL_NO_UNIT_TEST -# define OPENSSL_NO_UNIT_TEST -#endif - -#endif /* OPENSSL_DOING_MAKEDEPEND */ - -#ifndef OPENSSL_NO_DYNAMIC_ENGINE -# define OPENSSL_NO_DYNAMIC_ENGINE -#endif - -/* The OPENSSL_NO_* macros are also defined as NO_* if the application - asks for it. This is a transient feature that is provided for those - who haven't had the time to do the appropriate changes in their - applications. 
*/ -#ifdef OPENSSL_ALGORITHM_DEFINES -# if defined(OPENSSL_NO_EC_NISTP_64_GCC_128) && !defined(NO_EC_NISTP_64_GCC_128) -# define NO_EC_NISTP_64_GCC_128 -# endif -# if defined(OPENSSL_NO_GMP) && !defined(NO_GMP) -# define NO_GMP -# endif -# if defined(OPENSSL_NO_JPAKE) && !defined(NO_JPAKE) -# define NO_JPAKE -# endif -# if defined(OPENSSL_NO_KRB5) && !defined(NO_KRB5) -# define NO_KRB5 -# endif -# if defined(OPENSSL_NO_MD2) && !defined(NO_MD2) -# define NO_MD2 -# endif -# if defined(OPENSSL_NO_RC5) && !defined(NO_RC5) -# define NO_RC5 -# endif -# if defined(OPENSSL_NO_RFC3779) && !defined(NO_RFC3779) -# define NO_RFC3779 -# endif -# if defined(OPENSSL_NO_SCTP) && !defined(NO_SCTP) -# define NO_SCTP -# endif -# if defined(OPENSSL_NO_STORE) && !defined(NO_STORE) -# define NO_STORE -# endif -# if defined(OPENSSL_NO_UNIT_TEST) && !defined(NO_UNIT_TEST) -# define NO_UNIT_TEST -# endif -#endif - -/* crypto/opensslconf.h.in */ - -/* Generate 80386 code? */ -#undef I386_ONLY - -#if !(defined(VMS) || defined(__VMS)) /* VMS uses logical names instead */ -#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) -#define ENGINESDIR "/usr/local/ssl/lib/engines" -#define OPENSSLDIR "/usr/local/ssl" -#endif -#endif - -#undef OPENSSL_UNISTD -#define OPENSSL_UNISTD - -#undef OPENSSL_EXPORT_VAR_AS_FUNCTION - -#if defined(HEADER_IDEA_H) && !defined(IDEA_INT) -#define IDEA_INT unsigned int -#endif - -#if defined(HEADER_MD2_H) && !defined(MD2_INT) -#define MD2_INT unsigned int -#endif - -#if defined(HEADER_RC2_H) && !defined(RC2_INT) -/* I need to put in a mod for the alpha - eay */ -#define RC2_INT unsigned int -#endif - -#if defined(HEADER_RC4_H) -#if !defined(RC4_INT) -/* using int types make the structure larger but make the code faster - * on most boxes I have tested - up to %20 faster. 
*/ -/* - * I don't know what does "most" mean, but declaring "int" is a must on: - * - Intel P6 because partial register stalls are very expensive; - * - elder Alpha because it lacks byte load/store instructions; - */ -#define RC4_INT unsigned int -#endif -#if !defined(RC4_CHUNK) -/* - * This enables code handling data aligned at natural CPU word - * boundary. See crypto/rc4/rc4_enc.c for further details. - */ -#undef RC4_CHUNK -#endif -#endif - -#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) -/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a - * %20 speed up (longs are 8 bytes, int's are 4). */ -#ifndef DES_LONG -#define DES_LONG unsigned long -#endif -#endif - -#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) -#define CONFIG_HEADER_BN_H -#undef BN_LLONG - -/* Should we define BN_DIV2W here? */ - -/* Only one for the following should be defined */ -#undef SIXTY_FOUR_BIT_LONG -#undef SIXTY_FOUR_BIT -#define THIRTY_TWO_BIT -#endif - -#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) -#define CONFIG_HEADER_RC4_LOCL_H -/* if this is defined data[i] is used instead of *data, this is a %20 - * speedup on x86 */ -#undef RC4_INDEX -#endif - -#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) -#define CONFIG_HEADER_BF_LOCL_H -#undef BF_PTR -#endif /* HEADER_BF_LOCL_H */ - -#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) -#define CONFIG_HEADER_DES_LOCL_H -#ifndef DES_DEFAULT_OPTIONS -/* the following is tweaked from a config script, that is why it is a - * protected undef/define */ -#ifndef DES_PTR -#undef DES_PTR -#endif - -/* This helps C compiler generate the correct code for multiple functional - * units. 
It reduces register dependancies at the expense of 2 more - * registers */ -#ifndef DES_RISC1 -#undef DES_RISC1 -#endif - -#ifndef DES_RISC2 -#undef DES_RISC2 -#endif - -#if defined(DES_RISC1) && defined(DES_RISC2) -YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! -#endif - -/* Unroll the inner loop, this sometimes helps, sometimes hinders. - * Very mucy CPU dependant */ -#ifndef DES_UNROLL -#undef DES_UNROLL -#endif - -/* These default values were supplied by - * Peter Gutman - * They are only used if nothing else has been defined */ -#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL) -/* Special defines which change the way the code is built depending on the - CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find - even newer MIPS CPU's, but at the moment one size fits all for - optimization options. Older Sparc's work better with only UNROLL, but - there's no way to tell at compile time what it is you're running on */ - -#if defined( sun ) /* Newer Sparc's */ -# define DES_PTR -# define DES_RISC1 -# define DES_UNROLL -#elif defined( __ultrix ) /* Older MIPS */ -# define DES_PTR -# define DES_RISC2 -# define DES_UNROLL -#elif defined( __osf1__ ) /* Alpha */ -# define DES_PTR -# define DES_RISC2 -#elif defined ( _AIX ) /* RS6000 */ - /* Unknown */ -#elif defined( __hpux ) /* HP-PA */ - /* Unknown */ -#elif defined( __aux ) /* 68K */ - /* Unknown */ -#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */ -# define DES_UNROLL -#elif defined( __sgi ) /* Newer MIPS */ -# define DES_PTR -# define DES_RISC2 -# define DES_UNROLL -#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */ -# define DES_PTR -# define DES_RISC1 -# define DES_UNROLL -#endif /* Systems-specific speed defines */ -#endif - -#endif /* DES_DEFAULT_OPTIONS */ -#endif /* HEADER_DES_LOCL_H */ -#ifdef __cplusplus -} -#endif +#include "../../config/opensslconf.h" 
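Review bot: The single added line `#include "../../config/opensslconf.h"` replaces every `OPENSSL_NO_*` define this header carried (GMP, JPAKE, KRB5, MD2, RC5, RFC3779, SCTP, STORE and others), so the set of algorithms declared as compiled out now depends entirely on a file this hunk does not show. It is worth confirming that config/opensslconf.h keeps at least the same features disabled on every target, since a dropped define such as `OPENSSL_NO_MD2` could widen what the headers expose without any visible change here. A short comment above the include would also help the next reader, e.g. `/* Stub: the real settings live in deps/openssl/config/opensslconf.h */`.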
diff --git a/deps/openssl/openssl/include/openssl/aes.h b/deps/openssl/openssl/include/openssl/aes.h
deleted file mode 120000
index f555c13ed7b..00000000000
--- a/deps/openssl/openssl/include/openssl/aes.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/aes/aes.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/aes.h b/deps/openssl/openssl/include/openssl/aes.h
new file mode 100644
index 00000000000..f646d41f060
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/aes.h
@@ -0,0 +1 @@
+#include "../../crypto/aes/aes.h"
diff --git a/deps/openssl/openssl/include/openssl/asn1.h b/deps/openssl/openssl/include/openssl/asn1.h
deleted file mode 120000
index dd514954a11..00000000000
--- a/deps/openssl/openssl/include/openssl/asn1.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/asn1/asn1.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/asn1.h b/deps/openssl/openssl/include/openssl/asn1.h
new file mode 100644
index 00000000000..5432ed8dc83
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/asn1.h
@@ -0,0 +1 @@
+#include "../../crypto/asn1/asn1.h"
diff --git a/deps/openssl/openssl/include/openssl/asn1_mac.h b/deps/openssl/openssl/include/openssl/asn1_mac.h
deleted file mode 120000
index 97781d99331..00000000000
--- a/deps/openssl/openssl/include/openssl/asn1_mac.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/asn1/asn1_mac.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/asn1_mac.h b/deps/openssl/openssl/include/openssl/asn1_mac.h
new file mode 100644
index 00000000000..214787c4774
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/asn1_mac.h
@@ -0,0 +1 @@
+#include "../../crypto/asn1/asn1_mac.h"
diff --git a/deps/openssl/openssl/include/openssl/asn1t.h b/deps/openssl/openssl/include/openssl/asn1t.h
deleted file mode 120000
index 31c87c38853..00000000000
--- a/deps/openssl/openssl/include/openssl/asn1t.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/asn1/asn1t.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/asn1t.h b/deps/openssl/openssl/include/openssl/asn1t.h
new file mode 100644
index 00000000000..4de87a9c610
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/asn1t.h
@@ -0,0 +1 @@
+#include "../../crypto/asn1/asn1t.h"
diff --git a/deps/openssl/openssl/include/openssl/bio.h b/deps/openssl/openssl/include/openssl/bio.h
deleted file mode 120000
index c598b6f73a7..00000000000
--- a/deps/openssl/openssl/include/openssl/bio.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/bio/bio.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/bio.h b/deps/openssl/openssl/include/openssl/bio.h
new file mode 100644
index 00000000000..34f8a2df07e
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/bio.h
@@ -0,0 +1 @@
+#include "../../crypto/bio/bio.h"
diff --git a/deps/openssl/openssl/include/openssl/blowfish.h b/deps/openssl/openssl/include/openssl/blowfish.h
deleted file mode 120000
index 88bf9223423..00000000000
--- a/deps/openssl/openssl/include/openssl/blowfish.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/bf/blowfish.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/blowfish.h b/deps/openssl/openssl/include/openssl/blowfish.h
new file mode 100644
index 00000000000..8d515feb058
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/blowfish.h
@@ -0,0 +1 @@
+#include "../../crypto/bf/blowfish.h"
diff --git a/deps/openssl/openssl/include/openssl/bn.h b/deps/openssl/openssl/include/openssl/bn.h
deleted file mode 120000
index 5c251c135af..00000000000
--- a/deps/openssl/openssl/include/openssl/bn.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/bn/bn.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/bn.h b/deps/openssl/openssl/include/openssl/bn.h
new file mode 100644
index 00000000000..f47d65a93f4
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/bn.h
@@ -0,0 +1 @@
+#include "../../crypto/bn/bn.h"
diff --git a/deps/openssl/openssl/include/openssl/buffer.h b/deps/openssl/openssl/include/openssl/buffer.h
deleted file mode 120000
index 76ea7114a2b..00000000000
--- a/deps/openssl/openssl/include/openssl/buffer.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/buffer/buffer.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/buffer.h b/deps/openssl/openssl/include/openssl/buffer.h
new file mode 100644
index 00000000000..1d2c2a2ec1b
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/buffer.h
@@ -0,0 +1 @@
+#include "../../crypto/buffer/buffer.h"
diff --git a/deps/openssl/openssl/include/openssl/camellia.h b/deps/openssl/openssl/include/openssl/camellia.h
deleted file mode 120000
index ad10f9792b6..00000000000
--- a/deps/openssl/openssl/include/openssl/camellia.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/camellia/camellia.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/camellia.h b/deps/openssl/openssl/include/openssl/camellia.h
new file mode 100644
index 00000000000..5a0a141eed5
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/camellia.h
@@ -0,0 +1 @@
+#include "../../crypto/camellia/camellia.h"
diff --git a/deps/openssl/openssl/include/openssl/cast.h b/deps/openssl/openssl/include/openssl/cast.h
deleted file mode 120000
index b775ab04b81..00000000000
--- a/deps/openssl/openssl/include/openssl/cast.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/cast/cast.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/cast.h b/deps/openssl/openssl/include/openssl/cast.h
new file mode 100644
index 00000000000..12cf92c4a9b
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/cast.h
@@ -0,0 +1 @@
+#include "../../crypto/cast/cast.h"
diff --git a/deps/openssl/openssl/include/openssl/cmac.h b/deps/openssl/openssl/include/openssl/cmac.h
deleted file mode 120000
index bfb70c46830..00000000000
--- a/deps/openssl/openssl/include/openssl/cmac.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/cmac/cmac.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/cmac.h b/deps/openssl/openssl/include/openssl/cmac.h
new file mode 100644
index 00000000000..a7579aeabdd
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/cmac.h
@@ -0,0 +1 @@
+#include "../../crypto/cmac/cmac.h"
diff --git a/deps/openssl/openssl/include/openssl/cms.h b/deps/openssl/openssl/include/openssl/cms.h
deleted file mode 120000
index 0f651adde2c..00000000000
--- a/deps/openssl/openssl/include/openssl/cms.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/cms/cms.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/cms.h b/deps/openssl/openssl/include/openssl/cms.h
new file mode 100644
index 00000000000..8687c7fe467
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/cms.h
@@ -0,0 +1 @@
+#include "../../crypto/cms/cms.h"
diff --git a/deps/openssl/openssl/include/openssl/comp.h b/deps/openssl/openssl/include/openssl/comp.h
deleted file mode 120000
index 712c9d4ae58..00000000000
--- a/deps/openssl/openssl/include/openssl/comp.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/comp/comp.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/comp.h b/deps/openssl/openssl/include/openssl/comp.h
new file mode 100644
index 00000000000..d14e36cc36b
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/comp.h
@@ -0,0 +1 @@
+#include "../../crypto/comp/comp.h"
diff --git a/deps/openssl/openssl/include/openssl/conf.h b/deps/openssl/openssl/include/openssl/conf.h
deleted file mode 120000
index 44156b189b0..00000000000
--- a/deps/openssl/openssl/include/openssl/conf.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/conf/conf.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/conf.h b/deps/openssl/openssl/include/openssl/conf.h
new file mode 100644
index 00000000000..3882c82f8d0
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/conf.h
@@ -0,0 +1 @@
+#include "../../crypto/conf/conf.h"
diff --git a/deps/openssl/openssl/include/openssl/conf_api.h b/deps/openssl/openssl/include/openssl/conf_api.h
deleted file mode 120000
index 26b42198a86..00000000000
--- a/deps/openssl/openssl/include/openssl/conf_api.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/conf/conf_api.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/conf_api.h b/deps/openssl/openssl/include/openssl/conf_api.h
new file mode 100644
index 00000000000..03933578574
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/conf_api.h
@@ -0,0 +1 @@
+#include "../../crypto/conf/conf_api.h"
diff --git a/deps/openssl/openssl/include/openssl/crypto.h b/deps/openssl/openssl/include/openssl/crypto.h
deleted file mode 120000
index 2f3f63cb016..00000000000
--- a/deps/openssl/openssl/include/openssl/crypto.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/crypto.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/crypto.h b/deps/openssl/openssl/include/openssl/crypto.h
new file mode 100644
index 00000000000..7e3d91e42f0
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/crypto.h
@@ -0,0 +1 @@
+#include "../../crypto/crypto.h"
diff --git a/deps/openssl/openssl/include/openssl/des.h b/deps/openssl/openssl/include/openssl/des.h
deleted file mode 120000
index 5eb7c88b38a..00000000000
--- a/deps/openssl/openssl/include/openssl/des.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/des/des.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/des.h b/deps/openssl/openssl/include/openssl/des.h
new file mode 100644
index 00000000000..1d6631e9b6a
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/des.h
@@ -0,0 +1 @@
+#include "../../crypto/des/des.h"
diff --git a/deps/openssl/openssl/include/openssl/des_old.h b/deps/openssl/openssl/include/openssl/des_old.h
deleted file mode 120000
index 97098988052..00000000000
--- a/deps/openssl/openssl/include/openssl/des_old.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/des/des_old.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/des_old.h b/deps/openssl/openssl/include/openssl/des_old.h
new file mode 100644
index 00000000000..e5828733cca
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/des_old.h
@@ -0,0 +1 @@
+#include "../../crypto/des/des_old.h"
diff --git a/deps/openssl/openssl/include/openssl/dh.h b/deps/openssl/openssl/include/openssl/dh.h
deleted file mode 120000
index c0eacb5eb35..00000000000
--- a/deps/openssl/openssl/include/openssl/dh.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/dh/dh.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/dh.h b/deps/openssl/openssl/include/openssl/dh.h
new file mode 100644
index 00000000000..f70a767ac90
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/dh.h
@@ -0,0 +1 @@
+#include "../../crypto/dh/dh.h"
diff --git a/deps/openssl/openssl/include/openssl/dsa.h b/deps/openssl/openssl/include/openssl/dsa.h
deleted file mode 120000
index ad4695f9b6a..00000000000
--- a/deps/openssl/openssl/include/openssl/dsa.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/dsa/dsa.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/dsa.h b/deps/openssl/openssl/include/openssl/dsa.h
new file mode 100644
index 00000000000..0365acfe665
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/dsa.h
@@ -0,0 +1 @@
+#include "../../crypto/dsa/dsa.h"
diff --git a/deps/openssl/openssl/include/openssl/dso.h b/deps/openssl/openssl/include/openssl/dso.h
deleted file mode 120000
index b1f215dafc8..00000000000
--- a/deps/openssl/openssl/include/openssl/dso.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/dso/dso.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/dso.h b/deps/openssl/openssl/include/openssl/dso.h
new file mode 100644
index 00000000000..f3c8de23065
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/dso.h
@@ -0,0 +1 @@
+#include "../../crypto/dso/dso.h"
diff --git a/deps/openssl/openssl/include/openssl/dtls1.h b/deps/openssl/openssl/include/openssl/dtls1.h
deleted file mode 120000
index 95aef9913ab..00000000000
--- a/deps/openssl/openssl/include/openssl/dtls1.h
+++ /dev/null
@@ -1 +0,0 @@
-../../ssl/dtls1.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/dtls1.h b/deps/openssl/openssl/include/openssl/dtls1.h
new file mode 100644
index 00000000000..ac8ab57453c
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/dtls1.h
@@ -0,0 +1 @@
+#include "../../ssl/dtls1.h"
diff --git a/deps/openssl/openssl/include/openssl/e_os2.h b/deps/openssl/openssl/include/openssl/e_os2.h
deleted file mode 120000
index 0e8c0399248..00000000000
--- a/deps/openssl/openssl/include/openssl/e_os2.h
+++ /dev/null
@@ -1 +0,0 @@
-../../e_os2.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/e_os2.h b/deps/openssl/openssl/include/openssl/e_os2.h
new file mode 100644
index 00000000000..ab3f1ee44f4
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/e_os2.h
@@ -0,0 +1 @@
+#include "../../e_os2.h"
diff --git a/deps/openssl/openssl/include/openssl/ebcdic.h b/deps/openssl/openssl/include/openssl/ebcdic.h
deleted file mode 120000
index a7ee60e0aee..00000000000
--- a/deps/openssl/openssl/include/openssl/ebcdic.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/ebcdic.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ebcdic.h b/deps/openssl/openssl/include/openssl/ebcdic.h
new file mode 100644
index 00000000000..6dedc7051d2
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ebcdic.h
@@ -0,0 +1 @@
+#include "../../crypto/ebcdic.h"
diff --git a/deps/openssl/openssl/include/openssl/ec.h b/deps/openssl/openssl/include/openssl/ec.h
deleted file mode 120000
index 245497eda7c..00000000000
--- a/deps/openssl/openssl/include/openssl/ec.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/ec/ec.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ec.h b/deps/openssl/openssl/include/openssl/ec.h
new file mode 100644
index 00000000000..7d206145260
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ec.h
@@ -0,0 +1 @@
+#include "../../crypto/ec/ec.h"
diff --git a/deps/openssl/openssl/include/openssl/ecdh.h b/deps/openssl/openssl/include/openssl/ecdh.h
deleted file mode 120000
index 3fd1c3ba39f..00000000000
--- a/deps/openssl/openssl/include/openssl/ecdh.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/ecdh/ecdh.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ecdh.h b/deps/openssl/openssl/include/openssl/ecdh.h
new file mode 100644
index 00000000000..ad6e3dc9c7e
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ecdh.h
@@ -0,0 +1 @@
+#include "../../crypto/ecdh/ecdh.h"
diff --git a/deps/openssl/openssl/include/openssl/ecdsa.h b/deps/openssl/openssl/include/openssl/ecdsa.h
deleted file mode 120000
index e48acc669ce..00000000000
--- a/deps/openssl/openssl/include/openssl/ecdsa.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/ecdsa/ecdsa.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ecdsa.h b/deps/openssl/openssl/include/openssl/ecdsa.h
new file mode 100644
index 00000000000..da451230932
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ecdsa.h
@@ -0,0 +1 @@
+#include "../../crypto/ecdsa/ecdsa.h"
diff --git a/deps/openssl/openssl/include/openssl/engine.h b/deps/openssl/openssl/include/openssl/engine.h
deleted file mode 120000
index a02073e32aa..00000000000
--- a/deps/openssl/openssl/include/openssl/engine.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/engine/engine.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/engine.h b/deps/openssl/openssl/include/openssl/engine.h
new file mode 100644
index 00000000000..2dceaac6c78
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/engine.h
@@ -0,0 +1 @@
+#include "../../crypto/engine/engine.h"
diff --git a/deps/openssl/openssl/include/openssl/err.h b/deps/openssl/openssl/include/openssl/err.h
deleted file mode 120000
index 20f65bd9c8c..00000000000
--- a/deps/openssl/openssl/include/openssl/err.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/err/err.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/err.h b/deps/openssl/openssl/include/openssl/err.h
new file mode 100644
index 00000000000..caf89a936cd
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/err.h
@@ -0,0 +1 @@
+#include "../../crypto/err/err.h"
diff --git a/deps/openssl/openssl/include/openssl/evp.h b/deps/openssl/openssl/include/openssl/evp.h
deleted file mode 120000
index 7e3a904ae95..00000000000
--- a/deps/openssl/openssl/include/openssl/evp.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/evp/evp.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/evp.h b/deps/openssl/openssl/include/openssl/evp.h
new file mode 100644
index 00000000000..dd7bcda8f3c
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/evp.h
@@ -0,0 +1 @@
+#include "../../crypto/evp/evp.h"
diff --git a/deps/openssl/openssl/include/openssl/hmac.h b/deps/openssl/openssl/include/openssl/hmac.h
deleted file mode 120000
index de19ba7ede0..00000000000
--- a/deps/openssl/openssl/include/openssl/hmac.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/hmac/hmac.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/hmac.h b/deps/openssl/openssl/include/openssl/hmac.h
new file mode 100644
index 00000000000..202128bf52c
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/hmac.h
@@ -0,0 +1 @@
+#include "../../crypto/hmac/hmac.h"
diff --git a/deps/openssl/openssl/include/openssl/idea.h b/deps/openssl/openssl/include/openssl/idea.h
deleted file mode 120000
index 724fa345811..00000000000
--- a/deps/openssl/openssl/include/openssl/idea.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/idea/idea.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/idea.h b/deps/openssl/openssl/include/openssl/idea.h
new file mode 100644
index 00000000000..bdf697d6805
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/idea.h
@@ -0,0 +1 @@
+#include "../../crypto/idea/idea.h"
diff --git a/deps/openssl/openssl/include/openssl/krb5_asn.h b/deps/openssl/openssl/include/openssl/krb5_asn.h
deleted file mode 120000
index 1172e522e4f..00000000000
--- a/deps/openssl/openssl/include/openssl/krb5_asn.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/krb5/krb5_asn.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/krb5_asn.h b/deps/openssl/openssl/include/openssl/krb5_asn.h
new file mode 100644
index 00000000000..0d3feea281f
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/krb5_asn.h
@@ -0,0 +1 @@
+#include "../../crypto/krb5/krb5_asn.h"
diff --git a/deps/openssl/openssl/include/openssl/kssl.h b/deps/openssl/openssl/include/openssl/kssl.h
deleted file mode 120000
index 2e5c2cd4dcb..00000000000
--- a/deps/openssl/openssl/include/openssl/kssl.h
+++ /dev/null
@@ -1 +0,0 @@
-../../ssl/kssl.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/kssl.h b/deps/openssl/openssl/include/openssl/kssl.h
new file mode 100644
index 00000000000..719634aad90
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/kssl.h
@@ -0,0 +1 @@
+#include "../../ssl/kssl.h"
diff --git a/deps/openssl/openssl/include/openssl/lhash.h b/deps/openssl/openssl/include/openssl/lhash.h
deleted file mode 120000
index 56eb09918c7..00000000000
--- a/deps/openssl/openssl/include/openssl/lhash.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/lhash/lhash.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/lhash.h b/deps/openssl/openssl/include/openssl/lhash.h
new file mode 100644
index 00000000000..2d3db87cd5d
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/lhash.h
@@ -0,0 +1 @@
+#include "../../crypto/lhash/lhash.h"
diff --git a/deps/openssl/openssl/include/openssl/md4.h b/deps/openssl/openssl/include/openssl/md4.h
deleted file mode 120000
index 4ff863e7fc9..00000000000
--- a/deps/openssl/openssl/include/openssl/md4.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/md4/md4.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/md4.h b/deps/openssl/openssl/include/openssl/md4.h
new file mode 100644
index 00000000000..611806e5eaf
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/md4.h
@@ -0,0 +1 @@
+#include "../../crypto/md4/md4.h"
diff --git a/deps/openssl/openssl/include/openssl/md5.h b/deps/openssl/openssl/include/openssl/md5.h
deleted file mode 120000
index 26fa47eb5ce..00000000000
--- a/deps/openssl/openssl/include/openssl/md5.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/md5/md5.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/md5.h b/deps/openssl/openssl/include/openssl/md5.h
new file mode 100644
index 00000000000..aa8cd0bf863
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/md5.h
@@ -0,0 +1 @@
+#include "../../crypto/md5/md5.h"
diff --git a/deps/openssl/openssl/include/openssl/mdc2.h b/deps/openssl/openssl/include/openssl/mdc2.h
deleted file mode 120000
index 0bc32f121cb..00000000000
--- a/deps/openssl/openssl/include/openssl/mdc2.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/mdc2/mdc2.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/mdc2.h b/deps/openssl/openssl/include/openssl/mdc2.h
new file mode 100644
index 00000000000..ac284a179a0
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/mdc2.h
@@ -0,0 +1 @@
+#include "../../crypto/mdc2/mdc2.h"
diff --git a/deps/openssl/openssl/include/openssl/modes.h b/deps/openssl/openssl/include/openssl/modes.h
deleted file mode 120000
index ccc172827f1..00000000000
--- a/deps/openssl/openssl/include/openssl/modes.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/modes/modes.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/modes.h b/deps/openssl/openssl/include/openssl/modes.h
new file mode 100644
index 00000000000..f57fcfea800
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/modes.h
@@ -0,0 +1 @@
+#include "../../crypto/modes/modes.h"
diff --git a/deps/openssl/openssl/include/openssl/obj_mac.h b/deps/openssl/openssl/include/openssl/obj_mac.h
deleted file mode 120000
index 0f443c828bc..00000000000
--- a/deps/openssl/openssl/include/openssl/obj_mac.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/objects/obj_mac.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/obj_mac.h b/deps/openssl/openssl/include/openssl/obj_mac.h
new file mode 100644
index 00000000000..3890fa9bc41
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/obj_mac.h
@@ -0,0 +1 @@
+#include "../../crypto/objects/obj_mac.h"
diff --git a/deps/openssl/openssl/include/openssl/objects.h b/deps/openssl/openssl/include/openssl/objects.h
deleted file mode 120000
index 7bd145ca086..00000000000
--- a/deps/openssl/openssl/include/openssl/objects.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/objects/objects.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/objects.h b/deps/openssl/openssl/include/openssl/objects.h
new file mode 100644
index 00000000000..5365a044bdc
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/objects.h
@@ -0,0 +1 @@
+#include "../../crypto/objects/objects.h"
diff --git a/deps/openssl/openssl/include/openssl/ocsp.h b/deps/openssl/openssl/include/openssl/ocsp.h
deleted file mode 120000
index 08288c84a65..00000000000
--- a/deps/openssl/openssl/include/openssl/ocsp.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/ocsp/ocsp.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ocsp.h b/deps/openssl/openssl/include/openssl/ocsp.h
new file mode 100644
index 00000000000..50e2885cedb
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ocsp.h
@@ -0,0 +1 @@
+#include "../../crypto/ocsp/ocsp.h"
diff --git a/deps/openssl/openssl/include/openssl/opensslconf.h b/deps/openssl/openssl/include/openssl/opensslconf.h
deleted file mode 120000
index 25d2bea96c8..00000000000
--- a/deps/openssl/openssl/include/openssl/opensslconf.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/opensslconf.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/opensslconf.h b/deps/openssl/openssl/include/openssl/opensslconf.h
new file mode 100644
index 00000000000..221be629b72
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/opensslconf.h
@@ -0,0 +1 @@
+#include "../../crypto/opensslconf.h"
diff --git a/deps/openssl/openssl/include/openssl/opensslv.h b/deps/openssl/openssl/include/openssl/opensslv.h
deleted file mode 120000
index f314f5fc717..00000000000
--- a/deps/openssl/openssl/include/openssl/opensslv.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/opensslv.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/opensslv.h b/deps/openssl/openssl/include/openssl/opensslv.h
new file mode 100644
index 00000000000..c39a0c3882d
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/opensslv.h
@@ -0,0 +1 @@
+#include "../../crypto/opensslv.h"
diff --git a/deps/openssl/openssl/include/openssl/ossl_typ.h b/deps/openssl/openssl/include/openssl/ossl_typ.h
deleted file mode 120000
index e8f42456e14..00000000000
--- a/deps/openssl/openssl/include/openssl/ossl_typ.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/ossl_typ.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ossl_typ.h b/deps/openssl/openssl/include/openssl/ossl_typ.h
new file mode 100644
index 00000000000..ddd7e580dd6
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ossl_typ.h
@@ -0,0 +1 @@
+#include "../../crypto/ossl_typ.h"
diff --git a/deps/openssl/openssl/include/openssl/pem.h b/deps/openssl/openssl/include/openssl/pem.h
deleted file mode 120000
index ca371423e7b..00000000000
--- a/deps/openssl/openssl/include/openssl/pem.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/pem/pem.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/pem.h b/deps/openssl/openssl/include/openssl/pem.h
new file mode 100644
index 00000000000..5bcc5c59eed
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/pem.h
@@ -0,0 +1 @@
+#include "../../crypto/pem/pem.h"
diff --git a/deps/openssl/openssl/include/openssl/pem2.h b/deps/openssl/openssl/include/openssl/pem2.h
deleted file mode 120000
index c734dbdc3f3..00000000000
--- a/deps/openssl/openssl/include/openssl/pem2.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/pem/pem2.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/pem2.h b/deps/openssl/openssl/include/openssl/pem2.h
new file mode 100644
index 00000000000..bcd3acf856b
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/pem2.h
@@ -0,0 +1 @@
+#include "../../crypto/pem/pem2.h"
diff --git a/deps/openssl/openssl/include/openssl/pkcs12.h b/deps/openssl/openssl/include/openssl/pkcs12.h
deleted file mode 120000
index eebba777899..00000000000
--- a/deps/openssl/openssl/include/openssl/pkcs12.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/pkcs12/pkcs12.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/pkcs12.h b/deps/openssl/openssl/include/openssl/pkcs12.h
new file mode 100644
index 00000000000..0b5fbbfe863
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/pkcs12.h
@@ -0,0 +1 @@
+#include "../../crypto/pkcs12/pkcs12.h"
diff --git a/deps/openssl/openssl/include/openssl/pkcs7.h b/deps/openssl/openssl/include/openssl/pkcs7.h
deleted file mode 120000
index 73e1b23f77e..00000000000
--- a/deps/openssl/openssl/include/openssl/pkcs7.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/pkcs7/pkcs7.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/pkcs7.h b/deps/openssl/openssl/include/openssl/pkcs7.h
new file mode 100644
index 00000000000..2e19d7c4c9b
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/pkcs7.h
@@ -0,0 +1 @@
+#include "../../crypto/pkcs7/pkcs7.h"
diff --git a/deps/openssl/openssl/include/openssl/pqueue.h b/deps/openssl/openssl/include/openssl/pqueue.h
deleted file mode 120000
index 93817c2dfcd..00000000000
--- a/deps/openssl/openssl/include/openssl/pqueue.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/pqueue/pqueue.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/pqueue.h b/deps/openssl/openssl/include/openssl/pqueue.h
new file mode 100644
index 00000000000..9681ff52cd2
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/pqueue.h
@@ -0,0 +1 @@
+#include "../../crypto/pqueue/pqueue.h"
diff --git a/deps/openssl/openssl/include/openssl/rand.h b/deps/openssl/openssl/include/openssl/rand.h
deleted file mode 120000
index 11231f85239..00000000000
--- a/deps/openssl/openssl/include/openssl/rand.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/rand/rand.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/rand.h b/deps/openssl/openssl/include/openssl/rand.h
new file mode 100644
index 00000000000..9d1521bd4e3
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/rand.h
@@ -0,0 +1 @@
+#include "../../crypto/rand/rand.h"
diff --git a/deps/openssl/openssl/include/openssl/rc2.h b/deps/openssl/openssl/include/openssl/rc2.h
deleted file mode 120000
index bb5a05c5d1e..00000000000
--- a/deps/openssl/openssl/include/openssl/rc2.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/rc2/rc2.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/rc2.h b/deps/openssl/openssl/include/openssl/rc2.h
new file mode 100644
index 00000000000..f2f2bd1f21c
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/rc2.h
@@ -0,0 +1 @@
+#include "../../crypto/rc2/rc2.h"
diff --git a/deps/openssl/openssl/include/openssl/rc4.h b/deps/openssl/openssl/include/openssl/rc4.h
deleted file mode 120000
index ef7deeb7d4a..00000000000
--- a/deps/openssl/openssl/include/openssl/rc4.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/rc4/rc4.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/rc4.h b/deps/openssl/openssl/include/openssl/rc4.h
new file mode 100644
index 00000000000..306de2f406e
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/rc4.h
@@ -0,0 +1 @@
+#include "../../crypto/rc4/rc4.h"
diff --git a/deps/openssl/openssl/include/openssl/ripemd.h b/deps/openssl/openssl/include/openssl/ripemd.h
deleted file mode 120000
index 200f562fa7d..00000000000
--- a/deps/openssl/openssl/include/openssl/ripemd.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/ripemd/ripemd.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ripemd.h b/deps/openssl/openssl/include/openssl/ripemd.h
new file mode 100644
index 00000000000..11351fc819d
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ripemd.h
@@ -0,0 +1 @@
+#include "../../crypto/ripemd/ripemd.h"
diff --git a/deps/openssl/openssl/include/openssl/rsa.h b/deps/openssl/openssl/include/openssl/rsa.h
deleted file mode 120000
index 3e5a6547543..00000000000
--- a/deps/openssl/openssl/include/openssl/rsa.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/rsa/rsa.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/rsa.h b/deps/openssl/openssl/include/openssl/rsa.h
new file mode 100644
index 00000000000..975e5d355ab
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/rsa.h
@@ -0,0 +1 @@
+#include "../../crypto/rsa/rsa.h"
diff --git a/deps/openssl/openssl/include/openssl/safestack.h b/deps/openssl/openssl/include/openssl/safestack.h
deleted file mode 120000
index 8ca5b4cc7c5..00000000000
--- a/deps/openssl/openssl/include/openssl/safestack.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/stack/safestack.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/safestack.h b/deps/openssl/openssl/include/openssl/safestack.h
new file mode 100644
index 00000000000..8a282b858ba
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/safestack.h
@@ -0,0 +1 @@
+#include "../../crypto/stack/safestack.h"
diff --git a/deps/openssl/openssl/include/openssl/seed.h b/deps/openssl/openssl/include/openssl/seed.h
deleted file mode 120000
index 05d04a50bf8..00000000000
--- a/deps/openssl/openssl/include/openssl/seed.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/seed/seed.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/seed.h b/deps/openssl/openssl/include/openssl/seed.h
new file mode 100644
index 00000000000..bbbf596df86
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/seed.h
@@ -0,0 +1 @@
+#include "../../crypto/seed/seed.h"
diff --git a/deps/openssl/openssl/include/openssl/sha.h b/deps/openssl/openssl/include/openssl/sha.h
deleted file mode 120000
index 3025cd5d7e5..00000000000
--- a/deps/openssl/openssl/include/openssl/sha.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/sha/sha.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/sha.h b/deps/openssl/openssl/include/openssl/sha.h
new file mode 100644
index 00000000000..ab9d94c3868
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/sha.h
@@ -0,0 +1 @@
+#include "../../crypto/sha/sha.h"
diff --git a/deps/openssl/openssl/include/openssl/srp.h b/deps/openssl/openssl/include/openssl/srp.h
deleted file mode 120000
index 16b73ebd3dd..00000000000
--- a/deps/openssl/openssl/include/openssl/srp.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/srp/srp.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/srp.h b/deps/openssl/openssl/include/openssl/srp.h
new file mode 100644
index 00000000000..8217476779e
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/srp.h
@@ -0,0 +1 @@
+#include "../../crypto/srp/srp.h"
diff --git a/deps/openssl/openssl/include/openssl/srtp.h b/deps/openssl/openssl/include/openssl/srtp.h
deleted file mode 120000
index 9800e4ee402..00000000000
--- a/deps/openssl/openssl/include/openssl/srtp.h
+++ /dev/null
@@ -1 +0,0 @@
-../../ssl/srtp.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/srtp.h b/deps/openssl/openssl/include/openssl/srtp.h
new file mode 100644
index 00000000000..e185494a523
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/srtp.h
@@ -0,0 +1 @@
+#include "../../ssl/srtp.h"
diff --git a/deps/openssl/openssl/include/openssl/ssl.h b/deps/openssl/openssl/include/openssl/ssl.h
deleted file mode 120000
index e87d9be8fc6..00000000000
--- a/deps/openssl/openssl/include/openssl/ssl.h
+++ /dev/null
@@ -1 +0,0 @@
-../../ssl/ssl.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ssl.h b/deps/openssl/openssl/include/openssl/ssl.h
new file mode 100644
index 00000000000..0b0589c639a
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ssl.h
@@ -0,0 +1 @@
+#include "../../ssl/ssl.h"
diff --git a/deps/openssl/openssl/include/openssl/ssl2.h b/deps/openssl/openssl/include/openssl/ssl2.h
deleted file mode 120000
index 72876883c63..00000000000
--- a/deps/openssl/openssl/include/openssl/ssl2.h
+++ /dev/null
@@ -1 +0,0 @@
-../../ssl/ssl2.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ssl2.h b/deps/openssl/openssl/include/openssl/ssl2.h
new file mode 100644
index 00000000000..11b22055ea7
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ssl2.h
@@ -0,0 +1 @@
+#include "../../ssl/ssl2.h"
diff --git a/deps/openssl/openssl/include/openssl/ssl23.h b/deps/openssl/openssl/include/openssl/ssl23.h
deleted file mode 120000
index 5605052d701..00000000000
--- a/deps/openssl/openssl/include/openssl/ssl23.h
+++ /dev/null
@@ -1 +0,0 @@
-../../ssl/ssl23.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ssl23.h b/deps/openssl/openssl/include/openssl/ssl23.h
new file mode 100644
index 00000000000..fe4dae6661f
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ssl23.h
@@ -0,0 +1 @@
+#include "../../ssl/ssl23.h"
diff --git a/deps/openssl/openssl/include/openssl/ssl3.h b/deps/openssl/openssl/include/openssl/ssl3.h
deleted file mode 120000
index 5ae2507f28a..00000000000
--- a/deps/openssl/openssl/include/openssl/ssl3.h
+++ /dev/null
@@ -1 +0,0 @@
-../../ssl/ssl3.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ssl3.h b/deps/openssl/openssl/include/openssl/ssl3.h
new file mode 100644
index 00000000000..0fb66a6f752
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ssl3.h
@@ -0,0 +1 @@
+#include "../../ssl/ssl3.h"
diff --git a/deps/openssl/openssl/include/openssl/stack.h b/deps/openssl/openssl/include/openssl/stack.h
deleted file mode 120000
index 61d342fcdc5..00000000000
--- a/deps/openssl/openssl/include/openssl/stack.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/stack/stack.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/stack.h b/deps/openssl/openssl/include/openssl/stack.h
new file mode 100644
index 00000000000..295968cc186
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/stack.h
@@ -0,0 +1 @@
+#include "../../crypto/stack/stack.h"
diff --git a/deps/openssl/openssl/include/openssl/symhacks.h b/deps/openssl/openssl/include/openssl/symhacks.h
deleted file mode 120000
index 4a1a6913cf7..00000000000
--- a/deps/openssl/openssl/include/openssl/symhacks.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/symhacks.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/symhacks.h b/deps/openssl/openssl/include/openssl/symhacks.h
new file mode 100644
index 00000000000..f946f4ffc6f
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/symhacks.h
@@ -0,0 +1 @@
+#include "../../crypto/symhacks.h"
diff --git a/deps/openssl/openssl/include/openssl/tls1.h b/deps/openssl/openssl/include/openssl/tls1.h
deleted file mode 120000
index 53d998fbd86..00000000000
--- a/deps/openssl/openssl/include/openssl/tls1.h
+++ /dev/null
@@ -1 +0,0 @@
-../../ssl/tls1.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/tls1.h b/deps/openssl/openssl/include/openssl/tls1.h
new file mode 100644
index 00000000000..c43a70ff31f
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/tls1.h
@@ -0,0 +1 @@
+#include "../../ssl/tls1.h"
diff --git a/deps/openssl/openssl/include/openssl/ts.h b/deps/openssl/openssl/include/openssl/ts.h
deleted file mode 120000
index a75d99db1a8..00000000000
--- a/deps/openssl/openssl/include/openssl/ts.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/ts/ts.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ts.h b/deps/openssl/openssl/include/openssl/ts.h
new file mode 100644
index 00000000000..fe8a2cb51a2
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ts.h
@@ -0,0 +1 @@
+#include "../../crypto/ts/ts.h"
diff --git a/deps/openssl/openssl/include/openssl/txt_db.h b/deps/openssl/openssl/include/openssl/txt_db.h
deleted file mode 120000
index f672e35520c..00000000000
--- a/deps/openssl/openssl/include/openssl/txt_db.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/txt_db/txt_db.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/txt_db.h b/deps/openssl/openssl/include/openssl/txt_db.h
new file mode 100644
index 00000000000..167621b6fa8
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/txt_db.h
@@ -0,0 +1 @@
+#include "../../crypto/txt_db/txt_db.h"
diff --git a/deps/openssl/openssl/include/openssl/ui.h b/deps/openssl/openssl/include/openssl/ui.h
deleted file mode 120000
index b07defad72b..00000000000
--- a/deps/openssl/openssl/include/openssl/ui.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/ui/ui.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ui.h b/deps/openssl/openssl/include/openssl/ui.h
new file mode 100644
index 00000000000..43dd3ae83a5
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ui.h
@@ -0,0 +1 @@
+#include "../../crypto/ui/ui.h"
diff --git a/deps/openssl/openssl/include/openssl/ui_compat.h b/deps/openssl/openssl/include/openssl/ui_compat.h
deleted file mode 120000
index d8c74b7c5d7..00000000000
--- a/deps/openssl/openssl/include/openssl/ui_compat.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/ui/ui_compat.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/ui_compat.h b/deps/openssl/openssl/include/openssl/ui_compat.h
new file mode 100644
index 00000000000..c83f160d802
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/ui_compat.h
@@ -0,0 +1 @@
+#include "../../crypto/ui/ui_compat.h"
diff --git a/deps/openssl/openssl/include/openssl/whrlpool.h b/deps/openssl/openssl/include/openssl/whrlpool.h
deleted file mode 120000
index 125a0816f50..00000000000
--- a/deps/openssl/openssl/include/openssl/whrlpool.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/whrlpool/whrlpool.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/whrlpool.h b/deps/openssl/openssl/include/openssl/whrlpool.h
new file mode 100644
index 00000000000..e2424fadde2
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/whrlpool.h
@@ -0,0 +1 @@
+#include "../../crypto/whrlpool/whrlpool.h"
diff --git a/deps/openssl/openssl/include/openssl/x509.h b/deps/openssl/openssl/include/openssl/x509.h
deleted file mode 120000
index b2b85c52486..00000000000
--- a/deps/openssl/openssl/include/openssl/x509.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/x509/x509.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/x509.h b/deps/openssl/openssl/include/openssl/x509.h
new file mode 100644
index 00000000000..a4651a28652
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/x509.h
@@ -0,0 +1 @@
+#include "../../crypto/x509/x509.h"
diff --git a/deps/openssl/openssl/include/openssl/x509_vfy.h b/deps/openssl/openssl/include/openssl/x509_vfy.h
deleted file mode 120000
index bb99ad49811..00000000000
--- a/deps/openssl/openssl/include/openssl/x509_vfy.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/x509/x509_vfy.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/x509_vfy.h b/deps/openssl/openssl/include/openssl/x509_vfy.h
new file mode 100644
index 00000000000..b897aa087bd
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/x509_vfy.h
@@ -0,0 +1 @@
+#include "../../crypto/x509/x509_vfy.h"
diff --git a/deps/openssl/openssl/include/openssl/x509v3.h b/deps/openssl/openssl/include/openssl/x509v3.h
deleted file mode 120000
index 63d12f9dc5f..00000000000
--- a/deps/openssl/openssl/include/openssl/x509v3.h
+++ /dev/null
@@ -1 +0,0 @@
-../../crypto/x509v3/x509v3.h
\ No newline at end of file
diff --git a/deps/openssl/openssl/include/openssl/x509v3.h b/deps/openssl/openssl/include/openssl/x509v3.h
new file mode 100644
index 00000000000..363795e55a2
--- /dev/null
+++ b/deps/openssl/openssl/include/openssl/x509v3.h
@@ -0,0 +1 @@
+#include "../../crypto/x509v3/x509v3.h"
From 3937563d9aa7bddd18645679d486c5d9fdb0a155 Mon Sep 17 00:00:00 2001
From: Shigeki Ohtsu Date: Wed, 18 Mar 2015 10:31:29 +0900 Subject: [PATCH 12/17] deps: separate sha256/sha512-x86_64.pl for openssl sha256-x86_64.pl does not exist in the origin openssl distribution. It was copied from sha512-x86_64.pl and both sha256/sha512 scripts were modified so as to generates only one asm file specified as its key hash length. PR: #9451 PR-URL: https://github.com/joyent/node/pull/9451 Reviewed-By: Julien Gilli PR: #25523 PR-URL: https://github.com/joyent/node/pull/25523 Reviewed-By: Julien Gilli --- .../openssl/crypto/sha/asm/sha256-x86_64.pl | 438 ++++++++++++++++++ .../openssl/crypto/sha/asm/sha512-x86_64.pl | 36 +- 2 files changed, 449 insertions(+), 25 deletions(-) create mode 100755 deps/openssl/openssl/crypto/sha/asm/sha256-x86_64.pl diff --git a/deps/openssl/openssl/crypto/sha/asm/sha256-x86_64.pl b/deps/openssl/openssl/crypto/sha/asm/sha256-x86_64.pl new file mode 100755 index 00000000000..205a8e6f9a0 --- /dev/null +++ b/deps/openssl/openssl/crypto/sha/asm/sha256-x86_64.pl 
@@ -0,0 +1,438 @@ +#!/usr/bin/env perl +# +# ==================================================================== +# Written by Andy Polyakov for the OpenSSL +# project. Rights for redistribution and usage in source and binary +# forms are granted according to the OpenSSL license. +# ==================================================================== +# +# sha256/512_block procedure for x86_64. +# +# 40% improvement over compiler-generated code on Opteron. On EM64T +# sha256 was observed to run >80% faster and sha512 - >40%. No magical +# tricks, just straight implementation... I really wonder why gcc +# [being armed with inline assembler] fails to generate as fast code. +# The only thing which is cool about this module is that it's very +# same instruction sequence used for both SHA-256 and SHA-512. In +# former case the instructions operate on 32-bit operands, while in +# latter - on 64-bit ones. All I had to do is to get one flavor right, +# the other one passed the test right away:-) +# +# sha256_block runs in ~1005 cycles on Opteron, which gives you +# asymptotic performance of 64*1000/1005=63.7MBps times CPU clock +# frequency in GHz. sha512_block runs in ~1275 cycles, which results +# in 128*1000/1275=100MBps per GHz. Is there room for improvement? +# Well, if you compare it to IA-64 implementation, which maintains +# X[16] in register bank[!], tends to 4 instructions per CPU clock +# cycle and runs in 1003 cycles, 1275 is very good result for 3-way +# issue Opteron pipeline and X[16] maintained in memory. So that *if* +# there is a way to improve it, *then* the only way would be to try to +# offload X[16] updates to SSE unit, but that would require "deeper" +# loop unroll, which in turn would naturally cause size blow-up, not +# to mention increased complexity! And once again, only *if* it's +# actually possible to noticeably improve overall ILP, instruction +# level parallelism, on a given CPU implementation in this case. 
+# +# Special note on Intel EM64T. While Opteron CPU exhibits perfect +# perfromance ratio of 1.5 between 64- and 32-bit flavors [see above], +# [currently available] EM64T CPUs apparently are far from it. On the +# contrary, 64-bit version, sha512_block, is ~30% *slower* than 32-bit +# sha256_block:-( This is presumably because 64-bit shifts/rotates +# apparently are not atomic instructions, but implemented in microcode. + +$flavour = shift; +$output = shift; +if ($flavour =~ /\./) { $output = $flavour; undef $flavour; } + +$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/); + +$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; +( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or +( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or +die "can't locate x86_64-xlate.pl"; + +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; + +$func="sha256_block_data_order"; +$TABLE="K256"; +$SZ=4; +@ROT=($A,$B,$C,$D,$E,$F,$G,$H)=("%eax","%ebx","%ecx","%edx", + "%r8d","%r9d","%r10d","%r11d"); +($T1,$a0,$a1,$a2)=("%r12d","%r13d","%r14d","%r15d"); +@Sigma0=( 2,13,22); +@Sigma1=( 6,11,25); +@sigma0=( 7,18, 3); +@sigma1=(17,19,10); +$rounds=64; + + +$ctx="%rdi"; # 1st arg +$round="%rdi"; # zaps $ctx +$inp="%rsi"; # 2nd arg +$Tbl="%rbp"; + +$_ctx="16*$SZ+0*8(%rsp)"; +$_inp="16*$SZ+1*8(%rsp)"; +$_end="16*$SZ+2*8(%rsp)"; +$_rsp="16*$SZ+3*8(%rsp)"; +$framesz="16*$SZ+4*8"; + + +sub ROUND_00_15() +{ my ($i,$a,$b,$c,$d,$e,$f,$g,$h) = @_; + +$code.=<<___; + ror \$`$Sigma1[2]-$Sigma1[1]`,$a0 + mov $f,$a2 + mov $T1,`$SZ*($i&0xf)`(%rsp) + + ror \$`$Sigma0[2]-$Sigma0[1]`,$a1 + xor $e,$a0 + xor $g,$a2 # f^g + + ror \$`$Sigma1[1]-$Sigma1[0]`,$a0 + add $h,$T1 # T1+=h + xor $a,$a1 + + add ($Tbl,$round,$SZ),$T1 # T1+=K[round] + and $e,$a2 # (f^g)&e + mov $b,$h + + ror \$`$Sigma0[1]-$Sigma0[0]`,$a1 + xor $e,$a0 + xor $g,$a2 # Ch(e,f,g)=((f^g)&e)^g + + xor $c,$h # b^c + xor $a,$a1 + add $a2,$T1 # T1+=Ch(e,f,g) + mov $b,$a2 + + ror \$$Sigma1[0],$a0 # Sigma1(e) + and 
$a,$h # h=(b^c)&a + and $c,$a2 # b&c + + ror \$$Sigma0[0],$a1 # Sigma0(a) + add $a0,$T1 # T1+=Sigma1(e) + add $a2,$h # h+=b&c (completes +=Maj(a,b,c) + + add $T1,$d # d+=T1 + add $T1,$h # h+=T1 + lea 1($round),$round # round++ + add $a1,$h # h+=Sigma0(a) + +___ +} + +sub ROUND_16_XX() +{ my ($i,$a,$b,$c,$d,$e,$f,$g,$h) = @_; + +$code.=<<___; + mov `$SZ*(($i+1)&0xf)`(%rsp),$a0 + mov `$SZ*(($i+14)&0xf)`(%rsp),$a1 + mov $a0,$T1 + mov $a1,$a2 + + ror \$`$sigma0[1]-$sigma0[0]`,$T1 + xor $a0,$T1 + shr \$$sigma0[2],$a0 + + ror \$$sigma0[0],$T1 + xor $T1,$a0 # sigma0(X[(i+1)&0xf]) + mov `$SZ*(($i+9)&0xf)`(%rsp),$T1 + + ror \$`$sigma1[1]-$sigma1[0]`,$a2 + xor $a1,$a2 + shr \$$sigma1[2],$a1 + + ror \$$sigma1[0],$a2 + add $a0,$T1 + xor $a2,$a1 # sigma1(X[(i+14)&0xf]) + + add `$SZ*($i&0xf)`(%rsp),$T1 + mov $e,$a0 + add $a1,$T1 + mov $a,$a1 +___ + &ROUND_00_15(@_); +} + +$code=<<___; +.text + +.globl $func +.type $func,\@function,4 +.align 16 +$func: + push %rbx + push %rbp + push %r12 + push %r13 + push %r14 + push %r15 + mov %rsp,%r11 # copy %rsp + shl \$4,%rdx # num*16 + sub \$$framesz,%rsp + lea ($inp,%rdx,$SZ),%rdx # inp+num*16*$SZ + and \$-64,%rsp # align stack frame + mov $ctx,$_ctx # save ctx, 1st arg + mov $inp,$_inp # save inp, 2nd arh + mov %rdx,$_end # save end pointer, "3rd" arg + mov %r11,$_rsp # save copy of %rsp +.Lprologue: + + lea $TABLE(%rip),$Tbl + + mov $SZ*0($ctx),$A + mov $SZ*1($ctx),$B + mov $SZ*2($ctx),$C + mov $SZ*3($ctx),$D + mov $SZ*4($ctx),$E + mov $SZ*5($ctx),$F + mov $SZ*6($ctx),$G + mov $SZ*7($ctx),$H + jmp .Lloop + +.align 16 +.Lloop: + xor $round,$round +___ + for($i=0;$i<16;$i++) { + $code.=" mov $SZ*$i($inp),$T1\n"; + $code.=" mov @ROT[4],$a0\n"; + $code.=" mov @ROT[0],$a1\n"; + $code.=" bswap $T1\n"; + &ROUND_00_15($i,@ROT); + unshift(@ROT,pop(@ROT)); + } +$code.=<<___; + jmp .Lrounds_16_xx +.align 16 +.Lrounds_16_xx: +___ + for(;$i<32;$i++) { + &ROUND_16_XX($i,@ROT); + unshift(@ROT,pop(@ROT)); + } + +$code.=<<___; + cmp \$$rounds,$round + 
jb .Lrounds_16_xx + + mov $_ctx,$ctx + lea 16*$SZ($inp),$inp + + add $SZ*0($ctx),$A + add $SZ*1($ctx),$B + add $SZ*2($ctx),$C + add $SZ*3($ctx),$D + add $SZ*4($ctx),$E + add $SZ*5($ctx),$F + add $SZ*6($ctx),$G + add $SZ*7($ctx),$H + + cmp $_end,$inp + + mov $A,$SZ*0($ctx) + mov $B,$SZ*1($ctx) + mov $C,$SZ*2($ctx) + mov $D,$SZ*3($ctx) + mov $E,$SZ*4($ctx) + mov $F,$SZ*5($ctx) + mov $G,$SZ*6($ctx) + mov $H,$SZ*7($ctx) + jb .Lloop + + mov $_rsp,%rsi + mov (%rsi),%r15 + mov 8(%rsi),%r14 + mov 16(%rsi),%r13 + mov 24(%rsi),%r12 + mov 32(%rsi),%rbp + mov 40(%rsi),%rbx + lea 48(%rsi),%rsp +.Lepilogue: + ret +.size $func,.-$func +___ + +if ($SZ==4) { +$code.=<<___; +.align 64 +.type $TABLE,\@object +$TABLE: + .long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 + .long 0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5 + .long 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3 + .long 0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174 + .long 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc + .long 0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da + .long 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7 + .long 0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967 + .long 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13 + .long 0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85 + .long 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3 + .long 0xd192e819,0xd6990624,0xf40e3585,0x106aa070 + .long 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5 + .long 0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3 + .long 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208 + .long 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 +___ +} else { +$code.=<<___; +.align 64 +.type $TABLE,\@object +$TABLE: + .quad 0x428a2f98d728ae22,0x7137449123ef65cd + .quad 0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc + .quad 0x3956c25bf348b538,0x59f111f1b605d019 + .quad 0x923f82a4af194f9b,0xab1c5ed5da6d8118 + .quad 0xd807aa98a3030242,0x12835b0145706fbe + .quad 0x243185be4ee4b28c,0x550c7dc3d5ffb4e2 + .quad 0x72be5d74f27b896f,0x80deb1fe3b1696b1 + .quad 0x9bdc06a725c71235,0xc19bf174cf692694 + .quad 
0xe49b69c19ef14ad2,0xefbe4786384f25e3 + .quad 0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65 + .quad 0x2de92c6f592b0275,0x4a7484aa6ea6e483 + .quad 0x5cb0a9dcbd41fbd4,0x76f988da831153b5 + .quad 0x983e5152ee66dfab,0xa831c66d2db43210 + .quad 0xb00327c898fb213f,0xbf597fc7beef0ee4 + .quad 0xc6e00bf33da88fc2,0xd5a79147930aa725 + .quad 0x06ca6351e003826f,0x142929670a0e6e70 + .quad 0x27b70a8546d22ffc,0x2e1b21385c26c926 + .quad 0x4d2c6dfc5ac42aed,0x53380d139d95b3df + .quad 0x650a73548baf63de,0x766a0abb3c77b2a8 + .quad 0x81c2c92e47edaee6,0x92722c851482353b + .quad 0xa2bfe8a14cf10364,0xa81a664bbc423001 + .quad 0xc24b8b70d0f89791,0xc76c51a30654be30 + .quad 0xd192e819d6ef5218,0xd69906245565a910 + .quad 0xf40e35855771202a,0x106aa07032bbd1b8 + .quad 0x19a4c116b8d2d0c8,0x1e376c085141ab53 + .quad 0x2748774cdf8eeb99,0x34b0bcb5e19b48a8 + .quad 0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb + .quad 0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3 + .quad 0x748f82ee5defb2fc,0x78a5636f43172f60 + .quad 0x84c87814a1f0ab72,0x8cc702081a6439ec + .quad 0x90befffa23631e28,0xa4506cebde82bde9 + .quad 0xbef9a3f7b2c67915,0xc67178f2e372532b + .quad 0xca273eceea26619c,0xd186b8c721c0c207 + .quad 0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178 + .quad 0x06f067aa72176fba,0x0a637dc5a2c898a6 + .quad 0x113f9804bef90dae,0x1b710b35131c471b + .quad 0x28db77f523047d84,0x32caab7b40c72493 + .quad 0x3c9ebe0a15c9bebc,0x431d67c49c100d4c + .quad 0x4cc5d4becb3e42b6,0x597f299cfc657e2a + .quad 0x5fcb6fab3ad6faec,0x6c44198c4a475817 +___ +} + +# EXCEPTION_DISPOSITION handler (EXCEPTION_RECORD *rec,ULONG64 frame, +# CONTEXT *context,DISPATCHER_CONTEXT *disp) +if ($win64) { +$rec="%rcx"; +$frame="%rdx"; +$context="%r8"; +$disp="%r9"; + +$code.=<<___; +.extern __imp_RtlVirtualUnwind +.type se_handler,\@abi-omnipotent +.align 16 +se_handler: + push %rsi + push %rdi + push %rbx + push %rbp + push %r12 + push %r13 + push %r14 + push %r15 + pushfq + sub \$64,%rsp + + mov 120($context),%rax # pull context->Rax + mov 248($context),%rbx # pull context->Rip + + lea 
.Lprologue(%rip),%r10 + cmp %r10,%rbx # context->Rip<.Lprologue + jb .Lin_prologue + + mov 152($context),%rax # pull context->Rsp + + lea .Lepilogue(%rip),%r10 + cmp %r10,%rbx # context->Rip>=.Lepilogue + jae .Lin_prologue + + mov 16*$SZ+3*8(%rax),%rax # pull $_rsp + lea 48(%rax),%rax + + mov -8(%rax),%rbx + mov -16(%rax),%rbp + mov -24(%rax),%r12 + mov -32(%rax),%r13 + mov -40(%rax),%r14 + mov -48(%rax),%r15 + mov %rbx,144($context) # restore context->Rbx + mov %rbp,160($context) # restore context->Rbp + mov %r12,216($context) # restore context->R12 + mov %r13,224($context) # restore context->R13 + mov %r14,232($context) # restore context->R14 + mov %r15,240($context) # restore context->R15 + +.Lin_prologue: + mov 8(%rax),%rdi + mov 16(%rax),%rsi + mov %rax,152($context) # restore context->Rsp + mov %rsi,168($context) # restore context->Rsi + mov %rdi,176($context) # restore context->Rdi + + mov 40($disp),%rdi # disp->ContextRecord + mov $context,%rsi # context + mov \$154,%ecx # sizeof(CONTEXT) + .long 0xa548f3fc # cld; rep movsq + + mov $disp,%rsi + xor %rcx,%rcx # arg1, UNW_FLAG_NHANDLER + mov 8(%rsi),%rdx # arg2, disp->ImageBase + mov 0(%rsi),%r8 # arg3, disp->ControlPc + mov 16(%rsi),%r9 # arg4, disp->FunctionEntry + mov 40(%rsi),%r10 # disp->ContextRecord + lea 56(%rsi),%r11 # &disp->HandlerData + lea 24(%rsi),%r12 # &disp->EstablisherFrame + mov %r10,32(%rsp) # arg5 + mov %r11,40(%rsp) # arg6 + mov %r12,48(%rsp) # arg7 + mov %rcx,56(%rsp) # arg8, (NULL) + call *__imp_RtlVirtualUnwind(%rip) + + mov \$1,%eax # ExceptionContinueSearch + add \$64,%rsp + popfq + pop %r15 + pop %r14 + pop %r13 + pop %r12 + pop %rbp + pop %rbx + pop %rdi + pop %rsi + ret +.size se_handler,.-se_handler + +.section .pdata +.align 4 + .rva .LSEH_begin_$func + .rva .LSEH_end_$func + .rva .LSEH_info_$func + +.section .xdata +.align 8 +.LSEH_info_$func: + .byte 9,0,0,0 + .rva se_handler +___ +} + +$code =~ s/\`([^\`]*)\`/eval $1/gem; +print $code; +close STDOUT; 
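Review bot: The pipe to the translator near the top of the new sha256-x86_64.pl is opened without checking the result, and the final `close STDOUT;` is unchecked as well, so a failed or aborted x86_64-xlate.pl run can leave an empty or truncated assembly file that the build may not notice. I would make both fatal: `open OUT,"| \"$^X\" $xlate $flavour $output" or die "can't call $xlate: $!";` and `close STDOUT or die "error closing STDOUT: $!";`. Separately, since `$SZ` is now fixed at 4 in this file, the `else` branch that emits the K512 `.quad` table is unreachable and the header comment still describes both sha256 and sha512; trimming both would make this fork-local copy easier to audit against the sha512 script.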
diff --git a/deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl b/deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl index 8d516785578..86c593a2c83 100755 --- a/deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl +++ b/deps/openssl/openssl/crypto/sha/asm/sha512-x86_64.pl @@ -54,31 +54,17 @@ open OUT,"| \"$^X\" $xlate $flavour $output"; *STDOUT=*OUT; -if ($output =~ /512/) { - $func="sha512_block_data_order"; - $TABLE="K512"; - $SZ=8; - @ROT=($A,$B,$C,$D,$E,$F,$G,$H)=("%rax","%rbx","%rcx","%rdx", - "%r8", "%r9", "%r10","%r11"); - ($T1,$a0,$a1,$a2)=("%r12","%r13","%r14","%r15"); - @Sigma0=(28,34,39); - @Sigma1=(14,18,41); - @sigma0=(1, 8, 7); - @sigma1=(19,61, 6); - $rounds=80; -} else { - $func="sha256_block_data_order"; - $TABLE="K256"; - $SZ=4; - @ROT=($A,$B,$C,$D,$E,$F,$G,$H)=("%eax","%ebx","%ecx","%edx", - "%r8d","%r9d","%r10d","%r11d"); - ($T1,$a0,$a1,$a2)=("%r12d","%r13d","%r14d","%r15d"); - @Sigma0=( 2,13,22); - @Sigma1=( 6,11,25); - @sigma0=( 7,18, 3); - @sigma1=(17,19,10); - $rounds=64; -} +$func="sha512_block_data_order"; +$TABLE="K512"; +$SZ=8; +@ROT=($A,$B,$C,$D,$E,$F,$G,$H)=("%rax","%rbx","%rcx","%rdx", + "%r8", "%r9", "%r10","%r11"); +($T1,$a0,$a1,$a2)=("%r12","%r13","%r14","%r15"); +@Sigma0=(28,34,39); +@Sigma1=(14,18,41); +@sigma0=(1, 8, 7); +@sigma1=(19,61, 6); +$rounds=80; $ctx="%rdi"; # 1st arg $round="%rdi"; # zaps $ctx From 81e30a11ba79fc5b7d77041956439e760669f9c4 Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Wed, 8 Jan 2014 23:05:01 +0400 Subject: [PATCH 13/17] deps: fix openssl assembly error on ia32 win32 `x86masm.pl` was mistakenly using .486 instruction set, why `cpuid` (and perhaps others) are requiring .686 . PR: #9451 PR-URL: https://github.com/joyent/node/pull/9451 Reviewed-By: Julien Gilli PR: #25523 PR-URL: https://github.com/joyent/node/pull/25523 Reviewed-By: Julien Gilli --- deps/openssl/openssl/crypto/perlasm/x86masm.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/deps/openssl/openssl/crypto/perlasm/x86masm.pl b/deps/openssl/openssl/crypto/perlasm/x86masm.pl index f937d07c87d..6b33b146f0f 100644 --- a/deps/openssl/openssl/crypto/perlasm/x86masm.pl +++ b/deps/openssl/openssl/crypto/perlasm/x86masm.pl @@ -80,7 +80,7 @@ sub ::file IF \@Version LT 800 ECHO MASM version 8.00 or later is strongly recommended. ENDIF -.486 +.686 .MODEL FLAT OPTION DOTNAME IF \@Version LT 800 From 9463cfae333a5c249e26aef4e5607cbe1d84dea5 Mon Sep 17 00:00:00 2001 From: Shigeki Ohtsu Date: Tue, 17 Feb 2015 11:30:28 +0900 Subject: [PATCH 14/17] openssl: fix keypress requirement in apps on win32 reapply b910613792dac946b295855963869933a9089044 PR: #9451 PR-URL: https://github.com/joyent/node/pull/9451 Reviewed-By: Julien Gilli PR: #25523 PR-URL: https://github.com/joyent/node/pull/25523 Reviewed-By: Julien Gilli --- deps/openssl/openssl/apps/s_client.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/deps/openssl/openssl/apps/s_client.c b/deps/openssl/openssl/apps/s_client.c index 28737b6d1e6..c2e6c0bfdcc 100644 --- a/deps/openssl/openssl/apps/s_client.c +++ b/deps/openssl/openssl/apps/s_client.c @@ -180,6 +180,13 @@ typedef unsigned int u_int; # include #endif +/* Use Windows API with STD_INPUT_HANDLE when checking for input? + Don't look at OPENSSL_SYS_MSDOS for this, since it is always defined if + OPENSSL_SYS_WINDOWS is defined */ +#if defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_WINCE) && defined(STD_INPUT_HANDLE) +#define OPENSSL_USE_STD_INPUT_HANDLE +#endif + #undef PROG #define PROG s_client_main @@ -1584,10 +1591,7 @@ int MAIN(int argc, char **argv) tv.tv_usec = 0; i = select(width, (void *)&readfds, (void *)&writefds, NULL, &tv); -# if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) - if (!i && (!_kbhit() || !read_tty)) - continue; -# else +#if defined(OPENSSL_USE_STD_INPUT_HANDLE) if (!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle 
@@ -1595,6 +1599,8 @@ int MAIN(int argc, char **argv) 0))) || !read_tty)) continue; +#else + if(!i && (!_kbhit() || !read_tty) ) continue; # endif } else i = select(width, (void *)&readfds, (void *)&writefds, @@ -1793,12 +1799,12 @@ int MAIN(int argc, char **argv) } } #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) -# if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS) - else if (_kbhit()) -# else +#if defined(OPENSSL_USE_STD_INPUT_HANDLE) else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) +#else + else if (_kbhit()) # endif #elif defined (OPENSSL_SYS_NETWARE) else if (_kbhit()) From dcb7ef2e4024bbb984c5d40b692fb5ec6aefa008 Mon Sep 17 00:00:00 2001 From: Julien Gilli Date: Thu, 11 Jun 2015 14:32:48 -0700 Subject: [PATCH 15/17] tls: revert disable RC4 and cipher lists changes This reverts commit 67d9a56251c4491beacb666ba5833574d0cf0d12. This commit actually reverts both 67d9a56251c4491beacb666ba5833574d0cf0d12 and 02a549ed2b2afe85d8ff0335b6684ad54023afb7 (both related to ciphers list changes). It does it in one commit because reverting 02a549ed2b2afe85d8ff0335b6684ad54023afb7 results in an empty commit. These changes are not yet ready to be released, and before they are we want to be able to publish new releases. We're reverting them so that we can submit a new PR that will contain all these changes plus what's necessary to be able to land them properly. Conflicts: src/node.cc PR: #25511 PR-URL: https://github.com/joyent/node/pull/25511 Reviewed-By: Shigeki Ohtsu --- doc/api/tls.markdown | 66 +++------------------------ lib/tls.js | 14 ++---- src/node.cc | 39 ---------------- src/node_crypto.cc | 25 +---------- src/node_crypto.h | 20 --------- test/simple/test-tls-cipher-list.js | 70 ----------------------------- test/simple/test-tls-getcipher.js | 2 +- 7 files changed, 12 insertions(+), 224 deletions(-) delete mode 100644 test/simple/test-tls-cipher-list.js 
diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown index 49b37106e27..fbd97e88a65 100644 --- a/doc/api/tls.markdown +++ b/doc/api/tls.markdown 
@@ -109,60 +109,6 @@ handshake extensions allowing you: * SNI - to use one TLS server for multiple hostnames with different SSL certificates. -## Modifying the Default Cipher Suite - -Node.js is built with a default suite of enabled and disabled ciphers. -Currently, the default cipher suite is: - - ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH - -This default can be overridden entirely using the `--cipher-list` command line -switch or `NODE_CIPHER_LIST` environment variable. For instance: - - node --cipher-list=ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384 - -Setting the environment variable would have the same effect: - - NODE_CIPHER_LIST=ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA384 - -CAUTION: The default cipher suite has been carefully selected to reflect current -security best practices and risk mitigation. Changing the default cipher suite -can have a significant impact on the security of an application. The -`--cipher-list` and `NODE_CIPHER_LIST` options should only be used if -absolutely necessary. - -### Using Legacy Default Cipher Suite ### - -It is possible for the built-in default cipher suite to change from one release -of Node.js to another. For instance, v0.10.39 uses a different default than -v0.10.38. Such changes can cause issues with applications written to assume -certain specific defaults. 
To help buffer applications against such changes, -the `--enable-legacy-cipher-list` command line switch or `NODE_LEGACY_CIPHER_LIST` -environment variable can be set to specify a specific preset default: - - # Use the v0.10.38 defaults - node --enable-legacy-cipher-list=v0.10.38 - // or - NODE_LEGACY_CIPHER_LIST=v0.10.38 - -Currently, the values supported for the `enable-legacy-cipher-list` switch and -`NODE_LEGACY_CIPHER_LIST` environment variable include: - - v0.10.38 - To enable the default cipher suite used in v0.10.38 - - ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH - -These legacy cipher suites are also made available for use via the -`getLegacyCiphers()` method: - - var tls = require('tls'); - console.log(tls.getLegacyCiphers('v0.10.38')); - -CAUTION: Changes to the default cipher suite are typically made in order to -strengthen the default security for applications running within Node.js. -Reverting back to the defaults used by older releases can weaken the security -of your applications. The legacy cipher suites should only be used if absolutely -necessary. ## tls.getCiphers() @@ -205,13 +151,13 @@ automatically set as a listener for the [secureConnection][] event. The conjunction with the `honorCipherOrder` option described below to prioritize the non-CBC cipher. - Defaults to `ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH`. + Defaults to `AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH`. Consult the [OpenSSL cipher list format documentation] for details on the format. ECDH (Elliptic Curve Diffie-Hellman) ciphers are not yet supported. `AES128-GCM-SHA256` is used when node.js is linked against OpenSSL 1.0.1 - or newer and the client speaks TLS 1.2. + or newer and the client speaks TLS 1.2, RC4 is used as a secure fallback. **NOTE**: Previous revisions of this section suggested `AES256-SHA` as an acceptable cipher. Unfortunately, `AES256-SHA` is a CBC cipher and therefore 
@@ -387,7 +333,7 @@ Here is an example of a client of echo server as described previously: // These are necessary only if using the client certificate authentication key: fs.readFileSync('client-key.pem'), cert: fs.readFileSync('client-cert.pem'), - + // This is necessary only if the server uses the self-signed certificate ca: [ fs.readFileSync('server-cert.pem') ] }; @@ -579,7 +525,7 @@ A ClearTextStream is the `clear` member of a SecurePair object. ### Event: 'secureConnect' -This event is emitted after a new connection has been successfully handshaked. +This event is emitted after a new connection has been successfully handshaked. The listener will be called no matter if the server's certificate was authorized or not. It is up to the user to test `cleartextStream.authorized` to see if the server certificate was signed by one of the specified CAs. @@ -604,14 +550,14 @@ some properties corresponding to the field of the certificate. Example: - { subject: + { subject: { C: 'UK', ST: 'Acknack Ltd', L: 'Rhys Jones', O: 'node.js', OU: 'Test TLS Certificate', CN: 'localhost' }, - issuer: + issuer: { C: 'UK', ST: 'Acknack Ltd', L: 'Rhys Jones', diff --git a/lib/tls.js b/lib/tls.js index 9f53ad82aef..e3b90832236 100644 --- a/lib/tls.js +++ b/lib/tls.js @@ -19,8 +19,6 @@ // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE // USE OR OTHER DEALINGS IN THE SOFTWARE. -var _crypto = process.binding('crypto'); - var crypto = require('crypto'); var util = require('util'); var net = require('net'); 
@@ -33,9 +31,8 @@ var constants = require('constants'); var Timer = process.binding('timer_wrap').Timer; -var DEFAULT_CIPHERS = _crypto.DEFAULT_CIPHER_LIST; - -exports.getLegacyCiphers = _crypto.getLegacyCiphers; +var DEFAULT_CIPHERS = 'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:' + // TLS 1.2 + 'RC4:HIGH:!MD5:!aNULL:!EDH'; // TLS 1.0 // Allow {CLIENT_RENEG_LIMIT} client-initiated session renegotiations // every {CLIENT_RENEG_WINDOW} seconds. An error event is emitted if more @@ -47,7 +44,7 @@ exports.CLIENT_RENEG_WINDOW = 600; exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024; exports.getCiphers = function() { - var names = _crypto.getSSLCiphers(); + var names = process.binding('crypto').getSSLCiphers(); // Drop all-caps names in favor of their lowercase aliases, var ctx = {}; names.forEach(function(name) { @@ -68,7 +65,7 @@ if (process.env.NODE_DEBUG && /tls/.test(process.env.NODE_DEBUG)) { var Connection = null; try { - Connection = _crypto.Connection; + Connection = process.binding('crypto').Connection; } catch (e) { throw new Error('node.js not compiled with openssl crypto support.'); } @@ -1338,9 +1335,6 @@ exports.connect = function(/* [port, host], options, cb */) { var defaults = { rejectUnauthorized: '0' !== process.env.NODE_TLS_REJECT_UNAUTHORIZED }; - if (DEFAULT_CIPHERS != _crypto.getLegacyCiphers('v0.10.38')) { - defaults.ciphers = DEFAULT_CIPHERS; - } options = util._extend(defaults, options || {}); options.secureOptions = crypto._getSecureOptions(options.secureProtocol, diff --git a/src/node.cc b/src/node.cc index 81e123e571f..e80c1a573f5 100644 --- a/src/node.cc +++ b/src/node.cc @@ -2566,8 +2566,6 @@ static void PrintHelp() { " --max-stack-size=val set max v8 stack size (bytes)\n" " --enable-ssl2 enable ssl2\n" " --enable-ssl3 enable ssl3\n" - " --cipher-list=val specify the default TLS cipher list\n" - " --enable-legacy-cipher-list=v0.10.38 \n" "\n" "Environment variables:\n" #ifdef _WIN32 
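Review bot: The restored `DEFAULT_CIPHERS` in the `@@ -33,9 +31,8 @@` hunk of lib/tls.js lists `RC4` ahead of `HIGH`, so where this order is honoured a peer that offers neither of the two leading TLS 1.2 suites is steered to RC4 before any other strong cipher, and RFC 7465 prohibits RC4 in TLS. The description says the revert is temporary, so I would record that at the constant, for example `// RC4 retained only until the cipher-list change relands; not a safe fallback`, so the weak default is not later mistaken for a deliberate choice. The tls.markdown hunk in the same patch also disagrees with this value: it documents the default as `AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH`, without `ECDHE-RSA-AES128-SHA256`, and describes RC4 as a "secure fallback", which should be reworded to match the code and to stop presenting RC4 as secure.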
@@ -2579,8 +2577,6 @@ static void PrintHelp() { "NODE_MODULE_CONTEXTS Set to 1 to load modules in their own\n" " global contexts.\n" "NODE_DISABLE_COLORS Set to 1 to disable colors in the REPL\n" - "NODE_CIPHER_LIST Override the default TLS cipher list\n" - "NODE_LEGACY_CIPHER_LIST=v0.10.38\n" "\n" "Documentation can be found at http://nodejs.org/\n"); } @@ -2588,7 +2584,6 @@ static void PrintHelp() { // Parse node command line arguments. static void ParseArgs(int argc, char **argv) { int i; - bool using_legacy_cipher_list = false; // TODO use parse opts for (i = 1; i < argc; i++) { @@ -2657,21 +2652,6 @@ static void ParseArgs(int argc, char **argv) { } else if (strcmp(arg, "--throw-deprecation") == 0) { argv[i] = const_cast(""); throw_deprecation = true; - } else if (strncmp(arg, "--cipher-list=", 14) == 0) { - if (!using_legacy_cipher_list) { - DEFAULT_CIPHER_LIST = arg + 14; - } - argv[i] = const_cast(""); - } else if (strncmp(arg, "--enable-legacy-cipher-list=", 28) == 0) { - const char * legacy_list = legacy_cipher_list(arg+28); - if (legacy_list != NULL) { - using_legacy_cipher_list = true; - DEFAULT_CIPHER_LIST = legacy_list; - } else { - fprintf(stderr, "Error: An unknown legacy cipher list was specified\n"); - exit(9); - } - argv[i] = const_cast(""); } else if (argv[i][0] != '-') { break; } 
@@ -2966,25 +2946,6 @@ char** Init(int argc, char *argv[]) { v8argv[option_end_index + 1] = const_cast("v8debug"); } - const char * cipher_list = getenv("NODE_CIPHER_LIST"); - if (cipher_list != NULL) { - DEFAULT_CIPHER_LIST = cipher_list; - } - // Allow the NODE_LEGACY_CIPHER_LIST envar to override the other - // cipher list options. NODE_LEGACY_CIPHER_LIST=v0.10.38 will use - // the cipher list from v0.10.38 - const char * leg_cipher_id = getenv("NODE_LEGACY_CIPHER_LIST"); - if (leg_cipher_id != NULL) { - const char * leg_cipher_list = - legacy_cipher_list(leg_cipher_id); - if (leg_cipher_list != NULL) { - DEFAULT_CIPHER_LIST = leg_cipher_list; - } else { - fprintf(stderr, "Error: An unknown legacy cipher list was specified\n"); - exit(9); - } - } - // For the normal stack which moves from high to low addresses when frames // are pushed, we can compute the limit as stack_size bytes below the // the address of a stack variable (e.g. &stack_var) as an approximation diff --git a/src/node_crypto.cc b/src/node_crypto.cc index c1e943fef49..7a3922a797f 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -71,7 +71,6 @@ const char* root_certs[] = { bool SSL2_ENABLE = false; bool SSL3_ENABLE = false; -const char * DEFAULT_CIPHER_LIST = DEFAULT_CIPHER_LIST_HEAD; namespace crypto { @@ -803,7 +802,7 @@ size_t ClientHelloParser::Write(const uint8_t* data, size_t len) { HandleScope scope; assert(state_ != kEnded); - + // Just accumulate data, everything will be pushed to BIO later if (state_ == kPaused) return 0; 
@@ -4191,21 +4190,6 @@ static void array_push_back(const TypeName* md, arr->Set(arr->Length(), String::New(from)); } -// borrowed from v8 -// (see http://v8.googlecode.com/svn/trunk/samples/shell.cc) -const char* ToCString(const node::Utf8Value& value) { - return *value ? *value : ""; -} - -Handle DefaultCiphers(const Arguments& args) { - HandleScope scope; - node::Utf8Value key(args[0]); - const char * list = legacy_cipher_list(ToCString(key)); - if (list == NULL) { - list = DEFAULT_CIPHER_LIST_HEAD; - } - return scope.Close(v8::String::New(list)); -} Handle GetCiphers(const Arguments& args) { HandleScope scope; @@ -4280,13 +4264,6 @@ void InitCrypto(Handle target) { NODE_DEFINE_CONSTANT(target, SSL3_ENABLE); NODE_DEFINE_CONSTANT(target, SSL2_ENABLE); - - (target)->ForceSet( - v8::String::New("DEFAULT_CIPHER_LIST"), - v8::String::New(DEFAULT_CIPHER_LIST), - static_cast(v8::ReadOnly | v8::DontDelete)); - - NODE_SET_METHOD(target, "getLegacyCiphers", DefaultCiphers); } } // namespace crypto diff --git a/src/node_crypto.h b/src/node_crypto.h index 0b360cfa36b..54b9b88e437 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h @@ -27,7 +27,6 @@ #include "node_object_wrap.h" #include "v8.h" -#include #include #include #include @@ -44,29 +43,10 @@ #define EVP_F_EVP_DECRYPTFINAL 101 -#define DEFAULT_CIPHER_LIST_V10_38 "ECDHE-RSA-AES128-SHA256:" \ - "AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH" - -#define DEFAULT_CIPHER_LIST_HEAD "ECDHE-RSA-AES128-SHA256:" \ - "AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH" - -static inline const char * legacy_cipher_list(const char * ver) { - if (ver == NULL) { - return NULL; - } - if (strncmp(ver, "v0.10.38", 8) == 0) { - return DEFAULT_CIPHER_LIST_V10_38; - } else { - return NULL; - } -} - - namespace node { extern bool SSL2_ENABLE; extern bool SSL3_ENABLE; -extern const char * DEFAULT_CIPHER_LIST; namespace crypto { 
diff --git a/test/simple/test-tls-cipher-list.js b/test/simple/test-tls-cipher-list.js
deleted file mode 100644
index ac2169537b8..00000000000
--- a/test/simple/test-tls-cipher-list.js
+++ /dev/null
@@ -1,70 +0,0 @@
-// Copyright Joyent, Inc. and other Node contributors.
-//
-// Permission is hereby granted, free of charge, to any person obtaining a
-// copy of this software and associated documentation files (the
-// "Software"), to deal in the Software without restriction, including
-// without limitation the rights to use, copy, modify, merge, publish,
-// distribute, sublicense, and/or sell copies of the Software, and to permit
-// persons to whom the Software is furnished to do so, subject to the
-// following conditions:
-//
-// The above copyright notice and this permission notice shall be included
-// in all copies or substantial portions of the Software.
-//
-// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
-// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
-// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
-// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
-// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
-// USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-var spawn = require('child_process').spawn;
-var assert = require('assert');
-var tls = require('tls');
-var crypto = process.binding('crypto');
-
-function doTest(checklist, env, useswitch) {
- var options;
- if (env && useswitch === 1) {
- options = {env:env};
- }
- var args = ['-e', 'console.log(process.binding(\'crypto\').DEFAULT_CIPHER_LIST)'];
-
- switch(useswitch) {
- case 1:
- // Test --cipher-test
- args.unshift('--cipher-list=' + env);
- break;
- case 2:
- // Test --enable-legacy-cipher-list
- args.unshift('--enable-legacy-cipher-list=' + env);
- break;
- case 3:
- // Test NODE_LEGACY_CIPHER_LIST
- if (env) options = {env:{"NODE_LEGACY_CIPHER_LIST": env}};
- break;
- default:
- // Test NODE_CIPHER_LIST
- if (env) options = {env:env};
- }
-
- var out = '';
- spawn(process.execPath, args, options).
- stdout.
- on('data', function(data) {
- out += data;
- }).
- on('end', function() {
- assert.equal(out.trim(), checklist);
- });
-}
-
-doTest(crypto.DEFAULT_CIPHER_LIST); // test the default
-doTest('ABC', {'NODE_CIPHER_LIST':'ABC'}); // test the envar
-doTest('ABC', 'ABC', 1); // test the --cipher-list switch
-
-['v0.10.38'].forEach(function(ver) {
- doTest(tls.getLegacyCiphers(ver), ver, 2);
- doTest(tls.getLegacyCiphers(ver), ver, 3);
-});
diff --git a/test/simple/test-tls-getcipher.js b/test/simple/test-tls-getcipher.js
index 8fb9d528731..22a280e5874 100644
--- a/test/simple/test-tls-getcipher.js
+++ b/test/simple/test-tls-getcipher.js
@@ -49,7 +49,7 @@ server.listen(common.PORT, '127.0.0.1', function() {
 rejectUnauthorized: false
 }, function() {
 var cipher = client.getCipher();
- assert.equal(cipher.name, cipher_list[1]);
+ assert.equal(cipher.name, cipher_list[0]);
 assert(cipher_version_pattern.test(cipher.version));
 client.end();
 server.close();
From 615a35ccd2cb5cba80901862aefe51a940995f44 Mon Sep 17 00:00:00 2001
From: Julien Gilli
Date: Thu, 18 Jun 2015 22:57:52 -0700
Subject: [PATCH 16/17] 2015.06.18, Version 0.10.39 (Maintenance)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* openssl: upgrade to 1.0.1o (Addressing multiple CVEs)
* install: fix source path for openssl headers (Oguz Bastemur)
* install: make sure opensslconf.h is overwritten (Oguz Bastemur)
* timers: fix timeout when added in timer's callback (Julien Gilli)
* windows: broadcast WM_SETTINGCHANGE after install (Mathias Küsel)
---
 AUTHORS | 4 ++++
 ChangeLog | 15 ++++++++++++++-
 src/node_version.h | 2 +-
 3 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index aab71df334e..e82c4f47428 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -530,3 +530,7 @@ Amir Saboury
 Florin-Cristian Gavrila
 Tyler Anton
 Jonas Dohse
+Paulo McNally
+AlexKVal
+João Reis
+Mathias Küsel
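Review bot: In test/simple/test-tls-getcipher.js, the changed line `assert.equal(cipher.name, cipher_list[0]);` pins the negotiated suite by a bare index into `cipher_list`, which is defined outside this hunk, so a reader cannot tell which cipher the default configuration is now expected to negotiate. The same patch deletes `DEFAULT_CIPHER_LIST_HEAD` (the list carrying `!RC4`) from src/node_crypto.h, so the index change presumably follows the default list no longer excluding that entry; if `cipher_list[0]` is an RC4 suite, the test now asserts that a weak cipher is accepted by default. I would add a comment above the assertion, for example `// expected suite under the default cipher list; update together with any change to that default`, and name the expected suite in the assertion message. The enclosing `server.listen` callback starts and ends outside the hunk.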
diff --git a/ChangeLog b/ChangeLog
index 69502ebf2e6..9d2be9618fc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,17 @@
-2015.03.23, Version 0.10.38 (Maintenance)
+2015.06.18, Version 0.10.39 (Maintenance)
+
+* openssl: upgrade to 1.0.1o (Addressing multiple CVEs)
+
+* install: fix source path for openssl headers (Oguz Bastemur)
+
+* install: make sure opensslconf.h is overwritten (Oguz Bastemur)
+
+* timers: fix timeout when added in timer's callback (Julien Gilli)
+
+* windows: broadcast WM_SETTINGCHANGE after install (Mathias Küsel)
+
+
+2015.03.23, Version 0.10.38 (Maintenance), 0b5731a63cc40c4fe9275c79158fe0a5dd4d1609
 * openssl: upgrade to 1.0.1m (Addressing multiple CVEs)
diff --git a/src/node_version.h b/src/node_version.h
index 094c81c371a..259ed84a1df 100644
--- a/src/node_version.h
+++ b/src/node_version.h
@@ -26,7 +26,7 @@
 #define NODE_MINOR_VERSION 10
 #define NODE_PATCH_VERSION 39
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 #ifndef NODE_TAG
 # define NODE_TAG ""
From 6f8400a11cd5f64472ccf680dcb864ba005e60cd Mon Sep 17 00:00:00 2001
From: Julien Gilli
Date: Mon, 22 Jun 2015 09:45:56 -0700
Subject: [PATCH 17/17] Now working on 0.10.40
---
 src/node_version.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/node_version.h b/src/node_version.h
index 259ed84a1df..e7d4d96d802 100644
--- a/src/node_version.h
+++ b/src/node_version.h
@@ -24,9 +24,9 @@
 #define NODE_MAJOR_VERSION 0
 #define NODE_MINOR_VERSION 10
-#define NODE_PATCH_VERSION 39
+#define NODE_PATCH_VERSION 40
-#define NODE_VERSION_IS_RELEASE 1
+#define NODE_VERSION_IS_RELEASE 0
 #ifndef NODE_TAG
 # define NODE_TAG ""