Import OpenSSL 1.0.1t.
authorSascha Wildner <saw@online.de>
Tue, 3 May 2016 19:47:42 +0000 (21:47 +0200)
committerSascha Wildner <saw@online.de>
Tue, 3 May 2016 19:47:42 +0000 (21:47 +0200)
* Fix CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109,
  CVE-2016-2176, CVE-2016-0702

For a more detailed list of changes, see crypto/openssl/CHANGES.

39 files changed:
crypto/openssl/CHANGES
crypto/openssl/NEWS
crypto/openssl/README
crypto/openssl/README.DELETED
crypto/openssl/apps/pkcs7.c
crypto/openssl/crypto/asn1/a_bytes.c
crypto/openssl/crypto/asn1/a_d2i_fp.c
crypto/openssl/crypto/asn1/a_type.c
crypto/openssl/crypto/asn1/asn1_lib.c
crypto/openssl/crypto/asn1/asn1_par.c
crypto/openssl/crypto/asn1/t_x509.c
crypto/openssl/crypto/asn1/tasn_dec.c
crypto/openssl/crypto/asn1/tasn_enc.c
crypto/openssl/crypto/asn1/x_name.c
crypto/openssl/crypto/asn1/x_x509.c
crypto/openssl/crypto/bn/asm/x86-gf2m.pl [deleted file]
crypto/openssl/crypto/bn/asm/x86-mont.pl [deleted file]
crypto/openssl/crypto/bn/asm/x86_64-mont.pl
crypto/openssl/crypto/bn/asm/x86_64-mont5.pl
crypto/openssl/crypto/comp/comp.h
crypto/openssl/crypto/evp/digest.c
crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
crypto/openssl/crypto/evp/encode.c
crypto/openssl/crypto/evp/evp_enc.c
crypto/openssl/crypto/opensslv.h
crypto/openssl/crypto/pem/pem_lib.c
crypto/openssl/crypto/pem/pvkfmt.c
crypto/openssl/crypto/x509/x509.h
crypto/openssl/crypto/x509/x509_err.c
crypto/openssl/crypto/x509/x509_obj.c
crypto/openssl/ssl/d1_both.c
crypto/openssl/ssl/s2_lib.c
crypto/openssl/ssl/s2_meth.c
crypto/openssl/ssl/s3_clnt.c
crypto/openssl/ssl/s3_lib.c
crypto/openssl/ssl/ssl.h
crypto/openssl/ssl/ssl_ciph.c
crypto/openssl/ssl/ssl_locl.h
crypto/openssl/ssl/t1_lib.c

index 19e07ab..1c7a5ed 100644 (file)
@@ -2,6 +2,103 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1s and 1.0.1t [3 May 2016]
+
+  *) Prevent padding oracle in AES-NI CBC MAC check
+
+     A MITM attacker can use a padding oracle attack to decrypt traffic
+     when the connection uses an AES CBC cipher and the server support
+     AES-NI.
+
+     This issue was introduced as part of the fix for Lucky 13 padding
+     attack (CVE-2013-0169). The padding check was rewritten to be in
+     constant time by making sure that always the same bytes are read and
+     compared against either the MAC or padding bytes. But it no longer
+     checked that there was enough data to have both the MAC and padding
+     bytes.
+
+     This issue was reported by Juraj Somorovsky using TLS-Attacker.
+     (CVE-2016-2107)
+     [Kurt Roeckx]
+
+  *) Fix EVP_EncodeUpdate overflow
+
+     An overflow can occur in the EVP_EncodeUpdate() function which is used for
+     Base64 encoding of binary data. If an attacker is able to supply very large
+     amounts of input data then a length check can overflow resulting in a heap
+     corruption.
+
+     Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+     the PEM_write_bio* family of functions. These are mainly used within the
+     OpenSSL command line applications, so any application which processes data
+     from an untrusted source and outputs it as a PEM file should be considered
+     vulnerable to this issue. User applications that call these APIs directly
+     with large amounts of untrusted data may also be vulnerable.
+
+     This issue was reported by Guido Vranken.
+     (CVE-2016-2105)
+     [Matt Caswell]
+
+  *) Fix EVP_EncryptUpdate overflow
+
+     An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+     is able to supply very large amounts of input data after a previous call to
+     EVP_EncryptUpdate() with a partial block then a length check can overflow
+     resulting in a heap corruption. Following an analysis of all OpenSSL
+     internal usage of the EVP_EncryptUpdate() function all usage is one of two
+     forms. The first form is where the EVP_EncryptUpdate() call is known to be
+     the first called function after an EVP_EncryptInit(), and therefore that
+     specific call must be safe. The second form is where the length passed to
+     EVP_EncryptUpdate() can be seen from the code to be some small value and
+     therefore there is no possibility of an overflow. Since all instances are
+     one of these two forms, it is believed that there can be no overflows in
+     internal code due to this problem. It should be noted that
+     EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
+     Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
+     of these calls have also been analysed too and it is believed there are no
+     instances in internal usage where an overflow could occur.
+
+     This issue was reported by Guido Vranken.
+     (CVE-2016-2106)
+     [Matt Caswell]
+
+  *) Prevent ASN.1 BIO excessive memory allocation
+
+     When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+     a short invalid encoding can casuse allocation of large amounts of memory
+     potentially consuming excessive resources or exhausting memory.
+
+     Any application parsing untrusted data through d2i BIO functions is
+     affected. The memory based functions such as d2i_X509() are *not* affected.
+     Since the memory based functions are used by the TLS library, TLS
+     applications are not affected.
+
+     This issue was reported by Brian Carpenter.
+     (CVE-2016-2109)
+     [Stephen Henson]
+
+  *) EBCDIC overread
+
+     ASN1 Strings that are over 1024 bytes can cause an overread in applications
+     using the X509_NAME_oneline() function on EBCDIC systems. This could result
+     in arbitrary stack data being returned in the buffer.
+
+     This issue was reported by Guido Vranken.
+     (CVE-2016-2176)
+     [Matt Caswell]
+
+  *) Modify behavior of ALPN to invoke callback after SNI/servername
+     callback, such that updates to the SSL_CTX affect ALPN.
+     [Todd Short]
+
+  *) Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
+     default.
+     [Kurt Roeckx]
+
+  *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+     methods are enabled and ssl2 is disabled the methods return NULL.
+     [Kurt Roeckx]
+
  Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
 
   * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
index 26c7aa5..0fb2cc3 100644 (file)
@@ -5,6 +5,19 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [3 May 2016]
+
+      o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
+      o Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
+      o Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
+      o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
+      o EBCDIC overread (CVE-2016-2176)
+      o Modify behavior of ALPN to invoke callback after SNI/servername
+        callback, such that updates to the SSL_CTX affect ALPN.
+      o Remove LOW from the DEFAULT cipher list.  This removes singles DES from
+        the default.
+      o Only remove the SSLv2 methods with the no-ssl2-method option.
+
   Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016]
 
       o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
index adde4e8..9395f2b 100644 (file)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1s 1 Mar 2016
+ OpenSSL 1.0.1t 3 May 2016
 
  Copyright (c) 1998-2015 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
index cd897f3..ac11e94 100644 (file)
@@ -121,6 +121,8 @@ crypto/bn/asm/sparcv9a-mont.pl
 crypto/bn/asm/via-mont.pl
 crypto/bn/asm/vms.mar
 crypto/bn/asm/x86/
+crypto/bn/asm/x86-gf2m.pl
+crypto/bn/asm/x86-mont.pl
 crypto/bn/asm/x86.pl
 crypto/bn/bn.mul
 crypto/bn/bn_prime.pl
index 643507f..b677633 100644 (file)
@@ -235,12 +235,16 @@ int MAIN(int argc, char **argv)
         i = OBJ_obj2nid(p7->type);
         switch (i) {
         case NID_pkcs7_signed:
-            certs = p7->d.sign->cert;
-            crls = p7->d.sign->crl;
+            if (p7->d.sign != NULL) {
+                certs = p7->d.sign->cert;
+                crls = p7->d.sign->crl;
+            }
             break;
         case NID_pkcs7_signedAndEnveloped:
-            certs = p7->d.signed_and_enveloped->cert;
-            crls = p7->d.signed_and_enveloped->crl;
+            if (p7->d.signed_and_enveloped != NULL) {
+                certs = p7->d.signed_and_enveloped->cert;
+                crls = p7->d.signed_and_enveloped->crl;
+            }
             break;
         default:
             break;
index 12715a7..385b539 100644 (file)
@@ -200,13 +200,13 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp,
     } else {
         if (len != 0) {
             if ((ret->length < len) || (ret->data == NULL)) {
-                if (ret->data != NULL)
-                    OPENSSL_free(ret->data);
                 s = (unsigned char *)OPENSSL_malloc((int)len + 1);
                 if (s == NULL) {
                     i = ERR_R_MALLOC_FAILURE;
                     goto err;
                 }
+                if (ret->data != NULL)
+                    OPENSSL_free(ret->data);
             } else
                 s = ret->data;
             memcpy(s, p, (int)len);
index a1864b4..51b6f24 100644 (file)
@@ -141,6 +141,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)
 #endif
 
 #define HEADER_SIZE   8
+#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
 static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 {
     BUF_MEM *b;
@@ -217,29 +218,44 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
             /* suck in c.slen bytes of data */
             want = c.slen;
             if (want > (len - off)) {
+                size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
+
                 want -= (len - off);
                 if (want > INT_MAX /* BIO_read takes an int length */  ||
                     len + want < len) {
                     ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG);
                     goto err;
                 }
-                if (!BUF_MEM_grow_clean(b, len + want)) {
-                    ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
-                    goto err;
-                }
                 while (want > 0) {
-                    i = BIO_read(in, &(b->data[len]), want);
-                    if (i <= 0) {
-                        ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
-                                ASN1_R_NOT_ENOUGH_DATA);
+                    /*
+                     * Read content in chunks of increasing size
+                     * so we can return an error for EOF without
+                     * having to allocate the entire content length
+                     * in one go.
+                     */
+                    size_t chunk = want > chunk_max ? chunk_max : want;
+
+                    if (!BUF_MEM_grow_clean(b, len + chunk)) {
+                        ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
                         goto err;
                     }
+                    want -= chunk;
+                    while (chunk > 0) {
+                        i = BIO_read(in, &(b->data[len]), chunk);
+                        if (i <= 0) {
+                            ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
+                                    ASN1_R_NOT_ENOUGH_DATA);
+                            goto err;
+                        }
                     /*
                      * This can't overflow because |len+want| didn't
                      * overflow.
                      */
-                    len += i;
-                    want -= i;
+                        len += i;
+                        chunk -= i;
+                    }
+                    if (chunk_max < INT_MAX/2)
+                        chunk_max *= 2;
                 }
             }
             if (off + c.slen < off) {
index af79530..bb166e8 100644 (file)
@@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
         result = 0;             /* They do not have content. */
         break;
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
     case V_ASN1_BIT_STRING:
     case V_ASN1_OCTET_STRING:
     case V_ASN1_SEQUENCE:
index 0b61fc9..874b1af 100644 (file)
@@ -63,7 +63,7 @@
 #include <openssl/asn1_mac.h>
 
 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
-                           int max);
+                           long max);
 static void asn1_put_length(unsigned char **pp, int length);
 const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT;
 
@@ -131,7 +131,7 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
     }
     *ptag = tag;
     *pclass = xclass;
-    if (!asn1_get_length(&p, &inf, plength, (int)max))
+    if (!asn1_get_length(&p, &inf, plength, max))
         goto err;
 
     if (inf && !(ret & V_ASN1_CONSTRUCTED))
@@ -159,14 +159,14 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
 }
 
 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
-                           int max)
+                           long max)
 {
     const unsigned char *p = *pp;
     unsigned long ret = 0;
-    unsigned int i;
+    unsigned long i;
 
     if (max-- < 1)
-        return (0);
+        return 0;
     if (*p == 0x80) {
         *inf = 1;
         ret = 0;
@@ -175,15 +175,11 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
         *inf = 0;
         i = *p & 0x7f;
         if (*(p++) & 0x80) {
-            if (i > sizeof(long))
+            if (i > sizeof(ret) || max < (long)i)
                 return 0;
-            if (max-- == 0)
-                return (0);
             while (i-- > 0) {
                 ret <<= 8L;
                 ret |= *(p++);
-                if (max-- == 0)
-                    return (0);
             }
         } else
             ret = i;
@@ -192,7 +188,7 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
         return 0;
     *pp = p;
     *rl = (long)ret;
-    return (1);
+    return 1;
 }
 
 /*
index 0ca985a..e85e339 100644 (file)
@@ -173,6 +173,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
         if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0))
             goto end;
         if (j & V_ASN1_CONSTRUCTED) {
+            const unsigned char *sp;
+
             ep = p + len;
             if (BIO_write(bp, "\n", 1) <= 0)
                 goto end;
@@ -182,6 +184,7 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                 goto end;
             }
             if ((j == 0x21) && (len == 0)) {
+                sp = p;
                 for (;;) {
                     r = asn1_parse2(bp, &p, (long)(tot - p),
                                     offset + (p - *pp), depth + 1,
@@ -190,19 +193,25 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                         ret = 0;
                         goto end;
                     }
-                    if ((r == 2) || (p >= tot))
+                    if ((r == 2) || (p >= tot)) {
+                        len = p - sp;
                         break;
+                    }
                 }
-            } else
+            } else {
+                long tmp = len;
+
                 while (p < ep) {
-                    r = asn1_parse2(bp, &p, (long)len,
-                                    offset + (p - *pp), depth + 1,
+                    sp = p;
+                    r = asn1_parse2(bp, &p, tmp, offset + (p - *pp), depth + 1,
                                     indent, dump);
                     if (r == 0) {
                         ret = 0;
                         goto end;
                     }
+                    tmp -= p - sp;
                 }
+            }
         } else if (xclass != 0) {
             p += len;
             if (BIO_write(bp, "\n", 1) <= 0)
index 4e7c45d..4f69b51 100644 (file)
@@ -140,7 +140,8 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
             goto err;
 
         bs = X509_get_serialNumber(x);
-        if (bs->length <= (int)sizeof(long)) {
+        if (bs->length < (int)sizeof(long)
+            || (bs->length == sizeof(long) && (bs->data[0] & 0x80) == 0)) {
             l = ASN1_INTEGER_get(bs);
             if (bs->type == V_ASN1_NEG_INTEGER) {
                 l = -l;
index 9256049..2a13388 100644 (file)
@@ -903,9 +903,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
         break;
 
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
         tint = (ASN1_INTEGER **)pval;
         if (!c2i_ASN1_INTEGER(tint, &cont, len))
             goto err;
index f04a689..f7f83e5 100644 (file)
@@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
         break;
 
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
         /*
          * These are all have the same content format as ASN1_INTEGER
          */
index 737c426..a858c29 100644 (file)
 typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
 DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
 
+/*
+ * Maximum length of X509_NAME: much larger than anything we should
+ * ever see in practice.
+ */
+
+#define X509_NAME_MAX (1024 * 1024)
+
 static int x509_name_ex_d2i(ASN1_VALUE **val,
                             const unsigned char **in, long len,
                             const ASN1_ITEM *it,
@@ -192,6 +199,10 @@ static int x509_name_ex_d2i(ASN1_VALUE **val,
     int i, j, ret;
     STACK_OF(X509_NAME_ENTRY) *entries;
     X509_NAME_ENTRY *entry;
+    if (len > X509_NAME_MAX) {
+        ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+        return 0;
+    }
     q = p;
 
     /* Get internal representation of Name */
index bcd9166..1500871 100644 (file)
@@ -201,9 +201,19 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 
 int i2d_X509_AUX(X509 *a, unsigned char **pp)
 {
-    int length;
+    int length, tmplen;
+    unsigned char *start = pp != NULL ? *pp : NULL;
     length = i2d_X509(a, pp);
-    if (a)
-        length += i2d_X509_CERT_AUX(a->aux, pp);
+    if (length < 0 || a == NULL)
+        return length;
+
+    tmplen = i2d_X509_CERT_AUX(a->aux, pp);
+    if (tmplen < 0) {
+        if (start != NULL)
+            *pp = start;
+        return tmplen;
+    }
+    length += tmplen;
+
     return length;
 }
diff --git a/crypto/openssl/crypto/bn/asm/x86-gf2m.pl b/crypto/openssl/crypto/bn/asm/x86-gf2m.pl
deleted file mode 100644 (file)
index b579530..0000000
+++ /dev/null
@@ -1,313 +0,0 @@
-#!/usr/bin/env perl
-#
-# ====================================================================
-# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
-# project. The module is, however, dual licensed under OpenSSL and
-# CRYPTOGAMS licenses depending on where you obtain it. For further
-# details see http://www.openssl.org/~appro/cryptogams/.
-# ====================================================================
-#
-# May 2011
-#
-# The module implements bn_GF2m_mul_2x2 polynomial multiplication used
-# in bn_gf2m.c. It's kind of low-hanging mechanical port from C for
-# the time being... Except that it has three code paths: pure integer
-# code suitable for any x86 CPU, MMX code suitable for PIII and later
-# and PCLMULQDQ suitable for Westmere and later. Improvement varies
-# from one benchmark and µ-arch to another. Below are interval values
-# for 163- and 571-bit ECDH benchmarks relative to compiler-generated
-# code:
-#
-# PIII         16%-30%
-# P4           12%-12%
-# Opteron      18%-40%
-# Core2                19%-44%
-# Atom         38%-64%
-# Westmere     53%-121%(PCLMULQDQ)/20%-32%(MMX)
-# Sandy Bridge 72%-127%(PCLMULQDQ)/27%-23%(MMX)
-#
-# Note that above improvement coefficients are not coefficients for
-# bn_GF2m_mul_2x2 itself. For example 120% ECDH improvement is result
-# of bn_GF2m_mul_2x2 being >4x faster. As it gets faster, benchmark
-# is more and more dominated by other subroutines, most notably by
-# BN_GF2m_mod[_mul]_arr...
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-push(@INC,"${dir}","${dir}../../perlasm");
-require "x86asm.pl";
-
-&asm_init($ARGV[0],$0,$x86only = $ARGV[$#ARGV] eq "386");
-
-$sse2=0;
-for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
-
-&external_label("OPENSSL_ia32cap_P") if ($sse2);
-
-$a="eax";
-$b="ebx";
-($a1,$a2,$a4)=("ecx","edx","ebp");
-
-$R="mm0";
-@T=("mm1","mm2");
-($A,$B,$B30,$B31)=("mm2","mm3","mm4","mm5");
-@i=("esi","edi");
-
-                                       if (!$x86only) {
-&function_begin_B("_mul_1x1_mmx");
-       &sub    ("esp",32+4);
-        &mov   ($a1,$a);
-        &lea   ($a2,&DWP(0,$a,$a));
-        &and   ($a1,0x3fffffff);
-        &lea   ($a4,&DWP(0,$a2,$a2));
-        &mov   (&DWP(0*4,"esp"),0);
-        &and   ($a2,0x7fffffff);
-       &movd   ($A,$a);
-       &movd   ($B,$b);
-        &mov   (&DWP(1*4,"esp"),$a1);  # a1
-        &xor   ($a1,$a2);              # a1^a2
-       &pxor   ($B31,$B31);
-       &pxor   ($B30,$B30);
-        &mov   (&DWP(2*4,"esp"),$a2);  # a2
-        &xor   ($a2,$a4);              # a2^a4
-        &mov   (&DWP(3*4,"esp"),$a1);  # a1^a2
-       &pcmpgtd($B31,$A);              # broadcast 31st bit
-       &paddd  ($A,$A);                # $A<<=1
-        &xor   ($a1,$a2);              # a1^a4=a1^a2^a2^a4
-        &mov   (&DWP(4*4,"esp"),$a4);  # a4
-        &xor   ($a4,$a2);              # a2=a4^a2^a4
-       &pand   ($B31,$B);
-       &pcmpgtd($B30,$A);              # broadcast 30th bit
-        &mov   (&DWP(5*4,"esp"),$a1);  # a1^a4
-        &xor   ($a4,$a1);              # a1^a2^a4
-       &psllq  ($B31,31);
-       &pand   ($B30,$B);
-        &mov   (&DWP(6*4,"esp"),$a2);  # a2^a4
-       &mov    (@i[0],0x7);
-        &mov   (&DWP(7*4,"esp"),$a4);  # a1^a2^a4
-        &mov   ($a4,@i[0]);
-       &and    (@i[0],$b);
-       &shr    ($b,3);
-       &mov    (@i[1],$a4);
-       &psllq  ($B30,30);
-       &and    (@i[1],$b);
-       &shr    ($b,3);
-       &movd   ($R,&DWP(0,"esp",@i[0],4));
-       &mov    (@i[0],$a4);
-       &and    (@i[0],$b);
-       &shr    ($b,3);
-       for($n=1;$n<9;$n++) {
-               &movd   (@T[1],&DWP(0,"esp",@i[1],4));
-               &mov    (@i[1],$a4);
-               &psllq  (@T[1],3*$n);
-               &and    (@i[1],$b);
-               &shr    ($b,3);
-               &pxor   ($R,@T[1]);
-
-               push(@i,shift(@i)); push(@T,shift(@T));
-       }
-       &movd   (@T[1],&DWP(0,"esp",@i[1],4));
-       &pxor   ($R,$B30);
-       &psllq  (@T[1],3*$n++);
-       &pxor   ($R,@T[1]);
-
-       &movd   (@T[0],&DWP(0,"esp",@i[0],4));
-       &pxor   ($R,$B31);
-       &psllq  (@T[0],3*$n);
-       &add    ("esp",32+4);
-       &pxor   ($R,@T[0]);
-       &ret    ();
-&function_end_B("_mul_1x1_mmx");
-                                       }
-
-($lo,$hi)=("eax","edx");
-@T=("ecx","ebp");
-
-&function_begin_B("_mul_1x1_ialu");
-       &sub    ("esp",32+4);
-        &mov   ($a1,$a);
-        &lea   ($a2,&DWP(0,$a,$a));
-        &lea   ($a4,&DWP(0,"",$a,4));
-        &and   ($a1,0x3fffffff);
-       &lea    (@i[1],&DWP(0,$lo,$lo));
-       &sar    ($lo,31);               # broadcast 31st bit
-        &mov   (&DWP(0*4,"esp"),0);
-        &and   ($a2,0x7fffffff);
-        &mov   (&DWP(1*4,"esp"),$a1);  # a1
-        &xor   ($a1,$a2);              # a1^a2
-        &mov   (&DWP(2*4,"esp"),$a2);  # a2
-        &xor   ($a2,$a4);              # a2^a4
-        &mov   (&DWP(3*4,"esp"),$a1);  # a1^a2
-        &xor   ($a1,$a2);              # a1^a4=a1^a2^a2^a4
-        &mov   (&DWP(4*4,"esp"),$a4);  # a4
-        &xor   ($a4,$a2);              # a2=a4^a2^a4
-        &mov   (&DWP(5*4,"esp"),$a1);  # a1^a4
-        &xor   ($a4,$a1);              # a1^a2^a4
-       &sar    (@i[1],31);             # broardcast 30th bit
-       &and    ($lo,$b);
-        &mov   (&DWP(6*4,"esp"),$a2);  # a2^a4
-       &and    (@i[1],$b);
-        &mov   (&DWP(7*4,"esp"),$a4);  # a1^a2^a4
-       &mov    ($hi,$lo);
-       &shl    ($lo,31);
-       &mov    (@T[0],@i[1]);
-       &shr    ($hi,1);
-
-        &mov   (@i[0],0x7);
-       &shl    (@i[1],30);
-        &and   (@i[0],$b);
-       &shr    (@T[0],2);
-       &xor    ($lo,@i[1]);
-
-       &shr    ($b,3);
-       &mov    (@i[1],0x7);            # 5-byte instruction!?
-       &and    (@i[1],$b);
-       &shr    ($b,3);
-        &xor   ($hi,@T[0]);
-       &xor    ($lo,&DWP(0,"esp",@i[0],4));
-       &mov    (@i[0],0x7);
-       &and    (@i[0],$b);
-       &shr    ($b,3);
-       for($n=1;$n<9;$n++) {
-               &mov    (@T[1],&DWP(0,"esp",@i[1],4));
-               &mov    (@i[1],0x7);
-               &mov    (@T[0],@T[1]);
-               &shl    (@T[1],3*$n);
-               &and    (@i[1],$b);
-               &shr    (@T[0],32-3*$n);
-               &xor    ($lo,@T[1]);
-               &shr    ($b,3);
-               &xor    ($hi,@T[0]);
-
-               push(@i,shift(@i)); push(@T,shift(@T));
-       }
-       &mov    (@T[1],&DWP(0,"esp",@i[1],4));
-       &mov    (@T[0],@T[1]);
-       &shl    (@T[1],3*$n);
-       &mov    (@i[1],&DWP(0,"esp",@i[0],4));
-       &shr    (@T[0],32-3*$n);        $n++;
-       &mov    (@i[0],@i[1]);
-       &xor    ($lo,@T[1]);
-       &shl    (@i[1],3*$n);
-       &xor    ($hi,@T[0]);
-       &shr    (@i[0],32-3*$n);
-       &xor    ($lo,@i[1]);
-       &xor    ($hi,@i[0]);
-
-       &add    ("esp",32+4);
-       &ret    ();
-&function_end_B("_mul_1x1_ialu");
-
-# void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1, BN_ULONG b0);
-&function_begin_B("bn_GF2m_mul_2x2");
-if (!$x86only) {
-       &picmeup("edx","OPENSSL_ia32cap_P");
-       &mov    ("eax",&DWP(0,"edx"));
-       &mov    ("edx",&DWP(4,"edx"));
-       &test   ("eax",1<<23);          # check MMX bit
-       &jz     (&label("ialu"));
-if ($sse2) {
-       &test   ("eax",1<<24);          # check FXSR bit
-       &jz     (&label("mmx"));
-       &test   ("edx",1<<1);           # check PCLMULQDQ bit
-       &jz     (&label("mmx"));
-
-       &movups         ("xmm0",&QWP(8,"esp"));
-       &shufps         ("xmm0","xmm0",0b10110001);
-       &pclmulqdq      ("xmm0","xmm0",1);
-       &mov            ("eax",&DWP(4,"esp"));
-       &movups         (&QWP(0,"eax"),"xmm0");
-       &ret    ();
-
-&set_label("mmx",16);
-}
-       &push   ("ebp");
-       &push   ("ebx");
-       &push   ("esi");
-       &push   ("edi");
-       &mov    ($a,&wparam(1));
-       &mov    ($b,&wparam(3));
-       &call   ("_mul_1x1_mmx");       # a1·b1
-       &movq   ("mm7",$R);
-
-       &mov    ($a,&wparam(2));
-       &mov    ($b,&wparam(4));
-       &call   ("_mul_1x1_mmx");       # a0·b0
-       &movq   ("mm6",$R);
-
-       &mov    ($a,&wparam(1));
-       &mov    ($b,&wparam(3));
-       &xor    ($a,&wparam(2));
-       &xor    ($b,&wparam(4));
-       &call   ("_mul_1x1_mmx");       # (a0+a1)·(b0+b1)
-       &pxor   ($R,"mm7");
-       &mov    ($a,&wparam(0));
-       &pxor   ($R,"mm6");             # (a0+a1)·(b0+b1)-a1·b1-a0·b0
-
-       &movq   ($A,$R);
-       &psllq  ($R,32);
-       &pop    ("edi");
-       &psrlq  ($A,32);
-       &pop    ("esi");
-       &pxor   ($R,"mm6");
-       &pop    ("ebx");
-       &pxor   ($A,"mm7");
-       &movq   (&QWP(0,$a),$R);
-       &pop    ("ebp");
-       &movq   (&QWP(8,$a),$A);
-       &emms   ();
-       &ret    ();
-&set_label("ialu",16);
-}
-       &push   ("ebp");
-       &push   ("ebx");
-       &push   ("esi");
-       &push   ("edi");
-       &stack_push(4+1);
-
-       &mov    ($a,&wparam(1));
-       &mov    ($b,&wparam(3));
-       &call   ("_mul_1x1_ialu");      # a1·b1
-       &mov    (&DWP(8,"esp"),$lo);
-       &mov    (&DWP(12,"esp"),$hi);
-
-       &mov    ($a,&wparam(2));
-       &mov    ($b,&wparam(4));
-       &call   ("_mul_1x1_ialu");      # a0·b0
-       &mov    (&DWP(0,"esp"),$lo);
-       &mov    (&DWP(4,"esp"),$hi);
-
-       &mov    ($a,&wparam(1));
-       &mov    ($b,&wparam(3));
-       &xor    ($a,&wparam(2));
-       &xor    ($b,&wparam(4));
-       &call   ("_mul_1x1_ialu");      # (a0+a1)·(b0+b1)
-
-       &mov    ("ebp",&wparam(0));
-                @r=("ebx","ecx","edi","esi");
-       &mov    (@r[0],&DWP(0,"esp"));
-       &mov    (@r[1],&DWP(4,"esp"));
-       &mov    (@r[2],&DWP(8,"esp"));
-       &mov    (@r[3],&DWP(12,"esp"));
-
-       &xor    ($lo,$hi);
-       &xor    ($hi,@r[1]);
-       &xor    ($lo,@r[0]);
-       &mov    (&DWP(0,"ebp"),@r[0]);
-       &xor    ($hi,@r[2]);
-       &mov    (&DWP(12,"ebp"),@r[3]);
-       &xor    ($lo,@r[3]);
-       &stack_pop(4+1);
-       &xor    ($hi,@r[3]);
-       &pop    ("edi");
-       &xor    ($lo,$hi);
-       &pop    ("esi");
-       &mov    (&DWP(8,"ebp"),$hi);
-       &pop    ("ebx");
-       &mov    (&DWP(4,"ebp"),$lo);
-       &pop    ("ebp");
-       &ret    ();
-&function_end_B("bn_GF2m_mul_2x2");
-
-&asciz ("GF(2^m) Multiplication for x86, CRYPTOGAMS by <appro\@openssl.org>");
-
-&asm_finish();
diff --git a/crypto/openssl/crypto/bn/asm/x86-mont.pl b/crypto/openssl/crypto/bn/asm/x86-mont.pl
deleted file mode 100755 (executable)
index e8f6b05..0000000
+++ /dev/null
@@ -1,593 +0,0 @@
-#!/usr/bin/env perl
-
-# ====================================================================
-# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
-# project. The module is, however, dual licensed under OpenSSL and
-# CRYPTOGAMS licenses depending on where you obtain it. For further
-# details see http://www.openssl.org/~appro/cryptogams/.
-# ====================================================================
-
-# October 2005
-#
-# This is a "teaser" code, as it can be improved in several ways...
-# First of all non-SSE2 path should be implemented (yes, for now it
-# performs Montgomery multiplication/convolution only on SSE2-capable
-# CPUs such as P4, others fall down to original code). Then inner loop
-# can be unrolled and modulo-scheduled to improve ILP and possibly
-# moved to 128-bit XMM register bank (though it would require input
-# rearrangement and/or increase bus bandwidth utilization). Dedicated
-# squaring procedure should give further performance improvement...
-# Yet, for being draft, the code improves rsa512 *sign* benchmark by
-# 110%(!), rsa1024 one - by 70% and rsa4096 - by 20%:-)
-
-# December 2006
-#
-# Modulo-scheduling SSE2 loops results in further 15-20% improvement.
-# Integer-only code [being equipped with dedicated squaring procedure]
-# gives ~40% on rsa512 sign benchmark...
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-push(@INC,"${dir}","${dir}../../perlasm");
-require "x86asm.pl";
-
-&asm_init($ARGV[0],$0);
-
-$sse2=0;
-for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
-
-&external_label("OPENSSL_ia32cap_P") if ($sse2);
-
-&function_begin("bn_mul_mont");
-
-$i="edx";
-$j="ecx";
-$ap="esi";     $tp="esi";              # overlapping variables!!!
-$rp="edi";     $bp="edi";              # overlapping variables!!!
-$np="ebp";
-$num="ebx";
-
-$_num=&DWP(4*0,"esp");                 # stack top layout
-$_rp=&DWP(4*1,"esp");
-$_ap=&DWP(4*2,"esp");
-$_bp=&DWP(4*3,"esp");
-$_np=&DWP(4*4,"esp");
-$_n0=&DWP(4*5,"esp");  $_n0q=&QWP(4*5,"esp");
-$_sp=&DWP(4*6,"esp");
-$_bpend=&DWP(4*7,"esp");
-$frame=32;                             # size of above frame rounded up to 16n
-
-       &xor    ("eax","eax");
-       &mov    ("edi",&wparam(5));     # int num
-       &cmp    ("edi",4);
-       &jl     (&label("just_leave"));
-
-       &lea    ("esi",&wparam(0));     # put aside pointer to argument block
-       &lea    ("edx",&wparam(1));     # load ap
-       &mov    ("ebp","esp");          # saved stack pointer!
-       &add    ("edi",2);              # extra two words on top of tp
-       &neg    ("edi");
-       &lea    ("esp",&DWP(-$frame,"esp","edi",4));    # alloca($frame+4*(num+2))
-       &neg    ("edi");
-
-       # minimize cache contention by arraning 2K window between stack
-       # pointer and ap argument [np is also position sensitive vector,
-       # but it's assumed to be near ap, as it's allocated at ~same
-       # time].
-       &mov    ("eax","esp");
-       &sub    ("eax","edx");
-       &and    ("eax",2047);
-       &sub    ("esp","eax");          # this aligns sp and ap modulo 2048
-
-       &xor    ("edx","esp");
-       &and    ("edx",2048);
-       &xor    ("edx",2048);
-       &sub    ("esp","edx");          # this splits them apart modulo 4096
-
-       &and    ("esp",-64);            # align to cache line
-
-       ################################# load argument block...
-       &mov    ("eax",&DWP(0*4,"esi"));# BN_ULONG *rp
-       &mov    ("ebx",&DWP(1*4,"esi"));# const BN_ULONG *ap
-       &mov    ("ecx",&DWP(2*4,"esi"));# const BN_ULONG *bp
-       &mov    ("edx",&DWP(3*4,"esi"));# const BN_ULONG *np
-       &mov    ("esi",&DWP(4*4,"esi"));# const BN_ULONG *n0
-       #&mov   ("edi",&DWP(5*4,"esi"));# int num
-
-       &mov    ("esi",&DWP(0,"esi"));  # pull n0[0]
-       &mov    ($_rp,"eax");           # ... save a copy of argument block
-       &mov    ($_ap,"ebx");
-       &mov    ($_bp,"ecx");
-       &mov    ($_np,"edx");
-       &mov    ($_n0,"esi");
-       &lea    ($num,&DWP(-3,"edi"));  # num=num-1 to assist modulo-scheduling
-       #&mov   ($_num,$num);           # redundant as $num is not reused
-       &mov    ($_sp,"ebp");           # saved stack pointer!
-\f
-if($sse2) {
-$acc0="mm0";   # mmx register bank layout
-$acc1="mm1";
-$car0="mm2";
-$car1="mm3";
-$mul0="mm4";
-$mul1="mm5";
-$temp="mm6";
-$mask="mm7";
-
-       &picmeup("eax","OPENSSL_ia32cap_P");
-       &bt     (&DWP(0,"eax"),26);
-       &jnc    (&label("non_sse2"));
-
-       &mov    ("eax",-1);
-       &movd   ($mask,"eax");          # mask 32 lower bits
-
-       &mov    ($ap,$_ap);             # load input pointers
-       &mov    ($bp,$_bp);
-       &mov    ($np,$_np);
-
-       &xor    ($i,$i);                # i=0
-       &xor    ($j,$j);                # j=0
-
-       &movd   ($mul0,&DWP(0,$bp));            # bp[0]
-       &movd   ($mul1,&DWP(0,$ap));            # ap[0]
-       &movd   ($car1,&DWP(0,$np));            # np[0]
-
-       &pmuludq($mul1,$mul0);                  # ap[0]*bp[0]
-       &movq   ($car0,$mul1);
-       &movq   ($acc0,$mul1);                  # I wish movd worked for
-       &pand   ($acc0,$mask);                  # inter-register transfers
-
-       &pmuludq($mul1,$_n0q);                  # *=n0
-
-       &pmuludq($car1,$mul1);                  # "t[0]"*np[0]*n0
-       &paddq  ($car1,$acc0);
-
-       &movd   ($acc1,&DWP(4,$np));            # np[1]
-       &movd   ($acc0,&DWP(4,$ap));            # ap[1]
-
-       &psrlq  ($car0,32);
-       &psrlq  ($car1,32);
-
-       &inc    ($j);                           # j++
-&set_label("1st",16);
-       &pmuludq($acc0,$mul0);                  # ap[j]*bp[0]
-       &pmuludq($acc1,$mul1);                  # np[j]*m1
-       &paddq  ($car0,$acc0);                  # +=c0
-       &paddq  ($car1,$acc1);                  # +=c1
-
-       &movq   ($acc0,$car0);
-       &pand   ($acc0,$mask);
-       &movd   ($acc1,&DWP(4,$np,$j,4));       # np[j+1]
-       &paddq  ($car1,$acc0);                  # +=ap[j]*bp[0];
-       &movd   ($acc0,&DWP(4,$ap,$j,4));       # ap[j+1]
-       &psrlq  ($car0,32);
-       &movd   (&DWP($frame-4,"esp",$j,4),$car1);      # tp[j-1]=
-       &psrlq  ($car1,32);
-
-       &lea    ($j,&DWP(1,$j));
-       &cmp    ($j,$num);
-       &jl     (&label("1st"));
-
-       &pmuludq($acc0,$mul0);                  # ap[num-1]*bp[0]
-       &pmuludq($acc1,$mul1);                  # np[num-1]*m1
-       &paddq  ($car0,$acc0);                  # +=c0
-       &paddq  ($car1,$acc1);                  # +=c1
-
-       &movq   ($acc0,$car0);
-       &pand   ($acc0,$mask);
-       &paddq  ($car1,$acc0);                  # +=ap[num-1]*bp[0];
-       &movd   (&DWP($frame-4,"esp",$j,4),$car1);      # tp[num-2]=
-
-       &psrlq  ($car0,32);
-       &psrlq  ($car1,32);
-
-       &paddq  ($car1,$car0);
-       &movq   (&QWP($frame,"esp",$num,4),$car1);      # tp[num].tp[num-1]
-\f
-       &inc    ($i);                           # i++
-&set_label("outer");
-       &xor    ($j,$j);                        # j=0
-
-       &movd   ($mul0,&DWP(0,$bp,$i,4));       # bp[i]
-       &movd   ($mul1,&DWP(0,$ap));            # ap[0]
-       &movd   ($temp,&DWP($frame,"esp"));     # tp[0]
-       &movd   ($car1,&DWP(0,$np));            # np[0]
-       &pmuludq($mul1,$mul0);                  # ap[0]*bp[i]
-
-       &paddq  ($mul1,$temp);                  # +=tp[0]
-       &movq   ($acc0,$mul1);
-       &movq   ($car0,$mul1);
-       &pand   ($acc0,$mask);
-
-       &pmuludq($mul1,$_n0q);                  # *=n0
-
-       &pmuludq($car1,$mul1);
-       &paddq  ($car1,$acc0);
-
-       &movd   ($temp,&DWP($frame+4,"esp"));   # tp[1]
-       &movd   ($acc1,&DWP(4,$np));            # np[1]
-       &movd   ($acc0,&DWP(4,$ap));            # ap[1]
-
-       &psrlq  ($car0,32);
-       &psrlq  ($car1,32);
-       &paddq  ($car0,$temp);                  # +=tp[1]
-
-       &inc    ($j);                           # j++
-       &dec    ($num);
-&set_label("inner");
-       &pmuludq($acc0,$mul0);                  # ap[j]*bp[i]
-       &pmuludq($acc1,$mul1);                  # np[j]*m1
-       &paddq  ($car0,$acc0);                  # +=c0
-       &paddq  ($car1,$acc1);                  # +=c1
-
-       &movq   ($acc0,$car0);
-       &movd   ($temp,&DWP($frame+4,"esp",$j,4));# tp[j+1]
-       &pand   ($acc0,$mask);
-       &movd   ($acc1,&DWP(4,$np,$j,4));       # np[j+1]
-       &paddq  ($car1,$acc0);                  # +=ap[j]*bp[i]+tp[j]
-       &movd   ($acc0,&DWP(4,$ap,$j,4));       # ap[j+1]
-       &psrlq  ($car0,32);
-       &movd   (&DWP($frame-4,"esp",$j,4),$car1);# tp[j-1]=
-       &psrlq  ($car1,32);
-       &paddq  ($car0,$temp);                  # +=tp[j+1]
-
-       &dec    ($num);
-       &lea    ($j,&DWP(1,$j));                # j++
-       &jnz    (&label("inner"));
-
-       &mov    ($num,$j);
-       &pmuludq($acc0,$mul0);                  # ap[num-1]*bp[i]
-       &pmuludq($acc1,$mul1);                  # np[num-1]*m1
-       &paddq  ($car0,$acc0);                  # +=c0
-       &paddq  ($car1,$acc1);                  # +=c1
-
-       &movq   ($acc0,$car0);
-       &pand   ($acc0,$mask);
-       &paddq  ($car1,$acc0);                  # +=ap[num-1]*bp[i]+tp[num-1]
-       &movd   (&DWP($frame-4,"esp",$j,4),$car1);      # tp[num-2]=
-       &psrlq  ($car0,32);
-       &psrlq  ($car1,32);
-
-       &movd   ($temp,&DWP($frame+4,"esp",$num,4));    # += tp[num]
-       &paddq  ($car1,$car0);
-       &paddq  ($car1,$temp);
-       &movq   (&QWP($frame,"esp",$num,4),$car1);      # tp[num].tp[num-1]
-
-       &lea    ($i,&DWP(1,$i));                # i++
-       &cmp    ($i,$num);
-       &jle    (&label("outer"));
-
-       &emms   ();                             # done with mmx bank
-       &jmp    (&label("common_tail"));
-
-&set_label("non_sse2",16);
-}
-\f
-if (0) {
-       &mov    ("esp",$_sp);
-       &xor    ("eax","eax");  # signal "not fast enough [yet]"
-       &jmp    (&label("just_leave"));
-       # While the below code provides competitive performance for
-       # all key lengthes on modern Intel cores, it's still more
-       # than 10% slower for 4096-bit key elsewhere:-( "Competitive"
-       # means compared to the original integer-only assembler.
-       # 512-bit RSA sign is better by ~40%, but that's about all
-       # one can say about all CPUs...
-} else {
-$inp="esi";    # integer path uses these registers differently
-$word="edi";
-$carry="ebp";
-
-       &mov    ($inp,$_ap);
-       &lea    ($carry,&DWP(1,$num));
-       &mov    ($word,$_bp);
-       &xor    ($j,$j);                                # j=0
-       &mov    ("edx",$inp);
-       &and    ($carry,1);                             # see if num is even
-       &sub    ("edx",$word);                          # see if ap==bp
-       &lea    ("eax",&DWP(4,$word,$num,4));           # &bp[num]
-       &or     ($carry,"edx");
-       &mov    ($word,&DWP(0,$word));                  # bp[0]
-       &jz     (&label("bn_sqr_mont"));
-       &mov    ($_bpend,"eax");
-       &mov    ("eax",&DWP(0,$inp));
-       &xor    ("edx","edx");
-
-&set_label("mull",16);
-       &mov    ($carry,"edx");
-       &mul    ($word);                                # ap[j]*bp[0]
-       &add    ($carry,"eax");
-       &lea    ($j,&DWP(1,$j));
-       &adc    ("edx",0);
-       &mov    ("eax",&DWP(0,$inp,$j,4));              # ap[j+1]
-       &cmp    ($j,$num);
-       &mov    (&DWP($frame-4,"esp",$j,4),$carry);     # tp[j]=
-       &jl     (&label("mull"));
-
-       &mov    ($carry,"edx");
-       &mul    ($word);                                # ap[num-1]*bp[0]
-        &mov   ($word,$_n0);
-       &add    ("eax",$carry);
-        &mov   ($inp,$_np);
-       &adc    ("edx",0);
-        &imul  ($word,&DWP($frame,"esp"));             # n0*tp[0]
-
-       &mov    (&DWP($frame,"esp",$num,4),"eax");      # tp[num-1]=
-       &xor    ($j,$j);
-       &mov    (&DWP($frame+4,"esp",$num,4),"edx");    # tp[num]=
-       &mov    (&DWP($frame+8,"esp",$num,4),$j);       # tp[num+1]=
-
-       &mov    ("eax",&DWP(0,$inp));                   # np[0]
-       &mul    ($word);                                # np[0]*m
-       &add    ("eax",&DWP($frame,"esp"));             # +=tp[0]
-       &mov    ("eax",&DWP(4,$inp));                   # np[1]
-       &adc    ("edx",0);
-       &inc    ($j);
-
-       &jmp    (&label("2ndmadd"));
-\f\f
-&set_label("1stmadd",16);
-       &mov    ($carry,"edx");
-       &mul    ($word);                                # ap[j]*bp[i]
-       &add    ($carry,&DWP($frame,"esp",$j,4));       # +=tp[j]
-       &lea    ($j,&DWP(1,$j));
-       &adc    ("edx",0);
-       &add    ($carry,"eax");
-       &mov    ("eax",&DWP(0,$inp,$j,4));              # ap[j+1]
-       &adc    ("edx",0);
-       &cmp    ($j,$num);
-       &mov    (&DWP($frame-4,"esp",$j,4),$carry);     # tp[j]=
-       &jl     (&label("1stmadd"));
-
-       &mov    ($carry,"edx");
-       &mul    ($word);                                # ap[num-1]*bp[i]
-       &add    ("eax",&DWP($frame,"esp",$num,4));      # +=tp[num-1]
-        &mov   ($word,$_n0);
-       &adc    ("edx",0);
-        &mov   ($inp,$_np);
-       &add    ($carry,"eax");
-       &adc    ("edx",0);
-        &imul  ($word,&DWP($frame,"esp"));             # n0*tp[0]
-
-       &xor    ($j,$j);
-       &add    ("edx",&DWP($frame+4,"esp",$num,4));    # carry+=tp[num]
-       &mov    (&DWP($frame,"esp",$num,4),$carry);     # tp[num-1]=
-       &adc    ($j,0);
-        &mov   ("eax",&DWP(0,$inp));                   # np[0]
-       &mov    (&DWP($frame+4,"esp",$num,4),"edx");    # tp[num]=
-       &mov    (&DWP($frame+8,"esp",$num,4),$j);       # tp[num+1]=
-
-       &mul    ($word);                                # np[0]*m
-       &add    ("eax",&DWP($frame,"esp"));             # +=tp[0]
-       &mov    ("eax",&DWP(4,$inp));                   # np[1]
-       &adc    ("edx",0);
-       &mov    ($j,1);
-\f
-&set_label("2ndmadd",16);
-       &mov    ($carry,"edx");
-       &mul    ($word);                                # np[j]*m
-       &add    ($carry,&DWP($frame,"esp",$j,4));       # +=tp[j]
-       &lea    ($j,&DWP(1,$j));
-       &adc    ("edx",0);
-       &add    ($carry,"eax");
-       &mov    ("eax",&DWP(0,$inp,$j,4));              # np[j+1]
-       &adc    ("edx",0);
-       &cmp    ($j,$num);
-       &mov    (&DWP($frame-8,"esp",$j,4),$carry);     # tp[j-1]=
-       &jl     (&label("2ndmadd"));
-
-       &mov    ($carry,"edx");
-       &mul    ($word);                                # np[j]*m
-       &add    ($carry,&DWP($frame,"esp",$num,4));     # +=tp[num-1]
-       &adc    ("edx",0);
-       &add    ($carry,"eax");
-       &adc    ("edx",0);
-       &mov    (&DWP($frame-4,"esp",$num,4),$carry);   # tp[num-2]=
-
-       &xor    ("eax","eax");
-        &mov   ($j,$_bp);                              # &bp[i]
-       &add    ("edx",&DWP($frame+4,"esp",$num,4));    # carry+=tp[num]
-       &adc    ("eax",&DWP($frame+8,"esp",$num,4));    # +=tp[num+1]
-        &lea   ($j,&DWP(4,$j));
-       &mov    (&DWP($frame,"esp",$num,4),"edx");      # tp[num-1]=
-        &cmp   ($j,$_bpend);
-       &mov    (&DWP($frame+4,"esp",$num,4),"eax");    # tp[num]=
-       &je     (&label("common_tail"));
-
-       &mov    ($word,&DWP(0,$j));                     # bp[i+1]
-       &mov    ($inp,$_ap);
-       &mov    ($_bp,$j);                              # &bp[++i]
-       &xor    ($j,$j);
-       &xor    ("edx","edx");
-       &mov    ("eax",&DWP(0,$inp));
-       &jmp    (&label("1stmadd"));
-\f
-&set_label("bn_sqr_mont",16);
-$sbit=$num;
-       &mov    ($_num,$num);
-       &mov    ($_bp,$j);                              # i=0
-
-       &mov    ("eax",$word);                          # ap[0]
-       &mul    ($word);                                # ap[0]*ap[0]
-       &mov    (&DWP($frame,"esp"),"eax");             # tp[0]=
-       &mov    ($sbit,"edx");
-       &shr    ("edx",1);
-       &and    ($sbit,1);
-       &inc    ($j);
-&set_label("sqr",16);
-       &mov    ("eax",&DWP(0,$inp,$j,4));              # ap[j]
-       &mov    ($carry,"edx");
-       &mul    ($word);                                # ap[j]*ap[0]
-       &add    ("eax",$carry);
-       &lea    ($j,&DWP(1,$j));
-       &adc    ("edx",0);
-       &lea    ($carry,&DWP(0,$sbit,"eax",2));
-       &shr    ("eax",31);
-       &cmp    ($j,$_num);
-       &mov    ($sbit,"eax");
-       &mov    (&DWP($frame-4,"esp",$j,4),$carry);     # tp[j]=
-       &jl     (&label("sqr"));
-
-       &mov    ("eax",&DWP(0,$inp,$j,4));              # ap[num-1]
-       &mov    ($carry,"edx");
-       &mul    ($word);                                # ap[num-1]*ap[0]
-       &add    ("eax",$carry);
-        &mov   ($word,$_n0);
-       &adc    ("edx",0);
-        &mov   ($inp,$_np);
-       &lea    ($carry,&DWP(0,$sbit,"eax",2));
-        &imul  ($word,&DWP($frame,"esp"));             # n0*tp[0]
-       &shr    ("eax",31);
-       &mov    (&DWP($frame,"esp",$j,4),$carry);       # tp[num-1]=
-
-       &lea    ($carry,&DWP(0,"eax","edx",2));
-        &mov   ("eax",&DWP(0,$inp));                   # np[0]
-       &shr    ("edx",31);
-       &mov    (&DWP($frame+4,"esp",$j,4),$carry);     # tp[num]=
-       &mov    (&DWP($frame+8,"esp",$j,4),"edx");      # tp[num+1]=
-
-       &mul    ($word);                                # np[0]*m
-       &add    ("eax",&DWP($frame,"esp"));             # +=tp[0]
-       &mov    ($num,$j);
-       &adc    ("edx",0);
-       &mov    ("eax",&DWP(4,$inp));                   # np[1]
-       &mov    ($j,1);
-\f\f
-&set_label("3rdmadd",16);
-       &mov    ($carry,"edx");
-       &mul    ($word);                                # np[j]*m
-       &add    ($carry,&DWP($frame,"esp",$j,4));       # +=tp[j]
-       &adc    ("edx",0);
-       &add    ($carry,"eax");
-       &mov    ("eax",&DWP(4,$inp,$j,4));              # np[j+1]
-       &adc    ("edx",0);
-       &mov    (&DWP($frame-4,"esp",$j,4),$carry);     # tp[j-1]=
-
-       &mov    ($carry,"edx");
-       &mul    ($word);                                # np[j+1]*m
-       &add    ($carry,&DWP($frame+4,"esp",$j,4));     # +=tp[j+1]
-       &lea    ($j,&DWP(2,$j));
-       &adc    ("edx",0);
-       &add    ($carry,"eax");
-       &mov    ("eax",&DWP(0,$inp,$j,4));              # np[j+2]
-       &adc    ("edx",0);
-       &cmp    ($j,$num);
-       &mov    (&DWP($frame-8,"esp",$j,4),$carry);     # tp[j]=
-       &jl     (&label("3rdmadd"));
-
-       &mov    ($carry,"edx");
-       &mul    ($word);                                # np[j]*m
-       &add    ($carry,&DWP($frame,"esp",$num,4));     # +=tp[num-1]
-       &adc    ("edx",0);
-       &add    ($carry,"eax");
-       &adc    ("edx",0);
-       &mov    (&DWP($frame-4,"esp",$num,4),$carry);   # tp[num-2]=
-
-       &mov    ($j,$_bp);                              # i
-       &xor    ("eax","eax");
-       &mov    ($inp,$_ap);
-       &add    ("edx",&DWP($frame+4,"esp",$num,4));    # carry+=tp[num]
-       &adc    ("eax",&DWP($frame+8,"esp",$num,4));    # +=tp[num+1]
-       &mov    (&DWP($frame,"esp",$num,4),"edx");      # tp[num-1]=
-       &cmp    ($j,$num);
-       &mov    (&DWP($frame+4,"esp",$num,4),"eax");    # tp[num]=
-       &je     (&label("common_tail"));
-\f
-       &mov    ($word,&DWP(4,$inp,$j,4));              # ap[i]
-       &lea    ($j,&DWP(1,$j));
-       &mov    ("eax",$word);
-       &mov    ($_bp,$j);                              # ++i
-       &mul    ($word);                                # ap[i]*ap[i]
-       &add    ("eax",&DWP($frame,"esp",$j,4));        # +=tp[i]
-       &adc    ("edx",0);
-       &mov    (&DWP($frame,"esp",$j,4),"eax");        # tp[i]=
-       &xor    ($carry,$carry);
-       &cmp    ($j,$num);
-       &lea    ($j,&DWP(1,$j));
-       &je     (&label("sqrlast"));
-
-       &mov    ($sbit,"edx");                          # zaps $num
-       &shr    ("edx",1);
-       &and    ($sbit,1);
-&set_label("sqradd",16);
-       &mov    ("eax",&DWP(0,$inp,$j,4));              # ap[j]
-       &mov    ($carry,"edx");
-       &mul    ($word);                                # ap[j]*ap[i]
-       &add    ("eax",$carry);
-       &lea    ($carry,&DWP(0,"eax","eax"));
-       &adc    ("edx",0);
-       &shr    ("eax",31);
-       &add    ($carry,&DWP($frame,"esp",$j,4));       # +=tp[j]
-       &lea    ($j,&DWP(1,$j));
-       &adc    ("eax",0);
-       &add    ($carry,$sbit);
-       &adc    ("eax",0);
-       &cmp    ($j,$_num);
-       &mov    (&DWP($frame-4,"esp",$j,4),$carry);     # tp[j]=
-       &mov    ($sbit,"eax");
-       &jle    (&label("sqradd"));
-
-       &mov    ($carry,"edx");
-       &add    ("edx","edx");
-       &shr    ($carry,31);
-       &add    ("edx",$sbit);
-       &adc    ($carry,0);
-&set_label("sqrlast");
-       &mov    ($word,$_n0);
-       &mov    ($inp,$_np);
-       &imul   ($word,&DWP($frame,"esp"));             # n0*tp[0]
-
-       &add    ("edx",&DWP($frame,"esp",$j,4));        # +=tp[num]
-       &mov    ("eax",&DWP(0,$inp));                   # np[0]
-       &adc    ($carry,0);
-       &mov    (&DWP($frame,"esp",$j,4),"edx");        # tp[num]=
-       &mov    (&DWP($frame+4,"esp",$j,4),$carry);     # tp[num+1]=
-
-       &mul    ($word);                                # np[0]*m
-       &add    ("eax",&DWP($frame,"esp"));             # +=tp[0]
-       &lea    ($num,&DWP(-1,$j));
-       &adc    ("edx",0);
-       &mov    ($j,1);
-       &mov    ("eax",&DWP(4,$inp));                   # np[1]
-
-       &jmp    (&label("3rdmadd"));
-}
-\f
-&set_label("common_tail",16);
-       &mov    ($np,$_np);                     # load modulus pointer
-       &mov    ($rp,$_rp);                     # load result pointer
-       &lea    ($tp,&DWP($frame,"esp"));       # [$ap and $bp are zapped]
-
-       &mov    ("eax",&DWP(0,$tp));            # tp[0]
-       &mov    ($j,$num);                      # j=num-1
-       &xor    ($i,$i);                        # i=0 and clear CF!
-
-&set_label("sub",16);
-       &sbb    ("eax",&DWP(0,$np,$i,4));
-       &mov    (&DWP(0,$rp,$i,4),"eax");       # rp[i]=tp[i]-np[i]
-       &dec    ($j);                           # doesn't affect CF!
-       &mov    ("eax",&DWP(4,$tp,$i,4));       # tp[i+1]
-       &lea    ($i,&DWP(1,$i));                # i++
-       &jge    (&label("sub"));
-
-       &sbb    ("eax",0);                      # handle upmost overflow bit
-       &and    ($tp,"eax");
-       &not    ("eax");
-       &mov    ($np,$rp);
-       &and    ($np,"eax");
-       &or     ($tp,$np);                      # tp=carry?tp:rp
-
-&set_label("copy",16);                         # copy or in-place refresh
-       &mov    ("eax",&DWP(0,$tp,$num,4));
-       &mov    (&DWP(0,$rp,$num,4),"eax");     # rp[i]=tp[i]
-       &mov    (&DWP($frame,"esp",$num,4),$j); # zap temporary vector
-       &dec    ($num);
-       &jge    (&label("copy"));
-
-       &mov    ("esp",$_sp);           # pull saved stack pointer
-       &mov    ("eax",1);
-&set_label("just_leave");
-&function_end("bn_mul_mont");
-
-&asciz("Montgomery Multiplication for x86, CRYPTOGAMS by <appro\@openssl.org>");
-
-&asm_finish();
index 17fb94c..c8ae019 100755 (executable)
@@ -91,6 +91,20 @@ bn_mul_mont:
 
        mov     %r11,8(%rsp,$num,8)     # tp[num+1]=%rsp
 .Lmul_body:
+       # Some OSes, *cough*-dows, insist on stack being "wired" to
+       # physical memory in strictly sequential manner, i.e. if stack
+       # allocation spans two pages, then reference to farmost one can
+       # be punishable by SEGV. But page walking can do good even on
+       # other OSes, because it guarantees that villain thread hits
+       # the guard page before it can make damage to innocent one...
+       sub     %rsp,%r11
+       and     \$-4096,%r11
+.Lmul_page_walk:
+       mov     (%rsp,%r11),%r10
+       sub     \$4096,%r11
+       .byte   0x66,0x2e               # predict non-taken
+       jnc     .Lmul_page_walk
+
        mov     $bp,%r12                # reassign $bp
 ___
                $bp="%r12";
@@ -296,6 +310,14 @@ bn_mul4x_mont:
 
        mov     %r11,8(%rsp,$num,8)     # tp[num+1]=%rsp
 .Lmul4x_body:
+       sub     %rsp,%r11
+       and     \$-4096,%r11
+.Lmul4x_page_walk:
+       mov     (%rsp,%r11),%r10
+       sub     \$4096,%r11
+       .byte   0x2e                    # predict non-taken
+       jnc     .Lmul4x_page_walk
+
        mov     $rp,16(%rsp,$num,8)     # tp[num+2]=$rp
        mov     %rdx,%r12               # reassign $bp
 ___
@@ -707,6 +729,7 @@ $code.=<<___;
 .align 16
 bn_sqr4x_mont:
 .Lsqr4x_enter:
+       mov     %rsp,%rax
        push    %rbx
        push    %rbp
        push    %r12
@@ -715,12 +738,23 @@ bn_sqr4x_mont:
        push    %r15
 
        shl     \$3,${num}d             # convert $num to bytes
-       xor     %r10,%r10
        mov     %rsp,%r11               # put aside %rsp
-       sub     $num,%r10               # -$num
+       neg     $num                    # -$num
        mov     ($n0),$n0               # *n0
-       lea     -72(%rsp,%r10,2),%rsp   # alloca(frame+2*$num)
+       lea     -72(%rsp,$num,2),%rsp   # alloca(frame+2*$num)
        and     \$-1024,%rsp            # minimize TLB usage
+
+       sub     %rsp,%r11
+       and     \$-4096,%r11
+.Lsqr4x_page_walk:
+       mov     (%rsp,%r11),%r10
+       sub     \$4096,%r11
+       .byte   0x2e                    # predict non-taken
+       jnc     .Lsqr4x_page_walk
+
+       mov     $num,%r10
+       neg     $num                    # restore $num
+       lea     -48(%rax),%r11          # restore saved %rsp
        ##############################################################
        # Stack layout
        #
index 2359791..99243ae 100755 (executable)
@@ -84,6 +84,20 @@ bn_mul_mont_gather5:
 
        mov     %rax,8(%rsp,$num,8)     # tp[num+1]=%rsp
 .Lmul_body:
+       # Some OSes, *cough*-dows, insist on stack being "wired" to
+       # physical memory in strictly sequential manner, i.e. if stack
+       # allocation spans two pages, then reference to farmost one can
+       # be punishable by SEGV. But page walking can do good even on
+       # other OSes, because it guarantees that villain thread hits
+       # the guard page before it can make damage to innocent one...
+       sub     %rsp,%rax
+       and     \$-4096,%rax
+.Lmul_page_walk:
+       mov     (%rsp,%rax),%r11
+       sub     \$4096,%rax
+       .byte   0x2e                    # predict non-taken
+       jnc     .Lmul_page_walk
+
        lea     128($bp),%r12           # reassign $bp (+size optimization)
 ___
                $bp="%r12";
@@ -407,6 +421,14 @@ bn_mul4x_mont_gather5:
 
        mov     %rax,8(%rsp,$num,8)     # tp[num+1]=%rsp
 .Lmul4x_body:
+       sub     %rsp,%rax
+       and     \$-4096,%rax
+.Lmul4x_page_walk:
+       mov     (%rsp,%rax),%r11
+       sub     \$4096,%rax
+       .byte   0x2e                    # predict non-taken
+       jnc     .Lmul4x_page_walk
+
        mov     $rp,16(%rsp,$num,8)     # tp[num+2]=$rp
        lea     128(%rdx),%r12          # reassign $bp (+size optimization)
 ___
index 406c428..60a0734 100644 (file)
@@ -4,6 +4,10 @@
 
 # include <openssl/crypto.h>
 
+# ifdef OPENSSL_NO_COMP
+#  error COMP is disabled.
+# endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
index 2e202c8..32167b2 100644 (file)
@@ -200,8 +200,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
     }
 #endif
     if (ctx->digest != type) {
-        if (ctx->digest && ctx->digest->ctx_size)
+        if (ctx->digest && ctx->digest->ctx_size) {
             OPENSSL_free(ctx->md_data);
+            ctx->md_data = NULL;
+        }
         ctx->digest = type;
         if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) {
             ctx->update = type->update;
index d1f5928..1d598db 100644 (file)
@@ -59,6 +59,7 @@
 # include <openssl/aes.h>
 # include <openssl/sha.h>
 # include "evp_locl.h"
+# include "constant_time_locl.h"
 
 # ifndef EVP_CIPH_FLAG_AEAD_CIPHER
 #  define EVP_CIPH_FLAG_AEAD_CIPHER       0x200000
@@ -286,6 +287,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
             maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
             maxpad &= 255;
 
+            ret &= constant_time_ge(maxpad, pad);
+
             inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
             mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
             inp_len &= mask;
index c6abc4a..c6c775e 100644 (file)
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <limits.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 
@@ -151,13 +152,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
                       const unsigned char *in, int inl)
 {
     int i, j;
-    unsigned int total = 0;
+    size_t total = 0;
 
     *outl = 0;
     if (inl <= 0)
         return;
     OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
-    if ((ctx->num + inl) < ctx->length) {
+    if (ctx->length - ctx->num > inl) {
         memcpy(&(ctx->enc_data[ctx->num]), in, inl);
         ctx->num += inl;
         return;
@@ -174,7 +175,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
         *out = '\0';
         total = j + 1;
     }
-    while (inl >= ctx->length) {
+    while (inl >= ctx->length && total <= INT_MAX) {
         j = EVP_EncodeBlock(out, in, ctx->length);
         in += ctx->length;
         inl -= ctx->length;
@@ -183,6 +184,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
         *out = '\0';
         total += j + 1;
     }
+    if (total > INT_MAX) {
+        /* Too much output data! */
+        *outl = 0;
+        return;
+    }
     if (inl != 0)
         memcpy(&(ctx->enc_data[0]), in, inl);
     ctx->num = inl;
index 4e983c4..1831572 100644 (file)
@@ -334,7 +334,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
     bl = ctx->cipher->block_size;
     OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
     if (i != 0) {
-        if (i + inl < bl) {
+        if (bl - i > inl) {
             memcpy(&(ctx->buf[i]), in, inl);
             ctx->buf_len += inl;
             *outl = 0;
index 4ec6ff9..2f29323 100644 (file)
@@ -30,11 +30,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x1000113fL
+# define OPENSSL_VERSION_NUMBER  0x1000114fL
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1s-fips  1 Mar 2016"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1t-fips  3 May 2016"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1s  1 Mar 2016"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1t  3 May 2016"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
index 5507161..ab45a84 100644 (file)
@@ -344,7 +344,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
 
     if (enc != NULL) {
         objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc));
-        if (objstr == NULL) {
+        if (objstr == NULL || EVP_CIPHER_iv_length(enc) == 0) {
             PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, PEM_R_UNSUPPORTED_CIPHER);
             goto err;
         }
index 82d4527..6186446 100644 (file)
@@ -131,6 +131,10 @@ static int read_lebn(const unsigned char **in, unsigned int nbyte, BIGNUM **r)
 # define MS_PVKMAGIC             0xb0b5f11eL
 /* Salt length for PVK files */
 # define PVK_SALTLEN             0x10
+/* Maximum length in PVK header */
+# define PVK_MAX_KEYLEN          102400
+/* Maximum salt length */
+# define PVK_MAX_SALTLEN         10240
 
 static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length,
                          unsigned int bitlen, int ispub);
@@ -644,6 +648,9 @@ static int do_PVK_header(const unsigned char **in, unsigned int length,
     *psaltlen = read_ledword(&p);
     *pkeylen = read_ledword(&p);
 
+    if (*pkeylen > PVK_MAX_KEYLEN || *psaltlen > PVK_MAX_SALTLEN)
+        return 0;
+
     if (is_encrypted && !*psaltlen) {
         PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER);
         return 0;
index a491174..bd600de 100644 (file)
@@ -1281,6 +1281,7 @@ void ERR_load_X509_strings(void);
 # define X509_R_LOADING_CERT_DIR                          103
 # define X509_R_LOADING_DEFAULTS                          104
 # define X509_R_METHOD_NOT_SUPPORTED                      124
+# define X509_R_NAME_TOO_LONG                             134
 # define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY              105
 # define X509_R_PUBLIC_KEY_DECODE_ERROR                   125
 # define X509_R_PUBLIC_KEY_ENCODE_ERROR                   126
index 61a19f7..a2b8b7f 100644 (file)
@@ -145,6 +145,7 @@ static ERR_STRING_DATA X509_str_reasons[] = {
     {ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"},
     {ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"},
     {ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"},
+    {ERR_REASON(X509_R_NAME_TOO_LONG), "name too long"},
     {ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY),
      "no cert set for us to verify"},
     {ERR_REASON(X509_R_PUBLIC_KEY_DECODE_ERROR), "public key decode error"},
index d317f3a..3de3ac7 100644 (file)
 #include <openssl/x509.h>
 #include <openssl/buffer.h>
 
+/*
+ * Limit to ensure we don't overflow: much greater than
+ * anything enountered in practice.
+ */
+
+#define NAME_ONELINE_MAX    (1024 * 1024)
+
 char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
 {
     X509_NAME_ENTRY *ne;
@@ -86,6 +93,8 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
             goto err;
         b->data[0] = '\0';
         len = 200;
+    } else if (len == 0) {
+        return NULL;
     }
     if (a == NULL) {
         if (b) {
@@ -110,6 +119,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
 
         type = ne->value->type;
         num = ne->value->length;
+        if (num > NAME_ONELINE_MAX) {
+            X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
+            goto end;
+        }
         q = ne->value->data;
 #ifdef CHARSET_EBCDIC
         if (type == V_ASN1_GENERALSTRING ||
@@ -117,8 +130,9 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
             type == V_ASN1_PRINTABLESTRING ||
             type == V_ASN1_TELETEXSTRING ||
             type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
-            ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf)
-                         ? sizeof ebcdic_buf : num);
+            if (num > (int)sizeof(ebcdic_buf))
+                num = sizeof(ebcdic_buf);
+            ascii2ebcdic(ebcdic_buf, q, num);
             q = ebcdic_buf;
         }
 #endif
@@ -154,6 +168,10 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
 
         lold = l;
         l += 1 + l1 + 1 + l2;
+        if (l > NAME_ONELINE_MAX) {
+            X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG);
+            goto end;
+        }
         if (b != NULL) {
             if (!BUF_MEM_grow(b, l + 1))
                 goto err;
@@ -206,7 +224,7 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
     return (p);
  err:
     X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE);
-    if (b != NULL)
-        BUF_MEM_free(b);
+ end:
+    BUF_MEM_free(b);
     return (NULL);
 }
index aaa1867..19c3da6 100644 (file)
@@ -1579,6 +1579,8 @@ int dtls1_process_heartbeat(SSL *s)
          * plus 2 bytes payload length, plus payload, plus padding
          */
         buffer = OPENSSL_malloc(write_length);
+        if (buffer == NULL)
+            return -1;
         bp = buffer;
 
         /* Enter response type, length and copy payload */
index 82c1731..7bcb81a 100644 (file)
@@ -150,7 +150,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      SSL_RC4,
      SSL_MD5,
      SSL_SSLV2,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      0,
      128,
      128,
@@ -167,7 +167,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      SSL_RC4,
      SSL_MD5,
      SSL_SSLV2,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL2_CF_5_BYTE_ENC,
      40,
      128,
@@ -184,7 +184,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      SSL_RC2,
      SSL_MD5,
      SSL_SSLV2,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      0,
      128,
      128,
@@ -201,7 +201,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      SSL_RC2,
      SSL_MD5,
      SSL_SSLV2,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL2_CF_5_BYTE_ENC,
      40,
      128,
@@ -219,7 +219,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      SSL_IDEA,
      SSL_MD5,
      SSL_SSLV2,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      0,
      128,
      128,
@@ -237,7 +237,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      SSL_DES,
      SSL_MD5,
      SSL_SSLV2,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      0,
      56,
      56,
@@ -254,7 +254,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      SSL_3DES,
      SSL_MD5,
      SSL_SSLV2,
-     SSL_NOT_EXP | SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
      0,
      112,
      168,
@@ -271,7 +271,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_ciphers[] = {
      SSL_RC4,
      SSL_MD5,
      SSL_SSLV2,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL2_CF_8_BYTE_ENC,
      64,
      64,
index b312f17..73885b7 100644 (file)
@@ -57,7 +57,8 @@
  */
 
 #include "ssl_locl.h"
-#ifndef OPENSSL_NO_SSL2
+#ifndef OPENSSL_NO_SSL2_METHOD
+# ifndef OPENSSL_NO_SSL2
 # include <stdio.h>
 # include <openssl/objects.h>
 
@@ -72,7 +73,16 @@ static const SSL_METHOD *ssl2_get_method(int ver)
 
 IMPLEMENT_ssl2_meth_func(SSLv2_method,
                          ssl2_accept, ssl2_connect, ssl2_get_method)
-#else                           /* !OPENSSL_NO_SSL2 */
+
+# else /* !OPENSSL_NO_SSL2 */
+
+const SSL_METHOD *SSLv2_method(void) { return NULL; }
+const SSL_METHOD *SSLv2_client_method(void) { return NULL; }
+const SSL_METHOD *SSLv2_server_method(void) { return NULL; }
+
+# endif
+
+#else /* !OPENSSL_NO_SSL2_METHOD */
 
 # if PEDANTIC
 static void *dummy = &dummy;
index cfa5080..9e5875f 100644 (file)
@@ -2104,6 +2104,7 @@ int ssl3_get_certificate_request(SSL *s)
             SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
             goto err;
         }
+        xn = NULL;
 
         p += l;
         nc += l + 2;
@@ -2127,6 +2128,7 @@ int ssl3_get_certificate_request(SSL *s)
  err:
     s->state = SSL_ST_ERR;
  done:
+    X509_NAME_free(xn);
     if (ca_sk != NULL)
         sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
     return (ret);
index a48f2b6..35d6587 100644 (file)
@@ -213,7 +213,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      128,
@@ -263,7 +263,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC2,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      128,
@@ -299,7 +299,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      56,
@@ -317,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -352,7 +352,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      56,
@@ -370,7 +370,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -404,7 +404,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      56,
@@ -422,7 +422,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -457,7 +457,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      56,
@@ -475,7 +475,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -509,7 +509,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      56,
@@ -527,7 +527,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -561,7 +561,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      128,
@@ -578,7 +578,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -595,7 +595,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      128,
@@ -613,7 +613,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -630,7 +630,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_3DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      112,
      168,
@@ -700,7 +700,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -766,7 +766,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_NOT_EXP | SSL_LOW,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -832,7 +832,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      56,
@@ -850,7 +850,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC2,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      128,
@@ -868,7 +868,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      128,
@@ -886,7 +886,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      56,
@@ -904,7 +904,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC2,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      128,
@@ -922,7 +922,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_MD5,
      SSL_SSLV3,
-     SSL_EXPORT | SSL_EXP40,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      40,
      128,
@@ -1016,7 +1016,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES128,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -1111,7 +1111,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES256,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      256,
      256,
@@ -1307,7 +1307,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_CAMELLIA128,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -1327,7 +1327,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_MD5,
      SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      128,
@@ -1343,7 +1343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC2,
      SSL_MD5,
      SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      128,
@@ -1361,7 +1361,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -1379,7 +1379,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_DES,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      56,
@@ -1397,7 +1397,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      128,
@@ -1415,7 +1415,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_EXPORT | SSL_EXP56,
+     SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      56,
      128,
@@ -1530,7 +1530,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES128,
      SSL_SHA256,
      SSL_TLSV1_2,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -1546,7 +1546,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES256,
      SSL_SHA256,
      SSL_TLSV1_2,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      256,
      256,
@@ -1699,7 +1699,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_CAMELLIA256,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      256,
      256,
@@ -1865,7 +1865,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_SEED,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -2045,7 +2045,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES128GCM,
      SSL_AEAD,
      SSL_TLSV1_2,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
      128,
      128,
@@ -2061,7 +2061,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES256GCM,
      SSL_AEAD,
      SSL_TLSV1_2,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
      256,
      256,
@@ -2414,7 +2414,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_RC4,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_MEDIUM,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -2430,7 +2430,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_3DES,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      112,
      168,
@@ -2446,7 +2446,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES128,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      128,
      128,
@@ -2462,7 +2462,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[] = {
      SSL_AES256,
      SSL_SHA1,
      SSL_TLSV1,
-     SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
      SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
      256,
      256,
index 105047e..d6c475c 100644 (file)
@@ -334,7 +334,7 @@ extern "C" {
  * The following cipher list is used by default. It also is substituted when
  * an application-defined cipher list string starts with 'DEFAULT'.
  */
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
 /*
  * As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
  * starts with a reasonable order, and all we have to do for DEFAULT is
@@ -2017,7 +2017,7 @@ const char *SSL_get_version(const SSL *s);
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
 
-# ifndef OPENSSL_NO_SSL2
+# ifndef OPENSSL_NO_SSL2_METHOD
 const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
 const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
index cb559d9..56dd437 100644 (file)
@@ -235,8 +235,7 @@ static const SSL_CIPHER cipher_aliases[] = {
      * "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
      * ALL!)
      */
-    {0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2,
-     SSL_EXP_MASK, 0, 0, 0},
+    {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},
 
     /*
      * key exchange aliases (some of those using only a single bit here
@@ -1000,10 +999,6 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
                     cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl,
                     cp->algo_strength);
 #endif
-            if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
-                goto ok;
-            if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
-                goto ok;
             if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
                 continue;
             if (alg_auth && !(alg_auth & cp->algorithm_auth))
@@ -1020,10 +1015,11 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
             if ((algo_strength & SSL_STRONG_MASK)
                 && !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
                 continue;
+            if ((algo_strength & SSL_NOT_DEFAULT)
+                && !(cp->algo_strength & SSL_NOT_DEFAULT))
+                continue;
         }
 
-    ok:
-
 #ifdef CIPHER_DEBUG
         fprintf(stderr, "Action = %d\n", rule);
 #endif
@@ -1307,6 +1303,10 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                         ca_list[j]->algo_strength & SSL_STRONG_MASK;
             }
 
+            if (ca_list[j]->algo_strength & SSL_NOT_DEFAULT) {
+                algo_strength |= SSL_NOT_DEFAULT;
+            }
+
             if (ca_list[j]->valid) {
                 /*
                  * explicit ciphersuite found; its protocol version does not
index f5d9df6..d57b902 100644 (file)
 # define SSL_MEDIUM              0x00000040L
 # define SSL_HIGH                0x00000080L
 # define SSL_FIPS                0x00000100L
+# define SSL_NOT_DEFAULT         0x00000200L
 
-/* we have used 000001ff - 23 bits left to go */
+/* we have used 000003ff - 22 bits left to go */
 
 /*-
  * Macros to check the export status and cipher strength for export ciphers.
index 2e9b65b..0bdb77d 100644 (file)
@@ -2321,8 +2321,10 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
     p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
     eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
     sdec = OPENSSL_malloc(eticklen);
-    if (!sdec || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
+    if (sdec == NULL
+            || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
         EVP_CIPHER_CTX_cleanup(&ctx);
+        OPENSSL_free(sdec);
         return -1;
     }
     if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
@@ -2579,6 +2581,8 @@ int tls1_process_heartbeat(SSL *s)
          * plus 2 bytes payload length, plus payload, plus padding
          */
         buffer = OPENSSL_malloc(1 + 2 + payload + padding);
+        if (buffer == NULL)
+            return -1;
         bp = buffer;
 
         /* Enter response type, length and copy payload */