Date: Thu, 8 Jan 2015 22:40:40 +0000 (UTC) From: Jung-uk Kim <jkim@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r276856 - in vendor-crypto/openssl/dist: . apps crypto crypto/aes/asm crypto/asn1 crypto/bio crypto/bn crypto/bn/asm crypto/dsa crypto/dso crypto/ec crypto/ecdsa crypto/engine crypto/ev... Message-ID: <201501082240.t08Meerr046304@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jkim Date: Thu Jan 8 22:40:39 2015 New Revision: 276856 URL: https://svnweb.freebsd.org/changeset/base/276856 Log: Import OpenSSL 1.0.1k. Added: vendor-crypto/openssl/dist/util/mkbuildinf.pl (contents, props changed) Deleted: vendor-crypto/openssl/dist/crypto/bn/asm/mips3.s Modified: vendor-crypto/openssl/dist/CHANGES vendor-crypto/openssl/dist/Configure vendor-crypto/openssl/dist/FREEBSD-upgrade vendor-crypto/openssl/dist/Makefile vendor-crypto/openssl/dist/NEWS vendor-crypto/openssl/dist/README vendor-crypto/openssl/dist/apps/ca.c vendor-crypto/openssl/dist/apps/dgst.c vendor-crypto/openssl/dist/apps/ocsp.c vendor-crypto/openssl/dist/apps/openssl.c vendor-crypto/openssl/dist/apps/s_client.c vendor-crypto/openssl/dist/apps/s_server.c vendor-crypto/openssl/dist/apps/s_time.c vendor-crypto/openssl/dist/apps/speed.c vendor-crypto/openssl/dist/crypto/Makefile vendor-crypto/openssl/dist/crypto/aes/asm/aes-mips.pl vendor-crypto/openssl/dist/crypto/asn1/a_bitstr.c vendor-crypto/openssl/dist/crypto/asn1/a_type.c vendor-crypto/openssl/dist/crypto/asn1/a_verify.c vendor-crypto/openssl/dist/crypto/asn1/asn1.h vendor-crypto/openssl/dist/crypto/asn1/asn1_err.c vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c vendor-crypto/openssl/dist/crypto/asn1/x_algor.c vendor-crypto/openssl/dist/crypto/asn1/x_name.c vendor-crypto/openssl/dist/crypto/bio/bio.h vendor-crypto/openssl/dist/crypto/bio/bss_dgram.c vendor-crypto/openssl/dist/crypto/bn/asm/mips.pl vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c vendor-crypto/openssl/dist/crypto/bn/bn.h vendor-crypto/openssl/dist/crypto/bn/bn_asm.c vendor-crypto/openssl/dist/crypto/bn/bn_ctx.c vendor-crypto/openssl/dist/crypto/bn/bn_div.c vendor-crypto/openssl/dist/crypto/bn/bntest.c vendor-crypto/openssl/dist/crypto/constant_time_locl.h vendor-crypto/openssl/dist/crypto/cversion.c vendor-crypto/openssl/dist/crypto/dsa/dsa_asn1.c vendor-crypto/openssl/dist/crypto/dso/dso_dlfcn.c vendor-crypto/openssl/dist/crypto/ec/ec_lib.c vendor-crypto/openssl/dist/crypto/ec/ec_mult.c vendor-crypto/openssl/dist/crypto/ec/ec_pmeth.c vendor-crypto/openssl/dist/crypto/ec/ecp_nistp256.c vendor-crypto/openssl/dist/crypto/ec/ectest.c vendor-crypto/openssl/dist/crypto/ecdsa/Makefile vendor-crypto/openssl/dist/crypto/ecdsa/ecs_vrf.c vendor-crypto/openssl/dist/crypto/engine/eng_dyn.c vendor-crypto/openssl/dist/crypto/evp/Makefile vendor-crypto/openssl/dist/crypto/evp/e_des3.c vendor-crypto/openssl/dist/crypto/evp/evp_enc.c vendor-crypto/openssl/dist/crypto/md32_common.h vendor-crypto/openssl/dist/crypto/mem.c vendor-crypto/openssl/dist/crypto/objects/obj_xref.h vendor-crypto/openssl/dist/crypto/objects/objxref.pl vendor-crypto/openssl/dist/crypto/opensslv.h vendor-crypto/openssl/dist/crypto/sha/asm/sha1-mips.pl vendor-crypto/openssl/dist/crypto/sha/asm/sha512-mips.pl vendor-crypto/openssl/dist/crypto/ts/ts_rsp_sign.c vendor-crypto/openssl/dist/crypto/x509/x509.h vendor-crypto/openssl/dist/crypto/x509/x509_vpm.c vendor-crypto/openssl/dist/crypto/x509/x_all.c vendor-crypto/openssl/dist/doc/HOWTO/certificates.txt vendor-crypto/openssl/dist/doc/HOWTO/proxy_certificates.txt vendor-crypto/openssl/dist/doc/apps/dgst.pod vendor-crypto/openssl/dist/doc/apps/ocsp.pod vendor-crypto/openssl/dist/doc/crypto/EVP_EncryptInit.pod vendor-crypto/openssl/dist/doc/crypto/EVP_PKEY_encrypt.pod vendor-crypto/openssl/dist/doc/crypto/X509_NAME_add_entry_by_txt.pod vendor-crypto/openssl/dist/doc/crypto/X509_NAME_get_index_by_NID.pod vendor-crypto/openssl/dist/doc/ssl/SSL_CTX_set_mode.pod vendor-crypto/openssl/dist/doc/ssl/SSL_CTX_set_options.pod vendor-crypto/openssl/dist/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod vendor-crypto/openssl/dist/e_os.h vendor-crypto/openssl/dist/engines/e_padlock.c vendor-crypto/openssl/dist/ssl/d1_both.c vendor-crypto/openssl/dist/ssl/d1_clnt.c vendor-crypto/openssl/dist/ssl/d1_enc.c vendor-crypto/openssl/dist/ssl/d1_lib.c vendor-crypto/openssl/dist/ssl/d1_pkt.c vendor-crypto/openssl/dist/ssl/d1_srvr.c vendor-crypto/openssl/dist/ssl/dtls1.h vendor-crypto/openssl/dist/ssl/kssl.c vendor-crypto/openssl/dist/ssl/s23_srvr.c vendor-crypto/openssl/dist/ssl/s2_enc.c vendor-crypto/openssl/dist/ssl/s2_pkt.c vendor-crypto/openssl/dist/ssl/s2_srvr.c vendor-crypto/openssl/dist/ssl/s3_both.c vendor-crypto/openssl/dist/ssl/s3_clnt.c vendor-crypto/openssl/dist/ssl/s3_enc.c vendor-crypto/openssl/dist/ssl/s3_lib.c vendor-crypto/openssl/dist/ssl/s3_meth.c vendor-crypto/openssl/dist/ssl/s3_pkt.c vendor-crypto/openssl/dist/ssl/s3_srvr.c vendor-crypto/openssl/dist/ssl/srtp.h vendor-crypto/openssl/dist/ssl/ssl.h vendor-crypto/openssl/dist/ssl/ssl3.h vendor-crypto/openssl/dist/ssl/ssl_cert.c vendor-crypto/openssl/dist/ssl/ssl_ciph.c vendor-crypto/openssl/dist/ssl/ssl_lib.c vendor-crypto/openssl/dist/ssl/ssl_locl.h vendor-crypto/openssl/dist/ssl/ssl_sess.c vendor-crypto/openssl/dist/ssl/ssltest.c vendor-crypto/openssl/dist/ssl/t1_enc.c vendor-crypto/openssl/dist/ssl/t1_lib.c vendor-crypto/openssl/dist/util/libeay.num vendor-crypto/openssl/dist/util/mk1mf.pl vendor-crypto/openssl/dist/util/mkdef.pl vendor-crypto/openssl/dist/util/pl/netware.pl vendor-crypto/openssl/dist/util/ssleay.num Modified: vendor-crypto/openssl/dist/CHANGES ============================================================================== --- vendor-crypto/openssl/dist/CHANGES Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/CHANGES Thu Jan 8 22:40:39 2015 (r276856) @@ -2,6 +2,136 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1j and 1.0.1k [8 Jan 2015] + + *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS + message can cause a segmentation fault in OpenSSL due to a NULL pointer + dereference. This could lead to a Denial Of Service attack. Thanks to + Markus Stenberg of Cisco Systems, Inc. for reporting this issue. + (CVE-2014-3571) + [Steve Henson] + + *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the + dtls1_buffer_record function under certain conditions. In particular this + could occur if an attacker sent repeated DTLS records with the same + sequence number but for the next epoch. The memory leak could be exploited + by an attacker in a Denial of Service attack through memory exhaustion. + Thanks to Chris Mueller for reporting this issue. + (CVE-2015-0206) + [Matt Caswell] + + *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is + built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl + method would be set to NULL which could later result in a NULL pointer + dereference. Thanks to Frank Schmirler for reporting this issue. + (CVE-2014-3569) + [Kurt Roeckx] + + *) Abort handshake if server key exchange message is omitted for ephemeral + ECDH ciphersuites. + + Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for + reporting this issue. + (CVE-2014-3572) + [Steve Henson] + + *) Remove non-export ephemeral RSA code on client and server. This code + violated the TLS standard by allowing the use of temporary RSA keys in + non-export ciphersuites and could be used by a server to effectively + downgrade the RSA key length used to a value smaller than the server + certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at + INRIA or reporting this issue. + (CVE-2015-0204) + [Steve Henson] + + *) Fixed issue where DH client certificates are accepted without verification. + An OpenSSL server will accept a DH certificate for client authentication + without the certificate verify message. This effectively allows a client to + authenticate without the use of a private key. This only affects servers + which trust a client certificate authority which issues certificates + containing DH keys: these are extremely rare and hardly ever encountered. + Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting + this issue. + (CVE-2015-0205) + [Steve Henson] + + *) Ensure that the session ID context of an SSL is updated when its + SSL_CTX is updated via SSL_set_SSL_CTX. + + The session ID context is typically set from the parent SSL_CTX, + and can vary with the CTX. + [Adam Langley] + + *) Fix various certificate fingerprint issues. + + By using non-DER or invalid encodings outside the signed portion of a + certificate the fingerprint can be changed without breaking the signature. + Although no details of the signed portion of the certificate can be changed + this can cause problems with some applications: e.g. those using the + certificate fingerprint for blacklists. + + 1. Reject signatures with non zero unused bits. + + If the BIT STRING containing the signature has non zero unused bits reject + the signature. All current signature algorithms require zero unused bits. + + 2. Check certificate algorithm consistency. + + Check the AlgorithmIdentifier inside TBS matches the one in the + certificate signature. NB: this will result in signature failure + errors for some broken certificates. + + Thanks to Konrad Kraszewski from Google for reporting this issue. + + 3. Check DSA/ECDSA signatures use DER. + + Reencode DSA/ECDSA signatures and compare with the original received + signature. Return an error if there is a mismatch. + + This will reject various cases including garbage after signature + (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS + program for discovering this case) and use of BER or invalid ASN.1 INTEGERs + (negative or with leading zeroes). + + Further analysis was conducted and fixes were developed by Stephen Henson + of the OpenSSL core team. + + (CVE-2014-8275) + [Steve Henson] + + *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect + results on some platforms, including x86_64. This bug occurs at random + with a very low probability, and is not known to be exploitable in any + way, though its exact impact is difficult to determine. Thanks to Pieter + Wuille (Blockstream) who reported this issue and also suggested an initial + fix. Further analysis was conducted by the OpenSSL development team and + Adam Langley of Google. The final fix was developed by Andy Polyakov of + the OpenSSL core team. + (CVE-2014-3570) + [Andy Polyakov] + + *) Do not resume sessions on the server if the negotiated protocol + version does not match the session's version. Resuming with a different + version, while not strictly forbidden by the RFC, is of questionable + sanity and breaks all known clients. + [David Benjamin, Emilia Käsper] + + *) Tighten handling of the ChangeCipherSpec (CCS) message: reject + early CCS messages during renegotiation. (Note that because + renegotiation is encrypted, this early CCS was not exploitable.) + [Emilia Käsper] + + *) Tighten client-side session ticket handling during renegotiation: + ensure that the client only accepts a session ticket if the server sends + the extension anew in the ServerHello. Previously, a TLS client would + reuse the old extension state and thus accept a session ticket if one was + announced in the initial ServerHello. + + Similarly, ensure that the client requires a session ticket if one + was advertised in the ServerHello. Previously, a TLS client would + ignore a missing NewSessionTicket message. + [Emilia Käsper] + Changes between 1.0.1i and 1.0.1j [15 Oct 2014] *) SRTP Memory Leak. Modified: vendor-crypto/openssl/dist/Configure ============================================================================== --- vendor-crypto/openssl/dist/Configure Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/Configure Thu Jan 8 22:40:39 2015 (r276856) @@ -804,6 +804,11 @@ PROCESS_ARGS: { $disabled{"tls1"} = "option(tls)" } + elsif ($1 eq "ssl3-method") + { + $disabled{"ssl3-method"} = "option(ssl)"; + $disabled{"ssl3"} = "option(ssl)"; + } else { $disabled{$1} = "option"; Modified: vendor-crypto/openssl/dist/FREEBSD-upgrade ============================================================================== --- vendor-crypto/openssl/dist/FREEBSD-upgrade Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/FREEBSD-upgrade Thu Jan 8 22:40:39 2015 (r276856) @@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/Subv # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://svn.freebsd.org/base" -setenv OSSLVER 1.0.1j -# OSSLTAG format: v1_0_1j +setenv OSSLVER 1.0.1k +# OSSLTAG format: v1_0_1k ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` Modified: vendor-crypto/openssl/dist/Makefile ============================================================================== --- vendor-crypto/openssl/dist/Makefile Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/Makefile Thu Jan 8 22:40:39 2015 (r276856) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.1j +VERSION=1.0.1k MAJOR=1 MINOR=0.1 SHLIB_VERSION_NUMBER=1.0.0 Modified: vendor-crypto/openssl/dist/NEWS ============================================================================== --- vendor-crypto/openssl/dist/NEWS Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/NEWS Thu Jan 8 22:40:39 2015 (r276856) @@ -5,6 +5,17 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015] + + o Fix for CVE-2014-3571 + o Fix for CVE-2015-0206 + o Fix for CVE-2014-3569 + o Fix for CVE-2014-3572 + o Fix for CVE-2015-0204 + o Fix for CVE-2015-0205 + o Fix for CVE-2014-8275 + o Fix for CVE-2014-3570 + Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014] o Fix for CVE-2014-3513 Modified: vendor-crypto/openssl/dist/README ============================================================================== --- vendor-crypto/openssl/dist/README Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/README Thu Jan 8 22:40:39 2015 (r276856) @@ -1,5 +1,5 @@ - OpenSSL 1.0.1j 15 Oct 2014 + OpenSSL 1.0.1k 8 Jan 2015 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: vendor-crypto/openssl/dist/apps/ca.c ============================================================================== --- vendor-crypto/openssl/dist/apps/ca.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/apps/ca.c Thu Jan 8 22:40:39 2015 (r276856) @@ -703,7 +703,7 @@ bad: ERR_clear_error(); #ifdef RL_DEBUG if (!p) - BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p); + BIO_printf(bio_err, "DEBUG: unique_subject undefined\n"); #endif #ifdef RL_DEBUG BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n", Modified: vendor-crypto/openssl/dist/apps/dgst.c ============================================================================== --- vendor-crypto/openssl/dist/apps/dgst.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/apps/dgst.c Thu Jan 8 22:40:39 2015 (r276856) @@ -273,6 +273,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,"-d to output debug info\n"); BIO_printf(bio_err,"-hex output as hex dump\n"); BIO_printf(bio_err,"-binary output in binary form\n"); + BIO_printf(bio_err,"-hmac arg set the HMAC key to arg\n"); + BIO_printf(bio_err,"-non-fips-allow allow use of non FIPS digest\n"); BIO_printf(bio_err,"-sign file sign digest using private key in file\n"); BIO_printf(bio_err,"-verify file verify a signature using public key in file\n"); BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n"); Modified: vendor-crypto/openssl/dist/apps/ocsp.c ============================================================================== --- vendor-crypto/openssl/dist/apps/ocsp.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/apps/ocsp.c Thu Jan 8 22:40:39 2015 (r276856) @@ -583,51 +583,52 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "OCSP utility\n"); BIO_printf (bio_err, "Usage ocsp [options]\n"); BIO_printf (bio_err, "where options are\n"); - BIO_printf (bio_err, "-out file output filename\n"); - BIO_printf (bio_err, "-issuer file issuer certificate\n"); - BIO_printf (bio_err, "-cert file certificate to check\n"); - BIO_printf (bio_err, "-serial n serial number to check\n"); - BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n"); - BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n"); - BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n"); - BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n"); - BIO_printf (bio_err, "-req_text print text form of request\n"); - BIO_printf (bio_err, "-resp_text print text form of response\n"); - BIO_printf (bio_err, "-text print text form of request and response\n"); - BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n"); - BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n"); - BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n"); - BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n"); - BIO_printf (bio_err, "-nonce add OCSP nonce to request\n"); - BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n"); - BIO_printf (bio_err, "-url URL OCSP responder URL\n"); - BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n"); - BIO_printf (bio_err, "-path path to use in OCSP request\n"); - BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); - BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); - BIO_printf (bio_err, "-VAfile file validator certificates file\n"); - BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); - BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); - BIO_printf (bio_err, "-noverify don't verify response at all\n"); - BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n"); - BIO_printf (bio_err, "-trust_other don't verify additional certificates\n"); - BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n"); + BIO_printf (bio_err, "-out file output filename\n"); + BIO_printf (bio_err, "-issuer file issuer certificate\n"); + BIO_printf (bio_err, "-cert file certificate to check\n"); + BIO_printf (bio_err, "-serial n serial number to check\n"); + BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n"); + BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n"); + BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n"); + BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n"); + BIO_printf (bio_err, "-req_text print text form of request\n"); + BIO_printf (bio_err, "-resp_text print text form of response\n"); + BIO_printf (bio_err, "-text print text form of request and response\n"); + BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n"); + BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n"); + BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n"); + BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n"); + BIO_printf (bio_err, "-nonce add OCSP nonce to request\n"); + BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n"); + BIO_printf (bio_err, "-url URL OCSP responder URL\n"); + BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n"); + BIO_printf (bio_err, "-path path to use in OCSP request\n"); + BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); + BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); + BIO_printf (bio_err, "-VAfile file validator certificates file\n"); + BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); + BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); + BIO_printf (bio_err, "-noverify don't verify response at all\n"); + BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n"); + BIO_printf (bio_err, "-trust_other don't verify additional certificates\n"); + BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n"); BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n"); - BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n"); - BIO_printf (bio_err, "-no_chain don't chain verify response\n"); - BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n"); - BIO_printf (bio_err, "-port num port to run responder on\n"); - BIO_printf (bio_err, "-index file certificate status index file\n"); - BIO_printf (bio_err, "-CA file CA certificate\n"); - BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n"); - BIO_printf (bio_err, "-rkey file responder key to sign responses with\n"); - BIO_printf (bio_err, "-rother file other certificates to include in response\n"); - BIO_printf (bio_err, "-resp_no_certs don't include any certificates in response\n"); - BIO_printf (bio_err, "-nmin n number of minutes before next update\n"); - BIO_printf (bio_err, "-ndays n number of days before next update\n"); - BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n"); - BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n"); - BIO_printf (bio_err, "-<dgst alg> use specified digest in the request\n"); + BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n"); + BIO_printf (bio_err, "-no_chain don't chain verify response\n"); + BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n"); + BIO_printf (bio_err, "-port num port to run responder on\n"); + BIO_printf (bio_err, "-index file certificate status index file\n"); + BIO_printf (bio_err, "-CA file CA certificate\n"); + BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n"); + BIO_printf (bio_err, "-rkey file responder key to sign responses with\n"); + BIO_printf (bio_err, "-rother file other certificates to include in response\n"); + BIO_printf (bio_err, "-resp_no_certs don't include any certificates in response\n"); + BIO_printf (bio_err, "-nmin n number of minutes before next update\n"); + BIO_printf (bio_err, "-ndays n number of days before next update\n"); + BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n"); + BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n"); + BIO_printf (bio_err, "-<dgst alg> use specified digest in the request\n"); + BIO_printf (bio_err, "-timeout n timeout connection to OCSP responder after n seconds\n"); goto end; } @@ -1398,16 +1399,7 @@ OCSP_RESPONSE *process_responder(BIO *er if (use_ssl == 1) { BIO *sbio; -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) ctx = SSL_CTX_new(SSLv23_client_method()); -#elif !defined(OPENSSL_NO_SSL3) - ctx = SSL_CTX_new(SSLv3_client_method()); -#elif !defined(OPENSSL_NO_SSL2) - ctx = SSL_CTX_new(SSLv2_client_method()); -#else - BIO_printf(err, "SSL is disabled\n"); - goto end; -#endif if (ctx == NULL) { BIO_printf(err, "Error creating SSL context.\n"); Modified: vendor-crypto/openssl/dist/apps/openssl.c ============================================================================== --- vendor-crypto/openssl/dist/apps/openssl.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/apps/openssl.c Thu Jan 8 22:40:39 2015 (r276856) @@ -435,9 +435,7 @@ end: if (prog != NULL) lh_FUNCTION_free(prog); if (arg.data != NULL) OPENSSL_free(arg.data); - apps_shutdown(); - CRYPTO_mem_leaks(bio_err); if (bio_err != NULL) { BIO_free(bio_err); @@ -450,6 +448,9 @@ end: OPENSSL_free(Argv); } #endif + apps_shutdown(); + CRYPTO_mem_leaks(bio_err); + OPENSSL_EXIT(ret); } Modified: vendor-crypto/openssl/dist/apps/s_client.c ============================================================================== --- vendor-crypto/openssl/dist/apps/s_client.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/apps/s_client.c Thu Jan 8 22:40:39 2015 (r276856) @@ -329,10 +329,12 @@ static void sc_usage(void) BIO_printf(bio_err," -srppass arg - password for 'user'\n"); BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n"); BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n"); - BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N); + BIO_printf(bio_err," -srp_strength int - minimal length in bits for N (default %d).\n",SRP_MINIMAL_N); #endif BIO_printf(bio_err," -ssl2 - just use SSLv2\n"); +#ifndef OPENSSL_NO_SSL3_METHOD BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); +#endif BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n"); BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); @@ -807,7 +809,7 @@ int MAIN(int argc, char **argv) else if (strcmp(*argv,"-ssl2") == 0) meth=SSLv2_client_method(); #endif -#ifndef OPENSSL_NO_SSL3 +#ifndef OPENSSL_NO_SSL3_METHOD else if (strcmp(*argv,"-ssl3") == 0) meth=SSLv3_client_method(); #endif @@ -1319,10 +1321,22 @@ re_start: BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } - if (socket_mtu > 28) + if (socket_mtu) { + if(socket_mtu < DTLS_get_link_min_mtu(con)) + { + BIO_printf(bio_err,"MTU too small. Must be at least %ld\n", + DTLS_get_link_min_mtu(con)); + BIO_free(sbio); + goto shut; + } SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, socket_mtu - 28); + if(!DTLS_set_link_mtu(con, socket_mtu)) + { + BIO_printf(bio_err, "Failed to set MTU\n"); + BIO_free(sbio); + goto shut; + } } else /* want to do MTU discovery */ Modified: vendor-crypto/openssl/dist/apps/s_server.c ============================================================================== --- vendor-crypto/openssl/dist/apps/s_server.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/apps/s_server.c Thu Jan 8 22:40:39 2015 (r276856) @@ -515,7 +515,9 @@ static void sv_usage(void) BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n"); #endif BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); +#ifndef OPENSSL_NO_SSL3_METHOD BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); +#endif BIO_printf(bio_err," -tls1_2 - Just talk TLSv1.2\n"); BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); @@ -1251,7 +1253,7 @@ int MAIN(int argc, char *argv[]) else if (strcmp(*argv,"-ssl2") == 0) { meth=SSLv2_server_method(); } #endif -#ifndef OPENSSL_NO_SSL3 +#ifndef OPENSSL_NO_SSL3_METHOD else if (strcmp(*argv,"-ssl3") == 0) { meth=SSLv3_server_method(); } #endif @@ -2049,10 +2051,24 @@ static int sv_body(char *hostname, int s BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } - if (socket_mtu > 28) + if (socket_mtu) { + if(socket_mtu < DTLS_get_link_min_mtu(con)) + { + BIO_printf(bio_err,"MTU too small. Must be at least %ld\n", + DTLS_get_link_min_mtu(con)); + ret = -1; + BIO_free(sbio); + goto err; + } SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, socket_mtu - 28); + if(!DTLS_set_link_mtu(con, socket_mtu)) + { + BIO_printf(bio_err, "Failed to set MTU\n"); + ret = -1; + BIO_free(sbio); + goto err; + } } else /* want to do MTU discovery */ Modified: vendor-crypto/openssl/dist/apps/s_time.c ============================================================================== --- vendor-crypto/openssl/dist/apps/s_time.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/apps/s_time.c Thu Jan 8 22:40:39 2015 (r276856) @@ -349,13 +349,7 @@ int MAIN(int argc, char **argv) if (bio_err == NULL) bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) s_time_meth=SSLv23_client_method(); -#elif !defined(OPENSSL_NO_SSL3) - s_time_meth=SSLv3_client_method(); -#elif !defined(OPENSSL_NO_SSL2) - s_time_meth=SSLv2_client_method(); -#endif /* parse the command line arguments */ if( parseArgs( argc, argv ) < 0 ) Modified: vendor-crypto/openssl/dist/apps/speed.c ============================================================================== --- vendor-crypto/openssl/dist/apps/speed.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/apps/speed.c Thu Jan 8 22:40:39 2015 (r276856) @@ -225,7 +225,7 @@ #undef BUFSIZE #define BUFSIZE ((long)1024*8+1) -int run=0; +static volatile int run=0; static int mr=0; static int usertime=1; @@ -2739,27 +2739,6 @@ static int do_multi(int multi) else rsa_results[k][1]=d; } - else if(!strncmp(buf,"+F2:",4)) - { - int k; - double d; - - p=buf+4; - k=atoi(sstrsep(&p,sep)); - sstrsep(&p,sep); - - d=atof(sstrsep(&p,sep)); - if(n) - rsa_results[k][0]=1/(1/rsa_results[k][0]+1/d); - else - rsa_results[k][0]=d; - - d=atof(sstrsep(&p,sep)); - if(n) - rsa_results[k][1]=1/(1/rsa_results[k][1]+1/d); - else - rsa_results[k][1]=d; - } #ifndef OPENSSL_NO_DSA else if(!strncmp(buf,"+F3:",4)) { Modified: vendor-crypto/openssl/dist/crypto/Makefile ============================================================================== --- vendor-crypto/openssl/dist/crypto/Makefile Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/crypto/Makefile Thu Jan 8 22:40:39 2015 (r276856) @@ -55,12 +55,7 @@ top: all: shared buildinf.h: ../Makefile - ( echo "#ifndef MK1MF_BUILD"; \ - echo ' /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \ - echo ' #define CFLAGS "$(CC) $(CFLAG)"'; \ - echo ' #define PLATFORM "$(PLATFORM)"'; \ - echo " #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \ - echo '#endif' ) >buildinf.h + $(PERL) $(TOP)/util/mkbuildinf.pl "$(CFLAGS)" "$(PLATFORM)" >buildinf.h x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl $(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@ Modified: vendor-crypto/openssl/dist/crypto/aes/asm/aes-mips.pl ============================================================================== --- vendor-crypto/openssl/dist/crypto/aes/asm/aes-mips.pl Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/crypto/aes/asm/aes-mips.pl Thu Jan 8 22:40:39 2015 (r276856) @@ -70,7 +70,7 @@ $pf = ($flavour =~ /nubi/i) ? $t0 : $t2; # ###################################################################### -$big_endian=(`echo MIPSEL | $ENV{CC} -E -P -`=~/MIPSEL/)?1:0; +$big_endian=(`echo MIPSEL | $ENV{CC} -E -`=~/MIPSEL/)?1:0 if ($ENV{CC}); for (@ARGV) { $output=$_ if (/^\w[\w\-]*\.\w+$/); } open STDOUT,">$output"; Modified: vendor-crypto/openssl/dist/crypto/asn1/a_bitstr.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/a_bitstr.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/crypto/asn1/a_bitstr.c Thu Jan 8 22:40:39 2015 (r276856) @@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN p= *pp; i= *(p++); + if (i > 7) + { + i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT; + goto err; + } /* We do this to preserve the settings. If we modify * the settings, via the _set_bit function, we will recalculate * on output */ ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */ - ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */ + ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */ if (len-- > 1) /* using one because of the bits left byte */ { Modified: vendor-crypto/openssl/dist/crypto/asn1/a_type.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/a_type.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/crypto/asn1/a_type.c Thu Jan 8 22:40:39 2015 (r276856) @@ -113,7 +113,7 @@ IMPLEMENT_STACK_OF(ASN1_TYPE) IMPLEMENT_ASN1_SET_OF(ASN1_TYPE) /* Returns 0 if they are equal, != 0 otherwise. */ -int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b) +int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b) { int result = -1; Modified: vendor-crypto/openssl/dist/crypto/asn1/a_verify.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/a_verify.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/crypto/asn1/a_verify.c Thu Jan 8 22:40:39 2015 (r276856) @@ -90,6 +90,12 @@ int ASN1_verify(i2d_of_void *i2d, X509_A ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM); goto err; } + + if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7) + { + ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT); + goto err; + } inl=i2d(data,NULL); buf_in=OPENSSL_malloc((unsigned int)inl); @@ -146,6 +152,12 @@ int ASN1_item_verify(const ASN1_ITEM *it return -1; } + if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7) + { + ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT); + return -1; + } + EVP_MD_CTX_init(&ctx); /* Convert signature OID into digest and public key OIDs */ Modified: vendor-crypto/openssl/dist/crypto/asn1/asn1.h ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/asn1.h Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/crypto/asn1/asn1.h Thu Jan 8 22:40:39 2015 (r276856) @@ -776,7 +776,7 @@ DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE, int ASN1_TYPE_get(ASN1_TYPE *a); void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value); int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value); -int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b); +int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b); ASN1_OBJECT * ASN1_OBJECT_new(void ); void ASN1_OBJECT_free(ASN1_OBJECT *a); @@ -1329,6 +1329,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_ILLEGAL_TIME_VALUE 184 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT 185 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 128 +#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 220 #define ASN1_R_INVALID_BMPSTRING_LENGTH 129 #define ASN1_R_INVALID_DIGIT 130 #define ASN1_R_INVALID_MIME_TYPE 205 @@ -1378,6 +1379,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_TIME_NOT_ASCII_FORMAT 193 #define ASN1_R_TOO_LONG 155 #define ASN1_R_TYPE_NOT_CONSTRUCTED 156 +#define ASN1_R_TYPE_NOT_PRIMITIVE 218 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 Modified: vendor-crypto/openssl/dist/crypto/asn1/asn1_err.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/asn1_err.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/crypto/asn1/asn1_err.c Thu Jan 8 22:40:39 2015 (r276856) @@ -1,6 +1,6 @@ /* crypto/asn1/asn1_err.c */ /* ==================================================================== - * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -246,6 +246,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE) ,"illegal time value"}, {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"}, {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"}, +{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"}, {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"}, {ERR_REASON(ASN1_R_INVALID_DIGIT) ,"invalid digit"}, {ERR_REASON(ASN1_R_INVALID_MIME_TYPE) ,"invalid mime type"}, @@ -295,6 +296,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ {ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT),"time not ascii format"}, {ERR_REASON(ASN1_R_TOO_LONG) ,"too long"}, {ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"}, +{ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE) ,"type not primitive"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, Modified: vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c Thu Jan 8 22:40:39 2015 (r276856) @@ -870,6 +870,14 @@ static int asn1_d2i_ex_primitive(ASN1_VA } else if (cst) { + if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN + || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER + || utype == V_ASN1_ENUMERATED) + { + ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, + ASN1_R_TYPE_NOT_PRIMITIVE); + return 0; + } buf.length = 0; buf.max = 0; buf.data = NULL; Modified: vendor-crypto/openssl/dist/crypto/asn1/x_algor.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/x_algor.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/crypto/asn1/x_algor.c Thu Jan 8 22:40:39 2015 (r276856) @@ -142,3 +142,14 @@ void X509_ALGOR_set_md(X509_ALGOR *alg, X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL); } + +int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b) + { + int rv; + rv = OBJ_cmp(a->algorithm, b->algorithm); + if (rv) + return rv; + if (!a->parameter && !b->parameter) + return 0; + return ASN1_TYPE_cmp(a->parameter, b->parameter); + } Modified: vendor-crypto/openssl/dist/crypto/asn1/x_name.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/x_name.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/crypto/asn1/x_name.c Thu Jan 8 22:40:39 2015 (r276856) @@ -350,6 +350,8 @@ static int x509_name_canon(X509_NAME *a) set = entry->set; } tmpentry = X509_NAME_ENTRY_new(); + if (!tmpentry) + goto err; tmpentry->object = OBJ_dup(entry->object); if (!asn1_string_canon(tmpentry->value, entry->value)) goto err; Modified: vendor-crypto/openssl/dist/crypto/bio/bio.h ============================================================================== --- vendor-crypto/openssl/dist/crypto/bio/bio.h Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/crypto/bio/bio.h Thu Jan 8 22:40:39 2015 (r276856) @@ -175,6 +175,8 @@ extern "C" { #define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT 45 /* Next DTLS handshake timeout to * adjust socket timeouts */ +#define BIO_CTRL_DGRAM_GET_MTU_OVERHEAD 49 + #ifndef OPENSSL_NO_SCTP /* SCTP stuff */ #define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE 50 @@ -607,6 +609,8 @@ int BIO_ctrl_reset_read_request(BIO *b); (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)peer) #define BIO_dgram_set_peer(b,peer) \ (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)peer) +#define BIO_dgram_get_mtu_overhead(b) \ + (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU_OVERHEAD, 0, NULL) /* These two aren't currently implemented */ /* int BIO_get_ex_num(BIO *bio); */ Modified: vendor-crypto/openssl/dist/crypto/bio/bss_dgram.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/bio/bss_dgram.c Thu Jan 8 21:46:28 2015 (r276855) +++ vendor-crypto/openssl/dist/crypto/bio/bss_dgram.c Thu Jan 8 22:40:39 2015 (r276856) @@ -454,6 +454,36 @@ static int dgram_write(BIO *b, const cha return(ret); } +static long dgram_get_mtu_overhead(bio_dgram_data *data) + { + long ret; + + switch (data->peer.sa.sa_family) + { + case AF_INET: + /* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */ + ret = 28; + break; +#if OPENSSL_USE_IPV6 + case AF_INET6: +#ifdef IN6_IS_ADDR_V4MAPPED + if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr)) + /* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */ + ret = 28; + else +#endif + /* Assume this is UDP - 40 bytes for IP, 8 bytes for UDP */ + ret = 48; + break; +#endif + default: + /* We don't know. Go with the historical default */ + ret = 28; + break; + } + return ret; + } + static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) { long ret=1; @@ -630,23 +660,24 @@ static long dgram_ctrl(BIO *b, int cmd, #endif break; case BIO_CTRL_DGRAM_GET_FALLBACK_MTU: + ret = -dgram_get_mtu_overhead(data); switch (data->peer.sa.sa_family) { case AF_INET: - ret = 576 - 20 - 8; + ret += 576; break; #if OPENSSL_USE_IPV6 case AF_INET6: #ifdef IN6_IS_ADDR_V4MAPPED if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr)) - ret = 576 - 20 - 8; + ret += 576; else #endif - ret = 1280 - 40 - 8; + ret += 1280; break; #endif default: - ret = 576 - 20 - 8; + ret += 576; break; } break; @@ -847,6 +878,9 @@ static long dgram_ctrl(BIO *b, int cmd, ret = 0; break; #endif + case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD: + ret = dgram_get_mtu_overhead(data); + break; default: ret=0; break; @@ -893,10 +927,18 @@ BIO *BIO_new_dgram_sctp(int fd, int clos /* Activate SCTP-AUTH for DATA and FORWARD-TSN chunks */ auth.sauth_chunk = OPENSSL_SCTP_DATA_CHUNK_TYPE; ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk)); - OPENSSL_assert(ret >= 0); + if (ret < 0) + { + BIO_vfree(bio); + return(NULL); + } auth.sauth_chunk = OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE; ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk)); - OPENSSL_assert(ret >= 0); + if (ret < 0) + { + BIO_vfree(bio); + return(NULL); + } /* Test if activation was successful. When using accept(), * SCTP-AUTH has to be activated for the listening socket @@ -905,7 +947,13 @@ BIO *BIO_new_dgram_sctp(int fd, int clos authchunks = OPENSSL_malloc(sockopt_len); memset(authchunks, 0, sizeof(sockopt_len)); ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len); - OPENSSL_assert(ret >= 0); + + if (ret < 0) + { + OPENSSL_free(authchunks); + BIO_vfree(bio); + return(NULL); + } for (p = (unsigned char*) authchunks->gauth_chunks; p < (unsigned char*) authchunks + sockopt_len; @@ -927,16 +975,28 @@ BIO *BIO_new_dgram_sctp(int fd, int clos event.se_type = SCTP_AUTHENTICATION_EVENT; event.se_on = 1; ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event)); - OPENSSL_assert(ret >= 0); + if (ret < 0) + { + BIO_vfree(bio); + return(NULL); + } #else sockopt_len = (socklen_t) sizeof(struct sctp_event_subscribe); ret = getsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, &sockopt_len); - OPENSSL_assert(ret >= 0); + if (ret < 0) + { + BIO_vfree(bio); + return(NULL); + } event.sctp_authentication_event = 1; ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe)); - OPENSSL_assert(ret >= 0); + if (ret < 0) + { + BIO_vfree(bio); + return(NULL); + } #endif #endif @@ -944,7 +1004,11 @@ BIO *BIO_new_dgram_sctp(int fd, int clos * larger than the max record size of 2^14 + 2048 + 13 */ ret = setsockopt(fd, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT, &optval, sizeof(optval)); - OPENSSL_assert(ret >= 0); + if (ret < 0) + { + BIO_vfree(bio); + return(NULL); + } return(bio); } @@ -982,7 +1046,12 @@ static int dgram_sctp_free(BIO *a) return 0; data = (bio_dgram_sctp_data *)a->ptr; - if(data != NULL) OPENSSL_free(data); + if(data != NULL) + { + if(data->saved_message.data != NULL) + OPENSSL_free(data->saved_message.data); + OPENSSL_free(data); + } return(1); } @@ -1034,6 +1103,13 @@ static int dgram_sctp_read(BIO *b, char msg.msg_flags = 0; n = recvmsg(b->num, &msg, 0); + if (n <= 0) + { + if (n < 0) + ret = n; + break; + } + if (msg.msg_controllen > 0) { for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) @@ -1073,13 +1149,6 @@ static int dgram_sctp_read(BIO *b, char } } - if (n <= 0) - { - if (n < 0) - ret = n; - break; - } - if (msg.msg_flags & MSG_NOTIFICATION) { snp = (union sctp_notification*) out; @@ -1099,6 +1168,7 @@ static int dgram_sctp_read(BIO *b, char dgram_sctp_write(data->saved_message.bio, data->saved_message.data, data->saved_message.length); OPENSSL_free(data->saved_message.data); + data->saved_message.data = NULL; data->saved_message.length = 0; } @@ -1109,16 +1179,28 @@ static int dgram_sctp_read(BIO *b, char event.se_type = SCTP_SENDER_DRY_EVENT; event.se_on = 0; i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event)); - OPENSSL_assert(i >= 0); + if (i < 0) + { + ret = i; + break; + } #else eventsize = sizeof(struct sctp_event_subscribe); i = getsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, &eventsize); - OPENSSL_assert(i >= 0); + if (i < 0) + { + ret = i; + break; + } event.sctp_sender_dry_event = 0; i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe)); - OPENSSL_assert(i >= 0); + if (i < 0) + { + ret = i; + break; + } #endif } @@ -1151,8 +1233,8 @@ static int dgram_sctp_read(BIO *b, char */ optlen = (socklen_t) sizeof(int); ret = getsockopt(b->num, SOL_SOCKET, SO_RCVBUF, &optval, &optlen); - OPENSSL_assert(ret >= 0); - OPENSSL_assert(optval >= 18445); + if (ret >= 0) + OPENSSL_assert(optval >= 18445); /* Test if SCTP doesn't partially deliver below * max record size (2^14 + 2048 + 13) @@ -1160,8 +1242,8 @@ static int dgram_sctp_read(BIO *b, char optlen = (socklen_t) sizeof(int); ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT, &optval, &optlen); - OPENSSL_assert(ret >= 0); - OPENSSL_assert(optval >= 18445); + if (ret >= 0) + OPENSSL_assert(optval >= 18445); /* Partially delivered notification??? Probably a bug.... */ OPENSSL_assert(!(msg.msg_flags & MSG_NOTIFICATION)); @@ -1195,15 +1277,15 @@ static int dgram_sctp_read(BIO *b, char authchunks = OPENSSL_malloc(optlen); memset(authchunks, 0, sizeof(optlen)); ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen); - OPENSSL_assert(ii >= 0); - for (p = (unsigned char*) authchunks->gauth_chunks; - p < (unsigned char*) authchunks + optlen; - p += sizeof(uint8_t)) - { - if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1; - if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1; - } + if (ii >= 0) *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201501082240.t08Meerr046304>