forked from rpms/openssl
346 lines
12 KiB
Diff
346 lines
12 KiB
Diff
diff -up openssl-1.0.1e/crypto/pem/pem_info.c.backports openssl-1.0.1e/crypto/pem/pem_info.c
|
|
--- openssl-1.0.1e/crypto/pem/pem_info.c.backports 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/crypto/pem/pem_info.c 2013-08-16 15:31:35.726003892 +0200
|
|
@@ -167,6 +167,7 @@ start:
|
|
#ifndef OPENSSL_NO_RSA
|
|
if (strcmp(name,PEM_STRING_RSA) == 0)
|
|
{
|
|
+ d2i=(D2I_OF(void))d2i_RSAPrivateKey;
|
|
if (xi->x_pkey != NULL)
|
|
{
|
|
if (!sk_X509_INFO_push(ret,xi)) goto err;
|
|
diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports openssl-1.0.1e/crypto/rsa/rsa_pmeth.c
|
|
--- openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports 2013-08-16 15:31:35.697003256 +0200
|
|
+++ openssl-1.0.1e/crypto/rsa/rsa_pmeth.c 2013-08-16 15:33:37.770673918 +0200
|
|
@@ -582,6 +582,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CT
|
|
pm = RSA_NO_PADDING;
|
|
else if (!strcmp(value, "oeap"))
|
|
pm = RSA_PKCS1_OAEP_PADDING;
|
|
+ else if (!strcmp(value, "oaep"))
|
|
+ pm = RSA_PKCS1_OAEP_PADDING;
|
|
else if (!strcmp(value, "x931"))
|
|
pm = RSA_X931_PADDING;
|
|
else if (!strcmp(value, "pss"))
|
|
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.backports openssl-1.0.1e/crypto/x509/x509_vfy.c
|
|
--- openssl-1.0.1e/crypto/x509/x509_vfy.c.backports 2013-08-16 15:31:35.721003782 +0200
|
|
+++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2013-08-16 15:31:35.726003892 +0200
|
|
@@ -696,6 +696,7 @@ static int check_cert(X509_STORE_CTX *ct
|
|
X509_CRL *crl = NULL, *dcrl = NULL;
|
|
X509 *x;
|
|
int ok, cnum;
|
|
+ unsigned int last_reasons;
|
|
cnum = ctx->error_depth;
|
|
x = sk_X509_value(ctx->chain, cnum);
|
|
ctx->current_cert = x;
|
|
@@ -704,6 +705,7 @@ static int check_cert(X509_STORE_CTX *ct
|
|
ctx->current_reasons = 0;
|
|
while (ctx->current_reasons != CRLDP_ALL_REASONS)
|
|
{
|
|
+ last_reasons = ctx->current_reasons;
|
|
/* Try to retrieve relevant CRL */
|
|
if (ctx->get_crl)
|
|
ok = ctx->get_crl(ctx, &crl, x);
|
|
@@ -747,6 +749,15 @@ static int check_cert(X509_STORE_CTX *ct
|
|
X509_CRL_free(dcrl);
|
|
crl = NULL;
|
|
dcrl = NULL;
|
|
+ /* If reasons not updated we wont get anywhere by
|
|
+ * another iteration, so exit loop.
|
|
+ */
|
|
+ if (last_reasons == ctx->current_reasons)
|
|
+ {
|
|
+ ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
|
|
+ ok = ctx->verify_cb(0, ctx);
|
|
+ goto err;
|
|
+ }
|
|
}
|
|
err:
|
|
X509_CRL_free(crl);
|
|
diff -up openssl-1.0.1e/crypto/x509/x_all.c.backports openssl-1.0.1e/crypto/x509/x_all.c
|
|
--- openssl-1.0.1e/crypto/x509/x_all.c.backports 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/crypto/x509/x_all.c 2013-08-16 15:33:25.247399940 +0200
|
|
@@ -97,6 +97,7 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, c
|
|
|
|
int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
|
|
{
|
|
+ x->cert_info->enc.modified = 1;
|
|
return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
|
|
x->cert_info->signature,
|
|
x->sig_alg, x->signature, x->cert_info, ctx);
|
|
@@ -123,6 +124,7 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY
|
|
|
|
int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
|
|
{
|
|
+ x->crl->enc.modified = 1;
|
|
return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
|
|
x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
|
|
}
|
|
diff -up openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod
|
|
--- openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod 2013-08-16 15:31:35.727003914 +0200
|
|
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabl
|
|
an application specific error. This will never be returned unless explicitly
|
|
set by an application.
|
|
|
|
+=back
|
|
+
|
|
=head1 NOTES
|
|
|
|
The above functions should be used instead of directly referencing the fields
|
|
diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports openssl-1.0.1e/doc/ssl/SSL_accept.pod
|
|
--- openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
|
+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-08-16 15:31:35.727003914 +0200
|
|
@@ -44,17 +44,17 @@ The following return values can occur:
|
|
|
|
=over 4
|
|
|
|
-=item 1
|
|
-
|
|
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
|
-established.
|
|
-
|
|
=item 0
|
|
|
|
The TLS/SSL handshake was not successful but was shut down controlled and
|
|
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
|
|
return value B<ret> to find out the reason.
|
|
|
|
+=item 1
|
|
+
|
|
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
|
+established.
|
|
+
|
|
=item E<lt>0
|
|
|
|
The TLS/SSL handshake was not successful because a fatal error occurred either
|
|
diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports openssl-1.0.1e/doc/ssl/SSL_connect.pod
|
|
--- openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
|
+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-08-16 15:31:35.727003914 +0200
|
|
@@ -41,17 +41,17 @@ The following return values can occur:
|
|
|
|
=over 4
|
|
|
|
-=item 1
|
|
-
|
|
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
|
-established.
|
|
-
|
|
=item 0
|
|
|
|
The TLS/SSL handshake was not successful but was shut down controlled and
|
|
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
|
|
return value B<ret> to find out the reason.
|
|
|
|
+=item 1
|
|
+
|
|
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
|
+established.
|
|
+
|
|
=item E<lt>0
|
|
|
|
The TLS/SSL handshake was not successful, because a fatal error occurred either
|
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod
|
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-08-16 15:31:35.727003914 +0200
|
|
@@ -66,16 +66,16 @@ values:
|
|
|
|
=over 4
|
|
|
|
-=item 1
|
|
-
|
|
-The operation succeeded.
|
|
-
|
|
=item 0
|
|
|
|
A failure while manipulating the STACK_OF(X509_NAME) object occurred or
|
|
the X509_NAME could not be extracted from B<cacert>. Check the error stack
|
|
to find out the reason.
|
|
|
|
+=item 1
|
|
+
|
|
+The operation succeeded.
|
|
+
|
|
=back
|
|
|
|
=head1 EXAMPLES
|
|
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
|
|
--- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-08-16 15:31:35.727003914 +0200
|
|
@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_
|
|
|
|
Return values from the server callback are interpreted as follows:
|
|
|
|
+=over 4
|
|
+
|
|
=item > 0
|
|
|
|
PSK identity was found and the server callback has provided the PSK
|
|
@@ -99,4 +101,6 @@ completely.
|
|
PSK identity was not found. An "unknown_psk_identity" alert message
|
|
will be sent and the connection setup fails.
|
|
|
|
+=back
|
|
+
|
|
=cut
|
|
diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod
|
|
--- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
|
+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-08-16 15:31:35.727003914 +0200
|
|
@@ -45,17 +45,17 @@ The following return values can occur:
|
|
|
|
=over 4
|
|
|
|
-=item 1
|
|
-
|
|
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
|
-established.
|
|
-
|
|
=item 0
|
|
|
|
The TLS/SSL handshake was not successful but was shut down controlled and
|
|
by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
|
|
return value B<ret> to find out the reason.
|
|
|
|
+=item 1
|
|
+
|
|
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
|
|
+established.
|
|
+
|
|
=item E<lt>0
|
|
|
|
The TLS/SSL handshake was not successful because a fatal error occurred either
|
|
diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports openssl-1.0.1e/doc/ssl/SSL_shutdown.pod
|
|
--- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports 2013-02-11 16:02:48.000000000 +0100
|
|
+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-08-16 15:31:35.728003935 +0200
|
|
@@ -92,11 +92,6 @@ The following return values can occur:
|
|
|
|
=over 4
|
|
|
|
-=item 1
|
|
-
|
|
-The shutdown was successfully completed. The "close notify" alert was sent
|
|
-and the peer's "close notify" alert was received.
|
|
-
|
|
=item 0
|
|
|
|
The shutdown is not yet finished. Call SSL_shutdown() for a second time,
|
|
@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be per
|
|
The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
|
|
erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
|
|
|
|
+=item 1
|
|
+
|
|
+The shutdown was successfully completed. The "close notify" alert was sent
|
|
+and the peer's "close notify" alert was received.
|
|
+
|
|
=item -1
|
|
|
|
The shutdown was not successful because a fatal error occurred either
|
|
diff -up openssl-1.0.1e/ssl/d1_lib.c.backports openssl-1.0.1e/ssl/d1_lib.c
|
|
--- openssl-1.0.1e/ssl/d1_lib.c.backports 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/ssl/d1_lib.c 2013-08-16 15:33:33.306576363 +0200
|
|
@@ -196,6 +196,7 @@ void dtls1_free(SSL *s)
|
|
pqueue_free(s->d1->buffered_app_data.q);
|
|
|
|
OPENSSL_free(s->d1);
|
|
+ s->d1 = NULL;
|
|
}
|
|
|
|
void dtls1_clear(SSL *s)
|
|
diff -up openssl-1.0.1e/ssl/d1_pkt.c.backports openssl-1.0.1e/ssl/d1_pkt.c
|
|
--- openssl-1.0.1e/ssl/d1_pkt.c.backports 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/ssl/d1_pkt.c 2013-08-16 15:31:35.728003935 +0200
|
|
@@ -847,6 +847,12 @@ start:
|
|
}
|
|
}
|
|
|
|
+ if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
|
|
+ {
|
|
+ rr->length = 0;
|
|
+ goto start;
|
|
+ }
|
|
+
|
|
/* we now have a packet which can be read and processed */
|
|
|
|
if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
|
|
@@ -1051,6 +1057,7 @@ start:
|
|
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
|
|
!s->s3->renegotiate)
|
|
{
|
|
+ s->d1->handshake_read_seq++;
|
|
s->new_session = 1;
|
|
ssl3_renegotiate(s);
|
|
if (ssl3_renegotiate_check(s))
|
|
diff -up openssl-1.0.1e/ssl/d1_srvr.c.backports openssl-1.0.1e/ssl/d1_srvr.c
|
|
--- openssl-1.0.1e/ssl/d1_srvr.c.backports 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/ssl/d1_srvr.c 2013-08-16 15:31:35.728003935 +0200
|
|
@@ -276,10 +276,11 @@ int dtls1_accept(SSL *s)
|
|
case SSL3_ST_SW_HELLO_REQ_B:
|
|
|
|
s->shutdown=0;
|
|
+ dtls1_clear_record_buffer(s);
|
|
dtls1_start_timer(s);
|
|
ret=dtls1_send_hello_request(s);
|
|
if (ret <= 0) goto end;
|
|
- s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
|
|
+ s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
|
|
s->state=SSL3_ST_SW_FLUSH;
|
|
s->init_num=0;
|
|
|
|
diff -up openssl-1.0.1e/ssl/s3_cbc.c.backports openssl-1.0.1e/ssl/s3_cbc.c
|
|
--- openssl-1.0.1e/ssl/s3_cbc.c.backports 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/ssl/s3_cbc.c 2013-08-16 15:31:35.729003956 +0200
|
|
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s
|
|
unsigned padding_length, good, to_check, i;
|
|
const unsigned overhead = 1 /* padding length byte */ + mac_size;
|
|
/* Check if version requires explicit IV */
|
|
- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
|
|
+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
|
|
{
|
|
/* These lengths are all public so we can test them in
|
|
* non-constant time.
|
|
diff -up openssl-1.0.1e/ssl/ssl_lib.c.backports openssl-1.0.1e/ssl/ssl_lib.c
|
|
--- openssl-1.0.1e/ssl/ssl_lib.c.backports 2013-02-11 16:26:04.000000000 +0100
|
|
+++ openssl-1.0.1e/ssl/ssl_lib.c 2013-08-16 15:31:35.729003956 +0200
|
|
@@ -1797,7 +1797,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
|
|
CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
|
|
|
|
ret->extra_certs=NULL;
|
|
- ret->comp_methods=SSL_COMP_get_compression_methods();
|
|
+ /* No compression for DTLS */
|
|
+ if (meth->version != DTLS1_VERSION)
|
|
+ ret->comp_methods=SSL_COMP_get_compression_methods();
|
|
|
|
ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
|
|
|
|
@@ -2792,9 +2794,7 @@ void ssl_clear_cipher_ctx(SSL *s)
|
|
/* Fix this function so that it takes an optional type parameter */
|
|
X509 *SSL_get_certificate(const SSL *s)
|
|
{
|
|
- if (s->server)
|
|
- return(ssl_get_server_send_cert(s));
|
|
- else if (s->cert != NULL)
|
|
+ if (s->cert != NULL)
|
|
return(s->cert->key->x509);
|
|
else
|
|
return(NULL);
|
|
diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
|
|
index 3b6c469..e8a7518 100644
|
|
--- a/crypto/x86cpuid.pl
|
|
+++ b/crypto/x86cpuid.pl
|
|
@@ -69,6 +69,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
|
|
&inc ("esi"); # number of cores
|
|
|
|
&mov ("eax",1);
|
|
+ &xor ("ecx","ecx");
|
|
&cpuid ();
|
|
&bt ("edx",28);
|
|
&jnc (&label("generic"));
|
|
@@ -102,6 +103,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
|
|
|
|
&set_label("nocacheinfo");
|
|
&mov ("eax",1);
|
|
+ &xor ("ecx","ecx");
|
|
&cpuid ();
|
|
&and ("edx",0xbfefffff); # force reserved bits #20, #30 to 0
|
|
&cmp ("ebp",0);
|