Blame SOURCES/openssl-1.0.1e-backports.patch

a5ef24
diff -up openssl-1.0.1e/crypto/pem/pem_info.c.backports openssl-1.0.1e/crypto/pem/pem_info.c
a5ef24
--- openssl-1.0.1e/crypto/pem/pem_info.c.backports	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/crypto/pem/pem_info.c	2013-08-16 15:31:35.726003892 +0200
a5ef24
@@ -167,6 +167,7 @@ start:
a5ef24
 #ifndef OPENSSL_NO_RSA
a5ef24
 			if (strcmp(name,PEM_STRING_RSA) == 0)
a5ef24
 			{
a5ef24
+			d2i=(D2I_OF(void))d2i_RSAPrivateKey;
a5ef24
 			if (xi->x_pkey != NULL) 
a5ef24
 				{
a5ef24
 				if (!sk_X509_INFO_push(ret,xi)) goto err;
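Review bot: The added `d2i=(D2I_OF(void))d2i_RSAPrivateKey;` at the top of the RSA branch has no comment, and the code that later calls through `d2i` is outside the hunk. Presumably the decoder was previously left at whatever an earlier object set, or unset, when an RSA key was read. If so, say it on the line: `/* select the RSA decoder for the key body parsed below */`. It is also worth confirming that the other key-type branches of this function set `d2i` the same way, since they are not visible here.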
a5ef24
diff -up openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports openssl-1.0.1e/crypto/rsa/rsa_pmeth.c
a5ef24
--- openssl-1.0.1e/crypto/rsa/rsa_pmeth.c.backports	2013-08-16 15:31:35.697003256 +0200
a5ef24
+++ openssl-1.0.1e/crypto/rsa/rsa_pmeth.c	2013-08-16 15:33:37.770673918 +0200
a5ef24
@@ -582,6 +582,8 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CT
a5ef24
 			pm = RSA_NO_PADDING;
a5ef24
 		else if (!strcmp(value, "oeap"))
a5ef24
 			pm = RSA_PKCS1_OAEP_PADDING;
a5ef24
+		else if (!strcmp(value, "oaep"))
a5ef24
+			pm = RSA_PKCS1_OAEP_PADDING;
a5ef24
 		else if (!strcmp(value, "x931"))
a5ef24
 			pm = RSA_X931_PADDING;
a5ef24
 		else if (!strcmp(value, "pss"))
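Review bot: The misspelled `"oeap"` arm and the new `"oaep"` arm in pkey_rsa_ctrl_str are now two identical branches, with nothing marking the first as a legacy spelling kept for compatibility. Folding them into one test makes the intent visible: `else if (!strcmp(value, "oaep") || !strcmp(value, "oeap")) /* "oeap": historical typo, still accepted */`. Without that remark a later cleanup could drop the old spelling and break callers that still pass it. The if/else chain starts and ends outside the hunk.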
a5ef24
diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.backports openssl-1.0.1e/crypto/x509/x509_vfy.c
a5ef24
--- openssl-1.0.1e/crypto/x509/x509_vfy.c.backports	2013-08-16 15:31:35.721003782 +0200
a5ef24
+++ openssl-1.0.1e/crypto/x509/x509_vfy.c	2013-08-16 15:31:35.726003892 +0200
a5ef24
@@ -696,6 +696,7 @@ static int check_cert(X509_STORE_CTX *ct
a5ef24
 	X509_CRL *crl = NULL, *dcrl = NULL;
a5ef24
 	X509 *x;
a5ef24
 	int ok, cnum;
a5ef24
+	unsigned int last_reasons;
a5ef24
 	cnum = ctx->error_depth;
a5ef24
 	x = sk_X509_value(ctx->chain, cnum);
a5ef24
 	ctx->current_cert = x;
a5ef24
@@ -704,6 +705,7 @@ static int check_cert(X509_STORE_CTX *ct
a5ef24
 	ctx->current_reasons = 0;
a5ef24
 	while (ctx->current_reasons != CRLDP_ALL_REASONS)
a5ef24
 		{
a5ef24
+		last_reasons = ctx->current_reasons;
a5ef24
 		/* Try to retrieve relevant CRL */
a5ef24
 		if (ctx->get_crl)
a5ef24
 			ok = ctx->get_crl(ctx, &crl, x);
a5ef24
@@ -747,6 +749,15 @@ static int check_cert(X509_STORE_CTX *ct
a5ef24
 		X509_CRL_free(dcrl);
a5ef24
 		crl = NULL;
a5ef24
 		dcrl = NULL;
a5ef24
+		/* If reasons not updated we wont get anywhere by
a5ef24
+		 * another iteration, so exit loop.
a5ef24
+		 */
a5ef24
+		if (last_reasons == ctx->current_reasons)
a5ef24
+			{
a5ef24
+			ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
a5ef24
+			ok = ctx->verify_cb(0, ctx);
a5ef24
+			goto err;
a5ef24
+			}
a5ef24
 		}
a5ef24
 	err:
a5ef24
 	X509_CRL_free(crl);
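Review bot: The new no-progress exit in check_cert sets `X509_V_ERR_UNABLE_TO_GET_CRL` and then returns whatever `ctx->verify_cb(0, ctx)` yields. A callback that tolerates a missing CRL will therefore also pass a certificate whose revocation reasons were never fully covered. The comment should state that, e.g. `/* No new reason codes covered: stop rather than loop forever. A verify_cb that returns 1 here accepts partial reason coverage. */`. Apparently a CRL was fetched on this iteration (the frees just above suggest so), so reusing the "unable to get CRL" code also makes the diagnostic ambiguous. "wont" in the added comment should read "won't"; the `last_reasons` declaration and the loop head are in the two earlier hunks of this file.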
a5ef24
diff -up openssl-1.0.1e/crypto/x509/x_all.c.backports openssl-1.0.1e/crypto/x509/x_all.c
a5ef24
--- openssl-1.0.1e/crypto/x509/x_all.c.backports	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/crypto/x509/x_all.c	2013-08-16 15:33:25.247399940 +0200
a5ef24
@@ -97,6 +97,7 @@ int X509_sign(X509 *x, EVP_PKEY *pkey, c
a5ef24
 
a5ef24
 int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx)
a5ef24
 	{
a5ef24
+	x->cert_info->enc.modified = 1;
a5ef24
 	return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CINF),
a5ef24
 		x->cert_info->signature,
a5ef24
 		x->sig_alg, x->signature, x->cert_info, ctx);
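Review bot: The added `x->cert_info->enc.modified = 1;` in X509_sign_ctx, and `x->crl->enc.modified = 1;` in X509_CRL_sign_ctx in the next hunk, carry no comment. The flag appears to mark the cached encoding as stale, so that signing covers the structure's current fields rather than a previously stored encoding. A one-line comment such as `/* invalidate cached DER so the signature covers the current fields */` would keep it from being removed as dead state. Whether X509_sign and X509_CRL_sign, named in the hunk headers, set the same flag is not visible here and should be checked for consistency.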
a5ef24
@@ -123,6 +124,7 @@ int X509_CRL_sign(X509_CRL *x, EVP_PKEY
a5ef24
 
a5ef24
 int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx)
a5ef24
 	{
a5ef24
+	x->crl->enc.modified = 1;
a5ef24
 	return ASN1_item_sign_ctx(ASN1_ITEM_rptr(X509_CRL_INFO),
a5ef24
 		x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx);
a5ef24
 	}
a5ef24
diff -up openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod
a5ef24
--- openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod.backports	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod	2013-08-16 15:31:35.727003914 +0200
a5ef24
@@ -278,6 +278,8 @@ happen if extended CRL checking is enabl
a5ef24
 an application specific error. This will never be returned unless explicitly
a5ef24
 set by an application.
a5ef24
 
a5ef24
+=back
a5ef24
+
a5ef24
 =head1 NOTES
a5ef24
 
a5ef24
 The above functions should be used instead of directly referencing the fields
a5ef24
diff -up openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports openssl-1.0.1e/doc/ssl/SSL_accept.pod
a5ef24
--- openssl-1.0.1e/doc/ssl/SSL_accept.pod.backports	2013-02-11 16:02:48.000000000 +0100
a5ef24
+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod	2013-08-16 15:31:35.727003914 +0200
a5ef24
@@ -44,17 +44,17 @@ The following return values can occur:
a5ef24
 
a5ef24
 =over 4
a5ef24
 
a5ef24
-=item 1
a5ef24
-
a5ef24
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
a5ef24
-established.
a5ef24
-
a5ef24
 =item 0
a5ef24
 
a5ef24
 The TLS/SSL handshake was not successful but was shut down controlled and
a5ef24
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
a5ef24
 return value B<ret> to find out the reason.
a5ef24
 
a5ef24
+=item 1
a5ef24
+
a5ef24
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
a5ef24
+established.
a5ef24
+
a5ef24
 =item E<lt>0
a5ef24
 
a5ef24
 The TLS/SSL handshake was not successful because a fatal error occurred either
a5ef24
diff -up openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports openssl-1.0.1e/doc/ssl/SSL_connect.pod
a5ef24
--- openssl-1.0.1e/doc/ssl/SSL_connect.pod.backports	2013-02-11 16:02:48.000000000 +0100
a5ef24
+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod	2013-08-16 15:31:35.727003914 +0200
a5ef24
@@ -41,17 +41,17 @@ The following return values can occur:
a5ef24
 
a5ef24
 =over 4
a5ef24
 
a5ef24
-=item 1
a5ef24
-
a5ef24
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
a5ef24
-established.
a5ef24
-
a5ef24
 =item 0
a5ef24
 
a5ef24
 The TLS/SSL handshake was not successful but was shut down controlled and
a5ef24
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
a5ef24
 return value B<ret> to find out the reason.
a5ef24
 
a5ef24
+=item 1
a5ef24
+
a5ef24
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
a5ef24
+established.
a5ef24
+
a5ef24
 =item E<lt>0
a5ef24
 
a5ef24
 The TLS/SSL handshake was not successful, because a fatal error occurred either
a5ef24
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod
a5ef24
--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod.backports	2013-02-11 16:02:48.000000000 +0100
a5ef24
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod	2013-08-16 15:31:35.727003914 +0200
a5ef24
@@ -66,16 +66,16 @@ values:
a5ef24
 
a5ef24
 =over 4
a5ef24
 
a5ef24
-=item 1
a5ef24
-
a5ef24
-The operation succeeded.
a5ef24
-
a5ef24
 =item 0
a5ef24
 
a5ef24
 A failure while manipulating the STACK_OF(X509_NAME) object occurred or
a5ef24
 the X509_NAME could not be extracted from B<cacert>. Check the error stack
a5ef24
 to find out the reason.
a5ef24
 
a5ef24
+=item 1
a5ef24
+
a5ef24
+The operation succeeded.
a5ef24
+
a5ef24
 =back
a5ef24
 
a5ef24
 =head1 EXAMPLES
a5ef24
diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod
a5ef24
--- openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod.backports	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod	2013-08-16 15:31:35.727003914 +0200
a5ef24
@@ -81,6 +81,8 @@ SSL_CTX_use_psk_identity_hint() and SSL_
a5ef24
 
a5ef24
 Return values from the server callback are interpreted as follows:
a5ef24
 
a5ef24
+=over 4
a5ef24
+
a5ef24
 =item > 0
a5ef24
 
a5ef24
 PSK identity was found and the server callback has provided the PSK
a5ef24
@@ -99,4 +101,6 @@ completely.
a5ef24
 PSK identity was not found. An "unknown_psk_identity" alert message
a5ef24
 will be sent and the connection setup fails.
a5ef24
 
a5ef24
+=back
a5ef24
+
a5ef24
 =cut
a5ef24
diff -up openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod
a5ef24
--- openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod.backports	2013-02-11 16:02:48.000000000 +0100
a5ef24
+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod	2013-08-16 15:31:35.727003914 +0200
a5ef24
@@ -45,17 +45,17 @@ The following return values can occur:
a5ef24
 
a5ef24
 =over 4
a5ef24
 
a5ef24
-=item 1
a5ef24
-
a5ef24
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
a5ef24
-established.
a5ef24
-
a5ef24
 =item 0
a5ef24
 
a5ef24
 The TLS/SSL handshake was not successful but was shut down controlled and
a5ef24
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
a5ef24
 return value B<ret> to find out the reason.
a5ef24
 
a5ef24
+=item 1
a5ef24
+
a5ef24
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
a5ef24
+established.
a5ef24
+
a5ef24
 =item E<lt>0
a5ef24
 
a5ef24
 The TLS/SSL handshake was not successful because a fatal error occurred either
a5ef24
diff -up openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports openssl-1.0.1e/doc/ssl/SSL_shutdown.pod
a5ef24
--- openssl-1.0.1e/doc/ssl/SSL_shutdown.pod.backports	2013-02-11 16:02:48.000000000 +0100
a5ef24
+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod	2013-08-16 15:31:35.728003935 +0200
a5ef24
@@ -92,11 +92,6 @@ The following return values can occur:
a5ef24
 
a5ef24
 =over 4
a5ef24
 
a5ef24
-=item 1
a5ef24
-
a5ef24
-The shutdown was successfully completed. The "close notify" alert was sent
a5ef24
-and the peer's "close notify" alert was received.
a5ef24
-
a5ef24
 =item 0
a5ef24
 
a5ef24
 The shutdown is not yet finished. Call SSL_shutdown() for a second time,
a5ef24
@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be per
a5ef24
 The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
a5ef24
 erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
a5ef24
 
a5ef24
+=item 1
a5ef24
+
a5ef24
+The shutdown was successfully completed. The "close notify" alert was sent
a5ef24
+and the peer's "close notify" alert was received.
a5ef24
+
a5ef24
 =item -1
a5ef24
 
a5ef24
 The shutdown was not successful because a fatal error occurred either
a5ef24
diff -up openssl-1.0.1e/ssl/d1_lib.c.backports openssl-1.0.1e/ssl/d1_lib.c
a5ef24
--- openssl-1.0.1e/ssl/d1_lib.c.backports	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/ssl/d1_lib.c	2013-08-16 15:33:33.306576363 +0200
a5ef24
@@ -196,6 +196,7 @@ void dtls1_free(SSL *s)
a5ef24
 	pqueue_free(s->d1->buffered_app_data.q);
a5ef24
 
a5ef24
 	OPENSSL_free(s->d1);
a5ef24
+	s->d1 = NULL;
a5ef24
 	}
a5ef24
 
a5ef24
 void dtls1_clear(SSL *s)
a5ef24
diff -up openssl-1.0.1e/ssl/d1_pkt.c.backports openssl-1.0.1e/ssl/d1_pkt.c
a5ef24
--- openssl-1.0.1e/ssl/d1_pkt.c.backports	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/ssl/d1_pkt.c	2013-08-16 15:31:35.728003935 +0200
a5ef24
@@ -847,6 +847,12 @@ start:
a5ef24
 			}
a5ef24
 		}
a5ef24
 
a5ef24
+	if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
a5ef24
+		{
a5ef24
+		rr->length = 0;
a5ef24
+		goto start;
a5ef24
+		}
a5ef24
+
a5ef24
 	/* we now have a packet which can be read and processed */
a5ef24
 
a5ef24
 	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
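Review bot: The new `s->d1->listen` block discards every record whose type is not `SSL3_RT_HANDSHAKE` and jumps back to `start`, with no comment on why or on what bounds the loop. Suggest placing `/* While listening, only handshake records are processed; drop anything else and read the next record. */` above the `if`. Because the drop is silent, it would also help to say whether discarded records should be counted or logged, so lost datagrams can be diagnosed. The enclosing function starts and ends outside the hunk.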
a5ef24
@@ -1051,6 +1057,7 @@ start:
a5ef24
 			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
a5ef24
 			!s->s3->renegotiate)
a5ef24
 			{
a5ef24
+			s->d1->handshake_read_seq++;
a5ef24
 			s->new_session = 1;
a5ef24
 			ssl3_renegotiate(s);
a5ef24
 			if (ssl3_renegotiate_check(s))
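Review bot: `s->d1->handshake_read_seq++` is added at the top of the renegotiation branch without a comment. It runs before `ssl3_renegotiate_check(s)` is consulted, so the read sequence advances even if renegotiation does not go ahead. If that is intended (presumably the handshake message that led here consumed a sequence number), state it: `/* the handshake message that triggered this branch used one read sequence number */`. The condition guarding this branch begins outside the hunk.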
a5ef24
diff -up openssl-1.0.1e/ssl/d1_srvr.c.backports openssl-1.0.1e/ssl/d1_srvr.c
a5ef24
--- openssl-1.0.1e/ssl/d1_srvr.c.backports	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/ssl/d1_srvr.c	2013-08-16 15:31:35.728003935 +0200
a5ef24
@@ -276,10 +276,11 @@ int dtls1_accept(SSL *s)
a5ef24
 		case SSL3_ST_SW_HELLO_REQ_B:
a5ef24
 
a5ef24
 			s->shutdown=0;
a5ef24
+			dtls1_clear_record_buffer(s);
a5ef24
 			dtls1_start_timer(s);
a5ef24
 			ret=dtls1_send_hello_request(s);
a5ef24
 			if (ret <= 0) goto end;
a5ef24
-			s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
a5ef24
+			s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
a5ef24
 			s->state=SSL3_ST_SW_FLUSH;
a5ef24
 			s->init_num=0;
a5ef24
 
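Review bot: In the `SSL3_ST_SW_HELLO_REQ_B` case the successor state changes from `SSL3_ST_SW_HELLO_REQ_C` to `SSL3_ST_SR_CLNT_HELLO_A`, and a `dtls1_clear_record_buffer(s)` call is added, with no comment explaining either. If a `case SSL3_ST_SW_HELLO_REQ_C:` arm still exists in dtls1_accept (outside the hunk), it may now be unreachable from this path and should be reviewed or documented. A short comment would record the intent, e.g. `/* discard buffered handshake records from the previous handshake; after the flush wait directly for the ClientHello */`.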
a5ef24
diff -up openssl-1.0.1e/ssl/s3_cbc.c.backports openssl-1.0.1e/ssl/s3_cbc.c
a5ef24
--- openssl-1.0.1e/ssl/s3_cbc.c.backports	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/ssl/s3_cbc.c	2013-08-16 15:31:35.729003956 +0200
a5ef24
@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s
a5ef24
 	unsigned padding_length, good, to_check, i;
a5ef24
 	const unsigned overhead = 1 /* padding length byte */ + mac_size;
a5ef24
 	/* Check if version requires explicit IV */
a5ef24
-	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
a5ef24
+	if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
a5ef24
 		{
a5ef24
 		/* These lengths are all public so we can test them in
a5ef24
 		 * non-constant time.
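Review bot: After this change the explicit-IV test in tls1_cbc_remove_padding covers `DTLS1_VERSION` only through the numeric comparison `s->version >= TLS1_1_VERSION`. That is not obvious from the line, and the existing comment does not mention it. Extend the comment to something like `/* Explicit IV: TLS >= 1.1 and DTLS. DTLS1_VERSION compares >= TLS1_1_VERSION; DTLS1_BAD_VER does not, so it is named separately. */`. This is the CBC padding-removal path, so a later edit that narrows the comparison would change how many bytes are treated as IV and overhead. The function continues outside the hunk.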
a5ef24
diff -up openssl-1.0.1e/ssl/ssl_lib.c.backports openssl-1.0.1e/ssl/ssl_lib.c
a5ef24
--- openssl-1.0.1e/ssl/ssl_lib.c.backports	2013-02-11 16:26:04.000000000 +0100
a5ef24
+++ openssl-1.0.1e/ssl/ssl_lib.c	2013-08-16 15:31:35.729003956 +0200
a5ef24
@@ -1797,7 +1797,9 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m
a5ef24
 	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data);
a5ef24
 
a5ef24
 	ret->extra_certs=NULL;
a5ef24
-	ret->comp_methods=SSL_COMP_get_compression_methods();
a5ef24
+	/* No compression for DTLS */
a5ef24
+	if (meth->version != DTLS1_VERSION)
a5ef24
+		ret->comp_methods=SSL_COMP_get_compression_methods();
a5ef24
 
a5ef24
 	ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;
a5ef24
 
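Review bot: When `meth->version == DTLS1_VERSION` the new guard leaves `ret->comp_methods` unassigned at this point, so its value depends on initialisation that is outside the hunk. The line above sets `ret->extra_certs=NULL;` explicitly; adding `ret->comp_methods=NULL;` before the `if` would avoid relying on that. The test names only `DTLS1_VERSION`, so confirm whether a method can carry `DTLS1_BAD_VER` here, since it would still be given compression methods. SSL_CTX_new starts and ends outside the hunk.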
a5ef24
@@ -2792,9 +2794,7 @@ void ssl_clear_cipher_ctx(SSL *s)
a5ef24
 /* Fix this function so that it takes an optional type parameter */
a5ef24
 X509 *SSL_get_certificate(const SSL *s)
a5ef24
 	{
a5ef24
-	if (s->server)
a5ef24
-		return(ssl_get_server_send_cert(s));
a5ef24
-	else if (s->cert != NULL)
a5ef24
+	if (s->cert != NULL)
a5ef24
 		return(s->cert->key->x509);
a5ef24
 	else
a5ef24
 		return(NULL);
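Review bot: With the `s->server` branch removed, SSL_get_certificate returns `s->cert->key->x509` for servers too, and `s->cert->key` is dereferenced unchecked while `s->cert` is checked. If `key` can be unset on the CERT structure (not visible here), guard it: `if (s->cert != NULL && s->cert->key != NULL)`. The comment above the function could also say what a server caller now gets, presumably the currently selected certificate rather than the one chosen for sending. The closing brace of the function is outside the hunk.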
2b5643
diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl
2b5643
index 3b6c469..e8a7518 100644
2b5643
--- a/crypto/x86cpuid.pl
2b5643
+++ b/crypto/x86cpuid.pl
2b5643
@@ -69,6 +69,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
2b5643
 	&inc	("esi");		# number of cores
2b5643
 
2b5643
 	&mov	("eax",1);
2b5643
+	&xor	("ecx","ecx");
2b5643
 	&cpuid	();
2b5643
 	&bt	("edx",28);
2b5643
 	&jnc	(&label("generic"));
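Review bot: The added `&xor ("ecx","ecx");` before `&cpuid ();` has no trailing comment, unlike neighbouring lines such as `# number of cores`. The same instruction is added again in the `nocacheinfo` hunk below. Record why ECX is zeroed for this leaf, e.g. `&xor ("ecx","ecx");	# clear ECX input before CPUID leaf 1`, so it is not later removed as redundant.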
2b5643
@@ -102,6 +103,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
2b5643
 
2b5643
 &set_label("nocacheinfo");
2b5643
 	&mov	("eax",1);
2b5643
+	&xor	("ecx","ecx");
2b5643
 	&cpuid	();
2b5643
 	&and	("edx",0xbfefffff);	# force reserved bits #20, #30 to 0
2b5643
 	&cmp	("ebp",0);