Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/crypto/external/bsd/openssl/dist Import of OpenSSL 1.0.1k. U...



details:   https://anonhg.NetBSD.org/src/rev/3b4d110e0937
branches:  trunk
changeset: 335547:3b4d110e0937
user:      spz <spz%NetBSD.org@localhost>
date:      Tue Jan 13 07:59:08 2015 +0000

description:
Import of OpenSSL 1.0.1k. Upstream log:

 Changes between 1.0.1j and 1.0.1k [8 Jan 2015]

  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
     message can cause a segmentation fault in OpenSSL due to a NULL pointer
     dereference. This could lead to a Denial Of Service attack. Thanks to
     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
     (CVE-2014-3571)
     [Steve Henson]

  *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
     dtls1_buffer_record function under certain conditions. In particular this
     could occur if an attacker sent repeated DTLS records with the same
     sequence number but for the next epoch. The memory leak could be exploited
     by an attacker in a Denial of Service attack through memory exhaustion.
     Thanks to Chris Mueller for reporting this issue.
     (CVE-2015-0206)
     [Matt Caswell]

  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
     method would be set to NULL which could later result in a NULL pointer
     dereference. Thanks to Frank Schmirler for reporting this issue.
     (CVE-2014-3569)
     [Kurt Roeckx]

  *) Abort handshake if server key exchange message is omitted for ephemeral
     ECDH ciphersuites.

     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
     reporting this issue.
     (CVE-2014-3572)
     [Steve Henson]

  *) Remove non-export ephemeral RSA code on client and server. This code
     violated the TLS standard by allowing the use of temporary RSA keys in
     non-export ciphersuites and could be used by a server to effectively
     downgrade the RSA key length used to a value smaller than the server
     certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
     INRIA or reporting this issue.
     (CVE-2015-0204)
     [Steve Henson]

  *) Fixed issue where DH client certificates are accepted without verification.
     An OpenSSL server will accept a DH certificate for client authentication
     without the certificate verify message. This effectively allows a client to
     authenticate without the use of a private key. This only affects servers
     which trust a client certificate authority which issues certificates
     containing DH keys: these are extremely rare and hardly ever encountered.
     Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
     this issue.
     (CVE-2015-0205)
     [Steve Henson]

  *) Ensure that the session ID context of an SSL is updated when its
     SSL_CTX is updated via SSL_set_SSL_CTX.

     The session ID context is typically set from the parent SSL_CTX,
     and can vary with the CTX.
     [Adam Langley]

  *) Fix various certificate fingerprint issues.

     By using non-DER or invalid encodings outside the signed portion of a
     certificate the fingerprint can be changed without breaking the signature.
     Although no details of the signed portion of the certificate can be changed
     this can cause problems with some applications: e.g. those using the
     certificate fingerprint for blacklists.

     1. Reject signatures with non zero unused bits.

     If the BIT STRING containing the signature has non zero unused bits reject
     the signature. All current signature algorithms require zero unused bits.

     2. Check certificate algorithm consistency.

     Check the AlgorithmIdentifier inside TBS matches the one in the
     certificate signature. NB: this will result in signature failure
     errors for some broken certificates.

     Thanks to Konrad Kraszewski from Google for reporting this issue.

     3. Check DSA/ECDSA signatures use DER.

     Reencode DSA/ECDSA signatures and compare with the original received
     signature. Return an error if there is a mismatch.

     This will reject various cases including garbage after signature
     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
     (negative or with leading zeroes).

     Further analysis was conducted and fixes were developed by Stephen Henson
     of the OpenSSL core team.

     (CVE-2014-8275)
     [Steve Henson]

   *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
      results on some platforms, including x86_64. This bug occurs at random
      with a very low probability, and is not known to be exploitable in any
      way, though its exact impact is difficult to determine. Thanks to Pieter
      Wuille (Blockstream) who reported this issue and also suggested an initial
      fix. Further analysis was conducted by the OpenSSL development team and
      Adam Langley of Google. The final fix was developed by Andy Polyakov of
      the OpenSSL core team.
      (CVE-2014-3570)
      [Andy Polyakov]

   *) Do not resume sessions on the server if the negotiated protocol
      version does not match the session's version. Resuming with a different
      version, while not strictly forbidden by the RFC, is of questionable
      sanity and breaks all known clients.
      [David Benjamin, Emilia K?sper]

   *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
      early CCS messages during renegotiation. (Note that because
      renegotiation is encrypted, this early CCS was not exploitable.)
      [Emilia K?sper]

   *) Tighten client-side session ticket handling during renegotiation:
      ensure that the client only accepts a session ticket if the server sends
      the extension anew in the ServerHello. Previously, a TLS client would
      reuse the old extension state and thus accept a session ticket if one was
      announced in the initial ServerHello.

      Similarly, ensure that the client requires a session ticket if one
      was advertised in the ServerHello. Previously, a TLS client would
      ignore a missing NewSessionTicket message.
      [Emilia K?sper]

diffstat:

 crypto/external/bsd/openssl/dist/apps/dgst.c                               |    2 +
 crypto/external/bsd/openssl/dist/apps/openssl.c                            |    5 +-
 crypto/external/bsd/openssl/dist/crypto/aes/asm/aes-mips.pl                |    2 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/a_bitstr.c                    |    7 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c                      |    2 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/a_verify.c                    |   12 +
 crypto/external/bsd/openssl/dist/crypto/asn1/asn1.h                        |    4 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c                    |    4 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c                    |    8 +
 crypto/external/bsd/openssl/dist/crypto/asn1/x_algor.c                     |   11 +
 crypto/external/bsd/openssl/dist/crypto/asn1/x_name.c                      |    2 +
 crypto/external/bsd/openssl/dist/crypto/bio/bio.h                          |    4 +
 crypto/external/bsd/openssl/dist/crypto/bio/bss_dgram.c                    |  158 ++-
 crypto/external/bsd/openssl/dist/crypto/bn/asm/mips.pl                     |  611 ++-------
 crypto/external/bsd/openssl/dist/crypto/bn/bn_asm.c                        |   16 +-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_ctx.c                        |    2 +-
 crypto/external/bsd/openssl/dist/crypto/bn/bn_div.c                        |    8 +-
 crypto/external/bsd/openssl/dist/crypto/constant_time_locl.h               |   16 +-
 crypto/external/bsd/openssl/dist/crypto/constant_time_test.c               |  330 +++++
 crypto/external/bsd/openssl/dist/crypto/cversion.c                         |   15 +-
 crypto/external/bsd/openssl/dist/crypto/dsa/dsa_asn1.c                     |   14 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ec_lib.c                        |    2 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ec_mult.c                       |    7 +-
 crypto/external/bsd/openssl/dist/crypto/ec/ec_pmeth.c                      |    6 +
 crypto/external/bsd/openssl/dist/crypto/ec/ecp_nistp256.c                  |    1 -
 crypto/external/bsd/openssl/dist/crypto/ecdsa/Makefile                     |   13 +-
 crypto/external/bsd/openssl/dist/crypto/ecdsa/ecs_vrf.c                    |   15 +-
 crypto/external/bsd/openssl/dist/crypto/engine/eng_dyn.c                   |    3 -
 crypto/external/bsd/openssl/dist/crypto/evp/e_des3.c                       |   22 +-
 crypto/external/bsd/openssl/dist/crypto/objects/obj_xref.h                 |    3 -
 crypto/external/bsd/openssl/dist/crypto/objects/objxref.pl                 |    5 +-
 crypto/external/bsd/openssl/dist/crypto/sha/asm/sha1-mips.pl               |    2 +-
 crypto/external/bsd/openssl/dist/crypto/sha/asm/sha512-mips.pl             |    2 +-
 crypto/external/bsd/openssl/dist/crypto/ts/ts_rsp_sign.c                   |    2 +-
 crypto/external/bsd/openssl/dist/crypto/x509/x509.h                        |    1 +
 crypto/external/bsd/openssl/dist/crypto/x509/x509_vpm.c                    |    2 +
 crypto/external/bsd/openssl/dist/crypto/x509/x_all.c                       |    2 +
 crypto/external/bsd/openssl/dist/doc/HOWTO/certificates.txt                |   75 +-
 crypto/external/bsd/openssl/dist/doc/HOWTO/proxy_certificates.txt          |  206 +-
 crypto/external/bsd/openssl/dist/doc/apps/c_rehash.pod                     |   81 +
 crypto/external/bsd/openssl/dist/doc/apps/ocsp.pod                         |    4 +
 crypto/external/bsd/openssl/dist/doc/crypto/CMS_add1_signer.pod            |  101 +
 crypto/external/bsd/openssl/dist/doc/crypto/EVP_PKEY_encrypt.pod           |   12 +-
 crypto/external/bsd/openssl/dist/doc/crypto/X509_NAME_add_entry_by_txt.pod |   12 +-
 crypto/external/bsd/openssl/dist/doc/crypto/X509_NAME_get_index_by_NID.pod |    4 +
 crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_mode.pod              |   10 +
 crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_options.pod           |   10 +-
 crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod  |   23 +-
 crypto/external/bsd/openssl/dist/ssl/d1_clnt.c                             |   25 +-
 crypto/external/bsd/openssl/dist/ssl/kssl.c                                |   72 +-
 crypto/external/bsd/openssl/dist/ssl/s2_enc.c                              |   12 +-
 crypto/external/bsd/openssl/dist/ssl/s2_pkt.c                              |    9 +-
 crypto/external/bsd/openssl/dist/ssl/s2_srvr.c                             |   22 +-
 crypto/external/bsd/openssl/dist/ssl/s3_both.c                             |    1 +
 crypto/external/bsd/openssl/dist/ssl/s3_meth.c                             |    5 +-
 crypto/external/bsd/openssl/dist/ssl/ssl_cert.c                            |   29 -
 crypto/external/bsd/openssl/dist/ssl/ssl_sess.c                            |   16 +-
 crypto/external/bsd/openssl/dist/util/libeay.num                           |    1 +
 crypto/external/bsd/openssl/dist/util/mkbuildinf.pl                        |   35 +
 crypto/external/bsd/openssl/dist/util/pl/netware.pl                        |    2 +-
 60 files changed, 1220 insertions(+), 868 deletions(-)

diffs (truncated from 3371 to 300 lines):

diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/apps/dgst.c
--- a/crypto/external/bsd/openssl/dist/apps/dgst.c      Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/dgst.c      Tue Jan 13 07:59:08 2015 +0000
@@ -273,6 +273,8 @@
                BIO_printf(bio_err,"-d              to output debug info\n");
                BIO_printf(bio_err,"-hex            output as hex dump\n");
                BIO_printf(bio_err,"-binary         output in binary form\n");
+               BIO_printf(bio_err,"-hmac arg       set the HMAC key to arg\n");
+               BIO_printf(bio_err,"-non-fips-allow allow use of non FIPS digest\n");
                BIO_printf(bio_err,"-sign   file    sign digest using private key in file\n");
                BIO_printf(bio_err,"-verify file    verify a signature using public key in file\n");
                BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/apps/openssl.c
--- a/crypto/external/bsd/openssl/dist/apps/openssl.c   Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/apps/openssl.c   Tue Jan 13 07:59:08 2015 +0000
@@ -435,9 +435,7 @@
        if (prog != NULL) lh_FUNCTION_free(prog);
        if (arg.data != NULL) OPENSSL_free(arg.data);
 
-       apps_shutdown();
 
-       CRYPTO_mem_leaks(bio_err);
        if (bio_err != NULL)
                {
                BIO_free(bio_err);
@@ -450,6 +448,9 @@
                OPENSSL_free(Argv);
                }
 #endif
+       apps_shutdown();
+       CRYPTO_mem_leaks(bio_err);
+
        OPENSSL_EXIT(ret);
        }
 
diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/crypto/aes/asm/aes-mips.pl
--- a/crypto/external/bsd/openssl/dist/crypto/aes/asm/aes-mips.pl       Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/aes/asm/aes-mips.pl       Tue Jan 13 07:59:08 2015 +0000
@@ -70,7 +70,7 @@
 #
 ######################################################################
 
-$big_endian=(`echo MIPSEL | $ENV{CC} -E -P -`=~/MIPSEL/)?1:0;
+$big_endian=(`echo MIPSEL | $ENV{CC} -E -`=~/MIPSEL/)?1:0 if ($ENV{CC});
 
 for (@ARGV) {  $output=$_ if (/^\w[\w\-]*\.\w+$/);     }
 open STDOUT,">$output";
diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/crypto/asn1/a_bitstr.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/a_bitstr.c   Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/a_bitstr.c   Tue Jan 13 07:59:08 2015 +0000
@@ -136,11 +136,16 @@
 
        p= *pp;
        i= *(p++);
+       if (i > 7)
+               {
+               i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
+               goto err;
+               }
        /* We do this to preserve the settings.  If we modify
         * the settings, via the _set_bit function, we will recalculate
         * on output */
        ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
-       ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
+       ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
 
        if (len-- > 1) /* using one because of the bits left byte */
                {
diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c     Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c     Tue Jan 13 07:59:08 2015 +0000
@@ -113,7 +113,7 @@
 IMPLEMENT_ASN1_SET_OF(ASN1_TYPE)
 
 /* Returns 0 if they are equal, != 0 otherwise. */
-int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b)
+int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
        {
        int result = -1;
 
diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/crypto/asn1/a_verify.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/a_verify.c   Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/a_verify.c   Tue Jan 13 07:59:08 2015 +0000
@@ -90,6 +90,12 @@
                ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
                goto err;
                }
+
+       if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
+               {
+               ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+               goto err;
+               }
        
        inl=i2d(data,NULL);
        buf_in=OPENSSL_malloc((unsigned int)inl);
@@ -146,6 +152,12 @@
                return -1;
                }
 
+       if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
+               {
+               ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+               return -1;
+               }
+
        EVP_MD_CTX_init(&ctx);
 
        /* Convert signature OID into digest and public key OIDs */
diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/crypto/asn1/asn1.h
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/asn1.h       Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/asn1.h       Tue Jan 13 07:59:08 2015 +0000
@@ -776,7 +776,7 @@
 int ASN1_TYPE_get(ASN1_TYPE *a);
 void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
 int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);
-int            ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b);
+int            ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);
 
 ASN1_OBJECT *  ASN1_OBJECT_new(void );
 void           ASN1_OBJECT_free(ASN1_OBJECT *a);
@@ -1329,6 +1329,7 @@
 #define ASN1_R_ILLEGAL_TIME_VALUE                       184
 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT                         185
 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG               128
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT             220
 #define ASN1_R_INVALID_BMPSTRING_LENGTH                         129
 #define ASN1_R_INVALID_DIGIT                            130
 #define ASN1_R_INVALID_MIME_TYPE                        205
@@ -1378,6 +1379,7 @@
 #define ASN1_R_TIME_NOT_ASCII_FORMAT                    193
 #define ASN1_R_TOO_LONG                                         155
 #define ASN1_R_TYPE_NOT_CONSTRUCTED                     156
+#define ASN1_R_TYPE_NOT_PRIMITIVE                       218
 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY                         157
 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY                 158
 #define ASN1_R_UNEXPECTED_EOC                           159
diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c   Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/asn1_err.c   Tue Jan 13 07:59:08 2015 +0000
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -246,6 +246,7 @@
 {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE)   ,"illegal time value"},
 {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
 {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
 {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
 {ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
 {ERR_REASON(ASN1_R_INVALID_MIME_TYPE)    ,"invalid mime type"},
@@ -295,6 +296,7 @@
 {ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT),"time not ascii format"},
 {ERR_REASON(ASN1_R_TOO_LONG)             ,"too long"},
 {ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"},
+{ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE)   ,"type not primitive"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
 {ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},
diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c   Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c   Tue Jan 13 07:59:08 2015 +0000
@@ -870,6 +870,14 @@
                }
        else if (cst)
                {
+               if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
+                       || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
+                       || utype == V_ASN1_ENUMERATED)
+                       {
+                       ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+                               ASN1_R_TYPE_NOT_PRIMITIVE);
+                       return 0;
+                       }
                buf.length = 0;
                buf.max = 0;
                buf.data = NULL;
diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/crypto/asn1/x_algor.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/x_algor.c    Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/x_algor.c    Tue Jan 13 07:59:08 2015 +0000
@@ -142,3 +142,14 @@
        X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL);
 
        }
+
+int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b)
+       {
+       int rv;
+       rv = OBJ_cmp(a->algorithm, b->algorithm);
+       if (rv)
+               return rv;
+       if (!a->parameter && !b->parameter)
+               return 0;
+       return ASN1_TYPE_cmp(a->parameter, b->parameter);
+       }
diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/crypto/asn1/x_name.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/x_name.c     Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/x_name.c     Tue Jan 13 07:59:08 2015 +0000
@@ -350,6 +350,8 @@
                        set = entry->set;
                        }
                tmpentry = X509_NAME_ENTRY_new();
+               if (!tmpentry)
+                       goto err;
                tmpentry->object = OBJ_dup(entry->object);
                if (!asn1_string_canon(tmpentry->value, entry->value))
                        goto err;
diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/crypto/bio/bio.h
--- a/crypto/external/bsd/openssl/dist/crypto/bio/bio.h Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/bio/bio.h Tue Jan 13 07:59:08 2015 +0000
@@ -175,6 +175,8 @@
 #define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT   45 /* Next DTLS handshake timeout to
                                               * adjust socket timeouts */
 
+#define BIO_CTRL_DGRAM_GET_MTU_OVERHEAD   49
+
 #ifndef OPENSSL_NO_SCTP
 /* SCTP stuff */
 #define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE   50
@@ -607,6 +609,8 @@
          (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)peer)
 #define BIO_dgram_set_peer(b,peer) \
          (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)peer)
+#define BIO_dgram_get_mtu_overhead(b) \
+         (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU_OVERHEAD, 0, NULL)
 
 /* These two aren't currently implemented */
 /* int BIO_get_ex_num(BIO *bio); */
diff -r 64754de2ebaa -r 3b4d110e0937 crypto/external/bsd/openssl/dist/crypto/bio/bss_dgram.c
--- a/crypto/external/bsd/openssl/dist/crypto/bio/bss_dgram.c   Tue Jan 13 03:11:34 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/bio/bss_dgram.c   Tue Jan 13 07:59:08 2015 +0000
@@ -454,6 +454,36 @@
        return(ret);
        }
 
+static long dgram_get_mtu_overhead(bio_dgram_data *data)
+       {
+       long ret;
+
+       switch (data->peer.sa.sa_family)
+               {
+               case AF_INET:
+                       /* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */
+                       ret = 28;
+                       break;
+#if OPENSSL_USE_IPV6
+               case AF_INET6:
+#ifdef IN6_IS_ADDR_V4MAPPED
+                       if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
+                               /* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */
+                               ret = 28;
+                       else
+#endif
+                               /* Assume this is UDP - 40 bytes for IP, 8 bytes for UDP */
+                               ret = 48;
+                       break;
+#endif
+               default:
+                       /* We don't know. Go with the historical default */
+                       ret = 28;
+                       break;
+               }
+       return ret;
+       }
+
 static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
        {
        long ret=1;
@@ -630,23 +660,24 @@
 #endif
                break;
        case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
+               ret = -dgram_get_mtu_overhead(data);
                switch (data->peer.sa.sa_family)
                        {
                        case AF_INET:
-                               ret = 576 - 20 - 8;
+                               ret += 576;
                                break;
 #if OPENSSL_USE_IPV6
                        case AF_INET6:
 #ifdef IN6_IS_ADDR_V4MAPPED
                                if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
-                                       ret = 576 - 20 - 8;
+                                       ret += 576;
                                else
 #endif
-                                       ret = 1280 - 40 - 8;
+                                       ret += 1280;
                                break;
 #endif
                        default:
-                               ret = 576 - 20 - 8;
+                               ret += 576;
                                break;



Home | Main Index | Thread Index | Old Index