diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2010-5298.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2010-5298.patch new file mode 100644 index 0000000000..b4f92cd585 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2010-5298.patch @@ -0,0 +1,21 @@ +From: Ben Laurie +Date: Wed, 23 Apr 2014 06:24:03 +0000 (+0100) +Subject: Fix use after free. +X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=94d1f4b + +Fix use after free. +--- + +diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c +index b9e45c7..d601a18 100644 +--- a/ssl/s3_pkt.c ++++ b/ssl/s3_pkt.c +@@ -1334,7 +1334,7 @@ start: + { + s->rstate=SSL_ST_READ_HEADER; + rr->off=0; +- if (s->mode & SSL_MODE_RELEASE_BUFFERS) ++ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0) + ssl3_release_read_buffer(s); + } + } diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-4353.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-4353.patch new file mode 100644 index 0000000000..5f96116cf5 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-4353.patch @@ -0,0 +1,21 @@ +Fix for TLS record tampering bug. A carefully crafted invalid +handshake could crash OpenSSL with a NULL pointer exception. +Thanks to Anton Johansson for reporting this issues. +(CVE-2013-4353) +diff --git a/ssl/s3_both.c b/ssl/s3_both.c +index 1e5dcab..53b9390 100644 +--- a/ssl/s3_both.c ++++ b/ssl/s3_both.c +@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s) + { + const char *sender; + int slen; +- ++ /* If no new cipher setup return immediately: other functions will ++ * set the appropriate error. ++ */ ++ if (s->s3->tmp.new_cipher == NULL) ++ return; + if (s->state & SSL_ST_CONNECT) + { + sender=s->method->ssl3_enc->server_finished_label; diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6449.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6449.patch new file mode 100644 index 0000000000..d80a1788da --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6449.patch @@ -0,0 +1,111 @@ +Use version in SSL_METHOD not SSL structure. + +When deciding whether to use TLS 1.2 PRF and record hash algorithms +use the version number in the corresponding SSL_METHOD structure +instead of the SSL structure. The SSL structure version is sometimes +inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already. +(CVE-2013-6449) + +Also preventively check EVP errors for handshake digests. + +diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c +index bf832bb..c4ef273 100644 +--- a/ssl/s3_lib.c ++++ b/ssl/s3_lib.c +@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT. + long ssl_get_algorithm2(SSL *s) + { + long alg2 = s->s3->tmp.new_cipher->algorithm2; +- if (TLS1_get_version(s) >= TLS1_2_VERSION && ++ if (s->method->version == TLS1_2_VERSION && + alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) + return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; + return alg2; +diff --git a/ssl/s3_both.c b/ssl/s3_both.c +index ead01c8..1e5dcab 100644 +--- a/ssl/s3_both.c ++++ b/ssl/s3_both.c +@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) + + i=s->method->ssl3_enc->final_finish_mac(s, + sender,slen,s->s3->tmp.finish_md); ++ if (i == 0) ++ return 0; + s->s3->tmp.finish_md_len = i; + memcpy(p, s->s3->tmp.finish_md, i); + p+=i; +diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c +index 804291e..c4bc4e7 100644 +--- a/ssl/s3_pkt.c ++++ b/ssl/s3_pkt.c +@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); + if (version != s->version) + { + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); +- if ((s->version & 0xFF00) == (version & 0xFF00)) ++ if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) + /* Send back error using their minor version number :-) */ + s->version = (unsigned short)version; + al=SSL_AD_PROTOCOL_VERSION; +@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s) + slen=s->method->ssl3_enc->client_finished_label_len; + } + +- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, ++ i = s->method->ssl3_enc->final_finish_mac(s, + sender,slen,s->s3->tmp.peer_finish_md); ++ if (i == 0) ++ { ++ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ s->s3->tmp.peer_finish_md_len = i; + + return(1); + } +diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c +index e5a8b3f..52efed3 100644 +--- a/ssl/s3_srvr.c ++++ b/ssl/s3_srvr.c +@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s) + (s->version != DTLS1_VERSION && s->client_version < s->version)) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); +- if ((s->client_version>>8) == SSL3_VERSION_MAJOR) ++ if ((s->client_version>>8) == SSL3_VERSION_MAJOR && ++ !s->enc_write_ctx && !s->write_hash) + { + /* similar to ssl3_get_record, send alert using remote version number */ + s->version = s->client_version; +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c +index 809ad2e..72015f5 100644 +--- a/ssl/t1_enc.c ++++ b/ssl/t1_enc.c +@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s, + if (mask & ssl_get_algorithm2(s)) + { + int hashsize = EVP_MD_size(md); +- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) ++ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; ++ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) + { + /* internal error: 'buf' is too small for this cipersuite! */ + err = 1; + } + else + { +- EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); +- EVP_DigestFinal_ex(&ctx,q,&i); +- if (i != (unsigned int)hashsize) /* can't really happen */ ++ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || ++ !EVP_DigestFinal_ex(&ctx,q,&i) || ++ (i != (unsigned int)hashsize)) + err = 1; +- q+=i; ++ q+=hashsize; + } + } + } +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6450.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6450.patch new file mode 100644 index 0000000000..fa096c8b2f --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6450.patch @@ -0,0 +1,85 @@ +Fix DTLS retransmission from previous session. + +For DTLS we might need to retransmit messages from the previous session +so keep a copy of write context in DTLS retransmission buffers instead +of replacing it after sending CCS. CVE-2013-6450. + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index 65ec001..7a5596a 100644 +--- a/ssl/d1_both.c ++++ b/ssl/d1_both.c +@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) + static void + dtls1_hm_fragment_free(hm_fragment *frag) + { ++ ++ if (frag->msg_header.is_ccs) ++ { ++ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx); ++ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); ++ } + if (frag->fragment) OPENSSL_free(frag->fragment); + if (frag->reassembly) OPENSSL_free(frag->reassembly); + OPENSSL_free(frag); +diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h +index 96ce9a7..e485907 100644 +--- a/ssl/ssl_locl.h ++++ b/ssl/ssl_locl.h +@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; + extern SSL3_ENC_METHOD SSLv3_enc_data; + extern SSL3_ENC_METHOD DTLSv1_enc_data; + ++#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) ++ + #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ + s_get_meth) \ + const SSL_METHOD *func_name(void) \ +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c +index 72015f5..56db834 100644 +--- a/ssl/t1_enc.c ++++ b/ssl/t1_enc.c +@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which) + s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; + else + s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; +- if (s->enc_write_ctx != NULL) ++ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) + reuse_dd = 1; +- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) ++ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) + goto err; +- else +- /* make sure it's intialized in case we exit later with an error */ +- EVP_CIPHER_CTX_init(s->enc_write_ctx); + dd= s->enc_write_ctx; +- mac_ctx = ssl_replace_hash(&s->write_hash,NULL); ++ if (SSL_IS_DTLS(s)) ++ { ++ mac_ctx = EVP_MD_CTX_create(); ++ if (!mac_ctx) ++ goto err; ++ s->write_hash = mac_ctx; ++ } ++ else ++ mac_ctx = ssl_replace_hash(&s->write_hash,NULL); + #ifndef OPENSSL_NO_COMP + if (s->compress != NULL) + { +diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c +index 6fc469f..d14e8e4 100644 +--- a/crypto/evp/digest.c ++++ b/crypto/evp/digest.c +@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count, + + void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) + { +- EVP_MD_CTX_cleanup(ctx); +- OPENSSL_free(ctx); ++ if (ctx) ++ { ++ EVP_MD_CTX_cleanup(ctx); ++ OPENSSL_free(ctx); ++ } + } + + /* This call frees resources associated with the context */ diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0160.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0160.patch new file mode 100644 index 0000000000..6d5c5cef6f --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0160.patch @@ -0,0 +1,89 @@ +diff -up openssl-1.0.1e/ssl/d1_both.c.heartbeat openssl-1.0.1e/ssl/d1_both.c +--- openssl-1.0.1e/ssl/d1_both.c.heartbeat 2014-04-07 12:52:01.884308971 +0200 ++++ openssl-1.0.1e/ssl/d1_both.c 2014-04-07 13:04:32.860128295 +0200 +@@ -1458,26 +1458,36 @@ dtls1_process_heartbeat(SSL *s) + unsigned int payload; + unsigned int padding = 16; /* Use minimum padding */ + +- /* Read type and payload length first */ +- hbtype = *p++; +- n2s(p, payload); +- pl = p; +- + if (s->msg_callback) + s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, + &s->s3->rrec.data[0], s->s3->rrec.length, + s, s->msg_callback_arg); + ++ /* Read type and payload length first */ ++ if (1 + 2 + 16 > s->s3->rrec.length) ++ return 0; /* silently discard */ ++ hbtype = *p++; ++ n2s(p, payload); ++ if (1 + 2 + payload + 16 > s->s3->rrec.length) ++ return 0; /* silently discard per RFC 6520 sec. 4 */ ++ pl = p; ++ + if (hbtype == TLS1_HB_REQUEST) + { + unsigned char *buffer, *bp; ++ unsigned int write_length = 1 /* heartbeat type */ + ++ 2 /* heartbeat length */ + ++ payload + padding; + int r; + ++ if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) ++ return 0; ++ + /* Allocate memory for the response, size is 1 byte + * message type, plus 2 bytes payload length, plus + * payload, plus padding + */ +- buffer = OPENSSL_malloc(1 + 2 + payload + padding); ++ buffer = OPENSSL_malloc(write_length); + bp = buffer; + + /* Enter response type, length and copy payload */ +@@ -1488,11 +1498,11 @@ dtls1_process_heartbeat(SSL *s) + /* Random padding */ + RAND_pseudo_bytes(bp, padding); + +- r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); ++ r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length); + + if (r >= 0 && s->msg_callback) + s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, +- buffer, 3 + payload + padding, ++ buffer, write_length, + s, s->msg_callback_arg); + + OPENSSL_free(buffer); +diff -up openssl-1.0.1e/ssl/t1_lib.c.heartbeat openssl-1.0.1e/ssl/t1_lib.c +--- openssl-1.0.1e/ssl/t1_lib.c.heartbeat 2014-04-07 12:52:01.891308997 +0200 ++++ openssl-1.0.1e/ssl/t1_lib.c 2014-04-07 12:57:45.063603587 +0200 +@@ -2463,16 +2463,20 @@ tls1_process_heartbeat(SSL *s) + unsigned int payload; + unsigned int padding = 16; /* Use minimum padding */ + +- /* Read type and payload length first */ +- hbtype = *p++; +- n2s(p, payload); +- pl = p; +- + if (s->msg_callback) + s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, + &s->s3->rrec.data[0], s->s3->rrec.length, + s, s->msg_callback_arg); + ++ /* Read type and payload length first */ ++ if (1 + 2 + 16 > s->s3->rrec.length) ++ return 0; /* silently discard */ ++ hbtype = *p++; ++ n2s(p, payload); ++ if (1 + 2 + payload + 16 > s->s3->rrec.length) ++ return 0; /* silently discard per RFC 6520 sec. 4 */ ++ pl = p; ++ + if (hbtype == TLS1_HB_REQUEST) + { + unsigned char *buffer, *bp; diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0195.patch new file mode 100644 index 0000000000..434eee2052 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0195.patch @@ -0,0 +1,36 @@ +commit 208d54db20d58c9a5e45e856a0650caadd7d9612 +Author: Dr. Stephen Henson +Date: Tue May 13 18:48:31 2014 +0100 + + Fix for CVE-2014-0195 + + A buffer overrun attack can be triggered by sending invalid DTLS fragments + to an OpenSSL DTLS client or server. This is potentially exploitable to + run arbitrary code on a vulnerable client or server. + + Fixed by adding consistency check for DTLS fragments. + + Thanks to Jüri Aedla for reporting this issue. + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index 2e8cf68..07f67f8 100644 +--- a/ssl/d1_both.c ++++ b/ssl/d1_both.c +@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) + frag->msg_header.frag_off = 0; + } + else ++ { + frag = (hm_fragment*) item->data; ++ if (frag->msg_header.msg_len != msg_hdr->msg_len) ++ { ++ item = NULL; ++ frag = NULL; ++ goto err; ++ } ++ } ++ + + /* If message is already reassembled, this must be a + * retransmit and can be dropped. + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0198.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0198.patch new file mode 100644 index 0000000000..2c94bca5df --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0198.patch @@ -0,0 +1,33 @@ +From: Matt Caswell +Date: Sun, 11 May 2014 23:38:37 +0000 (+0100) +Subject: Fixed NULL pointer dereference. See PR#3321 +X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=b107586 + +Fixed NULL pointer dereference. See PR#3321 +--- + +diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c +index 40eb0dd..d961d12 100644 +--- a/ssl/s3_pkt.c ++++ b/ssl/s3_pkt.c +@@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, + SSL3_BUFFER *wb=&(s->s3->wbuf); + SSL_SESSION *sess; + +- if (wb->buf == NULL) +- if (!ssl3_setup_write_buffer(s)) +- return -1; + + /* first check if there is a SSL3_BUFFER still being written + * out. This will happen with non blocking IO */ +@@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, + /* if it went, fall through and send more stuff */ + } + ++ if (wb->buf == NULL) ++ if (!ssl3_setup_write_buffer(s)) ++ return -1; ++ + if (len == 0 && !create_empty_fragment) + return 0; + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0221.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0221.patch new file mode 100644 index 0000000000..deb3a8b89c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0221.patch @@ -0,0 +1,34 @@ +commit d30e582446b027868cdabd0994681643682045a4 +Author: Dr. Stephen Henson +Date: Fri May 16 13:00:45 2014 +0100 + + Fix CVE-2014-0221 + + Unnecessary recursion when receiving a DTLS hello request can be used to + crash a DTLS client. Fixed by handling DTLS hello request without recursion. + + Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index 07f67f8..4c2fd03 100644 +--- a/ssl/d1_both.c ++++ b/ssl/d1_both.c +@@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) + int i,al; + struct hm_header_st msg_hdr; + ++ redo: + /* see if we have the required fragment already */ + if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok) + { +@@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) + s->msg_callback_arg); + + s->init_num = 0; +- return dtls1_get_message_fragment(s, st1, stn, +- max, ok); ++ goto redo; + } + else /* Incorrectly formated Hello request */ + { + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0224.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0224.patch new file mode 100644 index 0000000000..05e7e795bc --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0224.patch @@ -0,0 +1,104 @@ +diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h +--- openssl-1.0.1e/ssl/ssl3.h.keying-mitm 2014-06-02 19:48:04.518100562 +0200 ++++ openssl-1.0.1e/ssl/ssl3.h 2014-06-02 19:48:04.642103429 +0200 +@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st + #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 + #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 + #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 ++#define SSL3_FLAGS_CCS_OK 0x0080 + + /* SSL3_FLAGS_SGC_RESTART_DONE is set when we + * restart a handshake because of MS SGC and so prevents us +diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c +--- openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/s3_clnt.c 2014-06-02 19:49:57.042701985 +0200 +@@ -510,6 +510,7 @@ int ssl3_connect(SSL *s) + s->method->ssl3_enc->client_finished_label, + s->method->ssl3_enc->client_finished_label_len); + if (ret <= 0) goto end; ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + s->state=SSL3_ST_CW_FLUSH; + + /* clear flags */ +@@ -559,6 +560,7 @@ int ssl3_connect(SSL *s) + case SSL3_ST_CR_FINISHED_A: + case SSL3_ST_CR_FINISHED_B: + ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, + SSL3_ST_CR_FINISHED_B); + if (ret <= 0) goto end; +@@ -901,6 +903,7 @@ int ssl3_get_server_hello(SSL *s) + { + s->session->cipher = pref_cipher ? + pref_cipher : ssl_get_cipher_by_char(s, p+j); ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + } + } + #endif /* OPENSSL_NO_TLSEXT */ +@@ -916,6 +918,7 @@ int ssl3_get_server_hello(SSL *s) + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); + goto f_err; + } ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + s->hit=1; + } + else /* a miss or crap from the other end */ +diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c +--- openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm 2014-06-02 19:48:04.640103383 +0200 ++++ openssl-1.0.1e/ssl/s3_pkt.c 2014-06-02 19:48:04.643103452 +0200 +@@ -1298,6 +1298,15 @@ start: + goto f_err; + } + ++ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) ++ { ++ al=SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); ++ goto f_err; ++ } ++ ++ s->s3->flags &= ~SSL3_FLAGS_CCS_OK; ++ + rr->length=0; + + if (s->msg_callback) +@@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s) + + if (s->s3->tmp.key_block == NULL) + { +- if (s->session == NULL) ++ if (s->session == NULL || s->session->master_key_length == 0) + { + /* might happen if dtls1_read_bytes() calls this */ + SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY); +diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c +--- openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm 2014-06-02 19:48:04.630103151 +0200 ++++ openssl-1.0.1e/ssl/s3_srvr.c 2014-06-02 19:48:04.643103452 +0200 +@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s) + case SSL3_ST_SR_CERT_VRFY_A: + case SSL3_ST_SR_CERT_VRFY_B: + ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + /* we should decide if we expected this one */ + ret=ssl3_get_cert_verify(s); + if (ret <= 0) goto end; +@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s) + + case SSL3_ST_SR_FINISHED_A: + case SSL3_ST_SR_FINISHED_B: ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, + SSL3_ST_SR_FINISHED_B); + if (ret <= 0) goto end; +@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s) + s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; + #else + if (s->s3->next_proto_neg_seen) ++ { ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; ++ } + else + s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; + #endif diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3470.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3470.patch new file mode 100644 index 0000000000..32f4487302 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3470.patch @@ -0,0 +1,26 @@ +commit 4ad43d511f6cf064c66eb4bfd0fb0919b5dd8a86 +Author: Dr. Stephen Henson +Date: Thu May 29 15:00:05 2014 +0100 + + Fix CVE-2014-3470 + + Check session_cert is not NULL before dereferencing it. + +diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c +index d35376d..4324f8d 100644 +--- a/ssl/s3_clnt.c ++++ b/ssl/s3_clnt.c +@@ -2511,6 +2511,13 @@ int ssl3_send_client_key_exchange(SSL *s) + int ecdh_clnt_cert = 0; + int field_size = 0; + ++ if (s->session->sess_cert == NULL) ++ { ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); ++ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } ++ + /* Did we send out the client's + * ECDH share for use in premaster + * computation as part of client certificate? diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3505.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3505.patch new file mode 100644 index 0000000000..8716fae9ed --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3505.patch @@ -0,0 +1,52 @@ +From 2172d4f63c61922487008f42511cc6bdae9b47a0 Mon Sep 17 00:00:00 2001 +From: Adam Langley +Date: Fri, 6 Jun 2014 14:19:21 -0700 +Subject: [PATCH] Avoid double free when processing DTLS packets. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The |item| variable, in both of these cases, may contain a pointer to a +|pitem| structure within |s->d1->buffered_messages|. It was being freed +in the error case while still being in |buffered_messages|. When the +error later caused the |SSL*| to be destroyed, the item would be double +freed. + +Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was +inconsistent with the other error paths (but correct). + +Fixes CVE-2014-3505 + +Reviewed-by: Matt Caswell +Reviewed-by: Emilia Käsper +--- + ssl/d1_both.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index c1eb970..cdb83b6 100644 +--- a/ssl/d1_both.c ++++ b/ssl/d1_both.c +@@ -693,8 +693,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) + return DTLS1_HM_FRAGMENT_RETRY; + + err: +- if (frag != NULL) dtls1_hm_fragment_free(frag); +- if (item != NULL) OPENSSL_free(item); ++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); + *ok = 0; + return i; + } +@@ -778,8 +777,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) + return DTLS1_HM_FRAGMENT_RETRY; + + err: +- if ( frag != NULL) dtls1_hm_fragment_free(frag); +- if ( item != NULL) OPENSSL_free(item); ++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); + *ok = 0; + return i; + } +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3506.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3506.patch new file mode 100644 index 0000000000..05e364f5b9 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3506.patch @@ -0,0 +1,87 @@ +From fc7804ec392fcf8051abe6bc9da9108744d2ae35 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 6 Jun 2014 14:25:52 -0700 +Subject: [PATCH] Fix DTLS handshake message size checks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In |dtls1_reassemble_fragment|, the value of +|msg_hdr->frag_off+frag_len| was being checked against the maximum +handshake message size, but then |msg_len| bytes were allocated for the +fragment buffer. This means that so long as the fragment was within the +allowed size, the pending handshake message could consume 16MB + 2MB +(for the reassembly bitmap). Approx 10 outstanding handshake messages +are allowed, meaning that an attacker could consume ~180MB per DTLS +connection. + +In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no +check was applied. + +Fixes CVE-2014-3506 + +Wholly based on patch by Adam Langley with one minor amendment. + +Reviewed-by: Emilia Käsper +--- + ssl/d1_both.c | 29 ++++++++++++++++------------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index 6559dfc..b9e15df 100644 +--- a/ssl/d1_both.c ++++ b/ssl/d1_both.c +@@ -587,6 +587,16 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) + return 0; + } + ++/* dtls1_max_handshake_message_len returns the maximum number of bytes ++ * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may ++ * be greater if the maximum certificate list size requires it. */ ++static unsigned long dtls1_max_handshake_message_len(const SSL *s) ++ { ++ unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; ++ if (max_len < (unsigned long)s->max_cert_list) ++ return s->max_cert_list; ++ return max_len; ++ } + + static int + dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) +@@ -595,20 +605,10 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) + pitem *item = NULL; + int i = -1, is_complete; + unsigned char seq64be[8]; +- unsigned long frag_len = msg_hdr->frag_len, max_len; +- +- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) +- goto err; +- +- /* Determine maximum allowed message size. Depends on (user set) +- * maximum certificate length, but 16k is minimum. +- */ +- if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) +- max_len = s->max_cert_list; +- else +- max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; ++ unsigned long frag_len = msg_hdr->frag_len; + +- if ((msg_hdr->frag_off+frag_len) > max_len) ++ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len || ++ msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) + goto err; + + /* Try to find item in queue */ +@@ -749,6 +749,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) + if (frag_len && frag_len < msg_hdr->msg_len) + return dtls1_reassemble_fragment(s, msg_hdr, ok); + ++ if (frag_len > dtls1_max_handshake_message_len(s)) ++ goto err; ++ + frag = dtls1_hm_fragment_new(frag_len, 0); + if ( frag == NULL) + goto err; +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3507.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3507.patch new file mode 100644 index 0000000000..05073152c9 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3507.patch @@ -0,0 +1,53 @@ +diff -up openssl-1.0.1e/ssl/d1_both.c.dtls-memleak openssl-1.0.1e/ssl/d1_both.c +--- openssl-1.0.1e/ssl/d1_both.c.dtls-memleak 2014-08-07 17:51:18.457493922 +0200 ++++ openssl-1.0.1e/ssl/d1_both.c 2014-08-07 17:58:28.478558785 +0200 +@@ -610,6 +610,9 @@ dtls1_reassemble_fragment(SSL *s, struct + msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) + goto err; + ++ if (frag_len == 0) ++ return DTLS1_HM_FRAGMENT_RETRY; ++ + /* Try to find item in queue */ + memset(seq64be,0,sizeof(seq64be)); + seq64be[6] = (unsigned char) (msg_hdr->seq>>8); +@@ -686,7 +689,12 @@ dtls1_reassemble_fragment(SSL *s, struct + i = -1; + } + +- pqueue_insert(s->d1->buffered_messages, item); ++ item = pqueue_insert(s->d1->buffered_messages, item); ++ /* pqueue_insert fails iff a duplicate item is inserted. ++ * However, |item| cannot be a duplicate. If it were, ++ * |pqueue_find|, above, would have returned it and control ++ * would never have reached this branch. */ ++ OPENSSL_assert(item != NULL); + } + + return DTLS1_HM_FRAGMENT_RETRY; +@@ -744,7 +752,7 @@ dtls1_process_out_of_seq_message(SSL *s, + } + else + { +- if (frag_len && frag_len < msg_hdr->msg_len) ++ if (frag_len < msg_hdr->msg_len) + return dtls1_reassemble_fragment(s, msg_hdr, ok); + + if (frag_len > dtls1_max_handshake_message_len(s)) +@@ -773,7 +781,15 @@ dtls1_process_out_of_seq_message(SSL *s, + if ( item == NULL) + goto err; + +- pqueue_insert(s->d1->buffered_messages, item); ++ item = pqueue_insert(s->d1->buffered_messages, item); ++ /* pqueue_insert fails iff a duplicate item is inserted. ++ * However, |item| cannot be a duplicate. If it were, ++ * |pqueue_find|, above, would have returned it. Then, either ++ * |frag_len| != |msg_hdr->msg_len| in which case |item| is set ++ * to NULL and it will have been processed with ++ * |dtls1_reassemble_fragment|, above, or the record will have ++ * been discarded. */ ++ OPENSSL_assert(item != NULL); + } + + return DTLS1_HM_FRAGMENT_RETRY; diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3508.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3508.patch new file mode 100644 index 0000000000..31dd08db9d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3508.patch @@ -0,0 +1,138 @@ +From 03b04ddac162c7b7fa3c57eadccc5a583a00d291 Mon Sep 17 00:00:00 2001 +From: Emilia Kasper +Date: Wed, 2 Jul 2014 19:02:33 +0200 +Subject: [PATCH] Fix OID handling: + +- Upon parsing, reject OIDs with invalid base-128 encoding. +- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function. + +CVE-2014-3508 + +Reviewed-by: Dr. Stephen Henson +Reviewed-by: Kurt Roeckx +Reviewed-by: Tim Hudson +--- + crypto/asn1/a_object.c | 30 +++++++++++++++++++++--------- + crypto/objects/obj_dat.c | 16 +++++++++------- + 2 files changed, 30 insertions(+), 16 deletions(-) + +diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c +index 3978c91..77b2768 100644 +--- a/crypto/asn1/a_object.c ++++ b/crypto/asn1/a_object.c +@@ -283,17 +283,29 @@ err: + ASN1err(ASN1_F_D2I_ASN1_OBJECT,i); + return(NULL); + } ++ + ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, + long len) + { + ASN1_OBJECT *ret=NULL; + const unsigned char *p; + unsigned char *data; +- int i; +- /* Sanity check OID encoding: can't have leading 0x80 in +- * subidentifiers, see: X.690 8.19.2 ++ int i, length; ++ ++ /* Sanity check OID encoding. ++ * Need at least one content octet. ++ * MSB must be clear in the last octet. ++ * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2 + */ +- for (i = 0, p = *pp; i < len; i++, p++) ++ if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL || ++ p[len - 1] & 0x80) ++ { ++ ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING); ++ return NULL; ++ } ++ /* Now 0 < len <= INT_MAX, so the cast is safe. */ ++ length = (int)len; ++ for (i = 0; i < length; i++, p++) + { + if (*p == 0x80 && (!i || !(p[-1] & 0x80))) + { +@@ -316,23 +328,23 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, + data = (unsigned char *)ret->data; + ret->data = NULL; + /* once detached we can change it */ +- if ((data == NULL) || (ret->length < len)) ++ if ((data == NULL) || (ret->length < length)) + { + ret->length=0; + if (data != NULL) OPENSSL_free(data); +- data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1); ++ data=(unsigned char *)OPENSSL_malloc(length); + if (data == NULL) + { i=ERR_R_MALLOC_FAILURE; goto err; } + ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA; + } +- memcpy(data,p,(int)len); ++ memcpy(data,p,length); + /* reattach data to object, after which it remains const */ + ret->data =data; +- ret->length=(int)len; ++ ret->length=length; + ret->sn=NULL; + ret->ln=NULL; + /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */ +- p+=len; ++ p+=length; + + if (a != NULL) (*a)=ret; + *pp=p; +diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c +index 8a342ba..0b2f442 100644 +--- a/crypto/objects/obj_dat.c ++++ b/crypto/objects/obj_dat.c +@@ -471,11 +471,12 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + const unsigned char *p; + char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2]; + +- if ((a == NULL) || (a->data == NULL)) { +- buf[0]='\0'; +- return(0); +- } ++ /* Ensure that, at every state, |buf| is NUL-terminated. */ ++ if (buf && buf_len > 0) ++ buf[0] = '\0'; + ++ if ((a == NULL) || (a->data == NULL)) ++ return(0); + + if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef) + { +@@ -554,9 +555,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + i=(int)(l/40); + l-=(long)(i*40); + } +- if (buf && (buf_len > 0)) ++ if (buf && (buf_len > 1)) + { + *buf++ = i + '0'; ++ *buf = '\0'; + buf_len--; + } + n++; +@@ -571,9 +573,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + i = strlen(bndec); + if (buf) + { +- if (buf_len > 0) ++ if (buf_len > 1) + { + *buf++ = '.'; ++ *buf = '\0'; + buf_len--; + } + BUF_strlcpy(buf,bndec,buf_len); +@@ -807,4 +810,3 @@ err: + OPENSSL_free(buf); + return(ok); + } +- +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3509.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3509.patch new file mode 100644 index 0000000000..cee4aadf5c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3509.patch @@ -0,0 +1,45 @@ +From 86788e1ee6908a5b3a4c95fa80caa4b724a8a434 Mon Sep 17 00:00:00 2001 +From: Gabor Tyukasz +Date: Wed, 23 Jul 2014 23:42:06 +0200 +Subject: [PATCH] Fix race condition in ssl_parse_serverhello_tlsext + +CVE-2014-3509 +Reviewed-by: Tim Hudson +Reviewed-by: Dr. Stephen Henson +--- + ssl/t1_lib.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index 8167a51..022a4fb 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -1555,15 +1555,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in + *al = TLS1_AD_DECODE_ERROR; + return 0; + } +- s->session->tlsext_ecpointformatlist_length = 0; +- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); +- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) ++ if (!s->hit) + { +- *al = TLS1_AD_INTERNAL_ERROR; +- return 0; ++ s->session->tlsext_ecpointformatlist_length = 0; ++ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); ++ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) ++ { ++ *al = TLS1_AD_INTERNAL_ERROR; ++ return 0; ++ } ++ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; ++ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); + } +- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; +- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); + #if 0 + fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); + sdata = s->session->tlsext_ecpointformatlist; +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3510.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3510.patch new file mode 100644 index 0000000000..419653646f --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3510.patch @@ -0,0 +1,86 @@ +From 88ae012c8092852f03c50f6461175271104b4c8a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Emilia=20K=C3=A4sper?= +Date: Thu, 24 Jul 2014 22:15:29 +0200 +Subject: [PATCH] Fix DTLS anonymous EC(DH) denial of service + +CVE-2014-3510 + +Reviewed-by: Dr. Stephen Henson +--- + ssl/d1_clnt.c | 23 +++++++++++++++++++++-- + ssl/s3_clnt.c | 7 +++++++ + 2 files changed, 28 insertions(+), 2 deletions(-) + +diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c +index 65dbb4a..fd6562c 100644 +--- a/ssl/d1_clnt.c ++++ b/ssl/d1_clnt.c +@@ -996,6 +996,13 @@ int dtls1_send_client_key_exchange(SSL *s) + RSA *rsa; + unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; + ++ if (s->session->sess_cert == NULL) ++ { ++ /* We should always have a server certificate with SSL_kRSA. */ ++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_rsa_tmp != NULL) + rsa=s->session->sess_cert->peer_rsa_tmp; + else +@@ -1186,6 +1193,13 @@ int dtls1_send_client_key_exchange(SSL *s) + { + DH *dh_srvr,*dh_clnt; + ++ if (s->session->sess_cert == NULL) ++ { ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); ++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_dh_tmp != NULL) + dh_srvr=s->session->sess_cert->peer_dh_tmp; + else +@@ -1245,6 +1259,13 @@ int dtls1_send_client_key_exchange(SSL *s) + int ecdh_clnt_cert = 0; + int field_size = 0; + ++ if (s->session->sess_cert == NULL) ++ { ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); ++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } ++ + /* Did we send out the client's + * ECDH share for use in premaster + * computation as part of client certificate? +@@ -1720,5 +1741,3 @@ int dtls1_send_client_certificate(SSL *s) + /* SSL3_ST_CW_CERT_D */ + return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); + } +- +- +diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c +index 2afb892..df05f78 100644 +--- a/ssl/s3_clnt.c ++++ b/ssl/s3_clnt.c +@@ -2253,6 +2253,13 @@ int ssl3_send_client_key_exchange(SSL *s) + RSA *rsa; + unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; + ++ if (s->session->sess_cert == NULL) ++ { ++ /* We should always have a server certificate with SSL_kRSA. */ ++ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_rsa_tmp != NULL) + rsa=s->session->sess_cert->peer_rsa_tmp; + else +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3511.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3511.patch new file mode 100644 index 0000000000..f9cb4ea39c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3511.patch @@ -0,0 +1,85 @@ +From fc4f4cdb8bf9981904e652abf69b892a45bddacf Mon Sep 17 00:00:00 2001 +From: David Benjamin +Date: Wed, 23 Jul 2014 22:32:21 +0200 +Subject: [PATCH] Fix protocol downgrade bug in case of fragmented packets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2014-3511 + +Reviewed-by: Emilia Käsper +Reviewed-by: Bodo Möller +--- + ssl/s23_srvr.c | 30 +++++++++++++++++++++++------- + 1 file changed, 23 insertions(+), 7 deletions(-) + +diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c +index 4877849..2901a6b 100644 +--- a/ssl/s23_srvr.c ++++ b/ssl/s23_srvr.c +@@ -348,23 +348,19 @@ int ssl23_get_client_hello(SSL *s) + * Client Hello message, this would be difficult, and we'd have + * to read more records to find out. + * No known SSL 3.0 client fragments ClientHello like this, +- * so we simply assume TLS 1.0 to avoid protocol version downgrade +- * attacks. */ ++ * so we simply reject such connections to avoid ++ * protocol version downgrade attacks. */ + if (p[3] == 0 && p[4] < 6) + { +-#if 0 + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL); + goto err; +-#else +- v[1] = TLS1_VERSION_MINOR; +-#endif + } + /* if major version number > 3 set minor to a value + * which will use the highest version 3 we support. + * If TLS 2.0 ever appears we will need to revise + * this.... + */ +- else if (p[9] > SSL3_VERSION_MAJOR) ++ if (p[9] > SSL3_VERSION_MAJOR) + v[1]=0xff; + else + v[1]=p[10]; /* minor version according to client_version */ +@@ -444,14 +440,34 @@ int ssl23_get_client_hello(SSL *s) + v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ + v[1] = p[4]; + ++ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 ++ * header is sent directly on the wire, not wrapped as a TLS ++ * record. It's format is: ++ * Byte Content ++ * 0-1 msg_length ++ * 2 msg_type ++ * 3-4 version ++ * 5-6 cipher_spec_length ++ * 7-8 session_id_length ++ * 9-10 challenge_length ++ * ... ... ++ */ + n=((p[0]&0x7f)<<8)|p[1]; + if (n > (1024*4)) + { + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE); + goto err; + } ++ if (n < 9) ++ { ++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH); ++ goto err; ++ } + + j=ssl23_read_bytes(s,n+2); ++ /* We previously read 11 bytes, so if j > 0, we must have ++ * j == n+2 == s->packet_length. We have at least 11 valid ++ * packet bytes. */ + if (j <= 0) return(j); + + ssl3_finish_mac(s, s->packet+2, s->packet_length-2); +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3513.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3513.patch new file mode 100644 index 0000000000..0d42eec4be --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3513.patch @@ -0,0 +1,186 @@ +diff -up openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak openssl-1.0.1e/ssl/d1_srtp.c +--- openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/d1_srtp.c 2014-10-15 13:23:34.253040160 +0200 +@@ -168,25 +168,6 @@ static int find_profile_by_name(char *pr + return 1; + } + +-static int find_profile_by_num(unsigned profile_num, +- SRTP_PROTECTION_PROFILE **pptr) +- { +- SRTP_PROTECTION_PROFILE *p; +- +- p=srtp_known_profiles; +- while(p->name) +- { +- if(p->id == profile_num) +- { +- *pptr=p; +- return 0; +- } +- p++; +- } +- +- return 1; +- } +- + static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out) + { + STACK_OF(SRTP_PROTECTION_PROFILE) *profiles; +@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const c + if(!find_profile_by_name(ptr,&p, + col ? col-ptr : (int)strlen(ptr))) + { ++ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0) ++ { ++ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); ++ sk_SRTP_PROTECTION_PROFILE_free(profiles); ++ return 1; ++ } ++ + sk_SRTP_PROTECTION_PROFILE_push(profiles,p); + } + else + { + SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE); ++ sk_SRTP_PROTECTION_PROFILE_free(profiles); + return 1; + } + +@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL + + int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al) + { +- SRTP_PROTECTION_PROFILE *cprof,*sprof; +- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr; ++ SRTP_PROTECTION_PROFILE *sprof; ++ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr; + int ct; + int mki_len; +- int i,j; +- int id; +- int ret; ++ int i, srtp_pref; ++ unsigned int id; + + /* Length value + the MKI length */ + if(len < 3) +@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(S + return 1; + } + ++ srvr=SSL_get_srtp_profiles(s); ++ s->srtp_profile = NULL; ++ /* Search all profiles for a match initially */ ++ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr); + +- clnt=sk_SRTP_PROTECTION_PROFILE_new_null(); +- + while(ct) + { + n2s(d,id); + ct-=2; + len-=2; + +- if(!find_profile_by_num(id,&cprof)) ++ /* ++ * Only look for match in profiles of higher preference than ++ * current match. ++ * If no profiles have been have been configured then this ++ * does nothing. ++ */ ++ for (i = 0; i < srtp_pref; i++) + { +- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof); +- } +- else +- { +- ; /* Ignore */ ++ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i); ++ if (sprof->id == id) ++ { ++ s->srtp_profile = sprof; ++ srtp_pref = i; ++ break; ++ } + } + } + +@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(S + return 1; + } + +- srvr=SSL_get_srtp_profiles(s); +- +- /* Pick our most preferred profile. If no profiles have been +- configured then the outer loop doesn't run +- (sk_SRTP_PROTECTION_PROFILE_num() = -1) +- and so we just return without doing anything */ +- for(i=0;iid==sprof->id) +- { +- s->srtp_profile=sprof; +- *al=0; +- ret=0; +- goto done; +- } +- } +- } +- +- ret=0; +- +-done: +- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt); +- +- return ret; ++ return 0; + } + + int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) +diff -up openssl-1.0.1e/ssl/t1_lib.c.srtp-leak openssl-1.0.1e/ssl/t1_lib.c +--- openssl-1.0.1e/ssl/t1_lib.c.srtp-leak 2014-10-15 13:19:59.955202293 +0200 ++++ openssl-1.0.1e/ssl/t1_lib.c 2014-10-15 13:23:34.254040182 +0200 +@@ -696,7 +696,7 @@ unsigned char *ssl_add_clienthello_tlsex + #endif + + #ifndef OPENSSL_NO_SRTP +- if(SSL_get_srtp_profiles(s)) ++ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) + { + int el; + +@@ -829,7 +829,7 @@ unsigned char *ssl_add_serverhello_tlsex + #endif + + #ifndef OPENSSL_NO_SRTP +- if(s->srtp_profile) ++ if(SSL_IS_DTLS(s) && s->srtp_profile) + { + int el; + +@@ -1377,7 +1377,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, + + /* session ticket processed earlier */ + #ifndef OPENSSL_NO_SRTP +- else if (type == TLSEXT_TYPE_use_srtp) ++ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) ++ && type == TLSEXT_TYPE_use_srtp) + { + if(ssl_parse_clienthello_use_srtp_ext(s, data, size, + al)) +@@ -1631,7 +1632,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, + } + #endif + #ifndef OPENSSL_NO_SRTP +- else if (type == TLSEXT_TYPE_use_srtp) ++ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) + { + if(ssl_parse_serverhello_use_srtp_ext(s, data, size, + al)) diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3567.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3567.patch new file mode 100644 index 0000000000..a01ee694d0 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3567.patch @@ -0,0 +1,14 @@ +diff -up openssl-1.0.1e/ssl/t1_lib.c.ticket-leak openssl-1.0.1e/ssl/t1_lib.c +--- openssl-1.0.1e/ssl/t1_lib.c.ticket-leak 2014-10-15 13:19:26.825454374 +0200 ++++ openssl-1.0.1e/ssl/t1_lib.c 2014-10-15 13:19:59.955202293 +0200 +@@ -2280,7 +2280,10 @@ static int tls_decrypt_ticket(SSL *s, co + HMAC_Final(&hctx, tick_hmac, NULL); + HMAC_CTX_cleanup(&hctx); + if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) ++ { ++ EVP_CIPHER_CTX_cleanup(&ctx); + return 2; ++ } + /* Attempt to decrypt session data */ + /* Move p after IV to start of encrypted ticket, update length */ + p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3570.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3570.patch new file mode 100644 index 0000000000..aff2f025d0 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3570.patch @@ -0,0 +1,3155 @@ +From e078642ddea29bbb6ba29788a6a513796387fbbb Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Mon, 5 Jan 2015 14:52:56 +0100 +Subject: [PATCH] Fix for CVE-2014-3570. + +Reviewed-by: Emilia Kasper +(cherry picked from commit e793809ba50c1e90ab592fb640a856168e50f3de) +(with 1.0.1-specific addendum) +--- + crypto/bn/asm/mips.pl | 611 +++--------- + crypto/bn/asm/mips3.s | 2201 -------------------------------------------- + crypto/bn/asm/x86_64-gcc.c | 34 +- + crypto/bn/bn_asm.c | 16 +- + crypto/bn/bntest.c | 102 +- + 5 files changed, 234 insertions(+), 2730 deletions(-) + delete mode 100644 crypto/bn/asm/mips3.s + +diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl +index d2f3ef7..215c9a7 100644 +--- a/crypto/bn/asm/mips.pl ++++ b/crypto/bn/asm/mips.pl +@@ -1872,6 +1872,41 @@ ___ + + ($a_4,$a_5,$a_6,$a_7)=($b_0,$b_1,$b_2,$b_3); + ++sub add_c2 () { ++my ($hi,$lo,$c0,$c1,$c2, ++ $warm, # !$warm denotes first call with specific sequence of ++ # $c_[XYZ] when there is no Z-carry to accumulate yet; ++ $an,$bn # these two are arguments for multiplication which ++ # result is used in *next* step [which is why it's ++ # commented as "forward multiplication" below]; ++ )=@_; ++$code.=<<___; ++ mflo $lo ++ mfhi $hi ++ $ADDU $c0,$lo ++ sltu $at,$c0,$lo ++ $MULTU $an,$bn # forward multiplication ++ $ADDU $c0,$lo ++ $ADDU $at,$hi ++ sltu $lo,$c0,$lo ++ $ADDU $c1,$at ++ $ADDU $hi,$lo ++___ ++$code.=<<___ if (!$warm); ++ sltu $c2,$c1,$at ++ $ADDU $c1,$hi ++ sltu $hi,$c1,$hi ++ $ADDU $c2,$hi ++___ ++$code.=<<___ if ($warm); ++ sltu $at,$c1,$at ++ $ADDU $c1,$hi ++ $ADDU $c2,$at ++ sltu $hi,$c1,$hi ++ $ADDU $c2,$hi ++___ ++} ++ + $code.=<<___; + + .align 5 +@@ -1920,21 +1955,10 @@ $code.=<<___; + sltu $at,$c_2,$t_1 + $ADDU $c_3,$t_2,$at + $ST $c_2,$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_2,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_1,$a_1 # mul_add_c(a[1],b[1],c3,c1,c2); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at ++___ ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, ++ $a_1,$a_1); # mul_add_c(a[1],b[1],c3,c1,c2); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_3,$t_1 +@@ -1945,67 +1969,19 @@ $code.=<<___; + sltu $at,$c_1,$t_2 + $ADDU $c_2,$at + $ST $c_3,2*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_3,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_1,$a_2 # mul_add_c2(a[1],b[2],c1,c2,c3); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_3,$at +- $MULTU $a_4,$a_0 # mul_add_c2(a[4],b[0],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at ++___ ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, ++ $a_1,$a_2); # mul_add_c2(a[1],b[2],c1,c2,c3); ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, ++ $a_4,$a_0); # mul_add_c2(a[4],b[0],c2,c3,c1); ++$code.=<<___; + $ST $c_1,3*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_1,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_3,$a_1 # mul_add_c2(a[3],b[1],c2,c3,c1); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_1,$at +- $MULTU $a_2,$a_2 # mul_add_c(a[2],b[2],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at ++___ ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, ++ $a_3,$a_1); # mul_add_c2(a[3],b[1],c2,c3,c1); ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, ++ $a_2,$a_2); # mul_add_c(a[2],b[2],c2,c3,c1); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_2,$t_1 +@@ -2016,97 +1992,23 @@ $code.=<<___; + sltu $at,$c_3,$t_2 + $ADDU $c_1,$at + $ST $c_2,4*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_2,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_1,$a_4 # mul_add_c2(a[1],b[4],c3,c1,c2); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_2,$at +- $MULTU $a_2,$a_3 # mul_add_c2(a[2],b[3],c3,c1,c2); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $MULTU $a_6,$a_0 # mul_add_c2(a[6],b[0],c1,c2,c3); +- $ADDU $c_2,$at +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at ++___ ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, ++ $a_1,$a_4); # mul_add_c2(a[1],b[4],c3,c1,c2); ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, ++ $a_2,$a_3); # mul_add_c2(a[2],b[3],c3,c1,c2); ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, ++ $a_6,$a_0); # mul_add_c2(a[6],b[0],c1,c2,c3); ++$code.=<<___; + $ST $c_3,5*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_3,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_5,$a_1 # mul_add_c2(a[5],b[1],c1,c2,c3); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_3,$at +- $MULTU $a_4,$a_2 # mul_add_c2(a[4],b[2],c1,c2,c3); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_3,$at +- $MULTU $a_3,$a_3 # mul_add_c(a[3],b[3],c1,c2,c3); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at ++___ ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, ++ $a_5,$a_1); # mul_add_c2(a[5],b[1],c1,c2,c3); ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, ++ $a_4,$a_2); # mul_add_c2(a[4],b[2],c1,c2,c3); ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, ++ $a_3,$a_3); # mul_add_c(a[3],b[3],c1,c2,c3); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_1,$t_1 +@@ -2117,112 +2019,25 @@ $code.=<<___; + sltu $at,$c_2,$t_2 + $ADDU $c_3,$at + $ST $c_1,6*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_1,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_1,$a_6 # mul_add_c2(a[1],b[6],c2,c3,c1); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_1,$at +- $MULTU $a_2,$a_5 # mul_add_c2(a[2],b[5],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_1,$at +- $MULTU $a_3,$a_4 # mul_add_c2(a[3],b[4],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_1,$at +- $MULTU $a_7,$a_1 # mul_add_c2(a[7],b[1],c3,c1,c2); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at ++___ ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, ++ $a_1,$a_6); # mul_add_c2(a[1],b[6],c2,c3,c1); ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, ++ $a_2,$a_5); # mul_add_c2(a[2],b[5],c2,c3,c1); ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, ++ $a_3,$a_4); # mul_add_c2(a[3],b[4],c2,c3,c1); ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, ++ $a_7,$a_1); # mul_add_c2(a[7],b[1],c3,c1,c2); ++$code.=<<___; + $ST $c_2,7*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_2,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_6,$a_2 # mul_add_c2(a[6],b[2],c3,c1,c2); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_2,$at +- $MULTU $a_5,$a_3 # mul_add_c2(a[5],b[3],c3,c1,c2); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_2,$at +- $MULTU $a_4,$a_4 # mul_add_c(a[4],b[4],c3,c1,c2); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at ++___ ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, ++ $a_6,$a_2); # mul_add_c2(a[6],b[2],c3,c1,c2); ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, ++ $a_5,$a_3); # mul_add_c2(a[5],b[3],c3,c1,c2); ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, ++ $a_4,$a_4); # mul_add_c(a[4],b[4],c3,c1,c2); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_3,$t_1 +@@ -2233,82 +2048,21 @@ $code.=<<___; + sltu $at,$c_1,$t_2 + $ADDU $c_2,$at + $ST $c_3,8*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_3,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_3,$a_6 # mul_add_c2(a[3],b[6],c1,c2,c3); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_3,$at +- $MULTU $a_4,$a_5 # mul_add_c2(a[4],b[5],c1,c2,c3); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_3,$at +- $MULTU $a_7,$a_3 # mul_add_c2(a[7],b[3],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at ++___ ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, ++ $a_3,$a_6); # mul_add_c2(a[3],b[6],c1,c2,c3); ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, ++ $a_4,$a_5); # mul_add_c2(a[4],b[5],c1,c2,c3); ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, ++ $a_7,$a_3); # mul_add_c2(a[7],b[3],c2,c3,c1); ++$code.=<<___; + $ST $c_1,9*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_1,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_6,$a_4 # mul_add_c2(a[6],b[4],c2,c3,c1); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_1,$at +- $MULTU $a_5,$a_5 # mul_add_c(a[5],b[5],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at ++___ ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, ++ $a_6,$a_4); # mul_add_c2(a[6],b[4],c2,c3,c1); ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, ++ $a_5,$a_5); # mul_add_c(a[5],b[5],c2,c3,c1); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_2,$t_1 +@@ -2319,52 +2073,17 @@ $code.=<<___; + sltu $at,$c_3,$t_2 + $ADDU $c_1,$at + $ST $c_2,10*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_2,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_5,$a_6 # mul_add_c2(a[5],b[6],c3,c1,c2); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_2,$at +- $MULTU $a_7,$a_5 # mul_add_c2(a[7],b[5],c1,c2,c3); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at ++___ ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, ++ $a_5,$a_6); # mul_add_c2(a[5],b[6],c3,c1,c2); ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, ++ $a_7,$a_5); # mul_add_c2(a[7],b[5],c1,c2,c3); ++$code.=<<___; + $ST $c_3,11*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_3,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_6,$a_6 # mul_add_c(a[6],b[6],c1,c2,c3); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at ++___ ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, ++ $a_6,$a_6); # mul_add_c(a[6],b[6],c1,c2,c3); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_1,$t_1 +@@ -2375,21 +2094,10 @@ $code.=<<___; + sltu $at,$c_2,$t_2 + $ADDU $c_3,$at + $ST $c_1,12*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_1,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_7,$a_7 # mul_add_c(a[7],b[7],c3,c1,c2); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at ++___ ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, ++ $a_7,$a_7); # mul_add_c(a[7],b[7],c3,c1,c2); ++$code.=<<___; + $ST $c_2,13*$BNSZ($a0) + + mflo $t_1 +@@ -2457,21 +2165,10 @@ $code.=<<___; + sltu $at,$c_2,$t_1 + $ADDU $c_3,$t_2,$at + $ST $c_2,$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_2,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_1,$a_1 # mul_add_c(a[1],b[1],c3,c1,c2); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at ++___ ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, ++ $a_1,$a_1); # mul_add_c(a[1],b[1],c3,c1,c2); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_3,$t_1 +@@ -2482,52 +2179,17 @@ $code.=<<___; + sltu $at,$c_1,$t_2 + $ADDU $c_2,$at + $ST $c_3,2*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_3,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_1,$a_2 # mul_add_c(a2[1],b[2],c1,c2,c3); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_3,$at +- $MULTU $a_3,$a_1 # mul_add_c2(a[3],b[1],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at ++___ ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, ++ $a_1,$a_2); # mul_add_c2(a2[1],b[2],c1,c2,c3); ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, ++ $a_3,$a_1); # mul_add_c2(a[3],b[1],c2,c3,c1); ++$code.=<<___; + $ST $c_1,3*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_1,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_2,$a_2 # mul_add_c(a[2],b[2],c2,c3,c1); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at ++___ ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, ++ $a_2,$a_2); # mul_add_c(a[2],b[2],c2,c3,c1); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_2,$t_1 +@@ -2538,21 +2200,10 @@ $code.=<<___; + sltu $at,$c_3,$t_2 + $ADDU $c_1,$at + $ST $c_2,4*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_2,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_3,$a_3 # mul_add_c(a[3],b[3],c1,c2,c3); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at ++___ ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, ++ $a_3,$a_3); # mul_add_c(a[3],b[3],c1,c2,c3); ++$code.=<<___; + $ST $c_3,5*$BNSZ($a0) + + mflo $t_1 +diff --git a/crypto/bn/asm/mips3.s b/crypto/bn/asm/mips3.s +deleted file mode 100644 +index dca4105..0000000 +--- a/crypto/bn/asm/mips3.s ++++ /dev/null +@@ -1,2201 +0,0 @@ +-.rdata +-.asciiz "mips3.s, Version 1.1" +-.asciiz "MIPS III/IV ISA artwork by Andy Polyakov " +- +-/* +- * ==================================================================== +- * Written by Andy Polyakov for the OpenSSL +- * project. +- * +- * Rights for redistribution and usage in source and binary forms are +- * granted according to the OpenSSL license. Warranty of any kind is +- * disclaimed. +- * ==================================================================== +- */ +- +-/* +- * This is my modest contributon to the OpenSSL project (see +- * http://www.openssl.org/ for more information about it) and is +- * a drop-in MIPS III/IV ISA replacement for crypto/bn/bn_asm.c +- * module. For updates see http://fy.chalmers.se/~appro/hpe/. +- * +- * The module is designed to work with either of the "new" MIPS ABI(5), +- * namely N32 or N64, offered by IRIX 6.x. It's not ment to work under +- * IRIX 5.x not only because it doesn't support new ABIs but also +- * because 5.x kernels put R4x00 CPU into 32-bit mode and all those +- * 64-bit instructions (daddu, dmultu, etc.) found below gonna only +- * cause illegal instruction exception:-( +- * +- * In addition the code depends on preprocessor flags set up by MIPSpro +- * compiler driver (either as or cc) and therefore (probably?) can't be +- * compiled by the GNU assembler. GNU C driver manages fine though... +- * I mean as long as -mmips-as is specified or is the default option, +- * because then it simply invokes /usr/bin/as which in turn takes +- * perfect care of the preprocessor definitions. Another neat feature +- * offered by the MIPSpro assembler is an optimization pass. This gave +- * me the opportunity to have the code looking more regular as all those +- * architecture dependent instruction rescheduling details were left to +- * the assembler. Cool, huh? +- * +- * Performance improvement is astonishing! 'apps/openssl speed rsa dsa' +- * goes way over 3 times faster! +- * +- * +- */ +-#include +-#include +- +-#if _MIPS_ISA>=4 +-#define MOVNZ(cond,dst,src) \ +- movn dst,src,cond +-#else +-#define MOVNZ(cond,dst,src) \ +- .set noreorder; \ +- bnezl cond,.+8; \ +- move dst,src; \ +- .set reorder +-#endif +- +-.text +- +-.set noat +-.set reorder +- +-#define MINUS4 v1 +- +-.align 5 +-LEAF(bn_mul_add_words) +- .set noreorder +- bgtzl a2,.L_bn_mul_add_words_proceed +- ld t0,0(a1) +- jr ra +- move v0,zero +- .set reorder +- +-.L_bn_mul_add_words_proceed: +- li MINUS4,-4 +- and ta0,a2,MINUS4 +- move v0,zero +- beqz ta0,.L_bn_mul_add_words_tail +- +-.L_bn_mul_add_words_loop: +- dmultu t0,a3 +- ld t1,0(a0) +- ld t2,8(a1) +- ld t3,8(a0) +- ld ta0,16(a1) +- ld ta1,16(a0) +- daddu t1,v0 +- sltu v0,t1,v0 /* All manuals say it "compares 32-bit +- * values", but it seems to work fine +- * even on 64-bit registers. */ +- mflo AT +- mfhi t0 +- daddu t1,AT +- daddu v0,t0 +- sltu AT,t1,AT +- sd t1,0(a0) +- daddu v0,AT +- +- dmultu t2,a3 +- ld ta2,24(a1) +- ld ta3,24(a0) +- daddu t3,v0 +- sltu v0,t3,v0 +- mflo AT +- mfhi t2 +- daddu t3,AT +- daddu v0,t2 +- sltu AT,t3,AT +- sd t3,8(a0) +- daddu v0,AT +- +- dmultu ta0,a3 +- subu a2,4 +- PTR_ADD a0,32 +- PTR_ADD a1,32 +- daddu ta1,v0 +- sltu v0,ta1,v0 +- mflo AT +- mfhi ta0 +- daddu ta1,AT +- daddu v0,ta0 +- sltu AT,ta1,AT +- sd ta1,-16(a0) +- daddu v0,AT +- +- +- dmultu ta2,a3 +- and ta0,a2,MINUS4 +- daddu ta3,v0 +- sltu v0,ta3,v0 +- mflo AT +- mfhi ta2 +- daddu ta3,AT +- daddu v0,ta2 +- sltu AT,ta3,AT +- sd ta3,-8(a0) +- daddu v0,AT +- .set noreorder +- bgtzl ta0,.L_bn_mul_add_words_loop +- ld t0,0(a1) +- +- bnezl a2,.L_bn_mul_add_words_tail +- ld t0,0(a1) +- .set reorder +- +-.L_bn_mul_add_words_return: +- jr ra +- +-.L_bn_mul_add_words_tail: +- dmultu t0,a3 +- ld t1,0(a0) +- subu a2,1 +- daddu t1,v0 +- sltu v0,t1,v0 +- mflo AT +- mfhi t0 +- daddu t1,AT +- daddu v0,t0 +- sltu AT,t1,AT +- sd t1,0(a0) +- daddu v0,AT +- beqz a2,.L_bn_mul_add_words_return +- +- ld t0,8(a1) +- dmultu t0,a3 +- ld t1,8(a0) +- subu a2,1 +- daddu t1,v0 +- sltu v0,t1,v0 +- mflo AT +- mfhi t0 +- daddu t1,AT +- daddu v0,t0 +- sltu AT,t1,AT +- sd t1,8(a0) +- daddu v0,AT +- beqz a2,.L_bn_mul_add_words_return +- +- ld t0,16(a1) +- dmultu t0,a3 +- ld t1,16(a0) +- daddu t1,v0 +- sltu v0,t1,v0 +- mflo AT +- mfhi t0 +- daddu t1,AT +- daddu v0,t0 +- sltu AT,t1,AT +- sd t1,16(a0) +- daddu v0,AT +- jr ra +-END(bn_mul_add_words) +- +-.align 5 +-LEAF(bn_mul_words) +- .set noreorder +- bgtzl a2,.L_bn_mul_words_proceed +- ld t0,0(a1) +- jr ra +- move v0,zero +- .set reorder +- +-.L_bn_mul_words_proceed: +- li MINUS4,-4 +- and ta0,a2,MINUS4 +- move v0,zero +- beqz ta0,.L_bn_mul_words_tail +- +-.L_bn_mul_words_loop: +- dmultu t0,a3 +- ld t2,8(a1) +- ld ta0,16(a1) +- ld ta2,24(a1) +- mflo AT +- mfhi t0 +- daddu v0,AT +- sltu t1,v0,AT +- sd v0,0(a0) +- daddu v0,t1,t0 +- +- dmultu t2,a3 +- subu a2,4 +- PTR_ADD a0,32 +- PTR_ADD a1,32 +- mflo AT +- mfhi t2 +- daddu v0,AT +- sltu t3,v0,AT +- sd v0,-24(a0) +- daddu v0,t3,t2 +- +- dmultu ta0,a3 +- mflo AT +- mfhi ta0 +- daddu v0,AT +- sltu ta1,v0,AT +- sd v0,-16(a0) +- daddu v0,ta1,ta0 +- +- +- dmultu ta2,a3 +- and ta0,a2,MINUS4 +- mflo AT +- mfhi ta2 +- daddu v0,AT +- sltu ta3,v0,AT +- sd v0,-8(a0) +- daddu v0,ta3,ta2 +- .set noreorder +- bgtzl ta0,.L_bn_mul_words_loop +- ld t0,0(a1) +- +- bnezl a2,.L_bn_mul_words_tail +- ld t0,0(a1) +- .set reorder +- +-.L_bn_mul_words_return: +- jr ra +- +-.L_bn_mul_words_tail: +- dmultu t0,a3 +- subu a2,1 +- mflo AT +- mfhi t0 +- daddu v0,AT +- sltu t1,v0,AT +- sd v0,0(a0) +- daddu v0,t1,t0 +- beqz a2,.L_bn_mul_words_return +- +- ld t0,8(a1) +- dmultu t0,a3 +- subu a2,1 +- mflo AT +- mfhi t0 +- daddu v0,AT +- sltu t1,v0,AT +- sd v0,8(a0) +- daddu v0,t1,t0 +- beqz a2,.L_bn_mul_words_return +- +- ld t0,16(a1) +- dmultu t0,a3 +- mflo AT +- mfhi t0 +- daddu v0,AT +- sltu t1,v0,AT +- sd v0,16(a0) +- daddu v0,t1,t0 +- jr ra +-END(bn_mul_words) +- +-.align 5 +-LEAF(bn_sqr_words) +- .set noreorder +- bgtzl a2,.L_bn_sqr_words_proceed +- ld t0,0(a1) +- jr ra +- move v0,zero +- .set reorder +- +-.L_bn_sqr_words_proceed: +- li MINUS4,-4 +- and ta0,a2,MINUS4 +- move v0,zero +- beqz ta0,.L_bn_sqr_words_tail +- +-.L_bn_sqr_words_loop: +- dmultu t0,t0 +- ld t2,8(a1) +- ld ta0,16(a1) +- ld ta2,24(a1) +- mflo t1 +- mfhi t0 +- sd t1,0(a0) +- sd t0,8(a0) +- +- dmultu t2,t2 +- subu a2,4 +- PTR_ADD a0,64 +- PTR_ADD a1,32 +- mflo t3 +- mfhi t2 +- sd t3,-48(a0) +- sd t2,-40(a0) +- +- dmultu ta0,ta0 +- mflo ta1 +- mfhi ta0 +- sd ta1,-32(a0) +- sd ta0,-24(a0) +- +- +- dmultu ta2,ta2 +- and ta0,a2,MINUS4 +- mflo ta3 +- mfhi ta2 +- sd ta3,-16(a0) +- sd ta2,-8(a0) +- +- .set noreorder +- bgtzl ta0,.L_bn_sqr_words_loop +- ld t0,0(a1) +- +- bnezl a2,.L_bn_sqr_words_tail +- ld t0,0(a1) +- .set reorder +- +-.L_bn_sqr_words_return: +- move v0,zero +- jr ra +- +-.L_bn_sqr_words_tail: +- dmultu t0,t0 +- subu a2,1 +- mflo t1 +- mfhi t0 +- sd t1,0(a0) +- sd t0,8(a0) +- beqz a2,.L_bn_sqr_words_return +- +- ld t0,8(a1) +- dmultu t0,t0 +- subu a2,1 +- mflo t1 +- mfhi t0 +- sd t1,16(a0) +- sd t0,24(a0) +- beqz a2,.L_bn_sqr_words_return +- +- ld t0,16(a1) +- dmultu t0,t0 +- mflo t1 +- mfhi t0 +- sd t1,32(a0) +- sd t0,40(a0) +- jr ra +-END(bn_sqr_words) +- +-.align 5 +-LEAF(bn_add_words) +- .set noreorder +- bgtzl a3,.L_bn_add_words_proceed +- ld t0,0(a1) +- jr ra +- move v0,zero +- .set reorder +- +-.L_bn_add_words_proceed: +- li MINUS4,-4 +- and AT,a3,MINUS4 +- move v0,zero +- beqz AT,.L_bn_add_words_tail +- +-.L_bn_add_words_loop: +- ld ta0,0(a2) +- subu a3,4 +- ld t1,8(a1) +- and AT,a3,MINUS4 +- ld t2,16(a1) +- PTR_ADD a2,32 +- ld t3,24(a1) +- PTR_ADD a0,32 +- ld ta1,-24(a2) +- PTR_ADD a1,32 +- ld ta2,-16(a2) +- ld ta3,-8(a2) +- daddu ta0,t0 +- sltu t8,ta0,t0 +- daddu t0,ta0,v0 +- sltu v0,t0,ta0 +- sd t0,-32(a0) +- daddu v0,t8 +- +- daddu ta1,t1 +- sltu t9,ta1,t1 +- daddu t1,ta1,v0 +- sltu v0,t1,ta1 +- sd t1,-24(a0) +- daddu v0,t9 +- +- daddu ta2,t2 +- sltu t8,ta2,t2 +- daddu t2,ta2,v0 +- sltu v0,t2,ta2 +- sd t2,-16(a0) +- daddu v0,t8 +- +- daddu ta3,t3 +- sltu t9,ta3,t3 +- daddu t3,ta3,v0 +- sltu v0,t3,ta3 +- sd t3,-8(a0) +- daddu v0,t9 +- +- .set noreorder +- bgtzl AT,.L_bn_add_words_loop +- ld t0,0(a1) +- +- bnezl a3,.L_bn_add_words_tail +- ld t0,0(a1) +- .set reorder +- +-.L_bn_add_words_return: +- jr ra +- +-.L_bn_add_words_tail: +- ld ta0,0(a2) +- daddu ta0,t0 +- subu a3,1 +- sltu t8,ta0,t0 +- daddu t0,ta0,v0 +- sltu v0,t0,ta0 +- sd t0,0(a0) +- daddu v0,t8 +- beqz a3,.L_bn_add_words_return +- +- ld t1,8(a1) +- ld ta1,8(a2) +- daddu ta1,t1 +- subu a3,1 +- sltu t9,ta1,t1 +- daddu t1,ta1,v0 +- sltu v0,t1,ta1 +- sd t1,8(a0) +- daddu v0,t9 +- beqz a3,.L_bn_add_words_return +- +- ld t2,16(a1) +- ld ta2,16(a2) +- daddu ta2,t2 +- sltu t8,ta2,t2 +- daddu t2,ta2,v0 +- sltu v0,t2,ta2 +- sd t2,16(a0) +- daddu v0,t8 +- jr ra +-END(bn_add_words) +- +-.align 5 +-LEAF(bn_sub_words) +- .set noreorder +- bgtzl a3,.L_bn_sub_words_proceed +- ld t0,0(a1) +- jr ra +- move v0,zero +- .set reorder +- +-.L_bn_sub_words_proceed: +- li MINUS4,-4 +- and AT,a3,MINUS4 +- move v0,zero +- beqz AT,.L_bn_sub_words_tail +- +-.L_bn_sub_words_loop: +- ld ta0,0(a2) +- subu a3,4 +- ld t1,8(a1) +- and AT,a3,MINUS4 +- ld t2,16(a1) +- PTR_ADD a2,32 +- ld t3,24(a1) +- PTR_ADD a0,32 +- ld ta1,-24(a2) +- PTR_ADD a1,32 +- ld ta2,-16(a2) +- ld ta3,-8(a2) +- sltu t8,t0,ta0 +- dsubu t0,ta0 +- dsubu ta0,t0,v0 +- sd ta0,-32(a0) +- MOVNZ (t0,v0,t8) +- +- sltu t9,t1,ta1 +- dsubu t1,ta1 +- dsubu ta1,t1,v0 +- sd ta1,-24(a0) +- MOVNZ (t1,v0,t9) +- +- +- sltu t8,t2,ta2 +- dsubu t2,ta2 +- dsubu ta2,t2,v0 +- sd ta2,-16(a0) +- MOVNZ (t2,v0,t8) +- +- sltu t9,t3,ta3 +- dsubu t3,ta3 +- dsubu ta3,t3,v0 +- sd ta3,-8(a0) +- MOVNZ (t3,v0,t9) +- +- .set noreorder +- bgtzl AT,.L_bn_sub_words_loop +- ld t0,0(a1) +- +- bnezl a3,.L_bn_sub_words_tail +- ld t0,0(a1) +- .set reorder +- +-.L_bn_sub_words_return: +- jr ra +- +-.L_bn_sub_words_tail: +- ld ta0,0(a2) +- subu a3,1 +- sltu t8,t0,ta0 +- dsubu t0,ta0 +- dsubu ta0,t0,v0 +- MOVNZ (t0,v0,t8) +- sd ta0,0(a0) +- beqz a3,.L_bn_sub_words_return +- +- ld t1,8(a1) +- subu a3,1 +- ld ta1,8(a2) +- sltu t9,t1,ta1 +- dsubu t1,ta1 +- dsubu ta1,t1,v0 +- MOVNZ (t1,v0,t9) +- sd ta1,8(a0) +- beqz a3,.L_bn_sub_words_return +- +- ld t2,16(a1) +- ld ta2,16(a2) +- sltu t8,t2,ta2 +- dsubu t2,ta2 +- dsubu ta2,t2,v0 +- MOVNZ (t2,v0,t8) +- sd ta2,16(a0) +- jr ra +-END(bn_sub_words) +- +-#undef MINUS4 +- +-.align 5 +-LEAF(bn_div_3_words) +- .set reorder +- move a3,a0 /* we know that bn_div_words doesn't +- * touch a3, ta2, ta3 and preserves a2 +- * so that we can save two arguments +- * and return address in registers +- * instead of stack:-) +- */ +- ld a0,(a3) +- move ta2,a1 +- ld a1,-8(a3) +- bne a0,a2,.L_bn_div_3_words_proceed +- li v0,-1 +- jr ra +-.L_bn_div_3_words_proceed: +- move ta3,ra +- bal bn_div_words +- move ra,ta3 +- dmultu ta2,v0 +- ld t2,-16(a3) +- move ta0,zero +- mfhi t1 +- mflo t0 +- sltu t8,t1,v1 +-.L_bn_div_3_words_inner_loop: +- bnez t8,.L_bn_div_3_words_inner_loop_done +- sgeu AT,t2,t0 +- seq t9,t1,v1 +- and AT,t9 +- sltu t3,t0,ta2 +- daddu v1,a2 +- dsubu t1,t3 +- dsubu t0,ta2 +- sltu t8,t1,v1 +- sltu ta0,v1,a2 +- or t8,ta0 +- .set noreorder +- beqzl AT,.L_bn_div_3_words_inner_loop +- dsubu v0,1 +- .set reorder +-.L_bn_div_3_words_inner_loop_done: +- jr ra +-END(bn_div_3_words) +- +-.align 5 +-LEAF(bn_div_words) +- .set noreorder +- bnezl a2,.L_bn_div_words_proceed +- move v1,zero +- jr ra +- li v0,-1 /* I'd rather signal div-by-zero +- * which can be done with 'break 7' */ +- +-.L_bn_div_words_proceed: +- bltz a2,.L_bn_div_words_body +- move t9,v1 +- dsll a2,1 +- bgtz a2,.-4 +- addu t9,1 +- +- .set reorder +- negu t1,t9 +- li t2,-1 +- dsll t2,t1 +- and t2,a0 +- dsrl AT,a1,t1 +- .set noreorder +- bnezl t2,.+8 +- break 6 /* signal overflow */ +- .set reorder +- dsll a0,t9 +- dsll a1,t9 +- or a0,AT +- +-#define QT ta0 +-#define HH ta1 +-#define DH v1 +-.L_bn_div_words_body: +- dsrl DH,a2,32 +- sgeu AT,a0,a2 +- .set noreorder +- bnezl AT,.+8 +- dsubu a0,a2 +- .set reorder +- +- li QT,-1 +- dsrl HH,a0,32 +- dsrl QT,32 /* q=0xffffffff */ +- beq DH,HH,.L_bn_div_words_skip_div1 +- ddivu zero,a0,DH +- mflo QT +-.L_bn_div_words_skip_div1: +- dmultu a2,QT +- dsll t3,a0,32 +- dsrl AT,a1,32 +- or t3,AT +- mflo t0 +- mfhi t1 +-.L_bn_div_words_inner_loop1: +- sltu t2,t3,t0 +- seq t8,HH,t1 +- sltu AT,HH,t1 +- and t2,t8 +- sltu v0,t0,a2 +- or AT,t2 +- .set noreorder +- beqz AT,.L_bn_div_words_inner_loop1_done +- dsubu t1,v0 +- dsubu t0,a2 +- b .L_bn_div_words_inner_loop1 +- dsubu QT,1 +- .set reorder +-.L_bn_div_words_inner_loop1_done: +- +- dsll a1,32 +- dsubu a0,t3,t0 +- dsll v0,QT,32 +- +- li QT,-1 +- dsrl HH,a0,32 +- dsrl QT,32 /* q=0xffffffff */ +- beq DH,HH,.L_bn_div_words_skip_div2 +- ddivu zero,a0,DH +- mflo QT +-.L_bn_div_words_skip_div2: +-#undef DH +- dmultu a2,QT +- dsll t3,a0,32 +- dsrl AT,a1,32 +- or t3,AT +- mflo t0 +- mfhi t1 +-.L_bn_div_words_inner_loop2: +- sltu t2,t3,t0 +- seq t8,HH,t1 +- sltu AT,HH,t1 +- and t2,t8 +- sltu v1,t0,a2 +- or AT,t2 +- .set noreorder +- beqz AT,.L_bn_div_words_inner_loop2_done +- dsubu t1,v1 +- dsubu t0,a2 +- b .L_bn_div_words_inner_loop2 +- dsubu QT,1 +- .set reorder +-.L_bn_div_words_inner_loop2_done: +-#undef HH +- +- dsubu a0,t3,t0 +- or v0,QT +- dsrl v1,a0,t9 /* v1 contains remainder if anybody wants it */ +- dsrl a2,t9 /* restore a2 */ +- jr ra +-#undef QT +-END(bn_div_words) +- +-#define a_0 t0 +-#define a_1 t1 +-#define a_2 t2 +-#define a_3 t3 +-#define b_0 ta0 +-#define b_1 ta1 +-#define b_2 ta2 +-#define b_3 ta3 +- +-#define a_4 s0 +-#define a_5 s2 +-#define a_6 s4 +-#define a_7 a1 /* once we load a[7] we don't need a anymore */ +-#define b_4 s1 +-#define b_5 s3 +-#define b_6 s5 +-#define b_7 a2 /* once we load b[7] we don't need b anymore */ +- +-#define t_1 t8 +-#define t_2 t9 +- +-#define c_1 v0 +-#define c_2 v1 +-#define c_3 a3 +- +-#define FRAME_SIZE 48 +- +-.align 5 +-LEAF(bn_mul_comba8) +- .set noreorder +- PTR_SUB sp,FRAME_SIZE +- .frame sp,64,ra +- .set reorder +- ld a_0,0(a1) /* If compiled with -mips3 option on +- * R5000 box assembler barks on this +- * line with "shouldn't have mult/div +- * as last instruction in bb (R10K +- * bug)" warning. If anybody out there +- * has a clue about how to circumvent +- * this do send me a note. +- * +- */ +- ld b_0,0(a2) +- ld a_1,8(a1) +- ld a_2,16(a1) +- ld a_3,24(a1) +- ld b_1,8(a2) +- ld b_2,16(a2) +- ld b_3,24(a2) +- dmultu a_0,b_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */ +- sd s0,0(sp) +- sd s1,8(sp) +- sd s2,16(sp) +- sd s3,24(sp) +- sd s4,32(sp) +- sd s5,40(sp) +- mflo c_1 +- mfhi c_2 +- +- dmultu a_0,b_1 /* mul_add_c(a[0],b[1],c2,c3,c1); */ +- ld a_4,32(a1) +- ld a_5,40(a1) +- ld a_6,48(a1) +- ld a_7,56(a1) +- ld b_4,32(a2) +- ld b_5,40(a2) +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu c_3,t_2,AT +- dmultu a_1,b_0 /* mul_add_c(a[1],b[0],c2,c3,c1); */ +- ld b_6,48(a2) +- ld b_7,56(a2) +- sd c_1,0(a0) /* r[0]=c1; */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- sd c_2,8(a0) /* r[1]=c2; */ +- +- dmultu a_2,b_0 /* mul_add_c(a[2],b[0],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- dmultu a_1,b_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu c_2,c_1,t_2 +- dmultu a_0,b_2 /* mul_add_c(a[0],b[2],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,16(a0) /* r[2]=c3; */ +- +- dmultu a_0,b_3 /* mul_add_c(a[0],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu c_3,c_2,t_2 +- dmultu a_1,b_2 /* mul_add_c(a[1],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_2,b_1 /* mul_add_c(a[2],b[1],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_3,b_0 /* mul_add_c(a[3],b[0],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,24(a0) /* r[3]=c1; */ +- +- dmultu a_4,b_0 /* mul_add_c(a[4],b[0],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- dmultu a_3,b_1 /* mul_add_c(a[3],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_2,b_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_1,b_3 /* mul_add_c(a[1],b[3],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_0,b_4 /* mul_add_c(a[0],b[4],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,32(a0) /* r[4]=c2; */ +- +- dmultu a_0,b_5 /* mul_add_c(a[0],b[5],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu c_2,c_1,t_2 +- dmultu a_1,b_4 /* mul_add_c(a[1],b[4],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_2,b_3 /* mul_add_c(a[2],b[3],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_3,b_2 /* mul_add_c(a[3],b[2],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_4,b_1 /* mul_add_c(a[4],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_5,b_0 /* mul_add_c(a[5],b[0],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,40(a0) /* r[5]=c3; */ +- +- dmultu a_6,b_0 /* mul_add_c(a[6],b[0],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu c_3,c_2,t_2 +- dmultu a_5,b_1 /* mul_add_c(a[5],b[1],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_4,b_2 /* mul_add_c(a[4],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_3,b_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_2,b_4 /* mul_add_c(a[2],b[4],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_1,b_5 /* mul_add_c(a[1],b[5],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_0,b_6 /* mul_add_c(a[0],b[6],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,48(a0) /* r[6]=c1; */ +- +- dmultu a_0,b_7 /* mul_add_c(a[0],b[7],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- dmultu a_1,b_6 /* mul_add_c(a[1],b[6],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_2,b_5 /* mul_add_c(a[2],b[5],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_3,b_4 /* mul_add_c(a[3],b[4],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_4,b_3 /* mul_add_c(a[4],b[3],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_5,b_2 /* mul_add_c(a[5],b[2],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_6,b_1 /* mul_add_c(a[6],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_7,b_0 /* mul_add_c(a[7],b[0],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,56(a0) /* r[7]=c2; */ +- +- dmultu a_7,b_1 /* mul_add_c(a[7],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu c_2,c_1,t_2 +- dmultu a_6,b_2 /* mul_add_c(a[6],b[2],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_5,b_3 /* mul_add_c(a[5],b[3],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_4,b_4 /* mul_add_c(a[4],b[4],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_3,b_5 /* mul_add_c(a[3],b[5],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_2,b_6 /* mul_add_c(a[2],b[6],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_1,b_7 /* mul_add_c(a[1],b[7],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,64(a0) /* r[8]=c3; */ +- +- dmultu a_2,b_7 /* mul_add_c(a[2],b[7],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu c_3,c_2,t_2 +- dmultu a_3,b_6 /* mul_add_c(a[3],b[6],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_4,b_5 /* mul_add_c(a[4],b[5],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_5,b_4 /* mul_add_c(a[5],b[4],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_6,b_3 /* mul_add_c(a[6],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_7,b_2 /* mul_add_c(a[7],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,72(a0) /* r[9]=c1; */ +- +- dmultu a_7,b_3 /* mul_add_c(a[7],b[3],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- dmultu a_6,b_4 /* mul_add_c(a[6],b[4],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_5,b_5 /* mul_add_c(a[5],b[5],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_4,b_6 /* mul_add_c(a[4],b[6],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_3,b_7 /* mul_add_c(a[3],b[7],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,80(a0) /* r[10]=c2; */ +- +- dmultu a_4,b_7 /* mul_add_c(a[4],b[7],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu c_2,c_1,t_2 +- dmultu a_5,b_6 /* mul_add_c(a[5],b[6],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_6,b_5 /* mul_add_c(a[6],b[5],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_7,b_4 /* mul_add_c(a[7],b[4],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,88(a0) /* r[11]=c3; */ +- +- dmultu a_7,b_5 /* mul_add_c(a[7],b[5],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu c_3,c_2,t_2 +- dmultu a_6,b_6 /* mul_add_c(a[6],b[6],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_5,b_7 /* mul_add_c(a[5],b[7],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,96(a0) /* r[12]=c1; */ +- +- dmultu a_6,b_7 /* mul_add_c(a[6],b[7],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- dmultu a_7,b_6 /* mul_add_c(a[7],b[6],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,104(a0) /* r[13]=c2; */ +- +- dmultu a_7,b_7 /* mul_add_c(a[7],b[7],c3,c1,c2); */ +- ld s0,0(sp) +- ld s1,8(sp) +- ld s2,16(sp) +- ld s3,24(sp) +- ld s4,32(sp) +- ld s5,40(sp) +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sd c_3,112(a0) /* r[14]=c3; */ +- sd c_1,120(a0) /* r[15]=c1; */ +- +- PTR_ADD sp,FRAME_SIZE +- +- jr ra +-END(bn_mul_comba8) +- +-.align 5 +-LEAF(bn_mul_comba4) +- .set reorder +- ld a_0,0(a1) +- ld b_0,0(a2) +- ld a_1,8(a1) +- ld a_2,16(a1) +- dmultu a_0,b_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */ +- ld a_3,24(a1) +- ld b_1,8(a2) +- ld b_2,16(a2) +- ld b_3,24(a2) +- mflo c_1 +- mfhi c_2 +- sd c_1,0(a0) +- +- dmultu a_0,b_1 /* mul_add_c(a[0],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu c_3,t_2,AT +- dmultu a_1,b_0 /* mul_add_c(a[1],b[0],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- sd c_2,8(a0) +- +- dmultu a_2,b_0 /* mul_add_c(a[2],b[0],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- dmultu a_1,b_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu c_2,c_1,t_2 +- dmultu a_0,b_2 /* mul_add_c(a[0],b[2],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,16(a0) +- +- dmultu a_0,b_3 /* mul_add_c(a[0],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu c_3,c_2,t_2 +- dmultu a_1,b_2 /* mul_add_c(a[1],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_2,b_1 /* mul_add_c(a[2],b[1],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_3,b_0 /* mul_add_c(a[3],b[0],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,24(a0) +- +- dmultu a_3,b_1 /* mul_add_c(a[3],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- dmultu a_2,b_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_1,b_3 /* mul_add_c(a[1],b[3],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,32(a0) +- +- dmultu a_2,b_3 /* mul_add_c(a[2],b[3],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu c_2,c_1,t_2 +- dmultu a_3,b_2 /* mul_add_c(a[3],b[2],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,40(a0) +- +- dmultu a_3,b_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sd c_1,48(a0) +- sd c_2,56(a0) +- +- jr ra +-END(bn_mul_comba4) +- +-#undef a_4 +-#undef a_5 +-#undef a_6 +-#undef a_7 +-#define a_4 b_0 +-#define a_5 b_1 +-#define a_6 b_2 +-#define a_7 b_3 +- +-.align 5 +-LEAF(bn_sqr_comba8) +- .set reorder +- ld a_0,0(a1) +- ld a_1,8(a1) +- ld a_2,16(a1) +- ld a_3,24(a1) +- +- dmultu a_0,a_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */ +- ld a_4,32(a1) +- ld a_5,40(a1) +- ld a_6,48(a1) +- ld a_7,56(a1) +- mflo c_1 +- mfhi c_2 +- sd c_1,0(a0) +- +- dmultu a_0,a_1 /* mul_add_c2(a[0],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu c_3,t_2,AT +- sd c_2,8(a0) +- +- dmultu a_2,a_0 /* mul_add_c2(a[2],b[0],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt c_2,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_1,a_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,16(a0) +- +- dmultu a_0,a_3 /* mul_add_c2(a[0],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt c_3,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_1,a_2 /* mul_add_c2(a[1],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_3,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,24(a0) +- +- dmultu a_4,a_0 /* mul_add_c2(a[4],b[0],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_3,a_1 /* mul_add_c2(a[3],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_1,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_2,a_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,32(a0) +- +- dmultu a_0,a_5 /* mul_add_c2(a[0],b[5],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt c_2,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_1,a_4 /* mul_add_c2(a[1],b[4],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_2,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_2,a_3 /* mul_add_c2(a[2],b[3],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_2,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,40(a0) +- +- dmultu a_6,a_0 /* mul_add_c2(a[6],b[0],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt c_3,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_5,a_1 /* mul_add_c2(a[5],b[1],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_3,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_4,a_2 /* mul_add_c2(a[4],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_3,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_3,a_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,48(a0) +- +- dmultu a_0,a_7 /* mul_add_c2(a[0],b[7],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_1,a_6 /* mul_add_c2(a[1],b[6],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_1,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_2,a_5 /* mul_add_c2(a[2],b[5],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_1,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_3,a_4 /* mul_add_c2(a[3],b[4],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_1,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,56(a0) +- +- dmultu a_7,a_1 /* mul_add_c2(a[7],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt c_2,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_6,a_2 /* mul_add_c2(a[6],b[2],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_2,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_5,a_3 /* mul_add_c2(a[5],b[3],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_2,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_4,a_4 /* mul_add_c(a[4],b[4],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,64(a0) +- +- dmultu a_2,a_7 /* mul_add_c2(a[2],b[7],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt c_3,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_3,a_6 /* mul_add_c2(a[3],b[6],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_3,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_4,a_5 /* mul_add_c2(a[4],b[5],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_3,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,72(a0) +- +- dmultu a_7,a_3 /* mul_add_c2(a[7],b[3],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_6,a_4 /* mul_add_c2(a[6],b[4],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_1,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_5,a_5 /* mul_add_c(a[5],b[5],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,80(a0) +- +- dmultu a_4,a_7 /* mul_add_c2(a[4],b[7],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt c_2,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_5,a_6 /* mul_add_c2(a[5],b[6],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_2,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,88(a0) +- +- dmultu a_7,a_5 /* mul_add_c2(a[7],b[5],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt c_3,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_6,a_6 /* mul_add_c(a[6],b[6],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,96(a0) +- +- dmultu a_6,a_7 /* mul_add_c2(a[6],b[7],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,104(a0) +- +- dmultu a_7,a_7 /* mul_add_c(a[7],b[7],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sd c_3,112(a0) +- sd c_1,120(a0) +- +- jr ra +-END(bn_sqr_comba8) +- +-.align 5 +-LEAF(bn_sqr_comba4) +- .set reorder +- ld a_0,0(a1) +- ld a_1,8(a1) +- ld a_2,16(a1) +- ld a_3,24(a1) +- dmultu a_0,a_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */ +- mflo c_1 +- mfhi c_2 +- sd c_1,0(a0) +- +- dmultu a_0,a_1 /* mul_add_c2(a[0],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu c_3,t_2,AT +- sd c_2,8(a0) +- +- dmultu a_2,a_0 /* mul_add_c2(a[2],b[0],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt c_2,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_1,a_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,16(a0) +- +- dmultu a_0,a_3 /* mul_add_c2(a[0],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt c_3,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_1,a_2 /* mul_add_c(a2[1],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_3,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,24(a0) +- +- dmultu a_3,a_1 /* mul_add_c2(a[3],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_2,a_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,32(a0) +- +- dmultu a_2,a_3 /* mul_add_c2(a[2],b[3],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt c_2,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,40(a0) +- +- dmultu a_3,a_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sd c_1,48(a0) +- sd c_2,56(a0) +- +- jr ra +-END(bn_sqr_comba4) +diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c +index 31476ab..2d39407 100644 +--- a/crypto/bn/asm/x86_64-gcc.c ++++ b/crypto/bn/asm/x86_64-gcc.c +@@ -273,6 +273,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) + /* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */ + /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */ + ++/* ++ * Keep in mind that carrying into high part of multiplication result ++ * can not overflow, because it cannot be all-ones. ++ */ + #if 0 + /* original macros are kept for reference purposes */ + #define mul_add_c(a,b,c0,c1,c2) { \ +@@ -287,10 +291,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) + BN_ULONG ta=(a),tb=(b),t0; \ + t1 = BN_UMULT_HIGH(ta,tb); \ + t0 = ta * tb; \ +- t2 = t1+t1; c2 += (t2neg=rand_neg(); ++ BN_sqr(c,a,ctx); + if (bp != NULL) + { + if (!results) + { +- BN_print(bp,&a); ++ BN_print(bp,a); + BIO_puts(bp," * "); +- BN_print(bp,&a); ++ BN_print(bp,a); + BIO_puts(bp," - "); + } +- BN_print(bp,&c); ++ BN_print(bp,c); + BIO_puts(bp,"\n"); + } +- BN_div(&d,&e,&c,&a,ctx); +- BN_sub(&d,&d,&a); +- if(!BN_is_zero(&d) || !BN_is_zero(&e)) +- { +- fprintf(stderr,"Square test failed!\n"); +- return 0; +- } ++ BN_div(d,e,c,a,ctx); ++ BN_sub(d,d,a); ++ if(!BN_is_zero(d) || !BN_is_zero(e)) ++ { ++ fprintf(stderr,"Square test failed!\n"); ++ goto err; ++ } + } +- BN_free(&a); +- BN_free(&c); +- BN_free(&d); +- BN_free(&e); +- return(1); ++ ++ /* Regression test for a BN_sqr overflow bug. */ ++ BN_hex2bn(&a, ++ "80000000000000008000000000000001FFFFFFFFFFFFFFFE0000000000000000"); ++ BN_sqr(c, a, ctx); ++ if (bp != NULL) ++ { ++ if (!results) ++ { ++ BN_print(bp,a); ++ BIO_puts(bp," * "); ++ BN_print(bp,a); ++ BIO_puts(bp," - "); ++ } ++ BN_print(bp,c); ++ BIO_puts(bp,"\n"); ++ } ++ BN_mul(d, a, a, ctx); ++ if (BN_cmp(c, d)) ++ { ++ fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce " ++ "different results!\n"); ++ goto err; ++ } ++ ++ /* Regression test for a BN_sqr overflow bug. */ ++ BN_hex2bn(&a, ++ "80000000000000000000000080000001FFFFFFFE000000000000000000000000"); ++ BN_sqr(c, a, ctx); ++ if (bp != NULL) ++ { ++ if (!results) ++ { ++ BN_print(bp,a); ++ BIO_puts(bp," * "); ++ BN_print(bp,a); ++ BIO_puts(bp," - "); ++ } ++ BN_print(bp,c); ++ BIO_puts(bp,"\n"); ++ } ++ BN_mul(d, a, a, ctx); ++ if (BN_cmp(c, d)) ++ { ++ fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce " ++ "different results!\n"); ++ goto err; ++ } ++ ret = 1; ++err: ++ if (a != NULL) BN_free(a); ++ if (c != NULL) BN_free(c); ++ if (d != NULL) BN_free(d); ++ if (e != NULL) BN_free(e); ++ return ret; + } + + int test_mont(BIO *bp, BN_CTX *ctx) +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3571.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3571.patch new file mode 100644 index 0000000000..9c93b7f573 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3571.patch @@ -0,0 +1,34 @@ +diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls1-reads openssl-1.0.1e/ssl/d1_pkt.c +--- openssl-1.0.1e/ssl/d1_pkt.c.dtls1-reads 2015-01-12 17:31:41.647213706 +0100 ++++ openssl-1.0.1e/ssl/d1_pkt.c 2015-01-12 17:38:21.708261411 +0100 +@@ -641,8 +641,6 @@ again: + /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ + i=rr->length; + n=ssl3_read_n(s,i,i,1); +- if (n <= 0) return(n); /* error or non-blocking io */ +- + /* this packet contained a partial record, dump it */ + if ( n != i) + { +@@ -677,7 +675,8 @@ again: + * would be dropped unnecessarily. + */ + if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && +- *p == SSL3_MT_CLIENT_HELLO) && ++ s->packet_length > DTLS1_RT_HEADER_LENGTH && ++ s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) && + !dtls1_record_replay_check(s, bitmap)) + { + rr->length = 0; +diff -up openssl-1.0.1e/ssl/s3_pkt.c.dtls1-reads openssl-1.0.1e/ssl/s3_pkt.c +--- openssl-1.0.1e/ssl/s3_pkt.c.dtls1-reads 2015-01-12 17:31:41.680214453 +0100 ++++ openssl-1.0.1e/ssl/s3_pkt.c 2015-01-12 17:38:06.721922482 +0100 +@@ -182,6 +182,8 @@ int ssl3_read_n(SSL *s, int n, int max, + * at once (as long as it fits into the buffer). */ + if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) + { ++ if (left == 0 && extend) ++ return 0; + if (left > 0 && n > left) + n = left; + } diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3572.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3572.patch new file mode 100644 index 0000000000..013876b974 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3572.patch @@ -0,0 +1,51 @@ +diff -up openssl-1.0.1e/ssl/s3_clnt.c.ecdh-downgrade openssl-1.0.1e/ssl/s3_clnt.c +--- openssl-1.0.1e/ssl/s3_clnt.c.ecdh-downgrade 2015-01-12 16:37:49.978126895 +0100 ++++ openssl-1.0.1e/ssl/s3_clnt.c 2015-01-12 17:02:01.740959687 +0100 +@@ -1287,6 +1287,8 @@ int ssl3_get_key_exchange(SSL *s) + int encoded_pt_len = 0; + #endif + ++ EVP_MD_CTX_init(&md_ctx); ++ + /* use same message size as in ssl3_get_certificate_request() + * as ServerKeyExchange message may be skipped */ + n=s->method->ssl_get_message(s, +@@ -1297,14 +1299,26 @@ int ssl3_get_key_exchange(SSL *s) + &ok); + if (!ok) return((int)n); + ++ alg_k=s->s3->tmp.new_cipher->algorithm_mkey; ++ + if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) + { ++ /* ++ * Can't skip server key exchange if this is an ephemeral ++ * ciphersuite. ++ */ ++ if (alg_k & (SSL_kEDH|SSL_kEECDH)) ++ { ++ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE); ++ al = SSL_AD_UNEXPECTED_MESSAGE; ++ goto f_err; ++ } + #ifndef OPENSSL_NO_PSK + /* In plain PSK ciphersuite, ServerKeyExchange can be + omitted if no identity hint is sent. Set + session->sess_cert anyway to avoid problems + later.*/ +- if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) ++ if (alg_k & SSL_kPSK) + { + s->session->sess_cert=ssl_sess_cert_new(); + if (s->ctx->psk_identity_hint) +@@ -1347,9 +1361,8 @@ int ssl3_get_key_exchange(SSL *s) + } + + param_len=0; +- alg_k=s->s3->tmp.new_cipher->algorithm_mkey; ++ + alg_a=s->s3->tmp.new_cipher->algorithm_auth; +- EVP_MD_CTX_init(&md_ctx); + + #ifndef OPENSSL_NO_PSK + if (alg_k & SSL_kPSK) diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8176.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8176.patch new file mode 100644 index 0000000000..052b907af2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8176.patch @@ -0,0 +1,34 @@ +From bcc311668ede6ffdcd6dc5a65454a548b5404fcc Mon Sep 17 00:00:00 2001 +From: zhu qun-ying +Date: Mon, 2 Jun 2014 14:38:52 +0100 +Subject: [PATCH] Free up s->d1->buffered_app_data.q properly. + +PR#3286 +(cherry picked from commit 71e95000afb2227fe5cac1c79ae884338bcd8d0b) +--- + ssl/d1_lib.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c +index 106939f..6bde16f 100644 +--- a/ssl/d1_lib.c ++++ b/ssl/d1_lib.c +@@ -176,9 +176,12 @@ static void dtls1_clear_queues(SSL *s) + + while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) + { +- frag = (hm_fragment *)item->data; +- OPENSSL_free(frag->fragment); +- OPENSSL_free(frag); ++ rdata = (DTLS1_RECORD_DATA *) item->data; ++ if (rdata->rbuf.buf) ++ { ++ OPENSSL_free(rdata->rbuf.buf); ++ } ++ OPENSSL_free(item->data); + pitem_free(item); + } + } +-- +2.1.0 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8275.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8275.patch new file mode 100644 index 0000000000..91041ac4d0 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8275.patch @@ -0,0 +1,202 @@ +diff -up openssl-1.0.1e/crypto/asn1/a_bitstr.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/a_bitstr.c +--- openssl-1.0.1e/crypto/asn1/a_bitstr.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/a_bitstr.c 2015-01-13 12:23:36.090478923 +0100 +@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN + + p= *pp; + i= *(p++); ++ if (i > 7) ++ { ++ i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT; ++ goto err; ++ } + /* We do this to preserve the settings. If we modify + * the settings, via the _set_bit function, we will recalculate + * on output */ + ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */ +- ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */ ++ ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */ + + if (len-- > 1) /* using one because of the bits left byte */ + { +diff -up openssl-1.0.1e/crypto/asn1/asn1_err.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/asn1_err.c +--- openssl-1.0.1e/crypto/asn1/asn1_err.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/asn1_err.c 2015-01-13 12:23:36.090478923 +0100 +@@ -246,6 +246,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ + {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE) ,"illegal time value"}, + {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"}, + {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"}, ++{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"}, + {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"}, + {ERR_REASON(ASN1_R_INVALID_DIGIT) ,"invalid digit"}, + {ERR_REASON(ASN1_R_INVALID_MIME_TYPE) ,"invalid mime type"}, +diff -up openssl-1.0.1e/crypto/asn1/asn1.h.cert-fingerprint openssl-1.0.1e/crypto/asn1/asn1.h +--- openssl-1.0.1e/crypto/asn1/asn1.h.cert-fingerprint 2015-01-13 11:44:11.999013082 +0100 ++++ openssl-1.0.1e/crypto/asn1/asn1.h 2015-01-13 12:23:36.090478923 +0100 +@@ -776,7 +776,7 @@ DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE, + int ASN1_TYPE_get(ASN1_TYPE *a); + void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value); + int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value); +-int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b); ++int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b); + + ASN1_OBJECT * ASN1_OBJECT_new(void ); + void ASN1_OBJECT_free(ASN1_OBJECT *a); +@@ -1329,6 +1329,7 @@ void ERR_load_ASN1_strings(void); + #define ASN1_R_ILLEGAL_TIME_VALUE 184 + #define ASN1_R_INTEGER_NOT_ASCII_FORMAT 185 + #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 128 ++#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 220 + #define ASN1_R_INVALID_BMPSTRING_LENGTH 129 + #define ASN1_R_INVALID_DIGIT 130 + #define ASN1_R_INVALID_MIME_TYPE 205 +diff -up openssl-1.0.1e/crypto/asn1/a_type.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/a_type.c +--- openssl-1.0.1e/crypto/asn1/a_type.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/a_type.c 2015-01-13 12:43:36.779633480 +0100 +@@ -113,7 +113,7 @@ IMPLEMENT_STACK_OF(ASN1_TYPE) + IMPLEMENT_ASN1_SET_OF(ASN1_TYPE) + + /* Returns 0 if they are equal, != 0 otherwise. */ +-int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b) ++int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b) + { + int result = -1; + +diff -up openssl-1.0.1e/crypto/asn1/a_verify.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/a_verify.c +--- openssl-1.0.1e/crypto/asn1/a_verify.c.cert-fingerprint 2015-01-13 11:44:12.308020070 +0100 ++++ openssl-1.0.1e/crypto/asn1/a_verify.c 2015-01-13 11:44:12.413022445 +0100 +@@ -93,6 +93,12 @@ int ASN1_verify(i2d_of_void *i2d, X509_A + ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM); + goto err; + } ++ ++ if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7) ++ { ++ ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT); ++ goto err; ++ } + + inl=i2d(data,NULL); + buf_in=OPENSSL_malloc((unsigned int)inl); +@@ -149,6 +155,12 @@ int ASN1_item_verify(const ASN1_ITEM *it + return -1; + } + ++ if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7) ++ { ++ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT); ++ return -1; ++ } ++ + EVP_MD_CTX_init(&ctx); + + /* Convert signature OID into digest and public key OIDs */ +diff -up openssl-1.0.1e/crypto/asn1/x_algor.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/x_algor.c +--- openssl-1.0.1e/crypto/asn1/x_algor.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/x_algor.c 2015-01-13 12:43:36.780633502 +0100 +@@ -142,3 +142,14 @@ void X509_ALGOR_set_md(X509_ALGOR *alg, + X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL); + + } ++ ++int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b) ++ { ++ int rv; ++ rv = OBJ_cmp(a->algorithm, b->algorithm); ++ if (rv) ++ return rv; ++ if (!a->parameter && !b->parameter) ++ return 0; ++ return ASN1_TYPE_cmp(a->parameter, b->parameter); ++ } +diff -up openssl-1.0.1e/crypto/dsa/dsa_asn1.c.cert-fingerprint openssl-1.0.1e/crypto/dsa/dsa_asn1.c +--- openssl-1.0.1e/crypto/dsa/dsa_asn1.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_asn1.c 2015-01-13 11:44:12.414022468 +0100 +@@ -176,13 +176,25 @@ int DSA_verify(int type, const unsigned + const unsigned char *sigbuf, int siglen, DSA *dsa) + { + DSA_SIG *s; ++ const unsigned char *p = sigbuf; ++ unsigned char *der = NULL; ++ int derlen = -1; + int ret=-1; + + s = DSA_SIG_new(); + if (s == NULL) return(ret); +- if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err; ++ if (d2i_DSA_SIG(&s,&p,siglen) == NULL) goto err; ++ /* Ensure signature uses DER and doesn't have trailing garbage */ ++ derlen = i2d_DSA_SIG(s, &der); ++ if (derlen != siglen || memcmp(sigbuf, der, derlen)) ++ goto err; + ret=DSA_do_verify(dgst,dgst_len,s,dsa); + err: ++ if (derlen > 0) ++ { ++ OPENSSL_cleanse(der, derlen); ++ OPENSSL_free(der); ++ } + DSA_SIG_free(s); + return(ret); + } +diff -up openssl-1.0.1e/crypto/ecdsa/ecs_vrf.c.cert-fingerprint openssl-1.0.1e/crypto/ecdsa/ecs_vrf.c +--- openssl-1.0.1e/crypto/ecdsa/ecs_vrf.c.cert-fingerprint 2013-02-11 16:02:48.000000000 +0100 ++++ openssl-1.0.1e/crypto/ecdsa/ecs_vrf.c 2015-01-13 11:44:12.414022468 +0100 +@@ -57,6 +57,7 @@ + */ + + #include "ecs_locl.h" ++#include "cryptlib.h" + #ifndef OPENSSL_NO_ENGINE + #include + #endif +@@ -84,13 +85,25 @@ int ECDSA_verify(int type, const unsigne + const unsigned char *sigbuf, int sig_len, EC_KEY *eckey) + { + ECDSA_SIG *s; ++ const unsigned char *p = sigbuf; ++ unsigned char *der = NULL; ++ int derlen = -1; + int ret=-1; + + s = ECDSA_SIG_new(); + if (s == NULL) return(ret); +- if (d2i_ECDSA_SIG(&s, &sigbuf, sig_len) == NULL) goto err; ++ if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) goto err; ++ /* Ensure signature uses DER and doesn't have trailing garbage */ ++ derlen = i2d_ECDSA_SIG(s, &der); ++ if (derlen != sig_len || memcmp(sigbuf, der, derlen)) ++ goto err; + ret=ECDSA_do_verify(dgst, dgst_len, s, eckey); + err: ++ if (derlen > 0) ++ { ++ OPENSSL_cleanse(der, derlen); ++ OPENSSL_free(der); ++ } + ECDSA_SIG_free(s); + return(ret); + } +diff -up openssl-1.0.1e/crypto/x509/x_all.c.cert-fingerprint openssl-1.0.1e/crypto/x509/x_all.c +--- openssl-1.0.1e/crypto/x509/x_all.c.cert-fingerprint 2015-01-13 11:44:12.330020568 +0100 ++++ openssl-1.0.1e/crypto/x509/x_all.c 2015-01-13 11:44:12.414022468 +0100 +@@ -72,6 +72,8 @@ + + int X509_verify(X509 *a, EVP_PKEY *r) + { ++ if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature)) ++ return 0; + return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg, + a->signature,a->cert_info,r)); + } +diff -up openssl-1.0.1e/crypto/x509/x509.h.cert-fingerprint openssl-1.0.1e/crypto/x509/x509.h +--- openssl-1.0.1e/crypto/x509/x509.h.cert-fingerprint 2015-01-13 11:44:12.126015954 +0100 ++++ openssl-1.0.1e/crypto/x509/x509.h 2015-01-13 12:43:36.780633502 +0100 +@@ -768,6 +768,7 @@ int X509_ALGOR_set0(X509_ALGOR *alg, ASN + void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval, + X509_ALGOR *algor); + void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); ++int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); + + X509_NAME *X509_NAME_dup(X509_NAME *xn); + X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0204.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0204.patch new file mode 100644 index 0000000000..527f7c56bd --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0204.patch @@ -0,0 +1,158 @@ +diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod +--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod 2015-01-13 11:15:25.096957795 +0100 +@@ -151,15 +151,7 @@ temporary/ephemeral DH parameters are us + + =item SSL_OP_EPHEMERAL_RSA + +-Always use ephemeral (temporary) RSA key when doing RSA operations +-(see L). +-According to the specifications this is only done, when a RSA key +-can only be used for signature operations (namely under export ciphers +-with restricted RSA keylength). By setting this option, ephemeral +-RSA keys are always used. This option breaks compatibility with the +-SSL/TLS specifications and may lead to interoperability problems with +-clients and should therefore never be used. Ciphers with EDH (ephemeral +-Diffie-Hellman) key exchange should be used instead. ++This option is no longer implemented and is treated as no op. + + =item SSL_OP_CIPHER_SERVER_PREFERENCE + +diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod +--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral 2013-02-11 16:02:48.000000000 +0100 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod 2015-01-13 11:15:25.096957795 +0100 +@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-H + in order to achieve forward secrecy (see + L). + +-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default +-and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of +-L, violating the TLS/SSL +-standard. When ephemeral RSA key exchange is required for export ciphers, +-it will automatically be used without this option! +- +-An application may either directly specify the key or can supply the key via +-a callback function. The callback approach has the advantage, that the +-callback may generate the key only in case it is actually needed. As the +-generation of a RSA key is however costly, it will lead to a significant +-delay in the handshake procedure. Another advantage of the callback function +-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA +-usage) while the explicit setting of the key is only useful for key size of +-512 bits to satisfy the export restricted ciphers and does give away key length +-if a longer key would be allowed. ++An application may either directly specify the key or can supply the key via a ++callback function. The callback approach has the advantage, that the callback ++may generate the key only in case it is actually needed. As the generation of a ++RSA key is however costly, it will lead to a significant delay in the handshake ++procedure. Another advantage of the callback function is that it can supply ++keys of different size while the explicit setting of the key is only useful for ++key size of 512 bits to satisfy the export restricted ciphers and does give ++away key length if a longer key would be allowed. + + The B is called with the B needed and + the B information. The B flag is set, when the +diff -up openssl-1.0.1e/CHANGES.rsa-ephemeral openssl-1.0.1e/CHANGES +diff -up openssl-1.0.1e/ssl/d1_srvr.c.rsa-ephemeral openssl-1.0.1e/ssl/d1_srvr.c +--- openssl-1.0.1e/ssl/d1_srvr.c.rsa-ephemeral 2015-01-12 17:49:04.912808002 +0100 ++++ openssl-1.0.1e/ssl/d1_srvr.c 2015-01-13 11:15:25.096957795 +0100 +@@ -450,24 +450,15 @@ int dtls1_accept(SSL *s) + case SSL3_ST_SW_KEY_EXCH_B: + alg_k = s->s3->tmp.new_cipher->algorithm_mkey; + +- /* clear this, it may get reset by +- * send_server_key_exchange */ +- if ((s->options & SSL_OP_EPHEMERAL_RSA) +-#ifndef OPENSSL_NO_KRB5 +- && !(alg_k & SSL_kKRB5) +-#endif /* OPENSSL_NO_KRB5 */ +- ) +- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key +- * even when forbidden by protocol specs +- * (handshake may fail as clients are not required to +- * be able to handle this) */ +- s->s3->tmp.use_rsa_tmp=1; +- else +- s->s3->tmp.use_rsa_tmp=0; ++ /* ++ * clear this, it may get reset by ++ * send_server_key_exchange ++ */ ++ s->s3->tmp.use_rsa_tmp=0; + + /* only send if a DH key exchange or + * RSA but we have a sign only certificate */ +- if (s->s3->tmp.use_rsa_tmp ++ if (0 + /* PSK: send ServerKeyExchange if PSK identity + * hint if provided */ + #ifndef OPENSSL_NO_PSK +diff -up openssl-1.0.1e/ssl/ssl.h.rsa-ephemeral openssl-1.0.1e/ssl/ssl.h +--- openssl-1.0.1e/ssl/ssl.h.rsa-ephemeral 2015-01-12 17:49:04.936808545 +0100 ++++ openssl-1.0.1e/ssl/ssl.h 2015-01-13 11:15:25.098957840 +0100 +@@ -587,9 +587,8 @@ struct ssl_session_st + #define SSL_OP_SINGLE_ECDH_USE 0x00080000L + /* If set, always create a new key when using tmp_dh parameters */ + #define SSL_OP_SINGLE_DH_USE 0x00100000L +-/* Set to always use the tmp_rsa key when doing RSA operations, +- * even when this violates protocol specs */ +-#define SSL_OP_EPHEMERAL_RSA 0x00200000L ++/* Does nothing: retained for compatibiity */ ++#define SSL_OP_EPHEMERAL_RSA 0x0 + /* Set on servers to choose the cipher according to the server's + * preferences */ + #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L +diff -up openssl-1.0.1e/ssl/s3_clnt.c.rsa-ephemeral openssl-1.0.1e/ssl/s3_clnt.c +--- openssl-1.0.1e/ssl/s3_clnt.c.rsa-ephemeral 2015-01-12 17:49:04.946808771 +0100 ++++ openssl-1.0.1e/ssl/s3_clnt.c 2015-01-13 11:15:25.097957817 +0100 +@@ -1492,6 +1492,13 @@ int ssl3_get_key_exchange(SSL *s) + #ifndef OPENSSL_NO_RSA + if (alg_k & SSL_kRSA) + { ++ /* Temporary RSA keys only allowed in export ciphersuites */ ++ if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) ++ { ++ al=SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto f_err; ++ } + if ((rsa=RSA_new()) == NULL) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); +diff -up openssl-1.0.1e/ssl/s3_srvr.c.rsa-ephemeral openssl-1.0.1e/ssl/s3_srvr.c +--- openssl-1.0.1e/ssl/s3_srvr.c.rsa-ephemeral 2015-01-12 17:51:32.044135496 +0100 ++++ openssl-1.0.1e/ssl/s3_srvr.c 2015-01-13 11:15:25.098957840 +0100 +@@ -441,20 +441,11 @@ int ssl3_accept(SSL *s) + case SSL3_ST_SW_KEY_EXCH_B: + alg_k = s->s3->tmp.new_cipher->algorithm_mkey; + +- /* clear this, it may get reset by +- * send_server_key_exchange */ +- if ((s->options & SSL_OP_EPHEMERAL_RSA) +-#ifndef OPENSSL_NO_KRB5 +- && !(alg_k & SSL_kKRB5) +-#endif /* OPENSSL_NO_KRB5 */ +- ) +- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key +- * even when forbidden by protocol specs +- * (handshake may fail as clients are not required to +- * be able to handle this) */ +- s->s3->tmp.use_rsa_tmp=1; +- else +- s->s3->tmp.use_rsa_tmp=0; ++ /* ++ * clear this, it may get reset by ++ * send_server_key_exchange ++ */ ++ s->s3->tmp.use_rsa_tmp=0; + + + /* only send if a DH key exchange, fortezza or +@@ -468,7 +459,7 @@ int ssl3_accept(SSL *s) + * server certificate contains the server's + * public key for key exchange. + */ +- if (s->s3->tmp.use_rsa_tmp ++ if (0 + /* PSK: send ServerKeyExchange if PSK identity + * hint if provided */ + #ifndef OPENSSL_NO_PSK diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0205.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0205.patch new file mode 100644 index 0000000000..ff378ae4ef --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0205.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.0.1e/ssl/s3_srvr.c.dh-unauthenticated openssl-1.0.1e/ssl/s3_srvr.c +--- openssl-1.0.1e/ssl/s3_srvr.c.dh-unauthenticated 2015-01-12 17:49:04.930808409 +0100 ++++ openssl-1.0.1e/ssl/s3_srvr.c 2015-01-13 11:15:25.098957840 +0100 +@@ -2951,7 +2951,7 @@ int ssl3_get_cert_verify(SSL *s) + if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) + { + s->s3->tmp.reuse_message=1; +- if ((peer != NULL) && (type & EVP_PKT_SIGN)) ++ if (peer != NULL) + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0206.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0206.patch new file mode 100644 index 0000000000..e2d1718689 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0206.patch @@ -0,0 +1,116 @@ +diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls-recleak openssl-1.0.1e/ssl/d1_pkt.c +--- openssl-1.0.1e/ssl/d1_pkt.c.dtls-rec-leak 2015-01-13 11:44:12.410022377 +0100 ++++ openssl-1.0.1e/ssl/d1_pkt.c 2015-01-13 11:50:40.062789458 +0100 +@@ -212,7 +212,7 @@ dtls1_buffer_record(SSL *s, record_pqueu + /* Limit the size of the queue to prevent DOS attacks */ + if (pqueue_size(queue->q) >= 100) + return 0; +- ++ + rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); + item = pitem_new(priority, rdata); + if (rdata == NULL || item == NULL) +@@ -239,14 +239,6 @@ dtls1_buffer_record(SSL *s, record_pqueu + } + #endif + +- /* insert should not fail, since duplicates are dropped */ +- if (pqueue_insert(queue->q, item) == NULL) +- { +- OPENSSL_free(rdata); +- pitem_free(item); +- return(0); +- } +- + s->packet = NULL; + s->packet_length = 0; + memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); +@@ -255,11 +247,24 @@ dtls1_buffer_record(SSL *s, record_pqueu + if (!ssl3_setup_buffers(s)) + { + SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); ++ if (rdata->rbuf.buf != NULL) ++ OPENSSL_free(rdata->rbuf.buf); + OPENSSL_free(rdata); + pitem_free(item); +- return(0); ++ return(-1); + } +- ++ ++ /* insert should not fail, since duplicates are dropped */ ++ if (pqueue_insert(queue->q, item) == NULL) ++ { ++ SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); ++ if (rdata->rbuf.buf != NULL) ++ OPENSSL_free(rdata->rbuf.buf); ++ OPENSSL_free(rdata); ++ pitem_free(item); ++ return(-1); ++ } ++ + return(1); + } + +@@ -313,8 +318,9 @@ dtls1_process_buffered_records(SSL *s) + dtls1_get_unprocessed_record(s); + if ( ! dtls1_process_record(s)) + return(0); +- dtls1_buffer_record(s, &(s->d1->processed_rcds), +- s->s3->rrec.seq_num); ++ if(dtls1_buffer_record(s, &(s->d1->processed_rcds), ++ s->s3->rrec.seq_num)<0) ++ return -1; + } + } + +@@ -529,7 +535,6 @@ printf("\n"); + + /* we have pulled in a full packet so zero things */ + s->packet_length=0; +- dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ + return(1); + + f_err: +@@ -562,7 +567,8 @@ int dtls1_get_record(SSL *s) + + /* The epoch may have changed. If so, process all the + * pending records. This is a non-blocking operation. */ +- dtls1_process_buffered_records(s); ++ if(dtls1_process_buffered_records(s)<0) ++ return -1; + + /* if we're renegotiating, then there may be buffered records */ + if (dtls1_get_processed_record(s)) +@@ -699,7 +705,9 @@ again: + { + if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) + { +- dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); ++ if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0) ++ return -1; ++ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */ + } + rr->length = 0; + s->packet_length = 0; +@@ -712,6 +720,7 @@ again: + s->packet_length = 0; /* dump this record */ + goto again; /* get another record */ + } ++ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */ + + return(1); + +@@ -863,7 +872,11 @@ start: + * buffer the application data for later processing rather + * than dropping the connection. + */ +- dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num); ++ if(dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num)<0) ++ { ++ SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); ++ return -1; ++ } + rr->length = 0; + goto start; + } diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0209.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0209.patch new file mode 100644 index 0000000000..0ebcc56a66 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0209.patch @@ -0,0 +1,82 @@ +diff -up openssl-1.0.1e/crypto/asn1/x_x509.c.use-after-free openssl-1.0.1e/crypto/asn1/x_x509.c +--- openssl-1.0.1e/crypto/asn1/x_x509.c.use-after-free 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/x_x509.c 2015-06-11 11:14:52.581856349 +0200 +@@ -170,8 +170,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsig + { + const unsigned char *q; + X509 *ret; ++ int freeret = 0; ++ + /* Save start position */ + q = *pp; ++ ++ if(!a || *a == NULL) { ++ freeret = 1; ++ } + ret = d2i_X509(a, pp, length); + /* If certificate unreadable then forget it */ + if(!ret) return NULL; +@@ -181,7 +187,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsig + if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err; + return ret; + err: +- X509_free(ret); ++ if(freeret) { ++ X509_free(ret); ++ if (a) ++ *a = NULL; ++ } + return NULL; + } + +diff -up openssl-1.0.1e/crypto/ec/ec_asn1.c.use-after-free openssl-1.0.1e/crypto/ec/ec_asn1.c +--- openssl-1.0.1e/crypto/ec/ec_asn1.c.use-after-free 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/ec/ec_asn1.c 2015-06-11 11:14:52.581856349 +0200 +@@ -1140,8 +1140,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con + ERR_R_MALLOC_FAILURE); + goto err; + } +- if (a) +- *a = ret; + } + else + ret = *a; +@@ -1206,11 +1204,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con + } + } + ++ if (a) ++ *a = ret; + ok = 1; + err: + if (!ok) + { +- if (ret) ++ if (ret && (a == NULL || *a != ret)) + EC_KEY_free(ret); + ret = NULL; + } +@@ -1358,8 +1358,6 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, con + ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE); + return NULL; + } +- if (a) +- *a = ret; + } + else + ret = *a; +@@ -1367,9 +1365,14 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, con + if (!d2i_ECPKParameters(&ret->group, in, len)) + { + ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB); ++ if (a == NULL || *a != ret) ++ EC_KEY_free(ret); + return NULL; + } + ++ if (a) ++ *a = ret; ++ + return ret; + } + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0286.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0286.patch new file mode 100644 index 0000000000..64ec2b794b --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0286.patch @@ -0,0 +1,13 @@ +diff -up openssl-1.0.1e/crypto/asn1/a_type.c.bool-cmp openssl-1.0.1e/crypto/asn1/a_type.c +--- openssl-1.0.1e/crypto/asn1/a_type.c.bool-cmp 2015-03-18 13:02:36.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/a_type.c 2015-03-18 14:38:07.111401390 +0100 +@@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co + case V_ASN1_OBJECT: + result = OBJ_cmp(a->value.object, b->value.object); + break; ++ case V_ASN1_BOOLEAN: ++ result = a->value.boolean - b->value.boolean; ++ break; + case V_ASN1_NULL: + result = 0; /* They do not have content. */ + break; diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0287.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0287.patch new file mode 100644 index 0000000000..f77b099c4e --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0287.patch @@ -0,0 +1,46 @@ +diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.item-reuse openssl-1.0.1e/crypto/asn1/tasn_dec.c +--- openssl-1.0.1e/crypto/asn1/tasn_dec.c.item-reuse 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/tasn_dec.c 2015-03-19 15:46:51.097022616 +0100 +@@ -310,9 +310,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + case ASN1_ITYPE_CHOICE: + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; +- +- /* Allocate structure */ +- if (!*pval && !ASN1_item_ex_new(pval, it)) ++ if (*pval) ++ { ++ /* Free up and zero CHOICE value if initialised */ ++ i = asn1_get_choice_selector(pval, it); ++ if ((i >= 0) && (i < it->tcount)) ++ { ++ tt = it->templates + i; ++ pchptr = asn1_get_field_ptr(pval, tt); ++ ASN1_template_free(pchptr, tt); ++ asn1_set_choice_selector(pval, -1, it); ++ } ++ } ++ else if (!ASN1_item_ex_new(pval, it)) + { + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, + ERR_R_NESTED_ASN1_ERROR); +@@ -407,6 +417,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; + ++ /* Free up and zero any ADB found */ ++ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) ++ { ++ if (tt->flags & ASN1_TFLG_ADB_MASK) ++ { ++ const ASN1_TEMPLATE *seqtt; ++ ASN1_VALUE **pseqval; ++ seqtt = asn1_do_adb(pval, tt, 1); ++ pseqval = asn1_get_field_ptr(pval, seqtt); ++ ASN1_template_free(pseqval, seqtt); ++ } ++ } ++ + /* Get each field entry */ + for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) + { diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0288.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0288.patch new file mode 100644 index 0000000000..c8dc6b9888 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0288.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.0.1e/crypto/x509/x509_req.c.req-null-deref openssl-1.0.1e/crypto/x509/x509_req.c +--- openssl-1.0.1e/crypto/x509/x509_req.c.req-null-deref 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/x509/x509_req.c 2015-03-18 18:34:35.732448017 +0100 +@@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_ + goto err; + + pktmp = X509_get_pubkey(x); ++ if (pktmp == NULL) ++ goto err; + i=X509_REQ_set_pubkey(ret,pktmp); + EVP_PKEY_free(pktmp); + if (!i) goto err; diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0289.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0289.patch new file mode 100644 index 0000000000..b52889d7e9 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0289.patch @@ -0,0 +1,184 @@ +diff -up openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref openssl-1.0.1e/crypto/pkcs7/pk7_doit.c +--- openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c 2015-03-18 18:54:10.064871658 +0100 +@@ -272,6 +272,27 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) + PKCS7_RECIP_INFO *ri=NULL; + ASN1_OCTET_STRING *os=NULL; + ++ if (p7 == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER); ++ return NULL; ++ } ++ /* ++ * The content field in the PKCS7 ContentInfo is optional, but that really ++ * only applies to inner content (precisely, detached signatures). ++ * ++ * When reading content, missing outer content is therefore treated as an ++ * error. ++ * ++ * When creating content, PKCS7_content_new() must be called before ++ * calling this method, so a NULL p7->d is always an error. ++ */ ++ if (p7->d.ptr == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT); ++ return NULL; ++ } ++ + i=OBJ_obj2nid(p7->type); + p7->state=PKCS7_S_HEADER; + +@@ -433,6 +454,18 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + unsigned char *ek = NULL, *tkey = NULL; + int eklen = 0, tkeylen = 0; + ++ if (p7 == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER); ++ return NULL; ++ } ++ ++ if (p7->d.ptr == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); ++ return NULL; ++ } ++ + i=OBJ_obj2nid(p7->type); + p7->state=PKCS7_S_HEADER; + +@@ -440,6 +473,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + { + case NID_pkcs7_signed: + data_body=PKCS7_get_octet_string(p7->d.sign->contents); ++ if (!PKCS7_is_detached(p7) && data_body == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, ++ PKCS7_R_NO_CONTENT); ++ goto err; ++ } + md_sk=p7->d.sign->md_algs; + break; + case NID_pkcs7_signedAndEnveloped: +@@ -747,6 +786,18 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) + STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL; + ASN1_OCTET_STRING *os=NULL; + ++ if (p7 == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER); ++ return 0; ++ } ++ ++ if (p7->d.ptr == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT); ++ return 0; ++ } ++ + EVP_MD_CTX_init(&ctx_tmp); + i=OBJ_obj2nid(p7->type); + p7->state=PKCS7_S_HEADER; +@@ -791,6 +842,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) + /* If detached data then the content is excluded */ + if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { + M_ASN1_OCTET_STRING_free(os); ++ os = NULL; + p7->d.sign->contents->d.data = NULL; + } + break; +@@ -801,6 +853,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) + if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) + { + M_ASN1_OCTET_STRING_free(os); ++ os = NULL; + p7->d.digest->contents->d.data = NULL; + } + break; +@@ -873,23 +926,32 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) + M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len); + } + +- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) ++ if (!PKCS7_is_detached(p7)) + { +- char *cont; +- long contlen; +- btmp=BIO_find_type(bio,BIO_TYPE_MEM); +- if (btmp == NULL) +- { +- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO); ++ /* ++ * NOTE(emilia): I think we only reach os == NULL here because detached ++ * digested data support is broken. ++ */ ++ if (os == NULL) + goto err; ++ if (!(os->flags & ASN1_STRING_FLAG_NDEF)) ++ { ++ char *cont; ++ long contlen; ++ btmp=BIO_find_type(bio,BIO_TYPE_MEM); ++ if (btmp == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO); ++ goto err; ++ } ++ contlen = BIO_get_mem_data(btmp, &cont); ++ /* Mark the BIO read only then we can use its copy of the data ++ * instead of making an extra copy. ++ */ ++ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); ++ BIO_set_mem_eof_return(btmp, 0); ++ ASN1_STRING_set0(os, (unsigned char *)cont, contlen); + } +- contlen = BIO_get_mem_data(btmp, &cont); +- /* Mark the BIO read only then we can use its copy of the data +- * instead of making an extra copy. +- */ +- BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); +- BIO_set_mem_eof_return(btmp, 0); +- ASN1_STRING_set0(os, (unsigned char *)cont, contlen); + } + ret=1; + err: +@@ -928,6 +990,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_ + if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0) + goto err; + OPENSSL_free(abuf); ++ abuf = NULL; + if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0) + goto err; + abuf = OPENSSL_malloc(siglen); +@@ -965,6 +1028,18 @@ int PKCS7_dataVerify(X509_STORE *cert_st + STACK_OF(X509) *cert; + X509 *x509; + ++ if (p7 == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER); ++ return 0; ++ } ++ ++ if (p7->d.ptr == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT); ++ return 0; ++ } ++ + if (PKCS7_type_is_signed(p7)) + { + cert=p7->d.sign->cert; +diff -up openssl-1.0.1e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref openssl-1.0.1e/crypto/pkcs7/pk7_lib.c +--- openssl-1.0.1e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/pkcs7/pk7_lib.c 2015-03-18 18:05:58.398767116 +0100 +@@ -459,6 +459,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV + + STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7) + { ++ if (p7 == NULL || p7->d.ptr == NULL) ++ return NULL; + if (PKCS7_type_is_signed(p7)) + { + return(p7->d.sign->signer_info); diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0292.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0292.patch new file mode 100644 index 0000000000..dd6a737808 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0292.patch @@ -0,0 +1,11 @@ +diff -up openssl-1.0.1e/crypto/evp/encode.c.b64-underflow openssl-1.0.1e/crypto/evp/encode.c +--- openssl-1.0.1e/crypto/evp/encode.c.b64-underflow 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/encode.c 2015-03-18 18:16:26.452331934 +0100 +@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx + v=EVP_DecodeBlock(out,d,n); + n=0; + if (v < 0) { rv=0; goto end; } ++ if (eof > v) { rv=-1; goto end; } + ret+=(v-eof); + } + else diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0293.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0293.patch new file mode 100644 index 0000000000..1ca78b3ae8 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0293.patch @@ -0,0 +1,102 @@ +diff -up openssl-1.0.1e/ssl/s2_lib.c.ssl2-assert openssl-1.0.1e/ssl/s2_lib.c +--- openssl-1.0.1e/ssl/s2_lib.c.ssl2-assert 2015-03-18 13:02:36.000000000 +0100 ++++ openssl-1.0.1e/ssl/s2_lib.c 2015-03-18 18:22:20.195322489 +0100 +@@ -488,7 +488,7 @@ int ssl2_generate_key_material(SSL *s) + + OPENSSL_assert(s->session->master_key_length >= 0 + && s->session->master_key_length +- < (int)sizeof(s->session->master_key)); ++ <= (int)sizeof(s->session->master_key)); + EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length); + EVP_DigestUpdate(&ctx,&c,1); + c++; +diff -up openssl-1.0.1e/ssl/s2_srvr.c.ssl2-assert openssl-1.0.1e/ssl/s2_srvr.c +--- openssl-1.0.1e/ssl/s2_srvr.c.ssl2-assert 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/s2_srvr.c 2015-03-18 18:30:11.403974038 +0100 +@@ -446,9 +446,6 @@ static int get_client_master_key(SSL *s) + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY); + return(-1); + } +- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc, +- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]), +- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING); + + is_export=SSL_C_IS_EXPORT(s->session->cipher); + +@@ -467,21 +464,61 @@ static int get_client_master_key(SSL *s) + else + ek=5; + ++ /* ++ * The format of the CLIENT-MASTER-KEY message is ++ * 1 byte message type ++ * 3 bytes cipher ++ * 2-byte clear key length (stored in s->s2->tmp.clear) ++ * 2-byte encrypted key length (stored in s->s2->tmp.enc) ++ * 2-byte key args length (IV etc) ++ * clear key ++ * encrypted key ++ * key args ++ * ++ * If the cipher is an export cipher, then the encrypted key bytes ++ * are a fixed portion of the total key (5 or 8 bytes). The size of ++ * this portion is in |ek|. If the cipher is not an export cipher, ++ * then the entire key material is encrypted (i.e., clear key length ++ * must be zero). ++ */ ++ if ((!is_export && s->s2->tmp.clear != 0) || ++ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) ++ { ++ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); ++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH); ++ return -1; ++ } ++ /* ++ * The encrypted blob must decrypt to the encrypted portion of the key. ++ * Decryption can't be expanding, so if we don't have enough encrypted ++ * bytes to fit the key in the buffer, stop now. ++ */ ++ if ((is_export && s->s2->tmp.enc < ek) || ++ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) ++ { ++ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); ++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT); ++ return -1; ++ } ++ ++ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc, ++ &(p[s->s2->tmp.clear]), ++ &(p[s->s2->tmp.clear]), ++ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : RSA_PKCS1_PADDING); ++ + /* bad decrypt */ + #if 1 + /* If a bad decrypt, continue with protocol but with a + * random master secret (Bleichenbacher attack) */ +- if ((i < 0) || +- ((!is_export && (i != EVP_CIPHER_key_length(c))) +- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i != +- (unsigned int)EVP_CIPHER_key_length(c)))))) ++ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c)) ++ || (is_export && i != ek))) + { + ERR_clear_error(); + if (is_export) + i=ek; + else + i=EVP_CIPHER_key_length(c); +- if (RAND_pseudo_bytes(p,i) <= 0) ++ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear],i) <= 0) + return 0; + } + #else +@@ -505,7 +542,8 @@ static int get_client_master_key(SSL *s) + } + #endif + +- if (is_export) i+=s->s2->tmp.clear; ++ if (is_export) ++ i = EVP_CIPHER_key_length(c); + + if (i > SSL_MAX_MASTER_KEY_LENGTH) + { diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1789.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1789.patch new file mode 100644 index 0000000000..8633a76849 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1789.patch @@ -0,0 +1,103 @@ +diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.oob-read openssl-1.0.1e/crypto/x509/x509_vfy.c +--- openssl-1.0.1e/crypto/x509/x509_vfy.c.oob-read 2015-05-25 12:03:41.000000000 +0200 ++++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2015-06-09 15:01:51.688640453 +0200 +@@ -1702,49 +1702,92 @@ int X509_cmp_time(const ASN1_TIME *ctm, + ASN1_TIME atm; + long offset; + char buff1[24],buff2[24],*p; +- int i,j; ++ int i, j, remaining; + + p=buff1; +- i=ctm->length; ++ remaining=ctm->length; + str=(char *)ctm->data; ++ /* ++ * Note that the following (historical) code allows much more slack in the ++ * time format than RFC5280. In RFC5280, the representation is fixed: ++ * UTCTime: YYMMDDHHMMSSZ ++ * GeneralizedTime: YYYYMMDDHHMMSSZ ++ */ + if (ctm->type == V_ASN1_UTCTIME) + { +- if ((i < 11) || (i > 17)) return 0; ++ /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */ ++ int min_length = sizeof("YYMMDDHHMMZ") - 1; ++ int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1; ++ if (remaining < min_length || remaining > max_length) ++ return 0; + memcpy(p,str,10); + p+=10; + str+=10; ++ remaining -= 10; + } + else + { +- if (i < 13) return 0; ++ /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */ ++ int min_length = sizeof("YYYYMMDDHHMMZ") - 1; ++ int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1; ++ if (remaining < min_length || remaining > max_length) ++ return 0; + memcpy(p,str,12); + p+=12; + str+=12; ++ remaining -= 12; + } + + if ((*str == 'Z') || (*str == '-') || (*str == '+')) + { *(p++)='0'; *(p++)='0'; } + else + { ++ /* SS (seconds) */ ++ if (remaining < 2) ++ return 0; + *(p++)= *(str++); + *(p++)= *(str++); +- /* Skip any fractional seconds... */ +- if (*str == '.') ++ remaining -= 2; ++ /* ++ * Skip any (up to three) fractional seconds... ++ * TODO(emilia): in RFC5280, fractional seconds are forbidden. ++ * Can we just kill them altogether? ++ */ ++ if (remaining && *str == '.') + { + str++; +- while ((*str >= '0') && (*str <= '9')) str++; ++ remaining--; ++ for (i = 0; i < 3 && remaining; i++, str++, remaining--) ++ { ++ if (*str < '0' || *str > '9') ++ break; ++ } + } + + } + *(p++)='Z'; + *(p++)='\0'; + ++ /* We now need either a terminating 'Z' or an offset. */ ++ if (!remaining) ++ return 0; + if (*str == 'Z') ++ { ++ if (remaining != 1) ++ return 0; + offset=0; ++ } + else + { ++ /* (+-)HHMM */ + if ((*str != '+') && (*str != '-')) + return 0; ++ /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */ ++ if (remaining != 5) ++ return 0; ++ if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' || ++ str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9') ++ return 0; + offset=((str[1]-'0')*10+(str[2]-'0'))*60; + offset+=(str[3]-'0')*10+(str[4]-'0'); + if (*str == '-') diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1790.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1790.patch new file mode 100644 index 0000000000..3b3024097d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1790.patch @@ -0,0 +1,55 @@ +diff -up openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.missing-content openssl-1.0.1e/crypto/pkcs7/pk7_doit.c +--- openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.missing-content 2015-05-25 12:03:41.000000000 +0200 ++++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c 2015-06-09 15:21:21.377951520 +0200 +@@ -472,6 +472,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + switch (i) + { + case NID_pkcs7_signed: ++ /* ++ * p7->d.sign->contents is a PKCS7 structure consisting of a contentType ++ * field and optional content. ++ * data_body is NULL if that structure has no (=detached) content ++ * or if the contentType is wrong (i.e., not "data"). ++ */ + data_body=PKCS7_get_octet_string(p7->d.sign->contents); + if (!PKCS7_is_detached(p7) && data_body == NULL) + { +@@ -484,6 +490,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + case NID_pkcs7_signedAndEnveloped: + rsk=p7->d.signed_and_enveloped->recipientinfo; + md_sk=p7->d.signed_and_enveloped->md_algs; ++ /* data_body is NULL if the optional EncryptedContent is missing. */ + data_body=p7->d.signed_and_enveloped->enc_data->enc_data; + enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm; + evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); +@@ -496,6 +503,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + case NID_pkcs7_enveloped: + rsk=p7->d.enveloped->recipientinfo; + enc_alg=p7->d.enveloped->enc_data->algorithm; ++ /* data_body is NULL if the optional EncryptedContent is missing. */ + data_body=p7->d.enveloped->enc_data->enc_data; + evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); + if (evp_cipher == NULL) +@@ -509,6 +517,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + goto err; + } + ++ /* Detached content must be supplied via in_bio instead. */ ++ if (data_body == NULL && in_bio == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); ++ goto err; ++ } ++ + /* We will be checking the signature */ + if (md_sk != NULL) + { +@@ -665,7 +680,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + } + + #if 1 +- if (PKCS7_is_detached(p7) || (in_bio != NULL)) ++ if (in_bio != NULL) + { + bio=in_bio; + } diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1791.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1791.patch new file mode 100644 index 0000000000..2b6f315b8d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1791.patch @@ -0,0 +1,231 @@ +diff -up openssl-1.0.1e/ssl/ssl_err.c.ticket-race openssl-1.0.1e/ssl/ssl_err.c +--- openssl-1.0.1e/ssl/ssl_err.c.ticket-race 2015-06-09 15:40:41.000000000 +0200 ++++ openssl-1.0.1e/ssl/ssl_err.c 2015-06-09 15:45:06.879198463 +0200 +@@ -245,6 +245,7 @@ static ERR_STRING_DATA SSL_str_functs[]= + {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"}, + {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"}, + {ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"}, ++{ERR_FUNC(SSL_F_SSL_SESSION_DUP), "ssl_session_dup"}, + {ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"}, + {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"}, + {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"}, +diff -up openssl-1.0.1e/ssl/ssl.h.ticket-race openssl-1.0.1e/ssl/ssl.h +--- openssl-1.0.1e/ssl/ssl.h.ticket-race 2015-06-09 15:40:41.000000000 +0200 ++++ openssl-1.0.1e/ssl/ssl.h 2015-06-09 15:44:22.696191291 +0200 +@@ -2176,6 +2176,7 @@ void ERR_load_SSL_strings(void); + #define SSL_F_SSL_READ 223 + #define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187 + #define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188 ++#define SSL_F_SSL_SESSION_DUP 348 + #define SSL_F_SSL_SESSION_NEW 189 + #define SSL_F_SSL_SESSION_PRINT_FP 190 + #define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312 +diff -up openssl-1.0.1e/ssl/ssl_locl.h.ticket-race openssl-1.0.1e/ssl/ssl_locl.h +--- openssl-1.0.1e/ssl/ssl_locl.h.ticket-race 2015-06-09 15:40:41.000000000 +0200 ++++ openssl-1.0.1e/ssl/ssl_locl.h 2015-06-09 16:02:41.105243796 +0200 +@@ -822,6 +822,7 @@ void ssl_sess_cert_free(SESS_CERT *sc); + int ssl_set_peer_cert_type(SESS_CERT *c, int type); + int ssl_get_new_session(SSL *s, int session); + int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit); ++SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket); + int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b); + DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, + ssl_cipher_id); +diff -up openssl-1.0.1e/ssl/ssl_sess.c.ticket-race openssl-1.0.1e/ssl/ssl_sess.c +--- openssl-1.0.1e/ssl/ssl_sess.c.ticket-race 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/ssl_sess.c 2015-06-11 13:48:26.724348868 +0200 +@@ -224,6 +224,146 @@ SSL_SESSION *SSL_SESSION_new(void) + return(ss); + } + ++/* ++ * Create a new SSL_SESSION and duplicate the contents of |src| into it. If ++ * ticket == 0 then no ticket information is duplicated, otherwise it is. ++ */ ++SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) ++{ ++ SSL_SESSION *dest; ++ ++ dest = OPENSSL_malloc(sizeof(*src)); ++ if (dest == NULL) ++ { ++ goto err; ++ } ++ memcpy(dest, src, sizeof(*dest)); ++ ++ /* ++ * Set the various pointers to NULL so that we can call SSL_SESSION_free in ++ * the case of an error whilst halfway through constructing dest ++ */ ++#ifndef OPENSSL_NO_PSK ++ dest->psk_identity_hint = NULL; ++ dest->psk_identity = NULL; ++#endif ++ dest->ciphers = NULL; ++#ifndef OPENSSL_NO_TLSEXT ++ dest->tlsext_hostname = NULL; ++# ifndef OPENSSL_NO_EC ++ dest->tlsext_ecpointformatlist = NULL; ++ dest->tlsext_ellipticcurvelist = NULL; ++# endif ++#endif ++ dest->tlsext_tick = NULL; ++#ifndef OPENSSL_NO_SRP ++ dest->srp_username = NULL; ++#endif ++ memset(&dest->ex_data, 0, sizeof(dest->ex_data)); ++ ++ /* We deliberately don't copy the prev and next pointers */ ++ dest->prev = NULL; ++ dest->next = NULL; ++ ++ dest->references = 1; ++ ++ if (src->sess_cert != NULL) ++ CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT); ++ ++ if (src->peer != NULL) ++ CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509); ++ ++#ifndef OPENSSL_NO_PSK ++ if (src->psk_identity_hint) ++ { ++ dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint); ++ if (dest->psk_identity_hint == NULL) ++ { ++ goto err; ++ } ++ } ++ if (src->psk_identity) ++ { ++ dest->psk_identity = BUF_strdup(src->psk_identity); ++ if (dest->psk_identity == NULL) ++ { ++ goto err; ++ } ++ } ++#endif ++ ++ if(src->ciphers != NULL) ++ { ++ dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers); ++ if (dest->ciphers == NULL) ++ goto err; ++ } ++ ++ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ++ &dest->ex_data, &src->ex_data)) ++ { ++ goto err; ++ } ++ ++#ifndef OPENSSL_NO_TLSEXT ++ if (src->tlsext_hostname) ++ { ++ dest->tlsext_hostname = BUF_strdup(src->tlsext_hostname); ++ if (dest->tlsext_hostname == NULL) ++ { ++ goto err; ++ } ++ } ++# ifndef OPENSSL_NO_EC ++ if (src->tlsext_ecpointformatlist) ++ { ++ dest->tlsext_ecpointformatlist = ++ BUF_memdup(src->tlsext_ecpointformatlist, ++ src->tlsext_ecpointformatlist_length); ++ if (dest->tlsext_ecpointformatlist == NULL) ++ goto err; ++ } ++ if (src->tlsext_ellipticcurvelist) ++ { ++ dest->tlsext_ellipticcurvelist = ++ BUF_memdup(src->tlsext_ellipticcurvelist, ++ src->tlsext_ellipticcurvelist_length); ++ if (dest->tlsext_ellipticcurvelist == NULL) ++ goto err; ++ } ++# endif ++#endif ++ ++ if (ticket != 0) ++ { ++ dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen); ++ if(dest->tlsext_tick == NULL) ++ goto err; ++ } ++ else ++ { ++ dest->tlsext_tick_lifetime_hint = 0; ++ dest->tlsext_ticklen = 0; ++ } ++ ++#ifndef OPENSSL_NO_SRP ++ if (src->srp_username) ++ { ++ dest->srp_username = BUF_strdup(src->srp_username); ++ if (dest->srp_username == NULL) ++ { ++ goto err; ++ } ++ } ++#endif ++ ++ return dest; ++err: ++ SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE); ++ SSL_SESSION_free(dest); ++ return NULL; ++} ++ + const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) + { + if(len) +diff -up openssl-1.0.1e/ssl/s3_clnt.c.ticket-race openssl-1.0.1e/ssl/s3_clnt.c +--- openssl-1.0.1e/ssl/s3_clnt.c.ticket-race 2015-06-09 15:40:41.000000000 +0200 ++++ openssl-1.0.1e/ssl/s3_clnt.c 2015-06-09 15:39:56.315119013 +0200 +@@ -2092,6 +2092,44 @@ int ssl3_get_new_session_ticket(SSL *s) + } + + p=d=(unsigned char *)s->init_msg; ++ ++ if (s->session->session_id_length > 0) ++ { ++ int i = s->session_ctx->session_cache_mode; ++ SSL_SESSION *new_sess; ++ /* ++ * We reused an existing session, so we need to replace it with a new ++ * one ++ */ ++ if (i & SSL_SESS_CACHE_CLIENT) ++ { ++ /* ++ * Remove the old session from the cache ++ */ ++ if (i & SSL_SESS_CACHE_NO_INTERNAL_STORE) ++ { ++ if (s->session_ctx->remove_session_cb != NULL) ++ s->session_ctx->remove_session_cb(s->session_ctx, ++ s->session); ++ } ++ else ++ { ++ /* We carry on if this fails */ ++ SSL_CTX_remove_session(s->session_ctx, s->session); ++ } ++ } ++ ++ if ((new_sess = ssl_session_dup(s->session, 0)) == 0) ++ { ++ al = SSL_AD_INTERNAL_ERROR; ++ SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); ++ goto f_err; ++ } ++ ++ SSL_SESSION_free(s->session); ++ s->session = new_sess; ++ } ++ + n2l(p, s->session->tlsext_tick_lifetime_hint); + n2s(p, ticklen); + /* ticket_lifetime_hint + ticket_length + ticket */ diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1792.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1792.patch new file mode 100644 index 0000000000..5f2b0cd976 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1792.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.0.1e/crypto/cms/cms_smime.c.unknown-hash openssl-1.0.1e/crypto/cms/cms_smime.c +--- openssl-1.0.1e/crypto/cms/cms_smime.c.unknown-hash 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/cms/cms_smime.c 2015-06-09 16:07:16.001516190 +0200 +@@ -141,7 +141,7 @@ static void do_free_upto(BIO *f, BIO *up + BIO_free(f); + f = tbio; + } +- while (f != upto); ++ while (f && f != upto); + } + else + BIO_free_all(f); diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3194.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3194.patch new file mode 100644 index 0000000000..58b52f26e2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3194.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.0.1e/crypto/rsa/rsa_ameth.c.pss-check openssl-1.0.1e/crypto/rsa/rsa_ameth.c +--- openssl-1.0.1e/crypto/rsa/rsa_ameth.c.pss-check 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_ameth.c 2015-12-04 09:03:18.300660817 +0100 +@@ -287,7 +287,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(co + { + ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; + if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 +- && param->type == V_ASN1_SEQUENCE) ++ && param && param->type == V_ASN1_SEQUENCE) + { + p = param->value.sequence->data; + plen = param->value.sequence->length; diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3195.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3195.patch new file mode 100644 index 0000000000..80f196fa74 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3195.patch @@ -0,0 +1,31 @@ +diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.combine-leak openssl-1.0.1e/crypto/asn1/tasn_dec.c +--- openssl-1.0.1e/crypto/asn1/tasn_dec.c.combine-leak 2015-12-04 09:01:53.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/tasn_dec.c 2015-12-04 09:09:30.629793475 +0100 +@@ -169,6 +169,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + int otag; + int ret = 0; + ASN1_VALUE **pchptr, *ptmpval; ++ int combine = aclass & ASN1_TFLG_COMBINE; ++ aclass &= ~ASN1_TFLG_COMBINE; + if (!pval) + return 0; + if (aux && aux->asn1_cb) +@@ -539,7 +541,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + auxerr: + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); + err: +- ASN1_item_ex_free(pval, it); ++ if (combine == 0) ++ ASN1_item_ex_free(pval, it); + if (errtt) + ERR_add_error_data(4, "Field=", errtt->field_name, + ", Type=", it->sname); +@@ -767,7 +770,7 @@ static int asn1_template_noexp_d2i(ASN1_ + { + /* Nothing special */ + ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), +- -1, 0, opt, ctx); ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); + if (!ret) + { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3196.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3196.patch new file mode 100644 index 0000000000..19dc323ab2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3196.patch @@ -0,0 +1,52 @@ +diff -up openssl-1.0.1e/ssl/s3_clnt.c.psk-identity openssl-1.0.1e/ssl/s3_clnt.c +--- openssl-1.0.1e/ssl/s3_clnt.c.psk-identity 2015-12-04 09:01:53.000000000 +0100 ++++ openssl-1.0.1e/ssl/s3_clnt.c 2015-12-04 09:36:24.182010426 +0100 +@@ -1367,8 +1367,6 @@ int ssl3_get_key_exchange(SSL *s) + #ifndef OPENSSL_NO_PSK + if (alg_k & SSL_kPSK) + { +- char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; +- + al=SSL_AD_HANDSHAKE_FAILURE; + n2s(p,i); + param_len=i+2; +@@ -1389,16 +1387,8 @@ int ssl3_get_key_exchange(SSL *s) + SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); + goto f_err; + } +- /* If received PSK identity hint contains NULL +- * characters, the hint is truncated from the first +- * NULL. p may not be ending with NULL, so create a +- * NULL-terminated string. */ +- memcpy(tmp_id_hint, p, i); +- memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); +- if (s->ctx->psk_identity_hint != NULL) +- OPENSSL_free(s->ctx->psk_identity_hint); +- s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); +- if (s->ctx->psk_identity_hint == NULL) ++ s->session->psk_identity_hint = BUF_strndup((char *)p, i); ++ if (s->session->psk_identity_hint == NULL) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); + goto f_err; +@@ -2904,7 +2894,7 @@ int ssl3_send_client_key_exchange(SSL *s + goto err; + } + +- psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, ++ psk_len = s->psk_client_callback(s, s->session->psk_identity_hint, + identity, PSK_MAX_IDENTITY_LEN, + psk_or_pre_ms, sizeof(psk_or_pre_ms)); + if (psk_len > PSK_MAX_PSK_LEN) +diff -up openssl-1.0.1e/ssl/s3_srvr.c.psk-identity openssl-1.0.1e/ssl/s3_srvr.c +--- openssl-1.0.1e/ssl/s3_srvr.c.psk-identity 2015-12-04 09:01:53.000000000 +0100 ++++ openssl-1.0.1e/ssl/s3_srvr.c 2015-12-04 09:43:45.144086868 +0100 +@@ -2751,7 +2751,7 @@ int ssl3_get_client_key_exchange(SSL *s) + + if (s->session->psk_identity != NULL) + OPENSSL_free(s->session->psk_identity); +- s->session->psk_identity = BUF_strdup((char *)p); ++ s->session->psk_identity = BUF_strndup((char *)p, i); + if (s->session->psk_identity == NULL) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-4000.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-4000.patch new file mode 100644 index 0000000000..66dd559d8b --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-4000.patch @@ -0,0 +1,241 @@ +diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod.logjam openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod +--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod.logjam 2013-02-11 16:02:48.000000000 +0100 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod 2015-05-25 11:37:08.893049771 +0200 +@@ -12,12 +12,10 @@ SSL_CTX_set_tmp_dh_callback, SSL_CTX_set + DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); + long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh); + +- void SSL_set_tmp_dh_callback(SSL_CTX *ctx, ++ void SSL_set_tmp_dh_callback(SSL *ctx, + DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); + long SSL_set_tmp_dh(SSL *ssl, DH *dh) + +- DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); +- + =head1 DESCRIPTION + + SSL_CTX_set_tmp_dh_callback() sets the callback function for B to be +@@ -50,24 +48,25 @@ even if he gets hold of the normal (cert + only used for signing. + + In order to perform a DH key exchange the server must use a DH group +-(DH parameters) and generate a DH key. The server will always generate a new +-DH key during the negotiation, when the DH parameters are supplied via +-callback and/or when the SSL_OP_SINGLE_DH_USE option of +-L is set. It will +-immediately create a DH key, when DH parameters are supplied via +-SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. In this case, ++(DH parameters) and generate a DH key. ++The server will always generate a new DH key during the negotiation ++if either the DH parameters are supplied via callback or the ++SSL_OP_SINGLE_DH_USE option of SSL_CTX_set_options(3) is set (or both). ++It will immediately create a DH key if DH parameters are supplied via ++SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. ++In this case, + it may happen that a key is generated on initialization without later + being needed, while on the other hand the computer time during the + negotiation is being saved. + + If "strong" primes were used to generate the DH parameters, it is not strictly + necessary to generate a new key for each handshake but it does improve forward +-secrecy. If it is not assured, that "strong" primes were used (see especially +-the section about DSA parameters below), SSL_OP_SINGLE_DH_USE must be used +-in order to prevent small subgroup attacks. Always using SSL_OP_SINGLE_DH_USE +-has an impact on the computer time needed during negotiation, but it is not +-very large, so application authors/users should consider to always enable +-this option. ++secrecy. If it is not assured that "strong" primes were used, ++SSL_OP_SINGLE_DH_USE must be used in order to prevent small subgroup ++attacks. Always using SSL_OP_SINGLE_DH_USE has an impact on the ++computer time needed during negotiation, but it is not very large, so ++application authors/users should consider always enabling this option. ++The option is required to implement perfect forward secrecy (PFS). + + As generating DH parameters is extremely time consuming, an application + should not generate the parameters on the fly but supply the parameters. +@@ -75,82 +74,62 @@ DH parameters can be reused, as the actu + the negotiation. The risk in reusing DH parameters is that an attacker + may specialize on a very often used DH group. Applications should therefore + generate their own DH parameters during the installation process using the +-openssl L application. In order to reduce the computer +-time needed for this generation, it is possible to use DSA parameters +-instead (see L), but in this case SSL_OP_SINGLE_DH_USE +-is mandatory. ++openssl L application. This application ++guarantees that "strong" primes are used. + +-Application authors may compile in DH parameters. Files dh512.pem, +-dh1024.pem, dh2048.pem, and dh4096 in the 'apps' directory of current ++Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current + version of the OpenSSL distribution contain the 'SKIP' DH parameters, + which use safe primes and were generated verifiably pseudo-randomly. + These files can be converted into C code using the B<-C> option of the +-L application. +-Authors may also generate their own set of parameters using +-L, but a user may not be sure how the parameters were +-generated. The generation of DH parameters during installation is therefore +-recommended. ++L application. Generation of custom DH ++parameters during installation should still be preferred to stop an ++attacker from specializing on a commonly used group. Files dh1024.pem ++and dh512.pem contain old parameters that must not be used by ++applications. + + An application may either directly specify the DH parameters or +-can supply the DH parameters via a callback function. The callback approach +-has the advantage, that the callback may supply DH parameters for different +-key lengths. +- +-The B is called with the B needed and +-the B information. The B flag is set, when the +-ephemeral DH key exchange is performed with an export cipher. ++can supply the DH parameters via a callback function. ++ ++Previous versions of the callback used B and B ++parameters to control parameter generation for export and non-export ++cipher suites. Modern servers that do not support export ciphersuites ++are advised to either use SSL_CTX_set_tmp_dh() in combination with ++SSL_OP_SINGLE_DH_USE, or alternatively, use the callback but ignore ++B and B and simply supply at least 2048-bit ++parameters in the callback. + + =head1 EXAMPLES + +-Handle DH parameters for key lengths of 512 and 1024 bits. (Error handling ++Setup DH parameters with a key length of 2048 bits. (Error handling + partly left out.) + +- ... +- /* Set up ephemeral DH stuff */ +- DH *dh_512 = NULL; +- DH *dh_1024 = NULL; +- FILE *paramfile; ++ Command-line parameter generation: ++ $ openssl dhparam -out dh_param_2048.pem 2048 + ++ Code for setting up parameters during server initialization: ++ ++ ... ++ SSL_CTX ctx = SSL_CTX_new(); + ... +- /* "openssl dhparam -out dh_param_512.pem -2 512" */ +- paramfile = fopen("dh_param_512.pem", "r"); ++ ++ /* Set up ephemeral DH parameters. */ ++ DH *dh_2048 = NULL; ++ FILE *paramfile; ++ paramfile = fopen("dh_param_2048.pem", "r"); + if (paramfile) { +- dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); ++ dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); + fclose(paramfile); ++ } else { ++ /* Error. */ + } +- /* "openssl dhparam -out dh_param_1024.pem -2 1024" */ +- paramfile = fopen("dh_param_1024.pem", "r"); +- if (paramfile) { +- dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); +- fclose(paramfile); ++ if (dh_2048 == NULL) { ++ /* Error. */ + } +- ... +- +- /* "openssl dhparam -C -2 512" etc... */ +- DH *get_dh512() { ... } +- DH *get_dh1024() { ... } +- +- DH *tmp_dh_callback(SSL *s, int is_export, int keylength) +- { +- DH *dh_tmp=NULL; +- +- switch (keylength) { +- case 512: +- if (!dh_512) +- dh_512 = get_dh512(); +- dh_tmp = dh_512; +- break; +- case 1024: +- if (!dh_1024) +- dh_1024 = get_dh1024(); +- dh_tmp = dh_1024; +- break; +- default: +- /* Generating a key on the fly is very costly, so use what is there */ +- setup_dh_parameters_like_above(); +- } +- return(dh_tmp); ++ if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) { ++ /* Error. */ + } ++ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); ++ ... + + =head1 RETURN VALUES + +diff -up openssl-1.0.1e/ssl/ssl_err.c.logjam openssl-1.0.1e/ssl/ssl_err.c +--- openssl-1.0.1e/ssl/ssl_err.c.logjam 2015-05-25 11:38:29.834858712 +0200 ++++ openssl-1.0.1e/ssl/ssl_err.c 2015-05-25 11:42:01.041578905 +0200 +@@ -361,6 +361,7 @@ static ERR_STRING_DATA SSL_str_reasons[] + {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"}, + {ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"}, + {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"}, ++{ERR_REASON(SSL_R_DH_KEY_TOO_SMALL) ,"dh key too small"}, + {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"}, + {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"}, + {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) ,"dtls message too big"}, +diff -up openssl-1.0.1e/ssl/ssl.h.logjam openssl-1.0.1e/ssl/ssl.h +--- openssl-1.0.1e/ssl/ssl.h.logjam 2015-05-25 11:38:29.834858712 +0200 ++++ openssl-1.0.1e/ssl/ssl.h 2015-05-25 11:40:42.482823220 +0200 +@@ -2289,6 +2289,7 @@ void ERR_load_SSL_strings(void); + #define SSL_R_DATA_LENGTH_TOO_LONG 146 + #define SSL_R_DECRYPTION_FAILED 147 + #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281 ++#define SSL_R_DH_KEY_TOO_SMALL 372 + #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 + #define SSL_R_DIGEST_CHECK_FAILED 149 + #define SSL_R_DTLS_MESSAGE_TOO_BIG 334 +diff -up openssl-1.0.1e/ssl/s3_clnt.c.logjam openssl-1.0.1e/ssl/s3_clnt.c +--- openssl-1.0.1e/ssl/s3_clnt.c.logjam 2015-05-25 11:38:29.833858690 +0200 ++++ openssl-1.0.1e/ssl/s3_clnt.c 2015-05-25 11:51:05.845754562 +0200 +@@ -3277,24 +3277,34 @@ int ssl3_check_cert_and_algorithm(SSL *s + } + #endif + #ifndef OPENSSL_NO_DH +- if ((alg_k & SSL_kEDH) && +- !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) ++ if ((alg_k & SSL_kEDH) && dh == NULL) + { +- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); ++ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); + goto f_err; + } +- else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) ++ if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) + { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); + goto f_err; + } + #ifndef OPENSSL_NO_DSA +- else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) ++ if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) + { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); + goto f_err; + } + #endif ++ /* Check DHE only: static DH not implemented. */ ++ if (alg_k & SSL_kEDH) ++ { ++ int dh_size = BN_num_bits(dh->p); ++ if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768) ++ || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) ++ { ++ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL); ++ goto f_err; ++ } ++ } + #endif + + if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-7575.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-7575.patch new file mode 100644 index 0000000000..dc86361db5 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-7575.patch @@ -0,0 +1,38 @@ +diff -up openssl-1.0.1e/ssl/t1_lib.c.no-md5-tls openssl-1.0.1e/ssl/t1_lib.c +--- openssl-1.0.1e/ssl/t1_lib.c.no-md5-tls 2015-12-04 09:51:39.000000000 +0100 ++++ openssl-1.0.1e/ssl/t1_lib.c 2015-12-21 14:09:35.239084727 +0100 +@@ -390,19 +390,11 @@ static unsigned char tls12_sigalgs[] = { + #ifndef OPENSSL_NO_SHA + tlsext_sigalg(TLSEXT_hash_sha1) + #endif +-#ifndef OPENSSL_NO_MD5 +- tlsext_sigalg_rsa(TLSEXT_hash_md5) +-#endif + }; + + int tls12_get_req_sig_algs(SSL *s, unsigned char *p) + { + size_t slen = sizeof(tls12_sigalgs); +-#ifdef OPENSSL_FIPS +- /* If FIPS mode don't include MD5 which is last */ +- if (FIPS_mode()) +- slen -= 2; +-#endif + if (p) + memcpy(p, tls12_sigalgs, slen); + return (int)slen; +@@ -2413,14 +2405,6 @@ const EVP_MD *tls12_get_hash(unsigned ch + { + switch(hash_alg) + { +-#ifndef OPENSSL_NO_MD5 +- case TLSEXT_hash_md5: +-#ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return NULL; +-#endif +- return EVP_md5(); +-#endif + #ifndef OPENSSL_NO_SHA + case TLSEXT_hash_sha1: + return EVP_sha1(); diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb index b4d59ae2b0..9192bbdacb 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb @@ -48,7 +48,65 @@ SRC_URI += "file://configure-targets.patch \ file://openssl-fix-CVE-2014-3513.patch \ file://openssl-fix-CVE-2014-3567.patch \ file://openssl-fix-CVE-2014-3568.patch \ +\ + file://rhel/openssl-1.0.1e-cve-2014-3505.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3506.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3507.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3508.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3509.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3510.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3511.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3570.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3571.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3572.patch \ + file://rhel/openssl-1.0.1e-cve-2014-8275.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0204.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0205.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0206.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0209.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0286.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0287.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0288.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0289.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0292.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0293.patch \ + file://rhel/openssl-1.0.1e-cve-2015-4000.patch \ + file://rhel/openssl-1.0.1e-cve-2014-8176.patch \ + file://rhel/openssl-1.0.1e-cve-2015-1789.patch \ + file://rhel/openssl-1.0.1e-cve-2015-1790.patch \ + file://rhel/openssl-1.0.1e-cve-2015-1791.patch \ + file://rhel/openssl-1.0.1e-cve-2015-1792.patch \ + file://rhel/openssl-1.0.1e-cve-2015-3194.patch \ + file://rhel/openssl-1.0.1e-cve-2015-3195.patch \ + file://rhel/openssl-1.0.1e-cve-2015-3196.patch \ + file://rhel/openssl-1.0.1e-cve-2015-7575.patch \ " +# file://rhel/openssl-1.0.1e-evp-wrap.patch -- looks like a feature +# file://rhel/openssl-1.0.1e-backports.patch -- doesn't apply cleanly +# file://rhel/openssl-1.0.1-beta2-padlock64.patch -- via? +# file://rhel/openssl-1.0.1e-arm-use-elf-auxv-caps.patch --feature +# file://rhel/openssl-1.0.1e-bad-mac.patch -- aes-ni patch +# file://rhel/openssl-1.0.1e-trusted-first.patch -- feature +# file://rhel/openssl-1.0.1e-cve-2013-6449.patch -- SSL_METHOD.. +# file://rhel/openssl-1.0.1e-cve-2013-6450.patch -- Fix-DTLS.. +# file://rhel/openssl-1.0.1e-cve-2013-4353.patch -- Fix for TLS.. +# file://rhel/openssl-1.0.1e-ephemeral-key-size.patch -- feature +# file://rhel/openssl-1.0.1e-cve-2014-0160.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2010-5298.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2014-0195.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2014-0198.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2014-0221.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2014-0224.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2014-3470.patch -- applied +# file://rhel/openssl-1.0.1e-dtls-ecc-ext.patch -- bug fix.. no security +# file://rhel/openssl-1.0.1e-doc-ciphersuites.patch --bugfix +# file://rhel/openssl-1.0.1e-sn-case.patch -- bugfix +# file://rhel/openssl-1.0.1e-ecdh-auto.patch -- feature +# file://rhel/openssl-1.0.1e-fallback-scsv.patch -- feature +# file://rhel/openssl-1.0.1e-copy-algo.patch -- bugfix? +# file://rhel/openssl-1.0.1e-cc-reqs.patch -- bugfix +# file://rhel/openssl-1.0.1e-cve-2014-3567.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2014-3513.patch -- applied SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c" SRC_URI[sha256sum] = "f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3"