From ceac7bd7b9e016c08a7f25964098b269b6b9d388 Mon Sep 17 00:00:00 2001 From: Holger Hans Peter Freyther Date: Sat, 27 Feb 2016 16:38:26 +0100 Subject: [PATCH] openssl: Apply patches from RHEL to address open CVEs The patches were taken from openssl-1.0.1e-51.el7_2.2.src.rpm and apply all CVEs that were not applied yet. Document which patches were not applied. There should be another openssl version soon as the next round of fixes was announced for the 1st of March. After the upgrade "opkg update with https feeds" and "openvpn against netport" were tested. They seem to work. Fixes: SYS#2448 --- .../rhel/openssl-1.0.1e-cve-2010-5298.patch | 21 + .../rhel/openssl-1.0.1e-cve-2013-4353.patch | 21 + .../rhel/openssl-1.0.1e-cve-2013-6449.patch | 111 + .../rhel/openssl-1.0.1e-cve-2013-6450.patch | 85 + .../rhel/openssl-1.0.1e-cve-2014-0160.patch | 89 + .../rhel/openssl-1.0.1e-cve-2014-0195.patch | 36 + .../rhel/openssl-1.0.1e-cve-2014-0198.patch | 33 + .../rhel/openssl-1.0.1e-cve-2014-0221.patch | 34 + .../rhel/openssl-1.0.1e-cve-2014-0224.patch | 104 + .../rhel/openssl-1.0.1e-cve-2014-3470.patch | 26 + .../rhel/openssl-1.0.1e-cve-2014-3505.patch | 52 + .../rhel/openssl-1.0.1e-cve-2014-3506.patch | 87 + .../rhel/openssl-1.0.1e-cve-2014-3507.patch | 53 + .../rhel/openssl-1.0.1e-cve-2014-3508.patch | 138 + .../rhel/openssl-1.0.1e-cve-2014-3509.patch | 45 + .../rhel/openssl-1.0.1e-cve-2014-3510.patch | 86 + .../rhel/openssl-1.0.1e-cve-2014-3511.patch | 85 + .../rhel/openssl-1.0.1e-cve-2014-3513.patch | 186 + .../rhel/openssl-1.0.1e-cve-2014-3567.patch | 14 + .../rhel/openssl-1.0.1e-cve-2014-3570.patch | 3155 +++++++++++++++++ .../rhel/openssl-1.0.1e-cve-2014-3571.patch | 34 + .../rhel/openssl-1.0.1e-cve-2014-3572.patch | 51 + .../rhel/openssl-1.0.1e-cve-2014-8176.patch | 34 + .../rhel/openssl-1.0.1e-cve-2014-8275.patch | 202 ++ .../rhel/openssl-1.0.1e-cve-2015-0204.patch | 158 + .../rhel/openssl-1.0.1e-cve-2015-0205.patch | 12 + .../rhel/openssl-1.0.1e-cve-2015-0206.patch | 116 + .../rhel/openssl-1.0.1e-cve-2015-0209.patch | 82 + .../rhel/openssl-1.0.1e-cve-2015-0286.patch | 13 + .../rhel/openssl-1.0.1e-cve-2015-0287.patch | 46 + .../rhel/openssl-1.0.1e-cve-2015-0288.patch | 12 + .../rhel/openssl-1.0.1e-cve-2015-0289.patch | 184 + .../rhel/openssl-1.0.1e-cve-2015-0292.patch | 11 + .../rhel/openssl-1.0.1e-cve-2015-0293.patch | 102 + .../rhel/openssl-1.0.1e-cve-2015-1789.patch | 103 + .../rhel/openssl-1.0.1e-cve-2015-1790.patch | 55 + .../rhel/openssl-1.0.1e-cve-2015-1791.patch | 231 ++ .../rhel/openssl-1.0.1e-cve-2015-1792.patch | 12 + .../rhel/openssl-1.0.1e-cve-2015-3194.patch | 12 + .../rhel/openssl-1.0.1e-cve-2015-3195.patch | 31 + .../rhel/openssl-1.0.1e-cve-2015-3196.patch | 52 + .../rhel/openssl-1.0.1e-cve-2015-4000.patch | 241 ++ .../rhel/openssl-1.0.1e-cve-2015-7575.patch | 38 + .../openssl/openssl_1.0.1e.bb | 58 + 44 files changed, 6351 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2010-5298.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-4353.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6449.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6450.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0160.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0195.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0198.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0221.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0224.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3470.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3505.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3506.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3507.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3508.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3509.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3510.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3511.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3513.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3567.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3570.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3571.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3572.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8176.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8275.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0204.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0205.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0206.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0209.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0286.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0287.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0288.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0289.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0292.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0293.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1789.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1790.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1791.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1792.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3194.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3195.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3196.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-4000.patch create mode 100644 meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-7575.patch diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2010-5298.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2010-5298.patch new file mode 100644 index 0000000000..b4f92cd585 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2010-5298.patch @@ -0,0 +1,21 @@ +From: Ben Laurie +Date: Wed, 23 Apr 2014 06:24:03 +0000 (+0100) +Subject: Fix use after free. +X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=94d1f4b + +Fix use after free. +--- + +diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c +index b9e45c7..d601a18 100644 +--- a/ssl/s3_pkt.c ++++ b/ssl/s3_pkt.c +@@ -1334,7 +1334,7 @@ start: + { + s->rstate=SSL_ST_READ_HEADER; + rr->off=0; +- if (s->mode & SSL_MODE_RELEASE_BUFFERS) ++ if (s->mode & SSL_MODE_RELEASE_BUFFERS && s->s3->rbuf.left == 0) + ssl3_release_read_buffer(s); + } + } diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-4353.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-4353.patch new file mode 100644 index 0000000000..5f96116cf5 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-4353.patch @@ -0,0 +1,21 @@ +Fix for TLS record tampering bug. A carefully crafted invalid +handshake could crash OpenSSL with a NULL pointer exception. +Thanks to Anton Johansson for reporting this issues. +(CVE-2013-4353) +diff --git a/ssl/s3_both.c b/ssl/s3_both.c +index 1e5dcab..53b9390 100644 +--- a/ssl/s3_both.c ++++ b/ssl/s3_both.c +@@ -210,7 +210,11 @@ static void ssl3_take_mac(SSL *s) + { + const char *sender; + int slen; +- ++ /* If no new cipher setup return immediately: other functions will ++ * set the appropriate error. ++ */ ++ if (s->s3->tmp.new_cipher == NULL) ++ return; + if (s->state & SSL_ST_CONNECT) + { + sender=s->method->ssl3_enc->server_finished_label; diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6449.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6449.patch new file mode 100644 index 0000000000..d80a1788da --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6449.patch @@ -0,0 +1,111 @@ +Use version in SSL_METHOD not SSL structure. + +When deciding whether to use TLS 1.2 PRF and record hash algorithms +use the version number in the corresponding SSL_METHOD structure +instead of the SSL structure. The SSL structure version is sometimes +inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already. +(CVE-2013-6449) + +Also preventively check EVP errors for handshake digests. + +diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c +index bf832bb..c4ef273 100644 +--- a/ssl/s3_lib.c ++++ b/ssl/s3_lib.c +@@ -4286,7 +4286,7 @@ need to go to SSL_ST_ACCEPT. + long ssl_get_algorithm2(SSL *s) + { + long alg2 = s->s3->tmp.new_cipher->algorithm2; +- if (TLS1_get_version(s) >= TLS1_2_VERSION && ++ if (s->method->version == TLS1_2_VERSION && + alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF)) + return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; + return alg2; +diff --git a/ssl/s3_both.c b/ssl/s3_both.c +index ead01c8..1e5dcab 100644 +--- a/ssl/s3_both.c ++++ b/ssl/s3_both.c +@@ -161,6 +161,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) + + i=s->method->ssl3_enc->final_finish_mac(s, + sender,slen,s->s3->tmp.finish_md); ++ if (i == 0) ++ return 0; + s->s3->tmp.finish_md_len = i; + memcpy(p, s->s3->tmp.finish_md, i); + p+=i; +diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c +index 804291e..c4bc4e7 100644 +--- a/ssl/s3_pkt.c ++++ b/ssl/s3_pkt.c +@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); + if (version != s->version) + { + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER); +- if ((s->version & 0xFF00) == (version & 0xFF00)) ++ if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash) + /* Send back error using their minor version number :-) */ + s->version = (unsigned short)version; + al=SSL_AD_PROTOCOL_VERSION; +@@ -1459,8 +1459,14 @@ int ssl3_do_change_cipher_spec(SSL *s) + slen=s->method->ssl3_enc->client_finished_label_len; + } + +- s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, ++ i = s->method->ssl3_enc->final_finish_mac(s, + sender,slen,s->s3->tmp.peer_finish_md); ++ if (i == 0) ++ { ++ SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ s->s3->tmp.peer_finish_md_len = i; + + return(1); + } +diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c +index e5a8b3f..52efed3 100644 +--- a/ssl/s3_srvr.c ++++ b/ssl/s3_srvr.c +@@ -958,7 +958,8 @@ int ssl3_get_client_hello(SSL *s) + (s->version != DTLS1_VERSION && s->client_version < s->version)) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER); +- if ((s->client_version>>8) == SSL3_VERSION_MAJOR) ++ if ((s->client_version>>8) == SSL3_VERSION_MAJOR && ++ !s->enc_write_ctx && !s->write_hash) + { + /* similar to ssl3_get_record, send alert using remote version number */ + s->version = s->client_version; +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c +index 809ad2e..72015f5 100644 +--- a/ssl/t1_enc.c ++++ b/ssl/t1_enc.c +@@ -915,18 +915,19 @@ int tls1_final_finish_mac(SSL *s, + if (mask & ssl_get_algorithm2(s)) + { + int hashsize = EVP_MD_size(md); +- if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) ++ EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx]; ++ if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf))) + { + /* internal error: 'buf' is too small for this cipersuite! */ + err = 1; + } + else + { +- EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]); +- EVP_DigestFinal_ex(&ctx,q,&i); +- if (i != (unsigned int)hashsize) /* can't really happen */ ++ if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) || ++ !EVP_DigestFinal_ex(&ctx,q,&i) || ++ (i != (unsigned int)hashsize)) + err = 1; +- q+=i; ++ q+=hashsize; + } + } + } +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6450.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6450.patch new file mode 100644 index 0000000000..fa096c8b2f --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2013-6450.patch @@ -0,0 +1,85 @@ +Fix DTLS retransmission from previous session. + +For DTLS we might need to retransmit messages from the previous session +so keep a copy of write context in DTLS retransmission buffers instead +of replacing it after sending CCS. CVE-2013-6450. + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index 65ec001..7a5596a 100644 +--- a/ssl/d1_both.c ++++ b/ssl/d1_both.c +@@ -214,6 +214,12 @@ dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) + static void + dtls1_hm_fragment_free(hm_fragment *frag) + { ++ ++ if (frag->msg_header.is_ccs) ++ { ++ EVP_CIPHER_CTX_free(frag->msg_header.saved_retransmit_state.enc_write_ctx); ++ EVP_MD_CTX_destroy(frag->msg_header.saved_retransmit_state.write_hash); ++ } + if (frag->fragment) OPENSSL_free(frag->fragment); + if (frag->reassembly) OPENSSL_free(frag->reassembly); + OPENSSL_free(frag); +diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h +index 96ce9a7..e485907 100644 +--- a/ssl/ssl_locl.h ++++ b/ssl/ssl_locl.h +@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data; + extern SSL3_ENC_METHOD SSLv3_enc_data; + extern SSL3_ENC_METHOD DTLSv1_enc_data; + ++#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION) ++ + #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \ + s_get_meth) \ + const SSL_METHOD *func_name(void) \ +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c +index 72015f5..56db834 100644 +--- a/ssl/t1_enc.c ++++ b/ssl/t1_enc.c +@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int which) + s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; + else + s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; +- if (s->enc_write_ctx != NULL) ++ if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s)) + reuse_dd = 1; +- else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL) ++ else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL) + goto err; +- else +- /* make sure it's intialized in case we exit later with an error */ +- EVP_CIPHER_CTX_init(s->enc_write_ctx); + dd= s->enc_write_ctx; +- mac_ctx = ssl_replace_hash(&s->write_hash,NULL); ++ if (SSL_IS_DTLS(s)) ++ { ++ mac_ctx = EVP_MD_CTX_create(); ++ if (!mac_ctx) ++ goto err; ++ s->write_hash = mac_ctx; ++ } ++ else ++ mac_ctx = ssl_replace_hash(&s->write_hash,NULL); + #ifndef OPENSSL_NO_COMP + if (s->compress != NULL) + { +diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c +index 6fc469f..d14e8e4 100644 +--- a/crypto/evp/digest.c ++++ b/crypto/evp/digest.c +@@ -366,8 +366,11 @@ int EVP_Digest(const void *data, size_t count, + + void EVP_MD_CTX_destroy(EVP_MD_CTX *ctx) + { +- EVP_MD_CTX_cleanup(ctx); +- OPENSSL_free(ctx); ++ if (ctx) ++ { ++ EVP_MD_CTX_cleanup(ctx); ++ OPENSSL_free(ctx); ++ } + } + + /* This call frees resources associated with the context */ diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0160.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0160.patch new file mode 100644 index 0000000000..6d5c5cef6f --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0160.patch @@ -0,0 +1,89 @@ +diff -up openssl-1.0.1e/ssl/d1_both.c.heartbeat openssl-1.0.1e/ssl/d1_both.c +--- openssl-1.0.1e/ssl/d1_both.c.heartbeat 2014-04-07 12:52:01.884308971 +0200 ++++ openssl-1.0.1e/ssl/d1_both.c 2014-04-07 13:04:32.860128295 +0200 +@@ -1458,26 +1458,36 @@ dtls1_process_heartbeat(SSL *s) + unsigned int payload; + unsigned int padding = 16; /* Use minimum padding */ + +- /* Read type and payload length first */ +- hbtype = *p++; +- n2s(p, payload); +- pl = p; +- + if (s->msg_callback) + s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, + &s->s3->rrec.data[0], s->s3->rrec.length, + s, s->msg_callback_arg); + ++ /* Read type and payload length first */ ++ if (1 + 2 + 16 > s->s3->rrec.length) ++ return 0; /* silently discard */ ++ hbtype = *p++; ++ n2s(p, payload); ++ if (1 + 2 + payload + 16 > s->s3->rrec.length) ++ return 0; /* silently discard per RFC 6520 sec. 4 */ ++ pl = p; ++ + if (hbtype == TLS1_HB_REQUEST) + { + unsigned char *buffer, *bp; ++ unsigned int write_length = 1 /* heartbeat type */ + ++ 2 /* heartbeat length */ + ++ payload + padding; + int r; + ++ if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) ++ return 0; ++ + /* Allocate memory for the response, size is 1 byte + * message type, plus 2 bytes payload length, plus + * payload, plus padding + */ +- buffer = OPENSSL_malloc(1 + 2 + payload + padding); ++ buffer = OPENSSL_malloc(write_length); + bp = buffer; + + /* Enter response type, length and copy payload */ +@@ -1488,11 +1498,11 @@ dtls1_process_heartbeat(SSL *s) + /* Random padding */ + RAND_pseudo_bytes(bp, padding); + +- r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); ++ r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length); + + if (r >= 0 && s->msg_callback) + s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, +- buffer, 3 + payload + padding, ++ buffer, write_length, + s, s->msg_callback_arg); + + OPENSSL_free(buffer); +diff -up openssl-1.0.1e/ssl/t1_lib.c.heartbeat openssl-1.0.1e/ssl/t1_lib.c +--- openssl-1.0.1e/ssl/t1_lib.c.heartbeat 2014-04-07 12:52:01.891308997 +0200 ++++ openssl-1.0.1e/ssl/t1_lib.c 2014-04-07 12:57:45.063603587 +0200 +@@ -2463,16 +2463,20 @@ tls1_process_heartbeat(SSL *s) + unsigned int payload; + unsigned int padding = 16; /* Use minimum padding */ + +- /* Read type and payload length first */ +- hbtype = *p++; +- n2s(p, payload); +- pl = p; +- + if (s->msg_callback) + s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, + &s->s3->rrec.data[0], s->s3->rrec.length, + s, s->msg_callback_arg); + ++ /* Read type and payload length first */ ++ if (1 + 2 + 16 > s->s3->rrec.length) ++ return 0; /* silently discard */ ++ hbtype = *p++; ++ n2s(p, payload); ++ if (1 + 2 + payload + 16 > s->s3->rrec.length) ++ return 0; /* silently discard per RFC 6520 sec. 4 */ ++ pl = p; ++ + if (hbtype == TLS1_HB_REQUEST) + { + unsigned char *buffer, *bp; diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0195.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0195.patch new file mode 100644 index 0000000000..434eee2052 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0195.patch @@ -0,0 +1,36 @@ +commit 208d54db20d58c9a5e45e856a0650caadd7d9612 +Author: Dr. Stephen Henson +Date: Tue May 13 18:48:31 2014 +0100 + + Fix for CVE-2014-0195 + + A buffer overrun attack can be triggered by sending invalid DTLS fragments + to an OpenSSL DTLS client or server. This is potentially exploitable to + run arbitrary code on a vulnerable client or server. + + Fixed by adding consistency check for DTLS fragments. + + Thanks to Jüri Aedla for reporting this issue. + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index 2e8cf68..07f67f8 100644 +--- a/ssl/d1_both.c ++++ b/ssl/d1_both.c +@@ -627,7 +627,16 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) + frag->msg_header.frag_off = 0; + } + else ++ { + frag = (hm_fragment*) item->data; ++ if (frag->msg_header.msg_len != msg_hdr->msg_len) ++ { ++ item = NULL; ++ frag = NULL; ++ goto err; ++ } ++ } ++ + + /* If message is already reassembled, this must be a + * retransmit and can be dropped. + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0198.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0198.patch new file mode 100644 index 0000000000..2c94bca5df --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0198.patch @@ -0,0 +1,33 @@ +From: Matt Caswell +Date: Sun, 11 May 2014 23:38:37 +0000 (+0100) +Subject: Fixed NULL pointer dereference. See PR#3321 +X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff_plain;h=b107586 + +Fixed NULL pointer dereference. See PR#3321 +--- + +diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c +index 40eb0dd..d961d12 100644 +--- a/ssl/s3_pkt.c ++++ b/ssl/s3_pkt.c +@@ -657,9 +657,6 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, + SSL3_BUFFER *wb=&(s->s3->wbuf); + SSL_SESSION *sess; + +- if (wb->buf == NULL) +- if (!ssl3_setup_write_buffer(s)) +- return -1; + + /* first check if there is a SSL3_BUFFER still being written + * out. This will happen with non blocking IO */ +@@ -675,6 +672,10 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, + /* if it went, fall through and send more stuff */ + } + ++ if (wb->buf == NULL) ++ if (!ssl3_setup_write_buffer(s)) ++ return -1; ++ + if (len == 0 && !create_empty_fragment) + return 0; + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0221.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0221.patch new file mode 100644 index 0000000000..deb3a8b89c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0221.patch @@ -0,0 +1,34 @@ +commit d30e582446b027868cdabd0994681643682045a4 +Author: Dr. Stephen Henson +Date: Fri May 16 13:00:45 2014 +0100 + + Fix CVE-2014-0221 + + Unnecessary recursion when receiving a DTLS hello request can be used to + crash a DTLS client. Fixed by handling DTLS hello request without recursion. + + Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index 07f67f8..4c2fd03 100644 +--- a/ssl/d1_both.c ++++ b/ssl/d1_both.c +@@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) + int i,al; + struct hm_header_st msg_hdr; + ++ redo: + /* see if we have the required fragment already */ + if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok) + { +@@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) + s->msg_callback_arg); + + s->init_num = 0; +- return dtls1_get_message_fragment(s, st1, stn, +- max, ok); ++ goto redo; + } + else /* Incorrectly formated Hello request */ + { + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0224.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0224.patch new file mode 100644 index 0000000000..05e7e795bc --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-0224.patch @@ -0,0 +1,104 @@ +diff -up openssl-1.0.1e/ssl/ssl3.h.keying-mitm openssl-1.0.1e/ssl/ssl3.h +--- openssl-1.0.1e/ssl/ssl3.h.keying-mitm 2014-06-02 19:48:04.518100562 +0200 ++++ openssl-1.0.1e/ssl/ssl3.h 2014-06-02 19:48:04.642103429 +0200 +@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st + #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 + #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 + #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 ++#define SSL3_FLAGS_CCS_OK 0x0080 + + /* SSL3_FLAGS_SGC_RESTART_DONE is set when we + * restart a handshake because of MS SGC and so prevents us +diff -up openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm openssl-1.0.1e/ssl/s3_clnt.c +--- openssl-1.0.1e/ssl/s3_clnt.c.keying-mitm 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/s3_clnt.c 2014-06-02 19:49:57.042701985 +0200 +@@ -510,6 +510,7 @@ int ssl3_connect(SSL *s) + s->method->ssl3_enc->client_finished_label, + s->method->ssl3_enc->client_finished_label_len); + if (ret <= 0) goto end; ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + s->state=SSL3_ST_CW_FLUSH; + + /* clear flags */ +@@ -559,6 +560,7 @@ int ssl3_connect(SSL *s) + case SSL3_ST_CR_FINISHED_A: + case SSL3_ST_CR_FINISHED_B: + ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, + SSL3_ST_CR_FINISHED_B); + if (ret <= 0) goto end; +@@ -901,6 +903,7 @@ int ssl3_get_server_hello(SSL *s) + { + s->session->cipher = pref_cipher ? + pref_cipher : ssl_get_cipher_by_char(s, p+j); ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + } + } + #endif /* OPENSSL_NO_TLSEXT */ +@@ -916,6 +918,7 @@ int ssl3_get_server_hello(SSL *s) + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT); + goto f_err; + } ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + s->hit=1; + } + else /* a miss or crap from the other end */ +diff -up openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm openssl-1.0.1e/ssl/s3_pkt.c +--- openssl-1.0.1e/ssl/s3_pkt.c.keying-mitm 2014-06-02 19:48:04.640103383 +0200 ++++ openssl-1.0.1e/ssl/s3_pkt.c 2014-06-02 19:48:04.643103452 +0200 +@@ -1298,6 +1298,15 @@ start: + goto f_err; + } + ++ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) ++ { ++ al=SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); ++ goto f_err; ++ } ++ ++ s->s3->flags &= ~SSL3_FLAGS_CCS_OK; ++ + rr->length=0; + + if (s->msg_callback) +@@ -1432,7 +1441,7 @@ int ssl3_do_change_cipher_spec(SSL *s) + + if (s->s3->tmp.key_block == NULL) + { +- if (s->session == NULL) ++ if (s->session == NULL || s->session->master_key_length == 0) + { + /* might happen if dtls1_read_bytes() calls this */ + SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY); +diff -up openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm openssl-1.0.1e/ssl/s3_srvr.c +--- openssl-1.0.1e/ssl/s3_srvr.c.keying-mitm 2014-06-02 19:48:04.630103151 +0200 ++++ openssl-1.0.1e/ssl/s3_srvr.c 2014-06-02 19:48:04.643103452 +0200 +@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s) + case SSL3_ST_SR_CERT_VRFY_A: + case SSL3_ST_SR_CERT_VRFY_B: + ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + /* we should decide if we expected this one */ + ret=ssl3_get_cert_verify(s); + if (ret <= 0) goto end; +@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s) + + case SSL3_ST_SR_FINISHED_A: + case SSL3_ST_SR_FINISHED_B: ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, + SSL3_ST_SR_FINISHED_B); + if (ret <= 0) goto end; +@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s) + s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; + #else + if (s->s3->next_proto_neg_seen) ++ { ++ s->s3->flags |= SSL3_FLAGS_CCS_OK; + s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; ++ } + else + s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; + #endif diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3470.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3470.patch new file mode 100644 index 0000000000..32f4487302 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3470.patch @@ -0,0 +1,26 @@ +commit 4ad43d511f6cf064c66eb4bfd0fb0919b5dd8a86 +Author: Dr. Stephen Henson +Date: Thu May 29 15:00:05 2014 +0100 + + Fix CVE-2014-3470 + + Check session_cert is not NULL before dereferencing it. + +diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c +index d35376d..4324f8d 100644 +--- a/ssl/s3_clnt.c ++++ b/ssl/s3_clnt.c +@@ -2511,6 +2511,13 @@ int ssl3_send_client_key_exchange(SSL *s) + int ecdh_clnt_cert = 0; + int field_size = 0; + ++ if (s->session->sess_cert == NULL) ++ { ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); ++ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } ++ + /* Did we send out the client's + * ECDH share for use in premaster + * computation as part of client certificate? diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3505.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3505.patch new file mode 100644 index 0000000000..8716fae9ed --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3505.patch @@ -0,0 +1,52 @@ +From 2172d4f63c61922487008f42511cc6bdae9b47a0 Mon Sep 17 00:00:00 2001 +From: Adam Langley +Date: Fri, 6 Jun 2014 14:19:21 -0700 +Subject: [PATCH] Avoid double free when processing DTLS packets. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The |item| variable, in both of these cases, may contain a pointer to a +|pitem| structure within |s->d1->buffered_messages|. It was being freed +in the error case while still being in |buffered_messages|. When the +error later caused the |SSL*| to be destroyed, the item would be double +freed. + +Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was +inconsistent with the other error paths (but correct). + +Fixes CVE-2014-3505 + +Reviewed-by: Matt Caswell +Reviewed-by: Emilia Käsper +--- + ssl/d1_both.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index c1eb970..cdb83b6 100644 +--- a/ssl/d1_both.c ++++ b/ssl/d1_both.c +@@ -693,8 +693,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) + return DTLS1_HM_FRAGMENT_RETRY; + + err: +- if (frag != NULL) dtls1_hm_fragment_free(frag); +- if (item != NULL) OPENSSL_free(item); ++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); + *ok = 0; + return i; + } +@@ -778,8 +777,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) + return DTLS1_HM_FRAGMENT_RETRY; + + err: +- if ( frag != NULL) dtls1_hm_fragment_free(frag); +- if ( item != NULL) OPENSSL_free(item); ++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag); + *ok = 0; + return i; + } +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3506.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3506.patch new file mode 100644 index 0000000000..05e364f5b9 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3506.patch @@ -0,0 +1,87 @@ +From fc7804ec392fcf8051abe6bc9da9108744d2ae35 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 6 Jun 2014 14:25:52 -0700 +Subject: [PATCH] Fix DTLS handshake message size checks. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +In |dtls1_reassemble_fragment|, the value of +|msg_hdr->frag_off+frag_len| was being checked against the maximum +handshake message size, but then |msg_len| bytes were allocated for the +fragment buffer. This means that so long as the fragment was within the +allowed size, the pending handshake message could consume 16MB + 2MB +(for the reassembly bitmap). Approx 10 outstanding handshake messages +are allowed, meaning that an attacker could consume ~180MB per DTLS +connection. + +In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no +check was applied. + +Fixes CVE-2014-3506 + +Wholly based on patch by Adam Langley with one minor amendment. + +Reviewed-by: Emilia Käsper +--- + ssl/d1_both.c | 29 ++++++++++++++++------------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +diff --git a/ssl/d1_both.c b/ssl/d1_both.c +index 6559dfc..b9e15df 100644 +--- a/ssl/d1_both.c ++++ b/ssl/d1_both.c +@@ -587,6 +587,16 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) + return 0; + } + ++/* dtls1_max_handshake_message_len returns the maximum number of bytes ++ * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may ++ * be greater if the maximum certificate list size requires it. */ ++static unsigned long dtls1_max_handshake_message_len(const SSL *s) ++ { ++ unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; ++ if (max_len < (unsigned long)s->max_cert_list) ++ return s->max_cert_list; ++ return max_len; ++ } + + static int + dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) +@@ -595,20 +605,10 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok) + pitem *item = NULL; + int i = -1, is_complete; + unsigned char seq64be[8]; +- unsigned long frag_len = msg_hdr->frag_len, max_len; +- +- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len) +- goto err; +- +- /* Determine maximum allowed message size. Depends on (user set) +- * maximum certificate length, but 16k is minimum. +- */ +- if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list) +- max_len = s->max_cert_list; +- else +- max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; ++ unsigned long frag_len = msg_hdr->frag_len; + +- if ((msg_hdr->frag_off+frag_len) > max_len) ++ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len || ++ msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) + goto err; + + /* Try to find item in queue */ +@@ -749,6 +749,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok) + if (frag_len && frag_len < msg_hdr->msg_len) + return dtls1_reassemble_fragment(s, msg_hdr, ok); + ++ if (frag_len > dtls1_max_handshake_message_len(s)) ++ goto err; ++ + frag = dtls1_hm_fragment_new(frag_len, 0); + if ( frag == NULL) + goto err; +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3507.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3507.patch new file mode 100644 index 0000000000..05073152c9 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3507.patch @@ -0,0 +1,53 @@ +diff -up openssl-1.0.1e/ssl/d1_both.c.dtls-memleak openssl-1.0.1e/ssl/d1_both.c +--- openssl-1.0.1e/ssl/d1_both.c.dtls-memleak 2014-08-07 17:51:18.457493922 +0200 ++++ openssl-1.0.1e/ssl/d1_both.c 2014-08-07 17:58:28.478558785 +0200 +@@ -610,6 +610,9 @@ dtls1_reassemble_fragment(SSL *s, struct + msg_hdr->msg_len > dtls1_max_handshake_message_len(s)) + goto err; + ++ if (frag_len == 0) ++ return DTLS1_HM_FRAGMENT_RETRY; ++ + /* Try to find item in queue */ + memset(seq64be,0,sizeof(seq64be)); + seq64be[6] = (unsigned char) (msg_hdr->seq>>8); +@@ -686,7 +689,12 @@ dtls1_reassemble_fragment(SSL *s, struct + i = -1; + } + +- pqueue_insert(s->d1->buffered_messages, item); ++ item = pqueue_insert(s->d1->buffered_messages, item); ++ /* pqueue_insert fails iff a duplicate item is inserted. ++ * However, |item| cannot be a duplicate. If it were, ++ * |pqueue_find|, above, would have returned it and control ++ * would never have reached this branch. */ ++ OPENSSL_assert(item != NULL); + } + + return DTLS1_HM_FRAGMENT_RETRY; +@@ -744,7 +752,7 @@ dtls1_process_out_of_seq_message(SSL *s, + } + else + { +- if (frag_len && frag_len < msg_hdr->msg_len) ++ if (frag_len < msg_hdr->msg_len) + return dtls1_reassemble_fragment(s, msg_hdr, ok); + + if (frag_len > dtls1_max_handshake_message_len(s)) +@@ -773,7 +781,15 @@ dtls1_process_out_of_seq_message(SSL *s, + if ( item == NULL) + goto err; + +- pqueue_insert(s->d1->buffered_messages, item); ++ item = pqueue_insert(s->d1->buffered_messages, item); ++ /* pqueue_insert fails iff a duplicate item is inserted. ++ * However, |item| cannot be a duplicate. If it were, ++ * |pqueue_find|, above, would have returned it. Then, either ++ * |frag_len| != |msg_hdr->msg_len| in which case |item| is set ++ * to NULL and it will have been processed with ++ * |dtls1_reassemble_fragment|, above, or the record will have ++ * been discarded. */ ++ OPENSSL_assert(item != NULL); + } + + return DTLS1_HM_FRAGMENT_RETRY; diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3508.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3508.patch new file mode 100644 index 0000000000..31dd08db9d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3508.patch @@ -0,0 +1,138 @@ +From 03b04ddac162c7b7fa3c57eadccc5a583a00d291 Mon Sep 17 00:00:00 2001 +From: Emilia Kasper +Date: Wed, 2 Jul 2014 19:02:33 +0200 +Subject: [PATCH] Fix OID handling: + +- Upon parsing, reject OIDs with invalid base-128 encoding. +- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function. + +CVE-2014-3508 + +Reviewed-by: Dr. Stephen Henson +Reviewed-by: Kurt Roeckx +Reviewed-by: Tim Hudson +--- + crypto/asn1/a_object.c | 30 +++++++++++++++++++++--------- + crypto/objects/obj_dat.c | 16 +++++++++------- + 2 files changed, 30 insertions(+), 16 deletions(-) + +diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c +index 3978c91..77b2768 100644 +--- a/crypto/asn1/a_object.c ++++ b/crypto/asn1/a_object.c +@@ -283,17 +283,29 @@ err: + ASN1err(ASN1_F_D2I_ASN1_OBJECT,i); + return(NULL); + } ++ + ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, + long len) + { + ASN1_OBJECT *ret=NULL; + const unsigned char *p; + unsigned char *data; +- int i; +- /* Sanity check OID encoding: can't have leading 0x80 in +- * subidentifiers, see: X.690 8.19.2 ++ int i, length; ++ ++ /* Sanity check OID encoding. ++ * Need at least one content octet. ++ * MSB must be clear in the last octet. ++ * can't have leading 0x80 in subidentifiers, see: X.690 8.19.2 + */ +- for (i = 0, p = *pp; i < len; i++, p++) ++ if (len <= 0 || len > INT_MAX || pp == NULL || (p = *pp) == NULL || ++ p[len - 1] & 0x80) ++ { ++ ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING); ++ return NULL; ++ } ++ /* Now 0 < len <= INT_MAX, so the cast is safe. */ ++ length = (int)len; ++ for (i = 0; i < length; i++, p++) + { + if (*p == 0x80 && (!i || !(p[-1] & 0x80))) + { +@@ -316,23 +328,23 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, + data = (unsigned char *)ret->data; + ret->data = NULL; + /* once detached we can change it */ +- if ((data == NULL) || (ret->length < len)) ++ if ((data == NULL) || (ret->length < length)) + { + ret->length=0; + if (data != NULL) OPENSSL_free(data); +- data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1); ++ data=(unsigned char *)OPENSSL_malloc(length); + if (data == NULL) + { i=ERR_R_MALLOC_FAILURE; goto err; } + ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA; + } +- memcpy(data,p,(int)len); ++ memcpy(data,p,length); + /* reattach data to object, after which it remains const */ + ret->data =data; +- ret->length=(int)len; ++ ret->length=length; + ret->sn=NULL; + ret->ln=NULL; + /* ret->flags=ASN1_OBJECT_FLAG_DYNAMIC; we know it is dynamic */ +- p+=len; ++ p+=length; + + if (a != NULL) (*a)=ret; + *pp=p; +diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c +index 8a342ba..0b2f442 100644 +--- a/crypto/objects/obj_dat.c ++++ b/crypto/objects/obj_dat.c +@@ -471,11 +471,12 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + const unsigned char *p; + char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2]; + +- if ((a == NULL) || (a->data == NULL)) { +- buf[0]='\0'; +- return(0); +- } ++ /* Ensure that, at every state, |buf| is NUL-terminated. */ ++ if (buf && buf_len > 0) ++ buf[0] = '\0'; + ++ if ((a == NULL) || (a->data == NULL)) ++ return(0); + + if (!no_name && (nid=OBJ_obj2nid(a)) != NID_undef) + { +@@ -554,9 +555,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + i=(int)(l/40); + l-=(long)(i*40); + } +- if (buf && (buf_len > 0)) ++ if (buf && (buf_len > 1)) + { + *buf++ = i + '0'; ++ *buf = '\0'; + buf_len--; + } + n++; +@@ -571,9 +573,10 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + i = strlen(bndec); + if (buf) + { +- if (buf_len > 0) ++ if (buf_len > 1) + { + *buf++ = '.'; ++ *buf = '\0'; + buf_len--; + } + BUF_strlcpy(buf,bndec,buf_len); +@@ -807,4 +810,3 @@ err: + OPENSSL_free(buf); + return(ok); + } +- +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3509.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3509.patch new file mode 100644 index 0000000000..cee4aadf5c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3509.patch @@ -0,0 +1,45 @@ +From 86788e1ee6908a5b3a4c95fa80caa4b724a8a434 Mon Sep 17 00:00:00 2001 +From: Gabor Tyukasz +Date: Wed, 23 Jul 2014 23:42:06 +0200 +Subject: [PATCH] Fix race condition in ssl_parse_serverhello_tlsext + +CVE-2014-3509 +Reviewed-by: Tim Hudson +Reviewed-by: Dr. Stephen Henson +--- + ssl/t1_lib.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index 8167a51..022a4fb 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -1555,15 +1555,18 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in + *al = TLS1_AD_DECODE_ERROR; + return 0; + } +- s->session->tlsext_ecpointformatlist_length = 0; +- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); +- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) ++ if (!s->hit) + { +- *al = TLS1_AD_INTERNAL_ERROR; +- return 0; ++ s->session->tlsext_ecpointformatlist_length = 0; ++ if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); ++ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) ++ { ++ *al = TLS1_AD_INTERNAL_ERROR; ++ return 0; ++ } ++ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; ++ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); + } +- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; +- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); + #if 0 + fprintf(stderr,"ssl_parse_serverhello_tlsext s->session->tlsext_ecpointformatlist "); + sdata = s->session->tlsext_ecpointformatlist; +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3510.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3510.patch new file mode 100644 index 0000000000..419653646f --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3510.patch @@ -0,0 +1,86 @@ +From 88ae012c8092852f03c50f6461175271104b4c8a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Emilia=20K=C3=A4sper?= +Date: Thu, 24 Jul 2014 22:15:29 +0200 +Subject: [PATCH] Fix DTLS anonymous EC(DH) denial of service + +CVE-2014-3510 + +Reviewed-by: Dr. Stephen Henson +--- + ssl/d1_clnt.c | 23 +++++++++++++++++++++-- + ssl/s3_clnt.c | 7 +++++++ + 2 files changed, 28 insertions(+), 2 deletions(-) + +diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c +index 65dbb4a..fd6562c 100644 +--- a/ssl/d1_clnt.c ++++ b/ssl/d1_clnt.c +@@ -996,6 +996,13 @@ int dtls1_send_client_key_exchange(SSL *s) + RSA *rsa; + unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; + ++ if (s->session->sess_cert == NULL) ++ { ++ /* We should always have a server certificate with SSL_kRSA. */ ++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_rsa_tmp != NULL) + rsa=s->session->sess_cert->peer_rsa_tmp; + else +@@ -1186,6 +1193,13 @@ int dtls1_send_client_key_exchange(SSL *s) + { + DH *dh_srvr,*dh_clnt; + ++ if (s->session->sess_cert == NULL) ++ { ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); ++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_dh_tmp != NULL) + dh_srvr=s->session->sess_cert->peer_dh_tmp; + else +@@ -1245,6 +1259,13 @@ int dtls1_send_client_key_exchange(SSL *s) + int ecdh_clnt_cert = 0; + int field_size = 0; + ++ if (s->session->sess_cert == NULL) ++ { ++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE); ++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto err; ++ } ++ + /* Did we send out the client's + * ECDH share for use in premaster + * computation as part of client certificate? +@@ -1720,5 +1741,3 @@ int dtls1_send_client_certificate(SSL *s) + /* SSL3_ST_CW_CERT_D */ + return(dtls1_do_write(s,SSL3_RT_HANDSHAKE)); + } +- +- +diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c +index 2afb892..df05f78 100644 +--- a/ssl/s3_clnt.c ++++ b/ssl/s3_clnt.c +@@ -2253,6 +2253,13 @@ int ssl3_send_client_key_exchange(SSL *s) + RSA *rsa; + unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH]; + ++ if (s->session->sess_cert == NULL) ++ { ++ /* We should always have a server certificate with SSL_kRSA. */ ++ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ + if (s->session->sess_cert->peer_rsa_tmp != NULL) + rsa=s->session->sess_cert->peer_rsa_tmp; + else +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3511.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3511.patch new file mode 100644 index 0000000000..f9cb4ea39c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3511.patch @@ -0,0 +1,85 @@ +From fc4f4cdb8bf9981904e652abf69b892a45bddacf Mon Sep 17 00:00:00 2001 +From: David Benjamin +Date: Wed, 23 Jul 2014 22:32:21 +0200 +Subject: [PATCH] Fix protocol downgrade bug in case of fragmented packets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +CVE-2014-3511 + +Reviewed-by: Emilia Käsper +Reviewed-by: Bodo Möller +--- + ssl/s23_srvr.c | 30 +++++++++++++++++++++++------- + 1 file changed, 23 insertions(+), 7 deletions(-) + +diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c +index 4877849..2901a6b 100644 +--- a/ssl/s23_srvr.c ++++ b/ssl/s23_srvr.c +@@ -348,23 +348,19 @@ int ssl23_get_client_hello(SSL *s) + * Client Hello message, this would be difficult, and we'd have + * to read more records to find out. + * No known SSL 3.0 client fragments ClientHello like this, +- * so we simply assume TLS 1.0 to avoid protocol version downgrade +- * attacks. */ ++ * so we simply reject such connections to avoid ++ * protocol version downgrade attacks. */ + if (p[3] == 0 && p[4] < 6) + { +-#if 0 + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL); + goto err; +-#else +- v[1] = TLS1_VERSION_MINOR; +-#endif + } + /* if major version number > 3 set minor to a value + * which will use the highest version 3 we support. + * If TLS 2.0 ever appears we will need to revise + * this.... + */ +- else if (p[9] > SSL3_VERSION_MAJOR) ++ if (p[9] > SSL3_VERSION_MAJOR) + v[1]=0xff; + else + v[1]=p[10]; /* minor version according to client_version */ +@@ -444,14 +440,34 @@ int ssl23_get_client_hello(SSL *s) + v[0] = p[3]; /* == SSL3_VERSION_MAJOR */ + v[1] = p[4]; + ++ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2 ++ * header is sent directly on the wire, not wrapped as a TLS ++ * record. It's format is: ++ * Byte Content ++ * 0-1 msg_length ++ * 2 msg_type ++ * 3-4 version ++ * 5-6 cipher_spec_length ++ * 7-8 session_id_length ++ * 9-10 challenge_length ++ * ... ... ++ */ + n=((p[0]&0x7f)<<8)|p[1]; + if (n > (1024*4)) + { + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE); + goto err; + } ++ if (n < 9) ++ { ++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH); ++ goto err; ++ } + + j=ssl23_read_bytes(s,n+2); ++ /* We previously read 11 bytes, so if j > 0, we must have ++ * j == n+2 == s->packet_length. We have at least 11 valid ++ * packet bytes. */ + if (j <= 0) return(j); + + ssl3_finish_mac(s, s->packet+2, s->packet_length-2); +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3513.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3513.patch new file mode 100644 index 0000000000..0d42eec4be --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3513.patch @@ -0,0 +1,186 @@ +diff -up openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak openssl-1.0.1e/ssl/d1_srtp.c +--- openssl-1.0.1e/ssl/d1_srtp.c.srtp-leak 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/d1_srtp.c 2014-10-15 13:23:34.253040160 +0200 +@@ -168,25 +168,6 @@ static int find_profile_by_name(char *pr + return 1; + } + +-static int find_profile_by_num(unsigned profile_num, +- SRTP_PROTECTION_PROFILE **pptr) +- { +- SRTP_PROTECTION_PROFILE *p; +- +- p=srtp_known_profiles; +- while(p->name) +- { +- if(p->id == profile_num) +- { +- *pptr=p; +- return 0; +- } +- p++; +- } +- +- return 1; +- } +- + static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out) + { + STACK_OF(SRTP_PROTECTION_PROFILE) *profiles; +@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const c + if(!find_profile_by_name(ptr,&p, + col ? col-ptr : (int)strlen(ptr))) + { ++ if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0) ++ { ++ SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); ++ sk_SRTP_PROTECTION_PROFILE_free(profiles); ++ return 1; ++ } ++ + sk_SRTP_PROTECTION_PROFILE_push(profiles,p); + } + else + { + SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE); ++ sk_SRTP_PROTECTION_PROFILE_free(profiles); + return 1; + } + +@@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL + + int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al) + { +- SRTP_PROTECTION_PROFILE *cprof,*sprof; +- STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr; ++ SRTP_PROTECTION_PROFILE *sprof; ++ STACK_OF(SRTP_PROTECTION_PROFILE) *srvr; + int ct; + int mki_len; +- int i,j; +- int id; +- int ret; ++ int i, srtp_pref; ++ unsigned int id; + + /* Length value + the MKI length */ + if(len < 3) +@@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(S + return 1; + } + ++ srvr=SSL_get_srtp_profiles(s); ++ s->srtp_profile = NULL; ++ /* Search all profiles for a match initially */ ++ srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr); + +- clnt=sk_SRTP_PROTECTION_PROFILE_new_null(); +- + while(ct) + { + n2s(d,id); + ct-=2; + len-=2; + +- if(!find_profile_by_num(id,&cprof)) ++ /* ++ * Only look for match in profiles of higher preference than ++ * current match. ++ * If no profiles have been have been configured then this ++ * does nothing. ++ */ ++ for (i = 0; i < srtp_pref; i++) + { +- sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof); +- } +- else +- { +- ; /* Ignore */ ++ sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i); ++ if (sprof->id == id) ++ { ++ s->srtp_profile = sprof; ++ srtp_pref = i; ++ break; ++ } + } + } + +@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(S + return 1; + } + +- srvr=SSL_get_srtp_profiles(s); +- +- /* Pick our most preferred profile. If no profiles have been +- configured then the outer loop doesn't run +- (sk_SRTP_PROTECTION_PROFILE_num() = -1) +- and so we just return without doing anything */ +- for(i=0;iid==sprof->id) +- { +- s->srtp_profile=sprof; +- *al=0; +- ret=0; +- goto done; +- } +- } +- } +- +- ret=0; +- +-done: +- if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt); +- +- return ret; ++ return 0; + } + + int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) +diff -up openssl-1.0.1e/ssl/t1_lib.c.srtp-leak openssl-1.0.1e/ssl/t1_lib.c +--- openssl-1.0.1e/ssl/t1_lib.c.srtp-leak 2014-10-15 13:19:59.955202293 +0200 ++++ openssl-1.0.1e/ssl/t1_lib.c 2014-10-15 13:23:34.254040182 +0200 +@@ -696,7 +696,7 @@ unsigned char *ssl_add_clienthello_tlsex + #endif + + #ifndef OPENSSL_NO_SRTP +- if(SSL_get_srtp_profiles(s)) ++ if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) + { + int el; + +@@ -829,7 +829,7 @@ unsigned char *ssl_add_serverhello_tlsex + #endif + + #ifndef OPENSSL_NO_SRTP +- if(s->srtp_profile) ++ if(SSL_IS_DTLS(s) && s->srtp_profile) + { + int el; + +@@ -1377,7 +1377,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, + + /* session ticket processed earlier */ + #ifndef OPENSSL_NO_SRTP +- else if (type == TLSEXT_TYPE_use_srtp) ++ else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) ++ && type == TLSEXT_TYPE_use_srtp) + { + if(ssl_parse_clienthello_use_srtp_ext(s, data, size, + al)) +@@ -1631,7 +1632,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, + } + #endif + #ifndef OPENSSL_NO_SRTP +- else if (type == TLSEXT_TYPE_use_srtp) ++ else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) + { + if(ssl_parse_serverhello_use_srtp_ext(s, data, size, + al)) diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3567.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3567.patch new file mode 100644 index 0000000000..a01ee694d0 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3567.patch @@ -0,0 +1,14 @@ +diff -up openssl-1.0.1e/ssl/t1_lib.c.ticket-leak openssl-1.0.1e/ssl/t1_lib.c +--- openssl-1.0.1e/ssl/t1_lib.c.ticket-leak 2014-10-15 13:19:26.825454374 +0200 ++++ openssl-1.0.1e/ssl/t1_lib.c 2014-10-15 13:19:59.955202293 +0200 +@@ -2280,7 +2280,10 @@ static int tls_decrypt_ticket(SSL *s, co + HMAC_Final(&hctx, tick_hmac, NULL); + HMAC_CTX_cleanup(&hctx); + if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) ++ { ++ EVP_CIPHER_CTX_cleanup(&ctx); + return 2; ++ } + /* Attempt to decrypt session data */ + /* Move p after IV to start of encrypted ticket, update length */ + p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3570.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3570.patch new file mode 100644 index 0000000000..aff2f025d0 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3570.patch @@ -0,0 +1,3155 @@ +From e078642ddea29bbb6ba29788a6a513796387fbbb Mon Sep 17 00:00:00 2001 +From: Andy Polyakov +Date: Mon, 5 Jan 2015 14:52:56 +0100 +Subject: [PATCH] Fix for CVE-2014-3570. + +Reviewed-by: Emilia Kasper +(cherry picked from commit e793809ba50c1e90ab592fb640a856168e50f3de) +(with 1.0.1-specific addendum) +--- + crypto/bn/asm/mips.pl | 611 +++--------- + crypto/bn/asm/mips3.s | 2201 -------------------------------------------- + crypto/bn/asm/x86_64-gcc.c | 34 +- + crypto/bn/bn_asm.c | 16 +- + crypto/bn/bntest.c | 102 +- + 5 files changed, 234 insertions(+), 2730 deletions(-) + delete mode 100644 crypto/bn/asm/mips3.s + +diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl +index d2f3ef7..215c9a7 100644 +--- a/crypto/bn/asm/mips.pl ++++ b/crypto/bn/asm/mips.pl +@@ -1872,6 +1872,41 @@ ___ + + ($a_4,$a_5,$a_6,$a_7)=($b_0,$b_1,$b_2,$b_3); + ++sub add_c2 () { ++my ($hi,$lo,$c0,$c1,$c2, ++ $warm, # !$warm denotes first call with specific sequence of ++ # $c_[XYZ] when there is no Z-carry to accumulate yet; ++ $an,$bn # these two are arguments for multiplication which ++ # result is used in *next* step [which is why it's ++ # commented as "forward multiplication" below]; ++ )=@_; ++$code.=<<___; ++ mflo $lo ++ mfhi $hi ++ $ADDU $c0,$lo ++ sltu $at,$c0,$lo ++ $MULTU $an,$bn # forward multiplication ++ $ADDU $c0,$lo ++ $ADDU $at,$hi ++ sltu $lo,$c0,$lo ++ $ADDU $c1,$at ++ $ADDU $hi,$lo ++___ ++$code.=<<___ if (!$warm); ++ sltu $c2,$c1,$at ++ $ADDU $c1,$hi ++ sltu $hi,$c1,$hi ++ $ADDU $c2,$hi ++___ ++$code.=<<___ if ($warm); ++ sltu $at,$c1,$at ++ $ADDU $c1,$hi ++ $ADDU $c2,$at ++ sltu $hi,$c1,$hi ++ $ADDU $c2,$hi ++___ ++} ++ + $code.=<<___; + + .align 5 +@@ -1920,21 +1955,10 @@ $code.=<<___; + sltu $at,$c_2,$t_1 + $ADDU $c_3,$t_2,$at + $ST $c_2,$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_2,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_1,$a_1 # mul_add_c(a[1],b[1],c3,c1,c2); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at ++___ ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, ++ $a_1,$a_1); # mul_add_c(a[1],b[1],c3,c1,c2); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_3,$t_1 +@@ -1945,67 +1969,19 @@ $code.=<<___; + sltu $at,$c_1,$t_2 + $ADDU $c_2,$at + $ST $c_3,2*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_3,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_1,$a_2 # mul_add_c2(a[1],b[2],c1,c2,c3); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_3,$at +- $MULTU $a_4,$a_0 # mul_add_c2(a[4],b[0],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at ++___ ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, ++ $a_1,$a_2); # mul_add_c2(a[1],b[2],c1,c2,c3); ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, ++ $a_4,$a_0); # mul_add_c2(a[4],b[0],c2,c3,c1); ++$code.=<<___; + $ST $c_1,3*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_1,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_3,$a_1 # mul_add_c2(a[3],b[1],c2,c3,c1); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_1,$at +- $MULTU $a_2,$a_2 # mul_add_c(a[2],b[2],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at ++___ ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, ++ $a_3,$a_1); # mul_add_c2(a[3],b[1],c2,c3,c1); ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, ++ $a_2,$a_2); # mul_add_c(a[2],b[2],c2,c3,c1); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_2,$t_1 +@@ -2016,97 +1992,23 @@ $code.=<<___; + sltu $at,$c_3,$t_2 + $ADDU $c_1,$at + $ST $c_2,4*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_2,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_1,$a_4 # mul_add_c2(a[1],b[4],c3,c1,c2); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_2,$at +- $MULTU $a_2,$a_3 # mul_add_c2(a[2],b[3],c3,c1,c2); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $MULTU $a_6,$a_0 # mul_add_c2(a[6],b[0],c1,c2,c3); +- $ADDU $c_2,$at +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at ++___ ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, ++ $a_1,$a_4); # mul_add_c2(a[1],b[4],c3,c1,c2); ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, ++ $a_2,$a_3); # mul_add_c2(a[2],b[3],c3,c1,c2); ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, ++ $a_6,$a_0); # mul_add_c2(a[6],b[0],c1,c2,c3); ++$code.=<<___; + $ST $c_3,5*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_3,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_5,$a_1 # mul_add_c2(a[5],b[1],c1,c2,c3); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_3,$at +- $MULTU $a_4,$a_2 # mul_add_c2(a[4],b[2],c1,c2,c3); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_3,$at +- $MULTU $a_3,$a_3 # mul_add_c(a[3],b[3],c1,c2,c3); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at ++___ ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, ++ $a_5,$a_1); # mul_add_c2(a[5],b[1],c1,c2,c3); ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, ++ $a_4,$a_2); # mul_add_c2(a[4],b[2],c1,c2,c3); ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, ++ $a_3,$a_3); # mul_add_c(a[3],b[3],c1,c2,c3); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_1,$t_1 +@@ -2117,112 +2019,25 @@ $code.=<<___; + sltu $at,$c_2,$t_2 + $ADDU $c_3,$at + $ST $c_1,6*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_1,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_1,$a_6 # mul_add_c2(a[1],b[6],c2,c3,c1); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_1,$at +- $MULTU $a_2,$a_5 # mul_add_c2(a[2],b[5],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_1,$at +- $MULTU $a_3,$a_4 # mul_add_c2(a[3],b[4],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_1,$at +- $MULTU $a_7,$a_1 # mul_add_c2(a[7],b[1],c3,c1,c2); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at ++___ ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, ++ $a_1,$a_6); # mul_add_c2(a[1],b[6],c2,c3,c1); ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, ++ $a_2,$a_5); # mul_add_c2(a[2],b[5],c2,c3,c1); ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, ++ $a_3,$a_4); # mul_add_c2(a[3],b[4],c2,c3,c1); ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, ++ $a_7,$a_1); # mul_add_c2(a[7],b[1],c3,c1,c2); ++$code.=<<___; + $ST $c_2,7*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_2,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_6,$a_2 # mul_add_c2(a[6],b[2],c3,c1,c2); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_2,$at +- $MULTU $a_5,$a_3 # mul_add_c2(a[5],b[3],c3,c1,c2); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_2,$at +- $MULTU $a_4,$a_4 # mul_add_c(a[4],b[4],c3,c1,c2); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at ++___ ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, ++ $a_6,$a_2); # mul_add_c2(a[6],b[2],c3,c1,c2); ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, ++ $a_5,$a_3); # mul_add_c2(a[5],b[3],c3,c1,c2); ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, ++ $a_4,$a_4); # mul_add_c(a[4],b[4],c3,c1,c2); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_3,$t_1 +@@ -2233,82 +2048,21 @@ $code.=<<___; + sltu $at,$c_1,$t_2 + $ADDU $c_2,$at + $ST $c_3,8*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_3,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_3,$a_6 # mul_add_c2(a[3],b[6],c1,c2,c3); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_3,$at +- $MULTU $a_4,$a_5 # mul_add_c2(a[4],b[5],c1,c2,c3); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_3,$at +- $MULTU $a_7,$a_3 # mul_add_c2(a[7],b[3],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at ++___ ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, ++ $a_3,$a_6); # mul_add_c2(a[3],b[6],c1,c2,c3); ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, ++ $a_4,$a_5); # mul_add_c2(a[4],b[5],c1,c2,c3); ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, ++ $a_7,$a_3); # mul_add_c2(a[7],b[3],c2,c3,c1); ++$code.=<<___; + $ST $c_1,9*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_1,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_6,$a_4 # mul_add_c2(a[6],b[4],c2,c3,c1); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_1,$at +- $MULTU $a_5,$a_5 # mul_add_c(a[5],b[5],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at ++___ ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, ++ $a_6,$a_4); # mul_add_c2(a[6],b[4],c2,c3,c1); ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,1, ++ $a_5,$a_5); # mul_add_c(a[5],b[5],c2,c3,c1); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_2,$t_1 +@@ -2319,52 +2073,17 @@ $code.=<<___; + sltu $at,$c_3,$t_2 + $ADDU $c_1,$at + $ST $c_2,10*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_2,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_5,$a_6 # mul_add_c2(a[5],b[6],c3,c1,c2); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_2,$at +- $MULTU $a_7,$a_5 # mul_add_c2(a[7],b[5],c1,c2,c3); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at ++___ ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, ++ $a_5,$a_6); # mul_add_c2(a[5],b[6],c3,c1,c2); ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,1, ++ $a_7,$a_5); # mul_add_c2(a[7],b[5],c1,c2,c3); ++$code.=<<___; + $ST $c_3,11*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_3,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_6,$a_6 # mul_add_c(a[6],b[6],c1,c2,c3); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at ++___ ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, ++ $a_6,$a_6); # mul_add_c(a[6],b[6],c1,c2,c3); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_1,$t_1 +@@ -2375,21 +2094,10 @@ $code.=<<___; + sltu $at,$c_2,$t_2 + $ADDU $c_3,$at + $ST $c_1,12*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_1,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_7,$a_7 # mul_add_c(a[7],b[7],c3,c1,c2); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at ++___ ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, ++ $a_7,$a_7); # mul_add_c(a[7],b[7],c3,c1,c2); ++$code.=<<___; + $ST $c_2,13*$BNSZ($a0) + + mflo $t_1 +@@ -2457,21 +2165,10 @@ $code.=<<___; + sltu $at,$c_2,$t_1 + $ADDU $c_3,$t_2,$at + $ST $c_2,$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_2,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_1,$a_1 # mul_add_c(a[1],b[1],c3,c1,c2); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at ++___ ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, ++ $a_1,$a_1); # mul_add_c(a[1],b[1],c3,c1,c2); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_3,$t_1 +@@ -2482,52 +2179,17 @@ $code.=<<___; + sltu $at,$c_1,$t_2 + $ADDU $c_2,$at + $ST $c_3,2*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_3,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_1,$a_2 # mul_add_c(a2[1],b[2],c1,c2,c3); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at +- mflo $t_1 +- mfhi $t_2 +- slt $at,$t_2,$zero +- $ADDU $c_3,$at +- $MULTU $a_3,$a_1 # mul_add_c2(a[3],b[1],c2,c3,c1); +- $SLL $t_2,1 +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_1,$t_1 +- sltu $at,$c_1,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_2,$t_2 +- sltu $at,$c_2,$t_2 +- $ADDU $c_3,$at ++___ ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,0, ++ $a_1,$a_2); # mul_add_c2(a2[1],b[2],c1,c2,c3); ++ &add_c2($t_2,$t_1,$c_1,$c_2,$c_3,1, ++ $a_3,$a_1); # mul_add_c2(a[3],b[1],c2,c3,c1); ++$code.=<<___; + $ST $c_1,3*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_1,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_2,$a_2 # mul_add_c(a[2],b[2],c2,c3,c1); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_2,$t_1 +- sltu $at,$c_2,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_3,$t_2 +- sltu $at,$c_3,$t_2 +- $ADDU $c_1,$at ++___ ++ &add_c2($t_2,$t_1,$c_2,$c_3,$c_1,0, ++ $a_2,$a_2); # mul_add_c(a[2],b[2],c2,c3,c1); ++$code.=<<___; + mflo $t_1 + mfhi $t_2 + $ADDU $c_2,$t_1 +@@ -2538,21 +2200,10 @@ $code.=<<___; + sltu $at,$c_3,$t_2 + $ADDU $c_1,$at + $ST $c_2,4*$BNSZ($a0) +- +- mflo $t_1 +- mfhi $t_2 +- slt $c_2,$t_2,$zero +- $SLL $t_2,1 +- $MULTU $a_3,$a_3 # mul_add_c(a[3],b[3],c1,c2,c3); +- slt $a2,$t_1,$zero +- $ADDU $t_2,$a2 +- $SLL $t_1,1 +- $ADDU $c_3,$t_1 +- sltu $at,$c_3,$t_1 +- $ADDU $t_2,$at +- $ADDU $c_1,$t_2 +- sltu $at,$c_1,$t_2 +- $ADDU $c_2,$at ++___ ++ &add_c2($t_2,$t_1,$c_3,$c_1,$c_2,0, ++ $a_3,$a_3); # mul_add_c(a[3],b[3],c1,c2,c3); ++$code.=<<___; + $ST $c_3,5*$BNSZ($a0) + + mflo $t_1 +diff --git a/crypto/bn/asm/mips3.s b/crypto/bn/asm/mips3.s +deleted file mode 100644 +index dca4105..0000000 +--- a/crypto/bn/asm/mips3.s ++++ /dev/null +@@ -1,2201 +0,0 @@ +-.rdata +-.asciiz "mips3.s, Version 1.1" +-.asciiz "MIPS III/IV ISA artwork by Andy Polyakov " +- +-/* +- * ==================================================================== +- * Written by Andy Polyakov for the OpenSSL +- * project. +- * +- * Rights for redistribution and usage in source and binary forms are +- * granted according to the OpenSSL license. Warranty of any kind is +- * disclaimed. +- * ==================================================================== +- */ +- +-/* +- * This is my modest contributon to the OpenSSL project (see +- * http://www.openssl.org/ for more information about it) and is +- * a drop-in MIPS III/IV ISA replacement for crypto/bn/bn_asm.c +- * module. For updates see http://fy.chalmers.se/~appro/hpe/. +- * +- * The module is designed to work with either of the "new" MIPS ABI(5), +- * namely N32 or N64, offered by IRIX 6.x. It's not ment to work under +- * IRIX 5.x not only because it doesn't support new ABIs but also +- * because 5.x kernels put R4x00 CPU into 32-bit mode and all those +- * 64-bit instructions (daddu, dmultu, etc.) found below gonna only +- * cause illegal instruction exception:-( +- * +- * In addition the code depends on preprocessor flags set up by MIPSpro +- * compiler driver (either as or cc) and therefore (probably?) can't be +- * compiled by the GNU assembler. GNU C driver manages fine though... +- * I mean as long as -mmips-as is specified or is the default option, +- * because then it simply invokes /usr/bin/as which in turn takes +- * perfect care of the preprocessor definitions. Another neat feature +- * offered by the MIPSpro assembler is an optimization pass. This gave +- * me the opportunity to have the code looking more regular as all those +- * architecture dependent instruction rescheduling details were left to +- * the assembler. Cool, huh? +- * +- * Performance improvement is astonishing! 'apps/openssl speed rsa dsa' +- * goes way over 3 times faster! +- * +- * +- */ +-#include +-#include +- +-#if _MIPS_ISA>=4 +-#define MOVNZ(cond,dst,src) \ +- movn dst,src,cond +-#else +-#define MOVNZ(cond,dst,src) \ +- .set noreorder; \ +- bnezl cond,.+8; \ +- move dst,src; \ +- .set reorder +-#endif +- +-.text +- +-.set noat +-.set reorder +- +-#define MINUS4 v1 +- +-.align 5 +-LEAF(bn_mul_add_words) +- .set noreorder +- bgtzl a2,.L_bn_mul_add_words_proceed +- ld t0,0(a1) +- jr ra +- move v0,zero +- .set reorder +- +-.L_bn_mul_add_words_proceed: +- li MINUS4,-4 +- and ta0,a2,MINUS4 +- move v0,zero +- beqz ta0,.L_bn_mul_add_words_tail +- +-.L_bn_mul_add_words_loop: +- dmultu t0,a3 +- ld t1,0(a0) +- ld t2,8(a1) +- ld t3,8(a0) +- ld ta0,16(a1) +- ld ta1,16(a0) +- daddu t1,v0 +- sltu v0,t1,v0 /* All manuals say it "compares 32-bit +- * values", but it seems to work fine +- * even on 64-bit registers. */ +- mflo AT +- mfhi t0 +- daddu t1,AT +- daddu v0,t0 +- sltu AT,t1,AT +- sd t1,0(a0) +- daddu v0,AT +- +- dmultu t2,a3 +- ld ta2,24(a1) +- ld ta3,24(a0) +- daddu t3,v0 +- sltu v0,t3,v0 +- mflo AT +- mfhi t2 +- daddu t3,AT +- daddu v0,t2 +- sltu AT,t3,AT +- sd t3,8(a0) +- daddu v0,AT +- +- dmultu ta0,a3 +- subu a2,4 +- PTR_ADD a0,32 +- PTR_ADD a1,32 +- daddu ta1,v0 +- sltu v0,ta1,v0 +- mflo AT +- mfhi ta0 +- daddu ta1,AT +- daddu v0,ta0 +- sltu AT,ta1,AT +- sd ta1,-16(a0) +- daddu v0,AT +- +- +- dmultu ta2,a3 +- and ta0,a2,MINUS4 +- daddu ta3,v0 +- sltu v0,ta3,v0 +- mflo AT +- mfhi ta2 +- daddu ta3,AT +- daddu v0,ta2 +- sltu AT,ta3,AT +- sd ta3,-8(a0) +- daddu v0,AT +- .set noreorder +- bgtzl ta0,.L_bn_mul_add_words_loop +- ld t0,0(a1) +- +- bnezl a2,.L_bn_mul_add_words_tail +- ld t0,0(a1) +- .set reorder +- +-.L_bn_mul_add_words_return: +- jr ra +- +-.L_bn_mul_add_words_tail: +- dmultu t0,a3 +- ld t1,0(a0) +- subu a2,1 +- daddu t1,v0 +- sltu v0,t1,v0 +- mflo AT +- mfhi t0 +- daddu t1,AT +- daddu v0,t0 +- sltu AT,t1,AT +- sd t1,0(a0) +- daddu v0,AT +- beqz a2,.L_bn_mul_add_words_return +- +- ld t0,8(a1) +- dmultu t0,a3 +- ld t1,8(a0) +- subu a2,1 +- daddu t1,v0 +- sltu v0,t1,v0 +- mflo AT +- mfhi t0 +- daddu t1,AT +- daddu v0,t0 +- sltu AT,t1,AT +- sd t1,8(a0) +- daddu v0,AT +- beqz a2,.L_bn_mul_add_words_return +- +- ld t0,16(a1) +- dmultu t0,a3 +- ld t1,16(a0) +- daddu t1,v0 +- sltu v0,t1,v0 +- mflo AT +- mfhi t0 +- daddu t1,AT +- daddu v0,t0 +- sltu AT,t1,AT +- sd t1,16(a0) +- daddu v0,AT +- jr ra +-END(bn_mul_add_words) +- +-.align 5 +-LEAF(bn_mul_words) +- .set noreorder +- bgtzl a2,.L_bn_mul_words_proceed +- ld t0,0(a1) +- jr ra +- move v0,zero +- .set reorder +- +-.L_bn_mul_words_proceed: +- li MINUS4,-4 +- and ta0,a2,MINUS4 +- move v0,zero +- beqz ta0,.L_bn_mul_words_tail +- +-.L_bn_mul_words_loop: +- dmultu t0,a3 +- ld t2,8(a1) +- ld ta0,16(a1) +- ld ta2,24(a1) +- mflo AT +- mfhi t0 +- daddu v0,AT +- sltu t1,v0,AT +- sd v0,0(a0) +- daddu v0,t1,t0 +- +- dmultu t2,a3 +- subu a2,4 +- PTR_ADD a0,32 +- PTR_ADD a1,32 +- mflo AT +- mfhi t2 +- daddu v0,AT +- sltu t3,v0,AT +- sd v0,-24(a0) +- daddu v0,t3,t2 +- +- dmultu ta0,a3 +- mflo AT +- mfhi ta0 +- daddu v0,AT +- sltu ta1,v0,AT +- sd v0,-16(a0) +- daddu v0,ta1,ta0 +- +- +- dmultu ta2,a3 +- and ta0,a2,MINUS4 +- mflo AT +- mfhi ta2 +- daddu v0,AT +- sltu ta3,v0,AT +- sd v0,-8(a0) +- daddu v0,ta3,ta2 +- .set noreorder +- bgtzl ta0,.L_bn_mul_words_loop +- ld t0,0(a1) +- +- bnezl a2,.L_bn_mul_words_tail +- ld t0,0(a1) +- .set reorder +- +-.L_bn_mul_words_return: +- jr ra +- +-.L_bn_mul_words_tail: +- dmultu t0,a3 +- subu a2,1 +- mflo AT +- mfhi t0 +- daddu v0,AT +- sltu t1,v0,AT +- sd v0,0(a0) +- daddu v0,t1,t0 +- beqz a2,.L_bn_mul_words_return +- +- ld t0,8(a1) +- dmultu t0,a3 +- subu a2,1 +- mflo AT +- mfhi t0 +- daddu v0,AT +- sltu t1,v0,AT +- sd v0,8(a0) +- daddu v0,t1,t0 +- beqz a2,.L_bn_mul_words_return +- +- ld t0,16(a1) +- dmultu t0,a3 +- mflo AT +- mfhi t0 +- daddu v0,AT +- sltu t1,v0,AT +- sd v0,16(a0) +- daddu v0,t1,t0 +- jr ra +-END(bn_mul_words) +- +-.align 5 +-LEAF(bn_sqr_words) +- .set noreorder +- bgtzl a2,.L_bn_sqr_words_proceed +- ld t0,0(a1) +- jr ra +- move v0,zero +- .set reorder +- +-.L_bn_sqr_words_proceed: +- li MINUS4,-4 +- and ta0,a2,MINUS4 +- move v0,zero +- beqz ta0,.L_bn_sqr_words_tail +- +-.L_bn_sqr_words_loop: +- dmultu t0,t0 +- ld t2,8(a1) +- ld ta0,16(a1) +- ld ta2,24(a1) +- mflo t1 +- mfhi t0 +- sd t1,0(a0) +- sd t0,8(a0) +- +- dmultu t2,t2 +- subu a2,4 +- PTR_ADD a0,64 +- PTR_ADD a1,32 +- mflo t3 +- mfhi t2 +- sd t3,-48(a0) +- sd t2,-40(a0) +- +- dmultu ta0,ta0 +- mflo ta1 +- mfhi ta0 +- sd ta1,-32(a0) +- sd ta0,-24(a0) +- +- +- dmultu ta2,ta2 +- and ta0,a2,MINUS4 +- mflo ta3 +- mfhi ta2 +- sd ta3,-16(a0) +- sd ta2,-8(a0) +- +- .set noreorder +- bgtzl ta0,.L_bn_sqr_words_loop +- ld t0,0(a1) +- +- bnezl a2,.L_bn_sqr_words_tail +- ld t0,0(a1) +- .set reorder +- +-.L_bn_sqr_words_return: +- move v0,zero +- jr ra +- +-.L_bn_sqr_words_tail: +- dmultu t0,t0 +- subu a2,1 +- mflo t1 +- mfhi t0 +- sd t1,0(a0) +- sd t0,8(a0) +- beqz a2,.L_bn_sqr_words_return +- +- ld t0,8(a1) +- dmultu t0,t0 +- subu a2,1 +- mflo t1 +- mfhi t0 +- sd t1,16(a0) +- sd t0,24(a0) +- beqz a2,.L_bn_sqr_words_return +- +- ld t0,16(a1) +- dmultu t0,t0 +- mflo t1 +- mfhi t0 +- sd t1,32(a0) +- sd t0,40(a0) +- jr ra +-END(bn_sqr_words) +- +-.align 5 +-LEAF(bn_add_words) +- .set noreorder +- bgtzl a3,.L_bn_add_words_proceed +- ld t0,0(a1) +- jr ra +- move v0,zero +- .set reorder +- +-.L_bn_add_words_proceed: +- li MINUS4,-4 +- and AT,a3,MINUS4 +- move v0,zero +- beqz AT,.L_bn_add_words_tail +- +-.L_bn_add_words_loop: +- ld ta0,0(a2) +- subu a3,4 +- ld t1,8(a1) +- and AT,a3,MINUS4 +- ld t2,16(a1) +- PTR_ADD a2,32 +- ld t3,24(a1) +- PTR_ADD a0,32 +- ld ta1,-24(a2) +- PTR_ADD a1,32 +- ld ta2,-16(a2) +- ld ta3,-8(a2) +- daddu ta0,t0 +- sltu t8,ta0,t0 +- daddu t0,ta0,v0 +- sltu v0,t0,ta0 +- sd t0,-32(a0) +- daddu v0,t8 +- +- daddu ta1,t1 +- sltu t9,ta1,t1 +- daddu t1,ta1,v0 +- sltu v0,t1,ta1 +- sd t1,-24(a0) +- daddu v0,t9 +- +- daddu ta2,t2 +- sltu t8,ta2,t2 +- daddu t2,ta2,v0 +- sltu v0,t2,ta2 +- sd t2,-16(a0) +- daddu v0,t8 +- +- daddu ta3,t3 +- sltu t9,ta3,t3 +- daddu t3,ta3,v0 +- sltu v0,t3,ta3 +- sd t3,-8(a0) +- daddu v0,t9 +- +- .set noreorder +- bgtzl AT,.L_bn_add_words_loop +- ld t0,0(a1) +- +- bnezl a3,.L_bn_add_words_tail +- ld t0,0(a1) +- .set reorder +- +-.L_bn_add_words_return: +- jr ra +- +-.L_bn_add_words_tail: +- ld ta0,0(a2) +- daddu ta0,t0 +- subu a3,1 +- sltu t8,ta0,t0 +- daddu t0,ta0,v0 +- sltu v0,t0,ta0 +- sd t0,0(a0) +- daddu v0,t8 +- beqz a3,.L_bn_add_words_return +- +- ld t1,8(a1) +- ld ta1,8(a2) +- daddu ta1,t1 +- subu a3,1 +- sltu t9,ta1,t1 +- daddu t1,ta1,v0 +- sltu v0,t1,ta1 +- sd t1,8(a0) +- daddu v0,t9 +- beqz a3,.L_bn_add_words_return +- +- ld t2,16(a1) +- ld ta2,16(a2) +- daddu ta2,t2 +- sltu t8,ta2,t2 +- daddu t2,ta2,v0 +- sltu v0,t2,ta2 +- sd t2,16(a0) +- daddu v0,t8 +- jr ra +-END(bn_add_words) +- +-.align 5 +-LEAF(bn_sub_words) +- .set noreorder +- bgtzl a3,.L_bn_sub_words_proceed +- ld t0,0(a1) +- jr ra +- move v0,zero +- .set reorder +- +-.L_bn_sub_words_proceed: +- li MINUS4,-4 +- and AT,a3,MINUS4 +- move v0,zero +- beqz AT,.L_bn_sub_words_tail +- +-.L_bn_sub_words_loop: +- ld ta0,0(a2) +- subu a3,4 +- ld t1,8(a1) +- and AT,a3,MINUS4 +- ld t2,16(a1) +- PTR_ADD a2,32 +- ld t3,24(a1) +- PTR_ADD a0,32 +- ld ta1,-24(a2) +- PTR_ADD a1,32 +- ld ta2,-16(a2) +- ld ta3,-8(a2) +- sltu t8,t0,ta0 +- dsubu t0,ta0 +- dsubu ta0,t0,v0 +- sd ta0,-32(a0) +- MOVNZ (t0,v0,t8) +- +- sltu t9,t1,ta1 +- dsubu t1,ta1 +- dsubu ta1,t1,v0 +- sd ta1,-24(a0) +- MOVNZ (t1,v0,t9) +- +- +- sltu t8,t2,ta2 +- dsubu t2,ta2 +- dsubu ta2,t2,v0 +- sd ta2,-16(a0) +- MOVNZ (t2,v0,t8) +- +- sltu t9,t3,ta3 +- dsubu t3,ta3 +- dsubu ta3,t3,v0 +- sd ta3,-8(a0) +- MOVNZ (t3,v0,t9) +- +- .set noreorder +- bgtzl AT,.L_bn_sub_words_loop +- ld t0,0(a1) +- +- bnezl a3,.L_bn_sub_words_tail +- ld t0,0(a1) +- .set reorder +- +-.L_bn_sub_words_return: +- jr ra +- +-.L_bn_sub_words_tail: +- ld ta0,0(a2) +- subu a3,1 +- sltu t8,t0,ta0 +- dsubu t0,ta0 +- dsubu ta0,t0,v0 +- MOVNZ (t0,v0,t8) +- sd ta0,0(a0) +- beqz a3,.L_bn_sub_words_return +- +- ld t1,8(a1) +- subu a3,1 +- ld ta1,8(a2) +- sltu t9,t1,ta1 +- dsubu t1,ta1 +- dsubu ta1,t1,v0 +- MOVNZ (t1,v0,t9) +- sd ta1,8(a0) +- beqz a3,.L_bn_sub_words_return +- +- ld t2,16(a1) +- ld ta2,16(a2) +- sltu t8,t2,ta2 +- dsubu t2,ta2 +- dsubu ta2,t2,v0 +- MOVNZ (t2,v0,t8) +- sd ta2,16(a0) +- jr ra +-END(bn_sub_words) +- +-#undef MINUS4 +- +-.align 5 +-LEAF(bn_div_3_words) +- .set reorder +- move a3,a0 /* we know that bn_div_words doesn't +- * touch a3, ta2, ta3 and preserves a2 +- * so that we can save two arguments +- * and return address in registers +- * instead of stack:-) +- */ +- ld a0,(a3) +- move ta2,a1 +- ld a1,-8(a3) +- bne a0,a2,.L_bn_div_3_words_proceed +- li v0,-1 +- jr ra +-.L_bn_div_3_words_proceed: +- move ta3,ra +- bal bn_div_words +- move ra,ta3 +- dmultu ta2,v0 +- ld t2,-16(a3) +- move ta0,zero +- mfhi t1 +- mflo t0 +- sltu t8,t1,v1 +-.L_bn_div_3_words_inner_loop: +- bnez t8,.L_bn_div_3_words_inner_loop_done +- sgeu AT,t2,t0 +- seq t9,t1,v1 +- and AT,t9 +- sltu t3,t0,ta2 +- daddu v1,a2 +- dsubu t1,t3 +- dsubu t0,ta2 +- sltu t8,t1,v1 +- sltu ta0,v1,a2 +- or t8,ta0 +- .set noreorder +- beqzl AT,.L_bn_div_3_words_inner_loop +- dsubu v0,1 +- .set reorder +-.L_bn_div_3_words_inner_loop_done: +- jr ra +-END(bn_div_3_words) +- +-.align 5 +-LEAF(bn_div_words) +- .set noreorder +- bnezl a2,.L_bn_div_words_proceed +- move v1,zero +- jr ra +- li v0,-1 /* I'd rather signal div-by-zero +- * which can be done with 'break 7' */ +- +-.L_bn_div_words_proceed: +- bltz a2,.L_bn_div_words_body +- move t9,v1 +- dsll a2,1 +- bgtz a2,.-4 +- addu t9,1 +- +- .set reorder +- negu t1,t9 +- li t2,-1 +- dsll t2,t1 +- and t2,a0 +- dsrl AT,a1,t1 +- .set noreorder +- bnezl t2,.+8 +- break 6 /* signal overflow */ +- .set reorder +- dsll a0,t9 +- dsll a1,t9 +- or a0,AT +- +-#define QT ta0 +-#define HH ta1 +-#define DH v1 +-.L_bn_div_words_body: +- dsrl DH,a2,32 +- sgeu AT,a0,a2 +- .set noreorder +- bnezl AT,.+8 +- dsubu a0,a2 +- .set reorder +- +- li QT,-1 +- dsrl HH,a0,32 +- dsrl QT,32 /* q=0xffffffff */ +- beq DH,HH,.L_bn_div_words_skip_div1 +- ddivu zero,a0,DH +- mflo QT +-.L_bn_div_words_skip_div1: +- dmultu a2,QT +- dsll t3,a0,32 +- dsrl AT,a1,32 +- or t3,AT +- mflo t0 +- mfhi t1 +-.L_bn_div_words_inner_loop1: +- sltu t2,t3,t0 +- seq t8,HH,t1 +- sltu AT,HH,t1 +- and t2,t8 +- sltu v0,t0,a2 +- or AT,t2 +- .set noreorder +- beqz AT,.L_bn_div_words_inner_loop1_done +- dsubu t1,v0 +- dsubu t0,a2 +- b .L_bn_div_words_inner_loop1 +- dsubu QT,1 +- .set reorder +-.L_bn_div_words_inner_loop1_done: +- +- dsll a1,32 +- dsubu a0,t3,t0 +- dsll v0,QT,32 +- +- li QT,-1 +- dsrl HH,a0,32 +- dsrl QT,32 /* q=0xffffffff */ +- beq DH,HH,.L_bn_div_words_skip_div2 +- ddivu zero,a0,DH +- mflo QT +-.L_bn_div_words_skip_div2: +-#undef DH +- dmultu a2,QT +- dsll t3,a0,32 +- dsrl AT,a1,32 +- or t3,AT +- mflo t0 +- mfhi t1 +-.L_bn_div_words_inner_loop2: +- sltu t2,t3,t0 +- seq t8,HH,t1 +- sltu AT,HH,t1 +- and t2,t8 +- sltu v1,t0,a2 +- or AT,t2 +- .set noreorder +- beqz AT,.L_bn_div_words_inner_loop2_done +- dsubu t1,v1 +- dsubu t0,a2 +- b .L_bn_div_words_inner_loop2 +- dsubu QT,1 +- .set reorder +-.L_bn_div_words_inner_loop2_done: +-#undef HH +- +- dsubu a0,t3,t0 +- or v0,QT +- dsrl v1,a0,t9 /* v1 contains remainder if anybody wants it */ +- dsrl a2,t9 /* restore a2 */ +- jr ra +-#undef QT +-END(bn_div_words) +- +-#define a_0 t0 +-#define a_1 t1 +-#define a_2 t2 +-#define a_3 t3 +-#define b_0 ta0 +-#define b_1 ta1 +-#define b_2 ta2 +-#define b_3 ta3 +- +-#define a_4 s0 +-#define a_5 s2 +-#define a_6 s4 +-#define a_7 a1 /* once we load a[7] we don't need a anymore */ +-#define b_4 s1 +-#define b_5 s3 +-#define b_6 s5 +-#define b_7 a2 /* once we load b[7] we don't need b anymore */ +- +-#define t_1 t8 +-#define t_2 t9 +- +-#define c_1 v0 +-#define c_2 v1 +-#define c_3 a3 +- +-#define FRAME_SIZE 48 +- +-.align 5 +-LEAF(bn_mul_comba8) +- .set noreorder +- PTR_SUB sp,FRAME_SIZE +- .frame sp,64,ra +- .set reorder +- ld a_0,0(a1) /* If compiled with -mips3 option on +- * R5000 box assembler barks on this +- * line with "shouldn't have mult/div +- * as last instruction in bb (R10K +- * bug)" warning. If anybody out there +- * has a clue about how to circumvent +- * this do send me a note. +- * +- */ +- ld b_0,0(a2) +- ld a_1,8(a1) +- ld a_2,16(a1) +- ld a_3,24(a1) +- ld b_1,8(a2) +- ld b_2,16(a2) +- ld b_3,24(a2) +- dmultu a_0,b_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */ +- sd s0,0(sp) +- sd s1,8(sp) +- sd s2,16(sp) +- sd s3,24(sp) +- sd s4,32(sp) +- sd s5,40(sp) +- mflo c_1 +- mfhi c_2 +- +- dmultu a_0,b_1 /* mul_add_c(a[0],b[1],c2,c3,c1); */ +- ld a_4,32(a1) +- ld a_5,40(a1) +- ld a_6,48(a1) +- ld a_7,56(a1) +- ld b_4,32(a2) +- ld b_5,40(a2) +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu c_3,t_2,AT +- dmultu a_1,b_0 /* mul_add_c(a[1],b[0],c2,c3,c1); */ +- ld b_6,48(a2) +- ld b_7,56(a2) +- sd c_1,0(a0) /* r[0]=c1; */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- sd c_2,8(a0) /* r[1]=c2; */ +- +- dmultu a_2,b_0 /* mul_add_c(a[2],b[0],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- dmultu a_1,b_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu c_2,c_1,t_2 +- dmultu a_0,b_2 /* mul_add_c(a[0],b[2],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,16(a0) /* r[2]=c3; */ +- +- dmultu a_0,b_3 /* mul_add_c(a[0],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu c_3,c_2,t_2 +- dmultu a_1,b_2 /* mul_add_c(a[1],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_2,b_1 /* mul_add_c(a[2],b[1],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_3,b_0 /* mul_add_c(a[3],b[0],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,24(a0) /* r[3]=c1; */ +- +- dmultu a_4,b_0 /* mul_add_c(a[4],b[0],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- dmultu a_3,b_1 /* mul_add_c(a[3],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_2,b_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_1,b_3 /* mul_add_c(a[1],b[3],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_0,b_4 /* mul_add_c(a[0],b[4],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,32(a0) /* r[4]=c2; */ +- +- dmultu a_0,b_5 /* mul_add_c(a[0],b[5],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu c_2,c_1,t_2 +- dmultu a_1,b_4 /* mul_add_c(a[1],b[4],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_2,b_3 /* mul_add_c(a[2],b[3],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_3,b_2 /* mul_add_c(a[3],b[2],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_4,b_1 /* mul_add_c(a[4],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_5,b_0 /* mul_add_c(a[5],b[0],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,40(a0) /* r[5]=c3; */ +- +- dmultu a_6,b_0 /* mul_add_c(a[6],b[0],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu c_3,c_2,t_2 +- dmultu a_5,b_1 /* mul_add_c(a[5],b[1],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_4,b_2 /* mul_add_c(a[4],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_3,b_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_2,b_4 /* mul_add_c(a[2],b[4],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_1,b_5 /* mul_add_c(a[1],b[5],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_0,b_6 /* mul_add_c(a[0],b[6],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,48(a0) /* r[6]=c1; */ +- +- dmultu a_0,b_7 /* mul_add_c(a[0],b[7],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- dmultu a_1,b_6 /* mul_add_c(a[1],b[6],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_2,b_5 /* mul_add_c(a[2],b[5],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_3,b_4 /* mul_add_c(a[3],b[4],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_4,b_3 /* mul_add_c(a[4],b[3],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_5,b_2 /* mul_add_c(a[5],b[2],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_6,b_1 /* mul_add_c(a[6],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_7,b_0 /* mul_add_c(a[7],b[0],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,56(a0) /* r[7]=c2; */ +- +- dmultu a_7,b_1 /* mul_add_c(a[7],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu c_2,c_1,t_2 +- dmultu a_6,b_2 /* mul_add_c(a[6],b[2],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_5,b_3 /* mul_add_c(a[5],b[3],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_4,b_4 /* mul_add_c(a[4],b[4],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_3,b_5 /* mul_add_c(a[3],b[5],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_2,b_6 /* mul_add_c(a[2],b[6],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_1,b_7 /* mul_add_c(a[1],b[7],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,64(a0) /* r[8]=c3; */ +- +- dmultu a_2,b_7 /* mul_add_c(a[2],b[7],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu c_3,c_2,t_2 +- dmultu a_3,b_6 /* mul_add_c(a[3],b[6],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_4,b_5 /* mul_add_c(a[4],b[5],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_5,b_4 /* mul_add_c(a[5],b[4],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_6,b_3 /* mul_add_c(a[6],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_7,b_2 /* mul_add_c(a[7],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,72(a0) /* r[9]=c1; */ +- +- dmultu a_7,b_3 /* mul_add_c(a[7],b[3],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- dmultu a_6,b_4 /* mul_add_c(a[6],b[4],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_5,b_5 /* mul_add_c(a[5],b[5],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_4,b_6 /* mul_add_c(a[4],b[6],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_3,b_7 /* mul_add_c(a[3],b[7],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,80(a0) /* r[10]=c2; */ +- +- dmultu a_4,b_7 /* mul_add_c(a[4],b[7],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu c_2,c_1,t_2 +- dmultu a_5,b_6 /* mul_add_c(a[5],b[6],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_6,b_5 /* mul_add_c(a[6],b[5],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_7,b_4 /* mul_add_c(a[7],b[4],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,88(a0) /* r[11]=c3; */ +- +- dmultu a_7,b_5 /* mul_add_c(a[7],b[5],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu c_3,c_2,t_2 +- dmultu a_6,b_6 /* mul_add_c(a[6],b[6],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_5,b_7 /* mul_add_c(a[5],b[7],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,96(a0) /* r[12]=c1; */ +- +- dmultu a_6,b_7 /* mul_add_c(a[6],b[7],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- dmultu a_7,b_6 /* mul_add_c(a[7],b[6],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,104(a0) /* r[13]=c2; */ +- +- dmultu a_7,b_7 /* mul_add_c(a[7],b[7],c3,c1,c2); */ +- ld s0,0(sp) +- ld s1,8(sp) +- ld s2,16(sp) +- ld s3,24(sp) +- ld s4,32(sp) +- ld s5,40(sp) +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sd c_3,112(a0) /* r[14]=c3; */ +- sd c_1,120(a0) /* r[15]=c1; */ +- +- PTR_ADD sp,FRAME_SIZE +- +- jr ra +-END(bn_mul_comba8) +- +-.align 5 +-LEAF(bn_mul_comba4) +- .set reorder +- ld a_0,0(a1) +- ld b_0,0(a2) +- ld a_1,8(a1) +- ld a_2,16(a1) +- dmultu a_0,b_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */ +- ld a_3,24(a1) +- ld b_1,8(a2) +- ld b_2,16(a2) +- ld b_3,24(a2) +- mflo c_1 +- mfhi c_2 +- sd c_1,0(a0) +- +- dmultu a_0,b_1 /* mul_add_c(a[0],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu c_3,t_2,AT +- dmultu a_1,b_0 /* mul_add_c(a[1],b[0],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- sd c_2,8(a0) +- +- dmultu a_2,b_0 /* mul_add_c(a[2],b[0],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- dmultu a_1,b_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu c_2,c_1,t_2 +- dmultu a_0,b_2 /* mul_add_c(a[0],b[2],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,16(a0) +- +- dmultu a_0,b_3 /* mul_add_c(a[0],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu c_3,c_2,t_2 +- dmultu a_1,b_2 /* mul_add_c(a[1],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_2,b_1 /* mul_add_c(a[2],b[1],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_3,b_0 /* mul_add_c(a[3],b[0],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,24(a0) +- +- dmultu a_3,b_1 /* mul_add_c(a[3],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu c_1,c_3,t_2 +- dmultu a_2,b_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_1,b_3 /* mul_add_c(a[1],b[3],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,32(a0) +- +- dmultu a_2,b_3 /* mul_add_c(a[2],b[3],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu c_2,c_1,t_2 +- dmultu a_3,b_2 /* mul_add_c(a[3],b[2],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,40(a0) +- +- dmultu a_3,b_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sd c_1,48(a0) +- sd c_2,56(a0) +- +- jr ra +-END(bn_mul_comba4) +- +-#undef a_4 +-#undef a_5 +-#undef a_6 +-#undef a_7 +-#define a_4 b_0 +-#define a_5 b_1 +-#define a_6 b_2 +-#define a_7 b_3 +- +-.align 5 +-LEAF(bn_sqr_comba8) +- .set reorder +- ld a_0,0(a1) +- ld a_1,8(a1) +- ld a_2,16(a1) +- ld a_3,24(a1) +- +- dmultu a_0,a_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */ +- ld a_4,32(a1) +- ld a_5,40(a1) +- ld a_6,48(a1) +- ld a_7,56(a1) +- mflo c_1 +- mfhi c_2 +- sd c_1,0(a0) +- +- dmultu a_0,a_1 /* mul_add_c2(a[0],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu c_3,t_2,AT +- sd c_2,8(a0) +- +- dmultu a_2,a_0 /* mul_add_c2(a[2],b[0],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt c_2,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_1,a_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,16(a0) +- +- dmultu a_0,a_3 /* mul_add_c2(a[0],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt c_3,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_1,a_2 /* mul_add_c2(a[1],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_3,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,24(a0) +- +- dmultu a_4,a_0 /* mul_add_c2(a[4],b[0],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_3,a_1 /* mul_add_c2(a[3],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_1,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_2,a_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,32(a0) +- +- dmultu a_0,a_5 /* mul_add_c2(a[0],b[5],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt c_2,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_1,a_4 /* mul_add_c2(a[1],b[4],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_2,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_2,a_3 /* mul_add_c2(a[2],b[3],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_2,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,40(a0) +- +- dmultu a_6,a_0 /* mul_add_c2(a[6],b[0],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt c_3,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_5,a_1 /* mul_add_c2(a[5],b[1],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_3,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_4,a_2 /* mul_add_c2(a[4],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_3,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_3,a_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,48(a0) +- +- dmultu a_0,a_7 /* mul_add_c2(a[0],b[7],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_1,a_6 /* mul_add_c2(a[1],b[6],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_1,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_2,a_5 /* mul_add_c2(a[2],b[5],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_1,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_3,a_4 /* mul_add_c2(a[3],b[4],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_1,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,56(a0) +- +- dmultu a_7,a_1 /* mul_add_c2(a[7],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt c_2,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_6,a_2 /* mul_add_c2(a[6],b[2],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_2,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_5,a_3 /* mul_add_c2(a[5],b[3],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_2,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_4,a_4 /* mul_add_c(a[4],b[4],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,64(a0) +- +- dmultu a_2,a_7 /* mul_add_c2(a[2],b[7],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt c_3,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_3,a_6 /* mul_add_c2(a[3],b[6],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_3,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_4,a_5 /* mul_add_c2(a[4],b[5],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_3,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,72(a0) +- +- dmultu a_7,a_3 /* mul_add_c2(a[7],b[3],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_6,a_4 /* mul_add_c2(a[6],b[4],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_1,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_5,a_5 /* mul_add_c(a[5],b[5],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,80(a0) +- +- dmultu a_4,a_7 /* mul_add_c2(a[4],b[7],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt c_2,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_5,a_6 /* mul_add_c2(a[5],b[6],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_2,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,88(a0) +- +- dmultu a_7,a_5 /* mul_add_c2(a[7],b[5],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt c_3,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_6,a_6 /* mul_add_c(a[6],b[6],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,96(a0) +- +- dmultu a_6,a_7 /* mul_add_c2(a[6],b[7],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,104(a0) +- +- dmultu a_7,a_7 /* mul_add_c(a[7],b[7],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sd c_3,112(a0) +- sd c_1,120(a0) +- +- jr ra +-END(bn_sqr_comba8) +- +-.align 5 +-LEAF(bn_sqr_comba4) +- .set reorder +- ld a_0,0(a1) +- ld a_1,8(a1) +- ld a_2,16(a1) +- ld a_3,24(a1) +- dmultu a_0,a_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */ +- mflo c_1 +- mfhi c_2 +- sd c_1,0(a0) +- +- dmultu a_0,a_1 /* mul_add_c2(a[0],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu c_3,t_2,AT +- sd c_2,8(a0) +- +- dmultu a_2,a_0 /* mul_add_c2(a[2],b[0],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt c_2,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- dmultu a_1,a_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,16(a0) +- +- dmultu a_0,a_3 /* mul_add_c2(a[0],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt c_3,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- dmultu a_1,a_2 /* mul_add_c(a2[1],b[2],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- slt AT,t_2,zero +- daddu c_3,AT +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sltu AT,c_2,t_2 +- daddu c_3,AT +- sd c_1,24(a0) +- +- dmultu a_3,a_1 /* mul_add_c2(a[3],b[1],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- slt c_1,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- dmultu a_2,a_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ +- mflo t_1 +- mfhi t_2 +- daddu c_2,t_1 +- sltu AT,c_2,t_1 +- daddu t_2,AT +- daddu c_3,t_2 +- sltu AT,c_3,t_2 +- daddu c_1,AT +- sd c_2,32(a0) +- +- dmultu a_2,a_3 /* mul_add_c2(a[2],b[3],c3,c1,c2); */ +- mflo t_1 +- mfhi t_2 +- slt c_2,t_2,zero +- dsll t_2,1 +- slt a2,t_1,zero +- daddu t_2,a2 +- dsll t_1,1 +- daddu c_3,t_1 +- sltu AT,c_3,t_1 +- daddu t_2,AT +- daddu c_1,t_2 +- sltu AT,c_1,t_2 +- daddu c_2,AT +- sd c_3,40(a0) +- +- dmultu a_3,a_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */ +- mflo t_1 +- mfhi t_2 +- daddu c_1,t_1 +- sltu AT,c_1,t_1 +- daddu t_2,AT +- daddu c_2,t_2 +- sd c_1,48(a0) +- sd c_2,56(a0) +- +- jr ra +-END(bn_sqr_comba4) +diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c +index 31476ab..2d39407 100644 +--- a/crypto/bn/asm/x86_64-gcc.c ++++ b/crypto/bn/asm/x86_64-gcc.c +@@ -273,6 +273,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) + /* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */ + /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */ + ++/* ++ * Keep in mind that carrying into high part of multiplication result ++ * can not overflow, because it cannot be all-ones. ++ */ + #if 0 + /* original macros are kept for reference purposes */ + #define mul_add_c(a,b,c0,c1,c2) { \ +@@ -287,10 +291,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) + BN_ULONG ta=(a),tb=(b),t0; \ + t1 = BN_UMULT_HIGH(ta,tb); \ + t0 = ta * tb; \ +- t2 = t1+t1; c2 += (t2neg=rand_neg(); ++ BN_sqr(c,a,ctx); + if (bp != NULL) + { + if (!results) + { +- BN_print(bp,&a); ++ BN_print(bp,a); + BIO_puts(bp," * "); +- BN_print(bp,&a); ++ BN_print(bp,a); + BIO_puts(bp," - "); + } +- BN_print(bp,&c); ++ BN_print(bp,c); + BIO_puts(bp,"\n"); + } +- BN_div(&d,&e,&c,&a,ctx); +- BN_sub(&d,&d,&a); +- if(!BN_is_zero(&d) || !BN_is_zero(&e)) +- { +- fprintf(stderr,"Square test failed!\n"); +- return 0; +- } ++ BN_div(d,e,c,a,ctx); ++ BN_sub(d,d,a); ++ if(!BN_is_zero(d) || !BN_is_zero(e)) ++ { ++ fprintf(stderr,"Square test failed!\n"); ++ goto err; ++ } + } +- BN_free(&a); +- BN_free(&c); +- BN_free(&d); +- BN_free(&e); +- return(1); ++ ++ /* Regression test for a BN_sqr overflow bug. */ ++ BN_hex2bn(&a, ++ "80000000000000008000000000000001FFFFFFFFFFFFFFFE0000000000000000"); ++ BN_sqr(c, a, ctx); ++ if (bp != NULL) ++ { ++ if (!results) ++ { ++ BN_print(bp,a); ++ BIO_puts(bp," * "); ++ BN_print(bp,a); ++ BIO_puts(bp," - "); ++ } ++ BN_print(bp,c); ++ BIO_puts(bp,"\n"); ++ } ++ BN_mul(d, a, a, ctx); ++ if (BN_cmp(c, d)) ++ { ++ fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce " ++ "different results!\n"); ++ goto err; ++ } ++ ++ /* Regression test for a BN_sqr overflow bug. */ ++ BN_hex2bn(&a, ++ "80000000000000000000000080000001FFFFFFFE000000000000000000000000"); ++ BN_sqr(c, a, ctx); ++ if (bp != NULL) ++ { ++ if (!results) ++ { ++ BN_print(bp,a); ++ BIO_puts(bp," * "); ++ BN_print(bp,a); ++ BIO_puts(bp," - "); ++ } ++ BN_print(bp,c); ++ BIO_puts(bp,"\n"); ++ } ++ BN_mul(d, a, a, ctx); ++ if (BN_cmp(c, d)) ++ { ++ fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce " ++ "different results!\n"); ++ goto err; ++ } ++ ret = 1; ++err: ++ if (a != NULL) BN_free(a); ++ if (c != NULL) BN_free(c); ++ if (d != NULL) BN_free(d); ++ if (e != NULL) BN_free(e); ++ return ret; + } + + int test_mont(BIO *bp, BN_CTX *ctx) +-- +1.8.3.1 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3571.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3571.patch new file mode 100644 index 0000000000..9c93b7f573 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3571.patch @@ -0,0 +1,34 @@ +diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls1-reads openssl-1.0.1e/ssl/d1_pkt.c +--- openssl-1.0.1e/ssl/d1_pkt.c.dtls1-reads 2015-01-12 17:31:41.647213706 +0100 ++++ openssl-1.0.1e/ssl/d1_pkt.c 2015-01-12 17:38:21.708261411 +0100 +@@ -641,8 +641,6 @@ again: + /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ + i=rr->length; + n=ssl3_read_n(s,i,i,1); +- if (n <= 0) return(n); /* error or non-blocking io */ +- + /* this packet contained a partial record, dump it */ + if ( n != i) + { +@@ -677,7 +675,8 @@ again: + * would be dropped unnecessarily. + */ + if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && +- *p == SSL3_MT_CLIENT_HELLO) && ++ s->packet_length > DTLS1_RT_HEADER_LENGTH && ++ s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) && + !dtls1_record_replay_check(s, bitmap)) + { + rr->length = 0; +diff -up openssl-1.0.1e/ssl/s3_pkt.c.dtls1-reads openssl-1.0.1e/ssl/s3_pkt.c +--- openssl-1.0.1e/ssl/s3_pkt.c.dtls1-reads 2015-01-12 17:31:41.680214453 +0100 ++++ openssl-1.0.1e/ssl/s3_pkt.c 2015-01-12 17:38:06.721922482 +0100 +@@ -182,6 +182,8 @@ int ssl3_read_n(SSL *s, int n, int max, + * at once (as long as it fits into the buffer). */ + if (SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER) + { ++ if (left == 0 && extend) ++ return 0; + if (left > 0 && n > left) + n = left; + } diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3572.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3572.patch new file mode 100644 index 0000000000..013876b974 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-3572.patch @@ -0,0 +1,51 @@ +diff -up openssl-1.0.1e/ssl/s3_clnt.c.ecdh-downgrade openssl-1.0.1e/ssl/s3_clnt.c +--- openssl-1.0.1e/ssl/s3_clnt.c.ecdh-downgrade 2015-01-12 16:37:49.978126895 +0100 ++++ openssl-1.0.1e/ssl/s3_clnt.c 2015-01-12 17:02:01.740959687 +0100 +@@ -1287,6 +1287,8 @@ int ssl3_get_key_exchange(SSL *s) + int encoded_pt_len = 0; + #endif + ++ EVP_MD_CTX_init(&md_ctx); ++ + /* use same message size as in ssl3_get_certificate_request() + * as ServerKeyExchange message may be skipped */ + n=s->method->ssl_get_message(s, +@@ -1297,14 +1299,26 @@ int ssl3_get_key_exchange(SSL *s) + &ok); + if (!ok) return((int)n); + ++ alg_k=s->s3->tmp.new_cipher->algorithm_mkey; ++ + if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) + { ++ /* ++ * Can't skip server key exchange if this is an ephemeral ++ * ciphersuite. ++ */ ++ if (alg_k & (SSL_kEDH|SSL_kEECDH)) ++ { ++ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE); ++ al = SSL_AD_UNEXPECTED_MESSAGE; ++ goto f_err; ++ } + #ifndef OPENSSL_NO_PSK + /* In plain PSK ciphersuite, ServerKeyExchange can be + omitted if no identity hint is sent. Set + session->sess_cert anyway to avoid problems + later.*/ +- if (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK) ++ if (alg_k & SSL_kPSK) + { + s->session->sess_cert=ssl_sess_cert_new(); + if (s->ctx->psk_identity_hint) +@@ -1347,9 +1361,8 @@ int ssl3_get_key_exchange(SSL *s) + } + + param_len=0; +- alg_k=s->s3->tmp.new_cipher->algorithm_mkey; ++ + alg_a=s->s3->tmp.new_cipher->algorithm_auth; +- EVP_MD_CTX_init(&md_ctx); + + #ifndef OPENSSL_NO_PSK + if (alg_k & SSL_kPSK) diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8176.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8176.patch new file mode 100644 index 0000000000..052b907af2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8176.patch @@ -0,0 +1,34 @@ +From bcc311668ede6ffdcd6dc5a65454a548b5404fcc Mon Sep 17 00:00:00 2001 +From: zhu qun-ying +Date: Mon, 2 Jun 2014 14:38:52 +0100 +Subject: [PATCH] Free up s->d1->buffered_app_data.q properly. + +PR#3286 +(cherry picked from commit 71e95000afb2227fe5cac1c79ae884338bcd8d0b) +--- + ssl/d1_lib.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c +index 106939f..6bde16f 100644 +--- a/ssl/d1_lib.c ++++ b/ssl/d1_lib.c +@@ -176,9 +176,12 @@ static void dtls1_clear_queues(SSL *s) + + while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL) + { +- frag = (hm_fragment *)item->data; +- OPENSSL_free(frag->fragment); +- OPENSSL_free(frag); ++ rdata = (DTLS1_RECORD_DATA *) item->data; ++ if (rdata->rbuf.buf) ++ { ++ OPENSSL_free(rdata->rbuf.buf); ++ } ++ OPENSSL_free(item->data); + pitem_free(item); + } + } +-- +2.1.0 + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8275.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8275.patch new file mode 100644 index 0000000000..91041ac4d0 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2014-8275.patch @@ -0,0 +1,202 @@ +diff -up openssl-1.0.1e/crypto/asn1/a_bitstr.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/a_bitstr.c +--- openssl-1.0.1e/crypto/asn1/a_bitstr.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/a_bitstr.c 2015-01-13 12:23:36.090478923 +0100 +@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN + + p= *pp; + i= *(p++); ++ if (i > 7) ++ { ++ i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT; ++ goto err; ++ } + /* We do this to preserve the settings. If we modify + * the settings, via the _set_bit function, we will recalculate + * on output */ + ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */ +- ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */ ++ ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */ + + if (len-- > 1) /* using one because of the bits left byte */ + { +diff -up openssl-1.0.1e/crypto/asn1/asn1_err.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/asn1_err.c +--- openssl-1.0.1e/crypto/asn1/asn1_err.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/asn1_err.c 2015-01-13 12:23:36.090478923 +0100 +@@ -246,6 +246,7 @@ static ERR_STRING_DATA ASN1_str_reasons[ + {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE) ,"illegal time value"}, + {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"}, + {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"}, ++{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"}, + {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"}, + {ERR_REASON(ASN1_R_INVALID_DIGIT) ,"invalid digit"}, + {ERR_REASON(ASN1_R_INVALID_MIME_TYPE) ,"invalid mime type"}, +diff -up openssl-1.0.1e/crypto/asn1/asn1.h.cert-fingerprint openssl-1.0.1e/crypto/asn1/asn1.h +--- openssl-1.0.1e/crypto/asn1/asn1.h.cert-fingerprint 2015-01-13 11:44:11.999013082 +0100 ++++ openssl-1.0.1e/crypto/asn1/asn1.h 2015-01-13 12:23:36.090478923 +0100 +@@ -776,7 +776,7 @@ DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE, + int ASN1_TYPE_get(ASN1_TYPE *a); + void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value); + int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value); +-int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b); ++int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b); + + ASN1_OBJECT * ASN1_OBJECT_new(void ); + void ASN1_OBJECT_free(ASN1_OBJECT *a); +@@ -1329,6 +1329,7 @@ void ERR_load_ASN1_strings(void); + #define ASN1_R_ILLEGAL_TIME_VALUE 184 + #define ASN1_R_INTEGER_NOT_ASCII_FORMAT 185 + #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 128 ++#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 220 + #define ASN1_R_INVALID_BMPSTRING_LENGTH 129 + #define ASN1_R_INVALID_DIGIT 130 + #define ASN1_R_INVALID_MIME_TYPE 205 +diff -up openssl-1.0.1e/crypto/asn1/a_type.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/a_type.c +--- openssl-1.0.1e/crypto/asn1/a_type.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/a_type.c 2015-01-13 12:43:36.779633480 +0100 +@@ -113,7 +113,7 @@ IMPLEMENT_STACK_OF(ASN1_TYPE) + IMPLEMENT_ASN1_SET_OF(ASN1_TYPE) + + /* Returns 0 if they are equal, != 0 otherwise. */ +-int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b) ++int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b) + { + int result = -1; + +diff -up openssl-1.0.1e/crypto/asn1/a_verify.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/a_verify.c +--- openssl-1.0.1e/crypto/asn1/a_verify.c.cert-fingerprint 2015-01-13 11:44:12.308020070 +0100 ++++ openssl-1.0.1e/crypto/asn1/a_verify.c 2015-01-13 11:44:12.413022445 +0100 +@@ -93,6 +93,12 @@ int ASN1_verify(i2d_of_void *i2d, X509_A + ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM); + goto err; + } ++ ++ if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7) ++ { ++ ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT); ++ goto err; ++ } + + inl=i2d(data,NULL); + buf_in=OPENSSL_malloc((unsigned int)inl); +@@ -149,6 +155,12 @@ int ASN1_item_verify(const ASN1_ITEM *it + return -1; + } + ++ if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7) ++ { ++ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT); ++ return -1; ++ } ++ + EVP_MD_CTX_init(&ctx); + + /* Convert signature OID into digest and public key OIDs */ +diff -up openssl-1.0.1e/crypto/asn1/x_algor.c.cert-fingerprint openssl-1.0.1e/crypto/asn1/x_algor.c +--- openssl-1.0.1e/crypto/asn1/x_algor.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/x_algor.c 2015-01-13 12:43:36.780633502 +0100 +@@ -142,3 +142,14 @@ void X509_ALGOR_set_md(X509_ALGOR *alg, + X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL); + + } ++ ++int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b) ++ { ++ int rv; ++ rv = OBJ_cmp(a->algorithm, b->algorithm); ++ if (rv) ++ return rv; ++ if (!a->parameter && !b->parameter) ++ return 0; ++ return ASN1_TYPE_cmp(a->parameter, b->parameter); ++ } +diff -up openssl-1.0.1e/crypto/dsa/dsa_asn1.c.cert-fingerprint openssl-1.0.1e/crypto/dsa/dsa_asn1.c +--- openssl-1.0.1e/crypto/dsa/dsa_asn1.c.cert-fingerprint 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/dsa/dsa_asn1.c 2015-01-13 11:44:12.414022468 +0100 +@@ -176,13 +176,25 @@ int DSA_verify(int type, const unsigned + const unsigned char *sigbuf, int siglen, DSA *dsa) + { + DSA_SIG *s; ++ const unsigned char *p = sigbuf; ++ unsigned char *der = NULL; ++ int derlen = -1; + int ret=-1; + + s = DSA_SIG_new(); + if (s == NULL) return(ret); +- if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err; ++ if (d2i_DSA_SIG(&s,&p,siglen) == NULL) goto err; ++ /* Ensure signature uses DER and doesn't have trailing garbage */ ++ derlen = i2d_DSA_SIG(s, &der); ++ if (derlen != siglen || memcmp(sigbuf, der, derlen)) ++ goto err; + ret=DSA_do_verify(dgst,dgst_len,s,dsa); + err: ++ if (derlen > 0) ++ { ++ OPENSSL_cleanse(der, derlen); ++ OPENSSL_free(der); ++ } + DSA_SIG_free(s); + return(ret); + } +diff -up openssl-1.0.1e/crypto/ecdsa/ecs_vrf.c.cert-fingerprint openssl-1.0.1e/crypto/ecdsa/ecs_vrf.c +--- openssl-1.0.1e/crypto/ecdsa/ecs_vrf.c.cert-fingerprint 2013-02-11 16:02:48.000000000 +0100 ++++ openssl-1.0.1e/crypto/ecdsa/ecs_vrf.c 2015-01-13 11:44:12.414022468 +0100 +@@ -57,6 +57,7 @@ + */ + + #include "ecs_locl.h" ++#include "cryptlib.h" + #ifndef OPENSSL_NO_ENGINE + #include + #endif +@@ -84,13 +85,25 @@ int ECDSA_verify(int type, const unsigne + const unsigned char *sigbuf, int sig_len, EC_KEY *eckey) + { + ECDSA_SIG *s; ++ const unsigned char *p = sigbuf; ++ unsigned char *der = NULL; ++ int derlen = -1; + int ret=-1; + + s = ECDSA_SIG_new(); + if (s == NULL) return(ret); +- if (d2i_ECDSA_SIG(&s, &sigbuf, sig_len) == NULL) goto err; ++ if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) goto err; ++ /* Ensure signature uses DER and doesn't have trailing garbage */ ++ derlen = i2d_ECDSA_SIG(s, &der); ++ if (derlen != sig_len || memcmp(sigbuf, der, derlen)) ++ goto err; + ret=ECDSA_do_verify(dgst, dgst_len, s, eckey); + err: ++ if (derlen > 0) ++ { ++ OPENSSL_cleanse(der, derlen); ++ OPENSSL_free(der); ++ } + ECDSA_SIG_free(s); + return(ret); + } +diff -up openssl-1.0.1e/crypto/x509/x_all.c.cert-fingerprint openssl-1.0.1e/crypto/x509/x_all.c +--- openssl-1.0.1e/crypto/x509/x_all.c.cert-fingerprint 2015-01-13 11:44:12.330020568 +0100 ++++ openssl-1.0.1e/crypto/x509/x_all.c 2015-01-13 11:44:12.414022468 +0100 +@@ -72,6 +72,8 @@ + + int X509_verify(X509 *a, EVP_PKEY *r) + { ++ if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature)) ++ return 0; + return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg, + a->signature,a->cert_info,r)); + } +diff -up openssl-1.0.1e/crypto/x509/x509.h.cert-fingerprint openssl-1.0.1e/crypto/x509/x509.h +--- openssl-1.0.1e/crypto/x509/x509.h.cert-fingerprint 2015-01-13 11:44:12.126015954 +0100 ++++ openssl-1.0.1e/crypto/x509/x509.h 2015-01-13 12:43:36.780633502 +0100 +@@ -768,6 +768,7 @@ int X509_ALGOR_set0(X509_ALGOR *alg, ASN + void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval, + X509_ALGOR *algor); + void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); ++int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); + + X509_NAME *X509_NAME_dup(X509_NAME *xn); + X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0204.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0204.patch new file mode 100644 index 0000000000..527f7c56bd --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0204.patch @@ -0,0 +1,158 @@ +diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod +--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod.rsa-ephemeral 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_options.pod 2015-01-13 11:15:25.096957795 +0100 +@@ -151,15 +151,7 @@ temporary/ephemeral DH parameters are us + + =item SSL_OP_EPHEMERAL_RSA + +-Always use ephemeral (temporary) RSA key when doing RSA operations +-(see L). +-According to the specifications this is only done, when a RSA key +-can only be used for signature operations (namely under export ciphers +-with restricted RSA keylength). By setting this option, ephemeral +-RSA keys are always used. This option breaks compatibility with the +-SSL/TLS specifications and may lead to interoperability problems with +-clients and should therefore never be used. Ciphers with EDH (ephemeral +-Diffie-Hellman) key exchange should be used instead. ++This option is no longer implemented and is treated as no op. + + =item SSL_OP_CIPHER_SERVER_PREFERENCE + +diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod +--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod.rsa-ephemeral 2013-02-11 16:02:48.000000000 +0100 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod 2015-01-13 11:15:25.096957795 +0100 +@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-H + in order to achieve forward secrecy (see + L). + +-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default +-and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of +-L, violating the TLS/SSL +-standard. When ephemeral RSA key exchange is required for export ciphers, +-it will automatically be used without this option! +- +-An application may either directly specify the key or can supply the key via +-a callback function. The callback approach has the advantage, that the +-callback may generate the key only in case it is actually needed. As the +-generation of a RSA key is however costly, it will lead to a significant +-delay in the handshake procedure. Another advantage of the callback function +-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA +-usage) while the explicit setting of the key is only useful for key size of +-512 bits to satisfy the export restricted ciphers and does give away key length +-if a longer key would be allowed. ++An application may either directly specify the key or can supply the key via a ++callback function. The callback approach has the advantage, that the callback ++may generate the key only in case it is actually needed. As the generation of a ++RSA key is however costly, it will lead to a significant delay in the handshake ++procedure. Another advantage of the callback function is that it can supply ++keys of different size while the explicit setting of the key is only useful for ++key size of 512 bits to satisfy the export restricted ciphers and does give ++away key length if a longer key would be allowed. + + The B is called with the B needed and + the B information. The B flag is set, when the +diff -up openssl-1.0.1e/CHANGES.rsa-ephemeral openssl-1.0.1e/CHANGES +diff -up openssl-1.0.1e/ssl/d1_srvr.c.rsa-ephemeral openssl-1.0.1e/ssl/d1_srvr.c +--- openssl-1.0.1e/ssl/d1_srvr.c.rsa-ephemeral 2015-01-12 17:49:04.912808002 +0100 ++++ openssl-1.0.1e/ssl/d1_srvr.c 2015-01-13 11:15:25.096957795 +0100 +@@ -450,24 +450,15 @@ int dtls1_accept(SSL *s) + case SSL3_ST_SW_KEY_EXCH_B: + alg_k = s->s3->tmp.new_cipher->algorithm_mkey; + +- /* clear this, it may get reset by +- * send_server_key_exchange */ +- if ((s->options & SSL_OP_EPHEMERAL_RSA) +-#ifndef OPENSSL_NO_KRB5 +- && !(alg_k & SSL_kKRB5) +-#endif /* OPENSSL_NO_KRB5 */ +- ) +- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key +- * even when forbidden by protocol specs +- * (handshake may fail as clients are not required to +- * be able to handle this) */ +- s->s3->tmp.use_rsa_tmp=1; +- else +- s->s3->tmp.use_rsa_tmp=0; ++ /* ++ * clear this, it may get reset by ++ * send_server_key_exchange ++ */ ++ s->s3->tmp.use_rsa_tmp=0; + + /* only send if a DH key exchange or + * RSA but we have a sign only certificate */ +- if (s->s3->tmp.use_rsa_tmp ++ if (0 + /* PSK: send ServerKeyExchange if PSK identity + * hint if provided */ + #ifndef OPENSSL_NO_PSK +diff -up openssl-1.0.1e/ssl/ssl.h.rsa-ephemeral openssl-1.0.1e/ssl/ssl.h +--- openssl-1.0.1e/ssl/ssl.h.rsa-ephemeral 2015-01-12 17:49:04.936808545 +0100 ++++ openssl-1.0.1e/ssl/ssl.h 2015-01-13 11:15:25.098957840 +0100 +@@ -587,9 +587,8 @@ struct ssl_session_st + #define SSL_OP_SINGLE_ECDH_USE 0x00080000L + /* If set, always create a new key when using tmp_dh parameters */ + #define SSL_OP_SINGLE_DH_USE 0x00100000L +-/* Set to always use the tmp_rsa key when doing RSA operations, +- * even when this violates protocol specs */ +-#define SSL_OP_EPHEMERAL_RSA 0x00200000L ++/* Does nothing: retained for compatibiity */ ++#define SSL_OP_EPHEMERAL_RSA 0x0 + /* Set on servers to choose the cipher according to the server's + * preferences */ + #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L +diff -up openssl-1.0.1e/ssl/s3_clnt.c.rsa-ephemeral openssl-1.0.1e/ssl/s3_clnt.c +--- openssl-1.0.1e/ssl/s3_clnt.c.rsa-ephemeral 2015-01-12 17:49:04.946808771 +0100 ++++ openssl-1.0.1e/ssl/s3_clnt.c 2015-01-13 11:15:25.097957817 +0100 +@@ -1492,6 +1492,13 @@ int ssl3_get_key_exchange(SSL *s) + #ifndef OPENSSL_NO_RSA + if (alg_k & SSL_kRSA) + { ++ /* Temporary RSA keys only allowed in export ciphersuites */ ++ if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) ++ { ++ al=SSL_AD_UNEXPECTED_MESSAGE; ++ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); ++ goto f_err; ++ } + if ((rsa=RSA_new()) == NULL) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); +diff -up openssl-1.0.1e/ssl/s3_srvr.c.rsa-ephemeral openssl-1.0.1e/ssl/s3_srvr.c +--- openssl-1.0.1e/ssl/s3_srvr.c.rsa-ephemeral 2015-01-12 17:51:32.044135496 +0100 ++++ openssl-1.0.1e/ssl/s3_srvr.c 2015-01-13 11:15:25.098957840 +0100 +@@ -441,20 +441,11 @@ int ssl3_accept(SSL *s) + case SSL3_ST_SW_KEY_EXCH_B: + alg_k = s->s3->tmp.new_cipher->algorithm_mkey; + +- /* clear this, it may get reset by +- * send_server_key_exchange */ +- if ((s->options & SSL_OP_EPHEMERAL_RSA) +-#ifndef OPENSSL_NO_KRB5 +- && !(alg_k & SSL_kKRB5) +-#endif /* OPENSSL_NO_KRB5 */ +- ) +- /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key +- * even when forbidden by protocol specs +- * (handshake may fail as clients are not required to +- * be able to handle this) */ +- s->s3->tmp.use_rsa_tmp=1; +- else +- s->s3->tmp.use_rsa_tmp=0; ++ /* ++ * clear this, it may get reset by ++ * send_server_key_exchange ++ */ ++ s->s3->tmp.use_rsa_tmp=0; + + + /* only send if a DH key exchange, fortezza or +@@ -468,7 +459,7 @@ int ssl3_accept(SSL *s) + * server certificate contains the server's + * public key for key exchange. + */ +- if (s->s3->tmp.use_rsa_tmp ++ if (0 + /* PSK: send ServerKeyExchange if PSK identity + * hint if provided */ + #ifndef OPENSSL_NO_PSK diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0205.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0205.patch new file mode 100644 index 0000000000..ff378ae4ef --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0205.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.0.1e/ssl/s3_srvr.c.dh-unauthenticated openssl-1.0.1e/ssl/s3_srvr.c +--- openssl-1.0.1e/ssl/s3_srvr.c.dh-unauthenticated 2015-01-12 17:49:04.930808409 +0100 ++++ openssl-1.0.1e/ssl/s3_srvr.c 2015-01-13 11:15:25.098957840 +0100 +@@ -2951,7 +2951,7 @@ int ssl3_get_cert_verify(SSL *s) + if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) + { + s->s3->tmp.reuse_message=1; +- if ((peer != NULL) && (type & EVP_PKT_SIGN)) ++ if (peer != NULL) + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0206.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0206.patch new file mode 100644 index 0000000000..e2d1718689 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0206.patch @@ -0,0 +1,116 @@ +diff -up openssl-1.0.1e/ssl/d1_pkt.c.dtls-recleak openssl-1.0.1e/ssl/d1_pkt.c +--- openssl-1.0.1e/ssl/d1_pkt.c.dtls-rec-leak 2015-01-13 11:44:12.410022377 +0100 ++++ openssl-1.0.1e/ssl/d1_pkt.c 2015-01-13 11:50:40.062789458 +0100 +@@ -212,7 +212,7 @@ dtls1_buffer_record(SSL *s, record_pqueu + /* Limit the size of the queue to prevent DOS attacks */ + if (pqueue_size(queue->q) >= 100) + return 0; +- ++ + rdata = OPENSSL_malloc(sizeof(DTLS1_RECORD_DATA)); + item = pitem_new(priority, rdata); + if (rdata == NULL || item == NULL) +@@ -239,14 +239,6 @@ dtls1_buffer_record(SSL *s, record_pqueu + } + #endif + +- /* insert should not fail, since duplicates are dropped */ +- if (pqueue_insert(queue->q, item) == NULL) +- { +- OPENSSL_free(rdata); +- pitem_free(item); +- return(0); +- } +- + s->packet = NULL; + s->packet_length = 0; + memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); +@@ -255,11 +247,24 @@ dtls1_buffer_record(SSL *s, record_pqueu + if (!ssl3_setup_buffers(s)) + { + SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); ++ if (rdata->rbuf.buf != NULL) ++ OPENSSL_free(rdata->rbuf.buf); + OPENSSL_free(rdata); + pitem_free(item); +- return(0); ++ return(-1); + } +- ++ ++ /* insert should not fail, since duplicates are dropped */ ++ if (pqueue_insert(queue->q, item) == NULL) ++ { ++ SSLerr(SSL_F_DTLS1_BUFFER_RECORD, ERR_R_INTERNAL_ERROR); ++ if (rdata->rbuf.buf != NULL) ++ OPENSSL_free(rdata->rbuf.buf); ++ OPENSSL_free(rdata); ++ pitem_free(item); ++ return(-1); ++ } ++ + return(1); + } + +@@ -313,8 +318,9 @@ dtls1_process_buffered_records(SSL *s) + dtls1_get_unprocessed_record(s); + if ( ! dtls1_process_record(s)) + return(0); +- dtls1_buffer_record(s, &(s->d1->processed_rcds), +- s->s3->rrec.seq_num); ++ if(dtls1_buffer_record(s, &(s->d1->processed_rcds), ++ s->s3->rrec.seq_num)<0) ++ return -1; + } + } + +@@ -529,7 +535,6 @@ printf("\n"); + + /* we have pulled in a full packet so zero things */ + s->packet_length=0; +- dtls1_record_bitmap_update(s, &(s->d1->bitmap));/* Mark receipt of record. */ + return(1); + + f_err: +@@ -562,7 +567,8 @@ int dtls1_get_record(SSL *s) + + /* The epoch may have changed. If so, process all the + * pending records. This is a non-blocking operation. */ +- dtls1_process_buffered_records(s); ++ if(dtls1_process_buffered_records(s)<0) ++ return -1; + + /* if we're renegotiating, then there may be buffered records */ + if (dtls1_get_processed_record(s)) +@@ -699,7 +705,9 @@ again: + { + if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) + { +- dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num); ++ if(dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num)<0) ++ return -1; ++ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */ + } + rr->length = 0; + s->packet_length = 0; +@@ -712,6 +720,7 @@ again: + s->packet_length = 0; /* dump this record */ + goto again; /* get another record */ + } ++ dtls1_record_bitmap_update(s, bitmap);/* Mark receipt of record. */ + + return(1); + +@@ -863,7 +872,11 @@ start: + * buffer the application data for later processing rather + * than dropping the connection. + */ +- dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num); ++ if(dtls1_buffer_record(s, &(s->d1->buffered_app_data), rr->seq_num)<0) ++ { ++ SSLerr(SSL_F_DTLS1_READ_BYTES, ERR_R_INTERNAL_ERROR); ++ return -1; ++ } + rr->length = 0; + goto start; + } diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0209.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0209.patch new file mode 100644 index 0000000000..0ebcc56a66 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0209.patch @@ -0,0 +1,82 @@ +diff -up openssl-1.0.1e/crypto/asn1/x_x509.c.use-after-free openssl-1.0.1e/crypto/asn1/x_x509.c +--- openssl-1.0.1e/crypto/asn1/x_x509.c.use-after-free 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/x_x509.c 2015-06-11 11:14:52.581856349 +0200 +@@ -170,8 +170,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsig + { + const unsigned char *q; + X509 *ret; ++ int freeret = 0; ++ + /* Save start position */ + q = *pp; ++ ++ if(!a || *a == NULL) { ++ freeret = 1; ++ } + ret = d2i_X509(a, pp, length); + /* If certificate unreadable then forget it */ + if(!ret) return NULL; +@@ -181,7 +187,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsig + if(!d2i_X509_CERT_AUX(&ret->aux, pp, length)) goto err; + return ret; + err: +- X509_free(ret); ++ if(freeret) { ++ X509_free(ret); ++ if (a) ++ *a = NULL; ++ } + return NULL; + } + +diff -up openssl-1.0.1e/crypto/ec/ec_asn1.c.use-after-free openssl-1.0.1e/crypto/ec/ec_asn1.c +--- openssl-1.0.1e/crypto/ec/ec_asn1.c.use-after-free 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/ec/ec_asn1.c 2015-06-11 11:14:52.581856349 +0200 +@@ -1140,8 +1140,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con + ERR_R_MALLOC_FAILURE); + goto err; + } +- if (a) +- *a = ret; + } + else + ret = *a; +@@ -1206,11 +1204,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con + } + } + ++ if (a) ++ *a = ret; + ok = 1; + err: + if (!ok) + { +- if (ret) ++ if (ret && (a == NULL || *a != ret)) + EC_KEY_free(ret); + ret = NULL; + } +@@ -1358,8 +1358,6 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, con + ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE); + return NULL; + } +- if (a) +- *a = ret; + } + else + ret = *a; +@@ -1367,9 +1365,14 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, con + if (!d2i_ECPKParameters(&ret->group, in, len)) + { + ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB); ++ if (a == NULL || *a != ret) ++ EC_KEY_free(ret); + return NULL; + } + ++ if (a) ++ *a = ret; ++ + return ret; + } + diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0286.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0286.patch new file mode 100644 index 0000000000..64ec2b794b --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0286.patch @@ -0,0 +1,13 @@ +diff -up openssl-1.0.1e/crypto/asn1/a_type.c.bool-cmp openssl-1.0.1e/crypto/asn1/a_type.c +--- openssl-1.0.1e/crypto/asn1/a_type.c.bool-cmp 2015-03-18 13:02:36.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/a_type.c 2015-03-18 14:38:07.111401390 +0100 +@@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co + case V_ASN1_OBJECT: + result = OBJ_cmp(a->value.object, b->value.object); + break; ++ case V_ASN1_BOOLEAN: ++ result = a->value.boolean - b->value.boolean; ++ break; + case V_ASN1_NULL: + result = 0; /* They do not have content. */ + break; diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0287.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0287.patch new file mode 100644 index 0000000000..f77b099c4e --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0287.patch @@ -0,0 +1,46 @@ +diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.item-reuse openssl-1.0.1e/crypto/asn1/tasn_dec.c +--- openssl-1.0.1e/crypto/asn1/tasn_dec.c.item-reuse 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/tasn_dec.c 2015-03-19 15:46:51.097022616 +0100 +@@ -310,9 +310,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + case ASN1_ITYPE_CHOICE: + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; +- +- /* Allocate structure */ +- if (!*pval && !ASN1_item_ex_new(pval, it)) ++ if (*pval) ++ { ++ /* Free up and zero CHOICE value if initialised */ ++ i = asn1_get_choice_selector(pval, it); ++ if ((i >= 0) && (i < it->tcount)) ++ { ++ tt = it->templates + i; ++ pchptr = asn1_get_field_ptr(pval, tt); ++ ASN1_template_free(pchptr, tt); ++ asn1_set_choice_selector(pval, -1, it); ++ } ++ } ++ else if (!ASN1_item_ex_new(pval, it)) + { + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, + ERR_R_NESTED_ASN1_ERROR); +@@ -407,6 +417,19 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) + goto auxerr; + ++ /* Free up and zero any ADB found */ ++ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) ++ { ++ if (tt->flags & ASN1_TFLG_ADB_MASK) ++ { ++ const ASN1_TEMPLATE *seqtt; ++ ASN1_VALUE **pseqval; ++ seqtt = asn1_do_adb(pval, tt, 1); ++ pseqval = asn1_get_field_ptr(pval, seqtt); ++ ASN1_template_free(pseqval, seqtt); ++ } ++ } ++ + /* Get each field entry */ + for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) + { diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0288.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0288.patch new file mode 100644 index 0000000000..c8dc6b9888 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0288.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.0.1e/crypto/x509/x509_req.c.req-null-deref openssl-1.0.1e/crypto/x509/x509_req.c +--- openssl-1.0.1e/crypto/x509/x509_req.c.req-null-deref 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/x509/x509_req.c 2015-03-18 18:34:35.732448017 +0100 +@@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_ + goto err; + + pktmp = X509_get_pubkey(x); ++ if (pktmp == NULL) ++ goto err; + i=X509_REQ_set_pubkey(ret,pktmp); + EVP_PKEY_free(pktmp); + if (!i) goto err; diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0289.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0289.patch new file mode 100644 index 0000000000..b52889d7e9 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0289.patch @@ -0,0 +1,184 @@ +diff -up openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref openssl-1.0.1e/crypto/pkcs7/pk7_doit.c +--- openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c 2015-03-18 18:54:10.064871658 +0100 +@@ -272,6 +272,27 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio) + PKCS7_RECIP_INFO *ri=NULL; + ASN1_OCTET_STRING *os=NULL; + ++ if (p7 == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER); ++ return NULL; ++ } ++ /* ++ * The content field in the PKCS7 ContentInfo is optional, but that really ++ * only applies to inner content (precisely, detached signatures). ++ * ++ * When reading content, missing outer content is therefore treated as an ++ * error. ++ * ++ * When creating content, PKCS7_content_new() must be called before ++ * calling this method, so a NULL p7->d is always an error. ++ */ ++ if (p7->d.ptr == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT); ++ return NULL; ++ } ++ + i=OBJ_obj2nid(p7->type); + p7->state=PKCS7_S_HEADER; + +@@ -433,6 +454,18 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + unsigned char *ek = NULL, *tkey = NULL; + int eklen = 0, tkeylen = 0; + ++ if (p7 == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER); ++ return NULL; ++ } ++ ++ if (p7->d.ptr == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); ++ return NULL; ++ } ++ + i=OBJ_obj2nid(p7->type); + p7->state=PKCS7_S_HEADER; + +@@ -440,6 +473,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + { + case NID_pkcs7_signed: + data_body=PKCS7_get_octet_string(p7->d.sign->contents); ++ if (!PKCS7_is_detached(p7) && data_body == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, ++ PKCS7_R_NO_CONTENT); ++ goto err; ++ } + md_sk=p7->d.sign->md_algs; + break; + case NID_pkcs7_signedAndEnveloped: +@@ -747,6 +786,18 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) + STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL; + ASN1_OCTET_STRING *os=NULL; + ++ if (p7 == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER); ++ return 0; ++ } ++ ++ if (p7->d.ptr == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT); ++ return 0; ++ } ++ + EVP_MD_CTX_init(&ctx_tmp); + i=OBJ_obj2nid(p7->type); + p7->state=PKCS7_S_HEADER; +@@ -791,6 +842,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) + /* If detached data then the content is excluded */ + if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) { + M_ASN1_OCTET_STRING_free(os); ++ os = NULL; + p7->d.sign->contents->d.data = NULL; + } + break; +@@ -801,6 +853,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) + if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) + { + M_ASN1_OCTET_STRING_free(os); ++ os = NULL; + p7->d.digest->contents->d.data = NULL; + } + break; +@@ -873,23 +926,32 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio) + M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len); + } + +- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) ++ if (!PKCS7_is_detached(p7)) + { +- char *cont; +- long contlen; +- btmp=BIO_find_type(bio,BIO_TYPE_MEM); +- if (btmp == NULL) +- { +- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO); ++ /* ++ * NOTE(emilia): I think we only reach os == NULL here because detached ++ * digested data support is broken. ++ */ ++ if (os == NULL) + goto err; ++ if (!(os->flags & ASN1_STRING_FLAG_NDEF)) ++ { ++ char *cont; ++ long contlen; ++ btmp=BIO_find_type(bio,BIO_TYPE_MEM); ++ if (btmp == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO); ++ goto err; ++ } ++ contlen = BIO_get_mem_data(btmp, &cont); ++ /* Mark the BIO read only then we can use its copy of the data ++ * instead of making an extra copy. ++ */ ++ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); ++ BIO_set_mem_eof_return(btmp, 0); ++ ASN1_STRING_set0(os, (unsigned char *)cont, contlen); + } +- contlen = BIO_get_mem_data(btmp, &cont); +- /* Mark the BIO read only then we can use its copy of the data +- * instead of making an extra copy. +- */ +- BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY); +- BIO_set_mem_eof_return(btmp, 0); +- ASN1_STRING_set0(os, (unsigned char *)cont, contlen); + } + ret=1; + err: +@@ -928,6 +990,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_ + if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0) + goto err; + OPENSSL_free(abuf); ++ abuf = NULL; + if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0) + goto err; + abuf = OPENSSL_malloc(siglen); +@@ -965,6 +1028,18 @@ int PKCS7_dataVerify(X509_STORE *cert_st + STACK_OF(X509) *cert; + X509 *x509; + ++ if (p7 == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER); ++ return 0; ++ } ++ ++ if (p7->d.ptr == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT); ++ return 0; ++ } ++ + if (PKCS7_type_is_signed(p7)) + { + cert=p7->d.sign->cert; +diff -up openssl-1.0.1e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref openssl-1.0.1e/crypto/pkcs7/pk7_lib.c +--- openssl-1.0.1e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/pkcs7/pk7_lib.c 2015-03-18 18:05:58.398767116 +0100 +@@ -459,6 +459,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV + + STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7) + { ++ if (p7 == NULL || p7->d.ptr == NULL) ++ return NULL; + if (PKCS7_type_is_signed(p7)) + { + return(p7->d.sign->signer_info); diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0292.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0292.patch new file mode 100644 index 0000000000..dd6a737808 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0292.patch @@ -0,0 +1,11 @@ +diff -up openssl-1.0.1e/crypto/evp/encode.c.b64-underflow openssl-1.0.1e/crypto/evp/encode.c +--- openssl-1.0.1e/crypto/evp/encode.c.b64-underflow 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/evp/encode.c 2015-03-18 18:16:26.452331934 +0100 +@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx + v=EVP_DecodeBlock(out,d,n); + n=0; + if (v < 0) { rv=0; goto end; } ++ if (eof > v) { rv=-1; goto end; } + ret+=(v-eof); + } + else diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0293.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0293.patch new file mode 100644 index 0000000000..1ca78b3ae8 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-0293.patch @@ -0,0 +1,102 @@ +diff -up openssl-1.0.1e/ssl/s2_lib.c.ssl2-assert openssl-1.0.1e/ssl/s2_lib.c +--- openssl-1.0.1e/ssl/s2_lib.c.ssl2-assert 2015-03-18 13:02:36.000000000 +0100 ++++ openssl-1.0.1e/ssl/s2_lib.c 2015-03-18 18:22:20.195322489 +0100 +@@ -488,7 +488,7 @@ int ssl2_generate_key_material(SSL *s) + + OPENSSL_assert(s->session->master_key_length >= 0 + && s->session->master_key_length +- < (int)sizeof(s->session->master_key)); ++ <= (int)sizeof(s->session->master_key)); + EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length); + EVP_DigestUpdate(&ctx,&c,1); + c++; +diff -up openssl-1.0.1e/ssl/s2_srvr.c.ssl2-assert openssl-1.0.1e/ssl/s2_srvr.c +--- openssl-1.0.1e/ssl/s2_srvr.c.ssl2-assert 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/s2_srvr.c 2015-03-18 18:30:11.403974038 +0100 +@@ -446,9 +446,6 @@ static int get_client_master_key(SSL *s) + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY); + return(-1); + } +- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc, +- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]), +- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING); + + is_export=SSL_C_IS_EXPORT(s->session->cipher); + +@@ -467,21 +464,61 @@ static int get_client_master_key(SSL *s) + else + ek=5; + ++ /* ++ * The format of the CLIENT-MASTER-KEY message is ++ * 1 byte message type ++ * 3 bytes cipher ++ * 2-byte clear key length (stored in s->s2->tmp.clear) ++ * 2-byte encrypted key length (stored in s->s2->tmp.enc) ++ * 2-byte key args length (IV etc) ++ * clear key ++ * encrypted key ++ * key args ++ * ++ * If the cipher is an export cipher, then the encrypted key bytes ++ * are a fixed portion of the total key (5 or 8 bytes). The size of ++ * this portion is in |ek|. If the cipher is not an export cipher, ++ * then the entire key material is encrypted (i.e., clear key length ++ * must be zero). ++ */ ++ if ((!is_export && s->s2->tmp.clear != 0) || ++ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) ++ { ++ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR); ++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH); ++ return -1; ++ } ++ /* ++ * The encrypted blob must decrypt to the encrypted portion of the key. ++ * Decryption can't be expanding, so if we don't have enough encrypted ++ * bytes to fit the key in the buffer, stop now. ++ */ ++ if ((is_export && s->s2->tmp.enc < ek) || ++ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) ++ { ++ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); ++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT); ++ return -1; ++ } ++ ++ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc, ++ &(p[s->s2->tmp.clear]), ++ &(p[s->s2->tmp.clear]), ++ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING : RSA_PKCS1_PADDING); ++ + /* bad decrypt */ + #if 1 + /* If a bad decrypt, continue with protocol but with a + * random master secret (Bleichenbacher attack) */ +- if ((i < 0) || +- ((!is_export && (i != EVP_CIPHER_key_length(c))) +- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i != +- (unsigned int)EVP_CIPHER_key_length(c)))))) ++ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c)) ++ || (is_export && i != ek))) + { + ERR_clear_error(); + if (is_export) + i=ek; + else + i=EVP_CIPHER_key_length(c); +- if (RAND_pseudo_bytes(p,i) <= 0) ++ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear],i) <= 0) + return 0; + } + #else +@@ -505,7 +542,8 @@ static int get_client_master_key(SSL *s) + } + #endif + +- if (is_export) i+=s->s2->tmp.clear; ++ if (is_export) ++ i = EVP_CIPHER_key_length(c); + + if (i > SSL_MAX_MASTER_KEY_LENGTH) + { diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1789.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1789.patch new file mode 100644 index 0000000000..8633a76849 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1789.patch @@ -0,0 +1,103 @@ +diff -up openssl-1.0.1e/crypto/x509/x509_vfy.c.oob-read openssl-1.0.1e/crypto/x509/x509_vfy.c +--- openssl-1.0.1e/crypto/x509/x509_vfy.c.oob-read 2015-05-25 12:03:41.000000000 +0200 ++++ openssl-1.0.1e/crypto/x509/x509_vfy.c 2015-06-09 15:01:51.688640453 +0200 +@@ -1702,49 +1702,92 @@ int X509_cmp_time(const ASN1_TIME *ctm, + ASN1_TIME atm; + long offset; + char buff1[24],buff2[24],*p; +- int i,j; ++ int i, j, remaining; + + p=buff1; +- i=ctm->length; ++ remaining=ctm->length; + str=(char *)ctm->data; ++ /* ++ * Note that the following (historical) code allows much more slack in the ++ * time format than RFC5280. In RFC5280, the representation is fixed: ++ * UTCTime: YYMMDDHHMMSSZ ++ * GeneralizedTime: YYYYMMDDHHMMSSZ ++ */ + if (ctm->type == V_ASN1_UTCTIME) + { +- if ((i < 11) || (i > 17)) return 0; ++ /* YYMMDDHHMM[SS]Z or YYMMDDHHMM[SS](+-)hhmm */ ++ int min_length = sizeof("YYMMDDHHMMZ") - 1; ++ int max_length = sizeof("YYMMDDHHMMSS+hhmm") - 1; ++ if (remaining < min_length || remaining > max_length) ++ return 0; + memcpy(p,str,10); + p+=10; + str+=10; ++ remaining -= 10; + } + else + { +- if (i < 13) return 0; ++ /* YYYYMMDDHHMM[SS[.fff]]Z or YYYYMMDDHHMM[SS[.f[f[f]]]](+-)hhmm */ ++ int min_length = sizeof("YYYYMMDDHHMMZ") - 1; ++ int max_length = sizeof("YYYYMMDDHHMMSS.fff+hhmm") - 1; ++ if (remaining < min_length || remaining > max_length) ++ return 0; + memcpy(p,str,12); + p+=12; + str+=12; ++ remaining -= 12; + } + + if ((*str == 'Z') || (*str == '-') || (*str == '+')) + { *(p++)='0'; *(p++)='0'; } + else + { ++ /* SS (seconds) */ ++ if (remaining < 2) ++ return 0; + *(p++)= *(str++); + *(p++)= *(str++); +- /* Skip any fractional seconds... */ +- if (*str == '.') ++ remaining -= 2; ++ /* ++ * Skip any (up to three) fractional seconds... ++ * TODO(emilia): in RFC5280, fractional seconds are forbidden. ++ * Can we just kill them altogether? ++ */ ++ if (remaining && *str == '.') + { + str++; +- while ((*str >= '0') && (*str <= '9')) str++; ++ remaining--; ++ for (i = 0; i < 3 && remaining; i++, str++, remaining--) ++ { ++ if (*str < '0' || *str > '9') ++ break; ++ } + } + + } + *(p++)='Z'; + *(p++)='\0'; + ++ /* We now need either a terminating 'Z' or an offset. */ ++ if (!remaining) ++ return 0; + if (*str == 'Z') ++ { ++ if (remaining != 1) ++ return 0; + offset=0; ++ } + else + { ++ /* (+-)HHMM */ + if ((*str != '+') && (*str != '-')) + return 0; ++ /* Historical behaviour: the (+-)hhmm offset is forbidden in RFC5280. */ ++ if (remaining != 5) ++ return 0; ++ if (str[1] < '0' || str[1] > '9' || str[2] < '0' || str[2] > '9' || ++ str[3] < '0' || str[3] > '9' || str[4] < '0' || str[4] > '9') ++ return 0; + offset=((str[1]-'0')*10+(str[2]-'0'))*60; + offset+=(str[3]-'0')*10+(str[4]-'0'); + if (*str == '-') diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1790.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1790.patch new file mode 100644 index 0000000000..3b3024097d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1790.patch @@ -0,0 +1,55 @@ +diff -up openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.missing-content openssl-1.0.1e/crypto/pkcs7/pk7_doit.c +--- openssl-1.0.1e/crypto/pkcs7/pk7_doit.c.missing-content 2015-05-25 12:03:41.000000000 +0200 ++++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c 2015-06-09 15:21:21.377951520 +0200 +@@ -472,6 +472,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + switch (i) + { + case NID_pkcs7_signed: ++ /* ++ * p7->d.sign->contents is a PKCS7 structure consisting of a contentType ++ * field and optional content. ++ * data_body is NULL if that structure has no (=detached) content ++ * or if the contentType is wrong (i.e., not "data"). ++ */ + data_body=PKCS7_get_octet_string(p7->d.sign->contents); + if (!PKCS7_is_detached(p7) && data_body == NULL) + { +@@ -484,6 +490,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + case NID_pkcs7_signedAndEnveloped: + rsk=p7->d.signed_and_enveloped->recipientinfo; + md_sk=p7->d.signed_and_enveloped->md_algs; ++ /* data_body is NULL if the optional EncryptedContent is missing. */ + data_body=p7->d.signed_and_enveloped->enc_data->enc_data; + enc_alg=p7->d.signed_and_enveloped->enc_data->algorithm; + evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); +@@ -496,6 +503,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + case NID_pkcs7_enveloped: + rsk=p7->d.enveloped->recipientinfo; + enc_alg=p7->d.enveloped->enc_data->algorithm; ++ /* data_body is NULL if the optional EncryptedContent is missing. */ + data_body=p7->d.enveloped->enc_data->enc_data; + evp_cipher=EVP_get_cipherbyobj(enc_alg->algorithm); + if (evp_cipher == NULL) +@@ -509,6 +517,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + goto err; + } + ++ /* Detached content must be supplied via in_bio instead. */ ++ if (data_body == NULL && in_bio == NULL) ++ { ++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT); ++ goto err; ++ } ++ + /* We will be checking the signature */ + if (md_sk != NULL) + { +@@ -665,7 +680,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE + } + + #if 1 +- if (PKCS7_is_detached(p7) || (in_bio != NULL)) ++ if (in_bio != NULL) + { + bio=in_bio; + } diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1791.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1791.patch new file mode 100644 index 0000000000..2b6f315b8d --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1791.patch @@ -0,0 +1,231 @@ +diff -up openssl-1.0.1e/ssl/ssl_err.c.ticket-race openssl-1.0.1e/ssl/ssl_err.c +--- openssl-1.0.1e/ssl/ssl_err.c.ticket-race 2015-06-09 15:40:41.000000000 +0200 ++++ openssl-1.0.1e/ssl/ssl_err.c 2015-06-09 15:45:06.879198463 +0200 +@@ -245,6 +245,7 @@ static ERR_STRING_DATA SSL_str_functs[]= + {ERR_FUNC(SSL_F_SSL_READ), "SSL_read"}, + {ERR_FUNC(SSL_F_SSL_RSA_PRIVATE_DECRYPT), "SSL_RSA_PRIVATE_DECRYPT"}, + {ERR_FUNC(SSL_F_SSL_RSA_PUBLIC_ENCRYPT), "SSL_RSA_PUBLIC_ENCRYPT"}, ++{ERR_FUNC(SSL_F_SSL_SESSION_DUP), "ssl_session_dup"}, + {ERR_FUNC(SSL_F_SSL_SESSION_NEW), "SSL_SESSION_new"}, + {ERR_FUNC(SSL_F_SSL_SESSION_PRINT_FP), "SSL_SESSION_print_fp"}, + {ERR_FUNC(SSL_F_SSL_SESSION_SET1_ID_CONTEXT), "SSL_SESSION_set1_id_context"}, +diff -up openssl-1.0.1e/ssl/ssl.h.ticket-race openssl-1.0.1e/ssl/ssl.h +--- openssl-1.0.1e/ssl/ssl.h.ticket-race 2015-06-09 15:40:41.000000000 +0200 ++++ openssl-1.0.1e/ssl/ssl.h 2015-06-09 15:44:22.696191291 +0200 +@@ -2176,6 +2176,7 @@ void ERR_load_SSL_strings(void); + #define SSL_F_SSL_READ 223 + #define SSL_F_SSL_RSA_PRIVATE_DECRYPT 187 + #define SSL_F_SSL_RSA_PUBLIC_ENCRYPT 188 ++#define SSL_F_SSL_SESSION_DUP 348 + #define SSL_F_SSL_SESSION_NEW 189 + #define SSL_F_SSL_SESSION_PRINT_FP 190 + #define SSL_F_SSL_SESSION_SET1_ID_CONTEXT 312 +diff -up openssl-1.0.1e/ssl/ssl_locl.h.ticket-race openssl-1.0.1e/ssl/ssl_locl.h +--- openssl-1.0.1e/ssl/ssl_locl.h.ticket-race 2015-06-09 15:40:41.000000000 +0200 ++++ openssl-1.0.1e/ssl/ssl_locl.h 2015-06-09 16:02:41.105243796 +0200 +@@ -822,6 +822,7 @@ void ssl_sess_cert_free(SESS_CERT *sc); + int ssl_set_peer_cert_type(SESS_CERT *c, int type); + int ssl_get_new_session(SSL *s, int session); + int ssl_get_prev_session(SSL *s, unsigned char *session,int len, const unsigned char *limit); ++SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket); + int ssl_cipher_id_cmp(const SSL_CIPHER *a,const SSL_CIPHER *b); + DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, + ssl_cipher_id); +diff -up openssl-1.0.1e/ssl/ssl_sess.c.ticket-race openssl-1.0.1e/ssl/ssl_sess.c +--- openssl-1.0.1e/ssl/ssl_sess.c.ticket-race 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/ssl/ssl_sess.c 2015-06-11 13:48:26.724348868 +0200 +@@ -224,6 +224,146 @@ SSL_SESSION *SSL_SESSION_new(void) + return(ss); + } + ++/* ++ * Create a new SSL_SESSION and duplicate the contents of |src| into it. If ++ * ticket == 0 then no ticket information is duplicated, otherwise it is. ++ */ ++SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) ++{ ++ SSL_SESSION *dest; ++ ++ dest = OPENSSL_malloc(sizeof(*src)); ++ if (dest == NULL) ++ { ++ goto err; ++ } ++ memcpy(dest, src, sizeof(*dest)); ++ ++ /* ++ * Set the various pointers to NULL so that we can call SSL_SESSION_free in ++ * the case of an error whilst halfway through constructing dest ++ */ ++#ifndef OPENSSL_NO_PSK ++ dest->psk_identity_hint = NULL; ++ dest->psk_identity = NULL; ++#endif ++ dest->ciphers = NULL; ++#ifndef OPENSSL_NO_TLSEXT ++ dest->tlsext_hostname = NULL; ++# ifndef OPENSSL_NO_EC ++ dest->tlsext_ecpointformatlist = NULL; ++ dest->tlsext_ellipticcurvelist = NULL; ++# endif ++#endif ++ dest->tlsext_tick = NULL; ++#ifndef OPENSSL_NO_SRP ++ dest->srp_username = NULL; ++#endif ++ memset(&dest->ex_data, 0, sizeof(dest->ex_data)); ++ ++ /* We deliberately don't copy the prev and next pointers */ ++ dest->prev = NULL; ++ dest->next = NULL; ++ ++ dest->references = 1; ++ ++ if (src->sess_cert != NULL) ++ CRYPTO_add(&src->sess_cert->references, 1, CRYPTO_LOCK_SSL_SESS_CERT); ++ ++ if (src->peer != NULL) ++ CRYPTO_add(&src->peer->references, 1, CRYPTO_LOCK_X509); ++ ++#ifndef OPENSSL_NO_PSK ++ if (src->psk_identity_hint) ++ { ++ dest->psk_identity_hint = BUF_strdup(src->psk_identity_hint); ++ if (dest->psk_identity_hint == NULL) ++ { ++ goto err; ++ } ++ } ++ if (src->psk_identity) ++ { ++ dest->psk_identity = BUF_strdup(src->psk_identity); ++ if (dest->psk_identity == NULL) ++ { ++ goto err; ++ } ++ } ++#endif ++ ++ if(src->ciphers != NULL) ++ { ++ dest->ciphers = sk_SSL_CIPHER_dup(src->ciphers); ++ if (dest->ciphers == NULL) ++ goto err; ++ } ++ ++ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ++ &dest->ex_data, &src->ex_data)) ++ { ++ goto err; ++ } ++ ++#ifndef OPENSSL_NO_TLSEXT ++ if (src->tlsext_hostname) ++ { ++ dest->tlsext_hostname = BUF_strdup(src->tlsext_hostname); ++ if (dest->tlsext_hostname == NULL) ++ { ++ goto err; ++ } ++ } ++# ifndef OPENSSL_NO_EC ++ if (src->tlsext_ecpointformatlist) ++ { ++ dest->tlsext_ecpointformatlist = ++ BUF_memdup(src->tlsext_ecpointformatlist, ++ src->tlsext_ecpointformatlist_length); ++ if (dest->tlsext_ecpointformatlist == NULL) ++ goto err; ++ } ++ if (src->tlsext_ellipticcurvelist) ++ { ++ dest->tlsext_ellipticcurvelist = ++ BUF_memdup(src->tlsext_ellipticcurvelist, ++ src->tlsext_ellipticcurvelist_length); ++ if (dest->tlsext_ellipticcurvelist == NULL) ++ goto err; ++ } ++# endif ++#endif ++ ++ if (ticket != 0) ++ { ++ dest->tlsext_tick = BUF_memdup(src->tlsext_tick, src->tlsext_ticklen); ++ if(dest->tlsext_tick == NULL) ++ goto err; ++ } ++ else ++ { ++ dest->tlsext_tick_lifetime_hint = 0; ++ dest->tlsext_ticklen = 0; ++ } ++ ++#ifndef OPENSSL_NO_SRP ++ if (src->srp_username) ++ { ++ dest->srp_username = BUF_strdup(src->srp_username); ++ if (dest->srp_username == NULL) ++ { ++ goto err; ++ } ++ } ++#endif ++ ++ return dest; ++err: ++ SSLerr(SSL_F_SSL_SESSION_DUP, ERR_R_MALLOC_FAILURE); ++ SSL_SESSION_free(dest); ++ return NULL; ++} ++ + const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) + { + if(len) +diff -up openssl-1.0.1e/ssl/s3_clnt.c.ticket-race openssl-1.0.1e/ssl/s3_clnt.c +--- openssl-1.0.1e/ssl/s3_clnt.c.ticket-race 2015-06-09 15:40:41.000000000 +0200 ++++ openssl-1.0.1e/ssl/s3_clnt.c 2015-06-09 15:39:56.315119013 +0200 +@@ -2092,6 +2092,44 @@ int ssl3_get_new_session_ticket(SSL *s) + } + + p=d=(unsigned char *)s->init_msg; ++ ++ if (s->session->session_id_length > 0) ++ { ++ int i = s->session_ctx->session_cache_mode; ++ SSL_SESSION *new_sess; ++ /* ++ * We reused an existing session, so we need to replace it with a new ++ * one ++ */ ++ if (i & SSL_SESS_CACHE_CLIENT) ++ { ++ /* ++ * Remove the old session from the cache ++ */ ++ if (i & SSL_SESS_CACHE_NO_INTERNAL_STORE) ++ { ++ if (s->session_ctx->remove_session_cb != NULL) ++ s->session_ctx->remove_session_cb(s->session_ctx, ++ s->session); ++ } ++ else ++ { ++ /* We carry on if this fails */ ++ SSL_CTX_remove_session(s->session_ctx, s->session); ++ } ++ } ++ ++ if ((new_sess = ssl_session_dup(s->session, 0)) == 0) ++ { ++ al = SSL_AD_INTERNAL_ERROR; ++ SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); ++ goto f_err; ++ } ++ ++ SSL_SESSION_free(s->session); ++ s->session = new_sess; ++ } ++ + n2l(p, s->session->tlsext_tick_lifetime_hint); + n2s(p, ticklen); + /* ticket_lifetime_hint + ticket_length + ticket */ diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1792.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1792.patch new file mode 100644 index 0000000000..5f2b0cd976 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-1792.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.0.1e/crypto/cms/cms_smime.c.unknown-hash openssl-1.0.1e/crypto/cms/cms_smime.c +--- openssl-1.0.1e/crypto/cms/cms_smime.c.unknown-hash 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/cms/cms_smime.c 2015-06-09 16:07:16.001516190 +0200 +@@ -141,7 +141,7 @@ static void do_free_upto(BIO *f, BIO *up + BIO_free(f); + f = tbio; + } +- while (f != upto); ++ while (f && f != upto); + } + else + BIO_free_all(f); diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3194.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3194.patch new file mode 100644 index 0000000000..58b52f26e2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3194.patch @@ -0,0 +1,12 @@ +diff -up openssl-1.0.1e/crypto/rsa/rsa_ameth.c.pss-check openssl-1.0.1e/crypto/rsa/rsa_ameth.c +--- openssl-1.0.1e/crypto/rsa/rsa_ameth.c.pss-check 2013-02-11 16:26:04.000000000 +0100 ++++ openssl-1.0.1e/crypto/rsa/rsa_ameth.c 2015-12-04 09:03:18.300660817 +0100 +@@ -287,7 +287,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(co + { + ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; + if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 +- && param->type == V_ASN1_SEQUENCE) ++ && param && param->type == V_ASN1_SEQUENCE) + { + p = param->value.sequence->data; + plen = param->value.sequence->length; diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3195.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3195.patch new file mode 100644 index 0000000000..80f196fa74 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3195.patch @@ -0,0 +1,31 @@ +diff -up openssl-1.0.1e/crypto/asn1/tasn_dec.c.combine-leak openssl-1.0.1e/crypto/asn1/tasn_dec.c +--- openssl-1.0.1e/crypto/asn1/tasn_dec.c.combine-leak 2015-12-04 09:01:53.000000000 +0100 ++++ openssl-1.0.1e/crypto/asn1/tasn_dec.c 2015-12-04 09:09:30.629793475 +0100 +@@ -169,6 +169,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + int otag; + int ret = 0; + ASN1_VALUE **pchptr, *ptmpval; ++ int combine = aclass & ASN1_TFLG_COMBINE; ++ aclass &= ~ASN1_TFLG_COMBINE; + if (!pval) + return 0; + if (aux && aux->asn1_cb) +@@ -539,7 +541,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, + auxerr: + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); + err: +- ASN1_item_ex_free(pval, it); ++ if (combine == 0) ++ ASN1_item_ex_free(pval, it); + if (errtt) + ERR_add_error_data(4, "Field=", errtt->field_name, + ", Type=", it->sname); +@@ -767,7 +770,7 @@ static int asn1_template_noexp_d2i(ASN1_ + { + /* Nothing special */ + ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), +- -1, 0, opt, ctx); ++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); + if (!ret) + { + ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3196.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3196.patch new file mode 100644 index 0000000000..19dc323ab2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-3196.patch @@ -0,0 +1,52 @@ +diff -up openssl-1.0.1e/ssl/s3_clnt.c.psk-identity openssl-1.0.1e/ssl/s3_clnt.c +--- openssl-1.0.1e/ssl/s3_clnt.c.psk-identity 2015-12-04 09:01:53.000000000 +0100 ++++ openssl-1.0.1e/ssl/s3_clnt.c 2015-12-04 09:36:24.182010426 +0100 +@@ -1367,8 +1367,6 @@ int ssl3_get_key_exchange(SSL *s) + #ifndef OPENSSL_NO_PSK + if (alg_k & SSL_kPSK) + { +- char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1]; +- + al=SSL_AD_HANDSHAKE_FAILURE; + n2s(p,i); + param_len=i+2; +@@ -1389,16 +1387,8 @@ int ssl3_get_key_exchange(SSL *s) + SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH); + goto f_err; + } +- /* If received PSK identity hint contains NULL +- * characters, the hint is truncated from the first +- * NULL. p may not be ending with NULL, so create a +- * NULL-terminated string. */ +- memcpy(tmp_id_hint, p, i); +- memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i); +- if (s->ctx->psk_identity_hint != NULL) +- OPENSSL_free(s->ctx->psk_identity_hint); +- s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint); +- if (s->ctx->psk_identity_hint == NULL) ++ s->session->psk_identity_hint = BUF_strndup((char *)p, i); ++ if (s->session->psk_identity_hint == NULL) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE); + goto f_err; +@@ -2904,7 +2894,7 @@ int ssl3_send_client_key_exchange(SSL *s + goto err; + } + +- psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint, ++ psk_len = s->psk_client_callback(s, s->session->psk_identity_hint, + identity, PSK_MAX_IDENTITY_LEN, + psk_or_pre_ms, sizeof(psk_or_pre_ms)); + if (psk_len > PSK_MAX_PSK_LEN) +diff -up openssl-1.0.1e/ssl/s3_srvr.c.psk-identity openssl-1.0.1e/ssl/s3_srvr.c +--- openssl-1.0.1e/ssl/s3_srvr.c.psk-identity 2015-12-04 09:01:53.000000000 +0100 ++++ openssl-1.0.1e/ssl/s3_srvr.c 2015-12-04 09:43:45.144086868 +0100 +@@ -2751,7 +2751,7 @@ int ssl3_get_client_key_exchange(SSL *s) + + if (s->session->psk_identity != NULL) + OPENSSL_free(s->session->psk_identity); +- s->session->psk_identity = BUF_strdup((char *)p); ++ s->session->psk_identity = BUF_strndup((char *)p, i); + if (s->session->psk_identity == NULL) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-4000.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-4000.patch new file mode 100644 index 0000000000..66dd559d8b --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-4000.patch @@ -0,0 +1,241 @@ +diff -up openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod.logjam openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod +--- openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod.logjam 2013-02-11 16:02:48.000000000 +0100 ++++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod 2015-05-25 11:37:08.893049771 +0200 +@@ -12,12 +12,10 @@ SSL_CTX_set_tmp_dh_callback, SSL_CTX_set + DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); + long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh); + +- void SSL_set_tmp_dh_callback(SSL_CTX *ctx, ++ void SSL_set_tmp_dh_callback(SSL *ctx, + DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); + long SSL_set_tmp_dh(SSL *ssl, DH *dh) + +- DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); +- + =head1 DESCRIPTION + + SSL_CTX_set_tmp_dh_callback() sets the callback function for B to be +@@ -50,24 +48,25 @@ even if he gets hold of the normal (cert + only used for signing. + + In order to perform a DH key exchange the server must use a DH group +-(DH parameters) and generate a DH key. The server will always generate a new +-DH key during the negotiation, when the DH parameters are supplied via +-callback and/or when the SSL_OP_SINGLE_DH_USE option of +-L is set. It will +-immediately create a DH key, when DH parameters are supplied via +-SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. In this case, ++(DH parameters) and generate a DH key. ++The server will always generate a new DH key during the negotiation ++if either the DH parameters are supplied via callback or the ++SSL_OP_SINGLE_DH_USE option of SSL_CTX_set_options(3) is set (or both). ++It will immediately create a DH key if DH parameters are supplied via ++SSL_CTX_set_tmp_dh() and SSL_OP_SINGLE_DH_USE is not set. ++In this case, + it may happen that a key is generated on initialization without later + being needed, while on the other hand the computer time during the + negotiation is being saved. + + If "strong" primes were used to generate the DH parameters, it is not strictly + necessary to generate a new key for each handshake but it does improve forward +-secrecy. If it is not assured, that "strong" primes were used (see especially +-the section about DSA parameters below), SSL_OP_SINGLE_DH_USE must be used +-in order to prevent small subgroup attacks. Always using SSL_OP_SINGLE_DH_USE +-has an impact on the computer time needed during negotiation, but it is not +-very large, so application authors/users should consider to always enable +-this option. ++secrecy. If it is not assured that "strong" primes were used, ++SSL_OP_SINGLE_DH_USE must be used in order to prevent small subgroup ++attacks. Always using SSL_OP_SINGLE_DH_USE has an impact on the ++computer time needed during negotiation, but it is not very large, so ++application authors/users should consider always enabling this option. ++The option is required to implement perfect forward secrecy (PFS). + + As generating DH parameters is extremely time consuming, an application + should not generate the parameters on the fly but supply the parameters. +@@ -75,82 +74,62 @@ DH parameters can be reused, as the actu + the negotiation. The risk in reusing DH parameters is that an attacker + may specialize on a very often used DH group. Applications should therefore + generate their own DH parameters during the installation process using the +-openssl L application. In order to reduce the computer +-time needed for this generation, it is possible to use DSA parameters +-instead (see L), but in this case SSL_OP_SINGLE_DH_USE +-is mandatory. ++openssl L application. This application ++guarantees that "strong" primes are used. + +-Application authors may compile in DH parameters. Files dh512.pem, +-dh1024.pem, dh2048.pem, and dh4096 in the 'apps' directory of current ++Files dh2048.pem, and dh4096.pem in the 'apps' directory of the current + version of the OpenSSL distribution contain the 'SKIP' DH parameters, + which use safe primes and were generated verifiably pseudo-randomly. + These files can be converted into C code using the B<-C> option of the +-L application. +-Authors may also generate their own set of parameters using +-L, but a user may not be sure how the parameters were +-generated. The generation of DH parameters during installation is therefore +-recommended. ++L application. Generation of custom DH ++parameters during installation should still be preferred to stop an ++attacker from specializing on a commonly used group. Files dh1024.pem ++and dh512.pem contain old parameters that must not be used by ++applications. + + An application may either directly specify the DH parameters or +-can supply the DH parameters via a callback function. The callback approach +-has the advantage, that the callback may supply DH parameters for different +-key lengths. +- +-The B is called with the B needed and +-the B information. The B flag is set, when the +-ephemeral DH key exchange is performed with an export cipher. ++can supply the DH parameters via a callback function. ++ ++Previous versions of the callback used B and B ++parameters to control parameter generation for export and non-export ++cipher suites. Modern servers that do not support export ciphersuites ++are advised to either use SSL_CTX_set_tmp_dh() in combination with ++SSL_OP_SINGLE_DH_USE, or alternatively, use the callback but ignore ++B and B and simply supply at least 2048-bit ++parameters in the callback. + + =head1 EXAMPLES + +-Handle DH parameters for key lengths of 512 and 1024 bits. (Error handling ++Setup DH parameters with a key length of 2048 bits. (Error handling + partly left out.) + +- ... +- /* Set up ephemeral DH stuff */ +- DH *dh_512 = NULL; +- DH *dh_1024 = NULL; +- FILE *paramfile; ++ Command-line parameter generation: ++ $ openssl dhparam -out dh_param_2048.pem 2048 + ++ Code for setting up parameters during server initialization: ++ ++ ... ++ SSL_CTX ctx = SSL_CTX_new(); + ... +- /* "openssl dhparam -out dh_param_512.pem -2 512" */ +- paramfile = fopen("dh_param_512.pem", "r"); ++ ++ /* Set up ephemeral DH parameters. */ ++ DH *dh_2048 = NULL; ++ FILE *paramfile; ++ paramfile = fopen("dh_param_2048.pem", "r"); + if (paramfile) { +- dh_512 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); ++ dh_2048 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); + fclose(paramfile); ++ } else { ++ /* Error. */ + } +- /* "openssl dhparam -out dh_param_1024.pem -2 1024" */ +- paramfile = fopen("dh_param_1024.pem", "r"); +- if (paramfile) { +- dh_1024 = PEM_read_DHparams(paramfile, NULL, NULL, NULL); +- fclose(paramfile); ++ if (dh_2048 == NULL) { ++ /* Error. */ + } +- ... +- +- /* "openssl dhparam -C -2 512" etc... */ +- DH *get_dh512() { ... } +- DH *get_dh1024() { ... } +- +- DH *tmp_dh_callback(SSL *s, int is_export, int keylength) +- { +- DH *dh_tmp=NULL; +- +- switch (keylength) { +- case 512: +- if (!dh_512) +- dh_512 = get_dh512(); +- dh_tmp = dh_512; +- break; +- case 1024: +- if (!dh_1024) +- dh_1024 = get_dh1024(); +- dh_tmp = dh_1024; +- break; +- default: +- /* Generating a key on the fly is very costly, so use what is there */ +- setup_dh_parameters_like_above(); +- } +- return(dh_tmp); ++ if (SSL_CTX_set_tmp_dh(ctx, dh_2048) != 1) { ++ /* Error. */ + } ++ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); ++ ... + + =head1 RETURN VALUES + +diff -up openssl-1.0.1e/ssl/ssl_err.c.logjam openssl-1.0.1e/ssl/ssl_err.c +--- openssl-1.0.1e/ssl/ssl_err.c.logjam 2015-05-25 11:38:29.834858712 +0200 ++++ openssl-1.0.1e/ssl/ssl_err.c 2015-05-25 11:42:01.041578905 +0200 +@@ -361,6 +361,7 @@ static ERR_STRING_DATA SSL_str_reasons[] + {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) ,"data length too long"}, + {ERR_REASON(SSL_R_DECRYPTION_FAILED) ,"decryption failed"}, + {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC),"decryption failed or bad record mac"}, ++{ERR_REASON(SSL_R_DH_KEY_TOO_SMALL) ,"dh key too small"}, + {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG),"dh public value length is wrong"}, + {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) ,"digest check failed"}, + {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) ,"dtls message too big"}, +diff -up openssl-1.0.1e/ssl/ssl.h.logjam openssl-1.0.1e/ssl/ssl.h +--- openssl-1.0.1e/ssl/ssl.h.logjam 2015-05-25 11:38:29.834858712 +0200 ++++ openssl-1.0.1e/ssl/ssl.h 2015-05-25 11:40:42.482823220 +0200 +@@ -2289,6 +2289,7 @@ void ERR_load_SSL_strings(void); + #define SSL_R_DATA_LENGTH_TOO_LONG 146 + #define SSL_R_DECRYPTION_FAILED 147 + #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281 ++#define SSL_R_DH_KEY_TOO_SMALL 372 + #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 + #define SSL_R_DIGEST_CHECK_FAILED 149 + #define SSL_R_DTLS_MESSAGE_TOO_BIG 334 +diff -up openssl-1.0.1e/ssl/s3_clnt.c.logjam openssl-1.0.1e/ssl/s3_clnt.c +--- openssl-1.0.1e/ssl/s3_clnt.c.logjam 2015-05-25 11:38:29.833858690 +0200 ++++ openssl-1.0.1e/ssl/s3_clnt.c 2015-05-25 11:51:05.845754562 +0200 +@@ -3277,24 +3277,34 @@ int ssl3_check_cert_and_algorithm(SSL *s + } + #endif + #ifndef OPENSSL_NO_DH +- if ((alg_k & SSL_kEDH) && +- !(has_bits(i,EVP_PK_DH|EVP_PKT_EXCH) || (dh != NULL))) ++ if ((alg_k & SSL_kEDH) && dh == NULL) + { +- SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_KEY); ++ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,ERR_R_INTERNAL_ERROR); + goto f_err; + } +- else if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) ++ if ((alg_k & SSL_kDHr) && !has_bits(i,EVP_PK_DH|EVP_PKS_RSA)) + { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_RSA_CERT); + goto f_err; + } + #ifndef OPENSSL_NO_DSA +- else if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) ++ if ((alg_k & SSL_kDHd) && !has_bits(i,EVP_PK_DH|EVP_PKS_DSA)) + { + SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_DH_DSA_CERT); + goto f_err; + } + #endif ++ /* Check DHE only: static DH not implemented. */ ++ if (alg_k & SSL_kEDH) ++ { ++ int dh_size = BN_num_bits(dh->p); ++ if ((!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 768) ++ || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && dh_size < 512)) ++ { ++ SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM, SSL_R_DH_KEY_TOO_SMALL); ++ goto f_err; ++ } ++ } + #endif + + if (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) && !has_bits(i,EVP_PKT_EXP)) diff --git a/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-7575.patch b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-7575.patch new file mode 100644 index 0000000000..dc86361db5 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl-1.0.1e/rhel/openssl-1.0.1e-cve-2015-7575.patch @@ -0,0 +1,38 @@ +diff -up openssl-1.0.1e/ssl/t1_lib.c.no-md5-tls openssl-1.0.1e/ssl/t1_lib.c +--- openssl-1.0.1e/ssl/t1_lib.c.no-md5-tls 2015-12-04 09:51:39.000000000 +0100 ++++ openssl-1.0.1e/ssl/t1_lib.c 2015-12-21 14:09:35.239084727 +0100 +@@ -390,19 +390,11 @@ static unsigned char tls12_sigalgs[] = { + #ifndef OPENSSL_NO_SHA + tlsext_sigalg(TLSEXT_hash_sha1) + #endif +-#ifndef OPENSSL_NO_MD5 +- tlsext_sigalg_rsa(TLSEXT_hash_md5) +-#endif + }; + + int tls12_get_req_sig_algs(SSL *s, unsigned char *p) + { + size_t slen = sizeof(tls12_sigalgs); +-#ifdef OPENSSL_FIPS +- /* If FIPS mode don't include MD5 which is last */ +- if (FIPS_mode()) +- slen -= 2; +-#endif + if (p) + memcpy(p, tls12_sigalgs, slen); + return (int)slen; +@@ -2413,14 +2405,6 @@ const EVP_MD *tls12_get_hash(unsigned ch + { + switch(hash_alg) + { +-#ifndef OPENSSL_NO_MD5 +- case TLSEXT_hash_md5: +-#ifdef OPENSSL_FIPS +- if (FIPS_mode()) +- return NULL; +-#endif +- return EVP_md5(); +-#endif + #ifndef OPENSSL_NO_SHA + case TLSEXT_hash_sha1: + return EVP_sha1(); diff --git a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb index b4d59ae2b0..9192bbdacb 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.0.1e.bb @@ -48,7 +48,65 @@ SRC_URI += "file://configure-targets.patch \ file://openssl-fix-CVE-2014-3513.patch \ file://openssl-fix-CVE-2014-3567.patch \ file://openssl-fix-CVE-2014-3568.patch \ +\ + file://rhel/openssl-1.0.1e-cve-2014-3505.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3506.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3507.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3508.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3509.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3510.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3511.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3570.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3571.patch \ + file://rhel/openssl-1.0.1e-cve-2014-3572.patch \ + file://rhel/openssl-1.0.1e-cve-2014-8275.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0204.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0205.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0206.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0209.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0286.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0287.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0288.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0289.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0292.patch \ + file://rhel/openssl-1.0.1e-cve-2015-0293.patch \ + file://rhel/openssl-1.0.1e-cve-2015-4000.patch \ + file://rhel/openssl-1.0.1e-cve-2014-8176.patch \ + file://rhel/openssl-1.0.1e-cve-2015-1789.patch \ + file://rhel/openssl-1.0.1e-cve-2015-1790.patch \ + file://rhel/openssl-1.0.1e-cve-2015-1791.patch \ + file://rhel/openssl-1.0.1e-cve-2015-1792.patch \ + file://rhel/openssl-1.0.1e-cve-2015-3194.patch \ + file://rhel/openssl-1.0.1e-cve-2015-3195.patch \ + file://rhel/openssl-1.0.1e-cve-2015-3196.patch \ + file://rhel/openssl-1.0.1e-cve-2015-7575.patch \ " +# file://rhel/openssl-1.0.1e-evp-wrap.patch -- looks like a feature +# file://rhel/openssl-1.0.1e-backports.patch -- doesn't apply cleanly +# file://rhel/openssl-1.0.1-beta2-padlock64.patch -- via? +# file://rhel/openssl-1.0.1e-arm-use-elf-auxv-caps.patch --feature +# file://rhel/openssl-1.0.1e-bad-mac.patch -- aes-ni patch +# file://rhel/openssl-1.0.1e-trusted-first.patch -- feature +# file://rhel/openssl-1.0.1e-cve-2013-6449.patch -- SSL_METHOD.. +# file://rhel/openssl-1.0.1e-cve-2013-6450.patch -- Fix-DTLS.. +# file://rhel/openssl-1.0.1e-cve-2013-4353.patch -- Fix for TLS.. +# file://rhel/openssl-1.0.1e-ephemeral-key-size.patch -- feature +# file://rhel/openssl-1.0.1e-cve-2014-0160.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2010-5298.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2014-0195.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2014-0198.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2014-0221.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2014-0224.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2014-3470.patch -- applied +# file://rhel/openssl-1.0.1e-dtls-ecc-ext.patch -- bug fix.. no security +# file://rhel/openssl-1.0.1e-doc-ciphersuites.patch --bugfix +# file://rhel/openssl-1.0.1e-sn-case.patch -- bugfix +# file://rhel/openssl-1.0.1e-ecdh-auto.patch -- feature +# file://rhel/openssl-1.0.1e-fallback-scsv.patch -- feature +# file://rhel/openssl-1.0.1e-copy-algo.patch -- bugfix? +# file://rhel/openssl-1.0.1e-cc-reqs.patch -- bugfix +# file://rhel/openssl-1.0.1e-cve-2014-3567.patch -- applied +# file://rhel/openssl-1.0.1e-cve-2014-3513.patch -- applied SRC_URI[md5sum] = "66bf6f10f060d561929de96f9dfe5b8c" SRC_URI[sha256sum] = "f74f15e8c8ff11aa3d5bb5f276d202ec18d7246e95f961db76054199c69c1ae3"