24710405 Upgrade OpenSSL version to 1.0.1u s11u3-sru
authorRonald Jordan <ron.jordan@oracle.com>
Tue, 27 Sep 2016 10:50:55 -0700
branchs11u3-sru
changeset 6981 1d2ebf9515bd
parent 6980 f9de80b7cc17
child 6985 b1711a8f4522
24710405 Upgrade OpenSSL version to 1.0.1u 24703800 problem in LIBRARY/OPENSSL 24703856 problem in LIBRARY/OPENSSL 24703866 problem in LIBRARY/OPENSSL 24703911 problem in LIBRARY/OPENSSL 24703934 problem in LIBRARY/OPENSSL 24703939 problem in LIBRARY/OPENSSL
components/openssl/openssl-1.0.1-fips-140/Makefile
components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.license
components/openssl/openssl-1.0.1-fips-140/patches/42_rm_sslv2.patch
components/openssl/openssl-1.0.1-fips-140/patches/43_cve-2016-2177.patch
components/openssl/openssl-1.0.1-fips-140/patches/44_cve-2016-2178.patch
components/openssl/openssl-1.0.1-fips-140/patches/46_cve-2016-6302.patch
components/openssl/openssl-1.0.1-fips-140/patches/48_large_crl.patch
components/openssl/openssl-1.0.1/Makefile
components/openssl/openssl-1.0.1/openssl-1.0.1.license
components/openssl/openssl-1.0.1/patches/42_rm_sslv2.patch
components/openssl/openssl-1.0.1/patches/43_cve-2016-2177.patch
components/openssl/openssl-1.0.1/patches/44_cve-2016-2178.patch
components/openssl/openssl-1.0.1/patches/46_cve-2016-6302.patch
components/openssl/openssl-1.0.1/patches/48_large_crl.patch
--- a/components/openssl/openssl-1.0.1-fips-140/Makefile	Tue Sep 27 00:30:26 2016 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/Makefile	Tue Sep 27 10:50:55 2016 -0700
@@ -32,18 +32,18 @@
 COMPONENT_NAME =	openssl-fips-140
 # Note that this is the OpenSSL version that is used to build FIPS-140 certified
 # libraries. However, we use the FIPS canister version for the IPS package.
-COMPONENT_VERSION =	1.0.1t
+COMPONENT_VERSION =	1.0.1u
 IPS_COMPONENT_VERSION = 2.0.6
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC_NAME =	openssl
 COMPONENT_SRC =		$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:4a6ee491a2fdb22e519c76fdc2a628bb3cec12762cd456861d207996c8a07088
+    sha256:4312b4ca1215b6f2c97007503d80db80d5157f76f8f7d3febbe6b4c56ff26739
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
-TPNO=			28138
+TPNO=			31796
 
 # OpenSSL FIPS directory
 OPENSSL_FIPS_DIR = $(COMPONENT_DIR)/../openssl-fips
@@ -107,7 +107,7 @@
 CONFIGURE_OPTIONS += no-seed
 
 # Disable SSLv2 protocol
-CONFIGURE_OPTIONS += no-ssl2 no-ssl2-method
+CONFIGURE_OPTIONS += no-ssl2
 
 # We define our own compiler and linker option sets for Solaris. See Configure
 # for more information.
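Review bot: Dropping `no-ssl2-method` from the `CONFIGURE_OPTIONS` line is not explained, and the comment above it still says only "Disable SSLv2 protocol". The same commit deletes the in-house `SSLv2_method`, `SSLv2_client_method` and `SSLv2_server_method` stubs from 42_rm_sslv2.patch, so the build presumably now relies on 1.0.1u supplying NULL-returning versions of those functions when configured with `no-ssl2` alone; that is inferred, not visible in this hunk. I would add a comment such as `# no-ssl2-method is deliberately not set: the SSLv2_*method symbols must stay exported (returning NULL) for ABI compatibility`. It is also worth confirming on the built libssl that the three symbols are still present and that no SSLv2 code path is reachable. The identical change in components/openssl/openssl-1.0.1/Makefile needs the same comment.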
--- a/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.license	Tue Sep 27 00:30:26 2016 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/openssl-1.0.1-fips-140.license	Tue Sep 27 10:50:55 2016 -0700
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2016 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
--- a/components/openssl/openssl-1.0.1-fips-140/patches/42_rm_sslv2.patch	Tue Sep 27 00:30:26 2016 -0700
+++ b/components/openssl/openssl-1.0.1-fips-140/patches/42_rm_sslv2.patch	Tue Sep 27 10:50:55 2016 -0700
@@ -1,54 +1,6 @@
 #
 # This was developed in house.  Not applicable to the upstream.
 #
---- openssl-1.0.1/ssl/s2_meth.c      Fri May  8 09:38:33 2015
-+++ openssl-1.0.1/ssl/s2_meth.c.new       Fri May  8 09:51:53 2015
[email protected]@ -74,6 +74,13 @@
-                          ssl2_accept, ssl2_connect, ssl2_get_method)
- #else                           /* !OPENSSL_NO_SSL2 */
-
-+/* stub function */
-+const SSL_METHOD *
-+SSLv2_method(void)
-+{
-+       return (NULL);
-+}
-+
- # if PEDANTIC
- static void *dummy = &dummy;
- # endif
---- openssl-1.0.1/ssl/s2_clnt.c      Fri May  8 09:37:51 2015
-+++ openssl-1.0.1/ssl/ss2_clnt.c.new       Fri May  8 09:53:12 2015
[email protected]@ -1087,6 +1087,13 @@
- }
- #else                           /* !OPENSSL_NO_SSL2 */
-
-+/* stub function */
-+const SSL_METHOD *
-+SSLv2_client_method(void)
-+{
-+       return (NULL);
-+}
-+
- # if PEDANTIC
- static void *dummy = &dummy;
- # endif
---- openssl-1.0.1/ssl/s2_srvr.c      Fri May  8 09:38:02 2015
-+++ openssl-1.0.1/ssl/s2_srvr.c.new       Fri May  8 09:53:43 2015
[email protected]@ -1150,6 +1150,13 @@
- }
- #else                           /* !OPENSSL_NO_SSL2 */
-
-+/* stub function */
-+const SSL_METHOD *
-+SSLv2_server_method(void)
-+{
-+        return (NULL);
-+}
-+
- # if PEDANTIC
- static void *dummy = &dummy;
- # endif
 --- openssl-1.0.1/ssl/ssl.h	Tue May 26 11:13:15 2015
 +++ openssl-1.0.1/ssl/ssl.h.new	Tue May 26 11:32:09 2015
 @@ -2016,12 +2016,28 @@
--- a/components/openssl/openssl-1.0.1-fips-140/patches/43_cve-2016-2177.patch	Tue Sep 27 00:30:26 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,214 +0,0 @@
-# The patch is based on the following commit from the upstream:
-# https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7
-# The fix is patched until the new version becomes available
-# from the upstream.
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
[email protected]@ -1040,7 +1040,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-         session_length = *(p + SSL3_RANDOM_SIZE);
- 
--        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
-+        if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
[email protected]@ -1058,7 +1058,7 @@ int ssl3_get_client_hello(SSL *s)
-     /* get the session-id */
-     j = *(p++);
- 
--    if (p + j > d + n) {
-+    if ((d + n) - p < j) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
[email protected]@ -1114,14 +1114,14 @@ int ssl3_get_client_hello(SSL *s)
- 
-     if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
-         /* cookie stuff */
--        if (p + 1 > d + n) {
-+        if ((d + n) - p < 1) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-         }
-         cookie_len = *(p++);
- 
--        if (p + cookie_len > d + n) {
-+        if ((d + n ) - p < cookie_len) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
[email protected]@ -1166,7 +1166,7 @@ int ssl3_get_client_hello(SSL *s)
-         p += cookie_len;
-     }
- 
--    if (p + 2 > d + n) {
-+    if ((d + n ) - p < 2) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
[email protected]@ -1180,7 +1180,7 @@ int ssl3_get_client_hello(SSL *s)
-     }
- 
-     /* i bytes of cipher data + 1 byte for compression length later */
--    if ((p + i + 1) > (d + n)) {
-+    if ((d + n) - p < i + 1) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
[email protected]@ -1246,7 +1246,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-     /* compression */
-     i = *(p++);
--    if ((p + i) > (d + n)) {
-+    if ((d + n) - p < i) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
[email protected]@ -602,7 +602,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
-     int r;
- #endif
- 
--    if (session_id + len > limit) {
-+    if (limit - session_id < len) {
-         fatal = 1;
-         goto err;
-     }
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
[email protected]@ -942,11 +942,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         0x02, 0x03,             /* SHA-1/ECDSA */
-     };
- 
--    if (data >= (limit - 2))
-+    if (limit - data <= 2)
-         return;
-     data += 2;
- 
--    if (data > (limit - 4))
-+    if (limit - data < 4)
-         return;
-     n2s(data, type);
-     n2s(data, size);
[email protected]@ -954,7 +954,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     if (type != TLSEXT_TYPE_server_name)
-         return;
- 
--    if (data + size > limit)
-+    if (limit - data < size)
-         return;
-     data += size;
- 
[email protected]@ -962,7 +962,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         const size_t len1 = sizeof(kSafariExtensionsBlock);
-         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
- 
--        if (data + len1 + len2 != limit)
-+        if (limit - data != (int)(len1 + len2))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-             return;
[email protected]@ -971,7 +971,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     } else {
-         const size_t len = sizeof(kSafariExtensionsBlock);
- 
--        if (data + len != limit)
-+        if (limit - data != (int)(len))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-             return;
[email protected]@ -1019,19 +1019,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
-     if (data == limit)
-         goto ri_check;
- 
--    if (data > (limit - 2))
-+    if (limit - data < 2)
-         goto err;
- 
-     n2s(data, len);
- 
--    if (data + len != limit)
-+    if (limit - data != len)
-         goto err;
- 
--    while (data <= (limit - 4)) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (limit))
-+        if (limit - data < size)
-             goto err;
- # if 0
-         fprintf(stderr, "Received extension type %d size %d\n", type, size);
[email protected]@ -1460,20 +1460,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
-                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- # endif
- 
--    if (data >= (d + n - 2))
-+    if ((d + n) - data <= 2)
-         goto ri_check;
- 
-     n2s(data, length);
--    if (data + length != d + n) {
-+    if ((d + n) - data != length) {
-         *al = SSL_AD_DECODE_ERROR;
-         return 0;
-     }
- 
--    while (data <= (d + n - 4)) {
-+    while ((d + n) - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (d + n))
-+        if ((d + n) - data < size)
-             goto ri_check;
- 
-         if (s->tlsext_debug_cb)
[email protected]@ -2179,29 +2179,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-     /* Skip past DTLS cookie */
-     if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
-         i = *(p++);
--        p += i;
--        if (p >= limit)
-+
-+        if (limit - p <= i)
-             return -1;
-+
-+        p += i;
-     }
-     /* Skip past cipher list */
-     n2s(p, i);
--    p += i;
--    if (p >= limit)
-+    if (limit - p <= i)
-         return -1;
-+    p += i;
-+
-     /* Skip past compression algorithm list */
-     i = *(p++);
--    p += i;
--    if (p > limit)
-+    if (limit - p < i)
-         return -1;
-+    p += i;
-+
-     /* Now at start of extensions */
--    if ((p + 2) >= limit)
-+    if (limit - p <= 2)
-         return 0;
-     n2s(p, i);
--    while ((p + 4) <= limit) {
-+    while (limit - p >= 4) {
-         unsigned short type, size;
-         n2s(p, type);
-         n2s(p, size);
--        if (p + size > limit)
-+        if (limit - p < size)
-             return 0;
-         if (type == TLSEXT_TYPE_session_ticket) {
-             int r;
--- a/components/openssl/openssl-1.0.1-fips-140/patches/44_cve-2016-2178.patch	Tue Sep 27 00:30:26 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,28 +0,0 @@
-# The patch is based on the following commit from the upstream:
-# https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2
-# The fix is patched until the new version becomes available
-# from the upstream.
---- a/crypto/dsa/dsa_ossl.c	2016-06-20 08:06:46.793733045 -0700
-+++ b/crypto/dsa/dsa_ossl.c	2016-06-20 08:07:42.133601060 -0700
[email protected]@ -248,9 +248,6 @@
-         if (!BN_rand_range(&k, dsa->q))
-             goto err;
-     while (BN_is_zero(&k)) ;
--    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
--        BN_set_flags(&k, BN_FLG_CONSTTIME);
--    }
- 
-     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
-         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
[email protected]@ -282,6 +279,11 @@
-     } else {
-         K = &k;
-     }
-+
-+    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-+        BN_set_flags(K, BN_FLG_CONSTTIME);
-+    }
-+
-     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
-                    dsa->method_mont_p);
-     if (!BN_mod(r, r, dsa->q, ctx))
--- a/components/openssl/openssl-1.0.1-fips-140/patches/46_cve-2016-6302.patch	Tue Sep 27 00:30:26 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,30 +0,0 @@
-# The patch is based on the following commit from the upstream:
-# https://github.com/openssl/openssl/commit/baaabfd8fdcec04a691695fad9a664bea43202b6
-# The fix is patched until the new version becomes available
-# from the upstream.
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
[email protected]@ -3401,9 +3401,7 @@
-     HMAC_CTX hctx;
-     EVP_CIPHER_CTX ctx;
-     SSL_CTX *tctx = s->initial_ctx;
--    /* Need at least keyname + iv + some encrypted data */
--    if (eticklen < 48)
--        return 2;
-+
-     /* Initialize session ticket encryption and HMAC contexts */
-     HMAC_CTX_init(&hctx);
-     EVP_CIPHER_CTX_init(&ctx);
[email protected]@ -3437,6 +3435,12 @@
-     if (mlen < 0) {
-         goto err;
-     }
-+    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
-+    if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
-+        HMAC_CTX_cleanup(&hctx);
-+        EVP_CIPHER_CTX_cleanup(&ctx);
-+        return 2;
-+    }
-     eticklen -= mlen;
-     /* Check HMAC of encrypted ticket */
-     if (HMAC_Update(&hctx, etick, eticklen) <= 0
--- a/components/openssl/openssl-1.0.1-fips-140/patches/48_large_crl.patch	Tue Sep 27 00:30:26 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,18 +0,0 @@
-# The patch is based on the following commit from the upstream:
-# https://github.com/openssl/openssl/commit/a1eef756cc1948e
-# The fix is patched until the new version becomes available from the upstream.
---- a/crypto/asn1/x_name.c	2016-07-12 15:17:45.766267352 -0700
-+++ b/crypto/asn1/x_name.c	2016-07-12 15:18:02.542842140 -0700
[email protected]@ -199,10 +199,8 @@
-     int i, j, ret;
-     STACK_OF(X509_NAME_ENTRY) *entries;
-     X509_NAME_ENTRY *entry;
--    if (len > X509_NAME_MAX) {
--        ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
--        return 0;
--    }
-+    if (len > X509_NAME_MAX)
-+        len = X509_NAME_MAX;
-     q = p;
- 
-     /* Get internal representation of Name */
--- a/components/openssl/openssl-1.0.1/Makefile	Tue Sep 27 00:30:26 2016 -0700
+++ b/components/openssl/openssl-1.0.1/Makefile	Tue Sep 27 10:50:55 2016 -0700
@@ -28,20 +28,20 @@
 # When upgrading OpenSSL, please, DON'T FORGET TO TEST WANBOOT too. 
 # For more information about wanboot-openssl testing, please refer to
 # ../README.
-COMPONENT_VERSION =	1.0.1t
+COMPONENT_VERSION =	1.0.1u
 # Version for IPS. It is easier to do it manually than convert the letter to a
 # number while taking into account that there might be no letter at all.
-IPS_COMPONENT_VERSION = 1.0.1.20
+IPS_COMPONENT_VERSION = 1.0.1.21
 COMPONENT_PROJECT_URL=	http://www.openssl.org/
 COMPONENT_SRC =		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE =	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:4a6ee491a2fdb22e519c76fdc2a628bb3cec12762cd456861d207996c8a07088
+    sha256:4312b4ca1215b6f2c97007503d80db80d5157f76f8f7d3febbe6b4c56ff26739
 
 COMPONENT_ARCHIVE_URL =	$(COMPONENT_PROJECT_URL)source/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	library/openssl
 
-TPNO=			28138
+TPNO=			31796
 
 include $(WS_MAKE_RULES)/prep.mk
 include $(WS_MAKE_RULES)/configure.mk
@@ -98,7 +98,7 @@
 CONFIGURE_OPTIONS += no-seed
 
 # Disable SSLv2 protocol
-CONFIGURE_OPTIONS += no-ssl2 no-ssl2-method
+CONFIGURE_OPTIONS += no-ssl2
 
 # We use both no-whirlpool and no-whrlpool since there is an inconsistency in
 # the OpenSSL code and one needs both to build OpenSSL successfully with
--- a/components/openssl/openssl-1.0.1/openssl-1.0.1.license	Tue Sep 27 00:30:26 2016 -0700
+++ b/components/openssl/openssl-1.0.1/openssl-1.0.1.license	Tue Sep 27 10:50:55 2016 -0700
@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2016 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
--- a/components/openssl/openssl-1.0.1/patches/42_rm_sslv2.patch	Tue Sep 27 00:30:26 2016 -0700
+++ b/components/openssl/openssl-1.0.1/patches/42_rm_sslv2.patch	Tue Sep 27 10:50:55 2016 -0700
@@ -1,54 +1,6 @@
 #
 # This was developed in house.  Not applicable to the upstream.
 #
---- openssl-1.0.1/ssl/s2_meth.c      Fri May  8 09:38:33 2015
-+++ openssl-1.0.1/ssl/s2_meth.c.new       Fri May  8 09:51:53 2015
[email protected]@ -74,6 +74,13 @@
-                          ssl2_accept, ssl2_connect, ssl2_get_method)
- #else                           /* !OPENSSL_NO_SSL2 */
-
-+/* stub function */
-+const SSL_METHOD *
-+SSLv2_method(void)
-+{
-+       return (NULL);
-+}
-+
- # if PEDANTIC
- static void *dummy = &dummy;
- # endif
---- openssl-1.0.1/ssl/s2_clnt.c      Fri May  8 09:37:51 2015
-+++ openssl-1.0.1/ssl/ss2_clnt.c.new       Fri May  8 09:53:12 2015
[email protected]@ -1087,6 +1087,13 @@
- }
- #else                           /* !OPENSSL_NO_SSL2 */
-
-+/* stub function */
-+const SSL_METHOD *
-+SSLv2_client_method(void)
-+{
-+       return (NULL);
-+}
-+
- # if PEDANTIC
- static void *dummy = &dummy;
- # endif
---- openssl-1.0.1/ssl/s2_srvr.c      Fri May  8 09:38:02 2015
-+++ openssl-1.0.1/ssl/s2_srvr.c.new       Fri May  8 09:53:43 2015
[email protected]@ -1150,6 +1150,13 @@
- }
- #else                           /* !OPENSSL_NO_SSL2 */
-
-+/* stub function */
-+const SSL_METHOD *
-+SSLv2_server_method(void)
-+{
-+        return (NULL);
-+}
-+
- # if PEDANTIC
- static void *dummy = &dummy;
- # endif
 --- openssl-1.0.1/ssl/ssl.h	Tue May 26 11:13:15 2015
 +++ openssl-1.0.1/ssl/ssl.h.new	Tue May 26 11:32:09 2015
 @@ -2016,12 +2016,28 @@
--- a/components/openssl/openssl-1.0.1/patches/43_cve-2016-2177.patch	Tue Sep 27 00:30:26 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,214 +0,0 @@
-# The patch is based on the following commit from the upstream:
-# https://git.openssl.org/?p=openssl.git;a=commit;h=a004e72b95835136d3f1ea90517f706c24c03da7
-# The fix is patched until the new version becomes available
-# from the upstream.
---- a/ssl/s3_srvr.c
-+++ b/ssl/s3_srvr.c
[email protected]@ -1040,7 +1040,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-         session_length = *(p + SSL3_RANDOM_SIZE);
- 
--        if (p + SSL3_RANDOM_SIZE + session_length + 1 >= d + n) {
-+        if (SSL3_RANDOM_SIZE + session_length + 1 >= (d + n) - p) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
[email protected]@ -1058,7 +1058,7 @@ int ssl3_get_client_hello(SSL *s)
-     /* get the session-id */
-     j = *(p++);
- 
--    if (p + j > d + n) {
-+    if ((d + n) - p < j) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
[email protected]@ -1114,14 +1114,14 @@ int ssl3_get_client_hello(SSL *s)
- 
-     if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
-         /* cookie stuff */
--        if (p + 1 > d + n) {
-+        if ((d + n) - p < 1) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
-         }
-         cookie_len = *(p++);
- 
--        if (p + cookie_len > d + n) {
-+        if ((d + n ) - p < cookie_len) {
-             al = SSL_AD_DECODE_ERROR;
-             SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-             goto f_err;
[email protected]@ -1166,7 +1166,7 @@ int ssl3_get_client_hello(SSL *s)
-         p += cookie_len;
-     }
- 
--    if (p + 2 > d + n) {
-+    if ((d + n ) - p < 2) {
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_TOO_SHORT);
-         goto f_err;
[email protected]@ -1180,7 +1180,7 @@ int ssl3_get_client_hello(SSL *s)
-     }
- 
-     /* i bytes of cipher data + 1 byte for compression length later */
--    if ((p + i + 1) > (d + n)) {
-+    if ((d + n) - p < i + 1) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
[email protected]@ -1246,7 +1246,7 @@ int ssl3_get_client_hello(SSL *s)
- 
-     /* compression */
-     i = *(p++);
--    if ((p + i) > (d + n)) {
-+    if ((d + n) - p < i) {
-         /* not enough data */
-         al = SSL_AD_DECODE_ERROR;
-         SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_LENGTH_MISMATCH);
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
[email protected]@ -602,7 +602,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
-     int r;
- #endif
- 
--    if (session_id + len > limit) {
-+    if (limit - session_id < len) {
-         fatal = 1;
-         goto err;
-     }
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
[email protected]@ -942,11 +942,11 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         0x02, 0x03,             /* SHA-1/ECDSA */
-     };
- 
--    if (data >= (limit - 2))
-+    if (limit - data <= 2)
-         return;
-     data += 2;
- 
--    if (data > (limit - 4))
-+    if (limit - data < 4)
-         return;
-     n2s(data, type);
-     n2s(data, size);
[email protected]@ -954,7 +954,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     if (type != TLSEXT_TYPE_server_name)
-         return;
- 
--    if (data + size > limit)
-+    if (limit - data < size)
-         return;
-     data += size;
- 
[email protected]@ -962,7 +962,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-         const size_t len1 = sizeof(kSafariExtensionsBlock);
-         const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
- 
--        if (data + len1 + len2 != limit)
-+        if (limit - data != (int)(len1 + len2))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
-             return;
[email protected]@ -971,7 +971,7 @@ static void ssl_check_for_safari(SSL *s, const unsigned char *data,
-     } else {
-         const size_t len = sizeof(kSafariExtensionsBlock);
- 
--        if (data + len != limit)
-+        if (limit - data != (int)(len))
-             return;
-         if (memcmp(data, kSafariExtensionsBlock, len) != 0)
-             return;
[email protected]@ -1019,19 +1019,19 @@ static int ssl_scan_clienthello_tlsext(SSL *s, unsigned char **p,
-     if (data == limit)
-         goto ri_check;
- 
--    if (data > (limit - 2))
-+    if (limit - data < 2)
-         goto err;
- 
-     n2s(data, len);
- 
--    if (data + len != limit)
-+    if (limit - data != len)
-         goto err;
- 
--    while (data <= (limit - 4)) {
-+    while (limit - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (limit))
-+        if (limit - data < size)
-             goto err;
- # if 0
-         fprintf(stderr, "Received extension type %d size %d\n", type, size);
[email protected]@ -1460,20 +1460,20 @@ static int ssl_scan_serverhello_tlsext(SSL *s, unsigned char **p,
-                              SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
- # endif
- 
--    if (data >= (d + n - 2))
-+    if ((d + n) - data <= 2)
-         goto ri_check;
- 
-     n2s(data, length);
--    if (data + length != d + n) {
-+    if ((d + n) - data != length) {
-         *al = SSL_AD_DECODE_ERROR;
-         return 0;
-     }
- 
--    while (data <= (d + n - 4)) {
-+    while ((d + n) - data >= 4) {
-         n2s(data, type);
-         n2s(data, size);
- 
--        if (data + size > (d + n))
-+        if ((d + n) - data < size)
-             goto ri_check;
- 
-         if (s->tlsext_debug_cb)
[email protected]@ -2179,29 +2179,33 @@ int tls1_process_ticket(SSL *s, unsigned char *session_id, int len,
-     /* Skip past DTLS cookie */
-     if (s->version == DTLS1_VERSION || s->version == DTLS1_BAD_VER) {
-         i = *(p++);
--        p += i;
--        if (p >= limit)
-+
-+        if (limit - p <= i)
-             return -1;
-+
-+        p += i;
-     }
-     /* Skip past cipher list */
-     n2s(p, i);
--    p += i;
--    if (p >= limit)
-+    if (limit - p <= i)
-         return -1;
-+    p += i;
-+
-     /* Skip past compression algorithm list */
-     i = *(p++);
--    p += i;
--    if (p > limit)
-+    if (limit - p < i)
-         return -1;
-+    p += i;
-+
-     /* Now at start of extensions */
--    if ((p + 2) >= limit)
-+    if (limit - p <= 2)
-         return 0;
-     n2s(p, i);
--    while ((p + 4) <= limit) {
-+    while (limit - p >= 4) {
-         unsigned short type, size;
-         n2s(p, type);
-         n2s(p, size);
--        if (p + size > limit)
-+        if (limit - p < size)
-             return 0;
-         if (type == TLSEXT_TYPE_session_ticket) {
-             int r;
--- a/components/openssl/openssl-1.0.1/patches/44_cve-2016-2178.patch	Tue Sep 27 00:30:26 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,28 +0,0 @@
-# The patch is based on the following commit from the upstream:
-# https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2
-# The fix is patched until the new version becomes available
-# from the upstream.
---- a/crypto/dsa/dsa_ossl.c	2016-06-20 08:06:46.793733045 -0700
-+++ b/crypto/dsa/dsa_ossl.c	2016-06-20 08:07:42.133601060 -0700
[email protected]@ -248,9 +248,6 @@
-         if (!BN_rand_range(&k, dsa->q))
-             goto err;
-     while (BN_is_zero(&k)) ;
--    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
--        BN_set_flags(&k, BN_FLG_CONSTTIME);
--    }
- 
-     if (dsa->flags & DSA_FLAG_CACHE_MONT_P) {
-         if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p,
[email protected]@ -282,6 +279,11 @@
-     } else {
-         K = &k;
-     }
-+
-+    if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0) {
-+        BN_set_flags(K, BN_FLG_CONSTTIME);
-+    }
-+
-     DSA_BN_MOD_EXP(goto err, dsa, r, dsa->g, K, dsa->p, ctx,
-                    dsa->method_mont_p);
-     if (!BN_mod(r, r, dsa->q, ctx))
--- a/components/openssl/openssl-1.0.1/patches/46_cve-2016-6302.patch	Tue Sep 27 00:30:26 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,30 +0,0 @@
-# The patch is based on the following commit from the upstream:
-# https://github.com/openssl/openssl/commit/baaabfd8fdcec04a691695fad9a664bea43202b6
-# The fix is patched until the new version becomes available
-# from the upstream.
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
[email protected]@ -3401,9 +3401,7 @@
-     HMAC_CTX hctx;
-     EVP_CIPHER_CTX ctx;
-     SSL_CTX *tctx = s->initial_ctx;
--    /* Need at least keyname + iv + some encrypted data */
--    if (eticklen < 48)
--        return 2;
-+
-     /* Initialize session ticket encryption and HMAC contexts */
-     HMAC_CTX_init(&hctx);
-     EVP_CIPHER_CTX_init(&ctx);
[email protected]@ -3437,6 +3435,12 @@
-     if (mlen < 0) {
-         goto err;
-     }
-+    /* Sanity check ticket length: must exceed keyname + IV + HMAC */
-+    if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) {
-+        HMAC_CTX_cleanup(&hctx);
-+        EVP_CIPHER_CTX_cleanup(&ctx);
-+        return 2;
-+    }
-     eticklen -= mlen;
-     /* Check HMAC of encrypted ticket */
-     if (HMAC_Update(&hctx, etick, eticklen) <= 0
--- a/components/openssl/openssl-1.0.1/patches/48_large_crl.patch	Tue Sep 27 00:30:26 2016 -0700
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,18 +0,0 @@
-# The patch is based on the following commit from the upstream:
-# https://github.com/openssl/openssl/commit/a1eef756cc1948e
-# The fix is patched until the new version becomes available from the upstream.
---- a/crypto/asn1/x_name.c	2016-07-12 15:17:45.766267352 -0700
-+++ b/crypto/asn1/x_name.c	2016-07-12 15:18:02.542842140 -0700
[email protected]@ -199,10 +199,8 @@
-     int i, j, ret;
-     STACK_OF(X509_NAME_ENTRY) *entries;
-     X509_NAME_ENTRY *entry;
--    if (len > X509_NAME_MAX) {
--        ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
--        return 0;
--    }
-+    if (len > X509_NAME_MAX)
-+        len = X509_NAME_MAX;
-     q = p;
- 
-     /* Get internal representation of Name */