diff -Nru openssl-1.0.1/debian/changelog openssl-1.0.1/debian/changelog
--- openssl-1.0.1/debian/changelog 2015-06-11 11:36:19.000000000 +0000
+++ openssl-1.0.1/debian/changelog 2016-02-29 13:03:31.000000000 +0000
@@ -1,3 +1,68 @@
+openssl (1.0.1-4ubuntu5.35) precise-security; urgency=medium
+
+ * SECURITY UPDATE: side channel attack on modular exponentiation
+ - debian/patches/CVE-2016-0702.patch: use constant-time calculations in
+ crypto/bn/asm/x86_64-mont5.pl, crypto/bn/bn_exp.c,
+ crypto/perlasm/x86_64-xlate.pl, crypto/constant_time_locl.h.
+ - CVE-2016-0702
+ * SECURITY UPDATE: double-free in DSA code
+ - debian/patches/CVE-2016-0705.patch: fix double-free in
+ crypto/dsa/dsa_ameth.c.
+ - CVE-2016-0705
+ * SECURITY UPDATE: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
+ - debian/patches/CVE-2016-0797.patch: prevent overflow in
+ crypto/bn/bn_print.c, crypto/bn/bn.h.
+ - CVE-2016-0797
+ * SECURITY UPDATE: memory leak in SRP database lookups
+ - debian/patches/CVE-2016-0798.patch: disable SRP fake user seed and
+ introduce new SRP_VBASE_get1_by_user function that handled seed
+ properly in apps/s_server.c, crypto/srp/srp.h, crypto/srp/srp_vfy.c,
+ util/libeay.num, openssl.ld.
+ - CVE-2016-0798
+ * SECURITY UPDATE: memory issues in BIO_*printf functions
+ - debian/patches/CVE-2016-0799.patch: prevent overflow in
+ crypto/bio/b_print.c.
+ - CVE-2016-0799
+ * debian/patches/preserve_digests_for_sni.patch: preserve negotiated
+ digests for SNI when SSL_set_SSL_CTX is called in ssl/ssl_lib.c.
+ (LP: #1550643)
+
+ -- Marc Deslauriers Mon, 29 Feb 2016 08:01:48 -0500
+
+openssl (1.0.1-4ubuntu5.34) precise-security; urgency=medium
+
+ * debian/patches/alt-cert-chains-*.patch: backport series of upstream
+ commits to add alternate chains support. This will allow the future
+ removal of 1024-bit RSA keys from the ca-certificates package.
+
+ -- Marc Deslauriers Mon, 08 Feb 2016 09:15:37 -0500
+
+openssl (1.0.1-4ubuntu5.33) precise-security; urgency=medium
+
+ * SECURITY UPDATE: incorrect RSA+MD5 support with TLS 1.2
+ - debian/patches/CVE-2015-7575.patch: disable RSA+MD5 when using TLS
+ 1.2 in ssl/t1_lib.c.
+ - CVE-2015-7575
+
+ -- Marc Deslauriers Thu, 07 Jan 2016 09:27:55 -0500
+
+openssl (1.0.1-4ubuntu5.32) precise-security; urgency=medium
+
+ * SECURITY UPDATE: Certificate verify crash with missing PSS parameter
+ - debian/patches/CVE-2015-3194.patch: add PSS parameter check to
+ crypto/rsa/rsa_ameth.c.
+ - CVE-2015-3194
+ * SECURITY UPDATE: X509_ATTRIBUTE memory leak
+ - debian/patches/CVE-2015-3195.patch: fix leak in
+ crypto/asn1/tasn_dec.c.
+ - CVE-2015-3195
+ * SECURITY UPDATE: Race condition handling PSK identify hint
+ - debian/patches/CVE-2015-3196.patch: fix PSK handling in
+ ssl/s3_clnt.c, ssl/s3_srvr.c.
+ - CVE-2015-3196
+
+ -- Marc Deslauriers Fri, 04 Dec 2015 08:22:09 -0500
+
 openssl (1.0.1-4ubuntu5.31) precise-security; urgency=medium
 
 * SECURITY IMPROVEMENT: reject dh keys smaller than 768 bits
diff -Nru openssl-1.0.1/debian/patches/alt-cert-chains-1.patch openssl-1.0.1/debian/patches/alt-cert-chains-1.patch
--- openssl-1.0.1/debian/patches/alt-cert-chains-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/alt-cert-chains-1.patch 2016-02-08 14:14:54.000000000 +0000
@@ -0,0 +1,217 @@
+Backport of:
+
+From f7bf8e02dfcb2c02bc12a59276d0a3ba43e6c204 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Tue, 27 Jan 2015 10:03:29 +0000
+Subject: [PATCH] In certain situations the server provided certificate chain
+ may no longer be valid. However the issuer of the leaf, or some intermediate
+ cert is in fact in the trust store.
+
+When building a trust chain if the first attempt fails, then try to see if
+alternate chains could be constructed that are trusted.
+
+RT3637
+RT3621
+
+Reviewed-by: Kurt Roeckx
+---
+ crypto/x509/x509_vfy.c | 165 +++++++++++++++++++++++++++++--------------------
+ 1 file changed, 98 insertions(+), 67 deletions(-)
+
+Index: openssl-1.0.1f/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/x509/x509_vfy.c 2016-02-05 15:45:12.062806522 -0500
++++ openssl-1.0.1f/crypto/x509/x509_vfy.c 2016-02-05 15:55:56.873867283 -0500
+@@ -153,11 +153,11 @@
+
+ int X509_verify_cert(X509_STORE_CTX *ctx)
+ {
+- X509 *x,*xtmp,*chain_ss=NULL;
++ X509 *x,*xtmp,*xtmp2,*chain_ss=NULL;
+ int bad_chain = 0;
+ X509_VERIFY_PARAM *param = ctx->param;
+ int depth,i,ok=0;
+- int num;
++ int num,j,retry;
+ int (*cb)(int xok,X509_STORE_CTX *xctx);
+ STACK_OF(X509) *sktmp=NULL;
+ if (ctx->cert == NULL)
+@@ -231,82 +231,114 @@
+ break;
+ }
+
++ /* Remember how many untrusted certs we have */
++ j = num;
+ /* at this point, chain should contain a list of untrusted
+ * certificates. We now need to add at least one trusted one,
+ * if possible, otherwise we complain. */
+
+- /* Examine last certificate in chain and see if it
+- * is self signed.
+- */
+-
+- i=sk_X509_num(ctx->chain);
+- x=sk_X509_value(ctx->chain,i-1);
+- if (ctx->check_issued(ctx, x, x))
+- {
+- /* we have a self signed certificate */
+- if (sk_X509_num(ctx->chain) == 1)
+- {
+- /* We have a single self signed certificate: see if
+- * we can find it in the store. We must have an exact
+- * match to avoid possible impersonation.
+- */
+- ok = ctx->get_issuer(&xtmp, ctx, x);
+- if ((ok <= 0) || X509_cmp(x, xtmp))
+- {
+- ctx->error=X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
+- ctx->current_cert=x;
+- ctx->error_depth=i-1;
+- if (ok == 1) X509_free(xtmp);
+- bad_chain = 1;
+- ok=cb(0,ctx);
+- if (!ok) goto end;
+- }
+- else
+- {
+- /* We have a match: replace certificate with store version
+- * so we get any trust settings.
++ do {
++ /*
++ * Examine last certificate in chain and see if it is self signed.
++ */
++ i = sk_X509_num(ctx->chain);
++ x = sk_X509_value(ctx->chain, i - 1);
++ if (ctx->check_issued(ctx, x, x)) {
++ /* we have a self signed certificate */
++ if (sk_X509_num(ctx->chain) == 1) {
++ /*
++ * We have a single self signed certificate: see if we can
++ * find it in the store. We must have an exact match to avoid
++ * possible impersonation.
+ */
+- X509_free(x);
+- x = xtmp;
+- (void)sk_X509_set(ctx->chain, i - 1, x);
+- ctx->last_untrusted=0;
++ ok = ctx->get_issuer(&xtmp, ctx, x);
++ if ((ok <= 0) || X509_cmp(x, xtmp)) {
++ ctx->error = X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
++ ctx->current_cert = x;
++ ctx->error_depth = i - 1;
++ if (ok == 1)
++ X509_free(xtmp);
++ bad_chain = 1;
++ ok = cb(0, ctx);
++ if (!ok)
++ goto end;
++ } else {
++ /*
++ * We have a match: replace certificate with store
++ * version so we get any trust settings.
++ */
++ X509_free(x);
++ x = xtmp;
++ (void)sk_X509_set(ctx->chain, i - 1, x);
++ ctx->last_untrusted = 0;
+ }
++ } else {
++ /* extract and save self signed certificate for later use
++ */
++ chain_ss = sk_X509_pop(ctx->chain);
++ ctx->last_untrusted--;
++ num--;
++ j--;
++ x = sk_X509_value(ctx->chain, num - 1);
+ }
+- else
+- {
+- /* extract and save self signed certificate for later use */
+- chain_ss=sk_X509_pop(ctx->chain);
+- ctx->last_untrusted--;
+- num--;
+- x=sk_X509_value(ctx->chain,num-1);
++
++ }
++ /* We now lookup certs from the certificate store */
++ for (;;) {
++ /* If we have enough, we break */
++ if (depth < num)
++ break;
++ /* If we are self signed, we break */
++ if (ctx->check_issued(ctx, x, x))
++ break;
++ ok = ctx->get_issuer(&xtmp, ctx, x);
++ if (ok < 0)
++ return ok;
++ if (ok == 0)
++ break;
++ x = xtmp;
++ if (!sk_X509_push(ctx->chain, x)) {
++ X509_free(xtmp);
++ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
++ return 0;
+ }
++ num++;
+ }
+
+- /* We now lookup certs from the certificate store */
+- for (;;)
+- {
+- /* If we have enough, we break */
+- if (depth < num) break;
+-
+- /* If we are self signed, we break */
+- if (ctx->check_issued(ctx,x,x)) break;
+-
+- ok = ctx->get_issuer(&xtmp, ctx, x);
+-
+- if (ok < 0) return ok;
+- if (ok == 0) break;
+-
+- x = xtmp;
+- if (!sk_X509_push(ctx->chain,x))
+- {
+- X509_free(xtmp);
+- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+- return 0;
++ /*
++ * If we haven't got a least one certificate from our store then check
++ * if there is an alternative chain that could be used.
++ */
++ retry = 0;
++ if (j == ctx->last_untrusted) {
++ while (j-- > 1) {
++ xtmp2 = sk_X509_value(ctx->chain, j - 1);
++ ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
++ if (ok < 0)
++ goto end;
++ /* Check if we found an alternate chain */
++ if (ok > 0) {
++ /*
++ * Free up the found cert we'll add it again later
++ */
++ X509_free(xtmp);
++
++ /*
++ * Dump all the certs above this point - we've found an
++ * alternate chain
++ */
++ while (num > j) {
++ xtmp = sk_X509_pop(ctx->chain);
++ X509_free(xtmp);
++ num--;
++ ctx->last_untrusted--;
++ }
++ retry = 1;
++ break;
++ }
+ }
+- num++;
+ }
+-
+- /* we now have our chain, lets check it... */
++ } while (retry);
+
+ /* Is last certificate looked up self signed? */
+ if (!ctx->check_issued(ctx,x,x))
diff -Nru openssl-1.0.1/debian/patches/alt-cert-chains-2.patch openssl-1.0.1/debian/patches/alt-cert-chains-2.patch
--- openssl-1.0.1/debian/patches/alt-cert-chains-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/alt-cert-chains-2.patch 2016-02-08 14:14:59.000000000 +0000
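Review bot: The inner `while (num > j)` loop of the new alternate-chain scan runs `ctx->last_untrusted--;` once per popped certificate, which is the accounting error that alt-cert-chains-5.patch later in this same upload describes and corrects as CVE-2015-1793. This patch is therefore only safe when shipped together with patch 5; I would say so in the patch header, e.g. `Note: must not be applied without alt-cert-chains-5.patch (CVE-2015-1793)`, so a partial backport or a reordered series cannot reintroduce the bypass. Separately, the re-indented store-lookup `for (;;)` still exits with `return ok;` and `return 0;` after `chain_ss = sk_X509_pop(ctx->chain)` may already have run, while the new scan uses `goto end;`; the `end:` label is outside this hunk, so it is worth confirming whether those two returns skip releasing `chain_ss`. The body of X509_verify_cert starts before and continues after the hunk.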
@@ -0,0 +1,53 @@
+Backport of:
+
+From cf1bf3f03250113c04dcfb929a1e83c744a14e9d Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Tue, 27 Jan 2015 10:35:27 +0000
+Subject: [PATCH] Add flag to inhibit checking for alternate certificate
+ chains. Setting this behaviour will force behaviour as per previous versions
+ of OpenSSL
+
+Reviewed-by: Dr. Stephen Henson
+Reviewed-by: Kurt Roeckx
+---
+ crypto/x509/x509_vfy.c | 6 ++++--
+ crypto/x509/x509_vfy.h | 6 ++++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.1f/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/x509/x509_vfy.c 2016-02-05 15:57:36.802967587 -0500
++++ openssl-1.0.1f/crypto/x509/x509_vfy.c 2016-02-05 15:58:52.691806009 -0500
+@@ -307,10 +307,12 @@
+
+ /*
+ * If we haven't got a least one certificate from our store then check
+- * if there is an alternative chain that could be used.
++ * if there is an alternative chain that could be used. We only do this
++ * if the user hasn't switched off alternate chain checking
+ */
+ retry = 0;
+- if (j == ctx->last_untrusted) {
++ if (j == ctx->last_untrusted &&
++ !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
+ while (j-- > 1) {
+ xtmp2 = sk_X509_value(ctx->chain, j - 1);
+ ok = ctx->get_issuer(&xtmp, ctx, xtmp2);
+Index: openssl-1.0.1f/crypto/x509/x509_vfy.h
+===================================================================
+--- openssl-1.0.1f.orig/crypto/x509/x509_vfy.h 2016-02-05 15:57:36.802967587 -0500
++++ openssl-1.0.1f/crypto/x509/x509_vfy.h 2016-02-05 15:59:31.300233429 -0500
+@@ -389,7 +389,12 @@
+ #define X509_V_FLAG_USE_DELTAS 0x2000
+ /* Check selfsigned CA signature */
+ #define X509_V_FLAG_CHECK_SS_SIGNATURE 0x4000
+-
++/*
++ * If the initial chain is not trusted, do not attempt to build an alternative
++ * chain. Alternate chain checking was introduced in 1.0.1n/1.0.2b. Setting
++ * this flag will force the behaviour to match that of previous versions.
++ */
++#define X509_V_FLAG_NO_ALT_CHAINS 0x100000
+
+ #define X509_VP_FLAG_DEFAULT 0x1
+ #define X509_VP_FLAG_OVERWRITE 0x2
diff -Nru openssl-1.0.1/debian/patches/alt-cert-chains-3.patch openssl-1.0.1/debian/patches/alt-cert-chains-3.patch
--- openssl-1.0.1/debian/patches/alt-cert-chains-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/alt-cert-chains-3.patch 2016-02-08 14:15:07.000000000 +0000
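Review bot: The comment added above `X509_V_FLAG_NO_ALT_CHAINS` in x509_vfy.h states that alternate chain checking "was introduced in 1.0.1n/1.0.2b", but this package carries it as a backport onto an older 1.0.1 base (the Index lines read openssl-1.0.1f), so callers that decide by version number will misjudge this build. I would extend the comment with a line such as `Backported in this package: test with #ifdef X509_V_FLAG_NO_ALT_CHAINS rather than OPENSSL_VERSION_NUMBER.` Since alternate-chain building becomes the default once the series is applied, applications that depend on the earlier single-chain behaviour have to set the flag explicitly, and the header comment is the natural place to say that too.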
@@ -0,0 +1,117 @@ +Backport of: + +From c6a39046f576ab0af25bf3ef844812330af2b27b Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 27 Jan 2015 10:50:38 +0000 +Subject: [PATCH] Add -no_alt_chains option to apps to implement the new + X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building + certificate chains, the first chain found will be the one used. Without this + flag, if the first chain found is not trusted then we will keep looking to + see if we can build an alternative chain instead. + +Reviewed-by: Dr. Stephen Henson +Reviewed-by: Kurt Roeckx + +Conflicts: + apps/cms.c + apps/ocsp.c + apps/s_client.c + apps/s_server.c + apps/smime.c + apps/verify.c +--- + apps/apps.c | 2 ++ + apps/cms.c | 2 ++ + apps/ocsp.c | 2 ++ + apps/s_client.c | 2 ++ + apps/s_server.c | 2 ++ + apps/smime.c | 2 ++ + apps/verify.c | 2 +- + 7 files changed, 13 insertions(+), 1 deletion(-) + +Index: openssl-1.0.1/apps/apps.c +=================================================================== +--- openssl-1.0.1.orig/apps/apps.c 2016-02-08 09:15:04.309412023 -0500 ++++ openssl-1.0.1/apps/apps.c 2016-02-08 09:15:04.301411959 -0500 +@@ -2358,6 +2358,8 @@ + flags |= X509_V_FLAG_NOTIFY_POLICY; + else if (!strcmp(arg, "-check_ss_sig")) + flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; ++ else if (!strcmp(arg, "-no_alt_chains")) ++ flags |= X509_V_FLAG_NO_ALT_CHAINS; + else + return 0; + +Index: openssl-1.0.1/apps/cms.c +=================================================================== +--- openssl-1.0.1.orig/apps/cms.c 2016-02-08 09:15:04.309412023 -0500 ++++ openssl-1.0.1/apps/cms.c 2016-02-08 09:15:04.301411959 -0500 +@@ -640,6 +640,7 @@ + BIO_printf (bio_err, "-text include or delete text MIME headers\n"); + BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); + BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); ++ BIO_printf (bio_err, "-no_alt_chains only ever use the first certificate chain found\n"); + BIO_printf (bio_err, "-crl_check 
check revocation status of signer's certificate using CRLs\n"); + BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); + #ifndef OPENSSL_NO_ENGINE +Index: openssl-1.0.1/apps/ocsp.c +=================================================================== +--- openssl-1.0.1.orig/apps/ocsp.c 2016-02-08 09:15:04.309412023 -0500 ++++ openssl-1.0.1/apps/ocsp.c 2016-02-08 09:15:04.301411959 -0500 +@@ -595,6 +595,7 @@ + BIO_printf (bio_err, "-path path to use in OCSP request\n"); + BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); + BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); ++ BIO_printf (bio_err, "-no_alt_chains only ever use the first certificate chain found\n"); + BIO_printf (bio_err, "-VAfile file validator certificates file\n"); + BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); + BIO_printf (bio_err, "-status_age n maximum status age in seconds\n"); +Index: openssl-1.0.1/apps/s_client.c +=================================================================== +--- openssl-1.0.1.orig/apps/s_client.c 2016-02-08 09:15:04.309412023 -0500 ++++ openssl-1.0.1/apps/s_client.c 2016-02-08 09:15:04.305411991 -0500 +@@ -298,6 +298,7 @@ + BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); + BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); + BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); ++ BIO_printf(bio_err," -no_alt_chains - only ever use the first certificate chain found\n"); + BIO_printf(bio_err," -reconnect - Drop and re-make the connection with the same Session-ID\n"); + BIO_printf(bio_err," -pause - sleep(1) after each read(2) and write(2) system call\n"); + BIO_printf(bio_err," -showcerts - show all certificates in the chain\n"); +Index: openssl-1.0.1/apps/s_server.c +=================================================================== +--- openssl-1.0.1.orig/apps/s_server.c 2016-02-08 
09:15:04.309412023 -0500 ++++ openssl-1.0.1/apps/s_server.c 2016-02-08 09:15:04.305411991 -0500 +@@ -517,6 +517,7 @@ + BIO_printf(bio_err," -state - Print the SSL states\n"); + BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); + BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); ++ BIO_printf(bio_err," -no_alt_chains - only ever use the first certificate chain found\n"); + BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); + BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); + BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); +Index: openssl-1.0.1/apps/smime.c +=================================================================== +--- openssl-1.0.1.orig/apps/smime.c 2016-02-08 09:15:04.309412023 -0500 ++++ openssl-1.0.1/apps/smime.c 2016-02-08 09:15:04.305411991 -0500 +@@ -479,6 +479,7 @@ + BIO_printf (bio_err, "-text include or delete text MIME headers\n"); + BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); + BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); ++ BIO_printf (bio_err, "-no_alt_chains only ever use the first certificate chain found\n"); + BIO_printf (bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); + BIO_printf (bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); + #ifndef OPENSSL_NO_ENGINE +Index: openssl-1.0.1/apps/verify.c +=================================================================== +--- openssl-1.0.1.orig/apps/verify.c 2016-02-08 09:15:04.309412023 -0500 ++++ openssl-1.0.1/apps/verify.c 2016-02-08 09:15:04.305411991 -0500 +@@ -230,7 +230,7 @@ + end: + if (ret == 1) { + BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); +- BIO_printf(bio_err," [-attime timestamp]"); ++ BIO_printf(bio_err," [-no_alt_chains] [-attime timestamp]"); + #ifndef OPENSSL_NO_ENGINE + 
BIO_printf(bio_err," [-engine e]"); + #endif diff -Nru openssl-1.0.1/debian/patches/alt-cert-chains-4.patch openssl-1.0.1/debian/patches/alt-cert-chains-4.patch --- openssl-1.0.1/debian/patches/alt-cert-chains-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1/debian/patches/alt-cert-chains-4.patch 2016-02-08 14:15:14.000000000 +0000 @@ -0,0 +1,238 @@ +From 1c687ff4dd5dcc0f05f1d062effdb40e4e41f24f Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 27 Jan 2015 11:15:15 +0000 +Subject: [PATCH] Add documentation for the -no_alt_chains option for various + apps, as well as the X509_V_FLAG_NO_ALT_CHAINS flag. + +Reviewed-by: Dr. Stephen Henson +Reviewed-by: Kurt Roeckx + +Conflicts: + doc/apps/cms.pod + doc/apps/ocsp.pod + doc/apps/s_client.pod + doc/apps/s_server.pod + doc/apps/smime.pod + doc/apps/verify.pod +--- + doc/apps/cms.pod | 5 ++++- + doc/apps/ocsp.pod | 11 +++++++++++ + doc/apps/s_client.pod | 7 ++++++- + doc/apps/s_server.pod | 9 +++++++++ + doc/apps/smime.pod | 4 +++- + doc/apps/verify.pod | 13 +++++++++++++ + doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 8 +++++++- + 7 files changed, 53 insertions(+), 4 deletions(-) + +Index: openssl-1.0.1/doc/apps/cms.pod +=================================================================== +--- openssl-1.0.1.orig/doc/apps/cms.pod 2016-02-08 09:15:11.077466223 -0500 ++++ openssl-1.0.1/doc/apps/cms.pod 2016-02-08 09:15:11.073466191 -0500 +@@ -35,6 +35,7 @@ + [B<-print>] + [B<-CAfile file>] + [B<-CApath dir>] ++[B<-no_alt_chains>] + [B<-md digest>] + [B<-[cipher]>] + [B<-nointern>] +@@ -401,7 +402,7 @@ + then many S/MIME mail clients check the signers certificate's email + address matches that specified in the 
From: address. + +-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> ++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> + + Set various certificate chain valiadition option. See the + L|verify(1)> manual page for details. +@@ -599,4 +600,6 @@ + added in OpenSSL 1.0.0 + + ++The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. ++ + =cut +Index: openssl-1.0.1/doc/apps/ocsp.pod +=================================================================== +--- openssl-1.0.1.orig/doc/apps/ocsp.pod 2016-02-08 09:15:11.077466223 -0500 ++++ openssl-1.0.1/doc/apps/ocsp.pod 2016-02-08 09:15:11.073466191 -0500 +@@ -29,6 +29,7 @@ + [B<-path>] + [B<-CApath dir>] + [B<-CAfile file>] ++[B<-no_alt_chains>]] + [B<-VAfile file>] + [B<-validity_period n>] + [B<-status_age n>] +@@ -138,6 +139,10 @@ + file or pathname containing trusted CA certificates. These are used to verify + the signature on the OCSP response. + ++=item B<-no_alt_chains> ++ ++See L|verify(1)> manual page for details. ++ + =item B<-verify_other file> + + file containing additional certificates to search when attempting to locate +@@ -369,3 +374,9 @@ + + openssl ocsp -index demoCA/index.txt -rsigner rcert.pem -CA demoCA/cacert.pem + -reqin req.der -respout resp.der ++ ++=head1 HISTORY ++ ++The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. 
++ ++=cut +Index: openssl-1.0.1/doc/apps/s_client.pod +=================================================================== +--- openssl-1.0.1.orig/doc/apps/s_client.pod 2016-02-08 09:15:11.077466223 -0500 ++++ openssl-1.0.1/doc/apps/s_client.pod 2016-02-08 09:15:11.073466191 -0500 +@@ -17,6 +17,7 @@ + [B<-pass arg>] + [B<-CApath directory>] + [B<-CAfile filename>] ++[B<-no_alt_chains>] + [B<-reconnect>] + [B<-pause>] + [B<-showcerts>] +@@ -104,7 +105,7 @@ + A file containing trusted certificates to use during server authentication + and to use when attempting to build the client certificate chain. + +-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> ++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> + + Set various certificate chain valiadition option. See the + L|verify(1)> manual page for details. +@@ -309,4 +310,8 @@ + + L, L, L + ++=head1 HISTORY ++ ++The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. ++ + =cut +Index: openssl-1.0.1/doc/apps/s_server.pod +=================================================================== +--- openssl-1.0.1.orig/doc/apps/s_server.pod 2016-02-08 09:15:11.077466223 -0500 ++++ openssl-1.0.1/doc/apps/s_server.pod 2016-02-08 09:15:11.073466191 -0500 +@@ -33,6 +33,7 @@ + [B<-state>] + [B<-CApath directory>] + [B<-CAfile filename>] ++[B<-no_alt_chains>] + [B<-nocert>] + [B<-cipher cipherlist>] + [B<-quiet>] +@@ -163,6 +164,10 @@ + is also used in the list of acceptable client CAs passed to the client when + a certificate is requested. + ++=item B<-no_alt_chains> ++ ++See the L|verify(1)> manual page for details. ++ + =item B<-state> + + prints out the SSL session states. +@@ -352,4 +357,8 @@ + + L, L, L + ++=head1 HISTORY ++ ++The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. 
++ + =cut +Index: openssl-1.0.1/doc/apps/smime.pod +=================================================================== +--- openssl-1.0.1.orig/doc/apps/smime.pod 2016-02-08 09:15:11.077466223 -0500 ++++ openssl-1.0.1/doc/apps/smime.pod 2016-02-08 09:15:11.073466191 -0500 +@@ -15,6 +15,7 @@ + [B<-pk7out>] + [B<-[cipher]>] + [B<-in file>] ++[B<-no_alt_chains>] + [B<-certfile file>] + [B<-signer file>] + [B<-recip file>] +@@ -259,7 +260,7 @@ + then many S/MIME mail clients check the signers certificate's email + address matches that specified in the 
From: address. + +-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig> ++=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains> + + Set various options of certificate chain verification. See + L|verify(1)> manual page for details. +@@ -441,5 +442,6 @@ + The use of multiple B<-signer> options and the B<-resign> command were first + added in OpenSSL 1.0.0 + ++The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. + + =cut +Index: openssl-1.0.1/doc/apps/verify.pod +=================================================================== +--- openssl-1.0.1.orig/doc/apps/verify.pod 2016-02-08 09:15:11.077466223 -0500 ++++ openssl-1.0.1/doc/apps/verify.pod 2016-02-08 09:15:11.073466191 -0500 +@@ -22,6 +22,7 @@ + [B<-extended_crl>] + [B<-use_deltas>] + [B<-policy_print>] ++[B<-no_alt_chains>] + [B<-untrusted file>] + [B<-help>] + [B<-issuer_checks>] +@@ -100,6 +101,14 @@ + + Set policy variable inhibit-policy-mapping (see RFC3280 et al). + ++=item B<-no_alt_chains> ++ ++When building a certificate chain, if the first certificate chain found is not ++trusted, then OpenSSL will continue to check to see if an alternative chain can ++be found that is trusted. With this option that behaviour is suppressed so that ++only the first chain found is ever used. Using this option will force the ++behaviour to match that of previous OpenSSL versions. ++ + =item B<-policy_print> + + Print out diagnostics, related to policy checking +@@ -403,4 +412,8 @@ + + L + ++=head1 HISTORY ++ ++The -no_alt_chains options was first added to OpenSSL 1.0.1n and 1.0.2b. 
++ + =cut +Index: openssl-1.0.1/doc/crypto/X509_VERIFY_PARAM_set_flags.pod +=================================================================== +--- openssl-1.0.1.orig/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2016-02-08 09:15:11.077466223 -0500 ++++ openssl-1.0.1/doc/crypto/X509_VERIFY_PARAM_set_flags.pod 2016-02-08 09:15:11.073466191 -0500 +@@ -133,6 +133,12 @@ + to the verification callback and it B be prepared to handle such cases + without assuming they are hard errors. + ++The B flag suppresses checking for alternative ++chains. By default, when building a certificate chain, if the first certificate ++chain found is not trusted, then OpenSSL will continue to check to see if an ++alternative chain can be found that is trusted. With this flag set the behaviour ++will match that of OpenSSL versions prior to 1.0.1n and 1.0.2b. ++ + =head1 NOTES + + The above functions should be used to manipulate verification parameters +@@ -166,6 +172,6 @@ + + =head1 HISTORY + +-TBA ++The B flag was added in OpenSSL 1.0.1n and 1.0.2b + + =cut diff -Nru openssl-1.0.1/debian/patches/alt-cert-chains-5.patch openssl-1.0.1/debian/patches/alt-cert-chains-5.patch --- openssl-1.0.1/debian/patches/alt-cert-chains-5.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1/debian/patches/alt-cert-chains-5.patch 2016-02-08 14:15:18.000000000 +0000 
@@ -0,0 +1,41 @@
+Backport of:
+
+From 9a0db453ba017ebcaccbee933ee6511a9ae4d1c8 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Wed, 24 Jun 2015 15:55:36 +0100
+Subject: [PATCH] Fix alternate chains certificate forgery issue
+
+During certificate verfification, OpenSSL will attempt to find an
+alternative certificate chain if the first attempt to build such a chain
+fails. An error in the implementation of this logic can mean that an
+attacker could cause certain checks on untrusted certificates to be
+bypassed, such as the CA flag, enabling them to use a valid leaf
+certificate to act as a CA and "issue" an invalid certificate.
+
+This occurs where at least one cert is added to the first chain from the
+trust store, but that chain still ends up being untrusted. In that case
+ctx->last_untrusted is decremented in error.
+
+Patch provided by the BoringSSL project.
+
+CVE-2015-1793
+
+Reviewed-by: Stephen Henson
+---
+ crypto/x509/x509_vfy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssl-1.0.1f/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/x509/x509_vfy.c 2016-02-05 16:07:17.385431908 -0500
++++ openssl-1.0.1f/crypto/x509/x509_vfy.c 2016-02-05 16:07:53.445836601 -0500
+@@ -333,8 +333,8 @@
+ xtmp = sk_X509_pop(ctx->chain);
+ X509_free(xtmp);
+ num--;
+- ctx->last_untrusted--;
+ }
++ ctx->last_untrusted = sk_X509_num(ctx->chain);
+ retry = 1;
+ break;
+ }
diff -Nru openssl-1.0.1/debian/patches/alt-cert-chains-6.patch openssl-1.0.1/debian/patches/alt-cert-chains-6.patch
--- openssl-1.0.1/debian/patches/alt-cert-chains-6.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/alt-cert-chains-6.patch 2016-02-08 14:15:23.000000000 +0000
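Review bot: The replacement line `ctx->last_untrusted = sk_X509_num(ctx->chain);` has no comment, and the reason it is correct cannot be read from this hunk alone. After the pop loop the chain has been cut back to the first `j` entries, and patch 1 sets `j = num` under "Remember how many untrusted certs we have", so everything left in the chain is untrusted and a recount is right where a per-pop decrement was not. I would record that at the assignment, e.g. `/* chain now holds only untrusted certs: recount instead of decrementing per pop */`, because this counter decides which certificates get the untrusted-certificate checks the commit message mentions. The enclosing loops and the function itself lie outside the hunk.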
@@ -0,0 +1,763 @@ +Backport of: + +From d42d1004332f40c1098946b0804791fd3da3e378 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Thu, 2 Jul 2015 00:15:56 +0100 +Subject: [PATCH] Add test for CVE-2015-1793 + +This adds a test for CVE-2015-1793. This adds a new test file +verify_extra_test.c, which could form the basis for additional +verification tests. + +Reviewed-by: Stephen Henson + +Conflicts: + test/Makefile +--- + crypto/x509/Makefile | 2 +- + crypto/x509/verify_extra_test.c | 208 ++++++++++++++++++++++++++++++++++++++++ + test/Makefile | 31 +++++- + test/certs/bad.key | 27 ++++++ + test/certs/bad.pem | 21 ++++ + test/certs/interCA.key | 27 ++++++ + test/certs/interCA.pem | 21 ++++ + test/certs/leaf.key | 27 ++++++ + test/certs/leaf.pem | 21 ++++ + test/certs/rootCA.key | 27 ++++++ + test/certs/rootCA.pem | 21 ++++ + test/certs/roots.pem | 42 ++++++++ + test/certs/subinterCA-ss.pem | 21 ++++ + test/certs/subinterCA.key | 27 ++++++ + test/certs/subinterCA.pem | 21 ++++ + test/certs/untrusted.pem | 42 ++++++++ + 16 files changed, 581 insertions(+), 5 deletions(-) + create mode 100644 crypto/x509/verify_extra_test.c + create mode 100644 test/certs/bad.key + create mode 100644 test/certs/bad.pem + create mode 100644 test/certs/interCA.key + create mode 100644 test/certs/interCA.pem + create mode 100644 test/certs/leaf.key + create mode 100644 test/certs/leaf.pem + create mode 100644 test/certs/rootCA.key + create mode 100644 test/certs/rootCA.pem + create mode 100644 test/certs/roots.pem + create mode 100644 test/certs/subinterCA-ss.pem + create mode 100644 test/certs/subinterCA.key + create mode 100644 test/certs/subinterCA.pem + create mode 100644 test/certs/untrusted.pem + +Index: openssl-1.0.1f/test/verify_extra_test.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/verify_extra_test.c 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,208 @@ ++/* ++ * Written by 
Matt Caswell for the OpenSSL project. ++ */ ++/* ==================================================================== ++ * Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. All advertising materials mentioning features or use of this ++ * software must display the following acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" ++ * ++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. For written permission, please contact ++ * openssl-core@openssl.org. ++ * ++ * 5. Products derived from this software may not be called "OpenSSL" ++ * nor may "OpenSSL" appear in their names without prior written ++ * permission of the OpenSSL Project. ++ * ++ * 6. Redistributions of any form whatsoever must retain the following ++ * acknowledgment: ++ * "This product includes software developed by the OpenSSL Project ++ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY ++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR ++ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR ++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, ++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT ++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; ++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, ++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED ++ * OF THE POSSIBILITY OF SUCH DAMAGE. ++ * ==================================================================== ++ * ++ * This product includes cryptographic software written by Eric Young ++ * (eay@cryptsoft.com). This product includes software written by Tim ++ * Hudson (tjh@cryptsoft.com). ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static STACK_OF(X509) *load_certs_from_file(const char *filename) ++{ ++ STACK_OF(X509) *certs; ++ BIO *bio; ++ X509 *x; ++ ++ bio = BIO_new_file(filename, "r"); ++ ++ if (bio == NULL) { ++ return NULL; ++ } ++ ++ certs = sk_X509_new_null(); ++ if (certs == NULL) { ++ BIO_free(bio); ++ return NULL; ++ } ++ ++ ERR_set_mark(); ++ do { ++ x = PEM_read_bio_X509(bio, NULL, 0, NULL); ++ if (x != NULL && !sk_X509_push(certs, x)) { ++ sk_X509_pop_free(certs, X509_free); ++ BIO_free(bio); ++ return NULL; ++ } else if (x == NULL) { ++ /* ++ * We probably just ran out of certs, so ignore any errors ++ * generated ++ */ ++ ERR_pop_to_mark(); ++ } ++ } while (x != NULL); ++ ++ BIO_free(bio); ++ ++ return certs; ++} ++ ++/* ++ * Test for CVE-2015-1793 (Alternate Chains Certificate Forgery) ++ * ++ * Chain is as follows: ++ * ++ * rootCA (self-signed) ++ * | ++ * interCA ++ * | ++ * subinterCA subinterCA (self-signed) ++ * | | ++ * leaf ------------------ ++ * | ++ * bad ++ * ++ * rootCA, interCA, subinterCA, subinterCA (ss) all have CA=TRUE ++ * leaf and bad have CA=FALSE ++ * ++ * subinterCA and 
subinterCA (ss) have the same subject name and keys ++ * ++ * interCA (but not rootCA) and subinterCA (ss) are in the trusted store ++ * (roots.pem) ++ * leaf and subinterCA are in the untrusted list (untrusted.pem) ++ * bad is the certificate being verified (bad.pem) ++ * ++ * Versions vulnerable to CVE-2015-1793 will fail to detect that leaf has ++ * CA=FALSE, and will therefore incorrectly verify bad ++ * ++ */ ++static int test_alt_chains_cert_forgery(void) ++{ ++ int ret = 0; ++ int i; ++ X509 *x = NULL; ++ STACK_OF(X509) *untrusted = NULL; ++ BIO *bio = NULL; ++ X509_STORE_CTX *sctx = NULL; ++ X509_STORE *store = NULL; ++ X509_LOOKUP *lookup = NULL; ++ ++ store = X509_STORE_new(); ++ if (store == NULL) ++ goto err; ++ ++ lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); ++ if (lookup == NULL) ++ goto err; ++ if(!X509_LOOKUP_load_file(lookup, "certs/roots.pem", X509_FILETYPE_PEM)) ++ goto err; ++ ++ untrusted = load_certs_from_file("certs/untrusted.pem"); ++ ++ if ((bio = BIO_new_file("certs/bad.pem", "r")) == NULL) ++ goto err; ++ ++ if((x = PEM_read_bio_X509(bio, NULL, 0, NULL)) == NULL) ++ goto err; ++ ++ sctx = X509_STORE_CTX_new(); ++ if (sctx == NULL) ++ goto err; ++ ++ if (!X509_STORE_CTX_init(sctx, store, x, untrusted)) ++ goto err; ++ ++ i = X509_verify_cert(sctx); ++ ++ if(i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) { ++ /* This is the result we were expecting: Test passed */ ++ ret = 1; ++ } ++ err: ++ X509_STORE_CTX_free(sctx); ++ X509_free(x); ++ BIO_free(bio); ++ sk_X509_pop_free(untrusted, X509_free); ++ X509_STORE_free(store); ++ if (ret != 1) ++ ERR_print_errors_fp(stderr); ++ return ret; ++} ++ ++int main(void) ++{ ++ CRYPTO_malloc_debug_init(); ++ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); ++ CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); ++ ++ ERR_load_crypto_strings(); ++ OpenSSL_add_all_digests(); ++ ++ if (!test_alt_chains_cert_forgery()) { ++ fprintf(stderr, "Test alt chains cert forgery failed\n"); ++ 
return 1; ++ } ++ ++ EVP_cleanup(); ++ CRYPTO_cleanup_all_ex_data(); ++ ERR_remove_thread_state(NULL); ++ ERR_free_strings(); ++ CRYPTO_mem_leaks_fp(stderr); ++ ++ printf("PASS\n"); ++ return 0; ++} +Index: openssl-1.0.1f/test/Makefile +=================================================================== +--- openssl-1.0.1f.orig/test/Makefile 2016-02-05 16:08:32.834278985 -0500 ++++ openssl-1.0.1f/test/Makefile 2016-02-05 16:09:49.619142352 -0500 +@@ -63,6 +63,7 @@ + JPAKETEST= jpaketest + SRPTEST= srptest + ASN1TEST= asn1test ++VERIFYEXTRATEST= verify_extra_test + + TESTS= alltests + +@@ -74,7 +75,7 @@ + $(RANDTEST)$(EXE_EXT) $(DHTEST)$(EXE_EXT) $(ENGINETEST)$(EXE_EXT) \ + $(BFTEST)$(EXE_EXT) $(CASTTEST)$(EXE_EXT) $(SSLTEST)$(EXE_EXT) $(EXPTEST)$(EXE_EXT) $(DSATEST)$(EXE_EXT) $(RSATEST)$(EXE_EXT) \ + $(EVPTEST)$(EXE_EXT) $(IGETEST)$(EXE_EXT) $(JPAKETEST)$(EXE_EXT) $(SRPTEST)$(EXE_EXT) \ +- $(ASN1TEST)$(EXE_EXT) ++ $(ASN1TEST)$(EXE_EXT) $(VERIFYEXTRATEST)$(EXE_EXT) + + # $(METHTEST)$(EXE_EXT) + +@@ -86,7 +87,7 @@ + $(MDC2TEST).o $(RMDTEST).o \ + $(RANDTEST).o $(DHTEST).o $(ENGINETEST).o $(CASTTEST).o \ + $(BFTEST).o $(SSLTEST).o $(DSATEST).o $(EXPTEST).o $(RSATEST).o \ +- $(EVPTEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o ++ $(EVPTEST).o $(IGETEST).o $(JPAKETEST).o $(ASN1TEST).o $(VERIFYEXTRATEST).o + SRC= $(BNTEST).c $(ECTEST).c $(ECDSATEST).c $(ECDHTEST).c $(IDEATEST).c \ + $(MD2TEST).c $(MD4TEST).c $(MD5TEST).c \ + $(HMACTEST).c $(WPTEST).c \ +@@ -94,7 +95,8 @@ + $(DESTEST).c $(SHATEST).c $(SHA1TEST).c $(MDC2TEST).c $(RMDTEST).c \ + $(RANDTEST).c $(DHTEST).c $(ENGINETEST).c $(CASTTEST).c \ + $(BFTEST).c $(SSLTEST).c $(DSATEST).c $(EXPTEST).c $(RSATEST).c \ +- $(EVPTEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c ++ $(EVPTEST).c $(IGETEST).c $(JPAKETEST).c $(SRPTEST).c $(ASN1TEST).c \ ++ $(VERIFYEXTRATEST).c + + EXHEADER= + HEADER= $(EXHEADER) +@@ -137,7 +139,7 @@ + test_enc test_x509 test_rsa test_crl test_sid \ + test_gen test_req test_pkcs7 
test_verify test_dh test_dsa \ + test_ss test_ca test_engine test_evp test_ssl test_tsa test_ige \ +- test_jpake test_srp test_cms ++ test_jpake test_srp test_cms test_verify_extra + + test_evp: + ../util/shlib_wrap.sh ./$(EVPTEST) evptests.txt +@@ -318,6 +320,10 @@ + @echo "Test SRP" + ../util/shlib_wrap.sh ./srptest + ++test_verify_extra: $(VERIFYEXTRATEST)$(EXE_EXT) ++ @echo $(START) $@ ++ ../util/shlib_wrap.sh ./$(VERIFYEXTRATEST) ++ + lint: + lint -DLINT $(INCLUDES) $(SRC)>fluff + +@@ -469,6 +475,9 @@ + $(SRPTEST)$(EXE_EXT): $(SRPTEST).o $(DLIBCRYPTO) + @target=$(SRPTEST); $(BUILD_CMD) + ++$(VERIFYEXTRATEST)$(EXE_EXT): $(VERIFYEXTRATEST).o ++ @target=$(VERIFYEXTRATEST) $(BUILD_CMD) ++ + #$(AESTEST).o: $(AESTEST).c + # $(CC) -c $(CFLAGS) -DINTERMEDIATE_VALUE_KAT -DTRACE_KAT_MCT $(AESTEST).c + +@@ -722,6 +731,21 @@ + ssltest.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h + ssltest.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h + ssltest.o: ../include/openssl/x509v3.h ssltest.c ++verify_extra_test.o: ../include/openssl/asn1.h ../include/openssl/bio.h ++verify_extra_test.o: ../include/openssl/buffer.h ../include/openssl/crypto.h ++verify_extra_test.o: ../include/openssl/e_os2.h ../include/openssl/ec.h ++verify_extra_test.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h ++verify_extra_test.o: ../include/openssl/err.h ../include/openssl/evp.h ++verify_extra_test.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h ++verify_extra_test.o: ../include/openssl/objects.h ++verify_extra_test.o: ../include/openssl/opensslconf.h ++verify_extra_test.o: ../include/openssl/opensslv.h ++verify_extra_test.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h ++verify_extra_test.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h ++verify_extra_test.o: ../include/openssl/safestack.h ../include/openssl/sha.h ++verify_extra_test.o: ../include/openssl/stack.h ../include/openssl/symhacks.h ++verify_extra_test.o: ../include/openssl/x509.h 
../include/openssl/x509_vfy.h ++verify_extra_test.o: verify_extra_test.c + wp_test.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h + wp_test.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h + wp_test.o: ../include/openssl/ossl_typ.h ../include/openssl/safestack.h +Index: openssl-1.0.1f/test/certs/bad.key +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/bad.key 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,27 @@ ++-----BEGIN RSA PRIVATE KEY----- ++MIIEogIBAAKCAQEAwTqNko5vQiQ5BQohPJ3sySrjT6JedjsKtt1OZ8ndR2C1asUi ++HgpVO8QDHKID88Qklx6UCieeKAwIY0VzqWzTyZWTwdqTU9t8arHHJu7IcFlmWsAL ++fwTmARWJmpY+K8fGnQx1Kxfi6nQJ8Whq4bcAqJ2HXzG69Wjs3Ki70ScNbQ9RUwXJ ++n/FeNrsphKAv5K22zBqjWAQdYMg6vtKZAXCET8jw6OkPVnUb/QvyoBEijWt0+HBh ++7wLkSUvMj/7fc88+xtvGqZPyG2Py4DdWW1stpgiZ3TTohEk84t1u5L3qQaRQmVE6 ++y5RMImyVY8hegC4zc6aGZDFRv8MR+gk6prcuUwIDAQABAoIBAEkz4YZwJ34rMt7R ++452PRrE/ajY1EQxBeeGlHZr8QrRT0ubMIAy5ZWjq7TLfvhePaz1E/FiMgcIyLMtO +++G5rKCDqZbu/DqlqMUxKZWQ+efj2JWyj7LcGKAypGCRUXuE/IeNFYO4ecnzX0Rx/ ++rl4scjdu1mYd9PIb+f/ufJjT7qYtykmwlb0MbEJ25yjTC4iHzacvFLJgdXrPp8b9 ++ZGlVBKyuk9ZrZDC8/a4QrKt7Hp2SqqO4WqaTgM1G+cQFYuVBmj74bQhJHMmQ+Opr ++5KXwBKEHMtJkq1GPVZ34W90V82d+8MJAxymuPomwRXKl1dKgnvny+0eobXkiBDcF ++XCBCmIECgYEA8c/fE7Sa1vLZriw0Meq+TxU5hru4YM6OmQ+idc6diCp2U9lW+KJr ++YrIRTZFcmhEGmRjAEZrdK0oFY7h5RhsZ+gTftmNZuL8WJCK9+y2DE9dB++md3oVC ++PK0d4SmQKsivOTTeiK/VYFGoLc8t8Ud/anu2Q1kFdC+7cH/TrRseV4MCgYEAzJDw ++MTil055rYlrAAH8ePEuONomu2MoZRRCX/tWuVvz+eIzA35mryW3OR45l5qNluQoZ ++AdpVE68kBak2wIrF2oyWcF1s8VzSbAJCoqK42lKiSGVDVnr6jb69WUujCkYUZIwR ++Q20QYBUUQu0JiFBU22tRgILIAK+rRah37EP4RPECgYBN3hKH1fDGpw1R+QoVyPHf ++pYYQzQJiqiFhSJeYOCCiaIoSFjrbdfH+pjjMMbMQKctmIYI4KRZvijaSFiV3XeLP ++kCI6KWQLCf2nRUjISa+cBAVLib88mMzrnROyHiA+psFGOrAuc/DSQ3lUxxKUT+HH +++G6I4XHQKE7Du2X+qGzs4QKBgBZyJNjRxWhF7rR5Dq4/RHsLM0yKqPPCoSkx2+ur ++WJjU47sofpVKUE4mzUaOumGnNicqk3nfkgw54HL6kTZpQ7JqUKt9pNGLBM+zI8qi 
++njPec04MRmo7zjg1YKNmqDodXGl38QD7+5r/VRzO04fwgI8e5G98aiOhIuLezGHR ++R3GRAoGAAyhwtKoC87fSGrpyZQ16UAYuqNy0fVAQtrDgRgP5Nu4esr9QxS/hWjcR ++8s2P82wsR4gZna6l6vSz4awGVG4PGKnVjteAtZxok3nBHxPmRke5o7IpdObPjpQP ++RJNZYbJ9G/PbYDhciEoTjVyig6Ol5BRe9stSbO7+JIxEYr7VSpA= ++-----END RSA PRIVATE KEY----- +Index: openssl-1.0.1f/test/certs/bad.pem +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/bad.pem 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,21 @@ ++-----BEGIN CERTIFICATE----- ++MIIDdzCCAl+gAwIBAgIJAJgwOOciuxjSMA0GCSqGSIb3DQEBCwUAMFQxCzAJBgNV ++BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX ++aWRnaXRzIFB0eSBMdGQxDTALBgNVBAMTBGxlYWYwHhcNMTUwNzAyMTMyMDQ2WhcN ++MzUwNzAyMTMyMDQ2WjBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0 ++ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNi ++YWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBOo2Sjm9CJDkFCiE8 ++nezJKuNPol52Owq23U5nyd1HYLVqxSIeClU7xAMcogPzxCSXHpQKJ54oDAhjRXOp ++bNPJlZPB2pNT23xqsccm7shwWWZawAt/BOYBFYmalj4rx8adDHUrF+LqdAnxaGrh ++twConYdfMbr1aOzcqLvRJw1tD1FTBcmf8V42uymEoC/krbbMGqNYBB1gyDq+0pkB ++cIRPyPDo6Q9WdRv9C/KgESKNa3T4cGHvAuRJS8yP/t9zzz7G28apk/IbY/LgN1Zb ++Wy2mCJndNOiESTzi3W7kvepBpFCZUTrLlEwibJVjyF6ALjNzpoZkMVG/wxH6CTqm ++ty5TAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFJoH29IULbskIG8BwYp4 ++9yD+q7wbMB8GA1UdIwQYMBaAFBwdxP7xJUYhGU31hO4z2uXPtRl/MA0GCSqGSIb3 ++DQEBCwUAA4IBAQBl0tHkWMBHW6r3ywBlWWFdok04xlt2QD8eA4ywwz97t/8JgLht ++OpuHO1bQtrZR6bxAgYT1+yHQnYBTfjKxFq+S9EP6nxBe94mEgizLmMv9pf7x5q+H ++pfT8ejcY54E/oXlFXSbLDE1BDpfgkWll2/TIsTRJNoM2n8mytEdPqzRburwWnoFR ++VchcfO968asdc9/8glSLJSNO+Wh9vQlbtcPzfbd4ZVE5E/P6drQzSwNjWvHQdswJ ++ujkY1zkTP2rtVBGN4OyOfkE6enVKpt5lN6AqjEMhJ5i/yFM/jDndTrgd/JkAvyUJ ++O2ELtifCd8DeSYNA9Qm8/MEUYq1xXQrGJHCE ++-----END CERTIFICATE----- +Index: openssl-1.0.1f/test/certs/interCA.key +=================================================================== +--- /dev/null 1970-01-01 
00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/interCA.key 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,27 @@ ++-----BEGIN RSA PRIVATE KEY----- ++MIIEowIBAAKCAQEAu7NHo76UDp738A/nuEfvVkKL7a7Kjk8PJIYkRKouSZZgBW6Q ++xBWptfJ6UZLeoDnBjJ47hc7s+ohLkJnnsodAalgMKTIFjDLXhMyzgGqpBJf/ydvl ++oEWwP/KZsB32z1v3fn926euBaA9YUAHpwc15i8VaIREPQQPsRA0ZC/3AN2PpPztQ ++vTkYUkKyTbAfWhN8ymxR3fZjph+GjUrBfDp90qpUVTgkIp3uXOgAkndB1BI2MvWj ++m6mOO8kjVC281auculTozLNFvthv16q3FZMc3/W1aslQa6wCa529+f8v4itM1oCQ ++T/h14cK+ZjE7zbhIqwXlWLs/uoVHq1G7iYa9BQIDAQABAoIBABa8FldNBB3pP1rC ++cmytud2W3eACJeKqzMi9vrLachTTs/m0dLBrd0zke9BZm8GIfVsM52TDtYx66bww ++CBJls3WuCHsM5gMfPV+Gc8+AG8zEpGTMz7lj938nYVolpvliyE14Hu0ia2AxS58V ++PD0PKEO3ubz7lf9n/DwZ4gjDyX5r1Cq+thwPlIf4PbEcGHk5SYxNm2DGR0DNL676 ++X7CrRu3JBa2mY+moTV/pMrjvwAInmSxs4RBO7ggdYEief/4cBYyzMdiQ1v0UxvdO ++674dBJJFG32akPrnPqza7U41ivoDPlgCpKWHDaZadI0Joozd2pw0Mq0a8cyig0BJ ++Wa3d9xkCgYEA9T3j8F52u+QMaMzV1VENUAwo0Sqhk8xU0r/4l5PsvCjOuJ7NZkkW ++EQnNOI++zaPCeBRV55X0A5E8Pi3uEdKt6m+wsncJzGEVNRwixfd0Ul7Itntq7u9L ++/DHTlwpQ4t4PLNu8/uSBDN9A2slY2WsoXkJsdYPgjkrS2rYkt5bHFN8CgYEAw+8w ++Qw/zTCBmerzYLJSsjz9rcD2hTtDw72UF1rvEg4QP/9v0I/OU7Lu0ds0KmKJcJfay ++ZDMeBT8tW6LFztqdFi24tKISfodfYdET32lNd4QnMtWhoqXXXNiJY5gQC16YmSJm ++R7Dgw9hBrr0323/lhhwDDysq1lgD9QbUVEacJpsCgYAoau/TIK5u3vHQn9mqE3af ++N7HObzk785QTO8JLsPx2Mj+Hm9x8PBVf736cEMzAdXnKcoeJ6GPT5q7IDKfM1i0F ++kyzK7OV3gpSNMTrl55eLL8XilUqVYGjkgo29udyE11Ym7XwjgiNmrLCynjZ/drKr ++fkUDxR1QNjK0CwrYGwhqfwKBgQDAYGn3foK4nRthqWdrJjLjlzZLBwgJldbqhjsc ++YlIJezImWnU0k2YGpioDd0DPKqLlV3pCLXptVmGXlpM3jags7YlsObGE8C+zoBAu ++DHtWPLgsDltckg6Jh8YltlkSgLe9q2vXOhEF2aBsDDb62nGmonxSeWTe/Z4tB56U ++fJu2vwKBgFnGbZIcH8sDR7Vwh0sjSKnFkZ1v0T4qsBKpDz9yCvZVIgIFXPkKnALT +++OEpQTuLVN/MZxVlc8qo8UFflJprDsK1/Rm3iPaw+lwErswgddNUKNLnLPjlxcEe ++nTinsfyf4i48+IW55UFVU118nyufNeDdasoU6SSBH/MdeNq4hrTa ++-----END RSA PRIVATE KEY----- +Index: openssl-1.0.1f/test/certs/interCA.pem +=================================================================== +--- /dev/null 1970-01-01 
00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/interCA.pem 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,21 @@ ++-----BEGIN CERTIFICATE----- ++MIIDgDCCAmigAwIBAgIJANnoWlLlEsTgMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV ++BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX ++aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAeFw0xNTA3MDIxMzE3MDVa ++Fw0zNTA3MDIxMzE3MDVaMFcxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0 ++YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMT ++B2ludGVyQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7s0ejvpQO ++nvfwD+e4R+9WQovtrsqOTw8khiREqi5JlmAFbpDEFam18npRkt6gOcGMnjuFzuz6 ++iEuQmeeyh0BqWAwpMgWMMteEzLOAaqkEl//J2+WgRbA/8pmwHfbPW/d+f3bp64Fo ++D1hQAenBzXmLxVohEQ9BA+xEDRkL/cA3Y+k/O1C9ORhSQrJNsB9aE3zKbFHd9mOm ++H4aNSsF8On3SqlRVOCQine5c6ACSd0HUEjYy9aObqY47ySNULbzVq5y6VOjMs0W+ ++2G/XqrcVkxzf9bVqyVBrrAJrnb35/y/iK0zWgJBP+HXhwr5mMTvNuEirBeVYuz+6 ++hUerUbuJhr0FAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFBj61iO5 ++j11dE30+j6iRx9lhwBcuMB8GA1UdIwQYMBaAFIVWiTXinwAa4YYDC0uvdhJrM239 ++MA0GCSqGSIb3DQEBCwUAA4IBAQDAU0MvL/yZpmibhxUsoSsa97UJbejn5IbxpPzZ ++4WHw8lsoUGs12ZHzQJ9LxkZVeuccFXy9yFEHW56GTlkBmD2qrddlmQCfQ3m8jtZ9 ++Hh5feKAyrqfmfsWF5QPjAmdj/MFdq+yMJVosDftkmUmaBHjzbvbcq1sWh/6drH8U ++7pdYRpfeEY8dHSU6FHwVN/H8VaBB7vYYc2wXwtk8On7z2ocIVHn9RPkcLwmwJjb/ ++e4jmcYiyZev22KXQudeHc4w6crWiEFkVspomn5PqDmza3rkdB3baXFVZ6sd23ufU ++wjkiKKtwRBwU+5tCCagQZoeQ5dZXQThkiH2XEIOCOLxyD/tb ++-----END CERTIFICATE----- +Index: openssl-1.0.1f/test/certs/leaf.key +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/leaf.key 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,27 @@ ++-----BEGIN RSA PRIVATE KEY----- ++MIIEpAIBAAKCAQEAv0Qo9WC/BKA70LtQJdwVGSXqr9dut3cQmiFzTb/SaWldjOT1 ++sRNDFxSzdTJjU/8cIDEZvaTIwRxP/dtVQLjc+4jzrUwz93NuZYlsEWUEUg4Lrnfs ++0Nz50yHk4rJhVxWjb8Ii/wRBViWHFExP7CwTkXiTclC1bCqTuWkjxF3thTfTsttR ++yY7qNkz2JpNx0guD8v4otQoYjA5AEZvK4IXLwOwxol5xBTMvIrvvff2kkh+c7OC2 
++QVbUTow/oppjqIKCx2maNHCtLFTJELf3fwtRJLJsy4fKGP0/6kpZc8Sp88WK4B4F ++auF9IV1CmoAJUC1vJxhagHIKfVtFjUWs8GPobQIDAQABAoIBAB1fCiskQDElqgnT ++uesWcOb7u55lJstlrVb97Ab0fgtR8tvADTq0Colw1F4a7sXnVxpab+l/dJSzFFWX ++aPAXc1ftH/5sxU4qm7lb8Qx6xr8TCRgxslwgkvypJ8zoN6p32DFBTr56mM3x1Vx4 ++m41Y92hPa9USL8n8f9LpImT1R5Q9ShI/RUCowPyzhC6OGkFSBJu72nyA3WK0znXn ++q5TNsTRdJLOug7eoJJvhOPfy3neNQV0f2jQ+2wDKCYvn6i4j9FSLgYC/vorqofEd ++vFBHxl374117F6DXdBChyD4CD5vsplB0zcExRUCT5+iBqf5uc8CbLHeyNk6vSaf5 ++BljHWsECgYEA93QnlKsVycgCQqHt2q8EIZ5p7ksGYRVfBEzgetsNdpxvSwrLyLQE ++L5AKG3upndOofCeJnLuQF1j954FjCs5Y+8Sy2H1D1EPrHSBp4ig2F5aOxT3vYROd ++v+/mF4ZUzlIlv3jNDz5IoLaxm9vhXTtLLUtQyTueGDmqwlht0Kr3/gcCgYEAxd86 ++Q23jT4DmJqUl+g0lWdc2dgej0jwFfJ2BEw/Q55vHjqj96oAX5QQZFOUhZU8Otd/D ++lLzlsFn0pOaSW/RB4l5Kv8ab+ZpxfAV6Gq47nlfzmEGGx4wcoL0xkHufiXg0sqaG ++UtEMSKFhxPQZhWojUimK/+YIF69molxA6G9miOsCgYEA8mICSytxwh55qE74rtXz ++1AJZfKJcc0f9tDahQ3XBsEb29Kh0h/lciEIsxFLTB9dFF6easb0/HL98pQElxHXu ++z14SWOAKSqbka7lOPcppgZ1l52oNSiduw4z28mAQPbBVbUGkiqPVfCa3vhUYoLvt ++nUZCsXoGF3CVBJydpGFzXI0CgYEAtt3Jg72PoM8YZEimI0R462F4xHXlEYtE6tjJ ++C+vG/fU65P4Kw+ijrJQv9d6YEX+RscXdg51bjLJl5OvuAStopCLOZBPR3Ei+bobF ++RNkW4gyYZHLSc6JqZqbSopuNYkeENEKvyuPFvW3f5FxPJbxkbi9UdZCKlBEXAh/O ++IMGregcCgYBC8bS7zk6KNDy8q2uC/m/g6LRMxpb8G4jsrcLoyuJs3zDckBjQuLJQ ++IOMXcQBWN1h+DKekF2ecr3fJAJyEv4pU4Ct2r/ZTYFMdJTyAbjw0mqOjUR4nsdOh ++t/vCbt0QW3HXYTcVdCnFqBtelKnI12KoC0jAO9EAJGZ6kE/NwG6dQg== ++-----END RSA PRIVATE KEY----- +Index: openssl-1.0.1f/test/certs/leaf.pem +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/leaf.pem 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,21 @@ ++-----BEGIN CERTIFICATE----- ++MIIDfjCCAmagAwIBAgIJAKRNsDKacUqNMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV ++BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX ++aWRnaXRzIFB0eSBMdGQxEzARBgNVBAMTCnN1YmludGVyQ0EwHhcNMTUwNzAyMTMx ++OTQ5WhcNMzUwNzAyMTMxOTQ5WjBUMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29t 
++ZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ0wCwYD ++VQQDEwRsZWFmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv0Qo9WC/ ++BKA70LtQJdwVGSXqr9dut3cQmiFzTb/SaWldjOT1sRNDFxSzdTJjU/8cIDEZvaTI ++wRxP/dtVQLjc+4jzrUwz93NuZYlsEWUEUg4Lrnfs0Nz50yHk4rJhVxWjb8Ii/wRB ++ViWHFExP7CwTkXiTclC1bCqTuWkjxF3thTfTsttRyY7qNkz2JpNx0guD8v4otQoY ++jA5AEZvK4IXLwOwxol5xBTMvIrvvff2kkh+c7OC2QVbUTow/oppjqIKCx2maNHCt ++LFTJELf3fwtRJLJsy4fKGP0/6kpZc8Sp88WK4B4FauF9IV1CmoAJUC1vJxhagHIK ++fVtFjUWs8GPobQIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQcHcT+8SVG ++IRlN9YTuM9rlz7UZfzAfBgNVHSMEGDAWgBTpZ30QdMGarrhMPwk+HHAV3R8aTzAN ++BgkqhkiG9w0BAQsFAAOCAQEAGjmSkF8is+v0/RLcnSRiCXENz+yNi4pFCAt6dOtT ++6Gtpqa1tY5It9lVppfWb26JrygMIzOr/fB0r1Q7FtZ/7Ft3P6IXVdk3GDO0QsORD ++2dRAejhYpc5c7joHxAw9oRfKrEqE+ihVPUTcfcIuBaalvuhkpQRmKP71ws5DVzOw ++QhnMd0TtIrbKHaNQ4kNsmSY5fQolwB0LtNfTus7OEFdcZWhOXrWImKXN9jewPKdV ++mSG34NfXOnA6qx0eQg06z+TkdrptH6j1Va2vS1/bL+h1GxjpTHlvTGaZYxaloIjw ++y/EzY5jygRoABnR3eBm15CYZwwKL9izIq1H3OhymEi/Ycg== ++-----END CERTIFICATE----- +Index: openssl-1.0.1f/test/certs/rootCA.key +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/rootCA.key 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,27 @@ ++-----BEGIN RSA PRIVATE KEY----- ++MIIEpAIBAAKCAQEAwPFrd4isNd/7c1MvkoAvdBYyTfUQIG9sOo7R3GvhLj7DBA+/ ++m8TJEtHkC0WX5QbNZjrh4OIr36LE7HvTPTyK/150oKunA2oWW16SxH5beYpp1LyD ++Xq5CknSlK+cAwanc1bFTBw9z946tFD4lnuUe5syRzZUMgEQgw/0Xz5E9YxAcFFv7 ++w6jBiLJ3/5zb/GpERET3hewILNTfgaN5yf4em5MWU7eXq75PGqXi+kYF5A2cKqTM ++uR4hoGzEq1mwQDm7+Yit/d+NtAuvfkHgITzIM0VJhC+TBu79T+1P87yb3vwlXlXV ++ddTFezpANQafxIS0bJMMrzdar7ZBTSYjHLgCswIDAQABAoIBAC1EdwJEfqLlOgmE ++qtSkXn3N919y76Wsfqf+eh5M8Tf4YajCSSIyuTpBJE/AtDJ3thkWF4i7h6+gcLNL ++GfR0D+h6MMLBgx259iTZu3V+b9fEMbBHykqcd+IEm/wA5pyJTdaVE/XEGmEqiFEH ++g6wT9XwQ4uRo49X0JfvVlZCNcumapYfPY+BwPQloydm/cLtgUtc1RKUCG7i27aHM ++VaUm+NdYZIwwCQs0Aof/h7PkEWvHq0idaxY9qkLbbZHb1Np/IkmvqCo/PSS1whDj 
++/KIQGJDBGuXX/V+cZ+DYkCXAq1fCto9MjarEVmlLW5Hr5QojdbpvwsxSmrGfCqdH ++bfc/9gECgYEA6y6EcYBuvCibmO4G2OA1sNSe5lJF911xUHuUl3CRORdeVFDi9Ch+ ++LKzE+XEOlvA+qFSIA/KztevX3dvmvvBMwu0PUWDtBKJZ1mXt4Mgo63MHpYnKIzWz ++YuDaMKpvbl3iTFJlKPUkPlv+/uDccd0QYYvk4gbBrWVQDghV3ya9LqMCgYEA0gW6 ++Cu5yRWodehCh0z8VtFfOGDkhZEav6B5mZvyDCk5f+zVeRlsTJwY4BsgnoMUJ+SjQ ++iQwQX3FbWrwcyYPOIA+ja6Hisgb9p/f+hxsQOOhN9nFsk2MNIHkwrMRcE8pj7pc1 ++uBoYqpdX8blEs8wkJI+bTI3/SIZw6vjbogSqbLECgYEAhXuQho9byoXN0p3+2ude ++8e+sBJPbzEuH/iM2MkIc2ueNjZOfTO8Sti6VWfK2UisnlQjtbjg5kd67Vdvy+pqP ++Ju/ACvNVc5TmIo8V1cglmYVfaLBtP1DCcTOoA4ko196Hi8QUUIvat14lu+pKlIHh ++Q0xQa41kLhNbvaszegWVyLsCgYEAxhuGySbw/U9CbNDhhL1eANZOXoUNXWRcK6z5 ++VS3dgcw6N2C5A86G+2mfUa5dywXyCWgZhRyvGQh5btZApUlCFvYJZc63Ysy7WkTQ ++f6rkm3ltiQimrURirn4CjwVOAZEIwJc7oeRj3g6Scz4acysd8KrRh93trwC55LtH ++mcWi6JECgYAlqCQvaAnvaWpR0RX7m/UMpqWOVgIperGR7hrN3d04RaWG4yv1+66T ++xANNBA8aDxhFwXjAKev4iOE/rp8SEjYXh3lbKmx+p9dk8REUdIFqoClX9tqctW9g ++AkDF34S0mSE4T34zhs2+InfohJa6ojsuiNJSQMBPBxfr6wV2C+UWMQ== ++-----END RSA PRIVATE KEY----- +Index: openssl-1.0.1f/test/certs/rootCA.pem +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/rootCA.pem 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,21 @@ ++-----BEGIN CERTIFICATE----- ++MIIDfzCCAmegAwIBAgIJAIhDKcvC6xWaMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV ++BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX ++aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAeFw0xNTA3MDIxMzE1MTFa ++Fw0zNTA3MDIxMzE1MTFaMFYxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0 ++YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMM ++BnJvb3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMDxa3eIrDXf +++3NTL5KAL3QWMk31ECBvbDqO0dxr4S4+wwQPv5vEyRLR5AtFl+UGzWY64eDiK9+i ++xOx70z08iv9edKCrpwNqFlteksR+W3mKadS8g16uQpJ0pSvnAMGp3NWxUwcPc/eO ++rRQ+JZ7lHubMkc2VDIBEIMP9F8+RPWMQHBRb+8OowYiyd/+c2/xqRERE94XsCCzU ++34Gjecn+HpuTFlO3l6u+Txql4vpGBeQNnCqkzLkeIaBsxKtZsEA5u/mIrf3fjbQL 
++r35B4CE8yDNFSYQvkwbu/U/tT/O8m978JV5V1XXUxXs6QDUGn8SEtGyTDK83Wq+2 ++QU0mIxy4ArMCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUhVaJNeKf ++ABrhhgMLS692Emszbf0wHwYDVR0jBBgwFoAUhVaJNeKfABrhhgMLS692Emszbf0w ++DQYJKoZIhvcNAQELBQADggEBADIKvyoK4rtPQ86I2lo5EDeAuzctXi2I3SZpnOe0 ++mCCxJeZhWW0S7JuHvlfhEgXFBPEXzhS4HJLUlZUsWyiJ+3KcINMygaiF7MgIe6hZ ++WzpsMatS4mbNFElc89M+YryRFrQc9d1Uqjxhl3ms5MhDNcMP/PNwHa/wnIoqkpNI ++qtDoR741wcZ7bdr6XVdF8+pBjzbBPPRSf24x3bqavHBWcTjcSVcM/ZEXxeqH5SN0 ++GbK2mQxrogX4UWjtl+DfYvl+ejpEcYNXKEmIabUUHtpG42544cuPtZizLW5bt/aT ++JBQfpPZpvf9MUlACxUONFOLQdZ8SXpSJ0e93iX2J2Z52mSQ= ++-----END CERTIFICATE----- +Index: openssl-1.0.1f/test/certs/roots.pem +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/roots.pem 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,42 @@ ++-----BEGIN CERTIFICATE----- ++MIIDgDCCAmigAwIBAgIJANnoWlLlEsTgMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV ++BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX ++aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAeFw0xNTA3MDIxMzE3MDVa ++Fw0zNTA3MDIxMzE3MDVaMFcxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0 ++YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMT ++B2ludGVyQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7s0ejvpQO ++nvfwD+e4R+9WQovtrsqOTw8khiREqi5JlmAFbpDEFam18npRkt6gOcGMnjuFzuz6 ++iEuQmeeyh0BqWAwpMgWMMteEzLOAaqkEl//J2+WgRbA/8pmwHfbPW/d+f3bp64Fo ++D1hQAenBzXmLxVohEQ9BA+xEDRkL/cA3Y+k/O1C9ORhSQrJNsB9aE3zKbFHd9mOm ++H4aNSsF8On3SqlRVOCQine5c6ACSd0HUEjYy9aObqY47ySNULbzVq5y6VOjMs0W+ ++2G/XqrcVkxzf9bVqyVBrrAJrnb35/y/iK0zWgJBP+HXhwr5mMTvNuEirBeVYuz+6 ++hUerUbuJhr0FAgMBAAGjUDBOMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFBj61iO5 ++j11dE30+j6iRx9lhwBcuMB8GA1UdIwQYMBaAFIVWiTXinwAa4YYDC0uvdhJrM239 ++MA0GCSqGSIb3DQEBCwUAA4IBAQDAU0MvL/yZpmibhxUsoSsa97UJbejn5IbxpPzZ ++4WHw8lsoUGs12ZHzQJ9LxkZVeuccFXy9yFEHW56GTlkBmD2qrddlmQCfQ3m8jtZ9 ++Hh5feKAyrqfmfsWF5QPjAmdj/MFdq+yMJVosDftkmUmaBHjzbvbcq1sWh/6drH8U 
++7pdYRpfeEY8dHSU6FHwVN/H8VaBB7vYYc2wXwtk8On7z2ocIVHn9RPkcLwmwJjb/ ++e4jmcYiyZev22KXQudeHc4w6crWiEFkVspomn5PqDmza3rkdB3baXFVZ6sd23ufU ++wjkiKKtwRBwU+5tCCagQZoeQ5dZXQThkiH2XEIOCOLxyD/tb ++-----END CERTIFICATE----- ++-----BEGIN CERTIFICATE----- ++MIIDhzCCAm+gAwIBAgIJAJTed6XmFiu/MA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV ++BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX ++aWRnaXRzIFB0eSBMdGQxEzARBgNVBAMMCnN1YmludGVyQ0EwHhcNMTUwNzAyMTMy ++MTU4WhcNMzUwNzAyMTMyMTU4WjBaMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t ++ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD ++VQQDDApzdWJpbnRlckNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA ++/zQjvhbU7RWDsRaEkVUBZWR/PqZ49GoE9p3OyRN4pkt1c1yb2ARVkYZP5e9gHb04 ++wPVz2+FYy+2mNkl+uAZbcK5w5fWO3WJIEn57he4MkWu3ew1nJeSv3na8gyOoCheG ++64kWVbA2YL92mR7QoSCo4SP7RmykLrwj6TlDxqgH6DxKSD/CpdCHE3DKAzAiri3G ++Vc90OJAszYHlje4/maVIOayGROVET3xa5cbtRJl8IBgmqhMywtz4hhY/XZTvdEn2 ++90aL857Hk7JjogA7mLKi07yKzknMxHV+k6JX7xJEttkcNQRFHONWZG1T4mRY1Drh ++6VbJGb+0GNIldNLQqigkfwIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQW ++BBTpZ30QdMGarrhMPwk+HHAV3R8aTzAfBgNVHSMEGDAWgBTpZ30QdMGarrhMPwk+ ++HHAV3R8aTzANBgkqhkiG9w0BAQsFAAOCAQEAF8UAMtV1DClUWRw1h+THdAhjeo8S ++9BOp6QphtlYuc9o+tQri5m+WqbyUZKIBEtumNhFb7QI1e4hO64y1kKbSs2AjWcJ2 ++QxAyGiMM3wl2UfxPohDtgNhm0GFgQ1tUTeSnW3kAom9NqI7U/2lPpLh4rrFYTepR ++wy0FV3NpRuHPtJE0VfqYnwWiTRdCJ7w1XzknKOUSHP/hRbyJVlwQp3VEQ9SIOYU6 ++C+QEVGIgQiST6MRlCvoNP43guaRtrMuBZJaHKy/hLPvkdRpXHoUeKQFDuH77sZsF ++sBv3EHNKoBvpSpSJndZN6UcH7Z1yn41Y6AnO4u492jiRAjQpP9+Nf/x1eg== ++-----END CERTIFICATE----- +Index: openssl-1.0.1f/test/certs/subinterCA-ss.pem +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/subinterCA-ss.pem 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,21 @@ ++-----BEGIN CERTIFICATE----- ++MIIDhzCCAm+gAwIBAgIJAJTed6XmFiu/MA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV ++BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX 
++aWRnaXRzIFB0eSBMdGQxEzARBgNVBAMMCnN1YmludGVyQ0EwHhcNMTUwNzAyMTMy ++MTU4WhcNMzUwNzAyMTMyMTU4WjBaMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t ++ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD ++VQQDDApzdWJpbnRlckNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA ++/zQjvhbU7RWDsRaEkVUBZWR/PqZ49GoE9p3OyRN4pkt1c1yb2ARVkYZP5e9gHb04 ++wPVz2+FYy+2mNkl+uAZbcK5w5fWO3WJIEn57he4MkWu3ew1nJeSv3na8gyOoCheG ++64kWVbA2YL92mR7QoSCo4SP7RmykLrwj6TlDxqgH6DxKSD/CpdCHE3DKAzAiri3G ++Vc90OJAszYHlje4/maVIOayGROVET3xa5cbtRJl8IBgmqhMywtz4hhY/XZTvdEn2 ++90aL857Hk7JjogA7mLKi07yKzknMxHV+k6JX7xJEttkcNQRFHONWZG1T4mRY1Drh ++6VbJGb+0GNIldNLQqigkfwIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQW ++BBTpZ30QdMGarrhMPwk+HHAV3R8aTzAfBgNVHSMEGDAWgBTpZ30QdMGarrhMPwk+ ++HHAV3R8aTzANBgkqhkiG9w0BAQsFAAOCAQEAF8UAMtV1DClUWRw1h+THdAhjeo8S ++9BOp6QphtlYuc9o+tQri5m+WqbyUZKIBEtumNhFb7QI1e4hO64y1kKbSs2AjWcJ2 ++QxAyGiMM3wl2UfxPohDtgNhm0GFgQ1tUTeSnW3kAom9NqI7U/2lPpLh4rrFYTepR ++wy0FV3NpRuHPtJE0VfqYnwWiTRdCJ7w1XzknKOUSHP/hRbyJVlwQp3VEQ9SIOYU6 ++C+QEVGIgQiST6MRlCvoNP43guaRtrMuBZJaHKy/hLPvkdRpXHoUeKQFDuH77sZsF ++sBv3EHNKoBvpSpSJndZN6UcH7Z1yn41Y6AnO4u492jiRAjQpP9+Nf/x1eg== ++-----END CERTIFICATE----- +Index: openssl-1.0.1f/test/certs/subinterCA.key +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/subinterCA.key 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,27 @@ ++-----BEGIN RSA PRIVATE KEY----- ++MIIEpQIBAAKCAQEA/zQjvhbU7RWDsRaEkVUBZWR/PqZ49GoE9p3OyRN4pkt1c1yb ++2ARVkYZP5e9gHb04wPVz2+FYy+2mNkl+uAZbcK5w5fWO3WJIEn57he4MkWu3ew1n ++JeSv3na8gyOoCheG64kWVbA2YL92mR7QoSCo4SP7RmykLrwj6TlDxqgH6DxKSD/C ++pdCHE3DKAzAiri3GVc90OJAszYHlje4/maVIOayGROVET3xa5cbtRJl8IBgmqhMy ++wtz4hhY/XZTvdEn290aL857Hk7JjogA7mLKi07yKzknMxHV+k6JX7xJEttkcNQRF ++HONWZG1T4mRY1Drh6VbJGb+0GNIldNLQqigkfwIDAQABAoIBAQDg14MWGu+F4gqg ++nwI1OPt95UjmXaz7Sd0NmoNxTKJjgN/9v33emBL7n6YNIxU/nlK+ToLBGo0tPjfO 
++ZHoskA1H/aiiMfKowcpV4PHbUZvpE0oYM/rIu+7mxR3ZPDT0jz3jjmgLHrEKFCXd ++SfTtwOSJVzYvGdCdDE1nUXiRMcGlrJYxPf+0k3sGK7G90rYJkgffz92yuJote/s5 ++P5nsK1h30yjKaWEzvf3ABladplykFN3GkICRGaCq0Nj5YWiG7qX9H9smYrioG0VH ++VqgIbV2sHnmUYZaOTmC0RnwDWSZR25xOHVbugZ7rGnf4NdoM2S/oTI/SAXcDsaDX ++lDpiEEuBAoGBAP/TISpeDRtUWzfVQxH+wbMdSbABjawf5sT7op7IsWsurY7u+KVh ++ubhaSdeR7YbTyVUqbAc4mg9TIZxDe6+/I2S8LibQAa8wnv5aR1iPj/tZJOKrtu+Z ++uHUyXMDR+8pIjQS0N+ukFp0tw9nicPNUt23JpqDFMvpASF+kUlnHOWAvAoGBAP9g ++5rDid235QnnAhNJGkxE1ZwICPSo66AD/kF8XsMnAVasR0EPJCQ1+Zmh7wsXGq6Im ++S65F4m0tsw4jeD67D1o5yuAnk/LLcdOdHW1w7iHuIhYKuWf1fqsOIqJLy7gdzwj4 ++hImECoE40cqlLTge7xByxeHJwKF9ssXcwHFBIJyxAoGBAI5SeyUC5e/KYmURdBrS ++zBhFtvUAKD0WEmCMTdBgfrPOaCgYsqPvVk9Fi8cuHCLiOCP1UdxClRLpgM1ajbkc ++cShduJ9HIWjBd/KxbvfKBqQi1+5y8Xci4gfxWMC9EYNcEXgIewPRafNPvqG85HG7 ++M8EUamsOymmG0bzDwjzIJRdpAoGAOUoVtmy3ehZG0WVc5ocqitu+BfdWnViln0O1 ++sX9xC3F4Rm4ymGJLA5ntg1bwNMoCytdodun6h5+O4YcXfIseQJFib7KxP/Bf0qcW ++aOzCnx36y5MQUMAD8H+1SU9TnjQhs9N8eBUE/kQu3BT99e8KllgJCEPoUNIP/s8s ++5LtFg6ECgYEAgLwJoJ3hBwr0LmUi3kpFYdbZ+tAKIvKQH3xYMnQulOqtlXJFy0bu ++ZcIAwsigRUqdCC2JuyAUw52HCtVVlpQjNs4BnUzaKooLOCm3w3i6X27mnHE0200S ++zqC0rcB0xNz/IltGc7IP+T8UK5xX38uhJ/vUW75OvAjqheJSBwR9h5c= ++-----END RSA PRIVATE KEY----- +Index: openssl-1.0.1f/test/certs/subinterCA.pem +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/subinterCA.pem 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,21 @@ ++-----BEGIN CERTIFICATE----- ++MIIDhDCCAmygAwIBAgIJAJkv2OGshkmUMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV ++BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX ++aWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMTB2ludGVyQ0EwHhcNMTUwNzAyMTMxODIz ++WhcNMzUwNzAyMTMxODIzWjBaMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1T ++dGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQD ++EwpzdWJpbnRlckNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/zQj ++vhbU7RWDsRaEkVUBZWR/PqZ49GoE9p3OyRN4pkt1c1yb2ARVkYZP5e9gHb04wPVz 
++2+FYy+2mNkl+uAZbcK5w5fWO3WJIEn57he4MkWu3ew1nJeSv3na8gyOoCheG64kW ++VbA2YL92mR7QoSCo4SP7RmykLrwj6TlDxqgH6DxKSD/CpdCHE3DKAzAiri3GVc90 ++OJAszYHlje4/maVIOayGROVET3xa5cbtRJl8IBgmqhMywtz4hhY/XZTvdEn290aL ++857Hk7JjogA7mLKi07yKzknMxHV+k6JX7xJEttkcNQRFHONWZG1T4mRY1Drh6VbJ ++Gb+0GNIldNLQqigkfwIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTp ++Z30QdMGarrhMPwk+HHAV3R8aTzAfBgNVHSMEGDAWgBQY+tYjuY9dXRN9Po+okcfZ ++YcAXLjANBgkqhkiG9w0BAQsFAAOCAQEAgVUsOf9rdHlQDw4clP8GMY7QahfXbvd8 ++8o++P18KeInQXH6+sCg0axZXzhOmKwn+Ina3EsOP7xk4aKIYwJ4A1xBuT7fKxquQ ++pbJyjkEBsNRVLC9t4gOA0FC791v5bOCZjyff5uN+hy8r0828nVxha6CKLqwrPd+E ++mC7DtilSZIgO2vwbTBL6ifmw9n1dd/Bl8Wdjnl7YJqTIf0Ozc2SZSMRUq9ryn4Wq ++YrjRl8NwioGb1LfjEJ0wJi2ngL3IgaN94qmDn10OJs8hlsufwP1n+Bca3fsl0m5U ++gUMG+CXxbF0kdCKZ9kQb1MJE4vOk6zfyBGQndmQnxHjt5botI/xpXg== ++-----END CERTIFICATE----- +Index: openssl-1.0.1f/test/certs/untrusted.pem +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1f/test/certs/untrusted.pem 2016-02-05 16:08:32.834278985 -0500 +@@ -0,0 +1,42 @@ ++-----BEGIN CERTIFICATE----- ++MIIDhDCCAmygAwIBAgIJAJkv2OGshkmUMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV ++BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX ++aWRnaXRzIFB0eSBMdGQxEDAOBgNVBAMTB2ludGVyQ0EwHhcNMTUwNzAyMTMxODIz ++WhcNMzUwNzAyMTMxODIzWjBaMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1T ++dGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYDVQQD ++EwpzdWJpbnRlckNBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/zQj ++vhbU7RWDsRaEkVUBZWR/PqZ49GoE9p3OyRN4pkt1c1yb2ARVkYZP5e9gHb04wPVz ++2+FYy+2mNkl+uAZbcK5w5fWO3WJIEn57he4MkWu3ew1nJeSv3na8gyOoCheG64kW ++VbA2YL92mR7QoSCo4SP7RmykLrwj6TlDxqgH6DxKSD/CpdCHE3DKAzAiri3GVc90 ++OJAszYHlje4/maVIOayGROVET3xa5cbtRJl8IBgmqhMywtz4hhY/XZTvdEn290aL ++857Hk7JjogA7mLKi07yKzknMxHV+k6JX7xJEttkcNQRFHONWZG1T4mRY1Drh6VbJ ++Gb+0GNIldNLQqigkfwIDAQABo1AwTjAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBTp ++Z30QdMGarrhMPwk+HHAV3R8aTzAfBgNVHSMEGDAWgBQY+tYjuY9dXRN9Po+okcfZ 
++YcAXLjANBgkqhkiG9w0BAQsFAAOCAQEAgVUsOf9rdHlQDw4clP8GMY7QahfXbvd8 ++8o++P18KeInQXH6+sCg0axZXzhOmKwn+Ina3EsOP7xk4aKIYwJ4A1xBuT7fKxquQ ++pbJyjkEBsNRVLC9t4gOA0FC791v5bOCZjyff5uN+hy8r0828nVxha6CKLqwrPd+E ++mC7DtilSZIgO2vwbTBL6ifmw9n1dd/Bl8Wdjnl7YJqTIf0Ozc2SZSMRUq9ryn4Wq ++YrjRl8NwioGb1LfjEJ0wJi2ngL3IgaN94qmDn10OJs8hlsufwP1n+Bca3fsl0m5U ++gUMG+CXxbF0kdCKZ9kQb1MJE4vOk6zfyBGQndmQnxHjt5botI/xpXg== ++-----END CERTIFICATE----- ++-----BEGIN CERTIFICATE----- ++MIIDfjCCAmagAwIBAgIJAKRNsDKacUqNMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV ++BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX ++aWRnaXRzIFB0eSBMdGQxEzARBgNVBAMTCnN1YmludGVyQ0EwHhcNMTUwNzAyMTMx ++OTQ5WhcNMzUwNzAyMTMxOTQ5WjBUMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29t ++ZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ0wCwYD ++VQQDEwRsZWFmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv0Qo9WC/ ++BKA70LtQJdwVGSXqr9dut3cQmiFzTb/SaWldjOT1sRNDFxSzdTJjU/8cIDEZvaTI ++wRxP/dtVQLjc+4jzrUwz93NuZYlsEWUEUg4Lrnfs0Nz50yHk4rJhVxWjb8Ii/wRB ++ViWHFExP7CwTkXiTclC1bCqTuWkjxF3thTfTsttRyY7qNkz2JpNx0guD8v4otQoY ++jA5AEZvK4IXLwOwxol5xBTMvIrvvff2kkh+c7OC2QVbUTow/oppjqIKCx2maNHCt ++LFTJELf3fwtRJLJsy4fKGP0/6kpZc8Sp88WK4B4FauF9IV1CmoAJUC1vJxhagHIK ++fVtFjUWs8GPobQIDAQABo00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBQcHcT+8SVG ++IRlN9YTuM9rlz7UZfzAfBgNVHSMEGDAWgBTpZ30QdMGarrhMPwk+HHAV3R8aTzAN ++BgkqhkiG9w0BAQsFAAOCAQEAGjmSkF8is+v0/RLcnSRiCXENz+yNi4pFCAt6dOtT ++6Gtpqa1tY5It9lVppfWb26JrygMIzOr/fB0r1Q7FtZ/7Ft3P6IXVdk3GDO0QsORD ++2dRAejhYpc5c7joHxAw9oRfKrEqE+ihVPUTcfcIuBaalvuhkpQRmKP71ws5DVzOw ++QhnMd0TtIrbKHaNQ4kNsmSY5fQolwB0LtNfTus7OEFdcZWhOXrWImKXN9jewPKdV ++mSG34NfXOnA6qx0eQg06z+TkdrptH6j1Va2vS1/bL+h1GxjpTHlvTGaZYxaloIjw ++y/EzY5jygRoABnR3eBm15CYZwwKL9izIq1H3OhymEi/Ycg== ++-----END CERTIFICATE----- diff -Nru openssl-1.0.1/debian/patches/alt-cert-chains-7.patch openssl-1.0.1/debian/patches/alt-cert-chains-7.patch --- openssl-1.0.1/debian/patches/alt-cert-chains-7.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
openssl-1.0.1/debian/patches/alt-cert-chains-7.patch 2016-02-08 14:15:27.000000000 +0000 
@@ -0,0 +1,125 @@
+Backport of:
+
+From b3b1eb5735c5b3d566a9fc3bf745bf716a29afa0 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Thu, 25 Jun 2015 09:47:15 +0100
+Subject: [PATCH] Reject calls to X509_verify_cert that have not been
+ reinitialised
+
+The function X509_verify_cert checks the value of |ctx->chain| at the
+beginning, and if it is NULL then it initialises it, along with the value
+of ctx->untrusted. The normal way to use X509_verify_cert() is to first
+call X509_STORE_CTX_init(); then set up various parameters etc; then call
+X509_verify_cert(); then check the results; and finally call
+X509_STORE_CTX_cleanup(). The initial call to X509_STORE_CTX_init() sets
+|ctx->chain| to NULL. The only place in the OpenSSL codebase where
+|ctx->chain| is set to anything other than a non NULL value is in
+X509_verify_cert itself. Therefore the only ways that |ctx->chain| could be
+non NULL on entry to X509_verify_cert is if one of the following occurs:
+1) An application calls X509_verify_cert() twice without re-initialising
+in between.
+2) An application reaches inside the X509_STORE_CTX structure and changes
+the value of |ctx->chain| directly.
+
+With regards to the second of these, we should discount this - it should
+not be supported to allow this.
+
+With regards to the first of these, the documentation is not exactly
+crystal clear, but the implication is that you must call
+X509_STORE_CTX_init() before each call to X509_verify_cert(). If you fail
+to do this then, at best, the results would be undefined.
+
+Calling X509_verify_cert() with |ctx->chain| set to a non NULL value is
+likely to have unexpected results, and could be dangerous. This commit
+changes the behaviour of X509_verify_cert() so that it causes an error if
+|ctx->chain| is anything other than NULL (because this indicates that we
+have not been initialised properly). It also clarifies the associated
+documentation. This is a follow up commit to CVE-2015-1793.
+
+Reviewed-by: Stephen Henson
+---
+ crypto/x509/x509_vfy.c | 22 ++++++++++++++--------
+ doc/crypto/X509_STORE_CTX_new.pod | 13 +++++++++----
+ doc/crypto/X509_verify_cert.pod | 3 ++-
+ 3 files changed, 25 insertions(+), 13 deletions(-)
+
+Index: openssl-1.0.1f/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/x509/x509_vfy.c 2016-02-05 16:10:38.163688817 -0500
++++ openssl-1.0.1f/crypto/x509/x509_vfy.c 2016-02-05 16:12:38.097040833 -0500
+@@ -166,21 +166,26 @@
+ return -1;
+ }
+
++ if (ctx->chain != NULL) {
++ /*
++ * This X509_STORE_CTX has already been used to verify a cert. We
++ * cannot do another one.
++ */
++ X509err(X509_F_X509_VERIFY_CERT, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
++ return -1;
++ }
++
+ cb=ctx->verify_cb;
+
+ /* first we make sure the chain we are going to build is
+ * present and that the first entry is in place */
+- if (ctx->chain == NULL)
+- {
+- if ( ((ctx->chain=sk_X509_new_null()) == NULL) ||
+- (!sk_X509_push(ctx->chain,ctx->cert)))
+- {
+- X509err(X509_F_X509_VERIFY_CERT,ERR_R_MALLOC_FAILURE);
+- goto end;
+- }
+- CRYPTO_add(&ctx->cert->references,1,CRYPTO_LOCK_X509);
+- ctx->last_untrusted=1;
+- }
++ if (((ctx->chain = sk_X509_new_null()) == NULL) ||
++ (!sk_X509_push(ctx->chain, ctx->cert))) {
++ X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
++ goto end;
++ }
++ CRYPTO_add(&ctx->cert->references, 1, CRYPTO_LOCK_X509);
++ ctx->last_untrusted = 1;
+
+ /* We use a temporary STACK so we can chop and hack at it */
+ if (ctx->untrusted != NULL
+Index: openssl-1.0.1f/doc/crypto/X509_STORE_CTX_new.pod
+===================================================================
+--- openssl-1.0.1f.orig/doc/crypto/X509_STORE_CTX_new.pod 2016-02-05 16:10:38.163688817 -0500
++++ openssl-1.0.1f/doc/crypto/X509_STORE_CTX_new.pod 2016-02-05 16:10:38.163688817 -0500
+@@ -39,10 +39,15 @@
+ is no longer valid.
+
+ X509_STORE_CTX_init() sets up B for a subsequent verification operation.
+-The trusted certificate store is set to B, the end entity certificate
+-to be verified is set to B and a set of additional certificates (which
+-will be untrusted but may be used to build the chain) in B. Any or
+-all of the B, B and B parameters can be B.
++It must be called before each call to X509_verify_cert(), i.e. a B is only
++good for one call to X509_verify_cert(); if you want to verify a second
++certificate with the same B then you must call X509_XTORE_CTX_cleanup()
++and then X509_STORE_CTX_init() again before the second call to
++X509_verify_cert(). The trusted certificate store is set to B, the end
++entity certificate to be verified is set to B and a set of additional
++certificates (which will be untrusted but may be used to build the chain) in
++B. Any or all of the B, B and B parameters can be
++B.
+
+ X509_STORE_CTX_trusted_stack() sets the set of trusted certificates of B
+ to B. This is an alternative way of specifying trusted certificates
+Index: openssl-1.0.1f/doc/crypto/X509_verify_cert.pod
+===================================================================
+--- openssl-1.0.1f.orig/doc/crypto/X509_verify_cert.pod 2016-02-05 16:10:38.163688817 -0500
++++ openssl-1.0.1f/doc/crypto/X509_verify_cert.pod 2016-02-05 16:10:38.163688817 -0500
+@@ -32,7 +32,8 @@
+ SSL/TLS code.
+
+ The negative return value from X509_verify_cert() can only occur if no
+-certificate is set in B (due to a programming error) or if a retry
++certificate is set in B (due to a programming error); if X509_verify_cert()
++twice without reinitialising B in between; or if a retry
+ operation is requested during internal lookups (which never happens with
+ standard lookup methods). It is however recommended that application check
+ for <= 0 return value on error.
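Review bot: The new early exit in X509_verify_cert() (`if (ctx->chain != NULL)`) returns -1 after X509err() but never assigns ctx->error, so a caller that tests the return value as a boolean treats -1 as success, and one that only reads X509_STORE_CTX_get_error() sees whatever the earlier verification left there. Setting ctx->error to a non-OK verification code before `return -1;` would make the reuse failure visible on both paths; which code fits best cannot be decided from the hunk. The accompanying pod text also needs two wording fixes: `X509_XTORE_CTX_cleanup()` should read `X509_STORE_CTX_cleanup()`, and `if X509_verify_cert() twice without reinitialising` is missing `is called`. X509_verify_cert() begins and ends outside the hunk.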
diff -Nru openssl-1.0.1/debian/patches/alt-cert-chains-8.patch openssl-1.0.1/debian/patches/alt-cert-chains-8.patch
--- openssl-1.0.1/debian/patches/alt-cert-chains-8.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/alt-cert-chains-8.patch 2016-02-08 14:15:32.000000000 +0000
@@ -0,0 +1,46 @@
+Backport of:
+
+From cb22d2ae5a5b6069dbf66dbcce07223ac15a16de Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Wed, 24 Jun 2015 00:12:38 +0100
+Subject: [PATCH] Fix alt chains bug
+
+This is a follow up to the alternate chains certificate forgery issue
+(CVE-2015-1793). That issue is exacerbated in 1.0.1 by a related bug which
+means that we *always* check for an alternative chain, even if we have
+already found a chain. The code is supposed to stop as soon as it has found
+one (and does do in master and 1.0.2).
+
+Reviewed-by: Stephen Henson
+---
+ crypto/x509/verify_extra_test.c | 3 ++-
+ crypto/x509/x509_vfy.c | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.1f/test/verify_extra_test.c
+===================================================================
+--- openssl-1.0.1f.orig/test/verify_extra_test.c 2016-02-05 16:13:04.021333419 -0500
++++ openssl-1.0.1f/test/verify_extra_test.c 2016-02-05 16:13:04.017333373 -0500
+@@ -168,7 +168,8 @@
+
+ i = X509_verify_cert(sctx);
+
+- if(i == 0 && X509_STORE_CTX_get_error(sctx) == X509_V_ERR_INVALID_CA) {
++ if(i == 0 && X509_STORE_CTX_get_error(sctx)
++ == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) {
+ /* This is the result we were expecting: Test passed */
+ ret = 1;
+ }
+Index: openssl-1.0.1f/crypto/x509/x509_vfy.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/x509/x509_vfy.c 2016-02-05 16:13:04.021333419 -0500
++++ openssl-1.0.1f/crypto/x509/x509_vfy.c 2016-02-05 16:13:28.365608276 -0500
+@@ -316,7 +316,7 @@
+ * if the user hasn't switched off alternate chain checking
+ */
+ retry = 0;
+- if (j == ctx->last_untrusted &&
++ if (num == ctx->last_untrusted &&
+ !(ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) {
+ while (j-- > 1) {
+ xtmp2 = sk_X509_value(ctx->chain, j - 1);
diff -Nru openssl-1.0.1/debian/patches/CVE-2015-3194.patch openssl-1.0.1/debian/patches/CVE-2015-3194.patch
---
openssl-1.0.1/debian/patches/CVE-2015-3194.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/CVE-2015-3194.patch 2015-12-04 13:21:31.000000000 +0000
@@ -0,0 +1,36 @@
+Backport of:
+
+From d8541d7e9e63bf5f343af24644046c8d96498c17 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson"
+Date: Fri, 2 Oct 2015 13:10:29 +0100
+Subject: [PATCH] Add PSS parameter check.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Avoid seg fault by checking mgf1 parameter is not NULL. This can be
+triggered during certificate verification so could be a DoS attack
+against a client or a server enabling client authentication.
+
+Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
+
+CVE-2015-3194
+
+Reviewed-by: Matt Caswell
+---
+ crypto/rsa/rsa_ameth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: openssl-1.0.1f/crypto/rsa/rsa_ameth.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/rsa/rsa_ameth.c 2015-12-04 07:35:43.437923518 -0500
++++ openssl-1.0.1f/crypto/rsa/rsa_ameth.c 2015-12-04 07:36:26.458397427 -0500
+@@ -287,7 +287,7 @@
+ {
+ ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
+ if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
+- && param->type == V_ASN1_SEQUENCE)
++ && param && param->type == V_ASN1_SEQUENCE)
+ {
+ p = param->value.sequence->data;
+ plen = param->value.sequence->length;
diff -Nru openssl-1.0.1/debian/patches/CVE-2015-3195.patch openssl-1.0.1/debian/patches/CVE-2015-3195.patch
--- openssl-1.0.1/debian/patches/CVE-2015-3195.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/CVE-2015-3195.patch 2015-12-04 13:21:35.000000000 +0000
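Review bot: The added guard in the rsa_ameth.c hunk tests `param` implicitly and without a comment, on a path the commit message says is reached during certificate verification. I would write it as `&& param != NULL && param->type == V_ASN1_SEQUENCE)` and put `/* AlgorithmIdentifier parameters are OPTIONAL, so param may be NULL */` above the condition, so the reason for the check survives later refactoring. The diffstat shows only rsa_ameth.c changing; a regression test that decodes PSS parameters with the MGF1 parameter field absent would keep the check from being dropped. The enclosing function starts and ends outside the hunk, so whether `pss->maskGenAlgorithm` itself is checked before the dereference on the line above cannot be confirmed here.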
@@ -0,0 +1,57 @@
+Backport of:
+
+From b29ffa392e839d05171206523e84909146f7a77c Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson"
+Date: Tue, 10 Nov 2015 19:03:07 +0000
+Subject: [PATCH] Fix leak with ASN.1 combine.
+
+When parsing a combined structure pass a flag to the decode routine
+so on error a pointer to the parent structure is not zeroed as
+this will leak any additional components in the parent.
+
+This can leak memory in any application parsing PKCS#7 or CMS structures.
+
+CVE-2015-3195.
+
+Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
+libFuzzer.
+
+PR#4131
+
+Reviewed-by: Richard Levitte
+---
+ crypto/asn1/tasn_dec.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.1f/crypto/asn1/tasn_dec.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/asn1/tasn_dec.c 2015-12-04 07:36:53.038690220 -0500
++++ openssl-1.0.1f/crypto/asn1/tasn_dec.c 2015-12-04 07:38:24.187694186 -0500
+@@ -169,6 +169,8 @@
+ int otag;
+ int ret = 0;
+ ASN1_VALUE **pchptr, *ptmpval;
++ int combine = aclass & ASN1_TFLG_COMBINE;
++ aclass &= ~ASN1_TFLG_COMBINE;
+ if (!pval)
+ return 0;
+ if (aux && aux->asn1_cb)
+@@ -534,7 +536,8 @@
+ auxerr:
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+ err:
+- ASN1_item_ex_free(pval, it);
++ if (combine == 0)
++ ASN1_item_ex_free(pval, it);
+ if (errtt)
+ ERR_add_error_data(4, "Field=", errtt->field_name,
+ ", Type=", it->sname);
+@@ -762,7 +765,7 @@
+ {
+ /* Nothing special */
+ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+- -1, 0, opt, ctx);
++ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+ if (!ret)
+ {
+ ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
diff -Nru openssl-1.0.1/debian/patches/CVE-2015-3196.patch openssl-1.0.1/debian/patches/CVE-2015-3196.patch
--- openssl-1.0.1/debian/patches/CVE-2015-3196.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/CVE-2015-3196.patch 2015-12-04
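Review bot: The first tasn_dec.c hunk overloads `aclass` to carry ASN1_TFLG_COMBINE into the decoder and strips it again, but nothing in the code says so; a reader of `int combine = aclass & ASN1_TFLG_COMBINE;` has to find the call in the third hunk to learn where the bit comes from. A comment such as `/* ASN1_TFLG_COMBINE is passed in aclass by the template decoder; remove it before aclass is used as a tag class */` belongs above those two lines. At `err:`, the new `if (combine == 0)` deserves `/* combine: *pval is the parent structure, leave it for the caller to free */`, which is my reading of the commit message and should be confirmed against the callers. All three hunks sit inside functions whose start and end are outside the hunk.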
13:21:45.000000000 +0000 
@@ -0,0 +1,74 @@
+Backport of:
+
+From d6be3124f22870f1888c532523b74ea5d89795eb Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson"
+Date: Wed, 1 Jul 2015 23:40:03 +0100
+Subject: [PATCH] Fix PSK handling.
+
+The PSK identity hint should be stored in the SSL_SESSION structure
+and not in the parent context (which will overwrite values used
+by other SSL structures with the same SSL_CTX).
+
+Use BUF_strndup when copying identity as it may not be null terminated.
+
+Reviewed-by: Tim Hudson
+(cherry picked from commit 3c66a669dfc7b3792f7af0758ea26fe8502ce70c)
+---
+ ssl/s3_clnt.c | 17 +++--------------
+ ssl/s3_srvr.c | 2 +-
+ 2 files changed, 4 insertions(+), 15 deletions(-)
+
+Index: openssl-1.0.1/ssl/s3_clnt.c
+===================================================================
+--- openssl-1.0.1.orig/ssl/s3_clnt.c 2015-12-04 08:21:41.252946085 -0500
++++ openssl-1.0.1/ssl/s3_clnt.c 2015-12-04 08:21:41.240945945 -0500
+@@ -1373,8 +1373,6 @@
+ #ifndef OPENSSL_NO_PSK
+ if (alg_k & SSL_kPSK)
+ {
+- char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
+-
+ al=SSL_AD_HANDSHAKE_FAILURE;
+ n2s(p,i);
+ param_len=i+2;
+@@ -1395,16 +1393,8 @@
+ SSL_R_BAD_PSK_IDENTITY_HINT_LENGTH);
+ goto f_err;
+ }
+- /* If received PSK identity hint contains NULL
+- * characters, the hint is truncated from the first
+- * NULL. p may not be ending with NULL, so create a
+- * NULL-terminated string.
*/
+- memcpy(tmp_id_hint, p, i);
+- memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
+- if (s->ctx->psk_identity_hint != NULL)
+- OPENSSL_free(s->ctx->psk_identity_hint);
+- s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
+- if (s->ctx->psk_identity_hint == NULL)
++ s->session->psk_identity_hint = BUF_strndup((char *)p, i);
++ if (s->session->psk_identity_hint == NULL)
+ {
+ SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
+ goto f_err;
+@@ -2904,7 +2894,7 @@
+ goto err;
+ }
+
+- psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
++ psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
+ identity, PSK_MAX_IDENTITY_LEN,
+ psk_or_pre_ms, sizeof(psk_or_pre_ms));
+ if (psk_len > PSK_MAX_PSK_LEN)
+Index: openssl-1.0.1/ssl/s3_srvr.c
+===================================================================
+--- openssl-1.0.1.orig/ssl/s3_srvr.c 2015-12-04 08:21:41.252946085 -0500
++++ openssl-1.0.1/ssl/s3_srvr.c 2015-12-04 08:21:41.248946039 -0500
+@@ -2727,7 +2727,7 @@
+
+ if (s->session->psk_identity != NULL)
+ OPENSSL_free(s->session->psk_identity);
+- s->session->psk_identity = BUF_strdup((char *)p);
++ s->session->psk_identity = BUF_strndup((char *)p, i);
+ if (s->session->psk_identity == NULL)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
diff -Nru openssl-1.0.1/debian/patches/CVE-2015-7575.patch openssl-1.0.1/debian/patches/CVE-2015-7575.patch
--- openssl-1.0.1/debian/patches/CVE-2015-7575.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/CVE-2015-7575.patch 2016-01-07 14:27:42.000000000 +0000
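Review bot: The s3_clnt.c hunk assigns `s->session->psk_identity_hint = BUF_strndup((char *)p, i);` without releasing a value the session may already hold, whereas the removed code freed the old `s->ctx->psk_identity_hint` first and the s3_srvr.c hunk still frees `s->session->psk_identity` before overwriting it. If the session can already carry a hint when this key-exchange code runs (not visible in the hunk), the earlier buffer is leaked each time that happens. Adding `if (s->session->psk_identity_hint != NULL) OPENSSL_free(s->session->psk_identity_hint);` immediately before the assignment restores the symmetry. The enclosing functions start and end outside the hunks.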
@@ -0,0 +1,56 @@
+From 5e1ff664f95ab4c9176b3e86b5111e5777bad61a Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson"
+Date: Tue, 15 Oct 2013 14:15:54 +0100
+Subject: [PATCH] Don't use RSA+MD5 with TLS 1.2
+
+Since the TLS 1.2 supported signature algorithms extension is less
+sophisticaed in OpenSSL 1.0.1 this has to be done in two stages.
+
+RSA+MD5 is removed from supported signature algorithms extension:
+any compliant implementation should never use RSA+MD5 as a result.
+
+To cover the case of a broken implementation using RSA+MD5 anyway
+disable lookup of MD5 algorithm in TLS 1.2.
+---
+ ssl/t1_lib.c | 16 ----------------
+ 1 file changed, 16 deletions(-)
+
+Index: openssl-1.0.1/ssl/t1_lib.c
+===================================================================
+--- openssl-1.0.1.orig/ssl/t1_lib.c 2016-01-07 09:27:40.090082987 -0500
++++ openssl-1.0.1/ssl/t1_lib.c 2016-01-07 09:27:40.082082902 -0500
+@@ -342,19 +342,11 @@
+ #ifndef OPENSSL_NO_SHA
+ tlsext_sigalg(TLSEXT_hash_sha1)
+ #endif
+-#ifndef OPENSSL_NO_MD5
+- tlsext_sigalg_rsa(TLSEXT_hash_md5)
+-#endif
+ };
+
+ int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
+ {
+ size_t slen = sizeof(tls12_sigalgs);
+-#ifdef OPENSSL_FIPS
+- /* If FIPS mode don't include MD5 which is last */
+- if (FIPS_mode())
+- slen -= 2;
+-#endif
+ if (p)
+ memcpy(p, tls12_sigalgs, slen);
+ return (int)slen;
+@@ -2326,14 +2318,6 @@
+ {
+ switch(hash_alg)
+ {
+-#ifndef OPENSSL_NO_MD5
+- case TLSEXT_hash_md5:
+-#ifdef OPENSSL_FIPS
+- if (FIPS_mode())
+- return NULL;
+-#endif
+- return EVP_md5();
+-#endif
+ #ifndef OPENSSL_NO_SHA
+ case TLSEXT_hash_sha1:
+ return EVP_sha1();
diff -Nru openssl-1.0.1/debian/patches/CVE-2016-0702.patch openssl-1.0.1/debian/patches/CVE-2016-0702.patch
--- openssl-1.0.1/debian/patches/CVE-2016-0702.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/CVE-2016-0702.patch 2016-02-26 18:49:09.000000000 +0000
@@ -0,0 +1,1110 @@ +Description: fix side channel attack on modular exponentiation +Origin: backported from patch by Andy Polyakov + +Index: openssl-1.0.1/crypto/bn/asm/x86_64-mont5.pl +=================================================================== +--- openssl-1.0.1.orig/crypto/bn/asm/x86_64-mont5.pl 2016-02-26 13:44:34.863305608 -0500 ++++ openssl-1.0.1/crypto/bn/asm/x86_64-mont5.pl 2016-02-26 13:48:48.334322790 -0500 +@@ -65,60 +65,113 @@ + .align 16 + .Lmul_enter: + mov ${num}d,${num}d +- mov `($win64?56:8)`(%rsp),%r10d # load 7th argument ++ movd `($win64?56:8)`(%rsp),%xmm5 # load 7th argument ++ lea .Linc(%rip),%r10 + push %rbx + push %rbp + push %r12 + push %r13 + push %r14 + push %r15 +-___ +-$code.=<<___ if ($win64); +- lea -0x28(%rsp),%rsp +- movaps %xmm6,(%rsp) +- movaps %xmm7,0x10(%rsp) ++ + .Lmul_alloca: +-___ +-$code.=<<___; + mov %rsp,%rax + lea 2($num),%r11 + neg %r11 +- lea (%rsp,%r11,8),%rsp # tp=alloca(8*(num+2)) ++ lea -264(%rsp,%r11,8),%rsp # tp=alloca(8*(num+2)+256+8) + and \$-1024,%rsp # minimize TLB usage + + mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp + .Lmul_body: +- mov $bp,%r12 # reassign $bp ++ lea 128($bp),%r12 # reassign $bp (+size optimization) + ___ + $bp="%r12"; + $STRIDE=2**5*8; # 5 is "window size" + $N=$STRIDE/4; # should match cache line size + $code.=<<___; +- mov %r10,%r11 +- shr \$`log($N/8)/log(2)`,%r10 +- and \$`$N/8-1`,%r11 +- not %r10 +- lea .Lmagic_masks(%rip),%rax +- and \$`2**5/($N/8)-1`,%r10 # 5 is "window size" +- lea 96($bp,%r11,8),$bp # pointer within 1st cache line +- movq 0(%rax,%r10,8),%xmm4 # set of masks denoting which +- movq 8(%rax,%r10,8),%xmm5 # cache line contains element +- movq 16(%rax,%r10,8),%xmm6 # denoted by 7th argument +- movq 24(%rax,%r10,8),%xmm7 +- +- movq `0*$STRIDE/4-96`($bp),%xmm0 +- movq `1*$STRIDE/4-96`($bp),%xmm1 +- pand %xmm4,%xmm0 +- movq `2*$STRIDE/4-96`($bp),%xmm2 +- pand %xmm5,%xmm1 +- movq `3*$STRIDE/4-96`($bp),%xmm3 +- pand %xmm6,%xmm2 +- por %xmm1,%xmm0 +- pand %xmm7,%xmm3 ++ 
movdqa 0(%r10),%xmm0 # 00000001000000010000000000000000 ++ movdqa 16(%r10),%xmm1 # 00000002000000020000000200000002 ++ lea 24-112(%rsp,$num,8),%r10# place the mask after tp[num+3] (+ICache optimization) ++ and \$-16,%r10 ++ ++ pshufd \$0,%xmm5,%xmm5 # broadcast index ++ movdqa %xmm1,%xmm4 ++ movdqa %xmm1,%xmm2 ++___ ++######################################################################## ++# calculate mask by comparing 0..31 to index and save result to stack ++# ++$code.=<<___; ++ paddd %xmm0,%xmm1 ++ pcmpeqd %xmm5,%xmm0 # compare to 1,0 ++ .byte 0x67 ++ movdqa %xmm4,%xmm3 ++___ ++for($k=0;$k<$STRIDE/16-4;$k+=4) { ++$code.=<<___; ++ paddd %xmm1,%xmm2 ++ pcmpeqd %xmm5,%xmm1 # compare to 3,2 ++ movdqa %xmm0,`16*($k+0)+112`(%r10) ++ movdqa %xmm4,%xmm0 ++ ++ paddd %xmm2,%xmm3 ++ pcmpeqd %xmm5,%xmm2 # compare to 5,4 ++ movdqa %xmm1,`16*($k+1)+112`(%r10) ++ movdqa %xmm4,%xmm1 ++ ++ paddd %xmm3,%xmm0 ++ pcmpeqd %xmm5,%xmm3 # compare to 7,6 ++ movdqa %xmm2,`16*($k+2)+112`(%r10) ++ movdqa %xmm4,%xmm2 ++ ++ paddd %xmm0,%xmm1 ++ pcmpeqd %xmm5,%xmm0 ++ movdqa %xmm3,`16*($k+3)+112`(%r10) ++ movdqa %xmm4,%xmm3 ++___ ++} ++$code.=<<___; # last iteration can be optimized ++ paddd %xmm1,%xmm2 ++ pcmpeqd %xmm5,%xmm1 ++ movdqa %xmm0,`16*($k+0)+112`(%r10) ++ ++ paddd %xmm2,%xmm3 ++ .byte 0x67 ++ pcmpeqd %xmm5,%xmm2 ++ movdqa %xmm1,`16*($k+1)+112`(%r10) ++ ++ pcmpeqd %xmm5,%xmm3 ++ movdqa %xmm2,`16*($k+2)+112`(%r10) ++ pand `16*($k+0)-128`($bp),%xmm0 # while it's still in register ++ ++ pand `16*($k+1)-128`($bp),%xmm1 ++ pand `16*($k+2)-128`($bp),%xmm2 ++ movdqa %xmm3,`16*($k+3)+112`(%r10) ++ pand `16*($k+3)-128`($bp),%xmm3 + por %xmm2,%xmm0 ++ por %xmm3,%xmm1 ++___ ++for($k=0;$k<$STRIDE/16-4;$k+=4) { ++$code.=<<___; ++ movdqa `16*($k+0)-128`($bp),%xmm4 ++ movdqa `16*($k+1)-128`($bp),%xmm5 ++ movdqa `16*($k+2)-128`($bp),%xmm2 ++ pand `16*($k+0)+112`(%r10),%xmm4 ++ movdqa `16*($k+3)-128`($bp),%xmm3 ++ pand `16*($k+1)+112`(%r10),%xmm5 ++ por %xmm4,%xmm0 ++ pand 
`16*($k+2)+112`(%r10),%xmm2 ++ por %xmm5,%xmm1 ++ pand `16*($k+3)+112`(%r10),%xmm3 ++ por %xmm2,%xmm0 ++ por %xmm3,%xmm1 ++___ ++} ++$code.=<<___; ++ por %xmm1,%xmm0 ++ pshufd \$0x4e,%xmm0,%xmm1 ++ por %xmm1,%xmm0 + lea $STRIDE($bp),$bp +- por %xmm3,%xmm0 +- + movq %xmm0,$m0 # m0=bp[0] + + mov ($n0),$n0 # pull n0[0] value +@@ -127,29 +180,14 @@ + xor $i,$i # i=0 + xor $j,$j # j=0 + +- movq `0*$STRIDE/4-96`($bp),%xmm0 +- movq `1*$STRIDE/4-96`($bp),%xmm1 +- pand %xmm4,%xmm0 +- movq `2*$STRIDE/4-96`($bp),%xmm2 +- pand %xmm5,%xmm1 +- + mov $n0,$m1 + mulq $m0 # ap[0]*bp[0] + mov %rax,$lo0 + mov ($np),%rax + +- movq `3*$STRIDE/4-96`($bp),%xmm3 +- pand %xmm6,%xmm2 +- por %xmm1,%xmm0 +- pand %xmm7,%xmm3 +- + imulq $lo0,$m1 # "tp[0]"*n0 + mov %rdx,$hi0 + +- por %xmm2,%xmm0 +- lea $STRIDE($bp),$bp +- por %xmm3,%xmm0 +- + mulq $m1 # np[0]*m1 + add %rax,$lo0 # discarded + mov 8($ap),%rax +@@ -182,8 +220,6 @@ + cmp $num,$j + jne .L1st + +- movq %xmm0,$m0 # bp[1] +- + add %rax,$hi1 + mov ($ap),%rax # ap[0] + adc \$0,%rdx +@@ -203,33 +239,46 @@ + jmp .Louter + .align 16 + .Louter: ++ lea 24+128(%rsp,$num,8),%rdx # where 256-byte mask is (+size optimization) ++ and \$-16,%rdx ++ pxor %xmm4,%xmm4 ++ pxor %xmm5,%xmm5 ++___ ++for($k=0;$k<$STRIDE/16;$k+=4) { ++$code.=<<___; ++ movdqa `16*($k+0)-128`($bp),%xmm0 ++ movdqa `16*($k+1)-128`($bp),%xmm1 ++ movdqa `16*($k+2)-128`($bp),%xmm2 ++ movdqa `16*($k+3)-128`($bp),%xmm3 ++ pand `16*($k+0)-128`(%rdx),%xmm0 ++ pand `16*($k+1)-128`(%rdx),%xmm1 ++ por %xmm0,%xmm4 ++ pand `16*($k+2)-128`(%rdx),%xmm2 ++ por %xmm1,%xmm5 ++ pand `16*($k+3)-128`(%rdx),%xmm3 ++ por %xmm2,%xmm4 ++ por %xmm3,%xmm5 ++___ ++} ++$code.=<<___; ++ por %xmm5,%xmm4 ++ pshufd \$0x4e,%xmm4,%xmm0 ++ por %xmm4,%xmm0 ++ lea $STRIDE($bp),$bp ++ movq %xmm0,$m0 # m0=bp[i] ++ + xor $j,$j # j=0 + mov $n0,$m1 + mov (%rsp),$lo0 + +- movq `0*$STRIDE/4-96`($bp),%xmm0 +- movq `1*$STRIDE/4-96`($bp),%xmm1 +- pand %xmm4,%xmm0 +- movq `2*$STRIDE/4-96`($bp),%xmm2 +- pand %xmm5,%xmm1 +- + 
mulq $m0 # ap[0]*bp[i] + add %rax,$lo0 # ap[0]*bp[i]+tp[0] + mov ($np),%rax + adc \$0,%rdx + +- movq `3*$STRIDE/4-96`($bp),%xmm3 +- pand %xmm6,%xmm2 +- por %xmm1,%xmm0 +- pand %xmm7,%xmm3 +- + imulq $lo0,$m1 # tp[0]*n0 + mov %rdx,$hi0 + +- por %xmm2,%xmm0 +- lea $STRIDE($bp),$bp +- por %xmm3,%xmm0 +- + mulq $m1 # np[0]*m1 + add %rax,$lo0 # discarded + mov 8($ap),%rax +@@ -265,8 +314,6 @@ + cmp $num,$j + jne .Linner + +- movq %xmm0,$m0 # bp[i+1] +- + add %rax,$hi1 + mov ($ap),%rax # ap[0] + adc \$0,%rdx +@@ -320,13 +367,7 @@ + + mov 8(%rsp,$num,8),%rsi # restore %rsp + mov \$1,%rax +-___ +-$code.=<<___ if ($win64); +- movaps (%rsi),%xmm6 +- movaps 0x10(%rsi),%xmm7 +- lea 0x28(%rsi),%rsi +-___ +-$code.=<<___; ++ + mov (%rsi),%r15 + mov 8(%rsi),%r14 + mov 16(%rsi),%r13 +@@ -347,91 +388,130 @@ + bn_mul4x_mont_gather5: + .Lmul4x_enter: + mov ${num}d,${num}d +- mov `($win64?56:8)`(%rsp),%r10d # load 7th argument ++ movd `($win64?56:8)`(%rsp),%xmm5 # load 7th argument ++ lea .Linc(%rip),%r10 + push %rbx + push %rbp + push %r12 + push %r13 + push %r14 + push %r15 +-___ +-$code.=<<___ if ($win64); +- lea -0x28(%rsp),%rsp +- movaps %xmm6,(%rsp) +- movaps %xmm7,0x10(%rsp) ++ + .Lmul4x_alloca: +-___ +-$code.=<<___; + mov %rsp,%rax + lea 4($num),%r11 + neg %r11 +- lea (%rsp,%r11,8),%rsp # tp=alloca(8*(num+4)) ++ lea -256(%rsp,%r11,8),%rsp # tp=alloca(8*(num+4)+256) + and \$-1024,%rsp # minimize TLB usage + + mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp + .Lmul4x_body: + mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp +- mov %rdx,%r12 # reassign $bp ++ lea 128(%rdx),%r12 # reassign $bp (+size optimization) + ___ + $bp="%r12"; + $STRIDE=2**5*8; # 5 is "window size" + $N=$STRIDE/4; # should match cache line size + $code.=<<___; +- mov %r10,%r11 +- shr \$`log($N/8)/log(2)`,%r10 +- and \$`$N/8-1`,%r11 +- not %r10 +- lea .Lmagic_masks(%rip),%rax +- and \$`2**5/($N/8)-1`,%r10 # 5 is "window size" +- lea 96($bp,%r11,8),$bp # pointer within 1st cache line +- movq 0(%rax,%r10,8),%xmm4 # set of masks 
denoting which +- movq 8(%rax,%r10,8),%xmm5 # cache line contains element +- movq 16(%rax,%r10,8),%xmm6 # denoted by 7th argument +- movq 24(%rax,%r10,8),%xmm7 +- +- movq `0*$STRIDE/4-96`($bp),%xmm0 +- movq `1*$STRIDE/4-96`($bp),%xmm1 +- pand %xmm4,%xmm0 +- movq `2*$STRIDE/4-96`($bp),%xmm2 +- pand %xmm5,%xmm1 +- movq `3*$STRIDE/4-96`($bp),%xmm3 +- pand %xmm6,%xmm2 +- por %xmm1,%xmm0 +- pand %xmm7,%xmm3 ++ movdqa 0(%r10),%xmm0 # 00000001000000010000000000000000 ++ movdqa 16(%r10),%xmm1 # 00000002000000020000000200000002 ++ lea 32-112(%rsp,$num,8),%r10# place the mask after tp[num+4] (+ICache optimization) ++ ++ pshufd \$0,%xmm5,%xmm5 # broadcast index ++ movdqa %xmm1,%xmm4 ++ .byte 0x67,0x67 ++ movdqa %xmm1,%xmm2 ++___ ++######################################################################## ++# calculate mask by comparing 0..31 to index and save result to stack ++# ++$code.=<<___; ++ paddd %xmm0,%xmm1 ++ pcmpeqd %xmm5,%xmm0 # compare to 1,0 ++ .byte 0x67 ++ movdqa %xmm4,%xmm3 ++___ ++for($k=0;$k<$STRIDE/16-4;$k+=4) { ++$code.=<<___; ++ paddd %xmm1,%xmm2 ++ pcmpeqd %xmm5,%xmm1 # compare to 3,2 ++ movdqa %xmm0,`16*($k+0)+112`(%r10) ++ movdqa %xmm4,%xmm0 ++ ++ paddd %xmm2,%xmm3 ++ pcmpeqd %xmm5,%xmm2 # compare to 5,4 ++ movdqa %xmm1,`16*($k+1)+112`(%r10) ++ movdqa %xmm4,%xmm1 ++ ++ paddd %xmm3,%xmm0 ++ pcmpeqd %xmm5,%xmm3 # compare to 7,6 ++ movdqa %xmm2,`16*($k+2)+112`(%r10) ++ movdqa %xmm4,%xmm2 ++ ++ paddd %xmm0,%xmm1 ++ pcmpeqd %xmm5,%xmm0 ++ movdqa %xmm3,`16*($k+3)+112`(%r10) ++ movdqa %xmm4,%xmm3 ++___ ++} ++$code.=<<___; # last iteration can be optimized ++ paddd %xmm1,%xmm2 ++ pcmpeqd %xmm5,%xmm1 ++ movdqa %xmm0,`16*($k+0)+112`(%r10) ++ ++ paddd %xmm2,%xmm3 ++ .byte 0x67 ++ pcmpeqd %xmm5,%xmm2 ++ movdqa %xmm1,`16*($k+1)+112`(%r10) ++ ++ pcmpeqd %xmm5,%xmm3 ++ movdqa %xmm2,`16*($k+2)+112`(%r10) ++ pand `16*($k+0)-128`($bp),%xmm0 # while it's still in register ++ ++ pand `16*($k+1)-128`($bp),%xmm1 ++ pand `16*($k+2)-128`($bp),%xmm2 ++ movdqa 
%xmm3,`16*($k+3)+112`(%r10) ++ pand `16*($k+3)-128`($bp),%xmm3 ++ por %xmm2,%xmm0 ++ por %xmm3,%xmm1 ++___ ++for($k=0;$k<$STRIDE/16-4;$k+=4) { ++$code.=<<___; ++ movdqa `16*($k+0)-128`($bp),%xmm4 ++ movdqa `16*($k+1)-128`($bp),%xmm5 ++ movdqa `16*($k+2)-128`($bp),%xmm2 ++ pand `16*($k+0)+112`(%r10),%xmm4 ++ movdqa `16*($k+3)-128`($bp),%xmm3 ++ pand `16*($k+1)+112`(%r10),%xmm5 ++ por %xmm4,%xmm0 ++ pand `16*($k+2)+112`(%r10),%xmm2 ++ por %xmm5,%xmm1 ++ pand `16*($k+3)+112`(%r10),%xmm3 + por %xmm2,%xmm0 ++ por %xmm3,%xmm1 ++___ ++} ++$code.=<<___; ++ por %xmm1,%xmm0 ++ pshufd \$0x4e,%xmm0,%xmm1 ++ por %xmm1,%xmm0 + lea $STRIDE($bp),$bp +- por %xmm3,%xmm0 +- + movq %xmm0,$m0 # m0=bp[0] ++ + mov ($n0),$n0 # pull n0[0] value + mov ($ap),%rax + + xor $i,$i # i=0 + xor $j,$j # j=0 + +- movq `0*$STRIDE/4-96`($bp),%xmm0 +- movq `1*$STRIDE/4-96`($bp),%xmm1 +- pand %xmm4,%xmm0 +- movq `2*$STRIDE/4-96`($bp),%xmm2 +- pand %xmm5,%xmm1 +- + mov $n0,$m1 + mulq $m0 # ap[0]*bp[0] + mov %rax,$A[0] + mov ($np),%rax + +- movq `3*$STRIDE/4-96`($bp),%xmm3 +- pand %xmm6,%xmm2 +- por %xmm1,%xmm0 +- pand %xmm7,%xmm3 +- + imulq $A[0],$m1 # "tp[0]"*n0 + mov %rdx,$A[1] + +- por %xmm2,%xmm0 +- lea $STRIDE($bp),$bp +- por %xmm3,%xmm0 +- + mulq $m1 # np[0]*m1 + add %rax,$A[0] # discarded + mov 8($ap),%rax +@@ -549,8 +629,6 @@ + mov $N[1],-16(%rsp,$j,8) # tp[j-1] + mov %rdx,$N[0] + +- movq %xmm0,$m0 # bp[1] +- + xor $N[1],$N[1] + add $A[0],$N[0] + adc \$0,$N[1] +@@ -560,12 +638,34 @@ + lea 1($i),$i # i++ + .align 4 + .Louter4x: ++ lea 32+128(%rsp,$num,8),%rdx # where 256-byte mask is (+size optimization) ++ pxor %xmm4,%xmm4 ++ pxor %xmm5,%xmm5 ++___ ++for($k=0;$k<$STRIDE/16;$k+=4) { ++$code.=<<___; ++ movdqa `16*($k+0)-128`($bp),%xmm0 ++ movdqa `16*($k+1)-128`($bp),%xmm1 ++ movdqa `16*($k+2)-128`($bp),%xmm2 ++ movdqa `16*($k+3)-128`($bp),%xmm3 ++ pand `16*($k+0)-128`(%rdx),%xmm0 ++ pand `16*($k+1)-128`(%rdx),%xmm1 ++ por %xmm0,%xmm4 ++ pand `16*($k+2)-128`(%rdx),%xmm2 ++ por %xmm1,%xmm5 ++ pand 
`16*($k+3)-128`(%rdx),%xmm3 ++ por %xmm2,%xmm4 ++ por %xmm3,%xmm5 ++___ ++} ++$code.=<<___; ++ por %xmm5,%xmm4 ++ pshufd \$0x4e,%xmm4,%xmm0 ++ por %xmm4,%xmm0 ++ lea $STRIDE($bp),$bp ++ movq %xmm0,$m0 # m0=bp[i] ++ + xor $j,$j # j=0 +- movq `0*$STRIDE/4-96`($bp),%xmm0 +- movq `1*$STRIDE/4-96`($bp),%xmm1 +- pand %xmm4,%xmm0 +- movq `2*$STRIDE/4-96`($bp),%xmm2 +- pand %xmm5,%xmm1 + + mov (%rsp),$A[0] + mov $n0,$m1 +@@ -574,18 +674,9 @@ + mov ($np),%rax + adc \$0,%rdx + +- movq `3*$STRIDE/4-96`($bp),%xmm3 +- pand %xmm6,%xmm2 +- por %xmm1,%xmm0 +- pand %xmm7,%xmm3 +- + imulq $A[0],$m1 # tp[0]*n0 + mov %rdx,$A[1] + +- por %xmm2,%xmm0 +- lea $STRIDE($bp),$bp +- por %xmm3,%xmm0 +- + mulq $m1 # np[0]*m1 + add %rax,$A[0] # "$N[0]", discarded + mov 8($ap),%rax +@@ -717,7 +808,6 @@ + mov $N[0],-24(%rsp,$j,8) # tp[j-1] + mov %rdx,$N[0] + +- movq %xmm0,$m0 # bp[i+1] + mov $N[1],-16(%rsp,$j,8) # tp[j-1] + + xor $N[1],$N[1] +@@ -808,13 +898,7 @@ + $code.=<<___; + mov 8(%rsp,$num,8),%rsi # restore %rsp + mov \$1,%rax +-___ +-$code.=<<___ if ($win64); +- movaps (%rsi),%xmm6 +- movaps 0x10(%rsi),%xmm7 +- lea 0x28(%rsi),%rsi +-___ +-$code.=<<___; ++ + mov (%rsi),%r15 + mov 8(%rsi),%r14 + mov 16(%rsi),%r13 +@@ -829,8 +913,8 @@ + }}} + + { +-my ($inp,$num,$tbl,$idx)=$win64?("%rcx","%rdx","%r8", "%r9") : # Win64 order +- ("%rdi","%rsi","%rdx","%rcx"); # Unix order ++my ($inp,$num,$tbl,$idx)=$win64?("%rcx","%rdx","%r8", "%r9d") : # Win64 order ++ ("%rdi","%rsi","%rdx","%ecx"); # Unix order + my $out=$inp; + my $STRIDE=2**5*8; + my $N=$STRIDE/4; +@@ -858,53 +942,89 @@ + .type bn_gather5,\@abi-omnipotent + .align 16 + bn_gather5: +-___ +-$code.=<<___ if ($win64); +-.LSEH_begin_bn_gather5: ++.LSEH_begin_bn_gather5: # Win64 thing, but harmless in other cases + # I can't trust assembler to use specific encoding:-( +- .byte 0x48,0x83,0xec,0x28 #sub \$0x28,%rsp +- .byte 0x0f,0x29,0x34,0x24 #movaps %xmm6,(%rsp) +- .byte 0x0f,0x29,0x7c,0x24,0x10 #movdqa %xmm7,0x10(%rsp) +-___ +-$code.=<<___; +- 
mov $idx,%r11 +- shr \$`log($N/8)/log(2)`,$idx +- and \$`$N/8-1`,%r11 +- not $idx +- lea .Lmagic_masks(%rip),%rax +- and \$`2**5/($N/8)-1`,$idx # 5 is "window size" +- lea 96($tbl,%r11,8),$tbl # pointer within 1st cache line +- movq 0(%rax,$idx,8),%xmm4 # set of masks denoting which +- movq 8(%rax,$idx,8),%xmm5 # cache line contains element +- movq 16(%rax,$idx,8),%xmm6 # denoted by 7th argument +- movq 24(%rax,$idx,8),%xmm7 ++ .byte 0x4c,0x8d,0x14,0x24 # lea (%rsp),%r10 ++ .byte 0x48,0x81,0xec,0x08,0x01,0x00,0x00 # sub $0x108,%rsp ++ lea .Linc(%rip),%rax ++ and \$-16,%rsp # shouldn't be formally required ++ ++ movd $idx,%xmm5 ++ movdqa 0(%rax),%xmm0 # 00000001000000010000000000000000 ++ movdqa 16(%rax),%xmm1 # 00000002000000020000000200000002 ++ lea 128($tbl),%r11 # size optimization ++ lea 128(%rsp),%rax # size optimization ++ ++ pshufd \$0,%xmm5,%xmm5 # broadcast $idx ++ movdqa %xmm1,%xmm4 ++ movdqa %xmm1,%xmm2 ++___ ++######################################################################## ++# calculate mask by comparing 0..31 to $idx and save result to stack ++# ++for($i=0;$i<$STRIDE/16;$i+=4) { ++$code.=<<___; ++ paddd %xmm0,%xmm1 ++ pcmpeqd %xmm5,%xmm0 # compare to 1,0 ++___ ++$code.=<<___ if ($i); ++ movdqa %xmm3,`16*($i-1)-128`(%rax) ++___ ++$code.=<<___; ++ movdqa %xmm4,%xmm3 ++ ++ paddd %xmm1,%xmm2 ++ pcmpeqd %xmm5,%xmm1 # compare to 3,2 ++ movdqa %xmm0,`16*($i+0)-128`(%rax) ++ movdqa %xmm4,%xmm0 ++ ++ paddd %xmm2,%xmm3 ++ pcmpeqd %xmm5,%xmm2 # compare to 5,4 ++ movdqa %xmm1,`16*($i+1)-128`(%rax) ++ movdqa %xmm4,%xmm1 ++ ++ paddd %xmm3,%xmm0 ++ pcmpeqd %xmm5,%xmm3 # compare to 7,6 ++ movdqa %xmm2,`16*($i+2)-128`(%rax) ++ movdqa %xmm4,%xmm2 ++___ ++} ++$code.=<<___; ++ movdqa %xmm3,`16*($i-1)-128`(%rax) + jmp .Lgather +-.align 16 +-.Lgather: +- movq `0*$STRIDE/4-96`($tbl),%xmm0 +- movq `1*$STRIDE/4-96`($tbl),%xmm1 +- pand %xmm4,%xmm0 +- movq `2*$STRIDE/4-96`($tbl),%xmm2 +- pand %xmm5,%xmm1 +- movq `3*$STRIDE/4-96`($tbl),%xmm3 +- pand %xmm6,%xmm2 +- por 
%xmm1,%xmm0 +- pand %xmm7,%xmm3 +- por %xmm2,%xmm0 +- lea $STRIDE($tbl),$tbl +- por %xmm3,%xmm0 + ++.align 32 ++.Lgather: ++ pxor %xmm4,%xmm4 ++ pxor %xmm5,%xmm5 ++___ ++for($i=0;$i<$STRIDE/16;$i+=4) { ++$code.=<<___; ++ movdqa `16*($i+0)-128`(%r11),%xmm0 ++ movdqa `16*($i+1)-128`(%r11),%xmm1 ++ movdqa `16*($i+2)-128`(%r11),%xmm2 ++ pand `16*($i+0)-128`(%rax),%xmm0 ++ movdqa `16*($i+3)-128`(%r11),%xmm3 ++ pand `16*($i+1)-128`(%rax),%xmm1 ++ por %xmm0,%xmm4 ++ pand `16*($i+2)-128`(%rax),%xmm2 ++ por %xmm1,%xmm5 ++ pand `16*($i+3)-128`(%rax),%xmm3 ++ por %xmm2,%xmm4 ++ por %xmm3,%xmm5 ++___ ++} ++$code.=<<___; ++ por %xmm5,%xmm4 ++ lea $STRIDE(%r11),%r11 ++ pshufd \$0x4e,%xmm4,%xmm0 ++ por %xmm4,%xmm0 + movq %xmm0,($out) # m0=bp[0] + lea 8($out),$out + sub \$1,$num + jnz .Lgather +-___ +-$code.=<<___ if ($win64); +- movaps %xmm6,(%rsp) +- movaps %xmm7,0x10(%rsp) +- lea 0x28(%rsp),%rsp +-___ +-$code.=<<___; ++ ++ lea (%r10),%rsp + ret + .LSEH_end_bn_gather5: + .size bn_gather5,.-bn_gather5 +@@ -912,9 +1032,9 @@ + } + $code.=<<___; + .align 64 +-.Lmagic_masks: +- .long 0,0, 0,0, 0,0, -1,-1 +- .long 0,0, 0,0, 0,0, 0,0 ++.Linc: ++ .long 0,0, 1,1 ++ .long 2,2, 2,2 + .asciz "Montgomery Multiplication with scatter/gather for x86_64, CRYPTOGAMS by " + ___ + +@@ -953,7 +1073,7 @@ + cmp %r10,%rbx # context->RipR13 + mov %r14,232($context) # restore context->R14 + mov %r15,240($context) # restore context->R15 +- movups %xmm0,512($context) # restore context->Xmm6 +- movups %xmm1,528($context) # restore context->Xmm7 + + .Lcommon_seh_tail: + mov 8(%rax),%rdi +@@ -1056,10 +1172,9 @@ + .rva .Lmul4x_alloca,.Lmul4x_body,.Lmul4x_epilogue # HandlerData[] + .align 8 + .LSEH_info_bn_gather5: +- .byte 0x01,0x0d,0x05,0x00 +- .byte 0x0d,0x78,0x01,0x00 #movaps 0x10(rsp),xmm7 +- .byte 0x08,0x68,0x00,0x00 #movaps (rsp),xmm6 +- .byte 0x04,0x42,0x00,0x00 #sub rsp,0x28 ++ .byte 0x01,0x0b,0x03,0x0a ++ .byte 0x0b,0x01,0x21,0x00 # sub rsp,0x108 ++ .byte 0x04,0xa3,0x00,0x00 # lea r10,(rsp), set_frame 
r10 + .align 8 + ___ + } +Index: openssl-1.0.1/crypto/bn/bn_exp.c +=================================================================== +--- openssl-1.0.1.orig/crypto/bn/bn_exp.c 2016-02-26 13:44:34.863305608 -0500 ++++ openssl-1.0.1/crypto/bn/bn_exp.c 2016-02-26 13:44:34.863305608 -0500 +@@ -111,6 +111,7 @@ + + + #include "cryptlib.h" ++#include "constant_time_locl.h" + #include "bn_lcl.h" + + #include +@@ -534,31 +535,67 @@ + * as cache lines are concerned. The following functions are used to transfer a BIGNUM + * from/to that table. */ + +-static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top, unsigned char *buf, int idx, int width) ++static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM *b, int top, unsigned char *buf, int idx, int window) + { +- size_t i, j; ++ int i, j; ++ int width = 1 << window; ++ BN_ULONG *table = (BN_ULONG *)buf; + + if (top > b->top) + top = b->top; /* this works because 'buf' is explicitly zeroed */ +- for (i = 0, j=idx; i < top * sizeof b->d[0]; i++, j+=width) +- { +- buf[j] = ((unsigned char*)b->d)[i]; +- } ++ for (i = 0, j = idx; i < top; i++, j += width) { ++ table[j] = b->d[i]; ++ } + + return 1; + } + +-static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width) ++static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int window) + { +- size_t i, j; ++ int i, j; ++ int width = 1 << window; ++ volatile BN_ULONG *table = (volatile BN_ULONG *)buf; + + if (bn_wexpand(b, top) == NULL) + return 0; + +- for (i=0, j=idx; i < top * sizeof b->d[0]; i++, j+=width) +- { +- ((unsigned char*)b->d)[i] = buf[j]; ++ if (window <= 3) { ++ for (i = 0; i < top; i++, table += width) { ++ BN_ULONG acc = 0; ++ ++ for (j = 0; j < width; j++) { ++ acc |= table[j] & ++ ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1)); ++ } ++ ++ b->d[i] = acc; + } ++ } else { ++ int xstride = 1 << (window - 2); ++ BN_ULONG y0, y1, y2, y3; ++ ++ i = idx >> (window - 2); /* equivalent of 
idx / xstride */ ++ idx &= xstride - 1; /* equivalent of idx % xstride */ ++ ++ y0 = (BN_ULONG)0 - (constant_time_eq_int(i,0)&1); ++ y1 = (BN_ULONG)0 - (constant_time_eq_int(i,1)&1); ++ y2 = (BN_ULONG)0 - (constant_time_eq_int(i,2)&1); ++ y3 = (BN_ULONG)0 - (constant_time_eq_int(i,3)&1); ++ ++ for (i = 0; i < top; i++, table += width) { ++ BN_ULONG acc = 0; ++ ++ for (j = 0; j < xstride; j++) { ++ acc |= ( (table[j + 0 * xstride] & y0) | ++ (table[j + 1 * xstride] & y1) | ++ (table[j + 2 * xstride] & y2) | ++ (table[j + 3 * xstride] & y3) ) ++ & ((BN_ULONG)0 - (constant_time_eq_int(j,idx)&1)); ++ } ++ ++ b->d[i] = acc; ++ } ++ } + + b->top = top; + bn_correct_top(b); +@@ -767,8 +804,8 @@ + else + #endif + { +- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, numPowers)) goto err; +- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, numPowers)) goto err; ++ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 0, window)) goto err; ++ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am, top, powerbuf, 1, window)) goto err; + + /* If the window size is greater than 1, then calculate + * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1) +@@ -778,20 +815,20 @@ + if (window > 1) + { + if (!BN_mod_mul_montgomery(&tmp,&am,&am,mont,ctx)) goto err; +- if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2, numPowers)) goto err; ++ if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp, top, powerbuf, 2, window)) goto err; + for (i=3; i=0; i--,bits--) + wvalue = (wvalue<<1)+BN_is_bit_set(p,bits); +- if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp,top,powerbuf,wvalue,numPowers)) goto err; ++ if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp,top,powerbuf,wvalue,window)) goto err; + + /* Scan the exponent one window at a time starting from the most + * significant bits. 
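Review bot: The fifth parameter of MOD_EXP_CTIME_COPY_TO_PREBUF and MOD_EXP_CTIME_COPY_FROM_PREBUF changes meaning from table width to window size but keeps the type `int`, so a caller that still passes `numPowers` compiles cleanly and then evaluates `1 << window` with an out-of-range shift count. Both functions now also reinterpret `buf` as a `BN_ULONG` array, which the old byte-wise copy did not need, and neither checks `idx` against the table width. I would state the contract above both functions, e.g. `/* window is log2 of the number of table entries; idx must be in [0, 1 << window); buf must be aligned for BN_ULONG */`. The alignment of `powerbuf` is set up outside this hunk and should be confirmed against the allocation code. The tail of MOD_EXP_CTIME_COPY_FROM_PREBUF lies outside the hunk.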
+@@ -808,7 +845,7 @@ + } + + /* Fetch the appropriate pre-computed value from the pre-buf */ +- if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am, top, powerbuf, wvalue, numPowers)) goto err; ++ if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am, top, powerbuf, wvalue, window)) goto err; + + /* Multiply the result into the intermediate result */ + if (!BN_mod_mul_montgomery(&tmp,&tmp,&am,mont,ctx)) goto err; +Index: openssl-1.0.1/crypto/perlasm/x86_64-xlate.pl +=================================================================== +--- openssl-1.0.1.orig/crypto/perlasm/x86_64-xlate.pl 2016-02-26 13:44:34.863305608 -0500 ++++ openssl-1.0.1/crypto/perlasm/x86_64-xlate.pl 2016-02-26 13:44:34.863305608 -0500 +@@ -121,7 +121,7 @@ + $self->{sz} = ""; + } elsif ($self->{op} =~ /^v/) { # VEX + $self->{sz} = ""; +- } elsif ($self->{op} =~ /movq/ && $line =~ /%xmm/) { ++ } elsif ($self->{op} =~ /mov[dq]/ && $line =~ /%xmm/) { + $self->{sz} = ""; + } elsif ($self->{op} =~ /([a-z]{3,})([qlwb])$/) { + $self->{op} = $1; +Index: openssl-1.0.1/crypto/constant_time_locl.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ openssl-1.0.1/crypto/constant_time_locl.h 2016-02-26 13:44:34.863305608 -0500 +@@ -0,0 +1,211 @@ ++/* crypto/constant_time_locl.h */ ++/*- ++ * Utilities for constant-time cryptography. ++ * ++ * Author: Emilia Kasper (emilia@openssl.org) ++ * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley ++ * (Google). ++ * ==================================================================== ++ * Copyright (c) 2014 The OpenSSL Project. All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. 
Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. All advertising materials mentioning features or use of this software ++ * must display the following acknowledgement: ++ * "This product includes cryptographic software written by ++ * Eric Young (eay@cryptsoft.com)" ++ * The word 'cryptographic' can be left out if the rouines from the library ++ * being used are not cryptographic related :-). ++ * 4. If you include any Windows specific code (or a derivative thereof) from ++ * the apps directory (application code) you must include an acknowledgement: ++ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" ++ * ++ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. ++ * ++ * The licence and distribution terms for any publically available version or ++ * derivative of this code cannot be changed. i.e. this code cannot simply be ++ * copied and put under another distribution licence ++ * [including the GNU Public Licence.] 
++ */ ++ ++#ifndef HEADER_CONSTANT_TIME_LOCL_H ++# define HEADER_CONSTANT_TIME_LOCL_H ++ ++# include "e_os.h" /* For 'inline' */ ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++/*- ++ * The boolean methods return a bitmask of all ones (0xff...f) for true ++ * and 0 for false. This is useful for choosing a value based on the result ++ * of a conditional in constant time. For example, ++ * ++ * if (a < b) { ++ * c = a; ++ * } else { ++ * c = b; ++ * } ++ * ++ * can be written as ++ * ++ * unsigned int lt = constant_time_lt(a, b); ++ * c = constant_time_select(lt, a, b); ++ */ ++ ++/* ++ * Returns the given value with the MSB copied to all the other ++ * bits. Uses the fact that arithmetic shift shifts-in the sign bit. ++ * However, this is not ensured by the C standard so you may need to ++ * replace this with something else on odd CPUs. ++ */ ++static inline unsigned int constant_time_msb(unsigned int a); ++ ++/* ++ * Returns 0xff..f if a < b and 0 otherwise. ++ */ ++static inline unsigned int constant_time_lt(unsigned int a, unsigned int b); ++/* Convenience method for getting an 8-bit mask. */ ++static inline unsigned char constant_time_lt_8(unsigned int a, ++ unsigned int b); ++ ++/* ++ * Returns 0xff..f if a >= b and 0 otherwise. ++ */ ++static inline unsigned int constant_time_ge(unsigned int a, unsigned int b); ++/* Convenience method for getting an 8-bit mask. */ ++static inline unsigned char constant_time_ge_8(unsigned int a, ++ unsigned int b); ++ ++/* ++ * Returns 0xff..f if a == 0 and 0 otherwise. ++ */ ++static inline unsigned int constant_time_is_zero(unsigned int a); ++/* Convenience method for getting an 8-bit mask. */ ++static inline unsigned char constant_time_is_zero_8(unsigned int a); ++ ++/* ++ * Returns 0xff..f if a == b and 0 otherwise. ++ */ ++static inline unsigned int constant_time_eq(unsigned int a, unsigned int b); ++/* Convenience method for getting an 8-bit mask. 
*/ ++static inline unsigned char constant_time_eq_8(unsigned int a, ++ unsigned int b); ++/* Signed integers. */ ++static inline unsigned int constant_time_eq_int(int a, int b); ++/* Convenience method for getting an 8-bit mask. */ ++static inline unsigned char constant_time_eq_int_8(int a, int b); ++ ++/*- ++ * Returns (mask & a) | (~mask & b). ++ * ++ * When |mask| is all 1s or all 0s (as returned by the methods above), ++ * the select methods return either |a| (if |mask| is nonzero) or |b| ++ * (if |mask| is zero). ++ */ ++static inline unsigned int constant_time_select(unsigned int mask, ++ unsigned int a, ++ unsigned int b); ++/* Convenience method for unsigned chars. */ ++static inline unsigned char constant_time_select_8(unsigned char mask, ++ unsigned char a, ++ unsigned char b); ++/* Convenience method for signed integers. */ ++static inline int constant_time_select_int(unsigned int mask, int a, int b); ++ ++static inline unsigned int constant_time_msb(unsigned int a) ++{ ++ return 0 - (a >> (sizeof(a) * 8 - 1)); ++} ++ ++static inline unsigned int constant_time_lt(unsigned int a, unsigned int b) ++{ ++ return constant_time_msb(a ^ ((a ^ b) | ((a - b) ^ b))); ++} ++ ++static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b) ++{ ++ return (unsigned char)(constant_time_lt(a, b)); ++} ++ ++static inline unsigned int constant_time_ge(unsigned int a, unsigned int b) ++{ ++ return ~constant_time_lt(a, b); ++} ++ ++static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b) ++{ ++ return (unsigned char)(constant_time_ge(a, b)); ++} ++ ++static inline unsigned int constant_time_is_zero(unsigned int a) ++{ ++ return constant_time_msb(~a & (a - 1)); ++} ++ ++static inline unsigned char constant_time_is_zero_8(unsigned int a) ++{ ++ return (unsigned char)(constant_time_is_zero(a)); ++} ++ ++static inline unsigned int constant_time_eq(unsigned int a, unsigned int b) ++{ ++ return constant_time_is_zero(a ^ b); ++} ++ ++static 
inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b) ++{ ++ return (unsigned char)(constant_time_eq(a, b)); ++} ++ ++static inline unsigned int constant_time_eq_int(int a, int b) ++{ ++ return constant_time_eq((unsigned)(a), (unsigned)(b)); ++} ++ ++static inline unsigned char constant_time_eq_int_8(int a, int b) ++{ ++ return constant_time_eq_8((unsigned)(a), (unsigned)(b)); ++} ++ ++static inline unsigned int constant_time_select(unsigned int mask, ++ unsigned int a, ++ unsigned int b) ++{ ++ return (mask & a) | (~mask & b); ++} ++ ++static inline unsigned char constant_time_select_8(unsigned char mask, ++ unsigned char a, ++ unsigned char b) ++{ ++ return (unsigned char)(constant_time_select(mask, a, b)); ++} ++ ++static inline int constant_time_select_int(unsigned int mask, int a, int b) ++{ ++ return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b))); ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* HEADER_CONSTANT_TIME_LOCL_H */ diff -Nru openssl-1.0.1/debian/patches/CVE-2016-0705.patch openssl-1.0.1/debian/patches/CVE-2016-0705.patch --- openssl-1.0.1/debian/patches/CVE-2016-0705.patch 1970-01-01 00:00:00.000000000 +0000 +++ openssl-1.0.1/debian/patches/CVE-2016-0705.patch 2016-02-26 15:53:03.000000000 +0000 
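Review bot: The comment above the `constant_time_msb` prototype says the function relies on an arithmetic shift shifting in the sign bit and that the C standard does not guarantee this, but the body is `0 - (a >> (sizeof(a) * 8 - 1))` on an `unsigned int`, which is a logical shift with fully defined behaviour. The stale caveat invites a later "portability fix" to a primitive that every mask in the new bn_exp.c gather code depends on. I would reword it to `/* Returns the given value with the MSB copied to all the other bits. */`. The only real assumption in the body is 8-bit bytes (`sizeof(a) * 8`), which could be noted instead.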
@@ -0,0 +1,68 @@
+Backport of:
+
+From ccb2a614074ee15c0fbbb9dd49e3cd258d68380a Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson"
+Date: Thu, 18 Feb 2016 12:47:23 +0000
+Subject: [PATCH] Fix double free in DSA private key parsing.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Fix double free bug when parsing malformed DSA private keys.
+
+Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
+libFuzzer.
+
+CVE-2016-0705
+
+Reviewed-by: Emilia Käsper
+(cherry picked from commit 6c88c71b4e4825c7bc0489306d062d017634eb88)
+---
+ crypto/dsa/dsa_ameth.c | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+Index: openssl-1.0.1f/crypto/dsa/dsa_ameth.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/dsa/dsa_ameth.c 2016-02-26 09:35:37.374651903 -0500
++++ openssl-1.0.1f/crypto/dsa/dsa_ameth.c 2016-02-26 09:38:18.028130474 -0500
+@@ -201,6 +201,8 @@
+ STACK_OF(ASN1_TYPE) *ndsa = NULL;
+ DSA *dsa = NULL;
+
++ int ret = 0;
++
+ if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8))
+ return 0;
+ X509_ALGOR_get0(NULL, &ptype, &pval, palg);
+@@ -281,23 +283,21 @@
+ }
+
+ EVP_PKEY_assign_DSA(pkey, dsa);
+- BN_CTX_free (ctx);
+- if(ndsa)
+- sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+- else
+- ASN1_INTEGER_free(privkey);
+
+- return 1;
++ ret = 1;
++ goto done;
+
+ decerr:
+ DSAerr(DSA_F_DSA_PRIV_DECODE, EVP_R_DECODE_ERROR);
+ dsaerr:
++ DSA_free(dsa);
++ done:
+ BN_CTX_free (ctx);
+- if (privkey)
++ if (ndsa)
++ sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
++ else
+ ASN1_INTEGER_free(privkey);
+- sk_ASN1_TYPE_pop_free(ndsa, ASN1_TYPE_free);
+- DSA_free(dsa);
+- return 0;
++ return ret;
+ }
+
+ static int dsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey)
diff -Nru openssl-1.0.1/debian/patches/CVE-2016-0797.patch openssl-1.0.1/debian/patches/CVE-2016-0797.patch
--- openssl-1.0.1/debian/patches/CVE-2016-0797.patch
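Review bot: The new `done:` cleanup frees either `ndsa` or `privkey` but never both, and nothing in the code says why. The removed error path freed both, which suggests that `privkey` points into an element of `ndsa` whenever `ndsa` is set; that aliasing is established outside these hunks and should be confirmed. I would put a comment on the `if (ndsa)` line, such as `/* when ndsa is set, privkey is one of its elements and is released by the pop_free */`, so that a later edit does not reintroduce the double free. The function starts before the first hunk.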
1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/CVE-2016-0797.patch 2016-02-26 18:44:11.000000000 +0000
@@ -0,0 +1,117 @@
+Backport of:
+
+From 57ca428d6626f59c1b800c44d558cd2b6afdbf31 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Mon, 22 Feb 2016 10:27:18 +0000
+Subject: [PATCH] Fix BN_hex2bn/BN_dec2bn NULL ptr/heap corruption
+
+In the BN_hex2bn function the number of hex digits is calculated using
+an int value |i|. Later |bn_expand| is called with a value of |i * 4|.
+For large values of |i| this can result in |bn_expand| not allocating any
+memory because |i * 4| is negative. This leaves ret->d as NULL leading
+to a subsequent NULL ptr deref. For very large values of |i|, the
+calculation |i * 4| could be a positive value smaller than |i|. In this
+case memory is allocated to ret->d, but it is insufficiently sized
+leading to heap corruption. A similar issue exists in BN_dec2bn.
+
+This could have security consequences if BN_hex2bn/BN_dec2bn is ever
+called by user applications with very large untrusted hex/dec data.
+
+All OpenSSL internal usage of this function uses data that is not expected
+to be untrusted, e.g. config file data or application command line
+arguments. If user developed applications generate config file data based
+on untrusted data then it is possible that this could also lead to security
+consequences.
+
+CVE-2016-0797
+---
+ crypto/bn/bn_print.c | 13 +++++++++----
+ crypto/include/internal/bn_int.h | 14 ++++++++++++--
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+Index: openssl-1.0.1f/crypto/bn/bn_print.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/bn/bn_print.c 2016-02-26 13:03:29.000095619 -0500
++++ openssl-1.0.1f/crypto/bn/bn_print.c 2016-02-26 13:04:52.777060606 -0500
+@@ -58,6 +58,7 @@
+
+ #include
+ #include
++#include
+ #include "cryptlib.h"
+ #include
+ #include "bn_lcl.h"
+@@ -180,8 +181,9 @@
+
+ if (*a == '-') { neg=1; a++; }
+
+- for (i=0; isxdigit((unsigned char) a[i]); i++)
+- ;
++ for (i = 0; i <= (INT_MAX/4) && isxdigit((unsigned char)a[i]); i++);
++ if (i > INT_MAX/4)
++ goto err;
+
+ num=i+neg;
+ if (bn == NULL) return(num);
+@@ -197,7 +199,7 @@
+ BN_zero(ret);
+ }
+
+- /* i is the number of hex digests; */
++ /* i is the number of hex digits */
+ if (bn_expand(ret,i*4) == NULL) goto err;
+
+ j=i; /* least significant 'hex' */
+@@ -246,8 +248,9 @@
+ if ((a == NULL) || (*a == '\0')) return(0);
+ if (*a == '-') { neg=1; a++; }
+
+- for (i=0; isdigit((unsigned char) a[i]); i++)
+- ;
++ for (i = 0; i <= (INT_MAX/4) && isdigit((unsigned char)a[i]); i++);
++ if (i > INT_MAX/4)
++ goto err;
+
+ num=i+neg;
+ if (bn == NULL) return(num);
+@@ -264,7 +267,7 @@
+ BN_zero(ret);
+ }
+
+- /* i is the number of digests, a bit of an over expand; */
++ /* i is the number of digits, a bit of an over expand */
+ if (bn_expand(ret,i*4) == NULL) goto err;
+
+ j=BN_DEC_NUM-(i%BN_DEC_NUM);
+Index: openssl-1.0.1f/crypto/bn/bn.h
+===================================================================
+--- openssl-1.0.1f.orig/crypto/bn/bn.h 2016-02-26 13:03:29.000095619 -0500
++++ openssl-1.0.1f/crypto/bn/bn.h 2016-02-26 13:05:46.729680720 -0500
+@@ -131,6 +131,7 @@
+ #endif
+ #include
+ #include
++#include
+
+ #ifdef __cplusplus
+ extern "C" {
+@@ -696,8 +697,17 @@
+
+ /* library internal functions */
+
+-#define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
+- (a):bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2))
++#define bn_expand(a,bits) \
++ ( \
++ bits > (INT_MAX - BN_BITS2 + 1) ? \
++ NULL \
++ : \
++ (((bits+BN_BITS2-1)/BN_BITS2) <= (a)->dmax) ? \
++ (a) \
++ : \
++ bn_expand2((a),(bits+BN_BITS2-1)/BN_BITS2) \
++ )
++
+ #define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words)))
+ BIGNUM *bn_expand2(BIGNUM *a, int words);
+ #ifndef OPENSSL_NO_DEPRECATED
diff -Nru openssl-1.0.1/debian/patches/CVE-2016-0798.patch openssl-1.0.1/debian/patches/CVE-2016-0798.patch
--- openssl-1.0.1/debian/patches/CVE-2016-0798.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/CVE-2016-0798.patch 2016-02-26 15:53:12.000000000 +0000
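Review bot: In both BN_hex2bn and BN_dec2bn the new `if (i > INT_MAX/4) goto err;` sits before the existing `if (bn == NULL) return(num);`, so the error label is now reachable with `bn == NULL`. The `err:` block is outside these hunks; if it inspects `*bn` to decide whether to free `ret`, that path dereferences a null pointer. Nothing in the visible lines has been allocated by then, so `return(0);` in place of `goto err;` would avoid depending on the cleanup code. Both functions begin and end outside the hunks.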
@@ -0,0 +1,309 @@ +Backport of: + +From 59a908f1e8380412a81392c468b83bf6071beb2a Mon Sep 17 00:00:00 2001 +From: Emilia Kasper +Date: Wed, 24 Feb 2016 12:59:59 +0100 +Subject: [PATCH] CVE-2016-0798: avoid memory leak in SRP + +The SRP user database lookup method SRP_VBASE_get_by_user had confusing +memory management semantics; the returned pointer was sometimes newly +allocated, and sometimes owned by the callee. The calling code has no +way of distinguishing these two cases. + +Specifically, SRP servers that configure a secret seed to hide valid +login information are vulnerable to a memory leak: an attacker +connecting with an invalid username can cause a memory leak of around +300 bytes per connection. + +Servers that do not configure SRP, or configure SRP but do not configure +a seed are not vulnerable. + +In Apache, the seed directive is known as SSLSRPUnknownUserSeed. + +To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user +is now disabled even if the user has configured a seed. + +Applications are advised to migrate to SRP_VBASE_get1_by_user. However, +note that OpenSSL makes no strong guarantees about the +indistinguishability of valid and invalid logins. In particular, +computations are currently not carried out in constant time. + +Reviewed-by: Rich Salz +--- + CHANGES | 19 +++++++++++++++++- + apps/s_server.c | 39 ++++++++++++++++++++++------------- + crypto/srp/srp.h | 10 +++++++++ + crypto/srp/srp_vfy.c | 57 +++++++++++++++++++++++++++++++++++++++++++++++----- + util/libeay.num | 2 ++ + 5 files changed, 107 insertions(+), 20 deletions(-) + +#diff --git a/CHANGES b/CHANGES +#index cdc4e6f..b95a3ed 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -4,7 +4,24 @@ +# +# Changes between 1.0.1r and 1.0.1s [xx XXX xxxx] +# +#- *) +#+ *) Disable SRP fake user seed to address a server memory leak. +#+ +#+ Add a new method SRP_VBASE_get1_by_user that handles the seed properly. 
+#+ +#+ SRP_VBASE_get_by_user had inconsistent memory management behaviour. +#+ In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user +#+ was changed to ignore the "fake user" SRP seed, even if the seed +#+ is configured. +#+ +#+ Users should use SRP_VBASE_get1_by_user instead. Note that in +#+ SRP_VBASE_get1_by_user, caller must free the returned value. Note +#+ also that even though configuring the SRP seed attempts to hide +#+ invalid usernames by continuing the handshake with fake +#+ credentials, this behaviour is not constant time and no strong +#+ guarantees are made that the handshake is indistinguishable from +#+ that of a valid user. +#+ (CVE-2016-0798) +#+ [Emilia Käsper] +# +# Changes between 1.0.1q and 1.0.1r [28 Jan 2016] +# +Index: openssl-1.0.1/apps/s_server.c +=================================================================== +--- openssl-1.0.1.orig/apps/s_server.c 2016-02-26 10:53:09.954635195 -0500 ++++ openssl-1.0.1/apps/s_server.c 2016-02-26 10:53:09.946635114 -0500 +@@ -415,6 +415,8 @@ + static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) + { + srpsrvparm *p = (srpsrvparm *)arg; ++ int ret = SSL3_AL_FATAL; ++ + if (p->login == NULL && p->user == NULL ) + { + p->login = SSL_get_srp_username(s); +@@ -425,19 +427,23 @@ + if (p->user == NULL) + { + BIO_printf(bio_err, "User %s doesn't exist\n", p->login); +- return SSL3_AL_FATAL; ++ goto err; + } ++ + if (SSL_set_srp_server_param(s, p->user->N, p->user->g, p->user->s, p->user->v, + p->user->info) < 0) + { + *ad = SSL_AD_INTERNAL_ERROR; +- return SSL3_AL_FATAL; ++ goto err; + } + BIO_printf(bio_err, "SRP parameters set: username = \"%s\" info=\"%s\" \n", p->login,p->user->info); +- /* need to check whether there are memory leaks */ ++ ret = SSL_ERROR_NONE; ++ ++err: ++ SRP_user_pwd_free(p->user); + p->user = NULL; + p->login = NULL; +- return SSL_ERROR_NONE; ++ return ret; + } + + #endif +@@ -2265,7 +2271,8 @@ + while (SSL_get_error(con,k) == 
SSL_ERROR_WANT_X509_LOOKUP) + { + BIO_printf(bio_s_out,"LOOKUP renego during write\n"); +- srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); ++ SRP_user_pwd_free(srp_callback_parm.user); ++ srp_callback_parm.user = SRP_VBASE_get1_by_user(srp_callback_parm.vb, srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); + else +@@ -2324,7 +2331,8 @@ + while (SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) + { + BIO_printf(bio_s_out,"LOOKUP renego during read\n"); +- srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); ++ SRP_user_pwd_free(srp_callback_parm.user); ++ srp_callback_parm.user = SRP_VBASE_get1_by_user(srp_callback_parm.vb, srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); + else +@@ -2413,7 +2421,8 @@ + while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) + { + BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login); +- srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); ++ SRP_user_pwd_free(srp_callback_parm.user); ++ srp_callback_parm.user = SRP_VBASE_get1_by_user(srp_callback_parm.vb, srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); + else +@@ -2652,7 +2661,8 @@ + while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) + { + BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login); +- srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); ++ SRP_user_pwd_free(srp_callback_parm.user); ++ srp_callback_parm.user = SRP_VBASE_get1_by_user(srp_callback_parm.vb, srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); + else 
+Index: openssl-1.0.1/crypto/srp/srp.h +=================================================================== +--- openssl-1.0.1.orig/crypto/srp/srp.h 2016-02-26 10:53:09.954635195 -0500 ++++ openssl-1.0.1/crypto/srp/srp.h 2016-02-26 10:53:09.946635114 -0500 +@@ -83,16 +83,21 @@ + + typedef struct SRP_user_pwd_st + { ++ /* Owned by us. */ + char *id; + BIGNUM *s; + BIGNUM *v; ++ /* Not owned by us. */ + const BIGNUM *g; + const BIGNUM *N; ++ /* Owned by us. */ + char *info; + } SRP_user_pwd; + + DECLARE_STACK_OF(SRP_user_pwd) + ++void SRP_user_pwd_free(SRP_user_pwd *user_pwd); ++ + typedef struct SRP_VBASE_st + { + STACK_OF(SRP_user_pwd) *users_pwd; +@@ -117,7 +122,12 @@ + SRP_VBASE *SRP_VBASE_new(char *seed_key); + int SRP_VBASE_free(SRP_VBASE *vb); + int SRP_VBASE_init(SRP_VBASE *vb, char * verifier_file); ++ ++/* This method ignores the configured seed and fails for an unknown user. */ + SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username); ++/* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/ ++SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username); ++ + char *SRP_create_verifier(const char *user, const char *pass, char **salt, + char **verifier, const char *N, const char *g); + int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, BIGNUM **verifier, BIGNUM *N, BIGNUM *g); +Index: openssl-1.0.1/crypto/srp/srp_vfy.c +=================================================================== +--- openssl-1.0.1.orig/crypto/srp/srp_vfy.c 2016-02-26 10:53:09.954635195 -0500 ++++ openssl-1.0.1/crypto/srp/srp_vfy.c 2016-02-26 10:53:09.946635114 -0500 +@@ -179,7 +179,7 @@ + return olddst; + } + +-static void SRP_user_pwd_free(SRP_user_pwd *user_pwd) ++void SRP_user_pwd_free(SRP_user_pwd *user_pwd) + { + if (user_pwd == NULL) + return; +@@ -241,6 +241,24 @@ + return (vinfo->s != NULL && vinfo->v != NULL) ; + } + ++static SRP_user_pwd *srp_user_pwd_dup(SRP_user_pwd *src) ++{ ++ SRP_user_pwd *ret; ++ ++ 
if (src == NULL)
++ return NULL;
++ if ((ret = SRP_user_pwd_new()) == NULL)
++ return NULL;
++
++ SRP_user_pwd_set_gN(ret, src->g, src->N);
++ if (!SRP_user_pwd_set_ids(ret, src->id, src->info)
++ || !SRP_user_pwd_set_sv_BN(ret, BN_dup(src->s), BN_dup(src->v))) {
++ SRP_user_pwd_free(ret);
++ return NULL;
++ }
++ return ret;
++}
++
+ SRP_VBASE *SRP_VBASE_new(char *seed_key)
+ {
+ SRP_VBASE *vb = (SRP_VBASE *) OPENSSL_malloc(sizeof(SRP_VBASE));
+@@ -472,22 +490,51 @@
+ }
+
+
+-SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username)
++static SRP_user_pwd *find_user(SRP_VBASE *vb, char *username)
+ {
+ int i;
+ SRP_user_pwd *user;
+- unsigned char digv[SHA_DIGEST_LENGTH];
+- unsigned char digs[SHA_DIGEST_LENGTH];
+- EVP_MD_CTX ctxt;
+
+ if (vb == NULL)
+ return NULL;
++
+ for(i = 0; i < sk_SRP_user_pwd_num(vb->users_pwd); i++)
+ {
+ user = sk_SRP_user_pwd_value(vb->users_pwd, i);
+ if (strcmp(user->id,username)==0)
+ return user;
+ }
++
++ return NULL;
++}
++
++/*
++ * This method ignores the configured seed and fails for an unknown user.
++ * Ownership of the returned pointer is not released to the caller.
++ * In other words, caller must not free the result.
++ */
++SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username)
++{
++ return find_user(vb, username);
++}
++
++/*
++ * Ownership of the returned pointer is released to the caller.
++ * In other words, caller must free the result once done.
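Review bot: `srp_user_pwd_dup()` in the `@@ -241` hunk needs a comment saying that the copy is not fully independent of its source. `SRP_user_pwd_set_gN(ret, src->g, src->N)` hands the source's `g` and `N` pointers through, and srp.h in this same patch marks those two fields "Not owned by us", so a result of `SRP_VBASE_get1_by_user()` presumably has to be freed before the `SRP_VBASE` that supplied them; `SRP_user_pwd_set_gN` itself is outside the hunk and should be checked. Suggested comment above the function: `/* Copies id, info, s and v; g and N are shared with src and must outlive the copy. */`.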
++ */
++SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username)
++{
++ SRP_user_pwd *user;
++ unsigned char digv[SHA_DIGEST_LENGTH];
++ unsigned char digs[SHA_DIGEST_LENGTH];
++ EVP_MD_CTX ctxt;
++
++ if (vb == NULL)
++ return NULL;
++
++ if ((user = find_user(vb, username)) != NULL)
++ return srp_user_pwd_dup(user);
++
+ if ((vb->seed_key == NULL) ||
+ (vb->default_g == NULL) ||
+ (vb->default_N == NULL))
+Index: openssl-1.0.1/util/libeay.num
+===================================================================
+--- openssl-1.0.1.orig/util/libeay.num 2016-02-26 10:53:09.954635195 -0500
++++ openssl-1.0.1/util/libeay.num 2016-02-26 10:53:09.950635154 -0500
+@@ -1806,6 +1806,8 @@
+ ASN1_UTCTIME_get 2350 NOEXIST::FUNCTION:
+ X509_REQ_digest 2362 EXIST::FUNCTION:EVP
+ X509_CRL_digest 2391 EXIST::FUNCTION:EVP
++SRP_VBASE_get1_by_user 2393 EXIST::FUNCTION:SRP
++SRP_user_pwd_free 2394 EXIST::FUNCTION:SRP
+ d2i_ASN1_SET_OF_PKCS7 2397 NOEXIST::FUNCTION:
+ EVP_CIPHER_CTX_set_key_length 2399 EXIST::FUNCTION:
+ EVP_CIPHER_CTX_ctrl 2400 EXIST::FUNCTION:
+Index: openssl-1.0.1/openssl.ld
+===================================================================
+--- openssl-1.0.1.orig/openssl.ld 2016-02-26 10:53:09.954635195 -0500
++++ openssl-1.0.1/openssl.ld 2016-02-26 10:53:09.954635195 -0500
+@@ -4507,6 +4507,8 @@
+ SSL_SESSION_get_compress_id;
+
+ SRP_VBASE_get_by_user;
++ SRP_VBASE_get1_by_user;
++ SRP_user_pwd_free;
+ SRP_Calc_server_key;
+ SRP_create_verifier;
+ SRP_create_verifier_BN;
diff -Nru openssl-1.0.1/debian/patches/CVE-2016-0799.patch openssl-1.0.1/debian/patches/CVE-2016-0799.patch
--- openssl-1.0.1/debian/patches/CVE-2016-0799.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/CVE-2016-0799.patch 2016-02-26 15:53:25.000000000 +0000
@@ -0,0 +1,459 @@
+Backport of:
+
+From a801bf263849a2ef773e5bc0c86438cbba720835 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Thu, 25 Feb 2016 13:09:46 +0000
+Subject: [PATCH] Fix memory issues in BIO_*printf functions
+
+The internal |fmtstr| function used in processing a "%s" format string
+in the BIO_*printf functions could overflow while calculating the length
+of a string and cause an OOB read when printing very long strings.
+
+Additionally the internal |doapr_outch| function can attempt to write to
+an OOB memory location (at an offset from the NULL pointer) in the event of
+a memory allocation failure. In 1.0.2 and below this could be caused where
+the size of a buffer to be allocated is greater than INT_MAX. E.g. this
+could be in processing a very long "%s" format string. Memory leaks can also
+occur.
+
+These issues will only occur on certain platforms where sizeof(size_t) >
+sizeof(int). E.g. many 64 bit systems. The first issue may mask the second
+issue dependent on compiler behaviour.
+
+These problems could enable attacks where large amounts of untrusted data
+is passed to the BIO_*printf functions. If applications use these functions
+in this way then they could be vulnerable. OpenSSL itself uses these
+functions when printing out human-readable dumps of ASN.1 data. Therefore
+applications that print this data could be vulnerable if the data is from
+untrusted sources. OpenSSL command line applications could also be
+vulnerable where they print out ASN.1 data, or if untrusted data is passed
+as command line arguments.
+
+Libssl is not considered directly vulnerable. Additionally certificates etc
+received via remote connections via libssl are also unlikely to be able to
+trigger these issues because of message size limits enforced within libssl.
+
+CVE-2016-0799
+
+Issue reported by Guido Vranken.
+
+Reviewed-by: Andy Polyakov
+(cherry picked from commit 578b956fe741bf8e84055547b1e83c28dd902c73)
+---
+ crypto/bio/b_print.c | 187 ++++++++++++++++++++++++++++++++-------------------
+ 1 file changed, 116 insertions(+), 71 deletions(-)
+
+Index: openssl-1.0.1f/crypto/bio/b_print.c
+===================================================================
+--- openssl-1.0.1f.orig/crypto/bio/b_print.c 2016-02-26 09:50:10.598587200 -0500
++++ openssl-1.0.1f/crypto/bio/b_print.c 2016-02-26 10:05:21.762908573 -0500
+@@ -125,16 +125,16 @@
+ #define LLONG long
+ #endif
+
+-static void fmtstr (char **, char **, size_t *, size_t *,
++static int fmtstr (char **, char **, size_t *, size_t *,
+ const char *, int, int, int);
+-static void fmtint (char **, char **, size_t *, size_t *,
++static int fmtint (char **, char **, size_t *, size_t *,
+ LLONG, int, int, int, int);
+-static void fmtfp (char **, char **, size_t *, size_t *,
++static int fmtfp (char **, char **, size_t *, size_t *,
+ LDOUBLE, int, int, int);
+-static void doapr_outch (char **, char **, size_t *, size_t *, int);
+-static void _dopr(char **sbuffer, char **buffer,
+- size_t *maxlen, size_t *retlen, int *truncated,
+- const char *format, va_list args);
++static int doapr_outch (char **, char **, size_t *, size_t *, int);
++static int _dopr(char **sbuffer, char **buffer,
++ size_t *maxlen, size_t *retlen, int *truncated,
++ const char *format, va_list args);
+
+ /* format read states */
+ #define DP_S_DEFAULT 0
+@@ -165,7 +165,7 @@
+ #define char_to_int(p) (p - '0')
+ #define OSSL_MAX(p,q) ((p >= q) ?
p : q)
+
+-static void
++static int
+ _dopr(
+ char **sbuffer,
+ char **buffer,
+@@ -200,7 +200,8 @@
+ if (ch == '%')
+ state = DP_S_FLAGS;
+ else
+- doapr_outch(sbuffer,buffer, &currlen, maxlen, ch);
++ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
++ return 0;
+ ch = *format++;
+ break;
+ case DP_S_FLAGS:
+@@ -306,8 +307,9 @@
+ value = va_arg(args, int);
+ break;
+ }
+- fmtint(sbuffer, buffer, &currlen, maxlen,
+- value, 10, min, max, flags);
++ if (!fmtint(sbuffer, buffer, &currlen, maxlen, value, 10, min,
++ max, flags))
++ return 0;
+ break;
+ case 'X':
+ flags |= DP_F_UP;
+@@ -332,17 +334,19 @@
+ unsigned int);
+ break;
+ }
+- fmtint(sbuffer, buffer, &currlen, maxlen, value,
+- ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
+- min, max, flags);
++ if (!fmtint(sbuffer, buffer, &currlen, maxlen, value,
++ ch == 'o' ? 8 : (ch == 'u' ? 10 : 16),
++ min, max, flags))
++ return 0;
+ break;
+ case 'f':
+ if (cflags == DP_C_LDOUBLE)
+ fvalue = va_arg(args, LDOUBLE);
+ else
+ fvalue = va_arg(args, double);
+- fmtfp(sbuffer, buffer, &currlen, maxlen,
+- fvalue, min, max, flags);
++ if (!fmtfp(sbuffer, buffer, &currlen, maxlen, fvalue, min, max,
++ flags))
++ return 0;
+ break;
+ case 'E':
+ flags |= DP_F_UP;
+@@ -361,8 +365,9 @@
+ fvalue = va_arg(args, double);
+ break;
+ case 'c':
+- doapr_outch(sbuffer, buffer, &currlen, maxlen,
+- va_arg(args, int));
++ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen,
++ va_arg(args, int)))
++ return 0;
+ break;
+ case 's':
+ strvalue = va_arg(args, char *);
+@@ -372,13 +377,15 @@
+ else
+ max = *maxlen;
+ }
+- fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
+- flags, min, max);
++ if (!fmtstr(sbuffer, buffer, &currlen, maxlen, strvalue,
++ flags, min, max))
++ return 0;
+ break;
+ case 'p':
+ value = (long)va_arg(args, void *);
+- fmtint(sbuffer, buffer, &currlen, maxlen,
+- value, 16, min, max, flags|DP_F_NUM);
++ if (!fmtint(sbuffer, buffer, &currlen, maxlen,
++ value, 16, min, max, flags | DP_F_NUM))
++ return 0;
+
break;
+ case 'n': /* XXX */
+ if (cflags == DP_C_SHORT) {
+@@ -400,7 +407,8 @@
+ }
+ break;
+ case '%':
+- doapr_outch(sbuffer, buffer, &currlen, maxlen, ch);
++ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, ch))
++ return 0;
+ break;
+ case 'w':
+ /* not supported yet, treat as next char */
+@@ -424,12 +432,13 @@
+ *truncated = (currlen > *maxlen - 1);
+ if (*truncated)
+ currlen = *maxlen - 1;
+- doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0');
++ if(!doapr_outch(sbuffer, buffer, &currlen, maxlen, '\0'))
++ return 0;
+ *retlen = currlen - 1;
+- return;
++ return 1;
+ }
+
+-static void
++static int
+ fmtstr(
+ char **sbuffer,
+ char **buffer,
+@@ -440,36 +449,44 @@
+ int min,
+ int max)
+ {
+- int padlen, strln;
++ int padlen;
++ size_t strln;
+ int cnt = 0;
+
+ if (value == 0)
+ value = "";
+- for (strln = 0; value[strln]; ++strln)
+- ;
++
++ strln = strlen(value);
++ if (strln > INT_MAX)
++ strln = INT_MAX;
++
+ padlen = min - strln;
+- if (padlen < 0)
++ if (min < 0 || padlen < 0)
+ padlen = 0;
+ if (flags & DP_F_MINUS)
+ padlen = -padlen;
+
+ while ((padlen > 0) && (cnt < max)) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
++ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
++ return 0;
+ --padlen;
+ ++cnt;
+ }
+ while (*value && (cnt < max)) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, *value++);
++ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *value++))
++ return 0;
+ ++cnt;
+ }
+ while ((padlen < 0) && (cnt < max)) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
++ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
++ return 0;
+ ++padlen;
+ ++cnt;
+ }
++ return 1;
+ }
+
+-static void
++static int
+ fmtint(
+ char **sbuffer,
+ char **buffer,
+@@ -533,37 +550,44 @@
+
+ /* spaces */
+ while (spadlen > 0) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
++ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
++ return 0;
+ --spadlen;
+ }
+
+ /* sign */
+ if (signvalue)
+- doapr_outch(sbuffer,
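Review bot: In `fmtstr` (the `@@ -440` hunk), `padlen = min - strln;` now subtracts a `size_t` from an `int`, so the arithmetic is unsigned and the result is converted back to `int`, which is implementation-defined whenever `strln` is larger than `min`. The following `if (min < 0 || padlen < 0)` relies on that conversion producing a negative value. Since `strln` has already been clamped to `INT_MAX`, both lines can be replaced by one that never leaves the signed range: `padlen = (min < 0 || strln >= (size_t)min) ? 0 : min - (int)strln;`.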
buffer, currlen, maxlen, signvalue);
++ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
++ return 0;
+
+ /* prefix */
+ while (*prefix) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
++ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix))
++ return 0;
+ prefix++;
+ }
+
+ /* zeros */
+ if (zpadlen > 0) {
+ while (zpadlen > 0) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
++ if(!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
++ return 0;
+ --zpadlen;
+ }
+ }
+ /* digits */
+- while (place > 0)
+- doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]);
++ while (place > 0) {
++ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, convert[--place]))
++ return 0;
++ }
+
+ /* left justified spaces */
+ while (spadlen < 0) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
++ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
++ return 0;
+ ++spadlen;
+ }
+- return;
++ return 1;
+ }
+
+ static LDOUBLE
+@@ -597,7 +621,7 @@
+ return intpart;
+ }
+
+-static void
++static int
+ fmtfp(
+ char **sbuffer,
+ char **buffer,
+@@ -682,47 +706,61 @@
+
+ if ((flags & DP_F_ZERO) && (padlen > 0)) {
+ if (signvalue) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
++ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
++ return 0;
+ --padlen;
+ signvalue = 0;
+ }
+ while (padlen > 0) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
++ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
++ return 0;
+ --padlen;
+ }
+ }
+ while (padlen > 0) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
++ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
++ return 0;
+ --padlen;
+ }
+- if (signvalue)
+- doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);
++ if (signvalue && !doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue))
++ return 0;
+
+- while (iplace > 0)
+- doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]);
++ while (iplace > 0) {
++ if
(!doapr_outch(sbuffer, buffer, currlen, maxlen, iconvert[--iplace]))
++ return 0;
++ }
+
+ /*
+ * Decimal point. This should probably use locale to find the correct
+ * char to print out.
+ */
+ if (max > 0 || (flags & DP_F_NUM)) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, '.');
++ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '.'))
++ return 0;
+
+- while (fplace > 0)
+- doapr_outch(sbuffer, buffer, currlen, maxlen, fconvert[--fplace]);
++ while (fplace > 0) {
++ if(!doapr_outch(sbuffer, buffer, currlen, maxlen,
++ fconvert[--fplace]))
++ return 0;
++ }
+ }
+ while (zpadlen > 0) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, '0');
++ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, '0'))
++ return 0;
+ --zpadlen;
+ }
+
+ while (padlen < 0) {
+- doapr_outch(sbuffer, buffer, currlen, maxlen, ' ');
++ if (!doapr_outch(sbuffer, buffer, currlen, maxlen, ' '))
++ return 0;
+ ++padlen;
+ }
++ return 1;
+ }
+
+-static void
++#define BUFFER_INC 1024
++
++static int
+ doapr_outch(
+ char **sbuffer,
+ char **buffer,
+@@ -733,24 +771,30 @@
+ /* If we haven't at least one buffer, someone has doe a big booboo */
+ assert(*sbuffer != NULL || buffer != NULL);
+
+- if (buffer) {
+- while (*currlen >= *maxlen) {
+- if (*buffer == NULL) {
+- if (*maxlen == 0)
+- *maxlen = 1024;
+- *buffer = OPENSSL_malloc(*maxlen);
+- if (*currlen > 0) {
+- assert(*sbuffer != NULL);
+- memcpy(*buffer, *sbuffer, *currlen);
+- }
+- *sbuffer = NULL;
+- } else {
+- *maxlen += 1024;
+- *buffer = OPENSSL_realloc(*buffer, *maxlen);
+- }
++ /* |currlen| must always be <= |*maxlen| */
++ assert(*currlen <= *maxlen);
++
++ if (buffer && *currlen == *maxlen) {
++ if (*maxlen > INT_MAX - BUFFER_INC)
++ return 0;
++
++ *maxlen += BUFFER_INC;
++ if (*buffer == NULL) {
++ *buffer = OPENSSL_malloc(*maxlen);
++ if (*buffer == NULL)
++ return 0;
++ if (*currlen > 0) {
++ assert(*sbuffer != NULL);
++ memcpy(*buffer, *sbuffer, *currlen);
++ }
++ *sbuffer = NULL;
++ } else {
++ char *tmpbuf;
++ tmpbuf
= OPENSSL_realloc(*buffer, *maxlen);
++ if (tmpbuf == NULL)
++ return 0;
++ *buffer = tmpbuf;
+ }
+- /* What to do if *buffer is NULL? */
+- assert(*sbuffer != NULL || *buffer != NULL);
+ }
+
+ if (*currlen < *maxlen) {
+@@ -760,7 +804,7 @@
+ (*buffer)[(*currlen)++] = (char)c;
+ }
+
+- return;
++ return 1;
+ }
+
+ /***************************************************************************/
+@@ -792,8 +836,11 @@
+
+ dynbuf = NULL;
+ CRYPTO_push_info("doapr()");
+- _dopr(&hugebufp, &dynbuf, &hugebufsize,
+- &retlen, &ignored, format, args);
++ if (!_dopr(&hugebufp, &dynbuf, &hugebufsize, &retlen, &ignored, format,
++ args)) {
++ OPENSSL_free(dynbuf);
++ return -1;
++ }
+ if (dynbuf)
+ {
+ ret=BIO_write(bio, dynbuf, (int)retlen);
+@@ -829,7 +876,8 @@
+ size_t retlen;
+ int truncated;
+
+- _dopr(&buf, NULL, &n, &retlen, &truncated, format, args);
++ if(!_dopr(&buf, NULL, &n, &retlen, &truncated, format, args))
++ return -1;
+
+ if (truncated)
+ /* In case of truncation, return -1 like traditional snprintf.
diff -Nru openssl-1.0.1/debian/patches/preserve_digests_for_sni.patch openssl-1.0.1/debian/patches/preserve_digests_for_sni.patch
--- openssl-1.0.1/debian/patches/preserve_digests_for_sni.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-1.0.1/debian/patches/preserve_digests_for_sni.patch 2016-02-29 12:02:03.000000000 +0000
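Review bot: The early return added in the `@@ -792` hunk leaves the `CRYPTO_push_info("doapr()")` entry unbalanced: the push is on the context line just above, and the new failure path frees `dynbuf` and returns without a matching pop. The pop is presumably issued later in the function, outside this hunk, so only the error path is affected. Adding `CRYPTO_pop_info();` before `return -1;` keeps the memory-debug info stack consistent when `_dopr` fails.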
@@ -0,0 +1,49 @@
+From 4e05aedbcab7f7f83a887e952ebdcc5d4f2291e4 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson"
+Date: Fri, 10 Oct 2014 13:18:09 +0100
+Subject: [PATCH] Preserve digests for SNI.
+
+SSL_set_SSL_CTX is normally called for SNI after ClientHello has
+received and the digest to use for each certificate has been decided.
+The original ssl->cert contains the negotiated digests and is now
+copied to the new ssl->cert.
+
+PR: 3560
+Reviewed-by: Tim Hudson
+---
+ ssl/ssl_lib.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+Index: openssl-1.0.1/ssl/ssl_lib.c
+===================================================================
+--- openssl-1.0.1.orig/ssl/ssl_lib.c 2016-02-29 07:02:00.835648480 -0500
++++ openssl-1.0.1/ssl/ssl_lib.c 2016-02-29 07:02:00.831648438 -0500
+@@ -2958,15 +2958,26 @@
+
+ SSL_CTX *SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
+ {
++ CERT *ocert = ssl->cert;
+ if (ssl->ctx == ctx)
+ return ssl->ctx;
+ #ifndef OPENSSL_NO_TLSEXT
+ if (ctx == NULL)
+ ctx = ssl->initial_ctx;
+ #endif
+- if (ssl->cert != NULL)
+- ssl_cert_free(ssl->cert);
+ ssl->cert = ssl_cert_dup(ctx->cert);
++ if (ocert != NULL)
++ {
++ int i;
++ /* Copy negotiated digests from original */
++ for (i = 0; i < SSL_PKEY_NUM; i++)
++ {
++ CERT_PKEY *cpk = ocert->pkeys + i;
++ CERT_PKEY *rpk = ssl->cert->pkeys + i;
++ rpk->digest = cpk->digest;
++ }
++ ssl_cert_free(ocert);
++ }
+ CRYPTO_add(&ctx->references,1,CRYPTO_LOCK_SSL_CTX);
+ if (ssl->ctx != NULL)
+ SSL_CTX_free(ssl->ctx); /* decrement reference count */
diff -Nru openssl-1.0.1/debian/patches/series openssl-1.0.1/debian/patches/series
--- openssl-1.0.1/debian/patches/series 2015-06-11 11:35:45.000000000 +0000
+++ openssl-1.0.1/debian/patches/series 2016-02-29 12:01:59.000000000 +0000
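Review bot: The result of `ssl_cert_dup(ctx->cert)` is stored in `ssl->cert` and then dereferenced as `ssl->cert->pkeys + i` with no NULL check, so a failed duplication becomes a NULL dereference whenever `ocert` is non-NULL. Duplicating into a local first avoids that and leaves the connection's existing certificate state untouched on failure: `CERT *ncert = ssl_cert_dup(ctx->cert);`, `if (ncert == NULL) return NULL;`, `ssl->cert = ncert;`. `SSL_set_SSL_CTX` continues past the end of the hunk, and its callers would need to treat a NULL return as an error.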
@@ -105,3 +105,21 @@ CVE-2015-1792.patch CVE-2015-1791-2.patch CVE-2015-1791-3.patch +CVE-2015-3194.patch +CVE-2015-3195.patch +CVE-2015-3196.patch +CVE-2015-7575.patch +alt-cert-chains-1.patch +alt-cert-chains-2.patch +alt-cert-chains-3.patch +alt-cert-chains-4.patch +alt-cert-chains-5.patch +alt-cert-chains-6.patch +alt-cert-chains-7.patch +alt-cert-chains-8.patch +CVE-2016-0705.patch +CVE-2016-0798.patch +CVE-2016-0799.patch +CVE-2016-0797.patch +CVE-2016-0702.patch +preserve_digests_for_sni.patch