openssl-1.0.1b upgrade
Change-Id: I4fe854007f774cf7f386cd405a9d21e6ca94e7b6
diff --git a/ThirdPartyProject.prop b/ThirdPartyProject.prop
index 68629bd..5ce3971 100644
--- a/ThirdPartyProject.prop
+++ b/ThirdPartyProject.prop
@@ -1,7 +1,7 @@
# Copyright 2010 Google Inc. All Rights Reserved.
#Fri Jul 16 10:03:09 PDT 2010
-currentVersion=1.0.1a
-version=1.0.1a
+currentVersion=1.0.1b
+version=1.0.1b
isNative=true
feedurl=http\://www.openssl.org/
name=openssl
diff --git a/crypto/buffer/buffer.c b/crypto/buffer/buffer.c
index 52e65df..d7aa79a 100644
--- a/crypto/buffer/buffer.c
+++ b/crypto/buffer/buffer.c
@@ -156,7 +156,7 @@
/* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
if (len > LIMIT_BEFORE_EXPANSION)
{
- BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+ BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
return 0;
}
n=(len+3)/3*4;
diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c
index 5f1490c..5656319 100644
--- a/crypto/evp/e_rc4_hmac_md5.c
+++ b/crypto/evp/e_rc4_hmac_md5.c
@@ -103,7 +103,8 @@
#if !defined(OPENSSL_NO_ASM) && ( \
defined(__x86_64) || defined(__x86_64__) || \
defined(_M_AMD64) || defined(_M_X64) || \
- defined(__INTEL__) )
+ defined(__INTEL__) ) && \
+ !(defined(__APPLE__) && defined(__MACH__))
#define STITCHED_CALL
#endif
@@ -121,7 +122,7 @@
md5_off = MD5_CBLOCK-key->md.num,
blocks;
unsigned int l;
- extern unsigned int OPENSSL_ia32cap_P[];
+ extern unsigned int OPENSSL_ia32cap_P[];
#endif
size_t plen = key->payload_length;
@@ -133,8 +134,8 @@
/* cipher has to "fall behind" */
if (rc4_off>md5_off) md5_off+=MD5_CBLOCK;
- if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK) &&
- (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
+ if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK) &&
+ (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
MD5_Update(&key->md,in,md5_off);
RC4(&key->ks,rc4_off,in,out);
@@ -174,8 +175,8 @@
if (md5_off>rc4_off) rc4_off += 2*MD5_CBLOCK;
else rc4_off += MD5_CBLOCK;
- if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK) &&
- (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
+ if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK) &&
+ (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
RC4(&key->ks,rc4_off,in,out);
MD5_Update(&key->md,out,md5_off);
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 8835d9a..0c54f05 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -172,7 +172,7 @@
#ifdef OPENSSL_FIPS
if (FIPS_mode())
return FIPS_cipherinit(ctx, cipher, key, iv, enc);
-#else
+#endif
ctx->cipher=cipher;
if (ctx->cipher->ctx_size)
{
@@ -197,7 +197,6 @@
return 0;
}
}
-#endif
}
else if(!ctx->cipher)
{
@@ -210,7 +209,7 @@
#ifdef OPENSSL_FIPS
if (FIPS_mode())
return FIPS_cipherinit(ctx, cipher, key, iv, enc);
-#else
+#endif
/* we assume block size is a power of 2 in *cryptUpdate */
OPENSSL_assert(ctx->cipher->block_size == 1
|| ctx->cipher->block_size == 8
@@ -257,7 +256,6 @@
ctx->final_used=0;
ctx->block_mask=ctx->cipher->block_size-1;
return 1;
-#endif
}
int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 20e889e..9e86557 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,11 +25,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x1000101fL
+#define OPENSSL_VERSION_NUMBER 0x1000102fL
#ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1a-fips 19 Apr 2012"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1b-fips 26 Apr 2012"
#else
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1a 19 Apr 2012"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1b 26 Apr 2012"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 20e889e..9e86557 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -25,11 +25,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x1000101fL
+#define OPENSSL_VERSION_NUMBER 0x1000102fL
#ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1a-fips 19 Apr 2012"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1b-fips 26 Apr 2012"
#else
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1a 19 Apr 2012"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1b 26 Apr 2012"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 912a2f7..d5bcead 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -556,7 +556,6 @@
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
#define SSL_OP_TLS_D5_BUG 0x00000100L
#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
-#define SSL_OP_NO_TLSv1_1 0x00000400L
/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
* in OpenSSL 0.9.6d. Usually (depending on the application protocol)
@@ -604,6 +603,7 @@
#define SSL_OP_NO_SSLv3 0x02000000L
#define SSL_OP_NO_TLSv1 0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
+#define SSL_OP_NO_TLSv1_1 0x10000000L
/* These next two were never actually used for anything since SSLeay
* zap so we have some more flags.
diff --git a/openssl.config b/openssl.config
index 067ad6f..7109f03 100644
--- a/openssl.config
+++ b/openssl.config
@@ -203,7 +203,6 @@
handshake_cutthrough.patch \
jsse.patch \
sha1_armv4_large.patch \
-cn_22455.patch \
"
OPENSSL_PATCHES_progs_SOURCES="\
diff --git a/openssl.version b/openssl.version
index 092a791..777d72c 100644
--- a/openssl.version
+++ b/openssl.version
@@ -1,2 +1,2 @@
# also update ThirdPartyProject.prop
-OPENSSL_VERSION=1.0.1a
+OPENSSL_VERSION=1.0.1b
diff --git a/patches/README b/patches/README
index 2360365..f7d886d 100644
--- a/patches/README
+++ b/patches/README
@@ -33,9 +33,3 @@
sha1_armv4_large.patch
This patch eliminates memory stores to addresses below SP.
-
-cn_22455.patch
-
-fix for non-x86 build issue in crypto/e_rc4_hmac_md5.c
-e_rc4_hmac_md5.c: last commit was inappropriate for non-x86[_64] platforms [from HEAD]. PR: 2792
-http://cvs.openssl.org/chngview?cn=22455
diff --git a/patches/cn_22455.patch b/patches/cn_22455.patch
deleted file mode 100644
index c1cae52..0000000
--- a/patches/cn_22455.patch
+++ /dev/null
@@ -1,40 +0,0 @@
---- a/crypto/evp/e_rc4_hmac_md5.c 2012/04/18 17:51:33 1.1.2.5
-+++ b/crypto/evp/e_rc4_hmac_md5.c 2012/04/19 20:43:02 1.1.2.6
-@@ -121,6 +121,7 @@
- md5_off = MD5_CBLOCK-key->md.num,
- blocks;
- unsigned int l;
-+ extern unsigned int OPENSSL_ia32cap_P[];
- #endif
- size_t plen = key->payload_length;
-
-@@ -132,7 +133,8 @@
- /* cipher has to "fall behind" */
- if (rc4_off>md5_off) md5_off+=MD5_CBLOCK;
-
-- if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK)) {
-+ if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK) &&
-+ (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
- MD5_Update(&key->md,in,md5_off);
- RC4(&key->ks,rc4_off,in,out);
-
-@@ -172,7 +174,8 @@
- if (md5_off>rc4_off) rc4_off += 2*MD5_CBLOCK;
- else rc4_off += MD5_CBLOCK;
-
-- if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK)) {
-+ if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK) &&
-+ (OPENSSL_ia32cap_P[0]&(1<<20))==0) {
- RC4(&key->ks,rc4_off,in,out);
- MD5_Update(&key->md,out,md5_off);
-
-@@ -289,8 +292,6 @@
-
- const EVP_CIPHER *EVP_rc4_hmac_md5(void)
- {
-- extern unsigned int OPENSSL_ia32cap_P[];
-- /* RC4_CHAR flag ------------vvvvv */
-- return(OPENSSL_ia32cap_P[0]&(1<<20) ? NULL : &r4_hmac_md5_cipher);
-+ return(&r4_hmac_md5_cipher);
- }
- #endif
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 96d717c..2d0f51d 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -282,34 +282,51 @@
SSL_COMP *comp;
#endif
int ret;
+ unsigned long mask, options = s->options;
- ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1;
+ ssl2_compat = (options & SSL_OP_NO_SSLv2) ? 0 : 1;
if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
ssl2_compat = 0;
-#ifndef OPENSSL_NO_TLS1_2_CLIENT
- if (!(s->options & SSL_OP_NO_TLSv1_2))
- {
- version = TLS1_2_VERSION;
- }
- else
+
+ /*
+ * SSL_OP_NO_X disables all protocols above X *if* there are
+ * some protocols below X enabled. This is required in order
+ * to maintain "version capability" vector contiguous. So
+ * that if application wants to disable TLS1.0 in favour of
+ * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the
+ * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2.
+ */
+ mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1
+#if !defined(OPENSSL_NO_SSL3)
+ |SSL_OP_NO_SSLv3
#endif
- if (!(s->options & SSL_OP_NO_TLSv1_1))
- {
+#if !defined(OPENSSL_NO_SSL2)
+ |(ssl2_compat?SSL_OP_NO_SSLv2:0)
+#endif
+ ;
+#if !defined(OPENSSL_NO_TLS1_2_CLIENT)
+ version = TLS1_2_VERSION;
+
+ if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask)
version = TLS1_1_VERSION;
- }
- else if (!(s->options & SSL_OP_NO_TLSv1))
- {
+#else
+ version = TLS1_1_VERSION;
+#endif
+ mask &= ~SSL_OP_NO_TLSv1_1;
+ if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask)
version = TLS1_VERSION;
- }
- else if (!(s->options & SSL_OP_NO_SSLv3))
- {
+ mask &= ~SSL_OP_NO_TLSv1;
+#if !defined(OPENSSL_NO_SSL3)
+ if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask)
version = SSL3_VERSION;
- }
- else if (!(s->options & SSL_OP_NO_SSLv2))
- {
+ mask &= ~SSL_OP_NO_SSLv3;
+#endif
+#if !defined(OPENSSL_NO_SSL2)
+ if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask)
version = SSL2_VERSION;
- }
+#endif
+
#ifndef OPENSSL_NO_TLSEXT
if (version != SSL2_VERSION)
{
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 912a2f7..d5bcead 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -556,7 +556,6 @@
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
#define SSL_OP_TLS_D5_BUG 0x00000100L
#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
-#define SSL_OP_NO_TLSv1_1 0x00000400L
/* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
* in OpenSSL 0.9.6d. Usually (depending on the application protocol)
@@ -604,6 +603,7 @@
#define SSL_OP_NO_SSLv3 0x02000000L
#define SSL_OP_NO_TLSv1 0x04000000L
#define SSL_OP_NO_TLSv1_2 0x08000000L
+#define SSL_OP_NO_TLSv1_1 0x10000000L
/* These next two were never actually used for anything since SSLeay
* zap so we have some more flags.
