Browse Source

Merge branch 'freebsd/current/master' into hardened/current/master

* freebsd/current/master:
  Remove wrong entries added in the previous commit.
  Bhyve: log message when rfb client connects
  Bhyve: DPRINTF already includes newline, so don't add another
  ath_hal: fix typo in ath_hal_printf
  [PowerPC][Book-E] Fix missing load base in elf_cpu_parse_dynamic().
  Reduce diff with the vendor version.  No functional change.
  powerpc: Axe PPC4xx support.
  Remove spurious warning about invalid VPD data.
  Import OpenSSL 1.1.1e.
hardened/current/tmpfs_extattr
HardenedBSD Sync Service 2 months ago
parent
commit
e641009597
100 changed files with 760 additions and 397 deletions
  1. +76
    -9
      crypto/openssl/CHANGES
  2. +1
    -1
      crypto/openssl/CONTRIBUTING
  3. +109
    -53
      crypto/openssl/Configure
  4. +16
    -4
      crypto/openssl/INSTALL
  5. +5
    -0
      crypto/openssl/NEWS
  6. +1
    -1
      crypto/openssl/README
  7. +25
    -5
      crypto/openssl/apps/apps.c
  8. +2
    -2
      crypto/openssl/apps/apps.h
  9. +115
    -11
      crypto/openssl/apps/dgst.c
  10. +2
    -1
      crypto/openssl/apps/enc.c
  11. +3
    -3
      crypto/openssl/apps/ocsp.c
  12. +7
    -0
      crypto/openssl/apps/openssl.c
  13. +1
    -1
      crypto/openssl/apps/passwd.c
  14. +38
    -26
      crypto/openssl/apps/pkcs12.c
  15. +2
    -3
      crypto/openssl/apps/pkeyutl.c
  16. +10
    -5
      crypto/openssl/apps/req.c
  17. +2
    -1
      crypto/openssl/apps/s_cb.c
  18. +10
    -7
      crypto/openssl/apps/s_server.c
  19. +45
    -50
      crypto/openssl/apps/server.pem
  20. +22
    -21
      crypto/openssl/apps/speed.c
  21. +3
    -3
      crypto/openssl/apps/timeouts.h
  22. +2
    -1
      crypto/openssl/apps/ts.c
  23. +6
    -6
      crypto/openssl/apps/x509.c
  24. +15
    -4
      crypto/openssl/appveyor.yml
  25. +7
    -7
      crypto/openssl/build.info
  26. +9
    -11
      crypto/openssl/config
  27. +2
    -3
      crypto/openssl/crypto/LPdir_unix.c
  28. +1
    -1
      crypto/openssl/crypto/aes/aes_core.c
  29. +1
    -1
      crypto/openssl/crypto/aes/aes_ecb.c
  30. +1
    -1
      crypto/openssl/crypto/aes/aes_ige.c
  31. +3
    -3
      crypto/openssl/crypto/aes/aes_local.h
  32. +1
    -1
      crypto/openssl/crypto/aes/aes_misc.c
  33. +1
    -1
      crypto/openssl/crypto/aes/aes_x86core.c
  34. +2
    -2
      crypto/openssl/crypto/aes/asm/aes-armv4.pl
  35. +2
    -2
      crypto/openssl/crypto/aes/asm/aes-c64xplus.pl
  36. +2
    -2
      crypto/openssl/crypto/aes/asm/aes-mips.pl
  37. +2
    -2
      crypto/openssl/crypto/aes/asm/aes-parisc.pl
  38. +2
    -2
      crypto/openssl/crypto/aes/asm/aes-ppc.pl
  39. +4
    -4
      crypto/openssl/crypto/aes/asm/aes-s390x.pl
  40. +2
    -2
      crypto/openssl/crypto/aes/asm/aes-sparcv9.pl
  41. +2
    -2
      crypto/openssl/crypto/aes/asm/aesfx-sparcv9.pl
  42. +3
    -3
      crypto/openssl/crypto/aes/asm/aesni-mb-x86_64.pl
  43. +9
    -3
      crypto/openssl/crypto/aes/asm/aesni-sha1-x86_64.pl
  44. +49
    -17
      crypto/openssl/crypto/aes/asm/aesni-sha256-x86_64.pl
  45. +2
    -2
      crypto/openssl/crypto/aes/asm/aesni-x86.pl
  46. +23
    -7
      crypto/openssl/crypto/aes/asm/aesni-x86_64.pl
  47. +2
    -2
      crypto/openssl/crypto/aes/asm/aesp8-ppc.pl
  48. +2
    -2
      crypto/openssl/crypto/aes/asm/aest4-sparcv9.pl
  49. +2
    -2
      crypto/openssl/crypto/aes/asm/aesv8-armx.pl
  50. +2
    -2
      crypto/openssl/crypto/aes/asm/bsaes-armv7.pl
  51. +2
    -2
      crypto/openssl/crypto/aes/asm/vpaes-armv8.pl
  52. +2
    -2
      crypto/openssl/crypto/aes/asm/vpaes-ppc.pl
  53. +2
    -2
      crypto/openssl/crypto/aes/asm/vpaes-x86.pl
  54. +2
    -2
      crypto/openssl/crypto/aes/asm/vpaes-x86_64.pl
  55. +1
    -1
      crypto/openssl/crypto/aria/aria.c
  56. +2
    -2
      crypto/openssl/crypto/arm64cpuid.pl
  57. +2
    -2
      crypto/openssl/crypto/arm_arch.h
  58. +2
    -2
      crypto/openssl/crypto/armv4cpuid.pl
  59. +1
    -1
      crypto/openssl/crypto/asn1/a_bitstr.c
  60. +1
    -1
      crypto/openssl/crypto/asn1/a_d2i_fp.c
  61. +1
    -1
      crypto/openssl/crypto/asn1/a_gentm.c
  62. +1
    -1
      crypto/openssl/crypto/asn1/a_int.c
  63. +1
    -1
      crypto/openssl/crypto/asn1/a_mbstr.c
  64. +3
    -3
      crypto/openssl/crypto/asn1/a_object.c
  65. +1
    -1
      crypto/openssl/crypto/asn1/a_print.c
  66. +2
    -2
      crypto/openssl/crypto/asn1/a_sign.c
  67. +1
    -1
      crypto/openssl/crypto/asn1/a_strex.c
  68. +2
    -2
      crypto/openssl/crypto/asn1/a_time.c
  69. +1
    -1
      crypto/openssl/crypto/asn1/a_type.c
  70. +1
    -1
      crypto/openssl/crypto/asn1/a_utctm.c
  71. +2
    -2
      crypto/openssl/crypto/asn1/a_verify.c
  72. +2
    -2
      crypto/openssl/crypto/asn1/ameth_lib.c
  73. +1
    -1
      crypto/openssl/crypto/asn1/asn1_lib.c
  74. +0
    -0
      crypto/openssl/crypto/asn1/asn1_local.h
  75. +21
    -17
      crypto/openssl/crypto/asn1/asn1_par.c
  76. +12
    -4
      crypto/openssl/crypto/asn1/asn_mime.c
  77. +3
    -3
      crypto/openssl/crypto/asn1/asn_moid.c
  78. +1
    -1
      crypto/openssl/crypto/asn1/charmap.h
  79. +2
    -2
      crypto/openssl/crypto/asn1/d2i_pr.c
  80. +1
    -1
      crypto/openssl/crypto/asn1/d2i_pu.c
  81. +1
    -1
      crypto/openssl/crypto/asn1/f_int.c
  82. +1
    -1
      crypto/openssl/crypto/asn1/f_string.c
  83. +2
    -2
      crypto/openssl/crypto/asn1/i2d_pr.c
  84. +1
    -1
      crypto/openssl/crypto/asn1/p8_pkey.c
  85. +1
    -1
      crypto/openssl/crypto/asn1/t_pkey.c
  86. +1
    -1
      crypto/openssl/crypto/asn1/tasn_dec.c
  87. +2
    -2
      crypto/openssl/crypto/asn1/tasn_enc.c
  88. +1
    -1
      crypto/openssl/crypto/asn1/tasn_fre.c
  89. +1
    -1
      crypto/openssl/crypto/asn1/tasn_new.c
  90. +2
    -2
      crypto/openssl/crypto/asn1/tasn_prn.c
  91. +1
    -1
      crypto/openssl/crypto/asn1/tasn_scn.c
  92. +1
    -1
      crypto/openssl/crypto/asn1/tasn_utl.c
  93. +1
    -1
      crypto/openssl/crypto/asn1/x_algor.c
  94. +3
    -3
      crypto/openssl/crypto/asn1/x_bignum.c
  95. +1
    -1
      crypto/openssl/crypto/asn1/x_int64.c
  96. +1
    -1
      crypto/openssl/crypto/asn1/x_sig.c
  97. +1
    -1
      crypto/openssl/crypto/async/arch/async_null.c
  98. +1
    -1
      crypto/openssl/crypto/async/arch/async_posix.c
  99. +3
    -3
      crypto/openssl/crypto/async/arch/async_posix.h
  100. +2
    -2
      crypto/openssl/crypto/async/async.c

+ 76
- 9
crypto/openssl/CHANGES View File

@@ -7,6 +7,73 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.

Changes between 1.1.1d and 1.1.1e [17 Mar 2020]
*) Properly detect EOF while reading in libssl. Previously if we hit an EOF
while reading in libssl then we would report an error back to the
application (SSL_ERROR_SYSCALL) but errno would be 0. We now add
an error to the stack (which means we instead return SSL_ERROR_SSL) and
therefore give a hint as to what went wrong.
[Matt Caswell]

*) Check that ed25519 and ed448 are allowed by the security level. Previously
signature algorithms not using an MD were not being checked that they were
allowed by the security level.
[Kurt Roeckx]

*) Fixed SSL_get_servername() behaviour. The behaviour of SSL_get_servername()
was not quite right. The behaviour was not consistent between resumption
and normal handshakes, and also not quite consistent with historical
behaviour. The behaviour in various scenarios has been clarified and
it has been updated to make it match historical behaviour as closely as
possible.
[Matt Caswell]

*) [VMS only] The header files that the VMS compilers include automatically,
__DECC_INCLUDE_PROLOGUE.H and __DECC_INCLUDE_EPILOGUE.H, use pragmas that
the C++ compiler doesn't understand. This is a shortcoming in the
compiler, but can be worked around with __cplusplus guards.

C++ applications that use OpenSSL libraries must be compiled using the
qualifier '/NAMES=(AS_IS,SHORTENED)' to be able to use all the OpenSSL
functions. Otherwise, only functions with symbols of less than 31
characters can be used, as the linker will not be able to successfully
resolve symbols with longer names.
[Richard Levitte]

*) Corrected the documentation of the return values from the EVP_DigestSign*
set of functions. The documentation mentioned negative values for some
errors, but this was never the case, so the mention of negative values
was removed.

Code that followed the documentation and thereby check with something
like 'EVP_DigestSignInit(...) <= 0' will continue to work undisturbed.
[Richard Levitte]

*) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli. No EC algorithms are
affected. Analysis suggests that attacks against 2-prime RSA1024,
3-prime RSA1536, and DSA1024 as a result of this defect would be very
difficult to perform and are not believed likely. Attacks against DH512
are considered just feasible. However, for an attack the target would
have to re-use the DH512 private key, which is not recommended anyway.
Also applications directly using the low level API BN_mod_exp may be
affected if they use BN_FLG_CONSTTIME.
(CVE-2019-1551)
[Andy Polyakov]

*) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY.
The presence of this system service is determined at run-time.
[Richard Levitte]

*) Added newline escaping functionality to a filename when using openssl dgst.
This output format is to replicate the output format found in the '*sum'
checksum programs. This aims to preserve backward compatibility.
[Matt Eaton, Richard Levitte, and Paul Dale]

*) Print all values for a PKCS#12 attribute with 'openssl pkcs12', not just
the first value.
[Jon Spillett]

Changes between 1.1.1c and 1.1.1d [10 Sep 2019]

*) Fixed a fork protection issue. OpenSSL 1.1.1 introduced a rewritten random
@@ -633,9 +700,9 @@
bytes long. In theory it is permissible in SSLv3 - TLSv1.2 to fragment such
alerts across multiple records (some of which could be empty). In practice
it make no sense to send an empty alert record, or to fragment one. TLSv1.3
prohibts this altogether and other libraries (BoringSSL, NSS) do not
prohibits this altogether and other libraries (BoringSSL, NSS) do not
support this at all. Supporting it adds significant complexity to the
record layer, and its removal is unlikely to cause inter-operability
record layer, and its removal is unlikely to cause interoperability
issues.
[Matt Caswell]

@@ -3652,7 +3719,7 @@
implementations).
[Emilia Käsper, Adam Langley, Bodo Moeller (Google)]

*) Use type ossl_ssize_t instad of ssize_t which isn't available on
*) Use type ossl_ssize_t instead of ssize_t which isn't available on
all platforms. Move ssize_t definition from e_os.h to the public
header file e_os2.h as it now appears in public header file cms.h
[Steve Henson]
@@ -8373,7 +8440,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k

*) New OCSP utility. Allows OCSP requests to be generated or
read. The request can be sent to a responder and the output
parsed, outputed or printed in text form. Not complete yet:
parsed, outputted or printed in text form. Not complete yet:
still needs to check the OCSP response validity.
[Steve Henson]

@@ -9368,7 +9435,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
[Andy Polyakov]

*) Modified SSL library such that the verify_callback that has been set
specificly for an SSL object with SSL_set_verify() is actually being
specifically for an SSL object with SSL_set_verify() is actually being
used. Before the change, a verify_callback set with this function was
ignored and the verify_callback() set in the SSL_CTX at the time of
the call was used. New function X509_STORE_CTX_set_verify_cb() introduced
@@ -10485,10 +10552,10 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
as other interfaces in OpenSSL, like the BIO interface.
NCONF_dump_* dump the internal storage of the configuration file,
which is useful for debugging. All other functions take the same
arguments as the old CONF_* functions wth the exception of the
arguments as the old CONF_* functions with the exception of the
first that must be a `CONF *' instead of a `LHASH *'.

To make it easer to use the new classes with the old CONF_* functions,
To make it easier to use the new classes with the old CONF_* functions,
the function CONF_set_default_method is provided.
[Richard Levitte]

@@ -12331,7 +12398,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k
than the old method: it now uses a modified version of Ulf's parser to
read the ANSI prototypes in all header files (thus the old K&R definitions
aren't needed for error creation any more) and do a better job of
translating function codes into names. The old 'ASN1 error code imbedded
translating function codes into names. The old 'ASN1 error code embedded
in a comment' is no longer necessary and it doesn't use .err files which
have now been deleted. Also the error code call doesn't have to appear all
on one line (which resulted in some large lines...).
@@ -12632,7 +12699,7 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k

*) Add a useful kludge to allow package maintainers to specify compiler and
other platforms details on the command line without having to patch the
Configure script everytime: One now can use ``perl Configure
Configure script every time: One now can use ``perl Configure
<id>:<details>'', i.e. platform ids are allowed to have details appended
to them (separated by colons). This is treated as there would be a static
pre-configured entry in Configure's %table under key <id> with value

+ 1
- 1
crypto/openssl/CONTRIBUTING View File

@@ -58,7 +58,7 @@ guidelines:
consider adding a note in CHANGES. This could be a summarising
description of the change, and could explain the grander details.
Have a look through existing entries for inspiration.
Please note that this is NOT simply a copy of git-log oneliners.
Please note that this is NOT simply a copy of git-log one-liners.
Also note that security fixes get an entry in CHANGES.
This file helps users get more in depth information of what comes
with a specific release without having to sift through the higher

+ 109
- 53
crypto/openssl/Configure View File

@@ -1,6 +1,6 @@
#! /usr/bin/env perl
# -*- mode: perl; -*-
# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -69,7 +69,15 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
# no-sse2 disables IA-32 SSE2 code in assembly modules, the above
# mentioned '386' option implies this one
# no-<cipher> build without specified algorithm (rsa, idea, rc5, ...)
# -<xxx> +<xxx> compiler options are passed through
# -<xxx> +<xxx> All options which are unknown to the 'Configure' script are
# /<xxx> passed through to the compiler. Unix-style options beginning
# with a '-' or '+' are recognized, as well as Windows-style
# options beginning with a '/'. If the option contains arguments
# separated by spaces, then the URL-style notation %20 can be
# used for the space character in order to avoid having to quote
# the option. For example, -opt%20arg gets expanded to -opt arg.
# In fact, any ASCII character can be encoded as %xx using its
# hexadecimal encoding.
# -static while -static is also a pass-through compiler option (and
# as such is limited to environments where it's actually
# meaningful), it triggers a number configuration options,
@@ -152,6 +160,10 @@ my @clang_devteam_warn = qw(
-Wmissing-variable-declarations
);

my @cl_devteam_warn = qw(
/WX
);

# This adds backtrace information to the memory leak info. Is only used
# when crypto-mdebug-backtrace is enabled.
my $memleak_devteam_backtrace = "-rdynamic";
@@ -346,6 +358,7 @@ my @disablables = (
"dgram",
"dh",
"dsa",
"dso",
"dtls",
"dynamic-engine",
"ec",
@@ -423,7 +436,6 @@ my %deprecated_disablables = (
"buf-freelists" => undef,
"ripemd" => "rmd160",
"ui" => "ui-console",
"dso" => "", # Empty string means we're silent about it
);

# All of the following are disabled by default:
@@ -480,6 +492,7 @@ my @disable_cascades = (
# Without position independent code, there can be no shared libraries or DSOs
"pic" => [ "shared" ],
"shared" => [ "dynamic-engine" ],
"dso" => [ "dynamic-engine" ],
"engine" => [ "afalgeng", "devcryptoeng" ],

# no-autoalginit is only useful when building non-shared
@@ -520,7 +533,7 @@ while ((my $first, my $second) = (shift @list, shift @list)) {

&usage if ($#ARGV < 0);

# For the "make variables" CINCLUDES and CDEFINES, we support lists with
# For the "make variables" CPPINCLUDES and CPPDEFINES, we support lists with
# platform specific list separators. Users from those platforms should
# recognise those separators from how you set up the PATH to find executables.
# The default is the Unix like separator, :, but as an exception, we also
@@ -776,7 +789,7 @@ while (@argvcopy)
{
die "FIPS mode not supported\n";
}
elsif (/^[-+]/)
elsif (m|^[-+/]|)
{
if (/^--prefix=(.*)$/)
{
@@ -853,11 +866,11 @@ while (@argvcopy)
{
push @{$useradd{LDFLAGS}}, $_;
}
elsif (/^-D(.*)$/)
elsif (m|^[-/]D(.*)$|)
{
push @{$useradd{CPPDEFINES}}, $1;
}
elsif (/^-I(.*)$/)
elsif (m|^[-/]I(.*)$|)
{
push @{$useradd{CPPINCLUDES}}, $1;
}
@@ -867,11 +880,23 @@ while (@argvcopy)
}
else # common if (/^[-+]/), just pass down...
{
# Treat %xx as an ASCII code (e.g. replace %20 by a space character).
# This provides a simple way to pass options with arguments separated
# by spaces without quoting (e.g. -opt%20arg translates to -opt arg).
$_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei;
push @{$useradd{CFLAGS}}, $_;
push @{$useradd{CXXFLAGS}}, $_;
}
}
elsif (m|^/|)
{
# Treat %xx as an ASCII code (e.g. replace %20 by a space character).
# This provides a simple way to pass options with arguments separated
# by spaces without quoting (e.g. /opt%20arg translates to /opt arg).
$_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei;
push @{$useradd{CFLAGS}}, $_;
push @{$useradd{CXXFLAGS}}, $_;
}
else
{
die "target already defined - $target (offending arg: $_)\n" if ($target ne "");
@@ -949,7 +974,11 @@ foreach (keys %user) {

if (defined $value) {
if (ref $user{$_} eq 'ARRAY') {
$user{$_} = [ split /$list_separator_re/, $value ];
if ($_ eq 'CPPDEFINES' || $_ eq 'CPPINCLUDES') {
$user{$_} = [ split /$list_separator_re/, $value ];
} else {
$user{$_} = [ $value ];
}
} elsif (!defined $user{$_}) {
$user{$_} = $value;
}
@@ -1162,43 +1191,6 @@ foreach (keys %useradd) {
# Allow overriding the build file name
$config{build_file} = env('BUILDFILE') || $target{build_file} || "Makefile";

my %disabled_info = (); # For configdata.pm
foreach my $what (sort keys %disabled) {
$config{options} .= " no-$what";

if (!grep { $what eq $_ } ( 'buildtest-c++', 'threads', 'shared', 'pic',
'dynamic-engine', 'makedepend',
'zlib-dynamic', 'zlib', 'sse2' )) {
(my $WHAT = uc $what) =~ s|-|_|g;

# Fix up C macro end names
$WHAT = "RMD160" if $what eq "ripemd";

# fix-up crypto/directory name(s)
$what = "ripemd" if $what eq "rmd160";
$what = "whrlpool" if $what eq "whirlpool";

my $macro = $disabled_info{$what}->{macro} = "OPENSSL_NO_$WHAT";

if ((grep { $what eq $_ } @{$config{sdirs}})
&& $what ne 'async' && $what ne 'err') {
@{$config{sdirs}} = grep { $what ne $_} @{$config{sdirs}};
$disabled_info{$what}->{skipped} = [ catdir('crypto', $what) ];

if ($what ne 'engine') {
push @{$config{openssl_algorithm_defines}}, $macro;
} else {
@{$config{dirs}} = grep !/^engines$/, @{$config{dirs}};
push @{$disabled_info{engine}->{skipped}}, catdir('engines');
push @{$config{openssl_other_defines}}, $macro;
}
} else {
push @{$config{openssl_other_defines}}, $macro;
}

}
}

# Make sure build_scheme is consistent.
$target{build_scheme} = [ $target{build_scheme} ]
if ref($target{build_scheme}) ne "ARRAY";
@@ -1288,10 +1280,8 @@ if ($target{shared_target} eq "")
}

if ($disabled{"dynamic-engine"}) {
push @{$config{openssl_other_defines}}, "OPENSSL_NO_DYNAMIC_ENGINE";
$config{dynamic_engines} = 0;
} else {
push @{$config{openssl_other_defines}}, "OPENSSL_NO_STATIC_ENGINE";
$config{dynamic_engines} = 1;
}

@@ -1375,6 +1365,7 @@ unless ($disabled{asm}) {
}
if ($target{aes_asm_src}) {
push @{$config{lib_defines}}, "AES_ASM" if ($target{aes_asm_src} =~ m/\baes-/);;
push @{$config{lib_defines}}, "AESNI_ASM" if ($target{aes_asm_src} =~ m/\baesni-/);;
# aes-ctr.fake is not a real file, only indication that assembler
# module implements AES_ctr32_encrypt...
push @{$config{lib_defines}}, "AES_CTR_ASM" if ($target{aes_asm_src} =~ s/\s*aes-ctr\.fake//);
@@ -1501,11 +1492,20 @@ if ($strict_warnings)
my $wopt;
my $gccver = $predefined_C{__GNUC__} // -1;

warn "WARNING --strict-warnings requires gcc[>=4] or gcc-alike"
unless $gccver >= 4;
push @strict_warnings_collection, @gcc_devteam_warn;
push @strict_warnings_collection, @clang_devteam_warn
if (defined($predefined_C{__clang__}));
if ($gccver >= 4)
{
push @strict_warnings_collection, @gcc_devteam_warn;
push @strict_warnings_collection, @clang_devteam_warn
if (defined($predefined_C{__clang__}));
}
elsif ($config{target} =~ /^VC-/)
{
push @strict_warnings_collection, @cl_devteam_warn;
}
else
{
warn "WARNING --strict-warnings requires gcc[>=4] or gcc-alike, or MSVC"
}
}

if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) {
@@ -1552,7 +1552,20 @@ unless ($disabled{afalgeng}) {
}
}

push @{$config{openssl_other_defines}}, "OPENSSL_NO_AFALGENG" if ($disabled{afalgeng});
unless ($disabled{devcryptoeng}) {
if ($target =~ m/^BSD/) {
my $maxver = 5*100 + 7;
my $sysstr = `uname -s`;
my $verstr = `uname -r`;
$sysstr =~ s|\R$||;
$verstr =~ s|\R$||;
my ($ma, $mi, @rest) = split m|\.|, $verstr;
my $ver = $ma*100 + $mi;
if ($sysstr eq 'OpenBSD' && $ver >= $maxver) {
disable('too-new-kernel', 'devcryptoeng');
}
}
}

# Get the extra flags used when building shared libraries and modules. We
# do this late because some of them depend on %disabled.
@@ -1597,6 +1610,49 @@ $target{module_ldflags} = $target{shared_ldflag} unless defined $target{module_l

# ALL MODIFICATIONS TO %disabled, %config and %target MUST BE DONE FROM HERE ON

my %disabled_info = (); # For configdata.pm
foreach my $what (sort keys %disabled) {
$config{options} .= " no-$what";

if (!grep { $what eq $_ } ( 'buildtest-c++', 'threads', 'shared', 'pic',
'dynamic-engine', 'makedepend',
'zlib-dynamic', 'zlib', 'sse2' )) {
(my $WHAT = uc $what) =~ s|-|_|g;

# Fix up C macro end names
$WHAT = "RMD160" if $what eq "ripemd";

# fix-up crypto/directory name(s)
$what = "ripemd" if $what eq "rmd160";
$what = "whrlpool" if $what eq "whirlpool";

my $macro = $disabled_info{$what}->{macro} = "OPENSSL_NO_$WHAT";

if ((grep { $what eq $_ } @{$config{sdirs}})
&& $what ne 'async' && $what ne 'err' && $what ne 'dso') {
@{$config{sdirs}} = grep { $what ne $_} @{$config{sdirs}};
$disabled_info{$what}->{skipped} = [ catdir('crypto', $what) ];

if ($what ne 'engine') {
push @{$config{openssl_algorithm_defines}}, $macro;
} else {
@{$config{dirs}} = grep !/^engines$/, @{$config{dirs}};
push @{$disabled_info{engine}->{skipped}}, catdir('engines');
push @{$config{openssl_other_defines}}, $macro;
}
} else {
push @{$config{openssl_other_defines}}, $macro;
}

}
}

if ($disabled{"dynamic-engine"}) {
push @{$config{openssl_other_defines}}, "OPENSSL_NO_DYNAMIC_ENGINE";
} else {
push @{$config{openssl_other_defines}}, "OPENSSL_NO_STATIC_ENGINE";
}

# If we use the unified build, collect information from build.info files
my %unified_info = ();


+ 16
- 4
crypto/openssl/INSTALL View File

@@ -351,6 +351,9 @@
Don't build support for datagram based BIOs. Selecting this
option will also force the disabling of DTLS.

no-dso
Don't build support for loading Dynamic Shared Objects.

enable-devcryptoeng
Build the /dev/crypto engine. It is automatically selected
on BSD implementations, in which case it can be disabled with
@@ -605,10 +608,19 @@
Take note of the VAR=value documentation below and how
these flags interact with those variables.

-xxx, +xxx
-xxx, +xxx, /xxx
Additional options that are not otherwise recognised are
passed through as they are to the compiler as well. Again,
consult your compiler documentation.
passed through as they are to the compiler as well.
Unix-style options beginning with a '-' or '+' and
Windows-style options beginning with a '/' are recognized.
Again, consult your compiler documentation.

If the option contains arguments separated by spaces,
then the URL-style notation %20 can be used for the space
character in order to avoid having to quote the option.
For example, -opt%20arg gets expanded to -opt arg.
In fact, any ASCII character can be encoded as %xx using its
hexadecimal encoding.

Take note of the VAR=value documentation below and how
these flags interact with those variables.
@@ -1071,7 +1083,7 @@

HASHBANGPERL
The command string for the Perl executable to insert in the
#! line of perl scripts that will be publically installed.
#! line of perl scripts that will be publicly installed.
Default: /usr/bin/env perl
Note: the value of this variable is added to the same scripts
on all platforms, but it's only relevant on Unix-like platforms.

+ 5
- 0
crypto/openssl/NEWS View File

@@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.

Major changes between OpenSSL 1.1.1d and OpenSSL 1.1.1e [17 Mar 2020]

o Fixed an overflow bug in the x64_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli (CVE-2019-1551)

Major changes between OpenSSL 1.1.1c and OpenSSL 1.1.1d [10 Sep 2019]

o Fixed a fork protection issue (CVE-2019-1549)

+ 1
- 1
crypto/openssl/README View File

@@ -1,5 +1,5 @@

OpenSSL 1.1.1d 10 Sep 2019
OpenSSL 1.1.1e 17 Mar 2020

Copyright (c) 1998-2019 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

+ 25
- 5
crypto/openssl/apps/apps.c View File

@@ -1962,26 +1962,46 @@ unsigned char *next_protos_parse(size_t *outlen, const char *in)
size_t len;
unsigned char *out;
size_t i, start = 0;
size_t skipped = 0;

len = strlen(in);
if (len >= 65535)
if (len == 0 || len >= 65535)
return NULL;

out = app_malloc(strlen(in) + 1, "NPN buffer");
out = app_malloc(len + 1, "NPN buffer");
for (i = 0; i <= len; ++i) {
if (i == len || in[i] == ',') {
/*
* Zero-length ALPN elements are invalid on the wire, we could be
* strict and reject the entire string, but just ignoring extra
* commas seems harmless and more friendly.
*
* Every comma we skip in this way puts the input buffer another
* byte ahead of the output buffer, so all stores into the output
* buffer need to be decremented by the number commas skipped.
*/
if (i == start) {
++start;
++skipped;
continue;
}
if (i - start > 255) {
OPENSSL_free(out);
return NULL;
}
out[start] = (unsigned char)(i - start);
out[start-skipped] = (unsigned char)(i - start);
start = i + 1;
} else {
out[i + 1] = in[i];
out[i + 1 - skipped] = in[i];
}
}

*outlen = len + 1;
if (len <= skipped) {
OPENSSL_free(out);
return NULL;
}

*outlen = len + 1 - skipped;
return out;
}


+ 2
- 2
crypto/openssl/apps/apps.h View File

@@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/

#ifndef HEADER_APPS_H
# define HEADER_APPS_H
#ifndef OSSL_APPS_H
# define OSSL_APPS_H

# include "e_os.h" /* struct timeval for DTLS */
# include "internal/nelem.h"

+ 115
- 11
crypto/openssl/apps/dgst.c View File

@@ -19,6 +19,7 @@
#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/hmac.h>
#include <ctype.h>

#undef BUFSIZE
#define BUFSIZE 1024*8
@@ -27,9 +28,15 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file);
static void show_digests(const OBJ_NAME *name, void *bio_);

struct doall_dgst_digests {
BIO *bio;
int n;
};

typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_LIST,
OPT_C, OPT_R, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY,
OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL,
OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT,
@@ -43,6 +50,7 @@ const OPTIONS dgst_options[] = {
{OPT_HELP_STR, 1, '-',
" file... files to digest (default is stdin)\n"},
{"help", OPT_HELP, '-', "Display this summary"},
{"list", OPT_LIST, '-', "List digests"},
{"c", OPT_C, '-', "Print the digest with separating colons"},
{"r", OPT_R, '-', "Print the digest in coreutils format"},
{"out", OPT_OUT, '>', "Output to filename rather than stdout"},
@@ -91,6 +99,7 @@ int dgst_main(int argc, char **argv)
int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0;
unsigned char *buf = NULL, *sigbuf = NULL;
int engine_impl = 0;
struct doall_dgst_digests dec;

prog = opt_progname(argv[0]);
buf = app_malloc(BUFSIZE, "I/O buffer");
@@ -108,6 +117,15 @@ int dgst_main(int argc, char **argv)
opt_help(dgst_options);
ret = 0;
goto end;
case OPT_LIST:
BIO_printf(bio_out, "Supported digests:\n");
dec.bio = bio_out;
dec.n = 0;
OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_MD_METH,
show_digests, &dec);
BIO_printf(bio_out, "\n");
ret = 0;
goto end;
case OPT_C:
separator = 1;
break;
@@ -413,20 +431,86 @@ int dgst_main(int argc, char **argv)
return ret;
}

static void show_digests(const OBJ_NAME *name, void *arg)
{
struct doall_dgst_digests *dec = (struct doall_dgst_digests *)arg;
const EVP_MD *md = NULL;

/* Filter out signed digests (a.k.a signature algorithms) */
if (strstr(name->name, "rsa") != NULL || strstr(name->name, "RSA") != NULL)
return;

if (!islower((unsigned char)*name->name))
return;

/* Filter out message digests that we cannot use */
md = EVP_get_digestbyname(name->name);
if (md == NULL)
return;

BIO_printf(dec->bio, "-%-25s", name->name);
if (++dec->n == 3) {
BIO_printf(dec->bio, "\n");
dec->n = 0;
} else {
BIO_printf(dec->bio, " ");
}
}

/*
* The newline_escape_filename function performs newline escaping for any
* filename that contains a newline. This function also takes a pointer
* to backslash. The backslash pointer is a flag to indicating whether a newline
* is present in the filename. If a newline is present, the backslash flag is
* set and the output format will contain a backslash at the beginning of the
* digest output. This output format is to replicate the output format found
* in the '*sum' checksum programs. This aims to preserve backward
* compatibility.
*/
static const char *newline_escape_filename(const char *file, int * backslash)
{
size_t i, e = 0, length = strlen(file), newline_count = 0, mem_len = 0;
char *file_cpy = NULL;

for (i = 0; i < length; i++)
if (file[i] == '\n')
newline_count++;

mem_len = length + newline_count + 1;
file_cpy = app_malloc(mem_len, file);
i = 0;

while(e < length) {
const char c = file[e];
if (c == '\n') {
file_cpy[i++] = '\\';
file_cpy[i++] = 'n';
*backslash = 1;
} else {
file_cpy[i++] = c;
}
e++;
}
file_cpy[i] = '\0';
return (const char*)file_cpy;
}


int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen,
const char *sig_name, const char *md_name,
const char *file)
{
size_t len;
int i;
size_t len = BUFSIZE;
int i, backslash = 0, ret = 1;
unsigned char *sigbuf = NULL;

while (BIO_pending(bp) || !BIO_eof(bp)) {
i = BIO_read(bp, (char *)buf, BUFSIZE);
if (i < 0) {
BIO_printf(bio_err, "Read Error in %s\n", file);
ERR_print_errors(bio_err);
return 1;
goto end;
}
if (i == 0)
break;
@@ -439,37 +523,51 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
BIO_printf(out, "Verified OK\n");
} else if (i == 0) {
BIO_printf(out, "Verification Failure\n");
return 1;
goto end;
} else {
BIO_printf(bio_err, "Error Verifying Data\n");
ERR_print_errors(bio_err);
return 1;
goto end;
}
return 0;
ret = 0;
goto end;
}
if (key != NULL) {
EVP_MD_CTX *ctx;
int pkey_len;
BIO_get_md_ctx(bp, &ctx);
len = BUFSIZE;
pkey_len = EVP_PKEY_size(key);
if (pkey_len > BUFSIZE) {
len = pkey_len;
sigbuf = app_malloc(len, "Signature buffer");
buf = sigbuf;
}
if (!EVP_DigestSignFinal(ctx, buf, &len)) {
BIO_printf(bio_err, "Error Signing Data\n");
ERR_print_errors(bio_err);
return 1;
goto end;
}
} else {
len = BIO_gets(bp, (char *)buf, BUFSIZE);
if ((int)len < 0) {
ERR_print_errors(bio_err);
return 1;
goto end;
}
}

if (binout) {
BIO_write(out, buf, len);
} else if (sep == 2) {
file = newline_escape_filename(file, &backslash);

if (backslash == 1)
BIO_puts(out, "\\");

for (i = 0; i < (int)len; i++)
BIO_printf(out, "%02x", buf[i]);

BIO_printf(out, " *%s\n", file);
OPENSSL_free((char *)file);
} else {
if (sig_name != NULL) {
BIO_puts(out, sig_name);
@@ -488,5 +586,11 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
}
BIO_printf(out, "\n");
}
return 0;

ret = 0;
end:
if (sigbuf != NULL)
OPENSSL_clear_free(sigbuf, len);

return ret;
}

+ 2
- 1
crypto/openssl/apps/enc.c View File

@@ -50,7 +50,8 @@ typedef enum OPTION_choice {

const OPTIONS enc_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
{"ciphers", OPT_LIST, '-', "List ciphers"},
{"list", OPT_LIST, '-', "List ciphers"},
{"ciphers", OPT_LIST, '-', "Alias for -list"},
{"in", OPT_IN, '<', "Input file"},
{"out", OPT_OUT, '>', "Output file"},
{"pass", OPT_PASS, 's', "Passphrase source"},

+ 3
- 3
crypto/openssl/apps/ocsp.c View File

@@ -114,7 +114,7 @@ static int acfd = (int) INVALID_SOCKET;
static int index_changed(CA_DB *);
static void spawn_loop(void);
static int print_syslog(const char *str, size_t len, void *levPtr);
static void sock_timeout(int signum);
static void socket_timeout(int signum);
# endif

# ifndef OPENSSL_NO_SOCK
@@ -597,7 +597,7 @@ int ocsp_main(int argc, char **argv)
if (multi && acbio != NULL)
spawn_loop();
if (acbio != NULL && req_timeout > 0)
signal(SIGALRM, sock_timeout);
signal(SIGALRM, socket_timeout);
#endif

if (acbio != NULL)
@@ -1352,7 +1352,7 @@ static int urldecode(char *p)
# endif

# ifdef OCSP_DAEMON
static void sock_timeout(int signum)
static void socket_timeout(int signum)
{
if (acfd != (int)INVALID_SOCKET)
(void)shutdown(acfd, SHUT_RD);

+ 7
- 0
crypto/openssl/apps/openssl.c View File

@@ -164,6 +164,13 @@ int main(int argc, char *argv[])
}

prog = prog_init();
if (prog == NULL) {
BIO_printf(bio_err,
"FATAL: Startup failure (dev note: prog_init() failed)\n");
ERR_print_errors(bio_err);
ret = 1;
goto end;
}
pname = opt_progname(argv[0]);

/* first check the program name */

+ 1
- 1
crypto/openssl/apps/passwd.c View File

@@ -807,7 +807,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
(*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
(*salt_p)[i] = 0;
# ifdef CHARSET_EBCDIC
/* The password encryption funtion will convert back to ASCII */
/* The password encryption function will convert back to ASCII */
ascii2ebcdic(*salt_p, *salt_p, saltlen);
# endif
}

+ 38
- 26
crypto/openssl/apps/pkcs12.c View File

@@ -41,6 +41,7 @@ int dump_certs_pkeys_bags(BIO *out, const STACK_OF(PKCS12_SAFEBAG) *bags,
int dump_certs_pkeys_bag(BIO *out, const PKCS12_SAFEBAG *bags,
const char *pass, int passlen,
int options, char *pempass, const EVP_CIPHER *enc);
void print_attribute(BIO *out, const ASN1_TYPE *av);
int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
const char *name);
void hex_prin(BIO *out, unsigned char *buf, int len);
@@ -878,6 +879,38 @@ int cert_load(BIO *in, STACK_OF(X509) *sk)
return ret;
}

/* Generalised x509 attribute value print */

void print_attribute(BIO *out, const ASN1_TYPE *av)
{
char *value;

switch (av->type) {
case V_ASN1_BMPSTRING:
value = OPENSSL_uni2asc(av->value.bmpstring->data,
av->value.bmpstring->length);
BIO_printf(out, "%s\n", value);
OPENSSL_free(value);
break;

case V_ASN1_OCTET_STRING:
hex_prin(out, av->value.octet_string->data,
av->value.octet_string->length);
BIO_printf(out, "\n");
break;

case V_ASN1_BIT_STRING:
hex_prin(out, av->value.bit_string->data,
av->value.bit_string->length);
BIO_printf(out, "\n");
break;

default:
BIO_printf(out, "<Unsupported tag %d>\n", av->type);
break;
}
}

/* Generalised attribute print: handle PKCS#8 and bag attributes */

int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
@@ -885,8 +918,7 @@ int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
{
X509_ATTRIBUTE *attr;
ASN1_TYPE *av;
char *value;
int i, attr_nid;
int i, j, attr_nid;
if (!attrlst) {
BIO_printf(out, "%s: <No Attributes>\n", name);
return 1;
@@ -910,30 +942,10 @@ int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
}

if (X509_ATTRIBUTE_count(attr)) {
av = X509_ATTRIBUTE_get0_type(attr, 0);
switch (av->type) {
case V_ASN1_BMPSTRING:
value = OPENSSL_uni2asc(av->value.bmpstring->data,
av->value.bmpstring->length);
BIO_printf(out, "%s\n", value);
OPENSSL_free(value);
break;

case V_ASN1_OCTET_STRING:
hex_prin(out, av->value.octet_string->data,
av->value.octet_string->length);
BIO_printf(out, "\n");
break;

case V_ASN1_BIT_STRING:
hex_prin(out, av->value.bit_string->data,
av->value.bit_string->length);
BIO_printf(out, "\n");
break;

default:
BIO_printf(out, "<Unsupported tag %d>\n", av->type);
break;
for (j = 0; j < X509_ATTRIBUTE_count(attr); j++)
{
av = X509_ATTRIBUTE_get0_type(attr, j);
print_attribute(out, av);
}
} else {
BIO_printf(out, "<No Values>\n");

+ 2
- 3
crypto/openssl/apps/pkeyutl.c View File

@@ -1,5 +1,5 @@
/*
* Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -299,8 +299,7 @@ int pkeyutl_main(int argc, char **argv)
/* Sanity check the input */
if (buf_inlen > EVP_MAX_MD_SIZE
&& (pkey_op == EVP_PKEY_OP_SIGN
|| pkey_op == EVP_PKEY_OP_VERIFY
|| pkey_op == EVP_PKEY_OP_VERIFYRECOVER)) {
|| pkey_op == EVP_PKEY_OP_VERIFY)) {
BIO_printf(bio_err,
"Error: The input data looks too long to be a hash\n");
goto end;

+ 10
- 5
crypto/openssl/apps/req.c View File

@@ -200,9 +200,12 @@ static int duplicated(LHASH_OF(OPENSSL_STRING) *addexts, char *kv)
*p = '\0';

/* Finally have a clean "key"; see if it's there [by attempt to add it]. */
if ((p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING*)kv))
!= NULL || lh_OPENSSL_STRING_error(addexts)) {
OPENSSL_free(p != NULL ? p : kv);
p = (char *)lh_OPENSSL_STRING_insert(addexts, (OPENSSL_STRING*)kv);
if (p != NULL) {
OPENSSL_free(p);
return 1;
} else if (lh_OPENSSL_STRING_error(addexts)) {
OPENSSL_free(kv);
return -1;
}

@@ -435,12 +438,14 @@ int req_main(int argc, char **argv)

if (verbose)
BIO_printf(bio_err, "Using configuration from %s\n", template);
req_conf = app_load_config(template);
if ((req_conf = app_load_config(template)) == NULL)
goto end;
if (addext_bio) {
if (verbose)
BIO_printf(bio_err,
"Using additional configuration from command line\n");
addext_conf = app_load_config_bio(addext_bio, NULL);
if ((addext_conf = app_load_config_bio(addext_bio, NULL)) == NULL)
goto end;
}
if (template != default_config_file && !app_load_modules(req_conf))
goto end;

+ 2
- 1
crypto/openssl/apps/s_cb.c View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -188,6 +188,7 @@ static STRINT_PAIR cert_type_list[] = {
{"RSA fixed ECDH", TLS_CT_RSA_FIXED_ECDH},
{"ECDSA fixed ECDH", TLS_CT_ECDSA_FIXED_ECDH},
{"GOST01 Sign", TLS_CT_GOST01_SIGN},
{"GOST12 Sign", TLS_CT_GOST12_SIGN},
{NULL}
};


+ 10
- 7
crypto/openssl/apps/s_server.c View File

@@ -180,9 +180,6 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
}
#endif

#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")

static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
size_t identity_len, SSL_SESSION **sess)
{
@@ -3208,6 +3205,12 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
if (e[0] == ' ')
break;

if (e[0] == ':') {
/* Windows drive. We treat this the same way as ".." */
dot = -1;
break;
}

switch (dot) {
case 1:
dot = (e[0] == '.') ? 2 : 0;
@@ -3216,11 +3219,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
dot = (e[0] == '.') ? 3 : 0;
break;
case 3:
dot = (e[0] == '/') ? -1 : 0;
dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0;
break;
}
if (dot == 0)
dot = (e[0] == '/') ? 1 : 0;
dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0;
}
dot = (dot == 3) || (dot == -1); /* filename contains ".."
* component */
@@ -3234,11 +3237,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)

if (dot) {
BIO_puts(io, text);
BIO_printf(io, "'%s' contains '..' reference\r\n", p);
BIO_printf(io, "'%s' contains '..' or ':'\r\n", p);
break;
}

if (*p == '/') {
if (*p == '/' || *p == '\\') {
BIO_puts(io, text);
BIO_printf(io, "'%s' is an invalid path\r\n", p);
break;

+ 45
- 50
crypto/openssl/apps/server.pem View File

@@ -1,52 +1,47 @@
subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert
issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG
A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgU2VydmVyIENlcnQw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDzhPOSNtyyRspmeuUpxfNJ
KCLTuf7g3uQ4zu4iHOmRO5TQci+HhVlLZrHF9XqFXcIP0y4pWDbMSGuiorUmzmfi
R7bfSdI/+qIQt8KXRH6HNG1t8ou0VSvWId5TS5Dq/er5ODUr9OaaDva7EquHIcMv
vPQGuI+OEAcnleVCy9HVEIySrO4P3CNIicnGkwwiAud05yUAq/gPXBC1hTtmlPD7
TVcGVSEiJdvzqqlgv02qedGrkki6GY4S7GjZxrrf7Foc2EP+51LJzwLQx3/JfrCU
41NEWAsu/Sl0tQabXESN+zJ1pDqoZ3uHMgpQjeGiE0olr+YcsSW/tJmiU9OiAr8R
AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI
AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
BBSCvM8AABPR9zklmifnr9LvIBturDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49
hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAqb1NV0B0/pbpK9Z4/bNjzPQLTRLK
WnSNm/Jh5v0GEUOE/Beg7GNjNrmeNmqxAlpqWz9qoeoFZax+QBpIZYjROU3TS3fp
yLsrnlr0CDQ5R7kCCDGa8dkXxemmpZZLbUCpW2Uoy8sAA4JjN9OtsZY7dvUXFgJ7
vVNTRnI01ghknbtD+2SxSQd3CWF6QhcRMAzZJ1z1cbbwGDDzfvGFPzJ+Sq+zEPds
xoVLLSetCiBc+40ZcDS5dV98h9XD7JMTQfxzA7mNGv73JoZJA6nFgj+ADSlJsY/t
JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA==
MIIDJTCCAg2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
IENBMCAXDTE2MDExNDIyMjk0NloYDzIxMTYwMTE1MjIyOTQ2WjAZMRcwFQYDVQQD
DA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ANVdYGrf/GHuSKqMEUhDpW22Ul2qmEmxYZI1sfw6BCUMbXn/tNXJ6VwcO+Crs7h9
o95tveDd11q/FEcRQl6mgtBhwX/dE0bmCYUHDvLU/Bpk0gqtIKsga5bwrczEGVNV
3AEdpLPvirRJU12KBRzx3OFEv8XX4ncZV1yXC3XuiENxD8pswbSyUKd3RmxYDxG/
8XYkWq45QrdRZynh0FUwbxfkkeqt+CjCQ2+iZKn7nZiSYkg+6w1PgkqK/z9y7pa1
rqHBmLrvfZB1bf9aUp6r9cB+0IdD24UHBw99OHr90dPuZR3T6jlqhzfuStPgDW71
cKzCvfFu85KVXqnwoWWVk40CAwEAAaN9MHswHQYDVR0OBBYEFMDnhL/oWSczELBS
T1FSLwbWwHrNMB8GA1UdIwQYMBaAFHB/Lq6DaFmYBCMqzes+F80k3QFJMAkGA1Ud
EwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4
YW1wbGUwDQYJKoZIhvcNAQELBQADggEBAHvTBEN1ig8RrsT716Ginv4gGNX0LzGI
RrZ1jO7lm5emuaPNYJpGw0iX5Zdo91qGNXPZaZ75X3S55pQTActq3OPEBOll2pyk
iyjz+Zp/v5cfRZLlBbFW5gv2R94eibYr4U3fSn4B0yPcl4xH/l/HzJhGDsSDW8qK
8VIJvmvsPwmL0JMCv+FR59F+NFYZdND/KCXet59WUpF9ICmFCoBEX3EyJXEPwhbi
X2sdPzJbCjx0HLli8e0HUKNttLQxCsBTRGo6iISLLamwN47mGDa9miBADwGSiz2q
YeeuLO02zToHhnQ6KbPXOrQAqcL1kngO4g+j/ru+4AZThFkdkGnltvk=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA84TzkjbcskbKZnrlKcXzSSgi07n+4N7kOM7uIhzpkTuU0HIv
h4VZS2axxfV6hV3CD9MuKVg2zEhroqK1Js5n4ke230nSP/qiELfCl0R+hzRtbfKL
tFUr1iHeU0uQ6v3q+Tg1K/Tmmg72uxKrhyHDL7z0BriPjhAHJ5XlQsvR1RCMkqzu
D9wjSInJxpMMIgLndOclAKv4D1wQtYU7ZpTw+01XBlUhIiXb86qpYL9NqnnRq5JI
uhmOEuxo2ca63+xaHNhD/udSyc8C0Md/yX6wlONTRFgLLv0pdLUGm1xEjfsydaQ6
qGd7hzIKUI3hohNKJa/mHLElv7SZolPTogK/EQIDAQABAoIBAADq9FwNtuE5IRQn
zGtO4q7Y5uCzZ8GDNYr9RKp+P2cbuWDbvVAecYq2NV9QoIiWJOAYZKklOvekIju3
r0UZLA0PRiIrTg6NrESx3JrjWDK8QNlUO7CPTZ39/K+FrmMkV9lem9yxjJjyC34D
AQB+YRTx+l14HppjdxNwHjAVQpIx/uO2F5xAMuk32+3K+pq9CZUtrofe1q4Agj9R
5s8mSy9pbRo9kW9wl5xdEotz1LivFOEiqPUJTUq5J5PeMKao3vdK726XI4Z455Nm
W2/MA0YV0ug2FYinHcZdvKM6dimH8GLfa3X8xKRfzjGjTiMSwsdjgMa4awY3tEHH
674jhAECgYEA/zqMrc0zsbNk83sjgaYIug5kzEpN4ic020rSZsmQxSCerJTgNhmg
utKSCt0Re09Jt3LqG48msahX8ycqDsHNvlEGPQSbMu9IYeO3Wr3fAm75GEtFWePY
BhM73I7gkRt4s8bUiUepMG/wY45c5tRF23xi8foReHFFe9MDzh8fJFECgYEA9EFX
4qAik1pOJGNei9BMwmx0I0gfVEIgu0tzeVqT45vcxbxr7RkTEaDoAG6PlbWP6D9a
WQNLp4gsgRM90ZXOJ4up5DsAWDluvaF4/omabMA+MJJ5kGZ0gCj5rbZbKqUws7x8
bp+6iBfUPJUbcqNqFmi/08Yt7vrDnMnyMw2A/sECgYEAiiuRMxnuzVm34hQcsbhH
6ymVqf7j0PW2qK0F4H1ocT9qhzWFd+RB3kHWrCjnqODQoI6GbGr/4JepHUpre1ex
4UEN5oSS3G0ru0rC3U4C59dZ5KwDHFm7ffZ1pr52ljfQDUsrjjIMRtuiwNK2OoRa
WSsqiaL+SDzSB+nBmpnAizECgYBdt/y6rerWUx4MhDwwtTnel7JwHyo2MDFS6/5g
n8qC2Lj6/fMDRE22w+CA2esp7EJNQJGv+b27iFpbJEDh+/Lf5YzIT4MwVskQ5bYB
JFcmRxUVmf4e09D7o705U/DjCgMH09iCsbLmqQ38ONIRSHZaJtMDtNTHD1yi+jF+
OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDVXWBq3/xh7kiq
jBFIQ6VttlJdqphJsWGSNbH8OgQlDG15/7TVyelcHDvgq7O4faPebb3g3ddavxRH
EUJepoLQYcF/3RNG5gmFBw7y1PwaZNIKrSCrIGuW8K3MxBlTVdwBHaSz74q0SVNd
igUc8dzhRL/F1+J3GVdclwt17ohDcQ/KbMG0slCnd0ZsWA8Rv/F2JFquOUK3UWcp
4dBVMG8X5JHqrfgowkNvomSp+52YkmJIPusNT4JKiv8/cu6Wta6hwZi6732QdW3/
WlKeq/XAftCHQ9uFBwcPfTh6/dHT7mUd0+o5aoc37krT4A1u9XCswr3xbvOSlV6p
8KFllZONAgMBAAECggEADLTt7A+A2Vg2jamf0dztejY0e42QWjstI2b9PZc67fXq
gyx+WYkX07t+uWegYWliG/oPJ9guXiIpE/5sJHToL37S5kmFP2CtynVcJ4wVo4DD
nY0n9+kLX0bgIuS+2V6wpoRcbbbjXM9NHrH8kfe5ftT4UtEDlLI2qLX6IcDd7p4u
OYjILChR8GSGTw96yIy2Ws/1Uq9PMw64JoT4RcK5QqnkcPMDFRH1SeLOL+zXP2c4
nEl9yOy3HauZKxwl/Ry/XK1s3DdjopIAU29ut+hAuMiTb06kzZnumL9NoplKoZtU
otw/gVcCKhT+Ep+p6i8InLF0XEME8A0qUR0niWebgQKBgQD6vkxR49B8ZZQrzjw4
XKs1lI9cP7cgPiuWlDHMNjYou3WbOaGrMeScvbB1Ldh9A8pjAhxlw8AaV/xs4qcA
trmVmSISVMVyc1wSGlJXWi2nUzTNs9OE3vj22SyStihf8UUZtWwX2b5Y4JrYhA/V
+ThGGqHR03oLNLShNLtJc2c7YQKBgQDZ1nkibEyrepexw/fnwkw61IJKq9wRIh1G
PREakhbe9wU5ie0knuf9razt7awzQiwFmlixmWqsM7UEtLuXNnNPciwdrKhhbvrd
vD/rkbIEHEPllIhFlDtOzn3hRBWTzWmXFjpou/2LvHTSbVis4IYVZymTp2jb1ZLs
7VbiG9JTrQKBgQDc6n75g1szzpdehQT/r33U5j/syeJBUSU8NPMu9fB/sLHsgjlT
SNEf2+y1QSBE/Or6kmiMrIv7advn30W+Vj9qc5HWTsPrk4HiHTjA553jl2alebN5
lK4LZspjtIQcC8mS3goPdXPEgJdM/gWpwzr2YQ6DfOxBJT2j7n64NyoT4QKBgH7/
yx+GhCx1DHtXBPDZFhg2TL+78lEK0oZgk9gp06up2CHzh44SFq6O0oLkTcCUk5Ww
poTkLIy4mJBlzfgahp+KsK2cO46SZS9g0ONFzcMXt33hWpE2Gl2XhUwPpYTF/QlY
rDTjZK5S8Mi9dzVSsNlJi7PJphiEK2R1+nFYRwcBAoGBANWoIG85jpXAOnq/Kcgx
Rl3YivR0Ke6r1tFlP58rT7X3EkiboXyQl5vLIFCAwUte6RGrLl1dy3Qyh80B9ySL
Jx6vj42CK7vgv6A96TuVYhnXTnEI6ZvwAQ2VGaw4BizhjALs/kdSE/og9aSCs3ws
KQypwAFz0tbHxaNag/bSAN0J
-----END PRIVATE KEY-----

+ 22
- 21
crypto/openssl/apps/speed.c View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
@@ -1242,8 +1242,6 @@ static int run_benchmark(int async_jobs,
OSSL_ASYNC_FD job_fd = 0;
size_t num_job_fds = 0;

run = 1;

if (async_jobs == 0) {
return loop_function((void *)&loopargs);
}
@@ -2412,7 +2410,7 @@ int speed_main(int argc, char **argv)
print_message(names[D_CBC_128_CML], c[D_CBC_128_CML][testnum],
lengths[testnum], seconds.sym);
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_128_CML][testnum]); count++)
for (count = 0; COND(c[D_CBC_128_CML][testnum]); count++)
Camellia_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &camellia_ks1,
iv, CAMELLIA_ENCRYPT);
@@ -2434,7 +2432,7 @@ int speed_main(int argc, char **argv)
exit(1);
}
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_192_CML][testnum]); count++)
for (count = 0; COND(c[D_CBC_192_CML][testnum]); count++)
Camellia_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &camellia_ks2,
iv, CAMELLIA_ENCRYPT);
@@ -2452,7 +2450,7 @@ int speed_main(int argc, char **argv)
print_message(names[D_CBC_256_CML], c[D_CBC_256_CML][testnum],
lengths[testnum], seconds.sym);
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_256_CML][testnum]); count++)
for (count = 0; COND(c[D_CBC_256_CML][testnum]); count++)
Camellia_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &camellia_ks3,
iv, CAMELLIA_ENCRYPT);
@@ -2472,7 +2470,7 @@ int speed_main(int argc, char **argv)
print_message(names[D_CBC_IDEA], c[D_CBC_IDEA][testnum],
lengths[testnum], seconds.sym);
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_IDEA][testnum]); count++)
for (count = 0; COND(c[D_CBC_IDEA][testnum]); count++)
IDEA_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &idea_ks,
iv, IDEA_ENCRYPT);
@@ -2492,7 +2490,7 @@ int speed_main(int argc, char **argv)
print_message(names[D_CBC_SEED], c[D_CBC_SEED][testnum],
lengths[testnum], seconds.sym);
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_SEED][testnum]); count++)
for (count = 0; COND(c[D_CBC_SEED][testnum]); count++)
SEED_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &seed_ks, iv, 1);
d = Time_F(STOP);
@@ -2515,7 +2513,7 @@ int speed_main(int argc, char **argv)
exit(1);
}
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_RC2][testnum]); count++)
for (count = 0; COND(c[D_CBC_RC2][testnum]); count++)
RC2_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &rc2_ks,
iv, RC2_ENCRYPT);
@@ -2539,7 +2537,7 @@ int speed_main(int argc, char **argv)
exit(1);
}
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_RC5][testnum]); count++)
for (count = 0; COND(c[D_CBC_RC5][testnum]); count++)
RC5_32_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &rc5_ks,
iv, RC5_ENCRYPT);
@@ -2559,7 +2557,7 @@ int speed_main(int argc, char **argv)
print_message(names[D_CBC_BF], c[D_CBC_BF][testnum],
lengths[testnum], seconds.sym);
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_BF][testnum]); count++)
for (count = 0; COND(c[D_CBC_BF][testnum]); count++)
BF_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &bf_ks,
iv, BF_ENCRYPT);
@@ -2579,7 +2577,7 @@ int speed_main(int argc, char **argv)
print_message(names[D_CBC_CAST], c[D_CBC_CAST][testnum],
lengths[testnum], seconds.sym);
Time_F(START);
for (count = 0, run = 1; COND(c[D_CBC_CAST][testnum]); count++)
for (count = 0; COND(c[D_CBC_CAST][testnum]); count++)
CAST_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
(size_t)lengths[testnum], &cast_ks,
iv, CAST_ENCRYPT);
@@ -3006,7 +3004,7 @@ int speed_main(int argc, char **argv)
pctx = NULL;
}
if (kctx == NULL || /* keygen ctx is not null */
!EVP_PKEY_keygen_init(kctx) /* init keygen ctx */ ) {
EVP_PKEY_keygen_init(kctx) <= 0/* init keygen ctx */ ) {
ecdh_checks = 0;
BIO_printf(bio_err, "ECDH keygen failure.\n");
ERR_print_errors(bio_err);
@@ -3014,12 +3012,12 @@ int speed_main(int argc, char **argv)
break;
}

if (!EVP_PKEY_keygen(kctx, &key_A) || /* generate secret key A */
!EVP_PKEY_keygen(kctx, &key_B) || /* generate secret key B */
if (EVP_PKEY_keygen(kctx, &key_A) <= 0 || /* generate secret key A */
EVP_PKEY_keygen(kctx, &key_B) <= 0 || /* generate secret key B */
!(ctx = EVP_PKEY_CTX_new(key_A, NULL)) || /* derivation ctx from skeyA */
!EVP_PKEY_derive_init(ctx) || /* init derivation ctx */
!EVP_PKEY_derive_set_peer(ctx, key_B) || /* set peer pubkey in ctx */
!EVP_PKEY_derive(ctx, NULL, &outlen) || /* determine max length */
EVP_PKEY_derive_init(ctx) <= 0 || /* init derivation ctx */
EVP_PKEY_derive_set_peer(ctx, key_B) <= 0 || /* set peer pubkey in ctx */
EVP_PKEY_derive(ctx, NULL, &outlen) <= 0 || /* determine max length */
outlen == 0 || /* ensure outlen is a valid size */
outlen > MAX_ECDH_SIZE /* avoid buffer overflow */ ) {
ecdh_checks = 0;
@@ -3106,8 +3104,8 @@ int speed_main(int argc, char **argv)

if ((ed_pctx = EVP_PKEY_CTX_new_id(test_ed_curves[testnum].nid, NULL))
== NULL
|| !EVP_PKEY_keygen_init(ed_pctx)
|| !EVP_PKEY_keygen(ed_pctx, &ed_pkey)) {
|| EVP_PKEY_keygen_init(ed_pctx) <= 0
|| EVP_PKEY_keygen(ed_pctx, &ed_pkey) <= 0) {
st = 0;
EVP_PKEY_CTX_free(ed_pctx);
break;
@@ -3395,6 +3393,7 @@ static void print_message(const char *s, long num, int length, int tm)
mr ? "+DT:%s:%d:%d\n"
: "Doing %s for %ds on %d size blocks: ", s, tm, length);
(void)BIO_flush(bio_err);
run = 1;
alarm(tm);
#else
BIO_printf(bio_err,
@@ -3412,6 +3411,7 @@ static void pkey_print_message(const char *str, const char *str2, long num,
mr ? "+DTP:%d:%s:%s:%d\n"
: "Doing %u bits %s %s's for %ds: ", bits, str, str2, tm);
(void)BIO_flush(bio_err);
run = 1;
alarm(tm);
#else
BIO_printf(bio_err,
@@ -3584,6 +3584,7 @@ static int do_multi(int multi, int size_num)
p = buf + 4;
k = atoi(sstrsep(&p, sep));
sstrsep(&p, sep);
sstrsep(&p, sep);

d = atof(sstrsep(&p, sep));
eddsa_results[k][0] += d;
@@ -3641,7 +3642,7 @@ static void multiblock_speed(const EVP_CIPHER *evp_cipher, int lengths_single,
for (j = 0; j < num; j++) {
print_message(alg_name, 0, mblengths[j], seconds->sym);
Time_F(START);
for (count = 0, run = 1; run && count < 0x7fffffff; count++) {
for (count = 0; run && count < 0x7fffffff; count++) {
unsigned char aad[EVP_AEAD_TLS1_AAD_LEN];
EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
size_t len = mblengths[j];

+ 3
- 3
crypto/openssl/apps/timeouts.h View File

@@ -7,11 +7,11 @@
* https://www.openssl.org/source/license.html
*/

#ifndef INCLUDED_TIMEOUTS_H
# define INCLUDED_TIMEOUTS_H
#ifndef OSSL_APPS_TIMEOUTS_H
# define OSSL_APPS_TIMEOUTS_H

/* numbers in us */
# define DGRAM_RCV_TIMEOUT 250000
# define DGRAM_SND_TIMEOUT 250000

#endif /* ! INCLUDED_TIMEOUTS_H */
#endif /* ! OSSL_APPS_TIMEOUTS_H */

+ 2
- 1
crypto/openssl/apps/ts.c View File

@@ -282,7 +282,8 @@ int ts_main(int argc, char **argv)
goto end;
}

conf = load_config_file(configfile);
if ((conf = load_config_file(configfile)) == NULL)
goto end;
if (configfile != default_config_file && !app_load_modules(conf))
goto end;


+ 6
- 6
crypto/openssl/apps/x509.c View File

@@ -1,5 +1,5 @@
/*
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@@ -72,7 +72,7 @@ const OPTIONS x509_options[] = {
{"outform", OPT_OUTFORM, 'f',
"Output format - default PEM (one of DER or PEM)"},
{"out", OPT_OUT, '>', "Output file - default stdout"},
{"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
{"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
{"passin", OPT_PASSIN, 's', "Private key password/pass-phrase source"},
{"serial", OPT_SERIAL, '-', "Print serial number value"},
{"subject_hash", OPT_HASH, '-', "Print subject hash value"},
@@ -107,7 +107,7 @@ const OPTIONS x509_options[] = {
{"checkend", OPT_CHECKEND, 'M',
"Check whether the cert expires in the next arg seconds"},
{OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"},
{"signkey", OPT_SIGNKEY, '<', "Self sign cert with arg"},
{"signkey", OPT_SIGNKEY, 's', "Self sign cert with arg"},
{"x509toreq", OPT_X509TOREQ, '-',
"Output a certification request object"},
{"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
@@ -130,7 +130,7 @@ const OPTIONS x509_options[] = {
{"checkemail", OPT_CHECKEMAIL, 's', "Check certificate matches email"},
{"checkip", OPT_CHECKIP, 's', "Check certificate matches ipaddr"},
{"CAform", OPT_CAFORM, 'F', "CA format - default PEM"},
{"CAkeyform", OPT_CAKEYFORM, 'f', "CA key format - default PEM"},
{"CAkeyform", OPT_CAKEYFORM, 'E', "CA key format - default PEM"},
{"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
{"force_pubkey", OPT_FORCE_PUBKEY, '<', "Force the Key to put inside certificate"},
{"next_serial", OPT_NEXT_SERIAL, '-', "Increment current certificate serial number"},
@@ -217,7 +217,7 @@ int x509_main(int argc, char **argv)
goto opthelp;
break;
case OPT_KEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyformat))
goto opthelp;
break;
case OPT_CAFORM:
@@ -225,7 +225,7 @@ int x509_main(int argc, char **argv)
goto opthelp;
break;
case OPT_CAKEYFORM:
if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat))
if (!opt_format(opt_arg(), OPT_FMT_PDE, &CAkeyformat))
goto opthelp;
break;
case OPT_OUT:

+ 15
- 4
crypto/openssl/appveyor.yml View File

@@ -1,3 +1,6 @@
image:
- Visual Studio 2017

platform:
- x64
- x86
@@ -5,17 +8,24 @@ platform:
environment:
fast_finish: true
matrix:
- VSVER: 14
- VSVER: 15

configuration:
- shared
- plain
- minimal

before_build:
- ps: >-
Install-Module VSSetup -Scope CurrentUser
- ps: >-
Get-VSSetupInstance -All
- ps: >-
gci env:* | sort-object name
- ps: >-
If ($env:Platform -Match "x86") {
$env:VCVARS_PLATFORM="x86"
$env:TARGET="VC-WIN32 no-asm"
$env:TARGET="VC-WIN32 no-asm --strict-warnings"
} Else {
$env:VCVARS_PLATFORM="amd64"
$env:TARGET="VC-WIN64A-masm"
@@ -23,11 +33,12 @@ before_build:
- ps: >-
If ($env:Configuration -Match "shared") {
$env:SHARED="no-makedepend"
} ElseIf ($env:Configuration -Match "minimal") {
$env:SHARED="no-shared no-dso no-makedepend no-aria no-async no-autoload-config no-blake2 no-bf no-camellia no-cast no-chacha no-cmac no-cms no-comp no-ct no-des no-dgram no-dh no-dsa no-dtls no-ec2m no-engine no-filenames no-gost no-idea no-mdc2 no-md4 no-multiblock no-nextprotoneg no-ocsp no-ocb no-poly1305 no-psk no-rc2 no-rc4 no-rmd160 no-seed no-siphash no-sm2 no-sm3 no-sm4 no-srp no-srtp no-ssl3 no-ssl3-method no-ts no-ui-console no-whirlpool no-asm -DOPENSSL_SMALL_FOOTPRINT"
} Else {
$env:SHARED="no-shared no-makedepend"
}
- ps: $env:VSCOMNTOOLS=(Get-Content ("env:VS" + "$env:VSVER" + "0COMNTOOLS"))
- call "%VSCOMNTOOLS%\..\..\VC\vcvarsall.bat" %VCVARS_PLATFORM%
- call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvarsall.bat" %VCVARS_PLATFORM%
- mkdir _build
- cd _build
- perl ..\Configure %TARGET% %SHARED%

+ 7
- 7
crypto/openssl/build.info View File

@@ -9,20 +9,20 @@
"";
-}
LIBS=libcrypto libssl
INCLUDE[libcrypto]=. crypto/include include
INCLUDE[libcrypto]=. include
INCLUDE[libssl]=. include
DEPEND[libssl]=libcrypto

# Empty DEPEND "indices" means the dependencies are expected to be built
# unconditionally before anything else.
DEPEND[]=include/openssl/opensslconf.h crypto/include/internal/bn_conf.h \
crypto/include/internal/dso_conf.h
DEPEND[]=include/openssl/opensslconf.h include/crypto/bn_conf.h \
include/crypto/dso_conf.h
DEPEND[include/openssl/opensslconf.h]=configdata.pm
GENERATE[include/openssl/opensslconf.h]=include/openssl/opensslconf.h.in
DEPEND[crypto/include/internal/bn_conf.h]=configdata.pm
GENERATE[crypto/include/internal/bn_conf.h]=crypto/include/internal/bn_conf.h.in
DEPEND[crypto/include/internal/dso_conf.h]=configdata.pm
GENERATE[crypto/include/internal/dso_conf.h]=crypto/include/internal/dso_conf.h.in
DEPEND[include/crypto/bn_conf.h]=configdata.pm
GENERATE[include/crypto/bn_conf.h]=include/crypto/bn_conf.h.in
DEPEND[include/crypto/dso_conf.h]=configdata.pm
GENERATE[include/crypto/dso_conf.h]=include/crypto/dso_conf.h.in

IF[{- defined $target{shared_defflag} -}]
IF[{- $config{target} =~ /^mingw/ -}]

+ 9
- 11
crypto/openssl/config View File

@@ -1,5 +1,5 @@
#!/bin/sh
# Copyright 1998-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -509,10 +509,7 @@ case "$GUESSOS" in
OUT="ios64-cross" ;;
alpha-*-linux2)
ISA=`awk '/cpu model/{print$4;exit(0);}' /proc/cpuinfo`
case ${ISA:-generic} in
*[678]) OUT="linux-alpha+bwx-$CC" ;;
*) OUT="linux-alpha-$CC" ;;
esac
OUT="linux-alpha-$CC"
if [ "$CC" = "gcc" ]; then
case ${ISA:-generic} in
EV5|EV45) __CNF_CFLAGS="$__CNF_CFLAGS -mcpu=ev5"
@@ -908,8 +905,12 @@ fi

OUT="$OUT"

$PERL $THERE/Configure LIST | grep "$OUT" > /dev/null
if [ $? = "0" ]; then
if [ "$OUT" = "darwin64-x86_64-cc" ]; then
echo "WARNING! If you wish to build 32-bit libraries, then you have to"
echo " invoke 'KERNEL_BITS=32 $THERE/config $options'."
fi

if $PERL $THERE/Configure LIST | grep "$OUT" > /dev/null; then
if [ "$VERBOSE" = "true" ]; then
echo /usr/bin/env \
__CNF_CPPDEFINES="'$__CNF_CPPDEFINES'" \
@@ -939,8 +940,5 @@ else
exit 1
fi

if [ "$OUT" = "darwin64-x86_64-cc" ]; then
echo "WARNING! If you wish to build 32-bit libraries, then you have to"
echo " invoke 'KERNEL_BITS=32 $THERE/config $options'."
fi
# Do not add anothing from here on, so we don't lose the Configure exit code
)

+ 2
- 3
crypto/openssl/crypto/LPdir_unix.c View File

@@ -131,9 +131,8 @@ const char *LP_find_file(LP_DIR_CTX **ctx, const char *directory)
return 0;
}

strncpy((*ctx)->entry_name, direntry->d_name,
sizeof((*ctx)->entry_name) - 1);
(*ctx)->entry_name[sizeof((*ctx)->entry_name) - 1] = '\0';
OPENSSL_strlcpy((*ctx)->entry_name, direntry->d_name,
sizeof((*ctx)->entry_name));
#ifdef __VMS
if ((*ctx)->expect_file_generations) {
char *p = (*ctx)->entry_name + strlen((*ctx)->entry_name);

+ 1
- 1
crypto/openssl/crypto/aes/aes_core.c View File

@@ -41,7 +41,7 @@
#include <stdlib.h>
#include <openssl/crypto.h>
#include <openssl/aes.h>
#include "aes_locl.h"
#include "aes_local.h"

#ifndef AES_ASM
/*-

+ 1
- 1
crypto/openssl/crypto/aes/aes_ecb.c View File

@@ -10,7 +10,7 @@
#include <assert.h>

#include <openssl/aes.h>
#include "aes_locl.h"
#include "aes_local.h"

void AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
const AES_KEY *key, const int enc)

+ 1
- 1
crypto/openssl/crypto/aes/aes_ige.c View File

@@ -10,7 +10,7 @@
#include "internal/cryptlib.h"

#include <openssl/aes.h>
#include "aes_locl.h"
#include "aes_local.h"

#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
typedef struct {

crypto/openssl/crypto/aes/aes_locl.h → crypto/openssl/crypto/aes/aes_local.h View File

@@ -7,8 +7,8 @@
* https://www.openssl.org/source/license.html
*/

#ifndef HEADER_AES_LOCL_H
# define HEADER_AES_LOCL_H
#ifndef OSSL_CRYPTO_AES_LOCAL_H
# define OSSL_CRYPTO_AES_LOCAL_H

# include <openssl/e_os2.h>
# include <stdio.h>
@@ -39,4 +39,4 @@ typedef unsigned char u8;
/* This controls loop-unrolling in aes_core.c */
# undef FULL_UNROLL

#endif /* !HEADER_AES_LOCL_H */
#endif /* !OSSL_CRYPTO_AES_LOCAL_H */

+ 1
- 1
crypto/openssl/crypto/aes/aes_misc.c View File

@@ -9,7 +9,7 @@

#include <openssl/opensslv.h>
#include <openssl/aes.h>
#include "aes_locl.h"
#include "aes_local.h"

const char *AES_options(void)
{

+ 1
- 1
crypto/openssl/crypto/aes/aes_x86core.c View File

@@ -46,7 +46,7 @@

#include <stdlib.h>
#include <openssl/aes.h>
#include "aes_locl.h"
#include "aes_local.h"

/*
* These two parameters control which table, 256-byte or 2KB, is

+ 2
- 2
crypto/openssl/crypto/aes/asm/aes-armv4.pl View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2007-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1242,4 +1242,4 @@ while(<SELF>) {
close SELF;

print $code;
close STDOUT; # enforce flush
close STDOUT or die "error closing STDOUT: $!"; # enforce flush

+ 2
- 2
crypto/openssl/crypto/aes/asm/aes-c64xplus.pl View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2012-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1379,4 +1379,4 @@ AES_Td4:
___

print $code;
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

+ 2
- 2
crypto/openssl/crypto/aes/asm/aes-mips.pl View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -2167,4 +2167,4 @@ foreach (split("\n",$code)) {
print $_,"\n";
}

close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

+ 2
- 2
crypto/openssl/crypto/aes/asm/aes-parisc.pl View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2009-2018 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1035,4 +1035,4 @@ foreach (split("\n",$code)) {

print $_,"\n";
}
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

+ 2
- 2
crypto/openssl/crypto/aes/asm/aes-ppc.pl View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2007-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1456,4 +1456,4 @@ ___

$code =~ s/\`([^\`]*)\`/eval $1/gem;
print $code;
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

+ 4
- 4
crypto/openssl/crypto/aes/asm/aes-s390x.pl View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1987,7 +1987,7 @@ $code.=<<___;

.Lxts_enc_done:
stg $sp,$tweak+0($sp) # wipe tweak
stg $sp,$twesk+8($sp)
stg $sp,$tweak+8($sp)
lm${g} %r6,$ra,6*$SIZE_T($sp)
br $ra
.size AES_xts_encrypt,.-AES_xts_encrypt
@@ -2267,7 +2267,7 @@ $code.=<<___;
stg $sp,$tweak-16+8($sp)
.Lxts_dec_done:
stg $sp,$tweak+0($sp) # wipe tweak
stg $sp,$twesk+8($sp)
stg $sp,$tweak+8($sp)
lm${g} %r6,$ra,6*$SIZE_T($sp)
br $ra
.size AES_xts_decrypt,.-AES_xts_decrypt
@@ -2279,4 +2279,4 @@ ___

$code =~ s/\`([^\`]*)\`/eval $1/gem;
print $code;
close STDOUT; # force flush
close STDOUT or die "error closing STDOUT: $!"; # force flush

+ 2
- 2
crypto/openssl/crypto/aes/asm/aes-sparcv9.pl View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1189,4 +1189,4 @@ ___
$code =~ s/fmovs.*$//gm;

print $code;
close STDOUT; # ensure flush
close STDOUT or die "error closing STDOUT: $!"; # ensure flush

+ 2
- 2
crypto/openssl/crypto/aes/asm/aesfx-sparcv9.pl View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -1267,4 +1267,4 @@ foreach (split("\n",$code)) {
print $_,"\n";
}

close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

+ 3
- 3
crypto/openssl/crypto/aes/asm/aesni-mb-x86_64.pl View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -70,7 +70,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
$avx = ($1>=10) + ($1>=11);
}

if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) {
if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}

@@ -1471,4 +1471,4 @@ $code =~ s/\`([^\`]*)\`/eval($1)/gem;
$code =~ s/\b(aes.*%xmm[0-9]+).*$/aesni($1)/gem;

print $code;
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

+ 9
- 3
crypto/openssl/crypto/aes/asm/aesni-sha1-x86_64.pl View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -108,7 +108,7 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
$avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
`ml64 2>&1` =~ /Version ([0-9]+)\./ &&
$1>=10);
$avx=1 if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/ && $2>=3.0);
$avx=1 if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/ && $2>=3.0);

$shaext=1; ### set to zero if compiling for 1.0.1

@@ -133,6 +133,7 @@ $code.=<<___;
.type aesni_cbc_sha1_enc,\@abi-omnipotent
.align 32
aesni_cbc_sha1_enc:
.cfi_startproc
# caller should check for SSSE3 and AES-NI bits
mov OPENSSL_ia32cap_P+0(%rip),%r10d
mov OPENSSL_ia32cap_P+4(%rip),%r11
@@ -151,6 +152,7 @@ ___
$code.=<<___;
jmp aesni_cbc_sha1_enc_ssse3
ret
.cfi_endproc
.size aesni_cbc_sha1_enc,.-aesni_cbc_sha1_enc
___

@@ -840,6 +842,7 @@ $code.=<<___;
.type aesni256_cbc_sha1_dec,\@abi-omnipotent
.align 32
aesni256_cbc_sha1_dec:
.cfi_startproc
# caller should check for SSSE3 and AES-NI bits
mov OPENSSL_ia32cap_P+0(%rip),%r10d
mov OPENSSL_ia32cap_P+4(%rip),%r11d
@@ -854,6 +857,7 @@ ___
$code.=<<___;
jmp aesni256_cbc_sha1_dec_ssse3
ret
.cfi_endproc
.size aesni256_cbc_sha1_dec,.-aesni256_cbc_sha1_dec

.type aesni256_cbc_sha1_dec_ssse3,\@function,6
@@ -1760,6 +1764,7 @@ $code.=<<___;
.type aesni_cbc_sha1_enc_shaext,\@function,6
.align 32
aesni_cbc_sha1_enc_shaext:
.cfi_startproc
mov `($win64?56:8)`(%rsp),$inp # load 7th argument
___
$code.=<<___ if ($win64);
@@ -1911,6 +1916,7 @@ $code.=<<___ if ($win64);
___
$code.=<<___;
ret
.cfi_endproc
.size aesni_cbc_sha1_enc_shaext,.-aesni_cbc_sha1_enc_shaext
___
}}}
@@ -2137,4 +2143,4 @@ foreach (split("\n",$code)) {

print $_,"\n";
}
close STDOUT;
close STDOUT or die "error closing STDOUT: $!";

+ 49
- 17
crypto/openssl/crypto/aes/asm/aesni-sha256-x86_64.pl View File

@@ -1,5 +1,5 @@
#! /usr/bin/env perl
# Copyright 2013-2016 The OpenSSL Project Authors. All Rights Reserved.
# Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
@@ -70,7 +70,7 @@ if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
$avx = ($1>=10) + ($1>=12);
}

if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([3-9]\.[0-9]+)/) {
if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}

@@ -123,6 +123,7 @@ $code=<<___;
.type $func,\@abi-omnipotent
.align 16
$func:
.cfi_startproc
___
if ($avx) {
$code.=<<___;
@@ -162,6 +163,7 @@ $code.=<<___;
ud2
.Lprobe:
ret
.cfi_endproc
.size $func,.-$func

.align 64
@@ -1084,7 +1086,23 @@ $code.=<<___;
vmovdqa $t0,0x00(%rsp)
xor $a1,$a1
vmovdqa $t1,0x20(%rsp)
___
$code.=<<___ if (!$win64);
# temporarily use %rsi as frame pointer
mov $_rsp,%rsi
.cfi_def_cfa %rsi,8
___
$code.=<<___;
lea -$PUSH8(%rsp),%rsp
___
$code.=<<___ if (!$win64);
# the frame info is at $_rsp, but the stack is moving...
# so a second frame pointer is saved at -8(%rsp)
# that is in the red zone
mov %rsi,-8(%rsp)
.cfi_cfa_expression %rsp-8,deref,+8
___
$code.=<<___;
mov $B,$a3
vmovdqa $t2,0x00(%rsp)
xor $C,$a3 # magic
@@ -1106,7 +1124,17 @@ my @X = @_;
my @insns = (&$body,&$body,&$body,&$body); # 96 instructions
my $base = "+2*$PUSH8(%rsp)";

&lea ("%rsp","-$PUSH8(%rsp)") if (($j%2)==0);
if (($j%2)==0) {
&lea ("%rsp","-$PUSH8(%rsp)");
$code.=<<___ if (!$win64);
.cfi_cfa_expression %rsp+`$PUSH8-8`,deref,+8
# copy secondary frame pointer to new location again at -8(%rsp)
pushq $PUSH8-8(%rsp)
.cfi_cfa_expression %rsp,deref,+8
lea 8(%rsp),%rsp
.cfi_cfa_expression %rsp-8,deref,+8
___
}
foreach (Xupdate_256_AVX()) { # 29 instructions
eval;
eval(shift(@insns));
@@ -1232,26 +1260,28 @@ $code.=<<___;

jbe .Loop_avx2
lea (%rsp),$Tbl
# temporarily use $Tbl as index to $_rsp
# this avoids the need to save a secondary frame pointer at -8(%rsp)
.cfi_cfa_expression $Tbl+`16*$SZ+7*8`,deref,+8

.Ldone_avx2:
lea ($Tbl),%rsp
mov $_ivp,$ivp
mov $_rsp,%rsi
mov 16*$SZ+4*8($Tbl),$ivp
mov 16*$SZ+7*8($Tbl),%rsi
.cfi_def_cfa %rsi,8