diff --git a/core/openssl-cryptodev/0001-cryptodev-Fix-issue-with-signature-generation.patch b/core/openssl-cryptodev/0001-cryptodev-Fix-issue-with-signature-generation.patch new file mode 100755 index 000000000..a95ba0491 --- /dev/null +++ b/core/openssl-cryptodev/0001-cryptodev-Fix-issue-with-signature-generation.patch @@ -0,0 +1,429 @@ +From fa47376f4c3e03b18ccd52df53d8c5041155d4ed Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Fri, 4 Jul 2014 07:31:25 +0200 +Subject: [PATCH] cryptodev: Fix issue with signature generation + +That patch also enables support for SHA2 hashes, and +removes support for hashes that were never supported by +cryptodev. +--- + crypto/engine/eng_cryptodev.c | 192 ++++++++++++++++++++++++++++++------------ + 1 file changed, 140 insertions(+), 52 deletions(-) + +diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c +index 568e131..a1c39e5 100644 +--- a/crypto/engine/eng_cryptodev.c ++++ b/crypto/engine/eng_cryptodev.c +@@ -2,6 +2,7 @@ + * Copyright (c) 2002 Bob Beck + * Copyright (c) 2002 Theo de Raadt + * Copyright (c) 2002 Markus Friedl ++ * Copyright (c) 2012 Nikos Mavrogiannopoulos + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -74,8 +75,6 @@ struct dev_crypto_state { + int d_fd; + + #ifdef USE_CRYPTODEV_DIGESTS +- char dummy_mac_key[HASH_MAX_LEN]; +- + unsigned char digest_res[HASH_MAX_LEN]; + char *mac_data; + int mac_len; +@@ -162,15 +161,21 @@ static struct { + static struct { + int id; + int nid; +- int keylen; ++ int digestlen; + } digests[] = { ++#if 0 ++ /* HMAC is not supported */ + { CRYPTO_MD5_HMAC, NID_hmacWithMD5, 16}, + { CRYPTO_SHA1_HMAC, NID_hmacWithSHA1, 20}, +- { CRYPTO_RIPEMD160_HMAC, NID_ripemd160, 16/*?*/}, +- { CRYPTO_MD5_KPDK, NID_undef, 0}, +- { CRYPTO_SHA1_KPDK, NID_undef, 0}, ++ { CRYPTO_SHA2_256_HMAC, NID_hmacWithSHA256, 32}, ++ { CRYPTO_SHA2_384_HMAC, NID_hmacWithSHA384, 48}, ++ { CRYPTO_SHA2_512_HMAC, NID_hmacWithSHA512, 64}, ++#endif + { CRYPTO_MD5, NID_md5, 16}, + { CRYPTO_SHA1, NID_sha1, 20}, ++ { CRYPTO_SHA2_256, NID_sha256, 32}, ++ { CRYPTO_SHA2_384, NID_sha384, 48}, ++ { CRYPTO_SHA2_512, NID_sha512, 64}, + { 0, NID_undef, 0}, + }; + #endif +@@ -248,13 +253,14 @@ get_cryptodev_ciphers(const int **cnids) + static int nids[CRYPTO_ALGORITHM_MAX]; + struct session_op sess; + int fd, i, count = 0; ++ unsigned char fake_key[CRYPTO_CIPHER_MAX_KEY_LEN]; + + if ((fd = get_dev_crypto()) < 0) { + *cnids = NULL; + return (0); + } + memset(&sess, 0, sizeof(sess)); +- sess.key = (caddr_t)"123456789abcdefghijklmno"; ++ sess.key = (void*)fake_key; + + for (i = 0; ciphers[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { + if (ciphers[i].nid == NID_undef) +@@ -286,6 +292,7 @@ static int + get_cryptodev_digests(const int **cnids) + { + static int nids[CRYPTO_ALGORITHM_MAX]; ++ unsigned char fake_key[CRYPTO_CIPHER_MAX_KEY_LEN]; + struct session_op sess; + int fd, i, count = 0; + +@@ -294,12 +301,12 @@ get_cryptodev_digests(const int **cnids) + return (0); + } + memset(&sess, 0, sizeof(sess)); +- sess.mackey = (caddr_t)"123456789abcdefghijklmno"; ++ sess.mackey = fake_key; + for (i = 0; digests[i].id && count < CRYPTO_ALGORITHM_MAX; i++) { + if (digests[i].nid == NID_undef) + continue; + sess.mac = digests[i].id; +- sess.mackeylen = digests[i].keylen; ++ sess.mackeylen = 8; + sess.cipher = 0; + if (ioctl(fd, CIOCGSESSION, &sess) != -1 && + ioctl(fd, CIOCFSESSION, &sess.ses) != -1) +@@ -387,14 +394,14 @@ cryptodev_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + cryp.ses = sess->ses; + cryp.flags = 0; + cryp.len = inl; +- cryp.src = (caddr_t) in; +- cryp.dst = (caddr_t) out; ++ cryp.src = (void*) in; ++ cryp.dst = (void*) out; + cryp.mac = 0; + + cryp.op = ctx->encrypt ? COP_ENCRYPT : COP_DECRYPT; + + if (ctx->cipher->iv_len) { +- cryp.iv = (caddr_t) ctx->iv; ++ cryp.iv = (void*) ctx->iv; + if (!ctx->encrypt) { + iiv = in + inl - ctx->cipher->iv_len; + memcpy(save_iv, iiv, ctx->cipher->iv_len); +@@ -445,7 +452,7 @@ cryptodev_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + if ((state->d_fd = get_dev_crypto()) < 0) + return (0); + +- sess->key = (caddr_t)key; ++ sess->key = (void*)key; + sess->keylen = ctx->key_len; + sess->cipher = cipher; + +@@ -715,18 +722,6 @@ digest_nid_to_cryptodev(int nid) + } + + +-static int +-digest_key_length(int nid) +-{ +- int i; +- +- for (i = 0; digests[i].id; i++) +- if (digests[i].nid == nid) +- return digests[i].keylen; +- return (0); +-} +- +- + static int cryptodev_digest_init(EVP_MD_CTX *ctx) + { + struct dev_crypto_state *state = ctx->md_data; +@@ -737,7 +732,6 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx) + printf("cryptodev_digest_init: Can't get digest \n"); + return (0); + } +- + memset(state, 0, sizeof(struct dev_crypto_state)); + + if ((state->d_fd = get_dev_crypto()) < 0) { +@@ -745,8 +739,8 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx) + return (0); + } + +- sess->mackey = state->dummy_mac_key; +- sess->mackeylen = digest_key_length(ctx->digest->type); ++ sess->mackey = NULL; ++ sess->mackeylen = 0; + sess->mac = digest; + + if (ioctl(state->d_fd, CIOCGSESSION, sess) < 0) { +@@ -762,8 +756,8 @@ static int cryptodev_digest_init(EVP_MD_CTX *ctx) + static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data, + size_t count) + { +- struct crypt_op cryp; + struct dev_crypto_state *state = ctx->md_data; ++ struct crypt_op cryp; + struct session_op *sess = &state->d_sess; + + if (!data || state->d_fd < 0) { +@@ -772,7 +766,7 @@ static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data, + } + + if (!count) { +- return (0); ++ return (1); + } + + if (!(ctx->flags & EVP_MD_CTX_FLAG_ONESHOT)) { +@@ -795,9 +789,9 @@ static int cryptodev_digest_update(EVP_MD_CTX *ctx, const void *data, + cryp.ses = sess->ses; + cryp.flags = 0; + cryp.len = count; +- cryp.src = (caddr_t) data; ++ cryp.src = (void*) data; + cryp.dst = NULL; +- cryp.mac = (caddr_t) state->digest_res; ++ cryp.mac = (void*) state->digest_res; + if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) { + printf("cryptodev_digest_update: digest failed\n"); + return (0); +@@ -812,8 +806,6 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md) + struct dev_crypto_state *state = ctx->md_data; + struct session_op *sess = &state->d_sess; + +- int ret = 1; +- + if (!md || state->d_fd < 0) { + printf("cryptodev_digest_final: illegal input\n"); + return(0); +@@ -827,7 +819,7 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md) + cryp.len = state->mac_len; + cryp.src = state->mac_data; + cryp.dst = NULL; +- cryp.mac = (caddr_t)md; ++ cryp.mac = (void*)md; + if (ioctl(state->d_fd, CIOCCRYPT, &cryp) < 0) { + printf("cryptodev_digest_final: digest failed\n"); + return (0); +@@ -838,7 +830,7 @@ static int cryptodev_digest_final(EVP_MD_CTX *ctx, unsigned char *md) + + memcpy(md, state->digest_res, ctx->digest->md_size); + +- return (ret); ++ return 1; + } + + +@@ -890,8 +882,8 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from) + + digest = digest_nid_to_cryptodev(to->digest->type); + +- sess->mackey = dstate->dummy_mac_key; +- sess->mackeylen = digest_key_length(to->digest->type); ++ sess->mackey = NULL; ++ sess->mackeylen = 0; + sess->mac = digest; + + dstate->d_fd = get_dev_crypto(); +@@ -916,34 +908,117 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to,const EVP_MD_CTX *from) + } + + +-const EVP_MD cryptodev_sha1 = { ++static const EVP_MD cryptodev_sha1 = { + NID_sha1, +- NID_undef, ++ NID_sha1WithRSAEncryption, + SHA_DIGEST_LENGTH, ++#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT) ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE| ++ EVP_MD_FLAG_DIGALGID_ABSENT| ++#endif + EVP_MD_FLAG_ONESHOT, + cryptodev_digest_init, + cryptodev_digest_update, + cryptodev_digest_final, + cryptodev_digest_copy, + cryptodev_digest_cleanup, +- EVP_PKEY_NULL_method, ++ EVP_PKEY_RSA_method, + SHA_CBLOCK, +- sizeof(struct dev_crypto_state), ++ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state), ++}; ++ ++static const EVP_MD cryptodev_sha256 = { ++ NID_sha256, ++ NID_sha256WithRSAEncryption, ++ SHA256_DIGEST_LENGTH, ++#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT) ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE| ++ EVP_MD_FLAG_DIGALGID_ABSENT| ++#endif ++ EVP_MD_FLAG_ONESHOT, ++ cryptodev_digest_init, ++ cryptodev_digest_update, ++ cryptodev_digest_final, ++ cryptodev_digest_copy, ++ cryptodev_digest_cleanup, ++ EVP_PKEY_RSA_method, ++ SHA256_CBLOCK, ++ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state), ++}; ++static const EVP_MD cryptodev_sha224 = { ++ NID_sha224, ++ NID_sha224WithRSAEncryption, ++ SHA224_DIGEST_LENGTH, ++#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT) ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE| ++ EVP_MD_FLAG_DIGALGID_ABSENT| ++#endif ++ EVP_MD_FLAG_ONESHOT, ++ cryptodev_digest_init, ++ cryptodev_digest_update, ++ cryptodev_digest_final, ++ cryptodev_digest_copy, ++ cryptodev_digest_cleanup, ++ EVP_PKEY_RSA_method, ++ SHA256_CBLOCK, ++ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state), ++}; ++ ++static const EVP_MD cryptodev_sha384 = { ++ NID_sha384, ++ NID_sha384WithRSAEncryption, ++ SHA384_DIGEST_LENGTH, ++#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT) ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE| ++ EVP_MD_FLAG_DIGALGID_ABSENT| ++#endif ++ EVP_MD_FLAG_ONESHOT, ++ cryptodev_digest_init, ++ cryptodev_digest_update, ++ cryptodev_digest_final, ++ cryptodev_digest_copy, ++ cryptodev_digest_cleanup, ++ EVP_PKEY_RSA_method, ++ SHA512_CBLOCK, ++ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state), ++}; ++ ++static const EVP_MD cryptodev_sha512 = { ++ NID_sha512, ++ NID_sha512WithRSAEncryption, ++ SHA512_DIGEST_LENGTH, ++#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT) ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE| ++ EVP_MD_FLAG_DIGALGID_ABSENT| ++#endif ++ EVP_MD_FLAG_ONESHOT, ++ cryptodev_digest_init, ++ cryptodev_digest_update, ++ cryptodev_digest_final, ++ cryptodev_digest_copy, ++ cryptodev_digest_cleanup, ++ EVP_PKEY_RSA_method, ++ SHA512_CBLOCK, ++ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state), + }; + +-const EVP_MD cryptodev_md5 = { ++static const EVP_MD cryptodev_md5 = { + NID_md5, +- NID_undef, ++ NID_md5WithRSAEncryption, + 16 /* MD5_DIGEST_LENGTH */, ++#if defined(EVP_MD_FLAG_PKEY_METHOD_SIGNATURE) && defined(EVP_MD_FLAG_DIGALGID_ABSENT) ++ EVP_MD_FLAG_PKEY_METHOD_SIGNATURE| ++ EVP_MD_FLAG_DIGALGID_ABSENT| ++#endif + EVP_MD_FLAG_ONESHOT, + cryptodev_digest_init, + cryptodev_digest_update, + cryptodev_digest_final, + cryptodev_digest_copy, + cryptodev_digest_cleanup, +- EVP_PKEY_NULL_method, ++ EVP_PKEY_RSA_method, + 64 /* MD5_CBLOCK */, +- sizeof(struct dev_crypto_state), ++ sizeof(EVP_MD *)+sizeof(struct dev_crypto_state), + }; + + #endif /* USE_CRYPTODEV_DIGESTS */ +@@ -964,6 +1039,18 @@ cryptodev_engine_digests(ENGINE *e, const EVP_MD **digest, + case NID_sha1: + *digest = &cryptodev_sha1; + break; ++ case NID_sha224: ++ *digest = &cryptodev_sha224; ++ break; ++ case NID_sha256: ++ *digest = &cryptodev_sha256; ++ break; ++ case NID_sha384: ++ *digest = &cryptodev_sha384; ++ break; ++ case NID_sha512: ++ *digest = &cryptodev_sha512; ++ break; + default: + #endif /* USE_CRYPTODEV_DIGESTS */ + *digest = NULL; +@@ -995,7 +1082,7 @@ bn2crparam(const BIGNUM *a, struct crparam *crp) + return (1); + memset(b, 0, bytes); + +- crp->crp_p = (caddr_t) b; ++ crp->crp_p = (void*) b; + crp->crp_nbits = bits; + + for (i = 0, j = 0; i < a->top; i++) { +@@ -1248,7 +1335,7 @@ cryptodev_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) + kop.crk_op = CRK_DSA_SIGN; + + /* inputs: dgst dsa->p dsa->q dsa->g dsa->priv_key */ +- kop.crk_param[0].crp_p = (caddr_t)dgst; ++ kop.crk_param[0].crp_p = (void*)dgst; + kop.crk_param[0].crp_nbits = dlen * 8; + if (bn2crparam(dsa->p, &kop.crk_param[1])) + goto err; +@@ -1288,7 +1375,7 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen, + kop.crk_op = CRK_DSA_VERIFY; + + /* inputs: dgst dsa->p dsa->q dsa->g dsa->pub_key sig->r sig->s */ +- kop.crk_param[0].crp_p = (caddr_t)dgst; ++ kop.crk_param[0].crp_p = (void*)dgst; + kop.crk_param[0].crp_nbits = dlen * 8; + if (bn2crparam(dsa->p, &kop.crk_param[1])) + goto err; +@@ -1366,9 +1453,10 @@ cryptodev_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + goto err; + kop.crk_iparams = 3; + +- kop.crk_param[3].crp_p = (caddr_t) key; +- kop.crk_param[3].crp_nbits = keylen * 8; ++ kop.crk_param[3].crp_p = (void*) key; ++ kop.crk_param[3].crp_nbits = keylen; + kop.crk_oparams = 1; ++ dhret = keylen/8; + + if (ioctl(fd, CIOCKEY, &kop) == -1) { + const DH_METHOD *meth = DH_OpenSSL(); +@@ -1440,7 +1528,7 @@ ENGINE_load_cryptodev(void) + put_dev_crypto(fd); + + if (!ENGINE_set_id(engine, "cryptodev") || +- !ENGINE_set_name(engine, "BSD cryptodev engine") || ++ !ENGINE_set_name(engine, "cryptodev engine") || + !ENGINE_set_ciphers(engine, cryptodev_engine_ciphers) || + !ENGINE_set_digests(engine, cryptodev_engine_digests) || + !ENGINE_set_ctrl_function(engine, cryptodev_ctrl) || +-- +2.0.0 + diff --git a/core/openssl-cryptodev/0002-cryptodev-allow-copying-EVP-contexts.patch b/core/openssl-cryptodev/0002-cryptodev-allow-copying-EVP-contexts.patch new file mode 100755 index 000000000..c4ab53ca7 --- /dev/null +++ b/core/openssl-cryptodev/0002-cryptodev-allow-copying-EVP-contexts.patch @@ -0,0 +1,202 @@ +From 656b55e39ab22ed135221214ccc47a00369f3ff6 Mon Sep 17 00:00:00 2001 +From: Nikos Mavrogiannopoulos +Date: Fri, 4 Jul 2014 08:41:04 +0200 +Subject: [PATCH 2/2] cryptodev: allow copying EVP contexts + +--- + crypto/engine/eng_cryptodev.c | 57 ++++++++++++++++++++++++++----------------- + 1 file changed, 35 insertions(+), 22 deletions(-) + +diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c +index a1c39e5..0d54613 100644 +--- a/crypto/engine/eng_cryptodev.c ++++ b/crypto/engine/eng_cryptodev.c +@@ -505,150 +505,163 @@ cryptodev_cleanup(EVP_CIPHER_CTX *ctx) + * gets called when libcrypto requests a cipher NID. + */ + ++static int cryptodev_cipher_ctrl(EVP_CIPHER_CTX *ctx, int type, int p1, void *p2) ++{ ++ struct dev_crypto_state *state = ctx->cipher_data; ++ struct session_op *sess = &state->d_sess; ++ ++ if (type == EVP_CTRL_COPY) { ++ EVP_CIPHER_CTX *out = p2; ++ return cryptodev_init_key(out, sess->key, ctx->iv, 0); ++ } ++ ++ return 0; ++} ++ + /* RC4 */ + const EVP_CIPHER cryptodev_rc4 = { + NID_rc4, + 1, 16, 0, +- EVP_CIPH_VARIABLE_LENGTH, ++ EVP_CIPH_VARIABLE_LENGTH|EVP_CIPH_CUSTOM_COPY, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + NULL, + NULL, +- NULL ++ cryptodev_cipher_ctrl + }; + + /* DES CBC EVP */ + const EVP_CIPHER cryptodev_des_cbc = { + NID_des_cbc, + 8, 8, 8, +- EVP_CIPH_CBC_MODE, ++ EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, +- NULL ++ cryptodev_cipher_ctrl + }; + + /* 3DES CBC EVP */ + const EVP_CIPHER cryptodev_3des_cbc = { + NID_des_ede3_cbc, + 8, 24, 8, +- EVP_CIPH_CBC_MODE, ++ EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, +- NULL ++ cryptodev_cipher_ctrl + }; + + const EVP_CIPHER cryptodev_bf_cbc = { + NID_bf_cbc, + 8, 16, 8, +- EVP_CIPH_CBC_MODE, ++ EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, +- NULL ++ cryptodev_cipher_ctrl + }; + + const EVP_CIPHER cryptodev_cast_cbc = { + NID_cast5_cbc, + 8, 16, 8, +- EVP_CIPH_CBC_MODE, ++ EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, +- NULL ++ cryptodev_cipher_ctrl + }; + + const EVP_CIPHER cryptodev_aes_cbc = { + NID_aes_128_cbc, + 16, 16, 16, +- EVP_CIPH_CBC_MODE, ++ EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, +- NULL ++ cryptodev_cipher_ctrl + }; + + const EVP_CIPHER cryptodev_aes_192_cbc = { + NID_aes_192_cbc, + 16, 24, 16, +- EVP_CIPH_CBC_MODE, ++ EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, +- NULL ++ cryptodev_cipher_ctrl + }; + + const EVP_CIPHER cryptodev_aes_256_cbc = { + NID_aes_256_cbc, + 16, 32, 16, +- EVP_CIPH_CBC_MODE, ++ EVP_CIPH_CBC_MODE|EVP_CIPH_CUSTOM_COPY, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, +- NULL ++ cryptodev_cipher_ctrl + }; + #ifdef CRYPTO_AES_CTR + const EVP_CIPHER cryptodev_aes_ctr = { + NID_aes_128_ctr, + 16, 16, 14, +- EVP_CIPH_CTR_MODE, ++ EVP_CIPH_CTR_MODE|EVP_CIPH_CUSTOM_COPY, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, +- NULL ++ cryptodev_cipher_ctrl + }; + + const EVP_CIPHER cryptodev_aes_ctr_192 = { + NID_aes_192_ctr, + 16, 24, 14, +- EVP_CIPH_CTR_MODE, ++ EVP_CIPH_CTR_MODE|EVP_CIPH_CUSTOM_COPY, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, +- NULL ++ cryptodev_cipher_ctrl + }; + + const EVP_CIPHER cryptodev_aes_ctr_256 = { + NID_aes_256_ctr, + 16, 32, 14, +- EVP_CIPH_CTR_MODE, ++ EVP_CIPH_CTR_MODE|EVP_CIPH_CUSTOM_COPY, + cryptodev_init_key, + cryptodev_cipher, + cryptodev_cleanup, + sizeof(struct dev_crypto_state), + EVP_CIPHER_set_asn1_iv, + EVP_CIPHER_get_asn1_iv, +- NULL ++ cryptodev_cipher_ctrl + }; + #endif + /* +-- +2.0.0 + diff --git a/core/openssl-cryptodev/CVE-2014-0160.patch b/core/openssl-cryptodev/CVE-2014-0160.patch deleted file mode 100644 index a96bc64f6..000000000 --- a/core/openssl-cryptodev/CVE-2014-0160.patch +++ /dev/null @@ -1,94 +0,0 @@ -Description: fix memory disclosure in TLS heartbeat extension -Origin: upstream, http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=96db9023b881d7cd9f379b0c154650d6c108e9a3 - -Index: openssl-1.0.1f/ssl/d1_both.c -=================================================================== ---- openssl-1.0.1f.orig/ssl/d1_both.c 2014-01-06 08:47:42.000000000 -0500 -+++ openssl-1.0.1f/ssl/d1_both.c 2014-04-07 15:37:38.548342862 -0400 -@@ -1459,26 +1459,36 @@ - unsigned int payload; - unsigned int padding = 16; /* Use minimum padding */ - -- /* Read type and payload length first */ -- hbtype = *p++; -- n2s(p, payload); -- pl = p; -- - if (s->msg_callback) - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, - &s->s3->rrec.data[0], s->s3->rrec.length, - s, s->msg_callback_arg); - -+ /* Read type and payload length first */ -+ if (1 + 2 + 16 > s->s3->rrec.length) -+ return 0; /* silently discard */ -+ hbtype = *p++; -+ n2s(p, payload); -+ if (1 + 2 + payload + 16 > s->s3->rrec.length) -+ return 0; /* silently discard per RFC 6520 sec. 4 */ -+ pl = p; -+ - if (hbtype == TLS1_HB_REQUEST) - { - unsigned char *buffer, *bp; -+ unsigned int write_length = 1 /* heartbeat type */ + -+ 2 /* heartbeat length */ + -+ payload + padding; - int r; - -+ if (write_length > SSL3_RT_MAX_PLAIN_LENGTH) -+ return 0; -+ - /* Allocate memory for the response, size is 1 byte - * message type, plus 2 bytes payload length, plus - * payload, plus padding - */ -- buffer = OPENSSL_malloc(1 + 2 + payload + padding); -+ buffer = OPENSSL_malloc(write_length); - bp = buffer; - - /* Enter response type, length and copy payload */ -@@ -1489,11 +1499,11 @@ - /* Random padding */ - RAND_pseudo_bytes(bp, padding); - -- r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding); -+ r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length); - - if (r >= 0 && s->msg_callback) - s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT, -- buffer, 3 + payload + padding, -+ buffer, write_length, - s, s->msg_callback_arg); - - OPENSSL_free(buffer); -Index: openssl-1.0.1f/ssl/t1_lib.c -=================================================================== ---- openssl-1.0.1f.orig/ssl/t1_lib.c 2014-01-06 08:47:42.000000000 -0500 -+++ openssl-1.0.1f/ssl/t1_lib.c 2014-04-07 15:37:38.548342862 -0400 -@@ -2558,16 +2558,20 @@ - unsigned int payload; - unsigned int padding = 16; /* Use minimum padding */ - -- /* Read type and payload length first */ -- hbtype = *p++; -- n2s(p, payload); -- pl = p; -- - if (s->msg_callback) - s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT, - &s->s3->rrec.data[0], s->s3->rrec.length, - s, s->msg_callback_arg); - -+ /* Read type and payload length first */ -+ if (1 + 2 + 16 > s->s3->rrec.length) -+ return 0; /* silently discard */ -+ hbtype = *p++; -+ n2s(p, payload); -+ if (1 + 2 + payload + 16 > s->s3->rrec.length) -+ return 0; /* silently discard per RFC 6520 sec. 4 */ -+ pl = p; -+ - if (hbtype == TLS1_HB_REQUEST) - { - unsigned char *buffer, *bp; diff --git a/core/openssl-cryptodev/CVE-2014-0224.patch b/core/openssl-cryptodev/CVE-2014-0224.patch deleted file mode 100644 index 4677116ac..000000000 --- a/core/openssl-cryptodev/CVE-2014-0224.patch +++ /dev/null @@ -1,111 +0,0 @@ -commit a5852a6db4b36f91d6254b2d8757f125e6e8e5cb -Author: Dr. Stephen Henson -Date: Fri May 16 12:55:16 2014 +0100 - - Additional CVE-2014-0224 protection. - - Return a fatal error if an attempt is made to use a zero length - master secret. - -diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c -index 98c36e6..59011e3 100644 ---- a/ssl/s3_pkt.c -+++ b/ssl/s3_pkt.c -@@ -1459,7 +1459,7 @@ int ssl3_do_change_cipher_spec(SSL *s) - - if (s->s3->tmp.key_block == NULL) - { -- if (s->session == NULL) -+ if (s->session == NULL || s->session->master_key_length == 0) - { - /* might happen if dtls1_read_bytes() calls this */ - SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC,SSL_R_CCS_RECEIVED_EARLY); - -commit eaa71076511eab5e84ed36ddecbfc6cc20a48952 -Author: Dr. Stephen Henson -Date: Fri May 16 12:49:48 2014 +0100 - - Fix for CVE-2014-0224 - - Only accept change cipher spec when it is expected instead of at any - time. This prevents premature setting of session keys before the master - secret is determined which an attacker could use as a MITM attack. - - Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue - and providing the initial fix this patch is based on. - -diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c -index a6b3c01..d35376d 100644 ---- a/ssl/s3_clnt.c -+++ b/ssl/s3_clnt.c -@@ -559,6 +559,7 @@ int ssl3_connect(SSL *s) - case SSL3_ST_CR_FINISHED_A: - case SSL3_ST_CR_FINISHED_B: - -+ s->s3->flags |= SSL3_FLAGS_CCS_OK; - ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A, - SSL3_ST_CR_FINISHED_B); - if (ret <= 0) goto end; -diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c -index 6bc8bf9..98c36e6 100644 ---- a/ssl/s3_pkt.c -+++ b/ssl/s3_pkt.c -@@ -1316,6 +1316,15 @@ start: - goto f_err; - } - -+ if (!(s->s3->flags & SSL3_FLAGS_CCS_OK)) -+ { -+ al=SSL_AD_UNEXPECTED_MESSAGE; -+ SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY); -+ goto f_err; -+ } -+ -+ s->s3->flags &= ~SSL3_FLAGS_CCS_OK; -+ - rr->length=0; - - if (s->msg_callback) -diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c -index 4de9d19..29f8b14 100644 ---- a/ssl/s3_srvr.c -+++ b/ssl/s3_srvr.c -@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s) - case SSL3_ST_SR_CERT_VRFY_A: - case SSL3_ST_SR_CERT_VRFY_B: - -+ s->s3->flags |= SSL3_FLAGS_CCS_OK; - /* we should decide if we expected this one */ - ret=ssl3_get_cert_verify(s); - if (ret <= 0) goto end; -@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s) - - case SSL3_ST_SR_FINISHED_A: - case SSL3_ST_SR_FINISHED_B: -+ s->s3->flags |= SSL3_FLAGS_CCS_OK; - ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A, - SSL3_ST_SR_FINISHED_B); - if (ret <= 0) goto end; -@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s) - s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; - #else - if (s->s3->next_proto_neg_seen) -+ { -+ s->s3->flags |= SSL3_FLAGS_CCS_OK; - s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A; -+ } - else - s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A; - #endif -diff --git a/ssl/ssl3.h b/ssl/ssl3.h -index cb8b249..4ac4199 100644 ---- a/ssl/ssl3.h -+++ b/ssl/ssl3.h -@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st - #define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 - #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 - #define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 -+#define SSL3_FLAGS_CCS_OK 0x0040 - - /* SSL3_FLAGS_SGC_RESTART_DONE is set when we - * restart a handshake because of MS SGC and so prevents us diff --git a/core/openssl-cryptodev/PKGBUILD b/core/openssl-cryptodev/PKGBUILD index 4f5fe70f3..0f567089e 100644 --- a/core/openssl-cryptodev/PKGBUILD +++ b/core/openssl-cryptodev/PKGBUILD @@ -6,18 +6,18 @@ # - cryptodev-enabled version # # moonman -# - replace eng_cryptodev in openssl with the one provided with cryptodev # - get cryptodev.h from cryptodev tarball instead of the kernel headers +# - patches from cryptodev developers for openssl buildarch=6 pkgname=openssl-cryptodev _pkgname=openssl -_ver=1.0.1e +_ver=1.0.1h # use a pacman compatible version scheme pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}} #pkgver=$_ver -pkgrel=7 +pkgrel=1 pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer Security' arch=('arm' 'armv7h') url='https://www.openssl.org' @@ -33,22 +33,20 @@ _cryptover=1.6 source=("https://www.openssl.org/source/${_pkgname}-${_ver}.tar.gz" 'no-rpath.patch' 'ca-dir.patch' - 'openssl-1.0.1e-fix_pod_syntax-1.patch' "http://download.gna.org/cryptodev-linux/cryptodev-linux-${_cryptover}.tar.gz" - 'openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch' - 'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch' - 'CVE-2014-0160.patch' - 'CVE-2014-0224.patch') + "https://github.com/openssl/openssl/commit/be2c4d9bd9e81030c547a34216ae2d8e5c888190.patch" + "https://github.com/openssl/openssl/commit/6ecbc2bb62835a401ad6efe240d469a23b21755b.patch" + '0001-cryptodev-Fix-issue-with-signature-generation.patch' + '0002-cryptodev-allow-copying-EVP-contexts.patch') -md5sums=('66bf6f10f060d561929de96f9dfe5b8c' +md5sums=('8d6d684a9430d5cc98a62a5d8fbda8cf' 'dc78d3d06baffc16217519242ce92478' '3bf51be3a1bbd262be46dc619f92aa90' - '88d3bef4bbdc640b0412315d8d347bdf' 'eade38998313c25fd7934719cdf8a2ea' - 'ae7848bb152b8834ceff30c8c480d422' - 'c5cc62a47cef72f4e5ad119a88e97ae4' - '5fd0261f74e5358fe28b725cddd24bbf' - '8c724df827d6036946dc5074aea9ae66') + 'a1761273d79bc5c62eb3bd4cb91f66b4' + '310a63a4ea3e948eee54c953d49a6bf1' + '440f706c63735f32274e13325557a331' + 'e8ec495c49ae2494acbfb47d98c363b6') prepare() { cd $srcdir/${_pkgname}-$_ver @@ -58,24 +56,13 @@ prepare() { # set ca dir to /etc/ssl by default patch -p0 -i $srcdir/ca-dir.patch - patch -p1 -i $srcdir/openssl-1.0.1e-fix_pod_syntax-1.patch + msg "Bring eng_cryptodev.c up-to-date for the following 2 patches" + patch -Np1 -i $srcdir/be2c4d9bd9e81030c547a34216ae2d8e5c888190.patch + patch -Np1 -i $srcdir/6ecbc2bb62835a401ad6efe240d469a23b21755b.patch - # OpenSSL 1.0.0k, 1.0.1.d, 1.0.1e fail handshake with DTLS1_BAD_VER - # http://rt.openssl.org/Ticket/Display.html?id=2984 - patch -p1 -i $srcdir/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch - - # Communication problems with 1.0.1e - # http://rt.openssl.org/Ticket/Display.html?id=3002 - patch -p1 -i $srcdir/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch - - # Patch the heartbleed vulnerability - patch -p1 -i $srcdir/CVE-2014-0160.patch - - msg2 "Patch zero length master secret vulnerability" - patch -p1 -i $srcdir/CVE-2014-0224.patch - - # Replace eng_cryptodev.c with cryptodev version - cp -u ${srcdir}/cryptodev-linux-${_cryptover}/extras/eng_cryptodev.c ${srcdir}/openssl-${_ver}/crypto/engine/ + msg2 "Patch eng_cryptodev.c" + patch -p1 -i $srcdir/0001-cryptodev-Fix-issue-with-signature-generation.patch + patch -p1 -i $srcdir/0002-cryptodev-allow-copying-EVP-contexts.patch # Copy the header file cp -u ${srcdir}/cryptodev-linux-${_cryptover}/crypto/cryptodev.h ${srcdir}/openssl-${_ver}/crypto/ @@ -98,7 +85,7 @@ build() { -DHAVE_CRYPTODEV -DUSE_CRYPTODEV_DIGESTS -DHASH_MAX_LEN=64 \ shared threads zlib \ "${openssltarget}" \ - -Wa,--noexecstack "${CFLAGS}" + "-Wa,--noexecstack ${CPPFLAGS} ${CFLAGS} ${LDFLAGS}" make depend make @@ -109,7 +96,7 @@ check() { # the test fails due to missing write permissions in /etc/ssl # revert this patch for make test patch -p0 -R -i $srcdir/ca-dir.patch -# make test + make test patch -p0 -i $srcdir/ca-dir.patch } diff --git a/core/openssl-cryptodev/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch b/core/openssl-cryptodev/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch deleted file mode 100644 index 5a88220c3..000000000 --- a/core/openssl-cryptodev/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001 -From: David Woodhouse -Date: Tue, 12 Feb 2013 14:55:32 +0000 -Subject: Check DTLS_BAD_VER for version number. - -The version check for DTLS1_VERSION was redundant as -DTLS1_VERSION > TLS1_1_VERSION, however we do need to -check for DTLS1_BAD_VER for compatibility. - -PR:2984 -(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc) ---- - ssl/s3_cbc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c -index 02edf3f..443a31e 100644 ---- a/ssl/s3_cbc.c -+++ b/ssl/s3_cbc.c -@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, - unsigned padding_length, good, to_check, i; - const unsigned overhead = 1 /* padding length byte */ + mac_size; - /* Check if version requires explicit IV */ -- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) -+ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER) - { - /* These lengths are all public so we can test them in - * non-constant time. --- -1.8.4.2 - diff --git a/core/openssl-cryptodev/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch b/core/openssl-cryptodev/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch deleted file mode 100644 index f1a251227..000000000 --- a/core/openssl-cryptodev/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 Mon Sep 17 00:00:00 2001 -From: Andy Polyakov -Date: Mon, 18 Mar 2013 19:29:41 +0100 -Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms. - -PR: 3002 -(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc) ---- - crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c -index 483e04b..fb2c884 100644 ---- a/crypto/evp/e_aes_cbc_hmac_sha1.c -+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c -@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - - if (res!=SHA_CBLOCK) continue; - -- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); -+ /* j is not incremented yet */ -+ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1)); - data->u[SHA_LBLOCK-1] |= bitlen&mask; - sha1_block_data_order(&key->md,data,1); -- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); -+ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1)); - pmac->u[0] |= key->md.h0 & mask; - pmac->u[1] |= key->md.h1 & mask; - pmac->u[2] |= key->md.h2 & mask; --- -1.8.4.2 - diff --git a/core/openssl-cryptodev/openssl-1.0.1e-fix_pod_syntax-1.patch b/core/openssl-cryptodev/openssl-1.0.1e-fix_pod_syntax-1.patch deleted file mode 100644 index ba25afec3..000000000 --- a/core/openssl-cryptodev/openssl-1.0.1e-fix_pod_syntax-1.patch +++ /dev/null @@ -1,393 +0,0 @@ -Submitted By: Martin Ward -Date: 2013-06-18 -Initial Package Version: 1.0.1e -Upstream Status: Unknown -Origin: self, based on fedora -Description: Fixes install with perl-5.18. - -diff -Naur openssl-1.0.1e.orig/doc/apps/cms.pod openssl-1.0.1e/doc/apps/cms.pod ---- openssl-1.0.1e.orig/doc/apps/cms.pod 2013-06-06 14:35:15.867871879 +0100 -+++ openssl-1.0.1e/doc/apps/cms.pod 2013-06-06 14:35:25.791747119 +0100 -@@ -450,28 +450,28 @@ - - =over 4 - --=item 0 -+=item C<0> - - the operation was completely successfully. - --=item 1 -+=item C<1> - - an error occurred parsing the command options. - --=item 2 -+=item C<2> - - one of the input files could not be read. - --=item 3 -+=item C<3> - - an error occurred creating the CMS file or when reading the MIME - message. - --=item 4 -+=item C<4> - - an error occurred decrypting or verifying the message. - --=item 5 -+=item C<5> - - the message was verified correctly but an error occurred writing out - the signers certificates. -diff -Naur openssl-1.0.1e.orig/doc/apps/smime.pod openssl-1.0.1e/doc/apps/smime.pod ---- openssl-1.0.1e.orig/doc/apps/smime.pod 2013-06-06 14:35:15.867871879 +0100 -+++ openssl-1.0.1e/doc/apps/smime.pod 2013-06-06 14:35:25.794747082 +0100 -@@ -308,28 +308,28 @@ - - =over 4 - --=item 0 -+=item C<0> - - the operation was completely successfully. - --=item 1 -+=item C<1> - - an error occurred parsing the command options. - --=item 2 -+=item C<2> - - one of the input files could not be read. - --=item 3 -+=item C<3> - - an error occurred creating the PKCS#7 file or when reading the MIME - message. - --=item 4 -+=item C<4> - - an error occurred decrypting or verifying the message. - --=item 5 -+=item C<5> - - the message was verified correctly but an error occurred writing out - the signers certificates. -diff -Naur openssl-1.0.1e.orig/doc/crypto/X509_STORE_CTX_get_error.pod openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod ---- openssl-1.0.1e.orig/doc/crypto/X509_STORE_CTX_get_error.pod 2013-06-06 14:35:15.874871791 +0100 -+++ openssl-1.0.1e/doc/crypto/X509_STORE_CTX_get_error.pod 2013-06-06 14:37:13.826388940 +0100 -@@ -278,6 +278,8 @@ - an application specific error. This will never be returned unless explicitly - set by an application. - -+=back -+ - =head1 NOTES - - The above functions should be used instead of directly referencing the fields -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_accept.pod openssl-1.0.1e/doc/ssl/SSL_accept.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_accept.pod 2013-06-06 14:35:15.871871829 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_accept.pod 2013-06-06 14:35:25.796747057 +0100 -@@ -44,12 +44,12 @@ - - =over 4 - --=item 1 -+=item C<1> - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. - --=item 0 -+=item C<0> - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_clear.pod openssl-1.0.1e/doc/ssl/SSL_clear.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_clear.pod 2013-06-06 14:35:15.871871829 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_clear.pod 2013-06-06 14:35:25.803746969 +0100 -@@ -56,12 +56,12 @@ - - =over 4 - --=item 0 -+=item C<0> - - The SSL_clear() operation could not be performed. Check the error stack to - find out the reason. - --=item 1 -+=item C<1> - - The SSL_clear() operation was successful. - -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_COMP_add_compression_method.pod 2013-06-06 14:35:15.870871842 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_COMP_add_compression_method.pod 2013-06-06 14:35:25.806746931 +0100 -@@ -53,11 +53,11 @@ - - =over 4 - --=item 0 -+=item C<0> - - The operation succeeded. - --=item 1 -+=item C<1> - - The operation failed. Check the error queue to find out the reason. - -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_connect.pod openssl-1.0.1e/doc/ssl/SSL_connect.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_connect.pod 2013-06-06 14:35:15.869871854 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_connect.pod 2013-06-06 14:35:25.808746906 +0100 -@@ -41,12 +41,12 @@ - - =over 4 - --=item 1 -+=item C<1> - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. - --=item 0 -+=item C<0> - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_CTX_add_session.pod openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_add_session.pod 2013-06-06 14:35:15.871871829 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_add_session.pod 2013-06-06 14:35:25.816746805 +0100 -@@ -52,13 +52,13 @@ - - =over 4 - --=item 0 -+=item C<0> - - The operation failed. In case of the add operation, it was tried to add - the same (identical) session twice. In case of the remove operation, the - session was not found in the cache. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_CTX_load_verify_locations.pod openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_load_verify_locations.pod 2013-06-06 14:35:15.870871842 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_load_verify_locations.pod 2013-06-06 14:35:25.818746780 +0100 -@@ -100,13 +100,13 @@ - - =over 4 - --=item 0 -+=item C<0> - - The operation failed because B and B are NULL or the - processing at one of the locations specified failed. Check the error - stack to find out the reason. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-06-06 14:35:15.871871829 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_client_CA_list.pod 2013-06-06 14:35:25.821746742 +0100 -@@ -66,11 +66,11 @@ - - =over 4 - --=item 1 -+=item C<1> - - The operation succeeded. - --=item 0 -+=item C<0> - - A failure while manipulating the STACK_OF(X509_NAME) object occurred or - the X509_NAME could not be extracted from B. Check the error stack -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_session_id_context.pod openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_session_id_context.pod 2013-06-06 14:35:15.871871829 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_session_id_context.pod 2013-06-06 14:35:25.828746654 +0100 -@@ -64,13 +64,13 @@ - - =over 4 - --=item 0 -+=item C<0> - - The length B of the session id context B exceeded - the maximum allowed length of B. The error - is logged to the error stack. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_ssl_version.pod openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_set_ssl_version.pod 2013-06-06 14:35:15.871871829 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_set_ssl_version.pod 2013-06-06 14:35:25.831746617 +0100 -@@ -42,11 +42,11 @@ - - =over 4 - --=item 0 -+=item C<0> - - The new choice failed, check the error stack to find out the reason. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-06-06 14:35:15.870871842 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_CTX_use_psk_identity_hint.pod 2013-06-06 14:36:42.456783309 +0100 -@@ -81,6 +81,8 @@ - - Return values from the server callback are interpreted as follows: - -+=over -+ - =item > 0 - - PSK identity was found and the server callback has provided the PSK -@@ -94,9 +96,11 @@ - connection will fail with decryption_error before it will be finished - completely. - --=item 0 -+=item C<0> - - PSK identity was not found. An "unknown_psk_identity" alert message - will be sent and the connection setup fails. - -+=back -+ - =cut -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_do_handshake.pod openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_do_handshake.pod 2013-06-06 14:35:15.869871854 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_do_handshake.pod 2013-06-06 14:35:25.839746516 +0100 -@@ -45,12 +45,12 @@ - - =over 4 - --=item 1 -+=item C<1> - - The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been - established. - --=item 0 -+=item C<0> - - The TLS/SSL handshake was not successful but was shut down controlled and - by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_read.pod openssl-1.0.1e/doc/ssl/SSL_read.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_read.pod 2013-06-06 14:35:15.871871829 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_read.pod 2013-06-06 14:35:25.847746415 +0100 -@@ -86,7 +86,7 @@ - The read operation was successful; the return value is the number of - bytes actually read from the TLS/SSL connection. - --=item 0 -+=item C<0> - - The read operation was not successful. The reason may either be a clean - shutdown due to a "close notify" alert sent by the peer (in which case -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_session_reused.pod openssl-1.0.1e/doc/ssl/SSL_session_reused.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_session_reused.pod 2013-06-06 14:35:15.871871829 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_session_reused.pod 2013-06-06 14:35:25.849746390 +0100 -@@ -27,11 +27,11 @@ - - =over 4 - --=item 0 -+=item C<0> - - A new session was negotiated. - --=item 1 -+=item C<1> - - A session was reused. - -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_set_fd.pod openssl-1.0.1e/doc/ssl/SSL_set_fd.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_set_fd.pod 2013-06-06 14:35:15.869871854 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_set_fd.pod 2013-06-06 14:35:25.852746353 +0100 -@@ -35,11 +35,11 @@ - - =over 4 - --=item 0 -+=item C<0> - - The operation failed. Check the error stack to find out why. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_set_session.pod openssl-1.0.1e/doc/ssl/SSL_set_session.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_set_session.pod 2013-06-06 14:35:15.870871842 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_set_session.pod 2013-06-06 14:35:25.855746315 +0100 -@@ -37,11 +37,11 @@ - - =over 4 - --=item 0 -+=item C<0> - - The operation failed; check the error stack to find out the reason. - --=item 1 -+=item C<1> - - The operation succeeded. - -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_shutdown.pod openssl-1.0.1e/doc/ssl/SSL_shutdown.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_shutdown.pod 2013-06-06 14:35:15.870871842 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_shutdown.pod 2013-06-06 14:35:25.857746290 +0100 -@@ -92,12 +92,12 @@ - - =over 4 - --=item 1 -+=item C<1> - - The shutdown was successfully completed. The "close notify" alert was sent - and the peer's "close notify" alert was received. - --=item 0 -+=item C<0> - - The shutdown is not yet finished. Call SSL_shutdown() for a second time, - if a bidirectional shutdown shall be performed. -diff -Naur openssl-1.0.1e.orig/doc/ssl/SSL_write.pod openssl-1.0.1e/doc/ssl/SSL_write.pod ---- openssl-1.0.1e.orig/doc/ssl/SSL_write.pod 2013-06-06 14:35:15.870871842 +0100 -+++ openssl-1.0.1e/doc/ssl/SSL_write.pod 2013-06-06 14:35:25.865746189 +0100 -@@ -79,7 +79,7 @@ - The write operation was successful, the return value is the number of - bytes actually written to the TLS/SSL connection. - --=item 0 -+=item C<0> - - The write operation was not successful. Probably the underlying connection - was closed. Call SSL_get_error() with the return value B to find out,