Prepare for 0.9.8zf-dev

Reviewed-by: Stephen Henson <steve@openssl.org>

.gitignore

@@ -1,5 +1,6 @@
 # Object files
 *.o
+*.obj
 
 # editor artefacts
 *.swp
@@ -47,6 +48,21 @@
 *.s
 !/crypto/bn/asm/pa-risc2.s
 !/crypto/bn/asm/pa-risc2W.s
+crypto/aes/asm/a_win32.asm
+crypto/bf/asm/b_win32.asm
+crypto/bn/asm/bn_win32.asm
+crypto/bn/asm/co_win32.asm
+crypto/bn/asm/mt_win32.asm
+crypto/cast/asm/c_win32.asm
+crypto/cpu_win32.asm
+crypto/des/asm/d_win32.asm
+crypto/des/asm/y_win32.asm
+crypto/md5/asm/m5_win32.asm
+crypto/rc4/asm/r4_win32.asm
+crypto/rc5/asm/r5_win32.asm
+crypto/ripemd/asm/rm_win32.asm
+crypto/sha/asm/s1_win32.asm
+crypto/sha/asm/sha512-sse2.asm
 
 # Executables
 /apps/openssl
@@ -75,3 +91,17 @@
 lib
 Makefile.save
 *.bak
+
+# Windows
+/tmp32dll
+/tmp32dll.dbg
+/out32dll
+/out32dll.dbg
+/inc32
+/MINFO
+ms/bcb.mak
+ms/libeay32.def
+ms/nt.mak
+ms/ntdll.mak
+ms/ssleay32.def
+ms/version32.rc

CHANGES

@@ -2,6 +2,96 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.8ze and 0.9.8zf [xx XXX xxxx]
+
+  *)
+
+ Changes between 0.9.8zd and 0.9.8ze [15 Jan 2015]
+
+  *) Build fixes for the Windows and OpenVMS platforms
+     [Matt Caswell and Richard Levitte]
+
+ Changes between 0.9.8zc and 0.9.8zd [8 Jan 2015]
+
+  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
+     message can cause a segmentation fault in OpenSSL due to a NULL pointer
+     dereference. This could lead to a Denial Of Service attack. Thanks to
+     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
+     (CVE-2014-3571)
+     [Steve Henson]
+
+  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
+     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+     method would be set to NULL which could later result in a NULL pointer
+     dereference. Thanks to Frank Schmirler for reporting this issue.
+     (CVE-2014-3569)
+     [Kurt Roeckx]
+
+  *) Abort handshake if server key exchange message is omitted for ephemeral
+     ECDH ciphersuites.
+
+     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+     reporting this issue.
+     (CVE-2014-3572)
+     [Steve Henson]
+
+  *) Remove non-export ephemeral RSA code on client and server. This code
+     violated the TLS standard by allowing the use of temporary RSA keys in
+     non-export ciphersuites and could be used by a server to effectively
+     downgrade the RSA key length used to a value smaller than the server
+     certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+     INRIA or reporting this issue.
+     (CVE-2015-0204)
+     [Steve Henson]
+
+  *) Fix various certificate fingerprint issues.
+
+     By using non-DER or invalid encodings outside the signed portion of a
+     certificate the fingerprint can be changed without breaking the signature.
+     Although no details of the signed portion of the certificate can be changed
+     this can cause problems with some applications: e.g. those using the
+     certificate fingerprint for blacklists.
+
+     1. Reject signatures with non zero unused bits.
+
+     If the BIT STRING containing the signature has non zero unused bits reject
+     the signature. All current signature algorithms require zero unused bits.
+
+     2. Check certificate algorithm consistency.
+
+     Check the AlgorithmIdentifier inside TBS matches the one in the
+     certificate signature. NB: this will result in signature failure
+     errors for some broken certificates.
+
+     Thanks to Konrad Kraszewski from Google for reporting this issue.
+
+     3. Check DSA/ECDSA signatures use DER.
+
+     Reencode DSA/ECDSA signatures and compare with the original received
+     signature. Return an error if there is a mismatch.
+
+     This will reject various cases including garbage after signature
+     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
+     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
+     (negative or with leading zeroes).
+
+     Further analysis was conducted and fixes were developed by Stephen Henson
+     of the OpenSSL core team.
+
+     (CVE-2014-8275)
+     [Steve Henson]
+
+   *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+      results on some platforms, including x86_64. This bug occurs at random
+      with a very low probability, and is not known to be exploitable in any
+      way, though its exact impact is difficult to determine. Thanks to Pieter
+      Wuille (Blockstream) who reported this issue and also suggested an initial
+      fix. Further analysis was conducted by the OpenSSL development team and
+      Adam Langley of Google. The final fix was developed by Andy Polyakov of
+      the OpenSSL core team.
+      (CVE-2014-3570)
+      [Andy Polyakov]
+
  Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014]
 
   *) Session Ticket Memory Leak.

NEWS

@@ -5,6 +5,23 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.8ze and OpenSSL 0.9.8zf [under development]
+
+      o
+
+  Major changes between OpenSSL 0.9.8zd and OpenSSL 0.9.8ze [15 Jan 2015]
+
+      o Build fixes for the Windows and OpenVMS platforms
+
+  Major changes between OpenSSL 0.9.8zc and OpenSSL 0.9.8zd [8 Jan 2015]
+
+      o Fix for CVE-2014-3571
+      o Fix for CVE-2014-3569
+      o Fix for CVE-2014-3572
+      o Fix for CVE-2015-0204
+      o Fix for CVE-2014-8275
+      o Fix for CVE-2014-3570
+
   Major changes between OpenSSL 0.9.8zb and OpenSSL 0.9.8zc [15 Oct 2014]:
 
       o Fix for CVE-2014-3513

README

@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.8zc 15 Oct 2014
+ OpenSSL 0.9.8zf-dev
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

crypto/Makefile

@@ -41,7 +41,8 @@ SRC= $(LIBSRC)
 
 EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
 	ossl_typ.h
-HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER)
+HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h \
+	constant_time_locl.h $(EXHEADER)
 
 ALL=    $(GENERAL) $(SRC) $(HEADER)
 

crypto/asn1/a_bitstr.c

@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a,
 
 	p= *pp;
 	i= *(p++);
+	if (i > 7)
+		{
+		i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
+		goto err;
+		}
 	/* We do this to preserve the settings.  If we modify
 	 * the settings, via the _set_bit function, we will recalculate
 	 * on output */
 	ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
-	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
+	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
 
 	if (len-- > 1) /* using one because of the bits left byte */
 		{

crypto/asn1/a_type.c

@@ -108,3 +108,49 @@ int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value)
 
 IMPLEMENT_STACK_OF(ASN1_TYPE)
 IMPLEMENT_ASN1_SET_OF(ASN1_TYPE)
+
+/* Returns 0 if they are equal, != 0 otherwise. */
+int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
+	{
+	int result = -1;
+
+	if (!a || !b || a->type != b->type) return -1;
+
+	switch (a->type)
+		{
+	case V_ASN1_OBJECT:
+		result = OBJ_cmp(a->value.object, b->value.object);
+		break;
+	case V_ASN1_NULL:
+		result = 0;	/* They do not have content. */
+		break;
+	case V_ASN1_INTEGER:
+	case V_ASN1_NEG_INTEGER:
+	case V_ASN1_ENUMERATED:
+	case V_ASN1_NEG_ENUMERATED:
+	case V_ASN1_BIT_STRING:
+	case V_ASN1_OCTET_STRING:
+	case V_ASN1_SEQUENCE:
+	case V_ASN1_SET:
+	case V_ASN1_NUMERICSTRING:
+	case V_ASN1_PRINTABLESTRING:
+	case V_ASN1_T61STRING:
+	case V_ASN1_VIDEOTEXSTRING:
+	case V_ASN1_IA5STRING:
+	case V_ASN1_UTCTIME:
+	case V_ASN1_GENERALIZEDTIME:
+	case V_ASN1_GRAPHICSTRING:
+	case V_ASN1_VISIBLESTRING:
+	case V_ASN1_GENERALSTRING:
+	case V_ASN1_UNIVERSALSTRING:
+	case V_ASN1_BMPSTRING:
+	case V_ASN1_UTF8STRING:
+	case V_ASN1_OTHER:
+	default:
+		result = ASN1_STRING_cmp((ASN1_STRING *) a->value.ptr,
+					 (ASN1_STRING *) b->value.ptr);
+		break;
+		}
+
+	return result;
+	}

crypto/asn1/a_verify.c

@@ -89,6 +89,12 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature,
 		ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
 		goto err;
 		}
+
+	if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
+		{
+		ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+		goto err;
+		}
 	
 	inl=i2d(data,NULL);
 	buf_in=OPENSSL_malloc((unsigned int)inl);
@@ -144,6 +150,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 		return -1;
 		}
 
+	if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
+		{
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+		return -1;
+		}
+
 	EVP_MD_CTX_init(&ctx);
 	i=OBJ_obj2nid(a->algorithm);
 	type=EVP_get_digestbyname(OBJ_nid2sn(i));

crypto/asn1/asn1.h

@@ -769,6 +769,7 @@ DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE)
 int ASN1_TYPE_get(ASN1_TYPE *a);
 void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
 int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);
+int            ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);
 
 ASN1_OBJECT *	ASN1_OBJECT_new(void );
 void		ASN1_OBJECT_free(ASN1_OBJECT *a);
@@ -1260,6 +1261,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_ILLEGAL_TIME_VALUE			 184
 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT			 185
 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG		 128
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT		 220
 #define ASN1_R_INVALID_BMPSTRING_LENGTH			 129
 #define ASN1_R_INVALID_DIGIT				 130
 #define ASN1_R_INVALID_MIME_TYPE			 200
@@ -1308,6 +1310,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_TIME_NOT_ASCII_FORMAT			 193
 #define ASN1_R_TOO_LONG					 155
 #define ASN1_R_TYPE_NOT_CONSTRUCTED			 156
+#define ASN1_R_TYPE_NOT_PRIMITIVE			 218
 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY			 157
 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY		 158
 #define ASN1_R_UNEXPECTED_EOC				 159

crypto/asn1/asn1_err.c

@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -235,6 +235,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE)   ,"illegal time value"},
 {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
 {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
 {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
 {ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
 {ERR_REASON(ASN1_R_INVALID_MIME_TYPE)    ,"invalid mime type"},
@@ -283,6 +284,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]=
 {ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT),"time not ascii format"},
 {ERR_REASON(ASN1_R_TOO_LONG)             ,"too long"},
 {ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"},
+{ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE)   ,"type not primitive"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
 {ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},

crypto/asn1/tasn_dec.c

@@ -866,6 +866,14 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
 		}
 	else if (cst)
 		{
+		if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
+			|| utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
+			|| utype == V_ASN1_ENUMERATED)
+			{
+			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+				ASN1_R_TYPE_NOT_PRIMITIVE);
+			return 0;
+			}
 		buf.length = 0;
 		buf.max = 0;
 		buf.data = NULL;

crypto/asn1/x_algor.c

@@ -128,3 +128,13 @@ void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
 		}
 	}
 
+int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b)
+	{
+	int rv;
+	rv = OBJ_cmp(a->algorithm, b->algorithm);
+	if (rv)
+		return rv;
+	if (!a->parameter && !b->parameter)
+		return 0;
+	return ASN1_TYPE_cmp(a->parameter, b->parameter);
+	}

crypto/bn/asm/mips3.s

@@ -1584,17 +1584,17 @@ LEAF(bn_sqr_comba8)
 	dmultu	a_2,a_0		/* mul_add_c2(a[2],b[0],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_2,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_3,t_1
 	sltu	AT,c_3,t_1
-	daddu	t_2,AT
+	daddu	c_3,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_3,t_1
+	daddu	c_1,AT
+	daddu	t_2,t_1
+	sltu	c_2,c_1,AT
 	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
+	sltu	t_2,c_1,t_2
+	daddu	c_2,t_2
 	dmultu	a_1,a_1		/* mul_add_c(a[1],b[1],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
@@ -1609,63 +1609,63 @@ LEAF(bn_sqr_comba8)
 	dmultu	a_0,a_3		/* mul_add_c2(a[0],b[3],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_3,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_1,t_1
 	sltu	AT,c_1,t_1
-	daddu	t_2,AT
+	daddu	c_1,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_1,t_1
+	daddu	c_2,AT
+	daddu	t_2,t_1
+	sltu	c_3,c_2,AT
 	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
+	sltu	t_2,c_2,t_2
+	daddu	c_3,t_2
 	dmultu	a_1,a_2		/* mul_add_c2(a[1],b[2],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_3,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_1,t_1
 	sltu	AT,c_1,t_1
-	daddu	t_2,AT
+	daddu	c_1,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_1,t_1
+	daddu	c_2,AT
+	daddu	t_2,t_1
+	sltu	AT,c_2,AT
 	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
 	daddu	c_3,AT
+	sltu	t_2,c_2,t_2
+	daddu	c_3,t_2
 	sd	c_1,24(a0)
 
 	dmultu	a_4,a_0		/* mul_add_c2(a[4],b[0],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_1,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_2,t_1
 	sltu	AT,c_2,t_1
-	daddu	t_2,AT
+	daddu	c_2,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_2,t_1
+	daddu	c_3,AT
+	daddu	t_2,t_1
+	sltu	c_1,c_3,AT
 	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
+	sltu	t_2,c_3,t_2
+	daddu	c_1,t_2
 	dmultu	a_3,a_1		/* mul_add_c2(a[3],b[1],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_1,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_2,t_1
 	sltu	AT,c_2,t_1
-	daddu	t_2,AT
+	daddu	c_2,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_2,t_1
+	daddu	c_3,AT
+	daddu	t_2,t_1
+	sltu	AT,c_3,AT
 	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
 	daddu	c_1,AT
+	sltu	t_2,c_3,t_2
+	daddu	c_1,t_2
 	dmultu	a_2,a_2		/* mul_add_c(a[2],b[2],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
@@ -1680,93 +1680,93 @@ LEAF(bn_sqr_comba8)
 	dmultu	a_0,a_5		/* mul_add_c2(a[0],b[5],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_2,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_3,t_1
 	sltu	AT,c_3,t_1
-	daddu	t_2,AT
+	daddu	c_3,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_3,t_1
+	daddu	c_1,AT
+	daddu	t_2,t_1
+	sltu	c_2,c_1,AT
 	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
+	sltu	t_2,c_1,t_2
+	daddu	c_2,t_2
 	dmultu	a_1,a_4		/* mul_add_c2(a[1],b[4],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_2,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_3,t_1
 	sltu	AT,c_3,t_1
-	daddu	t_2,AT
+	daddu	c_3,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_3,t_1
+	daddu	c_1,AT
+	daddu	t_2,t_1
+	sltu	AT,c_1,AT
 	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
 	daddu	c_2,AT
+	sltu	t_2,c_1,t_2
+	daddu	c_2,t_2
 	dmultu	a_2,a_3		/* mul_add_c2(a[2],b[3],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_2,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_3,t_1
 	sltu	AT,c_3,t_1
-	daddu	t_2,AT
+	daddu	c_3,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_3,t_1
+	daddu	c_1,AT
+	daddu	t_2,t_1
+	sltu	AT,c_1,AT
 	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
 	daddu	c_2,AT
+	sltu	t_2,c_1,t_2
+	daddu	c_2,t_2
 	sd	c_3,40(a0)
 
 	dmultu	a_6,a_0		/* mul_add_c2(a[6],b[0],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_3,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_1,t_1
 	sltu	AT,c_1,t_1
-	daddu	t_2,AT
+	daddu	c_1,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_1,t_1
+	daddu	c_2,AT
+	daddu	t_2,t_1
+	sltu	c_3,c_2,AT
 	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
+	sltu	t_2,c_2,t_2
+	daddu	c_3,t_2
 	dmultu	a_5,a_1		/* mul_add_c2(a[5],b[1],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_3,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_1,t_1
 	sltu	AT,c_1,t_1
-	daddu	t_2,AT
+	daddu	c_1,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_1,t_1
+	daddu	c_2,AT
+	daddu	t_2,t_1
+	sltu	AT,c_2,AT
 	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
 	daddu	c_3,AT
+	sltu	t_2,c_2,t_2
+	daddu	c_3,t_2
 	dmultu	a_4,a_2		/* mul_add_c2(a[4],b[2],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_3,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_1,t_1
 	sltu	AT,c_1,t_1
-	daddu	t_2,AT
+	daddu	c_1,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_1,t_1
+	daddu	c_2,AT
+	daddu	t_2,t_1
+	sltu	AT,c_2,AT
 	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
 	daddu	c_3,AT
+	sltu	t_2,c_2,t_2
+	daddu	c_3,t_2
 	dmultu	a_3,a_3		/* mul_add_c(a[3],b[3],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
@@ -1781,108 +1781,108 @@ LEAF(bn_sqr_comba8)
 	dmultu	a_0,a_7		/* mul_add_c2(a[0],b[7],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_1,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_2,t_1
 	sltu	AT,c_2,t_1
-	daddu	t_2,AT
+	daddu	c_2,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_2,t_1
+	daddu	c_3,AT
+	daddu	t_2,t_1
+	sltu	c_1,c_3,AT
 	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
+	sltu	t_2,c_3,t_2
+	daddu	c_1,t_2
 	dmultu	a_1,a_6		/* mul_add_c2(a[1],b[6],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_1,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_2,t_1
 	sltu	AT,c_2,t_1
-	daddu	t_2,AT
+	daddu	c_2,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_2,t_1
+	daddu	c_3,AT
+	daddu	t_2,t_1
+	sltu	AT,c_3,AT
 	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
 	daddu	c_1,AT
+	sltu	t_2,c_3,t_2
+	daddu	c_1,t_2
 	dmultu	a_2,a_5		/* mul_add_c2(a[2],b[5],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_1,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_2,t_1
 	sltu	AT,c_2,t_1
-	daddu	t_2,AT
+	daddu	c_2,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_2,t_1
+	daddu	c_3,AT
+	daddu	t_2,t_1
+	sltu	AT,c_3,AT
 	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
 	daddu	c_1,AT
+	sltu	t_2,c_3,t_2
+	daddu	c_1,t_2
 	dmultu	a_3,a_4		/* mul_add_c2(a[3],b[4],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_1,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_2,t_1
 	sltu	AT,c_2,t_1
-	daddu	t_2,AT
+	daddu	c_2,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_2,t_1
+	daddu	c_3,AT
+	daddu	t_2,t_1
+	sltu	AT,c_3,AT
 	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
 	daddu	c_1,AT
+	sltu	t_2,c_3,t_2
+	daddu	c_1,t_2
 	sd	c_2,56(a0)
 
 	dmultu	a_7,a_1		/* mul_add_c2(a[7],b[1],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_2,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_3,t_1
 	sltu	AT,c_3,t_1
-	daddu	t_2,AT
+	daddu	c_3,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_3,t_1
+	daddu	c_1,AT
+	daddu	t_2,t_1
+	sltu	c_2,c_1,AT
 	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
+	sltu	t_2,c_1,t_2
+	daddu	c_2,t_2
 	dmultu	a_6,a_2		/* mul_add_c2(a[6],b[2],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_2,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_3,t_1
 	sltu	AT,c_3,t_1
-	daddu	t_2,AT
+	daddu	c_3,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_3,t_1
+	daddu	c_1,AT
+	daddu	t_2,t_1
+	sltu	AT,c_1,AT
 	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
 	daddu	c_2,AT
+	sltu	t_2,c_1,t_2
+	daddu	c_2,t_2
 	dmultu	a_5,a_3		/* mul_add_c2(a[5],b[3],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_2,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_3,t_1
 	sltu	AT,c_3,t_1
-	daddu	t_2,AT
+	daddu	c_3,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_3,t_1
+	daddu	c_1,AT
+	daddu	t_2,t_1
+	sltu	AT,c_1,AT
 	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
 	daddu	c_2,AT
+	sltu	t_2,c_1,t_2
+	daddu	c_2,t_2
 	dmultu	a_4,a_4		/* mul_add_c(a[4],b[4],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
@@ -1897,78 +1897,78 @@ LEAF(bn_sqr_comba8)
 	dmultu	a_2,a_7		/* mul_add_c2(a[2],b[7],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_3,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_1,t_1
 	sltu	AT,c_1,t_1
-	daddu	t_2,AT
+	daddu	c_1,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_1,t_1
+	daddu	c_2,AT
+	daddu	t_2,t_1
+	sltu	c_3,c_2,AT
 	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
+	sltu	t_2,c_2,t_2
+	daddu	c_3,t_2
 	dmultu	a_3,a_6		/* mul_add_c2(a[3],b[6],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_3,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_1,t_1
 	sltu	AT,c_1,t_1
-	daddu	t_2,AT
+	daddu	c_1,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_1,t_1
+	daddu	c_2,AT
+	daddu	t_2,t_1
+	sltu	AT,c_2,AT
 	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
 	daddu	c_3,AT
+	sltu	t_2,c_2,t_2
+	daddu	c_3,t_2
 	dmultu	a_4,a_5		/* mul_add_c2(a[4],b[5],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_3,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_1,t_1
 	sltu	AT,c_1,t_1
-	daddu	t_2,AT
+	daddu	c_1,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_1,t_1
+	daddu	c_2,AT
+	daddu	t_2,t_1
+	sltu	AT,c_2,AT
 	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
 	daddu	c_3,AT
+	sltu	t_2,c_2,t_2
+	daddu	c_3,t_2
 	sd	c_1,72(a0)
 
 	dmultu	a_7,a_3		/* mul_add_c2(a[7],b[3],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_1,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_2,t_1
 	sltu	AT,c_2,t_1
-	daddu	t_2,AT
+	daddu	c_2,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_2,t_1
+	daddu	c_3,AT
+	daddu	t_2,t_1
+	sltu	c_1,c_3,AT
 	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
+	sltu	t_2,c_3,t_2
+	daddu	c_1,t_2
 	dmultu	a_6,a_4		/* mul_add_c2(a[6],b[4],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_1,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_2,t_1
 	sltu	AT,c_2,t_1
-	daddu	t_2,AT
+	daddu	c_2,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_2,t_1
+	daddu	c_3,AT
+	daddu	t_2,t_1
+	sltu	AT,c_3,AT
 	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
 	daddu	c_1,AT
+	sltu	t_2,c_3,t_2
+	daddu	c_1,t_2
 	dmultu	a_5,a_5		/* mul_add_c(a[5],b[5],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
@@ -1983,48 +1983,48 @@ LEAF(bn_sqr_comba8)
 	dmultu	a_4,a_7		/* mul_add_c2(a[4],b[7],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_2,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_3,t_1
 	sltu	AT,c_3,t_1
-	daddu	t_2,AT
+	daddu	c_3,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_3,t_1
+	daddu	c_1,AT
+	daddu	t_2,t_1
+	sltu	c_2,c_1,AT
 	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
+	sltu	t_2,c_1,t_2
+	daddu	c_2,t_2
 	dmultu	a_5,a_6		/* mul_add_c2(a[5],b[6],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_2,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_3,t_1
 	sltu	AT,c_3,t_1
-	daddu	t_2,AT
+	daddu	c_3,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_3,t_1
+	daddu	c_1,AT
+	daddu	t_2,t_1
+	sltu	AT,c_1,AT
 	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
 	daddu	c_2,AT
+	sltu	t_2,c_1,t_2
+	daddu	c_2,t_2
 	sd	c_3,88(a0)
 
 	dmultu	a_7,a_5		/* mul_add_c2(a[7],b[5],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_3,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_1,t_1
 	sltu	AT,c_1,t_1
-	daddu	t_2,AT
+	daddu	c_1,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_1,t_1
+	daddu	c_2,AT
+	daddu	t_2,t_1
+	sltu	c_3,c_2,AT
 	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
+	sltu	t_2,c_2,t_2
+	daddu	c_3,t_2
 	dmultu	a_6,a_6		/* mul_add_c(a[6],b[6],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
@@ -2039,17 +2039,17 @@ LEAF(bn_sqr_comba8)
 	dmultu	a_6,a_7		/* mul_add_c2(a[6],b[7],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_1,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_2,t_1
 	sltu	AT,c_2,t_1
-	daddu	t_2,AT
+	daddu	c_2,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_2,t_1
+	daddu	c_3,AT
+	daddu	t_2,t_1
+	sltu	c_1,c_3,AT
 	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
+	sltu	t_2,c_3,t_2
+	daddu	c_1,t_2
 	sd	c_2,104(a0)
 
 	dmultu	a_7,a_7		/* mul_add_c(a[7],b[7],c3,c1,c2); */
@@ -2070,9 +2070,9 @@ LEAF(bn_sqr_comba4)
 	.set	reorder
 	ld	a_0,0(a1)
 	ld	a_1,8(a1)
+	dmultu	a_0,a_0		/* mul_add_c(a[0],b[0],c1,c2,c3); */
 	ld	a_2,16(a1)
 	ld	a_3,24(a1)
-	dmultu	a_0,a_0		/* mul_add_c(a[0],b[0],c1,c2,c3); */
 	mflo	c_1
 	mfhi	c_2
 	sd	c_1,0(a0)
@@ -2093,17 +2093,17 @@ LEAF(bn_sqr_comba4)
 	dmultu	a_2,a_0		/* mul_add_c2(a[2],b[0],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_2,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_3,t_1
 	sltu	AT,c_3,t_1
-	daddu	t_2,AT
+	daddu	c_3,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_3,t_1
+	daddu	c_1,AT
+	daddu	t_2,t_1
+	sltu	c_2,c_1,AT
 	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
+	sltu	t_2,c_1,t_2
+	daddu	c_2,t_2
 	dmultu	a_1,a_1		/* mul_add_c(a[1],b[1],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
@@ -2118,48 +2118,48 @@ LEAF(bn_sqr_comba4)
 	dmultu	a_0,a_3		/* mul_add_c2(a[0],b[3],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_3,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_1,t_1
 	sltu	AT,c_1,t_1
-	daddu	t_2,AT
+	daddu	c_1,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_1,t_1
+	daddu	c_2,AT
+	daddu	t_2,t_1
+	sltu	c_3,c_2,AT
 	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
-	daddu	c_3,AT
+	sltu	t_2,c_2,t_2
+	daddu	c_3,t_2
 	dmultu	a_1,a_2		/* mul_add_c(a2[1],b[2],c1,c2,c3); */
 	mflo	t_1
 	mfhi	t_2
-	slt	AT,t_2,zero
-	daddu	c_3,AT
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_1,t_1
 	sltu	AT,c_1,t_1
-	daddu	t_2,AT
+	daddu	c_1,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_1,t_1
+	daddu	c_2,AT
+	daddu	t_2,t_1
+	sltu	AT,c_2,AT
 	daddu	c_2,t_2
-	sltu	AT,c_2,t_2
 	daddu	c_3,AT
+	sltu	t_2,c_2,t_2
+	daddu	c_3,t_2
 	sd	c_1,24(a0)
 
 	dmultu	a_3,a_1		/* mul_add_c2(a[3],b[1],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_1,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_2,t_1
 	sltu	AT,c_2,t_1
-	daddu	t_2,AT
+	daddu	c_2,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_2,t_1
+	daddu	c_3,AT
+	daddu	t_2,t_1
+	sltu	c_1,c_3,AT
 	daddu	c_3,t_2
-	sltu	AT,c_3,t_2
-	daddu	c_1,AT
+	sltu	t_2,c_3,t_2
+	daddu	c_1,t_2
 	dmultu	a_2,a_2		/* mul_add_c(a[2],b[2],c2,c3,c1); */
 	mflo	t_1
 	mfhi	t_2
@@ -2174,17 +2174,17 @@ LEAF(bn_sqr_comba4)
 	dmultu	a_2,a_3		/* mul_add_c2(a[2],b[3],c3,c1,c2); */
 	mflo	t_1
 	mfhi	t_2
-	slt	c_2,t_2,zero
-	dsll	t_2,1
-	slt	a2,t_1,zero
-	daddu	t_2,a2
-	dsll	t_1,1
 	daddu	c_3,t_1
 	sltu	AT,c_3,t_1
-	daddu	t_2,AT
+	daddu	c_3,t_1
+	daddu	AT,t_2
+	sltu	t_1,c_3,t_1
+	daddu	c_1,AT
+	daddu	t_2,t_1
+	sltu	c_2,c_1,AT
 	daddu	c_1,t_2
-	sltu	AT,c_1,t_2
-	daddu	c_2,AT
+	sltu	t_2,c_1,t_2
+	daddu	c_2,t_2
 	sd	c_3,40(a0)
 
 	dmultu	a_3,a_3		/* mul_add_c(a[3],b[3],c1,c2,c3); */

crypto/bn/asm/x86_64-gcc.c

@@ -269,6 +269,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 /* sqr_add_c(a,i,c0,c1,c2)  -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
 /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */
 
+/*
+ * Keep in mind that carrying into high part of multiplication result
+ * can not overflow, because it cannot be all-ones.
+ */
 #if 0
 /* original macros are kept for reference purposes */
 #define mul_add_c(a,b,c0,c1,c2) {	\
@@ -283,10 +287,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 	BN_ULONG ta=(a),tb=(b),t0;	\
 	t1 = BN_UMULT_HIGH(ta,tb);	\
 	t0 = ta * tb;			\
-	t2 = t1+t1; c2 += (t2<t1)?1:0;	\
-	t1 = t0+t0; t2 += (t1<t0)?1:0;	\
-	c0 += t1; t2 += (c0<t1)?1:0;	\
+	c0 += t0; t2 = t1+((c0<t0)?1:0);\
 	c1 += t2; c2 += (c1<t2)?1:0;	\
+	c0 += t0; t1 += (c0<t0)?1:0;	\
+	c1 += t1; c2 += (c1<t1)?1:0;	\
 	}
 #else
 #define mul_add_c(a,b,c0,c1,c2)	do {	\
@@ -324,22 +328,14 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n)
 		: "=a"(t1),"=d"(t2)	\
 		: "a"(a),"m"(b)		\
 		: "cc");		\
-	asm ("addq %0,%0; adcq %2,%1"	\
-		: "+d"(t2),"+r"(c2)	\
-		: "g"(0)		\
-		: "cc");		\
-	asm ("addq %0,%0; adcq %2,%1"	\
-		: "+a"(t1),"+d"(t2)	\
-		: "g"(0)		\
-		: "cc");		\
-	asm ("addq %2,%0; adcq %3,%1"	\
-		: "+r"(c0),"+d"(t2)	\
-		: "a"(t1),"g"(0)	\
-		: "cc");		\
-	asm ("addq %2,%0; adcq %3,%1"	\
-		: "+r"(c1),"+r"(c2)	\
-		: "d"(t2),"g"(0)	\
-		: "cc");		\
+	asm ("addq %3,%0; adcq %4,%1; adcq %5,%2"	\
+		: "+r"(c0),"+r"(c1),"+r"(c2)		\
+		: "r"(t1),"r"(t2),"g"(0)		\
+		: "cc");				\
+	asm ("addq %3,%0; adcq %4,%1; adcq %5,%2"	\
+		: "+r"(c0),"+r"(c1),"+r"(c2)		\
+		: "r"(t1),"r"(t2),"g"(0)		\
+		: "cc");				\
 	} while (0)
 #endif
 

crypto/bn/bn_asm.c

@@ -431,6 +431,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
 /* sqr_add_c(a,i,c0,c1,c2)  -- c+=a[i]^2 for three word number c=(c2,c1,c0) */
 /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */
 
+/*
+ * Keep in mind that carrying into high part of multiplication result
+ * can not overflow, because it cannot be all-ones.
+ */
 #ifdef BN_LLONG
 #define mul_add_c(a,b,c0,c1,c2) \
 	t=(BN_ULLONG)a*b; \
@@ -471,10 +475,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
 #define mul_add_c2(a,b,c0,c1,c2) {	\
 	BN_ULONG ta=(a),tb=(b),t0;	\
 	BN_UMULT_LOHI(t0,t1,ta,tb);	\
-	t2 = t1+t1; c2 += (t2<t1)?1:0;	\
-	t1 = t0+t0; t2 += (t1<t0)?1:0;	\
-	c0 += t1; t2 += (c0<t1)?1:0;	\
+	c0 += t0; t2 = t1+((c0<t0)?1:0);\
 	c1 += t2; c2 += (c1<t2)?1:0;	\
+	c0 += t0; t1 += (c0<t0)?1:0;	\
+	c1 += t1; c2 += (c1<t1)?1:0;	\
 	}
 
 #define sqr_add_c(a,i,c0,c1,c2)	{	\
@@ -501,10 +505,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n)
 	BN_ULONG ta=(a),tb=(b),t0;	\
 	t1 = BN_UMULT_HIGH(ta,tb);	\
 	t0 = ta * tb;			\
-	t2 = t1+t1; c2 += (t2<t1)?1:0;	\
-	t1 = t0+t0; t2 += (t1<t0)?1:0;	\
-	c0 += t1; t2 += (c0<t1)?1:0;	\
+	c0 += t0; t2 = t1+((c0<t0)?1:0);\
 	c1 += t2; c2 += (c1<t2)?1:0;	\
+	c0 += t0; t1 += (c0<t0)?1:0;	\
+	c1 += t1; c2 += (c1<t1)?1:0;	\
 	}
 
 #define sqr_add_c(a,i,c0,c1,c2)	{	\

crypto/bn/bntest.c

@@ -676,44 +676,98 @@ int test_mul(BIO *bp)
 
 int test_sqr(BIO *bp, BN_CTX *ctx)
 	{
-	BIGNUM a,c,d,e;
-	int i;
+	BIGNUM *a,*c,*d,*e;
+	int i, ret = 0;
 
-	BN_init(&a);
-	BN_init(&c);
-	BN_init(&d);
-	BN_init(&e);
+	a = BN_new();
+	c = BN_new();
+	d = BN_new();
+	e = BN_new();
+	if (a == NULL || c == NULL || d == NULL || e == NULL)
+		{
+		goto err;
+		}
 
 	for (i=0; i<num0; i++)
 		{
-		BN_bntest_rand(&a,40+i*10,0,0);
-		a.neg=rand_neg();
-		BN_sqr(&c,&a,ctx);
+		BN_bntest_rand(a,40+i*10,0,0);
+		a->neg=rand_neg();
+		BN_sqr(c,a,ctx);
 		if (bp != NULL)
 			{
 			if (!results)
 				{
-				BN_print(bp,&a);
+				BN_print(bp,a);
 				BIO_puts(bp," * ");
-				BN_print(bp,&a);
+				BN_print(bp,a);
 				BIO_puts(bp," - ");
 				}
-			BN_print(bp,&c);
+			BN_print(bp,c);
 			BIO_puts(bp,"\n");
 			}
-		BN_div(&d,&e,&c,&a,ctx);
-		BN_sub(&d,&d,&a);
-		if(!BN_is_zero(&d) || !BN_is_zero(&e))
-		    {
-		    fprintf(stderr,"Square test failed!\n");
-		    return 0;
-		    }
+		BN_div(d,e,c,a,ctx);
+		BN_sub(d,d,a);
+		if(!BN_is_zero(d) || !BN_is_zero(e))
+			{
+			fprintf(stderr,"Square test failed!\n");
+			goto err;
+			}
 		}
-	BN_free(&a);
-	BN_free(&c);
-	BN_free(&d);
-	BN_free(&e);
-	return(1);
+
+	/* Regression test for a BN_sqr overflow bug. */
+	BN_hex2bn(&a,
+		"80000000000000008000000000000001FFFFFFFFFFFFFFFE0000000000000000");
+	BN_sqr(c, a, ctx);
+	if (bp != NULL)
+		{
+		if (!results)
+			{
+			BN_print(bp,a);
+			BIO_puts(bp," * ");
+			BN_print(bp,a);
+			BIO_puts(bp," - ");
+			}
+		BN_print(bp,c);
+		BIO_puts(bp,"\n");
+		}
+	BN_mul(d, a, a, ctx);
+	if (BN_cmp(c, d))
+		{
+		fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
+			"different results!\n");
+		goto err;
+		}
+
+	/* Regression test for a BN_sqr overflow bug. */
+	BN_hex2bn(&a,
+		"80000000000000000000000080000001FFFFFFFE000000000000000000000000");
+	BN_sqr(c, a, ctx);
+	if (bp != NULL)
+		{
+		if (!results)
+			{
+			BN_print(bp,a);
+			BIO_puts(bp," * ");
+			BN_print(bp,a);
+			BIO_puts(bp," - ");
+			}
+		BN_print(bp,c);
+		BIO_puts(bp,"\n");
+		}
+	BN_mul(d, a, a, ctx);
+	if (BN_cmp(c, d))
+		{
+		fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce "
+			"different results!\n");
+		goto err;
+		}
+	ret = 1;
+err:
+	if (a != NULL) BN_free(a);
+	if (c != NULL) BN_free(c);
+	if (d != NULL) BN_free(d);
+	if (e != NULL) BN_free(e);
+	return ret;
 	}
 
 int test_mont(BIO *bp, BN_CTX *ctx)

crypto/bn/exptest.c

@@ -71,6 +71,11 @@
 
 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
 
+/*
+ * Disabled for FIPS capable builds because they use the FIPS BIGNUM library
+ * which will fail this test.
+ */
+#ifndef OPENSSL_FIPS
 /* test_exp_mod_zero tests that x**0 mod 1 == 0. It returns zero on success. */
 static int test_exp_mod_zero() {
 	BIGNUM a, p, m;
@@ -107,7 +112,7 @@ static int test_exp_mod_zero() {
 
 	return ret;
 }
-
+#endif
 int main(int argc, char *argv[])
 	{
 	BN_CTX *ctx;
@@ -228,10 +233,10 @@ int main(int argc, char *argv[])
 	CRYPTO_mem_leaks(out);
 	BIO_free(out);
 	printf("\n");
-
+#ifndef OPENSSL_FIPS
 	if (test_exp_mod_zero() != 0)
 		goto err;
-
+#endif
 	printf("done\n");
 
 	EXIT(0);

crypto/constant_time_locl.h

@@ -129,17 +129,12 @@ static inline int constant_time_select_int(unsigned int mask, int a, int b);
 
 static inline unsigned int constant_time_msb(unsigned int a)
 	{
-	return (unsigned int)((int)(a) >> (sizeof(int) * 8 - 1));
+	return 0-(a >> (sizeof(a) * 8 - 1));
 	}
 
 static inline unsigned int constant_time_lt(unsigned int a, unsigned int b)
 	{
-	unsigned int lt;
-	/* Case 1: msb(a) == msb(b). a < b iff the MSB of a - b is set.*/
-	lt = ~(a ^ b) & (a - b);
-	/* Case 2: msb(a) != msb(b). a < b iff the MSB of b is set. */
-	lt |= ~a & b;
-	return constant_time_msb(lt);
+	return constant_time_msb(a^((a^b)|((a-b)^b)));
 	}
 
 static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b)
@@ -149,12 +144,7 @@ static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b)
 
 static inline unsigned int constant_time_ge(unsigned int a, unsigned int b)
 	{
-	unsigned int ge;
-	/* Case 1: msb(a) == msb(b). a >= b iff the MSB of a - b is not set.*/
-	ge = ~((a ^ b) | (a - b));
-	/* Case 2: msb(a) != msb(b). a >= b iff the MSB of a is set. */
-	ge |= a & ~b;
-	return constant_time_msb(ge);
+	return ~constant_time_lt(a, b);
 	}
 
 static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b)
@@ -204,7 +194,7 @@ static inline unsigned char constant_time_select_8(unsigned char mask,
 	return (unsigned char)(constant_time_select(mask, a, b));
 	}
 
-inline int constant_time_select_int(unsigned int mask, int a, int b)
+static inline int constant_time_select_int(unsigned int mask, int a, int b)
 	{
 	return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b)));
 	}

crypto/cryptlib.c

@@ -512,7 +512,7 @@ void OPENSSL_showfatal (const char *fmta,...)
 
 #if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333
     /* this -------------v--- guards NT-specific calls */
-    if (GetVersion() < 0x80000000 && OPENSSL_isservice() > 0)
+    if (check_winnt() && OPENSSL_isservice() > 0)
     {	HANDLE h = RegisterEventSource(0,_T("OPENSSL"));
 	const TCHAR *pmsg=buf;
 	ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0);

crypto/dsa/dsa_asn1.c

@@ -200,7 +200,11 @@ int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
 	     const unsigned char *sigbuf, int siglen, DSA *dsa)
 	{
 	DSA_SIG *s;
+	const unsigned char *p = sigbuf;
+	unsigned char *der = NULL;
+	int derlen = -1;
 	int ret=-1;
+
 #ifdef OPENSSL_FIPS
 	if(FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW))
 		{
@@ -211,10 +215,18 @@ int DSA_verify(int type, const unsigned char *dgst, int dgst_len,
 
 	s = DSA_SIG_new();
 	if (s == NULL) return(ret);
-	if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err;
+	if (d2i_DSA_SIG(&s,&p,siglen) == NULL) goto err;
+	/* Ensure signature uses DER and doesn't have trailing garbage */
+	derlen = i2d_DSA_SIG(s, &der);
+	if (derlen != siglen || memcmp(sigbuf, der, derlen))
+		goto err;
 	ret=DSA_do_verify(dgst,dgst_len,s,dsa);
 err:
+	if (derlen > 0)
+		{
+		OPENSSL_cleanse(der, derlen);
+		OPENSSL_free(der);
+		}
 	DSA_SIG_free(s);
 	return(ret);
 	}
-

crypto/ecdsa/ecs_vrf.c

@@ -57,6 +57,7 @@
  */
 
 #include "ecs_locl.h"
+#include <string.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
@@ -84,13 +85,25 @@ int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len,
 		const unsigned char *sigbuf, int sig_len, EC_KEY *eckey)
  	{
 	ECDSA_SIG *s;
+	const unsigned char *p = sigbuf;
+	unsigned char *der = NULL;
+	int derlen = -1;
 	int ret=-1;
 
 	s = ECDSA_SIG_new();
 	if (s == NULL) return(ret);
-	if (d2i_ECDSA_SIG(&s, &sigbuf, sig_len) == NULL) goto err;
+	if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) goto err;
+	/* Ensure signature uses DER and doesn't have trailing garbage */
+	derlen = i2d_ECDSA_SIG(s, &der);
+	if (derlen != sig_len || memcmp(sigbuf, der, derlen))
+		goto err;
 	ret=ECDSA_do_verify(dgst, dgst_len, s, eckey);
 err:
+	if (derlen > 0)
+		{
+		OPENSSL_cleanse(der, derlen);
+		OPENSSL_free(der);
+		}
 	ECDSA_SIG_free(s);
 	return(ret);
 	}

crypto/evp/Makefile

@@ -385,8 +385,7 @@ evp_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h
 evp_enc.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 evp_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 evp_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
-evp_enc.o: ../../include/openssl/x509_vfy.h ../constant_time_locl.h
-evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h
+evp_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_enc.c evp_locl.h
 evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
 evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h

crypto/evp/evp_enc.c

@@ -64,7 +64,6 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
-#include "../constant_time_locl.h"
 #include "evp_locl.h"
 
 #ifdef OPENSSL_FIPS
@@ -302,11 +301,11 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 
 int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 	{
-	unsigned int i, b;
-	unsigned char pad, padding_good;
+	int i,n;
+	unsigned int b;
 
 	*outl=0;
-	b=(unsigned int)(ctx->cipher->block_size);
+	b=ctx->cipher->block_size;
 	if (ctx->flags & EVP_CIPH_NO_PADDING)
 		{
 		if(ctx->buf_len)
@@ -325,34 +324,28 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
 			return(0);
 			}
 		OPENSSL_assert(b <= sizeof ctx->final);
-		pad=ctx->final[b-1];
-
-		padding_good = (unsigned char)(~constant_time_is_zero_8(pad));
-		padding_good &= constant_time_ge_8(b, pad);
-
-                for (i = 1; i < b; ++i)
+		n=ctx->final[b-1];
+		if (n == 0 || n > (int)b)
 			{
-			unsigned char is_pad_index = constant_time_lt_8(i, pad);
-			unsigned char pad_byte_good = constant_time_eq_8(ctx->final[b-i-1], pad);
-			padding_good &= constant_time_select_8(is_pad_index, pad_byte_good, 0xff);
+			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+			return(0);
 			}
-
-		/*
-		 * At least 1 byte is always padding, so we always write b - 1
-		 * bytes to avoid a timing leak. The caller is required to have |b|
-		 * bytes space in |out| by the API contract.
-		 */
-		for (i = 0; i < b - 1; ++i)
-			out[i] = ctx->final[i] & padding_good;
-		/* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */
-		*outl = padding_good & ((unsigned char)(b - pad));
-		return padding_good & 1;
+		for (i=0; i<n; i++)
+			{
+			if (ctx->final[--b] != n)
+				{
+				EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
+				return(0);
+				}
+			}
+		n=ctx->cipher->block_size-n;
+		for (i=0; i<n; i++)
+			out[i]=ctx->final[i];
+		*outl=n;
 		}
 	else
-		{
-		*outl = 0;
-		return 1;
-		}
+		*outl=0;
+	return(1);
 	}
 
 void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx)

crypto/md32_common.h

@@ -225,8 +225,7 @@
 #define HOST_c2l(c,l)	(l =(((unsigned long)(*((c)++)))<<24),		\
 			 l|=(((unsigned long)(*((c)++)))<<16),		\
 			 l|=(((unsigned long)(*((c)++)))<< 8),		\
-			 l|=(((unsigned long)(*((c)++)))    ),		\
-			 l)
+			 l|=(((unsigned long)(*((c)++)))    )		)
 #endif
 #ifndef HOST_l2c
 #define HOST_l2c(l,c)	(*((c)++)=(unsigned char)(((l)>>24)&0xff),	\
@@ -262,8 +261,7 @@
 #define HOST_c2l(c,l)	(l =(((unsigned long)(*((c)++)))    ),		\
 			 l|=(((unsigned long)(*((c)++)))<< 8),		\
 			 l|=(((unsigned long)(*((c)++)))<<16),		\
-			 l|=(((unsigned long)(*((c)++)))<<24),		\
-			 l)
+			 l|=(((unsigned long)(*((c)++)))<<24)		)
 #endif
 #ifndef HOST_l2c
 #define HOST_l2c(l,c)	(*((c)++)=(unsigned char)(((l)    )&0xff),	\

crypto/opensslv.h

@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x009081cfL
+#define OPENSSL_VERSION_NUMBER	0x009081f0L
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8zc-fips 15 Oct 2014"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8zf-fips-dev xx XXX xxxx"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8zc 15 Oct 2014"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8zf-dev xx XXX xxxx"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 

crypto/rand/rand_win.c

@@ -196,12 +196,6 @@ int RAND_poll(void)
 	DWORD w;
 	int good = 0;
 
-	/* Determine the OS version we are on so we can turn off things 
-	 * that do not work properly.
-	 */
-        OSVERSIONINFO osverinfo ;
-        osverinfo.dwOSVersionInfoSize = sizeof(OSVERSIONINFO) ;
-        GetVersionEx( &osverinfo ) ;
 
 #if defined(OPENSSL_SYS_WINCE)
 # if defined(_WIN32_WCE) && _WIN32_WCE>=300
@@ -281,56 +275,6 @@ int RAND_poll(void)
          * at random times on Windows 2000.  Reported by Jeffrey Altman.  
          * Only use it on NT.
 	 */
-	/* Wolfgang Marczy <WMarczy@topcall.co.at> reports that
-	 * the RegQueryValueEx call below can hang on NT4.0 (SP6).
-	 * So we don't use this at all for now. */
-#if 0
-        if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT &&
-		osverinfo.dwMajorVersion < 5)
-		{
-		/* Read Performance Statistics from NT/2000 registry
-		 * The size of the performance data can vary from call
-		 * to call so we must guess the size of the buffer to use
-		 * and increase its size if we get an ERROR_MORE_DATA
-		 * return instead of ERROR_SUCCESS.
-		 */
-		LONG   rc=ERROR_MORE_DATA;
-		char * buf=NULL;
-		DWORD bufsz=0;
-		DWORD length;
-
-		while (rc == ERROR_MORE_DATA)
-			{
-			buf = realloc(buf,bufsz+8192);
-			if (!buf)
-				break;
-			bufsz += 8192;
-
-			length = bufsz;
-			rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, TEXT("Global"),
-				NULL, NULL, buf, &length);
-			}
-		if (rc == ERROR_SUCCESS)
-			{
-                        /* For entropy count assume only least significant
-			 * byte of each DWORD is random.
-			 */
-			RAND_add(&length, sizeof(length), 0);
-			RAND_add(buf, length, length / 4.0);
-
-			/* Close the Registry Key to allow Windows to cleanup/close
-			 * the open handle
-			 * Note: The 'HKEY_PERFORMANCE_DATA' key is implicitly opened
-			 *       when the RegQueryValueEx above is done.  However, if
-			 *       it is not explicitly closed, it can cause disk
-			 *       partition manipulation problems.
-			 */
-			RegCloseKey(HKEY_PERFORMANCE_DATA);
-			}
-		if (buf)
-			free(buf);
-		}
-#endif
 
 	if (advapi)
 		{
@@ -383,7 +327,7 @@ int RAND_poll(void)
         if (advapi)
 		FreeLibrary(advapi);
 
-	if ((osverinfo.dwPlatformId != VER_PLATFORM_WIN32_NT ||
+	if ((!check_winnt() ||
 	     !OPENSSL_isservice()) &&
 	    (user = LoadLibrary(TEXT("USER32.DLL"))))
 		{
@@ -407,8 +351,7 @@ int RAND_poll(void)
 			 * on NT4 even though it exists in SP3 (or SP6) and
 			 * higher.
 			 */
-			if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT &&
-				osverinfo.dwMajorVersion < 5)
+			if (check_winnt() && !check_win_minplat(5))
 				cursor = 0;
 			}
 		if (cursor)
@@ -750,7 +693,7 @@ static void readscreen(void)
   int		y;		/* y-coordinate of screen lines to grab */
   int		n = 16;		/* number of screen lines to grab at a time */
 
-  if (GetVersion() < 0x80000000 && OPENSSL_isservice()>0)
+  if (check_winnt() && OPENSSL_isservice()>0)
     return;
 
   /* Create a screen DC and a memory DC compatible to screen DC */

crypto/rsa/rsa_oaep.c

@@ -18,7 +18,7 @@
  * an equivalent notion.
  */
 
-#include "../constant_time_locl.h"
+#include "constant_time_locl.h"
 
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 #include <stdio.h>

crypto/rsa/rsa_pk1.c

@@ -56,7 +56,7 @@
  * [including the GNU Public Licence.]
  */
 
-#include "../constant_time_locl.h"
+#include "constant_time_locl.h"
 
 #include <stdio.h>
 #include "cryptlib.h"

crypto/x509/x509.h

@@ -870,6 +870,7 @@ X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn);
 int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval);
 void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval,
 						X509_ALGOR *algor);
+int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
 
 X509_NAME *X509_NAME_dup(X509_NAME *xn);
 X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);

crypto/x509/x_all.c

@@ -73,6 +73,8 @@
 
 int X509_verify(X509 *a, EVP_PKEY *r)
 	{
+	if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature))
+		return 0;
 	return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg,
 		a->signature,a->cert_info,r));
 	}

doc/ssl/SSL_CTX_set_mode.pod

@@ -61,12 +61,16 @@ deal with read/write operations returning without success report. The
 flag SSL_MODE_AUTO_RETRY will cause read/write operations to only
 return after the handshake and successful completion.
 
-=item SSL_MODE_FALLBACK_SCSV
+=item SSL_MODE_SEND_FALLBACK_SCSV
 
 Send TLS_FALLBACK_SCSV in the ClientHello.
-To be set by applications that reconnect with a downgraded protocol
+To be set only by applications that reconnect with a downgraded protocol
 version; see draft-ietf-tls-downgrade-scsv-00 for details.
 
+DO NOT ENABLE THIS if your application attempts a normal handshake.
+Only use this in explicit fallback retries, following the guidance
+in draft-ietf-tls-downgrade-scsv-00.
+
 =back
 
 =head1 RETURN VALUES

doc/ssl/SSL_CTX_set_options.pod

@@ -152,15 +152,7 @@ temporary/ephemeral DH parameters are used.
 
 =item SSL_OP_EPHEMERAL_RSA
 
-Always use ephemeral (temporary) RSA key when doing RSA operations
-(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>).
-According to the specifications this is only done, when a RSA key
-can only be used for signature operations (namely under export ciphers
-with restricted RSA keylength). By setting this option, ephemeral
-RSA keys are always used. This option breaks compatibility with the
-SSL/TLS specifications and may lead to interoperability problems with
-clients and should therefore never be used. Ciphers with EDH (ephemeral
-Diffie-Hellman) key exchange should be used instead.
+This option is no longer implemented and is treated as no op.
 
 =item SSL_OP_CIPHER_SERVER_PREFERENCE
 

doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod

@@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead
 in order to achieve forward secrecy (see
 L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>).
 
-On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default
-and must be explicitly enabled  using the SSL_OP_EPHEMERAL_RSA option of
-L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL
-standard. When ephemeral RSA key exchange is required for export ciphers,
-it will automatically be used without this option!
-
-An application may either directly specify the key or can supply the key via
-a callback function. The callback approach has the advantage, that the
-callback may generate the key only in case it is actually needed. As the
-generation of a RSA key is however costly, it will lead to a significant
-delay in the handshake procedure.  Another advantage of the callback function
-is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA
-usage) while the explicit setting of the key is only useful for key size of
-512 bits to satisfy the export restricted ciphers and does give away key length
-if a longer key would be allowed.
+An application may either directly specify the key or can supply the key via a
+callback function. The callback approach has the advantage, that the callback
+may generate the key only in case it is actually needed. As the generation of a
+RSA key is however costly, it will lead to a significant delay in the handshake
+procedure.  Another advantage of the callback function is that it can supply
+keys of different size while the explicit setting of the key is only useful for
+key size of 512 bits to satisfy the export restricted ciphers and does give
+away key length if a longer key would be allowed.
 
 The B<tmp_rsa_callback> is called with the B<keylength> needed and
 the B<is_export> information. The B<is_export> flag is set, when the

e_os.h

@@ -275,7 +275,7 @@ extern "C" {
 #    ifdef _WIN64
 #      define strlen(s) _strlen31(s)
 /* cut strings to 2GB */
-static unsigned int _strlen31(const char *str)
+static __inline unsigned int _strlen31(const char *str)
 	{
 	unsigned int len=0;
 	while (*str && len<0x80000000U) str++, len++;
@@ -360,13 +360,13 @@ static unsigned int _strlen31(const char *str)
 #    define DEFAULT_HOME  "C:"
 #  endif
 
-/*
- * Visual Studio: inline is available in C++ only, however
- * __inline is available for C, see
- * http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx
- */
-#if defined(_MSC_VER) && !defined(__cplusplus) && !defined(inline)
-#  define inline __inline
+/* Avoid Visual Studio 13 GetVersion deprecated problems */
+#if defined(_MSC_VER) && _MSC_VER>=1800
+#  define check_winnt() (1)
+#  define check_win_minplat(x) (1)
+#else
+#  define check_winnt() (GetVersion() < 0x80000000)
+#  define check_win_minplat(x) (LOBYTE(LOWORD(GetVersion())) >= (x))
 #endif
 
 #else /* The non-microsoft world */
@@ -711,6 +711,23 @@ struct servent *getservbyname(const char *name, const char *proto);
 #endif
 /* end vxworks */
 
+#if !defined(inline) && !defined(__cplusplus)
+# if defined(__STDC_VERSION__) && __STDC_VERSION__>=199901L
+   /* do nothing, inline works */
+# elif defined(__GNUC__) && __GNUC__>=2
+#  define inline __inline__
+# elif defined(_MSC_VER)
+  /*
+   * Visual Studio: inline is available in C++ only, however
+   * __inline is available for C, see
+   * http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx
+   */
+#  define inline __inline
+# else
+#  define inline
+# endif
+#endif
+
 #ifdef  __cplusplus
 }
 #endif

openssl.spec

@@ -6,7 +6,7 @@ Release: 1
 
 Summary: Secure Sockets Layer and cryptography libraries and tools
 Name: openssl
-Version: 0.9.8zc
+Version: 0.9.8zf
 Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
 License: OpenSSL
 Group: System Environment/Libraries

ssl/d1_pkt.c

@@ -595,8 +595,6 @@ again:
 		/* now s->packet_length == DTLS1_RT_HEADER_LENGTH */
 		i=rr->length;
 		n=ssl3_read_n(s,i,i,1);
-		if (n <= 0) return(n); /* error or non-blocking io */
-
 		/* this packet contained a partial record, dump it */
 		if ( n != i)
 			{
@@ -626,7 +624,8 @@ again:
 	 * would be dropped unnecessarily.
 	 */
 	if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE &&
-		*p == SSL3_MT_CLIENT_HELLO) &&
+		s->packet_length > DTLS1_RT_HEADER_LENGTH &&
+		s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) &&
 		! dtls1_record_replay_check(s, bitmap, &(rr->seq_num)))
 		{
 		rr->length = 0;

ssl/d1_srvr.c

@@ -371,23 +371,11 @@ int dtls1_accept(SSL *s)
 
 			/* clear this, it may get reset by
 			 * send_server_key_exchange */
-			if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
-				&& !(l & SSL_KRB5)
-#endif /* OPENSSL_NO_KRB5 */
-				)
-				/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
-				 * even when forbidden by protocol specs
-				 * (handshake may fail as clients are not required to
-				 * be able to handle this) */
-				s->s3->tmp.use_rsa_tmp=1;
-			else
-				s->s3->tmp.use_rsa_tmp=0;
+			s->s3->tmp.use_rsa_tmp=0;
 
 			/* only send if a DH key exchange, fortezza or
 			 * RSA but we have a sign only certificate */
-			if (s->s3->tmp.use_rsa_tmp
-			    || (l & (SSL_DH|SSL_kFZA))
+			if ((l & (SSL_DH|SSL_kFZA))
 			    || ((l & SSL_kRSA)
 				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
 				    || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)

ssl/s23_srvr.c

@@ -559,12 +559,14 @@ int ssl23_get_client_hello(SSL *s)
 	if ((type == 2) || (type == 3))
 		{
 		/* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */
-                s->method = ssl23_get_server_method(s->version);
-		if (s->method == NULL)
+		SSL_METHOD *new_method;
+		new_method = ssl23_get_server_method(s->version);
+		if (new_method == NULL)
 			{
 			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
 			goto err;
 			}
+		s->method = new_method;
 
 		if (!ssl_init_wbio_buffer(s,1)) goto err;
 

ssl/s3_clnt.c

@@ -1123,8 +1123,21 @@ int ssl3_get_key_exchange(SSL *s)
 
 	if (!ok) return((int)n);
 
+	alg=s->s3->tmp.new_cipher->algorithms;
+	EVP_MD_CTX_init(&md_ctx);
+
 	if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE)
 		{
+		/*
+		 * Can't skip server key exchange if this is an ephemeral
+		 * ciphersuite.
+		 */
+		if (alg & (SSL_kEDH|SSL_kECDHE))
+			{
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE);
+			al = SSL_AD_UNEXPECTED_MESSAGE;
+			goto f_err;
+			}
 		s->s3->tmp.reuse_message=1;
 		return(1);
 		}
@@ -1162,13 +1175,18 @@ int ssl3_get_key_exchange(SSL *s)
 
 	/* Total length of the parameters including the length prefix */
 	param_len=0;
-	alg=s->s3->tmp.new_cipher->algorithms;
-	EVP_MD_CTX_init(&md_ctx);
 
 	al=SSL_AD_DECODE_ERROR;
 #ifndef OPENSSL_NO_RSA
 	if (alg & SSL_kRSA)
 		{
+		/* Temporary RSA keys only allowed in export ciphersuites */
+		if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher))
+			{
+			al=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+			goto f_err;
+			}
 		if ((rsa=RSA_new()) == NULL)
 			{
 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE);

ssl/s3_pkt.c

@@ -147,6 +147,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
 	 * at once (as long as it fits into the buffer). */
 	if (SSL_version(s) == DTLS1_VERSION)
 		{
+		if (s->s3->rbuf.left == 0 && extend)
+			return 0;
 		if ( s->s3->rbuf.left > 0 && n > s->s3->rbuf.left)
 			n = s->s3->rbuf.left;
 		}

ssl/s3_srvr.c

@@ -355,18 +355,7 @@ int ssl3_accept(SSL *s)
 
 			/* clear this, it may get reset by
 			 * send_server_key_exchange */
-			if ((s->options & SSL_OP_EPHEMERAL_RSA)
-#ifndef OPENSSL_NO_KRB5
-				&& !(l & SSL_KRB5)
-#endif /* OPENSSL_NO_KRB5 */
-				)
-				/* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key
-				 * even when forbidden by protocol specs
-				 * (handshake may fail as clients are not required to
-				 * be able to handle this) */
-				s->s3->tmp.use_rsa_tmp=1;
-			else
-				s->s3->tmp.use_rsa_tmp=0;
+			s->s3->tmp.use_rsa_tmp=0;
 
 
 			/* only send if a DH key exchange, fortezza or
@@ -378,8 +367,7 @@ int ssl3_accept(SSL *s)
 			 * server certificate contains the server's 
 			 * public key for key exchange.
 			 */
-			if (s->s3->tmp.use_rsa_tmp
-			    || (l & SSL_kECDHE)
+			if ((l & SSL_kECDHE)
 			    || (l & (SSL_DH|SSL_kFZA))
 			    || ((l & SSL_kRSA)
 				&& (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL
@@ -2412,7 +2400,7 @@ int ssl3_get_cert_verify(SSL *s)
 	if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
 		{
 		s->s3->tmp.reuse_message=1;
-		if ((peer != NULL) && (type | EVP_PKT_SIGN))
+		if (peer != NULL)
 			{
 			al=SSL_AD_UNEXPECTED_MESSAGE;
 			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);

ssl/ssl.h

@@ -526,9 +526,8 @@ typedef struct ssl_session_st
 #define SSL_OP_SINGLE_ECDH_USE				0x00080000L
 /* If set, always create a new key when using tmp_dh parameters */
 #define SSL_OP_SINGLE_DH_USE				0x00100000L
-/* Set to always use the tmp_rsa key when doing RSA operations,
- * even when this violates protocol specs */
-#define SSL_OP_EPHEMERAL_RSA				0x00200000L
+/* Does nothing: retained for compatibiity */
+#define SSL_OP_EPHEMERAL_RSA				0x0
 /* Set on servers to choose the cipher according to the server's
  * preferences */
 #define SSL_OP_CIPHER_SERVER_PREFERENCE			0x00400000L
@@ -564,8 +563,13 @@ typedef struct ssl_session_st
 /* Don't attempt to automatically build certificate chain */
 #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L
 /* Send TLS_FALLBACK_SCSV in the ClientHello.
- * To be set by applications that reconnect with a downgraded protocol
- * version; see draft-ietf-tls-downgrade-scsv-00 for details. */
+ * To be set only by applications that reconnect with a downgraded protocol
+ * version; see draft-ietf-tls-downgrade-scsv-00 for details.
+ *
+ * DO NOT ENABLE THIS if your application attempts a normal handshake.
+ * Only use this in explicit fallback retries, following the guidance
+ * in draft-ietf-tls-downgrade-scsv-00.
+ */
 #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L
 
 

ssl/ssl_lib.c

@@ -1401,6 +1401,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num,
 					ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK);
 				goto err;
 				}
+			p += n;
 			continue;
 			}
 

util/libeay.num

@@ -1807,6 +1807,7 @@ ASN1_UTCTIME_get                        2350	NOEXIST::FUNCTION:
 X509_REQ_digest                         2362	EXIST::FUNCTION:EVP
 X509_CRL_digest                         2391	EXIST::FUNCTION:EVP
 d2i_ASN1_SET_OF_PKCS7                   2397	NOEXIST::FUNCTION:
+X509_ALGOR_cmp                          2398	EXIST::FUNCTION:
 EVP_CIPHER_CTX_set_key_length           2399	EXIST::FUNCTION:
 EVP_CIPHER_CTX_ctrl                     2400	EXIST::FUNCTION:
 BN_mod_exp_mont_word                    2401	EXIST::FUNCTION:
@@ -3730,3 +3731,4 @@ JPAKE_STEP2_init                        4113	EXIST::FUNCTION:JPAKE
 pqueue_size                             4114	EXIST::FUNCTION:
 OPENSSL_uni2asc                         4115	EXIST:NETWARE:FUNCTION:
 OPENSSL_asc2uni                         4116	EXIST:NETWARE:FUNCTION:
+ASN1_TYPE_cmp                           4428	EXIST::FUNCTION:

util/mk1mf.pl

@@ -786,12 +786,6 @@ foreach (values %lib_nam)
 	$lib_obj=$lib_obj{$_};
 	local($slib)=$shlib;
 
-	if (($_ eq "SSL") && $no_ssl2 && $no_ssl3)
-		{
-		$rules.="\$(O_SSL):\n\n"; 
-		next;
-		}
-
 	if ((!$fips && ($_ eq "CRYPTO")) || ($fips && ($_ eq "FIPS")))
 		{
 		if ($cpuid_asm_obj ne "")