Binaries from r885 of ics-openvpn, ndk10b 32 bits.

We don't support 64 bits targets because of https://code.google.com/p/android/issues/detail?id=77004&thanks=77004&ts=1412248443.
author: Parménides GV <parmegv@sdf.org> 2014-10-02 18:07:56 +0200
committer: Parménides GV <parmegv@sdf.org> 2014-10-02 18:07:56 +0200
commit: 914c5156b014970dde717b9a27c0c69f11cc7d98 (patch)
tree: cb15666fb01b0f0410327ae7aaa23df444ac3b4c /app/openssl/include
parent: 22b7ee4614a2f47d55496de8a9b55040c0f4ba85 (diff)
10 files changed, 77 insertions, 20 deletions
diff --git a/app/openssl/include/openssl/bio.h b/app/openssl/include/openssl/bio.h
index 05699ab2..d05fa22a 100644
--- a/app/openssl/include/openssl/bio.h
+++ b/app/openssl/include/openssl/bio.h
@@ -266,6 +266,9 @@ void BIO_clear_flags(BIO *b, int flags);
 #define BIO_RR_CONNECT			0x02
 /* Returned from the accept BIO when an accept would have blocked */
 #define BIO_RR_ACCEPT			0x03
+/* Returned from the SSL bio when the channel id retrieval code cannot find the
+ * private key. */
+#define BIO_RR_SSL_CHANNEL_ID_LOOKUP	0x04
 
 /* These are passed by the BIO callback */
 #define BIO_CB_FREE	0x01
diff --git a/app/openssl/include/openssl/opensslconf-32.h b/app/openssl/include/openssl/opensslconf-32.h
index d6625489..caf6f1b8 100644
--- a/app/openssl/include/openssl/opensslconf-32.h
+++ b/app/openssl/include/openssl/opensslconf-32.h
@@ -53,6 +53,9 @@
 #ifndef OPENSSL_NO_RFC3779
 # define OPENSSL_NO_RFC3779
 #endif
+#ifndef OPENSSL_NO_RIPEMD
+# define OPENSSL_NO_RIPEMD
+#endif
 #ifndef OPENSSL_NO_RSAX
 # define OPENSSL_NO_RSAX
 #endif
@@ -137,6 +140,9 @@
 # if defined(OPENSSL_NO_RFC3779) && !defined(NO_RFC3779)
 #  define NO_RFC3779
 # endif
+# if defined(OPENSSL_NO_RIPEMD) && !defined(NO_RIPEMD)
+#  define NO_RIPEMD
+# endif
 # if defined(OPENSSL_NO_RSAX) && !defined(NO_RSAX)
 #  define NO_RSAX
 # endif
diff --git a/app/openssl/include/openssl/opensslconf-64.h b/app/openssl/include/openssl/opensslconf-64.h
index 70c5a2cb..88fb0419 100644
--- a/app/openssl/include/openssl/opensslconf-64.h
+++ b/app/openssl/include/openssl/opensslconf-64.h
@@ -53,6 +53,9 @@
 #ifndef OPENSSL_NO_RFC3779
 # define OPENSSL_NO_RFC3779
 #endif
+#ifndef OPENSSL_NO_RIPEMD
+# define OPENSSL_NO_RIPEMD
+#endif
 #ifndef OPENSSL_NO_RSAX
 # define OPENSSL_NO_RSAX
 #endif
@@ -137,6 +140,9 @@
 # if defined(OPENSSL_NO_RFC3779) && !defined(NO_RFC3779)
 #  define NO_RFC3779
 # endif
+# if defined(OPENSSL_NO_RIPEMD) && !defined(NO_RIPEMD)
+#  define NO_RIPEMD
+# endif
 # if defined(OPENSSL_NO_RSAX) && !defined(NO_RSAX)
 #  define NO_RSAX
 # endif
diff --git a/app/openssl/include/openssl/opensslconf-static-32.h b/app/openssl/include/openssl/opensslconf-static-32.h
index d6625489..caf6f1b8 100644
--- a/app/openssl/include/openssl/opensslconf-static-32.h
+++ b/app/openssl/include/openssl/opensslconf-static-32.h
@@ -53,6 +53,9 @@
 #ifndef OPENSSL_NO_RFC3779
 # define OPENSSL_NO_RFC3779
 #endif
+#ifndef OPENSSL_NO_RIPEMD
+# define OPENSSL_NO_RIPEMD
+#endif
 #ifndef OPENSSL_NO_RSAX
 # define OPENSSL_NO_RSAX
 #endif
@@ -137,6 +140,9 @@
 # if defined(OPENSSL_NO_RFC3779) && !defined(NO_RFC3779)
 #  define NO_RFC3779
 # endif
+# if defined(OPENSSL_NO_RIPEMD) && !defined(NO_RIPEMD)
+#  define NO_RIPEMD
+# endif
 # if defined(OPENSSL_NO_RSAX) && !defined(NO_RSAX)
 #  define NO_RSAX
 # endif
diff --git a/app/openssl/include/openssl/opensslconf-static-64.h b/app/openssl/include/openssl/opensslconf-static-64.h
index 70c5a2cb..88fb0419 100644
--- a/app/openssl/include/openssl/opensslconf-static-64.h
+++ b/app/openssl/include/openssl/opensslconf-static-64.h
@@ -53,6 +53,9 @@
 #ifndef OPENSSL_NO_RFC3779
 # define OPENSSL_NO_RFC3779
 #endif
+#ifndef OPENSSL_NO_RIPEMD
+# define OPENSSL_NO_RIPEMD
+#endif
 #ifndef OPENSSL_NO_RSAX
 # define OPENSSL_NO_RSAX
 #endif
@@ -137,6 +140,9 @@
 # if defined(OPENSSL_NO_RFC3779) && !defined(NO_RFC3779)
 #  define NO_RFC3779
 # endif
+# if defined(OPENSSL_NO_RIPEMD) && !defined(NO_RIPEMD)
+#  define NO_RIPEMD
+# endif
 # if defined(OPENSSL_NO_RSAX) && !defined(NO_RSAX)
 #  define NO_RSAX
 # endif
diff --git a/app/openssl/include/openssl/opensslv.h b/app/openssl/include/openssl/opensslv.h
index ebe71807..c3b6acec 100644
--- a/app/openssl/include/openssl/opensslv.h
+++ b/app/openssl/include/openssl/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x1000107fL
+#define OPENSSL_VERSION_NUMBER	0x1000108fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1g-fips 7 Apr 2014"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1h-fips 5 Jun 2014"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1g 7 Apr 2014"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1h 5 Jun 2014"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
diff --git a/app/openssl/include/openssl/pkcs7.h b/app/openssl/include/openssl/pkcs7.h
index e4d44319..04f60379 100644
--- a/app/openssl/include/openssl/pkcs7.h
+++ b/app/openssl/include/openssl/pkcs7.h
@@ -453,6 +453,7 @@ void ERR_load_PKCS7_strings(void);
 #define PKCS7_R_ERROR_SETTING_CIPHER			 121
 #define PKCS7_R_INVALID_MIME_TYPE			 131
 #define PKCS7_R_INVALID_NULL_POINTER			 143
+#define PKCS7_R_INVALID_SIGNED_DATA_TYPE		 155
 #define PKCS7_R_MIME_NO_CONTENT_TYPE			 132
 #define PKCS7_R_MIME_PARSE_ERROR			 133
 #define PKCS7_R_MIME_SIG_PARSE_ERROR			 134
diff --git a/app/openssl/include/openssl/ssl.h b/app/openssl/include/openssl/ssl.h
index 54b0eb6c..7566f2df 100644
--- a/app/openssl/include/openssl/ssl.h
+++ b/app/openssl/include/openssl/ssl.h
@@ -544,6 +544,13 @@ struct ssl_session_st
 #ifndef OPENSSL_NO_SRP
 	char *srp_username;
 #endif
+
+	/* original_handshake_hash contains the handshake hash (either
+	 * SHA-1+MD5 or SHA-2, depending on TLS version) for the original, full
+	 * handshake that created a session. This is used by Channel IDs during
+	 * resumption. */
+	unsigned char original_handshake_hash[EVP_MAX_MD_SIZE];
+	unsigned int original_handshake_hash_len;
 	};
 
 #endif
@@ -553,7 +560,7 @@ struct ssl_session_st
 /* Allow initial connection to servers that don't support RI */
 #define SSL_OP_LEGACY_SERVER_CONNECT			0x00000004L
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
-#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
+#define SSL_OP_TLSEXT_PADDING				0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
 #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG			0x00000040L
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
@@ -562,6 +569,8 @@ struct ssl_session_st
 
 /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
 #define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x0
+/* Refers to ancient SSLREF and SSLv2, retained for compatibility */
+#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x0
 
 /* SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is vestigial. Previously it disabled the
  * insertion of empty records in CBC mode, but the empty records were commonly
@@ -648,16 +657,19 @@ struct ssl_session_st
  * TLS only.)  "Released" buffers are put onto a free-list in the context
  * or just freed (depending on the context's setting for freelist_max_len). */
 #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
+
 /* Send the current time in the Random fields of the ClientHello and
  * ServerHello records for compatibility with hypothetical implementations
  * that require it.
  */
 #define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
 #define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
+
 /* When set, clients may send application data before receipt of CCS
  * and Finished.  This mode enables full-handshakes to 'complete' in
  * one RTT. */
 #define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000080L
+
 /* When set, TLS 1.0 and SSLv3, multi-byte, CBC records will be split in two:
  * the first record will contain a single byte and the second will contain the
  * rest of the bytes. This effectively randomises the IV and prevents BEAST
@@ -866,6 +878,9 @@ struct ssl_ctx_st
 	/* get client cert callback */
 	int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
 
+	/* get channel id callback */
+	void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey);
+
     /* cookie generate callback */
     int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, 
         unsigned int *cookie_len);
@@ -1028,6 +1043,10 @@ struct ssl_ctx_st
 	/* If true, a client will advertise the Channel ID extension and a
 	 * server will echo it. */
 	char tlsext_channel_id_enabled;
+	/* tlsext_channel_id_enabled_new is a hack to support both old and new
+	 * ChannelID signatures. It indicates that a client should advertise the
+	 * new ChannelID extension number. */
+	char tlsext_channel_id_enabled_new;
 	/* The client's Channel ID private key. */
 	EVP_PKEY *tlsext_channel_id_private;
 #endif
@@ -1086,6 +1105,8 @@ void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl,int type,
 void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl,int type,int val);
 void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+void SSL_CTX_set_channel_id_cb(SSL_CTX *ctx, void (*channel_id_cb)(SSL *ssl, EVP_PKEY **pkey));
+void (*SSL_CTX_get_channel_id_cb(SSL_CTX *ctx))(SSL *ssl, EVP_PKEY **pkey);
 #ifndef OPENSSL_NO_ENGINE
 int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
 #endif
@@ -1162,12 +1183,14 @@ const char *SSL_get_psk_identity(const SSL *s);
 #define SSL_WRITING	2
 #define SSL_READING	3
 #define SSL_X509_LOOKUP	4
+#define SSL_CHANNEL_ID_LOOKUP	5
 
 /* These will only be used when doing non-blocking IO */
 #define SSL_want_nothing(s)	(SSL_want(s) == SSL_NOTHING)
 #define SSL_want_read(s)	(SSL_want(s) == SSL_READING)
 #define SSL_want_write(s)	(SSL_want(s) == SSL_WRITING)
 #define SSL_want_x509_lookup(s)	(SSL_want(s) == SSL_X509_LOOKUP)
+#define SSL_want_channel_id_lookup(s)	(SSL_want(s) == SSL_CHANNEL_ID_LOOKUP)
 
 #define SSL_MAC_FLAG_READ_MAC_STREAM 1
 #define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
@@ -1602,6 +1625,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_ERROR_ZERO_RETURN		6
 #define SSL_ERROR_WANT_CONNECT		7
 #define SSL_ERROR_WANT_ACCEPT		8
+#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP	9
 
 #define SSL_CTRL_NEED_TMP_RSA			1
 #define SSL_CTRL_SET_TMP_RSA			2
@@ -1739,10 +1763,11 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_set_tmp_ecdh(ssl,ecdh) \
 	SSL_ctrl(ssl,SSL_CTRL_SET_TMP_ECDH,0,(char *)ecdh)
 
-/* SSL_enable_tls_channel_id configures a TLS server to accept TLS client
- * IDs from clients. Returns 1 on success. */
-#define SSL_enable_tls_channel_id(ctx) \
-	SSL_ctrl(ctx,SSL_CTRL_CHANNEL_ID,0,NULL)
+/* SSL_enable_tls_channel_id either configures a TLS server to accept TLS client
+ * IDs from clients, or configure a client to send TLS client IDs to server.
+ * Returns 1 on success. */
+#define SSL_enable_tls_channel_id(s) \
+	SSL_ctrl(s,SSL_CTRL_CHANNEL_ID,0,NULL)
 /* SSL_set1_tls_channel_id configures a TLS client to send a TLS Channel ID to
  * compatible servers. private_key must be a P-256 EVP_PKEY*. Returns 1 on
  * success. */
@@ -1792,7 +1817,7 @@ int	SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
 char *	SSL_CIPHER_get_version(const SSL_CIPHER *c);
 const char *	SSL_CIPHER_get_name(const SSL_CIPHER *c);
 unsigned long 	SSL_CIPHER_get_id(const SSL_CIPHER *c);
-const char* SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher);
+const char *	SSL_CIPHER_authentication_method(const SSL_CIPHER* cipher);
 
 int	SSL_get_fd(const SSL *s);
 int	SSL_get_rfd(const SSL *s);
@@ -2707,7 +2732,6 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_WRONG_VERSION_NUMBER			 267
 #define SSL_R_X509_LIB					 268
 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS		 269
-#define SSL_R_UNEXPECTED_CCS				 388
 
 #ifdef  __cplusplus
 }
diff --git a/app/openssl/include/openssl/ssl3.h b/app/openssl/include/openssl/ssl3.h
index f205f73d..83d59bff 100644
--- a/app/openssl/include/openssl/ssl3.h
+++ b/app/openssl/include/openssl/ssl3.h
@@ -388,9 +388,6 @@ typedef struct ssl3_buffer_st
 #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
 #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020
-/* SSL3_FLAGS_CCS_OK indicates that a ChangeCipherSpec record is acceptable at
- * this point in the handshake. If this flag is not set then received CCS
- * records will cause a fatal error for the connection. */
 #define SSL3_FLAGS_CCS_OK			0x0080
  
 /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
@@ -558,6 +555,11 @@ typedef struct ssl3_state_st
 	 * for Channel IDs and that tlsext_channel_id will be valid after the
 	 * handshake. */
 	char tlsext_channel_id_valid;
+	/* tlsext_channel_id_new means that the updated Channel ID extension
+	 * was negotiated. This is a temporary hack in the code to support both
+	 * forms of Channel ID extension while we transition to the new format,
+	 * which fixed a security issue. */
+	char tlsext_channel_id_new;
 	/* For a server:
 	 *     If |tlsext_channel_id_valid| is true, then this contains the
 	 *     verified Channel ID from the client: a P256 point, (x,y), where
@@ -678,11 +680,11 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SR_CERT_VRFY_B		(0x1A1|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CHANGE_A		(0x1B0|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CHANGE_B		(0x1B1|SSL_ST_ACCEPT)
-#define SSL3_ST_SR_POST_CLIENT_CERT	(0x1BF|SSL_ST_ACCEPT)
 #ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_ST_SR_NEXT_PROTO_A		(0x210|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_NEXT_PROTO_B		(0x211|SSL_ST_ACCEPT)
 #endif
+#define SSL3_ST_SR_POST_CLIENT_CERT	(0x1BF|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CHANNEL_ID_A		(0x220|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CHANNEL_ID_B		(0x221|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_FINISHED_A		(0x1C0|SSL_ST_ACCEPT)
diff --git a/app/openssl/include/openssl/tls1.h b/app/openssl/include/openssl/tls1.h
index ec8948d5..b9a0899e 100644
--- a/app/openssl/include/openssl/tls1.h
+++ b/app/openssl/include/openssl/tls1.h
@@ -259,6 +259,7 @@ extern "C" {
 
 /* This is not an IANA defined extension number */
 #define TLSEXT_TYPE_channel_id			30031
+#define TLSEXT_TYPE_channel_id_new		30032
 
 /* NameType value from RFC 3546 */
 #define TLSEXT_NAMETYPE_host_name 0
@@ -531,9 +532,11 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256        0x0300C031
 #define TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384        0x0300C032
 
-/* ECDHE PSK ciphersuites from RFC 5489 */
-#define TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA256    0x0300C037
-#define TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA384    0x0300C038
+/* ECDHE PSK ciphersuites from RFC5489
+ * SHA-2 cipher suites are omitted because they cannot be used safely with
+ * SSLv3. */
+#define TLS1_CK_ECDHE_PSK_WITH_AES_128_CBC_SHA          0x0300C035
+#define TLS1_CK_ECDHE_PSK_WITH_AES_256_CBC_SHA          0x0300C036
 
 /* XXX
  * Inconsistency alert:
@@ -686,9 +689,9 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 #define TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256       "ECDH-RSA-AES128-GCM-SHA256"
 #define TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384       "ECDH-RSA-AES256-GCM-SHA384"
 
-/* ECDHE PSK ciphersuites from RFC 5489 */
-#define TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA256  "ECDHE-PSK-WITH-AES-128-CBC-SHA256"
-#define TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA384  "ECDHE-PSK-WITH-AES-256-CBC-SHA384"
+/* ECDHE PSK ciphersuites from RFC5489 */
+#define TLS1_TXT_ECDHE_PSK_WITH_AES_128_CBC_SHA         "ECDHE-PSK-AES128-CBC-SHA"
+#define TLS1_TXT_ECDHE_PSK_WITH_AES_256_CBC_SHA         "ECDHE-PSK-AES256-CBC-SHA"
 
 #define TLS_CT_RSA_SIGN			1
 #define TLS_CT_DSS_SIGN			2
author	Parménides GV <parmegv@sdf.org>	2014-10-02 18:07:56 +0200
committer	Parménides GV <parmegv@sdf.org>	2014-10-02 18:07:56 +0200
commit	914c5156b014970dde717b9a27c0c69f11cc7d98 (patch)
tree	cb15666fb01b0f0410327ae7aaa23df444ac3b4c /app/openssl/include
parent	22b7ee4614a2f47d55496de8a9b55040c0f4ba85 (diff)