fd2893
diff -up openssl-1.0.2k/crypto/aes/asm/aesni-sha1-x86_64.pl.backports openssl-1.0.2k/crypto/aes/asm/aesni-sha1-x86_64.pl
fd2893
--- openssl-1.0.2k/crypto/aes/asm/aesni-sha1-x86_64.pl.backports	2017-03-09 17:59:26.367233931 +0100
fd2893
+++ openssl-1.0.2k/crypto/aes/asm/aesni-sha1-x86_64.pl	2017-03-27 15:25:28.615014528 +0200
fd2893
@@ -1702,6 +1702,7 @@ $code.=<<___;
fd2893
 	mov	240($key),$rounds
fd2893
 	sub	$in0,$out
fd2893
 	movups	($key),$rndkey0			# $key[0]
fd2893
+	movups	($ivp),$iv			# load IV
fd2893
 	movups	16($key),$rndkey[0]		# forward reference
fd2893
 	lea	112($key),$key			# size optimization
fd2893
 
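Review bot: The added `movups ($ivp),$iv` carries only `# load IV`, and nothing else in the hunk initialises `$iv`, so the comment should say why the load belongs at this spot — presumably the register is consumed by the first CBC chaining step and, before this patch, held whatever the caller left in it; e.g. `# load IV: first CBC block chains on $iv, nothing else initialises it`. The identical one-line fix appears in aesni-sha256-x86_64.pl below (@@ -1299,6), so one explanation in each file would do. Both hunks sit inside a `$code.=<<___` heredoc whose surrounding instructions, including the loop that uses `$iv` and any earlier use of `$ivp`, are outside the hunk, so I cannot confirm from the page that `$ivp` still holds the IV pointer at this point.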
fd2893
diff -up openssl-1.0.2k/crypto/aes/asm/aesni-sha256-x86_64.pl.backports openssl-1.0.2k/crypto/aes/asm/aesni-sha256-x86_64.pl
fd2893
--- openssl-1.0.2k/crypto/aes/asm/aesni-sha256-x86_64.pl.backports	2017-03-09 17:59:26.369233978 +0100
fd2893
+++ openssl-1.0.2k/crypto/aes/asm/aesni-sha256-x86_64.pl	2017-03-27 15:25:28.618014599 +0200
fd2893
@@ -1299,6 +1299,7 @@ $code.=<<___;
fd2893
 	mov		240($key),$rounds
fd2893
 	sub		$in0,$out
fd2893
 	movups		($key),$rndkey0		# $key[0]
fd2893
+	movups		($ivp),$iv		# load IV
fd2893
 	movups		16($key),$rndkey[0]	# forward reference
fd2893
 	lea		112($key),$key		# size optimization
fd2893
 
fd2893
diff -up openssl-1.0.2k/crypto/x86cpuid.pl.backports openssl-1.0.2k/crypto/x86cpuid.pl
fd2893
--- openssl-1.0.2k/crypto/x86cpuid.pl.backports	2017-03-09 17:59:26.339233278 +0100
fd2893
+++ openssl-1.0.2k/crypto/x86cpuid.pl	2017-03-27 15:26:06.833916588 +0200
fd2893
@@ -20,10 +20,10 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
fd2893
 	&pop	("eax");
fd2893
 	&xor	("ecx","eax");
fd2893
 	&xor	("eax","eax");
fd2893
+	&mov	("esi",&wparam(0));
fd2893
+	&mov	(&DWP(8,"esi"),"eax");	# clear extended feature flags
fd2893
 	&bt	("ecx",21);
fd2893
 	&jnc	(&label("nocpuid"));
fd2893
-	&mov	("esi",&wparam(0));
fd2893
-	&mov	(&DWP(8,"esi"),"eax");	# clear 3rd word
fd2893
 	&cpuid	();
fd2893
 	&mov	("edi","eax");		# max value for standard query level
fd2893
 
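Review bot: The store to `&DWP(8,"esi")` now happens before the `bt ("ecx",21)` / `jnc nocpuid` test, so the caller's third capability word is zeroed even when CPUID is unsupported, whereas previously the `nocpuid` path left it untouched; the new comment `# clear extended feature flags` does not record that this ordering is deliberate. Suggest `# clear extended feature flags (before the CPUID test, so the word is defined on the nocpuid path too)`. The generated OPENSSL_ia32_cpuid body begins before this hunk and continues after it.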
fd2893
@@ -81,26 +81,16 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
fd2893
 	&jmp	(&label("generic"));
fd2893
 	
fd2893
 &set_label("intel");
fd2893
-	&cmp	("edi",7);
fd2893
-	&jb	(&label("cacheinfo"));
fd2893
-
fd2893
-	&mov	("esi",&wparam(0));
fd2893
-	&mov	("eax",7);
fd2893
-	&xor	("ecx","ecx");
fd2893
-	&cpuid	();
fd2893
-	&mov	(&DWP(8,"esi"),"ebx");
fd2893
-
fd2893
-&set_label("cacheinfo");
fd2893
 	&cmp	("edi",4);
fd2893
-	&mov	("edi",-1);
fd2893
+	&mov	("esi",-1);
fd2893
 	&jb	(&label("nocacheinfo"));
fd2893
 
fd2893
 	&mov	("eax",4);
fd2893
 	&mov	("ecx",0);		# query L1D
fd2893
 	&cpuid	();
fd2893
-	&mov	("edi","eax");
fd2893
-	&shr	("edi",14);
fd2893
-	&and	("edi",0xfff);		# number of cores -1 per L1D
fd2893
+	&mov	("esi","eax");
fd2893
+	&shr	("esi",14);
fd2893
+	&and	("esi",0xfff);		# number of cores -1 per L1D
fd2893
 
fd2893
 &set_label("nocacheinfo");
fd2893
 	&mov	("eax",1);
fd2893
@@ -118,7 +108,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
fd2893
 	&bt	("edx",28);		# test hyper-threading bit
fd2893
 	&jnc	(&label("generic"));
fd2893
 	&and	("edx",0xefffffff);
fd2893
-	&cmp	("edi",0);
fd2893
+	&cmp	("esi",0);
fd2893
 	&je	(&label("generic"));
fd2893
 
fd2893
 	&or	("edx",0x10000000);
fd2893
@@ -130,10 +120,19 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
fd2893
 &set_label("generic");
fd2893
 	&and	("ebp",1<<11);		# isolate AMD XOP flag
fd2893
 	&and	("ecx",0xfffff7ff);	# force 11th bit to 0
fd2893
-	&mov	("esi","edx");
fd2893
+	&mov	("esi","edx");		# %ebp:%esi is copy of %ecx:%edx
fd2893
 	&or	("ebp","ecx");		# merge AMD XOP flag
fd2893
 
fd2893
-	&bt	("ecx",27);		# check OSXSAVE bit
fd2893
+	&cmp	("edi",7);
fd2893
+	&mov	("edi",&wparam(0));
fd2893
+	&jb	(&label("no_extended_info"));
fd2893
+	&mov	("eax",7);
fd2893
+	&xor	("ecx","ecx");
fd2893
+	&cpuid	();
fd2893
+	&mov	(&DWP(8,"edi"),"ebx");	# save extended feature flag
fd2893
+&set_label("no_extended_info");
fd2893
+
fd2893
+	&bt	("ebp",27);		# check OSXSAVE bit
fd2893
 	&jnc	(&label("clear_avx"));
fd2893
 	&xor	("ecx","ecx");
fd2893
 	&data_byte(0x0f,0x01,0xd0);	# xgetbv
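Review bot: The relocated leaf-7 query issues `cpuid`, which overwrites %ecx and %edx, so the OSXSAVE test had to move from %ecx to the %ebp copy (`bt ("ebp",27)`); that dependency on the `%ebp:%esi` copy made two lines earlier is worth stating next to `&cpuid ();`, e.g. `# clobbers %eax-%edx; %ecx:%edx survive in %ebp:%esi`. `mov ("edi",&wparam(0))` sits between `cmp ("edi",7)` and `jb`, which works because mov leaves the flags alone, but a short comment would save the next reader that check. Because the last hunk (@@ -147,7) drops the `mov ("edi",&wparam(0))` in `clear_avx`, the `and (&DWP(8,"edi"),0xffffffdf)` there now relies on %edi surviving the xgetbv block in the lines between the two hunks, which are not on the page, so I cannot confirm nothing there writes %edi.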
fd2893
@@ -147,7 +146,6 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA3
fd2893
 	&and	("esi",0xfeffffff);	# clear FXSR
fd2893
 &set_label("clear_avx");
fd2893
 	&and	("ebp",0xefffe7ff);	# clear AVX, FMA and AMD XOP bits
fd2893
-	&mov	("edi",&wparam(0));
fd2893
 	&and	(&DWP(8,"edi"),0xffffffdf);	# clear AVX2
fd2893
 &set_label("done");
fd2893
 	&mov	("eax","esi");
fd2893
diff -up openssl-1.0.2k/crypto/x86_64cpuid.pl.backports openssl-1.0.2k/crypto/x86_64cpuid.pl
fd2893
--- openssl-1.0.2k/crypto/x86_64cpuid.pl.backports	2017-03-09 17:59:26.339233278 +0100
fd2893
+++ openssl-1.0.2k/crypto/x86_64cpuid.pl	2017-03-27 15:26:06.833916588 +0200
fd2893
@@ -59,7 +59,7 @@ OPENSSL_ia32_cpuid:
fd2893
 	mov	%rbx,%r8		# save %rbx
fd2893
 
fd2893
 	xor	%eax,%eax
fd2893
-	mov	%eax,8(%rdi)		# clear 3rd word
fd2893
+	mov	%eax,8(%rdi)		# clear extended feature flags
fd2893
 	cpuid
fd2893
 	mov	%eax,%r11d		# max value for standard query level
fd2893
 
fd2893
@@ -127,14 +127,6 @@ OPENSSL_ia32_cpuid:
fd2893
 	shr	\$14,%r10d
fd2893
 	and	\$0xfff,%r10d		# number of cores -1 per L1D
fd2893
 
fd2893
-	cmp	\$7,%r11d
fd2893
-	jb	.Lnocacheinfo
fd2893
-
fd2893
-	mov	\$7,%eax
fd2893
-	xor	%ecx,%ecx
fd2893
-	cpuid
fd2893
-	mov	%ebx,8(%rdi)
fd2893
-
fd2893
 .Lnocacheinfo:
fd2893
 	mov	\$1,%eax
fd2893
 	cpuid
fd2893
@@ -164,6 +156,15 @@ OPENSSL_ia32_cpuid:
fd2893
 	or	%ecx,%r9d		# merge AMD XOP flag
fd2893
 
fd2893
 	mov	%edx,%r10d		# %r9d:%r10d is copy of %ecx:%edx
fd2893
+
fd2893
+	cmp	\$7,%r11d
fd2893
+	jb	.Lno_extended_info
fd2893
+	mov	\$7,%eax
fd2893
+	xor	%ecx,%ecx
fd2893
+	cpuid
fd2893
+	mov	%ebx,8(%rdi)		# save extended feature flags
fd2893
+.Lno_extended_info:
fd2893
+
fd2893
 	bt	\$27,%r9d		# check OSXSAVE bit
fd2893
 	jnc	.Lclear_avx
fd2893
 	xor	%ecx,%ecx		# XCR0
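Review bot: The leaf-7 `cpuid` now runs after `mov %edx,%r10d`, so its clobbering of %ecx/%edx is harmless only because the %r9d:%r10d copy is complete at that point, and the unchanged `bt \$27,%r9d` that follows depends on exactly that. Suggest annotating the new cpuid line: `cpuid # leaf 7/subleaf 0; clobbers %ecx/%edx, copies are in %r9d:%r10d`. The moved block still gates on `cmp \$7,%r11d`, and when it is skipped `8(%rdi)` keeps the zero stored earlier in the function, so the word is defined on both paths. OPENSSL_ia32_cpuid begins and ends outside this hunk.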
fd2893
diff -up openssl-1.0.2k/ssl/ssl_locl.h.backports openssl-1.0.2k/ssl/ssl_locl.h
fd2893
--- openssl-1.0.2k/ssl/ssl_locl.h.backports	2017-03-09 17:59:26.183229642 +0100
fd2893
+++ openssl-1.0.2k/ssl/ssl_locl.h	2017-03-09 17:59:26.311232626 +0100
fd2893
@@ -1430,7 +1430,7 @@ int ssl_parse_clienthello_renegotiate_ex
fd2893
 long ssl_get_algorithm2(SSL *s);
fd2893
 int tls1_save_sigalgs(SSL *s, const unsigned char *data, int dsize);
fd2893
 int tls1_process_sigalgs(SSL *s);
fd2893
-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs);
fd2893
+size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs);
fd2893
 int tls12_check_peer_sigalg(const EVP_MD **pmd, SSL *s,
fd2893
                             const unsigned char *sig, EVP_PKEY *pkey);
fd2893
 void ssl_set_client_disabled(SSL *s);
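Review bot: The new `int sent` parameter on `tls12_get_psigalgs` is undocumented in the header; judging from the t1_lib.c change (`s->server == sent && s->cert->client_sigalgs`), it selects between the signature algorithms this side advertises to the peer (`sent` nonzero, as passed by ssl_add_clienthello_tlsext, ssl3_send_certificate_request and tls12_check_peer_sigalg) and the ones it applies when choosing its own signing algorithm (`sent` zero, tls1_set_shared_sigalgs). Suggest a comment above the prototype: `/* sent != 0: sigalgs we send to the peer; sent == 0: sigalgs we use for our own signature. client_sigalgs apply to the server's CertificateRequest (sent) and to the client's own signing (!sent). */`. The call-site hunks in s3_lib.c, s3_srvr.c and t1_lib.c are mechanical updates and need no separate note.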
fd2893
diff -up openssl-1.0.2k/ssl/s3_lib.c.backports openssl-1.0.2k/ssl/s3_lib.c
fd2893
--- openssl-1.0.2k/ssl/s3_lib.c.backports	2017-03-09 17:59:26.294232230 +0100
fd2893
+++ openssl-1.0.2k/ssl/s3_lib.c	2017-03-09 17:59:26.311232626 +0100
fd2893
@@ -4237,7 +4237,7 @@ int ssl3_get_req_cert_type(SSL *s, unsig
fd2893
         return (int)s->cert->ctype_num;
fd2893
     }
fd2893
     /* get configured sigalgs */
fd2893
-    siglen = tls12_get_psigalgs(s, &sig);
fd2893
+    siglen = tls12_get_psigalgs(s, 1, &sig);
fd2893
     if (s->cert->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
fd2893
         nostrict = 0;
fd2893
     for (i = 0; i < siglen; i += 2, sig += 2) {
fd2893
diff -up openssl-1.0.2k/ssl/s3_srvr.c.backports openssl-1.0.2k/ssl/s3_srvr.c
fd2893
--- openssl-1.0.2k/ssl/s3_srvr.c.backports	2017-01-26 14:22:04.000000000 +0100
fd2893
+++ openssl-1.0.2k/ssl/s3_srvr.c	2017-03-09 17:59:26.311232626 +0100
fd2893
@@ -2084,7 +2084,7 @@ int ssl3_send_certificate_request(SSL *s
fd2893
 
fd2893
         if (SSL_USE_SIGALGS(s)) {
fd2893
             const unsigned char *psigs;
fd2893
-            nl = tls12_get_psigalgs(s, &psigs);
fd2893
+            nl = tls12_get_psigalgs(s, 1, &psigs);
fd2893
             s2n(nl, p);
fd2893
             memcpy(p, psigs, nl);
fd2893
             p += nl;
fd2893
diff -up openssl-1.0.2k/ssl/t1_lib.c.backports openssl-1.0.2k/ssl/t1_lib.c
fd2893
--- openssl-1.0.2k/ssl/t1_lib.c.backports	2017-03-09 17:59:26.297232299 +0100
fd2893
+++ openssl-1.0.2k/ssl/t1_lib.c	2017-03-09 17:59:26.312232649 +0100
fd2893
@@ -1015,7 +1015,7 @@ static unsigned char suiteb_sigalgs[] =
fd2893
         tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
fd2893
 };
fd2893
 # endif
fd2893
-size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
fd2893
+size_t tls12_get_psigalgs(SSL *s, int sent, const unsigned char **psigs)
fd2893
 {
fd2893
     /*
fd2893
      * If Suite B mode use Suite B sigalgs only, ignore any other
fd2893
@@ -1037,7 +1037,7 @@ size_t tls12_get_psigalgs(SSL *s, const
fd2893
     }
fd2893
 # endif
fd2893
     /* If server use client authentication sigalgs if not NULL */
fd2893
-    if (s->server && s->cert->client_sigalgs) {
fd2893
+    if (s->server == sent && s->cert->client_sigalgs) {
fd2893
         *psigs = s->cert->client_sigalgs;
fd2893
         return s->cert->client_sigalgslen;
fd2893
     } else if (s->cert->conf_sigalgs) {
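Review bot: `s->server == sent` only selects client_sigalgs as intended when callers pass exactly 0 or 1; any other nonzero `sent` would silently fall through to conf_sigalgs, so the function should either normalise the flag (`if ((s->server != 0) == (sent != 0) && s->cert->client_sigalgs)`) or state the 0/1 contract in its comment. The retained comment `/* If server use client authentication sigalgs if not NULL */` no longer describes the condition, since a client with `sent == 0` now takes the same branch; suggest `/* Use client auth sigalgs when they are relevant to this call: the server advertises them (sent), the client signs with them (!sent) */`. The function's signature is in the previous hunk and its body continues beyond this one.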
fd2893
@@ -1101,7 +1101,7 @@ int tls12_check_peer_sigalg(const EVP_MD
fd2893
 # endif
fd2893
 
fd2893
     /* Check signature matches a type we sent */
fd2893
-    sent_sigslen = tls12_get_psigalgs(s, &sent_sigs);
fd2893
+    sent_sigslen = tls12_get_psigalgs(s, 1, &sent_sigs);
fd2893
     for (i = 0; i < sent_sigslen; i += 2, sent_sigs += 2) {
fd2893
         if (sig[0] == sent_sigs[0] && sig[1] == sent_sigs[1])
fd2893
             break;
fd2893
@@ -1149,7 +1149,7 @@ void ssl_set_client_disabled(SSL *s)
fd2893
      * Now go through all signature algorithms seeing if we support any for
fd2893
      * RSA, DSA, ECDSA. Do this for all versions not just TLS 1.2.
fd2893
      */
fd2893
-    sigalgslen = tls12_get_psigalgs(s, &sigalgs);
fd2893
+    sigalgslen = tls12_get_psigalgs(s, 1, &sigalgs);
fd2893
     for (i = 0; i < sigalgslen; i += 2, sigalgs += 2) {
fd2893
         switch (sigalgs[1]) {
fd2893
 # ifndef OPENSSL_NO_RSA
fd2893
@@ -1420,7 +1420,7 @@ unsigned char *ssl_add_clienthello_tlsex
fd2893
     if (SSL_CLIENT_USE_SIGALGS(s)) {
fd2893
         size_t salglen;
fd2893
         const unsigned char *salg;
fd2893
-        salglen = tls12_get_psigalgs(s, &salg);
fd2893
+        salglen = tls12_get_psigalgs(s, 1, &salg);
fd2893
 
fd2893
         /*-
fd2893
          * check for enough space.
fd2893
@@ -3783,7 +3783,7 @@ static int tls1_set_shared_sigalgs(SSL *
fd2893
         conf = c->conf_sigalgs;
fd2893
         conflen = c->conf_sigalgslen;
fd2893
     } else
fd2893
-        conflen = tls12_get_psigalgs(s, &conf;;
fd2893
+        conflen = tls12_get_psigalgs(s, 0, &conf;;
fd2893
     if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE || is_suiteb) {
fd2893
         pref = conf;
fd2893
         preflen = conflen;
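Review bot: This is the only call site passing `sent == 0`, and nothing at the call explains the choice; on the server it now yields conf_sigalgs instead of client_sigalgs for the shared-sigalg computation, and on the client it yields client_sigalgs when they are configured. Suggest a comment on the line above: `/* sent == 0: the sigalgs we will sign with, not the ones we advertised */`. The line reads `&conf;;` on both the old and new side, which is not valid C and looks like a page extraction artifact for `&conf);` rather than something the patch changes. tls1_set_shared_sigalgs starts and ends outside the hunk.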