Compare commits

...

186 Commits

Author SHA1 Message Date
Dr. Stephen Henson
8964efc413 prepare for release 2013-02-05 16:50:37 +00:00
Dr. Stephen Henson
430b637bd5 make update 2013-02-05 16:50:36 +00:00
Dr. Stephen Henson
ca3b81c858 Fix error codes.
(cherry picked from commit 35d732fc2e)
2013-02-05 16:50:36 +00:00
Dr. Stephen Henson
031cbecf86 update NEWS and CHANGES 2013-02-05 16:50:36 +00:00
Andy Polyakov
1213e6c3c2 bn_word.c: fix overflow bug in BN_add_word.
(cherry picked from commit 134c00659a)
2013-02-05 16:50:36 +00:00
Dr. Stephen Henson
32619893b4 update NEWS 2013-02-05 16:50:35 +00:00
Andy Polyakov
40e0de0395 s3/s3_cbc.c: allow for compilations with NO_SHA256|512.
(cherry picked from commit d5371324d9)
2013-02-05 16:50:35 +00:00
Andy Polyakov
5f9345a2f0 ssl/s3_cbc.c: md_state alignment portability fix.
RISCs are picky and alignment granted by compiler for md_state can be
insufficient for SHA512.
(cherry picked from commit 36260233e7)
2013-02-05 16:50:35 +00:00
Andy Polyakov
33ccde59a1 ssl/s3_cbc.c: uint64_t portability fix.
Break dependency on uint64_t. It's possible to declare bits as
unsigned int, because TLS packets are limited in size and 32-bit
value can't overflow.
(cherry picked from commit cab13fc847)
2013-02-05 16:50:35 +00:00
Dr. Stephen Henson
1909df070f Don't access EVP_MD internals directly. 2013-02-05 16:50:35 +00:00
Dr. Stephen Henson
c23a745820 Add ordinal for CRYPTO_memcmp: since this will affect multiple
branches it needs to be in a "gap".
2013-02-05 16:50:34 +00:00
Dr. Stephen Henson
924b117422 Timing fix mitigation for FIPS mode.
We have to use EVP in FIPS mode so we can only partially mitigate
timing differences.

Make an extra call to HMAC_Update to hash additonal blocks
to cover any timing differences caused by removal of padding.
2013-02-05 16:50:34 +00:00
Dr. Stephen Henson
24b2806097 Move CRYPTO_memcmp to o_init.c when compiling with fips: cryptlib.o
is in the fips module for fips capable builds.
2013-02-05 16:50:34 +00:00
Dr. Stephen Henson
99f5093347 The cbc functions shouldn't be inside #ifdef OPENSSL_NO_TLSEXT 2013-02-05 16:50:34 +00:00
Ben Laurie
be88529753 Update DTLS code to match CBC decoding in TLS.
This change updates the DTLS code to match the constant-time CBC
behaviour in the TLS.
(cherry picked from commit 9f27de170d)
(cherry picked from commit 5e4ca556e970edb8a7f364fcb6ee6818a965a60b)

Conflicts:
	ssl/d1_enc.c
	ssl/d1_pkt.c
	ssl/s3_pkt.c
2013-02-05 16:50:33 +00:00
Ben Laurie
b3a959a337 Don't crash when processing a zero-length, TLS >= 1.1 record.
The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
(cherry picked from commit 6cb19b7681)
(cherry picked from commit 2c948c1bb218f4ae126e14fd3453d42c62b93235)

Conflicts:
	ssl/s3_enc.c
2013-02-05 16:50:33 +00:00
Ben Laurie
2928cb4c82 Fixups. 2013-02-05 16:50:33 +00:00
Ben Laurie
a33e6702a0 Oops. Add missing file.
(cherry picked from commit 014265eb02)
(cherry picked from commit 7721c53e5e9fe4c90be420d7613559935a96a4fb)
2013-02-05 16:50:33 +00:00
Ben Laurie
35a65e814b Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bcc)

Conflicts:
	crypto/evp/c_allc.c
	ssl/ssl_algs.c
	ssl/ssl_locl.h
	ssl/t1_enc.c
(cherry picked from commit 3622239826698a0e534dcf0473204c724bb9b4b4)

Conflicts:
	ssl/d1_enc.c
	ssl/s3_enc.c
	ssl/s3_pkt.c
	ssl/ssl3.h
	ssl/ssl_algs.c
	ssl/t1_enc.c
2013-02-05 16:50:32 +00:00
Andy Polyakov
7ad132b133 .gitignore adjustments 2013-02-05 16:50:32 +00:00
Ben Laurie
2708813166 Add and use a constant-time memcmp.
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
(cherry picked from commit 2ee798880a)

Conflicts:
	crypto/crypto.h
	ssl/t1_lib.c
(cherry picked from commit dc406b59f3169fe191e58906df08dce97edb727c)

Conflicts:
	crypto/crypto.h
	ssl/d1_pkt.c
	ssl/s3_pkt.c
2013-02-05 16:50:32 +00:00
Ben Laurie
affe98998a Add target so I can build. 2013-02-05 16:50:32 +00:00
Dr. Stephen Henson
66e8211c0b Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.
2013-02-05 16:50:31 +00:00
Dr. Stephen Henson
dd2dee60f3 Don't include comp.h in cmd_cd.c if OPENSSL_NO_COMP set 2013-01-23 01:16:59 +00:00
Dr. Stephen Henson
6495179af6 Don't include comp.h if no-comp set. 2013-01-20 01:16:25 +00:00
Dr. Stephen Henson
61b8c79d15 Add .gitignore 2013-01-11 23:21:19 +00:00
Dr. Stephen Henson
42aa3ec4f2 PR: 2888
Reported by: Daniel Black <daniel.black@openquery.com>

Support renewing session tickets (backport from HEAD).
2012-12-10 16:45:39 +00:00
Dr. Stephen Henson
bb152dae8f check mval for NULL too 2012-12-04 17:26:36 +00:00
Dr. Stephen Henson
c42ab44087 fix leak 2012-12-03 16:33:54 +00:00
Dr. Stephen Henson
42e10c3fd6 PR: 2803
Submitted by: jean-etienne.schwartz@bull.net

In OCSP_basic_varify return an error if X509_STORE_CTX_init fails.
2012-11-29 19:16:01 +00:00
Dr. Stephen Henson
c571a3e984 PR: 2908
Submitted by: Dmitry Belyavsky <beldmit@gmail.com>

Fix DH double free if parameter generation fails.
2012-11-21 14:01:38 +00:00
Dr. Stephen Henson
e55988bb60 correct docs 2012-11-19 20:07:23 +00:00
Dr. Stephen Henson
34b5ba3b60 PR: 2880
Submitted by: "Florian Rüchel" <florian.ruechel@ruhr-uni-bochum.de>

Correctly handle local machine keys in the capi ENGINE.
2012-11-18 15:20:40 +00:00
Andy Polyakov
629ac4b4ca aix[64]-cc: get MT support right [from HEAD].
PR: 2896
2012-10-16 08:22:55 +00:00
Bodo Möller
75f0bc4f44 Fix EC_KEY initialization race.
Submitted by: Adam Langley
2012-10-05 20:51:47 +00:00
Dr. Stephen Henson
71a2440ee5 backport OCSP fix enhancement 2012-10-05 13:02:31 +00:00
Ben Laurie
04e40739f7 Update CHANGES for OCSP fix. 2012-10-05 13:00:17 +00:00
Ben Laurie
48bcdad0d5 Backport OCSP fix. 2012-10-05 12:50:24 +00:00
Bodo Möller
f7d2402cab Fix Valgrind warning.
Submitted by: Adam Langley
2012-09-24 19:50:07 +00:00
Richard Levitte
808f55351a * Configure: make the debug-levitte-linux{elf,noasm} less extreme. 2012-09-24 18:49:09 +00:00
Richard Levitte
c06271bc35 * ssl/t1_enc.c (tls1_change_cipher_state): Stupid bug. Fortunately in
debugging code that's seldom used.
2012-09-21 13:08:32 +00:00
Dr. Stephen Henson
92e5882aca fix memory leak 2012-09-11 13:45:42 +00:00
Richard Levitte
afa0580cd5 Remove duplicate symbol in crypto/symhacks.h
Have the new names start in column 48, that makes it easy to see when
the 31 character limit is reached (on a 80 column display, do the math)
2012-07-05 09:06:20 +00:00
Dr. Stephen Henson
4baee3031c PR: 2813
Reported by: Constantine Sapuntzakis <csapuntz@gmail.com>

Fix possible deadlock when decoding public keys.
2012-05-11 13:49:15 +00:00
Dr. Stephen Henson
db7a72b224 prepare for next version 2012-05-10 16:01:11 +00:00
Dr. Stephen Henson
b71e69ad8e update FAQ 2012-05-10 14:38:52 +00:00
Dr. Stephen Henson
f856173c43 prepare for 0.9.8x release 2012-05-10 14:36:07 +00:00
Dr. Stephen Henson
d742f9ebbd update NEWS 2012-05-10 14:35:13 +00:00
Dr. Stephen Henson
36dd4cba3d Sanity check record length before skipping explicit IV in DTLS
to fix DoS attack.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
2012-05-10 14:33:11 +00:00
Dr. Stephen Henson
3978429ad5 Reported by: Solar Designer of Openwall
Make sure tkeylen is initialised properly when encrypting CMS messages.
2012-05-10 13:27:57 +00:00
Richard Levitte
885945d6e1 Correct environment variable is OPENSSL_ALLOW_PROXY_CERTS. 2012-05-04 10:43:17 +00:00
Dr. Stephen Henson
e22e770147 prepare for next version 2012-04-23 21:15:22 +00:00
Dr. Stephen Henson
e0c0203341 update STATUS 2012-04-23 21:03:04 +00:00
Dr. Stephen Henson
e1eec61e26 correct STATUS 2012-04-23 20:51:18 +00:00
Dr. Stephen Henson
296fa128c9 correct NEWS 2012-04-23 20:49:21 +00:00
Dr. Stephen Henson
6dde222aae prepare form 0.9.8w release 2012-04-23 20:45:29 +00:00
Dr. Stephen Henson
391ac37018 update NEWS 2012-04-23 20:43:35 +00:00
Dr. Stephen Henson
8d038a08fb The fix for CVE-2012-2110 did not take into account that the
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
rejecting negative len parameter.

Thanks to the many people who reported this bug and to Tomas Hoger
<thoger@redhat.com> for supplying the fix.
2012-04-23 20:35:55 +00:00
Dr. Stephen Henson
747c6ffda4 correct error code 2012-04-22 13:31:46 +00:00
Dr. Stephen Henson
d4cddc54f0 correct old FAQ answers, sync with HEAD 2012-04-22 13:22:38 +00:00
Dr. Stephen Henson
eb7112c18e prepare for next version 2012-04-19 17:03:28 +00:00
Dr. Stephen Henson
fef9e07930 update FAQ 2012-04-19 12:05:18 +00:00
Dr. Stephen Henson
8ab27e6ef7 prepare for 0.9.8v release 2012-04-19 11:39:03 +00:00
Dr. Stephen Henson
6415055590 update NEWS 2012-04-19 11:37:17 +00:00
Dr. Stephen Henson
556e27b14f Check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.

Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
2012-04-19 11:36:09 +00:00
Dr. Stephen Henson
af0c009d70 use /fixed argument when linking FIPS targets to disable address space layout randomization 2012-04-15 16:48:34 +00:00
Dr. Stephen Henson
0b1cf4a139 PR: 2778(part)
Submitted by: John Fitzgibbon <john_fitzgibbon@yahoo.com>

Time is always encoded as 4 bytes, not sizeof(Time).
2012-03-31 18:02:23 +00:00
Dr. Stephen Henson
a9101cdcaa Always use SSLv23_{client,server}_method in s_client.c and s_server.c,
the old code came from SSLeay days before TLS was even supported.
2012-03-18 18:18:30 +00:00
Dr. Stephen Henson
e351e2a7cf prepare for next version 2012-03-12 16:35:13 +00:00
Dr. Stephen Henson
215276243d corrected fix to PR#2711 and also cover mime_param_cmp 2012-03-12 15:25:53 +00:00
Dr. Stephen Henson
ddb7832852 correct FAQ 2012-03-12 15:01:44 +00:00
Dr. Stephen Henson
2fad41d155 prepare for release 2012-03-12 14:53:14 +00:00
Dr. Stephen Henson
b9c3d9168f update NEWS 2012-03-12 14:52:14 +00:00
Dr. Stephen Henson
4f2fc3c2dd Fix for CMS/PKCS7 MMA. If RSA decryption fails use a random key and
continue with symmetric decryption process to avoid leaking timing
information to an attacker.

Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
this issue. (CVE-2012-0884)
2012-03-12 14:51:45 +00:00
Dr. Stephen Henson
48819f4d54 fix error code 2012-03-12 14:50:55 +00:00
Dr. Stephen Henson
b0cbdd3eba manually patch missing part of PR#2756 2012-03-12 12:46:52 +00:00
Dr. Stephen Henson
5016107550 PR: 2756
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix DTLS timeout handling.
2012-03-09 15:51:56 +00:00
Dr. Stephen Henson
25d5d15fd5 check return value of BIO_write in PKCS7_decrypt 2012-03-08 14:01:44 +00:00
Dr. Stephen Henson
725713f74a PR: 2755
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Reduce MTU after failed transmissions. [0.9.8 version of patch]
2012-03-07 15:14:16 +00:00
Dr. Stephen Henson
73eb0972cf return failure code if I/O error 2012-03-06 19:08:30 +00:00
Dr. Stephen Henson
6720779c7e revert PR#2755: it breaks compilation 2012-03-06 18:25:33 +00:00
Dr. Stephen Henson
b2a2c6af2a PR: 2755
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Reduce MTU after failed transmissions.
2012-03-06 13:45:47 +00:00
Dr. Stephen Henson
272993bac4 PR: 2696 Submitted by: Rob Austein <sra@hactrn.net>
Fix inverted range problem in RFC3779 code.

Thanks to Andrew Chi for generating test cases for this bug.

[from HEAD]
2012-03-06 13:37:52 +00:00
Dr. Stephen Henson
58532ae047 oops, revert unrelated patches 2012-03-06 13:22:32 +00:00
Dr. Stephen Henson
4e7f6d380d PR: 2748
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>

Fix possible DTLS timer deadlock.
2012-03-06 13:20:20 +00:00
Dr. Stephen Henson
f0be325f88 Fix memory leak cause by race condition when creating public keys.
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for reporting this bug.
2012-02-28 14:47:36 +00:00
Dr. Stephen Henson
b66af23aa9 free headers after use in error message 2012-02-27 16:26:32 +00:00
Dr. Stephen Henson
29d0c13e97 Detect symmetric crypto errors in PKCS7_decrypt.
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for reporting this bug.
2012-02-27 15:23:20 +00:00
Dr. Stephen Henson
8a4e81a269 PR: 2711
Submitted by: Tomas Mraz <tmraz@redhat.com>

Tolerate bad MIME headers in parser.
2012-02-23 21:50:13 +00:00
Dr. Stephen Henson
843fc7b681 Fix bug in CVE-2011-4619: check we have really received a client hello
before rejecting multiple SGC restarts.
2012-02-16 15:21:17 +00:00
Dr. Stephen Henson
6dcb6bf1c1 PR: 2703
Submitted by: Alexey Melnikov <alexey.melnikov@isode.com>

Fix some memory and resource leaks in CAPI ENGINE.
2012-02-11 23:12:34 +00:00
Dr. Stephen Henson
1061c3cb3c PR: 2705
Submitted by: Alexey Melnikov <alexey.melnikov@isode.com>

Only create ex_data indices once for CAPI engine.
2012-02-11 23:07:32 +00:00
Dr. Stephen Henson
0d0f15d8d1 fix Visual Studio 2010 warning [from HEAD] (original by appro) 2012-01-20 23:24:17 +00:00
Dr. Stephen Henson
a72ce94213 prepare for next version 2012-01-18 14:27:13 +00:00
Dr. Stephen Henson
f71d59c70e update FAQ 2012-01-18 13:15:37 +00:00
Dr. Stephen Henson
3309f8313c prepare for release 2012-01-18 13:14:49 +00:00
Dr. Stephen Henson
6cc5f194a7 update NEWS 2012-01-18 13:13:31 +00:00
Dr. Stephen Henson
096327a99a Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
2012-01-18 13:12:08 +00:00
Dr. Stephen Henson
cc10bcf25e fix CHANGES entry 2012-01-17 14:18:26 +00:00
Dr. Stephen Henson
875ac0ec00 fix warning 2012-01-10 14:37:00 +00:00
Bodo Möller
bf240f063a Fix usage indentation 2012-01-05 13:15:29 +00:00
Bodo Möller
dd016b0570 Fix for builds without DTLS support.
Submitted by: Brian Carlstrom
2012-01-05 10:21:49 +00:00
Dr. Stephen Henson
244788464a update for next version 2012-01-04 23:56:13 +00:00
Dr. Stephen Henson
a95808334e update FAQ 2012-01-04 19:23:07 +00:00
Dr. Stephen Henson
b3cebd5acf prepare for 0.9.8s release 2012-01-04 19:20:49 +00:00
Dr. Stephen Henson
7b775145e4 update NEWS 2012-01-04 19:16:11 +00:00
Dr. Stephen Henson
7183aa6b9d make update 2012-01-04 19:12:39 +00:00
Dr. Stephen Henson
eebefe35e7 Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de>
Reviewed by: steve

Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
2012-01-04 19:10:16 +00:00
Dr. Stephen Henson
1db0bbdc76 Fix double free in policy check code (CVE-2011-4109) 2012-01-04 19:00:28 +00:00
Dr. Stephen Henson
e643112dd8 Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) 2012-01-04 18:54:17 +00:00
Dr. Stephen Henson
21c4b25959 Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619) 2012-01-04 18:52:18 +00:00
Dr. Stephen Henson
41cf2c3aef stop warning 2012-01-04 18:45:18 +00:00
Dr. Stephen Henson
0e3a930fb4 Prevent malformed RFC3779 data triggering an assertion failure (CVE-2011-4577) 2012-01-04 18:44:20 +00:00
Dr. Stephen Henson
0c214e0153 Submitted by: Adam Langley <agl@chromium.org>
Reviewed by: steve

Fix memory leaks.
2012-01-04 14:25:10 +00:00
Dr. Stephen Henson
6c61cfbe03 PR: 2326
Submitted by: Tianjie Mao <tjmao@tjmao.net>
Reviewed by: steve

Fix incorrect comma expressions and goto f_err as alert has been set.
2011-12-26 19:38:28 +00:00
Andy Polyakov
2ee77d36a0 x86-mont.pl: fix bug in integer-only squaring path [from HEAD].
PR: 2648
2011-12-09 14:28:48 +00:00
Dr. Stephen Henson
24f441e0bb The default CN prompt message can be confusing when often the CN needs to
be the server FQDN: change it.
[Reported by PSW Group]
2011-12-06 00:01:09 +00:00
Bodo Möller
740da44f20 Resolve a stack set-up race condition (if the list of compression
methods isn't presorted, it will be sorted on first read).

Submitted by: Adam Langley
2011-12-02 12:50:44 +00:00
Bodo Möller
72033fde7b Fix ecdsatest.c.
Submitted by: Emilia Kasper
2011-12-02 12:40:25 +00:00
Bodo Möller
9adf3fcf9a Fix BIO_f_buffer().
Submitted by: Adam Langley
Reviewed by: Bodo Moeller
2011-12-02 12:23:57 +00:00
Andy Polyakov
65f7456652 ppc.pl: fix bug in bn_mul_comba4 [from HEAD].
PR: 2636
Submitted by: Charles Bryant
2011-11-05 10:17:06 +00:00
Dr. Stephen Henson
8794569a08 PR: 2628
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Send alert instead of assertion failure for incorrectly formatted DTLS
fragments.
2011-10-27 13:06:26 +00:00
Dr. Stephen Henson
f8731bc2fd PR: 2632
Submitted by: emmanuel.azencot@bull.net
Reviewed by: steve

Return -1 immediately if not affine coordinates as BN_CTX has not been
set up.
2011-10-26 16:42:48 +00:00
Bodo Möller
195d6bf760 BN_BLINDING multi-threading fix.
Submitted by: Emilia Kasper (Google)
2011-10-19 14:57:59 +00:00
Bodo Möller
dacd94b9c8 Oops: this change (http://cvs.openssl.org/chngview?cn=21503)
wasn't right for 0.9.8-stable (it's actually a fix for
http://cvs.openssl.org/chngview?cn=14494, which introduced
SSL_CTRL_SET_MAX_SEND_FRAGMENT).
2011-10-19 13:53:41 +00:00
Bodo Möller
8070cb5f87 Clarify warning 2011-10-13 13:24:13 +00:00
Bodo Möller
f7d514f449 In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
Submitted by: Bob Buckholz <bbuckholz@google.com>
2011-10-13 13:04:40 +00:00
Dr. Stephen Henson
6d50bce79f PR: 2482
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Don't allow inverted ranges in RFC3779 code, discovered by Frank Ellermann.
2011-10-09 00:56:18 +00:00
Dr. Stephen Henson
3cf0a38b3e fix signed/unsigned warning 2011-09-26 17:05:00 +00:00
Dr. Stephen Henson
91a1d08a4c use keyformat for -x509toreq, don't hard code PEM 2011-09-23 21:49:08 +00:00
Dr. Stephen Henson
85e776885b PR: 2606
Submitted by: Christoph Viethen <cv@kawo2.rwth-aachen.de>
Reviewed by: steve

Handle timezones correctly in UTCTime.
2011-09-23 13:40:06 +00:00
Dr. Stephen Henson
fc4015329f PR: 2602
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS bug which prevents manual MTU setting
2011-09-23 13:35:32 +00:00
Dr. Stephen Henson
6ec9ff83f3 PR: 2347
Submitted by: Tomas Mraz <tmraz@redhat.com>
Reviewed by: steve

Fix usage message.
2011-09-23 13:13:02 +00:00
Bodo Möller
db45308477 (EC)DH memory handling fixes.
Submitted by: Adam Langley
2011-09-05 10:25:15 +00:00
Bodo Möller
1c7c69a8a5 Fix memory leak on bad inputs. 2011-09-05 09:56:48 +00:00
Bodo Möller
24ad061037 Move OPENSSL_init declaration out of auto-generated code section
(it is not auto-generated).
2011-09-05 09:52:58 +00:00
Dr. Stephen Henson
92f96fa721 PR: 2576
Submitted by: Doug Goldstein <cardoe@gentoo.org>
Reviewed by: steve

Include header file stdlib.h which is needed on some platforms to get
getenv() declaration.
2011-09-02 11:20:49 +00:00
Dr. Stephen Henson
0d1e362363 PR: 2340
Submitted by: "Mauro H. Leggieri" <mxmauro@caiman.com.ar>
Reviewed by: steve

Stop warnings if OPENSSL_NO_DGRAM is defined.
2011-09-01 15:03:10 +00:00
Dr. Stephen Henson
a0bf2c86ab make timing attack protection unconditional 2011-09-01 14:23:41 +00:00
Dr. Stephen Henson
6a662a45f3 PR: 2573
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS buffering and decryption bug.
2011-09-01 14:01:36 +00:00
Dr. Stephen Henson
24d0524f31 PR: 2588
Submitted by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed by: steve

Close file pointer.
2011-09-01 13:48:48 +00:00
Dr. Stephen Henson
c081817c95 PR: 2586
Submitted by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reviewed by: steve

Fix brace mismatch.
2011-09-01 13:37:11 +00:00
Dr. Stephen Henson
46a1f2487e PR: 2559
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS socket error bug
2011-07-20 15:20:19 +00:00
Dr. Stephen Henson
ac02a4b68a PR: 2555
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS sequence number bug
2011-07-20 15:17:20 +00:00
Dr. Stephen Henson
4ba063d3c5 PR: 2550
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS HelloVerifyRequest Timer bug
2011-07-20 15:12:58 +00:00
Andy Polyakov
e0e0818e4b config: detect if assembler supports --noexecstack and pass it down [from HEAD]. 2011-07-15 19:59:31 +00:00
Dr. Stephen Henson
82a5049f6a PR: 2556 (partial)
Reported by: Daniel Marschall <daniel-marschall@viathinksoft.de>
Reviewed by: steve

Fix OID routines.

Check on encoding leading zero rejection should start at beginning of
encoding.

Allow for initial digit when testing when to use BIGNUMs which can increase
first value by 2 * 40.
2011-07-14 12:01:08 +00:00
Andy Polyakov
d027b75b73 perlasm/cbc.pl: fix tail processing bug [from HEAD].
PR: 2557
2011-07-13 06:25:15 +00:00
Dr. Stephen Henson
87421d3fc5 PR: 2471
Submitted by: Corinna Vinschen

util/cygwin.sh: maintainer's update [from HEAD].
2011-06-22 15:46:37 +00:00
Dr. Stephen Henson
87d14a3625 PR: 2470
Submitted by: Corinna Vinschen <vinschen@redhat.com>
Reviewed by: steve

Don't call ERR_remove_state from DllMain.
2011-06-22 15:39:19 +00:00
Dr. Stephen Henson
cc0931e36b PR: 2543
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Correctly handle errors in DTLSv1_handle_timeout()
2011-06-22 15:29:36 +00:00
Dr. Stephen Henson
22152d6885 PR: 2540
Submitted by: emmanuel.azencot@bull.net
Reviewed by: steve

Prevent infinite loop in BN_GF2m_mod_inv().
2011-06-22 15:23:20 +00:00
Dr. Stephen Henson
102bcbce8d correctly encode OIDs near 2^32 2011-06-22 15:15:20 +00:00
Andy Polyakov
8655de423d rc4_skey.c [0.9.8]: at some point rc4_skey and x86[_64]cpuid were modified
to examine bit#20 on x86[_64], but it was erroneously reverted to bit#28
in 2008 in process of FIPS integration.
2011-06-06 19:58:21 +00:00
Dr. Stephen Henson
c4b2eb24b3 PR: 2529
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve

Call ssl_new() to reallocate SSL BIO internals if we want to replace
the existing internal SSL structure.
2011-05-25 15:15:43 +00:00
Dr. Stephen Henson
03e3fbb702 PR: 2527
Submitted by: Marcus Meissner <meissner@suse.de>
Reviewed by: steve

Set cnf to NULL to avoid possible double free.
2011-05-25 15:06:32 +00:00
Dr. Stephen Henson
bc7ee385f5 Fix the ECDSA timing attack mentioned in the paper at:
http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.
2011-05-25 14:52:54 +00:00
Dr. Stephen Henson
1e368ab08f Fix the ECDSA timing attack mentioned in the paper at:
http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.
2011-05-25 14:43:47 +00:00
Dr. Stephen Henson
2c77c5c8db Oops use up to date patch for PR#2506 2011-05-25 14:29:39 +00:00
Dr. Stephen Henson
1eb38c563f PR: 2506
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fully implement SSL_clear for DTLS.
2011-05-25 12:28:42 +00:00
Dr. Stephen Henson
fa657871ed PR: 2505
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS session resumption timer bug.
2011-05-25 12:24:03 +00:00
Dr. Stephen Henson
09dac71a45 update date 2011-05-19 17:57:08 +00:00
Dr. Stephen Henson
be70b3adce set encodedPoint to NULL after freeing it 2011-05-19 16:18:39 +00:00
Dr. Stephen Henson
6d12b1f82b check buffer is larger enough before overwriting 2011-04-06 18:07:12 +00:00
Dr. Stephen Henson
7116a41129 PR: 2462
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS Retransmission Buffer Bug
2011-04-03 17:15:23 +00:00
Dr. Stephen Henson
7143acab25 PR: 2458
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Don't change state when answering DTLS ClientHello.
2011-04-03 16:26:33 +00:00
Dr. Stephen Henson
11d4086d8e PR: 2457
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>
Reviewed by: steve

Fix DTLS fragment reassembly bug.
2011-04-03 15:49:26 +00:00
Dr. Stephen Henson
32cd1da62e PR: 2469
Submitted by: Jim Studt <jim@studt.net>
Reviewed by: steve

Check mac is present before trying to retrieve mac iteration count.
2011-03-13 18:23:24 +00:00
Bodo Möller
d430f56de6 start 0.9.8s-dev 2011-02-08 17:58:34 +00:00
Bodo Möller
957ebe98fb OCSP stapling fix (OpenSSL 0.9.8r/1.0.0d)
Submitted by: Neel Mehta, Adam Langley, Bodo Moeller
2011-02-08 17:10:47 +00:00
Bodo Möller
9d09fc8485 Assorted bugfixes:
- RLE decompression boundary case
- SSL 2.0 key arg length check

Submitted by: Google (Neel Mehta, Bodo Moeller)
2011-02-03 12:04:48 +00:00
Bodo Möller
8ea4531718 Update 0.9.7-branch section with information from 1.0.0-branch NEWS file 2011-02-03 11:44:00 +00:00
Bodo Möller
881611678e "make update" 2011-02-03 10:28:14 +00:00
Dr. Stephen Henson
a3dc628d86 PR: 2433
Submitted by: Chris Wilson <chris@qwirx.com>
Reviewed by: steve

Constify ASN1_STRING_set_default_mask_asc().
2011-01-24 16:21:00 +00:00
Dr. Stephen Henson
3c159fc1a5 check EC public key isn't point at infinity 2011-01-24 15:08:12 +00:00
Dr. Stephen Henson
6056afd223 PR: 1612
Submitted by: Robert Jackson <robert@rjsweb.net>
Reviewed by: steve

Fix EC_POINT_cmp function for case where b but not a is the point at infinity.
2011-01-24 14:42:11 +00:00
Richard Levitte
54db796991 PR: 2434
Under Windows, there seems to be a problem relinking fips_premain_dso
because that file is locked.  Changing from backtick op to using
system() with redirection and reading the hash from the output file
seems to fix the problem.

In an ideal world, there should be no difference, as a command in a
backtick op should terminate before the backtick returns, same as it
does with system().  We suspect, though, that the loaded binary is
cached by Windows for a little while, and that reading the output from
a file provides enough delay for the lock to drop before we try to
relink.
2011-01-20 22:12:50 +00:00
Dr. Stephen Henson
119e912a83 Since DTLS 1.0 is based on TLS 1.1 we should never return a decryption_failed
alert.
2011-01-04 19:33:01 +00:00
Dr. Stephen Henson
f4a4a0fdc7 PR: 2411
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Fix corner cases in RFC3779 code.
2011-01-03 01:40:22 +00:00
Dr. Stephen Henson
9ad765173f Fix escaping code for string printing. If *any* escaping is enabled we
must escape the escape character itself (backslash).
2011-01-03 01:26:33 +00:00
Dr. Stephen Henson
c8e3c1a9b5 PR: 2410
Submitted by: Rob Austein <sra@hactrn.net>
Reviewed by: steve

Use OPENSSL_assert() instead of assert().
2011-01-03 01:20:03 +00:00
Dr. Stephen Henson
ae378b769a use fips-dev not dev-fips 2011-01-03 00:43:47 +00:00
Dr. Stephen Henson
4de4e35459 PR: 2416
Submitted by: Mark Phalan <mark.phalan@oracle.com>
Reviewed by: steve

Use L suffix in version number.
2011-01-03 00:25:47 +00:00
Bodo Möller
5537a83e56 Add missing explicit instruction size.
[CVS head and later branches have this since revision 1.7 of this file.]

Submitted by: Chandler Carruth (Google)
2010-12-13 20:47:26 +00:00
Dr. Stephen Henson
c850d322a6 add Android changes from FIPS 1.2.2 module 2010-12-11 00:30:43 +00:00
Dr. Stephen Henson
b8be571868 update for next release 2010-12-02 19:42:28 +00:00
116 changed files with 2692 additions and 683 deletions

77
.gitignore vendored Normal file
View File

@@ -0,0 +1,77 @@
# Object files
*.o
# editor artefacts
*.swp
.#*
#*#
*~
# Top level excludes
/Makefile.bak
/Makefile
/*.a
/include
/*.pc
/rehash.time
# Most *.c files under test/ are symlinks
/test/*.c
# Apart from these
!/test/asn1test.c
!/test/methtest.c
!/test/dummytest.c
!/test/igetest.c
!/test/r160test.c
!/test/fips_algvs.c
/test/*.ss
/test/*.srl
/test/.rnd
/test/test*.pem
/test/newkey.pem
# Certificate symbolic links
*.0
# Links under apps
/apps/CA.pl
/apps/md4.c
# Auto generated headers
/crypto/buildinf.h
/crypto/opensslconf.h
# Auto generated assembly language source files
*.s
!/crypto/bn/asm/pa-risc2.s
!/crypto/bn/asm/pa-risc2W.s
# Executables
/apps/openssl
/test/sha256t
/test/sha512t
/test/*test
/test/fips_aesavs
/test/fips_desmovs
/test/fips_dhvs
/test/fips_drbgvs
/test/fips_dssvs
/test/fips_ecdhvs
/test/fips_ecdsavs
/test/fips_rngvs
/test/fips_test_suite
*.so*
*.dylib*
*.dll*
# Exceptions
!/test/bctest
!/crypto/des/times/486-50.sol
# Misc auto generated files
/tools/c_rehash
/test/evptests.txt
lib
Makefile.save
*.bak

165
CHANGES
View File

@@ -2,6 +2,171 @@
OpenSSL CHANGES
_______________
Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
*) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
This addresses the flaw in CBC record processing discovered by
Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
at: http://www.isg.rhul.ac.uk/tls/
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
Emilia K<>sper for the initial patch.
(CVE-2013-0169)
[Emilia K<>sper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
*) Return an error when checking OCSP signatures when key is NULL.
This fixes a DoS attack. (CVE-2013-0166)
[Steve Henson]
*) Call OCSP Stapling callback after ciphersuite has been chosen, so
the right response is stapled. Also change SSL_get_certificate()
so it returns the certificate actually sent.
See http://rt.openssl.org/Ticket/Display.html?id=2836.
(This is a backport)
[Rob Stradling <rob.stradling@comodo.com>]
*) Fix possible deadlock when decoding public keys.
[Steve Henson]
Changes between 0.9.8w and 0.9.8x [10 May 2012]
*) Sanity check record length before skipping explicit IV in DTLS
to fix DoS attack.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
[Steve Henson]
*) Initialise tkeylen properly when encrypting CMS messages.
Thanks to Solar Designer of Openwall for reporting this issue.
[Steve Henson]
Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
*) The fix for CVE-2012-2110 did not take into account that the
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
rejecting negative len parameter. (CVE-2012-2131)
[Tomas Hoger <thoger@redhat.com>]
Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
*) Check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.
Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it.
(CVE-2012-2110)
[Adam Langley (Google), Tavis Ormandy, Google Security Team]
Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
*) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
in CMS and PKCS7 code. When RSA decryption fails use a random key for
content decryption and always return the same error. Note: this attack
needs on average 2^20 messages so it only affects automated senders. The
old behaviour can be reenabled in the CMS code by setting the
CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
an MMA defence is not necessary.
Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
this issue. (CVE-2012-0884)
[Steve Henson]
*) Fix CVE-2011-4619: make sure we really are receiving a
client hello before rejecting multiple SGC restarts. Thanks to
Ivan Nestlerode <inestlerode@us.ibm.com> for discovering this bug.
[Steve Henson]
Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
*) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
Thanks to Antonio Martin, Enterprise Secure Access Research and
Development, Cisco Systems, Inc. for discovering this bug and
preparing a fix. (CVE-2012-0050)
[Antonio Martin]
Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
of the Vaudenay padding oracle attack on CBC mode encryption
which enables an efficient plaintext recovery attack against
the OpenSSL implementation of DTLS. Their attack exploits timing
differences arising during decryption processing. A research
paper describing this attack can be found at:
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
for preparing the fix. (CVE-2011-4108)
[Robin Seggelmann, Michael Tuexen]
*) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
[Ben Laurie, Kasper <ekasper@google.com>]
*) Clear bytes used for block padding of SSL 3.0 records.
(CVE-2011-4576)
[Adam Langley (Google)]
*) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
Kadianakis <desnacked@gmail.com> for discovering this issue and
Adam Langley for preparing the fix. (CVE-2011-4619)
[Adam Langley (Google)]
*) Prevent malformed RFC3779 data triggering an assertion failure.
Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
[Rob Austein <sra@hactrn.net>]
*) Fix ssl_ciph.c set-up race.
[Adam Langley (Google)]
*) Fix spurious failures in ecdsatest.c.
[Emilia K<>sper (Google)]
*) Fix the BIO_f_buffer() implementation (which was mixing different
interpretations of the '..._len' fields).
[Adam Langley (Google)]
*) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
threads won't reuse the same blinding coefficients.
This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
lock to call BN_BLINDING_invert_ex, and avoids one use of
BN_BLINDING_update for each BN_BLINDING structure (previously,
the last update always remained unused).
[Emilia K<>sper (Google)]
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular
for multi-threaded use of ECDH.
[Adam Langley (Google)]
*) Fix x509_name_ex_d2i memory leak on bad inputs.
[Bodo Moeller]
*) Add protection against ECDSA timing attacks as mentioned in the paper
by Billy Bob Brumley and Nicola Tuveri, see:
http://eprint.iacr.org/2011/232.pdf
[Billy Bob Brumley and Nicola Tuveri]
Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
*) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
[Neel Mehta, Adam Langley, Bodo Moeller (Google)]
*) Fix bug in string printing code: if *any* escaping is enabled we must
escape the escape character (backslash) or the resulting string is
ambiguous.
[Steve Henson]
Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
*) Disable code workaround for ancient and obsolete Netscape browsers

View File

@@ -162,6 +162,7 @@ my %table=(
"debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
"debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
"debug-ben-debug", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -ggdb3 -O2 -pipe::(unknown)::::::",
"debug-ben-debug-64", "gcc:$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-ben-debug-noopt", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -ggdb3 -pipe::(unknown)::::::",
"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
@@ -172,10 +173,10 @@ my %table=(
"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-steve", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -m32 -g -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared",
"debug-steve-linux-pseudo64", "gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT:${no_asm}:dlfcn:linux-shared",
"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-geoff","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
"debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
@@ -371,6 +372,9 @@ my %table=(
"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${no_asm}",
# Android: Linux but without -DTERMIO and pointers to headers and libs.
"android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### *BSD [do see comment about ${BSDthreads} above!]
"BSD-generic32","gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"BSD-x86", "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -425,8 +429,8 @@ my %table=(
"aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64",
# Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE
# at build time. $OBJECT_MODE is respected at ./config stage!
"aix-cc", "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
"aix-cc", "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR::aix_ppc32.o::::::::::dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32",
"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR::aix_ppc64.o::::::::::dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64",
#
# Cray T90 and similar (SDSC)

22
FAQ
View File

@@ -10,6 +10,7 @@ OpenSSL - Frequently Asked Questions
* Why aren't tools like 'autoconf' and 'libtool' used?
* What is an 'engine' version?
* How do I check the authenticity of the OpenSSL distribution?
* How does the versioning scheme work?
[LEGAL] Legal questions
@@ -82,7 +83,7 @@ OpenSSL - Frequently Asked Questions
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
OpenSSL 1.0.0c was released on Dec 2nd, 2010.
OpenSSL 1.0.1d was released on Feb 5th, 2013.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
@@ -108,7 +109,9 @@ In addition, you can read the most current versions at
<URL: http://www.openssl.org/docs/>. Note that the online documents refer
to the very latest development versions of OpenSSL and may include features
not present in released versions. If in doubt refer to the documentation
that came with the version of OpenSSL you are using.
that came with the version of OpenSSL you are using. The pod format
documentation is included in each OpenSSL distribution under the docs
directory.
For information on parts of libcrypto that are not yet documented, you
might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
@@ -173,6 +176,19 @@ just do:
pgp TARBALL.asc
* How does the versioning scheme work?
After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter
releases (e.g. 1.0.1a) can only contain bug and security fixes and no
new features. Minor releases change the last number (e.g. 1.0.2) and
can contain new features that retain binary compatibility. Changes to
the middle number are considered major releases and neither source nor
binary compatibility is guaranteed.
Therefore the answer to the common question "when will feature X be
backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
in the next minor release.
[LEGAL] =======================================================================
* Do I need patent licenses to use OpenSSL?
@@ -284,7 +300,7 @@ current directory in this case, but this has changed with 0.9.6a.)
Check out the CA.pl(1) manual page. This provides a simple wrapper round
the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
out the manual pages for the individual utilities and the certificate
extensions documentation (currently in doc/openssl.txt).
extensions documentation (in ca(1), req(1), x509v3_config(5) )
* Why can't I create certificate requests?

View File

@@ -12,7 +12,7 @@
---------------
/* ====================================================================
* Copyright (c) 1998-2008 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions

44
NEWS
View File

@@ -5,6 +5,45 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y:
o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
o Fix OCSP bad key DoS attack CVE-2013-0166
Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x:
o Fix DTLS record length checking bug CVE-2012-2333
Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w:
o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110)
Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v:
o Fix for ASN1 overflow bug CVE-2012-2110
Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u:
o Fix for CMS/PKCS#7 MMA CVE-2012-0884
o Corrected fix for CVE-2011-4619
o Various DTLS fixes.
Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t:
o Fix for DTLS DoS issue CVE-2012-0050
Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s:
o Fix for DTLS plaintext recovery attack CVE-2011-4108
o Fix policy check double free error CVE-2011-4109
o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
o Check for malformed RFC3779 data CVE-2011-4577
Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r:
o Fix for security issue CVE-2011-0014
Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q:
o Fix for security issue CVE-2010-4180
@@ -181,6 +220,11 @@
o Added initial support for Win64.
o Added alternate pkg-config files.
Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m:
o FIPS 1.1.1 module linking.
o Various ciphersuite selection fixes.
Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l:
o Introduce limits to prevent malicious key DoS (CVE-2006-2940)

4
README
View File

@@ -1,7 +1,7 @@
OpenSSL 0.9.8q 2 Dec 2010
OpenSSL 0.9.8y 5 Feb 2013
Copyright (c) 1998-2009 The OpenSSL Project
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.

18
STATUS
View File

@@ -1,13 +1,29 @@
OpenSSL STATUS Last modified at
______________ $Date: 2010/12/02 18:53:51 $
______________ $Date: 2012/05/10 14:36:07 $
DEVELOPMENT STATE
o OpenSSL 1.1.0: Under development...
o OpenSSL 1.0.1: Under development...
o OpenSSL 1.0.0i: Released on April 19th, 2012
o OpenSSL 1.0.0h: Released on March 12th, 2012
o OpenSSL 1.0.0g: Released on January 18th, 2012
o OpenSSL 1.0.0f: Released on January 4th, 2012
o OpenSSL 1.0.0e: Released on September 6th, 2011
o OpenSSL 1.0.0d: Released on February 8nd, 2011
o OpenSSL 1.0.0c: Released on December 2nd, 2010
o OpenSSL 1.0.0b: Released on November 16th, 2010
o OpenSSL 1.0.0a: Released on June 1st, 2010
o OpenSSL 1.0.0: Released on March 29th, 2010
o OpenSSL 0.9.8y: Released on February 5th, 2013
o OpenSSL 0.9.8x: Released on May 10th, 2012
o OpenSSL 0.9.8w: Released on April 23rd, 2012
o OpenSSL 0.9.8v: Released on April 19th, 2012
o OpenSSL 0.9.8u: Released on March 12th, 2012
o OpenSSL 0.9.8t: Released on January 18th, 2012
o OpenSSL 0.9.8s: Released on January 4th, 2012
o OpenSSL 0.9.8r: Released on February 8nd, 2011
o OpenSSL 0.9.8q: Released on December 2nd, 2010
o OpenSSL 0.9.8p: Released on November 16th, 2010
o OpenSSL 0.9.8o: Released on June 1st, 2010

39
TABLE
View File

@@ -733,7 +733,7 @@ $arflags =
$cc = cc
$cflags = -q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst
$unistd =
$thread_cflag = -qthreaded
$thread_cflag = -qthreaded -D_THREAD_SAFE
$sys_id = AIX
$lflags =
$bn_ops = BN_LLONG RC4_CHAR
@@ -814,7 +814,7 @@ $arflags =
$cc = cc
$cflags = -q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst
$unistd =
$thread_cflag = -qthreaded
$thread_cflag = -qthreaded -D_THREAD_SAFE
$sys_id = AIX
$lflags =
$bn_ops = SIXTY_FOUR_BIT_LONG RC4_CHAR
@@ -864,6 +864,33 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
$ranlib =
$arflags = -X64
*** android
$cc = gcc
$cflags = -mandroid -I$(ANDROID_DEV)/include -B$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall
$unistd =
$thread_cflag = -D_REENTRANT
$sys_id =
$lflags = -ldl
$bn_ops = BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR
$cpuid_obj =
$bn_obj =
$des_obj =
$aes_obj =
$bf_obj =
$md5_obj =
$sha1_obj =
$cast_obj =
$rc4_obj =
$rmd160_obj =
$rc5_obj =
$dso_scheme = dlfcn
$shared_target= linux-shared
$shared_cflag = -fPIC
$shared_ldflag =
$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
$ranlib =
$arflags =
*** aux3-gcc
$cc = gcc
$cflags = -O2 -DTERMIO
@@ -1460,7 +1487,7 @@ $arflags =
*** debug-levitte-linux-elf
$cc = gcc
$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe
$cflags = -DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -ggdb -g3 -Wall
$unistd =
$thread_cflag = -D_REENTRANT
$sys_id =
@@ -1487,7 +1514,7 @@ $arflags =
*** debug-levitte-linux-elf-extreme
$cc = gcc
$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe
$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe
$unistd =
$thread_cflag = -D_REENTRANT
$sys_id =
@@ -1514,7 +1541,7 @@ $arflags =
*** debug-levitte-linux-noasm
$cc = gcc
$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe
$cflags = -DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall
$unistd =
$thread_cflag = -D_REENTRANT
$sys_id =
@@ -1541,7 +1568,7 @@ $arflags =
*** debug-levitte-linux-noasm-extreme
$cc = gcc
$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe
$cflags = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe
$unistd =
$thread_cflag = -D_REENTRANT
$sys_id =

View File

@@ -2052,7 +2052,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
X509_NAME *n = NULL;
int nid;
if (!buf || !ne_types || !ne_values)
if (!buf || !ne_types || !ne_values || !mval)
{
BIO_printf(bio_err, "malloc error\n");
goto error;
@@ -2156,6 +2156,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn)
OPENSSL_free(ne_values);
OPENSSL_free(ne_types);
OPENSSL_free(buf);
OPENSSL_free(mval);
return n;
error:
@@ -2164,6 +2165,8 @@ error:
OPENSSL_free(ne_values);
if (ne_types)
OPENSSL_free(ne_types);
if (mval)
OPENSSL_free(mval);
if (buf)
OPENSSL_free(buf);
return NULL;

View File

@@ -408,6 +408,7 @@ static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf)
atyp = ASN1_generate_nconf(genstr, cnf);
NCONF_free(cnf);
cnf = NULL;
if (!atyp)
return -1;

View File

@@ -226,6 +226,8 @@ int MAIN(int argc, char **argv)
else if (!strcmp(*args,"-camellia256"))
cipher = EVP_camellia_256_cbc();
#endif
else if (!strcmp (*args, "-debug_decrypt"))
flags |= CMS_DEBUG_DECRYPT;
else if (!strcmp (*args, "-text"))
flags |= CMS_TEXT;
else if (!strcmp (*args, "-nointern"))
@@ -611,7 +613,7 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "-certsout file certificate output file\n");
BIO_printf (bio_err, "-signer file signer certificate file\n");
BIO_printf (bio_err, "-recip file recipient certificate file for decryption\n");
BIO_printf (bio_err, "-skeyid use subject key identifier\n");
BIO_printf (bio_err, "-keyid use subject key identifier\n");
BIO_printf (bio_err, "-in file input file\n");
BIO_printf (bio_err, "-inform arg input format SMIME (default), PEM or DER\n");
BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n");
@@ -1013,6 +1015,8 @@ int MAIN(int argc, char **argv)
ret = 4;
if (operation == SMIME_DECRYPT)
{
if (flags & CMS_DEBUG_DECRYPT)
CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
if (secret_key)
{

View File

@@ -332,7 +332,6 @@ bad:
BIO_printf(bio_err,"This is going to take a long time\n");
if(!dh || !DH_generate_parameters_ex(dh, num, g, &cb))
{
if(dh) DH_free(dh);
ERR_print_errors(bio_err);
goto end;
}

View File

@@ -141,7 +141,7 @@ localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address

View File

@@ -141,7 +141,7 @@ localityName = Locality Name (eg, city)
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address

View File

@@ -659,7 +659,7 @@ int MAIN(int argc, char **argv)
if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass);
if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
if ((options & INFO) && p12->mac) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
if(macver) {
#ifdef CRYPTO_MDEBUG
CRYPTO_push_info("verify MAC");

View File

@@ -345,13 +345,7 @@ int MAIN(int argc, char **argv)
char *jpake_secret = NULL;
#endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_client_method();
#elif !defined(OPENSSL_NO_SSL3)
meth=SSLv3_client_method();
#elif !defined(OPENSSL_NO_SSL2)
meth=SSLv2_client_method();
#endif
apps_startup();
c_Pause=0;

View File

@@ -781,13 +781,7 @@ int MAIN(int argc, char *argv[])
tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
#endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_server_method();
#elif !defined(OPENSSL_NO_SSL3)
meth=SSLv3_server_method();
#elif !defined(OPENSSL_NO_SSL2)
meth=SSLv2_server_method();
#endif
local_argc=argc;
local_argv=argv;
@@ -1556,6 +1550,12 @@ end:
if (dpass)
OPENSSL_free(dpass);
#ifndef OPENSSL_NO_TLSEXT
if (tlscstatp.host)
OPENSSL_free(tlscstatp.host);
if (tlscstatp.port)
OPENSSL_free(tlscstatp.port);
if (tlscstatp.path)
OPENSSL_free(tlscstatp.path);
if (ctx2 != NULL) SSL_CTX_free(ctx2);
if (s_cert2)
X509_free(s_cert2);

View File

@@ -969,7 +969,7 @@ bad:
else
{
pk=load_key(bio_err,
keyfile, FORMAT_PEM, 0,
keyfile, keyformat, 0,
passin, e, "request key");
if (pk == NULL) goto end;
}

4
config
View File

@@ -790,6 +790,10 @@ esac
# options="$options -DATALLA"
#fi
($CC -Wa,--help -c -o /dev/null -x assembler /dev/null 2>&1 | \
grep \\--noexecstack) 2>&1 > /dev/null && \
options="$options -Wa,--noexecstack"
# gcc < 2.8 does not support -march=ultrasparc
if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]
then

View File

@@ -57,6 +57,7 @@
*/
#include <stdio.h>
#include <limits.h>
#include "cryptlib.h"
#include <openssl/buffer.h>
#include <openssl/asn1_mac.h>
@@ -143,17 +144,11 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
BUF_MEM *b;
unsigned char *p;
int i;
int ret=-1;
ASN1_const_CTX c;
int want=HEADER_SIZE;
size_t want=HEADER_SIZE;
int eos=0;
#if defined(__GNUC__) && defined(__ia64)
/* pathetic compiler bug in all known versions as of Nov. 2002 */
long off=0;
#else
int off=0;
#endif
int len=0;
size_t off=0;
size_t len=0;
b=BUF_MEM_new();
if (b == NULL)
@@ -169,7 +164,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
{
want-=(len-off);
if (!BUF_MEM_grow_clean(b,len+want))
if (len + want < len || !BUF_MEM_grow_clean(b,len+want))
{
ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
goto err;
@@ -181,7 +176,14 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
goto err;
}
if (i > 0)
{
if (len+i < len)
{
ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
goto err;
}
len+=i;
}
}
/* else data already loaded */
@@ -206,6 +208,11 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
{
/* no data body so go round again */
eos++;
if (eos < 0)
{
ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_HEADER_TOO_LONG);
goto err;
}
want=HEADER_SIZE;
}
else if (eos && (c.slen == 0) && (c.tag == V_ASN1_EOC))
@@ -220,10 +227,16 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
else
{
/* suck in c.slen bytes of data */
want=(int)c.slen;
want=c.slen;
if (want > (len-off))
{
want-=(len-off);
if (want > INT_MAX /* BIO_read takes an int length */ ||
len+want < len)
{
ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
goto err;
}
if (!BUF_MEM_grow_clean(b,len+want))
{
ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
@@ -238,11 +251,18 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
ASN1_R_NOT_ENOUGH_DATA);
goto err;
}
/* This can't overflow because
* |len+want| didn't overflow. */
len+=i;
want -= i;
want-=i;
}
}
off+=(int)c.slen;
if (off + c.slen < off)
{
ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
goto err;
}
off+=c.slen;
if (eos <= 0)
{
break;
@@ -252,9 +272,15 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
}
}
if (off > INT_MAX)
{
ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
goto err;
}
*pb = b;
return off;
err:
if (b != NULL) BUF_MEM_free(b);
return(ret);
return -1;
}

View File

@@ -139,7 +139,7 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
ASN1err(ASN1_F_A2D_ASN1_OBJECT,ASN1_R_INVALID_DIGIT);
goto err;
}
if (!use_bn && l > (ULONG_MAX / 10L))
if (!use_bn && l >= ((ULONG_MAX - 80) / 10L))
{
use_bn = 1;
if (!bl)
@@ -294,7 +294,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
/* Sanity check OID encoding: can't have leading 0x80 in
* subidentifiers, see: X.690 8.19.2
*/
for (i = 0, p = *pp + 1; i < len - 1; i++, p++)
for (i = 0, p = *pp; i < len; i++, p++)
{
if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
{

View File

@@ -74,6 +74,11 @@
#define CHARTYPE_BS_ESC (ASN1_STRFLGS_ESC_2253 | CHARTYPE_FIRST_ESC_2253 | CHARTYPE_LAST_ESC_2253)
#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
ASN1_STRFLGS_ESC_QUOTE | \
ASN1_STRFLGS_ESC_CTRL | \
ASN1_STRFLGS_ESC_MSB)
/* Three IO functions for sending data to memory, a BIO and
* and a FILE pointer.
@@ -148,6 +153,13 @@ static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, ch
if(!io_ch(arg, tmphex, 3)) return -1;
return 3;
}
/* If we get this far and do any escaping at all must escape
* the escape character itself: backslash.
*/
if (chtmp == '\\' && flags & ESC_FLAGS) {
if(!io_ch(arg, "\\\\", 2)) return -1;
return 2;
}
if(!io_ch(arg, &chtmp, 1)) return -1;
return 1;
}
@@ -292,11 +304,6 @@ static const signed char tag2nbyte[] = {
4, -1, 2 /* 28-30 */
};
#define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
ASN1_STRFLGS_ESC_QUOTE | \
ASN1_STRFLGS_ESC_CTRL | \
ASN1_STRFLGS_ESC_MSB)
/* This is the main function, print out an
* ASN1_STRING taking note of various escape
* and display options. Returns number of
@@ -560,6 +567,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
if(mbflag == -1) return -1;
mbflag |= MBSTRING_FLAG;
stmp.data = NULL;
stmp.length = 0;
ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
if(ret < 0) return ret;
*out = stmp.data;

View File

@@ -96,7 +96,7 @@ unsigned long ASN1_STRING_get_default_mask(void)
* default: the default value, Printable, T61, BMP.
*/
int ASN1_STRING_set_default_mask_asc(char *p)
int ASN1_STRING_set_default_mask_asc(const char *p)
{
unsigned long mask;
char *end;

View File

@@ -138,6 +138,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
unsigned char *buf_in=NULL;
int ret= -1,i,inl;
if (!pkey)
{
ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER);
return -1;
}
EVP_MD_CTX_init(&ctx);
i=OBJ_obj2nid(a->algorithm);
type=EVP_get_digestbyname(OBJ_nid2sn(i));

View File

@@ -1051,7 +1051,7 @@ ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d,
ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_OCTET_STRING **oct);
void ASN1_STRING_set_default_mask(unsigned long mask);
int ASN1_STRING_set_default_mask_asc(char *p);
int ASN1_STRING_set_default_mask_asc(const char *p);
unsigned long ASN1_STRING_get_default_mask(void);
int ASN1_mbstring_copy(ASN1_STRING **out, const unsigned char *in, int len,
int inform, unsigned long mask);

View File

@@ -418,9 +418,9 @@ ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it)
if(strcmp(hdr->value, "application/x-pkcs7-signature") &&
strcmp(hdr->value, "application/pkcs7-signature")) {
sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
ASN1err(ASN1_F_SMIME_READ_ASN1,ASN1_R_SIG_INVALID_MIME_TYPE);
ERR_add_error_data(2, "type: ", hdr->value);
sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
sk_BIO_pop_free(parts, BIO_vfree);
return NULL;
}
@@ -790,12 +790,17 @@ static int mime_hdr_addparam(MIME_HEADER *mhdr, char *name, char *value)
static int mime_hdr_cmp(const MIME_HEADER * const *a,
const MIME_HEADER * const *b)
{
if (!(*a)->name || !(*b)->name)
return !!(*a)->name - !!(*b)->name;
return(strcmp((*a)->name, (*b)->name));
}
static int mime_param_cmp(const MIME_PARAM * const *a,
const MIME_PARAM * const *b)
{
if (!(*a)->param_name || !(*b)->param_name)
return !!(*a)->param_name - !!(*b)->param_name;
return(strcmp((*a)->param_name, (*b)->param_name));
}

View File

@@ -196,7 +196,9 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long len
*val = nm.a;
*in = p;
return ret;
err:
err:
if (nm.x != NULL)
X509_NAME_free(nm.x);
ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
return 0;
}

View File

@@ -367,7 +367,19 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
goto err;
}
key->pkey = ret;
/* Check to see if another thread set key->pkey first */
CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY);
if (key->pkey)
{
CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
EVP_PKEY_free(ret);
ret = key->pkey;
}
else
{
key->pkey = ret;
CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY);
}
CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY);
return(ret);
err:

View File

@@ -209,7 +209,7 @@ start:
/* add to buffer and return */
if (i >= inl)
{
memcpy(&(ctx->obuf[ctx->obuf_len]),in,inl);
memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,inl);
ctx->obuf_len+=inl;
return(num+inl);
}
@@ -219,7 +219,7 @@ start:
{
if (i > 0) /* lets fill it up if we can */
{
memcpy(&(ctx->obuf[ctx->obuf_len]),in,i);
memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,i);
in+=i;
inl-=i;
num+=i;
@@ -294,9 +294,9 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
case BIO_C_GET_BUFF_NUM_LINES:
ret=0;
p1=ctx->ibuf;
for (i=ctx->ibuf_off; i<ctx->ibuf_len; i++)
for (i=0; i<ctx->ibuf_len; i++)
{
if (p1[i] == '\n') ret++;
if (p1[ctx->ibuf_off + i] == '\n') ret++;
}
break;
case BIO_CTRL_WPENDING:
@@ -399,17 +399,18 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
for (;;)
{
BIO_clear_retry_flags(b);
if (ctx->obuf_len > ctx->obuf_off)
if (ctx->obuf_len > 0)
{
r=BIO_write(b->next_bio,
&(ctx->obuf[ctx->obuf_off]),
ctx->obuf_len-ctx->obuf_off);
ctx->obuf_len);
#if 0
fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len-ctx->obuf_off,r);
fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len,r);
#endif
BIO_copy_next_retry(b);
if (r <= 0) return((long)r);
ctx->obuf_off+=r;
ctx->obuf_len-=r;
}
else
{

View File

@@ -145,6 +145,7 @@ extern "C" {
/* #endif */
#define BIO_CTRL_DGRAM_QUERY_MTU 40 /* as kernel for current MTU */
#define BIO_CTRL_DGRAM_GET_FALLBACK_MTU 47
#define BIO_CTRL_DGRAM_GET_MTU 41 /* get cached value for MTU */
#define BIO_CTRL_DGRAM_SET_MTU 42 /* set cached value for
* MTU. want to use this
@@ -321,6 +322,15 @@ DECLARE_STACK_OF(BIO)
typedef struct bio_f_buffer_ctx_struct
{
/* Buffers are setup like this:
*
* <---------------------- size ----------------------->
* +---------------------------------------------------+
* | consumed | remaining | free space |
* +---------------------------------------------------+
* <-- off --><------- len ------->
*/
/* BIO *bio; */ /* this is now in the BIO struct */
int ibuf_size; /* how big is the input buffer */
int obuf_size; /* how big is the output buffer */

View File

@@ -57,7 +57,6 @@
*
*/
#ifndef OPENSSL_NO_DGRAM
#include <stdio.h>
#include <errno.h>
@@ -65,6 +64,7 @@
#include "cryptlib.h"
#include <openssl/bio.h>
#ifndef OPENSSL_NO_DGRAM
#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS)
#include <sys/timeb.h>
@@ -288,7 +288,6 @@ static int dgram_read(BIO *b, char *out, int outl)
*/
dgram_adjust_rcv_timeout(b);
ret=recvfrom(b->num,out,outl,0,&peer,(void *)&peerlen);
dgram_reset_rcv_timeout(b);
if ( ! data->connected && ret >= 0)
BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, &peer);
@@ -302,6 +301,8 @@ static int dgram_read(BIO *b, char *out, int outl)
data->_errno = get_last_socket_error();
}
}
dgram_reset_rcv_timeout(b);
}
return(ret);
}
@@ -493,6 +494,9 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
ret = 0;
#endif
break;
case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
ret = 576 - 20 - 8;
break;
case BIO_CTRL_DGRAM_GET_MTU:
return data->mtu;
break;
@@ -654,9 +658,13 @@ static int BIO_dgram_should_retry(int i)
{
err=get_last_socket_error();
#if defined(OPENSSL_SYS_WINDOWS) && 0 /* more microsoft stupidity? perhaps not? Ben 4/1/99 */
if ((i == -1) && (err == 0))
return(1);
#if defined(OPENSSL_SYS_WINDOWS)
/* If the socket return value (i) is -1
* and err is unexpectedly 0 at this point,
* the error code was overwritten by
* another system call before this error
* handling is called.
*/
#endif
return(BIO_dgram_non_fatal_error(err));
@@ -719,7 +727,6 @@ int BIO_dgram_non_fatal_error(int err)
}
return(0);
}
#endif
static void get_current_time(struct timeval *t)
{
@@ -737,3 +744,5 @@ static void get_current_time(struct timeval *t)
gettimeofday(t, NULL);
#endif
}
#endif

View File

@@ -539,8 +539,10 @@ $sbit=$num;
&jle (&label("sqradd"));
&mov ($carry,"edx");
&lea ("edx",&DWP(0,$sbit,"edx",2));
&add ("edx","edx");
&shr ($carry,31);
&add ("edx",$sbit);
&adc ($carry,0);
&set_label("sqrlast");
&mov ($word,$_n0);
&mov ($inp,$_np);

View File

@@ -1039,7 +1039,7 @@ sub data {
addze r11,r0
#mul_add_c(a[3],b[2],c3,c1,c2);
$LD r6,`3*$BNSZ`(r4)
$LD r7,`2*$BNSZ`(r4)
$LD r7,`2*$BNSZ`(r5)
$UMULL r8,r6,r7
$UMULH r9,r6,r7
addc r12,r8,r12

View File

@@ -123,7 +123,7 @@ struct bn_blinding_st
BIGNUM *mod; /* just a reference */
unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
* used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
unsigned int counter;
int counter;
unsigned long flags;
BN_MONT_CTX *m_ctx;
int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -157,7 +157,10 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, /* const */ BIGN
if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
ret->counter = BN_BLINDING_COUNTER;
/* Set the counter to the special value -1
* to indicate that this is never-used fresh blinding
* that does not need updating before first use. */
ret->counter = -1;
return(ret);
err:
if (ret != NULL) BN_BLINDING_free(ret);
@@ -186,7 +189,10 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
goto err;
}
if (--(b->counter) == 0 && b->e != NULL &&
if (b->counter == -1)
b->counter = 0;
if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL &&
!(b->flags & BN_BLINDING_NO_RECREATE))
{
/* re-create blinding parameters */
@@ -201,8 +207,8 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
ret=1;
err:
if (b->counter == 0)
b->counter = BN_BLINDING_COUNTER;
if (b->counter == BN_BLINDING_COUNTER)
b->counter = 0;
return(ret);
}
@@ -223,6 +229,12 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
return(0);
}
if (b->counter == -1)
/* Fresh blinding, doesn't need updating. */
b->counter = 0;
else if (!BN_BLINDING_update(b,ctx))
return(0);
if (r != NULL)
{
if (!BN_copy(r, b->Ai)) ret=0;
@@ -243,22 +255,19 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ct
int ret;
bn_check_top(n);
if ((b->A == NULL) || (b->Ai == NULL))
{
BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
return(0);
}
if (r != NULL)
ret = BN_mod_mul(n, n, r, b->mod, ctx);
else
ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
if (ret >= 0)
{
if (!BN_BLINDING_update(b,ctx))
if (b->Ai == NULL)
{
BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
return(0);
}
ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
}
bn_check_top(n);
return(ret);
}

View File

@@ -607,6 +607,7 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
{
while (!BN_is_odd(u))
{
if (BN_is_zero(u)) goto err;
if (!BN_rshift1(u, u)) goto err;
if (BN_is_odd(b))
{

View File

@@ -144,26 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
a->neg=!(a->neg);
return(i);
}
/* Only expand (and risk failing) if it's possibly necessary */
if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) &&
(bn_wexpand(a,a->top+1) == NULL))
return(0);
i=0;
for (;;)
for (i=0;w!=0 && i<a->top;i++)
{
if (i >= a->top)
l=w;
else
l=(a->d[i]+w)&BN_MASK2;
a->d[i]=l;
if (w > l)
w=1;
else
break;
i++;
a->d[i] = l = (a->d[i]+w)&BN_MASK2;
w = (w>l)?1:0;
}
if (i >= a->top)
if (w && i==a->top)
{
if (bn_wexpand(a,a->top+1) == NULL) return 0;
a->top++;
a->d[i]=w;
}
bn_check_top(a);
return(1);
}

View File

@@ -60,6 +60,11 @@
#include "cryptlib.h"
#include <openssl/buffer.h>
/* LIMIT_BEFORE_EXPANSION is the maximum n such that (n+3)/3*4 < 2**31. That
* function is applied in several functions in this file and this limit ensures
* that the result fits in an int. */
#define LIMIT_BEFORE_EXPANSION 0x5ffffffc
BUF_MEM *BUF_MEM_new(void)
{
BUF_MEM *ret;
@@ -94,6 +99,11 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
char *ret;
unsigned int n;
if (len < 0)
{
BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
return 0;
}
if (str->length >= len)
{
str->length=len;
@@ -105,6 +115,12 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
str->length=len;
return(len);
}
/* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
if (len > LIMIT_BEFORE_EXPANSION)
{
BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
return 0;
}
n=(len+3)/3*4;
if (str->data == NULL)
ret=OPENSSL_malloc(n);
@@ -130,6 +146,11 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
char *ret;
unsigned int n;
if (len < 0)
{
BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
return 0;
}
if (str->length >= len)
{
memset(&str->data[len],0,str->length-len);
@@ -142,6 +163,12 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
str->length=len;
return(len);
}
/* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
if (len > LIMIT_BEFORE_EXPANSION)
{
BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
return 0;
}
n=(len+3)/3*4;
if (str->data == NULL)
ret=OPENSSL_malloc(n);

View File

@@ -110,6 +110,7 @@ DECLARE_ASN1_FUNCTIONS_const(CMS_ReceiptRequest)
#define CMS_PARTIAL 0x4000
#define CMS_REUSE_DIGEST 0x8000
#define CMS_USE_KEYID 0x10000
#define CMS_DEBUG_DECRYPT 0x20000
const ASN1_OBJECT *CMS_get0_type(CMS_ContentInfo *cms);

View File

@@ -58,7 +58,9 @@
#include <openssl/err.h>
#include <openssl/cms.h>
#include <openssl/bio.h>
#ifndef OPENSSL_NO_COMP
#include <openssl/comp.h>
#endif
#include "cms_lcl.h"
DECLARE_ASN1_ITEM(CMS_CompressedData)

View File

@@ -73,6 +73,8 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
const EVP_CIPHER *ciph;
X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL;
unsigned char *tkey = NULL;
size_t tkeylen;
int ok = 0;
@@ -137,32 +139,57 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
goto err;
}
if (enc && !ec->key)
tkeylen = EVP_CIPHER_CTX_key_length(ctx);
/* Generate random session key */
if (!enc || !ec->key)
{
/* Generate random key */
if (!ec->keylen)
ec->keylen = EVP_CIPHER_CTX_key_length(ctx);
ec->key = OPENSSL_malloc(ec->keylen);
if (!ec->key)
tkey = OPENSSL_malloc(tkeylen);
if (!tkey)
{
CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
ERR_R_MALLOC_FAILURE);
goto err;
}
if (EVP_CIPHER_CTX_rand_key(ctx, ec->key) <= 0)
if (EVP_CIPHER_CTX_rand_key(ctx, tkey) <= 0)
goto err;
keep_key = 1;
}
else if (ec->keylen != (unsigned int)EVP_CIPHER_CTX_key_length(ctx))
if (!ec->key)
{
ec->key = tkey;
ec->keylen = tkeylen;
tkey = NULL;
if (enc)
keep_key = 1;
else
ERR_clear_error();
}
if (ec->keylen != tkeylen)
{
/* If necessary set key length */
if (EVP_CIPHER_CTX_set_key_length(ctx, ec->keylen) <= 0)
{
CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
CMS_R_INVALID_KEY_LENGTH);
goto err;
/* Only reveal failure if debugging so we don't
* leak information which may be useful in MMA.
*/
if (enc || ec->debug)
{
CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
CMS_R_INVALID_KEY_LENGTH);
goto err;
}
else
{
/* Use random key */
OPENSSL_cleanse(ec->key, ec->keylen);
OPENSSL_free(ec->key);
ec->key = tkey;
ec->keylen = tkeylen;
tkey = NULL;
ERR_clear_error();
}
}
}
@@ -198,6 +225,11 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
OPENSSL_free(ec->key);
ec->key = NULL;
}
if (tkey)
{
OPENSSL_cleanse(tkey, tkeylen);
OPENSSL_free(tkey);
}
if (ok)
return b;
BIO_free(b);

View File

@@ -352,6 +352,8 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
unsigned char *ek = NULL;
int eklen;
int ret = 0;
CMS_EncryptedContentInfo *ec;
ec = cms->d.envelopedData->encryptedContentInfo;
if (ktri->pkey == NULL)
{
@@ -382,8 +384,14 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms,
ret = 1;
cms->d.envelopedData->encryptedContentInfo->key = ek;
cms->d.envelopedData->encryptedContentInfo->keylen = eklen;
if (ec->key)
{
OPENSSL_cleanse(ec->key, ec->keylen);
OPENSSL_free(ec->key);
}
ec->key = ek;
ec->keylen = eklen;
err:
if (!ret && ek)

View File

@@ -112,7 +112,7 @@ static int cms_output_data(BIO *out, BIO *data, ASN1_VALUE *val, int flags,
cmsbio = tmpbio;
}
return 1;
return r;
}

View File

@@ -175,6 +175,8 @@ struct CMS_EncryptedContentInfo_st
const EVP_CIPHER *cipher;
unsigned char *key;
size_t keylen;
/* Set to 1 if we are debugging decrypt and don't fake keys for MMA */
int debug;
};
struct CMS_RecipientInfo_st

View File

@@ -622,7 +622,10 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
STACK_OF(CMS_RecipientInfo) *ris;
CMS_RecipientInfo *ri;
int i, r;
int debug = 0;
ris = CMS_get0_RecipientInfos(cms);
if (ris)
debug = cms->d.envelopedData->encryptedContentInfo->debug;
for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++)
{
ri = sk_CMS_RecipientInfo_value(ris, i);
@@ -636,17 +639,38 @@ int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert)
CMS_RecipientInfo_set0_pkey(ri, pk);
r = CMS_RecipientInfo_decrypt(cms, ri);
CMS_RecipientInfo_set0_pkey(ri, NULL);
if (r > 0)
return 1;
if (cert)
{
/* If not debugging clear any error and
* return success to avoid leaking of
* information useful to MMA
*/
if (!debug)
{
ERR_clear_error();
return 1;
}
if (r > 0)
return 1;
CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY,
CMS_R_DECRYPT_ERROR);
return 0;
}
ERR_clear_error();
/* If no cert and not debugging don't leave loop
* after first successful decrypt. Always attempt
* to decrypt all recipients to avoid leaking timing
* of a successful decrypt.
*/
else if (r > 0 && debug)
return 1;
}
}
/* If no cert and not debugging always return success */
if (!cert && !debug)
{
ERR_clear_error();
return 1;
}
CMSerr(CMS_F_CMS_DECRYPT_SET1_PKEY, CMS_R_NO_MATCHING_RECIPIENT);
return 0;
@@ -705,9 +729,14 @@ int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert,
}
if (!dcont && !check_content(cms))
return 0;
if (flags & CMS_DEBUG_DECRYPT)
cms->d.envelopedData->encryptedContentInfo->debug = 1;
else
cms->d.envelopedData->encryptedContentInfo->debug = 0;
if (!pk && !cert && !dcont && !out)
return 1;
if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert))
return 0;
cont = CMS_dataInit(cms, dcont);
if (!cont)
return 0;

View File

@@ -46,7 +46,7 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
{
int i;
if (olen < (ilen-1))
if (ilen == 0 || olen < (ilen-1))
{
/* ZZZZZZZZZZZZZZZZZZZZZZ */
return(-1);
@@ -59,4 +59,3 @@ static int rle_expand_block(COMP_CTX *ctx, unsigned char *out,
}
return(ilen-1);
}

View File

@@ -64,6 +64,7 @@
#endif
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/conf.h>
#include <openssl/conf_api.h>

View File

@@ -396,7 +396,6 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
ERR_remove_state(0);
break;
case DLL_PROCESS_DETACH:
break;
@@ -543,3 +542,19 @@ void OpenSSLDie(const char *file,int line,const char *assertion)
}
void *OPENSSL_stderr(void) { return stderr; }
#ifndef OPENSSL_FIPS
int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len)
{
size_t i;
const unsigned char *a = in_a;
const unsigned char *b = in_b;
unsigned char x = 0;
for (i = 0; i < len; i++)
x |= a[i] ^ b[i];
return x;
}
#endif

View File

@@ -588,15 +588,22 @@ int OPENSSL_isservice(void);
#endif /* def OPENSSL_FIPS */
#define OPENSSL_HAVE_INIT 1
void OPENSSL_init(void);
/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It
* takes an amount of time dependent on |len|, but independent of the contents
* of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a
* defined order as the return value when a != b is undefined, other than to be
* non-zero. */
int CRYPTO_memcmp(const void *a, const void *b, size_t len);
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.
*/
void ERR_load_CRYPTO_strings(void);
#define OPENSSL_HAVE_INIT 1
void OPENSSL_init(void);
/* Error codes for the CRYPTO functions. */
/* Function codes. */

View File

@@ -321,7 +321,15 @@ void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t);
/* functions to set/get method specific data */
void *EC_KEY_get_key_method_data(EC_KEY *,
void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
void EC_KEY_insert_key_method_data(EC_KEY *, void *data,
/** Sets the key method data of an EC_KEY object, if none has yet been set.
* \param key EC_KEY object
* \param data opaque data to install.
* \param dup_func a function that duplicates |data|.
* \param free_func a function that frees |data|.
* \param clear_free_func a function that wipes and frees |data|.
* \return the previously set data pointer, or NULL if |data| was inserted.
*/
void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
/* wrapper functions for the underlying EC_GROUP object */
void EC_KEY_set_asn1_flag(EC_KEY *, int);

View File

@@ -821,7 +821,7 @@ int ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_
field_sqr = group->meth->field_sqr;
/* only support affine coordinates */
if (!point->Z_is_one) goto err;
if (!point->Z_is_one) return -1;
if (ctx == NULL)
{
@@ -871,6 +871,9 @@ int ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT
{
return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
}
if (EC_POINT_is_at_infinity(group, b))
return 1;
if (a->Z_is_one && b->Z_is_one)
{

View File

@@ -304,7 +304,13 @@ int EC_KEY_check_key(const EC_KEY *eckey)
ECerr(EC_F_EC_KEY_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key))
{
ECerr(EC_F_EC_KEY_CHECK_KEY, EC_R_POINT_AT_INFINITY);
goto err;
}
if ((ctx = BN_CTX_new()) == NULL)
goto err;
if ((point = EC_POINT_new(eckey->group)) == NULL)
@@ -429,18 +435,27 @@ void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform)
void *EC_KEY_get_key_method_data(EC_KEY *key,
void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
{
return EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
void *ret;
CRYPTO_r_lock(CRYPTO_LOCK_EC);
ret = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
CRYPTO_r_unlock(CRYPTO_LOCK_EC);
return ret;
}
void EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *))
{
EC_EXTRA_DATA *ex_data;
CRYPTO_w_lock(CRYPTO_LOCK_EC);
ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func);
if (ex_data == NULL)
EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func);
CRYPTO_w_unlock(CRYPTO_LOCK_EC);
return ex_data;
}
void EC_KEY_set_asn1_flag(EC_KEY *key, int flag)

View File

@@ -1406,6 +1406,9 @@ int ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *
{
return EC_POINT_is_at_infinity(group, b) ? 0 : 1;
}
if (EC_POINT_is_at_infinity(group, b))
return 1;
if (a->Z_is_one && b->Z_is_one)
{

View File

@@ -205,8 +205,15 @@ ECDH_DATA *ecdh_check(EC_KEY *key)
ecdh_data = (ECDH_DATA *)ecdh_data_new();
if (ecdh_data == NULL)
return NULL;
EC_KEY_insert_key_method_data(key, (void *)ecdh_data,
ecdh_data_dup, ecdh_data_free, ecdh_data_free);
data = EC_KEY_insert_key_method_data(key, (void *)ecdh_data,
ecdh_data_dup, ecdh_data_free, ecdh_data_free);
if (data != NULL)
{
/* Another thread raced us to install the key_method
* data and won. */
ecdh_data_free(ecdh_data);
ecdh_data = (ECDH_DATA *)data;
}
}
else
ecdh_data = (ECDH_DATA *)data;

View File

@@ -168,10 +168,9 @@ int fbytes(unsigned char *buf, int num)
return 0;
}
fbytes_counter ++;
ret = BN_bn2bin(tmp, buf);
if (ret == 0 || ret != num)
if (num != BN_num_bytes(tmp) || !BN_bn2bin(tmp, buf))
ret = 0;
else
else
ret = 1;
if (tmp)
BN_free(tmp);
@@ -287,9 +286,13 @@ int test_builtin(BIO *out)
size_t crv_len = 0, n = 0;
EC_KEY *eckey = NULL, *wrong_eckey = NULL;
EC_GROUP *group;
ECDSA_SIG *ecdsa_sig = NULL;
unsigned char digest[20], wrong_digest[20];
unsigned char *signature = NULL;
unsigned int sig_len;
unsigned char *signature = NULL;
const unsigned char *sig_ptr;
unsigned char *sig_ptr2;
unsigned char *raw_buf = NULL;
unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len;
int nid, ret = 0;
/* fill digest values with some random data */
@@ -339,7 +342,8 @@ int test_builtin(BIO *out)
if (EC_KEY_set_group(eckey, group) == 0)
goto builtin_err;
EC_GROUP_free(group);
if (EC_GROUP_get_degree(EC_KEY_get0_group(eckey)) < 160)
degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
if (degree < 160)
/* drop the curve */
{
EC_KEY_free(eckey);
@@ -415,26 +419,89 @@ int test_builtin(BIO *out)
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* modify a single byte of the signature */
offset = signature[10] % sig_len;
dirt = signature[11];
signature[offset] ^= dirt ? dirt : 1;
/* wrong length */
if (ECDSA_verify(0, digest, 20, signature, sig_len - 1,
eckey) == 1)
{
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
/* Modify a single byte of the signature: to ensure we don't
* garble the ASN1 structure, we read the raw signature and
* modify a byte in one of the bignums directly. */
sig_ptr = signature;
if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)) == NULL)
{
BIO_printf(out, " failed\n");
goto builtin_err;
}
/* Store the two BIGNUMs in raw_buf. */
r_len = BN_num_bytes(ecdsa_sig->r);
s_len = BN_num_bytes(ecdsa_sig->s);
bn_len = (degree + 7) / 8;
if ((r_len > bn_len) || (s_len > bn_len))
{
BIO_printf(out, " failed\n");
goto builtin_err;
}
buf_len = 2 * bn_len;
if ((raw_buf = OPENSSL_malloc(buf_len)) == NULL)
goto builtin_err;
/* Pad the bignums with leading zeroes. */
memset(raw_buf, 0, buf_len);
BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len);
BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len);
/* Modify a single byte in the buffer. */
offset = raw_buf[10] % buf_len;
dirt = raw_buf[11] ? raw_buf[11] : 1;
raw_buf[offset] ^= dirt;
/* Now read the BIGNUMs back in from raw_buf. */
if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
(BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
goto builtin_err;
sig_ptr2 = signature;
sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1)
{
BIO_printf(out, " failed\n");
goto builtin_err;
}
/* Sanity check: undo the modification and verify signature. */
raw_buf[offset] ^= dirt;
if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
(BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
goto builtin_err;
sig_ptr2 = signature;
sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1)
{
BIO_printf(out, " failed\n");
goto builtin_err;
}
BIO_printf(out, ".");
(void)BIO_flush(out);
BIO_printf(out, " ok\n");
/* cleanup */
/* clean bogus errors */
ERR_clear_error();
OPENSSL_free(signature);
signature = NULL;
EC_KEY_free(eckey);
eckey = NULL;
EC_KEY_free(wrong_eckey);
wrong_eckey = NULL;
ECDSA_SIG_free(ecdsa_sig);
ecdsa_sig = NULL;
OPENSSL_free(raw_buf);
raw_buf = NULL;
}
ret = 1;
@@ -443,8 +510,12 @@ builtin_err:
EC_KEY_free(eckey);
if (wrong_eckey)
EC_KEY_free(wrong_eckey);
if (ecdsa_sig)
ECDSA_SIG_free(ecdsa_sig);
if (signature)
OPENSSL_free(signature);
if (raw_buf)
OPENSSL_free(raw_buf);
if (curves)
OPENSSL_free(curves);

View File

@@ -188,8 +188,15 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key)
ecdsa_data = (ECDSA_DATA *)ecdsa_data_new();
if (ecdsa_data == NULL)
return NULL;
EC_KEY_insert_key_method_data(key, (void *)ecdsa_data,
ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free);
data = EC_KEY_insert_key_method_data(key, (void *)ecdsa_data,
ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free);
if (data != NULL)
{
/* Another thread raced us to install the key_method
* data and won. */
ecdsa_data_free(ecdsa_data);
ecdsa_data = (ECDSA_DATA *)data;
}
}
else
ecdsa_data = (ECDSA_DATA *)data;

View File

@@ -144,6 +144,14 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
}
while (BN_is_zero(k));
/* We do not want timing information to leak the length of k,
* so we compute G*k using an equivalent scalar of fixed
* bit-length. */
if (!BN_add(k, k, order)) goto err;
if (BN_num_bits(k) <= BN_num_bits(order))
if (!BN_add(k, k, order)) goto err;
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx))
{

View File

@@ -104,7 +104,9 @@
#ifndef OPENSSL_NO_JPAKE
#include <openssl/jpake.h>
#endif
#ifndef OPENSSL_NO_COMP
#include <openssl/comp.h>
#endif
void ERR_load_crypto_strings(void)
{

View File

@@ -435,6 +435,7 @@ int main(int argc,char **argv)
EXIT(3);
}
}
fclose(f);
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();

View File

@@ -372,6 +372,10 @@ void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file,
if (num <= 0) return NULL;
/* We don't support shrinking the buffer. Note the memcpy that copies
* |old_len| bytes to the new buffer, below. */
if (num < old_len) return NULL;
if (realloc_debug_func != NULL)
realloc_debug_func(str, NULL, num, file, line, 0);
ret=malloc_ex_func(num,file,line);

View File

@@ -93,4 +93,18 @@ void OPENSSL_init(void)
#endif
}
#ifdef OPENSSL_FIPS
int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len)
{
size_t i;
const unsigned char *a = in_a;
const unsigned char *b = in_b;
unsigned char x = 0;
for (i = 0; i < len; i++)
x |= a[i] ^ b[i];
return x;
}
#endif

View File

@@ -169,14 +169,14 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
char *host, *port;
/* dup the buffer since we are going to mess with it */
buf = BUF_strdup(url);
if (!buf) goto mem_err;
*phost = NULL;
*pport = NULL;
*ppath = NULL;
/* dup the buffer since we are going to mess with it */
buf = BUF_strdup(url);
if (!buf) goto mem_err;
/* Check for initial colon */
p = strchr(buf, ':');

View File

@@ -91,9 +91,12 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
{
EVP_PKEY *skey;
skey = X509_get_pubkey(signer);
ret = OCSP_BASICRESP_verify(bs, skey, 0);
EVP_PKEY_free(skey);
if(ret <= 0)
if (skey)
{
ret = OCSP_BASICRESP_verify(bs, skey, 0);
EVP_PKEY_free(skey);
}
if(!skey || ret <= 0)
{
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE);
goto end;
@@ -108,6 +111,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
if(!init_res)
{
ret = -1;
OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
goto end;
}

View File

@@ -25,11 +25,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
#define OPENSSL_VERSION_NUMBER 0x0090811f
#define OPENSSL_VERSION_NUMBER 0x0090819fL
#ifdef OPENSSL_FIPS
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8q-fips 2 Dec 2010"
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8y-fips 5 Feb 2013"
#else
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8q 2 Dec 2010"
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8y 5 Feb 2013"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT

View File

@@ -158,7 +158,6 @@ sub cbc
&jmp_ptr($count);
&set_label("ej7");
&xor("edx", "edx") if $ppro; # ppro friendly
&movb(&HB("edx"), &BP(6,$in,"",0));
&shl("edx",8);
&set_label("ej6");
@@ -170,7 +169,6 @@ sub cbc
&jmp(&label("ejend"));
&set_label("ej3");
&movb(&HB("ecx"), &BP(2,$in,"",0));
&xor("ecx", "ecx") if $ppro; # ppro friendly
&shl("ecx",8);
&set_label("ej2");
&movb(&HB("ecx"), &BP(1,$in,"",0));

View File

@@ -420,6 +420,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
int max;
X509_OBJECT ret;
#endif
unsigned char *tkey = NULL;
int tkeylen;
int jj;
if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
@@ -461,36 +463,42 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
if (pcert == NULL)
{
/* Temporary storage in case EVP_PKEY_decrypt
* overwrites output buffer on error.
*/
unsigned char *tmp2;
tmp2 = OPENSSL_malloc(jj);
if (!tmp2)
goto err;
jj = -1;
/* Always attempt to decrypt all cases to avoid
* leaking timing information about a successful
* decrypt.
*/
for (i=0; i<sk_PKCS7_RECIP_INFO_num(rsk); i++)
{
int tret;
ri=sk_PKCS7_RECIP_INFO_value(rsk,i);
jj=EVP_PKEY_decrypt(tmp,
tret=EVP_PKEY_decrypt(tmp2,
M_ASN1_STRING_data(ri->enc_key),
M_ASN1_STRING_length(ri->enc_key),
pkey);
if (jj > 0)
break;
if (tret > 0)
{
memcpy(tmp, tmp2, tret);
OPENSSL_cleanse(tmp2, tret);
jj = tret;
}
ERR_clear_error();
ri = NULL;
}
if (ri == NULL)
{
PKCS7err(PKCS7_F_PKCS7_DATADECODE,
PKCS7_R_NO_RECIPIENT_MATCHES_KEY);
goto err;
}
OPENSSL_free(tmp2);
}
else
{
jj=EVP_PKEY_decrypt(tmp,
M_ASN1_STRING_data(ri->enc_key),
M_ASN1_STRING_length(ri->enc_key), pkey);
if (jj <= 0)
{
PKCS7err(PKCS7_F_PKCS7_DATADECODE,
ERR_R_EVP_LIB);
goto err;
}
ERR_clear_error();
}
evp_ctx=NULL;
@@ -499,24 +507,49 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
goto err;
if (EVP_CIPHER_asn1_to_param(evp_ctx,enc_alg->parameter) < 0)
goto err;
/* Generate random key to counter MMA */
tkeylen = EVP_CIPHER_CTX_key_length(evp_ctx);
tkey = OPENSSL_malloc(tkeylen);
if (!tkey)
goto err;
if (EVP_CIPHER_CTX_rand_key(evp_ctx, tkey) <= 0)
goto err;
/* If we have no key use random key */
if (jj <= 0)
{
OPENSSL_free(tmp);
jj = tkeylen;
tmp = tkey;
tkey = NULL;
}
if (jj != EVP_CIPHER_CTX_key_length(evp_ctx)) {
if (jj != tkeylen) {
/* Some S/MIME clients don't use the same key
* and effective key length. The key length is
* determined by the size of the decrypted RSA key.
*/
if(!EVP_CIPHER_CTX_set_key_length(evp_ctx, jj))
{
PKCS7err(PKCS7_F_PKCS7_DATADECODE,
PKCS7_R_DECRYPTED_KEY_IS_WRONG_LENGTH);
goto err;
/* As MMA defence use random key instead */
OPENSSL_cleanse(tmp, jj);
OPENSSL_free(tmp);
jj = tkeylen;
tmp = tkey;
tkey = NULL;
}
}
ERR_clear_error();
if (EVP_CipherInit_ex(evp_ctx,NULL,NULL,tmp,NULL,0) <= 0)
goto err;
OPENSSL_cleanse(tmp,jj);
if (tkey)
{
OPENSSL_cleanse(tkey, tkeylen);
OPENSSL_free(tkey);
}
if (out == NULL)
out=etmp;
else

View File

@@ -486,15 +486,34 @@ int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags)
return 0;
}
ret = SMIME_text(bread, data);
if (ret > 0 && BIO_method_type(tmpmem) == BIO_TYPE_CIPHER)
{
if (!BIO_get_cipher_status(tmpmem))
ret = 0;
}
BIO_free_all(bread);
return ret;
} else {
for(;;) {
i = BIO_read(tmpmem, buf, sizeof(buf));
if(i <= 0) break;
BIO_write(data, buf, i);
if(i <= 0)
{
ret = 1;
if (BIO_method_type(tmpmem) == BIO_TYPE_CIPHER)
{
if (!BIO_get_cipher_status(tmpmem))
ret = 0;
}
break;
}
if (BIO_write(data, buf, i) != i)
{
ret = 0;
break;
}
}
BIO_free_all(tmpmem);
return 1;
return ret;
}
}

View File

@@ -167,7 +167,7 @@ $code.=<<___;
movzb ($dat,$XX[0]),$TX[0]#d
test \$-8,$len
jz .Lcloop1
cmp \$0,260($dat)
cmpl \$0,260($dat)
jnz .Lcloop1
push %rbx
jmp .Lcloop8

View File

@@ -138,9 +138,9 @@ void RC4_set_key(RC4_KEY *key, int len, const unsigned char *data)
*/
#ifdef OPENSSL_FIPS
unsigned long *ia32cap_ptr = OPENSSL_ia32cap_loc();
if (ia32cap_ptr && (*ia32cap_ptr & (1<<28))) {
if (ia32cap_ptr && (*ia32cap_ptr & (1<<20))) {
#else
if (OPENSSL_ia32cap_P & (1<<28)) {
if (OPENSSL_ia32cap_P & (1<<20)) {
#endif
unsigned char *cp=(unsigned char *)d;

View File

@@ -312,51 +312,56 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
return ret;
}
static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f,
BIGNUM *r, BN_CTX *ctx)
{
if (local)
static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
BN_CTX *ctx)
{
if (unblind == NULL)
/* Local blinding: store the unblinding factor
* in BN_BLINDING. */
return BN_BLINDING_convert_ex(f, NULL, b, ctx);
else
{
int ret;
CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING);
ret = BN_BLINDING_convert_ex(f, r, b, ctx);
CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
return ret;
}
}
static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
BIGNUM *r, BN_CTX *ctx)
{
if (local)
return BN_BLINDING_invert_ex(f, NULL, b, ctx);
else
{
/* Shared blinding: store the unblinding factor
* outside BN_BLINDING. */
int ret;
CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
ret = BN_BLINDING_invert_ex(f, r, b, ctx);
ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
return ret;
}
}
}
static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
BN_CTX *ctx)
{
/* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
* will use the unblinding factor stored in BN_BLINDING.
* If BN_BLINDING is shared between threads, unblind must be non-null:
* BN_BLINDING_invert_ex will then use the local unblinding factor,
* and will only read the modulus from BN_BLINDING.
* In both cases it's safe to access the blinding without a lock.
*/
return BN_BLINDING_invert_ex(f, unblind, b, ctx);
}
/* signing */
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
BIGNUM *f, *ret, *br, *res;
BIGNUM *f, *ret, *res;
int i,j,k,num=0,r= -1;
unsigned char *buf=NULL;
BN_CTX *ctx=NULL;
int local_blinding = 0;
/* Used only if the blinding structure is shared. A non-NULL unblind
* instructs rsa_blinding_convert() and rsa_blinding_invert() to store
* the unblinding factor outside the blinding structure. */
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
if ((ctx=BN_CTX_new()) == NULL) goto err;
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
br = BN_CTX_get(ctx);
ret = BN_CTX_get(ctx);
num = BN_num_bytes(rsa->n);
buf = OPENSSL_malloc(num);
@@ -404,8 +409,15 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
}
if (blinding != NULL)
if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
{
if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
{
RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
goto err;
}
if (!rsa_blinding_convert(blinding, f, unblind, ctx))
goto err;
}
if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
((rsa->p != NULL) &&
@@ -439,7 +451,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
}
if (blinding)
if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
goto err;
if (padding == RSA_X931_PADDING)
@@ -478,18 +490,21 @@ err:
static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
BIGNUM *f, *ret, *br;
BIGNUM *f, *ret;
int j,num=0,r= -1;
unsigned char *p;
unsigned char *buf=NULL;
BN_CTX *ctx=NULL;
int local_blinding = 0;
/* Used only if the blinding structure is shared. A non-NULL unblind
* instructs rsa_blinding_convert() and rsa_blinding_invert() to store
* the unblinding factor outside the blinding structure. */
BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
if((ctx = BN_CTX_new()) == NULL) goto err;
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
br = BN_CTX_get(ctx);
ret = BN_CTX_get(ctx);
num = BN_num_bytes(rsa->n);
buf = OPENSSL_malloc(num);
@@ -527,8 +542,15 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
}
if (blinding != NULL)
if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
{
if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
{
RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
goto err;
}
if (!rsa_blinding_convert(blinding, f, unblind, ctx))
goto err;
}
/* do the decrypt */
if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -562,7 +584,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
}
if (blinding)
if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
goto err;
p=buf;

View File

@@ -143,7 +143,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL);
if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
goto decoding_err;
else
{

View File

@@ -252,15 +252,15 @@
#define EC_POINT_set_compressed_coordinates_GF2m \
EC_POINT_set_compr_coords_GF2m
#undef ec_GF2m_simple_group_clear_finish
#define ec_GF2m_simple_group_clear_finish ec_GF2m_simple_grp_clr_finish
#define ec_GF2m_simple_group_clear_finish ec_GF2m_simple_grp_clr_finish
#undef ec_GF2m_simple_group_check_discriminant
#define ec_GF2m_simple_group_check_discriminant ec_GF2m_simple_grp_chk_discrim
#undef ec_GF2m_simple_point_clear_finish
#define ec_GF2m_simple_point_clear_finish ec_GF2m_simple_pt_clr_finish
#define ec_GF2m_simple_point_clear_finish ec_GF2m_simple_pt_clr_finish
#undef ec_GF2m_simple_point_set_to_infinity
#define ec_GF2m_simple_point_set_to_infinity ec_GF2m_simple_pt_set_to_inf
#define ec_GF2m_simple_point_set_to_infinity ec_GF2m_simple_pt_set_to_inf
#undef ec_GF2m_simple_points_make_affine
#define ec_GF2m_simple_points_make_affine ec_GF2m_simple_pts_make_affine
#define ec_GF2m_simple_points_make_affine ec_GF2m_simple_pts_make_affine
#undef ec_GF2m_simple_point_set_affine_coordinates
#define ec_GF2m_simple_point_set_affine_coordinates \
ec_GF2m_smp_pt_set_af_coords
@@ -288,8 +288,6 @@
#define ec_GFp_simple_point_set_to_infinity ec_GFp_simple_pt_set_to_inf
#undef ec_GFp_simple_points_make_affine
#define ec_GFp_simple_points_make_affine ec_GFp_simple_pts_make_affine
#undef ec_GFp_simple_group_get_curve_GFp
#define ec_GFp_simple_group_get_curve_GFp ec_GFp_simple_grp_get_curve_GFp
#undef ec_GFp_simple_set_Jprojective_coordinates_GFp
#define ec_GFp_simple_set_Jprojective_coordinates_GFp \
ec_GFp_smp_set_Jproj_coords_GFp

View File

@@ -1097,7 +1097,7 @@ int X509_cmp_time(ASN1_TIME *ctm, time_t *cmp_time)
atm.length=sizeof(buff2);
atm.data=(unsigned char *)buff2;
if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
return 0;
if (ctm->type == V_ASN1_UTCTIME)

View File

@@ -70,8 +70,6 @@ static int ref_cmp(const X509_POLICY_REF * const *a,
static void policy_map_free(X509_POLICY_REF *map)
{
if (map->subjectDomainPolicy)
ASN1_OBJECT_free(map->subjectDomainPolicy);
OPENSSL_free(map);
}
@@ -95,6 +93,7 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
{
POLICY_MAPPING *map;
X509_POLICY_REF *ref = NULL;
ASN1_OBJECT *subjectDomainPolicyRef;
X509_POLICY_DATA *data;
X509_POLICY_CACHE *cache = x->policy_cache;
int i;
@@ -153,13 +152,16 @@ int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
if (!sk_ASN1_OBJECT_push(data->expected_policy_set,
map->subjectDomainPolicy))
goto bad_mapping;
/* map->subjectDomainPolicy will be freed when
* cache->data is freed. Set it to NULL to avoid double-free. */
subjectDomainPolicyRef = map->subjectDomainPolicy;
map->subjectDomainPolicy = NULL;
ref = OPENSSL_malloc(sizeof(X509_POLICY_REF));
if (!ref)
goto bad_mapping;
ref->subjectDomainPolicy = map->subjectDomainPolicy;
map->subjectDomainPolicy = NULL;
ref->subjectDomainPolicy = subjectDomainPolicyRef;
ref->data = data;
if (!sk_X509_POLICY_REF_push(cache->maps, ref))

View File

@@ -612,6 +612,10 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
case 2:
return 1;
/* Some internal error */
case -1:
return -1;
/* Some internal error */
case 0:
return 0;
@@ -691,4 +695,3 @@ int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy,
return 0;
}

View File

@@ -142,12 +142,13 @@ unsigned int v3_addr_get_afi(const IPAddressFamily *f)
* Expand the bitstring form of an address into a raw byte array.
* At the moment this is coded for simplicity, not speed.
*/
static void addr_expand(unsigned char *addr,
static int addr_expand(unsigned char *addr,
const ASN1_BIT_STRING *bs,
const int length,
const unsigned char fill)
{
OPENSSL_assert(bs->length >= 0 && bs->length <= length);
if (bs->length < 0 || bs->length > length)
return 0;
if (bs->length > 0) {
memcpy(addr, bs->data, bs->length);
if ((bs->flags & 7) != 0) {
@@ -159,6 +160,7 @@ static void addr_expand(unsigned char *addr,
}
}
memset(addr + bs->length, fill, length - bs->length);
return 1;
}
/*
@@ -177,13 +179,17 @@ static int i2r_address(BIO *out,
unsigned char addr[ADDR_RAW_BUF_LEN];
int i, n;
if (bs->length < 0)
return 0;
switch (afi) {
case IANA_AFI_IPV4:
addr_expand(addr, bs, 4, fill);
if (!addr_expand(addr, bs, 4, fill))
return 0;
BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
break;
case IANA_AFI_IPV6:
addr_expand(addr, bs, 16, fill);
if (!addr_expand(addr, bs, 16, fill))
return 0;
for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
;
for (i = 0; i < n; i += 2)
@@ -309,6 +315,12 @@ static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method,
/*
* Sort comparison function for a sequence of IPAddressOrRange
* elements.
*
* There's no sane answer we can give if addr_expand() fails, and an
* assertion failure on externally supplied data is seriously uncool,
* so we just arbitrarily declare that if given invalid inputs this
* function returns -1. If this messes up your preferred sort order
* for garbage input, tough noogies.
*/
static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
const IPAddressOrRange *b,
@@ -321,22 +333,26 @@ static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
switch (a->type) {
case IPAddressOrRange_addressPrefix:
addr_expand(addr_a, a->u.addressPrefix, length, 0x00);
if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
return -1;
prefixlen_a = addr_prefixlen(a->u.addressPrefix);
break;
case IPAddressOrRange_addressRange:
addr_expand(addr_a, a->u.addressRange->min, length, 0x00);
if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
return -1;
prefixlen_a = length * 8;
break;
}
switch (b->type) {
case IPAddressOrRange_addressPrefix:
addr_expand(addr_b, b->u.addressPrefix, length, 0x00);
if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
return -1;
prefixlen_b = addr_prefixlen(b->u.addressPrefix);
break;
case IPAddressOrRange_addressRange:
addr_expand(addr_b, b->u.addressRange->min, length, 0x00);
if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
return -1;
prefixlen_b = length * 8;
break;
}
@@ -378,6 +394,7 @@ static int range_should_be_prefix(const unsigned char *min,
unsigned char mask;
int i, j;
OPENSSL_assert(memcmp(min, max, length) <= 0);
for (i = 0; i < length && min[i] == max[i]; i++)
;
for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
@@ -651,22 +668,22 @@ int v3_addr_add_range(IPAddrBlocks *addr,
/*
* Extract min and max values from an IPAddressOrRange.
*/
static void extract_min_max(IPAddressOrRange *aor,
static int extract_min_max(IPAddressOrRange *aor,
unsigned char *min,
unsigned char *max,
int length)
{
OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
if (aor == NULL || min == NULL || max == NULL)
return 0;
switch (aor->type) {
case IPAddressOrRange_addressPrefix:
addr_expand(min, aor->u.addressPrefix, length, 0x00);
addr_expand(max, aor->u.addressPrefix, length, 0xFF);
return;
return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
addr_expand(max, aor->u.addressPrefix, length, 0xFF));
case IPAddressOrRange_addressRange:
addr_expand(min, aor->u.addressRange->min, length, 0x00);
addr_expand(max, aor->u.addressRange->max, length, 0xFF);
return;
return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
addr_expand(max, aor->u.addressRange->max, length, 0xFF));
}
return 0;
}
/*
@@ -682,9 +699,10 @@ int v3_addr_get_range(IPAddressOrRange *aor,
if (aor == NULL || min == NULL || max == NULL ||
afi_length == 0 || length < afi_length ||
(aor->type != IPAddressOrRange_addressPrefix &&
aor->type != IPAddressOrRange_addressRange))
aor->type != IPAddressOrRange_addressRange) ||
!extract_min_max(aor, min, max, afi_length))
return 0;
extract_min_max(aor, min, max, afi_length);
return afi_length;
}
@@ -766,8 +784,9 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
extract_min_max(a, a_min, a_max, length);
extract_min_max(b, b_min, b_max, length);
if (!extract_min_max(a, a_min, a_max, length) ||
!extract_min_max(b, b_min, b_max, length))
return 0;
/*
* Punt misordered list, overlapping start, or inverted range.
@@ -795,14 +814,17 @@ int v3_addr_is_canonical(IPAddrBlocks *addr)
}
/*
* Check final range to see if it should be a prefix.
* Check range to see if it's inverted or should be a
* prefix.
*/
j = sk_IPAddressOrRange_num(aors) - 1;
{
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
if (a->type == IPAddressOrRange_addressRange) {
extract_min_max(a, a_min, a_max, length);
if (range_should_be_prefix(a_min, a_max, length) >= 0)
if (a != NULL && a->type == IPAddressOrRange_addressRange) {
if (!extract_min_max(a, a_min, a_max, length))
return 0;
if (memcmp(a_min, a_max, length) > 0 ||
range_should_be_prefix(a_min, a_max, length) >= 0)
return 0;
}
}
@@ -836,8 +858,16 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
extract_min_max(a, a_min, a_max, length);
extract_min_max(b, b_min, b_max, length);
if (!extract_min_max(a, a_min, a_max, length) ||
!extract_min_max(b, b_min, b_max, length))
return 0;
/*
* Punt inverted ranges.
*/
if (memcmp(a_min, a_max, length) > 0 ||
memcmp(b_min, b_max, length) > 0)
return 0;
/*
* Punt overlaps.
@@ -864,6 +894,20 @@ static int IPAddressOrRanges_canonize(IPAddressOrRanges *aors,
}
}
/*
* Check for inverted final range.
*/
j = sk_IPAddressOrRange_num(aors) - 1;
{
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
if (a != NULL && a->type == IPAddressOrRange_addressRange) {
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
extract_min_max(a, a_min, a_max, length);
if (memcmp(a_min, a_max, length) > 0)
return 0;
}
}
return 1;
}
@@ -1012,6 +1056,11 @@ static void *v2i_IPAddrBlocks(struct v3_ext_method *method,
X509V3_conf_err(val);
goto err;
}
if (memcmp(min, max, length_from_afi(afi)) > 0) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
X509V3_conf_err(val);
goto err;
}
if (!v3_addr_add_range(addr, afi, safi, min, max)) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
goto err;
@@ -1097,13 +1146,15 @@ static int addr_contains(IPAddressOrRanges *parent,
p = 0;
for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
extract_min_max(sk_IPAddressOrRange_value(child, c),
c_min, c_max, length);
if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
c_min, c_max, length))
return -1;
for (;; p++) {
if (p >= sk_IPAddressOrRange_num(parent))
return 0;
extract_min_max(sk_IPAddressOrRange_value(parent, p),
p_min, p_max, length);
if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
p_min, p_max, length))
return 0;
if (memcmp(p_max, c_max, length) < 0)
continue;
if (memcmp(p_min, c_min, length) > 0)

View File

@@ -61,7 +61,6 @@
#include <stdio.h>
#include <string.h>
#include <assert.h>
#include "cryptlib.h"
#include <openssl/conf.h>
#include <openssl/asn1.h>
@@ -172,11 +171,11 @@ static int ASIdOrRange_cmp(const ASIdOrRange * const *a_,
{
const ASIdOrRange *a = *a_, *b = *b_;
assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
OPENSSL_assert((a->type == ASIdOrRange_id && a->u.id != NULL) ||
(a->type == ASIdOrRange_range && a->u.range != NULL &&
a->u.range->min != NULL && a->u.range->max != NULL));
assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
OPENSSL_assert((b->type == ASIdOrRange_id && b->u.id != NULL) ||
(b->type == ASIdOrRange_range && b->u.range != NULL &&
b->u.range->min != NULL && b->u.range->max != NULL));
@@ -215,7 +214,7 @@ int v3_asid_add_inherit(ASIdentifiers *asid, int which)
if (*choice == NULL) {
if ((*choice = ASIdentifierChoice_new()) == NULL)
return 0;
assert((*choice)->u.inherit == NULL);
OPENSSL_assert((*choice)->u.inherit == NULL);
if (((*choice)->u.inherit = ASN1_NULL_new()) == NULL)
return 0;
(*choice)->type = ASIdentifierChoice_inherit;
@@ -250,7 +249,7 @@ int v3_asid_add_id_or_range(ASIdentifiers *asid,
if (*choice == NULL) {
if ((*choice = ASIdentifierChoice_new()) == NULL)
return 0;
assert((*choice)->u.asIdsOrRanges == NULL);
OPENSSL_assert((*choice)->u.asIdsOrRanges == NULL);
(*choice)->u.asIdsOrRanges = sk_ASIdOrRange_new(ASIdOrRange_cmp);
if ((*choice)->u.asIdsOrRanges == NULL)
return 0;
@@ -286,7 +285,7 @@ static void extract_min_max(ASIdOrRange *aor,
ASN1_INTEGER **min,
ASN1_INTEGER **max)
{
assert(aor != NULL && min != NULL && max != NULL);
OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
switch (aor->type) {
case ASIdOrRange_id:
*min = aor->u.id;
@@ -359,6 +358,20 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
goto done;
}
/*
* Check for inverted range.
*/
i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
{
ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
ASN1_INTEGER *a_min, *a_max;
if (a != NULL && a->type == ASIdOrRange_range) {
extract_min_max(a, &a_min, &a_max);
if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
goto done;
}
}
ret = 1;
done:
@@ -373,7 +386,7 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
int v3_asid_is_canonical(ASIdentifiers *asid)
{
return (asid == NULL ||
(ASIdentifierChoice_is_canonical(asid->asnum) ||
(ASIdentifierChoice_is_canonical(asid->asnum) &&
ASIdentifierChoice_is_canonical(asid->rdi)));
}
@@ -393,9 +406,18 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
return 1;
/*
* We have a list. Sort it.
* If not a list, or if empty list, it's broken.
*/
if (choice->type != ASIdentifierChoice_asIdsOrRanges ||
sk_ASIdOrRange_num(choice->u.asIdsOrRanges) == 0) {
X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
X509V3_R_EXTENSION_VALUE_ERROR);
return 0;
}
/*
* We have a non-empty list. Sort it.
*/
assert(choice->type == ASIdentifierChoice_asIdsOrRanges);
sk_ASIdOrRange_sort(choice->u.asIdsOrRanges);
/*
@@ -413,7 +435,14 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
/*
* Make sure we're properly sorted (paranoia).
*/
assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
/*
* Punt inverted ranges.
*/
if (ASN1_INTEGER_cmp(a_min, a_max) > 0 ||
ASN1_INTEGER_cmp(b_min, b_max) > 0)
goto done;
/*
* Check for overlaps.
@@ -466,13 +495,27 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
break;
}
ASIdOrRange_free(b);
(void)sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
(void) sk_ASIdOrRange_delete(choice->u.asIdsOrRanges, i + 1);
i--;
continue;
}
}
assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
/*
* Check for final inverted range.
*/
i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1;
{
ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, i);
ASN1_INTEGER *a_min, *a_max;
if (a != NULL && a->type == ASIdOrRange_range) {
extract_min_max(a, &a_min, &a_max);
if (ASN1_INTEGER_cmp(a_min, a_max) > 0)
goto done;
}
}
OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); /* Paranoia */
ret = 1;
@@ -499,6 +542,7 @@ static void *v2i_ASIdentifiers(struct v3_ext_method *method,
struct v3_ext_ctx *ctx,
STACK_OF(CONF_VALUE) *values)
{
ASN1_INTEGER *min = NULL, *max = NULL;
ASIdentifiers *asid = NULL;
int i;
@@ -509,7 +553,6 @@ static void *v2i_ASIdentifiers(struct v3_ext_method *method,
for (i = 0; i < sk_CONF_VALUE_num(values); i++) {
CONF_VALUE *val = sk_CONF_VALUE_value(values, i);
ASN1_INTEGER *min = NULL, *max = NULL;
int i1, i2, i3, is_range, which;
/*
@@ -579,18 +622,19 @@ static void *v2i_ASIdentifiers(struct v3_ext_method *method,
max = s2i_ASN1_INTEGER(NULL, s + i2);
OPENSSL_free(s);
if (min == NULL || max == NULL) {
ASN1_INTEGER_free(min);
ASN1_INTEGER_free(max);
X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
goto err;
}
if (ASN1_INTEGER_cmp(min, max) > 0) {
X509V3err(X509V3_F_V2I_ASIDENTIFIERS, X509V3_R_EXTENSION_VALUE_ERROR);
goto err;
}
}
if (!v3_asid_add_id_or_range(asid, which, min, max)) {
ASN1_INTEGER_free(min);
ASN1_INTEGER_free(max);
X509V3err(X509V3_F_V2I_ASIDENTIFIERS, ERR_R_MALLOC_FAILURE);
goto err;
}
min = max = NULL;
}
/*
@@ -602,6 +646,8 @@ static void *v2i_ASIdentifiers(struct v3_ext_method *method,
err:
ASIdentifiers_free(asid);
ASN1_INTEGER_free(min);
ASN1_INTEGER_free(max);
return NULL;
}
@@ -709,9 +755,9 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
X509 *x = NULL;
assert(chain != NULL && sk_X509_num(chain) > 0);
assert(ctx != NULL || ext != NULL);
assert(ctx == NULL || ctx->verify_cb != NULL);
OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
OPENSSL_assert(ctx != NULL || ext != NULL);
OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
/*
* Figure out where to start. If we don't have an extension to
@@ -723,7 +769,7 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
} else {
i = 0;
x = sk_X509_value(chain, i);
assert(x != NULL);
OPENSSL_assert(x != NULL);
if ((ext = x->rfc3779_asid) == NULL)
goto done;
}
@@ -756,7 +802,7 @@ static int v3_asid_validate_path_internal(X509_STORE_CTX *ctx,
*/
for (i++; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
assert(x != NULL);
OPENSSL_assert(x != NULL);
if (x->rfc3779_asid == NULL) {
if (child_as != NULL || child_rdi != NULL)
validation_err(X509_V_ERR_UNNESTED_RESOURCE);

View File

@@ -57,7 +57,7 @@ following methods:
- in all other cases, proxy certificate validation can be enabled
before starting the application by setting the envirnoment variable
OPENSSL_ALLOW_PROXY with some non-empty value.
OPENSSL_ALLOW_PROXY_CERTS with some non-empty value.
There are thoughts to allow proxy certificates with a line in the
default openssl.cnf, but that's still in the future.

View File

@@ -39,13 +39,13 @@ prints a usage message.
=item B<-newcert>
creates a new self signed certificate. The private key and certificate are
written to the file "newreq.pem".
creates a new self signed certificate. The private key is written to the file
"newkey.pem" and the request written to the file "newreq.pem".
=item B<-newreq>
creates a new certificate request. The private key and request are
written to the file "newreq.pem".
creates a new certificate request. The private key is written to the file
"newkey.pem" and the request written to the file "newreq.pem".
=item B<-newreq-nodes>

View File

@@ -39,10 +39,16 @@ for a description of the method's properties.
SSL_clear() resets the SSL object to allow for another connection. The
reset operation however keeps several settings of the last sessions
(some of these settings were made automatically during the last
handshake). It only makes sense when opening a new session (or reusing
an old one) with the same peer that shares these settings.
SSL_clear() is not a short form for the sequence
L<SSL_free(3)|SSL_free(3)>; L<SSL_new(3)|SSL_new(3)>; .
handshake). It only makes sense for a new connection with the exact
same peer that shares these settings, and may fail if that peer
changes its settings between connections. Use the sequence
L<SSL_get_session(3)|SSL_get_session(3)>;
L<SSL_new(3)|SSL_new(3)>;
L<SSL_set_session(3)|SSL_set_session(3)>;
L<SSL_free(3)|SSL_free(3)>
instead to avoid such failures
(or simply L<SSL_free(3)|SSL_free(3)>; L<SSL_new(3)|SSL_new(3)>
if session reuse is not desired).
=head1 RETURN VALUES

View File

@@ -420,28 +420,36 @@ static int capi_init(ENGINE *e)
CAPI_CTX *ctx;
const RSA_METHOD *ossl_rsa_meth;
const DSA_METHOD *ossl_dsa_meth;
capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0);
cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0);
if (capi_idx < 0)
{
capi_idx = ENGINE_get_ex_new_index(0, NULL, NULL, NULL, 0);
if (capi_idx < 0)
goto memerr;
cert_capi_idx = X509_get_ex_new_index(0, NULL, NULL, NULL, 0);
/* Setup RSA_METHOD */
rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
ossl_rsa_meth = RSA_PKCS1_SSLeay();
capi_rsa_method.rsa_pub_enc = ossl_rsa_meth->rsa_pub_enc;
capi_rsa_method.rsa_pub_dec = ossl_rsa_meth->rsa_pub_dec;
capi_rsa_method.rsa_mod_exp = ossl_rsa_meth->rsa_mod_exp;
capi_rsa_method.bn_mod_exp = ossl_rsa_meth->bn_mod_exp;
/* Setup DSA Method */
dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
ossl_dsa_meth = DSA_OpenSSL();
capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify;
capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp;
capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp;
}
ctx = capi_ctx_new();
if (!ctx || (capi_idx < 0))
if (!ctx)
goto memerr;
ENGINE_set_ex_data(e, capi_idx, ctx);
/* Setup RSA_METHOD */
rsa_capi_idx = RSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
ossl_rsa_meth = RSA_PKCS1_SSLeay();
capi_rsa_method.rsa_pub_enc = ossl_rsa_meth->rsa_pub_enc;
capi_rsa_method.rsa_pub_dec = ossl_rsa_meth->rsa_pub_dec;
capi_rsa_method.rsa_mod_exp = ossl_rsa_meth->rsa_mod_exp;
capi_rsa_method.bn_mod_exp = ossl_rsa_meth->bn_mod_exp;
/* Setup DSA Method */
dsa_capi_idx = DSA_get_ex_new_index(0, NULL, NULL, NULL, 0);
ossl_dsa_meth = DSA_OpenSSL();
capi_dsa_method.dsa_do_verify = ossl_dsa_meth->dsa_do_verify;
capi_dsa_method.dsa_mod_exp = ossl_dsa_meth->dsa_mod_exp;
capi_dsa_method.bn_mod_exp = ossl_dsa_meth->bn_mod_exp;
#ifdef OPENSSL_CAPIENG_DIALOG
{
@@ -1133,6 +1141,7 @@ static int capi_list_containers(CAPI_CTX *ctx, BIO *out)
{
CAPIerr(CAPI_F_CAPI_LIST_CONTAINERS, CAPI_R_ENUMCONTAINERS_ERROR);
capi_addlasterror();
CryptReleaseContext(hprov, 0);
return 0;
}
CAPI_trace(ctx, "Got max container len %d\n", buflen);
@@ -1400,10 +1409,13 @@ static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx, const char *id, HCERTSTORE h
static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provname, DWORD ptype, DWORD keyspec)
{
CAPI_KEY *key;
DWORD dwFlags = 0;
key = OPENSSL_malloc(sizeof(CAPI_KEY));
CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n",
contname, provname, ptype);
if (!CryptAcquireContextA(&key->hprov, contname, provname, ptype, 0))
if(ctx->store_flags & CERT_SYSTEM_STORE_LOCAL_MACHINE)
dwFlags = CRYPT_MACHINE_KEYSET;
if (!CryptAcquireContextA(&key->hprov, contname, provname, ptype, dwFlags))
{
CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR);
capi_addlasterror();
@@ -1550,6 +1562,8 @@ static int capi_ctx_set_provname(CAPI_CTX *ctx, LPSTR pname, DWORD type, int che
}
CryptReleaseContext(hprov, 0);
}
if (ctx->cspname)
OPENSSL_free(ctx->cspname);
ctx->cspname = BUF_strdup(pname);
ctx->csptype = type;
return 1;
@@ -1559,9 +1573,12 @@ static int capi_ctx_set_provname_idx(CAPI_CTX *ctx, int idx)
{
LPSTR pname;
DWORD type;
int res;
if (capi_get_provname(ctx, &pname, &type, idx) != 1)
return 0;
return capi_ctx_set_provname(ctx, pname, type, 0);
res = capi_ctx_set_provname(ctx, pname, type, 0);
OPENSSL_free(pname);
return res;
}
static int cert_issuer_match(STACK_OF(X509_NAME) *ca_dn, X509 *x)

View File

@@ -55,6 +55,10 @@
#ifndef HEADER_CAPI_ERR_H
#define HEADER_CAPI_ERR_H
#ifdef __cplusplus
extern "C" {
#endif
/* BEGIN ERROR CODES */
/* The following lines are auto generated by the script mkerr.pl. Any changes
* made after this point may be overwritten when the script is next run.

View File

@@ -19,6 +19,7 @@
(defined(__linux) && (defined(__arm) || defined(__arm__))) || \
(defined(__i386) || defined(__i386__)) || \
(defined(__x86_64) || defined(__x86_64__)) || \
defined(__ANDROID__) || \
(defined(vax) || defined(__vax__))
# define POINTER_TO_FUNCTION_IS_POINTER_TO_1ST_INSTRUCTION
# endif

View File

@@ -40,7 +40,8 @@ void OPENSSL_Uplink (volatile void **table, int index)
* should be sufficient [it prohibits compiler to reorder memory
* access instructions]. */
do {
len = _stprintf (msg,_T("OPENSSL_Uplink(%p,%02X): "),table,index);
len = _sntprintf (msg,sizeof(msg)/sizeof(TCHAR),
_T("OPENSSL_Uplink(%p,%02X): "),table,index);
_tcscpy (msg+len,_T("unimplemented function"));
if ((h=apphandle)==NULL)

View File

@@ -2,7 +2,7 @@
%define libmaj 0
%define libmin 9
%define librel 8
%define librev q
%define librev y
Release: 1
%define openssldir /var/ssl

View File

@@ -22,7 +22,7 @@ LIB=$(TOP)/libssl.a
SHARED_LIB= libssl$(SHLIB_EXT)
LIBSRC= \
s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \
s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \
s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c s3_cbc.c \
s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \
t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \
d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \
@@ -33,7 +33,7 @@ LIBSRC= \
bio_ssl.c ssl_err.c kssl.c t1_reneg.c
LIBOBJ= \
s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \
s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \
s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \
s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \
t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \
d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \
@@ -545,6 +545,27 @@ s3_both.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h
s3_both.o: ../include/openssl/x509_vfy.h s3_both.c ssl_locl.h
s3_cbc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
s3_cbc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
s3_cbc.o: ../include/openssl/comp.h ../include/openssl/crypto.h
s3_cbc.o: ../include/openssl/dsa.h ../include/openssl/dtls1.h
s3_cbc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
s3_cbc.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
s3_cbc.o: ../include/openssl/err.h ../include/openssl/evp.h
s3_cbc.o: ../include/openssl/fips.h ../include/openssl/hmac.h
s3_cbc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
s3_cbc.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
s3_cbc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
s3_cbc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
s3_cbc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
s3_cbc.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
s3_cbc.o: ../include/openssl/pqueue.h ../include/openssl/rsa.h
s3_cbc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
s3_cbc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
s3_cbc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
s3_cbc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
s3_cbc.o: ../include/openssl/tls1.h ../include/openssl/x509.h
s3_cbc.o: ../include/openssl/x509_vfy.h s3_cbc.c ssl_locl.h
s3_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h
s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h

View File

@@ -348,7 +348,11 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
break;
case BIO_C_SET_SSL:
if (ssl != NULL)
{
ssl_free(b);
if (!ssl_new(b))
return 0;
}
b->shutdown=(int)num;
ssl=(SSL *)ptr;
((BIO_SSL *)b->ptr)->ssl=ssl;

View File

@@ -153,12 +153,11 @@
#endif
static unsigned char bitmask_start_values[] = {0xff, 0xfe, 0xfc, 0xf8, 0xf0, 0xe0, 0xc0, 0x80};
static unsigned char bitmask_end_values[] = {0x00, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
static unsigned char bitmask_end_values[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1f, 0x3f, 0x7f};
/* XDTLS: figure out the right values */
static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
static unsigned int dtls1_min_mtu(void);
static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);
static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
unsigned long frag_len);
@@ -228,14 +227,14 @@ int dtls1_do_write(SSL *s, int type)
unsigned int len, frag_off, mac_size, blocksize;
/* AHA! Figure out the MTU, and stick to the right size */
if ( ! (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
if (s->d1->mtu < dtls1_min_mtu() && !(SSL_get_options(s) & SSL_OP_NO_QUERY_MTU))
{
s->d1->mtu =
BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_QUERY_MTU, 0, NULL);
/* I've seen the kernel return bogus numbers when it doesn't know
* (initial write), so just make sure we have a reasonable number */
if ( s->d1->mtu < dtls1_min_mtu())
if (s->d1->mtu < dtls1_min_mtu())
{
s->d1->mtu = 0;
s->d1->mtu = dtls1_guess_mtu(s->d1->mtu);
@@ -264,11 +263,10 @@ int dtls1_do_write(SSL *s, int type)
return ret;
mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
}
OPENSSL_assert(mtu > 0); /* should have something reasonable now */
#endif
OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); /* should have something reasonable now */
if ( s->init_off == 0 && type == SSL3_RT_HANDSHAKE)
OPENSSL_assert(s->init_num ==
(int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
@@ -464,20 +462,9 @@ again:
memset(msg_hdr, 0x00, sizeof(struct hm_header_st));
s->d1->handshake_read_seq++;
/* we just read a handshake message from the other side:
* this means that we don't need to retransmit of the
* buffered messages.
* XDTLS: may be able clear out this
* buffer a little sooner (i.e if an out-of-order
* handshake message/record is received at the record
* layer.
* XDTLS: exception is that the server needs to
* know that change cipher spec and finished messages
* have been received by the client before clearing this
* buffer. this can simply be done by waiting for the
* first data segment, but is there a better way? */
dtls1_clear_record_buffer(s);
/* Don't change sequence numbers while listening */
if (!s->d1->listen)
s->d1->handshake_read_seq++;
s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH;
return s->init_num;
@@ -806,16 +793,24 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
*ok = 0;
return i;
}
OPENSSL_assert(i == DTLS1_HM_HEADER_LENGTH);
/* Handshake fails if message header is incomplete */
if (i != DTLS1_HM_HEADER_LENGTH)
{
al=SSL_AD_UNEXPECTED_MESSAGE;
SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
goto f_err;
}
/* parse the message fragment header */
dtls1_get_message_header(wire, &msg_hdr);
/*
* if this is a future (or stale) message it gets buffered
* (or dropped)--no further processing at this time
* (or dropped)--no further processing at this time
* While listening, we accept seq 1 (ClientHello with cookie)
* although we're still expecting seq 0 (ClientHello)
*/
if ( msg_hdr.seq != s->d1->handshake_read_seq)
if (msg_hdr.seq != s->d1->handshake_read_seq && !(s->d1->listen && msg_hdr.seq == 1))
return dtls1_process_out_of_seq_message(s, &msg_hdr, ok);
len = msg_hdr.msg_len;
@@ -876,7 +871,12 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
/* XDTLS: an incorrectly formatted fragment should cause the
* handshake to fail */
OPENSSL_assert(i == (int)frag_len);
if (i != (int)frag_len)
{
al=SSL3_AD_ILLEGAL_PARAMETER;
SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER);
goto f_err;
}
*ok = 1;
@@ -1326,7 +1326,8 @@ unsigned char *
dtls1_set_message_header(SSL *s, unsigned char *p, unsigned char mt,
unsigned long len, unsigned long frag_off, unsigned long frag_len)
{
if ( frag_off == 0)
/* Don't change sequence numbers while listening */
if (frag_off == 0 && !s->d1->listen)
{
s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
s->d1->next_handshake_write_seq++;
@@ -1379,7 +1380,7 @@ dtls1_write_message_header(SSL *s, unsigned char *p)
return p;
}
static unsigned int
unsigned int
dtls1_min_mtu(void)
{
return (g_probable_mtu[(sizeof(g_probable_mtu) /

View File

@@ -257,7 +257,6 @@ int dtls1_connect(SSL *s)
if (ret <= 0) goto end;
else
{
dtls1_stop_timer(s);
if (s->hit)
s->state=SSL3_ST_CR_FINISHED_A;
else
@@ -350,6 +349,7 @@ int dtls1_connect(SSL *s)
case SSL3_ST_CR_SRVR_DONE_B:
ret=ssl3_get_server_done(s);
if (ret <= 0) goto end;
dtls1_stop_timer(s);
if (s->s3->tmp.cert_req)
s->state=SSL3_ST_CW_CERT_A;
else
@@ -403,7 +403,8 @@ int dtls1_connect(SSL *s)
case SSL3_ST_CW_CHANGE_A:
case SSL3_ST_CW_CHANGE_B:
dtls1_start_timer(s);
if (!s->hit)
dtls1_start_timer(s);
ret=dtls1_send_change_cipher_spec(s,
SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
if (ret <= 0) goto end;
@@ -438,7 +439,8 @@ int dtls1_connect(SSL *s)
case SSL3_ST_CW_FINISHED_A:
case SSL3_ST_CW_FINISHED_B:
dtls1_start_timer(s);
if (!s->hit)
dtls1_start_timer(s);
ret=dtls1_send_finished(s,
SSL3_ST_CW_FINISHED_A,SSL3_ST_CW_FINISHED_B,
s->method->ssl3_enc->client_finished_label,

View File

@@ -126,16 +126,30 @@
#include <openssl/des.h>
#endif
/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
*
* Returns:
* 0: (in non-constant time) if the record is publically invalid (i.e. too
* short etc).
* 1: if the record's padding is valid / the encryption was successful.
* -1: if the record's padding/AEAD-authenticator is invalid or, if sending,
* an internal error occured. */
int dtls1_enc(SSL *s, int send)
{
SSL3_RECORD *rec;
EVP_CIPHER_CTX *ds;
unsigned long l;
int bs,i,ii,j,k;
int bs,i,j,k,mac_size=0;
const EVP_CIPHER *enc;
if (send)
{
if (s->write_hash)
{
mac_size=EVP_MD_size(s->write_hash);
if (mac_size < 0)
return -1;
}
ds=s->enc_write_ctx;
rec= &(s->s3->wrec);
if (s->enc_write_ctx == NULL)
@@ -156,6 +170,11 @@ int dtls1_enc(SSL *s, int send)
}
else
{
if (s->read_hash)
{
mac_size=EVP_MD_size(s->read_hash);
OPENSSL_assert(mac_size >= 0);
}
ds=s->enc_read_ctx;
rec= &(s->s3->rrec);
if (s->enc_read_ctx == NULL)
@@ -220,11 +239,7 @@ int dtls1_enc(SSL *s, int send)
if (!send)
{
if (l == 0 || l%bs != 0)
{
SSLerr(SSL_F_DTLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
return 0;
}
}
EVP_Cipher(ds,rec->data,rec->input,l);
@@ -239,43 +254,7 @@ int dtls1_enc(SSL *s, int send)
#endif /* KSSL_DEBUG */
if ((bs != 1) && !send)
{
ii=i=rec->data[l-1]; /* padding_length */
i++;
if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG)
{
/* First packet is even in size, so check */
if ((memcmp(s->s3->read_sequence,
"\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1))
s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG)
i--;
}
/* TLS 1.0 does not bound the number of padding bytes by the block size.
* All of them must have value 'padding_length'. */
if (i > (int)rec->length)
{
/* Incorrect padding. SSLerr() and ssl3_alert are done
* by caller: we don't want to reveal whether this is
* a decryption error or a MAC verification failure
* (see http://www.openssl.org/~bodo/tls-cbc.txt)
*/
return -1;
}
for (j=(int)(l-i); j<(int)l; j++)
{
if (rec->data[j] != ii)
{
/* Incorrect padding */
return -1;
}
}
rec->length-=i;
rec->data += bs; /* skip the implicit IV */
rec->input += bs;
rec->length -= bs;
}
return tls1_cbc_remove_padding(s, rec, bs, mac_size);
}
return(1);
}

View File

@@ -145,26 +145,33 @@ int dtls1_new(SSL *s)
return(1);
}
void dtls1_free(SSL *s)
static void dtls1_clear_queues(SSL *s)
{
pitem *item = NULL;
hm_fragment *frag = NULL;
ssl3_free(s);
DTLS1_RECORD_DATA *rdata;
while( (item = pqueue_pop(s->d1->unprocessed_rcds.q)) != NULL)
{
rdata = (DTLS1_RECORD_DATA *) item->data;
if (rdata->rbuf.buf)
{
OPENSSL_free(rdata->rbuf.buf);
}
OPENSSL_free(item->data);
pitem_free(item);
}
pqueue_free(s->d1->unprocessed_rcds.q);
while( (item = pqueue_pop(s->d1->processed_rcds.q)) != NULL)
{
rdata = (DTLS1_RECORD_DATA *) item->data;
if (rdata->rbuf.buf)
{
OPENSSL_free(rdata->rbuf.buf);
}
OPENSSL_free(item->data);
pitem_free(item);
}
pqueue_free(s->d1->processed_rcds.q);
while( (item = pqueue_pop(s->d1->buffered_messages)) != NULL)
{
@@ -173,7 +180,6 @@ void dtls1_free(SSL *s)
OPENSSL_free(frag);
pitem_free(item);
}
pqueue_free(s->d1->buffered_messages);
while ( (item = pqueue_pop(s->d1->sent_messages)) != NULL)
{
@@ -182,15 +188,26 @@ void dtls1_free(SSL *s)
OPENSSL_free(frag);
pitem_free(item);
}
pqueue_free(s->d1->sent_messages);
while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
{
{
frag = (hm_fragment *)item->data;
OPENSSL_free(frag->fragment);
OPENSSL_free(frag);
pitem_free(item);
}
}
void dtls1_free(SSL *s)
{
ssl3_free(s);
dtls1_clear_queues(s);
pqueue_free(s->d1->unprocessed_rcds.q);
pqueue_free(s->d1->processed_rcds.q);
pqueue_free(s->d1->buffered_messages);
pqueue_free(s->d1->sent_messages);
pqueue_free(s->d1->buffered_app_data.q);
pq_64bit_free(&(s->d1->bitmap.map));
@@ -204,6 +221,61 @@ void dtls1_free(SSL *s)
void dtls1_clear(SSL *s)
{
pqueue unprocessed_rcds;
pqueue processed_rcds;
pqueue buffered_messages;
pqueue sent_messages;
pqueue buffered_app_data;
unsigned int mtu;
if (s->d1)
{
unprocessed_rcds = s->d1->unprocessed_rcds.q;
processed_rcds = s->d1->processed_rcds.q;
buffered_messages = s->d1->buffered_messages;
sent_messages = s->d1->sent_messages;
buffered_app_data = s->d1->buffered_app_data.q;
mtu = s->d1->mtu;
dtls1_clear_queues(s);
pq_64bit_free(&(s->d1->bitmap.map));
pq_64bit_free(&(s->d1->bitmap.max_seq_num));
pq_64bit_free(&(s->d1->next_bitmap.map));
pq_64bit_free(&(s->d1->next_bitmap.max_seq_num));
memset(s->d1, 0, sizeof(*(s->d1)));
if (s->server)
{
s->d1->cookie_len = sizeof(s->d1->cookie);
}
if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)
{
s->d1->mtu = mtu;
}
s->d1->unprocessed_rcds.q = unprocessed_rcds;
s->d1->processed_rcds.q = processed_rcds;
s->d1->buffered_messages = buffered_messages;
s->d1->sent_messages = sent_messages;
s->d1->buffered_app_data.q = buffered_app_data;
#if defined(OPENSSL_SYS_VMS) || defined(VMS_TEST)
s->d1->bitmap.length=64;
#else
s->d1->bitmap.length=sizeof(s->d1->bitmap.map) * 8;
#endif
pq_64bit_init(&(s->d1->bitmap.map));
pq_64bit_init(&(s->d1->bitmap.max_seq_num));
s->d1->next_bitmap.length = s->d1->bitmap.length;
pq_64bit_init(&(s->d1->next_bitmap.map));
pq_64bit_init(&(s->d1->next_bitmap.max_seq_num));
}
ssl3_clear(s);
if (s->options & SSL_OP_CISCO_ANYCONNECT)
s->version=DTLS1_BAD_VER;
@@ -349,15 +421,36 @@ void dtls1_double_timeout(SSL *s)
void dtls1_stop_timer(SSL *s)
{
/* Reset everything */
memset(&(s->d1->timeout), 0, sizeof(struct dtls1_timeout_st));
memset(&(s->d1->next_timeout), 0, sizeof(struct timeval));
s->d1->timeout_duration = 1;
BIO_ctrl(SSL_get_rbio(s), BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT, 0, &(s->d1->next_timeout));
/* Clear retransmission buffer */
dtls1_clear_record_buffer(s);
}
int dtls1_check_timeout_num(SSL *s)
{
s->d1->timeout.num_alerts++;
/* Reduce MTU after 2 unsuccessful retransmissions */
if (s->d1->timeout.num_alerts > 2)
{
s->d1->mtu = BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_GET_FALLBACK_MTU, 0, NULL);
}
if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
{
/* fail the connection, enough alerts have been sent */
SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM,SSL_R_READ_TIMEOUT_EXPIRED);
return -1;
}
return 0;
}
int dtls1_handle_timeout(SSL *s)
{
DTLS1_STATE *state;
/* if no timer is expired, don't do anything */
if (!dtls1_is_timer_expired(s))
{
@@ -365,19 +458,14 @@ int dtls1_handle_timeout(SSL *s)
}
dtls1_double_timeout(s);
state = s->d1;
state->timeout.num_alerts++;
if ( state->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
{
/* fail the connection, enough alerts have been sent */
SSLerr(SSL_F_DTLS1_HANDLE_TIMEOUT,SSL_R_READ_TIMEOUT_EXPIRED);
return 0;
}
state->timeout.read_timeouts++;
if ( state->timeout.read_timeouts > DTLS1_TMO_READ_COUNT)
if (dtls1_check_timeout_num(s) < 0)
return -1;
s->d1->timeout.read_timeouts++;
if (s->d1->timeout.read_timeouts > DTLS1_TMO_READ_COUNT)
{
state->timeout.read_timeouts = 1;
s->d1->timeout.read_timeouts = 1;
}
dtls1_start_timer(s);

View File

@@ -139,7 +139,6 @@ static int dtls1_process_record(SSL *s);
#if PQ_64BIT_IS_INTEGER
static PQ_64BIT bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num);
#endif
static void dtls1_clear_timeouts(SSL *s);
/* copy buffered record into SSL structure */
static int
@@ -328,15 +327,13 @@ dtls1_get_buffered_record(SSL *s)
static int
dtls1_process_record(SSL *s)
{
int al;
int clear=0;
int enc_err;
int i,al;
int enc_err;
SSL_SESSION *sess;
SSL3_RECORD *rr;
unsigned int mac_size;
unsigned char md[EVP_MAX_MD_SIZE];
rr= &(s->s3->rrec);
sess = s->session;
@@ -365,15 +362,18 @@ dtls1_process_record(SSL *s)
/* decrypt in place in 'rr->input' */
rr->data=rr->input;
rr->orig_len=rr->length;
enc_err = s->method->ssl3_enc->enc(s,0);
if (enc_err <= 0)
/* enc_err is:
* 0: (in non-constant time) if the record is publically invalid.
* 1: if the padding is valid
* -1: if the padding is invalid */
if (enc_err == 0)
{
if (enc_err == 0)
/* SSLerr() and ssl3_send_alert() have been called */
goto err;
/* otherwise enc_err == -1 */
/* For DTLS we simply ignore bad packets. */
rr->length = 0;
s->packet_length = 0;
goto err;
}
@@ -384,42 +384,64 @@ printf("\n");
#endif
/* r->length is now the compressed data plus mac */
if ( (sess == NULL) ||
(s->enc_read_ctx == NULL) ||
(s->read_hash == NULL))
clear=1;
if (!clear)
if ((sess != NULL) &&
(s->enc_read_ctx != NULL) &&
(s->read_hash != NULL))
{
/* s->read_hash != NULL => mac_size != -1 */
unsigned char *mac = NULL;
unsigned char mac_tmp[EVP_MAX_MD_SIZE];
mac_size=EVP_MD_size(s->read_hash);
OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
/* orig_len is the length of the record before any padding was
* removed. This is public information, as is the MAC in use,
* therefore we can safely process the record in a different
* amount of time if it's too short to possibly contain a MAC.
*/
if (rr->orig_len < mac_size ||
/* CBC records must have a padding length byte too. */
(EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
rr->orig_len < mac_size+1))
{
#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */
al=SSL_AD_RECORD_OVERFLOW;
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
goto f_err;
#else
goto err;
#endif
}
/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
if (rr->length < mac_size)
{
#if 0 /* OK only for stream ciphers */
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
goto f_err;
#else
goto err;
#endif
}
rr->length-=mac_size;
s->method->ssl3_enc->mac(s,md,0);
if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE)
{
goto err;
/* We update the length so that the TLS header bytes
* can be constructed correctly but we need to extract
* the MAC in constant time from within the record,
* without leaking the contents of the padding bytes.
* */
mac = mac_tmp;
ssl3_cbc_copy_mac(mac_tmp, rr, mac_size);
rr->length -= mac_size;
}
else
{
/* In this case there's no padding, so |rec->orig_len|
* equals |rec->length| and we checked that there's
* enough bytes for |mac_size| above. */
rr->length -= mac_size;
mac = &rr->data[rr->length];
}
i=s->method->ssl3_enc->mac(s,md,0 /* not send */);
if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0)
enc_err = -1;
if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size)
enc_err = -1;
}
if (enc_err < 0)
{
/* decryption failed, silently discard message */
rr->length = 0;
s->packet_length = 0;
goto err;
}
/* r->length is now just compressed */
@@ -615,10 +637,12 @@ again:
/* If this record is from the next epoch (either HM or ALERT),
* and a handshake is currently in progress, buffer it since it
* cannot be processed at this time. */
* cannot be processed at this time. However, do not buffer
* anything while listening.
*/
if (is_next_epoch)
{
if (SSL_in_init(s) || s->in_handshake)
if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen)
{
dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), &rr->seq_num);
}
@@ -634,7 +658,6 @@ again:
goto again; /* get another record */
}
dtls1_clear_timeouts(s); /* done waiting */
return(1);
}
@@ -1103,6 +1126,9 @@ start:
*/
if (msg_hdr.type == SSL3_MT_FINISHED)
{
if (dtls1_check_timeout_num(s) < 0)
return -1;
dtls1_retransmit_buffered_messages(s);
rr->length = 0;
goto start;
@@ -1806,10 +1832,3 @@ bytes_to_long_long(unsigned char *bytes, PQ_64BIT *num)
return _num;
}
#endif
static void
dtls1_clear_timeouts(SSL *s)
{
memset(&(s->d1->timeout), 0x00, sizeof(struct dtls1_timeout_st));
}

View File

@@ -148,6 +148,7 @@ int dtls1_accept(SSL *s)
void (*cb)(const SSL *ssl,int type,int val)=NULL;
int ret= -1;
int new_state,state,skip=0;
int listen;
RAND_add(&Time,sizeof(Time),0);
ERR_clear_error();
@@ -157,11 +158,15 @@ int dtls1_accept(SSL *s)
cb=s->info_callback;
else if (s->ctx->info_callback != NULL)
cb=s->ctx->info_callback;
listen = s->d1->listen;
/* init things to blank */
s->in_handshake++;
if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
s->d1->listen = listen;
if (s->cert == NULL)
{
SSLerr(SSL_F_DTLS1_ACCEPT,SSL_R_NO_CERTIFICATE_SET);
@@ -271,11 +276,23 @@ int dtls1_accept(SSL *s)
s->init_num=0;
/* Reflect ClientHello sequence to remain stateless while listening */
if (listen)
{
memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence));
}
/* If we're just listening, stop here */
if (s->d1->listen && s->state == SSL3_ST_SW_SRVR_HELLO_A)
if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A)
{
ret = 2;
s->d1->listen = 0;
/* Set expected sequence numbers
* to continue the handshake.
*/
s->d1->handshake_read_seq = 2;
s->d1->handshake_write_seq = 1;
s->d1->next_handshake_write_seq = 1;
goto end;
}
@@ -284,7 +301,6 @@ int dtls1_accept(SSL *s)
case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
dtls1_start_timer(s);
ret = dtls1_send_hello_verify_request(s);
if ( ret <= 0) goto end;
s->state=SSL3_ST_SW_FLUSH;
@@ -457,15 +473,16 @@ int dtls1_accept(SSL *s)
ret = ssl3_check_client_hello(s);
if (ret <= 0)
goto end;
dtls1_stop_timer(s);
if (ret == 2)
{
dtls1_stop_timer(s);
s->state = SSL3_ST_SR_CLNT_HELLO_C;
}
else {
/* could be sent for a DH cert, even if we
* have not asked for it :-) */
ret=ssl3_get_client_certificate(s);
if (ret <= 0) goto end;
dtls1_stop_timer(s);
s->init_num=0;
s->state=SSL3_ST_SR_KEY_EXCH_A;
}
@@ -475,7 +492,6 @@ int dtls1_accept(SSL *s)
case SSL3_ST_SR_KEY_EXCH_B:
ret=ssl3_get_client_key_exchange(s);
if (ret <= 0) goto end;
dtls1_stop_timer(s);
s->state=SSL3_ST_SR_CERT_VRFY_A;
s->init_num=0;
@@ -497,7 +513,6 @@ int dtls1_accept(SSL *s)
/* we should decide if we expected this one */
ret=ssl3_get_cert_verify(s);
if (ret <= 0) goto end;
dtls1_stop_timer(s);
s->state=SSL3_ST_SR_FINISHED_A;
s->init_num=0;
@@ -713,9 +728,6 @@ int dtls1_send_hello_verify_request(SSL *s)
/* number of bytes to write */
s->init_num=p-buf;
s->init_off=0;
/* buffer the message to handle re-xmits */
dtls1_buffer_message(s, 0);
}
/* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
@@ -736,7 +748,7 @@ int dtls1_send_server_hello(SSL *s)
p=s->s3->server_random;
Time=(unsigned long)time(NULL); /* Time */
l2n(Time,p);
RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
/* Do the message type and length last */
d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);

View File

@@ -935,7 +935,7 @@ static int get_server_verify(SSL *s)
s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */
p += 1;
if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT);

View File

@@ -267,8 +267,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek)
s->s2->ract_data_length-=mac_size;
ssl2_mac(s,mac,0);
s->s2->ract_data_length-=s->s2->padding;
if ( (memcmp(mac,s->s2->mac_data,
(unsigned int)mac_size) != 0) ||
if ( (CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) ||
(s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0))
{
SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE);

View File

@@ -403,13 +403,14 @@ static int get_client_master_key(SSL *s)
p+=3;
n2s(p,i); s->s2->tmp.clear=i;
n2s(p,i); s->s2->tmp.enc=i;
n2s(p,i); s->session->key_arg_length=i;
if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
n2s(p,i);
if(i > SSL_MAX_KEY_ARG_LENGTH)
{
ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_KEY_ARG_TOO_LONG);
return -1;
}
s->session->key_arg_length=i;
s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
}

View File

@@ -242,7 +242,7 @@ int ssl3_get_finished(SSL *s, int a, int b)
goto f_err;
}
if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0)
{
al=SSL_AD_DECRYPT_ERROR;
SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED);

759
ssl/s3_cbc.c Normal file
View File

@@ -0,0 +1,759 @@
/* ssl/s3_cbc.c */
/* ====================================================================
* Copyright (c) 2012 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
#include "ssl_locl.h"
#include <openssl/md5.h>
#include <openssl/sha.h>
/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length
* field. (SHA-384/512 have 128-bit length.) */
#define MAX_HASH_BIT_COUNT_BYTES 16
/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support.
* Currently SHA-384/512 has a 128-byte block size and that's the largest
* supported by TLS.) */
#define MAX_HASH_BLOCK_SIZE 128
/* Some utility functions are needed:
*
* These macros return the given value with the MSB copied to all the other
* bits. They use the fact that arithmetic shift shifts-in the sign bit.
* However, this is not ensured by the C standard so you may need to replace
* them with something else on odd CPUs. */
#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))
/* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */
static unsigned constant_time_ge(unsigned a, unsigned b)
{
a -= b;
return DUPLICATE_MSB_TO_ALL(~a);
}
/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */
static unsigned char constant_time_eq_8(unsigned char a, unsigned char b)
{
unsigned c = a ^ b;
c--;
return DUPLICATE_MSB_TO_ALL_8(c);
}
/* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC
* record in |rec| by updating |rec->length| in constant time.
*
* block_size: the block size of the cipher used to encrypt the record.
* returns:
* 0: (in non-constant time) if the record is publicly invalid.
* 1: if the padding was valid
* -1: otherwise. */
int ssl3_cbc_remove_padding(const SSL* s,
SSL3_RECORD *rec,
unsigned block_size,
unsigned mac_size)
{
unsigned padding_length, good;
const unsigned overhead = 1 /* padding length byte */ + mac_size;
/* These lengths are all public so we can test them in non-constant
* time. */
if (overhead > rec->length)
return 0;
padding_length = rec->data[rec->length-1];
good = constant_time_ge(rec->length, padding_length+overhead);
/* SSLv3 requires that the padding is minimal. */
good &= constant_time_ge(block_size, padding_length+1);
rec->length -= good & (padding_length+1);
return (int)((good & 1) | (~good & -1));
}
/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC
* record in |rec| in constant time and returns 1 if the padding is valid and
* -1 otherwise. It also removes any explicit IV from the start of the record
* without leaking any timing about whether there was enough space after the
* padding was removed.
*
* block_size: the block size of the cipher used to encrypt the record.
* returns:
* 0: (in non-constant time) if the record is publicly invalid.
* 1: if the padding was valid
* -1: otherwise. */
int tls1_cbc_remove_padding(const SSL* s,
SSL3_RECORD *rec,
unsigned block_size,
unsigned mac_size)
{
unsigned padding_length, good, to_check, i;
const char has_explicit_iv = s->version == DTLS1_VERSION;
const unsigned overhead = 1 /* padding length byte */ +
mac_size +
(has_explicit_iv ? block_size : 0);
/* These lengths are all public so we can test them in non-constant
* time. */
if (overhead > rec->length)
return 0;
padding_length = rec->data[rec->length-1];
/* NB: if compression is in operation the first packet may not be of
* even length so the padding bug check cannot be performed. This bug
* workaround has been around since SSLeay so hopefully it is either
* fixed now or no buggy implementation supports compression [steve]
*/
if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand)
{
/* First packet is even in size, so check */
if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",8) == 0) &&
!(padding_length & 1))
{
s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG;
}
if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) &&
padding_length > 0)
{
padding_length--;
}
}
good = constant_time_ge(rec->length, overhead+padding_length);
/* The padding consists of a length byte at the end of the record and
* then that many bytes of padding, all with the same value as the
* length byte. Thus, with the length byte included, there are i+1
* bytes of padding.
*
* We can't check just |padding_length+1| bytes because that leaks
* decrypted information. Therefore we always have to check the maximum
* amount of padding possible. (Again, the length of the record is
* public information so we can use it.) */
to_check = 255; /* maximum amount of padding. */
if (to_check > rec->length-1)
to_check = rec->length-1;
for (i = 0; i < to_check; i++)
{
unsigned char mask = constant_time_ge(padding_length, i);
unsigned char b = rec->data[rec->length-1-i];
/* The final |padding_length+1| bytes should all have the value
* |padding_length|. Therefore the XOR should be zero. */
good &= ~(mask&(padding_length ^ b));
}
/* If any of the final |padding_length+1| bytes had the wrong value,
* one or more of the lower eight bits of |good| will be cleared. We
* AND the bottom 8 bits together and duplicate the result to all the
* bits. */
good &= good >> 4;
good &= good >> 2;
good &= good >> 1;
good <<= sizeof(good)*8-1;
good = DUPLICATE_MSB_TO_ALL(good);
rec->length -= good & (padding_length+1);
/* We can always safely skip the explicit IV. We check at the beginning
* of this function that the record has at least enough space for the
* IV, MAC and padding length byte. (These can be checked in
* non-constant time because it's all public information.) So, if the
* padding was invalid, then we didn't change |rec->length| and this is
* safe. If the padding was valid then we know that we have at least
* overhead+padding_length bytes of space and so this is still safe
* because overhead accounts for the explicit IV. */
if (has_explicit_iv)
{
rec->data += block_size;
rec->input += block_size;
rec->length -= block_size;
rec->orig_len -= block_size;
}
return (int)((good & 1) | (~good & -1));
}
#if defined(_M_AMD64) || defined(__x86_64__)
#define CBC_MAC_ROTATE_IN_PLACE
#endif
/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in
* constant time (independent of the concrete value of rec->length, which may
* vary within a 256-byte window).
*
* ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to
* this function.
*
* On entry:
* rec->orig_len >= md_size
* md_size <= EVP_MAX_MD_SIZE
*
* If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with
* variable accesses in a 64-byte-aligned buffer. Assuming that this fits into
* a single cache-line, then the variable memory accesses don't actually affect
* the timing. This has been tested to be true on Intel amd64 chips.
*/
void ssl3_cbc_copy_mac(unsigned char* out,
const SSL3_RECORD *rec,
unsigned md_size)
{
#if defined(CBC_MAC_ROTATE_IN_PLACE)
unsigned char rotated_mac_buf[EVP_MAX_MD_SIZE*2];
unsigned char *rotated_mac;
#else
unsigned char rotated_mac[EVP_MAX_MD_SIZE];
#endif
/* mac_end is the index of |rec->data| just after the end of the MAC. */
unsigned mac_end = rec->length;
unsigned mac_start = mac_end - md_size;
/* scan_start contains the number of bytes that we can ignore because
* the MAC's position can only vary by 255 bytes. */
unsigned scan_start = 0;
unsigned i, j;
unsigned div_spoiler;
unsigned rotate_offset;
OPENSSL_assert(rec->orig_len >= md_size);
OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
#if defined(CBC_MAC_ROTATE_IN_PLACE)
rotated_mac = (unsigned char*) (((intptr_t)(rotated_mac_buf + 64)) & ~63);
#endif
/* This information is public so it's safe to branch based on it. */
if (rec->orig_len > md_size + 255 + 1)
scan_start = rec->orig_len - (md_size + 255 + 1);
/* div_spoiler contains a multiple of md_size that is used to cause the
* modulo operation to be constant time. Without this, the time varies
* based on the amount of padding when running on Intel chips at least.
*
* The aim of right-shifting md_size is so that the compiler doesn't
* figure out that it can remove div_spoiler as that would require it
* to prove that md_size is always even, which I hope is beyond it. */
div_spoiler = md_size >> 1;
div_spoiler <<= (sizeof(div_spoiler)-1)*8;
rotate_offset = (div_spoiler + mac_start - scan_start) % md_size;
memset(rotated_mac, 0, md_size);
for (i = scan_start; i < rec->orig_len;)
{
for (j = 0; j < md_size && i < rec->orig_len; i++, j++)
{
unsigned char mac_started = constant_time_ge(i, mac_start);
unsigned char mac_ended = constant_time_ge(i, mac_end);
unsigned char b = 0;
b = rec->data[i];
rotated_mac[j] |= b & mac_started & ~mac_ended;
}
}
/* Now rotate the MAC */
#if defined(CBC_MAC_ROTATE_IN_PLACE)
j = 0;
for (i = 0; i < md_size; i++)
{
unsigned char offset = (div_spoiler + rotate_offset + i) % md_size;
out[j++] = rotated_mac[offset];
}
#else
memset(out, 0, md_size);
for (i = 0; i < md_size; i++)
{
unsigned char offset = (div_spoiler + md_size - rotate_offset + i) % md_size;
for (j = 0; j < md_size; j++)
out[j] |= rotated_mac[i] & constant_time_eq_8(j, offset);
}
#endif
}
/* These functions serialize the state of a hash and thus perform the standard
* "final" operation without adding the padding and length that such a function
* typically does. */
static void tls1_md5_final_raw(void* ctx, unsigned char *md_out)
{
MD5_CTX *md5 = ctx;
l2n(md5->A, md_out);
l2n(md5->B, md_out);
l2n(md5->C, md_out);
l2n(md5->D, md_out);
}
static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out)
{
SHA_CTX *sha1 = ctx;
l2n(sha1->h0, md_out);
l2n(sha1->h1, md_out);
l2n(sha1->h2, md_out);
l2n(sha1->h3, md_out);
l2n(sha1->h4, md_out);
}
#define LARGEST_DIGEST_CTX SHA_CTX
#ifndef OPENSSL_NO_SHA256
static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out)
{
SHA256_CTX *sha256 = ctx;
unsigned i;
for (i = 0; i < 8; i++)
{
l2n(sha256->h[i], md_out);
}
}
#undef LARGEST_DIGEST_CTX
#define LARGEST_DIGEST_CTX SHA256_CTX
#endif
#ifndef OPENSSL_NO_SHA512
static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out)
{
SHA512_CTX *sha512 = ctx;
unsigned i;
for (i = 0; i < 8; i++)
{
l2n8(sha512->h[i], md_out);
}
}
#undef LARGEST_DIGEST_CTX
#define LARGEST_DIGEST_CTX SHA512_CTX
#endif
/* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function
* which ssl3_cbc_digest_record supports. */
char ssl3_cbc_record_digest_supported(const EVP_MD *digest)
{
#ifdef OPENSSL_FIPS
if (FIPS_mode())
return 0;
#endif
switch (EVP_MD_type(digest))
{
case NID_md5:
case NID_sha1:
#ifndef OPENSSL_NO_SHA256
case NID_sha224:
case NID_sha256:
#endif
#ifndef OPENSSL_NO_SHA512
case NID_sha384:
case NID_sha512:
#endif
return 1;
default:
return 0;
}
}
/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS
* record.
*
* ctx: the EVP_MD_CTX from which we take the hash function.
* ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX.
* md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written.
* md_out_size: if non-NULL, the number of output bytes is written here.
* header: the 13-byte, TLS record header.
* data: the record data itself, less any preceeding explicit IV.
* data_plus_mac_size: the secret, reported length of the data and MAC
* once the padding has been removed.
* data_plus_mac_plus_padding_size: the public length of the whole
* record, including padding.
* is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS.
*
* On entry: by virtue of having been through one of the remove_padding
* functions, above, we know that data_plus_mac_size is large enough to contain
* a padding byte and MAC. (If the padding was invalid, it might contain the
* padding too. ) */
void ssl3_cbc_digest_record(
const EVP_MD *digest,
unsigned char* md_out,
size_t* md_out_size,
const unsigned char header[13],
const unsigned char *data,
size_t data_plus_mac_size,
size_t data_plus_mac_plus_padding_size,
const unsigned char *mac_secret,
unsigned mac_secret_length,
char is_sslv3)
{
union { double align;
unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; } md_state;
void (*md_final_raw)(void *ctx, unsigned char *md_out);
void (*md_transform)(void *ctx, const unsigned char *block);
unsigned md_size, md_block_size = 64;
unsigned sslv3_pad_length = 40, header_length, variance_blocks,
len, max_mac_bytes, num_blocks,
num_starting_blocks, k, mac_end_offset, c, index_a, index_b;
unsigned int bits; /* at most 18 bits */
unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES];
/* hmac_pad is the masked HMAC key. */
unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE];
unsigned char first_block[MAX_HASH_BLOCK_SIZE];
unsigned char mac_out[EVP_MAX_MD_SIZE];
unsigned i, j, md_out_size_u;
EVP_MD_CTX md_ctx;
/* mdLengthSize is the number of bytes in the length field that terminates
* the hash. */
unsigned md_length_size = 8;
/* This is a, hopefully redundant, check that allows us to forget about
* many possible overflows later in this function. */
OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024);
switch (EVP_MD_type(digest))
{
case NID_md5:
MD5_Init((MD5_CTX*)md_state.c);
md_final_raw = tls1_md5_final_raw;
md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform;
md_size = 16;
sslv3_pad_length = 48;
break;
case NID_sha1:
SHA1_Init((SHA_CTX*)md_state.c);
md_final_raw = tls1_sha1_final_raw;
md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform;
md_size = 20;
break;
#ifndef OPENSSL_NO_SHA256
case NID_sha224:
SHA224_Init((SHA256_CTX*)md_state.c);
md_final_raw = tls1_sha256_final_raw;
md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
md_size = 224/8;
break;
case NID_sha256:
SHA256_Init((SHA256_CTX*)md_state.c);
md_final_raw = tls1_sha256_final_raw;
md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform;
md_size = 32;
break;
#endif
#ifndef OPENSSL_NO_SHA512
case NID_sha384:
SHA384_Init((SHA512_CTX*)md_state.c);
md_final_raw = tls1_sha512_final_raw;
md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
md_size = 384/8;
md_block_size = 128;
md_length_size = 16;
break;
case NID_sha512:
SHA512_Init((SHA512_CTX*)md_state.c);
md_final_raw = tls1_sha512_final_raw;
md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform;
md_size = 64;
md_block_size = 128;
md_length_size = 16;
break;
#endif
default:
/* ssl3_cbc_record_digest_supported should have been
* called first to check that the hash function is
* supported. */
OPENSSL_assert(0);
if (md_out_size)
*md_out_size = -1;
return;
}
OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES);
OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE);
OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE);
header_length = 13;
if (is_sslv3)
{
header_length =
mac_secret_length +
sslv3_pad_length +
8 /* sequence number */ +
1 /* record type */ +
2 /* record length */;
}
/* variance_blocks is the number of blocks of the hash that we have to
* calculate in constant time because they could be altered by the
* padding value.
*
* In SSLv3, the padding must be minimal so the end of the plaintext
* varies by, at most, 15+20 = 35 bytes. (We conservatively assume that
* the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash
* termination (0x80 + 64-bit length) don't fit in the final block, we
* say that the final two blocks can vary based on the padding.
*
* TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not
* required to be minimal. Therefore we say that the final six blocks
* can vary based on the padding.
*
* Later in the function, if the message is short and there obviously
* cannot be this many blocks then variance_blocks can be reduced. */
variance_blocks = is_sslv3 ? 2 : 6;
/* From now on we're dealing with the MAC, which conceptually has 13
* bytes of `header' before the start of the data (TLS) or 71/75 bytes
* (SSLv3) */
len = data_plus_mac_plus_padding_size + header_length;
/* max_mac_bytes contains the maximum bytes of bytes in the MAC, including
* |header|, assuming that there's no padding. */
max_mac_bytes = len - md_size - 1;
/* num_blocks is the maximum number of hash blocks. */
num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size;
/* In order to calculate the MAC in constant time we have to handle
* the final blocks specially because the padding value could cause the
* end to appear somewhere in the final |variance_blocks| blocks and we
* can't leak where. However, |num_starting_blocks| worth of data can
* be hashed right away because no padding value can affect whether
* they are plaintext. */
num_starting_blocks = 0;
/* k is the starting byte offset into the conceptual header||data where
* we start processing. */
k = 0;
/* mac_end_offset is the index just past the end of the data to be
* MACed. */
mac_end_offset = data_plus_mac_size + header_length - md_size;
/* c is the index of the 0x80 byte in the final hash block that
* contains application data. */
c = mac_end_offset % md_block_size;
/* index_a is the hash block number that contains the 0x80 terminating
* value. */
index_a = mac_end_offset / md_block_size;
/* index_b is the hash block number that contains the 64-bit hash
* length, in bits. */
index_b = (mac_end_offset + md_length_size) / md_block_size;
/* bits is the hash-length in bits. It includes the additional hash
* block for the masked HMAC key, or whole of |header| in the case of
* SSLv3. */
/* For SSLv3, if we're going to have any starting blocks then we need
* at least two because the header is larger than a single block. */
if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0))
{
num_starting_blocks = num_blocks - variance_blocks;
k = md_block_size*num_starting_blocks;
}
bits = 8*mac_end_offset;
if (!is_sslv3)
{
/* Compute the initial HMAC block. For SSLv3, the padding and
* secret bytes are included in |header| because they take more
* than a single block. */
bits += 8*md_block_size;
memset(hmac_pad, 0, md_block_size);
OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad));
memcpy(hmac_pad, mac_secret, mac_secret_length);
for (i = 0; i < md_block_size; i++)
hmac_pad[i] ^= 0x36;
md_transform(md_state.c, hmac_pad);
}
memset(length_bytes,0,md_length_size-4);
length_bytes[md_length_size-4] = (unsigned char)(bits>>24);
length_bytes[md_length_size-3] = (unsigned char)(bits>>16);
length_bytes[md_length_size-2] = (unsigned char)(bits>>8);
length_bytes[md_length_size-1] = (unsigned char)bits;
if (k > 0)
{
if (is_sslv3)
{
/* The SSLv3 header is larger than a single block.
* overhang is the number of bytes beyond a single
* block that the header consumes: either 7 bytes
* (SHA1) or 11 bytes (MD5). */
unsigned overhang = header_length-md_block_size;
md_transform(md_state.c, header);
memcpy(first_block, header + md_block_size, overhang);
memcpy(first_block + overhang, data, md_block_size-overhang);
md_transform(md_state.c, first_block);
for (i = 1; i < k/md_block_size - 1; i++)
md_transform(md_state.c, data + md_block_size*i - overhang);
}
else
{
/* k is a multiple of md_block_size. */
memcpy(first_block, header, 13);
memcpy(first_block+13, data, md_block_size-13);
md_transform(md_state.c, first_block);
for (i = 1; i < k/md_block_size; i++)
md_transform(md_state.c, data + md_block_size*i - 13);
}
}
memset(mac_out, 0, sizeof(mac_out));
/* We now process the final hash blocks. For each block, we construct
* it in constant time. If the |i==index_a| then we'll include the 0x80
* bytes and zero pad etc. For each block we selectively copy it, in
* constant time, to |mac_out|. */
for (i = num_starting_blocks; i <= num_starting_blocks+variance_blocks; i++)
{
unsigned char block[MAX_HASH_BLOCK_SIZE];
unsigned char is_block_a = constant_time_eq_8(i, index_a);
unsigned char is_block_b = constant_time_eq_8(i, index_b);
for (j = 0; j < md_block_size; j++)
{
unsigned char b = 0, is_past_c, is_past_cp1;
if (k < header_length)
b = header[k];
else if (k < data_plus_mac_plus_padding_size + header_length)
b = data[k-header_length];
k++;
is_past_c = is_block_a & constant_time_ge(j, c);
is_past_cp1 = is_block_a & constant_time_ge(j, c+1);
/* If this is the block containing the end of the
* application data, and we are at the offset for the
* 0x80 value, then overwrite b with 0x80. */
b = (b&~is_past_c) | (0x80&is_past_c);
/* If this the the block containing the end of the
* application data and we're past the 0x80 value then
* just write zero. */
b = b&~is_past_cp1;
/* If this is index_b (the final block), but not
* index_a (the end of the data), then the 64-bit
* length didn't fit into index_a and we're having to
* add an extra block of zeros. */
b &= ~is_block_b | is_block_a;
/* The final bytes of one of the blocks contains the
* length. */
if (j >= md_block_size - md_length_size)
{
/* If this is index_b, write a length byte. */
b = (b&~is_block_b) | (is_block_b&length_bytes[j-(md_block_size-md_length_size)]);
}
block[j] = b;
}
md_transform(md_state.c, block);
md_final_raw(md_state.c, block);
/* If this is index_b, copy the hash value to |mac_out|. */
for (j = 0; j < md_size; j++)
mac_out[j] |= block[j]&is_block_b;
}
EVP_MD_CTX_init(&md_ctx);
EVP_DigestInit_ex(&md_ctx, digest, NULL /* engine */);
if (is_sslv3)
{
/* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */
memset(hmac_pad, 0x5c, sslv3_pad_length);
EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length);
EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length);
EVP_DigestUpdate(&md_ctx, mac_out, md_size);
}
else
{
/* Complete the HMAC in the standard manner. */
for (i = 0; i < md_block_size; i++)
hmac_pad[i] ^= 0x6a;
EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size);
EVP_DigestUpdate(&md_ctx, mac_out, md_size);
}
EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u);
if (md_out_size)
*md_out_size = md_out_size_u;
EVP_MD_CTX_cleanup(&md_ctx);
}
#ifdef OPENSSL_FIPS
/* Due to the need to use EVP in FIPS mode we can't reimplement digests but
* we can ensure the number of blocks processed is equal for all cases
* by digesting additional data.
*/
void tls_fips_digest_extra(
const EVP_CIPHER_CTX *cipher_ctx, const EVP_MD *hash, HMAC_CTX *hctx,
const unsigned char *data, size_t data_len, size_t orig_len)
{
size_t block_size, digest_pad, blocks_data, blocks_orig;
if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE)
return;
block_size = EVP_MD_block_size(hash);
/* We are in FIPS mode if we get this far so we know we have only SHA*
* digests and TLS to deal with.
* Minimum digest padding length is 17 for SHA384/SHA512 and 9
* otherwise.
* Additional header is 13 bytes. To get the number of digest blocks
* processed round up the amount of data plus padding to the nearest
* block length. Block length is 128 for SHA384/SHA512 and 64 otherwise.
* So we have:
* blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size
* equivalently:
* blocks = (payload_len + digest_pad + 12)/block_size + 1
* HMAC adds a constant overhead.
* We're ultimately only interested in differences so this becomes
* blocks = (payload_len + 29)/128
* for SHA384/SHA512 and
* blocks = (payload_len + 21)/64
* otherwise.
*/
digest_pad = block_size == 64 ? 21 : 29;
blocks_orig = (orig_len + digest_pad)/block_size;
blocks_data = (data_len + digest_pad)/block_size;
/* MAC enough blocks to make up the difference between the original
* and actual lengths plus one extra block to ensure this is never a
* no op. The "data" pointer should always have enough space to
* perform this operation as it is large enough for a maximum
* length TLS buffer.
*/
HMAC_Update(hctx, data,
(blocks_orig - blocks_data + 1) * block_size);
}
#endif

View File

@@ -262,7 +262,16 @@ int ssl3_connect(SSL *s)
ret=ssl3_get_server_hello(s);
if (ret <= 0) goto end;
if (s->hit)
{
s->state=SSL3_ST_CR_FINISHED_A;
#ifndef OPENSSL_NO_TLSEXT
if (s->tlsext_ticket_expected)
{
/* receive renewed session ticket */
s->state=SSL3_ST_CR_SESSION_TICKET_A;
}
#endif
}
else
s->state=SSL3_ST_CR_CERT_A;
s->init_num=0;
@@ -878,7 +887,7 @@ int ssl3_get_server_hello(SSL *s)
/* wrong packet length */
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
goto err;
goto f_err;
}
return(1);
@@ -1713,7 +1722,7 @@ int ssl3_get_new_session_ticket(SSL *s)
if (n < 6)
{
/* need at least ticket_lifetime_hint + ticket length */
al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
goto f_err;
}
@@ -1724,7 +1733,7 @@ int ssl3_get_new_session_ticket(SSL *s)
/* ticket_lifetime_hint + ticket_length + ticket */
if (ticklen + 6 != n)
{
al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
goto f_err;
}

View File

@@ -433,12 +433,21 @@ void ssl3_cleanup_key_block(SSL *s)
s->s3->tmp.key_block_length=0;
}
/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively.
*
* Returns:
* 0: (in non-constant time) if the record is publically invalid (i.e. too
* short etc).
* 1: if the record's padding is valid / the encryption was successful.
* -1: if the record's padding is invalid or, if sending, an internal error
* occured.
*/
int ssl3_enc(SSL *s, int send)
{
SSL3_RECORD *rec;
EVP_CIPHER_CTX *ds;
unsigned long l;
int bs,i;
int bs,i,mac_size=0;
const EVP_CIPHER *enc;
if (send)
@@ -479,6 +488,9 @@ int ssl3_enc(SSL *s, int send)
/* we need to add 'i-1' padding bytes */
l+=i;
/* the last of these zero bytes will be overwritten
* with the padding length. */
memset(&rec->input[rec->length], 0, i);
rec->length+=i;
rec->input[l-1]=(i-1);
}
@@ -486,32 +498,19 @@ int ssl3_enc(SSL *s, int send)
if (!send)
{
if (l == 0 || l%bs != 0)
{
SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
return 0;
}
/* otherwise, rec->length >= bs */
}
EVP_Cipher(ds,rec->data,rec->input,l);
rec->orig_len = rec->length;
if (s->read_hash != NULL)
mac_size = EVP_MD_size(s->read_hash);
if ((bs != 1) && !send)
{
i=rec->data[l-1]+1;
/* SSL 3.0 bounds the number of padding bytes by the block size;
* padding bytes (except the last one) are arbitrary */
if (i > bs)
{
/* Incorrect padding. SSLerr() and ssl3_alert are done
* by caller: we don't want to reveal whether this is
* a decryption error or a MAC verification failure
* (see http://www.openssl.org/~bodo/tls-cbc.txt) */
return -1;
}
/* now i <= bs <= rec->length */
rec->length-=i;
}
return ssl3_cbc_remove_padding(s, rec, bs, mac_size);
}
return(1);
}
@@ -588,7 +587,7 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
EVP_MD_CTX md_ctx;
const EVP_MD *hash;
unsigned char *p,rec_char;
unsigned int md_size;
size_t md_size;
int npad;
if (send)
@@ -609,28 +608,68 @@ int ssl3_mac(SSL *ssl, unsigned char *md, int send)
md_size=EVP_MD_size(hash);
npad=(48/md_size)*md_size;
/* Chop the digest off the end :-) */
EVP_MD_CTX_init(&md_ctx);
if (!send &&
EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE &&
ssl3_cbc_record_digest_supported(hash))
{
/* This is a CBC-encrypted record. We must avoid leaking any
* timing-side channel information about how many blocks of
* data we are hashing because that gives an attacker a
* timing-oracle. */
EVP_DigestInit_ex( &md_ctx,hash, NULL);
EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
EVP_DigestUpdate(&md_ctx,seq,8);
rec_char=rec->type;
EVP_DigestUpdate(&md_ctx,&rec_char,1);
p=md;
s2n(rec->length,p);
EVP_DigestUpdate(&md_ctx,md,2);
EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
EVP_DigestFinal_ex( &md_ctx,md,NULL);
/* npad is, at most, 48 bytes and that's with MD5:
* 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75.
*
* With SHA-1 (the largest hash speced for SSLv3) the hash size
* goes up 4, but npad goes down by 8, resulting in a smaller
* total size. */
unsigned char header[75];
unsigned j = 0;
memcpy(header+j, mac_sec, md_size);
j += md_size;
memcpy(header+j, ssl3_pad_1, npad);
j += npad;
memcpy(header+j, seq, 8);
j += 8;
header[j++] = rec->type;
header[j++] = rec->length >> 8;
header[j++] = rec->length & 0xff;
EVP_DigestInit_ex( &md_ctx,hash, NULL);
EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
EVP_DigestUpdate(&md_ctx,md,md_size);
EVP_DigestFinal_ex( &md_ctx,md,&md_size);
ssl3_cbc_digest_record(
hash,
md, &md_size,
header, rec->input,
rec->length + md_size, rec->orig_len,
mac_sec, md_size,
1 /* is SSLv3 */);
}
else
{
unsigned int md_size_u;
/* Chop the digest off the end :-) */
EVP_MD_CTX_init(&md_ctx);
EVP_MD_CTX_cleanup(&md_ctx);
EVP_DigestInit_ex( &md_ctx,hash, NULL);
EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad);
EVP_DigestUpdate(&md_ctx,seq,8);
rec_char=rec->type;
EVP_DigestUpdate(&md_ctx,&rec_char,1);
p=md;
s2n(rec->length,p);
EVP_DigestUpdate(&md_ctx,md,2);
EVP_DigestUpdate(&md_ctx,rec->input,rec->length);
EVP_DigestFinal_ex( &md_ctx,md,NULL);
EVP_DigestInit_ex( &md_ctx,hash, NULL);
EVP_DigestUpdate(&md_ctx,mac_sec,md_size);
EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad);
EVP_DigestUpdate(&md_ctx,md,md_size);
EVP_DigestFinal_ex( &md_ctx,md,&md_size_u);
md_size = md_size_u;
EVP_MD_CTX_cleanup(&md_ctx);
}
ssl3_record_sequence_update(seq);
return(md_size);

Some files were not shown because too many files have changed in this diff Show More