Index: CHANGES =================================================================== --- CHANGES (revision 246700) +++ CHANGES (working copy) @@ -2,6 +2,53 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1d and 1.0.1e [11 Feb 2013] + + *) + + Changes between 1.0.1c and 1.0.1d [5 Feb 2013] + + *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. + + This addresses the flaw in CBC record processing discovered by + Nadhem Alfardan and Kenny Paterson. Details of this attack can be found + at: http://www.isg.rhul.ac.uk/tls/ + + Thanks go to Nadhem Alfardan and Kenny Paterson of the Information + Security Group at Royal Holloway, University of London + (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and + Emilia Käsper for the initial patch. + (CVE-2013-0169) + [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] + + *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode + ciphersuites which can be exploited in a denial of service attack. + Thanks go to and to Adam Langley for discovering + and detecting this bug and to Wolfgang Ettlinger + for independently discovering this issue. + (CVE-2012-2686) + [Adam Langley] + + *) Return an error when checking OCSP signatures when key is NULL. + This fixes a DoS attack. (CVE-2013-0166) + [Steve Henson] + + *) Make openssl verify return errors. + [Chris Palmer and Ben Laurie] + + *) Call OCSP Stapling callback after ciphersuite has been chosen, so + the right response is stapled. Also change SSL_get_certificate() + so it returns the certificate actually sent. + See http://rt.openssl.org/Ticket/Display.html?id=2836. + [Rob Stradling ] + + *) Fix possible deadlock when decoding public keys. + [Steve Henson] + + *) Don't use TLS 1.0 record version number in initial client hello + if renegotiating. + [Steve Henson] + Changes between 1.0.1b and 1.0.1c [10 May 2012] *) Sanity check record length before skipping explicit IV in TLS Index: Configure =================================================================== --- Configure (revision 246700) +++ Configure (working copy) @@ -171,20 +171,22 @@ my %table=( "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::", "debug-ben-debug", "gcc44:$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O2 -pipe::(unknown)::::::", +"debug-ben-debug-64", "gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-ben-macos", "cc:$gcc_devteam_warn -arch i386 -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe::(unknown)::-Wl,-search_paths_first::::", "debug-ben-macos-gcc46", "gcc-mp-4.6:$gcc_devteam_warn -Wconversion -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe::(unknown)::::::", +"debug-ben-darwin64","cc:$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib", "debug-ben-no-opt", "gcc: -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -DTERMIOS -Wall -g3::(unknown)::::::", "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", "debug-bodo", "gcc:$gcc_devteam_warn -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll", -"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-geoff32","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:BN_LLONG:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-geoff64","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn", @@ -243,7 +245,7 @@ my %table=( "solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs::/64", +"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64", #### "debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -464,8 +466,8 @@ my %table=( "aix64-gcc","gcc:-maix64 -O -DB_ENDIAN::-pthread:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-maix64 -shared -Wl,-G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X64", # Below targets assume AIX 5. Idea is to effectively disregard $OBJECT_MODE # at build time. $OBJECT_MODE is respected at ./config stage! -"aix-cc", "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32", -"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64", +"aix-cc", "cc:-q32 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::BN_LLONG RC4_CHAR:${ppc32_asm}:aix32:dlfcn:aix-shared::-q32 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 32", +"aix64-cc", "cc:-q64 -O -DB_ENDIAN -qmaxmem=16384 -qro -qroconst::-qthreaded -D_THREAD_SAFE:AIX::SIXTY_FOUR_BIT_LONG RC4_CHAR:${ppc64_asm}:aix64:dlfcn:aix-shared::-q64 -G:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)::-X 64", # # Cray T90 and similar (SDSC) Index: FAQ =================================================================== --- FAQ (revision 246700) +++ FAQ (working copy) @@ -83,11 +83,11 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 1.0.1c was released on May 10th, 2012. +OpenSSL 1.0.1e was released on Feb 11th, 2013. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at , or get it by anonymous CVS access. +ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access. * Where is the documentation? Index: FREEBSD-upgrade =================================================================== --- FREEBSD-upgrade (revision 246700) +++ FREEBSD-upgrade (working copy) @@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrim # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://svn.freebsd.org/base" -setenv OSSLVER 1.0.1c -# OSSLTAG format: v1_0_1c +setenv OSSLVER 1.0.1e +# OSSLTAG format: v1_0_1e ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` @@ -35,7 +35,7 @@ comm -23 old new # See that files to add makes sense comm -13 old new -tar -cf - -C openssl-${OSSLVER} . | tar xf - -C dist +tar -cf - -C openssl-${OSSLVER} . | tar -xf - -C dist cd dist comm -23 ../old ../new | xargs svn rm # Make sure to remove empty directories Index: Makefile =================================================================== --- Makefile (revision 246700) +++ Makefile (working copy) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.1c +VERSION=1.0.1e MAJOR=1 MINOR=0.1 SHLIB_VERSION_NUMBER=1.0.0 @@ -71,7 +71,7 @@ RANLIB= /usr/bin/ranlib NM= nm PERL= /usr/bin/perl TAR= tar -TARFLAGS= --no-recursion +TARFLAGS= --no-recursion --record-size=10240 MAKEDEPPROG=makedepend LIBDIR=lib @@ -446,7 +446,7 @@ rehash.time: certs apps [ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \ OPENSSL_DEBUG_MEMORY=on; \ export OPENSSL OPENSSL_DEBUG_MEMORY; \ - $(PERL) tools/c_rehash certs) && \ + $(PERL) tools/c_rehash certs/demo) && \ touch rehash.time; \ else :; fi Index: Makefile.org =================================================================== --- Makefile.org (revision 246700) +++ Makefile.org (working copy) @@ -69,7 +69,7 @@ RANLIB= ranlib NM= nm PERL= perl TAR= tar -TARFLAGS= --no-recursion +TARFLAGS= --no-recursion --record-size=10240 MAKEDEPPROG=makedepend LIBDIR=lib @@ -444,7 +444,7 @@ rehash.time: certs apps [ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \ OPENSSL_DEBUG_MEMORY=on; \ export OPENSSL OPENSSL_DEBUG_MEMORY; \ - $(PERL) tools/c_rehash certs) && \ + $(PERL) tools/c_rehash certs/demo) && \ touch rehash.time; \ else :; fi Index: NEWS =================================================================== --- NEWS (revision 246700) +++ NEWS (working copy) @@ -5,6 +5,18 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e: + + o Corrected fix for CVE-2013-0169 + + Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d: + + o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version. + o Include the fips configuration module. + o Fix OCSP bad key DoS attack CVE-2013-0166 + o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169 + o Fix for TLS AESNI record handling flaw CVE-2012-2686 + Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c: o Fix TLS/DTLS record length checking bug CVE-2012-2333 Index: PROBLEMS =================================================================== --- PROBLEMS (revision 246700) +++ PROBLEMS (working copy) @@ -197,3 +197,17 @@ reconfigure with additional no-sse2 [or 386] optio We don't have framework to associate -ldl with no-dso, therefore the only way is to edit Makefile right after ./config no-dso and remove -ldl from EX_LIBS line. + +* hpux-parisc2-cc no-asm build fails with SEGV in ECDSA/DH. + +Compiler bug, presumably at particular patch level. Remaining +hpux*-parisc*-cc configurations can be affected too. Drop optimization +level to +O2 when compiling bn_nist.o. + +* solaris64-sparcv9-cc link failure + +Solaris 8 ar can fail to maintain symbol table in .a, which results in +link failures. Apply 109147-09 or later or modify Makefile generated +by ./Configure solaris64-sparcv9-cc and replace RANLIB assignment with + + RANLIB= /usr/ccs/bin/ar rs Index: README =================================================================== --- README (revision 246700) +++ README (working copy) @@ -1,5 +1,5 @@ - OpenSSL 1.0.1c 10 May 2012 + OpenSSL 1.0.1e 11 Feb 2013 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson @@ -190,7 +190,7 @@ reason as to why that feature isn't implemented. Patches should be as up to date as possible, preferably relative to the - current CVS or the last snapshot. They should follow the coding style of + current Git or the last snapshot. They should follow the coding style of OpenSSL and compile without warnings. Some of the core team developer targets can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL compiles on many varied platforms: try to ensure you only use portable Index: apps/apps.c =================================================================== --- apps/apps.c (revision 246700) +++ apps/apps.c (working copy) @@ -2132,7 +2132,7 @@ X509_NAME *parse_name(char *subject, long chtype, X509_NAME *n = NULL; int nid; - if (!buf || !ne_types || !ne_values) + if (!buf || !ne_types || !ne_values || !mval) { BIO_printf(bio_err, "malloc error\n"); goto error; @@ -2236,6 +2236,7 @@ X509_NAME *parse_name(char *subject, long chtype, OPENSSL_free(ne_values); OPENSSL_free(ne_types); OPENSSL_free(buf); + OPENSSL_free(mval); return n; error: @@ -2244,6 +2245,8 @@ error: OPENSSL_free(ne_values); if (ne_types) OPENSSL_free(ne_types); + if (mval) + OPENSSL_free(mval); if (buf) OPENSSL_free(buf); return NULL; Index: apps/ca.c =================================================================== --- apps/ca.c (revision 246700) +++ apps/ca.c (working copy) @@ -1408,6 +1408,7 @@ bad: if (!NCONF_get_number(conf,section, ENV_DEFAULT_CRL_HOURS, &crlhours)) crlhours = 0; + ERR_clear_error(); } if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) { Index: apps/cms.c =================================================================== --- apps/cms.c (revision 246700) +++ apps/cms.c (working copy) @@ -233,6 +233,8 @@ int MAIN(int argc, char **argv) else if (!strcmp(*args,"-camellia256")) cipher = EVP_camellia_256_cbc(); #endif + else if (!strcmp (*args, "-debug_decrypt")) + flags |= CMS_DEBUG_DECRYPT; else if (!strcmp (*args, "-text")) flags |= CMS_TEXT; else if (!strcmp (*args, "-nointern")) @@ -1039,6 +1041,8 @@ int MAIN(int argc, char **argv) ret = 4; if (operation == SMIME_DECRYPT) { + if (flags & CMS_DEBUG_DECRYPT) + CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); if (secret_key) { Index: apps/dgst.c =================================================================== --- apps/dgst.c (revision 246700) +++ apps/dgst.c (working copy) @@ -216,10 +216,10 @@ int MAIN(int argc, char **argv) out_bin = 1; else if (strcmp(*argv,"-d") == 0) debug=1; + else if (!strcmp(*argv,"-fips-fingerprint")) + hmac_key = "etaonrishdlcupfm"; else if (strcmp(*argv,"-non-fips-allow") == 0) non_fips_allow=1; - else if (!strcmp(*argv,"-fips-fingerprint")) - hmac_key = "etaonrishdlcupfm"; else if (!strcmp(*argv,"-hmac")) { if (--argc < 1) Index: apps/dhparam.c =================================================================== --- apps/dhparam.c (revision 246700) +++ apps/dhparam.c (working copy) @@ -332,7 +332,6 @@ bad: BIO_printf(bio_err,"This is going to take a long time\n"); if(!dh || !DH_generate_parameters_ex(dh, num, g, &cb)) { - if(dh) DH_free(dh); ERR_print_errors(bio_err); goto end; } Index: apps/dsaparam.c =================================================================== --- apps/dsaparam.c (revision 246700) +++ apps/dsaparam.c (working copy) @@ -326,6 +326,7 @@ bad: goto end; } #endif + ERR_print_errors(bio_err); BIO_printf(bio_err,"Error, DSA key generation failed\n"); goto end; } @@ -429,13 +430,19 @@ bad: assert(need_rand); if ((dsakey=DSAparams_dup(dsa)) == NULL) goto end; - if (!DSA_generate_key(dsakey)) goto end; + if (!DSA_generate_key(dsakey)) + { + ERR_print_errors(bio_err); + DSA_free(dsakey); + goto end; + } if (outformat == FORMAT_ASN1) i=i2d_DSAPrivateKey_bio(out,dsakey); else if (outformat == FORMAT_PEM) i=PEM_write_bio_DSAPrivateKey(out,dsakey,NULL,NULL,0,NULL,NULL); else { BIO_printf(bio_err,"bad output format specified for outfile\n"); + DSA_free(dsakey); goto end; } DSA_free(dsakey); Index: apps/genrsa.c =================================================================== --- apps/genrsa.c (revision 246700) +++ apps/genrsa.c (working copy) @@ -78,7 +78,7 @@ #include #include -#define DEFBITS 512 +#define DEFBITS 1024 #undef PROG #define PROG genrsa_main Index: apps/ocsp.c =================================================================== --- apps/ocsp.c (revision 246700) +++ apps/ocsp.c (working copy) @@ -617,7 +617,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-ndays n number of days before next update\n"); BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n"); BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n"); - BIO_printf (bio_err, "- use specified digest in the request"); + BIO_printf (bio_err, "- use specified digest in the request\n"); goto end; } Index: apps/s_cb.c =================================================================== --- apps/s_cb.c (revision 246700) +++ apps/s_cb.c (working copy) @@ -237,8 +237,8 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, /* If we are using DSA, we can copy the parameters from * the private key */ - - + + /* Now we know that a key and cert have been set against * the SSL context */ if (!SSL_CTX_check_private_key(ctx)) @@ -436,6 +436,8 @@ void MS_CALLBACK msg_cb(int write_p, int version, if (version == SSL3_VERSION || version == TLS1_VERSION || + version == TLS1_1_VERSION || + version == TLS1_2_VERSION || version == DTLS1_VERSION || version == DTLS1_BAD_VER) { Index: apps/s_client.c =================================================================== --- apps/s_client.c (revision 246700) +++ apps/s_client.c (working copy) @@ -357,12 +357,14 @@ static void sc_usage(void) BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); -# if !defined(OPENSSL_NO_NEXTPROTONEG) +# ifndef OPENSSL_NO_NEXTPROTONEG BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); # endif #endif BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); +#ifndef OPENSSL_NO_SRTP BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); +#endif BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); } @@ -502,7 +504,9 @@ static char * MS_CALLBACK ssl_give_srp_client_pwd_ } #endif +#ifndef OPENSSL_NO_SRTP char *srtp_profiles = NULL; +#endif # ifndef OPENSSL_NO_NEXTPROTONEG /* This the context that we pass to next_proto_cb */ @@ -536,7 +540,7 @@ static int next_proto_cb(SSL *s, unsigned char **o ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len); return SSL_TLSEXT_ERR_OK; } -# endif +# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ #endif enum @@ -945,11 +949,13 @@ int MAIN(int argc, char **argv) jpake_secret = *++argv; } #endif +#ifndef OPENSSL_NO_SRTP else if (strcmp(*argv,"-use_srtp") == 0) { if (--argc < 1) goto bad; srtp_profiles = *(++argv); } +#endif else if (strcmp(*argv,"-keymatexport") == 0) { if (--argc < 1) goto bad; @@ -1130,6 +1136,8 @@ bad: BIO_printf(bio_c_out, "PSK key given or JPAKE in use, setting client callback\n"); SSL_CTX_set_psk_client_callback(ctx, psk_client_cb); } +#endif +#ifndef OPENSSL_NO_SRTP if (srtp_profiles != NULL) SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); #endif @@ -1890,6 +1898,10 @@ end: print_stuff(bio_c_out,con,1); SSL_free(con); } +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + if (next_proto.data) + OPENSSL_free(next_proto.data); +#endif if (ctx != NULL) SSL_CTX_free(ctx); if (cert) X509_free(cert); @@ -1897,6 +1909,8 @@ end: EVP_PKEY_free(key); if (pass) OPENSSL_free(pass); + if (vpm) + X509_VERIFY_PARAM_free(vpm); if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); } @@ -2061,6 +2075,7 @@ static void print_stuff(BIO *bio, SSL *s, int full } #endif +#ifndef OPENSSL_NO_SRTP { SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s); @@ -2068,6 +2083,7 @@ static void print_stuff(BIO *bio, SSL *s, int full BIO_printf(bio,"SRTP Extension negotiated, profile=%s\n", srtp_profile->name); } +#endif SSL_SESSION_print(bio,SSL_get_session(s)); if (keymatexportlabel != NULL) Index: apps/s_server.c =================================================================== --- apps/s_server.c (revision 246700) +++ apps/s_server.c (working copy) @@ -556,7 +556,9 @@ static void sv_usage(void) # ifndef OPENSSL_NO_NEXTPROTONEG BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n"); # endif +# ifndef OPENSSL_NO_SRTP BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); +# endif #endif BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); @@ -923,7 +925,9 @@ static char *jpake_secret = NULL; #ifndef OPENSSL_NO_SRP static srpsrvparm srp_callback_parm; #endif +#ifndef OPENSSL_NO_SRTP static char *srtp_profiles = NULL; +#endif int MAIN(int argc, char *argv[]) { @@ -1206,13 +1210,13 @@ int MAIN(int argc, char *argv[]) { if (--argc < 1) goto bad; srp_verifier_file = *(++argv); - meth=TLSv1_server_method(); + meth = TLSv1_server_method(); } else if (strcmp(*argv, "-srpuserseed") == 0) { if (--argc < 1) goto bad; srpuserseed = *(++argv); - meth=TLSv1_server_method(); + meth = TLSv1_server_method(); } #endif else if (strcmp(*argv,"-www") == 0) @@ -1319,11 +1323,13 @@ int MAIN(int argc, char *argv[]) jpake_secret = *(++argv); } #endif +#ifndef OPENSSL_NO_SRTP else if (strcmp(*argv,"-use_srtp") == 0) { if (--argc < 1) goto bad; srtp_profiles = *(++argv); } +#endif else if (strcmp(*argv,"-keymatexport") == 0) { if (--argc < 1) goto bad; @@ -1431,26 +1437,25 @@ bad: goto end; } } - -# ifndef OPENSSL_NO_NEXTPROTONEG - if (next_proto_neg_in) - { - unsigned short len; - next_proto.data = next_protos_parse(&len, - next_proto_neg_in); - if (next_proto.data == NULL) - goto end; - next_proto.len = len; - } - else - { - next_proto.data = NULL; - } -# endif #endif } +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + if (next_proto_neg_in) + { + unsigned short len; + next_proto.data = next_protos_parse(&len, next_proto_neg_in); + if (next_proto.data == NULL) + goto end; + next_proto.len = len; + } + else + { + next_proto.data = NULL; + } +#endif + if (s_dcert_file) { @@ -1550,8 +1555,10 @@ bad: else SSL_CTX_sess_set_cache_size(ctx,128); +#ifndef OPENSSL_NO_SRTP if (srtp_profiles != NULL) SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); +#endif #if 0 if (cipher == NULL) cipher=getenv("SSL_CIPHER"); @@ -1730,7 +1737,7 @@ bad: } #endif - if (!set_cert_key_stuff(ctx,s_cert,s_key)) + if (!set_cert_key_stuff(ctx, s_cert, s_key)) goto end; #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2)) @@ -1738,7 +1745,7 @@ bad: #endif if (s_dcert != NULL) { - if (!set_cert_key_stuff(ctx,s_dcert,s_dkey)) + if (!set_cert_key_stuff(ctx, s_dcert, s_dkey)) goto end; } @@ -1893,7 +1900,15 @@ end: OPENSSL_free(pass); if (dpass) OPENSSL_free(dpass); + if (vpm) + X509_VERIFY_PARAM_free(vpm); #ifndef OPENSSL_NO_TLSEXT + if (tlscstatp.host) + OPENSSL_free(tlscstatp.host); + if (tlscstatp.port) + OPENSSL_free(tlscstatp.port); + if (tlscstatp.path) + OPENSSL_free(tlscstatp.path); if (ctx2 != NULL) SSL_CTX_free(ctx2); if (s_cert2) X509_free(s_cert2); @@ -2433,6 +2448,7 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); + #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len); if (next_proto_neg) @@ -2442,6 +2458,7 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out, "\n"); } #endif +#ifndef OPENSSL_NO_SRTP { SRTP_PROTECTION_PROFILE *srtp_profile = SSL_get_selected_srtp_profile(con); @@ -2450,6 +2467,7 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out,"SRTP Extension negotiated, profile=%s\n", srtp_profile->name); } +#endif if (SSL_cache_hit(con)) BIO_printf(bio_s_out,"Reused session-id\n"); if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) & TLS1_FLAGS_TLS_PADDING_BUG) @@ -2701,6 +2719,11 @@ static int www_body(char *hostname, int s, unsigne } BIO_puts(io,"\n"); + BIO_printf(io, + "Secure Renegotiation IS%s supported\n", + SSL_get_secure_renegotiation_support(con) ? + "" : " NOT"); + /* The following is evil and should not really * be done */ BIO_printf(io,"Ciphers supported in s_server binary\n"); Index: apps/speed.c =================================================================== --- apps/speed.c (revision 246700) +++ apps/speed.c (working copy) @@ -254,7 +254,7 @@ static const char *names[ALGOR_NUM]={ "aes-128 cbc","aes-192 cbc","aes-256 cbc", "camellia-128 cbc","camellia-192 cbc","camellia-256 cbc", "evp","sha256","sha512","whirlpool", - "aes-128 ige","aes-192 ige","aes-256 ige","ghash"}; + "aes-128 ige","aes-192 ige","aes-256 ige","ghash" }; static double results[ALGOR_NUM][SIZE_NUM]; static int lengths[SIZE_NUM]={16,64,256,1024,8*1024}; #ifndef OPENSSL_NO_RSA @@ -299,7 +299,7 @@ static SIGRETTYPE sig_done(int sig) #if defined(_WIN32) #if !defined(SIGALRM) -#define SIGALRM +# define SIGALRM #endif static unsigned int lapse,schlock; static void alarm_win32(unsigned int secs) { lapse = secs*1000; } Index: apps/srp.c =================================================================== --- apps/srp.c (revision 246700) +++ apps/srp.c (working copy) @@ -125,13 +125,13 @@ static int get_index(CA_DB *db, char* id, char typ if (type == DB_SRP_INDEX) for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { - pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i); - if (pp[DB_srptype][0] == DB_SRP_INDEX && !strcmp(id, pp[DB_srpid])) + pp = sk_OPENSSL_PSTRING_value(db->db->data,i); + if (pp[DB_srptype][0] == DB_SRP_INDEX && !strcmp(id,pp[DB_srpid])) return i; } else for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { - pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i); + pp = sk_OPENSSL_PSTRING_value(db->db->data,i); if (pp[DB_srptype][0] != DB_SRP_INDEX && !strcmp(id,pp[DB_srpid])) return i; @@ -145,7 +145,7 @@ static void print_entry(CA_DB *db, BIO *bio, int i if (indx >= 0 && verbose) { int j; - char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, indx); + char **pp = sk_OPENSSL_PSTRING_value(db->db->data, indx); BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]); for (j = 0; j < DB_NUMBER; j++) { @@ -163,7 +163,7 @@ static void print_user(CA_DB *db, BIO *bio, int us { if (verbose > 0) { - char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + char **pp = sk_OPENSSL_PSTRING_value(db->db->data,userindex); if (pp[DB_srptype][0] != 'I') { @@ -517,7 +517,7 @@ bad: /* Lets check some fields */ for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { - pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i); + pp = sk_OPENSSL_PSTRING_value(db->db->data, i); if (pp[DB_srptype][0] == DB_SRP_INDEX) { @@ -533,8 +533,8 @@ bad: if (gNindex >= 0) { - gNrow = (char **)sk_OPENSSL_PSTRING_value(db->db->data, gNindex); - print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N") ; + gNrow = sk_OPENSSL_PSTRING_value(db->db->data,gNindex); + print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N"); } else if (maxgN > 0 && !SRP_get_default_gN(gN)) { @@ -587,7 +587,7 @@ bad: if (userindex >= 0) { /* reactivation of a new user */ - char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex); BIO_printf(bio_err, "user \"%s\" reactivated.\n", user); row[DB_srptype][0] = 'V'; @@ -634,7 +634,7 @@ bad: else { - char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex); char type = row[DB_srptype][0]; if (type == 'v') { @@ -664,9 +664,9 @@ bad: if (!(gNid=srp_create_user(user,&(row[DB_srpverifier]), &(row[DB_srpsalt]),gNrow?gNrow[DB_srpsalt]:NULL, gNrow?gNrow[DB_srpverifier]:NULL, passout, bio_err,verbose))) { - BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user); - errors++; - goto err; + BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user); + errors++; + goto err; } row[DB_srptype][0] = 'v'; @@ -689,7 +689,7 @@ bad: } else { - char **xpp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + char **xpp = sk_OPENSSL_PSTRING_value(db->db->data,userindex); BIO_printf(bio_err, "user \"%s\" revoked. t\n", user); xpp[DB_srptype][0] = 'R'; @@ -714,7 +714,7 @@ bad: /* Lets check some fields */ for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { - pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i); + pp = sk_OPENSSL_PSTRING_value(db->db->data,i); if (pp[DB_srptype][0] == 'v') { Index: apps/verify.c =================================================================== --- apps/verify.c (revision 246700) +++ apps/verify.c (working copy) @@ -222,11 +222,19 @@ int MAIN(int argc, char **argv) goto end; } - if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e); + ret = 0; + if (argc < 1) + { + if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e)) + ret = -1; + } else + { for (i=0; i&1` =~ /Version ([0-9]+)\./ && $1>=10); -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; # void aesni_cbc_sha1_enc(const void *inp, # void *out, Index: crypto/aes/asm/aesni-x86_64.pl =================================================================== --- crypto/aes/asm/aesni-x86_64.pl (revision 246700) +++ crypto/aes/asm/aesni-x86_64.pl (working copy) @@ -172,7 +172,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; $movkey = $PREFIX eq "aesni" ? "movups" : "movups"; @_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order Index: crypto/aes/asm/bsaes-x86_64.pl =================================================================== --- crypto/aes/asm/bsaes-x86_64.pl (revision 246700) +++ crypto/aes/asm/bsaes-x86_64.pl (working copy) @@ -105,7 +105,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; my ($inp,$out,$len,$key,$ivp)=("%rdi","%rsi","%rdx","%rcx"); my @XMM=map("%xmm$_",(15,0..14)); # best on Atom, +10% over (0..15) Index: crypto/aes/asm/vpaes-x86_64.pl =================================================================== --- crypto/aes/asm/vpaes-x86_64.pl (revision 246700) +++ crypto/aes/asm/vpaes-x86_64.pl (working copy) @@ -56,7 +56,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; $PREFIX="vpaes"; Index: crypto/asn1/a_strex.c =================================================================== --- crypto/asn1/a_strex.c (revision 246700) +++ crypto/asn1/a_strex.c (working copy) @@ -567,6 +567,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_ if(mbflag == -1) return -1; mbflag |= MBSTRING_FLAG; stmp.data = NULL; + stmp.length = 0; ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING); if(ret < 0) return ret; *out = stmp.data; Index: crypto/asn1/a_verify.c =================================================================== --- crypto/asn1/a_verify.c (revision 246700) +++ crypto/asn1/a_verify.c (working copy) @@ -140,6 +140,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALG int mdnid, pknid; + if (!pkey) + { + ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } + EVP_MD_CTX_init(&ctx); /* Convert signature OID into digest and public key OIDs */ Index: crypto/asn1/x_pubkey.c =================================================================== --- crypto/asn1/x_pubkey.c (revision 246700) +++ crypto/asn1/x_pubkey.c (working copy) @@ -175,12 +175,15 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY); if (key->pkey) { + CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); EVP_PKEY_free(ret); ret = key->pkey; } else + { key->pkey = ret; - CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); + CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); + } CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY); return ret; Index: crypto/bio/bss_dgram.c =================================================================== --- crypto/bio/bss_dgram.c (revision 246700) +++ crypto/bio/bss_dgram.c (working copy) @@ -77,10 +77,20 @@ #define OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE 0xc0 #endif -#ifdef OPENSSL_SYS_LINUX +#if defined(OPENSSL_SYS_LINUX) && !defined(IP_MTU) #define IP_MTU 14 /* linux is lame */ #endif +#if defined(__FreeBSD__) && defined(IN6_IS_ADDR_V4MAPPED) +/* Standard definition causes type-punning problems. */ +#undef IN6_IS_ADDR_V4MAPPED +#define s6_addr32 __u6_addr.__u6_addr32 +#define IN6_IS_ADDR_V4MAPPED(a) \ + (((a)->s6_addr32[0] == 0) && \ + ((a)->s6_addr32[1] == 0) && \ + ((a)->s6_addr32[2] == htonl(0x0000ffff))) +#endif + #ifdef WATT32 #define sock_write SockWrite /* Watt-32 uses same names */ #define sock_read SockRead @@ -255,7 +265,7 @@ static void dgram_adjust_rcv_timeout(BIO *b) { #if defined(SO_RCVTIMEO) bio_dgram_data *data = (bio_dgram_data *)b->ptr; - int sz = sizeof(int); + union { size_t s; int i; } sz = {0}; /* Is a timer active? */ if (data->next_timeout.tv_sec > 0 || data->next_timeout.tv_usec > 0) @@ -265,8 +275,10 @@ static void dgram_adjust_rcv_timeout(BIO *b) /* Read current socket timeout */ #ifdef OPENSSL_SYS_WINDOWS int timeout; + + sz.i = sizeof(timeout); if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, - (void*)&timeout, &sz) < 0) + (void*)&timeout, &sz.i) < 0) { perror("getsockopt"); } else { @@ -274,9 +286,12 @@ static void dgram_adjust_rcv_timeout(BIO *b) data->socket_timeout.tv_usec = (timeout % 1000) * 1000; } #else + sz.i = sizeof(data->socket_timeout); if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, &(data->socket_timeout), (void *)&sz) < 0) { perror("getsockopt"); } + else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0) + OPENSSL_assert(sz.s<=sizeof(data->socket_timeout)); #endif /* Get current time */ @@ -445,11 +460,10 @@ static long dgram_ctrl(BIO *b, int cmd, long num, int *ip; struct sockaddr *to = NULL; bio_dgram_data *data = NULL; -#if defined(IP_MTU_DISCOVER) || defined(IP_MTU) - long sockopt_val = 0; - unsigned int sockopt_len = 0; -#endif -#ifdef OPENSSL_SYS_LINUX +#if defined(OPENSSL_SYS_LINUX) && (defined(IP_MTU_DISCOVER) || defined(IP_MTU)) + int sockopt_val = 0; + socklen_t sockopt_len; /* assume that system supporting IP_MTU is + * modern enough to define socklen_t */ socklen_t addr_len; union { struct sockaddr sa; @@ -531,7 +545,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, break; /* (Linux)kernel sets DF bit on outgoing IP packets */ case BIO_CTRL_DGRAM_MTU_DISCOVER: -#ifdef OPENSSL_SYS_LINUX +#if defined(OPENSSL_SYS_LINUX) && defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO) addr_len = (socklen_t)sizeof(addr); memset((void *)&addr, 0, sizeof(addr)); if (getsockname(b->num, &addr.sa, &addr_len) < 0) @@ -539,7 +553,6 @@ static long dgram_ctrl(BIO *b, int cmd, long num, ret = 0; break; } - sockopt_len = sizeof(sockopt_val); switch (addr.sa.sa_family) { case AF_INET: @@ -548,7 +561,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, &sockopt_val, sizeof(sockopt_val))) < 0) perror("setsockopt"); break; -#if OPENSSL_USE_IPV6 && defined(IPV6_MTU_DISCOVER) +#if OPENSSL_USE_IPV6 && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO) case AF_INET6: sockopt_val = IPV6_PMTUDISC_DO; if ((ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_MTU_DISCOVER, @@ -565,7 +578,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, break; #endif case BIO_CTRL_DGRAM_QUERY_MTU: -#ifdef OPENSSL_SYS_LINUX +#if defined(OPENSSL_SYS_LINUX) && defined(IP_MTU) addr_len = (socklen_t)sizeof(addr); memset((void *)&addr, 0, sizeof(addr)); if (getsockname(b->num, &addr.sa, &addr_len) < 0) @@ -727,12 +740,15 @@ static long dgram_ctrl(BIO *b, int cmd, long num, #endif break; case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT: + { + union { size_t s; int i; } sz = {0}; #ifdef OPENSSL_SYS_WINDOWS - { - int timeout, sz = sizeof(timeout); + int timeout; struct timeval *tv = (struct timeval *)ptr; + + sz.i = sizeof(timeout); if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, - (void*)&timeout, &sz) < 0) + (void*)&timeout, &sz.i) < 0) { perror("getsockopt"); ret = -1; } else { @@ -740,12 +756,20 @@ static long dgram_ctrl(BIO *b, int cmd, long num, tv->tv_usec = (timeout % 1000) * 1000; ret = sizeof(*tv); } - } #else + sz.i = sizeof(struct timeval); if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, - ptr, (void *)&ret) < 0) + ptr, (void *)&sz) < 0) { perror("getsockopt"); ret = -1; } + else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0) + { + OPENSSL_assert(sz.s<=sizeof(struct timeval)); + ret = (int)sz.s; + } + else + ret = sz.i; #endif + } break; #endif #if defined(SO_SNDTIMEO) @@ -765,12 +789,15 @@ static long dgram_ctrl(BIO *b, int cmd, long num, #endif break; case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT: + { + union { size_t s; int i; } sz = {0}; #ifdef OPENSSL_SYS_WINDOWS - { - int timeout, sz = sizeof(timeout); + int timeout; struct timeval *tv = (struct timeval *)ptr; + + sz.i = sizeof(timeout); if (getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, - (void*)&timeout, &sz) < 0) + (void*)&timeout, &sz.i) < 0) { perror("getsockopt"); ret = -1; } else { @@ -778,12 +805,20 @@ static long dgram_ctrl(BIO *b, int cmd, long num, tv->tv_usec = (timeout % 1000) * 1000; ret = sizeof(*tv); } - } #else + sz.i = sizeof(struct timeval); if ( getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, - ptr, (void *)&ret) < 0) + ptr, (void *)&sz) < 0) { perror("getsockopt"); ret = -1; } + else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0) + { + OPENSSL_assert(sz.s<=sizeof(struct timeval)); + ret = (int)sz.s; + } + else + ret = sz.i; #endif + } break; #endif case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP: @@ -955,7 +990,6 @@ static int dgram_sctp_free(BIO *a) #ifdef SCTP_AUTHENTICATION_EVENT void dgram_sctp_handle_auth_free_key_event(BIO *b, union sctp_notification *snp) { - unsigned int sockopt_len = 0; int ret; struct sctp_authkey_event* authkeyevent = &snp->sn_auth_event; @@ -965,9 +999,8 @@ void dgram_sctp_handle_auth_free_key_event(BIO *b, /* delete key */ authkeyid.scact_keynumber = authkeyevent->auth_keynumber; - sockopt_len = sizeof(struct sctp_authkeyid); ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_DELETE_KEY, - &authkeyid, sockopt_len); + &authkeyid, sizeof(struct sctp_authkeyid)); } } #endif @@ -1298,7 +1331,7 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long { long ret=1; bio_dgram_sctp_data *data = NULL; - unsigned int sockopt_len = 0; + socklen_t sockopt_len = 0; struct sctp_authkeyid authkeyid; struct sctp_authkey *authkey; Index: crypto/bn/asm/mips.pl =================================================================== --- crypto/bn/asm/mips.pl (revision 246700) +++ crypto/bn/asm/mips.pl (working copy) @@ -819,7 +819,7 @@ ___ $code.=<<___; .set reorder move $ta3,$ra - bal bn_div_words + bal bn_div_words_internal move $ra,$ta3 $MULTU $ta2,$v0 $LD $t2,-2*$BNSZ($a3) Index: crypto/bn/asm/modexp512-x86_64.pl =================================================================== --- crypto/bn/asm/modexp512-x86_64.pl (revision 246700) +++ crypto/bn/asm/modexp512-x86_64.pl (working copy) @@ -68,7 +68,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; use strict; my $code=".text\n\n"; Index: crypto/bn/asm/x86_64-gf2m.pl =================================================================== --- crypto/bn/asm/x86_64-gf2m.pl (revision 246700) +++ crypto/bn/asm/x86_64-gf2m.pl (working copy) @@ -31,7 +31,7 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open STDOUT,"| \"$^X\" $xlate $flavour $output"; ($lo,$hi)=("%rax","%rdx"); $a=$lo; ($i0,$i1)=("%rsi","%rdi"); Index: crypto/bn/asm/x86_64-mont.pl =================================================================== --- crypto/bn/asm/x86_64-mont.pl (revision 246700) +++ crypto/bn/asm/x86_64-mont.pl (working copy) @@ -40,7 +40,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; # int bn_mul_mont( $rp="%rdi"; # BN_ULONG *rp, Index: crypto/bn/asm/x86_64-mont5.pl =================================================================== --- crypto/bn/asm/x86_64-mont5.pl (revision 246700) +++ crypto/bn/asm/x86_64-mont5.pl (working copy) @@ -28,7 +28,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; # int bn_mul_mont_gather5( $rp="%rdi"; # BN_ULONG *rp, Index: crypto/bn/bn_div.c =================================================================== --- crypto/bn/bn_div.c (revision 246700) +++ crypto/bn/bn_div.c (working copy) @@ -141,6 +141,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM * * * */ +#undef bn_div_words # define bn_div_words(n0,n1,d0) \ ({ asm volatile ( \ "divl %4" \ @@ -155,6 +156,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM * * Same story here, but it's 128-bit by 64-bit division. Wow! * */ +# undef bn_div_words # define bn_div_words(n0,n1,d0) \ ({ asm volatile ( \ "divq %4" \ Index: crypto/bn/bn_gcd.c =================================================================== --- crypto/bn/bn_gcd.c (revision 246700) +++ crypto/bn/bn_gcd.c (working copy) @@ -205,6 +205,7 @@ err: /* solves ax == 1 (mod n) */ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); + BIGNUM *BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) { Index: crypto/bn/bn_lcl.h =================================================================== --- crypto/bn/bn_lcl.h (revision 246700) +++ crypto/bn/bn_lcl.h (working copy) @@ -282,16 +282,23 @@ extern "C" { # endif # elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)) # if defined(__GNUC__) && __GNUC__>=2 -# define BN_UMULT_HIGH(a,b) ({ \ +# if __GNUC__>=4 && __GNUC_MINOR__>=4 /* "h" constraint is no more since 4.4 */ +# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64) +# define BN_UMULT_LOHI(low,high,a,b) ({ \ + __uint128_t ret=(__uint128_t)(a)*(b); \ + (high)=ret>>64; (low)=ret; }) +# else +# define BN_UMULT_HIGH(a,b) ({ \ register BN_ULONG ret; \ asm ("dmultu %1,%2" \ : "=h"(ret) \ : "r"(a), "r"(b) : "l"); \ ret; }) -# define BN_UMULT_LOHI(low,high,a,b) \ +# define BN_UMULT_LOHI(low,high,a,b)\ asm ("dmultu %2,%3" \ : "=l"(low),"=h"(high) \ : "r"(a), "r"(b)); +# endif # endif # endif /* cpu */ #endif /* OPENSSL_NO_ASM */ Index: crypto/camellia/asm/cmll-x86_64.pl =================================================================== --- crypto/camellia/asm/cmll-x86_64.pl (revision 246700) +++ crypto/camellia/asm/cmll-x86_64.pl (working copy) @@ -40,7 +40,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; sub hi() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1h/; $r; } sub lo() { my $r=shift; $r =~ s/%[er]([a-d])x/%\1l/; Index: crypto/cms/cms_cd.c =================================================================== --- crypto/cms/cms_cd.c (revision 246700) +++ crypto/cms/cms_cd.c (working copy) @@ -58,7 +58,9 @@ #include #include #include +#ifndef OPENSSL_NO_COMP #include +#endif #include "cms_lcl.h" DECLARE_ASN1_ITEM(CMS_CompressedData) Index: crypto/cms/cms_enc.c =================================================================== --- crypto/cms/cms_enc.c (revision 246700) +++ crypto/cms/cms_enc.c (working copy) @@ -74,7 +74,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedCo X509_ALGOR *calg = ec->contentEncryptionAlgorithm; unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL; unsigned char *tkey = NULL; - size_t tkeylen; + size_t tkeylen = 0; int ok = 0; Index: crypto/cms/cms_lib.c =================================================================== --- crypto/cms/cms_lib.c (revision 246700) +++ crypto/cms/cms_lib.c (working copy) @@ -411,9 +411,7 @@ int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, * algorithm OID instead of digest. */ || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid) - { return EVP_MD_CTX_copy_ex(mctx, mtmp); - } chain = BIO_next(chain); } } Index: crypto/conf/conf_mall.c =================================================================== --- crypto/conf/conf_mall.c (revision 246700) +++ crypto/conf/conf_mall.c (working copy) @@ -76,5 +76,6 @@ void OPENSSL_load_builtin_modules(void) #ifndef OPENSSL_NO_ENGINE ENGINE_add_conf_module(); #endif + EVP_add_alg_module(); } Index: crypto/cryptlib.c =================================================================== --- crypto/cryptlib.c (revision 246700) +++ crypto/cryptlib.c (working copy) @@ -504,7 +504,7 @@ void CRYPTO_THREADID_current(CRYPTO_THREADID *id) CRYPTO_THREADID_set_numeric(id, (unsigned long)find_thread(NULL)); #else /* For everything else, default to using the address of 'errno' */ - CRYPTO_THREADID_set_pointer(id, &errno); + CRYPTO_THREADID_set_pointer(id, (void*)&errno); #endif } @@ -704,6 +704,7 @@ void OPENSSL_cpuid_setup(void) } else vec = OPENSSL_ia32_cpuid(); + /* * |(1<<10) sets a reserved bit to signal that variable * was initialized already... This is to avoid interference @@ -924,3 +925,16 @@ void OpenSSLDie(const char *file,int line,const ch } void *OPENSSL_stderr(void) { return stderr; } + +int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) + { + size_t i; + const unsigned char *a = in_a; + const unsigned char *b = in_b; + unsigned char x = 0; + + for (i = 0; i < len; i++) + x |= a[i] ^ b[i]; + + return x; + } Index: crypto/cryptlib.h =================================================================== --- crypto/cryptlib.h (revision 246700) +++ crypto/cryptlib.h (working copy) @@ -100,7 +100,7 @@ extern "C" { void OPENSSL_cpuid_setup(void); extern unsigned int OPENSSL_ia32cap_P[]; -void OPENSSL_showfatal(const char *,...); +void OPENSSL_showfatal(const char *fmta,...); void *OPENSSL_stderr(void); extern int OPENSSL_NONPIC_relocated; Index: crypto/crypto.h =================================================================== --- crypto/crypto.h (revision 246700) +++ crypto/crypto.h (working copy) @@ -488,10 +488,10 @@ void CRYPTO_get_mem_debug_functions(void (**m)(voi long (**go)(void)); void *CRYPTO_malloc_locked(int num, const char *file, int line); -void CRYPTO_free_locked(void *); +void CRYPTO_free_locked(void *ptr); void *CRYPTO_malloc(int num, const char *file, int line); char *CRYPTO_strdup(const char *str, const char *file, int line); -void CRYPTO_free(void *); +void CRYPTO_free(void *ptr); void *CRYPTO_realloc(void *addr,int num, const char *file, int line); void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file, int line); @@ -574,6 +574,13 @@ void OPENSSL_init(void); #define fips_cipher_abort(alg) while(0) #endif +/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It + * takes an amount of time dependent on |len|, but independent of the contents + * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a + * defined order as the return value when a != b is undefined, other than to be + * non-zero. */ +int CRYPTO_memcmp(const void *a, const void *b, size_t len); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. Index: crypto/des/set_key.c =================================================================== --- crypto/des/set_key.c (revision 246700) +++ crypto/des/set_key.c (working copy) @@ -63,10 +63,9 @@ * 1.1 added norm_expand_bits * 1.0 First working version */ +#include #include "des_locl.h" -#include - OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key,0) /* defaults to false */ static const unsigned char odd_parity[256]={ Index: crypto/des/str2key.c =================================================================== --- crypto/des/str2key.c (revision 246700) +++ crypto/des/str2key.c (working copy) @@ -56,8 +56,8 @@ * [including the GNU Public Licence.] */ +#include #include "des_locl.h" -#include void DES_string_to_key(const char *str, DES_cblock *key) { Index: crypto/ec/ec.h =================================================================== --- crypto/ec/ec.h (revision 246700) +++ crypto/ec/ec.h (working copy) @@ -274,10 +274,10 @@ int EC_GROUP_get_curve_name(const EC_GROUP *group) void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag); int EC_GROUP_get_asn1_flag(const EC_GROUP *group); -void EC_GROUP_set_point_conversion_form(EC_GROUP *, point_conversion_form_t); +void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form); point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *); -unsigned char *EC_GROUP_get0_seed(const EC_GROUP *); +unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x); size_t EC_GROUP_get_seed_len(const EC_GROUP *); size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len); @@ -626,8 +626,8 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, co */ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); -int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); -int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *); +int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx); +int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx); /** Computes r = generator * n sum_{i=0}^num p[i] * m[i] * \param group underlying EC_GROUP object @@ -800,16 +800,24 @@ const EC_POINT *EC_KEY_get0_public_key(const EC_KE int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub); unsigned EC_KEY_get_enc_flags(const EC_KEY *key); -void EC_KEY_set_enc_flags(EC_KEY *, unsigned int); -point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *); -void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t); +void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags); +point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key); +void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform); /* functions to set/get method specific data */ -void *EC_KEY_get_key_method_data(EC_KEY *, +void *EC_KEY_get_key_method_data(EC_KEY *key, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); -void EC_KEY_insert_key_method_data(EC_KEY *, void *data, +/** Sets the key method data of an EC_KEY object, if none has yet been set. + * \param key EC_KEY object + * \param data opaque data to install. + * \param dup_func a function that duplicates |data|. + * \param free_func a function that frees |data|. + * \param clear_free_func a function that wipes and frees |data|. + * \return the previously set data pointer, or NULL if |data| was inserted. + */ +void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); /* wrapper functions for the underlying EC_GROUP object */ -void EC_KEY_set_asn1_flag(EC_KEY *, int); +void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag); /** Creates a table of pre-computed multiples of the generator to * accelerate further EC_KEY operations. Index: crypto/ec/ec_key.c =================================================================== --- crypto/ec/ec_key.c (revision 246700) +++ crypto/ec/ec_key.c (working copy) @@ -520,18 +520,27 @@ void EC_KEY_set_conv_form(EC_KEY *key, point_conve void *EC_KEY_get_key_method_data(EC_KEY *key, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) { - return EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); + void *ret; + + CRYPTO_r_lock(CRYPTO_LOCK_EC); + ret = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); + CRYPTO_r_unlock(CRYPTO_LOCK_EC); + + return ret; } -void EC_KEY_insert_key_method_data(EC_KEY *key, void *data, +void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) { EC_EXTRA_DATA *ex_data; + CRYPTO_w_lock(CRYPTO_LOCK_EC); ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); if (ex_data == NULL) EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func); CRYPTO_w_unlock(CRYPTO_LOCK_EC); + + return ex_data; } void EC_KEY_set_asn1_flag(EC_KEY *key, int flag) Index: crypto/ec/ec_pmeth.c =================================================================== --- crypto/ec/ec_pmeth.c (revision 246700) +++ crypto/ec/ec_pmeth.c (working copy) @@ -188,7 +188,7 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsig pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec); - /* NB: unlike PKS#3 DH, if *outlen is less than maximum size this is + /* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is * not an error, the result is truncated. */ Index: crypto/ec/ecp_mont.c =================================================================== --- crypto/ec/ecp_mont.c (revision 246700) +++ crypto/ec/ecp_mont.c (working copy) @@ -114,7 +114,6 @@ const EC_METHOD *EC_GFp_mont_method(void) ec_GFp_mont_field_decode, ec_GFp_mont_field_set_to_one }; - return &ret; #endif } Index: crypto/ec/ectest.c =================================================================== --- crypto/ec/ectest.c (revision 246700) +++ crypto/ec/ectest.c (working copy) @@ -236,7 +236,7 @@ static void group_order_tests(EC_GROUP *group) } static void prime_field_tests(void) - { + { BN_CTX *ctx = NULL; BIGNUM *p, *a, *b; EC_GROUP *group; Index: crypto/ecdh/Makefile =================================================================== --- crypto/ecdh/Makefile (revision 246700) +++ crypto/ecdh/Makefile (working copy) @@ -84,17 +84,12 @@ ech_err.o: ../../include/openssl/ossl_typ.h ../../ ech_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ech_err.o: ech_err.c ech_key.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -ech_key.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h -ech_key.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -ech_key.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h -ech_key.o: ../../include/openssl/engine.h ../../include/openssl/evp.h -ech_key.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -ech_key.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h -ech_key.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -ech_key.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h -ech_key.o: ../../include/openssl/sha.h ../../include/openssl/stack.h -ech_key.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h -ech_key.o: ../../include/openssl/x509_vfy.h ech_key.c ech_locl.h +ech_key.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +ech_key.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +ech_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +ech_key.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h +ech_key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +ech_key.o: ech_key.c ech_locl.h ech_lib.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h ech_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h ech_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h Index: crypto/ecdh/ech_key.c =================================================================== --- crypto/ecdh/ech_key.c (revision 246700) +++ crypto/ecdh/ech_key.c (working copy) @@ -68,9 +68,6 @@ */ #include "ech_locl.h" -#ifndef OPENSSL_NO_ENGINE -#include -#endif int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *eckey, Index: crypto/ecdh/ech_lib.c =================================================================== --- crypto/ecdh/ech_lib.c (revision 246700) +++ crypto/ecdh/ech_lib.c (working copy) @@ -222,8 +222,15 @@ ECDH_DATA *ecdh_check(EC_KEY *key) ecdh_data = (ECDH_DATA *)ecdh_data_new(); if (ecdh_data == NULL) return NULL; - EC_KEY_insert_key_method_data(key, (void *)ecdh_data, - ecdh_data_dup, ecdh_data_free, ecdh_data_free); + data = EC_KEY_insert_key_method_data(key, (void *)ecdh_data, + ecdh_data_dup, ecdh_data_free, ecdh_data_free); + if (data != NULL) + { + /* Another thread raced us to install the key_method + * data and won. */ + ecdh_data_free(ecdh_data); + ecdh_data = (ECDH_DATA *)data; + } } else ecdh_data = (ECDH_DATA *)data; Index: crypto/ecdsa/ecs_lib.c =================================================================== --- crypto/ecdsa/ecs_lib.c (revision 246700) +++ crypto/ecdsa/ecs_lib.c (working copy) @@ -200,8 +200,15 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key) ecdsa_data = (ECDSA_DATA *)ecdsa_data_new(); if (ecdsa_data == NULL) return NULL; - EC_KEY_insert_key_method_data(key, (void *)ecdsa_data, - ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free); + data = EC_KEY_insert_key_method_data(key, (void *)ecdsa_data, + ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free); + if (data != NULL) + { + /* Another thread raced us to install the key_method + * data and won. */ + ecdsa_data_free(ecdsa_data); + ecdsa_data = (ECDSA_DATA *)data; + } } else ecdsa_data = (ECDSA_DATA *)data; Index: crypto/err/err_all.c =================================================================== --- crypto/err/err_all.c (revision 246700) +++ crypto/err/err_all.c (working copy) @@ -64,7 +64,9 @@ #endif #include #include +#ifndef OPENSSL_NO_COMP #include +#endif #ifndef OPENSSL_NO_RSA #include #endif @@ -95,6 +97,9 @@ #include #include #include +#ifdef OPENSSL_FIPS +#include +#endif #include #ifndef OPENSSL_NO_CMS #include @@ -102,12 +107,7 @@ #ifndef OPENSSL_NO_JPAKE #include #endif -#include -#ifdef OPENSSL_FIPS -#include -#endif - void ERR_load_crypto_strings(void) { #ifndef OPENSSL_NO_ERR @@ -130,7 +130,9 @@ void ERR_load_crypto_strings(void) ERR_load_ASN1_strings(); ERR_load_CONF_strings(); ERR_load_CRYPTO_strings(); +#ifndef OPENSSL_NO_COMP ERR_load_COMP_strings(); +#endif #ifndef OPENSSL_NO_EC ERR_load_EC_strings(); #endif @@ -153,15 +155,14 @@ void ERR_load_crypto_strings(void) #endif ERR_load_OCSP_strings(); ERR_load_UI_strings(); +#ifdef OPENSSL_FIPS + ERR_load_FIPS_strings(); +#endif #ifndef OPENSSL_NO_CMS ERR_load_CMS_strings(); #endif #ifndef OPENSSL_NO_JPAKE ERR_load_JPAKE_strings(); #endif - ERR_load_COMP_strings(); #endif -#ifdef OPENSSL_FIPS - ERR_load_FIPS_strings(); -#endif } Index: crypto/evp/Makefile =================================================================== --- crypto/evp/Makefile (revision 246700) +++ crypto/evp/Makefile (working copy) @@ -18,7 +18,7 @@ TESTDATA=evptests.txt APPS= LIB=$(TOP)/libcrypto.a -LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c \ +LIBSRC= encode.c digest.c evp_enc.c evp_key.c evp_acnf.c evp_cnf.c \ e_des.c e_bf.c e_idea.c e_des3.c e_camellia.c\ e_rc4.c e_aes.c names.c e_seed.c \ e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c \ @@ -31,7 +31,7 @@ LIB=$(TOP)/libcrypto.a e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c evp_fips.c \ e_aes_cbc_hmac_sha1.c e_rc4_hmac_md5.c -LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o \ +LIBOBJ= encode.o digest.o evp_enc.o evp_key.o evp_acnf.o evp_cnf.o \ e_des.o e_bf.o e_idea.o e_des3.o e_camellia.o\ e_rc4.o e_aes.o names.o e_seed.o \ e_xcbc_d.o e_rc2.o e_cast.o e_rc5.o \ @@ -67,7 +67,7 @@ files: links: @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER) @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) - cp $(TESTDATA) ../../test + [ ! -f $(TESTDATA) ] || cp $(TESTDATA) ../../test @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) install: @@ -356,6 +356,20 @@ evp_acnf.o: ../../include/openssl/opensslconf.h evp_acnf.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h evp_acnf.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h evp_acnf.o: ../../include/openssl/symhacks.h ../cryptlib.h evp_acnf.c +evp_cnf.o: ../../e_os.h ../../include/openssl/asn1.h +evp_cnf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h +evp_cnf.o: ../../include/openssl/conf.h ../../include/openssl/crypto.h +evp_cnf.o: ../../include/openssl/dso.h ../../include/openssl/e_os2.h +evp_cnf.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +evp_cnf.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h +evp_cnf.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +evp_cnf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +evp_cnf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +evp_cnf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h +evp_cnf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h +evp_cnf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h +evp_cnf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h +evp_cnf.o: ../../include/openssl/x509v3.h ../cryptlib.h evp_cnf.c evp_enc.o: ../../e_os.h ../../include/openssl/asn1.h evp_enc.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h evp_enc.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h @@ -437,28 +451,22 @@ evp_pkey.o: ../asn1/asn1_locl.h ../cryptlib.h evp_ m_dss.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h m_dss.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h m_dss.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -m_dss.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h -m_dss.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h -m_dss.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h -m_dss.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -m_dss.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -m_dss.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h +m_dss.o: ../../include/openssl/err.h ../../include/openssl/evp.h +m_dss.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +m_dss.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h +m_dss.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h m_dss.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_dss.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -m_dss.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_dss.o: ../cryptlib.h m_dss.c m_dss1.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h m_dss1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h m_dss1.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -m_dss1.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h -m_dss1.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h -m_dss1.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h -m_dss1.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h -m_dss1.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h -m_dss1.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h +m_dss1.o: ../../include/openssl/err.h ../../include/openssl/evp.h +m_dss1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +m_dss1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h +m_dss1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h m_dss1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_dss1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -m_dss1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_dss1.o: ../cryptlib.h m_dss1.c m_ecdsa.o: ../../e_os.h ../../include/openssl/asn1.h m_ecdsa.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h @@ -563,16 +571,13 @@ m_sha.o: ../../include/openssl/x509.h ../../includ m_sha.o: ../cryptlib.h evp_locl.h m_sha.c m_sha1.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h m_sha1.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h -m_sha1.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -m_sha1.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h -m_sha1.o: ../../include/openssl/err.h ../../include/openssl/evp.h -m_sha1.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -m_sha1.o: ../../include/openssl/objects.h ../../include/openssl/opensslconf.h -m_sha1.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h -m_sha1.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h +m_sha1.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h +m_sha1.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +m_sha1.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +m_sha1.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h +m_sha1.o: ../../include/openssl/ossl_typ.h ../../include/openssl/rsa.h m_sha1.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h m_sha1.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h -m_sha1.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h m_sha1.o: ../cryptlib.h m_sha1.c m_sigver.o: ../../e_os.h ../../include/openssl/asn1.h m_sigver.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h Index: crypto/evp/digest.c =================================================================== --- crypto/evp/digest.c (revision 246700) +++ crypto/evp/digest.c (working copy) @@ -267,6 +267,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned c return FIPS_digestfinal(ctx, md, size); #else int ret; + OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret=ctx->digest->final(ctx,md); if (size != NULL) Index: crypto/evp/e_aes.c =================================================================== --- crypto/evp/e_aes.c (revision 246700) +++ crypto/evp/e_aes.c (working copy) @@ -969,8 +969,6 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uns if (!gctx->iv_set) return -1; - if (!ctx->encrypt && gctx->taglen < 0) - return -1; if (in) { if (out == NULL) @@ -1012,6 +1010,8 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, uns { if (!ctx->encrypt) { + if (gctx->taglen < 0) + return -1; if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0) return -1; @@ -1217,6 +1217,7 @@ static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, c vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, &cctx->ks, (block128_f)vpaes_encrypt); + cctx->str = NULL; cctx->key_set = 1; break; } Index: crypto/evp/e_aes_cbc_hmac_sha1.c =================================================================== --- crypto/evp/e_aes_cbc_hmac_sha1.c (revision 246700) +++ crypto/evp/e_aes_cbc_hmac_sha1.c (working copy) @@ -1,5 +1,5 @@ /* ==================================================================== - * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -90,6 +90,10 @@ typedef struct defined(_M_AMD64) || defined(_M_X64) || \ defined(__INTEL__) ) +#if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC) +# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; }) +#endif + extern unsigned int OPENSSL_ia32cap_P[2]; #define AESNI_CAPABLE (1<<(57-32)) @@ -167,6 +171,9 @@ static void sha1_update(SHA_CTX *c,const void *dat SHA1_Update(c,ptr,res); } +#ifdef SHA1_Update +#undef SHA1_Update +#endif #define SHA1_Update sha1_update static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, @@ -184,6 +191,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_C sha_off = SHA_CBLOCK-key->md.num; #endif + key->payload_length = NO_PAYLOAD_LENGTH; + if (len%AES_BLOCK_SIZE) return 0; if (ctx->encrypt) { @@ -234,47 +243,210 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_C &key->ks,ctx->iv,1); } } else { - unsigned char mac[SHA_DIGEST_LENGTH]; + union { unsigned int u[SHA_DIGEST_LENGTH/sizeof(unsigned int)]; + unsigned char c[32+SHA_DIGEST_LENGTH]; } mac, *pmac; + /* arrange cache line alignment */ + pmac = (void *)(((size_t)mac.c+31)&((size_t)0-32)); + /* decrypt HMAC|padding at once */ aesni_cbc_encrypt(in,out,len, &key->ks,ctx->iv,0); if (plen) { /* "TLS" mode of operation */ - /* figure out payload length */ - if (len<(size_t)(out[len-1]+1+SHA_DIGEST_LENGTH)) - return 0; + size_t inp_len, mask, j, i; + unsigned int res, maxpad, pad, bitlen; + int ret = 1; + union { unsigned int u[SHA_LBLOCK]; + unsigned char c[SHA_CBLOCK]; } + *data = (void *)key->md.data; - len -= (out[len-1]+1+SHA_DIGEST_LENGTH); - if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3]) - >= TLS1_1_VERSION) { - len -= AES_BLOCK_SIZE; + >= TLS1_1_VERSION) iv = AES_BLOCK_SIZE; - } - key->aux.tls_aad[plen-2] = len>>8; - key->aux.tls_aad[plen-1] = len; + if (len<(iv+SHA_DIGEST_LENGTH+1)) + return 0; - /* calculate HMAC and verify it */ + /* omit explicit iv */ + out += iv; + len -= iv; + + /* figure out payload length */ + pad = out[len-1]; + maxpad = len-(SHA_DIGEST_LENGTH+1); + maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8); + maxpad &= 255; + + inp_len = len - (SHA_DIGEST_LENGTH+pad+1); + mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1))); + inp_len &= mask; + ret &= (int)mask; + + key->aux.tls_aad[plen-2] = inp_len>>8; + key->aux.tls_aad[plen-1] = inp_len; + + /* calculate HMAC */ key->md = key->head; SHA1_Update(&key->md,key->aux.tls_aad,plen); - SHA1_Update(&key->md,out+iv,len); - SHA1_Final(mac,&key->md); +#if 1 + len -= SHA_DIGEST_LENGTH; /* amend mac */ + if (len>=(256+SHA_CBLOCK)) { + j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK); + j += SHA_CBLOCK-key->md.num; + SHA1_Update(&key->md,out,j); + out += j; + len -= j; + inp_len -= j; + } + + /* but pretend as if we hashed padded payload */ + bitlen = key->md.Nl+(inp_len<<3); /* at most 18 bits */ +#ifdef BSWAP + bitlen = BSWAP(bitlen); +#else + mac.c[0] = 0; + mac.c[1] = (unsigned char)(bitlen>>16); + mac.c[2] = (unsigned char)(bitlen>>8); + mac.c[3] = (unsigned char)bitlen; + bitlen = mac.u[0]; +#endif + + pmac->u[0]=0; + pmac->u[1]=0; + pmac->u[2]=0; + pmac->u[3]=0; + pmac->u[4]=0; + + for (res=key->md.num, j=0;j>(sizeof(j)*8-8); + c &= mask; + c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8)); + data->c[res++]=(unsigned char)c; + + if (res!=SHA_CBLOCK) continue; + + mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); + data->u[SHA_LBLOCK-1] |= bitlen&mask; + sha1_block_data_order(&key->md,data,1); + mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); + pmac->u[0] |= key->md.h0 & mask; + pmac->u[1] |= key->md.h1 & mask; + pmac->u[2] |= key->md.h2 & mask; + pmac->u[3] |= key->md.h3 & mask; + pmac->u[4] |= key->md.h4 & mask; + res=0; + } + + for(i=res;ic[i]=0; + + if (res>SHA_CBLOCK-8) { + mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); + data->u[SHA_LBLOCK-1] |= bitlen&mask; + sha1_block_data_order(&key->md,data,1); + mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); + pmac->u[0] |= key->md.h0 & mask; + pmac->u[1] |= key->md.h1 & mask; + pmac->u[2] |= key->md.h2 & mask; + pmac->u[3] |= key->md.h3 & mask; + pmac->u[4] |= key->md.h4 & mask; + + memset(data,0,SHA_CBLOCK); + j+=64; + } + data->u[SHA_LBLOCK-1] = bitlen; + sha1_block_data_order(&key->md,data,1); + mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1)); + pmac->u[0] |= key->md.h0 & mask; + pmac->u[1] |= key->md.h1 & mask; + pmac->u[2] |= key->md.h2 & mask; + pmac->u[3] |= key->md.h3 & mask; + pmac->u[4] |= key->md.h4 & mask; + +#ifdef BSWAP + pmac->u[0] = BSWAP(pmac->u[0]); + pmac->u[1] = BSWAP(pmac->u[1]); + pmac->u[2] = BSWAP(pmac->u[2]); + pmac->u[3] = BSWAP(pmac->u[3]); + pmac->u[4] = BSWAP(pmac->u[4]); +#else + for (i=0;i<5;i++) { + res = pmac->u[i]; + pmac->c[4*i+0]=(unsigned char)(res>>24); + pmac->c[4*i+1]=(unsigned char)(res>>16); + pmac->c[4*i+2]=(unsigned char)(res>>8); + pmac->c[4*i+3]=(unsigned char)res; + } +#endif + len += SHA_DIGEST_LENGTH; +#else + SHA1_Update(&key->md,out,inp_len); + res = key->md.num; + SHA1_Final(pmac->c,&key->md); + + { + unsigned int inp_blocks, pad_blocks; + + /* but pretend as if we hashed padded payload */ + inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1)); + res += (unsigned int)(len-inp_len); + pad_blocks = res / SHA_CBLOCK; + res %= SHA_CBLOCK; + pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1)); + for (;inp_blocksmd,data,1); + } +#endif key->md = key->tail; - SHA1_Update(&key->md,mac,SHA_DIGEST_LENGTH); - SHA1_Final(mac,&key->md); + SHA1_Update(&key->md,pmac->c,SHA_DIGEST_LENGTH); + SHA1_Final(pmac->c,&key->md); - if (memcmp(out+iv+len,mac,SHA_DIGEST_LENGTH)) - return 0; + /* verify HMAC */ + out += inp_len; + len -= inp_len; +#if 1 + { + unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH; + size_t off = out-p; + unsigned int c, cmask; + + maxpad += SHA_DIGEST_LENGTH; + for (res=0,i=0,j=0;j>(sizeof(int)*8-1); + res |= (c^pad)&~cmask; /* ... and padding */ + cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1); + res |= (c^pmac->c[i])&cmask; + i += 1&cmask; + } + maxpad -= SHA_DIGEST_LENGTH; + + res = 0-((0-res)>>(sizeof(res)*8-1)); + ret &= (int)~res; + } +#else + for (res=0,i=0;ic[i]; + res = 0-((0-res)>>(sizeof(res)*8-1)); + ret &= (int)~res; + + /* verify padding */ + pad = (pad&~res) | (maxpad&res); + out = out+len-1-pad; + for (res=0,i=0;i>(sizeof(res)*8-1); + ret &= (int)~res; +#endif + return ret; } else { SHA1_Update(&key->md,out,len); } } - key->payload_length = NO_PAYLOAD_LENGTH; - return 1; } @@ -309,6 +481,8 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX SHA1_Init(&key->tail); SHA1_Update(&key->tail,hmac_key,sizeof(hmac_key)); + OPENSSL_cleanse(hmac_key,sizeof(hmac_key)); + return 1; } case EVP_CTRL_AEAD_TLS1_AAD: Index: crypto/evp/evp.h =================================================================== --- crypto/evp/evp.h (revision 246700) +++ crypto/evp/evp.h (working copy) @@ -402,7 +402,6 @@ struct evp_cipher_st /* Length of tag for TLS */ #define EVP_GCM_TLS_TAG_LEN 16 - typedef struct evp_cipher_info_st { const EVP_CIPHER *cipher; @@ -789,8 +788,8 @@ const EVP_CIPHER *EVP_aes_128_cfb128(void); # define EVP_aes_128_cfb EVP_aes_128_cfb128 const EVP_CIPHER *EVP_aes_128_ofb(void); const EVP_CIPHER *EVP_aes_128_ctr(void); +const EVP_CIPHER *EVP_aes_128_ccm(void); const EVP_CIPHER *EVP_aes_128_gcm(void); -const EVP_CIPHER *EVP_aes_128_ccm(void); const EVP_CIPHER *EVP_aes_128_xts(void); const EVP_CIPHER *EVP_aes_192_ecb(void); const EVP_CIPHER *EVP_aes_192_cbc(void); @@ -800,8 +799,8 @@ const EVP_CIPHER *EVP_aes_192_cfb128(void); # define EVP_aes_192_cfb EVP_aes_192_cfb128 const EVP_CIPHER *EVP_aes_192_ofb(void); const EVP_CIPHER *EVP_aes_192_ctr(void); +const EVP_CIPHER *EVP_aes_192_ccm(void); const EVP_CIPHER *EVP_aes_192_gcm(void); -const EVP_CIPHER *EVP_aes_192_ccm(void); const EVP_CIPHER *EVP_aes_256_ecb(void); const EVP_CIPHER *EVP_aes_256_cbc(void); const EVP_CIPHER *EVP_aes_256_cfb1(void); @@ -810,8 +809,8 @@ const EVP_CIPHER *EVP_aes_256_cfb128(void); # define EVP_aes_256_cfb EVP_aes_256_cfb128 const EVP_CIPHER *EVP_aes_256_ofb(void); const EVP_CIPHER *EVP_aes_256_ctr(void); +const EVP_CIPHER *EVP_aes_256_ccm(void); const EVP_CIPHER *EVP_aes_256_gcm(void); -const EVP_CIPHER *EVP_aes_256_ccm(void); const EVP_CIPHER *EVP_aes_256_xts(void); #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void); @@ -1243,6 +1242,8 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth int (*ctrl_str)(EVP_PKEY_CTX *ctx, const char *type, const char *value)); +void EVP_add_alg_module(void); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. @@ -1257,6 +1258,7 @@ void ERR_load_EVP_strings(void); #define EVP_F_AES_INIT_KEY 133 #define EVP_F_AES_XTS 172 #define EVP_F_AES_XTS_CIPHER 175 +#define EVP_F_ALG_MODULE_INIT 177 #define EVP_F_CAMELLIA_INIT_KEY 159 #define EVP_F_CMAC_INIT 173 #define EVP_F_D2I_PKEY 100 @@ -1350,15 +1352,19 @@ void ERR_load_EVP_strings(void); #define EVP_R_DIFFERENT_PARAMETERS 153 #define EVP_R_DISABLED_FOR_FIPS 163 #define EVP_R_ENCODE_ERROR 115 +#define EVP_R_ERROR_LOADING_SECTION 165 +#define EVP_R_ERROR_SETTING_FIPS_MODE 166 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 #define EVP_R_EXPECTING_AN_RSA_KEY 127 #define EVP_R_EXPECTING_A_DH_KEY 128 #define EVP_R_EXPECTING_A_DSA_KEY 129 #define EVP_R_EXPECTING_A_ECDSA_KEY 141 #define EVP_R_EXPECTING_A_EC_KEY 142 +#define EVP_R_FIPS_MODE_NOT_SUPPORTED 167 #define EVP_R_INITIALIZATION_ERROR 134 #define EVP_R_INPUT_NOT_INITIALIZED 111 #define EVP_R_INVALID_DIGEST 152 +#define EVP_R_INVALID_FIPS_MODE 168 #define EVP_R_INVALID_KEY_LENGTH 130 #define EVP_R_INVALID_OPERATION 148 #define EVP_R_IV_TOO_LARGE 102 @@ -1383,6 +1389,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_TOO_LARGE 164 #define EVP_R_UNKNOWN_CIPHER 160 #define EVP_R_UNKNOWN_DIGEST 161 +#define EVP_R_UNKNOWN_OPTION 169 #define EVP_R_UNKNOWN_PBE_ALGORITHM 121 #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135 #define EVP_R_UNSUPPORTED_ALGORITHM 156 Index: crypto/evp/evp_cnf.c =================================================================== --- crypto/evp/evp_cnf.c (revision 0) +++ crypto/evp/evp_cnf.c (working copy) @@ -0,0 +1,125 @@ +/* evp_cnf.c */ +/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL + * project 2007. + */ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include +#include +#include +#include "cryptlib.h" +#include +#include +#include +#include +#ifdef OPENSSL_FIPS +#include +#endif + + +/* Algorithm configuration module. */ + +static int alg_module_init(CONF_IMODULE *md, const CONF *cnf) + { + int i; + const char *oid_section; + STACK_OF(CONF_VALUE) *sktmp; + CONF_VALUE *oval; + oid_section = CONF_imodule_get_value(md); + if(!(sktmp = NCONF_get_section(cnf, oid_section))) + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_LOADING_SECTION); + return 0; + } + for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) + { + oval = sk_CONF_VALUE_value(sktmp, i); + if (!strcmp(oval->name, "fips_mode")) + { + int m; + if (!X509V3_get_value_bool(oval, &m)) + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_INVALID_FIPS_MODE); + return 0; + } + if (m > 0) + { +#ifdef OPENSSL_FIPS + if (!FIPS_mode() && !FIPS_mode_set(1)) + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_SETTING_FIPS_MODE); + return 0; + } +#else + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_FIPS_MODE_NOT_SUPPORTED); + return 0; +#endif + } + } + else + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION); + ERR_add_error_data(4, "name=", oval->name, + ", value=", oval->value); + } + + } + return 1; + } + +void EVP_add_alg_module(void) + { + CONF_module_add("alg_section", alg_module_init, 0); + } Property changes on: crypto/evp/evp_cnf.c ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Index: crypto/evp/evp_err.c =================================================================== --- crypto/evp/evp_err.c (revision 246700) +++ crypto/evp/evp_err.c (working copy) @@ -75,6 +75,7 @@ static ERR_STRING_DATA EVP_str_functs[]= {ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"}, {ERR_FUNC(EVP_F_AES_XTS), "AES_XTS"}, {ERR_FUNC(EVP_F_AES_XTS_CIPHER), "AES_XTS_CIPHER"}, +{ERR_FUNC(EVP_F_ALG_MODULE_INIT), "ALG_MODULE_INIT"}, {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"}, {ERR_FUNC(EVP_F_CMAC_INIT), "CMAC_INIT"}, {ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"}, @@ -171,15 +172,19 @@ static ERR_STRING_DATA EVP_str_reasons[]= {ERR_REASON(EVP_R_DIFFERENT_PARAMETERS) ,"different parameters"}, {ERR_REASON(EVP_R_DISABLED_FOR_FIPS) ,"disabled for fips"}, {ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"}, +{ERR_REASON(EVP_R_ERROR_LOADING_SECTION) ,"error loading section"}, +{ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE),"error setting fips mode"}, {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"}, {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"}, {ERR_REASON(EVP_R_EXPECTING_A_DH_KEY) ,"expecting a dh key"}, {ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY) ,"expecting a dsa key"}, {ERR_REASON(EVP_R_EXPECTING_A_ECDSA_KEY) ,"expecting a ecdsa key"}, {ERR_REASON(EVP_R_EXPECTING_A_EC_KEY) ,"expecting a ec key"}, +{ERR_REASON(EVP_R_FIPS_MODE_NOT_SUPPORTED),"fips mode not supported"}, {ERR_REASON(EVP_R_INITIALIZATION_ERROR) ,"initialization error"}, {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not initialized"}, {ERR_REASON(EVP_R_INVALID_DIGEST) ,"invalid digest"}, +{ERR_REASON(EVP_R_INVALID_FIPS_MODE) ,"invalid fips mode"}, {ERR_REASON(EVP_R_INVALID_KEY_LENGTH) ,"invalid key length"}, {ERR_REASON(EVP_R_INVALID_OPERATION) ,"invalid operation"}, {ERR_REASON(EVP_R_IV_TOO_LARGE) ,"iv too large"}, @@ -204,6 +209,7 @@ static ERR_STRING_DATA EVP_str_reasons[]= {ERR_REASON(EVP_R_TOO_LARGE) ,"too large"}, {ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"}, {ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"}, +{ERR_REASON(EVP_R_UNKNOWN_OPTION) ,"unknown option"}, {ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"}, {ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"}, {ERR_REASON(EVP_R_UNSUPPORTED_ALGORITHM) ,"unsupported algorithm"}, Index: crypto/evp/m_dss.c =================================================================== --- crypto/evp/m_dss.c (revision 246700) +++ crypto/evp/m_dss.c (working copy) @@ -60,7 +60,7 @@ #include "cryptlib.h" #include #include -#include +#include #ifndef OPENSSL_NO_DSA #include #endif Index: crypto/evp/m_dss1.c =================================================================== --- crypto/evp/m_dss1.c (revision 246700) +++ crypto/evp/m_dss1.c (working copy) @@ -63,7 +63,7 @@ #include #include -#include +#include #ifndef OPENSSL_NO_DSA #include #endif Index: crypto/evp/m_sha1.c =================================================================== --- crypto/evp/m_sha1.c (revision 246700) +++ crypto/evp/m_sha1.c (working copy) @@ -65,7 +65,7 @@ #include #include -#include +#include #ifndef OPENSSL_NO_RSA #include #endif Index: crypto/evp/p_sign.c =================================================================== --- crypto/evp/p_sign.c (revision 246700) +++ crypto/evp/p_sign.c (working copy) @@ -80,7 +80,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char * { unsigned char m[EVP_MAX_MD_SIZE]; unsigned int m_len; - int i=0,ok=0,v; + int i = 0,ok = 0,v; EVP_MD_CTX tmp_ctx; EVP_PKEY_CTX *pkctx = NULL; Index: crypto/evp/p_verify.c =================================================================== --- crypto/evp/p_verify.c (revision 246700) +++ crypto/evp/p_verify.c (working copy) @@ -67,7 +67,7 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigne { unsigned char m[EVP_MAX_MD_SIZE]; unsigned int m_len; - int i=-1,ok=0,v; + int i = 0,ok = 0,v; EVP_MD_CTX tmp_ctx; EVP_PKEY_CTX *pkctx = NULL; Index: crypto/md4/md4_dgst.c =================================================================== --- crypto/md4/md4_dgst.c (revision 246700) +++ crypto/md4/md4_dgst.c (working copy) @@ -106,22 +106,23 @@ void md4_block_data_order (MD4_CTX *c, const void for (;num--;) { - HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l; + (void)HOST_c2l(data,l); X( 0)=l; + (void)HOST_c2l(data,l); X( 1)=l; /* Round 0 */ - R0(A,B,C,D,X( 0), 3,0); HOST_c2l(data,l); X( 2)=l; - R0(D,A,B,C,X( 1), 7,0); HOST_c2l(data,l); X( 3)=l; - R0(C,D,A,B,X( 2),11,0); HOST_c2l(data,l); X( 4)=l; - R0(B,C,D,A,X( 3),19,0); HOST_c2l(data,l); X( 5)=l; - R0(A,B,C,D,X( 4), 3,0); HOST_c2l(data,l); X( 6)=l; - R0(D,A,B,C,X( 5), 7,0); HOST_c2l(data,l); X( 7)=l; - R0(C,D,A,B,X( 6),11,0); HOST_c2l(data,l); X( 8)=l; - R0(B,C,D,A,X( 7),19,0); HOST_c2l(data,l); X( 9)=l; - R0(A,B,C,D,X( 8), 3,0); HOST_c2l(data,l); X(10)=l; - R0(D,A,B,C,X( 9), 7,0); HOST_c2l(data,l); X(11)=l; - R0(C,D,A,B,X(10),11,0); HOST_c2l(data,l); X(12)=l; - R0(B,C,D,A,X(11),19,0); HOST_c2l(data,l); X(13)=l; - R0(A,B,C,D,X(12), 3,0); HOST_c2l(data,l); X(14)=l; - R0(D,A,B,C,X(13), 7,0); HOST_c2l(data,l); X(15)=l; + R0(A,B,C,D,X( 0), 3,0); (void)HOST_c2l(data,l); X( 2)=l; + R0(D,A,B,C,X( 1), 7,0); (void)HOST_c2l(data,l); X( 3)=l; + R0(C,D,A,B,X( 2),11,0); (void)HOST_c2l(data,l); X( 4)=l; + R0(B,C,D,A,X( 3),19,0); (void)HOST_c2l(data,l); X( 5)=l; + R0(A,B,C,D,X( 4), 3,0); (void)HOST_c2l(data,l); X( 6)=l; + R0(D,A,B,C,X( 5), 7,0); (void)HOST_c2l(data,l); X( 7)=l; + R0(C,D,A,B,X( 6),11,0); (void)HOST_c2l(data,l); X( 8)=l; + R0(B,C,D,A,X( 7),19,0); (void)HOST_c2l(data,l); X( 9)=l; + R0(A,B,C,D,X( 8), 3,0); (void)HOST_c2l(data,l); X(10)=l; + R0(D,A,B,C,X( 9), 7,0); (void)HOST_c2l(data,l); X(11)=l; + R0(C,D,A,B,X(10),11,0); (void)HOST_c2l(data,l); X(12)=l; + R0(B,C,D,A,X(11),19,0); (void)HOST_c2l(data,l); X(13)=l; + R0(A,B,C,D,X(12), 3,0); (void)HOST_c2l(data,l); X(14)=l; + R0(D,A,B,C,X(13), 7,0); (void)HOST_c2l(data,l); X(15)=l; R0(C,D,A,B,X(14),11,0); R0(B,C,D,A,X(15),19,0); /* Round 1 */ Index: crypto/md4/md4_locl.h =================================================================== --- crypto/md4/md4_locl.h (revision 246700) +++ crypto/md4/md4_locl.h (working copy) @@ -77,10 +77,10 @@ void md4_block_data_order (MD4_CTX *c, const void #define HASH_FINAL MD4_Final #define HASH_MAKE_STRING(c,s) do { \ unsigned long ll; \ - ll=(c)->A; HOST_l2c(ll,(s)); \ - ll=(c)->B; HOST_l2c(ll,(s)); \ - ll=(c)->C; HOST_l2c(ll,(s)); \ - ll=(c)->D; HOST_l2c(ll,(s)); \ + ll=(c)->A; (void)HOST_l2c(ll,(s)); \ + ll=(c)->B; (void)HOST_l2c(ll,(s)); \ + ll=(c)->C; (void)HOST_l2c(ll,(s)); \ + ll=(c)->D; (void)HOST_l2c(ll,(s)); \ } while (0) #define HASH_BLOCK_DATA_ORDER md4_block_data_order Index: crypto/md5/asm/md5-x86_64.pl =================================================================== --- crypto/md5/asm/md5-x86_64.pl (revision 246700) +++ crypto/md5/asm/md5-x86_64.pl (working copy) @@ -120,7 +120,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlat die "can't locate x86_64-xlate.pl"; no warnings qw(uninitialized); -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; $code .= <A; HOST_l2c(ll,(s)); \ - ll=(c)->B; HOST_l2c(ll,(s)); \ - ll=(c)->C; HOST_l2c(ll,(s)); \ - ll=(c)->D; HOST_l2c(ll,(s)); \ + ll=(c)->A; (void)HOST_l2c(ll,(s)); \ + ll=(c)->B; (void)HOST_l2c(ll,(s)); \ + ll=(c)->C; (void)HOST_l2c(ll,(s)); \ + ll=(c)->D; (void)HOST_l2c(ll,(s)); \ } while (0) #define HASH_BLOCK_DATA_ORDER md5_block_data_order Index: crypto/mdc2/mdc2dgst.c =================================================================== --- crypto/mdc2/mdc2dgst.c (revision 246700) +++ crypto/mdc2/mdc2dgst.c (working copy) @@ -59,9 +59,9 @@ #include #include #include +#include #include #include -#include #undef c2l #define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \ Index: crypto/mem.c =================================================================== --- crypto/mem.c (revision 246700) +++ crypto/mem.c (working copy) @@ -121,10 +121,10 @@ static void (*set_debug_options_func)(long) = NULL static long (*get_debug_options_func)(void) = NULL; #endif - int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t), void (*f)(void *)) { + /* Dummy call just to ensure OPENSSL_init() gets linked in */ OPENSSL_init(); if (!allow_customize) return 0; Index: crypto/modes/asm/ghash-x86.pl =================================================================== --- crypto/modes/asm/ghash-x86.pl (revision 246700) +++ crypto/modes/asm/ghash-x86.pl (working copy) @@ -635,7 +635,7 @@ sub mmx_loop() { { my @lo = ("mm0","mm1","mm2"); my @hi = ("mm3","mm4","mm5"); my @tmp = ("mm6","mm7"); - my $off1=0,$off2=0,$i; + my ($off1,$off2,$i) = (0,0,); &add ($Htbl,128); # optimize for size &lea ("edi",&DWP(16+128,"esp")); @@ -883,7 +883,7 @@ sub reduction_alg9 { # 17/13 times faster than Int my ($Xhi,$Xi) = @_; # 1st phase - &movdqa ($T1,$Xi) # + &movdqa ($T1,$Xi); # &psllq ($Xi,1); &pxor ($Xi,$T1); # &psllq ($Xi,5); # @@ -1019,7 +1019,7 @@ my ($Xhi,$Xi) = @_; &movdqa ($Xhn,$Xn); &pxor ($Xhi,$T1); # "Ii+Xi", consume early - &movdqa ($T1,$Xi) #&reduction_alg9($Xhi,$Xi); 1st phase + &movdqa ($T1,$Xi); #&reduction_alg9($Xhi,$Xi); 1st phase &psllq ($Xi,1); &pxor ($Xi,$T1); # &psllq ($Xi,5); # Index: crypto/modes/asm/ghash-x86_64.pl =================================================================== --- crypto/modes/asm/ghash-x86_64.pl (revision 246700) +++ crypto/modes/asm/ghash-x86_64.pl (working copy) @@ -50,7 +50,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; # common register layout $nlo="%rax"; Index: crypto/modes/gcm128.c =================================================================== --- crypto/modes/gcm128.c (revision 246700) +++ crypto/modes/gcm128.c (working copy) @@ -723,7 +723,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void * # endif gcm_init_4bit(ctx->Htable,ctx->H.u); # if defined(GHASH_ASM_X86) /* x86 only */ -# if defined(OPENSSL_IA32_SSE2) +# if defined(OPENSSL_IA32_SSE2) if (OPENSSL_ia32cap_P[0]&(1<<25)) { /* check SSE bit */ # else if (OPENSSL_ia32cap_P[0]&(1<<23)) { /* check MMX bit */ @@ -1398,7 +1398,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult; #endif - if (ctx->mres) + if (ctx->mres || ctx->ares) GCM_MUL(ctx,Xi); if (is_endian.little) { Index: crypto/objects/o_names.c =================================================================== --- crypto/objects/o_names.c (revision 246700) +++ crypto/objects/o_names.c (working copy) @@ -73,7 +73,7 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)( name_funcs_stack=sk_NAME_FUNCS_new_null(); MemCheck_on(); } - if ((name_funcs_stack == NULL)) + if (name_funcs_stack == NULL) { /* ERROR */ return(0); Index: crypto/ocsp/ocsp_vfy.c =================================================================== --- crypto/ocsp/ocsp_vfy.c (revision 246700) +++ crypto/ocsp/ocsp_vfy.c (working copy) @@ -91,10 +91,13 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF { EVP_PKEY *skey; skey = X509_get_pubkey(signer); - ret = OCSP_BASICRESP_verify(bs, skey, 0); - EVP_PKEY_free(skey); - if(ret <= 0) + if (skey) { + ret = OCSP_BASICRESP_verify(bs, skey, 0); + EVP_PKEY_free(skey); + } + if(!skey || ret <= 0) + { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); goto end; } @@ -108,6 +111,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs); if(!init_res) { + ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB); goto end; } Index: crypto/opensslv.h =================================================================== --- crypto/opensslv.h (revision 246700) +++ crypto/opensslv.h (working copy) @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x1000103fL +#define OPENSSL_VERSION_NUMBER 0x1000105fL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c-fips 10 May 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1e-fips 11 Feb 2013" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c 10 May 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1e 11 Feb 2013" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT Index: crypto/pem/pem_all.c =================================================================== --- crypto/pem/pem_all.c (revision 246700) +++ crypto/pem/pem_all.c (working copy) @@ -193,7 +193,61 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, p #endif +#ifdef OPENSSL_FIPS + +int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + if (FIPS_mode()) + { + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_RSA(k, x); + + ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; + } + else + return PEM_ASN1_write_bio((i2d_of_void *)i2d_RSAPrivateKey, + PEM_STRING_RSA,bp,x,enc,kstr,klen,cb,u); +} + +#ifndef OPENSSL_NO_FP_API +int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + if (FIPS_mode()) + { + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + + EVP_PKEY_set1_RSA(k, x); + + ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; + } + else + return PEM_ASN1_write((i2d_of_void *)i2d_RSAPrivateKey, + PEM_STRING_RSA,fp,x,enc,kstr,klen,cb,u); +} +#endif + +#else + IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey) + +#endif + IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey) IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY) @@ -223,7 +277,59 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa return pkey_get_dsa(pktmp, dsa); /* will free pktmp */ } +#ifdef OPENSSL_FIPS + +int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + if (FIPS_mode()) + { + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_DSA(k, x); + + ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; + } + else + return PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPrivateKey, + PEM_STRING_DSA,bp,x,enc,kstr,klen,cb,u); +} + +#ifndef OPENSSL_NO_FP_API +int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + if (FIPS_mode()) + { + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_DSA(k, x); + ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; + } + else + return PEM_ASN1_write((i2d_of_void *)i2d_DSAPrivateKey, + PEM_STRING_DSA,fp,x,enc,kstr,klen,cb,u); +} +#endif + +#else + IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) + +#endif + IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) #ifndef OPENSSL_NO_FP_API @@ -269,8 +375,63 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *bp, EC_KEY IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters) + + +#ifdef OPENSSL_FIPS + +int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + if (FIPS_mode()) + { + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_EC_KEY(k, x); + + ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; + } + else + return PEM_ASN1_write_bio((i2d_of_void *)i2d_ECPrivateKey, + PEM_STRING_ECPRIVATEKEY, + bp,x,enc,kstr,klen,cb,u); +} + +#ifndef OPENSSL_NO_FP_API +int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + if (FIPS_mode()) + { + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_EC_KEY(k, x); + ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; + } + else + return PEM_ASN1_write((i2d_of_void *)i2d_ECPrivateKey, + PEM_STRING_ECPRIVATEKEY, + fp,x,enc,kstr,klen,cb,u); +} +#endif + +#else + IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey) +#endif + IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY) #ifndef OPENSSL_NO_FP_API Index: crypto/pem/pem_lib.c =================================================================== --- crypto/pem/pem_lib.c (revision 246700) +++ crypto/pem/pem_lib.c (working copy) @@ -394,7 +394,8 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const cha goto err; /* The 'iv' is used as the iv and as a salt. It is * NOT taken from the BytesToKey function */ - EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL); + if (!EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL)) + goto err; if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE); @@ -406,12 +407,15 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const cha /* k=strlen(buf); */ EVP_CIPHER_CTX_init(&ctx); - EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv); - EVP_EncryptUpdate(&ctx,data,&j,data,i); - EVP_EncryptFinal_ex(&ctx,&(data[j]),&i); + ret = 1; + if (!EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv) + || !EVP_EncryptUpdate(&ctx,data,&j,data,i) + || !EVP_EncryptFinal_ex(&ctx,&(data[j]),&i)) + ret = 0; EVP_CIPHER_CTX_cleanup(&ctx); + if (ret == 0) + goto err; i+=j; - ret=1; } else { @@ -459,14 +463,17 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigne ebcdic2ascii(buf, buf, klen); #endif - EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]), - (unsigned char *)buf,klen,1,key,NULL); + if (!EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]), + (unsigned char *)buf,klen,1,key,NULL)) + return 0; j=(int)len; EVP_CIPHER_CTX_init(&ctx); - EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0])); - EVP_DecryptUpdate(&ctx,data,&i,data,j); - o=EVP_DecryptFinal_ex(&ctx,&(data[i]),&j); + o = EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0])); + if (o) + o = EVP_DecryptUpdate(&ctx,data,&i,data,j); + if (o) + o = EVP_DecryptFinal_ex(&ctx,&(data[i]),&j); EVP_CIPHER_CTX_cleanup(&ctx); OPENSSL_cleanse((char *)buf,sizeof(buf)); OPENSSL_cleanse((char *)key,sizeof(key)); Index: crypto/pem/pem_seal.c =================================================================== --- crypto/pem/pem_seal.c (revision 246700) +++ crypto/pem/pem_seal.c (working copy) @@ -96,7 +96,8 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIP EVP_EncodeInit(&ctx->encode); EVP_MD_CTX_init(&ctx->md); - EVP_SignInit(&ctx->md,md_type); + if (!EVP_SignInit(&ctx->md,md_type)) + goto err; EVP_CIPHER_CTX_init(&ctx->cipher); ret=EVP_SealInit(&ctx->cipher,type,ek,ekl,iv,pubk,npubk); @@ -163,7 +164,8 @@ int PEM_SealFinal(PEM_ENCODE_SEAL_CTX *ctx, unsign goto err; } - EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i); + if (!EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i)) + goto err; EVP_EncodeUpdate(&ctx->encode,out,&j,s,i); *outl=j; out+=j; Index: crypto/perlasm/cbc.pl =================================================================== --- crypto/perlasm/cbc.pl (revision 246700) +++ crypto/perlasm/cbc.pl (working copy) @@ -150,7 +150,7 @@ sub cbc &set_label("PIC_point"); &blindpop("edx"); &lea("ecx",&DWP(&label("cbc_enc_jmp_table")."-".&label("PIC_point"),"edx")); - &mov($count,&DWP(0,"ecx",$count,4)) + &mov($count,&DWP(0,"ecx",$count,4)); &add($count,"edx"); &xor("ecx","ecx"); &xor("edx","edx"); Index: crypto/perlasm/x86masm.pl =================================================================== --- crypto/perlasm/x86masm.pl (revision 246700) +++ crypto/perlasm/x86masm.pl (working copy) @@ -33,6 +33,7 @@ sub ::generic sub ::call { &::emit("call",(&::islabel($_[0]) or "$nmdecor$_[0]")); } sub ::call_ptr { &::emit("call",@_); } sub ::jmp_ptr { &::emit("jmp",@_); } +sub ::lock { &::data_byte(0xf0); } sub get_mem { my($size,$addr,$reg1,$reg2,$idx)=@_; Index: crypto/pkcs12/p12_key.c =================================================================== --- crypto/pkcs12/p12_key.c (revision 246700) +++ crypto/pkcs12/p12_key.c (working copy) @@ -176,24 +176,32 @@ int PKCS12_key_gen_uni(unsigned char *pass, int pa out += u; for (j = 0; j < v; j++) B[j] = Ai[j % u]; /* Work out B + 1 first then can use B as tmp space */ - if (!BN_bin2bn (B, v, Bpl1)) goto err; - if (!BN_add_word (Bpl1, 1)) goto err; + if (!BN_bin2bn (B, v, Bpl1)) + goto err; + if (!BN_add_word (Bpl1, 1)) + goto err; for (j = 0; j < Ilen ; j+=v) { - if (!BN_bin2bn (I + j, v, Ij)) goto err; - if (!BN_add (Ij, Ij, Bpl1)) goto err; - BN_bn2bin (Ij, B); + if (!BN_bin2bn(I + j, v, Ij)) + goto err; + if (!BN_add(Ij, Ij, Bpl1)) + goto err; + if (!BN_bn2bin(Ij, B)) + goto err; Ijlen = BN_num_bytes (Ij); /* If more than 2^(v*8) - 1 cut off MSB */ if (Ijlen > v) { - BN_bn2bin (Ij, B); + if (!BN_bn2bin (Ij, B)) + goto err; memcpy (I + j, B + 1, v); #ifndef PKCS12_BROKEN_KEYGEN /* If less than v bytes pad with zeroes */ } else if (Ijlen < v) { memset(I + j, 0, v - Ijlen); - BN_bn2bin(Ij, I + j + v - Ijlen); + if (!BN_bn2bin(Ij, I + j + v - Ijlen)) + goto err; #endif - } else BN_bn2bin (Ij, I + j); + } else if (!BN_bn2bin (Ij, I + j)) + goto err; } } Index: crypto/pkcs7/bio_pk7.c =================================================================== --- crypto/pkcs7/bio_pk7.c (revision 246700) +++ crypto/pkcs7/bio_pk7.c (working copy) @@ -56,7 +56,7 @@ #include #include -#ifndef OPENSSL_SYSNAME_NETWARE +#if !defined(OPENSSL_SYSNAME_NETWARE) && !defined(OPENSSL_SYSNAME_VXWORKS) #include #endif #include Index: crypto/ppccap.c =================================================================== --- crypto/ppccap.c (revision 246700) +++ crypto/ppccap.c (working copy) @@ -3,6 +3,7 @@ #include #include #include +#include #include #include @@ -53,6 +54,7 @@ static sigjmp_buf ill_jmp; static void ill_handler (int sig) { siglongjmp(ill_jmp,sig); } void OPENSSL_ppc64_probe(void); +void OPENSSL_altivec_probe(void); void OPENSSL_cpuid_setup(void) { @@ -82,6 +84,15 @@ void OPENSSL_cpuid_setup(void) OPENSSL_ppccap_P = 0; +#if defined(_AIX) + if (sizeof(size_t)==4 +# if defined(_SC_AIX_KERNEL_BITMODE) + && sysconf(_SC_AIX_KERNEL_BITMODE)!=64 +# endif + ) + return; +#endif + memset(&ill_act,0,sizeof(ill_act)); ill_act.sa_handler = ill_handler; ill_act.sa_mask = all_masked; Index: crypto/rand/md_rand.c =================================================================== --- crypto/rand/md_rand.c (revision 246700) +++ crypto/rand/md_rand.c (working copy) @@ -123,10 +123,10 @@ #include "e_os.h" +#include #include #include "rand_lcl.h" -#include #include #ifdef BN_DEBUG Index: crypto/rand/rand_lib.c =================================================================== --- crypto/rand/rand_lib.c (revision 246700) +++ crypto/rand/rand_lib.c (working copy) @@ -210,8 +210,11 @@ static size_t drbg_get_entropy(DRBG_CTX *ctx, unsi static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen) { - OPENSSL_cleanse(out, olen); - OPENSSL_free(out); + if (out) + { + OPENSSL_cleanse(out, olen); + OPENSSL_free(out); + } } /* Set "additional input" when generating random data. This uses the Index: crypto/rand/randfile.c =================================================================== --- crypto/rand/randfile.c (revision 246700) +++ crypto/rand/randfile.c (working copy) @@ -57,7 +57,9 @@ */ /* We need to define this to get macros like S_IFBLK and S_IFCHR */ +#if !defined(OPENSSL_SYS_VXWORKS) #define _XOPEN_SOURCE 500 +#endif #include #include Index: crypto/rc4/asm/rc4-md5-x86_64.pl =================================================================== --- crypto/rc4/asm/rc4-md5-x86_64.pl (revision 246700) +++ crypto/rc4/asm/rc4-md5-x86_64.pl (working copy) @@ -51,7 +51,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlat ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; my ($dat,$in0,$out,$ctx,$inp,$len, $func,$nargs); Index: crypto/rc4/asm/rc4-x86_64.pl =================================================================== --- crypto/rc4/asm/rc4-x86_64.pl (revision 246700) +++ crypto/rc4/asm/rc4-x86_64.pl (working copy) @@ -112,7 +112,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; $dat="%rdi"; # arg1 $len="%rsi"; # arg2 Index: crypto/ripemd/rmd_dgst.c =================================================================== --- crypto/ripemd/rmd_dgst.c (revision 246700) +++ crypto/ripemd/rmd_dgst.c (working copy) @@ -105,21 +105,21 @@ void ripemd160_block_data_order (RIPEMD160_CTX *ct A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E; - HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l; - RIP1(A,B,C,D,E,WL00,SL00); HOST_c2l(data,l); X( 2)=l; - RIP1(E,A,B,C,D,WL01,SL01); HOST_c2l(data,l); X( 3)=l; - RIP1(D,E,A,B,C,WL02,SL02); HOST_c2l(data,l); X( 4)=l; - RIP1(C,D,E,A,B,WL03,SL03); HOST_c2l(data,l); X( 5)=l; - RIP1(B,C,D,E,A,WL04,SL04); HOST_c2l(data,l); X( 6)=l; - RIP1(A,B,C,D,E,WL05,SL05); HOST_c2l(data,l); X( 7)=l; - RIP1(E,A,B,C,D,WL06,SL06); HOST_c2l(data,l); X( 8)=l; - RIP1(D,E,A,B,C,WL07,SL07); HOST_c2l(data,l); X( 9)=l; - RIP1(C,D,E,A,B,WL08,SL08); HOST_c2l(data,l); X(10)=l; - RIP1(B,C,D,E,A,WL09,SL09); HOST_c2l(data,l); X(11)=l; - RIP1(A,B,C,D,E,WL10,SL10); HOST_c2l(data,l); X(12)=l; - RIP1(E,A,B,C,D,WL11,SL11); HOST_c2l(data,l); X(13)=l; - RIP1(D,E,A,B,C,WL12,SL12); HOST_c2l(data,l); X(14)=l; - RIP1(C,D,E,A,B,WL13,SL13); HOST_c2l(data,l); X(15)=l; + (void)HOST_c2l(data,l); X( 0)=l;(void)HOST_c2l(data,l); X( 1)=l; + RIP1(A,B,C,D,E,WL00,SL00); (void)HOST_c2l(data,l); X( 2)=l; + RIP1(E,A,B,C,D,WL01,SL01); (void)HOST_c2l(data,l); X( 3)=l; + RIP1(D,E,A,B,C,WL02,SL02); (void)HOST_c2l(data,l); X( 4)=l; + RIP1(C,D,E,A,B,WL03,SL03); (void)HOST_c2l(data,l); X( 5)=l; + RIP1(B,C,D,E,A,WL04,SL04); (void)HOST_c2l(data,l); X( 6)=l; + RIP1(A,B,C,D,E,WL05,SL05); (void)HOST_c2l(data,l); X( 7)=l; + RIP1(E,A,B,C,D,WL06,SL06); (void)HOST_c2l(data,l); X( 8)=l; + RIP1(D,E,A,B,C,WL07,SL07); (void)HOST_c2l(data,l); X( 9)=l; + RIP1(C,D,E,A,B,WL08,SL08); (void)HOST_c2l(data,l); X(10)=l; + RIP1(B,C,D,E,A,WL09,SL09); (void)HOST_c2l(data,l); X(11)=l; + RIP1(A,B,C,D,E,WL10,SL10); (void)HOST_c2l(data,l); X(12)=l; + RIP1(E,A,B,C,D,WL11,SL11); (void)HOST_c2l(data,l); X(13)=l; + RIP1(D,E,A,B,C,WL12,SL12); (void)HOST_c2l(data,l); X(14)=l; + RIP1(C,D,E,A,B,WL13,SL13); (void)HOST_c2l(data,l); X(15)=l; RIP1(B,C,D,E,A,WL14,SL14); RIP1(A,B,C,D,E,WL15,SL15); Index: crypto/ripemd/rmd_locl.h =================================================================== --- crypto/ripemd/rmd_locl.h (revision 246700) +++ crypto/ripemd/rmd_locl.h (working copy) @@ -88,11 +88,11 @@ void ripemd160_block_data_order (RIPEMD160_CTX *c, #define HASH_FINAL RIPEMD160_Final #define HASH_MAKE_STRING(c,s) do { \ unsigned long ll; \ - ll=(c)->A; HOST_l2c(ll,(s)); \ - ll=(c)->B; HOST_l2c(ll,(s)); \ - ll=(c)->C; HOST_l2c(ll,(s)); \ - ll=(c)->D; HOST_l2c(ll,(s)); \ - ll=(c)->E; HOST_l2c(ll,(s)); \ + ll=(c)->A; (void)HOST_l2c(ll,(s)); \ + ll=(c)->B; (void)HOST_l2c(ll,(s)); \ + ll=(c)->C; (void)HOST_l2c(ll,(s)); \ + ll=(c)->D; (void)HOST_l2c(ll,(s)); \ + ll=(c)->E; (void)HOST_l2c(ll,(s)); \ } while (0) #define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order Index: crypto/rsa/rsa.h =================================================================== --- crypto/rsa/rsa.h (revision 246700) +++ crypto/rsa/rsa.h (working copy) @@ -280,7 +280,7 @@ struct rsa_st RSA * RSA_new(void); RSA * RSA_new_method(ENGINE *engine); -int RSA_size(const RSA *); +int RSA_size(const RSA *rsa); /* Deprecated version */ #ifndef OPENSSL_NO_DEPRECATED Index: crypto/rsa/rsa_eay.c =================================================================== --- crypto/rsa/rsa_eay.c (revision 246700) +++ crypto/rsa/rsa_eay.c (working copy) @@ -847,12 +847,12 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNU if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; /* If p < q it is occasionally possible for the correction of - * adding 'p' if r0 is negative above to leave the result still + * adding 'p' if r0 is negative above to leave the result still * negative. This can break the private key operations: the following * second correction should *always* correct this rare occurrence. * This will *never* happen with OpenSSL generated keys because - * they ensure p > q [steve] - */ + * they ensure p > q [steve] + */ if (BN_is_negative(r0)) if (!BN_add(r0,r0,rsa->p)) goto err; if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; Index: crypto/rsa/rsa_oaep.c =================================================================== --- crypto/rsa/rsa_oaep.c (revision 246700) +++ crypto/rsa/rsa_oaep.c (working copy) @@ -149,7 +149,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL)) return -1; - if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) + if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) goto decoding_err; else { Index: crypto/sha/asm/sha1-armv4-large.pl =================================================================== --- crypto/sha/asm/sha1-armv4-large.pl (revision 246700) +++ crypto/sha/asm/sha1-armv4-large.pl (working copy) @@ -177,6 +177,7 @@ for($i=0;$i<5;$i++) { $code.=<<___; teq $Xi,sp bne .L_00_15 @ [((11+4)*5+2)*3] + sub sp,sp,#25*4 ___ &BODY_00_15(@V); unshift(@V,pop(@V)); &BODY_16_19(@V); unshift(@V,pop(@V)); @@ -186,7 +187,6 @@ ___ $code.=<<___; ldr $K,.LK_20_39 @ [+15+16*4] - sub sp,sp,#25*4 cmn sp,#0 @ [+3], clear carry to denote 20_39 .L_20_39_or_60_79: ___ Index: crypto/sha/asm/sha1-ia64.pl =================================================================== --- crypto/sha/asm/sha1-ia64.pl (revision 246700) +++ crypto/sha/asm/sha1-ia64.pl (working copy) @@ -271,7 +271,8 @@ tmp6=loc13; ___ -{ my $i,@V=($A,$B,$C,$D,$E); +{ my $i; + my @V=($A,$B,$C,$D,$E); for($i=0;$i<16;$i++) { &BODY_00_15(\$code,$i,@V); unshift(@V,pop(@V)); } for(;$i<20;$i++) { &BODY_16_19(\$code,$i,@V); unshift(@V,pop(@V)); } Index: crypto/sha/asm/sha1-sparcv9a.pl =================================================================== --- crypto/sha/asm/sha1-sparcv9a.pl (revision 246700) +++ crypto/sha/asm/sha1-sparcv9a.pl (working copy) @@ -549,7 +549,7 @@ ___ # programmer detect if current CPU is VIS capable at run-time. sub unvis { my ($mnemonic,$rs1,$rs2,$rd)=@_; -my $ref,$opf; +my ($ref,$opf); my %visopf = ( "fmul8ulx16" => 0x037, "faligndata" => 0x048, "fpadd32" => 0x052, Index: crypto/sha/asm/sha1-x86_64.pl =================================================================== --- crypto/sha/asm/sha1-x86_64.pl (revision 246700) +++ crypto/sha/asm/sha1-x86_64.pl (working copy) @@ -82,7 +82,8 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ `ml64 2>&1` =~ /Version ([0-9]+)\./ && $1>=10); -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; $ctx="%rdi"; # 1st arg $inp="%rsi"; # 2nd arg Index: crypto/sha/asm/sha512-586.pl =================================================================== --- crypto/sha/asm/sha512-586.pl (revision 246700) +++ crypto/sha/asm/sha512-586.pl (working copy) @@ -142,9 +142,9 @@ sub BODY_00_15_x86 { &mov ("edx",$Ehi); &mov ("esi","ecx"); - &shr ("ecx",9) # lo>>9 + &shr ("ecx",9); # lo>>9 &mov ("edi","edx"); - &shr ("edx",9) # hi>>9 + &shr ("edx",9); # hi>>9 &mov ("ebx","ecx"); &shl ("esi",14); # lo<<14 &mov ("eax","edx"); @@ -207,9 +207,9 @@ sub BODY_00_15_x86 { &mov ($Dhi,"ebx"); &mov ("esi","ecx"); - &shr ("ecx",2) # lo>>2 + &shr ("ecx",2); # lo>>2 &mov ("edi","edx"); - &shr ("edx",2) # hi>>2 + &shr ("edx",2); # hi>>2 &mov ("ebx","ecx"); &shl ("esi",4); # lo<<4 &mov ("eax","edx"); @@ -452,9 +452,9 @@ if ($sse2) { &mov ("edx",&DWP(8*(9+15+16-1)+4,"esp")); &mov ("esi","ecx"); - &shr ("ecx",1) # lo>>1 + &shr ("ecx",1); # lo>>1 &mov ("edi","edx"); - &shr ("edx",1) # hi>>1 + &shr ("edx",1); # hi>>1 &mov ("eax","ecx"); &shl ("esi",24); # lo<<24 &mov ("ebx","edx"); @@ -488,9 +488,9 @@ if ($sse2) { &mov ("edx",&DWP(8*(9+15+16-14)+4,"esp")); &mov ("esi","ecx"); - &shr ("ecx",6) # lo>>6 + &shr ("ecx",6); # lo>>6 &mov ("edi","edx"); - &shr ("edx",6) # hi>>6 + &shr ("edx",6); # hi>>6 &mov ("eax","ecx"); &shl ("esi",3); # lo<<3 &mov ("ebx","edx"); Index: crypto/sha/asm/sha512-x86_64.pl =================================================================== --- crypto/sha/asm/sha512-x86_64.pl (revision 246700) +++ crypto/sha/asm/sha512-x86_64.pl (working copy) @@ -51,7 +51,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; if ($output =~ /512/) { $func="sha512_block_data_order"; Index: crypto/sha/sha1_one.c =================================================================== --- crypto/sha/sha1_one.c (revision 246700) +++ crypto/sha/sha1_one.c (working copy) @@ -58,8 +58,8 @@ #include #include +#include #include -#include #ifndef OPENSSL_NO_SHA1 unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md) Index: crypto/sha/sha1dgst.c =================================================================== --- crypto/sha/sha1dgst.c (revision 246700) +++ crypto/sha/sha1dgst.c (working copy) @@ -56,8 +56,8 @@ * [including the GNU Public Licence.] */ +#include #include -#include #if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA) #undef SHA_0 Index: crypto/sha/sha256.c =================================================================== --- crypto/sha/sha256.c (revision 246700) +++ crypto/sha/sha256.c (working copy) @@ -88,17 +88,17 @@ int SHA224_Final (unsigned char *md, SHA256_CTX *c switch ((c)->md_len) \ { case SHA224_DIGEST_LENGTH: \ for (nn=0;nnh[nn]; HOST_l2c(ll,(s)); } \ + { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ break; \ case SHA256_DIGEST_LENGTH: \ for (nn=0;nnh[nn]; HOST_l2c(ll,(s)); } \ + { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ break; \ default: \ if ((c)->md_len > SHA256_DIGEST_LENGTH) \ return 0; \ for (nn=0;nn<(c)->md_len/4;nn++) \ - { ll=(c)->h[nn]; HOST_l2c(ll,(s)); } \ + { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ break; \ } \ } while (0) Index: crypto/sha/sha_dgst.c =================================================================== --- crypto/sha/sha_dgst.c (revision 246700) +++ crypto/sha/sha_dgst.c (working copy) @@ -56,8 +56,8 @@ * [including the GNU Public Licence.] */ +#include #include -#include #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA) #undef SHA_1 Index: crypto/sha/sha_locl.h =================================================================== --- crypto/sha/sha_locl.h (revision 246700) +++ crypto/sha/sha_locl.h (working copy) @@ -69,11 +69,11 @@ #define HASH_CBLOCK SHA_CBLOCK #define HASH_MAKE_STRING(c,s) do { \ unsigned long ll; \ - ll=(c)->h0; HOST_l2c(ll,(s)); \ - ll=(c)->h1; HOST_l2c(ll,(s)); \ - ll=(c)->h2; HOST_l2c(ll,(s)); \ - ll=(c)->h3; HOST_l2c(ll,(s)); \ - ll=(c)->h4; HOST_l2c(ll,(s)); \ + ll=(c)->h0; (void)HOST_l2c(ll,(s)); \ + ll=(c)->h1; (void)HOST_l2c(ll,(s)); \ + ll=(c)->h2; (void)HOST_l2c(ll,(s)); \ + ll=(c)->h3; (void)HOST_l2c(ll,(s)); \ + ll=(c)->h4; (void)HOST_l2c(ll,(s)); \ } while (0) #if defined(SHA_0) @@ -256,21 +256,21 @@ static void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, con } else { - HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l; - BODY_00_15( 0,A,B,C,D,E,T,X( 0)); HOST_c2l(data,l); X( 2)=l; - BODY_00_15( 1,T,A,B,C,D,E,X( 1)); HOST_c2l(data,l); X( 3)=l; - BODY_00_15( 2,E,T,A,B,C,D,X( 2)); HOST_c2l(data,l); X( 4)=l; - BODY_00_15( 3,D,E,T,A,B,C,X( 3)); HOST_c2l(data,l); X( 5)=l; - BODY_00_15( 4,C,D,E,T,A,B,X( 4)); HOST_c2l(data,l); X( 6)=l; - BODY_00_15( 5,B,C,D,E,T,A,X( 5)); HOST_c2l(data,l); X( 7)=l; - BODY_00_15( 6,A,B,C,D,E,T,X( 6)); HOST_c2l(data,l); X( 8)=l; - BODY_00_15( 7,T,A,B,C,D,E,X( 7)); HOST_c2l(data,l); X( 9)=l; - BODY_00_15( 8,E,T,A,B,C,D,X( 8)); HOST_c2l(data,l); X(10)=l; - BODY_00_15( 9,D,E,T,A,B,C,X( 9)); HOST_c2l(data,l); X(11)=l; - BODY_00_15(10,C,D,E,T,A,B,X(10)); HOST_c2l(data,l); X(12)=l; - BODY_00_15(11,B,C,D,E,T,A,X(11)); HOST_c2l(data,l); X(13)=l; - BODY_00_15(12,A,B,C,D,E,T,X(12)); HOST_c2l(data,l); X(14)=l; - BODY_00_15(13,T,A,B,C,D,E,X(13)); HOST_c2l(data,l); X(15)=l; + (void)HOST_c2l(data,l); X( 0)=l; (void)HOST_c2l(data,l); X( 1)=l; + BODY_00_15( 0,A,B,C,D,E,T,X( 0)); (void)HOST_c2l(data,l); X( 2)=l; + BODY_00_15( 1,T,A,B,C,D,E,X( 1)); (void)HOST_c2l(data,l); X( 3)=l; + BODY_00_15( 2,E,T,A,B,C,D,X( 2)); (void)HOST_c2l(data,l); X( 4)=l; + BODY_00_15( 3,D,E,T,A,B,C,X( 3)); (void)HOST_c2l(data,l); X( 5)=l; + BODY_00_15( 4,C,D,E,T,A,B,X( 4)); (void)HOST_c2l(data,l); X( 6)=l; + BODY_00_15( 5,B,C,D,E,T,A,X( 5)); (void)HOST_c2l(data,l); X( 7)=l; + BODY_00_15( 6,A,B,C,D,E,T,X( 6)); (void)HOST_c2l(data,l); X( 8)=l; + BODY_00_15( 7,T,A,B,C,D,E,X( 7)); (void)HOST_c2l(data,l); X( 9)=l; + BODY_00_15( 8,E,T,A,B,C,D,X( 8)); (void)HOST_c2l(data,l); X(10)=l; + BODY_00_15( 9,D,E,T,A,B,C,X( 9)); (void)HOST_c2l(data,l); X(11)=l; + BODY_00_15(10,C,D,E,T,A,B,X(10)); (void)HOST_c2l(data,l); X(12)=l; + BODY_00_15(11,B,C,D,E,T,A,X(11)); (void)HOST_c2l(data,l); X(13)=l; + BODY_00_15(12,A,B,C,D,E,T,X(12)); (void)HOST_c2l(data,l); X(14)=l; + BODY_00_15(13,T,A,B,C,D,E,X(13)); (void)HOST_c2l(data,l); X(15)=l; BODY_00_15(14,E,T,A,B,C,D,X(14)); BODY_00_15(15,D,E,T,A,B,C,X(15)); } Index: crypto/sparccpuid.S =================================================================== --- crypto/sparccpuid.S (revision 246700) +++ crypto/sparccpuid.S (working copy) @@ -235,10 +235,10 @@ _sparcv9_rdtick: .global _sparcv9_vis1_probe .align 8 _sparcv9_vis1_probe: - .word 0x81b00d80 !fxor %f0,%f0,%f0 add %sp,BIAS+2,%o1 + .word 0xc19a5a40 !ldda [%o1]ASI_FP16_P,%f0 retl - .word 0xc19a5a40 !ldda [%o1]ASI_FP16_P,%f0 + .word 0x81b00d80 !fxor %f0,%f0,%f0 .type _sparcv9_vis1_probe,#function .size _sparcv9_vis1_probe,.-_sparcv9_vis1_probe Index: crypto/srp/srp_vfy.c =================================================================== --- crypto/srp/srp_vfy.c (revision 246700) +++ crypto/srp/srp_vfy.c (working copy) @@ -390,7 +390,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_f } for (i = 0; i < sk_OPENSSL_PSTRING_num(tmpdb->data); i++) { - pp = (char **)sk_OPENSSL_PSTRING_value(tmpdb->data,i); + pp = sk_OPENSSL_PSTRING_value(tmpdb->data,i); if (pp[DB_srptype][0] == DB_SRP_INDEX) { /*we add this couple in the internal Stack */ @@ -581,7 +581,8 @@ char *SRP_create_verifier(const char *user, const if (*salt == NULL) { char *tmp_salt; - if ((tmp_salt = (char *)OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) + + if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) { OPENSSL_free(vf); goto err; Index: crypto/symhacks.h =================================================================== --- crypto/symhacks.h (revision 246700) +++ crypto/symhacks.h (working copy) @@ -193,17 +193,17 @@ #undef SSL_CTX_set_srp_username_callback #define SSL_CTX_set_srp_username_callback SSL_CTX_set_srp_un_cb #undef ssl_add_clienthello_use_srtp_ext -#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext +#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext #undef ssl_add_serverhello_use_srtp_ext -#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext +#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext #undef ssl_parse_clienthello_use_srtp_ext -#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext +#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext #undef ssl_parse_serverhello_use_srtp_ext -#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext +#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext #undef SSL_CTX_set_next_protos_advertised_cb -#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb +#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb #undef SSL_CTX_set_next_proto_select_cb -#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb +#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb /* Hack some long ENGINE names */ #undef ENGINE_get_default_BN_mod_exp_crt @@ -316,8 +316,6 @@ #define ec_GFp_simple_point_set_to_infinity ec_GFp_simple_pt_set_to_inf #undef ec_GFp_simple_points_make_affine #define ec_GFp_simple_points_make_affine ec_GFp_simple_pts_make_affine -#undef ec_GFp_simple_group_get_curve_GFp -#define ec_GFp_simple_group_get_curve_GFp ec_GFp_simple_grp_get_curve_GFp #undef ec_GFp_simple_set_Jprojective_coordinates_GFp #define ec_GFp_simple_set_Jprojective_coordinates_GFp \ ec_GFp_smp_set_Jproj_coords_GFp Index: crypto/ui/ui_openssl.c =================================================================== --- crypto/ui/ui_openssl.c (revision 246700) +++ crypto/ui/ui_openssl.c (working copy) @@ -122,9 +122,15 @@ * sigaction and fileno included. -pedantic would be more appropriate for * the intended purposes, but we can't prevent users from adding -ansi. */ +#if defined(OPENSSL_SYSNAME_VXWORKS) +#include +#endif + #if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS) +#ifndef _POSIX_C_SOURCE #define _POSIX_C_SOURCE 2 #endif +#endif #include #include #include Index: crypto/whrlpool/asm/wp-mmx.pl =================================================================== --- crypto/whrlpool/asm/wp-mmx.pl (revision 246700) +++ crypto/whrlpool/asm/wp-mmx.pl (working copy) @@ -119,7 +119,7 @@ $tbl="ebp"; &mov ("eax",&DWP(0,"esp")); &mov ("ebx",&DWP(4,"esp")); for($i=0;$i<8;$i++) { - my $func = ($i==0)? movq : pxor; + my $func = ($i==0)? \&movq : \&pxor; &movb (&LB("ecx"),&LB("eax")); &movb (&LB("edx"),&HB("eax")); &scale ("esi","ecx"); Index: crypto/whrlpool/asm/wp-x86_64.pl =================================================================== --- crypto/whrlpool/asm/wp-x86_64.pl (revision 246700) +++ crypto/whrlpool/asm/wp-x86_64.pl (working copy) @@ -41,7 +41,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlat ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; sub L() { $code.=".byte ".join(',',@_)."\n"; } sub LL(){ $code.=".byte ".join(',',@_).",".join(',',@_)."\n"; } Index: crypto/x509/x509_cmp.c =================================================================== --- crypto/x509/x509_cmp.c (revision 246700) +++ crypto/x509/x509_cmp.c (working copy) @@ -86,10 +86,9 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) EVP_MD_CTX_init(&ctx); f=X509_NAME_oneline(a->cert_info->issuer,NULL,0); - ret=strlen(f); if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) goto err; - if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,ret)) + if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,strlen(f))) goto err; OPENSSL_free(f); if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data, @@ -249,14 +248,14 @@ unsigned long X509_NAME_hash_old(X509_NAME *x) i2d_X509_NAME(x,NULL); EVP_MD_CTX_init(&md_ctx); EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL); - EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length); - EVP_DigestFinal_ex(&md_ctx,md,NULL); + if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL) + && EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length) + && EVP_DigestFinal_ex(&md_ctx,md,NULL)) + ret=(((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| + ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) + )&0xffffffffL; EVP_MD_CTX_cleanup(&md_ctx); - ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| - ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) - )&0xffffffffL; return(ret); } #endif Index: crypto/x509/x509_vfy.c =================================================================== --- crypto/x509/x509_vfy.c (revision 246700) +++ crypto/x509/x509_vfy.c (working copy) @@ -872,7 +872,7 @@ static int crl_extension_match(X509_CRL *a, X509_C { ASN1_OCTET_STRING *exta, *extb; int i; - i = X509_CRL_get_ext_by_NID(a, nid, 0); + i = X509_CRL_get_ext_by_NID(a, nid, -1); if (i >= 0) { /* Can't have multiple occurrences */ @@ -883,7 +883,7 @@ static int crl_extension_match(X509_CRL *a, X509_C else exta = NULL; - i = X509_CRL_get_ext_by_NID(b, nid, 0); + i = X509_CRL_get_ext_by_NID(b, nid, -1); if (i >= 0) { Index: crypto/x509v3/v3_purp.c =================================================================== --- crypto/x509v3/v3_purp.c (revision 246700) +++ crypto/x509v3/v3_purp.c (working copy) @@ -474,11 +474,11 @@ static void x509v3_cache_extensions(X509 *x) for (i = 0; i < X509_get_ext_count(x); i++) { ex = X509_get_ext(x, i); - if (!X509_EXTENSION_get_critical(ex)) - continue; if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_freshest_crl) x->ex_flags |= EXFLAG_FRESHEST; + if (!X509_EXTENSION_get_critical(ex)) + continue; if (!X509_supported_extension(ex)) { x->ex_flags |= EXFLAG_CRITICAL; Index: crypto/x86_64cpuid.pl =================================================================== --- crypto/x86_64cpuid.pl (revision 246700) +++ crypto/x86_64cpuid.pl (working copy) @@ -11,7 +11,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; ($arg1,$arg2,$arg3,$arg4)=$win64?("%rcx","%rdx","%r8", "%r9") : # Win64 order ("%rdi","%rsi","%rdx","%rcx"); # Unix order Index: crypto/x86cpuid.pl =================================================================== --- crypto/x86cpuid.pl (revision 246700) +++ crypto/x86cpuid.pl (working copy) @@ -165,7 +165,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); &jnz (&label("nohalt")); # not enough privileges &pushf (); - &pop ("eax") + &pop ("eax"); &bt ("eax",9); &jnc (&label("nohalt")); # interrupts are disabled @@ -280,7 +280,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); # arguments is 1 or 2! &function_begin_B("OPENSSL_indirect_call"); { - my $i,$max=7; # $max has to be chosen as 4*n-1 + my ($max,$i)=(7,); # $max has to be chosen as 4*n-1 # in order to preserve eventual # stack alignment &push ("ebp"); Index: doc/apps/CA.pl.pod =================================================================== --- doc/apps/CA.pl.pod (revision 246700) +++ doc/apps/CA.pl.pod (working copy) @@ -39,13 +39,13 @@ prints a usage message. =item B<-newcert> -creates a new self signed certificate. The private key and certificate are -written to the file "newreq.pem". +creates a new self signed certificate. The private key is written to the file +"newkey.pem" and the request written to the file "newreq.pem". =item B<-newreq> -creates a new certificate request. The private key and request are -written to the file "newreq.pem". +creates a new certificate request. The private key is written to the file +"newkey.pem" and the request written to the file "newreq.pem". =item B<-newreq-nodes> Index: doc/apps/verify.pod =================================================================== --- doc/apps/verify.pod (revision 246700) +++ doc/apps/verify.pod (working copy) @@ -54,35 +54,37 @@ in PEM format concatenated together. =item B<-untrusted file> A file of untrusted certificates. The file should contain multiple certificates +in PEM format concatenated together. =item B<-purpose purpose> -the intended use for the certificate. Without this option no chain verification -will be done. Currently accepted uses are B, B, -B, B, B. See the B -section for more information. +The intended use for the certificate. If this option is not specified, +B will not consider certificate purpose during chain verification. +Currently accepted uses are B, B, B, +B, B. See the B section for more +information. =item B<-help> -prints out a usage message. +Print out a usage message. =item B<-verbose> -print extra information about the operations being performed. +Print extra information about the operations being performed. =item B<-issuer_checks> -print out diagnostics relating to searches for the issuer certificate -of the current certificate. This shows why each candidate issuer -certificate was rejected. However the presence of rejection messages -does not itself imply that anything is wrong: during the normal -verify process several rejections may take place. +Print out diagnostics relating to searches for the issuer certificate of the +current certificate. This shows why each candidate issuer certificate was +rejected. The presence of rejection messages does not itself imply that +anything is wrong; during the normal verification process, several +rejections may take place. =item B<-policy arg> -Enable policy processing and add B to the user-initial-policy-set -(see RFC3280 et al). The policy B can be an object name an OID in numeric -form. This argument can appear more than once. +Enable policy processing and add B to the user-initial-policy-set (see +RFC5280). The policy B can be an object name an OID in numeric form. +This argument can appear more than once. =item B<-policy_check> @@ -90,41 +92,40 @@ Enables certificate policy processing. =item B<-explicit_policy> -Set policy variable require-explicit-policy (see RFC3280 et al). +Set policy variable require-explicit-policy (see RFC5280). =item B<-inhibit_any> -Set policy variable inhibit-any-policy (see RFC3280 et al). +Set policy variable inhibit-any-policy (see RFC5280). =item B<-inhibit_map> -Set policy variable inhibit-policy-mapping (see RFC3280 et al). +Set policy variable inhibit-policy-mapping (see RFC5280). =item B<-policy_print> -Print out diagnostics, related to policy checking +Print out diagnostics related to policy processing. =item B<-crl_check> -Checks end entity certificate validity by attempting to lookup a valid CRL. +Checks end entity certificate validity by attempting to look up a valid CRL. If a valid CRL cannot be found an error occurs. =item B<-crl_check_all> Checks the validity of B certificates in the chain by attempting -to lookup valid CRLs. +to look up valid CRLs. =item B<-ignore_critical> Normally if an unhandled critical extension is present which is not -supported by OpenSSL the certificate is rejected (as required by -RFC3280 et al). If this option is set critical extensions are -ignored. +supported by OpenSSL the certificate is rejected (as required by RFC5280). +If this option is set critical extensions are ignored. =item B<-x509_strict> -Disable workarounds for broken certificates which have to be disabled -for strict X.509 compliance. +For strict X.509 compliance, disable non-compliant workarounds for broken +certificates. =item B<-extended_crl> @@ -142,17 +143,16 @@ because it doesn't add any security. =item B<-> -marks the last option. All arguments following this are assumed to be +Indicates the last option. All arguments following this are assumed to be certificate files. This is useful if the first certificate filename begins with a B<->. =item B -one or more certificates to verify. If no certificate filenames are included -then an attempt is made to read a certificate from standard input. They should -all be in PEM format. +One or more certificates to verify. If no certificates are given, B +will attempt to read a certificate from standard input. Certificates must be +in PEM format. - =back =head1 VERIFY OPERATION Index: doc/apps/x509.pod =================================================================== --- doc/apps/x509.pod (revision 246700) +++ doc/apps/x509.pod (working copy) @@ -29,6 +29,7 @@ B B [B<-purpose>] [B<-dates>] [B<-modulus>] +[B<-pubkey>] [B<-fingerprint>] [B<-alias>] [B<-noout>] @@ -135,6 +136,10 @@ section for more information. this option prevents output of the encoded version of the request. +=item B<-pubkey> + +outputs the the certificate's SubjectPublicKeyInfo block in PEM format. + =item B<-modulus> this option prints out the value of the modulus of the public key Index: doc/crypto/EVP_PKEY_CTX_ctrl.pod =================================================================== --- doc/crypto/EVP_PKEY_CTX_ctrl.pod (revision 246700) +++ doc/crypto/EVP_PKEY_CTX_ctrl.pod (working copy) @@ -117,7 +117,7 @@ L, L, L, L, -L, +L, L L Index: doc/crypto/EVP_PKEY_decrypt.pod =================================================================== --- doc/crypto/EVP_PKEY_decrypt.pod (revision 246700) +++ doc/crypto/EVP_PKEY_decrypt.pod (working copy) @@ -83,7 +83,7 @@ L, L, L, L, -L, +L, L =head1 HISTORY Index: doc/crypto/EVP_PKEY_derive.pod =================================================================== --- doc/crypto/EVP_PKEY_derive.pod (revision 246700) +++ doc/crypto/EVP_PKEY_derive.pod (working copy) @@ -84,7 +84,7 @@ L, L, L, L, -L, +L, =head1 HISTORY Index: doc/crypto/EVP_PKEY_encrypt.pod =================================================================== --- doc/crypto/EVP_PKEY_encrypt.pod (revision 246700) +++ doc/crypto/EVP_PKEY_encrypt.pod (working copy) @@ -83,7 +83,7 @@ L, L, L, L, -L, +L, L =head1 HISTORY Index: doc/crypto/EVP_PKEY_get_default_digest.pod =================================================================== --- doc/crypto/EVP_PKEY_get_default_digest.pod (revision 246700) +++ doc/crypto/EVP_PKEY_get_default_digest.pod (working copy) @@ -32,7 +32,7 @@ public key algorithm. L, L, L, -L, +L, =head1 HISTORY Index: doc/crypto/EVP_PKEY_keygen.pod =================================================================== --- doc/crypto/EVP_PKEY_keygen.pod (revision 246700) +++ doc/crypto/EVP_PKEY_keygen.pod (working copy) @@ -151,7 +151,7 @@ L, L, L, L, -L, +L, L =head1 HISTORY Index: doc/crypto/EVP_PKEY_sign.pod =================================================================== --- doc/crypto/EVP_PKEY_sign.pod (revision 246700) +++ doc/crypto/EVP_PKEY_sign.pod (working copy) @@ -86,7 +86,7 @@ L, L, L, L, -L, +L, L =head1 HISTORY Index: doc/crypto/EVP_PKEY_verify.pod =================================================================== --- doc/crypto/EVP_PKEY_verify.pod (revision 246700) +++ doc/crypto/EVP_PKEY_verify.pod (working copy) @@ -81,7 +81,7 @@ L, L, L, L, -L, +L, L =head1 HISTORY Index: doc/crypto/EVP_PKEY_verify_recover.pod =================================================================== --- doc/crypto/EVP_PKEY_verify_recover.pod (working copy) +++ doc/crypto/EVP_PKEY_verify_recover.pod (working copy) @@ -2,23 +2,23 @@ =head1 NAME -EVP_PKEY_verifyrecover_init, EVP_PKEY_verifyrecover - recover signature using a public key algorithm +EVP_PKEY_verify_recover_init, EVP_PKEY_verify_recover - recover signature using a public key algorithm =head1 SYNOPSIS #include - int EVP_PKEY_verifyrecover_init(EVP_PKEY_CTX *ctx); - int EVP_PKEY_verifyrecover(EVP_PKEY_CTX *ctx, + int EVP_PKEY_verify_recover_init(EVP_PKEY_CTX *ctx); + int EVP_PKEY_verify_recover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen, const unsigned char *sig, size_t siglen); =head1 DESCRIPTION -The EVP_PKEY_verifyrecover_init() function initializes a public key algorithm +The EVP_PKEY_verify_recover_init() function initializes a public key algorithm context using key B for a verify recover operation. -The EVP_PKEY_verifyrecover() function recovers signed data +The EVP_PKEY_verify_recover() function recovers signed data using B. The signature is specified using the B and B parameters. If B is B then the maximum size of the output buffer is written to the B parameter. If B is not B then @@ -36,16 +36,16 @@ Sometimes however it is useful to obtain the data signing operation. Only certain public key algorithms can recover a signature in this way (for example RSA in PKCS padding mode). -After the call to EVP_PKEY_verifyrecover_init() algorithm specific control +After the call to EVP_PKEY_verify_recover_init() algorithm specific control operations can be performed to set any appropriate parameters for the operation. -The function EVP_PKEY_verifyrecover() can be called more than once on the same +The function EVP_PKEY_verify_recover() can be called more than once on the same context if several operations are performed using the same parameters. =head1 RETURN VALUES -EVP_PKEY_verifyrecover_init() and EVP_PKEY_verifyrecover() return 1 for success +EVP_PKEY_verify_recover_init() and EVP_PKEY_verify_recover() return 1 for success and 0 or a negative value for failure. In particular a return value of -2 indicates the operation is not supported by the public key algorithm. @@ -66,7 +66,7 @@ Recover digest originally signed using PKCS#1 and ctx = EVP_PKEY_CTX_new(verify_key); if (!ctx) /* Error occurred */ - if (EVP_PKEY_verifyrecover_init(ctx) <= 0) + if (EVP_PKEY_verify_recover_init(ctx) <= 0) /* Error */ if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) /* Error */ @@ -74,7 +74,7 @@ Recover digest originally signed using PKCS#1 and /* Error */ /* Determine buffer length */ - if (EVP_PKEY_verifyrecover(ctx, NULL, &routlen, sig, siglen) <= 0) + if (EVP_PKEY_verify_recover(ctx, NULL, &routlen, sig, siglen) <= 0) /* Error */ rout = OPENSSL_malloc(routlen); @@ -82,7 +82,7 @@ Recover digest originally signed using PKCS#1 and if (!rout) /* malloc failure */ - if (EVP_PKEY_verifyrecover(ctx, rout, &routlen, sig, siglen) <= 0) + if (EVP_PKEY_verify_recover(ctx, rout, &routlen, sig, siglen) <= 0) /* Error */ /* Recovered data is routlen bytes written to buffer rout */ Index: doc/crypto/EVP_PKEY_verifyrecover.pod =================================================================== --- doc/crypto/EVP_PKEY_verifyrecover.pod (revision 246700) +++ doc/crypto/EVP_PKEY_verifyrecover.pod (working copy) @@ -1,103 +0,0 @@ -=pod - -=head1 NAME - -EVP_PKEY_verifyrecover_init, EVP_PKEY_verifyrecover - recover signature using a public key algorithm - -=head1 SYNOPSIS - - #include - - int EVP_PKEY_verifyrecover_init(EVP_PKEY_CTX *ctx); - int EVP_PKEY_verifyrecover(EVP_PKEY_CTX *ctx, - unsigned char *rout, size_t *routlen, - const unsigned char *sig, size_t siglen); - -=head1 DESCRIPTION - -The EVP_PKEY_verifyrecover_init() function initializes a public key algorithm -context using key B for a verify recover operation. - -The EVP_PKEY_verifyrecover() function recovers signed data -using B. The signature is specified using the B and -B parameters. If B is B then the maximum size of the output -buffer is written to the B parameter. If B is not B then -before the call the B parameter should contain the length of the -B buffer, if the call is successful recovered data is written to -B and the amount of data written to B. - -=head1 NOTES - -Normally an application is only interested in whether a signature verification -operation is successful in those cases the EVP_verify() function should be -used. - -Sometimes however it is useful to obtain the data originally signed using a -signing operation. Only certain public key algorithms can recover a signature -in this way (for example RSA in PKCS padding mode). - -After the call to EVP_PKEY_verifyrecover_init() algorithm specific control -operations can be performed to set any appropriate parameters for the -operation. - -The function EVP_PKEY_verifyrecover() can be called more than once on the same -context if several operations are performed using the same parameters. - -=head1 RETURN VALUES - -EVP_PKEY_verifyrecover_init() and EVP_PKEY_verifyrecover() return 1 for success -and 0 or a negative value for failure. In particular a return value of -2 -indicates the operation is not supported by the public key algorithm. - -=head1 EXAMPLE - -Recover digest originally signed using PKCS#1 and SHA256 digest: - - #include - #include - - EVP_PKEY_CTX *ctx; - unsigned char *rout, *sig; - size_t routlen, siglen; - EVP_PKEY *verify_key; - /* NB: assumes verify_key, sig and siglen are already set up - * and that verify_key is an RSA public key - */ - ctx = EVP_PKEY_CTX_new(verify_key); - if (!ctx) - /* Error occurred */ - if (EVP_PKEY_verifyrecover_init(ctx) <= 0) - /* Error */ - if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_PADDING) <= 0) - /* Error */ - if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_sha256()) <= 0) - /* Error */ - - /* Determine buffer length */ - if (EVP_PKEY_verifyrecover(ctx, NULL, &routlen, sig, siglen) <= 0) - /* Error */ - - rout = OPENSSL_malloc(routlen); - - if (!rout) - /* malloc failure */ - - if (EVP_PKEY_verifyrecover(ctx, rout, &routlen, sig, siglen) <= 0) - /* Error */ - - /* Recovered data is routlen bytes written to buffer rout */ - -=head1 SEE ALSO - -L, -L, -L, -L, -L, -L - -=head1 HISTORY - -These functions were first added to OpenSSL 1.0.0. - -=cut Index: engines/ccgost/gost89.c =================================================================== --- engines/ccgost/gost89.c (revision 246700) +++ engines/ccgost/gost89.c (working copy) @@ -369,7 +369,13 @@ int gost_mac(gost_ctx *ctx,int mac_len,const unsig memset(buf2,0,8); memcpy(buf2,data+i,data_len-i); mac_block(ctx,buffer,buf2); - } + i+=8; + } + if (i==8) + { + memset(buf2,0,8); + mac_block(ctx,buffer,buf2); + } get_mac(buffer,mac_len,mac); return 1; } @@ -389,7 +395,13 @@ int gost_mac_iv(gost_ctx *ctx,int mac_len,const un memset(buf2,0,8); memcpy(buf2,data+i,data_len-i); mac_block(ctx,buffer,buf2); + i+=8; } + if (i==8) + { + memset(buf2,0,8); + mac_block(ctx,buffer,buf2); + } get_mac(buffer,mac_len,mac); return 1; } Index: engines/ccgost/gost_crypt.c =================================================================== --- engines/ccgost/gost_crypt.c (revision 246700) +++ engines/ccgost/gost_crypt.c (working copy) @@ -11,6 +11,14 @@ #include #include "e_gost_err.h" #include "gost_lcl.h" + +#if !defined(CCGOST_DEBUG) && !defined(DEBUG) +# ifndef NDEBUG +# define NDEBUG +# endif +#endif +#include + static int gost_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); static int gost_cipher_init_cpa(EVP_CIPHER_CTX *ctx, const unsigned char *key, @@ -206,12 +214,13 @@ int gost_cipher_init(EVP_CIPHER_CTX *ctx, const un static void gost_crypt_mesh (void *ctx,unsigned char *iv,unsigned char *buf) { struct ossl_gost_cipher_ctx *c = ctx; - if (c->count&&c->key_meshing && c->count%1024==0) + assert(c->count%8 == 0 && c->count <= 1024); + if (c->key_meshing && c->count==1024) { cryptopro_key_meshing(&(c->cctx),iv); } gostcrypt(&(c->cctx),iv,buf); - c->count+=8; + c->count = c->count%1024 + 8; } static void gost_cnt_next (void *ctx, unsigned char *iv, unsigned char *buf) @@ -219,7 +228,8 @@ static void gost_cnt_next (void *ctx, unsigned cha struct ossl_gost_cipher_ctx *c = ctx; word32 g,go; unsigned char buf1[8]; - if (c->count && c->key_meshing && c->count %1024 ==0) + assert(c->count%8 == 0 && c->count <= 1024); + if (c->key_meshing && c->count==1024) { cryptopro_key_meshing(&(c->cctx),iv); } @@ -248,7 +258,7 @@ static void gost_cnt_next (void *ctx, unsigned cha buf1[7]=(unsigned char)((g>>24)&0xff); memcpy(iv,buf1,8); gostcrypt(&(c->cctx),buf1,buf); - c->count +=8; + c->count = c->count%1024 + 8; } /* GOST encryption in CFB mode */ @@ -511,12 +521,13 @@ static void mac_block_mesh(struct ossl_gost_imit_c * interpret internal state of MAC algorithm as iv during keymeshing * (but does initialize internal state from iv in key transport */ - if (c->key_meshing&& c->count && c->count %1024 ==0) + assert(c->count%8 == 0 && c->count <= 1024); + if (c->key_meshing && c->count==1024) { cryptopro_key_meshing(&(c->cctx),buffer); } mac_block(&(c->cctx),c->buffer,data); - c->count +=8; + c->count = c->count%1024 + 8; } int gost_imit_update(EVP_MD_CTX *ctx, const void *data, size_t count) @@ -565,6 +576,12 @@ int gost_imit_final(EVP_MD_CTX *ctx,unsigned char GOSTerr(GOST_F_GOST_IMIT_FINAL, GOST_R_MAC_KEY_NOT_SET); return 0; } + if (c->count==0 && c->bytes_left) + { + unsigned char buffer[8]; + memset(buffer, 0, 8); + gost_imit_update(ctx, buffer, 8); + } if (c->bytes_left) { int i; Index: engines/ccgost/gost_eng.c =================================================================== --- engines/ccgost/gost_eng.c (revision 246700) +++ engines/ccgost/gost_eng.c (working copy) @@ -64,6 +64,13 @@ static int gost_engine_finish(ENGINE *e) static int gost_engine_destroy(ENGINE *e) { gost_param_free(); + + pmeth_GostR3410_94 = NULL; + pmeth_GostR3410_2001 = NULL; + pmeth_Gost28147_MAC = NULL; + ameth_GostR3410_94 = NULL; + ameth_GostR3410_2001 = NULL; + ameth_Gost28147_MAC = NULL; return 1; } @@ -71,6 +78,11 @@ static int bind_gost (ENGINE *e,const char *id) { int ret = 0; if (id && strcmp(id, engine_gost_id)) return 0; + if (ameth_GostR3410_94) + { + printf("GOST engine already loaded\n"); + goto end; + } if (!ENGINE_set_id(e, engine_gost_id)) { @@ -263,7 +275,10 @@ static ENGINE *engine_gost(void) void ENGINE_load_gost(void) { - ENGINE *toadd =engine_gost(); + ENGINE *toadd; + if (pmeth_GostR3410_94) + return; + toadd = engine_gost(); if (!toadd) return; ENGINE_add(toadd); ENGINE_free(toadd); Index: engines/ccgost/gost_lcl.h =================================================================== --- engines/ccgost/gost_lcl.h (revision 246700) +++ engines/ccgost/gost_lcl.h (working copy) @@ -136,7 +136,7 @@ extern EVP_MD imit_gost_cpa; /* Cipher context used for EVP_CIPHER operation */ struct ossl_gost_cipher_ctx { int paramNID; - off_t count; + unsigned int count; int key_meshing; gost_ctx cctx; }; @@ -151,7 +151,7 @@ struct ossl_gost_imit_ctx { gost_ctx cctx; unsigned char buffer[8]; unsigned char partial_block[8]; - off_t count; + unsigned int count; int key_meshing; int bytes_left; int key_set; Index: engines/ccgost/gosthash.c =================================================================== --- engines/ccgost/gosthash.c (revision 246700) +++ engines/ccgost/gosthash.c (working copy) @@ -42,7 +42,7 @@ static void circle_xor8 (const byte *w, byte *k) byte buf[8]; int i; memcpy(buf,w,8); - memcpy(k,w+8,24); + memmove(k,w+8,24); for(i=0;i<8;i++) k[i+24]=buf[i]^k[i]; } Index: engines/e_capi.c =================================================================== --- engines/e_capi.c (revision 246700) +++ engines/e_capi.c (working copy) @@ -1432,10 +1432,13 @@ static PCCERT_CONTEXT capi_find_cert(CAPI_CTX *ctx static CAPI_KEY *capi_get_key(CAPI_CTX *ctx, const char *contname, char *provname, DWORD ptype, DWORD keyspec) { CAPI_KEY *key; + DWORD dwFlags = 0; key = OPENSSL_malloc(sizeof(CAPI_KEY)); CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", contname, provname, ptype); - if (!CryptAcquireContextA(&key->hprov, contname, provname, ptype, 0)) + if(ctx->store_flags & CERT_SYSTEM_STORE_LOCAL_MACHINE) + dwFlags = CRYPT_MACHINE_KEYSET; + if (!CryptAcquireContextA(&key->hprov, contname, provname, ptype, dwFlags)) { CAPIerr(CAPI_F_CAPI_GET_KEY, CAPI_R_CRYPTACQUIRECONTEXT_ERROR); capi_addlasterror(); Index: ssl/Makefile =================================================================== --- ssl/Makefile (revision 246700) +++ ssl/Makefile (working copy) @@ -22,7 +22,7 @@ LIB=$(TOP)/libssl.a SHARED_LIB= libssl$(SHLIB_EXT) LIBSRC= \ s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \ - s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \ + s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c s3_cbc.c \ s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \ t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \ d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \ @@ -33,7 +33,7 @@ LIBSRC= \ bio_ssl.c ssl_err.c kssl.c tls_srp.c t1_reneg.c LIBOBJ= \ s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \ - s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \ + s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \ s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \ t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \ d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \ @@ -547,6 +547,26 @@ s3_both.o: ../include/openssl/ssl23.h ../include/o s3_both.o: ../include/openssl/stack.h ../include/openssl/symhacks.h s3_both.o: ../include/openssl/tls1.h ../include/openssl/x509.h s3_both.o: ../include/openssl/x509_vfy.h s3_both.c ssl_locl.h +s3_cbc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h +s3_cbc.o: ../include/openssl/buffer.h ../include/openssl/comp.h +s3_cbc.o: ../include/openssl/crypto.h ../include/openssl/dsa.h +s3_cbc.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h +s3_cbc.o: ../include/openssl/ec.h ../include/openssl/ecdh.h +s3_cbc.o: ../include/openssl/ecdsa.h ../include/openssl/err.h +s3_cbc.o: ../include/openssl/evp.h ../include/openssl/hmac.h +s3_cbc.o: ../include/openssl/kssl.h ../include/openssl/lhash.h +s3_cbc.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h +s3_cbc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h +s3_cbc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h +s3_cbc.o: ../include/openssl/pem.h ../include/openssl/pem2.h +s3_cbc.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h +s3_cbc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h +s3_cbc.o: ../include/openssl/sha.h ../include/openssl/srtp.h +s3_cbc.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h +s3_cbc.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h +s3_cbc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h +s3_cbc.o: ../include/openssl/tls1.h ../include/openssl/x509.h +s3_cbc.o: ../include/openssl/x509_vfy.h s3_cbc.c ssl_locl.h s3_clnt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h s3_clnt.o: ../include/openssl/bn.h ../include/openssl/buffer.h s3_clnt.o: ../include/openssl/comp.h ../include/openssl/crypto.h Index: ssl/d1_enc.c =================================================================== --- ssl/d1_enc.c (revision 246700) +++ ssl/d1_enc.c (working copy) @@ -126,20 +126,28 @@ #include #endif +/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. + * + * Returns: + * 0: (in non-constant time) if the record is publically invalid (i.e. too + * short etc). + * 1: if the record's padding is valid / the encryption was successful. + * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, + * an internal error occured. */ int dtls1_enc(SSL *s, int send) { SSL3_RECORD *rec; EVP_CIPHER_CTX *ds; unsigned long l; - int bs,i,ii,j,k,n=0; + int bs,i,j,k,mac_size=0; const EVP_CIPHER *enc; if (send) { if (EVP_MD_CTX_md(s->write_hash)) { - n=EVP_MD_CTX_size(s->write_hash); - if (n < 0) + mac_size=EVP_MD_CTX_size(s->write_hash); + if (mac_size < 0) return -1; } ds=s->enc_write_ctx; @@ -164,9 +172,8 @@ int dtls1_enc(SSL *s, int send) { if (EVP_MD_CTX_md(s->read_hash)) { - n=EVP_MD_CTX_size(s->read_hash); - if (n < 0) - return -1; + mac_size=EVP_MD_CTX_size(s->read_hash); + OPENSSL_assert(mac_size >= 0); } ds=s->enc_read_ctx; rec= &(s->s3->rrec); @@ -231,7 +238,7 @@ int dtls1_enc(SSL *s, int send) if (!send) { if (l == 0 || l%bs != 0) - return -1; + return 0; } EVP_Cipher(ds,rec->data,rec->input,l); @@ -246,43 +253,7 @@ int dtls1_enc(SSL *s, int send) #endif /* KSSL_DEBUG */ if ((bs != 1) && !send) - { - ii=i=rec->data[l-1]; /* padding_length */ - i++; - if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) - { - /* First packet is even in size, so check */ - if ((memcmp(s->s3->read_sequence, - "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) - s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; - if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) - i--; - } - /* TLS 1.0 does not bound the number of padding bytes by the block size. - * All of them must have value 'padding_length'. */ - if (i + bs > (int)rec->length) - { - /* Incorrect padding. SSLerr() and ssl3_alert are done - * by caller: we don't want to reveal whether this is - * a decryption error or a MAC verification failure - * (see http://www.openssl.org/~bodo/tls-cbc.txt) - */ - return -1; - } - for (j=(int)(l-i); j<(int)l; j++) - { - if (rec->data[j] != ii) - { - /* Incorrect padding */ - return -1; - } - } - rec->length-=i; - - rec->data += bs; /* skip the implicit IV */ - rec->input += bs; - rec->length -= bs; - } + return tls1_cbc_remove_padding(s, rec, bs, mac_size); } return(1); } Index: ssl/d1_pkt.c =================================================================== --- ssl/d1_pkt.c (revision 246700) +++ ssl/d1_pkt.c (working copy) @@ -376,16 +376,12 @@ static int dtls1_process_record(SSL *s) { int i,al; - int clear=0; int enc_err; SSL_SESSION *sess; SSL3_RECORD *rr; - unsigned int mac_size; + unsigned int mac_size, orig_len; unsigned char md[EVP_MAX_MD_SIZE]; - int decryption_failed_or_bad_record_mac = 0; - unsigned char *mac = NULL; - rr= &(s->s3->rrec); sess = s->session; @@ -416,12 +412,16 @@ dtls1_process_record(SSL *s) rr->data=rr->input; enc_err = s->method->ssl3_enc->enc(s,0); - if (enc_err <= 0) + /* enc_err is: + * 0: (in non-constant time) if the record is publically invalid. + * 1: if the padding is valid + * -1: if the padding is invalid */ + if (enc_err == 0) { - /* To minimize information leaked via timing, we will always - * perform all computations before discarding the message. - */ - decryption_failed_or_bad_record_mac = 1; + /* For DTLS we simply ignore bad packets. */ + rr->length = 0; + s->packet_length = 0; + goto err; } #ifdef TLS_DEBUG @@ -431,45 +431,62 @@ printf("\n"); #endif /* r->length is now the compressed data plus mac */ - if ( (sess == NULL) || - (s->enc_read_ctx == NULL) || - (s->read_hash == NULL)) - clear=1; - - if (!clear) + if ((sess != NULL) && + (s->enc_read_ctx != NULL) && + (EVP_MD_CTX_md(s->read_hash) != NULL)) { - /* !clear => s->read_hash != NULL => mac_size != -1 */ - int t; - t=EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(t >= 0); - mac_size=t; + /* s->read_hash != NULL => mac_size != -1 */ + unsigned char *mac = NULL; + unsigned char mac_tmp[EVP_MAX_MD_SIZE]; + mac_size=EVP_MD_CTX_size(s->read_hash); + OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); - if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) + /* kludge: *_cbc_remove_padding passes padding length in rr->type */ + orig_len = rr->length+((unsigned int)rr->type>>8); + + /* orig_len is the length of the record before any padding was + * removed. This is public information, as is the MAC in use, + * therefore we can safely process the record in a different + * amount of time if it's too short to possibly contain a MAC. + */ + if (orig_len < mac_size || + /* CBC records must have a padding length byte too. */ + (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && + orig_len < mac_size+1)) { -#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ - al=SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); + al=SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; -#else - decryption_failed_or_bad_record_mac = 1; -#endif } - /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ - if (rr->length >= mac_size) + + if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { + /* We update the length so that the TLS header bytes + * can be constructed correctly but we need to extract + * the MAC in constant time from within the record, + * without leaking the contents of the padding bytes. + * */ + mac = mac_tmp; + ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); rr->length -= mac_size; - mac = &rr->data[rr->length]; } else - rr->length = 0; - i=s->method->ssl3_enc->mac(s,md,0); - if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0) { - decryption_failed_or_bad_record_mac = 1; + /* In this case there's no padding, so |orig_len| + * equals |rec->length| and we checked that there's + * enough bytes for |mac_size| above. */ + rr->length -= mac_size; + mac = &rr->data[rr->length]; } + + i=s->method->ssl3_enc->mac(s,md,0 /* not send */); + if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) + enc_err = -1; + if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) + enc_err = -1; } - if (decryption_failed_or_bad_record_mac) + if (enc_err < 0) { /* decryption failed, silently discard message */ rr->length = 0; Index: ssl/d1_srtp.c =================================================================== --- ssl/d1_srtp.c (revision 246700) +++ ssl/d1_srtp.c (working copy) @@ -115,11 +115,12 @@ Copyright (C) 2011, RTFM, Inc. */ -#ifndef OPENSSL_NO_SRTP - #include #include #include "ssl_locl.h" + +#ifndef OPENSSL_NO_SRTP + #include "srtp.h" Index: ssl/dtls1.h =================================================================== --- ssl/dtls1.h (revision 246700) +++ ssl/dtls1.h (working copy) @@ -57,8 +57,8 @@ * */ -#ifndef HEADER_DTLS1_H -#define HEADER_DTLS1_H +#ifndef HEADER_DTLS1_H +#define HEADER_DTLS1_H #include #include @@ -72,8 +72,12 @@ #elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_) #include #else +#if defined(OPENSSL_SYS_VXWORKS) +#include +#else #include #endif +#endif #ifdef __cplusplus extern "C" { Index: ssl/s2_clnt.c =================================================================== --- ssl/s2_clnt.c (revision 246700) +++ ssl/s2_clnt.c (working copy) @@ -359,12 +359,14 @@ static int get_server_hello(SSL *s) SSL_R_PEER_ERROR); return(-1); } -#ifdef __APPLE_CC__ - /* The Rhapsody 5.5 (a.k.a. MacOS X) compiler bug - * workaround. */ - s->hit=(i=*(p++))?1:0; +#if 0 + s->hit=(*(p++))?1:0; + /* Some [PPC?] compilers fail to increment p in above + statement, e.g. one provided with Rhapsody 5.5, but + most recent example XL C 11.1 for AIX, even without + optimization flag... */ #else - s->hit=(*(p++))?1:0; + s->hit=(*p)?1:0; p++; #endif s->s2->tmp.cert_type= *(p++); n2s(p,i); @@ -937,7 +939,7 @@ static int get_server_verify(SSL *s) s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */ p += 1; - if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0) + if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0) { ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT); Index: ssl/s2_pkt.c =================================================================== --- ssl/s2_pkt.c (revision 246700) +++ ssl/s2_pkt.c (working copy) @@ -269,8 +269,7 @@ static int ssl2_read_internal(SSL *s, void *buf, i s->s2->ract_data_length-=mac_size; ssl2_mac(s,mac,0); s->s2->ract_data_length-=s->s2->padding; - if ( (memcmp(mac,s->s2->mac_data, - (unsigned int)mac_size) != 0) || + if ( (CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) || (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0)) { SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE); Index: ssl/s2_srvr.c =================================================================== --- ssl/s2_srvr.c (revision 246700) +++ ssl/s2_srvr.c (working copy) @@ -1059,10 +1059,12 @@ static int request_certificate(SSL *s) EVP_PKEY *pkey=NULL; EVP_MD_CTX_init(&ctx); - EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL); - EVP_VerifyUpdate(&ctx,s->s2->key_material, - s->s2->key_material_length); - EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); + if (!EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL) + || !EVP_VerifyUpdate(&ctx,s->s2->key_material, + s->s2->key_material_length) + || !EVP_VerifyUpdate(&ctx,ccd, + SSL2_MIN_CERT_CHALLENGE_LENGTH)) + goto msg_end; i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL); buf2=OPENSSL_malloc((unsigned int)i); @@ -1073,7 +1075,11 @@ static int request_certificate(SSL *s) } p2=buf2; i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2); - EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i); + if (!EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i)) + { + OPENSSL_free(buf2); + goto msg_end; + } OPENSSL_free(buf2); pkey=X509_get_pubkey(x509); Index: ssl/s3_both.c =================================================================== --- ssl/s3_both.c (revision 246700) +++ ssl/s3_both.c (working copy) @@ -204,7 +204,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const #ifndef OPENSSL_NO_NEXTPROTONEG /* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */ -static void ssl3_take_mac(SSL *s) { +static void ssl3_take_mac(SSL *s) + { const char *sender; int slen; @@ -221,7 +222,7 @@ int ssl3_send_finished(SSL *s, int a, int b, const s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, sender,slen,s->s3->tmp.peer_finish_md); -} + } #endif int ssl3_get_finished(SSL *s, int a, int b) @@ -231,8 +232,9 @@ int ssl3_get_finished(SSL *s, int a, int b) unsigned char *p; #ifdef OPENSSL_NO_NEXTPROTONEG - /* the mac has already been generated when we received the change - * cipher spec message and is in s->s3->tmp.peer_finish_md. */ + /* the mac has already been generated when we received the + * change cipher spec message and is in s->s3->tmp.peer_finish_md. + */ #endif n=s->method->ssl_get_message(s, @@ -263,7 +265,7 @@ int ssl3_get_finished(SSL *s, int a, int b) goto f_err; } - if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) + if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) { al=SSL_AD_DECRYPT_ERROR; SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED); @@ -537,12 +539,14 @@ long ssl3_get_message(SSL *s, int st1, int stn, in s->init_num += i; n -= i; } + #ifndef OPENSSL_NO_NEXTPROTONEG /* If receiving Finished, record MAC of prior handshake messages for * Finished verification. */ if (*s->init_buf->data == SSL3_MT_FINISHED) ssl3_take_mac(s); #endif + /* Feed this message into MAC computation. */ ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); if (s->msg_callback) Index: ssl/s3_cbc.c =================================================================== --- ssl/s3_cbc.c (revision 0) +++ ssl/s3_cbc.c (working copy) @@ -0,0 +1,790 @@ +/* ssl/s3_cbc.c */ +/* ==================================================================== + * Copyright (c) 2012 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include "ssl_locl.h" + +#include +#include + +/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length + * field. (SHA-384/512 have 128-bit length.) */ +#define MAX_HASH_BIT_COUNT_BYTES 16 + +/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support. + * Currently SHA-384/512 has a 128-byte block size and that's the largest + * supported by TLS.) */ +#define MAX_HASH_BLOCK_SIZE 128 + +/* Some utility functions are needed: + * + * These macros return the given value with the MSB copied to all the other + * bits. They use the fact that arithmetic shift shifts-in the sign bit. + * However, this is not ensured by the C standard so you may need to replace + * them with something else on odd CPUs. */ +#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) ) +#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x))) + +/* constant_time_lt returns 0xff if a=b and 0x00 otherwise. */ +static unsigned constant_time_ge(unsigned a, unsigned b) + { + a -= b; + return DUPLICATE_MSB_TO_ALL(~a); + } + +/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */ +static unsigned char constant_time_eq_8(unsigned a, unsigned b) + { + unsigned c = a ^ b; + c--; + return DUPLICATE_MSB_TO_ALL_8(c); + } + +/* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC + * record in |rec| by updating |rec->length| in constant time. + * + * block_size: the block size of the cipher used to encrypt the record. + * returns: + * 0: (in non-constant time) if the record is publicly invalid. + * 1: if the padding was valid + * -1: otherwise. */ +int ssl3_cbc_remove_padding(const SSL* s, + SSL3_RECORD *rec, + unsigned block_size, + unsigned mac_size) + { + unsigned padding_length, good; + const unsigned overhead = 1 /* padding length byte */ + mac_size; + + /* These lengths are all public so we can test them in non-constant + * time. */ + if (overhead > rec->length) + return 0; + + padding_length = rec->data[rec->length-1]; + good = constant_time_ge(rec->length, padding_length+overhead); + /* SSLv3 requires that the padding is minimal. */ + good &= constant_time_ge(block_size, padding_length+1); + padding_length = good & (padding_length+1); + rec->length -= padding_length; + rec->type |= padding_length<<8; /* kludge: pass padding length */ + return (int)((good & 1) | (~good & -1)); +} + +/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC + * record in |rec| in constant time and returns 1 if the padding is valid and + * -1 otherwise. It also removes any explicit IV from the start of the record + * without leaking any timing about whether there was enough space after the + * padding was removed. + * + * block_size: the block size of the cipher used to encrypt the record. + * returns: + * 0: (in non-constant time) if the record is publicly invalid. + * 1: if the padding was valid + * -1: otherwise. */ +int tls1_cbc_remove_padding(const SSL* s, + SSL3_RECORD *rec, + unsigned block_size, + unsigned mac_size) + { + unsigned padding_length, good, to_check, i; + const unsigned overhead = 1 /* padding length byte */ + mac_size; + /* Check if version requires explicit IV */ + if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION) + { + /* These lengths are all public so we can test them in + * non-constant time. + */ + if (overhead + block_size > rec->length) + return 0; + /* We can now safely skip explicit IV */ + rec->data += block_size; + rec->input += block_size; + rec->length -= block_size; + } + else if (overhead > rec->length) + return 0; + + padding_length = rec->data[rec->length-1]; + + /* NB: if compression is in operation the first packet may not be of + * even length so the padding bug check cannot be performed. This bug + * workaround has been around since SSLeay so hopefully it is either + * fixed now or no buggy implementation supports compression [steve] + */ + if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) + { + /* First packet is even in size, so check */ + if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",8) == 0) && + !(padding_length & 1)) + { + s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; + } + if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) && + padding_length > 0) + { + padding_length--; + } + } + + if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) + { + /* padding is already verified */ + rec->length -= padding_length + 1; + return 1; + } + + good = constant_time_ge(rec->length, overhead+padding_length); + /* The padding consists of a length byte at the end of the record and + * then that many bytes of padding, all with the same value as the + * length byte. Thus, with the length byte included, there are i+1 + * bytes of padding. + * + * We can't check just |padding_length+1| bytes because that leaks + * decrypted information. Therefore we always have to check the maximum + * amount of padding possible. (Again, the length of the record is + * public information so we can use it.) */ + to_check = 255; /* maximum amount of padding. */ + if (to_check > rec->length-1) + to_check = rec->length-1; + + for (i = 0; i < to_check; i++) + { + unsigned char mask = constant_time_ge(padding_length, i); + unsigned char b = rec->data[rec->length-1-i]; + /* The final |padding_length+1| bytes should all have the value + * |padding_length|. Therefore the XOR should be zero. */ + good &= ~(mask&(padding_length ^ b)); + } + + /* If any of the final |padding_length+1| bytes had the wrong value, + * one or more of the lower eight bits of |good| will be cleared. We + * AND the bottom 8 bits together and duplicate the result to all the + * bits. */ + good &= good >> 4; + good &= good >> 2; + good &= good >> 1; + good <<= sizeof(good)*8-1; + good = DUPLICATE_MSB_TO_ALL(good); + + padding_length = good & (padding_length+1); + rec->length -= padding_length; + rec->type |= padding_length<<8; /* kludge: pass padding length */ + + return (int)((good & 1) | (~good & -1)); + } + +/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in + * constant time (independent of the concrete value of rec->length, which may + * vary within a 256-byte window). + * + * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to + * this function. + * + * On entry: + * rec->orig_len >= md_size + * md_size <= EVP_MAX_MD_SIZE + * + * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with + * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into + * a single or pair of cache-lines, then the variable memory accesses don't + * actually affect the timing. CPUs with smaller cache-lines [if any] are + * not multi-core and are not considered vulnerable to cache-timing attacks. + */ +#define CBC_MAC_ROTATE_IN_PLACE + +void ssl3_cbc_copy_mac(unsigned char* out, + const SSL3_RECORD *rec, + unsigned md_size,unsigned orig_len) + { +#if defined(CBC_MAC_ROTATE_IN_PLACE) + unsigned char rotated_mac_buf[64+EVP_MAX_MD_SIZE]; + unsigned char *rotated_mac; +#else + unsigned char rotated_mac[EVP_MAX_MD_SIZE]; +#endif + + /* mac_end is the index of |rec->data| just after the end of the MAC. */ + unsigned mac_end = rec->length; + unsigned mac_start = mac_end - md_size; + /* scan_start contains the number of bytes that we can ignore because + * the MAC's position can only vary by 255 bytes. */ + unsigned scan_start = 0; + unsigned i, j; + unsigned div_spoiler; + unsigned rotate_offset; + + OPENSSL_assert(orig_len >= md_size); + OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); + +#if defined(CBC_MAC_ROTATE_IN_PLACE) + rotated_mac = rotated_mac_buf + ((0-(size_t)rotated_mac_buf)&63); +#endif + + /* This information is public so it's safe to branch based on it. */ + if (orig_len > md_size + 255 + 1) + scan_start = orig_len - (md_size + 255 + 1); + /* div_spoiler contains a multiple of md_size that is used to cause the + * modulo operation to be constant time. Without this, the time varies + * based on the amount of padding when running on Intel chips at least. + * + * The aim of right-shifting md_size is so that the compiler doesn't + * figure out that it can remove div_spoiler as that would require it + * to prove that md_size is always even, which I hope is beyond it. */ + div_spoiler = md_size >> 1; + div_spoiler <<= (sizeof(div_spoiler)-1)*8; + rotate_offset = (div_spoiler + mac_start - scan_start) % md_size; + + memset(rotated_mac, 0, md_size); + for (i = scan_start, j = 0; i < orig_len; i++) + { + unsigned char mac_started = constant_time_ge(i, mac_start); + unsigned char mac_ended = constant_time_ge(i, mac_end); + unsigned char b = rec->data[i]; + rotated_mac[j++] |= b & mac_started & ~mac_ended; + j &= constant_time_lt(j,md_size); + } + + /* Now rotate the MAC */ +#if defined(CBC_MAC_ROTATE_IN_PLACE) + j = 0; + for (i = 0; i < md_size; i++) + { + /* in case cache-line is 32 bytes, touch second line */ + ((volatile unsigned char *)rotated_mac)[rotate_offset^32]; + out[j++] = rotated_mac[rotate_offset++]; + rotate_offset &= constant_time_lt(rotate_offset,md_size); + } +#else + memset(out, 0, md_size); + rotate_offset = md_size - rotate_offset; + rotate_offset &= constant_time_lt(rotate_offset,md_size); + for (i = 0; i < md_size; i++) + { + for (j = 0; j < md_size; j++) + out[j] |= rotated_mac[i] & constant_time_eq_8(j, rotate_offset); + rotate_offset++; + rotate_offset &= constant_time_lt(rotate_offset,md_size); + } +#endif + } + +/* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in + * little-endian order. The value of p is advanced by four. */ +#define u32toLE(n, p) \ + (*((p)++)=(unsigned char)(n), \ + *((p)++)=(unsigned char)(n>>8), \ + *((p)++)=(unsigned char)(n>>16), \ + *((p)++)=(unsigned char)(n>>24)) + +/* These functions serialize the state of a hash and thus perform the standard + * "final" operation without adding the padding and length that such a function + * typically does. */ +static void tls1_md5_final_raw(void* ctx, unsigned char *md_out) + { + MD5_CTX *md5 = ctx; + u32toLE(md5->A, md_out); + u32toLE(md5->B, md_out); + u32toLE(md5->C, md_out); + u32toLE(md5->D, md_out); + } + +static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out) + { + SHA_CTX *sha1 = ctx; + l2n(sha1->h0, md_out); + l2n(sha1->h1, md_out); + l2n(sha1->h2, md_out); + l2n(sha1->h3, md_out); + l2n(sha1->h4, md_out); + } +#define LARGEST_DIGEST_CTX SHA_CTX + +#ifndef OPENSSL_NO_SHA256 +static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out) + { + SHA256_CTX *sha256 = ctx; + unsigned i; + + for (i = 0; i < 8; i++) + { + l2n(sha256->h[i], md_out); + } + } +#undef LARGEST_DIGEST_CTX +#define LARGEST_DIGEST_CTX SHA256_CTX +#endif + +#ifndef OPENSSL_NO_SHA512 +static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) + { + SHA512_CTX *sha512 = ctx; + unsigned i; + + for (i = 0; i < 8; i++) + { + l2n8(sha512->h[i], md_out); + } + } +#undef LARGEST_DIGEST_CTX +#define LARGEST_DIGEST_CTX SHA512_CTX +#endif + +/* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function + * which ssl3_cbc_digest_record supports. */ +char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) + { +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + return 0; +#endif + switch (EVP_MD_CTX_type(ctx)) + { + case NID_md5: + case NID_sha1: +#ifndef OPENSSL_NO_SHA256 + case NID_sha224: + case NID_sha256: +#endif +#ifndef OPENSSL_NO_SHA512 + case NID_sha384: + case NID_sha512: +#endif + return 1; + default: + return 0; + } + } + +/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS + * record. + * + * ctx: the EVP_MD_CTX from which we take the hash function. + * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX. + * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written. + * md_out_size: if non-NULL, the number of output bytes is written here. + * header: the 13-byte, TLS record header. + * data: the record data itself, less any preceeding explicit IV. + * data_plus_mac_size: the secret, reported length of the data and MAC + * once the padding has been removed. + * data_plus_mac_plus_padding_size: the public length of the whole + * record, including padding. + * is_sslv3: non-zero if we are to use SSLv3. Otherwise, TLS. + * + * On entry: by virtue of having been through one of the remove_padding + * functions, above, we know that data_plus_mac_size is large enough to contain + * a padding byte and MAC. (If the padding was invalid, it might contain the + * padding too. ) */ +void ssl3_cbc_digest_record( + const EVP_MD_CTX *ctx, + unsigned char* md_out, + size_t* md_out_size, + const unsigned char header[13], + const unsigned char *data, + size_t data_plus_mac_size, + size_t data_plus_mac_plus_padding_size, + const unsigned char *mac_secret, + unsigned mac_secret_length, + char is_sslv3) + { + union { double align; + unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; } md_state; + void (*md_final_raw)(void *ctx, unsigned char *md_out); + void (*md_transform)(void *ctx, const unsigned char *block); + unsigned md_size, md_block_size = 64; + unsigned sslv3_pad_length = 40, header_length, variance_blocks, + len, max_mac_bytes, num_blocks, + num_starting_blocks, k, mac_end_offset, c, index_a, index_b; + unsigned int bits; /* at most 18 bits */ + unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES]; + /* hmac_pad is the masked HMAC key. */ + unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; + unsigned char first_block[MAX_HASH_BLOCK_SIZE]; + unsigned char mac_out[EVP_MAX_MD_SIZE]; + unsigned i, j, md_out_size_u; + EVP_MD_CTX md_ctx; + /* mdLengthSize is the number of bytes in the length field that terminates + * the hash. */ + unsigned md_length_size = 8; + char length_is_big_endian = 1; + + /* This is a, hopefully redundant, check that allows us to forget about + * many possible overflows later in this function. */ + OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024); + + switch (EVP_MD_CTX_type(ctx)) + { + case NID_md5: + MD5_Init((MD5_CTX*)md_state.c); + md_final_raw = tls1_md5_final_raw; + md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform; + md_size = 16; + sslv3_pad_length = 48; + length_is_big_endian = 0; + break; + case NID_sha1: + SHA1_Init((SHA_CTX*)md_state.c); + md_final_raw = tls1_sha1_final_raw; + md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform; + md_size = 20; + break; +#ifndef OPENSSL_NO_SHA256 + case NID_sha224: + SHA224_Init((SHA256_CTX*)md_state.c); + md_final_raw = tls1_sha256_final_raw; + md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; + md_size = 224/8; + break; + case NID_sha256: + SHA256_Init((SHA256_CTX*)md_state.c); + md_final_raw = tls1_sha256_final_raw; + md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; + md_size = 32; + break; +#endif +#ifndef OPENSSL_NO_SHA512 + case NID_sha384: + SHA384_Init((SHA512_CTX*)md_state.c); + md_final_raw = tls1_sha512_final_raw; + md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; + md_size = 384/8; + md_block_size = 128; + md_length_size = 16; + break; + case NID_sha512: + SHA512_Init((SHA512_CTX*)md_state.c); + md_final_raw = tls1_sha512_final_raw; + md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; + md_size = 64; + md_block_size = 128; + md_length_size = 16; + break; +#endif + default: + /* ssl3_cbc_record_digest_supported should have been + * called first to check that the hash function is + * supported. */ + OPENSSL_assert(0); + if (md_out_size) + *md_out_size = -1; + return; + } + + OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES); + OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE); + OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); + + header_length = 13; + if (is_sslv3) + { + header_length = + mac_secret_length + + sslv3_pad_length + + 8 /* sequence number */ + + 1 /* record type */ + + 2 /* record length */; + } + + /* variance_blocks is the number of blocks of the hash that we have to + * calculate in constant time because they could be altered by the + * padding value. + * + * In SSLv3, the padding must be minimal so the end of the plaintext + * varies by, at most, 15+20 = 35 bytes. (We conservatively assume that + * the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash + * termination (0x80 + 64-bit length) don't fit in the final block, we + * say that the final two blocks can vary based on the padding. + * + * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not + * required to be minimal. Therefore we say that the final six blocks + * can vary based on the padding. + * + * Later in the function, if the message is short and there obviously + * cannot be this many blocks then variance_blocks can be reduced. */ + variance_blocks = is_sslv3 ? 2 : 6; + /* From now on we're dealing with the MAC, which conceptually has 13 + * bytes of `header' before the start of the data (TLS) or 71/75 bytes + * (SSLv3) */ + len = data_plus_mac_plus_padding_size + header_length; + /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including + * |header|, assuming that there's no padding. */ + max_mac_bytes = len - md_size - 1; + /* num_blocks is the maximum number of hash blocks. */ + num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size; + /* In order to calculate the MAC in constant time we have to handle + * the final blocks specially because the padding value could cause the + * end to appear somewhere in the final |variance_blocks| blocks and we + * can't leak where. However, |num_starting_blocks| worth of data can + * be hashed right away because no padding value can affect whether + * they are plaintext. */ + num_starting_blocks = 0; + /* k is the starting byte offset into the conceptual header||data where + * we start processing. */ + k = 0; + /* mac_end_offset is the index just past the end of the data to be + * MACed. */ + mac_end_offset = data_plus_mac_size + header_length - md_size; + /* c is the index of the 0x80 byte in the final hash block that + * contains application data. */ + c = mac_end_offset % md_block_size; + /* index_a is the hash block number that contains the 0x80 terminating + * value. */ + index_a = mac_end_offset / md_block_size; + /* index_b is the hash block number that contains the 64-bit hash + * length, in bits. */ + index_b = (mac_end_offset + md_length_size) / md_block_size; + /* bits is the hash-length in bits. It includes the additional hash + * block for the masked HMAC key, or whole of |header| in the case of + * SSLv3. */ + + /* For SSLv3, if we're going to have any starting blocks then we need + * at least two because the header is larger than a single block. */ + if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) + { + num_starting_blocks = num_blocks - variance_blocks; + k = md_block_size*num_starting_blocks; + } + + bits = 8*mac_end_offset; + if (!is_sslv3) + { + /* Compute the initial HMAC block. For SSLv3, the padding and + * secret bytes are included in |header| because they take more + * than a single block. */ + bits += 8*md_block_size; + memset(hmac_pad, 0, md_block_size); + OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad)); + memcpy(hmac_pad, mac_secret, mac_secret_length); + for (i = 0; i < md_block_size; i++) + hmac_pad[i] ^= 0x36; + + md_transform(md_state.c, hmac_pad); + } + + if (length_is_big_endian) + { + memset(length_bytes,0,md_length_size-4); + length_bytes[md_length_size-4] = (unsigned char)(bits>>24); + length_bytes[md_length_size-3] = (unsigned char)(bits>>16); + length_bytes[md_length_size-2] = (unsigned char)(bits>>8); + length_bytes[md_length_size-1] = (unsigned char)bits; + } + else + { + memset(length_bytes,0,md_length_size); + length_bytes[md_length_size-5] = (unsigned char)(bits>>24); + length_bytes[md_length_size-6] = (unsigned char)(bits>>16); + length_bytes[md_length_size-7] = (unsigned char)(bits>>8); + length_bytes[md_length_size-8] = (unsigned char)bits; + } + + if (k > 0) + { + if (is_sslv3) + { + /* The SSLv3 header is larger than a single block. + * overhang is the number of bytes beyond a single + * block that the header consumes: either 7 bytes + * (SHA1) or 11 bytes (MD5). */ + unsigned overhang = header_length-md_block_size; + md_transform(md_state.c, header); + memcpy(first_block, header + md_block_size, overhang); + memcpy(first_block + overhang, data, md_block_size-overhang); + md_transform(md_state.c, first_block); + for (i = 1; i < k/md_block_size - 1; i++) + md_transform(md_state.c, data + md_block_size*i - overhang); + } + else + { + /* k is a multiple of md_block_size. */ + memcpy(first_block, header, 13); + memcpy(first_block+13, data, md_block_size-13); + md_transform(md_state.c, first_block); + for (i = 1; i < k/md_block_size; i++) + md_transform(md_state.c, data + md_block_size*i - 13); + } + } + + memset(mac_out, 0, sizeof(mac_out)); + + /* We now process the final hash blocks. For each block, we construct + * it in constant time. If the |i==index_a| then we'll include the 0x80 + * bytes and zero pad etc. For each block we selectively copy it, in + * constant time, to |mac_out|. */ + for (i = num_starting_blocks; i <= num_starting_blocks+variance_blocks; i++) + { + unsigned char block[MAX_HASH_BLOCK_SIZE]; + unsigned char is_block_a = constant_time_eq_8(i, index_a); + unsigned char is_block_b = constant_time_eq_8(i, index_b); + for (j = 0; j < md_block_size; j++) + { + unsigned char b = 0, is_past_c, is_past_cp1; + if (k < header_length) + b = header[k]; + else if (k < data_plus_mac_plus_padding_size + header_length) + b = data[k-header_length]; + k++; + + is_past_c = is_block_a & constant_time_ge(j, c); + is_past_cp1 = is_block_a & constant_time_ge(j, c+1); + /* If this is the block containing the end of the + * application data, and we are at the offset for the + * 0x80 value, then overwrite b with 0x80. */ + b = (b&~is_past_c) | (0x80&is_past_c); + /* If this the the block containing the end of the + * application data and we're past the 0x80 value then + * just write zero. */ + b = b&~is_past_cp1; + /* If this is index_b (the final block), but not + * index_a (the end of the data), then the 64-bit + * length didn't fit into index_a and we're having to + * add an extra block of zeros. */ + b &= ~is_block_b | is_block_a; + + /* The final bytes of one of the blocks contains the + * length. */ + if (j >= md_block_size - md_length_size) + { + /* If this is index_b, write a length byte. */ + b = (b&~is_block_b) | (is_block_b&length_bytes[j-(md_block_size-md_length_size)]); + } + block[j] = b; + } + + md_transform(md_state.c, block); + md_final_raw(md_state.c, block); + /* If this is index_b, copy the hash value to |mac_out|. */ + for (j = 0; j < md_size; j++) + mac_out[j] |= block[j]&is_block_b; + } + + EVP_MD_CTX_init(&md_ctx); + EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */); + if (is_sslv3) + { + /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. */ + memset(hmac_pad, 0x5c, sslv3_pad_length); + + EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length); + EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length); + EVP_DigestUpdate(&md_ctx, mac_out, md_size); + } + else + { + /* Complete the HMAC in the standard manner. */ + for (i = 0; i < md_block_size; i++) + hmac_pad[i] ^= 0x6a; + + EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size); + EVP_DigestUpdate(&md_ctx, mac_out, md_size); + } + EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u); + if (md_out_size) + *md_out_size = md_out_size_u; + EVP_MD_CTX_cleanup(&md_ctx); + } + +#ifdef OPENSSL_FIPS + +/* Due to the need to use EVP in FIPS mode we can't reimplement digests but + * we can ensure the number of blocks processed is equal for all cases + * by digesting additional data. + */ + +void tls_fips_digest_extra( + const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, + const unsigned char *data, size_t data_len, size_t orig_len) + { + size_t block_size, digest_pad, blocks_data, blocks_orig; + if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE) + return; + block_size = EVP_MD_CTX_block_size(mac_ctx); + /* We are in FIPS mode if we get this far so we know we have only SHA* + * digests and TLS to deal with. + * Minimum digest padding length is 17 for SHA384/SHA512 and 9 + * otherwise. + * Additional header is 13 bytes. To get the number of digest blocks + * processed round up the amount of data plus padding to the nearest + * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise. + * So we have: + * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size + * equivalently: + * blocks = (payload_len + digest_pad + 12)/block_size + 1 + * HMAC adds a constant overhead. + * We're ultimately only interested in differences so this becomes + * blocks = (payload_len + 29)/128 + * for SHA384/SHA512 and + * blocks = (payload_len + 21)/64 + * otherwise. + */ + digest_pad = block_size == 64 ? 21 : 29; + blocks_orig = (orig_len + digest_pad)/block_size; + blocks_data = (data_len + digest_pad)/block_size; + /* MAC enough blocks to make up the difference between the original + * and actual lengths plus one extra block to ensure this is never a + * no op. The "data" pointer should always have enough space to + * perform this operation as it is large enough for a maximum + * length TLS buffer. + */ + EVP_DigestSignUpdate(mac_ctx, data, + (blocks_orig - blocks_data + 1) * block_size); + } +#endif Property changes on: ssl/s3_cbc.c ___________________________________________________________________ Added: svn:eol-style ## -0,0 +1 ## +native \ No newline at end of property Added: svn:mime-type ## -0,0 +1 ## +text/plain \ No newline at end of property Added: svn:keywords ## -0,0 +1 ## +FreeBSD=%H \ No newline at end of property Index: ssl/s3_clnt.c =================================================================== --- ssl/s3_clnt.c (revision 246700) +++ ssl/s3_clnt.c (working copy) @@ -459,7 +459,6 @@ int ssl3_connect(SSL *s) SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B); if (ret <= 0) goto end; - #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG) s->state=SSL3_ST_CW_FINISHED_A; #else @@ -987,7 +986,10 @@ int ssl3_get_server_hello(SSL *s) * client authentication. */ if (TLS1_get_version(s) < TLS1_2_VERSION && !ssl3_digest_cached_records(s)) + { + al = SSL_AD_INTERNAL_ERROR; goto f_err; + } /* lets get the compression algorithm */ /* COMPRESSION */ #ifdef OPENSSL_NO_COMP Index: ssl/s3_enc.c =================================================================== --- ssl/s3_enc.c (revision 246700) +++ ssl/s3_enc.c (working copy) @@ -466,12 +466,21 @@ void ssl3_cleanup_key_block(SSL *s) s->s3->tmp.key_block_length=0; } +/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. + * + * Returns: + * 0: (in non-constant time) if the record is publically invalid (i.e. too + * short etc). + * 1: if the record's padding is valid / the encryption was successful. + * -1: if the record's padding is invalid or, if sending, an internal error + * occured. + */ int ssl3_enc(SSL *s, int send) { SSL3_RECORD *rec; EVP_CIPHER_CTX *ds; unsigned long l; - int bs,i; + int bs,i,mac_size=0; const EVP_CIPHER *enc; if (send) @@ -522,32 +531,16 @@ int ssl3_enc(SSL *s, int send) if (!send) { if (l == 0 || l%bs != 0) - { - SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); return 0; - } /* otherwise, rec->length >= bs */ } EVP_Cipher(ds,rec->data,rec->input,l); + if (EVP_MD_CTX_md(s->read_hash) != NULL) + mac_size = EVP_MD_CTX_size(s->read_hash); if ((bs != 1) && !send) - { - i=rec->data[l-1]+1; - /* SSL 3.0 bounds the number of padding bytes by the block size; - * padding bytes (except the last one) are arbitrary */ - if (i > bs) - { - /* Incorrect padding. SSLerr() and ssl3_alert are done - * by caller: we don't want to reveal whether this is - * a decryption error or a MAC verification failure - * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ - return -1; - } - /* now i <= bs <= rec->length */ - rec->length-=i; - } + return ssl3_cbc_remove_padding(s, rec, bs, mac_size); } return(1); } @@ -716,7 +709,7 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int se EVP_MD_CTX md_ctx; const EVP_MD_CTX *hash; unsigned char *p,rec_char; - unsigned int md_size; + size_t md_size, orig_len; int npad; int t; @@ -741,29 +734,73 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int se md_size=t; npad=(48/md_size)*md_size; - /* Chop the digest off the end :-) */ - EVP_MD_CTX_init(&md_ctx); + /* kludge: ssl3_cbc_remove_padding passes padding length in rec->type */ + orig_len = rec->length+md_size+((unsigned int)rec->type>>8); + rec->type &= 0xff; - EVP_MD_CTX_copy_ex( &md_ctx,hash); - EVP_DigestUpdate(&md_ctx,mac_sec,md_size); - EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad); - EVP_DigestUpdate(&md_ctx,seq,8); - rec_char=rec->type; - EVP_DigestUpdate(&md_ctx,&rec_char,1); - p=md; - s2n(rec->length,p); - EVP_DigestUpdate(&md_ctx,md,2); - EVP_DigestUpdate(&md_ctx,rec->input,rec->length); - EVP_DigestFinal_ex( &md_ctx,md,NULL); + if (!send && + EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && + ssl3_cbc_record_digest_supported(hash)) + { + /* This is a CBC-encrypted record. We must avoid leaking any + * timing-side channel information about how many blocks of + * data we are hashing because that gives an attacker a + * timing-oracle. */ - EVP_MD_CTX_copy_ex( &md_ctx,hash); - EVP_DigestUpdate(&md_ctx,mac_sec,md_size); - EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad); - EVP_DigestUpdate(&md_ctx,md,md_size); - EVP_DigestFinal_ex( &md_ctx,md,&md_size); + /* npad is, at most, 48 bytes and that's with MD5: + * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75. + * + * With SHA-1 (the largest hash speced for SSLv3) the hash size + * goes up 4, but npad goes down by 8, resulting in a smaller + * total size. */ + unsigned char header[75]; + unsigned j = 0; + memcpy(header+j, mac_sec, md_size); + j += md_size; + memcpy(header+j, ssl3_pad_1, npad); + j += npad; + memcpy(header+j, seq, 8); + j += 8; + header[j++] = rec->type; + header[j++] = rec->length >> 8; + header[j++] = rec->length & 0xff; - EVP_MD_CTX_cleanup(&md_ctx); + ssl3_cbc_digest_record( + hash, + md, &md_size, + header, rec->input, + rec->length + md_size, orig_len, + mac_sec, md_size, + 1 /* is SSLv3 */); + } + else + { + unsigned int md_size_u; + /* Chop the digest off the end :-) */ + EVP_MD_CTX_init(&md_ctx); + EVP_MD_CTX_copy_ex( &md_ctx,hash); + EVP_DigestUpdate(&md_ctx,mac_sec,md_size); + EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad); + EVP_DigestUpdate(&md_ctx,seq,8); + rec_char=rec->type; + EVP_DigestUpdate(&md_ctx,&rec_char,1); + p=md; + s2n(rec->length,p); + EVP_DigestUpdate(&md_ctx,md,2); + EVP_DigestUpdate(&md_ctx,rec->input,rec->length); + EVP_DigestFinal_ex( &md_ctx,md,NULL); + + EVP_MD_CTX_copy_ex( &md_ctx,hash); + EVP_DigestUpdate(&md_ctx,mac_sec,md_size); + EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad); + EVP_DigestUpdate(&md_ctx,md,md_size); + EVP_DigestFinal_ex( &md_ctx,md,&md_size_u); + md_size = md_size_u; + + EVP_MD_CTX_cleanup(&md_ctx); + } + ssl3_record_sequence_update(seq); return(md_size); } Index: ssl/s3_lib.c =================================================================== --- ssl/s3_lib.c (revision 246700) +++ ssl/s3_lib.c (working copy) @@ -1125,7 +1125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, TLS1_CK_DH_DSS_WITH_AES_128_SHA256, - SSL_kDHr, + SSL_kDHd, SSL_aDH, SSL_AES128, SSL_SHA256, @@ -1407,7 +1407,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, TLS1_CK_DH_DSS_WITH_AES_256_SHA256, - SSL_kDHr, + SSL_kDHd, SSL_aDH, SSL_AES256, SSL_SHA256, @@ -1958,7 +1958,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256, - SSL_kDHr, + SSL_kDHd, SSL_aDH, SSL_AES128GCM, SSL_AEAD, @@ -1974,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384, - SSL_kDHr, + SSL_kDHd, SSL_aDH, SSL_AES256GCM, SSL_AEAD, @@ -2669,7 +2669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256, TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256, - SSL_kECDHe, + SSL_kECDHr, SSL_aECDH, SSL_AES128, SSL_SHA256, @@ -2685,7 +2685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384, TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384, - SSL_kECDHe, + SSL_kECDHr, SSL_aECDH, SSL_AES256, SSL_SHA384, @@ -2799,7 +2799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256, - SSL_kECDHe, + SSL_kECDHr, SSL_aECDH, SSL_AES128GCM, SSL_AEAD, @@ -2815,7 +2815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384, - SSL_kECDHe, + SSL_kECDHr, SSL_aECDH, SSL_AES256GCM, SSL_AEAD, Index: ssl/s3_pkt.c =================================================================== --- ssl/s3_pkt.c (revision 246700) +++ ssl/s3_pkt.c (working copy) @@ -290,11 +290,8 @@ static int ssl3_get_record(SSL *s) unsigned char *p; unsigned char md[EVP_MAX_MD_SIZE]; short version; - int mac_size; - int clear=0; + unsigned mac_size, orig_len; size_t extra; - int decryption_failed_or_bad_record_mac = 0; - unsigned char *mac = NULL; rr= &(s->s3->rrec); sess=s->session; @@ -403,17 +400,15 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr- rr->data=rr->input; enc_err = s->method->ssl3_enc->enc(s,0); - if (enc_err <= 0) + /* enc_err is: + * 0: (in non-constant time) if the record is publically invalid. + * 1: if the padding is valid + * -1: if the padding is invalid */ + if (enc_err == 0) { - if (enc_err == 0) - /* SSLerr() and ssl3_send_alert() have been called */ - goto err; - - /* Otherwise enc_err == -1, which indicates bad padding - * (rec->length has not been changed in this case). - * To minimize information leaked via timing, we will perform - * the MAC computation anyway. */ - decryption_failed_or_bad_record_mac = 1; + al=SSL_AD_DECRYPTION_FAILED; + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); + goto f_err; } #ifdef TLS_DEBUG @@ -423,53 +418,62 @@ printf("\n"); #endif /* r->length is now the compressed data plus mac */ - if ( (sess == NULL) || - (s->enc_read_ctx == NULL) || - (EVP_MD_CTX_md(s->read_hash) == NULL)) - clear=1; - - if (!clear) + if ((sess != NULL) && + (s->enc_read_ctx != NULL) && + (EVP_MD_CTX_md(s->read_hash) != NULL)) { - /* !clear => s->read_hash != NULL => mac_size != -1 */ + /* s->read_hash != NULL => mac_size != -1 */ + unsigned char *mac = NULL; + unsigned char mac_tmp[EVP_MAX_MD_SIZE]; mac_size=EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size >= 0); + OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); - if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) + /* kludge: *_cbc_remove_padding passes padding length in rr->type */ + orig_len = rr->length+((unsigned int)rr->type>>8); + + /* orig_len is the length of the record before any padding was + * removed. This is public information, as is the MAC in use, + * therefore we can safely process the record in a different + * amount of time if it's too short to possibly contain a MAC. + */ + if (orig_len < mac_size || + /* CBC records must have a padding length byte too. */ + (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && + orig_len < mac_size+1)) { -#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ - al=SSL_AD_RECORD_OVERFLOW; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); + al=SSL_AD_DECODE_ERROR; + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; -#else - decryption_failed_or_bad_record_mac = 1; -#endif } - /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ - if (rr->length >= (unsigned int)mac_size) + + if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) { + /* We update the length so that the TLS header bytes + * can be constructed correctly but we need to extract + * the MAC in constant time from within the record, + * without leaking the contents of the padding bytes. + * */ + mac = mac_tmp; + ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); rr->length -= mac_size; - mac = &rr->data[rr->length]; } else { - /* record (minus padding) is too short to contain a MAC */ -#if 0 /* OK only for stream ciphers */ - al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); - goto f_err; -#else - decryption_failed_or_bad_record_mac = 1; - rr->length = 0; -#endif + /* In this case there's no padding, so |orig_len| + * equals |rec->length| and we checked that there's + * enough bytes for |mac_size| above. */ + rr->length -= mac_size; + mac = &rr->data[rr->length]; } - i=s->method->ssl3_enc->mac(s,md,0); - if (i < 0 || mac == NULL || memcmp(md, mac, (size_t)mac_size) != 0) - { - decryption_failed_or_bad_record_mac = 1; - } + + i=s->method->ssl3_enc->mac(s,md,0 /* not send */); + if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) + enc_err = -1; + if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) + enc_err = -1; } - if (decryption_failed_or_bad_record_mac) + if (enc_err < 0) { /* A separate 'decryption_failed' alert was introduced with TLS 1.0, * SSL 3.0 only has 'bad_record_mac'. But unless a decryption @@ -744,6 +748,7 @@ static int do_ssl3_write(SSL *s, int type, const u * bytes and record version number > TLS 1.0 */ if (s->state == SSL3_ST_CW_CLNT_HELLO_B + && !s->renegotiate && TLS1_get_version(s) > TLS1_VERSION) *(p++) = 0x1; else @@ -1238,7 +1243,7 @@ start: goto f_err; } #ifdef SSL_AD_MISSING_SRP_USERNAME - if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) + else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) return(0); #endif } Index: ssl/s3_srvr.c =================================================================== --- ssl/s3_srvr.c (revision 246700) +++ ssl/s3_srvr.c (working copy) @@ -191,7 +191,8 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, i { if(s->srp_ctx.login == NULL) { - /* There isn't any srp login extension !!! */ + /* RFC 5054 says SHOULD reject, + we do so if There is no srp login name */ ret = SSL3_AL_FATAL; *al = SSL_AD_UNKNOWN_PSK_IDENTITY; } @@ -378,6 +379,7 @@ int ssl3_accept(SSL *s) } } #endif + s->renegotiate = 2; s->state=SSL3_ST_SW_SRVR_HELLO_A; s->init_num=0; @@ -1181,7 +1183,7 @@ int ssl3_get_client_hello(SSL *s) goto f_err; } } - if (ssl_check_clienthello_tlsext(s) <= 0) { + if (ssl_check_clienthello_tlsext_early(s) <= 0) { SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } @@ -1389,7 +1391,10 @@ int ssl3_get_client_hello(SSL *s) if (TLS1_get_version(s) < TLS1_2_VERSION || !(s->verify_mode & SSL_VERIFY_PEER)) { if (!ssl3_digest_cached_records(s)) + { + al = SSL_AD_INTERNAL_ERROR; goto f_err; + } } /* we now have the following setup. @@ -1403,6 +1408,16 @@ int ssl3_get_client_hello(SSL *s) * s->tmp.new_cipher - the new cipher to use. */ + /* Handles TLS extensions that we couldn't check earlier */ + if (s->version >= SSL3_VERSION) + { + if (ssl_check_clienthello_tlsext_late(s) <= 0) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); + goto err; + } + } + if (ret < 0) ret=1; if (0) { Index: ssl/ssl.h =================================================================== --- ssl/ssl.h (revision 246700) +++ ssl/ssl.h (working copy) @@ -493,6 +493,9 @@ struct ssl_session_st char *psk_identity_hint; char *psk_identity; #endif + /* Used to indicate that session resumption is not allowed. + * Applications can also set this bit for a new session via + * not_resumable_session_cb to disable session caching and tickets. */ int not_resumable; /* The cert is the certificate used to establish this connection */ @@ -535,7 +538,7 @@ struct ssl_session_st #endif /* OPENSSL_NO_EC */ /* RFC4507 info */ unsigned char *tlsext_tick; /* Session ticket */ - size_t tlsext_ticklen; /* Session ticket length */ + size_t tlsext_ticklen; /* Session ticket length */ long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ #endif #ifndef OPENSSL_NO_SRP @@ -927,6 +930,7 @@ struct ssl_ctx_st /* Callback for status request */ int (*tlsext_status_cb)(SSL *ssl, void *arg); void *tlsext_status_arg; + /* draft-rescorla-tls-opaque-prf-input-00.txt information */ int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg); void *tlsext_opaque_prf_input_callback_arg; @@ -952,6 +956,7 @@ struct ssl_ctx_st #endif #ifndef OPENSSL_NO_TLSEXT + # ifndef OPENSSL_NO_NEXTPROTONEG /* Next protocol negotiation information */ /* (for experimental NPN extension). */ @@ -2206,6 +2211,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_GET_NEW_SESSION 181 #define SSL_F_SSL_GET_PREV_SESSION 217 #define SSL_F_SSL_GET_SERVER_SEND_CERT 182 +#define SSL_F_SSL_GET_SERVER_SEND_PKEY 317 #define SSL_F_SSL_GET_SIGN_PKEY 183 #define SSL_F_SSL_INIT_WBIO_BUFFER 184 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 Index: ssl/ssl3.h =================================================================== --- ssl/ssl3.h (revision 246700) +++ ssl/ssl3.h (working copy) @@ -578,8 +578,10 @@ typedef struct ssl3_state_st #define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT) #define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT) #define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) +#ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) #define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) +#endif #define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) #define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) /* read from server */ @@ -629,8 +631,10 @@ typedef struct ssl3_state_st #define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT) #define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT) #define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT) +#ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) #define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) +#endif #define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) #define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT) /* write to client */ @@ -655,7 +659,9 @@ typedef struct ssl3_state_st #define SSL3_MT_CLIENT_KEY_EXCHANGE 16 #define SSL3_MT_FINISHED 20 #define SSL3_MT_CERTIFICATE_STATUS 22 +#ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_MT_NEXT_PROTO 67 +#endif #define DTLS1_MT_HELLO_VERIFY_REQUEST 3 Index: ssl/ssl_algs.c =================================================================== --- ssl/ssl_algs.c (revision 246700) +++ ssl/ssl_algs.c (working copy) @@ -94,6 +94,7 @@ int SSL_library_init(void) EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); #endif + #endif #ifndef OPENSSL_NO_CAMELLIA EVP_add_cipher(EVP_camellia_128_cbc()); Index: ssl/ssl_cert.c =================================================================== --- ssl/ssl_cert.c (revision 246700) +++ ssl/ssl_cert.c (working copy) @@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT *cert) { /* Set digest values to defaults */ #ifndef OPENSSL_NO_DSA - cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); + cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); #endif #ifndef OPENSSL_NO_RSA cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); #endif #ifndef OPENSSL_NO_ECDSA - cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); + cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); #endif } Index: ssl/ssl_ciph.c =================================================================== --- ssl/ssl_ciph.c (revision 246700) +++ ssl/ssl_ciph.c (working copy) @@ -312,6 +312,7 @@ static const SSL_CIPHER cipher_aliases[]={ {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0}, {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0}, + {0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0}, /* export flag */ {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0}, @@ -1150,9 +1151,9 @@ static int ssl_cipher_process_rulestr(const char * while ( ((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) || ((ch >= 'a') && (ch <= 'z')) || - (ch == '-')) + (ch == '-') || (ch == '.')) #else - while ( isalnum(ch) || (ch == '-')) + while ( isalnum(ch) || (ch == '-') || (ch == '.')) #endif { ch = *(++l); Index: ssl/ssl_err.c =================================================================== --- ssl/ssl_err.c (revision 246700) +++ ssl/ssl_err.c (working copy) @@ -228,6 +228,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"}, {ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"}, {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"}, +{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_PKEY), "SSL_GET_SERVER_SEND_PKEY"}, {ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"}, {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"}, {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, Index: ssl/ssl_lib.c =================================================================== --- ssl/ssl_lib.c (revision 246700) +++ ssl/ssl_lib.c (working copy) @@ -597,8 +597,10 @@ void SSL_free(SSL *s) OPENSSL_free(s->next_proto_negotiated); #endif +#ifndef OPENSSL_NO_SRTP if (s->srtp_profiles) sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); +#endif OPENSSL_free(s); } @@ -1952,8 +1954,10 @@ void SSL_CTX_free(SSL_CTX *a) a->comp_methods = NULL; #endif +#ifndef OPENSSL_NO_SRTP if (a->srtp_profiles) sk_SRTP_PROTECTION_PROFILE_free(a->srtp_profiles); +#endif #ifndef OPENSSL_NO_PSK if (a->psk_identity_hint) @@ -2287,7 +2291,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL * #endif /* THIS NEEDS CLEANING UP */ -X509 *ssl_get_server_send_cert(SSL *s) +CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) { unsigned long alg_k,alg_a; CERT *c; @@ -2342,14 +2346,22 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL * i=SSL_PKEY_GOST01; else /* if (alg_a & SSL_aNULL) */ { - SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,ERR_R_INTERNAL_ERROR); return(NULL); } - if (c->pkeys[i].x509 == NULL) return(NULL); - return(c->pkeys[i].x509); + return c->pkeys + i; } +X509 *ssl_get_server_send_cert(const SSL *s) + { + CERT_PKEY *cpk; + cpk = ssl_get_server_send_pkey(s); + if (!cpk) + return NULL; + return cpk->x509; + } + EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) { unsigned long alg_a; @@ -2608,7 +2620,7 @@ const char *SSL_get_version(const SSL *s) return("TLSv1.2"); else if (s->version == TLS1_1_VERSION) return("TLSv1.1"); - if (s->version == TLS1_VERSION) + else if (s->version == TLS1_VERSION) return("TLSv1"); else if (s->version == SSL3_VERSION) return("SSLv3"); @@ -2780,7 +2792,9 @@ void ssl_clear_cipher_ctx(SSL *s) /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { - if (s->cert != NULL) + if (s->server) + return(ssl_get_server_send_cert(s)); + else if (s->cert != NULL) return(s->cert->key->x509); else return(NULL); Index: ssl/ssl_locl.h =================================================================== --- ssl/ssl_locl.h (revision 246700) +++ ssl/ssl_locl.h (working copy) @@ -215,6 +215,15 @@ *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ *((c)++)=(unsigned char)(((l) )&0xff)) +#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ + *((c)++)=(unsigned char)(((l)>>48)&0xff), \ + *((c)++)=(unsigned char)(((l)>>40)&0xff), \ + *((c)++)=(unsigned char)(((l)>>32)&0xff), \ + *((c)++)=(unsigned char)(((l)>>24)&0xff), \ + *((c)++)=(unsigned char)(((l)>>16)&0xff), \ + *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ + *((c)++)=(unsigned char)(((l) )&0xff)) + #define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \ l|=((BN_ULLONG)(*((c)++)))<<32, \ l|=((BN_ULLONG)(*((c)++)))<<24, \ @@ -830,7 +839,8 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *s int ssl_undefined_function(SSL *s); int ssl_undefined_void_function(void); int ssl_undefined_const_function(const SSL *s); -X509 *ssl_get_server_send_cert(SSL *); +CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); +X509 *ssl_get_server_send_cert(const SSL *); EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd); int ssl_cert_type(X509 *x,EVP_PKEY *pkey); void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); @@ -1088,7 +1098,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); int ssl_prepare_clienthello_tlsext(SSL *s); int ssl_prepare_serverhello_tlsext(SSL *s); -int ssl_check_clienthello_tlsext(SSL *s); +int ssl_check_clienthello_tlsext_early(SSL *s); +int ssl_check_clienthello_tlsext_late(SSL *s); int ssl_check_serverhello_tlsext(SSL *s); #ifndef OPENSSL_NO_HEARTBEATS @@ -1131,4 +1142,33 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, uns int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al); +/* s3_cbc.c */ +void ssl3_cbc_copy_mac(unsigned char* out, + const SSL3_RECORD *rec, + unsigned md_size,unsigned orig_len); +int ssl3_cbc_remove_padding(const SSL* s, + SSL3_RECORD *rec, + unsigned block_size, + unsigned mac_size); +int tls1_cbc_remove_padding(const SSL* s, + SSL3_RECORD *rec, + unsigned block_size, + unsigned mac_size); +char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); +void ssl3_cbc_digest_record( + const EVP_MD_CTX *ctx, + unsigned char* md_out, + size_t* md_out_size, + const unsigned char header[13], + const unsigned char *data, + size_t data_plus_mac_size, + size_t data_plus_mac_plus_padding_size, + const unsigned char *mac_secret, + unsigned mac_secret_length, + char is_sslv3); + +void tls_fips_digest_extra( + const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, + const unsigned char *data, size_t data_len, size_t orig_len); + #endif Index: ssl/ssl_rsa.c =================================================================== --- ssl/ssl_rsa.c (revision 246700) +++ ssl/ssl_rsa.c (working copy) @@ -710,7 +710,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ct ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ - in=BIO_new(BIO_s_file_internal()); + in = BIO_new(BIO_s_file_internal()); if (in == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB); @@ -723,14 +723,16 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ct goto end; } - x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata); + x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback, + ctx->default_passwd_callback_userdata); if (x == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB); goto end; } - ret=SSL_CTX_use_certificate(ctx,x); + ret = SSL_CTX_use_certificate(ctx, x); + if (ERR_peek_error() != 0) ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */ if (ret) @@ -742,13 +744,15 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ct int r; unsigned long err; - if (ctx->extra_certs != NULL) + if (ctx->extra_certs != NULL) { sk_X509_pop_free(ctx->extra_certs, X509_free); ctx->extra_certs = NULL; } - while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata)) + while ((ca = PEM_read_bio_X509(in, NULL, + ctx->default_passwd_callback, + ctx->default_passwd_callback_userdata)) != NULL) { r = SSL_CTX_add_extra_chain_cert(ctx, ca); Index: ssl/ssltest.c =================================================================== --- ssl/ssltest.c (revision 246700) +++ ssl/ssltest.c (working copy) @@ -543,8 +543,8 @@ int main(int argc, char *argv[]) int comp = 0; #ifndef OPENSSL_NO_COMP COMP_METHOD *cm = NULL; + STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; #endif - STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; int test_cipherlist = 0; #ifdef OPENSSL_FIPS int fips_mode=0; Index: ssl/t1_enc.c =================================================================== --- ssl/t1_enc.c (revision 246700) +++ ssl/t1_enc.c (working copy) @@ -361,7 +361,7 @@ int tls1_change_cipher_state(SSL *s, int which) { int i; for (i=0; is3->tmp.key_block_length; i++) - printf("%02x", key_block[i]); printf("\n"); + printf("%02x", s->s3->tmp.key_block[i]); printf("\n"); } #endif /* KSSL_DEBUG */ @@ -667,12 +667,21 @@ err: return(ret); } +/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. + * + * Returns: + * 0: (in non-constant time) if the record is publically invalid (i.e. too + * short etc). + * 1: if the record's padding is valid / the encryption was successful. + * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, + * an internal error occured. + */ int tls1_enc(SSL *s, int send) { SSL3_RECORD *rec; EVP_CIPHER_CTX *ds; unsigned long l; - int bs,i,ii,j,k,pad=0; + int bs,i,j,k,pad=0,ret,mac_size=0; const EVP_CIPHER *enc; if (send) @@ -729,11 +738,11 @@ int tls1_enc(SSL *s, int send) printf("tls1_enc(%d)\n", send); #endif /* KSSL_DEBUG */ - if ((s->session == NULL) || (ds == NULL) || - (enc == NULL)) + if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { memmove(rec->data,rec->input,rec->length); rec->input=rec->data; + ret = 1; } else { @@ -797,13 +806,13 @@ int tls1_enc(SSL *s, int send) #ifdef KSSL_DEBUG { - unsigned long ui; + unsigned long ui; printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", - ds,rec->data,rec->input,l); + ds,rec->data,rec->input,l); printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", - ds->buf_len, ds->cipher->key_len, - DES_KEY_SZ, DES_SCHEDULE_SZ, - ds->cipher->iv_len); + ds->buf_len, ds->cipher->key_len, + DES_KEY_SZ, DES_SCHEDULE_SZ, + ds->cipher->iv_len); printf("\t\tIV: "); for (i=0; icipher->iv_len; i++) printf("%02X", ds->iv[i]); printf("\n"); @@ -816,13 +825,7 @@ int tls1_enc(SSL *s, int send) if (!send) { if (l == 0 || l%bs != 0) - { - if (s->version >= TLS1_1_VERSION) - return -1; - SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); - ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); return 0; - } } i = EVP_Cipher(ds,rec->data,rec->input,l); @@ -839,68 +842,24 @@ int tls1_enc(SSL *s, int send) #ifdef KSSL_DEBUG { - unsigned long i; - printf("\trec->data="); + unsigned long i; + printf("\trec->data="); for (i=0; idata[i]); printf("\n"); - } + printf(" %02x", rec->data[i]); printf("\n"); + } #endif /* KSSL_DEBUG */ + ret = 1; + if (EVP_MD_CTX_md(s->read_hash) != NULL) + mac_size = EVP_MD_CTX_size(s->read_hash); if ((bs != 1) && !send) - { - ii=i=rec->data[l-1]; /* padding_length */ - i++; - /* NB: if compression is in operation the first packet - * may not be of even length so the padding bug check - * cannot be performed. This bug workaround has been - * around since SSLeay so hopefully it is either fixed - * now or no buggy implementation supports compression - * [steve] - */ - if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) - && !s->expand) - { - /* First packet is even in size, so check */ - if ((memcmp(s->s3->read_sequence, - "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) - s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; - if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) - i--; - } - /* TLS 1.0 does not bound the number of padding bytes by the block size. - * All of them must have value 'padding_length'. */ - if (i > (int)rec->length) - { - /* Incorrect padding. SSLerr() and ssl3_alert are done - * by caller: we don't want to reveal whether this is - * a decryption error or a MAC verification failure - * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ - return -1; - } - for (j=(int)(l-i); j<(int)l; j++) - { - if (rec->data[j] != ii) - { - /* Incorrect padding */ - return -1; - } - } - rec->length -=i; - if (s->version >= TLS1_1_VERSION - && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE) - { - if (bs > (int)rec->length) - return -1; - rec->data += bs; /* skip the explicit IV */ - rec->input += bs; - rec->length -= bs; - } - } + ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); if (pad && !send) rec->length -= pad; } - return(1); + return ret; } + int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) { unsigned int ret; @@ -990,10 +949,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send SSL3_RECORD *rec; unsigned char *seq; EVP_MD_CTX *hash; - size_t md_size; + size_t md_size, orig_len; int i; EVP_MD_CTX hmac, *mac_ctx; - unsigned char buf[5]; + unsigned char header[13]; int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); int t; @@ -1014,12 +973,6 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send OPENSSL_assert(t >= 0); md_size=t; - buf[0]=rec->type; - buf[1]=(unsigned char)(ssl->version>>8); - buf[2]=(unsigned char)(ssl->version); - buf[3]=rec->length>>8; - buf[4]=rec->length&0xff; - /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ if (stream_mac) { @@ -1038,17 +991,55 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); memcpy (p,&seq[2],6); - EVP_DigestSignUpdate(mac_ctx,dtlsseq,8); + memcpy(header, dtlsseq, 8); } else - EVP_DigestSignUpdate(mac_ctx,seq,8); + memcpy(header, seq, 8); - EVP_DigestSignUpdate(mac_ctx,buf,5); - EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); - t=EVP_DigestSignFinal(mac_ctx,md,&md_size); - OPENSSL_assert(t > 0); + /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ + orig_len = rec->length+md_size+((unsigned int)rec->type>>8); + rec->type &= 0xff; + + header[8]=rec->type; + header[9]=(unsigned char)(ssl->version>>8); + header[10]=(unsigned char)(ssl->version); + header[11]=(rec->length)>>8; + header[12]=(rec->length)&0xff; + + if (!send && + EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && + ssl3_cbc_record_digest_supported(mac_ctx)) + { + /* This is a CBC-encrypted record. We must avoid leaking any + * timing-side channel information about how many blocks of + * data we are hashing because that gives an attacker a + * timing-oracle. */ + ssl3_cbc_digest_record( + mac_ctx, + md, &md_size, + header, rec->input, + rec->length + md_size, orig_len, + ssl->s3->read_mac_secret, + ssl->s3->read_mac_secret_size, + 0 /* not SSLv3 */); + } + else + { + EVP_DigestSignUpdate(mac_ctx,header,sizeof(header)); + EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); + t=EVP_DigestSignFinal(mac_ctx,md,&md_size); + OPENSSL_assert(t > 0); +#ifdef OPENSSL_FIPS + if (!send && FIPS_mode()) + tls_fips_digest_extra( + ssl->enc_read_ctx, + mac_ctx, rec->input, + rec->length, orig_len); +#endif + } - if (!stream_mac) EVP_MD_CTX_cleanup(&hmac); + if (!stream_mac) + EVP_MD_CTX_cleanup(&hmac); #ifdef TLS_DEBUG printf("sec="); {unsigned int z; for (z=0; zsrtp_profile) { int el; @@ -799,6 +802,7 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, } ret+=el; } +#endif if (((s->s3->tmp.new_cipher->id & 0xFFFF)==0x80 || (s->s3->tmp.new_cipher->id & 0xFFFF)==0x81) && (SSL_get_options(s) & SSL_OP_CRYPTOPRO_TLSEXT_BUG)) @@ -1077,7 +1081,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++)); - if (ellipticcurvelist_length != size - 2) + if (ellipticcurvelist_length != size - 2 || + ellipticcurvelist_length < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; @@ -1328,12 +1333,14 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned #endif /* session ticket processed earlier */ +#ifndef OPENSSL_NO_SRTP else if (type == TLSEXT_TYPE_use_srtp) - { + { if(ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) return 0; - } + } +#endif data+=size; } @@ -1433,7 +1440,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); - if (ecpointformatlist_length != size - 1) + if (ecpointformatlist_length != size - 1 || + ecpointformatlist_length < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; @@ -1527,7 +1535,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned unsigned char selected_len; /* We must have requested it. */ - if ((s->ctx->next_proto_select_cb == NULL)) + if (s->ctx->next_proto_select_cb == NULL) { *al = TLS1_AD_UNSUPPORTED_EXTENSION; return 0; @@ -1577,12 +1585,14 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned } } #endif +#ifndef OPENSSL_NO_SRTP else if (type == TLSEXT_TYPE_use_srtp) - { + { if(ssl_parse_serverhello_use_srtp_ext(s, data, size, al)) return 0; - } + } +#endif data+=size; } @@ -1763,7 +1773,7 @@ int ssl_prepare_serverhello_tlsext(SSL *s) return 1; } -int ssl_check_clienthello_tlsext(SSL *s) +int ssl_check_clienthello_tlsext_early(SSL *s) { int ret=SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; @@ -1782,42 +1792,12 @@ int ssl_prepare_serverhello_tlsext(SSL *s) else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg); - /* If status request then ask callback what to do. - * Note: this must be called after servername callbacks in case - * the certificate has changed. - */ - if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) - { - int r; - r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); - switch (r) - { - /* We don't want to send a status request response */ - case SSL_TLSEXT_ERR_NOACK: - s->tlsext_status_expected = 0; - break; - /* status request response should be sent */ - case SSL_TLSEXT_ERR_OK: - if (s->tlsext_ocsp_resp) - s->tlsext_status_expected = 1; - else - s->tlsext_status_expected = 0; - break; - /* something bad happened */ - case SSL_TLSEXT_ERR_ALERT_FATAL: - ret = SSL_TLSEXT_ERR_ALERT_FATAL; - al = SSL_AD_INTERNAL_ERROR; - goto err; - } - } - else - s->tlsext_status_expected = 0; - #ifdef TLSEXT_TYPE_opaque_prf_input { /* This sort of belongs into ssl_prepare_serverhello_tlsext(), * but we might be sending an alert in response to the client hello, - * so this has to happen here in ssl_check_clienthello_tlsext(). */ + * so this has to happen here in + * ssl_check_clienthello_tlsext_early(). */ int r = 1; @@ -1869,8 +1849,8 @@ int ssl_prepare_serverhello_tlsext(SSL *s) } } + err: #endif - err: switch (ret) { case SSL_TLSEXT_ERR_ALERT_FATAL: @@ -1888,6 +1868,71 @@ int ssl_prepare_serverhello_tlsext(SSL *s) } } +int ssl_check_clienthello_tlsext_late(SSL *s) + { + int ret = SSL_TLSEXT_ERR_OK; + int al; + + /* If status request then ask callback what to do. + * Note: this must be called after servername callbacks in case + * the certificate has changed, and must be called after the cipher + * has been chosen because this may influence which certificate is sent + */ + if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) + { + int r; + CERT_PKEY *certpkey; + certpkey = ssl_get_server_send_pkey(s); + /* If no certificate can't return certificate status */ + if (certpkey == NULL) + { + s->tlsext_status_expected = 0; + return 1; + } + /* Set current certificate to one we will use so + * SSL_get_certificate et al can pick it up. + */ + s->cert->key = certpkey; + r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg); + switch (r) + { + /* We don't want to send a status request response */ + case SSL_TLSEXT_ERR_NOACK: + s->tlsext_status_expected = 0; + break; + /* status request response should be sent */ + case SSL_TLSEXT_ERR_OK: + if (s->tlsext_ocsp_resp) + s->tlsext_status_expected = 1; + else + s->tlsext_status_expected = 0; + break; + /* something bad happened */ + case SSL_TLSEXT_ERR_ALERT_FATAL: + ret = SSL_TLSEXT_ERR_ALERT_FATAL; + al = SSL_AD_INTERNAL_ERROR; + goto err; + } + } + else + s->tlsext_status_expected = 0; + + err: + switch (ret) + { + case SSL_TLSEXT_ERR_ALERT_FATAL: + ssl3_send_alert(s,SSL3_AL_FATAL,al); + return -1; + + case SSL_TLSEXT_ERR_ALERT_WARNING: + ssl3_send_alert(s,SSL3_AL_WARNING,al); + return 1; + + default: + return 1; + } + } + int ssl_check_serverhello_tlsext(SSL *s) { int ret=SSL_TLSEXT_ERR_NOACK; @@ -2189,7 +2234,7 @@ static int tls_decrypt_ticket(SSL *s, const unsign HMAC_Update(&hctx, etick, eticklen); HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); - if (memcmp(tick_hmac, etick + eticklen, mlen)) + if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) return 2; /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ @@ -2414,7 +2459,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned ch */ #ifndef OPENSSL_NO_DSA if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest) - c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); + c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); #endif #ifndef OPENSSL_NO_RSA if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) @@ -2425,7 +2470,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned ch #endif #ifndef OPENSSL_NO_ECDSA if (!c->pkeys[SSL_PKEY_ECC].digest) - c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); + c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); #endif return 1; } Index: ssl/tls_srp.c =================================================================== --- ssl/tls_srp.c (revision 246700) +++ ssl/tls_srp.c (working copy) @@ -242,7 +242,8 @@ int SSL_srp_server_param_with_username(SSL *s, int (s->srp_ctx.v == NULL)) return SSL3_AL_FATAL; - RAND_bytes(b, sizeof(b)); + if (RAND_bytes(b, sizeof(b)) <= 0) + return SSL3_AL_FATAL; s->srp_ctx.b = BN_bin2bn(b,sizeof(b),NULL); OPENSSL_cleanse(b,sizeof(b)); Index: util/libeay.num =================================================================== --- util/libeay.num (revision 246700) +++ util/libeay.num (working copy) @@ -3510,6 +3510,7 @@ BIO_get_callback_arg 3902 EXIST BIO_set_callback 3903 EXIST::FUNCTION: d2i_ASIdOrRange 3904 EXIST::FUNCTION:RFC3779 i2d_ASIdentifiers 3905 EXIST::FUNCTION:RFC3779 +CRYPTO_memcmp 3906 EXIST::FUNCTION: SEED_decrypt 3908 EXIST::FUNCTION:SEED SEED_encrypt 3909 EXIST::FUNCTION:SEED SEED_cbc_encrypt 3910 EXIST::FUNCTION:SEED @@ -3687,7 +3688,7 @@ FIPS_dh_new 4073 NOEXI FIPS_corrupt_dsa_keygen 4074 NOEXIST::FUNCTION: FIPS_dh_free 4075 NOEXIST::FUNCTION: fips_pkey_signature_test 4076 NOEXIST::FUNCTION: -EVP_add_alg_module 4077 NOEXIST::FUNCTION: +EVP_add_alg_module 4077 EXIST::FUNCTION: int_RAND_init_engine_callbacks 4078 NOEXIST::FUNCTION: int_EVP_CIPHER_set_engine_callbacks 4079 NOEXIST::FUNCTION: int_EVP_MD_init_engine_callbacks 4080 NOEXIST::FUNCTION: Index: util/pl/VC-32.pl =================================================================== --- util/pl/VC-32.pl (revision 246700) +++ util/pl/VC-32.pl (working copy) @@ -118,7 +118,7 @@ elsif ($FLAVOR =~ /CE/) $base_cflags.=' -I$(WCECOMPAT)/include' if (defined($ENV{'WCECOMPAT'})); $base_cflags.=' -I$(PORTSDK_LIBPATH)/../../include' if (defined($ENV{'PORTSDK_LIBPATH'})); $opt_cflags=' /MC /O1i'; # optimize for space, but with intrinsics... - $dbg_clfags=' /MC /Od -DDEBUG -D_DEBUG'; + $dbg_cflags=' /MC /Od -DDEBUG -D_DEBUG'; $lflags="/nologo /opt:ref $wcelflag"; } else # Win32