From 04ef91b390dfcc6125913e2f2af502d23d7a5112 Mon Sep 17 00:00:00 2001 
From: Brian Carlstrom Date: Tue, 5 Feb 2013 09:20:38 -0800 Subject: openssl-1.0.1d upgrade Change-Id: Ie980c8834cf2c843858182d98d1f60c65a2a9b70 --- Crypto.mk | 1 + apps/apps.c | 5 +- apps/ca.c | 1 + apps/cms.c | 4 + apps/dgst.c | 4 +- apps/dhparam.c | 1 - apps/dsaparam.c | 9 +- apps/genrsa.c | 2 +- apps/ocsp.c | 2 +- apps/s_cb.c | 6 +- apps/s_client.c | 10 +- apps/s_server.c | 53 +- apps/speed.c | 4 +- apps/srp.c | 30 +- apps/verify.c | 27 +- apps/x509.c | 4 +- crypto/aes/asm/aes-s390x.pl | 95 +- crypto/aes/asm/aes-x86_64.pl | 3 +- crypto/aes/asm/aesni-sha1-x86_64.pl | 3 +- crypto/aes/asm/aesni-x86_64.pl | 3 +- crypto/aes/asm/bsaes-x86_64.pl | 3 +- crypto/aes/asm/vpaes-x86_64.pl | 3 +- crypto/asn1/a_strex.c | 1 + crypto/asn1/a_verify.c | 6 + crypto/bio/bss_dgram.c | 85 +- crypto/bn/asm/bn-mips.S | 2 +- crypto/bn/asm/mips.pl | 2 +- crypto/bn/asm/modexp512-x86_64.pl | 3 +- crypto/bn/asm/x86_64-gf2m.pl | 2 +- crypto/bn/asm/x86_64-mont.pl | 3 +- crypto/bn/asm/x86_64-mont5.pl | 3 +- crypto/bn/bn_div.c | 2 + crypto/bn/bn_gcd.c | 1 + crypto/bn/bn_lcl.h | 11 +- crypto/bn/bn_word.c | 25 +- crypto/conf/conf_mall.c | 1 + crypto/cryptlib.c | 1 + crypto/cryptlib.h | 2 +- crypto/crypto.h | 4 +- crypto/des/set_key.c | 3 +- crypto/des/str2key.c | 2 +- crypto/ec/ec.h | 28 +- crypto/ec/ec_key.c | 13 +- crypto/ec/ec_pmeth.c | 2 +- crypto/ec/ecp_mont.c | 1 - crypto/ec/ectest.c | 2 +- crypto/ecdh/ech_key.c | 3 - crypto/ecdh/ech_lib.c | 11 +- crypto/ecdsa/ecs_lib.c | 11 +- crypto/err/err_all.c | 19 +- crypto/evp/c_allc.c | 2 - crypto/evp/digest.c | 1 + crypto/evp/e_aes.c | 5 +- crypto/evp/e_aes_cbc_hmac_sha1.c | 209 ++- crypto/evp/evp.h | 15 +- crypto/evp/evp_cnf.c | 125 ++ crypto/evp/evp_err.c | 6 + crypto/evp/m_dss.c | 2 +- crypto/evp/m_dss1.c | 2 +- crypto/evp/m_sha1.c | 2 +- crypto/evp/p_sign.c | 2 +- crypto/evp/p_verify.c | 2 +- crypto/md4/md4_dgst.c | 31 +- crypto/md4/md4_locl.h | 8 +- crypto/md5/asm/md5-x86_64.pl | 3 +- crypto/md5/md5_locl.h | 8 +- crypto/mdc2/mdc2dgst.c | 2 +- 
crypto/mem.c | 2 +- crypto/modes/asm/ghash-x86.pl | 6 +- crypto/modes/asm/ghash-x86_64.pl | 3 +- crypto/modes/gcm128.c | 4 +- crypto/objects/o_names.c | 2 +- crypto/ocsp/ocsp_vfy.c | 10 +- crypto/opensslv.h | 6 +- crypto/pem/pem_all.c | 161 ++ crypto/pem/pem_lib.c | 27 +- crypto/pem/pem_seal.c | 6 +- crypto/perlasm/cbc.pl | 2 +- crypto/perlasm/x86masm.pl | 1 + crypto/pkcs12/p12_key.c | 24 +- crypto/rand/md_rand.c | 2 +- crypto/rand/rand_lib.c | 7 +- crypto/rand/randfile.c | 2 + crypto/rc4/asm/rc4-md5-x86_64.pl | 3 +- crypto/rc4/asm/rc4-x86_64.pl | 3 +- crypto/ripemd/rmd_dgst.c | 30 +- crypto/ripemd/rmd_locl.h | 10 +- crypto/rsa/rsa.h | 2 +- crypto/rsa/rsa_eay.c | 6 +- crypto/sha/asm/sha1-armv4-large.S | 3 +- crypto/sha/asm/sha1-armv4-large.pl | 3 +- crypto/sha/asm/sha1-ia64.pl | 3 +- crypto/sha/asm/sha1-sparcv9a.pl | 2 +- crypto/sha/asm/sha1-x86_64.pl | 3 +- crypto/sha/asm/sha512-586.pl | 16 +- crypto/sha/asm/sha512-x86_64.pl | 3 +- crypto/sha/sha1_one.c | 2 +- crypto/sha/sha1dgst.c | 2 +- crypto/sha/sha256.c | 6 +- crypto/sha/sha_dgst.c | 2 +- crypto/sha/sha_locl.h | 40 +- crypto/srp/srp_vfy.c | 5 +- crypto/symhacks.h | 14 +- crypto/ui/ui_openssl.c | 6 + crypto/x509/x509_cmp.c | 15 +- crypto/x509/x509_vfy.c | 4 +- crypto/x509v3/v3_purp.c | 4 +- crypto/x86_64cpuid.pl | 3 +- crypto/x86cpuid.pl | 4 +- import_openssl.sh | 2 +- include/openssl/crypto.h | 4 +- include/openssl/dtls1.h | 8 +- include/openssl/ec.h | 28 +- include/openssl/evp.h | 15 +- include/openssl/opensslv.h | 6 +- include/openssl/rsa.h | 2 +- include/openssl/ssl.h | 8 +- include/openssl/ssl3.h | 10 +- include/openssl/symhacks.h | 14 +- openssl.config | 20 +- openssl.version | 2 +- .../0001-Add-and-use-a-constant-time-memcmp.patch | 155 -- patches/0002-Make-CBC-decoding-constant-time.patch | 1621 -------------------- patches/README | 37 - patches/channelid.patch | 13 +- patches/clang.patch | 26 - patches/jsse.patch | 4 +- patches/mips_private.patch | 64 - patches/recursive_lock_fix.patch | 22 - 
patches/sha1_armv4_large.patch | 21 - ssl/d1_pkt.c | 14 +- ssl/dtls1.h | 8 +- ssl/s2_clnt.c | 12 +- ssl/s2_srvr.c | 16 +- ssl/s3_both.c | 12 +- ssl/s3_cbc.c | 178 ++- ssl/s3_enc.c | 8 +- ssl/s3_lib.c | 16 +- ssl/s3_pkt.c | 17 +- ssl/s3_srvr.c | 16 +- ssl/ssl.h | 8 +- ssl/ssl3.h | 10 +- ssl/ssl_algs.c | 2 - ssl/ssl_cert.c | 4 +- ssl/ssl_ciph.c | 5 +- ssl/ssl_err.c | 1 + ssl/ssl_lib.c | 22 +- ssl/ssl_locl.h | 12 +- ssl/ssl_rsa.c | 14 +- ssl/ssltest.c | 2 +- ssl/t1_enc.c | 17 +- ssl/t1_lib.c | 113 +- ssl/tls_srp.c | 3 +- 153 files changed, 1430 insertions(+), 2568 deletions(-) create mode 100644 crypto/evp/evp_cnf.c delete mode 100644 patches/0001-Add-and-use-a-constant-time-memcmp.patch delete mode 100644 patches/0002-Make-CBC-decoding-constant-time.patch delete mode 100644 patches/clang.patch delete mode 100644 patches/mips_private.patch delete mode 100644 patches/recursive_lock_fix.patch delete mode 100644 patches/sha1_armv4_large.patch diff --git a/Crypto.mk b/Crypto.mk index e012527..1ea3939 100644 --- a/Crypto.mk +++ b/Crypto.mk @@ -341,6 +341,7 @@ local_src_files := \ crypto/evp/e_xcbc_d.c \ crypto/evp/encode.c \ crypto/evp/evp_acnf.c \ + crypto/evp/evp_cnf.c \ crypto/evp/evp_enc.c \ crypto/evp/evp_err.c \ crypto/evp/evp_key.c \ diff --git a/apps/apps.c b/apps/apps.c index 4e11915..1096eee 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -2132,7 +2132,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn) X509_NAME *n = NULL; int nid; - if (!buf || !ne_types || !ne_values) + if (!buf || !ne_types || !ne_values || !mval) { BIO_printf(bio_err, "malloc error\n"); goto error; @@ -2236,6 +2236,7 @@ X509_NAME *parse_name(char *subject, long chtype, int multirdn) OPENSSL_free(ne_values); OPENSSL_free(ne_types); OPENSSL_free(buf); + OPENSSL_free(mval); return n; error: @@ -2244,6 +2245,8 @@ error: OPENSSL_free(ne_values); if (ne_types) OPENSSL_free(ne_types); + if (mval) + OPENSSL_free(mval); if (buf) OPENSSL_free(buf); return NULL; 
diff --git a/apps/ca.c b/apps/ca.c index 2a83d19..1cf50e0 100644 --- a/apps/ca.c +++ b/apps/ca.c @@ -1408,6 +1408,7 @@ bad: if (!NCONF_get_number(conf,section, ENV_DEFAULT_CRL_HOURS, &crlhours)) crlhours = 0; + ERR_clear_error(); } if ((crldays == 0) && (crlhours == 0) && (crlsec == 0)) { diff --git a/apps/cms.c b/apps/cms.c index d754140..5f77f8f 100644 --- a/apps/cms.c +++ b/apps/cms.c @@ -233,6 +233,8 @@ int MAIN(int argc, char **argv) else if (!strcmp(*args,"-camellia256")) cipher = EVP_camellia_256_cbc(); #endif + else if (!strcmp (*args, "-debug_decrypt")) + flags |= CMS_DEBUG_DECRYPT; else if (!strcmp (*args, "-text")) flags |= CMS_TEXT; else if (!strcmp (*args, "-nointern")) @@ -1039,6 +1041,8 @@ int MAIN(int argc, char **argv) ret = 4; if (operation == SMIME_DECRYPT) { + if (flags & CMS_DEBUG_DECRYPT) + CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags); if (secret_key) { diff --git a/apps/dgst.c b/apps/dgst.c index b08e9a7..81bd870 100644 --- a/apps/dgst.c +++ b/apps/dgst.c @@ -216,10 +216,10 @@ int MAIN(int argc, char **argv) out_bin = 1; else if (strcmp(*argv,"-d") == 0) debug=1; - else if (strcmp(*argv,"-non-fips-allow") == 0) - non_fips_allow=1; else if (!strcmp(*argv,"-fips-fingerprint")) hmac_key = "etaonrishdlcupfm"; + else if (strcmp(*argv,"-non-fips-allow") == 0) + non_fips_allow=1; else if (!strcmp(*argv,"-hmac")) { if (--argc < 1) diff --git a/apps/dhparam.c b/apps/dhparam.c index b47097c..1297d6f 100644 --- a/apps/dhparam.c +++ b/apps/dhparam.c @@ -332,7 +332,6 @@ bad: BIO_printf(bio_err,"This is going to take a long time\n"); if(!dh || !DH_generate_parameters_ex(dh, num, g, &cb)) { - if(dh) DH_free(dh); ERR_print_errors(bio_err); goto end; } diff --git a/apps/dsaparam.c b/apps/dsaparam.c index fe72c1d..683d513 100644 --- a/apps/dsaparam.c +++ b/apps/dsaparam.c @@ -326,6 +326,7 @@ bad: goto end; } #endif + ERR_print_errors(bio_err); BIO_printf(bio_err,"Error, DSA key generation failed\n"); goto end; } 
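Review bot: The new `-debug_decrypt` branch in the option parser is added without a usage line or comment, yet `CMS_DEBUG_DECRYPT` switches off the MMA countermeasure inside CMS_decrypt(), so padding and decryption failures become distinguishable to whoever observes the tool — the API documentation restricts the flag to debugging. A comment on the new branch would keep it from being copied into production scripts: `/* CMS_DEBUG_DECRYPT disables the MMA countermeasure in CMS_decrypt(); debugging only */`. In the second hunk the return value of `CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags)` is discarded; presumably the all-NULL call only records the flags on the cms object, but a one-line comment stating that would help the next reader. MAIN's body continues outside both hunks.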
@@ -429,13 +430,19 @@ bad: assert(need_rand); if ((dsakey=DSAparams_dup(dsa)) == NULL) goto end; - if (!DSA_generate_key(dsakey)) goto end; + if (!DSA_generate_key(dsakey)) + { + ERR_print_errors(bio_err); + DSA_free(dsakey); + goto end; + } if (outformat == FORMAT_ASN1) i=i2d_DSAPrivateKey_bio(out,dsakey); else if (outformat == FORMAT_PEM) i=PEM_write_bio_DSAPrivateKey(out,dsakey,NULL,NULL,0,NULL,NULL); else { BIO_printf(bio_err,"bad output format specified for outfile\n"); + DSA_free(dsakey); goto end; } DSA_free(dsakey); diff --git a/apps/genrsa.c b/apps/genrsa.c index 37e9310..ece114c 100644 --- a/apps/genrsa.c +++ b/apps/genrsa.c @@ -78,7 +78,7 @@ #include #include -#define DEFBITS 512 +#define DEFBITS 1024 #undef PROG #define PROG genrsa_main diff --git a/apps/ocsp.c b/apps/ocsp.c index 01847df..83c5a76 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -617,7 +617,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-ndays n number of days before next update\n"); BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n"); BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n"); - BIO_printf (bio_err, "- use specified digest in the request"); + BIO_printf (bio_err, "- use specified digest in the request\n"); goto end; } diff --git a/apps/s_cb.c b/apps/s_cb.c index 2cd7337..84c3b44 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -237,8 +237,8 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) /* If we are using DSA, we can copy the parameters from * the private key */ - - + + /* Now we know that a key and cert have been set against * the SSL context */ if (!SSL_CTX_check_private_key(ctx)) @@ -436,6 +436,8 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void * if (version == SSL3_VERSION || version == TLS1_VERSION || + version == TLS1_1_VERSION || + version == TLS1_2_VERSION || version == DTLS1_VERSION || version == DTLS1_BAD_VER) { 
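Review bot: The default key size moves from 512 to 1024 bits at `#define DEFBITS 1024`, but 1024-bit RSA was already deprecated by NIST SP 800-131A at the time of this commit, with 2048 bits the recommended minimum. If 1024 is kept for compatibility with existing tooling, the define should say so: `#define DEFBITS 1024 /* legacy default; 2048 bits is the recommended minimum, pass the size explicitly */`. The usage text of genrsa, outside this hunk, presumably prints DEFBITS and should be checked for the same wording.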
diff --git a/apps/s_client.c b/apps/s_client.c index 7dce4cf..3a40a3f 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -357,7 +357,7 @@ static void sc_usage(void) BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); -# if !defined(OPENSSL_NO_NEXTPROTONEG) +# ifndef OPENSSL_NO_NEXTPROTONEG BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); # endif #endif @@ -537,7 +537,7 @@ static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, con ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len); return SSL_TLSEXT_ERR_OK; } -# endif +# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ #endif enum @@ -1903,6 +1903,10 @@ end: print_stuff(bio_c_out,con,1); SSL_free(con); } +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + if (next_proto.data) + OPENSSL_free(next_proto.data); +#endif if (ctx != NULL) SSL_CTX_free(ctx); if (cert) X509_free(cert); @@ -1910,6 +1914,8 @@ end: EVP_PKEY_free(key); if (pass) OPENSSL_free(pass); + if (vpm) + X509_VERIFY_PARAM_free(vpm); if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); } diff --git a/apps/s_server.c b/apps/s_server.c index 3f9b370..4720c05 100644 --- a/apps/s_server.c +++ b/apps/s_server.c 
@@ -1206,13 +1206,13 @@ int MAIN(int argc, char *argv[]) { if (--argc < 1) goto bad; srp_verifier_file = *(++argv); - meth=TLSv1_server_method(); + meth = TLSv1_server_method(); } else if (strcmp(*argv, "-srpuserseed") == 0) { if (--argc < 1) goto bad; srpuserseed = *(++argv); - meth=TLSv1_server_method(); + meth = TLSv1_server_method(); } #endif else if (strcmp(*argv,"-www") == 0) @@ -1431,25 +1431,24 @@ bad: goto end; } } - -# ifndef OPENSSL_NO_NEXTPROTONEG - if (next_proto_neg_in) - { - unsigned short len; - next_proto.data = next_protos_parse(&len, - next_proto_neg_in); - if (next_proto.data == NULL) - goto end; - next_proto.len = len; - } - else - { - next_proto.data = NULL; - } -# endif #endif } +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + if (next_proto_neg_in) + { + unsigned short len; + next_proto.data = next_protos_parse(&len, next_proto_neg_in); + if (next_proto.data == NULL) + goto end; + next_proto.len = len; + } + else + { + next_proto.data = NULL; + } +#endif + if (s_dcert_file) { @@ -1730,7 +1729,7 @@ bad: } #endif - if (!set_cert_key_stuff(ctx,s_cert,s_key)) + if (!set_cert_key_stuff(ctx, s_cert, s_key)) goto end; #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2)) @@ -1738,7 +1737,7 @@ bad: #endif if (s_dcert != NULL) { - if (!set_cert_key_stuff(ctx,s_dcert,s_dkey)) + if (!set_cert_key_stuff(ctx, s_dcert, s_dkey)) goto end; } @@ -1893,7 +1892,15 @@ end: OPENSSL_free(pass); if (dpass) OPENSSL_free(dpass); + if (vpm) + X509_VERIFY_PARAM_free(vpm); #ifndef OPENSSL_NO_TLSEXT + if (tlscstatp.host) + OPENSSL_free(tlscstatp.host); + if (tlscstatp.port) + OPENSSL_free(tlscstatp.port); + if (tlscstatp.path) + OPENSSL_free(tlscstatp.path); if (ctx2 != NULL) SSL_CTX_free(ctx2); if (s_cert2) X509_free(s_cert2); 
@@ -2433,6 +2440,7 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); + #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len); if (next_proto_neg) @@ -2701,6 +2709,11 @@ static int www_body(char *hostname, int s, unsigned char *context) } BIO_puts(io,"\n"); + BIO_printf(io, + "Secure Renegotiation IS%s supported\n", + SSL_get_secure_renegotiation_support(con) ? + "" : " NOT"); + /* The following is evil and should not really * be done */ BIO_printf(io,"Ciphers supported in s_server binary\n"); diff --git a/apps/speed.c b/apps/speed.c index ab62e01..9c251eb 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -254,7 +254,7 @@ static const char *names[ALGOR_NUM]={ "aes-128 cbc","aes-192 cbc","aes-256 cbc", "camellia-128 cbc","camellia-192 cbc","camellia-256 cbc", "evp","sha256","sha512","whirlpool", - "aes-128 ige","aes-192 ige","aes-256 ige","ghash"}; + "aes-128 ige","aes-192 ige","aes-256 ige","ghash" }; static double results[ALGOR_NUM][SIZE_NUM]; static int lengths[SIZE_NUM]={16,64,256,1024,8*1024}; #ifndef OPENSSL_NO_RSA @@ -299,7 +299,7 @@ static SIGRETTYPE sig_done(int sig) #if defined(_WIN32) #if !defined(SIGALRM) -#define SIGALRM +# define SIGALRM #endif static unsigned int lapse,schlock; static void alarm_win32(unsigned int secs) { lapse = secs*1000; } diff --git a/apps/srp.c b/apps/srp.c index 80e1b8a..9c7ae18 100644 --- a/apps/srp.c +++ b/apps/srp.c 
@@ -125,13 +125,13 @@ static int get_index(CA_DB *db, char* id, char type) if (type == DB_SRP_INDEX) for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { - pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i); - if (pp[DB_srptype][0] == DB_SRP_INDEX && !strcmp(id, pp[DB_srpid])) + pp = sk_OPENSSL_PSTRING_value(db->db->data,i); + if (pp[DB_srptype][0] == DB_SRP_INDEX && !strcmp(id,pp[DB_srpid])) return i; } else for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { - pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i); + pp = sk_OPENSSL_PSTRING_value(db->db->data,i); if (pp[DB_srptype][0] != DB_SRP_INDEX && !strcmp(id,pp[DB_srpid])) return i; @@ -145,7 +145,7 @@ static void print_entry(CA_DB *db, BIO *bio, int indx, int verbose, char *s) if (indx >= 0 && verbose) { int j; - char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, indx); + char **pp = sk_OPENSSL_PSTRING_value(db->db->data, indx); BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]); for (j = 0; j < DB_NUMBER; j++) { @@ -163,7 +163,7 @@ static void print_user(CA_DB *db, BIO *bio, int userindex, int verbose) { if (verbose > 0) { - char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + char **pp = sk_OPENSSL_PSTRING_value(db->db->data,userindex); if (pp[DB_srptype][0] != 'I') { @@ -517,7 +517,7 @@ bad: /* Lets check some fields */ for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { - pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i); + pp = sk_OPENSSL_PSTRING_value(db->db->data, i); if (pp[DB_srptype][0] == DB_SRP_INDEX) { @@ -533,8 +533,8 @@ bad: if (gNindex >= 0) { - gNrow = (char **)sk_OPENSSL_PSTRING_value(db->db->data, gNindex); - print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N") ; + gNrow = sk_OPENSSL_PSTRING_value(db->db->data,gNindex); + print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N"); } else if (maxgN > 0 && !SRP_get_default_gN(gN)) { 
@@ -587,7 +587,7 @@ bad: if (userindex >= 0) { /* reactivation of a new user */ - char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex); BIO_printf(bio_err, "user \"%s\" reactivated.\n", user); row[DB_srptype][0] = 'V'; @@ -634,7 +634,7 @@ bad: else { - char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex); char type = row[DB_srptype][0]; if (type == 'v') { @@ -664,9 +664,9 @@ bad: if (!(gNid=srp_create_user(user,&(row[DB_srpverifier]), &(row[DB_srpsalt]),gNrow?gNrow[DB_srpsalt]:NULL, gNrow?gNrow[DB_srpverifier]:NULL, passout, bio_err,verbose))) { - BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user); - errors++; - goto err; + BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user); + errors++; + goto err; } row[DB_srptype][0] = 'v'; @@ -689,7 +689,7 @@ bad: } else { - char **xpp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex); + char **xpp = sk_OPENSSL_PSTRING_value(db->db->data,userindex); BIO_printf(bio_err, "user \"%s\" revoked. t\n", user); xpp[DB_srptype][0] = 'R'; @@ -714,7 +714,7 @@ bad: /* Lets check some fields */ for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { - pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i); + pp = sk_OPENSSL_PSTRING_value(db->db->data,i); if (pp[DB_srptype][0] == 'v') { diff --git a/apps/verify.c b/apps/verify.c index b9749dc..893670f 100644 --- a/apps/verify.c +++ b/apps/verify.c 
@@ -222,11 +222,19 @@ int MAIN(int argc, char **argv) goto end; } - if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e); + ret = 0; + if (argc < 1) + { + if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e)) + ret = -1; + } else + { for (i=0; i&1` =~ /Version ([0-9]+)\./ && $1>=10); -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; # void aesni_cbc_sha1_enc(const void *inp, # void *out, diff --git a/crypto/aes/asm/aesni-x86_64.pl b/crypto/aes/asm/aesni-x86_64.pl index 499f3b3..0dbb194 100644 --- a/crypto/aes/asm/aesni-x86_64.pl +++ b/crypto/aes/asm/aesni-x86_64.pl @@ -172,7 +172,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; $movkey = $PREFIX eq "aesni" ? "movups" : "movups"; @_4args=$win64? ("%rcx","%rdx","%r8", "%r9") : # Win64 order diff --git a/crypto/aes/asm/bsaes-x86_64.pl b/crypto/aes/asm/bsaes-x86_64.pl index c9c6312..ceb02b5 100644 --- a/crypto/aes/asm/bsaes-x86_64.pl +++ b/crypto/aes/asm/bsaes-x86_64.pl @@ -105,7 +105,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; my ($inp,$out,$len,$key,$ivp)=("%rdi","%rsi","%rdx","%rcx"); my @XMM=map("%xmm$_",(15,0..14)); # best on Atom, +10% over (0..15) diff --git a/crypto/aes/asm/vpaes-x86_64.pl b/crypto/aes/asm/vpaes-x86_64.pl index 37998db..41f2e46 100644 --- a/crypto/aes/asm/vpaes-x86_64.pl +++ b/crypto/aes/asm/vpaes-x86_64.pl 
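Review bot: The new pipe command `open OUT,"| \"$^X\" $xlate $flavour $output";` quotes the perl binary but still passes `$xlate`, `$flavour` and `$output` unquoted through the shell, so a source tree or output path containing spaces or shell metacharacters still breaks, or is reinterpreted by, the build. The list form of open avoids the shell altogether and needs no quoting: `open OUT, "|-", $^X, $xlate, $flavour, $output or die "can't spawn $xlate: $!";`. The same two-line pattern is repeated in bsaes-x86_64.pl, vpaes-x86_64.pl, modexp512-x86_64.pl, x86_64-mont.pl and x86_64-mont5.pl below, while x86_64-gf2m.pl only adds the quoting without the `*STDOUT=*OUT` alias, which is inconsistent with the rest.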
@@ -56,7 +56,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; $PREFIX="vpaes"; diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c index 264ebf2..ead37ac 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c @@ -567,6 +567,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in) if(mbflag == -1) return -1; mbflag |= MBSTRING_FLAG; stmp.data = NULL; + stmp.length = 0; ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING); if(ret < 0) return ret; *out = stmp.data; diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c index 432722e..fc84cd3 100644 --- a/crypto/asn1/a_verify.c +++ b/crypto/asn1/a_verify.c @@ -140,6 +140,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, int mdnid, pknid; + if (!pkey) + { + ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ERR_R_PASSED_NULL_PARAMETER); + return -1; + } + EVP_MD_CTX_init(&ctx); /* Convert signature OID into digest and public key OIDs */ diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index 3c66dd1..8990909 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c @@ -77,10 +77,20 @@ #define OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE 0xc0 #endif -#ifdef OPENSSL_SYS_LINUX +#if defined(OPENSSL_SYS_LINUX) && !defined(IP_MTU) #define IP_MTU 14 /* linux is lame */ #endif +#if defined(__FreeBSD__) && defined(IN6_IS_ADDR_V4MAPPED) +/* Standard definition causes type-punning problems. */ +#undef IN6_IS_ADDR_V4MAPPED +#define s6_addr32 __u6_addr.__u6_addr32 +#define IN6_IS_ADDR_V4MAPPED(a) \ + (((a)->s6_addr32[0] == 0) && \ + ((a)->s6_addr32[1] == 0) && \ + ((a)->s6_addr32[2] == htonl(0x0000ffff))) +#endif + #ifdef WATT32 #define sock_write SockWrite /* Watt-32 uses same names */ #define sock_read SockRead 
@@ -255,7 +265,7 @@ static void dgram_adjust_rcv_timeout(BIO *b) { #if defined(SO_RCVTIMEO) bio_dgram_data *data = (bio_dgram_data *)b->ptr; - int sz = sizeof(int); + union { size_t s; int i; } sz = {0}; /* Is a timer active? */ if (data->next_timeout.tv_sec > 0 || data->next_timeout.tv_usec > 0) @@ -265,8 +275,10 @@ static void dgram_adjust_rcv_timeout(BIO *b) /* Read current socket timeout */ #ifdef OPENSSL_SYS_WINDOWS int timeout; + + sz.i = sizeof(timeout); if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, - (void*)&timeout, &sz) < 0) + (void*)&timeout, &sz.i) < 0) { perror("getsockopt"); } else { @@ -274,9 +286,12 @@ static void dgram_adjust_rcv_timeout(BIO *b) data->socket_timeout.tv_usec = (timeout % 1000) * 1000; } #else + sz.i = sizeof(data->socket_timeout); if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, &(data->socket_timeout), (void *)&sz) < 0) { perror("getsockopt"); } + else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0) + OPENSSL_assert(sz.s<=sizeof(data->socket_timeout)); #endif /* Get current time */ @@ -445,11 +460,10 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) int *ip; struct sockaddr *to = NULL; bio_dgram_data *data = NULL; -#if defined(IP_MTU_DISCOVER) || defined(IP_MTU) - long sockopt_val = 0; - socklen_t sockopt_len = 0; -#endif -#ifdef OPENSSL_SYS_LINUX +#if defined(OPENSSL_SYS_LINUX) && (defined(IP_MTU_DISCOVER) || defined(IP_MTU)) + int sockopt_val = 0; + socklen_t sockopt_len; /* assume that system supporting IP_MTU is + * modern enough to define socklen_t */ socklen_t addr_len; union { struct sockaddr sa; @@ -531,7 +545,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) break; /* (Linux)kernel sets DF bit on outgoing IP packets */ case BIO_CTRL_DGRAM_MTU_DISCOVER: -#ifdef OPENSSL_SYS_LINUX +#if defined(OPENSSL_SYS_LINUX) && defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DO) addr_len = (socklen_t)sizeof(addr); memset((void *)&addr, 0, sizeof(addr)); if (getsockname(b->num, &addr.sa, &addr_len) < 0) 
@@ -539,7 +553,6 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) ret = 0; break; } - sockopt_len = sizeof(sockopt_val); switch (addr.sa.sa_family) { case AF_INET: @@ -548,7 +561,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) &sockopt_val, sizeof(sockopt_val))) < 0) perror("setsockopt"); break; -#if OPENSSL_USE_IPV6 && defined(IPV6_MTU_DISCOVER) +#if OPENSSL_USE_IPV6 && defined(IPV6_MTU_DISCOVER) && defined(IPV6_PMTUDISC_DO) case AF_INET6: sockopt_val = IPV6_PMTUDISC_DO; if ((ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_MTU_DISCOVER, @@ -565,7 +578,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) break; #endif case BIO_CTRL_DGRAM_QUERY_MTU: -#ifdef OPENSSL_SYS_LINUX +#if defined(OPENSSL_SYS_LINUX) && defined(IP_MTU) addr_len = (socklen_t)sizeof(addr); memset((void *)&addr, 0, sizeof(addr)); if (getsockname(b->num, &addr.sa, &addr_len) < 0) @@ -727,12 +740,15 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) #endif break; case BIO_CTRL_DGRAM_GET_RECV_TIMEOUT: -#ifdef OPENSSL_SYS_WINDOWS { - int timeout, sz = sizeof(timeout); + union { size_t s; int i; } sz = {0}; +#ifdef OPENSSL_SYS_WINDOWS + int timeout; struct timeval *tv = (struct timeval *)ptr; + + sz.i = sizeof(timeout); if (getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, - (void*)&timeout, &sz) < 0) + (void*)&timeout, &sz.i) < 0) { perror("getsockopt"); ret = -1; } else { @@ -740,12 +756,20 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) tv->tv_usec = (timeout % 1000) * 1000; ret = sizeof(*tv); } - } #else + sz.i = sizeof(struct timeval); if ( getsockopt(b->num, SOL_SOCKET, SO_RCVTIMEO, - ptr, (void *)&ret) < 0) + ptr, (void *)&sz) < 0) { perror("getsockopt"); ret = -1; } + else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0) + { + OPENSSL_assert(sz.s<=sizeof(struct timeval)); + ret = (int)sz.s; + } + else + ret = sz.i; #endif + } break; #endif #if defined(SO_SNDTIMEO) 
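Review bot: `sockopt_len` loses both its `= 0` initializer (the declaration in the earlier `@@ -445,11 +460,10 @@` hunk now reads `socklen_t sockopt_len;`) and the `sockopt_len = sizeof(sockopt_val);` assignment removed here in BIO_CTRL_DGRAM_MTU_DISCOVER. That is harmless for the setsockopt() calls in this case, which pass `sizeof(sockopt_val)` directly, but the BIO_CTRL_DGRAM_QUERY_MTU case below still needs a length for its getsockopt(IP_MTU) call, which lies outside the hunk; if it relied on the assignment removed here, it now hands the kernel an indeterminate value. Either keep `socklen_t sockopt_len = sizeof(sockopt_val);` at the declaration or confirm QUERY_MTU assigns it immediately before the call. dgram_ctrl's body extends well beyond these hunks.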
@@ -765,12 +789,15 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) #endif break; case BIO_CTRL_DGRAM_GET_SEND_TIMEOUT: -#ifdef OPENSSL_SYS_WINDOWS { - int timeout, sz = sizeof(timeout); + union { size_t s; int i; } sz = {0}; +#ifdef OPENSSL_SYS_WINDOWS + int timeout; struct timeval *tv = (struct timeval *)ptr; + + sz.i = sizeof(timeout); if (getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, - (void*)&timeout, &sz) < 0) + (void*)&timeout, &sz.i) < 0) { perror("getsockopt"); ret = -1; } else { @@ -778,12 +805,20 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) tv->tv_usec = (timeout % 1000) * 1000; ret = sizeof(*tv); } - } #else + sz.i = sizeof(struct timeval); if ( getsockopt(b->num, SOL_SOCKET, SO_SNDTIMEO, - ptr, (void *)&ret) < 0) + ptr, (void *)&sz) < 0) { perror("getsockopt"); ret = -1; } + else if (sizeof(sz.s)!=sizeof(sz.i) && sz.i==0) + { + OPENSSL_assert(sz.s<=sizeof(struct timeval)); + ret = (int)sz.s; + } + else + ret = sz.i; #endif + } break; #endif case BIO_CTRL_DGRAM_GET_SEND_TIMER_EXP: @@ -955,7 +990,6 @@ static int dgram_sctp_free(BIO *a) #ifdef SCTP_AUTHENTICATION_EVENT void dgram_sctp_handle_auth_free_key_event(BIO *b, union sctp_notification *snp) { - unsigned int sockopt_len = 0; int ret; struct sctp_authkey_event* authkeyevent = &snp->sn_auth_event; @@ -965,9 +999,8 @@ void dgram_sctp_handle_auth_free_key_event(BIO *b, union sctp_notification *snp) /* delete key */ authkeyid.scact_keynumber = authkeyevent->auth_keynumber; - sockopt_len = sizeof(struct sctp_authkeyid); ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_DELETE_KEY, - &authkeyid, sockopt_len); + &authkeyid, sizeof(struct sctp_authkeyid)); } } #endif @@ -1298,7 +1331,7 @@ static long dgram_sctp_ctrl(BIO *b, int cmd, long num, void *ptr) { long ret=1; bio_dgram_sctp_data *data = NULL; - unsigned int sockopt_len = 0; + socklen_t sockopt_len = 0; struct sctp_authkeyid authkeyid; struct sctp_authkey *authkey; 
diff --git a/crypto/bn/asm/bn-mips.S b/crypto/bn/asm/bn-mips.S index 02097fa..229c709 100644 --- a/crypto/bn/asm/bn-mips.S +++ b/crypto/bn/asm/bn-mips.S @@ -582,7 +582,7 @@ bn_div_3_words: bn_div_3_words_internal: .set reorder move $11,$31 - bal bn_div_words + bal bn_div_words_internal move $31,$11 multu $10,$2 lw $14,-2*4($7) diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl index c162a3e..38b5164 100644 --- a/crypto/bn/asm/mips.pl +++ b/crypto/bn/asm/mips.pl @@ -819,7 +819,7 @@ ___ $code.=<<___; .set reorder move $ta3,$ra - bal bn_div_words + bal bn_div_words_internal move $ra,$ta3 $MULTU $ta2,$v0 $LD $t2,-2*$BNSZ($a3) diff --git a/crypto/bn/asm/modexp512-x86_64.pl b/crypto/bn/asm/modexp512-x86_64.pl index 54aeb01..bfd6e97 100644 --- a/crypto/bn/asm/modexp512-x86_64.pl +++ b/crypto/bn/asm/modexp512-x86_64.pl @@ -68,7 +68,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; use strict; my $code=".text\n\n"; diff --git a/crypto/bn/asm/x86_64-gf2m.pl b/crypto/bn/asm/x86_64-gf2m.pl index 1658acb..a30d4ef 100644 --- a/crypto/bn/asm/x86_64-gf2m.pl +++ b/crypto/bn/asm/x86_64-gf2m.pl @@ -31,7 +31,7 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open STDOUT,"| \"$^X\" $xlate $flavour $output"; ($lo,$hi)=("%rax","%rdx"); $a=$lo; ($i0,$i1)=("%rsi","%rdi"); diff --git a/crypto/bn/asm/x86_64-mont.pl b/crypto/bn/asm/x86_64-mont.pl index 5d79b35..17fb94c 100755 --- a/crypto/bn/asm/x86_64-mont.pl +++ b/crypto/bn/asm/x86_64-mont.pl 
@@ -40,7 +40,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; # int bn_mul_mont( $rp="%rdi"; # BN_ULONG *rp, diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl index 057cda2..8f8dc5a 100755 --- a/crypto/bn/asm/x86_64-mont5.pl +++ b/crypto/bn/asm/x86_64-mont5.pl @@ -28,7 +28,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; # int bn_mul_mont_gather5( $rp="%rdi"; # BN_ULONG *rp, diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c index 52b3304..7b24031 100644 --- a/crypto/bn/bn_div.c +++ b/crypto/bn/bn_div.c @@ -141,6 +141,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, * * */ +#undef bn_div_words # define bn_div_words(n0,n1,d0) \ ({ asm volatile ( \ "divl %4" \ @@ -155,6 +156,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, * Same story here, but it's 128-bit by 64-bit division. Wow! * */ +# undef bn_div_words # define bn_div_words(n0,n1,d0) \ ({ asm volatile ( \ "divq %4" \ diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c index 4a35211..a808f53 100644 --- a/crypto/bn/bn_gcd.c +++ b/crypto/bn/bn_gcd.c @@ -205,6 +205,7 @@ err: /* solves ax == 1 (mod n) */ static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); + BIGNUM *BN_mod_inverse(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) { diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h index eecfd8c..817c773 100644 --- a/crypto/bn/bn_lcl.h +++ b/crypto/bn/bn_lcl.h 
@@ -282,16 +282,23 @@ extern "C" { # endif # elif defined(__mips) && (defined(SIXTY_FOUR_BIT) || defined(SIXTY_FOUR_BIT_LONG)) # if defined(__GNUC__) && __GNUC__>=2 -# define BN_UMULT_HIGH(a,b) ({ \ +# if __GNUC__>=4 && __GNUC_MINOR__>=4 /* "h" constraint is no more since 4.4 */ +# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64) +# define BN_UMULT_LOHI(low,high,a,b) ({ \ + __uint128_t ret=(__uint128_t)(a)*(b); \ + (high)=ret>>64; (low)=ret; }) +# else +# define BN_UMULT_HIGH(a,b) ({ \ register BN_ULONG ret; \ asm ("dmultu %1,%2" \ : "=h"(ret) \ : "r"(a), "r"(b) : "l"); \ ret; }) -# define BN_UMULT_LOHI(low,high,a,b) \ +# define BN_UMULT_LOHI(low,high,a,b)\ asm ("dmultu %2,%3" \ : "=l"(low),"=h"(high) \ : "r"(a), "r"(b)); +# endif # endif # endif /* cpu */ #endif /* OPENSSL_NO_ASM */ diff --git a/crypto/bn/bn_word.c b/crypto/bn/bn_word.c index ee7b87c..de83a15 100644 --- a/crypto/bn/bn_word.c +++ b/crypto/bn/bn_word.c @@ -144,26 +144,17 @@ int BN_add_word(BIGNUM *a, BN_ULONG w) a->neg=!(a->neg); return(i); } - /* Only expand (and risk failing) if it's possibly necessary */ - if (((BN_ULONG)(a->d[a->top - 1] + 1) == 0) && - (bn_wexpand(a,a->top+1) == NULL)) - return(0); - i=0; - for (;;) + for (i=0;w!=0 && itop;i++) { - if (i >= a->top) - l=w; - else - l=(a->d[i]+w)&BN_MASK2; - a->d[i]=l; - if (w > l) - w=1; - else - break; - i++; + a->d[i] = l = (a->d[i]+w)&BN_MASK2; + w = (w>l)?1:0; } - if (i >= a->top) + if (w && i==a->top) + { + if (bn_wexpand(a,a->top+1) == NULL) return 0; a->top++; + a->d[i]=w; + } bn_check_top(a); return(1); } diff --git a/crypto/conf/conf_mall.c b/crypto/conf/conf_mall.c index c6f4cb2..213890e 100644 --- a/crypto/conf/conf_mall.c +++ b/crypto/conf/conf_mall.c @@ -76,5 +76,6 @@ void OPENSSL_load_builtin_modules(void) #ifndef OPENSSL_NO_ENGINE ENGINE_add_conf_module(); #endif + EVP_add_alg_module(); } diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index d47ab55..304c6b7 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c 
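Review bot: The version test `#if __GNUC__>=4 && __GNUC_MINOR__>=4` is wrong for any major version above 4: GCC 5.0 (minor 0) fails it and falls through to the inline asm with the `"h"` constraint, which the comment on the same line says no longer exists since 4.4, so newer compilers would fail the build instead of taking the `__uint128_t` path. The check should read `#if __GNUC__>4 || (__GNUC__==4 && __GNUC_MINOR__>=4)`.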
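Review bot: BN_add_word now rewrites `a->d[]` inside the loop before `bn_wexpand()` is attempted at `if (w && i==a->top)`, so when the expansion fails the function returns 0 with `a` already modified (the words that carried are zero and the carry-out is dropped), whereas the removed code expanded first and left `a` untouched on failure. Callers that treat a 0 return as "operand unchanged" would see a corrupted value. The pre-loop check is sound (a carry past the top word requires the top word to be all ones) and keeps the new shorter loop while restoring failure atomicity: `if ((BN_ULONG)(a->d[a->top - 1] + 1) == 0 && bn_wexpand(a, a->top + 1) == NULL) return 0;` placed before the `for`; the `bn_wexpand` call inside the `if (w && i==a->top)` block then becomes redundant but harmless.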
@@ -704,6 +704,7 @@ void OPENSSL_cpuid_setup(void) } else vec = OPENSSL_ia32_cpuid(); + /* * |(1<<10) sets a reserved bit to signal that variable * was initialized already... This is to avoid interference diff --git a/crypto/cryptlib.h b/crypto/cryptlib.h index 1761f6b..d26f963 100644 --- a/crypto/cryptlib.h +++ b/crypto/cryptlib.h @@ -100,7 +100,7 @@ extern "C" { void OPENSSL_cpuid_setup(void); extern unsigned int OPENSSL_ia32cap_P[]; -void OPENSSL_showfatal(const char *,...); +void OPENSSL_showfatal(const char *fmta,...); void *OPENSSL_stderr(void); extern int OPENSSL_NONPIC_relocated; diff --git a/crypto/crypto.h b/crypto/crypto.h index 793a325..f92fc51 100644 --- a/crypto/crypto.h +++ b/crypto/crypto.h @@ -488,10 +488,10 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int), long (**go)(void)); void *CRYPTO_malloc_locked(int num, const char *file, int line); -void CRYPTO_free_locked(void *); +void CRYPTO_free_locked(void *ptr); void *CRYPTO_malloc(int num, const char *file, int line); char *CRYPTO_strdup(const char *str, const char *file, int line); -void CRYPTO_free(void *); +void CRYPTO_free(void *ptr); void *CRYPTO_realloc(void *addr,int num, const char *file, int line); void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file, int line); diff --git a/crypto/des/set_key.c b/crypto/des/set_key.c index d3e69ca..da4d62e 100644 --- a/crypto/des/set_key.c +++ b/crypto/des/set_key.c @@ -63,9 +63,8 @@ * 1.1 added norm_expand_bits * 1.0 First working version */ -#include "des_locl.h" - #include +#include "des_locl.h" OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key,0) /* defaults to false */ diff --git a/crypto/des/str2key.c b/crypto/des/str2key.c index 9c2054b..1077f99 100644 --- a/crypto/des/str2key.c +++ b/crypto/des/str2key.c @@ -56,8 +56,8 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" #include +#include "des_locl.h" void DES_string_to_key(const char *str, DES_cblock *key) { 
diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h index 9d01325..dfe8710 100644 --- a/crypto/ec/ec.h +++ b/crypto/ec/ec.h @@ -274,10 +274,10 @@ int EC_GROUP_get_curve_name(const EC_GROUP *group); void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag); int EC_GROUP_get_asn1_flag(const EC_GROUP *group); -void EC_GROUP_set_point_conversion_form(EC_GROUP *, point_conversion_form_t); +void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form); point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *); -unsigned char *EC_GROUP_get0_seed(const EC_GROUP *); +unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x); size_t EC_GROUP_get_seed_len(const EC_GROUP *); size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len); @@ -626,8 +626,8 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *c */ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); -int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); -int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *); +int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx); +int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx); /** Computes r = generator * n sum_{i=0}^num p[i] * m[i] * \param group underlying EC_GROUP object 
@@ -800,16 +800,24 @@ const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key); int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub); unsigned EC_KEY_get_enc_flags(const EC_KEY *key); -void EC_KEY_set_enc_flags(EC_KEY *, unsigned int); -point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *); -void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t); +void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags); +point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key); +void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform); /* functions to set/get method specific data */ -void *EC_KEY_get_key_method_data(EC_KEY *, +void *EC_KEY_get_key_method_data(EC_KEY *key, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); -void EC_KEY_insert_key_method_data(EC_KEY *, void *data, +/** Sets the key method data of an EC_KEY object, if none has yet been set. + * \param key EC_KEY object + * \param data opaque data to install. + * \param dup_func a function that duplicates |data|. + * \param free_func a function that frees |data|. + * \param clear_free_func a function that wipes and frees |data|. + * \return the previously set data pointer, or NULL if |data| was inserted. + */ +void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); /* wrapper functions for the underlying EC_GROUP object */ -void EC_KEY_set_asn1_flag(EC_KEY *, int); +void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag); /** Creates a table of pre-computed multiples of the generator to * accelerate further EC_KEY operations. diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index bf9fd2d..7fa2475 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c 
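Review bot: EC_KEY_get_key_method_data in this hunk is still undocumented even though its sibling EC_KEY_insert_key_method_data gained a full comment, and that comment's `\return` line does not say who owns the pointer it now hands back. As far as the ec_key.c hunk shows, both functions return an entry that lives in `key->method_data` and is released by the `free_func` registered with it, so I would add above the getter `/** Returns the method data registered with the given dup/free/clear_free functions, or NULL. The pointer is owned by |key|; the caller must not free it. */` and append the same ownership statement to the insert comment, since a caller that gets a non-NULL result from insert must free its own |data| and leave the returned one alone (which is what ech_lib.c and ecs_lib.c do in this commit).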
@@ -520,18 +520,27 @@ void EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform) void *EC_KEY_get_key_method_data(EC_KEY *key, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) { - return EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); + void *ret; + + CRYPTO_r_lock(CRYPTO_LOCK_EC); + ret = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); + CRYPTO_r_unlock(CRYPTO_LOCK_EC); + + return ret; } -void EC_KEY_insert_key_method_data(EC_KEY *key, void *data, +void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)) { EC_EXTRA_DATA *ex_data; + CRYPTO_w_lock(CRYPTO_LOCK_EC); ex_data = EC_EX_DATA_get_data(key->method_data, dup_func, free_func, clear_free_func); if (ex_data == NULL) EC_EX_DATA_set_data(&key->method_data, data, dup_func, free_func, clear_free_func); CRYPTO_w_unlock(CRYPTO_LOCK_EC); + + return ex_data; } void EC_KEY_set_asn1_flag(EC_KEY *key, int flag) diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index d1ed66c..66ee397 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -188,7 +188,7 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec); - /* NB: unlike PKS#3 DH, if *outlen is less than maximum size this is + /* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is * not an error, the result is truncated. */ diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c index 079e474..f04f132 100644 --- a/crypto/ec/ecp_mont.c +++ b/crypto/ec/ecp_mont.c @@ -114,7 +114,6 @@ const EC_METHOD *EC_GFp_mont_method(void) ec_GFp_mont_field_decode, ec_GFp_mont_field_set_to_one }; - return &ret; #endif } diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c index f107782..102eaa9 100644 --- a/crypto/ec/ectest.c +++ b/crypto/ec/ectest.c 
@@ -236,7 +236,7 @@ static void group_order_tests(EC_GROUP *group) } static void prime_field_tests(void) - { + { BN_CTX *ctx = NULL; BIGNUM *p, *a, *b; EC_GROUP *group; diff --git a/crypto/ecdh/ech_key.c b/crypto/ecdh/ech_key.c index f44da92..2988899 100644 --- a/crypto/ecdh/ech_key.c +++ b/crypto/ecdh/ech_key.c @@ -68,9 +68,6 @@ */ #include "ech_locl.h" -#ifndef OPENSSL_NO_ENGINE -#include -#endif int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *eckey, diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c index dadbfd3..0644431 100644 --- a/crypto/ecdh/ech_lib.c +++ b/crypto/ecdh/ech_lib.c @@ -222,8 +222,15 @@ ECDH_DATA *ecdh_check(EC_KEY *key) ecdh_data = (ECDH_DATA *)ecdh_data_new(); if (ecdh_data == NULL) return NULL; - EC_KEY_insert_key_method_data(key, (void *)ecdh_data, - ecdh_data_dup, ecdh_data_free, ecdh_data_free); + data = EC_KEY_insert_key_method_data(key, (void *)ecdh_data, + ecdh_data_dup, ecdh_data_free, ecdh_data_free); + if (data != NULL) + { + /* Another thread raced us to install the key_method + * data and won. */ + ecdh_data_free(ecdh_data); + ecdh_data = (ECDH_DATA *)data; + } } else ecdh_data = (ECDH_DATA *)data; diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c index e477da4..814a6bf 100644 --- a/crypto/ecdsa/ecs_lib.c +++ b/crypto/ecdsa/ecs_lib.c @@ -200,8 +200,15 @@ ECDSA_DATA *ecdsa_check(EC_KEY *key) ecdsa_data = (ECDSA_DATA *)ecdsa_data_new(); if (ecdsa_data == NULL) return NULL; - EC_KEY_insert_key_method_data(key, (void *)ecdsa_data, - ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free); + data = EC_KEY_insert_key_method_data(key, (void *)ecdsa_data, + ecdsa_data_dup, ecdsa_data_free, ecdsa_data_free); + if (data != NULL) + { + /* Another thread raced us to install the key_method + * data and won. */ + ecdsa_data_free(ecdsa_data); + ecdsa_data = (ECDSA_DATA *)data; + } } else ecdsa_data = (ECDSA_DATA *)data; 
diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index bd8946d..8eb547d 100644 --- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -64,7 +64,9 @@ #endif #include #include +#ifndef OPENSSL_NO_COMP #include +#endif #ifndef OPENSSL_NO_RSA #include #endif @@ -95,6 +97,9 @@ #include #include #include +#ifdef OPENSSL_FIPS +#include +#endif #include #ifndef OPENSSL_NO_CMS #include @@ -102,11 +107,6 @@ #ifndef OPENSSL_NO_JPAKE #include #endif -#include - -#ifdef OPENSSL_FIPS -#include -#endif void ERR_load_crypto_strings(void) { @@ -130,7 +130,9 @@ void ERR_load_crypto_strings(void) ERR_load_ASN1_strings(); ERR_load_CONF_strings(); ERR_load_CRYPTO_strings(); +#ifndef OPENSSL_NO_COMP ERR_load_COMP_strings(); +#endif #ifndef OPENSSL_NO_EC ERR_load_EC_strings(); #endif @@ -153,15 +155,14 @@ void ERR_load_crypto_strings(void) #endif ERR_load_OCSP_strings(); ERR_load_UI_strings(); +#ifdef OPENSSL_FIPS + ERR_load_FIPS_strings(); +#endif #ifndef OPENSSL_NO_CMS ERR_load_CMS_strings(); #endif #ifndef OPENSSL_NO_JPAKE ERR_load_JPAKE_strings(); #endif - ERR_load_COMP_strings(); -#endif -#ifdef OPENSSL_FIPS - ERR_load_FIPS_strings(); #endif } diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c index e230e60..2a45d43 100644 --- a/crypto/evp/c_allc.c +++ b/crypto/evp/c_allc.c @@ -195,13 +195,11 @@ void OpenSSL_add_all_ciphers(void) EVP_add_cipher(EVP_aes_256_xts()); EVP_add_cipher_alias(SN_aes_256_cbc,"AES256"); EVP_add_cipher_alias(SN_aes_256_cbc,"aes256"); -#if 0 /* Disabled because of timing side-channel leaks. */ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); #endif #endif -#endif #ifndef OPENSSL_NO_CAMELLIA EVP_add_cipher(EVP_camellia_128_ecb()); diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index 467e6b5..6fc469f 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c 
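Review bot: Removing the `#if 0 /* Disabled because of timing side-channel leaks. */` guard in OpenSSL_add_all_ciphers re-registers EVP_aes_128_cbc_hmac_sha1 and EVP_aes_256_cbc_hmac_sha1, and the only thing that makes that acceptable is the constant-time TLS MAC/padding check rewritten in e_aes_cbc_hmac_sha1.c in this same commit; nothing at the registration site records that dependency. I would leave a marker next to the two `EVP_add_cipher` calls, e.g. `/* stitched AES-CBC+HMAC-SHA1: only safe with the constant-time TLS decrypt path in e_aes_cbc_hmac_sha1.c; do not re-enable on a tree that lacks it */`, so that a future cherry-pick of this file alone does not quietly bring back the leaky variant. The `#if` closed by the second remaining `#endif` is outside the hunk.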
@@ -267,6 +267,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size) return FIPS_digestfinal(ctx, md, size); #else int ret; + OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); ret=ctx->digest->final(ctx,md); if (size != NULL) diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 1e4af0c..1bfb5d9 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -969,8 +969,6 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, if (!gctx->iv_set) return -1; - if (!ctx->encrypt && gctx->taglen < 0) - return -1; if (in) { if (out == NULL) @@ -1012,6 +1010,8 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, { if (!ctx->encrypt) { + if (gctx->taglen < 0) + return -1; if (CRYPTO_gcm128_finish(&gctx->gcm, ctx->buf, gctx->taglen) != 0) return -1; @@ -1217,6 +1217,7 @@ static int aes_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, vpaes_set_encrypt_key(key, ctx->key_len*8, &cctx->ks); CRYPTO_ccm128_init(&cctx->ccm, cctx->M, cctx->L, &cctx->ks, (block128_f)vpaes_encrypt); + cctx->str = NULL; cctx->key_set = 1; break; } diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index 710fb79..b7aff44 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -1,5 +1,5 @@ /* ==================================================================== - * Copyright (c) 2011 The OpenSSL Project. All rights reserved. + * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -90,6 +90,10 @@ typedef struct defined(_M_AMD64) || defined(_M_X64) || \ defined(__INTEL__) ) +#if defined(__GNUC__) && __GNUC__>=2 && !defined(PEDANTIC) +# define BSWAP(x) ({ unsigned int r=(x); asm ("bswapl %0":"=r"(r):"0"(r)); r; }) +#endif + extern unsigned int OPENSSL_ia32cap_P[2]; #define AESNI_CAPABLE (1<<(57-32)) 
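Review bot: The new `OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE)` in EVP_DigestFinal_ex aborts the process instead of returning an error, and nothing on the line says why that is the right response. A short comment would: `/* md is a caller buffer sized EVP_MAX_MD_SIZE by API contract; a larger md_size (e.g. from a misbehaving ENGINE digest) would overflow it, so fail hard rather than write past it */`. The `FIPS_digestfinal` branch just above and the rest of the function are outside the hunk.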
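Review bot: Moving the `gctx->taglen < 0` rejection from the entry of aes_gcm_cipher into the `CRYPTO_gcm128_finish` branch changes when a missing tag is detected: decrypt calls with `in != NULL` now run and write plaintext to `out` before any tag has been set, and only the finalising call fails. That is presumably intentional (it lets the tag be supplied after the ciphertext with EVP_CTRL_GCM_SET_TAG), but the second hunk should say so: `/* the tag may be set after the data (EVP_CTRL_GCM_SET_TAG), so only the finalising call requires it */`, together with a reminder that callers must discard plaintext obtained before the final call returns 1. In the CCM hunk `cctx->str = NULL` is added for the vpaes path only; whether the other key-setup branches initialise `str` is outside the hunk.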
@@ -167,6 +171,9 @@ static void sha1_update(SHA_CTX *c,const void *data,size_t len) SHA1_Update(c,ptr,res); } +#ifdef SHA1_Update +#undef SHA1_Update +#endif #define SHA1_Update sha1_update static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, @@ -184,6 +191,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, sha_off = SHA_CBLOCK-key->md.num; #endif + key->payload_length = NO_PAYLOAD_LENGTH; + if (len%AES_BLOCK_SIZE) return 0; if (ctx->encrypt) { 
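Review bot: `key->payload_length = NO_PAYLOAD_LENGTH;` is now reset at the top of aesni_cbc_hmac_sha1_cipher, ahead of the `len%AES_BLOCK_SIZE` rejection, instead of at the end of the function, which means a TLS payload length set by the AAD ctrl is consumed by exactly one cipher call even when that call fails early. That is the kind of ordering a later edit will undo without noticing, so it deserves a comment on the assignment: `/* consume the length set by EVP_CTRL_AEAD_TLS1_AAD now; it must not survive into the next call, even on early return */`. The read of `plen` from `key->payload_length` is outside the hunk, so the consumer is inferred from the name.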
@@ -234,47 +243,203 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, &key->ks,ctx->iv,1); } } else { - unsigned char mac[SHA_DIGEST_LENGTH]; + union { unsigned int u[SHA_DIGEST_LENGTH/sizeof(unsigned int)]; + unsigned char c[SHA_DIGEST_LENGTH]; } mac; /* decrypt HMAC|padding at once */ aesni_cbc_encrypt(in,out,len, &key->ks,ctx->iv,0); if (plen) { /* "TLS" mode of operation */ - /* figure out payload length */ - if (len<(size_t)(out[len-1]+1+SHA_DIGEST_LENGTH)) - return 0; - - len -= (out[len-1]+1+SHA_DIGEST_LENGTH); + size_t inp_len, mask, j, i; + unsigned int res, maxpad, pad, bitlen; + int ret = 1; + union { unsigned int u[SHA_LBLOCK]; + unsigned char c[SHA_CBLOCK]; } + *data = (void *)key->md.data; if ((key->aux.tls_aad[plen-4]<<8|key->aux.tls_aad[plen-3]) - >= TLS1_1_VERSION) { - len -= AES_BLOCK_SIZE; + >= TLS1_1_VERSION) iv = AES_BLOCK_SIZE; - } - key->aux.tls_aad[plen-2] = len>>8; - key->aux.tls_aad[plen-1] = len; + if (len<(iv+SHA_DIGEST_LENGTH+1)) + return 0; + + /* omit explicit iv */ + out += iv; + len -= iv; + + /* figure out payload length */ + pad = out[len-1]; + maxpad = len-(SHA_DIGEST_LENGTH+1); + maxpad |= (255-maxpad)>>(sizeof(maxpad)*8-8); + maxpad &= 255; + + inp_len = len - (SHA_DIGEST_LENGTH+pad+1); + mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1))); + inp_len &= mask; + ret &= (int)mask; - /* calculate HMAC and verify it */ + key->aux.tls_aad[plen-2] = inp_len>>8; + key->aux.tls_aad[plen-1] = inp_len; + + /* calculate HMAC */ key->md = key->head; SHA1_Update(&key->md,key->aux.tls_aad,plen); - SHA1_Update(&key->md,out+iv,len); - SHA1_Final(mac,&key->md); +#if 1 + len -= SHA_DIGEST_LENGTH; /* amend mac */ + if (len>=(256+SHA_CBLOCK)) { + j = (len-(256+SHA_CBLOCK))&(0-SHA_CBLOCK); + j += SHA_CBLOCK-key->md.num; + SHA1_Update(&key->md,out,j); + out += j; + len -= j; + inp_len -= j; + } + + /* but pretend as if we hashed padded payload */ + bitlen = key->md.Nl+(inp_len<<3); /* at most 18 bits */ + mac.c[0] = 0; 
+ mac.c[1] = (unsigned char)(bitlen>>16); + mac.c[2] = (unsigned char)(bitlen>>8); + mac.c[3] = (unsigned char)bitlen; + bitlen = mac.u[0]; + + mac.u[0]=0; + mac.u[1]=0; + mac.u[2]=0; + mac.u[3]=0; + mac.u[4]=0; + + for (res=key->md.num, j=0;j>(sizeof(j)*8-8); + c &= mask; + c |= 0x80&~mask&~((inp_len-j)>>(sizeof(j)*8-8)); + data->c[res++]=(unsigned char)c; + + if (res!=SHA_CBLOCK) continue; + + mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); + data->u[SHA_LBLOCK-1] |= bitlen&mask; + sha1_block_data_order(&key->md,data,1); + mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); + mac.u[0] |= key->md.h0 & mask; + mac.u[1] |= key->md.h1 & mask; + mac.u[2] |= key->md.h2 & mask; + mac.u[3] |= key->md.h3 & mask; + mac.u[4] |= key->md.h4 & mask; + res=0; + } + + for(i=res;ic[i]=0; + + if (res>SHA_CBLOCK-8) { + mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1)); + data->u[SHA_LBLOCK-1] |= bitlen&mask; + sha1_block_data_order(&key->md,data,1); + mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1)); + mac.u[0] |= key->md.h0 & mask; + mac.u[1] |= key->md.h1 & mask; + mac.u[2] |= key->md.h2 & mask; + mac.u[3] |= key->md.h3 & mask; + mac.u[4] |= key->md.h4 & mask; + + memset(data,0,SHA_CBLOCK); + j+=64; + } + data->u[SHA_LBLOCK-1] = bitlen; + sha1_block_data_order(&key->md,data,1); + mask = 0-((j-inp_len-73)>>(sizeof(j)*8-1)); + mac.u[0] |= key->md.h0 & mask; + mac.u[1] |= key->md.h1 & mask; + mac.u[2] |= key->md.h2 & mask; + mac.u[3] |= key->md.h3 & mask; + mac.u[4] |= key->md.h4 & mask; + +#ifdef BSWAP + mac.u[0] = BSWAP(mac.u[0]); + mac.u[1] = BSWAP(mac.u[1]); + mac.u[2] = BSWAP(mac.u[2]); + mac.u[3] = BSWAP(mac.u[3]); + mac.u[4] = BSWAP(mac.u[4]); +#else + for (i=0;i<5;i++) { + res = mac.u[i]; + mac.c[4*i+0]=(unsigned char)(res>>24); + mac.c[4*i+1]=(unsigned char)(res>>16); + mac.c[4*i+2]=(unsigned char)(res>>8); + mac.c[4*i+3]=(unsigned char)res; + } +#endif + len += SHA_DIGEST_LENGTH; +#else + SHA1_Update(&key->md,out,inp_len); + res = key->md.num; + SHA1_Final(mac.c,&key->md); + + { + unsigned int 
inp_blocks, pad_blocks; + + /* but pretend as if we hashed padded payload */ + inp_blocks = 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1)); + res += (unsigned int)(len-inp_len); + pad_blocks = res / SHA_CBLOCK; + res %= SHA_CBLOCK; + pad_blocks += 1+((SHA_CBLOCK-9-res)>>(sizeof(res)*8-1)); + for (;inp_blocksmd,data,1); + } +#endif key->md = key->tail; - SHA1_Update(&key->md,mac,SHA_DIGEST_LENGTH); - SHA1_Final(mac,&key->md); + SHA1_Update(&key->md,mac.c,SHA_DIGEST_LENGTH); + SHA1_Final(mac.c,&key->md); - if (memcmp(out+iv+len,mac,SHA_DIGEST_LENGTH)) - return 0; + /* verify HMAC */ + out += inp_len; + len -= inp_len; +#if 1 + { + unsigned char *p = out+len-1-maxpad-SHA_DIGEST_LENGTH; + size_t off = out-p; + unsigned int c, cmask; + + maxpad += SHA_DIGEST_LENGTH; + for (res=0,i=0,j=0;j>(sizeof(int)*8-1); + res |= (c^pad)&~cmask; /* ... and padding */ + cmask &= ((int)(off-1-j))>>(sizeof(int)*8-1); + res |= (c^mac.c[i])&cmask; + i += 1&cmask; + } + maxpad -= SHA_DIGEST_LENGTH; + + res = 0-((0-res)>>(sizeof(res)*8-1)); + ret &= (int)~res; + } +#else + for (res=0,i=0;i>(sizeof(res)*8-1)); + ret &= (int)~res; + + /* verify padding */ + pad = (pad&~res) | (maxpad&res); + out = out+len-1-pad; + for (res=0,i=0;i>(sizeof(res)*8-1); + ret &= (int)~res; +#endif + return ret; } else { SHA1_Update(&key->md,out,len); } } - key->payload_length = NO_PAYLOAD_LENGTH; - return 1; } @@ -309,6 +474,8 @@ static int aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void SHA1_Init(&key->tail); SHA1_Update(&key->tail,hmac_key,sizeof(hmac_key)); + OPENSSL_cleanse(hmac_key,sizeof(hmac_key)); + return 1; } case EVP_CTRL_AEAD_TLS1_AAD: diff --git a/crypto/evp/evp.h b/crypto/evp/evp.h index 8096a72..e43a58e 100644 --- a/crypto/evp/evp.h +++ b/crypto/evp/evp.h @@ -402,7 +402,6 @@ struct evp_cipher_st /* Length of tag for TLS */ #define EVP_GCM_TLS_TAG_LEN 16 - typedef struct evp_cipher_info_st { const EVP_CIPHER *cipher; 
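Review bot: If I read the arithmetic right, the clamp `mask = (0-((inp_len-len)>>(sizeof(inp_len)*8-1)));` that follows `inp_len = len - (SHA_DIGEST_LENGTH+pad+1);` never fires: `inp_len-len` equals `-(SHA_DIGEST_LENGTH+pad+1)` modulo the word size whether or not the subtraction wrapped, so its top bit is always set and `mask` is always all-ones; a `pad` larger than `maxpad` is then caught only by the later byte-compare window, after `out += inp_len` has already moved the pointer by the wrapped value. Deriving the mask from the two small quantities is well-defined and keeps the branch-free style: `mask = 0-(size_t)((pad-maxpad-1)>>(sizeof(pad)*8-1));` (all-ones exactly when `pad <= maxpad`). Separately, the `#if 1 … #else … #endif` pairs leave two complete MAC-side implementations in the function; the disabled one should either go or be gated by a named macro with a comment stating that the live variant is the one whose running time is independent of the padding length. Several lines of this hunk are garbled on this page (the loop headers around `j>(sizeof(j)*8-8)` and `for(i=res;ic[i]=0`), so I could not check those, and the enclosing function begins before the hunk.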
@@ -789,8 +788,8 @@ const EVP_CIPHER *EVP_aes_128_cfb128(void); # define EVP_aes_128_cfb EVP_aes_128_cfb128 const EVP_CIPHER *EVP_aes_128_ofb(void); const EVP_CIPHER *EVP_aes_128_ctr(void); -const EVP_CIPHER *EVP_aes_128_gcm(void); const EVP_CIPHER *EVP_aes_128_ccm(void); +const EVP_CIPHER *EVP_aes_128_gcm(void); const EVP_CIPHER *EVP_aes_128_xts(void); const EVP_CIPHER *EVP_aes_192_ecb(void); const EVP_CIPHER *EVP_aes_192_cbc(void); @@ -800,8 +799,8 @@ const EVP_CIPHER *EVP_aes_192_cfb128(void); # define EVP_aes_192_cfb EVP_aes_192_cfb128 const EVP_CIPHER *EVP_aes_192_ofb(void); const EVP_CIPHER *EVP_aes_192_ctr(void); -const EVP_CIPHER *EVP_aes_192_gcm(void); const EVP_CIPHER *EVP_aes_192_ccm(void); +const EVP_CIPHER *EVP_aes_192_gcm(void); const EVP_CIPHER *EVP_aes_256_ecb(void); const EVP_CIPHER *EVP_aes_256_cbc(void); const EVP_CIPHER *EVP_aes_256_cfb1(void); @@ -810,8 +809,8 @@ const EVP_CIPHER *EVP_aes_256_cfb128(void); # define EVP_aes_256_cfb EVP_aes_256_cfb128 const EVP_CIPHER *EVP_aes_256_ofb(void); const EVP_CIPHER *EVP_aes_256_ctr(void); -const EVP_CIPHER *EVP_aes_256_gcm(void); const EVP_CIPHER *EVP_aes_256_ccm(void); +const EVP_CIPHER *EVP_aes_256_gcm(void); const EVP_CIPHER *EVP_aes_256_xts(void); #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void); @@ -1244,6 +1243,8 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth, int (*ctrl_str)(EVP_PKEY_CTX *ctx, const char *type, const char *value)); +void EVP_add_alg_module(void); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. @@ -1258,6 +1259,7 @@ void ERR_load_EVP_strings(void); #define EVP_F_AES_INIT_KEY 133 #define EVP_F_AES_XTS 172 #define EVP_F_AES_XTS_CIPHER 175 +#define EVP_F_ALG_MODULE_INIT 177 #define EVP_F_CAMELLIA_INIT_KEY 159 #define EVP_F_CMAC_INIT 173 #define EVP_F_D2I_PKEY 100 
@@ -1351,15 +1353,19 @@ void ERR_load_EVP_strings(void); #define EVP_R_DIFFERENT_PARAMETERS 153 #define EVP_R_DISABLED_FOR_FIPS 163 #define EVP_R_ENCODE_ERROR 115 +#define EVP_R_ERROR_LOADING_SECTION 165 +#define EVP_R_ERROR_SETTING_FIPS_MODE 166 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 #define EVP_R_EXPECTING_AN_RSA_KEY 127 #define EVP_R_EXPECTING_A_DH_KEY 128 #define EVP_R_EXPECTING_A_DSA_KEY 129 #define EVP_R_EXPECTING_A_ECDSA_KEY 141 #define EVP_R_EXPECTING_A_EC_KEY 142 +#define EVP_R_FIPS_MODE_NOT_SUPPORTED 167 #define EVP_R_INITIALIZATION_ERROR 134 #define EVP_R_INPUT_NOT_INITIALIZED 111 #define EVP_R_INVALID_DIGEST 152 +#define EVP_R_INVALID_FIPS_MODE 168 #define EVP_R_INVALID_KEY_LENGTH 130 #define EVP_R_INVALID_OPERATION 148 #define EVP_R_IV_TOO_LARGE 102 @@ -1384,6 +1390,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_TOO_LARGE 164 #define EVP_R_UNKNOWN_CIPHER 160 #define EVP_R_UNKNOWN_DIGEST 161 +#define EVP_R_UNKNOWN_OPTION 169 #define EVP_R_UNKNOWN_PBE_ALGORITHM 121 #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135 #define EVP_R_UNSUPPORTED_ALGORITHM 156 diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c new file mode 100644 index 0000000..2e4db30 --- /dev/null +++ b/crypto/evp/evp_cnf.c 
@@ -0,0 +1,125 @@ +/* evp_cnf.c */ +/* Written by Stephen Henson (steve@openssl.org) for the OpenSSL + * project 2007. + */ +/* ==================================================================== + * Copyright (c) 2007 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + +#include +#include +#include +#include "cryptlib.h" +#include +#include +#include +#include +#ifdef OPENSSL_FIPS +#include +#endif + + +/* Algorithm configuration module. */ + +static int alg_module_init(CONF_IMODULE *md, const CONF *cnf) + { + int i; + const char *oid_section; + STACK_OF(CONF_VALUE) *sktmp; + CONF_VALUE *oval; + oid_section = CONF_imodule_get_value(md); + if(!(sktmp = NCONF_get_section(cnf, oid_section))) + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_LOADING_SECTION); + return 0; + } + for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) + { + oval = sk_CONF_VALUE_value(sktmp, i); + if (!strcmp(oval->name, "fips_mode")) + { + int m; + if (!X509V3_get_value_bool(oval, &m)) + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_INVALID_FIPS_MODE); + return 0; + } + if (m > 0) + { +#ifdef OPENSSL_FIPS + if (!FIPS_mode() && !FIPS_mode_set(1)) + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_ERROR_SETTING_FIPS_MODE); + return 0; + } +#else + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_FIPS_MODE_NOT_SUPPORTED); + return 0; +#endif + } + } + else + { + EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION); + ERR_add_error_data(4, "name=", oval->name, + ", value=", oval->value); + } + + } + 
return 1; + } + +void EVP_add_alg_module(void) + { + CONF_module_add("alg_section", alg_module_init, 0); + } diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index db0f76d..08eab98 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -75,6 +75,7 @@ static ERR_STRING_DATA EVP_str_functs[]= {ERR_FUNC(EVP_F_AES_INIT_KEY), "AES_INIT_KEY"}, {ERR_FUNC(EVP_F_AES_XTS), "AES_XTS"}, {ERR_FUNC(EVP_F_AES_XTS_CIPHER), "AES_XTS_CIPHER"}, +{ERR_FUNC(EVP_F_ALG_MODULE_INIT), "ALG_MODULE_INIT"}, {ERR_FUNC(EVP_F_CAMELLIA_INIT_KEY), "CAMELLIA_INIT_KEY"}, {ERR_FUNC(EVP_F_CMAC_INIT), "CMAC_INIT"}, {ERR_FUNC(EVP_F_D2I_PKEY), "D2I_PKEY"}, @@ -171,15 +172,19 @@ static ERR_STRING_DATA EVP_str_reasons[]= {ERR_REASON(EVP_R_DIFFERENT_PARAMETERS) ,"different parameters"}, {ERR_REASON(EVP_R_DISABLED_FOR_FIPS) ,"disabled for fips"}, {ERR_REASON(EVP_R_ENCODE_ERROR) ,"encode error"}, +{ERR_REASON(EVP_R_ERROR_LOADING_SECTION) ,"error loading section"}, +{ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE),"error setting fips mode"}, {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR),"evp pbe cipherinit error"}, {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) ,"expecting an rsa key"}, {ERR_REASON(EVP_R_EXPECTING_A_DH_KEY) ,"expecting a dh key"}, {ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY) ,"expecting a dsa key"}, {ERR_REASON(EVP_R_EXPECTING_A_ECDSA_KEY) ,"expecting a ecdsa key"}, {ERR_REASON(EVP_R_EXPECTING_A_EC_KEY) ,"expecting a ec key"}, +{ERR_REASON(EVP_R_FIPS_MODE_NOT_SUPPORTED),"fips mode not supported"}, {ERR_REASON(EVP_R_INITIALIZATION_ERROR) ,"initialization error"}, {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) ,"input not initialized"}, {ERR_REASON(EVP_R_INVALID_DIGEST) ,"invalid digest"}, +{ERR_REASON(EVP_R_INVALID_FIPS_MODE) ,"invalid fips mode"}, {ERR_REASON(EVP_R_INVALID_KEY_LENGTH) ,"invalid key length"}, {ERR_REASON(EVP_R_INVALID_OPERATION) ,"invalid operation"}, {ERR_REASON(EVP_R_IV_TOO_LARGE) ,"iv too large"}, 
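Review bot: In alg_module_init the unknown-option branch calls `EVPerr(EVP_F_ALG_MODULE_INIT, EVP_R_UNKNOWN_OPTION)` and `ERR_add_error_data(...)` but then falls out of the loop to `return 1;`, so a successful load leaves an EVP error on the error queue; a caller that inspects the queue after CONF_modules_load will mistake a misspelt key for a failure even though the module reported success. Either make it fatal like the other branches, `return 0;` after the ERR_add_error_data call, or drop the EVPerr and ignore the unknown key silently; the half-way state is the worst of both. The `#include` lines at the top of this new file have lost their `<...>` targets in this rendering, so I could not verify them.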
@@ -204,6 +209,7 @@ static ERR_STRING_DATA EVP_str_reasons[]= {ERR_REASON(EVP_R_TOO_LARGE) ,"too large"}, {ERR_REASON(EVP_R_UNKNOWN_CIPHER) ,"unknown cipher"}, {ERR_REASON(EVP_R_UNKNOWN_DIGEST) ,"unknown digest"}, +{ERR_REASON(EVP_R_UNKNOWN_OPTION) ,"unknown option"}, {ERR_REASON(EVP_R_UNKNOWN_PBE_ALGORITHM) ,"unknown pbe algorithm"}, {ERR_REASON(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS),"unsuported number of rounds"}, {ERR_REASON(EVP_R_UNSUPPORTED_ALGORITHM) ,"unsupported algorithm"}, diff --git a/crypto/evp/m_dss.c b/crypto/evp/m_dss.c index 4ad63ad..6fb7e9a 100644 --- a/crypto/evp/m_dss.c +++ b/crypto/evp/m_dss.c @@ -60,7 +60,7 @@ #include "cryptlib.h" #include #include -#include +#include #ifndef OPENSSL_NO_DSA #include #endif diff --git a/crypto/evp/m_dss1.c b/crypto/evp/m_dss1.c index f80170e..2df362a 100644 --- a/crypto/evp/m_dss1.c +++ b/crypto/evp/m_dss1.c @@ -63,7 +63,7 @@ #include #include -#include +#include #ifndef OPENSSL_NO_DSA #include #endif diff --git a/crypto/evp/m_sha1.c b/crypto/evp/m_sha1.c index 3cb11f1..bd0c01a 100644 --- a/crypto/evp/m_sha1.c +++ b/crypto/evp/m_sha1.c @@ -65,7 +65,7 @@ #include #include -#include +#include #ifndef OPENSSL_NO_RSA #include #endif diff --git a/crypto/evp/p_sign.c b/crypto/evp/p_sign.c index dfa48c1..8afb664 100644 --- a/crypto/evp/p_sign.c +++ b/crypto/evp/p_sign.c @@ -80,7 +80,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen, { unsigned char m[EVP_MAX_MD_SIZE]; unsigned int m_len; - int i=0,ok=0,v; + int i = 0,ok = 0,v; EVP_MD_CTX tmp_ctx; EVP_PKEY_CTX *pkctx = NULL; diff --git a/crypto/evp/p_verify.c b/crypto/evp/p_verify.c index 5f5c409..c66d63c 100644 --- a/crypto/evp/p_verify.c +++ b/crypto/evp/p_verify.c @@ -67,7 +67,7 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf, { unsigned char m[EVP_MAX_MD_SIZE]; unsigned int m_len; - int i=-1,ok=0,v; + int i = 0,ok = 0,v; EVP_MD_CTX tmp_ctx; EVP_PKEY_CTX *pkctx = NULL; 
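Review bot: In EVP_VerifyFinal the initialiser changes from `int i=-1` to `int i = 0`, which is not the whitespace-only change the matching p_sign.c hunk is: `i` is what the function returns, and with -1 meaning "error" and 0 meaning "signature does not verify", any early-exit path that returns `i` before verification has run now reports a bad signature instead of an error. That is fail-closed for callers testing `!= 1`, but it hides the distinction from callers that branch on `< 0`; if the change is intended, say so on the line (`/* 0 rather than -1: report setup failures as verification failure */`), otherwise keep -1. The early-exit paths themselves are outside the hunk, so the impact is inferred from the declaration alone.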
diff --git a/crypto/md4/md4_dgst.c b/crypto/md4/md4_dgst.c index 82c2cb2..b5b165b 100644 --- a/crypto/md4/md4_dgst.c +++ b/crypto/md4/md4_dgst.c 
@@ -106,22 +106,23 @@ void md4_block_data_order (MD4_CTX *c, const void *data_, size_t num) for (;num--;) { - HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l; + (void)HOST_c2l(data,l); X( 0)=l; + (void)HOST_c2l(data,l); X( 1)=l; /* Round 0 */ - R0(A,B,C,D,X( 0), 3,0); HOST_c2l(data,l); X( 2)=l; - R0(D,A,B,C,X( 1), 7,0); HOST_c2l(data,l); X( 3)=l; - R0(C,D,A,B,X( 2),11,0); HOST_c2l(data,l); X( 4)=l; - R0(B,C,D,A,X( 3),19,0); HOST_c2l(data,l); X( 5)=l; - R0(A,B,C,D,X( 4), 3,0); HOST_c2l(data,l); X( 6)=l; - R0(D,A,B,C,X( 5), 7,0); HOST_c2l(data,l); X( 7)=l; - R0(C,D,A,B,X( 6),11,0); HOST_c2l(data,l); X( 8)=l; - R0(B,C,D,A,X( 7),19,0); HOST_c2l(data,l); X( 9)=l; - R0(A,B,C,D,X( 8), 3,0); HOST_c2l(data,l); X(10)=l; - R0(D,A,B,C,X( 9), 7,0); HOST_c2l(data,l); X(11)=l; - R0(C,D,A,B,X(10),11,0); HOST_c2l(data,l); X(12)=l; - R0(B,C,D,A,X(11),19,0); HOST_c2l(data,l); X(13)=l; - R0(A,B,C,D,X(12), 3,0); HOST_c2l(data,l); X(14)=l; - R0(D,A,B,C,X(13), 7,0); HOST_c2l(data,l); X(15)=l; + R0(A,B,C,D,X( 0), 3,0); (void)HOST_c2l(data,l); X( 2)=l; + R0(D,A,B,C,X( 1), 7,0); (void)HOST_c2l(data,l); X( 3)=l; + R0(C,D,A,B,X( 2),11,0); (void)HOST_c2l(data,l); X( 4)=l; + R0(B,C,D,A,X( 3),19,0); (void)HOST_c2l(data,l); X( 5)=l; + R0(A,B,C,D,X( 4), 3,0); (void)HOST_c2l(data,l); X( 6)=l; + R0(D,A,B,C,X( 5), 7,0); (void)HOST_c2l(data,l); X( 7)=l; + R0(C,D,A,B,X( 6),11,0); (void)HOST_c2l(data,l); X( 8)=l; + R0(B,C,D,A,X( 7),19,0); (void)HOST_c2l(data,l); X( 9)=l; + R0(A,B,C,D,X( 8), 3,0); (void)HOST_c2l(data,l); X(10)=l; + R0(D,A,B,C,X( 9), 7,0); (void)HOST_c2l(data,l); X(11)=l; + R0(C,D,A,B,X(10),11,0); (void)HOST_c2l(data,l); X(12)=l; + R0(B,C,D,A,X(11),19,0); (void)HOST_c2l(data,l); X(13)=l; + R0(A,B,C,D,X(12), 3,0); (void)HOST_c2l(data,l); X(14)=l; + R0(D,A,B,C,X(13), 7,0); (void)HOST_c2l(data,l); X(15)=l; R0(C,D,A,B,X(14),11,0); R0(B,C,D,A,X(15),19,0); /* Round 1 */ diff --git a/crypto/md4/md4_locl.h b/crypto/md4/md4_locl.h index c8085b0..99c3e50 100644 --- a/crypto/md4/md4_locl.h 
+++ b/crypto/md4/md4_locl.h @@ -77,10 +77,10 @@ void md4_block_data_order (MD4_CTX *c, const void *p,size_t num); #define HASH_FINAL MD4_Final #define HASH_MAKE_STRING(c,s) do { \ unsigned long ll; \ - ll=(c)->A; HOST_l2c(ll,(s)); \ - ll=(c)->B; HOST_l2c(ll,(s)); \ - ll=(c)->C; HOST_l2c(ll,(s)); \ - ll=(c)->D; HOST_l2c(ll,(s)); \ + ll=(c)->A; (void)HOST_l2c(ll,(s)); \ + ll=(c)->B; (void)HOST_l2c(ll,(s)); \ + ll=(c)->C; (void)HOST_l2c(ll,(s)); \ + ll=(c)->D; (void)HOST_l2c(ll,(s)); \ } while (0) #define HASH_BLOCK_DATA_ORDER md4_block_data_order diff --git a/crypto/md5/asm/md5-x86_64.pl b/crypto/md5/asm/md5-x86_64.pl index 8678854..f11224d 100755 --- a/crypto/md5/asm/md5-x86_64.pl +++ b/crypto/md5/asm/md5-x86_64.pl @@ -120,7 +120,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlate; die "can't locate x86_64-xlate.pl"; no warnings qw(uninitialized); -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; $code .= <A; HOST_l2c(ll,(s)); \ - ll=(c)->B; HOST_l2c(ll,(s)); \ - ll=(c)->C; HOST_l2c(ll,(s)); \ - ll=(c)->D; HOST_l2c(ll,(s)); \ + ll=(c)->A; (void)HOST_l2c(ll,(s)); \ + ll=(c)->B; (void)HOST_l2c(ll,(s)); \ + ll=(c)->C; (void)HOST_l2c(ll,(s)); \ + ll=(c)->D; (void)HOST_l2c(ll,(s)); \ } while (0) #define HASH_BLOCK_DATA_ORDER md5_block_data_order diff --git a/crypto/mdc2/mdc2dgst.c b/crypto/mdc2/mdc2dgst.c index b74bb1a..d66ed6a 100644 --- a/crypto/mdc2/mdc2dgst.c +++ b/crypto/mdc2/mdc2dgst.c @@ -59,9 +59,9 @@ #include #include #include +#include #include #include -#include #undef c2l #define c2l(c,l) (l =((DES_LONG)(*((c)++))) , \ diff --git a/crypto/mem.c b/crypto/mem.c index 21c0011..1cc62ea 100644 --- a/crypto/mem.c +++ b/crypto/mem.c 
@@ -121,10 +121,10 @@ static void (*set_debug_options_func)(long) = NULL; static long (*get_debug_options_func)(void) = NULL; #endif - int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t), void (*f)(void *)) { + /* Dummy call just to ensure OPENSSL_init() gets linked in */ OPENSSL_init(); if (!allow_customize) return 0; diff --git a/crypto/modes/asm/ghash-x86.pl b/crypto/modes/asm/ghash-x86.pl index 6b09669..83c727e 100644 --- a/crypto/modes/asm/ghash-x86.pl +++ b/crypto/modes/asm/ghash-x86.pl @@ -635,7 +635,7 @@ sub mmx_loop() { { my @lo = ("mm0","mm1","mm2"); my @hi = ("mm3","mm4","mm5"); my @tmp = ("mm6","mm7"); - my $off1=0,$off2=0,$i; + my ($off1,$off2,$i) = (0,0,); &add ($Htbl,128); # optimize for size &lea ("edi",&DWP(16+128,"esp")); @@ -883,7 +883,7 @@ sub reduction_alg9 { # 17/13 times faster than Intel version my ($Xhi,$Xi) = @_; # 1st phase - &movdqa ($T1,$Xi) # + &movdqa ($T1,$Xi); # &psllq ($Xi,1); &pxor ($Xi,$T1); # &psllq ($Xi,5); # @@ -1019,7 +1019,7 @@ my ($Xhi,$Xi) = @_; &movdqa ($Xhn,$Xn); &pxor ($Xhi,$T1); # "Ii+Xi", consume early - &movdqa ($T1,$Xi) #&reduction_alg9($Xhi,$Xi); 1st phase + &movdqa ($T1,$Xi); #&reduction_alg9($Xhi,$Xi); 1st phase &psllq ($Xi,1); &pxor ($Xi,$T1); # &psllq ($Xi,5); # diff --git a/crypto/modes/asm/ghash-x86_64.pl b/crypto/modes/asm/ghash-x86_64.pl index a5ae180..38d779e 100644 --- a/crypto/modes/asm/ghash-x86_64.pl +++ b/crypto/modes/asm/ghash-x86_64.pl @@ -50,7 +50,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; # common register layout $nlo="%rax"; diff --git a/crypto/modes/gcm128.c b/crypto/modes/gcm128.c index 7d6d034..0e6ff8b 100644 --- a/crypto/modes/gcm128.c +++ b/crypto/modes/gcm128.c 
@@ -723,7 +723,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block) # endif gcm_init_4bit(ctx->Htable,ctx->H.u); # if defined(GHASH_ASM_X86) /* x86 only */ -# if defined(OPENSSL_IA32_SSE2) +# if defined(OPENSSL_IA32_SSE2) if (OPENSSL_ia32cap_P[0]&(1<<25)) { /* check SSE bit */ # else if (OPENSSL_ia32cap_P[0]&(1<<23)) { /* check MMX bit */ @@ -1398,7 +1398,7 @@ int CRYPTO_gcm128_finish(GCM128_CONTEXT *ctx,const unsigned char *tag, void (*gcm_gmult_p)(u64 Xi[2],const u128 Htable[16]) = ctx->gmult; #endif - if (ctx->mres) + if (ctx->mres || ctx->ares) GCM_MUL(ctx,Xi); if (is_endian.little) { diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c index 84380a9..4a548c2 100644 --- a/crypto/objects/o_names.c +++ b/crypto/objects/o_names.c @@ -73,7 +73,7 @@ int OBJ_NAME_new_index(unsigned long (*hash_func)(const char *), name_funcs_stack=sk_NAME_FUNCS_new_null(); MemCheck_on(); } - if ((name_funcs_stack == NULL)) + if (name_funcs_stack == NULL) { /* ERROR */ return(0); diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 415d67e..2767183 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -91,9 +91,12 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, { EVP_PKEY *skey; skey = X509_get_pubkey(signer); - ret = OCSP_BASICRESP_verify(bs, skey, 0); - EVP_PKEY_free(skey); - if(ret <= 0) + if (skey) + { + ret = OCSP_BASICRESP_verify(bs, skey, 0); + EVP_PKEY_free(skey); + } + if(!skey || ret <= 0) { OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, OCSP_R_SIGNATURE_FAILURE); goto end; @@ -108,6 +111,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs); if(!init_res) { + ret = -1; OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB); goto end; } diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 71be359..dbea4ad 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h 
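Review bot: The new `ctx->ares` term in CRYPTO_gcm128_finish has no comment, and the condition is easy to regress because the two field names say nothing about why both matter. Presumably `ares` is the residue of a partial AAD block, in which case a message with AAD that is not a multiple of the block size and no ciphertext would, without this term, skip the final GCM_MUL and produce a tag that does not match the specification. Suggest `/* fold any partial AAD block (ares) or data block (mres) into Xi before the length block */` above the `if`. The function body continues outside the hunk.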
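Review bot: On the `!skey` path in OCSP_basic_verify, `ret` is never assigned, so whatever it held before the hunk (the function's start is outside this view) is what `goto end` returns after OCSP_R_SIGNATURE_FAILURE has been queued; if that earlier value is positive, a response whose signer has no usable public key is reported as verified. The second hunk of this file sets `ret = -1;` before its own `goto end`, so the consistent fix is the same explicit value here: `if (skey) { ... } else ret = -1;` ahead of the combined check.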
@@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x1000103fL +#define OPENSSL_VERSION_NUMBER 0x1000104fL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c-fips 10 May 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1d-fips 5 Feb 2013" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c 10 May 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1d 5 Feb 2013" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c index 3e7a609..eac0460 100644 --- a/crypto/pem/pem_all.c +++ b/crypto/pem/pem_all.c 
@@ -193,7 +193,61 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb, #endif +#ifdef OPENSSL_FIPS + +int PEM_write_bio_RSAPrivateKey(BIO *bp, RSA *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + if (FIPS_mode()) + { + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_RSA(k, x); + + ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; + } + else + return PEM_ASN1_write_bio((i2d_of_void *)i2d_RSAPrivateKey, + PEM_STRING_RSA,bp,x,enc,kstr,klen,cb,u); +} + +#ifndef OPENSSL_NO_FP_API +int PEM_write_RSAPrivateKey(FILE *fp, RSA *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + if (FIPS_mode()) + { + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + + EVP_PKEY_set1_RSA(k, x); + + ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; + } + else + return PEM_ASN1_write((i2d_of_void *)i2d_RSAPrivateKey, + PEM_STRING_RSA,fp,x,enc,kstr,klen,cb,u); +} +#endif + +#else + IMPLEMENT_PEM_write_cb_const(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey) + +#endif + IMPLEMENT_PEM_rw_const(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey) IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY) 
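Review bot: In the new FIPS branches of PEM_write_bio_RSAPrivateKey and PEM_write_RSAPrivateKey the return value of `EVP_PKEY_set1_RSA(k, x)` is discarded, so a failure (a NULL `x` included) continues into PEM_write_bio_PrivateKey with an empty EVP_PKEY and the error the caller sees comes from the wrong layer. Checking it keeps the cleanup symmetric: `if (!EVP_PKEY_set1_RSA(k, x)) { EVP_PKEY_free(k); return 0; }`. The DSA and EC_KEY hunks that follow have the same gap with EVP_PKEY_set1_DSA and EVP_PKEY_set1_EC_KEY, and the six functions differ only in the set1 call and the i2d/PEM_STRING pair, so one static helper taking an EVP_PKEY and a fallback i2d would remove the duplication.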
@@ -223,7 +277,59 @@ DSA *PEM_read_bio_DSAPrivateKey(BIO *bp, DSA **dsa, pem_password_cb *cb, return pkey_get_dsa(pktmp, dsa); /* will free pktmp */ } +#ifdef OPENSSL_FIPS + +int PEM_write_bio_DSAPrivateKey(BIO *bp, DSA *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + if (FIPS_mode()) + { + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_DSA(k, x); + + ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; + } + else + return PEM_ASN1_write_bio((i2d_of_void *)i2d_DSAPrivateKey, + PEM_STRING_DSA,bp,x,enc,kstr,klen,cb,u); +} + +#ifndef OPENSSL_NO_FP_API +int PEM_write_DSAPrivateKey(FILE *fp, DSA *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + if (FIPS_mode()) + { + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_DSA(k, x); + ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; + } + else + return PEM_ASN1_write((i2d_of_void *)i2d_DSAPrivateKey, + PEM_STRING_DSA,fp,x,enc,kstr,klen,cb,u); +} +#endif + +#else + IMPLEMENT_PEM_write_cb_const(DSAPrivateKey, DSA, PEM_STRING_DSA, DSAPrivateKey) + +#endif + IMPLEMENT_PEM_rw(DSA_PUBKEY, DSA, PEM_STRING_PUBLIC, DSA_PUBKEY) #ifndef OPENSSL_NO_FP_API 
@@ -269,8 +375,63 @@ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *bp, EC_KEY **key, pem_password_cb *cb, IMPLEMENT_PEM_rw_const(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS, ECPKParameters) + + +#ifdef OPENSSL_FIPS + +int PEM_write_bio_ECPrivateKey(BIO *bp, EC_KEY *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + if (FIPS_mode()) + { + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_EC_KEY(k, x); + + ret = PEM_write_bio_PrivateKey(bp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; + } + else + return PEM_ASN1_write_bio((i2d_of_void *)i2d_ECPrivateKey, + PEM_STRING_ECPRIVATEKEY, + bp,x,enc,kstr,klen,cb,u); +} + +#ifndef OPENSSL_NO_FP_API +int PEM_write_ECPrivateKey(FILE *fp, EC_KEY *x, const EVP_CIPHER *enc, + unsigned char *kstr, int klen, + pem_password_cb *cb, void *u) +{ + if (FIPS_mode()) + { + EVP_PKEY *k; + int ret; + k = EVP_PKEY_new(); + if (!k) + return 0; + EVP_PKEY_set1_EC_KEY(k, x); + ret = PEM_write_PrivateKey(fp, k, enc, kstr, klen, cb, u); + EVP_PKEY_free(k); + return ret; + } + else + return PEM_ASN1_write((i2d_of_void *)i2d_ECPrivateKey, + PEM_STRING_ECPRIVATEKEY, + fp,x,enc,kstr,klen,cb,u); +} +#endif + +#else + IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY, ECPrivateKey) +#endif + IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY) #ifndef OPENSSL_NO_FP_API diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index cfc89a9..5a421fc 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -394,7 +394,8 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, goto err; /* The 'iv' is used as the iv and as a salt. It is * NOT taken from the BytesToKey function */ - EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL); + if (!EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL)) + goto err; if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE); 
@@ -406,12 +407,15 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, /* k=strlen(buf); */ EVP_CIPHER_CTX_init(&ctx); - EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv); - EVP_EncryptUpdate(&ctx,data,&j,data,i); - EVP_EncryptFinal_ex(&ctx,&(data[j]),&i); + ret = 1; + if (!EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv) + || !EVP_EncryptUpdate(&ctx,data,&j,data,i) + || !EVP_EncryptFinal_ex(&ctx,&(data[j]),&i)) + ret = 0; EVP_CIPHER_CTX_cleanup(&ctx); + if (ret == 0) + goto err; i+=j; - ret=1; } else { @@ -459,14 +463,17 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, ebcdic2ascii(buf, buf, klen); #endif - EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]), - (unsigned char *)buf,klen,1,key,NULL); + if (!EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]), + (unsigned char *)buf,klen,1,key,NULL)) + return 0; j=(int)len; EVP_CIPHER_CTX_init(&ctx); - EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0])); - EVP_DecryptUpdate(&ctx,data,&i,data,j); - o=EVP_DecryptFinal_ex(&ctx,&(data[i]),&j); + o = EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0])); + if (o) + o = EVP_DecryptUpdate(&ctx,data,&i,data,j); + if (o) + o = EVP_DecryptFinal_ex(&ctx,&(data[i]),&j); EVP_CIPHER_CTX_cleanup(&ctx); OPENSSL_cleanse((char *)buf,sizeof(buf)); OPENSSL_cleanse((char *)key,sizeof(key)); diff --git a/crypto/pem/pem_seal.c b/crypto/pem/pem_seal.c index 59690b5..b6b4e13 100644 --- a/crypto/pem/pem_seal.c +++ b/crypto/pem/pem_seal.c @@ -96,7 +96,8 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type, EVP_EncodeInit(&ctx->encode); EVP_MD_CTX_init(&ctx->md); - EVP_SignInit(&ctx->md,md_type); + if (!EVP_SignInit(&ctx->md,md_type)) + goto err; EVP_CIPHER_CTX_init(&ctx->cipher); ret=EVP_SealInit(&ctx->cipher,type,ek,ekl,iv,pubk,npubk); 
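Review bot: The new `return 0` after a failed EVP_BytesToKey in PEM_do_header leaves the function before the two OPENSSL_cleanse calls at the end of the hunk, so the pass phrase sitting in `buf` (the same buffer the call hands to EVP_BytesToKey as the password) and anything already written into `key` stay on the stack; the old code always fell through to the cleanse. Scrub before leaving: `{ OPENSSL_cleanse((char *)buf,sizeof(buf)); OPENSSL_cleanse((char *)key,sizeof(key)); return 0; }`. The start of PEM_do_header is outside the hunk.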
@@ -163,7 +164,8 @@ int PEM_SealFinal(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *sig, int *sigl, goto err; } - EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i); + if (!EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i)) + goto err; EVP_EncodeUpdate(&ctx->encode,out,&j,s,i); *outl=j; out+=j; diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl index 6fc2510..24561e7 100644 --- a/crypto/perlasm/cbc.pl +++ b/crypto/perlasm/cbc.pl @@ -150,7 +150,7 @@ sub cbc &set_label("PIC_point"); &blindpop("edx"); &lea("ecx",&DWP(&label("cbc_enc_jmp_table")."-".&label("PIC_point"),"edx")); - &mov($count,&DWP(0,"ecx",$count,4)) + &mov($count,&DWP(0,"ecx",$count,4)); &add($count,"edx"); &xor("ecx","ecx"); &xor("edx","edx"); diff --git a/crypto/perlasm/x86masm.pl b/crypto/perlasm/x86masm.pl index 96b1b73..f937d07 100644 --- a/crypto/perlasm/x86masm.pl +++ b/crypto/perlasm/x86masm.pl @@ -33,6 +33,7 @@ sub ::generic sub ::call { &::emit("call",(&::islabel($_[0]) or "$nmdecor$_[0]")); } sub ::call_ptr { &::emit("call",@_); } sub ::jmp_ptr { &::emit("jmp",@_); } +sub ::lock { &::data_byte(0xf0); } sub get_mem { my($size,$addr,$reg1,$reg2,$idx)=@_; diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c index c55c7b6..61d5850 100644 --- a/crypto/pkcs12/p12_key.c +++ b/crypto/pkcs12/p12_key.c 
@@ -176,24 +176,32 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, out += u; for (j = 0; j < v; j++) B[j] = Ai[j % u]; /* Work out B + 1 first then can use B as tmp space */ - if (!BN_bin2bn (B, v, Bpl1)) goto err; - if (!BN_add_word (Bpl1, 1)) goto err; + if (!BN_bin2bn (B, v, Bpl1)) + goto err; + if (!BN_add_word (Bpl1, 1)) + goto err; for (j = 0; j < Ilen ; j+=v) { - if (!BN_bin2bn (I + j, v, Ij)) goto err; - if (!BN_add (Ij, Ij, Bpl1)) goto err; - BN_bn2bin (Ij, B); + if (!BN_bin2bn(I + j, v, Ij)) + goto err; + if (!BN_add(Ij, Ij, Bpl1)) + goto err; + if (!BN_bn2bin(Ij, B)) + goto err; Ijlen = BN_num_bytes (Ij); /* If more than 2^(v*8) - 1 cut off MSB */ if (Ijlen > v) { - BN_bn2bin (Ij, B); + if (!BN_bn2bin (Ij, B)) + goto err; memcpy (I + j, B + 1, v); #ifndef PKCS12_BROKEN_KEYGEN /* If less than v bytes pad with zeroes */ } else if (Ijlen < v) { memset(I + j, 0, v - Ijlen); - BN_bn2bin(Ij, I + j + v - Ijlen); + if (!BN_bn2bin(Ij, I + j + v - Ijlen)) + goto err; #endif - } else BN_bn2bin (Ij, I + j); + } else if (!BN_bn2bin (Ij, I + j)) + goto err; } } diff --git a/crypto/rand/md_rand.c b/crypto/rand/md_rand.c index fcdd3f2..1e3bcb9 100644 --- a/crypto/rand/md_rand.c +++ b/crypto/rand/md_rand.c @@ -123,10 +123,10 @@ #include "e_os.h" +#include #include #include "rand_lcl.h" -#include #include #ifdef BN_DEBUG diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c index daf1dab..476a0cd 100644 --- a/crypto/rand/rand_lib.c +++ b/crypto/rand/rand_lib.c @@ -210,8 +210,11 @@ static size_t drbg_get_entropy(DRBG_CTX *ctx, unsigned char **pout, static void drbg_free_entropy(DRBG_CTX *ctx, unsigned char *out, size_t olen) { - OPENSSL_cleanse(out, olen); - OPENSSL_free(out); + if (out) + { + OPENSSL_cleanse(out, olen); + OPENSSL_free(out); + } } /* Set "additional input" when generating random data. This uses the diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c index 030e07f..7f14280 100644 --- a/crypto/rand/randfile.c 
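Review bot: The added `if (!BN_bn2bin(...)) goto err;` guards in PKCS12_key_gen_uni cannot fire: BN_bn2bin returns the number of bytes written, which is 0 only for a zero BIGNUM, and `Ij` is a chunk of `I` plus `Bpl1`, which the hunk has just made at least 1 with BN_add_word. They are harmless, but they read as if BN_bn2bin had an error path and a later reader may rely on that; a comment on the first one such as `/* BN_bn2bin has no failure mode; Ij >= Bpl1 >= 1 so a 0 return cannot occur */` would say so, or the guards could be dropped. The enclosing loop's function starts before the hunk.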
+++ b/crypto/rand/randfile.c @@ -57,7 +57,9 @@ */ /* We need to define this to get macros like S_IFBLK and S_IFCHR */ +#if !defined(OPENSSL_SYS_VXWORKS) #define _XOPEN_SOURCE 500 +#endif #include #include diff --git a/crypto/rc4/asm/rc4-md5-x86_64.pl b/crypto/rc4/asm/rc4-md5-x86_64.pl index 7f68409..272fa91 100644 --- a/crypto/rc4/asm/rc4-md5-x86_64.pl +++ b/crypto/rc4/asm/rc4-md5-x86_64.pl @@ -51,7 +51,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; my $dir=$1; my $xlate; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; my ($dat,$in0,$out,$ctx,$inp,$len, $func,$nargs); diff --git a/crypto/rc4/asm/rc4-x86_64.pl b/crypto/rc4/asm/rc4-x86_64.pl index d6eac20..75750db 100755 --- a/crypto/rc4/asm/rc4-x86_64.pl +++ b/crypto/rc4/asm/rc4-x86_64.pl @@ -112,7 +112,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; $dat="%rdi"; # arg1 $len="%rsi"; # arg2 diff --git a/crypto/ripemd/rmd_dgst.c b/crypto/ripemd/rmd_dgst.c index 63f0d98..d8e72da 100644 --- a/crypto/ripemd/rmd_dgst.c +++ b/crypto/ripemd/rmd_dgst.c 
@@ -105,21 +105,21 @@ void ripemd160_block_data_order (RIPEMD160_CTX *ctx, const void *p, size_t num) A=ctx->A; B=ctx->B; C=ctx->C; D=ctx->D; E=ctx->E; - HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l; - RIP1(A,B,C,D,E,WL00,SL00); HOST_c2l(data,l); X( 2)=l; - RIP1(E,A,B,C,D,WL01,SL01); HOST_c2l(data,l); X( 3)=l; - RIP1(D,E,A,B,C,WL02,SL02); HOST_c2l(data,l); X( 4)=l; - RIP1(C,D,E,A,B,WL03,SL03); HOST_c2l(data,l); X( 5)=l; - RIP1(B,C,D,E,A,WL04,SL04); HOST_c2l(data,l); X( 6)=l; - RIP1(A,B,C,D,E,WL05,SL05); HOST_c2l(data,l); X( 7)=l; - RIP1(E,A,B,C,D,WL06,SL06); HOST_c2l(data,l); X( 8)=l; - RIP1(D,E,A,B,C,WL07,SL07); HOST_c2l(data,l); X( 9)=l; - RIP1(C,D,E,A,B,WL08,SL08); HOST_c2l(data,l); X(10)=l; - RIP1(B,C,D,E,A,WL09,SL09); HOST_c2l(data,l); X(11)=l; - RIP1(A,B,C,D,E,WL10,SL10); HOST_c2l(data,l); X(12)=l; - RIP1(E,A,B,C,D,WL11,SL11); HOST_c2l(data,l); X(13)=l; - RIP1(D,E,A,B,C,WL12,SL12); HOST_c2l(data,l); X(14)=l; - RIP1(C,D,E,A,B,WL13,SL13); HOST_c2l(data,l); X(15)=l; + (void)HOST_c2l(data,l); X( 0)=l;(void)HOST_c2l(data,l); X( 1)=l; + RIP1(A,B,C,D,E,WL00,SL00); (void)HOST_c2l(data,l); X( 2)=l; + RIP1(E,A,B,C,D,WL01,SL01); (void)HOST_c2l(data,l); X( 3)=l; + RIP1(D,E,A,B,C,WL02,SL02); (void)HOST_c2l(data,l); X( 4)=l; + RIP1(C,D,E,A,B,WL03,SL03); (void)HOST_c2l(data,l); X( 5)=l; + RIP1(B,C,D,E,A,WL04,SL04); (void)HOST_c2l(data,l); X( 6)=l; + RIP1(A,B,C,D,E,WL05,SL05); (void)HOST_c2l(data,l); X( 7)=l; + RIP1(E,A,B,C,D,WL06,SL06); (void)HOST_c2l(data,l); X( 8)=l; + RIP1(D,E,A,B,C,WL07,SL07); (void)HOST_c2l(data,l); X( 9)=l; + RIP1(C,D,E,A,B,WL08,SL08); (void)HOST_c2l(data,l); X(10)=l; + RIP1(B,C,D,E,A,WL09,SL09); (void)HOST_c2l(data,l); X(11)=l; + RIP1(A,B,C,D,E,WL10,SL10); (void)HOST_c2l(data,l); X(12)=l; + RIP1(E,A,B,C,D,WL11,SL11); (void)HOST_c2l(data,l); X(13)=l; + RIP1(D,E,A,B,C,WL12,SL12); (void)HOST_c2l(data,l); X(14)=l; + RIP1(C,D,E,A,B,WL13,SL13); (void)HOST_c2l(data,l); X(15)=l; RIP1(B,C,D,E,A,WL14,SL14); RIP1(A,B,C,D,E,WL15,SL15); 
diff --git a/crypto/ripemd/rmd_locl.h b/crypto/ripemd/rmd_locl.h index f14b346..2bd8957 100644 --- a/crypto/ripemd/rmd_locl.h +++ b/crypto/ripemd/rmd_locl.h @@ -88,11 +88,11 @@ void ripemd160_block_data_order (RIPEMD160_CTX *c, const void *p,size_t num); #define HASH_FINAL RIPEMD160_Final #define HASH_MAKE_STRING(c,s) do { \ unsigned long ll; \ - ll=(c)->A; HOST_l2c(ll,(s)); \ - ll=(c)->B; HOST_l2c(ll,(s)); \ - ll=(c)->C; HOST_l2c(ll,(s)); \ - ll=(c)->D; HOST_l2c(ll,(s)); \ - ll=(c)->E; HOST_l2c(ll,(s)); \ + ll=(c)->A; (void)HOST_l2c(ll,(s)); \ + ll=(c)->B; (void)HOST_l2c(ll,(s)); \ + ll=(c)->C; (void)HOST_l2c(ll,(s)); \ + ll=(c)->D; (void)HOST_l2c(ll,(s)); \ + ll=(c)->E; (void)HOST_l2c(ll,(s)); \ } while (0) #define HASH_BLOCK_DATA_ORDER ripemd160_block_data_order diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h index 4814a2f..5f269e5 100644 --- a/crypto/rsa/rsa.h +++ b/crypto/rsa/rsa.h @@ -280,7 +280,7 @@ struct rsa_st RSA * RSA_new(void); RSA * RSA_new_method(ENGINE *engine); -int RSA_size(const RSA *); +int RSA_size(const RSA *rsa); /* Deprecated version */ #ifndef OPENSSL_NO_DEPRECATED diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 2e1ddd4..88ee2cb 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -847,12 +847,12 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err; /* If p < q it is occasionally possible for the correction of - * adding 'p' if r0 is negative above to leave the result still + * adding 'p' if r0 is negative above to leave the result still * negative. This can break the private key operations: the following * second correction should *always* correct this rare occurrence. * This will *never* happen with OpenSSL generated keys because - * they ensure p > q [steve] - */ + * they ensure p > q [steve] + */ if (BN_is_negative(r0)) if (!BN_add(r0,r0,rsa->p)) goto err; if (!BN_mul(r1,r0,rsa->q,ctx)) goto err; 
diff --git a/crypto/sha/asm/sha1-armv4-large.S b/crypto/sha/asm/sha1-armv4-large.S index 97ad8be..639ae78 100644 --- a/crypto/sha/asm/sha1-armv4-large.S +++ b/crypto/sha/asm/sha1-armv4-large.S @@ -145,7 +145,7 @@ sha1_block_data_order: add r3,r3,r10 @ E+=F_00_19(B,C,D) teq r14,sp bne .L_00_15 @ [((11+4)*5+2)*3] - sub sp,sp,#5*4 + sub sp,sp,#25*4 #if __ARM_ARCH__<7 ldrb r10,[r1,#2] ldrb r9,[r1,#3] @@ -241,7 +241,6 @@ sha1_block_data_order: add r3,r3,r10 @ E+=F_00_19(B,C,D) ldr r8,.LK_20_39 @ [+15+16*4] - sub sp,sp,#20*4 cmn sp,#0 @ [+3], clear carry to denote 20_39 .L_20_39_or_60_79: ldr r9,[r14,#15*4] diff --git a/crypto/sha/asm/sha1-armv4-large.pl b/crypto/sha/asm/sha1-armv4-large.pl index db83c51..33da3e0 100644 --- a/crypto/sha/asm/sha1-armv4-large.pl +++ b/crypto/sha/asm/sha1-armv4-large.pl @@ -177,7 +177,7 @@ for($i=0;$i<5;$i++) { $code.=<<___; teq $Xi,sp bne .L_00_15 @ [((11+4)*5+2)*3] - sub sp,sp,#5*4 + sub sp,sp,#25*4 ___ &BODY_00_15(@V); unshift(@V,pop(@V)); &BODY_16_19(@V); unshift(@V,pop(@V)); @@ -187,7 +187,6 @@ ___ $code.=<<___; ldr $K,.LK_20_39 @ [+15+16*4] - sub sp,sp,#20*4 cmn sp,#0 @ [+3], clear carry to denote 20_39 .L_20_39_or_60_79: ___ diff --git a/crypto/sha/asm/sha1-ia64.pl b/crypto/sha/asm/sha1-ia64.pl index db28f08..02d35d1 100644 --- a/crypto/sha/asm/sha1-ia64.pl +++ b/crypto/sha/asm/sha1-ia64.pl @@ -271,7 +271,8 @@ tmp6=loc13; ___ -{ my $i,@V=($A,$B,$C,$D,$E); +{ my $i; + my @V=($A,$B,$C,$D,$E); for($i=0;$i<16;$i++) { &BODY_00_15(\$code,$i,@V); unshift(@V,pop(@V)); } for(;$i<20;$i++) { &BODY_16_19(\$code,$i,@V); unshift(@V,pop(@V)); } diff --git a/crypto/sha/asm/sha1-sparcv9a.pl b/crypto/sha/asm/sha1-sparcv9a.pl index 85e8d68..e65291b 100644 --- a/crypto/sha/asm/sha1-sparcv9a.pl +++ b/crypto/sha/asm/sha1-sparcv9a.pl 
@@ -549,7 +549,7 @@ ___ # programmer detect if current CPU is VIS capable at run-time. sub unvis { my ($mnemonic,$rs1,$rs2,$rd)=@_; -my $ref,$opf; +my ($ref,$opf); my %visopf = ( "fmul8ulx16" => 0x037, "faligndata" => 0x048, "fpadd32" => 0x052, diff --git a/crypto/sha/asm/sha1-x86_64.pl b/crypto/sha/asm/sha1-x86_64.pl index f27c1e3..cfdc45c 100755 --- a/crypto/sha/asm/sha1-x86_64.pl +++ b/crypto/sha/asm/sha1-x86_64.pl @@ -82,7 +82,8 @@ $avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) && `ml64 2>&1` =~ /Version ([0-9]+)\./ && $1>=10); -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; $ctx="%rdi"; # 1st arg $inp="%rsi"; # 2nd arg diff --git a/crypto/sha/asm/sha512-586.pl b/crypto/sha/asm/sha512-586.pl index 5b9f333..7eab6a5 100644 --- a/crypto/sha/asm/sha512-586.pl +++ b/crypto/sha/asm/sha512-586.pl @@ -142,9 +142,9 @@ sub BODY_00_15_x86 { &mov ("edx",$Ehi); &mov ("esi","ecx"); - &shr ("ecx",9) # lo>>9 + &shr ("ecx",9); # lo>>9 &mov ("edi","edx"); - &shr ("edx",9) # hi>>9 + &shr ("edx",9); # hi>>9 &mov ("ebx","ecx"); &shl ("esi",14); # lo<<14 &mov ("eax","edx"); @@ -207,9 +207,9 @@ sub BODY_00_15_x86 { &mov ($Dhi,"ebx"); &mov ("esi","ecx"); - &shr ("ecx",2) # lo>>2 + &shr ("ecx",2); # lo>>2 &mov ("edi","edx"); - &shr ("edx",2) # hi>>2 + &shr ("edx",2); # hi>>2 &mov ("ebx","ecx"); &shl ("esi",4); # lo<<4 &mov ("eax","edx"); @@ -452,9 +452,9 @@ if ($sse2) { &mov ("edx",&DWP(8*(9+15+16-1)+4,"esp")); &mov ("esi","ecx"); - &shr ("ecx",1) # lo>>1 + &shr ("ecx",1); # lo>>1 &mov ("edi","edx"); - &shr ("edx",1) # hi>>1 + &shr ("edx",1); # hi>>1 &mov ("eax","ecx"); &shl ("esi",24); # lo<<24 &mov ("ebx","edx"); @@ -488,9 +488,9 @@ if ($sse2) { &mov ("edx",&DWP(8*(9+15+16-14)+4,"esp")); &mov ("esi","ecx"); - &shr ("ecx",6) # lo>>6 + &shr ("ecx",6); # lo>>6 &mov ("edi","edx"); - &shr ("edx",6) # hi>>6 + &shr ("edx",6); # hi>>6 &mov ("eax","ecx"); &shl ("esi",3); # lo<<3 &mov ("ebx","edx"); 
diff --git a/crypto/sha/asm/sha512-x86_64.pl b/crypto/sha/asm/sha512-x86_64.pl index f611a2d..8d51678 100755 --- a/crypto/sha/asm/sha512-x86_64.pl +++ b/crypto/sha/asm/sha512-x86_64.pl @@ -51,7 +51,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; if ($output =~ /512/) { $func="sha512_block_data_order"; diff --git a/crypto/sha/sha1_one.c b/crypto/sha/sha1_one.c index 7c65b60..c56ec94 100644 --- a/crypto/sha/sha1_one.c +++ b/crypto/sha/sha1_one.c @@ -58,8 +58,8 @@ #include #include -#include #include +#include #ifndef OPENSSL_NO_SHA1 unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md) diff --git a/crypto/sha/sha1dgst.c b/crypto/sha/sha1dgst.c index 81219af..a986902 100644 --- a/crypto/sha/sha1dgst.c +++ b/crypto/sha/sha1dgst.c @@ -56,8 +56,8 @@ * [including the GNU Public Licence.] */ -#include #include +#include #if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA) #undef SHA_0 diff --git a/crypto/sha/sha256.c b/crypto/sha/sha256.c index f88d3d6..4eae074 100644 --- a/crypto/sha/sha256.c +++ b/crypto/sha/sha256.c @@ -88,17 +88,17 @@ int SHA224_Final (unsigned char *md, SHA256_CTX *c) switch ((c)->md_len) \ { case SHA224_DIGEST_LENGTH: \ for (nn=0;nnh[nn]; HOST_l2c(ll,(s)); } \ + { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ break; \ case SHA256_DIGEST_LENGTH: \ for (nn=0;nnh[nn]; HOST_l2c(ll,(s)); } \ + { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ break; \ default: \ if ((c)->md_len > SHA256_DIGEST_LENGTH) \ return 0; \ for (nn=0;nn<(c)->md_len/4;nn++) \ - { ll=(c)->h[nn]; HOST_l2c(ll,(s)); } \ + { ll=(c)->h[nn]; (void)HOST_l2c(ll,(s)); } \ break; \ } \ } while (0) diff --git a/crypto/sha/sha_dgst.c b/crypto/sha/sha_dgst.c index c946ad8..fb63b17 100644 --- a/crypto/sha/sha_dgst.c +++ b/crypto/sha/sha_dgst.c 
@@ -56,8 +56,8 @@ * [including the GNU Public Licence.] */ -#include #include +#include #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA) #undef SHA_1 diff --git a/crypto/sha/sha_locl.h b/crypto/sha/sha_locl.h index 7a0c3ca..d673255 100644 --- a/crypto/sha/sha_locl.h +++ b/crypto/sha/sha_locl.h @@ -69,11 +69,11 @@ #define HASH_CBLOCK SHA_CBLOCK #define HASH_MAKE_STRING(c,s) do { \ unsigned long ll; \ - ll=(c)->h0; HOST_l2c(ll,(s)); \ - ll=(c)->h1; HOST_l2c(ll,(s)); \ - ll=(c)->h2; HOST_l2c(ll,(s)); \ - ll=(c)->h3; HOST_l2c(ll,(s)); \ - ll=(c)->h4; HOST_l2c(ll,(s)); \ + ll=(c)->h0; (void)HOST_l2c(ll,(s)); \ + ll=(c)->h1; (void)HOST_l2c(ll,(s)); \ + ll=(c)->h2; (void)HOST_l2c(ll,(s)); \ + ll=(c)->h3; (void)HOST_l2c(ll,(s)); \ + ll=(c)->h4; (void)HOST_l2c(ll,(s)); \ } while (0) #if defined(SHA_0) 
@@ -256,21 +256,21 @@ static void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, size_t num) } else { - HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l; - BODY_00_15( 0,A,B,C,D,E,T,X( 0)); HOST_c2l(data,l); X( 2)=l; - BODY_00_15( 1,T,A,B,C,D,E,X( 1)); HOST_c2l(data,l); X( 3)=l; - BODY_00_15( 2,E,T,A,B,C,D,X( 2)); HOST_c2l(data,l); X( 4)=l; - BODY_00_15( 3,D,E,T,A,B,C,X( 3)); HOST_c2l(data,l); X( 5)=l; - BODY_00_15( 4,C,D,E,T,A,B,X( 4)); HOST_c2l(data,l); X( 6)=l; - BODY_00_15( 5,B,C,D,E,T,A,X( 5)); HOST_c2l(data,l); X( 7)=l; - BODY_00_15( 6,A,B,C,D,E,T,X( 6)); HOST_c2l(data,l); X( 8)=l; - BODY_00_15( 7,T,A,B,C,D,E,X( 7)); HOST_c2l(data,l); X( 9)=l; - BODY_00_15( 8,E,T,A,B,C,D,X( 8)); HOST_c2l(data,l); X(10)=l; - BODY_00_15( 9,D,E,T,A,B,C,X( 9)); HOST_c2l(data,l); X(11)=l; - BODY_00_15(10,C,D,E,T,A,B,X(10)); HOST_c2l(data,l); X(12)=l; - BODY_00_15(11,B,C,D,E,T,A,X(11)); HOST_c2l(data,l); X(13)=l; - BODY_00_15(12,A,B,C,D,E,T,X(12)); HOST_c2l(data,l); X(14)=l; - BODY_00_15(13,T,A,B,C,D,E,X(13)); HOST_c2l(data,l); X(15)=l; + (void)HOST_c2l(data,l); X( 0)=l; (void)HOST_c2l(data,l); X( 1)=l; + BODY_00_15( 0,A,B,C,D,E,T,X( 0)); (void)HOST_c2l(data,l); X( 2)=l; + BODY_00_15( 1,T,A,B,C,D,E,X( 1)); (void)HOST_c2l(data,l); X( 3)=l; + BODY_00_15( 2,E,T,A,B,C,D,X( 2)); (void)HOST_c2l(data,l); X( 4)=l; + BODY_00_15( 3,D,E,T,A,B,C,X( 3)); (void)HOST_c2l(data,l); X( 5)=l; + BODY_00_15( 4,C,D,E,T,A,B,X( 4)); (void)HOST_c2l(data,l); X( 6)=l; + BODY_00_15( 5,B,C,D,E,T,A,X( 5)); (void)HOST_c2l(data,l); X( 7)=l; + BODY_00_15( 6,A,B,C,D,E,T,X( 6)); (void)HOST_c2l(data,l); X( 8)=l; + BODY_00_15( 7,T,A,B,C,D,E,X( 7)); (void)HOST_c2l(data,l); X( 9)=l; + BODY_00_15( 8,E,T,A,B,C,D,X( 8)); (void)HOST_c2l(data,l); X(10)=l; + BODY_00_15( 9,D,E,T,A,B,C,X( 9)); (void)HOST_c2l(data,l); X(11)=l; + BODY_00_15(10,C,D,E,T,A,B,X(10)); (void)HOST_c2l(data,l); X(12)=l; + BODY_00_15(11,B,C,D,E,T,A,X(11)); (void)HOST_c2l(data,l); X(13)=l; + BODY_00_15(12,A,B,C,D,E,T,X(12)); (void)HOST_c2l(data,l); 
X(14)=l; + BODY_00_15(13,T,A,B,C,D,E,X(13)); (void)HOST_c2l(data,l); X(15)=l; BODY_00_15(14,E,T,A,B,C,D,X(14)); BODY_00_15(15,D,E,T,A,B,C,X(15)); } diff --git a/crypto/srp/srp_vfy.c b/crypto/srp/srp_vfy.c index c8be907..4a3d13e 100644 --- a/crypto/srp/srp_vfy.c +++ b/crypto/srp/srp_vfy.c @@ -390,7 +390,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file) } for (i = 0; i < sk_OPENSSL_PSTRING_num(tmpdb->data); i++) { - pp = (char **)sk_OPENSSL_PSTRING_value(tmpdb->data,i); + pp = sk_OPENSSL_PSTRING_value(tmpdb->data,i); if (pp[DB_srptype][0] == DB_SRP_INDEX) { /*we add this couple in the internal Stack */ @@ -581,7 +581,8 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt, if (*salt == NULL) { char *tmp_salt; - if ((tmp_salt = (char *)OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) + + if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL) { OPENSSL_free(vf); goto err; diff --git a/crypto/symhacks.h b/crypto/symhacks.h index 403f592..07a412f 100644 --- a/crypto/symhacks.h +++ b/crypto/symhacks.h 
@@ -193,17 +193,17 @@ #undef SSL_CTX_set_srp_username_callback #define SSL_CTX_set_srp_username_callback SSL_CTX_set_srp_un_cb #undef ssl_add_clienthello_use_srtp_ext -#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext +#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext #undef ssl_add_serverhello_use_srtp_ext -#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext +#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext #undef ssl_parse_clienthello_use_srtp_ext -#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext +#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext #undef ssl_parse_serverhello_use_srtp_ext -#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext +#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext #undef SSL_CTX_set_next_protos_advertised_cb -#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb +#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb #undef SSL_CTX_set_next_proto_select_cb -#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb +#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb /* Hack some long ENGINE names */ #undef ENGINE_get_default_BN_mod_exp_crt @@ -316,8 +316,6 @@ #define ec_GFp_simple_point_set_to_infinity ec_GFp_simple_pt_set_to_inf #undef ec_GFp_simple_points_make_affine #define ec_GFp_simple_points_make_affine ec_GFp_simple_pts_make_affine -#undef ec_GFp_simple_group_get_curve_GFp -#define ec_GFp_simple_group_get_curve_GFp ec_GFp_simple_grp_get_curve_GFp #undef ec_GFp_simple_set_Jprojective_coordinates_GFp #define ec_GFp_simple_set_Jprojective_coordinates_GFp \ ec_GFp_smp_set_Jproj_coords_GFp diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c index 7165cb4..e6ccd34 100644 --- a/crypto/ui/ui_openssl.c +++ b/crypto/ui/ui_openssl.c 
@@ -122,9 +122,15 @@ * sigaction and fileno included. -pedantic would be more appropriate for * the intended purposes, but we can't prevent users from adding -ansi. */ +#if defined(OPENSSL_SYSNAME_VXWORKS) +#include +#endif + #if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS) +#ifndef _POSIX_C_SOURCE #define _POSIX_C_SOURCE 2 #endif +#endif #include #include #include diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 7c2aaee..352aa37 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -86,10 +86,9 @@ unsigned long X509_issuer_and_serial_hash(X509 *a) EVP_MD_CTX_init(&ctx); f=X509_NAME_oneline(a->cert_info->issuer,NULL,0); - ret=strlen(f); if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) goto err; - if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,ret)) + if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,strlen(f))) goto err; OPENSSL_free(f); if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data, @@ -249,14 +248,14 @@ unsigned long X509_NAME_hash_old(X509_NAME *x) i2d_X509_NAME(x,NULL); EVP_MD_CTX_init(&md_ctx); EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL); - EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length); - EVP_DigestFinal_ex(&md_ctx,md,NULL); + if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL) + && EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length) + && EVP_DigestFinal_ex(&md_ctx,md,NULL)) + ret=(((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| + ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) + )&0xffffffffL; EVP_MD_CTX_cleanup(&md_ctx); - ret=( ((unsigned long)md[0] )|((unsigned long)md[1]<<8L)| - ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L) - )&0xffffffffL; return(ret); } #endif diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index b0779db..12d71f5 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c 
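Review bot: The new `EVP_DigestUpdate(&ctx,(unsigned char *)f,strlen(f))` still dereferences f without checking it, and X509_NAME_oneline can return NULL (at least on allocation failure), so a NULL issuer string crashes in strlen exactly as the removed `ret=strlen(f)` did; the hunk only relocates the strlen call. Add `if (f == NULL) goto err;` directly after the X509_NAME_oneline assignment, before EVP_DigestInit_ex. The err label and the rest of X509_issuer_and_serial_hash are outside the hunk, so check that the cleanup there tolerates f being NULL and does not reach OPENSSL_free(f) twice.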
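Review bot: ret is now assigned only when EVP_DigestInit_ex, EVP_DigestUpdate and EVP_DigestFinal_ex all succeed, so on the failure path X509_NAME_hash_old returns whatever ret held at its declaration, which is outside the hunk; if that declaration is a bare `unsigned long ret;` this trades a hash over stale md bytes for an uninitialised return, so confirm it reads `unsigned long ret=0;`. Either way a comment on the new if, `/* leave ret at 0 if any digest step fails */`, would record that 0 is the deliberate failure value rather than an accident of the rewrite.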
@@ -872,7 +872,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) { ASN1_OCTET_STRING *exta, *extb; int i; - i = X509_CRL_get_ext_by_NID(a, nid, 0); + i = X509_CRL_get_ext_by_NID(a, nid, -1); if (i >= 0) { /* Can't have multiple occurrences */ @@ -883,7 +883,7 @@ static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid) else exta = NULL; - i = X509_CRL_get_ext_by_NID(b, nid, 0); + i = X509_CRL_get_ext_by_NID(b, nid, -1); if (i >= 0) { diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509v3/v3_purp.c index 181bd34..ad68865 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509v3/v3_purp.c @@ -474,11 +474,11 @@ static void x509v3_cache_extensions(X509 *x) for (i = 0; i < X509_get_ext_count(x); i++) { ex = X509_get_ext(x, i); - if (!X509_EXTENSION_get_critical(ex)) - continue; if (OBJ_obj2nid(X509_EXTENSION_get_object(ex)) == NID_freshest_crl) x->ex_flags |= EXFLAG_FRESHEST; + if (!X509_EXTENSION_get_critical(ex)) + continue; if (!X509_supported_extension(ex)) { x->ex_flags |= EXFLAG_CRITICAL; diff --git a/crypto/x86_64cpuid.pl b/crypto/x86_64cpuid.pl index 7b7b93b..6ebfd01 100644 --- a/crypto/x86_64cpuid.pl +++ b/crypto/x86_64cpuid.pl @@ -11,7 +11,8 @@ $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ( $xlate="${dir}perlasm/x86_64-xlate.pl" and -f $xlate) or die "can't locate x86_64-xlate.pl"; -open STDOUT,"| $^X $xlate $flavour $output"; +open OUT,"| \"$^X\" $xlate $flavour $output"; +*STDOUT=*OUT; ($arg1,$arg2,$arg3,$arg4)=$win64?("%rcx","%rdx","%r8", "%r9") : # Win64 order ("%rdi","%rsi","%rdx","%rcx"); # Unix order diff --git a/crypto/x86cpuid.pl b/crypto/x86cpuid.pl index 39fd8f2..c18b0e2 100644 --- a/crypto/x86cpuid.pl +++ b/crypto/x86cpuid.pl @@ -165,7 +165,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } &jnz (&label("nohalt")); # not enough privileges &pushf (); - &pop ("eax") + &pop ("eax"); &bt ("eax",9); &jnc (&label("nohalt")); # interrupts are disabled 
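Review bot: Changing lastpos from 0 to -1 in both X509_CRL_get_ext_by_NID calls is the fix, but nothing in crl_extension_match says why, and the literal 0 is the natural thing to write again; if X509_CRL_get_ext_by_NID follows the X509v3_get_ext_by_* convention of resuming the search at lastpos+1, then 0 silently skipped an extension stored at index 0 and made both CRLs look as if they lacked it. Add `/* -1: start at index 0; lastpos 0 would skip the first extension */` above the first call, and the same note on the second. The rest of crl_extension_match runs past the visible hunk.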
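Review bot: Only `$^X` is quoted in the new `open OUT,"| \"$^X\" $xlate $flavour $output";`, while `$xlate`, which is built from `$dir` and therefore from `$0`, is still interpolated into the shell command line bare, so a build tree path containing a space or a shell metacharacter breaks the pipe even after this change. Quote it the same way, `open OUT,"| \"$^X\" \"$xlate\" $flavour $output";`, and do the same for `$output` if it is always supplied, or move to the list form of open so no shell is involved at all. This is build-time tooling running on the builder's own paths, so the exposure is a broken or misdirected build rather than a runtime issue, but the half-applied quoting invites the next person to assume the line is already safe.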
@@ -280,7 +280,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } # arguments is 1 or 2! &function_begin_B("OPENSSL_indirect_call"); { - my $i,$max=7; # $max has to be chosen as 4*n-1 + my ($max,$i)=(7,); # $max has to be chosen as 4*n-1 # in order to preserve eventual # stack alignment &push ("ebp"); diff --git a/import_openssl.sh b/import_openssl.sh index bde07da..03e54c7 100755 --- a/import_openssl.sh +++ b/import_openssl.sh @@ -322,7 +322,7 @@ function applypatches () { for i in $OPENSSL_PATCHES; do if [ ! "$skip_patch" = "patches/$i" ]; then echo "Applying patch $i" - patch -p1 < ../patches/$i || die "Could not apply patches/$i. Fix source and run: $0 regenerate patches/$i" + patch -p1 --merge < ../patches/$i || die "Could not apply patches/$i. Fix source and run: $0 regenerate patches/$i" else echo "Skiping patch $i" fi diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index 793a325..f92fc51 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h @@ -488,10 +488,10 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int), long (**go)(void)); void *CRYPTO_malloc_locked(int num, const char *file, int line); -void CRYPTO_free_locked(void *); +void CRYPTO_free_locked(void *ptr); void *CRYPTO_malloc(int num, const char *file, int line); char *CRYPTO_strdup(const char *str, const char *file, int line); -void CRYPTO_free(void *); +void CRYPTO_free(void *ptr); void *CRYPTO_realloc(void *addr,int num, const char *file, int line); void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file, int line); diff --git a/include/openssl/dtls1.h b/include/openssl/dtls1.h index 5008bf6..e65d501 100644 --- a/include/openssl/dtls1.h +++ b/include/openssl/dtls1.h @@ -57,8 +57,8 @@ * */ -#ifndef HEADER_DTLS1_H -#define HEADER_DTLS1_H +#ifndef HEADER_DTLS1_H +#define HEADER_DTLS1_H #include #include 
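Review bot: `patch -p1 --merge` changes the failure mode of the local patch set: in merge mode GNU patch applies hunks whose context no longer matches and, on a conflict, writes `<<<<<<<`/`>>>>>>>` markers into the source file instead of leaving a .rej, so a patch that has drifted against 1.0.1d can end up half-applied in the tree. patch should still exit non-zero on a conflict so the existing `die` fires, but nothing checks for leftover markers or for a hunk that merged cleanly at the wrong place, and the patches this loop applies (handshake_cutthrough, jsse and channelid per openssl.config) by their names touch the TLS handshake. Consider keeping plain `patch -p1` for the import and reserving `--merge` for the `regenerate` flow the die message points at, or at least follow the loop with `grep -rl '^<<<<<<<' . && die "conflict markers left by patches"`. applypatches continues outside the hunk.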
@@ -72,8 +72,12 @@ #elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_) #include #else +#if defined(OPENSSL_SYS_VXWORKS) +#include +#else #include #endif +#endif #ifdef __cplusplus extern "C" { diff --git a/include/openssl/ec.h b/include/openssl/ec.h index 9d01325..dfe8710 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -274,10 +274,10 @@ int EC_GROUP_get_curve_name(const EC_GROUP *group); void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag); int EC_GROUP_get_asn1_flag(const EC_GROUP *group); -void EC_GROUP_set_point_conversion_form(EC_GROUP *, point_conversion_form_t); +void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form); point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *); -unsigned char *EC_GROUP_get0_seed(const EC_GROUP *); +unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x); size_t EC_GROUP_get_seed_len(const EC_GROUP *); size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len); @@ -626,8 +626,8 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *c */ int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); -int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); -int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *); +int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx); +int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx); /** Computes r = generator * n sum_{i=0}^num p[i] * m[i] * \param group underlying EC_GROUP object 
@@ -800,16 +800,24 @@ const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key); int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub); unsigned EC_KEY_get_enc_flags(const EC_KEY *key); -void EC_KEY_set_enc_flags(EC_KEY *, unsigned int); -point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *); -void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t); +void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags); +point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key); +void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform); /* functions to set/get method specific data */ -void *EC_KEY_get_key_method_data(EC_KEY *, +void *EC_KEY_get_key_method_data(EC_KEY *key, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); -void EC_KEY_insert_key_method_data(EC_KEY *, void *data, +/** Sets the key method data of an EC_KEY object, if none has yet been set. + * \param key EC_KEY object + * \param data opaque data to install. + * \param dup_func a function that duplicates |data|. + * \param free_func a function that frees |data|. + * \param clear_free_func a function that wipes and frees |data|. + * \return the previously set data pointer, or NULL if |data| was inserted. + */ +void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); /* wrapper functions for the underlying EC_GROUP object */ -void EC_KEY_set_asn1_flag(EC_KEY *, int); +void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag); /** Creates a table of pre-computed multiples of the generator to * accelerate further EC_KEY operations. diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 8096a72..e43a58e 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -402,7 +402,6 @@ struct evp_cipher_st /* Length of tag for TLS */ #define EVP_GCM_TLS_TAG_LEN 16 - typedef struct evp_cipher_info_st { const EVP_CIPHER *cipher; 
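Review bot: The new comment on EC_KEY_insert_key_method_data says a non-NULL return means |data| was not installed, but it never says who owns |data| afterwards; because the return type changed from void to void *, every existing caller compiles unchanged while ignoring the result, which leaks |data| on the not-inserted path, and a caller that assumes the key took it could hand it to free_func twice. Extend the \return line with `on a non-NULL return the caller still owns |data| and must release it itself; on NULL the EC_KEY owns |data| and will pass it to free_func or clear_free_func.` It would also help to state whether the check-and-insert is atomic with respect to other threads, since "if none has yet been set" reads like a race-avoidance contract but the header alone cannot show it.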
@@ -789,8 +788,8 @@ const EVP_CIPHER *EVP_aes_128_cfb128(void); # define EVP_aes_128_cfb EVP_aes_128_cfb128 const EVP_CIPHER *EVP_aes_128_ofb(void); const EVP_CIPHER *EVP_aes_128_ctr(void); -const EVP_CIPHER *EVP_aes_128_gcm(void); const EVP_CIPHER *EVP_aes_128_ccm(void); +const EVP_CIPHER *EVP_aes_128_gcm(void); const EVP_CIPHER *EVP_aes_128_xts(void); const EVP_CIPHER *EVP_aes_192_ecb(void); const EVP_CIPHER *EVP_aes_192_cbc(void); @@ -800,8 +799,8 @@ const EVP_CIPHER *EVP_aes_192_cfb128(void); # define EVP_aes_192_cfb EVP_aes_192_cfb128 const EVP_CIPHER *EVP_aes_192_ofb(void); const EVP_CIPHER *EVP_aes_192_ctr(void); -const EVP_CIPHER *EVP_aes_192_gcm(void); const EVP_CIPHER *EVP_aes_192_ccm(void); +const EVP_CIPHER *EVP_aes_192_gcm(void); const EVP_CIPHER *EVP_aes_256_ecb(void); const EVP_CIPHER *EVP_aes_256_cbc(void); const EVP_CIPHER *EVP_aes_256_cfb1(void); @@ -810,8 +809,8 @@ const EVP_CIPHER *EVP_aes_256_cfb128(void); # define EVP_aes_256_cfb EVP_aes_256_cfb128 const EVP_CIPHER *EVP_aes_256_ofb(void); const EVP_CIPHER *EVP_aes_256_ctr(void); -const EVP_CIPHER *EVP_aes_256_gcm(void); const EVP_CIPHER *EVP_aes_256_ccm(void); +const EVP_CIPHER *EVP_aes_256_gcm(void); const EVP_CIPHER *EVP_aes_256_xts(void); #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void); @@ -1244,6 +1243,8 @@ void EVP_PKEY_meth_set_ctrl(EVP_PKEY_METHOD *pmeth, int (*ctrl_str)(EVP_PKEY_CTX *ctx, const char *type, const char *value)); +void EVP_add_alg_module(void); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. @@ -1258,6 +1259,7 @@ void ERR_load_EVP_strings(void); #define EVP_F_AES_INIT_KEY 133 #define EVP_F_AES_XTS 172 #define EVP_F_AES_XTS_CIPHER 175 +#define EVP_F_ALG_MODULE_INIT 177 #define EVP_F_CAMELLIA_INIT_KEY 159 #define EVP_F_CMAC_INIT 173 #define EVP_F_D2I_PKEY 100 
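Review bot: `void EVP_add_alg_module(void);` enters the public header with no comment at all, and the EVP_F_ALG_MODULE_INIT function code added in the next hunk is the only hint of what it does; from evp.h a caller cannot tell that it presumably registers a configuration module, when it has to be called, or how its failures surface. Add a short comment above the declaration, e.g. `/* Registers the EVP algorithm configuration module with the CONF machinery; failures are reported under EVP_F_ALG_MODULE_INIT. */`, after confirming the wording against the module's implementation, which is not in this hunk.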
@@ -1351,15 +1353,19 @@ void ERR_load_EVP_strings(void); #define EVP_R_DIFFERENT_PARAMETERS 153 #define EVP_R_DISABLED_FOR_FIPS 163 #define EVP_R_ENCODE_ERROR 115 +#define EVP_R_ERROR_LOADING_SECTION 165 +#define EVP_R_ERROR_SETTING_FIPS_MODE 166 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 #define EVP_R_EXPECTING_AN_RSA_KEY 127 #define EVP_R_EXPECTING_A_DH_KEY 128 #define EVP_R_EXPECTING_A_DSA_KEY 129 #define EVP_R_EXPECTING_A_ECDSA_KEY 141 #define EVP_R_EXPECTING_A_EC_KEY 142 +#define EVP_R_FIPS_MODE_NOT_SUPPORTED 167 #define EVP_R_INITIALIZATION_ERROR 134 #define EVP_R_INPUT_NOT_INITIALIZED 111 #define EVP_R_INVALID_DIGEST 152 +#define EVP_R_INVALID_FIPS_MODE 168 #define EVP_R_INVALID_KEY_LENGTH 130 #define EVP_R_INVALID_OPERATION 148 #define EVP_R_IV_TOO_LARGE 102 @@ -1384,6 +1390,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_TOO_LARGE 164 #define EVP_R_UNKNOWN_CIPHER 160 #define EVP_R_UNKNOWN_DIGEST 161 +#define EVP_R_UNKNOWN_OPTION 169 #define EVP_R_UNKNOWN_PBE_ALGORITHM 121 #define EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS 135 #define EVP_R_UNSUPPORTED_ALGORITHM 156 diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index 71be359..dbea4ad 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x1000103fL +#define OPENSSL_VERSION_NUMBER 0x1000104fL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c-fips 10 May 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1d-fips 5 Feb 2013" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c 10 May 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1d 5 Feb 2013" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h index 4814a2f..5f269e5 100644 --- a/include/openssl/rsa.h +++ b/include/openssl/rsa.h 
@@ -280,7 +280,7 @@ struct rsa_st RSA * RSA_new(void); RSA * RSA_new_method(ENGINE *engine); -int RSA_size(const RSA *); +int RSA_size(const RSA *rsa); /* Deprecated version */ #ifndef OPENSSL_NO_DEPRECATED diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 1aaadf3..5695aae 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -493,6 +493,9 @@ struct ssl_session_st char *psk_identity_hint; char *psk_identity; #endif + /* Used to indicate that session resumption is not allowed. + * Applications can also set this bit for a new session via + * not_resumable_session_cb to disable session caching and tickets. */ int not_resumable; /* The cert is the certificate used to establish this connection */ @@ -535,7 +538,7 @@ struct ssl_session_st #endif /* OPENSSL_NO_EC */ /* RFC4507 info */ unsigned char *tlsext_tick; /* Session ticket */ - size_t tlsext_ticklen; /* Session ticket length */ + size_t tlsext_ticklen; /* Session ticket length */ long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ #endif #ifndef OPENSSL_NO_SRP @@ -931,6 +934,7 @@ struct ssl_ctx_st /* Callback for status request */ int (*tlsext_status_cb)(SSL *ssl, void *arg); void *tlsext_status_arg; + /* draft-rescorla-tls-opaque-prf-input-00.txt information */ int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg); void *tlsext_opaque_prf_input_callback_arg; @@ -956,6 +960,7 @@ struct ssl_ctx_st #endif #ifndef OPENSSL_NO_TLSEXT + # ifndef OPENSSL_NO_NEXTPROTONEG /* Next protocol negotiation information */ /* (for experimental NPN extension). */ @@ -2262,6 +2267,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_GET_NEW_SESSION 181 #define SSL_F_SSL_GET_PREV_SESSION 217 #define SSL_F_SSL_GET_SERVER_SEND_CERT 182 +#define SSL_F_SSL_GET_SERVER_SEND_PKEY 317 #define SSL_F_SSL_GET_SIGN_PKEY 183 #define SSL_F_SSL_INIT_WBIO_BUFFER 184 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index 879be13..fee9671 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h @@ -355,10 +355,6 @@ typedef struct ssl3_record_st /*r */ unsigned char *comp; /* only used with decompression - malloc()ed */ /*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */ /*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ -/*rw*/ unsigned int orig_len; /* How many bytes were available before padding - was removed? This is used to implement the - MAC check in constant time for CBC records. - */ } SSL3_RECORD; typedef struct ssl3_buffer_st @@ -594,8 +590,10 @@ typedef struct ssl3_state_st #define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT) #define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT) #define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) +#ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) #define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) +#endif #define SSL3_ST_CW_CHANNEL_ID_A (0x210|SSL_ST_CONNECT) #define SSL3_ST_CW_CHANNEL_ID_B (0x211|SSL_ST_CONNECT) #define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) @@ -648,8 +646,10 @@ typedef struct ssl3_state_st #define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT) #define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT) #define SSL3_ST_SR_POST_CLIENT_CERT (0x1BF|SSL_ST_ACCEPT) +#ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) #define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) +#endif #define SSL3_ST_SR_CHANNEL_ID_A (0x220|SSL_ST_ACCEPT) #define SSL3_ST_SR_CHANNEL_ID_B (0x221|SSL_ST_ACCEPT) #define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) @@ -676,7 +676,9 @@ typedef struct ssl3_state_st #define SSL3_MT_CLIENT_KEY_EXCHANGE 16 #define SSL3_MT_FINISHED 20 #define SSL3_MT_CERTIFICATE_STATUS 22 +#ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_MT_NEXT_PROTO 67 +#endif #define SSL3_MT_ENCRYPTED_EXTENSIONS 203 #define DTLS1_MT_HELLO_VERIFY_REQUEST 3 
diff --git a/include/openssl/symhacks.h b/include/openssl/symhacks.h index 403f592..07a412f 100644 --- a/include/openssl/symhacks.h +++ b/include/openssl/symhacks.h @@ -193,17 +193,17 @@ #undef SSL_CTX_set_srp_username_callback #define SSL_CTX_set_srp_username_callback SSL_CTX_set_srp_un_cb #undef ssl_add_clienthello_use_srtp_ext -#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext +#define ssl_add_clienthello_use_srtp_ext ssl_add_clihello_use_srtp_ext #undef ssl_add_serverhello_use_srtp_ext -#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext +#define ssl_add_serverhello_use_srtp_ext ssl_add_serhello_use_srtp_ext #undef ssl_parse_clienthello_use_srtp_ext -#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext +#define ssl_parse_clienthello_use_srtp_ext ssl_parse_clihello_use_srtp_ext #undef ssl_parse_serverhello_use_srtp_ext -#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext +#define ssl_parse_serverhello_use_srtp_ext ssl_parse_serhello_use_srtp_ext #undef SSL_CTX_set_next_protos_advertised_cb -#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb +#define SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_next_protos_adv_cb #undef SSL_CTX_set_next_proto_select_cb -#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb +#define SSL_CTX_set_next_proto_select_cb SSL_CTX_set_next_proto_sel_cb /* Hack some long ENGINE names */ #undef ENGINE_get_default_BN_mod_exp_crt @@ -316,8 +316,6 @@ #define ec_GFp_simple_point_set_to_infinity ec_GFp_simple_pt_set_to_inf #undef ec_GFp_simple_points_make_affine #define ec_GFp_simple_points_make_affine ec_GFp_simple_pts_make_affine -#undef ec_GFp_simple_group_get_curve_GFp -#define ec_GFp_simple_group_get_curve_GFp ec_GFp_simple_grp_get_curve_GFp #undef ec_GFp_simple_set_Jprojective_coordinates_GFp #define ec_GFp_simple_set_Jprojective_coordinates_GFp \ ec_GFp_smp_set_Jproj_coords_GFp 
diff --git a/openssl.config b/openssl.config index 9c20b62..e7009ea 100644 --- a/openssl.config +++ b/openssl.config @@ -175,8 +175,10 @@ include/openssl/camellia.h \ include/openssl/cast.h \ include/openssl/cms.h \ include/openssl/idea.h \ +include/openssl/md2.h \ include/openssl/mdc2.h \ include/openssl/seed.h \ +include/openssl/store.h \ include/openssl/whrlpool.h \ install.com \ makevms.com \ @@ -201,13 +203,7 @@ OPENSSL_PATCHES="\ progs.patch \ handshake_cutthrough.patch \ jsse.patch \ -sha1_armv4_large.patch \ -mips_private.patch \ channelid.patch \ -clang.patch \ -recursive_lock_fix.patch \ -0001-Add-and-use-a-constant-time-memcmp.patch \ -0002-Make-CBC-decoding-constant-time.patch \ " OPENSSL_PATCHES_progs_SOURCES="\ @@ -243,10 +239,6 @@ ssl/ssl_rsa.c \ ssl/ssl_sess.c \ " -OPENSSL_PATCHES_mips_private_SOURCES="\ -crypto/aes/asm/aes-mips.pl \ -" - OPENSSL_PATCHES_channelid_SOURCES="\ crypto/evp/evp.h \ crypto/evp/p_lib.c \ @@ -262,11 +254,3 @@ ssl/ssl_locl.h \ ssl/t1_lib.c \ ssl/tls1.h \ " - -OPENSSL_PATCHES_clang_SOURCES="\ -crypto/bio/bss_dgram.c \ -crypto/cryptlib.c \ -" -OPENSSL_PATCHES_recursive_lock_fix_SOURCES="\ -crypto/asn1/x_pubkey.c \ -" diff --git a/openssl.version b/openssl.version index 1616021..30f1cd2 100644 --- a/openssl.version +++ b/openssl.version @@ -1 +1 @@ -OPENSSL_VERSION=1.0.1c +OPENSSL_VERSION=1.0.1d diff --git a/patches/0001-Add-and-use-a-constant-time-memcmp.patch b/patches/0001-Add-and-use-a-constant-time-memcmp.patch deleted file mode 100644 index a593d49..0000000 --- a/patches/0001-Add-and-use-a-constant-time-memcmp.patch +++ /dev/null 
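Review bot: Six local patches are dropped from OPENSSL_PATCHES here, including 0001 (constant-time CRYPTO_memcmp) and 0002 (constant-time CBC decoding, the padding-oracle fix whose patch file is deleted further down), and nothing in the config or the commit records that 1.0.1d carries equivalents; the removed orig_len field in include/openssl/ssl3.h and the dropped clang and mips_private source lists are consistent with upstream having absorbed them, but recursive_lock_fix.patch (crypto/asn1/x_pubkey.c) and sha1_armv4_large.patch have no visible counterpart in this diff. Add a comment above OPENSSL_PATCHES naming each dropped patch and the upstream release that made it redundant, e.g. `# Dropped in the 1.0.1d upgrade, now upstream: 0001/0002 constant-time memcmp+CBC, clang, mips_private, recursive_lock_fix, sha1_armv4_large`, so the next import can tell a deliberate drop from a lost fix. Re-applying each deleted patch against the 1.0.1d tree and confirming it is a no-op or already present would back that comment up.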
@@ -1,155 +0,0 @@ -From 306d003174cb4e5994734b20d741867aeeebf918 Mon Sep 17 00:00:00 2001 -From: Adam Langley -Date: Wed, 16 Jan 2013 11:02:35 -0500 -Subject: [PATCH 1/2] Add and use a constant-time memcmp. - -This change adds CRYPTO_memcmp, which compares two vectors of bytes in -an amount of time that's independent of their contents. It also changes -several MAC compares in the code to use this over the standard memcmp, -which may leak information about the size of a matching prefix. ---- - crypto/cryptlib.c | 13 +++++++++++++ - crypto/crypto.h | 7 +++++++ - crypto/rsa/rsa_oaep.c | 2 +- - ssl/d1_pkt.c | 2 +- - ssl/s2_clnt.c | 2 +- - ssl/s2_pkt.c | 3 +-- - ssl/s3_both.c | 2 +- - ssl/s3_pkt.c | 2 +- - ssl/t1_lib.c | 2 +- - 9 files changed, 27 insertions(+), 8 deletions(-) - -diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c -index a7cb420..304c6b7 100644 ---- a/crypto/cryptlib.c -+++ b/crypto/cryptlib.c -@@ -925,3 +925,16 @@ void OpenSSLDie(const char *file,int line,const char *assertion) - } - - void *OPENSSL_stderr(void) { return stderr; } -+ -+int CRYPTO_memcmp(const void *in_a, const void *in_b, size_t len) -+ { -+ size_t i; -+ const unsigned char *a = in_a; -+ const unsigned char *b = in_b; -+ unsigned char x = 0; -+ -+ for (i = 0; i < len; i++) -+ x |= a[i] ^ b[i]; -+ -+ return x; -+ } -diff --git a/crypto/crypto.h b/crypto/crypto.h -index 6160576..f92fc51 100644 ---- a/crypto/crypto.h -+++ b/crypto/crypto.h -@@ -574,6 +574,13 @@ void OPENSSL_init(void); - #define fips_cipher_abort(alg) while(0) - #endif - -+/* CRYPTO_memcmp returns zero iff the |len| bytes at |a| and |b| are equal. It -+ * takes an amount of time dependent on |len|, but independent of the contents -+ * of |a| and |b|. Unlike memcmp, it cannot be used to put elements into a -+ * defined order as the return value when a != b is undefined, other than to be -+ * non-zero. 
*/ -+int CRYPTO_memcmp(const void *a, const void *b, size_t len); -+ - /* BEGIN ERROR CODES */ - /* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. -diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c -index 553d212..af4d24a 100644 ---- a/crypto/rsa/rsa_oaep.c -+++ b/crypto/rsa/rsa_oaep.c -@@ -149,7 +149,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, - if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL)) - return -1; - -- if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) -+ if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) - goto decoding_err; - else - { -diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c -index 987af60..5e2c56c 100644 ---- a/ssl/d1_pkt.c -+++ b/ssl/d1_pkt.c -@@ -463,7 +463,7 @@ printf("\n"); - else - rr->length = 0; - i=s->method->ssl3_enc->mac(s,md,0); -- if (i < 0 || mac == NULL || memcmp(md, mac, mac_size) != 0) -+ if (i < 0 || mac == NULL || CRYPTO_memcmp(md,mac,mac_size) != 0) - { - decryption_failed_or_bad_record_mac = 1; - } -diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c -index 76b690e..03b6cf9 100644 ---- a/ssl/s2_clnt.c -+++ b/ssl/s2_clnt.c -@@ -939,7 +939,7 @@ static int get_server_verify(SSL *s) - s->msg_callback(0, s->version, 0, p, len, s, s->msg_callback_arg); /* SERVER-VERIFY */ - p += 1; - -- if (memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0) -+ if (CRYPTO_memcmp(p,s->s2->challenge,s->s2->challenge_length) != 0) - { - ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); - SSLerr(SSL_F_GET_SERVER_VERIFY,SSL_R_CHALLENGE_IS_DIFFERENT); -diff --git a/ssl/s2_pkt.c b/ssl/s2_pkt.c -index ac963b2..8bb6ab8 100644 ---- a/ssl/s2_pkt.c -+++ b/ssl/s2_pkt.c -@@ -269,8 +269,7 @@ static int ssl2_read_internal(SSL *s, void *buf, int len, int peek) - s->s2->ract_data_length-=mac_size; - ssl2_mac(s,mac,0); - s->s2->ract_data_length-=s->s2->padding; -- if ( (memcmp(mac,s->s2->mac_data, -- (unsigned 
int)mac_size) != 0) || -+ if ( (CRYPTO_memcmp(mac,s->s2->mac_data,mac_size) != 0) || - (s->s2->rlength%EVP_CIPHER_CTX_block_size(s->enc_read_ctx) != 0)) - { - SSLerr(SSL_F_SSL2_READ_INTERNAL,SSL_R_BAD_MAC_DECODE); -diff --git a/ssl/s3_both.c b/ssl/s3_both.c -index 918da35..ead01c8 100644 ---- a/ssl/s3_both.c -+++ b/ssl/s3_both.c -@@ -265,7 +265,7 @@ int ssl3_get_finished(SSL *s, int a, int b) - goto f_err; - } - -- if (memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) -+ if (CRYPTO_memcmp(p, s->s3->tmp.peer_finish_md, i) != 0) - { - al=SSL_AD_DECRYPT_ERROR; - SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_DIGEST_CHECK_FAILED); -diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c -index dca3458..3e11140 100644 ---- a/ssl/s3_pkt.c -+++ b/ssl/s3_pkt.c -@@ -463,7 +463,7 @@ printf("\n"); - #endif - } - i=s->method->ssl3_enc->mac(s,md,0); -- if (i < 0 || mac == NULL || memcmp(md, mac, (size_t)mac_size) != 0) -+ if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) - { - decryption_failed_or_bad_record_mac = 1; - } -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index d8df062..27010dd 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -2226,7 +2226,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, - HMAC_Update(&hctx, etick, eticklen); - HMAC_Final(&hctx, tick_hmac, NULL); - HMAC_CTX_cleanup(&hctx); -- if (memcmp(tick_hmac, etick + eticklen, mlen)) -+ if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) - return 2; - /* Attempt to decrypt session data */ - /* Move p after IV to start of encrypted ticket, update length */ --- -1.8.1 - diff --git a/patches/0002-Make-CBC-decoding-constant-time.patch b/patches/0002-Make-CBC-decoding-constant-time.patch deleted file mode 100644 index 1893aa2..0000000 --- a/patches/0002-Make-CBC-decoding-constant-time.patch +++ /dev/null 
@@ -1,1621 +0,0 @@ -From fb402b7cdeffc907a9464cb84aa1311b1f77832a Mon Sep 17 00:00:00 2001 -From: Adam Langley -Date: Wed, 16 Jan 2013 11:18:19 -0500 -Subject: [PATCH 2/2] Make CBC decoding constant time. - -This patch makes the decoding of SSLv3 and TLS CBC records constant -time. Without this, a timing side-channel can be used to build a padding -oracle and mount Vaudenay's attack. - -This patch also disables the stitched AESNI+SHA mode pending a similar -fix to that code. - -In order to be easy to backport, this change is implemented in ssl/, -rather than as a generic AEAD mode. In the future this should be changed -around so that HMAC isn't in ssl/, but crypto/ as FIPS expects. ---- - crypto/evp/c_allc.c | 2 + - ssl/Makefile | 4 +- - ssl/d1_enc.c | 59 ++--- - ssl/d1_pkt.c | 87 ++++--- - ssl/s3_cbc.c | 696 ++++++++++++++++++++++++++++++++++++++++++++++++++++ - ssl/s3_enc.c | 119 +++++---- - ssl/s3_pkt.c | 94 +++---- - ssl/ssl3.h | 4 + - ssl/ssl_algs.c | 3 + - ssl/ssl_locl.h | 34 +++ - ssl/t1_enc.c | 144 +++++------ - 11 files changed, 993 insertions(+), 253 deletions(-) - create mode 100644 ssl/s3_cbc.c - -diff --git a/crypto/evp/c_allc.c b/crypto/evp/c_allc.c -index 2a45d43..e230e60 100644 ---- a/crypto/evp/c_allc.c -+++ b/crypto/evp/c_allc.c -@@ -195,11 +195,13 @@ void OpenSSL_add_all_ciphers(void) - EVP_add_cipher(EVP_aes_256_xts()); - EVP_add_cipher_alias(SN_aes_256_cbc,"AES256"); - EVP_add_cipher_alias(SN_aes_256_cbc,"aes256"); -+#if 0 /* Disabled because of timing side-channel leaks. 
*/ - #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) - EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); - EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); - #endif - #endif -+#endif - - #ifndef OPENSSL_NO_CAMELLIA - EVP_add_cipher(EVP_camellia_128_ecb()); -diff --git a/ssl/Makefile b/ssl/Makefile -index feaf3e3..bdb49e2 100644 ---- a/ssl/Makefile -+++ b/ssl/Makefile -@@ -22,7 +22,7 @@ LIB=$(TOP)/libssl.a - SHARED_LIB= libssl$(SHLIB_EXT) - LIBSRC= \ - s2_meth.c s2_srvr.c s2_clnt.c s2_lib.c s2_enc.c s2_pkt.c \ -- s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c \ -+ s3_meth.c s3_srvr.c s3_clnt.c s3_lib.c s3_enc.c s3_pkt.c s3_both.c s3_cbc.c \ - s23_meth.c s23_srvr.c s23_clnt.c s23_lib.c s23_pkt.c \ - t1_meth.c t1_srvr.c t1_clnt.c t1_lib.c t1_enc.c \ - d1_meth.c d1_srvr.c d1_clnt.c d1_lib.c d1_pkt.c \ -@@ -33,7 +33,7 @@ LIBSRC= \ - bio_ssl.c ssl_err.c kssl.c tls_srp.c t1_reneg.c - LIBOBJ= \ - s2_meth.o s2_srvr.o s2_clnt.o s2_lib.o s2_enc.o s2_pkt.o \ -- s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o \ -+ s3_meth.o s3_srvr.o s3_clnt.o s3_lib.o s3_enc.o s3_pkt.o s3_both.o s3_cbc.o \ - s23_meth.o s23_srvr.o s23_clnt.o s23_lib.o s23_pkt.o \ - t1_meth.o t1_srvr.o t1_clnt.o t1_lib.o t1_enc.o \ - d1_meth.o d1_srvr.o d1_clnt.o d1_lib.o d1_pkt.o \ -diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c -index 07a5e97..712c464 100644 ---- a/ssl/d1_enc.c -+++ b/ssl/d1_enc.c -@@ -126,20 +126,28 @@ - #include - #endif - -+/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. -+ * -+ * Returns: -+ * 0: (in non-constant time) if the record is publically invalid (i.e. too -+ * short etc). -+ * 1: if the record's padding is valid / the encryption was successful. -+ * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, -+ * an internal error occured. 
*/ - int dtls1_enc(SSL *s, int send) - { - SSL3_RECORD *rec; - EVP_CIPHER_CTX *ds; - unsigned long l; -- int bs,i,ii,j,k,n=0; -+ int bs,i,j,k,mac_size=0; - const EVP_CIPHER *enc; - - if (send) - { - if (EVP_MD_CTX_md(s->write_hash)) - { -- n=EVP_MD_CTX_size(s->write_hash); -- if (n < 0) -+ mac_size=EVP_MD_CTX_size(s->write_hash); -+ if (mac_size < 0) - return -1; - } - ds=s->enc_write_ctx; -@@ -164,9 +172,8 @@ int dtls1_enc(SSL *s, int send) - { - if (EVP_MD_CTX_md(s->read_hash)) - { -- n=EVP_MD_CTX_size(s->read_hash); -- if (n < 0) -- return -1; -+ mac_size=EVP_MD_CTX_size(s->read_hash); -+ OPENSSL_assert(mac_size >= 0); - } - ds=s->enc_read_ctx; - rec= &(s->s3->rrec); -@@ -231,7 +238,7 @@ int dtls1_enc(SSL *s, int send) - if (!send) - { - if (l == 0 || l%bs != 0) -- return -1; -+ return 0; - } - - EVP_Cipher(ds,rec->data,rec->input,l); -@@ -246,43 +253,7 @@ int dtls1_enc(SSL *s, int send) - #endif /* KSSL_DEBUG */ - - if ((bs != 1) && !send) -- { -- ii=i=rec->data[l-1]; /* padding_length */ -- i++; -- if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) -- { -- /* First packet is even in size, so check */ -- if ((memcmp(s->s3->read_sequence, -- "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) -- s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; -- if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) -- i--; -- } -- /* TLS 1.0 does not bound the number of padding bytes by the block size. -- * All of them must have value 'padding_length'. */ -- if (i + bs > (int)rec->length) -- { -- /* Incorrect padding. 
SSLerr() and ssl3_alert are done -- * by caller: we don't want to reveal whether this is -- * a decryption error or a MAC verification failure -- * (see http://www.openssl.org/~bodo/tls-cbc.txt) -- */ -- return -1; -- } -- for (j=(int)(l-i); j<(int)l; j++) -- { -- if (rec->data[j] != ii) -- { -- /* Incorrect padding */ -- return -1; -- } -- } -- rec->length-=i; -- -- rec->data += bs; /* skip the implicit IV */ -- rec->input += bs; -- rec->length -= bs; -- } -+ return tls1_cbc_remove_padding(s, rec, bs, mac_size); - } - return(1); - } -diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c -index 5e2c56c..02c881a 100644 ---- a/ssl/d1_pkt.c -+++ b/ssl/d1_pkt.c -@@ -376,15 +376,11 @@ static int - dtls1_process_record(SSL *s) - { - int i,al; -- int clear=0; - int enc_err; - SSL_SESSION *sess; - SSL3_RECORD *rr; - unsigned int mac_size; - unsigned char md[EVP_MAX_MD_SIZE]; -- int decryption_failed_or_bad_record_mac = 0; -- unsigned char *mac = NULL; -- - - rr= &(s->s3->rrec); - sess = s->session; -@@ -414,14 +410,19 @@ dtls1_process_record(SSL *s) - - /* decrypt in place in 'rr->input' */ - rr->data=rr->input; -+ rr->orig_len=rr->length; - - enc_err = s->method->ssl3_enc->enc(s,0); -- if (enc_err <= 0) -+ /* enc_err is: -+ * 0: (in non-constant time) if the record is publically invalid. -+ * 1: if the padding is valid -+ * -1: if the padding is invalid */ -+ if (enc_err == 0) - { -- /* To minimize information leaked via timing, we will always -- * perform all computations before discarding the message. -- */ -- decryption_failed_or_bad_record_mac = 1; -+ /* For DTLS we simply ignore bad packets. 
*/ -+ rr->length = 0; -+ s->packet_length = 0; -+ goto err; - } - - #ifdef TLS_DEBUG -@@ -431,45 +432,59 @@ printf("\n"); - #endif - - /* r->length is now the compressed data plus mac */ -- if ( (sess == NULL) || -- (s->enc_read_ctx == NULL) || -- (s->read_hash == NULL)) -- clear=1; -- -- if (!clear) -+ if ((sess != NULL) && -+ (s->enc_read_ctx != NULL) && -+ (EVP_MD_CTX_md(s->read_hash) != NULL)) - { -- /* !clear => s->read_hash != NULL => mac_size != -1 */ -- int t; -- t=EVP_MD_CTX_size(s->read_hash); -- OPENSSL_assert(t >= 0); -- mac_size=t; -- -- if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) -+ /* s->read_hash != NULL => mac_size != -1 */ -+ unsigned char *mac = NULL; -+ unsigned char mac_tmp[EVP_MAX_MD_SIZE]; -+ mac_size=EVP_MD_CTX_size(s->read_hash); -+ OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); -+ -+ /* orig_len is the length of the record before any padding was -+ * removed. This is public information, as is the MAC in use, -+ * therefore we can safely process the record in a different -+ * amount of time if it's too short to possibly contain a MAC. -+ */ -+ if (rr->orig_len < mac_size || -+ /* CBC records must have a padding length byte too. 
*/ -+ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && -+ rr->orig_len < mac_size+1)) - { --#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ -- al=SSL_AD_RECORD_OVERFLOW; -- SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); -+ al=SSL_AD_DECODE_ERROR; -+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); - goto f_err; --#else -- decryption_failed_or_bad_record_mac = 1; --#endif - } -- /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ -- if (rr->length >= mac_size) -+ -+ if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) - { -+ /* We update the length so that the TLS header bytes -+ * can be constructed correctly but we need to extract -+ * the MAC in constant time from within the record, -+ * without leaking the contents of the padding bytes. -+ * */ -+ mac = mac_tmp; -+ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size); - rr->length -= mac_size; -- mac = &rr->data[rr->length]; - } - else -- rr->length = 0; -- i=s->method->ssl3_enc->mac(s,md,0); -- if (i < 0 || mac == NULL || CRYPTO_memcmp(md,mac,mac_size) != 0) - { -- decryption_failed_or_bad_record_mac = 1; -+ /* In this case there's no padding, so |rec->orig_len| -+ * equals |rec->length| and we checked that there's -+ * enough bytes for |mac_size| above. 
*/ -+ rr->length -= mac_size; -+ mac = &rr->data[rr->length]; - } -+ -+ i=s->method->ssl3_enc->mac(s,md,0 /* not send */); -+ if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) -+ enc_err = -1; -+ if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+mac_size) -+ enc_err = -1; - } - -- if (decryption_failed_or_bad_record_mac) -+ if (enc_err < 0) - { - /* decryption failed, silently discard message */ - rr->length = 0; -diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c -new file mode 100644 -index 0000000..e9b112c ---- /dev/null -+++ b/ssl/s3_cbc.c -@@ -0,0 +1,696 @@ -+/* ssl/s3_cbc.c */ -+/* ==================================================================== -+ * Copyright (c) 2012 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. 
Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ * -+ * This product includes cryptographic software written by Eric Young -+ * (eay@cryptsoft.com). This product includes software written by Tim -+ * Hudson (tjh@cryptsoft.com). -+ * -+ */ -+ -+#include -+ -+#include "ssl_locl.h" -+ -+#include -+#include -+ -+/* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length -+ * field. (SHA-384/512 have 128-bit length.) */ -+#define MAX_HASH_BIT_COUNT_BYTES 16 -+ -+/* MAX_HASH_BLOCK_SIZE is the maximum hash block size that we'll support. -+ * Currently SHA-384/512 has a 128-byte block size and that's the largest -+ * supported by TLS.) */ -+#define MAX_HASH_BLOCK_SIZE 128 -+ -+/* Some utility functions are needed: -+ * -+ * These macros return the given value with the MSB copied to all the other -+ * bits. They use the fact that arithmetic shift shifts-in the sign bit. 
-+ * However, this is not ensured by the C standard so you may need to replace -+ * them with something else on odd CPUs. */ -+#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) ) -+#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x))) -+ -+/* constant_time_ge returns 0xff if a>=b and 0x00 otherwise. */ -+static unsigned constant_time_ge(unsigned a, unsigned b) -+ { -+ a -= b; -+ return DUPLICATE_MSB_TO_ALL(~a); -+ } -+ -+/* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */ -+static unsigned char constant_time_eq_8(unsigned char a, unsigned char b) -+ { -+ unsigned c = a ^ b; -+ c--; -+ return DUPLICATE_MSB_TO_ALL_8(c); -+ } -+ -+/* ssl3_cbc_remove_padding removes padding from the decrypted, SSLv3, CBC -+ * record in |rec| by updating |rec->length| in constant time. -+ * -+ * block_size: the block size of the cipher used to encrypt the record. -+ * returns: -+ * 0: (in non-constant time) if the record is publicly invalid. -+ * 1: if the padding was valid -+ * -1: otherwise. */ -+int ssl3_cbc_remove_padding(const SSL* s, -+ SSL3_RECORD *rec, -+ unsigned block_size, -+ unsigned mac_size) -+ { -+ unsigned padding_length, good; -+ const unsigned overhead = 1 /* padding length byte */ + mac_size; -+ -+ /* These lengths are all public so we can test them in non-constant -+ * time. */ -+ if (overhead > rec->length) -+ return 0; -+ -+ padding_length = rec->data[rec->length-1]; -+ good = constant_time_ge(rec->length, padding_length+overhead); -+ /* SSLv3 requires that the padding is minimal. */ -+ good &= constant_time_ge(block_size, padding_length+1); -+ rec->length -= good & (padding_length+1); -+ return (int)((good & 1) | (~good & -1)); -+} -+ -+/* tls1_cbc_remove_padding removes the CBC padding from the decrypted, TLS, CBC -+ * record in |rec| in constant time and returns 1 if the padding is valid and -+ * -1 otherwise. 
It also removes any explicit IV from the start of the record -+ * without leaking any timing about whether there was enough space after the -+ * padding was removed. -+ * -+ * block_size: the block size of the cipher used to encrypt the record. -+ * returns: -+ * 0: (in non-constant time) if the record is publicly invalid. -+ * 1: if the padding was valid -+ * -1: otherwise. */ -+int tls1_cbc_remove_padding(const SSL* s, -+ SSL3_RECORD *rec, -+ unsigned block_size, -+ unsigned mac_size) -+ { -+ unsigned padding_length, good, to_check, i; -+ const char has_explicit_iv = -+ s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION; -+ const unsigned overhead = 1 /* padding length byte */ + -+ mac_size + -+ (has_explicit_iv ? block_size : 0); -+ -+ /* These lengths are all public so we can test them in non-constant -+ * time. */ -+ if (overhead > rec->length) -+ return 0; -+ -+ padding_length = rec->data[rec->length-1]; -+ -+ /* NB: if compression is in operation the first packet may not be of -+ * even length so the padding bug check cannot be performed. This bug -+ * workaround has been around since SSLeay so hopefully it is either -+ * fixed now or no buggy implementation supports compression [steve] -+ */ -+ if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) && !s->expand) -+ { -+ /* First packet is even in size, so check */ -+ if ((memcmp(s->s3->read_sequence, "\0\0\0\0\0\0\0\0",8) == 0) && -+ !(padding_length & 1)) -+ { -+ s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; -+ } -+ if ((s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) && -+ padding_length > 0) -+ { -+ padding_length--; -+ } -+ } -+ -+ good = constant_time_ge(rec->length, overhead+padding_length); -+ /* The padding consists of a length byte at the end of the record and -+ * then that many bytes of padding, all with the same value as the -+ * length byte. Thus, with the length byte included, there are i+1 -+ * bytes of padding. 
-+ * -+ * We can't check just |padding_length+1| bytes because that leaks -+ * decrypted information. Therefore we always have to check the maximum -+ * amount of padding possible. (Again, the length of the record is -+ * public information so we can use it.) */ -+ to_check = 255; /* maximum amount of padding. */ -+ if (to_check > rec->length-1) -+ to_check = rec->length-1; -+ -+ for (i = 0; i < to_check; i++) -+ { -+ unsigned char mask = constant_time_ge(padding_length, i); -+ unsigned char b = rec->data[rec->length-1-i]; -+ /* The final |padding_length+1| bytes should all have the value -+ * |padding_length|. Therefore the XOR should be zero. */ -+ good &= ~(mask&(padding_length ^ b)); -+ } -+ -+ /* If any of the final |padding_length+1| bytes had the wrong value, -+ * one or more of the lower eight bits of |good| will be cleared. We -+ * AND the bottom 8 bits together and duplicate the result to all the -+ * bits. */ -+ good &= good >> 4; -+ good &= good >> 2; -+ good &= good >> 1; -+ good <<= sizeof(good)*8-1; -+ good = DUPLICATE_MSB_TO_ALL(good); -+ -+ rec->length -= good & (padding_length+1); -+ -+ /* We can always safely skip the explicit IV. We check at the beginning -+ * of this function that the record has at least enough space for the -+ * IV, MAC and padding length byte. (These can be checked in -+ * non-constant time because it's all public information.) So, if the -+ * padding was invalid, then we didn't change |rec->length| and this is -+ * safe. If the padding was valid then we know that we have at least -+ * overhead+padding_length bytes of space and so this is still safe -+ * because overhead accounts for the explicit IV. 
*/ -+ if (has_explicit_iv) -+ { -+ rec->data += block_size; -+ rec->input += block_size; -+ rec->length -= block_size; -+ rec->orig_len -= block_size; -+ } -+ -+ return (int)((good & 1) | (~good & -1)); -+ } -+ -+#if defined(_M_AMD64) || defined(__x86_64__) -+#define CBC_MAC_ROTATE_IN_PLACE -+#endif -+ -+/* ssl3_cbc_copy_mac copies |md_size| bytes from the end of |rec| to |out| in -+ * constant time (independent of the concrete value of rec->length, which may -+ * vary within a 256-byte window). -+ * -+ * ssl3_cbc_remove_padding or tls1_cbc_remove_padding must be called prior to -+ * this function. -+ * -+ * On entry: -+ * rec->orig_len >= md_size -+ * md_size <= EVP_MAX_MD_SIZE -+ * -+ * If CBC_MAC_ROTATE_IN_PLACE is defined then the rotation is performed with -+ * variable accesses in a 64-byte-aligned buffer. Assuming that this fits into -+ * a single cache-line, then the variable memory accesses don't actually affect -+ * the timing. This has been tested to be true on Intel amd64 chips. -+ */ -+void ssl3_cbc_copy_mac(unsigned char* out, -+ const SSL3_RECORD *rec, -+ unsigned md_size) -+ { -+#if defined(CBC_MAC_ROTATE_IN_PLACE) -+ unsigned char rotated_mac_buf[EVP_MAX_MD_SIZE*2]; -+ unsigned char *rotated_mac; -+#else -+ unsigned char rotated_mac[EVP_MAX_MD_SIZE]; -+#endif -+ -+ /* mac_end is the index of |rec->data| just after the end of the MAC. */ -+ unsigned mac_end = rec->length; -+ unsigned mac_start = mac_end - md_size; -+ /* scan_start contains the number of bytes that we can ignore because -+ * the MAC's position can only vary by 255 bytes. */ -+ unsigned scan_start = 0; -+ unsigned i, j; -+ unsigned div_spoiler; -+ unsigned rotate_offset; -+ -+ OPENSSL_assert(rec->orig_len >= md_size); -+ OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); -+ -+#if defined(CBC_MAC_ROTATE_IN_PLACE) -+ rotated_mac = (unsigned char*) (((intptr_t)(rotated_mac_buf + 64)) & ~63); -+#endif -+ -+ /* This information is public so it's safe to branch based on it. 
*/ -+ if (rec->orig_len > md_size + 255 + 1) -+ scan_start = rec->orig_len - (md_size + 255 + 1); -+ /* div_spoiler contains a multiple of md_size that is used to cause the -+ * modulo operation to be constant time. Without this, the time varies -+ * based on the amount of padding when running on Intel chips at least. -+ * -+ * The aim of right-shifting md_size is so that the compiler doesn't -+ * figure out that it can remove div_spoiler as that would require it -+ * to prove that md_size is always even, which I hope is beyond it. */ -+ div_spoiler = md_size >> 1; -+ div_spoiler <<= (sizeof(div_spoiler)-1)*8; -+ rotate_offset = (div_spoiler + mac_start - scan_start) % md_size; -+ -+ memset(rotated_mac, 0, md_size); -+ for (i = scan_start; i < rec->orig_len;) -+ { -+ for (j = 0; j < md_size && i < rec->orig_len; i++, j++) -+ { -+ unsigned char mac_started = constant_time_ge(i, mac_start); -+ unsigned char mac_ended = constant_time_ge(i, mac_end); -+ unsigned char b = 0; -+ b = rec->data[i]; -+ rotated_mac[j] |= b & mac_started & ~mac_ended; -+ } -+ } -+ -+ /* Now rotate the MAC */ -+#if defined(CBC_MAC_ROTATE_IN_PLACE) -+ j = 0; -+ for (i = 0; i < md_size; i++) -+ { -+ unsigned char offset = (div_spoiler + rotate_offset + i) % md_size; -+ out[j++] = rotated_mac[offset]; -+ } -+#else -+ memset(out, 0, md_size); -+ for (i = 0; i < md_size; i++) -+ { -+ unsigned char offset = (div_spoiler + md_size - rotate_offset + i) % md_size; -+ for (j = 0; j < md_size; j++) -+ out[j] |= rotated_mac[i] & constant_time_eq_8(j, offset); -+ } -+#endif -+ } -+ -+/* These functions serialize the state of a hash and thus perform the standard -+ * "final" operation without adding the padding and length that such a function -+ * typically does. 
*/ -+static void tls1_md5_final_raw(void* ctx, unsigned char *md_out) -+ { -+ MD5_CTX *md5 = ctx; -+ l2n(md5->A, md_out); -+ l2n(md5->B, md_out); -+ l2n(md5->C, md_out); -+ l2n(md5->D, md_out); -+ } -+ -+static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out) -+ { -+ SHA_CTX *sha1 = ctx; -+ l2n(sha1->h0, md_out); -+ l2n(sha1->h1, md_out); -+ l2n(sha1->h2, md_out); -+ l2n(sha1->h3, md_out); -+ l2n(sha1->h4, md_out); -+ } -+ -+static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out) -+ { -+ SHA256_CTX *sha256 = ctx; -+ unsigned i; -+ -+ for (i = 0; i < 8; i++) -+ { -+ l2n(sha256->h[i], md_out); -+ } -+ } -+ -+static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) -+ { -+ SHA512_CTX *sha512 = ctx; -+ unsigned i; -+ -+ for (i = 0; i < 8; i++) -+ { -+ l2n8(sha512->h[i], md_out); -+ } -+ } -+ -+/* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function -+ * which ssl3_cbc_digest_record supports. */ -+char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) -+ { -+ switch (ctx->digest->type) -+ { -+ case NID_md5: -+ case NID_sha1: -+ case NID_sha224: -+ case NID_sha256: -+ case NID_sha384: -+ case NID_sha512: -+ return 1; -+ default: -+ return 0; -+ } -+ } -+ -+/* ssl3_cbc_digest_record computes the MAC of a decrypted, padded SSLv3/TLS -+ * record. -+ * -+ * ctx: the EVP_MD_CTX from which we take the hash function. -+ * ssl3_cbc_record_digest_supported must return true for this EVP_MD_CTX. -+ * md_out: the digest output. At most EVP_MAX_MD_SIZE bytes will be written. -+ * md_out_size: if non-NULL, the number of output bytes is written here. -+ * header: the 13-byte, TLS record header. -+ * data: the record data itself, less any preceeding explicit IV. -+ * data_plus_mac_size: the secret, reported length of the data and MAC -+ * once the padding has been removed. -+ * data_plus_mac_plus_padding_size: the public length of the whole -+ * record, including padding. -+ * is_sslv3: non-zero if we are to use SSLv3. 
Otherwise, TLS. -+ * -+ * On entry: by virtue of having been through one of the remove_padding -+ * functions, above, we know that data_plus_mac_size is large enough to contain -+ * a padding byte and MAC. (If the padding was invalid, it might contain the -+ * padding too. ) */ -+void ssl3_cbc_digest_record( -+ const EVP_MD_CTX *ctx, -+ unsigned char* md_out, -+ size_t* md_out_size, -+ const unsigned char header[13], -+ const unsigned char *data, -+ size_t data_plus_mac_size, -+ size_t data_plus_mac_plus_padding_size, -+ const unsigned char *mac_secret, -+ unsigned mac_secret_length, -+ char is_sslv3) -+ { -+ unsigned char md_state[sizeof(SHA512_CTX)]; -+ void (*md_final_raw)(void *ctx, unsigned char *md_out); -+ void (*md_transform)(void *ctx, const unsigned char *block); -+ unsigned md_size, md_block_size = 64; -+ unsigned sslv3_pad_length = 40, header_length, variance_blocks, -+ len, max_mac_bytes, num_blocks, -+ num_starting_blocks, k, mac_end_offset, c, index_a, index_b; -+ uint64_t bits; -+ unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES]; -+ /* hmac_pad is the masked HMAC key. */ -+ unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; -+ unsigned char first_block[MAX_HASH_BLOCK_SIZE]; -+ unsigned char mac_out[EVP_MAX_MD_SIZE]; -+ unsigned i, j, md_out_size_u; -+ EVP_MD_CTX md_ctx; -+ /* mdLengthSize is the number of bytes in the length field that terminates -+ * the hash. */ -+ unsigned md_length_size = 8; -+ -+ /* This is a, hopefully redundant, check that allows us to forget about -+ * many possible overflows later in this function. 
*/ -+ OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024); -+ -+ switch (ctx->digest->type) -+ { -+ case NID_md5: -+ MD5_Init((MD5_CTX*)md_state); -+ md_final_raw = tls1_md5_final_raw; -+ md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform; -+ md_size = 16; -+ sslv3_pad_length = 48; -+ break; -+ case NID_sha1: -+ SHA1_Init((SHA_CTX*)md_state); -+ md_final_raw = tls1_sha1_final_raw; -+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform; -+ md_size = 20; -+ break; -+ case NID_sha224: -+ SHA224_Init((SHA256_CTX*)md_state); -+ md_final_raw = tls1_sha256_final_raw; -+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; -+ md_size = 224/8; -+ break; -+ case NID_sha256: -+ SHA256_Init((SHA256_CTX*)md_state); -+ md_final_raw = tls1_sha256_final_raw; -+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; -+ md_size = 32; -+ break; -+ case NID_sha384: -+ SHA384_Init((SHA512_CTX*)md_state); -+ md_final_raw = tls1_sha512_final_raw; -+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; -+ md_size = 384/8; -+ md_block_size = 128; -+ md_length_size = 16; -+ break; -+ case NID_sha512: -+ SHA512_Init((SHA512_CTX*)md_state); -+ md_final_raw = tls1_sha512_final_raw; -+ md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; -+ md_size = 64; -+ md_block_size = 128; -+ md_length_size = 16; -+ break; -+ default: -+ /* ssl3_cbc_record_digest_supported should have been -+ * called first to check that the hash function is -+ * supported. 
*/ -+ OPENSSL_assert(0); -+ if (md_out_size) -+ *md_out_size = -1; -+ return; -+ } -+ -+ OPENSSL_assert(md_length_size <= MAX_HASH_BIT_COUNT_BYTES); -+ OPENSSL_assert(md_block_size <= MAX_HASH_BLOCK_SIZE); -+ OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); -+ -+ header_length = 13; -+ if (is_sslv3) -+ { -+ header_length = -+ mac_secret_length + -+ sslv3_pad_length + -+ 8 /* sequence number */ + -+ 1 /* record type */ + -+ 2 /* record length */; -+ } -+ -+ /* variance_blocks is the number of blocks of the hash that we have to -+ * calculate in constant time because they could be altered by the -+ * padding value. -+ * -+ * In SSLv3, the padding must be minimal so the end of the plaintext -+ * varies by, at most, 15+20 = 35 bytes. (We conservatively assume that -+ * the MAC size varies from 0..20 bytes.) In case the 9 bytes of hash -+ * termination (0x80 + 64-bit length) don't fit in the final block, we -+ * say that the final two blocks can vary based on the padding. -+ * -+ * TLSv1 has MACs up to 48 bytes long (SHA-384) and the padding is not -+ * required to be minimal. Therefore we say that the final six blocks -+ * can vary based on the padding. -+ * -+ * Later in the function, if the message is short and there obviously -+ * cannot be this many blocks then variance_blocks can be reduced. */ -+ variance_blocks = is_sslv3 ? 2 : 6; -+ /* From now on we're dealing with the MAC, which conceptually has 13 -+ * bytes of `header' before the start of the data (TLS) or 71/75 bytes -+ * (SSLv3) */ -+ len = data_plus_mac_plus_padding_size + header_length; -+ /* max_mac_bytes contains the maximum bytes of bytes in the MAC, including -+ * |header|, assuming that there's no padding. */ -+ max_mac_bytes = len - md_size - 1; -+ /* num_blocks is the maximum number of hash blocks. 
*/ -+ num_blocks = (max_mac_bytes + 1 + md_length_size + md_block_size - 1) / md_block_size; -+ /* In order to calculate the MAC in constant time we have to handle -+ * the final blocks specially because the padding value could cause the -+ * end to appear somewhere in the final |variance_blocks| blocks and we -+ * can't leak where. However, |num_starting_blocks| worth of data can -+ * be hashed right away because no padding value can affect whether -+ * they are plaintext. */ -+ num_starting_blocks = 0; -+ /* k is the starting byte offset into the conceptual header||data where -+ * we start processing. */ -+ k = 0; -+ /* mac_end_offset is the index just past the end of the data to be -+ * MACed. */ -+ mac_end_offset = data_plus_mac_size + header_length - md_size; -+ /* c is the index of the 0x80 byte in the final hash block that -+ * contains application data. */ -+ c = mac_end_offset % md_block_size; -+ /* index_a is the hash block number that contains the 0x80 terminating -+ * value. */ -+ index_a = mac_end_offset / md_block_size; -+ /* index_b is the hash block number that contains the 64-bit hash -+ * length, in bits. */ -+ index_b = (mac_end_offset + md_length_size) / md_block_size; -+ /* bits is the hash-length in bits. It includes the additional hash -+ * block for the masked HMAC key, or whole of |header| in the case of -+ * SSLv3. */ -+ -+ /* For SSLv3, if we're going to have any starting blocks then we need -+ * at least two because the header is larger than a single block. */ -+ if (num_blocks > variance_blocks + (is_sslv3 ? 1 : 0)) -+ { -+ num_starting_blocks = num_blocks - variance_blocks; -+ k = md_block_size*num_starting_blocks; -+ } -+ -+ bits = 8*mac_end_offset; -+ if (!is_sslv3) -+ { -+ /* Compute the initial HMAC block. For SSLv3, the padding and -+ * secret bytes are included in |header| because they take more -+ * than a single block. 
*/ -+ bits += 8*md_block_size; -+ memset(hmac_pad, 0, md_block_size); -+ OPENSSL_assert(mac_secret_length <= sizeof(hmac_pad)); -+ memcpy(hmac_pad, mac_secret, mac_secret_length); -+ for (i = 0; i < md_block_size; i++) -+ hmac_pad[i] ^= 0x36; -+ -+ md_transform(md_state, hmac_pad); -+ } -+ -+ j = 0; -+ if (md_length_size == 16) -+ { -+ memset(length_bytes, 0, 8); -+ j = 8; -+ } -+ for (i = 0; i < 8; i++) -+ length_bytes[i+j] = bits >> (8*(7-i)); -+ -+ if (k > 0) -+ { -+ if (is_sslv3) -+ { -+ /* The SSLv3 header is larger than a single block. -+ * overhang is the number of bytes beyond a single -+ * block that the header consumes: either 7 bytes -+ * (SHA1) or 11 bytes (MD5). */ -+ unsigned overhang = header_length-md_block_size; -+ md_transform(md_state, header); -+ memcpy(first_block, header + md_block_size, overhang); -+ memcpy(first_block + overhang, data, md_block_size-overhang); -+ md_transform(md_state, first_block); -+ for (i = 1; i < k/md_block_size - 1; i++) -+ md_transform(md_state, data + md_block_size*i - overhang); -+ } -+ else -+ { -+ /* k is a multiple of md_block_size. */ -+ memcpy(first_block, header, 13); -+ memcpy(first_block+13, data, md_block_size-13); -+ md_transform(md_state, first_block); -+ for (i = 1; i < k/md_block_size; i++) -+ md_transform(md_state, data + md_block_size*i - 13); -+ } -+ } -+ -+ memset(mac_out, 0, sizeof(mac_out)); -+ -+ /* We now process the final hash blocks. For each block, we construct -+ * it in constant time. If the |i==index_a| then we'll include the 0x80 -+ * bytes and zero pad etc. For each block we selectively copy it, in -+ * constant time, to |mac_out|. 
*/ -+ for (i = num_starting_blocks; i <= num_starting_blocks+variance_blocks; i++) -+ { -+ unsigned char block[MAX_HASH_BLOCK_SIZE]; -+ unsigned char is_block_a = constant_time_eq_8(i, index_a); -+ unsigned char is_block_b = constant_time_eq_8(i, index_b); -+ for (j = 0; j < md_block_size; j++) -+ { -+ unsigned char b = 0, is_past_c, is_past_cp1; -+ if (k < header_length) -+ b = header[k]; -+ else if (k < data_plus_mac_plus_padding_size + header_length) -+ b = data[k-header_length]; -+ k++; -+ -+ is_past_c = is_block_a & constant_time_ge(j, c); -+ is_past_cp1 = is_block_a & constant_time_ge(j, c+1); -+ /* If this is the block containing the end of the -+ * application data, and we are at the offset for the -+ * 0x80 value, then overwrite b with 0x80. */ -+ b = (b&~is_past_c) | (0x80&is_past_c); -+ /* If this the the block containing the end of the -+ * application data and we're past the 0x80 value then -+ * just write zero. */ -+ b = b&~is_past_cp1; -+ /* If this is index_b (the final block), but not -+ * index_a (the end of the data), then the 64-bit -+ * length didn't fit into index_a and we're having to -+ * add an extra block of zeros. */ -+ b &= ~is_block_b | is_block_a; -+ -+ /* The final bytes of one of the blocks contains the -+ * length. */ -+ if (j >= md_block_size - md_length_size) -+ { -+ /* If this is index_b, write a length byte. */ -+ b = (b&~is_block_b) | (is_block_b&length_bytes[j-(md_block_size-md_length_size)]); -+ } -+ block[j] = b; -+ } -+ -+ md_transform(md_state, block); -+ md_final_raw(md_state, block); -+ /* If this is index_b, copy the hash value to |mac_out|. */ -+ for (j = 0; j < md_size; j++) -+ mac_out[j] |= block[j]&is_block_b; -+ } -+ -+ EVP_MD_CTX_init(&md_ctx); -+ EVP_DigestInit_ex(&md_ctx, ctx->digest, NULL /* engine */); -+ if (is_sslv3) -+ { -+ /* We repurpose |hmac_pad| to contain the SSLv3 pad2 block. 
*/ -+ memset(hmac_pad, 0x5c, sslv3_pad_length); -+ -+ EVP_DigestUpdate(&md_ctx, mac_secret, mac_secret_length); -+ EVP_DigestUpdate(&md_ctx, hmac_pad, sslv3_pad_length); -+ EVP_DigestUpdate(&md_ctx, mac_out, md_size); -+ } -+ else -+ { -+ /* Complete the HMAC in the standard manner. */ -+ for (i = 0; i < md_block_size; i++) -+ hmac_pad[i] ^= 0x6a; -+ -+ EVP_DigestUpdate(&md_ctx, hmac_pad, md_block_size); -+ EVP_DigestUpdate(&md_ctx, mac_out, md_size); -+ } -+ EVP_DigestFinal(&md_ctx, md_out, &md_out_size_u); -+ if (md_out_size) -+ *md_out_size = md_out_size_u; -+ EVP_MD_CTX_cleanup(&md_ctx); -+ } -diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c -index c5df2cb..a0eac77 100644 ---- a/ssl/s3_enc.c -+++ b/ssl/s3_enc.c -@@ -466,12 +466,21 @@ void ssl3_cleanup_key_block(SSL *s) - s->s3->tmp.key_block_length=0; - } - -+/* ssl3_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. -+ * -+ * Returns: -+ * 0: (in non-constant time) if the record is publically invalid (i.e. too -+ * short etc). -+ * 1: if the record's padding is valid / the encryption was successful. -+ * -1: if the record's padding is invalid or, if sending, an internal error -+ * occured. -+ */ - int ssl3_enc(SSL *s, int send) - { - SSL3_RECORD *rec; - EVP_CIPHER_CTX *ds; - unsigned long l; -- int bs,i; -+ int bs,i,mac_size=0; - const EVP_CIPHER *enc; - - if (send) -@@ -522,32 +531,16 @@ int ssl3_enc(SSL *s, int send) - if (!send) - { - if (l == 0 || l%bs != 0) -- { -- SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); -- ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); - return 0; -- } - /* otherwise, rec->length >= bs */ - } - - EVP_Cipher(ds,rec->data,rec->input,l); - -+ if (EVP_MD_CTX_md(s->read_hash) != NULL) -+ mac_size = EVP_MD_CTX_size(s->read_hash); - if ((bs != 1) && !send) -- { -- i=rec->data[l-1]+1; -- /* SSL 3.0 bounds the number of padding bytes by the block size; -- * padding bytes (except the last one) are arbitrary */ -- if (i > bs) -- { -- /* Incorrect padding. 
SSLerr() and ssl3_alert are done -- * by caller: we don't want to reveal whether this is -- * a decryption error or a MAC verification failure -- * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ -- return -1; -- } -- /* now i <= bs <= rec->length */ -- rec->length-=i; -- } -+ return ssl3_cbc_remove_padding(s, rec, bs, mac_size); - } - return(1); - } -@@ -716,7 +709,7 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send) - EVP_MD_CTX md_ctx; - const EVP_MD_CTX *hash; - unsigned char *p,rec_char; -- unsigned int md_size; -+ size_t md_size; - int npad; - int t; - -@@ -741,28 +734,68 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send) - md_size=t; - npad=(48/md_size)*md_size; - -- /* Chop the digest off the end :-) */ -- EVP_MD_CTX_init(&md_ctx); -- -- EVP_MD_CTX_copy_ex( &md_ctx,hash); -- EVP_DigestUpdate(&md_ctx,mac_sec,md_size); -- EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad); -- EVP_DigestUpdate(&md_ctx,seq,8); -- rec_char=rec->type; -- EVP_DigestUpdate(&md_ctx,&rec_char,1); -- p=md; -- s2n(rec->length,p); -- EVP_DigestUpdate(&md_ctx,md,2); -- EVP_DigestUpdate(&md_ctx,rec->input,rec->length); -- EVP_DigestFinal_ex( &md_ctx,md,NULL); -- -- EVP_MD_CTX_copy_ex( &md_ctx,hash); -- EVP_DigestUpdate(&md_ctx,mac_sec,md_size); -- EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad); -- EVP_DigestUpdate(&md_ctx,md,md_size); -- EVP_DigestFinal_ex( &md_ctx,md,&md_size); -- -- EVP_MD_CTX_cleanup(&md_ctx); -+ if (!send && -+ EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && -+ ssl3_cbc_record_digest_supported(hash)) -+ { -+ /* This is a CBC-encrypted record. We must avoid leaking any -+ * timing-side channel information about how many blocks of -+ * data we are hashing because that gives an attacker a -+ * timing-oracle. */ -+ -+ /* npad is, at most, 48 bytes and that's with MD5: -+ * 16 + 48 + 8 (sequence bytes) + 1 + 2 = 75. 
-+ * -+ * With SHA-1 (the largest hash speced for SSLv3) the hash size -+ * goes up 4, but npad goes down by 8, resulting in a smaller -+ * total size. */ -+ unsigned char header[75]; -+ unsigned j = 0; -+ memcpy(header+j, mac_sec, md_size); -+ j += md_size; -+ memcpy(header+j, ssl3_pad_1, npad); -+ j += npad; -+ memcpy(header+j, seq, 8); -+ j += 8; -+ header[j++] = rec->type; -+ header[j++] = rec->length >> 8; -+ header[j++] = rec->length & 0xff; -+ -+ ssl3_cbc_digest_record( -+ hash, -+ md, &md_size, -+ header, rec->input, -+ rec->length + md_size, rec->orig_len, -+ mac_sec, md_size, -+ 1 /* is SSLv3 */); -+ } -+ else -+ { -+ unsigned int md_size_u; -+ /* Chop the digest off the end :-) */ -+ EVP_MD_CTX_init(&md_ctx); -+ -+ EVP_MD_CTX_copy_ex( &md_ctx,hash); -+ EVP_DigestUpdate(&md_ctx,mac_sec,md_size); -+ EVP_DigestUpdate(&md_ctx,ssl3_pad_1,npad); -+ EVP_DigestUpdate(&md_ctx,seq,8); -+ rec_char=rec->type; -+ EVP_DigestUpdate(&md_ctx,&rec_char,1); -+ p=md; -+ s2n(rec->length,p); -+ EVP_DigestUpdate(&md_ctx,md,2); -+ EVP_DigestUpdate(&md_ctx,rec->input,rec->length); -+ EVP_DigestFinal_ex( &md_ctx,md,NULL); -+ -+ EVP_MD_CTX_copy_ex( &md_ctx,hash); -+ EVP_DigestUpdate(&md_ctx,mac_sec,md_size); -+ EVP_DigestUpdate(&md_ctx,ssl3_pad_2,npad); -+ EVP_DigestUpdate(&md_ctx,md,md_size); -+ EVP_DigestFinal_ex( &md_ctx,md,&md_size_u); -+ md_size = md_size_u; -+ -+ EVP_MD_CTX_cleanup(&md_ctx); -+ } - - ssl3_record_sequence_update(seq); - return(md_size); -diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c -index 3e11140..dba6653 100644 ---- a/ssl/s3_pkt.c -+++ b/ssl/s3_pkt.c -@@ -290,11 +290,8 @@ static int ssl3_get_record(SSL *s) - unsigned char *p; - unsigned char md[EVP_MAX_MD_SIZE]; - short version; -- int mac_size; -- int clear=0; -+ unsigned mac_size; - size_t extra; -- int decryption_failed_or_bad_record_mac = 0; -- unsigned char *mac = NULL; - - rr= &(s->s3->rrec); - sess=s->session; -@@ -401,19 +398,18 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); - - 
/* decrypt in place in 'rr->input' */ - rr->data=rr->input; -+ rr->orig_len=rr->length; - - enc_err = s->method->ssl3_enc->enc(s,0); -- if (enc_err <= 0) -+ /* enc_err is: -+ * 0: (in non-constant time) if the record is publically invalid. -+ * 1: if the padding is valid -+ * -1: if the padding is invalid */ -+ if (enc_err == 0) - { -- if (enc_err == 0) -- /* SSLerr() and ssl3_send_alert() have been called */ -- goto err; -- -- /* Otherwise enc_err == -1, which indicates bad padding -- * (rec->length has not been changed in this case). -- * To minimize information leaked via timing, we will perform -- * the MAC computation anyway. */ -- decryption_failed_or_bad_record_mac = 1; -+ al=SSL_AD_DECRYPTION_FAILED; -+ SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); -+ goto f_err; - } - - #ifdef TLS_DEBUG -@@ -423,53 +419,59 @@ printf("\n"); - #endif - - /* r->length is now the compressed data plus mac */ -- if ( (sess == NULL) || -- (s->enc_read_ctx == NULL) || -- (EVP_MD_CTX_md(s->read_hash) == NULL)) -- clear=1; -- -- if (!clear) -+ if ((sess != NULL) && -+ (s->enc_read_ctx != NULL) && -+ (EVP_MD_CTX_md(s->read_hash) != NULL)) - { -- /* !clear => s->read_hash != NULL => mac_size != -1 */ -+ /* s->read_hash != NULL => mac_size != -1 */ -+ unsigned char *mac = NULL; -+ unsigned char mac_tmp[EVP_MAX_MD_SIZE]; - mac_size=EVP_MD_CTX_size(s->read_hash); -- OPENSSL_assert(mac_size >= 0); -+ OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); - -- if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) -+ /* orig_len is the length of the record before any padding was -+ * removed. This is public information, as is the MAC in use, -+ * therefore we can safely process the record in a different -+ * amount of time if it's too short to possibly contain a MAC. -+ */ -+ if (rr->orig_len < mac_size || -+ /* CBC records must have a padding length byte too. 
*/ -+ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && -+ rr->orig_len < mac_size+1)) - { --#if 0 /* OK only for stream ciphers (then rr->length is visible from ciphertext anyway) */ -- al=SSL_AD_RECORD_OVERFLOW; -- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); -+ al=SSL_AD_DECODE_ERROR; -+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); - goto f_err; --#else -- decryption_failed_or_bad_record_mac = 1; --#endif - } -- /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ -- if (rr->length >= (unsigned int)mac_size) -+ -+ if (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE) - { -+ /* We update the length so that the TLS header bytes -+ * can be constructed correctly but we need to extract -+ * the MAC in constant time from within the record, -+ * without leaking the contents of the padding bytes. -+ * */ -+ mac = mac_tmp; -+ ssl3_cbc_copy_mac(mac_tmp, rr, mac_size); - rr->length -= mac_size; -- mac = &rr->data[rr->length]; - } - else - { -- /* record (minus padding) is too short to contain a MAC */ --#if 0 /* OK only for stream ciphers */ -- al=SSL_AD_DECODE_ERROR; -- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); -- goto f_err; --#else -- decryption_failed_or_bad_record_mac = 1; -- rr->length = 0; --#endif -+ /* In this case there's no padding, so |rec->orig_len| -+ * equals |rec->length| and we checked that there's -+ * enough bytes for |mac_size| above. 
*/ -+ rr->length -= mac_size; -+ mac = &rr->data[rr->length]; - } -- i=s->method->ssl3_enc->mac(s,md,0); -+ -+ i=s->method->ssl3_enc->mac(s,md,0 /* not send */); - if (i < 0 || mac == NULL || CRYPTO_memcmp(md, mac, (size_t)mac_size) != 0) -- { -- decryption_failed_or_bad_record_mac = 1; -- } -+ enc_err = -1; -+ if (rr->length > SSL3_RT_MAX_COMPRESSED_LENGTH+extra+mac_size) -+ enc_err = -1; - } - -- if (decryption_failed_or_bad_record_mac) -+ if (enc_err < 0) - { - /* A separate 'decryption_failed' alert was introduced with TLS 1.0, - * SSL 3.0 only has 'bad_record_mac'. But unless a decryption -diff --git a/ssl/ssl3.h b/ssl/ssl3.h -index 247e88c..87d3e0f 100644 ---- a/ssl/ssl3.h -+++ b/ssl/ssl3.h -@@ -355,6 +355,10 @@ typedef struct ssl3_record_st - /*r */ unsigned char *comp; /* only used with decompression - malloc()ed */ - /*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */ - /*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ -+/*rw*/ unsigned int orig_len; /* How many bytes were available before padding -+ was removed? This is used to implement the -+ MAC check in constant time for CBC records. -+ */ - } SSL3_RECORD; - - typedef struct ssl3_buffer_st -diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c -index d443143..41ccbaa 100644 ---- a/ssl/ssl_algs.c -+++ b/ssl/ssl_algs.c -@@ -90,11 +90,14 @@ int SSL_library_init(void) - EVP_add_cipher(EVP_aes_256_cbc()); - EVP_add_cipher(EVP_aes_128_gcm()); - EVP_add_cipher(EVP_aes_256_gcm()); -+#if 0 /* Disabled because of timing side-channel leaks. 
*/ - #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) - EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); - EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); - #endif - #endif -+ -+#endif - #ifndef OPENSSL_NO_CAMELLIA - EVP_add_cipher(EVP_camellia_128_cbc()); - EVP_add_cipher(EVP_camellia_256_cbc()); -diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h -index 0572e10..dd8388c 100644 ---- a/ssl/ssl_locl.h -+++ b/ssl/ssl_locl.h -@@ -215,6 +215,15 @@ - *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ - *((c)++)=(unsigned char)(((l) )&0xff)) - -+#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ -+ *((c)++)=(unsigned char)(((l)>>48)&0xff), \ -+ *((c)++)=(unsigned char)(((l)>>40)&0xff), \ -+ *((c)++)=(unsigned char)(((l)>>32)&0xff), \ -+ *((c)++)=(unsigned char)(((l)>>24)&0xff), \ -+ *((c)++)=(unsigned char)(((l)>>16)&0xff), \ -+ *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ -+ *((c)++)=(unsigned char)(((l) )&0xff)) -+ - #define n2l6(c,l) (l =((BN_ULLONG)(*((c)++)))<<40, \ - l|=((BN_ULLONG)(*((c)++)))<<32, \ - l|=((BN_ULLONG)(*((c)++)))<<24, \ -@@ -1133,4 +1142,29 @@ int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al - int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen); - int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al); - -+/* s3_cbc.c */ -+void ssl3_cbc_copy_mac(unsigned char* out, -+ const SSL3_RECORD *rec, -+ unsigned md_size); -+int ssl3_cbc_remove_padding(const SSL* s, -+ SSL3_RECORD *rec, -+ unsigned block_size, -+ unsigned mac_size); -+int tls1_cbc_remove_padding(const SSL* s, -+ SSL3_RECORD *rec, -+ unsigned block_size, -+ unsigned mac_size); -+char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx); -+void ssl3_cbc_digest_record( -+ const EVP_MD_CTX *ctx, -+ unsigned char* md_out, -+ size_t* md_out_size, -+ const unsigned char header[13], -+ const unsigned char *data, -+ size_t data_plus_mac_size, -+ size_t data_plus_mac_plus_padding_size, -+ const unsigned char 
*mac_secret, -+ unsigned mac_secret_length, -+ char is_sslv3); -+ - #endif -diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c -index b37678f..bb46f7f 100644 ---- a/ssl/t1_enc.c -+++ b/ssl/t1_enc.c -@@ -667,12 +667,21 @@ err: - return(ret); - } - -+/* tls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. -+ * -+ * Returns: -+ * 0: (in non-constant time) if the record is publically invalid (i.e. too -+ * short etc). -+ * 1: if the record's padding is valid / the encryption was successful. -+ * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, -+ * an internal error occured. -+ */ - int tls1_enc(SSL *s, int send) - { - SSL3_RECORD *rec; - EVP_CIPHER_CTX *ds; - unsigned long l; -- int bs,i,ii,j,k,pad=0; -+ int bs,i,j,k,pad=0,ret,mac_size=0; - const EVP_CIPHER *enc; - - if (send) -@@ -729,11 +738,11 @@ int tls1_enc(SSL *s, int send) - printf("tls1_enc(%d)\n", send); - #endif /* KSSL_DEBUG */ - -- if ((s->session == NULL) || (ds == NULL) || -- (enc == NULL)) -+ if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) - { - memmove(rec->data,rec->input,rec->length); - rec->input=rec->data; -+ ret = 1; - } - else - { -@@ -797,13 +806,13 @@ int tls1_enc(SSL *s, int send) - - #ifdef KSSL_DEBUG - { -- unsigned long ui; -+ unsigned long ui; - printf("EVP_Cipher(ds=%p,rec->data=%p,rec->input=%p,l=%ld) ==>\n", -- ds,rec->data,rec->input,l); -+ ds,rec->data,rec->input,l); - printf("\tEVP_CIPHER_CTX: %d buf_len, %d key_len [%d %d], %d iv_len\n", -- ds->buf_len, ds->cipher->key_len, -- DES_KEY_SZ, DES_SCHEDULE_SZ, -- ds->cipher->iv_len); -+ ds->buf_len, ds->cipher->key_len, -+ DES_KEY_SZ, DES_SCHEDULE_SZ, -+ ds->cipher->iv_len); - printf("\t\tIV: "); - for (i=0; icipher->iv_len; i++) printf("%02X", ds->iv[i]); - printf("\n"); -@@ -816,13 +825,7 @@ int tls1_enc(SSL *s, int send) - if (!send) - { - if (l == 0 || l%bs != 0) -- { -- if (s->version >= TLS1_1_VERSION) -- return -1; -- SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); -- 
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); - return 0; -- } - } - - i = EVP_Cipher(ds,rec->data,rec->input,l); -@@ -839,68 +842,24 @@ int tls1_enc(SSL *s, int send) - - #ifdef KSSL_DEBUG - { -- unsigned long i; -- printf("\trec->data="); -+ unsigned long i; -+ printf("\trec->data="); - for (i=0; idata[i]); printf("\n"); -- } -+ printf(" %02x", rec->data[i]); printf("\n"); -+ } - #endif /* KSSL_DEBUG */ - -+ ret = 1; -+ if (EVP_MD_CTX_md(s->read_hash) != NULL) -+ mac_size = EVP_MD_CTX_size(s->read_hash); - if ((bs != 1) && !send) -- { -- ii=i=rec->data[l-1]; /* padding_length */ -- i++; -- /* NB: if compression is in operation the first packet -- * may not be of even length so the padding bug check -- * cannot be performed. This bug workaround has been -- * around since SSLeay so hopefully it is either fixed -- * now or no buggy implementation supports compression -- * [steve] -- */ -- if ( (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) -- && !s->expand) -- { -- /* First packet is even in size, so check */ -- if ((memcmp(s->s3->read_sequence, -- "\0\0\0\0\0\0\0\0",8) == 0) && !(ii & 1)) -- s->s3->flags|=TLS1_FLAGS_TLS_PADDING_BUG; -- if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) -- i--; -- } -- /* TLS 1.0 does not bound the number of padding bytes by the block size. -- * All of them must have value 'padding_length'. */ -- if (i > (int)rec->length) -- { -- /* Incorrect padding. 
SSLerr() and ssl3_alert are done -- * by caller: we don't want to reveal whether this is -- * a decryption error or a MAC verification failure -- * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ -- return -1; -- } -- for (j=(int)(l-i); j<(int)l; j++) -- { -- if (rec->data[j] != ii) -- { -- /* Incorrect padding */ -- return -1; -- } -- } -- rec->length -=i; -- if (s->version >= TLS1_1_VERSION -- && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE) -- { -- if (bs > (int)rec->length) -- return -1; -- rec->data += bs; /* skip the explicit IV */ -- rec->input += bs; -- rec->length -= bs; -- } -- } -+ ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); - if (pad && !send) - rec->length -= pad; - } -- return(1); -+ return ret; - } -+ - int tls1_cert_verify_mac(SSL *s, int md_nid, unsigned char *out) - { - unsigned int ret; -@@ -993,7 +952,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) - size_t md_size; - int i; - EVP_MD_CTX hmac, *mac_ctx; -- unsigned char buf[5]; -+ unsigned char header[13]; - int stream_mac = (send?(ssl->mac_flags & SSL_MAC_FLAG_WRITE_MAC_STREAM):(ssl->mac_flags&SSL_MAC_FLAG_READ_MAC_STREAM)); - int t; - -@@ -1014,12 +973,6 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) - OPENSSL_assert(t >= 0); - md_size=t; - -- buf[0]=rec->type; -- buf[1]=(unsigned char)(ssl->version>>8); -- buf[2]=(unsigned char)(ssl->version); -- buf[3]=rec->length>>8; -- buf[4]=rec->length&0xff; -- - /* I should fix this up TLS TLS TLS TLS TLS XXXXXXXX */ - if (stream_mac) - { -@@ -1038,17 +991,44 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) - s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); - memcpy (p,&seq[2],6); - -- EVP_DigestSignUpdate(mac_ctx,dtlsseq,8); -+ memcpy(header, dtlsseq, 8); - } - else -- EVP_DigestSignUpdate(mac_ctx,seq,8); -+ memcpy(header, seq, 8); - -- EVP_DigestSignUpdate(mac_ctx,buf,5); -- EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); -- t=EVP_DigestSignFinal(mac_ctx,md,&md_size); -- OPENSSL_assert(t > 0); -+ 
header[8]=rec->type; -+ header[9]=(unsigned char)(ssl->version>>8); -+ header[10]=(unsigned char)(ssl->version); -+ header[11]=(rec->length)>>8; -+ header[12]=(rec->length)&0xff; -+ -+ if (!send && -+ EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && -+ ssl3_cbc_record_digest_supported(mac_ctx)) -+ { -+ /* This is a CBC-encrypted record. We must avoid leaking any -+ * timing-side channel information about how many blocks of -+ * data we are hashing because that gives an attacker a -+ * timing-oracle. */ -+ ssl3_cbc_digest_record( -+ mac_ctx, -+ md, &md_size, -+ header, rec->input, -+ rec->length + md_size, rec->orig_len, -+ ssl->s3->read_mac_secret, -+ ssl->s3->read_mac_secret_size, -+ 0 /* not SSLv3 */); -+ } -+ else -+ { -+ EVP_DigestSignUpdate(mac_ctx,header,sizeof(header)); -+ EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); -+ t=EVP_DigestSignFinal(mac_ctx,md,&md_size); -+ OPENSSL_assert(t > 0); -+ } - -- if (!stream_mac) EVP_MD_CTX_cleanup(&hmac); -+ if (!stream_mac) -+ EVP_MD_CTX_cleanup(&hmac); - #ifdef TLS_DEBUG - printf("sec="); - {unsigned int z; for (z=0; zstate=SSL3_ST_CW_FINISHED_A; -#else 
@@ -715,31 +714,35 @@ diff -ur openssl/ssl/ssl3.h openssl.channelid/ssl/ssl3.h } SSL3_STATE; #endif -@@ -581,6 +592,8 @@ +@@ -581,7 +592,9 @@ #define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) #define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) #define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) + #endif +#define SSL3_ST_CW_CHANNEL_ID_A (0x210|SSL_ST_CONNECT) +#define SSL3_ST_CW_CHANNEL_ID_B (0x211|SSL_ST_CONNECT) #define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) #define SSL3_ST_CW_FINISHED_B (0x1B1|SSL_ST_CONNECT) /* read from server */ -@@ -631,8 +644,11 @@ +@@ -631,10 +644,13 @@ #define SSL3_ST_SR_CERT_VRFY_B (0x1A1|SSL_ST_ACCEPT) #define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT) #define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT) +#define SSL3_ST_SR_POST_CLIENT_CERT (0x1BF|SSL_ST_ACCEPT) + #ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) #define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) + #endif +#define SSL3_ST_SR_CHANNEL_ID_A (0x220|SSL_ST_ACCEPT) +#define SSL3_ST_SR_CHANNEL_ID_B (0x221|SSL_ST_ACCEPT) #define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) #define SSL3_ST_SR_FINISHED_B (0x1C1|SSL_ST_ACCEPT) /* write to client */ -@@ -658,6 +674,7 @@ +@@ -658,7 +674,8 @@ #define SSL3_MT_FINISHED 20 #define SSL3_MT_CERTIFICATE_STATUS 22 #define SSL3_MT_NEXT_PROTO 67 + #endif +#define SSL3_MT_ENCRYPTED_EXTENSIONS 203 #define DTLS1_MT_HELLO_VERIFY_REQUEST 3 diff --git a/patches/clang.patch b/patches/clang.patch deleted file mode 100644 index 285945e..0000000 --- a/patches/clang.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -diff --git a/openssl/crypto/bio/bss_dgram.c b/openssl/crypto/bio/bss_dgram.c -index 71ebe98..a6d882b 100644 ---- a/crypto/bio/bss_dgram.c -+++ b/crypto/bio/bss_dgram.c -@@ -378,7 +378,7 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr) - bio_dgram_data *data = NULL; - #if defined(IP_MTU_DISCOVER) || defined(IP_MTU) - long sockopt_val = 0; -- unsigned int sockopt_len = 0; -+ socklen_t sockopt_len = 0; - #endif - #ifdef OPENSSL_SYS_LINUX - socklen_t addr_len; -diff --git a/openssl/crypto/cryptlib.c b/openssl/crypto/cryptlib.c -index 387a987..5dfeec7 100644 ---- a/crypto/cryptlib.c -+++ b/crypto/cryptlib.c -@@ -500,7 +500,7 @@ void CRYPTO_THREADID_current(CRYPTO_THREADID *id) - CRYPTO_THREADID_set_numeric(id, (unsigned long)find_thread(NULL)); - #else - /* For everything else, default to using the address of 'errno' */ -- CRYPTO_THREADID_set_pointer(id, &errno); -+ CRYPTO_THREADID_set_pointer(id, (void*)&errno); - #endif - } - diff --git a/patches/jsse.patch b/patches/jsse.patch index 80e5357..e4fa3b4 100644 --- a/patches/jsse.patch +++ b/patches/jsse.patch @@ -301,8 +301,8 @@ - else if (s->version == TLS1_1_VERSION) + else if (version == TLS1_1_VERSION) return("TLSv1.1"); -- if (s->version == TLS1_VERSION) -+ if (version == TLS1_VERSION) +- else if (s->version == TLS1_VERSION) ++ else if (version == TLS1_VERSION) return("TLSv1"); - else if (s->version == SSL3_VERSION) + else if (version == SSL3_VERSION) diff --git a/patches/mips_private.patch b/patches/mips_private.patch deleted file mode 100644 index 97c076a..0000000 --- a/patches/mips_private.patch +++ /dev/null 
@@ -1,64 +0,0 @@ ---- openssl-1.0.1c.orig/crypto/aes/asm/aes-mips.pl 2011-11-14 20:55:23.000000000 +0000 -+++ openssl-1.0.1c/crypto/aes/asm/aes-mips.pl 2012-08-14 22:13:55.250604273 +0000 -@@ -1036,9 +1036,9 @@ _mips_AES_set_encrypt_key: - nop - .end _mips_AES_set_encrypt_key - --.globl AES_set_encrypt_key --.ent AES_set_encrypt_key --AES_set_encrypt_key: -+.globl private_AES_set_encrypt_key -+.ent private_AES_set_encrypt_key -+private_AES_set_encrypt_key: - .frame $sp,$FRAMESIZE,$ra - .mask $SAVED_REGS_MASK,-$SZREG - .set noreorder -@@ -1060,7 +1060,7 @@ $code.=<<___ if ($flavour =~ /nubi/i); # - ___ - $code.=<<___ if ($flavour !~ /o32/i); # non-o32 PIC-ification - .cplocal $Tbl -- .cpsetup $pf,$zero,AES_set_encrypt_key -+ .cpsetup $pf,$zero,private_AES_set_encrypt_key - ___ - $code.=<<___; - .set reorder -@@ -1083,7 +1083,7 @@ ___ - $code.=<<___; - jr $ra - $PTR_ADD $sp,$FRAMESIZE --.end AES_set_encrypt_key -+.end private_AES_set_encrypt_key - ___ - - my ($head,$tail)=($inp,$bits); -@@ -1091,9 +1091,9 @@ my ($tp1,$tp2,$tp4,$tp8,$tp9,$tpb,$tpd,$ - my ($m,$x80808080,$x7f7f7f7f,$x1b1b1b1b)=($at,$t0,$t1,$t2); - $code.=<<___; - .align 5 --.globl AES_set_decrypt_key --.ent AES_set_decrypt_key --AES_set_decrypt_key: -+.globl private_AES_set_decrypt_key -+.ent private_AES_set_decrypt_key -+private_AES_set_decrypt_key: - .frame $sp,$FRAMESIZE,$ra - .mask $SAVED_REGS_MASK,-$SZREG - .set noreorder -@@ -1115,7 +1115,7 @@ $code.=<<___ if ($flavour =~ /nubi/i); # - ___ - $code.=<<___ if ($flavour !~ /o32/i); # non-o32 PIC-ification - .cplocal $Tbl -- .cpsetup $pf,$zero,AES_set_decrypt_key -+ .cpsetup $pf,$zero,private_AES_set_decrypt_key - ___ - $code.=<<___; - .set reorder -@@ -1226,7 +1226,7 @@ ___ - $code.=<<___; - jr $ra - $PTR_ADD $sp,$FRAMESIZE --.end AES_set_decrypt_key -+.end private_AES_set_decrypt_key - ___ - }}} - diff --git a/patches/recursive_lock_fix.patch b/patches/recursive_lock_fix.patch deleted file mode 100644 index b2e8e2b..0000000 
--- a/patches/recursive_lock_fix.patch +++ /dev/null @@ -1,22 +0,0 @@ -Index: openssl/crypto/asn1/x_pubkey.c -RCS File: /v/openssl/cvs/openssl/crypto/asn1/x_pubkey.c,v -rcsdiff -q -kk '-r1.38.2.2' '-r1.38.2.3' -u '/v/openssl/cvs/openssl/crypto/asn1/x_pubkey.c,v' 2>/dev/null ---- x_pubkey.c 2012/02/28 14:47:36 1.38.2.2 -+++ x_pubkey.c 2012/05/11 13:49:15 1.38.2.3 -@@ -371,12 +371,15 @@ - CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY); - if (key->pkey) - { -+ CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); - EVP_PKEY_free(ret); - ret = key->pkey; - } - else -+ { - key->pkey = ret; -- CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); -+ CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); -+ } - CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY); - return(ret); - err: diff --git a/patches/sha1_armv4_large.patch b/patches/sha1_armv4_large.patch deleted file mode 100644 index 359ff94..0000000 --- a/patches/sha1_armv4_large.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff --git a/crypto/sha/asm/sha1-armv4-large.pl b/crypto/sha/asm/sha1-armv4-large.pl -index 6e65fe3..79e3f61 100644 ---- a/crypto/sha/asm/sha1-armv4-large.pl -+++ b/crypto/sha/asm/sha1-armv4-large.pl -@@ -161,6 +161,7 @@ for($i=0;$i<5;$i++) { - $code.=<<___; - teq $Xi,sp - bne .L_00_15 @ [((11+4)*5+2)*3] -+ sub sp,sp,#5*4 - ___ - &BODY_00_15(@V); unshift(@V,pop(@V)); - &BODY_16_19(@V); unshift(@V,pop(@V)); -@@ -170,7 +171,7 @@ ___ - $code.=<<___; - - ldr $K,.LK_20_39 @ [+15+16*4] -- sub sp,sp,#25*4 -+ sub sp,sp,#20*4 - cmn sp,#0 @ [+3], clear carry to denote 20_39 - .L_20_39_or_60_79: - ___ diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 02c881a..b0302a7 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -379,7 +379,7 @@ dtls1_process_record(SSL *s) int enc_err; SSL_SESSION *sess; SSL3_RECORD *rr; - unsigned int mac_size; + unsigned int mac_size, orig_len; unsigned char md[EVP_MAX_MD_SIZE]; rr= &(s->s3->rrec); 
@@ -410,7 +410,7 @@ dtls1_process_record(SSL *s) /* decrypt in place in 'rr->input' */ rr->data=rr->input; - rr->orig_len=rr->length; + orig_len=rr->length; enc_err = s->method->ssl3_enc->enc(s,0); /* enc_err is: @@ -447,13 +447,13 @@ printf("\n"); * therefore we can safely process the record in a different * amount of time if it's too short to possibly contain a MAC. */ - if (rr->orig_len < mac_size || + if (orig_len < mac_size || /* CBC records must have a padding length byte too. */ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && - rr->orig_len < mac_size+1)) + orig_len < mac_size+1)) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); + SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; } @@ -465,12 +465,12 @@ printf("\n"); * without leaking the contents of the padding bytes. * */ mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, rr, mac_size); + ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); rr->length -= mac_size; } else { - /* In this case there's no padding, so |rec->orig_len| + /* In this case there's no padding, so |orig_len| * equals |rec->length| and we checked that there's * enough bytes for |mac_size| above. */ rr->length -= mac_size; diff --git a/ssl/dtls1.h b/ssl/dtls1.h index 5008bf6..e65d501 100644 --- a/ssl/dtls1.h +++ b/ssl/dtls1.h @@ -57,8 +57,8 @@ * */ -#ifndef HEADER_DTLS1_H -#define HEADER_DTLS1_H +#ifndef HEADER_DTLS1_H +#define HEADER_DTLS1_H #include #include @@ -72,8 +72,12 @@ #elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_) #include #else +#if defined(OPENSSL_SYS_VXWORKS) +#include +#else #include #endif +#endif #ifdef __cplusplus extern "C" { diff --git a/ssl/s2_clnt.c b/ssl/s2_clnt.c index 954f398..03b6cf9 100644 --- a/ssl/s2_clnt.c +++ b/ssl/s2_clnt.c 
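Review bot: `orig_len=rr->length;` in the `@@ -410,7 +410,7 @@` hunk is captured before `enc(s,0)` runs, while the companion s3_cbc.c hunks (`@@ -150,6 +150,21 @@` and `@@ -205,23 +227,9 @@`) now advance `rec->data` past the explicit IV with no matching adjustment to an orig_len (the old `rec->orig_len -= block_size;` is removed). For a DTLS CBC record with an explicit IV the `orig_len` handed to `ssl3_cbc_copy_mac` in `@@ -465,12 +465,12 @@` therefore appears to be `block_size` larger than the data actually behind the new `rec->data`, which would misplace the MAC and scan past the record end — unless dtls1_process_record recomputes it after decryption somewhere outside this hunk, which I cannot see. If the `rec->type` high-byte kludge introduced in s3_cbc.c exists for exactly this purpose, recomputing after the `enc` call, e.g. `orig_len = rr->length + ((unsigned int)rr->type >> 8);`, would derive the pre-padding length from post-decryption state instead. dtls1_process_record starts and ends outside these hunks.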
@@ -359,12 +359,14 @@ static int get_server_hello(SSL *s) SSL_R_PEER_ERROR); return(-1); } -#ifdef __APPLE_CC__ - /* The Rhapsody 5.5 (a.k.a. MacOS X) compiler bug - * workaround. */ - s->hit=(i=*(p++))?1:0; -#else +#if 0 s->hit=(*(p++))?1:0; + /* Some [PPC?] compilers fail to increment p in above + statement, e.g. one provided with Rhapsody 5.5, but + most recent example XL C 11.1 for AIX, even without + optimization flag... */ +#else + s->hit=(*p)?1:0; p++; #endif s->s2->tmp.cert_type= *(p++); n2s(p,i); diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index bc885e8..2cba426 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -1059,10 +1059,12 @@ static int request_certificate(SSL *s) EVP_PKEY *pkey=NULL; EVP_MD_CTX_init(&ctx); - EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL); - EVP_VerifyUpdate(&ctx,s->s2->key_material, - s->s2->key_material_length); - EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH); + if (!EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL) + || !EVP_VerifyUpdate(&ctx,s->s2->key_material, + s->s2->key_material_length) + || !EVP_VerifyUpdate(&ctx,ccd, + SSL2_MIN_CERT_CHALLENGE_LENGTH)) + goto msg_end; i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL); buf2=OPENSSL_malloc((unsigned int)i); @@ -1073,7 +1075,11 @@ static int request_certificate(SSL *s) } p2=buf2; i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2); - EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i); + if (!EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i)) + { + OPENSSL_free(buf2); + goto msg_end; + } OPENSSL_free(buf2); pkey=X509_get_pubkey(x509); diff --git a/ssl/s3_both.c b/ssl/s3_both.c index c775cd8..514ff85 100644 --- a/ssl/s3_both.c +++ b/ssl/s3_both.c @@ -204,7 +204,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) #ifndef OPENSSL_NO_NEXTPROTONEG /* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */ -static void ssl3_take_mac(SSL *s) { +static void ssl3_take_mac(SSL *s) + { const char *sender; int slen; 
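Review bot: The new `goto msg_end` exits in the s2_srvr.c hunks `@@ -1059,10 +1059,12 @@` and `@@ -1073,7 +1075,11 @@` execute after `EVP_MD_CTX_init(&ctx)`, so they are leak-free only if the `msg_end` label (outside the hunk) calls `EVP_MD_CTX_cleanup(&ctx)`; presumably it does, but it is worth confirming since these are the first early exits between init and cleanup. In the second hunk `OPENSSL_free(buf2)` is now duplicated on both paths; capturing the `EVP_VerifyUpdate` result in a local, freeing `buf2` once, and then branching on the result reads cleaner and keeps a single release point. request_certificate starts and ends outside these hunks.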
@@ -221,7 +222,7 @@ static void ssl3_take_mac(SSL *s) { s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s, sender,slen,s->s3->tmp.peer_finish_md); -} + } #endif int ssl3_get_finished(SSL *s, int a, int b) @@ -231,8 +232,9 @@ int ssl3_get_finished(SSL *s, int a, int b) unsigned char *p; #ifdef OPENSSL_NO_NEXTPROTONEG - /* the mac has already been generated when we received the change - * cipher spec message and is in s->s3->tmp.peer_finish_md. */ + /* the mac has already been generated when we received the + * change cipher spec message and is in s->s3->tmp.peer_finish_md. + */ #endif n=s->method->ssl_get_message(s, @@ -544,12 +546,14 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) s->init_num += i; n -= i; } + #ifndef OPENSSL_NO_NEXTPROTONEG /* If receiving Finished, record MAC of prior handshake messages for * Finished verification. */ if (*s->init_buf->data == SSL3_MT_FINISHED) ssl3_take_mac(s); #endif + /* Feed this message into MAC computation. */ if (*s->init_buf->data != SSL3_MT_ENCRYPTED_EXTENSIONS) ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4); diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index e9b112c..3c2c165 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -53,8 +53,6 @@ * */ -#include - #include "ssl_locl.h" #include @@ -118,7 +116,9 @@ int ssl3_cbc_remove_padding(const SSL* s, good = constant_time_ge(rec->length, padding_length+overhead); /* SSLv3 requires that the padding is minimal. */ good &= constant_time_ge(block_size, padding_length+1); - rec->length -= good & (padding_length+1); + padding_length = good & (padding_length+1); + rec->length -= padding_length; + rec->type |= padding_length<<8; /* kludge: pass padding length */ return (int)((good & 1) | (~good & -1)); } 
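Review bot: `rec->type |= padding_length<<8;` in the s3_cbc.c `@@ -118,7 +116,9 @@` hunk (and the identical line in `@@ -205,23 +227,9 @@`) smuggles the padding length into the record-type field, so any later `rr->type == SSL3_RT_*` comparison silently depends on the caller extracting and clearing those bits first. Nothing in the visible hunks clears them, and the one-word comment does not say who consumes them or when they become invalid. At minimum the comment should state the contract, e.g. `/* kludge: pass padding length to the caller in bits 8..15 of rec->type; the caller must extract and clear them before rec->type is used as a record type */`. ssl3_cbc_remove_padding's body begins outside the hunk.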
@@ -150,6 +150,21 @@ int tls1_cbc_remove_padding(const SSL* s, if (overhead > rec->length) return 0; + /* We can always safely skip the explicit IV. We check at the beginning + * of this function that the record has at least enough space for the + * IV, MAC and padding length byte. (These can be checked in + * non-constant time because it's all public information.) So, if the + * padding was invalid, then we didn't change |rec->length| and this is + * safe. If the padding was valid then we know that we have at least + * overhead+padding_length bytes of space and so this is still safe + * because overhead accounts for the explicit IV. */ + if (has_explicit_iv) + { + rec->data += block_size; + rec->input += block_size; + rec->length -= block_size; + } + padding_length = rec->data[rec->length-1]; /* NB: if compression is in operation the first packet may not be of @@ -172,6 +187,13 @@ int tls1_cbc_remove_padding(const SSL* s, } } + if (EVP_CIPHER_flags(s->enc_read_ctx->cipher)&EVP_CIPH_FLAG_AEAD_CIPHER) + { + /* padding is already verified */ + rec->length -= padding_length; + return 1; + } + good = constant_time_ge(rec->length, overhead+padding_length); /* The padding consists of a length byte at the end of the record and * then that many bytes of padding, all with the same value as the 
@@ -205,23 +227,9 @@ int tls1_cbc_remove_padding(const SSL* s, good <<= sizeof(good)*8-1; good = DUPLICATE_MSB_TO_ALL(good); - rec->length -= good & (padding_length+1); - - /* We can always safely skip the explicit IV. We check at the beginning - * of this function that the record has at least enough space for the - * IV, MAC and padding length byte. (These can be checked in - * non-constant time because it's all public information.) So, if the - * padding was invalid, then we didn't change |rec->length| and this is - * safe. If the padding was valid then we know that we have at least - * overhead+padding_length bytes of space and so this is still safe - * because overhead accounts for the explicit IV. */ - if (has_explicit_iv) - { - rec->data += block_size; - rec->input += block_size; - rec->length -= block_size; - rec->orig_len -= block_size; - } + padding_length = good & (padding_length+1); + rec->length -= padding_length; + rec->type |= padding_length<<8; /* kludge: pass padding length */ return (int)((good & 1) | (~good & -1)); } @@ -248,7 +256,7 @@ int tls1_cbc_remove_padding(const SSL* s, */ void ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec, - unsigned md_size) + unsigned md_size,unsigned orig_len) { #if defined(CBC_MAC_ROTATE_IN_PLACE) unsigned char rotated_mac_buf[EVP_MAX_MD_SIZE*2]; @@ -267,7 +275,7 @@ void ssl3_cbc_copy_mac(unsigned char* out, unsigned div_spoiler; unsigned rotate_offset; - OPENSSL_assert(rec->orig_len >= md_size); + OPENSSL_assert(orig_len >= md_size); OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); #if defined(CBC_MAC_ROTATE_IN_PLACE) 
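Review bot: The removed `rec->orig_len -= block_size;` has no replacement, yet ssl3_cbc_copy_mac still takes an orig_len from its caller, which the s3_pkt.c hunk now captures as `orig_len=rr->length` before decryption, i.e. including the explicit IV of TLS 1.1+ CBC records; with the IV skip moved to the top of tls1_cbc_remove_padding, rec->data starts block_size bytes later, so the copy's scan bound `i < orig_len` appears to reach block_size bytes beyond the record's data. The MAC itself is presumably still located via mac_start/mac_end (computed outside the hunk), so this may only widen the scan, but it should be confirmed against the size of the read buffer. A record member carrying the post-IV original length is the cleaner fix; the minimal one is to derive it after enc() in ssl3_get_record the way tls1_mac does, e.g. `orig_len = rr->length + ((unsigned int)rr->type >> 8);` ahead of the copy_mac call, while rr->type still holds the padding length. The function's body starts outside this hunk.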
@@ -275,8 +283,8 @@ void ssl3_cbc_copy_mac(unsigned char* out, #endif /* This information is public so it's safe to branch based on it. */ - if (rec->orig_len > md_size + 255 + 1) - scan_start = rec->orig_len - (md_size + 255 + 1); + if (orig_len > md_size + 255 + 1) + scan_start = orig_len - (md_size + 255 + 1); /* div_spoiler contains a multiple of md_size that is used to cause the * modulo operation to be constant time. Without this, the time varies * based on the amount of padding when running on Intel chips at least. @@ -289,9 +297,9 @@ void ssl3_cbc_copy_mac(unsigned char* out, rotate_offset = (div_spoiler + mac_start - scan_start) % md_size; memset(rotated_mac, 0, md_size); - for (i = scan_start; i < rec->orig_len;) + for (i = scan_start; i < orig_len;) { - for (j = 0; j < md_size && i < rec->orig_len; i++, j++) + for (j = 0; j < md_size && i < orig_len; i++, j++) { unsigned char mac_started = constant_time_ge(i, mac_start); unsigned char mac_ended = constant_time_ge(i, mac_end); @@ -341,7 +349,9 @@ static void tls1_sha1_final_raw(void* ctx, unsigned char *md_out) l2n(sha1->h3, md_out); l2n(sha1->h4, md_out); } +#define LARGEST_DIGEST_CTX SHA_CTX +#ifndef OPENSSL_NO_SHA256 static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out) { SHA256_CTX *sha256 = ctx; @@ -352,7 +362,11 @@ static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out) l2n(sha256->h[i], md_out); } } +#undef LARGEST_DIGEST_CTX +#define LARGEST_DIGEST_CTX SHA256_CTX +#endif +#ifndef OPENSSL_NO_SHA512 static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) { SHA512_CTX *sha512 = ctx; 
@@ -363,19 +377,30 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) l2n8(sha512->h[i], md_out); } } +#undef LARGEST_DIGEST_CTX +#define LARGEST_DIGEST_CTX SHA512_CTX +#endif /* ssl3_cbc_record_digest_supported returns 1 iff |ctx| uses a hash function * which ssl3_cbc_digest_record supports. */ char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx) { - switch (ctx->digest->type) +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + return 0; +#endif + switch (EVP_MD_CTX_type(ctx)) { case NID_md5: case NID_sha1: +#ifndef OPENSSL_NO_SHA256 case NID_sha224: case NID_sha256: +#endif +#ifndef OPENSSL_NO_SHA512 case NID_sha384: case NID_sha512: +#endif return 1; default: return 0; @@ -413,14 +438,15 @@ void ssl3_cbc_digest_record( unsigned mac_secret_length, char is_sslv3) { - unsigned char md_state[sizeof(SHA512_CTX)]; + union { double align; + unsigned char c[sizeof(LARGEST_DIGEST_CTX)]; } md_state; void (*md_final_raw)(void *ctx, unsigned char *md_out); void (*md_transform)(void *ctx, const unsigned char *block); unsigned md_size, md_block_size = 64; unsigned sslv3_pad_length = 40, header_length, variance_blocks, len, max_mac_bytes, num_blocks, num_starting_blocks, k, mac_end_offset, c, index_a, index_b; - uint64_t bits; + unsigned int bits; /* at most 18 bits */ unsigned char length_bytes[MAX_HASH_BIT_COUNT_BYTES]; /* hmac_pad is the masked HMAC key. */ unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; 
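Review bot: `unsigned int bits; /* at most 18 bits */` replaces a uint64_t without saying where the bound comes from; the only visible bound is the `OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024)` in the next hunk, which limits the bit count to roughly 2^23, not 2^18. Either figure fits a 32-bit unsigned, so the narrowing is safe, but the comment should cite the real justification so the next change to that assertion can be checked against it, e.g. `/* < 2^23: data_plus_mac_plus_padding_size is asserted below 1024*1024 */`. ssl3_cbc_digest_record's body continues outside the hunk.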
@@ -436,35 +462,38 @@ void ssl3_cbc_digest_record( * many possible overflows later in this function. */ OPENSSL_assert(data_plus_mac_plus_padding_size < 1024*1024); - switch (ctx->digest->type) + switch (EVP_MD_CTX_type(ctx)) { case NID_md5: - MD5_Init((MD5_CTX*)md_state); + MD5_Init((MD5_CTX*)md_state.c); md_final_raw = tls1_md5_final_raw; md_transform = (void(*)(void *ctx, const unsigned char *block)) MD5_Transform; md_size = 16; sslv3_pad_length = 48; break; case NID_sha1: - SHA1_Init((SHA_CTX*)md_state); + SHA1_Init((SHA_CTX*)md_state.c); md_final_raw = tls1_sha1_final_raw; md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA1_Transform; md_size = 20; break; +#ifndef OPENSSL_NO_SHA256 case NID_sha224: - SHA224_Init((SHA256_CTX*)md_state); + SHA224_Init((SHA256_CTX*)md_state.c); md_final_raw = tls1_sha256_final_raw; md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; md_size = 224/8; break; case NID_sha256: - SHA256_Init((SHA256_CTX*)md_state); + SHA256_Init((SHA256_CTX*)md_state.c); md_final_raw = tls1_sha256_final_raw; md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA256_Transform; md_size = 32; break; +#endif +#ifndef OPENSSL_NO_SHA512 case NID_sha384: - SHA384_Init((SHA512_CTX*)md_state); + SHA384_Init((SHA512_CTX*)md_state.c); md_final_raw = tls1_sha512_final_raw; md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; md_size = 384/8; @@ -472,13 +501,14 @@ void ssl3_cbc_digest_record( md_length_size = 16; break; case NID_sha512: - SHA512_Init((SHA512_CTX*)md_state); + SHA512_Init((SHA512_CTX*)md_state.c); md_final_raw = tls1_sha512_final_raw; md_transform = (void(*)(void *ctx, const unsigned char *block)) SHA512_Transform; md_size = 64; md_block_size = 128; md_length_size = 16; break; +#endif default: /* ssl3_cbc_record_digest_supported should have been * called first to check that the hash function is 
@@ -577,17 +607,14 @@ void ssl3_cbc_digest_record( for (i = 0; i < md_block_size; i++) hmac_pad[i] ^= 0x36; - md_transform(md_state, hmac_pad); + md_transform(md_state.c, hmac_pad); } - j = 0; - if (md_length_size == 16) - { - memset(length_bytes, 0, 8); - j = 8; - } - for (i = 0; i < 8; i++) - length_bytes[i+j] = bits >> (8*(7-i)); + memset(length_bytes,0,md_length_size-4); + length_bytes[md_length_size-4] = (unsigned char)(bits>>24); + length_bytes[md_length_size-3] = (unsigned char)(bits>>16); + length_bytes[md_length_size-2] = (unsigned char)(bits>>8); + length_bytes[md_length_size-1] = (unsigned char)bits; if (k > 0) { @@ -598,21 +625,21 @@ void ssl3_cbc_digest_record( * block that the header consumes: either 7 bytes * (SHA1) or 11 bytes (MD5). */ unsigned overhang = header_length-md_block_size; - md_transform(md_state, header); + md_transform(md_state.c, header); memcpy(first_block, header + md_block_size, overhang); memcpy(first_block + overhang, data, md_block_size-overhang); - md_transform(md_state, first_block); + md_transform(md_state.c, first_block); for (i = 1; i < k/md_block_size - 1; i++) - md_transform(md_state, data + md_block_size*i - overhang); + md_transform(md_state.c, data + md_block_size*i - overhang); } else { /* k is a multiple of md_block_size. */ memcpy(first_block, header, 13); memcpy(first_block+13, data, md_block_size-13); - md_transform(md_state, first_block); + md_transform(md_state.c, first_block); for (i = 1; i < k/md_block_size; i++) - md_transform(md_state, data + md_block_size*i - 13); + md_transform(md_state.c, data + md_block_size*i - 13); } } @@ -662,8 +689,8 @@ void ssl3_cbc_digest_record( block[j] = b; } - md_transform(md_state, block); - md_final_raw(md_state, block); + md_transform(md_state.c, block); + md_final_raw(md_state.c, block); /* If this is index_b, copy the hash value to |mac_out|. */ for (j = 0; j < md_size; j++) mac_out[j] |= block[j]&is_block_b; 
@@ -694,3 +721,50 @@ void ssl3_cbc_digest_record( *md_out_size = md_out_size_u; EVP_MD_CTX_cleanup(&md_ctx); } + +#ifdef OPENSSL_FIPS + +/* Due to the need to use EVP in FIPS mode we can't reimplement digests but + * we can ensure the number of blocks processed is equal for all cases + * by digesting additional data. + */ + +void tls_fips_digest_extra( + const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, + const unsigned char *data, size_t data_len, size_t orig_len) + { + size_t block_size, digest_pad, blocks_data, blocks_orig; + if (EVP_CIPHER_CTX_mode(cipher_ctx) != EVP_CIPH_CBC_MODE) + return; + block_size = EVP_MD_CTX_block_size(mac_ctx); + /* We are in FIPS mode if we get this far so we know we have only SHA* + * digests and TLS to deal with. + * Minimum digest padding length is 17 for SHA384/SHA512 and 9 + * otherwise. + * Additional header is 13 bytes. To get the number of digest blocks + * processed round up the amount of data plus padding to the nearest + * block length. Block length is 128 for SHA384/SHA512 and 64 otherwise. + * So we have: + * blocks = (payload_len + digest_pad + 13 + block_size - 1)/block_size + * equivalently: + * blocks = (payload_len + digest_pad + 12)/block_size + 1 + * HMAC adds a constant overhead. + * We're ultimately only interested in differences so this becomes + * blocks = (payload_len + 29)/128 + * for SHA384/SHA512 and + * blocks = (payload_len + 21)/64 + * otherwise. + */ + digest_pad = block_size == 64 ? 21 : 29; + blocks_orig = (orig_len + digest_pad)/block_size; + blocks_data = (data_len + digest_pad)/block_size; + /* MAC enough blocks to make up the difference between the original + * and actual lengths plus one extra block to ensure this is never a + * no op. The "data" pointer should always have enough space to + * perform this operation as it is large enough for a maximum + * length TLS buffer. + */ + EVP_DigestSignUpdate(mac_ctx, data, + (blocks_orig - blocks_data + 1) * block_size); + } +#endif 
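Review bot: In tls_fips_digest_extra the result of `EVP_DigestSignUpdate(mac_ctx, data, (blocks_orig - blocks_data + 1) * block_size)` is discarded, and `blocks_orig - blocks_data` is an unchecked size_t subtraction that wraps to a huge count if data_len ever exceeds orig_len, turning the compensating update into a large over-read of `data`. The comment relies on the caller guaranteeing buffer space but nothing enforces the ordering of the two lengths. Make the precondition explicit with `OPENSSL_assert(orig_len >= data_len);` before the division, and treat a failed update the way the t1_enc.c hunk treats EVP_DigestSignFinal (`OPENSSL_assert(t > 0)`), since a silently skipped update defeats the purpose of the routine.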
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index a0eac77..e3cd4f0 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -709,7 +709,7 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send) EVP_MD_CTX md_ctx; const EVP_MD_CTX *hash; unsigned char *p,rec_char; - size_t md_size; + size_t md_size, orig_len; int npad; int t; @@ -734,6 +734,10 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send) md_size=t; npad=(48/md_size)*md_size; + /* kludge: ssl3_cbc_remove_padding passes padding length in rec->type */ + orig_len = rec->length+md_size+((unsigned int)rec->type>>8); + rec->type &= 0xff; + if (!send && EVP_CIPHER_CTX_mode(ssl->enc_read_ctx) == EVP_CIPH_CBC_MODE && ssl3_cbc_record_digest_supported(hash)) @@ -765,7 +769,7 @@ int n_ssl3_mac(SSL *ssl, unsigned char *md, int send) hash, md, &md_size, header, rec->input, - rec->length + md_size, rec->orig_len, + rec->length + md_size, orig_len, mac_sec, md_size, 1 /* is SSLv3 */); } diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 50aa465..0be87e8 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1125,7 +1125,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_DSS_WITH_AES_128_SHA256, TLS1_CK_DH_DSS_WITH_AES_128_SHA256, - SSL_kDHr, + SSL_kDHd, SSL_aDH, SSL_AES128, SSL_SHA256, @@ -1407,7 +1407,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, /* not implemented (non-ephemeral DH) */ TLS1_TXT_DH_DSS_WITH_AES_256_SHA256, TLS1_CK_DH_DSS_WITH_AES_256_SHA256, - SSL_kDHr, + SSL_kDHd, SSL_aDH, SSL_AES256, SSL_SHA256, @@ -1958,7 +1958,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, TLS1_TXT_DH_DSS_WITH_AES_128_GCM_SHA256, TLS1_CK_DH_DSS_WITH_AES_128_GCM_SHA256, - SSL_kDHr, + SSL_kDHd, SSL_aDH, SSL_AES128GCM, SSL_AEAD, @@ -1974,7 +1974,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 0, TLS1_TXT_DH_DSS_WITH_AES_256_GCM_SHA384, TLS1_CK_DH_DSS_WITH_AES_256_GCM_SHA384, - SSL_kDHr, + SSL_kDHd, SSL_aDH, SSL_AES256GCM, SSL_AEAD, 
@@ -2669,7 +2669,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_ECDH_RSA_WITH_AES_128_SHA256, TLS1_CK_ECDH_RSA_WITH_AES_128_SHA256, - SSL_kECDHe, + SSL_kECDHr, SSL_aECDH, SSL_AES128, SSL_SHA256, @@ -2685,7 +2685,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_ECDH_RSA_WITH_AES_256_SHA384, TLS1_CK_ECDH_RSA_WITH_AES_256_SHA384, - SSL_kECDHe, + SSL_kECDHr, SSL_aECDH, SSL_AES256, SSL_SHA384, @@ -2799,7 +2799,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS1_CK_ECDH_RSA_WITH_AES_128_GCM_SHA256, - SSL_kECDHe, + SSL_kECDHr, SSL_aECDH, SSL_AES128GCM, SSL_AEAD, @@ -2815,7 +2815,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ 1, TLS1_TXT_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS1_CK_ECDH_RSA_WITH_AES_256_GCM_SHA384, - SSL_kECDHe, + SSL_kECDHr, SSL_aECDH, SSL_AES256GCM, SSL_AEAD, diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 5289092..bf8da98 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -290,7 +290,7 @@ static int ssl3_get_record(SSL *s) unsigned char *p; unsigned char md[EVP_MAX_MD_SIZE]; short version; - unsigned mac_size; + unsigned mac_size, orig_len; size_t extra; rr= &(s->s3->rrec); @@ -398,7 +398,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); /* decrypt in place in 'rr->input' */ rr->data=rr->input; - rr->orig_len=rr->length; + orig_len=rr->length; enc_err = s->method->ssl3_enc->enc(s,0); /* enc_err is: @@ -408,7 +408,7 @@ fprintf(stderr, "Record type=%d, Length=%d\n", rr->type, rr->length); if (enc_err == 0) { al=SSL_AD_DECRYPTION_FAILED; - SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); goto f_err; } 
@@ -434,10 +434,10 @@ printf("\n"); * therefore we can safely process the record in a different * amount of time if it's too short to possibly contain a MAC. */ - if (rr->orig_len < mac_size || + if (orig_len < mac_size || /* CBC records must have a padding length byte too. */ (EVP_CIPHER_CTX_mode(s->enc_read_ctx) == EVP_CIPH_CBC_MODE && - rr->orig_len < mac_size+1)) + orig_len < mac_size+1)) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); @@ -452,12 +452,12 @@ printf("\n"); * without leaking the contents of the padding bytes. * */ mac = mac_tmp; - ssl3_cbc_copy_mac(mac_tmp, rr, mac_size); + ssl3_cbc_copy_mac(mac_tmp, rr, mac_size, orig_len); rr->length -= mac_size; } else { - /* In this case there's no padding, so |rec->orig_len| + /* In this case there's no padding, so |orig_len| * equals |rec->length| and we checked that there's * enough bytes for |mac_size| above. */ rr->length -= mac_size; @@ -746,6 +746,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, * bytes and record version number > TLS 1.0 */ if (s->state == SSL3_ST_CW_CLNT_HELLO_B + && !s->renegotiate && TLS1_get_version(s) > TLS1_VERSION) *(p++) = 0x1; else @@ -1240,7 +1241,7 @@ start: goto f_err; } #ifdef SSL_AD_MISSING_SRP_USERNAME - if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) + else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME) return(0); #endif } diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index c5c53dc..da1c2e8 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -194,7 +194,8 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al) { if(s->srp_ctx.login == NULL) { - /* There isn't any srp login extension !!! */ + /* RFC 5054 says SHOULD reject, + we do so if There is no srp login name */ ret = SSL3_AL_FATAL; *al = SSL_AD_UNKNOWN_PSK_IDENTITY; } @@ -381,6 +382,7 @@ int ssl3_accept(SSL *s) } } #endif + s->renegotiate = 2; s->state=SSL3_ST_SW_SRVR_HELLO_A; s->init_num=0; 
@@ -1205,7 +1207,7 @@ int ssl3_get_client_hello(SSL *s) goto f_err; } } - if (ssl_check_clienthello_tlsext(s) <= 0) { + if (ssl_check_clienthello_tlsext_early(s) <= 0) { SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO,SSL_R_CLIENTHELLO_TLSEXT); goto err; } @@ -1427,6 +1429,16 @@ int ssl3_get_client_hello(SSL *s) * s->tmp.new_cipher - the new cipher to use. */ + /* Handles TLS extensions that we couldn't check earlier */ + if (s->version >= SSL3_VERSION) + { + if (ssl_check_clienthello_tlsext_late(s) <= 0) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT); + goto err; + } + } + if (ret < 0) ret=1; if (0) { diff --git a/ssl/ssl.h b/ssl/ssl.h index 1aaadf3..5695aae 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -493,6 +493,9 @@ struct ssl_session_st char *psk_identity_hint; char *psk_identity; #endif + /* Used to indicate that session resumption is not allowed. + * Applications can also set this bit for a new session via + * not_resumable_session_cb to disable session caching and tickets. */ int not_resumable; /* The cert is the certificate used to establish this connection */ @@ -535,7 +538,7 @@ struct ssl_session_st #endif /* OPENSSL_NO_EC */ /* RFC4507 info */ unsigned char *tlsext_tick; /* Session ticket */ - size_t tlsext_ticklen; /* Session ticket length */ + size_t tlsext_ticklen; /* Session ticket length */ long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ #endif #ifndef OPENSSL_NO_SRP @@ -931,6 +934,7 @@ struct ssl_ctx_st /* Callback for status request */ int (*tlsext_status_cb)(SSL *ssl, void *arg); void *tlsext_status_arg; + /* draft-rescorla-tls-opaque-prf-input-00.txt information */ int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg); void *tlsext_opaque_prf_input_callback_arg; @@ -956,6 +960,7 @@ struct ssl_ctx_st #endif #ifndef OPENSSL_NO_TLSEXT + # ifndef OPENSSL_NO_NEXTPROTONEG /* Next protocol negotiation information */ /* (for experimental NPN extension). */ 
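Review bot: The new ssl_check_clienthello_tlsext_late call is gated only on `s->version >= SSL3_VERSION`, and nothing in the hunk shows an `#ifndef OPENSSL_NO_TLSEXT` guard around it, whereas the renamed early call at the top of the same function is presumably under such a guard (not visible here). If the declaration in ssl_locl.h and the definition in t1_lib.c are TLSEXT-conditional, a no-tlsext build will fail to link or compile at this site; confirm the surrounding preprocessor context, or mirror the early call's guard. ssl3_get_client_hello's body continues outside both hunks.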
@@ -2262,6 +2267,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_SSL_GET_NEW_SESSION 181 #define SSL_F_SSL_GET_PREV_SESSION 217 #define SSL_F_SSL_GET_SERVER_SEND_CERT 182 +#define SSL_F_SSL_GET_SERVER_SEND_PKEY 317 #define SSL_F_SSL_GET_SIGN_PKEY 183 #define SSL_F_SSL_INIT_WBIO_BUFFER 184 #define SSL_F_SSL_LOAD_CLIENT_CA_FILE 185 diff --git a/ssl/ssl3.h b/ssl/ssl3.h index 879be13..fee9671 100644 --- a/ssl/ssl3.h +++ b/ssl/ssl3.h @@ -355,10 +355,6 @@ typedef struct ssl3_record_st /*r */ unsigned char *comp; /* only used with decompression - malloc()ed */ /*r */ unsigned long epoch; /* epoch number, needed by DTLS1 */ /*r */ unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ -/*rw*/ unsigned int orig_len; /* How many bytes were available before padding - was removed? This is used to implement the - MAC check in constant time for CBC records. - */ } SSL3_RECORD; typedef struct ssl3_buffer_st @@ -594,8 +590,10 @@ typedef struct ssl3_state_st #define SSL3_ST_CW_CERT_VRFY_B (0x191|SSL_ST_CONNECT) #define SSL3_ST_CW_CHANGE_A (0x1A0|SSL_ST_CONNECT) #define SSL3_ST_CW_CHANGE_B (0x1A1|SSL_ST_CONNECT) +#ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_ST_CW_NEXT_PROTO_A (0x200|SSL_ST_CONNECT) #define SSL3_ST_CW_NEXT_PROTO_B (0x201|SSL_ST_CONNECT) +#endif #define SSL3_ST_CW_CHANNEL_ID_A (0x210|SSL_ST_CONNECT) #define SSL3_ST_CW_CHANNEL_ID_B (0x211|SSL_ST_CONNECT) #define SSL3_ST_CW_FINISHED_A (0x1B0|SSL_ST_CONNECT) @@ -648,8 +646,10 @@ typedef struct ssl3_state_st #define SSL3_ST_SR_CHANGE_A (0x1B0|SSL_ST_ACCEPT) #define SSL3_ST_SR_CHANGE_B (0x1B1|SSL_ST_ACCEPT) #define SSL3_ST_SR_POST_CLIENT_CERT (0x1BF|SSL_ST_ACCEPT) +#ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_ST_SR_NEXT_PROTO_A (0x210|SSL_ST_ACCEPT) #define SSL3_ST_SR_NEXT_PROTO_B (0x211|SSL_ST_ACCEPT) +#endif #define SSL3_ST_SR_CHANNEL_ID_A (0x220|SSL_ST_ACCEPT) #define SSL3_ST_SR_CHANNEL_ID_B (0x221|SSL_ST_ACCEPT) #define SSL3_ST_SR_FINISHED_A (0x1C0|SSL_ST_ACCEPT) 
@@ -676,7 +676,9 @@ typedef struct ssl3_state_st #define SSL3_MT_CLIENT_KEY_EXCHANGE 16 #define SSL3_MT_FINISHED 20 #define SSL3_MT_CERTIFICATE_STATUS 22 +#ifndef OPENSSL_NO_NEXTPROTONEG #define SSL3_MT_NEXT_PROTO 67 +#endif #define SSL3_MT_ENCRYPTED_EXTENSIONS 203 #define DTLS1_MT_HELLO_VERIFY_REQUEST 3 diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c index 41ccbaa..9c34d19 100644 --- a/ssl/ssl_algs.c +++ b/ssl/ssl_algs.c @@ -90,12 +90,10 @@ int SSL_library_init(void) EVP_add_cipher(EVP_aes_256_cbc()); EVP_add_cipher(EVP_aes_128_gcm()); EVP_add_cipher(EVP_aes_256_gcm()); -#if 0 /* Disabled because of timing side-channel leaks. */ #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) EVP_add_cipher(EVP_aes_128_cbc_hmac_sha1()); EVP_add_cipher(EVP_aes_256_cbc_hmac_sha1()); #endif -#endif #endif #ifndef OPENSSL_NO_CAMELLIA diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 917be31..5123a89 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -164,14 +164,14 @@ static void ssl_cert_set_default_md(CERT *cert) { /* Set digest values to defaults */ #ifndef OPENSSL_NO_DSA - cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1(); + cert->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1(); #endif #ifndef OPENSSL_NO_RSA cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); #endif #ifndef OPENSSL_NO_ECDSA - cert->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa(); + cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); #endif } diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 55deaaf..e8794d4 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -312,6 +312,7 @@ static const SSL_CIPHER cipher_aliases[]={ {0,SSL_TXT_SSLV2,0, 0,0,0,0,SSL_SSLV2, 0,0,0,0}, {0,SSL_TXT_SSLV3,0, 0,0,0,0,SSL_SSLV3, 0,0,0,0}, {0,SSL_TXT_TLSV1,0, 0,0,0,0,SSL_TLSV1, 0,0,0,0}, + {0,SSL_TXT_TLSV1_2,0, 0,0,0,0,SSL_TLSV1_2, 0,0,0,0}, /* export flag */ {0,SSL_TXT_EXP,0, 0,0,0,0,0,SSL_EXPORT,0,0,0}, 
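Review bot: Removing `#if 0 /* Disabled because of timing side-channel leaks. */` re-registers EVP_aes_128_cbc_hmac_sha1 and EVP_aes_256_cbc_hmac_sha1 without recording why the concern no longer holds, and the hunk itself offers no justification. These ciphers presumably carry EVP_CIPH_FLAG_AEAD_CIPHER and therefore take the early return added in the s3_cbc.c tls1_cbc_remove_padding hunk, bypassing the constant-time ssl3_cbc_digest_record path, so their safety rests entirely on the cipher implementation. A one-line comment in place of the removed one, naming the change that made the stitched implementation constant-time, would let a reader verify the claim instead of trusting the deletion, e.g. `/* stitched AES-CBC+HMAC-SHA1: padding and MAC checks are done constant-time inside the cipher */`.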
@@ -1150,9 +1151,9 @@ static int ssl_cipher_process_rulestr(const char *rule_str, while ( ((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) || ((ch >= 'a') && (ch <= 'z')) || - (ch == '-')) + (ch == '-') || (ch == '.')) #else - while ( isalnum(ch) || (ch == '-')) + while ( isalnum(ch) || (ch == '-') || (ch == '.')) #endif { ch = *(++l); diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index fbefce3..c40c718 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -230,6 +230,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_SSL_GET_NEW_SESSION), "SSL_GET_NEW_SESSION"}, {ERR_FUNC(SSL_F_SSL_GET_PREV_SESSION), "SSL_GET_PREV_SESSION"}, {ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_CERT), "SSL_GET_SERVER_SEND_CERT"}, +{ERR_FUNC(SSL_F_SSL_GET_SERVER_SEND_PKEY), "SSL_GET_SERVER_SEND_PKEY"}, {ERR_FUNC(SSL_F_SSL_GET_SIGN_PKEY), "SSL_GET_SIGN_PKEY"}, {ERR_FUNC(SSL_F_SSL_INIT_WBIO_BUFFER), "SSL_INIT_WBIO_BUFFER"}, {ERR_FUNC(SSL_F_SSL_LOAD_CLIENT_CA_FILE), "SSL_load_client_CA_file"}, diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 4db0fef..c94ff26 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -2321,7 +2321,7 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s) #endif /* THIS NEEDS CLEANING UP */ -X509 *ssl_get_server_send_cert(SSL *s) +CERT_PKEY *ssl_get_server_send_pkey(const SSL *s) { unsigned long alg_k,alg_a; CERT *c; @@ -2376,12 +2376,20 @@ X509 *ssl_get_server_send_cert(SSL *s) i=SSL_PKEY_GOST01; else /* if (alg_a & SSL_aNULL) */ { - SSLerr(SSL_F_SSL_GET_SERVER_SEND_CERT,ERR_R_INTERNAL_ERROR); + SSLerr(SSL_F_SSL_GET_SERVER_SEND_PKEY,ERR_R_INTERNAL_ERROR); return(NULL); } - if (c->pkeys[i].x509 == NULL) return(NULL); - return(c->pkeys[i].x509); + return c->pkeys + i; + } + +X509 *ssl_get_server_send_cert(const SSL *s) + { + CERT_PKEY *cpk; + cpk = ssl_get_server_send_pkey(s); + if (!cpk) + return NULL; + return cpk->x509; } EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *cipher, const EVP_MD **pmd) 
@@ -2642,7 +2650,7 @@ static const char *ssl_get_version(int version) return("TLSv1.2"); else if (version == TLS1_1_VERSION) return("TLSv1.1"); - if (version == TLS1_VERSION) + else if (version == TLS1_VERSION) return("TLSv1"); else if (version == SSL3_VERSION) return("SSLv3"); @@ -2837,7 +2845,9 @@ void ssl_clear_cipher_ctx(SSL *s) /* Fix this function so that it takes an optional type parameter */ X509 *SSL_get_certificate(const SSL *s) { - if (s->cert != NULL) + if (s->server) + return(ssl_get_server_send_cert(s)); + else if (s->cert != NULL) return(s->cert->key->x509); else return(NULL); diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index 9ca3b4a..5f21726 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -841,7 +841,8 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk); int ssl_undefined_function(SSL *s); int ssl_undefined_void_function(void); int ssl_undefined_const_function(const SSL *s); -X509 *ssl_get_server_send_cert(SSL *); +CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); +X509 *ssl_get_server_send_cert(const SSL *); EVP_PKEY *ssl_get_sign_pkey(SSL *s,const SSL_CIPHER *c, const EVP_MD **pmd); int ssl_cert_type(X509 *x,EVP_PKEY *pkey); void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); @@ -1101,7 +1102,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, unsigned char *d, int n, int *al); int ssl_prepare_clienthello_tlsext(SSL *s); int ssl_prepare_serverhello_tlsext(SSL *s); -int ssl_check_clienthello_tlsext(SSL *s); +int ssl_check_clienthello_tlsext_early(SSL *s); +int ssl_check_clienthello_tlsext_late(SSL *s); int ssl_check_serverhello_tlsext(SSL *s); #ifndef OPENSSL_NO_HEARTBEATS 
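Review bot: SSL_get_certificate now returns ssl_get_server_send_cert(s) whenever `s->server` is set, and that function (its selection logic is outside the hunk, in the ssl_lib.c hunk above) chooses the slot from the negotiated cipher's key-exchange and authentication bits; if it dereferences `s->s3->tmp.new_cipher`, an application calling SSL_get_certificate on a server SSL before a cipher has been chosen will now fault where the old code returned `s->cert->key->x509`. This is a public API, so the pre-handshake case is reachable. Consider `if (s->server && s->s3 && s->s3->tmp.new_cipher)` for the new path with the previous `s->cert->key->x509` as the fallback, or confirm that ssl_get_server_send_pkey tolerates a NULL cipher.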
@@ -1149,7 +1151,7 @@ int ssl_parse_serverhello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al /* s3_cbc.c */ void ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec, - unsigned md_size); + unsigned md_size,unsigned orig_len); int ssl3_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, @@ -1171,4 +1173,8 @@ void ssl3_cbc_digest_record( unsigned mac_secret_length, char is_sslv3); +void tls_fips_digest_extra( + const EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *mac_ctx, + const unsigned char *data, size_t data_len, size_t orig_len); + #endif diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index c43f3e2..82f55b6 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -746,7 +746,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ - in=BIO_new(BIO_s_file_internal()); + in = BIO_new(BIO_s_file_internal()); if (in == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB); @@ -759,14 +759,16 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) goto end; } - x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata); + x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback, + ctx->default_passwd_callback_userdata); if (x == NULL) { SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB); goto end; } - ret=SSL_CTX_use_certificate(ctx,x); + ret = SSL_CTX_use_certificate(ctx, x); + if (ERR_peek_error() != 0) ret = 0; /* Key/certificate mismatch doesn't imply ret==0 ... */ if (ret) 
@@ -778,13 +780,15 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) int r; unsigned long err; - if (ctx->extra_certs != NULL) + if (ctx->extra_certs != NULL) { sk_X509_pop_free(ctx->extra_certs, X509_free); ctx->extra_certs = NULL; } - while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata)) + while ((ca = PEM_read_bio_X509(in, NULL, + ctx->default_passwd_callback, + ctx->default_passwd_callback_userdata)) != NULL) { r = SSL_CTX_add_extra_chain_cert(ctx, ca); diff --git a/ssl/ssltest.c b/ssl/ssltest.c index 02ce4ec..91169bb 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -544,8 +544,8 @@ int main(int argc, char *argv[]) int comp = 0; #ifndef OPENSSL_NO_COMP COMP_METHOD *cm = NULL; -#endif STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; +#endif int test_cipherlist = 0; #ifdef OPENSSL_FIPS int fips_mode=0; diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 643e3e6..809ad2e 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -361,7 +361,7 @@ int tls1_change_cipher_state(SSL *s, int which) { int i; for (i=0; is3->tmp.key_block_length; i++) - printf("%02x", key_block[i]); printf("\n"); + printf("%02x", s->s3->tmp.key_block[i]); printf("\n"); } #endif /* KSSL_DEBUG */ @@ -949,7 +949,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) SSL3_RECORD *rec; unsigned char *seq; EVP_MD_CTX *hash; - size_t md_size; + size_t md_size, orig_len; int i; EVP_MD_CTX hmac, *mac_ctx; unsigned char header[13]; @@ -996,6 +996,10 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) else memcpy(header, seq, 8); + /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ + orig_len = rec->length+md_size+((unsigned int)rec->type>>8); + rec->type &= 0xff; + header[8]=rec->type; header[9]=(unsigned char)(ssl->version>>8); header[10]=(unsigned char)(ssl->version); 
@@ -1014,7 +1018,7 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) mac_ctx, md, &md_size, header, rec->input, - rec->length + md_size, rec->orig_len, + rec->length + md_size, orig_len, ssl->s3->read_mac_secret, ssl->s3->read_mac_secret_size, 0 /* not SSLv3 */); @@ -1025,6 +1029,13 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) EVP_DigestSignUpdate(mac_ctx,rec->input,rec->length); t=EVP_DigestSignFinal(mac_ctx,md,&md_size); OPENSSL_assert(t > 0); +#ifdef OPENSSL_FIPS + if (!send && FIPS_mode()) + tls_fips_digest_extra( + ssl->enc_read_ctx, + mac_ctx, rec->input, + rec->length, orig_len); +#endif } if (!stream_mac) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 9972b1a..90a88ce 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1097,7 +1097,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in int ellipticcurvelist_length = (*(sdata++) << 8); ellipticcurvelist_length += (*(sdata++)); - if (ellipticcurvelist_length != size - 2) + if (ellipticcurvelist_length != size - 2 || + ellipticcurvelist_length < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; @@ -1456,7 +1457,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in unsigned char *sdata = data; int ecpointformatlist_length = *(sdata++); - if (ecpointformatlist_length != size - 1) + if (ecpointformatlist_length != size - 1 || + ecpointformatlist_length < 1) { *al = TLS1_AD_DECODE_ERROR; return 0; @@ -1789,7 +1791,7 @@ int ssl_prepare_serverhello_tlsext(SSL *s) return 1; } -int ssl_check_clienthello_tlsext(SSL *s) +int ssl_check_clienthello_tlsext_early(SSL *s) { int ret=SSL_TLSEXT_ERR_NOACK; int al = SSL_AD_UNRECOGNIZED_NAME; 
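Review bot: The added `ellipticcurvelist_length < 1` check rejects an empty list but still accepts an odd length, even though the elliptic_curves extension is a sequence of two-octet NamedCurve values, so a list with a trailing stray byte now passes validation. Suggest `|| (ellipticcurvelist_length & 1)` alongside the new condition so the length matches the element size before the list is copied. The ecpointformatlist hunk is fine as is, since its entries are single octets. The loop that consumes the curve list is outside the hunk.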
@@ -1808,42 +1810,12 @@ int ssl_check_clienthello_tlsext(SSL *s)
else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0)
ret = s->initial_ctx->tlsext_servername_callback(s, &al, s->initial_ctx->tlsext_servername_arg);
- /* If status request then ask callback what to do.
- * Note: this must be called after servername callbacks in case
- * the certificate has changed.
- */
- if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
- {
- int r;
- r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
- switch (r)
- {
- /* We don't want to send a status request response */
- case SSL_TLSEXT_ERR_NOACK:
- s->tlsext_status_expected = 0;
- break;
- /* status request response should be sent */
- case SSL_TLSEXT_ERR_OK:
- if (s->tlsext_ocsp_resp)
- s->tlsext_status_expected = 1;
- else
- s->tlsext_status_expected = 0;
- break;
- /* something bad happened */
- case SSL_TLSEXT_ERR_ALERT_FATAL:
- ret = SSL_TLSEXT_ERR_ALERT_FATAL;
- al = SSL_AD_INTERNAL_ERROR;
- goto err;
- }
- }
- else
- s->tlsext_status_expected = 0;
-
#ifdef TLSEXT_TYPE_opaque_prf_input
{
/* This sort of belongs into ssl_prepare_serverhello_tlsext(),
* but we might be sending an alert in response to the client hello,
- * so this has to happen here in ssl_check_clienthello_tlsext(). */
+ * so this has to happen here in
+ * ssl_check_clienthello_tlsext_early(). */
int r = 1;
@@ -1895,8 +1867,8 @@ int ssl_check_clienthello_tlsext(SSL *s)
}
}
-#endif
err:
+#endif
switch (ret)
{
case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1914,6 +1886,71 @@ int ssl_check_clienthello_tlsext(SSL *s)
}
}
+int ssl_check_clienthello_tlsext_late(SSL *s)
+ {
+ int ret = SSL_TLSEXT_ERR_OK;
+ int al;
+
+ /* If status request then ask callback what to do.
+ * Note: this must be called after servername callbacks in case
+ * the certificate has changed, and must be called after the cipher
+ * has been chosen because this may influence which certificate is sent
+ */
+ if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb)
+ {
+ int r;
+ CERT_PKEY *certpkey;
+ certpkey = ssl_get_server_send_pkey(s);
+ /* If no certificate can't return certificate status */
+ if (certpkey == NULL)
+ {
+ s->tlsext_status_expected = 0;
+ return 1;
+ }
+ /* Set current certificate to one we will use so
+ * SSL_get_certificate et al can pick it up.
+ */
+ s->cert->key = certpkey;
+ r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+ switch (r)
+ {
+ /* We don't want to send a status request response */
+ case SSL_TLSEXT_ERR_NOACK:
+ s->tlsext_status_expected = 0;
+ break;
+ /* status request response should be sent */
+ case SSL_TLSEXT_ERR_OK:
+ if (s->tlsext_ocsp_resp)
+ s->tlsext_status_expected = 1;
+ else
+ s->tlsext_status_expected = 0;
+ break;
+ /* something bad happened */
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
+ ret = SSL_TLSEXT_ERR_ALERT_FATAL;
+ al = SSL_AD_INTERNAL_ERROR;
+ goto err;
+ }
+ }
+ else
+ s->tlsext_status_expected = 0;
+
+ err:
+ switch (ret)
+ {
+ case SSL_TLSEXT_ERR_ALERT_FATAL:
+ ssl3_send_alert(s,SSL3_AL_FATAL,al);
+ return -1;
+
+ case SSL_TLSEXT_ERR_ALERT_WARNING:
+ ssl3_send_alert(s,SSL3_AL_WARNING,al);
+ return 1;
+
+ default:
+ return 1;
+ }
+ }
+
int ssl_check_serverhello_tlsext(SSL *s)
{
int ret=SSL_TLSEXT_ERR_NOACK;
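Review bot: `switch (r)` in the new ssl_check_clienthello_tlsext_late has no `default:`, so a status callback that returns anything other than the three listed values (SSL_TLSEXT_ERR_ALERT_WARNING, for instance, which the outer `switch (ret)` handles but which `r` can never feed into it) leaves `s->tlsext_status_expected` at whatever it held from a previous handshake on this SSL and the handshake proceeds; adding `default:` directly under `case SSL_TLSEXT_ERR_ALERT_FATAL:` makes an unrecognised result fatal instead. `int al;` is assigned only on the `goto err` path and read in the fatal case of the second switch, so initialising it as the `_early` variant does, `int al = SSL_AD_INTERNAL_ERROR;`, removes a dependency on that path invariant. The assignment `s->cert->key = certpkey;` is a side effect on the SSL that outlives the callback; the comment says why it is done, but the caller that must invoke `_late` after cipher selection is not in this view, so whether the old single call site was split accordingly cannot be confirmed here.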
@@ -2440,7 +2477,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
*/
#ifndef OPENSSL_NO_DSA
if (!c->pkeys[SSL_PKEY_DSA_SIGN].digest)
- c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_dss1();
+ c->pkeys[SSL_PKEY_DSA_SIGN].digest = EVP_sha1();
#endif
#ifndef OPENSSL_NO_RSA
if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest)
@@ -2451,7 +2488,7 @@ int tls1_process_sigalgs(SSL *s, const unsigned char *data, int dsize)
#endif
#ifndef OPENSSL_NO_ECDSA
if (!c->pkeys[SSL_PKEY_ECC].digest)
- c->pkeys[SSL_PKEY_ECC].digest = EVP_ecdsa();
+ c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1();
#endif
return 1;
}
diff --git a/ssl/tls_srp.c b/ssl/tls_srp.c
index 8512c4d..2315a7c 100644
--- a/ssl/tls_srp.c
+++ b/ssl/tls_srp.c
@@ -242,7 +242,8 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad)
(s->srp_ctx.v == NULL))
return SSL3_AL_FATAL;
- RAND_bytes(b, sizeof(b));
+ if (RAND_bytes(b, sizeof(b)) <= 0)
+ return SSL3_AL_FATAL;
s->srp_ctx.b = BN_bin2bn(b,sizeof(b),NULL);
OPENSSL_cleanse(b,sizeof(b));
-- cgit v1.1
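Review bot: `BN_bin2bn(b,sizeof(b),NULL)` in the tls_srp.c hunk can return NULL on allocation failure, and unlike the RAND_bytes result the commit now checks, that case is not handled, so `s->srp_ctx.b` is left NULL and the function carries on past the hunk. Because the buffer is wiped on the next line regardless of outcome, the check fits after it: `if (s->srp_ctx.b == NULL) return SSL3_AL_FATAL;`. If `s->srp_ctx.b` can already hold a BIGNUM when this function is entered (not visible here), the plain assignment also leaks the previous value. SSL_srp_server_param_with_username begins outside the hunk.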