diff options
Diffstat (limited to 'openssl')
59 files changed, 562 insertions, 252 deletions
diff --git a/openssl/CHANGES b/openssl/CHANGES index 03d731451..7013e4c12 100644 --- a/openssl/CHANGES +++ b/openssl/CHANGES @@ -2,6 +2,78 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1b and 1.0.1c [10 May 2012] + + *) Sanity check record length before skipping explicit IV in TLS + 1.2, 1.1 and DTLS to fix DoS attack. + + Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic + fuzzing as a service testing platform. + (CVE-2012-2333) + [Steve Henson] + + *) Initialise tkeylen properly when encrypting CMS messages. + Thanks to Solar Designer of Openwall for reporting this issue. + [Steve Henson] + + *) In FIPS mode don't try to use composite ciphers as they are not + approved. + [Steve Henson] + + Changes between 1.0.1a and 1.0.1b [26 Apr 2012] + + *) OpenSSL 1.0.0 sets SSL_OP_ALL to 0x80000FFFL and OpenSSL 1.0.1 and + 1.0.1a set SSL_OP_NO_TLSv1_1 to 0x00000400L which would unfortunately + mean any application compiled against OpenSSL 1.0.0 headers setting + SSL_OP_ALL would also set SSL_OP_NO_TLSv1_1, unintentionally disablng + TLS 1.1 also. Fix this by changing the value of SSL_OP_NO_TLSv1_1 to + 0x10000000L Any application which was previously compiled against + OpenSSL 1.0.1 or 1.0.1a headers and which cares about SSL_OP_NO_TLSv1_1 + will need to be recompiled as a result. Letting be results in + inability to disable specifically TLS 1.1 and in client context, + in unlike event, limit maximum offered version to TLS 1.0 [see below]. + [Steve Henson] + + *) In order to ensure interoperabilty SSL_OP_NO_protocolX does not + disable just protocol X, but all protocols above X *if* there are + protocols *below* X still enabled. In more practical terms it means + that if application wants to disable TLS1.0 in favor of TLS1.1 and + above, it's not sufficient to pass SSL_OP_NO_TLSv1, one has to pass + SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. This applies to + client side. + [Andy Polyakov] + + Changes between 1.0.1 and 1.0.1a [19 Apr 2012] + + *) Check for potentially exploitable overflows in asn1_d2i_read_bio + BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer + in CRYPTO_realloc_clean. + + Thanks to Tavis Ormandy, Google Security Team, for discovering this + issue and to Adam Langley <agl@chromium.org> for fixing it. + (CVE-2012-2110) + [Adam Langley (Google), Tavis Ormandy, Google Security Team] + + *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. + [Adam Langley] + + *) Workarounds for some broken servers that "hang" if a client hello + record length exceeds 255 bytes. + + 1. Do not use record version number > TLS 1.0 in initial client + hello: some (but not all) hanging servers will now work. + 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate + the number of ciphers sent in the client hello. This should be + set to an even number, such as 50, for example by passing: + -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure. + Most broken servers should now work. + 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable + TLS 1.2 client support entirely. + [Steve Henson] + + *) Fix SEGV in Vector Permutation AES module observed in OpenSSH. + [Andy Polyakov] + Changes between 1.0.0h and 1.0.1 [14 Mar 2012] *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET @@ -285,7 +357,18 @@ Add command line options to s_client/s_server. [Steve Henson] - Changes between 1.0.0g and 1.0.0h [xx XXX xxxx] + Changes between 1.0.0g and 1.0.0h [12 Mar 2012] + + *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness + in CMS and PKCS7 code. When RSA decryption fails use a random key for + content decryption and always return the same error. Note: this attack + needs on average 2^20 messages so it only affects automated senders. The + old behaviour can be reenabled in the CMS code by setting the + CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where + an MMA defence is not necessary. + Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering + this issue. (CVE-2012-0884) + [Steve Henson] *) Fix CVE-2011-4619: make sure we really are receiving a client hello before rejecting multiple SGC restarts. Thanks to diff --git a/openssl/Configure b/openssl/Configure index 43a90c015..cbbf4de8b 100644 --- a/openssl/Configure +++ b/openssl/Configure @@ -904,11 +904,11 @@ PROCESS_ARGS: } elsif (/^--with-fipsdir=(.*)$/) { - $fipsdir="$1/"; + $fipsdir="$1"; } elsif (/^--with-fipslibdir=(.*)$/) { - $fipslibdir="$1/"; + $fipslibdir="$1"; } elsif (/^--with-baseaddr=(.*)$/) { diff --git a/openssl/FAQ b/openssl/FAQ index b9243a610..bb6f7e2d2 100644 --- a/openssl/FAQ +++ b/openssl/FAQ @@ -10,6 +10,7 @@ OpenSSL - Frequently Asked Questions * Why aren't tools like 'autoconf' and 'libtool' used? * What is an 'engine' version? * How do I check the authenticity of the OpenSSL distribution? +* How does the versioning scheme work? [LEGAL] Legal questions @@ -82,7 +83,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 1.0.1 was released on Mar 14th, 2012. +OpenSSL 1.0.1c was released on May 10th, 2012. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: @@ -108,7 +109,9 @@ In addition, you can read the most current versions at <URL: http://www.openssl.org/docs/>. Note that the online documents refer to the very latest development versions of OpenSSL and may include features not present in released versions. If in doubt refer to the documentation -that came with the version of OpenSSL you are using. +that came with the version of OpenSSL you are using. The pod format +documentation is included in each OpenSSL distribution under the docs +directory. For information on parts of libcrypto that are not yet documented, you might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's @@ -173,6 +176,19 @@ just do: pgp TARBALL.asc +* How does the versioning scheme work? + +After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter +releases (e.g. 1.0.1a) can only contain bug and security fixes and no +new features. Minor releases change the last number (e.g. 1.0.2) and +can contain new features that retain binary compatibility. Changes to +the middle number are considered major releases and neither source nor +binary compatibility is guaranteed. + +Therefore the answer to the common question "when will feature X be +backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear +in the next minor release. + [LEGAL] ======================================================================= * Do I need patent licenses to use OpenSSL? @@ -284,7 +300,7 @@ current directory in this case, but this has changed with 0.9.6a.) Check out the CA.pl(1) manual page. This provides a simple wrapper round the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check out the manual pages for the individual utilities and the certificate -extensions documentation (currently in doc/openssl.txt). +extensions documentation (in ca(1), req(1), x509v3_config(5) ) * Why can't I create certificate requests? diff --git a/openssl/Makefile b/openssl/Makefile index c4abc718e..d5db11b41 100644 --- a/openssl/Makefile +++ b/openssl/Makefile @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.1 +VERSION=1.0.1c MAJOR=1 MINOR=0.1 SHLIB_VERSION_NUMBER=1.0.0 @@ -200,7 +200,7 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \ $${EXHEADER+EXHEADER} $${HEADER+HEADER} \ $${GENERAL+GENERAL} $${CFLAGS+CFLAGS} \ $${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \ - $${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} \ + $${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \ $${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \ $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} @@ -471,9 +471,9 @@ tags: find . -name '[^.]*.[ch]' | xargs etags -a errors: + $(PERL) util/ck_errf.pl -strict */*.c */*/*.c $(PERL) util/mkerr.pl -recurse -write (cd engines; $(MAKE) PERL=$(PERL) errors) - $(PERL) util/ck_errf.pl -strict */*.c */*/*.c stacks: $(PERL) util/mkstack.pl -write diff --git a/openssl/Makefile.org b/openssl/Makefile.org index a829c2a51..55273ea36 100644 --- a/openssl/Makefile.org +++ b/openssl/Makefile.org @@ -198,7 +198,7 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \ $${EXHEADER+EXHEADER} $${HEADER+HEADER} \ $${GENERAL+GENERAL} $${CFLAGS+CFLAGS} \ $${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \ - $${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} \ + $${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \ $${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \ $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} @@ -469,9 +469,9 @@ tags: find . -name '[^.]*.[ch]' | xargs etags -a errors: + $(PERL) util/ck_errf.pl -strict */*.c */*/*.c $(PERL) util/mkerr.pl -recurse -write (cd engines; $(MAKE) PERL=$(PERL) errors) - $(PERL) util/ck_errf.pl -strict */*.c */*/*.c stacks: $(PERL) util/mkstack.pl -write diff --git a/openssl/NEWS b/openssl/NEWS index 3db8ea95a..4f069cbd1 100644 --- a/openssl/NEWS +++ b/openssl/NEWS @@ -5,6 +5,23 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c: + + o Fix TLS/DTLS record length checking bug CVE-2012-2333 + o Don't attempt to use non-FIPS composite ciphers in FIPS mode. + + Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b: + + o Fix compilation error on non-x86 platforms. + o Make FIPS capable OpenSSL ciphers work in non-FIPS mode. + o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0 + + Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a: + + o Fix for ASN1 overflow bug CVE-2012-2110 + o Workarounds for some servers that hang on long client hellos. + o Fix SEGV in AES code. + Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1: o TLS/DTLS heartbeat support. diff --git a/openssl/README b/openssl/README index 3a0456ce6..de51583a6 100644 --- a/openssl/README +++ b/openssl/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.1 14 Mar 2012 + OpenSSL 1.0.1c 10 May 2012 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/openssl/apps/s_client.c b/openssl/apps/s_client.c index 098cce27d..fc806eb67 100644 --- a/openssl/apps/s_client.c +++ b/openssl/apps/s_client.c @@ -622,13 +622,7 @@ int MAIN(int argc, char **argv) SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024}; #endif -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_client_method(); -#elif !defined(OPENSSL_NO_SSL3) - meth=SSLv3_client_method(); -#elif !defined(OPENSSL_NO_SSL2) - meth=SSLv2_client_method(); -#endif apps_startup(); c_Pause=0; diff --git a/openssl/apps/s_server.c b/openssl/apps/s_server.c index fe29b4cae..3f9b3704c 100644 --- a/openssl/apps/s_server.c +++ b/openssl/apps/s_server.c @@ -969,17 +969,7 @@ int MAIN(int argc, char *argv[]) char *srpuserseed = NULL; char *srp_verifier_file = NULL; #endif -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_server_method(); -#elif !defined(OPENSSL_NO_SSL3) - meth=SSLv3_server_method(); -#elif !defined(OPENSSL_NO_SSL2) - meth=SSLv2_server_method(); -#elif !defined(OPENSSL_NO_TLS1) - meth=TLSv1_server_method(); -#else - /* #error no SSL version enabled */ -#endif local_argc=argc; local_argv=argv; diff --git a/openssl/crypto/aes/asm/aes-armv4.pl b/openssl/crypto/aes/asm/aes-armv4.pl index 943ce45ff..86b86c4a0 100644 --- a/openssl/crypto/aes/asm/aes-armv4.pl +++ b/openssl/crypto/aes/asm/aes-armv4.pl @@ -408,6 +408,7 @@ _armv4_AES_encrypt: .type private_AES_set_encrypt_key,%function .align 5 private_AES_set_encrypt_key: +_armv4_AES_set_encrypt_key: sub r3,pc,#8 @ AES_set_encrypt_key teq r0,#0 moveq r0,#-1 @@ -425,7 +426,7 @@ private_AES_set_encrypt_key: bne .Labrt .Lok: stmdb sp!,{r4-r12,lr} - sub $tbl,r3,#private_AES_set_encrypt_key-AES_Te-1024 @ Te4 + sub $tbl,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024 @ Te4 mov $rounds,r0 @ inp mov lr,r1 @ bits @@ -685,7 +686,7 @@ private_AES_set_encrypt_key: .align 5 private_AES_set_decrypt_key: str lr,[sp,#-4]! @ push lr - bl private_AES_set_encrypt_key + bl _armv4_AES_set_encrypt_key teq r0,#0 ldrne lr,[sp],#4 @ pop lr bne .Labrt diff --git a/openssl/crypto/aes/asm/aes-s390x.pl b/openssl/crypto/aes/asm/aes-s390x.pl index f749a52d7..445a1e676 100644 --- a/openssl/crypto/aes/asm/aes-s390x.pl +++ b/openssl/crypto/aes/asm/aes-s390x.pl @@ -783,6 +783,7 @@ $code.=<<___; .type private_AES_set_encrypt_key,\@function .align 16 private_AES_set_encrypt_key: +_s390x_AES_set_encrypt_key: lghi $t0,0 cl${g}r $inp,$t0 je .Lminus1 @@ -836,7 +837,8 @@ $code.=<<___ if (!$softonly); je 1f lg %r1,24($inp) stg %r1,24($key) -1: st $bits,236($key) # save bits +1: st $bits,236($key) # save bits [for debugging purposes] + lgr $t0,%r5 st %r5,240($key) # save km code lghi %r2,0 br %r14 @@ -844,7 +846,7 @@ ___ $code.=<<___; .align 16 .Lekey_internal: - stm${g} %r6,%r13,6*$SIZE_T($sp) # all non-volatile regs + stm${g} %r4,%r13,4*$SIZE_T($sp) # all non-volatile regs and $key larl $tbl,AES_Te+2048 @@ -904,8 +906,9 @@ $code.=<<___; la $key,16($key) # key+=4 la $t3,4($t3) # i++ brct $rounds,.L128_loop + lghi $t0,10 lghi %r2,0 - lm${g} %r6,%r13,6*$SIZE_T($sp) + lm${g} %r4,%r13,4*$SIZE_T($sp) br $ra .align 16 @@ -952,8 +955,9 @@ $code.=<<___; st $s2,32($key) st $s3,36($key) brct $rounds,.L192_continue + lghi $t0,12 lghi %r2,0 - lm${g} %r6,%r13,6*$SIZE_T($sp) + lm${g} %r4,%r13,4*$SIZE_T($sp) br $ra .align 16 @@ -1014,8 +1018,9 @@ $code.=<<___; st $s2,40($key) st $s3,44($key) brct $rounds,.L256_continue + lghi $t0,14 lghi %r2,0 - lm${g} %r6,%r13,6*$SIZE_T($sp) + lm${g} %r4,%r13,4*$SIZE_T($sp) br $ra .align 16 @@ -1066,34 +1071,26 @@ $code.=<<___; .type private_AES_set_decrypt_key,\@function .align 16 private_AES_set_decrypt_key: - st${g} $key,4*$SIZE_T($sp) # I rely on AES_set_encrypt_key to - st${g} $ra,14*$SIZE_T($sp) # save non-volatile registers! - bras $ra,AES_set_encrypt_key - l${g} $key,4*$SIZE_T($sp) + #st${g} $key,4*$SIZE_T($sp) # I rely on AES_set_encrypt_key to + st${g} $ra,14*$SIZE_T($sp) # save non-volatile registers and $key! + bras $ra,_s390x_AES_set_encrypt_key + #l${g} $key,4*$SIZE_T($sp) l${g} $ra,14*$SIZE_T($sp) ltgr %r2,%r2 bnzr $ra ___ $code.=<<___ if (!$softonly); - l $t0,240($key) + #l $t0,240($key) lhi $t1,16 cr $t0,$t1 jl .Lgo oill $t0,0x80 # set "decrypt" bit st $t0,240($key) br $ra - -.align 16 -.Ldkey_internal: - st${g} $key,4*$SIZE_T($sp) - st${g} $ra,14*$SIZE_T($sp) - bras $ra,.Lekey_internal - l${g} $key,4*$SIZE_T($sp) - l${g} $ra,14*$SIZE_T($sp) ___ $code.=<<___; - -.Lgo: llgf $rounds,240($key) +.align 16 +.Lgo: lgr $rounds,$t0 #llgf $rounds,240($key) la $i1,0($key) sllg $i2,$rounds,4 la $i2,0($i2,$key) diff --git a/openssl/crypto/aes/asm/bsaes-x86_64.pl b/openssl/crypto/aes/asm/bsaes-x86_64.pl index ff7e3afe8..c9c6312fa 100644 --- a/openssl/crypto/aes/asm/bsaes-x86_64.pl +++ b/openssl/crypto/aes/asm/bsaes-x86_64.pl @@ -65,12 +65,12 @@ # function is: # # conversion conversion/8x block -# Core 2 410 0.37 -# Nehalem 310 0.35 -# Atom 570 0.26 +# Core 2 240 0.22 +# Nehalem 180 0.20 +# Atom 430 0.19 # # The ratio values mean that 128-byte blocks will be processed -# 21-27% slower, 256-byte blocks - 12-16%, 384-byte blocks - 8-11%, +# 16-18% slower, 256-byte blocks - 9-10%, 384-byte blocks - 6-7%, # etc. Then keep in mind that input sizes not divisible by 128 are # *effectively* slower, especially shortest ones, e.g. consecutive # 144-byte blocks are processed 44% slower than one would expect, @@ -85,6 +85,7 @@ # # Core 2 11.0 # Nehalem 9.16 +# Atom 20.9 # # November 2011. # @@ -754,7 +755,7 @@ _bsaes_encrypt8: movdqa ($key), @XMM[9] # round 0 key lea 0x10($key), $key - movdqa 0x60($const), @XMM[8] # .LM0SR + movdqa 0x50($const), @XMM[8] # .LM0SR pxor @XMM[9], @XMM[0] # xor with round0 key pxor @XMM[9], @XMM[1] pshufb @XMM[8], @XMM[0] @@ -905,46 +906,82 @@ $code.=<<___; .type _bsaes_key_convert,\@abi-omnipotent .align 16 _bsaes_key_convert: - lea .LBS1(%rip), $const + lea .Lmasks(%rip), $const movdqu ($inp), %xmm7 # load round 0 key - movdqa -0x10($const), %xmm8 # .LBS0 - movdqa 0x00($const), %xmm9 # .LBS1 - movdqa 0x10($const), %xmm10 # .LBS2 - movdqa 0x40($const), %xmm13 # .LM0 - movdqa 0x60($const), %xmm14 # .LNOT - - movdqu 0x10($inp), %xmm6 # load round 1 key lea 0x10($inp), $inp + movdqa 0x00($const), %xmm0 # 0x01... + movdqa 0x10($const), %xmm1 # 0x02... + movdqa 0x20($const), %xmm2 # 0x04... + movdqa 0x30($const), %xmm3 # 0x08... + movdqa 0x40($const), %xmm4 # .LM0 + pcmpeqd %xmm5, %xmm5 # .LNOT + + movdqu ($inp), %xmm6 # load round 1 key movdqa %xmm7, ($out) # save round 0 key lea 0x10($out), $out dec $rounds jmp .Lkey_loop .align 16 .Lkey_loop: - pshufb %xmm13, %xmm6 # .LM0 - movdqa %xmm6, %xmm7 -___ - &bitslice_key (map("%xmm$_",(0..7, 8..12))); -$code.=<<___; - pxor %xmm14, %xmm5 # "pnot" - pxor %xmm14, %xmm6 - pxor %xmm14, %xmm0 - pxor %xmm14, %xmm1 - lea 0x10($inp), $inp - movdqa %xmm0, 0x00($out) # write bit-sliced round key - movdqa %xmm1, 0x10($out) - movdqa %xmm2, 0x20($out) - movdqa %xmm3, 0x30($out) - movdqa %xmm4, 0x40($out) - movdqa %xmm5, 0x50($out) - movdqa %xmm6, 0x60($out) - movdqa %xmm7, 0x70($out) + pshufb %xmm4, %xmm6 # .LM0 + + movdqa %xmm0, %xmm8 + movdqa %xmm1, %xmm9 + + pand %xmm6, %xmm8 + pand %xmm6, %xmm9 + movdqa %xmm2, %xmm10 + pcmpeqb %xmm0, %xmm8 + psllq \$4, %xmm0 # 0x10... + movdqa %xmm3, %xmm11 + pcmpeqb %xmm1, %xmm9 + psllq \$4, %xmm1 # 0x20... + + pand %xmm6, %xmm10 + pand %xmm6, %xmm11 + movdqa %xmm0, %xmm12 + pcmpeqb %xmm2, %xmm10 + psllq \$4, %xmm2 # 0x40... + movdqa %xmm1, %xmm13 + pcmpeqb %xmm3, %xmm11 + psllq \$4, %xmm3 # 0x80... + + movdqa %xmm2, %xmm14 + movdqa %xmm3, %xmm15 + pxor %xmm5, %xmm8 # "pnot" + pxor %xmm5, %xmm9 + + pand %xmm6, %xmm12 + pand %xmm6, %xmm13 + movdqa %xmm8, 0x00($out) # write bit-sliced round key + pcmpeqb %xmm0, %xmm12 + psrlq \$4, %xmm0 # 0x01... + movdqa %xmm9, 0x10($out) + pcmpeqb %xmm1, %xmm13 + psrlq \$4, %xmm1 # 0x02... + lea 0x10($inp), $inp + + pand %xmm6, %xmm14 + pand %xmm6, %xmm15 + movdqa %xmm10, 0x20($out) + pcmpeqb %xmm2, %xmm14 + psrlq \$4, %xmm2 # 0x04... + movdqa %xmm11, 0x30($out) + pcmpeqb %xmm3, %xmm15 + psrlq \$4, %xmm3 # 0x08... + movdqu ($inp), %xmm6 # load next round key + + pxor %xmm5, %xmm13 # "pnot" + pxor %xmm5, %xmm14 + movdqa %xmm12, 0x40($out) + movdqa %xmm13, 0x50($out) + movdqa %xmm14, 0x60($out) + movdqa %xmm15, 0x70($out) lea 0x80($out),$out - movdqu ($inp), %xmm6 # load next round key dec $rounds jnz .Lkey_loop - movdqa 0x70($const), %xmm7 # .L63 + movdqa 0x50($const), %xmm7 # .L63 #movdqa %xmm6, ($out) # don't save last round key ret .size _bsaes_key_convert,.-_bsaes_key_convert @@ -2800,14 +2837,8 @@ _bsaes_const: .quad 0x0504070600030201, 0x0f0e0d0c0a09080b .LSRM0: .quad 0x0304090e00050a0f, 0x01060b0c0207080d -.LM0: - .quad 0x02060a0e03070b0f, 0x0004080c0105090d .LM0SR: .quad 0x0a0e02060f03070b, 0x0004080c05090d01 -.LNOT: # magic constants - .quad 0xffffffffffffffff, 0xffffffffffffffff -.L63: - .quad 0x6363636363636363, 0x6363636363636363 .LSWPUP: # byte-swap upper dword .quad 0x0706050403020100, 0x0c0d0e0f0b0a0908 .LSWPUPM0SR: @@ -2830,6 +2861,15 @@ _bsaes_const: .quad 0x0000000000000000, 0x0000000800000000 .Lxts_magic: .long 0x87,0,1,0 +.Lmasks: + .quad 0x0101010101010101, 0x0101010101010101 + .quad 0x0202020202020202, 0x0202020202020202 + .quad 0x0404040404040404, 0x0404040404040404 + .quad 0x0808080808080808, 0x0808080808080808 +.LM0: + .quad 0x02060a0e03070b0f, 0x0004080c0105090d +.L63: + .quad 0x6363636363636363, 0x6363636363636363 .asciz "Bit-sliced AES for x86_64/SSSE3, Emilia Käsper, Peter Schwabe, Andy Polyakov" .align 64 .size _bsaes_const,.-_bsaes_const diff --git a/openssl/crypto/aes/asm/vpaes-x86.pl b/openssl/crypto/aes/asm/vpaes-x86.pl index 84a6f6d33..1533e2c30 100644 --- a/openssl/crypto/aes/asm/vpaes-x86.pl +++ b/openssl/crypto/aes/asm/vpaes-x86.pl @@ -843,6 +843,8 @@ $k_dsbo=0x2c0; # decryption sbox final output &mov ($out,&wparam(1)); # out &mov ($round,&wparam(2)); # len &mov ($key,&wparam(3)); # key + &sub ($round,16); + &jc (&label("cbc_abort")); &lea ($base,&DWP(-56,"esp")); &mov ($const,&wparam(4)); # ivp &and ($base,-16); @@ -853,7 +855,6 @@ $k_dsbo=0x2c0; # decryption sbox final output &mov (&DWP(48,"esp"),$base); &mov (&DWP(0,"esp"),$out); # save out - &sub ($round,16); &mov (&DWP(4,"esp"),$key) # save key &mov (&DWP(8,"esp"),$const); # save ivp &mov ($out,$round); # $out works as $len @@ -896,6 +897,7 @@ $k_dsbo=0x2c0; # decryption sbox final output &mov ($base,&DWP(8,"esp")); # restore ivp &mov ("esp",&DWP(48,"esp")); &movdqu (&QWP(0,$base),"xmm1"); # write IV +&set_label("cbc_abort"); &function_end("${PREFIX}_cbc_encrypt"); &asm_finish(); diff --git a/openssl/crypto/aes/asm/vpaes-x86_64.pl b/openssl/crypto/aes/asm/vpaes-x86_64.pl index 025470223..37998db5e 100644 --- a/openssl/crypto/aes/asm/vpaes-x86_64.pl +++ b/openssl/crypto/aes/asm/vpaes-x86_64.pl @@ -263,7 +263,7 @@ _vpaes_decrypt_core: pshufb %xmm2, %xmm4 # 4 = sbou pxor %xmm0, %xmm4 # 4 = sb1u + k movdqa 0x70(%r10), %xmm0 # 0 : sbot - movdqa .Lk_sr-.Lk_dsbd(%r11), %xmm2 + movdqa -0x160(%r11), %xmm2 # .Lk_sr-.Lk_dsbd=-0x160 pshufb %xmm3, %xmm0 # 0 = sb1t pxor %xmm4, %xmm0 # 0 = A pshufb %xmm2, %xmm0 @@ -869,6 +869,8 @@ ${PREFIX}_cbc_encrypt: ___ ($len,$key)=($key,$len); $code.=<<___; + sub \$16,$len + jc .Lcbc_abort ___ $code.=<<___ if ($win64); lea -0xb8(%rsp),%rsp @@ -887,7 +889,6 @@ ___ $code.=<<___; movdqu ($ivp),%xmm6 # load IV sub $inp,$out - sub \$16,$len call _vpaes_preheat cmp \$0,${enc}d je .Lcbc_dec_loop @@ -932,6 +933,7 @@ $code.=<<___ if ($win64); .Lcbc_epilogue: ___ $code.=<<___; +.Lcbc_abort: ret .size ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt ___ diff --git a/openssl/crypto/asn1/a_d2i_fp.c b/openssl/crypto/asn1/a_d2i_fp.c index ece40bc4c..52b2ebdb6 100644 --- a/openssl/crypto/asn1/a_d2i_fp.c +++ b/openssl/crypto/asn1/a_d2i_fp.c @@ -57,6 +57,7 @@ */ #include <stdio.h> +#include <limits.h> #include "cryptlib.h" #include <openssl/buffer.h> #include <openssl/asn1_mac.h> @@ -143,17 +144,11 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) BUF_MEM *b; unsigned char *p; int i; - int ret=-1; ASN1_const_CTX c; - int want=HEADER_SIZE; + size_t want=HEADER_SIZE; int eos=0; -#if defined(__GNUC__) && defined(__ia64) - /* pathetic compiler bug in all known versions as of Nov. 2002 */ - long off=0; -#else - int off=0; -#endif - int len=0; + size_t off=0; + size_t len=0; b=BUF_MEM_new(); if (b == NULL) @@ -169,7 +164,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) { want-=(len-off); - if (!BUF_MEM_grow_clean(b,len+want)) + if (len + want < len || !BUF_MEM_grow_clean(b,len+want)) { ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE); goto err; @@ -181,7 +176,14 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) goto err; } if (i > 0) + { + if (len+i < len) + { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG); + goto err; + } len+=i; + } } /* else data already loaded */ @@ -206,6 +208,11 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) { /* no data body so go round again */ eos++; + if (eos < 0) + { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_HEADER_TOO_LONG); + goto err; + } want=HEADER_SIZE; } else if (eos && (c.slen == 0) && (c.tag == V_ASN1_EOC)) @@ -220,10 +227,16 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) else { /* suck in c.slen bytes of data */ - want=(int)c.slen; + want=c.slen; if (want > (len-off)) { want-=(len-off); + if (want > INT_MAX /* BIO_read takes an int length */ || + len+want < len) + { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG); + goto err; + } if (!BUF_MEM_grow_clean(b,len+want)) { ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE); @@ -238,11 +251,18 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) ASN1_R_NOT_ENOUGH_DATA); goto err; } + /* This can't overflow because + * |len+want| didn't overflow. */ len+=i; - want -= i; + want-=i; } } - off+=(int)c.slen; + if (off + c.slen < off) + { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG); + goto err; + } + off+=c.slen; if (eos <= 0) { break; @@ -252,9 +272,15 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) } } + if (off > INT_MAX) + { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG); + goto err; + } + *pb = b; return off; err: if (b != NULL) BUF_MEM_free(b); - return(ret); + return -1; } diff --git a/openssl/crypto/asn1/tasn_prn.c b/openssl/crypto/asn1/tasn_prn.c index 453698012..542a091a6 100644 --- a/openssl/crypto/asn1/tasn_prn.c +++ b/openssl/crypto/asn1/tasn_prn.c @@ -446,11 +446,11 @@ static int asn1_print_fsname(BIO *out, int indent, return 1; } -static int asn1_print_boolean_ctx(BIO *out, const int bool, +static int asn1_print_boolean_ctx(BIO *out, int boolval, const ASN1_PCTX *pctx) { const char *str; - switch (bool) + switch (boolval) { case -1: str = "BOOL ABSENT"; @@ -574,10 +574,10 @@ static int asn1_primitive_print(BIO *out, ASN1_VALUE **fld, { case V_ASN1_BOOLEAN: { - int bool = *(int *)fld; - if (bool == -1) - bool = it->size; - ret = asn1_print_boolean_ctx(out, bool, pctx); + int boolval = *(int *)fld; + if (boolval == -1) + boolval = it->size; + ret = asn1_print_boolean_ctx(out, boolval, pctx); } break; diff --git a/openssl/crypto/bio/b_sock.c b/openssl/crypto/bio/b_sock.c index d47310d65..41f958be7 100644 --- a/openssl/crypto/bio/b_sock.c +++ b/openssl/crypto/bio/b_sock.c @@ -960,7 +960,6 @@ int BIO_set_tcp_ndelay(int s, int on) #endif return(ret == 0); } -#endif int BIO_socket_nbio(int s, int mode) { @@ -973,3 +972,4 @@ int BIO_socket_nbio(int s, int mode) #endif return(ret == 0); } +#endif diff --git a/openssl/crypto/bio/bio_lib.c b/openssl/crypto/bio/bio_lib.c index e12bc3a2c..9c9646afa 100644 --- a/openssl/crypto/bio/bio_lib.c +++ b/openssl/crypto/bio/bio_lib.c @@ -521,40 +521,40 @@ void BIO_free_all(BIO *bio) BIO *BIO_dup_chain(BIO *in) { - BIO *ret=NULL,*eoc=NULL,*bio,*new; + BIO *ret=NULL,*eoc=NULL,*bio,*new_bio; for (bio=in; bio != NULL; bio=bio->next_bio) { - if ((new=BIO_new(bio->method)) == NULL) goto err; - new->callback=bio->callback; - new->cb_arg=bio->cb_arg; - new->init=bio->init; - new->shutdown=bio->shutdown; - new->flags=bio->flags; + if ((new_bio=BIO_new(bio->method)) == NULL) goto err; + new_bio->callback=bio->callback; + new_bio->cb_arg=bio->cb_arg; + new_bio->init=bio->init; + new_bio->shutdown=bio->shutdown; + new_bio->flags=bio->flags; /* This will let SSL_s_sock() work with stdin/stdout */ - new->num=bio->num; + new_bio->num=bio->num; - if (!BIO_dup_state(bio,(char *)new)) + if (!BIO_dup_state(bio,(char *)new_bio)) { - BIO_free(new); + BIO_free(new_bio); goto err; } /* copy app data */ - if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_BIO, &new->ex_data, + if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_BIO, &new_bio->ex_data, &bio->ex_data)) goto err; if (ret == NULL) { - eoc=new; + eoc=new_bio; ret=eoc; } else { - BIO_push(eoc,new); - eoc=new; + BIO_push(eoc,new_bio); + eoc=new_bio; } } return(ret); diff --git a/openssl/crypto/bn/bn_gf2m.c b/openssl/crypto/bn/bn_gf2m.c index 08ab9fd22..8a4dc20ad 100644 --- a/openssl/crypto/bn/bn_gf2m.c +++ b/openssl/crypto/bn/bn_gf2m.c @@ -628,8 +628,11 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) } if (ubits==vbits) { - bn_correct_top(u); - ubits = BN_num_bits(u); + BN_ULONG ul; + int utop = (ubits-1)/BN_BITS2; + + while ((ul=udp[utop])==0 && utop) utop--; + ubits = utop*BN_BITS2 + BN_num_bits_word(ul); } } bn_correct_top(b); diff --git a/openssl/crypto/buffer/buffer.c b/openssl/crypto/buffer/buffer.c index f4b358bbb..d7aa79ad7 100644 --- a/openssl/crypto/buffer/buffer.c +++ b/openssl/crypto/buffer/buffer.c @@ -60,6 +60,11 @@ #include "cryptlib.h" #include <openssl/buffer.h> +/* LIMIT_BEFORE_EXPANSION is the maximum n such that (n+3)/3*4 < 2**31. That + * function is applied in several functions in this file and this limit ensures + * that the result fits in an int. */ +#define LIMIT_BEFORE_EXPANSION 0x5ffffffc + BUF_MEM *BUF_MEM_new(void) { BUF_MEM *ret; @@ -105,6 +110,12 @@ int BUF_MEM_grow(BUF_MEM *str, size_t len) str->length=len; return(len); } + /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */ + if (len > LIMIT_BEFORE_EXPANSION) + { + BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE); + return 0; + } n=(len+3)/3*4; if (str->data == NULL) ret=OPENSSL_malloc(n); @@ -142,6 +153,12 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len) str->length=len; return(len); } + /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */ + if (len > LIMIT_BEFORE_EXPANSION) + { + BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE); + return 0; + } n=(len+3)/3*4; if (str->data == NULL) ret=OPENSSL_malloc(n); diff --git a/openssl/crypto/cmac/cmac.c b/openssl/crypto/cmac/cmac.c index b58602680..8b72b0968 100644 --- a/openssl/crypto/cmac/cmac.c +++ b/openssl/crypto/cmac/cmac.c @@ -179,6 +179,8 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, return 0; if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv)) return 0; + memset(ctx->tbl, 0, EVP_CIPHER_CTX_block_size(&ctx->cctx)); + ctx->nlast_block = 0; return 1; } /* Initialiase context */ diff --git a/openssl/crypto/cms/cms_enc.c b/openssl/crypto/cms/cms_enc.c index 580083b45..f873ce379 100644 --- a/openssl/crypto/cms/cms_enc.c +++ b/openssl/crypto/cms/cms_enc.c @@ -139,10 +139,10 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); goto err; } + tkeylen = EVP_CIPHER_CTX_key_length(ctx); /* Generate random session key */ if (!enc || !ec->key) { - tkeylen = EVP_CIPHER_CTX_key_length(ctx); tkey = OPENSSL_malloc(tkeylen); if (!tkey) { @@ -174,7 +174,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) /* Only reveal failure if debugging so we don't * leak information which may be useful in MMA. */ - if (ec->debug) + if (enc || ec->debug) { CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, CMS_R_INVALID_KEY_LENGTH); diff --git a/openssl/crypto/evp/Makefile b/openssl/crypto/evp/Makefile index 9c79f66f5..0fe1b96bf 100644 --- a/openssl/crypto/evp/Makefile +++ b/openssl/crypto/evp/Makefile @@ -211,6 +211,7 @@ e_aes_cbc_hmac_sha1.o: ../../include/openssl/safestack.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/sha.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/stack.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h e_aes_cbc_hmac_sha1.c +e_aes_cbc_hmac_sha1.o: evp_locl.h e_bf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h e_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/buffer.h e_bf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h diff --git a/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c b/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c index 278c6caa2..710fb79ba 100644 --- a/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -83,6 +83,8 @@ typedef struct } aux; } EVP_AES_HMAC_SHA1; +#define NO_PAYLOAD_LENGTH ((size_t)-1) + #if defined(AES_ASM) && ( \ defined(__x86_64) || defined(__x86_64__) || \ defined(_M_AMD64) || defined(_M_X64) || \ @@ -124,7 +126,7 @@ static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, key->tail = key->head; key->md = key->head; - key->payload_length = 0; + key->payload_length = NO_PAYLOAD_LENGTH; return ret<0?0:1; } @@ -185,7 +187,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, if (len%AES_BLOCK_SIZE) return 0; if (ctx->encrypt) { - if (plen==0) + if (plen==NO_PAYLOAD_LENGTH) plen = len; else if (len!=((plen+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE)) return 0; @@ -271,7 +273,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } } - key->payload_length = 0; + key->payload_length = NO_PAYLOAD_LENGTH; return 1; } diff --git a/openssl/crypto/evp/e_rc4_hmac_md5.c b/openssl/crypto/evp/e_rc4_hmac_md5.c index eaa7a5312..56563191b 100644 --- a/openssl/crypto/evp/e_rc4_hmac_md5.c +++ b/openssl/crypto/evp/e_rc4_hmac_md5.c @@ -75,6 +75,8 @@ typedef struct size_t payload_length; } EVP_RC4_HMAC_MD5; +#define NO_PAYLOAD_LENGTH ((size_t)-1) + void rc4_md5_enc (RC4_KEY *key, const void *in0, void *out, MD5_CTX *ctx,const void *inp,size_t blocks); @@ -93,7 +95,7 @@ static int rc4_hmac_md5_init_key(EVP_CIPHER_CTX *ctx, key->tail = key->head; key->md = key->head; - key->payload_length = 0; + key->payload_length = NO_PAYLOAD_LENGTH; return 1; } @@ -120,18 +122,20 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, md5_off = MD5_CBLOCK-key->md.num, blocks; unsigned int l; + extern unsigned int OPENSSL_ia32cap_P[]; #endif size_t plen = key->payload_length; - if (plen && len!=(plen+MD5_DIGEST_LENGTH)) return 0; + if (plen!=NO_PAYLOAD_LENGTH && len!=(plen+MD5_DIGEST_LENGTH)) return 0; if (ctx->encrypt) { - if (plen==0) plen = len; + if (plen==NO_PAYLOAD_LENGTH) plen = len; #if defined(STITCHED_CALL) /* cipher has to "fall behind" */ if (rc4_off>md5_off) md5_off+=MD5_CBLOCK; - if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK)) { + if (plen>md5_off && (blocks=(plen-md5_off)/MD5_CBLOCK) && + (OPENSSL_ia32cap_P[0]&(1<<20))==0) { MD5_Update(&key->md,in,md5_off); RC4(&key->ks,rc4_off,in,out); @@ -171,7 +175,8 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, if (md5_off>rc4_off) rc4_off += 2*MD5_CBLOCK; else rc4_off += MD5_CBLOCK; - if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK)) { + if (len>rc4_off && (blocks=(len-rc4_off)/MD5_CBLOCK) && + (OPENSSL_ia32cap_P[0]&(1<<20))==0) { RC4(&key->ks,rc4_off,in,out); MD5_Update(&key->md,out,md5_off); @@ -191,7 +196,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, #endif /* decrypt HMAC at once */ RC4(&key->ks,len-rc4_off,in+rc4_off,out+rc4_off); - if (plen) { /* "TLS" mode of operation */ + if (plen!=NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */ MD5_Update(&key->md,out+md5_off,plen-md5_off); /* calculate HMAC and verify it */ @@ -207,7 +212,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } } - key->payload_length = 0; + key->payload_length = NO_PAYLOAD_LENGTH; return 1; } diff --git a/openssl/crypto/evp/evp_enc.c b/openssl/crypto/evp/evp_enc.c index 691072655..0c54f05e6 100644 --- a/openssl/crypto/evp/evp_enc.c +++ b/openssl/crypto/evp/evp_enc.c @@ -170,8 +170,9 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp #endif #ifdef OPENSSL_FIPS - return FIPS_cipherinit(ctx, cipher, key, iv, enc); -#else + if (FIPS_mode()) + return FIPS_cipherinit(ctx, cipher, key, iv, enc); +#endif ctx->cipher=cipher; if (ctx->cipher->ctx_size) { @@ -196,7 +197,6 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp return 0; } } -#endif } else if(!ctx->cipher) { @@ -207,8 +207,9 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp skip_to_init: #endif #ifdef OPENSSL_FIPS - return FIPS_cipherinit(ctx, cipher, key, iv, enc); -#else + if (FIPS_mode()) + return FIPS_cipherinit(ctx, cipher, key, iv, enc); +#endif /* we assume block size is a power of 2 in *cryptUpdate */ OPENSSL_assert(ctx->cipher->block_size == 1 || ctx->cipher->block_size == 8 @@ -255,7 +256,6 @@ skip_to_init: ctx->final_used=0; ctx->block_mask=ctx->cipher->block_size-1; return 1; -#endif } int EVP_CipherUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl, diff --git a/openssl/crypto/evp/p5_crpt.c b/openssl/crypto/evp/p5_crpt.c index 7d9c1f012..294cc90d8 100644 --- a/openssl/crypto/evp/p5_crpt.c +++ b/openssl/crypto/evp/p5_crpt.c @@ -138,5 +138,6 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); rv = 1; err: + EVP_MD_CTX_cleanup(&ctx); return rv; } diff --git a/openssl/crypto/mem.c b/openssl/crypto/mem.c index 8f736c3b1..21c001138 100644 --- a/openssl/crypto/mem.c +++ b/openssl/crypto/mem.c @@ -363,6 +363,10 @@ void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, if (num <= 0) return NULL; + /* We don't support shrinking the buffer. Note the memcpy that copies + * |old_len| bytes to the new buffer, below. */ + if (num < old_len) return NULL; + if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret=malloc_ex_func(num,file,line); diff --git a/openssl/crypto/modes/asm/ghash-s390x.pl b/openssl/crypto/modes/asm/ghash-s390x.pl index 48cb08d33..6a40d5d89 100644 --- a/openssl/crypto/modes/asm/ghash-s390x.pl +++ b/openssl/crypto/modes/asm/ghash-s390x.pl @@ -138,7 +138,7 @@ $code.=<<___ if(!$softonly); .align 32 .Lsoft_ghash: ___ -$cdoe.=<<___ if ($flavour =~ /3[12]/); +$code.=<<___ if ($flavour =~ /3[12]/); llgfr $len,$len ___ $code.=<<___; diff --git a/openssl/crypto/modes/modes_lcl.h b/openssl/crypto/modes/modes_lcl.h index 7a82a981c..b6dc3c336 100644 --- a/openssl/crypto/modes/modes_lcl.h +++ b/openssl/crypto/modes/modes_lcl.h @@ -45,7 +45,7 @@ typedef unsigned char u8; # define BSWAP4(x) ({ u32 ret=(x); \ asm ("bswapl %0" \ : "+r"(ret)); ret; }) -# elif (defined(__i386) || defined(__i386__)) +# elif (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY) # define BSWAP8(x) ({ u32 lo=(u64)(x)>>32,hi=(x); \ asm ("bswapl %0; bswapl %1" \ : "+r"(hi),"+r"(lo)); \ diff --git a/openssl/crypto/o_fips.c b/openssl/crypto/o_fips.c index 6a8239575..f6d1b2185 100644 --- a/openssl/crypto/o_fips.c +++ b/openssl/crypto/o_fips.c @@ -64,6 +64,7 @@ int FIPS_mode(void) { + OPENSSL_init(); #ifdef OPENSSL_FIPS return FIPS_module_mode(); #else diff --git a/openssl/crypto/opensslv.h b/openssl/crypto/opensslv.h index bf4255607..71be3590a 100644 --- a/openssl/crypto/opensslv.h +++ b/openssl/crypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x1000100fL +#define OPENSSL_VERSION_NUMBER 0x1000103fL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1-fips 14 Mar 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c-fips 10 May 2012" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1 14 Mar 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1c 10 May 2012" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/openssl/crypto/perlasm/x86masm.pl b/openssl/crypto/perlasm/x86masm.pl index 3af045396..96b1b73e1 100644 --- a/openssl/crypto/perlasm/x86masm.pl +++ b/openssl/crypto/perlasm/x86masm.pl @@ -16,7 +16,7 @@ sub ::generic # fix hexadecimal constants for (@arg) { s/(?<![\w\$\.])0x([0-9a-f]+)/0$1h/oi; } - if ($opcode =~ /lea/ && @arg[1] =~ s/.*PTR\s+([^\[]+)$/$1/) # no [] + if ($opcode =~ /lea/ && @arg[1] =~ s/.*PTR\s+(\(.*\))$/OFFSET $1/) # no [] { $opcode="mov"; } elsif ($opcode !~ /movq/) { # fix xmm references diff --git a/openssl/crypto/pkcs7/pk7_doit.c b/openssl/crypto/pkcs7/pk7_doit.c index fae8eda46..77fda3b82 100644 --- a/openssl/crypto/pkcs7/pk7_doit.c +++ b/openssl/crypto/pkcs7/pk7_doit.c @@ -430,6 +430,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) STACK_OF(X509_ALGOR) *md_sk=NULL; STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; PKCS7_RECIP_INFO *ri=NULL; + unsigned char *ek = NULL, *tkey = NULL; + int eklen = 0, tkeylen = 0; i=OBJ_obj2nid(p7->type); p7->state=PKCS7_S_HEADER; @@ -507,8 +509,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) int max; X509_OBJECT ret; #endif - unsigned char *ek = NULL, *tkey = NULL; - int eklen, tkeylen; if ((etmp=BIO_new(BIO_f_cipher())) == NULL) { @@ -609,11 +609,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) { OPENSSL_cleanse(ek,eklen); OPENSSL_free(ek); + ek = NULL; } if (tkey) { OPENSSL_cleanse(tkey,tkeylen); OPENSSL_free(tkey); + tkey = NULL; } if (out == NULL) @@ -656,6 +658,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) if (0) { err: + if (ek) + { + OPENSSL_cleanse(ek,eklen); + OPENSSL_free(ek); + } + if (tkey) + { + OPENSSL_cleanse(tkey,tkeylen); + OPENSSL_free(tkey); + } if (out != NULL) BIO_free_all(out); if (btmp != NULL) BIO_free_all(btmp); if (etmp != NULL) BIO_free_all(etmp); diff --git a/openssl/crypto/ppccpuid.pl b/openssl/crypto/ppccpuid.pl index 067746947..4ba736a1d 100644 --- a/openssl/crypto/ppccpuid.pl +++ b/openssl/crypto/ppccpuid.pl @@ -105,7 +105,7 @@ Ladd: lwarx r5,0,r3 Little: mtctr r4 stb r0,0(r3) addi r3,r3,1 - bdnz- \$-8 + bdnz \$-8 blr Lot: andi. r5,r3,3 beq Laligned @@ -118,7 +118,7 @@ Laligned: mtctr r5 stw r0,0(r3) addi r3,r3,4 - bdnz- \$-8 + bdnz \$-8 andi. r4,r4,3 bne Little blr diff --git a/openssl/crypto/rc4/asm/rc4-s390x.pl b/openssl/crypto/rc4/asm/rc4-s390x.pl index 1aa754820..7528ece13 100644 --- a/openssl/crypto/rc4/asm/rc4-s390x.pl +++ b/openssl/crypto/rc4/asm/rc4-s390x.pl @@ -171,10 +171,10 @@ $ikey="%r7"; $iinp="%r8"; $code.=<<___; -.globl RC4_set_key -.type RC4_set_key,\@function +.globl private_RC4_set_key +.type private_RC4_set_key,\@function .align 64 -RC4_set_key: +private_RC4_set_key: stm${g} %r6,%r8,6*$SIZE_T($sp) lhi $cnt,256 la $idx,0(%r0) @@ -210,7 +210,7 @@ RC4_set_key: .Ldone: lm${g} %r6,%r8,6*$SIZE_T($sp) br $rp -.size RC4_set_key,.-RC4_set_key +.size private_RC4_set_key,.-private_RC4_set_key ___ } diff --git a/openssl/crypto/rsa/Makefile b/openssl/crypto/rsa/Makefile index ec9c74d78..f798d2f74 100644 --- a/openssl/crypto/rsa/Makefile +++ b/openssl/crypto/rsa/Makefile @@ -225,11 +225,12 @@ rsa_pk1.o: ../../include/openssl/symhacks.h ../cryptlib.h rsa_pk1.c rsa_pmeth.o: ../../e_os.h ../../include/openssl/asn1.h rsa_pmeth.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h rsa_pmeth.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h -rsa_pmeth.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h -rsa_pmeth.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h -rsa_pmeth.o: ../../include/openssl/ecdsa.h ../../include/openssl/err.h -rsa_pmeth.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h -rsa_pmeth.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h +rsa_pmeth.o: ../../include/openssl/cms.h ../../include/openssl/crypto.h +rsa_pmeth.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +rsa_pmeth.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h +rsa_pmeth.o: ../../include/openssl/err.h ../../include/openssl/evp.h +rsa_pmeth.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h +rsa_pmeth.o: ../../include/openssl/objects.h rsa_pmeth.o: ../../include/openssl/opensslconf.h rsa_pmeth.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h rsa_pmeth.o: ../../include/openssl/pkcs7.h ../../include/openssl/rsa.h diff --git a/openssl/crypto/ui/ui.h b/openssl/crypto/ui/ui.h index 2b1cfa228..bd78aa413 100644 --- a/openssl/crypto/ui/ui.h +++ b/openssl/crypto/ui/ui.h @@ -316,7 +316,7 @@ int (*UI_method_get_writer(UI_METHOD *method))(UI*,UI_STRING*); int (*UI_method_get_flusher(UI_METHOD *method))(UI*); int (*UI_method_get_reader(UI_METHOD *method))(UI*,UI_STRING*); int (*UI_method_get_closer(UI_METHOD *method))(UI*); -char* (*UI_method_get_prompt_constructor(UI_METHOD *method))(UI*, const char*, const char*); +char * (*UI_method_get_prompt_constructor(UI_METHOD *method))(UI*, const char*, const char*); /* The following functions are helpers for method writers to access relevant data from a UI_STRING. */ diff --git a/openssl/crypto/x509/x509_lu.c b/openssl/crypto/x509/x509_lu.c index 3a6e04a1d..38525a8cd 100644 --- a/openssl/crypto/x509/x509_lu.c +++ b/openssl/crypto/x509/x509_lu.c @@ -87,7 +87,7 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx) if (ctx == NULL) return; if ( (ctx->method != NULL) && (ctx->method->free != NULL)) - ctx->method->free(ctx); + (*ctx->method->free)(ctx); OPENSSL_free(ctx); } diff --git a/openssl/doc/HOWTO/proxy_certificates.txt b/openssl/doc/HOWTO/proxy_certificates.txt index 3d36b02f6..f98ec3607 100644 --- a/openssl/doc/HOWTO/proxy_certificates.txt +++ b/openssl/doc/HOWTO/proxy_certificates.txt @@ -57,7 +57,7 @@ following methods: - in all other cases, proxy certificate validation can be enabled before starting the application by setting the envirnoment variable - OPENSSL_ALLOW_PROXY with some non-empty value. + OPENSSL_ALLOW_PROXY_CERTS with some non-empty value. There are thoughts to allow proxy certificates with a line in the default openssl.cnf, but that's still in the future. diff --git a/openssl/doc/crypto/EVP_DigestInit.pod b/openssl/doc/crypto/EVP_DigestInit.pod index 5b477ac6e..367691cc7 100644 --- a/openssl/doc/crypto/EVP_DigestInit.pod +++ b/openssl/doc/crypto/EVP_DigestInit.pod @@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE, EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type, -EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2, +EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224, EVP_sha256, +EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2, EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines @@ -33,16 +34,15 @@ EVP digest routines int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in); - #define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */ + #define EVP_MAX_MD_SIZE 64 /* SHA512 */ + int EVP_MD_type(const EVP_MD *md); + int EVP_MD_pkey_type(const EVP_MD *md); + int EVP_MD_size(const EVP_MD *md); + int EVP_MD_block_size(const EVP_MD *md); - #define EVP_MD_type(e) ((e)->type) - #define EVP_MD_pkey_type(e) ((e)->pkey_type) - #define EVP_MD_size(e) ((e)->md_size) - #define EVP_MD_block_size(e) ((e)->block_size) - - #define EVP_MD_CTX_md(e) (e)->digest) - #define EVP_MD_CTX_size(e) EVP_MD_size((e)->digest) + const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); + #define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_md(e)) #define EVP_MD_CTX_block_size(e) EVP_MD_block_size((e)->digest) #define EVP_MD_CTX_type(e) EVP_MD_type((e)->digest) @@ -56,6 +56,11 @@ EVP digest routines const EVP_MD *EVP_mdc2(void); const EVP_MD *EVP_ripemd160(void); + const EVP_MD *EVP_sha224(void); + const EVP_MD *EVP_sha256(void); + const EVP_MD *EVP_sha384(void); + const EVP_MD *EVP_sha512(void); + const EVP_MD *EVP_get_digestbyname(const char *name); #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a)) #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a)) @@ -124,12 +129,14 @@ B<EVP_MD_CTX>. EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated with this digest. For example EVP_sha1() is associated with RSA so this will -return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature -algorithms may not be retained in future versions of OpenSSL. +return B<NID_sha1WithRSAEncryption>. Since digests and signature algorithms +are no longer linked this function is only retained for compatibility +reasons. -EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160() -return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest -algorithms respectively. The associated signature algorithm is RSA in each case. +EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(), +EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160() return B<EVP_MD> +structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384, SHA512, MDC2 +and RIPEMD160 digest algorithms respectively. EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest algorithms but using DSS (DSA) for the signature algorithm. Note: there is @@ -171,8 +178,8 @@ The B<EVP> interface to message digests should almost always be used in preference to the low level interfaces. This is because the code then becomes transparent to the digest used and much more flexible. -SHA1 is the digest of choice for new applications. The other digest algorithms -are still in common use. +New applications should use the SHA2 digest algorithms such as SHA256. +The other digest algorithms are still in common use. For most applications the B<impl> parameter to EVP_DigestInit_ex() will be set to NULL to use the default digest implementation. @@ -187,6 +194,19 @@ implementations of digests to be specified. In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use memory leaks will occur. +Stack allocation of EVP_MD_CTX structures is common, for example: + + EVP_MD_CTX mctx; + EVP_MD_CTX_init(&mctx); + +This will cause binary compatibility issues if the size of EVP_MD_CTX +structure changes (this will only happen with a major release of OpenSSL). +Applications wishing to avoid this should use EVP_MD_CTX_create() instead: + + EVP_MD_CTX *mctx; + mctx = EVP_MD_CTX_create(); + + =head1 EXAMPLE This example digests the data "Test Message\n" and "Hello World\n", using the @@ -197,7 +217,7 @@ digest name passed on the command line. main(int argc, char *argv[]) { - EVP_MD_CTX mdctx; + EVP_MD_CTX *mdctx; const EVP_MD *md; char mess1[] = "Test Message\n"; char mess2[] = "Hello World\n"; @@ -218,12 +238,12 @@ digest name passed on the command line. exit(1); } - EVP_MD_CTX_init(&mdctx); - EVP_DigestInit_ex(&mdctx, md, NULL); - EVP_DigestUpdate(&mdctx, mess1, strlen(mess1)); - EVP_DigestUpdate(&mdctx, mess2, strlen(mess2)); - EVP_DigestFinal_ex(&mdctx, md_value, &md_len); - EVP_MD_CTX_cleanup(&mdctx); + mdctx = EVP_MD_CTX_create(); + EVP_DigestInit_ex(mdctx, md, NULL); + EVP_DigestUpdate(mdctx, mess1, strlen(mess1)); + EVP_DigestUpdate(mdctx, mess2, strlen(mess2)); + EVP_DigestFinal_ex(mdctx, md_value, &md_len); + EVP_MD_CTX_destroy(mdctx); printf("Digest is: "); for(i = 0; i < md_len; i++) printf("%02x", md_value[i]); diff --git a/openssl/engines/ccgost/Makefile b/openssl/engines/ccgost/Makefile index dadb5230e..d661c1082 100644 --- a/openssl/engines/ccgost/Makefile +++ b/openssl/engines/ccgost/Makefile @@ -142,13 +142,13 @@ gost94_keyx.o: ../../include/openssl/x509_vfy.h e_gost_err.h gost89.h gost94_keyx.o: gost94_keyx.c gost_keywrap.h gost_lcl.h gosthash.h gost_ameth.o: ../../include/openssl/asn1.h ../../include/openssl/asn1t.h gost_ameth.o: ../../include/openssl/bio.h ../../include/openssl/bn.h -gost_ameth.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h -gost_ameth.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h -gost_ameth.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h -gost_ameth.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h -gost_ameth.o: ../../include/openssl/err.h ../../include/openssl/evp.h -gost_ameth.o: ../../include/openssl/lhash.h ../../include/openssl/obj_mac.h -gost_ameth.o: ../../include/openssl/objects.h +gost_ameth.o: ../../include/openssl/buffer.h ../../include/openssl/cms.h +gost_ameth.o: ../../include/openssl/crypto.h ../../include/openssl/dsa.h +gost_ameth.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h +gost_ameth.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h +gost_ameth.o: ../../include/openssl/engine.h ../../include/openssl/err.h +gost_ameth.o: ../../include/openssl/evp.h ../../include/openssl/lhash.h +gost_ameth.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h gost_ameth.o: ../../include/openssl/opensslconf.h gost_ameth.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h gost_ameth.o: ../../include/openssl/pkcs7.h ../../include/openssl/safestack.h diff --git a/openssl/openssl.spec b/openssl/openssl.spec index 1b7c7c6be..0d86222e4 100644 --- a/openssl/openssl.spec +++ b/openssl/openssl.spec @@ -2,15 +2,15 @@ %define libmaj 1 %define libmin 0 %define librel 1 -#%define librev a +%define librev c Release: 1 %define openssldir /var/ssl Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: %{libmaj}.%{libmin}.%{librel} -#Version: %{libmaj}.%{libmin}.%{librel}%{librev} +#Version: %{libmaj}.%{libmin}.%{librel} +Version: %{libmaj}.%{libmin}.%{librel}%{librev} Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz Copyright: Freely distributable Group: System Environment/Libraries diff --git a/openssl/ssl/bio_ssl.c b/openssl/ssl/bio_ssl.c index eedac8a3f..e9552caee 100644 --- a/openssl/ssl/bio_ssl.c +++ b/openssl/ssl/bio_ssl.c @@ -538,6 +538,7 @@ err: BIO *BIO_new_ssl_connect(SSL_CTX *ctx) { +#ifndef OPENSSL_NO_SOCK BIO *ret=NULL,*con=NULL,*ssl=NULL; if ((con=BIO_new(BIO_s_connect())) == NULL) @@ -549,6 +550,7 @@ BIO *BIO_new_ssl_connect(SSL_CTX *ctx) return(ret); err: if (con != NULL) BIO_free(con); +#endif return(NULL); } diff --git a/openssl/ssl/d1_enc.c b/openssl/ssl/d1_enc.c index becbab91c..07a5e97ce 100644 --- a/openssl/ssl/d1_enc.c +++ b/openssl/ssl/d1_enc.c @@ -260,7 +260,7 @@ int dtls1_enc(SSL *s, int send) } /* TLS 1.0 does not bound the number of padding bytes by the block size. * All of them must have value 'padding_length'. */ - if (i > (int)rec->length) + if (i + bs > (int)rec->length) { /* Incorrect padding. SSLerr() and ssl3_alert are done * by caller: we don't want to reveal whether this is diff --git a/openssl/ssl/d1_lib.c b/openssl/ssl/d1_lib.c index 56f62530e..f61f71818 100644 --- a/openssl/ssl/d1_lib.c +++ b/openssl/ssl/d1_lib.c @@ -412,7 +412,7 @@ int dtls1_check_timeout_num(SSL *s) if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) { /* fail the connection, enough alerts have been sent */ - SSLerr(SSL_F_DTLS1_HANDLE_TIMEOUT,SSL_R_READ_TIMEOUT_EXPIRED); + SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM,SSL_R_READ_TIMEOUT_EXPIRED); return -1; } diff --git a/openssl/ssl/d1_srvr.c b/openssl/ssl/d1_srvr.c index 5822379d1..29421da9a 100644 --- a/openssl/ssl/d1_srvr.c +++ b/openssl/ssl/d1_srvr.c @@ -920,7 +920,7 @@ int dtls1_send_server_hello(SSL *s) p=s->s3->server_random; Time=(unsigned long)time(NULL); /* Time */ l2n(Time,p); - RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); + RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4); /* Do the message type and length last */ d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); diff --git a/openssl/ssl/install-ssl.com b/openssl/ssl/install-ssl.com index 1bd6ccaa7..afe6967f8 100644 --- a/openssl/ssl/install-ssl.com +++ b/openssl/ssl/install-ssl.com @@ -73,7 +73,7 @@ $ if f$parse("wrk_sslxexe:") .eqs. "" then - $ if f$parse("wrk_sslxlib:") .eqs. "" then - create /directory /log wrk_sslxlib: $! -$ exheader := ssl.h, ssl2.h, ssl3.h, ssl23.h, tls1.h, dtls1.h, kssl.h +$ exheader := ssl.h, ssl2.h, ssl3.h, ssl23.h, tls1.h, dtls1.h, kssl.h, srtp.h $ e_exe := ssl_task $ libs := ssl_libssl $! diff --git a/openssl/ssl/s23_clnt.c b/openssl/ssl/s23_clnt.c index b3c48232d..47673e740 100644 --- a/openssl/ssl/s23_clnt.c +++ b/openssl/ssl/s23_clnt.c @@ -282,32 +282,51 @@ static int ssl23_client_hello(SSL *s) SSL_COMP *comp; #endif int ret; + unsigned long mask, options = s->options; - ssl2_compat = (s->options & SSL_OP_NO_SSLv2) ? 0 : 1; + ssl2_compat = (options & SSL_OP_NO_SSLv2) ? 0 : 1; if (ssl2_compat && ssl23_no_ssl2_ciphers(s)) ssl2_compat = 0; - if (!(s->options & SSL_OP_NO_TLSv1_2)) - { - version = TLS1_2_VERSION; - } - else if (!(s->options & SSL_OP_NO_TLSv1_1)) - { + /* + * SSL_OP_NO_X disables all protocols above X *if* there are + * some protocols below X enabled. This is required in order + * to maintain "version capability" vector contiguous. So + * that if application wants to disable TLS1.0 in favour of + * TLS1>=1, it would be insufficient to pass SSL_NO_TLSv1, the + * answer is SSL_OP_NO_TLSv1|SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2. + */ + mask = SSL_OP_NO_TLSv1_1|SSL_OP_NO_TLSv1 +#if !defined(OPENSSL_NO_SSL3) + |SSL_OP_NO_SSLv3 +#endif +#if !defined(OPENSSL_NO_SSL2) + |(ssl2_compat?SSL_OP_NO_SSLv2:0) +#endif + ; +#if !defined(OPENSSL_NO_TLS1_2_CLIENT) + version = TLS1_2_VERSION; + + if ((options & SSL_OP_NO_TLSv1_2) && (options & mask) != mask) version = TLS1_1_VERSION; - } - else if (!(s->options & SSL_OP_NO_TLSv1)) - { +#else + version = TLS1_1_VERSION; +#endif + mask &= ~SSL_OP_NO_TLSv1_1; + if ((options & SSL_OP_NO_TLSv1_1) && (options & mask) != mask) version = TLS1_VERSION; - } - else if (!(s->options & SSL_OP_NO_SSLv3)) - { + mask &= ~SSL_OP_NO_TLSv1; +#if !defined(OPENSSL_NO_SSL3) + if ((options & SSL_OP_NO_TLSv1) && (options & mask) != mask) version = SSL3_VERSION; - } - else if (!(s->options & SSL_OP_NO_SSLv2)) - { + mask &= ~SSL_OP_NO_SSLv3; +#endif +#if !defined(OPENSSL_NO_SSL2) + if ((options & SSL_OP_NO_SSLv3) && (options & mask) != mask) version = SSL2_VERSION; - } +#endif + #ifndef OPENSSL_NO_TLSEXT if (version != SSL2_VERSION) { @@ -467,6 +486,15 @@ static int ssl23_client_hello(SSL *s) SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); return -1; } +#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH + /* Some servers hang if client hello > 256 bytes + * as hack workaround chop number of supported ciphers + * to keep it well below this if we use TLS v1.2 + */ + if (TLS1_get_version(s) >= TLS1_2_VERSION + && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) + i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; +#endif s2n(i,p); p+=i; @@ -521,8 +549,13 @@ static int ssl23_client_hello(SSL *s) d=buf; *(d++) = SSL3_RT_HANDSHAKE; *(d++) = version_major; - *(d++) = version_minor; /* arguably we should send the *lowest* suported version here - * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */ + /* Some servers hang if we use long client hellos + * and a record number > TLS 1.0. + */ + if (TLS1_get_client_version(s) > TLS1_VERSION) + *(d++) = 1; + else + *(d++) = version_minor; s2n((int)l,d); /* number of bytes to write */ diff --git a/openssl/ssl/s3_clnt.c b/openssl/ssl/s3_clnt.c index 4511a914a..b80d052e1 100644 --- a/openssl/ssl/s3_clnt.c +++ b/openssl/ssl/s3_clnt.c @@ -755,6 +755,15 @@ int ssl3_client_hello(SSL *s) SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); goto err; } +#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH + /* Some servers hang if client hello > 256 bytes + * as hack workaround chop number of supported ciphers + * to keep it well below this if we use TLS v1.2 + */ + if (TLS1_get_version(s) >= TLS1_2_VERSION + && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) + i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; +#endif s2n(i,p); p+=i; diff --git a/openssl/ssl/s3_lib.c b/openssl/ssl/s3_lib.c index db75479c3..fb60cde8e 100644 --- a/openssl/ssl/s3_lib.c +++ b/openssl/ssl/s3_lib.c @@ -1081,7 +1081,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aRSA, SSL_eNULL, SSL_SHA256, - SSL_SSLV3, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, @@ -1097,7 +1097,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aRSA, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, @@ -1113,7 +1113,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aRSA, SSL_AES256, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, @@ -1129,7 +1129,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aDH, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, @@ -1145,7 +1145,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aDH, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, @@ -1161,7 +1161,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aDSS, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, @@ -1395,7 +1395,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aRSA, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, @@ -1411,7 +1411,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aDH, SSL_AES256, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, @@ -1427,7 +1427,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aDH, SSL_AES256, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, @@ -1443,7 +1443,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aDSS, SSL_AES256, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, @@ -1459,7 +1459,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aRSA, SSL_AES256, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, @@ -1475,7 +1475,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aNULL, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, @@ -1491,7 +1491,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aNULL, SSL_AES256, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, diff --git a/openssl/ssl/s3_pkt.c b/openssl/ssl/s3_pkt.c index 3c56a8693..adf8c387c 100644 --- a/openssl/ssl/s3_pkt.c +++ b/openssl/ssl/s3_pkt.c @@ -664,10 +664,14 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, if ( (sess == NULL) || (s->enc_write_ctx == NULL) || (EVP_MD_CTX_md(s->write_hash) == NULL)) + { +#if 1 + clear=s->enc_write_ctx?0:1; /* must be AEAD cipher */ +#else clear=1; - - if (clear) +#endif mac_size=0; + } else { mac_size=EVP_MD_CTX_size(s->write_hash); @@ -736,7 +740,14 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, wr->type=type; *(p++)=(s->version>>8); - *(p++)=s->version&0xff; + /* Some servers hang if iniatial client hello is larger than 256 + * bytes and record version number > TLS 1.0 + */ + if (s->state == SSL3_ST_CW_CLNT_HELLO_B + && TLS1_get_version(s) > TLS1_VERSION) + *(p++) = 0x1; + else + *(p++)=s->version&0xff; /* field where we are to write out packet length */ plen=p; diff --git a/openssl/ssl/s3_srvr.c b/openssl/ssl/s3_srvr.c index 5944d8c48..118939fab 100644 --- a/openssl/ssl/s3_srvr.c +++ b/openssl/ssl/s3_srvr.c @@ -2930,7 +2930,7 @@ int ssl3_get_cert_verify(SSL *s) if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { s->s3->tmp.reuse_message=1; - if ((peer != NULL) && (type | EVP_PKT_SIGN)) + if ((peer != NULL) && (type & EVP_PKT_SIGN)) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); diff --git a/openssl/ssl/ssl.h b/openssl/ssl/ssl.h index 525602e4c..8b0c2a2da 100644 --- a/openssl/ssl/ssl.h +++ b/openssl/ssl/ssl.h @@ -556,7 +556,6 @@ struct ssl_session_st #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L -#define SSL_OP_NO_TLSv1_1 0x00000400L /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added * in OpenSSL 0.9.6d. Usually (depending on the application protocol) @@ -604,6 +603,7 @@ struct ssl_session_st #define SSL_OP_NO_SSLv3 0x02000000L #define SSL_OP_NO_TLSv1 0x04000000L #define SSL_OP_NO_TLSv1_2 0x08000000L +#define SSL_OP_NO_TLSv1_1 0x10000000L /* These next two were never actually used for anything since SSLeay * zap so we have some more flags. @@ -2058,6 +2058,7 @@ void ERR_load_SSL_strings(void); #define SSL_F_DTLS1_ACCEPT 246 #define SSL_F_DTLS1_ADD_CERT_TO_BUF 295 #define SSL_F_DTLS1_BUFFER_RECORD 247 +#define SSL_F_DTLS1_CHECK_TIMEOUT_NUM 316 #define SSL_F_DTLS1_CLIENT_HELLO 248 #define SSL_F_DTLS1_CONNECT 249 #define SSL_F_DTLS1_ENC 250 diff --git a/openssl/ssl/ssl_ciph.c b/openssl/ssl/ssl_ciph.c index ac643c928..92d1e94d6 100644 --- a/openssl/ssl/ssl_ciph.c +++ b/openssl/ssl/ssl_ciph.c @@ -616,18 +616,24 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, { const EVP_CIPHER *evp; - if (s->ssl_version >= TLS1_VERSION && - c->algorithm_enc == SSL_RC4 && + if (s->ssl_version>>8 != TLS1_VERSION_MAJOR || + s->ssl_version < TLS1_VERSION) + return 1; + +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + return 1; +#endif + + if (c->algorithm_enc == SSL_RC4 && c->algorithm_mac == SSL_MD5 && (evp=EVP_get_cipherbyname("RC4-HMAC-MD5"))) *enc = evp, *md = NULL; - else if (s->ssl_version >= TLS1_VERSION && - c->algorithm_enc == SSL_AES128 && + else if (c->algorithm_enc == SSL_AES128 && c->algorithm_mac == SSL_SHA1 && (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1"))) *enc = evp, *md = NULL; - else if (s->ssl_version >= TLS1_VERSION && - c->algorithm_enc == SSL_AES256 && + else if (c->algorithm_enc == SSL_AES256 && c->algorithm_mac == SSL_SHA1 && (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1"))) *enc = evp, *md = NULL; diff --git a/openssl/ssl/ssl_err.c b/openssl/ssl/ssl_err.c index ccb93d268..2577c6895 100644 --- a/openssl/ssl/ssl_err.c +++ b/openssl/ssl/ssl_err.c @@ -80,6 +80,7 @@ static ERR_STRING_DATA SSL_str_functs[]= {ERR_FUNC(SSL_F_DTLS1_ACCEPT), "DTLS1_ACCEPT"}, {ERR_FUNC(SSL_F_DTLS1_ADD_CERT_TO_BUF), "DTLS1_ADD_CERT_TO_BUF"}, {ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD), "DTLS1_BUFFER_RECORD"}, +{ERR_FUNC(SSL_F_DTLS1_CHECK_TIMEOUT_NUM), "DTLS1_CHECK_TIMEOUT_NUM"}, {ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO), "DTLS1_CLIENT_HELLO"}, {ERR_FUNC(SSL_F_DTLS1_CONNECT), "DTLS1_CONNECT"}, {ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"}, diff --git a/openssl/ssl/t1_enc.c b/openssl/ssl/t1_enc.c index 201ca9ad6..f7bdeb3b9 100644 --- a/openssl/ssl/t1_enc.c +++ b/openssl/ssl/t1_enc.c @@ -889,6 +889,8 @@ int tls1_enc(SSL *s, int send) if (s->version >= TLS1_1_VERSION && EVP_CIPHER_CTX_mode(ds) == EVP_CIPH_CBC_MODE) { + if (bs > (int)rec->length) + return -1; rec->data += bs; /* skip the explicit IV */ rec->input += bs; rec->length -= bs; diff --git a/openssl/ssl/t1_lib.c b/openssl/ssl/t1_lib.c index 57d1107e4..27c8e3460 100644 --- a/openssl/ssl/t1_lib.c +++ b/openssl/ssl/t1_lib.c @@ -544,7 +544,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha } skip_ext: - if (TLS1_get_version(s) >= TLS1_2_VERSION) + if (TLS1_get_client_version(s) >= TLS1_2_VERSION) { if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6) return NULL; diff --git a/openssl/util/cygwin.sh b/openssl/util/cygwin.sh index d6228521e..cfdb04d2a 100644 --- a/openssl/util/cygwin.sh +++ b/openssl/util/cygwin.sh @@ -11,6 +11,7 @@ CONFIG_OPTIONS="--prefix=/usr shared zlib no-idea no-rc5" INSTALL_PREFIX=/tmp/install/INSTALL VERSION= +SHLIB_VERSION_NUMBER= SUBVERSION=$1 function cleanup() @@ -28,6 +29,13 @@ function get_openssl_version() echo " Check value of variable VERSION in Makefile." exit 1 fi + eval `grep '^SHLIB_VERSION_NUMBER=' Makefile` + if [ -z "${SHLIB_VERSION_NUMBER}" ] + then + echo "Error: Couldn't retrieve OpenSSL shared lib version from Makefile." + echo " Check value of variable SHLIB_VERSION_NUMBER in Makefile." + exit 1 + fi } function base_install() @@ -124,7 +132,7 @@ strip usr/bin/*.exe usr/bin/*.dll usr/lib/engines/*.so chmod u-w usr/lib/engines/*.so # Runtime package -tar cjf libopenssl${VERSION//[!0-9]/}-${VERSION}-${SUBVERSION}.tar.bz2 \ +tar cjf libopenssl${SHLIB_VERSION_NUMBER//[!0-9]/}-${VERSION}-${SUBVERSION}.tar.bz2 \ usr/bin/cyg*dll # Base package find etc usr/bin/openssl.exe usr/bin/c_rehash usr/lib/engines usr/share/doc \ @@ -139,7 +147,7 @@ tar cjfT openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2 - ls -l openssl-${VERSION}-${SUBVERSION}.tar.bz2 ls -l openssl-devel-${VERSION}-${SUBVERSION}.tar.bz2 -ls -l libopenssl${VERSION//[!0-9]/}-${VERSION}-${SUBVERSION}.tar.bz2 +ls -l libopenssl${SHLIB_VERSION_NUMBER//[!0-9]/}-${VERSION}-${SUBVERSION}.tar.bz2 cleanup |