diff options
| author | Jung-uk Kim <jkim@FreeBSD.org> | 2015-01-08 22:50:44 +0000 |
|---|---|---|
| committer | Jung-uk Kim <jkim@FreeBSD.org> | 2015-01-08 22:50:44 +0000 |
| commit | 1b54c06563a2a52b2b26a116ab243c40bf4d0c9f (patch) | |
| tree | e1295f92dee4cb6b09a209711754a49e3c0b90b1 | |
| parent | f62b4332f57a140c7a64082fb139c06b1a71584c (diff) | |
Notes
45 files changed, 702 insertions, 462 deletions
@@ -2,6 +2,87 @@ OpenSSL CHANGES _______________ + Changes between 0.9.8zc and 0.9.8zd [8 Jan 2015] + + *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS + message can cause a segmentation fault in OpenSSL due to a NULL pointer + dereference. This could lead to a Denial Of Service attack. Thanks to + Markus Stenberg of Cisco Systems, Inc. for reporting this issue. + (CVE-2014-3571) + [Steve Henson] + + *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is + built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl + method would be set to NULL which could later result in a NULL pointer + dereference. Thanks to Frank Schmirler for reporting this issue. + (CVE-2014-3569) + [Kurt Roeckx] + + *) Abort handshake if server key exchange message is omitted for ephemeral + ECDH ciphersuites. + + Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for + reporting this issue. + (CVE-2014-3572) + [Steve Henson] + + *) Remove non-export ephemeral RSA code on client and server. This code + violated the TLS standard by allowing the use of temporary RSA keys in + non-export ciphersuites and could be used by a server to effectively + downgrade the RSA key length used to a value smaller than the server + certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at + INRIA or reporting this issue. + (CVE-2015-0204) + [Steve Henson] + + *) Fix various certificate fingerprint issues. + + By using non-DER or invalid encodings outside the signed portion of a + certificate the fingerprint can be changed without breaking the signature. + Although no details of the signed portion of the certificate can be changed + this can cause problems with some applications: e.g. those using the + certificate fingerprint for blacklists. + + 1. Reject signatures with non zero unused bits. + + If the BIT STRING containing the signature has non zero unused bits reject + the signature. All current signature algorithms require zero unused bits. + + 2. Check certificate algorithm consistency. + + Check the AlgorithmIdentifier inside TBS matches the one in the + certificate signature. NB: this will result in signature failure + errors for some broken certificates. + + Thanks to Konrad Kraszewski from Google for reporting this issue. + + 3. Check DSA/ECDSA signatures use DER. + + Reencode DSA/ECDSA signatures and compare with the original received + signature. Return an error if there is a mismatch. + + This will reject various cases including garbage after signature + (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS + program for discovering this case) and use of BER or invalid ASN.1 INTEGERs + (negative or with leading zeroes). + + Further analysis was conducted and fixes were developed by Stephen Henson + of the OpenSSL core team. + + (CVE-2014-8275) + [Steve Henson] + + *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect + results on some platforms, including x86_64. This bug occurs at random + with a very low probability, and is not known to be exploitable in any + way, though its exact impact is difficult to determine. Thanks to Pieter + Wuille (Blockstream) who reported this issue and also suggested an initial + fix. Further analysis was conducted by the OpenSSL development team and + Adam Langley of Google. The final fix was developed by Andy Polyakov of + the OpenSSL core team. + (CVE-2014-3570) + [Andy Polyakov] + Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014] *) Session Ticket Memory Leak. diff --git a/FREEBSD-upgrade b/FREEBSD-upgrade index 19041175920e..7d01bfa3359f 100644 --- a/FREEBSD-upgrade +++ b/FREEBSD-upgrade @@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/VendorImports # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://svn.freebsd.org/base" -setenv OSSLVER 0.9.8zc -# OSSLTAG format: v0_9_8zc +setenv OSSLVER 0.9.8zd +# OSSLTAG format: v0_9_8zd ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=0.9.8zc +VERSION=0.9.8zd MAJOR=0 MINOR=9.8 SHLIB_VERSION_NUMBER=0.9.8 @@ -5,6 +5,15 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.8zc and OpenSSL 0.9.8zd [8 Jan 2015] + + o Fix for CVE-2014-3571 + o Fix for CVE-2014-3569 + o Fix for CVE-2014-3572 + o Fix for CVE-2015-0204 + o Fix for CVE-2014-8275 + o Fix for CVE-2014-3570 + Major changes between OpenSSL 0.9.8zb and OpenSSL 0.9.8zc [15 Oct 2014]: o Fix for CVE-2014-3513 @@ -1,5 +1,5 @@ - OpenSSL 0.9.8zc 15 Oct 2014 + OpenSSL 0.9.8zd 8 Jan 2015 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/Makefile b/crypto/Makefile index c1eb620672f2..6eb8f9101d85 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -41,7 +41,8 @@ SRC= $(LIBSRC) EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h symhacks.h \ ossl_typ.h -HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER) +HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h \ + constant_time_locl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index 0fb9ce0c2aea..665fc09a1dc5 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, p= *pp; i= *(p++); + if (i > 7) + { + i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT; + goto err; + } /* We do this to preserve the settings. If we modify * the settings, via the _set_bit function, we will recalculate * on output */ ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */ - ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */ + ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */ if (len-- > 1) /* using one because of the bits left byte */ { diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c index 36beceacdb07..b7a95ad2197c 100644 --- a/crypto/asn1/a_type.c +++ b/crypto/asn1/a_type.c @@ -108,3 +108,49 @@ int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value) IMPLEMENT_STACK_OF(ASN1_TYPE) IMPLEMENT_ASN1_SET_OF(ASN1_TYPE) + +/* Returns 0 if they are equal, != 0 otherwise. */ +int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b) + { + int result = -1; + + if (!a || !b || a->type != b->type) return -1; + + switch (a->type) + { + case V_ASN1_OBJECT: + result = OBJ_cmp(a->value.object, b->value.object); + break; + case V_ASN1_NULL: + result = 0; /* They do not have content. */ + break; + case V_ASN1_INTEGER: + case V_ASN1_NEG_INTEGER: + case V_ASN1_ENUMERATED: + case V_ASN1_NEG_ENUMERATED: + case V_ASN1_BIT_STRING: + case V_ASN1_OCTET_STRING: + case V_ASN1_SEQUENCE: + case V_ASN1_SET: + case V_ASN1_NUMERICSTRING: + case V_ASN1_PRINTABLESTRING: + case V_ASN1_T61STRING: + case V_ASN1_VIDEOTEXSTRING: + case V_ASN1_IA5STRING: + case V_ASN1_UTCTIME: + case V_ASN1_GENERALIZEDTIME: + case V_ASN1_GRAPHICSTRING: + case V_ASN1_VISIBLESTRING: + case V_ASN1_GENERALSTRING: + case V_ASN1_UNIVERSALSTRING: + case V_ASN1_BMPSTRING: + case V_ASN1_UTF8STRING: + case V_ASN1_OTHER: + default: + result = ASN1_STRING_cmp((ASN1_STRING *) a->value.ptr, + (ASN1_STRING *) b->value.ptr); + break; + } + + return result; + } diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c index 7ded69b170f6..a04aa8b339f8 100644 --- a/crypto/asn1/a_verify.c +++ b/crypto/asn1/a_verify.c @@ -89,6 +89,12 @@ int ASN1_verify(i2d_of_void *i2d, X509_ALGOR *a, ASN1_BIT_STRING *signature, ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM); goto err; } + + if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7) + { + ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT); + goto err; + } inl=i2d(data,NULL); buf_in=OPENSSL_malloc((unsigned int)inl); @@ -144,6 +150,12 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat return -1; } + if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7) + { + ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT); + return -1; + } + EVP_MD_CTX_init(&ctx); i=OBJ_obj2nid(a->algorithm); type=EVP_get_digestbyname(OBJ_nid2sn(i)); diff --git a/crypto/asn1/asn1.h b/crypto/asn1/asn1.h index d9d5443a33ca..bd7af2d5099c 100644 --- a/crypto/asn1/asn1.h +++ b/crypto/asn1/asn1.h @@ -769,6 +769,7 @@ DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE, ASN1_ANY, ASN1_TYPE) int ASN1_TYPE_get(ASN1_TYPE *a); void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value); int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value); +int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b); ASN1_OBJECT * ASN1_OBJECT_new(void ); void ASN1_OBJECT_free(ASN1_OBJECT *a); @@ -1260,6 +1261,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_ILLEGAL_TIME_VALUE 184 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT 185 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 128 +#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 220 #define ASN1_R_INVALID_BMPSTRING_LENGTH 129 #define ASN1_R_INVALID_DIGIT 130 #define ASN1_R_INVALID_MIME_TYPE 200 @@ -1308,6 +1310,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_TIME_NOT_ASCII_FORMAT 193 #define ASN1_R_TOO_LONG 155 #define ASN1_R_TYPE_NOT_CONSTRUCTED 156 +#define ASN1_R_TYPE_NOT_PRIMITIVE 218 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index ba88eb318be3..92b4f8f100bb 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -1,6 +1,6 @@ /* crypto/asn1/asn1_err.c */ /* ==================================================================== - * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -235,6 +235,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE) ,"illegal time value"}, {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"}, {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"}, +{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"}, {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"}, {ERR_REASON(ASN1_R_INVALID_DIGIT) ,"invalid digit"}, {ERR_REASON(ASN1_R_INVALID_MIME_TYPE) ,"invalid mime type"}, @@ -283,6 +284,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT),"time not ascii format"}, {ERR_REASON(ASN1_R_TOO_LONG) ,"too long"}, {ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"}, +{ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE) ,"type not primitive"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index a228c0d6cd16..b81d151e5fd8 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -866,6 +866,14 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, } else if (cst) { + if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN + || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER + || utype == V_ASN1_ENUMERATED) + { + ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, + ASN1_R_TYPE_NOT_PRIMITIVE); + return 0; + } buf.length = 0; buf.max = 0; buf.data = NULL; diff --git a/crypto/asn1/x_algor.c b/crypto/asn1/x_algor.c index 99e53429b797..acc41bacca6e 100644 --- a/crypto/asn1/x_algor.c +++ b/crypto/asn1/x_algor.c @@ -128,3 +128,13 @@ void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval, } } +int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b) + { + int rv; + rv = OBJ_cmp(a->algorithm, b->algorithm); + if (rv) + return rv; + if (!a->parameter && !b->parameter) + return 0; + return ASN1_TYPE_cmp(a->parameter, b->parameter); + } diff --git a/crypto/bn/asm/mips3.s b/crypto/bn/asm/mips3.s index dca4105c7db1..8ced51b0ad51 100644 --- a/crypto/bn/asm/mips3.s +++ b/crypto/bn/asm/mips3.s @@ -1584,17 +1584,17 @@ LEAF(bn_sqr_comba8) dmultu a_2,a_0 /* mul_add_c2(a[2],b[0],c3,c1,c2); */ mflo t_1 mfhi t_2 - slt c_2,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 - daddu t_2,AT + daddu c_3,t_1 + daddu AT,t_2 + sltu t_1,c_3,t_1 + daddu c_1,AT + daddu t_2,t_1 + sltu c_2,c_1,AT daddu c_1,t_2 - sltu AT,c_1,t_2 - daddu c_2,AT + sltu t_2,c_1,t_2 + daddu c_2,t_2 dmultu a_1,a_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */ mflo t_1 mfhi t_2 @@ -1609,63 +1609,63 @@ LEAF(bn_sqr_comba8) dmultu a_0,a_3 /* mul_add_c2(a[0],b[3],c1,c2,c3); */ mflo t_1 mfhi t_2 - slt c_3,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 - daddu t_2,AT + daddu c_1,t_1 + daddu AT,t_2 + sltu t_1,c_1,t_1 + daddu c_2,AT + daddu t_2,t_1 + sltu c_3,c_2,AT daddu c_2,t_2 - sltu AT,c_2,t_2 - daddu c_3,AT + sltu t_2,c_2,t_2 + daddu c_3,t_2 dmultu a_1,a_2 /* mul_add_c2(a[1],b[2],c1,c2,c3); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_3,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 - daddu t_2,AT + daddu c_1,t_1 + daddu AT,t_2 + sltu t_1,c_1,t_1 + daddu c_2,AT + daddu t_2,t_1 + sltu AT,c_2,AT daddu c_2,t_2 - sltu AT,c_2,t_2 daddu c_3,AT + sltu t_2,c_2,t_2 + daddu c_3,t_2 sd c_1,24(a0) dmultu a_4,a_0 /* mul_add_c2(a[4],b[0],c2,c3,c1); */ mflo t_1 mfhi t_2 - slt c_1,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 - daddu t_2,AT + daddu c_2,t_1 + daddu AT,t_2 + sltu t_1,c_2,t_1 + daddu c_3,AT + daddu t_2,t_1 + sltu c_1,c_3,AT daddu c_3,t_2 - sltu AT,c_3,t_2 - daddu c_1,AT + sltu t_2,c_3,t_2 + daddu c_1,t_2 dmultu a_3,a_1 /* mul_add_c2(a[3],b[1],c2,c3,c1); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_1,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 - daddu t_2,AT + daddu c_2,t_1 + daddu AT,t_2 + sltu t_1,c_2,t_1 + daddu c_3,AT + daddu t_2,t_1 + sltu AT,c_3,AT daddu c_3,t_2 - sltu AT,c_3,t_2 daddu c_1,AT + sltu t_2,c_3,t_2 + daddu c_1,t_2 dmultu a_2,a_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -1680,93 +1680,93 @@ LEAF(bn_sqr_comba8) dmultu a_0,a_5 /* mul_add_c2(a[0],b[5],c3,c1,c2); */ mflo t_1 mfhi t_2 - slt c_2,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 - daddu t_2,AT + daddu c_3,t_1 + daddu AT,t_2 + sltu t_1,c_3,t_1 + daddu c_1,AT + daddu t_2,t_1 + sltu c_2,c_1,AT daddu c_1,t_2 - sltu AT,c_1,t_2 - daddu c_2,AT + sltu t_2,c_1,t_2 + daddu c_2,t_2 dmultu a_1,a_4 /* mul_add_c2(a[1],b[4],c3,c1,c2); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_2,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 - daddu t_2,AT + daddu c_3,t_1 + daddu AT,t_2 + sltu t_1,c_3,t_1 + daddu c_1,AT + daddu t_2,t_1 + sltu AT,c_1,AT daddu c_1,t_2 - sltu AT,c_1,t_2 daddu c_2,AT + sltu t_2,c_1,t_2 + daddu c_2,t_2 dmultu a_2,a_3 /* mul_add_c2(a[2],b[3],c3,c1,c2); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_2,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 - daddu t_2,AT + daddu c_3,t_1 + daddu AT,t_2 + sltu t_1,c_3,t_1 + daddu c_1,AT + daddu t_2,t_1 + sltu AT,c_1,AT daddu c_1,t_2 - sltu AT,c_1,t_2 daddu c_2,AT + sltu t_2,c_1,t_2 + daddu c_2,t_2 sd c_3,40(a0) dmultu a_6,a_0 /* mul_add_c2(a[6],b[0],c1,c2,c3); */ mflo t_1 mfhi t_2 - slt c_3,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 - daddu t_2,AT + daddu c_1,t_1 + daddu AT,t_2 + sltu t_1,c_1,t_1 + daddu c_2,AT + daddu t_2,t_1 + sltu c_3,c_2,AT daddu c_2,t_2 - sltu AT,c_2,t_2 - daddu c_3,AT + sltu t_2,c_2,t_2 + daddu c_3,t_2 dmultu a_5,a_1 /* mul_add_c2(a[5],b[1],c1,c2,c3); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_3,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 - daddu t_2,AT + daddu c_1,t_1 + daddu AT,t_2 + sltu t_1,c_1,t_1 + daddu c_2,AT + daddu t_2,t_1 + sltu AT,c_2,AT daddu c_2,t_2 - sltu AT,c_2,t_2 daddu c_3,AT + sltu t_2,c_2,t_2 + daddu c_3,t_2 dmultu a_4,a_2 /* mul_add_c2(a[4],b[2],c1,c2,c3); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_3,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 - daddu t_2,AT + daddu c_1,t_1 + daddu AT,t_2 + sltu t_1,c_1,t_1 + daddu c_2,AT + daddu t_2,t_1 + sltu AT,c_2,AT daddu c_2,t_2 - sltu AT,c_2,t_2 daddu c_3,AT + sltu t_2,c_2,t_2 + daddu c_3,t_2 dmultu a_3,a_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -1781,108 +1781,108 @@ LEAF(bn_sqr_comba8) dmultu a_0,a_7 /* mul_add_c2(a[0],b[7],c2,c3,c1); */ mflo t_1 mfhi t_2 - slt c_1,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 - daddu t_2,AT + daddu c_2,t_1 + daddu AT,t_2 + sltu t_1,c_2,t_1 + daddu c_3,AT + daddu t_2,t_1 + sltu c_1,c_3,AT daddu c_3,t_2 - sltu AT,c_3,t_2 - daddu c_1,AT + sltu t_2,c_3,t_2 + daddu c_1,t_2 dmultu a_1,a_6 /* mul_add_c2(a[1],b[6],c2,c3,c1); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_1,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 - daddu t_2,AT + daddu c_2,t_1 + daddu AT,t_2 + sltu t_1,c_2,t_1 + daddu c_3,AT + daddu t_2,t_1 + sltu AT,c_3,AT daddu c_3,t_2 - sltu AT,c_3,t_2 daddu c_1,AT + sltu t_2,c_3,t_2 + daddu c_1,t_2 dmultu a_2,a_5 /* mul_add_c2(a[2],b[5],c2,c3,c1); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_1,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 - daddu t_2,AT + daddu c_2,t_1 + daddu AT,t_2 + sltu t_1,c_2,t_1 + daddu c_3,AT + daddu t_2,t_1 + sltu AT,c_3,AT daddu c_3,t_2 - sltu AT,c_3,t_2 daddu c_1,AT + sltu t_2,c_3,t_2 + daddu c_1,t_2 dmultu a_3,a_4 /* mul_add_c2(a[3],b[4],c2,c3,c1); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_1,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 - daddu t_2,AT + daddu c_2,t_1 + daddu AT,t_2 + sltu t_1,c_2,t_1 + daddu c_3,AT + daddu t_2,t_1 + sltu AT,c_3,AT daddu c_3,t_2 - sltu AT,c_3,t_2 daddu c_1,AT + sltu t_2,c_3,t_2 + daddu c_1,t_2 sd c_2,56(a0) dmultu a_7,a_1 /* mul_add_c2(a[7],b[1],c3,c1,c2); */ mflo t_1 mfhi t_2 - slt c_2,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 - daddu t_2,AT + daddu c_3,t_1 + daddu AT,t_2 + sltu t_1,c_3,t_1 + daddu c_1,AT + daddu t_2,t_1 + sltu c_2,c_1,AT daddu c_1,t_2 - sltu AT,c_1,t_2 - daddu c_2,AT + sltu t_2,c_1,t_2 + daddu c_2,t_2 dmultu a_6,a_2 /* mul_add_c2(a[6],b[2],c3,c1,c2); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_2,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 - daddu t_2,AT + daddu c_3,t_1 + daddu AT,t_2 + sltu t_1,c_3,t_1 + daddu c_1,AT + daddu t_2,t_1 + sltu AT,c_1,AT daddu c_1,t_2 - sltu AT,c_1,t_2 daddu c_2,AT + sltu t_2,c_1,t_2 + daddu c_2,t_2 dmultu a_5,a_3 /* mul_add_c2(a[5],b[3],c3,c1,c2); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_2,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 - daddu t_2,AT + daddu c_3,t_1 + daddu AT,t_2 + sltu t_1,c_3,t_1 + daddu c_1,AT + daddu t_2,t_1 + sltu AT,c_1,AT daddu c_1,t_2 - sltu AT,c_1,t_2 daddu c_2,AT + sltu t_2,c_1,t_2 + daddu c_2,t_2 dmultu a_4,a_4 /* mul_add_c(a[4],b[4],c3,c1,c2); */ mflo t_1 mfhi t_2 @@ -1897,78 +1897,78 @@ LEAF(bn_sqr_comba8) dmultu a_2,a_7 /* mul_add_c2(a[2],b[7],c1,c2,c3); */ mflo t_1 mfhi t_2 - slt c_3,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 - daddu t_2,AT + daddu c_1,t_1 + daddu AT,t_2 + sltu t_1,c_1,t_1 + daddu c_2,AT + daddu t_2,t_1 + sltu c_3,c_2,AT daddu c_2,t_2 - sltu AT,c_2,t_2 - daddu c_3,AT + sltu t_2,c_2,t_2 + daddu c_3,t_2 dmultu a_3,a_6 /* mul_add_c2(a[3],b[6],c1,c2,c3); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_3,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 - daddu t_2,AT + daddu c_1,t_1 + daddu AT,t_2 + sltu t_1,c_1,t_1 + daddu c_2,AT + daddu t_2,t_1 + sltu AT,c_2,AT daddu c_2,t_2 - sltu AT,c_2,t_2 daddu c_3,AT + sltu t_2,c_2,t_2 + daddu c_3,t_2 dmultu a_4,a_5 /* mul_add_c2(a[4],b[5],c1,c2,c3); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_3,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 - daddu t_2,AT + daddu c_1,t_1 + daddu AT,t_2 + sltu t_1,c_1,t_1 + daddu c_2,AT + daddu t_2,t_1 + sltu AT,c_2,AT daddu c_2,t_2 - sltu AT,c_2,t_2 daddu c_3,AT + sltu t_2,c_2,t_2 + daddu c_3,t_2 sd c_1,72(a0) dmultu a_7,a_3 /* mul_add_c2(a[7],b[3],c2,c3,c1); */ mflo t_1 mfhi t_2 - slt c_1,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 - daddu t_2,AT + daddu c_2,t_1 + daddu AT,t_2 + sltu t_1,c_2,t_1 + daddu c_3,AT + daddu t_2,t_1 + sltu c_1,c_3,AT daddu c_3,t_2 - sltu AT,c_3,t_2 - daddu c_1,AT + sltu t_2,c_3,t_2 + daddu c_1,t_2 dmultu a_6,a_4 /* mul_add_c2(a[6],b[4],c2,c3,c1); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_1,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 - daddu t_2,AT + daddu c_2,t_1 + daddu AT,t_2 + sltu t_1,c_2,t_1 + daddu c_3,AT + daddu t_2,t_1 + sltu AT,c_3,AT daddu c_3,t_2 - sltu AT,c_3,t_2 daddu c_1,AT + sltu t_2,c_3,t_2 + daddu c_1,t_2 dmultu a_5,a_5 /* mul_add_c(a[5],b[5],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -1983,48 +1983,48 @@ LEAF(bn_sqr_comba8) dmultu a_4,a_7 /* mul_add_c2(a[4],b[7],c3,c1,c2); */ mflo t_1 mfhi t_2 - slt c_2,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 - daddu t_2,AT + daddu c_3,t_1 + daddu AT,t_2 + sltu t_1,c_3,t_1 + daddu c_1,AT + daddu t_2,t_1 + sltu c_2,c_1,AT daddu c_1,t_2 - sltu AT,c_1,t_2 - daddu c_2,AT + sltu t_2,c_1,t_2 + daddu c_2,t_2 dmultu a_5,a_6 /* mul_add_c2(a[5],b[6],c3,c1,c2); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_2,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 - daddu t_2,AT + daddu c_3,t_1 + daddu AT,t_2 + sltu t_1,c_3,t_1 + daddu c_1,AT + daddu t_2,t_1 + sltu AT,c_1,AT daddu c_1,t_2 - sltu AT,c_1,t_2 daddu c_2,AT + sltu t_2,c_1,t_2 + daddu c_2,t_2 sd c_3,88(a0) dmultu a_7,a_5 /* mul_add_c2(a[7],b[5],c1,c2,c3); */ mflo t_1 mfhi t_2 - slt c_3,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 - daddu t_2,AT + daddu c_1,t_1 + daddu AT,t_2 + sltu t_1,c_1,t_1 + daddu c_2,AT + daddu t_2,t_1 + sltu c_3,c_2,AT daddu c_2,t_2 - sltu AT,c_2,t_2 - daddu c_3,AT + sltu t_2,c_2,t_2 + daddu c_3,t_2 dmultu a_6,a_6 /* mul_add_c(a[6],b[6],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -2039,17 +2039,17 @@ LEAF(bn_sqr_comba8) dmultu a_6,a_7 /* mul_add_c2(a[6],b[7],c2,c3,c1); */ mflo t_1 mfhi t_2 - slt c_1,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 - daddu t_2,AT + daddu c_2,t_1 + daddu AT,t_2 + sltu t_1,c_2,t_1 + daddu c_3,AT + daddu t_2,t_1 + sltu c_1,c_3,AT daddu c_3,t_2 - sltu AT,c_3,t_2 - daddu c_1,AT + sltu t_2,c_3,t_2 + daddu c_1,t_2 sd c_2,104(a0) dmultu a_7,a_7 /* mul_add_c(a[7],b[7],c3,c1,c2); */ @@ -2070,9 +2070,9 @@ LEAF(bn_sqr_comba4) .set reorder ld a_0,0(a1) ld a_1,8(a1) + dmultu a_0,a_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */ ld a_2,16(a1) ld a_3,24(a1) - dmultu a_0,a_0 /* mul_add_c(a[0],b[0],c1,c2,c3); */ mflo c_1 mfhi c_2 sd c_1,0(a0) @@ -2093,17 +2093,17 @@ LEAF(bn_sqr_comba4) dmultu a_2,a_0 /* mul_add_c2(a[2],b[0],c3,c1,c2); */ mflo t_1 mfhi t_2 - slt c_2,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 - daddu t_2,AT + daddu c_3,t_1 + daddu AT,t_2 + sltu t_1,c_3,t_1 + daddu c_1,AT + daddu t_2,t_1 + sltu c_2,c_1,AT daddu c_1,t_2 - sltu AT,c_1,t_2 - daddu c_2,AT + sltu t_2,c_1,t_2 + daddu c_2,t_2 dmultu a_1,a_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */ mflo t_1 mfhi t_2 @@ -2118,48 +2118,48 @@ LEAF(bn_sqr_comba4) dmultu a_0,a_3 /* mul_add_c2(a[0],b[3],c1,c2,c3); */ mflo t_1 mfhi t_2 - slt c_3,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 - daddu t_2,AT + daddu c_1,t_1 + daddu AT,t_2 + sltu t_1,c_1,t_1 + daddu c_2,AT + daddu t_2,t_1 + sltu c_3,c_2,AT daddu c_2,t_2 - sltu AT,c_2,t_2 - daddu c_3,AT + sltu t_2,c_2,t_2 + daddu c_3,t_2 dmultu a_1,a_2 /* mul_add_c(a2[1],b[2],c1,c2,c3); */ mflo t_1 mfhi t_2 - slt AT,t_2,zero - daddu c_3,AT - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 - daddu t_2,AT + daddu c_1,t_1 + daddu AT,t_2 + sltu t_1,c_1,t_1 + daddu c_2,AT + daddu t_2,t_1 + sltu AT,c_2,AT daddu c_2,t_2 - sltu AT,c_2,t_2 daddu c_3,AT + sltu t_2,c_2,t_2 + daddu c_3,t_2 sd c_1,24(a0) dmultu a_3,a_1 /* mul_add_c2(a[3],b[1],c2,c3,c1); */ mflo t_1 mfhi t_2 - slt c_1,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 - daddu t_2,AT + daddu c_2,t_1 + daddu AT,t_2 + sltu t_1,c_2,t_1 + daddu c_3,AT + daddu t_2,t_1 + sltu c_1,c_3,AT daddu c_3,t_2 - sltu AT,c_3,t_2 - daddu c_1,AT + sltu t_2,c_3,t_2 + daddu c_1,t_2 dmultu a_2,a_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -2174,17 +2174,17 @@ LEAF(bn_sqr_comba4) dmultu a_2,a_3 /* mul_add_c2(a[2],b[3],c3,c1,c2); */ mflo t_1 mfhi t_2 - slt c_2,t_2,zero - dsll t_2,1 - slt a2,t_1,zero - daddu t_2,a2 - dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 - daddu t_2,AT + daddu c_3,t_1 + daddu AT,t_2 + sltu t_1,c_3,t_1 + daddu c_1,AT + daddu t_2,t_1 + sltu c_2,c_1,AT daddu c_1,t_2 - sltu AT,c_1,t_2 - daddu c_2,AT + sltu t_2,c_1,t_2 + daddu c_2,t_2 sd c_3,40(a0) dmultu a_3,a_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */ diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c index 2d80f192da25..eba8304f0ae2 100644 --- a/crypto/bn/asm/x86_64-gcc.c +++ b/crypto/bn/asm/x86_64-gcc.c @@ -269,6 +269,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) /* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */ /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */ +/* + * Keep in mind that carrying into high part of multiplication result + * can not overflow, because it cannot be all-ones. + */ #if 0 /* original macros are kept for reference purposes */ #define mul_add_c(a,b,c0,c1,c2) { \ @@ -283,10 +287,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) BN_ULONG ta=(a),tb=(b),t0; \ t1 = BN_UMULT_HIGH(ta,tb); \ t0 = ta * tb; \ - t2 = t1+t1; c2 += (t2<t1)?1:0; \ - t1 = t0+t0; t2 += (t1<t0)?1:0; \ - c0 += t1; t2 += (c0<t1)?1:0; \ + c0 += t0; t2 = t1+((c0<t0)?1:0);\ c1 += t2; c2 += (c1<t2)?1:0; \ + c0 += t0; t1 += (c0<t0)?1:0; \ + c1 += t1; c2 += (c1<t1)?1:0; \ } #else #define mul_add_c(a,b,c0,c1,c2) do { \ @@ -324,22 +328,14 @@ BN_ULONG bn_sub_words(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) : "=a"(t1),"=d"(t2) \ : "a"(a),"m"(b) \ : "cc"); \ - asm ("addq %0,%0; adcq %2,%1" \ - : "+d"(t2),"+r"(c2) \ - : "g"(0) \ - : "cc"); \ - asm ("addq %0,%0; adcq %2,%1" \ - : "+a"(t1),"+d"(t2) \ - : "g"(0) \ - : "cc"); \ - asm ("addq %2,%0; adcq %3,%1" \ - : "+r"(c0),"+d"(t2) \ - : "a"(t1),"g"(0) \ - : "cc"); \ - asm ("addq %2,%0; adcq %3,%1" \ - : "+r"(c1),"+r"(c2) \ - : "d"(t2),"g"(0) \ - : "cc"); \ + asm ("addq %3,%0; adcq %4,%1; adcq %5,%2" \ + : "+r"(c0),"+r"(c1),"+r"(c2) \ + : "r"(t1),"r"(t2),"g"(0) \ + : "cc"); \ + asm ("addq %3,%0; adcq %4,%1; adcq %5,%2" \ + : "+r"(c0),"+r"(c1),"+r"(c2) \ + : "r"(t1),"r"(t2),"g"(0) \ + : "cc"); \ } while (0) #endif diff --git a/crypto/bn/bn_asm.c b/crypto/bn/bn_asm.c index 99bc2de4913e..b95b003e15f7 100644 --- a/crypto/bn/bn_asm.c +++ b/crypto/bn/bn_asm.c @@ -431,6 +431,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n) /* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */ /* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */ +/* + * Keep in mind that carrying into high part of multiplication result + * can not overflow, because it cannot be all-ones. + */ #ifdef BN_LLONG #define mul_add_c(a,b,c0,c1,c2) \ t=(BN_ULLONG)a*b; \ @@ -471,10 +475,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n) #define mul_add_c2(a,b,c0,c1,c2) { \ BN_ULONG ta=(a),tb=(b),t0; \ BN_UMULT_LOHI(t0,t1,ta,tb); \ - t2 = t1+t1; c2 += (t2<t1)?1:0; \ - t1 = t0+t0; t2 += (t1<t0)?1:0; \ - c0 += t1; t2 += (c0<t1)?1:0; \ + c0 += t0; t2 = t1+((c0<t0)?1:0);\ c1 += t2; c2 += (c1<t2)?1:0; \ + c0 += t0; t1 += (c0<t0)?1:0; \ + c1 += t1; c2 += (c1<t1)?1:0; \ } #define sqr_add_c(a,i,c0,c1,c2) { \ @@ -501,10 +505,10 @@ BN_ULONG bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n) BN_ULONG ta=(a),tb=(b),t0; \ t1 = BN_UMULT_HIGH(ta,tb); \ t0 = ta * tb; \ - t2 = t1+t1; c2 += (t2<t1)?1:0; \ - t1 = t0+t0; t2 += (t1<t0)?1:0; \ - c0 += t1; t2 += (c0<t1)?1:0; \ + c0 += t0; t2 = t1+((c0<t0)?1:0);\ c1 += t2; c2 += (c1<t2)?1:0; \ + c0 += t0; t1 += (c0<t0)?1:0; \ + c1 += t1; c2 += (c1<t1)?1:0; \ } #define sqr_add_c(a,i,c0,c1,c2) { \ diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c index d41daac5fedb..9138c2f15ea7 100644 --- a/crypto/bn/bntest.c +++ b/crypto/bn/bntest.c @@ -676,44 +676,98 @@ int test_mul(BIO *bp) int test_sqr(BIO *bp, BN_CTX *ctx) { - BIGNUM a,c,d,e; - int i; + BIGNUM *a,*c,*d,*e; + int i, ret = 0; - BN_init(&a); - BN_init(&c); - BN_init(&d); - BN_init(&e); + a = BN_new(); + c = BN_new(); + d = BN_new(); + e = BN_new(); + if (a == NULL || c == NULL || d == NULL || e == NULL) + { + goto err; + } for (i=0; i<num0; i++) { - BN_bntest_rand(&a,40+i*10,0,0); - a.neg=rand_neg(); - BN_sqr(&c,&a,ctx); + BN_bntest_rand(a,40+i*10,0,0); + a->neg=rand_neg(); + BN_sqr(c,a,ctx); if (bp != NULL) { if (!results) { - BN_print(bp,&a); + BN_print(bp,a); BIO_puts(bp," * "); - BN_print(bp,&a); + BN_print(bp,a); BIO_puts(bp," - "); } - BN_print(bp,&c); + BN_print(bp,c); BIO_puts(bp,"\n"); } - BN_div(&d,&e,&c,&a,ctx); - BN_sub(&d,&d,&a); - if(!BN_is_zero(&d) || !BN_is_zero(&e)) - { - fprintf(stderr,"Square test failed!\n"); - return 0; - } + BN_div(d,e,c,a,ctx); + BN_sub(d,d,a); + if(!BN_is_zero(d) || !BN_is_zero(e)) + { + fprintf(stderr,"Square test failed!\n"); + goto err; + } } - BN_free(&a); - BN_free(&c); - BN_free(&d); - BN_free(&e); - return(1); + + /* Regression test for a BN_sqr overflow bug. */ + BN_hex2bn(&a, + "80000000000000008000000000000001FFFFFFFFFFFFFFFE0000000000000000"); + BN_sqr(c, a, ctx); + if (bp != NULL) + { + if (!results) + { + BN_print(bp,a); + BIO_puts(bp," * "); + BN_print(bp,a); + BIO_puts(bp," - "); + } + BN_print(bp,c); + BIO_puts(bp,"\n"); + } + BN_mul(d, a, a, ctx); + if (BN_cmp(c, d)) + { + fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce " + "different results!\n"); + goto err; + } + + /* Regression test for a BN_sqr overflow bug. */ + BN_hex2bn(&a, + "80000000000000000000000080000001FFFFFFFE000000000000000000000000"); + BN_sqr(c, a, ctx); + if (bp != NULL) + { + if (!results) + { + BN_print(bp,a); + BIO_puts(bp," * "); + BN_print(bp,a); + BIO_puts(bp," - "); + } + BN_print(bp,c); + BIO_puts(bp,"\n"); + } + BN_mul(d, a, a, ctx); + if (BN_cmp(c, d)) + { + fprintf(stderr, "Square test failed: BN_sqr and BN_mul produce " + "different results!\n"); + goto err; + } + ret = 1; +err: + if (a != NULL) BN_free(a); + if (c != NULL) BN_free(c); + if (d != NULL) BN_free(d); + if (e != NULL) BN_free(e); + return ret; } int test_mont(BIO *bp, BN_CTX *ctx) diff --git a/crypto/bn/exptest.c b/crypto/bn/exptest.c index 44a90e2c8494..329a05dee2a8 100644 --- a/crypto/bn/exptest.c +++ b/crypto/bn/exptest.c @@ -71,6 +71,11 @@ static const char rnd_seed[] = "string to make the random number generator think it has entropy"; +/* + * Disabled for FIPS capable builds because they use the FIPS BIGNUM library + * which will fail this test. + */ +#ifndef OPENSSL_FIPS /* test_exp_mod_zero tests that x**0 mod 1 == 0. It returns zero on success. */ static int test_exp_mod_zero() { BIGNUM a, p, m; @@ -107,7 +112,7 @@ static int test_exp_mod_zero() { return ret; } - +#endif int main(int argc, char *argv[]) { BN_CTX *ctx; @@ -228,10 +233,10 @@ int main(int argc, char *argv[]) CRYPTO_mem_leaks(out); BIO_free(out); printf("\n"); - +#ifndef OPENSSL_FIPS if (test_exp_mod_zero() != 0) goto err; - +#endif printf("done\n"); EXIT(0); diff --git a/crypto/constant_time_locl.h b/crypto/constant_time_locl.h index c0483939fe3d..8af98c168329 100644 --- a/crypto/constant_time_locl.h +++ b/crypto/constant_time_locl.h @@ -129,17 +129,12 @@ static inline int constant_time_select_int(unsigned int mask, int a, int b); static inline unsigned int constant_time_msb(unsigned int a) { - return (unsigned int)((int)(a) >> (sizeof(int) * 8 - 1)); + return 0-(a >> (sizeof(a) * 8 - 1)); } static inline unsigned int constant_time_lt(unsigned int a, unsigned int b) { - unsigned int lt; - /* Case 1: msb(a) == msb(b). a < b iff the MSB of a - b is set.*/ - lt = ~(a ^ b) & (a - b); - /* Case 2: msb(a) != msb(b). a < b iff the MSB of b is set. */ - lt |= ~a & b; - return constant_time_msb(lt); + return constant_time_msb(a^((a^b)|((a-b)^b))); } static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b) @@ -149,12 +144,7 @@ static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b) static inline unsigned int constant_time_ge(unsigned int a, unsigned int b) { - unsigned int ge; - /* Case 1: msb(a) == msb(b). a >= b iff the MSB of a - b is not set.*/ - ge = ~((a ^ b) | (a - b)); - /* Case 2: msb(a) != msb(b). a >= b iff the MSB of a is set. */ - ge |= a & ~b; - return constant_time_msb(ge); + return ~constant_time_lt(a, b); } static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b) @@ -204,7 +194,7 @@ static inline unsigned char constant_time_select_8(unsigned char mask, return (unsigned char)(constant_time_select(mask, a, b)); } -inline int constant_time_select_int(unsigned int mask, int a, int b) +static inline int constant_time_select_int(unsigned int mask, int a, int b) { return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b))); } diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c index bc7d7a02a347..08d47720fa1e 100644 --- a/crypto/dsa/dsa_asn1.c +++ b/crypto/dsa/dsa_asn1.c @@ -200,7 +200,11 @@ int DSA_verify(int type, const unsigned char *dgst, int dgst_len, const unsigned char *sigbuf, int siglen, DSA *dsa) { DSA_SIG *s; + const unsigned char *p = sigbuf; + unsigned char *der = NULL; + int derlen = -1; int ret=-1; + #ifdef OPENSSL_FIPS if(FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) { @@ -211,10 +215,18 @@ int DSA_verify(int type, const unsigned char *dgst, int dgst_len, s = DSA_SIG_new(); if (s == NULL) return(ret); - if (d2i_DSA_SIG(&s,&sigbuf,siglen) == NULL) goto err; + if (d2i_DSA_SIG(&s,&p,siglen) == NULL) goto err; + /* Ensure signature uses DER and doesn't have trailing garbage */ + derlen = i2d_DSA_SIG(s, &der); + if (derlen != siglen || memcmp(sigbuf, der, derlen)) + goto err; ret=DSA_do_verify(dgst,dgst_len,s,dsa); err: + if (derlen > 0) + { + OPENSSL_cleanse(der, derlen); + OPENSSL_free(der); + } DSA_SIG_free(s); return(ret); } - diff --git a/crypto/ecdsa/Makefile b/crypto/ecdsa/Makefile index 49e2681575a1..6a1b4ef1c068 100644 --- a/crypto/ecdsa/Makefile +++ b/crypto/ecdsa/Makefile @@ -128,11 +128,12 @@ ecs_sign.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ecs_sign.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ecs_sign.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h ecs_sign.o: ecs_locl.h ecs_sign.c -ecs_vrf.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h -ecs_vrf.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h -ecs_vrf.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h -ecs_vrf.o: ../../include/openssl/ecdh.h ../../include/openssl/ecdsa.h -ecs_vrf.o: ../../include/openssl/engine.h ../../include/openssl/evp.h +ecs_vrf.o: ../../e_os.h ../../include/openssl/asn1.h +ecs_vrf.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h +ecs_vrf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h +ecs_vrf.o: ../../include/openssl/ec.h ../../include/openssl/ecdh.h +ecs_vrf.o: ../../include/openssl/ecdsa.h ../../include/openssl/engine.h +ecs_vrf.o: ../../include/openssl/err.h ../../include/openssl/evp.h ecs_vrf.o: ../../include/openssl/fips.h ../../include/openssl/lhash.h ecs_vrf.o: ../../include/openssl/obj_mac.h ../../include/openssl/objects.h ecs_vrf.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h @@ -140,4 +141,4 @@ ecs_vrf.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h ecs_vrf.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h ecs_vrf.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h ecs_vrf.o: ../../include/openssl/x509.h ../../include/openssl/x509_vfy.h -ecs_vrf.o: ecs_locl.h ecs_vrf.c +ecs_vrf.o: ../cryptlib.h ecs_locl.h ecs_vrf.c diff --git a/crypto/ecdsa/ecs_vrf.c b/crypto/ecdsa/ecs_vrf.c index ef9acf7b6102..2836efe5eff2 100644 --- a/crypto/ecdsa/ecs_vrf.c +++ b/crypto/ecdsa/ecs_vrf.c @@ -57,6 +57,7 @@ */ #include "ecs_locl.h" +#include "cryptlib.h" #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> #endif @@ -84,13 +85,25 @@ int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len, const unsigned char *sigbuf, int sig_len, EC_KEY *eckey) { ECDSA_SIG *s; + const unsigned char *p = sigbuf; + unsigned char *der = NULL; + int derlen = -1; int ret=-1; s = ECDSA_SIG_new(); if (s == NULL) return(ret); - if (d2i_ECDSA_SIG(&s, &sigbuf, sig_len) == NULL) goto err; + if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) goto err; + /* Ensure signature uses DER and doesn't have trailing garbage */ + derlen = i2d_ECDSA_SIG(s, &der); + if (derlen != sig_len || memcmp(sigbuf, der, derlen)) + goto err; ret=ECDSA_do_verify(dgst, dgst_len, s, eckey); err: + if (derlen > 0) + { + OPENSSL_cleanse(der, derlen); + OPENSSL_free(der); + } ECDSA_SIG_free(s); return(ret); } diff --git a/crypto/evp/Makefile b/crypto/evp/Makefile index e5082b714c9d..c204f84c1d66 100644 --- a/crypto/evp/Makefile +++ b/crypto/evp/Makefile @@ -385,8 +385,7 @@ evp_enc.o: ../../include/openssl/ossl_typ.h ../../include/openssl/pkcs7.h evp_enc.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h evp_enc.o: ../../include/openssl/sha.h ../../include/openssl/stack.h evp_enc.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h -evp_enc.o: ../../include/openssl/x509_vfy.h ../constant_time_locl.h -evp_enc.o: ../cryptlib.h evp_enc.c evp_locl.h +evp_enc.o: ../../include/openssl/x509_vfy.h ../cryptlib.h evp_enc.c evp_locl.h evp_err.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h evp_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h evp_err.o: ../../include/openssl/err.h ../../include/openssl/evp.h diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index 0e98e8d156c8..30e0ca4d9faa 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -64,7 +64,6 @@ #ifndef OPENSSL_NO_ENGINE #include <openssl/engine.h> #endif -#include "../constant_time_locl.h" #include "evp_locl.h" #ifdef OPENSSL_FIPS @@ -302,11 +301,11 @@ int EVP_DecryptFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) { - unsigned int i, b; - unsigned char pad, padding_good; + int i,n; + unsigned int b; *outl=0; - b=(unsigned int)(ctx->cipher->block_size); + b=ctx->cipher->block_size; if (ctx->flags & EVP_CIPH_NO_PADDING) { if(ctx->buf_len) @@ -325,34 +324,28 @@ int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl) return(0); } OPENSSL_assert(b <= sizeof ctx->final); - pad=ctx->final[b-1]; - - padding_good = (unsigned char)(~constant_time_is_zero_8(pad)); - padding_good &= constant_time_ge_8(b, pad); - - for (i = 1; i < b; ++i) + n=ctx->final[b-1]; + if (n == 0 || n > (int)b) { - unsigned char is_pad_index = constant_time_lt_8(i, pad); - unsigned char pad_byte_good = constant_time_eq_8(ctx->final[b-i-1], pad); - padding_good &= constant_time_select_8(is_pad_index, pad_byte_good, 0xff); + EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT); + return(0); } - - /* - * At least 1 byte is always padding, so we always write b - 1 - * bytes to avoid a timing leak. The caller is required to have |b| - * bytes space in |out| by the API contract. - */ - for (i = 0; i < b - 1; ++i) - out[i] = ctx->final[i] & padding_good; - /* Safe cast: for a good padding, EVP_MAX_IV_LENGTH >= b >= pad */ - *outl = padding_good & ((unsigned char)(b - pad)); - return padding_good & 1; + for (i=0; i<n; i++) + { + if (ctx->final[--b] != n) + { + EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT); + return(0); + } + } + n=ctx->cipher->block_size-n; + for (i=0; i<n; i++) + out[i]=ctx->final[i]; + *outl=n; } else - { - *outl = 0; - return 1; - } + *outl=0; + return(1); } void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) diff --git a/crypto/md32_common.h b/crypto/md32_common.h index e0deb78015a5..486d6ca6f4e3 100644 --- a/crypto/md32_common.h +++ b/crypto/md32_common.h @@ -225,8 +225,7 @@ #define HOST_c2l(c,l) (l =(((unsigned long)(*((c)++)))<<24), \ l|=(((unsigned long)(*((c)++)))<<16), \ l|=(((unsigned long)(*((c)++)))<< 8), \ - l|=(((unsigned long)(*((c)++))) ), \ - l) + l|=(((unsigned long)(*((c)++))) ) ) #endif #ifndef HOST_l2c #define HOST_l2c(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \ @@ -262,8 +261,7 @@ #define HOST_c2l(c,l) (l =(((unsigned long)(*((c)++))) ), \ l|=(((unsigned long)(*((c)++)))<< 8), \ l|=(((unsigned long)(*((c)++)))<<16), \ - l|=(((unsigned long)(*((c)++)))<<24), \ - l) + l|=(((unsigned long)(*((c)++)))<<24) ) #endif #ifndef HOST_l2c #define HOST_l2c(l,c) (*((c)++)=(unsigned char)(((l) )&0xff), \ diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 50001f32f925..e05914e05f95 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x009081cfL +#define OPENSSL_VERSION_NUMBER 0x009081dfL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8zc-fips 15 Oct 2014" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8zd-fips 8 Jan 2015" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8zc 15 Oct 2014" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8zd 8 Jan 2015" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 97ea8b6c6693..67a7ace7fe52 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -18,7 +18,7 @@ * an equivalent notion. */ -#include "../constant_time_locl.h" +#include "constant_time_locl.h" #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) #include <stdio.h> diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c index e028ff7189e0..c2da56f6cad8 100644 --- a/crypto/rsa/rsa_pk1.c +++ b/crypto/rsa/rsa_pk1.c @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "../constant_time_locl.h" +#include "constant_time_locl.h" #include <stdio.h> #include "cryptlib.h" diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h index c34689a1b389..e77ee691066c 100644 --- a/crypto/x509/x509.h +++ b/crypto/x509/x509.h @@ -870,6 +870,7 @@ X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn); int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval); void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval, X509_ALGOR *algor); +int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); X509_NAME *X509_NAME_dup(X509_NAME *xn); X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne); diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index c7b07f7c9d58..f4c68fc17c23 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -73,6 +73,8 @@ int X509_verify(X509 *a, EVP_PKEY *r) { + if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature)) + return 0; return(ASN1_item_verify(ASN1_ITEM_rptr(X509_CINF),a->sig_alg, a->signature,a->cert_info,r)); } diff --git a/doc/ssl/SSL_CTX_set_mode.pod b/doc/ssl/SSL_CTX_set_mode.pod index 0ee23433ba7e..f9b838fe6f78 100644 --- a/doc/ssl/SSL_CTX_set_mode.pod +++ b/doc/ssl/SSL_CTX_set_mode.pod @@ -61,12 +61,16 @@ deal with read/write operations returning without success report. The flag SSL_MODE_AUTO_RETRY will cause read/write operations to only return after the handshake and successful completion. -=item SSL_MODE_FALLBACK_SCSV +=item SSL_MODE_SEND_FALLBACK_SCSV Send TLS_FALLBACK_SCSV in the ClientHello. -To be set by applications that reconnect with a downgraded protocol +To be set only by applications that reconnect with a downgraded protocol version; see draft-ietf-tls-downgrade-scsv-00 for details. +DO NOT ENABLE THIS if your application attempts a normal handshake. +Only use this in explicit fallback retries, following the guidance +in draft-ietf-tls-downgrade-scsv-00. + =back =head1 RETURN VALUES diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index a2a570b610ee..307b157c5d58 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -152,15 +152,7 @@ temporary/ephemeral DH parameters are used. =item SSL_OP_EPHEMERAL_RSA -Always use ephemeral (temporary) RSA key when doing RSA operations -(see L<SSL_CTX_set_tmp_rsa_callback(3)|SSL_CTX_set_tmp_rsa_callback(3)>). -According to the specifications this is only done, when a RSA key -can only be used for signature operations (namely under export ciphers -with restricted RSA keylength). By setting this option, ephemeral -RSA keys are always used. This option breaks compatibility with the -SSL/TLS specifications and may lead to interoperability problems with -clients and should therefore never be used. Ciphers with EDH (ephemeral -Diffie-Hellman) key exchange should be used instead. +This option is no longer implemented and is treated as no op. =item SSL_OP_CIPHER_SERVER_PREFERENCE diff --git a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod index 534643cd9de4..8794eb7ac360 100644 --- a/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod +++ b/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod @@ -74,21 +74,14 @@ exchange and use EDH (Ephemeral Diffie-Hellman) key exchange instead in order to achieve forward secrecy (see L<SSL_CTX_set_tmp_dh_callback(3)|SSL_CTX_set_tmp_dh_callback(3)>). -On OpenSSL servers ephemeral RSA key exchange is therefore disabled by default -and must be explicitly enabled using the SSL_OP_EPHEMERAL_RSA option of -L<SSL_CTX_set_options(3)|SSL_CTX_set_options(3)>, violating the TLS/SSL -standard. When ephemeral RSA key exchange is required for export ciphers, -it will automatically be used without this option! - -An application may either directly specify the key or can supply the key via -a callback function. The callback approach has the advantage, that the -callback may generate the key only in case it is actually needed. As the -generation of a RSA key is however costly, it will lead to a significant -delay in the handshake procedure. Another advantage of the callback function -is that it can supply keys of different size (e.g. for SSL_OP_EPHEMERAL_RSA -usage) while the explicit setting of the key is only useful for key size of -512 bits to satisfy the export restricted ciphers and does give away key length -if a longer key would be allowed. +An application may either directly specify the key or can supply the key via a +callback function. The callback approach has the advantage, that the callback +may generate the key only in case it is actually needed. As the generation of a +RSA key is however costly, it will lead to a significant delay in the handshake +procedure. Another advantage of the callback function is that it can supply +keys of different size while the explicit setting of the key is only useful for +key size of 512 bits to satisfy the export restricted ciphers and does give +away key length if a longer key would be allowed. The B<tmp_rsa_callback> is called with the B<keylength> needed and the B<is_export> information. The B<is_export> flag is set, when the @@ -275,7 +275,7 @@ extern "C" { # ifdef _WIN64 # define strlen(s) _strlen31(s) /* cut strings to 2GB */ -static unsigned int _strlen31(const char *str) +static __inline unsigned int _strlen31(const char *str) { unsigned int len=0; while (*str && len<0x80000000U) str++, len++; @@ -360,15 +360,6 @@ static unsigned int _strlen31(const char *str) # define DEFAULT_HOME "C:" # endif -/* - * Visual Studio: inline is available in C++ only, however - * __inline is available for C, see - * http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx - */ -#if defined(_MSC_VER) && !defined(__cplusplus) && !defined(inline) -# define inline __inline -#endif - #else /* The non-microsoft world */ # ifdef OPENSSL_SYS_VMS @@ -711,6 +702,23 @@ struct servent *getservbyname(const char *name, const char *proto); #endif /* end vxworks */ +#if !defined(inline) && !defined(__cplusplus) +# if defined(__STDC_VERSION__) && __STDC_VERSION__>=199901L + /* do nothing, inline works */ +# elif defined(__GNUC__) && __GNUC__>=2 +# define inline __inline__ +# elif defined(_MSC_VER) + /* + * Visual Studio: inline is available in C++ only, however + * __inline is available for C, see + * http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx + */ +# define inline __inline +# else +# define inline +# endif +#endif + #ifdef __cplusplus } #endif diff --git a/openssl.spec b/openssl.spec index d148076bb40a..f233d810d2c7 100644 --- a/openssl.spec +++ b/openssl.spec @@ -6,7 +6,7 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: 0.9.8zc +Version: 0.9.8zd Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz License: OpenSSL Group: System Environment/Libraries diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index d12604e6573e..bc478c240cc3 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -595,8 +595,6 @@ again: /* now s->packet_length == DTLS1_RT_HEADER_LENGTH */ i=rr->length; n=ssl3_read_n(s,i,i,1); - if (n <= 0) return(n); /* error or non-blocking io */ - /* this packet contained a partial record, dump it */ if ( n != i) { @@ -626,7 +624,8 @@ again: * would be dropped unnecessarily. */ if (!(s->d1->listen && rr->type == SSL3_RT_HANDSHAKE && - *p == SSL3_MT_CLIENT_HELLO) && + s->packet_length > DTLS1_RT_HEADER_LENGTH && + s->packet[DTLS1_RT_HEADER_LENGTH] == SSL3_MT_CLIENT_HELLO) && ! dtls1_record_replay_check(s, bitmap, &(rr->seq_num))) { rr->length = 0; diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 0e6bf46c028b..0e9bb204add7 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -371,23 +371,11 @@ int dtls1_accept(SSL *s) /* clear this, it may get reset by * send_server_key_exchange */ - if ((s->options & SSL_OP_EPHEMERAL_RSA) -#ifndef OPENSSL_NO_KRB5 - && !(l & SSL_KRB5) -#endif /* OPENSSL_NO_KRB5 */ - ) - /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key - * even when forbidden by protocol specs - * (handshake may fail as clients are not required to - * be able to handle this) */ - s->s3->tmp.use_rsa_tmp=1; - else - s->s3->tmp.use_rsa_tmp=0; + s->s3->tmp.use_rsa_tmp=0; /* only send if a DH key exchange, fortezza or * RSA but we have a sign only certificate */ - if (s->s3->tmp.use_rsa_tmp - || (l & (SSL_DH|SSL_kFZA)) + if ((l & (SSL_DH|SSL_kFZA)) || ((l & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL || (SSL_C_IS_EXPORT(s->s3->tmp.new_cipher) diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 3d0069baf3e2..5486a3621dcb 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -559,12 +559,14 @@ int ssl23_get_client_hello(SSL *s) if ((type == 2) || (type == 3)) { /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */ - s->method = ssl23_get_server_method(s->version); - if (s->method == NULL) + SSL_METHOD *new_method; + new_method = ssl23_get_server_method(s->version); + if (new_method == NULL) { SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); goto err; } + s->method = new_method; if (!ssl_init_wbio_buffer(s,1)) goto err; diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 482893756693..3352e2d19a16 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c @@ -1123,8 +1123,21 @@ int ssl3_get_key_exchange(SSL *s) if (!ok) return((int)n); + alg=s->s3->tmp.new_cipher->algorithms; + EVP_MD_CTX_init(&md_ctx); + if (s->s3->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { + /* + * Can't skip server key exchange if this is an ephemeral + * ciphersuite. + */ + if (alg & (SSL_kEDH|SSL_kECDHE)) + { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_UNEXPECTED_MESSAGE); + al = SSL_AD_UNEXPECTED_MESSAGE; + goto f_err; + } s->s3->tmp.reuse_message=1; return(1); } @@ -1162,13 +1175,18 @@ int ssl3_get_key_exchange(SSL *s) /* Total length of the parameters including the length prefix */ param_len=0; - alg=s->s3->tmp.new_cipher->algorithms; - EVP_MD_CTX_init(&md_ctx); al=SSL_AD_DECODE_ERROR; #ifndef OPENSSL_NO_RSA if (alg & SSL_kRSA) { + /* Temporary RSA keys only allowed in export ciphersuites */ + if (!SSL_C_IS_EXPORT(s->s3->tmp.new_cipher)) + { + al=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE); + goto f_err; + } if ((rsa=RSA_new()) == NULL) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE,ERR_R_MALLOC_FAILURE); diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index a3b45fba9dc1..1adc30191138 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -147,6 +147,8 @@ int ssl3_read_n(SSL *s, int n, int max, int extend) * at once (as long as it fits into the buffer). */ if (SSL_version(s) == DTLS1_VERSION) { + if (s->s3->rbuf.left == 0 && extend) + return 0; if ( s->s3->rbuf.left > 0 && n > s->s3->rbuf.left) n = s->s3->rbuf.left; } diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index ca3e77aef668..496ae80a250f 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -355,18 +355,7 @@ int ssl3_accept(SSL *s) /* clear this, it may get reset by * send_server_key_exchange */ - if ((s->options & SSL_OP_EPHEMERAL_RSA) -#ifndef OPENSSL_NO_KRB5 - && !(l & SSL_KRB5) -#endif /* OPENSSL_NO_KRB5 */ - ) - /* option SSL_OP_EPHEMERAL_RSA sends temporary RSA key - * even when forbidden by protocol specs - * (handshake may fail as clients are not required to - * be able to handle this) */ - s->s3->tmp.use_rsa_tmp=1; - else - s->s3->tmp.use_rsa_tmp=0; + s->s3->tmp.use_rsa_tmp=0; /* only send if a DH key exchange, fortezza or @@ -378,8 +367,7 @@ int ssl3_accept(SSL *s) * server certificate contains the server's * public key for key exchange. */ - if (s->s3->tmp.use_rsa_tmp - || (l & SSL_kECDHE) + if ((l & SSL_kECDHE) || (l & (SSL_DH|SSL_kFZA)) || ((l & SSL_kRSA) && (s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey == NULL @@ -2412,7 +2400,7 @@ int ssl3_get_cert_verify(SSL *s) if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { s->s3->tmp.reuse_message=1; - if ((peer != NULL) && (type | EVP_PKT_SIGN)) + if (peer != NULL) { al=SSL_AD_UNEXPECTED_MESSAGE; SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE); diff --git a/ssl/ssl.h b/ssl/ssl.h index 6435c5966dbf..8420100cf01a 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -526,9 +526,8 @@ typedef struct ssl_session_st #define SSL_OP_SINGLE_ECDH_USE 0x00080000L /* If set, always create a new key when using tmp_dh parameters */ #define SSL_OP_SINGLE_DH_USE 0x00100000L -/* Set to always use the tmp_rsa key when doing RSA operations, - * even when this violates protocol specs */ -#define SSL_OP_EPHEMERAL_RSA 0x00200000L +/* Does nothing: retained for compatibiity */ +#define SSL_OP_EPHEMERAL_RSA 0x0 /* Set on servers to choose the cipher according to the server's * preferences */ #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L @@ -564,8 +563,13 @@ typedef struct ssl_session_st /* Don't attempt to automatically build certificate chain */ #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L /* Send TLS_FALLBACK_SCSV in the ClientHello. - * To be set by applications that reconnect with a downgraded protocol - * version; see draft-ietf-tls-downgrade-scsv-00 for details. */ + * To be set only by applications that reconnect with a downgraded protocol + * version; see draft-ietf-tls-downgrade-scsv-00 for details. + * + * DO NOT ENABLE THIS if your application attempts a normal handshake. + * Only use this in explicit fallback retries, following the guidance + * in draft-ietf-tls-downgrade-scsv-00. + */ #define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 5db0b5276e3f..542ab5a55849 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1401,6 +1401,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s,unsigned char *p,int num, ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK); goto err; } + p += n; continue; } diff --git a/util/libeay.num b/util/libeay.num index f3b7776b9676..b2f9e4560c45 100755 --- a/util/libeay.num +++ b/util/libeay.num @@ -1807,6 +1807,7 @@ ASN1_UTCTIME_get 2350 NOEXIST::FUNCTION: X509_REQ_digest 2362 EXIST::FUNCTION:EVP X509_CRL_digest 2391 EXIST::FUNCTION:EVP d2i_ASN1_SET_OF_PKCS7 2397 NOEXIST::FUNCTION: +X509_ALGOR_cmp 2398 EXIST::FUNCTION: EVP_CIPHER_CTX_set_key_length 2399 EXIST::FUNCTION: EVP_CIPHER_CTX_ctrl 2400 EXIST::FUNCTION: BN_mod_exp_mont_word 2401 EXIST::FUNCTION: @@ -3730,3 +3731,4 @@ JPAKE_STEP2_init 4113 EXIST::FUNCTION:JPAKE pqueue_size 4114 EXIST::FUNCTION: OPENSSL_uni2asc 4115 EXIST:NETWARE:FUNCTION: OPENSSL_asc2uni 4116 EXIST:NETWARE:FUNCTION: +ASN1_TYPE_cmp 4428 EXIST::FUNCTION: diff --git a/util/mk1mf.pl b/util/mk1mf.pl index a21f6f45a74f..0ddd2ca3f5ef 100755 --- a/util/mk1mf.pl +++ b/util/mk1mf.pl @@ -786,12 +786,6 @@ foreach (values %lib_nam) $lib_obj=$lib_obj{$_}; local($slib)=$shlib; - if (($_ eq "SSL") && $no_ssl2 && $no_ssl3) - { - $rules.="\$(O_SSL):\n\n"; - next; - } - if ((!$fips && ($_ eq "CRYPTO")) || ($fips && ($_ eq "FIPS"))) { if ($cpuid_asm_obj ne "") |