Upgrade to openssl-1.0.0f
Bug: 5822335
Change-Id: Iadf81526a10b072ff323730db0e1897faea7a13f
diff --git a/ThirdPartyProject.prop b/ThirdPartyProject.prop
index 34ad609..04e6594 100644
--- a/ThirdPartyProject.prop
+++ b/ThirdPartyProject.prop
@@ -1,7 +1,7 @@
# Copyright 2010 Google Inc. All Rights Reserved.
#Fri Jul 16 10:03:09 PDT 2010
-currentVersion=1.0.0e
-version=1.0.0e
+currentVersion=1.0.0f
+version=1.0.0f
isNative=true
feedurl=http\://www.openssl.org/
name=openssl
diff --git a/android-config.mk b/android-config.mk
index d76d6e3..75c7391 100644
--- a/android-config.mk
+++ b/android-config.mk
@@ -11,7 +11,7 @@
LOCAL_CFLAGS += -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_CAPIENG -DOPENSSL_NO_CAST -DOPENSSL_NO_CMS -DOPENSSL_NO_GMP -DOPENSSL_NO_IDEA -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_SHA0 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SEED -DOPENSSL_NO_STORE -DOPENSSL_NO_WHIRLPOOL
# Extra
-LOCAL_CFLAGS += -DOPENSSL_NO_HW -DOPENSSL_NO_ENGINE -DZLIB
+LOCAL_CFLAGS += -DOPENSSL_NO_HW -DOPENSSL_NO_ENGINE -DZLIB -DOPENSSL_NO_DTLS1
# Debug
# LOCAL_CFLAGS += -DCIPHER_DEBUG
diff --git a/android.testssl/testssl b/android.testssl/testssl
index 3f24b1d..0eee92d 100755
--- a/android.testssl/testssl
+++ b/android.testssl/testssl
@@ -112,8 +112,8 @@
$ssltest $extra || exit 1
if [ $dsa_cert = NO ]; then
- echo test sslv2/sslv3 w/o DHE via BIO pair
- $ssltest -bio_pair -no_dhe $extra || exit 1
+ echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
+ $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
fi
echo test sslv2/sslv3 with 1024bit DHE via BIO pair
@@ -143,8 +143,8 @@
if [ `adb shell /system/bin/openssl no-rsa` = no-dh ]; then
echo skipping RSA tests
else
- echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
- adb shell /system/bin/ssltest -v -bio_pair -tls1 -cert /sdcard/android.testssl/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
+ echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
+ adb shell /system/bin/ssltest -v -bio_pair -tls1 -cert /sdcard/android.testssl/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
if [ `adb shell /system/bin/openssl no-dh` = no-dh ]; then
echo skipping RSA+DHE tests
diff --git a/apps/Android.mk b/apps/Android.mk
index 20cc5a9..c2dc2d7 100644
--- a/apps/Android.mk
+++ b/apps/Android.mk
@@ -62,10 +62,6 @@
local_cflags := -DMONOLITH
-# These flags omit whole features from the commandline "openssl".
-# However, portions of these features are actually turned on.
-local_cflags += -DOPENSSL_NO_DTLS1
-
include $(CLEAR_VARS)
LOCAL_MODULE:= openssl
LOCAL_MODULE_TAGS := optional
diff --git a/apps/cms.c b/apps/cms.c
index d29a884..3f5ee1b 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -618,7 +618,7 @@
BIO_printf (bio_err, "-certsout file certificate output file\n");
BIO_printf (bio_err, "-signer file signer certificate file\n");
BIO_printf (bio_err, "-recip file recipient certificate file for decryption\n");
- BIO_printf (bio_err, "-skeyid use subject key identifier\n");
+ BIO_printf (bio_err, "-keyid use subject key identifier\n");
BIO_printf (bio_err, "-in file input file\n");
BIO_printf (bio_err, "-inform arg input format SMIME (default), PEM or DER\n");
BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n");
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 9d2cd5b..18760c6 100644
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -145,7 +145,7 @@
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
-commonName = Common Name (eg, YOUR name)
+commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
diff --git a/apps/x509.c b/apps/x509.c
index ed1e8c6..9f5eaeb 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -987,7 +987,7 @@
else
{
pk=load_key(bio_err,
- keyfile, FORMAT_PEM, 0,
+ keyfile, keyformat, 0,
passin, e, "request key");
if (pk == NULL) goto end;
}
diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c
index c1fd75a..4b5a132 100644
--- a/crypto/bio/bf_buff.c
+++ b/crypto/bio/bf_buff.c
@@ -209,7 +209,7 @@
/* add to buffer and return */
if (i >= inl)
{
- memcpy(&(ctx->obuf[ctx->obuf_len]),in,inl);
+ memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,inl);
ctx->obuf_len+=inl;
return(num+inl);
}
@@ -219,7 +219,7 @@
{
if (i > 0) /* lets fill it up if we can */
{
- memcpy(&(ctx->obuf[ctx->obuf_len]),in,i);
+ memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,i);
in+=i;
inl-=i;
num+=i;
@@ -294,9 +294,9 @@
case BIO_C_GET_BUFF_NUM_LINES:
ret=0;
p1=ctx->ibuf;
- for (i=ctx->ibuf_off; i<ctx->ibuf_len; i++)
+ for (i=0; i<ctx->ibuf_len; i++)
{
- if (p1[i] == '\n') ret++;
+ if (p1[ctx->ibuf_off + i] == '\n') ret++;
}
break;
case BIO_CTRL_WPENDING:
@@ -399,17 +399,18 @@
for (;;)
{
BIO_clear_retry_flags(b);
- if (ctx->obuf_len > ctx->obuf_off)
+ if (ctx->obuf_len > 0)
{
r=BIO_write(b->next_bio,
&(ctx->obuf[ctx->obuf_off]),
- ctx->obuf_len-ctx->obuf_off);
+ ctx->obuf_len);
#if 0
-fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len-ctx->obuf_off,r);
+fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len,r);
#endif
BIO_copy_next_retry(b);
if (r <= 0) return((long)r);
ctx->obuf_off+=r;
+ ctx->obuf_len-=r;
}
else
{
diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h
index 152802f..ab47abc 100644
--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
@@ -306,6 +306,15 @@
typedef struct bio_f_buffer_ctx_struct
{
+ /* Buffers are setup like this:
+ *
+ * <---------------------- size ----------------------->
+ * +---------------------------------------------------+
+ * | consumed | remaining | free space |
+ * +---------------------------------------------------+
+ * <-- off --><------- len ------->
+ */
+
/* BIO *bio; */ /* this is now in the BIO struct */
int ibuf_size; /* how big is the input buffer */
int obuf_size; /* how big is the output buffer */
diff --git a/crypto/bn/asm/ppc.pl b/crypto/bn/asm/ppc.pl
index 37c65d3..f409317 100644
--- a/crypto/bn/asm/ppc.pl
+++ b/crypto/bn/asm/ppc.pl
@@ -949,7 +949,7 @@
addze r11,r0
#mul_add_c(a[3],b[2],c3,c1,c2);
$LD r6,`3*$BNSZ`(r4)
- $LD r7,`2*$BNSZ`(r4)
+ $LD r7,`2*$BNSZ`(r5)
$UMULL r8,r6,r7
$UMULH r9,r6,r7
addc r12,r8,r12
diff --git a/crypto/bn/asm/x86-mont.pl b/crypto/bn/asm/x86-mont.pl
index 5cd3cd2..e8f6b05 100755
--- a/crypto/bn/asm/x86-mont.pl
+++ b/crypto/bn/asm/x86-mont.pl
@@ -527,8 +527,10 @@
&jle (&label("sqradd"));
&mov ($carry,"edx");
- &lea ("edx",&DWP(0,$sbit,"edx",2));
+ &add ("edx","edx");
&shr ($carry,31);
+ &add ("edx",$sbit);
+ &adc ($carry,0);
&set_label("sqrlast");
&mov ($word,$_n0);
&mov ($inp,$_np);
diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c
index e060592..9ed8bc2 100644
--- a/crypto/bn/bn_blind.c
+++ b/crypto/bn/bn_blind.c
@@ -126,7 +126,7 @@
* used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
#endif
CRYPTO_THREADID tid;
- unsigned int counter;
+ int counter;
unsigned long flags;
BN_MONT_CTX *m_ctx;
int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -160,7 +160,10 @@
if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
- ret->counter = BN_BLINDING_COUNTER;
+ /* Set the counter to the special value -1
+ * to indicate that this is never-used fresh blinding
+ * that does not need updating before first use. */
+ ret->counter = -1;
CRYPTO_THREADID_current(&ret->tid);
return(ret);
err:
@@ -190,7 +193,10 @@
goto err;
}
- if (--(b->counter) == 0 && b->e != NULL &&
+ if (b->counter == -1)
+ b->counter = 0;
+
+ if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL &&
!(b->flags & BN_BLINDING_NO_RECREATE))
{
/* re-create blinding parameters */
@@ -205,8 +211,8 @@
ret=1;
err:
- if (b->counter == 0)
- b->counter = BN_BLINDING_COUNTER;
+ if (b->counter == BN_BLINDING_COUNTER)
+ b->counter = 0;
return(ret);
}
@@ -227,6 +233,12 @@
return(0);
}
+ if (b->counter == -1)
+ /* Fresh blinding, doesn't need updating. */
+ b->counter = 0;
+ else if (!BN_BLINDING_update(b,ctx))
+ return(0);
+
if (r != NULL)
{
if (!BN_copy(r, b->Ai)) ret=0;
@@ -247,22 +259,19 @@
int ret;
bn_check_top(n);
- if ((b->A == NULL) || (b->Ai == NULL))
- {
- BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
- return(0);
- }
if (r != NULL)
ret = BN_mod_mul(n, n, r, b->mod, ctx);
else
- ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
-
- if (ret >= 0)
{
- if (!BN_BLINDING_update(b,ctx))
+ if (b->Ai == NULL)
+ {
+ BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
return(0);
+ }
+ ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
}
+
bn_check_top(n);
return(ret);
}
diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c
index af94458..03deae6 100644
--- a/crypto/ec/ec2_smpl.c
+++ b/crypto/ec/ec2_smpl.c
@@ -887,7 +887,7 @@
field_sqr = group->meth->field_sqr;
/* only support affine coordinates */
- if (!point->Z_is_one) goto err;
+ if (!point->Z_is_one) return -1;
if (ctx == NULL)
{
diff --git a/crypto/ecdsa/ecdsatest.c b/crypto/ecdsa/ecdsatest.c
index 26a4a9e..54cfb8c 100644
--- a/crypto/ecdsa/ecdsatest.c
+++ b/crypto/ecdsa/ecdsatest.c
@@ -286,9 +286,12 @@
size_t crv_len = 0, n = 0;
EC_KEY *eckey = NULL, *wrong_eckey = NULL;
EC_GROUP *group;
+ ECDSA_SIG *ecdsa_sig = NULL;
unsigned char digest[20], wrong_digest[20];
- unsigned char *signature = NULL;
- unsigned int sig_len;
+ unsigned char *signature = NULL;
+ unsigned char *sig_ptr;
+ unsigned char *raw_buf = NULL;
+ unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len;
int nid, ret = 0;
/* fill digest values with some random data */
@@ -338,7 +341,8 @@
if (EC_KEY_set_group(eckey, group) == 0)
goto builtin_err;
EC_GROUP_free(group);
- if (EC_GROUP_get_degree(EC_KEY_get0_group(eckey)) < 160)
+ degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
+ if (degree < 160)
/* drop the curve */
{
EC_KEY_free(eckey);
@@ -414,26 +418,89 @@
}
BIO_printf(out, ".");
(void)BIO_flush(out);
- /* modify a single byte of the signature */
- offset = signature[10] % sig_len;
- dirt = signature[11];
- signature[offset] ^= dirt ? dirt : 1;
+ /* wrong length */
+ if (ECDSA_verify(0, digest, 20, signature, sig_len - 1,
+ eckey) == 1)
+ {
+ BIO_printf(out, " failed\n");
+ goto builtin_err;
+ }
+ BIO_printf(out, ".");
+ (void)BIO_flush(out);
+
+ /* Modify a single byte of the signature: to ensure we don't
+ * garble the ASN1 structure, we read the raw signature and
+ * modify a byte in one of the bignums directly. */
+ sig_ptr = signature;
+ if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)) == NULL)
+ {
+ BIO_printf(out, " failed\n");
+ goto builtin_err;
+ }
+
+ /* Store the two BIGNUMs in raw_buf. */
+ r_len = BN_num_bytes(ecdsa_sig->r);
+ s_len = BN_num_bytes(ecdsa_sig->s);
+ bn_len = (degree + 7) / 8;
+ if ((r_len > bn_len) || (s_len > bn_len))
+ {
+ BIO_printf(out, " failed\n");
+ goto builtin_err;
+ }
+ buf_len = 2 * bn_len;
+ if ((raw_buf = OPENSSL_malloc(buf_len)) == NULL)
+ goto builtin_err;
+ /* Pad the bignums with leading zeroes. */
+ memset(raw_buf, 0, buf_len);
+ BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len);
+ BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len);
+
+ /* Modify a single byte in the buffer. */
+ offset = raw_buf[10] % buf_len;
+ dirt = raw_buf[11] ? raw_buf[11] : 1;
+ raw_buf[offset] ^= dirt;
+ /* Now read the BIGNUMs back in from raw_buf. */
+ if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
+ (BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
+ goto builtin_err;
+
+ sig_ptr = signature;
+ sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1)
{
BIO_printf(out, " failed\n");
goto builtin_err;
}
+ /* Sanity check: undo the modification and verify signature. */
+ raw_buf[offset] ^= dirt;
+ if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
+ (BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
+ goto builtin_err;
+
+ sig_ptr = signature;
+ sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
+ if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1)
+ {
+ BIO_printf(out, " failed\n");
+ goto builtin_err;
+ }
BIO_printf(out, ".");
(void)BIO_flush(out);
BIO_printf(out, " ok\n");
/* cleanup */
+ /* clean bogus errors */
+ ERR_clear_error();
OPENSSL_free(signature);
signature = NULL;
EC_KEY_free(eckey);
eckey = NULL;
EC_KEY_free(wrong_eckey);
wrong_eckey = NULL;
+ ECDSA_SIG_free(ecdsa_sig);
+ ecdsa_sig = NULL;
+ OPENSSL_free(raw_buf);
+ raw_buf = NULL;
}
ret = 1;
@@ -442,8 +509,12 @@
EC_KEY_free(eckey);
if (wrong_eckey)
EC_KEY_free(wrong_eckey);
+ if (ecdsa_sig)
+ ECDSA_SIG_free(ecdsa_sig);
if (signature)
OPENSSL_free(signature);
+ if (raw_buf)
+ OPENSSL_free(raw_buf);
if (curves)
OPENSSL_free(curves);
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 310a338..d6d61a0 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,11 +25,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x1000005fL
+#define OPENSSL_VERSION_NUMBER 0x1000006fL
#ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0e-fips 6 Sep 2011"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f-fips 4 Jan 2012"
#else
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0e 6 Sep 2011"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f 4 Jan 2012"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/crypto/rand/rand_unix.c b/crypto/rand/rand_unix.c
index e9ead3a..e3a6557 100644
--- a/crypto/rand/rand_unix.c
+++ b/crypto/rand/rand_unix.c
@@ -133,47 +133,87 @@
# define FD_SETSIZE (8*sizeof(fd_set))
#endif
-#ifdef __VOS__
+#if defined(OPENSSL_SYS_VOS)
+
+/* The following algorithm repeatedly samples the real-time clock
+ (RTC) to generate a sequence of unpredictable data. The algorithm
+ relies upon the uneven execution speed of the code (due to factors
+ such as cache misses, interrupts, bus activity, and scheduling) and
+ upon the rather large relative difference between the speed of the
+ clock and the rate at which it can be read.
+
+ If this code is ported to an environment where execution speed is
+ more constant or where the RTC ticks at a much slower rate, or the
+ clock can be read with fewer instructions, it is likely that the
+ results would be far more predictable.
+
+ As a precaution, we generate 4 times the minimum required amount of
+ seed data. */
+
int RAND_poll(void)
{
- unsigned char buf[ENTROPY_NEEDED];
+ short int code;
+ gid_t curr_gid;
pid_t curr_pid;
uid_t curr_uid;
- static int first=1;
- int i;
- long rnd = 0;
+ int i, k;
struct timespec ts;
- unsigned seed;
+ unsigned char v;
-/* The VOS random() function starts from a static seed so its
- initial value is predictable. If random() returns the
- initial value, reseed it with dynamic data. The VOS
- real-time clock has a granularity of 1 nsec so it should be
- reasonably difficult to predict its exact value. Do not
- gratuitously reseed the PRNG because other code in this
- process or thread may be using it. */
+#ifdef OPENSSL_SYS_VOS_HPPA
+ long duration;
+ extern void s$sleep (long *_duration, short int *_code);
+#else
+#ifdef OPENSSL_SYS_VOS_IA32
+ long long duration;
+ extern void s$sleep2 (long long *_duration, short int *_code);
+#else
+#error "Unsupported Platform."
+#endif /* OPENSSL_SYS_VOS_IA32 */
+#endif /* OPENSSL_SYS_VOS_HPPA */
- if (first) {
- first = 0;
- rnd = random ();
- if (rnd == 1804289383) {
- clock_gettime (CLOCK_REALTIME, &ts);
- curr_pid = getpid();
- curr_uid = getuid();
- seed = ts.tv_sec ^ ts.tv_nsec ^ curr_pid ^ curr_uid;
- srandom (seed);
- }
+ /* Seed with the gid, pid, and uid, to ensure *some*
+ variation between different processes. */
+
+ curr_gid = getgid();
+ RAND_add (&curr_gid, sizeof curr_gid, 1);
+ curr_gid = 0;
+
+ curr_pid = getpid();
+ RAND_add (&curr_pid, sizeof curr_pid, 1);
+ curr_pid = 0;
+
+ curr_uid = getuid();
+ RAND_add (&curr_uid, sizeof curr_uid, 1);
+ curr_uid = 0;
+
+ for (i=0; i<(ENTROPY_NEEDED*4); i++)
+ {
+ /* burn some cpu; hope for interrupts, cache
+ collisions, bus interference, etc. */
+ for (k=0; k<99; k++)
+ ts.tv_nsec = random ();
+
+#ifdef OPENSSL_SYS_VOS_HPPA
+ /* sleep for 1/1024 of a second (976 us). */
+ duration = 1;
+ s$sleep (&duration, &code);
+#else
+#ifdef OPENSSL_SYS_VOS_IA32
+ /* sleep for 1/65536 of a second (15 us). */
+ duration = 1;
+ s$sleep2 (&duration, &code);
+#endif /* OPENSSL_SYS_VOS_IA32 */
+#endif /* OPENSSL_SYS_VOS_HPPA */
+
+ /* get wall clock time. */
+ clock_gettime (CLOCK_REALTIME, &ts);
+
+ /* take 8 bits */
+ v = (unsigned char) (ts.tv_nsec % 256);
+ RAND_add (&v, sizeof v, 1);
+ v = 0;
}
-
- for (i = 0; i < sizeof(buf); i++) {
- if (i % 4 == 0)
- rnd = random();
- buf[i] = rnd;
- rnd >>= 8;
- }
- RAND_add(buf, sizeof(buf), ENTROPY_NEEDED);
- memset(buf, 0, sizeof(buf));
-
return 1;
}
#elif defined __OpenBSD__
diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c
index 7c94188..2e1ddd4 100644
--- a/crypto/rsa/rsa_eay.c
+++ b/crypto/rsa/rsa_eay.c
@@ -314,51 +314,56 @@
return ret;
}
-static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f,
- BIGNUM *r, BN_CTX *ctx)
-{
- if (local)
+static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
+ BN_CTX *ctx)
+ {
+ if (unblind == NULL)
+ /* Local blinding: store the unblinding factor
+ * in BN_BLINDING. */
return BN_BLINDING_convert_ex(f, NULL, b, ctx);
else
{
- int ret;
- CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING);
- ret = BN_BLINDING_convert_ex(f, r, b, ctx);
- CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
- return ret;
- }
-}
-
-static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
- BIGNUM *r, BN_CTX *ctx)
-{
- if (local)
- return BN_BLINDING_invert_ex(f, NULL, b, ctx);
- else
- {
+ /* Shared blinding: store the unblinding factor
+ * outside BN_BLINDING. */
int ret;
CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
- ret = BN_BLINDING_invert_ex(f, r, b, ctx);
+ ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
return ret;
}
-}
+ }
+
+static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
+ BN_CTX *ctx)
+ {
+ /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
+ * will use the unblinding factor stored in BN_BLINDING.
+ * If BN_BLINDING is shared between threads, unblind must be non-null:
+ * BN_BLINDING_invert_ex will then use the local unblinding factor,
+ * and will only read the modulus from BN_BLINDING.
+ * In both cases it's safe to access the blinding without a lock.
+ */
+ return BN_BLINDING_invert_ex(f, unblind, b, ctx);
+ }
/* signing */
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
- BIGNUM *f, *ret, *br, *res;
+ BIGNUM *f, *ret, *res;
int i,j,k,num=0,r= -1;
unsigned char *buf=NULL;
BN_CTX *ctx=NULL;
int local_blinding = 0;
+ /* Used only if the blinding structure is shared. A non-NULL unblind
+ * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
+ * the unblinding factor outside the blinding structure. */
+ BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
if ((ctx=BN_CTX_new()) == NULL) goto err;
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
- br = BN_CTX_get(ctx);
ret = BN_CTX_get(ctx);
num = BN_num_bytes(rsa->n);
buf = OPENSSL_malloc(num);
@@ -406,8 +411,15 @@
}
if (blinding != NULL)
- if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
+ {
+ if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
goto err;
+ }
+ if (!rsa_blinding_convert(blinding, f, unblind, ctx))
+ goto err;
+ }
if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
((rsa->p != NULL) &&
@@ -441,7 +453,7 @@
}
if (blinding)
- if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
+ if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
goto err;
if (padding == RSA_X931_PADDING)
@@ -480,18 +492,21 @@
static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
{
- BIGNUM *f, *ret, *br;
+ BIGNUM *f, *ret;
int j,num=0,r= -1;
unsigned char *p;
unsigned char *buf=NULL;
BN_CTX *ctx=NULL;
int local_blinding = 0;
+ /* Used only if the blinding structure is shared. A non-NULL unblind
+ * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
+ * the unblinding factor outside the blinding structure. */
+ BIGNUM *unblind = NULL;
BN_BLINDING *blinding = NULL;
if((ctx = BN_CTX_new()) == NULL) goto err;
BN_CTX_start(ctx);
f = BN_CTX_get(ctx);
- br = BN_CTX_get(ctx);
ret = BN_CTX_get(ctx);
num = BN_num_bytes(rsa->n);
buf = OPENSSL_malloc(num);
@@ -529,8 +544,15 @@
}
if (blinding != NULL)
- if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
+ {
+ if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
+ {
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
goto err;
+ }
+ if (!rsa_blinding_convert(blinding, f, unblind, ctx))
+ goto err;
+ }
/* do the decrypt */
if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -564,7 +586,7 @@
}
if (blinding)
- if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
+ if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
goto err;
p=buf;
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 5a0b024..701ec56 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -1732,7 +1732,7 @@
atm.length=sizeof(buff2);
atm.data=(unsigned char *)buff2;
- if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
+ if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
return 0;
if (ctm->type == V_ASN1_UTCTIME)
diff --git a/crypto/x509v3/v3_addr.c b/crypto/x509v3/v3_addr.c
index 0d70e86..df46a49 100644
--- a/crypto/x509v3/v3_addr.c
+++ b/crypto/x509v3/v3_addr.c
@@ -142,12 +142,13 @@
* Expand the bitstring form of an address into a raw byte array.
* At the moment this is coded for simplicity, not speed.
*/
-static void addr_expand(unsigned char *addr,
+static int addr_expand(unsigned char *addr,
const ASN1_BIT_STRING *bs,
const int length,
const unsigned char fill)
{
- OPENSSL_assert(bs->length >= 0 && bs->length <= length);
+ if (bs->length < 0 || bs->length > length)
+ return 0;
if (bs->length > 0) {
memcpy(addr, bs->data, bs->length);
if ((bs->flags & 7) != 0) {
@@ -159,6 +160,7 @@
}
}
memset(addr + bs->length, fill, length - bs->length);
+ return 1;
}
/*
@@ -181,15 +183,13 @@
return 0;
switch (afi) {
case IANA_AFI_IPV4:
- if (bs->length > 4)
+ if (!addr_expand(addr, bs, 4, fill))
return 0;
- addr_expand(addr, bs, 4, fill);
BIO_printf(out, "%d.%d.%d.%d", addr[0], addr[1], addr[2], addr[3]);
break;
case IANA_AFI_IPV6:
- if (bs->length > 16)
+ if (!addr_expand(addr, bs, 16, fill))
return 0;
- addr_expand(addr, bs, 16, fill);
for (n = 16; n > 1 && addr[n-1] == 0x00 && addr[n-2] == 0x00; n -= 2)
;
for (i = 0; i < n; i += 2)
@@ -315,6 +315,12 @@
/*
* Sort comparison function for a sequence of IPAddressOrRange
* elements.
+ *
+ * There's no sane answer we can give if addr_expand() fails, and an
+ * assertion failure on externally supplied data is seriously uncool,
+ * so we just arbitrarily declare that if given invalid inputs this
+ * function returns -1. If this messes up your preferred sort order
+ * for garbage input, tough noogies.
*/
static int IPAddressOrRange_cmp(const IPAddressOrRange *a,
const IPAddressOrRange *b,
@@ -326,22 +332,26 @@
switch (a->type) {
case IPAddressOrRange_addressPrefix:
- addr_expand(addr_a, a->u.addressPrefix, length, 0x00);
+ if (!addr_expand(addr_a, a->u.addressPrefix, length, 0x00))
+ return -1;
prefixlen_a = addr_prefixlen(a->u.addressPrefix);
break;
case IPAddressOrRange_addressRange:
- addr_expand(addr_a, a->u.addressRange->min, length, 0x00);
+ if (!addr_expand(addr_a, a->u.addressRange->min, length, 0x00))
+ return -1;
prefixlen_a = length * 8;
break;
}
switch (b->type) {
case IPAddressOrRange_addressPrefix:
- addr_expand(addr_b, b->u.addressPrefix, length, 0x00);
+ if (!addr_expand(addr_b, b->u.addressPrefix, length, 0x00))
+ return -1;
prefixlen_b = addr_prefixlen(b->u.addressPrefix);
break;
case IPAddressOrRange_addressRange:
- addr_expand(addr_b, b->u.addressRange->min, length, 0x00);
+ if (!addr_expand(addr_b, b->u.addressRange->min, length, 0x00))
+ return -1;
prefixlen_b = length * 8;
break;
}
@@ -383,6 +393,7 @@
unsigned char mask;
int i, j;
+ OPENSSL_assert(memcmp(min, max, length) <= 0);
for (i = 0; i < length && min[i] == max[i]; i++)
;
for (j = length - 1; j >= 0 && min[j] == 0x00 && max[j] == 0xFF; j--)
@@ -601,10 +612,10 @@
return NULL;
switch (afi) {
case IANA_AFI_IPV4:
- sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
+ (void) sk_IPAddressOrRange_set_cmp_func(aors, v4IPAddressOrRange_cmp);
break;
case IANA_AFI_IPV6:
- sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
+ (void) sk_IPAddressOrRange_set_cmp_func(aors, v6IPAddressOrRange_cmp);
break;
}
f->ipAddressChoice->type = IPAddressChoice_addressesOrRanges;
@@ -656,22 +667,22 @@
/*
* Extract min and max values from an IPAddressOrRange.
*/
-static void extract_min_max(IPAddressOrRange *aor,
+static int extract_min_max(IPAddressOrRange *aor,
unsigned char *min,
unsigned char *max,
int length)
{
- OPENSSL_assert(aor != NULL && min != NULL && max != NULL);
+ if (aor == NULL || min == NULL || max == NULL)
+ return 0;
switch (aor->type) {
case IPAddressOrRange_addressPrefix:
- addr_expand(min, aor->u.addressPrefix, length, 0x00);
- addr_expand(max, aor->u.addressPrefix, length, 0xFF);
- return;
+ return (addr_expand(min, aor->u.addressPrefix, length, 0x00) &&
+ addr_expand(max, aor->u.addressPrefix, length, 0xFF));
case IPAddressOrRange_addressRange:
- addr_expand(min, aor->u.addressRange->min, length, 0x00);
- addr_expand(max, aor->u.addressRange->max, length, 0xFF);
- return;
+ return (addr_expand(min, aor->u.addressRange->min, length, 0x00) &&
+ addr_expand(max, aor->u.addressRange->max, length, 0xFF));
}
+ return 0;
}
/*
@@ -687,9 +698,10 @@
if (aor == NULL || min == NULL || max == NULL ||
afi_length == 0 || length < afi_length ||
(aor->type != IPAddressOrRange_addressPrefix &&
- aor->type != IPAddressOrRange_addressRange))
+ aor->type != IPAddressOrRange_addressRange) ||
+ !extract_min_max(aor, min, max, afi_length))
return 0;
- extract_min_max(aor, min, max, afi_length);
+
return afi_length;
}
@@ -771,8 +783,9 @@
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
IPAddressOrRange *b = sk_IPAddressOrRange_value(aors, j + 1);
- extract_min_max(a, a_min, a_max, length);
- extract_min_max(b, b_min, b_max, length);
+ if (!extract_min_max(a, a_min, a_max, length) ||
+ !extract_min_max(b, b_min, b_max, length))
+ return 0;
/*
* Punt misordered list, overlapping start, or inverted range.
@@ -800,14 +813,17 @@
}
/*
- * Check final range to see if it should be a prefix.
+ * Check range to see if it's inverted or should be a
+ * prefix.
*/
j = sk_IPAddressOrRange_num(aors) - 1;
{
IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
- if (a->type == IPAddressOrRange_addressRange) {
- extract_min_max(a, a_min, a_max, length);
- if (range_should_be_prefix(a_min, a_max, length) >= 0)
+ if (a != NULL && a->type == IPAddressOrRange_addressRange) {
+ if (!extract_min_max(a, a_min, a_max, length))
+ return 0;
+ if (memcmp(a_min, a_max, length) > 0 ||
+ range_should_be_prefix(a_min, a_max, length) >= 0)
return 0;
}
}
@@ -841,8 +857,16 @@
unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
unsigned char b_min[ADDR_RAW_BUF_LEN], b_max[ADDR_RAW_BUF_LEN];
- extract_min_max(a, a_min, a_max, length);
- extract_min_max(b, b_min, b_max, length);
+ if (!extract_min_max(a, a_min, a_max, length) ||
+ !extract_min_max(b, b_min, b_max, length))
+ return 0;
+
+ /*
+ * Punt inverted ranges.
+ */
+ if (memcmp(a_min, a_max, length) > 0 ||
+ memcmp(b_min, b_max, length) > 0)
+ return 0;
/*
* Punt overlaps.
@@ -860,8 +884,8 @@
IPAddressOrRange *merged;
if (!make_addressRange(&merged, a_min, b_max, length))
return 0;
- sk_IPAddressOrRange_set(aors, i, merged);
- sk_IPAddressOrRange_delete(aors, i + 1);
+ (void) sk_IPAddressOrRange_set(aors, i, merged);
+ (void) sk_IPAddressOrRange_delete(aors, i + 1);
IPAddressOrRange_free(a);
IPAddressOrRange_free(b);
--i;
@@ -869,6 +893,20 @@
}
}
+ /*
+ * Check for inverted final range.
+ */
+ j = sk_IPAddressOrRange_num(aors) - 1;
+ {
+ IPAddressOrRange *a = sk_IPAddressOrRange_value(aors, j);
+ if (a != NULL && a->type == IPAddressOrRange_addressRange) {
+ unsigned char a_min[ADDR_RAW_BUF_LEN], a_max[ADDR_RAW_BUF_LEN];
+ extract_min_max(a, a_min, a_max, length);
+ if (memcmp(a_min, a_max, length) > 0)
+ return 0;
+ }
+ }
+
return 1;
}
@@ -885,7 +923,7 @@
v3_addr_get_afi(f)))
return 0;
}
- sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
+ (void) sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp);
sk_IPAddressFamily_sort(addr);
OPENSSL_assert(v3_addr_is_canonical(addr));
return 1;
@@ -1017,6 +1055,11 @@
X509V3_conf_err(val);
goto err;
}
+ if (memcmp(min, max, length_from_afi(afi)) > 0) {
+ X509V3err(X509V3_F_V2I_IPADDRBLOCKS, X509V3_R_EXTENSION_VALUE_ERROR);
+ X509V3_conf_err(val);
+ goto err;
+ }
if (!v3_addr_add_range(addr, afi, safi, min, max)) {
X509V3err(X509V3_F_V2I_IPADDRBLOCKS, ERR_R_MALLOC_FAILURE);
goto err;
@@ -1102,13 +1145,15 @@
p = 0;
for (c = 0; c < sk_IPAddressOrRange_num(child); c++) {
- extract_min_max(sk_IPAddressOrRange_value(child, c),
- c_min, c_max, length);
+ if (!extract_min_max(sk_IPAddressOrRange_value(child, c),
+ c_min, c_max, length))
+ return -1;
for (;; p++) {
if (p >= sk_IPAddressOrRange_num(parent))
return 0;
- extract_min_max(sk_IPAddressOrRange_value(parent, p),
- p_min, p_max, length);
+ if (!extract_min_max(sk_IPAddressOrRange_value(parent, p),
+ p_min, p_max, length))
+ return 0;
if (memcmp(p_max, c_max, length) < 0)
continue;
if (memcmp(p_min, c_min, length) > 0)
@@ -1130,7 +1175,7 @@
return 1;
if (b == NULL || v3_addr_inherits(a) || v3_addr_inherits(b))
return 0;
- sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
+ (void) sk_IPAddressFamily_set_cmp_func(b, IPAddressFamily_cmp);
for (i = 0; i < sk_IPAddressFamily_num(a); i++) {
IPAddressFamily *fa = sk_IPAddressFamily_value(a, i);
int j = sk_IPAddressFamily_find(b, fa);
@@ -1195,7 +1240,7 @@
}
if (!v3_addr_is_canonical(ext))
validation_err(X509_V_ERR_INVALID_EXTENSION);
- sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
+ (void) sk_IPAddressFamily_set_cmp_func(ext, IPAddressFamily_cmp);
if ((child = sk_IPAddressFamily_dup(ext)) == NULL) {
X509V3err(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL, ERR_R_MALLOC_FAILURE);
ret = 0;
@@ -1221,7 +1266,7 @@
}
continue;
}
- sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
+ (void) sk_IPAddressFamily_set_cmp_func(x->rfc3779_addr, IPAddressFamily_cmp);
for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
IPAddressFamily *fc = sk_IPAddressFamily_value(child, j);
int k = sk_IPAddressFamily_find(x->rfc3779_addr, fc);
diff --git a/e_os2.h b/e_os2.h
index 4c785c6..d30724d 100644
--- a/e_os2.h
+++ b/e_os2.h
@@ -193,8 +193,14 @@
#endif
/* --------------------------------- VOS ----------------------------------- */
-#ifdef OPENSSL_SYSNAME_VOS
+#if defined(__VOS__) || defined(OPENSSL_SYSNAME_VOS)
# define OPENSSL_SYS_VOS
+#ifdef __HPPA__
+# define OPENSSL_SYS_VOS_HPPA
+#endif
+#ifdef __IA32__
+# define OPENSSL_SYS_VOS_IA32
+#endif
#endif
/* ------------------------------- VxWorks --------------------------------- */
diff --git a/import_openssl.sh b/import_openssl.sh
index 6f60198..f248648 100755
--- a/import_openssl.sh
+++ b/import_openssl.sh
@@ -241,7 +241,7 @@
done
# Cleanup patch output
- find . -type f -name "*.orig" -print0 | xargs -0 rm -f
+ find . \( -type f -o -type l \) -name "*.orig" -print0 | xargs -0 rm -f
cd ..
}
diff --git a/include/openssl/bio.h b/include/openssl/bio.h
index 152802f..ab47abc 100644
--- a/include/openssl/bio.h
+++ b/include/openssl/bio.h
@@ -306,6 +306,15 @@
typedef struct bio_f_buffer_ctx_struct
{
+ /* Buffers are setup like this:
+ *
+ * <---------------------- size ----------------------->
+ * +---------------------------------------------------+
+ * | consumed | remaining | free space |
+ * +---------------------------------------------------+
+ * <-- off --><------- len ------->
+ */
+
/* BIO *bio; */ /* this is now in the BIO struct */
int ibuf_size; /* how big is the input buffer */
int obuf_size; /* how big is the output buffer */
diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h
index 4c785c6..d30724d 100644
--- a/include/openssl/e_os2.h
+++ b/include/openssl/e_os2.h
@@ -193,8 +193,14 @@
#endif
/* --------------------------------- VOS ----------------------------------- */
-#ifdef OPENSSL_SYSNAME_VOS
+#if defined(__VOS__) || defined(OPENSSL_SYSNAME_VOS)
# define OPENSSL_SYS_VOS
+#ifdef __HPPA__
+# define OPENSSL_SYS_VOS_HPPA
+#endif
+#ifdef __IA32__
+# define OPENSSL_SYS_VOS_IA32
+#endif
#endif
/* ------------------------------- VxWorks --------------------------------- */
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 310a338..d6d61a0 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -25,11 +25,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x1000005fL
+#define OPENSSL_VERSION_NUMBER 0x1000006fL
#ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0e-fips 6 Sep 2011"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f-fips 4 Jan 2012"
#else
-#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0e 6 Sep 2011"
+#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0f 4 Jan 2012"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 9cb2bf9..a0a7e0c 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1957,6 +1957,7 @@
#define SSL_F_SSL3_CALLBACK_CTRL 233
#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
+#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304
#define SSL_F_SSL3_CLIENT_HELLO 131
#define SSL_F_SSL3_CONNECT 132
#define SSL_F_SSL3_CTRL 213
@@ -2218,6 +2219,7 @@
#define SSL_R_MISSING_TMP_RSA_KEY 172
#define SSL_R_MISSING_TMP_RSA_PKEY 173
#define SSL_R_MISSING_VERIFY_MESSAGE 174
+#define SSL_R_MULTIPLE_SGC_RESTARTS 346
#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
#define SSL_R_NO_CERTIFICATES_RETURNED 176
#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h
index f9268c5..d6425e5 100644
--- a/include/openssl/ssl3.h
+++ b/include/openssl/ssl3.h
@@ -389,6 +389,17 @@
#define SSL3_FLAGS_POP_BUFFER 0x0004
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
+
+/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+ * restart a handshake because of MS SGC and so prevents us
+ * from restarting the handshake in a loop. It's reset on a
+ * renegotiation, so effectively limits the client to one restart
+ * per negotiation. This limits the possibility of a DDoS
+ * attack where the client handshakes in a loop using SGC to
+ * restart. Servers which permit renegotiation can still be
+ * effected, but we can't prevent that.
+ */
+#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
typedef struct ssl3_state_st
{
diff --git a/openssl.config b/openssl.config
index 293c744..62a5071 100644
--- a/openssl.config
+++ b/openssl.config
@@ -188,8 +188,8 @@
handshake_cutthrough.patch \
jsse.patch \
npn.patch \
-sslv3_uninit_padding.patch \
sha1_armv4_large.patch \
+openssl_no_dtls1.patch \
"
OPENSSL_PATCHES_progs_SOURCES="\
@@ -257,3 +257,7 @@
ssl/t1_lib.c \
ssl/tls1.h \
"
+
+OPENSSL_PATCHES_openssl_no_dtls1_SOURCES="\
+ssl/ssl_lib.c \
+"
diff --git a/openssl.version b/openssl.version
index 721c467..ffdef82 100644
--- a/openssl.version
+++ b/openssl.version
@@ -1,2 +1,2 @@
# also update ThirdPartyProject.prop
-OPENSSL_VERSION=1.0.0e
+OPENSSL_VERSION=1.0.0f
diff --git a/patches/README b/patches/README
index 54b6e06..b2c56ed 100644
--- a/patches/README
+++ b/patches/README
@@ -30,10 +30,10 @@
Transport Layer Security (TLS) Next Protocol Negotiation Extension
-sslv3_uninit_padding.patch
-
-This patch sets the padding for SSLv3 block ciphers to zero.
-
sha1_armv4_large.patch
This patch eliminates memory stores to addresses below SP.
+
+openssl_no_dtls1.patch
+
+Add missing #ifndef OPENSSL_NO_DTLS1
diff --git a/patches/apps_Android.mk b/patches/apps_Android.mk
index 20cc5a9..c2dc2d7 100644
--- a/patches/apps_Android.mk
+++ b/patches/apps_Android.mk
@@ -62,10 +62,6 @@
local_cflags := -DMONOLITH
-# These flags omit whole features from the commandline "openssl".
-# However, portions of these features are actually turned on.
-local_cflags += -DOPENSSL_NO_DTLS1
-
include $(CLEAR_VARS)
LOCAL_MODULE:= openssl
LOCAL_MODULE_TAGS := optional
diff --git a/patches/openssl_no_dtls1.patch b/patches/openssl_no_dtls1.patch
new file mode 100644
index 0000000..8b61cd3
--- /dev/null
+++ b/patches/openssl_no_dtls1.patch
@@ -0,0 +1,13 @@
+--- openssl-1.0.0f.orig/ssl/ssl_lib.c 2012-01-04 22:13:21.000000000 +0000
++++ openssl-1.0.0f/ssl/ssl_lib.c 2012-01-04 22:13:21.000000000 +0000
+@@ -1063,8 +1063,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
+ s->max_cert_list=larg;
+ return(l);
+ case SSL_CTRL_SET_MTU:
++#ifndef OPENSSL_NO_DTLS1
+ if (larg < (long)dtls1_min_mtu())
+ return 0;
++#endif
+
+ if (SSL_version(s) == DTLS1_VERSION ||
+ SSL_version(s) == DTLS1_BAD_VER)
diff --git a/patches/sslv3_uninit_padding.patch b/patches/sslv3_uninit_padding.patch
deleted file mode 100644
index 89fff7b..0000000
--- a/patches/sslv3_uninit_padding.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff --git a/ssl/s3_enc.c b/google3/third_party/openssl/openssl/ssl/s3_enc.c
-index 58386e1..b145970 100644
---- a/ssl/s3_enc.c
-+++ b/ssl/s3_enc.c
-@@ -511,6 +511,9 @@ int ssl3_enc(SSL *s, int send)
-
- /* we need to add 'i-1' padding bytes */
- l+=i;
-+ /* the last of these zero bytes will be overwritten
-+ * with the padding length. */
-+ memset(&rec->input[rec->length], 0, i);
- rec->length+=i;
- rec->input[l-1]=(i-1);
- }
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 2180c6d..9f898d6 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -158,7 +158,6 @@
/* XDTLS: figure out the right values */
static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
-static unsigned int dtls1_min_mtu(void);
static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);
static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
unsigned long frag_len);
@@ -264,11 +263,10 @@
return ret;
mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
}
-
- OPENSSL_assert(mtu > 0); /* should have something reasonable now */
-
#endif
+ OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); /* should have something reasonable now */
+
if ( s->init_off == 0 && type == SSL3_RT_HANDSHAKE)
OPENSSL_assert(s->init_num ==
(int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
@@ -795,7 +793,13 @@
*ok = 0;
return i;
}
- OPENSSL_assert(i == DTLS1_HM_HEADER_LENGTH);
+ /* Handshake fails if message header is incomplete */
+ if (i != DTLS1_HM_HEADER_LENGTH)
+ {
+ al=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
+ goto f_err;
+ }
/* parse the message fragment header */
dtls1_get_message_header(wire, &msg_hdr);
@@ -867,7 +871,12 @@
/* XDTLS: an incorrectly formatted fragment should cause the
* handshake to fail */
- OPENSSL_assert(i == (int)frag_len);
+ if (i != (int)frag_len)
+ {
+ al=SSL3_AD_ILLEGAL_PARAMETER;
+ SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER);
+ goto f_err;
+ }
*ok = 1;
@@ -1367,7 +1376,7 @@
return p;
}
-static unsigned int
+unsigned int
dtls1_min_mtu(void)
{
return (g_probable_mtu[(sizeof(g_probable_mtu) /
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 48e8b6f..c3b77c8 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -204,7 +204,8 @@
pqueue buffered_messages;
pqueue sent_messages;
pqueue buffered_app_data;
-
+ unsigned int mtu;
+
if (s->d1)
{
unprocessed_rcds = s->d1->unprocessed_rcds.q;
@@ -212,6 +213,7 @@
buffered_messages = s->d1->buffered_messages;
sent_messages = s->d1->sent_messages;
buffered_app_data = s->d1->buffered_app_data.q;
+ mtu = s->d1->mtu;
dtls1_clear_queues(s);
@@ -222,6 +224,11 @@
s->d1->cookie_len = sizeof(s->d1->cookie);
}
+ if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)
+ {
+ s->d1->mtu = mtu;
+ }
+
s->d1->unprocessed_rcds.q = unprocessed_rcds;
s->d1->processed_rcds.q = processed_rcds;
s->d1->buffered_messages = buffered_messages;
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 91562f3..3927dad 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -375,6 +375,7 @@
SSL3_RECORD *rr;
unsigned int mac_size;
unsigned char md[EVP_MAX_MD_SIZE];
+ int decryption_failed_or_bad_record_mac = 0;
rr= &(s->s3->rrec);
@@ -409,13 +410,10 @@
enc_err = s->method->ssl3_enc->enc(s,0);
if (enc_err <= 0)
{
- /* decryption failed, silently discard message */
- if (enc_err < 0)
- {
- rr->length = 0;
- s->packet_length = 0;
- }
- goto err;
+ /* To minimize information leaked via timing, we will always
+ * perform all computations before discarding the message.
+ */
+ decryption_failed_or_bad_record_mac = 1;
}
#ifdef TLS_DEBUG
@@ -445,7 +443,7 @@
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
goto f_err;
#else
- goto err;
+ decryption_failed_or_bad_record_mac = 1;
#endif
}
/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
@@ -456,17 +454,25 @@
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
goto f_err;
#else
- goto err;
+ decryption_failed_or_bad_record_mac = 1;
#endif
}
rr->length-=mac_size;
i=s->method->ssl3_enc->mac(s,md,0);
if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
{
- goto err;
+ decryption_failed_or_bad_record_mac = 1;
}
}
+ if (decryption_failed_or_bad_record_mac)
+ {
+ /* decryption failed, silently discard message */
+ rr->length = 0;
+ s->packet_length = 0;
+ goto err;
+ }
+
/* r->length is now just compressed */
if (s->expand != NULL)
{
diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c
index a6a4c87..149983b 100644
--- a/ssl/d1_srvr.c
+++ b/ssl/d1_srvr.c
@@ -1271,7 +1271,7 @@
EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL);
EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
- EVP_SignUpdate(&md_ctx,&(d[4]),n);
+ EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n);
if (!EVP_SignFinal(&md_ctx,&(p[2]),
(unsigned int *)&i,pkey))
{
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 42bcd62..04d6e5b 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -1030,7 +1030,7 @@
/* wrong packet length */
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
- goto err;
+ goto f_err;
}
return(1);
@@ -1914,7 +1914,7 @@
if (n < 6)
{
/* need at least ticket_lifetime_hint + ticket length */
- al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
+ al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
goto f_err;
}
@@ -1925,7 +1925,7 @@
/* ticket_lifetime_hint + ticket_length + ticket */
if (ticklen + 6 != n)
{
- al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
+ al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
goto f_err;
}
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 28ee474..2d651ec 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -2177,6 +2177,7 @@
{
unsigned char *rp,*wp;
size_t rlen, wlen;
+ int init_extra;
#ifdef TLSEXT_TYPE_opaque_prf_input
if (s->s3->client_opaque_prf_input != NULL)
@@ -2215,6 +2216,7 @@
wp = s->s3->wbuf.buf;
rlen = s->s3->rbuf.len;
wlen = s->s3->wbuf.len;
+ init_extra = s->s3->init_extra;
if (s->s3->handshake_buffer) {
BIO_free(s->s3->handshake_buffer);
s->s3->handshake_buffer = NULL;
@@ -2227,6 +2229,7 @@
s->s3->wbuf.buf = wp;
s->s3->rbuf.len = rlen;
s->s3->wbuf.len = wlen;
+ s->s3->init_extra = init_extra;
ssl_free_wbio_buffer(s);
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 6059162..41e597f 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -258,6 +258,7 @@
}
s->init_num=0;
+ s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
if (s->state != SSL_ST_RENEGOTIATE)
{
@@ -788,6 +789,14 @@
int ok;
long n;
+ /* We only allow the client to restart the handshake once per
+ * negotiation. */
+ if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+ {
+ SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+ return -1;
+ }
+
/* this function is called when we really expect a Certificate message,
* so permit appropriate message length */
n=s->method->ssl_get_message(s,
@@ -816,6 +825,7 @@
s->s3->tmp.ecdh = NULL;
}
#endif
+ s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
return 2;
}
return 1;
@@ -2175,6 +2185,7 @@
if (i <= 0)
{
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+ BN_clear_free(pub);
goto err;
}
diff --git a/ssl/ssl.h b/ssl/ssl.h
index 9cb2bf9..a0a7e0c 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -1957,6 +1957,7 @@
#define SSL_F_SSL3_CALLBACK_CTRL 233
#define SSL_F_SSL3_CHANGE_CIPHER_STATE 129
#define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM 130
+#define SSL_F_SSL3_CHECK_CLIENT_HELLO 304
#define SSL_F_SSL3_CLIENT_HELLO 131
#define SSL_F_SSL3_CONNECT 132
#define SSL_F_SSL3_CTRL 213
@@ -2218,6 +2219,7 @@
#define SSL_R_MISSING_TMP_RSA_KEY 172
#define SSL_R_MISSING_TMP_RSA_PKEY 173
#define SSL_R_MISSING_VERIFY_MESSAGE 174
+#define SSL_R_MULTIPLE_SGC_RESTARTS 346
#define SSL_R_NON_SSLV2_INITIAL_PACKET 175
#define SSL_R_NO_CERTIFICATES_RETURNED 176
#define SSL_R_NO_CERTIFICATE_ASSIGNED 177
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index f9268c5..d6425e5 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -389,6 +389,17 @@
#define SSL3_FLAGS_POP_BUFFER 0x0004
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
#define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010
+
+/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+ * restart a handshake because of MS SGC and so prevents us
+ * from restarting the handshake in a loop. It's reset on a
+ * renegotiation, so effectively limits the client to one restart
+ * per negotiation. This limits the possibility of a DDoS
+ * attack where the client handshakes in a loop using SGC to
+ * restart. Servers which permit renegotiation can still be
+ * effected, but we can't prevent that.
+ */
+#define SSL3_FLAGS_SGC_RESTART_DONE 0x0040
typedef struct ssl3_state_st
{
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index e523a8f..462c45a 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -446,6 +446,7 @@
sk_SSL_COMP_push(ssl_comp_methods,comp);
}
}
+ sk_SSL_COMP_sort(ssl_comp_methods);
}
MemCheck_on();
}
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 8bff590..4fcd5c0 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -1,6 +1,6 @@
/* ssl/ssl_err.c */
/* ====================================================================
- * Copyright (c) 1999-2009 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -137,6 +137,7 @@
{ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL), "SSL3_CALLBACK_CTRL"},
{ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE), "SSL3_CHANGE_CIPHER_STATE"},
{ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
+{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO), "SSL3_CHECK_CLIENT_HELLO"},
{ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO), "SSL3_CLIENT_HELLO"},
{ERR_FUNC(SSL_F_SSL3_CONNECT), "SSL3_CONNECT"},
{ERR_FUNC(SSL_F_SSL3_CTRL), "SSL3_CTRL"},
@@ -400,6 +401,7 @@
{ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY) ,"missing tmp rsa key"},
{ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY) ,"missing tmp rsa pkey"},
{ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
+{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
{ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
{ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
{ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b169ba9..a8877f5 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1063,6 +1063,11 @@
s->max_cert_list=larg;
return(l);
case SSL_CTRL_SET_MTU:
+#ifndef OPENSSL_NO_DTLS1
+ if (larg < (long)dtls1_min_mtu())
+ return 0;
+#endif
+
if (SSL_version(s) == DTLS1_VERSION ||
SSL_version(s) == DTLS1_BAD_VER)
{
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 25f8e16..a00bd13 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -951,6 +951,7 @@
int dtls1_is_timer_expired(SSL *s);
void dtls1_double_timeout(SSL *s);
int dtls1_send_newsession_ticket(SSL *s);
+unsigned int dtls1_min_mtu(void);
/* some client-only functions */
int ssl3_client_hello(SSL *s);
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index bbab467..0e4c408 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1008,6 +1008,12 @@
sdata = data;
if (dsize > 0)
{
+ if (s->tlsext_ocsp_exts)
+ {
+ sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
+ X509_EXTENSION_free);
+ }
+
s->tlsext_ocsp_exts =
d2i_X509_EXTENSIONS(NULL,
&sdata, dsize);