diff options
| author | Bob Beck <beck@cvs.openbsd.org> | 2001-08-01 19:51:18 +0000 |
|---|---|---|
| committer | Bob Beck <beck@cvs.openbsd.org> | 2001-08-01 19:51:18 +0000 |
| commit | 6e8596032f16519cc69861bac392ae03b741ae66 (patch) | |
| tree | 271857dc2a16e3ad7df473923da396c2374eeb78 /lib | |
| parent | 07a955bae7ba1fa2ff321f3ccc93d662a706d84c (diff) | |
merge openssl 0.9.6b-engine
Note that this is a maintenence release, API's appear *not* to have changed.
As such, I have only increased the minor number on these libraries
Diffstat (limited to 'lib')
56 files changed, 768 insertions, 335 deletions
diff --git a/lib/libssl/crypto/shlib_version b/lib/libssl/crypto/shlib_version index 3066b9771e7..900b4048a96 100644 --- a/lib/libssl/crypto/shlib_version +++ b/lib/libssl/crypto/shlib_version @@ -1,2 +1,2 @@ major=5 -minor=0 +minor=1 diff --git a/lib/libssl/src/CHANGES b/lib/libssl/src/CHANGES index 08ef8508d80..f88867b065e 100644 --- a/lib/libssl/src/CHANGES +++ b/lib/libssl/src/CHANGES @@ -2,6 +2,118 @@ OpenSSL CHANGES _______________ + Changes between 0.9.6a and 0.9.6b [9 Jul 2001] + + *) Change ssleay_rand_bytes (crypto/rand/md_rand.c) + to avoid a SSLeay/OpenSSL PRNG weakness pointed out by + Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>: + PRNG state recovery was possible based on the output of + one PRNG request appropriately sized to gain knowledge on + 'md' followed by enough consecutive 1-byte PRNG requests + to traverse all of 'state'. + + 1. When updating 'md_local' (the current thread's copy of 'md') + during PRNG output generation, hash all of the previous + 'md_local' value, not just the half used for PRNG output. + + 2. Make the number of bytes from 'state' included into the hash + independent from the number of PRNG bytes requested. + + The first measure alone would be sufficient to avoid + Markku-Juhani's attack. (Actually it had never occurred + to me that the half of 'md_local' used for chaining was the + half from which PRNG output bytes were taken -- I had always + assumed that the secret half would be used.) The second + measure makes sure that additional data from 'state' is never + mixed into 'md_local' in small portions; this heuristically + further strengthens the PRNG. + [Bodo Moeller] + + *) Fix crypto/bn/asm/mips3.s. + [Andy Polyakov] + + *) When only the key is given to "enc", the IV is undefined. Print out + an error message in this case. + [Lutz Jaenicke] + + *) Handle special case when X509_NAME is empty in X509 printing routines. + [Steve Henson] + + *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are + positive and less than q. + [Bodo Moeller] + + *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is + used: it isn't thread safe and the add_lock_callback should handle + that itself. + [Paul Rose <Paul.Rose@bridge.com>] + + *) Verify that incoming data obeys the block size in + ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c). + [Bodo Moeller] + + *) Fix OAEP check. + [Ulf Möller, Bodo Möller] + + *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 + RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5 + when fixing the server behaviour for backwards-compatible 'client + hello' messages. (Note that the attack is impractical against + SSL 3.0 and TLS 1.0 anyway because length and version checking + means that the probability of guessing a valid ciphertext is + around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 + paper.) + + Before 0.9.5, the countermeasure (hide the error by generating a + random 'decryption result') did not work properly because + ERR_clear_error() was missing, meaning that SSL_get_error() would + detect the supposedly ignored error. + + Both problems are now fixed. + [Bodo Moeller] + + *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096 + (previously it was 1024). + [Bodo Moeller] + + *) Fix for compatibility mode trust settings: ignore trust settings + unless some valid trust or reject settings are present. + [Steve Henson] + + *) Fix for blowfish EVP: its a variable length cipher. + [Steve Henson] + + *) Fix various bugs related to DSA S/MIME verification. Handle missing + parameters in DSA public key structures and return an error in the + DSA routines if parameters are absent. + [Steve Henson] + + *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd" + in the current directory if neither $RANDFILE nor $HOME was set. + RAND_file_name() in 0.9.6a returned NULL in this case. This has + caused some confusion to Windows users who haven't defined $HOME. + Thus RAND_file_name() is changed again: e_os.h can define a + DEFAULT_HOME, which will be used if $HOME is not set. + For Windows, we use "C:"; on other platforms, we still require + environment variables. + + *) Move 'if (!initialized) RAND_poll()' into regions protected by + CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids + having multiple threads call RAND_poll() concurrently. + [Bodo Moeller] + + *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a + combination of a flag and a thread ID variable. + Otherwise while one thread is in ssleay_rand_bytes (which sets the + flag), *other* threads can enter ssleay_add_bytes without obeying + the CRYPTO_LOCK_RAND lock (and may even illegaly release the lock + that they do not hold after the first thread unsets add_do_not_lock). + [Bodo Moeller] + + *) Change bctest again: '-x' expressions are not available in all + versions of 'test'. + [Bodo Moeller] + Changes between 0.9.6 and 0.9.6a [5 Apr 2001] *) Fix a couple of memory leaks in PKCS7_dataDecode() @@ -2363,7 +2475,7 @@ copied!) [Bodo Moeller] - *) Bugfix: SSL_set_mode ignored its parameter, only SSL_CTX_set_mode + *) Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options worked. *) Fix problems with no-hmac etc. diff --git a/lib/libssl/src/Configure b/lib/libssl/src/Configure index 98bc46bf878..ed4178084d8 100644 --- a/lib/libssl/src/Configure +++ b/lib/libssl/src/Configure @@ -143,6 +143,9 @@ my %table=( # error message. "solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +#### Solaris x86 with Sun C setups +"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", + #### SPARC Solaris with GNU C setups "solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", diff --git a/lib/libssl/src/FAQ b/lib/libssl/src/FAQ index cd759e02025..23e212fb4e8 100644 --- a/lib/libssl/src/FAQ +++ b/lib/libssl/src/FAQ @@ -17,6 +17,7 @@ OpenSSL - Frequently Asked Questions [USER] Questions on using the OpenSSL applications * Why do I get a "PRNG not seeded" error message? +* Why do I get an "unable to write 'random state'" error message? * How do I create certificates or certificate requests? * Why can't I create certificate requests? * Why does <SSL program> fail with a certificate verify error? @@ -47,6 +48,7 @@ OpenSSL - Frequently Asked Questions * Why do I get errors about unknown algorithms? * Why can't the OpenSSH configure script detect OpenSSL? * Can I use OpenSSL's SSL library with non-blocking I/O? +* Why doesn't my server application receive a client certificate? =============================================================================== @@ -55,7 +57,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.6a was released on April 5th, 2001. +OpenSSL 0.9.6b was released on July 9th, 2001. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: @@ -160,6 +162,7 @@ correctly. Many open source operating systems provide a "randomness device" that serves this purpose. On other systems, applications have to call the RAND_add() or RAND_seed() function with appropriate data before generating keys or performing public key encryption. +(These functions initialize the pseudo-random number generator, PRNG.) Some broken applications do not do this. As of version 0.9.5, the OpenSSL functions that need randomness report an error if the random @@ -169,18 +172,36 @@ application you are using. It is likely that it never worked correctly. OpenSSL 0.9.5 and later make the error visible by refusing to perform potentially insecure encryption. -On systems without /dev/urandom, it is a good idea to use the Entropy -Gathering Demon; see the RAND_egd() manpage for details. - -Most components of the openssl command line tool try to use the -file $HOME/.rnd (or $RANDFILE, if this environment variable is set) -for seeding the PRNG. If this file does not exist or is too short, -the "PRNG not seeded" error message may occur. - -[Note to OpenSSL 0.9.5 users: The command "openssl rsa" in version -0.9.5 does not do this and will fail on systems without /dev/urandom -when trying to password-encrypt an RSA key! This is a bug in the -library; try a later version instead.] +On systems without /dev/urandom and /dev/random, it is a good idea to +use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for +details. Starting with version 0.9.7, OpenSSL will automatically look +for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and +/etc/entropy. + +Most components of the openssl command line utility automatically try +to seed the random number generator from a file. The name of the +default seeding file is determined as follows: If environment variable +RANDFILE is set, then it names the seeding file. Otherwise if +environment variable HOME is set, then the seeding file is $HOME/.rnd. +If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will +use file .rnd in the current directory while OpenSSL 0.9.6a uses no +default seeding file at all. OpenSSL 0.9.6b and later will behave +similarly to 0.9.6a, but will use a default of "C:" for HOME on +Windows systems if the environment variable has not been set. + +If the default seeding file does not exist or is too short, the "PRNG +not seeded" error message may occur. + +The openssl command line utility will write back a new state to the +default seeding file (and create this file if necessary) unless +there was no sufficient seeding. + +Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work. +Use the "-rand" option of the OpenSSL command line tools instead. +The $RANDFILE environment variable and $HOME/.rnd are only used by the +OpenSSL command line tools. Applications using the OpenSSL library +provide their own configuration options to specify the entropy source, +please check out the documentation coming the with application. For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested installing the SUNski package from Sun patch 105710-01 (Sparc) which @@ -190,6 +211,18 @@ versions. However, be warned that /dev/random is usually a blocking device, which may have some effects on OpenSSL. +* Why do I get an "unable to write 'random state'" error message? + + +Sometimes the openssl command line utility does not abort with +a "PRNG not seeded" error message, but complains that it is +"unable to write 'random state'". This message refers to the +default seeding file (see previous answer). A possible reason +is that no default filename is known because neither RANDFILE +nor HOME is set. (Versions up to 0.9.6 used file ".rnd" in the +current directory in this case, but this has changed with 0.9.6a.) + + * How do I create certificates or certificate requests? Check out the CA.pl(1) manual page. This provides a simple wrapper round @@ -543,5 +576,12 @@ requiring a bi-directional message exchange; both SSL_read() and SSL_write() will try to continue any pending handshake. +* Why doesn't my server application receive a client certificate? + +Due to the TLS protocol definition, a client will only send a certificate, +if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the +SSL_CTX_set_verify() function to enable the use of client certificates. + + =============================================================================== diff --git a/lib/libssl/src/INSTALL b/lib/libssl/src/INSTALL index a7854f3d10f..5bafcd4b5d1 100644 --- a/lib/libssl/src/INSTALL +++ b/lib/libssl/src/INSTALL @@ -7,8 +7,11 @@ To install OpenSSL, you will need: + * make * Perl 5 * an ANSI C compiler + * a development environment in form of development libraries and C + header files * a supported Unix operating system Quick Start @@ -42,9 +45,6 @@ --openssldir=DIR Directory for OpenSSL files. If no prefix is specified, the library files and binaries are also installed there. - rsaref Build with RSADSI's RSAREF toolkit (this assumes that - librsaref.a is in the library search path). - no-threads Don't try to build with support for multi-threaded applications. @@ -127,7 +127,7 @@ directory, and the binary will be in the "apps" directory. If "make" fails, look at the output. There may be reasons for - the failure that isn't a problem in OpenSSL itself (like missing + the failure that aren't problems in OpenSSL itself (like missing standard headers). If it is a problem with OpenSSL itself, please report the problem to <openssl-bugs@openssl.org> (note that your message will be forwarded to a public mailing list). Include the diff --git a/lib/libssl/src/INSTALL.VMS b/lib/libssl/src/INSTALL.VMS index 1fe78a41bb0..b8ea2d0a4d9 100644 --- a/lib/libssl/src/INSTALL.VMS +++ b/lib/libssl/src/INSTALL.VMS @@ -8,6 +8,7 @@ Intro: This file is divided in the following parts: + Requirements - Mandatory reading. Checking the distribution - Mandatory reading. Compilation - Mandatory reading. Logical names - Mandatory reading. @@ -19,6 +20,15 @@ This file is divided in the following parts: TODO - Things that are to come. +Requirements: +============= + +To build and install OpenSSL, you will need: + + * DEC C or some other ANSI C compiler. VAX C is *not* supported. + [Note: OpenSSL has only been tested with DEC C. Compiling with + a different ANSI C compiler may require some work] + Checking the distribution: ========================== diff --git a/lib/libssl/src/Makefile.org b/lib/libssl/src/Makefile.org index d24a0b50103..abd4df61a28 100644 --- a/lib/libssl/src/Makefile.org +++ b/lib/libssl/src/Makefile.org @@ -476,20 +476,20 @@ install_docs: $(INSTALL_PREFIX)$(MANDIR)/man3 \ $(INSTALL_PREFIX)$(MANDIR)/man5 \ $(INSTALL_PREFIX)$(MANDIR)/man7 - @echo installing man 1 and man 5 @for i in doc/apps/*.pod; do \ - (cd `dirname $$i`; \ fn=`basename $$i .pod`; \ - sec=`[ "$$fn" = "config" ] && echo 5 || echo 1`; \ + if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \ + echo "installing man$$sec/`basename $$i .pod`.$$sec"; \ + (cd `dirname $$i`; \ $(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i` \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec); \ done - @echo installing man 3 and man 7 @for i in doc/crypto/*.pod doc/ssl/*.pod; do \ - (cd `dirname $$i`; \ fn=`basename $$i .pod`; \ - sec=`[ "$$fn" = "des_modes" ] && echo 7 || echo 3`; \ + if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \ + echo "installing man$$sec/`basename $$i .pod`.$$sec"; \ + (cd `dirname $$i`; \ $(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \ --release=$(VERSION) `basename $$i` \ > $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec); \ diff --git a/lib/libssl/src/NEWS b/lib/libssl/src/NEWS index b9ea61239f0..f45d8e5ced8 100644 --- a/lib/libssl/src/NEWS +++ b/lib/libssl/src/NEWS @@ -5,6 +5,23 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b: + + o Security fix: PRNG improvements. + o Security fix: RSA OAEP check. + o Security fix: Reinsert and fix countermeasure to Bleichbacher's + attack. + o MIPS bug fix in BIGNUM. + o Bug fix in "openssl enc". + o Bug fix in X.509 printing routine. + o Bug fix in DSA verification routine and DSA S/MIME verification. + o Bug fix to make PRNG thread-safe. + o Bug fix in RAND_file_name(). + o Bug fix in compatibility mode trust settings. + o Bug fix in blowfish EVP. + o Increase default size for BIO buffering filter. + o Compatibility fixes in some scripts. + Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a: o Security fix: change behavior of OpenSSL to avoid using diff --git a/lib/libssl/src/README b/lib/libssl/src/README index c500744c6b0..a2ede5f3914 100644 --- a/lib/libssl/src/README +++ b/lib/libssl/src/README @@ -1,8 +1,8 @@ - OpenSSL 0.9.6a [engine] 5 Apr 2001 + OpenSSL 0.9.6b [engine] 9 Jul 2001 - Copyright (c) 1998-2000 The OpenSSL Project + Copyright (c) 1998-2001 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/lib/libssl/src/apps/ca.c b/lib/libssl/src/apps/ca.c index 2ab0c4db512..f3fb45b7b4e 100644 --- a/lib/libssl/src/apps/ca.c +++ b/lib/libssl/src/apps/ca.c @@ -1247,7 +1247,11 @@ bad: X509_free(revcert); strncpy(buf[0],dbfile,BSIZE-4); +#ifndef VMS strcat(buf[0],".new"); +#else + strcat(buf[0],"-new"); +#endif if (BIO_write_filename(out,buf[0]) <= 0) { perror(dbfile); @@ -1257,7 +1261,11 @@ bad: j=TXT_DB_write(out,db); if (j <= 0) goto err; strncpy(buf[1],dbfile,BSIZE-4); +#ifndef VMS strcat(buf[1],".old"); +#else + strcat(buf[1],"-old"); +#endif if (rename(dbfile,buf[1]) < 0) { BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]); diff --git a/lib/libssl/src/apps/dgst.c b/lib/libssl/src/apps/dgst.c index ab3e2dbb024..61b2a0dc4b2 100644 --- a/lib/libssl/src/apps/dgst.c +++ b/lib/libssl/src/apps/dgst.c @@ -74,7 +74,7 @@ #undef PROG #define PROG dgst_main -void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, char binout, +void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen); int MAIN(int, char **); @@ -95,7 +95,7 @@ int MAIN(int argc, char **argv) int debug=0; const char *outfile = NULL, *keyfile = NULL; const char *sigfile = NULL, *randfile = NULL; - char out_bin = -1, want_pub = 0, do_verify = 0; + int out_bin = -1, want_pub = 0, do_verify = 0; EVP_PKEY *sigkey = NULL; unsigned char *sigbuf = NULL; int siglen = 0; @@ -365,7 +365,7 @@ end: EXIT(err); } -void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, char binout, +void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout, EVP_PKEY *key, unsigned char *sigin, int siglen) { int len; diff --git a/lib/libssl/src/apps/enc.c b/lib/libssl/src/apps/enc.c index b9190ef53f2..fcb2581b66f 100644 --- a/lib/libssl/src/apps/enc.c +++ b/lib/libssl/src/apps/enc.c @@ -542,6 +542,14 @@ bad: BIO_printf(bio_err,"invalid hex iv value\n"); goto end; } + if ((hiv == NULL) && (str == NULL)) + { + /* No IV was explicitly set and no IV was generated + * during EVP_BytesToKey. Hence the IV is undefined, + * making correct decryption impossible. */ + BIO_printf(bio_err, "iv undefined\n"); + goto end; + } if ((hkey != NULL) && !set_hex(hkey,key,24)) { BIO_printf(bio_err,"invalid hex key value\n"); diff --git a/lib/libssl/src/apps/smime.c b/lib/libssl/src/apps/smime.c index 16b940084bc..7bf71ef868f 100644 --- a/lib/libssl/src/apps/smime.c +++ b/lib/libssl/src/apps/smime.c @@ -299,6 +299,7 @@ int MAIN(int argc, char **argv) BIO_printf (bio_err, "-CApath dir trusted certificates directory\n"); BIO_printf (bio_err, "-CAfile file trusted certificates file\n"); BIO_printf (bio_err, "-engine e use engine e, possibly a hardware device.\n"); + BIO_printf (bio_err, "-passin arg input file pass phrase source\n"); BIO_printf(bio_err, "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); BIO_printf(bio_err, " load the file (or the files in the directory) into\n"); BIO_printf(bio_err, " the random number generator\n"); diff --git a/lib/libssl/src/apps/speed.c b/lib/libssl/src/apps/speed.c index 3562ea277bd..9c91f718e0c 100644 --- a/lib/libssl/src/apps/speed.c +++ b/lib/libssl/src/apps/speed.c @@ -83,12 +83,12 @@ #include <openssl/err.h> #include <openssl/engine.h> -#if defined(__FreeBSD__) +#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) # define USE_TOD #elif !defined(MSDOS) && (!defined(VMS) || defined(__DECC)) # define TIMES #endif -#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(MPE) +#if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(MPE) && !defined(__NetBSD__) # define TIMEB #endif diff --git a/lib/libssl/src/crypto/asn1/t_x509.c b/lib/libssl/src/crypto/asn1/t_x509.c index 314bdfb1c71..89ae73a6dec 100644 --- a/lib/libssl/src/crypto/asn1/t_x509.c +++ b/lib/libssl/src/crypto/asn1/t_x509.c @@ -349,6 +349,8 @@ int X509_NAME_print(BIO *bp, X509_NAME *name, int obase) ll=80-2-obase; s=X509_NAME_oneline(name,buf,256); + if (!*s) + return 1; s++; /* skip the first slash */ l=ll; diff --git a/lib/libssl/src/crypto/asn1/x_pubkey.c b/lib/libssl/src/crypto/asn1/x_pubkey.c index b2e2a514777..4397a404b56 100644 --- a/lib/libssl/src/crypto/asn1/x_pubkey.c +++ b/lib/libssl/src/crypto/asn1/x_pubkey.c @@ -234,7 +234,7 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key) a=key->algor; if (ret->type == EVP_PKEY_DSA) { - if (a->parameter->type == V_ASN1_SEQUENCE) + if (a->parameter && (a->parameter->type == V_ASN1_SEQUENCE)) { ret->pkey.dsa->write_params=0; p=a->parameter->value.sequence->data; diff --git a/lib/libssl/src/crypto/bio/b_print.c b/lib/libssl/src/crypto/bio/b_print.c index b4f7a85f2e4..91a049406e4 100644 --- a/lib/libssl/src/crypto/bio/b_print.c +++ b/lib/libssl/src/crypto/bio/b_print.c @@ -109,7 +109,11 @@ #endif #if HAVE_LONG_LONG -#define LLONG long long +# if defined(WIN32) && !defined(__GNUC__) +# define LLONG _int64 +# else +# define LLONG long long +# endif #else #define LLONG long #endif @@ -152,7 +156,7 @@ static void _dopr(char **sbuffer, char **buffer, /* some handy macros */ #define char_to_int(p) (p - '0') -#define MAX(p,q) ((p >= q) ? p : q) +#define OSSL_MAX(p,q) ((p >= q) ? p : q) static void _dopr( @@ -503,13 +507,13 @@ fmtint( convert[place] = 0; zpadlen = max - place; - spadlen = min - MAX(max, place) - (signvalue ? 1 : 0); + spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0); if (zpadlen < 0) zpadlen = 0; if (spadlen < 0) spadlen = 0; if (flags & DP_F_ZERO) { - zpadlen = MAX(zpadlen, spadlen); + zpadlen = OSSL_MAX(zpadlen, spadlen); spadlen = 0; } if (flags & DP_F_MINUS) @@ -641,7 +645,7 @@ fmtfp( (caps ? "0123456789ABCDEF" : "0123456789abcdef")[fracpart % 10]; fracpart = (fracpart / 10); - } while (fracpart && (fplace < 20)); + } while (fplace < max); if (fplace == 20) fplace--; fconvert[fplace] = 0; diff --git a/lib/libssl/src/crypto/bio/bf_buff.c b/lib/libssl/src/crypto/bio/bf_buff.c index f50e8f98a3d..c90238bae1e 100644 --- a/lib/libssl/src/crypto/bio/bf_buff.c +++ b/lib/libssl/src/crypto/bio/bf_buff.c @@ -70,7 +70,7 @@ static long buffer_ctrl(BIO *h, int cmd, long arg1, void *arg2); static int buffer_new(BIO *h); static int buffer_free(BIO *data); static long buffer_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp); -#define DEFAULT_BUFFER_SIZE 1024 +#define DEFAULT_BUFFER_SIZE 4096 static BIO_METHOD methods_buffer= { diff --git a/lib/libssl/src/crypto/bn/asm/mips3.s b/lib/libssl/src/crypto/bn/asm/mips3.s index 45786c00a5f..dca4105c7db 100644 --- a/lib/libssl/src/crypto/bn/asm/mips3.s +++ b/lib/libssl/src/crypto/bn/asm/mips3.s @@ -1,5 +1,5 @@ .rdata -.asciiz "mips3.s, Version 1.0" +.asciiz "mips3.s, Version 1.1" .asciiz "MIPS III/IV ISA artwork by Andy Polyakov <appro@fy.chalmers.se>" /* @@ -849,6 +849,7 @@ LEAF(bn_mul_comba8) sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 + sltu c_3,c_2,t_2 dmultu a_1,b_2 /* mul_add_c(a[1],b[2],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -856,7 +857,8 @@ LEAF(bn_mul_comba8) sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 - sltu c_3,c_2,t_2 + sltu AT,c_2,t_2 + daddu c_3,AT dmultu a_2,b_1 /* mul_add_c(a[2],b[1],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -884,6 +886,7 @@ LEAF(bn_mul_comba8) sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 + sltu c_1,c_3,t_2 dmultu a_3,b_1 /* mul_add_c(a[3],b[1],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -891,7 +894,8 @@ LEAF(bn_mul_comba8) sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 - sltu c_1,c_3,t_2 + sltu AT,c_3,t_2 + daddu c_1,AT dmultu a_2,b_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -928,6 +932,7 @@ LEAF(bn_mul_comba8) sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 + sltu c_2,c_1,t_2 dmultu a_1,b_4 /* mul_add_c(a[1],b[4],c3,c1,c2); */ mflo t_1 mfhi t_2 @@ -935,7 +940,8 @@ LEAF(bn_mul_comba8) sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 - sltu c_2,c_1,t_2 + sltu AT,c_1,t_2 + daddu c_2,AT dmultu a_2,b_3 /* mul_add_c(a[2],b[3],c3,c1,c2); */ mflo t_1 mfhi t_2 @@ -981,6 +987,7 @@ LEAF(bn_mul_comba8) sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 + sltu c_3,c_2,t_2 dmultu a_5,b_1 /* mul_add_c(a[5],b[1],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -988,7 +995,8 @@ LEAF(bn_mul_comba8) sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 - sltu c_3,c_2,t_2 + sltu AT,c_2,t_2 + daddu c_3,AT dmultu a_4,b_2 /* mul_add_c(a[4],b[2],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -1043,6 +1051,7 @@ LEAF(bn_mul_comba8) sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 + sltu c_1,c_3,t_2 dmultu a_1,b_6 /* mul_add_c(a[1],b[6],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -1050,7 +1059,8 @@ LEAF(bn_mul_comba8) sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 - sltu c_1,c_3,t_2 + sltu AT,c_3,t_2 + daddu c_1,AT dmultu a_2,b_5 /* mul_add_c(a[2],b[5],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -1114,6 +1124,7 @@ LEAF(bn_mul_comba8) sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 + sltu c_2,c_1,t_2 dmultu a_6,b_2 /* mul_add_c(a[6],b[2],c3,c1,c2); */ mflo t_1 mfhi t_2 @@ -1121,7 +1132,8 @@ LEAF(bn_mul_comba8) sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 - sltu c_2,c_1,t_2 + sltu AT,c_1,t_2 + daddu c_2,AT dmultu a_5,b_3 /* mul_add_c(a[5],b[3],c3,c1,c2); */ mflo t_1 mfhi t_2 @@ -1176,6 +1188,7 @@ LEAF(bn_mul_comba8) sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 + sltu c_3,c_2,t_2 dmultu a_3,b_6 /* mul_add_c(a[3],b[6],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -1183,7 +1196,8 @@ LEAF(bn_mul_comba8) sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 - sltu c_3,c_2,t_2 + sltu AT,c_2,t_2 + daddu c_3,AT dmultu a_4,b_5 /* mul_add_c(a[4],b[5],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -1229,6 +1243,7 @@ LEAF(bn_mul_comba8) sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 + sltu c_1,c_3,t_2 dmultu a_6,b_4 /* mul_add_c(a[6],b[4],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -1236,7 +1251,8 @@ LEAF(bn_mul_comba8) sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 - sltu c_1,c_3,t_2 + sltu AT,c_3,t_2 + daddu c_1,AT dmultu a_5,b_5 /* mul_add_c(a[5],b[5],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -1273,6 +1289,7 @@ LEAF(bn_mul_comba8) sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 + sltu c_2,c_1,t_2 dmultu a_5,b_6 /* mul_add_c(a[5],b[6],c3,c1,c2); */ mflo t_1 mfhi t_2 @@ -1280,7 +1297,8 @@ LEAF(bn_mul_comba8) sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 - sltu c_2,c_1,t_2 + sltu AT,c_1,t_2 + daddu c_2,AT dmultu a_6,b_5 /* mul_add_c(a[6],b[5],c3,c1,c2); */ mflo t_1 mfhi t_2 @@ -1308,6 +1326,7 @@ LEAF(bn_mul_comba8) sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 + sltu c_3,c_2,t_2 dmultu a_6,b_6 /* mul_add_c(a[6],b[6],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -1315,7 +1334,8 @@ LEAF(bn_mul_comba8) sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 - sltu c_3,c_2,t_2 + sltu AT,c_2,t_2 + daddu c_3,AT dmultu a_5,b_7 /* mul_add_c(a[5],b[7],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -1334,6 +1354,7 @@ LEAF(bn_mul_comba8) sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 + sltu c_1,c_3,t_2 dmultu a_7,b_6 /* mul_add_c(a[7],b[6],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -1341,7 +1362,8 @@ LEAF(bn_mul_comba8) sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 - sltu c_1,c_3,t_2 + sltu AT,c_3,t_2 + daddu c_1,AT sd c_2,104(a0) /* r[13]=c2; */ dmultu a_7,b_7 /* mul_add_c(a[7],b[7],c3,c1,c2); */ @@ -1430,6 +1452,7 @@ LEAF(bn_mul_comba4) sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 + sltu c_3,c_2,t_2 dmultu a_1,b_2 /* mul_add_c(a[1],b[2],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -1437,7 +1460,8 @@ LEAF(bn_mul_comba4) sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 - sltu c_3,c_2,t_2 + sltu AT,c_2,t_2 + daddu c_3,AT dmultu a_2,b_1 /* mul_add_c(a[2],b[1],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -1465,6 +1489,7 @@ LEAF(bn_mul_comba4) sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 + sltu c_1,c_3,t_2 dmultu a_2,b_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -1472,7 +1497,8 @@ LEAF(bn_mul_comba4) sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 - sltu c_1,c_3,t_2 + sltu AT,c_3,t_2 + daddu c_1,AT dmultu a_1,b_3 /* mul_add_c(a[1],b[3],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -1491,6 +1517,7 @@ LEAF(bn_mul_comba4) sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 + sltu c_2,c_1,t_2 dmultu a_3,b_2 /* mul_add_c(a[3],b[2],c3,c1,c2); */ mflo t_1 mfhi t_2 @@ -1498,7 +1525,8 @@ LEAF(bn_mul_comba4) sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 - sltu c_2,c_1,t_2 + sltu AT,c_1,t_2 + daddu c_2,AT sd c_3,40(a0) dmultu a_3,b_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */ @@ -1543,28 +1571,30 @@ LEAF(bn_sqr_comba8) dmultu a_0,a_1 /* mul_add_c2(a[0],b[1],c2,c3,c1); */ mflo t_1 mfhi t_2 + slt c_1,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 daddu c_3,t_2,AT - daddu c_2,t_1 - sltu AT,c_2,t_1 - daddu t_2,AT - daddu c_3,t_2 - sltu c_1,c_3,t_2 sd c_2,8(a0) dmultu a_2,a_0 /* mul_add_c2(a[2],b[0],c3,c1,c2); */ mflo t_1 mfhi t_2 - daddu c_3,t_1 - sltu AT,c_3,t_1 - daddu a2,t_2,AT - daddu c_1,a2 + slt c_2,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 - sltu c_2,c_1,t_2 + sltu AT,c_1,t_2 + daddu c_2,AT dmultu a_1,a_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */ mflo t_1 mfhi t_2 @@ -1579,24 +1609,26 @@ LEAF(bn_sqr_comba8) dmultu a_0,a_3 /* mul_add_c2(a[0],b[3],c1,c2,c3); */ mflo t_1 mfhi t_2 - daddu c_1,t_1 - sltu AT,c_1,t_1 - daddu a2,t_2,AT - daddu c_2,a2 + slt c_3,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 - sltu c_3,c_2,t_2 + sltu AT,c_2,t_2 + daddu c_3,AT dmultu a_1,a_2 /* mul_add_c2(a[1],b[2],c1,c2,c3); */ mflo t_1 mfhi t_2 - daddu c_1,t_1 - sltu AT,c_1,t_1 - daddu a2,t_2,AT - daddu c_2,a2 - sltu AT,c_2,a2 + slt AT,t_2,zero daddu c_3,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 daddu t_2,AT @@ -1608,24 +1640,26 @@ LEAF(bn_sqr_comba8) dmultu a_4,a_0 /* mul_add_c2(a[4],b[0],c2,c3,c1); */ mflo t_1 mfhi t_2 - daddu c_2,t_1 - sltu AT,c_2,t_1 - daddu a2,t_2,AT - daddu c_3,a2 + slt c_1,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 - sltu c_1,c_3,t_2 + sltu AT,c_3,t_2 + daddu c_1,AT dmultu a_3,a_1 /* mul_add_c2(a[3],b[1],c2,c3,c1); */ mflo t_1 mfhi t_2 - daddu c_2,t_1 - sltu AT,c_2,t_1 - daddu a2,t_2,AT - daddu c_3,a2 - sltu AT,c_3,a2 + slt AT,t_2,zero daddu c_1,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 daddu t_2,AT @@ -1646,24 +1680,26 @@ LEAF(bn_sqr_comba8) dmultu a_0,a_5 /* mul_add_c2(a[0],b[5],c3,c1,c2); */ mflo t_1 mfhi t_2 - daddu c_3,t_1 - sltu AT,c_3,t_1 - daddu a2,t_2,AT - daddu c_1,a2 + slt c_2,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 - sltu c_2,c_1,t_2 + sltu AT,c_1,t_2 + daddu c_2,AT dmultu a_1,a_4 /* mul_add_c2(a[1],b[4],c3,c1,c2); */ mflo t_1 mfhi t_2 - daddu c_3,t_1 - sltu AT,c_3,t_1 - daddu a2,t_2,AT - daddu c_1,a2 - sltu AT,c_1,a2 + slt AT,t_2,zero daddu c_2,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 daddu t_2,AT @@ -1673,12 +1709,12 @@ LEAF(bn_sqr_comba8) dmultu a_2,a_3 /* mul_add_c2(a[2],b[3],c3,c1,c2); */ mflo t_1 mfhi t_2 - daddu c_3,t_1 - sltu AT,c_3,t_1 - daddu a2,t_2,AT - daddu c_1,a2 - sltu AT,c_1,a2 + slt AT,t_2,zero daddu c_2,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 daddu t_2,AT @@ -1690,24 +1726,26 @@ LEAF(bn_sqr_comba8) dmultu a_6,a_0 /* mul_add_c2(a[6],b[0],c1,c2,c3); */ mflo t_1 mfhi t_2 - daddu c_1,t_1 - sltu AT,c_1,t_1 - daddu a2,t_2,AT - daddu c_2,a2 + slt c_3,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 - sltu c_3,c_2,t_2 + sltu AT,c_2,t_2 + daddu c_3,AT dmultu a_5,a_1 /* mul_add_c2(a[5],b[1],c1,c2,c3); */ mflo t_1 mfhi t_2 - daddu c_1,t_1 - sltu AT,c_1,t_1 - daddu a2,t_2,AT - daddu c_2,a2 - sltu AT,c_2,a2 + slt AT,t_2,zero daddu c_3,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 daddu t_2,AT @@ -1717,12 +1755,12 @@ LEAF(bn_sqr_comba8) dmultu a_4,a_2 /* mul_add_c2(a[4],b[2],c1,c2,c3); */ mflo t_1 mfhi t_2 - daddu c_1,t_1 - sltu AT,c_1,t_1 - daddu a2,t_2,AT - daddu c_2,a2 - sltu AT,c_2,a2 + slt AT,t_2,zero daddu c_3,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 daddu t_2,AT @@ -1743,24 +1781,26 @@ LEAF(bn_sqr_comba8) dmultu a_0,a_7 /* mul_add_c2(a[0],b[7],c2,c3,c1); */ mflo t_1 mfhi t_2 - daddu c_2,t_1 - sltu AT,c_2,t_1 - daddu a2,t_2,AT - daddu c_3,a2 + slt c_1,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 - sltu c_1,c_3,t_2 + sltu AT,c_3,t_2 + daddu c_1,AT dmultu a_1,a_6 /* mul_add_c2(a[1],b[6],c2,c3,c1); */ mflo t_1 mfhi t_2 - daddu c_2,t_1 - sltu AT,c_2,t_1 - daddu a2,t_2,AT - daddu c_3,a2 - sltu AT,c_3,a2 + slt AT,t_2,zero daddu c_1,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 daddu t_2,AT @@ -1770,12 +1810,12 @@ LEAF(bn_sqr_comba8) dmultu a_2,a_5 /* mul_add_c2(a[2],b[5],c2,c3,c1); */ mflo t_1 mfhi t_2 - daddu c_2,t_1 - sltu AT,c_2,t_1 - daddu a2,t_2,AT - daddu c_3,a2 - sltu AT,c_3,a2 + slt AT,t_2,zero daddu c_1,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 daddu t_2,AT @@ -1785,12 +1825,12 @@ LEAF(bn_sqr_comba8) dmultu a_3,a_4 /* mul_add_c2(a[3],b[4],c2,c3,c1); */ mflo t_1 mfhi t_2 - daddu c_2,t_1 - sltu AT,c_2,t_1 - daddu a2,t_2,AT - daddu c_3,a2 - sltu AT,c_3,a2 + slt AT,t_2,zero daddu c_1,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 daddu t_2,AT @@ -1802,24 +1842,26 @@ LEAF(bn_sqr_comba8) dmultu a_7,a_1 /* mul_add_c2(a[7],b[1],c3,c1,c2); */ mflo t_1 mfhi t_2 - daddu c_3,t_1 - sltu AT,c_3,t_1 - daddu a2,t_2,AT - daddu c_1,a2 + slt c_2,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 - sltu c_2,c_1,t_2 + sltu AT,c_1,t_2 + daddu c_2,AT dmultu a_6,a_2 /* mul_add_c2(a[6],b[2],c3,c1,c2); */ mflo t_1 mfhi t_2 - daddu c_3,t_1 - sltu AT,c_3,t_1 - daddu a2,t_2,AT - daddu c_1,a2 - sltu AT,c_1,a2 + slt AT,t_2,zero daddu c_2,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 daddu t_2,AT @@ -1829,12 +1871,12 @@ LEAF(bn_sqr_comba8) dmultu a_5,a_3 /* mul_add_c2(a[5],b[3],c3,c1,c2); */ mflo t_1 mfhi t_2 - daddu c_3,t_1 - sltu AT,c_3,t_1 - daddu a2,t_2,AT - daddu c_1,a2 - sltu AT,c_1,a2 + slt AT,t_2,zero daddu c_2,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 daddu t_2,AT @@ -1855,24 +1897,26 @@ LEAF(bn_sqr_comba8) dmultu a_2,a_7 /* mul_add_c2(a[2],b[7],c1,c2,c3); */ mflo t_1 mfhi t_2 - daddu c_1,t_1 - sltu AT,c_1,t_1 - daddu a2,t_2,AT - daddu c_2,a2 + slt c_3,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 - sltu c_3,c_2,t_2 + sltu AT,c_2,t_2 + daddu c_3,AT dmultu a_3,a_6 /* mul_add_c2(a[3],b[6],c1,c2,c3); */ mflo t_1 mfhi t_2 - daddu c_1,t_1 - sltu AT,c_1,t_1 - daddu a2,t_2,AT - daddu c_2,a2 - sltu AT,c_2,a2 + slt AT,t_2,zero daddu c_3,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 daddu t_2,AT @@ -1882,12 +1926,12 @@ LEAF(bn_sqr_comba8) dmultu a_4,a_5 /* mul_add_c2(a[4],b[5],c1,c2,c3); */ mflo t_1 mfhi t_2 - daddu c_1,t_1 - sltu AT,c_1,t_1 - daddu a2,t_2,AT - daddu c_2,a2 - sltu AT,c_2,a2 + slt AT,t_2,zero daddu c_3,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 daddu t_2,AT @@ -1899,24 +1943,26 @@ LEAF(bn_sqr_comba8) dmultu a_7,a_3 /* mul_add_c2(a[7],b[3],c2,c3,c1); */ mflo t_1 mfhi t_2 - daddu c_2,t_1 - sltu AT,c_2,t_1 - daddu a2,t_2,AT - daddu c_3,a2 + slt c_1,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 - sltu c_1,c_3,t_2 + sltu AT,c_3,t_2 + daddu c_1,AT dmultu a_6,a_4 /* mul_add_c2(a[6],b[4],c2,c3,c1); */ mflo t_1 mfhi t_2 - daddu c_2,t_1 - sltu AT,c_2,t_1 - daddu a2,t_2,AT - daddu c_3,a2 - sltu AT,c_3,a2 + slt AT,t_2,zero daddu c_1,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 daddu t_2,AT @@ -1937,24 +1983,26 @@ LEAF(bn_sqr_comba8) dmultu a_4,a_7 /* mul_add_c2(a[4],b[7],c3,c1,c2); */ mflo t_1 mfhi t_2 - daddu c_3,t_1 - sltu AT,c_3,t_1 - daddu a2,t_2,AT - daddu c_1,a2 + slt c_2,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 - sltu c_2,c_1,t_2 + sltu AT,c_1,t_2 + daddu c_2,AT dmultu a_5,a_6 /* mul_add_c2(a[5],b[6],c3,c1,c2); */ mflo t_1 mfhi t_2 - daddu c_3,t_1 - sltu AT,c_3,t_1 - daddu a2,t_2,AT - daddu c_1,a2 - sltu AT,c_1,a2 + slt AT,t_2,zero daddu c_2,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 daddu t_2,AT @@ -1966,15 +2014,17 @@ LEAF(bn_sqr_comba8) dmultu a_7,a_5 /* mul_add_c2(a[7],b[5],c1,c2,c3); */ mflo t_1 mfhi t_2 - daddu c_1,t_1 - sltu AT,c_1,t_1 - daddu a2,t_2,AT - daddu c_2,a2 + slt c_3,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 - sltu c_3,c_2,t_2 + sltu AT,c_2,t_2 + daddu c_3,AT dmultu a_6,a_6 /* mul_add_c(a[6],b[6],c1,c2,c3); */ mflo t_1 mfhi t_2 @@ -1989,15 +2039,17 @@ LEAF(bn_sqr_comba8) dmultu a_6,a_7 /* mul_add_c2(a[6],b[7],c2,c3,c1); */ mflo t_1 mfhi t_2 - daddu c_2,t_1 - sltu AT,c_2,t_1 - daddu a2,t_2,AT - daddu c_3,a2 + slt c_1,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 - sltu c_1,c_3,t_2 + sltu AT,c_3,t_2 + daddu c_1,AT sd c_2,104(a0) dmultu a_7,a_7 /* mul_add_c(a[7],b[7],c3,c1,c2); */ @@ -2028,28 +2080,30 @@ LEAF(bn_sqr_comba4) dmultu a_0,a_1 /* mul_add_c2(a[0],b[1],c2,c3,c1); */ mflo t_1 mfhi t_2 + slt c_1,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 daddu c_3,t_2,AT - daddu c_2,t_1 - sltu AT,c_2,t_1 - daddu t_2,AT - daddu c_3,t_2 - sltu c_1,c_3,t_2 sd c_2,8(a0) dmultu a_2,a_0 /* mul_add_c2(a[2],b[0],c3,c1,c2); */ mflo t_1 mfhi t_2 - daddu c_3,t_1 - sltu AT,c_3,t_1 - daddu a2,t_2,AT - daddu c_1,a2 + slt c_2,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 - sltu c_2,c_1,t_2 + sltu AT,c_1,t_2 + daddu c_2,AT dmultu a_1,a_1 /* mul_add_c(a[1],b[1],c3,c1,c2); */ mflo t_1 mfhi t_2 @@ -2064,24 +2118,26 @@ LEAF(bn_sqr_comba4) dmultu a_0,a_3 /* mul_add_c2(a[0],b[3],c1,c2,c3); */ mflo t_1 mfhi t_2 - daddu c_1,t_1 - sltu AT,c_1,t_1 - daddu a2,t_2,AT - daddu c_2,a2 + slt c_3,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 daddu t_2,AT daddu c_2,t_2 - sltu c_3,c_2,t_2 + sltu AT,c_2,t_2 + daddu c_3,AT dmultu a_1,a_2 /* mul_add_c(a2[1],b[2],c1,c2,c3); */ mflo t_1 mfhi t_2 - daddu c_1,t_1 - sltu AT,c_1,t_1 - daddu a2,t_2,AT - daddu c_2,a2 - sltu AT,c_2,a2 + slt AT,t_2,zero daddu c_3,AT + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_1,t_1 sltu AT,c_1,t_1 daddu t_2,AT @@ -2093,15 +2149,17 @@ LEAF(bn_sqr_comba4) dmultu a_3,a_1 /* mul_add_c2(a[3],b[1],c2,c3,c1); */ mflo t_1 mfhi t_2 - daddu c_2,t_1 - sltu AT,c_2,t_1 - daddu a2,t_2,AT - daddu c_3,a2 + slt c_1,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_2,t_1 sltu AT,c_2,t_1 daddu t_2,AT daddu c_3,t_2 - sltu c_1,c_3,t_2 + sltu AT,c_3,t_2 + daddu c_1,AT dmultu a_2,a_2 /* mul_add_c(a[2],b[2],c2,c3,c1); */ mflo t_1 mfhi t_2 @@ -2116,15 +2174,17 @@ LEAF(bn_sqr_comba4) dmultu a_2,a_3 /* mul_add_c2(a[2],b[3],c3,c1,c2); */ mflo t_1 mfhi t_2 - daddu c_3,t_1 - sltu AT,c_3,t_1 - daddu a2,t_2,AT - daddu c_1,a2 + slt c_2,t_2,zero + dsll t_2,1 + slt a2,t_1,zero + daddu t_2,a2 + dsll t_1,1 daddu c_3,t_1 sltu AT,c_3,t_1 daddu t_2,AT daddu c_1,t_2 - sltu c_2,c_1,t_2 + sltu AT,c_1,t_2 + daddu c_2,AT sd c_3,40(a0) dmultu a_3,a_3 /* mul_add_c(a[3],b[3],c1,c2,c3); */ diff --git a/lib/libssl/src/crypto/cryptlib.c b/lib/libssl/src/crypto/cryptlib.c index 9de60fd5281..a7a9262133e 100644 --- a/lib/libssl/src/crypto/cryptlib.c +++ b/lib/libssl/src/crypto/cryptlib.c @@ -241,7 +241,7 @@ void CRYPTO_destroy_dynlockid(int i) } else #endif - if (--(pointer->references) <= 0) + if (pointer->references <= 0) { sk_CRYPTO_dynlock_set(dyn_locks, i, NULL); } @@ -396,16 +396,15 @@ void CRYPTO_lock(int mode, int type, const char *file, int line) #endif if (type < 0) { - int i = -type - 1; struct CRYPTO_dynlock_value *pointer - = CRYPTO_get_dynlock_value(i); + = CRYPTO_get_dynlock_value(type); - if (pointer) + if (pointer && dynlock_lock_callback) { dynlock_lock_callback(mode, pointer, file, line); } - CRYPTO_destroy_dynlockid(i); + CRYPTO_destroy_dynlockid(type); } else if (locking_callback != NULL) @@ -431,7 +430,6 @@ int CRYPTO_add_lock(int *pointer, int amount, int type, const char *file, CRYPTO_get_lock_name(type), file,line); #endif - *pointer=ret; } else { diff --git a/lib/libssl/src/crypto/dsa/dsa.h b/lib/libssl/src/crypto/dsa/dsa.h index 65689a34266..12b60a8faa0 100644 --- a/lib/libssl/src/crypto/dsa/dsa.h +++ b/lib/libssl/src/crypto/dsa/dsa.h @@ -248,6 +248,7 @@ DH *DSA_dup_DH(DSA *r); /* Reason codes. */ #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100 +#define DSA_R_MISSING_PARAMETERS 101 #ifdef __cplusplus } diff --git a/lib/libssl/src/crypto/dsa/dsa_err.c b/lib/libssl/src/crypto/dsa/dsa_err.c index 2b3ab3a9ad8..736aeef7c47 100644 --- a/lib/libssl/src/crypto/dsa/dsa_err.c +++ b/lib/libssl/src/crypto/dsa/dsa_err.c @@ -85,6 +85,7 @@ static ERR_STRING_DATA DSA_str_functs[]= static ERR_STRING_DATA DSA_str_reasons[]= { {DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE ,"data too large for key size"}, +{DSA_R_MISSING_PARAMETERS ,"missing parameters"}, {0,NULL} }; diff --git a/lib/libssl/src/crypto/dsa/dsa_ossl.c b/lib/libssl/src/crypto/dsa/dsa_ossl.c index 5cbbdddfb96..34c6e9a1412 100644 --- a/lib/libssl/src/crypto/dsa/dsa_ossl.c +++ b/lib/libssl/src/crypto/dsa/dsa_ossl.c @@ -108,6 +108,11 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) int i,reason=ERR_R_BN_LIB; DSA_SIG *ret=NULL; + if (!dsa->p || !dsa->q || !dsa->g) + { + reason=DSA_R_MISSING_PARAMETERS; + goto err; + } BN_init(&m); BN_init(&xr); s=BN_new(); @@ -170,6 +175,11 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) BIGNUM k,*kinv=NULL,*r=NULL; int ret=0; + if (!dsa->p || !dsa->q || !dsa->g) + { + DSAerr(DSA_F_DSA_SIGN_SETUP,DSA_R_MISSING_PARAMETERS); + return 0; + } if (ctx_in == NULL) { if ((ctx=BN_CTX_new()) == NULL) goto err; @@ -233,6 +243,17 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, BN_init(&u2); BN_init(&t1); + if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0) + { + ret = 0; + goto err; + } + if (BN_is_zero(sig->s) || sig->s->neg || BN_ucmp(sig->s, dsa->q) >= 0) + { + ret = 0; + goto err; + } + /* Calculate W = inv(S) mod Q * save W in u2 */ if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err; diff --git a/lib/libssl/src/crypto/evp/e_bf.c b/lib/libssl/src/crypto/evp/e_bf.c index 72047f64dab..53559b0b657 100644 --- a/lib/libssl/src/crypto/evp/e_bf.c +++ b/lib/libssl/src/crypto/evp/e_bf.c @@ -67,7 +67,7 @@ static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); IMPLEMENT_BLOCK_CIPHER(bf, bf_ks, BF, bf_ks, NID_bf, 8, 16, 8, - 0, bf_init_key, NULL, + EVP_CIPH_VARIABLE_LENGTH, bf_init_key, NULL, EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, diff --git a/lib/libssl/src/crypto/evp/evp.h b/lib/libssl/src/crypto/evp/evp.h index 76d417b44a3..fd431270927 100644 --- a/lib/libssl/src/crypto/evp/evp.h +++ b/lib/libssl/src/crypto/evp/evp.h @@ -553,9 +553,9 @@ int EVP_read_pw_string(char *buf,int length,const char *prompt,int verify); void EVP_set_pw_prompt(char *prompt); char * EVP_get_pw_prompt(void); -int EVP_BytesToKey(const EVP_CIPHER *type,EVP_MD *md,unsigned char *salt, - unsigned char *data, int datal, int count, - unsigned char *key,unsigned char *iv); +int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md, + const unsigned char *salt, const unsigned char *data, int datal, + int count, unsigned char *key, unsigned char *iv); int EVP_EncryptInit(EVP_CIPHER_CTX *ctx,const EVP_CIPHER *type, unsigned char *key, unsigned char *iv); diff --git a/lib/libssl/src/crypto/evp/evp_key.c b/lib/libssl/src/crypto/evp/evp_key.c index 09b72bf4bdd..e7434ef9b27 100644 --- a/lib/libssl/src/crypto/evp/evp_key.c +++ b/lib/libssl/src/crypto/evp/evp_key.c @@ -95,9 +95,9 @@ int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify) #endif } -int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md, unsigned char *salt, - unsigned char *data, int datal, int count, unsigned char *key, - unsigned char *iv) +int EVP_BytesToKey(const EVP_CIPHER *type, EVP_MD *md, + const unsigned char *salt, const unsigned char *data, int datal, + int count, unsigned char *key, unsigned char *iv) { EVP_MD_CTX c; unsigned char md_buf[EVP_MAX_MD_SIZE]; diff --git a/lib/libssl/src/crypto/opensslv.h b/lib/libssl/src/crypto/opensslv.h index dc50f6d7da6..4b25018e494 100644 --- a/lib/libssl/src/crypto/opensslv.h +++ b/lib/libssl/src/crypto/opensslv.h @@ -2,7 +2,7 @@ #define HEADER_OPENSSLV_H /* Numeric release version identifier: - * MMNNFFPPS: major minor fix patch status + * MNNFFPPS: major minor fix patch status * The status nibble has one of the values 0 for development, 1 to e for betas * 1 to 14, and f for release. The patch level is exactly that. * For example: @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090601fL -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6a [engine] 5 Apr 2001" +#define OPENSSL_VERSION_NUMBER 0x0090602fL +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6b [engine] 9 Jul 2001" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/lib/libssl/src/crypto/perlasm/x86unix.pl b/lib/libssl/src/crypto/perlasm/x86unix.pl index 309060ea001..10a7af8bffd 100644 --- a/lib/libssl/src/crypto/perlasm/x86unix.pl +++ b/lib/libssl/src/crypto/perlasm/x86unix.pl @@ -79,7 +79,7 @@ sub main'DWP local($addr,$reg1,$reg2,$idx)=@_; $ret=""; - $addr =~ s/(^|[+ \t])([A-Za-z_]+)($|[+ \t])/$1$under$2$3/; + $addr =~ s/(^|[+ \t])([A-Za-z_]+[A-Za-z0-9_]+)($|[+ \t])/$1$under$2$3/; $reg1="$regs{$reg1}" if defined($regs{$reg1}); $reg2="$regs{$reg2}" if defined($regs{$reg2}); $ret.=$addr if ($addr ne "") && ($addr ne 0); diff --git a/lib/libssl/src/crypto/rand/md_rand.c b/lib/libssl/src/crypto/rand/md_rand.c index ae57570608c..04b9d695b0d 100644 --- a/lib/libssl/src/crypto/rand/md_rand.c +++ b/lib/libssl/src/crypto/rand/md_rand.c @@ -141,10 +141,11 @@ static long md_count[2]={0,0}; static double entropy=0; static int initialized=0; -/* This should be set to 1 only when ssleay_rand_add() is called inside - an already locked state, so it doesn't try to lock and thereby cause - a hang. And it should always be reset back to 0 before unlocking. */ -static int add_do_not_lock=0; +static unsigned int crypto_lock_rand = 0; /* may be set only when a thread + * holds CRYPTO_LOCK_RAND + * (to prevent double locking) */ +static unsigned long locking_thread = 0; /* valid iff crypto_lock_rand is set */ + #ifdef PREDICT int rand_predictable=0; @@ -191,6 +192,7 @@ static void ssleay_rand_add(const void *buf, int num, double add) long md_c[2]; unsigned char local_md[MD_DIGEST_LENGTH]; MD_CTX m; + int do_not_lock; /* * (Based on the rand(3) manpage) @@ -207,7 +209,10 @@ static void ssleay_rand_add(const void *buf, int num, double add) * hash function. */ - if (!add_do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND); + /* check if we already have the lock */ + do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id()); + + if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND); st_idx=state_index; /* use our own copies of the counters so that even @@ -239,7 +244,7 @@ static void ssleay_rand_add(const void *buf, int num, double add) md_count[1] += (num / MD_DIGEST_LENGTH) + (num % MD_DIGEST_LENGTH > 0); - if (!add_do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); + if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); for (i=0; i<num; i+=MD_DIGEST_LENGTH) { @@ -281,7 +286,7 @@ static void ssleay_rand_add(const void *buf, int num, double add) } memset((char *)&m,0,sizeof(m)); - if (!add_do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND); + if (!do_not_lock) CRYPTO_w_lock(CRYPTO_LOCK_RAND); /* Don't just copy back local_md into md -- this could mean that * other thread's seeding remains without effect (except for * the incremented counter). By XORing it we keep at least as @@ -292,7 +297,7 @@ static void ssleay_rand_add(const void *buf, int num, double add) } if (entropy < ENTROPY_NEEDED) /* stop counting when we have enough */ entropy += add; - if (!add_do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); + if (!do_not_lock) CRYPTO_w_unlock(CRYPTO_LOCK_RAND); #if !defined(THREADS) && !defined(WIN32) assert(md_c[1] == md_count[1]); @@ -340,28 +345,31 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) * * For each group of 10 bytes (or less), we do the following: * - * Input into the hash function the top 10 bytes from the - * local 'md' (which is initialized from the global 'md' - * before any bytes are generated), the bytes that are - * to be overwritten by the random bytes, and bytes from the - * 'state' (incrementing looping index). From this digest output - * (which is kept in 'md'), the top (up to) 10 bytes are - * returned to the caller and the bottom (up to) 10 bytes are xored - * into the 'state'. + * Input into the hash function the local 'md' (which is initialized from + * the global 'md' before any bytes are generated), the bytes that are to + * be overwritten by the random bytes, and bytes from the 'state' + * (incrementing looping index). From this digest output (which is kept + * in 'md'), the top (up to) 10 bytes are returned to the caller and the + * bottom 10 bytes are xored into the 'state'. + * * Finally, after we have finished 'num' random bytes for the * caller, 'count' (which is incremented) and the local and global 'md' * are fed into the hash function and the results are kept in the * global 'md'. */ - if (!initialized) - RAND_poll(); - CRYPTO_w_lock(CRYPTO_LOCK_RAND); - add_do_not_lock = 1; /* Since we call ssleay_rand_add while in - this locked state. */ - initialized = 1; + /* prevent ssleay_rand_bytes() from trying to obtain the lock again */ + crypto_lock_rand = 1; + locking_thread = CRYPTO_thread_id(); + + if (!initialized) + { + RAND_poll(); + initialized = 1; + } + if (!stirred_pool) do_stir_pool = 1; @@ -387,11 +395,11 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) if (do_stir_pool) { - /* Our output function chains only half of 'md', so we better - * make sure that the required entropy gets 'evenly distributed' - * through 'state', our randomness pool. The input function - * (ssleay_rand_add) chains all of 'md', which makes it more - * suitable for this purpose. + /* In the output function only half of 'md' remains secret, + * so we better make sure that the required entropy gets + * 'evenly distributed' through 'state', our randomness pool. + * The input function (ssleay_rand_add) chains all of 'md', + * which makes it more suitable for this purpose. */ int n = STATE_SIZE; /* so that the complete pool gets accessed */ @@ -425,8 +433,9 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) md_count[0] += 1; - add_do_not_lock = 0; /* If this would ever be forgotten, we can - expect any evil god to eat our souls. */ + /* before unlocking, we must clear 'crypto_lock_rand' */ + crypto_lock_rand = 0; + locking_thread = 0; CRYPTO_w_unlock(CRYPTO_LOCK_RAND); while (num > 0) @@ -492,11 +501,12 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) { int ret; + unsigned long err; ret = RAND_bytes(buf, num); if (ret == 0) { - long err = ERR_peek_error(); + err = ERR_peek_error(); if (ERR_GET_LIB(err) == ERR_LIB_RAND && ERR_GET_REASON(err) == RAND_R_PRNG_NOT_SEEDED) (void)ERR_get_error(); @@ -507,14 +517,37 @@ static int ssleay_rand_pseudo_bytes(unsigned char *buf, int num) static int ssleay_rand_status(void) { int ret; + int do_not_lock; + /* check if we already have the lock + * (could happen if a RAND_poll() implementation calls RAND_status()) */ + do_not_lock = crypto_lock_rand && (locking_thread == CRYPTO_thread_id()); + + if (!do_not_lock) + { + CRYPTO_w_lock(CRYPTO_LOCK_RAND); + + /* prevent ssleay_rand_bytes() from trying to obtain the lock again */ + crypto_lock_rand = 1; + locking_thread = CRYPTO_thread_id(); + } + if (!initialized) + { RAND_poll(); + initialized = 1; + } - CRYPTO_w_lock(CRYPTO_LOCK_RAND); - initialized = 1; ret = entropy >= ENTROPY_NEEDED; - CRYPTO_w_unlock(CRYPTO_LOCK_RAND); + if (!do_not_lock) + { + /* before unlocking, we must clear 'crypto_lock_rand' */ + crypto_lock_rand = 0; + locking_thread = 0; + + CRYPTO_w_unlock(CRYPTO_LOCK_RAND); + } + return ret; } diff --git a/lib/libssl/src/crypto/rand/randfile.c b/lib/libssl/src/crypto/rand/randfile.c index f4376cf8cc5..2ffb84c89e2 100644 --- a/lib/libssl/src/crypto/rand/randfile.c +++ b/lib/libssl/src/crypto/rand/randfile.c @@ -233,6 +233,12 @@ const char *RAND_file_name(char *buf, size_t size) { if (issetugid() == 0) s=getenv("HOME"); +#ifdef DEFAULT_HOME + if (s == NULL) + { + s = DEFAULT_HOME; + } +#endif if (s && *s && strlen(s)+strlen(RFILE)+2 < size) { strlcpy(buf,s,size); @@ -242,7 +248,7 @@ const char *RAND_file_name(char *buf, size_t size) strlcat(buf,RFILE,size); ret=buf; } - else + else buf[0] = '\0'; /* no file name */ } diff --git a/lib/libssl/src/crypto/rsa/rsa_oaep.c b/lib/libssl/src/crypto/rsa/rsa_oaep.c index fd0b7f361fb..1849e55cd5d 100644 --- a/lib/libssl/src/crypto/rsa/rsa_oaep.c +++ b/lib/libssl/src/crypto/rsa/rsa_oaep.c @@ -77,14 +77,16 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, int i, dblen, mlen = -1; unsigned char *maskeddb; int lzero; - unsigned char *db, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; + unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; if (--num < 2 * SHA_DIGEST_LENGTH + 1) - { - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); - return (-1); - } + goto decoding_err; + lzero = num - flen; + if (lzero < 0) + goto decoding_err; + maskeddb = from - lzero + SHA_DIGEST_LENGTH; + dblen = num - SHA_DIGEST_LENGTH; db = OPENSSL_malloc(dblen); if (db == NULL) @@ -93,9 +95,6 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, return (-1); } - lzero = num - flen; - maskeddb = from - lzero + SHA_DIGEST_LENGTH; - MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen); for (i = lzero; i < SHA_DIGEST_LENGTH; i++) seed[i] ^= from[i - lzero]; @@ -107,21 +106,20 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, SHA1(param, plen, phash); if (memcmp(db, phash, SHA_DIGEST_LENGTH) != 0) - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); + goto decoding_err; else { for (i = SHA_DIGEST_LENGTH; i < dblen; i++) if (db[i] != 0x00) break; if (db[i] != 0x01 || i++ >= dblen) - RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, - RSA_R_OAEP_DECODING_ERROR); + goto decoding_err; else { mlen = dblen - i; if (tlen < mlen) { - RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE); mlen = -1; } else @@ -130,6 +128,13 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, } OPENSSL_free(db); return (mlen); + +decoding_err: + /* to avoid chosen ciphertext attacks, the error message should not reveal + * which kind of decoding error happened */ + RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR); + if (db != NULL) OPENSSL_free(db); + return -1; } int MGF1(unsigned char *mask, long len, unsigned char *seed, long seedlen) diff --git a/lib/libssl/src/crypto/x509/x509_obj.c b/lib/libssl/src/crypto/x509/x509_obj.c index 6a3ba8eb154..f0271fdfa14 100644 --- a/lib/libssl/src/crypto/x509/x509_obj.c +++ b/lib/libssl/src/crypto/x509/x509_obj.c @@ -214,6 +214,8 @@ int i; } else p=buf; + if (i == 0) + *p = '\0'; return(p); err: X509err(X509_F_X509_NAME_ONELINE,ERR_R_MALLOC_FAILURE); diff --git a/lib/libssl/src/crypto/x509/x509_trs.c b/lib/libssl/src/crypto/x509/x509_trs.c index a7b1543461b..86b3b79dcc0 100644 --- a/lib/libssl/src/crypto/x509/x509_trs.c +++ b/lib/libssl/src/crypto/x509/x509_trs.c @@ -228,7 +228,8 @@ int X509_TRUST_get_trust(X509_TRUST *xp) static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) { - if(x->aux) return obj_trust(trust->arg1, x, flags); + if(x->aux && (x->aux->trust || x->aux->reject)) + return obj_trust(trust->arg1, x, flags); /* we don't have any trust settings: for compatibility * we return trusted if it is self signed */ diff --git a/lib/libssl/src/doc/apps/enc.pod b/lib/libssl/src/doc/apps/enc.pod index e436ccc37e6..a68ddca1394 100644 --- a/lib/libssl/src/doc/apps/enc.pod +++ b/lib/libssl/src/doc/apps/enc.pod @@ -96,12 +96,18 @@ of hex digits. =item B<-K key> the actual key to use: this must be represented as a string comprised only -of hex digits. +of hex digits. If only the key is specified, the IV must additionally specified +using the B<-iv> option. When both a key and a password are specified, the +key given with the B<-K> option will be used and the IV generated from the +password will be taken. It probably does not make much sense to specify +both key and password. =item B<-iv IV> the actual IV to use: this must be represented as a string comprised only -of hex digits. +of hex digits. When only the key is specified using the B<-K> option, the +IV must explicitly be defined. When a password is being specified using +one of the other options, the IV is generated from this password. =item B<-p> diff --git a/lib/libssl/src/doc/apps/rsautl.pod b/lib/libssl/src/doc/apps/rsautl.pod index 7a334bc8d6a..a7c1681d985 100644 --- a/lib/libssl/src/doc/apps/rsautl.pod +++ b/lib/libssl/src/doc/apps/rsautl.pod @@ -101,11 +101,11 @@ Sign some data using a private key: Recover the signed data - openssl rsautl -sign -in sig -inkey key.pem + openssl rsautl -verify -in sig -inkey key.pem Examine the raw signed data: - openssl rsautl -sign -in file -inkey key.pem -raw -hexdump + openssl rsautl -verify -in file -inkey key.pem -raw -hexdump 0000 - 00 01 ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ 0010 - ff ff ff ff ff ff ff ff-ff ff ff ff ff ff ff ff ................ diff --git a/lib/libssl/src/doc/apps/s_server.pod b/lib/libssl/src/doc/apps/s_server.pod index 419383b55db..313116ab666 100644 --- a/lib/libssl/src/doc/apps/s_server.pod +++ b/lib/libssl/src/doc/apps/s_server.pod @@ -7,7 +7,7 @@ s_server - SSL/TLS server program =head1 SYNOPSIS -B<openssl> B<s_client> +B<openssl> B<s_server> [B<-accept port>] [B<-context id>] [B<-verify depth>] diff --git a/lib/libssl/src/doc/crypto/bio.pod b/lib/libssl/src/doc/crypto/bio.pod index 24f61dfb562..f9239226ffc 100644 --- a/lib/libssl/src/doc/crypto/bio.pod +++ b/lib/libssl/src/doc/crypto/bio.pod @@ -40,7 +40,7 @@ BIO). =head1 SEE ALSO L<BIO_ctrl(3)|BIO_ctrl(3)>, -L<BIO_f_base64(3)|BIO_f_base64(3)>, +L<BIO_f_base64(3)|BIO_f_base64(3)>, L<BIO_f_buffer(3)|BIO_f_buffer(3)>, L<BIO_f_cipher(3)|BIO_f_cipher(3)>, L<BIO_f_md(3)|BIO_f_md(3)>, L<BIO_f_null(3)|BIO_f_null(3)>, L<BIO_f_ssl(3)|BIO_f_ssl(3)>, L<BIO_find_type(3)|BIO_find_type(3)>, L<BIO_new(3)|BIO_new(3)>, diff --git a/lib/libssl/src/doc/crypto/rand.pod b/lib/libssl/src/doc/crypto/rand.pod index 9545f0e1095..96901f109e6 100644 --- a/lib/libssl/src/doc/crypto/rand.pod +++ b/lib/libssl/src/doc/crypto/rand.pod @@ -127,13 +127,12 @@ function and xor). When bytes are extracted from the RNG, the following process is used. For each group of 10 bytes (or less), we do the following: -Input into the hash function the top 10 bytes from the local 'md' -(which is initialized from the global 'md' before any bytes are -generated), the bytes that are to be overwritten by the random bytes, -and bytes from the 'state' (incrementing looping index). From this -digest output (which is kept in 'md'), the top (up to) 10 bytes are -returned to the caller and the bottom (up to) 10 bytes are xored into -the 'state'. +Input into the hash function the local 'md' (which is initialized from +the global 'md' before any bytes are generated), the bytes that are to +be overwritten by the random bytes, and bytes from the 'state' +(incrementing looping index). From this digest output (which is kept +in 'md'), the top (up to) 10 bytes are returned to the caller and the +bottom 10 bytes are xored into the 'state'. Finally, after we have finished 'num' random bytes for the caller, 'count' (which is incremented) and the local and global 'md' are fed diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod b/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod index 15067438c82..5686faf2998 100644 --- a/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod +++ b/lib/libssl/src/doc/ssl/SSL_CTX_get_ex_new_index.pod @@ -40,7 +40,7 @@ SSL_CTX_get_ex_data() is used to retrieve the information for B<idx> from B<ctx>. A detailed description for the B<*_get_ex_new_index()> functionality -can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>. +can be found in L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>. The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>. diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_load_verify_locations.pod b/lib/libssl/src/doc/ssl/SSL_CTX_load_verify_locations.pod index 88f18bd5ff4..0f63537e784 100644 --- a/lib/libssl/src/doc/ssl/SSL_CTX_load_verify_locations.pod +++ b/lib/libssl/src/doc/ssl/SSL_CTX_load_verify_locations.pod @@ -33,10 +33,6 @@ which can be used e.g. for descriptions of the certificates. The B<CAfile> is processed on execution of the SSL_CTX_load_verify_locations() function. -If on an TLS/SSL server no special setting is performed using *client_CA_list() -functions, the certificates contained in B<CAfile> are listed to the client -as available CAs during the TLS/SSL handshake. - If B<CApath> is not NULL, it points to a directory containing CA certificates in PEM format. The files each contain one CA certificate. The files are looked up by the CA subject name hash value, which must hence be available. @@ -50,9 +46,6 @@ The certificates in B<CApath> are only looked up when required, e.g. when building the certificate chain or when actually performing the verification of a peer certificate. -On a server, the certificates in B<CApath> are not listed as available -CA certificates to a client during a TLS/SSL handshake. - When looking up CA certificates, the OpenSSL library will first search the certificates in B<CAfile>, then those in B<CApath>. Certificate matching is done based on the subject name, the key identifier (if present), and the @@ -62,6 +55,13 @@ matching the parameters is found, the verification process will be performed; no other certificates for the same parameters will be searched in case of failure. +In server mode, when requesting a client certificate, the server must send +the list of CAs of which it will accept client certificates. This list +is not influenced by the contents of B<CAfile> or B<CApath> and must +explicitely be set using the +L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)> +family of functions. + When building its own certificate chain, an OpenSSL client/server will try to fill in missing certificates from B<CAfile>/B<CApath>, if the certificate chain was not explicitly specified (see diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_set_client_CA_list.pod b/lib/libssl/src/doc/ssl/SSL_CTX_set_client_CA_list.pod index 81e312761e7..632b556d126 100644 --- a/lib/libssl/src/doc/ssl/SSL_CTX_set_client_CA_list.pod +++ b/lib/libssl/src/doc/ssl/SSL_CTX_set_client_CA_list.pod @@ -36,25 +36,23 @@ the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object. When a TLS/SSL server requests a client certificate (see B<SSL_CTX_set_verify_options()>), it sends a list of CAs, for which -it will accept certificates, to the client. If no special list is provided, -the CAs available using the B<CAfile> option in -L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> -are sent. +it will accept certificates, to the client. -This list can be explicitly set using the SSL_CTX_set_client_CA_list() for +This list must explicitly be set using SSL_CTX_set_client_CA_list() for B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list specified overrides the previous setting. The CAs listed do not become trusted (B<list> only contains the names, not the complete certificates); use L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> to additionally load them for verification. +If the list of acceptable CAs is compiled in a file, the +L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)> +function can be used to help importing the necessary data. + SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional items the list of client CAs. If no list was specified before using SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client -CA list for B<ctx> or B<ssl> (as appropriate) is opened. The CAs implicitly -specified using -L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> -are no longer used automatically. +CA list for B<ctx> or B<ssl> (as appropriate) is opened. These functions are only useful for TLS/SSL servers. @@ -80,11 +78,17 @@ to find out the reason. =back +=head1 EXAMPLES + +Scan all certificates in B<CAfile> and list them as acceptable CAs: + + SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); + =head1 SEE ALSO L<ssl(3)|ssl(3)>, L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>, -L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)> +L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>, L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod b/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod index 083766f8d08..8bbfc787209 100644 --- a/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod +++ b/lib/libssl/src/doc/ssl/SSL_CTX_set_session_cache_mode.pod @@ -101,7 +101,7 @@ L<SSL_CTX_sess_number(3)|SSL_CTX_sess_number(3)>, L<SSL_CTX_sess_set_cache_size(3)|SSL_CTX_sess_set_cache_size(3)>, L<SSL_CTX_sess_set_get_cb(3)|SSL_CTX_sess_set_get_cb(3)>, L<SSL_CTX_set_session_id_context(3)|SSL_CTX_set_session_id_context(3)>, -L<SSL_CTX_set_timeout.pod(3)|SSL_CTX_set_timeout.pod(3)>, +L<SSL_CTX_set_timeout(3)|SSL_CTX_set_timeout(3)>, L<SSL_CTX_flush_sessions(3)|SSL_CTX_flush_sessions(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod b/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod index dd5cb4f04bb..da0bcf1590c 100644 --- a/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod +++ b/lib/libssl/src/doc/ssl/SSL_SESSION_get_ex_new_index.pod @@ -40,7 +40,7 @@ SSL_SESSION_get_ex_data() is used to retrieve the information for B<idx> from B<session>. A detailed description for the B<*_get_ex_new_index()> functionality -can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>. +can be found in L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>. The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>. diff --git a/lib/libssl/src/doc/ssl/SSL_get_error.pod b/lib/libssl/src/doc/ssl/SSL_get_error.pod index fefaf619369..d95eec78aa1 100644 --- a/lib/libssl/src/doc/ssl/SSL_get_error.pod +++ b/lib/libssl/src/doc/ssl/SSL_get_error.pod @@ -69,6 +69,17 @@ to read data. This is mainly because TLS/SSL handshakes may occur at any time during the protocol (initiated by either the client or the server); SSL_read(), SSL_peek(), and SSL_write() will handle any pending handshakes. +=item SSL_ERROR_WANT_CONNECT + +The operation did not complete; the same TLS/SSL I/O function should be +called again later. The underlying BIO was not connected yet to the peer +and the call would block in connect(). The SSL function should be +called again when the connection is established. This messages can only +appear with a BIO_s_connect() BIO. +In order to find out, when the connection has been successfully established, +on many platforms select() or poll() for writing on the socket file descriptor +can be used. + =item SSL_ERROR_WANT_X509_LOOKUP The operation did not complete because an application callback set by diff --git a/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod b/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod index 2b69bb10500..6644ef8fbc1 100644 --- a/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod +++ b/lib/libssl/src/doc/ssl/SSL_get_ex_new_index.pod @@ -40,7 +40,7 @@ SSL_get_ex_data() is used to retrieve the information for B<idx> from B<ssl>. A detailed description for the B<*_get_ex_new_index()> functionality -can be found in L<RSA_get_ex_new_index.pod(3)|RSA_get_ex_new_index.pod(3)>. +can be found in L<RSA_get_ex_new_index(3)|RSA_get_ex_new_index(3)>. The B<*_get_ex_data()> and B<*_set_ex_data()> functionality is described in L<CRYPTO_set_ex_data(3)|CRYPTO_set_ex_data(3)>. diff --git a/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod b/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod index 1102c7fba90..18d1db5183b 100644 --- a/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod +++ b/lib/libssl/src/doc/ssl/SSL_get_peer_certificate.pod @@ -17,6 +17,12 @@ peer presented. If the peer did not present a certificate, NULL is returned. =head1 NOTES +Due to the protocol definition, a TLS/SSL server will always send a +certificate, if present. A client will only send a certificate when +explicitely requested to do so by the server (see +L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>). If an anonymous cipher +is used, no certificates are sent. + That a certificate is returned does not indicate information about the verification state, use L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> to check the verification state. @@ -43,6 +49,7 @@ The return value points to the certificate presented by the peer. =head1 SEE ALSO -L<ssl(3)|ssl(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)> +L<ssl(3)|ssl(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>, +L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_read.pod b/lib/libssl/src/doc/ssl/SSL_read.pod index 7db5ee0a22a..cc7aa1a5476 100644 --- a/lib/libssl/src/doc/ssl/SSL_read.pod +++ b/lib/libssl/src/doc/ssl/SSL_read.pod @@ -29,7 +29,22 @@ initialized to client or server mode. This is not the case if a generic method is being used (see L<SSL_CTX_new(3)|SSL_CTX_new(3)>, so that L<SSL_set_connect_state(3)|SSL_set_connect_state(3)> or SSL_set_accept_state() must be used before the first call to an SSL_read() or -L<SSL_write(3)|SSL_write(3)> function. +L<SSL_write(3)|SSL_write(3)> function). + +SSL_read() works based on the SSL/TLS records. The data are received in +records (with a maximum record size of 16kB for SSLv3/TLSv1). Only when a +record has been completely received, it can be processed (decryption and +check of integrity). Therefore data that was not retrieved at the last +call of SSL_read() can still be buffered inside the SSL layer and will be +retrieved on the next call to SSL_read(). If B<num> is higher than the +number of bytes buffered, SSL_read() will return with the bytes buffered. +If no more bytes are in the buffer, SSL_read() will trigger the processing +of the next record. Only when the record has been received and processed +completely, SSL_read() will return reporting success. At most the contents +of the record will be returned. As the size of an SSL/TLS record may exceed +the maximum packet size of the underlying transport (e.g. TCP), it may +be necessary to read several packets from the transport layer before the +record is complete and SSL_read() can succeed. If the underlying BIO is B<blocking>, SSL_read() will only return, once the read operation has been finished or an error occurred, except when a diff --git a/lib/libssl/src/doc/ssl/SSL_shutdown.pod b/lib/libssl/src/doc/ssl/SSL_shutdown.pod index 7988dd3c90b..c4ae6704e70 100644 --- a/lib/libssl/src/doc/ssl/SSL_shutdown.pod +++ b/lib/libssl/src/doc/ssl/SSL_shutdown.pod @@ -66,7 +66,7 @@ Call SSL_get_error() with the return value B<ret> to find out the reason. L<SSL_get_error(3)|SSL_get_error(3)>, L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>, -L<SSL_clear(3)|SSL_clear(3), L<SSL_free(3)|SSL_free(3)>, +L<SSL_clear(3)|SSL_clear(3)>, L<SSL_free(3)|SSL_free(3)>, L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)> =cut diff --git a/lib/libssl/src/doc/ssl/SSL_write.pod b/lib/libssl/src/doc/ssl/SSL_write.pod index be1ad76d3b4..b0dfefae20d 100644 --- a/lib/libssl/src/doc/ssl/SSL_write.pod +++ b/lib/libssl/src/doc/ssl/SSL_write.pod @@ -50,6 +50,17 @@ non-blocking socket, nothing is to be done, but select() can be used to check for the required condition. When using a buffering BIO, like a BIO pair, data must be written into or retrieved out of the BIO before being able to continue. +SSL_write() will only return with success, when the complete contents +of B<buf> of length B<num> has been written. This default behaviour +can be changed with the SSL_MODE_ENABLE_PARTIAL_WRITE option of +L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>. When this flag is set, +SSL_write() will also return with success, when a partial write has been +successfully completed. In this case the SSL_write() operation is considered +completed. The bytes are sent and a new SSL_write() operation with a new +buffer (with the already sent bytes removed) must be started. +A partial write is performed with the size of a message block, which is +16kB for SSLv3/TLSv1. + =head1 WARNING When an SSL_write() operation has to be repeated because of diff --git a/lib/libssl/src/e_os.h b/lib/libssl/src/e_os.h index fc61e0e00bf..44aec41406c 100644 --- a/lib/libssl/src/e_os.h +++ b/lib/libssl/src/e_os.h @@ -223,6 +223,7 @@ extern "C" { # define SSLEAY_CONF OPENSSL_CONF # define NUL_DEV "nul" # define RFILE ".rnd" +# define DEFAULT_HOME "C:" #else /* The non-microsoft world world */ diff --git a/lib/libssl/src/ssl/s2_srvr.c b/lib/libssl/src/ssl/s2_srvr.c index 1ed02540aec..2fa2f310a8e 100644 --- a/lib/libssl/src/ssl/s2_srvr.c +++ b/lib/libssl/src/ssl/s2_srvr.c @@ -405,12 +405,13 @@ static int get_client_master_key(SSL *s) /* bad decrypt */ #if 1 /* If a bad decrypt, continue with protocol but with a - * dud master secret */ + * random master secret (Bleichenbacher attack) */ if ((i < 0) || ((!is_export && (i != EVP_CIPHER_key_length(c))) || (is_export && ((i != ek) || (s->s2->tmp.clear+i != EVP_CIPHER_key_length(c)))))) { + ERR_clear_error(); if (is_export) i=ek; else diff --git a/lib/libssl/src/ssl/s3_enc.c b/lib/libssl/src/ssl/s3_enc.c index 9f52c39ca97..8709da91756 100644 --- a/lib/libssl/src/ssl/s3_enc.c +++ b/lib/libssl/src/ssl/s3_enc.c @@ -356,7 +356,7 @@ int ssl3_enc(SSL *s, int send) if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { - memcpy(rec->data,rec->input,rec->length); + memmove(rec->data,rec->input,rec->length); rec->input=rec->data; } else @@ -366,7 +366,6 @@ int ssl3_enc(SSL *s, int send) /* COMPRESS */ - /* This should be using (bs-1) and bs instead of 7 and 8 */ if ((bs != 1) && send) { i=bs-((int)l%bs); @@ -376,12 +375,24 @@ int ssl3_enc(SSL *s, int send) rec->length+=i; rec->input[l-1]=(i-1); } - + + if (!send) + { + if (l == 0 || l%bs != 0) + { + SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPT_ERROR); + return(0); + } + } + EVP_Cipher(ds,rec->data,rec->input,l); if ((bs != 1) && !send) { i=rec->data[l-1]+1; + /* SSL 3.0 bounds the number of padding bytes by the block size; + * padding bytes (except that last) are arbitrary */ if (i > bs) { SSLerr(SSL_F_SSL3_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); diff --git a/lib/libssl/src/ssl/s3_srvr.c b/lib/libssl/src/ssl/s3_srvr.c index d04232960e3..258af84867a 100644 --- a/lib/libssl/src/ssl/s3_srvr.c +++ b/lib/libssl/src/ssl/s3_srvr.c @@ -1322,14 +1322,15 @@ static int ssl3_get_client_key_exchange(SSL *s) i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); + al = -1; + if (i != SSL_MAX_MASTER_KEY_LENGTH) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); - goto f_err; } - if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) + if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) { /* The premaster secret must contain the same version number as the * ClientHello to detect version rollback attacks (strangely, the @@ -1347,6 +1348,27 @@ static int ssl3_get_client_key_exchange(SSL *s) } } + if (al != -1) + { +#if 0 + goto f_err; +#else + /* Some decryption failure -- use random value instead as countermeasure + * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding + * (see RFC 2246, section 7.4.7.1). + * But note that due to length and protocol version checking, the + * attack is impractical anyway (see section 5 in D. Bleichenbacher: + * "Chosen Ciphertext Attacks Against Protocols Based on the RSA + * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12). + */ + ERR_clear_error(); + i = SSL_MAX_MASTER_KEY_LENGTH; + p[0] = s->client_version >> 8; + p[1] = s->client_version & 0xff; + RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ +#endif + } + s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key, diff --git a/lib/libssl/src/ssl/t1_enc.c b/lib/libssl/src/ssl/t1_enc.c index d10a23af8eb..a0758e92614 100644 --- a/lib/libssl/src/ssl/t1_enc.c +++ b/lib/libssl/src/ssl/t1_enc.c @@ -420,7 +420,7 @@ int tls1_enc(SSL *s, int send) if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { - memcpy(rec->data,rec->input,rec->length); + memmove(rec->data,rec->input,rec->length); rec->input=rec->data; } else @@ -447,11 +447,21 @@ int tls1_enc(SSL *s, int send) rec->length+=i; } + if (!send) + { + if (l == 0 || l%bs != 0) + { + SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPT_ERROR); + return(0); + } + } + EVP_Cipher(ds,rec->data,rec->input,l); if ((bs != 1) && !send) { - ii=i=rec->data[l-1]; + ii=i=rec->data[l-1]; /* padding_length */ i++; if (s->options&SSL_OP_TLS_BLOCK_PADDING_BUG) { @@ -462,6 +472,8 @@ int tls1_enc(SSL *s, int send) if (s->s3->flags & TLS1_FLAGS_TLS_PADDING_BUG) i--; } + /* TLS 1.0 does not bound the number of padding bytes by the block size. + * All of them must have value 'padding_length'. */ if (i > (int)rec->length) { SSLerr(SSL_F_TLS1_ENC,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG); diff --git a/lib/libssl/src/test/Makefile.ssl b/lib/libssl/src/test/Makefile.ssl index 9c7b7dd1588..7384243cbdb 100644 --- a/lib/libssl/src/test/Makefile.ssl +++ b/lib/libssl/src/test/Makefile.ssl @@ -192,7 +192,7 @@ test_bn: @./$(BNTEST) >tmp.bntest @echo quit >>tmp.bntest @echo "running bc" - @<tmp.bntest sh -c "`sh ./bctest || true`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' + @<tmp.bntest sh -c "`sh ./bctest ignore`" | $(PERL) -e '$$i=0; while (<STDIN>) {if (/^test (.*)/) {print STDERR "\nverify $$1";} elsif (!/^0$$/) {die "\nFailed! bc: $$_";} else {print STDERR "."; $$i++;}} print STDERR "\n$$i tests passed\n"' @echo 'test a^b%c implementations' ./$(EXPTEST) diff --git a/lib/libssl/ssl/shlib_version b/lib/libssl/ssl/shlib_version index 3066b9771e7..900b4048a96 100644 --- a/lib/libssl/ssl/shlib_version +++ b/lib/libssl/ssl/shlib_version @@ -1,2 +1,2 @@ major=5 -minor=0 +minor=1 |