Import OpenSSL-1.0.1a.
authorPeter Avalos <pavalos@dragonflybsd.org>
Sat, 21 Apr 2012 03:33:46 +0000 (20:33 -0700)
committerPeter Avalos <pavalos@dragonflybsd.org>
Sat, 21 Apr 2012 03:33:46 +0000 (20:33 -0700)
o Fix for ASN1 overflow bug CVE-2012-2110.
o Workarounds for some servers that hang on long client hellos.
o Fix SEGV in AES code.

39 files changed:
crypto/openssl/CHANGES
crypto/openssl/FAQ
crypto/openssl/NEWS
crypto/openssl/README
crypto/openssl/README.DELETED
crypto/openssl/apps/s_client.c
crypto/openssl/apps/s_server.c
crypto/openssl/crypto/aes/asm/bsaes-x86_64.pl
crypto/openssl/crypto/aes/asm/vpaes-x86.pl
crypto/openssl/crypto/aes/asm/vpaes-x86_64.pl
crypto/openssl/crypto/asn1/a_d2i_fp.c
crypto/openssl/crypto/asn1/tasn_prn.c
crypto/openssl/crypto/bio/b_sock.c
crypto/openssl/crypto/bio/bio_lib.c
crypto/openssl/crypto/bn/bn_gf2m.c
crypto/openssl/crypto/buffer/buffer.c
crypto/openssl/crypto/cmac/cmac.c
crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c
crypto/openssl/crypto/evp/e_rc4_hmac_md5.c
crypto/openssl/crypto/evp/evp_enc.c
crypto/openssl/crypto/evp/p5_crpt.c
crypto/openssl/crypto/mem.c
crypto/openssl/crypto/modes/modes_lcl.h
crypto/openssl/crypto/opensslv.h
crypto/openssl/crypto/pkcs7/pk7_doit.c
crypto/openssl/crypto/x509/x509_lu.c
crypto/openssl/doc/crypto/EVP_DigestInit.pod
crypto/openssl/ssl/bio_ssl.c
crypto/openssl/ssl/d1_lib.c
crypto/openssl/ssl/d1_srvr.c
crypto/openssl/ssl/s23_clnt.c
crypto/openssl/ssl/s3_clnt.c
crypto/openssl/ssl/s3_lib.c
crypto/openssl/ssl/s3_pkt.c
crypto/openssl/ssl/s3_srvr.c
crypto/openssl/ssl/ssl.h
crypto/openssl/ssl/ssl_ciph.c
crypto/openssl/ssl/ssl_err.c
crypto/openssl/ssl/t1_lib.c

index 03d7314..1e96080 100644 (file)
@@ -2,6 +2,36 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1 and 1.0.1a [19 Apr 2012]
+
+  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
+     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
+     in CRYPTO_realloc_clean.
+
+     Thanks to Tavis Ormandy, Google Security Team, for discovering this
+     issue and to Adam Langley <agl@chromium.org> for fixing it.
+     (CVE-2012-2110)
+     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
+
+  *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections.
+     [Adam Langley]
+
+  *) Workarounds for some broken servers that "hang" if a client hello
+     record length exceeds 255 bytes.
+
+     1. Do not use record version number > TLS 1.0 in initial client
+        hello: some (but not all) hanging servers will now work.
+     2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate
+       the number of ciphers sent in the client hello. This should be
+        set to an even number, such as 50, for example by passing:
+        -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure.
+        Most broken servers should now work.
+     3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable
+       TLS 1.2 client support entirely.
+
+  *) Fix SEGV in Vector Permutation AES module observed in OpenSSH.
+     [Andy Polyakov]
+
  Changes between 1.0.0h and 1.0.1  [14 Mar 2012]
 
   *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET
        Add command line options to s_client/s_server.
      [Steve Henson]
 
- Changes between 1.0.0g and 1.0.0h [xx XXX xxxx]
+ Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
+
+  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
+     in CMS and PKCS7 code. When RSA decryption fails use a random key for
+     content decryption and always return the same error. Note: this attack
+     needs on average 2^20 messages so it only affects automated senders. The
+     old behaviour can be reenabled in the CMS code by setting the
+     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
+     an MMA defence is not necessary.
+     Thanks to Ivan Nestlerode <inestlerode@us.ibm.com> for discovering
+     this issue. (CVE-2012-0884)
+     [Steve Henson]
 
   *) Fix CVE-2011-4619: make sure we really are receiving a 
      client hello before rejecting multiple SGC restarts. Thanks to
index b9243a6..0ba347e 100644 (file)
@@ -82,7 +82,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1 was released on Mar 14th, 2012.
+OpenSSL 1.0.1a was released on Apr 19th, 2012.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
index 3db8ea9..8bcb98a 100644 (file)
@@ -5,6 +5,12 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a:
+
+      o Fix for ASN1 overflow bug CVE-2012-2110
+      o Workarounds for some servers that hang on long client hellos.
+      o Fix SEGV in AES code.
+
   Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1:
 
       o TLS/DTLS heartbeat support.
index 3a0456c..3ab22da 100644 (file)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1 14 Mar 2012
+ OpenSSL 1.0.1a 19 Apr 2012
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
index d17c4b6..dbc047d 100644 (file)
@@ -12,7 +12,6 @@ INSTALL.W64
 INSTALL.WCE
 MacOS/
 Makefile
-Makefile.bak
 Makefile.org
 Makefile.shared
 Netware/
index 098cce2..fc806eb 100644 (file)
@@ -622,13 +622,7 @@ int MAIN(int argc, char **argv)
        SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
 #endif
 
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
        meth=SSLv23_client_method();
-#elif !defined(OPENSSL_NO_SSL3)
-       meth=SSLv3_client_method();
-#elif !defined(OPENSSL_NO_SSL2)
-       meth=SSLv2_client_method();
-#endif
 
        apps_startup();
        c_Pause=0;
index fe29b4c..3f9b370 100644 (file)
@@ -969,17 +969,7 @@ int MAIN(int argc, char *argv[])
        char *srpuserseed = NULL;
        char *srp_verifier_file = NULL;
 #endif
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
        meth=SSLv23_server_method();
-#elif !defined(OPENSSL_NO_SSL3)
-       meth=SSLv3_server_method();
-#elif !defined(OPENSSL_NO_SSL2)
-       meth=SSLv2_server_method();
-#elif !defined(OPENSSL_NO_TLS1)
-       meth=TLSv1_server_method();
-#else
-  /*  #error no SSL version enabled */
-#endif
 
        local_argc=argc;
        local_argv=argv;
index ff7e3af..c9c6312 100644 (file)
 # function is:
 #
 #              conversion      conversion/8x block
-# Core 2       410             0.37
-# Nehalem      310             0.35
-# Atom         570             0.26
+# Core 2       240             0.22
+# Nehalem      180             0.20
+# Atom         430             0.19
 #
 # The ratio values mean that 128-byte blocks will be processed
-# 21-27% slower, 256-byte blocks - 12-16%, 384-byte blocks - 8-11%,
+# 16-18% slower, 256-byte blocks - 9-10%, 384-byte blocks - 6-7%,
 # etc. Then keep in mind that input sizes not divisible by 128 are
 # *effectively* slower, especially shortest ones, e.g. consecutive
 # 144-byte blocks are processed 44% slower than one would expect,
@@ -85,6 +85,7 @@
 #
 # Core 2       11.0
 # Nehalem      9.16
+# Atom         20.9
 #
 # November 2011.
 #
@@ -754,7 +755,7 @@ _bsaes_encrypt8:
 
        movdqa  ($key), @XMM[9]         # round 0 key
        lea     0x10($key), $key
-       movdqa  0x60($const), @XMM[8]   # .LM0SR
+       movdqa  0x50($const), @XMM[8]   # .LM0SR
        pxor    @XMM[9], @XMM[0]        # xor with round0 key
        pxor    @XMM[9], @XMM[1]
         pshufb @XMM[8], @XMM[0]
@@ -905,46 +906,82 @@ $code.=<<___;
 .type  _bsaes_key_convert,\@abi-omnipotent
 .align 16
 _bsaes_key_convert:
-       lea     .LBS1(%rip), $const
+       lea     .Lmasks(%rip), $const
        movdqu  ($inp), %xmm7           # load round 0 key
-       movdqa  -0x10($const), %xmm8    # .LBS0
-       movdqa  0x00($const), %xmm9     # .LBS1
-       movdqa  0x10($const), %xmm10    # .LBS2
-       movdqa  0x40($const), %xmm13    # .LM0
-       movdqa  0x60($const), %xmm14    # .LNOT
-
-       movdqu  0x10($inp), %xmm6       # load round 1 key
        lea     0x10($inp), $inp
+       movdqa  0x00($const), %xmm0     # 0x01...
+       movdqa  0x10($const), %xmm1     # 0x02...
+       movdqa  0x20($const), %xmm2     # 0x04...
+       movdqa  0x30($const), %xmm3     # 0x08...
+       movdqa  0x40($const), %xmm4     # .LM0
+       pcmpeqd %xmm5, %xmm5            # .LNOT
+
+       movdqu  ($inp), %xmm6           # load round 1 key
        movdqa  %xmm7, ($out)           # save round 0 key
        lea     0x10($out), $out
        dec     $rounds
        jmp     .Lkey_loop
 .align 16
 .Lkey_loop:
-       pshufb  %xmm13, %xmm6           # .LM0
-       movdqa  %xmm6, %xmm7
-___
-       &bitslice_key   (map("%xmm$_",(0..7, 8..12)));
-$code.=<<___;
-       pxor    %xmm14, %xmm5           # "pnot"
-       pxor    %xmm14, %xmm6
-       pxor    %xmm14, %xmm0
-       pxor    %xmm14, %xmm1
-       lea     0x10($inp), $inp
-       movdqa  %xmm0, 0x00($out)       # write bit-sliced round key
-       movdqa  %xmm1, 0x10($out)
-       movdqa  %xmm2, 0x20($out)
-       movdqa  %xmm3, 0x30($out)
-       movdqa  %xmm4, 0x40($out)
-       movdqa  %xmm5, 0x50($out)
-       movdqa  %xmm6, 0x60($out)
-       movdqa  %xmm7, 0x70($out)
+       pshufb  %xmm4, %xmm6            # .LM0
+
+       movdqa  %xmm0,  %xmm8
+       movdqa  %xmm1,  %xmm9
+
+       pand    %xmm6,  %xmm8
+       pand    %xmm6,  %xmm9
+       movdqa  %xmm2,  %xmm10
+       pcmpeqb %xmm0,  %xmm8
+       psllq   \$4,    %xmm0           # 0x10...
+       movdqa  %xmm3,  %xmm11
+       pcmpeqb %xmm1,  %xmm9
+       psllq   \$4,    %xmm1           # 0x20...
+
+       pand    %xmm6,  %xmm10
+       pand    %xmm6,  %xmm11
+       movdqa  %xmm0,  %xmm12
+       pcmpeqb %xmm2,  %xmm10
+       psllq   \$4,    %xmm2           # 0x40...
+       movdqa  %xmm1,  %xmm13
+       pcmpeqb %xmm3,  %xmm11
+       psllq   \$4,    %xmm3           # 0x80...
+
+       movdqa  %xmm2,  %xmm14
+       movdqa  %xmm3,  %xmm15
+        pxor   %xmm5,  %xmm8           # "pnot"
+        pxor   %xmm5,  %xmm9
+
+       pand    %xmm6,  %xmm12
+       pand    %xmm6,  %xmm13
+        movdqa %xmm8, 0x00($out)       # write bit-sliced round key
+       pcmpeqb %xmm0,  %xmm12
+       psrlq   \$4,    %xmm0           # 0x01...
+        movdqa %xmm9, 0x10($out)
+       pcmpeqb %xmm1,  %xmm13
+       psrlq   \$4,    %xmm1           # 0x02...
+        lea    0x10($inp), $inp
+
+       pand    %xmm6,  %xmm14
+       pand    %xmm6,  %xmm15
+        movdqa %xmm10, 0x20($out)
+       pcmpeqb %xmm2,  %xmm14
+       psrlq   \$4,    %xmm2           # 0x04...
+        movdqa %xmm11, 0x30($out)
+       pcmpeqb %xmm3,  %xmm15
+       psrlq   \$4,    %xmm3           # 0x08...
+        movdqu ($inp), %xmm6           # load next round key
+
+       pxor    %xmm5, %xmm13           # "pnot"
+       pxor    %xmm5, %xmm14
+       movdqa  %xmm12, 0x40($out)
+       movdqa  %xmm13, 0x50($out)
+       movdqa  %xmm14, 0x60($out)
+       movdqa  %xmm15, 0x70($out)
        lea     0x80($out),$out
-       movdqu  ($inp), %xmm6           # load next round key
        dec     $rounds
        jnz     .Lkey_loop
 
-       movdqa  0x70($const), %xmm7     # .L63
+       movdqa  0x50($const), %xmm7     # .L63
        #movdqa %xmm6, ($out)           # don't save last round key
        ret
 .size  _bsaes_key_convert,.-_bsaes_key_convert
@@ -2800,14 +2837,8 @@ _bsaes_const:
        .quad   0x0504070600030201, 0x0f0e0d0c0a09080b
 .LSRM0:
        .quad   0x0304090e00050a0f, 0x01060b0c0207080d
-.LM0:
-       .quad   0x02060a0e03070b0f, 0x0004080c0105090d
 .LM0SR:
        .quad   0x0a0e02060f03070b, 0x0004080c05090d01
-.LNOT:         # magic constants
-       .quad   0xffffffffffffffff, 0xffffffffffffffff
-.L63:
-       .quad   0x6363636363636363, 0x6363636363636363
 .LSWPUP:       # byte-swap upper dword
        .quad   0x0706050403020100, 0x0c0d0e0f0b0a0908
 .LSWPUPM0SR:
@@ -2830,6 +2861,15 @@ _bsaes_const:
        .quad   0x0000000000000000, 0x0000000800000000
 .Lxts_magic:
        .long   0x87,0,1,0
+.Lmasks:
+       .quad   0x0101010101010101, 0x0101010101010101
+       .quad   0x0202020202020202, 0x0202020202020202
+       .quad   0x0404040404040404, 0x0404040404040404
+       .quad   0x0808080808080808, 0x0808080808080808
+.LM0:
+       .quad   0x02060a0e03070b0f, 0x0004080c0105090d
+.L63:
+       .quad   0x6363636363636363, 0x6363636363636363
 .asciz "Bit-sliced AES for x86_64/SSSE3, Emilia K√§sper, Peter Schwabe, Andy Polyakov"
 .align 64
 .size  _bsaes_const,.-_bsaes_const
index 84a6f6d..1533e2c 100644 (file)
@@ -843,6 +843,8 @@ $k_dsbo=0x2c0;              # decryption sbox final output
        &mov    ($out,&wparam(1));              # out
        &mov    ($round,&wparam(2));            # len
        &mov    ($key,&wparam(3));              # key
+       &sub    ($round,16);
+       &jc     (&label("cbc_abort"));
        &lea    ($base,&DWP(-56,"esp"));
        &mov    ($const,&wparam(4));            # ivp
        &and    ($base,-16);
@@ -853,7 +855,6 @@ $k_dsbo=0x2c0;              # decryption sbox final output
        &mov    (&DWP(48,"esp"),$base);
 
        &mov    (&DWP(0,"esp"),$out);           # save out
-       &sub    ($round,16);
        &mov    (&DWP(4,"esp"),$key)            # save key
        &mov    (&DWP(8,"esp"),$const);         # save ivp
        &mov    ($out,$round);                  # $out works as $len
@@ -896,6 +897,7 @@ $k_dsbo=0x2c0;              # decryption sbox final output
        &mov    ($base,&DWP(8,"esp"));          # restore ivp
        &mov    ("esp",&DWP(48,"esp"));
        &movdqu (&QWP(0,$base),"xmm1");         # write IV
+&set_label("cbc_abort");
 &function_end("${PREFIX}_cbc_encrypt");
 
 &asm_finish();
index 0254702..37998db 100644 (file)
@@ -263,7 +263,7 @@ _vpaes_decrypt_core:
        pshufb  %xmm2,  %xmm4   # 4 = sbou
        pxor    %xmm0,  %xmm4   # 4 = sb1u + k
        movdqa  0x70(%r10), %xmm0       # 0 : sbot
-       movdqa  .Lk_sr-.Lk_dsbd(%r11), %xmm2
+       movdqa  -0x160(%r11), %xmm2     # .Lk_sr-.Lk_dsbd=-0x160
        pshufb  %xmm3,  %xmm0   # 0 = sb1t
        pxor    %xmm4,  %xmm0   # 0 = A
        pshufb  %xmm2,  %xmm0
@@ -869,6 +869,8 @@ ${PREFIX}_cbc_encrypt:
 ___
 ($len,$key)=($key,$len);
 $code.=<<___;
+       sub     \$16,$len
+       jc      .Lcbc_abort
 ___
 $code.=<<___ if ($win64);
        lea     -0xb8(%rsp),%rsp
@@ -887,7 +889,6 @@ ___
 $code.=<<___;
        movdqu  ($ivp),%xmm6            # load IV
        sub     $inp,$out
-       sub     \$16,$len
        call    _vpaes_preheat
        cmp     \$0,${enc}d
        je      .Lcbc_dec_loop
@@ -932,6 +933,7 @@ $code.=<<___ if ($win64);
 .Lcbc_epilogue:
 ___
 $code.=<<___;
+.Lcbc_abort:
        ret
 .size  ${PREFIX}_cbc_encrypt,.-${PREFIX}_cbc_encrypt
 ___
index ece40bc..52b2ebd 100644 (file)
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <limits.h>
 #include "cryptlib.h"
 #include <openssl/buffer.h>
 #include <openssl/asn1_mac.h>
@@ -143,17 +144,11 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
        BUF_MEM *b;
        unsigned char *p;
        int i;
-       int ret=-1;
        ASN1_const_CTX c;
-       int want=HEADER_SIZE;
+       size_t want=HEADER_SIZE;
        int eos=0;
-#if defined(__GNUC__) && defined(__ia64)
-       /* pathetic compiler bug in all known versions as of Nov. 2002 */
-       long off=0;
-#else
-       int off=0;
-#endif
-       int len=0;
+       size_t off=0;
+       size_t len=0;
 
        b=BUF_MEM_new();
        if (b == NULL)
@@ -169,7 +164,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
                        {
                        want-=(len-off);
 
-                       if (!BUF_MEM_grow_clean(b,len+want))
+                       if (len + want < len || !BUF_MEM_grow_clean(b,len+want))
                                {
                                ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
                                goto err;
@@ -181,7 +176,14 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
                                goto err;
                                }
                        if (i > 0)
+                               {
+                               if (len+i < len)
+                                       {
+                                       ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
+                                       goto err;
+                                       }
                                len+=i;
+                               }
                        }
                /* else data already loaded */
 
@@ -206,6 +208,11 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
                        {
                        /* no data body so go round again */
                        eos++;
+                       if (eos < 0)
+                               {
+                               ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_HEADER_TOO_LONG);
+                               goto err;
+                               }
                        want=HEADER_SIZE;
                        }
                else if (eos && (c.slen == 0) && (c.tag == V_ASN1_EOC))
@@ -220,10 +227,16 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
                else 
                        {
                        /* suck in c.slen bytes of data */
-                       want=(int)c.slen;
+                       want=c.slen;
                        if (want > (len-off))
                                {
                                want-=(len-off);
+                               if (want > INT_MAX /* BIO_read takes an int length */ ||
+                                       len+want < len)
+                                               {
+                                               ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
+                                               goto err;
+                                               }
                                if (!BUF_MEM_grow_clean(b,len+want))
                                        {
                                        ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
@@ -238,11 +251,18 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
                                                    ASN1_R_NOT_ENOUGH_DATA);
                                                goto err;
                                                }
+                                       /* This can't overflow because
+                                        * |len+want| didn't overflow. */
                                        len+=i;
-                                       want -= i;
+                                       want-=i;
                                        }
                                }
-                       off+=(int)c.slen;
+                       if (off + c.slen < off)
+                               {
+                               ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
+                               goto err;
+                               }
+                       off+=c.slen;
                        if (eos <= 0)
                                {
                                break;
@@ -252,9 +272,15 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
                        }
                }
 
+       if (off > INT_MAX)
+               {
+               ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG);
+               goto err;
+               }
+
        *pb = b;
        return off;
 err:
        if (b != NULL) BUF_MEM_free(b);
-       return(ret);
+       return -1;
        }
index 4536980..542a091 100644 (file)
@@ -446,11 +446,11 @@ static int asn1_print_fsname(BIO *out, int indent,
        return 1;
        }
 
-static int asn1_print_boolean_ctx(BIO *out, const int bool,
+static int asn1_print_boolean_ctx(BIO *out, int boolval,
                                                        const ASN1_PCTX *pctx)
        {
        const char *str;
-       switch (bool)
+       switch (boolval)
                {
                case -1:
                str = "BOOL ABSENT";
@@ -574,10 +574,10 @@ static int asn1_primitive_print(BIO *out, ASN1_VALUE **fld,
                {
                case V_ASN1_BOOLEAN:
                        {
-                       int bool = *(int *)fld;
-                       if (bool == -1)
-                               bool = it->size;
-                       ret = asn1_print_boolean_ctx(out, bool, pctx);
+                       int boolval = *(int *)fld;
+                       if (boolval == -1)
+                               boolval = it->size;
+                       ret = asn1_print_boolean_ctx(out, boolval, pctx);
                        }
                break;
 
index d47310d..41f958b 100644 (file)
@@ -960,7 +960,6 @@ int BIO_set_tcp_ndelay(int s, int on)
 #endif
        return(ret == 0);
        }
-#endif
 
 int BIO_socket_nbio(int s, int mode)
        {
@@ -973,3 +972,4 @@ int BIO_socket_nbio(int s, int mode)
 #endif
        return(ret == 0);
        }
+#endif
index e12bc3a..9c9646a 100644 (file)
@@ -521,40 +521,40 @@ void BIO_free_all(BIO *bio)
 
 BIO *BIO_dup_chain(BIO *in)
        {
-       BIO *ret=NULL,*eoc=NULL,*bio,*new;
+       BIO *ret=NULL,*eoc=NULL,*bio,*new_bio;
 
        for (bio=in; bio != NULL; bio=bio->next_bio)
                {
-               if ((new=BIO_new(bio->method)) == NULL) goto err;
-               new->callback=bio->callback;
-               new->cb_arg=bio->cb_arg;
-               new->init=bio->init;
-               new->shutdown=bio->shutdown;
-               new->flags=bio->flags;
+               if ((new_bio=BIO_new(bio->method)) == NULL) goto err;
+               new_bio->callback=bio->callback;
+               new_bio->cb_arg=bio->cb_arg;
+               new_bio->init=bio->init;
+               new_bio->shutdown=bio->shutdown;
+               new_bio->flags=bio->flags;
 
                /* This will let SSL_s_sock() work with stdin/stdout */
-               new->num=bio->num;
+               new_bio->num=bio->num;
 
-               if (!BIO_dup_state(bio,(char *)new))
+               if (!BIO_dup_state(bio,(char *)new_bio))
                        {
-                       BIO_free(new);
+                       BIO_free(new_bio);
                        goto err;
                        }
 
                /* copy app data */
-               if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_BIO, &new->ex_data,
+               if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_BIO, &new_bio->ex_data,
                                        &bio->ex_data))
                        goto err;
 
                if (ret == NULL)
                        {
-                       eoc=new;
+                       eoc=new_bio;
                        ret=eoc;
                        }
                else
                        {
-                       BIO_push(eoc,new);
-                       eoc=new;
+                       BIO_push(eoc,new_bio);
+                       eoc=new_bio;
                        }
                }
        return(ret);
index 08ab9fd..8a4dc20 100644 (file)
@@ -628,8 +628,11 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                        }
                if (ubits==vbits)
                        {
-                       bn_correct_top(u);
-                       ubits = BN_num_bits(u);
+                       BN_ULONG ul;
+                       int utop = (ubits-1)/BN_BITS2;
+
+                       while ((ul=udp[utop])==0 && utop) utop--;
+                       ubits = utop*BN_BITS2 + BN_num_bits_word(ul);
                        }
                }
        bn_correct_top(b);
index f4b358b..52e65df 100644 (file)
 #include "cryptlib.h"
 #include <openssl/buffer.h>
 
+/* LIMIT_BEFORE_EXPANSION is the maximum n such that (n+3)/3*4 < 2**31. That
+ * function is applied in several functions in this file and this limit ensures
+ * that the result fits in an int. */
+#define LIMIT_BEFORE_EXPANSION 0x5ffffffc
+
 BUF_MEM *BUF_MEM_new(void)
        {
        BUF_MEM *ret;
@@ -105,6 +110,12 @@ int BUF_MEM_grow(BUF_MEM *str, size_t len)
                str->length=len;
                return(len);
                }
+       /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
+       if (len > LIMIT_BEFORE_EXPANSION)
+               {
+               BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+               return 0;
+               }
        n=(len+3)/3*4;
        if (str->data == NULL)
                ret=OPENSSL_malloc(n);
@@ -142,6 +153,12 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len)
                str->length=len;
                return(len);
                }
+       /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
+       if (len > LIMIT_BEFORE_EXPANSION)
+               {
+               BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+               return 0;
+               }
        n=(len+3)/3*4;
        if (str->data == NULL)
                ret=OPENSSL_malloc(n);
index b586026..8b72b09 100644 (file)
@@ -179,6 +179,8 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
                        return 0;
                if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv))
                        return 0;
+               memset(ctx->tbl, 0, EVP_CIPHER_CTX_block_size(&ctx->cctx));
+               ctx->nlast_block = 0;
                return 1;
                }
        /* Initialiase context */
index 278c6ca..710fb79 100644 (file)
@@ -83,6 +83,8 @@ typedef struct
     } aux;
     } EVP_AES_HMAC_SHA1;
 
+#define NO_PAYLOAD_LENGTH      ((size_t)-1)
+
 #if    defined(AES_ASM) &&     ( \
        defined(__x86_64)       || defined(__x86_64__)  || \
        defined(_M_AMD64)       || defined(_M_X64)      || \
@@ -124,7 +126,7 @@ static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx,
        key->tail = key->head;
        key->md   = key->head;
 
-       key->payload_length = 0;
+       key->payload_length = NO_PAYLOAD_LENGTH;
 
        return ret<0?0:1;
        }
@@ -185,7 +187,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
        if (len%AES_BLOCK_SIZE) return 0;
 
        if (ctx->encrypt) {
-               if (plen==0)
+               if (plen==NO_PAYLOAD_LENGTH)
                        plen = len;
                else if (len!=((plen+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE))
                        return 0;
@@ -271,7 +273,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                }
        }
 
-       key->payload_length = 0;
+       key->payload_length = NO_PAYLOAD_LENGTH;
 
        return 1;
        }
index eaa7a53..3f32b25 100644 (file)
@@ -75,6 +75,8 @@ typedef struct
     size_t             payload_length;
     } EVP_RC4_HMAC_MD5;
 
+#define NO_PAYLOAD_LENGTH      ((size_t)-1)
+
 void rc4_md5_enc (RC4_KEY *key, const void *in0, void *out,
                MD5_CTX *ctx,const void *inp,size_t blocks);
 
@@ -93,7 +95,7 @@ static int rc4_hmac_md5_init_key(EVP_CIPHER_CTX *ctx,
        key->tail = key->head;
        key->md   = key->head;
 
-       key->payload_length = 0;
+       key->payload_length = NO_PAYLOAD_LENGTH;
 
        return 1;
        }
@@ -101,8 +103,7 @@ static int rc4_hmac_md5_init_key(EVP_CIPHER_CTX *ctx,
 #if    !defined(OPENSSL_NO_ASM) &&     ( \
        defined(__x86_64)       || defined(__x86_64__)  || \
        defined(_M_AMD64)       || defined(_M_X64)      || \
-       defined(__INTEL__)              ) && \
-       !(defined(__APPLE__) && defined(__MACH__))
+       defined(__INTEL__)              )
 #define        STITCHED_CALL
 #endif
 
@@ -123,10 +124,10 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 #endif
        size_t  plen = key->payload_length;
 
-       if (plen && len!=(plen+MD5_DIGEST_LENGTH)) return 0;
+       if (plen!=NO_PAYLOAD_LENGTH && len!=(plen+MD5_DIGEST_LENGTH)) return 0;
 
        if (ctx->encrypt) {
-               if (plen==0) plen = len;
+               if (plen==NO_PAYLOAD_LENGTH) plen = len;
 #if defined(STITCHED_CALL)
                /* cipher has to "fall behind" */
                if (rc4_off>md5_off) md5_off+=MD5_CBLOCK;
@@ -191,7 +192,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 #endif
                /* decrypt HMAC at once */
                RC4(&key->ks,len-rc4_off,in+rc4_off,out+rc4_off);
-               if (plen) {     /* "TLS" mode of operation */
+               if (plen!=NO_PAYLOAD_LENGTH) {  /* "TLS" mode of operation */
                        MD5_Update(&key->md,out+md5_off,plen-md5_off);
 
                        /* calculate HMAC and verify it */
@@ -207,7 +208,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
                }
        }
 
-       key->payload_length = 0;
+       key->payload_length = NO_PAYLOAD_LENGTH;
 
        return 1;
        }
@@ -288,6 +289,8 @@ static EVP_CIPHER r4_hmac_md5_cipher=
 
 const EVP_CIPHER *EVP_rc4_hmac_md5(void)
        {
-       return(&r4_hmac_md5_cipher);
+       extern unsigned int OPENSSL_ia32cap_P[];
+       /* RC4_CHAR flag ------------vvvvv */
+       return(OPENSSL_ia32cap_P[0]&(1<<20) ? NULL : &r4_hmac_md5_cipher);
        }
 #endif
index 6910726..8835d9a 100644 (file)
@@ -170,7 +170,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 #endif
 
 #ifdef OPENSSL_FIPS
-               return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+               if (FIPS_mode())
+                       return FIPS_cipherinit(ctx, cipher, key, iv, enc);
 #else
                ctx->cipher=cipher;
                if (ctx->cipher->ctx_size)
@@ -207,7 +208,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 skip_to_init:
 #endif
 #ifdef OPENSSL_FIPS
-       return FIPS_cipherinit(ctx, cipher, key, iv, enc);
+       if (FIPS_mode())
+               return FIPS_cipherinit(ctx, cipher, key, iv, enc);
 #else
        /* we assume block size is a power of 2 in *cryptUpdate */
        OPENSSL_assert(ctx->cipher->block_size == 1
index 7d9c1f0..294cc90 100644 (file)
@@ -138,5 +138,6 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen,
        OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH);
        rv = 1;
        err:
+       EVP_MD_CTX_cleanup(&ctx);
        return rv;
 }
index 8f736c3..21c0011 100644 (file)
@@ -363,6 +363,10 @@ void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file,
 
        if (num <= 0) return NULL;
 
+       /* We don't support shrinking the buffer. Note the memcpy that copies
+        * |old_len| bytes to the new buffer, below. */
+       if (num < old_len) return NULL;
+
        if (realloc_debug_func != NULL)
                realloc_debug_func(str, NULL, num, file, line, 0);
        ret=malloc_ex_func(num,file,line);
index 7a82a98..b6dc3c3 100644 (file)
@@ -45,7 +45,7 @@ typedef unsigned char u8;
 #  define BSWAP4(x) ({ u32 ret=(x);                    \
                        asm ("bswapl %0"                \
                        : "+r"(ret));   ret;            })
-# elif (defined(__i386) || defined(__i386__))
+# elif (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY)
 #  define BSWAP8(x) ({ u32 lo=(u64)(x)>>32,hi=(x);     \
                        asm ("bswapl %0; bswapl %1"     \
                        : "+r"(hi),"+r"(lo));           \
index bf42556..20e889e 100644 (file)
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER 0x1000100fL
+#define OPENSSL_VERSION_NUMBER 0x1000101fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.1-fips 14 Mar 2012"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.1a-fips 19 Apr 2012"
 #else
-#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.1 14 Mar 2012"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.1a 19 Apr 2012"
 #endif
 #define OPENSSL_VERSION_PTEXT  " part of " OPENSSL_VERSION_TEXT
 
index fae8eda..77fda3b 100644 (file)
@@ -430,6 +430,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
        STACK_OF(X509_ALGOR) *md_sk=NULL;
        STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
        PKCS7_RECIP_INFO *ri=NULL;
+       unsigned char *ek = NULL, *tkey = NULL;
+       int eklen = 0, tkeylen = 0;
 
        i=OBJ_obj2nid(p7->type);
        p7->state=PKCS7_S_HEADER;
@@ -507,8 +509,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                int max;
                X509_OBJECT ret;
 #endif
-               unsigned char *ek = NULL, *tkey = NULL;
-               int eklen, tkeylen;
 
                if ((etmp=BIO_new(BIO_f_cipher())) == NULL)
                        {
@@ -609,11 +609,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                        {
                        OPENSSL_cleanse(ek,eklen);
                        OPENSSL_free(ek);
+                       ek = NULL;
                        }
                if (tkey)
                        {
                        OPENSSL_cleanse(tkey,tkeylen);
                        OPENSSL_free(tkey);
+                       tkey = NULL;
                        }
 
                if (out == NULL)
@@ -656,6 +658,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
        if (0)
                {
 err:
+               if (ek)
+                       {
+                       OPENSSL_cleanse(ek,eklen);
+                       OPENSSL_free(ek);
+                       }
+               if (tkey)
+                       {
+                       OPENSSL_cleanse(tkey,tkeylen);
+                       OPENSSL_free(tkey);
+                       }
                if (out != NULL) BIO_free_all(out);
                if (btmp != NULL) BIO_free_all(btmp);
                if (etmp != NULL) BIO_free_all(etmp);
index 3a6e04a..38525a8 100644 (file)
@@ -87,7 +87,7 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx)
        if (ctx == NULL) return;
        if (    (ctx->method != NULL) &&
                (ctx->method->free != NULL))
-               ctx->method->free(ctx);
+               (*ctx->method->free)(ctx);
        OPENSSL_free(ctx);
        }
 
index 5b477ac..367691c 100644 (file)
@@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate,
 EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE,
 EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size,
 EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type,
-EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2,
+EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224, EVP_sha256,
+EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2,
 EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj -
 EVP digest routines
 
@@ -33,16 +34,15 @@ EVP digest routines
 
  int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in);  
 
- #define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */
+ #define EVP_MAX_MD_SIZE 64    /* SHA512 */
 
+ int EVP_MD_type(const EVP_MD *md);
+ int EVP_MD_pkey_type(const EVP_MD *md);       
+ int EVP_MD_size(const EVP_MD *md);
+ int EVP_MD_block_size(const EVP_MD *md);
 
- #define EVP_MD_type(e)                        ((e)->type)
- #define EVP_MD_pkey_type(e)           ((e)->pkey_type)
- #define EVP_MD_size(e)                        ((e)->md_size)
- #define EVP_MD_block_size(e)          ((e)->block_size)
-
- #define EVP_MD_CTX_md(e)              (e)->digest)
- #define EVP_MD_CTX_size(e)            EVP_MD_size((e)->digest)
+ const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx);
+ #define EVP_MD_CTX_size(e)            EVP_MD_size(EVP_MD_CTX_md(e))
  #define EVP_MD_CTX_block_size(e)      EVP_MD_block_size((e)->digest)
  #define EVP_MD_CTX_type(e)            EVP_MD_type((e)->digest)
 
@@ -56,6 +56,11 @@ EVP digest routines
  const EVP_MD *EVP_mdc2(void);
  const EVP_MD *EVP_ripemd160(void);
 
+ const EVP_MD *EVP_sha224(void);
+ const EVP_MD *EVP_sha256(void);
+ const EVP_MD *EVP_sha384(void);
+ const EVP_MD *EVP_sha512(void);
+
  const EVP_MD *EVP_get_digestbyname(const char *name);
  #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a))
  #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a))
@@ -124,12 +129,14 @@ B<EVP_MD_CTX>.
 
 EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated
 with this digest. For example EVP_sha1() is associated with RSA so this will
-return B<NID_sha1WithRSAEncryption>. This "link" between digests and signature
-algorithms may not be retained in future versions of OpenSSL.
+return B<NID_sha1WithRSAEncryption>. Since digests and signature algorithms
+are no longer linked this function is only retained for compatibility
+reasons.
 
-EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160()
-return B<EVP_MD> structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest
-algorithms respectively. The associated signature algorithm is RSA in each case.
+EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(),
+EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160() return B<EVP_MD>
+structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384, SHA512, MDC2
+and RIPEMD160 digest algorithms respectively. 
 
 EVP_dss() and EVP_dss1() return B<EVP_MD> structures for SHA and SHA1 digest
 algorithms but using DSS (DSA) for the signature algorithm. Note: there is 
@@ -171,8 +178,8 @@ The B<EVP> interface to message digests should almost always be used in
 preference to the low level interfaces. This is because the code then becomes
 transparent to the digest used and much more flexible.
 
-SHA1 is the digest of choice for new applications. The other digest algorithms
-are still in common use.
+New applications should use the SHA2 digest algorithms such as SHA256. 
+The other digest algorithms are still in common use.
 
 For most applications the B<impl> parameter to EVP_DigestInit_ex() will be
 set to NULL to use the default digest implementation.
@@ -187,6 +194,19 @@ implementations of digests to be specified.
 In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use
 memory leaks will occur. 
 
+Stack allocation of EVP_MD_CTX structures is common, for example:
+
+ EVP_MD_CTX mctx;
+ EVP_MD_CTX_init(&mctx);
+
+This will cause binary compatibility issues if the size of EVP_MD_CTX
+structure changes (this will only happen with a major release of OpenSSL).
+Applications wishing to avoid this should use EVP_MD_CTX_create() instead:
+
+ EVP_MD_CTX *mctx;
+ mctx = EVP_MD_CTX_create();
+
+
 =head1 EXAMPLE
 
 This example digests the data "Test Message\n" and "Hello World\n", using the
@@ -197,7 +217,7 @@ digest name passed on the command line.
 
  main(int argc, char *argv[])
  {
- EVP_MD_CTX mdctx;
+ EVP_MD_CTX *mdctx;
  const EVP_MD *md;
  char mess1[] = "Test Message\n";
  char mess2[] = "Hello World\n";
@@ -218,12 +238,12 @@ digest name passed on the command line.
        exit(1);
  }
 
EVP_MD_CTX_init(&mdctx);
- EVP_DigestInit_ex(&mdctx, md, NULL);
- EVP_DigestUpdate(&mdctx, mess1, strlen(mess1));
- EVP_DigestUpdate(&mdctx, mess2, strlen(mess2));
- EVP_DigestFinal_ex(&mdctx, md_value, &md_len);
- EVP_MD_CTX_cleanup(&mdctx);
mdctx = EVP_MD_CTX_create();
+ EVP_DigestInit_ex(mdctx, md, NULL);
+ EVP_DigestUpdate(mdctx, mess1, strlen(mess1));
+ EVP_DigestUpdate(mdctx, mess2, strlen(mess2));
+ EVP_DigestFinal_ex(mdctx, md_value, &md_len);
+ EVP_MD_CTX_destroy(mdctx);
 
  printf("Digest is: ");
  for(i = 0; i < md_len; i++) printf("%02x", md_value[i]);
index eedac8a..e9552ca 100644 (file)
@@ -538,6 +538,7 @@ err:
 
 BIO *BIO_new_ssl_connect(SSL_CTX *ctx)
        {
+#ifndef OPENSSL_NO_SOCK
        BIO *ret=NULL,*con=NULL,*ssl=NULL;
 
        if ((con=BIO_new(BIO_s_connect())) == NULL)
@@ -549,6 +550,7 @@ BIO *BIO_new_ssl_connect(SSL_CTX *ctx)
        return(ret);
 err:
        if (con != NULL) BIO_free(con);
+#endif
        return(NULL);
        }
 
index 56f6253..f61f718 100644 (file)
@@ -412,7 +412,7 @@ int dtls1_check_timeout_num(SSL *s)
        if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT)
                {
                /* fail the connection, enough alerts have been sent */
-               SSLerr(SSL_F_DTLS1_HANDLE_TIMEOUT,SSL_R_READ_TIMEOUT_EXPIRED);
+               SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM,SSL_R_READ_TIMEOUT_EXPIRED);
                return -1;
                }
 
index 5822379..29421da 100644 (file)
@@ -920,7 +920,7 @@ int dtls1_send_server_hello(SSL *s)
                p=s->s3->server_random;
                Time=(unsigned long)time(NULL);                 /* Time */
                l2n(Time,p);
-               RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time));
+               RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
                /* Do the message type and length last */
                d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
 
index b3c4823..0f2e19e 100644 (file)
@@ -287,12 +287,14 @@ static int ssl23_client_hello(SSL *s)
 
        if (ssl2_compat && ssl23_no_ssl2_ciphers(s))
                ssl2_compat = 0;
-
+#ifndef OPENSSL_NO_TLS1_2_CLIENT
        if (!(s->options & SSL_OP_NO_TLSv1_2))
                {
                version = TLS1_2_VERSION;
                }
-       else if (!(s->options & SSL_OP_NO_TLSv1_1))
+       else
+#endif
+       if (!(s->options & SSL_OP_NO_TLSv1_1))
                {
                version = TLS1_1_VERSION;
                }
@@ -467,6 +469,15 @@ static int ssl23_client_hello(SSL *s)
                                SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
                                return -1;
                                }
+#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
+                       /* Some servers hang if client hello > 256 bytes
+                        * as hack workaround chop number of supported ciphers
+                        * to keep it well below this if we use TLS v1.2
+                        */
+                       if (TLS1_get_version(s) >= TLS1_2_VERSION
+                               && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
+                               i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
+#endif
                        s2n(i,p);
                        p+=i;
 
@@ -521,8 +532,13 @@ static int ssl23_client_hello(SSL *s)
                        d=buf;
                        *(d++) = SSL3_RT_HANDSHAKE;
                        *(d++) = version_major;
-                       *(d++) = version_minor; /* arguably we should send the *lowest* suported version here
-                                                * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */
+                       /* Some servers hang if we use long client hellos
+                        * and a record number > TLS 1.0.
+                        */
+                       if (TLS1_get_client_version(s) > TLS1_VERSION)
+                               *(d++) = 1;
+                       else
+                               *(d++) = version_minor;
                        s2n((int)l,d);
 
                        /* number of bytes to write */
index 4511a91..b80d052 100644 (file)
@@ -755,6 +755,15 @@ int ssl3_client_hello(SSL *s)
                        SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE);
                        goto err;
                        }
+#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH
+                       /* Some servers hang if client hello > 256 bytes
+                        * as hack workaround chop number of supported ciphers
+                        * to keep it well below this if we use TLS v1.2
+                        */
+                       if (TLS1_get_version(s) >= TLS1_2_VERSION
+                               && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
+                               i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1;
+#endif
                s2n(i,p);
                p+=i;
 
index db75479..fb60cde 100644 (file)
@@ -1081,7 +1081,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aRSA,
        SSL_eNULL,
        SSL_SHA256,
-       SSL_SSLV3,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        0,
@@ -1097,7 +1097,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aRSA,
        SSL_AES128,
        SSL_SHA256,
-       SSL_TLSV1,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        128,
@@ -1113,7 +1113,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aRSA,
        SSL_AES256,
        SSL_SHA256,
-       SSL_TLSV1,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        256,
@@ -1129,7 +1129,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aDH,
        SSL_AES128,
        SSL_SHA256,
-       SSL_TLSV1,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        128,
@@ -1145,7 +1145,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aDH,
        SSL_AES128,
        SSL_SHA256,
-       SSL_TLSV1,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        128,
@@ -1161,7 +1161,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aDSS,
        SSL_AES128,
        SSL_SHA256,
-       SSL_TLSV1,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        128,
@@ -1395,7 +1395,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aRSA,
        SSL_AES128,
        SSL_SHA256,
-       SSL_TLSV1,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        128,
@@ -1411,7 +1411,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aDH,
        SSL_AES256,
        SSL_SHA256,
-       SSL_TLSV1,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        256,
@@ -1427,7 +1427,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aDH,
        SSL_AES256,
        SSL_SHA256,
-       SSL_TLSV1,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        256,
@@ -1443,7 +1443,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aDSS,
        SSL_AES256,
        SSL_SHA256,
-       SSL_TLSV1,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        256,
@@ -1459,7 +1459,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aRSA,
        SSL_AES256,
        SSL_SHA256,
-       SSL_TLSV1,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        256,
@@ -1475,7 +1475,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aNULL,
        SSL_AES128,
        SSL_SHA256,
-       SSL_TLSV1,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        128,
@@ -1491,7 +1491,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
        SSL_aNULL,
        SSL_AES256,
        SSL_SHA256,
-       SSL_TLSV1,
+       SSL_TLSV1_2,
        SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
        SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
        256,
index 3c56a86..adf8c38 100644 (file)
@@ -664,10 +664,14 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
        if (    (sess == NULL) ||
                (s->enc_write_ctx == NULL) ||
                (EVP_MD_CTX_md(s->write_hash) == NULL))
+               {
+#if 1
+               clear=s->enc_write_ctx?0:1;     /* must be AEAD cipher */
+#else
                clear=1;
-
-       if (clear)
+#endif
                mac_size=0;
+               }
        else
                {
                mac_size=EVP_MD_CTX_size(s->write_hash);
@@ -736,7 +740,14 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
        wr->type=type;
 
        *(p++)=(s->version>>8);
-       *(p++)=s->version&0xff;
+       /* Some servers hang if iniatial client hello is larger than 256
+        * bytes and record version number > TLS 1.0
+        */
+       if (s->state == SSL3_ST_CW_CLNT_HELLO_B
+                               && TLS1_get_version(s) > TLS1_VERSION)
+               *(p++) = 0x1;
+       else
+               *(p++)=s->version&0xff;
 
        /* field where we are to write out packet length */
        plen=p; 
index 5944d8c..118939f 100644 (file)
@@ -2930,7 +2930,7 @@ int ssl3_get_cert_verify(SSL *s)
        if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
                {
                s->s3->tmp.reuse_message=1;
-               if ((peer != NULL) && (type | EVP_PKT_SIGN))
+               if ((peer != NULL) && (type & EVP_PKT_SIGN))
                        {
                        al=SSL_AD_UNEXPECTED_MESSAGE;
                        SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
index 525602e..ab72473 100644 (file)
@@ -2058,6 +2058,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_DTLS1_ACCEPT                              246
 #define SSL_F_DTLS1_ADD_CERT_TO_BUF                     295
 #define SSL_F_DTLS1_BUFFER_RECORD                       247
+#define SSL_F_DTLS1_CHECK_TIMEOUT_NUM                   316
 #define SSL_F_DTLS1_CLIENT_HELLO                        248
 #define SSL_F_DTLS1_CONNECT                             249
 #define SSL_F_DTLS1_ENC                                         250
index ac643c9..b96d26f 100644 (file)
@@ -616,18 +616,19 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
                {
                const EVP_CIPHER *evp;
 
-               if      (s->ssl_version >= TLS1_VERSION &&
-                        c->algorithm_enc == SSL_RC4 &&
+               if (s->ssl_version>>8 != TLS1_VERSION_MAJOR ||
+                   s->ssl_version < TLS1_VERSION)
+                       return 1;
+
+               if      (c->algorithm_enc == SSL_RC4 &&
                         c->algorithm_mac == SSL_MD5 &&
                         (evp=EVP_get_cipherbyname("RC4-HMAC-MD5")))
                        *enc = evp, *md = NULL;
-               else if (s->ssl_version >= TLS1_VERSION &&
-                        c->algorithm_enc == SSL_AES128 &&
+               else if (c->algorithm_enc == SSL_AES128 &&
                         c->algorithm_mac == SSL_SHA1 &&
                         (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
                        *enc = evp, *md = NULL;
-               else if (s->ssl_version >= TLS1_VERSION &&
-                        c->algorithm_enc == SSL_AES256 &&
+               else if (c->algorithm_enc == SSL_AES256 &&
                         c->algorithm_mac == SSL_SHA1 &&
                         (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
                        *enc = evp, *md = NULL;
index ccb93d2..2577c68 100644 (file)
@@ -80,6 +80,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_DTLS1_ACCEPT), "DTLS1_ACCEPT"},
 {ERR_FUNC(SSL_F_DTLS1_ADD_CERT_TO_BUF),        "DTLS1_ADD_CERT_TO_BUF"},
 {ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD),  "DTLS1_BUFFER_RECORD"},
+{ERR_FUNC(SSL_F_DTLS1_CHECK_TIMEOUT_NUM),      "DTLS1_CHECK_TIMEOUT_NUM"},
 {ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO),   "DTLS1_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_DTLS1_CONNECT),        "DTLS1_CONNECT"},
 {ERR_FUNC(SSL_F_DTLS1_ENC),    "DTLS1_ENC"},
index 57d1107..27c8e34 100644 (file)
@@ -544,7 +544,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
                }
                skip_ext:
 
-       if (TLS1_get_version(s) >= TLS1_2_VERSION)
+       if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
                {
                if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
                        return NULL;