From 503f6d4b94dd7e2049355e561534f02376ce418b Mon Sep 17 00:00:00 2001 From: Peter Avalos Date: Fri, 20 Apr 2012 20:33:46 -0700 Subject: [PATCH] Import OpenSSL-1.0.1a. o Fix for ASN1 overflow bug CVE-2012-2110. o Workarounds for some servers that hang on long client hellos. o Fix SEGV in AES code. --- crypto/openssl/CHANGES | 43 ++++++- crypto/openssl/FAQ | 2 +- crypto/openssl/NEWS | 6 + crypto/openssl/README | 2 +- crypto/openssl/README.DELETED | 1 - crypto/openssl/apps/s_client.c | 6 - crypto/openssl/apps/s_server.c | 10 -- crypto/openssl/crypto/aes/asm/bsaes-x86_64.pl | 118 ++++++++++++------ crypto/openssl/crypto/aes/asm/vpaes-x86.pl | 4 +- crypto/openssl/crypto/aes/asm/vpaes-x86_64.pl | 6 +- crypto/openssl/crypto/asn1/a_d2i_fp.c | 54 +++++--- crypto/openssl/crypto/asn1/tasn_prn.c | 12 +- crypto/openssl/crypto/bio/b_sock.c | 2 +- crypto/openssl/crypto/bio/bio_lib.c | 28 ++--- crypto/openssl/crypto/bn/bn_gf2m.c | 7 +- crypto/openssl/crypto/buffer/buffer.c | 17 +++ crypto/openssl/crypto/cmac/cmac.c | 2 + .../openssl/crypto/evp/e_aes_cbc_hmac_sha1.c | 8 +- crypto/openssl/crypto/evp/e_rc4_hmac_md5.c | 19 +-- crypto/openssl/crypto/evp/evp_enc.c | 6 +- crypto/openssl/crypto/evp/p5_crpt.c | 1 + crypto/openssl/crypto/mem.c | 4 + crypto/openssl/crypto/modes/modes_lcl.h | 2 +- crypto/openssl/crypto/opensslv.h | 6 +- crypto/openssl/crypto/pkcs7/pk7_doit.c | 16 ++- crypto/openssl/crypto/x509/x509_lu.c | 2 +- crypto/openssl/doc/crypto/EVP_DigestInit.pod | 66 ++++++---- crypto/openssl/ssl/bio_ssl.c | 2 + crypto/openssl/ssl/d1_lib.c | 2 +- crypto/openssl/ssl/d1_srvr.c | 2 +- crypto/openssl/ssl/s23_clnt.c | 24 +++- crypto/openssl/ssl/s3_clnt.c | 9 ++ crypto/openssl/ssl/s3_lib.c | 26 ++-- crypto/openssl/ssl/s3_pkt.c | 17 ++- crypto/openssl/ssl/s3_srvr.c | 2 +- crypto/openssl/ssl/ssl.h | 1 + crypto/openssl/ssl/ssl_ciph.c | 13 +- crypto/openssl/ssl/ssl_err.c | 1 + crypto/openssl/ssl/t1_lib.c | 2 +- 39 files changed, 379 insertions(+), 172 deletions(-) 
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index 03d731451d..1e9608023e 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -2,6 +2,36 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1 and 1.0.1a [19 Apr 2012] + + *) Check for potentially exploitable overflows in asn1_d2i_read_bio + BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer + in CRYPTO_realloc_clean. + + Thanks to Tavis Ormandy, Google Security Team, for discovering this + issue and to Adam Langley for fixing it. + (CVE-2012-2110) + [Adam Langley (Google), Tavis Ormandy, Google Security Team] + + *) Don't allow TLS 1.2 SHA-256 ciphersuites in TLS 1.0, 1.1 connections. + [Adam Langley] + + *) Workarounds for some broken servers that "hang" if a client hello + record length exceeds 255 bytes. + + 1. Do not use record version number > TLS 1.0 in initial client + hello: some (but not all) hanging servers will now work. + 2. If we set OPENSSL_MAX_TLS1_2_CIPHER_LENGTH this will truncate + the number of ciphers sent in the client hello. This should be + set to an even number, such as 50, for example by passing: + -DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50 to config or Configure. + Most broken servers should now work. + 3. If all else fails setting OPENSSL_NO_TLS1_2_CLIENT will disable + TLS 1.2 client support entirely. + + *) Fix SEGV in Vector Permutation AES module observed in OpenSSH. + [Andy Polyakov] + Changes between 1.0.0h and 1.0.1 [14 Mar 2012] *) Add compatibility with old MDC2 signatures which use an ASN1 OCTET 
@@ -285,7 +315,18 @@ Add command line options to s_client/s_server. [Steve Henson] - Changes between 1.0.0g and 1.0.0h [xx XXX xxxx] + Changes between 1.0.0g and 1.0.0h [12 Mar 2012] + + *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness + in CMS and PKCS7 code. When RSA decryption fails use a random key for + content decryption and always return the same error. Note: this attack + needs on average 2^20 messages so it only affects automated senders. The + old behaviour can be reenabled in the CMS code by setting the + CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where + an MMA defence is not necessary. + Thanks to Ivan Nestlerode for discovering + this issue. (CVE-2012-0884) + [Steve Henson] *) Fix CVE-2011-4619: make sure we really are receiving a client hello before rejecting multiple SGC restarts. Thanks to diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ index b9243a6104..0ba347e63b 100644 --- a/crypto/openssl/FAQ +++ b/crypto/openssl/FAQ @@ -82,7 +82,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 1.0.1 was released on Mar 14th, 2012. +OpenSSL 1.0.1a was released on Apr 19th, 2012. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at +#include #include "cryptlib.h" #include #include @@ -143,17 +144,11 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) BUF_MEM *b; unsigned char *p; int i; - int ret=-1; ASN1_const_CTX c; - int want=HEADER_SIZE; + size_t want=HEADER_SIZE; int eos=0; -#if defined(__GNUC__) && defined(__ia64) - /* pathetic compiler bug in all known versions as of Nov. 2002 */ - long off=0; -#else - int off=0; -#endif - int len=0; + size_t off=0; + size_t len=0; b=BUF_MEM_new(); if (b == NULL) 
@@ -169,7 +164,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) { want-=(len-off); - if (!BUF_MEM_grow_clean(b,len+want)) + if (len + want < len || !BUF_MEM_grow_clean(b,len+want)) { ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE); goto err; @@ -181,7 +176,14 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) goto err; } if (i > 0) + { + if (len+i < len) + { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG); + goto err; + } len+=i; + } } /* else data already loaded */ @@ -206,6 +208,11 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) { /* no data body so go round again */ eos++; + if (eos < 0) + { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_HEADER_TOO_LONG); + goto err; + } want=HEADER_SIZE; } else if (eos && (c.slen == 0) && (c.tag == V_ASN1_EOC)) @@ -220,10 +227,16 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) else { /* suck in c.slen bytes of data */ - want=(int)c.slen; + want=c.slen; if (want > (len-off)) { want-=(len-off); + if (want > INT_MAX /* BIO_read takes an int length */ || + len+want < len) + { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG); + goto err; + } if (!BUF_MEM_grow_clean(b,len+want)) { ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE); @@ -238,11 +251,18 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) ASN1_R_NOT_ENOUGH_DATA); goto err; } + /* This can't overflow because + * |len+want| didn't overflow. */ len+=i; - want -= i; + want-=i; } } - off+=(int)c.slen; + if (off + c.slen < off) + { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG); + goto err; + } + off+=c.slen; if (eos <= 0) { break; @@ -252,9 +272,15 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) } } + if (off > INT_MAX) + { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_TOO_LONG); + goto err; + } + *pb = b; return off; err: if (b != NULL) BUF_MEM_free(b); - return(ret); + return -1; } diff --git a/crypto/openssl/crypto/asn1/tasn_prn.c b/crypto/openssl/crypto/asn1/tasn_prn.c index 453698012d..542a091a66 100644 
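Review bot: The new `if (eos < 0)` guard in the nested-indefinite-length branch (hunk @@ -206) runs after `eos++` has already wrapped, and because `eos` is a signed `int` that overflow is undefined behaviour, so the compiler may assume it cannot happen and drop the check entirely. Testing before the increment keeps the intent and is well-defined: `if (eos == INT_MAX) { ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_HEADER_TOO_LONG); goto err; }` followed by `eos++;`. `INT_MAX` is already used further down in this function (hunks @@ -220 and @@ -252), so the header it needs is in scope. asn1_d2i_read_bio begins and ends outside this hunk.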
--- a/crypto/openssl/crypto/asn1/tasn_prn.c +++ b/crypto/openssl/crypto/asn1/tasn_prn.c @@ -446,11 +446,11 @@ static int asn1_print_fsname(BIO *out, int indent, return 1; } -static int asn1_print_boolean_ctx(BIO *out, const int bool, +static int asn1_print_boolean_ctx(BIO *out, int boolval, const ASN1_PCTX *pctx) { const char *str; - switch (bool) + switch (boolval) { case -1: str = "BOOL ABSENT"; @@ -574,10 +574,10 @@ static int asn1_primitive_print(BIO *out, ASN1_VALUE **fld, { case V_ASN1_BOOLEAN: { - int bool = *(int *)fld; - if (bool == -1) - bool = it->size; - ret = asn1_print_boolean_ctx(out, bool, pctx); + int boolval = *(int *)fld; + if (boolval == -1) + boolval = it->size; + ret = asn1_print_boolean_ctx(out, boolval, pctx); } break; diff --git a/crypto/openssl/crypto/bio/b_sock.c b/crypto/openssl/crypto/bio/b_sock.c index d47310d650..41f958be71 100644 --- a/crypto/openssl/crypto/bio/b_sock.c +++ b/crypto/openssl/crypto/bio/b_sock.c @@ -960,7 +960,6 @@ int BIO_set_tcp_ndelay(int s, int on) #endif return(ret == 0); } -#endif int BIO_socket_nbio(int s, int mode) { @@ -973,3 +972,4 @@ int BIO_socket_nbio(int s, int mode) #endif return(ret == 0); } +#endif diff --git a/crypto/openssl/crypto/bio/bio_lib.c b/crypto/openssl/crypto/bio/bio_lib.c index e12bc3a2ca..9c9646afa8 100644 --- a/crypto/openssl/crypto/bio/bio_lib.c +++ b/crypto/openssl/crypto/bio/bio_lib.c 
@@ -521,40 +521,40 @@ void BIO_free_all(BIO *bio) BIO *BIO_dup_chain(BIO *in) { - BIO *ret=NULL,*eoc=NULL,*bio,*new; + BIO *ret=NULL,*eoc=NULL,*bio,*new_bio; for (bio=in; bio != NULL; bio=bio->next_bio) { - if ((new=BIO_new(bio->method)) == NULL) goto err; - new->callback=bio->callback; - new->cb_arg=bio->cb_arg; - new->init=bio->init; - new->shutdown=bio->shutdown; - new->flags=bio->flags; + if ((new_bio=BIO_new(bio->method)) == NULL) goto err; + new_bio->callback=bio->callback; + new_bio->cb_arg=bio->cb_arg; + new_bio->init=bio->init; + new_bio->shutdown=bio->shutdown; + new_bio->flags=bio->flags; /* This will let SSL_s_sock() work with stdin/stdout */ - new->num=bio->num; + new_bio->num=bio->num; - if (!BIO_dup_state(bio,(char *)new)) + if (!BIO_dup_state(bio,(char *)new_bio)) { - BIO_free(new); + BIO_free(new_bio); goto err; } /* copy app data */ - if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_BIO, &new->ex_data, + if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_BIO, &new_bio->ex_data, &bio->ex_data)) goto err; if (ret == NULL) { - eoc=new; + eoc=new_bio; ret=eoc; } else { - BIO_push(eoc,new); - eoc=new; + BIO_push(eoc,new_bio); + eoc=new_bio; } } return(ret); diff --git a/crypto/openssl/crypto/bn/bn_gf2m.c b/crypto/openssl/crypto/bn/bn_gf2m.c index 08ab9fd227..8a4dc20ad9 100644 --- a/crypto/openssl/crypto/bn/bn_gf2m.c +++ b/crypto/openssl/crypto/bn/bn_gf2m.c @@ -628,8 +628,11 @@ int BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) } if (ubits==vbits) { - bn_correct_top(u); - ubits = BN_num_bits(u); + BN_ULONG ul; + int utop = (ubits-1)/BN_BITS2; + + while ((ul=udp[utop])==0 && utop) utop--; + ubits = utop*BN_BITS2 + BN_num_bits_word(ul); } } bn_correct_top(b); diff --git a/crypto/openssl/crypto/buffer/buffer.c b/crypto/openssl/crypto/buffer/buffer.c index f4b358bbbd..52e65dfdfc 100644 --- a/crypto/openssl/crypto/buffer/buffer.c +++ b/crypto/openssl/crypto/buffer/buffer.c 
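Review bot: The inline top-scan that replaces `bn_correct_top(u); ubits = BN_num_bits(u);` carries no comment on why the generic helper is avoided, and `utop = (ubits-1)/BN_BITS2` silently relies on `ubits >= 1` (with `ubits == 0` it would still index `udp[0]`), which is presumably guaranteed by the enclosing loop but is not stated. A short why-comment would save the next reader from re-deriving both points, e.g. `/* recompute ubits from udp in place instead of bn_correct_top(u): <reason> ; ubits >= 1 here */` with the reason filled in from the surrounding loop. BN_GF2m_mod_inv starts and ends outside this hunk.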
@@ -60,6 +60,11 @@ #include "cryptlib.h" #include +/* LIMIT_BEFORE_EXPANSION is the maximum n such that (n+3)/3*4 < 2**31. That + * function is applied in several functions in this file and this limit ensures + * that the result fits in an int. */ +#define LIMIT_BEFORE_EXPANSION 0x5ffffffc + BUF_MEM *BUF_MEM_new(void) { BUF_MEM *ret; @@ -105,6 +110,12 @@ int BUF_MEM_grow(BUF_MEM *str, size_t len) str->length=len; return(len); } + /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */ + if (len > LIMIT_BEFORE_EXPANSION) + { + BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE); + return 0; + } n=(len+3)/3*4; if (str->data == NULL) ret=OPENSSL_malloc(n); @@ -142,6 +153,12 @@ int BUF_MEM_grow_clean(BUF_MEM *str, size_t len) str->length=len; return(len); } + /* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */ + if (len > LIMIT_BEFORE_EXPANSION) + { + BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE); + return 0; + } n=(len+3)/3*4; if (str->data == NULL) ret=OPENSSL_malloc(n); diff --git a/crypto/openssl/crypto/cmac/cmac.c b/crypto/openssl/crypto/cmac/cmac.c index b58602680b..8b72b09681 100644 --- a/crypto/openssl/crypto/cmac/cmac.c +++ b/crypto/openssl/crypto/cmac/cmac.c @@ -179,6 +179,8 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, return 0; if (!EVP_EncryptInit_ex(&ctx->cctx, NULL, NULL, NULL, zero_iv)) return 0; + memset(ctx->tbl, 0, EVP_CIPHER_CTX_block_size(&ctx->cctx)); + ctx->nlast_block = 0; return 1; } /* Initialiase context */ diff --git a/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c index 278c6caa28..710fb79baf 100644 --- a/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -83,6 +83,8 @@ typedef struct } aux; } EVP_AES_HMAC_SHA1; +#define NO_PAYLOAD_LENGTH ((size_t)-1) + #if defined(AES_ASM) && ( \ defined(__x86_64) || defined(__x86_64__) || \ defined(_M_AMD64) || defined(_M_X64) || \ 
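Review bot: The new size-limit check in BUF_MEM_grow_clean (hunk @@ -142) reports `BUF_F_BUF_MEM_GROW` as the function code, so an error trace raised there would point at BUF_MEM_grow instead; the function code `BUF_F_BUF_MEM_GROW_CLEAN` exists for this function and the line should read `BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);`. The identical limit check is now pasted into both grow functions, which suggests a small `static` helper so the limit and its error reporting cannot drift apart. BUF_MEM_grow_clean continues outside this hunk.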
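Review bot: `NO_PAYLOAD_LENGTH` is defined here and again, with the identical expansion, in the e_rc4_hmac_md5.c hunk at @@ -75; two private copies of a sentinel that both stitched ciphers depend on will drift apart silently, so one definition in a shared private header would be safer. The macro also deserves a one-line comment stating what the sentinel means, since the later hunks use it to switch behaviour: `#define NO_PAYLOAD_LENGTH ((size_t)-1) /* payload_length not set: not in TLS mode, the whole buffer is payload */`.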
@@ -124,7 +126,7 @@ static int aesni_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, key->tail = key->head; key->md = key->head; - key->payload_length = 0; + key->payload_length = NO_PAYLOAD_LENGTH; return ret<0?0:1; } @@ -185,7 +187,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, if (len%AES_BLOCK_SIZE) return 0; if (ctx->encrypt) { - if (plen==0) + if (plen==NO_PAYLOAD_LENGTH) plen = len; else if (len!=((plen+SHA_DIGEST_LENGTH+AES_BLOCK_SIZE)&-AES_BLOCK_SIZE)) return 0; @@ -271,7 +273,7 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } } - key->payload_length = 0; + key->payload_length = NO_PAYLOAD_LENGTH; return 1; } diff --git a/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c b/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c index eaa7a5312c..3f32b2591c 100644 --- a/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c +++ b/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c @@ -75,6 +75,8 @@ typedef struct size_t payload_length; } EVP_RC4_HMAC_MD5; +#define NO_PAYLOAD_LENGTH ((size_t)-1) + void rc4_md5_enc (RC4_KEY *key, const void *in0, void *out, MD5_CTX *ctx,const void *inp,size_t blocks); @@ -93,7 +95,7 @@ static int rc4_hmac_md5_init_key(EVP_CIPHER_CTX *ctx, key->tail = key->head; key->md = key->head; - key->payload_length = 0; + key->payload_length = NO_PAYLOAD_LENGTH; return 1; } @@ -101,8 +103,7 @@ static int rc4_hmac_md5_init_key(EVP_CIPHER_CTX *ctx, #if !defined(OPENSSL_NO_ASM) && ( \ defined(__x86_64) || defined(__x86_64__) || \ defined(_M_AMD64) || defined(_M_X64) || \ - defined(__INTEL__) ) && \ - !(defined(__APPLE__) && defined(__MACH__)) + defined(__INTEL__) ) #define STITCHED_CALL #endif 
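Review bot: Dropping the `!(defined(__APPLE__) && defined(__MACH__))` clause re-enables `STITCHED_CALL` on Darwin, but neither the hunk nor the commit message records why the exclusion existed or what changed to make it safe to remove. A one-line comment beside `#define STITCHED_CALL`, e.g. `/* Darwin exclusion removed: <reason or reference> */`, would keep that rationale with the code rather than in a mailing-list thread.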
@@ -123,10 +124,10 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, #endif size_t plen = key->payload_length; - if (plen && len!=(plen+MD5_DIGEST_LENGTH)) return 0; + if (plen!=NO_PAYLOAD_LENGTH && len!=(plen+MD5_DIGEST_LENGTH)) return 0; if (ctx->encrypt) { - if (plen==0) plen = len; + if (plen==NO_PAYLOAD_LENGTH) plen = len; #if defined(STITCHED_CALL) /* cipher has to "fall behind" */ if (rc4_off>md5_off) md5_off+=MD5_CBLOCK; @@ -191,7 +192,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, #endif /* decrypt HMAC at once */ RC4(&key->ks,len-rc4_off,in+rc4_off,out+rc4_off); - if (plen) { /* "TLS" mode of operation */ + if (plen!=NO_PAYLOAD_LENGTH) { /* "TLS" mode of operation */ MD5_Update(&key->md,out+md5_off,plen-md5_off); /* calculate HMAC and verify it */ @@ -207,7 +208,7 @@ static int rc4_hmac_md5_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } } - key->payload_length = 0; + key->payload_length = NO_PAYLOAD_LENGTH; return 1; } @@ -288,6 +289,8 @@ static EVP_CIPHER r4_hmac_md5_cipher= const EVP_CIPHER *EVP_rc4_hmac_md5(void) { - return(&r4_hmac_md5_cipher); + extern unsigned int OPENSSL_ia32cap_P[]; + /* RC4_CHAR flag ------------vvvvv */ + return(OPENSSL_ia32cap_P[0]&(1<<20) ? NULL : &r4_hmac_md5_cipher); } #endif diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c index 691072655b..8835d9a6ed 100644 --- a/crypto/openssl/crypto/evp/evp_enc.c +++ b/crypto/openssl/crypto/evp/evp_enc.c @@ -170,7 +170,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp #endif #ifdef OPENSSL_FIPS - return FIPS_cipherinit(ctx, cipher, key, iv, enc); + if (FIPS_mode()) + return FIPS_cipherinit(ctx, cipher, key, iv, enc); #else ctx->cipher=cipher; if (ctx->cipher->ctx_size) 
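Review bot: `EVP_rc4_hmac_md5()` can now return NULL (hunk @@ -288), which is new for an `EVP_<cipher>()` accessor; any caller that does not expect it — for instance code that feeds the result straight to `EVP_CIPHER_nid()` — will dereference NULL, so callers should be audited and the header declaration (outside this hunk) should document the NULL case, unless they already tolerate it. The block-scope `extern unsigned int OPENSSL_ia32cap_P[];` is also unusual style; move it to file scope with the file's other declarations. The `1<<20` with its `------vvvvv` pointer comment would read better as a named constant for the RC4_CHAR capability bit.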
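Review bot: With `OPENSSL_FIPS` defined but `FIPS_mode()` false, control now falls past the new `if` straight to `#else`, and everything on that side — `ctx->cipher=cipher;` and the rest of the non-FIPS initialisation — is compiled out in such a build, so the cipher context is never set up; the second evp_enc.c hunk at @@ -207 has the same shape. Unless the `#else` lines are removed elsewhere in the patch, the guard should be `#ifdef OPENSSL_FIPS` / `if (FIPS_mode()) return FIPS_cipherinit(ctx, cipher, key, iv, enc);` / `#endif` with the former `#else` branch left unconditional. EVP_CipherInit_ex begins and ends outside this hunk.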
@@ -207,7 +208,8 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp skip_to_init: #endif #ifdef OPENSSL_FIPS - return FIPS_cipherinit(ctx, cipher, key, iv, enc); + if (FIPS_mode()) + return FIPS_cipherinit(ctx, cipher, key, iv, enc); #else /* we assume block size is a power of 2 in *cryptUpdate */ OPENSSL_assert(ctx->cipher->block_size == 1 diff --git a/crypto/openssl/crypto/evp/p5_crpt.c b/crypto/openssl/crypto/evp/p5_crpt.c index 7d9c1f0123..294cc90d87 100644 --- a/crypto/openssl/crypto/evp/p5_crpt.c +++ b/crypto/openssl/crypto/evp/p5_crpt.c @@ -138,5 +138,6 @@ int PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, OPENSSL_cleanse(iv, EVP_MAX_IV_LENGTH); rv = 1; err: + EVP_MD_CTX_cleanup(&ctx); return rv; } diff --git a/crypto/openssl/crypto/mem.c b/crypto/openssl/crypto/mem.c index 8f736c3b1f..21c0011380 100644 --- a/crypto/openssl/crypto/mem.c +++ b/crypto/openssl/crypto/mem.c @@ -363,6 +363,10 @@ void *CRYPTO_realloc_clean(void *str, int old_len, int num, const char *file, if (num <= 0) return NULL; + /* We don't support shrinking the buffer. Note the memcpy that copies + * |old_len| bytes to the new buffer, below. */ + if (num < old_len) return NULL; + if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret=malloc_ex_func(num,file,line); diff --git a/crypto/openssl/crypto/modes/modes_lcl.h b/crypto/openssl/crypto/modes/modes_lcl.h index 7a82a981ca..b6dc3c336f 100644 --- a/crypto/openssl/crypto/modes/modes_lcl.h +++ b/crypto/openssl/crypto/modes/modes_lcl.h @@ -45,7 +45,7 @@ typedef unsigned char u8; # define BSWAP4(x) ({ u32 ret=(x); \ asm ("bswapl %0" \ : "+r"(ret)); ret; }) -# elif (defined(__i386) || defined(__i386__)) +# elif (defined(__i386) || defined(__i386__)) && !defined(I386_ONLY) # define BSWAP8(x) ({ u32 lo=(u64)(x)>>32,hi=(x); \ asm ("bswapl %0; bswapl %1" \ : "+r"(hi),"+r"(lo)); \ 
diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index bf42556070..20e889e851 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x1000100fL +#define OPENSSL_VERSION_NUMBER 0x1000101fL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1-fips 14 Mar 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1a-fips 19 Apr 2012" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1 14 Mar 2012" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1a 19 Apr 2012" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index fae8eda46c..77fda3b82a 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -430,6 +430,8 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) STACK_OF(X509_ALGOR) *md_sk=NULL; STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; PKCS7_RECIP_INFO *ri=NULL; + unsigned char *ek = NULL, *tkey = NULL; + int eklen = 0, tkeylen = 0; i=OBJ_obj2nid(p7->type); p7->state=PKCS7_S_HEADER; @@ -507,8 +509,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) int max; X509_OBJECT ret; #endif - unsigned char *ek = NULL, *tkey = NULL; - int eklen, tkeylen; if ((etmp=BIO_new(BIO_f_cipher())) == NULL) { @@ -609,11 +609,13 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) { OPENSSL_cleanse(ek,eklen); OPENSSL_free(ek); + ek = NULL; } if (tkey) { OPENSSL_cleanse(tkey,tkeylen); OPENSSL_free(tkey); + tkey = NULL; } if (out == NULL) 
@@ -656,6 +658,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) if (0) { err: + if (ek) + { + OPENSSL_cleanse(ek,eklen); + OPENSSL_free(ek); + } + if (tkey) + { + OPENSSL_cleanse(tkey,tkeylen); + OPENSSL_free(tkey); + } if (out != NULL) BIO_free_all(out); if (btmp != NULL) BIO_free_all(btmp); if (etmp != NULL) BIO_free_all(etmp); diff --git a/crypto/openssl/crypto/x509/x509_lu.c b/crypto/openssl/crypto/x509/x509_lu.c index 3a6e04a1de..38525a8cdd 100644 --- a/crypto/openssl/crypto/x509/x509_lu.c +++ b/crypto/openssl/crypto/x509/x509_lu.c @@ -87,7 +87,7 @@ void X509_LOOKUP_free(X509_LOOKUP *ctx) if (ctx == NULL) return; if ( (ctx->method != NULL) && (ctx->method->free != NULL)) - ctx->method->free(ctx); + (*ctx->method->free)(ctx); OPENSSL_free(ctx); } diff --git a/crypto/openssl/doc/crypto/EVP_DigestInit.pod b/crypto/openssl/doc/crypto/EVP_DigestInit.pod index 5b477ac6ec..367691cc7a 100644 --- a/crypto/openssl/doc/crypto/EVP_DigestInit.pod +++ b/crypto/openssl/doc/crypto/EVP_DigestInit.pod @@ -6,7 +6,8 @@ EVP_MD_CTX_init, EVP_MD_CTX_create, EVP_DigestInit_ex, EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_MD_CTX_cleanup, EVP_MD_CTX_destroy, EVP_MAX_MD_SIZE, EVP_MD_CTX_copy_ex, EVP_MD_CTX_copy, EVP_MD_type, EVP_MD_pkey_type, EVP_MD_size, EVP_MD_block_size, EVP_MD_CTX_md, EVP_MD_CTX_size, EVP_MD_CTX_block_size, EVP_MD_CTX_type, -EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_dss, EVP_dss1, EVP_mdc2, +EVP_md_null, EVP_md2, EVP_md5, EVP_sha, EVP_sha1, EVP_sha224, EVP_sha256, +EVP_sha384, EVP_sha512, EVP_dss, EVP_dss1, EVP_mdc2, EVP_ripemd160, EVP_get_digestbyname, EVP_get_digestbynid, EVP_get_digestbyobj - EVP digest routines 
@@ -33,16 +34,15 @@ EVP digest routines int EVP_MD_CTX_copy(EVP_MD_CTX *out,EVP_MD_CTX *in); - #define EVP_MAX_MD_SIZE (16+20) /* The SSLv3 md5+sha1 type */ + #define EVP_MAX_MD_SIZE 64 /* SHA512 */ + int EVP_MD_type(const EVP_MD *md); + int EVP_MD_pkey_type(const EVP_MD *md); + int EVP_MD_size(const EVP_MD *md); + int EVP_MD_block_size(const EVP_MD *md); - #define EVP_MD_type(e) ((e)->type) - #define EVP_MD_pkey_type(e) ((e)->pkey_type) - #define EVP_MD_size(e) ((e)->md_size) - #define EVP_MD_block_size(e) ((e)->block_size) - - #define EVP_MD_CTX_md(e) (e)->digest) - #define EVP_MD_CTX_size(e) EVP_MD_size((e)->digest) + const EVP_MD *EVP_MD_CTX_md(const EVP_MD_CTX *ctx); + #define EVP_MD_CTX_size(e) EVP_MD_size(EVP_MD_CTX_md(e)) #define EVP_MD_CTX_block_size(e) EVP_MD_block_size((e)->digest) #define EVP_MD_CTX_type(e) EVP_MD_type((e)->digest) @@ -56,6 +56,11 @@ EVP digest routines const EVP_MD *EVP_mdc2(void); const EVP_MD *EVP_ripemd160(void); + const EVP_MD *EVP_sha224(void); + const EVP_MD *EVP_sha256(void); + const EVP_MD *EVP_sha384(void); + const EVP_MD *EVP_sha512(void); + const EVP_MD *EVP_get_digestbyname(const char *name); #define EVP_get_digestbynid(a) EVP_get_digestbyname(OBJ_nid2sn(a)) #define EVP_get_digestbyobj(a) EVP_get_digestbynid(OBJ_obj2nid(a)) 
@@ -124,12 +129,14 @@ B. EVP_MD_pkey_type() returns the NID of the public key signing algorithm associated with this digest. For example EVP_sha1() is associated with RSA so this will -return B. This "link" between digests and signature -algorithms may not be retained in future versions of OpenSSL. +return B. Since digests and signature algorithms +are no longer linked this function is only retained for compatibility +reasons. -EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_mdc2() and EVP_ripemd160() -return B structures for the MD2, MD5, SHA, SHA1, MDC2 and RIPEMD160 digest -algorithms respectively. The associated signature algorithm is RSA in each case. +EVP_md2(), EVP_md5(), EVP_sha(), EVP_sha1(), EVP_sha224(), EVP_sha256(), +EVP_sha384(), EVP_sha512(), EVP_mdc2() and EVP_ripemd160() return B +structures for the MD2, MD5, SHA, SHA1, SHA224, SHA256, SHA384, SHA512, MDC2 +and RIPEMD160 digest algorithms respectively. EVP_dss() and EVP_dss1() return B structures for SHA and SHA1 digest algorithms but using DSS (DSA) for the signature algorithm. Note: there is @@ -171,8 +178,8 @@ The B interface to message digests should almost always be used in preference to the low level interfaces. This is because the code then becomes transparent to the digest used and much more flexible. -SHA1 is the digest of choice for new applications. The other digest algorithms -are still in common use. +New applications should use the SHA2 digest algorithms such as SHA256. +The other digest algorithms are still in common use. For most applications the B parameter to EVP_DigestInit_ex() will be set to NULL to use the default digest implementation. 
@@ -187,6 +194,19 @@ implementations of digests to be specified. In OpenSSL 0.9.7 and later if digest contexts are not cleaned up after use memory leaks will occur. +Stack allocation of EVP_MD_CTX structures is common, for example: + + EVP_MD_CTX mctx; + EVP_MD_CTX_init(&mctx); + +This will cause binary compatibility issues if the size of EVP_MD_CTX +structure changes (this will only happen with a major release of OpenSSL). +Applications wishing to avoid this should use EVP_MD_CTX_create() instead: + + EVP_MD_CTX *mctx; + mctx = EVP_MD_CTX_create(); + + =head1 EXAMPLE This example digests the data "Test Message\n" and "Hello World\n", using the @@ -197,7 +217,7 @@ digest name passed on the command line. main(int argc, char *argv[]) { - EVP_MD_CTX mdctx; + EVP_MD_CTX *mdctx; const EVP_MD *md; char mess1[] = "Test Message\n"; char mess2[] = "Hello World\n"; @@ -218,12 +238,12 @@ digest name passed on the command line. exit(1); } - EVP_MD_CTX_init(&mdctx); - EVP_DigestInit_ex(&mdctx, md, NULL); - EVP_DigestUpdate(&mdctx, mess1, strlen(mess1)); - EVP_DigestUpdate(&mdctx, mess2, strlen(mess2)); - EVP_DigestFinal_ex(&mdctx, md_value, &md_len); - EVP_MD_CTX_cleanup(&mdctx); + mdctx = EVP_MD_CTX_create(); + EVP_DigestInit_ex(mdctx, md, NULL); + EVP_DigestUpdate(mdctx, mess1, strlen(mess1)); + EVP_DigestUpdate(mdctx, mess2, strlen(mess2)); + EVP_DigestFinal_ex(mdctx, md_value, &md_len); + EVP_MD_CTX_destroy(mdctx); printf("Digest is: "); for(i = 0; i < md_len; i++) printf("%02x", md_value[i]); diff --git a/crypto/openssl/ssl/bio_ssl.c b/crypto/openssl/ssl/bio_ssl.c index eedac8a3fc..e9552caee2 100644 --- a/crypto/openssl/ssl/bio_ssl.c +++ b/crypto/openssl/ssl/bio_ssl.c @@ -538,6 +538,7 @@ err: BIO *BIO_new_ssl_connect(SSL_CTX *ctx) { +#ifndef OPENSSL_NO_SOCK BIO *ret=NULL,*con=NULL,*ssl=NULL; if ((con=BIO_new(BIO_s_connect())) == NULL) @@ -549,6 +550,7 @@ BIO *BIO_new_ssl_connect(SSL_CTX *ctx) return(ret); err: if (con != NULL) BIO_free(con); +#endif return(NULL); } 
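Review bot: When `OPENSSL_NO_SOCK` is defined, `BIO_new_ssl_connect()` now compiles to a bare `return(NULL);` with nothing pushed on the error queue and `ctx` unused, so a caller gets NULL with an empty error stack and `-Wunused-parameter` fires. Consider queueing a reason in that configuration and marking the parameter used, e.g. `(void)ctx;`, or documenting in the header that the function is unavailable without socket support.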
diff --git a/crypto/openssl/ssl/d1_lib.c b/crypto/openssl/ssl/d1_lib.c index 56f62530e5..f61f718183 100644 --- a/crypto/openssl/ssl/d1_lib.c +++ b/crypto/openssl/ssl/d1_lib.c @@ -412,7 +412,7 @@ int dtls1_check_timeout_num(SSL *s) if (s->d1->timeout.num_alerts > DTLS1_TMO_ALERT_COUNT) { /* fail the connection, enough alerts have been sent */ - SSLerr(SSL_F_DTLS1_HANDLE_TIMEOUT,SSL_R_READ_TIMEOUT_EXPIRED); + SSLerr(SSL_F_DTLS1_CHECK_TIMEOUT_NUM,SSL_R_READ_TIMEOUT_EXPIRED); return -1; } diff --git a/crypto/openssl/ssl/d1_srvr.c b/crypto/openssl/ssl/d1_srvr.c index 5822379d10..29421da9aa 100644 --- a/crypto/openssl/ssl/d1_srvr.c +++ b/crypto/openssl/ssl/d1_srvr.c @@ -920,7 +920,7 @@ int dtls1_send_server_hello(SSL *s) p=s->s3->server_random; Time=(unsigned long)time(NULL); /* Time */ l2n(Time,p); - RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-sizeof(Time)); + RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4); /* Do the message type and length last */ d=p= &(buf[DTLS1_HM_HEADER_LENGTH]); diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c index b3c48232d7..0f2e19e135 100644 --- a/crypto/openssl/ssl/s23_clnt.c +++ b/crypto/openssl/ssl/s23_clnt.c @@ -287,12 +287,14 @@ static int ssl23_client_hello(SSL *s) if (ssl2_compat && ssl23_no_ssl2_ciphers(s)) ssl2_compat = 0; - +#ifndef OPENSSL_NO_TLS1_2_CLIENT if (!(s->options & SSL_OP_NO_TLSv1_2)) { version = TLS1_2_VERSION; } - else if (!(s->options & SSL_OP_NO_TLSv1_1)) + else +#endif + if (!(s->options & SSL_OP_NO_TLSv1_1)) { version = TLS1_1_VERSION; } 
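Review bot: `SSL3_RANDOM_SIZE-4` replaces `sizeof(Time)` with a bare literal; the `4` is the number of bytes `l2n(Time,p)` just wrote, which the line should say, e.g. `RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4); /* l2n() above consumed 4 bytes */`. The return value of `RAND_pseudo_bytes` is also ignored, so output the PRNG reports as not cryptographically strong (0) or a method failure (-1) would go unnoticed when filling server_random; the original line had the same omission, but since it is being touched this is the moment to check it. dtls1_send_server_hello continues outside this hunk.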
@@ -467,6 +469,15 @@ static int ssl23_client_hello(SSL *s) SSLerr(SSL_F_SSL23_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); return -1; } +#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH + /* Some servers hang if client hello > 256 bytes + * as hack workaround chop number of supported ciphers + * to keep it well below this if we use TLS v1.2 + */ + if (TLS1_get_version(s) >= TLS1_2_VERSION + && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) + i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; +#endif s2n(i,p); p+=i; @@ -521,8 +532,13 @@ static int ssl23_client_hello(SSL *s) d=buf; *(d++) = SSL3_RT_HANDSHAKE; *(d++) = version_major; - *(d++) = version_minor; /* arguably we should send the *lowest* suported version here - * (indicating, e.g., TLS 1.0 in "SSL 3.0 format") */ + /* Some servers hang if we use long client hellos + * and a record number > TLS 1.0. + */ + if (TLS1_get_client_version(s) > TLS1_VERSION) + *(d++) = 1; + else + *(d++) = version_minor; s2n((int)l,d); /* number of bytes to write */ diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index 4511a914a4..b80d052e1f 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -755,6 +755,15 @@ int ssl3_client_hello(SSL *s) SSLerr(SSL_F_SSL3_CLIENT_HELLO,SSL_R_NO_CIPHERS_AVAILABLE); goto err; } +#ifdef OPENSSL_MAX_TLS1_2_CIPHER_LENGTH + /* Some servers hang if client hello > 256 bytes + * as hack workaround chop number of supported ciphers + * to keep it well below this if we use TLS v1.2 + */ + if (TLS1_get_version(s) >= TLS1_2_VERSION + && i > OPENSSL_MAX_TLS1_2_CIPHER_LENGTH) + i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH & ~1; +#endif s2n(i,p); p+=i; diff --git a/crypto/openssl/ssl/s3_lib.c b/crypto/openssl/ssl/s3_lib.c index db75479c38..fb60cde8ee 100644 --- a/crypto/openssl/ssl/s3_lib.c +++ b/crypto/openssl/ssl/s3_lib.c 
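Review bot: The comment above the new cap says it chops the "number of supported ciphers", but `i` here is the cipher-list length in bytes (it is what `s2n(i,p)` writes as the list length), `OPENSSL_MAX_TLS1_2_CIPHER_LENGTH` is likewise a byte count, and `& ~1` rounds it down so no two-byte suite is split; the comment should say so, e.g. `/* i is the cipher list length in bytes; keep it even so no suite is split */`. It should also state that the cap silently drops whatever suites sit at the tail of the preference order, since that changes what the peer can negotiate. The identical block is pasted into s3_clnt.c at @@ -755; a small shared helper would keep the two in step. ssl23_client_hello starts and ends outside this hunk.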
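Review bot: The record-layer minor version written for long hellos is the bare literal `1` here (hunk @@ -521) and `0x1` in s3_pkt.c at @@ -736; both mean "TLS 1.0 record version" and should use the named constant so the two workarounds stay in sync, i.e. `*(d++) = TLS1_VERSION_MINOR;` and `*(p++) = TLS1_VERSION_MINOR;`. The s3_pkt.c comment also misspells `iniatial`. Since the same workaround lives on two independent paths (ssl23_client_hello here, do_ssl3_write there), a comment in each pointing at the other would help whoever later removes it.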
@@ -1081,7 +1081,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aRSA, SSL_eNULL, SSL_SHA256, - SSL_SSLV3, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_STRONG_NONE|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 0, @@ -1097,7 +1097,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aRSA, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, @@ -1113,7 +1113,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aRSA, SSL_AES256, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, @@ -1129,7 +1129,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aDH, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, @@ -1145,7 +1145,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aDH, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, @@ -1161,7 +1161,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aDSS, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, @@ -1395,7 +1395,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aRSA, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, @@ -1411,7 +1411,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aDH, SSL_AES256, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, @@ -1427,7 +1427,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aDH, SSL_AES256, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, @@ -1443,7 +1443,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aDSS, SSL_AES256, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, 
@@ -1459,7 +1459,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aRSA, SSL_AES256, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, @@ -1475,7 +1475,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aNULL, SSL_AES128, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 128, @@ -1491,7 +1491,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ SSL_aNULL, SSL_AES256, SSL_SHA256, - SSL_TLSV1, + SSL_TLSV1_2, SSL_NOT_EXP|SSL_HIGH|SSL_FIPS, SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, 256, diff --git a/crypto/openssl/ssl/s3_pkt.c b/crypto/openssl/ssl/s3_pkt.c index 3c56a86933..adf8c387cc 100644 --- a/crypto/openssl/ssl/s3_pkt.c +++ b/crypto/openssl/ssl/s3_pkt.c @@ -664,10 +664,14 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, if ( (sess == NULL) || (s->enc_write_ctx == NULL) || (EVP_MD_CTX_md(s->write_hash) == NULL)) + { +#if 1 + clear=s->enc_write_ctx?0:1; /* must be AEAD cipher */ +#else clear=1; - - if (clear) +#endif mac_size=0; + } else { mac_size=EVP_MD_CTX_size(s->write_hash); @@ -736,7 +740,14 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, wr->type=type; *(p++)=(s->version>>8); - *(p++)=s->version&0xff; + /* Some servers hang if iniatial client hello is larger than 256 + * bytes and record version number > TLS 1.0 + */ + if (s->state == SSL3_ST_CW_CLNT_HELLO_B + && TLS1_get_version(s) > TLS1_VERSION) + *(p++) = 0x1; + else + *(p++)=s->version&0xff; /* field where we are to write out packet length */ plen=p; diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index 5944d8c484..118939fabb 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c 
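Review bot: `#if 1` / `#else clear=1; #endif` in the s3_pkt.c hunk at @@ -664 leaves a dead alternative in committed code; keep only the live line, `clear=s->enc_write_ctx?0:1; /* must be AEAD cipher */`, and let version control remember the old one. The comment "must be AEAD cipher" also describes only one of the three conditions that enter this block — the `sess == NULL` and `enc_write_ctx == NULL` cases still mean plaintext — so something like `/* no MAC: either unencrypted, or an AEAD cipher that carries its own tag */` would be more precise. do_ssl3_write starts and ends outside this hunk.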
@@ -2930,7 +2930,7 @@ int ssl3_get_cert_verify(SSL *s)
 if (s->s3->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY)
 {
 s->s3->tmp.reuse_message=1;
- if ((peer != NULL) && (type | EVP_PKT_SIGN))
+ if ((peer != NULL) && (type & EVP_PKT_SIGN))
 {
 al=SSL_AD_UNEXPECTED_MESSAGE;
 SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_MISSING_VERIFY_MESSAGE);
diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h
index 525602e4c2..ab724734ed 100644
--- a/crypto/openssl/ssl/ssl.h
+++ b/crypto/openssl/ssl/ssl.h
@@ -2058,6 +2058,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_DTLS1_ACCEPT 246
 #define SSL_F_DTLS1_ADD_CERT_TO_BUF 295
 #define SSL_F_DTLS1_BUFFER_RECORD 247
+#define SSL_F_DTLS1_CHECK_TIMEOUT_NUM 316
 #define SSL_F_DTLS1_CLIENT_HELLO 248
 #define SSL_F_DTLS1_CONNECT 249
 #define SSL_F_DTLS1_ENC 250
diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c
index ac643c928c..b96d26faba 100644
--- a/crypto/openssl/ssl/ssl_ciph.c
+++ b/crypto/openssl/ssl/ssl_ciph.c
@@ -616,18 +616,19 @@ int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 {
 const EVP_CIPHER *evp;

- if (s->ssl_version >= TLS1_VERSION &&
- c->algorithm_enc == SSL_RC4 &&
+ if (s->ssl_version>>8 != TLS1_VERSION_MAJOR ||
+ s->ssl_version < TLS1_VERSION)
+ return 1;
+
+ if (c->algorithm_enc == SSL_RC4 &&
 c->algorithm_mac == SSL_MD5 &&
 (evp=EVP_get_cipherbyname("RC4-HMAC-MD5")))
 *enc = evp, *md = NULL;
- else if (s->ssl_version >= TLS1_VERSION &&
- c->algorithm_enc == SSL_AES128 &&
+ else if (c->algorithm_enc == SSL_AES128 &&
 c->algorithm_mac == SSL_SHA1 &&
 (evp=EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
 *enc = evp, *md = NULL;
- else if (s->ssl_version >= TLS1_VERSION &&
- c->algorithm_enc == SSL_AES256 &&
+ else if (c->algorithm_enc == SSL_AES256 &&
 c->algorithm_mac == SSL_SHA1 &&
 (evp=EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
 *enc = evp, *md = NULL;
diff --git a/crypto/openssl/ssl/ssl_err.c b/crypto/openssl/ssl/ssl_err.c
index ccb93d2689..2577c6895a 100644
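Review bot: The old `(type | EVP_PKT_SIGN)` was always non-zero, so any client certificate not followed by a CertificateVerify was rejected; with `&` the server now accepts that omission for certificates that cannot sign, which is what RFC 5246 §7.4.8 requires, but the fixed line deserves a comment so the skipped check is not later mistaken for a hole: `/* CertificateVerify is only sent for signing-capable client certs; for others possession is proven by the key exchange */`. Where `type` comes from is outside the hunk; confirm it holds the EVP_PKT_* capability bits of the peer certificate's key. ssl3_get_cert_verify starts and ends outside this hunk.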
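Review bot: The new early return folds two different exclusions into one condition without saying so: `s->ssl_version < TLS1_VERSION` keeps SSLv3 off the stitched cipher+HMAC EVPs, while `s->ssl_version>>8 != TLS1_VERSION_MAJOR` is presumably there for DTLS, whose version constants do not share the TLS major byte and would otherwise pass the old `>= TLS1_VERSION` test. Add a comment above the `if`, e.g. `/* stitched cipher+HMAC EVPs are TLS-only: SSLv3 and non-TLS (DTLS) versions stay on the generic path */`, and note that `return 1` leaves *enc and *md exactly as the caller set them. The remainder of ssl_cipher_get_evp, including its normal return, is outside this hunk.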
--- a/crypto/openssl/ssl/ssl_err.c
+++ b/crypto/openssl/ssl/ssl_err.c
@@ -80,6 +80,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_DTLS1_ACCEPT), "DTLS1_ACCEPT"},
 {ERR_FUNC(SSL_F_DTLS1_ADD_CERT_TO_BUF), "DTLS1_ADD_CERT_TO_BUF"},
 {ERR_FUNC(SSL_F_DTLS1_BUFFER_RECORD), "DTLS1_BUFFER_RECORD"},
+{ERR_FUNC(SSL_F_DTLS1_CHECK_TIMEOUT_NUM), "DTLS1_CHECK_TIMEOUT_NUM"},
 {ERR_FUNC(SSL_F_DTLS1_CLIENT_HELLO), "DTLS1_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_DTLS1_CONNECT), "DTLS1_CONNECT"},
 {ERR_FUNC(SSL_F_DTLS1_ENC), "DTLS1_ENC"},
diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c
index 57d1107e40..27c8e3460d 100644
--- a/crypto/openssl/ssl/t1_lib.c
+++ b/crypto/openssl/ssl/t1_lib.c
@@ -544,7 +544,7 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha
 }
 skip_ext:

- if (TLS1_get_version(s) >= TLS1_2_VERSION)
+ if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
 {
 if ((size_t)(limit - ret) < sizeof(tls12_sigalgs) + 6)
 return NULL;
-- 2.41.0
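Review bot: Using TLS1_get_client_version(s) here is correct because the ClientHello is assembled before any version has been negotiated, but the line needs a comment so it is not later "simplified" back to TLS1_get_version(s): `/* nothing is negotiated yet: offer signature_algorithms whenever the version we advertise is >= TLS 1.2 */`. One consequence worth stating is that a retry with a lowered client_version silently omits the extension, which is the right behaviour for a client that deliberately offers a lower version. ssl_add_clienthello_tlsext starts and ends outside this hunk.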
