From c0e4fa118162302ab6d33e0264e7c63eaea7c6c8 Mon Sep 17 00:00:00 2001 From: Sascha Wildner Date: Sat, 13 Jun 2015 18:29:32 +0200 Subject: [PATCH] Import OpenSSL 1.0.1o. Fixes an HMAC ABI incompatibility which was introduced in 1.0.1n. --- crypto/openssl/CHANGES | 6 ++++++ crypto/openssl/NEWS | 4 ++++ crypto/openssl/README | 2 +- crypto/openssl/crypto/hmac/hmac.c | 19 +++++++------------ crypto/openssl/crypto/hmac/hmac.h | 1 - crypto/openssl/crypto/opensslv.h | 6 +++--- crypto/openssl/ssl/t1_lib.c | 12 ++++++------ 7 files changed, 27 insertions(+), 23 deletions(-) diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index 2565187204..759b2a7bba 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -2,6 +2,12 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1n and 1.0.1o [12 Jun 2015] + + *) Fix HMAC ABI incompatibility. The previous version introduced an ABI + incompatibility in the handling of HMAC. The previous ABI has now been + restored. + Changes between 1.0.1m and 1.0.1n [11 Jun 2015] *) Malformed ECParameters causes infinite loop diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS index e866e94fa6..fb69ad3e5d 100644 --- a/crypto/openssl/NEWS +++ b/crypto/openssl/NEWS @@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015] + + o Fix HMAC ABI incompatibility + Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015] o Malformed ECParameters causes infinite loop (CVE-2015-1788) diff --git a/crypto/openssl/README b/crypto/openssl/README index 8718a24346..bf3b71540d 100644 --- a/crypto/openssl/README +++ b/crypto/openssl/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.1n 11 Jun 2015 + OpenSSL 1.0.1o 12 Jun 2015 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/openssl/crypto/hmac/hmac.c b/crypto/openssl/crypto/hmac/hmac.c index 5925467818..33d88be117 100644 --- a/crypto/openssl/crypto/hmac/hmac.c +++ b/crypto/openssl/crypto/hmac/hmac.c @@ -87,6 +87,9 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, return FIPS_hmac_init_ex(ctx, key, len, md, NULL); } #endif + /* If we are changing MD then we must have a key */ + if (md != NULL && md != ctx->md && (key == NULL || len < 0)) + return 0; if (md != NULL) { reset = 1; @@ -97,9 +100,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, return 0; } - if (!ctx->key_init && key == NULL) - return 0; - if (key != NULL) { reset = 1; j = EVP_MD_block_size(md); @@ -121,7 +121,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, if (ctx->key_length != HMAC_MAX_MD_CBLOCK) memset(&ctx->key[ctx->key_length], 0, HMAC_MAX_MD_CBLOCK - ctx->key_length); - ctx->key_init = 1; } if (reset) { @@ -159,7 +158,7 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) if (FIPS_mode() && !ctx->i_ctx.engine) return FIPS_hmac_update(ctx, data, len); #endif - if (!ctx->key_init) + if (!ctx->md) return 0; return EVP_DigestUpdate(&ctx->md_ctx, data, len); @@ -174,7 +173,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) return FIPS_hmac_final(ctx, md, len); #endif - if (!ctx->key_init) + if (!ctx->md) goto err; if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i)) @@ -195,7 +194,6 @@ void HMAC_CTX_init(HMAC_CTX *ctx) EVP_MD_CTX_init(&ctx->i_ctx); EVP_MD_CTX_init(&ctx->o_ctx); EVP_MD_CTX_init(&ctx->md_ctx); - ctx->key_init = 0; ctx->md = NULL; } @@ -207,11 +205,8 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) goto err; if (!EVP_MD_CTX_copy(&dctx->md_ctx, &sctx->md_ctx)) goto err; - dctx->key_init = sctx->key_init; - if (sctx->key_init) { - memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK); - dctx->key_length = sctx->key_length; - } + memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK); + dctx->key_length = sctx->key_length; dctx->md = sctx->md; return 1; err: diff --git a/crypto/openssl/crypto/hmac/hmac.h b/crypto/openssl/crypto/hmac/hmac.h index f8e9f5e4f3..b8b55cda7d 100644 --- a/crypto/openssl/crypto/hmac/hmac.h +++ b/crypto/openssl/crypto/hmac/hmac.h @@ -79,7 +79,6 @@ typedef struct hmac_ctx_st { EVP_MD_CTX o_ctx; unsigned int key_length; unsigned char key[HMAC_MAX_MD_CBLOCK]; - int key_init; } HMAC_CTX; # define HMAC_size(e) (EVP_MD_size((e)->md)) diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index 94a95f3482..84d0bf9d1f 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x100010efL +# define OPENSSL_VERSION_NUMBER 0x100010ffL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1n-fips 11 Jun 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1o-fips 12 Jun 2015" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1n 11 Jun 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1o 12 Jun 2015" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c index c2d7d72071..d70b93fead 100644 --- a/crypto/openssl/ssl/t1_lib.c +++ b/crypto/openssl/ssl/t1_lib.c @@ -1016,12 +1016,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, s->srtp_profile = NULL; - if (data >= (d + n - 2)) { - if (data != d + n) - goto err; - else - goto ri_check; - } + if (data == d + n) + goto ri_check; + + if (data > (d + n - 2)) + goto err; + n2s(data, len); if (data > (d + n - len)) -- 2.41.0