diff options
author | jkim <jkim@FreeBSD.org> | 2015-06-12 17:10:19 +0000 |
---|---|---|
committer | jkim <jkim@FreeBSD.org> | 2015-06-12 17:10:19 +0000 |
commit | 11074f6b1e6b24bcac4e18463aedabbe359b370b (patch) | |
tree | c0577c1c6d2f6563e1e25655fecedee7cfb8feb0 /crypto | |
parent | c51db5833881d75f8efb47db219de90e6fa4fc7c (diff) | |
download | FreeBSD-src-11074f6b1e6b24bcac4e18463aedabbe359b370b.zip FreeBSD-src-11074f6b1e6b24bcac4e18463aedabbe359b370b.tar.gz |
MFC: r284329
Merge OpenSSL 1.0.1o.
Note it is instantly merged because it restores ABI compatibility broken by
the previous OpenSSL 1.0.1n.
Relnotes: yes
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/openssl/CHANGES | 6 | ||||
-rw-r--r-- | crypto/openssl/Makefile | 2 | ||||
-rw-r--r-- | crypto/openssl/NEWS | 4 | ||||
-rw-r--r-- | crypto/openssl/README | 2 | ||||
-rw-r--r-- | crypto/openssl/crypto/hmac/hmac.c | 19 | ||||
-rw-r--r-- | crypto/openssl/crypto/hmac/hmac.h | 1 | ||||
-rw-r--r-- | crypto/openssl/crypto/hmac/hmactest.c | 7 | ||||
-rw-r--r-- | crypto/openssl/crypto/opensslv.h | 6 | ||||
-rw-r--r-- | crypto/openssl/ssl/t1_lib.c | 12 |
9 files changed, 34 insertions, 25 deletions
diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index 2565187..759b2a7 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -2,6 +2,12 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1n and 1.0.1o [12 Jun 2015] + + *) Fix HMAC ABI incompatibility. The previous version introduced an ABI + incompatibility in the handling of HMAC. The previous ABI has now been + restored. + Changes between 1.0.1m and 1.0.1n [11 Jun 2015] *) Malformed ECParameters causes infinite loop diff --git a/crypto/openssl/Makefile b/crypto/openssl/Makefile index c01d470..0b3badb 100644 --- a/crypto/openssl/Makefile +++ b/crypto/openssl/Makefile @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.1n +VERSION=1.0.1o MAJOR=1 MINOR=0.1 SHLIB_VERSION_NUMBER=1.0.0 diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS index e866e94..fb69ad3 100644 --- a/crypto/openssl/NEWS +++ b/crypto/openssl/NEWS @@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015] + + o Fix HMAC ABI incompatibility + Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015] o Malformed ECParameters causes infinite loop (CVE-2015-1788) diff --git a/crypto/openssl/README b/crypto/openssl/README index 8718a24..bf3b715 100644 --- a/crypto/openssl/README +++ b/crypto/openssl/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.1n 11 Jun 2015 + OpenSSL 1.0.1o 12 Jun 2015 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/openssl/crypto/hmac/hmac.c b/crypto/openssl/crypto/hmac/hmac.c index 5925467..33d88be 100644 --- a/crypto/openssl/crypto/hmac/hmac.c +++ b/crypto/openssl/crypto/hmac/hmac.c @@ -87,6 +87,9 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, return FIPS_hmac_init_ex(ctx, key, len, md, NULL); } #endif + /* If we are changing MD then we must have a key */ + if (md != NULL && md != ctx->md && (key == NULL || len < 0)) + return 0; if (md != NULL) { reset = 1; @@ -97,9 +100,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, return 0; } - if (!ctx->key_init && key == NULL) - return 0; - if (key != NULL) { reset = 1; j = EVP_MD_block_size(md); @@ -121,7 +121,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, if (ctx->key_length != HMAC_MAX_MD_CBLOCK) memset(&ctx->key[ctx->key_length], 0, HMAC_MAX_MD_CBLOCK - ctx->key_length); - ctx->key_init = 1; } if (reset) { @@ -159,7 +158,7 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) if (FIPS_mode() && !ctx->i_ctx.engine) return FIPS_hmac_update(ctx, data, len); #endif - if (!ctx->key_init) + if (!ctx->md) return 0; return EVP_DigestUpdate(&ctx->md_ctx, data, len); @@ -174,7 +173,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) return FIPS_hmac_final(ctx, md, len); #endif - if (!ctx->key_init) + if (!ctx->md) goto err; if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i)) @@ -195,7 +194,6 @@ void HMAC_CTX_init(HMAC_CTX *ctx) EVP_MD_CTX_init(&ctx->i_ctx); EVP_MD_CTX_init(&ctx->o_ctx); EVP_MD_CTX_init(&ctx->md_ctx); - ctx->key_init = 0; ctx->md = NULL; } @@ -207,11 +205,8 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) goto err; if (!EVP_MD_CTX_copy(&dctx->md_ctx, &sctx->md_ctx)) goto err; - dctx->key_init = sctx->key_init; - if (sctx->key_init) { - memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK); - dctx->key_length = sctx->key_length; - } + memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK); + dctx->key_length = sctx->key_length; dctx->md = sctx->md; return 1; err: diff --git a/crypto/openssl/crypto/hmac/hmac.h b/crypto/openssl/crypto/hmac/hmac.h index f8e9f5e..b8b55cd 100644 --- a/crypto/openssl/crypto/hmac/hmac.h +++ b/crypto/openssl/crypto/hmac/hmac.h @@ -79,7 +79,6 @@ typedef struct hmac_ctx_st { EVP_MD_CTX o_ctx; unsigned int key_length; unsigned char key[HMAC_MAX_MD_CBLOCK]; - int key_init; } HMAC_CTX; # define HMAC_size(e) (EVP_MD_size((e)->md)) diff --git a/crypto/openssl/crypto/hmac/hmactest.c b/crypto/openssl/crypto/hmac/hmactest.c index 86b6c25..271d0eb 100644 --- a/crypto/openssl/crypto/hmac/hmactest.c +++ b/crypto/openssl/crypto/hmac/hmactest.c @@ -233,7 +233,12 @@ test5: err++; goto test6; } - if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { + if (HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { + printf("Should disallow changing MD without a new key (test 5)\n"); + err++; + goto test6; + } + if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha256(), NULL)) { printf("Failed to reinitialise HMAC (test 5)\n"); err++; goto test6; diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index 320e568..bc91a6c 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x100010efL +# define OPENSSL_VERSION_NUMBER 0x100010ffL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1n-fips 11 Jun 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1o-fips 12 Jun 2015" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1n-freebsd 11 Jun 2015" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1o-freebsd 12 Jun 2015" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c index c2d7d72..d70b93f 100644 --- a/crypto/openssl/ssl/t1_lib.c +++ b/crypto/openssl/ssl/t1_lib.c @@ -1016,12 +1016,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, s->srtp_profile = NULL; - if (data >= (d + n - 2)) { - if (data != d + n) - goto err; - else - goto ri_check; - } + if (data == d + n) + goto ri_check; + + if (data > (d + n - 2)) + goto err; + n2s(data, len); if (data > (d + n - len)) |