This commit was generated by cvs2git to track changes on a CVS vendor

branch.
author: djm <> 2012-01-05 22:59:08 +0000
committer: djm <> 2012-01-05 22:59:08 +0000
commit: bd954f2f01e639df32a5459df28e0da02c379d33 (patch)
tree: 640a52d3f7ef060e793959f9377db0ccc119de45
parent: f5322a6ce33eab65914d76831cbd16781599ebd5 (diff)
parent: 7aa3571aba92d82f8dd3caabe48fad636f05a0fd (diff)
download: openbsd-bd954f2f01e639df32a5459df28e0da02c379d33.tar.gz
openbsd-bd954f2f01e639df32a5459df28e0da02c379d33.tar.bz2
openbsd-bd954f2f01e639df32a5459df28e0da02c379d33.zip
8 files changed, 192 insertions, 24 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecdsatest.c b/src/lib/libcrypto/ecdsa/ecdsatest.c
index 26a4a9ee7c..54cfb8c753 100644
--- a/src/lib/libcrypto/ecdsa/ecdsatest.c
+++ b/src/lib/libcrypto/ecdsa/ecdsatest.c
@@ -286,9 +286,12 @@ int test_builtin(BIO *out)
        size_t          crv_len = 0, n = 0;
        EC_KEY          *eckey = NULL, *wrong_eckey = NULL;
        EC_GROUP        *group;
+        ECDSA_SIG       *ecdsa_sig = NULL;
        unsigned char   digest[20], wrong_digest[20];
-        unsigned char   *signature = NULL; 
+        unsigned char   *signature = NULL;
-        unsigned int    sig_len;
+        unsigned char   *sig_ptr;
+        unsigned char   *raw_buf = NULL;
+        unsigned int    sig_len, degree, r_len, s_len, bn_len, buf_len;
        int             nid, ret =  0;
        
        /* fill digest values with some random data */
@@ -338,7 +341,8 @@ int test_builtin(BIO *out)
                if (EC_KEY_set_group(eckey, group) == 0)
                        goto builtin_err;
                EC_GROUP_free(group);
-                if (EC_GROUP_get_degree(EC_KEY_get0_group(eckey)) < 160)
+                degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
+                if (degree < 160)
                        /* drop the curve */ 
                        {
                        EC_KEY_free(eckey);
@@ -414,26 +418,89 @@ int test_builtin(BIO *out)
                        }
                BIO_printf(out, ".");
                (void)BIO_flush(out);
-                /* modify a single byte of the signature */
+                /* wrong length */
-                offset = signature[10] % sig_len;
+                if (ECDSA_verify(0, digest, 20, signature, sig_len - 1,
-                dirt   = signature[11];
+                        eckey) == 1)
-                signature[offset] ^= dirt ? dirt : 1; 
+                        {
+                        BIO_printf(out, " failed\n");
+                        goto builtin_err;
+                        }
+                BIO_printf(out, ".");
+                (void)BIO_flush(out);
+                /* Modify a single byte of the signature: to ensure we don't
+                 * garble the ASN1 structure, we read the raw signature and
+                 * modify a byte in one of the bignums directly. */
+                sig_ptr = signature;
+                if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)) == NULL)
+                        {
+                        BIO_printf(out, " failed\n");
+                        goto builtin_err;
+                        }
+                /* Store the two BIGNUMs in raw_buf. */
+                r_len = BN_num_bytes(ecdsa_sig->r);
+                s_len = BN_num_bytes(ecdsa_sig->s);
+                bn_len = (degree + 7) / 8;
+                if ((r_len > bn_len) || (s_len > bn_len))
+                        {
+                        BIO_printf(out, " failed\n");
+                        goto builtin_err;
+                        }
+                buf_len = 2 * bn_len;
+                if ((raw_buf = OPENSSL_malloc(buf_len)) == NULL)
+                        goto builtin_err;
+                /* Pad the bignums with leading zeroes. */
+                memset(raw_buf, 0, buf_len);
+                BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len);
+                BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len);
+                /* Modify a single byte in the buffer. */
+                offset = raw_buf[10] % buf_len;
+                dirt   = raw_buf[11] ? raw_buf[11] : 1;
+                raw_buf[offset] ^= dirt;
+                /* Now read the BIGNUMs back in from raw_buf. */
+                if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
+                        (BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
+                        goto builtin_err;
+                sig_ptr = signature;
+                sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
                if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1)
                        {
                        BIO_printf(out, " failed\n");
                        goto builtin_err;
                        }
+                /* Sanity check: undo the modification and verify signature. */
+                raw_buf[offset] ^= dirt;
+                if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
+                        (BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
+                        goto builtin_err;
+                sig_ptr = signature;
+                sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
+                if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1)
+                        {
+                        BIO_printf(out, " failed\n");
+                        goto builtin_err;
+                        }
                BIO_printf(out, ".");
                (void)BIO_flush(out);
                
                BIO_printf(out, " ok\n");
                /* cleanup */
+                /* clean bogus errors */
+                ERR_clear_error();
                OPENSSL_free(signature);
                signature = NULL;
                EC_KEY_free(eckey);
                eckey = NULL;
                EC_KEY_free(wrong_eckey);
                wrong_eckey = NULL;
+                ECDSA_SIG_free(ecdsa_sig);
+                ecdsa_sig = NULL;
+                OPENSSL_free(raw_buf);
+                raw_buf = NULL;
                }
        ret = 1;        
@@ -442,8 +509,12 @@ builtin_err:
                EC_KEY_free(eckey);
        if (wrong_eckey)
                EC_KEY_free(wrong_eckey);
+        if (ecdsa_sig)
+                ECDSA_SIG_free(ecdsa_sig);
        if (signature)
                OPENSSL_free(signature);
+        if (raw_buf)
+                OPENSSL_free(raw_buf);
        if (curves)
                OPENSSL_free(curves);
diff --git a/src/lib/libssl/src/apps/cms.c b/src/lib/libssl/src/apps/cms.c
index d29a884902..3f5ee1b577 100644
--- a/src/lib/libssl/src/apps/cms.c
+++ b/src/lib/libssl/src/apps/cms.c
@@ -618,7 +618,7 @@ int MAIN(int argc, char **argv)
                BIO_printf (bio_err, "-certsout file certificate output file\n");
                BIO_printf (bio_err, "-signer file   signer certificate file\n");
                BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
-                BIO_printf (bio_err, "-skeyid        use subject key identifier\n");
+                BIO_printf (bio_err, "-keyid        use subject key identifier\n");
                BIO_printf (bio_err, "-in file       input file\n");
                BIO_printf (bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
                BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
diff --git a/src/lib/libssl/src/crypto/bn/asm/x86-mont.pl b/src/lib/libssl/src/crypto/bn/asm/x86-mont.pl
index 5cd3cd2ed5..e8f6b05084 100755
--- a/src/lib/libssl/src/crypto/bn/asm/x86-mont.pl
+++ b/src/lib/libssl/src/crypto/bn/asm/x86-mont.pl
@@ -527,8 +527,10 @@ $sbit=$num;
        &jle    (&label("sqradd"));
        &mov    ($carry,"edx");
-        &lea    ("edx",&DWP(0,$sbit,"edx",2));
+        &add    ("edx","edx");
        &shr    ($carry,31);
+        &add    ("edx",$sbit);
+        &adc    ($carry,0);
 &set_label("sqrlast");
        &mov    ($word,$_n0);
        &mov    ($inp,$_np);
diff --git a/src/lib/libssl/src/crypto/ecdsa/ecdsatest.c b/src/lib/libssl/src/crypto/ecdsa/ecdsatest.c
index 26a4a9ee7c..54cfb8c753 100644
--- a/src/lib/libssl/src/crypto/ecdsa/ecdsatest.c
+++ b/src/lib/libssl/src/crypto/ecdsa/ecdsatest.c
@@ -286,9 +286,12 @@ int test_builtin(BIO *out)
        size_t          crv_len = 0, n = 0;
        EC_KEY          *eckey = NULL, *wrong_eckey = NULL;
        EC_GROUP        *group;
+        ECDSA_SIG       *ecdsa_sig = NULL;
        unsigned char   digest[20], wrong_digest[20];
-        unsigned char   *signature = NULL; 
+        unsigned char   *signature = NULL;
-        unsigned int    sig_len;
+        unsigned char   *sig_ptr;
+        unsigned char   *raw_buf = NULL;
+        unsigned int    sig_len, degree, r_len, s_len, bn_len, buf_len;
        int             nid, ret =  0;
        
        /* fill digest values with some random data */
@@ -338,7 +341,8 @@ int test_builtin(BIO *out)
                if (EC_KEY_set_group(eckey, group) == 0)
                        goto builtin_err;
                EC_GROUP_free(group);
-                if (EC_GROUP_get_degree(EC_KEY_get0_group(eckey)) < 160)
+                degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
+                if (degree < 160)
                        /* drop the curve */ 
                        {
                        EC_KEY_free(eckey);
@@ -414,26 +418,89 @@ int test_builtin(BIO *out)
                        }
                BIO_printf(out, ".");
                (void)BIO_flush(out);
-                /* modify a single byte of the signature */
+                /* wrong length */
-                offset = signature[10] % sig_len;
+                if (ECDSA_verify(0, digest, 20, signature, sig_len - 1,
-                dirt   = signature[11];
+                        eckey) == 1)
-                signature[offset] ^= dirt ? dirt : 1; 
+                        {
+                        BIO_printf(out, " failed\n");
+                        goto builtin_err;
+                        }
+                BIO_printf(out, ".");
+                (void)BIO_flush(out);
+                /* Modify a single byte of the signature: to ensure we don't
+                 * garble the ASN1 structure, we read the raw signature and
+                 * modify a byte in one of the bignums directly. */
+                sig_ptr = signature;
+                if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)) == NULL)
+                        {
+                        BIO_printf(out, " failed\n");
+                        goto builtin_err;
+                        }
+                /* Store the two BIGNUMs in raw_buf. */
+                r_len = BN_num_bytes(ecdsa_sig->r);
+                s_len = BN_num_bytes(ecdsa_sig->s);
+                bn_len = (degree + 7) / 8;
+                if ((r_len > bn_len) || (s_len > bn_len))
+                        {
+                        BIO_printf(out, " failed\n");
+                        goto builtin_err;
+                        }
+                buf_len = 2 * bn_len;
+                if ((raw_buf = OPENSSL_malloc(buf_len)) == NULL)
+                        goto builtin_err;
+                /* Pad the bignums with leading zeroes. */
+                memset(raw_buf, 0, buf_len);
+                BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len);
+                BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len);
+                /* Modify a single byte in the buffer. */
+                offset = raw_buf[10] % buf_len;
+                dirt   = raw_buf[11] ? raw_buf[11] : 1;
+                raw_buf[offset] ^= dirt;
+                /* Now read the BIGNUMs back in from raw_buf. */
+                if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
+                        (BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
+                        goto builtin_err;
+                sig_ptr = signature;
+                sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
                if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1)
                        {
                        BIO_printf(out, " failed\n");
                        goto builtin_err;
                        }
+                /* Sanity check: undo the modification and verify signature. */
+                raw_buf[offset] ^= dirt;
+                if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) ||
+                        (BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
+                        goto builtin_err;
+                sig_ptr = signature;
+                sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
+                if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1)
+                        {
+                        BIO_printf(out, " failed\n");
+                        goto builtin_err;
+                        }
                BIO_printf(out, ".");
                (void)BIO_flush(out);
                
                BIO_printf(out, " ok\n");
                /* cleanup */
+                /* clean bogus errors */
+                ERR_clear_error();
                OPENSSL_free(signature);
                signature = NULL;
                EC_KEY_free(eckey);
                eckey = NULL;
                EC_KEY_free(wrong_eckey);
                wrong_eckey = NULL;
+                ECDSA_SIG_free(ecdsa_sig);
+                ecdsa_sig = NULL;
+                OPENSSL_free(raw_buf);
+                raw_buf = NULL;
                }
        ret = 1;        
@@ -442,8 +509,12 @@ builtin_err:
                EC_KEY_free(eckey);
        if (wrong_eckey)
                EC_KEY_free(wrong_eckey);
+        if (ecdsa_sig)
+                ECDSA_SIG_free(ecdsa_sig);
        if (signature)
                OPENSSL_free(signature);
+        if (raw_buf)
+                OPENSSL_free(raw_buf);
        if (curves)
                OPENSSL_free(curves);
diff --git a/src/lib/libssl/src/engines/ccgost/gost2001_keyx.c b/src/lib/libssl/src/engines/ccgost/gost2001_keyx.c
index 00759bcab0..c748102857 100644
--- a/src/lib/libssl/src/engines/ccgost/gost2001_keyx.c
+++ b/src/lib/libssl/src/engines/ccgost/gost2001_keyx.c
@@ -280,6 +280,10 @@ int pkey_GOST01cp_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, size_t * key_l
                }
                
        param = get_encryption_params(gkt->key_agreement_info->cipher);
+    if(!param){
+        goto err;
+    }
        gost_init(&ctx,param->sblock);  
        OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8);
        memcpy(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);
diff --git a/src/lib/libssl/src/engines/ccgost/gost94_keyx.c b/src/lib/libssl/src/engines/ccgost/gost94_keyx.c
index 624be586a5..0d7d3ffe6a 100644
--- a/src/lib/libssl/src/engines/ccgost/gost94_keyx.c
+++ b/src/lib/libssl/src/engines/ccgost/gost94_keyx.c
@@ -261,6 +261,10 @@ int pkey_GOST94cp_decrypt(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *key_len
                }
        param = get_encryption_params(gkt->key_agreement_info->cipher);
+    if(!param){
+        goto err;
+    }
+        
        gost_init(&cctx,param->sblock); 
        OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8);
        memcpy(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);
diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c
index 2180c6d4da..9f898d6997 100644
--- a/src/lib/libssl/src/ssl/d1_both.c
+++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -158,7 +158,6 @@ static unsigned char bitmask_end_values[]   = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1
 /* XDTLS:  figure out the right values */
 static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
-static unsigned int dtls1_min_mtu(void);
 static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);
 static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, 
        unsigned long frag_len);
@@ -264,11 +263,10 @@ int dtls1_do_write(SSL *s, int type)
                        return ret;
                mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
                }
-        OPENSSL_assert(mtu > 0);  /* should have something reasonable now */
 #endif
+        OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu());  /* should have something reasonable now */
        if ( s->init_off == 0  && type == SSL3_RT_HANDSHAKE)
                OPENSSL_assert(s->init_num == 
                        (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
@@ -795,7 +793,13 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
                *ok = 0;
                return i;
                }
-        OPENSSL_assert(i == DTLS1_HM_HEADER_LENGTH);
+        /* Handshake fails if message header is incomplete */
+        if (i != DTLS1_HM_HEADER_LENGTH)
+                {
+                al=SSL_AD_UNEXPECTED_MESSAGE;
+                SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
+                goto f_err;
+                }
        /* parse the message fragment header */
        dtls1_get_message_header(wire, &msg_hdr);
@@ -867,7 +871,12 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
        /* XDTLS:  an incorrectly formatted fragment should cause the 
         * handshake to fail */
-        OPENSSL_assert(i == (int)frag_len);
+        if (i != (int)frag_len)
+                {
+                al=SSL3_AD_ILLEGAL_PARAMETER;
+                SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER);
+                goto f_err;
+                }
        *ok = 1;
@@ -1367,7 +1376,7 @@ dtls1_write_message_header(SSL *s, unsigned char *p)
        return p;
        }
-static unsigned int 
+unsigned int 
 dtls1_min_mtu(void)
        {
        return (g_probable_mtu[(sizeof(g_probable_mtu) / 
diff --git a/src/lib/libssl/src/ssl/d1_lib.c b/src/lib/libssl/src/ssl/d1_lib.c
index 48e8b6ffbb..c3b77c889b 100644
--- a/src/lib/libssl/src/ssl/d1_lib.c
+++ b/src/lib/libssl/src/ssl/d1_lib.c
@@ -204,7 +204,8 @@ void dtls1_clear(SSL *s)
    pqueue buffered_messages;
        pqueue sent_messages;
        pqueue buffered_app_data;
-        
+        unsigned int mtu;
        if (s->d1)
                {
                unprocessed_rcds = s->d1->unprocessed_rcds.q;
@@ -212,6 +213,7 @@ void dtls1_clear(SSL *s)
                buffered_messages = s->d1->buffered_messages;
                sent_messages = s->d1->sent_messages;
                buffered_app_data = s->d1->buffered_app_data.q;
+                mtu = s->d1->mtu;
                dtls1_clear_queues(s);
@@ -222,6 +224,11 @@ void dtls1_clear(SSL *s)
                        s->d1->cookie_len = sizeof(s->d1->cookie);
                        }
+                if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)
+                        {
+                        s->d1->mtu = mtu;
+                        }
                s->d1->unprocessed_rcds.q = unprocessed_rcds;
                s->d1->processed_rcds.q = processed_rcds;
                s->d1->buffered_messages = buffered_messages;
author	djm <>	2012-01-05 22:59:08 +0000
committer	djm <>	2012-01-05 22:59:08 +0000
commit	bd954f2f01e639df32a5459df28e0da02c379d33 (patch)
tree	640a52d3f7ef060e793959f9377db0ccc119de45
parent	f5322a6ce33eab65914d76831cbd16781599ebd5 (diff)
parent	7aa3571aba92d82f8dd3caabe48fad636f05a0fd (diff)
download	openbsd-bd954f2f01e639df32a5459df28e0da02c379d33.tar.gz openbsd-bd954f2f01e639df32a5459df28e0da02c379d33.tar.bz2 openbsd-bd954f2f01e639df32a5459df28e0da02c379d33.zip

diff --git a/src/lib/libcrypto/ecdsa/ecdsatest.c b/src/lib/libcrypto/ecdsa/ecdsatest.c index 26a4a9ee7c..54cfb8c753 100644 --- a/src/lib/libcrypto/ecdsa/ecdsatest.c +++ b/src/lib/libcrypto/ecdsa/ecdsatest.c
@@ -286,9 +286,12 @@ int test_builtin(BIO *out)
286	size_t crv_len = 0, n = 0;	286	size_t crv_len = 0, n = 0;
287	EC_KEY eckey = NULL, wrong_eckey = NULL;	287	EC_KEY eckey = NULL, wrong_eckey = NULL;
288	EC_GROUP *group;	288	EC_GROUP *group;
		289	ECDSA_SIG *ecdsa_sig = NULL;
289	unsigned char digest[20], wrong_digest[20];	290	unsigned char digest[20], wrong_digest[20];
290	unsigned char *signature = NULL;	291	unsigned char *signature = NULL;
291	unsigned int sig_len;	292	unsigned char *sig_ptr;
		293	unsigned char *raw_buf = NULL;
		294	unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len;
292	int nid, ret = 0;	295	int nid, ret = 0;
293		296
294	/* fill digest values with some random data */	297	/* fill digest values with some random data */
@@ -338,7 +341,8 @@ int test_builtin(BIO *out)
338	if (EC_KEY_set_group(eckey, group) == 0)	341	if (EC_KEY_set_group(eckey, group) == 0)
339	goto builtin_err;	342	goto builtin_err;
340	EC_GROUP_free(group);	343	EC_GROUP_free(group);
341	if (EC_GROUP_get_degree(EC_KEY_get0_group(eckey)) < 160)	344	degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
		345	if (degree < 160)
342	/* drop the curve */	346	/* drop the curve */
343	{	347	{
344	EC_KEY_free(eckey);	348	EC_KEY_free(eckey);
@@ -414,26 +418,89 @@ int test_builtin(BIO *out)
414	}	418	}
415	BIO_printf(out, ".");	419	BIO_printf(out, ".");
416	(void)BIO_flush(out);	420	(void)BIO_flush(out);
417	/* modify a single byte of the signature */	421	/* wrong length */
418	offset = signature[10] % sig_len;	422	if (ECDSA_verify(0, digest, 20, signature, sig_len - 1,
419	dirt = signature[11];	423	eckey) == 1)
420	signature[offset] ^= dirt ? dirt : 1;	424	{
		425	BIO_printf(out, " failed\n");
		426	goto builtin_err;
		427	}
		428	BIO_printf(out, ".");
		429	(void)BIO_flush(out);
		430
		431	/* Modify a single byte of the signature: to ensure we don't
		432	* garble the ASN1 structure, we read the raw signature and
		433	* modify a byte in one of the bignums directly. */
		434	sig_ptr = signature;
		435	if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)) == NULL)
		436	{
		437	BIO_printf(out, " failed\n");
		438	goto builtin_err;
		439	}
		440
		441	/* Store the two BIGNUMs in raw_buf. */
		442	r_len = BN_num_bytes(ecdsa_sig->r);
		443	s_len = BN_num_bytes(ecdsa_sig->s);
		444	bn_len = (degree + 7) / 8;
		445	if ((r_len > bn_len) \|\| (s_len > bn_len))
		446	{
		447	BIO_printf(out, " failed\n");
		448	goto builtin_err;
		449	}
		450	buf_len = 2 * bn_len;
		451	if ((raw_buf = OPENSSL_malloc(buf_len)) == NULL)
		452	goto builtin_err;
		453	/* Pad the bignums with leading zeroes. */
		454	memset(raw_buf, 0, buf_len);
		455	BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len);
		456	BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len);
		457
		458	/* Modify a single byte in the buffer. */
		459	offset = raw_buf[10] % buf_len;
		460	dirt = raw_buf[11] ? raw_buf[11] : 1;
		461	raw_buf[offset] ^= dirt;
		462	/* Now read the BIGNUMs back in from raw_buf. */
		463	if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) \|\|
		464	(BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
		465	goto builtin_err;
		466
		467	sig_ptr = signature;
		468	sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
421	if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1)	469	if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1)
422	{	470	{
423	BIO_printf(out, " failed\n");	471	BIO_printf(out, " failed\n");
424	goto builtin_err;	472	goto builtin_err;
425	}	473	}
		474	/* Sanity check: undo the modification and verify signature. */
		475	raw_buf[offset] ^= dirt;
		476	if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) \|\|
		477	(BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
		478	goto builtin_err;
		479
		480	sig_ptr = signature;
		481	sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
		482	if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1)
		483	{
		484	BIO_printf(out, " failed\n");
		485	goto builtin_err;
		486	}
426	BIO_printf(out, ".");	487	BIO_printf(out, ".");
427	(void)BIO_flush(out);	488	(void)BIO_flush(out);
428		489
429	BIO_printf(out, " ok\n");	490	BIO_printf(out, " ok\n");
430	/* cleanup */	491	/* cleanup */
		492	/* clean bogus errors */
		493	ERR_clear_error();
431	OPENSSL_free(signature);	494	OPENSSL_free(signature);
432	signature = NULL;	495	signature = NULL;
433	EC_KEY_free(eckey);	496	EC_KEY_free(eckey);
434	eckey = NULL;	497	eckey = NULL;
435	EC_KEY_free(wrong_eckey);	498	EC_KEY_free(wrong_eckey);
436	wrong_eckey = NULL;	499	wrong_eckey = NULL;
		500	ECDSA_SIG_free(ecdsa_sig);
		501	ecdsa_sig = NULL;
		502	OPENSSL_free(raw_buf);
		503	raw_buf = NULL;
437	}	504	}
438		505
439	ret = 1;	506	ret = 1;
@@ -442,8 +509,12 @@ builtin_err:
442	EC_KEY_free(eckey);	509	EC_KEY_free(eckey);
443	if (wrong_eckey)	510	if (wrong_eckey)
444	EC_KEY_free(wrong_eckey);	511	EC_KEY_free(wrong_eckey);
		512	if (ecdsa_sig)
		513	ECDSA_SIG_free(ecdsa_sig);
445	if (signature)	514	if (signature)
446	OPENSSL_free(signature);	515	OPENSSL_free(signature);
		516	if (raw_buf)
		517	OPENSSL_free(raw_buf);
447	if (curves)	518	if (curves)
448	OPENSSL_free(curves);	519	OPENSSL_free(curves);
449		520


diff --git a/src/lib/libssl/src/apps/cms.c b/src/lib/libssl/src/apps/cms.c index d29a884902..3f5ee1b577 100644 --- a/src/lib/libssl/src/apps/cms.c +++ b/src/lib/libssl/src/apps/cms.c
@@ -618,7 +618,7 @@ int MAIN(int argc, char **argv)
618	BIO_printf (bio_err, "-certsout file certificate output file\n");	618	BIO_printf (bio_err, "-certsout file certificate output file\n");
619	BIO_printf (bio_err, "-signer file signer certificate file\n");	619	BIO_printf (bio_err, "-signer file signer certificate file\n");
620	BIO_printf (bio_err, "-recip file recipient certificate file for decryption\n");	620	BIO_printf (bio_err, "-recip file recipient certificate file for decryption\n");
621	BIO_printf (bio_err, "-skeyid use subject key identifier\n");	621	BIO_printf (bio_err, "-keyid use subject key identifier\n");
622	BIO_printf (bio_err, "-in file input file\n");	622	BIO_printf (bio_err, "-in file input file\n");
623	BIO_printf (bio_err, "-inform arg input format SMIME (default), PEM or DER\n");	623	BIO_printf (bio_err, "-inform arg input format SMIME (default), PEM or DER\n");
624	BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n");	624	BIO_printf (bio_err, "-inkey file input private key (if not signer or recipient)\n");


diff --git a/src/lib/libssl/src/crypto/bn/asm/x86-mont.pl b/src/lib/libssl/src/crypto/bn/asm/x86-mont.pl index 5cd3cd2ed5..e8f6b05084 100755 --- a/src/lib/libssl/src/crypto/bn/asm/x86-mont.pl +++ b/src/lib/libssl/src/crypto/bn/asm/x86-mont.pl
@@ -527,8 +527,10 @@ $sbit=$num;
527	&jle (&label("sqradd"));	527	&jle (&label("sqradd"));
528		528
529	&mov ($carry,"edx");	529	&mov ($carry,"edx");
530	&lea ("edx",&DWP(0,$sbit,"edx",2));	530	&add ("edx","edx");
531	&shr ($carry,31);	531	&shr ($carry,31);
		532	&add ("edx",$sbit);
		533	&adc ($carry,0);
532	&set_label("sqrlast");	534	&set_label("sqrlast");
533	&mov ($word,$_n0);	535	&mov ($word,$_n0);
534	&mov ($inp,$_np);	536	&mov ($inp,$_np);


diff --git a/src/lib/libssl/src/crypto/ecdsa/ecdsatest.c b/src/lib/libssl/src/crypto/ecdsa/ecdsatest.c index 26a4a9ee7c..54cfb8c753 100644 --- a/src/lib/libssl/src/crypto/ecdsa/ecdsatest.c +++ b/src/lib/libssl/src/crypto/ecdsa/ecdsatest.c
@@ -286,9 +286,12 @@ int test_builtin(BIO *out)
286	size_t crv_len = 0, n = 0;	286	size_t crv_len = 0, n = 0;
287	EC_KEY eckey = NULL, wrong_eckey = NULL;	287	EC_KEY eckey = NULL, wrong_eckey = NULL;
288	EC_GROUP *group;	288	EC_GROUP *group;
		289	ECDSA_SIG *ecdsa_sig = NULL;
289	unsigned char digest[20], wrong_digest[20];	290	unsigned char digest[20], wrong_digest[20];
290	unsigned char *signature = NULL;	291	unsigned char *signature = NULL;
291	unsigned int sig_len;	292	unsigned char *sig_ptr;
		293	unsigned char *raw_buf = NULL;
		294	unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len;
292	int nid, ret = 0;	295	int nid, ret = 0;
293		296
294	/* fill digest values with some random data */	297	/* fill digest values with some random data */
@@ -338,7 +341,8 @@ int test_builtin(BIO *out)
338	if (EC_KEY_set_group(eckey, group) == 0)	341	if (EC_KEY_set_group(eckey, group) == 0)
339	goto builtin_err;	342	goto builtin_err;
340	EC_GROUP_free(group);	343	EC_GROUP_free(group);
341	if (EC_GROUP_get_degree(EC_KEY_get0_group(eckey)) < 160)	344	degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey));
		345	if (degree < 160)
342	/* drop the curve */	346	/* drop the curve */
343	{	347	{
344	EC_KEY_free(eckey);	348	EC_KEY_free(eckey);
@@ -414,26 +418,89 @@ int test_builtin(BIO *out)
414	}	418	}
415	BIO_printf(out, ".");	419	BIO_printf(out, ".");
416	(void)BIO_flush(out);	420	(void)BIO_flush(out);
417	/* modify a single byte of the signature */	421	/* wrong length */
418	offset = signature[10] % sig_len;	422	if (ECDSA_verify(0, digest, 20, signature, sig_len - 1,
419	dirt = signature[11];	423	eckey) == 1)
420	signature[offset] ^= dirt ? dirt : 1;	424	{
		425	BIO_printf(out, " failed\n");
		426	goto builtin_err;
		427	}
		428	BIO_printf(out, ".");
		429	(void)BIO_flush(out);
		430
		431	/* Modify a single byte of the signature: to ensure we don't
		432	* garble the ASN1 structure, we read the raw signature and
		433	* modify a byte in one of the bignums directly. */
		434	sig_ptr = signature;
		435	if ((ecdsa_sig = d2i_ECDSA_SIG(NULL, &sig_ptr, sig_len)) == NULL)
		436	{
		437	BIO_printf(out, " failed\n");
		438	goto builtin_err;
		439	}
		440
		441	/* Store the two BIGNUMs in raw_buf. */
		442	r_len = BN_num_bytes(ecdsa_sig->r);
		443	s_len = BN_num_bytes(ecdsa_sig->s);
		444	bn_len = (degree + 7) / 8;
		445	if ((r_len > bn_len) \|\| (s_len > bn_len))
		446	{
		447	BIO_printf(out, " failed\n");
		448	goto builtin_err;
		449	}
		450	buf_len = 2 * bn_len;
		451	if ((raw_buf = OPENSSL_malloc(buf_len)) == NULL)
		452	goto builtin_err;
		453	/* Pad the bignums with leading zeroes. */
		454	memset(raw_buf, 0, buf_len);
		455	BN_bn2bin(ecdsa_sig->r, raw_buf + bn_len - r_len);
		456	BN_bn2bin(ecdsa_sig->s, raw_buf + buf_len - s_len);
		457
		458	/* Modify a single byte in the buffer. */
		459	offset = raw_buf[10] % buf_len;
		460	dirt = raw_buf[11] ? raw_buf[11] : 1;
		461	raw_buf[offset] ^= dirt;
		462	/* Now read the BIGNUMs back in from raw_buf. */
		463	if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) \|\|
		464	(BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
		465	goto builtin_err;
		466
		467	sig_ptr = signature;
		468	sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
421	if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1)	469	if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1)
422	{	470	{
423	BIO_printf(out, " failed\n");	471	BIO_printf(out, " failed\n");
424	goto builtin_err;	472	goto builtin_err;
425	}	473	}
		474	/* Sanity check: undo the modification and verify signature. */
		475	raw_buf[offset] ^= dirt;
		476	if ((BN_bin2bn(raw_buf, bn_len, ecdsa_sig->r) == NULL) \|\|
		477	(BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
		478	goto builtin_err;
		479
		480	sig_ptr = signature;
		481	sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
		482	if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1)
		483	{
		484	BIO_printf(out, " failed\n");
		485	goto builtin_err;
		486	}
426	BIO_printf(out, ".");	487	BIO_printf(out, ".");
427	(void)BIO_flush(out);	488	(void)BIO_flush(out);
428		489
429	BIO_printf(out, " ok\n");	490	BIO_printf(out, " ok\n");
430	/* cleanup */	491	/* cleanup */
		492	/* clean bogus errors */
		493	ERR_clear_error();
431	OPENSSL_free(signature);	494	OPENSSL_free(signature);
432	signature = NULL;	495	signature = NULL;
433	EC_KEY_free(eckey);	496	EC_KEY_free(eckey);
434	eckey = NULL;	497	eckey = NULL;
435	EC_KEY_free(wrong_eckey);	498	EC_KEY_free(wrong_eckey);
436	wrong_eckey = NULL;	499	wrong_eckey = NULL;
		500	ECDSA_SIG_free(ecdsa_sig);
		501	ecdsa_sig = NULL;
		502	OPENSSL_free(raw_buf);
		503	raw_buf = NULL;
437	}	504	}
438		505
439	ret = 1;	506	ret = 1;
@@ -442,8 +509,12 @@ builtin_err:
442	EC_KEY_free(eckey);	509	EC_KEY_free(eckey);
443	if (wrong_eckey)	510	if (wrong_eckey)
444	EC_KEY_free(wrong_eckey);	511	EC_KEY_free(wrong_eckey);
		512	if (ecdsa_sig)
		513	ECDSA_SIG_free(ecdsa_sig);
445	if (signature)	514	if (signature)
446	OPENSSL_free(signature);	515	OPENSSL_free(signature);
		516	if (raw_buf)
		517	OPENSSL_free(raw_buf);
447	if (curves)	518	if (curves)
448	OPENSSL_free(curves);	519	OPENSSL_free(curves);
449		520


diff --git a/src/lib/libssl/src/engines/ccgost/gost2001_keyx.c b/src/lib/libssl/src/engines/ccgost/gost2001_keyx.c index 00759bcab0..c748102857 100644 --- a/src/lib/libssl/src/engines/ccgost/gost2001_keyx.c +++ b/src/lib/libssl/src/engines/ccgost/gost2001_keyx.c
@@ -280,6 +280,10 @@ int pkey_GOST01cp_decrypt(EVP_PKEY_CTX pctx, unsigned char key, size_t * key_l
280	}	280	}
281		281
282	param = get_encryption_params(gkt->key_agreement_info->cipher);	282	param = get_encryption_params(gkt->key_agreement_info->cipher);
		283	if(!param){
		284	goto err;
		285	}
		286
283	gost_init(&ctx,param->sblock);	287	gost_init(&ctx,param->sblock);
284	OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8);	288	OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8);
285	memcpy(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);	289	memcpy(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);


diff --git a/src/lib/libssl/src/engines/ccgost/gost94_keyx.c b/src/lib/libssl/src/engines/ccgost/gost94_keyx.c index 624be586a5..0d7d3ffe6a 100644 --- a/src/lib/libssl/src/engines/ccgost/gost94_keyx.c +++ b/src/lib/libssl/src/engines/ccgost/gost94_keyx.c
@@ -261,6 +261,10 @@ int pkey_GOST94cp_decrypt(EVP_PKEY_CTX ctx, unsigned char key, size_t *key_len
261	}	261	}
262		262
263	param = get_encryption_params(gkt->key_agreement_info->cipher);	263	param = get_encryption_params(gkt->key_agreement_info->cipher);
		264	if(!param){
		265	goto err;
		266	}
		267
264	gost_init(&cctx,param->sblock);	268	gost_init(&cctx,param->sblock);
265	OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8);	269	OPENSSL_assert(gkt->key_agreement_info->eph_iv->length==8);
266	memcpy(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);	270	memcpy(wrappedKey,gkt->key_agreement_info->eph_iv->data,8);


diff --git a/src/lib/libssl/src/ssl/d1_both.c b/src/lib/libssl/src/ssl/d1_both.c index 2180c6d4da..9f898d6997 100644 --- a/src/lib/libssl/src/ssl/d1_both.c +++ b/src/lib/libssl/src/ssl/d1_both.c
@@ -158,7 +158,6 @@ static unsigned char bitmask_end_values[] = {0xff, 0x01, 0x03, 0x07, 0x0f, 0x1
158	/* XDTLS: figure out the right values */	158	/* XDTLS: figure out the right values */
159	static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};	159	static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28};
160		160
161	static unsigned int dtls1_min_mtu(void);
162	static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);	161	static unsigned int dtls1_guess_mtu(unsigned int curr_mtu);
163	static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,	162	static void dtls1_fix_message_header(SSL *s, unsigned long frag_off,
164	unsigned long frag_len);	163	unsigned long frag_len);
@@ -264,11 +263,10 @@ int dtls1_do_write(SSL *s, int type)
264	return ret;	263	return ret;
265	mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);	264	mtu = s->d1->mtu - (DTLS1_HM_HEADER_LENGTH + DTLS1_RT_HEADER_LENGTH);
266	}	265	}
267
268	OPENSSL_assert(mtu > 0); /* should have something reasonable now */
269
270	#endif	266	#endif
271		267
		268	OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); /* should have something reasonable now */
		269
272	if ( s->init_off == 0 && type == SSL3_RT_HANDSHAKE)	270	if ( s->init_off == 0 && type == SSL3_RT_HANDSHAKE)
273	OPENSSL_assert(s->init_num ==	271	OPENSSL_assert(s->init_num ==
274	(int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);	272	(int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH);
@@ -795,7 +793,13 @@ dtls1_get_message_fragment(SSL s, int st1, int stn, long max, int ok)
795	*ok = 0;	793	*ok = 0;
796	return i;	794	return i;
797	}	795	}
798	OPENSSL_assert(i == DTLS1_HM_HEADER_LENGTH);	796	/* Handshake fails if message header is incomplete */
		797	if (i != DTLS1_HM_HEADER_LENGTH)
		798	{
		799	al=SSL_AD_UNEXPECTED_MESSAGE;
		800	SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL_R_UNEXPECTED_MESSAGE);
		801	goto f_err;
		802	}
799		803
800	/* parse the message fragment header */	804	/* parse the message fragment header */
801	dtls1_get_message_header(wire, &msg_hdr);	805	dtls1_get_message_header(wire, &msg_hdr);
@@ -867,7 +871,12 @@ dtls1_get_message_fragment(SSL s, int st1, int stn, long max, int ok)
867		871
868	/* XDTLS: an incorrectly formatted fragment should cause the	872	/* XDTLS: an incorrectly formatted fragment should cause the
869	* handshake to fail */	873	* handshake to fail */
870	OPENSSL_assert(i == (int)frag_len);	874	if (i != (int)frag_len)
		875	{
		876	al=SSL3_AD_ILLEGAL_PARAMETER;
		877	SSLerr(SSL_F_DTLS1_GET_MESSAGE_FRAGMENT,SSL3_AD_ILLEGAL_PARAMETER);
		878	goto f_err;
		879	}
871		880
872	*ok = 1;	881	*ok = 1;
873		882
@@ -1367,7 +1376,7 @@ dtls1_write_message_header(SSL s, unsigned char p)
1367	return p;	1376	return p;
1368	}	1377	}
1369		1378
1370	static unsigned int	1379	unsigned int
1371	dtls1_min_mtu(void)	1380	dtls1_min_mtu(void)
1372	{	1381	{
1373	return (g_probable_mtu[(sizeof(g_probable_mtu) /	1382	return (g_probable_mtu[(sizeof(g_probable_mtu) /


diff --git a/src/lib/libssl/src/ssl/d1_lib.c b/src/lib/libssl/src/ssl/d1_lib.c index 48e8b6ffbb..c3b77c889b 100644 --- a/src/lib/libssl/src/ssl/d1_lib.c +++ b/src/lib/libssl/src/ssl/d1_lib.c
@@ -204,7 +204,8 @@ void dtls1_clear(SSL *s)
204	pqueue buffered_messages;	204	pqueue buffered_messages;
205	pqueue sent_messages;	205	pqueue sent_messages;
206	pqueue buffered_app_data;	206	pqueue buffered_app_data;
207		207	unsigned int mtu;
		208
208	if (s->d1)	209	if (s->d1)
209	{	210	{
210	unprocessed_rcds = s->d1->unprocessed_rcds.q;	211	unprocessed_rcds = s->d1->unprocessed_rcds.q;
@@ -212,6 +213,7 @@ void dtls1_clear(SSL *s)
212	buffered_messages = s->d1->buffered_messages;	213	buffered_messages = s->d1->buffered_messages;
213	sent_messages = s->d1->sent_messages;	214	sent_messages = s->d1->sent_messages;
214	buffered_app_data = s->d1->buffered_app_data.q;	215	buffered_app_data = s->d1->buffered_app_data.q;
		216	mtu = s->d1->mtu;
215		217
216	dtls1_clear_queues(s);	218	dtls1_clear_queues(s);
217		219
@@ -222,6 +224,11 @@ void dtls1_clear(SSL *s)
222	s->d1->cookie_len = sizeof(s->d1->cookie);	224	s->d1->cookie_len = sizeof(s->d1->cookie);
223	}	225	}
224		226
		227	if (SSL_get_options(s) & SSL_OP_NO_QUERY_MTU)
		228	{
		229	s->d1->mtu = mtu;
		230	}
		231
225	s->d1->unprocessed_rcds.q = unprocessed_rcds;	232	s->d1->unprocessed_rcds.q = unprocessed_rcds;
226	s->d1->processed_rcds.q = processed_rcds;	233	s->d1->processed_rcds.q = processed_rcds;
227	s->d1->buffered_messages = buffered_messages;	234	s->d1->buffered_messages = buffered_messages;