Module Name: src Committed By: christos Date: Sat Feb 20 03:22:14 UTC 2021
Modified Files: src/crypto/external/bsd/openssl/dist: CHANGES Configure NEWS README src/crypto/external/bsd/openssl/dist/apps: ca.c src/crypto/external/bsd/openssl/dist/crypto: armcap.c ppccap.c src/crypto/external/bsd/openssl/dist/crypto/conf: conf_def.c src/crypto/external/bsd/openssl/dist/crypto/evp: evp_enc.c src/crypto/external/bsd/openssl/dist/crypto/x509: x509_vfy.c src/crypto/external/bsd/openssl/dist/ssl: d1_lib.c src/crypto/external/bsd/openssl/dist/test: rsa_test.c Log Message: merge conflicts To generate a diff of this commit: cvs rdiff -u -r1.25 -r1.26 src/crypto/external/bsd/openssl/dist/CHANGES \ src/crypto/external/bsd/openssl/dist/NEWS \ src/crypto/external/bsd/openssl/dist/README cvs rdiff -u -r1.27 -r1.28 src/crypto/external/bsd/openssl/dist/Configure cvs rdiff -u -r1.20 -r1.21 src/crypto/external/bsd/openssl/dist/apps/ca.c cvs rdiff -u -r1.12 -r1.13 \ src/crypto/external/bsd/openssl/dist/crypto/armcap.c cvs rdiff -u -r1.18 -r1.19 \ src/crypto/external/bsd/openssl/dist/crypto/ppccap.c cvs rdiff -u -r1.12 -r1.13 \ src/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c cvs rdiff -u -r1.11 -r1.12 \ src/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c cvs rdiff -u -r1.21 -r1.22 \ src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c cvs rdiff -u -r1.10 -r1.11 src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c cvs rdiff -u -r1.6 -r1.7 src/crypto/external/bsd/openssl/dist/test/rsa_test.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/crypto/external/bsd/openssl/dist/CHANGES diff -u src/crypto/external/bsd/openssl/dist/CHANGES:1.25 src/crypto/external/bsd/openssl/dist/CHANGES:1.26 --- src/crypto/external/bsd/openssl/dist/CHANGES:1.25 Wed Dec 9 19:33:08 2020 +++ src/crypto/external/bsd/openssl/dist/CHANGES Fri Feb 19 22:22:13 2021 
@@ -7,6 +7,43 @@ https://github.com/openssl/openssl/commits/ and pick the appropriate release branch. + Changes between 1.1.1i and 1.1.1j [16 Feb 2021] + + *) Fixed the X509_issuer_and_serial_hash() function. It attempts to + create a unique hash value based on the issuer and serial number data + contained within an X509 certificate. However it was failing to correctly + handle any errors that may occur while parsing the issuer field (which might + occur if the issuer field is maliciously constructed). This may subsequently + result in a NULL pointer deref and a crash leading to a potential denial of + service attack. + (CVE-2021-23841) + [Matt Caswell] + + *) Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING + padding mode to correctly check for rollback attacks. This is considered a + bug in OpenSSL 1.1.1 because it does not support SSLv2. In 1.0.2 this is + CVE-2021-23839. + [Matt Caswell] + + *) Fixed the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate + functions. Previously they could overflow the output length argument in some + cases where the input length is close to the maximum permissable length for + an integer on the platform. In such cases the return value from the function + call would be 1 (indicating success), but the output length value would be + negative. This could cause applications to behave incorrectly or crash. + (CVE-2021-23840) + [Matt Caswell] + + *) Fixed SRP_Calc_client_key so that it runs in constant time. The previous + implementation called BN_mod_exp without setting BN_FLG_CONSTTIME. This + could be exploited in a side channel attack to recover the password. Since + the attack is local host only this is outside of the current OpenSSL + threat model and therefore no CVE is assigned. + + Thanks to Mohammed Sabt and Daniel De Almeida Braga for reporting this + issue. 
+ [Matt Caswell] + Changes between 1.1.1h and 1.1.1i [8 Dec 2020] *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function Index: src/crypto/external/bsd/openssl/dist/NEWS diff -u src/crypto/external/bsd/openssl/dist/NEWS:1.25 src/crypto/external/bsd/openssl/dist/NEWS:1.26 --- src/crypto/external/bsd/openssl/dist/NEWS:1.25 Wed Dec 9 19:33:08 2020 +++ src/crypto/external/bsd/openssl/dist/NEWS Fri Feb 19 22:22:13 2021 @@ -5,6 +5,16 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.1.1i and OpenSSL 1.1.1j [16 Feb 2021] + + o Fixed a NULL pointer deref in the X509_issuer_and_serial_hash() + function (CVE-2021-23841) + o Fixed the RSA_padding_check_SSLv23() function and the RSA_SSLV23_PADDING + padding mode to correctly check for rollback attacks + o Fixed an overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and + EVP_DecryptUpdate functions (CVE-2021-23840) + o Fixed SRP_Calc_client_key so that it runs in constant time + Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020] o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971) Index: src/crypto/external/bsd/openssl/dist/README diff -u src/crypto/external/bsd/openssl/dist/README:1.25 src/crypto/external/bsd/openssl/dist/README:1.26 --- src/crypto/external/bsd/openssl/dist/README:1.25 Wed Dec 9 19:33:08 2020 +++ src/crypto/external/bsd/openssl/dist/README Fri Feb 19 22:22:13 2021 @@ -1,5 +1,5 @@ - OpenSSL 1.1.1i 8 Dec 2020 + OpenSSL 1.1.1j 16 Feb 2021 Copyright (c) 1998-2020 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Index: src/crypto/external/bsd/openssl/dist/Configure diff -u src/crypto/external/bsd/openssl/dist/Configure:1.27 src/crypto/external/bsd/openssl/dist/Configure:1.28 --- src/crypto/external/bsd/openssl/dist/Configure:1.27 Wed Dec 9 19:33:08 2020 +++ src/crypto/external/bsd/openssl/dist/Configure Fri Feb 19 22:22:13 2021 
@@ -1,6 +1,6 @@ #! /usr/bin/env perl # -*- mode: perl; -*- -# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -1201,6 +1201,10 @@ foreach (keys %useradd) { # At this point, we can forget everything about %user and %useradd, # because it's now all been merged into the corresponding $config entry +if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) { + disable('static', 'pic', 'threads'); +} + # Allow overriding the build file name $config{build_file} = env('BUILDFILE') || $target{build_file} || "Makefile"; @@ -1521,10 +1525,6 @@ if ($strict_warnings) } } -if (grep { $_ eq '-static' } @{$config{LDFLAGS}}) { - disable('static', 'pic', 'threads'); -} - $config{CFLAGS} = [ map { $_ eq '--ossl-strict-warnings' ? @strict_warnings_collection : ( $_ ) } 
@@ -2611,19 +2611,22 @@ _____ } print "\nEnabled features:\n\n"; foreach my $what (@disablables) { - print " $what\n" unless $disabled{$what}; + print " $what\n" + unless grep { $_ =~ /^${what}$/ } keys %disabled; } print "\nDisabled features:\n\n"; foreach my $what (@disablables) { - if ($disabled{$what}) { - print " $what", ' ' x ($longest - length($what) + 1), - "[$disabled{$what}]", ' ' x ($longest2 - length($disabled{$what}) + 1); - print $disabled_info{$what}->{macro} - if $disabled_info{$what}->{macro}; + my @what2 = grep { $_ =~ /^${what}$/ } keys %disabled; + my $what3 = $what2[0]; + if ($what3) { + print " $what3", ' ' x ($longest - length($what3) + 1), + "[$disabled{$what3}]", ' ' x ($longest2 - length($disabled{$what3}) + 1); + print $disabled_info{$what3}->{macro} + if $disabled_info{$what3}->{macro}; print ' (skip ', - join(', ', @{$disabled_info{$what}->{skipped}}), + join(', ', @{$disabled_info{$what3}->{skipped}}), ')' - if $disabled_info{$what}->{skipped}; + if $disabled_info{$what3}->{skipped}; print "\n"; } } Index: src/crypto/external/bsd/openssl/dist/apps/ca.c diff -u src/crypto/external/bsd/openssl/dist/apps/ca.c:1.20 src/crypto/external/bsd/openssl/dist/apps/ca.c:1.21 --- src/crypto/external/bsd/openssl/dist/apps/ca.c:1.20 Wed Dec 9 19:33:08 2020 +++ src/crypto/external/bsd/openssl/dist/apps/ca.c Fri Feb 19 22:22:13 2021 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
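Review bot: `$what` is interpolated unescaped into the pattern `/^${what}$/` in both of the rewritten loops, so any entry of `@disablables` that happens to contain a regex metacharacter would match unintended keys of `%disabled`. If the entries are meant as literal feature names, `exists $disabled{$what}` or `/^\Q$what\E$/` is both safer and clearer; if some entries are deliberately patterns, a one-line comment saying so would help, because the second loop also keeps only `$what2[0]` and silently drops any further matches. Either way the reason for replacing the direct hash lookup is not stated anywhere in the hunk or in the commit log.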
@@ -2223,62 +2223,51 @@ static int get_certificate_status(const static int do_updatedb(CA_DB *db) { - ASN1_UTCTIME *a_tm = NULL; + ASN1_TIME *a_tm = NULL; int i, cnt = 0; - int db_y2k, a_y2k; /* flags = 1 if y >= 2000 */ - char **rrow, *a_tm_s; + char **rrow; - a_tm = ASN1_UTCTIME_new(); + a_tm = ASN1_TIME_new(); if (a_tm == NULL) return -1; - /* get actual time and make a string */ + /* get actual time */ if (X509_gmtime_adj(a_tm, 0) == NULL) { - ASN1_UTCTIME_free(a_tm); + ASN1_TIME_free(a_tm); return -1; } - a_tm_s = app_malloc(a_tm->length + 1, "time string"); - - memcpy(a_tm_s, a_tm->data, a_tm->length); - a_tm_s[a_tm->length] = '\0'; - - if (strncmp(a_tm_s, "49", 2) <= 0) - a_y2k = 1; - else - a_y2k = 0; for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++) { rrow = sk_OPENSSL_PSTRING_value(db->db->data, i); if (rrow[DB_type][0] == DB_TYPE_VAL) { /* ignore entries that are not valid */ - if (strncmp(rrow[DB_exp_date], "49", 2) <= 0) - db_y2k = 1; - else - db_y2k = 0; + ASN1_TIME *exp_date = NULL; - if (db_y2k == a_y2k) { - /* all on the same y2k side */ - if (strcmp(rrow[DB_exp_date], a_tm_s) <= 0) { - rrow[DB_type][0] = DB_TYPE_EXP; - rrow[DB_type][1] = '\0'; - cnt++; + exp_date = ASN1_TIME_new(); + if (exp_date == NULL) { + ASN1_TIME_free(a_tm); + return -1; + } - BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); - } - } else if (db_y2k < a_y2k) { + if (!ASN1_TIME_set_string(exp_date, rrow[DB_exp_date])) { + ASN1_TIME_free(a_tm); + ASN1_TIME_free(exp_date); + return -1; + } + + if (ASN1_TIME_compare(exp_date, a_tm) <= 0) { rrow[DB_type][0] = DB_TYPE_EXP; rrow[DB_type][1] = '\0'; cnt++; BIO_printf(bio_err, "%s=Expired\n", rrow[DB_serial]); } - + ASN1_TIME_free(exp_date); } } - ASN1_UTCTIME_free(a_tm); - OPENSSL_free(a_tm_s); + ASN1_TIME_free(a_tm); return cnt; } Index: src/crypto/external/bsd/openssl/dist/crypto/armcap.c diff -u src/crypto/external/bsd/openssl/dist/crypto/armcap.c:1.12 src/crypto/external/bsd/openssl/dist/crypto/armcap.c:1.13 --- 
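Review bot: `ASN1_TIME_compare()` returns -2 when either time cannot be converted, and the new `if (ASN1_TIME_compare(exp_date, a_tm) <= 0)` treats that error as "expired", so a row whose date string parsed but cannot be compared is silently rewritten to DB_TYPE_EXP. Capture the result and fail the way the surrounding code already fails on `ASN1_TIME_set_string()`: `int cmp = ASN1_TIME_compare(exp_date, a_tm);` then `if (cmp == -2) { ASN1_TIME_free(exp_date); ASN1_TIME_free(a_tm); return -1; }` followed by `if (cmp <= 0) { ... }`. Note also that a row with an unparseable expiry now aborts the whole update with -1 where the old string comparison just processed it, which may be intended but deserves a comment. The per-row `ASN1_TIME_new()`/`ASN1_TIME_free()` pair could presumably be hoisted out of the loop, since `ASN1_TIME_set_string()` overwrites the object each time, though that is a matter of style.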
src/crypto/external/bsd/openssl/dist/crypto/armcap.c:1.12 Mon Jun 22 18:43:56 2020 +++ src/crypto/external/bsd/openssl/dist/crypto/armcap.c Fri Feb 19 22:22:13 2021 @@ -1,5 +1,5 @@ /* - * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2011-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -69,6 +69,23 @@ void OPENSSL_cpuid_setup(void) __attribu # define OSSL_IMPLEMENT_GETAUXVAL # endif # endif +# if defined(__FreeBSD__) +# include <sys/param.h> +# if __FreeBSD_version >= 1200000 +# include <sys/auxv.h> +# define OSSL_IMPLEMENT_GETAUXVAL + +static unsigned long getauxval(unsigned long key) +{ + unsigned long val = 0ul; + + if (elf_aux_info((int)key, &val, sizeof(val)) != 0) + return 0ul; + + return val; +} +# endif +# endif /* * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas Index: src/crypto/external/bsd/openssl/dist/crypto/ppccap.c diff -u src/crypto/external/bsd/openssl/dist/crypto/ppccap.c:1.18 src/crypto/external/bsd/openssl/dist/crypto/ppccap.c:1.19 --- src/crypto/external/bsd/openssl/dist/crypto/ppccap.c:1.18 Sun Jul 19 11:33:08 2020 +++ src/crypto/external/bsd/openssl/dist/crypto/ppccap.c Fri Feb 19 22:22:13 2021 @@ -1,5 +1,5 @@ /* - * Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2009-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
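Review bot: The FreeBSD `getauxval()` shim added here is duplicated verbatim in the ppccap.c hunk that follows; two copies will drift, so a single definition in a shared internal header guarded by the same `__FreeBSD_version >= 1200000` test would be preferable. The shim also maps an `elf_aux_info()` failure to 0, which callers cannot distinguish from a genuine all-zero HWCAP; that mirrors the usual getauxval() contract, so a comment such as `/* like glibc getauxval(): 0 when the key is absent or the lookup fails */` would make the choice explicit. The `(int)key` cast narrows the key, which is harmless for the small AT_* constants used here but worth a word in the same comment.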
@@ -222,6 +222,24 @@ size_t OPENSSL_instrument_bus2(unsigned # endif #endif +#if defined(__FreeBSD__) +# include <sys/param.h> +# if __FreeBSD_version >= 1200000 +# include <sys/auxv.h> +# define OSSL_IMPLEMENT_GETAUXVAL + +static unsigned long getauxval(unsigned long key) +{ + unsigned long val = 0ul; + + if (elf_aux_info((int)key, &val, sizeof(val)) != 0) + return 0ul; + + return val; +} +# endif +#endif + /* I wish <sys/auxv.h> was universally available */ #define HWCAP 16 /* AT_HWCAP */ #define HWCAP_PPC64 (1U << 30) Index: src/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c diff -u src/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c:1.12 src/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c:1.13 --- src/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c:1.12 Wed Dec 9 19:33:09 2020 +++ src/crypto/external/bsd/openssl/dist/crypto/conf/conf_def.c Fri Feb 19 22:22:13 2021 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -185,6 +185,7 @@ static int def_load_bio(CONF *conf, BIO BUF_MEM *buff = NULL; char *s, *p, *end; int again; + int first_call = 1; long eline = 0; char btmp[DECIMAL_SIZE(eline) + 1]; CONF_VALUE *v = NULL, *tv; 
@@ -233,6 +234,19 @@ static int def_load_bio(CONF *conf, BIO BIO_gets(in, p, CONFBUFSIZE - 1); p[CONFBUFSIZE - 1] = '\0'; ii = i = strlen(p); + if (first_call) { + /* Other BOMs imply unsupported multibyte encoding, + * so don't strip them and let the error raise */ + const unsigned char utf8_bom[3] = {0xEF, 0xBB, 0xBF}; + + if (i >= 3 && memcmp(p, utf8_bom, 3) == 0) { + memmove(p, p + 3, i - 3); + p[i - 3] = 0; + i -= 3; + ii -= 3; + } + first_call = 0; + } if (i == 0 && !again) { /* the currently processed BIO is at EOF */ BIO *parent; Index: src/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c diff -u src/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c:1.11 src/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c:1.12 --- src/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c:1.11 Sat Mar 21 20:53:05 2020 +++ src/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c Fri Feb 19 22:22:13 2021 @@ -8,6 +8,7 @@ */ #include <stdio.h> +#include <limits.h> #include <assert.h> #include "internal/cryptlib.h" #include <openssl/evp.h> @@ -355,6 +356,19 @@ static int evp_EncryptDecryptUpdate(EVP_ return 1; } else { j = bl - i; + + /* + * Once we've processed the first j bytes from in, the amount of + * data left that is a multiple of the block length is: + * (inl - j) & ~(bl - 1) + * We must ensure that this amount of data, plus the one block that + * we process from ctx->buf does not exceed INT_MAX + */ + if (((inl - j) & ~(bl - 1)) > INT_MAX - bl) { + EVPerr(EVP_F_EVP_ENCRYPTDECRYPTUPDATE, + EVP_R_OUTPUT_WOULD_OVERFLOW); + return 0; + } memcpy(&(ctx->buf[i]), in, j); inl -= j; in += j; 
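Review bot: The UTF-8 BOM is stripped only on the first `BIO_gets()` of this def_load_bio() invocation, so if `.include`d files are read through the same loop (the `parent` BIO handling visible just below the hunk suggests they are), a BOM at the start of an included file is left in place and becomes part of its first key name. If that is intentional the comment should say so; otherwise resetting `first_call = 1` whenever the input BIO is switched would extend the fix. As a style point, the new `/* Other BOMs ... */` comment opens and closes on text lines, unlike the block comments elsewhere in this diff. def_load_bio() begins and ends outside the hunk.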
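Review bot: The new overflow guard, and the matching one in the EVP_DecryptUpdate hunk below, compute the whole-block remainder as `(inl - j) & ~(bl - 1)`, which equals "the largest multiple of bl" only when bl is a power of two; the new comment states it as a general identity. The existing code presumably already depends on that property, so either extend the comment with `(bl is always a power of two here)` or, if block sizes are not guaranteed elsewhere, add an `OPENSSL_assert((bl & (bl - 1)) == 0)` next to the check. evp_EncryptDecryptUpdate() begins and ends outside the hunk.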
@@ -502,6 +516,19 @@ int EVP_DecryptUpdate(EVP_CIPHER_CTX *ct EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_PARTIALLY_OVERLAPPING); return 0; } + /* + * final_used is only ever set if buf_len is 0. Therefore the maximum + * length output we will ever see from evp_EncryptDecryptUpdate is + * the maximum multiple of the block length that is <= inl, or just: + * inl & ~(b - 1) + * Since final_used has been set then the final output length is: + * (inl & ~(b - 1)) + b + * This must never exceed INT_MAX + */ + if ((inl & ~(b - 1)) > INT_MAX - b) { + EVPerr(EVP_F_EVP_DECRYPTUPDATE, EVP_R_OUTPUT_WOULD_OVERFLOW); + return 0; + } memcpy(out, ctx->final, b); out += b; fix_len = 1; Index: src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c diff -u src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.21 src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.22 --- src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.21 Wed Dec 9 19:33:10 2020 +++ src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c Fri Feb 19 22:22:13 2021 @@ -1,5 +1,5 @@ /* - * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
@@ -323,9 +323,10 @@ static int sk_X509_contains(STACK_OF(X50 } /* - * Find in given STACK_OF(X509) sk a non-expired issuer cert (if any) of given cert x. - * The issuer must not be the same as x and must not yet be in ctx->chain, where the - * exceptional case x is self-issued and ctx->chain has just one element is allowed. + * Find in given STACK_OF(X509) sk an issuer cert of given cert x. + * The issuer must not yet be in ctx->chain, where the exceptional case + * that x is self-issued and ctx->chain has just one element is allowed. + * Prefer the first one that is not expired, else take the last expired one. */ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) { @@ -334,11 +335,7 @@ static X509 *find_issuer(X509_STORE_CTX for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); - /* - * Below check 'issuer != x' is an optimization and safety precaution: - * Candidate issuer cert cannot be the same as the subject cert 'x'. - */ - if (issuer != x && ctx->check_issued(ctx, x, issuer) + if (ctx->check_issued(ctx, x, issuer) && (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1) || !sk_X509_contains(ctx->chain, issuer))) { rv = issuer; Index: src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c diff -u src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c:1.10 src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c:1.11 --- src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c:1.10 Sat Mar 21 20:53:10 2020 +++ src/crypto/external/bsd/openssl/dist/ssl/d1_lib.c Fri Feb 19 22:22:13 2021 @@ -1,5 +1,5 @@ /* - * Copyright 2005-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2005-2021 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy 
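Review bot: Dropping `issuer != x` means a self-signed `x` can now be returned as its own issuer whenever `EXFLAG_SI` is set and `ctx->chain` holds only `x`; the rewritten comment presents that as the intended exceptional case, but the commit log ("merge conflicts") does not say why the earlier "optimization and safety precaution" was reverted, so a pointer to the upstream change in the log or the comment would help the next reader. The comment also now promises "prefer the first one that is not expired, else take the last expired one", yet the visible loop body only assigns `rv = issuer;` — that preference must live in the part of find_issuer() below the hunk, so confirm the comment matches that code. find_issuer() ends outside the hunk.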
@@ -142,10 +142,11 @@ void dtls1_free(SSL *s) ssl3_free(s); - dtls1_clear_queues(s); - - pqueue_free(s->d1->buffered_messages); - pqueue_free(s->d1->sent_messages); + if (s->d1 != NULL) { + dtls1_clear_queues(s); + pqueue_free(s->d1->buffered_messages); + pqueue_free(s->d1->sent_messages); + } OPENSSL_free(s->d1); s->d1 = NULL; Index: src/crypto/external/bsd/openssl/dist/test/rsa_test.c diff -u src/crypto/external/bsd/openssl/dist/test/rsa_test.c:1.6 src/crypto/external/bsd/openssl/dist/test/rsa_test.c:1.7 --- src/crypto/external/bsd/openssl/dist/test/rsa_test.c:1.6 Wed Dec 9 19:33:10 2020 +++ src/crypto/external/bsd/openssl/dist/test/rsa_test.c Fri Feb 19 22:22:14 2021 @@ -42,7 +42,8 @@ int setup_tests(void) BN_bin2bn(dmp1, sizeof(dmp1)-1, NULL), \ BN_bin2bn(dmq1, sizeof(dmq1)-1, NULL), \ BN_bin2bn(iqmp, sizeof(iqmp)-1, NULL)); \ - memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \ + if (c != NULL) \ + memcpy(c, ctext_ex, sizeof(ctext_ex) - 1); \ return sizeof(ctext_ex) - 1; static int key1(RSA *key, unsigned char *c) @@ -211,16 +212,7 @@ static int key3(RSA *key, unsigned char SetKey; } -static int pad_unknown(void) -{ - unsigned long l; - while ((l = ERR_get_error()) != 0) - if (ERR_GET_REASON(l) == RSA_R_UNKNOWN_PADDING_TYPE) - return 1; - return 0; -} - -static int rsa_setkey(RSA** key, unsigned char* ctext, int idx) +static int rsa_setkey(RSA** key, unsigned char *ctext, int idx) { int clen = 0; 
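Review bot: The new `if (s->d1 != NULL)` guard is not explained; presumably it makes dtls1_free() safe when the DTLS state was never allocated (for example after a failed dtls1_new()), and a one-line comment such as `/* s->d1 is NULL if dtls1_new() failed or was never called */` would record that. `ssl3_free(s)` above the guard still runs unconditionally, which looks deliberate since the ssl3 state is separate from `s->d1`. dtls1_free() begins outside the hunk.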
@@ -240,63 +232,72 @@ static int rsa_setkey(RSA** key, unsigne return clen; } -static int test_rsa_pkcs1(int idx) +static int test_rsa_simple(int idx, int en_pad_type, int de_pad_type, + int success, unsigned char *ctext_ex, int *clen, + RSA **retkey) { int ret = 0; RSA *key; unsigned char ptext[256]; unsigned char ctext[256]; static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; - unsigned char ctext_ex[256]; int plen; - int clen = 0; + int clentmp = 0; int num; plen = sizeof(ptext_ex) - 1; - clen = rsa_setkey(&key, ctext_ex, idx); + clentmp = rsa_setkey(&key, ctext_ex, idx); + if (clen != NULL) + *clen = clentmp; - num = RSA_public_encrypt(plen, ptext_ex, ctext, key, - RSA_PKCS1_PADDING); - if (!TEST_int_eq(num, clen)) + num = RSA_public_encrypt(plen, ptext_ex, ctext, key, en_pad_type); + if (!TEST_int_eq(num, clentmp)) goto err; - num = RSA_private_decrypt(num, ctext, ptext, key, RSA_PKCS1_PADDING); - if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) - goto err; + num = RSA_private_decrypt(num, ctext, ptext, key, de_pad_type); + if (success) { + if (!TEST_int_gt(num, 0) || !TEST_mem_eq(ptext, num, ptext_ex, plen)) + goto err; + } else { + if (!TEST_int_lt(num, 0)) + goto err; + } ret = 1; + if (retkey != NULL) { + *retkey = key; + key = NULL; + } err: RSA_free(key); return ret; } -static int test_rsa_sslv23(int idx) +static int test_rsa_pkcs1(int idx) { - int ret = 0; - RSA *key; - unsigned char ptext[256]; - unsigned char ctext[256]; - static unsigned char ptext_ex[] = "\x54\x85\x9b\x34\x2c\x49\xea\x2a"; - unsigned char ctext_ex[256]; - int plen; - int clen = 0; - int num; - - plen = sizeof(ptext_ex) - 1; - clen = rsa_setkey(&key, ctext_ex, idx); + return test_rsa_simple(idx, RSA_PKCS1_PADDING, RSA_PKCS1_PADDING, 1, NULL, + NULL, NULL); +} - num = RSA_public_encrypt(plen, ptext_ex, ctext, key, - RSA_SSLV23_PADDING); - if (!TEST_int_eq(num, clen)) - goto err; +static int test_rsa_sslv23(int idx) +{ + int ret; - num = RSA_private_decrypt(num, ctext, 
ptext, key, RSA_SSLV23_PADDING); - if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) - goto err; + /* Simulate an SSLv2 only client talking to a TLS capable server */ + ret = test_rsa_simple(idx, RSA_PKCS1_PADDING, RSA_SSLV23_PADDING, 1, NULL, + NULL, NULL); + + /* Simulate a TLS capable client talking to an SSLv2 only server */ + ret &= test_rsa_simple(idx, RSA_SSLV23_PADDING, RSA_PKCS1_PADDING, 1, NULL, + NULL, NULL); + + /* + * Simulate a TLS capable client talking to a TLS capable server. Should + * fail due to detecting a rollback attack. + */ + ret &= test_rsa_simple(idx, RSA_SSLV23_PADDING, RSA_SSLV23_PADDING, 0, NULL, + NULL, NULL); - ret = 1; -err: - RSA_free(key); return ret; } @@ -313,28 +314,16 @@ static int test_rsa_oaep(int idx) int num; int n; - plen = sizeof(ptext_ex) - 1; - clen = rsa_setkey(&key, ctext_ex, idx); - - num = RSA_public_encrypt(plen, ptext_ex, ctext, key, - RSA_PKCS1_OAEP_PADDING); - if (num == -1 && pad_unknown()) { - TEST_info("Skipping: No OAEP support"); - ret = 1; - goto err; - } - if (!TEST_int_eq(num, clen)) + if (!test_rsa_simple(idx, RSA_PKCS1_OAEP_PADDING, RSA_PKCS1_OAEP_PADDING, 1, + ctext_ex, &clen, &key)) goto err; - num = RSA_private_decrypt(num, ctext, ptext, key, - RSA_PKCS1_OAEP_PADDING); - if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) - goto err; + plen = sizeof(ptext_ex) - 1; /* Different ciphertexts. Try decrypting ctext_ex */ num = RSA_private_decrypt(clen, ctext_ex, ptext, key, RSA_PKCS1_OAEP_PADDING); - if (!TEST_mem_eq(ptext, num, ptext_ex, plen)) + if (num <= 0 || !TEST_mem_eq(ptext, num, ptext_ex, plen)) goto err; /* Try decrypting corrupted ciphertexts. */
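Review bot: test_rsa_simple() takes seven parameters, three of them optional out-parameters, and nothing states the contract: `ctext_ex` and `clen` may be NULL, and `*retkey` receives the key (ownership moving to the caller) only when the function returns 1, while on failure the key is freed at `err:` and `*retkey` is left untouched. A header comment spelling that out would prevent misuse; the essential sentence is "ownership of *retkey passes to the caller only on success; on failure *retkey is not written". Setting `*retkey = NULL` at entry would also give callers a defined value on every path.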
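Review bot: In test_rsa_oaep(), `key` is now assigned only by a successful test_rsa_simple() call; when that call fails, control jumps to `err:` with `key` holding whatever value it had at its declaration, which is outside the hunk. If that declaration is not `RSA *key = NULL;`, the `RSA_free(key)` at `err:` frees an indeterminate pointer, so it is worth checking and initialising it is cheap insurance. The old skip-on-`pad_unknown()` path is also gone, meaning a build without OAEP support, if any such build exists, would now fail this test instead of skipping it. test_rsa_oaep() begins and ends outside the hunk.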