aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--CHANGES6
-rw-r--r--FREEBSD-upgrade4
-rw-r--r--Makefile2
-rw-r--r--NEWS4
-rw-r--r--README2
-rw-r--r--crypto/hmac/hmac.c19
-rw-r--r--crypto/hmac/hmac.h1
-rw-r--r--crypto/hmac/hmactest.c7
-rw-r--r--crypto/opensslv.h6
-rw-r--r--ssl/t1_lib.c12
10 files changed, 36 insertions, 27 deletions
diff --git a/CHANGES b/CHANGES
index 256518720428..759b2a7bbaff 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,12 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
+
+ *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
+ incompatibility in the handling of HMAC. The previous ABI has now been
+ restored.
+
Changes between 1.0.1m and 1.0.1n [11 Jun 2015]
*) Malformed ECParameters causes infinite loop
diff --git a/FREEBSD-upgrade b/FREEBSD-upgrade
index 8fc95f91a067..125d79716b4d 100644
--- a/FREEBSD-upgrade
+++ b/FREEBSD-upgrade
@@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/VendorImports
# Xlist
setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
setenv FSVN "svn+ssh://svn.freebsd.org/base"
-setenv OSSLVER 1.0.1n
-# OSSLTAG format: v1_0_1n
+setenv OSSLVER 1.0.1o
+# OSSLTAG format: v1_0_1o
###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
diff --git a/Makefile b/Makefile
index c01d470daa88..0b3badbd99f8 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.1n
+VERSION=1.0.1o
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
diff --git a/NEWS b/NEWS
index e866e94fa676..fb69ad3e5daa 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015]
+
+ o Fix HMAC ABI incompatibility
+
Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015]
o Malformed ECParameters causes infinite loop (CVE-2015-1788)
diff --git a/README b/README
index 8718a24346ed..bf3b71540d5c 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 1.0.1n 11 Jun 2015
+ OpenSSL 1.0.1o 12 Jun 2015
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
index 5925467818cb..33d88be1179b 100644
--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@@ -87,6 +87,9 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
return FIPS_hmac_init_ex(ctx, key, len, md, NULL);
}
#endif
+ /* If we are changing MD then we must have a key */
+ if (md != NULL && md != ctx->md && (key == NULL || len < 0))
+ return 0;
if (md != NULL) {
reset = 1;
@@ -97,9 +100,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
return 0;
}
- if (!ctx->key_init && key == NULL)
- return 0;
-
if (key != NULL) {
reset = 1;
j = EVP_MD_block_size(md);
@@ -121,7 +121,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
if (ctx->key_length != HMAC_MAX_MD_CBLOCK)
memset(&ctx->key[ctx->key_length], 0,
HMAC_MAX_MD_CBLOCK - ctx->key_length);
- ctx->key_init = 1;
}
if (reset) {
@@ -159,7 +158,7 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
if (FIPS_mode() && !ctx->i_ctx.engine)
return FIPS_hmac_update(ctx, data, len);
#endif
- if (!ctx->key_init)
+ if (!ctx->md)
return 0;
return EVP_DigestUpdate(&ctx->md_ctx, data, len);
@@ -174,7 +173,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
return FIPS_hmac_final(ctx, md, len);
#endif
- if (!ctx->key_init)
+ if (!ctx->md)
goto err;
if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i))
@@ -195,7 +194,6 @@ void HMAC_CTX_init(HMAC_CTX *ctx)
EVP_MD_CTX_init(&ctx->i_ctx);
EVP_MD_CTX_init(&ctx->o_ctx);
EVP_MD_CTX_init(&ctx->md_ctx);
- ctx->key_init = 0;
ctx->md = NULL;
}
@@ -207,11 +205,8 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx)
goto err;
if (!EVP_MD_CTX_copy(&dctx->md_ctx, &sctx->md_ctx))
goto err;
- dctx->key_init = sctx->key_init;
- if (sctx->key_init) {
- memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK);
- dctx->key_length = sctx->key_length;
- }
+ memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK);
+ dctx->key_length = sctx->key_length;
dctx->md = sctx->md;
return 1;
err:
diff --git a/crypto/hmac/hmac.h b/crypto/hmac/hmac.h
index f8e9f5e4f3c2..b8b55cda7d73 100644
--- a/crypto/hmac/hmac.h
+++ b/crypto/hmac/hmac.h
@@ -79,7 +79,6 @@ typedef struct hmac_ctx_st {
EVP_MD_CTX o_ctx;
unsigned int key_length;
unsigned char key[HMAC_MAX_MD_CBLOCK];
- int key_init;
} HMAC_CTX;
# define HMAC_size(e) (EVP_MD_size((e)->md))
diff --git a/crypto/hmac/hmactest.c b/crypto/hmac/hmactest.c
index 86b6c2529fe2..271d0ebf264c 100644
--- a/crypto/hmac/hmactest.c
+++ b/crypto/hmac/hmactest.c
@@ -233,7 +233,12 @@ test5:
err++;
goto test6;
}
- if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) {
+ if (HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) {
+ printf("Should disallow changing MD without a new key (test 5)\n");
+ err++;
+ goto test6;
+ }
+ if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha256(), NULL)) {
printf("Failed to reinitialise HMAC (test 5)\n");
err++;
goto test6;
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 94a95f348237..84d0bf9d1f43 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x100010efL
+# define OPENSSL_VERSION_NUMBER 0x100010ffL
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1n-fips 11 Jun 2015"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1o-fips 12 Jun 2015"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1n 11 Jun 2015"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1o 12 Jun 2015"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index c2d7d720712a..d70b93feadf0 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1016,12 +1016,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d,
s->srtp_profile = NULL;
- if (data >= (d + n - 2)) {
- if (data != d + n)
- goto err;
- else
- goto ri_check;
- }
+ if (data == d + n)
+ goto ri_check;
+
+ if (data > (d + n - 2))
+ goto err;
+
n2s(data, len);
if (data > (d + n - len))