diff options
Diffstat (limited to 'main/openssl/0100-fix-hmac-abi.patch')
-rw-r--r-- | main/openssl/0100-fix-hmac-abi.patch | 122 |
1 files changed, 122 insertions, 0 deletions
diff --git a/main/openssl/0100-fix-hmac-abi.patch b/main/openssl/0100-fix-hmac-abi.patch new file mode 100644 index 0000000000..6f3d187d3a --- /dev/null +++ b/main/openssl/0100-fix-hmac-abi.patch @@ -0,0 +1,122 @@ +From 1030f89f5ea238820645e3d34049eb1bd30e81c4 Mon Sep 17 00:00:00 2001 +From: Matt Caswell <matt@openssl.org> +Date: Fri, 12 Jun 2015 13:08:04 +0100 +Subject: [PATCH] Fix ABI break with HMAC + +Recent HMAC changes broke ABI compatibility due to a new field in HMAC_CTX. +This backs that change out, and does it a different way. + +Thanks to Timo Teras for the concept. + +Conflicts: + crypto/hmac/hmac.c + +Reviewed-by: Richard Levitte <levitte@openssl.org> +--- + crypto/hmac/hmac.c | 19 +++++++------------ + crypto/hmac/hmac.h | 1 - + crypto/hmac/hmactest.c | 7 ++++++- + 3 files changed, 13 insertions(+), 14 deletions(-) + +diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c +index 15a9a21..51a0a3e 100644 +--- a/crypto/hmac/hmac.c ++++ b/crypto/hmac/hmac.c +@@ -97,6 +97,9 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, + return FIPS_hmac_init_ex(ctx, key, len, md, NULL); + } + #endif ++ /* If we are changing MD then we must have a key */ ++ if (md != NULL && md != ctx->md && (key == NULL || len < 0)) ++ return 0; + + if (md != NULL) { + reset = 1; +@@ -107,9 +110,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, + return 0; + } + +- if (!ctx->key_init && key == NULL) +- return 0; +- + if (key != NULL) { + reset = 1; + j = EVP_MD_block_size(md); +@@ -131,7 +131,6 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, + if (ctx->key_length != HMAC_MAX_MD_CBLOCK) + memset(&ctx->key[ctx->key_length], 0, + HMAC_MAX_MD_CBLOCK - ctx->key_length); +- ctx->key_init = 1; + } + + if (reset) { +@@ -169,7 +168,7 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) + if (FIPS_mode() && !ctx->i_ctx.engine) + return FIPS_hmac_update(ctx, data, len); + #endif +- if (!ctx->key_init) ++ if (!ctx->md) + return 0; + + return EVP_DigestUpdate(&ctx->md_ctx, data, len); +@@ -184,7 +183,7 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) + return FIPS_hmac_final(ctx, md, len); + #endif + +- if (!ctx->key_init) ++ if (!ctx->md) + goto err; + + if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i)) +@@ -205,7 +204,6 @@ void HMAC_CTX_init(HMAC_CTX *ctx) + EVP_MD_CTX_init(&ctx->i_ctx); + EVP_MD_CTX_init(&ctx->o_ctx); + EVP_MD_CTX_init(&ctx->md_ctx); +- ctx->key_init = 0; + ctx->md = NULL; + } + +@@ -217,11 +215,8 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) + goto err; + if (!EVP_MD_CTX_copy(&dctx->md_ctx, &sctx->md_ctx)) + goto err; +- dctx->key_init = sctx->key_init; +- if (sctx->key_init) { +- memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK); +- dctx->key_length = sctx->key_length; +- } ++ memcpy(dctx->key, sctx->key, HMAC_MAX_MD_CBLOCK); ++ dctx->key_length = sctx->key_length; + dctx->md = sctx->md; + return 1; + err: +diff --git a/crypto/hmac/hmac.h b/crypto/hmac/hmac.h +index f8e9f5e..b8b55cd 100644 +--- a/crypto/hmac/hmac.h ++++ b/crypto/hmac/hmac.h +@@ -79,7 +79,6 @@ typedef struct hmac_ctx_st { + EVP_MD_CTX o_ctx; + unsigned int key_length; + unsigned char key[HMAC_MAX_MD_CBLOCK]; +- int key_init; + } HMAC_CTX; + + # define HMAC_size(e) (EVP_MD_size((e)->md)) +diff --git a/crypto/hmac/hmactest.c b/crypto/hmac/hmactest.c +index 86b6c25..271d0eb 100644 +--- a/crypto/hmac/hmactest.c ++++ b/crypto/hmac/hmactest.c +@@ -233,7 +233,12 @@ int main(int argc, char *argv[]) + err++; + goto test6; + } +- if (!HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { ++ if (HMAC_Init_ex(&ctx, NULL, 0, EVP_sha256(), NULL)) { ++ printf("Should disallow changing MD without a new key (test 5)\n"); ++ err++; ++ goto test6; ++ } ++ if (!HMAC_Init_ex(&ctx, test[4].key, test[4].key_len, EVP_sha256(), NULL)) { + printf("Failed to reinitialise HMAC (test 5)\n"); + err++; + goto test6; |