-AM_CXXFLAGS=-DSYSCONFDIR=\"@sysconfdir@\" -DLIBDIR=\"@libdir@\" -DLOCALSTATEDIR=\"@socketdir@\" -Ibackends/bind @THREADFLAGS@ $(LUA_CFLAGS) $(SQLITE3_CFLAGS) -Iext/polarssl-1.1.1/include
+AM_CXXFLAGS=-DSYSCONFDIR=\"@sysconfdir@\" -DLIBDIR=\"@libdir@\" -DLOCALSTATEDIR=\"@socketdir@\" -Ibackends/bind @THREADFLAGS@ $(LUA_CFLAGS) $(SQLITE3_CFLAGS) -Iext/polarssl-1.1.2/include
AM_CPPFLAGS=-Ibackends/bind $(BOOST_CPPFLAGS) @THREADFLAGS@
EXTRA_DIST = dnslabeltext.rl dnslabeltext.cc mtasker.cc inflighter.cc docs/pdns_control.8 \
no-dnssec.schema.mysql.sql no-dnssec.schema.pgsql.sql no-dnssec.schema.sqlite3.sql \
bind-dnssec.schema.sqlite3.sql
-SUBDIRS= ext/polarssl-1.1.1 backends
+SUBDIRS= ext/polarssl-1.1.2 backends
BUILT_SOURCES=bind-dnssec.schema.sqlite3.sql.h
#
pdns_server_LDFLAGS=@moduleobjects@ @modulelibs@ @DYNLINKFLAGS@ @LIBDL@ @THREADFLAGS@ $(BOOST_SERIALIZATION_LDFLAGS) -rdynamic
-pdns_server_LDADD= ext/polarssl-1.1.1/library/libpolarssl.a $(BOOST_SERIALIZATION_LIBS) $(LUA_LIBS) $(SQLITE3_LIBS)
+pdns_server_LDADD= ext/polarssl-1.1.2/library/libpolarssl.a $(BOOST_SERIALIZATION_LIBS) $(LUA_LIBS) $(SQLITE3_LIBS)
if BOTAN110
pdnssec_LDFLAGS=@moduleobjects@ @modulelibs@ @DYNLINKFLAGS@ @LIBDL@ @THREADFLAGS@ $(BOOST_PROGRAM_OPTIONS_LDFLAGS) $(BOOST_SERIALIZATION_LDFLAGS)
-pdnssec_LDADD= ext/polarssl-1.1.1/library/libpolarssl.a $(BOOST_PROGRAM_OPTIONS_LIBS) $(BOOST_SERIALIZATION_LIBS) $(SQLITE3_LIBS)
+pdnssec_LDADD= ext/polarssl-1.1.2/library/libpolarssl.a $(BOOST_PROGRAM_OPTIONS_LIBS) $(BOOST_SERIALIZATION_LIBS) $(SQLITE3_LIBS)
if BOTAN110
pdnssec_SOURCES += botan110signers.cc botansigners.cc
aes/aescrypt.c aes/aes.h aes/aeskey.c aes/aes_modes.c aes/aesopt.h \
aes/aestab.c aes/aestab.h aes/brg_endian.h aes/brg_types.h aes/dns_random.cc \
randomhelper.cc dns.cc
-tsig_tests_LDFLAGS= -Lext/polarssl-1.1.1/library
+tsig_tests_LDFLAGS= -Lext/polarssl-1.1.2/library
tsig_tests_LDADD= -lpolarssl
../../nsecrecords.cc ../../dnssecinfra.cc ../../base32.cc ../../md5.cc # ../../dbdnsseckeeper.cc
zone2ldap_LDFLAGS=@THREADFLAGS@
-zone2ldap_LDADD= ../../ext/polarssl-1.1.1/library/libpolarssl.a
+zone2ldap_LDADD= ../../ext/polarssl-1.1.2/library/libpolarssl.a
zone2sql_LDFLAGS=@THREADFLAGS@
-zone2sql_LDADD= ../../ext/polarssl-1.1.1/library/libpolarssl.a
+zone2sql_LDADD= ../../ext/polarssl-1.1.2/library/libpolarssl.a
AM_LFLAGS = -s -i
AM_YFLAGS = -d --verbose --debug
#include <boost/algorithm/string.hpp>
#include "dnssecinfra.hh"
#include "dnsseckeeper.hh"
-#include "ext/polarssl-1.1.1/include/polarssl/sha1.h"
+#include "ext/polarssl-1.1.2/include/polarssl/sha1.h"
#include <boost/assign/std/vector.hpp> // for 'operator+=()'
#include <boost/assign/list_inserter.hpp>
#include "base64.hh"
PolarSSL ChangeLog
+= Version 1.1.2 released on 2012-04-26
+Bugfix
+ * Fixed handling error in mpi_cmp_mpi() on longer B values (found by
+ Hui Dong)
+
+Security
+ * Fixed potential memory corruption on miscrafted client messages (found by
+ Frama-C team at CEA LIST)
+ * Fixed generation of DHM parameters to correct length (found by Ruslan
+ Yushchenko)
+
= Version 1.1.1 released on 2012-01-23
Bugfix
* Check for failed malloc() in ssl_set_hostname() and x509_get_entries()
#define POLARSSL_ERR_DHM_READ_PARAMS_FAILED -0x3100 /**< Reading of the DHM parameters failed. */
#define POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED -0x3180 /**< Making of the DHM parameters failed. */
#define POLARSSL_ERR_DHM_READ_PUBLIC_FAILED -0x3200 /**< Reading of the public values failed. */
-#define POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED -0x3280 /**< Makeing of the public value failed. */
+#define POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED -0x3280 /**< Making of the public value failed. */
#define POLARSSL_ERR_DHM_CALC_SECRET_FAILED -0x3300 /**< Calculation of the DHM secret failed. */
/**
* \brief Create own private value X and export G^X
*
* \param ctx DHM context
- * \param x_size private value size in bits
+ * \param x_size private value size in bytes
* \param output destination buffer
* \param olen must be equal to ctx->P.len
* \param f_rng RNG function
*/
#define POLARSSL_VERSION_MAJOR 1
#define POLARSSL_VERSION_MINOR 1
-#define POLARSSL_VERSION_PATCH 1
+#define POLARSSL_VERSION_PATCH 2
/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
-#define POLARSSL_VERSION_NUMBER 0x01010100
-#define POLARSSL_VERSION_STRING "1.1.1"
-#define POLARSSL_VERSION_STRING_FULL "PolarSSL 1.1.1"
+#define POLARSSL_VERSION_NUMBER 0x01010200
+#define POLARSSL_VERSION_STRING "1.1.2"
+#define POLARSSL_VERSION_STRING_FULL "PolarSSL 1.1.2"
#if defined(POLARSSL_VERSION_C)
return( 0 );
if( i > j ) return( X->s );
- if( j > i ) return( -X->s );
+ if( j > i ) return( -Y->s );
if( X->s > 0 && Y->s < 0 ) return( 1 );
if( Y->s > 0 && X->s < 0 ) return( -1 );
/*
* pick a random A, 1 < A < |X| - 1
*/
- MPI_CHK( mpi_fill_random( &A, X->n, f_rng, p_rng ) );
+ MPI_CHK( mpi_fill_random( &A, X->n * ciL, f_rng, p_rng ) );
if( mpi_cmp_mpi( &A, &W ) >= 0 )
{
n = BITS_TO_LIMBS( nbits );
- MPI_CHK( mpi_fill_random( X, n, f_rng, p_rng ) );
+ MPI_CHK( mpi_fill_random( X, n * ciL, f_rng, p_rng ) );
k = mpi_msb( X );
if( k < nbits ) MPI_CHK( mpi_shift_l( X, nbits - k ) );
if( NULL == cipher_info || NULL == ctx )
return POLARSSL_ERR_CIPHER_BAD_INPUT_DATA;
- memset( ctx, 0, sizeof( ctx ) );
+ memset( ctx, 0, sizeof( cipher_context_t ) );
if( NULL == ( ctx->cipher_ctx = cipher_info->base->ctx_alloc_func() ) )
return POLARSSL_ERR_CIPHER_ALLOC_FAILED;
}
/*
- * Verify sanity of public parameter with regards to P
+ * Verify sanity of parameter with regards to P
*
- * Public parameter should be: 2 <= public_param <= P - 2
+ * Parameter should be: 2 <= public_param <= P - 2
*
* For more information on the attack, see:
* http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf
* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2643
*/
-static int dhm_check_range( const mpi *public_param, const mpi *P )
+static int dhm_check_range( const mpi *param, const mpi *P )
{
mpi L, U;
int ret = POLARSSL_ERR_DHM_BAD_INPUT_DATA;
mpi_lset( &L, 2 );
mpi_sub_int( &U, P, 2 );
- if( mpi_cmp_mpi( public_param, &L ) >= 0 &&
- mpi_cmp_mpi( public_param, &U ) <= 0 )
+ if( mpi_cmp_mpi( param, &L ) >= 0 &&
+ mpi_cmp_mpi( param, &U ) <= 0 )
{
ret = 0;
}
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
- int ret, n;
+ int ret, count = 0;
size_t n1, n2, n3;
unsigned char *p;
/*
* Generate X as large as possible ( < P )
*/
- n = x_size / sizeof( t_uint ) + 1;
+ do
+ {
+ mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
- mpi_fill_random( &ctx->X, n, f_rng, p_rng );
+ while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
+ mpi_shift_r( &ctx->X, 1 );
- while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
- mpi_shift_r( &ctx->X, 1 );
+ if( count++ > 10 )
+ return( POLARSSL_ERR_DHM_MAKE_PARAMS_FAILED );
+ }
+ while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
/*
* Calculate GX = G^X mod P
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng )
{
- int ret, n;
+ int ret, count = 0;
if( ctx == NULL || olen < 1 || olen > ctx->len )
return( POLARSSL_ERR_DHM_BAD_INPUT_DATA );
/*
* generate X and calculate GX = G^X mod P
*/
- n = x_size / sizeof( t_uint ) + 1;
+ do
+ {
+ mpi_fill_random( &ctx->X, x_size, f_rng, p_rng );
- mpi_fill_random( &ctx->X, n, f_rng, p_rng );
+ while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
+ mpi_shift_r( &ctx->X, 1 );
- while( mpi_cmp_mpi( &ctx->X, &ctx->P ) >= 0 )
- mpi_shift_r( &ctx->X, 1 );
+ if( count++ > 10 )
+ return( POLARSSL_ERR_DHM_MAKE_PUBLIC_FAILED );
+ }
+ while( dhm_check_range( &ctx->X, &ctx->P ) != 0 );
MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
&ctx->P , &ctx->RP ) );
int md_init_ctx( md_context_t *ctx, const md_info_t *md_info )
{
- if( md_info == NULL )
+ if( md_info == NULL || ctx == NULL )
return POLARSSL_ERR_MD_BAD_INPUT_DATA;
- if( ctx == NULL || ctx->md_ctx != NULL )
- return POLARSSL_ERR_MD_BAD_INPUT_DATA;
+ memset( ctx, 0, sizeof( md_context_t ) );
if( ( ctx->md_ctx = md_info->ctx_alloc_func() ) == NULL )
return POLARSSL_ERR_MD_ALLOC_FAILED;
/*
* Always compute the MAC (RFC4346, CBCTIME).
*/
+ if( ssl->in_msglen <= ssl->maclen + padlen )
+ {
+ SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
+ ssl->in_msglen, ssl->maclen, padlen ) );
+ return( POLARSSL_ERR_SSL_INVALID_MAC );
+ }
+
ssl->in_msglen -= ( ssl->maclen + padlen );
ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 );
-#include "ext/polarssl-1.1.1/include/polarssl/rsa.h"
-#include "ext/polarssl-1.1.1/include/polarssl/base64.h"
-#include "ext/polarssl-1.1.1/include/polarssl/sha1.h"
-#include "ext/polarssl-1.1.1/include/polarssl/sha2.h"
-#include "ext/polarssl-1.1.1/include/polarssl/sha4.h"
-#include "ext/polarssl-1.1.1/include/polarssl/havege.h"
+#include "ext/polarssl-1.1.2/include/polarssl/rsa.h"
+#include "ext/polarssl-1.1.2/include/polarssl/base64.h"
+#include "ext/polarssl-1.1.2/include/polarssl/sha1.h"
+#include "ext/polarssl-1.1.2/include/polarssl/sha2.h"
+#include "ext/polarssl-1.1.2/include/polarssl/sha4.h"
+#include "ext/polarssl-1.1.2/include/polarssl/havege.h"
#include <boost/assign/std/vector.hpp> // for 'operator+=()'
#include <boost/foreach.hpp>
#include "dnssecinfra.hh"
projects / thirdparty / pdns.git / commitdiff
