+4012. [bug] Check returned status of OpenSSL digest and HMAC
+ functions when they return one. Note this applies
+ only to FIPS capable OpenSSL libraries put in
+ FIPS mode and MD5. [RT #37944]
+
4011. [bug] master's list port and dscp inheritance was not
properly implemented. [RT #37792]
/* Define to 1 if you have the `usleep' function. */
#undef HAVE_USLEEP
+/* HMAC_*() return ints */
+#undef HMAC_RETURN_INT
+
/* Use HMAC-SHA1 for Source Identity Token generation */
#undef HMAC_SHA1_SIT
/* Define if your OpenSSL version supports AES */
@HAVE_OPENSSL_AES@
+/* HMAC_*() return ints */
+@HMAC_RETURN_INT@
+
/* Use AES for Source Identity Token generation */
@AES_SIT@
ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
ISC_OPENSSL_INC="$DST_OPENSSL_INC"
ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
+ saved_cflags="$CFLAGS"
+ save_libs="$LIBS"
+ CFLAGS="$CFLAGS $ISC_OPENSSL_INC"
+ LIBS="$LIBS $ISC_OPENSSL_LIBS"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking HMAC_Init() return type" >&5
+$as_echo_n "checking HMAC_Init() return type... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+ #include <openssl/hmac.h>
+int
+main ()
+{
+
+ HMAC_CTX ctx;
+ int n = HMAC_Init(&ctx, NULL, 0, NULL);
+ n += HMAC_Update(&ctx, NULL, 0);
+ n += HMAC_Final(&ctx, NULL, NULL);
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: int" >&5
+$as_echo "int" >&6; }
+
+$as_echo "#define HMAC_RETURN_INT 1" >>confdefs.h
+
+else
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: void" >&5
+$as_echo "void" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ CFLAGS="$saved_cflags"
+ LIBS="$save_libs"
;;
no)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
ISC_OPENSSL_INC="$DST_OPENSSL_INC"
ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
+ saved_cflags="$CFLAGS"
+ save_libs="$LIBS"
+ CFLAGS="$CFLAGS $ISC_OPENSSL_INC"
+ LIBS="$LIBS $ISC_OPENSSL_LIBS"
+ AC_MSG_CHECKING([HMAC_Init() return type])
+ AC_TRY_COMPILE([
+ #include <openssl/hmac.h>],[
+ HMAC_CTX ctx;
+ int n = HMAC_Init(&ctx, NULL, 0, NULL);
+ n += HMAC_Update(&ctx, NULL, 0);
+ n += HMAC_Final(&ctx, NULL, NULL);],[
+ AC_MSG_RESULT(int)
+ AC_DEFINE(HMAC_RETURN_INT, 1, [HMAC_*() return ints])],[
+ AC_MSG_RESULT(void)])
+ CFLAGS="$saved_cflags"
+ LIBS="$save_libs"
;;
no)
AC_MSG_RESULT(no)
isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
unsigned int len)
{
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
+ (int) len, EVP_md5()) == 1);
+#else
HMAC_Init(ctx, (const void *) key, (int) len, EVP_md5());
+#endif
}
void
isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf,
unsigned int len)
{
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
+#else
HMAC_Update(ctx, buf, (int) len);
+#endif
}
void
isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) {
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Final(ctx, digest, NULL) == 1);
+#else
HMAC_Final(ctx, digest, NULL);
+#endif
HMAC_CTX_cleanup(ctx);
}
isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
unsigned int len)
{
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
+ (int) len, EVP_sha1()) == 1);
+#else
HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1());
+#endif
}
void
isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf,
unsigned int len)
{
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
+#else
HMAC_Update(ctx, buf, (int) len);
+#endif
}
void
REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
+#else
HMAC_Final(ctx, newdigest, NULL);
+#endif
HMAC_CTX_cleanup(ctx);
memmove(digest, newdigest, len);
memset(newdigest, 0, sizeof(newdigest));
isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
unsigned int len)
{
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
+ (int) len, EVP_sha224()) == 1);
+#else
HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224());
+#endif
}
void
isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf,
unsigned int len)
{
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
+#else
HMAC_Update(ctx, buf, (int) len);
+#endif
}
void
REQUIRE(len <= ISC_SHA224_DIGESTLENGTH);
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
+#else
HMAC_Final(ctx, newdigest, NULL);
+#endif
HMAC_CTX_cleanup(ctx);
memmove(digest, newdigest, len);
memset(newdigest, 0, sizeof(newdigest));
isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
unsigned int len)
{
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
+ (int) len, EVP_sha256()) == 1);
+#else
HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256());
+#endif
}
void
isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf,
unsigned int len)
{
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
+#else
HMAC_Update(ctx, buf, (int) len);
+#endif
}
void
REQUIRE(len <= ISC_SHA256_DIGESTLENGTH);
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
+#else
HMAC_Final(ctx, newdigest, NULL);
+#endif
HMAC_CTX_cleanup(ctx);
memmove(digest, newdigest, len);
memset(newdigest, 0, sizeof(newdigest));
isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
unsigned int len)
{
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
+ (int) len, EVP_sha384()) == 1);
+#else
HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384());
+#endif
}
void
isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf,
unsigned int len)
{
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
+#else
HMAC_Update(ctx, buf, (int) len);
+#endif
}
void
REQUIRE(len <= ISC_SHA384_DIGESTLENGTH);
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
+#else
HMAC_Final(ctx, newdigest, NULL);
+#endif
HMAC_CTX_cleanup(ctx);
memmove(digest, newdigest, len);
memset(newdigest, 0, sizeof(newdigest));
isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
unsigned int len)
{
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key,
+ (int) len, EVP_sha512()) == 1);
+#else
HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512());
+#endif
}
void
isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf,
unsigned int len)
{
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1);
+#else
HMAC_Update(ctx, buf, (int) len);
+#endif
}
void
REQUIRE(len <= ISC_SHA512_DIGESTLENGTH);
+#ifdef HMAC_RETURN_INT
+ RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1);
+#else
HMAC_Final(ctx, newdigest, NULL);
+#endif
HMAC_CTX_cleanup(ctx);
memmove(digest, newdigest, len);
memset(newdigest, 0, sizeof(newdigest));
#ifdef ISC_PLATFORM_OPENSSLHASH
void
isc_md5_init(isc_md5_t *ctx) {
- EVP_DigestInit(ctx, EVP_md5());
+ RUNTIME_CHECK(EVP_DigestInit(ctx, EVP_md5()) == 1);
}
void
void
isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) {
- EVP_DigestUpdate(ctx, (const void *) buf, (size_t) len);
+ RUNTIME_CHECK(EVP_DigestUpdate(ctx,
+ (const void *) buf,
+ (size_t) len) == 1);
}
void
isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
- EVP_DigestFinal(ctx, digest, NULL);
+ RUNTIME_CHECK(EVP_DigestFinal(ctx, digest, NULL) == 1);
}
#elif PKCS11CRYPTO
{
INSIST(context != NULL);
- EVP_DigestInit(context, EVP_sha1());
+ RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha1()) == 1);
}
void
INSIST(context != 0);
INSIST(data != 0);
- EVP_DigestUpdate(context, (const void *) data, (size_t) len);
+ RUNTIME_CHECK(EVP_DigestUpdate(context,
+ (const void *) data,
+ (size_t) len) == 1);
}
void
INSIST(digest != 0);
INSIST(context != 0);
- EVP_DigestFinal(context, digest, NULL);
+ RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1);
}
#elif PKCS11CRYPTO
if (context == (isc_sha224_t *)0) {
return;
}
- EVP_DigestInit(context, EVP_sha224());
+ RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha224()) == 1);
}
void
/* Sanity check: */
REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0);
- EVP_DigestUpdate(context, (const void *) data, len);
+ RUNTIME_CHECK(EVP_DigestUpdate(context,
+ (const void *) data, len) == 1);
}
void
/* If no digest buffer is passed, we don't bother doing this: */
if (digest != (isc_uint8_t*)0) {
- EVP_DigestFinal(context, digest, NULL);
+ RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1);
} else {
EVP_MD_CTX_cleanup(context);
}
if (context == (isc_sha256_t *)0) {
return;
}
- EVP_DigestInit(context, EVP_sha256());
+ RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha256()) == 1);
}
void
/* Sanity check: */
REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0);
- EVP_DigestUpdate(context, (const void *) data, len);
+ RUNTIME_CHECK(EVP_DigestUpdate(context,
+ (const void *) data, len) == 1);
}
void
/* If no digest buffer is passed, we don't bother doing this: */
if (digest != (isc_uint8_t*)0) {
- EVP_DigestFinal(context, digest, NULL);
+ RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1);
} else {
EVP_MD_CTX_cleanup(context);
}
if (context == (isc_sha512_t *)0) {
return;
}
- EVP_DigestInit(context, EVP_sha512());
+ RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha512()) == 1);
}
void
/* Sanity check: */
REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
- EVP_DigestUpdate(context, (const void *) data, len);
+ RUNTIME_CHECK(EVP_DigestUpdate(context,
+ (const void *) data, len) == 1);
}
void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
/* If no digest buffer is passed, we don't bother doing this: */
if (digest != (isc_uint8_t*)0) {
- EVP_DigestFinal(context, digest, NULL);
+ RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1);
} else {
EVP_MD_CTX_cleanup(context);
}
if (context == (isc_sha384_t *)0) {
return;
}
- EVP_DigestInit(context, EVP_sha384());
+ RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha384()) == 1);
}
void
/* Sanity check: */
REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0);
- EVP_DigestUpdate(context, (const void *) data, len);
+ RUNTIME_CHECK(EVP_DigestUpdate(context,
+ (const void *) data, len) == 1);
}
void
/* If no digest buffer is passed, we don't bother doing this: */
if (digest != (isc_uint8_t*)0) {
- EVP_DigestFinal(context, digest, NULL);
+ RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1);
} else {
EVP_MD_CTX_cleanup(context);
}
"HAVE_PKCS11_ECDSA",
"HAVE_PKCS11_GOST",
"HAVE_READLINE",
+ "HMAC_RETURN_INT",
"HMAC_SHA1_SIT",
"HMAC_SHA256_SIT",
"ISC_LIST_CHECKINIT",
die "No OpenSSL for hash functions\n";
}
$configdefp{"ISC_PLATFORM_OPENSSLHASH"} = 1;
+ if ($verbose) {
+ print "checking HMAC_Init() return type\n";
+ }
+ open F, ">testhmac.c" || die $!;
+ print F << 'EOF';
+#include <openssl/hmac.h>
+
+int
+main(void)
+{
+ HMAC_CTX ctx;
+ int n = HMAC_Init(&ctx, NULL, 0, NULL);
+ n += HMAC_Update(&ctx, NULL, 0);
+ n += HMAC_Final(&ctx, NULL, NULL);
+ return(n);
+}
+EOF
+ close F;
+ my $include = $configinc{"OPENSSL_INC"};
+ my $library = $configlib{"OPENSSL_LIB"};
+ $compret = `cl /nologo /MD /I "$include" testhmac.c "$library"`;
+ if (grep { -f and -x } ".\\testhmac.exe") {
+ $configdefh{"HMAC_RETURN_INT"} = 1;
+ }
}
# with-pkcs11