diff --git a/CHANGES b/CHANGES index 0939bd459d..60b26a002a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +4012. [bug] Check returned status of OpenSSL digest and HMAC + functions when they return one. Note this applies + only to FIPS capable OpenSSL libraries put in + FIPS mode and MD5. [RT #37944] + 4011. [bug] master's list port and dscp inheritance was not properly implemented. [RT #37792] diff --git a/config.h.in b/config.h.in index e8170791fc..e02f4f9260 100644 --- a/config.h.in +++ b/config.h.in @@ -446,6 +446,9 @@ int sigwait(const unsigned int *set, int *sig); /* Define to 1 if you have the `usleep' function. */ #undef HAVE_USLEEP +/* HMAC_*() return ints */ +#undef HMAC_RETURN_INT + /* Use HMAC-SHA1 for Source Identity Token generation */ #undef HMAC_SHA1_SIT diff --git a/config.h.win32 b/config.h.win32 index 1d2c98127d..73a64ca45f 100644 --- a/config.h.win32 +++ b/config.h.win32 @@ -354,6 +354,9 @@ typedef __int64 off_t; /* Define if your OpenSSL version supports AES */ @HAVE_OPENSSL_AES@ +/* HMAC_*() return ints */ +@HMAC_RETURN_INT@ + /* Use AES for Source Identity Token generation */ @AES_SIT@ diff --git a/configure b/configure index d8c45204b5..844a5b0bed 100755 --- a/configure +++ b/configure @@ -16167,6 +16167,43 @@ $as_echo "yes" >&6; } ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1" ISC_OPENSSL_INC="$DST_OPENSSL_INC" ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" + saved_cflags="$CFLAGS" + save_libs="$LIBS" + CFLAGS="$CFLAGS $ISC_OPENSSL_INC" + LIBS="$LIBS $ISC_OPENSSL_LIBS" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking HMAC_Init() return type" >&5 +$as_echo_n "checking HMAC_Init() return type... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include +int +main () +{ + + HMAC_CTX ctx; + int n = HMAC_Init(&ctx, NULL, 0, NULL); + n += HMAC_Update(&ctx, NULL, 0); + n += HMAC_Final(&ctx, NULL, NULL); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: int" >&5 +$as_echo "int" >&6; } + +$as_echo "#define HMAC_RETURN_INT 1" >>confdefs.h + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: void" >&5 +$as_echo "void" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS="$saved_cflags" + LIBS="$save_libs" ;; no) { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 diff --git a/configure.in b/configure.in index 271a3b4db8..c0ddd0585f 100644 --- a/configure.in +++ b/configure.in @@ -1876,6 +1876,22 @@ case $want_openssl_hash in ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1" ISC_OPENSSL_INC="$DST_OPENSSL_INC" ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" + saved_cflags="$CFLAGS" + save_libs="$LIBS" + CFLAGS="$CFLAGS $ISC_OPENSSL_INC" + LIBS="$LIBS $ISC_OPENSSL_LIBS" + AC_MSG_CHECKING([HMAC_Init() return type]) + AC_TRY_COMPILE([ + #include ],[ + HMAC_CTX ctx; + int n = HMAC_Init(&ctx, NULL, 0, NULL); + n += HMAC_Update(&ctx, NULL, 0); + n += HMAC_Final(&ctx, NULL, NULL);],[ + AC_MSG_RESULT(int) + AC_DEFINE(HMAC_RETURN_INT, 1, [HMAC_*() return ints])],[ + AC_MSG_RESULT(void)]) + CFLAGS="$saved_cflags" + LIBS="$save_libs" ;; no) AC_MSG_RESULT(no) diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c index b9e3a94b7e..5f77323e6c 100644 --- a/lib/isc/hmacmd5.c +++ b/lib/isc/hmacmd5.c @@ -44,7 +44,12 @@ void isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, + (int) len, EVP_md5()) == 1); +#else HMAC_Init(ctx, (const void *) key, (int) len, EVP_md5()); +#endif } void @@ -56,12 +61,20 @@ void isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +#else HMAC_Update(ctx, buf, (int) len); +#endif } void isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Final(ctx, digest, NULL) == 1); +#else HMAC_Final(ctx, digest, NULL); +#endif HMAC_CTX_cleanup(ctx); } diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c index 0480c59d28..c03a27ac77 100644 --- a/lib/isc/hmacsha.c +++ b/lib/isc/hmacsha.c @@ -44,7 +44,12 @@ void isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, + (int) len, EVP_sha1()) == 1); +#else HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1()); +#endif } void @@ -56,7 +61,11 @@ void isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +#else HMAC_Update(ctx, buf, (int) len); +#endif } void @@ -65,7 +74,11 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +#else HMAC_Final(ctx, newdigest, NULL); +#endif HMAC_CTX_cleanup(ctx); memmove(digest, newdigest, len); memset(newdigest, 0, sizeof(newdigest)); @@ -75,7 +88,12 @@ void isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, + (int) len, EVP_sha224()) == 1); +#else HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224()); +#endif } void @@ -87,7 +105,11 @@ void isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +#else HMAC_Update(ctx, buf, (int) len); +#endif } void @@ -96,7 +118,11 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +#else HMAC_Final(ctx, newdigest, NULL); +#endif HMAC_CTX_cleanup(ctx); memmove(digest, newdigest, len); memset(newdigest, 0, sizeof(newdigest)); @@ -106,7 +132,12 @@ void isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, + (int) len, EVP_sha256()) == 1); +#else HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256()); +#endif } void @@ -118,7 +149,11 @@ void isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +#else HMAC_Update(ctx, buf, (int) len); +#endif } void @@ -127,7 +162,11 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +#else HMAC_Final(ctx, newdigest, NULL); +#endif HMAC_CTX_cleanup(ctx); memmove(digest, newdigest, len); memset(newdigest, 0, sizeof(newdigest)); @@ -137,7 +176,12 @@ void isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, + (int) len, EVP_sha384()) == 1); +#else HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384()); +#endif } void @@ -149,7 +193,11 @@ void isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +#else HMAC_Update(ctx, buf, (int) len); +#endif } void @@ -158,7 +206,11 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +#else HMAC_Final(ctx, newdigest, NULL); +#endif HMAC_CTX_cleanup(ctx); memmove(digest, newdigest, len); memset(newdigest, 0, sizeof(newdigest)); @@ -168,7 +220,12 @@ void isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, + (int) len, EVP_sha512()) == 1); +#else HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512()); +#endif } void @@ -180,7 +237,11 @@ void isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +#else HMAC_Update(ctx, buf, (int) len); +#endif } void @@ -189,7 +250,11 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +#else HMAC_Final(ctx, newdigest, NULL); +#endif HMAC_CTX_cleanup(ctx); memmove(digest, newdigest, len); memset(newdigest, 0, sizeof(newdigest)); diff --git a/lib/isc/md5.c b/lib/isc/md5.c index 383c1c3492..a83febabca 100644 --- a/lib/isc/md5.c +++ b/lib/isc/md5.c @@ -52,7 +52,7 @@ #ifdef ISC_PLATFORM_OPENSSLHASH void isc_md5_init(isc_md5_t *ctx) { - EVP_DigestInit(ctx, EVP_md5()); + RUNTIME_CHECK(EVP_DigestInit(ctx, EVP_md5()) == 1); } void @@ -62,12 +62,14 @@ isc_md5_invalidate(isc_md5_t *ctx) { void isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) { - EVP_DigestUpdate(ctx, (const void *) buf, (size_t) len); + RUNTIME_CHECK(EVP_DigestUpdate(ctx, + (const void *) buf, + (size_t) len) == 1); } void isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { - EVP_DigestFinal(ctx, digest, NULL); + RUNTIME_CHECK(EVP_DigestFinal(ctx, digest, NULL) == 1); } #elif PKCS11CRYPTO diff --git a/lib/isc/sha1.c b/lib/isc/sha1.c index 190f0627ec..f706903776 100644 --- a/lib/isc/sha1.c +++ b/lib/isc/sha1.c @@ -55,7 +55,7 @@ isc_sha1_init(isc_sha1_t *context) { INSIST(context != NULL); - EVP_DigestInit(context, EVP_sha1()); + RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha1()) == 1); } void @@ -70,7 +70,9 @@ isc_sha1_update(isc_sha1_t *context, const unsigned char *data, INSIST(context != 0); INSIST(data != 0); - EVP_DigestUpdate(context, (const void *) data, (size_t) len); + RUNTIME_CHECK(EVP_DigestUpdate(context, + (const void *) data, + (size_t) len) == 1); } void @@ -78,7 +80,7 @@ isc_sha1_final(isc_sha1_t *context, unsigned char *digest) { INSIST(digest != 0); INSIST(context != 0); - EVP_DigestFinal(context, digest, NULL); + RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); } #elif PKCS11CRYPTO diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c index 49503d8507..b7053d545f 100644 --- a/lib/isc/sha2.c +++ b/lib/isc/sha2.c @@ -75,7 +75,7 @@ isc_sha224_init(isc_sha224_t *context) { if (context == (isc_sha224_t *)0) { return; } - EVP_DigestInit(context, EVP_sha224()); + RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha224()) == 1); } void @@ -93,7 +93,8 @@ isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) { /* Sanity check: */ REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0); - EVP_DigestUpdate(context, (const void *) data, len); + RUNTIME_CHECK(EVP_DigestUpdate(context, + (const void *) data, len) == 1); } void @@ -103,7 +104,7 @@ isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) { /* If no digest buffer is passed, we don't bother doing this: */ if (digest != (isc_uint8_t*)0) { - EVP_DigestFinal(context, digest, NULL); + RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); } else { EVP_MD_CTX_cleanup(context); } @@ -114,7 +115,7 @@ isc_sha256_init(isc_sha256_t *context) { if (context == (isc_sha256_t *)0) { return; } - EVP_DigestInit(context, EVP_sha256()); + RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha256()) == 1); } void @@ -132,7 +133,8 @@ isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) { /* Sanity check: */ REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0); - EVP_DigestUpdate(context, (const void *) data, len); + RUNTIME_CHECK(EVP_DigestUpdate(context, + (const void *) data, len) == 1); } void @@ -142,7 +144,7 @@ isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) { /* If no digest buffer is passed, we don't bother doing this: */ if (digest != (isc_uint8_t*)0) { - EVP_DigestFinal(context, digest, NULL); + RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); } else { EVP_MD_CTX_cleanup(context); } @@ -153,7 +155,7 @@ isc_sha512_init(isc_sha512_t *context) { if (context == (isc_sha512_t *)0) { return; } - EVP_DigestInit(context, EVP_sha512()); + RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha512()) == 1); } void @@ -170,7 +172,8 @@ void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t le /* Sanity check: */ REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); - EVP_DigestUpdate(context, (const void *) data, len); + RUNTIME_CHECK(EVP_DigestUpdate(context, + (const void *) data, len) == 1); } void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) { @@ -179,7 +182,7 @@ void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) { /* If no digest buffer is passed, we don't bother doing this: */ if (digest != (isc_uint8_t*)0) { - EVP_DigestFinal(context, digest, NULL); + RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); } else { EVP_MD_CTX_cleanup(context); } @@ -190,7 +193,7 @@ isc_sha384_init(isc_sha384_t *context) { if (context == (isc_sha384_t *)0) { return; } - EVP_DigestInit(context, EVP_sha384()); + RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha384()) == 1); } void @@ -208,7 +211,8 @@ isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) { /* Sanity check: */ REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); - EVP_DigestUpdate(context, (const void *) data, len); + RUNTIME_CHECK(EVP_DigestUpdate(context, + (const void *) data, len) == 1); } void @@ -218,7 +222,7 @@ isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) { /* If no digest buffer is passed, we don't bother doing this: */ if (digest != (isc_uint8_t*)0) { - EVP_DigestFinal(context, digest, NULL); + RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); } else { EVP_MD_CTX_cleanup(context); } diff --git a/win32utils/Configure b/win32utils/Configure index c0ecd6df40..5fcd6732e5 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -365,6 +365,7 @@ my @substdefh = ("AES_SIT", "HAVE_PKCS11_ECDSA", "HAVE_PKCS11_GOST", "HAVE_READLINE", + "HMAC_RETURN_INT", "HMAC_SHA1_SIT", "HMAC_SHA256_SIT", "ISC_LIST_CHECKINIT", @@ -1876,6 +1877,30 @@ if ($enable_openssl_hash eq "yes") { die "No OpenSSL for hash functions\n"; } $configdefp{"ISC_PLATFORM_OPENSSLHASH"} = 1; + if ($verbose) { + print "checking HMAC_Init() return type\n"; + } + open F, ">testhmac.c" || die $!; + print F << 'EOF'; +#include + +int +main(void) +{ + HMAC_CTX ctx; + int n = HMAC_Init(&ctx, NULL, 0, NULL); + n += HMAC_Update(&ctx, NULL, 0); + n += HMAC_Final(&ctx, NULL, NULL); + return(n); +} +EOF + close F; + my $include = $configinc{"OPENSSL_INC"}; + my $library = $configlib{"OPENSSL_LIB"}; + $compret = `cl /nologo /MD /I "$include" testhmac.c "$library"`; + if (grep { -f and -x } ".\\testhmac.exe") { + $configdefh{"HMAC_RETURN_INT"} = 1; + } } # with-pkcs11