diff --git a/CHANGES b/CHANGES index a4ef89ed5a..55adbcad61 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +4012. [bug] Check returned status of OpenSSL digest and HMAC + functions when they return one. Note this applies + only to FIPS capable OpenSSL libraries put in + FIPS mode and MD5. [RT #37944] + 4011. [bug] master's list port inheritance was not properly implemented. [RT #37792] diff --git a/config.h.in b/config.h.in index 71048b6eff..17d2aedd17 100644 --- a/config.h.in +++ b/config.h.in @@ -391,6 +391,9 @@ int sigwait(const unsigned int *set, int *sig); /* Define to 1 if you have the `usleep' function. */ #undef HAVE_USLEEP +/* HMAC_*() return ints */ +#undef HMAC_RETURN_INT + /* return type of gai_strerror */ #undef IRS_GAISTRERROR_RETURN_T diff --git a/config.h.win32 b/config.h.win32 index 88f2f56c2a..de1399c472 100644 --- a/config.h.win32 +++ b/config.h.win32 @@ -331,6 +331,9 @@ typedef __int64 off_t; /* Define if your OpenSSL version supports GOST. */ @HAVE_OPENSSL_GOST@ +/* HMAC_*() return ints */ +@HMAC_RETURN_INT@ + /* Define to 1 if you have the `readline' function. */ @HAVE_READLINE@ diff --git a/configure b/configure index 9a00f68303..7399377b9d 100755 --- a/configure +++ b/configure @@ -14013,6 +14013,44 @@ case $want_openssl_hash in fi ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1" ISC_OPENSSL_INC="$DST_OPENSSL_INC" + ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" + saved_cflags="$CFLAGS" + save_libs="$LIBS" + CFLAGS="$CFLAGS $ISC_OPENSSL_INC" + LIBS="$LIBS $ISC_OPENSSL_LIBS" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking HMAC_Init() return type" >&5 +$as_echo_n "checking HMAC_Init() return type... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include +int +main () +{ + + HMAC_CTX ctx; + int n = HMAC_Init(&ctx, NULL, 0, NULL); + n += HMAC_Update(&ctx, NULL, 0); + n += HMAC_Final(&ctx, NULL, NULL); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: int" >&5 +$as_echo "int" >&6; } + +$as_echo "#define HMAC_RETURN_INT 1" >>confdefs.h + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: result: void" >&5 +$as_echo "void" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS="$saved_cflags" + LIBS="$save_libs" ;; no) ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" diff --git a/configure.in b/configure.in index c1e88043fc..f36af42bad 100644 --- a/configure.in +++ b/configure.in @@ -979,6 +979,23 @@ case $want_openssl_hash in fi ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1" ISC_OPENSSL_INC="$DST_OPENSSL_INC" + ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS" + saved_cflags="$CFLAGS" + save_libs="$LIBS" + CFLAGS="$CFLAGS $ISC_OPENSSL_INC" + LIBS="$LIBS $ISC_OPENSSL_LIBS" + AC_MSG_CHECKING([HMAC_Init() return type]) + AC_TRY_COMPILE([ + #include ],[ + HMAC_CTX ctx; + int n = HMAC_Init(&ctx, NULL, 0, NULL); + n += HMAC_Update(&ctx, NULL, 0); + n += HMAC_Final(&ctx, NULL, NULL);],[ + AC_MSG_RESULT(int) + AC_DEFINE(HMAC_RETURN_INT, 1, [HMAC_*() return ints])],[ + AC_MSG_RESULT(void)]) + CFLAGS="$saved_cflags" + LIBS="$save_libs" ;; no) ISC_PLATFORM_OPENSSLHASH="#undef ISC_PLATFORM_OPENSSLHASH" diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c index b26a336ead..9c10532c53 100644 --- a/lib/isc/hmacmd5.c +++ b/lib/isc/hmacmd5.c @@ -39,7 +39,12 @@ void isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, + (int) len, EVP_md5()) == 1); +#else HMAC_Init(ctx, (const void *) key, (int) len, EVP_md5()); +#endif } void @@ -51,12 +56,20 @@ void isc_hmacmd5_update(isc_hmacmd5_t *ctx, const unsigned char *buf, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +#else HMAC_Update(ctx, buf, (int) len); +#endif } void isc_hmacmd5_sign(isc_hmacmd5_t *ctx, unsigned char *digest) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Final(ctx, digest, NULL) == 1); +#else HMAC_Final(ctx, digest, NULL); +#endif HMAC_CTX_cleanup(ctx); } diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c index ac2b70c59f..1f72330d35 100644 --- a/lib/isc/hmacsha.c +++ b/lib/isc/hmacsha.c @@ -40,7 +40,12 @@ void isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, + (int) len, EVP_sha1()) == 1); +#else HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha1()); +#endif } void @@ -52,7 +57,11 @@ void isc_hmacsha1_update(isc_hmacsha1_t *ctx, const unsigned char *buf, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +#else HMAC_Update(ctx, buf, (int) len); +#endif } void @@ -61,7 +70,11 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) { REQUIRE(len <= ISC_SHA1_DIGESTLENGTH); +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +#else HMAC_Final(ctx, newdigest, NULL); +#endif HMAC_CTX_cleanup(ctx); memmove(digest, newdigest, len); memset(newdigest, 0, sizeof(newdigest)); @@ -71,7 +84,12 @@ void isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, + (int) len, EVP_sha224()) == 1); +#else HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha224()); +#endif } void @@ -83,7 +101,11 @@ void isc_hmacsha224_update(isc_hmacsha224_t *ctx, const unsigned char *buf, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +#else HMAC_Update(ctx, buf, (int) len); +#endif } void @@ -92,7 +114,11 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) { REQUIRE(len <= ISC_SHA224_DIGESTLENGTH); +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +#else HMAC_Final(ctx, newdigest, NULL); +#endif HMAC_CTX_cleanup(ctx); memmove(digest, newdigest, len); memset(newdigest, 0, sizeof(newdigest)); @@ -102,7 +128,12 @@ void isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, + (int) len, EVP_sha256()) == 1); +#else HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha256()); +#endif } void @@ -114,7 +145,11 @@ void isc_hmacsha256_update(isc_hmacsha256_t *ctx, const unsigned char *buf, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +#else HMAC_Update(ctx, buf, (int) len); +#endif } void @@ -123,7 +158,11 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) { REQUIRE(len <= ISC_SHA256_DIGESTLENGTH); +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +#else HMAC_Final(ctx, newdigest, NULL); +#endif HMAC_CTX_cleanup(ctx); memmove(digest, newdigest, len); memset(newdigest, 0, sizeof(newdigest)); @@ -133,7 +172,12 @@ void isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, + (int) len, EVP_sha384()) == 1); +#else HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha384()); +#endif } void @@ -145,7 +189,11 @@ void isc_hmacsha384_update(isc_hmacsha384_t *ctx, const unsigned char *buf, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +#else HMAC_Update(ctx, buf, (int) len); +#endif } void @@ -154,7 +202,11 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) { REQUIRE(len <= ISC_SHA384_DIGESTLENGTH); +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +#else HMAC_Final(ctx, newdigest, NULL); +#endif HMAC_CTX_cleanup(ctx); memmove(digest, newdigest, len); memset(newdigest, 0, sizeof(newdigest)); @@ -164,7 +216,12 @@ void isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Init(ctx, (const void *) key, + (int) len, EVP_sha512()) == 1); +#else HMAC_Init(ctx, (const void *) key, (int) len, EVP_sha512()); +#endif } void @@ -176,7 +233,11 @@ void isc_hmacsha512_update(isc_hmacsha512_t *ctx, const unsigned char *buf, unsigned int len) { +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Update(ctx, buf, (int) len) == 1); +#else HMAC_Update(ctx, buf, (int) len); +#endif } void @@ -185,7 +246,11 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) { REQUIRE(len <= ISC_SHA512_DIGESTLENGTH); +#ifdef HMAC_RETURN_INT + RUNTIME_CHECK(HMAC_Final(ctx, newdigest, NULL) == 1); +#else HMAC_Final(ctx, newdigest, NULL); +#endif HMAC_CTX_cleanup(ctx); memmove(digest, newdigest, len); memset(newdigest, 0, sizeof(newdigest)); diff --git a/lib/isc/md5.c b/lib/isc/md5.c index 5d21250293..579d61c20b 100644 --- a/lib/isc/md5.c +++ b/lib/isc/md5.c @@ -47,7 +47,7 @@ void isc_md5_init(isc_md5_t *ctx) { - EVP_DigestInit(ctx, EVP_md5()); + RUNTIME_CHECK(EVP_DigestInit(ctx, EVP_md5()) == 1); } void @@ -57,12 +57,14 @@ isc_md5_invalidate(isc_md5_t *ctx) { void isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len) { - EVP_DigestUpdate(ctx, (const void *) buf, (size_t) len); + RUNTIME_CHECK(EVP_DigestUpdate(ctx, + (const void *) buf, + (size_t) len) == 1); } void isc_md5_final(isc_md5_t *ctx, unsigned char *digest) { - EVP_DigestFinal(ctx, digest, NULL); + RUNTIME_CHECK(EVP_DigestFinal(ctx, digest, NULL) == 1); } #else diff --git a/lib/isc/sha1.c b/lib/isc/sha1.c index aca90b4383..3d64994b2a 100644 --- a/lib/isc/sha1.c +++ b/lib/isc/sha1.c @@ -51,7 +51,7 @@ isc_sha1_init(isc_sha1_t *context) { INSIST(context != NULL); - EVP_DigestInit(context, EVP_sha1()); + RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha1()) == 1); } void @@ -66,7 +66,9 @@ isc_sha1_update(isc_sha1_t *context, const unsigned char *data, INSIST(context != 0); INSIST(data != 0); - EVP_DigestUpdate(context, (const void *) data, (size_t) len); + RUNTIME_CHECK(EVP_DigestUpdate(context, + (const void *) data, + (size_t) len) == 1); } void @@ -74,7 +76,7 @@ isc_sha1_final(isc_sha1_t *context, unsigned char *digest) { INSIST(digest != 0); INSIST(context != 0); - EVP_DigestFinal(context, digest, NULL); + RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); } #else diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c index 5f3554fa53..ef54cea2d9 100644 --- a/lib/isc/sha2.c +++ b/lib/isc/sha2.c @@ -70,7 +70,7 @@ isc_sha224_init(isc_sha224_t *context) { if (context == (isc_sha224_t *)0) { return; } - EVP_DigestInit(context, EVP_sha224()); + RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha224()) == 1); } void @@ -88,7 +88,8 @@ isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) { /* Sanity check: */ REQUIRE(context != (isc_sha224_t *)0 && data != (isc_uint8_t*)0); - EVP_DigestUpdate(context, (const void *) data, len); + RUNTIME_CHECK(EVP_DigestUpdate(context, + (const void *) data, len) == 1); } void @@ -98,7 +99,7 @@ isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) { /* If no digest buffer is passed, we don't bother doing this: */ if (digest != (isc_uint8_t*)0) { - EVP_DigestFinal(context, digest, NULL); + RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); } else { EVP_MD_CTX_cleanup(context); } @@ -109,7 +110,7 @@ isc_sha256_init(isc_sha256_t *context) { if (context == (isc_sha256_t *)0) { return; } - EVP_DigestInit(context, EVP_sha256()); + RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha256()) == 1); } void @@ -127,7 +128,8 @@ isc_sha256_update(isc_sha256_t *context, const isc_uint8_t *data, size_t len) { /* Sanity check: */ REQUIRE(context != (isc_sha256_t *)0 && data != (isc_uint8_t*)0); - EVP_DigestUpdate(context, (const void *) data, len); + RUNTIME_CHECK(EVP_DigestUpdate(context, + (const void *) data, len) == 1); } void @@ -137,7 +139,7 @@ isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) { /* If no digest buffer is passed, we don't bother doing this: */ if (digest != (isc_uint8_t*)0) { - EVP_DigestFinal(context, digest, NULL); + RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); } else { EVP_MD_CTX_cleanup(context); } @@ -148,7 +150,7 @@ isc_sha512_init(isc_sha512_t *context) { if (context == (isc_sha512_t *)0) { return; } - EVP_DigestInit(context, EVP_sha512()); + RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha512()) == 1); } void @@ -165,7 +167,8 @@ void isc_sha512_update(isc_sha512_t *context, const isc_uint8_t *data, size_t le /* Sanity check: */ REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); - EVP_DigestUpdate(context, (const void *) data, len); + RUNTIME_CHECK(EVP_DigestUpdate(context, + (const void *) data, len) == 1); } void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) { @@ -174,7 +177,7 @@ void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) { /* If no digest buffer is passed, we don't bother doing this: */ if (digest != (isc_uint8_t*)0) { - EVP_DigestFinal(context, digest, NULL); + RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); } else { EVP_MD_CTX_cleanup(context); } @@ -185,7 +188,7 @@ isc_sha384_init(isc_sha384_t *context) { if (context == (isc_sha384_t *)0) { return; } - EVP_DigestInit(context, EVP_sha384()); + RUNTIME_CHECK(EVP_DigestInit(context, EVP_sha384()) == 1); } void @@ -203,7 +206,8 @@ isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) { /* Sanity check: */ REQUIRE(context != (isc_sha512_t *)0 && data != (isc_uint8_t*)0); - EVP_DigestUpdate(context, (const void *) data, len); + RUNTIME_CHECK(EVP_DigestUpdate(context, + (const void *) data, len) == 1); } void @@ -213,7 +217,7 @@ isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) { /* If no digest buffer is passed, we don't bother doing this: */ if (digest != (isc_uint8_t*)0) { - EVP_DigestFinal(context, digest, NULL); + RUNTIME_CHECK(EVP_DigestFinal(context, digest, NULL) == 1); } else { EVP_MD_CTX_cleanup(context); } diff --git a/win32utils/Configure b/win32utils/Configure index ae4938b06b..1a1fb06102 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -321,6 +321,7 @@ my @substdefh = ("ALLOW_FILTER_AAAA", "HAVE_OPENSSL_ECDSA", "HAVE_OPENSSL_GOST", "HAVE_READLINE", + "HMAC_RETURN_INT", "ISC_LIST_CHECKINIT", "WITH_IDN"); @@ -1527,6 +1528,30 @@ if ($enable_openssl_hash eq "yes") { die "No OpenSSL for hash functions\n"; } $configdefp{"ISC_PLATFORM_OPENSSLHASH"} = 1; + if ($verbose) { + print "checking HMAC_Init() return type\n"; + } + open F, ">testhmac.c" || die $!; + print F << 'EOF'; +#include + +int +main(void) +{ + HMAC_CTX ctx; + int n = HMAC_Init(&ctx, NULL, 0, NULL); + n += HMAC_Update(&ctx, NULL, 0); + n += HMAC_Final(&ctx, NULL, NULL); + return(n); +} +EOF + close F; + my $include = $configinc{"OPENSSL_INC"}; + my $library = $configlib{"OPENSSL_LIB"}; + $compret = `cl /nologo /MD /I "$include" testhmac.c "$library"`; + if (grep { -f and -x } ".\\testhmac.exe") { + $configdefh{"HMAC_RETURN_INT"} = 1; + } } # with-pkcs11