From 3e121542d8b7ab5201c47bbd3ba5611a23c54759 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Parm=C3=A9nides=20GV?= Date: Wed, 11 Jun 2014 11:56:59 +0200 Subject: Correctly connects to millipede. Location keyword on android.cfg isn't supported, EIP corresponding code has been commented out. I think we should support it in ics-openvpn, so that we can show the location instead of the server name. I've updated all opensssl, openvpn, etc. subprojects from rev 813 of ics-openvpn, and jni too. --- app/openssl/crypto/ecdh/ecdh.h | 2 ++ app/openssl/crypto/ecdh/ecdhtest.c | 6 ++++++ app/openssl/crypto/ecdh/ech_err.c | 4 +++- app/openssl/crypto/ecdh/ech_key.c | 3 --- app/openssl/crypto/ecdh/ech_lib.c | 31 +++++++++++++++++++++++++++++-- app/openssl/crypto/ecdh/ech_locl.h | 8 ++++++++ app/openssl/crypto/ecdh/ech_ossl.c | 2 ++ 7 files changed, 50 insertions(+), 6 deletions(-) (limited to 'app/openssl/crypto/ecdh') diff --git a/app/openssl/crypto/ecdh/ecdh.h b/app/openssl/crypto/ecdh/ecdh.h index b4b58ee6..8887102c 100644 --- a/app/openssl/crypto/ecdh/ecdh.h +++ b/app/openssl/crypto/ecdh/ecdh.h @@ -109,11 +109,13 @@ void ERR_load_ECDH_strings(void); /* Error codes for the ECDH functions. */ /* Function codes. */ +#define ECDH_F_ECDH_CHECK 102 #define ECDH_F_ECDH_COMPUTE_KEY 100 #define ECDH_F_ECDH_DATA_NEW_METHOD 101 /* Reason codes. */ #define ECDH_R_KDF_FAILED 102 +#define ECDH_R_NON_FIPS_METHOD 103 #define ECDH_R_NO_PRIVATE_VALUE 100 #define ECDH_R_POINT_ARITHMETIC_FAILURE 101 diff --git a/app/openssl/crypto/ecdh/ecdhtest.c b/app/openssl/crypto/ecdh/ecdhtest.c index 212a87ef..823d7baa 100644 --- a/app/openssl/crypto/ecdh/ecdhtest.c +++ b/app/openssl/crypto/ecdh/ecdhtest.c @@ -158,11 +158,13 @@ static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out) if (!EC_POINT_get_affine_coordinates_GFp(group, EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err; } +#ifndef OPENSSL_NO_EC2M else { if (!EC_POINT_get_affine_coordinates_GF2m(group, EC_KEY_get0_public_key(a), x_a, y_a, ctx)) goto err; } +#endif #ifdef NOISY BIO_puts(out," pri 1="); BN_print(out,a->priv_key); @@ -183,11 +185,13 @@ static int test_ecdh_curve(int nid, const char *text, BN_CTX *ctx, BIO *out) if (!EC_POINT_get_affine_coordinates_GFp(group, EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err; } +#ifndef OPENSSL_NO_EC2M else { if (!EC_POINT_get_affine_coordinates_GF2m(group, EC_KEY_get0_public_key(b), x_b, y_b, ctx)) goto err; } +#endif #ifdef NOISY BIO_puts(out," pri 2="); @@ -324,6 +328,7 @@ int main(int argc, char *argv[]) if (!test_ecdh_curve(NID_X9_62_prime256v1, "NIST Prime-Curve P-256", ctx, out)) goto err; if (!test_ecdh_curve(NID_secp384r1, "NIST Prime-Curve P-384", ctx, out)) goto err; if (!test_ecdh_curve(NID_secp521r1, "NIST Prime-Curve P-521", ctx, out)) goto err; +#ifndef OPENSSL_NO_EC2M /* NIST BINARY CURVES TESTS */ if (!test_ecdh_curve(NID_sect163k1, "NIST Binary-Curve K-163", ctx, out)) goto err; if (!test_ecdh_curve(NID_sect163r2, "NIST Binary-Curve B-163", ctx, out)) goto err; @@ -335,6 +340,7 @@ int main(int argc, char *argv[]) if (!test_ecdh_curve(NID_sect409r1, "NIST Binary-Curve B-409", ctx, out)) goto err; if (!test_ecdh_curve(NID_sect571k1, "NIST Binary-Curve K-571", ctx, out)) goto err; if (!test_ecdh_curve(NID_sect571r1, "NIST Binary-Curve B-571", ctx, out)) goto err; +#endif ret = 0; diff --git a/app/openssl/crypto/ecdh/ech_err.c b/app/openssl/crypto/ecdh/ech_err.c index 6f4b0c99..3bd24739 100644 --- a/app/openssl/crypto/ecdh/ech_err.c +++ b/app/openssl/crypto/ecdh/ech_err.c @@ -1,6 +1,6 @@ /* crypto/ecdh/ech_err.c */ /* ==================================================================== - * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -70,6 +70,7 @@ static ERR_STRING_DATA ECDH_str_functs[]= { +{ERR_FUNC(ECDH_F_ECDH_CHECK), "ECDH_CHECK"}, {ERR_FUNC(ECDH_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"}, {ERR_FUNC(ECDH_F_ECDH_DATA_NEW_METHOD), "ECDH_DATA_new_method"}, {0,NULL} @@ -78,6 +79,7 @@ static ERR_STRING_DATA ECDH_str_functs[]= static ERR_STRING_DATA ECDH_str_reasons[]= { {ERR_REASON(ECDH_R_KDF_FAILED) ,"KDF failed"}, +{ERR_REASON(ECDH_R_NON_FIPS_METHOD) ,"non fips method"}, {ERR_REASON(ECDH_R_NO_PRIVATE_VALUE) ,"no private value"}, {ERR_REASON(ECDH_R_POINT_ARITHMETIC_FAILURE),"point arithmetic failure"}, {0,NULL} diff --git a/app/openssl/crypto/ecdh/ech_key.c b/app/openssl/crypto/ecdh/ech_key.c index f44da929..2988899e 100644 --- a/app/openssl/crypto/ecdh/ech_key.c +++ b/app/openssl/crypto/ecdh/ech_key.c @@ -68,9 +68,6 @@ */ #include "ech_locl.h" -#ifndef OPENSSL_NO_ENGINE -#include -#endif int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *eckey, diff --git a/app/openssl/crypto/ecdh/ech_lib.c b/app/openssl/crypto/ecdh/ech_lib.c index 4d8ea03d..0644431b 100644 --- a/app/openssl/crypto/ecdh/ech_lib.c +++ b/app/openssl/crypto/ecdh/ech_lib.c @@ -73,6 +73,9 @@ #include #endif #include +#ifdef OPENSSL_FIPS +#include +#endif const char ECDH_version[]="ECDH" OPENSSL_VERSION_PTEXT; @@ -90,7 +93,16 @@ void ECDH_set_default_method(const ECDH_METHOD *meth) const ECDH_METHOD *ECDH_get_default_method(void) { if(!default_ECDH_method) + { +#ifdef OPENSSL_FIPS + if (FIPS_mode()) + return FIPS_ecdh_openssl(); + else + return ECDH_OpenSSL(); +#else default_ECDH_method = ECDH_OpenSSL(); +#endif + } return default_ECDH_method; } @@ -210,11 +222,26 @@ ECDH_DATA *ecdh_check(EC_KEY *key) ecdh_data = (ECDH_DATA *)ecdh_data_new(); if (ecdh_data == NULL) return NULL; - EC_KEY_insert_key_method_data(key, (void *)ecdh_data, - ecdh_data_dup, ecdh_data_free, ecdh_data_free); + data = EC_KEY_insert_key_method_data(key, (void *)ecdh_data, + ecdh_data_dup, ecdh_data_free, ecdh_data_free); + if (data != NULL) + { + /* Another thread raced us to install the key_method + * data and won. */ + ecdh_data_free(ecdh_data); + ecdh_data = (ECDH_DATA *)data; + } } else ecdh_data = (ECDH_DATA *)data; +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(ecdh_data->flags & ECDH_FLAG_FIPS_METHOD) + && !(EC_KEY_get_flags(key) & EC_FLAG_NON_FIPS_ALLOW)) + { + ECDHerr(ECDH_F_ECDH_CHECK, ECDH_R_NON_FIPS_METHOD); + return NULL; + } +#endif return ecdh_data; diff --git a/app/openssl/crypto/ecdh/ech_locl.h b/app/openssl/crypto/ecdh/ech_locl.h index f658526a..f6cad6a8 100644 --- a/app/openssl/crypto/ecdh/ech_locl.h +++ b/app/openssl/crypto/ecdh/ech_locl.h @@ -75,6 +75,14 @@ struct ecdh_method char *app_data; }; +/* If this flag is set the ECDH method is FIPS compliant and can be used + * in FIPS mode. This is set in the validated module method. If an + * application sets this flag in its own methods it is its responsibility + * to ensure the result is compliant. + */ + +#define ECDH_FLAG_FIPS_METHOD 0x1 + typedef struct ecdh_data_st { /* EC_KEY_METH_DATA part */ int (*init)(EC_KEY *); diff --git a/app/openssl/crypto/ecdh/ech_ossl.c b/app/openssl/crypto/ecdh/ech_ossl.c index 2a40ff12..4a30628f 100644 --- a/app/openssl/crypto/ecdh/ech_ossl.c +++ b/app/openssl/crypto/ecdh/ech_ossl.c @@ -157,6 +157,7 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, goto err; } } +#ifndef OPENSSL_NO_EC2M else { if (!EC_POINT_get_affine_coordinates_GF2m(group, tmp, x, y, ctx)) @@ -165,6 +166,7 @@ static int ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, goto err; } } +#endif buflen = (EC_GROUP_get_degree(group) + 7)/8; len = BN_num_bytes(x); -- cgit v1.2.3