polynomial-c 15/03/19 14:28:24
Added: openssl-1.0.1l-CVE-2015-0286.patch
openssl-1.0.2-CVE-2015-0291.patch
Log:
Security bump (bug #543552)
(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key
0x981CA6FC)
Revision Changes Path
1.1 dev-libs/openssl/files/openssl-1.0.1l-CVE-2015-0286.patch
file :
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/files/openssl-1.0.1l-CVE-2015-0286.patch?rev=1.1&view=markup
plain:
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/files/openssl-1.0.1l-CVE-2015-0286.patch?rev=1.1&content-type=text/plain
Index: openssl-1.0.1l-CVE-2015-0286.patch
===================================================================
--- openssl-1.0.1l/crypto/asn1/a_type.c
+++ openssl-1.0.1l/crypto/asn1/a_type.c
@@ -124,6 +124,9 @@
case V_ASN1_OBJECT:
result = OBJ_cmp(a->value.object, b->value.object);
break;
+ case V_ASN1_BOOLEAN:
+ result = a->value.boolean - b->value.boolean;
+ break;
case V_ASN1_NULL:
result = 0; /* They do not have content. */
break;
--- openssl-1.0.1l/crypto/asn1/tasn_dec.c
+++ openssl-1.0.1l/crypto/asn1/tasn_dec.c
@@ -130,11 +130,17 @@
{
ASN1_TLC c;
ASN1_VALUE *ptmpval = NULL;
- if (!pval)
- pval = &ptmpval;
asn1_tlc_clear_nc(&c);
- if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
- return *pval;
+ if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
+ ptmpval = *pval;
+ if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
+ if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
+ if (*pval)
+ ASN1_item_free(*pval, it);
+ *pval = ptmpval;
+ }
+ return ptmpval;
+ }
return NULL;
}
@@ -311,9 +317,16 @@
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
- /* Allocate structure */
- if (!*pval && !ASN1_item_ex_new(pval, it))
- {
+ if (*pval) {
+ /* Free up and zero CHOICE value if initialised */
+ i = asn1_get_choice_selector(pval, it);
+ if ((i >= 0) && (i < it->tcount)) {
+ tt = it->templates + i;
+ pchptr = asn1_get_field_ptr(pval, tt);
+ ASN1_template_free(pchptr, tt);
+ asn1_set_choice_selector(pval, -1, it);
+ }
+ } else if (!ASN1_item_ex_new(pval, it)) {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
ERR_R_NESTED_ASN1_ERROR);
goto err;
@@ -407,6 +420,17 @@
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
+ /* Free up and zero any ADB found */
+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+ if (tt->flags & ASN1_TFLG_ADB_MASK) {
+ const ASN1_TEMPLATE *seqtt;
+ ASN1_VALUE **pseqval;
+ seqtt = asn1_do_adb(pval, tt, 1);
+ pseqval = asn1_get_field_ptr(pval, seqtt);
+ ASN1_template_free(pseqval, seqtt);
+ }
+ }
+
/* Get each field entry */
for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
{
--- openssl-1.0.1l/crypto/pkcs7/pk7_doit.c
+++ openssl-1.0.1l/crypto/pkcs7/pk7_doit.c
@@ -272,6 +272,25 @@
PKCS7_RECIP_INFO *ri=NULL;
ASN1_OCTET_STRING *os=NULL;
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
+ return NULL;
+ }
+ /*
+ * The content field in the PKCS7 ContentInfo is optional, but that really
+ * only applies to inner content (precisely, detached signatures).
+ *
+ * When reading content, missing outer content is therefore treated as an
+ * error.
+ *
+ * When creating content, PKCS7_content_new() must be called before
+ * calling this method, so a NULL p7->d is always an error.
+ */
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
+ return NULL;
+ }
+
i=OBJ_obj2nid(p7->type);
p7->state=PKCS7_S_HEADER;
@@ -433,6 +452,16 @@
unsigned char *ek = NULL, *tkey = NULL;
int eklen = 0, tkeylen = 0;
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
+ return NULL;
+ }
+
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+ return NULL;
+ }
+
i=OBJ_obj2nid(p7->type);
p7->state=PKCS7_S_HEADER;
@@ -752,6 +781,16 @@
STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
ASN1_OCTET_STRING *os=NULL;
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
+ return 0;
+ }
+
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
+ return 0;
+ }
+
EVP_MD_CTX_init(&ctx_tmp);
i=OBJ_obj2nid(p7->type);
p7->state=PKCS7_S_HEADER;
@@ -796,6 +835,7 @@
/* If detached data then the content is excluded */
if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
M_ASN1_OCTET_STRING_free(os);
+ os = NULL;
p7->d.sign->contents->d.data = NULL;
}
break;
@@ -806,6 +846,7 @@
if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
{
M_ASN1_OCTET_STRING_free(os);
+ os = NULL;
p7->d.digest->contents->d.data = NULL;
}
break;
@@ -878,24 +919,31 @@
M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
}
- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))
- {
+ if (!PKCS7_is_detached(p7)) {
+ /*
+ * NOTE(emilia): I think we only reach os == NULL here because
detached
+ * digested data support is broken.
+ */
+ if (os == NULL)
+ goto err;
+ if (!(os->flags & ASN1_STRING_FLAG_NDEF)) {
char *cont;
long contlen;
- btmp=BIO_find_type(bio,BIO_TYPE_MEM);
- if (btmp == NULL)
- {
-
PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
- goto err;
- }
+ btmp = BIO_find_type(bio, BIO_TYPE_MEM);
+ if (btmp == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
+ goto err;
+ }
contlen = BIO_get_mem_data(btmp, &cont);
- /* Mark the BIO read only then we can use its copy of the data
+ /*
+ * Mark the BIO read only then we can use its copy of the data
* instead of making an extra copy.
*/
BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
BIO_set_mem_eof_return(btmp, 0);
ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
- }
+ }
+ }
ret=1;
err:
EVP_MD_CTX_cleanup(&ctx_tmp);
@@ -971,6 +1019,16 @@
STACK_OF(X509) *cert;
X509 *x509;
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
+ return 0;
+ }
+
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
+ return 0;
+ }
+
if (PKCS7_type_is_signed(p7))
{
cert=p7->d.sign->cert;
--- openssl-1.0.1l/crypto/pkcs7/pk7_lib.c
+++ openssl-1.0.1l/crypto/pkcs7/pk7_lib.c
@@ -71,6 +71,7 @@
switch (cmd)
{
+ /* NOTE(emilia): does not support detached digested data. */
case PKCS7_OP_SET_DETACHED_SIGNATURE:
if (nid == NID_pkcs7_signed)
{
@@ -459,6 +460,8 @@
STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
{
+ if (p7 == NULL || p7->d.ptr == NULL)
+ return NULL;
if (PKCS7_type_is_signed(p7))
{
return(p7->d.sign->signer_info);
--- openssl-1.0.1l/doc/crypto/d2i_X509.pod
+++ openssl-1.0.1l/doc/crypto/d2i_X509.pod
@@ -199,6 +199,12 @@
persist if they are not present in the new one. As a result the use
of this "reuse" behaviour is strongly discouraged.
+Current versions of OpenSSL will not modify B<*px> if an error occurs.
+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
+set to the value of the newly decoded structure. As a result B<*px>
+B<must not> be allocated on the stack or an attempt will be made to
+free an invalid pointer.
+
i2d_X509() will not return an error in many versions of OpenSSL,
if mandatory fields are not initialized due to a programming error
then the encoded structure may contain invalid data or omit the
@@ -210,7 +216,9 @@
d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
or B<NULL> if an error occurs. The error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
+L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
+with a valid X509 structure being passed in via B<px> then the object is not
+modified in the event of error.
i2d_X509() returns the number of bytes successfully encoded or a negative
value if an error occurs. The error code can be obtained by
--- openssl-1.0.1l/ssl/s2_lib.c
+++ openssl-1.0.1l/ssl/s2_lib.c
@@ -488,7 +488,7 @@
OPENSSL_assert(s->session->master_key_length >= 0
&& s->session->master_key_length
- < (int)sizeof(s->session->master_key));
+ <= (int)sizeof(s->session->master_key));
EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
EVP_DigestUpdate(&ctx,&c,1);
c++;
--- openssl-1.0.1l/ssl/s2_srvr.c
+++ openssl-1.0.1l/ssl/s2_srvr.c
@@ -454,10 +454,6 @@
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
return(-1);
}
- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
-
is_export=SSL_C_IS_EXPORT(s->session->cipher);
if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
@@ -475,21 +471,59 @@
else
ek=5;
+ /*
+ * The format of the CLIENT-MASTER-KEY message is
+ * 1 byte message type
+ * 3 bytes cipher
+ * 2-byte clear key length (stored in s->s2->tmp.clear)
+ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
+ * 2-byte key args length (IV etc)
+ * clear key
+ * encrypted key
+ * key args
+ *
+ * If the cipher is an export cipher, then the encrypted key bytes
+ * are a fixed portion of the total key (5 or 8 bytes). The size of
+ * this portion is in |ek|. If the cipher is not an export cipher,
+ * then the entire key material is encrypted (i.e., clear key length
+ * must be zero).
+ */
+ if ((!is_export && s->s2->tmp.clear != 0) ||
+ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
+ return -1;
+ }
+ /*
+ * The encrypted blob must decrypt to the encrypted portion of the key.
+ * Decryption can't be expanding, so if we don't have enough encrypted
+ * bytes to fit the key in the buffer, stop now.
+ */
+ if ((is_export && s->s2->tmp.enc < ek) ||
+ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
+ return -1;
+ }
+
+ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
+ &(p[s->s2->tmp.clear]),
+ &(p[s->s2->tmp.clear]),
+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING
:
+ RSA_PKCS1_PADDING);
+
/* bad decrypt */
#if 1
/* If a bad decrypt, continue with protocol but with a
* random master secret (Bleichenbacher attack) */
- if ((i < 0) ||
- ((!is_export && (i != EVP_CIPHER_key_length(c)))
- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned
int)i !=
- (unsigned int)EVP_CIPHER_key_length(c))))))
- {
+ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
+ || (is_export && i != ek))) {
ERR_clear_error();
if (is_export)
i=ek;
else
i=EVP_CIPHER_key_length(c);
- if (RAND_pseudo_bytes(p,i) <= 0)
+ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
return 0;
}
#else
@@ -513,7 +547,8 @@
}
#endif
- if (is_export) i+=s->s2->tmp.clear;
+ if (is_export)
+ i = EVP_CIPHER_key_length(c);
if (i > SSL_MAX_MASTER_KEY_LENGTH)
{
1.1 dev-libs/openssl/files/openssl-1.0.2-CVE-2015-0291.patch
file :
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/files/openssl-1.0.2-CVE-2015-0291.patch?rev=1.1&view=markup
plain:
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/dev-libs/openssl/files/openssl-1.0.2-CVE-2015-0291.patch?rev=1.1&content-type=text/plain
Index: openssl-1.0.2-CVE-2015-0291.patch
===================================================================
--- openssl-1.0.2/crypto/asn1/a_type.c
+++ openssl-1.0.2/crypto/asn1/a_type.c
@@ -119,6 +119,9 @@
case V_ASN1_OBJECT:
result = OBJ_cmp(a->value.object, b->value.object);
break;
+ case V_ASN1_BOOLEAN:
+ result = a->value.boolean - b->value.boolean;
+ break;
case V_ASN1_NULL:
result = 0; /* They do not have content. */
break;
--- openssl-1.0.2/crypto/asn1/tasn_dec.c
+++ openssl-1.0.2/crypto/asn1/tasn_dec.c
@@ -140,11 +140,17 @@
{
ASN1_TLC c;
ASN1_VALUE *ptmpval = NULL;
- if (!pval)
- pval = &ptmpval;
asn1_tlc_clear_nc(&c);
- if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
- return *pval;
+ if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
+ ptmpval = *pval;
+ if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
+ if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
+ if (*pval)
+ ASN1_item_free(*pval, it);
+ *pval = ptmpval;
+ }
+ return ptmpval;
+ }
return NULL;
}
@@ -304,9 +310,16 @@
case ASN1_ITYPE_CHOICE:
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
-
- /* Allocate structure */
- if (!*pval && !ASN1_item_ex_new(pval, it)) {
+ if (*pval) {
+ /* Free up and zero CHOICE value if initialised */
+ i = asn1_get_choice_selector(pval, it);
+ if ((i >= 0) && (i < it->tcount)) {
+ tt = it->templates + i;
+ pchptr = asn1_get_field_ptr(pval, tt);
+ ASN1_template_free(pchptr, tt);
+ asn1_set_choice_selector(pval, -1, it);
+ }
+ } else if (!ASN1_item_ex_new(pval, it)) {
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;
}
@@ -386,6 +399,17 @@
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
+ /* Free up and zero any ADB found */
+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+ if (tt->flags & ASN1_TFLG_ADB_MASK) {
+ const ASN1_TEMPLATE *seqtt;
+ ASN1_VALUE **pseqval;
+ seqtt = asn1_do_adb(pval, tt, 1);
+ pseqval = asn1_get_field_ptr(pval, seqtt);
+ ASN1_template_free(pseqval, seqtt);
+ }
+ }
+
/* Get each field entry */
for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
const ASN1_TEMPLATE *seqtt;
--- openssl-1.0.2/crypto/pkcs7/pk7_doit.c
+++ openssl-1.0.2/crypto/pkcs7/pk7_doit.c
@@ -261,6 +261,25 @@
PKCS7_RECIP_INFO *ri = NULL;
ASN1_OCTET_STRING *os = NULL;
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
+ return NULL;
+ }
+ /*
+ * The content field in the PKCS7 ContentInfo is optional, but that really
+ * only applies to inner content (precisely, detached signatures).
+ *
+ * When reading content, missing outer content is therefore treated as an
+ * error.
+ *
+ * When creating content, PKCS7_content_new() must be called before
+ * calling this method, so a NULL p7->d is always an error.
+ */
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
+ return NULL;
+ }
+
i = OBJ_obj2nid(p7->type);
p7->state = PKCS7_S_HEADER;
@@ -411,6 +430,16 @@
unsigned char *ek = NULL, *tkey = NULL;
int eklen = 0, tkeylen = 0;
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
+ return NULL;
+ }
+
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+ return NULL;
+ }
+
i = OBJ_obj2nid(p7->type);
p7->state = PKCS7_S_HEADER;
@@ -707,6 +736,16 @@
STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
ASN1_OCTET_STRING *os = NULL;
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
+ return 0;
+ }
+
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
+ return 0;
+ }
+
EVP_MD_CTX_init(&ctx_tmp);
i = OBJ_obj2nid(p7->type);
p7->state = PKCS7_S_HEADER;
@@ -746,6 +785,7 @@
/* If detached data then the content is excluded */
if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
M_ASN1_OCTET_STRING_free(os);
+ os = NULL;
p7->d.sign->contents->d.data = NULL;
}
break;
@@ -755,6 +795,7 @@
/* If detached data then the content is excluded */
if (PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) {
M_ASN1_OCTET_STRING_free(os);
+ os = NULL;
p7->d.digest->contents->d.data = NULL;
}
break;
@@ -820,22 +861,30 @@
M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
}
- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) {
- char *cont;
- long contlen;
- btmp = BIO_find_type(bio, BIO_TYPE_MEM);
- if (btmp == NULL) {
- PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
- goto err;
- }
- contlen = BIO_get_mem_data(btmp, &cont);
+ if (!PKCS7_is_detached(p7)) {
/*
- * Mark the BIO read only then we can use its copy of the data
- * instead of making an extra copy.
+ * NOTE(emilia): I think we only reach os == NULL here because detached
+ * digested data support is broken.
*/
- BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
- BIO_set_mem_eof_return(btmp, 0);
- ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
+ if (os == NULL)
+ goto err;
+ if (!(os->flags & ASN1_STRING_FLAG_NDEF)) {
+ char *cont;
+ long contlen;
+ btmp = BIO_find_type(bio, BIO_TYPE_MEM);
+ if (btmp == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL,
PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
+ goto err;
+ }
+ contlen = BIO_get_mem_data(btmp, &cont);
+ /*
+ * Mark the BIO read only then we can use its copy of the data
+ * instead of making an extra copy.
+ */
+ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
+ BIO_set_mem_eof_return(btmp, 0);
+ ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
+ }
}
ret = 1;
err:
@@ -910,6 +959,16 @@
STACK_OF(X509) *cert;
X509 *x509;
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
+ return 0;
+ }
+
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
+ return 0;
+ }
+
if (PKCS7_type_is_signed(p7)) {
cert = p7->d.sign->cert;
} else if (PKCS7_type_is_signedAndEnveloped(p7)) {
--- openssl-1.0.2/crypto/pkcs7/pk7_lib.c
+++ openssl-1.0.2/crypto/pkcs7/pk7_lib.c
@@ -70,6 +70,7 @@
nid = OBJ_obj2nid(p7->type);
switch (cmd) {
+ /* NOTE(emilia): does not support detached digested data. */
case PKCS7_OP_SET_DETACHED_SIGNATURE:
if (nid == NID_pkcs7_signed) {
ret = p7->detached = (int)larg;
@@ -444,6 +445,8 @@
STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
{
+ if (p7 == NULL || p7->d.ptr == NULL)
+ return NULL;
if (PKCS7_type_is_signed(p7)) {
return (p7->d.sign->signer_info);
} else if (PKCS7_type_is_signedAndEnveloped(p7)) {
--- openssl-1.0.2/crypto/rsa/rsa_ameth.c
+++ openssl-1.0.2/crypto/rsa/rsa_ameth.c
@@ -698,9 +698,10 @@
RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
return -1;
}
- if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey))
+ if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
/* Carry on */
return 2;
+ }
return -1;
}
--- openssl-1.0.2/doc/crypto/d2i_X509.pod
+++ openssl-1.0.2/doc/crypto/d2i_X509.pod
@@ -207,6 +207,12 @@
persist if they are not present in the new one. As a result the use
of this "reuse" behaviour is strongly discouraged.
+Current versions of OpenSSL will not modify B<*px> if an error occurs.
+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
+set to the value of the newly decoded structure. As a result B<*px>
+B<must not> be allocated on the stack or an attempt will be made to
+free an invalid pointer.
+
i2d_X509() will not return an error in many versions of OpenSSL,
if mandatory fields are not initialized due to a programming error
then the encoded structure may contain invalid data or omit the
@@ -233,7 +239,9 @@
d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
or B<NULL> if an error occurs. The error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
+L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
+with a valid X509 structure being passed in via B<px> then the object is not
+modified in the event of error.
i2d_X509() returns the number of bytes successfully encoded or a negative
value if an error occurs. The error code can be obtained by
--- openssl-1.0.2/ssl/d1_lib.c
+++ openssl-1.0.2/ssl/d1_lib.c
@@ -543,6 +543,9 @@
{
int ret;
+ /* Ensure there is no state left over from a previous invocation */
+ SSL_clear(s);
+
SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
s->d1->listen = 1;
--- openssl-1.0.2/ssl/s2_lib.c
+++ openssl-1.0.2/ssl/s2_lib.c
@@ -493,7 +493,7 @@
OPENSSL_assert(s->session->master_key_length >= 0
&& s->session->master_key_length
- < (int)sizeof(s->session->master_key));
+ <= (int)sizeof(s->session->master_key));
EVP_DigestUpdate(&ctx, s->session->master_key,
s->session->master_key_length);
EVP_DigestUpdate(&ctx, &c, 1);
--- openssl-1.0.2/ssl/s2_srvr.c
+++ openssl-1.0.2/ssl/s2_srvr.c
@@ -454,11 +454,6 @@
SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_PRIVATEKEY);
return (-1);
}
- i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
- &(p[s->s2->tmp.clear]),
- &(p[s->s2->tmp.clear]),
- (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
- RSA_PKCS1_PADDING);
is_export = SSL_C_IS_EXPORT(s->session->cipher);
@@ -475,23 +470,61 @@
} else
ek = 5;
+ /*
+ * The format of the CLIENT-MASTER-KEY message is
+ * 1 byte message type
+ * 3 bytes cipher
+ * 2-byte clear key length (stored in s->s2->tmp.clear)
+ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
+ * 2-byte key args length (IV etc)
+ * clear key
+ * encrypted key
+ * key args
+ *
+ * If the cipher is an export cipher, then the encrypted key bytes
+ * are a fixed portion of the total key (5 or 8 bytes). The size of
+ * this portion is in |ek|. If the cipher is not an export cipher,
+ * then the entire key material is encrypted (i.e., clear key length
+ * must be zero).
+ */
+ if ((!is_export && s->s2->tmp.clear != 0) ||
+ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
+ return -1;
+ }
+ /*
+ * The encrypted blob must decrypt to the encrypted portion of the key.
+ * Decryption can't be expanding, so if we don't have enough encrypted
+ * bytes to fit the key in the buffer, stop now.
+ */
+ if ((is_export && s->s2->tmp.enc < ek) ||
+ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
+ return -1;
+ }
+
+ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
+ &(p[s->s2->tmp.clear]),
+ &(p[s->s2->tmp.clear]),
+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
+ RSA_PKCS1_PADDING);
+
/* bad decrypt */
# if 1
/*
* If a bad decrypt, continue with protocol but with a random master
* secret (Bleichenbacher attack)
*/
- if ((i < 0) || ((!is_export && (i != EVP_CIPHER_key_length(c)))
- || (is_export && ((i != ek)
- || (s->s2->tmp.clear +
- (unsigned int)i != (unsigned int)
- EVP_CIPHER_key_length(c)))))) {
+ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
+ || (is_export && i != ek))) {
ERR_clear_error();
if (is_export)
i = ek;
else
i = EVP_CIPHER_key_length(c);
- if (RAND_pseudo_bytes(p, i) <= 0)
+ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
return 0;
}
# else
@@ -513,7 +546,7 @@
# endif
if (is_export)
- i += s->s2->tmp.clear;
+ i = EVP_CIPHER_key_length(c);
if (i > SSL_MAX_MASTER_KEY_LENGTH) {
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
--- openssl-1.0.2/ssl/s3_pkt.c
+++ openssl-1.0.2/ssl/s3_pkt.c
@@ -780,7 +780,7 @@
i = ssl3_write_pending(s, type, &buf[tot], nw);
if (i <= 0) {
- if (i < 0) {
+ if (i < 0 && (!s->wbio || !BIO_should_retry(s->wbio))) {
OPENSSL_free(wb->buf);
wb->buf = NULL;
}
--- openssl-1.0.2/ssl/s3_srvr.c
+++ openssl-1.0.2/ssl/s3_srvr.c
@@ -2251,10 +2251,17 @@
if (alg_k & (SSL_kEDH | SSL_kDHr | SSL_kDHd)) {
int idx = -1;
EVP_PKEY *skey = NULL;
- if (n)
+ if (n) {
n2s(p, i);
- else
+ } else {
+ if (alg_k & SSL_kDHE) {
+ al = SSL_AD_HANDSHAKE_FAILURE;
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
+ goto f_err;
+ }
i = 0;
+ }
if (n && n != i + 2) {
if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
--- openssl-1.0.2/ssl/t1_lib.c
+++ openssl-1.0.2/ssl/t1_lib.c
@@ -2965,6 +2965,7 @@
if (s->cert->shared_sigalgs) {
OPENSSL_free(s->cert->shared_sigalgs);
s->cert->shared_sigalgs = NULL;
+ s->cert->shared_sigalgslen = 0;
}
/* Clear certificate digests and validity flags */
for (i = 0; i < SSL_PKEY_NUM; i++) {
@@ -3618,6 +3619,7 @@
if (c->shared_sigalgs) {
OPENSSL_free(c->shared_sigalgs);
c->shared_sigalgs = NULL;
+ c->shared_sigalgslen = 0;
}
/* If client use client signature algorithms if not NULL */
if (!s->server && c->client_sigalgs && !is_suiteb) {
@@ -3640,12 +3642,14 @@
preflen = c->peer_sigalgslen;
}
nmatch = tls12_do_shared_sigalgs(NULL, pref, preflen, allow, allowlen);
- if (!nmatch)
- return 1;
- salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
- if (!salgs)
- return 0;
- nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow, allowlen);
+ if (nmatch) {
+ salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
+ if (!salgs)
+ return 0;
+ nmatch = tls12_do_shared_sigalgs(salgs, pref, preflen, allow,
allowlen);
+ } else {
+ salgs = NULL;
+ }
c->shared_sigalgs = salgs;
c->shared_sigalgslen = nmatch;
return 1;
