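--- a/openssl-1.0.1l/crypto/asn1/a_type.c
+++ b/openssl-1.0.1l/crypto/asn1/a_type.c
@@ -124,6 +124,9 @@
 case V_ASN1_OBJECT:
 result = OBJ_cmp(a->value.object, b->value.object);
 break;
+ case V_ASN1_BOOLEAN:
+ result = a->value.boolean - b->value.boolean;
+ break;
 case V_ASN1_NULL:
 result = 0; /* They do not have content. */
 break;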
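Review bot: The new V_ASN1_BOOLEAN arm has no comment saying why booleans need a case of their own, which is the whole point of the change: the boolean is stored inline in `value.boolean`, so it must not reach an arm that presumably treats `value.ptr` as a pointer to a structure. Suggest `/* BOOLEAN is stored inline in value.boolean, not via value.ptr: compare it directly. */` above the `case` line. The subtraction yields a raw difference rather than a normalised -1/0/1, which is consistent with the OBJ_cmp arm above it but worth keeping in mind if a caller ever relies on the magnitude. The enclosing switch of ASN1_TYPE_cmp begins and ends outside the hunk.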
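--- a/openssl-1.0.1l/crypto/asn1/tasn_dec.c
+++ b/openssl-1.0.1l/crypto/asn1/tasn_dec.c
@@ -130,11 +130,17 @@
 {
 ASN1_TLC c;
 ASN1_VALUE *ptmpval = NULL;
- if (!pval)
- pval = &ptmpval;
 asn1_tlc_clear_nc(&c);
- if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
- return *pval;
+ if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
+ ptmpval = *pval;
+ if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
+ if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
+ if (*pval)
+ ASN1_item_free(*pval, it);
+ *pval = ptmpval;
+ }
+ return ptmpval;
+ }
 return NULL;
 }
 
@@ -311,9 +317,16 @@
 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
 goto auxerr;
 
- /* Allocate structure */
- if (!*pval && !ASN1_item_ex_new(pval, it))
- {
+ if (*pval) {
+ /* Free up and zero CHOICE value if initialised */
+ i = asn1_get_choice_selector(pval, it);
+ if ((i >= 0) && (i < it->tcount)) {
+ tt = it->templates + i;
+ pchptr = asn1_get_field_ptr(pval, tt);
+ ASN1_template_free(pchptr, tt);
+ asn1_set_choice_selector(pval, -1, it);
+ }
+ } else if (!ASN1_item_ex_new(pval, it)) {
 ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
 ERR_R_NESTED_ASN1_ERROR);
 goto err;
@@ -407,6 +420,17 @@
 if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
 goto auxerr;
 
+ /* Free up and zero any ADB found */
+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+ if (tt->flags & ASN1_TFLG_ADB_MASK) {
+ const ASN1_TEMPLATE *seqtt;
+ ASN1_VALUE **pseqval;
+ seqtt = asn1_do_adb(pval, tt, 1);
+ pseqval = asn1_get_field_ptr(pval, seqtt);
+ ASN1_template_free(pseqval, seqtt);
+ }
+ }
+
 /* Get each field entry */
 for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
 {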
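Review bot: In the `@@ -407,6 +420,17 @@` hunk, `seqtt` returned by `asn1_do_adb(pval, tt, 1)` is handed straight to `asn1_get_field_ptr()` with no NULL check; asn1_do_adb() returns NULL when the selector field matches no table entry and the table has no default, and asn1_get_field_ptr() reads its template argument, so a reused structure whose selector is unset or unknown can fault here instead of failing cleanly. Add `if (seqtt == NULL) continue;` between the two calls; the nullerr argument already pushes the error, and the field loop that starts at the end of the hunk resolves the ADB again, so skipping the free is the safe recovery. The CHOICE reuse path in the `@@ -311,9 +317,16 @@` hunk does guard its index with `(i >= 0) && (i < it->tcount)`, so this is the only unguarded lookup the patch adds. The enclosing asn1_item_ex_d2i body begins and ends outside these hunks.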
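--- a/openssl-1.0.1l/crypto/pkcs7/pk7_doit.c
+++ b/openssl-1.0.1l/crypto/pkcs7/pk7_doit.c
@@ -272,6 +272,25 @@
 PKCS7_RECIP_INFO *ri=NULL;
 ASN1_OCTET_STRING *os=NULL;
 
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
+ return NULL;
+ }
+ /*
+ * The content field in the PKCS7 ContentInfo is optional, but that really
+ * only applies to inner content (precisely, detached signatures).
+ *
+ * When reading content, missing outer content is therefore treated as an
+ * error.
+ *
+ * When creating content, PKCS7_content_new() must be called before
+ * calling this method, so a NULL p7->d is always an error.
+ */
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
+ return NULL;
+ }
+
 i=OBJ_obj2nid(p7->type);
 p7->state=PKCS7_S_HEADER;
 
@@ -433,6 +452,16 @@
 unsigned char *ek = NULL, *tkey = NULL;
 int eklen = 0, tkeylen = 0;
 
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
+ return NULL;
+ }
+
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+ return NULL;
+ }
+
 i=OBJ_obj2nid(p7->type);
 p7->state=PKCS7_S_HEADER;
 
@@ -752,6 +781,16 @@
 STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
 ASN1_OCTET_STRING *os=NULL;
 
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
+ return 0;
+ }
+
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
+ return 0;
+ }
+
 EVP_MD_CTX_init(&ctx_tmp);
 i=OBJ_obj2nid(p7->type);
 p7->state=PKCS7_S_HEADER;
@@ -796,6 +835,7 @@
 /* If detached data then the content is excluded */
 if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
 M_ASN1_OCTET_STRING_free(os);
+ os = NULL;
 p7->d.sign->contents->d.data = NULL;
 }
 break;
@@ -806,6 +846,7 @@
 if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
 {
 M_ASN1_OCTET_STRING_free(os);
+ os = NULL;
 p7->d.digest->contents->d.data = NULL;
 }
 break;
@@ -878,24 +919,31 @@
 M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
 }
 
- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))
- {
+ if (!PKCS7_is_detached(p7)) {
+ /*
+ * NOTE(emilia): I think we only reach os == NULL here because detached
+ * digested data support is broken.
+ */
+ if (os == NULL)
+ goto err;
+ if (!(os->flags & ASN1_STRING_FLAG_NDEF)) {
 char *cont;
 long contlen;
- btmp=BIO_find_type(bio,BIO_TYPE_MEM);
- if (btmp == NULL)
- {
- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
- goto err;
- }
+ btmp = BIO_find_type(bio, BIO_TYPE_MEM);
+ if (btmp == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
+ goto err;
+ }
 contlen = BIO_get_mem_data(btmp, &cont);
- /* Mark the BIO read only then we can use its copy of the data
+ /*
+ * Mark the BIO read only then we can use its copy of the data
 * instead of making an extra copy.
 */
 BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
 BIO_set_mem_eof_return(btmp, 0);
 ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
- }
+ }
+ }
 ret=1;
 err:
 EVP_MD_CTX_cleanup(&ctx_tmp);
@@ -971,6 +1019,16 @@
 STACK_OF(X509) *cert;
 X509 *x509;
 
+ if (p7 == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
+ return 0;
+ }
+
+ if (p7->d.ptr == NULL) {
+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
+ return 0;
+ }
+
 if (PKCS7_type_is_signed(p7))
 {
 cert=p7->d.sign->cert;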
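Review bot: In the `@@ -878,24 +919,31 @@` hunk, the new `if (os == NULL) goto err;` makes PKCS7_dataFinal() return 0 with nothing on the error queue, unlike every other failure path in the hunk and the new guards at the top of the function, which all call PKCS7err() first; a caller sees a bare failure with no reason to report. Push a reason before jumping, e.g. `if (os == NULL) { PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT); goto err; }`, reusing the code the function already emits for missing content. The `NOTE(emilia)` comment above it reads as an open question in shipped code; if unsupported detached digested data is the accepted explanation, say so as a plain limitation and drop the "I think". PKCS7_dataFinal() begins outside the hunk.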
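--- a/openssl-1.0.1l/crypto/pkcs7/pk7_lib.c
+++ b/openssl-1.0.1l/crypto/pkcs7/pk7_lib.c
@@ -71,6 +71,7 @@
 
 switch (cmd)
 {
+ /* NOTE(emilia): does not support detached digested data. */
 case PKCS7_OP_SET_DETACHED_SIGNATURE:
 if (nid == NID_pkcs7_signed)
 {
@@ -459,6 +460,8 @@
 
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
 {
+ if (p7 == NULL || p7->d.ptr == NULL)
+ return NULL;
 if (PKCS7_type_is_signed(p7))
 {
 return(p7->d.sign->signer_info);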
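Review bot: The comment added in the `@@ -71,6 +71,7 @@` hunk is placed inside the switch above `case PKCS7_OP_SET_DETACHED_SIGNATURE:` but is written as a personal working note rather than as documentation of the case it annotates. Reword it as the limitation the case enforces, e.g. `/* Only signed data can be marked detached; detached digested data is not supported. */`, which matches the `nid == NID_pkcs7_signed` test two lines below. The guard added to PKCS7_get_signer_info() in the second hunk returns NULL silently, which fits that accessor's existing contract but differs from the PKCS7err()-raising guards elsewhere in this patch; a short comment that the silent return is deliberate would keep someone from "fixing" it later. The function containing the first hunk begins and ends outside it.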
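--- a/openssl-1.0.1l/doc/crypto/d2i_X509.pod
+++ b/openssl-1.0.1l/doc/crypto/d2i_X509.pod
@@ -199,6 +199,12 @@
 persist if they are not present in the new one. As a result the use
 of this "reuse" behaviour is strongly discouraged.
 
+Current versions of OpenSSL will not modify B<*px> if an error occurs.
+If parsing succeeds then B<*px> is freed (if it is not NULL) and then
+set to the value of the newly decoded structure. As a result B<*px>
+B<must not> be allocated on the stack or an attempt will be made to
+free an invalid pointer.
+
 i2d_X509() will not return an error in many versions of OpenSSL,
 if mandatory fields are not initialized due to a programming error
 then the encoded structure may contain invalid data or omit the
@@ -210,7 +216,9 @@
 
 d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
 or B<NULL> if an error occurs. The error code that can be obtained by
-L<ERR_get_error(3)|ERR_get_error(3)>.
+L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
+with a valid X509 structure being passed in via B<px> then the object is not
+modified in the event of error.
 
 i2d_X509() returns the number of bytes successfully encoded or a negative
 value if an error occurs. The error code can be obtained by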
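--- a/openssl-1.0.1l/ssl/s2_lib.c
+++ b/openssl-1.0.1l/ssl/s2_lib.c
@@ -488,7 +488,7 @@
 
 OPENSSL_assert(s->session->master_key_length >= 0
 && s->session->master_key_length
- < (int)sizeof(s->session->master_key));
+ <= (int)sizeof(s->session->master_key));
 EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
 EVP_DigestUpdate(&ctx,&c,1);
 c++;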
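Review bot: The relaxed bound in the OPENSSL_assert is right for a fixed-size array (a length equal to `sizeof(s->session->master_key)` means the buffer is exactly full, not overrun), but nothing at the site records why the off-by-one mattered, and the next reader may tighten it back to `<`. Add `/* A full master_key is valid: length == sizeof fills the array, only > overruns it. */` above the assert. Because OPENSSL_assert aborts the process, the length must already have been rejected with an ordinary error on the receive path (the s2_srvr.c hunk in this same patch checks `i > SSL_MAX_MASTER_KEY_LENGTH`), so this assert is a last line of defence rather than the validation itself; the comment should say that too. The enclosing function begins and ends outside the hunk.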
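--- a/openssl-1.0.1l/ssl/s2_srvr.c
+++ b/openssl-1.0.1l/ssl/s2_srvr.c
@@ -454,10 +454,6 @@
 SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
 return(-1);
 }
- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
-
 is_export=SSL_C_IS_EXPORT(s->session->cipher);
 
 if (!ssl_cipher_get_evp(s->session,&c,&md,NULL,NULL,NULL))
@@ -475,21 +471,59 @@
 else
 ek=5;
 
+ /*
+ * The format of the CLIENT-MASTER-KEY message is
+ * 1 byte message type
+ * 3 bytes cipher
+ * 2-byte clear key length (stored in s->s2->tmp.clear)
+ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
+ * 2-byte key args length (IV etc)
+ * clear key
+ * encrypted key
+ * key args
+ *
+ * If the cipher is an export cipher, then the encrypted key bytes
+ * are a fixed portion of the total key (5 or 8 bytes). The size of
+ * this portion is in |ek|. If the cipher is not an export cipher,
+ * then the entire key material is encrypted (i.e., clear key length
+ * must be zero).
+ */
+ if ((!is_export && s->s2->tmp.clear != 0) ||
+ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
+ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
+ return -1;
+ }
+ /*
+ * The encrypted blob must decrypt to the encrypted portion of the key.
+ * Decryption can't be expanding, so if we don't have enough encrypted
+ * bytes to fit the key in the buffer, stop now.
+ */
+ if ((is_export && s->s2->tmp.enc < ek) ||
+ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
+ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
+ return -1;
+ }
+
+ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
+ &(p[s->s2->tmp.clear]),
+ &(p[s->s2->tmp.clear]),
+ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
+ RSA_PKCS1_PADDING);
+
 /* bad decrypt */
 #if 1
 /* If a bad decrypt, continue with protocol but with a
 * random master secret (Bleichenbacher attack) */
- if ((i < 0) ||
- ((!is_export && (i != EVP_CIPHER_key_length(c)))
- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
- (unsigned int)EVP_CIPHER_key_length(c))))))
- {
+ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
+ || (is_export && i != ek))) {
 ERR_clear_error();
 if (is_export)
 i=ek;
 else
 i=EVP_CIPHER_key_length(c);
- if (RAND_pseudo_bytes(p,i) <= 0)
+ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
 return 0;
 }
 #else
@@ -513,7 +547,8 @@
 }
 #endif
 
- if (is_export) i+=s->s2->tmp.clear;
+ if (is_export)
+ i = EVP_CIPHER_key_length(c);
 
 if (i > SSL_MAX_MASTER_KEY_LENGTH)
 {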
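Review bot: In the `@@ -475,21 +471,59 @@` hunk the new length checks compare `s->s2->tmp.clear` and `s->s2->tmp.enc` against `ek` and `EVP_CIPHER_key_length(c)` with no casts, while the condition they replace cast both sides to `(unsigned int)`, which suggests the tmp fields are unsigned and `ek` and the key length are `int`; the comparisons are safe here only because every right-hand value is a small non-negative number, and they will trip -Wsign-compare and hide that reasoning. Either cast as the old code did, e.g. `(is_export && s->s2->tmp.clear + (unsigned int)ek != (unsigned int)EVP_CIPHER_key_length(c))`, or add a one-line comment stating that `ek` and the cipher key length are known non-negative. The checks themselves are the right shape: they bound both the clear and the encrypted portion before the in-place decrypt into `p`, and the Bleichenbacher fallback now randomises only the encrypted portion at `&p[s->s2->tmp.clear]` instead of the start of `p`. The enclosing function begins and ends outside the hunks.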