diff options
author | brad <> | 2003-10-01 22:46:22 +0000 |
---|---|---|
committer | brad <> | 2003-10-01 22:46:22 +0000 |
commit | 2090f88646016d40fe8f16635bd274711171e5d9 (patch) | |
tree | 1ccfa4ff54abec8dad5f69e102bf10ac7c7816f0 | |
parent | c4a5e23a629462f7c5d45410243a6450fde919ee (diff) | |
download | openbsd-OPENBSD_3_2.tar.gz openbsd-OPENBSD_3_2.tar.bz2 openbsd-OPENBSD_3_2.zip |
Pull patch from -current:OPENBSD_3_2
SECURITY FIX
Fixed by markus@
security fix from http://www.openssl.org/news/secadv_20030930.txt
ok markus@ deraadt@
-rw-r--r-- | src/lib/libssl/src/crypto/asn1/asn1_lib.c | 2 | ||||
-rw-r--r-- | src/lib/libssl/src/crypto/asn1/tasn_dec.c | 9 | ||||
-rw-r--r-- | src/lib/libssl/src/crypto/x509/x509_vfy.c | 2 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/s3_clnt.c | 1 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/s3_srvr.c | 14 |
5 files changed, 22 insertions, 6 deletions
diff --git a/src/lib/libssl/src/crypto/asn1/asn1_lib.c b/src/lib/libssl/src/crypto/asn1/asn1_lib.c index 0638870ab7..e30d5dd303 100644 --- a/src/lib/libssl/src/crypto/asn1/asn1_lib.c +++ b/src/lib/libssl/src/crypto/asn1/asn1_lib.c | |||
@@ -104,10 +104,12 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass, | |||
104 | l<<=7L; | 104 | l<<=7L; |
105 | l|= *(p++)&0x7f; | 105 | l|= *(p++)&0x7f; |
106 | if (--max == 0) goto err; | 106 | if (--max == 0) goto err; |
107 | if (l > (INT_MAX >> 7L)) goto err; | ||
107 | } | 108 | } |
108 | l<<=7L; | 109 | l<<=7L; |
109 | l|= *(p++)&0x7f; | 110 | l|= *(p++)&0x7f; |
110 | tag=(int)l; | 111 | tag=(int)l; |
112 | if (--max == 0) goto err; | ||
111 | } | 113 | } |
112 | else | 114 | else |
113 | { | 115 | { |
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c index f87c08793a..666061e2b7 100644 --- a/src/lib/libssl/src/crypto/asn1/tasn_dec.c +++ b/src/lib/libssl/src/crypto/asn1/tasn_dec.c | |||
@@ -691,6 +691,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl | |||
691 | 691 | ||
692 | int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) | 692 | int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) |
693 | { | 693 | { |
694 | ASN1_VALUE **opval = NULL; | ||
694 | ASN1_STRING *stmp; | 695 | ASN1_STRING *stmp; |
695 | ASN1_TYPE *typ = NULL; | 696 | ASN1_TYPE *typ = NULL; |
696 | int ret = 0; | 697 | int ret = 0; |
@@ -705,6 +706,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char | |||
705 | *pval = (ASN1_VALUE *)typ; | 706 | *pval = (ASN1_VALUE *)typ; |
706 | } else typ = (ASN1_TYPE *)*pval; | 707 | } else typ = (ASN1_TYPE *)*pval; |
707 | if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL); | 708 | if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL); |
709 | opval = pval; | ||
708 | pval = (ASN1_VALUE **)&typ->value.ptr; | 710 | pval = (ASN1_VALUE **)&typ->value.ptr; |
709 | } | 711 | } |
710 | switch(utype) { | 712 | switch(utype) { |
@@ -796,7 +798,12 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char | |||
796 | 798 | ||
797 | ret = 1; | 799 | ret = 1; |
798 | err: | 800 | err: |
799 | if(!ret) ASN1_TYPE_free(typ); | 801 | if(!ret) |
802 | { | ||
803 | ASN1_TYPE_free(typ); | ||
804 | if (opval) | ||
805 | *opval = NULL; | ||
806 | } | ||
800 | return ret; | 807 | return ret; |
801 | } | 808 | } |
802 | 809 | ||
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c index db12f7bd35..372e58a597 100644 --- a/src/lib/libssl/src/crypto/x509/x509_vfy.c +++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c | |||
@@ -674,7 +674,7 @@ static int internal_verify(X509_STORE_CTX *ctx) | |||
674 | ok=(*cb)(0,ctx); | 674 | ok=(*cb)(0,ctx); |
675 | if (!ok) goto end; | 675 | if (!ok) goto end; |
676 | } | 676 | } |
677 | if (X509_verify(xs,pkey) <= 0) | 677 | else if (X509_verify(xs,pkey) <= 0) |
678 | /* XXX For the final trusted self-signed cert, | 678 | /* XXX For the final trusted self-signed cert, |
679 | * this is a waste of time. That check should | 679 | * this is a waste of time. That check should |
680 | * optional so that e.g. 'openssl x509' can be | 680 | * optional so that e.g. 'openssl x509' can be |
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c index 7da9363ef5..1b14954afe 100644 --- a/src/lib/libssl/src/ssl/s3_clnt.c +++ b/src/lib/libssl/src/ssl/s3_clnt.c | |||
@@ -1752,6 +1752,7 @@ static int ssl3_send_client_verify(SSL *s) | |||
1752 | *(d++)=SSL3_MT_CERTIFICATE_VERIFY; | 1752 | *(d++)=SSL3_MT_CERTIFICATE_VERIFY; |
1753 | l2n3(n,d); | 1753 | l2n3(n,d); |
1754 | 1754 | ||
1755 | s->state=SSL3_ST_CW_CERT_VRFY_B; | ||
1755 | s->init_num=(int)n+4; | 1756 | s->init_num=(int)n+4; |
1756 | s->init_off=0; | 1757 | s->init_off=0; |
1757 | } | 1758 | } |
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index a2c17f2950..bdf3854dc0 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c | |||
@@ -425,10 +425,11 @@ int ssl3_accept(SSL *s) | |||
425 | if (ret == 2) | 425 | if (ret == 2) |
426 | s->state = SSL3_ST_SR_CLNT_HELLO_C; | 426 | s->state = SSL3_ST_SR_CLNT_HELLO_C; |
427 | else { | 427 | else { |
428 | /* could be sent for a DH cert, even if we | 428 | if (s->s3->tmp.cert_request) |
429 | * have not asked for it :-) */ | 429 | { |
430 | ret=ssl3_get_client_certificate(s); | 430 | ret=ssl3_get_client_certificate(s); |
431 | if (ret <= 0) goto end; | 431 | if (ret <= 0) goto end; |
432 | } | ||
432 | s->init_num=0; | 433 | s->init_num=0; |
433 | s->state=SSL3_ST_SR_KEY_EXCH_A; | 434 | s->state=SSL3_ST_SR_KEY_EXCH_A; |
434 | } | 435 | } |
@@ -838,6 +839,9 @@ static int ssl3_get_client_hello(SSL *s) | |||
838 | } | 839 | } |
839 | 840 | ||
840 | /* TLS does not mind if there is extra stuff */ | 841 | /* TLS does not mind if there is extra stuff */ |
842 | #if 0 /* SSL 3.0 does not mind either, so we should disable this test | ||
843 | * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, | ||
844 | * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ | ||
841 | if (s->version == SSL3_VERSION) | 845 | if (s->version == SSL3_VERSION) |
842 | { | 846 | { |
843 | if (p < (d+n)) | 847 | if (p < (d+n)) |
@@ -849,6 +853,7 @@ static int ssl3_get_client_hello(SSL *s) | |||
849 | goto f_err; | 853 | goto f_err; |
850 | } | 854 | } |
851 | } | 855 | } |
856 | #endif | ||
852 | 857 | ||
853 | /* Given s->session->ciphers and SSL_get_ciphers, we must | 858 | /* Given s->session->ciphers and SSL_get_ciphers, we must |
854 | * pick a cipher */ | 859 | * pick a cipher */ |
@@ -1346,6 +1351,7 @@ static int ssl3_send_certificate_request(SSL *s) | |||
1346 | s->init_num += 4; | 1351 | s->init_num += 4; |
1347 | #endif | 1352 | #endif |
1348 | 1353 | ||
1354 | s->state = SSL3_ST_SW_CERT_REQ_B; | ||
1349 | } | 1355 | } |
1350 | 1356 | ||
1351 | /* SSL3_ST_SW_CERT_REQ_B */ | 1357 | /* SSL3_ST_SW_CERT_REQ_B */ |