diff options
author | djm <> | 2009-04-08 02:30:01 +0000 |
---|---|---|
committer | djm <> | 2009-04-08 02:30:01 +0000 |
commit | 1f115dde203af79f3f8a29fbd82e02f1cc9afc5a (patch) | |
tree | fff58816643d8acfe58304e4224b745db0cefa10 | |
parent | f85e3c7bb6e0773f7fbbec2487aaa7bc08d544d6 (diff) | |
download | openbsd-OPENBSD_4_3.tar.gz openbsd-OPENBSD_4_3.tar.bz2 openbsd-OPENBSD_4_3.zip |
MFC: fixes for OpenSSL ASN.1 invalid memory accesses (CVE-2009-0590 andOPENBSD_4_3
CVE-2009-0789).
-rw-r--r-- | src/lib/libssl/src/crypto/asn1/asn1.h | 2 | ||||
-rw-r--r-- | src/lib/libssl/src/crypto/asn1/asn1_err.c | 2 | ||||
-rw-r--r-- | src/lib/libssl/src/crypto/asn1/tasn_dec.c | 14 |
3 files changed, 16 insertions, 2 deletions
diff --git a/src/lib/libssl/src/crypto/asn1/asn1.h b/src/lib/libssl/src/crypto/asn1/asn1.h index 0184b475a7..44ee48bb31 100644 --- a/src/lib/libssl/src/crypto/asn1/asn1.h +++ b/src/lib/libssl/src/crypto/asn1/asn1.h | |||
@@ -1037,6 +1037,7 @@ void ERR_load_ASN1_strings(void); | |||
1037 | #define ASN1_R_BAD_OBJECT_HEADER 102 | 1037 | #define ASN1_R_BAD_OBJECT_HEADER 102 |
1038 | #define ASN1_R_BAD_PASSWORD_READ 103 | 1038 | #define ASN1_R_BAD_PASSWORD_READ 103 |
1039 | #define ASN1_R_BAD_TAG 104 | 1039 | #define ASN1_R_BAD_TAG 104 |
1040 | #define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 | ||
1040 | #define ASN1_R_BN_LIB 105 | 1041 | #define ASN1_R_BN_LIB 105 |
1041 | #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 | 1042 | #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 |
1042 | #define ASN1_R_BUFFER_TOO_SMALL 107 | 1043 | #define ASN1_R_BUFFER_TOO_SMALL 107 |
@@ -1096,6 +1097,7 @@ void ERR_load_ASN1_strings(void); | |||
1096 | #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 | 1097 | #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 |
1097 | #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 | 1098 | #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 |
1098 | #define ASN1_R_UNEXPECTED_EOC 159 | 1099 | #define ASN1_R_UNEXPECTED_EOC 159 |
1100 | #define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 | ||
1099 | #define ASN1_R_UNKNOWN_FORMAT 160 | 1101 | #define ASN1_R_UNKNOWN_FORMAT 160 |
1100 | #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 | 1102 | #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 |
1101 | #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 | 1103 | #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 |
diff --git a/src/lib/libssl/src/crypto/asn1/asn1_err.c b/src/lib/libssl/src/crypto/asn1/asn1_err.c index 315d0a0807..cd23cbf825 100644 --- a/src/lib/libssl/src/crypto/asn1/asn1_err.c +++ b/src/lib/libssl/src/crypto/asn1/asn1_err.c | |||
@@ -164,6 +164,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= | |||
164 | {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, | 164 | {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, |
165 | {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, | 165 | {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, |
166 | {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, | 166 | {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, |
167 | {ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"}, | ||
167 | {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, | 168 | {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, |
168 | {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, | 169 | {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, |
169 | {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, | 170 | {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, |
@@ -223,6 +224,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= | |||
223 | {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, | 224 | {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, |
224 | {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, | 225 | {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, |
225 | {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, | 226 | {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, |
227 | {ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"}, | ||
226 | {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, | 228 | {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, |
227 | {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, | 229 | {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, |
228 | {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, | 230 | {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, |
diff --git a/src/lib/libssl/src/crypto/asn1/tasn_dec.c b/src/lib/libssl/src/crypto/asn1/tasn_dec.c index b7e916ef36..2ad0c29f94 100644 --- a/src/lib/libssl/src/crypto/asn1/tasn_dec.c +++ b/src/lib/libssl/src/crypto/asn1/tasn_dec.c | |||
@@ -474,7 +474,6 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val, unsigned char **in, long inlen | |||
474 | 474 | ||
475 | err: | 475 | err: |
476 | ASN1_template_free(val, tt); | 476 | ASN1_template_free(val, tt); |
477 | *val = NULL; | ||
478 | return 0; | 477 | return 0; |
479 | } | 478 | } |
480 | 479 | ||
@@ -574,7 +573,6 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, unsigned char **in, long le | |||
574 | 573 | ||
575 | err: | 574 | err: |
576 | ASN1_template_free(val, tt); | 575 | ASN1_template_free(val, tt); |
577 | *val = NULL; | ||
578 | return 0; | 576 | return 0; |
579 | } | 577 | } |
580 | 578 | ||
@@ -768,6 +766,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char | |||
768 | case V_ASN1_SET: | 766 | case V_ASN1_SET: |
769 | case V_ASN1_SEQUENCE: | 767 | case V_ASN1_SEQUENCE: |
770 | default: | 768 | default: |
769 | if (utype == V_ASN1_BMPSTRING && (len & 1)) | ||
770 | { | ||
771 | ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, | ||
772 | ASN1_R_BMPSTRING_IS_WRONG_LENGTH); | ||
773 | goto err; | ||
774 | } | ||
775 | if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) | ||
776 | { | ||
777 | ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, | ||
778 | ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); | ||
779 | goto err; | ||
780 | } | ||
771 | /* All based on ASN1_STRING and handled the same */ | 781 | /* All based on ASN1_STRING and handled the same */ |
772 | if(!*pval) { | 782 | if(!*pval) { |
773 | stmp = ASN1_STRING_type_new(utype); | 783 | stmp = ASN1_STRING_type_new(utype); |