authorjsing <>2015-06-11 16:11:03 +0000
committerjsing <>2015-06-11 16:11:03 +0000
commit5f6c5172519e406f4f71454e5fca995d45e370c9 (patch)
tree155bbacc7fbb17503f34e3a8afc528bba736bcb0
parente37b71b3b36a3d8dc2434dbdf0089ec516ad0bd9 (diff)
MFC: Fix several defects from OpenSSL.
These include:
CVE-2015-1788 - Malformed ECParameters causes infinite loop
CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
CVE-2015-1792 - CMS verify infinite loop with unknown hash function
-rw-r--r--src/lib/libssl/src/crypto/bn/bn_gf2m.c11
-rw-r--r--src/lib/libssl/src/crypto/cms/cms_smime.c4
-rw-r--r--src/lib/libssl/src/crypto/x509/x509_vfy.c31
3 files changed, 37 insertions, 9 deletions
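diff --git a/src/lib/libssl/src/crypto/bn/bn_gf2m.c b/src/lib/libssl/src/crypto/bn/bn_gf2m.c
index d87f80d577..71a612b9f4 100644
--- a/src/lib/libssl/src/crypto/bn/bn_gf2m.c
+++ b/src/lib/libssl/src/crypto/bn/bn_gf2m.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gf2m.c,v 1.15 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: bn_gf2m.c,v 1.15.4.1 2015/06/11 16:11:00 jsing Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -746,8 +746,13 @@ BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
 ubits--;
 }
 
-if (ubits <= BN_BITS2 && udp[0] == 1)
-break;
+if (ubits <= BN_BITS2) {
+/* See if poly was reducible. */
+if (udp[0] == 0)
+goto err;
+if (udp[0] == 1)
+break;
+}
 
 if (ubits < vbits) {
 i = ubits;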
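Review bot: The new comment `/* See if poly was reducible. */` inside the `ubits <= BN_BITS2` block does not say why `udp[0] == 0` has to abort, which is the security-relevant part of this check. I would spell it out, for example `/* u == 0 means no inverse exists (p was reducible); bail out, otherwise this loop never reaches u == 1. */`. The `err` label is outside the hunk, so it is worth confirming that path returns failure to the caller without leaving a partial result in `r`. BN_GF2m_mod_inv starts and ends outside the hunk.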
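diff --git a/src/lib/libssl/src/crypto/cms/cms_smime.c b/src/lib/libssl/src/crypto/cms/cms_smime.c
index 712f08c32f..077500c435 100644
--- a/src/lib/libssl/src/crypto/cms/cms_smime.c
+++ b/src/lib/libssl/src/crypto/cms/cms_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_smime.c,v 1.12 2014/07/11 12:12:39 miod Exp $ */
+/* $OpenBSD: cms_smime.c,v 1.12.4.1 2015/06/11 16:11:00 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -132,7 +132,7 @@ do_free_upto(BIO *f, BIO *upto)
 tbio = BIO_pop(f);
 BIO_free(f);
 f = tbio;
-} while (f != upto);
+} while (f != NULL && f != upto);
 } else
 BIO_free_all(f);
 }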
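Review bot: The `do { ... } while (f != NULL && f != upto);` loop still runs its body once before any test, so a call with `f == upto` would free `upto` itself; the added `f != NULL` term only covers running off the end of the chain. The callers are not visible here, so this may be a precondition rather than a defect. If it is, state it above the loop, e.g. `/* f must be stacked above upto; stops early if upto is not in the chain. */`. Otherwise a pre-tested `while (f != NULL && f != upto)` loop would cover both cases.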
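diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index ae8484a885..6a23cfd1f1 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.37 2014/07/17 07:13:02 logan Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.37.4.1 2015/06/11 16:11:00 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1660,35 +1660,58 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
 memcpy(p, str, 10);
 p += 10;
 str += 10;
+i -= 10;
 } else {
 if (i < 13)
 return 0;
 memcpy(p, str, 12);
 p += 12;
 str += 12;
+i -= 12;
 }
 
+if (i < 1)
+return 0;
 if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
 *(p++) = '0';
 *(p++) = '0';
 } else {
+if (i < 2)
+return 0;
 *(p++) = *(str++);
 *(p++) = *(str++);
+i -= 2;
+if (i < 1)
+return 0;
 /* Skip any fractional seconds... */
 if (*str == '.') {
 str++;
-while ((*str >= '0') && (*str <= '9'))
+i--;
+while (i > 1 && (*str >= '0') && (*str <= '9')) {
 str++;
+i--;
+}
 }
 }
 *(p++) = 'Z';
 *(p++) = '\0';
 
-if (*str == 'Z')
+if (i < 1)
+return 0;
+if (*str == 'Z') {
+if (i != 1)
+return 0;
 offset = 0;
-else {
+} else {
+if (i != 5)
+return 0;
 if ((*str != '+') && (*str != '-'))
 return 0;
+if (str[1] < '0' || str[1] > '9' ||
+str[2] < '0' || str[2] > '9' ||
+str[3] < '0' || str[3] > '9' ||
+str[4] < '0' || str[4] > '9')
+return 0;
 offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
 offset += (str[3] - '0') * 10 + (str[4] - '0');
 if (*str == '-')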
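Review bot: The zone-offset branch now checks that `str[1]` to `str[4]` are digits but not their range, so an offset such as `+9999` is still accepted and folded into `offset`. A bound placed right after the digit check would reject it, e.g. `if ((str[1] - '0') * 10 + (str[2] - '0') > 23 || (str[3] - '0') * 10 + (str[4] - '0') > 59) return 0;`. Separately, every new bounds check depends on `i` holding the number of unconsumed bytes, and its initial value is set outside this hunk. A short comment at the first `i -= 10;`, such as `/* i tracks the bytes of ctm data not yet consumed */`, would make that invariant reviewable. X509_cmp_time starts and ends outside the hunk.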