diff options
author | jsing <> | 2015-06-11 16:11:03 +0000 |
---|---|---|
committer | jsing <> | 2015-06-11 16:11:03 +0000 |
commit | 5f6c5172519e406f4f71454e5fca995d45e370c9 (patch) | |
tree | 155bbacc7fbb17503f34e3a8afc528bba736bcb0 | |
parent | e37b71b3b36a3d8dc2434dbdf0089ec516ad0bd9 (diff) | |
download | openbsd-5f6c5172519e406f4f71454e5fca995d45e370c9.tar.gz openbsd-5f6c5172519e406f4f71454e5fca995d45e370c9.tar.bz2 openbsd-5f6c5172519e406f4f71454e5fca995d45e370c9.zip |
MFC: Fix several defects from OpenSSL.
These include:
CVE-2015-1788 - Malformed ECParameters causes infinite loop
CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
CVE-2015-1792 - CMS verify infinite loop with unknown hash function
-rw-r--r-- | src/lib/libssl/src/crypto/bn/bn_gf2m.c | 11 | ||||
-rw-r--r-- | src/lib/libssl/src/crypto/cms/cms_smime.c | 4 | ||||
-rw-r--r-- | src/lib/libssl/src/crypto/x509/x509_vfy.c | 31 |
3 files changed, 37 insertions, 9 deletions
diff --git a/src/lib/libssl/src/crypto/bn/bn_gf2m.c b/src/lib/libssl/src/crypto/bn/bn_gf2m.c index d87f80d577..71a612b9f4 100644 --- a/src/lib/libssl/src/crypto/bn/bn_gf2m.c +++ b/src/lib/libssl/src/crypto/bn/bn_gf2m.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: bn_gf2m.c,v 1.15 2014/07/11 08:44:47 jsing Exp $ */ | 1 | /* $OpenBSD: bn_gf2m.c,v 1.15.4.1 2015/06/11 16:11:00 jsing Exp $ */ |
2 | /* ==================================================================== | 2 | /* ==================================================================== |
3 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. | 3 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. |
4 | * | 4 | * |
@@ -746,8 +746,13 @@ BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) | |||
746 | ubits--; | 746 | ubits--; |
747 | } | 747 | } |
748 | 748 | ||
749 | if (ubits <= BN_BITS2 && udp[0] == 1) | 749 | if (ubits <= BN_BITS2) { |
750 | break; | 750 | /* See if poly was reducible. */ |
751 | if (udp[0] == 0) | ||
752 | goto err; | ||
753 | if (udp[0] == 1) | ||
754 | break; | ||
755 | } | ||
751 | 756 | ||
752 | if (ubits < vbits) { | 757 | if (ubits < vbits) { |
753 | i = ubits; | 758 | i = ubits; |
diff --git a/src/lib/libssl/src/crypto/cms/cms_smime.c b/src/lib/libssl/src/crypto/cms/cms_smime.c index 712f08c32f..077500c435 100644 --- a/src/lib/libssl/src/crypto/cms/cms_smime.c +++ b/src/lib/libssl/src/crypto/cms/cms_smime.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: cms_smime.c,v 1.12 2014/07/11 12:12:39 miod Exp $ */ | 1 | /* $OpenBSD: cms_smime.c,v 1.12.4.1 2015/06/11 16:11:00 jsing Exp $ */ |
2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
3 | * project. | 3 | * project. |
4 | */ | 4 | */ |
@@ -132,7 +132,7 @@ do_free_upto(BIO *f, BIO *upto) | |||
132 | tbio = BIO_pop(f); | 132 | tbio = BIO_pop(f); |
133 | BIO_free(f); | 133 | BIO_free(f); |
134 | f = tbio; | 134 | f = tbio; |
135 | } while (f != upto); | 135 | } while (f != NULL && f != upto); |
136 | } else | 136 | } else |
137 | BIO_free_all(f); | 137 | BIO_free_all(f); |
138 | } | 138 | } |
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c index ae8484a885..6a23cfd1f1 100644 --- a/src/lib/libssl/src/crypto/x509/x509_vfy.c +++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: x509_vfy.c,v 1.37 2014/07/17 07:13:02 logan Exp $ */ | 1 | /* $OpenBSD: x509_vfy.c,v 1.37.4.1 2015/06/11 16:11:00 jsing Exp $ */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | * All rights reserved. | 3 | * All rights reserved. |
4 | * | 4 | * |
@@ -1660,35 +1660,58 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) | |||
1660 | memcpy(p, str, 10); | 1660 | memcpy(p, str, 10); |
1661 | p += 10; | 1661 | p += 10; |
1662 | str += 10; | 1662 | str += 10; |
1663 | i -= 10; | ||
1663 | } else { | 1664 | } else { |
1664 | if (i < 13) | 1665 | if (i < 13) |
1665 | return 0; | 1666 | return 0; |
1666 | memcpy(p, str, 12); | 1667 | memcpy(p, str, 12); |
1667 | p += 12; | 1668 | p += 12; |
1668 | str += 12; | 1669 | str += 12; |
1670 | i -= 12; | ||
1669 | } | 1671 | } |
1670 | 1672 | ||
1673 | if (i < 1) | ||
1674 | return 0; | ||
1671 | if ((*str == 'Z') || (*str == '-') || (*str == '+')) { | 1675 | if ((*str == 'Z') || (*str == '-') || (*str == '+')) { |
1672 | *(p++) = '0'; | 1676 | *(p++) = '0'; |
1673 | *(p++) = '0'; | 1677 | *(p++) = '0'; |
1674 | } else { | 1678 | } else { |
1679 | if (i < 2) | ||
1680 | return 0; | ||
1675 | *(p++) = *(str++); | 1681 | *(p++) = *(str++); |
1676 | *(p++) = *(str++); | 1682 | *(p++) = *(str++); |
1683 | i -= 2; | ||
1684 | if (i < 1) | ||
1685 | return 0; | ||
1677 | /* Skip any fractional seconds... */ | 1686 | /* Skip any fractional seconds... */ |
1678 | if (*str == '.') { | 1687 | if (*str == '.') { |
1679 | str++; | 1688 | str++; |
1680 | while ((*str >= '0') && (*str <= '9')) | 1689 | i--; |
1690 | while (i > 1 && (*str >= '0') && (*str <= '9')) { | ||
1681 | str++; | 1691 | str++; |
1692 | i--; | ||
1693 | } | ||
1682 | } | 1694 | } |
1683 | } | 1695 | } |
1684 | *(p++) = 'Z'; | 1696 | *(p++) = 'Z'; |
1685 | *(p++) = '\0'; | 1697 | *(p++) = '\0'; |
1686 | 1698 | ||
1687 | if (*str == 'Z') | 1699 | if (i < 1) |
1700 | return 0; | ||
1701 | if (*str == 'Z') { | ||
1702 | if (i != 1) | ||
1703 | return 0; | ||
1688 | offset = 0; | 1704 | offset = 0; |
1689 | else { | 1705 | } else { |
1706 | if (i != 5) | ||
1707 | return 0; | ||
1690 | if ((*str != '+') && (*str != '-')) | 1708 | if ((*str != '+') && (*str != '-')) |
1691 | return 0; | 1709 | return 0; |
1710 | if (str[1] < '0' || str[1] > '9' || | ||
1711 | str[2] < '0' || str[2] > '9' || | ||
1712 | str[3] < '0' || str[3] > '9' || | ||
1713 | str[4] < '0' || str[4] > '9') | ||
1714 | return 0; | ||
1692 | offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60; | 1715 | offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60; |
1693 | offset += (str[3] - '0') * 10 + (str[4] - '0'); | 1716 | offset += (str[3] - '0') * 10 + (str[4] - '0'); |
1694 | if (*str == '-') | 1717 | if (*str == '-') |