MFC: Fix several defects from OpenSSL.

These include:

CVE-2015-1788 - Malformed ECParameters causes infinite loop
CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
CVE-2015-1792 - CMS verify infinite loop with unknown hash function

3 files changed, 37 insertions, 9 deletions

diff --git a/src/lib/libssl/src/crypto/bn/bn_gf2m.c b/src/lib/libssl/src/crypto/bn/bn_gf2m.c
index d87f80d577..71a612b9f4 100644
--- a/src/lib/libssl/src/crypto/bn/bn_gf2m.c
+++ b/src/lib/libssl/src/crypto/bn/bn_gf2m.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_gf2m.c,v 1.15 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: bn_gf2m.c,v 1.15.4.1 2015/06/11 16:11:00 jsing Exp $ */
 /* ====================================================================
  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  *
@@ -746,8 +746,13 @@ BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                                 ubits--;
                         }
 
-                        if (ubits <= BN_BITS2 && udp[0] == 1)
-                                break;
+                        if (ubits <= BN_BITS2) {
+                                /* See if poly was reducible. */
+                                if (udp[0] == 0)
+                                        goto err;
+                                if (udp[0] == 1)
+                                        break;
+                        }
 
                         if (ubits < vbits) {
                                 i = ubits;
diff --git a/src/lib/libssl/src/crypto/cms/cms_smime.c b/src/lib/libssl/src/crypto/cms/cms_smime.c
index 712f08c32f..077500c435 100644
--- a/src/lib/libssl/src/crypto/cms/cms_smime.c
+++ b/src/lib/libssl/src/crypto/cms/cms_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_smime.c,v 1.12 2014/07/11 12:12:39 miod Exp $ */
+/* $OpenBSD: cms_smime.c,v 1.12.4.1 2015/06/11 16:11:00 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -132,7 +132,7 @@ do_free_upto(BIO *f, BIO *upto)
                         tbio = BIO_pop(f);
                         BIO_free(f);
                         f = tbio;
-                } while (f != upto);
+                } while (f != NULL && f != upto);
         } else
                 BIO_free_all(f);
 }
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index ae8484a885..6a23cfd1f1 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.37 2014/07/17 07:13:02 logan Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.37.4.1 2015/06/11 16:11:00 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1660,35 +1660,58 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
                 memcpy(p, str, 10);
                 p += 10;
                 str += 10;
+                i -= 10;
         } else {
                 if (i < 13)
                         return 0;
                 memcpy(p, str, 12);
                 p += 12;
                 str += 12;
+                i -= 12;
         }
 
+        if (i < 1)
+                return 0;
         if ((*str == 'Z') || (*str == '-') || (*str == '+')) {
                 *(p++) = '0';
                 *(p++) = '0';
         } else {
+                if (i < 2)
+                        return 0;
                 *(p++) = *(str++);
                 *(p++) = *(str++);
+                i -= 2;
+                if (i < 1)
+                        return 0;
                 /* Skip any fractional seconds... */
                 if (*str == '.') {
                         str++;
-                        while ((*str >= '0') && (*str <= '9'))
+                        i--;
+                        while (i > 1 && (*str >= '0') && (*str <= '9')) {
                                 str++;
+                                i--;
+                        }
                 }
         }
         *(p++) = 'Z';
         *(p++) = '\0';
 
-        if (*str == 'Z')
+        if (i < 1)
+                return 0;
+        if (*str == 'Z') {
+                if (i != 1)
+                        return 0;
                 offset = 0;
-        else {
+        } else {
+                if (i != 5)
+                        return 0;
                 if ((*str != '+') && (*str != '-'))
                         return 0;
+                if (str[1] < '0' || str[1] > '9' ||
+                    str[2] < '0' || str[2] > '9' ||
+                    str[3] < '0' || str[3] > '9' ||
+                    str[4] < '0' || str[4] > '9')
+                        return 0;
                 offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
                 offset += (str[3] - '0') * 10 + (str[4] - '0');
                 if (*str == '-')