diff options
| author | tedu <> | 2016-05-03 12:38:53 +0000 |
|---|---|---|
| committer | tedu <> | 2016-05-03 12:38:53 +0000 |
| commit | c6409771d22d6e819d9017d650687b93c835ed3a (patch) | |
| tree | b82aa12b453d40dd8f8ba316bad714a4590f3c18 /src/lib/libcrypto/asn1 | |
| parent | 5be055d50dafafb44d2ef72c845fd6bdf3785179 (diff) | |
| download | openbsd-c6409771d22d6e819d9017d650687b93c835ed3a.tar.gz openbsd-c6409771d22d6e819d9017d650687b93c835ed3a.tar.bz2 openbsd-c6409771d22d6e819d9017d650687b93c835ed3a.zip | |
patch from openssl for multiple issues:
missing padding check in aesni functions
overflow in evp encode functions
use of invalid negative asn.1 types
ok beck
Diffstat (limited to 'src/lib/libcrypto/asn1')
| -rw-r--r-- | src/lib/libcrypto/asn1/a_d2i_fp.c | 51 | ||||
| -rw-r--r-- | src/lib/libcrypto/asn1/a_type.c | 4 | ||||
| -rw-r--r-- | src/lib/libcrypto/asn1/tasn_dec.c | 4 | ||||
| -rw-r--r-- | src/lib/libcrypto/asn1/tasn_enc.c | 4 |
4 files changed, 40 insertions, 23 deletions
diff --git a/src/lib/libcrypto/asn1/a_d2i_fp.c b/src/lib/libcrypto/asn1/a_d2i_fp.c index c0fb0a3802..d12890ec15 100644 --- a/src/lib/libcrypto/asn1/a_d2i_fp.c +++ b/src/lib/libcrypto/asn1/a_d2i_fp.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: a_d2i_fp.c,v 1.11 2014/07/13 11:10:20 miod Exp $ */ | 1 | /* $OpenBSD: a_d2i_fp.c,v 1.12 2016/05/03 12:38:53 tedu Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -144,6 +144,7 @@ ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x) | |||
| 144 | } | 144 | } |
| 145 | 145 | ||
| 146 | #define HEADER_SIZE 8 | 146 | #define HEADER_SIZE 8 |
| 147 | #define ASN1_CHUNK_INITIAL_SIZE (16 * 1024) | ||
| 147 | static int | 148 | static int |
| 148 | asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | 149 | asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) |
| 149 | { | 150 | { |
| @@ -167,18 +168,22 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | |||
| 167 | if (want >= (len - off)) { | 168 | if (want >= (len - off)) { |
| 168 | want -= (len - off); | 169 | want -= (len - off); |
| 169 | 170 | ||
| 170 | if (len + want < len || !BUF_MEM_grow_clean(b, len + want)) { | 171 | if (len + want < len || |
| 171 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); | 172 | !BUF_MEM_grow_clean(b, len + want)) { |
| 173 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, | ||
| 174 | ERR_R_MALLOC_FAILURE); | ||
| 172 | goto err; | 175 | goto err; |
| 173 | } | 176 | } |
| 174 | i = BIO_read(in, &(b->data[len]), want); | 177 | i = BIO_read(in, &(b->data[len]), want); |
| 175 | if ((i < 0) && ((len - off) == 0)) { | 178 | if ((i < 0) && ((len - off) == 0)) { |
| 176 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_NOT_ENOUGH_DATA); | 179 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 180 | ASN1_R_NOT_ENOUGH_DATA); | ||
| 177 | goto err; | 181 | goto err; |
| 178 | } | 182 | } |
| 179 | if (i > 0) { | 183 | if (i > 0) { |
| 180 | if (len + i < len) { | 184 | if (len + i < len) { |
| 181 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); | 185 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 186 | ASN1_R_TOO_LONG); | ||
| 182 | goto err; | 187 | goto err; |
| 183 | } | 188 | } |
| 184 | len += i; | 189 | len += i; |
| @@ -206,7 +211,8 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | |||
| 206 | /* no data body so go round again */ | 211 | /* no data body so go round again */ |
| 207 | eos++; | 212 | eos++; |
| 208 | if (eos < 0) { | 213 | if (eos < 0) { |
| 209 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_HEADER_TOO_LONG); | 214 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 215 | ASN1_R_HEADER_TOO_LONG); | ||
| 210 | goto err; | 216 | goto err; |
| 211 | } | 217 | } |
| 212 | want = HEADER_SIZE; | 218 | want = HEADER_SIZE; |
| @@ -221,28 +227,45 @@ asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) | |||
| 221 | /* suck in c.slen bytes of data */ | 227 | /* suck in c.slen bytes of data */ |
| 222 | want = c.slen; | 228 | want = c.slen; |
| 223 | if (want > (len - off)) { | 229 | if (want > (len - off)) { |
| 230 | size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE; | ||
| 231 | |||
| 224 | want -= (len - off); | 232 | want -= (len - off); |
| 225 | if (want > INT_MAX /* BIO_read takes an int length */ || | 233 | if (want > INT_MAX /* BIO_read takes an int length */ || |
| 226 | len+want < len) { | 234 | len+want < len) { |
| 227 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); | 235 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 236 | ASN1_R_TOO_LONG); | ||
| 228 | goto err; | 237 | goto err; |
| 229 | } | 238 | } |
| 230 | if (!BUF_MEM_grow_clean(b, len + want)) { | 239 | /* |
| 231 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); | 240 | * Read content in chunks of increasing size |
| 241 | * so we can return an error for EOF without | ||
| 242 | * having to allocate the entire content length | ||
| 243 | * in one go. | ||
| 244 | */ | ||
| 245 | size_t chunk = want > chunk_max ? chunk_max : want; | ||
| 246 | |||
| 247 | if (!BUF_MEM_grow_clean(b, len + chunk)) { | ||
| 248 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, | ||
| 249 | ERR_R_MALLOC_FAILURE); | ||
| 232 | goto err; | 250 | goto err; |
| 233 | } | 251 | } |
| 234 | while (want > 0) { | 252 | want -= chunk; |
| 235 | i = BIO_read(in, &(b->data[len]), want); | 253 | while (chunk > 0) { |
| 254 | i = BIO_read(in, &(b->data[len]), chunk); | ||
| 236 | if (i <= 0) { | 255 | if (i <= 0) { |
| 237 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, | 256 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, |
| 238 | ASN1_R_NOT_ENOUGH_DATA); | 257 | ASN1_R_NOT_ENOUGH_DATA); |
| 239 | goto err; | 258 | goto err; |
| 240 | } | 259 | } |
| 241 | /* This can't overflow because | 260 | /* |
| 242 | * |len+want| didn't overflow. */ | 261 | * This can't overflow because |len+want| |
| 262 | * didn't overflow. | ||
| 263 | */ | ||
| 243 | len += i; | 264 | len += i; |
| 244 | want -= i; | 265 | chunk -= i; |
| 245 | } | 266 | } |
| 267 | if (chunk_max < INT_MAX/2) | ||
| 268 | chunk_max *= 2; | ||
| 246 | } | 269 | } |
| 247 | if (off + c.slen < off) { | 270 | if (off + c.slen < off) { |
| 248 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); | 271 | ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); |
diff --git a/src/lib/libcrypto/asn1/a_type.c b/src/lib/libcrypto/asn1/a_type.c index 38b3c65beb..24f8756e73 100644 --- a/src/lib/libcrypto/asn1/a_type.c +++ b/src/lib/libcrypto/asn1/a_type.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: a_type.c,v 1.16 2015/03/19 14:00:22 tedu Exp $ */ | 1 | /* $OpenBSD: a_type.c,v 1.17 2016/05/03 12:38:53 tedu Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -127,9 +127,7 @@ ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b) | |||
| 127 | break; | 127 | break; |
| 128 | 128 | ||
| 129 | case V_ASN1_INTEGER: | 129 | case V_ASN1_INTEGER: |
| 130 | case V_ASN1_NEG_INTEGER: | ||
| 131 | case V_ASN1_ENUMERATED: | 130 | case V_ASN1_ENUMERATED: |
| 132 | case V_ASN1_NEG_ENUMERATED: | ||
| 133 | case V_ASN1_BIT_STRING: | 131 | case V_ASN1_BIT_STRING: |
| 134 | case V_ASN1_OCTET_STRING: | 132 | case V_ASN1_OCTET_STRING: |
| 135 | case V_ASN1_SEQUENCE: | 133 | case V_ASN1_SEQUENCE: |
diff --git a/src/lib/libcrypto/asn1/tasn_dec.c b/src/lib/libcrypto/asn1/tasn_dec.c index 23a6740115..55809babb8 100644 --- a/src/lib/libcrypto/asn1/tasn_dec.c +++ b/src/lib/libcrypto/asn1/tasn_dec.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tasn_dec.c,v 1.29 2015/12/12 21:05:11 beck Exp $ */ | 1 | /* $OpenBSD: tasn_dec.c,v 1.30 2016/05/03 12:38:53 tedu Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2000. | 3 | * project 2000. |
| 4 | */ | 4 | */ |
| @@ -861,9 +861,7 @@ asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, | |||
| 861 | break; | 861 | break; |
| 862 | 862 | ||
| 863 | case V_ASN1_INTEGER: | 863 | case V_ASN1_INTEGER: |
| 864 | case V_ASN1_NEG_INTEGER: | ||
| 865 | case V_ASN1_ENUMERATED: | 864 | case V_ASN1_ENUMERATED: |
| 866 | case V_ASN1_NEG_ENUMERATED: | ||
| 867 | tint = (ASN1_INTEGER **)pval; | 865 | tint = (ASN1_INTEGER **)pval; |
| 868 | if (!c2i_ASN1_INTEGER(tint, &cont, len)) | 866 | if (!c2i_ASN1_INTEGER(tint, &cont, len)) |
| 869 | goto err; | 867 | goto err; |
diff --git a/src/lib/libcrypto/asn1/tasn_enc.c b/src/lib/libcrypto/asn1/tasn_enc.c index 0a6426a95e..f4b8b300ca 100644 --- a/src/lib/libcrypto/asn1/tasn_enc.c +++ b/src/lib/libcrypto/asn1/tasn_enc.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tasn_enc.c,v 1.17 2015/12/22 08:44:44 mmcc Exp $ */ | 1 | /* $OpenBSD: tasn_enc.c,v 1.18 2016/05/03 12:38:53 tedu Exp $ */ |
| 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL | 2 | /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL |
| 3 | * project 2000. | 3 | * project 2000. |
| 4 | */ | 4 | */ |
| @@ -603,9 +603,7 @@ asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype, | |||
| 603 | break; | 603 | break; |
| 604 | 604 | ||
| 605 | case V_ASN1_INTEGER: | 605 | case V_ASN1_INTEGER: |
| 606 | case V_ASN1_NEG_INTEGER: | ||
| 607 | case V_ASN1_ENUMERATED: | 606 | case V_ASN1_ENUMERATED: |
| 608 | case V_ASN1_NEG_ENUMERATED: | ||
| 609 | /* These are all have the same content format | 607 | /* These are all have the same content format |
| 610 | * as ASN1_INTEGER | 608 | * as ASN1_INTEGER |
| 611 | */ | 609 | */ |