Fix several crash causing defects from OpenSSL.

These include:
CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0289 - PKCS7 NULL pointer dereferences

Several other issues did not apply or were already fixed.
Refer to https://www.openssl.org/news/secadv_20150319.txt

joint work with beck, doug, guenther, jsing, miod

1 files changed, 20 insertions, 21 deletions

diff --git a/src/lib/libcrypto/ec/ec_asn1.c b/src/lib/libcrypto/ec/ec_asn1.c
index c0ef6f40e4..f01008ec43 100644
--- a/src/lib/libcrypto/ec/ec_asn1.c
+++ b/src/lib/libcrypto/ec/ec_asn1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_asn1.c,v 1.12 2015/02/10 05:43:09 jsing Exp $ */
+/* $OpenBSD: ec_asn1.c,v 1.13 2015/03/19 14:00:22 tedu Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -999,19 +999,19 @@ d2i_ECPKParameters(EC_GROUP ** a, const unsigned char **in, long len)
 
         if ((params = d2i_ECPKPARAMETERS(NULL, in, len)) == NULL) {
                 ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_D2I_ECPKPARAMETERS_FAILURE);
-                ECPKPARAMETERS_free(params);
-                return NULL;
+                goto err;
         }
         if ((group = ec_asn1_pkparameters2group(params)) == NULL) {
                 ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_PKPARAMETERS2GROUP_FAILURE);
-                ECPKPARAMETERS_free(params);
-                return NULL;
+                goto err;
         }
-        if (a && *a)
+
+        if (a != NULL) {
                 EC_GROUP_clear_free(*a);
-        if (a)
                 *a = group;
+        }
 
+err:
         ECPKPARAMETERS_free(params);
         return (group);
 }
@@ -1039,7 +1039,6 @@ i2d_ECPKParameters(const EC_GROUP * a, unsigned char **out)
 EC_KEY *
 d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len)
 {
-        int ok = 0;
         EC_KEY *ret = NULL;
         EC_PRIVATEKEY *priv_key = NULL;
 
@@ -1054,12 +1053,9 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len)
         }
         if (a == NULL || *a == NULL) {
                 if ((ret = EC_KEY_new()) == NULL) {
-                        ECerr(EC_F_D2I_ECPRIVATEKEY,
-                            ERR_R_MALLOC_FAILURE);
+                        ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_MALLOC_FAILURE);
                         goto err;
                 }
-                if (a)
-                        *a = ret;
         } else
                 ret = *a;
 
@@ -1109,17 +1105,19 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len)
                         goto err;
                 }
         }
-        ok = 1;
+
+        EC_PRIVATEKEY_free(priv_key);
+        if (a != NULL)
+                *a = ret;
+        return (ret);
+
 err:
-        if (!ok) {
-                if (ret)
-                        EC_KEY_free(ret);
-                ret = NULL;
-        }
+        if (a == NULL || *a != ret)
+                EC_KEY_free(ret);
         if (priv_key)
                 EC_PRIVATEKEY_free(priv_key);
 
-        return (ret);
+        return (NULL);
 }
 
 int 
@@ -1232,8 +1230,6 @@ d2i_ECParameters(EC_KEY ** a, const unsigned char **in, long len)
                         ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
                         return NULL;
                 }
-                if (a)
-                        *a = ret;
         } else
                 ret = *a;
 
@@ -1241,6 +1237,9 @@ d2i_ECParameters(EC_KEY ** a, const unsigned char **in, long len)
                 ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
                 return NULL;
         }
+
+        if (a != NULL)
+                *a = ret;
         return ret;
 }