From owner-svn-src-all@freebsd.org Thu Sep 22 13:06:03 2016
Message-Id: <201609221305.u8MD5x8K009593@repo.freebsd.org>
From: Jung-uk Kim
Date: Thu, 22 Sep 2016 13:05:59 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r306191 - in vendor-crypto/openssl/dist-1.0.1: . apps crypto crypto/asn1 crypto/bio crypto/bn crypto/cms crypto/des crypto/dsa crypto/evp crypto/md2 crypto/mdc2 crypto/ocsp crypto/pem c...
X-SVN-Group: vendor-crypto
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)"
X-List-Received-Date: Thu, 22 Sep 2016 13:06:03 -0000

Author: jkim
Date: Thu Sep 22 13:05:59 2016
New Revision: 306191

URL: https://svnweb.freebsd.org/changeset/base/306191

Log:
  Import OpenSSL 1.0.1u.

Added:
  vendor-crypto/openssl/dist-1.0.1/doc/crypto/d2i_PrivateKey.pod
Modified:
  vendor-crypto/openssl/dist-1.0.1/CHANGES
  vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING
  vendor-crypto/openssl/dist-1.0.1/Configure
  vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade
  vendor-crypto/openssl/dist-1.0.1/Makefile
  vendor-crypto/openssl/dist-1.0.1/NEWS
  vendor-crypto/openssl/dist-1.0.1/README
  vendor-crypto/openssl/dist-1.0.1/apps/apps.c
  vendor-crypto/openssl/dist-1.0.1/apps/enc.c
  vendor-crypto/openssl/dist-1.0.1/apps/passwd.c
  vendor-crypto/openssl/dist-1.0.1/apps/s_server.c
  vendor-crypto/openssl/dist-1.0.1/apps/x509.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_bytes.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_object.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_set.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_lib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn_mime.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/d2i_pr.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/f_enum.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/f_int.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/f_string.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/p5_pbe.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/p5_pbev2.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_enc.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_prn.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_name.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bio/bf_nbio.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_lib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_print.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_rand.c
  vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_enc.c
  vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_ess.c
  vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_pwri.c
  vendor-crypto/openssl/dist-1.0.1/crypto/des/des.c
  vendor-crypto/openssl/dist-1.0.1/crypto/des/enc_writ.c
  vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_gen.c
  vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_ossl.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/bio_ok.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/digest.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_seed.c
  vendor-crypto/openssl/dist-1.0.1/crypto/md2/md2_dgst.c
  vendor-crypto/openssl/dist-1.0.1/crypto/md32_common.h
  vendor-crypto/openssl/dist-1.0.1/crypto/mdc2/mdc2dgst.c
  vendor-crypto/openssl/dist-1.0.1/crypto/ocsp/ocsp_ext.c
  vendor-crypto/openssl/dist-1.0.1/crypto/opensslv.h
  vendor-crypto/openssl/dist-1.0.1/crypto/pem/pem.h
  vendor-crypto/openssl/dist-1.0.1/crypto/pem/pem_err.c
  vendor-crypto/openssl/dist-1.0.1/crypto/pem/pem_lib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/pem/pvkfmt.c
  vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/p12_mutl.c
  vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/p12_npas.c
  vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/p12_utl.c
  vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/pkcs12.h
  vendor-crypto/openssl/dist-1.0.1/crypto/pkcs7/pk7_doit.c
  vendor-crypto/openssl/dist-1.0.1/crypto/rand/rand_unix.c
  vendor-crypto/openssl/dist-1.0.1/crypto/srp/srp_lib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/srp/srp_vfy.c
  vendor-crypto/openssl/dist-1.0.1/crypto/ts/ts_lib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/whrlpool/wp_dgst.c
  vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509.h
  vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_err.c
  vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_txt.c
  vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_vfy.c
  vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_vfy.h
  vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_addr.c
  vendor-crypto/openssl/dist-1.0.1/doc/apps/cms.pod
  vendor-crypto/openssl/dist-1.0.1/doc/apps/smime.pod
  vendor-crypto/openssl/dist-1.0.1/doc/apps/verify.pod
  vendor-crypto/openssl/dist-1.0.1/doc/crypto/X509_verify_cert.pod
  vendor-crypto/openssl/dist-1.0.1/ssl/d1_both.c
  vendor-crypto/openssl/dist-1.0.1/ssl/d1_clnt.c
  vendor-crypto/openssl/dist-1.0.1/ssl/d1_lib.c
  vendor-crypto/openssl/dist-1.0.1/ssl/d1_pkt.c
  vendor-crypto/openssl/dist-1.0.1/ssl/d1_srvr.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s23_clnt.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s2_clnt.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s2_srvr.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s3_both.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s3_clnt.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s3_lib.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s3_srvr.c
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl.h
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_err.c
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_lib.c
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_locl.h
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_sess.c
  vendor-crypto/openssl/dist-1.0.1/ssl/t1_lib.c

Modified: vendor-crypto/openssl/dist-1.0.1/CHANGES
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/CHANGES Thu Sep 22 13:04:51 2016 (r306190)
+++ vendor-crypto/openssl/dist-1.0.1/CHANGES Thu Sep 22 13:05:59 2016 (r306191)
@@ -2,6 +2,166 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1t and 1.0.1u [22 Sep 2016] + + *) OCSP Status Request extension unbounded memory growth + + A malicious client can send an excessively large OCSP Status Request + extension. If that client continually requests renegotiation, sending a + large OCSP Status Request extension each time, then there will be unbounded + memory growth on the server. This will eventually lead to a Denial Of + Service attack through memory exhaustion. Servers with a default + configuration are vulnerable even if they do not support OCSP. Builds using + the "no-ocsp" build time option are not affected. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6304) + [Matt Caswell] + + *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from + HIGH to MEDIUM. + + This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan + Leurent (INRIA) + (CVE-2016-2183) + [Rich Salz] + + *) OOB write in MDC2_Update() + + An overflow can occur in MDC2_Update() either if called directly or + through the EVP_DigestUpdate() function using MDC2. If an attacker + is able to supply very large amounts of input data after a previous + call to EVP_EncryptUpdate() with a partial block then a length check + can overflow resulting in a heap corruption. + + The amount of data needed is comparable to SIZE_MAX which is impractical + on most platforms. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6303) + [Stephen Henson] + + *) Malformed SHA512 ticket DoS + + If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a + DoS attack where a malformed ticket will result in an OOB read which will + ultimately crash. + + The use of SHA512 in TLS session tickets is comparatively rare as it requires + a custom server callback and ticket lookup mechanism. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) 
+ (CVE-2016-6302) + [Stephen Henson] + + *) OOB write in BN_bn2dec() + + The function BN_bn2dec() does not check the return value of BN_div_word(). + This can cause an OOB write if an application uses this function with an + overly large BIGNUM. This could be a problem if an overly large certificate + or CRL is printed out from an untrusted source. TLS is not affected because + record limits will reject an oversized certificate before it is parsed. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-2182) + [Stephen Henson] + + *) OOB read in TS_OBJ_print_bio() + + The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is + the total length the OID text representation would use and not the amount + of data written. This will result in OOB reads when large OIDs are + presented. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-2180) + [Stephen Henson] + + *) Pointer arithmetic undefined behaviour + + Avoid some undefined pointer arithmetic + + A common idiom in the codebase is to check limits in the following manner: + "p + len > limit" + + Where "p" points to some malloc'd data of SIZE bytes and + limit == p + SIZE + + "len" here could be from some externally supplied data (e.g. from a TLS + message). + + The rules of C pointer arithmetic are such that "p + len" is only well + defined where len <= SIZE. Therefore the above idiom is actually + undefined behaviour. + + For example this could cause problems if some malloc implementation + provides an address for "p" such that "p + len" actually overflows for + values of len that are too big and therefore p + len < limit. + + This issue was reported to OpenSSL by Guido Vranken + (CVE-2016-2177) + [Matt Caswell] + + *) Constant time flag not preserved in DSA signing + + Operations in the DSA signing algorithm should run in constant time in + order to avoid side channel attacks. 
A flaw in the OpenSSL DSA + implementation means that a non-constant time codepath is followed for + certain operations. This has been demonstrated through a cache-timing + attack to be sufficient for an attacker to recover the private DSA key. + + This issue was reported by César Pereida (Aalto University), Billy Brumley + (Tampere University of Technology), and Yuval Yarom (The University of + Adelaide and NICTA). + (CVE-2016-2178) + [César Pereida] + + *) DTLS buffered message DoS + + In a DTLS connection where handshake messages are delivered out-of-order + those messages that OpenSSL is not yet ready to process will be buffered + for later use. Under certain circumstances, a flaw in the logic means that + those messages do not get removed from the buffer even though the handshake + has been completed. An attacker could force up to approx. 15 messages to + remain in the buffer when they are no longer required. These messages will + be cleared when the DTLS connection is closed. The default maximum size for + a message is 100k. Therefore the attacker could force an additional 1500k + to be consumed per connection. By opening many simulataneous connections an + attacker could cause a DoS attack through memory exhaustion. + + This issue was reported to OpenSSL by Quan Luo. + (CVE-2016-2179) + [Matt Caswell] + + *) DTLS replay protection DoS + + A flaw in the DTLS replay attack protection mechanism means that records + that arrive for future epochs update the replay protection "window" before + the MAC for the record has been validated. This could be exploited by an + attacker by sending a record for the next epoch (which does not have to + decrypt or have a valid MAC), with a very large sequence number. This means + that all subsequent legitimate packets are dropped causing a denial of + service for a specific DTLS connection. + + This issue was reported to OpenSSL by the OCAP audit team. 
+ (CVE-2016-2181) + [Matt Caswell] + + *) Certificate message OOB reads + + In OpenSSL 1.0.2 and earlier some missing message length checks can result + in OOB reads of up to 2 bytes beyond an allocated buffer. There is a + theoretical DoS risk but this has not been observed in practice on common + platforms. + + The messages affected are client certificate, client certificate request + and server certificate. As a result the attack can only be performed + against a client or a server which enables client authentication. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6306) + [Stephen Henson] + Changes between 1.0.1s and 1.0.1t [3 May 2016] *) Prevent padding oracle in AES-NI CBC MAC check Modified: vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING Thu Sep 22 13:05:59 2016 (r306191) 
@@ -1,38 +1,75 @@ -HOW TO CONTRIBUTE TO OpenSSL ----------------------------- +HOW TO CONTRIBUTE TO PATCHES OpenSSL +------------------------------------ -Development is coordinated on the openssl-dev mailing list (see -http://www.openssl.org for information on subscribing). If you -would like to submit a patch, send it to rt@openssl.org with -the string "[PATCH]" in the subject. Please be sure to include a -textual explanation of what your patch does. - -You can also make GitHub pull requests. If you do this, please also send -mail to rt@openssl.org with a brief description and a link to the PR so -that we can more easily keep track of it. +(Please visit https://www.openssl.org/community/getting-started.html for +other ideas about how to contribute.) +Development is coordinated on the openssl-dev mailing list (see the +above link or https://mta.openssl.org for information on subscribing). If you are unsure as to whether a feature will be useful for the general -OpenSSL community please discuss it on the openssl-dev mailing list first. -Someone may be already working on the same thing or there may be a good -reason as to why that feature isn't implemented. - -Patches should be as up to date as possible, preferably relative to the -current Git or the last snapshot. They should follow our coding style -(see https://www.openssl.org/policies/codingstyle.html) and compile without -warnings using the --strict-warnings flag. OpenSSL compiles on many varied -platforms: try to ensure you only use portable features. - -Our preferred format for patch files is "git format-patch" output. For example -to provide a patch file containing the last commit in your local git repository -use the following command: +OpenSSL community you might want to discuss it on the openssl-dev mailing +list first. Someone may be already working on the same thing or there +may be a good reason as to why that feature isn't implemented. 
+ +The best way to submit a patch is to make a pull request on GitHub. +(It is not necessary to send mail to rt@openssl.org to open a ticket!) +If you think the patch could use feedback from the community, please +start a thread on openssl-dev. + +You can also submit patches by sending it as mail to rt@openssl.org. +Please include the word "PATCH" and an explanation of what the patch +does in the subject line. If you do this, our preferred format is "git +format-patch" output. For example to provide a patch file containing the +last commit in your local git repository use the following command: -# git format-patch --stdout HEAD^ >mydiffs.patch + % git format-patch --stdout HEAD^ >mydiffs.patch Another method of creating an acceptable patch file without using git is as follows: -# cd openssl-work -# [your changes] -# ./Configure dist; make clean -# cd .. -# diff -ur openssl-orig openssl-work > mydiffs.patch + % cd openssl-work + ...make your changes... + % ./Configure dist; make clean + % cd .. + % diff -ur openssl-orig openssl-work >mydiffs.patch + +Note that pull requests are generally easier for the team, and community, to +work with. Pull requests benefit from all of the standard GitHub features, +including code review tools, simpler integration, and CI build support. + +No matter how a patch is submitted, the following items will help make +the acceptance and review process faster: + + 1. Anything other than trivial contributions will require a contributor + licensing agreement, giving us permission to use your code. See + https://www.openssl.org/policies/cla.html for details. + + 2. All source files should start with the following text (with + appropriate comment characters at the start of each line and the + year(s) updated): + + Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the OpenSSL license (the "License"). You may not use + this file except in compliance with the License. 
You can obtain a copy + in the file LICENSE in the source distribution or at + https://www.openssl.org/source/license.html + + 3. Patches should be as current as possible. When using GitHub, please + expect to have to rebase and update often. Note that we do not accept merge + commits. You will be asked to remove them before a patch is considered + acceptable. + + 4. Patches should follow our coding style (see + https://www.openssl.org/policies/codingstyle.html) and compile without + warnings. Where gcc or clang is availble you should use the + --strict-warnings Configure option. OpenSSL compiles on many varied + platforms: try to ensure you only use portable features. + + 5. When at all possible, patches should include tests. These can either be + added to an existing test, or completely new. Please see test/README + for information on the test framework. + + 6. New features or changed functionality must include documentation. Please + look at the "pod" files in doc/apps, doc/crypto and doc/ssl for examples of + our style. Modified: vendor-crypto/openssl/dist-1.0.1/Configure ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/Configure Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/Configure Thu Sep 22 13:05:59 2016 (r306191) 
@@ -741,7 +741,7 @@ my @experimental = (); # This is what $depflags will look like with the above defaults # (we need this to see if we should advise the user to run "make depend"): -my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST"; +my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST -DOPENSSL_NO_WEAK_SSL_CIPHERS"; # Explicit "no-..." options will be collected in %disabled along with the defaults. # To remove something from %disabled, use "enable-foo" (unless it's experimental). Modified: vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade Thu Sep 22 13:05:59 2016 (r306191) @@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/Subv # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://svn.freebsd.org/base" -setenv OSSLVER 1.0.1t -# OSSLTAG format: v1_0_1t +setenv OSSLVER 1.0.1u +# OSSLTAG format: v1_0_1u ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` Modified: vendor-crypto/openssl/dist-1.0.1/Makefile ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/Makefile Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/Makefile Thu Sep 22 13:05:59 2016 (r306191) 
@@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.1t +VERSION=1.0.1u MAJOR=1 MINOR=0.1 SHLIB_VERSION_NUMBER=1.0.0 Modified: vendor-crypto/openssl/dist-1.0.1/NEWS ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/NEWS Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/NEWS Thu Sep 22 13:05:59 2016 (r306191) @@ -5,6 +5,20 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1t and OpenSSL 1.0.1u [22 Sep 2016] + + o OCSP Status Request extension unbounded memory growth (CVE-2016-6304) + o SWEET32 Mitigation (CVE-2016-2183) + o OOB write in MDC2_Update() (CVE-2016-6303) + o Malformed SHA512 ticket DoS (CVE-2016-6302) + o OOB write in BN_bn2dec() (CVE-2016-2182) + o OOB read in TS_OBJ_print_bio() (CVE-2016-2180) + o Pointer arithmetic undefined behaviour (CVE-2016-2177) + o Constant time flag not preserved in DSA signing (CVE-2016-2178) + o DTLS buffered message DoS (CVE-2016-2179) + o DTLS replay protection DoS (CVE-2016-2181) + o Certificate message OOB reads (CVE-2016-6306) + Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [3 May 2016] o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107) Modified: vendor-crypto/openssl/dist-1.0.1/README ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/README Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/README Thu Sep 22 13:05:59 2016 (r306191) 
@@ -1,5 +1,5 @@ - OpenSSL 1.0.1t 3 May 2016 + OpenSSL 1.0.1u 22 Sep 2016 Copyright (c) 1998-2015 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: vendor-crypto/openssl/dist-1.0.1/apps/apps.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/apps/apps.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/apps/apps.c Thu Sep 22 13:05:59 2016 (r306191) @@ -2241,6 +2241,8 @@ int args_verify(char ***pargs, int *parg flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; else if (!strcmp(arg, "-no_alt_chains")) flags |= X509_V_FLAG_NO_ALT_CHAINS; + else if (!strcmp(arg, "-allow_proxy_certs")) + flags |= X509_V_FLAG_ALLOW_PROXY_CERTS; else return 0; Modified: vendor-crypto/openssl/dist-1.0.1/apps/enc.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/apps/enc.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/apps/enc.c Thu Sep 22 13:05:59 2016 (r306191) @@ -509,7 +509,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "invalid hex salt value\n"); goto end; } - } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0) + } else if (RAND_bytes(salt, sizeof salt) <= 0) goto end; /* * If -P option then don't bother writing Modified: vendor-crypto/openssl/dist-1.0.1/apps/passwd.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/apps/passwd.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/apps/passwd.c Thu Sep 22 13:05:59 2016 (r306191) @@ -416,7 +416,7 @@ static int do_passwd(int passed_salt, ch if (*salt_malloc_p == NULL) goto err; } - if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0) + if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0) goto err; (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */ (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */ 
@@ -437,7 +437,7 @@ static int do_passwd(int passed_salt, ch if (*salt_malloc_p == NULL) goto err; } - if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0) + if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0) goto err; for (i = 0; i < 8; i++) Modified: vendor-crypto/openssl/dist-1.0.1/apps/s_server.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/apps/s_server.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/apps/s_server.c Thu Sep 22 13:05:59 2016 (r306191) @@ -2968,7 +2968,7 @@ static int generate_session_id(const SSL { unsigned int count = 0; do { - if (RAND_pseudo_bytes(id, *id_len) < 0) + if (RAND_bytes(id, *id_len) <= 0) return 0; /* * Prefix the session_id with the required prefix. NB: If our prefix Modified: vendor-crypto/openssl/dist-1.0.1/apps/x509.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/apps/x509.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/apps/x509.c Thu Sep 22 13:05:59 2016 (r306191) @@ -1053,6 +1053,10 @@ static int x509_certify(X509_STORE *ctx, EVP_PKEY *upkey; upkey = X509_get_pubkey(xca); + if (upkey == NULL) { + BIO_printf(bio_err, "Error obtaining CA X509 public key\n"); + goto end; + } EVP_PKEY_copy_parameters(upkey, pkey); EVP_PKEY_free(upkey); @@ -1161,6 +1165,8 @@ static int sign(X509 *x, EVP_PKEY *pkey, EVP_PKEY *pktmp; pktmp = X509_get_pubkey(x); + if (pktmp == NULL) + goto err; EVP_PKEY_copy_parameters(pktmp, pkey); EVP_PKEY_save_parameters(pktmp, 1); EVP_PKEY_free(pktmp); Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_bytes.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_bytes.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_bytes.c Thu Sep 22 13:05:59 2016 (r306191) 
@@ -60,7 +60,12 @@ #include "cryptlib.h" #include -static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c); +static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c, + int depth); +static ASN1_STRING *int_d2i_ASN1_bytes(ASN1_STRING **a, + const unsigned char **pp, long length, + int Ptag, int Pclass, int depth, + int *perr); /* * type is a 'bitmap' of acceptable string types. */ @@ -99,7 +104,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_ST ret = (*a); if (len != 0) { - s = (unsigned char *)OPENSSL_malloc((int)len + 1); + s = OPENSSL_malloc((int)len + 1); if (s == NULL) { i = ERR_R_MALLOC_FAILURE; goto err; @@ -154,15 +159,38 @@ int i2d_ASN1_bytes(ASN1_STRING *a, unsig return (r); } +/* + * Maximum recursion depth of d2i_ASN1_bytes(): much more than should be + * encountered in pratice. + */ + +#define ASN1_BYTES_MAXDEPTH 20 + ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp, long length, int Ptag, int Pclass) { + int err = 0; + ASN1_STRING *s = int_d2i_ASN1_bytes(a, pp, length, Ptag, Pclass, 0, &err); + if (err != 0) + ASN1err(ASN1_F_D2I_ASN1_BYTES, err); + return s; +} + +static ASN1_STRING *int_d2i_ASN1_bytes(ASN1_STRING **a, + const unsigned char **pp, long length, + int Ptag, int Pclass, + int depth, int *perr) +{ ASN1_STRING *ret = NULL; const unsigned char *p; unsigned char *s; long len; int inf, tag, xclass; - int i = 0; + + if (depth > ASN1_BYTES_MAXDEPTH) { + *perr = ASN1_R_NESTED_ASN1_STRING; + return NULL; + } if ((a == NULL) || ((*a) == NULL)) { if ((ret = ASN1_STRING_new()) == NULL) @@ -173,18 +201,19 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING p = *pp; inf = ASN1_get_object(&p, &len, &tag, &xclass, length); if (inf & 0x80) { - i = ASN1_R_BAD_OBJECT_HEADER; + *perr = ASN1_R_BAD_OBJECT_HEADER; goto err; } if (tag != Ptag) { - i = ASN1_R_WRONG_TAG; + *perr = ASN1_R_WRONG_TAG; goto err; } if (inf & V_ASN1_CONSTRUCTED) { ASN1_const_CTX c; + c.error = 0; c.pp = pp; c.p = p; c.inf = inf; 
@@ -192,17 +221,18 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING c.tag = Ptag; c.xclass = Pclass; c.max = (length == 0) ? 0 : (p + length); - if (!asn1_collate_primitive(ret, &c)) + if (!asn1_collate_primitive(ret, &c, depth)) { + *perr = c.error; goto err; - else { + } else { p = c.p; } } else { if (len != 0) { if ((ret->length < len) || (ret->data == NULL)) { - s = (unsigned char *)OPENSSL_malloc((int)len + 1); + s = OPENSSL_malloc((int)len + 1); if (s == NULL) { - i = ERR_R_MALLOC_FAILURE; + *perr = ERR_R_MALLOC_FAILURE; goto err; } if (ret->data != NULL) @@ -230,7 +260,6 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING err: if ((ret != NULL) && ((a == NULL) || (*a != ret))) ASN1_STRING_free(ret); - ASN1err(ASN1_F_D2I_ASN1_BYTES, i); return (NULL); } @@ -242,7 +271,8 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING * There have been a few bug fixes for this function from Paul Keogh * , many thanks to him */ -static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c) +static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c, + int depth) { ASN1_STRING *os = NULL; BUF_MEM b; @@ -270,9 +300,8 @@ static int asn1_collate_primitive(ASN1_S } c->q = c->p; - if (d2i_ASN1_bytes(&os, &c->p, c->max - c->p, c->tag, c->xclass) - == NULL) { - c->error = ERR_R_ASN1_LIB; + if (int_d2i_ASN1_bytes(&os, &c->p, c->max - c->p, c->tag, c->xclass, + depth + 1, &c->error) == NULL) { goto err; } @@ -297,7 +326,6 @@ static int asn1_collate_primitive(ASN1_S ASN1_STRING_free(os); return (1); err: - ASN1err(ASN1_F_ASN1_COLLATE_PRIMITIVE, c->error); if (os != NULL) ASN1_STRING_free(os); if (b.data != NULL) Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_object.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_object.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_object.c Thu Sep 22 13:05:59 2016 (r306191) 
@@ -73,7 +73,7 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsi return (0); objsize = ASN1_object_size(0, a->length, V_ASN1_OBJECT); - if (pp == NULL) + if (pp == NULL || objsize == -1) return objsize; p = *pp; @@ -174,8 +174,12 @@ int a2d_ASN1_OBJECT(unsigned char *out, if (!tmp) goto err; } - while (blsize--) - tmp[i++] = (unsigned char)BN_div_word(bl, 0x80L); + while (blsize--) { + BN_ULONG t = BN_div_word(bl, 0x80L); + if (t == (BN_ULONG)-1) + goto err; + tmp[i++] = (unsigned char)t; + } } else { for (;;) { Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_set.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_set.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_set.c Thu Sep 22 13:05:59 2016 (r306191) @@ -57,6 +57,7 @@ */ #include +#include #include "cryptlib.h" #include @@ -98,10 +99,14 @@ int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) if (a == NULL) return (0); - for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) + for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) { + int tmplen = i2d(sk_OPENSSL_BLOCK_value(a, i), NULL); + if (tmplen > INT_MAX - ret) + return -1; ret += i2d(sk_OPENSSL_BLOCK_value(a, i), NULL); + } r = ASN1_object_size(1, ret, ex_tag); - if (pp == NULL) + if (pp == NULL || r == -1) return (r); p = *pp; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_lib.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_lib.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_lib.c Thu Sep 22 13:05:59 2016 (r306191) 
@@ -256,26 +256,30 @@ static void asn1_put_length(unsigned cha int ASN1_object_size(int constructed, int length, int tag) { - int ret; - - ret = length; - ret++; + int ret = 1; + if (length < 0) + return -1; if (tag >= 31) { while (tag > 0) { tag >>= 7; ret++; } } - if (constructed == 2) - return ret + 3; - ret++; - if (length > 127) { - while (length > 0) { - length >>= 8; - ret++; + if (constructed == 2) { + ret += 3; + } else { + ret++; + if (length > 127) { + int tmplen = length; + while (tmplen > 0) { + tmplen >>= 8; + ret++; + } } } - return (ret); + if (ret >= INT_MAX - length) + return -1; + return ret + length; } static int _asn1_Finish(ASN1_const_CTX *c) @@ -324,7 +328,7 @@ int asn1_GetSequence(ASN1_const_CTX *c, return (0); } if (c->inf == (1 | V_ASN1_CONSTRUCTED)) - c->slen = *length + *(c->pp) - c->p; + c->slen = *length; c->eos = 0; return (1); } @@ -366,7 +370,7 @@ int ASN1_STRING_set(ASN1_STRING *str, co else len = strlen(data); } - if ((str->length < len) || (str->data == NULL)) { + if ((str->length <= len) || (str->data == NULL)) { c = str->data; if (c == NULL) str->data = OPENSSL_malloc(len + 1); Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn_mime.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn_mime.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn_mime.c Thu Sep 22 13:05:59 2016 (r306191) 
@@ -289,7 +289,7 @@ int SMIME_write_ASN1(BIO *bio, ASN1_VALU if ((flags & SMIME_DETACHED) && data) { /* We want multipart/signed */ /* Generate a random boundary */ - if (RAND_pseudo_bytes((unsigned char *)bound, 32) < 0) + if (RAND_bytes((unsigned char *)bound, 32) <= 0) return 0; for (i = 0; i < 32; i++) { c = bound[i] & 0xf; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/d2i_pr.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/d2i_pr.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/d2i_pr.c Thu Sep 22 13:05:59 2016 (r306191) @@ -97,15 +97,17 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_P if (!ret->ameth->old_priv_decode || !ret->ameth->old_priv_decode(ret, &p, length)) { if (ret->ameth->priv_decode) { + EVP_PKEY *tmp; PKCS8_PRIV_KEY_INFO *p8 = NULL; p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, &p, length); if (!p8) goto err; - EVP_PKEY_free(ret); - ret = EVP_PKCS82PKEY(p8); + tmp = EVP_PKCS82PKEY(p8); PKCS8_PRIV_KEY_INFO_free(p8); - if (ret == NULL) + if (tmp == NULL) goto err; + EVP_PKEY_free(ret); + ret = tmp; } else { ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB); goto err; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/f_enum.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/f_enum.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/f_enum.c Thu Sep 22 13:05:59 2016 (r306191) @@ -160,8 +160,6 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_EN i * 2); if (sp == NULL) { ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ERR_R_MALLOC_FAILURE); - if (s != NULL) - OPENSSL_free(s); goto err; } s = sp; 
@@ -199,5 +197,7 @@ int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_EN err_sl: ASN1err(ASN1_F_A2I_ASN1_ENUMERATED, ASN1_R_SHORT_LINE); } + if (ret != 1) + OPENSSL_free(s); return (ret); } Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/f_int.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/f_int.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/f_int.c Thu Sep 22 13:05:59 2016 (r306191) @@ -172,8 +172,6 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEG sp = OPENSSL_realloc_clean(s, slen, num + i * 2); if (sp == NULL) { ASN1err(ASN1_F_A2I_ASN1_INTEGER, ERR_R_MALLOC_FAILURE); - if (s != NULL) - OPENSSL_free(s); goto err; } s = sp; @@ -211,5 +209,7 @@ int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEG err_sl: ASN1err(ASN1_F_A2I_ASN1_INTEGER, ASN1_R_SHORT_LINE); } + if (ret != 1) + OPENSSL_free(s); return (ret); } Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/f_string.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/f_string.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/f_string.c Thu Sep 22 13:05:59 2016 (r306191) @@ -166,8 +166,6 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING i * 2); if (sp == NULL) { ASN1err(ASN1_F_A2I_ASN1_STRING, ERR_R_MALLOC_FAILURE); - if (s != NULL) - OPENSSL_free(s); goto err; } s = sp; @@ -205,5 +203,7 @@ int a2i_ASN1_STRING(BIO *bp, ASN1_STRING err_sl: ASN1err(ASN1_F_A2I_ASN1_STRING, ASN1_R_SHORT_LINE); } + if (ret != 1) + OPENSSL_free(s); return (ret); } Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/p5_pbe.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/p5_pbe.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/p5_pbe.c Thu Sep 22 13:05:59 2016 (r306191) 
@@ -101,7 +101,7 @@ int PKCS5_pbe_set0_algor(X509_ALGOR *alg sstr = ASN1_STRING_data(pbe->salt); if (salt) memcpy(sstr, salt, saltlen); - else if (RAND_pseudo_bytes(sstr, saltlen) < 0) + else if (RAND_bytes(sstr, saltlen) <= 0) goto err; if (!ASN1_item_pack(pbe, ASN1_ITEM_rptr(PBEPARAM), &pbe_str)) { Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/p5_pbev2.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/p5_pbev2.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/p5_pbev2.c Thu Sep 22 13:05:59 2016 (r306191) @@ -120,7 +120,7 @@ X509_ALGOR *PKCS5_pbe2_set_iv(const EVP_ if (EVP_CIPHER_iv_length(cipher)) { if (aiv) memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher)); - else if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0) + else if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) <= 0) goto err; } @@ -225,7 +225,7 @@ X509_ALGOR *PKCS5_pbkdf2_set(int iter, u if (salt) memcpy(osalt->data, salt, saltlen); - else if (RAND_pseudo_bytes(osalt->data, saltlen) < 0) + else if (RAND_bytes(osalt->data, saltlen) <= 0) goto merr; if (iter <= 0) Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_enc.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_enc.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_enc.c Thu Sep 22 13:05:59 2016 (r306191) @@ -59,6 +59,7 @@ #include #include +#include #include "cryptlib.h" #include #include 
@@ -216,17 +217,19 @@ int ASN1_item_ex_i2d(ASN1_VALUE **pval, for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) { const ASN1_TEMPLATE *seqtt; ASN1_VALUE **pseqval; + int tmplen; seqtt = asn1_do_adb(pval, tt, 1); if (!seqtt) return 0; pseqval = asn1_get_field_ptr(pval, seqtt); - /* FIXME: check for errors in enhanced version */ - seqcontlen += asn1_template_ex_i2d(pseqval, NULL, seqtt, - -1, aclass); + tmplen = asn1_template_ex_i2d(pseqval, NULL, seqtt, -1, aclass); + if (tmplen == -1 || (tmplen > INT_MAX - seqcontlen)) + return -1; + seqcontlen += tmplen; } seqlen = ASN1_object_size(ndef, seqcontlen, tag); - if (!out) + if (!out || seqlen == -1) return seqlen; /* Output SEQUENCE header */ ASN1_put_object(out, ndef, seqcontlen, tag, aclass); @@ -339,19 +342,24 @@ static int asn1_template_ex_i2d(ASN1_VAL /* Determine total length of items */ skcontlen = 0; for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) { + int tmplen; skitem = sk_ASN1_VALUE_value(sk, i); - skcontlen += ASN1_item_ex_i2d(&skitem, NULL, - ASN1_ITEM_ptr(tt->item), - -1, iclass); + tmplen = ASN1_item_ex_i2d(&skitem, NULL, ASN1_ITEM_ptr(tt->item), + -1, iclass); + if (tmplen == -1 || (skcontlen > INT_MAX - tmplen)) + return -1; + skcontlen += tmplen; } sklen = ASN1_object_size(ndef, skcontlen, sktag); + if (sklen == -1) + return -1; /* If EXPLICIT need length of surrounding tag */ if (flags & ASN1_TFLG_EXPTAG) ret = ASN1_object_size(ndef, sklen, ttag); else ret = sklen; - if (!out) + if (!out || ret == -1) return ret; /* Now encode this lot... */ 
@@ -380,7 +388,7 @@ static int asn1_template_ex_i2d(ASN1_VAL return 0; /* Find length of EXPLICIT tag */ ret = ASN1_object_size(ndef, i, ttag); - if (out) { + if (out && ret != -1) { /* Output tag and item */ ASN1_put_object(out, ndef, i, ttag, tclass); ASN1_item_ex_i2d(pval, out, ASN1_ITEM_ptr(tt->item), -1, iclass); Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_prn.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_prn.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_prn.c Thu Sep 22 13:05:59 2016 (r306191) @@ -446,6 +446,8 @@ static int asn1_print_integer_ctx(BIO *o char *s; int ret = 1; s = i2s_ASN1_INTEGER(NULL, str); + if (s == NULL) + return 0; if (BIO_puts(out, s) <= 0) ret = 0; OPENSSL_free(s); Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_name.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_name.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_name.c Thu Sep 22 13:05:59 2016 (r306191) @@ -199,10 +199,8 @@ static int x509_name_ex_d2i(ASN1_VALUE * int i, j, ret; STACK_OF(X509_NAME_ENTRY) *entries; X509_NAME_ENTRY *entry; - if (len > X509_NAME_MAX) { - ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG); - return 0; - } + if (len > X509_NAME_MAX) + len = X509_NAME_MAX; q = p; /* Get internal representation of Name */ Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bio/bf_nbio.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bio/bf_nbio.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bio/bf_nbio.c Thu Sep 22 13:05:59 2016 (r306191) 
@@ -139,7 +139,7 @@ static int nbiof_read(BIO *b, char *out, BIO_clear_retry_flags(b); #if 1 - if (RAND_pseudo_bytes(&n, 1) < 0) + if (RAND_bytes(&n, 1) <= 0) return -1; num = (n & 0x07); @@ -179,7 +179,7 @@ static int nbiof_write(BIO *b, const cha num = nt->lwn; nt->lwn = 0; } else { - if (RAND_pseudo_bytes(&n, 1) < 0) + if (RAND_bytes(&n, 1) <= 0) return -1; num = (n & 7); } Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_lib.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_lib.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_lib.c Thu Sep 22 13:05:59 2016 (r306191) @@ -569,7 +569,7 @@ void BN_clear(BIGNUM *a) { bn_check_top(a); if (a->d != NULL) - memset(a->d, 0, a->dmax * sizeof(a->d[0])); + OPENSSL_cleanse(a->d, a->dmax * sizeof(a->d[0])); a->top = 0; a->neg = 0; } Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_print.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_print.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_print.c Thu Sep 22 13:05:59 2016 (r306191) @@ -111,6 +111,7 @@ char *BN_bn2dec(const BIGNUM *a) char *p; BIGNUM *t = NULL; BN_ULONG *bn_data = NULL, *lp; + int bn_data_num; /*- * get an upper bound for the length of the decimal integer @@ -120,9 +121,9 @@ char *BN_bn2dec(const BIGNUM *a) */ i = BN_num_bits(a) * 3; num = (i / 10 + i / 1000 + 1) + 1; - bn_data = - (BN_ULONG *)OPENSSL_malloc((num / BN_DEC_NUM + 1) * sizeof(BN_ULONG)); - buf = (char *)OPENSSL_malloc(num + 3); + bn_data_num = num / BN_DEC_NUM + 1; + bn_data = OPENSSL_malloc(bn_data_num * sizeof(BN_ULONG)); + buf = OPENSSL_malloc(num + 3); if ((buf == NULL) || (bn_data == NULL)) { BNerr(BN_F_BN_BN2DEC, ERR_R_MALLOC_FAILURE); goto err; 
@@ -140,9 +141,12 @@ char *BN_bn2dec(const BIGNUM *a) if (BN_is_negative(t)) *p++ = '-'; - i = 0; while (!BN_is_zero(t)) { + if (lp - bn_data >= bn_data_num) + goto err; *lp = BN_div_word(t, BN_DEC_CONV); + if (*lp == (BN_ULONG)-1) + goto err; lp++; } lp--; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_rand.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_rand.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_rand.c Thu Sep 22 13:05:59 2016 (r306191) @@ -145,13 +145,9 @@ static int bnrand(int pseudorand, BIGNUM time(&tim); RAND_add(&tim, sizeof(tim), 0.0); - if (pseudorand) { - if (RAND_pseudo_bytes(buf, bytes) == -1) - goto err; - } else { - if (RAND_bytes(buf, bytes) <= 0) - goto err; - } + /* We ignore the value of pseudorand and always call RAND_bytes */ + if (RAND_bytes(buf, bytes) <= 0) + goto err; #if 1 if (pseudorand == 2) { Modified: vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_enc.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_enc.c Thu Sep 22 13:04:51 2016 (r306190) +++ vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_enc.c Thu Sep 22 13:05:59 2016 (r306191) @@ -119,7 +119,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_E /* Generate a random IV if we need one */ ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (ivlen > 0) { - if (RAND_pseudo_bytes(iv, ivlen) <= 0) + if (RAND_bytes(iv, ivlen) <= 0) goto err; piv = iv; *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
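Review bot: in the a_set.c i2d_ASN1_SET hunk the new overflow guard `if (tmplen > INT_MAX - ret)` does not catch a negative `tmplen` (i2d returning -1 on error), which then passes the check and shrinks `ret`, and the element is encoded a second time on the following line. Suggest `if (tmplen < 0 || tmplen > INT_MAX - ret) return -1;` followed by `ret += tmplen;` so each element is measured once and an error is propagated as -1 like the `r == -1` case a few lines below.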
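Review bot: in the bn_rand.c bnrand hunk the new comment `/* We ignore the value of pseudorand and always call RAND_bytes */` is contradicted by the `if (pseudorand == 2)` that immediately follows it, since `pseudorand` still selects the top-bit handling. Suggest rewording to something like `/* pseudorand no longer selects RAND_pseudo_bytes; RAND_bytes is used in both cases */` so the comment describes only what this block changed.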
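Review bot: in the f_enum.c, f_int.c and f_string.c hunks the per-failure `if (s != NULL) OPENSSL_free(s);` is replaced by a single `if (ret != 1) OPENSSL_free(s);` before `return (ret);`, which is correct only if `s` is initialised to NULL at its declaration, every early-exit path leaves `ret` != 1, and `ret` becomes 1 only after ownership of `s` has been handed to the ASN1 object. None of that is visible in the hunks, so a short comment at the declaration of `s` stating the ownership rule would help, and the commit message should confirm `OPENSSL_free(NULL)` is a no-op since the removed NULL guard was protecting exactly that case.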
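Review bot: across the asn_mime.c, p5_pbe.c, p5_pbev2.c, bf_nbio.c and cms_enc.c hunks the substantive fix is the comparison change from `< 0` to `<= 0` rather than the rename to RAND_bytes: RAND_pseudo_bytes returns 0 when the output is not cryptographically strong, and the old `< 0` checks accepted that for a PBE salt, a PBKDF2 salt, a cipher IV and an S/MIME boundary. The CHANGES entry for this release should say so explicitly, since a reader of the diff sees only an API swap.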
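Review bot: in the tasn_enc.c hunks the two overflow checks are written in mirrored forms, `tmplen > INT_MAX - seqcontlen` in ASN1_item_ex_i2d and `skcontlen > INT_MAX - tmplen` in asn1_template_ex_i2d; they are equivalent, but using one form in both places makes the pattern easier to audit. Checking `tmplen == -1` rather than `tmplen < 0` is the right call here because 0 is a legitimate length for an absent OPTIONAL element (see the `return 0;` at the top of the third tasn_enc.c hunk), and a brief comment saying so would stop a later cleanup from tightening it.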
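Review bot: in the asn1_lib.c asn1_GetSequence hunk `c->slen = *length + *(c->pp) - c->p;` becomes `c->slen = *length;`, dropping the adjustment for header bytes already consumed, and nothing in the hunk or the log message explains the semantic change. A sentence in the commit message on why the unadjusted length is now correct for the indefinite-length constructed case would make this reviewable without the surrounding source. The `if (ret >= INT_MAX - length) return -1;` added to ASN1_object_size is conservative by one (it also rejects a total of exactly INT_MAX), which is fine, but worth a comment so it is not "fixed" to `>` later.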