[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Matt Caswell
matt at openssl.org
Thu Mar 12 09:36:07 UTC 2015
The branch OpenSSL_1_0_2-stable has been updated
via 327de270d583e716bc0282dd0d59e133f41d7ada (commit)
via 8e91b3d99115121765a15dbb685aa772b73b97ad (commit)
via 20223855e418e1a4cd5f964e4e504d53b8a00fd4 (commit)
via 563fc239d23985f7e7a7300003bd8eb173224354 (commit)
via 15919ecadc3ba9fc210472b806e6ac258825ea83 (commit)
via 289c06823e52ce0e00b4f19ee260635ac1b02e98 (commit)
via ff2459b91877959bc1a3a8a927c6b5f473530f86 (commit)
via 8944d10e2d444b7fc5e60d4f13644c6648f49e74 (commit)
from df57e42baa0c1c8a97035adb9ffb2f335158c440 (commit)
- Log -----------------------------------------------------------------
commit 327de270d583e716bc0282dd0d59e133f41d7ada
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 11 17:01:38 2015 +0000
SSL_check_chain fix
If SSL_check_chain is called with a NULL X509 object or a NULL EVP_PKEY
or the type of the public key is unrecognised then the local variable
|cpk| in tls1_check_chain does not get initialised. Subsequently an
attempt is made to deref it (after the "end" label), and a seg fault will
result.
Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
(cherry picked from commit d813f9eb383a93e472e69750cd1edbb170205ad2)
commit 8e91b3d99115121765a15dbb685aa772b73b97ad
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 11 20:50:20 2015 +0000
Fix missing return checks in v3_cpols.c
Fixed assorted missing return value checks in c3_cpols.c
Reviewed-by: Rich Salz <rsalz at openssl.org>
(cherry picked from commit c5f2b5336ab72e40ab91e2ca85639f51fa3178c6)
commit 20223855e418e1a4cd5f964e4e504d53b8a00fd4
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 11 20:19:08 2015 +0000
Fix dsa_pub_encode
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(cherry picked from commit 0c7ca4033dcf5398334d4b78a7dfb941c8167a40)
commit 563fc239d23985f7e7a7300003bd8eb173224354
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 11 20:08:16 2015 +0000
Fix dh_pub_encode
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(cherry picked from commit 6aa8dab2bbfd5ad3cfc0d07fe5d7243635d5b2a2)
commit 15919ecadc3ba9fc210472b806e6ac258825ea83
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 11 19:41:01 2015 +0000
Fix asn1_item_print_ctx
The call to asn1_do_adb can return NULL on error, so we should check the
return value before attempting to use it.
Reviewed-by: Rich Salz <rsalz at openssl.org>
(cherry picked from commit 34a7ed0c39aa3ab67eea1e106577525eaf0d7a00)
commit 289c06823e52ce0e00b4f19ee260635ac1b02e98
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 11 16:00:01 2015 +0000
ASN1_primitive_new NULL param handling
ASN1_primitive_new takes an ASN1_ITEM * param |it|. There are a couple
of conditional code paths that check whether |it| is NULL or not - but
later |it| is deref'd unconditionally. If |it| was ever really NULL then
this would seg fault. In practice ASN1_primitive_new is marked as an
internal function in the public header file. The only places it is ever
used internally always pass a non NULL parameter for |it|. Therefore, change
the code to sanity check that |it| is not NULL, and remove the conditional
checking.
Reviewed-by: Rich Salz <rsalz at openssl.org>
Reviewed-by: Andy Polyakov <appro at openssl.org>
(cherry picked from commit 9e488fd6ab2c295941e91a47ab7bcd346b7540c7)
commit ff2459b91877959bc1a3a8a927c6b5f473530f86
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 11 15:41:52 2015 +0000
Fix EVP_DigestInit_ex with NULL digest
Calling EVP_DigestInit_ex which has already had the digest set up for it
should be possible. You are supposed to be able to pass NULL for the type.
However currently this seg faults.
Reviewed-by: Andy Polyakov <appro at openssl.org>
(cherry picked from commit a01087027bd0c5ec053d4eabd972bd942bfcd92f)
commit 8944d10e2d444b7fc5e60d4f13644c6648f49e74
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 11 15:31:16 2015 +0000
Fix error handling in bn_exp
In the event of an error |rr| could be NULL. Therefore don't assume you can
use |rr| in the error handling code.
Reviewed-by: Andy Polyakov <appro at openssl.org>
(cherry picked from commit 8c5a7b33c6269c3bd6bc0df6b4c22e4fba03b485)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/tasn_new.c | 7 +++++--
crypto/asn1/tasn_prn.c | 2 ++
crypto/bn/bn_exp.c | 4 ++--
crypto/dh/dh_ameth.c | 12 +++++++-----
crypto/dsa/dsa_ameth.c | 14 ++++++++------
crypto/evp/digest.c | 9 ++++++---
crypto/x509v3/v3_cpols.c | 16 ++++++++++++----
ssl/t1_lib.c | 4 ++--
8 files changed, 44 insertions(+), 24 deletions(-)
diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c
index d25c68c..7d2964f 100644
--- a/crypto/asn1/tasn_new.c
+++ b/crypto/asn1/tasn_new.c
@@ -315,13 +315,16 @@ int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
ASN1_STRING *str;
int utype;
- if (it && it->funcs) {
+ if (!it)
+ return 0;
+
+ if (it->funcs) {
const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
if (pf->prim_new)
return pf->prim_new(pval, it);
}
- if (!it || (it->itype == ASN1_ITYPE_MSTRING))
+ if (it->itype == ASN1_ITYPE_MSTRING)
utype = -1;
else
utype = it->utype;
diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c
index 11d784c..4866dcd 100644
--- a/crypto/asn1/tasn_prn.c
+++ b/crypto/asn1/tasn_prn.c
@@ -289,6 +289,8 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
const ASN1_TEMPLATE *seqtt;
seqtt = asn1_do_adb(fld, tt, 1);
+ if(!seqtt)
+ return 0;
tmpfld = asn1_get_field_ptr(fld, seqtt);
if (!asn1_template_print_ctx(out, tmpfld,
indent + 2, seqtt, pctx))
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 28a9fd5..8c46e50 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -185,10 +185,10 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
goto err;
}
}
- ret = 1;
- err:
if (r != rr)
BN_copy(r, rr);
+ ret = 1;
+ err:
BN_CTX_end(ctx);
bn_check_top(r);
return (ret);
diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
index 1d573a4..c6bfc2d 100644
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -151,7 +151,6 @@ static int dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
{
DH *dh;
- void *pval = NULL;
int ptype;
unsigned char *penc = NULL;
int penclen;
@@ -161,12 +160,15 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
dh = pkey->pkey.dh;
str = ASN1_STRING_new();
+ if(!str) {
+ DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
str->length = i2d_dhp(pkey, dh, &str->data);
if (str->length <= 0) {
DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
goto err;
}
- pval = str;
ptype = V_ASN1_SEQUENCE;
pub_key = BN_to_ASN1_INTEGER(dh->pub_key, NULL);
@@ -183,14 +185,14 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
}
if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
- ptype, pval, penc, penclen))
+ ptype, str, penc, penclen))
return 1;
err:
if (penc)
OPENSSL_free(penc);
- if (pval)
- ASN1_STRING_free(pval);
+ if (str)
+ ASN1_STRING_free(str);
return 0;
}
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index 529efb7..2a5cd71 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -129,21 +129,23 @@ static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
{
DSA *dsa;
- void *pval = NULL;
int ptype;
unsigned char *penc = NULL;
int penclen;
+ ASN1_STRING *str = NULL;
dsa = pkey->pkey.dsa;
if (pkey->save_parameters && dsa->p && dsa->q && dsa->g) {
- ASN1_STRING *str;
str = ASN1_STRING_new();
+ if (!str) {
+ DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
str->length = i2d_DSAparams(dsa, &str->data);
if (str->length <= 0) {
DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
goto err;
}
- pval = str;
ptype = V_ASN1_SEQUENCE;
} else
ptype = V_ASN1_UNDEF;
@@ -158,14 +160,14 @@ static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
}
if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DSA),
- ptype, pval, penc, penclen))
+ ptype, str, penc, penclen))
return 1;
err:
if (penc)
OPENSSL_free(penc);
- if (pval)
- ASN1_STRING_free(pval);
+ if (str)
+ ASN1_STRING_free(str);
return 0;
}
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index bd7760d..f2643f3 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -203,9 +203,12 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
ctx->engine = impl;
} else
ctx->engine = NULL;
- } else if (!ctx->digest) {
- EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_NO_DIGEST_SET);
- return 0;
+ } else {
+ if (!ctx->digest) {
+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_NO_DIGEST_SET);
+ return 0;
+ }
+ type = ctx->digest;
}
#endif
if (ctx->digest != type) {
diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
index 476d51c..dca6ab2 100644
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c
@@ -230,8 +230,12 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
goto merr;
if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
goto merr;
- qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
- qual->d.cpsuri = M_ASN1_IA5STRING_new();
+ if(!(qual->pqualid = OBJ_nid2obj(NID_id_qt_cps))) {
+ X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
+ if(!(qual->d.cpsuri = M_ASN1_IA5STRING_new()))
+ goto merr;
if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
strlen(cnf->value)))
goto merr;
@@ -290,14 +294,18 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
POLICYQUALINFO *qual;
if (!(qual = POLICYQUALINFO_new()))
goto merr;
- qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
+ if(!(qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice))) {
+ X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR);
+ goto err;
+ }
if (!(not = USERNOTICE_new()))
goto merr;
qual->d.usernotice = not;
for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
cnf = sk_CONF_VALUE_value(unot, i);
if (!strcmp(cnf->name, "explicitText")) {
- not->exptext = M_ASN1_VISIBLESTRING_new();
+ if(!(not->exptext = M_ASN1_VISIBLESTRING_new()))
+ goto merr;
if (!ASN1_STRING_set(not->exptext, cnf->value,
strlen(cnf->value)))
goto merr;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 2c3a1ec..6e991e0 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -4126,10 +4126,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
# endif
} else {
if (!x || !pk)
- goto end;
+ return 0;
idx = ssl_cert_type(x, pk);
if (idx == -1)
- goto end;
+ return 0;
cpk = c->pkeys + idx;
if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
check_flags = CERT_PKEY_STRICT_FLAGS;
More information about the openssl-commits
mailing list