[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Thu Mar 12 09:36:17 UTC 2015


The branch master has been updated
       via  007fd1404fc7a2ed33f6108bc3859d3814b44224 (commit)
       via  d813f9eb383a93e472e69750cd1edbb170205ad2 (commit)
       via  c5f2b5336ab72e40ab91e2ca85639f51fa3178c6 (commit)
       via  0c7ca4033dcf5398334d4b78a7dfb941c8167a40 (commit)
       via  6aa8dab2bbfd5ad3cfc0d07fe5d7243635d5b2a2 (commit)
       via  34a7ed0c39aa3ab67eea1e106577525eaf0d7a00 (commit)
       via  9e488fd6ab2c295941e91a47ab7bcd346b7540c7 (commit)
       via  a01087027bd0c5ec053d4eabd972bd942bfcd92f (commit)
       via  8c5a7b33c6269c3bd6bc0df6b4c22e4fba03b485 (commit)
      from  6b937f8b115d817b00116bc6291d604b16dc4602 (commit)


- Log -----------------------------------------------------------------
commit 007fd1404fc7a2ed33f6108bc3859d3814b44224
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 11 17:43:38 2015 +0000

    Fix RSA_X931_derive_ex
    
    In the RSA_X931_derive_ex a call to BN_CTX_new is made. This can return
    NULL on error. However the return value is not tested until *after* it is
    derefed! Also at the top of the function a test is made to ensure that
    |rsa| is not NULL. If it is we go to the "err" label. Unfortunately the
    error handling code deref's rsa.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit d813f9eb383a93e472e69750cd1edbb170205ad2
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 11 17:01:38 2015 +0000

    SSL_check_chain fix
    
    If SSL_check_chain is called with a NULL X509 object or a NULL EVP_PKEY
    or the type of the public key is unrecognised then the local variable
    |cpk| in tls1_check_chain does not get initialised. Subsequently an
    attempt is made to deref it (after the "end" label), and a seg fault will
    result.
    
    Reviewed-by: Dr. Stephen Henson <steve at openssl.org>

commit c5f2b5336ab72e40ab91e2ca85639f51fa3178c6
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 11 20:50:20 2015 +0000

    Fix missing return checks in v3_cpols.c
    
    Fixed assorted missing return value checks in c3_cpols.c
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 0c7ca4033dcf5398334d4b78a7dfb941c8167a40
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 11 20:19:08 2015 +0000

    Fix dsa_pub_encode
    
    The return value from ASN1_STRING_new() was not being checked which could
    lead to a NULL deref in the event of a malloc failure. Also fixed a mem
    leak in the error path.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 6aa8dab2bbfd5ad3cfc0d07fe5d7243635d5b2a2
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 11 20:08:16 2015 +0000

    Fix dh_pub_encode
    
    The return value from ASN1_STRING_new() was not being checked which could
    lead to a NULL deref in the event of a malloc failure. Also fixed a mem
    leak in the error path.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 34a7ed0c39aa3ab67eea1e106577525eaf0d7a00
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 11 19:41:01 2015 +0000

    Fix asn1_item_print_ctx
    
    The call to asn1_do_adb can return NULL on error, so we should check the
    return value before attempting to use it.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 9e488fd6ab2c295941e91a47ab7bcd346b7540c7
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 11 16:00:01 2015 +0000

    ASN1_primitive_new NULL param handling
    
    ASN1_primitive_new takes an ASN1_ITEM * param |it|. There are a couple
    of conditional code paths that check whether |it| is NULL or not - but
    later |it| is deref'd unconditionally. If |it| was ever really NULL then
    this would seg fault. In practice ASN1_primitive_new is marked as an
    internal function in the public header file. The only places it is ever
    used internally always pass a non NULL parameter for |it|. Therefore, change
    the code to sanity check that |it| is not NULL, and remove the conditional
    checking.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Andy Polyakov <appro at openssl.org>

commit a01087027bd0c5ec053d4eabd972bd942bfcd92f
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 11 15:41:52 2015 +0000

    Fix EVP_DigestInit_ex with NULL digest
    
    Calling EVP_DigestInit_ex which has already had the digest set up for it
    should be possible. You are supposed to be able to pass NULL for the type.
    However currently this seg faults.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

commit 8c5a7b33c6269c3bd6bc0df6b4c22e4fba03b485
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 11 15:31:16 2015 +0000

    Fix error handling in bn_exp
    
    In the event of an error |rr| could be NULL. Therefore don't assume you can
    use |rr| in the error handling code.
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/tasn_new.c   |  7 +++++--
 crypto/asn1/tasn_prn.c   |  2 ++
 crypto/bn/bn_exp.c       |  4 ++--
 crypto/dh/dh_ameth.c     | 12 +++++++-----
 crypto/dsa/dsa_ameth.c   | 14 ++++++++------
 crypto/evp/digest.c      |  9 ++++++---
 crypto/rsa/rsa_x931g.c   |  9 ++++-----
 crypto/x509v3/v3_cpols.c | 16 ++++++++++++----
 ssl/t1_lib.c             |  4 ++--
 9 files changed, 48 insertions(+), 29 deletions(-)

diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c
index d25c68c..7d2964f 100644
--- a/crypto/asn1/tasn_new.c
+++ b/crypto/asn1/tasn_new.c
@@ -315,13 +315,16 @@ int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
     ASN1_STRING *str;
     int utype;
 
-    if (it && it->funcs) {
+    if (!it)
+        return 0;
+
+    if (it->funcs) {
         const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
         if (pf->prim_new)
             return pf->prim_new(pval, it);
     }
 
-    if (!it || (it->itype == ASN1_ITYPE_MSTRING))
+    if (it->itype == ASN1_ITYPE_MSTRING)
         utype = -1;
     else
         utype = it->utype;
diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c
index 94e220b..2626de9 100644
--- a/crypto/asn1/tasn_prn.c
+++ b/crypto/asn1/tasn_prn.c
@@ -285,6 +285,8 @@ static int asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent,
         for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
             const ASN1_TEMPLATE *seqtt;
             seqtt = asn1_do_adb(fld, tt, 1);
+            if(!seqtt)
+                return 0;
             tmpfld = asn1_get_field_ptr(fld, seqtt);
             if (!asn1_template_print_ctx(out, tmpfld,
                                          indent + 2, seqtt, pctx))
diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
index 28a9fd5..8c46e50 100644
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -185,10 +185,10 @@ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
                 goto err;
         }
     }
-    ret = 1;
- err:
     if (r != rr)
         BN_copy(r, rr);
+    ret = 1;
+ err:
     BN_CTX_end(ctx);
     bn_check_top(r);
     return (ret);
diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
index 8dac573..2c77381 100644
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -151,7 +151,6 @@ static int dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
 static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 {
     DH *dh;
-    void *pval = NULL;
     int ptype;
     unsigned char *penc = NULL;
     int penclen;
@@ -161,12 +160,15 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
     dh = pkey->pkey.dh;
 
     str = ASN1_STRING_new();
+    if(!str) {
+        DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
+        goto err;
+    }
     str->length = i2d_dhp(pkey, dh, &str->data);
     if (str->length <= 0) {
         DHerr(DH_F_DH_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
         goto err;
     }
-    pval = str;
     ptype = V_ASN1_SEQUENCE;
 
     pub_key = BN_to_ASN1_INTEGER(dh->pub_key, NULL);
@@ -183,14 +185,14 @@ static int dh_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
     }
 
     if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id),
-                               ptype, pval, penc, penclen))
+                               ptype, str, penc, penclen))
         return 1;
 
  err:
     if (penc)
         OPENSSL_free(penc);
-    if (pval)
-        ASN1_STRING_free(pval);
+    if (str)
+        ASN1_STRING_free(str);
 
     return 0;
 }
diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c
index c3a85da..d63c417 100644
--- a/crypto/dsa/dsa_ameth.c
+++ b/crypto/dsa/dsa_ameth.c
@@ -129,21 +129,23 @@ static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey)
 static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
 {
     DSA *dsa;
-    void *pval = NULL;
     int ptype;
     unsigned char *penc = NULL;
     int penclen;
+    ASN1_STRING *str = NULL;
 
     dsa = pkey->pkey.dsa;
     if (pkey->save_parameters && dsa->p && dsa->q && dsa->g) {
-        ASN1_STRING *str;
         str = ASN1_STRING_new();
+        if (!str) {
+            DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
+            goto err;
+        }
         str->length = i2d_DSAparams(dsa, &str->data);
         if (str->length <= 0) {
             DSAerr(DSA_F_DSA_PUB_ENCODE, ERR_R_MALLOC_FAILURE);
             goto err;
         }
-        pval = str;
         ptype = V_ASN1_SEQUENCE;
     } else
         ptype = V_ASN1_UNDEF;
@@ -158,14 +160,14 @@ static int dsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
     }
 
     if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_DSA),
-                               ptype, pval, penc, penclen))
+                               ptype, str, penc, penclen))
         return 1;
 
  err:
     if (penc)
         OPENSSL_free(penc);
-    if (pval)
-        ASN1_STRING_free(pval);
+    if (str)
+        ASN1_STRING_free(str);
 
     return 0;
 }
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index db755b1..48c7b00 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -187,9 +187,12 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
             ctx->engine = impl;
         } else
             ctx->engine = NULL;
-    } else if (!ctx->digest) {
-        EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_NO_DIGEST_SET);
-        return 0;
+    } else {
+        if (!ctx->digest) {
+            EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_NO_DIGEST_SET);
+            return 0;
+        }
+        type = ctx->digest;
     }
 #endif
     if (ctx->digest != type) {
diff --git a/crypto/rsa/rsa_x931g.c b/crypto/rsa/rsa_x931g.c
index 74bf197..5991615 100644
--- a/crypto/rsa/rsa_x931g.c
+++ b/crypto/rsa/rsa_x931g.c
@@ -72,14 +72,15 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
 {
     BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL;
     BN_CTX *ctx = NULL, *ctx2 = NULL;
+    int ret = 0;
 
     if (!rsa)
         goto err;
 
     ctx = BN_CTX_new();
-    BN_CTX_start(ctx);
     if (!ctx)
         goto err;
+    BN_CTX_start(ctx);
 
     r0 = BN_CTX_get(ctx);
     r1 = BN_CTX_get(ctx);
@@ -176,6 +177,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
     /* calculate inverse of q mod p */
     rsa->iqmp = BN_mod_inverse(NULL, rsa->q, rsa->p, ctx2);
 
+    ret = 1;
  err:
     if (ctx) {
         BN_CTX_end(ctx);
@@ -183,11 +185,8 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
     }
     if (ctx2)
         BN_CTX_free(ctx2);
-    /* If this is set all calls successful */
-    if (rsa->iqmp != NULL)
-        return 1;
 
-    return 0;
+    return ret;
 
 }
 
diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509v3/v3_cpols.c
index 139b8f2..9826859 100644
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509v3/v3_cpols.c
@@ -230,8 +230,12 @@ static POLICYINFO *policy_section(X509V3_CTX *ctx,
                 goto merr;
             if (!sk_POLICYQUALINFO_push(pol->qualifiers, qual))
                 goto merr;
-            qual->pqualid = OBJ_nid2obj(NID_id_qt_cps);
-            qual->d.cpsuri = M_ASN1_IA5STRING_new();
+            if(!(qual->pqualid = OBJ_nid2obj(NID_id_qt_cps))) {
+                X509V3err(X509V3_F_POLICY_SECTION, ERR_R_INTERNAL_ERROR);
+                goto err;
+            }
+            if(!(qual->d.cpsuri = M_ASN1_IA5STRING_new()))
+                goto merr;
             if (!ASN1_STRING_set(qual->d.cpsuri, cnf->value,
                                  strlen(cnf->value)))
                 goto merr;
@@ -290,14 +294,18 @@ static POLICYQUALINFO *notice_section(X509V3_CTX *ctx,
     POLICYQUALINFO *qual;
     if (!(qual = POLICYQUALINFO_new()))
         goto merr;
-    qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice);
+    if(!(qual->pqualid = OBJ_nid2obj(NID_id_qt_unotice))) {
+        X509V3err(X509V3_F_NOTICE_SECTION, ERR_R_INTERNAL_ERROR);
+        goto err;
+    }
     if (!(not = USERNOTICE_new()))
         goto merr;
     qual->d.usernotice = not;
     for (i = 0; i < sk_CONF_VALUE_num(unot); i++) {
         cnf = sk_CONF_VALUE_value(unot, i);
         if (!strcmp(cnf->name, "explicitText")) {
-            not->exptext = M_ASN1_VISIBLESTRING_new();
+            if(!(not->exptext = M_ASN1_VISIBLESTRING_new()))
+                goto merr;
             if (!ASN1_STRING_set(not->exptext, cnf->value,
                                  strlen(cnf->value)))
                 goto merr;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 8296ea1..b6e878a 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3910,10 +3910,10 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 # endif
     } else {
         if (!x || !pk)
-            goto end;
+            return 0;
         idx = ssl_cert_type(x, pk);
         if (idx == -1)
-            goto end;
+            return 0;
         cpk = c->pkeys + idx;
         if (c->cert_flags & SSL_CERT_FLAGS_CHECK_TLS_STRICT)
             check_flags = CERT_PKEY_STRICT_FLAGS;


More information about the openssl-commits mailing list