[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Thu Mar 19 14:03:36 UTC 2015


The branch master has been updated
       via  5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f (commit)
       via  367eab2f9f1d1131356118507d21534558863365 (commit)
       via  bdc234f3c362b211d9e9384da93f8a0ff212787e (commit)
       via  c225c3cf9bd67297fb0c297768d69cbc03fbdab7 (commit)
       via  e677e8d13595f7b3287f8feef7676feb301b0e8a (commit)
       via  d3cc5e610d1719a35cda52c9152134b490a8c944 (commit)
       via  34e3edbf3a10953cb407288101fd56a629af22f9 (commit)
       via  09f06923e636019c39c807cb59c481375e720556 (commit)
       via  8106d61c354430d6bbbd7f8e7840a39efc0f5829 (commit)
       via  e83ee04bb7de800cdb71d522fa562e99328003a3 (commit)
       via  1d2a18dc5a3b3363e17db5af8b6b0273856ac077 (commit)
      from  7ead0c89185c46378e3ed85c0012d083f4b3039b (commit)


- Log -----------------------------------------------------------------
commit 5e5d53d341fd9a9b9cc0a58eb3690832ca7a511f
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 19 10:16:32 2015 +0000

    Fix a failure to NULL a pointer freed on error.
    
    Reported by the LibreSSL project as a follow on to CVE-2015-0209
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 367eab2f9f1d1131356118507d21534558863365
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 18 10:10:01 2015 +0000

    Update NEWS
    
    Resync NEWS with the latest version from 1.0.2
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit bdc234f3c362b211d9e9384da93f8a0ff212787e
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Mar 18 09:35:22 2015 +0000

    Update CHANGES
    
    Resync CHANGES with the latest version from 1.0.2.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit c225c3cf9bd67297fb0c297768d69cbc03fbdab7
Author: Emilia Kasper <emilia at openssl.org>
Date:   Fri Feb 27 16:52:23 2015 +0100

    PKCS#7: avoid NULL pointer dereferences with missing content
    
    In PKCS#7, the ASN.1 content component is optional.
    This typically applies to inner content (detached signatures),
    however we must also handle unexpected missing outer content
    correctly.
    
    This patch only addresses functions reachable from parsing,
    decryption and verification, and functions otherwise associated
    with reading potentially untrusted data.
    
    Correcting all low-level API calls requires further work.
    
    CVE-2015-0289
    
    Thanks to Michal Zalewski (Google) for reporting this issue.
    
    Reviewed-by: Steve Henson <steve at openssl.org>

commit e677e8d13595f7b3287f8feef7676feb301b0e8a
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Mar 9 23:11:45 2015 +0000

    Fix ASN1_TYPE_cmp
    
    Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
    can be triggered during certificate verification so could be a DoS attack
    against a client or a server enabling client authentication.
    
    CVE-2015-0286
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit d3cc5e610d1719a35cda52c9152134b490a8c944
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 10 16:38:32 2015 +0000

    Fix DHE Null CKE vulnerability
    
    If client auth is used then a server can seg fault in the event of a DHE
    cipher being used and a zero length ClientKeyExchange message being sent
    by the client. This could be exploited in a DoS attack.
    
    CVE-2015-1787
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 34e3edbf3a10953cb407288101fd56a629af22f9
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Mar 3 13:20:57 2015 +0000

    Fix for CVE-2015-0291
    
    If a client renegotiates using an invalid signature algorithms extension
    it will crash a server with a NULL pointer dereference.
    
    Thanks to David Ramos of Stanford University for reporting this bug.
    
    CVE-2015-0291
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 09f06923e636019c39c807cb59c481375e720556
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Mar 9 23:16:33 2015 +0000

    Reject invalid PSS parameters.
    
    Fix a bug where invalid PSS parameters are not rejected resulting in a
    NULL pointer exception. This can be triggered during certificate
    verification so could be a DoS attack against a client or a server
    enabling client authentication.
    
    Thanks to Brian Carpenter for reporting this issues.
    
    CVE-2015-0208
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 8106d61c354430d6bbbd7f8e7840a39efc0f5829
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Feb 23 02:32:44 2015 +0000

    Free up ADB and CHOICE if already initialised.
    
    CVE-2015-0287
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Emilia Käsper <emilia at openssl.org>

commit e83ee04bb7de800cdb71d522fa562e99328003a3
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Mar 9 16:09:04 2015 +0000

    Fix Seg fault in DTLSv1_listen
    
    The DTLSv1_listen function is intended to be stateless and processes
    the initial ClientHello from many peers. It is common for user code to
    loop over the call to DTLSv1_listen until a valid ClientHello is received
    with an associated cookie. A defect in the implementation of DTLSv1_listen
    means that state is preserved in the SSL object from one invokation to the
    next that can lead to a segmentation fault. Erorrs processing the initial
    ClientHello can trigger this scenario. An example of such an error could
    be that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
    server.
    
    CVE-2015-0207
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 1d2a18dc5a3b3363e17db5af8b6b0273856ac077
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Mar 2 09:27:10 2015 +0000

    Multiblock corrupted pointer fix
    
    OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
    feature only applies on 64 bit x86 architecture platforms that support AES
    NI instructions. A defect in the implementation of "multiblock" can cause
    OpenSSL's internal write buffer to become incorrectly set to NULL when
    using non-blocking IO. Typically, when the user application is using a
    socket BIO for writing, this will only result in a failed connection.
    However if some other BIO is used then it is likely that a segmentation
    fault will be triggered, thus enabling a potential DoS attack.
    
    CVE-2015-0290
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Andy Polyakov <appro at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                 | 496 +++++++++++++++++++++---------------------------
 NEWS                    | 117 ++++--------
 crypto/asn1/a_type.c    |   3 +
 crypto/asn1/tasn_dec.c  |  24 ++-
 crypto/asn1/x_x509.c    |  12 +-
 crypto/ec/ec_asn1.c     |   7 +-
 crypto/pkcs7/pk7_doit.c |  87 +++++++--
 crypto/pkcs7/pk7_lib.c  |   3 +
 crypto/rsa/rsa_ameth.c  |   3 +-
 ssl/d1_lib.c            |   3 +
 ssl/s3_pkt.c            |   2 +-
 ssl/s3_srvr.c           |  11 +-
 ssl/t1_lib.c            |  16 +-
 13 files changed, 389 insertions(+), 395 deletions(-)

diff --git a/CHANGES b/CHANGES
index 8d6fcaf..5dd7d8d 100644
--- a/CHANGES
+++ b/CHANGES
@@ -370,7 +370,170 @@
      whose return value is often ignored. 
      [Steve Henson]
 
- Changes between 1.0.1k and 1.0.2 [xx XXX xxxx]
+ Changes between 1.0.2 and 1.0.2a [xx XXX xxxx]
+
+  *) ClientHello sigalgs DoS fix
+
+     If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
+     invalid signature algorithms extension a NULL pointer dereference will
+     occur. This can be exploited in a DoS attack against the server.
+
+     This issue was was reported to OpenSSL by David Ramos of Stanford
+     University.
+     (CVE-2015-0291)
+     [Stephen Henson and Matt Caswell]
+
+  *) Multiblock corrupted pointer fix
+
+     OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
+     feature only applies on 64 bit x86 architecture platforms that support AES
+     NI instructions. A defect in the implementation of "multiblock" can cause
+     OpenSSL's internal write buffer to become incorrectly set to NULL when
+     using non-blocking IO. Typically, when the user application is using a
+     socket BIO for writing, this will only result in a failed connection.
+     However if some other BIO is used then it is likely that a segmentation
+     fault will be triggered, thus enabling a potential DoS attack.
+
+     This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
+     (CVE-2015-0290)
+     [Matt Caswell]
+
+  *) Segmentation fault in DTLSv1_listen fix
+
+     The DTLSv1_listen function is intended to be stateless and processes the
+     initial ClientHello from many peers. It is common for user code to loop
+     over the call to DTLSv1_listen until a valid ClientHello is received with
+     an associated cookie. A defect in the implementation of DTLSv1_listen means
+     that state is preserved in the SSL object from one invocation to the next
+     that can lead to a segmentation fault. Errors processing the initial
+     ClientHello can trigger this scenario. An example of such an error could be
+     that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
+     server.
+
+     This issue was reported to OpenSSL by Per Allansson.
+     (CVE-2015-0207)
+     [Matt Caswell]
+
+  *) Segmentation fault in ASN1_TYPE_cmp fix
+
+     The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
+     made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
+     certificate signature algorithm consistency this can be used to crash any
+     certificate verification operation and exploited in a DoS attack. Any
+     application which performs certificate verification is vulnerable including
+     OpenSSL clients and servers which enable client authentication.
+     (CVE-2015-0286)
+     [Stephen Henson]
+
+  *) Segmentation fault for invalid PSS parameters fix
+
+     The signature verification routines will crash with a NULL pointer
+     dereference if presented with an ASN.1 signature using the RSA PSS
+     algorithm and invalid parameters. Since these routines are used to verify
+     certificate signature algorithms this can be used to crash any
+     certificate verification operation and exploited in a DoS attack. Any
+     application which performs certificate verification is vulnerable including
+     OpenSSL clients and servers which enable client authentication.
+
+     This issue was was reported to OpenSSL by Brian Carpenter.
+     (CVE-2015-0208)
+     [Stephen Henson]
+
+  *) ASN.1 structure reuse memory corruption fix
+
+     Reusing a structure in ASN.1 parsing may allow an attacker to cause
+     memory corruption via an invalid write. Such reuse is and has been
+     strongly discouraged and is believed to be rare.
+
+     Applications that parse structures containing CHOICE or ANY DEFINED BY
+     components may be affected. Certificate parsing (d2i_X509 and related
+     functions) are however not affected. OpenSSL clients and servers are
+     not affected.
+     (CVE-2015-0287)
+     [Stephen Henson]
+
+  *) PKCS7 NULL pointer dereferences fix
+
+     The PKCS#7 parsing code does not handle missing outer ContentInfo
+     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
+     missing content and trigger a NULL pointer dereference on parsing.
+
+     Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
+     otherwise parse PKCS#7 structures from untrusted sources are
+     affected. OpenSSL clients and servers are not affected.
+
+     This issue was reported to OpenSSL by Michal Zalewski (Google).
+     (CVE-2015-0289)
+     [Emilia Käsper]
+
+  *) DoS via reachable assert in SSLv2 servers fix
+
+     A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
+     servers that both support SSLv2 and enable export cipher suites by sending
+     a specially crafted SSLv2 CLIENT-MASTER-KEY message.
+
+     This issue was discovered by Sean Burford (Google) and Emilia Käsper
+     (OpenSSL development team).
+     (CVE-2015-0293)
+     [Emilia Käsper]
+
+  *) Empty CKE with client auth and DHE fix
+
+     If client auth is used then a server can seg fault in the event of a DHE
+     ciphersuite being selected and a zero length ClientKeyExchange message
+     being sent by the client. This could be exploited in a DoS attack.
+     (CVE-2015-1787)
+     [Matt Caswell]
+
+  *) Handshake with unseeded PRNG fix
+
+     Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
+     with an unseeded PRNG. The conditions are:
+     - The client is on a platform where the PRNG has not been seeded
+     automatically, and the user has not seeded manually
+     - A protocol specific client method version has been used (i.e. not
+     SSL_client_methodv23)
+     - A ciphersuite is used that does not require additional random data from
+     the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
+
+     If the handshake succeeds then the client random that has been used will
+     have been generated from a PRNG with insufficient entropy and therefore the
+     output may be predictable.
+
+     For example using the following command with an unseeded openssl will
+     succeed on an unpatched platform:
+
+     openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
+     (CVE-2015-0285)
+     [Matt Caswell]
+
+  *) Use After Free following d2i_ECPrivatekey error fix
+
+     A malformed EC private key file consumed via the d2i_ECPrivateKey function
+     could cause a use after free condition. This, in turn, could cause a double
+     free in several private key parsing functions (such as d2i_PrivateKey
+     or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
+     for applications that receive EC private keys from untrusted
+     sources. This scenario is considered rare.
+
+     This issue was discovered by the BoringSSL project and fixed in their
+     commit 517073cd4b.
+     (CVE-2015-0209)
+     [Matt Caswell]
+
+  *) X509_to_X509_REQ NULL pointer deref fix
+
+     The function X509_to_X509_REQ will crash with a NULL pointer dereference if
+     the certificate key is invalid. This function is rarely used in practice.
+
+     This issue was discovered by Brian Carpenter.
+     (CVE-2015-0288)
+     [Stephen Henson]
+
+  *) Removed the export ciphers from the DEFAULT ciphers
+     [Kurt Roeckx]
+
+ Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
 
   *) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
      ARMv5 through ARMv8, as opposite to "locking" it to single one.
@@ -700,7 +863,35 @@
      X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
      X509_CINF_get_signature were reverted post internal team review.
 
- Changes between 1.0.1j and 1.0.1k [xx XXX xxxx]
+ Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
+
+  *) Build fixes for the Windows and OpenVMS platforms
+     [Matt Caswell and Richard Levitte]
+
+ Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
+
+  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
+     message can cause a segmentation fault in OpenSSL due to a NULL pointer
+     dereference. This could lead to a Denial Of Service attack. Thanks to
+     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
+     (CVE-2014-3571)
+     [Steve Henson]
+
+  *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
+     dtls1_buffer_record function under certain conditions. In particular this
+     could occur if an attacker sent repeated DTLS records with the same
+     sequence number but for the next epoch. The memory leak could be exploited
+     by an attacker in a Denial of Service attack through memory exhaustion.
+     Thanks to Chris Mueller for reporting this issue.
+     (CVE-2015-0206)
+     [Matt Caswell]
+
+  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
+     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+     method would be set to NULL which could later result in a NULL pointer
+     dereference. Thanks to Frank Schmirler for reporting this issue.
+     (CVE-2014-3569)
+     [Kurt Roeckx]
 
   *) Abort handshake if server key exchange message is omitted for ephemeral
      ECDH ciphersuites.
@@ -719,6 +910,17 @@
      (CVE-2015-0204)
      [Steve Henson]
 
+  *) Fixed issue where DH client certificates are accepted without verification.
+     An OpenSSL server will accept a DH certificate for client authentication
+     without the certificate verify message. This effectively allows a client to
+     authenticate without the use of a private key. This only affects servers
+     which trust a client certificate authority which issues certificates
+     containing DH keys: these are extremely rare and hardly ever encountered.
+     Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
+     this issue.
+     (CVE-2015-0205)
+     [Steve Henson]
+
   *) Ensure that the session ID context of an SSL is updated when its
      SSL_CTX is updated via SSL_set_SSL_CTX.
 
@@ -763,6 +965,17 @@
      (CVE-2014-8275)
      [Steve Henson]
 
+   *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+      results on some platforms, including x86_64. This bug occurs at random
+      with a very low probability, and is not known to be exploitable in any
+      way, though its exact impact is difficult to determine. Thanks to Pieter
+      Wuille (Blockstream) who reported this issue and also suggested an initial
+      fix. Further analysis was conducted by the OpenSSL development team and
+      Adam Langley of Google. The final fix was developed by Andy Polyakov of
+      the OpenSSL core team.
+      (CVE-2014-3570)
+      [Andy Polyakov]
+
    *) Do not resume sessions on the server if the negotiated protocol
       version does not match the session's version. Resuming with a different
       version, while not strictly forbidden by the RFC, is of questionable
@@ -1419,63 +1632,6 @@
        Add command line options to s_client/s_server.
      [Steve Henson]
 
- Changes between 1.0.0j and 1.0.0k [5 Feb 2013]
-
-  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
-
-     This addresses the flaw in CBC record processing discovered by 
-     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
-     at: http://www.isg.rhul.ac.uk/tls/     
-
-     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
-     Security Group at Royal Holloway, University of London
-     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
-     Emilia Käsper for the initial patch.
-     (CVE-2013-0169)
-     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
-
-  *) Return an error when checking OCSP signatures when key is NULL.
-     This fixes a DoS attack. (CVE-2013-0166)
-     [Steve Henson]
-
-  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
-     the right response is stapled. Also change SSL_get_certificate()
-     so it returns the certificate actually sent.
-     See http://rt.openssl.org/Ticket/Display.html?id=2836.
-     (This is a backport)
-     [Rob Stradling <rob.stradling at comodo.com>]
-
-  *) Fix possible deadlock when decoding public keys.
-     [Steve Henson]
-
- Changes between 1.0.0i and 1.0.0j [10 May 2012]
-
-  [NB: OpenSSL 1.0.0i and later 1.0.0 patch levels were released after
-  OpenSSL 1.0.1.]
-
-  *) Sanity check record length before skipping explicit IV in DTLS
-     to fix DoS attack.
-
-     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
-     fuzzing as a service testing platform.
-     (CVE-2012-2333)
-     [Steve Henson]
-
-  *) Initialise tkeylen properly when encrypting CMS messages.
-     Thanks to Solar Designer of Openwall for reporting this issue.
-     [Steve Henson]
-
- Changes between 1.0.0h and 1.0.0i [19 Apr 2012]
-
-  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
-     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
-     in CRYPTO_realloc_clean.
-
-     Thanks to Tavis Ormandy, Google Security Team, for discovering this
-     issue and to Adam Langley <agl at chromium.org> for fixing it.
-     (CVE-2012-2110)
-     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
-
  Changes between 1.0.0g and 1.0.0h [12 Mar 2012]
 
   *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
@@ -2466,228 +2622,6 @@
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
 
- Changes between 0.9.8x and 0.9.8y [5 Feb 2013]
-
-  *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time.
-
-     This addresses the flaw in CBC record processing discovered by 
-     Nadhem Alfardan and Kenny Paterson. Details of this attack can be found
-     at: http://www.isg.rhul.ac.uk/tls/     
-
-     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
-     Security Group at Royal Holloway, University of London
-     (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
-     Emilia Käsper for the initial patch.
-     (CVE-2013-0169)
-     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
-
-  *) Return an error when checking OCSP signatures when key is NULL.
-     This fixes a DoS attack. (CVE-2013-0166)
-     [Steve Henson]
-
-  *) Call OCSP Stapling callback after ciphersuite has been chosen, so
-     the right response is stapled. Also change SSL_get_certificate()
-     so it returns the certificate actually sent.
-     See http://rt.openssl.org/Ticket/Display.html?id=2836.
-     (This is a backport)
-     [Rob Stradling <rob.stradling at comodo.com>]
-
-  *) Fix possible deadlock when decoding public keys.
-     [Steve Henson]
-
- Changes between 0.9.8w and 0.9.8x [10 May 2012]
-
-  *) Sanity check record length before skipping explicit IV in DTLS
-     to fix DoS attack.
-
-     Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
-     fuzzing as a service testing platform.
-     (CVE-2012-2333)
-     [Steve Henson]
-
-  *) Initialise tkeylen properly when encrypting CMS messages.
-     Thanks to Solar Designer of Openwall for reporting this issue.
-     [Steve Henson]
-
- Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
-
-  *) The fix for CVE-2012-2110 did not take into account that the 
-     'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
-     int in OpenSSL 0.9.8, making it still vulnerable. Fix by 
-     rejecting negative len parameter. (CVE-2012-2131)
-     [Tomas Hoger <thoger at redhat.com>]
-
- Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
-
-  *) Check for potentially exploitable overflows in asn1_d2i_read_bio
-     BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
-     in CRYPTO_realloc_clean.
-
-     Thanks to Tavis Ormandy, Google Security Team, for discovering this
-     issue and to Adam Langley <agl at chromium.org> for fixing it.
-     (CVE-2012-2110)
-     [Adam Langley (Google), Tavis Ormandy, Google Security Team]
-
- Changes between 0.9.8t and 0.9.8u [12 Mar 2012]
-
-  *) Fix MMA (Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) weakness
-     in CMS and PKCS7 code. When RSA decryption fails use a random key for
-     content decryption and always return the same error. Note: this attack
-     needs on average 2^20 messages so it only affects automated senders. The
-     old behaviour can be reenabled in the CMS code by setting the
-     CMS_DEBUG_DECRYPT flag: this is useful for debugging and testing where
-     an MMA defence is not necessary.
-     Thanks to Ivan Nestlerode <inestlerode at us.ibm.com> for discovering
-     this issue. (CVE-2012-0884)
-     [Steve Henson]
-
-  *) Fix CVE-2011-4619: make sure we really are receiving a 
-     client hello before rejecting multiple SGC restarts. Thanks to
-     Ivan Nestlerode <inestlerode at us.ibm.com> for discovering this bug.
-     [Steve Henson]
-
- Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
-
-  *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
-     Thanks to Antonio Martin, Enterprise Secure Access Research and
-     Development, Cisco Systems, Inc. for discovering this bug and
-     preparing a fix. (CVE-2012-0050)
-     [Antonio Martin]
-
- Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
-
-  *) Nadhem Alfardan and Kenny Paterson have discovered an extension
-     of the Vaudenay padding oracle attack on CBC mode encryption
-     which enables an efficient plaintext recovery attack against
-     the OpenSSL implementation of DTLS. Their attack exploits timing
-     differences arising during decryption processing. A research
-     paper describing this attack can be found at:
-                  http://www.isg.rhul.ac.uk/~kp/dtls.pdf
-     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
-     Security Group at Royal Holloway, University of London
-     (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
-     <seggelmann at fh-muenster.de> and Michael Tuexen <tuexen at fh-muenster.de>
-     for preparing the fix. (CVE-2011-4108)
-     [Robin Seggelmann, Michael Tuexen]
-
-  *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109)
-     [Ben Laurie, Kasper <ekasper at google.com>]
-
-  *) Clear bytes used for block padding of SSL 3.0 records.
-     (CVE-2011-4576)
-     [Adam Langley (Google)]
-
-  *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
-     Kadianakis <desnacked at gmail.com> for discovering this issue and
-     Adam Langley for preparing the fix. (CVE-2011-4619)
-     [Adam Langley (Google)]
- 
-  *) Prevent malformed RFC3779 data triggering an assertion failure.
-     Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
-     and Rob Austein <sra at hactrn.net> for fixing it. (CVE-2011-4577)
-     [Rob Austein <sra at hactrn.net>]
-
-  *) Fix ssl_ciph.c set-up race.
-     [Adam Langley (Google)]
-
-  *) Fix spurious failures in ecdsatest.c.
-     [Emilia Käsper (Google)]
-
-  *) Fix the BIO_f_buffer() implementation (which was mixing different
-     interpretations of the '..._len' fields).
-     [Adam Langley (Google)]
-
-  *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
-     BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
-     threads won't reuse the same blinding coefficients.
-
-     This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
-     lock to call BN_BLINDING_invert_ex, and avoids one use of
-     BN_BLINDING_update for each BN_BLINDING structure (previously,
-     the last update always remained unused).
-     [Emilia Käsper (Google)]
-
-  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
-     for multi-threaded use of ECDH.
-     [Adam Langley (Google)]
-
-  *) Fix x509_name_ex_d2i memory leak on bad inputs.
-     [Bodo Moeller]
-
-  *) Add protection against ECDSA timing attacks as mentioned in the paper
-     by Billy Bob Brumley and Nicola Tuveri, see:
-
-	http://eprint.iacr.org/2011/232.pdf
-
-     [Billy Bob Brumley and Nicola Tuveri]
-
- Changes between 0.9.8q and 0.9.8r [8 Feb 2011]
-
-  *) Fix parsing of OCSP stapling ClientHello extension. CVE-2011-0014
-     [Neel Mehta, Adam Langley, Bodo Moeller (Google)]
-
-  *) Fix bug in string printing code: if *any* escaping is enabled we must
-     escape the escape character (backslash) or the resulting string is
-     ambiguous.
-     [Steve Henson]
-
- Changes between 0.9.8p and 0.9.8q [2 Dec 2010]
-
-  *) Disable code workaround for ancient and obsolete Netscape browsers
-     and servers: an attacker can use it in a ciphersuite downgrade attack.
-     Thanks to Martin Rex for discovering this bug. CVE-2010-4180
-     [Steve Henson]
-
-  *) Fixed J-PAKE implementation error, originally discovered by
-     Sebastien Martini, further info and confirmation from Stefan
-     Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252
-     [Ben Laurie]
-
- Changes between 0.9.8o and 0.9.8p [16 Nov 2010]
-
-  *) Fix extension code to avoid race conditions which can result in a buffer
-     overrun vulnerability: resumed sessions must not be modified as they can
-     be shared by multiple threads. CVE-2010-3864
-     [Steve Henson]
-
-  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
-     [Steve Henson]
-
-  *) Don't reencode certificate when calculating signature: cache and use
-     the original encoding instead. This makes signature verification of
-     some broken encodings work correctly.
-     [Steve Henson]
-
-  *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT
-     is also one of the inputs.
-     [Emilia Käsper <emilia.kasper at esat.kuleuven.be> (Google)]
-
-  *) Don't repeatedly append PBE algorithms to table if they already exist.
-     Sort table on each new add. This effectively makes the table read only
-     after all algorithms are added and subsequent calls to PKCS12_pbe_add
-     etc are non-op.
-     [Steve Henson]
-
- Changes between 0.9.8n and 0.9.8o [01 Jun 2010]
-
-  [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after
-  OpenSSL 1.0.0.]
-
-  *) Correct a typo in the CMS ASN1 module which can result in invalid memory
-     access or freeing data twice (CVE-2010-0742)
-     [Steve Henson, Ronald Moesbergen <intercommit at gmail.com>]
-
-  *) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
-     common in certificates and some applications which only call
-     SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
-     [Steve Henson]
-
-  *) VMS fixes: 
-     Reduce copying into .apps and .test in makevms.com
-     Don't try to use blank CA certificate in CA.com
-     Allow use of C files from original directories in maketests.com
-     [Steven M. Schweda" <sms at antinode.info>]
-
  Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
 
   *) When rejecting SSL/TLS records due to an incorrect version number, never
diff --git a/NEWS b/NEWS
index 1aa3ea7..cbf847a 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,23 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.2 [in beta]:
+  Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [under development]
+
+      o OpenSSL 1.0.2 ClientHello sigalgs DoS fix (CVE-2015-0291)
+      o Multiblock corrupted pointer fix (CVE-2015-0290)
+      o Segmentation fault in DTLSv1_listen fix (CVE-2015-0207)
+      o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
+      o Segmentation fault for invalid PSS parameters fix (CVE-2015-0208)
+      o ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
+      o PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
+      o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
+      o Empty CKE with client auth and DHE fix (CVE-2015-1787)
+      o Handshake with unseeded PRNG fix (CVE-2015-0285)
+      o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
+      o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
+      o Removed the export ciphers from the DEFAULT ciphers
+
+  Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]:
 
       o Suite B support for TLS 1.2 and DTLS 1.2
       o Support for DTLS 1.2
@@ -16,6 +32,21 @@
       o ALPN support.
       o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
 
+  Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]
+
+      o Build fixes for the Windows and OpenVMS platforms
+
+  Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
+
+      o Fix for CVE-2014-3571
+      o Fix for CVE-2015-0206
+      o Fix for CVE-2014-3569
+      o Fix for CVE-2014-3572
+      o Fix for CVE-2015-0204
+      o Fix for CVE-2015-0205
+      o Fix for CVE-2014-8275
+      o Fix for CVE-2014-3570
+
   Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
 
       o Fix for CVE-2014-3513
@@ -39,6 +70,7 @@
 
       o Fix for CVE-2014-0224
       o Fix for CVE-2014-0221
+      o Fix for CVE-2014-0198
       o Fix for CVE-2014-0195
       o Fix for CVE-2014-3470
       o Fix for CVE-2010-5298
@@ -98,23 +130,6 @@
       o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
       o SRP support.
 
-  Major changes between OpenSSL 1.0.0k and OpenSSL 1.0.0l [6 Jan 2014]
-
-      o Fix for DTLS retransmission bug CVE-2013-6450
-
-  Major changes between OpenSSL 1.0.0j and OpenSSL 1.0.0k [5 Feb 2013]:
-
-      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
-      o Fix OCSP bad key DoS attack CVE-2013-0166
-
-  Major changes between OpenSSL 1.0.0i and OpenSSL 1.0.0j [10 May 2012]:
-
-      o Fix DTLS record length checking bug CVE-2012-2333
-
-  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.0i [19 Apr 2012]:
-
-      o Fix for ASN1 overflow bug CVE-2012-2110
-
   Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]:
 
       o Fix for CMS/PKCS#7 MMA CVE-2012-0884
@@ -187,72 +202,6 @@
       o Opaque PRF Input TLS extension support.
       o Updated time routines to avoid OS limitations.
 
-  Major changes between OpenSSL 0.9.8y and OpenSSL 0.9.8za [5 Jun 2014]:
-
-      o Fix for CVE-2014-0224
-      o Fix for CVE-2014-0221
-      o Fix for CVE-2014-0195
-      o Fix for CVE-2014-3470
-      o Fix for CVE-2014-0076
-      o Fix for CVE-2010-5298
-      o Fix to TLS alert handling.
-
-  Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y [5 Feb 2013]:
-
-      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
-      o Fix OCSP bad key DoS attack CVE-2013-0166
-
-  Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x [10 May 2012]:
-
-      o Fix DTLS record length checking bug CVE-2012-2333
-
-  Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w [23 Apr 2012]:
-
-      o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110)
-
-  Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v [19 Apr 2012]:
-
-      o Fix for ASN1 overflow bug CVE-2012-2110
-
-  Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u [12 Mar 2012]:
-
-      o Fix for CMS/PKCS#7 MMA CVE-2012-0884
-      o Corrected fix for CVE-2011-4619
-      o Various DTLS fixes.
-
-  Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t [18 Jan 2012]:
-
-      o Fix for DTLS DoS issue CVE-2012-0050
-
-  Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s [4 Jan 2012]:
-
-      o Fix for DTLS plaintext recovery attack CVE-2011-4108
-      o Fix policy check double free error CVE-2011-4109
-      o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
-      o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
-      o Check for malformed RFC3779 data CVE-2011-4577
-
-  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r [8 Feb 2011]:
-
-      o Fix for security issue CVE-2011-0014
-
-  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q [2 Dec 2010]:
-
-      o Fix for security issue CVE-2010-4180
-      o Fix for CVE-2010-4252
-
-  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p [16 Nov 2010]:
-
-      o Fix for security issue CVE-2010-3864.
-
-  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]:
-
-      o Fix for security issue CVE-2010-0742.
-      o Various DTLS fixes.
-      o Recognise SHA2 certificates if only SSL algorithms added.
-      o Fix for no-rc4 compilation.
-      o Chil ENGINE unload workaround.
-
   Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]:
 
       o CFB cipher definition fixes.
diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c
index 13ecfcd..e7ec49d 100644
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@@ -115,6 +115,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
     case V_ASN1_OBJECT:
         result = OBJ_cmp(a->value.object, b->value.object);
         break;
+    case V_ASN1_BOOLEAN:
+        result = a->value.boolean - b->value.boolean;
+        break;
     case V_ASN1_NULL:
         result = 0;             /* They do not have content. */
         break;
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index abdeba4..3d62284 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -303,9 +303,16 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
     case ASN1_ITYPE_CHOICE:
         if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
             goto auxerr;
-
-        /* Allocate structure */
-        if (!*pval && !ASN1_item_ex_new(pval, it)) {
+        if (*pval) {
+            /* Free up and zero CHOICE value if initialised */
+            i = asn1_get_choice_selector(pval, it);
+            if ((i >= 0) && (i < it->tcount)) {
+                tt = it->templates + i;
+                pchptr = asn1_get_field_ptr(pval, tt);
+                ASN1_template_free(pchptr, tt);
+                asn1_set_choice_selector(pval, -1, it);
+            }
+        } else if (!ASN1_item_ex_new(pval, it)) {
             ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;
         }
@@ -385,6 +392,17 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
         if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
             goto auxerr;
 
+        /* Free up and zero any ADB found */
+        for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+            if (tt->flags & ASN1_TFLG_ADB_MASK) {
+                const ASN1_TEMPLATE *seqtt;
+                ASN1_VALUE **pseqval;
+                seqtt = asn1_do_adb(pval, tt, 1);
+                pseqval = asn1_get_field_ptr(pval, seqtt);
+                ASN1_template_free(pseqval, seqtt);
+            }
+        }
+
         /* Get each field entry */
         for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
             const ASN1_TEMPLATE *seqtt;
diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c
index f487dbb..36f6ff4 100644
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@@ -168,8 +168,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 {
     const unsigned char *q;
     X509 *ret;
+    int freeret = 0;
+
     /* Save start position */
     q = *pp;
+
+    if(!a || *a == NULL) {
+        freeret = 1;
+    }
     ret = d2i_X509(a, pp, length);
     /* If certificate unreadable then forget it */
     if (!ret)
@@ -182,7 +188,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
         goto err;
     return ret;
  err:
-    X509_free(ret);
+    if(freeret) {
+        X509_free(ret);
+        if (a)
+            *a = NULL;
+    }
     return NULL;
 }
 
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 6ff94a3..b4b0e9f 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1226,16 +1226,19 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
             ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
             return NULL;
         }
-        if (a)
-            *a = ret;
     } else
         ret = *a;
 
     if (!d2i_ECPKParameters(&ret->group, in, len)) {
         ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
+        if (a == NULL || *a != ret)
+             EC_KEY_free(ret);
         return NULL;
     }
 
+    if (a)
+        *a = ret;
+
     return ret;
 }
 
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index f61d63b..25ac2df 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -261,6 +261,25 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
     PKCS7_RECIP_INFO *ri = NULL;
     ASN1_OCTET_STRING *os = NULL;
 
+    if (p7 == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
+        return NULL;
+    }
+    /*
+     * The content field in the PKCS7 ContentInfo is optional, but that really
+     * only applies to inner content (precisely, detached signatures).
+     *
+     * When reading content, missing outer content is therefore treated as an
+     * error.
+     *
+     * When creating content, PKCS7_content_new() must be called before
+     * calling this method, so a NULL p7->d is always an error.
+     */
+    if (p7->d.ptr == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
+        return NULL;
+    }
+
     i = OBJ_obj2nid(p7->type);
     p7->state = PKCS7_S_HEADER;
 
@@ -411,6 +430,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
     unsigned char *ek = NULL, *tkey = NULL;
     int eklen = 0, tkeylen = 0;
 
+    if (p7 == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
+        return NULL;
+    }
+
+    if (p7->d.ptr == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+        return NULL;
+    }
+
     i = OBJ_obj2nid(p7->type);
     p7->state = PKCS7_S_HEADER;
 
@@ -683,6 +712,16 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
     STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
     ASN1_OCTET_STRING *os = NULL;
 
+    if (p7 == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
+        return 0;
+    }
+
+    if (p7->d.ptr == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
+        return 0;
+    }
+
     EVP_MD_CTX_init(&ctx_tmp);
     i = OBJ_obj2nid(p7->type);
     p7->state = PKCS7_S_HEADER;
@@ -722,6 +761,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
         /* If detached data then the content is excluded */
         if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
             M_ASN1_OCTET_STRING_free(os);
+            os = NULL;
             p7->d.sign->contents->d.data = NULL;
         }
         break;
@@ -731,6 +771,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
         /* If detached data then the content is excluded */
         if (PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) {
             M_ASN1_OCTET_STRING_free(os);
+            os = NULL;
             p7->d.digest->contents->d.data = NULL;
         }
         break;
@@ -796,22 +837,30 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
         M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
     }
 
-    if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF)) {
-        char *cont;
-        long contlen;
-        btmp = BIO_find_type(bio, BIO_TYPE_MEM);
-        if (btmp == NULL) {
-            PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
-            goto err;
-        }
-        contlen = BIO_get_mem_data(btmp, &cont);
+    if (!PKCS7_is_detached(p7)) {
         /*
-         * Mark the BIO read only then we can use its copy of the data
-         * instead of making an extra copy.
+         * NOTE(emilia): I think we only reach os == NULL here because detached
+         * digested data support is broken.
          */
-        BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
-        BIO_set_mem_eof_return(btmp, 0);
-        ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
+        if (os == NULL)
+            goto err;
+        if (!(os->flags & ASN1_STRING_FLAG_NDEF)) {
+            char *cont;
+            long contlen;
+            btmp = BIO_find_type(bio, BIO_TYPE_MEM);
+            if (btmp == NULL) {
+                PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
+                goto err;
+            }
+            contlen = BIO_get_mem_data(btmp, &cont);
+            /*
+             * Mark the BIO read only then we can use its copy of the data
+             * instead of making an extra copy.
+             */
+            BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
+            BIO_set_mem_eof_return(btmp, 0);
+            ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
+        }
     }
     ret = 1;
  err:
@@ -886,6 +935,16 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
     STACK_OF(X509) *cert;
     X509 *x509;
 
+    if (p7 == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
+        return 0;
+    }
+
+    if (p7->d.ptr == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
+        return 0;
+    }
+
     if (PKCS7_type_is_signed(p7)) {
         cert = p7->d.sign->cert;
     } else if (PKCS7_type_is_signedAndEnveloped(p7)) {
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index c773812..0c5fcaa 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -70,6 +70,7 @@ long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
     nid = OBJ_obj2nid(p7->type);
 
     switch (cmd) {
+    /* NOTE(emilia): does not support detached digested data. */
     case PKCS7_OP_SET_DETACHED_SIGNATURE:
         if (nid == NID_pkcs7_signed) {
             ret = p7->detached = (int)larg;
@@ -444,6 +445,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md)
 
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
 {
+    if (p7 == NULL || p7->d.ptr == NULL)
+        return NULL;
     if (PKCS7_type_is_signed(p7)) {
         return (p7->d.sign->signer_info);
     } else if (PKCS7_type_is_signedAndEnveloped(p7)) {
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 5e8701a..6f4c104 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -703,9 +703,10 @@ static int rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
         RSAerr(RSA_F_RSA_ITEM_VERIFY, RSA_R_UNSUPPORTED_SIGNATURE_TYPE);
         return -1;
     }
-    if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey))
+    if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) {
         /* Carry on */
         return 2;
+    }
     return -1;
 }
 
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 626cecb..e9a2fc5 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -546,6 +546,9 @@ int dtls1_listen(SSL *s, struct sockaddr *client)
 {
     int ret;
 
+    /* Ensure there is no state left over from a previous invocation */
+    SSL_clear(s);
+
     SSL_set_options(s, SSL_OP_COOKIE_EXCHANGE);
     s->d1->listen = 1;
 
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 66fa9d1..cf02e49 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -804,7 +804,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 
             i = ssl3_write_pending(s, type, &buf[tot], nw);
             if (i <= 0) {
-                if (i < 0) {
+                if (i < 0 && (!s->wbio || !BIO_should_retry(s->wbio))) {
                     OPENSSL_free(wb->buf);
                     wb->buf = NULL;
                 }
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index e5346b6..f8c7e37 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -2233,10 +2233,17 @@ int ssl3_get_client_key_exchange(SSL *s)
     if (alg_k & (SSL_kDHE | SSL_kDHr | SSL_kDHd)) {
         int idx = -1;
         EVP_PKEY *skey = NULL;
-        if (n)
+        if (n > 1) {
             n2s(p, i);
-        else
+        } else {
+            if (alg_k & SSL_kDHE) {
+                al = SSL_AD_HANDSHAKE_FAILURE;
+                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                       SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG);
+                goto f_err;
+            }
             i = 0;
+        }
         if (n && n != i + 2) {
             if (!(s->options & SSL_OP_SSLEAY_080_CLIENT_DH_BUG)) {
                 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index b6e878a..8b75dba 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -2693,6 +2693,7 @@ int tls1_set_server_sigalgs(SSL *s)
     if (s->cert->shared_sigalgs) {
         OPENSSL_free(s->cert->shared_sigalgs);
         s->cert->shared_sigalgs = NULL;
+        s->cert->shared_sigalgslen = 0;
     }
     /* Clear certificate digests and validity flags */
     for (i = 0; i < SSL_PKEY_NUM; i++) {
@@ -3396,6 +3397,7 @@ static int tls1_set_shared_sigalgs(SSL *s)
     if (c->shared_sigalgs) {
         OPENSSL_free(c->shared_sigalgs);
         c->shared_sigalgs = NULL;
+        c->shared_sigalgslen = 0;
     }
     /* If client use client signature algorithms if not NULL */
     if (!s->server && c->client_sigalgs && !is_suiteb) {
@@ -3418,12 +3420,14 @@ static int tls1_set_shared_sigalgs(SSL *s)
         preflen = c->peer_sigalgslen;
     }
     nmatch = tls12_shared_sigalgs(s, NULL, pref, preflen, allow, allowlen);
-    if (!nmatch)
-        return 1;
-    salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
-    if (!salgs)
-        return 0;
-    nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
+    if (nmatch) {
+        salgs = OPENSSL_malloc(nmatch * sizeof(TLS_SIGALGS));
+        if (!salgs)
+            return 0;
+        nmatch = tls12_shared_sigalgs(s, salgs, pref, preflen, allow, allowlen);
+    } else {
+        salgs = NULL;
+    }
     c->shared_sigalgs = salgs;
     c->shared_sigalgslen = nmatch;
     return 1;


More information about the openssl-commits mailing list