[openssl-commits] [openssl] OpenSSL_0_9_8-stable update

Matt Caswell matt at openssl.org
Thu Mar 19 14:05:55 UTC 2015


The branch OpenSSL_0_9_8-stable has been updated
       via  79cc5417a4099c3e61c806a918665570e9aa3c57 (commit)
       via  db8334be06a6573203f29d12f00f45ed69a987cc (commit)
       via  fcc5e899aa942f9d1c72924f867e844c95fd9aae (commit)
       via  b78c9e4a2b3503e06fdee6272427f142d860ed47 (commit)
       via  c380bff888bfd5e48c4b24250ba1996b0fd1a5e3 (commit)
       via  6655ac4e4505b6e791984d7f942bbe33bccc8ead (commit)
       via  c7395fb9997efe924de62ec4d5c7b92aad510869 (commit)
       via  d53f9203652b5f254f3eb5beb2759dbd37f51dae (commit)
       via  65c588c140c5c1c349d69abfea1b92c52fe35d0b (commit)
       via  544e3e3b69d080ee87721bd03c37b4d450384fb9 (commit)
       via  497d0b00dca876beb6c81f2ea6d7160897434c2e (commit)
       via  674341f1b0548e36a6cc49917334f5cbd09aaa2c (commit)
      from  c58f4f73bdb66355b77cd8749afd5deba3d954c1 (commit)


- Log -----------------------------------------------------------------
commit 79cc5417a4099c3e61c806a918665570e9aa3c57
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 19 13:50:06 2015 +0000

    Prepare for 0.9.8zg-dev
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit db8334be06a6573203f29d12f00f45ed69a987cc
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 19 13:47:27 2015 +0000

    Prepare for 0.9.8zf release
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit fcc5e899aa942f9d1c72924f867e844c95fd9aae
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 19 13:47:27 2015 +0000

    make update
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit b78c9e4a2b3503e06fdee6272427f142d860ed47
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 19 11:35:33 2015 +0000

    Fix unsigned/signed warnings
    
    Fix some unsigned/signed warnings introduced as part of the fix
    for CVE-2015-0293
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit c380bff888bfd5e48c4b24250ba1996b0fd1a5e3
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Mar 19 10:16:32 2015 +0000

    Fix a failure to NULL a pointer freed on error.
    
    Reported by the LibreSSL project as a follow on to CVE-2015-0209
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 6655ac4e4505b6e791984d7f942bbe33bccc8ead
Author: Richard Levitte <levitte at openssl.org>
Date:   Wed Mar 18 12:06:56 2015 +0100

    VMS build fix
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

commit c7395fb9997efe924de62ec4d5c7b92aad510869
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 17 17:01:09 2015 +0000

    Update NEWS file
    
    Update the NEWS file with the latest entries from CHANGES ready for the
    release.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit d53f9203652b5f254f3eb5beb2759dbd37f51dae
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Mar 17 16:56:27 2015 +0000

    Update CHANGES for release
    
    Update CHANGES file with all the latest fixes ready for the release.
    
    Conflicts:
    	CHANGES
    
    Conflicts:
    	CHANGES
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 65c588c140c5c1c349d69abfea1b92c52fe35d0b
Author: Emilia Kasper <emilia at openssl.org>
Date:   Wed Mar 4 09:05:02 2015 -0800

    Fix reachable assert in SSLv2 servers.
    
    This assert is reachable for servers that support SSLv2 and export ciphers.
    Therefore, such servers can be DoSed by sending a specially crafted
    SSLv2 CLIENT-MASTER-KEY.
    
    Also fix s2_srvr.c to error out early if the key lengths are malformed.
    These lengths are sent unencrypted, so this does not introduce an oracle.
    
    CVE-2015-0293
    
    This issue was discovered by Sean Burford (Google) and Emilia Käsper of
    the OpenSSL development team.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Tim Hudson <tjh at openssl.org>

commit 544e3e3b69d080ee87721bd03c37b4d450384fb9
Author: Emilia Kasper <emilia at openssl.org>
Date:   Fri Feb 27 16:52:23 2015 +0100

    PKCS#7: avoid NULL pointer dereferences with missing content
    
    In PKCS#7, the ASN.1 content component is optional.
    This typically applies to inner content (detached signatures),
    however we must also handle unexpected missing outer content
    correctly.
    
    This patch only addresses functions reachable from parsing,
    decryption and verification, and functions otherwise associated
    with reading potentially untrusted data.
    
    Correcting all low-level API calls requires further work.
    
    CVE-2015-0289
    
    Thanks to Michal Zalewski (Google) for reporting this issue.
    
    Reviewed-by: Steve Henson <steve at openssl.org>
    
    Conflicts:
    	crypto/pkcs7/pk7_doit.c

commit 497d0b00dca876beb6c81f2ea6d7160897434c2e
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Mar 9 23:11:45 2015 +0000

    Fix ASN1_TYPE_cmp
    
    Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
    can be triggered during certificate verification so could be a DoS attack
    against a client or a server enabling client authentication.
    
    CVE-2015-0286
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 674341f1b0548e36a6cc49917334f5cbd09aaa2c
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Mon Feb 23 02:32:44 2015 +0000

    Free up ADB and CHOICE if already initialised.
    
    CVE-2015-0287
    
    Reviewed-by: Tim Hudson <tjh at openssl.org>
    Reviewed-by: Emilia Käsper <emilia at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                  | 78 +++++++++++++++++++++++++++++++++++++++++++++++-
 NEWS                     | 12 +++++++-
 README                   |  2 +-
 crypto/asn1/a_type.c     |  3 ++
 crypto/asn1/tasn_dec.c   | 24 +++++++++++++--
 crypto/asn1/x_x509.c     | 12 +++++++-
 crypto/ec/ec_asn1.c      |  7 +++--
 crypto/opensslv.h        |  6 ++--
 crypto/pkcs7/pk7_doit.c  | 57 +++++++++++++++++++++++++++++++++++
 crypto/pkcs7/pk7_lib.c   |  3 ++
 crypto/stack/safestack.h |  1 -
 crypto/symhacks.h        |  7 +++++
 openssl.spec             |  2 +-
 ssl/s2_lib.c             |  2 +-
 ssl/s2_srvr.c            | 60 +++++++++++++++++++++++++++++--------
 ssl/ssl-lib.com          | 12 ++++----
 16 files changed, 254 insertions(+), 34 deletions(-)

diff --git a/CHANGES b/CHANGES
index c2a3931..c1bb2af 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,83 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.8ze and 0.9.8zf [xx XXX xxxx]
+ Changes between 0.9.8zf and 0.9.8zg [xx XXX xxxx]
+
+  *)
+
+ Changes between 0.9.8ze and 0.9.8zf [19 Mar 2015]
+
+  *) Segmentation fault in ASN1_TYPE_cmp fix
+
+     The function ASN1_TYPE_cmp will crash with an invalid read if an attempt is
+     made to compare ASN.1 boolean types. Since ASN1_TYPE_cmp is used to check
+     certificate signature algorithm consistency this can be used to crash any
+     certificate verification operation and exploited in a DoS attack. Any
+     application which performs certificate verification is vulnerable including
+     OpenSSL clients and servers which enable client authentication.
+     (CVE-2015-0286)
+     [Stephen Henson]
+
+  *) ASN.1 structure reuse memory corruption fix
+
+     Reusing a structure in ASN.1 parsing may allow an attacker to cause
+     memory corruption via an invalid write. Such reuse is and has been
+     strongly discouraged and is believed to be rare.
+
+     Applications that parse structures containing CHOICE or ANY DEFINED BY
+     components may be affected. Certificate parsing (d2i_X509 and related
+     functions) are however not affected. OpenSSL clients and servers are
+     not affected.
+     (CVE-2015-0287)
+     [Stephen Henson]
+
+  *) PKCS7 NULL pointer dereferences fix
+
+     The PKCS#7 parsing code does not handle missing outer ContentInfo
+     correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs with
+     missing content and trigger a NULL pointer dereference on parsing.
+
+     Applications that verify PKCS#7 signatures, decrypt PKCS#7 data or
+     otherwise parse PKCS#7 structures from untrusted sources are
+     affected. OpenSSL clients and servers are not affected.
+
+     This issue was reported to OpenSSL by Michal Zalewski (Google).
+     (CVE-2015-0289)
+     [Emilia Käsper]
+
+  *) DoS via reachable assert in SSLv2 servers fix
+
+     A malicious client can trigger an OPENSSL_assert (i.e., an abort) in
+     servers that both support SSLv2 and enable export cipher suites by sending
+     a specially crafted SSLv2 CLIENT-MASTER-KEY message.
+
+     This issue was discovered by Sean Burford (Google) and Emilia Käsper
+     (OpenSSL development team).
+     (CVE-2015-0293)
+     [Emilia Käsper]
+
+  *) Use After Free following d2i_ECPrivatekey error fix
+
+     A malformed EC private key file consumed via the d2i_ECPrivateKey function
+     could cause a use after free condition. This, in turn, could cause a double
+     free in several private key parsing functions (such as d2i_PrivateKey
+     or EVP_PKCS82PKEY) and could lead to a DoS attack or memory corruption
+     for applications that receive EC private keys from untrusted
+     sources. This scenario is considered rare.
+
+     This issue was discovered by the BoringSSL project and fixed in their
+     commit 517073cd4b.
+     (CVE-2015-0209)
+     [Matt Caswell]
+
+  *) X509_to_X509_REQ NULL pointer deref fix
+
+     The function X509_to_X509_REQ will crash with a NULL pointer dereference if
+     the certificate key is invalid. This function is rarely used in practice.
+
+     This issue was discovered by Brian Carpenter.
+     (CVE-2015-0288)
+     [Stephen Henson]
 
   *) Removed the export and SSLv2 ciphers from the DEFAULT ciphers
      [Kurt Roeckx]
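Review bot: the CVE-2015-0209 entry title spells the function "d2i_ECPrivatekey" while the body and the 0.9.8zg NEWS line use "d2i_ECPrivateKey"; use the real function name in the title. The same entry could also mention the related error-path fixes that ship in this push (d2i_X509_AUX and d2i_ECParameters now free and NULL a locally allocated object on failure), since a reader scanning CHANGES for the use-after-free fix will not otherwise find them.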
diff --git a/NEWS b/NEWS
index 9ebc70a..0422981 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,20 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 0.9.8ze and OpenSSL 0.9.8zf [under development]
+  Major changes between OpenSSL 0.9.8zf and OpenSSL 0.9.8zg [under development]
 
       o
 
+  Major changes between OpenSSL 0.9.8ze and OpenSSL 0.9.8zf [19 Mar 2015]
+
+      o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
+      o ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
+      o PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
+      o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
+      o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
+      o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
+      o Removed the export ciphers from the DEFAULT ciphers
+
   Major changes between OpenSSL 0.9.8zd and OpenSSL 0.9.8ze [15 Jan 2015]
 
       o Build fixes for the Windows and OpenVMS platforms
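Review bot: the last new bullet, "Removed the export ciphers from the DEFAULT ciphers", does not match the corresponding CHANGES entry in this same push, which reads "Removed the export and SSLv2 ciphers from the DEFAULT ciphers"; one of the two should be corrected so NEWS and CHANGES describe the same change. The "d2i_ECPrivatekey" casing in the use-after-free bullet should also follow the actual function name, d2i_ECPrivateKey.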
diff --git a/README b/README
index ee01e57..b4c4a21 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.8zf-dev
+ OpenSSL 0.9.8zg-dev
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c
index 00367ad..69a5cf6 100644
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@@ -116,6 +116,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
     case V_ASN1_OBJECT:
         result = OBJ_cmp(a->value.object, b->value.object);
         break;
+    case V_ASN1_BOOLEAN:
+        result = a->value.boolean - b->value.boolean;
+        break;
     case V_ASN1_NULL:
         result = 0;             /* They do not have content. */
         break;
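Review bot: `result = a->value.boolean - b->value.boolean;` compares the raw decoded byte, so two encodings of TRUE that differ only in the non-zero value used (DER mandates 0xff, BER accepts any non-zero octet) compare unequal. If the intent is logical equality rather than byte equality, normalise both sides first, e.g. `result = !!a->value.boolean - !!b->value.boolean;`. Either way the new case is what stops a boolean from falling through to the string comparison that caused the invalid read.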
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 2ed81cc..6e4a325 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -302,9 +302,16 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
     case ASN1_ITYPE_CHOICE:
         if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
             goto auxerr;
-
-        /* Allocate structure */
-        if (!*pval && !ASN1_item_ex_new(pval, it)) {
+        if (*pval) {
+            /* Free up and zero CHOICE value if initialised */
+            i = asn1_get_choice_selector(pval, it);
+            if ((i >= 0) && (i < it->tcount)) {
+                tt = it->templates + i;
+                pchptr = asn1_get_field_ptr(pval, tt);
+                ASN1_template_free(pchptr, tt);
+                asn1_set_choice_selector(pval, -1, it);
+            }
+        } else if (!ASN1_item_ex_new(pval, it)) {
             ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;
         }
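Review bot: the comment says "Free up and zero CHOICE value", but when the selector is out of range (`i` outside `[0, it->tcount)`) the block silently leaves whatever was in `*pval` in place and continues decoding into it. That is the correct no-op for an uninitialised selector of -1, but a short comment stating that an out-of-range selector is treated as "nothing selected" would make the intent clear to the next reader.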
@@ -384,6 +391,17 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
         if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it))
             goto auxerr;
 
+        /* Free up and zero any ADB found */
+        for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
+            if (tt->flags & ASN1_TFLG_ADB_MASK) {
+                const ASN1_TEMPLATE *seqtt;
+                ASN1_VALUE **pseqval;
+                seqtt = asn1_do_adb(pval, tt, 1);
+                pseqval = asn1_get_field_ptr(pval, seqtt);
+                ASN1_template_free(pseqval, seqtt);
+            }
+        }
+
         /* Get each field entry */
         for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
             const ASN1_TEMPLATE *seqtt;
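Review bot: `seqtt = asn1_do_adb(pval, tt, 1);` is passed straight to `asn1_get_field_ptr(pval, seqtt)` with no NULL check, yet the `nullerr` argument indicates asn1_do_adb can fail and return NULL (unset or unsupported selector), in which case the next line dereferences NULL. The existing "Get each field entry" loop below guards this case; the new free-up loop should do the same, e.g. call `asn1_do_adb(pval, tt, 0)` and `if (seqtt == NULL) continue;` so that a structure whose ADB selector has not been set yet is simply skipped rather than crashing.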
diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c
index 018a18b..d6958f6 100644
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@@ -179,8 +179,14 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
 {
     const unsigned char *q;
     X509 *ret;
+    int freeret = 0;
+
     /* Save start position */
     q = *pp;
+
+    if(!a || *a == NULL) {
+        freeret = 1;
+    }
     ret = d2i_X509(a, pp, length);
     /* If certificate unreadable then forget it */
     if (!ret)
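Review bot: `if(!a || *a == NULL) {` is missing the space after `if` used everywhere else in this file (compare `if (!ret)` two lines below); please match the surrounding style. Computing `freeret` before the d2i_X509 call is the right order, since d2i_X509 updates `*a` and the decision has to be based on whether the caller supplied an object.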
@@ -193,7 +199,11 @@ X509 *d2i_X509_AUX(X509 **a, const unsigned char **pp, long length)
         goto err;
     return ret;
  err:
-    X509_free(ret);
+    if(freeret) {
+        X509_free(ret);
+        if (a)
+            *a = NULL;
+    }
     return NULL;
 }
 
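Review bot: `if(freeret) {` has the same missing space as the earlier hunk and sits two lines above `if (a)`, which is spaced correctly. On the logic: when the caller supplied an object (`freeret == 0`) and the trust-information parse fails, `*a` is left pointing at a certificate that was fully decoded but whose aux data was not; that is consistent with the previous behaviour, but worth a one-line comment at the `err:` label so nobody "fixes" it later by freeing a caller-owned object.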
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index d3e8316..4ca2545 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -1196,16 +1196,19 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
             ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_MALLOC_FAILURE);
             return NULL;
         }
-        if (a)
-            *a = ret;
     } else
         ret = *a;
 
     if (!d2i_ECPKParameters(&ret->group, in, len)) {
         ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
+        if (a == NULL || *a != ret)
+             EC_KEY_free(ret);
         return NULL;
     }
 
+    if (a)
+        *a = ret;
+
     return ret;
 }
 
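Review bot: `             EC_KEY_free(ret);` is indented one column further than the surrounding four-space style. Moving the `*a = ret` assignment after the successful d2i_ECPKParameters call is the right fix: previously a caller-visible `*a` could point at an object that the error path had just freed, and the `a == NULL || *a != ret` guard now frees only the object this function allocated.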
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 0c749bb..fa12139 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -26,11 +26,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x009081f0L
+# define OPENSSL_VERSION_NUMBER  0x00908200L
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8zf-fips-dev xx XXX xxxx"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8zg-fips-dev xx XXX xxxx"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8zf-dev xx XXX xxxx"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 0.9.8zg-dev xx XXX xxxx"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index ba5b824..db134dd 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -147,6 +147,25 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
     EVP_PKEY *pkey;
     ASN1_OCTET_STRING *os = NULL;
 
+    if (p7 == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
+        return NULL;
+    }
+    /*
+     * The content field in the PKCS7 ContentInfo is optional, but that really
+     * only applies to inner content (precisely, detached signatures).
+     *
+     * When reading content, missing outer content is therefore treated as an
+     * error.
+     *
+     * When creating content, PKCS7_content_new() must be called before
+     * calling this method, so a NULL p7->d is always an error.
+     */
+    if (p7->d.ptr == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
+        return NULL;
+    }
+
     i = OBJ_obj2nid(p7->type);
     p7->state = PKCS7_S_HEADER;
 
@@ -325,6 +344,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
     STACK_OF(PKCS7_RECIP_INFO) *rsk = NULL;
     PKCS7_RECIP_INFO *ri = NULL;
 
+    if (p7 == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
+        return NULL;
+    }
+
+    if (p7->d.ptr == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+        return NULL;
+    }
+
     i = OBJ_obj2nid(p7->type);
     p7->state = PKCS7_S_HEADER;
 
@@ -607,6 +636,16 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
     STACK_OF(PKCS7_SIGNER_INFO) *si_sk = NULL;
     ASN1_OCTET_STRING *os = NULL;
 
+    if (p7 == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
+        return 0;
+    }
+
+    if (p7->d.ptr == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
+        return 0;
+    }
+
     EVP_MD_CTX_init(&ctx_tmp);
     i = OBJ_obj2nid(p7->type);
     p7->state = PKCS7_S_HEADER;
@@ -635,6 +674,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
         /* If detached data then the content is excluded */
         if (PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
             M_ASN1_OCTET_STRING_free(os);
+            os = NULL;
             p7->d.sign->contents->d.data = NULL;
         }
         break;
@@ -644,6 +684,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
         /* If detached data then the content is excluded */
         if (PKCS7_type_is_data(p7->d.digest->contents) && p7->detached) {
             M_ASN1_OCTET_STRING_free(os);
+            os = NULL;
             p7->d.digest->contents->d.data = NULL;
         }
         break;
@@ -767,6 +808,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
     }
 
     if (!PKCS7_is_detached(p7)) {
+        /*
+         * NOTE(emilia): I think we only reach os == NULL here because detached
+         * digested data support is broken.
+         */
+        if (os == NULL)
+            goto err;
         btmp = BIO_find_type(bio, BIO_TYPE_MEM);
         if (btmp == NULL) {
             PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
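Review bot: `if (os == NULL) goto err;` jumps to the error label without pushing a PKCS7err, so a caller that hits this path gets a failure return with an empty error queue, unlike every other early-out added in this file. Add an error code (PKCS7_R_NO_CONTENT would fit) before the goto. The `NOTE(emilia)` comment above it is a speculation about why the state is reachable; if detached digested data is known to be broken, a TODO referencing the matching note in pk7_lib.c would make it easier to find and fix later.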
@@ -803,6 +850,16 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
     STACK_OF(X509) *cert;
     X509 *x509;
 
+    if (p7 == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
+        return 0;
+    }
+
+    if (p7->d.ptr == NULL) {
+        PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
+        return 0;
+    }
+
     if (PKCS7_type_is_signed(p7)) {
         cert = p7->d.sign->cert;
     } else if (PKCS7_type_is_signedAndEnveloped(p7)) {
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 7d19126..c2ad3ec 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -69,6 +69,7 @@ long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg)
     nid = OBJ_obj2nid(p7->type);
 
     switch (cmd) {
+    /* NOTE(emilia): does not support detached digested data. */
     case PKCS7_OP_SET_DETACHED_SIGNATURE:
         if (nid == NID_pkcs7_signed) {
             ret = p7->detached = (int)larg;
@@ -464,6 +465,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md)
 
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
 {
+    if (p7 == NULL || p7->d.ptr == NULL)
+        return NULL;
     if (PKCS7_type_is_signed(p7)) {
         return (p7->d.sign->signer_info);
     } else if (PKCS7_type_is_signedAndEnveloped(p7)) {
diff --git a/crypto/stack/safestack.h b/crypto/stack/safestack.h
index 9f36191..334ce9e 100644
--- a/crypto/stack/safestack.h
+++ b/crypto/stack/safestack.h
@@ -1988,6 +1988,5 @@ STACK_OF(type) \
 
 # define PKCS12_decrypt_d2i_PKCS7(algor, d2i_func, free_func, pass, passlen, oct, seq) \
         SKM_PKCS12_decrypt_d2i(PKCS7, (algor), (d2i_func), (free_func), (pass), (passlen), (oct), (seq))
-/* End of util/mkstack.pl block, you may now edit :-) */
 
 #endif                          /* !defined HEADER_SAFESTACK_H */
diff --git a/crypto/symhacks.h b/crypto/symhacks.h
index 99d4b54..b8a6ddf 100644
--- a/crypto/symhacks.h
+++ b/crypto/symhacks.h
@@ -197,6 +197,13 @@
 #  undef ssl_parse_serverhello_renegotiate_ext
 #  define ssl_parse_serverhello_renegotiate_ext   ssl_parse_serverhello_reneg_ext
 
+#  undef ssl3_cbc_record_digest_supported
+#  define ssl3_cbc_record_digest_supported        ssl3_cbc_record_digest_support
+#  undef ssl_check_clienthello_tlsext_late
+#  define ssl_check_clienthello_tlsext_late       ssl_check_clihello_tlsext_late
+#  undef ssl_check_clienthello_tlsext_early
+#  define ssl_check_clienthello_tlsext_early      ssl_check_clihello_tlsext_early
+
 /* Hack some long ENGINE names */
 #  undef ENGINE_get_default_BN_mod_exp_crt
 #  define ENGINE_get_default_BN_mod_exp_crt       ENGINE_get_def_BN_mod_exp_crt
diff --git a/openssl.spec b/openssl.spec
index 934e5b3..ff48b84 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -6,7 +6,7 @@ Release: 1
 
 Summary: Secure Sockets Layer and cryptography libraries and tools
 Name: openssl
-Version: 0.9.8zf
+Version: 0.9.8zg
 Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
 License: OpenSSL
 Group: System Environment/Libraries
diff --git a/ssl/s2_lib.c b/ssl/s2_lib.c
index b717771..4386ac5 100644
--- a/ssl/s2_lib.c
+++ b/ssl/s2_lib.c
@@ -417,7 +417,7 @@ int ssl2_generate_key_material(SSL *s)
 
         OPENSSL_assert(s->session->master_key_length >= 0
                        && s->session->master_key_length
-                       < (int)sizeof(s->session->master_key));
+                       <= (int)sizeof(s->session->master_key));
         EVP_DigestUpdate(&ctx, s->session->master_key,
                          s->session->master_key_length);
         EVP_DigestUpdate(&ctx, &c, 1);
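Review bot: relaxing the bound to `<= (int)sizeof(s->session->master_key)` is only safe because master_key_length is bounded earlier by the `i > SSL_MAX_MASTER_KEY_LENGTH` check in s2_srvr.c, so this relies on the master_key array being declared with exactly that size; a short comment tying the two together would help. Note also that an OPENSSL_assert still aborts the whole server process if it ever fires, so the real protection against the reported DoS is the length validation added in s2_srvr.c, not this assert.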
diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c
index a1f82d2..ba8c8e8 100644
--- a/ssl/s2_srvr.c
+++ b/ssl/s2_srvr.c
@@ -369,7 +369,8 @@ int ssl2_accept(SSL *s)
 
 static int get_client_master_key(SSL *s)
 {
-    int is_export, i, n, keya, ek;
+    int is_export, i, n, keya;
+    unsigned int ek;
     unsigned long len;
     unsigned char *p;
     SSL_CIPHER *cp;
@@ -452,11 +453,6 @@ static int get_client_master_key(SSL *s)
         SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, SSL_R_NO_PRIVATEKEY);
         return (-1);
     }
-    i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
-                                &(p[s->s2->tmp.clear]),
-                                &(p[s->s2->tmp.clear]),
-                                (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
-                                RSA_PKCS1_PADDING);
 
     is_export = SSL_C_IS_EXPORT(s->session->cipher);
 
@@ -473,23 +469,61 @@ static int get_client_master_key(SSL *s)
     } else
         ek = 5;
 
+    /*
+     * The format of the CLIENT-MASTER-KEY message is
+     * 1 byte message type
+     * 3 bytes cipher
+     * 2-byte clear key length (stored in s->s2->tmp.clear)
+     * 2-byte encrypted key length (stored in s->s2->tmp.enc)
+     * 2-byte key args length (IV etc)
+     * clear key
+     * encrypted key
+     * key args
+     *
+     * If the cipher is an export cipher, then the encrypted key bytes
+     * are a fixed portion of the total key (5 or 8 bytes). The size of
+     * this portion is in |ek|. If the cipher is not an export cipher,
+     * then the entire key material is encrypted (i.e., clear key length
+     * must be zero).
+     */
+    if ((!is_export && s->s2->tmp.clear != 0) ||
+        (is_export && s->s2->tmp.clear + ek != (unsigned int)EVP_CIPHER_key_length(c))) {
+        ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
+        SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
+        return -1;
+    }
+    /*
+     * The encrypted blob must decrypt to the encrypted portion of the key.
+     * Decryption can't be expanding, so if we don't have enough encrypted
+     * bytes to fit the key in the buffer, stop now.
+     */
+    if ((is_export && s->s2->tmp.enc < ek) ||
+        (!is_export && s->s2->tmp.enc < (unsigned int)EVP_CIPHER_key_length(c))) {
+        ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
+        SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
+        return -1;
+    }
+
+    i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
+                                &(p[s->s2->tmp.clear]),
+                                &(p[s->s2->tmp.clear]),
+                                (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
+                                RSA_PKCS1_PADDING);
+
     /* bad decrypt */
 # if 1
     /*
      * If a bad decrypt, continue with protocol but with a random master
      * secret (Bleichenbacher attack)
      */
-    if ((i < 0) || ((!is_export && (i != EVP_CIPHER_key_length(c)))
-                    || (is_export && ((i != ek)
-                                      || (s->s2->tmp.clear +
-                                          (unsigned int)i != (unsigned int)
-                                          EVP_CIPHER_key_length(c)))))) {
+    if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
+                    || (is_export && i != (int)ek))) {
         ERR_clear_error();
         if (is_export)
             i = ek;
         else
             i = EVP_CIPHER_key_length(c);
-        if (RAND_pseudo_bytes(p, i) <= 0)
+        if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
             return 0;
     }
 # else
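Review bot: the two new early-return paths use inconsistent spacing, `SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);` and `ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);`, while the surrounding code writes `ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);`. Returning distinct errors before the RSA decrypt is acceptable here because the clear/encrypted lengths are sent unencrypted, but any future check that depends on the decrypted bytes must stay on the uniform random-master-key path below, otherwise the Bleichenbacher countermeasure is defeated. Changing `RAND_pseudo_bytes(p, i)` to `RAND_pseudo_bytes(&p[s->s2->tmp.clear], i)` also fixes the pre-existing bug where the random bytes overwrote the clear-key portion instead of the encrypted portion.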
@@ -511,7 +545,7 @@ static int get_client_master_key(SSL *s)
 # endif
 
     if (is_export)
-        i += s->s2->tmp.clear;
+        i = EVP_CIPHER_key_length(c);
 
     if (i > SSL_MAX_MASTER_KEY_LENGTH) {
         ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
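Review bot: with `i = EVP_CIPHER_key_length(c);` for the export case, `i` is now the full key length rather than the sum of clear and encrypted bytes; this is equivalent given the new `s->s2->tmp.clear + ek == EVP_CIPHER_key_length(c)` check above, but the following `i > SSL_MAX_MASTER_KEY_LENGTH` test is now the only bound on master_key_length for both export and non-export ciphers, so it should not be weakened or moved.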
diff --git a/ssl/ssl-lib.com b/ssl/ssl-lib.com
index 85ab2f6..38efbb0 100644
--- a/ssl/ssl-lib.com
+++ b/ssl/ssl-lib.com
@@ -171,11 +171,11 @@ $ ENDIF
 $!
 $! Define The Different SSL "library" Files.
 $!
-$ LIB_SSL = "s2_meth,s2_srvr,s2_clnt,s2_lib,s2_enc,s2_pkt,"+ -
-	    "s3_meth,s3_srvr,s3_clnt,s3_lib,s3_enc,s3_pkt,s3_both,"+ -
-	    "s23_meth,s23_srvr,s23_clnt,s23_lib,s23_pkt,"+ -
-	    "t1_meth,t1_srvr,t1_clnt,t1_lib,t1_enc,"+ -
-	    "d1_meth,d1_srvr,d1_clnt,d1_lib,d1_pkt,"+ -
+$ LIB_SSL = "s2_meth,  s2_srvr, s2_clnt, s2_lib, s2_enc, s2_pkt,"+ -
+	    "s3_meth,  s3_srvr, s3_clnt, s3_lib, s3_enc, s3_pkt,s3_both,s3_cbc,"+ -
+	    "s23_meth,s23_srvr,s23_clnt,s23_lib,        s23_pkt,"+ -
+	    "t1_meth,  t1_srvr, t1_clnt, t1_lib, t1_enc,"+ -
+	    "d1_meth,  d1_srvr, d1_clnt, d1_lib,         d1_pkt,"+ -
 	    "d1_both,d1_enc,"+ -
 	    "ssl_lib,ssl_err2,ssl_cert,ssl_sess,"+ -
 	    "ssl_ciph,ssl_stat,ssl_rsa,"+ -
@@ -196,7 +196,7 @@ $ NEXT_FILE:
 $!
 $! O.K, Extract The File Name From The File List.
 $!
-$ FILE_NAME = F$ELEMENT(FILE_COUNTER,",",LIB_SSL)
+$ FILE_NAME = F$EDIT(F$ELEMENT(FILE_COUNTER,",",LIB_SSL),"COLLAPSE")
 $!
 $! Check To See If We Are At The End Of The File List.
 $!
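Review bot: the `F$EDIT(..., "COLLAPSE")` change is what makes the aligned, space-padded LIB_SSL list in the previous hunk safe, since each extracted element would otherwise carry leading spaces into the file name; the two hunks depend on each other and should stay together if either is ever reverted. Adding `s3_cbc` to the list matches the new long-name mappings for `ssl3_cbc_record_digest_supported` added in crypto/symhacks.h.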


More information about the openssl-commits mailing list