Module Name: src
Committed By: snj
Date: Sun Jul 5 00:41:03 UTC 2009
Modified Files:
src/crypto/dist/openssl/apps [netbsd-4-0]: speed.c spkac.c verify.c
x509.c
src/crypto/dist/openssl/crypto/asn1 [netbsd-4-0]: asn1.h asn1_err.c
tasn_dec.c
src/crypto/dist/openssl/ssl [netbsd-4-0]: s2_clnt.c s2_srvr.c s3_clnt.c
s3_srvr.c ssltest.c
Log Message:
Fixes for CVE-2009-0590, CVE-2009-0789, and CVE-2008-5077.
To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.7.12.1 src/crypto/dist/openssl/apps/speed.c
cvs rdiff -u -r1.4 -r1.4.14.1 src/crypto/dist/openssl/apps/spkac.c
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.14.1 src/crypto/dist/openssl/apps/verify.c
cvs rdiff -u -r1.1.1.9 -r1.1.1.9.14.1 src/crypto/dist/openssl/apps/x509.c
cvs rdiff -u -r1.8 -r1.8.14.1 src/crypto/dist/openssl/crypto/asn1/asn1.h
cvs rdiff -u -r1.1.1.6.4.1 -r1.1.1.6.4.1.2.1 \
src/crypto/dist/openssl/crypto/asn1/asn1_err.c
cvs rdiff -u -r1.6.2.1 -r1.6.2.1.2.1 \
src/crypto/dist/openssl/crypto/asn1/tasn_dec.c
cvs rdiff -u -r1.10 -r1.10.12.1 src/crypto/dist/openssl/ssl/s2_clnt.c
cvs rdiff -u -r1.8 -r1.8.14.1 src/crypto/dist/openssl/ssl/s2_srvr.c
cvs rdiff -u -r1.9.4.1 -r1.9.4.1.2.1 src/crypto/dist/openssl/ssl/s3_clnt.c
cvs rdiff -u -r1.13.2.1 -r1.13.2.1.2.1 src/crypto/dist/openssl/ssl/s3_srvr.c
cvs rdiff -u -r1.9 -r1.9.14.1 src/crypto/dist/openssl/ssl/ssltest.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/openssl/apps/speed.c
diff -u src/crypto/dist/openssl/apps/speed.c:1.7 src/crypto/dist/openssl/apps/speed.c:1.7.12.1
--- src/crypto/dist/openssl/apps/speed.c:1.7 Mon Nov 13 21:55:36 2006
+++ src/crypto/dist/openssl/apps/speed.c Sun Jul 5 00:41:01 2009
@@ -2038,7 +2038,7 @@
{
ret=RSA_verify(NID_md5_sha1, buf,36, buf2,
rsa_num, rsa_key[j]);
- if (ret == 0)
+ if (ret <= 0)
{
BIO_printf(bio_err,
"RSA verify failure\n");
Index: src/crypto/dist/openssl/apps/spkac.c
diff -u src/crypto/dist/openssl/apps/spkac.c:1.4 src/crypto/dist/openssl/apps/spkac.c:1.4.14.1
--- src/crypto/dist/openssl/apps/spkac.c:1.4 Fri Nov 25 19:14:11 2005
+++ src/crypto/dist/openssl/apps/spkac.c Sun Jul 5 00:41:02 2009
@@ -285,7 +285,7 @@
pkey = NETSCAPE_SPKI_get_pubkey(spki);
if(verify) {
i = NETSCAPE_SPKI_verify(spki, pkey);
- if(i) BIO_printf(bio_err, "Signature OK\n");
+ if (i > 0) BIO_printf(bio_err, "Signature OK\n");
else {
BIO_printf(bio_err, "Signature Failure\n");
ERR_print_errors(bio_err);
Index: src/crypto/dist/openssl/apps/verify.c
diff -u src/crypto/dist/openssl/apps/verify.c:1.1.1.6 src/crypto/dist/openssl/apps/verify.c:1.1.1.6.14.1
--- src/crypto/dist/openssl/apps/verify.c:1.1.1.6 Fri Nov 25 03:03:49 2005
+++ src/crypto/dist/openssl/apps/verify.c Sun Jul 5 00:41:02 2009
@@ -266,7 +266,7 @@
ret=0;
end:
- if (i)
+ if (i > 0)
{
fprintf(stdout,"OK\n");
ret=1;
@@ -367,4 +367,3 @@
ERR_clear_error();
return(ok);
}
-
Index: src/crypto/dist/openssl/apps/x509.c
diff -u src/crypto/dist/openssl/apps/x509.c:1.1.1.9 src/crypto/dist/openssl/apps/x509.c:1.1.1.9.14.1
--- src/crypto/dist/openssl/apps/x509.c:1.1.1.9 Fri Nov 25 03:03:50 2005
+++ src/crypto/dist/openssl/apps/x509.c Sun Jul 5 00:41:02 2009
@@ -1144,7 +1144,7 @@
/* NOTE: this certificate can/should be self signed, unless it was
* a certificate request in which case it is not. */
X509_STORE_CTX_set_cert(&xsc,x);
- if (!reqfile && !X509_verify_cert(&xsc))
+ if (!reqfile && X509_verify_cert(&xsc) <= 0)
goto end;
if (!X509_check_private_key(xca,pkey))
Index: src/crypto/dist/openssl/crypto/asn1/asn1.h
diff -u src/crypto/dist/openssl/crypto/asn1/asn1.h:1.8 src/crypto/dist/openssl/crypto/asn1/asn1.h:1.8.14.1
--- src/crypto/dist/openssl/crypto/asn1/asn1.h:1.8 Sat Jun 3 01:50:19 2006
+++ src/crypto/dist/openssl/crypto/asn1/asn1.h Sun Jul 5 00:41:02 2009
@@ -1134,6 +1134,7 @@
#define ASN1_R_BAD_OBJECT_HEADER 102
#define ASN1_R_BAD_PASSWORD_READ 103
#define ASN1_R_BAD_TAG 104
+#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210
#define ASN1_R_BN_LIB 105
#define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
#define ASN1_R_BUFFER_TOO_SMALL 107
@@ -1213,6 +1214,7 @@
#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157
#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158
#define ASN1_R_UNEXPECTED_EOC 159
+#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211
#define ASN1_R_UNKNOWN_FORMAT 160
#define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161
#define ASN1_R_UNKNOWN_OBJECT_TYPE 162
Index: src/crypto/dist/openssl/crypto/asn1/asn1_err.c
diff -u src/crypto/dist/openssl/crypto/asn1/asn1_err.c:1.1.1.6.4.1 src/crypto/dist/openssl/crypto/asn1/asn1_err.c:1.1.1.6.4.1.2.1
--- src/crypto/dist/openssl/crypto/asn1/asn1_err.c:1.1.1.6.4.1 Sat Aug 25 17:52:29 2007
+++ src/crypto/dist/openssl/crypto/asn1/asn1_err.c Sun Jul 5 00:41:02 2009
@@ -188,6 +188,7 @@
{ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"},
{ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"},
{ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"},
+{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"},
{ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"},
{ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"},
{ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"},
@@ -267,6 +268,7 @@
{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
{ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"},
+{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"},
{ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"},
{ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"},
{ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"},
Index: src/crypto/dist/openssl/crypto/asn1/tasn_dec.c
diff -u src/crypto/dist/openssl/crypto/asn1/tasn_dec.c:1.6.2.1 src/crypto/dist/openssl/crypto/asn1/tasn_dec.c:1.6.2.1.2.1
--- src/crypto/dist/openssl/crypto/asn1/tasn_dec.c:1.6.2.1 Sat Aug 25 17:52:29 2007
+++ src/crypto/dist/openssl/crypto/asn1/tasn_dec.c Sun Jul 5 00:41:02 2009
@@ -611,7 +611,6 @@
err:
ASN1_template_free(val, tt);
- *val = NULL;
return 0;
}
@@ -758,7 +757,6 @@
err:
ASN1_template_free(val, tt);
- *val = NULL;
return 0;
}
@@ -1012,6 +1010,18 @@
case V_ASN1_SET:
case V_ASN1_SEQUENCE:
default:
+ if (utype == V_ASN1_BMPSTRING && (len & 1))
+ {
+ ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+ ASN1_R_BMPSTRING_IS_WRONG_LENGTH);
+ goto err;
+ }
+ if (utype == V_ASN1_UNIVERSALSTRING && (len & 3))
+ {
+ ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+ ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH);
+ goto err;
+ }
/* All based on ASN1_STRING and handled the same */
if (!*pval)
{
Index: src/crypto/dist/openssl/ssl/s2_clnt.c
diff -u src/crypto/dist/openssl/ssl/s2_clnt.c:1.10 src/crypto/dist/openssl/ssl/s2_clnt.c:1.10.12.1
--- src/crypto/dist/openssl/ssl/s2_clnt.c:1.10 Mon Nov 13 21:55:36 2006
+++ src/crypto/dist/openssl/ssl/s2_clnt.c Sun Jul 5 00:41:02 2009
@@ -1044,7 +1044,7 @@
i=ssl_verify_cert_chain(s,sk);
- if ((s->verify_mode != SSL_VERIFY_NONE) && (!i))
+ if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0))
{
SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
goto err;
Index: src/crypto/dist/openssl/ssl/s2_srvr.c
diff -u src/crypto/dist/openssl/ssl/s2_srvr.c:1.8 src/crypto/dist/openssl/ssl/s2_srvr.c:1.8.14.1
--- src/crypto/dist/openssl/ssl/s2_srvr.c:1.8 Sat Jun 3 01:50:20 2006
+++ src/crypto/dist/openssl/ssl/s2_srvr.c Sun Jul 5 00:41:02 2009
@@ -1054,7 +1054,7 @@
i=ssl_verify_cert_chain(s,sk);
- if (i) /* we like the packet, now check the chksum */
+ if (i > 0) /* we like the packet, now check the chksum */
{
EVP_MD_CTX ctx;
EVP_PKEY *pkey=NULL;
@@ -1083,7 +1083,7 @@
EVP_PKEY_free(pkey);
EVP_MD_CTX_cleanup(&ctx);
- if (i)
+ if (i > 0)
{
if (s->session->peer != NULL)
X509_free(s->session->peer);
Index: src/crypto/dist/openssl/ssl/s3_clnt.c
diff -u src/crypto/dist/openssl/ssl/s3_clnt.c:1.9.4.1 src/crypto/dist/openssl/ssl/s3_clnt.c:1.9.4.1.2.1
--- src/crypto/dist/openssl/ssl/s3_clnt.c:1.9.4.1 Sat Aug 25 17:53:00 2007
+++ src/crypto/dist/openssl/ssl/s3_clnt.c Sun Jul 5 00:41:02 2009
@@ -883,7 +883,7 @@
}
i=ssl_verify_cert_chain(s,sk);
- if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)
+ if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)
#ifndef OPENSSL_NO_KRB5
&& (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK))
!= (SSL_aKRB5|SSL_kKRB5)
@@ -1368,7 +1368,7 @@
EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
EVP_VerifyUpdate(&md_ctx,param,param_len);
- if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey))
+ if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0)
{
/* bad signature */
al=SSL_AD_DECRYPT_ERROR;
Index: src/crypto/dist/openssl/ssl/s3_srvr.c
diff -u src/crypto/dist/openssl/ssl/s3_srvr.c:1.13.2.1 src/crypto/dist/openssl/ssl/s3_srvr.c:1.13.2.1.2.1
--- src/crypto/dist/openssl/ssl/s3_srvr.c:1.13.2.1 Sat Aug 25 17:53:01 2007
+++ src/crypto/dist/openssl/ssl/s3_srvr.c Sun Jul 5 00:41:02 2009
@@ -2481,7 +2481,7 @@
else
{
i=ssl_verify_cert_chain(s,sk);
- if (!i)
+ if (i <= 0)
{
al=ssl_verify_alarm_type(s->verify_result);
SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);
Index: src/crypto/dist/openssl/ssl/ssltest.c
diff -u src/crypto/dist/openssl/ssl/ssltest.c:1.9 src/crypto/dist/openssl/ssl/ssltest.c:1.9.14.1
--- src/crypto/dist/openssl/ssl/ssltest.c:1.9 Sat Jun 3 01:50:20 2006
+++ src/crypto/dist/openssl/ssl/ssltest.c Sun Jul 5 00:41:03 2009
@@ -2072,7 +2072,7 @@
if (cb_arg->proxy_auth)
{
- if (ok)
+ if (ok > 0)
{
const char *cond_end = NULL;
