Add advisory and patches for SA-15:26.openssl.

svn path=/head/; revision=47823

share/security/patches/SA-15:26/openssl-10.1.patch

@@ -0,0 +1,99 @@
+Index: crypto/openssl/crypto/asn1/tasn_dec.c
+===================================================================
+--- crypto/openssl/crypto/asn1/tasn_dec.c	(revision 291751)
++++ crypto/openssl/crypto/asn1/tasn_dec.c	(working copy)
+@@ -169,6 +169,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsi
+ 	int otag;
+ 	int ret = 0;
+ 	ASN1_VALUE **pchptr, *ptmpval;
++	int combine = aclass & ASN1_TFLG_COMBINE;
++	aclass &= ~ASN1_TFLG_COMBINE;
+ 	if (!pval)
+ 		return 0;
+ 	if (aux && aux->asn1_cb)
+@@ -534,7 +536,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsi
+ 	auxerr:
+ 	ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+ 	err:
+-	ASN1_item_ex_free(pval, it);
++	if (combine == 0)
++		ASN1_item_ex_free(pval, it);
+ 	if (errtt)
+ 		ERR_add_error_data(4, "Field=", errtt->field_name,
+ 					", Type=", it->sname);
+@@ -762,7 +765,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **va
+ 		{
+ 		/* Nothing special */
+ 		ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+-							-1, 0, opt, ctx);
++							-1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+ 		if (!ret)
+ 			{
+ 			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
+Index: crypto/openssl/crypto/rsa/rsa_ameth.c
+===================================================================
+--- crypto/openssl/crypto/rsa/rsa_ameth.c	(revision 291751)
++++ crypto/openssl/crypto/rsa/rsa_ameth.c	(working copy)
+@@ -287,7 +287,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const X509_A
+ 		{
+ 		ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
+ 		if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
+-			&& param->type == V_ASN1_SEQUENCE)
++			&& param && param->type == V_ASN1_SEQUENCE)
+ 			{
+ 			p = param->value.sequence->data;
+ 			plen = param->value.sequence->length;
+Index: crypto/openssl/ssl/s3_clnt.c
+===================================================================
+--- crypto/openssl/ssl/s3_clnt.c	(revision 291751)
++++ crypto/openssl/ssl/s3_clnt.c	(working copy)
+@@ -1360,8 +1360,6 @@ int ssl3_get_key_exchange(SSL *s)
+ #ifndef OPENSSL_NO_PSK
+ 	if (alg_k & SSL_kPSK)
+ 		{
+-		char tmp_id_hint[PSK_MAX_IDENTITY_LEN+1];
+-
+ 		param_len = 2;
+ 		if (param_len > n)
+ 			{
+@@ -1390,16 +1388,8 @@ int ssl3_get_key_exchange(SSL *s)
+ 			}
+ 		param_len += i;
+ 
+-		/* If received PSK identity hint contains NULL
+-		 * characters, the hint is truncated from the first
+-		 * NULL. p may not be ending with NULL, so create a
+-		 * NULL-terminated string. */
+-		memcpy(tmp_id_hint, p, i);
+-		memset(tmp_id_hint+i, 0, PSK_MAX_IDENTITY_LEN+1-i);
+-		if (s->ctx->psk_identity_hint != NULL)
+-			OPENSSL_free(s->ctx->psk_identity_hint);
+-		s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
+-		if (s->ctx->psk_identity_hint == NULL)
++		s->session->psk_identity_hint = BUF_strndup((char *)p, i);
++		if (s->session->psk_identity_hint == NULL)
+ 			{
+ 			al=SSL_AD_HANDSHAKE_FAILURE;
+ 			SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_MALLOC_FAILURE);
+@@ -3009,7 +2999,7 @@ int ssl3_send_client_key_exchange(SSL *s)
+ 				}
+ 
+ 			memset(identity, 0, sizeof(identity));
+-			psk_len = s->psk_client_callback(s, s->ctx->psk_identity_hint,
++			psk_len = s->psk_client_callback(s, s->session->psk_identity_hint,
+ 				identity, sizeof(identity) - 1,
+ 				psk_or_pre_ms, sizeof(psk_or_pre_ms));
+ 			if (psk_len > PSK_MAX_PSK_LEN)
+Index: crypto/openssl/ssl/s3_srvr.c
+===================================================================
+--- crypto/openssl/ssl/s3_srvr.c	(revision 291751)
++++ crypto/openssl/ssl/s3_srvr.c	(working copy)
+@@ -2827,7 +2827,7 @@ int ssl3_get_client_key_exchange(SSL *s)
+ 
+ 			if (s->session->psk_identity != NULL)
+ 				OPENSSL_free(s->session->psk_identity);
+-			s->session->psk_identity = BUF_strdup((char *)p);
++			s->session->psk_identity = BUF_strndup((char *)p, i);
+ 			if (s->session->psk_identity == NULL)
+ 				{
+ 				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,

share/security/patches/SA-15:26/openssl-10.1.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAABCgAGBQJWYrONAAoJEO1n7NZdz2rnDDsP+wWOZMMicG+mxEJkj11+dN+y
+04zWcfalpz92mE9OfrHSNOqGvA4iGRuMpbcXPJv0sdXvQsVmF31eo7rt7I2eyNVy
+xrYSzitW7zLHkj5bELMwwLB5LMnYqZRAhFPQ3DL6JRfTWxWgH6rU79J47dLlZ10/
+3uEoK2mxMpAxSQ6VvShXzuyqOhvJgZoSLdBqEqnl7q42Dk/A3cYojuwvvhhk0Ira
+xlDA2jzz1X/2dS53TaxpxVW4FIr831QuFZluqfGEuVGVVq9zKPvFOrytYysa/8vx
+eUMVUlHFJ+xFNNIaNshELDptTFx7znwWImYy3pK9cl2N8aFpWFMymQKR6V48Y8zR
+uDxW1DWDSRtRKf3PpyrBdsaimIJjrNtbjErmTokvFbcIV9s86EWi0vVXhs693sQ4
+exzns5cVE8bdxC5KdXBkqgrsTripNPIsUlZkI8wB2jPCWjqA+PTepio/W6yT/pGR
+mrTmTWKoH21vhKDYlRYyinz1BUGjShbSR31ClkLpJNpXzKlnnQ96liGe8VJwTQmS
+UbpJhODsMNgYBoJGuQrw+tFmkbjRBLtMjemReLF0AUKsDzg3Brl8leH2zklm5Nsp
+lU++r1XGWZuVIj687w6ObtUqg4Oa7V1CdwvHxt2UoCX+sK7siIsKqPqYDeKc+ToG
+8Z0e5mZabsYPVSdh/UoL
+=OObW
+-----END PGP SIGNATURE-----

share/security/patches/SA-15:26/openssl-10.2.patch

@@ -0,0 +1,45 @@
+Index: crypto/openssl/crypto/asn1/tasn_dec.c
+===================================================================
+--- crypto/openssl/crypto/asn1/tasn_dec.c	(revision 291751)
++++ crypto/openssl/crypto/asn1/tasn_dec.c	(working copy)
+@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsi
+     int otag;
+     int ret = 0;
+     ASN1_VALUE **pchptr, *ptmpval;
++    int combine = aclass & ASN1_TFLG_COMBINE;
++    aclass &= ~ASN1_TFLG_COMBINE;
+     if (!pval)
+         return 0;
+     if (aux && aux->asn1_cb)
+@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsi
+  auxerr:
+     ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+  err:
+-    ASN1_item_ex_free(pval, it);
++    if (combine == 0)
++        ASN1_item_ex_free(pval, it);
+     if (errtt)
+         ERR_add_error_data(4, "Field=", errtt->field_name,
+                            ", Type=", it->sname);
+@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **va
+     } else {
+         /* Nothing special */
+         ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+-                               -1, 0, opt, ctx);
++                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+         if (!ret) {
+             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
+             goto err;
+Index: crypto/openssl/crypto/rsa/rsa_ameth.c
+===================================================================
+--- crypto/openssl/crypto/rsa/rsa_ameth.c	(revision 291751)
++++ crypto/openssl/crypto/rsa/rsa_ameth.c	(working copy)
+@@ -279,7 +279,7 @@ static RSA_PSS_PARAMS *rsa_pss_decode(const X509_A
+     if (pss->maskGenAlgorithm) {
+         ASN1_TYPE *param = pss->maskGenAlgorithm->parameter;
+         if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1
+-            && param->type == V_ASN1_SEQUENCE) {
++            && param && param->type == V_ASN1_SEQUENCE) {
+             p = param->value.sequence->data;
+             plen = param->value.sequence->length;
+             *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen);

share/security/patches/SA-15:26/openssl-10.2.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAABCgAGBQJWYrOZAAoJEO1n7NZdz2rneXgQAKibSNQBuEk7NefLXohrSKsX
+PQD55JpxI65MqWLbfwRo5jMIXPnjtIYDMQT0sPFTADS+wSEYrmBTE2VfxM3h3VQP
+somTG2inRaK+JzD4Ry8eo2cyKXEnbONcc+lK0IRbJSKQYuFvg1zTPevtjgWjSUaD
+DW2PyAop5gLOiYwKBs3rqPv36RV4T7ZWCoM9c+ybSSQi1PQ3Tpw/Ccjc5mp8N+mj
+BcLw622/xl+WeVpWf3Ai1dg5u7b9cEu7BKpoALjqyjQcilui1Fzga+dsHGmXpXTh
+a85VJS+jG1nzaBD6ZM3CVsWe2HTlhakUiOrZfH+VrjPagWnXzKm+p9ov8Tp87RYr
+EG5rWrE2KTRf28s5uf/xDrrryGUxlnjoIK8a+BcX0cL4GAX9Yas3PHyIOd3d1Lz9
+KOxNBWtQVoDyJFnPvak9Aqt1GDROIaKOXaeuoCxMW5Ys0N4tZS+9wF4Ul8dwfcdQ
+BoFjtuej6qZcyeVQSmX5X2xENU/uuADc6fJoXiR1Xy/a3MwJ/S73vjlDxLutgCe2
+aiGbPUPRQF0hFx481Kn+/f+pp2Slxn4MRM46uCjGXAIYxItKax0kC3Ly3YkZXScu
+77Vge/9GL0pHUbeJimowu2xbiNEGCVJIPZbGQbfMuaLHjSmu70elcFCaceNjETYR
+rt3WjCL9VvJ7X6/8Pzxc
+=EMbB
+-----END PGP SIGNATURE-----

share/security/patches/SA-15:26/openssl-9.3.patch

@@ -0,0 +1,32 @@
+Index: crypto/openssl/crypto/asn1/tasn_dec.c
+===================================================================
+--- crypto/openssl/crypto/asn1/tasn_dec.c	(revision 291751)
++++ crypto/openssl/crypto/asn1/tasn_dec.c	(working copy)
+@@ -167,6 +167,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsi
+ 	int otag;
+ 	int ret = 0;
+ 	ASN1_VALUE **pchptr, *ptmpval;
++	int combine = aclass & ASN1_TFLG_COMBINE;
++	aclass &= ~ASN1_TFLG_COMBINE;
+ 	if (!pval)
+ 		return 0;
+ 	if (aux && aux->asn1_cb)
+@@ -532,7 +534,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsi
+ 	auxerr:
+ 	ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
+ 	err:
+-	ASN1_item_ex_free(pval, it);
++	if (combine == 0)
++		ASN1_item_ex_free(pval, it);
+ 	if (errtt)
+ 		ERR_add_error_data(4, "Field=", errtt->field_name,
+ 					", Type=", it->sname);
+@@ -758,7 +761,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **va
+ 		{
+ 		/* Nothing special */
+ 		ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
+-							-1, 0, opt, ctx);
++							-1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
+ 		if (!ret)
+ 			{
+ 			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,

share/security/patches/SA-15:26/openssl-9.3.patch.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.1.8 (FreeBSD)
+
+iQIcBAABCgAGBQJWYrOcAAoJEO1n7NZdz2rnacwQAKcafYRsZN53PevgCRkB4ncy
+xcHTOutAExUrx7mIS18MiculjEEKeVZNau/CksoXPupqzW5K3yja3Crw5jS2bl6u
+xN5BYoki5RxLcnwwcJPloHwFnpBkQS+/W0SKVwomXtjOmhsbetRAH6RK+iS3Vc+y
+T3i4I8pcJMeXxIMCV+ZTcfEH0BVoYwkHM1ncO/N4tdrGFUSz35JR+nJNAQZ7EL1s
+HmftsXzjoQqNlqhOdFTSubwqWdoPKBo1ql5wsAEvPskXuvPTQuUVB4onGkoBnGYI
+T+M8gP/LNRGksjzfIG09yTVqj/Zeu/lPWMwoEpzPseO6l03twUmHd4E4NgUr8mYZ
+AWHfCccM5g/1lvNOqSfHOxpKhlhRaOmISKhM1sAw04nX+Hqa6gNWsK2Or9avva6p
+BuYa5Sa5aEMzb8s4EAKeAPXqoUy62d6mlCd4oneCcM36445CbD22sh/Yco8xyr5p
+CHSLKPEcjWbckEREl880NgP2KMjk8L8s1S3hymYP4t3yhulhtlLdjEqp0rRc4wKn
+sDS7PT07PIRxZcSfyvYYrIV7cJuoFlidpJmMEPU5T5qG7+fBen5S0Uc147ZcC13F
+ofPqxctVZOwMQVkYkG64j/XY8O9Z3m1qlNRUtc4iZPM+wwqQM1lwuCZjVDj30PXO
+lUpmCtANfuny1Qz+8RDB
+=Drsr
+-----END PGP SIGNATURE-----