989d921f5d
I'm very pleased to announce the release of our new website and documentation using the new toolchain with Hugo and AsciiDoctor. To get more information about the new toolchain please read the FreeBSD Documentation Project Primer[1], Hugo docs[2] and AsciiDoctor docs[3]. Acknowledgment: Benedict Reuschling <bcr@> Glen Barber <gjb@> Hiroki Sato <hrs@> Li-Wen Hsu <lwhsu@> Sean Chittenden <seanc@> The FreeBSD Foundation [1] https://docs.FreeBSD.org/en/books/fdp-primer/ [2] https://gohugo.io/documentation/ [3] https://docs.asciidoctor.org/home/ Approved by: doceng, core
313 lines
10 KiB
Diff
313 lines
10 KiB
Diff
Index: crypto/openssl/crypto/asn1/tasn_dec.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/asn1/tasn_dec.c,v
|
|
retrieving revision 1.1.1.2
|
|
diff -u -I__FBSDID -r1.1.1.2 tasn_dec.c
|
|
--- crypto/openssl/crypto/asn1/tasn_dec.c 1 Oct 2003 12:32:37 -0000 1.1.1.2
|
|
+++ crypto/openssl/crypto/asn1/tasn_dec.c 27 Sep 2006 07:03:22 -0000
|
|
@@ -628,6 +628,9 @@
|
|
ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
|
|
return 0;
|
|
} else if(ret == -1) return -1;
|
|
+
|
|
+ ret = 0;
|
|
+
|
|
/* SEQUENCE, SET and "OTHER" are left in encoded form */
|
|
if((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
|
|
/* Clear context cache for type OTHER because the auto clear when
|
|
Index: crypto/openssl/crypto/dh/dh.h
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/dh/dh.h,v
|
|
retrieving revision 1.1.1.6
|
|
diff -u -I__FBSDID -r1.1.1.6 dh.h
|
|
--- crypto/openssl/crypto/dh/dh.h 28 Jan 2003 21:21:24 -0000 1.1.1.6
|
|
+++ crypto/openssl/crypto/dh/dh.h 27 Sep 2006 07:03:22 -0000
|
|
@@ -70,6 +70,10 @@
|
|
#include <openssl/crypto.h>
|
|
#include <openssl/ossl_typ.h>
|
|
|
|
+#ifndef OPENSSL_DH_MAX_MODULUS_BITS
|
|
+# define OPENSSL_DH_MAX_MODULUS_BITS 10000
|
|
+#endif
|
|
+
|
|
#define DH_FLAG_CACHE_MONT_P 0x01
|
|
|
|
#ifdef __cplusplus
|
|
@@ -200,6 +204,7 @@
|
|
/* Reason codes. */
|
|
#define DH_R_BAD_GENERATOR 101
|
|
#define DH_R_NO_PRIVATE_VALUE 100
|
|
+#define DH_R_MODULUS_TOO_LARGE 103
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
Index: crypto/openssl/crypto/dh/dh_err.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/dh/dh_err.c,v
|
|
retrieving revision 1.1.1.5
|
|
diff -u -I__FBSDID -r1.1.1.5 dh_err.c
|
|
--- crypto/openssl/crypto/dh/dh_err.c 25 Feb 2005 05:34:36 -0000 1.1.1.5
|
|
+++ crypto/openssl/crypto/dh/dh_err.c 27 Sep 2006 07:03:22 -0000
|
|
@@ -78,6 +78,7 @@
|
|
static ERR_STRING_DATA DH_str_reasons[]=
|
|
{
|
|
{DH_R_BAD_GENERATOR ,"bad generator"},
|
|
+{DH_R_MODULUS_TOO_LARGE ,"modulus too large"},
|
|
{DH_R_NO_PRIVATE_VALUE ,"no private value"},
|
|
{0,NULL}
|
|
};
|
|
Index: crypto/openssl/crypto/dh/dh_key.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/dh/dh_key.c,v
|
|
retrieving revision 1.1.1.9
|
|
diff -u -I__FBSDID -r1.1.1.9 dh_key.c
|
|
--- crypto/openssl/crypto/dh/dh_key.c 25 Feb 2005 05:34:37 -0000 1.1.1.9
|
|
+++ crypto/openssl/crypto/dh/dh_key.c 27 Sep 2006 07:03:22 -0000
|
|
@@ -164,6 +164,12 @@
|
|
BIGNUM *tmp;
|
|
int ret= -1;
|
|
|
|
+ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)
|
|
+ {
|
|
+ DHerr(DH_F_DH_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
ctx = BN_CTX_new();
|
|
if (ctx == NULL) goto err;
|
|
BN_CTX_start(ctx);
|
|
Index: crypto/openssl/crypto/dsa/dsa.h
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/dsa/dsa.h,v
|
|
retrieving revision 1.1.1.7
|
|
diff -u -I__FBSDID -r1.1.1.7 dsa.h
|
|
--- crypto/openssl/crypto/dsa/dsa.h 25 Feb 2005 05:34:39 -0000 1.1.1.7
|
|
+++ crypto/openssl/crypto/dsa/dsa.h 27 Sep 2006 07:03:23 -0000
|
|
@@ -79,6 +79,10 @@
|
|
# include <openssl/dh.h>
|
|
#endif
|
|
|
|
+#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
|
|
+# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
|
|
+#endif
|
|
+
|
|
#define DSA_FLAG_CACHE_MONT_P 0x01
|
|
|
|
#if defined(OPENSSL_FIPS)
|
|
@@ -245,8 +249,10 @@
|
|
#define DSA_F_SIG_CB 114
|
|
|
|
/* Reason codes. */
|
|
+#define DSA_R_BAD_Q_VALUE 102
|
|
#define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
|
|
#define DSA_R_MISSING_PARAMETERS 101
|
|
+#define DSA_R_MODULUS_TOO_LARGE 103
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
Index: crypto/openssl/crypto/dsa/dsa_err.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/dsa/dsa_err.c,v
|
|
retrieving revision 1.1.1.4
|
|
diff -u -I__FBSDID -r1.1.1.4 dsa_err.c
|
|
--- crypto/openssl/crypto/dsa/dsa_err.c 28 Jan 2003 21:21:31 -0000 1.1.1.4
|
|
+++ crypto/openssl/crypto/dsa/dsa_err.c 27 Sep 2006 07:03:23 -0000
|
|
@@ -85,8 +85,10 @@
|
|
|
|
static ERR_STRING_DATA DSA_str_reasons[]=
|
|
{
|
|
+{DSA_R_BAD_Q_VALUE ,"bad q value"},
|
|
{DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE ,"data too large for key size"},
|
|
{DSA_R_MISSING_PARAMETERS ,"missing parameters"},
|
|
+{DSA_R_MODULUS_TOO_LARGE ,"modulus too large"},
|
|
{0,NULL}
|
|
};
|
|
|
|
Index: crypto/openssl/crypto/dsa/dsa_ossl.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/dsa/dsa_ossl.c,v
|
|
retrieving revision 1.1.1.8
|
|
diff -u -I__FBSDID -r1.1.1.8 dsa_ossl.c
|
|
--- crypto/openssl/crypto/dsa/dsa_ossl.c 25 Feb 2005 05:34:40 -0000 1.1.1.8
|
|
+++ crypto/openssl/crypto/dsa/dsa_ossl.c 27 Sep 2006 07:03:23 -0000
|
|
@@ -245,6 +245,18 @@
|
|
return -1;
|
|
}
|
|
|
|
+ if (BN_num_bits(dsa->q) != 160)
|
|
+ {
|
|
+ DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
|
|
+ {
|
|
+ DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
BN_init(&u1);
|
|
BN_init(&u2);
|
|
BN_init(&t1);
|
|
Index: crypto/openssl/crypto/rsa/rsa.h
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/rsa/rsa.h,v
|
|
retrieving revision 1.11
|
|
diff -u -I__FBSDID -r1.11 rsa.h
|
|
--- crypto/openssl/crypto/rsa/rsa.h 25 Feb 2005 05:49:43 -0000 1.11
|
|
+++ crypto/openssl/crypto/rsa/rsa.h 27 Sep 2006 07:03:23 -0000
|
|
@@ -155,6 +155,17 @@
|
|
BN_BLINDING *blinding;
|
|
};
|
|
|
|
+#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
|
|
+# define OPENSSL_RSA_MAX_MODULUS_BITS 16400
|
|
+#endif
|
|
+
|
|
+#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
|
|
+# define OPENSSL_RSA_SMALL_MODULUS_BITS 4112
|
|
+#endif
|
|
+#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
|
|
+# define OPENSSL_RSA_MAX_PUBEXP_BITS 72 /* exponent limit enforced for "large" modulus only */
|
|
+#endif
|
|
+
|
|
#define RSA_3 0x3L
|
|
#define RSA_F4 0x10001L
|
|
|
|
@@ -348,6 +359,7 @@
|
|
#define RSA_R_INVALID_MESSAGE_LENGTH 131
|
|
#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
|
|
#define RSA_R_KEY_SIZE_TOO_SMALL 120
|
|
+#define RSA_R_MODULUS_TOO_LARGE 105
|
|
#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
|
|
#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
|
|
#define RSA_R_OAEP_DECODING_ERROR 121
|
|
Index: crypto/openssl/crypto/rsa/rsa_eay.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/rsa/rsa_eay.c,v
|
|
retrieving revision 1.13
|
|
diff -u -I__FBSDID -r1.13 rsa_eay.c
|
|
--- crypto/openssl/crypto/rsa/rsa_eay.c 25 Feb 2005 05:49:43 -0000 1.13
|
|
+++ crypto/openssl/crypto/rsa/rsa_eay.c 27 Sep 2006 07:03:24 -0000
|
|
@@ -105,6 +105,28 @@
|
|
unsigned char *buf=NULL;
|
|
BN_CTX *ctx=NULL;
|
|
|
|
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
|
|
+ {
|
|
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (BN_ucmp(rsa->n, rsa->e) <= 0)
|
|
+ {
|
|
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ /* for large moduli, enforce exponent limit */
|
|
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
|
|
+ {
|
|
+ if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
|
|
+ {
|
|
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
+
|
|
BN_init(&f);
|
|
BN_init(&ret);
|
|
if ((ctx=BN_CTX_new()) == NULL) goto err;
|
|
@@ -505,6 +527,28 @@
|
|
unsigned char *buf=NULL;
|
|
BN_CTX *ctx=NULL;
|
|
|
|
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
|
|
+ {
|
|
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (BN_ucmp(rsa->n, rsa->e) <= 0)
|
|
+ {
|
|
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ /* for large moduli, enforce exponent limit */
|
|
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
|
|
+ {
|
|
+ if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
|
|
+ {
|
|
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
+
|
|
BN_init(&f);
|
|
BN_init(&ret);
|
|
ctx=BN_CTX_new();
|
|
Index: crypto/openssl/crypto/rsa/rsa_err.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/rsa/rsa_err.c,v
|
|
retrieving revision 1.1.1.4
|
|
diff -u -I__FBSDID -r1.1.1.4 rsa_err.c
|
|
--- crypto/openssl/crypto/rsa/rsa_err.c 28 Jan 2003 21:28:58 -0000 1.1.1.4
|
|
+++ crypto/openssl/crypto/rsa/rsa_err.c 27 Sep 2006 07:03:24 -0000
|
|
@@ -116,6 +116,7 @@
|
|
{RSA_R_INVALID_MESSAGE_LENGTH ,"invalid message length"},
|
|
{RSA_R_IQMP_NOT_INVERSE_OF_Q ,"iqmp not inverse of q"},
|
|
{RSA_R_KEY_SIZE_TOO_SMALL ,"key size too small"},
|
|
+{RSA_R_MODULUS_TOO_LARGE ,"modulus too large"},
|
|
{RSA_R_NULL_BEFORE_BLOCK_MISSING ,"null before block missing"},
|
|
{RSA_R_N_DOES_NOT_EQUAL_P_Q ,"n does not equal p q"},
|
|
{RSA_R_OAEP_DECODING_ERROR ,"oaep decoding error"},
|
|
Index: crypto/openssl/ssl/s2_clnt.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/ssl/s2_clnt.c,v
|
|
retrieving revision 1.13
|
|
diff -u -I__FBSDID -r1.13 s2_clnt.c
|
|
--- crypto/openssl/ssl/s2_clnt.c 25 Feb 2005 05:49:43 -0000 1.13
|
|
+++ crypto/openssl/ssl/s2_clnt.c 27 Sep 2006 07:03:24 -0000
|
|
@@ -538,7 +538,8 @@
|
|
CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
|
|
}
|
|
|
|
- if (s->session->peer != s->session->sess_cert->peer_key->x509)
|
|
+ if (s->session->sess_cert == NULL
|
|
+ || s->session->peer != s->session->sess_cert->peer_key->x509)
|
|
/* can't happen */
|
|
{
|
|
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
|
|
Index: crypto/openssl/ssl/s3_srvr.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/ssl/s3_srvr.c,v
|
|
retrieving revision 1.1.1.14
|
|
diff -u -I__FBSDID -r1.1.1.14 s3_srvr.c
|
|
--- crypto/openssl/ssl/s3_srvr.c 25 Feb 2005 05:38:27 -0000 1.1.1.14
|
|
+++ crypto/openssl/ssl/s3_srvr.c 27 Sep 2006 07:03:25 -0000
|
|
@@ -1733,7 +1733,7 @@
|
|
|
|
if (kssl_ctx->client_princ)
|
|
{
|
|
- int len = strlen(kssl_ctx->client_princ);
|
|
+ size_t len = strlen(kssl_ctx->client_princ);
|
|
if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
|
|
{
|
|
s->session->krb5_client_princ_len = len;
|
|
Index: crypto/openssl/ssl/ssl_lib.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/ssl/ssl_lib.c,v
|
|
retrieving revision 1.1.1.12
|
|
diff -u -I__FBSDID -r1.1.1.12 ssl_lib.c
|
|
--- crypto/openssl/ssl/ssl_lib.c 25 Feb 2005 05:38:37 -0000 1.1.1.12
|
|
+++ crypto/openssl/ssl/ssl_lib.c 27 Sep 2006 07:03:26 -0000
|
|
@@ -1167,7 +1167,7 @@
|
|
c=sk_SSL_CIPHER_value(sk,i);
|
|
for (cp=c->name; *cp; )
|
|
{
|
|
- if (len-- == 0)
|
|
+ if (len-- <= 0)
|
|
{
|
|
*p='\0';
|
|
return(buf);
|