3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
313 lines
10 KiB
Diff
313 lines
10 KiB
Diff
Index: crypto/openssl/crypto/asn1/tasn_dec.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/asn1/tasn_dec.c,v
|
|
retrieving revision 1.1.1.2
|
|
diff -u -I__FBSDID -r1.1.1.2 tasn_dec.c
|
|
--- crypto/openssl/crypto/asn1/tasn_dec.c 1 Oct 2003 12:32:37 -0000 1.1.1.2
|
|
+++ crypto/openssl/crypto/asn1/tasn_dec.c 27 Sep 2006 07:03:22 -0000
|
|
@@ -628,6 +628,9 @@
|
|
ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
|
|
return 0;
|
|
} else if(ret == -1) return -1;
|
|
+
|
|
+ ret = 0;
|
|
+
|
|
/* SEQUENCE, SET and "OTHER" are left in encoded form */
|
|
if((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
|
|
/* Clear context cache for type OTHER because the auto clear when
|
|
Index: crypto/openssl/crypto/dh/dh.h
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/dh/dh.h,v
|
|
retrieving revision 1.1.1.6
|
|
diff -u -I__FBSDID -r1.1.1.6 dh.h
|
|
--- crypto/openssl/crypto/dh/dh.h 28 Jan 2003 21:21:24 -0000 1.1.1.6
|
|
+++ crypto/openssl/crypto/dh/dh.h 27 Sep 2006 07:03:22 -0000
|
|
@@ -70,6 +70,10 @@
|
|
#include <openssl/crypto.h>
|
|
#include <openssl/ossl_typ.h>
|
|
|
|
+#ifndef OPENSSL_DH_MAX_MODULUS_BITS
|
|
+# define OPENSSL_DH_MAX_MODULUS_BITS 10000
|
|
+#endif
|
|
+
|
|
#define DH_FLAG_CACHE_MONT_P 0x01
|
|
|
|
#ifdef __cplusplus
|
|
@@ -200,6 +204,7 @@
|
|
/* Reason codes. */
|
|
#define DH_R_BAD_GENERATOR 101
|
|
#define DH_R_NO_PRIVATE_VALUE 100
|
|
+#define DH_R_MODULUS_TOO_LARGE 103
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
Index: crypto/openssl/crypto/dh/dh_err.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/dh/dh_err.c,v
|
|
retrieving revision 1.1.1.5
|
|
diff -u -I__FBSDID -r1.1.1.5 dh_err.c
|
|
--- crypto/openssl/crypto/dh/dh_err.c 25 Feb 2005 05:34:36 -0000 1.1.1.5
|
|
+++ crypto/openssl/crypto/dh/dh_err.c 27 Sep 2006 07:03:22 -0000
|
|
@@ -78,6 +78,7 @@
|
|
static ERR_STRING_DATA DH_str_reasons[]=
|
|
{
|
|
{DH_R_BAD_GENERATOR ,"bad generator"},
|
|
+{DH_R_MODULUS_TOO_LARGE ,"modulus too large"},
|
|
{DH_R_NO_PRIVATE_VALUE ,"no private value"},
|
|
{0,NULL}
|
|
};
|
|
Index: crypto/openssl/crypto/dh/dh_key.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/dh/dh_key.c,v
|
|
retrieving revision 1.1.1.9
|
|
diff -u -I__FBSDID -r1.1.1.9 dh_key.c
|
|
--- crypto/openssl/crypto/dh/dh_key.c 25 Feb 2005 05:34:37 -0000 1.1.1.9
|
|
+++ crypto/openssl/crypto/dh/dh_key.c 27 Sep 2006 07:03:22 -0000
|
|
@@ -164,6 +164,12 @@
|
|
BIGNUM *tmp;
|
|
int ret= -1;
|
|
|
|
+ if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)
|
|
+ {
|
|
+ DHerr(DH_F_DH_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
ctx = BN_CTX_new();
|
|
if (ctx == NULL) goto err;
|
|
BN_CTX_start(ctx);
|
|
Index: crypto/openssl/crypto/dsa/dsa.h
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/dsa/dsa.h,v
|
|
retrieving revision 1.1.1.7
|
|
diff -u -I__FBSDID -r1.1.1.7 dsa.h
|
|
--- crypto/openssl/crypto/dsa/dsa.h 25 Feb 2005 05:34:39 -0000 1.1.1.7
|
|
+++ crypto/openssl/crypto/dsa/dsa.h 27 Sep 2006 07:03:23 -0000
|
|
@@ -79,6 +79,10 @@
|
|
# include <openssl/dh.h>
|
|
#endif
|
|
|
|
+#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
|
|
+# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
|
|
+#endif
|
|
+
|
|
#define DSA_FLAG_CACHE_MONT_P 0x01
|
|
|
|
#if defined(OPENSSL_FIPS)
|
|
@@ -245,8 +249,10 @@
|
|
#define DSA_F_SIG_CB 114
|
|
|
|
/* Reason codes. */
|
|
+#define DSA_R_BAD_Q_VALUE 102
|
|
#define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
|
|
#define DSA_R_MISSING_PARAMETERS 101
|
|
+#define DSA_R_MODULUS_TOO_LARGE 103
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
Index: crypto/openssl/crypto/dsa/dsa_err.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/dsa/dsa_err.c,v
|
|
retrieving revision 1.1.1.4
|
|
diff -u -I__FBSDID -r1.1.1.4 dsa_err.c
|
|
--- crypto/openssl/crypto/dsa/dsa_err.c 28 Jan 2003 21:21:31 -0000 1.1.1.4
|
|
+++ crypto/openssl/crypto/dsa/dsa_err.c 27 Sep 2006 07:03:23 -0000
|
|
@@ -85,8 +85,10 @@
|
|
|
|
static ERR_STRING_DATA DSA_str_reasons[]=
|
|
{
|
|
+{DSA_R_BAD_Q_VALUE ,"bad q value"},
|
|
{DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE ,"data too large for key size"},
|
|
{DSA_R_MISSING_PARAMETERS ,"missing parameters"},
|
|
+{DSA_R_MODULUS_TOO_LARGE ,"modulus too large"},
|
|
{0,NULL}
|
|
};
|
|
|
|
Index: crypto/openssl/crypto/dsa/dsa_ossl.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/dsa/dsa_ossl.c,v
|
|
retrieving revision 1.1.1.8
|
|
diff -u -I__FBSDID -r1.1.1.8 dsa_ossl.c
|
|
--- crypto/openssl/crypto/dsa/dsa_ossl.c 25 Feb 2005 05:34:40 -0000 1.1.1.8
|
|
+++ crypto/openssl/crypto/dsa/dsa_ossl.c 27 Sep 2006 07:03:23 -0000
|
|
@@ -245,6 +245,18 @@
|
|
return -1;
|
|
}
|
|
|
|
+ if (BN_num_bits(dsa->q) != 160)
|
|
+ {
|
|
+ DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
|
|
+ {
|
|
+ DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
BN_init(&u1);
|
|
BN_init(&u2);
|
|
BN_init(&t1);
|
|
Index: crypto/openssl/crypto/rsa/rsa.h
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/rsa/rsa.h,v
|
|
retrieving revision 1.11
|
|
diff -u -I__FBSDID -r1.11 rsa.h
|
|
--- crypto/openssl/crypto/rsa/rsa.h 25 Feb 2005 05:49:43 -0000 1.11
|
|
+++ crypto/openssl/crypto/rsa/rsa.h 27 Sep 2006 07:03:23 -0000
|
|
@@ -155,6 +155,17 @@
|
|
BN_BLINDING *blinding;
|
|
};
|
|
|
|
+#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
|
|
+# define OPENSSL_RSA_MAX_MODULUS_BITS 16400
|
|
+#endif
|
|
+
|
|
+#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
|
|
+# define OPENSSL_RSA_SMALL_MODULUS_BITS 4112
|
|
+#endif
|
|
+#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
|
|
+# define OPENSSL_RSA_MAX_PUBEXP_BITS 72 /* exponent limit enforced for "large" modulus only */
|
|
+#endif
|
|
+
|
|
#define RSA_3 0x3L
|
|
#define RSA_F4 0x10001L
|
|
|
|
@@ -348,6 +359,7 @@
|
|
#define RSA_R_INVALID_MESSAGE_LENGTH 131
|
|
#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
|
|
#define RSA_R_KEY_SIZE_TOO_SMALL 120
|
|
+#define RSA_R_MODULUS_TOO_LARGE 105
|
|
#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
|
|
#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
|
|
#define RSA_R_OAEP_DECODING_ERROR 121
|
|
Index: crypto/openssl/crypto/rsa/rsa_eay.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/rsa/rsa_eay.c,v
|
|
retrieving revision 1.13
|
|
diff -u -I__FBSDID -r1.13 rsa_eay.c
|
|
--- crypto/openssl/crypto/rsa/rsa_eay.c 25 Feb 2005 05:49:43 -0000 1.13
|
|
+++ crypto/openssl/crypto/rsa/rsa_eay.c 27 Sep 2006 07:03:24 -0000
|
|
@@ -105,6 +105,28 @@
|
|
unsigned char *buf=NULL;
|
|
BN_CTX *ctx=NULL;
|
|
|
|
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
|
|
+ {
|
|
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (BN_ucmp(rsa->n, rsa->e) <= 0)
|
|
+ {
|
|
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ /* for large moduli, enforce exponent limit */
|
|
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
|
|
+ {
|
|
+ if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
|
|
+ {
|
|
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
+
|
|
BN_init(&f);
|
|
BN_init(&ret);
|
|
if ((ctx=BN_CTX_new()) == NULL) goto err;
|
|
@@ -505,6 +527,28 @@
|
|
unsigned char *buf=NULL;
|
|
BN_CTX *ctx=NULL;
|
|
|
|
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
|
|
+ {
|
|
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if (BN_ucmp(rsa->n, rsa->e) <= 0)
|
|
+ {
|
|
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ /* for large moduli, enforce exponent limit */
|
|
+ if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
|
|
+ {
|
|
+ if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
|
|
+ {
|
|
+ RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
+
|
|
BN_init(&f);
|
|
BN_init(&ret);
|
|
ctx=BN_CTX_new();
|
|
Index: crypto/openssl/crypto/rsa/rsa_err.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/rsa/rsa_err.c,v
|
|
retrieving revision 1.1.1.4
|
|
diff -u -I__FBSDID -r1.1.1.4 rsa_err.c
|
|
--- crypto/openssl/crypto/rsa/rsa_err.c 28 Jan 2003 21:28:58 -0000 1.1.1.4
|
|
+++ crypto/openssl/crypto/rsa/rsa_err.c 27 Sep 2006 07:03:24 -0000
|
|
@@ -116,6 +116,7 @@
|
|
{RSA_R_INVALID_MESSAGE_LENGTH ,"invalid message length"},
|
|
{RSA_R_IQMP_NOT_INVERSE_OF_Q ,"iqmp not inverse of q"},
|
|
{RSA_R_KEY_SIZE_TOO_SMALL ,"key size too small"},
|
|
+{RSA_R_MODULUS_TOO_LARGE ,"modulus too large"},
|
|
{RSA_R_NULL_BEFORE_BLOCK_MISSING ,"null before block missing"},
|
|
{RSA_R_N_DOES_NOT_EQUAL_P_Q ,"n does not equal p q"},
|
|
{RSA_R_OAEP_DECODING_ERROR ,"oaep decoding error"},
|
|
Index: crypto/openssl/ssl/s2_clnt.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/ssl/s2_clnt.c,v
|
|
retrieving revision 1.13
|
|
diff -u -I__FBSDID -r1.13 s2_clnt.c
|
|
--- crypto/openssl/ssl/s2_clnt.c 25 Feb 2005 05:49:43 -0000 1.13
|
|
+++ crypto/openssl/ssl/s2_clnt.c 27 Sep 2006 07:03:24 -0000
|
|
@@ -538,7 +538,8 @@
|
|
CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
|
|
}
|
|
|
|
- if (s->session->peer != s->session->sess_cert->peer_key->x509)
|
|
+ if (s->session->sess_cert == NULL
|
|
+ || s->session->peer != s->session->sess_cert->peer_key->x509)
|
|
/* can't happen */
|
|
{
|
|
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
|
|
Index: crypto/openssl/ssl/s3_srvr.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/ssl/s3_srvr.c,v
|
|
retrieving revision 1.1.1.14
|
|
diff -u -I__FBSDID -r1.1.1.14 s3_srvr.c
|
|
--- crypto/openssl/ssl/s3_srvr.c 25 Feb 2005 05:38:27 -0000 1.1.1.14
|
|
+++ crypto/openssl/ssl/s3_srvr.c 27 Sep 2006 07:03:25 -0000
|
|
@@ -1733,7 +1733,7 @@
|
|
|
|
if (kssl_ctx->client_princ)
|
|
{
|
|
- int len = strlen(kssl_ctx->client_princ);
|
|
+ size_t len = strlen(kssl_ctx->client_princ);
|
|
if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
|
|
{
|
|
s->session->krb5_client_princ_len = len;
|
|
Index: crypto/openssl/ssl/ssl_lib.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/ssl/ssl_lib.c,v
|
|
retrieving revision 1.1.1.12
|
|
diff -u -I__FBSDID -r1.1.1.12 ssl_lib.c
|
|
--- crypto/openssl/ssl/ssl_lib.c 25 Feb 2005 05:38:37 -0000 1.1.1.12
|
|
+++ crypto/openssl/ssl/ssl_lib.c 27 Sep 2006 07:03:26 -0000
|
|
@@ -1167,7 +1167,7 @@
|
|
c=sk_SSL_CIPHER_value(sk,i);
|
|
for (cp=c->name; *cp; )
|
|
{
|
|
- if (len-- == 0)
|
|
+ if (len-- <= 0)
|
|
{
|
|
*p='\0';
|
|
return(buf);
|