From owner-svn-src-vendor@freebsd.org Tue May 3 18:00:31 2016 Return-Path: Delivered-To: svn-src-vendor@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 66E07B2CF98; Tue, 3 May 2016 18:00:31 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id F1A081C06; Tue, 3 May 2016 18:00:30 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u43I0Un3027849; Tue, 3 May 2016 18:00:30 GMT (envelope-from jkim@FreeBSD.org) Received: (from jkim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u43I0R66027818; Tue, 3 May 2016 18:00:27 GMT (envelope-from jkim@FreeBSD.org) Message-Id: <201605031800.u43I0R66027818@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jkim set sender to jkim@FreeBSD.org using -f 
From: Jung-uk Kim Date: Tue, 3 May 2016 18:00:27 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r298991 - in vendor-crypto/openssl/dist: . apps crypto crypto/aes/asm crypto/asn1 crypto/bn/asm crypto/comp crypto/evp crypto/modes/asm crypto/pem crypto/perlasm crypto/sha/asm crypto/x... X-SVN-Group: vendor-crypto MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-vendor@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the vendor work area tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 May 2016 18:00:31 -0000 Author: jkim Date: Tue May 3 18:00:27 2016 New Revision: 298991 URL: https://svnweb.freebsd.org/changeset/base/298991 Log: Import OpenSSL 1.0.2h. Added: vendor-crypto/openssl/dist/doc/crypto/EVP_EncodeInit.pod vendor-crypto/openssl/dist/doc/ssl/SSL_CTX_set_alpn_select_cb.pod Modified: vendor-crypto/openssl/dist/CHANGES vendor-crypto/openssl/dist/FREEBSD-upgrade vendor-crypto/openssl/dist/Makefile vendor-crypto/openssl/dist/NEWS vendor-crypto/openssl/dist/README vendor-crypto/openssl/dist/apps/pkcs7.c vendor-crypto/openssl/dist/crypto/aes/asm/aes-ppc.pl vendor-crypto/openssl/dist/crypto/aes/asm/aes-s390x.pl vendor-crypto/openssl/dist/crypto/asn1/a_bytes.c vendor-crypto/openssl/dist/crypto/asn1/a_d2i_fp.c vendor-crypto/openssl/dist/crypto/asn1/a_type.c vendor-crypto/openssl/dist/crypto/asn1/asn1_lib.c vendor-crypto/openssl/dist/crypto/asn1/asn1_par.c vendor-crypto/openssl/dist/crypto/asn1/t_x509.c vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c vendor-crypto/openssl/dist/crypto/asn1/tasn_enc.c vendor-crypto/openssl/dist/crypto/asn1/x_name.c vendor-crypto/openssl/dist/crypto/asn1/x_x509.c vendor-crypto/openssl/dist/crypto/bn/asm/ppc-mont.pl vendor-crypto/openssl/dist/crypto/bn/asm/ppc.pl 
vendor-crypto/openssl/dist/crypto/bn/asm/ppc64-mont.pl vendor-crypto/openssl/dist/crypto/bn/asm/x86-mont.pl vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont.pl vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont5.pl vendor-crypto/openssl/dist/crypto/comp/comp.h vendor-crypto/openssl/dist/crypto/evp/Makefile vendor-crypto/openssl/dist/crypto/evp/digest.c vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha256.c vendor-crypto/openssl/dist/crypto/evp/encode.c vendor-crypto/openssl/dist/crypto/evp/evp_enc.c vendor-crypto/openssl/dist/crypto/modes/asm/ghash-s390x.pl vendor-crypto/openssl/dist/crypto/opensslv.h vendor-crypto/openssl/dist/crypto/pem/pem_lib.c vendor-crypto/openssl/dist/crypto/pem/pvkfmt.c vendor-crypto/openssl/dist/crypto/perlasm/x86_64-xlate.pl vendor-crypto/openssl/dist/crypto/s390xcpuid.S vendor-crypto/openssl/dist/crypto/sha/asm/sha1-ppc.pl vendor-crypto/openssl/dist/crypto/sha/asm/sha1-s390x.pl vendor-crypto/openssl/dist/crypto/sha/asm/sha512-ppc.pl vendor-crypto/openssl/dist/crypto/sha/asm/sha512-s390x.pl vendor-crypto/openssl/dist/crypto/x509/x509.h vendor-crypto/openssl/dist/crypto/x509/x509_err.c vendor-crypto/openssl/dist/crypto/x509/x509_obj.c vendor-crypto/openssl/dist/doc/apps/ciphers.pod vendor-crypto/openssl/dist/doc/apps/ocsp.pod vendor-crypto/openssl/dist/doc/crypto/evp.pod vendor-crypto/openssl/dist/doc/ssl/SSL_CTX_use_serverinfo.pod vendor-crypto/openssl/dist/ssl/d1_both.c vendor-crypto/openssl/dist/ssl/s2_lib.c vendor-crypto/openssl/dist/ssl/s2_meth.c vendor-crypto/openssl/dist/ssl/s3_clnt.c vendor-crypto/openssl/dist/ssl/s3_lib.c vendor-crypto/openssl/dist/ssl/ssl.h vendor-crypto/openssl/dist/ssl/ssl_cert.c vendor-crypto/openssl/dist/ssl/ssl_ciph.c vendor-crypto/openssl/dist/ssl/ssl_lib.c vendor-crypto/openssl/dist/ssl/ssl_locl.h vendor-crypto/openssl/dist/ssl/ssl_rsa.c vendor-crypto/openssl/dist/ssl/ssltest.c vendor-crypto/openssl/dist/ssl/t1_lib.c 
vendor-crypto/openssl/dist/util/libeay.num vendor-crypto/openssl/dist/util/mk1mf.pl vendor-crypto/openssl/dist/util/mkdef.pl vendor-crypto/openssl/dist/util/shlib_wrap.sh vendor-crypto/openssl/dist/util/ssleay.num Modified: vendor-crypto/openssl/dist/CHANGES ============================================================================== --- vendor-crypto/openssl/dist/CHANGES Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/CHANGES Tue May 3 18:00:27 2016 (r298991) 
@@ -2,6 +2,103 @@ OpenSSL CHANGES _______________ + Changes between 1.0.2g and 1.0.2h [3 May 2016] + + *) Prevent padding oracle in AES-NI CBC MAC check + + A MITM attacker can use a padding oracle attack to decrypt traffic + when the connection uses an AES CBC cipher and the server support + AES-NI. + + This issue was introduced as part of the fix for Lucky 13 padding + attack (CVE-2013-0169). The padding check was rewritten to be in + constant time by making sure that always the same bytes are read and + compared against either the MAC or padding bytes. But it no longer + checked that there was enough data to have both the MAC and padding + bytes. + + This issue was reported by Juraj Somorovsky using TLS-Attacker. + (CVE-2016-2107) + [Kurt Roeckx] + + *) Fix EVP_EncodeUpdate overflow + + An overflow can occur in the EVP_EncodeUpdate() function which is used for + Base64 encoding of binary data. If an attacker is able to supply very large + amounts of input data then a length check can overflow resulting in a heap + corruption. + + Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by + the PEM_write_bio* family of functions. These are mainly used within the + OpenSSL command line applications, so any application which processes data + from an untrusted source and outputs it as a PEM file should be considered + vulnerable to this issue. User applications that call these APIs directly + with large amounts of untrusted data may also be vulnerable. + + This issue was reported by Guido Vranken. + (CVE-2016-2105) + [Matt Caswell] + + *) Fix EVP_EncryptUpdate overflow + + An overflow can occur in the EVP_EncryptUpdate() function. If an attacker + is able to supply very large amounts of input data after a previous call to + EVP_EncryptUpdate() with a partial block then a length check can overflow + resulting in a heap corruption. Following an analysis of all OpenSSL + internal usage of the EVP_EncryptUpdate() function all usage is one of two + forms. 
The first form is where the EVP_EncryptUpdate() call is known to be + the first called function after an EVP_EncryptInit(), and therefore that + specific call must be safe. The second form is where the length passed to + EVP_EncryptUpdate() can be seen from the code to be some small value and + therefore there is no possibility of an overflow. Since all instances are + one of these two forms, it is believed that there can be no overflows in + internal code due to this problem. It should be noted that + EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. + Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances + of these calls have also been analysed too and it is believed there are no + instances in internal usage where an overflow could occur. + + This issue was reported by Guido Vranken. + (CVE-2016-2106) + [Matt Caswell] + + *) Prevent ASN.1 BIO excessive memory allocation + + When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() + a short invalid encoding can casuse allocation of large amounts of memory + potentially consuming excessive resources or exhausting memory. + + Any application parsing untrusted data through d2i BIO functions is + affected. The memory based functions such as d2i_X509() are *not* affected. + Since the memory based functions are used by the TLS library, TLS + applications are not affected. + + This issue was reported by Brian Carpenter. + (CVE-2016-2109) + [Stephen Henson] + + *) EBCDIC overread + + ASN1 Strings that are over 1024 bytes can cause an overread in applications + using the X509_NAME_oneline() function on EBCDIC systems. This could result + in arbitrary stack data being returned in the buffer. + + This issue was reported by Guido Vranken. + (CVE-2016-2176) + [Matt Caswell] + + *) Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + [Todd Short] + + *) Remove LOW from the DEFAULT cipher list. 
This removes singles DES from the + default. + [Kurt Roeckx] + + *) Only remove the SSLv2 methods with the no-ssl2-method option. When the + methods are enabled and ssl2 is disabled the methods return NULL. + [Kurt Roeckx] + Changes between 1.0.2f and 1.0.2g [1 Mar 2016] * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. Modified: vendor-crypto/openssl/dist/FREEBSD-upgrade ============================================================================== --- vendor-crypto/openssl/dist/FREEBSD-upgrade Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/FREEBSD-upgrade Tue May 3 18:00:27 2016 (r298991) @@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/Subv # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://repo.freebsd.org/base" -setenv OSSLVER 1.0.2f -# OSSLTAG format: v1_0_2f +setenv OSSLVER 1.0.2h +# OSSLTAG format: v1_0_2h ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` Modified: vendor-crypto/openssl/dist/Makefile ============================================================================== --- vendor-crypto/openssl/dist/Makefile Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/Makefile Tue May 3 18:00:27 2016 (r298991) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2g +VERSION=1.0.2h MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 Modified: vendor-crypto/openssl/dist/NEWS ============================================================================== --- vendor-crypto/openssl/dist/NEWS Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/NEWS Tue May 3 18:00:27 2016 (r298991) 
@@ -5,6 +5,19 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016] + + o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107) + o Fix EVP_EncodeUpdate overflow (CVE-2016-2105) + o Fix EVP_EncryptUpdate overflow (CVE-2016-2106) + o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109) + o EBCDIC overread (CVE-2016-2176) + o Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + o Remove LOW from the DEFAULT cipher list. This removes singles DES from + the default. + o Only remove the SSLv2 methods with the no-ssl2-method option. + Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016] o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. Modified: vendor-crypto/openssl/dist/README ============================================================================== --- vendor-crypto/openssl/dist/README Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/README Tue May 3 18:00:27 2016 (r298991) @@ -1,5 +1,5 @@ - OpenSSL 1.0.2g 1 Mar 2016 + OpenSSL 1.0.2h 3 May 2016 Copyright (c) 1998-2015 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: vendor-crypto/openssl/dist/apps/pkcs7.c ============================================================================== --- vendor-crypto/openssl/dist/apps/pkcs7.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/apps/pkcs7.c Tue May 3 18:00:27 2016 (r298991) 
@@ -235,12 +235,16 @@ int MAIN(int argc, char **argv) i = OBJ_obj2nid(p7->type); switch (i) { case NID_pkcs7_signed: - certs = p7->d.sign->cert; - crls = p7->d.sign->crl; + if (p7->d.sign != NULL) { + certs = p7->d.sign->cert; + crls = p7->d.sign->crl; + } break; case NID_pkcs7_signedAndEnveloped: - certs = p7->d.signed_and_enveloped->cert; - crls = p7->d.signed_and_enveloped->crl; + if (p7->d.signed_and_enveloped != NULL) { + certs = p7->d.signed_and_enveloped->cert; + crls = p7->d.signed_and_enveloped->crl; + } break; default: break; Modified: vendor-crypto/openssl/dist/crypto/aes/asm/aes-ppc.pl ============================================================================== --- vendor-crypto/openssl/dist/crypto/aes/asm/aes-ppc.pl Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/aes/asm/aes-ppc.pl Tue May 3 18:00:27 2016 (r298991) @@ -590,7 +590,7 @@ Lenc_loop: xor $s2,$t2,$acc14 xor $s3,$t3,$acc15 addi $key,$key,16 - bdnz- Lenc_loop + bdnz Lenc_loop addi $Tbl2,$Tbl0,2048 nop @@ -1068,7 +1068,7 @@ Ldec_loop: xor $s2,$t2,$acc14 xor $s3,$t3,$acc15 addi $key,$key,16 - bdnz- Ldec_loop + bdnz Ldec_loop addi $Tbl2,$Tbl0,2048 nop Modified: vendor-crypto/openssl/dist/crypto/aes/asm/aes-s390x.pl ============================================================================== --- vendor-crypto/openssl/dist/crypto/aes/asm/aes-s390x.pl Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/aes/asm/aes-s390x.pl Tue May 3 18:00:27 2016 (r298991) @@ -818,13 +818,9 @@ $code.=<<___ if (!$softonly); tmhl %r0,0x4000 # check for message-security assist jz .Lekey_internal - lghi %r0,0 # query capability vector - la %r1,16($sp) - .long 0xb92f0042 # kmc %r4,%r2 - - llihh %r1,0x8000 - srlg %r1,%r1,0(%r5) - ng %r1,16($sp) + llihh %r0,0x8000 + srlg %r0,%r0,0(%r5) + ng %r0,48(%r1) # check kmc capability vector jz .Lekey_internal lmg %r0,%r1,0($inp) # just copy 128 bits... 
@@ -1444,13 +1440,10 @@ $code.=<<___ if (0); ######### kmctr cod llgfr $s0,%r0 lgr $s1,%r1 - lghi %r0,0 - la %r1,16($sp) - .long 0xb92d2042 # kmctr %r4,%r2,%r2 - + larl %r1,OPENSSL_s390xcap_P llihh %r0,0x8000 # check if kmctr supports the function code srlg %r0,%r0,0($s0) - ng %r0,16($sp) + ng %r0,64(%r1) # check kmctr capability vector lgr %r0,$s0 lgr %r1,$s1 jz .Lctr32_km_loop @@ -1597,12 +1590,10 @@ $code.=<<___ if(1); llgfr $s0,%r0 # put aside the function code lghi $s1,0x7f nr $s1,%r0 - lghi %r0,0 # query capability vector - la %r1,$tweak-16($sp) - .long 0xb92e0042 # km %r4,%r2 - llihh %r1,0x8000 - srlg %r1,%r1,32($s1) # check for 32+function code - ng %r1,$tweak-16($sp) + larl %r1,OPENSSL_s390xcap_P + llihh %r0,0x8000 + srlg %r0,%r0,32($s1) # check for 32+function code + ng %r0,32(%r1) # check km capability vector lgr %r0,$s0 # restore the function code la %r1,0($key1) # restore $key1 jz .Lxts_km_vanilla @@ -2229,7 +2220,7 @@ ___ } $code.=<<___; .string "AES for s390x, CRYPTOGAMS by " -.comm OPENSSL_s390xcap_P,16,8 +.comm OPENSSL_s390xcap_P,80,8 ___ $code =~ s/\`([^\`]*)\`/eval $1/gem; Modified: vendor-crypto/openssl/dist/crypto/asn1/a_bytes.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/a_bytes.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/asn1/a_bytes.c Tue May 3 18:00:27 2016 (r298991) 
@@ -200,13 +200,13 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING } else { if (len != 0) { if ((ret->length < len) || (ret->data == NULL)) { - if (ret->data != NULL) - OPENSSL_free(ret->data); s = (unsigned char *)OPENSSL_malloc((int)len + 1); if (s == NULL) { i = ERR_R_MALLOC_FAILURE; goto err; } + if (ret->data != NULL) + OPENSSL_free(ret->data); } else s = ret->data; memcpy(s, p, (int)len); Modified: vendor-crypto/openssl/dist/crypto/asn1/a_d2i_fp.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/a_d2i_fp.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/asn1/a_d2i_fp.c Tue May 3 18:00:27 2016 (r298991) @@ -141,6 +141,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM * #endif #define HEADER_SIZE 8 +#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024) static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) { BUF_MEM *b; 
@@ -217,29 +218,44 @@ static int asn1_d2i_read_bio(BIO *in, BU /* suck in c.slen bytes of data */ want = c.slen; if (want > (len - off)) { + size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE; + want -= (len - off); if (want > INT_MAX /* BIO_read takes an int length */ || len + want < len) { ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); goto err; } - if (!BUF_MEM_grow_clean(b, len + want)) { - ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); - goto err; - } while (want > 0) { - i = BIO_read(in, &(b->data[len]), want); - if (i <= 0) { - ASN1err(ASN1_F_ASN1_D2I_READ_BIO, - ASN1_R_NOT_ENOUGH_DATA); + /* + * Read content in chunks of increasing size + * so we can return an error for EOF without + * having to allocate the entire content length + * in one go. + */ + size_t chunk = want > chunk_max ? chunk_max : want; + + if (!BUF_MEM_grow_clean(b, len + chunk)) { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); goto err; } + want -= chunk; + while (chunk > 0) { + i = BIO_read(in, &(b->data[len]), chunk); + if (i <= 0) { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO, + ASN1_R_NOT_ENOUGH_DATA); + goto err; + } /* * This can't overflow because |len+want| didn't * overflow. */ - len += i; - want -= i; + len += i; + chunk -= i; + } + if (chunk_max < INT_MAX/2) + chunk_max *= 2; } } if (off + c.slen < off) { Modified: vendor-crypto/openssl/dist/crypto/asn1/a_type.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/a_type.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/asn1/a_type.c Tue May 3 18:00:27 2016 (r298991) 
@@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co result = 0; /* They do not have content. */ break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: case V_ASN1_BIT_STRING: case V_ASN1_OCTET_STRING: case V_ASN1_SEQUENCE: Modified: vendor-crypto/openssl/dist/crypto/asn1/asn1_lib.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/asn1_lib.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/asn1/asn1_lib.c Tue May 3 18:00:27 2016 (r298991) @@ -63,7 +63,7 @@ #include static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, - int max); + long max); static void asn1_put_length(unsigned char **pp, int length); const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT; @@ -131,7 +131,7 @@ int ASN1_get_object(const unsigned char } *ptag = tag; *pclass = xclass; - if (!asn1_get_length(&p, &inf, plength, (int)max)) + if (!asn1_get_length(&p, &inf, plength, max)) goto err; if (inf && !(ret & V_ASN1_CONSTRUCTED)) @@ -159,14 +159,14 @@ int ASN1_get_object(const unsigned char } static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, - int max) + long max) { const unsigned char *p = *pp; unsigned long ret = 0; - unsigned int i; + unsigned long i; if (max-- < 1) - return (0); + return 0; if (*p == 0x80) { *inf = 1; ret = 0; @@ -175,15 +175,11 @@ static int asn1_get_length(const unsigne *inf = 0; i = *p & 0x7f; if (*(p++) & 0x80) { - if (i > sizeof(long)) + if (i > sizeof(ret) || max < (long)i) return 0; - if (max-- == 0) - return (0); while (i-- > 0) { ret <<= 8L; ret |= *(p++); - if (max-- == 0) - return (0); } } else ret = i; 
@@ -192,7 +188,7 @@ static int asn1_get_length(const unsigne return 0; *pp = p; *rl = (long)ret; - return (1); + return 1; } /* Modified: vendor-crypto/openssl/dist/crypto/asn1/asn1_par.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/asn1_par.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/asn1/asn1_par.c Tue May 3 18:00:27 2016 (r298991) @@ -173,6 +173,8 @@ static int asn1_parse2(BIO *bp, const un if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0)) goto end; if (j & V_ASN1_CONSTRUCTED) { + const unsigned char *sp; + ep = p + len; if (BIO_write(bp, "\n", 1) <= 0) goto end; @@ -182,6 +184,7 @@ static int asn1_parse2(BIO *bp, const un goto end; } if ((j == 0x21) && (len == 0)) { + sp = p; for (;;) { r = asn1_parse2(bp, &p, (long)(tot - p), offset + (p - *pp), depth + 1, @@ -190,19 +193,25 @@ static int asn1_parse2(BIO *bp, const un ret = 0; goto end; } - if ((r == 2) || (p >= tot)) + if ((r == 2) || (p >= tot)) { + len = p - sp; break; + } } - } else + } else { + long tmp = len; + while (p < ep) { - r = asn1_parse2(bp, &p, (long)len, - offset + (p - *pp), depth + 1, + sp = p; + r = asn1_parse2(bp, &p, tmp, offset + (p - *pp), depth + 1, indent, dump); if (r == 0) { ret = 0; goto end; } + tmp -= p - sp; } + } } else if (xclass != 0) { p += len; if (BIO_write(bp, "\n", 1) <= 0) Modified: vendor-crypto/openssl/dist/crypto/asn1/t_x509.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/t_x509.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/asn1/t_x509.c Tue May 3 18:00:27 2016 (r298991) 
@@ -140,7 +140,8 @@ int X509_print_ex(BIO *bp, X509 *x, unsi goto err; bs = X509_get_serialNumber(x); - if (bs->length <= (int)sizeof(long)) { + if (bs->length < (int)sizeof(long) + || (bs->length == sizeof(long) && (bs->data[0] & 0x80) == 0)) { l = ASN1_INTEGER_get(bs); if (bs->type == V_ASN1_NEG_INTEGER) { l = -l; Modified: vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c Tue May 3 18:00:27 2016 (r298991) @@ -901,9 +901,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: tint = (ASN1_INTEGER **)pval; if (!c2i_ASN1_INTEGER(tint, &cont, len)) goto err; Modified: vendor-crypto/openssl/dist/crypto/asn1/tasn_enc.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/tasn_enc.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/asn1/tasn_enc.c Tue May 3 18:00:27 2016 (r298991) @@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: /* * These are all have the same content format as ASN1_INTEGER */ Modified: vendor-crypto/openssl/dist/crypto/asn1/x_name.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/x_name.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/asn1/x_name.c Tue May 3 18:00:27 2016 (r298991) 
@@ -66,6 +66,13 @@ typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY) +/* + * Maximum length of X509_NAME: much larger than anything we should + * ever see in practice. + */ + +#define X509_NAME_MAX (1024 * 1024) + static int x509_name_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it, @@ -192,6 +199,10 @@ static int x509_name_ex_d2i(ASN1_VALUE * int i, j, ret; STACK_OF(X509_NAME_ENTRY) *entries; X509_NAME_ENTRY *entry; + if (len > X509_NAME_MAX) { + ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG); + return 0; + } q = p; /* Get internal representation of Name */ Modified: vendor-crypto/openssl/dist/crypto/asn1/x_x509.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/asn1/x_x509.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/asn1/x_x509.c Tue May 3 18:00:27 2016 (r298991) @@ -201,10 +201,20 @@ X509 *d2i_X509_AUX(X509 **a, const unsig int i2d_X509_AUX(X509 *a, unsigned char **pp) { - int length; + int length, tmplen; + unsigned char *start = pp != NULL ? *pp : NULL; length = i2d_X509(a, pp); - if (a) - length += i2d_X509_CERT_AUX(a->aux, pp); + if (length < 0 || a == NULL) + return length; + + tmplen = i2d_X509_CERT_AUX(a->aux, pp); + if (tmplen < 0) { + if (start != NULL) + *pp = start; + return tmplen; + } + length += tmplen; + return length; } Modified: vendor-crypto/openssl/dist/crypto/bn/asm/ppc-mont.pl ============================================================================== --- vendor-crypto/openssl/dist/crypto/bn/asm/ppc-mont.pl Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/bn/asm/ppc-mont.pl Tue May 3 18:00:27 2016 (r298991) @@ -191,7 +191,7 @@ L1st: addi $j,$j,$BNSZ ; j++ addi $tp,$tp,$BNSZ ; tp++ - bdnz- L1st + bdnz L1st ;L1st addc $lo0,$alo,$hi0 addze $hi0,$ahi 
@@ -253,7 +253,7 @@ Linner: addze $hi1,$hi1 $ST $lo1,0($tp) ; tp[j-1] addi $tp,$tp,$BNSZ ; tp++ - bdnz- Linner + bdnz Linner ;Linner $LD $tj,$BNSZ($tp) ; tp[j] addc $lo0,$alo,$hi0 @@ -276,7 +276,7 @@ Linner: slwi $tj,$num,`log($BNSZ)/log(2)` $UCMP $i,$tj addi $i,$i,$BNSZ - ble- Louter + ble Louter addi $num,$num,2 ; restore $num subfc $j,$j,$j ; j=0 and "clear" XER[CA] @@ -289,7 +289,7 @@ Lsub: $LDX $tj,$tp,$j subfe $aj,$nj,$tj ; tp[j]-np[j] $STX $aj,$rp,$j addi $j,$j,$BNSZ - bdnz- Lsub + bdnz Lsub li $j,0 mtctr $num @@ -304,7 +304,7 @@ Lcopy: ; copy or in-place refresh $STX $tj,$rp,$j $STX $j,$tp,$j ; zap at once addi $j,$j,$BNSZ - bdnz- Lcopy + bdnz Lcopy $POP $tj,0($sp) li r3,1 Modified: vendor-crypto/openssl/dist/crypto/bn/asm/ppc.pl ============================================================================== --- vendor-crypto/openssl/dist/crypto/bn/asm/ppc.pl Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/bn/asm/ppc.pl Tue May 3 18:00:27 2016 (r298991) @@ -1556,7 +1556,7 @@ Lppcasm_sub_mainloop: # if carry = 1 this is r7-r8. Else it # is r7-r8 -1 as we need. $STU r6,$BNSZ(r3) - bdnz- Lppcasm_sub_mainloop + bdnz Lppcasm_sub_mainloop Lppcasm_sub_adios: subfze r3,r0 # if carry bit is set then r3 = 0 else -1 andi. r3,r3,1 # keep only last bit. @@ -1603,7 +1603,7 @@ Lppcasm_add_mainloop: $LDU r8,$BNSZ(r5) adde r8,r7,r8 $STU r8,$BNSZ(r3) - bdnz- Lppcasm_add_mainloop + bdnz Lppcasm_add_mainloop Lppcasm_add_adios: addze r3,r0 #return carry bit. blr @@ -1762,7 +1762,7 @@ Lppcasm_sqr_mainloop: $UMULH r8,r6,r6 $STU r7,$BNSZ(r3) $STU r8,$BNSZ(r3) - bdnz- Lppcasm_sqr_mainloop + bdnz Lppcasm_sqr_mainloop Lppcasm_sqr_adios: blr .long 0 @@ -1827,7 +1827,7 @@ Lppcasm_mw_LOOP: addi r3,r3,`4*$BNSZ` addi r4,r4,`4*$BNSZ` - bdnz- Lppcasm_mw_LOOP + bdnz Lppcasm_mw_LOOP Lppcasm_mw_REM: andi. r5,r5,0x3 
@@ -1951,7 +1951,7 @@ Lppcasm_maw_mainloop: $ST r11,`3*$BNSZ`(r3) addi r3,r3,`4*$BNSZ` addi r4,r4,`4*$BNSZ` - bdnz- Lppcasm_maw_mainloop + bdnz Lppcasm_maw_mainloop Lppcasm_maw_leftover: andi. r5,r5,0x3 Modified: vendor-crypto/openssl/dist/crypto/bn/asm/ppc64-mont.pl ============================================================================== --- vendor-crypto/openssl/dist/crypto/bn/asm/ppc64-mont.pl Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/bn/asm/ppc64-mont.pl Tue May 3 18:00:27 2016 (r298991) @@ -734,7 +734,7 @@ $code.=<<___; ___ } $code.=<<___; - bdnz- L1st + bdnz L1st fctid $dota,$dota fctid $dotb,$dotb @@ -1280,7 +1280,7 @@ $code.=<<___; ___ } $code.=<<___; - bdnz- Linner + bdnz Linner fctid $dota,$dota fctid $dotb,$dotb @@ -1490,7 +1490,7 @@ Lsub: ldx $t0,$tp,$i stdx $t0,$rp,$i stdx $t2,$t6,$i addi $i,$i,16 - bdnz- Lsub + bdnz Lsub li $i,0 subfe $ovf,$i,$ovf ; handle upmost overflow bit @@ -1517,7 +1517,7 @@ Lcopy: ; copy or in-place refresh stdx $i,$tp,$i ; zap tp at once stdx $i,$t4,$i addi $i,$i,16 - bdnz- Lcopy + bdnz Lcopy ___ $code.=<<___ if ($SIZE_T==4); subf $np,$num,$np ; rewind np @@ -1550,7 +1550,7 @@ Lsub: lwz $t0,12($tp) ; load tp[j..j+3] stw $t5,8($rp) stw $t6,12($rp) stwu $t7,16($rp) - bdnz- Lsub + bdnz Lsub li $i,0 subfe $ovf,$i,$ovf ; handle upmost overflow bit @@ -1582,7 +1582,7 @@ Lcopy: ; copy or in-place refresh stwu $t3,16($rp) std $i,8($tp) ; zap tp at once stdu $i,16($tp) - bdnz- Lcopy + bdnz Lcopy ___ $code.=<<___; Modified: vendor-crypto/openssl/dist/crypto/bn/asm/x86-mont.pl ============================================================================== --- vendor-crypto/openssl/dist/crypto/bn/asm/x86-mont.pl Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/bn/asm/x86-mont.pl Tue May 3 18:00:27 2016 (r298991) 
@@ -85,6 +85,21 @@ $frame=32; # size of above frame roun &and ("esp",-64); # align to cache line + # Some OSes, *cough*-dows, insist on stack being "wired" to + # physical memory in strictly sequential manner, i.e. if stack + # allocation spans two pages, then reference to farmost one can + # be punishable by SEGV. But page walking can do good even on + # other OSes, because it guarantees that villain thread hits + # the guard page before it can make damage to innocent one... + &mov ("eax","ebp"); + &sub ("eax","esp"); + &and ("eax",-4096); +&set_label("page_walk"); + &mov ("edx",&DWP(0,"esp","eax")); + &sub ("eax",4096); + &data_byte(0x2e); + &jnc (&label("page_walk")); + ################################# load argument block... &mov ("eax",&DWP(0*4,"esi"));# BN_ULONG *rp &mov ("ebx",&DWP(1*4,"esi"));# const BN_ULONG *ap Modified: vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont.pl ============================================================================== --- vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont.pl Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont.pl Tue May 3 18:00:27 2016 (r298991) @@ -130,6 +130,20 @@ $code.=<<___; mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp .Lmul_body: + # Some OSes, *cough*-dows, insist on stack being "wired" to + # physical memory in strictly sequential manner, i.e. if stack + # allocation spans two pages, then reference to farmost one can + # be punishable by SEGV. But page walking can do good even on + # other OSes, because it guarantees that villain thread hits + # the guard page before it can make damage to innocent one... + sub %rsp,%r11 + and \$-4096,%r11 +.Lmul_page_walk: + mov (%rsp,%r11),%r10 + sub \$4096,%r11 + .byte 0x66,0x2e # predict non-taken + jnc .Lmul_page_walk + mov $bp,%r12 # reassign $bp ___ $bp="%r12"; 
@@ -342,6 +356,14 @@ $code.=<<___; mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp .Lmul4x_body: + sub %rsp,%r11 + and \$-4096,%r11 +.Lmul4x_page_walk: + mov (%rsp,%r11),%r10 + sub \$4096,%r11 + .byte 0x2e # predict non-taken + jnc .Lmul4x_page_walk + mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp mov %rdx,%r12 # reassign $bp ___ @@ -795,6 +817,15 @@ bn_sqr8x_mont: sub %r11,%rsp .Lsqr8x_sp_done: and \$-64,%rsp + mov %rax,%r11 + sub %rsp,%r11 + and \$-4096,%r11 +.Lsqr8x_page_walk: + mov (%rsp,%r11),%r10 + sub \$4096,%r11 + .byte 0x2e # predict non-taken + jnc .Lsqr8x_page_walk + mov $num,%r10 neg $num @@ -932,8 +963,17 @@ bn_mulx4x_mont: sub $num,%r10 # -$num mov ($n0),$n0 # *n0 lea -72(%rsp,%r10),%rsp # alloca(frame+$num+8) - lea ($bp,$num),%r10 and \$-128,%rsp + mov %rax,%r11 + sub %rsp,%r11 + and \$-4096,%r11 +.Lmulx4x_page_walk: + mov (%rsp,%r11),%r10 + sub \$4096,%r11 + .byte 0x66,0x2e # predict non-taken + jnc .Lmulx4x_page_walk + + lea ($bp,$num),%r10 ############################################################## # Stack layout # +0 num Modified: vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont5.pl ============================================================================== --- vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont5.pl Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont5.pl Tue May 3 18:00:27 2016 (r298991) 
@@ -115,6 +115,20 @@ $code.=<<___; mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp .Lmul_body: + # Some OSes, *cough*-dows, insist on stack being "wired" to + # physical memory in strictly sequential manner, i.e. if stack + # allocation spans two pages, then reference to farmost one can + # be punishable by SEGV. But page walking can do good even on + # other OSes, because it guarantees that villain thread hits + # the guard page before it can make damage to innocent one... + sub %rsp,%rax + and \$-4096,%rax +.Lmul_page_walk: + mov (%rsp,%rax),%r11 + sub \$4096,%rax + .byte 0x2e # predict non-taken + jnc .Lmul_page_walk + lea 128($bp),%r12 # reassign $bp (+size optimization) ___ $bp="%r12"; @@ -469,6 +483,15 @@ $code.=<<___; sub %r11,%rsp .Lmul4xsp_done: and \$-64,%rsp + mov %rax,%r11 + sub %rsp,%r11 + and \$-4096,%r11 +.Lmul4x_page_walk: + mov (%rsp,%r11),%r10 + sub \$4096,%r11 + .byte 0x2e # predict non-taken + jnc .Lmul4x_page_walk + neg $num mov %rax,40(%rsp) @@ -1058,6 +1081,15 @@ $code.=<<___; sub %r11,%rsp .Lpwr_sp_done: and \$-64,%rsp + mov %rax,%r11 + sub %rsp,%r11 + and \$-4096,%r11 +.Lpwr_page_walk: + mov (%rsp,%r11),%r10 + sub \$4096,%r11 + .byte 0x2e # predict non-taken + jnc .Lpwr_page_walk + mov $num,%r10 neg $num @@ -2028,7 +2060,16 @@ bn_from_mont8x: sub %r11,%rsp .Lfrom_sp_done: and \$-64,%rsp - mov $num,%r10 + mov %rax,%r11 + sub %rsp,%r11 + and \$-4096,%r11 +.Lfrom_page_walk: + mov (%rsp,%r11),%r10 + sub \$4096,%r11 + .byte 0x2e # predict non-taken + jnc .Lfrom_page_walk + + mov $num,%r10 neg $num ############################################################## @@ -2173,6 +2214,15 @@ bn_mulx4x_mont_gather5: sub %r11,%rsp .Lmulx4xsp_done: and \$-64,%rsp # ensure alignment + mov %rax,%r11 + sub %rsp,%r11 + and \$-4096,%r11 +.Lmulx4x_page_walk: + mov (%rsp,%r11),%r10 + sub \$4096,%r11 + .byte 0x2e # predict non-taken + jnc .Lmulx4x_page_walk + ############################################################## # Stack layout # +0 -num 
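Review bot: in the bn_from_mont8x hunk the removed `mov $num,%r10` is re-added after `.Lfrom_page_walk` for the same reason %r10 cannot be live across any of these loops: it is the walk's scratch register. The stanzas under `.Lmul4x_page_walk`, `.Lpwr_page_walk`, `.Lfrom_page_walk` and `.Lmulx4x_page_walk` are identical apart from the label, and `.Lmul_page_walk` differs only in using %rax as the counter and %r11 as scratch; a small Perl helper that emits the stanza for a given label would remove the duplication and keep the hint bytes and comments consistent across the file. Only the first stanza carries the explanatory comment about wired stack pages; the others rely on the reader finding it, so at least a `# see .Lmul_page_walk` pointer would help.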
@@ -2619,6 +2669,15 @@ bn_powerx5: sub %r11,%rsp .Lpwrx_sp_done: and \$-64,%rsp + mov %rax,%r11 + sub %rsp,%r11 + and \$-4096,%r11 +.Lpwrx_page_walk: + mov (%rsp,%r11),%r10 + sub \$4096,%r11 + .byte 0x2e # predict non-taken + jnc .Lpwrx_page_walk + mov $num,%r10 neg $num Modified: vendor-crypto/openssl/dist/crypto/comp/comp.h ============================================================================== --- vendor-crypto/openssl/dist/crypto/comp/comp.h Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/comp/comp.h Tue May 3 18:00:27 2016 (r298991) @@ -4,6 +4,10 @@ # include +# ifdef OPENSSL_NO_COMP +# error COMP is disabled. +# endif + #ifdef __cplusplus extern "C" { #endif Modified: vendor-crypto/openssl/dist/crypto/evp/Makefile ============================================================================== --- vendor-crypto/openssl/dist/crypto/evp/Makefile Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/evp/Makefile Tue May 3 18:00:27 2016 (r298991) @@ -199,8 +199,8 @@ e_aes.o: ../../include/openssl/opensslv. e_aes.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h e_aes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h e_aes.o: ../modes/modes_lcl.h e_aes.c evp_locl.h -e_aes_cbc_hmac_sha1.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h -e_aes_cbc_hmac_sha1.o: ../../include/openssl/bio.h +e_aes_cbc_hmac_sha1.o: ../../e_os.h ../../include/openssl/aes.h +e_aes_cbc_hmac_sha1.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/crypto.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/e_os2.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/evp.h 
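Review bot: the comp.h hunk turns a build with `OPENSSL_NO_COMP` into a hard `# error COMP is disabled.` for any consumer that includes the header, which is the right behaviour for a disabled feature, but the error text should name the macro (`OPENSSL_NO_COMP`) so a downstream build failure points at its cause. Style: the new `# ifdef` / `# error` / `# endif` lines use the indented `# ` form while the `#ifdef __cplusplus` block immediately below does not; match the surrounding file.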
@@ -214,9 +214,9 @@ e_aes_cbc_hmac_sha1.o: ../../include/ope e_aes_cbc_hmac_sha1.o: ../../include/openssl/safestack.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/sha.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/stack.h -e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h ../modes/modes_lcl.h -e_aes_cbc_hmac_sha1.o: e_aes_cbc_hmac_sha1.c -e_aes_cbc_hmac_sha256.o: ../../include/openssl/aes.h +e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h ../constant_time_locl.h +e_aes_cbc_hmac_sha1.o: ../modes/modes_lcl.h e_aes_cbc_hmac_sha1.c +e_aes_cbc_hmac_sha256.o: ../../e_os.h ../../include/openssl/aes.h e_aes_cbc_hmac_sha256.o: ../../include/openssl/asn1.h e_aes_cbc_hmac_sha256.o: ../../include/openssl/bio.h e_aes_cbc_hmac_sha256.o: ../../include/openssl/crypto.h @@ -232,7 +232,8 @@ e_aes_cbc_hmac_sha256.o: ../../include/o e_aes_cbc_hmac_sha256.o: ../../include/openssl/safestack.h e_aes_cbc_hmac_sha256.o: ../../include/openssl/sha.h e_aes_cbc_hmac_sha256.o: ../../include/openssl/stack.h -e_aes_cbc_hmac_sha256.o: ../../include/openssl/symhacks.h ../modes/modes_lcl.h +e_aes_cbc_hmac_sha256.o: ../../include/openssl/symhacks.h +e_aes_cbc_hmac_sha256.o: ../constant_time_locl.h ../modes/modes_lcl.h e_aes_cbc_hmac_sha256.o: e_aes_cbc_hmac_sha256.c e_bf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h e_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/buffer.h Modified: vendor-crypto/openssl/dist/crypto/evp/digest.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/evp/digest.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/evp/digest.c Tue May 3 18:00:27 2016 (r298991) 
@@ -212,8 +212,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c } #endif if (ctx->digest != type) { - if (ctx->digest && ctx->digest->ctx_size) + if (ctx->digest && ctx->digest->ctx_size) { OPENSSL_free(ctx->md_data); + ctx->md_data = NULL; + } ctx->digest = type; if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) { ctx->update = type->update; Modified: vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c Tue May 3 18:00:27 2016 (r298991) @@ -60,6 +60,7 @@ # include # include # include "modes_lcl.h" +# include "constant_time_locl.h" # ifndef EVP_CIPH_FLAG_AEAD_CIPHER # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 @@ -578,6 +579,8 @@ static int aesni_cbc_hmac_sha1_cipher(EV maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); maxpad &= 255; + ret &= constant_time_ge(maxpad, pad); + inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); inp_len &= mask; Modified: vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha256.c ============================================================================== --- vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha256.c Tue May 3 17:11:33 2016 (r298990) +++ vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha256.c Tue May 3 18:00:27 2016 (r298991) 
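Review bot: the new `ctx->md_data = NULL;` after `OPENSSL_free(ctx->md_data)` in EVP_DigestInit_ex closes a dangling-pointer window: between the free and whatever later re-allocates `md_data` for the new digest, any failure or early return would leave the context holding a freed pointer, and a later cleanup or re-init would free it a second time. Resetting it to NULL makes that path a no-op. The braces are needed now that the body has two statements, and the enclosing `if (ctx->digest != type) {` already uses them, so the style is consistent.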
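Review bot: `ret &= constant_time_ge(maxpad, pad);` in aesni_cbc_hmac_sha1_cipher is the length check the constant-time Lucky 13 rewrite left out (CVE-2016-2107 in the CHANGES text of the companion 1.0.1t import below): a record whose padding byte exceeds what the record length can hold must be rejected, and folding the result into `ret` through constant_time_ge instead of branching keeps the rejection free of a timing signal. Placing it before `inp_len = len - (SHA_DIGEST_LENGTH + pad + 1)` is right, since that subtraction is exactly the one that goes wrong when `pad > maxpad`. Two things to confirm outside the hunk: nothing between here and the final MAC comparison branches on `ret`, and `maxpad` is derived from the same `len` that the subtraction uses (the `maxpad &= 255` context line suggests it is).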
@@ -60,6 +60,7 @@ # include *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-vendor@freebsd.org Tue May 3 18:01:16 2016 Return-Path: Delivered-To: svn-src-vendor@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 5AA71B2A032; Tue, 3 May 2016 18:01:16 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 0FB761EE8; Tue, 3 May 2016 18:01:15 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u43I1F85028693; Tue, 3 May 2016 18:01:15 GMT (envelope-from jkim@FreeBSD.org) Received: (from jkim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u43I1Ffu028692; Tue, 3 May 2016 18:01:15 GMT (envelope-from jkim@FreeBSD.org) Message-Id: <201605031801.u43I1Ffu028692@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jkim set sender to jkim@FreeBSD.org using -f 
From: Jung-uk Kim Date: Tue, 3 May 2016 18:01:15 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r298992 - vendor-crypto/openssl/1.0.2h X-SVN-Group: vendor-crypto MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-vendor@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the vendor work area tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 May 2016 18:01:16 -0000 Author: jkim Date: Tue May 3 18:01:15 2016 New Revision: 298992 URL: https://svnweb.freebsd.org/changeset/base/298992 Log: Tag OpenSSL 1.0.2h. Added: vendor-crypto/openssl/1.0.2h/ - copied from r298991, vendor-crypto/openssl/dist/ From owner-svn-src-vendor@freebsd.org Tue May 3 18:02:05 2016 Return-Path: Delivered-To: svn-src-vendor@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BF367B2A0DB; Tue, 3 May 2016 18:02:05 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 7173711B5; Tue, 3 May 2016 18:02:05 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u43I24gi028797; Tue, 3 May 2016 18:02:04 GMT (envelope-from jkim@FreeBSD.org) Received: (from jkim@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u43I21vY028763; Tue, 3 May 2016 18:02:01 GMT (envelope-from jkim@FreeBSD.org) Message-Id: <201605031802.u43I21vY028763@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jkim set sender to jkim@FreeBSD.org using -f 
From: Jung-uk Kim Date: Tue, 3 May 2016 18:02:01 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r298993 - in vendor-crypto/openssl/dist-1.0.1: . apps crypto crypto/asn1 crypto/bn/asm crypto/comp crypto/evp crypto/pem crypto/x509 doc/apps doc/crypto ssl util X-SVN-Group: vendor-crypto MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-vendor@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the vendor work area tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 May 2016 18:02:05 -0000 Author: jkim Date: Tue May 3 18:02:01 2016 New Revision: 298993 URL: https://svnweb.freebsd.org/changeset/base/298993 Log: Import OpenSSL 1.0.1t. Added: vendor-crypto/openssl/dist-1.0.1/doc/crypto/EVP_EncodeInit.pod Modified: vendor-crypto/openssl/dist-1.0.1/CHANGES vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade vendor-crypto/openssl/dist-1.0.1/Makefile vendor-crypto/openssl/dist-1.0.1/NEWS vendor-crypto/openssl/dist-1.0.1/README vendor-crypto/openssl/dist-1.0.1/apps/pkcs7.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_bytes.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_d2i_fp.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_type.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_lib.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_par.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/t_x509.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_dec.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_enc.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_name.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_x509.c vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86-mont.pl vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-mont.pl vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-mont5.pl vendor-crypto/openssl/dist-1.0.1/crypto/comp/comp.h 
vendor-crypto/openssl/dist-1.0.1/crypto/evp/Makefile vendor-crypto/openssl/dist-1.0.1/crypto/evp/digest.c vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_aes_cbc_hmac_sha1.c vendor-crypto/openssl/dist-1.0.1/crypto/evp/encode.c vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_enc.c vendor-crypto/openssl/dist-1.0.1/crypto/opensslv.h vendor-crypto/openssl/dist-1.0.1/crypto/pem/pem_lib.c vendor-crypto/openssl/dist-1.0.1/crypto/pem/pvkfmt.c vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509.h vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_err.c vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_obj.c vendor-crypto/openssl/dist-1.0.1/doc/apps/ciphers.pod vendor-crypto/openssl/dist-1.0.1/doc/crypto/evp.pod vendor-crypto/openssl/dist-1.0.1/ssl/d1_both.c vendor-crypto/openssl/dist-1.0.1/ssl/s2_lib.c vendor-crypto/openssl/dist-1.0.1/ssl/s2_meth.c vendor-crypto/openssl/dist-1.0.1/ssl/s3_clnt.c vendor-crypto/openssl/dist-1.0.1/ssl/s3_lib.c vendor-crypto/openssl/dist-1.0.1/ssl/ssl.h vendor-crypto/openssl/dist-1.0.1/ssl/ssl_ciph.c vendor-crypto/openssl/dist-1.0.1/ssl/ssl_locl.h vendor-crypto/openssl/dist-1.0.1/ssl/t1_lib.c vendor-crypto/openssl/dist-1.0.1/util/libeay.num vendor-crypto/openssl/dist-1.0.1/util/mk1mf.pl vendor-crypto/openssl/dist-1.0.1/util/mkdef.pl vendor-crypto/openssl/dist-1.0.1/util/ssleay.num Modified: vendor-crypto/openssl/dist-1.0.1/CHANGES ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/CHANGES Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/CHANGES Tue May 3 18:02:01 2016 (r298993) 
@@ -2,6 +2,103 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1s and 1.0.1t [3 May 2016] + + *) Prevent padding oracle in AES-NI CBC MAC check + + A MITM attacker can use a padding oracle attack to decrypt traffic + when the connection uses an AES CBC cipher and the server support + AES-NI. + + This issue was introduced as part of the fix for Lucky 13 padding + attack (CVE-2013-0169). The padding check was rewritten to be in + constant time by making sure that always the same bytes are read and + compared against either the MAC or padding bytes. But it no longer + checked that there was enough data to have both the MAC and padding + bytes. + + This issue was reported by Juraj Somorovsky using TLS-Attacker. + (CVE-2016-2107) + [Kurt Roeckx] + + *) Fix EVP_EncodeUpdate overflow + + An overflow can occur in the EVP_EncodeUpdate() function which is used for + Base64 encoding of binary data. If an attacker is able to supply very large + amounts of input data then a length check can overflow resulting in a heap + corruption. + + Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by + the PEM_write_bio* family of functions. These are mainly used within the + OpenSSL command line applications, so any application which processes data + from an untrusted source and outputs it as a PEM file should be considered + vulnerable to this issue. User applications that call these APIs directly + with large amounts of untrusted data may also be vulnerable. + + This issue was reported by Guido Vranken. + (CVE-2016-2105) + [Matt Caswell] + + *) Fix EVP_EncryptUpdate overflow + + An overflow can occur in the EVP_EncryptUpdate() function. If an attacker + is able to supply very large amounts of input data after a previous call to + EVP_EncryptUpdate() with a partial block then a length check can overflow + resulting in a heap corruption. Following an analysis of all OpenSSL + internal usage of the EVP_EncryptUpdate() function all usage is one of two + forms. 
The first form is where the EVP_EncryptUpdate() call is known to be + the first called function after an EVP_EncryptInit(), and therefore that + specific call must be safe. The second form is where the length passed to + EVP_EncryptUpdate() can be seen from the code to be some small value and + therefore there is no possibility of an overflow. Since all instances are + one of these two forms, it is believed that there can be no overflows in + internal code due to this problem. It should be noted that + EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths. + Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances + of these calls have also been analysed too and it is believed there are no + instances in internal usage where an overflow could occur. + + This issue was reported by Guido Vranken. + (CVE-2016-2106) + [Matt Caswell] + + *) Prevent ASN.1 BIO excessive memory allocation + + When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio() + a short invalid encoding can casuse allocation of large amounts of memory + potentially consuming excessive resources or exhausting memory. + + Any application parsing untrusted data through d2i BIO functions is + affected. The memory based functions such as d2i_X509() are *not* affected. + Since the memory based functions are used by the TLS library, TLS + applications are not affected. + + This issue was reported by Brian Carpenter. + (CVE-2016-2109) + [Stephen Henson] + + *) EBCDIC overread + + ASN1 Strings that are over 1024 bytes can cause an overread in applications + using the X509_NAME_oneline() function on EBCDIC systems. This could result + in arbitrary stack data being returned in the buffer. + + This issue was reported by Guido Vranken. + (CVE-2016-2176) + [Matt Caswell] + + *) Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + [Todd Short] + + *) Remove LOW from the DEFAULT cipher list. 
This removes singles DES from the + default. + [Kurt Roeckx] + + *) Only remove the SSLv2 methods with the no-ssl2-method option. When the + methods are enabled and ssl2 is disabled the methods return NULL. + [Kurt Roeckx] + Changes between 1.0.1r and 1.0.1s [1 Mar 2016] * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. Modified: vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade Tue May 3 18:02:01 2016 (r298993) @@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/Subv # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://svn.freebsd.org/base" -setenv OSSLVER 1.0.1r -# OSSLTAG format: v1_0_1r +setenv OSSLVER 1.0.1t +# OSSLTAG format: v1_0_1t ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` Modified: vendor-crypto/openssl/dist-1.0.1/Makefile ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/Makefile Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/Makefile Tue May 3 18:02:01 2016 (r298993) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.1s +VERSION=1.0.1t MAJOR=1 MINOR=0.1 SHLIB_VERSION_NUMBER=1.0.0 Modified: vendor-crypto/openssl/dist-1.0.1/NEWS ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/NEWS Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/NEWS Tue May 3 18:02:01 2016 (r298993) 
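Review bot: typos in the new CHANGES text: `the server support AES-NI` should read `supports`, `primarly` should be `primarily`, `casuse` should be `cause`, `singles DES` should be `single DES` (the NEWS entry below repeats it), and `have also been analysed too` doubles up `also` and `too`. The text is imported verbatim from upstream, so the fix belongs upstream; flagging it here so the vendor tree is not patched locally.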
@@ -5,6 +5,19 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [3 May 2016] + + o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107) + o Fix EVP_EncodeUpdate overflow (CVE-2016-2105) + o Fix EVP_EncryptUpdate overflow (CVE-2016-2106) + o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109) + o EBCDIC overread (CVE-2016-2176) + o Modify behavior of ALPN to invoke callback after SNI/servername + callback, such that updates to the SSL_CTX affect ALPN. + o Remove LOW from the DEFAULT cipher list. This removes singles DES from + the default. + o Only remove the SSLv2 methods with the no-ssl2-method option. + Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016] o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL. Modified: vendor-crypto/openssl/dist-1.0.1/README ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/README Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/README Tue May 3 18:02:01 2016 (r298993) @@ -1,5 +1,5 @@ - OpenSSL 1.0.1s 1 Mar 2016 + OpenSSL 1.0.1t 3 May 2016 Copyright (c) 1998-2015 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: vendor-crypto/openssl/dist-1.0.1/apps/pkcs7.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/apps/pkcs7.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/apps/pkcs7.c Tue May 3 18:02:01 2016 (r298993) 
@@ -235,12 +235,16 @@ int MAIN(int argc, char **argv) i = OBJ_obj2nid(p7->type); switch (i) { case NID_pkcs7_signed: - certs = p7->d.sign->cert; - crls = p7->d.sign->crl; + if (p7->d.sign != NULL) { + certs = p7->d.sign->cert; + crls = p7->d.sign->crl; + } break; case NID_pkcs7_signedAndEnveloped: - certs = p7->d.signed_and_enveloped->cert; - crls = p7->d.signed_and_enveloped->crl; + if (p7->d.signed_and_enveloped != NULL) { + certs = p7->d.signed_and_enveloped->cert; + crls = p7->d.signed_and_enveloped->crl; + } break; default: break; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_bytes.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_bytes.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_bytes.c Tue May 3 18:02:01 2016 (r298993) @@ -200,13 +200,13 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING } else { if (len != 0) { if ((ret->length < len) || (ret->data == NULL)) { - if (ret->data != NULL) - OPENSSL_free(ret->data); s = (unsigned char *)OPENSSL_malloc((int)len + 1); if (s == NULL) { i = ERR_R_MALLOC_FAILURE; goto err; } + if (ret->data != NULL) + OPENSSL_free(ret->data); } else s = ret->data; memcpy(s, p, (int)len); Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_d2i_fp.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_d2i_fp.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_d2i_fp.c Tue May 3 18:02:01 2016 (r298993) @@ -141,6 +141,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM * #endif #define HEADER_SIZE 8 +#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024) static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) { BUF_MEM *b; 
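Review bot: the pkcs7.c hunk guards `p7->d.sign` and `p7->d.signed_and_enveloped` against NULL before reading `->cert` and `->crl`, which a PKCS#7 blob that announces the signed type but carries no content would otherwise dereference; this relies on `certs` and `crls` having been initialised to NULL before the `switch`, so that later code sees "no certificates" rather than whatever was on the stack. That initialisation is outside the hunk and should be confirmed.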
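Review bot: the a_bytes.c hunk moves `OPENSSL_free(ret->data)` from before `OPENSSL_malloc` to after the NULL check: in the old order a failed allocation jumped to `err` with `ret->data` already freed but still stored in the object, so the error path could free it a second time. With the new order the old buffer survives until its replacement exists, at the cost of both being briefly live, which is harmless here. A short comment on why the free deliberately follows the malloc would stop someone tidying it back into the old order.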
@@ -217,29 +218,44 @@ static int asn1_d2i_read_bio(BIO *in, BU /* suck in c.slen bytes of data */ want = c.slen; if (want > (len - off)) { + size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE; + want -= (len - off); if (want > INT_MAX /* BIO_read takes an int length */ || len + want < len) { ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG); goto err; } - if (!BUF_MEM_grow_clean(b, len + want)) { - ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); - goto err; - } while (want > 0) { - i = BIO_read(in, &(b->data[len]), want); - if (i <= 0) { - ASN1err(ASN1_F_ASN1_D2I_READ_BIO, - ASN1_R_NOT_ENOUGH_DATA); + /* + * Read content in chunks of increasing size + * so we can return an error for EOF without + * having to allocate the entire content length + * in one go. + */ + size_t chunk = want > chunk_max ? chunk_max : want; + + if (!BUF_MEM_grow_clean(b, len + chunk)) { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE); goto err; } + want -= chunk; + while (chunk > 0) { + i = BIO_read(in, &(b->data[len]), chunk); + if (i <= 0) { + ASN1err(ASN1_F_ASN1_D2I_READ_BIO, + ASN1_R_NOT_ENOUGH_DATA); + goto err; + } /* * This can't overflow because |len+want| didn't * overflow. */ - len += i; - want -= i; + len += i; + chunk -= i; + } + if (chunk_max < INT_MAX/2) + chunk_max *= 2; } } if (off + c.slen < off) { Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_type.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_type.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/a_type.c Tue May 3 18:02:01 2016 (r298993) 
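Review bot: the chunked loop in asn1_d2i_read_bio now grows the buffer by at most `chunk_max` per pass (starting at ASN1_CHUNK_INITIAL_SIZE, 16 KiB, and doubling while `chunk_max < INT_MAX/2`) instead of `BUF_MEM_grow_clean(b, len + want)` up front, so a short input that claims a huge length fails at EOF after a small allocation rather than after allocating the whole claimed size (the CVE-2016-2109 fix described in CHANGES). Two points: the retained comment `This can't overflow because |len+want| didn't overflow` now sits above `len += i; chunk -= i;` and should refer to `chunk`, which is bounded by `want`; and `BIO_read(in, &(b->data[len]), chunk)` narrows a size_t to int silently, which is safe only because of the earlier `want > INT_MAX` check together with the doubling guard, so an explicit `(int)chunk` with a comment would document the bound.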
@@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co result = 0; /* They do not have content. */ break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: case V_ASN1_BIT_STRING: case V_ASN1_OCTET_STRING: case V_ASN1_SEQUENCE: Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_lib.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_lib.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_lib.c Tue May 3 18:02:01 2016 (r298993) @@ -63,7 +63,7 @@ #include static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, - int max); + long max); static void asn1_put_length(unsigned char **pp, int length); const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT; @@ -131,7 +131,7 @@ int ASN1_get_object(const unsigned char } *ptag = tag; *pclass = xclass; - if (!asn1_get_length(&p, &inf, plength, (int)max)) + if (!asn1_get_length(&p, &inf, plength, max)) goto err; if (inf && !(ret & V_ASN1_CONSTRUCTED)) @@ -159,14 +159,14 @@ int ASN1_get_object(const unsigned char } static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, - int max) + long max) { const unsigned char *p = *pp; unsigned long ret = 0; - unsigned int i; + unsigned long i; if (max-- < 1) - return (0); + return 0; if (*p == 0x80) { *inf = 1; ret = 0; @@ -175,15 +175,11 @@ static int asn1_get_length(const unsigne *inf = 0; i = *p & 0x7f; if (*(p++) & 0x80) { - if (i > sizeof(long)) + if (i > sizeof(ret) || max < (long)i) return 0; - if (max-- == 0) - return (0); while (i-- > 0) { ret <<= 8L; ret |= *(p++); - if (max-- == 0) - return (0); } } else ret = i; 
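Review bot: dropping `case V_ASN1_NEG_INTEGER:` and `case V_ASN1_NEG_ENUMERATED:` from ASN1_TYPE_cmp (and, further down, from asn1_ex_c2i in tasn_dec.c and asn1_ex_i2c in tasn_enc.c) sends those type values to the `default` path of all three switches; if the default treats them as mismatched or unsupported, an ASN1_TYPE carrying a negative integer now compares unequal where it previously compared by content. None of the CHANGES or NEWS entries in this import mentions the change, so either it is intentional (the NEG_ values being internal string-type markers rather than encodable tags) and deserves a CHANGES line, or it needs a second look.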
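Review bot: in asn1_get_length the new guard `if (i > sizeof(ret) || max < (long)i) return 0;` replaces the two removed `if (max-- == 0) return (0);` checks: after the `max-- < 1` test consumed the first byte, `max` is the number of bytes remaining, so one comparison against the announced length-of-length `i` is equivalent to decrementing inside the loop and cheaper. Widening `max` from int to long and dropping the `(int)max` cast in ASN1_get_object is the substantive fix: a caller passing a length above INT_MAX previously had it truncated before the bounds check. The `return (0)` to `return 0` edits are style churn inside a correctness fix; acceptable in a vendor import, but worth keeping separate upstream.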
@@ -192,7 +188,7 @@ static int asn1_get_length(const unsigne return 0; *pp = p; *rl = (long)ret; - return (1); + return 1; } /* Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_par.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_par.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_par.c Tue May 3 18:02:01 2016 (r298993) @@ -173,6 +173,8 @@ static int asn1_parse2(BIO *bp, const un if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0)) goto end; if (j & V_ASN1_CONSTRUCTED) { + const unsigned char *sp; + ep = p + len; if (BIO_write(bp, "\n", 1) <= 0) goto end; @@ -182,6 +184,7 @@ static int asn1_parse2(BIO *bp, const un goto end; } if ((j == 0x21) && (len == 0)) { + sp = p; for (;;) { r = asn1_parse2(bp, &p, (long)(tot - p), offset + (p - *pp), depth + 1, @@ -190,19 +193,25 @@ static int asn1_parse2(BIO *bp, const un ret = 0; goto end; } - if ((r == 2) || (p >= tot)) + if ((r == 2) || (p >= tot)) { + len = p - sp; break; + } } - } else + } else { + long tmp = len; + while (p < ep) { - r = asn1_parse2(bp, &p, (long)len, - offset + (p - *pp), depth + 1, + sp = p; + r = asn1_parse2(bp, &p, tmp, offset + (p - *pp), depth + 1, indent, dump); if (r == 0) { ret = 0; goto end; } + tmp -= p - sp; } + } } else if (xclass != 0) { p += len; if (BIO_write(bp, "\n", 1) <= 0) Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/t_x509.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/t_x509.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/t_x509.c Tue May 3 18:02:01 2016 (r298993) 
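Review bot: in asn1_parse2 the new `long tmp = len;` / `tmp -= p - sp;` bookkeeping passes each child the bytes left in the parent instead of the parent's full `len`, and the indefinite-length branch (`j == 0x21 && len == 0`) now sets `len = p - sp` once the terminator is reached; both stop a child from being told it may read beyond its parent. `sp` is declared at the top of the constructed branch but assigned only inside the two sub-branches; initialising it to `p` at the declaration would avoid an uninitialised-variable warning on stricter compilers and costs nothing.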
@@ -140,7 +140,8 @@ int X509_print_ex(BIO *bp, X509 *x, unsi goto err; bs = X509_get_serialNumber(x); - if (bs->length <= (int)sizeof(long)) { + if (bs->length < (int)sizeof(long) + || (bs->length == sizeof(long) && (bs->data[0] & 0x80) == 0)) { l = ASN1_INTEGER_get(bs); if (bs->type == V_ASN1_NEG_INTEGER) { l = -l; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_dec.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_dec.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_dec.c Tue May 3 18:02:01 2016 (r298993) @@ -903,9 +903,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: tint = (ASN1_INTEGER **)pval; if (!c2i_ASN1_INTEGER(tint, &cont, len)) goto err; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_enc.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_enc.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_enc.c Tue May 3 18:02:01 2016 (r298993) @@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig break; case V_ASN1_INTEGER: - case V_ASN1_NEG_INTEGER: case V_ASN1_ENUMERATED: - case V_ASN1_NEG_ENUMERATED: /* * These are all have the same content format as ASN1_INTEGER */ Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_name.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_name.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_name.c Tue May 3 18:02:01 2016 (r298993) 
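Review bot: the new serial-number condition in X509_print_ex only calls ASN1_INTEGER_get when the value fits in a long without overflow: fewer than `sizeof(long)` bytes, or exactly `sizeof(long)` bytes with the top bit clear. The old `<=` let a full-width value with bit 7 set through, which ASN1_INTEGER_get cannot represent, so the fallback printing path is now taken for it. Style nit: the first comparison casts `(int)sizeof(long)` but the second, `bs->length == sizeof(long)`, compares int against size_t uncast; cast both the same way.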
@@ -66,6 +66,13 @@ typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY) +/* + * Maximum length of X509_NAME: much larger than anything we should + * ever see in practice. + */ + +#define X509_NAME_MAX (1024 * 1024) + static int x509_name_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it, @@ -192,6 +199,10 @@ static int x509_name_ex_d2i(ASN1_VALUE * int i, j, ret; STACK_OF(X509_NAME_ENTRY) *entries; X509_NAME_ENTRY *entry; + if (len > X509_NAME_MAX) { + ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG); + return 0; + } q = p; /* Get internal representation of Name */ Modified: vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_x509.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_x509.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_x509.c Tue May 3 18:02:01 2016 (r298993) @@ -201,9 +201,19 @@ X509 *d2i_X509_AUX(X509 **a, const unsig int i2d_X509_AUX(X509 *a, unsigned char **pp) { - int length; + int length, tmplen; + unsigned char *start = pp != NULL ? *pp : NULL; length = i2d_X509(a, pp); - if (a) - length += i2d_X509_CERT_AUX(a->aux, pp); + if (length < 0 || a == NULL) + return length; + + tmplen = i2d_X509_CERT_AUX(a->aux, pp); + if (tmplen < 0) { + if (start != NULL) + *pp = start; + return tmplen; + } + length += tmplen; + return length; } Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86-mont.pl ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86-mont.pl Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86-mont.pl Tue May 3 18:02:01 2016 (r298993) 
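Review bot: the `X509_NAME_MAX` cap of 1 MiB in x509_name_ex_d2i rejects an oversized Name before any of its entries is decoded, which bounds the memory a hostile certificate can make the parser allocate; `ASN1_R_TOO_LONG` is the existing reason code, so no new error string is needed. The blank line between the comment block and the `#define` separates the explanation from what it explains; join them. The cap is not mentioned in the CHANGES or NEWS entries of this import, so add a line if it is meant as a documented limit.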
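Review bot: in i2d_X509_AUX the rewind `*pp = start` after a failed i2d_X509_CERT_AUX only happens when `start != NULL`; in the allocating mode (`pp != NULL && *pp == NULL`) the buffer that i2d_X509 allocated is left in `*pp` alongside a negative return, so the caller has to know to free it. Either free it here before returning `tmplen`, or document that contract. The early `if (length < 0 || a == NULL) return length;` correctly preserves the old behaviour in which a NULL `a` skipped the aux encoding, and it now also stops a negative `length` from being added to.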
@@ -85,6 +85,21 @@ $frame=32; # size of above frame roun &and ("esp",-64); # align to cache line + # Some OSes, *cough*-dows, insist on stack being "wired" to + # physical memory in strictly sequential manner, i.e. if stack + # allocation spans two pages, then reference to farmost one can + # be punishable by SEGV. But page walking can do good even on + # other OSes, because it guarantees that villain thread hits + # the guard page before it can make damage to innocent one... + &mov ("eax","ebp"); + &sub ("eax","esp"); + &and ("eax",-4096); +&set_label("page_walk"); + &mov ("edx",&DWP(0,"esp","eax")); + &sub ("eax",4096); + &data_byte(0x2e); + &jnc (&label("page_walk")); + ################################# load argument block... &mov ("eax",&DWP(0*4,"esi"));# BN_ULONG *rp &mov ("ebx",&DWP(1*4,"esi"));# const BN_ULONG *ap Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-mont.pl ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-mont.pl Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-mont.pl Tue May 3 18:02:01 2016 (r298993) @@ -91,6 +91,20 @@ bn_mul_mont: mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp .Lmul_body: + # Some OSes, *cough*-dows, insist on stack being "wired" to + # physical memory in strictly sequential manner, i.e. if stack + # allocation spans two pages, then reference to farmost one can + # be punishable by SEGV. But page walking can do good even on + # other OSes, because it guarantees that villain thread hits + # the guard page before it can make damage to innocent one... + sub %rsp,%r11 + and \$-4096,%r11 +.Lmul_page_walk: + mov (%rsp,%r11),%r10 + sub \$4096,%r11 + .byte 0x66,0x2e # predict non-taken + jnc .Lmul_page_walk + mov $bp,%r12 # reassign $bp ___ $bp="%r12"; 
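Review bot: these are the same page-walk stanzas as in the r298991 (1.0.2h) import above, with the same two asks: give the bare `&data_byte(0x2e);` in x86-mont.pl the `# predict non-taken` comment its 64-bit twin has, and note next to `.Lmul_body` that `sub %rsp,%r11` is safe only because the context line `mov %r11,8(%rsp,$num,8)` has already saved the old %rsp.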
@@ -296,6 +310,14 @@ bn_mul4x_mont: mov %r11,8(%rsp,$num,8) # tp[num+1]=%rsp .Lmul4x_body: + sub %rsp,%r11 + and \$-4096,%r11 +.Lmul4x_page_walk: + mov (%rsp,%r11),%r10 + sub \$4096,%r11 + .byte 0x2e # predict non-taken + jnc .Lmul4x_page_walk + mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp mov %rdx,%r12 # reassign $bp ___ @@ -707,6 +729,7 @@ $code.=<<___; .align 16 bn_sqr4x_mont: .Lsqr4x_enter: + mov %rsp,%rax push %rbx push %rbp push %r12 @@ -715,12 +738,23 @@ bn_sqr4x_mont: push %r15 shl \$3,${num}d # convert $num to bytes - xor %r10,%r10 mov %rsp,%r11 # put aside %rsp - sub $num,%r10 # -$num + neg $num # -$num mov ($n0),$n0 # *n0 - lea -72(%rsp,%r10,2),%rsp # alloca(frame+2*$num) + lea -72(%rsp,$num,2),%rsp # alloca(frame+2*$num) and \$-1024,%rsp # minimize TLB usage + + sub %rsp,%r11 + and \$-4096,%r11 +.Lsqr4x_page_walk: + mov (%rsp,%r11),%r10 + sub \$4096,%r11 + .byte 0x2e # predict non-taken + jnc .Lsqr4x_page_walk + + mov $num,%r10 + neg $num # restore $num + lea -48(%rax),%r11 # restore saved %rsp ############################################################## # Stack layout # Modified: vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-mont5.pl ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-mont5.pl Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-mont5.pl Tue May 3 18:02:01 2016 (r298993) 
@@ -84,6 +84,20 @@ bn_mul_mont_gather5: mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp .Lmul_body: + # Some OSes, *cough*-dows, insist on stack being "wired" to + # physical memory in strictly sequential manner, i.e. if stack + # allocation spans two pages, then reference to farmost one can + # be punishable by SEGV. But page walking can do good even on + # other OSes, because it guarantees that villain thread hits + # the guard page before it can make damage to innocent one... + sub %rsp,%rax + and \$-4096,%rax +.Lmul_page_walk: + mov (%rsp,%rax),%r11 + sub \$4096,%rax + .byte 0x2e # predict non-taken + jnc .Lmul_page_walk + lea 128($bp),%r12 # reassign $bp (+size optimization) ___ $bp="%r12"; @@ -407,6 +421,14 @@ bn_mul4x_mont_gather5: mov %rax,8(%rsp,$num,8) # tp[num+1]=%rsp .Lmul4x_body: + sub %rsp,%rax + and \$-4096,%rax +.Lmul4x_page_walk: + mov (%rsp,%rax),%r11 + sub \$4096,%rax + .byte 0x2e # predict non-taken + jnc .Lmul4x_page_walk + mov $rp,16(%rsp,$num,8) # tp[num+2]=$rp lea 128(%rdx),%r12 # reassign $bp (+size optimization) ___ Modified: vendor-crypto/openssl/dist-1.0.1/crypto/comp/comp.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/comp/comp.h Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/comp/comp.h Tue May 3 18:02:01 2016 (r298993) @@ -4,6 +4,10 @@ # include +# ifdef OPENSSL_NO_COMP +# error COMP is disabled. +# endif + #ifdef __cplusplus extern "C" { #endif Modified: vendor-crypto/openssl/dist-1.0.1/crypto/evp/Makefile ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/evp/Makefile Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/evp/Makefile Tue May 3 18:02:01 2016 (r298993) 
@@ -199,8 +199,8 @@ e_aes.o: ../../include/openssl/opensslv. e_aes.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h e_aes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h e_aes.o: ../modes/modes_lcl.h e_aes.c evp_locl.h -e_aes_cbc_hmac_sha1.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h -e_aes_cbc_hmac_sha1.o: ../../include/openssl/bio.h +e_aes_cbc_hmac_sha1.o: ../../e_os.h ../../include/openssl/aes.h +e_aes_cbc_hmac_sha1.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/crypto.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/e_os2.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/evp.h @@ -212,8 +212,8 @@ e_aes_cbc_hmac_sha1.o: ../../include/ope e_aes_cbc_hmac_sha1.o: ../../include/openssl/safestack.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/sha.h e_aes_cbc_hmac_sha1.o: ../../include/openssl/stack.h -e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h e_aes_cbc_hmac_sha1.c -e_aes_cbc_hmac_sha1.o: evp_locl.h +e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h ../constant_time_locl.h +e_aes_cbc_hmac_sha1.o: e_aes_cbc_hmac_sha1.c evp_locl.h e_bf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h e_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/buffer.h e_bf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h Modified: vendor-crypto/openssl/dist-1.0.1/crypto/evp/digest.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/evp/digest.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/evp/digest.c Tue May 3 18:02:01 2016 (r298993) 
@@ -200,8 +200,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c } #endif if (ctx->digest != type) { - if (ctx->digest && ctx->digest->ctx_size) + if (ctx->digest && ctx->digest->ctx_size) { OPENSSL_free(ctx->md_data); + ctx->md_data = NULL; + } ctx->digest = type; if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) { ctx->update = type->update; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_aes_cbc_hmac_sha1.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_aes_cbc_hmac_sha1.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_aes_cbc_hmac_sha1.c Tue May 3 18:02:01 2016 (r298993) @@ -59,6 +59,7 @@ # include # include # include "evp_locl.h" +# include "constant_time_locl.h" # ifndef EVP_CIPH_FLAG_AEAD_CIPHER # define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 @@ -286,6 +287,8 @@ static int aesni_cbc_hmac_sha1_cipher(EV maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8); maxpad &= 255; + ret &= constant_time_ge(maxpad, pad); + inp_len = len - (SHA_DIGEST_LENGTH + pad + 1); mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1))); inp_len &= mask; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/evp/encode.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/evp/encode.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/evp/encode.c Tue May 3 18:02:01 2016 (r298993) @@ -57,6 +57,7 @@ */ #include +#include #include "cryptlib.h" #include @@ -151,13 +152,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct const unsigned char *in, int inl) { int i, j; - unsigned int total = 0; + size_t total = 0; *outl = 0; if (inl <= 0) return; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); - if ((ctx->num + inl) < ctx->length) { + if (ctx->length - ctx->num > inl) { memcpy(&(ctx->enc_data[ctx->num]), in, inl); ctx->num += inl; return; 
@@ -174,7 +175,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct *out = '\0'; total = j + 1; } - while (inl >= ctx->length) { + while (inl >= ctx->length && total <= INT_MAX) { j = EVP_EncodeBlock(out, in, ctx->length); in += ctx->length; inl -= ctx->length; @@ -183,6 +184,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ct *out = '\0'; total += j + 1; } + if (total > INT_MAX) { + /* Too much output data! */ + *outl = 0; + return; + } if (inl != 0) memcpy(&(ctx->enc_data[0]), in, inl); ctx->num = inl; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_enc.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_enc.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_enc.c Tue May 3 18:02:01 2016 (r298993) @@ -334,7 +334,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct bl = ctx->cipher->block_size; OPENSSL_assert(bl <= (int)sizeof(ctx->buf)); if (i != 0) { - if (i + inl < bl) { + if (bl - i > inl) { memcpy(&(ctx->buf[i]), in, inl); ctx->buf_len += inl; *outl = 0; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/opensslv.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/opensslv.h Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/opensslv.h Tue May 3 18:02:01 2016 (r298993) 
@@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x1000113fL +# define OPENSSL_VERSION_NUMBER 0x1000114fL # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1s-fips 1 Mar 2016" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1t-fips 3 May 2016" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1s 1 Mar 2016" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1t 3 May 2016" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT Modified: vendor-crypto/openssl/dist-1.0.1/crypto/pem/pem_lib.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/pem/pem_lib.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/pem/pem_lib.c Tue May 3 18:02:01 2016 (r298993) @@ -344,7 +344,7 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, if (enc != NULL) { objstr = OBJ_nid2sn(EVP_CIPHER_nid(enc)); - if (objstr == NULL) { + if (objstr == NULL || EVP_CIPHER_iv_length(enc) == 0) { PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, PEM_R_UNSUPPORTED_CIPHER); goto err; } Modified: vendor-crypto/openssl/dist-1.0.1/crypto/pem/pvkfmt.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/pem/pvkfmt.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/pem/pvkfmt.c Tue May 3 18:02:01 2016 (r298993) @@ -131,6 +131,10 @@ static int read_lebn(const unsigned char # define MS_PVKMAGIC 0xb0b5f11eL /* Salt length for PVK files */ # define PVK_SALTLEN 0x10 +/* Maximum length in PVK header */ +# define PVK_MAX_KEYLEN 102400 +/* Maximum salt length */ +# define PVK_MAX_SALTLEN 10240 static EVP_PKEY *b2i_rsa(const unsigned char **in, unsigned int length, unsigned int bitlen, int ispub); 
@@ -644,6 +648,9 @@ static int do_PVK_header(const unsigned *psaltlen = read_ledword(&p); *pkeylen = read_ledword(&p); + if (*pkeylen > PVK_MAX_KEYLEN || *psaltlen > PVK_MAX_SALTLEN) + return 0; + if (is_encrypted && !*psaltlen) { PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER); return 0; Modified: vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509.h ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509.h Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509.h Tue May 3 18:02:01 2016 (r298993) @@ -1281,6 +1281,7 @@ void ERR_load_X509_strings(void); # define X509_R_LOADING_CERT_DIR 103 # define X509_R_LOADING_DEFAULTS 104 # define X509_R_METHOD_NOT_SUPPORTED 124 +# define X509_R_NAME_TOO_LONG 134 # define X509_R_NO_CERT_SET_FOR_US_TO_VERIFY 105 # define X509_R_PUBLIC_KEY_DECODE_ERROR 125 # define X509_R_PUBLIC_KEY_ENCODE_ERROR 126 Modified: vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_err.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_err.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_err.c Tue May 3 18:02:01 2016 (r298993) 
@@ -145,6 +145,7 @@ static ERR_STRING_DATA X509_str_reasons[ {ERR_REASON(X509_R_LOADING_CERT_DIR), "loading cert dir"}, {ERR_REASON(X509_R_LOADING_DEFAULTS), "loading defaults"}, {ERR_REASON(X509_R_METHOD_NOT_SUPPORTED), "method not supported"}, + {ERR_REASON(X509_R_NAME_TOO_LONG), "name too long"}, {ERR_REASON(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY), "no cert set for us to verify"}, {ERR_REASON(X509_R_PUBLIC_KEY_DECODE_ERROR), "public key decode error"}, Modified: vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_obj.c ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_obj.c Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_obj.c Tue May 3 18:02:01 2016 (r298993) @@ -63,6 +63,13 @@ #include #include +/* + * Limit to ensure we don't overflow: much greater than + * anything enountered in practice. + */ + +#define NAME_ONELINE_MAX (1024 * 1024) + char *X509_NAME_oneline(X509_NAME *a, char *buf, int len) { X509_NAME_ENTRY *ne; @@ -86,6 +93,8 @@ char *X509_NAME_oneline(X509_NAME *a, ch goto err; b->data[0] = '\0'; len = 200; + } else if (len == 0) { + return NULL; } if (a == NULL) { if (b) { @@ -110,6 +119,10 @@ char *X509_NAME_oneline(X509_NAME *a, ch type = ne->value->type; num = ne->value->length; + if (num > NAME_ONELINE_MAX) { + X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG); + goto end; + } q = ne->value->data; #ifdef CHARSET_EBCDIC if (type == V_ASN1_GENERALSTRING || @@ -117,8 +130,9 @@ char *X509_NAME_oneline(X509_NAME *a, ch type == V_ASN1_PRINTABLESTRING || type == V_ASN1_TELETEXSTRING || type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) { - ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf) - ? sizeof ebcdic_buf : num); + if (num > (int)sizeof(ebcdic_buf)) + num = sizeof(ebcdic_buf); + ascii2ebcdic(ebcdic_buf, q, num); q = ebcdic_buf; } #endif 
@@ -154,6 +168,10 @@ char *X509_NAME_oneline(X509_NAME *a, ch lold = l; l += 1 + l1 + 1 + l2; + if (l > NAME_ONELINE_MAX) { + X509err(X509_F_X509_NAME_ONELINE, X509_R_NAME_TOO_LONG); + goto end; + } if (b != NULL) { if (!BUF_MEM_grow(b, l + 1)) goto err; @@ -206,7 +224,7 @@ char *X509_NAME_oneline(X509_NAME *a, ch return (p); err: X509err(X509_F_X509_NAME_ONELINE, ERR_R_MALLOC_FAILURE); - if (b != NULL) - BUF_MEM_free(b); + end: + BUF_MEM_free(b); return (NULL); } Modified: vendor-crypto/openssl/dist-1.0.1/doc/apps/ciphers.pod ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/doc/apps/ciphers.pod Tue May 3 18:01:15 2016 (r298992) +++ vendor-crypto/openssl/dist-1.0.1/doc/apps/ciphers.pod Tue May 3 18:02:01 2016 (r298993) @@ -107,7 +107,7 @@ The following is a list of all permitted The default cipher list. This is determined at compile time and is normally -B. +B. When used, this must be the first cipherstring specified. =item B Added: vendor-crypto/openssl/dist-1.0.1/doc/crypto/EVP_EncodeInit.pod ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ vendor-crypto/openssl/dist-1.0.1/doc/crypto/EVP_EncodeInit.pod Tue May 3 18:02:01 2016 (r298993) 
@@ -0,0 +1,127 @@ +=pod + +=head1 NAME + +EVP_EncodeInit, EVP_EncodeUpdate, EVP_EncodeFinal, EVP_EncodeBlock, +EVP_DecodeInit, EVP_DecodeUpdate, EVP_DecodeFinal, EVP_DecodeBlock - EVP base 64 +encode/decode routines + +=head1 SYNOPSIS + + #include + + void EVP_EncodeInit(EVP_ENCODE_CTX *ctx); + void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, + const unsigned char *in, int inl); + void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl); + int EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int n); + + void EVP_DecodeInit(EVP_ENCODE_CTX *ctx); + int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, + const unsigned char *in, int inl); + int EVP_DecodeFinal(EVP_ENCODE_CTX *ctx, unsigned + char *out, int *outl); + int EVP_DecodeBlock(unsigned char *t, const unsigned char *f, int n); + +=head1 DESCRIPTION + +The EVP encode routines provide a high level interface to base 64 encoding and +decoding. Base 64 encoding converts binary data into a printable form that uses +the characters A-Z, a-z, 0-9, "+" and "/" to represent the data. For every 3 +bytes of binary data provided 4 bytes of base 64 encoded data will be produced +plus some occasional newlines (see below). If the input data length is not a +multiple of 3 then the output data will be padded at the end using the "=" +character. + +Encoding of binary data is performed in blocks of 48 input bytes (or less for +the final block). For each 48 byte input block encoded 64 bytes of base 64 data +is output plus an additional newline character (i.e. 65 bytes in total). The +final block (which may be less than 48 bytes) will output 4 bytes for every 3 +bytes of input. If the data length is not divisible by 3 then a full 4 bytes is +still output for the final 1 or 2 bytes of input. Similarly a newline character +will also be output. + +EVP_EncodeInit() initialises B for the start of a new encoding operation. 
+ +EVP_EncodeUpdate() encode B bytes of data found in the buffer pointed to by +B. The output is stored in the buffer B and the number of bytes output +is stored in B<*outl>. It is the caller's responsibility to ensure that the +buffer at B is sufficiently large to accommodate the output data. Only full +blocks of data (48 bytes) will be immediately processed and output by this +function. Any remainder is held in the B object and will be processed by a +subsequent call to EVP_EncodeUpdate() or EVP_EncodeFinal(). To calculate the +required size of the output buffer add together the value of B with the +amount of unprocessed data held in B and divide the result by 48 (ignore +any remainder). This gives the number of blocks of data that will be processed. +Ensure the output buffer contains 65 bytes of storage for each block, plus an +additional byte for a NUL terminator. EVP_EncodeUpdate() may be called +repeatedly to process large amounts of input data. In the event of an error +EVP_EncodeUpdate() will set B<*outl> to 0. + +EVP_EncodeFinal() must be called at the end of an encoding operation. It will +process any partial block of data remaining in the B object. The output +data will be stored in B and the length of the data written will be stored +in B<*outl>. It is the caller's responsibility to ensure that B is +sufficiently large to accommodate the output data which will never be more than +65 bytes plus an additional NUL terminator (i.e. 66 bytes in total). + +EVP_EncodeBlock() encodes a full block of input data in B and of length +B and stores it in B. For every 3 bytes of input provided 4 bytes of +output data will be produced. If B is not divisible by 3 then the block is +encoded as a final block of data and the output is padded such that it is always +divisible by 4. Additionally a NUL terminator character will be added. For +example if 16 bytes of input data is provided then 24 bytes of encoded data is +created plus 1 byte for a NUL terminator (i.e. 
25 bytes in total). The length of +the data generated I the NUL terminator is returned from the function. + +EVP_DecodeInit() initialises B for the start of a new decoding operation. + +EVP_DecodeUpdate() decodes B characters of data found in the buffer pointed +to by B. The output is stored in the buffer B and the number of bytes +output is stored in B<*outl>. It is the caller's responsibility to ensure that +the buffer at B is sufficiently large to accommodate the output data. This +function will attempt to decode as much data as possible in 4 byte chunks. Any +whitespace, newline or carriage return characters are ignored. Any partial chunk +of unprocessed data (1, 2 or 3 bytes) that remains at the end will be held in +the B object and processed by a subsequent call to EVP_DecodeUpdate(). If +any illegal base 64 characters are encountered or if the base 64 padding +character "=" is encountered in the middle of the data then the function returns +-1 to indicate an error. A return value of 0 or 1 indicates successful +processing of the data. A return value of 0 additionally indicates that the last +input data characters processed included the base 64 padding character "=" and +therefore no more non-padding character data is expected to be processed. For +every 4 valid base 64 bytes processed (ignoring whitespace, carriage returns and +line feeds), 3 bytes of binary output data will be produced (or less at the end +of the data where the padding character "=" has been used). + +EVP_DecodeFinal() must be called at the end of a decoding operation. If there +is any unprocessed data still in B then the input data must not have been +a multiple of 4 and therefore an error has occurred. The function will return -1 +in this case. Otherwise the function returns 1 on success. + +EVP_DecodeBlock() will decode the block of B characters of base 64 data +contained in B and store the result in B. 
Any leading whitespace will be *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
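Review bot: in the x_name.c hunk, the `len > X509_NAME_MAX` check in x509_name_ex_d2i runs before `entries` or any entry is allocated, so the bare `return 0` after ASN1err leaks nothing; note though that a negative `len` passes this comparison unchanged, so if any caller can hand down a negative length a `len < 0` guard belongs on the same line. Minor style point: the new `#define X509_NAME_MAX` is separated from the comment that explains it by a blank line, which reads as two unrelated items.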
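Review bot: in the x_x509.c hunk, the rewind of `*pp` to `start` when i2d_X509_CERT_AUX fails only covers callers that passed a real output buffer. When `*pp` is NULL on entry, `start` is NULL, nothing is rewound or released on the error path, and the second i2d call writes through whatever i2d_X509 left in `*pp`; unless every caller is guaranteed to pass a real buffer, an explicit check (or an OPENSSL_assert) on `*pp != NULL` at the top would make the contract visible. Also `if (length < 0 || a == NULL)` lets a zero-length result through to the AUX encoder; `length <= 0` is the safer early return.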
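Review bot: in the x86-mont.pl hunk, the page-walk loop probes `[esp+eax]` for `eax = (ebp-esp) & -4096` down to `[esp]`, clobbering `edx` and consuming `eax`; the "load argument block" code that follows reloads both, so nothing is live across the walk, but a one-line comment saying so would save the next reader that check. The `and -4096` / `sub 4096` pair also hard-codes a 4 KiB page: that still works on platforms with larger pages only because touching every 4 KiB necessarily touches every larger page, which is worth stating next to the "*cough*-dows" comment since the loop is otherwise cryptic.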
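Review bot: in the x86_64-mont.pl bn_mul_mont hunk, the branch hint is spelled `.byte 0x66,0x2e # predict non-taken` in .Lmul_page_walk but `.byte 0x2e # predict non-taken` in the .Lmul4x_page_walk and .Lsqr4x_page_walk loops added below (and in both x86_64-mont5.pl walkers). If the extra 0x66 is deliberate padding, say so in the comment; otherwise make the three spellings identical so the difference does not look like an accident.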
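Review bot: in the x86_64-mont.pl bn_sqr4x_mont hunk, the reworked prologue now relies on two unstated relationships: `lea -48(%rax),%r11` assumes exactly six 8-byte pushes (rbx, rbp, r12 through r15) between the new `mov %rsp,%rax` at .Lsqr4x_enter and the alloca, and `$num` is negated for the `lea`, then restored with a second `neg` after the walk because the walk clobbers %r10 and %r11 and they must be recomputed. Both are correct as written but fragile; a comment on the `-48` ("6 pushes") and on why %r10 is rebuilt from `$num` would stop the next push added to the prologue from silently corrupting the saved %rsp.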
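Review bot: in the comp.h hunk, the `# error COMP is disabled.` guard only fires if OPENSSL_NO_COMP is already defined at that point, i.e. it depends on the header included immediately above it pulling in the build configuration; keep that ordering. It also turns any unconditional include of comp.h into a build failure on no-comp configurations, which appears to be the intent but deserves a CHANGES line so downstream consumers know why their build broke.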
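Review bot: in the digest.c hunk, setting `ctx->md_data = NULL` right after OPENSSL_free is the right fix: the lines that follow only reassign `md_data` when the new digest has a non-zero `ctx_size` and EVP_MD_CTX_FLAG_NO_INIT is clear, so in every other case the old code left a dangling pointer for a later cleanup or copy to free again. A one-line comment would keep someone from "simplifying" the braces away again.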
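Review bot: in the e_aes_cbc_hmac_sha1.c hunk, `ret &= constant_time_ge(maxpad, pad);` folds the "padding longer than the record allows" condition into the result instead of branching on it, which is the correct shape for a padding check: the MAC work below still runs over the same data whether or not the padding was valid, so timing does not reveal the outcome. Two things to confirm outside the hunk: `ret` is initialised to 1 before this point, and nothing between here and the final `return ret` short-circuits on it. The new `#include "constant_time_locl.h"` is matched by the evp/Makefile dependency update in this same patch.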
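Review bot: in the encode.c EVP_EncodeUpdate hunks, the error path added after the loop (`if (total > INT_MAX) { *outl = 0; return; }`) leaves the context inconsistent: blocks already encoded were written to `out` and `in` was advanced, but `ctx->num` is not updated and the caller only sees `*outl == 0`, which is exactly what the early `memcpy ... return` path also produces when the input simply fits in `enc_data`. Since the function is void, either document that the context must be discarded when `*outl` is 0 for an input of at least `ctx->length` bytes, or move the capacity check ahead of the loop so nothing is emitted before failing. The `size_t total` and `ctx->length - ctx->num > inl` changes close the signed overflow on huge `inl` and look right.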
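Review bot: in the evp_enc.c hunk, `bl - i > inl` avoids the signed overflow of `i + inl` for very large `inl` (same idiom as EVP_EncodeUpdate in this patch), but it is only equivalent to the old test when `i < bl`; presumably `i` is the partial-block byte count and that invariant holds, yet the assertion just above checks only `bl <= sizeof(ctx->buf)`. An `OPENSSL_assert(i < bl)` or a comment would document the precondition the rewrite now depends on.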
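Review bot: in the pem_lib.c hunk, rejecting ciphers with `EVP_CIPHER_iv_length(enc) == 0` in PEM_ASN1_write_bio is sound, since the DEK-Info header has nothing to carry for them, but the reason code reused is PEM_R_UNSUPPORTED_CIPHER, which a caller will read as "cipher not known"; a dedicated reason would be clearer. The read side should also reject the same ciphers explicitly so that files written by older versions fail with a clean error rather than deep inside key derivation.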
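Review bot: in the pvkfmt.c do_PVK_header hunk, the new `*pkeylen > PVK_MAX_KEYLEN || *psaltlen > PVK_MAX_SALTLEN` rejection returns 0 without pushing anything onto the error queue, while the inconsistent-header check immediately below it calls PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_INCONSISTENT_HEADER) first; callers that report from the error queue will see a failure with no reason. Add a PEMerr before the return (PEM_R_INCONSISTENT_HEADER, or a new reason for oversized key/salt lengths).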
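Review bot: in the first x509_obj.c hunk, the new comment reads "anything enountered in practice"; that should be "encountered". As with x_name.c, the `#define NAME_ONELINE_MAX` is separated from its comment by a blank line.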
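Review bot: in the x509_obj.c EBCDIC hunk, the substantive fix is that `num` itself is now clamped to `sizeof(ebcdic_buf)` before the copy, so the code that later walks `num` bytes of `q` stays inside `ebcdic_buf`; the old code bounded only the ascii2ebcdic copy and left `num` unchanged, i.e. a stack buffer over-read for long attribute values on EBCDIC builds. The `(int)` cast is needed because `sizeof` is unsigned and `num` is signed. A short comment would help, because the three-line change reads as cosmetic.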
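Review bot: in the final x509_obj.c hunk, `end:` now calls BUF_MEM_free(b) unconditionally where the old code guarded with `if (b != NULL)`; the caller-supplied-buffer path reaches the new `goto end` jumps with `b == NULL`, so this is only safe because BUF_MEM_free accepts NULL. That holds for OpenSSL's BUF_MEM_free, but a comment at the label would make the reliance explicit. The label is also written as ` end:` with a leading space, unlike `err:` on the line above.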
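Review bot: in the new EVP_EncodeInit.pod, the SYNOPSIS prototype for EVP_DecodeFinal is wrapped mid-type (`unsigned` ends one line and `char *out, int *outl);` starts the next), which renders badly in the man page; wrap after the comma as the other prototypes do. In DESCRIPTION, "In the event of an error EVP_EncodeUpdate() will set *outl to 0" names the only error signal the function has, but `*outl` is also 0 whenever the input fits into the internal buffer and no full block is emitted; the text should say so and tell the caller how to distinguish the two, or state that the only error case is output exceeding INT_MAX.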
From: Jung-uk Kim
Date: Tue, 3 May 2016 18:02:25 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r298994 - vendor-crypto/openssl/1.0.1t

Author: jkim
Date: Tue May 3 18:02:25 2016
New Revision: 298994
URL: https://svnweb.freebsd.org/changeset/base/298994

Log:
  Tag OpenSSL 1.0.1t.

Added:
  vendor-crypto/openssl/1.0.1t/
     - copied from r298993, vendor-crypto/openssl/dist-1.0.1/
From: Dimitry Andric
Date: Thu, 5 May 2016 22:09:44 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r299140 - vendor/libcxxrt/dist

Author: dim
Date: Thu May 5 22:09:43 2016
New Revision: 299140
URL: https://svnweb.freebsd.org/changeset/base/299140

Log:
  Import libcxxrt master 516a65c109eb0a01e5e95fbef455eb3215135cef.

  Interesting fixes:
  760ae47 Add std::uncaught_exceptions().
  e45e6db Fix off-by-ones in emergency exception buffer free
  3adaa2e Fix _Unwind_Exception cleanup functions
  286776c Check exception cleanup function ptr before calling
  edda626 Correct exception specifications on new and delete operators

Modified:
  vendor/libcxxrt/dist/exception.cc
  vendor/libcxxrt/dist/memory.cc

Modified: vendor/libcxxrt/dist/exception.cc
==============================================================================
--- vendor/libcxxrt/dist/exception.cc	Thu May 5 21:25:41 2016	(r299139)
+++ vendor/libcxxrt/dist/exception.cc	Thu May 5 22:09:43 2016	(r299140)
@@ -304,13 +304,17 @@ static pthread_key_t eh_key; static void exception_cleanup(_Unwind_Reason_Code reason, struct _Unwind_Exception *ex) { - __cxa_free_exception(static_cast(ex)); + // Exception layout: + // [__cxa_exception [_Unwind_Exception]] [exception object] + // + // __cxa_free_exception expects a pointer to the exception object + __cxa_free_exception(static_cast(ex + 1)); } static void dependent_exception_cleanup(_Unwind_Reason_Code reason, struct _Unwind_Exception *ex) { - __cxa_free_dependent_exception(static_cast(ex)); + __cxa_free_dependent_exception(static_cast(ex + 1)); } /** @@ -340,7 +344,8 @@ static void thread_cleanup(void* thread_ if (info->foreign_exception_state != __cxa_thread_info::none) { _Unwind_Exception *e = reinterpret_cast<_Unwind_Exception*>(info->globals.caughtExceptions); - e->exception_cleanup(_URC_FOREIGN_EXCEPTION_CAUGHT, e); + if (e->exception_cleanup) + e->exception_cleanup(_URC_FOREIGN_EXCEPTION_CAUGHT, e); } else { @@ -516,7 +521,7 @@ static void emergency_malloc_free(char * break; } } - assert(buffer > 0 && + assert(buffer >= 0 && "Trying to free something that is not an emergency buffer!"); // emergency_malloc() is expected to return 0-initialized data. We don't // zero the buffer when allocating it, because the static buffers will @@ -556,7 +561,7 @@ static void free_exception(char *e) { // If this allocation is within the address range of the emergency buffer, // don't call free() because it was not allocated with malloc() - if ((e > emergency_buffer) && + if ((e >= emergency_buffer) && (e < (emergency_buffer + sizeof(emergency_buffer)))) { emergency_malloc_free(e); 
@@ -1280,12 +1285,13 @@ extern "C" void __cxa_end_catch() if (ti->foreign_exception_state != __cxa_thread_info::none) { - globals->caughtExceptions = 0; if (ti->foreign_exception_state != __cxa_thread_info::rethrown) { _Unwind_Exception *e = reinterpret_cast<_Unwind_Exception*>(ti->globals.caughtExceptions); - e->exception_cleanup(_URC_FOREIGN_EXCEPTION_CAUGHT, e); + if (e->exception_cleanup) + e->exception_cleanup(_URC_FOREIGN_EXCEPTION_CAUGHT, e); } + globals->caughtExceptions = 0; ti->foreign_exception_state = __cxa_thread_info::none; return; } @@ -1472,6 +1478,15 @@ namespace std return info->globals.uncaughtExceptions != 0; } /** + * Returns the number of exceptions currently being thrown that have not + * been caught. This can occur inside a nested catch statement. + */ + int uncaught_exceptions() throw() + { + __cxa_thread_info *info = thread_info(); + return info->globals.uncaughtExceptions; + } + /** * Returns the current unexpected handler. */ unexpected_handler get_unexpected() throw() Modified: vendor/libcxxrt/dist/memory.cc ============================================================================== --- vendor/libcxxrt/dist/memory.cc Thu May 5 21:25:41 2016 (r299139) +++ vendor/libcxxrt/dist/memory.cc Thu May 5 22:09:43 2016 (r299140) @@ -71,8 +71,17 @@ namespace std } +#if __cplusplus < 201103L +#define NOEXCEPT throw() +#define BADALLOC throw(std::bad_alloc) +#else +#define NOEXCEPT noexcept +#define BADALLOC +#endif + + __attribute__((weak)) -void* operator new(size_t size) +void* operator new(size_t size) BADALLOC { if (0 == size) { @@ -97,7 +106,7 @@ void* operator new(size_t size) } __attribute__((weak)) -void* operator new(size_t size, const std::nothrow_t &) throw() +void* operator new(size_t size, const std::nothrow_t &) NOEXCEPT { try { return :: operator new(size); 
@@ -110,27 +119,21 @@ void* operator new(size_t size, const st __attribute__((weak)) -void operator delete(void * ptr) -#if __cplusplus < 201000L -throw() -#endif +void operator delete(void * ptr) NOEXCEPT { free(ptr); } __attribute__((weak)) -void * operator new[](size_t size) -#if __cplusplus < 201000L -throw(std::bad_alloc) -#endif +void * operator new[](size_t size) BADALLOC { return ::operator new(size); } __attribute__((weak)) -void * operator new[](size_t size, const std::nothrow_t &) throw() +void * operator new[](size_t size, const std::nothrow_t &) NOEXCEPT { try { return ::operator new[](size); @@ -143,10 +146,7 @@ void * operator new[](size_t size, const __attribute__((weak)) -void operator delete[](void * ptr) -#if __cplusplus < 201000L -throw() -#endif +void operator delete[](void * ptr) NOEXCEPT { ::operator delete(ptr); }
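Review bot: in the exception.cc exception_cleanup / dependent_exception_cleanup hunk, `ex + 1` assumes the exception object begins immediately after the _Unwind_Exception header, which per the new layout comment ([__cxa_exception [_Unwind_Exception]] [exception object]) only holds while the unwind header is the last member of __cxa_exception and no padding follows it. Both conditions are true today but nothing enforces them; a static_assert on offsetof/sizeof next to the struct definition would stop a future member addition from silently making these cleanups free the wrong address.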
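Review bot: in the thread_cleanup hunk, guarding the call with `if (e->exception_cleanup)` is correct since a foreign exception is allowed to carry no cleanup hook, but the same two-line pattern is now duplicated in __cxa_end_catch further down this patch; a small static helper that takes the _Unwind_Exception and the reason code would keep the two sites from drifting apart.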
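Review bot: in the emergency_malloc_free and free_exception hunks, `assert(buffer >= 0 &&` and `if ((e >= emergency_buffer) &&` fix the lower bound of the same range check expressed twice: the old `>` excluded index 0 and the first byte of `emergency_buffer`, so an exception that landed in the very first emergency slot would trip the assert in debug builds and, in free_exception, be handed to free() instead of emergency_malloc_free() in release builds, exactly the case the comment above warns about. Worth a regression test that exhausts the heap and throws, so the first emergency slot is actually exercised.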
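Review bot: in the __cxa_end_catch hunk, moving `globals->caughtExceptions = 0;` below the cleanup call only matters if `globals` aliases `ti->globals`; if it does, the old ordering zeroed the pointer and then read it back through `ti->globals.caughtExceptions`, passing a null `e` to the cleanup hook. A comment stating that dependency would explain why the line moved rather than leaving it to look like a cosmetic reorder.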
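Review bot: in the std::uncaught_exceptions() hunk, the new function is declared `throw()` to match its neighbour uncaught_exception(), while memory.cc in this same import introduces a NOEXCEPT macro precisely to handle the C++03/C++11 split; the public declaration in the <exception> header must use the same exception specification or the definitions will not match. The doc comment's "This can occur inside a nested catch statement" should say what "this" is (a count greater than one).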
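Review bot: in the memory.cc hunks, NOEXCEPT and BADALLOC are defined at file scope with very generic names and never undefined; anything unity-built with or including memory.cc could collide. Prefix them or `#undef` them at the end of the file. The threshold also moved from `__cplusplus < 201000L` to `< 201103L`, so compilers that reported 201000L for a pre-standard C++0x mode now get the C++03 dynamic exception specifications; harmless, but it is a behaviour change the commit message could mention.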
From: Dimitry Andric
Date: Thu, 5 May 2016 22:10:42 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r299141 - vendor/libcxxrt/2016-03-29-516a65c109eb0a01e5e95fbef455eb3215135cef

Author: dim
Date: Thu May 5 22:10:41 2016
New Revision: 299141
URL: https://svnweb.freebsd.org/changeset/base/299141

Log:
  Tag libcxxrt master 516a65c109eb0a01e5e95fbef455eb3215135cef.

Added:
  vendor/libcxxrt/2016-03-29-516a65c109eb0a01e5e95fbef455eb3215135cef/
     - copied from r299140, vendor/libcxxrt/dist/