From owner-svn-src-all@FreeBSD.ORG Wed Jan 7 21:03:42 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3071F1065677; Wed, 7 Jan 2009 21:03:42 +0000 (UTC) (envelope-from simon@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 1D3948FC1C; Wed, 7 Jan 2009 21:03:42 +0000 (UTC) (envelope-from simon@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n07L3gad099486; Wed, 7 Jan 2009 21:03:42 GMT (envelope-from simon@svn.freebsd.org) Received: (from simon@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n07L3fLP099478; Wed, 7 Jan 2009 21:03:41 GMT (envelope-from simon@svn.freebsd.org) Message-Id: <200901072103.n07L3fLP099478@svn.freebsd.org> From: "Simon L. Nielsen" Date: Wed, 7 Jan 2009 21:03:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-6@freebsd.org X-SVN-Group: stable-6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r186873 - in stable/6/crypto/openssl: apps ssl X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 07 Jan 2009 21:03:43 -0000 Author: simon Date: Wed Jan 7 21:03:41 2009 New Revision: 186873 URL: http://svn.freebsd.org/changeset/base/186873 Log: This time really commit the OpenSSL part of the advisory round to stable/6: Fix incorrect OpenSSL checks for malformed signatures due to invalid check of return value from EVP_VerifyFinal(), DSA_verify, and DSA_do_verify. Security: FreeBSD-SA-09:02.openssl Obtained from: OpenSSL Project Modified: stable/6/crypto/openssl/apps/speed.c stable/6/crypto/openssl/apps/spkac.c stable/6/crypto/openssl/apps/verify.c stable/6/crypto/openssl/apps/x509.c stable/6/crypto/openssl/ssl/s2_clnt.c stable/6/crypto/openssl/ssl/s2_srvr.c stable/6/crypto/openssl/ssl/s3_clnt.c stable/6/crypto/openssl/ssl/s3_srvr.c Modified: stable/6/crypto/openssl/apps/speed.c ============================================================================== --- stable/6/crypto/openssl/apps/speed.c Wed Jan 7 20:17:55 2009 (r186872) +++ stable/6/crypto/openssl/apps/speed.c Wed Jan 7 21:03:41 2009 (r186873) @@ -1486,7 +1486,7 @@ int MAIN(int argc, char **argv) { ret=RSA_verify(NID_md5_sha1, buf,36, buf2, rsa_num, rsa_key[j]); - if (ret == 0) + if (ret <= 0) { BIO_printf(bio_err, "RSA verify failure\n"); Modified: stable/6/crypto/openssl/apps/spkac.c ============================================================================== --- stable/6/crypto/openssl/apps/spkac.c Wed Jan 7 20:17:55 2009 (r186872) +++ stable/6/crypto/openssl/apps/spkac.c Wed Jan 7 21:03:41 2009 (r186873) @@ -284,7 +284,7 @@ bad: pkey = NETSCAPE_SPKI_get_pubkey(spki); if(verify) { i = NETSCAPE_SPKI_verify(spki, pkey); - if(i) BIO_printf(bio_err, "Signature OK\n"); + if (i > 0) BIO_printf(bio_err, "Signature OK\n"); else { BIO_printf(bio_err, "Signature Failure\n"); ERR_print_errors(bio_err); Modified: stable/6/crypto/openssl/apps/verify.c ============================================================================== --- stable/6/crypto/openssl/apps/verify.c Wed Jan 7 20:17:55 2009 (r186872) +++ stable/6/crypto/openssl/apps/verify.c Wed Jan 7 21:03:41 2009 (r186873) @@ -275,7 +275,7 @@ static int check(X509_STORE *ctx, char * ret=0; end: - if (i) + if (i > 0) { fprintf(stdout,"OK\n"); ret=1; @@ -365,4 +365,3 @@ static int MS_CALLBACK cb(int ok, X509_S ERR_clear_error(); return(ok); } - Modified: stable/6/crypto/openssl/apps/x509.c ============================================================================== --- stable/6/crypto/openssl/apps/x509.c Wed Jan 7 20:17:55 2009 (r186872) +++ stable/6/crypto/openssl/apps/x509.c Wed Jan 7 21:03:41 2009 (r186873) @@ -1113,7 +1113,7 @@ static int x509_certify(X509_STORE *ctx, /* NOTE: this certificate can/should be self signed, unless it was * a certificate request in which case it is not. */ X509_STORE_CTX_set_cert(&xsc,x); - if (!reqfile && !X509_verify_cert(&xsc)) + if (!reqfile && X509_verify_cert(&xsc) <= 0) goto end; if (!X509_check_private_key(xca,pkey)) Modified: stable/6/crypto/openssl/ssl/s2_clnt.c ============================================================================== --- stable/6/crypto/openssl/ssl/s2_clnt.c Wed Jan 7 20:17:55 2009 (r186872) +++ stable/6/crypto/openssl/ssl/s2_clnt.c Wed Jan 7 21:03:41 2009 (r186873) @@ -1062,7 +1062,7 @@ int ssl2_set_certificate(SSL *s, int typ i=ssl_verify_cert_chain(s,sk); - if ((s->verify_mode != SSL_VERIFY_NONE) && (!i)) + if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0)) { SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED); goto err; Modified: stable/6/crypto/openssl/ssl/s2_srvr.c ============================================================================== --- stable/6/crypto/openssl/ssl/s2_srvr.c Wed Jan 7 20:17:55 2009 (r186872) +++ stable/6/crypto/openssl/ssl/s2_srvr.c Wed Jan 7 21:03:41 2009 (r186873) @@ -1070,7 +1070,7 @@ static int request_certificate(SSL *s) i=ssl_verify_cert_chain(s,sk); - if (i) /* we like the packet, now check the chksum */ + if (i > 0) /* we like the packet, now check the chksum */ { EVP_MD_CTX ctx; EVP_PKEY *pkey=NULL; @@ -1099,7 +1099,7 @@ static int request_certificate(SSL *s) EVP_PKEY_free(pkey); EVP_MD_CTX_cleanup(&ctx); - if (i) + if (i > 0) { if (s->session->peer != NULL) X509_free(s->session->peer); Modified: stable/6/crypto/openssl/ssl/s3_clnt.c ============================================================================== --- stable/6/crypto/openssl/ssl/s3_clnt.c Wed Jan 7 20:17:55 2009 (r186872) +++ stable/6/crypto/openssl/ssl/s3_clnt.c Wed Jan 7 21:03:41 2009 (r186873) @@ -833,7 +833,7 @@ static int ssl3_get_server_certificate(S } i=ssl_verify_cert_chain(s,sk); - if ((s->verify_mode != SSL_VERIFY_NONE) && (!i) + if ((s->verify_mode != SSL_VERIFY_NONE) && (i <= 0) #ifndef OPENSSL_NO_KRB5 && (s->s3->tmp.new_cipher->algorithms & (SSL_MKEY_MASK|SSL_AUTH_MASK)) != (SSL_aKRB5|SSL_kKRB5) @@ -1206,7 +1206,7 @@ static int ssl3_get_key_exchange(SSL *s) EVP_VerifyUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); EVP_VerifyUpdate(&md_ctx,param,param_len); - if (!EVP_VerifyFinal(&md_ctx,p,(int)n,pkey)) + if (EVP_VerifyFinal(&md_ctx,p,(int)n,pkey) <= 0) { /* bad signature */ al=SSL_AD_DECRYPT_ERROR; Modified: stable/6/crypto/openssl/ssl/s3_srvr.c ============================================================================== --- stable/6/crypto/openssl/ssl/s3_srvr.c Wed Jan 7 20:17:55 2009 (r186872) +++ stable/6/crypto/openssl/ssl/s3_srvr.c Wed Jan 7 21:03:41 2009 (r186873) @@ -2015,7 +2015,7 @@ static int ssl3_get_client_certificate(S else { i=ssl_verify_cert_chain(s,sk); - if (!i) + if (i <= 0) { al=ssl_verify_alarm_type(s->verify_result); SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,SSL_R_NO_CERTIFICATE_RETURNED);