From owner-svn-src-stable@FreeBSD.ORG  Fri Mar 20 07:11:25 2015
Return-Path: <owner-svn-src-stable@FreeBSD.ORG>
Delivered-To: svn-src-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 4C71212B;
 Fri, 20 Mar 2015 07:11:25 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 35390D03;
 Fri, 20 Mar 2015 07:11:25 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t2K7BPtB061845;
 Fri, 20 Mar 2015 07:11:25 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id t2K7BOrL061840;
 Fri, 20 Mar 2015 07:11:24 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201503200711.t2K7BOrL061840@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: delphij set sender to
 delphij@FreeBSD.org using -f
From: Xin LI <delphij@FreeBSD.org>
Date: Fri, 20 Mar 2015 07:11:24 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject: svn commit: r280274 - in stable: 10/crypto/openssl/crypto/asn1
 10/crypto/openssl/crypto/ec 10/crypto/openssl/crypto/x509
 8/crypto/openssl/crypto/asn1 8/crypto/openssl/crypto/ec
 8/crypto/openssl/cry...
X-SVN-Group: stable-10
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
 <svn-src-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable/>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2015 07:11:25 -0000

Author: delphij
Date: Fri Mar 20 07:11:20 2015
New Revision: 280274
URL: https://svnweb.freebsd.org/changeset/base/280274

Log:
  Fix issues with original SA-15:06.openssl commit:
  
   - Revert a portion of ASN1 change per suggested by OpenBSD
     and OpenSSL developers.  The change was removed from the
     formal OpenSSL release and does not solve security issue.
   - Properly fix CVE-2015-0209 and CVE-2015-0288.
  
  Pointy hat to:	delphij

Modified:
  stable/10/crypto/openssl/crypto/asn1/tasn_dec.c
  stable/10/crypto/openssl/crypto/ec/ec_asn1.c
  stable/10/crypto/openssl/crypto/x509/x509_req.c

Changes in other areas also in this revision:
Modified:
  stable/8/crypto/openssl/crypto/asn1/tasn_dec.c
  stable/8/crypto/openssl/crypto/ec/ec_asn1.c
  stable/8/crypto/openssl/crypto/x509/x509_req.c
  stable/9/crypto/openssl/crypto/asn1/tasn_dec.c
  stable/9/crypto/openssl/crypto/ec/ec_asn1.c
  stable/9/crypto/openssl/crypto/x509/x509_req.c

Modified: stable/10/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/tasn_dec.c	Fri Mar 20 01:07:48 2015	(r280273)
+++ stable/10/crypto/openssl/crypto/asn1/tasn_dec.c	Fri Mar 20 07:11:20 2015	(r280274)
@@ -127,22 +127,16 @@ unsigned long ASN1_tag2bit(int tag)
 
 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
 		const unsigned char **in, long len, const ASN1_ITEM *it)
-{
+	{
 	ASN1_TLC c;
 	ASN1_VALUE *ptmpval = NULL;
+	if (!pval)
+		pval = &ptmpval;
 	asn1_tlc_clear_nc(&c);
-	if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
-		ptmpval = *pval;
-	if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
-		if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
-			if (*pval)
-				ASN1_item_free(*pval, it);
-			*pval = ptmpval;
-		}
-		return ptmpval;
-	}
+	if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 
+		return *pval;
 	return NULL;
-}
+	}
 
 int ASN1_template_d2i(ASN1_VALUE **pval,
 		const unsigned char **in, long len, const ASN1_TEMPLATE *tt)

Modified: stable/10/crypto/openssl/crypto/ec/ec_asn1.c
==============================================================================
--- stable/10/crypto/openssl/crypto/ec/ec_asn1.c	Fri Mar 20 01:07:48 2015	(r280273)
+++ stable/10/crypto/openssl/crypto/ec/ec_asn1.c	Fri Mar 20 07:11:20 2015	(r280274)
@@ -1142,8 +1142,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
                                  ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
-		if (a)
-			*a = ret;
 		}
 	else
 		ret = *a;
@@ -1225,11 +1223,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
 		ret->enc_flag |= EC_PKEY_NO_PUBKEY;
 		}
 
+	if (a)
+		*a = ret;
 	ok = 1;
 err:
 	if (!ok)
 		{
-		if (ret)
+		if (ret && (a == NULL || *a != ret))
 			EC_KEY_free(ret);
 		ret = NULL;
 		}

Modified: stable/10/crypto/openssl/crypto/x509/x509_req.c
==============================================================================
--- stable/10/crypto/openssl/crypto/x509/x509_req.c	Fri Mar 20 01:07:48 2015	(r280273)
+++ stable/10/crypto/openssl/crypto/x509/x509_req.c	Fri Mar 20 07:11:20 2015	(r280274)
@@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_
 		goto err;
 
 	pktmp = X509_get_pubkey(x);
+	if (pktmp == NULL)
+		goto err;
 	i=X509_REQ_set_pubkey(ret,pktmp);
 	EVP_PKEY_free(pktmp);
 	if (!i) goto err;