Import OpenSSL 0.9.8d.
authorPeter Avalos <pavalos@dragonflybsd.org>
Mon, 20 Nov 2006 05:16:00 +0000 (05:16 +0000)
committerPeter Avalos <pavalos@dragonflybsd.org>
Mon, 20 Nov 2006 05:16:00 +0000 (05:16 +0000)
27 files changed:
crypto/openssl-0.9/CHANGES
crypto/openssl-0.9/FAQ
crypto/openssl-0.9/NEWS
crypto/openssl-0.9/README
crypto/openssl-0.9/apps/enc.c
crypto/openssl-0.9/apps/pkcs12.c
crypto/openssl-0.9/crypto/asn1/tasn_dec.c
crypto/openssl-0.9/crypto/asn1/x_req.c
crypto/openssl-0.9/crypto/bn/bn_prime.c
crypto/openssl-0.9/crypto/dh/dh.h
crypto/openssl-0.9/crypto/dh/dh_err.c
crypto/openssl-0.9/crypto/dh/dh_key.c
crypto/openssl-0.9/crypto/dsa/dsa.h
crypto/openssl-0.9/crypto/dsa/dsa_err.c
crypto/openssl-0.9/crypto/dsa/dsa_ossl.c
crypto/openssl-0.9/crypto/ec/ec.h
crypto/openssl-0.9/crypto/ec/ec_asn1.c
crypto/openssl-0.9/crypto/ec/ec_err.c
crypto/openssl-0.9/crypto/opensslv.h
crypto/openssl-0.9/crypto/rsa/rsa.h
crypto/openssl-0.9/crypto/rsa/rsa_eay.c
crypto/openssl-0.9/crypto/rsa/rsa_err.c
crypto/openssl-0.9/ssl/d1_pkt.c
crypto/openssl-0.9/ssl/s2_clnt.c
crypto/openssl-0.9/ssl/s3_srvr.c
crypto/openssl-0.9/ssl/ssl_ciph.c
crypto/openssl-0.9/ssl/ssl_lib.c

index 0cfc559..b25fde5 100644 (file)
@@ -2,6 +2,49 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.8c and 0.9.8d  [28 Sep 2006]
+
+  *) Introduce limits to prevent malicious keys being able to
+     cause a denial of service.  (CVE-2006-2940)
+     [Steve Henson, Bodo Moeller]
+
+  *) Fix ASN.1 parsing of certain invalid structures that can result
+     in a denial of service.  (CVE-2006-2937)  [Steve Henson]
+
+  *) Fix buffer overflow in SSL_get_shared_ciphers() function. 
+     (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
+
+  *) Fix SSL client code which could crash if connecting to a
+     malicious SSLv2 server.  (CVE-2006-4343)
+     [Tavis Ormandy and Will Drewry, Google Security Team]
+
+  *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites
+     match only those.  Before that, "AES256-SHA" would be interpreted
+     as a pattern and match "AES128-SHA" too (since AES128-SHA got
+     the same strength classification in 0.9.7h) as we currently only
+     have a single AES bit in the ciphersuite description bitmap.
+     That change, however, also applied to ciphersuite strings such as
+     "RC4-MD5" that intentionally matched multiple ciphersuites --
+     namely, SSL 2.0 ciphersuites in addition to the more common ones
+     from SSL 3.0/TLS 1.0.
+
+     So we change the selection algorithm again: Naming an explicit
+     ciphersuite selects this one ciphersuite, and any other similar
+     ciphersuite (same bitmap) from *other* protocol versions.
+     Thus, "RC4-MD5" again will properly select both the SSL 2.0
+     ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite.
+
+     Since SSL 2.0 does not have any ciphersuites for which the
+     128/256 bit distinction would be relevant, this works for now.
+     The proper fix will be to use different bits for AES128 and
+     AES256, which would have avoided the problems from the beginning;
+     however, bits are scarce, so we can only do this in a new release
+     (not just a patchlevel) when we can change the SSL_CIPHER
+     definition to split the single 'unsigned long mask' bitmap into
+     multiple values to extend the available space.
+
+     [Bodo Moeller]
+
  Changes between 0.9.8b and 0.9.8c  [05 Sep 2006]
 
   *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
      differing sizes.
      [Richard Levitte]
 
- Changes between 0.9.7j and 0.9.7k  [xx XXX xxxx]
+ Changes between 0.9.7k and 0.9.7l  [xx XXX xxxx]
+
+  *) Change ciphersuite string processing so that an explicit
+     ciphersuite selects this one ciphersuite (so that "AES256-SHA"
+     will no longer include "AES128-SHA"), and any other similar
+     ciphersuite (same bitmap) from *other* protocol versions (so that
+     "RC4-MD5" will still include both the SSL 2.0 ciphersuite and the
+     SSL 3.0/TLS 1.0 ciphersuite).  This is a backport combining
+     changes from 0.9.8b and 0.9.8d.
+     [Bodo Moeller]
+
+ Changes between 0.9.7j and 0.9.7k  [05 Sep 2006]
 
   *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher
      (CVE-2006-4339)  [Ben Laurie and Google Security Team]
index 45c09d5..bee5094 100644 (file)
@@ -74,7 +74,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8c was released on September 5th, 2006.
+OpenSSL 0.9.8d was released on September 28th, 2006.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
index 6bda70f..ad8033a 100644 (file)
@@ -5,6 +5,12 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.8d:
+
+      o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
+      o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
+      o Changes to ciphersuite selection algorithm
+
   Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c:
 
       o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
index b719e48..e627231 100644 (file)
@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.8c 05 Sep 2006
+ OpenSSL 0.9.8d 28 Sep 2006
 
  Copyright (c) 1998-2006 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
index ea948f8..3e3e8eb 100644 (file)
@@ -340,7 +340,7 @@ bad:
                        }
 
                /* It must be large enough for a base64 encoded line */
-               if (n < 80) n=80;
+               if (base64 && n < 80) n=80;
 
                bsize=(int)n;
                if (verbose) BIO_printf(bio_err,"bufsize=%d\n",bsize);
@@ -370,7 +370,11 @@ bad:
                }
 
        if (inf == NULL)
+               {
+               if (bufsize != NULL)
+                       setvbuf(stdin, (char *)NULL, _IONBF, 0);
                BIO_set_fp(in,stdin,BIO_NOCLOSE);
+               }
        else
                {
                if (BIO_read_filename(in,inf) <= 0)
@@ -421,6 +425,8 @@ bad:
        if (outf == NULL)
                {
                BIO_set_fp(out,stdout,BIO_NOCLOSE);
+               if (bufsize != NULL)
+                       setvbuf(stdout, (char *)NULL, _IONBF, 0);
 #ifdef OPENSSL_SYS_VMS
                {
                BIO *tmpbio = BIO_new(BIO_f_linebuffer());
index 308f920..688a0ce 100644 (file)
@@ -180,7 +180,8 @@ int MAIN(int argc, char **argv)
                                args++;
                                if (!strcmp(*args, "NONE"))
                                        cert_pbe = -1;
-                               cert_pbe=OBJ_txt2nid(*args);
+                               else
+                                       cert_pbe=OBJ_txt2nid(*args);
                                if(cert_pbe == NID_undef) {
                                        BIO_printf(bio_err,
                                                 "Unknown PBE algorithm %s\n", *args);
index 0294d8e..ff2f77b 100644 (file)
@@ -832,6 +832,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
                }
        else if (ret == -1)
                return -1;
+        ret = 0;
        /* SEQUENCE, SET and "OTHER" are left in encoded form */
        if ((utype == V_ASN1_SEQUENCE)
                || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER))
index b3f18eb..59ca8ce 100644 (file)
@@ -102,7 +102,7 @@ ASN1_SEQUENCE_enc(X509_REQ_INFO, enc, rinf_cb) = {
 
 IMPLEMENT_ASN1_FUNCTIONS(X509_REQ_INFO)
 
-ASN1_SEQUENCE_ref(X509_REQ, 0, CRYPTO_LOCK_X509_INFO) = {
+ASN1_SEQUENCE_ref(X509_REQ, 0, CRYPTO_LOCK_X509_REQ) = {
        ASN1_SIMPLE(X509_REQ, req_info, X509_REQ_INFO),
        ASN1_SIMPLE(X509_REQ, sig_alg, X509_ALGOR),
        ASN1_SIMPLE(X509_REQ, signature, ASN1_BIT_STRING)
index d57f658..5bab019 100644 (file)
@@ -378,13 +378,14 @@ static int probable_prime(BIGNUM *rnd, int bits)
        {
        int i;
        BN_ULONG mods[NUMPRIMES];
-       BN_ULONG delta,d;
+       BN_ULONG delta,maxdelta;
 
 again:
        if (!BN_rand(rnd,bits,1,1)) return(0);
        /* we now have a random number 'rand' to test. */
        for (i=1; i<NUMPRIMES; i++)
                mods[i]=BN_mod_word(rnd,(BN_ULONG)primes[i]);
+       maxdelta=BN_MASK2 - primes[NUMPRIMES-1];
        delta=0;
        loop: for (i=1; i<NUMPRIMES; i++)
                {
@@ -392,12 +393,8 @@ again:
                 * that gcd(rnd-1,primes) == 1 (except for 2) */
                if (((mods[i]+delta)%primes[i]) <= 1)
                        {
-                       d=delta;
                        delta+=2;
-                       /* perhaps need to check for overflow of
-                        * delta (but delta can be up to 2^32)
-                        * 21-May-98 eay - added overflow check */
-                       if (delta < d) goto again;
+                       if (delta > maxdelta) goto again;
                        goto loop;
                        }
                }
index 4d0c565..ccdf35a 100644 (file)
 #include <openssl/bn.h>
 #endif
        
+#ifndef OPENSSL_DH_MAX_MODULUS_BITS
+# define OPENSSL_DH_MAX_MODULUS_BITS   10000
+#endif
+
 #define DH_FLAG_CACHE_MONT_P     0x01
 #define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
                                        * implementation now uses constant time
@@ -221,6 +225,7 @@ void ERR_load_DH_strings(void);
 /* Reason codes. */
 #define DH_R_BAD_GENERATOR                              101
 #define DH_R_INVALID_PUBKEY                             102
+#define DH_R_MODULUS_TOO_LARGE                          103
 #define DH_R_NO_PRIVATE_VALUE                           100
 
 #ifdef  __cplusplus
index b14a94f..783bb47 100644 (file)
@@ -84,6 +84,7 @@ static ERR_STRING_DATA DH_str_reasons[]=
        {
 {ERR_REASON(DH_R_BAD_GENERATOR)          ,"bad generator"},
 {ERR_REASON(DH_R_INVALID_PUBKEY)         ,"invalid public key"},
+{ERR_REASON(DH_R_MODULUS_TOO_LARGE)      ,"modulus too large"},
 {ERR_REASON(DH_R_NO_PRIVATE_VALUE)       ,"no private value"},
 {0,NULL}
        };
index 79984e1..cb5abdc 100644 (file)
@@ -179,6 +179,12 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
        int ret= -1;
         int check_result;
 
+       if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)
+               {
+               DHerr(DH_F_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
+               goto err;
+               }
+
        ctx = BN_CTX_new();
        if (ctx == NULL) goto err;
        BN_CTX_start(ctx);
index b12db98..3a8fe5b 100644 (file)
 #endif
 #endif
 
+#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
+# define OPENSSL_DSA_MAX_MODULUS_BITS  10000
+#endif
+
 #define DSA_FLAG_CACHE_MONT_P  0x01
 #define DSA_FLAG_NO_EXP_CONSTTIME       0x02 /* new with 0.9.7h; the built-in DSA
                                               * implementation now uses constant time
@@ -270,8 +274,10 @@ void ERR_load_DSA_strings(void);
 #define DSA_F_SIG_CB                                    114
 
 /* Reason codes. */
+#define DSA_R_BAD_Q_VALUE                               102
 #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE               100
 #define DSA_R_MISSING_PARAMETERS                        101
+#define DSA_R_MODULUS_TOO_LARGE                                 103
 
 #ifdef  __cplusplus
 }
index fd42053..d7fac69 100644 (file)
@@ -89,8 +89,10 @@ static ERR_STRING_DATA DSA_str_functs[]=
 
 static ERR_STRING_DATA DSA_str_reasons[]=
        {
+{ERR_REASON(DSA_R_BAD_Q_VALUE)           ,"bad q value"},
 {ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
 {ERR_REASON(DSA_R_MISSING_PARAMETERS)    ,"missing parameters"},
+{ERR_REASON(DSA_R_MODULUS_TOO_LARGE)     ,"modulus too large"},
 {0,NULL}
        };
 
index 3fd8a35..e6aad85 100644 (file)
@@ -304,6 +304,18 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
                return -1;
                }
 
+       if (BN_num_bits(dsa->q) != 160)
+               {
+               DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
+               return -1;
+               }
+
+       if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
+               {
+               DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
+               return -1;
+               }
+
        BN_init(&u1);
        BN_init(&u2);
        BN_init(&t1);
index 919c736..3c96fbd 100644 (file)
@@ -93,6 +93,10 @@ extern "C" {
 #endif
 
 
+#ifndef OPENSSL_ECC_MAX_FIELD_BITS
+# define OPENSSL_ECC_MAX_FIELD_BITS 661
+#endif
+
 typedef enum {
        /* values as defined in X9.62 (ECDSA) and elsewhere */
        POINT_CONVERSION_COMPRESSED = 2,
@@ -482,6 +486,7 @@ void ERR_load_EC_strings(void);
 #define EC_R_D2I_ECPKPARAMETERS_FAILURE                         117
 #define EC_R_DISCRIMINANT_IS_ZERO                       118
 #define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE               119
+#define EC_R_FIELD_TOO_LARGE                            138
 #define EC_R_GROUP2PKPARAMETERS_FAILURE                         120
 #define EC_R_I2D_ECPKPARAMETERS_FAILURE                         121
 #define EC_R_INCOMPATIBLE_OBJECTS                       101
@@ -492,7 +497,9 @@ void ERR_load_EC_strings(void);
 #define EC_R_INVALID_FIELD                              103
 #define EC_R_INVALID_FORM                               104
 #define EC_R_INVALID_GROUP_ORDER                        122
+#define EC_R_INVALID_PENTANOMIAL_BASIS                  132
 #define EC_R_INVALID_PRIVATE_KEY                        123
+#define EC_R_INVALID_TRINOMIAL_BASIS                    137
 #define EC_R_MISSING_PARAMETERS                                 124
 #define EC_R_MISSING_PRIVATE_KEY                        125
 #define EC_R_NOT_A_NIST_PRIME                           135
index dec913b..66ef129 100644 (file)
@@ -741,6 +741,7 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params)
        EC_GROUP                *ret = NULL;
        BIGNUM                  *p = NULL, *a = NULL, *b = NULL;
        EC_POINT                *point=NULL;
+       long                    field_bits;
 
        if (!params->fieldID || !params->fieldID->fieldType || 
            !params->fieldID->p.ptr)
@@ -779,6 +780,13 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params)
 
                char_two = params->fieldID->p.char_two;
 
+               field_bits = char_two->m;
+               if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS)
+                       {
+                       ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_FIELD_TOO_LARGE);
+                       goto err;
+                       }
+
                if ((p = BN_new()) == NULL)
                        {
                        ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_MALLOC_FAILURE);
@@ -799,6 +807,13 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params)
                                }
 
                        tmp_long = ASN1_INTEGER_get(char_two->p.tpBasis);
+
+                       if (!(char_two->m > tmp_long && tmp_long > 0))
+                               {
+                               ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_TRINOMIAL_BASIS);
+                               goto err;
+                               }
+                       
                        /* create the polynomial */
                        if (!BN_set_bit(p, (int)char_two->m))
                                goto err;
@@ -817,6 +832,13 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params)
                                ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_ASN1_ERROR);
                                goto err;
                                }
+
+                       if (!(char_two->m > penta->k3 && penta->k3 > penta->k2 && penta->k2 > penta->k1 && penta->k1 > 0))
+                               {
+                               ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_PENTANOMIAL_BASIS);
+                               goto err;
+                               }
+                       
                        /* create the polynomial */
                        if (!BN_set_bit(p, (int)char_two->m)) goto err;
                        if (!BN_set_bit(p, (int)penta->k1)) goto err;
@@ -853,6 +875,20 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params)
                        ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB);
                        goto err;
                        }
+
+               if (BN_is_negative(p) || BN_is_zero(p))
+                       {
+                       ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_FIELD);
+                       goto err;
+                       }
+
+               field_bits = BN_num_bits(p);
+               if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS)
+                       {
+                       ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_FIELD_TOO_LARGE);
+                       goto err;
+                       }
+
                /* create the EC_GROUP structure */
                ret = EC_GROUP_new_curve_GFp(p, a, b, NULL);
                }
@@ -910,6 +946,16 @@ static EC_GROUP *ec_asn1_parameters2group(const ECPARAMETERS *params)
                ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, ERR_R_ASN1_LIB);
                goto err;
                }
+       if (BN_is_negative(a) || BN_is_zero(a))
+               {
+               ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_GROUP_ORDER);
+               goto err;
+               }
+       if (BN_num_bits(a) > (int)field_bits + 1) /* Hasse bound */
+               {
+               ECerr(EC_F_EC_ASN1_PARAMETERS2GROUP, EC_R_INVALID_GROUP_ORDER);
+               goto err;
+               }
        
        /* extract the cofactor (optional) */
        if (params->cofactor == NULL)
index 38302b9..031c54d 100644 (file)
@@ -188,6 +188,7 @@ static ERR_STRING_DATA EC_str_reasons[]=
 {ERR_REASON(EC_R_D2I_ECPKPARAMETERS_FAILURE),"d2i ecpkparameters failure"},
 {ERR_REASON(EC_R_DISCRIMINANT_IS_ZERO)   ,"discriminant is zero"},
 {ERR_REASON(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE),"ec group new by name failure"},
+{ERR_REASON(EC_R_FIELD_TOO_LARGE)        ,"field too large"},
 {ERR_REASON(EC_R_GROUP2PKPARAMETERS_FAILURE),"group2pkparameters failure"},
 {ERR_REASON(EC_R_I2D_ECPKPARAMETERS_FAILURE),"i2d ecpkparameters failure"},
 {ERR_REASON(EC_R_INCOMPATIBLE_OBJECTS)   ,"incompatible objects"},
@@ -198,7 +199,9 @@ static ERR_STRING_DATA EC_str_reasons[]=
 {ERR_REASON(EC_R_INVALID_FIELD)          ,"invalid field"},
 {ERR_REASON(EC_R_INVALID_FORM)           ,"invalid form"},
 {ERR_REASON(EC_R_INVALID_GROUP_ORDER)    ,"invalid group order"},
+{ERR_REASON(EC_R_INVALID_PENTANOMIAL_BASIS),"invalid pentanomial basis"},
 {ERR_REASON(EC_R_INVALID_PRIVATE_KEY)    ,"invalid private key"},
+{ERR_REASON(EC_R_INVALID_TRINOMIAL_BASIS),"invalid trinomial basis"},
 {ERR_REASON(EC_R_MISSING_PARAMETERS)     ,"missing parameters"},
 {ERR_REASON(EC_R_MISSING_PRIVATE_KEY)    ,"missing private key"},
 {ERR_REASON(EC_R_NOT_A_NIST_PRIME)       ,"not a NIST prime"},
index d683442..beedc19 100644 (file)
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER 0x0090803f
+#define OPENSSL_VERSION_NUMBER 0x0090804f
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8c-fips 05 Sep 2006"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8d-fips 28 Sep 2006"
 #else
-#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8c 05 Sep 2006"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8d 28 Sep 2006"
 #endif
 #define OPENSSL_VERSION_PTEXT  " part of " OPENSSL_VERSION_TEXT
 
index ce6f54f..b19c556 100644 (file)
@@ -159,6 +159,17 @@ struct rsa_st
        BN_BLINDING *mt_blinding;
        };
 
+#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
+# define OPENSSL_RSA_MAX_MODULUS_BITS  16384
+#endif
+
+#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
+# define OPENSSL_RSA_SMALL_MODULUS_BITS        3072
+#endif
+#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
+# define OPENSSL_RSA_MAX_PUBEXP_BITS   64 /* exponent limit enforced for "large" modulus only */
+#endif
+
 #define RSA_3  0x3L
 #define RSA_F4 0x10001L
 
@@ -407,12 +418,12 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_IQMP_NOT_INVERSE_OF_Q                     126
 #define RSA_R_KEY_SIZE_TOO_SMALL                        120
 #define RSA_R_LAST_OCTET_INVALID                        134
+#define RSA_R_MODULUS_TOO_LARGE                                 105
 #define RSA_R_NO_PUBLIC_EXPONENT                        140
 #define RSA_R_NULL_BEFORE_BLOCK_MISSING                         113
 #define RSA_R_N_DOES_NOT_EQUAL_P_Q                      127
 #define RSA_R_OAEP_DECODING_ERROR                       121
 #define RSA_R_PADDING_CHECK_FAILED                      114
-#define RSA_R_PKCS1_PADDING_TOO_SHORT                   105
 #define RSA_R_P_NOT_PRIME                               128
 #define RSA_R_Q_NOT_PRIME                               129
 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED              130
index d6e07a2..e7b7a9c 100644 (file)
@@ -168,6 +168,28 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
 
+       if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
+               {
+               RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
+               return -1;
+               }
+
+       if (BN_ucmp(rsa->n, rsa->e) <= 0)
+               {
+               RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
+               return -1;
+               }
+
+       /* for large moduli, enforce exponent limit */
+       if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
+               {
+               if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
+                       {
+                       RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
+                       return -1;
+                       }
+               }
+       
        if ((ctx=BN_CTX_new()) == NULL) goto err;
        BN_CTX_start(ctx);
        f = BN_CTX_get(ctx);
@@ -597,6 +619,28 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
        unsigned char *buf=NULL;
        BN_CTX *ctx=NULL;
 
+       if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
+               {
+               RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
+               return -1;
+               }
+
+       if (BN_ucmp(rsa->n, rsa->e) <= 0)
+               {
+               RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
+               return -1;
+               }
+
+       /* for large moduli, enforce exponent limit */
+       if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
+               {
+               if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
+                       {
+                       RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
+                       return -1;
+                       }
+               }
+       
        if((ctx = BN_CTX_new()) == NULL) goto err;
        BN_CTX_start(ctx);
        f = BN_CTX_get(ctx);
@@ -640,15 +684,6 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                {
        case RSA_PKCS1_PADDING:
                r=RSA_padding_check_PKCS1_type_1(to,num,buf,i,num);
-               /* Generally signatures should be at least 2/3 padding, though
-                  this isn't possible for really short keys and some standard
-                  signature schemes, so don't check if the unpadded data is
-                  small. */
-               if(r > 42 && 3*8*r >= BN_num_bits(rsa->n))
-                       {
-                       RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_PKCS1_PADDING_TOO_SHORT);
-                       goto err;
-                       }
                break;
        case RSA_X931_PADDING:
                r=RSA_padding_check_X931(to,num,buf,i,num);
index 584adb0..da7a4fb 100644 (file)
@@ -137,12 +137,12 @@ static ERR_STRING_DATA RSA_str_reasons[]=
 {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
 {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL)    ,"key size too small"},
 {ERR_REASON(RSA_R_LAST_OCTET_INVALID)    ,"last octet invalid"},
+{ERR_REASON(RSA_R_MODULUS_TOO_LARGE)     ,"modulus too large"},
 {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT)    ,"no public exponent"},
 {ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
 {ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q)  ,"n does not equal p q"},
 {ERR_REASON(RSA_R_OAEP_DECODING_ERROR)   ,"oaep decoding error"},
 {ERR_REASON(RSA_R_PADDING_CHECK_FAILED)  ,"padding check failed"},
-{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"},
 {ERR_REASON(RSA_R_P_NOT_PRIME)           ,"p not prime"},
 {ERR_REASON(RSA_R_Q_NOT_PRIME)           ,"q not prime"},
 {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED),"rsa operations not supported"},
index be6ee32..f8f4516 100644 (file)
@@ -796,8 +796,14 @@ start:
                        dest = s->d1->alert_fragment;
                        dest_len = &s->d1->alert_fragment_len;
                        }
-               else    /* else it's a CCS message */
-                       OPENSSL_assert(rr->type == SSL3_RT_CHANGE_CIPHER_SPEC);
+                /* else it's a CCS message, or it's wrong */
+                else if (rr->type != SSL3_RT_CHANGE_CIPHER_SPEC)
+                        {
+                          /* Not certain if this is the right error handling */
+                          al=SSL_AD_UNEXPECTED_MESSAGE;
+                          SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_UNEXPECTED_RECORD);
+                          goto f_err;
+                        }
 
 
                if (dest_maxlen > 0)
index efb5248..ce60de6 100644 (file)
@@ -520,7 +520,8 @@ static int get_server_hello(SSL *s)
                CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
                }
 
-       if (s->session->peer != s->session->sess_cert->peer_key->x509)
+       if (s->session->sess_cert == NULL 
+      || s->session->peer != s->session->sess_cert->peer_key->x509)
                /* can't happen */
                {
                ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
index a8c5df8..098eea1 100644 (file)
@@ -2003,7 +2003,7 @@ int ssl3_get_client_key_exchange(SSL *s)
 
                 if (kssl_ctx->client_princ)
                         {
-                        int len = strlen(kssl_ctx->client_princ);
+                        size_t len = strlen(kssl_ctx->client_princ);
                         if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH ) 
                                 {
                                 s->session->krb5_client_princ_len = len;
index 496b0d2..933d487 100644 (file)
@@ -565,7 +565,7 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list,
        *ca_curr = NULL;        /* end of list */
        }
 
-static void ssl_cipher_apply_rule(unsigned long cipher_id,
+static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long ssl_version,
                unsigned long algorithms, unsigned long mask,
                unsigned long algo_strength, unsigned long mask_strength,
                int rule, int strength_bits, CIPHER_ORDER *co_list,
@@ -592,9 +592,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id,
 
                cp = curr->cipher;
 
-               /* If explicit cipher suite match that one only */
+               /* If explicit cipher suite, match only that one for its own protocol version.
+                * Usual selection criteria will be used for similar ciphersuites from other version! */
 
-               if (cipher_id)
+               if (cipher_id && (cp->algorithms & SSL_SSL_MASK) == ssl_version)
                        {
                        if (cp->id != cipher_id)
                                continue;
@@ -731,7 +732,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list,
         */
        for (i = max_strength_bits; i >= 0; i--)
                if (number_uses[i] > 0)
-                       ssl_cipher_apply_rule(0, 0, 0, 0, 0, CIPHER_ORD, i,
+                       ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i,
                                        co_list, head_p, tail_p);
 
        OPENSSL_free(number_uses);
@@ -745,7 +746,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
        unsigned long algorithms, mask, algo_strength, mask_strength;
        const char *l, *start, *buf;
        int j, multi, found, rule, retval, ok, buflen;
-       unsigned long cipher_id = 0;
+       unsigned long cipher_id = 0, ssl_version = 0;
        char ch;
 
        retval = 1;
@@ -836,6 +837,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                         */
                         j = found = 0;
                         cipher_id = 0;
+                        ssl_version = 0;
                         while (ca_list[j])
                                {
                                if (!strncmp(buf, ca_list[j]->name, buflen) &&
@@ -850,12 +852,6 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                        if (!found)
                                break;  /* ignore this entry */
 
-                       if (ca_list[j]->valid)
-                               {
-                               cipher_id = ca_list[j]->id;
-                               break;
-                               }
-
                        /* New algorithms:
                         *  1 - any old restrictions apply outside new mask
                         *  2 - any new restrictions apply outside old mask
@@ -870,6 +866,14 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                                        (algo_strength & ca_list[j]->algo_strength);
                        mask_strength |= ca_list[j]->mask_strength;
 
+                       /* explicit ciphersuite found */
+                       if (ca_list[j]->valid)
+                               {
+                               cipher_id = ca_list[j]->id;
+                               ssl_version = ca_list[j]->algorithms & SSL_SSL_MASK;
+                               break;
+                               }
+
                        if (!multi) break;
                        }
 
@@ -899,7 +903,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                        }
                else if (found)
                        {
-                       ssl_cipher_apply_rule(cipher_id, algorithms, mask,
+                       ssl_cipher_apply_rule(cipher_id, ssl_version, algorithms, mask,
                                algo_strength, mask_strength, rule, -1,
                                co_list, head_p, tail_p);
                        }
index 28c90fc..4971b34 100644 (file)
@@ -1219,7 +1219,7 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
                c=sk_SSL_CIPHER_value(sk,i);
                for (cp=c->name; *cp; )
                        {
-                       if (len-- == 0)
+                       if (len-- <= 0)
                                {
                                *p='\0';
                                return(buf);