Commit | Line | Data |
---|---|---|
9920e6ec JB |
1 | --- crypto/cryptlib.c.orig Fri Nov 23 13:57:59 2001 |
2 | +++ crypto/cryptlib.c Fri Jul 26 10:43:56 2002 | |
3 | @@ -491,3 +491,11 @@ | |
4 | #endif | |
5 | ||
6 | #endif | |
7 | + | |
8 | +void OpenSSLDie(const char *file,int line,const char *assertion) | |
9 | + { | |
10 | + fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n", | |
11 | + file,line,assertion); | |
12 | + abort(); | |
13 | + } | |
14 | + | |
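Review bot: `OpenSSLDie` has no comment stating its contract, although it is the one function in this patch that ends the process: it prints to stderr and calls `abort()`, so it never returns. A suggested comment above the definition is `/* Report a failed internal assertion and abort(); does not return. For conditions that indicate a library bug, not for validating input. */`. `abort()` is declared in `<stdlib.h>`; the include list of cryptlib.c is outside this hunk, so confirm the header is pulled in.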
15 | --- crypto/cryptlib.h.orig Tue May 2 06:35:04 2000 | |
16 | +++ crypto/cryptlib.h Fri Jul 26 10:43:56 2002 | |
17 | @@ -89,6 +89,14 @@ | |
18 | #define X509_CERT_DIR_EVP "SSL_CERT_DIR" | |
19 | #define X509_CERT_FILE_EVP "SSL_CERT_FILE" | |
20 | ||
21 | +/* size of string represenations */ | |
22 | +#define DECIMAL_SIZE(type) ((sizeof(type)*8+2)/3+1) | |
23 | +#define HEX_SIZE(type) ((sizeof(type)*2) | |
24 | + | |
25 | +/* die if we have to */ | |
26 | +void OpenSSLDie(const char *file,int line,const char *assertion); | |
27 | +#define die(e) ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e)) | |
28 | + | |
29 | #ifdef __cplusplus | |
30 | } | |
31 | #endif | |
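Review bot: `HEX_SIZE` is defined with unbalanced parentheses, `((sizeof(type)*2)`, so the first expansion of the macro will break the expression it appears in; it should read `#define HEX_SIZE(type) (sizeof(type)*2)`. No use of `HEX_SIZE` is visible in this patch, which is probably why the compiler never complained. `DECIMAL_SIZE` would benefit from a comment saying that its result leaves room for the digits and a sign but not for the terminating NUL, since every caller in this patch adds `+1` by hand. The comment above the two macros also has a typo (`represenations`).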
32 | --- crypto/asn1/asn1_lib.c.orig Fri Mar 30 06:42:32 2001 | |
33 | +++ crypto/asn1/asn1_lib.c Fri Jul 26 10:43:56 2002 | |
b0dc1116 MM |
34 | @@ -57,6 +57,7 @@ |
35 | */ | |
36 | ||
37 | #include <stdio.h> | |
38 | +#include <limits.h> | |
39 | #include "cryptlib.h" | |
40 | #include <openssl/asn1.h> | |
41 | #include <openssl/asn1_mac.h> | |
e635c11d JB |
42 | @@ -124,15 +124,13 @@ |
43 | (int)(omax+ *pp)); | |
44 | ||
45 | #endif | |
46 | -#if 0 | |
47 | - if ((p+ *plength) > (omax+ *pp)) | |
d1002cd6 | 48 | + if (*plength > (omax - (p - *pp))) |
e635c11d JB |
49 | { |
50 | ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG); | |
51 | /* Set this so that even if things are not long enough | |
52 | * the values are set correctly */ | |
53 | ret|=0x80; | |
54 | } | |
55 | -#endif | |
56 | *pp=p; | |
57 | return(ret|inf); | |
58 | err: | |
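Review bot: The re-enabled bounds check deserves a comment explaining why the comparison was rewritten: `*plength > (omax - (p - *pp))` compares the claimed length with the bytes that remain, instead of forming `p + *plength`, which can point past the buffer before it is compared. Suggested: `/* compare with bytes left; p + *plength could run past the buffer */`. The branch only sets `ret|=0x80` and the function still stores `*pp=p` and returns, so callers have to test the 0x80 bit; that contract is worth stating in the function's header comment, which lies outside this hunk.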
b0dc1116 MM |
59 | @@ -143,7 +142,7 @@ |
60 | static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max) | |
61 | { | |
62 | unsigned char *p= *pp; | |
63 | - long ret=0; | |
64 | + unsigned long ret=0; | |
65 | int i; | |
66 | ||
67 | if (max-- < 1) return(0); | |
e635c11d JB |
68 | @@ -159,6 +157,8 @@ |
69 | i= *p&0x7f; | |
70 | if (*(p++) & 0x80) | |
71 | { | |
72 | + if (i > sizeof(long)) | |
73 | + return 0; | |
74 | if (max-- == 0) return(0); | |
75 | while (i-- > 0) | |
76 | { | |
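Review bot: `if (i > sizeof(long))` compares an `int` with a `size_t`, which is safe here only because `i` was just masked with `0x7f` and cannot be negative. Writing `if (i > (int)sizeof(long))` makes the check independent of that mask and avoids a sign-compare warning, and `return(0);` would match the return style on the following line. The function begins in the previous hunk and continues past this one.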
b0dc1116 | 77 | @@ -170,8 +171,10 @@ |
e635c11d JB |
78 | else |
79 | ret=i; | |
80 | } | |
b0dc1116 | 81 | + if (ret > LONG_MAX) |
e635c11d JB |
82 | + return 0; |
83 | *pp=p; | |
b0dc1116 MM |
84 | - *rl=ret; |
85 | + *rl=(long)ret; | |
e635c11d | 86 | return(1); |
b0dc1116 MM |
87 | } |
88 | ||
9920e6ec JB |
89 | @@ -407,7 +407,7 @@ |
90 | ||
91 | void asn1_add_error(unsigned char *address, int offset) | |
92 | { | |
93 | - char buf1[16],buf2[16]; | |
94 | + char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1]; | |
95 | ||
96 | sprintf(buf1,"%lu",(unsigned long)address); | |
97 | sprintf(buf2,"%d",offset); | |
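Review bot: `buf1` is sized from `address`, a pointer, but the value formatted into it is `(unsigned long)address`; the size should follow the type that is printed, `char buf1[DECIMAL_SIZE(unsigned long)+1]`. On ABIs where a pointer is at least as wide as `unsigned long` the current form does not overflow, but the declaration then depends on that relationship instead of on the format string. Both `sprintf` calls remain unbounded, so the array size is the only thing keeping the writes in range; a short comment tying each buffer to its format (`"%lu"`, `"%d"`) would make that dependency visible. The rest of `asn1_add_error` is outside the hunk.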
98 | --- crypto/conf/conf_def.c.orig Tue Jun 6 09:21:12 2000 | |
99 | +++ crypto/conf/conf_def.c Fri Jul 26 10:43:56 2002 | |
100 | @@ -67,6 +67,7 @@ | |
101 | #include "conf_def.h" | |
102 | #include <openssl/buffer.h> | |
103 | #include <openssl/err.h> | |
104 | +#include "cryptlib.h" | |
105 | ||
106 | static char *eat_ws(CONF *conf, char *p); | |
107 | static char *eat_alpha_numeric(CONF *conf, char *p); | |
108 | @@ -180,12 +181,12 @@ | |
109 | static int def_load(CONF *conf, BIO *in, long *line) | |
110 | { | |
111 | #define BUFSIZE 512 | |
112 | - char btmp[16]; | |
113 | int bufnum=0,i,ii; | |
114 | BUF_MEM *buff=NULL; | |
115 | char *s,*p,*end; | |
116 | int again,n; | |
117 | long eline=0; | |
118 | + char btmp[DECIMAL_SIZE(eline)+1]; | |
119 | CONF_VALUE *v=NULL,*tv; | |
120 | CONF_VALUE *sv=NULL; | |
121 | char *section=NULL,*buf; | |
122 | --- crypto/objects/obj_dat.c.orig Mon Sep 4 09:34:35 2000 | |
123 | +++ crypto/objects/obj_dat.c Fri Jul 26 10:43:56 2002 | |
124 | @@ -428,7 +428,7 @@ | |
125 | unsigned long l; | |
126 | unsigned char *p; | |
127 | const char *s; | |
128 | - char tbuf[32]; | |
129 | + char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2]; | |
130 | ||
131 | if (buf_len <= 0) return(0); | |
132 | ||
133 | --- ssl/s2_clnt.c.orig Sat Nov 10 03:43:51 2001 | |
134 | +++ ssl/s2_clnt.c Fri Jul 26 10:43:56 2002 | |
135 | @@ -116,6 +116,7 @@ | |
136 | #include <openssl/buffer.h> | |
137 | #include <openssl/objects.h> | |
138 | #include <openssl/evp.h> | |
139 | +#include "cryptlib.h" | |
140 | ||
141 | static SSL_METHOD *ssl2_get_client_method(int ver); | |
142 | static int get_server_finished(SSL *s); | |
143 | @@ -517,6 +518,7 @@ | |
144 | } | |
145 | ||
146 | s->s2->conn_id_length=s->s2->tmp.conn_id_length; | |
147 | + die(s->s2->conn_id_length <= sizeof s->s2->conn_id); | |
148 | memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length); | |
149 | return(1); | |
150 | } | |
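Review bot: `die(s->s2->conn_id_length <= sizeof s->s2->conn_id)` turns an oversized length into `abort()` of the whole process, and the value it checks was just copied from `s->s2->tmp.conn_id_length`, which appears to be parsed from the server's hello (the parsing is outside this hunk). If that is right, a misbehaving peer can terminate the application, so a recoverable check placed before the assignment fits better: raise `SSLerr(...)` and `return(-1)` when `s->s2->tmp.conn_id_length > sizeof s->s2->conn_id`. The same pattern appears in ssl/s2_srvr.c at `die(i <= SSL_MAX_MASTER_KEY_LENGTH)`, where `i` can include `tmp.clear` read with `n2s` from the client message, and at `die(s->s2->challenge_length <= sizeof s->s2->challenge)`, and in ssl/ssl_asn1.c at `die(os.length <= sizeof ret->session_id)` on a decoded session. The enclosing function starts outside the hunk.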
151 | @@ -618,6 +620,7 @@ | |
152 | /* make key_arg data */ | |
153 | i=EVP_CIPHER_iv_length(c); | |
154 | sess->key_arg_length=i; | |
155 | + die(i <= SSL_MAX_KEY_ARG_LENGTH); | |
156 | if (i > 0) RAND_pseudo_bytes(sess->key_arg,i); | |
157 | ||
158 | /* make a master key */ | |
159 | @@ -625,6 +628,7 @@ | |
160 | sess->master_key_length=i; | |
161 | if (i > 0) | |
162 | { | |
163 | + die(i <= sizeof sess->master_key); | |
164 | if (RAND_bytes(sess->master_key,i) <= 0) | |
165 | { | |
166 | ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR); | |
167 | @@ -668,6 +672,7 @@ | |
168 | d+=enc; | |
169 | karg=sess->key_arg_length; | |
170 | s2n(karg,p); /* key arg size */ | |
171 | + die(karg <= sizeof sess->key_arg); | |
172 | memcpy(d,sess->key_arg,(unsigned int)karg); | |
173 | d+=karg; | |
174 | ||
175 | @@ -688,6 +693,7 @@ | |
176 | { | |
177 | p=(unsigned char *)s->init_buf->data; | |
178 | *(p++)=SSL2_MT_CLIENT_FINISHED; | |
179 | + die(s->s2->conn_id_length <= sizeof s->s2->conn_id); | |
180 | memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length); | |
181 | ||
182 | s->state=SSL2_ST_SEND_CLIENT_FINISHED_B; | |
183 | @@ -944,6 +950,8 @@ | |
184 | { | |
185 | if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG)) | |
186 | { | |
187 | + die(s->session->session_id_length | |
188 | + <= sizeof s->session->session_id); | |
189 | if (memcmp(buf,s->session->session_id, | |
190 | (unsigned int)s->session->session_id_length) != 0) | |
191 | { | |
192 | --- ssl/s2_lib.c.orig Tue Dec 26 05:06:47 2000 | |
193 | +++ ssl/s2_lib.c Fri Jul 26 10:52:20 2002 | |
194 | @@ -62,6 +62,7 @@ | |
195 | #include <openssl/rsa.h> | |
196 | #include <openssl/objects.h> | |
197 | #include <openssl/md5.h> | |
198 | +#include "cryptlib.h" | |
199 | ||
200 | static long ssl2_default_timeout(void ); | |
201 | const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT; | |
202 | @@ -425,10 +426,14 @@ | |
203 | #endif | |
204 | ||
205 | km=s->s2->key_material; | |
206 | + die(s->s2->key_material_length <= sizeof s->s2->key_material); | |
207 | for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH) | |
208 | { | |
209 | MD5_Init(&ctx); | |
210 | - | |
211 | + | |
212 | + die(s->session->master_key_length >= 0 | |
213 | + && s->session->master_key_length | |
214 | + < sizeof s->session->master_key); | |
215 | MD5_Update(&ctx,s->session->master_key,s->session->master_key_length); | |
216 | MD5_Update(&ctx,&c,1); | |
217 | c++; | |
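Review bot: The master-key assertion uses a strict `<` (`s->session->master_key_length < sizeof s->session->master_key`), while the other length assertions in this patch use `<=`, for example `die(i <= sizeof sess->master_key)` in ssl/s2_clnt.c. A session whose master key fills the buffer exactly would abort here although `MD5_Update` reads only that many bytes; the bound should be `<= sizeof s->session->master_key`. The condition does not change inside the loop, so it can sit next to the `key_material_length` check above the `for`. The enclosing function starts and ends outside the hunk.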
218 | @@ -463,6 +468,7 @@ | |
219 | /* state=s->rwstate;*/ | |
220 | error=s->error; | |
221 | s->error=0; | |
222 | + die(error >= 0 && error <= 3); | |
223 | i=ssl2_write(s,&(buf[3-error]),error); | |
224 | /* if (i == error) s->rwstate=state; */ | |
225 | ||
226 | --- ssl/s2_srvr.c.orig Wed Nov 14 14:19:47 2001 | |
227 | +++ ssl/s2_srvr.c Fri Jul 26 10:43:56 2002 | |
228 | @@ -116,6 +116,7 @@ | |
229 | #include <openssl/rand.h> | |
230 | #include <openssl/objects.h> | |
231 | #include <openssl/evp.h> | |
232 | +#include "cryptlib.h" | |
233 | ||
234 | static SSL_METHOD *ssl2_get_server_method(int ver); | |
235 | static int get_client_master_key(SSL *s); | |
236 | @@ -417,11 +418,18 @@ | |
237 | n2s(p,i); s->s2->tmp.clear=i; | |
238 | n2s(p,i); s->s2->tmp.enc=i; | |
239 | n2s(p,i); s->session->key_arg_length=i; | |
240 | + if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH) | |
241 | + { | |
242 | + SSLerr(SSL_F_GET_CLIENT_MASTER_KEY, | |
243 | + SSL_R_KEY_ARG_TOO_LONG); | |
244 | + return -1; | |
245 | + } | |
246 | s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B; | |
247 | } | |
248 | ||
249 | /* SSL2_ST_GET_CLIENT_MASTER_KEY_B */ | |
250 | p=(unsigned char *)s->init_buf->data; | |
251 | + die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER); | |
252 | keya=s->session->key_arg_length; | |
253 | len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya; | |
254 | if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) | |
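Review bot: The oversized value is stored in `s->session->key_arg_length` before it is rejected, so after `return -1` the session object still carries a length larger than `SSL_MAX_KEY_ARG_LENGTH`. Testing `i` first, `if (i > SSL_MAX_KEY_ARG_LENGTH)`, and assigning `s->session->key_arg_length=i;` only afterwards keeps the stored field in range for any later code that trusts it. The error path also returns without notifying the peer, whereas ssl/s2_clnt.c in this patch shows `ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR)` ahead of a failure return; whether the same call is wanted here should be confirmed. The function continues outside the hunk.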
255 | @@ -502,6 +510,7 @@ | |
256 | #endif | |
257 | ||
258 | if (is_export) i+=s->s2->tmp.clear; | |
259 | + die(i <= SSL_MAX_MASTER_KEY_LENGTH); | |
260 | s->session->master_key_length=i; | |
261 | memcpy(s->session->master_key,p,(unsigned int)i); | |
262 | return(1); | |
263 | @@ -649,6 +658,7 @@ | |
264 | p+=s->s2->tmp.session_id_length; | |
265 | ||
266 | /* challenge */ | |
267 | + die(s->s2->challenge_length <= sizeof s->s2->challenge); | |
268 | memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length); | |
269 | return(1); | |
270 | mem_err: | |
271 | @@ -800,6 +810,7 @@ | |
272 | } | |
273 | ||
274 | /* SSL2_ST_GET_CLIENT_FINISHED_B */ | |
275 | + die(s->s2->conn_id_length <= sizeof s->s2->conn_id); | |
276 | len = 1 + (unsigned long)s->s2->conn_id_length; | |
277 | n = (int)len - s->init_num; | |
278 | i = ssl2_read(s,(char *)&(p[s->init_num]),n); | |
279 | @@ -825,6 +836,7 @@ | |
280 | { | |
281 | p=(unsigned char *)s->init_buf->data; | |
282 | *(p++)=SSL2_MT_SERVER_VERIFY; | |
283 | + die(s->s2->challenge_length <= sizeof s->s2->challenge); | |
284 | memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length); | |
285 | /* p+=s->s2->challenge_length; */ | |
286 | ||
287 | @@ -844,6 +856,8 @@ | |
288 | p=(unsigned char *)s->init_buf->data; | |
289 | *(p++)=SSL2_MT_SERVER_FINISHED; | |
290 | ||
291 | + die(s->session->session_id_length | |
292 | + <= sizeof s->session->session_id); | |
293 | memcpy(p,s->session->session_id, | |
294 | (unsigned int)s->session->session_id_length); | |
295 | /* p+=s->session->session_id_length; */ | |
296 | --- ssl/s3_clnt.c.orig Thu Oct 25 02:18:54 2001 | |
297 | +++ ssl/s3_clnt.c Fri Jul 26 10:56:23 2002 | |
298 | @@ -64,6 +64,7 @@ | |
299 | #include <openssl/sha.h> | |
300 | #include <openssl/evp.h> | |
301 | #include "ssl_locl.h" | |
302 | +#include "cryptlib.h" | |
303 | ||
304 | static SSL_METHOD *ssl3_get_client_method(int ver); | |
305 | static int ssl3_client_hello(SSL *s); | |
306 | @@ -492,6 +493,7 @@ | |
307 | *(p++)=i; | |
308 | if (i != 0) | |
309 | { | |
310 | + die(i <= sizeof s->session->session_id); | |
311 | memcpy(p,s->session->session_id,i); | |
312 | p+=i; | |
313 | } | |
314 | @@ -572,6 +574,14 @@ | |
315 | ||
316 | /* get the session-id */ | |
317 | j= *(p++); | |
318 | + | |
319 | + if(j > sizeof s->session->session_id) | |
320 | + { | |
321 | + al=SSL_AD_ILLEGAL_PARAMETER; | |
322 | + SSLerr(SSL_F_SSL3_GET_SERVER_HELLO, | |
323 | + SSL_R_SSL3_SESSION_ID_TOO_LONG); | |
324 | + goto f_err; | |
325 | + } | |
326 | ||
327 | if ((j != 0) && (j != SSL3_SESSION_ID_SIZE)) | |
328 | { | |
329 | --- ssl/ssl.h.orig Mon Dec 17 12:24:39 2001 | |
330 | +++ ssl/ssl.h Fri Jul 26 11:36:19 2002 | |
331 | @@ -1423,6 +1423,7 @@ | |
332 | #define SSL_R_INVALID_COMMAND 280 | |
333 | #define SSL_R_INVALID_PURPOSE 278 | |
334 | #define SSL_R_INVALID_TRUST 279 | |
335 | +#define SSL_R_KEY_ARG_TOO_LONG 1112 | |
336 | #define SSL_R_LENGTH_MISMATCH 159 | |
337 | #define SSL_R_LENGTH_TOO_SHORT 160 | |
338 | #define SSL_R_LIBRARY_BUG 274 | |
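Review bot: The two new reason codes, `SSL_R_KEY_ARG_TOO_LONG 1112` here and `SSL_R_SSL3_SESSION_ID_TOO_LONG 1113` in the second hunk of this file, are numbered in the 1000+ range, which the visible neighbours use for alert-derived reasons (`SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042`, `SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020`), while the ordinary reasons around them sit between 159 and 280. If the 1000+ values are reserved for 1000 plus an alert number, as those names suggest, the new codes could later coincide with a real alert; taking the next free values in the ordinary range avoids that. The matching table entries in ssl/ssl_err.c use the symbolic names and would not need to change.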
339 | @@ -1491,6 +1492,7 @@ | |
340 | #define SSL_R_SHORT_READ 219 | |
341 | #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220 | |
342 | #define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221 | |
343 | +#define SSL_R_SSL3_SESSION_ID_TOO_LONG 1113 | |
344 | #define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222 | |
345 | #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042 | |
346 | #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020 | |
347 | --- ssl/ssl_asn1.c.orig Thu Jun 1 16:19:19 2000 | |
348 | +++ ssl/ssl_asn1.c Fri Jul 26 11:37:53 2002 | |
349 | @@ -62,6 +62,7 @@ | |
350 | #include <openssl/objects.h> | |
351 | #include <openssl/x509.h> | |
352 | #include "ssl_locl.h" | |
353 | +#include "cryptlib.h" | |
354 | ||
355 | typedef struct ssl_session_asn1_st | |
356 | { | |
357 | @@ -275,6 +276,7 @@ | |
358 | os.length=i; | |
359 | ||
360 | ret->session_id_length=os.length; | |
361 | + die(os.length <= sizeof ret->session_id); | |
362 | memcpy(ret->session_id,os.data,os.length); | |
363 | ||
364 | M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING); | |
365 | --- ssl/ssl_err.c.orig Fri Nov 9 18:15:29 2001 | |
366 | +++ ssl/ssl_err.c Fri Jul 26 11:39:21 2002 | |
367 | @@ -1,6 +1,6 @@ | |
368 | /* ssl/ssl_err.c */ | |
369 | /* ==================================================================== | |
370 | - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. | |
371 | + * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved. | |
372 | * | |
373 | * Redistribution and use in source and binary forms, with or without | |
374 | * modification, are permitted provided that the following conditions | |
375 | @@ -275,6 +275,7 @@ | |
376 | {SSL_R_INVALID_COMMAND ,"invalid command"}, | |
377 | {SSL_R_INVALID_PURPOSE ,"invalid purpose"}, | |
378 | {SSL_R_INVALID_TRUST ,"invalid trust"}, | |
379 | +{SSL_R_KEY_ARG_TOO_LONG ,"key arg too long"}, | |
380 | {SSL_R_LENGTH_MISMATCH ,"length mismatch"}, | |
381 | {SSL_R_LENGTH_TOO_SHORT ,"length too short"}, | |
382 | {SSL_R_LIBRARY_BUG ,"library bug"}, | |
383 | @@ -343,6 +344,7 @@ | |
384 | {SSL_R_SHORT_READ ,"short read"}, | |
385 | {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"}, | |
386 | {SSL_R_SSL23_DOING_SESSION_ID_REUSE ,"ssl23 doing session id reuse"}, | |
387 | +{SSL_R_SSL3_SESSION_ID_TOO_LONG ,"ssl3 session id too long"}, | |
388 | {SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"}, | |
389 | {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"}, | |
390 | {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC ,"sslv3 alert bad record mac"}, | |
391 | --- ssl/ssl_sess.c.orig Wed Nov 29 11:12:32 2000 | |
392 | +++ ssl/ssl_sess.c Fri Jul 26 10:43:56 2002 | |
393 | @@ -60,6 +60,7 @@ | |
394 | #include <openssl/lhash.h> | |
395 | #include <openssl/rand.h> | |
396 | #include "ssl_locl.h" | |
397 | +#include "cryptlib.h" | |
398 | ||
399 | static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); | |
400 | static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s); | |
401 | @@ -199,6 +200,7 @@ | |
402 | ss->session_id_length=0; | |
403 | } | |
404 | ||
405 | + die(s->sid_ctx_length <= sizeof ss->sid_ctx); | |
406 | memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length); | |
407 | ss->sid_ctx_length=s->sid_ctx_length; | |
408 | s->session=ss; | |
409 | --- ssl/s3_srvr.c.orig Thu Oct 25 02:18:56 2001 | |
410 | +++ ssl/s3_srvr.c Fri Jul 26 11:27:08 2002 | |
411 | @@ -122,6 +122,7 @@ | |
412 | #include <openssl/evp.h> | |
413 | #include <openssl/x509.h> | |
414 | #include "ssl_locl.h" | |
415 | +#include "cryptlib.h" | |
416 | ||
417 | static SSL_METHOD *ssl3_get_server_method(int ver); | |
418 | static int ssl3_get_client_hello(SSL *s); | |
419 | @@ -942,6 +943,7 @@ | |
420 | s->session->session_id_length=0; | |
421 | ||
422 | sl=s->session->session_id_length; | |
423 | + die(sl <= sizeof s->session->session_id); | |
424 | *(p++)=sl; | |
425 | memcpy(p,s->session->session_id,sl); | |
426 | p+=sl; |