openssl/sme8/openssl-fips-0.9.8e-cve-2015-0289.patch

diff -up openssl-fips-0.9.8e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref openssl-fips-0.9.8e/crypto/pkcs7/pk7_doit.c
--- openssl-fips-0.9.8e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref        2015-04-01 12:41:27.998402503 +0200
+++ openssl-fips-0.9.8e/crypto/pkcs7/pk7_doit.c 2015-04-02 15:24:26.781363674 +0200
@@ -151,6 +151,27 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
        EVP_PKEY *pkey;
        ASN1_OCTET_STRING *os=NULL;
 
+       if (p7 == NULL)
+               {
+               PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
+               return NULL;
+               }
+       /*
+        * The content field in the PKCS7 ContentInfo is optional, but that really
+        * only applies to inner content (precisely, detached signatures).
+        *
+        * When reading content, missing outer content is therefore treated as an
+        * error.
+        *
+        * When creating content, PKCS7_content_new() must be called before
+        * calling this method, so a NULL p7->d is always an error.
+        */
+       if (p7->d.ptr == NULL)
+               {
+               PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
+               return NULL;
+               }
+
        i=OBJ_obj2nid(p7->type);
        p7->state=PKCS7_S_HEADER;
 
@@ -345,6 +366,18 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
        X509_ALGOR *xalg=NULL;
        PKCS7_RECIP_INFO *ri=NULL;
 
+       if (p7 == NULL)
+               {
+               PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
+               return NULL;
+               }
+
+       if (p7->d.ptr == NULL)
+               {
+               PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
+               return NULL;
+               }
+
        i=OBJ_obj2nid(p7->type);
        p7->state=PKCS7_S_HEADER;
 
@@ -352,6 +385,12 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
                {
        case NID_pkcs7_signed:
                data_body=PKCS7_get_octet_string(p7->d.sign->contents);
+               if (!PKCS7_is_detached(p7) && data_body == NULL)
+                       {
+                       PKCS7err(PKCS7_F_PKCS7_DATADECODE,
+                               PKCS7_R_NO_CONTENT);
+                       goto err;
+                       }
                md_sk=p7->d.sign->md_algs;
                break;
        case NID_pkcs7_signedAndEnveloped:
@@ -640,6 +679,18 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
        STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
        ASN1_OCTET_STRING *os=NULL;
 
+       if (p7 == NULL)
+               {
+               PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
+               return 0;
+               }
+
+       if (p7->d.ptr == NULL)
+               {
+               PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
+               return 0;
+               }
+
        EVP_MD_CTX_init(&ctx_tmp);
        i=OBJ_obj2nid(p7->type);
        p7->state=PKCS7_S_HEADER;
@@ -671,6 +722,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                /* If detached data then the content is excluded */
                if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
                        M_ASN1_OCTET_STRING_free(os);
+                       os = NULL;
                        p7->d.sign->contents->d.data = NULL;
                }
                break;
@@ -681,6 +733,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
                if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
                        {
                        M_ASN1_OCTET_STRING_free(os);
+                       os = NULL;
                        p7->d.digest->contents->d.data = NULL;
                        }
                break;
@@ -818,6 +871,12 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
 
        if (!PKCS7_is_detached(p7))
                {
+               /*
+                * NOTE(emilia): I think we only reach os == NULL here because detached
+                * digested data support is broken.
+                */
+               if (os == NULL)
+                       goto err;
                btmp=BIO_find_type(bio,BIO_TYPE_MEM);
                if (btmp == NULL)
                        {
@@ -852,6 +911,18 @@ int PKCS7_dataVerify(X509_STORE *cert_st
        STACK_OF(X509) *cert;
        X509 *x509;
 
+       if (p7 == NULL)
+               {
+               PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
+               return 0;
+               }
+
+       if (p7->d.ptr == NULL)
+               {
+               PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
+               return 0;
+               }
+
        if (PKCS7_type_is_signed(p7))
                {
                cert=p7->d.sign->cert;
diff -up openssl-fips-0.9.8e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref openssl-fips-0.9.8e/crypto/pkcs7/pk7_lib.c
--- openssl-fips-0.9.8e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref 2007-02-03 10:51:59.000000000 +0100
+++ openssl-fips-0.9.8e/crypto/pkcs7/pk7_lib.c  2015-04-02 15:18:12.874970022 +0200
@@ -473,6 +473,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV
 
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
        {
+       if (p7 == NULL || p7->d.ptr == NULL)
+               return NULL;
        if (PKCS7_type_is_signed(p7))
                {
                return(p7->d.sign->signer_info);
1	vip-ire	1.1	diff -up openssl-fips-0.9.8e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref openssl-fips-0.9.8e/crypto/pkcs7/pk7_doit.c
2			--- openssl-fips-0.9.8e/crypto/pkcs7/pk7_doit.c.pkcs7-null-deref 2015-04-01 12:41:27.998402503 +0200
3			+++ openssl-fips-0.9.8e/crypto/pkcs7/pk7_doit.c 2015-04-02 15:24:26.781363674 +0200
4			@@ -151,6 +151,27 @@ BIO PKCS7_dataInit(PKCS7 p7, BIO *bio)
5			EVP_PKEY *pkey;
6			ASN1_OCTET_STRING *os=NULL;
7
8			+ if (p7 == NULL)
9			+ {
10			+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
11			+ return NULL;
12			+ }
13			+ /*
14			+ * The content field in the PKCS7 ContentInfo is optional, but that really
15			+ * only applies to inner content (precisely, detached signatures).
16			+ *
17			+ * When reading content, missing outer content is therefore treated as an
18			+ * error.
19			+ *
20			+ * When creating content, PKCS7_content_new() must be called before
21			+ * calling this method, so a NULL p7->d is always an error.
22			+ */
23			+ if (p7->d.ptr == NULL)
24			+ {
25			+ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
26			+ return NULL;
27			+ }
28			+
29			i=OBJ_obj2nid(p7->type);
30			p7->state=PKCS7_S_HEADER;
31
32			@@ -345,6 +366,18 @@ BIO PKCS7_dataDecode(PKCS7 p7, EVP_PKE
33			X509_ALGOR *xalg=NULL;
34			PKCS7_RECIP_INFO *ri=NULL;
35
36			+ if (p7 == NULL)
37			+ {
38			+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
39			+ return NULL;
40			+ }
41			+
42			+ if (p7->d.ptr == NULL)
43			+ {
44			+ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
45			+ return NULL;
46			+ }
47			+
48			i=OBJ_obj2nid(p7->type);
49			p7->state=PKCS7_S_HEADER;
50
51			@@ -352,6 +385,12 @@ BIO PKCS7_dataDecode(PKCS7 p7, EVP_PKE
52			{
53			case NID_pkcs7_signed:
54			data_body=PKCS7_get_octet_string(p7->d.sign->contents);
55			+ if (!PKCS7_is_detached(p7) && data_body == NULL)
56			+ {
57			+ PKCS7err(PKCS7_F_PKCS7_DATADECODE,
58			+ PKCS7_R_NO_CONTENT);
59			+ goto err;
60			+ }
61			md_sk=p7->d.sign->md_algs;
62			break;
63			case NID_pkcs7_signedAndEnveloped:
64			@@ -640,6 +679,18 @@ int PKCS7_dataFinal(PKCS7 p7, BIO bio)
65			STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
66			ASN1_OCTET_STRING *os=NULL;
67
68			+ if (p7 == NULL)
69			+ {
70			+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
71			+ return 0;
72			+ }
73			+
74			+ if (p7->d.ptr == NULL)
75			+ {
76			+ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
77			+ return 0;
78			+ }
79			+
80			EVP_MD_CTX_init(&ctx_tmp);
81			i=OBJ_obj2nid(p7->type);
82			p7->state=PKCS7_S_HEADER;
83			@@ -671,6 +722,7 @@ int PKCS7_dataFinal(PKCS7 p7, BIO bio)
84			/* If detached data then the content is excluded */
85			if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
86			M_ASN1_OCTET_STRING_free(os);
87			+ os = NULL;
88			p7->d.sign->contents->d.data = NULL;
89			}
90			break;
91			@@ -681,6 +733,7 @@ int PKCS7_dataFinal(PKCS7 p7, BIO bio)
92			if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
93			{
94			M_ASN1_OCTET_STRING_free(os);
95			+ os = NULL;
96			p7->d.digest->contents->d.data = NULL;
97			}
98			break;
99			@@ -818,6 +871,12 @@ int PKCS7_dataFinal(PKCS7 p7, BIO bio)
100
101			if (!PKCS7_is_detached(p7))
102			{
103			+ /*
104			+ * NOTE(emilia): I think we only reach os == NULL here because detached
105			+ * digested data support is broken.
106			+ */
107			+ if (os == NULL)
108			+ goto err;
109			btmp=BIO_find_type(bio,BIO_TYPE_MEM);
110			if (btmp == NULL)
111			{
112			@@ -852,6 +911,18 @@ int PKCS7_dataVerify(X509_STORE *cert_st
113			STACK_OF(X509) *cert;
114			X509 *x509;
115
116			+ if (p7 == NULL)
117			+ {
118			+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
119			+ return 0;
120			+ }
121			+
122			+ if (p7->d.ptr == NULL)
123			+ {
124			+ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
125			+ return 0;
126			+ }
127			+
128			if (PKCS7_type_is_signed(p7))
129			{
130			cert=p7->d.sign->cert;
131			diff -up openssl-fips-0.9.8e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref openssl-fips-0.9.8e/crypto/pkcs7/pk7_lib.c
132			--- openssl-fips-0.9.8e/crypto/pkcs7/pk7_lib.c.pkcs7-null-deref 2007-02-03 10:51:59.000000000 +0100
133			+++ openssl-fips-0.9.8e/crypto/pkcs7/pk7_lib.c 2015-04-02 15:18:12.874970022 +0200
134			@@ -473,6 +473,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV
135
136			STACK_OF(PKCS7_SIGNER_INFO) PKCS7_get_signer_info(PKCS7 p7)
137			{
138			+ if (p7 == NULL \|\| p7->d.ptr == NULL)
139			+ return NULL;
140			if (PKCS7_type_is_signed(p7))
141			{
142			return(p7->d.sign->signer_info);