[Pkg-openssl-changes] r717 - in openssl/branches/wheezy/debian: . patches
Kurt Roeckx
kroeckx at moszumanska.debian.org
Thu Mar 19 17:54:26 UTC 2015
Author: kroeckx
Date: 2015-03-19 17:54:26 +0000 (Thu, 19 Mar 2015)
New Revision: 717
Added:
openssl/branches/wheezy/debian/patches/0001-Avoid-double-free-when-processing-DTLS-packets.patch
openssl/branches/wheezy/debian/patches/0001-Check-public-key-is-not-NULL.patch
openssl/branches/wheezy/debian/patches/0001-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch
openssl/branches/wheezy/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch
openssl/branches/wheezy/debian/patches/0001-Remove-export-ciphers-from-the-DEFAULT-cipher-list.patch
openssl/branches/wheezy/debian/patches/0001-evp-prevent-underflow-in-base64-decoding.patch
openssl/branches/wheezy/debian/patches/0001-fix-warning.patch
openssl/branches/wheezy/debian/patches/0002-Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch
openssl/branches/wheezy/debian/patches/0002-Free-up-ADB-and-CHOICE-if-already-initialised.patch
openssl/branches/wheezy/debian/patches/0003-Fix-DTLS-handshake-message-size-checks.patch
openssl/branches/wheezy/debian/patches/0003-Free-up-passed-ASN.1-structure-if-reused.patch
openssl/branches/wheezy/debian/patches/0004-Fix-ASN1_TYPE_cmp.patch
openssl/branches/wheezy/debian/patches/0004-Fix-memory-leak-from-zero-length-DTLS-fragments.patch
openssl/branches/wheezy/debian/patches/0005-Fix-return-code-for-truncated-DTLS-fragment.patch
openssl/branches/wheezy/debian/patches/0005-PKCS-7-avoid-NULL-pointer-dereferences-with-missing-.patch
openssl/branches/wheezy/debian/patches/0006-Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch
openssl/branches/wheezy/debian/patches/0006-Fix-reachable-assert-in-SSLv2-servers.patch
openssl/branches/wheezy/debian/patches/0007-Remove-some-duplicate-DTLS-code.patch
openssl/branches/wheezy/debian/patches/0008-Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch
openssl/branches/wheezy/debian/patches/0009-Fix-DTLS-anonymous-EC-DH-denial-of-service.patch
openssl/branches/wheezy/debian/patches/0102-use-correct-function-name.patch
Modified:
openssl/branches/wheezy/debian/changelog
openssl/branches/wheezy/debian/patches/series
Log:
1.0.1e-2+deb7u15
Modified: openssl/branches/wheezy/debian/changelog
===================================================================
--- openssl/branches/wheezy/debian/changelog 2015-01-23 18:14:42 UTC (rev 716)
+++ openssl/branches/wheezy/debian/changelog 2015-03-19 17:54:26 UTC (rev 717)
@@ -1,3 +1,19 @@
+openssl (1.0.1e-2+deb7u15) wheezy-security; urgency=medium
+
+ * Fix CVE-2015-0286
+ * Fix CVE-2015-0287
+ * Fix CVE-2015-0289
+ * Fix CVE-2015-0292
+ * Fix CVE-2015-0293 (not affected, SSLv2 disabled)
+ * Fix CVE-2015-0209
+ * Fix CVE-2015-0288
+ * Remove export ciphers from DEFAULT.
+ * Make DTLS always act as if read_ahead is set. This fixes a regression
+ introduce by the fix for CVE-2014-3571. (Closes: #775502)
+ * Fix error codes.
+
+ -- Kurt Roeckx <kurt at roeckx.be> Tue, 17 Mar 2015 19:11:55 +0100
+
openssl (1.0.1e-2+deb7u14) wheezy-security; urgency=medium
- Fix for CVE-2014-3571
Added: openssl/branches/wheezy/debian/patches/0001-Avoid-double-free-when-processing-DTLS-packets.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-Avoid-double-free-when-processing-DTLS-packets.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0001-Avoid-double-free-when-processing-DTLS-packets.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,52 @@
+From 4a5adb49d716864b3452ad039bb36ee9e6025ceb Mon Sep 17 00:00:00 2001
+From: Adam Langley <agl at imperialviolet.org>
+Date: Fri, 6 Jun 2014 14:19:21 -0700
+Subject: [PATCH 01/10] Avoid double free when processing DTLS packets.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The |item| variable, in both of these cases, may contain a pointer to a
+|pitem| structure within |s->d1->buffered_messages|. It was being freed
+in the error case while still being in |buffered_messages|. When the
+error later caused the |SSL*| to be destroyed, the item would be double
+freed.
+
+Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
+inconsistent with the other error paths (but correct).
+
+Fixes CVE-2014-3505
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ ssl/d1_both.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index fe3a96c..b808f04 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -687,8 +687,7 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ return DTLS1_HM_FRAGMENT_RETRY;
+
+ err:
+- if (frag != NULL) dtls1_hm_fragment_free(frag);
+- if (item != NULL) OPENSSL_free(item);
++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
+ *ok = 0;
+ return i;
+ }
+@@ -772,8 +771,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ return DTLS1_HM_FRAGMENT_RETRY;
+
+ err:
+- if ( frag != NULL) dtls1_hm_fragment_free(frag);
+- if ( item != NULL) OPENSSL_free(item);
++ if (frag != NULL && item == NULL) dtls1_hm_fragment_free(frag);
+ *ok = 0;
+ return i;
+ }
+--
+2.0.1
+
Added: openssl/branches/wheezy/debian/patches/0001-Check-public-key-is-not-NULL.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-Check-public-key-is-not-NULL.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0001-Check-public-key-is-not-NULL.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,27 @@
+From 51527f1e3564f210e984fe5b654c45d34e4f03d7 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Wed, 18 Feb 2015 00:34:59 +0000
+Subject: [PATCH] Check public key is not NULL.
+
+CVE-2015-0288
+PR#3708
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(cherry picked from commit 28a00bcd8e318da18031b2ac8778c64147cd54f9)
+---
+ crypto/x509/x509_req.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: openssl-1.0.1e/crypto/x509/x509_req.c
+===================================================================
+--- openssl-1.0.1e.orig/crypto/x509/x509_req.c
++++ openssl-1.0.1e/crypto/x509/x509_req.c
+@@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_
+ goto err;
+
+ pktmp = X509_get_pubkey(x);
++ if (pktmp == NULL)
++ goto err;
+ i=X509_REQ_set_pubkey(ret,pktmp);
+ EVP_PKEY_free(pktmp);
+ if (!i) goto err;
Added: openssl/branches/wheezy/debian/patches/0001-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0001-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,45 @@
+From 89117535f1bb3ea72a17933b703271587d7aaf0b Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Mon, 9 Feb 2015 11:38:41 +0000
+Subject: [PATCH] Fix a failure to NULL a pointer freed on error.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman at chromium.org>
+
+CVE-2015-0209
+
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ crypto/ec/ec_asn1.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: openssl-1.0.1e/crypto/ec/ec_asn1.c
+===================================================================
+--- openssl-1.0.1e.orig/crypto/ec/ec_asn1.c
++++ openssl-1.0.1e/crypto/ec/ec_asn1.c
+@@ -1140,8 +1140,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
+ ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+- if (a)
+- *a = ret;
+ }
+ else
+ ret = *a;
+@@ -1206,11 +1204,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, con
+ }
+ }
+
++ if (a)
++ *a = ret;
+ ok = 1;
+ err:
+ if (!ok)
+ {
+- if (ret)
++ if (ret && (a == NULL || *a != ret))
+ EC_KEY_free(ret);
+ ret = NULL;
+ }
Added: openssl/branches/wheezy/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,28 @@
+From 1895583835239bc44c3f6584e48f0279ad884f3b Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Mon, 26 Jan 2015 16:47:36 +0000
+Subject: [PATCH] Make DTLS always act as if read_ahead is set. The actual
+ value of read_ahead is ignored for DTLS.
+
+RT#3657
+
+Reviewed-by: Andy Polyakov <appro at openssl.org>
+(cherry picked from commit 8dd4ad0ff5d1d07ec4b6dd5d5104131269a472aa)
+---
+ ssl/s3_pkt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+Index: openssl-1.0.1e/ssl/s3_pkt.c
+===================================================================
+--- openssl-1.0.1e.orig/ssl/s3_pkt.c
++++ openssl-1.0.1e/ssl/s3_pkt.c
+@@ -217,7 +217,8 @@ int ssl3_read_n(SSL *s, int n, int max,
+ return -1;
+ }
+
+- if (!s->read_ahead)
++ /* We always act like read_ahead is set for DTLS */
++ if (!s->read_ahead && !SSL_IS_DTLS(s))
+ /* ignore max parameter */
+ max = n;
+ else
Added: openssl/branches/wheezy/debian/patches/0001-Remove-export-ciphers-from-the-DEFAULT-cipher-list.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-Remove-export-ciphers-from-the-DEFAULT-cipher-list.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0001-Remove-export-ciphers-from-the-DEFAULT-cipher-list.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,81 @@
+From bc2e18a3c818ae7e2d8c996b6648aa4ae8e3ee28 Mon Sep 17 00:00:00 2001
+From: Kurt Roeckx <kurt at roeckx.be>
+Date: Wed, 4 Mar 2015 21:57:52 +0100
+Subject: [PATCH] Remove export ciphers from the DEFAULT cipher list
+
+They are moved to the COMPLEMENTOFDEFAULT instead.
+This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.
+
+Reviewed-by: Rich Salz <rsalz at openssl.org>
+(cherry picked from commit f417997a324037025be61737288e40e171a8218c)
+
+Conflicts:
+ ssl/ssl_ciph.c
+---
+ CHANGES | 3 ++-
+ doc/apps/ciphers.pod | 4 ++--
+ ssl/ssl.h | 2 +-
+ ssl/ssl_ciph.c | 11 ++++++++---
+ 4 files changed, 13 insertions(+), 7 deletions(-)
+
+Index: openssl-1.0.1e/doc/apps/ciphers.pod
+===================================================================
+--- openssl-1.0.1e.orig/doc/apps/ciphers.pod
++++ openssl-1.0.1e/doc/apps/ciphers.pod
+@@ -109,8 +109,8 @@ The following is a list of all permitted
+
+ =item B<DEFAULT>
+
+-the default cipher list. This is determined at compile time and, as of OpenSSL
+-1.0.0, is normally B<ALL:!aNULL:!eNULL>. This must be the first cipher string
++the default cipher list. This is determined at compile time and
++is normally B<ALL:!EXPORT:!aNULL:!eNULL:!SSLv2>. This must be the firstcipher string
+ specified.
+
+ =item B<COMPLEMENTOFDEFAULT>
+Index: openssl-1.0.1e/ssl/ssl.h
+===================================================================
+--- openssl-1.0.1e.orig/ssl/ssl.h
++++ openssl-1.0.1e/ssl/ssl.h
+@@ -332,7 +332,7 @@ extern "C" {
+ /* The following cipher list is used by default.
+ * It also is substituted when an application-defined cipher list string
+ * starts with 'DEFAULT'. */
+-#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2"
++#define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
+ /* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
+ * starts with a reasonable order, and all we have to do for DEFAULT is
+ * throwing out anonymous and unencrypted ciphersuites!
+Index: openssl-1.0.1e/ssl/ssl_ciph.c
+===================================================================
+--- openssl-1.0.1e.orig/ssl/ssl_ciph.c
++++ openssl-1.0.1e/ssl/ssl_ciph.c
+@@ -230,7 +230,7 @@ static const SSL_CIPHER cipher_aliases[]
+ {0,SSL_TXT_CMPALL,0, 0,0,SSL_eNULL,0,0,0,0,0,0},
+
+ /* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in ALL!) */
+- {0,SSL_TXT_CMPDEF,0, SSL_kEDH|SSL_kEECDH,SSL_aNULL,~SSL_eNULL,0,0,0,0,0,0},
++ {0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2, SSL_EXP_MASK, 0, 0, 0},
+
+ /* key exchange aliases
+ * (some of those using only a single bit here combine
+@@ -976,6 +976,10 @@ static void ssl_cipher_apply_rule(unsign
+ printf("\nName: %s:\nAlgo = %08lx/%08lx/%08lx/%08lx/%08lx Algo_strength = %08lx\n", cp->name, cp->algorithm_mkey, cp->algorithm_auth, cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl, cp->algo_strength);
+ #endif
+
++ if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
++ goto ok;
++ if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
++ goto ok;
+ if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
+ continue;
+ if (alg_auth && !(alg_auth & cp->algorithm_auth))
+@@ -992,6 +996,8 @@ static void ssl_cipher_apply_rule(unsign
+ continue;
+ }
+
++ ok:
++
+ #ifdef CIPHER_DEBUG
+ printf("Action = %d\n", rule);
+ #endif
Added: openssl/branches/wheezy/debian/patches/0001-evp-prevent-underflow-in-base64-decoding.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-evp-prevent-underflow-in-base64-decoding.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0001-evp-prevent-underflow-in-base64-decoding.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,30 @@
+From fce3821111e3307a599d2378f2cca2ef2097c6c4 Mon Sep 17 00:00:00 2001
+From: Geoff Thorpe <geoff at openssl.org>
+Date: Sun, 4 May 2014 18:44:14 -0400
+Subject: [PATCH] evp: prevent underflow in base64 decoding
+
+This patch resolves RT ticket #2608.
+
+Thanks to Robert Dugal for originally spotting this, and to David
+Ramos for noticing that the ball had been dropped.
+
+Signed-off-by: Geoff Thorpe <geoff at openssl.org>
+---
+ crypto/evp/encode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c
+index e278a1b..a4f7674 100644
+--- a/crypto/evp/encode.c
++++ b/crypto/evp/encode.c
+@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
+ v=EVP_DecodeBlock(out,d,n);
+ n=0;
+ if (v < 0) { rv=0; goto end; }
++ if (eof > v) { rv=-1; goto end; }
+ ret+=(v-eof);
+ }
+ else
+--
+2.1.4
+
Added: openssl/branches/wheezy/debian/patches/0001-fix-warning.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0001-fix-warning.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0001-fix-warning.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,29 @@
+From a67303954caa923e8bf2f2bdf04882e9cbc45cc1 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Sun, 8 Mar 2015 17:31:48 +0000
+Subject: [PATCH 1/6] fix warning
+
+Reviewed-by: Richard Levitte <levitte at openssl.org>
+(cherry picked from commit d6ca1cee8b6efac5906ac66443d1ca67fe689ff8)
+---
+ ssl/ssl_locl.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Index: openssl-1.0.1e/ssl/ssl_locl.h
+===================================================================
+--- openssl-1.0.1e.orig/ssl/ssl_locl.h
++++ openssl-1.0.1e/ssl/ssl_locl.h
+@@ -346,10 +346,10 @@
+ #define SSL_AEAD 0x00000040L
+
+ /* Bits for algorithm_ssl (protocol version) */
+-#define SSL_SSLV2 0x00000001L
+-#define SSL_SSLV3 0x00000002L
++#define SSL_SSLV2 0x00000001UL
++#define SSL_SSLV3 0x00000002UL
+ #define SSL_TLSV1 SSL_SSLV3 /* for now */
+-#define SSL_TLSV1_2 0x00000004L
++#define SSL_TLSV1_2 0x00000004UL
+
+
+ /* Bits for algorithm2 (handshake digests and other extra flags) */
Added: openssl/branches/wheezy/debian/patches/0002-Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0002-Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0002-Added-comment-for-the-frag-reassembly-NULL-case-as-p.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,31 @@
+From 2feb3f6dc5f774089673947b8054da05ef5a8acd Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Thu, 24 Jul 2014 23:33:34 +0100
+Subject: [PATCH 02/10] Added comment for the frag->reassembly == NULL case as
+ per feedback from Emilia
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ ssl/d1_both.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index b808f04..9bc416c 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -633,7 +633,8 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+
+
+ /* If message is already reassembled, this must be a
+- * retransmit and can be dropped.
++ * retransmit and can be dropped. In this case item != NULL and so frag
++ * does not need to be freed.
+ */
+ if (frag->reassembly == NULL)
+ {
+--
+2.0.1
+
Added: openssl/branches/wheezy/debian/patches/0002-Free-up-ADB-and-CHOICE-if-already-initialised.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0002-Free-up-ADB-and-CHOICE-if-already-initialised.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0002-Free-up-ADB-and-CHOICE-if-already-initialised.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,58 @@
+From a9f34a7aac5fd89f33a34fb71e954b85fbf35875 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Mon, 23 Feb 2015 02:32:44 +0000
+Subject: [PATCH 2/6] Free up ADB and CHOICE if already initialised.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2015-0287
+
+Reviewed-by: Tim Hudson <tjh at openssl.org>
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ crypto/asn1/tasn_dec.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+Index: openssl-1.0.1e/crypto/asn1/tasn_dec.c
+===================================================================
+--- openssl-1.0.1e.orig/crypto/asn1/tasn_dec.c
++++ openssl-1.0.1e/crypto/asn1/tasn_dec.c
+@@ -317,9 +317,16 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
+ if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
+ goto auxerr;
+
+- /* Allocate structure */
+- if (!*pval && !ASN1_item_ex_new(pval, it))
+- {
++ if (*pval) {
++ /* Free up and zero CHOICE value if initialised */
++ i = asn1_get_choice_selector(pval, it);
++ if ((i >= 0) && (i < it->tcount)) {
++ tt = it->templates + i;
++ pchptr = asn1_get_field_ptr(pval, tt);
++ ASN1_template_free(pchptr, tt);
++ asn1_set_choice_selector(pval, -1, it);
++ }
++ } else if (!ASN1_item_ex_new(pval, it)) {
+ ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+ ERR_R_NESTED_ASN1_ERROR);
+ goto err;
+@@ -413,6 +420,17 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval,
+ if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
+ goto auxerr;
+
++ /* Free up and zero any ADB found */
++ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) {
++ if (tt->flags & ASN1_TFLG_ADB_MASK) {
++ const ASN1_TEMPLATE *seqtt;
++ ASN1_VALUE **pseqval;
++ seqtt = asn1_do_adb(pval, tt, 1);
++ pseqval = asn1_get_field_ptr(pval, seqtt);
++ ASN1_template_free(pseqval, seqtt);
++ }
++ }
++
+ /* Get each field entry */
+ for (i = 0, tt = it->templates; i < it->tcount; i++, tt++)
+ {
Added: openssl/branches/wheezy/debian/patches/0003-Fix-DTLS-handshake-message-size-checks.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0003-Fix-DTLS-handshake-message-size-checks.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0003-Fix-DTLS-handshake-message-size-checks.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,87 @@
+From 59942ead835a57fed92b175a4ade50e41b33f8f8 Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Fri, 6 Jun 2014 14:25:52 -0700
+Subject: [PATCH 03/10] Fix DTLS handshake message size checks.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In |dtls1_reassemble_fragment|, the value of
+|msg_hdr->frag_off+frag_len| was being checked against the maximum
+handshake message size, but then |msg_len| bytes were allocated for the
+fragment buffer. This means that so long as the fragment was within the
+allowed size, the pending handshake message could consume 16MB + 2MB
+(for the reassembly bitmap). Approx 10 outstanding handshake messages
+are allowed, meaning that an attacker could consume ~180MB per DTLS
+connection.
+
+In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
+check was applied.
+
+Fixes CVE-2014-3506
+
+Wholly based on patch by Adam Langley with one minor amendment.
+
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ ssl/d1_both.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 9bc416c..e0eed12 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -581,6 +581,16 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
+ return 0;
+ }
+
++/* dtls1_max_handshake_message_len returns the maximum number of bytes
++ * permitted in a DTLS handshake message for |s|. The minimum is 16KB, but may
++ * be greater if the maximum certificate list size requires it. */
++static unsigned long dtls1_max_handshake_message_len(const SSL *s)
++ {
++ unsigned long max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
++ if (max_len < (unsigned long)s->max_cert_list)
++ return s->max_cert_list;
++ return max_len;
++ }
+
+ static int
+ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+@@ -589,20 +599,10 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ pitem *item = NULL;
+ int i = -1, is_complete;
+ PQ_64BIT seq64;
+- unsigned long frag_len = msg_hdr->frag_len, max_len;
+-
+- if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len)
+- goto err;
+-
+- /* Determine maximum allowed message size. Depends on (user set)
+- * maximum certificate length, but 16k is minimum.
+- */
+- if (DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH < s->max_cert_list)
+- max_len = s->max_cert_list;
+- else
+- max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH;
++ unsigned long frag_len = msg_hdr->frag_len;
+
+- if ((msg_hdr->frag_off+frag_len) > max_len)
++ if ((msg_hdr->frag_off+frag_len) > msg_hdr->msg_len ||
++ msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
+ goto err;
+
+ /* Try to find item in queue */
+@@ -743,6 +743,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ if (frag_len && frag_len < msg_hdr->msg_len)
+ return dtls1_reassemble_fragment(s, msg_hdr, ok);
+
++ if (frag_len > dtls1_max_handshake_message_len(s))
++ goto err;
++
+ frag = dtls1_hm_fragment_new(frag_len, 0);
+ if ( frag == NULL)
+ goto err;
+--
+2.0.1
+
Added: openssl/branches/wheezy/debian/patches/0003-Free-up-passed-ASN.1-structure-if-reused.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0003-Free-up-passed-ASN.1-structure-if-reused.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0003-Free-up-passed-ASN.1-structure-if-reused.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,75 @@
+From 1a87b757b9f755f687492f6b9f685be8e0cd82b0 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Mon, 23 Feb 2015 12:57:50 +0000
+Subject: [PATCH 3/6] Free up passed ASN.1 structure if reused.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Change the "reuse" behaviour in ASN1_item_d2i: if successful the old
+structure is freed and a pointer to the new one used. If it is not
+successful then the passed structure is untouched.
+
+Exception made for primitive types so ssl_asn1.c still works.
+
+Reviewed-by: Tim Hudson <tjh at openssl.org>
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ crypto/asn1/tasn_dec.c | 14 ++++++++++----
+ doc/crypto/d2i_X509.pod | 9 +++++++--
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+Index: openssl-1.0.1e/crypto/asn1/tasn_dec.c
+===================================================================
+--- openssl-1.0.1e.orig/crypto/asn1/tasn_dec.c
++++ openssl-1.0.1e/crypto/asn1/tasn_dec.c
+@@ -130,11 +130,17 @@ ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **p
+ {
+ ASN1_TLC c;
+ ASN1_VALUE *ptmpval = NULL;
+- if (!pval)
+- pval = &ptmpval;
+ asn1_tlc_clear_nc(&c);
+- if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0)
+- return *pval;
++ if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
++ ptmpval = *pval;
++ if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
++ if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
++ if (*pval)
++ ASN1_item_free(*pval, it);
++ *pval = ptmpval;
++ }
++ return ptmpval;
++ }
+ return NULL;
+ }
+
+Index: openssl-1.0.1e/doc/crypto/d2i_X509.pod
+===================================================================
+--- openssl-1.0.1e.orig/doc/crypto/d2i_X509.pod
++++ openssl-1.0.1e/doc/crypto/d2i_X509.pod
+@@ -199,6 +199,12 @@ B<*px> is valid is broken and some parts
+ persist if they are not present in the new one. As a result the use
+ of this "reuse" behaviour is strongly discouraged.
+
++Current versions of OpenSSL will not modify B<*px> if an error occurs.
++If parsing succeeds then B<*px> is freed (if it is not NULL) and then
++set to the value of the newly decoded structure. As a result B<*px>
++B<must not> be allocated on the stack or an attempt will be made to
++free an invalid pointer.
++
+ i2d_X509() will not return an error in many versions of OpenSSL,
+ if mandatory fields are not initialized due to a programming error
+ then the encoded structure may contain invalid data or omit the
+@@ -210,7 +216,9 @@ always succeed.
+
+ d2i_X509(), d2i_X509_bio() and d2i_X509_fp() return a valid B<X509> structure
+ or B<NULL> if an error occurs. The error code that can be obtained by
+-L<ERR_get_error(3)|ERR_get_error(3)>.
++L<ERR_get_error(3)|ERR_get_error(3)>. If the "reuse" capability has been used
++with a valid X509 structure being passed in via B<px> then the object is not
++modified in the event of error.
+
+ i2d_X509() returns the number of bytes successfully encoded or a negative
+ value if an error occurs. The error code can be obtained by
Added: openssl/branches/wheezy/debian/patches/0004-Fix-ASN1_TYPE_cmp.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0004-Fix-ASN1_TYPE_cmp.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0004-Fix-ASN1_TYPE_cmp.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,30 @@
+From ee5a1253285e5c9f406c8b57b0686319b70c07d8 Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Mon, 9 Mar 2015 23:11:45 +0000
+Subject: [PATCH 4/6] Fix ASN1_TYPE_cmp
+
+Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
+can be triggered during certificate verification so could be a DoS attack
+against a client or a server enabling client authentication.
+
+CVE-2015-0286
+
+Reviewed-by: Richard Levitte <levitte at openssl.org>
+---
+ crypto/asn1/a_type.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: openssl-1.0.1e/crypto/asn1/a_type.c
+===================================================================
+--- openssl-1.0.1e.orig/crypto/asn1/a_type.c
++++ openssl-1.0.1e/crypto/asn1/a_type.c
+@@ -124,6 +124,9 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
+ case V_ASN1_OBJECT:
+ result = OBJ_cmp(a->value.object, b->value.object);
+ break;
++ case V_ASN1_BOOLEAN:
++ result = a->value.boolean - b->value.boolean;
++ break;
+ case V_ASN1_NULL:
+ result = 0; /* They do not have content. */
+ break;
Added: openssl/branches/wheezy/debian/patches/0004-Fix-memory-leak-from-zero-length-DTLS-fragments.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0004-Fix-memory-leak-from-zero-length-DTLS-fragments.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0004-Fix-memory-leak-from-zero-length-DTLS-fragments.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,82 @@
+From 0a2b055b7719b832b0027fd16793dd000825effb Mon Sep 17 00:00:00 2001
+From: Adam Langley <agl at imperialviolet.org>
+Date: Fri, 6 Jun 2014 14:30:33 -0700
+Subject: [PATCH 04/10] Fix memory leak from zero-length DTLS fragments.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The |pqueue_insert| function can fail if one attempts to insert a
+duplicate sequence number. When handling a fragment of an out of
+sequence message, |dtls1_process_out_of_seq_message| would not call
+|dtls1_reassemble_fragment| if the fragment's length was zero. It would
+then allocate a fresh fragment and attempt to insert it, but ignore the
+return value, leaking the fragment.
+
+This allows an attacker to exhaust the memory of a DTLS peer.
+
+Fixes CVE-2014-3507
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ ssl/d1_both.c | 22 +++++++++++++++++++---
+ 1 file changed, 19 insertions(+), 3 deletions(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index e0eed12..99325e8 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -605,6 +605,9 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ msg_hdr->msg_len > dtls1_max_handshake_message_len(s))
+ goto err;
+
++ if (frag_len == 0)
++ return DTLS1_HM_FRAGMENT_RETRY;
++
+ /* Try to find item in queue */
+ pq_64bit_init(&seq64);
+ pq_64bit_assign_word(&seq64, msg_hdr->seq);
+@@ -682,7 +685,12 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ goto err;
+ }
+
+- pqueue_insert(s->d1->buffered_messages, item);
++ item = pqueue_insert(s->d1->buffered_messages, item);
++ /* pqueue_insert fails iff a duplicate item is inserted.
++ * However, |item| cannot be a duplicate. If it were,
++ * |pqueue_find|, above, would have returned it and control
++ * would never have reached this branch. */
++ OPENSSL_assert(item != NULL);
+ }
+
+ return DTLS1_HM_FRAGMENT_RETRY;
+@@ -740,7 +748,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ }
+ else
+ {
+- if (frag_len && frag_len < msg_hdr->msg_len)
++ if (frag_len < msg_hdr->msg_len)
+ return dtls1_reassemble_fragment(s, msg_hdr, ok);
+
+ if (frag_len > dtls1_max_handshake_message_len(s))
+@@ -769,7 +777,15 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ if ( item == NULL)
+ goto err;
+
+- pqueue_insert(s->d1->buffered_messages, item);
++ item = pqueue_insert(s->d1->buffered_messages, item);
++ /* pqueue_insert fails iff a duplicate item is inserted.
++ * However, |item| cannot be a duplicate. If it were,
++ * |pqueue_find|, above, would have returned it. Then, either
++ * |frag_len| != |msg_hdr->msg_len| in which case |item| is set
++ * to NULL and it will have been processed with
++ * |dtls1_reassemble_fragment|, above, or the record will have
++ * been discarded. */
++ OPENSSL_assert(item != NULL);
+ }
+
+ return DTLS1_HM_FRAGMENT_RETRY;
+--
+2.0.1
+
Added: openssl/branches/wheezy/debian/patches/0005-Fix-return-code-for-truncated-DTLS-fragment.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0005-Fix-return-code-for-truncated-DTLS-fragment.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0005-Fix-return-code-for-truncated-DTLS-fragment.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,43 @@
+From 0b3b1167e1d72a568dae7bb5778de377250e6280 Mon Sep 17 00:00:00 2001
+From: Adam Langley <agl at imperialviolet.org>
+Date: Fri, 6 Jun 2014 14:44:20 -0700
+Subject: [PATCH 05/10] Fix return code for truncated DTLS fragment.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Previously, a truncated DTLS fragment in
+|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
+the return value would still be the number of bytes read. This would
+cause |dtls1_get_message| not to consider it an error and it would
+continue processing as normal until the calling function noticed that
+*ok was zero.
+
+I can't see an exploit here because |dtls1_get_message| uses
+|s->init_num| as the length, which will always be zero from what I can
+see.
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ ssl/d1_both.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 99325e8..961ac51 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -765,7 +765,9 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ /* read the body of the fragment (header has already been read) */
+ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+ frag->fragment,frag_len,0);
+- if (i<=0 || (unsigned long)i!=frag_len)
++ if ((unsigned long)i!=frag_len)
++ i = -1;
++ if (i<=0)
+ goto err;
+ }
+
+--
+2.0.1
+
Added: openssl/branches/wheezy/debian/patches/0005-PKCS-7-avoid-NULL-pointer-dereferences-with-missing-.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0005-PKCS-7-avoid-NULL-pointer-dereferences-with-missing-.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0005-PKCS-7-avoid-NULL-pointer-dereferences-with-missing-.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,195 @@
+From d3d52c73544bba800c2a8f5ef3376358158cf2ca Mon Sep 17 00:00:00 2001
+From: Emilia Kasper <emilia at openssl.org>
+Date: Fri, 27 Feb 2015 16:52:23 +0100
+Subject: [PATCH 5/6] PKCS#7: avoid NULL pointer dereferences with missing
+ content
+
+In PKCS#7, the ASN.1 content component is optional.
+This typically applies to inner content (detached signatures),
+however we must also handle unexpected missing outer content
+correctly.
+
+This patch only addresses functions reachable from parsing,
+decryption and verification, and functions otherwise associated
+with reading potentially untrusted data.
+
+Correcting all low-level API calls requires further work.
+
+CVE-2015-0289
+
+Thanks to Michal Zalewski (Google) for reporting this issue.
+
+Reviewed-by: Steve Henson <steve at openssl.org>
+---
+ crypto/pkcs7/pk7_doit.c | 87 +++++++++++++++++++++++++++++++++++++++++--------
+ crypto/pkcs7/pk7_lib.c | 3 ++
+ 2 files changed, 76 insertions(+), 14 deletions(-)
+
+Index: openssl-1.0.1e/crypto/pkcs7/pk7_doit.c
+===================================================================
+--- openssl-1.0.1e.orig/crypto/pkcs7/pk7_doit.c
++++ openssl-1.0.1e/crypto/pkcs7/pk7_doit.c
+@@ -272,6 +272,25 @@ BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio)
+ PKCS7_RECIP_INFO *ri=NULL;
+ ASN1_OCTET_STRING *os=NULL;
+
++ if (p7 == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_INVALID_NULL_POINTER);
++ return NULL;
++ }
++ /*
++ * The content field in the PKCS7 ContentInfo is optional, but that really
++ * only applies to inner content (precisely, detached signatures).
++ *
++ * When reading content, missing outer content is therefore treated as an
++ * error.
++ *
++ * When creating content, PKCS7_content_new() must be called before
++ * calling this method, so a NULL p7->d is always an error.
++ */
++ if (p7->d.ptr == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAINIT, PKCS7_R_NO_CONTENT);
++ return NULL;
++ }
++
+ i=OBJ_obj2nid(p7->type);
+ p7->state=PKCS7_S_HEADER;
+
+@@ -433,6 +452,16 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
+ unsigned char *ek = NULL, *tkey = NULL;
+ int eklen = 0, tkeylen = 0;
+
++ if (p7 == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_INVALID_NULL_POINTER);
++ return NULL;
++ }
++
++ if (p7->d.ptr == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATADECODE, PKCS7_R_NO_CONTENT);
++ return NULL;
++ }
++
+ i=OBJ_obj2nid(p7->type);
+ p7->state=PKCS7_S_HEADER;
+
+@@ -747,6 +776,16 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
+ STACK_OF(PKCS7_SIGNER_INFO) *si_sk=NULL;
+ ASN1_OCTET_STRING *os=NULL;
+
++ if (p7 == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_INVALID_NULL_POINTER);
++ return 0;
++ }
++
++ if (p7->d.ptr == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_NO_CONTENT);
++ return 0;
++ }
++
+ EVP_MD_CTX_init(&ctx_tmp);
+ i=OBJ_obj2nid(p7->type);
+ p7->state=PKCS7_S_HEADER;
+@@ -791,6 +830,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
+ /* If detached data then the content is excluded */
+ if(PKCS7_type_is_data(p7->d.sign->contents) && p7->detached) {
+ M_ASN1_OCTET_STRING_free(os);
++ os = NULL;
+ p7->d.sign->contents->d.data = NULL;
+ }
+ break;
+@@ -801,6 +841,7 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
+ if(PKCS7_type_is_data(p7->d.digest->contents) && p7->detached)
+ {
+ M_ASN1_OCTET_STRING_free(os);
++ os = NULL;
+ p7->d.digest->contents->d.data = NULL;
+ }
+ break;
+@@ -873,24 +914,31 @@ int PKCS7_dataFinal(PKCS7 *p7, BIO *bio)
+ M_ASN1_OCTET_STRING_set(p7->d.digest->digest, md_data, md_len);
+ }
+
+- if (!PKCS7_is_detached(p7) && !(os->flags & ASN1_STRING_FLAG_NDEF))
+- {
+- char *cont;
+- long contlen;
+- btmp=BIO_find_type(bio,BIO_TYPE_MEM);
+- if (btmp == NULL)
+- {
+- PKCS7err(PKCS7_F_PKCS7_DATAFINAL,PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
+- goto err;
+- }
+- contlen = BIO_get_mem_data(btmp, &cont);
+- /* Mark the BIO read only then we can use its copy of the data
+- * instead of making an extra copy.
+- */
+- BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
+- BIO_set_mem_eof_return(btmp, 0);
+- ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
+- }
++ if (!PKCS7_is_detached(p7)) {
++ /*
++ * NOTE(emilia): I think we only reach os == NULL here because detached
++ * digested data support is broken.
++ */
++ if (os == NULL)
++ goto err;
++ if (!(os->flags & ASN1_STRING_FLAG_NDEF)) {
++ char *cont;
++ long contlen;
++ btmp = BIO_find_type(bio, BIO_TYPE_MEM);
++ if (btmp == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAFINAL, PKCS7_R_UNABLE_TO_FIND_MEM_BIO);
++ goto err;
++ }
++ contlen = BIO_get_mem_data(btmp, &cont);
++ /*
++ * Mark the BIO read only then we can use its copy of the data
++ * instead of making an extra copy.
++ */
++ BIO_set_flags(btmp, BIO_FLAGS_MEM_RDONLY);
++ BIO_set_mem_eof_return(btmp, 0);
++ ASN1_STRING_set0(os, (unsigned char *)cont, contlen);
++ }
++ }
+ ret=1;
+ err:
+ EVP_MD_CTX_cleanup(&ctx_tmp);
+@@ -965,6 +1013,16 @@ int PKCS7_dataVerify(X509_STORE *cert_st
+ STACK_OF(X509) *cert;
+ X509 *x509;
+
++ if (p7 == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_INVALID_NULL_POINTER);
++ return 0;
++ }
++
++ if (p7->d.ptr == NULL) {
++ PKCS7err(PKCS7_F_PKCS7_DATAVERIFY, PKCS7_R_NO_CONTENT);
++ return 0;
++ }
++
+ if (PKCS7_type_is_signed(p7))
+ {
+ cert=p7->d.sign->cert;
+Index: openssl-1.0.1e/crypto/pkcs7/pk7_lib.c
+===================================================================
+--- openssl-1.0.1e.orig/crypto/pkcs7/pk7_lib.c
++++ openssl-1.0.1e/crypto/pkcs7/pk7_lib.c
+@@ -71,6 +71,7 @@ long PKCS7_ctrl(PKCS7 *p7, int cmd, long
+
+ switch (cmd)
+ {
++ /* NOTE(emilia): does not support detached digested data. */
+ case PKCS7_OP_SET_DETACHED_SIGNATURE:
+ if (nid == NID_pkcs7_signed)
+ {
+@@ -459,6 +460,8 @@ int PKCS7_set_digest(PKCS7 *p7, const EV
+
+ STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7)
+ {
++ if (p7 == NULL || p7->d.ptr == NULL)
++ return NULL;
+ if (PKCS7_type_is_signed(p7))
+ {
+ return(p7->d.sign->signer_info);
Added: openssl/branches/wheezy/debian/patches/0006-Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0006-Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0006-Applying-same-fix-as-in-dtls1_process_out_of_seq_mes.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,36 @@
+From 202dd6345a24df561b1feea60a77d1406983196d Mon Sep 17 00:00:00 2001
+From: Matt Caswell <matt at openssl.org>
+Date: Thu, 24 Jul 2014 23:54:28 +0100
+Subject: [PATCH 06/10] Applying same fix as in
+ dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok
+ to be clear, but the return value would still be the number of bytes read.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Problem identified by Emilia Käsper, based on previous issue/patch by Adam
+Langley.
+
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ ssl/d1_both.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 961ac51..3a4819f 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -657,7 +657,9 @@ dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ /* read the body of the fragment (header has already been read */
+ i = s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
+ frag->fragment + msg_hdr->frag_off,frag_len,0);
+- if (i<=0 || (unsigned long)i!=frag_len)
++ if ((unsigned long)i!=frag_len)
++ i=-1;
++ if (i<=0)
+ goto err;
+
+ RSMBLY_BITMASK_MARK(frag->reassembly, (long)msg_hdr->frag_off,
+--
+2.0.1
+
Added: openssl/branches/wheezy/debian/patches/0006-Fix-reachable-assert-in-SSLv2-servers.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0006-Fix-reachable-assert-in-SSLv2-servers.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0006-Fix-reachable-assert-in-SSLv2-servers.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,130 @@
+From a40c1bcb8c37fbad24d8f28f0fb0204d76f0fee2 Mon Sep 17 00:00:00 2001
+From: Emilia Kasper <emilia at openssl.org>
+Date: Wed, 4 Mar 2015 09:05:02 -0800
+Subject: [PATCH 6/6] Fix reachable assert in SSLv2 servers.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This assert is reachable for servers that support SSLv2 and export ciphers.
+Therefore, such servers can be DoSed by sending a specially crafted
+SSLv2 CLIENT-MASTER-KEY.
+
+Also fix s2_srvr.c to error out early if the key lengths are malformed.
+These lengths are sent unencrypted, so this does not introduce an oracle.
+
+CVE-2015-0293
+
+This issue was discovered by Sean Burford (Google) and Emilia Käsper of
+the OpenSSL development team.
+
+Reviewed-by: Richard Levitte <levitte at openssl.org>
+Reviewed-by: Tim Hudson <tjh at openssl.org>
+---
+ ssl/s2_lib.c | 2 +-
+ ssl/s2_srvr.c | 57 +++++++++++++++++++++++++++++++++++++++++++++------------
+ 2 files changed, 46 insertions(+), 13 deletions(-)
+
+Index: openssl-1.0.1e/ssl/s2_lib.c
+===================================================================
+--- openssl-1.0.1e.orig/ssl/s2_lib.c
++++ openssl-1.0.1e/ssl/s2_lib.c
+@@ -488,7 +488,7 @@ int ssl2_generate_key_material(SSL *s)
+
+ OPENSSL_assert(s->session->master_key_length >= 0
+ && s->session->master_key_length
+- < (int)sizeof(s->session->master_key));
++ <= (int)sizeof(s->session->master_key));
+ EVP_DigestUpdate(&ctx,s->session->master_key,s->session->master_key_length);
+ EVP_DigestUpdate(&ctx,&c,1);
+ c++;
+Index: openssl-1.0.1e/ssl/s2_srvr.c
+===================================================================
+--- openssl-1.0.1e.orig/ssl/s2_srvr.c
++++ openssl-1.0.1e/ssl/s2_srvr.c
+@@ -446,9 +446,6 @@ static int get_client_master_key(SSL *s)
+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_NO_PRIVATEKEY);
+ return(-1);
+ }
+- i=ssl_rsa_private_decrypt(s->cert,s->s2->tmp.enc,
+- &(p[s->s2->tmp.clear]),&(p[s->s2->tmp.clear]),
+- (s->s2->ssl2_rollback)?RSA_SSLV23_PADDING:RSA_PKCS1_PADDING);
+
+ is_export=SSL_C_IS_EXPORT(s->session->cipher);
+
+@@ -467,21 +464,60 @@ static int get_client_master_key(SSL *s)
+ else
+ ek=5;
+
++ /*
++ * The format of the CLIENT-MASTER-KEY message is
++ * 1 byte message type
++ * 3 bytes cipher
++ * 2-byte clear key length (stored in s->s2->tmp.clear)
++ * 2-byte encrypted key length (stored in s->s2->tmp.enc)
++ * 2-byte key args length (IV etc)
++ * clear key
++ * encrypted key
++ * key args
++ *
++ * If the cipher is an export cipher, then the encrypted key bytes
++ * are a fixed portion of the total key (5 or 8 bytes). The size of
++ * this portion is in |ek|. If the cipher is not an export cipher,
++ * then the entire key material is encrypted (i.e., clear key length
++ * must be zero).
++ */
++ if ((!is_export && s->s2->tmp.clear != 0) ||
++ (is_export && s->s2->tmp.clear + ek != EVP_CIPHER_key_length(c))) {
++ ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_BAD_LENGTH);
++ return -1;
++ }
++ /*
++ * The encrypted blob must decrypt to the encrypted portion of the key.
++ * Decryption can't be expanding, so if we don't have enough encrypted
++ * bytes to fit the key in the buffer, stop now.
++ */
++ if ((is_export && s->s2->tmp.enc < ek) ||
++ (!is_export && s->s2->tmp.enc < EVP_CIPHER_key_length(c))) {
++ ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
++ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,SSL_R_LENGTH_TOO_SHORT);
++ return -1;
++ }
++
++ i = ssl_rsa_private_decrypt(s->cert, s->s2->tmp.enc,
++ &(p[s->s2->tmp.clear]),
++ &(p[s->s2->tmp.clear]),
++ (s->s2->ssl2_rollback) ? RSA_SSLV23_PADDING :
++ RSA_PKCS1_PADDING);
++
+ /* bad decrypt */
+ #if 1
+ /* If a bad decrypt, continue with protocol but with a
+ * random master secret (Bleichenbacher attack) */
+- if ((i < 0) ||
+- ((!is_export && (i != EVP_CIPHER_key_length(c)))
+- || (is_export && ((i != ek) || (s->s2->tmp.clear+(unsigned int)i !=
+- (unsigned int)EVP_CIPHER_key_length(c))))))
++ if ((i < 0) || ((!is_export && i != EVP_CIPHER_key_length(c))
++ || (is_export && i != ek))) {
+ {
+ ERR_clear_error();
+ if (is_export)
+ i=ek;
+ else
+ i=EVP_CIPHER_key_length(c);
+- if (RAND_pseudo_bytes(p,i) <= 0)
++ if (RAND_pseudo_bytes(&p[s->s2->tmp.clear], i) <= 0)
+ return 0;
+ }
+ #else
+@@ -505,7 +541,8 @@ static int get_client_master_key(SSL *s)
+ }
+ #endif
+
+- if (is_export) i+=s->s2->tmp.clear;
++ if (is_export)
++ i = EVP_CIPHER_key_length(c);
+
+ if (i > SSL_MAX_MASTER_KEY_LENGTH)
+ {
Added: openssl/branches/wheezy/debian/patches/0007-Remove-some-duplicate-DTLS-code.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0007-Remove-some-duplicate-DTLS-code.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0007-Remove-some-duplicate-DTLS-code.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,62 @@
+From 9cfb1ed70502b6ea0bd963b2ec278b70d5f11190 Mon Sep 17 00:00:00 2001
+From: Adam Langley <agl at imperialviolet.org>
+Date: Fri, 6 Jun 2014 14:47:07 -0700
+Subject: [PATCH 07/10] Remove some duplicate DTLS code.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In |dtls1_process_out_of_seq_message|, we know that
+|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
+msg_hdr->msg_len| can be more clearly written as |frag_len !=
+msg_hdr->msg_len|, since that's the only remaining case.
+
+Reviewed-by: Matt Caswell <matt at openssl.org>
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+---
+ ssl/d1_both.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 3a4819f..d2bbb6b 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -593,7 +593,7 @@ static unsigned long dtls1_max_handshake_message_len(const SSL *s)
+ }
+
+ static int
+-dtls1_reassemble_fragment(SSL *s, struct hm_header_st* msg_hdr, int *ok)
++dtls1_reassemble_fragment(SSL *s, const struct hm_header_st* msg_hdr, int *ok)
+ {
+ hm_fragment *frag = NULL;
+ pitem *item = NULL;
+@@ -705,7 +705,7 @@ err:
+
+
+ static int
+-dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
++dtls1_process_out_of_seq_message(SSL *s, const struct hm_header_st* msg_hdr, int *ok)
+ {
+ int i=-1;
+ hm_fragment *frag = NULL;
+@@ -725,7 +725,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ /* If we already have an entry and this one is a fragment,
+ * don't discard it and rather try to reassemble it.
+ */
+- if (item != NULL && frag_len < msg_hdr->msg_len)
++ if (item != NULL && frag_len != msg_hdr->msg_len)
+ item = NULL;
+
+ /* Discard the message if sequence number was already there, is
+@@ -750,7 +750,7 @@ dtls1_process_out_of_seq_message(SSL *s, struct hm_header_st* msg_hdr, int *ok)
+ }
+ else
+ {
+- if (frag_len < msg_hdr->msg_len)
++ if (frag_len != msg_hdr->msg_len)
+ return dtls1_reassemble_fragment(s, msg_hdr, ok);
+
+ if (frag_len > dtls1_max_handshake_message_len(s))
+--
+2.0.1
+
Added: openssl/branches/wheezy/debian/patches/0008-Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0008-Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0008-Fix-protocol-downgrade-bug-in-case-of-fragmented-pac.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,86 @@
+From 91a5ef1e22bd41b2567faa90f016b460d973a974 Mon Sep 17 00:00:00 2001
+From: David Benjamin <davidben at google.com>
+Date: Wed, 23 Jul 2014 22:32:21 +0200
+Subject: [PATCH 08/10] Fix protocol downgrade bug in case of fragmented
+ packets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+CVE-2014-3511
+
+Reviewed-by: Emilia Käsper <emilia at openssl.org>
+Reviewed-by: Bodo Möller <bodo at openssl.org>
+---
+ ssl/s23_srvr.c | 30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c
+index be05911..e544853 100644
+--- a/ssl/s23_srvr.c
++++ b/ssl/s23_srvr.c
+@@ -328,23 +328,19 @@ int ssl23_get_client_hello(SSL *s)
+ * Client Hello message, this would be difficult, and we'd have
+ * to read more records to find out.
+ * No known SSL 3.0 client fragments ClientHello like this,
+- * so we simply assume TLS 1.0 to avoid protocol version downgrade
+- * attacks. */
++ * so we simply reject such connections to avoid
++ * protocol version downgrade attacks. */
+ if (p[3] == 0 && p[4] < 6)
+ {
+-#if 0
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
+ goto err;
+-#else
+- v[1] = TLS1_VERSION_MINOR;
+-#endif
+ }
+ /* if major version number > 3 set minor to a value
+ * which will use the highest version 3 we support.
+ * If TLS 2.0 ever appears we will need to revise
+ * this....
+ */
+- else if (p[9] > SSL3_VERSION_MAJOR)
++ if (p[9] > SSL3_VERSION_MAJOR)
+ v[1]=0xff;
+ else
+ v[1]=p[10]; /* minor version according to client_version */
+@@ -412,14 +408,34 @@ int ssl23_get_client_hello(SSL *s)
+ v[0] = p[3]; /* == SSL3_VERSION_MAJOR */
+ v[1] = p[4];
+
++ /* An SSLv3/TLSv1 backwards-compatible CLIENT-HELLO in an SSLv2
++ * header is sent directly on the wire, not wrapped as a TLS
++ * record. It's format is:
++ * Byte Content
++ * 0-1 msg_length
++ * 2 msg_type
++ * 3-4 version
++ * 5-6 cipher_spec_length
++ * 7-8 session_id_length
++ * 9-10 challenge_length
++ * ... ...
++ */
+ n=((p[0]&0x7f)<<8)|p[1];
+ if (n > (1024*4))
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_LARGE);
+ goto err;
+ }
++ if (n < 9)
++ {
++ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_LENGTH_MISMATCH);
++ goto err;
++ }
+
+ j=ssl23_read_bytes(s,n+2);
++ /* We previously read 11 bytes, so if j > 0, we must have
++ * j == n+2 == s->packet_length. We have at least 11 valid
++ * packet bytes. */
+ if (j <= 0) return(j);
+
+ ssl3_finish_mac(s, s->packet+2, s->packet_length-2);
+--
+2.0.1
+
Added: openssl/branches/wheezy/debian/patches/0009-Fix-DTLS-anonymous-EC-DH-denial-of-service.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0009-Fix-DTLS-anonymous-EC-DH-denial-of-service.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0009-Fix-DTLS-anonymous-EC-DH-denial-of-service.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,72 @@
+From e01e4b5f0181ddfc6a1923cd539a6ad81651dccc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Emilia=20K=C3=A4sper?= <emilia at openssl.org>
+Date: Thu, 24 Jul 2014 22:15:29 +0200
+Subject: [PATCH 09/10] Fix DTLS anonymous EC(DH) denial of service
+
+CVE-2014-3510
+
+Reviewed-by: Dr. Stephen Henson <steve at openssl.org>
+---
+ ssl/d1_clnt.c | 16 ++++++++++++++--
+ ssl/s3_clnt.c | 7 +++++++
+ 2 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c
+index ac24bfb..58a3b46 100644
+--- a/ssl/d1_clnt.c
++++ b/ssl/d1_clnt.c
+@@ -796,6 +796,13 @@ int dtls1_send_client_key_exchange(SSL *s)
+ RSA *rsa;
+ unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
+
++ if (s->session->sess_cert == NULL)
++ {
++ /* We should always have a server certificate with SSL_kRSA. */
++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
++ goto err;
++ }
++
+ if (s->session->sess_cert->peer_rsa_tmp != NULL)
+ rsa=s->session->sess_cert->peer_rsa_tmp;
+ else
+@@ -986,6 +993,13 @@ int dtls1_send_client_key_exchange(SSL *s)
+ {
+ DH *dh_srvr,*dh_clnt;
+
++ if (s->session->sess_cert == NULL)
++ {
++ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
++ SSLerr(SSL_F_DTLS1_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
++ goto err;
++ }
++
+ if (s->session->sess_cert->peer_dh_tmp != NULL)
+ dh_srvr=s->session->sess_cert->peer_dh_tmp;
+ else
+@@ -1226,5 +1240,3 @@ int dtls1_send_client_certificate(SSL *s)
+ /* SSL3_ST_CW_CERT_D */
+ return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
+ }
+-
+-
+diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
+index 4b41a2b..c11048e 100644
+--- a/ssl/s3_clnt.c
++++ b/ssl/s3_clnt.c
+@@ -1916,6 +1916,13 @@ int ssl3_send_client_key_exchange(SSL *s)
+ RSA *rsa;
+ unsigned char tmp_buf[SSL_MAX_MASTER_KEY_LENGTH];
+
++ if (s->session->sess_cert == NULL)
++ {
++ /* We should always have a server certificate with SSL_kRSA. */
++ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,ERR_R_INTERNAL_ERROR);
++ goto err;
++ }
++
+ if (s->session->sess_cert->peer_rsa_tmp != NULL)
+ rsa=s->session->sess_cert->peer_rsa_tmp;
+ else
+--
+2.0.1
+
Added: openssl/branches/wheezy/debian/patches/0102-use-correct-function-name.patch
===================================================================
--- openssl/branches/wheezy/debian/patches/0102-use-correct-function-name.patch (rev 0)
+++ openssl/branches/wheezy/debian/patches/0102-use-correct-function-name.patch 2015-03-19 17:54:26 UTC (rev 717)
@@ -0,0 +1,28 @@
+From 178c562a4621162dbe19a7c34fa2ad558684f40e Mon Sep 17 00:00:00 2001
+From: "Dr. Stephen Henson" <steve at openssl.org>
+Date: Tue, 6 Jan 2015 20:55:38 +0000
+Subject: [PATCH 102/117] use correct function name
+
+Reviewed-by: Rich Salz <rsalz at openssl.org>
+Reviewed-by: Matt Caswell <matt at openssl.org>
+(cherry picked from commit cb62ab4b17818fe66d2fed0a7fe71969131c811b)
+---
+ crypto/asn1/a_verify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
+index a571009..78dde1d 100644
+--- a/crypto/asn1/a_verify.c
++++ b/crypto/asn1/a_verify.c
+@@ -154,7 +154,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
+
+ if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
+ {
+- ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
++ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+ return -1;
+ }
+
+--
+2.1.4
+
Modified: openssl/branches/wheezy/debian/patches/series
===================================================================
--- openssl/branches/wheezy/debian/patches/series 2015-01-23 18:14:42 UTC (rev 716)
+++ openssl/branches/wheezy/debian/patches/series 2015-03-19 17:54:26 UTC (rev 717)
@@ -79,9 +79,22 @@
0095-Constify-ASN1_TYPE_cmp-add-X509_ALGOR_cmp.patch
0098-ECDH-downgrade-bug-fix.patch
0099-Only-allow-ephemeral-RSA-keys-in-export-ciphersuites.patch
+0102-use-correct-function-name.patch
+0107-fix-error-discrepancy.patch
0108-Fix-for-CVE-2014-3570.patch
0109-Fix-crash-in-dtls1_get_record-whilst-in-the-listen-s.patch
0110-Follow-on-from-CVE-2014-3571.-This-fixes-the-code-th.patch
0111-Unauthenticated-DH-client-certificate-fix.patch
0112-A-memory-leak-can-occur-in-dtls1_buffer_record-if-ei.patch
+0006-Fix-reachable-assert-in-SSLv2-servers.patch
+0005-PKCS-7-avoid-NULL-pointer-dereferences-with-missing-.patch
+0004-Fix-ASN1_TYPE_cmp.patch
+0003-Free-up-passed-ASN.1-structure-if-reused.patch
+0002-Free-up-ADB-and-CHOICE-if-already-initialised.patch
+0001-fix-warning.patch
+0001-Remove-export-ciphers-from-the-DEFAULT-cipher-list.patch
+0001-Make-DTLS-always-act-as-if-read_ahead-is-set.-The-ac.patch
+0001-Fix-a-failure-to-NULL-a-pointer-freed-on-error.patch
+0001-Check-public-key-is-not-NULL.patch
+0001-evp-prevent-underflow-in-base64-decoding.patch
More information about the Pkg-openssl-changes
mailing list