HEADSUP -- issues with SA-15:06.openssl

[Xin Li]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

Please be advised that we have noticed some issues with
SA-15:06.openssl and are actively working on validating the fix.  A
copy of draft errata patches is attached.

My apologies for this mess.  Revised advisories would be announced
once we have made sure that everything is correct.

Cheers,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)

iQIcBAEBCgAGBQJVC3a5AAoJEJW2GBstM+ns+s4P/A+M1xdhycNvo0qsSTfLcah1
uAvZnWLo7gobBM8CxlrgtrXkRsYwGp7Q6bzW63PA+8qE4FIht7/fgMpXNHufK8bz
1b/h0KrnPs7rEBe3K13RJEI5ufVb/Xj1mOVY59GCJ76QuekN9nEGbYRE2Fbg8yhE
iOWLpNWKsQBPdDhMfqmayUZmuZf8pPhgIEwzEsSefnZhe1XrN5kX8s4T00aWieSz
MbEkLRfOlVn+qeXlZOp6R96vEoNYaGeTnX7AN16wKg+0Sipk9AJBDFUODjPQgzIr
4BbL8TpW3DvC0cOOpJnYb4KVy7o+54QMFoDr0Gt0R/HZQj3lzdtOBbTFfNs82KDl
wWPZB3G4CY5l2d1CYQjUQtXmuRnro3JrslBbx00RcLAs9deDtIoJVqHQv0wiLSlZ
jv1lWZbyUhVw/9cY4A8c1QRs01YWGGPZV4cuO0RN56zs6ipIK/0XkzYrY+b2yWku
U5slMwqhuREZ1ypLcfUwQHgnyX094wTXkuJQ2l+4dMiO8wV6gW5x3C2lOe/0OHYP
L0Atb84aYvMG9RlFCTF6CB2226tRjqxuFhI+x2d0choVJpMt5SJ2cfBi5E3e9Ooy
roPVTlOwB1tsYVi3fjYjwJZ5TiPDq3ekcByTmIrasrsFB5+9tBDBnRC5nERNITM4
o69NYExg60dSJ8p5RTeE
=wG30
-----END PGP SIGNATURE-----
-------------- next part --------------
Index: crypto/openssl/crypto/asn1/tasn_dec.c
===================================================================
--- crypto/openssl/crypto/asn1/tasn_dec.c	(revision 280272)
+++ crypto/openssl/crypto/asn1/tasn_dec.c	(working copy)
@@ -127,22 +127,16 @@ unsigned long ASN1_tag2bit(int tag)
 
 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
 		const unsigned char **in, long len, const ASN1_ITEM *it)
-{
+	{
 	ASN1_TLC c;
 	ASN1_VALUE *ptmpval = NULL;
+	if (!pval)
+		pval = &ptmpval;
 	asn1_tlc_clear_nc(&c);
-	if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
-		ptmpval = *pval;
-	if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
-		if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
-			if (*pval)
-				ASN1_item_free(*pval, it);
-			*pval = ptmpval;
-		}
-		return ptmpval;
+	if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 
+		return *pval;
+	return NULL;
 	}
-	return NULL;
-}
 
 int ASN1_template_d2i(ASN1_VALUE **pval,
 		const unsigned char **in, long len, const ASN1_TEMPLATE *tt)
Index: crypto/openssl/crypto/ec/ec_asn1.c
===================================================================
--- crypto/openssl/crypto/ec/ec_asn1.c	(revision 280272)
+++ crypto/openssl/crypto/ec/ec_asn1.c	(working copy)
@@ -1142,8 +1142,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigne
                                  ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
-		if (a)
-			*a = ret;
 		}
 	else
 		ret = *a;
@@ -1225,11 +1223,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigne
 		ret->enc_flag |= EC_PKEY_NO_PUBKEY;
 		}
 
+	if (a)
+		*a = ret;
 	ok = 1;
 err:
 	if (!ok)
 		{
-		if (ret)
+		if (ret && (a == NULL || *a != ret))
 			EC_KEY_free(ret);
 		ret = NULL;
 		}
Index: crypto/openssl/crypto/x509/x509_req.c
===================================================================
--- crypto/openssl/crypto/x509/x509_req.c	(revision 280272)
+++ crypto/openssl/crypto/x509/x509_req.c	(working copy)
@@ -92,6 +92,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey
 		goto err;
 
 	pktmp = X509_get_pubkey(x);
+	if (pktmp == NULL)
+		goto err;
 	i=X509_REQ_set_pubkey(ret,pktmp);
 	EVP_PKEY_free(pktmp);
 	if (!i) goto err;
-------------- next part --------------
Index: crypto/openssl/crypto/asn1/tasn_dec.c
===================================================================
--- crypto/openssl/crypto/asn1/tasn_dec.c	(revision 280272)
+++ crypto/openssl/crypto/asn1/tasn_dec.c	(working copy)
@@ -125,23 +125,16 @@ unsigned long ASN1_tag2bit(int tag)
 
 ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **pval,
 		const unsigned char **in, long len, const ASN1_ITEM *it)
-{
+	{
 	ASN1_TLC c;
 	ASN1_VALUE *ptmpval = NULL;
+	if (!pval)
+		pval = &ptmpval;
 	c.valid = 0;
-	if (pval && *pval && it->itype == ASN1_ITYPE_PRIMITIVE)
-		ptmpval = *pval;
-
-	if (ASN1_item_ex_d2i(&ptmpval, in, len, it, -1, 0, 0, &c) > 0) {
-		if (pval && it->itype != ASN1_ITYPE_PRIMITIVE) {
-			if (*pval)
-				ASN1_item_free(*pval, it);
-			*pval = ptmpval;
-		}
-		return ptmpval;
+	if (ASN1_item_ex_d2i(pval, in, len, it, -1, 0, 0, &c) > 0) 
+		return *pval;
+	return NULL;
 	}
-	return NULL;
-}
 
 int ASN1_template_d2i(ASN1_VALUE **pval,
 		const unsigned char **in, long len, const ASN1_TEMPLATE *tt)
Index: crypto/openssl/crypto/ec/ec_asn1.c
===================================================================
--- crypto/openssl/crypto/ec/ec_asn1.c	(revision 280272)
+++ crypto/openssl/crypto/ec/ec_asn1.c	(working copy)
@@ -1126,8 +1126,6 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigne
                                  ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
-		if (a)
-			*a = ret;
 		}
 	else
 		ret = *a;
@@ -1192,11 +1190,13 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigne
 			}
 		}
 
+	if (a)
+		*a = ret;
 	ok = 1;
 err:
 	if (!ok)
 		{
-		if (ret)
+		if (ret && (a == NULL || *a != ret))
 			EC_KEY_free(ret);
 		ret = NULL;
 		}
Index: crypto/openssl/crypto/x509/x509_req.c
===================================================================
--- crypto/openssl/crypto/x509/x509_req.c	(revision 280272)
+++ crypto/openssl/crypto/x509/x509_req.c	(working copy)
@@ -91,6 +91,8 @@ X509_REQ *X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey
 		goto err;
 
 	pktmp = X509_get_pubkey(x);
+	if (pktmp == NULL)
+		goto err;
 	i=X509_REQ_set_pubkey(ret,pktmp);
 	EVP_PKEY_free(pktmp);
 	if (!i) goto err;