Hello,
The following problems were found in OpenSSL source code. Pasting from
internal CR (6764688) description:
usr/src/common/openssl/ssl/d1_clnt.c
0551: /* else use the pre-loaded session */
0552:
0553: p=s->s3->client_random;
0554: /* if client_random is initialized, reuse it, we are
0555: * required to use same upon reply to HelloVerify */
0556: for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ;
0557: if (i==sizeof(s->s3->client_random))
0558: {
0559: Time=(unsigned long)time(NULL); /* Time */
0560: l2n(Time,p);
0561: RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
The loop test condition reads from s->s3->client_random before the bounds check - these should be swapped around the other way.
usr/src/common/openssl/crypto/des/xcbc_enc.c
0093: for (i=0; i<8; i++)
0094: {
0095: out[i]=key[i]^desx_white_in2out[out0^out1];
0096: out0=out1;
0097: out1=(int)out[i&0x07];
0098: }
0099:
0100: out0=out[0];
0101: out1=out[i];
At line 101, i will always be 8 following the loop above, and out is a pointer to char[8].
/usr/src/common/openssl/crypto/aes/aes_cfb.c
0183: num = nbits/8;
0184: if(rem==0)
0185: memcpy(ivec,ovec+num,AES_BLOCK_SIZE);
0186: else
0187: for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
0188: ivec[n] = ovec[n+num]<<rem | ovec[n+num+1]>>(8-rem);
0189:
0190: /* it is not necessary to cleanse ovec, since the IV is not secret */
0191: }
0192:
0193: /* N.B. This expects the input to be packed, MS bit first */
Harmless, but strictly speaking if nbits is 128 (permitted), the last iteration of the loop reads past the end of the ovec array ([32]) with ovec[15+16+1], even if it then throws the value away with the shift-right.
This bug was found using the Parfait source code analysis tool.
See http://research.sun.com/projects/parfait
Best regards,
V. Kotal
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
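The first two reports above (the d1_clnt.c loop that dereferences before it bounds-checks, and the xcbc_enc.c out[i] read after a loop has left i at 8) are instances of two common C off-by-one patterns. The following is an added editorial example, not OpenSSL code and not part of the original message: it shows each pattern written the safe way round on constructed input. The names leading_zero_bytes, init_client_random, mix_white and demo_sbox are this example's own; demo_sbox is a constructed table standing in for desx_white_in2out, the time prefix mirrors l2n() and a constant filler replaces RAND_pseudo_bytes() so it runs offline, and the choice of out[i-1] as the intended second-phase seed is an assumption of the example.

```c
/* Added example (editor's, not OpenSSL code). Demonstrates the two
 * loop-bounds defects from the report in corrected form on constructed input. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RANDOM_SIZE 32   /* stands in for SSL3_RANDOM_SIZE in this example */

/* Report 1 (d1_clnt.c line 556). The original evaluated p[i]=='\0' before
 * i<sizeof(...), so on an all-zero buffer the final iteration read p[n].
 * With the bounds test as the left operand, && short-circuits before the
 * read. Returns n when every byte is zero, otherwise the first non-zero index. */
size_t leading_zero_bytes(const unsigned char *p, size_t n)
{
    size_t i;
    for (i = 0; i < n && p[i] == '\0'; i++)
        ;
    return i;
}

/* Mirrors the "reuse client_random if it is already set" logic. The 4-byte
 * time prefix is written big-endian as l2n() does; the rest is filled with a
 * constructed constant instead of RAND_pseudo_bytes() so the example runs
 * offline. Returns 1 if the buffer was initialised, 0 if it was reused. */
int init_client_random(unsigned char *p, size_t n, unsigned long t, unsigned char fill)
{
    if (n < 4 || leading_zero_bytes(p, n) != n)
        return 0;                       /* already initialised: reuse it */
    p[0] = (unsigned char)(t >> 24);
    p[1] = (unsigned char)(t >> 16);
    p[2] = (unsigned char)(t >> 8);
    p[3] = (unsigned char)(t);
    memset(p + 4, fill, n - 4);
    return 1;
}

/* Calls init_client_random twice on a freshly zeroed buffer and returns
 * first_result*10 + second_result: 10 means "initialised once, then reused". */
int demo_reuse(void)
{
    unsigned char cr[RANDOM_SIZE] = {0};        /* constructed: zeroed buffer */
    int first  = init_client_random(cr, sizeof cr, 0x01020304UL, 0xAB);
    int second = init_client_random(cr, sizeof cr, 0x01020304UL, 0xAB);
    return first * 10 + second;
}

/* Constructed affine table standing in for desx_white_in2out (example only). */
static unsigned char demo_sbox(unsigned char x)
{
    return (unsigned char)(x * 7 + 3);
}

/* Report 2 (xcbc_enc.c line 101). After `for (i=0;i<8;i++)` exits, i==8 and
 * out[i] is one past the end of out[8]. This version seeds the second phase
 * from the last byte actually written, out[i-1] (assumed intent). Writes the
 * 8 whitened bytes into out and returns the value the second pass would feed
 * to the table, out0 ^ out1. */
unsigned char mix_white(const unsigned char key[8], unsigned char out[8])
{
    int i, out0 = 0, out1 = 0;
    for (i = 0; i < 8; i++) {
        out[i] = key[i] ^ demo_sbox((unsigned char)(out0 ^ out1));
        out0 = out1;
        out1 = out[i & 0x07];
    }
    out0 = out[0];
    out1 = out[i - 1];          /* i == 8 here; out[7] is the last valid byte */
    return (unsigned char)(out0 ^ out1);
}

int main(void)
{
    unsigned char key[8] = {0}, w[8];   /* constructed all-zero key */
    printf("reuse demo (expect 10): %d\n", demo_reuse());
    printf("whitening seed: %u, out[7]=%u\n", mix_white(key, w), w[7]);
    return 0;
}
```

Both fixes are the same idea: every array index the loop produces must be proven in range by the condition that guards it, either by ordering the && operands (report 1) or by remembering that a counted loop exits with the counter equal to the array length (report 2).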