From f8b2612d6898dbfbd5ae9ba894dfb74b627962d3 Mon Sep 17 00:00:00 2001
From: delphij <delphij@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Wed, 4 May 2016 06:53:02 +0000
Subject: [PATCH] Fix several OpenSSL vulnerabilities.

Security:	CVE-2016-2105, CVE-2016-2106, CVE-2016-2109
Security:	CVE-2016-2176 (does not affect FreeBSD)
Security:	FreeBSD-SA-16:17.openssl


git-svn-id: svn://svn.freebsd.org/base/stable/9@299053 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 crypto/openssl/crypto/asn1/a_type.c   |  2 --
 crypto/openssl/crypto/asn1/tasn_dec.c |  2 --
 crypto/openssl/crypto/asn1/tasn_enc.c |  2 --
 crypto/openssl/crypto/evp/encode.c    | 12 +++++++++---
 crypto/openssl/crypto/evp/evp_enc.c   |  2 +-
 crypto/openssl/crypto/x509/x509_obj.c |  5 +++--
 6 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/crypto/openssl/crypto/asn1/a_type.c b/crypto/openssl/crypto/asn1/a_type.c
index 69a5cf6f4..be6eeedf3 100644
--- a/crypto/openssl/crypto/asn1/a_type.c
+++ b/crypto/openssl/crypto/asn1/a_type.c
@@ -123,9 +123,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
         result = 0;             /* They do not have content. */
         break;
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
     case V_ASN1_BIT_STRING:
     case V_ASN1_OCTET_STRING:
     case V_ASN1_SEQUENCE:
diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c
index 91e769811..c72ed08f4 100644
--- a/crypto/openssl/crypto/asn1/tasn_dec.c
+++ b/crypto/openssl/crypto/asn1/tasn_dec.c
@@ -901,9 +901,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
         break;
 
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
         tint = (ASN1_INTEGER **)pval;
         if (!c2i_ASN1_INTEGER(tint, &cont, len))
             goto err;
diff --git a/crypto/openssl/crypto/asn1/tasn_enc.c b/crypto/openssl/crypto/asn1/tasn_enc.c
index b93f3f69c..928416db3 100644
--- a/crypto/openssl/crypto/asn1/tasn_enc.c
+++ b/crypto/openssl/crypto/asn1/tasn_enc.c
@@ -610,9 +610,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
         break;
 
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
         /*
          * These are all have the same content format as ASN1_INTEGER
          */
diff --git a/crypto/openssl/crypto/evp/encode.c b/crypto/openssl/crypto/evp/encode.c
index 9bdcd5724..eb42a18a3 100644
--- a/crypto/openssl/crypto/evp/encode.c
+++ b/crypto/openssl/crypto/evp/encode.c
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <limits.h>
 #include "cryptlib.h"
 #include <openssl/evp.h>
 
@@ -134,13 +135,13 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
                       const unsigned char *in, int inl)
 {
     int i, j;
-    unsigned int total = 0;
+    size_t total = 0;
 
     *outl = 0;
     if (inl == 0)
         return;
     OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data));
-    if ((ctx->num + inl) < ctx->length) {
+    if (ctx->length - ctx->num > inl) {
         memcpy(&(ctx->enc_data[ctx->num]), in, inl);
         ctx->num += inl;
         return;
@@ -157,7 +158,7 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
         *out = '\0';
         total = j + 1;
     }
-    while (inl >= ctx->length) {
+    while (inl >= ctx->length && total <= INT_MAX) {
         j = EVP_EncodeBlock(out, in, ctx->length);
         in += ctx->length;
         inl -= ctx->length;
@@ -166,6 +167,11 @@ void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
         *out = '\0';
         total += j + 1;
     }
+    if (total > INT_MAX) {
+        /* Too much output data! */
+        *outl = 0;
+        return;
+    }
     if (inl != 0)
         memcpy(&(ctx->enc_data[0]), in, inl);
     ctx->num = inl;
diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c
index 8a91a679b..5205047e4 100644
--- a/crypto/openssl/crypto/evp/evp_enc.c
+++ b/crypto/openssl/crypto/evp/evp_enc.c
@@ -166,7 +166,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
     bl = ctx->cipher->block_size;
     OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
     if (i != 0) {
-        if (i + inl < bl) {
+        if (bl - i > inl) {
             memcpy(&(ctx->buf[i]), in, inl);
             ctx->buf_len += inl;
             *outl = 0;
diff --git a/crypto/openssl/crypto/x509/x509_obj.c b/crypto/openssl/crypto/x509/x509_obj.c
index c334d3b05..e9822b0e9 100644
--- a/crypto/openssl/crypto/x509/x509_obj.c
+++ b/crypto/openssl/crypto/x509/x509_obj.c
@@ -117,8 +117,9 @@ char *X509_NAME_oneline(X509_NAME *a, char *buf, int len)
             type == V_ASN1_PRINTABLESTRING ||
             type == V_ASN1_TELETEXSTRING ||
             type == V_ASN1_VISIBLESTRING || type == V_ASN1_IA5STRING) {
-            ascii2ebcdic(ebcdic_buf, q, (num > sizeof ebcdic_buf)
-                         ? sizeof ebcdic_buf : num);
+            if (num > (int)sizeof(ebcdic_buf))
+                num = sizeof(ebcdic_buf);
+            ascii2ebcdic(ebcdic_buf, q, num);
             q = ebcdic_buf;
         }
 #endif
-- 
2.45.0