Hello,

The following problems were found in OpenSSL source code. Pasting from
internal CR (6764688) description:

usr/src/common/openssl/ssl/d1_clnt.c

0551: /* else use the pre-loaded session */
0552:
0553: p=s->s3->client_random;
0554: /* if client_random is initialized, reuse it, we are
0555: * required to use same upon reply to HelloVerify */
0556: for (i=0;p[i]=='\0' && i<sizeof(s->s3->client_random);i++) ;
0557: if (i==sizeof(s->s3->client_random))
0558: {
0559: Time=(unsigned long)time(NULL); /* Time */
0560: l2n(Time,p);
0561: RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);

The loop test condition reads from s->s3->client_random before the
bounds check - these should be swapped around the other way.
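For comparison, here is the hardened shape of that scan as an added example (not code from the mail or from OpenSSL): the index is checked against the length before p[i] is dereferenced, so an all-zero client_random stops the loop at i == len without reading p[len]. The CLIENT_RANDOM_SIZE constant, the demo_fill() stand-in for the time()/RAND_pseudo_bytes() sequence, and the wrapper function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Width of the ClientHello client_random field; defined here so the
 * example is self-contained (assumption, not taken from the mail). */
#define CLIENT_RANDOM_SIZE 32

/* Hardened form of the loop quoted from d1_clnt.c: "i < len" is evaluated
 * first, and && short-circuits, so p[i] is never read once i == len.
 * Returns 1 if all len bytes are zero, 0 as soon as a non-zero byte is seen. */
int client_random_is_unset(const unsigned char *p, size_t len)
{
    size_t i;
    for (i = 0; i < len && p[i] == '\0'; i++)
        ;
    return i == len;
}

/* Mirrors the caller's decision in d1_clnt.c: a non-zero client_random is
 * reused (required when replying to HelloVerify), an all-zero one is filled.
 * The fill callback stands in for the time() + RAND_pseudo_bytes() sequence.
 * Returns 1 if a fresh value was written, 0 if the existing one was kept. */
int ensure_client_random(unsigned char *p, size_t len,
                         void (*fill)(unsigned char *, size_t))
{
    if (!client_random_is_unset(p, len))
        return 0;
    fill(p, len);
    return 1;
}

/* Deterministic filler for demonstration only; NOT a random source. */
static void demo_fill(unsigned char *p, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        p[i] = (unsigned char)(0xA0 + i);
}

/* First call fills the zeroed buffer, second call must reuse it. */
int demo(void)
{
    unsigned char r[CLIENT_RANDOM_SIZE];
    int first, second;

    memset(r, 0, sizeof r);
    first = ensure_client_random(r, sizeof r, demo_fill);   /* 1: filled */
    second = ensure_client_random(r, sizeof r, demo_fill);  /* 0: reused */
    return first == 1 && second == 0 && r[0] == 0xA0;
}

int main(void)
{
    printf("demo %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

The whole fix is the order of the two operands in the for-condition; with the length test first, the loop body is unchanged and the behaviour for non-zero buffers is identical to the original.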

usr/src/common/openssl/crypto/des/xcbc_enc.c

0093: for (i=0; i<8; i++)
0094: {
0095: out[i]=key[i]^desx_white_in2out[out0^out1];
0096: out0=out1;
0097: out1=(int)out[i&0x07];
0098: }
0099:
0100: out0=out[0];
0101: out1=out[i];

At line 101, i will always be 8 following the loop above, and out is a
pointer to char[8].

/usr/src/common/openssl/crypto/aes/aes_cfb.c

0183: num = nbits/8;
0184: if(rem==0)
0185: memcpy(ivec,ovec+num,AES_BLOCK_SIZE);
0186: else
0187: for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
0188: ivec[n] = ovec[n+num]<<rem | ovec[n+num+1]>>(8-rem);
0189:
0190: /* it is not necessary to cleanse ovec, since the IV is not secret */
0191: }
0192:
0193: /* N.B. This expects the input to be packed, MS bit first */

Harmless, but strictly speaking if nbits is 128 (permitted), the last
iteration of the loop reads past the end of the ovec array ([32]) with
ovec[15+16+1], even if it then throws the value away with the shift-right.

This bug was found using the Parfait source code analysis tool.
See http://research.sun.com/projects/parfait

Best regards,


V. Kotal

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org