Import OpenSSL-1.0.0b.
authorPeter Avalos <pavalos@dragonflybsd.org>
Thu, 18 Nov 2010 05:41:45 +0000 (19:41 -1000)
committerPeter Avalos <pavalos@dragonflybsd.org>
Thu, 18 Nov 2010 05:41:45 +0000 (19:41 -1000)
This primarily fixes CVE-2010-3864 and CVE-2010-2939.

82 files changed:
crypto/openssl/CHANGES
crypto/openssl/FAQ
crypto/openssl/NEWS
crypto/openssl/PROBLEMS
crypto/openssl/README
crypto/openssl/README.DELETED
crypto/openssl/apps/apps.c
crypto/openssl/apps/dh.c
crypto/openssl/apps/dhparam.c
crypto/openssl/apps/dsaparam.c
crypto/openssl/apps/ec.c
crypto/openssl/apps/ecparam.c
crypto/openssl/apps/enc.c
crypto/openssl/apps/gendh.c
crypto/openssl/apps/gendsa.c
crypto/openssl/apps/pkcs7.c
crypto/openssl/apps/pkeyparam.c
crypto/openssl/apps/pkeyutl.c
crypto/openssl/apps/rand.c
crypto/openssl/apps/s_server.c
crypto/openssl/apps/s_socket.c
crypto/openssl/apps/speed.c
crypto/openssl/apps/x509.c
crypto/openssl/crypto/aes/aes_wrap.c
crypto/openssl/crypto/asn1/a_int.c
crypto/openssl/crypto/asn1/n_pkey.c
crypto/openssl/crypto/asn1/t_crl.c
crypto/openssl/crypto/asn1/tasn_dec.c
crypto/openssl/crypto/asn1/x_x509.c
crypto/openssl/crypto/bio/bf_nbio.c
crypto/openssl/crypto/bio/bio_lib.c
crypto/openssl/crypto/bio/bss_acpt.c
crypto/openssl/crypto/bn/bn_exp2.c
crypto/openssl/crypto/bn/bn_mul.c
crypto/openssl/crypto/conf/conf_api.c
crypto/openssl/crypto/conf/conf_def.c
crypto/openssl/crypto/dsa/dsa_gen.c
crypto/openssl/crypto/dsa/dsa_ossl.c
crypto/openssl/crypto/ec/ec2_mult.c
crypto/openssl/crypto/ec/ec_mult.c
crypto/openssl/crypto/ecdh/ech_lib.c
crypto/openssl/crypto/ecdsa/ecs_lib.c
crypto/openssl/crypto/evp/encode.c
crypto/openssl/crypto/evp/evp_enc.c
crypto/openssl/crypto/evp/pmeth_lib.c
crypto/openssl/crypto/hmac/hmac.c
crypto/openssl/crypto/md32_common.h
crypto/openssl/crypto/ocsp/ocsp_ht.c
crypto/openssl/crypto/ocsp/ocsp_prn.c
crypto/openssl/crypto/opensslv.h
crypto/openssl/crypto/pem/pem_lib.c
crypto/openssl/crypto/pem/pvkfmt.c
crypto/openssl/crypto/pkcs12/p12_key.c
crypto/openssl/crypto/pkcs7/pk7_doit.c
crypto/openssl/crypto/pkcs7/pk7_lib.c
crypto/openssl/crypto/pqueue/pqueue.c
crypto/openssl/crypto/rand/md_rand.c
crypto/openssl/crypto/rand/rand_nw.c
crypto/openssl/crypto/rand/randfile.c
crypto/openssl/crypto/rsa/rsa_eay.c
crypto/openssl/crypto/stack/safestack.h
crypto/openssl/crypto/x509/x509.h
crypto/openssl/crypto/x509/x509_vfy.c
crypto/openssl/crypto/x509/x_all.c
crypto/openssl/crypto/x509v3/pcy_tree.c
crypto/openssl/crypto/x509v3/v3_ncons.c
crypto/openssl/doc/apps/smime.pod
crypto/openssl/engines/ccgost/gost_ameth.c
crypto/openssl/engines/e_chil.c
crypto/openssl/engines/e_cswift.c
crypto/openssl/engines/e_ubsec.c
crypto/openssl/ssl/d1_pkt.c
crypto/openssl/ssl/s23_lib.c
crypto/openssl/ssl/s2_srvr.c
crypto/openssl/ssl/s3_clnt.c
crypto/openssl/ssl/s3_enc.c
crypto/openssl/ssl/s3_srvr.c
crypto/openssl/ssl/ssl_asn1.c
crypto/openssl/ssl/ssl_ciph.c
crypto/openssl/ssl/ssl_lib.c
crypto/openssl/ssl/t1_enc.c
crypto/openssl/ssl/t1_lib.c

index b139cf6..aad698c 100644 (file)
@@ -2,6 +2,17 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.0a and 1.0.0b  [16 Nov 2010]
+
+  *) Fix extension code to avoid race conditions which can result in a buffer
+     overrun vulnerability: resumed sessions must not be modified as they can
+     be shared by multiple threads. CVE-2010-3864
+     [Steve Henson]
+
+  *) Fix WIN32 build system to correctly link an ENGINE directory into
+     a DLL. 
+     [Steve Henson]
+
  Changes between 1.0.0 and 1.0.0a  [01 Jun 2010]
 
   *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover 
   *) Change 'Configure' script to enable Camellia by default.
      [NTT]
   
- Changes between 0.9.8n and 0.9.8o [xx XXX xxxx]
+ Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
+
+  *) Fix extension code to avoid race conditions which can result in a buffer
+     overrun vulnerability: resumed sessions must not be modified as they can
+     be shared by multiple threads. CVE-2010-3864
+
+  *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
+     [Steve Henson]
+
+  *) Don't reencode certificate when calculating signature: cache and use
+     the original encoding instead. This makes signature verification of
+     some broken encodings work correctly.
+     [Steve Henson]
+
+  *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT
+     is also one of the inputs.
+     [Emilia K√§sper <emilia.kasper@esat.kuleuven.be> (Google)]
+
+  *) Don't repeatedly append PBE algorithms to table if they already exist.
+     Sort table on each new add. This effectively makes the table read only
+     after all algorithms are added and subsequent calls to PKCS12_pbe_add
+     etc are non-op.
+     [Steve Henson]
+
+ Changes between 0.9.8n and 0.9.8o [01 Jun 2010]
+
+  [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after
+  OpenSSL 1.0.0.]
 
   *) Correct a typo in the CMS ASN1 module which can result in invalid memory
      access or freeing data twice (CVE-2010-0742)
      SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
      [Steve Henson]
 
+  *) VMS fixes: 
+     Reduce copying into .apps and .test in makevms.com
+     Don't try to use blank CA certificate in CA.com
+     Allow use of C files from original directories in maketests.com
+     [Steven M. Schweda" <sms@antinode.info>]
+
  Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
 
   *) When rejecting SSL/TLS records due to an incorrect version number, never
      - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
      the previous behavior could result in a read attempt at NULL when
      receiving specific incorrect SSL/TLS records once record payload
-     protection is active.  (CVE-2010-####)
-     [Bodo Moeller, Adam Langley]
+     protection is active.  (CVE-2010-0740)
+     [Bodo Moeller, Adam Langley <agl@chromium.org>]
 
   *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL 
      could be crashed if the relevant tables were not present (e.g. chrooted).
index becee66..f7bdc88 100644 (file)
@@ -79,7 +79,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.0a was released on Jun 1st, 2010.
+OpenSSL 1.0.0b was released on Nov 16th, 2010.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
index 3a787ea..23edac2 100644 (file)
@@ -5,6 +5,12 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b:
+
+      o Fix for security issue CVE-2010-3864.
+      o Fix for CVE-2010-2939
+      o Fix WIN32 build system for GOST ENGINE.
+
   Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
 
       o Fix for security issue CVE-2010-1633.
index ed3c174..d247470 100644 (file)
@@ -36,7 +36,9 @@ may differ on your machine.
 
 
 As long as Apple doesn't fix the problem with ld, this problem building
-OpenSSL will remain as is.
+OpenSSL will remain as is. Well, the problem was addressed in 0.9.8f by
+passing -Wl,-search_paths_first, but it's unknown if the flag was
+supported from the initial MacOS X release.
 
 
 * Parallell make leads to errors
index c1d0a5f..6b87a4c 100644 (file)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.0a 1 Jun 2010
+ OpenSSL 1.0.0b 16 Nov 2010
 
  Copyright (c) 1998-2010 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
index 195de41..f487315 100644 (file)
@@ -68,6 +68,7 @@ crypto/Makefile
 crypto/aes/Makefile
 crypto/aes/aes_x86core.c
 crypto/aes/asm/
+crypto/alphacpuid.pl
 crypto/asn1/Makefile
 crypto/asn1/charmap.pl
 crypto/bf/INSTALL
index acc50df..c279771 100644 (file)
@@ -257,6 +257,8 @@ int args_from_file(char *file, int *argc, char **argv[])
 
 int str2fmt(char *s)
        {
+       if (s == NULL)
+               return FORMAT_UNDEF;
        if      ((*s == 'D') || (*s == 'd'))
                return(FORMAT_ASN1);
        else if ((*s == 'T') || (*s == 't'))
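Review bot: The new NULL guard in str2fmt returns FORMAT_UNDEF, but nothing in this hunk shows callers rejecting that value, so a missing option value may travel on as an undefined format instead of a usage error. It is worth confirming that each caller treats FORMAT_UNDEF as bad input. The added line is written `return FORMAT_UNDEF;` while the rest of the function uses the `return(FORMAT_ASN1);` form, so `return(FORMAT_UNDEF);` would match the file. A short comment such as `/* s is presumably NULL when an option is given without its value */` would record why the check exists. The function body continues past the end of the hunk.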
@@ -377,13 +379,12 @@ void program_name(char *in, char *out, int size)
 
 int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
        {
-       int num,len,i;
+       int num,i;
        char *p;
 
        *argc=0;
        *argv=NULL;
 
-       len=strlen(buf);
        i=0;
        if (arg->count == 0)
                {
index e9609d6..dee9c01 100644 (file)
@@ -88,9 +88,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
        {
-#ifndef OPENSSL_NO_ENGINE
-       ENGINE *e = NULL;
-#endif
        DH *dh=NULL;
        int i,badops=0,text=0;
        BIO *in=NULL,*out=NULL;
@@ -189,7 +186,7 @@ bad:
        ERR_load_crypto_strings();
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
        in=BIO_new(BIO_s_file());
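Review bot: The result of `setup_engine(bio_err, engine, 0)` is now discarded, so if the user names an engine and it cannot be loaded, this code carries on with whatever default implementation is available. The removed `ENGINE *e` was never read either, so this is not a regression, but for a hardware-backed engine a silent fallback to software is worth turning into a hard failure. Something like `if (engine != NULL && setup_engine(bio_err, engine, 0) == NULL) goto end;` would do it, assuming setup_engine returns NULL on failure and the function has a suitable cleanup label (neither is visible in this hunk). The same pattern repeats in the later apps sections of this commit that replace `e = setup_engine(...)`, including the `setup_engine(bio_err, *argv, 0)` call in the speed tool.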
index 5fab29e..b47097c 100644 (file)
@@ -149,9 +149,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
        {
-#ifndef OPENSSL_NO_ENGINE
-       ENGINE *e = NULL;
-#endif
        DH *dh=NULL;
        int i,badops=0,text=0;
 #ifndef OPENSSL_NO_DSA
@@ -270,7 +267,7 @@ bad:
        ERR_load_crypto_strings();
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
        if (g && !num)
index 4305a73..fe72c1d 100644 (file)
@@ -111,9 +111,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
        {
-#ifndef OPENSSL_NO_ENGINE
-       ENGINE *e = NULL;
-#endif
        DSA *dsa=NULL;
        int i,badops=0,text=0;
        BIO *in=NULL,*out=NULL;
@@ -278,7 +275,7 @@ bad:
                }
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
        if (need_rand)
@@ -357,12 +354,10 @@ bad:
        if (C)
                {
                unsigned char *data;
-               int l,len,bits_p,bits_q,bits_g;
+               int l,len,bits_p;
 
                len=BN_num_bytes(dsa->p);
                bits_p=BN_num_bits(dsa->p);
-               bits_q=BN_num_bits(dsa->q);
-               bits_g=BN_num_bits(dsa->g);
                data=(unsigned char *)OPENSSL_malloc(len+20);
                if (data == NULL)
                        {
index 31194b4..896eabc 100644 (file)
@@ -85,9 +85,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
 {
-#ifndef OPENSSL_NO_ENGINE
-       ENGINE  *e = NULL;
-#endif
        int     ret = 1;
        EC_KEY  *eckey = NULL;
        const EC_GROUP *group;
@@ -254,7 +251,7 @@ bad:
        ERR_load_crypto_strings();
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
        if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) 
index e9aa0a1..465480b 100644 (file)
@@ -129,9 +129,6 @@ int MAIN(int argc, char **argv)
        char    *infile = NULL, *outfile = NULL, *prog;
        BIO     *in = NULL, *out = NULL;
        int     informat, outformat, noout = 0, C = 0, ret = 1;
-#ifndef OPENSSL_NO_ENGINE
-       ENGINE  *e = NULL;
-#endif
        char    *engine = NULL;
 
        BIGNUM  *ec_p = NULL, *ec_a = NULL, *ec_b = NULL,
@@ -340,7 +337,7 @@ bad:
                }
 
 #ifndef OPENSSL_NO_ENGINE
-       e = setup_engine(bio_err, engine, 0);
+       setup_engine(bio_err, engine, 0);
 #endif
 
        if (list_curves)
index 3c2c91e..c28d8b1 100644 (file)
@@ -101,9 +101,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
        {
-#ifndef OPENSSL_NO_ENGINE
-       ENGINE *e = NULL;
-#endif
        static const char magic[]="Salted__";
        char mbuf[sizeof magic-1];
        char *strbuf=NULL;
@@ -328,7 +325,7 @@ bad:
                }
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
        if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
index caa7327..4ec776b 100644 (file)
@@ -89,9 +89,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
        {
        BN_GENCB cb;
-#ifndef OPENSSL_NO_ENGINE
-       ENGINE *e = NULL;
-#endif
        DH *dh=NULL;
        int ret=1,num=DEFBITS;
        int g=2;
@@ -163,7 +160,7 @@ bad:
                }
                
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
        out=BIO_new(BIO_s_file());
index 22c3962..62ea977 100644 (file)
@@ -78,9 +78,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
        {
-#ifndef OPENSSL_NO_ENGINE
-       ENGINE *e = NULL;
-#endif
        DSA *dsa=NULL;
        int ret=1;
        char *outfile=NULL;
@@ -206,7 +203,7 @@ bad:
                }
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
        if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
index 86d31b9..ae6cd33 100644 (file)
@@ -82,9 +82,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
        {
-#ifndef OPENSSL_NO_ENGINE
-       ENGINE *e = NULL;
-#endif
        PKCS7 *p7=NULL;
        int i,badops=0;
        BIO *in=NULL,*out=NULL;
@@ -182,7 +179,7 @@ bad:
        ERR_load_crypto_strings();
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
        in=BIO_new(BIO_s_file());
index 7f18010..6f7a357 100644 (file)
@@ -74,7 +74,6 @@ int MAIN(int argc, char **argv)
        EVP_PKEY *pkey=NULL;
        int badarg = 0;
 #ifndef OPENSSL_NO_ENGINE
-       ENGINE *e = NULL;
        char *engine=NULL;
 #endif
        int ret = 1;
@@ -141,7 +140,7 @@ int MAIN(int argc, char **argv)
                }
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
        if (infile)
index 22a6c4b..7eb3f5c 100644 (file)
@@ -119,17 +119,17 @@ int MAIN(int argc, char **argv)
                if (!strcmp(*argv,"-in"))
                        {
                        if (--argc < 1) badarg = 1;
-                        infile= *(++argv);
+                        else infile= *(++argv);
                        }
                else if (!strcmp(*argv,"-out"))
                        {
                        if (--argc < 1) badarg = 1;
-                       outfile= *(++argv);
+                       else outfile= *(++argv);
                        }
                else if (!strcmp(*argv,"-sigfile"))
                        {
                        if (--argc < 1) badarg = 1;
-                       sigfile= *(++argv);
+                       else sigfile= *(++argv);
                        }
                else if(!strcmp(*argv, "-inkey"))
                        {
@@ -159,17 +159,17 @@ int MAIN(int argc, char **argv)
                else if (!strcmp(*argv,"-passin"))
                        {
                        if (--argc < 1) badarg = 1;
-                       passargin= *(++argv);
+                       else passargin= *(++argv);
                        }
                else if (strcmp(*argv,"-peerform") == 0)
                        {
                        if (--argc < 1) badarg = 1;
-                       peerform=str2fmt(*(++argv));
+                       else peerform=str2fmt(*(++argv));
                        }
                else if (strcmp(*argv,"-keyform") == 0)
                        {
                        if (--argc < 1) badarg = 1;
-                       keyform=str2fmt(*(++argv));
+                       else keyform=str2fmt(*(++argv));
                        }
 #ifndef OPENSSL_NO_ENGINE
                else if(!strcmp(*argv, "-engine"))
index 44a1d46..790e795 100644 (file)
@@ -77,9 +77,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
        {
-#ifndef OPENSSL_NO_ENGINE
-       ENGINE *e = NULL;
-#endif
        int i, r, ret = 1;
        int badopt;
        char *outfile = NULL;
@@ -178,7 +175,7 @@ int MAIN(int argc, char **argv)
                }
 
 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+        setup_engine(bio_err, engine, 0);
 #endif
 
        app_RAND_load_file(NULL, bio_err, (inrand != NULL));
index 1a06d19..8a0c34c 100644 (file)
@@ -2254,11 +2254,10 @@ static int www_body(char *hostname, int s, unsigned char *context)
        {
        char *buf=NULL;
        int ret=1;
-       int i,j,k,blank,dot;
+       int i,j,k,dot;
        SSL *con;
        const SSL_CIPHER *c;
        BIO *io,*ssl_bio,*sbio;
-       long total_bytes;
 
        buf=OPENSSL_malloc(bufsize);
        if (buf == NULL) return(0);
@@ -2329,7 +2328,6 @@ static int www_body(char *hostname, int s, unsigned char *context)
                SSL_set_msg_callback_arg(con, bio_s_out);
                }
 
-       blank=0;
        for (;;)
                {
                if (hack)
@@ -2559,7 +2557,6 @@ static int www_body(char *hostname, int s, unsigned char *context)
                                         BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
                                 }
                        /* send the file */
-                       total_bytes=0;
                        for (;;)
                                {
                                i=BIO_read(file,buf,bufsize);
index 6b8713d..c08544a 100644 (file)
@@ -327,7 +327,7 @@ static int init_server_long(int *sock, int port, char *ip, int type)
        {
        int ret=0;
        struct sockaddr_in server;
-       int s= -1,i;
+       int s= -1;
 
        if (!ssl_sock_init()) return(0);
 
@@ -366,7 +366,6 @@ static int init_server_long(int *sock, int port, char *ip, int type)
                }
        /* Make it 128 for linux */
        if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
-       i=0;
        *sock=s;
        ret=1;
 err:
@@ -384,7 +383,7 @@ static int init_server(int *sock, int port, int type)
 
 static int do_accept(int acc_sock, int *sock, char **host)
        {
-       int ret,i;
+       int ret;
        struct hostent *h1,*h2;
        static struct sockaddr_in from;
        int len;
@@ -407,6 +406,7 @@ redoit:
        if (ret == INVALID_SOCKET)
                {
 #if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
+               int i;
                i=WSAGetLastError();
                BIO_printf(bio_err,"accept error %d\n",i);
 #else
@@ -461,7 +461,6 @@ redoit:
                        BIO_printf(bio_err,"gethostbyname failure\n");
                        return(0);
                        }
-               i=0;
                if (h2->h_addrtype != AF_INET)
                        {
                        BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
index 539bfff..d5e9e24 100644 (file)
@@ -334,9 +334,6 @@ int MAIN(int, char **);
 
 int MAIN(int argc, char **argv)
        {
-#ifndef OPENSSL_NO_ENGINE
-       ENGINE *e = NULL;
-#endif
        unsigned char *buf=NULL,*buf2=NULL;
        int mret=1;
        long count=0,save_count=0;
@@ -430,7 +427,6 @@ int MAIN(int argc, char **argv)
        unsigned char DES_iv[8];
        unsigned char iv[2*MAX_BLOCK_SIZE/8];
 #ifndef OPENSSL_NO_DES
-       DES_cblock *buf_as_des_cblock = NULL;
        static DES_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0};
        static DES_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
        static DES_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34};
@@ -644,9 +640,6 @@ int MAIN(int argc, char **argv)
                BIO_printf(bio_err,"out of memory\n");
                goto end;
                }
-#ifndef OPENSSL_NO_DES
-       buf_as_des_cblock = (DES_cblock *)buf;
-#endif
        if ((buf2=(unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL)
                {
                BIO_printf(bio_err,"out of memory\n");
@@ -721,7 +714,7 @@ int MAIN(int argc, char **argv)
                                BIO_printf(bio_err,"no engine given\n");
                                goto end;
                                }
-                        e = setup_engine(bio_err, *argv, 0);
+                        setup_engine(bio_err, *argv, 0);
                        /* j will be increased again further down.  We just
                           don't want speed to confuse an engine with an
                           algorithm, especially when none is given (which
index e7e46d7..ed1e8c6 100644 (file)
@@ -556,7 +556,6 @@ bad:
        if (reqfile)
                {
                EVP_PKEY *pkey;
-               X509_CINF *ci;
                BIO *in;
 
                if (!sign_flag && !CA_flag)
@@ -624,7 +623,6 @@ bad:
                print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag);
 
                if ((x=X509_new()) == NULL) goto end;
-               ci=x->cert_info;
 
                if (sno == NULL)
                        {
index 9feacd6..e2d73d3 100644 (file)
@@ -85,9 +85,9 @@ int AES_wrap_key(AES_KEY *key, const unsigned char *iv,
                        A[7] ^= (unsigned char)(t & 0xff);
                        if (t > 0xff)   
                                {
-                               A[6] ^= (unsigned char)((t & 0xff) >> 8);
-                               A[5] ^= (unsigned char)((t & 0xff) >> 16);
-                               A[4] ^= (unsigned char)((t & 0xff) >> 24);
+                               A[6] ^= (unsigned char)((t >> 8) & 0xff);
+                               A[5] ^= (unsigned char)((t >> 16) & 0xff);
+                               A[4] ^= (unsigned char)((t >> 24) & 0xff);
                                }
                        memcpy(R, B + 8, 8);
                        }
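Review bot: With the shift order corrected, the upper bytes of `t` are now mixed into `A[4]`..`A[6]`, which the old expression `(t & 0xff) >> 8` never did because it is always zero. As far as these hunks show, data wrapped by an earlier build with an input long enough for `t` to exceed 0xff would therefore fail the integrity check when unwrapped by the new code, and the reverse. That deserves a line in the release notes and a known-answer test with a long input. The same applies to the matching hunk in AES_unwrap_key just below. A comment such as `/* XOR the big-endian counter t into the low-order bytes of A */` above `A[7] ^= ...` would make the intent explicit. Both functions extend beyond the hunks.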
@@ -119,9 +119,9 @@ int AES_unwrap_key(AES_KEY *key, const unsigned char *iv,
                        A[7] ^= (unsigned char)(t & 0xff);
                        if (t > 0xff)   
                                {
-                               A[6] ^= (unsigned char)((t & 0xff) >> 8);
-                               A[5] ^= (unsigned char)((t & 0xff) >> 16);
-                               A[4] ^= (unsigned char)((t & 0xff) >> 24);
+                               A[6] ^= (unsigned char)((t >> 8) & 0xff);
+                               A[5] ^= (unsigned char)((t >> 16) & 0xff);
+                               A[4] ^= (unsigned char)((t >> 24) & 0xff);
                                }
                        memcpy(B + 8, R, 8);
                        AES_decrypt(B, B, key);
index c6fd204..3348b87 100644 (file)
@@ -273,7 +273,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
        {
        ASN1_INTEGER *ret=NULL;
        const unsigned char *p;
-       unsigned char *to,*s;
+       unsigned char *s;
        long len;
        int inf,tag,xclass;
        int i;
@@ -308,7 +308,6 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp,
                i=ERR_R_MALLOC_FAILURE;
                goto err;
                }
-       to=s;
        ret->type=V_ASN1_INTEGER;
        if(len) {
                if ((*p == 0) && (len != 1))
index 60bc437..e7d0439 100644 (file)
@@ -242,7 +242,7 @@ RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
                 int sgckey)
        {
        RSA *ret=NULL;
-       const unsigned char *p, *kp;
+       const unsigned char *p;
        NETSCAPE_ENCRYPTED_PKEY *enckey = NULL;
 
        p = *pp;
@@ -265,7 +265,6 @@ RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,
                ASN1err(ASN1_F_D2I_RSA_NET,ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM);
                goto err;
        }
-       kp = enckey->enckey->digest->data;
        if (cb == NULL)
                cb=EVP_read_pw_string;
        if ((ret=d2i_RSA_NET_2(a, enckey->enckey->digest,cb, sgckey)) == NULL) goto err;
index bdb244c..ee5a687 100644 (file)
@@ -87,7 +87,7 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
        STACK_OF(X509_REVOKED) *rev;
        X509_REVOKED *r;
        long l;
-       int i, n;
+       int i;
        char *p;
 
        BIO_printf(out, "Certificate Revocation List (CRL):\n");
@@ -107,7 +107,6 @@ int X509_CRL_print(BIO *out, X509_CRL *x)
        else BIO_printf(out,"NONE");
        BIO_printf(out,"\n");
 
-       n=X509_CRL_get_ext_count(x);
        X509V3_extensions_print(out, "CRL extensions",
                                                x->crl->extensions, 0, 8);
 
index 3bee439..87d7dfd 100644 (file)
@@ -168,7 +168,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
        int i;
        int otag;
        int ret = 0;
-       ASN1_VALUE *pchval, **pchptr, *ptmpval;
+       ASN1_VALUE **pchptr, *ptmpval;
        if (!pval)
                return 0;
        if (aux && aux->asn1_cb)
@@ -319,7 +319,6 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
                        goto err;
                        }
                /* CHOICE type, try each possibility in turn */
-               pchval = NULL;
                p = *in;
                for (i = 0, tt=it->templates; i < it->tcount; i++, tt++)
                        {
index dafd3cc..de3df9e 100644 (file)
@@ -63,7 +63,7 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-ASN1_SEQUENCE(X509_CINF) = {
+ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = {
        ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),
        ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER),
        ASN1_SIMPLE(X509_CINF, signature, X509_ALGOR),
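Review bot: Declaring the template as `ASN1_SEQUENCE_enc(X509_CINF, enc, 0)` lets the encoder return the cached original bytes, so code that edits cert_info fields in place and then signs or re-encodes must first mark the cache stale. Otherwise the output will not reflect the edit. That invalidation is not visible in this section (crypto/x509/x_all.c is in the changed-file list but outside these hunks), so it should be confirmed for every path that builds or modifies a certificate before signing. A comment above the template, e.g. `/* enc caches the DER as received; set enc.modified after changing any field */`, would document the contract. The template's closing `ASN1_SEQUENCE_END_enc` is in the next hunk.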
@@ -74,7 +74,7 @@ ASN1_SEQUENCE(X509_CINF) = {
        ASN1_IMP_OPT(X509_CINF, issuerUID, ASN1_BIT_STRING, 1),
        ASN1_IMP_OPT(X509_CINF, subjectUID, ASN1_BIT_STRING, 2),
        ASN1_EXP_SEQUENCE_OF_OPT(X509_CINF, extensions, X509_EXTENSION, 3)
-} ASN1_SEQUENCE_END(X509_CINF)
+} ASN1_SEQUENCE_END_enc(X509_CINF, X509_CINF)
 
 IMPLEMENT_ASN1_FUNCTIONS(X509_CINF)
 /* X509 top level structure needs a bit of customisation */
index c72a23c..028616c 100644 (file)
@@ -125,7 +125,6 @@ static int nbiof_free(BIO *a)
        
 static int nbiof_read(BIO *b, char *out, int outl)
        {
-       NBIO_TEST *nt;
        int ret=0;
 #if 1
        int num;
@@ -134,7 +133,6 @@ static int nbiof_read(BIO *b, char *out, int outl)
 
        if (out == NULL) return(0);
        if (b->next_bio == NULL) return(0);
-       nt=(NBIO_TEST *)b->ptr;
 
        BIO_clear_retry_flags(b);
 #if 1
index 77f4de9..e12bc3a 100644 (file)
@@ -110,7 +110,7 @@ int BIO_set(BIO *bio, BIO_METHOD *method)
 
 int BIO_free(BIO *a)
        {
-       int ret=0,i;
+       int i;
 
        if (a == NULL) return(0);
 
@@ -133,7 +133,7 @@ int BIO_free(BIO *a)
        CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, a, &a->ex_data);
 
        if ((a->method == NULL) || (a->method->destroy == NULL)) return(1);
-       ret=a->method->destroy(a);
+       a->method->destroy(a);
        OPENSSL_free(a);
        return(1);
        }
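Review bot: The context line `if ((a->method == NULL) || (a->method->destroy == NULL)) return(1);` returns before `OPENSSL_free(a)`, so a BIO whose method has no destroy callback is never freed on this path. This change drops the unused `ret` but leaves that early return in place. Inverting the test keeps the free unconditional: `if ((a->method != NULL) && (a->method->destroy != NULL)) a->method->destroy(a);` followed by the existing `OPENSSL_free(a);`. BIO_free starts in the previous hunk, so the reference-count handling before this point is not visible here.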
index 826f761..5d49e1a 100644 (file)
@@ -340,7 +340,6 @@ static int acpt_write(BIO *b, const char *in, int inl)
 
 static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
        {
-       BIO *dbio;
        int *ip;
        long ret=1;
        BIO_ACCEPT *data;
@@ -437,8 +436,8 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr)
                ret=(long)data->bind_mode;
                break;
        case BIO_CTRL_DUP:
-               dbio=(BIO *)ptr;
-/*             if (data->param_port) EAY EAY
+/*             dbio=(BIO *)ptr;
+               if (data->param_port) EAY EAY
                        BIO_set_port(dbio,data->param_port);
                if (data->param_hostname)
                        BIO_set_hostname(dbio,data->param_hostname);
index b3f43ce..bd0c34b 100644 (file)
@@ -301,7 +301,8 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1,
                        r_is_one = 0;
                        }
                }
-       BN_from_montgomery(rr,r,mont,ctx);
+       if (!BN_from_montgomery(rr,r,mont,ctx))
+               goto err;
        ret=1;
 err:
        if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont);
index a0e9ec3..12e5be8 100644 (file)
@@ -551,7 +551,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
             int tna, int tnb, BN_ULONG *t)
        {
        int i,j,n2=n*2;
-       int c1,c2,neg,zero;
+       int c1,c2,neg;
        BN_ULONG ln,lo,*p;
 
 # ifdef BN_COUNT
@@ -567,7 +567,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
        /* r=(a[0]-a[1])*(b[1]-b[0]) */
        c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna);
        c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n);
-       zero=neg=0;
+       neg=0;
        switch (c1*3+c2)
                {
        case -4:
@@ -575,7 +575,6 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
                bn_sub_part_words(&(t[n]),b,      &(b[n]),tnb,n-tnb); /* - */
                break;
        case -3:
-               zero=1;
                /* break; */
        case -2:
                bn_sub_part_words(t,      &(a[n]),a,      tna,tna-n); /* - */
@@ -585,7 +584,6 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
        case -1:
        case 0:
        case 1:
-               zero=1;
                /* break; */
        case 2:
                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna); /* + */
@@ -593,7 +591,6 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n,
                neg=1;
                break;
        case 3:
-               zero=1;
                /* break; */
        case 4:
                bn_sub_part_words(t,      a,      &(a[n]),tna,n-tna);
@@ -1012,7 +1009,6 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
                {
                if (i >= -1 && i <= 1)
                        {
-                       int sav_j =0;
                        /* Find out the power of two lower or equal
                           to the longest of the two numbers */
                        if (i >= 0)
@@ -1023,7 +1019,6 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
                                {
                                j = BN_num_bits_word((BN_ULONG)bl);
                                }
-                       sav_j = j;
                        j = 1<<(j-1);
                        assert(j <= al || j <= bl);
                        k = j+j;
index 22617e5..0c1ee2b 100644 (file)
@@ -285,7 +285,7 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section)
        v->value=(char *)sk;
        
        vv=lh_CONF_VALUE_insert(conf->data,v);
-       assert(vv == NULL);
+       OPENSSL_assert(vv == NULL);
        ok=1;
 err:
        if (!ok)
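Review bot: `OPENSSL_assert(vv == NULL)` stays active in builds that define NDEBUG, so a violated invariant in _CONF_new_section now terminates the calling process instead of being compiled out. That is a reasonable choice if a non-NULL `vv` means an existing entry was displaced in `conf->data`, but for library code reached from configuration parsing the precondition should be written down. A comment such as `/* callers must have checked that the section does not already exist; a displaced entry cannot be recovered safely here */` would do, after confirming that every caller performs that lookup first. The function begins and ends outside this hunk.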
index 0b571b0..cf95132 100644 (file)
@@ -213,13 +213,12 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
        int bufnum=0,i,ii;
        BUF_MEM *buff=NULL;
        char *s,*p,*end;
-       int again,n;
+       int again;
        long eline=0;
        char btmp[DECIMAL_SIZE(eline)+1];
        CONF_VALUE *v=NULL,*tv;
        CONF_VALUE *sv=NULL;
        char *section=NULL,*buf;
-       STACK_OF(CONF_VALUE) *section_sk=NULL,*ts;
        char *start,*psection,*pname;
        void *h = (void *)(conf->data);
 
@@ -250,7 +249,6 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
                                        CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
                goto err;
                }
-       section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
 
        bufnum=0;
        again=0;
@@ -309,7 +307,6 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
                buf=buff->data;
 
                clear_comments(conf, buf);
-               n=strlen(buf);
                s=eat_ws(conf, buf);
                if (IS_EOF(conf,*s)) continue; /* blank line */
                if (*s == '[')
@@ -343,7 +340,6 @@ again:
                                        CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
                                goto err;
                                }
-                       section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
                        continue;
                        }
                else
@@ -406,13 +402,9 @@ again:
                                           CONF_R_UNABLE_TO_CREATE_NEW_SECTION);
                                        goto err;
                                        }
-                               ts=(STACK_OF(CONF_VALUE) *)tv->value;
                                }
                        else
-                               {
                                tv=sv;
-                               ts=section_sk;
-                               }
 #if 1
                        if (_CONF_add_string(conf, tv, v) == 0)
                                {
@@ -465,9 +457,6 @@ err:
 
 static void clear_comments(CONF *conf, char *p)
        {
-       char *to;
-
-       to=p;
        for (;;)
                {
                if (IS_FCOMMENT(conf,*p))
index 0fcd25f..cb0b453 100644 (file)
@@ -120,7 +120,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
        BIGNUM *r0,*W,*X,*c,*test;
        BIGNUM *g=NULL,*q=NULL,*p=NULL;
        BN_MONT_CTX *mont=NULL;
-       int i, k,n=0,b,m=0, qsize = qbits >> 3;
+       int i, k, n=0, m=0, qsize = qbits >> 3;
        int counter=0;
        int r=0;
        BN_CTX *ctx=NULL;
@@ -232,7 +232,6 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
                /* "offset = 2" */
 
                n=(bits-1)/160;
-               b=(bits-1)-n*160;
 
                for (;;)
                        {
index 4fead07..1fb665e 100644 (file)
@@ -185,7 +185,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
        if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */
        if (!BN_add(s, &xr, &m)) goto err;              /* s = m + xr */
        if (BN_cmp(s,dsa->q) > 0)
-               BN_sub(s,s,dsa->q);
+               if (!BN_sub(s,s,dsa->q)) goto err;
        if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err;
 
        ret=DSA_SIG_new();
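Review bot: The added `if (!BN_sub(s,s,dsa->q)) goto err;` sits unbraced inside the unbraced `if (BN_cmp(s,dsa->q) > 0)`, which leaves a dangling-else trap in the signing path for whoever edits it next. Bracing the outer test keeps the condition and its error check visibly paired: `if (BN_cmp(s,dsa->q) > 0) { if (!BN_sub(s,s,dsa->q)) goto err; }`. The same nested form is introduced for `BN_sub(ret, rsa->n, ret)` in the RSA_eay_public_decrypt hunk further down. dsa_do_sign starts and ends outside this hunk.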
index ab631a5..e12b9b2 100644 (file)
@@ -319,6 +319,7 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
        int ret = 0;
        size_t i;
        EC_POINT *p=NULL;
+       EC_POINT *acc = NULL;
 
        if (ctx == NULL)
                {
@@ -338,15 +339,16 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
                }
 
        if ((p = EC_POINT_new(group)) == NULL) goto err;
+       if ((acc = EC_POINT_new(group)) == NULL) goto err;
 
-       if (!EC_POINT_set_to_infinity(group, r)) goto err;
+       if (!EC_POINT_set_to_infinity(group, acc)) goto err;
 
        if (scalar)
                {
                if (!ec_GF2m_montgomery_point_multiply(group, p, scalar, group->generator, ctx)) goto err;
-               if (BN_is_negative(scalar)) 
+               if (BN_is_negative(scalar))
                        if (!group->meth->invert(group, p, ctx)) goto err;
-               if (!group->meth->add(group, r, r, p, ctx)) goto err;
+               if (!group->meth->add(group, acc, acc, p, ctx)) goto err;
                }
 
        for (i = 0; i < num; i++)
@@ -354,13 +356,16 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
                if (!ec_GF2m_montgomery_point_multiply(group, p, scalars[i], points[i], ctx)) goto err;
                if (BN_is_negative(scalars[i]))
                        if (!group->meth->invert(group, p, ctx)) goto err;
-               if (!group->meth->add(group, r, r, p, ctx)) goto err;
+               if (!group->meth->add(group, acc, acc, p, ctx)) goto err;
                }
 
+       if (!EC_POINT_copy(r, acc)) goto err;
+
        ret = 1;
 
   err:
        if (p) EC_POINT_free(p);
+       if (acc) EC_POINT_free(acc);
        if (new_ctx != NULL)
                BN_CTX_free(new_ctx);
        return ret;
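Review bot: Nothing in the new code says why the sum is now built in `acc` and written to `r` only at the end through `EC_POINT_copy(r, acc)`. Presumably `r` may be the same object as one of `points[i]`, in which case the old up-front `EC_POINT_set_to_infinity(group, r)` destroyed an input before it was read. A comment at the `acc` allocation, such as `/* accumulate in a temporary: r may alias an input point */`, would keep a later cleanup from undoing the change. ec_GF2m_simple_mul starts outside these hunks.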
index f05df53..19f2167 100644 (file)
@@ -169,11 +169,13 @@ static void ec_pre_comp_clear_free(void *pre_)
                EC_POINT **p;
 
                for (p = pre->points; *p != NULL; p++)
+                       {
                        EC_POINT_clear_free(*p);
-               OPENSSL_cleanse(pre->points, sizeof pre->points);
+                       OPENSSL_cleanse(p, sizeof *p);
+                       }
                OPENSSL_free(pre->points);
                }
-       OPENSSL_cleanse(pre, sizeof pre);
+       OPENSSL_cleanse(pre, sizeof *pre);
        OPENSSL_free(pre);
        }
 
index e89b1d4..4d8ea03 100644 (file)
@@ -96,7 +96,6 @@ const ECDH_METHOD *ECDH_get_default_method(void)
 
 int ECDH_set_method(EC_KEY *eckey, const ECDH_METHOD *meth)
        {
-       const ECDH_METHOD *mtmp;
        ECDH_DATA *ecdh;
 
        ecdh = ecdh_check(eckey);
@@ -104,8 +103,8 @@ int ECDH_set_method(EC_KEY *eckey, const ECDH_METHOD *meth)
        if (ecdh == NULL)
                return 0;
 
-        mtmp = ecdh->meth;
 #if 0
+        mtmp = ecdh->meth;
         if (mtmp->finish)
                mtmp->finish(eckey);
 #endif
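Review bot: Moving `mtmp = ecdh->meth;` inside the `#if 0` block leaves disabled code that refers to `mtmp`, whose declaration the previous hunk removes, so the block no longer compiles if it is ever re-enabled. Either delete the block outright or make it self-contained, for example `if (ecdh->meth->finish) ecdh->meth->finish(eckey);`. ECDH_set_method continues past the end of the hunk.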
index 85e8a3a..2ebae3a 100644 (file)
@@ -83,7 +83,6 @@ const ECDSA_METHOD *ECDSA_get_default_method(void)
 
 int ECDSA_set_method(EC_KEY *eckey, const ECDSA_METHOD *meth)
 {
-        const ECDSA_METHOD *mtmp;
        ECDSA_DATA *ecdsa;
 
        ecdsa = ecdsa_check(eckey);
@@ -91,7 +90,6 @@ int ECDSA_set_method(EC_KEY *eckey, const ECDSA_METHOD *meth)
        if (ecdsa == NULL)
                return 0;
 
-        mtmp = ecdsa->meth;
 #ifndef OPENSSL_NO_ENGINE
        if (ecdsa->engine)
        {
index b42c747..28546a8 100644 (file)
@@ -235,7 +235,7 @@ void EVP_DecodeInit(EVP_ENCODE_CTX *ctx)
 int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
             const unsigned char *in, int inl)
        {
-       int seof= -1,eof=0,rv= -1,ret=0,i,v,tmp,n,ln,tmp2,exp_nl;
+       int seof= -1,eof=0,rv= -1,ret=0,i,v,tmp,n,ln,exp_nl;
        unsigned char *d;
 
        n=ctx->num;
@@ -319,7 +319,6 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl,
                         * lines.  We process the line and then need to
                         * accept the '\n' */
                        if ((v != B64_EOF) && (n >= 64)) exp_nl=1;
-                       tmp2=v;
                        if (n > 0)
                                {
                                v=EVP_DecodeBlock(out,d,n);
index bead6a2..c268d25 100644 (file)
@@ -204,6 +204,7 @@ skip_to_init:
                        case EVP_CIPH_OFB_MODE:
 
                        ctx->num = 0;
+                       /* fall-through */
 
                        case EVP_CIPH_CBC_MODE:
 
index b2d8de3..5481d4b 100644 (file)
@@ -134,6 +134,8 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id)
                id = pkey->ameth->pkey_id;
                }
 #ifndef OPENSSL_NO_ENGINE
+       if (pkey && pkey->engine)
+               e = pkey->engine;
        /* Try to find an ENGINE which implements this method */
        if (e)
                {
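Review bot: The added `if (pkey && pkey->engine) e = pkey->engine;` silently replaces the caller's `e` argument, and nothing at this site records that this precedence is intended. A comment such as `/* a key bound to an ENGINE always uses that ENGINE, overriding the caller's e */` would document it. The function's description should say the same, since a caller that passed a specific engine gets a different one. int_ctx_new starts and ends outside the hunk.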
index 45015fe..6c98fc4 100644 (file)
@@ -138,12 +138,9 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len)
 
 int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len)
        {
-       int j;
        unsigned int i;
        unsigned char buf[EVP_MAX_MD_SIZE];
 
-       j=EVP_MD_block_size(ctx->md);
-
        if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i))
                goto err;
        if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx,&ctx->o_ctx))
index 1cb7839..bb73819 100644 (file)
                                asm (                   \
                                "roll %1,%0"            \
                                : "=r"(ret)             \
-                               : "I"(n), "0"(a)        \
+                               : "I"(n), "0"((unsigned int)(a))        \
                                : "cc");                \
                           ret;                         \
                        })
@@ -383,6 +383,7 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
        }
 
 #ifndef MD32_REG_T
+#if defined(__alpha) || defined(__sparcv9) || defined(__mips)
 #define MD32_REG_T long
 /*
  * This comment was originaly written for MD5, which is why it
@@ -400,9 +401,15 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c)
  * Well, to be honest it should say that this *prevents* 
  * performance degradation.
  *                             <appro@fy.chalmers.se>
- * Apparently there're LP64 compilers that generate better
- * code if A-D are declared int. Most notably GCC-x86_64
- * generates better code.
+ */
+#else
+/*
+ * Above is not absolute and there are LP64 compilers that
+ * generate better code if MD32_REG_T is defined int. The above
+ * pre-processor condition reflects the circumstances under which
+ * the conclusion was made and is subject to further extension.
  *                             <appro@fy.chalmers.se>
  */
+#define MD32_REG_T int
+#endif
 #endif
index 12bbfcf..af5fc16 100644 (file)
@@ -397,11 +397,12 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
 
 
                case OHS_ASN1_HEADER:
-               /* Now reading ASN1 header: can read at least 6 bytes which
-                * is more than enough for any valid ASN1 SEQUENCE header
+               /* Now reading ASN1 header: can read at least 2 bytes which
+                * is enough for ASN1 SEQUENCE header and either length field
+                * or at least the length of the length field.
                 */
                n = BIO_get_mem_data(rctx->mem, &p);
-               if (n < 6)
+               if (n < 2)
                        goto next_io;
 
                /* Check it is an ASN1 SEQUENCE */
@@ -414,6 +415,11 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx)
                /* Check out length field */
                if (*p & 0x80)
                        {
+                       /* If MSB set on initial length octet we can now
+                        * always read 6 octets: make sure we have them.
+                        */
+                       if (n < 6)
+                               goto next_io;
                        n = *p & 0x7F;
                        /* Not NDEF or excessive length */
                        if (!n || (n > 4))
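Review bot: `n` carries two meanings within a few lines of this case: the added `if (n < 6)` reads it as the number of buffered bytes returned by `BIO_get_mem_data`, and the very next statement overwrites it with the length-of-length `*p & 0x7F`. Since this parses a header supplied by the peer, a separate local for the second use (for example `lenlen = *p & 0x7F;`, declared with the other locals outside the hunk) would make the bounds reasoning easier to audit. The fixed `6` could then be expressed in terms of that value instead of relying on the comment. The function body continues outside the hunk.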
index 1695c9c..87608ff 100644 (file)
@@ -182,7 +182,6 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
         {
        int i, ret = 0;
        long l;
-       unsigned char *p;
        OCSP_CERTID *cid = NULL;
        OCSP_BASICRESP *br = NULL;
        OCSP_RESPID *rid = NULL;
@@ -207,7 +206,6 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
                return 1;
                }
 
-       p = ASN1_STRING_data(rb->response);
        i = ASN1_STRING_length(rb->response);
        if (!(br = OCSP_response_get1_basic(o))) goto err;
        rd = br->tbsResponseData;
index 2fb110f..6c66aee 100644 (file)
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER 0x1000001fL
+#define OPENSSL_VERSION_NUMBER 0x1000002f
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.0a-fips 1 Jun 2010"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.0b-fips 16 Nov 2010"
 #else
-#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.0a 1 Jun 2010"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 1.0.0b 16 Nov 2010"
 #endif
 #define OPENSSL_VERSION_PTEXT  " part of " OPENSSL_VERSION_TEXT
 
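Review bot: The new `OPENSSL_VERSION_NUMBER` value `0x1000002f` drops the `L` suffix that the old value `0x1000001fL` carried, so the constant's type changes from `long` to `int`. Comparisons are unaffected, but code that passes the macro to a variadic function with a `long` conversion would now have a type mismatch. `#define OPENSSL_VERSION_NUMBER 0x1000002fL` keeps the type stable across releases.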
index 42e4861..cfc89a9 100644 (file)
@@ -482,7 +482,6 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
 
 int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
        {
-       int o;
        const EVP_CIPHER *enc=NULL;
        char *p,c;
        char **header_pp = &header;
@@ -522,7 +521,6 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
                header++;
                }
        *header='\0';
-       o=OBJ_sn2nid(p);
        cipher->cipher=enc=EVP_get_cipherbyname(p);
        *header=c;
        header++;
index d998a67..5f130c4 100644 (file)
@@ -662,7 +662,7 @@ static int do_PVK_header(const unsigned char **in, unsigned int length,
                
        {
        const unsigned char *p = *in;
-       unsigned int pvk_magic, keytype, is_encrypted;
+       unsigned int pvk_magic, is_encrypted;
        if (skip_magic)
                {
                if (length < 20)
@@ -689,7 +689,7 @@ static int do_PVK_header(const unsigned char **in, unsigned int length,
                }
        /* Skip reserved */
        p += 4;
-       keytype = read_ledword(&p);
+       /*keytype = */read_ledword(&p);
        is_encrypted = read_ledword(&p);
        *psaltlen = read_ledword(&p);
        *pkeylen = read_ledword(&p);
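Review bot: `/*keytype = */read_ledword(&p);` leaves a commented-out assignment in the PVK header parser, which reads as leftover code rather than a deliberate skip of a field. Writing it as `(void)read_ledword(&p); /* keytype: read and ignored */` states the intent and matches the `/* Skip reserved */` comment just above. If the key type in the input is meant to be unchecked, that is also worth saying in the comment, since this header comes from the file being parsed. do_PVK_header continues outside the hunk.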
@@ -839,7 +839,7 @@ EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u)
 static int i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel,
                pem_password_cb *cb, void *u)
        {
-       int outlen = 24, noinc, pklen;
+       int outlen = 24, pklen;
        unsigned char *p, *salt = NULL;
        if (enclevel)
                outlen += PVK_SALTLEN;
@@ -850,10 +850,7 @@ static int i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel,
        if (!out)
                return outlen;
        if (*out)
-               {
                p = *out;
-               noinc = 0;
-               }
        else
                {
                p = OPENSSL_malloc(outlen);
@@ -863,7 +860,6 @@ static int i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel,
                        return -1;
                        }
                *out = p;
-               noinc = 1;
                }
 
        write_ledword(&p, MS_PVKMAGIC);
index a29794b..424203f 100644 (file)
@@ -107,6 +107,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
        unsigned char *B, *D, *I, *p, *Ai;
        int Slen, Plen, Ilen, Ijlen;
        int i, j, u, v;
+       int ret = 0;
        BIGNUM *Ij, *Bpl1;      /* These hold Ij and B + 1 */
        EVP_MD_CTX ctx;
 #ifdef  DEBUG_KEYGEN
@@ -144,10 +145,8 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
        I = OPENSSL_malloc (Ilen);
        Ij = BN_new();
        Bpl1 = BN_new();
-       if (!D || !Ai || !B || !I || !Ij || !Bpl1) {
-               PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE);
-               return 0;
-       }
+       if (!D || !Ai || !B || !I || !Ij || !Bpl1)
+               goto err;
        for (i = 0; i < v; i++) D[i] = id;
        p = I;
        for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen];
@@ -164,28 +163,22 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
                }
                memcpy (out, Ai, min (n, u));
                if (u >= n) {
-                       OPENSSL_free (Ai);
-                       OPENSSL_free (B);
-                       OPENSSL_free (D);
-                       OPENSSL_free (I);
-                       BN_free (Ij);
-                       BN_free (Bpl1);
-                       EVP_MD_CTX_cleanup(&ctx);
 #ifdef DEBUG_KEYGEN
                        fprintf(stderr, "Output KEY (length %d)\n", tmpn);
                        h__dump(tmpout, tmpn);
 #endif
-                       return 1;       
+                       ret = 1;
+                       goto end;
                }
                n -= u;
                out += u;
                for (j = 0; j < v; j++) B[j] = Ai[j % u];
                /* Work out B + 1 first then can use B as tmp space */
-               BN_bin2bn (B, v, Bpl1);
-               BN_add_word (Bpl1, 1);
+               if (!BN_bin2bn (B, v, Bpl1)) goto err;
+               if (!BN_add_word (Bpl1, 1)) goto err;
                for (j = 0; j < Ilen ; j+=v) {
-                       BN_bin2bn (I + j, v, Ij);
-                       BN_add (Ij, Ij, Bpl1);
+                       if (!BN_bin2bn (I + j, v, Ij)) goto err;
+                       if (!BN_add (Ij, Ij, Bpl1)) goto err;
                        BN_bn2bin (Ij, B);
                        Ijlen = BN_num_bytes (Ij);
                        /* If more than 2^(v*8) - 1 cut off MSB */
@@ -201,6 +194,19 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
                        } else BN_bn2bin (Ij, I + j);
                }
        }
+
+err:
+       PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE);
+
+end:
+       OPENSSL_free (Ai);
+       OPENSSL_free (B);
+       OPENSSL_free (D);
+       OPENSSL_free (I);
+       BN_free (Ij);
+       BN_free (Bpl1);
+       EVP_MD_CTX_cleanup(&ctx);
+       return ret;
 }
 #ifdef DEBUG_KEYGEN
 void h__dump (unsigned char *p, int len)
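Review bot: The new shared `end:` block releases `Ai`, `B`, `D` and `I` with plain `OPENSSL_free`, although `Ai` holds the bytes that `memcpy (out, Ai, min (n, u))` copies into the derived key and `I` is built from the salt and, presumably, the password. Wiping them first keeps key-derivation intermediates out of freed heap memory, e.g. `if (I) OPENSSL_cleanse(I, Ilen);` and `if (Ai) OPENSSL_cleanse(Ai, u);`. The sizes should be confirmed against the allocation lines, which are only partly visible here, and the NULL guards are needed because `err:` is reached when an allocation failed. The function's opening lies outside these hunks.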
index 451de84..3bf1a36 100644 (file)
@@ -422,7 +422,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
        X509_ALGOR *enc_alg=NULL;
        STACK_OF(X509_ALGOR) *md_sk=NULL;
        STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL;
-       X509_ALGOR *xalg=NULL;
        PKCS7_RECIP_INFO *ri=NULL;
 
        i=OBJ_obj2nid(p7->type);
@@ -445,7 +444,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                        PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
                        goto err;
                        }
-               xalg=p7->d.signed_and_enveloped->enc_data->algorithm;
                break;
        case NID_pkcs7_enveloped:
                rsk=p7->d.enveloped->recipientinfo;
@@ -457,7 +455,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
                        PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE);
                        goto err;
                        }
-               xalg=p7->d.enveloped->enc_data->algorithm;
                break;
        default:
                PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE);
index 3ca0952..d411269 100644 (file)
@@ -591,7 +591,6 @@ X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
        {
        int i;
-       ASN1_OBJECT *objtmp;
        PKCS7_ENC_CONTENT *ec;
 
        i=OBJ_obj2nid(p7->type);
@@ -614,7 +613,6 @@ int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher)
                PKCS7err(PKCS7_F_PKCS7_SET_CIPHER,PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER);
                return(0);
        }
-       objtmp = OBJ_nid2obj(i);
 
        ec->cipher = cipher;
        return 1;
index 99a6fb8..eab13a1 100644 (file)
@@ -167,14 +167,13 @@ pqueue_pop(pqueue_s *pq)
 pitem *
 pqueue_find(pqueue_s *pq, unsigned char *prio64be)
        {
-       pitem *next, *prev = NULL;
+       pitem *next;
        pitem *found = NULL;
 
        if ( pq->items == NULL)
                return NULL;
 
-       for ( next = pq->items; next->next != NULL; 
-                 prev = next, next = next->next)
+       for ( next = pq->items; next->next != NULL; next = next->next)
                {
                if ( memcmp(next->priority, prio64be,8) == 0)
                        {
index 88088ce..b2f04ff 100644 (file)
@@ -476,11 +476,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num)
                MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
 
 #ifndef PURIFY /* purify complains */
-               /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */
+               /* The following line uses the supplied buffer as a small
+                * source of entropy: since this buffer is often uninitialised
+                * it may cause programs such as purify or valgrind to
+                * complain. So for those builds it is not used: the removal
+                * of such a small source of entropy has negligible impact on
+                * security.
+                */
                MD_Update(&m,buf,j);
-               /* We know that line may cause programs such as
-                  purify and valgrind to complain about use of
-                  uninitialized data.  */
 #endif
 
                k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
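Review bot: The rewritten comment concedes that `MD_Update(&m,buf,j)` hashes a caller buffer that is "often uninitialised" and that removing it has negligible impact, yet the call stays, guarded only by `#ifndef PURIFY`. That leaves the generator behaving differently in analysis builds and production builds, and keeps production output dependent on indeterminate memory. Given the comment's own assessment, dropping the call and the `#ifndef PURIFY` guard would make both builds identical and remove the analyzer noise. ssleay_rand_bytes starts and ends outside the hunk.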
index f177ffb..8d5b8d2 100644 (file)
@@ -160,8 +160,8 @@ int RAND_poll(void)
          rdtsc
          mov tsc, eax        
       }
-#else
-      asm volatile("rdtsc":"=A" (tsc));
+#elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
+      asm volatile("rdtsc":"=a"(tsc)::"edx");
 #endif
 
       RAND_add(&tsc, sizeof(tsc), 1);
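Review bot: With the old `#else` narrowed to `#elif defined(__GNUC__) ...`, a build that matches neither branch reaches `RAND_add(&tsc, sizeof(tsc), 1)` without anything in this hunk having written `tsc`, and still credits it with entropy. Unless `tsc` is initialised at its declaration (outside the hunk), add a fallback such as `#else` followed by `tsc = 0;` and do not credit entropy for it, or move the `RAND_add` call inside the conditional. The `"=a"(tsc)` constraint also keeps only the low half of the counter and discards EDX, which is worth a comment so it is not mistaken for a bug.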
index 4ed40b7..678b0fe 100644 (file)
@@ -269,7 +269,6 @@ err:
 const char *RAND_file_name(char *buf, size_t size)
        {
        char *s=NULL;
-       int ok = 0;
 #ifdef __OpenBSD__
        struct stat sb;
 #endif
@@ -298,7 +297,6 @@ const char *RAND_file_name(char *buf, size_t size)
                        BUF_strlcat(buf,"/",size);
 #endif
                        BUF_strlcat(buf,RFILE,size);
-                       ok = 1;
                        }
                else
                        buf[0] = '\0'; /* no file name */
index c5eaeea..7c94188 100644 (file)
@@ -675,7 +675,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
                rsa->_method_mod_n)) goto err;
 
        if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12))
-               BN_sub(ret, rsa->n, ret);
+               if (!BN_sub(ret, rsa->n, ret)) goto err;
 
        p=buf;
        i=BN_bn2bin(ret,p);
index 891cb84..da59178 100644 (file)
@@ -2030,6 +2030,31 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
 #define sk_void_sort(st) SKM_sk_sort(void, (st))
 #define sk_void_is_sorted(st) SKM_sk_is_sorted(void, (st))
 
+#define sk_OPENSSL_STRING_new(cmp) ((STACK_OF(OPENSSL_STRING) *)sk_new(CHECKED_SK_CMP_FUNC(char, cmp)))
+#define sk_OPENSSL_STRING_new_null() ((STACK_OF(OPENSSL_STRING) *)sk_new_null())
+#define sk_OPENSSL_STRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_value(st, i) ((OPENSSL_STRING)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i))
+#define sk_OPENSSL_STRING_num(st) SKM_sk_num(OPENSSL_STRING, st)
+#define sk_OPENSSL_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_FREE_FUNC2(OPENSSL_STRING, free_func))
+#define sk_OPENSSL_STRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val), i)
+#define sk_OPENSSL_STRING_free(st) SKM_sk_free(OPENSSL_STRING, st)
+#define sk_OPENSSL_STRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i, CHECKED_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_zero(st) SKM_sk_zero(OPENSSL_STRING, (st))
+#define sk_OPENSSL_STRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_CONST_PTR_OF(char, val))
+#define sk_OPENSSL_STRING_delete(st, i) SKM_sk_delete(OPENSSL_STRING, (st), (i))
+#define sk_OPENSSL_STRING_delete_ptr(st, ptr) (OPENSSL_STRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, ptr))
+#define sk_OPENSSL_STRING_set_cmp_func(st, cmp)  \
+       ((int (*)(const char * const *,const char * const *)) \
+       sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_CMP_FUNC(char, cmp)))
+#define sk_OPENSSL_STRING_dup(st) SKM_sk_dup(OPENSSL_STRING, st)
+#define sk_OPENSSL_STRING_shift(st) SKM_sk_shift(OPENSSL_STRING, (st))
+#define sk_OPENSSL_STRING_pop(st) (char *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st))
+#define sk_OPENSSL_STRING_sort(st) SKM_sk_sort(OPENSSL_STRING, (st))
+#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st))
+
+
 #define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp)))
 #define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null())
 #define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val))
@@ -2080,31 +2105,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void)
 #define sk_OPENSSL_PSTRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_PSTRING, (st))
 
 
-#define sk_OPENSSL_STRING_new(cmp) ((STACK_OF(OPENSSL_STRING) *)sk_new(CHECKED_SK_CMP_FUNC(char, cmp)))
-#define sk_OPENSSL_STRING_new_null() ((STACK_OF(OPENSSL_STRING) *)sk_new_null())
-#define sk_OPENSSL_STRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_value(st, i) ((OPENSSL_STRING)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i))
-#define sk_OPENSSL_STRING_num(st) SKM_sk_num(OPENSSL_STRING, st)
-#define sk_OPENSSL_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_FREE_FUNC2(OPENSSL_STRING, free_func))
-#define sk_OPENSSL_STRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val), i)
-#define sk_OPENSSL_STRING_free(st) SKM_sk_free(OPENSSL_STRING, st)
-#define sk_OPENSSL_STRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i, CHECKED_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_zero(st) SKM_sk_zero(OPENSSL_STRING, (st))
-#define sk_OPENSSL_STRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_CONST_PTR_OF(char, val))
-#define sk_OPENSSL_STRING_delete(st, i) SKM_sk_delete(OPENSSL_STRING, (st), (i))
-#define sk_OPENSSL_STRING_delete_ptr(st, ptr) (OPENSSL_STRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, ptr))
-#define sk_OPENSSL_STRING_set_cmp_func(st, cmp)  \
-       ((int (*)(const char * const *,const char * const *)) \
-       sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_CMP_FUNC(char, cmp)))
-#define sk_OPENSSL_STRING_dup(st) SKM_sk_dup(OPENSSL_STRING, st)
-#define sk_OPENSSL_STRING_shift(st) SKM_sk_shift(OPENSSL_STRING, (st))
-#define sk_OPENSSL_STRING_pop(st) (char *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st))
-#define sk_OPENSSL_STRING_sort(st) SKM_sk_sort(OPENSSL_STRING, (st))
-#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st))
-
-
 #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \
        SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) 
 #define i2d_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, i2d_func, ex_tag, ex_class, is_set) \
index 604f4fb..e6f8a40 100644 (file)
@@ -258,6 +258,7 @@ typedef struct x509_cinf_st
        ASN1_BIT_STRING *issuerUID;             /* [ 1 ] optional in v2 */
        ASN1_BIT_STRING *subjectUID;            /* [ 2 ] optional in v2 */
        STACK_OF(X509_EXTENSION) *extensions;   /* [ 3 ] optional in v3 */
+       ASN1_ENCODING enc;
        } X509_CINF;
 
 /* This stuff is certificate "auxiliary info"
index 87ebf62..bd6695d 100644 (file)
@@ -2034,7 +2034,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
        if (store)
                ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param);
        else
-               ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
+               ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE;
 
        if (store)
                {
index ebae30b..8ec88c2 100644 (file)
@@ -90,6 +90,7 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r)
 
 int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)
        {
+       x->cert_info->enc.modified = 1;
        return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature,
                x->sig_alg, x->signature, x->cert_info,pkey,md));
        }
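Review bot: The added `x->cert_info->enc.modified = 1;` has no comment, and its purpose cannot be read from X509_sign alone. Presumably it marks the saved encoding in the new `ASN1_ENCODING enc` field of `X509_CINF` as stale, so the signature is computed over a fresh encoding of the current fields. A comment such as `/* cert_info may have changed: force re-encoding before signing */` would say so. Any other path that alters `cert_info` and then relies on the saved encoding would need the same flag, which is worth checking because only X509_sign sets it in the visible part of this commit.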
index 92f6b24..bb97773 100644 (file)
@@ -341,9 +341,8 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr,
                                const X509_POLICY_CACHE *cache)
        {
        int i;
-       X509_POLICY_LEVEL *last;
        X509_POLICY_DATA *data;
-       last = curr - 1;
+
        for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++)
                {
                data = sk_X509_POLICY_DATA_value(cache->data, i);
index 689df46..a01dc64 100644 (file)
@@ -189,7 +189,6 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method,
                        print_nc_ipadd(bp, tree->base->d.ip);
                else
                        GENERAL_NAME_print(bp, tree->base);
-               tree = sk_GENERAL_SUBTREE_value(trees, i);
                BIO_puts(bp, "\n");
                }
        return 1;
index 42c0733..e4e89af 100644 (file)
@@ -343,7 +343,7 @@ Create a cleartext signed message:
  openssl smime -sign -in message.txt -text -out mail.msg \
        -signer mycert.pem
 
-Create an opaque signed message
+Create an opaque signed message:
 
  openssl smime -sign -in message.txt -text -out mail.msg -nodetach \
        -signer mycert.pem
@@ -397,11 +397,11 @@ it with:
  -----BEGIN PKCS7-----
  -----END PKCS7-----
 
-and using the command, 
+and using the command: 
 
  openssl smime -verify -inform PEM -in signature.pem -content content.txt
 
-alternatively you can base64 decode the signature and use
+Alternatively you can base64 decode the signature and use:
 
  openssl smime -verify -inform DER -in signature.der -content content.txt
 
@@ -427,7 +427,7 @@ Ideally a database should be maintained of a certificates for each email
 address.
 
 The code doesn't currently take note of the permitted symmetric encryption
-algorithms as supplied in the SMIMECapabilities signed attribute. this means the
+algorithms as supplied in the SMIMECapabilities signed attribute. This means the
 user has to manually include the correct encryption algorithm. It should store
 the list of permitted ciphers in a database and only use those.
 
index f620a21..e6c2839 100644 (file)
@@ -39,7 +39,7 @@ static ASN1_STRING  *encode_gost_algor_params(const EVP_PKEY *key)
        ASN1_STRING *params = ASN1_STRING_new();
        GOST_KEY_PARAMS *gkp = GOST_KEY_PARAMS_new();
        int pkey_param_nid = NID_undef;
-       int cipher_param_nid = NID_undef;
+
        if (!params || !gkp) 
                {
                GOSTerr(GOST_F_ENCODE_GOST_ALGOR_PARAMS,
@@ -52,7 +52,6 @@ static ASN1_STRING  *encode_gost_algor_params(const EVP_PKEY *key)
                {
                case NID_id_GostR3410_2001:
                        pkey_param_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(EVP_PKEY_get0((EVP_PKEY *)key)));
-                       cipher_param_nid = get_encryption_params(NULL)->nid;
                        break;
                case NID_id_GostR3410_94:
                        pkey_param_nid = (int) gost94_nid_by_params(EVP_PKEY_get0((EVP_PKEY *)key));
@@ -64,7 +63,6 @@ static ASN1_STRING  *encode_gost_algor_params(const EVP_PKEY *key)
                                params=NULL;
                                goto err;
                                }       
-                       cipher_param_nid = get_encryption_params(NULL)->nid;
                        break;
                }       
        gkp->key_params = OBJ_nid2obj(pkey_param_nid);
index 9c2729c..fdc2100 100644 (file)
@@ -1077,11 +1077,11 @@ static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
 static int hwcrhk_rsa_finish(RSA *rsa)
        {
        HWCryptoHook_RSAKeyHandle *hptr;
-       int ret;
+
        hptr = RSA_get_ex_data(rsa, hndidx_rsa);
        if (hptr)
                 {
-                ret = p_hwcrhk_RSAUnloadKey(*hptr, NULL);
+                p_hwcrhk_RSAUnloadKey(*hptr, NULL);
                 OPENSSL_free(hptr);
                RSA_set_ex_data(rsa, hndidx_rsa, NULL);
                 }
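Review bot: The result of `p_hwcrhk_RSAUnloadKey(*hptr, NULL)` is now dropped with nothing to show that this is deliberate, so a failed unload of the hardware key handle goes unnoticed while the handle memory is freed anyway. If ignoring the failure during teardown is intended, make that explicit: `(void)p_hwcrhk_RSAUnloadKey(*hptr, NULL); /* best effort: handle storage is released regardless */`. The rest of hwcrhk_rsa_finish lies outside the hunk, so it is not visible whether its return value could report the failure instead.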
index bc65179..2e64ff3 100644 (file)
@@ -811,7 +811,6 @@ static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa)
        SW_PARAM sw_param;
        SW_STATUS sw_status;
        SW_LARGENUMBER arg, res;
-       unsigned char *ptr;
        BN_CTX *ctx;
        BIGNUM *dsa_p = NULL;
        BIGNUM *dsa_q = NULL;
@@ -899,7 +898,6 @@ static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa)
                goto err;
                }
        /* Convert the response */
-       ptr = (unsigned char *)result->d;
        if((to_return = DSA_SIG_new()) == NULL)
                goto err;
        to_return->r = BN_bin2bn((unsigned char *)result->d, 20, NULL);
index 9b747b9..aa5709b 100644 (file)
@@ -630,10 +630,8 @@ static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
                        const BIGNUM *dq, const BIGNUM *qinv, BN_CTX *ctx)
        {
        int     y_len,
-               m_len,
                fd;
 
-       m_len = BN_num_bytes(p) + BN_num_bytes(q) + 1;
        y_len = BN_num_bits(p) + BN_num_bits(q);
 
        /* Check if hardware can't handle this argument. */
index a5439d5..1fd58bf 100644 (file)
@@ -296,9 +296,6 @@ dtls1_process_buffered_records(SSL *s)
     item = pqueue_peek(s->d1->unprocessed_rcds.q);
     if (item)
         {
-        DTLS1_RECORD_DATA *rdata;
-        rdata = (DTLS1_RECORD_DATA *)item->data;
-        
         /* Check if epoch is current. */
         if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch)
             return(1);  /* Nothing to do. */
@@ -528,14 +525,12 @@ int dtls1_get_record(SSL *s)
        int ssl_major,ssl_minor;
        int i,n;
        SSL3_RECORD *rr;
-       SSL_SESSION *sess;
        unsigned char *p = NULL;
        unsigned short version;
        DTLS1_BITMAP *bitmap;
        unsigned int is_next_epoch;
 
        rr= &(s->s3->rrec);
-       sess=s->session;
 
        /* The epoch may have changed.  If so, process all the
         * pending records.  This is a non-blocking operation. */
index e3fce53..3bf7283 100644 (file)
@@ -92,15 +92,8 @@ const SSL_CIPHER *ssl23_get_cipher(unsigned int u)
  * available */
 const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p)
        {
-       SSL_CIPHER c;
        const SSL_CIPHER *cp;
-       unsigned long id;
-       int n;
 
-       n=ssl3_num_ciphers();
-       id=0x03000000|((unsigned long)p[0]<<16L)|
-               ((unsigned long)p[1]<<8L)|(unsigned long)p[2];
-       c.id=id;
        cp=ssl3_get_cipher_by_char(p);
 #ifndef OPENSSL_NO_SSL2
        if (cp == NULL)
index 1434e73..9471676 100644 (file)
@@ -697,7 +697,6 @@ static int server_hello(SSL *s)
        {
        unsigned char *p,*d;
        int n,hit;
-       STACK_OF(SSL_CIPHER) *sk;
 
        p=(unsigned char *)s->init_buf->data;
        if (s->state == SSL2_ST_SEND_SERVER_HELLO_A)
@@ -778,7 +777,6 @@ static int server_hello(SSL *s)
                        
                        /* lets send out the ciphers we like in the
                         * prefered order */
-                       sk= s->session->ciphers;
                        n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d,0);
                        d+=n;
                        s2n(n,p);               /* add cipher length */
index 41769fe..6eab135 100644 (file)
@@ -1508,6 +1508,7 @@ int ssl3_get_key_exchange(SSL *s)
                s->session->sess_cert->peer_ecdh_tmp=ecdh;
                ecdh=NULL;
                BN_CTX_free(bn_ctx);
+               bn_ctx = NULL;
                EC_POINT_free(srvr_ecpoint);
                srvr_ecpoint = NULL;
                }
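Review bot: The added `bn_ctx = NULL;` has no comment, and the reason for it is only visible outside the hunk. Presumably the function's shared error path frees `bn_ctx` again, which would be a double free once it has been released here; this looks like the CVE-2010-2939 fix named in the commit description. A short comment would keep a later cleanup from deleting the line as redundant, e.g. `/* already freed: clear so the error path cannot free it twice */`. The same free-then-clear pairing is used for `srvr_ecpoint` on the following lines, and the enclosing function starts and ends outside this hunk.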
index 3d7aec9..58386e1 100644 (file)
@@ -214,7 +214,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
 
 int ssl3_change_cipher_state(SSL *s, int which)
        {
-       unsigned char *p,*key_block,*mac_secret;
+       unsigned char *p,*mac_secret;
        unsigned char exp_key[EVP_MAX_KEY_LENGTH];
        unsigned char exp_iv[EVP_MAX_IV_LENGTH];
        unsigned char *ms,*key,*iv,*er1,*er2;
@@ -239,7 +239,6 @@ int ssl3_change_cipher_state(SSL *s, int which)
        else
                comp=s->s3->tmp.new_compression->method;
 #endif
-       key_block=s->s3->tmp.key_block;
 
        if (which & SSL3_CC_READ)
                {
index 92f73b6..d0921c5 100644 (file)
@@ -2579,12 +2579,19 @@ int ssl3_get_client_key_exchange(SSL *s)
                        {
                        int ret = 0;
                        EVP_PKEY_CTX *pkey_ctx;
-                       EVP_PKEY *client_pub_pkey = NULL;
+                       EVP_PKEY *client_pub_pkey = NULL, *pk = NULL;
                        unsigned char premaster_secret[32], *start;
-                       size_t outlen=32, inlen;                        
+                       size_t outlen=32, inlen;
+                       unsigned long alg_a;
 
                        /* Get our certificate private key*/
-                       pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL);     
+                       alg_a = s->s3->tmp.new_cipher->algorithm_auth;
+                       if (alg_a & SSL_aGOST94)
+                               pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey;
+                       else if (alg_a & SSL_aGOST01)
+                               pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey;
+
+                       pkey_ctx = EVP_PKEY_CTX_new(pk,NULL);
                        EVP_PKEY_decrypt_init(pkey_ctx);
                        /* If client certificate is present and is of the same type, maybe
                         * use it for key exchange.  Don't mind errors from
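Review bot: `pk` stays NULL when the negotiated cipher's `algorithm_auth` has neither `SSL_aGOST94` nor `SSL_aGOST01` set, or when the selected `pkeys[]` slot holds no private key. The visible lines check neither that nor the results of `EVP_PKEY_CTX_new()` and `EVP_PKEY_decrypt_init()`. Because this code processes a client-supplied key exchange message, the failure should be explicit rather than left to later calls on a NULL context: `if (pk == NULL || (pkey_ctx = EVP_PKEY_CTX_new(pk,NULL)) == NULL || EVP_PKEY_decrypt_init(pkey_ctx) <= 0)`, followed by the function's usual error exit and a free of `pkey_ctx` where it was allocated. The block continues past the end of the hunk, so the error label and any later checks are not visible here.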
index 2870997..d7f4c60 100644 (file)
@@ -357,7 +357,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
                             long length)
        {
-       int version,ssl_version=0,i;
+       int ssl_version=0,i;
        long id;
        ASN1_INTEGER ai,*aip;
        ASN1_OCTET_STRING os,*osp;
@@ -371,7 +371,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 
        ai.data=NULL; ai.length=0;
        M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER);
-       version=(int)ASN1_INTEGER_get(aip);
        if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; }
 
        /* we don't care about the version right now :-) */
index bee3507..a8ce186 100644 (file)
@@ -1027,7 +1027,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                 const SSL_CIPHER **ca_list)
        {
        unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength;
-       const char *l, *start, *buf;
+       const char *l, *buf;
        int j, multi, found, rule, retval, ok, buflen;
        unsigned long cipher_id = 0;
        char ch;
@@ -1064,7 +1064,6 @@ static int ssl_cipher_process_rulestr(const char *rule_str,
                alg_ssl = 0;
                algo_strength = 0;
 
-               start=l;
                for (;;)
                        {
                        ch = *l;
@@ -1456,7 +1455,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        int is_export,pkl,kl;
        const char *ver,*exp_str;
        const char *kx,*au,*enc,*mac;
-       unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2,alg_s;
+       unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2;
 #ifdef KSSL_DEBUG
        static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n";
 #else
@@ -1469,7 +1468,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len)
        alg_mac = cipher->algorithm_mac;
        alg_ssl = cipher->algorithm_ssl;
 
-       alg_s=cipher->algo_strength;
        alg2=cipher->algorithm2;
 
        is_export=SSL_C_IS_EXPORT(cipher);
index 3157f20..912592b 100644 (file)
@@ -2110,23 +2110,12 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs)
 /* THIS NEEDS CLEANING UP */
 X509 *ssl_get_server_send_cert(SSL *s)
        {
-       unsigned long alg_k,alg_a,mask_k,mask_a;
+       unsigned long alg_k,alg_a;
        CERT *c;
-       int i,is_export;
+       int i;
 
        c=s->cert;
        ssl_set_cert_masks(c, s->s3->tmp.new_cipher);
-       is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
-       if (is_export)
-               {
-               mask_k = c->export_mask_k;
-               mask_a = c->export_mask_a;
-               }
-       else
-               {
-               mask_k = c->mask_k;
-               mask_a = c->mask_a;
-               }
        
        alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
        alg_a = s->s3->tmp.new_cipher->algorithm_auth;
index 9719541..793ea43 100644 (file)
@@ -157,7 +157,7 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
                        const void *seed5, int seed5_len,
                        unsigned char *out, int olen)
        {
-       int chunk,n;
+       int chunk;
        unsigned int j;
        HMAC_CTX ctx;
        HMAC_CTX ctx_tmp;
@@ -187,7 +187,6 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
        if (!HMAC_Final(&ctx,A1,&A1_len))
                goto err;
 
-       n=0;
        for (;;)
                {
                if (!HMAC_Init_ex(&ctx,NULL,0,NULL,NULL)) /* re-init */
@@ -309,13 +308,13 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km,
 int tls1_change_cipher_state(SSL *s, int which)
        {
        static const unsigned char empty[]="";
-       unsigned char *p,*key_block,*mac_secret;
+       unsigned char *p,*mac_secret;
        unsigned char *exp_label;
        unsigned char tmp1[EVP_MAX_KEY_LENGTH];
        unsigned char tmp2[EVP_MAX_KEY_LENGTH];
        unsigned char iv1[EVP_MAX_IV_LENGTH*2];
        unsigned char iv2[EVP_MAX_IV_LENGTH*2];
-       unsigned char *ms,*key,*iv,*er1,*er2;
+       unsigned char *ms,*key,*iv;
        int client_write;
        EVP_CIPHER_CTX *dd;
        const EVP_CIPHER *c;
@@ -337,7 +336,6 @@ int tls1_change_cipher_state(SSL *s, int which)
 #ifndef OPENSSL_NO_COMP
        comp=s->s3->tmp.new_compression;
 #endif
-       key_block=s->s3->tmp.key_block;
 
 #ifdef KSSL_DEBUG
        printf("tls1_change_cipher_state(which= %d) w/\n", which);
@@ -448,8 +446,6 @@ int tls1_change_cipher_state(SSL *s, int which)
                       cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
        /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
        k=EVP_CIPHER_iv_length(c);
-       er1= &(s->s3->client_random[0]);
-       er2= &(s->s3->server_random[0]);
        if (    (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
                (which == SSL3_CHANGE_CIPHER_SERVER_READ))
                {
@@ -880,7 +876,7 @@ int tls1_final_finish_mac(SSL *s,
 int tls1_mac(SSL *ssl, unsigned char *md, int send)
        {
        SSL3_RECORD *rec;
-       unsigned char *mac_sec,*seq;
+       unsigned char *seq;
        EVP_MD_CTX *hash;
        size_t md_size;
        int i;
@@ -892,14 +888,12 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
        if (send)
                {
                rec= &(ssl->s3->wrec);
-               mac_sec= &(ssl->s3->write_mac_secret[0]);
                seq= &(ssl->s3->write_sequence[0]);
                hash=ssl->write_hash;
                }
        else
                {
                rec= &(ssl->s3->rrec);
-               mac_sec= &(ssl->s3->read_mac_secret[0]);
                seq= &(ssl->s3->read_sequence[0]);
                hash=ssl->read_hash;
                }
index e8bc34c..eea5916 100644 (file)
@@ -714,14 +714,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                switch (servname_type)
                                        {
                                case TLSEXT_NAMETYPE_host_name:
-                                       if (s->session->tlsext_hostname == NULL)
+                                       if (!s->hit)
                                                {
-                                               if (len > TLSEXT_MAXLEN_host_name || 
-                                                       ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+                                               if(s->session->tlsext_hostname)
+                                                       {
+                                                       *al = SSL_AD_DECODE_ERROR;
+                                                       return 0;
+                                                       }
+                                               if (len > TLSEXT_MAXLEN_host_name)
                                                        {
                                                        *al = TLS1_AD_UNRECOGNIZED_NAME;
                                                        return 0;
                                                        }
+                                               if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+                                                       {
+                                                       *al = TLS1_AD_INTERNAL_ERROR;
+                                                       return 0;
+                                                       }
                                                memcpy(s->session->tlsext_hostname, sdata, len);
                                                s->session->tlsext_hostname[len]='\0';
                                                if (strlen(s->session->tlsext_hostname) != len) {
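Review bot: The new `if (!s->hit)` guard in the `TLSEXT_NAMETYPE_host_name` case has no comment stating the invariant it enforces: `s->session` is written only for a new session, and on resumption the stored hostname is only compared. Presumably a resumed session can be shared with other connections through the session cache, which is why writing to it here is unsafe (this looks like the CVE-2010-3864 fix named in the commit description); a comment such as `/* resumed sessions may be shared: never modify s->session here, only compare */` would protect the guard from later refactoring. The same applies to the `tlsext_ecpointformatlist` and `tlsext_ellipticcurvelist` hunks further down. As a smaller style point, this branch reports a repeated extension with `SSL_AD_DECODE_ERROR` while those two use `TLS1_AD_DECODE_ERROR`; one spelling throughout would read better. The function starts and ends outside these hunks.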
@@ -734,7 +743,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 
                                                }
                                        else 
-                                               s->servername_done = strlen(s->session->tlsext_hostname) == len 
+                                               s->servername_done = s->session->tlsext_hostname
+                                                       && strlen(s->session->tlsext_hostname) == len 
                                                        && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
                                        
                                        break;
@@ -765,15 +775,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
                                }
-                       s->session->tlsext_ecpointformatlist_length = 0;
-                       if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-                       if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+                       if (!s->hit)
                                {
-                               *al = TLS1_AD_INTERNAL_ERROR;
-                               return 0;
+                               if(s->session->tlsext_ecpointformatlist)
+                                       {
+                                       *al = TLS1_AD_DECODE_ERROR;
+                                       return 0;
+                                       }
+                               s->session->tlsext_ecpointformatlist_length = 0;
+                               if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+                                       {
+                                       *al = TLS1_AD_INTERNAL_ERROR;
+                                       return 0;
+                                       }
+                               s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+                               memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
                                }
-                       s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-                       memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 #if 0
                        fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
                        sdata = s->session->tlsext_ecpointformatlist;
@@ -794,15 +811,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
                                }
-                       s->session->tlsext_ellipticcurvelist_length = 0;
-                       if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
-                       if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+                       if (!s->hit)
                                {
-                               *al = TLS1_AD_INTERNAL_ERROR;
-                               return 0;
+                               if(s->session->tlsext_ellipticcurvelist)
+                                       {
+                                       *al = TLS1_AD_DECODE_ERROR;
+                                       return 0;
+                                       }
+                               s->session->tlsext_ellipticcurvelist_length = 0;
+                               if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+                                       {
+                                       *al = TLS1_AD_INTERNAL_ERROR;
+                                       return 0;
+                                       }
+                               s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
+                               memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
                                }
-                       s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
-                       memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
 #if 0
                        fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
                        sdata = s->session->tlsext_ellipticcurvelist;
@@ -983,9 +1007,9 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 
 int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
        {
+       unsigned short length;
        unsigned short type;
        unsigned short size;
-       unsigned short len;  
        unsigned char *data = *p;
        int tlsext_servername = 0;
        int renegotiate_seen = 0;
@@ -993,7 +1017,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
        if (data >= (d+n-2))
                goto ri_check;
 
-       n2s(data,len);
+       n2s(data,length);
+       if (data+length != d+n)
+               {
+               *al = SSL_AD_DECODE_ERROR;
+               return 0;
+               }
 
        while(data <= (d+n-4))
                {
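Review bot: The new check `data+length != d+n` forms a pointer from the peer-supplied 16-bit `length` before that value has been validated. `data+length` can point far past the end of the buffer, which is undefined pointer arithmetic in C even when the result is only compared. Comparing sizes avoids that: `if ((long)length != (d+n) - data)`. The earlier guard `data >= (d+n-2)` ensures the subtraction is positive at this point. The function body continues outside the hunk.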