From 75607dda74918d370b045dec1010449d46ec7ba8 Mon Sep 17 00:00:00 2001 From: Peter Avalos Date: Sat, 11 Apr 2009 03:00:56 +0000 Subject: [PATCH] Upgrade to OpenSSL-0.9.8k. This fixes security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789) and other minor bugs. See CHANGES for more details. --- crypto/openssl/CHANGES | 48 +++++++++++++++++-- crypto/openssl/FAQ | 2 +- crypto/openssl/NEWS | 5 ++ crypto/openssl/README | 2 +- crypto/openssl/README.DELETED | 16 +++++++ crypto/openssl/apps/apps.c | 2 +- crypto/openssl/apps/ca.c | 2 +- crypto/openssl/apps/enc.c | 3 +- crypto/openssl/apps/engine.c | 4 +- crypto/openssl/apps/rand.c | 27 +++++++++-- crypto/openssl/apps/x509.c | 2 +- crypto/openssl/crypto/asn1/a_bytes.c | 2 +- crypto/openssl/crypto/asn1/asn1.h | 3 ++ crypto/openssl/crypto/asn1/asn1_err.c | 2 + crypto/openssl/crypto/asn1/asn1_par.c | 2 + crypto/openssl/crypto/asn1/asn_mime.c | 2 - crypto/openssl/crypto/asn1/t_x509.c | 2 +- crypto/openssl/crypto/asn1/tasn_dec.c | 44 ++++++++++++----- crypto/openssl/crypto/bio/bss_mem.c | 22 +++++---- crypto/openssl/crypto/bio/bss_sock.c | 5 ++ crypto/openssl/crypto/cms/cms_smime.c | 4 +- crypto/openssl/crypto/evp/enc_min.c | 2 +- crypto/openssl/crypto/opensslv.h | 6 +-- crypto/openssl/crypto/pem/pem.h | 4 ++ crypto/openssl/crypto/pkcs12/p12_crt.c | 3 ++ crypto/openssl/crypto/pkcs7/pk7_smime.c | 3 +- crypto/openssl/crypto/rand/rand_unix.c | 2 +- crypto/openssl/crypto/ripemd/README | 2 +- crypto/openssl/crypto/rsa/rsa_x931g.c | 4 +- crypto/openssl/crypto/symhacks.h | 4 ++ crypto/openssl/crypto/ui/ui_lib.c | 1 + crypto/openssl/crypto/x509/x509_cmp.c | 3 +- crypto/openssl/crypto/x509/x509_vpm.c | 16 +++++-- crypto/openssl/crypto/x509v3/v3_addr.c | 33 +++++++------ crypto/openssl/crypto/x509v3/v3_cpols.c | 7 ++- crypto/openssl/crypto/x509v3/v3_utl.c | 2 +- crypto/openssl/doc/apps/rand.pod | 5 ++ crypto/openssl/doc/apps/x509.pod | 2 +- .../openssl/doc/ssl/SSL_CIPHER_get_name.pod | 2 +- crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod | 2 +- crypto/openssl/doc/ssl/SSL_SESSION_free.pod | 2 +- crypto/openssl/doc/ssl/SSL_free.pod | 2 +- crypto/openssl/ssl/kssl.c | 2 +- crypto/openssl/ssl/s3_clnt.c | 2 +- crypto/openssl/ssl/ssl_ciph.c | 2 +- crypto/openssl/ssl/ssl_lib.c | 2 + 46 files changed, 236 insertions(+), 80 deletions(-) diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index c888c56c26..04d332e338 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -2,11 +2,51 @@ OpenSSL CHANGES _______________ - Changes between 0.9.8i and 0.9.8j [07 Jan 2009] + Changes between 0.9.8j and 0.9.8k [25 Mar 2009] - *) Properly check EVP_VerifyFinal() and similar return values - (CVE-2008-5077). - [Ben Laurie, Bodo Moeller, Google Security Team] + *) Don't set val to NULL when freeing up structures, it is freed up by + underlying code. If sizeof(void *) > sizeof(long) this can result in + zeroing past the valid field. (CVE-2009-0789) + [Paolo Ganci ] + + *) Fix bug where return value of CMS_SignerInfo_verify_content() was not + checked correctly. This would allow some invalid signed attributes to + appear to verify correctly. (CVE-2009-0591) + [Ivan Nestlerode ] + + *) Reject UniversalString and BMPString types with invalid lengths. This + prevents a crash in ASN1_STRING_print_ex() which assumes the strings have + a legal length. (CVE-2009-0590) + [Steve Henson] + + *) Set S/MIME signing as the default purpose rather than setting it + unconditionally. This allows applications to override it at the store + level. + [Steve Henson] + + *) Permit restricted recursion of ASN1 strings. This is needed in practice + to handle some structures. + [Steve Henson] + + *) Improve efficiency of mem_gets: don't search whole buffer each time + for a '\n' + [Jeremy Shapiro ] + + *) New -hex option for openssl rand. + [Matthieu Herrb] + + *) Print out UTF8String and NumericString when parsing ASN1. + [Steve Henson] + + *) Support NumericString type for name components. + [Steve Henson] + + *) Allow CC in the environment to override the automatically chosen + compiler. Note that nothing is done to ensure flags work with the + chosen compiler. + [Ben Laurie] + + Changes between 0.9.8i and 0.9.8j [07 Jan 2009] *) Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077). diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ index ce71246fb8..942a671f2c 100644 --- a/crypto/openssl/FAQ +++ b/crypto/openssl/FAQ @@ -78,7 +78,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.8j was released on Jan 7th, 2009. +OpenSSL 0.9.8k was released on Mar 25th, 2009. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at = 0); + assert(l > 0); assert(buf[l-1] == '\n'); buf[l-1] = '\0'; BN_hex2bn(bn, buf); diff --git a/crypto/openssl/apps/ca.c b/crypto/openssl/apps/ca.c index 87f0405f5d..68516ee9bd 100644 --- a/crypto/openssl/apps/ca.c +++ b/crypto/openssl/apps/ca.c @@ -83,7 +83,7 @@ # else # include # endif -# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) +# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE) && !defined(__TANDEM) # include # endif #endif diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c index 47c6eb604d..f4f9a4c4a4 100644 --- a/crypto/openssl/apps/enc.c +++ b/crypto/openssl/apps/enc.c @@ -533,7 +533,8 @@ bad: BIO_printf(bio_err,"invalid hex iv value\n"); goto end; } - if ((hiv == NULL) && (str == NULL)) + if ((hiv == NULL) && (str == NULL) + && EVP_CIPHER_iv_length(cipher) != 0) { /* No IV was explicitly set and no IV was generated * during EVP_BytesToKey. Hence the IV is undefined, diff --git a/crypto/openssl/apps/engine.c b/crypto/openssl/apps/engine.c index 1d0dd9bfbc..17bd81fb79 100644 --- a/crypto/openssl/apps/engine.c +++ b/crypto/openssl/apps/engine.c @@ -252,7 +252,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent /* Now decide on the output */ if(xpos == 0) /* Do an indent */ - xpos = BIO_printf(bio_out, indent); + xpos = BIO_puts(bio_out, indent); else /* Otherwise prepend a ", " */ xpos += BIO_printf(bio_out, ", "); @@ -263,7 +263,7 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent (xpos + (int)strlen(name) > line_wrap)) { BIO_printf(bio_out, "\n"); - xpos = BIO_printf(bio_out, indent); + xpos = BIO_puts(bio_out, indent); } xpos += BIO_printf(bio_out, "%s", name); } diff --git a/crypto/openssl/apps/rand.c b/crypto/openssl/apps/rand.c index c3b26c466d..44a1d46a03 100644 --- a/crypto/openssl/apps/rand.c +++ b/crypto/openssl/apps/rand.c @@ -68,7 +68,8 @@ /* -out file - write to file * -rand file:file - PRNG seed files - * -base64 - encode output + * -base64 - base64 encode output + * -hex - hex encode output * num - write 'num' bytes */ @@ -84,6 +85,7 @@ int MAIN(int argc, char **argv) char *outfile = NULL; char *inrand = NULL; int base64 = 0; + int hex = 0; BIO *out = NULL; int num = -1; #ifndef OPENSSL_NO_ENGINE @@ -133,6 +135,13 @@ int MAIN(int argc, char **argv) else badopt = 1; } + else if (strcmp(argv[i], "-hex") == 0) + { + if (!hex) + hex = 1; + else + badopt = 1; + } else if (isdigit((unsigned char)argv[i][0])) { if (num < 0) @@ -148,6 +157,9 @@ int MAIN(int argc, char **argv) badopt = 1; } + if (hex && base64) + badopt = 1; + if (num < 0) badopt = 1; @@ -160,7 +172,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-engine e - use engine e, possibly a hardware device.\n"); #endif BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); - BIO_printf(bio_err, "-base64 - encode output\n"); + BIO_printf(bio_err, "-base64 - base64 encode output\n"); + BIO_printf(bio_err, "-hex - hex encode output\n"); goto err; } @@ -210,9 +223,17 @@ int MAIN(int argc, char **argv) r = RAND_bytes(buf, chunk); if (r <= 0) goto err; - BIO_write(out, buf, chunk); + if (!hex) + BIO_write(out, buf, chunk); + else + { + for (i = 0; i < chunk; i++) + BIO_printf(out, "%02x", buf[i]); + } num -= chunk; } + if (hex) + BIO_puts(out, "\n"); (void)BIO_flush(out); app_RAND_write_file(NULL, bio_err); diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c index d904d34021..6debce4419 100644 --- a/crypto/openssl/apps/x509.c +++ b/crypto/openssl/apps/x509.c @@ -114,7 +114,7 @@ static const char *x509_usage[]={ " -alias - output certificate alias\n", " -noout - no certificate output\n", " -ocspid - print OCSP hash values for the subject name and public key\n", -" -ocspurl - print OCSP Responder URL(s)\n", +" -ocsp_uri - print OCSP Responder URL(s)\n", " -trustout - output a \"trusted\" certificate\n", " -clrtrust - clear all trusted purposes\n", " -clrreject - clear all rejected purposes\n", diff --git a/crypto/openssl/crypto/asn1/a_bytes.c b/crypto/openssl/crypto/asn1/a_bytes.c index 8d13f9c931..92d630cdba 100644 --- a/crypto/openssl/crypto/asn1/a_bytes.c +++ b/crypto/openssl/crypto/asn1/a_bytes.c @@ -79,7 +79,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp, if (tag >= 32) { - i=ASN1_R_TAG_VALUE_TOO_HIGH;; + i=ASN1_R_TAG_VALUE_TOO_HIGH; goto err; } if (!(ASN1_tag2bit(tag) & type)) diff --git a/crypto/openssl/crypto/asn1/asn1.h b/crypto/openssl/crypto/asn1/asn1.h index 424cd348bb..e3385226d4 100644 --- a/crypto/openssl/crypto/asn1/asn1.h +++ b/crypto/openssl/crypto/asn1/asn1.h @@ -612,6 +612,7 @@ typedef struct BIT_STRING_BITNAME_st { B_ASN1_GENERALIZEDTIME #define B_ASN1_PRINTABLE \ + B_ASN1_NUMERICSTRING| \ B_ASN1_PRINTABLESTRING| \ B_ASN1_T61STRING| \ B_ASN1_IA5STRING| \ @@ -1217,6 +1218,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_BAD_OBJECT_HEADER 102 #define ASN1_R_BAD_PASSWORD_READ 103 #define ASN1_R_BAD_TAG 104 +#define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 210 #define ASN1_R_BN_LIB 105 #define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106 #define ASN1_R_BUFFER_TOO_SMALL 107 @@ -1306,6 +1308,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 +#define ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH 211 #define ASN1_R_UNKNOWN_FORMAT 160 #define ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM 161 #define ASN1_R_UNKNOWN_OBJECT_TYPE 162 diff --git a/crypto/openssl/crypto/asn1/asn1_err.c b/crypto/openssl/crypto/asn1/asn1_err.c index f8a3e2e6cd..5f5de98eed 100644 --- a/crypto/openssl/crypto/asn1/asn1_err.c +++ b/crypto/openssl/crypto/asn1/asn1_err.c @@ -195,6 +195,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ERR_REASON(ASN1_R_BAD_OBJECT_HEADER) ,"bad object header"}, {ERR_REASON(ASN1_R_BAD_PASSWORD_READ) ,"bad password read"}, {ERR_REASON(ASN1_R_BAD_TAG) ,"bad tag"}, +{ERR_REASON(ASN1_R_BMPSTRING_IS_WRONG_LENGTH),"bmpstring is wrong length"}, {ERR_REASON(ASN1_R_BN_LIB) ,"bn lib"}, {ERR_REASON(ASN1_R_BOOLEAN_IS_WRONG_LENGTH),"boolean is wrong length"}, {ERR_REASON(ASN1_R_BUFFER_TOO_SMALL) ,"buffer too small"}, @@ -284,6 +285,7 @@ static ERR_STRING_DATA ASN1_str_reasons[]= {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"}, {ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"}, +{ERR_REASON(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH),"universalstring is wrong length"}, {ERR_REASON(ASN1_R_UNKNOWN_FORMAT) ,"unknown format"}, {ERR_REASON(ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM),"unknown message digest algorithm"}, {ERR_REASON(ASN1_R_UNKNOWN_OBJECT_TYPE) ,"unknown object type"}, diff --git a/crypto/openssl/crypto/asn1/asn1_par.c b/crypto/openssl/crypto/asn1/asn1_par.c index 501b62a4b1..8657f73d66 100644 --- a/crypto/openssl/crypto/asn1/asn1_par.c +++ b/crypto/openssl/crypto/asn1/asn1_par.c @@ -213,6 +213,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offse (tag == V_ASN1_T61STRING) || (tag == V_ASN1_IA5STRING) || (tag == V_ASN1_VISIBLESTRING) || + (tag == V_ASN1_NUMERICSTRING) || + (tag == V_ASN1_UTF8STRING) || (tag == V_ASN1_UTCTIME) || (tag == V_ASN1_GENERALIZEDTIME)) { diff --git a/crypto/openssl/crypto/asn1/asn_mime.c b/crypto/openssl/crypto/asn1/asn_mime.c index bc80b20d63..d8d9e76cc0 100644 --- a/crypto/openssl/crypto/asn1/asn_mime.c +++ b/crypto/openssl/crypto/asn1/asn_mime.c @@ -152,7 +152,6 @@ static ASN1_VALUE *b64_read_asn1(BIO *bio, const ASN1_ITEM *it) static int asn1_write_micalg(BIO *out, STACK_OF(X509_ALGOR) *mdalgs) { - const EVP_MD *md; int i, have_unknown = 0, write_comma, md_nid; have_unknown = 0; write_comma = 0; @@ -162,7 +161,6 @@ static int asn1_write_micalg(BIO *out, STACK_OF(X509_ALGOR) *mdalgs) BIO_write(out, ",", 1); write_comma = 1; md_nid = OBJ_obj2nid(sk_X509_ALGOR_value(mdalgs, i)->algorithm); - md = EVP_get_digestbynid(md_nid); switch(md_nid) { case NID_sha1: diff --git a/crypto/openssl/crypto/asn1/t_x509.c b/crypto/openssl/crypto/asn1/t_x509.c index 8b09e5890f..8f746f9c05 100644 --- a/crypto/openssl/crypto/asn1/t_x509.c +++ b/crypto/openssl/crypto/asn1/t_x509.c @@ -332,7 +332,7 @@ int X509_signature_print(BIO *bp, X509_ALGOR *sigalg, ASN1_STRING *sig) int ASN1_STRING_print(BIO *bp, ASN1_STRING *v) { int i,n; - char buf[80],*p;; + char buf[80],*p; if (v == NULL) return(0); n=0; diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c index ced641698e..48bc1c0d4d 100644 --- a/crypto/openssl/crypto/asn1/tasn_dec.c +++ b/crypto/openssl/crypto/asn1/tasn_dec.c @@ -69,7 +69,7 @@ static int asn1_check_eoc(const unsigned char **in, long len); static int asn1_find_end(const unsigned char **in, long len, char inf); static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, - char inf, int tag, int aclass); + char inf, int tag, int aclass, int depth); static int collect_data(BUF_MEM *buf, const unsigned char **p, long plen); @@ -611,7 +611,6 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val, err: ASN1_template_free(val, tt); - *val = NULL; return 0; } @@ -758,7 +757,6 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, err: ASN1_template_free(val, tt); - *val = NULL; return 0; } @@ -878,7 +876,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, * internally irrespective of the type. So instead just check * for UNIVERSAL class and ignore the tag. */ - if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL)) + if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) { free_cont = 1; goto err; @@ -1012,6 +1010,18 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, case V_ASN1_SET: case V_ASN1_SEQUENCE: default: + if (utype == V_ASN1_BMPSTRING && (len & 1)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_BMPSTRING_IS_WRONG_LENGTH); + goto err; + } + if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) + { + ASN1err(ASN1_F_ASN1_EX_C2I, + ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); + goto err; + } /* All based on ASN1_STRING and handled the same */ if (!*pval) { @@ -1128,8 +1138,18 @@ static int asn1_find_end(const unsigned char **in, long len, char inf) * if it is indefinite length. */ +#ifndef ASN1_MAX_STRING_NEST +/* This determines how many levels of recursion are permitted in ASN1 + * string types. If it is not limited stack overflows can occur. If set + * to zero no recursion is allowed at all. Although zero should be adequate + * examples exist that require a value of 1. So 5 should be more than enough. + */ +#define ASN1_MAX_STRING_NEST 5 +#endif + + static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, - char inf, int tag, int aclass) + char inf, int tag, int aclass, int depth) { const unsigned char *p, *q; long plen; @@ -1171,13 +1191,15 @@ static int asn1_collect(BUF_MEM *buf, const unsigned char **in, long len, /* If indefinite length constructed update max length */ if (cst) { -#ifdef OPENSSL_ALLOW_NESTED_ASN1_STRINGS - if (!asn1_collect(buf, &p, plen, ininf, tag, aclass)) + if (depth >= ASN1_MAX_STRING_NEST) + { + ASN1err(ASN1_F_ASN1_COLLECT, + ASN1_R_NESTED_ASN1_STRING); + return 0; + } + if (!asn1_collect(buf, &p, plen, ininf, tag, aclass, + depth + 1)) return 0; -#else - ASN1err(ASN1_F_ASN1_COLLECT, ASN1_R_NESTED_ASN1_STRING); - return 0; -#endif } else if (plen && !collect_data(buf, &p, plen)) return 0; diff --git a/crypto/openssl/crypto/bio/bss_mem.c b/crypto/openssl/crypto/bio/bss_mem.c index a4edb711ae..e7ab9cb3a3 100644 --- a/crypto/openssl/crypto/bio/bss_mem.c +++ b/crypto/openssl/crypto/bio/bss_mem.c @@ -284,6 +284,7 @@ static int mem_gets(BIO *bp, char *buf, int size) BIO_clear_retry_flags(bp); j=bm->length; + if ((size-1) < j) j=size-1; if (j <= 0) { *buf='\0'; @@ -292,17 +293,18 @@ static int mem_gets(BIO *bp, char *buf, int size) p=bm->data; for (i=0; i 0) buf[i]='\0'; ret=i; diff --git a/crypto/openssl/crypto/bio/bss_sock.c b/crypto/openssl/crypto/bio/bss_sock.c index 472dd75821..30c3ceab46 100644 --- a/crypto/openssl/crypto/bio/bss_sock.c +++ b/crypto/openssl/crypto/bio/bss_sock.c @@ -60,6 +60,9 @@ #include #define USE_SOCKETS #include "cryptlib.h" + +#ifndef OPENSSL_NO_SOCK + #include #ifdef WATT32 @@ -300,3 +303,5 @@ int BIO_sock_non_fatal_error(int err) } return(0); } + +#endif /* #ifndef OPENSSL_NO_SOCK */ diff --git a/crypto/openssl/crypto/cms/cms_smime.c b/crypto/openssl/crypto/cms/cms_smime.c index b9463f9abb..f35883aa22 100644 --- a/crypto/openssl/crypto/cms/cms_smime.c +++ b/crypto/openssl/crypto/cms/cms_smime.c @@ -298,7 +298,7 @@ static int cms_signerinfo_verify_cert(CMS_SignerInfo *si, CMS_R_STORE_INIT_ERROR); goto err; } - X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_SMIME_SIGN); + X509_STORE_CTX_set_default(&ctx, "smime_sign"); if (crls) X509_STORE_CTX_set0_crls(&ctx, crls); @@ -425,7 +425,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { si = sk_CMS_SignerInfo_value(sinfos, i); - if (!CMS_SignerInfo_verify_content(si, cmsbio)) + if (CMS_SignerInfo_verify_content(si, cmsbio) <= 0) { CMSerr(CMS_F_CMS_VERIFY, CMS_R_CONTENT_VERIFY_ERROR); diff --git a/crypto/openssl/crypto/evp/enc_min.c b/crypto/openssl/crypto/evp/enc_min.c index 3cb4626bef..7fba38ee24 100644 --- a/crypto/openssl/crypto/evp/enc_min.c +++ b/crypto/openssl/crypto/evp/enc_min.c @@ -199,7 +199,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp enc = 1; ctx->encrypt = enc; } -#ifdef OPENSSL_NO_FIPS +#ifdef OPENSSL_FIPS if(FIPS_selftest_failed()) { FIPSerr(FIPS_F_EVP_CIPHERINIT_EX,FIPS_R_FIPS_SELFTEST_FAILED); diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index 09687b5136..c6207f76b2 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x009080afL +#define OPENSSL_VERSION_NUMBER 0x009080bfL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8j-fips 07 Jan 2009" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8k-fips 25 Mar 2009" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8j 07 Jan 2009" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8k 25 Mar 2009" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/crypto/pem/pem.h b/crypto/openssl/crypto/pem/pem.h index 6f8e01544b..6c193f1cbf 100644 --- a/crypto/openssl/crypto/pem/pem.h +++ b/crypto/openssl/crypto/pem/pem.h @@ -215,7 +215,9 @@ typedef struct pem_ctx_st #define IMPLEMENT_PEM_read_fp(name, type, str, asn1) /**/ #define IMPLEMENT_PEM_write_fp(name, type, str, asn1) /**/ +#define IMPLEMENT_PEM_write_fp_const(name, type, str, asn1) /**/ #define IMPLEMENT_PEM_write_cb_fp(name, type, str, asn1) /**/ +#define IMPLEMENT_PEM_write_cb_fp_const(name, type, str, asn1) /**/ #else @@ -355,6 +357,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \ #define DECLARE_PEM_read_fp(name, type) /**/ #define DECLARE_PEM_write_fp(name, type) /**/ +#define DECLARE_PEM_write_fp_const(name, type) /**/ #define DECLARE_PEM_write_cb_fp(name, type) /**/ #else @@ -392,6 +395,7 @@ int PEM_write_bio_##name(BIO *bp, type *x, const EVP_CIPHER *enc, \ #define DECLARE_PEM_read_bio(name, type) /**/ #define DECLARE_PEM_write_bio(name, type) /**/ +#define DECLARE_PEM_write_bio_const(name, type) /**/ #define DECLARE_PEM_write_cb_bio(name, type) /**/ #endif diff --git a/crypto/openssl/crypto/pkcs12/p12_crt.c b/crypto/openssl/crypto/pkcs12/p12_crt.c index e863de52ce..9522342fa5 100644 --- a/crypto/openssl/crypto/pkcs12/p12_crt.c +++ b/crypto/openssl/crypto/pkcs12/p12_crt.c @@ -170,6 +170,9 @@ PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, p12 = PKCS12_add_safes(safes, 0); + if (!p12) + goto err; + sk_PKCS7_pop_free(safes, PKCS7_free); safes = NULL; diff --git a/crypto/openssl/crypto/pkcs7/pk7_smime.c b/crypto/openssl/crypto/pkcs7/pk7_smime.c index c34db1d6fe..fd18ec3d95 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_smime.c +++ b/crypto/openssl/crypto/pkcs7/pk7_smime.c @@ -229,8 +229,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store, sk_X509_free(signers); return 0; } - X509_STORE_CTX_set_purpose(&cert_ctx, - X509_PURPOSE_SMIME_SIGN); + X509_STORE_CTX_set_default(&cert_ctx, "smime_sign"); } else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) { PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB); sk_X509_free(signers); diff --git a/crypto/openssl/crypto/rand/rand_unix.c b/crypto/openssl/crypto/rand/rand_unix.c index 6c2be5cb96..71b98ec212 100644 --- a/crypto/openssl/crypto/rand/rand_unix.c +++ b/crypto/openssl/crypto/rand/rand_unix.c @@ -232,7 +232,7 @@ int RAND_poll(void) t.tv_sec = 0; t.tv_usec = usec; - if (FD_SETSIZE > 0 && fd >= FD_SETSIZE) + if (FD_SETSIZE > 0 && (unsigned)fd >= FD_SETSIZE) { /* can't use select, so just try to read once anyway */ try_read = 1; diff --git a/crypto/openssl/crypto/ripemd/README b/crypto/openssl/crypto/ripemd/README index 7097707264..f1ffc8b134 100644 --- a/crypto/openssl/crypto/ripemd/README +++ b/crypto/openssl/crypto/ripemd/README @@ -4,7 +4,7 @@ http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html This is my implementation of RIPEMD-160. The pentium assember is a little off the pace since I only get 1050 cycles, while the best is 1013. I have a few ideas for how to get another 20 or so cycles, but at -this point I will not bother right now. I belive the trick will be +this point I will not bother right now. I believe the trick will be to remove my 'copy X array onto stack' until inside the RIP1() finctions the first time round. To do this I need another register and will only have one temporary one. A bit tricky.... I can also cleanup the saving of the 5 words diff --git a/crypto/openssl/crypto/rsa/rsa_x931g.c b/crypto/openssl/crypto/rsa/rsa_x931g.c index c640cc2ec9..bf94f8be7a 100644 --- a/crypto/openssl/crypto/rsa/rsa_x931g.c +++ b/crypto/openssl/crypto/rsa/rsa_x931g.c @@ -79,9 +79,9 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2, goto err; ctx = BN_CTX_new(); - BN_CTX_start(ctx); if (!ctx) goto err; + BN_CTX_start(ctx); r0 = BN_CTX_get(ctx); r1 = BN_CTX_get(ctx); @@ -190,7 +190,7 @@ int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1, BIGNUM *q2, if (ctx2) BN_CTX_free(ctx2); /* If this is set all calls successful */ - if (rsa->iqmp != NULL) + if (rsa && rsa->iqmp != NULL) return 1; return 0; diff --git a/crypto/openssl/crypto/symhacks.h b/crypto/openssl/crypto/symhacks.h index 6cfb5fe479..8728e6124d 100644 --- a/crypto/openssl/crypto/symhacks.h +++ b/crypto/openssl/crypto/symhacks.h @@ -62,6 +62,10 @@ VAX. */ #ifdef OPENSSL_SYS_VMS +/* Hack a long name in crypto/cryptlib.c */ +#undef int_CRYPTO_set_do_dynlock_callback +#define int_CRYPTO_set_do_dynlock_callback int_CRYPTO_set_do_dynlock_cb + /* Hack a long name in crypto/ex_data.c */ #undef CRYPTO_get_ex_data_implementation #define CRYPTO_get_ex_data_implementation CRYPTO_get_ex_data_impl diff --git a/crypto/openssl/crypto/ui/ui_lib.c b/crypto/openssl/crypto/ui/ui_lib.c index 7ab249c3be..ac0100808f 100644 --- a/crypto/openssl/crypto/ui/ui_lib.c +++ b/crypto/openssl/crypto/ui/ui_lib.c @@ -90,6 +90,7 @@ UI *UI_new_method(const UI_METHOD *method) ret->strings=NULL; ret->user_data=NULL; + ret->flags=0; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data); return ret; } diff --git a/crypto/openssl/crypto/x509/x509_cmp.c b/crypto/openssl/crypto/x509/x509_cmp.c index e4c682fc44..2faf92514a 100644 --- a/crypto/openssl/crypto/x509/x509_cmp.c +++ b/crypto/openssl/crypto/x509/x509_cmp.c @@ -288,7 +288,8 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) if (!(nabit & STR_TYPE_CMP) || !(nbbit & STR_TYPE_CMP)) return j; - j = asn1_string_memcmp(na->value, nb->value); + if (!asn1_string_memcmp(na->value, nb->value)) + j = 0; } else if (na->value->type == V_ASN1_PRINTABLESTRING) j=nocase_spacenorm_cmp(na->value, nb->value); diff --git a/crypto/openssl/crypto/x509/x509_vpm.c b/crypto/openssl/crypto/x509/x509_vpm.c index c92e65936f..2b06718aec 100644 --- a/crypto/openssl/crypto/x509/x509_vpm.c +++ b/crypto/openssl/crypto/x509/x509_vpm.c @@ -74,7 +74,7 @@ static void x509_verify_param_zero(X509_VERIFY_PARAM *param) param->name = NULL; param->purpose = 0; param->trust = 0; - param->inh_flags = X509_VP_FLAG_DEFAULT; + param->inh_flags = 0; param->flags = 0; param->depth = -1; if (param->policies) @@ -320,11 +320,21 @@ static const X509_VERIFY_PARAM default_table[] = { 0, /* flags */ 0, /* purpose */ 0, /* trust */ - 9, /* depth */ + 100, /* depth */ NULL /* policies */ }, { - "pkcs7", /* SSL/TLS client parameters */ + "pkcs7", /* S/MIME signing parameters */ + 0, /* Check time */ + 0, /* internal flags */ + 0, /* flags */ + X509_PURPOSE_SMIME_SIGN, /* purpose */ + X509_TRUST_EMAIL, /* trust */ + -1, /* depth */ + NULL /* policies */ + }, + { + "smime_sign", /* S/MIME signing parameters */ 0, /* Check time */ 0, /* internal flags */ 0, /* flags */ diff --git a/crypto/openssl/crypto/x509v3/v3_addr.c b/crypto/openssl/crypto/x509v3/v3_addr.c index a37f844d3c..efdf7c3ba7 100644 --- a/crypto/openssl/crypto/x509v3/v3_addr.c +++ b/crypto/openssl/crypto/x509v3/v3_addr.c @@ -61,7 +61,7 @@ #include #include -#include + #include "cryptlib.h" #include #include @@ -128,7 +128,7 @@ static int length_from_afi(const unsigned afi) /* * Extract the AFI from an IPAddressFamily. */ -unsigned v3_addr_get_afi(const IPAddressFamily *f) +unsigned int v3_addr_get_afi(const IPAddressFamily *f) { return ((f != NULL && f->addressFamily != NULL && @@ -147,7 +147,7 @@ static void addr_expand(unsigned char *addr, const int length, const unsigned char fill) { - assert(bs->length >= 0 && bs->length <= length); + OPENSSL_assert(bs->length >= 0 && bs->length <= length); if (bs->length > 0) { memcpy(addr, bs->data, bs->length); if ((bs->flags & 7) != 0) { @@ -190,6 +190,8 @@ static int i2r_address(BIO *out, BIO_printf(out, "%x%s", (addr[i] << 8) | addr[i+1], (i < 14 ? ":" : "")); if (i < 16) BIO_puts(out, ":"); + if (i == 0) + BIO_puts(out, ":"); break; default: for (i = 0; i < bs->length; i++) @@ -243,7 +245,7 @@ static int i2r_IPAddrBlocks(X509V3_EXT_METHOD *method, int i; for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { IPAddressFamily *f = sk_IPAddressFamily_value(addr, i); - const unsigned afi = v3_addr_get_afi(f); + const unsigned int afi = v3_addr_get_afi(f); switch (afi) { case IANA_AFI_IPV4: BIO_printf(out, "%*sIPv4", indent, ""); @@ -453,7 +455,7 @@ static int make_addressRange(IPAddressOrRange **result, if ((aor = IPAddressOrRange_new()) == NULL) return 0; aor->type = IPAddressOrRange_addressRange; - assert(aor->u.addressRange == NULL); + OPENSSL_assert(aor->u.addressRange == NULL); if ((aor->u.addressRange = IPAddressRange_new()) == NULL) goto err; if (aor->u.addressRange->min == NULL && @@ -522,7 +524,7 @@ static IPAddressFamily *make_IPAddressFamily(IPAddrBlocks *addr, for (i = 0; i < sk_IPAddressFamily_num(addr); i++) { f = sk_IPAddressFamily_value(addr, i); - assert(f->addressFamily->data != NULL); + OPENSSL_assert(f->addressFamily->data != NULL); if (f->addressFamily->length == keylen && !memcmp(f->addressFamily->data, key, keylen)) return f; @@ -654,7 +656,7 @@ static void extract_min_max(IPAddressOrRange *aor, unsigned char *max, int length) { - assert(aor != NULL && min != NULL && max != NULL); + OPENSSL_assert(aor != NULL && min != NULL && max != NULL); switch (aor->type) { case IPAddressOrRange_addressPrefix: addr_expand(min, aor->u.addressPrefix, length, 0x00); @@ -880,7 +882,7 @@ int v3_addr_canonize(IPAddrBlocks *addr) } (void)sk_IPAddressFamily_set_cmp_func(addr, IPAddressFamily_cmp); sk_IPAddressFamily_sort(addr); - assert(v3_addr_is_canonical(addr)); + OPENSSL_assert(v3_addr_is_canonical(addr)); return 1; } @@ -1127,7 +1129,10 @@ int v3_addr_subset(IPAddrBlocks *a, IPAddrBlocks *b) for (i = 0; i < sk_IPAddressFamily_num(a); i++) { IPAddressFamily *fa = sk_IPAddressFamily_value(a, i); int j = sk_IPAddressFamily_find(b, fa); - IPAddressFamily *fb = sk_IPAddressFamily_value(b, j); + IPAddressFamily *fb; + fb = sk_IPAddressFamily_value(b, j); + if (fb == NULL) + return 0; if (!addr_contains(fb->ipAddressChoice->u.addressesOrRanges, fa->ipAddressChoice->u.addressesOrRanges, length_from_afi(v3_addr_get_afi(fb)))) @@ -1164,9 +1169,9 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, int i, j, ret = 1; X509 *x = NULL; - assert(chain != NULL && sk_X509_num(chain) > 0); - assert(ctx != NULL || ext != NULL); - assert(ctx == NULL || ctx->verify_cb != NULL); + OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); + OPENSSL_assert(ctx != NULL || ext != NULL); + OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); /* * Figure out where to start. If we don't have an extension to @@ -1178,7 +1183,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, } else { i = 0; x = sk_X509_value(chain, i); - assert(x != NULL); + OPENSSL_assert(x != NULL); if ((ext = x->rfc3779_addr) == NULL) goto done; } @@ -1197,7 +1202,7 @@ static int v3_addr_validate_path_internal(X509_STORE_CTX *ctx, */ for (i++; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); - assert(x != NULL); + OPENSSL_assert(x != NULL); if (!v3_addr_is_canonical(x->rfc3779_addr)) validation_err(X509_V_ERR_INVALID_EXTENSION); if (x->rfc3779_addr == NULL) { diff --git a/crypto/openssl/crypto/x509v3/v3_cpols.c b/crypto/openssl/crypto/x509v3/v3_cpols.c index 95596055ab..ad0506d75c 100644 --- a/crypto/openssl/crypto/x509v3/v3_cpols.c +++ b/crypto/openssl/crypto/x509v3/v3_cpols.c @@ -181,7 +181,11 @@ static STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, pol = POLICYINFO_new(); pol->policyid = pobj; } - sk_POLICYINFO_push(pols, pol); + if (!sk_POLICYINFO_push(pols, pol)){ + POLICYINFO_free(pol); + X509V3err(X509V3_F_R2I_CERTPOL, ERR_R_MALLOC_FAILURE); + goto err; + } } sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); return pols; @@ -447,3 +451,4 @@ void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, ""); } +IMPLEMENT_STACK_OF(X509_POLICY_NODE) diff --git a/crypto/openssl/crypto/x509v3/v3_utl.c b/crypto/openssl/crypto/x509v3/v3_utl.c index a4236bbb6d..7a45216c00 100644 --- a/crypto/openssl/crypto/x509v3/v3_utl.c +++ b/crypto/openssl/crypto/x509v3/v3_utl.c @@ -84,7 +84,7 @@ int X509V3_add_value(const char *name, const char *value, CONF_VALUE *vtmp = NULL; char *tname = NULL, *tvalue = NULL; if(name && !(tname = BUF_strdup(name))) goto err; - if(value && !(tvalue = BUF_strdup(value))) goto err;; + if(value && !(tvalue = BUF_strdup(value))) goto err; if(!(vtmp = (CONF_VALUE *)OPENSSL_malloc(sizeof(CONF_VALUE)))) goto err; if(!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) goto err; vtmp->section = NULL; diff --git a/crypto/openssl/doc/apps/rand.pod b/crypto/openssl/doc/apps/rand.pod index 75745ca002..d1d213ef43 100644 --- a/crypto/openssl/doc/apps/rand.pod +++ b/crypto/openssl/doc/apps/rand.pod @@ -10,6 +10,7 @@ B [B<-out> I] [B<-rand> I] [B<-base64>] +[B<-hex>] I =head1 DESCRIPTION @@ -41,6 +42,10 @@ all others. Perform base64 encoding on the output. +=item B<-hex> + +Show the output as a hex string. + =back =head1 SEE ALSO diff --git a/crypto/openssl/doc/apps/x509.pod b/crypto/openssl/doc/apps/x509.pod index a925da41f1..f43c175235 100644 --- a/crypto/openssl/doc/apps/x509.pod +++ b/crypto/openssl/doc/apps/x509.pod @@ -155,7 +155,7 @@ outputs the "hash" of the certificate issuer name. =item B<-hash> -synonym for "-hash" for backward compatibility reasons. +synonym for "-subject_hash" for backward compatibility reasons. =item B<-subject> diff --git a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod index f81f692df5..f62a869a9b 100644 --- a/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod +++ b/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod @@ -28,7 +28,7 @@ SSL_CIPHER_get_version() returns the protocol version for B, currently SSL_CIPHER_description() returns a textual description of the cipher used into the buffer B of length B provided. B must be at least -128 bytes, otherwise a pointer to the the string "Buffer too small" is +128 bytes, otherwise a pointer to the string "Buffer too small" is returned. If B is NULL, a buffer of 128 bytes is allocated using OPENSSL_malloc(). If the allocation fails, a pointer to the string "OPENSSL_malloc Error" is returned. diff --git a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod index ca8d81b82c..81566839d3 100644 --- a/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod +++ b/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod @@ -28,7 +28,7 @@ specifies the B function to be used. If no callback function shall be specified, the NULL pointer can be used for B. In this case last B set specifically for this B remains. If no special B was set before, the default callback for the underlying -B is used, that was valid at the the time B was created with +B is used, that was valid at the time B was created with L. SSL_CTX_set_verify_depth() sets the maximum B for the certificate chain diff --git a/crypto/openssl/doc/ssl/SSL_SESSION_free.pod b/crypto/openssl/doc/ssl/SSL_SESSION_free.pod index 558de01df9..110ec73ab6 100644 --- a/crypto/openssl/doc/ssl/SSL_SESSION_free.pod +++ b/crypto/openssl/doc/ssl/SSL_SESSION_free.pod @@ -14,7 +14,7 @@ SSL_SESSION_free - free an allocated SSL_SESSION structure SSL_SESSION_free() decrements the reference count of B and removes the B structure pointed to by B and frees up the allocated -memory, if the the reference count has reached 0. +memory, if the reference count has reached 0. =head1 NOTES diff --git a/crypto/openssl/doc/ssl/SSL_free.pod b/crypto/openssl/doc/ssl/SSL_free.pod index 2d4f8b6168..13c1abd9ec 100644 --- a/crypto/openssl/doc/ssl/SSL_free.pod +++ b/crypto/openssl/doc/ssl/SSL_free.pod @@ -14,7 +14,7 @@ SSL_free - free an allocated SSL structure SSL_free() decrements the reference count of B, and removes the SSL structure pointed to by B and frees up the allocated memory if the -the reference count has reached 0. +reference count has reached 0. =head1 NOTES diff --git a/crypto/openssl/ssl/kssl.c b/crypto/openssl/ssl/kssl.c index 6da75e6416..019030ae3c 100644 --- a/crypto/openssl/ssl/kssl.c +++ b/crypto/openssl/ssl/kssl.c @@ -946,7 +946,7 @@ kssl_err_set(KSSL_ERR *kssl_err, int reason, char *text) if (kssl_err == NULL) return; kssl_err->reason = reason; - BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, text); + BIO_snprintf(kssl_err->text, KSSL_ERR_MAX, "%s", text); return; } diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index 5fd3520caf..50308487aa 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -173,7 +173,7 @@ int ssl3_connect(SSL *s) long num1; void (*cb)(const SSL *ssl,int type,int val)=NULL; int ret= -1; - int new_state,state,skip=0;; + int new_state,state,skip=0; RAND_add(&Time,sizeof(Time),0); ERR_clear_error(); diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c index 0c2aa249b4..52f91cfe60 100644 --- a/crypto/openssl/ssl/ssl_ciph.c +++ b/crypto/openssl/ssl/ssl_ciph.c @@ -1355,7 +1355,7 @@ int SSL_COMP_add_compression_method(int id, COMP_METHOD *cm) comp->method=cm; load_builtin_compressions(); if (ssl_comp_methods - && !sk_SSL_COMP_find(ssl_comp_methods,comp)) + && sk_SSL_COMP_find(ssl_comp_methods,comp) >= 0) { OPENSSL_free(comp); MemCheck_on(); diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index 68eee77e6f..893abff1f4 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -510,6 +510,8 @@ void SSL_free(SSL *s) if (s->ctx) SSL_CTX_free(s->ctx); #ifndef OPENSSL_NO_TLSEXT + if (s->tlsext_hostname) + OPENSSL_free(s->tlsext_hostname); if (s->initial_ctx) SSL_CTX_free(s->initial_ctx); if (s->tlsext_ocsp_exts) sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, -- 2.41.0