From 9f1859dd0071b08989ae41e3271508c700524b3e Mon Sep 17 00:00:00 2001 From: Peter Avalos Date: Wed, 17 Nov 2010 19:41:45 -1000 Subject: [PATCH] Import OpenSSL-1.0.0b. This primarily fixes CVE-2010-3864 and CVE-2010-2939. --- crypto/openssl/CHANGES | 50 +++++++++++++++- crypto/openssl/FAQ | 2 +- crypto/openssl/NEWS | 6 ++ crypto/openssl/PROBLEMS | 4 +- crypto/openssl/README | 2 +- crypto/openssl/README.DELETED | 1 + crypto/openssl/apps/apps.c | 5 +- crypto/openssl/apps/dh.c | 5 +- crypto/openssl/apps/dhparam.c | 5 +- crypto/openssl/apps/dsaparam.c | 9 +-- crypto/openssl/apps/ec.c | 5 +- crypto/openssl/apps/ecparam.c | 5 +- crypto/openssl/apps/enc.c | 5 +- crypto/openssl/apps/gendh.c | 5 +- crypto/openssl/apps/gendsa.c | 5 +- crypto/openssl/apps/pkcs7.c | 5 +- crypto/openssl/apps/pkeyparam.c | 3 +- crypto/openssl/apps/pkeyutl.c | 12 ++-- crypto/openssl/apps/rand.c | 5 +- crypto/openssl/apps/s_server.c | 5 +- crypto/openssl/apps/s_socket.c | 7 +-- crypto/openssl/apps/speed.c | 9 +-- crypto/openssl/apps/x509.c | 2 - crypto/openssl/crypto/aes/aes_wrap.c | 12 ++-- crypto/openssl/crypto/asn1/a_int.c | 3 +- crypto/openssl/crypto/asn1/n_pkey.c | 3 +- crypto/openssl/crypto/asn1/t_crl.c | 3 +- crypto/openssl/crypto/asn1/tasn_dec.c | 3 +- crypto/openssl/crypto/asn1/x_x509.c | 4 +- crypto/openssl/crypto/bio/bf_nbio.c | 2 - crypto/openssl/crypto/bio/bio_lib.c | 4 +- crypto/openssl/crypto/bio/bss_acpt.c | 5 +- crypto/openssl/crypto/bn/bn_exp2.c | 3 +- crypto/openssl/crypto/bn/bn_mul.c | 9 +-- crypto/openssl/crypto/conf/conf_api.c | 2 +- crypto/openssl/crypto/conf/conf_def.c | 13 +--- crypto/openssl/crypto/dsa/dsa_gen.c | 3 +- crypto/openssl/crypto/dsa/dsa_ossl.c | 2 +- crypto/openssl/crypto/ec/ec2_mult.c | 13 ++-- crypto/openssl/crypto/ec/ec_mult.c | 6 +- crypto/openssl/crypto/ecdh/ech_lib.c | 3 +- crypto/openssl/crypto/ecdsa/ecs_lib.c | 2 - crypto/openssl/crypto/evp/encode.c | 3 +- crypto/openssl/crypto/evp/evp_enc.c | 1 + crypto/openssl/crypto/evp/pmeth_lib.c | 2 + crypto/openssl/crypto/hmac/hmac.c | 3 - crypto/openssl/crypto/md32_common.h | 15 +++-- crypto/openssl/crypto/ocsp/ocsp_ht.c | 12 +++- crypto/openssl/crypto/ocsp/ocsp_prn.c | 2 - crypto/openssl/crypto/opensslv.h | 6 +- crypto/openssl/crypto/pem/pem_lib.c | 2 - crypto/openssl/crypto/pem/pvkfmt.c | 10 +--- crypto/openssl/crypto/pkcs12/p12_key.c | 38 +++++++----- crypto/openssl/crypto/pkcs7/pk7_doit.c | 3 - crypto/openssl/crypto/pkcs7/pk7_lib.c | 2 - crypto/openssl/crypto/pqueue/pqueue.c | 5 +- crypto/openssl/crypto/rand/md_rand.c | 11 ++-- crypto/openssl/crypto/rand/rand_nw.c | 4 +- crypto/openssl/crypto/rand/randfile.c | 2 - crypto/openssl/crypto/rsa/rsa_eay.c | 2 +- crypto/openssl/crypto/stack/safestack.h | 50 ++++++++-------- crypto/openssl/crypto/x509/x509.h | 1 + crypto/openssl/crypto/x509/x509_vfy.c | 2 +- crypto/openssl/crypto/x509/x_all.c | 1 + crypto/openssl/crypto/x509v3/pcy_tree.c | 3 +- crypto/openssl/crypto/x509v3/v3_ncons.c | 1 - crypto/openssl/doc/apps/smime.pod | 8 +-- crypto/openssl/engines/ccgost/gost_ameth.c | 4 +- crypto/openssl/engines/e_chil.c | 4 +- crypto/openssl/engines/e_cswift.c | 2 - crypto/openssl/engines/e_ubsec.c | 2 - crypto/openssl/ssl/d1_pkt.c | 5 -- crypto/openssl/ssl/s23_lib.c | 7 --- crypto/openssl/ssl/s2_srvr.c | 2 - crypto/openssl/ssl/s3_clnt.c | 1 + crypto/openssl/ssl/s3_enc.c | 3 +- crypto/openssl/ssl/s3_srvr.c | 13 +++- crypto/openssl/ssl/ssl_asn1.c | 3 +- crypto/openssl/ssl/ssl_ciph.c | 6 +- crypto/openssl/ssl/ssl_lib.c | 15 +---- crypto/openssl/ssl/t1_enc.c | 14 ++--- crypto/openssl/ssl/t1_lib.c | 69 +++++++++++++++------- 82 files changed, 293 insertions(+), 303 deletions(-) diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES index b139cf6244..aad698c5f8 100644 --- a/crypto/openssl/CHANGES +++ b/crypto/openssl/CHANGES @@ -2,6 +2,17 @@ OpenSSL CHANGES _______________ + Changes between 1.0.0a and 1.0.0b [16 Nov 2010] + + *) Fix extension code to avoid race conditions which can result in a buffer + overrun vulnerability: resumed sessions must not be modified as they can + be shared by multiple threads. CVE-2010-3864 + [Steve Henson] + + *) Fix WIN32 build system to correctly link an ENGINE directory into + a DLL. + [Steve Henson] + Changes between 1.0.0 and 1.0.0a [01 Jun 2010] *) Check return value of int_rsa_verify in pkey_rsa_verifyrecover @@ -849,7 +860,34 @@ *) Change 'Configure' script to enable Camellia by default. [NTT] - Changes between 0.9.8n and 0.9.8o [xx XXX xxxx] + Changes between 0.9.8o and 0.9.8p [xx XXX xxxx] + + *) Fix extension code to avoid race conditions which can result in a buffer + overrun vulnerability: resumed sessions must not be modified as they can + be shared by multiple threads. CVE-2010-3864 + + *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939 + [Steve Henson] + + *) Don't reencode certificate when calculating signature: cache and use + the original encoding instead. This makes signature verification of + some broken encodings work correctly. + [Steve Henson] + + *) ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT + is also one of the inputs. + [Emilia Käsper (Google)] + + *) Don't repeatedly append PBE algorithms to table if they already exist. + Sort table on each new add. This effectively makes the table read only + after all algorithms are added and subsequent calls to PKCS12_pbe_add + etc are non-op. + [Steve Henson] + + Changes between 0.9.8n and 0.9.8o [01 Jun 2010] + + [NB: OpenSSL 0.9.8o and later 0.9.8 patch levels were released after + OpenSSL 1.0.0.] *) Correct a typo in the CMS ASN1 module which can result in invalid memory access or freeing data twice (CVE-2010-0742) @@ -860,6 +898,12 @@ SSL_library_init and not OpenSSL_add_all_algorithms() will fail. [Steve Henson] + *) VMS fixes: + Reduce copying into .apps and .test in makevms.com + Don't try to use blank CA certificate in CA.com + Allow use of C files from original directories in maketests.com + [Steven M. Schweda" ] + Changes between 0.9.8m and 0.9.8n [24 Mar 2010] *) When rejecting SSL/TLS records due to an incorrect version number, never @@ -868,8 +912,8 @@ - OpenSSL 0.9.8f if 'short' is longer than 16 bits, the previous behavior could result in a read attempt at NULL when receiving specific incorrect SSL/TLS records once record payload - protection is active. (CVE-2010-####) - [Bodo Moeller, Adam Langley] + protection is active. (CVE-2010-0740) + [Bodo Moeller, Adam Langley ] *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL could be crashed if the relevant tables were not present (e.g. chrooted). diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ index becee6663f..f7bdc8839c 100644 --- a/crypto/openssl/FAQ +++ b/crypto/openssl/FAQ @@ -79,7 +79,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 1.0.0a was released on Jun 1st, 2010. +OpenSSL 1.0.0b was released on Nov 16th, 2010. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at count == 0) { diff --git a/crypto/openssl/apps/dh.c b/crypto/openssl/apps/dh.c index e9609d630d..dee9c01fce 100644 --- a/crypto/openssl/apps/dh.c +++ b/crypto/openssl/apps/dh.c @@ -88,9 +88,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; -#endif DH *dh=NULL; int i,badops=0,text=0; BIO *in=NULL,*out=NULL; @@ -189,7 +186,7 @@ bad: ERR_load_crypto_strings(); #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + setup_engine(bio_err, engine, 0); #endif in=BIO_new(BIO_s_file()); diff --git a/crypto/openssl/apps/dhparam.c b/crypto/openssl/apps/dhparam.c index 5fab29eb87..b47097cbb2 100644 --- a/crypto/openssl/apps/dhparam.c +++ b/crypto/openssl/apps/dhparam.c @@ -149,9 +149,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; -#endif DH *dh=NULL; int i,badops=0,text=0; #ifndef OPENSSL_NO_DSA @@ -270,7 +267,7 @@ bad: ERR_load_crypto_strings(); #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + setup_engine(bio_err, engine, 0); #endif if (g && !num) diff --git a/crypto/openssl/apps/dsaparam.c b/crypto/openssl/apps/dsaparam.c index 4305a739b3..fe72c1d3df 100644 --- a/crypto/openssl/apps/dsaparam.c +++ b/crypto/openssl/apps/dsaparam.c @@ -111,9 +111,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; -#endif DSA *dsa=NULL; int i,badops=0,text=0; BIO *in=NULL,*out=NULL; @@ -278,7 +275,7 @@ bad: } #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + setup_engine(bio_err, engine, 0); #endif if (need_rand) @@ -357,12 +354,10 @@ bad: if (C) { unsigned char *data; - int l,len,bits_p,bits_q,bits_g; + int l,len,bits_p; len=BN_num_bytes(dsa->p); bits_p=BN_num_bits(dsa->p); - bits_q=BN_num_bits(dsa->q); - bits_g=BN_num_bits(dsa->g); data=(unsigned char *)OPENSSL_malloc(len+20); if (data == NULL) { diff --git a/crypto/openssl/apps/ec.c b/crypto/openssl/apps/ec.c index 31194b48df..896eabc13f 100644 --- a/crypto/openssl/apps/ec.c +++ b/crypto/openssl/apps/ec.c @@ -85,9 +85,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; -#endif int ret = 1; EC_KEY *eckey = NULL; const EC_GROUP *group; @@ -254,7 +251,7 @@ bad: ERR_load_crypto_strings(); #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + setup_engine(bio_err, engine, 0); #endif if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) diff --git a/crypto/openssl/apps/ecparam.c b/crypto/openssl/apps/ecparam.c index e9aa0a184a..465480bedd 100644 --- a/crypto/openssl/apps/ecparam.c +++ b/crypto/openssl/apps/ecparam.c @@ -129,9 +129,6 @@ int MAIN(int argc, char **argv) char *infile = NULL, *outfile = NULL, *prog; BIO *in = NULL, *out = NULL; int informat, outformat, noout = 0, C = 0, ret = 1; -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; -#endif char *engine = NULL; BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL, @@ -340,7 +337,7 @@ bad: } #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + setup_engine(bio_err, engine, 0); #endif if (list_curves) diff --git a/crypto/openssl/apps/enc.c b/crypto/openssl/apps/enc.c index 3c2c91e920..c28d8b1948 100644 --- a/crypto/openssl/apps/enc.c +++ b/crypto/openssl/apps/enc.c @@ -101,9 +101,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; -#endif static const char magic[]="Salted__"; char mbuf[sizeof magic-1]; char *strbuf=NULL; @@ -328,7 +325,7 @@ bad: } #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + setup_engine(bio_err, engine, 0); #endif if (md && (dgst=EVP_get_digestbyname(md)) == NULL) diff --git a/crypto/openssl/apps/gendh.c b/crypto/openssl/apps/gendh.c index caa7327a10..4ec776ba93 100644 --- a/crypto/openssl/apps/gendh.c +++ b/crypto/openssl/apps/gendh.c @@ -89,9 +89,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { BN_GENCB cb; -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; -#endif DH *dh=NULL; int ret=1,num=DEFBITS; int g=2; @@ -163,7 +160,7 @@ bad: } #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + setup_engine(bio_err, engine, 0); #endif out=BIO_new(BIO_s_file()); diff --git a/crypto/openssl/apps/gendsa.c b/crypto/openssl/apps/gendsa.c index 22c39629e5..62ea977905 100644 --- a/crypto/openssl/apps/gendsa.c +++ b/crypto/openssl/apps/gendsa.c @@ -78,9 +78,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; -#endif DSA *dsa=NULL; int ret=1; char *outfile=NULL; @@ -206,7 +203,7 @@ bad: } #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + setup_engine(bio_err, engine, 0); #endif if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) { diff --git a/crypto/openssl/apps/pkcs7.c b/crypto/openssl/apps/pkcs7.c index 86d31b99a7..ae6cd33f73 100644 --- a/crypto/openssl/apps/pkcs7.c +++ b/crypto/openssl/apps/pkcs7.c @@ -82,9 +82,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; -#endif PKCS7 *p7=NULL; int i,badops=0; BIO *in=NULL,*out=NULL; @@ -182,7 +179,7 @@ bad: ERR_load_crypto_strings(); #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + setup_engine(bio_err, engine, 0); #endif in=BIO_new(BIO_s_file()); diff --git a/crypto/openssl/apps/pkeyparam.c b/crypto/openssl/apps/pkeyparam.c index 7f18010f9d..6f7a357a36 100644 --- a/crypto/openssl/apps/pkeyparam.c +++ b/crypto/openssl/apps/pkeyparam.c @@ -74,7 +74,6 @@ int MAIN(int argc, char **argv) EVP_PKEY *pkey=NULL; int badarg = 0; #ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; char *engine=NULL; #endif int ret = 1; @@ -141,7 +140,7 @@ int MAIN(int argc, char **argv) } #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + setup_engine(bio_err, engine, 0); #endif if (infile) diff --git a/crypto/openssl/apps/pkeyutl.c b/crypto/openssl/apps/pkeyutl.c index 22a6c4bf39..7eb3f5c544 100644 --- a/crypto/openssl/apps/pkeyutl.c +++ b/crypto/openssl/apps/pkeyutl.c @@ -119,17 +119,17 @@ int MAIN(int argc, char **argv) if (!strcmp(*argv,"-in")) { if (--argc < 1) badarg = 1; - infile= *(++argv); + else infile= *(++argv); } else if (!strcmp(*argv,"-out")) { if (--argc < 1) badarg = 1; - outfile= *(++argv); + else outfile= *(++argv); } else if (!strcmp(*argv,"-sigfile")) { if (--argc < 1) badarg = 1; - sigfile= *(++argv); + else sigfile= *(++argv); } else if(!strcmp(*argv, "-inkey")) { @@ -159,17 +159,17 @@ int MAIN(int argc, char **argv) else if (!strcmp(*argv,"-passin")) { if (--argc < 1) badarg = 1; - passargin= *(++argv); + else passargin= *(++argv); } else if (strcmp(*argv,"-peerform") == 0) { if (--argc < 1) badarg = 1; - peerform=str2fmt(*(++argv)); + else peerform=str2fmt(*(++argv)); } else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) badarg = 1; - keyform=str2fmt(*(++argv)); + else keyform=str2fmt(*(++argv)); } #ifndef OPENSSL_NO_ENGINE else if(!strcmp(*argv, "-engine")) diff --git a/crypto/openssl/apps/rand.c b/crypto/openssl/apps/rand.c index 44a1d46a03..790e79592c 100644 --- a/crypto/openssl/apps/rand.c +++ b/crypto/openssl/apps/rand.c @@ -77,9 +77,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; -#endif int i, r, ret = 1; int badopt; char *outfile = NULL; @@ -178,7 +175,7 @@ int MAIN(int argc, char **argv) } #ifndef OPENSSL_NO_ENGINE - e = setup_engine(bio_err, engine, 0); + setup_engine(bio_err, engine, 0); #endif app_RAND_load_file(NULL, bio_err, (inrand != NULL)); diff --git a/crypto/openssl/apps/s_server.c b/crypto/openssl/apps/s_server.c index 1a06d19bb1..8a0c34cf0f 100644 --- a/crypto/openssl/apps/s_server.c +++ b/crypto/openssl/apps/s_server.c @@ -2254,11 +2254,10 @@ static int www_body(char *hostname, int s, unsigned char *context) { char *buf=NULL; int ret=1; - int i,j,k,blank,dot; + int i,j,k,dot; SSL *con; const SSL_CIPHER *c; BIO *io,*ssl_bio,*sbio; - long total_bytes; buf=OPENSSL_malloc(bufsize); if (buf == NULL) return(0); @@ -2329,7 +2328,6 @@ static int www_body(char *hostname, int s, unsigned char *context) SSL_set_msg_callback_arg(con, bio_s_out); } - blank=0; for (;;) { if (hack) @@ -2559,7 +2557,6 @@ static int www_body(char *hostname, int s, unsigned char *context) BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"); } /* send the file */ - total_bytes=0; for (;;) { i=BIO_read(file,buf,bufsize); diff --git a/crypto/openssl/apps/s_socket.c b/crypto/openssl/apps/s_socket.c index 6b8713de60..c08544a13c 100644 --- a/crypto/openssl/apps/s_socket.c +++ b/crypto/openssl/apps/s_socket.c @@ -327,7 +327,7 @@ static int init_server_long(int *sock, int port, char *ip, int type) { int ret=0; struct sockaddr_in server; - int s= -1,i; + int s= -1; if (!ssl_sock_init()) return(0); @@ -366,7 +366,6 @@ static int init_server_long(int *sock, int port, char *ip, int type) } /* Make it 128 for linux */ if (type==SOCK_STREAM && listen(s,128) == -1) goto err; - i=0; *sock=s; ret=1; err: @@ -384,7 +383,7 @@ static int init_server(int *sock, int port, int type) static int do_accept(int acc_sock, int *sock, char **host) { - int ret,i; + int ret; struct hostent *h1,*h2; static struct sockaddr_in from; int len; @@ -407,6 +406,7 @@ redoit: if (ret == INVALID_SOCKET) { #if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)) + int i; i=WSAGetLastError(); BIO_printf(bio_err,"accept error %d\n",i); #else @@ -461,7 +461,6 @@ redoit: BIO_printf(bio_err,"gethostbyname failure\n"); return(0); } - i=0; if (h2->h_addrtype != AF_INET) { BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n"); diff --git a/crypto/openssl/apps/speed.c b/crypto/openssl/apps/speed.c index 539bfff220..d5e9e24b4d 100644 --- a/crypto/openssl/apps/speed.c +++ b/crypto/openssl/apps/speed.c @@ -334,9 +334,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { -#ifndef OPENSSL_NO_ENGINE - ENGINE *e = NULL; -#endif unsigned char *buf=NULL,*buf2=NULL; int mret=1; long count=0,save_count=0; @@ -430,7 +427,6 @@ int MAIN(int argc, char **argv) unsigned char DES_iv[8]; unsigned char iv[2*MAX_BLOCK_SIZE/8]; #ifndef OPENSSL_NO_DES - DES_cblock *buf_as_des_cblock = NULL; static DES_cblock key ={0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0}; static DES_cblock key2={0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12}; static DES_cblock key3={0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34}; @@ -644,9 +640,6 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,"out of memory\n"); goto end; } -#ifndef OPENSSL_NO_DES - buf_as_des_cblock = (DES_cblock *)buf; -#endif if ((buf2=(unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL) { BIO_printf(bio_err,"out of memory\n"); @@ -721,7 +714,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err,"no engine given\n"); goto end; } - e = setup_engine(bio_err, *argv, 0); + setup_engine(bio_err, *argv, 0); /* j will be increased again further down. We just don't want speed to confuse an engine with an algorithm, especially when none is given (which diff --git a/crypto/openssl/apps/x509.c b/crypto/openssl/apps/x509.c index e7e46d7b63..ed1e8c69ad 100644 --- a/crypto/openssl/apps/x509.c +++ b/crypto/openssl/apps/x509.c @@ -556,7 +556,6 @@ bad: if (reqfile) { EVP_PKEY *pkey; - X509_CINF *ci; BIO *in; if (!sign_flag && !CA_flag) @@ -624,7 +623,6 @@ bad: print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag); if ((x=X509_new()) == NULL) goto end; - ci=x->cert_info; if (sno == NULL) { diff --git a/crypto/openssl/crypto/aes/aes_wrap.c b/crypto/openssl/crypto/aes/aes_wrap.c index 9feacd65d8..e2d73d37ce 100644 --- a/crypto/openssl/crypto/aes/aes_wrap.c +++ b/crypto/openssl/crypto/aes/aes_wrap.c @@ -85,9 +85,9 @@ int AES_wrap_key(AES_KEY *key, const unsigned char *iv, A[7] ^= (unsigned char)(t & 0xff); if (t > 0xff) { - A[6] ^= (unsigned char)((t & 0xff) >> 8); - A[5] ^= (unsigned char)((t & 0xff) >> 16); - A[4] ^= (unsigned char)((t & 0xff) >> 24); + A[6] ^= (unsigned char)((t >> 8) & 0xff); + A[5] ^= (unsigned char)((t >> 16) & 0xff); + A[4] ^= (unsigned char)((t >> 24) & 0xff); } memcpy(R, B + 8, 8); } @@ -119,9 +119,9 @@ int AES_unwrap_key(AES_KEY *key, const unsigned char *iv, A[7] ^= (unsigned char)(t & 0xff); if (t > 0xff) { - A[6] ^= (unsigned char)((t & 0xff) >> 8); - A[5] ^= (unsigned char)((t & 0xff) >> 16); - A[4] ^= (unsigned char)((t & 0xff) >> 24); + A[6] ^= (unsigned char)((t >> 8) & 0xff); + A[5] ^= (unsigned char)((t >> 16) & 0xff); + A[4] ^= (unsigned char)((t >> 24) & 0xff); } memcpy(B + 8, R, 8); AES_decrypt(B, B, key); diff --git a/crypto/openssl/crypto/asn1/a_int.c b/crypto/openssl/crypto/asn1/a_int.c index c6fd204ae3..3348b8762c 100644 --- a/crypto/openssl/crypto/asn1/a_int.c +++ b/crypto/openssl/crypto/asn1/a_int.c @@ -273,7 +273,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, { ASN1_INTEGER *ret=NULL; const unsigned char *p; - unsigned char *to,*s; + unsigned char *s; long len; int inf,tag,xclass; int i; @@ -308,7 +308,6 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, i=ERR_R_MALLOC_FAILURE; goto err; } - to=s; ret->type=V_ASN1_INTEGER; if(len) { if ((*p == 0) && (len != 1)) diff --git a/crypto/openssl/crypto/asn1/n_pkey.c b/crypto/openssl/crypto/asn1/n_pkey.c index 60bc437938..e7d0439062 100644 --- a/crypto/openssl/crypto/asn1/n_pkey.c +++ b/crypto/openssl/crypto/asn1/n_pkey.c @@ -242,7 +242,7 @@ RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length, int sgckey) { RSA *ret=NULL; - const unsigned char *p, *kp; + const unsigned char *p; NETSCAPE_ENCRYPTED_PKEY *enckey = NULL; p = *pp; @@ -265,7 +265,6 @@ RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length, ASN1err(ASN1_F_D2I_RSA_NET,ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM); goto err; } - kp = enckey->enckey->digest->data; if (cb == NULL) cb=EVP_read_pw_string; if ((ret=d2i_RSA_NET_2(a, enckey->enckey->digest,cb, sgckey)) == NULL) goto err; diff --git a/crypto/openssl/crypto/asn1/t_crl.c b/crypto/openssl/crypto/asn1/t_crl.c index bdb244c015..ee5a687ce8 100644 --- a/crypto/openssl/crypto/asn1/t_crl.c +++ b/crypto/openssl/crypto/asn1/t_crl.c @@ -87,7 +87,7 @@ int X509_CRL_print(BIO *out, X509_CRL *x) STACK_OF(X509_REVOKED) *rev; X509_REVOKED *r; long l; - int i, n; + int i; char *p; BIO_printf(out, "Certificate Revocation List (CRL):\n"); @@ -107,7 +107,6 @@ int X509_CRL_print(BIO *out, X509_CRL *x) else BIO_printf(out,"NONE"); BIO_printf(out,"\n"); - n=X509_CRL_get_ext_count(x); X509V3_extensions_print(out, "CRL extensions", x->crl->extensions, 0, 8); diff --git a/crypto/openssl/crypto/asn1/tasn_dec.c b/crypto/openssl/crypto/asn1/tasn_dec.c index 3bee439968..87d7dfdf5c 100644 --- a/crypto/openssl/crypto/asn1/tasn_dec.c +++ b/crypto/openssl/crypto/asn1/tasn_dec.c @@ -168,7 +168,7 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, int i; int otag; int ret = 0; - ASN1_VALUE *pchval, **pchptr, *ptmpval; + ASN1_VALUE **pchptr, *ptmpval; if (!pval) return 0; if (aux && aux->asn1_cb) @@ -319,7 +319,6 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, goto err; } /* CHOICE type, try each possibility in turn */ - pchval = NULL; p = *in; for (i = 0, tt=it->templates; i < it->tcount; i++, tt++) { diff --git a/crypto/openssl/crypto/asn1/x_x509.c b/crypto/openssl/crypto/asn1/x_x509.c index dafd3cc921..de3df9eb51 100644 --- a/crypto/openssl/crypto/asn1/x_x509.c +++ b/crypto/openssl/crypto/asn1/x_x509.c @@ -63,7 +63,7 @@ #include #include -ASN1_SEQUENCE(X509_CINF) = { +ASN1_SEQUENCE_enc(X509_CINF, enc, 0) = { ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0), ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER), ASN1_SIMPLE(X509_CINF, signature, X509_ALGOR), @@ -74,7 +74,7 @@ ASN1_SEQUENCE(X509_CINF) = { ASN1_IMP_OPT(X509_CINF, issuerUID, ASN1_BIT_STRING, 1), ASN1_IMP_OPT(X509_CINF, subjectUID, ASN1_BIT_STRING, 2), ASN1_EXP_SEQUENCE_OF_OPT(X509_CINF, extensions, X509_EXTENSION, 3) -} ASN1_SEQUENCE_END(X509_CINF) +} ASN1_SEQUENCE_END_enc(X509_CINF, X509_CINF) IMPLEMENT_ASN1_FUNCTIONS(X509_CINF) /* X509 top level structure needs a bit of customisation */ diff --git a/crypto/openssl/crypto/bio/bf_nbio.c b/crypto/openssl/crypto/bio/bf_nbio.c index c72a23c2e1..028616c064 100644 --- a/crypto/openssl/crypto/bio/bf_nbio.c +++ b/crypto/openssl/crypto/bio/bf_nbio.c @@ -125,7 +125,6 @@ static int nbiof_free(BIO *a) static int nbiof_read(BIO *b, char *out, int outl) { - NBIO_TEST *nt; int ret=0; #if 1 int num; @@ -134,7 +133,6 @@ static int nbiof_read(BIO *b, char *out, int outl) if (out == NULL) return(0); if (b->next_bio == NULL) return(0); - nt=(NBIO_TEST *)b->ptr; BIO_clear_retry_flags(b); #if 1 diff --git a/crypto/openssl/crypto/bio/bio_lib.c b/crypto/openssl/crypto/bio/bio_lib.c index 77f4de9c32..e12bc3a2ca 100644 --- a/crypto/openssl/crypto/bio/bio_lib.c +++ b/crypto/openssl/crypto/bio/bio_lib.c @@ -110,7 +110,7 @@ int BIO_set(BIO *bio, BIO_METHOD *method) int BIO_free(BIO *a) { - int ret=0,i; + int i; if (a == NULL) return(0); @@ -133,7 +133,7 @@ int BIO_free(BIO *a) CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, a, &a->ex_data); if ((a->method == NULL) || (a->method->destroy == NULL)) return(1); - ret=a->method->destroy(a); + a->method->destroy(a); OPENSSL_free(a); return(1); } diff --git a/crypto/openssl/crypto/bio/bss_acpt.c b/crypto/openssl/crypto/bio/bss_acpt.c index 826f761143..5d49e1a72b 100644 --- a/crypto/openssl/crypto/bio/bss_acpt.c +++ b/crypto/openssl/crypto/bio/bss_acpt.c @@ -340,7 +340,6 @@ static int acpt_write(BIO *b, const char *in, int inl) static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr) { - BIO *dbio; int *ip; long ret=1; BIO_ACCEPT *data; @@ -437,8 +436,8 @@ static long acpt_ctrl(BIO *b, int cmd, long num, void *ptr) ret=(long)data->bind_mode; break; case BIO_CTRL_DUP: - dbio=(BIO *)ptr; -/* if (data->param_port) EAY EAY +/* dbio=(BIO *)ptr; + if (data->param_port) EAY EAY BIO_set_port(dbio,data->param_port); if (data->param_hostname) BIO_set_hostname(dbio,data->param_hostname); diff --git a/crypto/openssl/crypto/bn/bn_exp2.c b/crypto/openssl/crypto/bn/bn_exp2.c index b3f43cec8c..bd0c34b91b 100644 --- a/crypto/openssl/crypto/bn/bn_exp2.c +++ b/crypto/openssl/crypto/bn/bn_exp2.c @@ -301,7 +301,8 @@ int BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, r_is_one = 0; } } - BN_from_montgomery(rr,r,mont,ctx); + if (!BN_from_montgomery(rr,r,mont,ctx)) + goto err; ret=1; err: if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont); diff --git a/crypto/openssl/crypto/bn/bn_mul.c b/crypto/openssl/crypto/bn/bn_mul.c index a0e9ec3b46..12e5be80eb 100644 --- a/crypto/openssl/crypto/bn/bn_mul.c +++ b/crypto/openssl/crypto/bn/bn_mul.c @@ -551,7 +551,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n, int tna, int tnb, BN_ULONG *t) { int i,j,n2=n*2; - int c1,c2,neg,zero; + int c1,c2,neg; BN_ULONG ln,lo,*p; # ifdef BN_COUNT @@ -567,7 +567,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n, /* r=(a[0]-a[1])*(b[1]-b[0]) */ c1=bn_cmp_part_words(a,&(a[n]),tna,n-tna); c2=bn_cmp_part_words(&(b[n]),b,tnb,tnb-n); - zero=neg=0; + neg=0; switch (c1*3+c2) { case -4: @@ -575,7 +575,6 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n, bn_sub_part_words(&(t[n]),b, &(b[n]),tnb,n-tnb); /* - */ break; case -3: - zero=1; /* break; */ case -2: bn_sub_part_words(t, &(a[n]),a, tna,tna-n); /* - */ @@ -585,7 +584,6 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n, case -1: case 0: case 1: - zero=1; /* break; */ case 2: bn_sub_part_words(t, a, &(a[n]),tna,n-tna); /* + */ @@ -593,7 +591,6 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n, neg=1; break; case 3: - zero=1; /* break; */ case 4: bn_sub_part_words(t, a, &(a[n]),tna,n-tna); @@ -1012,7 +1009,6 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { if (i >= -1 && i <= 1) { - int sav_j =0; /* Find out the power of two lower or equal to the longest of the two numbers */ if (i >= 0) @@ -1023,7 +1019,6 @@ int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { j = BN_num_bits_word((BN_ULONG)bl); } - sav_j = j; j = 1<<(j-1); assert(j <= al || j <= bl); k = j+j; diff --git a/crypto/openssl/crypto/conf/conf_api.c b/crypto/openssl/crypto/conf/conf_api.c index 22617e5fa1..0c1ee2b738 100644 --- a/crypto/openssl/crypto/conf/conf_api.c +++ b/crypto/openssl/crypto/conf/conf_api.c @@ -285,7 +285,7 @@ CONF_VALUE *_CONF_new_section(CONF *conf, const char *section) v->value=(char *)sk; vv=lh_CONF_VALUE_insert(conf->data,v); - assert(vv == NULL); + OPENSSL_assert(vv == NULL); ok=1; err: if (!ok) diff --git a/crypto/openssl/crypto/conf/conf_def.c b/crypto/openssl/crypto/conf/conf_def.c index 0b571b0394..cf951320af 100644 --- a/crypto/openssl/crypto/conf/conf_def.c +++ b/crypto/openssl/crypto/conf/conf_def.c @@ -213,13 +213,12 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) int bufnum=0,i,ii; BUF_MEM *buff=NULL; char *s,*p,*end; - int again,n; + int again; long eline=0; char btmp[DECIMAL_SIZE(eline)+1]; CONF_VALUE *v=NULL,*tv; CONF_VALUE *sv=NULL; char *section=NULL,*buf; - STACK_OF(CONF_VALUE) *section_sk=NULL,*ts; char *start,*psection,*pname; void *h = (void *)(conf->data); @@ -250,7 +249,6 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) CONF_R_UNABLE_TO_CREATE_NEW_SECTION); goto err; } - section_sk=(STACK_OF(CONF_VALUE) *)sv->value; bufnum=0; again=0; @@ -309,7 +307,6 @@ static int def_load_bio(CONF *conf, BIO *in, long *line) buf=buff->data; clear_comments(conf, buf); - n=strlen(buf); s=eat_ws(conf, buf); if (IS_EOF(conf,*s)) continue; /* blank line */ if (*s == '[') @@ -343,7 +340,6 @@ again: CONF_R_UNABLE_TO_CREATE_NEW_SECTION); goto err; } - section_sk=(STACK_OF(CONF_VALUE) *)sv->value; continue; } else @@ -406,13 +402,9 @@ again: CONF_R_UNABLE_TO_CREATE_NEW_SECTION); goto err; } - ts=(STACK_OF(CONF_VALUE) *)tv->value; } else - { tv=sv; - ts=section_sk; - } #if 1 if (_CONF_add_string(conf, tv, v) == 0) { @@ -465,9 +457,6 @@ err: static void clear_comments(CONF *conf, char *p) { - char *to; - - to=p; for (;;) { if (IS_FCOMMENT(conf,*p)) diff --git a/crypto/openssl/crypto/dsa/dsa_gen.c b/crypto/openssl/crypto/dsa/dsa_gen.c index 0fcd25f8b0..cb0b4538a4 100644 --- a/crypto/openssl/crypto/dsa/dsa_gen.c +++ b/crypto/openssl/crypto/dsa/dsa_gen.c @@ -120,7 +120,7 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, BIGNUM *r0,*W,*X,*c,*test; BIGNUM *g=NULL,*q=NULL,*p=NULL; BN_MONT_CTX *mont=NULL; - int i, k,n=0,b,m=0, qsize = qbits >> 3; + int i, k, n=0, m=0, qsize = qbits >> 3; int counter=0; int r=0; BN_CTX *ctx=NULL; @@ -232,7 +232,6 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, /* "offset = 2" */ n=(bits-1)/160; - b=(bits-1)-n*160; for (;;) { diff --git a/crypto/openssl/crypto/dsa/dsa_ossl.c b/crypto/openssl/crypto/dsa/dsa_ossl.c index 4fead07e80..1fb665ec57 100644 --- a/crypto/openssl/crypto/dsa/dsa_ossl.c +++ b/crypto/openssl/crypto/dsa/dsa_ossl.c @@ -185,7 +185,7 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) if (!BN_mod_mul(&xr,dsa->priv_key,r,dsa->q,ctx)) goto err;/* s = xr */ if (!BN_add(s, &xr, &m)) goto err; /* s = m + xr */ if (BN_cmp(s,dsa->q) > 0) - BN_sub(s,s,dsa->q); + if (!BN_sub(s,s,dsa->q)) goto err; if (!BN_mod_mul(s,s,kinv,dsa->q,ctx)) goto err; ret=DSA_SIG_new(); diff --git a/crypto/openssl/crypto/ec/ec2_mult.c b/crypto/openssl/crypto/ec/ec2_mult.c index ab631a50a2..e12b9b284a 100644 --- a/crypto/openssl/crypto/ec/ec2_mult.c +++ b/crypto/openssl/crypto/ec/ec2_mult.c @@ -319,6 +319,7 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, int ret = 0; size_t i; EC_POINT *p=NULL; + EC_POINT *acc = NULL; if (ctx == NULL) { @@ -338,15 +339,16 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, } if ((p = EC_POINT_new(group)) == NULL) goto err; + if ((acc = EC_POINT_new(group)) == NULL) goto err; - if (!EC_POINT_set_to_infinity(group, r)) goto err; + if (!EC_POINT_set_to_infinity(group, acc)) goto err; if (scalar) { if (!ec_GF2m_montgomery_point_multiply(group, p, scalar, group->generator, ctx)) goto err; - if (BN_is_negative(scalar)) + if (BN_is_negative(scalar)) if (!group->meth->invert(group, p, ctx)) goto err; - if (!group->meth->add(group, r, r, p, ctx)) goto err; + if (!group->meth->add(group, acc, acc, p, ctx)) goto err; } for (i = 0; i < num; i++) @@ -354,13 +356,16 @@ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, if (!ec_GF2m_montgomery_point_multiply(group, p, scalars[i], points[i], ctx)) goto err; if (BN_is_negative(scalars[i])) if (!group->meth->invert(group, p, ctx)) goto err; - if (!group->meth->add(group, r, r, p, ctx)) goto err; + if (!group->meth->add(group, acc, acc, p, ctx)) goto err; } + if (!EC_POINT_copy(r, acc)) goto err; + ret = 1; err: if (p) EC_POINT_free(p); + if (acc) EC_POINT_free(acc); if (new_ctx != NULL) BN_CTX_free(new_ctx); return ret; diff --git a/crypto/openssl/crypto/ec/ec_mult.c b/crypto/openssl/crypto/ec/ec_mult.c index f05df5332e..19f21675fb 100644 --- a/crypto/openssl/crypto/ec/ec_mult.c +++ b/crypto/openssl/crypto/ec/ec_mult.c @@ -169,11 +169,13 @@ static void ec_pre_comp_clear_free(void *pre_) EC_POINT **p; for (p = pre->points; *p != NULL; p++) + { EC_POINT_clear_free(*p); - OPENSSL_cleanse(pre->points, sizeof pre->points); + OPENSSL_cleanse(p, sizeof *p); + } OPENSSL_free(pre->points); } - OPENSSL_cleanse(pre, sizeof pre); + OPENSSL_cleanse(pre, sizeof *pre); OPENSSL_free(pre); } diff --git a/crypto/openssl/crypto/ecdh/ech_lib.c b/crypto/openssl/crypto/ecdh/ech_lib.c index e89b1d4772..4d8ea03d3d 100644 --- a/crypto/openssl/crypto/ecdh/ech_lib.c +++ b/crypto/openssl/crypto/ecdh/ech_lib.c @@ -96,7 +96,6 @@ const ECDH_METHOD *ECDH_get_default_method(void) int ECDH_set_method(EC_KEY *eckey, const ECDH_METHOD *meth) { - const ECDH_METHOD *mtmp; ECDH_DATA *ecdh; ecdh = ecdh_check(eckey); @@ -104,8 +103,8 @@ int ECDH_set_method(EC_KEY *eckey, const ECDH_METHOD *meth) if (ecdh == NULL) return 0; - mtmp = ecdh->meth; #if 0 + mtmp = ecdh->meth; if (mtmp->finish) mtmp->finish(eckey); #endif diff --git a/crypto/openssl/crypto/ecdsa/ecs_lib.c b/crypto/openssl/crypto/ecdsa/ecs_lib.c index 85e8a3a7ed..2ebae3aa27 100644 --- a/crypto/openssl/crypto/ecdsa/ecs_lib.c +++ b/crypto/openssl/crypto/ecdsa/ecs_lib.c @@ -83,7 +83,6 @@ const ECDSA_METHOD *ECDSA_get_default_method(void) int ECDSA_set_method(EC_KEY *eckey, const ECDSA_METHOD *meth) { - const ECDSA_METHOD *mtmp; ECDSA_DATA *ecdsa; ecdsa = ecdsa_check(eckey); @@ -91,7 +90,6 @@ int ECDSA_set_method(EC_KEY *eckey, const ECDSA_METHOD *meth) if (ecdsa == NULL) return 0; - mtmp = ecdsa->meth; #ifndef OPENSSL_NO_ENGINE if (ecdsa->engine) { diff --git a/crypto/openssl/crypto/evp/encode.c b/crypto/openssl/crypto/evp/encode.c index b42c747249..28546a84bc 100644 --- a/crypto/openssl/crypto/evp/encode.c +++ b/crypto/openssl/crypto/evp/encode.c @@ -235,7 +235,7 @@ void EVP_DecodeInit(EVP_ENCODE_CTX *ctx) int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { - int seof= -1,eof=0,rv= -1,ret=0,i,v,tmp,n,ln,tmp2,exp_nl; + int seof= -1,eof=0,rv= -1,ret=0,i,v,tmp,n,ln,exp_nl; unsigned char *d; n=ctx->num; @@ -319,7 +319,6 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, * lines. We process the line and then need to * accept the '\n' */ if ((v != B64_EOF) && (n >= 64)) exp_nl=1; - tmp2=v; if (n > 0) { v=EVP_DecodeBlock(out,d,n); diff --git a/crypto/openssl/crypto/evp/evp_enc.c b/crypto/openssl/crypto/evp/evp_enc.c index bead6a2170..c268d25cb4 100644 --- a/crypto/openssl/crypto/evp/evp_enc.c +++ b/crypto/openssl/crypto/evp/evp_enc.c @@ -204,6 +204,7 @@ skip_to_init: case EVP_CIPH_OFB_MODE: ctx->num = 0; + /* fall-through */ case EVP_CIPH_CBC_MODE: diff --git a/crypto/openssl/crypto/evp/pmeth_lib.c b/crypto/openssl/crypto/evp/pmeth_lib.c index b2d8de3a8d..5481d4b8a5 100644 --- a/crypto/openssl/crypto/evp/pmeth_lib.c +++ b/crypto/openssl/crypto/evp/pmeth_lib.c @@ -134,6 +134,8 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) id = pkey->ameth->pkey_id; } #ifndef OPENSSL_NO_ENGINE + if (pkey && pkey->engine) + e = pkey->engine; /* Try to find an ENGINE which implements this method */ if (e) { diff --git a/crypto/openssl/crypto/hmac/hmac.c b/crypto/openssl/crypto/hmac/hmac.c index 45015fe754..6c98fc43a3 100644 --- a/crypto/openssl/crypto/hmac/hmac.c +++ b/crypto/openssl/crypto/hmac/hmac.c @@ -138,12 +138,9 @@ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) { - int j; unsigned int i; unsigned char buf[EVP_MAX_MD_SIZE]; - j=EVP_MD_block_size(ctx->md); - if (!EVP_DigestFinal_ex(&ctx->md_ctx,buf,&i)) goto err; if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx,&ctx->o_ctx)) diff --git a/crypto/openssl/crypto/md32_common.h b/crypto/openssl/crypto/md32_common.h index 1cb783944e..bb7381952a 100644 --- a/crypto/openssl/crypto/md32_common.h +++ b/crypto/openssl/crypto/md32_common.h @@ -165,7 +165,7 @@ asm ( \ "roll %1,%0" \ : "=r"(ret) \ - : "I"(n), "0"(a) \ + : "I"(n), "0"((unsigned int)(a)) \ : "cc"); \ ret; \ }) @@ -383,6 +383,7 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c) } #ifndef MD32_REG_T +#if defined(__alpha) || defined(__sparcv9) || defined(__mips) #define MD32_REG_T long /* * This comment was originaly written for MD5, which is why it @@ -400,9 +401,15 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c) * Well, to be honest it should say that this *prevents* * performance degradation. * - * Apparently there're LP64 compilers that generate better - * code if A-D are declared int. Most notably GCC-x86_64 - * generates better code. + */ +#else +/* + * Above is not absolute and there are LP64 compilers that + * generate better code if MD32_REG_T is defined int. The above + * pre-processor condition reflects the circumstances under which + * the conclusion was made and is subject to further extension. * */ +#define MD32_REG_T int +#endif #endif diff --git a/crypto/openssl/crypto/ocsp/ocsp_ht.c b/crypto/openssl/crypto/ocsp/ocsp_ht.c index 12bbfcffd1..af5fc16691 100644 --- a/crypto/openssl/crypto/ocsp/ocsp_ht.c +++ b/crypto/openssl/crypto/ocsp/ocsp_ht.c @@ -397,11 +397,12 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) case OHS_ASN1_HEADER: - /* Now reading ASN1 header: can read at least 6 bytes which - * is more than enough for any valid ASN1 SEQUENCE header + /* Now reading ASN1 header: can read at least 2 bytes which + * is enough for ASN1 SEQUENCE header and either length field + * or at least the length of the length field. */ n = BIO_get_mem_data(rctx->mem, &p); - if (n < 6) + if (n < 2) goto next_io; /* Check it is an ASN1 SEQUENCE */ @@ -414,6 +415,11 @@ int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx) /* Check out length field */ if (*p & 0x80) { + /* If MSB set on initial length octet we can now + * always read 6 octets: make sure we have them. + */ + if (n < 6) + goto next_io; n = *p & 0x7F; /* Not NDEF or excessive length */ if (!n || (n > 4)) diff --git a/crypto/openssl/crypto/ocsp/ocsp_prn.c b/crypto/openssl/crypto/ocsp/ocsp_prn.c index 1695c9c4ad..87608ff399 100644 --- a/crypto/openssl/crypto/ocsp/ocsp_prn.c +++ b/crypto/openssl/crypto/ocsp/ocsp_prn.c @@ -182,7 +182,6 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags) { int i, ret = 0; long l; - unsigned char *p; OCSP_CERTID *cid = NULL; OCSP_BASICRESP *br = NULL; OCSP_RESPID *rid = NULL; @@ -207,7 +206,6 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags) return 1; } - p = ASN1_STRING_data(rb->response); i = ASN1_STRING_length(rb->response); if (!(br = OCSP_response_get1_basic(o))) goto err; rd = br->tbsResponseData; diff --git a/crypto/openssl/crypto/opensslv.h b/crypto/openssl/crypto/opensslv.h index 2fb110fa0e..6c66aee4bc 100644 --- a/crypto/openssl/crypto/opensslv.h +++ b/crypto/openssl/crypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x1000001fL +#define OPENSSL_VERSION_NUMBER 0x1000002f #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0a-fips 1 Jun 2010" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0b-fips 16 Nov 2010" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0a 1 Jun 2010" +#define OPENSSL_VERSION_TEXT "OpenSSL 1.0.0b 16 Nov 2010" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/openssl/crypto/pem/pem_lib.c b/crypto/openssl/crypto/pem/pem_lib.c index 42e4861bc1..cfc89a9921 100644 --- a/crypto/openssl/crypto/pem/pem_lib.c +++ b/crypto/openssl/crypto/pem/pem_lib.c @@ -482,7 +482,6 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen, int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher) { - int o; const EVP_CIPHER *enc=NULL; char *p,c; char **header_pp = &header; @@ -522,7 +521,6 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher) header++; } *header='\0'; - o=OBJ_sn2nid(p); cipher->cipher=enc=EVP_get_cipherbyname(p); *header=c; header++; diff --git a/crypto/openssl/crypto/pem/pvkfmt.c b/crypto/openssl/crypto/pem/pvkfmt.c index d998a67fa5..5f130c4528 100644 --- a/crypto/openssl/crypto/pem/pvkfmt.c +++ b/crypto/openssl/crypto/pem/pvkfmt.c @@ -662,7 +662,7 @@ static int do_PVK_header(const unsigned char **in, unsigned int length, { const unsigned char *p = *in; - unsigned int pvk_magic, keytype, is_encrypted; + unsigned int pvk_magic, is_encrypted; if (skip_magic) { if (length < 20) @@ -689,7 +689,7 @@ static int do_PVK_header(const unsigned char **in, unsigned int length, } /* Skip reserved */ p += 4; - keytype = read_ledword(&p); + /*keytype = */read_ledword(&p); is_encrypted = read_ledword(&p); *psaltlen = read_ledword(&p); *pkeylen = read_ledword(&p); @@ -839,7 +839,7 @@ EVP_PKEY *b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u) static int i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb, void *u) { - int outlen = 24, noinc, pklen; + int outlen = 24, pklen; unsigned char *p, *salt = NULL; if (enclevel) outlen += PVK_SALTLEN; @@ -850,10 +850,7 @@ static int i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, if (!out) return outlen; if (*out) - { p = *out; - noinc = 0; - } else { p = OPENSSL_malloc(outlen); @@ -863,7 +860,6 @@ static int i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, return -1; } *out = p; - noinc = 1; } write_ledword(&p, MS_PVKMAGIC); diff --git a/crypto/openssl/crypto/pkcs12/p12_key.c b/crypto/openssl/crypto/pkcs12/p12_key.c index a29794bbbc..424203f648 100644 --- a/crypto/openssl/crypto/pkcs12/p12_key.c +++ b/crypto/openssl/crypto/pkcs12/p12_key.c @@ -107,6 +107,7 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, unsigned char *B, *D, *I, *p, *Ai; int Slen, Plen, Ilen, Ijlen; int i, j, u, v; + int ret = 0; BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */ EVP_MD_CTX ctx; #ifdef DEBUG_KEYGEN @@ -144,10 +145,8 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, I = OPENSSL_malloc (Ilen); Ij = BN_new(); Bpl1 = BN_new(); - if (!D || !Ai || !B || !I || !Ij || !Bpl1) { - PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE); - return 0; - } + if (!D || !Ai || !B || !I || !Ij || !Bpl1) + goto err; for (i = 0; i < v; i++) D[i] = id; p = I; for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen]; @@ -164,28 +163,22 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, } memcpy (out, Ai, min (n, u)); if (u >= n) { - OPENSSL_free (Ai); - OPENSSL_free (B); - OPENSSL_free (D); - OPENSSL_free (I); - BN_free (Ij); - BN_free (Bpl1); - EVP_MD_CTX_cleanup(&ctx); #ifdef DEBUG_KEYGEN fprintf(stderr, "Output KEY (length %d)\n", tmpn); h__dump(tmpout, tmpn); #endif - return 1; + ret = 1; + goto end; } n -= u; out += u; for (j = 0; j < v; j++) B[j] = Ai[j % u]; /* Work out B + 1 first then can use B as tmp space */ - BN_bin2bn (B, v, Bpl1); - BN_add_word (Bpl1, 1); + if (!BN_bin2bn (B, v, Bpl1)) goto err; + if (!BN_add_word (Bpl1, 1)) goto err; for (j = 0; j < Ilen ; j+=v) { - BN_bin2bn (I + j, v, Ij); - BN_add (Ij, Ij, Bpl1); + if (!BN_bin2bn (I + j, v, Ij)) goto err; + if (!BN_add (Ij, Ij, Bpl1)) goto err; BN_bn2bin (Ij, B); Ijlen = BN_num_bytes (Ij); /* If more than 2^(v*8) - 1 cut off MSB */ @@ -201,6 +194,19 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, } else BN_bn2bin (Ij, I + j); } } + +err: + PKCS12err(PKCS12_F_PKCS12_KEY_GEN_UNI,ERR_R_MALLOC_FAILURE); + +end: + OPENSSL_free (Ai); + OPENSSL_free (B); + OPENSSL_free (D); + OPENSSL_free (I); + BN_free (Ij); + BN_free (Bpl1); + EVP_MD_CTX_cleanup(&ctx); + return ret; } #ifdef DEBUG_KEYGEN void h__dump (unsigned char *p, int len) diff --git a/crypto/openssl/crypto/pkcs7/pk7_doit.c b/crypto/openssl/crypto/pkcs7/pk7_doit.c index 451de84489..3bf1a367bb 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_doit.c +++ b/crypto/openssl/crypto/pkcs7/pk7_doit.c @@ -422,7 +422,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) X509_ALGOR *enc_alg=NULL; STACK_OF(X509_ALGOR) *md_sk=NULL; STACK_OF(PKCS7_RECIP_INFO) *rsk=NULL; - X509_ALGOR *xalg=NULL; PKCS7_RECIP_INFO *ri=NULL; i=OBJ_obj2nid(p7->type); @@ -445,7 +444,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } - xalg=p7->d.signed_and_enveloped->enc_data->algorithm; break; case NID_pkcs7_enveloped: rsk=p7->d.enveloped->recipientinfo; @@ -457,7 +455,6 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CIPHER_TYPE); goto err; } - xalg=p7->d.enveloped->enc_data->algorithm; break; default: PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_UNSUPPORTED_CONTENT_TYPE); diff --git a/crypto/openssl/crypto/pkcs7/pk7_lib.c b/crypto/openssl/crypto/pkcs7/pk7_lib.c index 3ca0952792..d411269b50 100644 --- a/crypto/openssl/crypto/pkcs7/pk7_lib.c +++ b/crypto/openssl/crypto/pkcs7/pk7_lib.c @@ -591,7 +591,6 @@ X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si) int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher) { int i; - ASN1_OBJECT *objtmp; PKCS7_ENC_CONTENT *ec; i=OBJ_obj2nid(p7->type); @@ -614,7 +613,6 @@ int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher) PKCS7err(PKCS7_F_PKCS7_SET_CIPHER,PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER); return(0); } - objtmp = OBJ_nid2obj(i); ec->cipher = cipher; return 1; diff --git a/crypto/openssl/crypto/pqueue/pqueue.c b/crypto/openssl/crypto/pqueue/pqueue.c index 99a6fb874d..eab13a1250 100644 --- a/crypto/openssl/crypto/pqueue/pqueue.c +++ b/crypto/openssl/crypto/pqueue/pqueue.c @@ -167,14 +167,13 @@ pqueue_pop(pqueue_s *pq) pitem * pqueue_find(pqueue_s *pq, unsigned char *prio64be) { - pitem *next, *prev = NULL; + pitem *next; pitem *found = NULL; if ( pq->items == NULL) return NULL; - for ( next = pq->items; next->next != NULL; - prev = next, next = next->next) + for ( next = pq->items; next->next != NULL; next = next->next) { if ( memcmp(next->priority, prio64be,8) == 0) { diff --git a/crypto/openssl/crypto/rand/md_rand.c b/crypto/openssl/crypto/rand/md_rand.c index 88088ce73c..b2f04ff13e 100644 --- a/crypto/openssl/crypto/rand/md_rand.c +++ b/crypto/openssl/crypto/rand/md_rand.c @@ -476,11 +476,14 @@ static int ssleay_rand_bytes(unsigned char *buf, int num) MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c)); #ifndef PURIFY /* purify complains */ - /* DO NOT REMOVE THE FOLLOWING CALL TO MD_Update()! */ + /* The following line uses the supplied buffer as a small + * source of entropy: since this buffer is often uninitialised + * it may cause programs such as purify or valgrind to + * complain. So for those builds it is not used: the removal + * of such a small source of entropy has negligible impact on + * security. + */ MD_Update(&m,buf,j); - /* We know that line may cause programs such as - purify and valgrind to complain about use of - uninitialized data. */ #endif k=(st_idx+MD_DIGEST_LENGTH/2)-st_num; diff --git a/crypto/openssl/crypto/rand/rand_nw.c b/crypto/openssl/crypto/rand/rand_nw.c index f177ffbe82..8d5b8d2e32 100644 --- a/crypto/openssl/crypto/rand/rand_nw.c +++ b/crypto/openssl/crypto/rand/rand_nw.c @@ -160,8 +160,8 @@ int RAND_poll(void) rdtsc mov tsc, eax } -#else - asm volatile("rdtsc":"=A" (tsc)); +#elif defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) + asm volatile("rdtsc":"=a"(tsc)::"edx"); #endif RAND_add(&tsc, sizeof(tsc), 1); diff --git a/crypto/openssl/crypto/rand/randfile.c b/crypto/openssl/crypto/rand/randfile.c index 4ed40b7b70..678b0fe0d6 100644 --- a/crypto/openssl/crypto/rand/randfile.c +++ b/crypto/openssl/crypto/rand/randfile.c @@ -269,7 +269,6 @@ err: const char *RAND_file_name(char *buf, size_t size) { char *s=NULL; - int ok = 0; #ifdef __OpenBSD__ struct stat sb; #endif @@ -298,7 +297,6 @@ const char *RAND_file_name(char *buf, size_t size) BUF_strlcat(buf,"/",size); #endif BUF_strlcat(buf,RFILE,size); - ok = 1; } else buf[0] = '\0'; /* no file name */ diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c index c5eaeeae6b..7c941885f0 100644 --- a/crypto/openssl/crypto/rsa/rsa_eay.c +++ b/crypto/openssl/crypto/rsa/rsa_eay.c @@ -675,7 +675,7 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from, rsa->_method_mod_n)) goto err; if ((padding == RSA_X931_PADDING) && ((ret->d[0] & 0xf) != 12)) - BN_sub(ret, rsa->n, ret); + if (!BN_sub(ret, rsa->n, ret)) goto err; p=buf; i=BN_bn2bin(ret,p); diff --git a/crypto/openssl/crypto/stack/safestack.h b/crypto/openssl/crypto/stack/safestack.h index 891cb84a51..da59178c16 100644 --- a/crypto/openssl/crypto/stack/safestack.h +++ b/crypto/openssl/crypto/stack/safestack.h @@ -2030,6 +2030,31 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define sk_void_sort(st) SKM_sk_sort(void, (st)) #define sk_void_is_sorted(st) SKM_sk_is_sorted(void, (st)) +#define sk_OPENSSL_STRING_new(cmp) ((STACK_OF(OPENSSL_STRING) *)sk_new(CHECKED_SK_CMP_FUNC(char, cmp))) +#define sk_OPENSSL_STRING_new_null() ((STACK_OF(OPENSSL_STRING) *)sk_new_null()) +#define sk_OPENSSL_STRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val)) +#define sk_OPENSSL_STRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val)) +#define sk_OPENSSL_STRING_value(st, i) ((OPENSSL_STRING)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i)) +#define sk_OPENSSL_STRING_num(st) SKM_sk_num(OPENSSL_STRING, st) +#define sk_OPENSSL_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_FREE_FUNC2(OPENSSL_STRING, free_func)) +#define sk_OPENSSL_STRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val), i) +#define sk_OPENSSL_STRING_free(st) SKM_sk_free(OPENSSL_STRING, st) +#define sk_OPENSSL_STRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i, CHECKED_PTR_OF(char, val)) +#define sk_OPENSSL_STRING_zero(st) SKM_sk_zero(OPENSSL_STRING, (st)) +#define sk_OPENSSL_STRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val)) +#define sk_OPENSSL_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_CONST_PTR_OF(char, val)) +#define sk_OPENSSL_STRING_delete(st, i) SKM_sk_delete(OPENSSL_STRING, (st), (i)) +#define sk_OPENSSL_STRING_delete_ptr(st, ptr) (OPENSSL_STRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, ptr)) +#define sk_OPENSSL_STRING_set_cmp_func(st, cmp) \ + ((int (*)(const char * const *,const char * const *)) \ + sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_CMP_FUNC(char, cmp))) +#define sk_OPENSSL_STRING_dup(st) SKM_sk_dup(OPENSSL_STRING, st) +#define sk_OPENSSL_STRING_shift(st) SKM_sk_shift(OPENSSL_STRING, (st)) +#define sk_OPENSSL_STRING_pop(st) (char *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st)) +#define sk_OPENSSL_STRING_sort(st) SKM_sk_sort(OPENSSL_STRING, (st)) +#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st)) + + #define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp))) #define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null()) #define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_BLOCK), st), CHECKED_PTR_OF(void, val)) @@ -2080,31 +2105,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define sk_OPENSSL_PSTRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_PSTRING, (st)) -#define sk_OPENSSL_STRING_new(cmp) ((STACK_OF(OPENSSL_STRING) *)sk_new(CHECKED_SK_CMP_FUNC(char, cmp))) -#define sk_OPENSSL_STRING_new_null() ((STACK_OF(OPENSSL_STRING) *)sk_new_null()) -#define sk_OPENSSL_STRING_push(st, val) sk_push(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val)) -#define sk_OPENSSL_STRING_find(st, val) sk_find(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val)) -#define sk_OPENSSL_STRING_value(st, i) ((OPENSSL_STRING)sk_value(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i)) -#define sk_OPENSSL_STRING_num(st) SKM_sk_num(OPENSSL_STRING, st) -#define sk_OPENSSL_STRING_pop_free(st, free_func) sk_pop_free(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_FREE_FUNC2(OPENSSL_STRING, free_func)) -#define sk_OPENSSL_STRING_insert(st, val, i) sk_insert(CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val), i) -#define sk_OPENSSL_STRING_free(st) SKM_sk_free(OPENSSL_STRING, st) -#define sk_OPENSSL_STRING_set(st, i, val) sk_set((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), i, CHECKED_PTR_OF(char, val)) -#define sk_OPENSSL_STRING_zero(st) SKM_sk_zero(OPENSSL_STRING, (st)) -#define sk_OPENSSL_STRING_unshift(st, val) sk_unshift((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, val)) -#define sk_OPENSSL_STRING_find_ex(st, val) sk_find_ex((_STACK *)CHECKED_CONST_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_CONST_PTR_OF(char, val)) -#define sk_OPENSSL_STRING_delete(st, i) SKM_sk_delete(OPENSSL_STRING, (st), (i)) -#define sk_OPENSSL_STRING_delete_ptr(st, ptr) (OPENSSL_STRING *)sk_delete_ptr((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_PTR_OF(char, ptr)) -#define sk_OPENSSL_STRING_set_cmp_func(st, cmp) \ - ((int (*)(const char * const *,const char * const *)) \ - sk_set_cmp_func((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st), CHECKED_SK_CMP_FUNC(char, cmp))) -#define sk_OPENSSL_STRING_dup(st) SKM_sk_dup(OPENSSL_STRING, st) -#define sk_OPENSSL_STRING_shift(st) SKM_sk_shift(OPENSSL_STRING, (st)) -#define sk_OPENSSL_STRING_pop(st) (char *)sk_pop((_STACK *)CHECKED_PTR_OF(STACK_OF(OPENSSL_STRING), st)) -#define sk_OPENSSL_STRING_sort(st) SKM_sk_sort(OPENSSL_STRING, (st)) -#define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st)) - - #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) #define i2d_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, i2d_func, ex_tag, ex_class, is_set) \ diff --git a/crypto/openssl/crypto/x509/x509.h b/crypto/openssl/crypto/x509/x509.h index 604f4fb27f..e6f8a40395 100644 --- a/crypto/openssl/crypto/x509/x509.h +++ b/crypto/openssl/crypto/x509/x509.h @@ -258,6 +258,7 @@ typedef struct x509_cinf_st ASN1_BIT_STRING *issuerUID; /* [ 1 ] optional in v2 */ ASN1_BIT_STRING *subjectUID; /* [ 2 ] optional in v2 */ STACK_OF(X509_EXTENSION) *extensions; /* [ 3 ] optional in v3 */ + ASN1_ENCODING enc; } X509_CINF; /* This stuff is certificate "auxiliary info" diff --git a/crypto/openssl/crypto/x509/x509_vfy.c b/crypto/openssl/crypto/x509/x509_vfy.c index 87ebf62525..bd6695d0c1 100644 --- a/crypto/openssl/crypto/x509/x509_vfy.c +++ b/crypto/openssl/crypto/x509/x509_vfy.c @@ -2034,7 +2034,7 @@ int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, if (store) ret = X509_VERIFY_PARAM_inherit(ctx->param, store->param); else - ctx->param->flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; + ctx->param->inh_flags |= X509_VP_FLAG_DEFAULT|X509_VP_FLAG_ONCE; if (store) { diff --git a/crypto/openssl/crypto/x509/x_all.c b/crypto/openssl/crypto/x509/x_all.c index ebae30b701..8ec88c215a 100644 --- a/crypto/openssl/crypto/x509/x_all.c +++ b/crypto/openssl/crypto/x509/x_all.c @@ -90,6 +90,7 @@ int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r) int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { + x->cert_info->enc.modified = 1; return(ASN1_item_sign(ASN1_ITEM_rptr(X509_CINF), x->cert_info->signature, x->sig_alg, x->signature, x->cert_info,pkey,md)); } diff --git a/crypto/openssl/crypto/x509v3/pcy_tree.c b/crypto/openssl/crypto/x509v3/pcy_tree.c index 92f6b24556..bb9777348f 100644 --- a/crypto/openssl/crypto/x509v3/pcy_tree.c +++ b/crypto/openssl/crypto/x509v3/pcy_tree.c @@ -341,9 +341,8 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache) { int i; - X509_POLICY_LEVEL *last; X509_POLICY_DATA *data; - last = curr - 1; + for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) { data = sk_X509_POLICY_DATA_value(cache->data, i); diff --git a/crypto/openssl/crypto/x509v3/v3_ncons.c b/crypto/openssl/crypto/x509v3/v3_ncons.c index 689df46acd..a01dc64dd2 100644 --- a/crypto/openssl/crypto/x509v3/v3_ncons.c +++ b/crypto/openssl/crypto/x509v3/v3_ncons.c @@ -189,7 +189,6 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, print_nc_ipadd(bp, tree->base->d.ip); else GENERAL_NAME_print(bp, tree->base); - tree = sk_GENERAL_SUBTREE_value(trees, i); BIO_puts(bp, "\n"); } return 1; diff --git a/crypto/openssl/doc/apps/smime.pod b/crypto/openssl/doc/apps/smime.pod index 42c0733bcb..e4e89af847 100644 --- a/crypto/openssl/doc/apps/smime.pod +++ b/crypto/openssl/doc/apps/smime.pod @@ -343,7 +343,7 @@ Create a cleartext signed message: openssl smime -sign -in message.txt -text -out mail.msg \ -signer mycert.pem -Create an opaque signed message +Create an opaque signed message: openssl smime -sign -in message.txt -text -out mail.msg -nodetach \ -signer mycert.pem @@ -397,11 +397,11 @@ it with: -----BEGIN PKCS7----- -----END PKCS7----- -and using the command, +and using the command: openssl smime -verify -inform PEM -in signature.pem -content content.txt -alternatively you can base64 decode the signature and use +Alternatively you can base64 decode the signature and use: openssl smime -verify -inform DER -in signature.der -content content.txt @@ -427,7 +427,7 @@ Ideally a database should be maintained of a certificates for each email address. The code doesn't currently take note of the permitted symmetric encryption -algorithms as supplied in the SMIMECapabilities signed attribute. this means the +algorithms as supplied in the SMIMECapabilities signed attribute. This means the user has to manually include the correct encryption algorithm. It should store the list of permitted ciphers in a database and only use those. diff --git a/crypto/openssl/engines/ccgost/gost_ameth.c b/crypto/openssl/engines/ccgost/gost_ameth.c index f620a216c8..e6c2839e5f 100644 --- a/crypto/openssl/engines/ccgost/gost_ameth.c +++ b/crypto/openssl/engines/ccgost/gost_ameth.c @@ -39,7 +39,7 @@ static ASN1_STRING *encode_gost_algor_params(const EVP_PKEY *key) ASN1_STRING *params = ASN1_STRING_new(); GOST_KEY_PARAMS *gkp = GOST_KEY_PARAMS_new(); int pkey_param_nid = NID_undef; - int cipher_param_nid = NID_undef; + if (!params || !gkp) { GOSTerr(GOST_F_ENCODE_GOST_ALGOR_PARAMS, @@ -52,7 +52,6 @@ static ASN1_STRING *encode_gost_algor_params(const EVP_PKEY *key) { case NID_id_GostR3410_2001: pkey_param_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(EVP_PKEY_get0((EVP_PKEY *)key))); - cipher_param_nid = get_encryption_params(NULL)->nid; break; case NID_id_GostR3410_94: pkey_param_nid = (int) gost94_nid_by_params(EVP_PKEY_get0((EVP_PKEY *)key)); @@ -64,7 +63,6 @@ static ASN1_STRING *encode_gost_algor_params(const EVP_PKEY *key) params=NULL; goto err; } - cipher_param_nid = get_encryption_params(NULL)->nid; break; } gkp->key_params = OBJ_nid2obj(pkey_param_nid); diff --git a/crypto/openssl/engines/e_chil.c b/crypto/openssl/engines/e_chil.c index 9c2729c96d..fdc2100e3d 100644 --- a/crypto/openssl/engines/e_chil.c +++ b/crypto/openssl/engines/e_chil.c @@ -1077,11 +1077,11 @@ static int hwcrhk_mod_exp_mont(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, static int hwcrhk_rsa_finish(RSA *rsa) { HWCryptoHook_RSAKeyHandle *hptr; - int ret; + hptr = RSA_get_ex_data(rsa, hndidx_rsa); if (hptr) { - ret = p_hwcrhk_RSAUnloadKey(*hptr, NULL); + p_hwcrhk_RSAUnloadKey(*hptr, NULL); OPENSSL_free(hptr); RSA_set_ex_data(rsa, hndidx_rsa, NULL); } diff --git a/crypto/openssl/engines/e_cswift.c b/crypto/openssl/engines/e_cswift.c index bc65179846..2e64ff3277 100644 --- a/crypto/openssl/engines/e_cswift.c +++ b/crypto/openssl/engines/e_cswift.c @@ -811,7 +811,6 @@ static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa) SW_PARAM sw_param; SW_STATUS sw_status; SW_LARGENUMBER arg, res; - unsigned char *ptr; BN_CTX *ctx; BIGNUM *dsa_p = NULL; BIGNUM *dsa_q = NULL; @@ -899,7 +898,6 @@ static DSA_SIG *cswift_dsa_sign(const unsigned char *dgst, int dlen, DSA *dsa) goto err; } /* Convert the response */ - ptr = (unsigned char *)result->d; if((to_return = DSA_SIG_new()) == NULL) goto err; to_return->r = BN_bin2bn((unsigned char *)result->d, 20, NULL); diff --git a/crypto/openssl/engines/e_ubsec.c b/crypto/openssl/engines/e_ubsec.c index 9b747b9aea..aa5709bd8c 100644 --- a/crypto/openssl/engines/e_ubsec.c +++ b/crypto/openssl/engines/e_ubsec.c @@ -630,10 +630,8 @@ static int ubsec_mod_exp_crt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *dq, const BIGNUM *qinv, BN_CTX *ctx) { int y_len, - m_len, fd; - m_len = BN_num_bytes(p) + BN_num_bytes(q) + 1; y_len = BN_num_bits(p) + BN_num_bits(q); /* Check if hardware can't handle this argument. */ diff --git a/crypto/openssl/ssl/d1_pkt.c b/crypto/openssl/ssl/d1_pkt.c index a5439d544f..1fd58bf598 100644 --- a/crypto/openssl/ssl/d1_pkt.c +++ b/crypto/openssl/ssl/d1_pkt.c @@ -296,9 +296,6 @@ dtls1_process_buffered_records(SSL *s) item = pqueue_peek(s->d1->unprocessed_rcds.q); if (item) { - DTLS1_RECORD_DATA *rdata; - rdata = (DTLS1_RECORD_DATA *)item->data; - /* Check if epoch is current. */ if (s->d1->unprocessed_rcds.epoch != s->d1->r_epoch) return(1); /* Nothing to do. */ @@ -528,14 +525,12 @@ int dtls1_get_record(SSL *s) int ssl_major,ssl_minor; int i,n; SSL3_RECORD *rr; - SSL_SESSION *sess; unsigned char *p = NULL; unsigned short version; DTLS1_BITMAP *bitmap; unsigned int is_next_epoch; rr= &(s->s3->rrec); - sess=s->session; /* The epoch may have changed. If so, process all the * pending records. This is a non-blocking operation. */ diff --git a/crypto/openssl/ssl/s23_lib.c b/crypto/openssl/ssl/s23_lib.c index e3fce53430..3bf728318a 100644 --- a/crypto/openssl/ssl/s23_lib.c +++ b/crypto/openssl/ssl/s23_lib.c @@ -92,15 +92,8 @@ const SSL_CIPHER *ssl23_get_cipher(unsigned int u) * available */ const SSL_CIPHER *ssl23_get_cipher_by_char(const unsigned char *p) { - SSL_CIPHER c; const SSL_CIPHER *cp; - unsigned long id; - int n; - n=ssl3_num_ciphers(); - id=0x03000000|((unsigned long)p[0]<<16L)| - ((unsigned long)p[1]<<8L)|(unsigned long)p[2]; - c.id=id; cp=ssl3_get_cipher_by_char(p); #ifndef OPENSSL_NO_SSL2 if (cp == NULL) diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c index 1434e734dd..9471676872 100644 --- a/crypto/openssl/ssl/s2_srvr.c +++ b/crypto/openssl/ssl/s2_srvr.c @@ -697,7 +697,6 @@ static int server_hello(SSL *s) { unsigned char *p,*d; int n,hit; - STACK_OF(SSL_CIPHER) *sk; p=(unsigned char *)s->init_buf->data; if (s->state == SSL2_ST_SEND_SERVER_HELLO_A) @@ -778,7 +777,6 @@ static int server_hello(SSL *s) /* lets send out the ciphers we like in the * prefered order */ - sk= s->session->ciphers; n=ssl_cipher_list_to_bytes(s,s->session->ciphers,d,0); d+=n; s2n(n,p); /* add cipher length */ diff --git a/crypto/openssl/ssl/s3_clnt.c b/crypto/openssl/ssl/s3_clnt.c index 41769febab..6eab135c05 100644 --- a/crypto/openssl/ssl/s3_clnt.c +++ b/crypto/openssl/ssl/s3_clnt.c @@ -1508,6 +1508,7 @@ int ssl3_get_key_exchange(SSL *s) s->session->sess_cert->peer_ecdh_tmp=ecdh; ecdh=NULL; BN_CTX_free(bn_ctx); + bn_ctx = NULL; EC_POINT_free(srvr_ecpoint); srvr_ecpoint = NULL; } diff --git a/crypto/openssl/ssl/s3_enc.c b/crypto/openssl/ssl/s3_enc.c index 3d7aec97a2..58386e1ba0 100644 --- a/crypto/openssl/ssl/s3_enc.c +++ b/crypto/openssl/ssl/s3_enc.c @@ -214,7 +214,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num) int ssl3_change_cipher_state(SSL *s, int which) { - unsigned char *p,*key_block,*mac_secret; + unsigned char *p,*mac_secret; unsigned char exp_key[EVP_MAX_KEY_LENGTH]; unsigned char exp_iv[EVP_MAX_IV_LENGTH]; unsigned char *ms,*key,*iv,*er1,*er2; @@ -239,7 +239,6 @@ int ssl3_change_cipher_state(SSL *s, int which) else comp=s->s3->tmp.new_compression->method; #endif - key_block=s->s3->tmp.key_block; if (which & SSL3_CC_READ) { diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index 92f73b6681..d0921c59fc 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -2579,12 +2579,19 @@ int ssl3_get_client_key_exchange(SSL *s) { int ret = 0; EVP_PKEY_CTX *pkey_ctx; - EVP_PKEY *client_pub_pkey = NULL; + EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; unsigned char premaster_secret[32], *start; - size_t outlen=32, inlen; + size_t outlen=32, inlen; + unsigned long alg_a; /* Get our certificate private key*/ - pkey_ctx = EVP_PKEY_CTX_new(s->cert->key->privatekey,NULL); + alg_a = s->s3->tmp.new_cipher->algorithm_auth; + if (alg_a & SSL_aGOST94) + pk = s->cert->pkeys[SSL_PKEY_GOST94].privatekey; + else if (alg_a & SSL_aGOST01) + pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; + + pkey_ctx = EVP_PKEY_CTX_new(pk,NULL); EVP_PKEY_decrypt_init(pkey_ctx); /* If client certificate is present and is of the same type, maybe * use it for key exchange. Don't mind errors from diff --git a/crypto/openssl/ssl/ssl_asn1.c b/crypto/openssl/ssl/ssl_asn1.c index 28709978b5..d7f4c6087e 100644 --- a/crypto/openssl/ssl/ssl_asn1.c +++ b/crypto/openssl/ssl/ssl_asn1.c @@ -357,7 +357,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp) SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) { - int version,ssl_version=0,i; + int ssl_version=0,i; long id; ASN1_INTEGER ai,*aip; ASN1_OCTET_STRING os,*osp; @@ -371,7 +371,6 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, ai.data=NULL; ai.length=0; M_ASN1_D2I_get_x(ASN1_INTEGER,aip,d2i_ASN1_INTEGER); - version=(int)ASN1_INTEGER_get(aip); if (ai.data != NULL) { OPENSSL_free(ai.data); ai.data=NULL; ai.length=0; } /* we don't care about the version right now :-) */ diff --git a/crypto/openssl/ssl/ssl_ciph.c b/crypto/openssl/ssl/ssl_ciph.c index bee3507ea1..a8ce186b78 100644 --- a/crypto/openssl/ssl/ssl_ciph.c +++ b/crypto/openssl/ssl/ssl_ciph.c @@ -1027,7 +1027,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, const SSL_CIPHER **ca_list) { unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength; - const char *l, *start, *buf; + const char *l, *buf; int j, multi, found, rule, retval, ok, buflen; unsigned long cipher_id = 0; char ch; @@ -1064,7 +1064,6 @@ static int ssl_cipher_process_rulestr(const char *rule_str, alg_ssl = 0; algo_strength = 0; - start=l; for (;;) { ch = *l; @@ -1456,7 +1455,7 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) int is_export,pkl,kl; const char *ver,*exp_str; const char *kx,*au,*enc,*mac; - unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2,alg_s; + unsigned long alg_mkey,alg_auth,alg_enc,alg_mac,alg_ssl,alg2; #ifdef KSSL_DEBUG static const char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s AL=%lx/%lx/%lx/%lx/%lx\n"; #else @@ -1469,7 +1468,6 @@ char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) alg_mac = cipher->algorithm_mac; alg_ssl = cipher->algorithm_ssl; - alg_s=cipher->algo_strength; alg2=cipher->algorithm2; is_export=SSL_C_IS_EXPORT(cipher); diff --git a/crypto/openssl/ssl/ssl_lib.c b/crypto/openssl/ssl/ssl_lib.c index 3157f20eac..912592b8bb 100644 --- a/crypto/openssl/ssl/ssl_lib.c +++ b/crypto/openssl/ssl/ssl_lib.c @@ -2110,23 +2110,12 @@ int ssl_check_srvr_ecc_cert_and_alg(X509 *x, const SSL_CIPHER *cs) /* THIS NEEDS CLEANING UP */ X509 *ssl_get_server_send_cert(SSL *s) { - unsigned long alg_k,alg_a,mask_k,mask_a; + unsigned long alg_k,alg_a; CERT *c; - int i,is_export; + int i; c=s->cert; ssl_set_cert_masks(c, s->s3->tmp.new_cipher); - is_export=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher); - if (is_export) - { - mask_k = c->export_mask_k; - mask_a = c->export_mask_a; - } - else - { - mask_k = c->mask_k; - mask_a = c->mask_a; - } alg_k = s->s3->tmp.new_cipher->algorithm_mkey; alg_a = s->s3->tmp.new_cipher->algorithm_auth; diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c index 9719541f2b..793ea43e90 100644 --- a/crypto/openssl/ssl/t1_enc.c +++ b/crypto/openssl/ssl/t1_enc.c @@ -157,7 +157,7 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, const void *seed5, int seed5_len, unsigned char *out, int olen) { - int chunk,n; + int chunk; unsigned int j; HMAC_CTX ctx; HMAC_CTX ctx_tmp; @@ -187,7 +187,6 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec, if (!HMAC_Final(&ctx,A1,&A1_len)) goto err; - n=0; for (;;) { if (!HMAC_Init_ex(&ctx,NULL,0,NULL,NULL)) /* re-init */ @@ -309,13 +308,13 @@ static int tls1_generate_key_block(SSL *s, unsigned char *km, int tls1_change_cipher_state(SSL *s, int which) { static const unsigned char empty[]=""; - unsigned char *p,*key_block,*mac_secret; + unsigned char *p,*mac_secret; unsigned char *exp_label; unsigned char tmp1[EVP_MAX_KEY_LENGTH]; unsigned char tmp2[EVP_MAX_KEY_LENGTH]; unsigned char iv1[EVP_MAX_IV_LENGTH*2]; unsigned char iv2[EVP_MAX_IV_LENGTH*2]; - unsigned char *ms,*key,*iv,*er1,*er2; + unsigned char *ms,*key,*iv; int client_write; EVP_CIPHER_CTX *dd; const EVP_CIPHER *c; @@ -337,7 +336,6 @@ int tls1_change_cipher_state(SSL *s, int which) #ifndef OPENSSL_NO_COMP comp=s->s3->tmp.new_compression; #endif - key_block=s->s3->tmp.key_block; #ifdef KSSL_DEBUG printf("tls1_change_cipher_state(which= %d) w/\n", which); @@ -448,8 +446,6 @@ int tls1_change_cipher_state(SSL *s, int which) cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl; /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */ k=EVP_CIPHER_iv_length(c); - er1= &(s->s3->client_random[0]); - er2= &(s->s3->server_random[0]); if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)) { @@ -880,7 +876,7 @@ int tls1_final_finish_mac(SSL *s, int tls1_mac(SSL *ssl, unsigned char *md, int send) { SSL3_RECORD *rec; - unsigned char *mac_sec,*seq; + unsigned char *seq; EVP_MD_CTX *hash; size_t md_size; int i; @@ -892,14 +888,12 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) if (send) { rec= &(ssl->s3->wrec); - mac_sec= &(ssl->s3->write_mac_secret[0]); seq= &(ssl->s3->write_sequence[0]); hash=ssl->write_hash; } else { rec= &(ssl->s3->rrec); - mac_sec= &(ssl->s3->read_mac_secret[0]); seq= &(ssl->s3->read_sequence[0]); hash=ssl->read_hash; } diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c index e8bc34c111..eea59163aa 100644 --- a/crypto/openssl/ssl/t1_lib.c +++ b/crypto/openssl/ssl/t1_lib.c @@ -714,14 +714,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in switch (servname_type) { case TLSEXT_NAMETYPE_host_name: - if (s->session->tlsext_hostname == NULL) + if (!s->hit) { - if (len > TLSEXT_MAXLEN_host_name || - ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) + if(s->session->tlsext_hostname) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + if (len > TLSEXT_MAXLEN_host_name) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } + if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { @@ -734,7 +743,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } else - s->servername_done = strlen(s->session->tlsext_hostname) == len + s->servername_done = s->session->tlsext_hostname + && strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break; @@ -765,15 +775,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in *al = TLS1_AD_DECODE_ERROR; return 0; } - s->session->tlsext_ecpointformatlist_length = 0; - if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist); - if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) + if (!s->hit) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; + if(s->session->tlsext_ecpointformatlist) + { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } + s->session->tlsext_ecpointformatlist_length = 0; + if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } + s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; + memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); } - s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length; - memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length); sdata = s->session->tlsext_ecpointformatlist; @@ -794,15 +811,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in *al = TLS1_AD_DECODE_ERROR; return 0; } - s->session->tlsext_ellipticcurvelist_length = 0; - if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist); - if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) + if (!s->hit) { - *al = TLS1_AD_INTERNAL_ERROR; - return 0; + if(s->session->tlsext_ellipticcurvelist) + { + *al = TLS1_AD_DECODE_ERROR; + return 0; + } + s->session->tlsext_ellipticcurvelist_length = 0; + if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } + s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; + memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); } - s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length; - memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length); #if 0 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length); sdata = s->session->tlsext_ellipticcurvelist; @@ -983,9 +1007,9 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al) { + unsigned short length; unsigned short type; unsigned short size; - unsigned short len; unsigned char *data = *p; int tlsext_servername = 0; int renegotiate_seen = 0; @@ -993,7 +1017,12 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in if (data >= (d+n-2)) goto ri_check; - n2s(data,len); + n2s(data,length); + if (data+length != d+n) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } while(data <= (d+n-4)) { -- 2.41.0