openssl-1.0.1d upgrade
Change-Id: Ie980c8834cf2c843858182d98d1f60c65a2a9b70
diff --git a/apps/apps.c b/apps/apps.c
index 4e11915..1096eee 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -2132,7 +2132,7 @@
X509_NAME *n = NULL;
int nid;
- if (!buf || !ne_types || !ne_values)
+ if (!buf || !ne_types || !ne_values || !mval)
{
BIO_printf(bio_err, "malloc error\n");
goto error;
@@ -2236,6 +2236,7 @@
OPENSSL_free(ne_values);
OPENSSL_free(ne_types);
OPENSSL_free(buf);
+ OPENSSL_free(mval);
return n;
error:
@@ -2244,6 +2245,8 @@
OPENSSL_free(ne_values);
if (ne_types)
OPENSSL_free(ne_types);
+ if (mval)
+ OPENSSL_free(mval);
if (buf)
OPENSSL_free(buf);
return NULL;
diff --git a/apps/ca.c b/apps/ca.c
index 2a83d19..1cf50e0 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1408,6 +1408,7 @@
if (!NCONF_get_number(conf,section,
ENV_DEFAULT_CRL_HOURS, &crlhours))
crlhours = 0;
+ ERR_clear_error();
}
if ((crldays == 0) && (crlhours == 0) && (crlsec == 0))
{
diff --git a/apps/cms.c b/apps/cms.c
index d754140..5f77f8f 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -233,6 +233,8 @@
else if (!strcmp(*args,"-camellia256"))
cipher = EVP_camellia_256_cbc();
#endif
+ else if (!strcmp (*args, "-debug_decrypt"))
+ flags |= CMS_DEBUG_DECRYPT;
else if (!strcmp (*args, "-text"))
flags |= CMS_TEXT;
else if (!strcmp (*args, "-nointern"))
@@ -1039,6 +1041,8 @@
ret = 4;
if (operation == SMIME_DECRYPT)
{
+ if (flags & CMS_DEBUG_DECRYPT)
+ CMS_decrypt(cms, NULL, NULL, NULL, NULL, flags);
if (secret_key)
{
diff --git a/apps/dgst.c b/apps/dgst.c
index b08e9a7..81bd870 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -216,10 +216,10 @@
out_bin = 1;
else if (strcmp(*argv,"-d") == 0)
debug=1;
- else if (strcmp(*argv,"-non-fips-allow") == 0)
- non_fips_allow=1;
else if (!strcmp(*argv,"-fips-fingerprint"))
hmac_key = "etaonrishdlcupfm";
+ else if (strcmp(*argv,"-non-fips-allow") == 0)
+ non_fips_allow=1;
else if (!strcmp(*argv,"-hmac"))
{
if (--argc < 1)
diff --git a/apps/dhparam.c b/apps/dhparam.c
index b47097c..1297d6f 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -332,7 +332,6 @@
BIO_printf(bio_err,"This is going to take a long time\n");
if(!dh || !DH_generate_parameters_ex(dh, num, g, &cb))
{
- if(dh) DH_free(dh);
ERR_print_errors(bio_err);
goto end;
}
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index fe72c1d..683d513 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -326,6 +326,7 @@
goto end;
}
#endif
+ ERR_print_errors(bio_err);
BIO_printf(bio_err,"Error, DSA key generation failed\n");
goto end;
}
@@ -429,13 +430,19 @@
assert(need_rand);
if ((dsakey=DSAparams_dup(dsa)) == NULL) goto end;
- if (!DSA_generate_key(dsakey)) goto end;
+ if (!DSA_generate_key(dsakey))
+ {
+ ERR_print_errors(bio_err);
+ DSA_free(dsakey);
+ goto end;
+ }
if (outformat == FORMAT_ASN1)
i=i2d_DSAPrivateKey_bio(out,dsakey);
else if (outformat == FORMAT_PEM)
i=PEM_write_bio_DSAPrivateKey(out,dsakey,NULL,NULL,0,NULL,NULL);
else {
BIO_printf(bio_err,"bad output format specified for outfile\n");
+ DSA_free(dsakey);
goto end;
}
DSA_free(dsakey);
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 37e9310..ece114c 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -78,7 +78,7 @@
#include <openssl/pem.h>
#include <openssl/rand.h>
-#define DEFBITS 512
+#define DEFBITS 1024
#undef PROG
#define PROG genrsa_main
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 01847df..83c5a76 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -617,7 +617,7 @@
BIO_printf (bio_err, "-ndays n number of days before next update\n");
BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
- BIO_printf (bio_err, "-<dgst alg> use specified digest in the request");
+ BIO_printf (bio_err, "-<dgst alg> use specified digest in the request\n");
goto end;
}
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 2cd7337..84c3b44 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -237,8 +237,8 @@
/* If we are using DSA, we can copy the parameters from
* the private key */
-
-
+
+
/* Now we know that a key and cert have been set against
* the SSL context */
if (!SSL_CTX_check_private_key(ctx))
@@ -436,6 +436,8 @@
if (version == SSL3_VERSION ||
version == TLS1_VERSION ||
+ version == TLS1_1_VERSION ||
+ version == TLS1_2_VERSION ||
version == DTLS1_VERSION ||
version == DTLS1_BAD_VER)
{
diff --git a/apps/s_client.c b/apps/s_client.c
index 7dce4cf..3a40a3f 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -357,7 +357,7 @@
BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
BIO_printf(bio_err," -status - request certificate status from server\n");
BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
-# if !defined(OPENSSL_NO_NEXTPROTONEG)
+# ifndef OPENSSL_NO_NEXTPROTONEG
BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
# endif
#endif
@@ -537,7 +537,7 @@
ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
return SSL_TLSEXT_ERR_OK;
}
-# endif
+# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
#endif
enum
@@ -1903,6 +1903,10 @@
print_stuff(bio_c_out,con,1);
SSL_free(con);
}
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ if (next_proto.data)
+ OPENSSL_free(next_proto.data);
+#endif
if (ctx != NULL) SSL_CTX_free(ctx);
if (cert)
X509_free(cert);
@@ -1910,6 +1914,8 @@
EVP_PKEY_free(key);
if (pass)
OPENSSL_free(pass);
+ if (vpm)
+ X509_VERIFY_PARAM_free(vpm);
if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
diff --git a/apps/s_server.c b/apps/s_server.c
index 3f9b370..4720c05 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1206,13 +1206,13 @@
{
if (--argc < 1) goto bad;
srp_verifier_file = *(++argv);
- meth=TLSv1_server_method();
+ meth = TLSv1_server_method();
}
else if (strcmp(*argv, "-srpuserseed") == 0)
{
if (--argc < 1) goto bad;
srpuserseed = *(++argv);
- meth=TLSv1_server_method();
+ meth = TLSv1_server_method();
}
#endif
else if (strcmp(*argv,"-www") == 0)
@@ -1431,25 +1431,24 @@
goto end;
}
}
-
-# ifndef OPENSSL_NO_NEXTPROTONEG
- if (next_proto_neg_in)
- {
- unsigned short len;
- next_proto.data = next_protos_parse(&len,
- next_proto_neg_in);
- if (next_proto.data == NULL)
- goto end;
- next_proto.len = len;
- }
- else
- {
- next_proto.data = NULL;
- }
-# endif
#endif
}
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ if (next_proto_neg_in)
+ {
+ unsigned short len;
+ next_proto.data = next_protos_parse(&len, next_proto_neg_in);
+ if (next_proto.data == NULL)
+ goto end;
+ next_proto.len = len;
+ }
+ else
+ {
+ next_proto.data = NULL;
+ }
+#endif
+
if (s_dcert_file)
{
@@ -1730,7 +1729,7 @@
}
#endif
- if (!set_cert_key_stuff(ctx,s_cert,s_key))
+ if (!set_cert_key_stuff(ctx, s_cert, s_key))
goto end;
#ifndef OPENSSL_NO_TLSEXT
if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
@@ -1738,7 +1737,7 @@
#endif
if (s_dcert != NULL)
{
- if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
+ if (!set_cert_key_stuff(ctx, s_dcert, s_dkey))
goto end;
}
@@ -1893,7 +1892,15 @@
OPENSSL_free(pass);
if (dpass)
OPENSSL_free(dpass);
+ if (vpm)
+ X509_VERIFY_PARAM_free(vpm);
#ifndef OPENSSL_NO_TLSEXT
+ if (tlscstatp.host)
+ OPENSSL_free(tlscstatp.host);
+ if (tlscstatp.port)
+ OPENSSL_free(tlscstatp.port);
+ if (tlscstatp.path)
+ OPENSSL_free(tlscstatp.path);
if (ctx2 != NULL) SSL_CTX_free(ctx2);
if (s_cert2)
X509_free(s_cert2);
@@ -2433,6 +2440,7 @@
BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
+
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
if (next_proto_neg)
@@ -2701,6 +2709,11 @@
}
BIO_puts(io,"\n");
+ BIO_printf(io,
+ "Secure Renegotiation IS%s supported\n",
+ SSL_get_secure_renegotiation_support(con) ?
+ "" : " NOT");
+
/* The following is evil and should not really
* be done */
BIO_printf(io,"Ciphers supported in s_server binary\n");
diff --git a/apps/speed.c b/apps/speed.c
index ab62e01..9c251eb 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -254,7 +254,7 @@
"aes-128 cbc","aes-192 cbc","aes-256 cbc",
"camellia-128 cbc","camellia-192 cbc","camellia-256 cbc",
"evp","sha256","sha512","whirlpool",
- "aes-128 ige","aes-192 ige","aes-256 ige","ghash"};
+ "aes-128 ige","aes-192 ige","aes-256 ige","ghash" };
static double results[ALGOR_NUM][SIZE_NUM];
static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
#ifndef OPENSSL_NO_RSA
@@ -299,7 +299,7 @@
#if defined(_WIN32)
#if !defined(SIGALRM)
-#define SIGALRM
+# define SIGALRM
#endif
static unsigned int lapse,schlock;
static void alarm_win32(unsigned int secs) { lapse = secs*1000; }
diff --git a/apps/srp.c b/apps/srp.c
index 80e1b8a..9c7ae18 100644
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -125,13 +125,13 @@
if (type == DB_SRP_INDEX)
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
- pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
- if (pp[DB_srptype][0] == DB_SRP_INDEX && !strcmp(id, pp[DB_srpid]))
+ pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
+ if (pp[DB_srptype][0] == DB_SRP_INDEX && !strcmp(id,pp[DB_srpid]))
return i;
}
else for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
- pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+ pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
if (pp[DB_srptype][0] != DB_SRP_INDEX && !strcmp(id,pp[DB_srpid]))
return i;
@@ -145,7 +145,7 @@
if (indx >= 0 && verbose)
{
int j;
- char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, indx);
+ char **pp = sk_OPENSSL_PSTRING_value(db->db->data, indx);
BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]);
for (j = 0; j < DB_NUMBER; j++)
{
@@ -163,7 +163,7 @@
{
if (verbose > 0)
{
- char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+ char **pp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
if (pp[DB_srptype][0] != 'I')
{
@@ -517,7 +517,7 @@
/* Lets check some fields */
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
- pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+ pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
if (pp[DB_srptype][0] == DB_SRP_INDEX)
{
@@ -533,8 +533,8 @@
if (gNindex >= 0)
{
- gNrow = (char **)sk_OPENSSL_PSTRING_value(db->db->data, gNindex);
- print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N") ;
+ gNrow = sk_OPENSSL_PSTRING_value(db->db->data,gNindex);
+ print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N");
}
else if (maxgN > 0 && !SRP_get_default_gN(gN))
{
@@ -587,7 +587,7 @@
if (userindex >= 0)
{
/* reactivation of a new user */
- char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+ char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
BIO_printf(bio_err, "user \"%s\" reactivated.\n", user);
row[DB_srptype][0] = 'V';
@@ -634,7 +634,7 @@
else
{
- char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+ char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
char type = row[DB_srptype][0];
if (type == 'v')
{
@@ -664,9 +664,9 @@
if (!(gNid=srp_create_user(user,&(row[DB_srpverifier]), &(row[DB_srpsalt]),gNrow?gNrow[DB_srpsalt]:NULL, gNrow?gNrow[DB_srpverifier]:NULL, passout, bio_err,verbose)))
{
- BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user);
- errors++;
- goto err;
+ BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user);
+ errors++;
+ goto err;
}
row[DB_srptype][0] = 'v';
@@ -689,7 +689,7 @@
}
else
{
- char **xpp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+ char **xpp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
BIO_printf(bio_err, "user \"%s\" revoked. t\n", user);
xpp[DB_srptype][0] = 'R';
@@ -714,7 +714,7 @@
/* Lets check some fields */
for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
{
- pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+ pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
if (pp[DB_srptype][0] == 'v')
{
diff --git a/apps/verify.c b/apps/verify.c
index b9749dc..893670f 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -222,11 +222,19 @@
goto end;
}
- if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, crls, e);
+ ret = 0;
+ if (argc < 1)
+ {
+ if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
+ ret = -1;
+ }
else
+ {
for (i=0; i<argc; i++)
- check(cert_ctx,argv[i], untrusted, trusted, crls, e);
- ret=0;
+ if (1 != check(cert_ctx,argv[i], untrusted, trusted, crls, e))
+ ret = -1;
+ }
+
end:
if (ret == 1) {
BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
@@ -235,13 +243,16 @@
BIO_printf(bio_err," [-engine e]");
#endif
BIO_printf(bio_err," cert1 cert2 ...\n");
+
BIO_printf(bio_err,"recognized usages:\n");
- for(i = 0; i < X509_PURPOSE_get_count(); i++) {
+ for(i = 0; i < X509_PURPOSE_get_count(); i++)
+ {
X509_PURPOSE *ptmp;
ptmp = X509_PURPOSE_get0(i);
- BIO_printf(bio_err, "\t%-10s\t%s\n", X509_PURPOSE_get0_sname(ptmp),
- X509_PURPOSE_get0_name(ptmp));
- }
+ BIO_printf(bio_err, "\t%-10s\t%s\n",
+ X509_PURPOSE_get0_sname(ptmp),
+ X509_PURPOSE_get0_name(ptmp));
+ }
}
if (vpm) X509_VERIFY_PARAM_free(vpm);
if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
@@ -249,7 +260,7 @@
sk_X509_pop_free(trusted, X509_free);
sk_X509_CRL_pop_free(crls, X509_CRL_free);
apps_shutdown();
- OPENSSL_EXIT(ret);
+ OPENSSL_EXIT(ret < 0 ? 2 : ret);
}
static int check(X509_STORE *ctx, char *file,
diff --git a/apps/x509.c b/apps/x509.c
index e6e5e0d..3863ab9 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -288,7 +288,7 @@
days=atoi(*(++argv));
if (days == 0)
{
- BIO_printf(STDout,"bad number of days\n");
+ BIO_printf(bio_err,"bad number of days\n");
goto bad;
}
}
@@ -912,7 +912,7 @@
}
else if (text == i)
{
- X509_print_ex(out,x,nmflag, certflag);
+ X509_print_ex(STDout,x,nmflag, certflag);
}
else if (startdate == i)
{