Recent changes from 0.9.6-stable.

INSTALL

@@ -132,8 +132,8 @@
      standard headers).  If it is a problem with OpenSSL itself, please
      report the problem to <openssl-bugs@openssl.org> (note that your
      message will be recorded in the request tracker publicly readable
-     via http://www.openssl.org/rt2.html and will be forwarded to a public
-     mailing list). Include the output of "make report" in your message.
+     via http://www.openssl.org/support/rt2.html and will be forwarded to a
+     public mailing list). Include the output of "make report" in your message.
      Please check out the request tracker. Maybe the bug was already
      reported or has already been fixed.
 
@@ -154,7 +154,7 @@
      in Makefile.ssl and run "make clean; make". Please send a bug
      report to <openssl-bugs@openssl.org>, including the output of
      "make report" in order to be added to the request tracker at
-     http://www.openssl.org/rt2.html.
+     http://www.openssl.org/support/rt2.html.
 
   4. If everything tests ok, install OpenSSL with
 

crypto/cryptlib.c

@@ -58,6 +58,7 @@
 
 #include <stdio.h>
 #include <string.h>
+#include <assert.h>
 #include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/safestack.h>
@@ -206,10 +207,18 @@ int CRYPTO_get_new_dynlockid(void)
 	i=sk_CRYPTO_dynlock_find(dyn_locks,NULL);
 	/* If there was none, push, thereby creating a new one */
 	if (i == -1)
-		i=sk_CRYPTO_dynlock_push(dyn_locks,pointer);
+		/* Since sk_push() returns the number of items on the
+		   stack, not the location of the pushed item, we need
+		   to transform the returned number into a position,
+		   by decreasing it.  */
+		i=sk_CRYPTO_dynlock_push(dyn_locks,pointer) - 1;
+	else
+		/* If we found a place with a NULL pointer, put our pointer
+		   in it.  */
+		sk_CRYPTO_dynlock_set(dyn_locks,i,pointer);
 	CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
 
-	if (!i)
+	if (i == -1)
 		{
 		dynlock_destroy_callback(pointer->data,__FILE__,__LINE__);
 		OPENSSL_free(pointer);
@@ -400,17 +409,19 @@ void CRYPTO_lock(int mode, int type, const char *file, int line)
 		}
 #endif
 	if (type < 0)
+		{
+		if (dynlock_lock_callback != NULL)
 			{
 			struct CRYPTO_dynlock_value *pointer
 				= CRYPTO_get_dynlock_value(type);
 
-		if (pointer && dynlock_lock_callback)
-			{
+			assert(pointer != NULL);
+
 			dynlock_lock_callback(mode, pointer, file, line);
-			}
 
 			CRYPTO_destroy_dynlockid(type);
 			}
+		}
 	else
 		if (locking_callback != NULL)
 			locking_callback(mode,type,file,line);

crypto/des/des.c

@@ -86,6 +86,7 @@
 #endif
 #include <sys/stat.h>
 #endif
+#include <openssl/crypto.h>
 #include <openssl/des.h>
 #include <openssl/rand.h>
 

crypto/dsa/dsatest.c

@@ -217,6 +217,7 @@ end:
 static int cb_exit(int ec)
 	{
 	EXIT(ec);
+	return(0);		/* To keep some compilers quiet */
 	}
 
 static void MS_CALLBACK dsa_cb(int p, int n, void *arg)

crypto/x509/x509_vfy.c

@@ -897,7 +897,7 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 		ctx->chain=NULL;
 		}
 	CRYPTO_free_ex_data(x509_store_ctx_method,ctx,&(ctx->ex_data));
-	OPENSSL_cleanse(&ctx->ex_data,sizeof(CRYPTO_EX_DATA));
+	memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
 	}
 
 void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, long flags)

ssl/s23_clnt.c

@@ -105,7 +105,7 @@ SSL_METHOD *SSLv23_client_method(void)
 
 int ssl23_connect(SSL *s)
 	{
-	BUF_MEM *buf;
+	BUF_MEM *buf=NULL;
 	unsigned long Time=time(NULL);
 	void (*cb)()=NULL;
 	int ret= -1;
@@ -159,6 +159,7 @@ int ssl23_connect(SSL *s)
 					goto end;
 					}
 				s->init_buf=buf;
+				buf=NULL;
 				}
 
 			if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
@@ -207,6 +208,8 @@ int ssl23_connect(SSL *s)
 		}
 end:
 	s->in_handshake--;
+	if (buf != NULL)
+		BUF_MEM_free(buf);
 	if (cb != NULL)
 		cb(s,SSL_CB_CONNECT_EXIT,ret);
 	return(ret);

ssl/s2_clnt.c

@@ -208,10 +208,13 @@ int ssl2_connect(SSL *s)
 			if (!BUF_MEM_grow(buf,
 				SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER))
 				{
+				if (buf == s->init_buf)
+					buf=NULL;
 				ret= -1;
 				goto end;
 				}
 			s->init_buf=buf;
+			buf=NULL;
 			s->init_num=0;
 			s->state=SSL2_ST_SEND_CLIENT_HELLO_A;
 			s->ctx->stats.sess_connect++;
@@ -338,6 +341,8 @@ int ssl2_connect(SSL *s)
 		}
 end:
 	s->in_handshake--;
+	if (buf != NULL)
+		BUF_MEM_free(buf);
 	if (cb != NULL) 
 		cb(s,SSL_CB_CONNECT_EXIT,ret);
 	return(ret);

ssl/s3_clnt.c

@@ -164,7 +164,7 @@ SSL_METHOD *SSLv3_client_method(void)
 
 int ssl3_connect(SSL *s)
 	{
-	BUF_MEM *buf;
+	BUF_MEM *buf=NULL;
 	unsigned long Time=time(NULL),l;
 	long num1;
 	void (*cb)()=NULL;
@@ -225,6 +225,7 @@ int ssl3_connect(SSL *s)
 					goto end;
 					}
 				s->init_buf=buf;
+				buf=NULL;
 				}
 
 			if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
@@ -503,6 +504,8 @@ int ssl3_connect(SSL *s)
 		}
 end:
 	s->in_handshake--;
+	if (buf != NULL)
+		BUF_MEM_free(buf);
 	if (cb != NULL)
 		cb(s,SSL_CB_CONNECT_EXIT,ret);
 	return(ret);

test/testssl

@@ -112,8 +112,12 @@ $ssltest -bio_pair -server_auth -client_auth $CA || exit 1
 
 #############################################################################
 
-echo test tls1 with 1024bit anonymous DH, multiple handshakes
-$ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time || exit 1
+if ../apps/openssl no-dh; then
+  echo skipping anonymous DH tests
+else
+  echo test tls1 with 1024bit anonymous DH, multiple handshakes
+  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time || exit 1
+fi
 
 if ../apps/openssl no-rsa; then
   echo skipping RSA tests
@@ -121,8 +125,12 @@ else
   echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
   ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time || exit 1
 
+  if ../apps/openssl no-dh; then
+    echo skipping RSA+DHE tests
+  else
     echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
     ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time || exit 1
+  fi
 fi
 
 exit 0

test/testssl.com

@@ -159,16 +159,25 @@ $	if $severity .ne. 1 then goto exit3
 $
 $!###########################################################################
 $
-$	write sys$output "test tls1 with 1024bit anonymous DH, multiple handshakes"
-$	'ssltest' -v -bio_pair -tls1 -cipher "ADH" -dhe1024dsa -num 10 -f -time
-$	if $severity .ne. 1 then goto exit3
-$
 $	set noon
 $	define/user sys$output nla0:
 $	mcr 'exe_dir'openssl no-rsa
-$	save_severity=$SEVERITY
+$	no_rsa=$SEVERITY
+$	define/user sys$output nla0:
+$	mcr 'exe_dir'openssl no-dh
+$	no_dh=$SEVERITY
 $	set on
-$	if save_severity
+$
+$	if no_dh
+$	then
+$	    write sys$output "skipping anonymous DH tests"
+$	else
+$	    write sys$output "test tls1 with 1024bit anonymous DH, multiple handshakes"
+$	    'ssltest' -v -bio_pair -tls1 -cipher "ADH" -dhe1024dsa -num 10 -f -time
+$	    if $severity .ne. 1 then goto exit3
+$	endif
+$
+$	if no_rsa
 $	then
 $	    write sys$output "skipping RSA tests"
 $	else
@@ -176,10 +185,15 @@ $	    write sys$output "test tls1 with 1024bit RSA, no DHE, multiple handshakes"
 $	    mcr 'texe_dir'ssltest -v -bio_pair -tls1 -cert [-.apps]server2.pem -no_dhe -num 10 -f -time
 $	    if $severity .ne. 1 then goto exit3
 $
+$	    if no_dh
+$	    then
+$		write sys$output "skipping RSA+DHE tests"
+$	    else
 $		write sys$output "test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes"
 $		mcr 'texe_dir'ssltest -v -bio_pair -tls1 -cert [-.apps]server2.pem -dhe1024dsa -num 10 -f -time
 $		if $severity .ne. 1 then goto exit3
 $	    endif
+$	endif
 $
 $	RET = 1
 $	goto exit