Changeset 31186


Ignore:
Timestamp:
Jan 27, 2017, 9:24:04 PM (4 weeks ago)
Author:
brainslayer
Message:

ssl update

Location:
src/router/openssl
Files:
101 edited

Legend:

Unmodified
Added
Removed
  • src/router/openssl/CHANGES

    r30700 r31186  
    22 OpenSSL CHANGES
    33 _______________
     4
     5 Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
     6
     7  *) Truncated packet could crash via OOB read
     8
     9     If one side of an SSL/TLS path is running on a 32-bit host and a specific
     10     cipher is being used, then a truncated packet can cause that host to
     11     perform an out-of-bounds read, usually resulting in a crash.
     12
     13     This issue was reported to OpenSSL by Robert Święcki of Google.
     14     (CVE-2017-3731)
     15     [Andy Polyakov]
     16
     17  *) BN_mod_exp may produce incorrect results on x86_64
     18
     19     There is a carry propagating bug in the x86_64 Montgomery squaring
     20     procedure. No EC algorithms are affected. Analysis suggests that attacks
     21     against RSA and DSA as a result of this defect would be very difficult to
     22     perform and are not believed likely. Attacks against DH are considered just
     23     feasible (although very difficult) because most of the work necessary to
     24     deduce information about a private key may be performed offline. The amount
     25     of resources required for such an attack would be very significant and
     26     likely only accessible to a limited number of attackers. An attacker would
     27     additionally need online access to an unpatched system using the target
     28     private key in a scenario with persistent DH parameters and a private
     29     key that is shared between multiple clients. For example this can occur by
     30     default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
     31     similar to CVE-2015-3193 but must be treated as a separate problem.
     32
     33     This issue was reported to OpenSSL by the OSS-Fuzz project.
     34     (CVE-2017-3732)
     35     [Andy Polyakov]
     36
     37  *) Montgomery multiplication may produce incorrect results
     38
     39     There is a carry propagating bug in the Broadwell-specific Montgomery
     40     multiplication procedure that handles input lengths divisible by, but
     41     longer than 256 bits. Analysis suggests that attacks against RSA, DSA
     42     and DH private keys are impossible. This is because the subroutine in
     43     question is not used in operations with the private key itself and an input
     44     of the attacker's direct choice. Otherwise the bug can manifest itself as
     45     transient authentication and key negotiation failures or reproducible
     46     erroneous outcome of public-key operations with specially crafted input.
     47     Among EC algorithms only Brainpool P-512 curves are affected and one
     48     presumably can attack ECDH key negotiation. Impact was not analyzed in
     49     detail, because pre-requisites for attack are considered unlikely. Namely
     50     multiple clients have to choose the curve in question and the server has to
     51     share the private key among them, neither of which is default behaviour.
     52     Even then only clients that chose the curve will be affected.
     53
     54     This issue was publicly reported as transient failures and was not
     55     initially recognized as a security issue. Thanks to Richard Morgan for
     56     providing reproducible case.
     57     (CVE-2016-7055)
     58     [Andy Polyakov]
     59
     60  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
     61     or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
     62     prevent issues where no progress is being made and the peer continually
     63     sends unrecognised record types, using up resources processing them.
     64     [Matt Caswell]
    465
    566 Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
  • src/router/openssl/CONTRIBUTING

    r30692 r31186  
    1 HOW TO CONTRIBUTE TO PATCHES OpenSSL
     1HOW TO CONTRIBUTE PATCHES TO OpenSSL
    22------------------------------------
    33
     
    1212may be a good reason as to why that feature isn't implemented.
    1313
    14 The best way to submit a patch is to make a pull request on GitHub.
    15 (It is not necessary to send mail to rt@openssl.org to open a ticket!)
    16 If you think the patch could use feedback from the community, please
    17 start a thread on openssl-dev.
     14To submit a patch, make a pull request on GitHub.  If you think the patch
     15could use feedback from the community, please start a thread on openssl-dev
     16to discuss it.
    1817
    19 You can also submit patches by sending it as mail to rt@openssl.org.
    20 Please include the word "PATCH" and an explanation of what the patch
    21 does in the subject line.  If you do this, our preferred format is "git
    22 format-patch" output. For example to provide a patch file containing the
    23 last commit in your local git repository use the following command:
    24 
    25     % git format-patch --stdout HEAD^ >mydiffs.patch
    26 
    27 Another method of creating an acceptable patch file without using git is as
    28 follows:
    29 
    30     % cd openssl-work
    31     ...make your changes...
    32     % ./Configure dist; make clean
    33     % cd ..
    34     % diff -ur openssl-orig openssl-work >mydiffs.patch
    35 
    36 Note that pull requests are generally easier for the team, and community, to
    37 work with.  Pull requests benefit from all of the standard GitHub features,
    38 including code review tools, simpler integration, and CI build support.
    39 
    40 No matter how a patch is submitted, the following items will help make
    41 the acceptance and review process faster:
     18Having addressed the following items before the PR will help make the
     19acceptance and review process faster:
    4220
    4321    1. Anything other than trivial contributions will require a contributor
     
    5634        https://www.openssl.org/source/license.html
    5735
    58     3.  Patches should be as current as possible.  When using GitHub, please
    59     expect to have to rebase and update often. Note that we do not accept merge
    60     commits. You will be asked to remove them before a patch is considered
    61     acceptable.
     36    3.  Patches should be as current as possible; expect to have to rebase
     37    often. We do not accept merge commits; You will be asked to remove
     38    them before a patch is considered acceptable.
    6239
    6340    4.  Patches should follow our coding style (see
     
    6643    --strict-warnings Configure option.  OpenSSL compiles on many varied
    6744    platforms: try to ensure you only use portable features.
     45    Clean builds via Travis and AppVeyor are expected, and done whenever
     46    a PR is created or updated.
    6847
    69     5.  When at all possible, patches should include tests. These can either be
    70     added to an existing test, or completely new.  Please see test/README
    71     for information on the test framework.
     48    5.  When at all possible, patches should include tests. These can
     49    either be added to an existing test, or completely new.  Please see
     50    test/README for information on the test framework.
    7251
    73     6.  New features or changed functionality must include documentation. Please
    74     look at the "pod" files in doc/apps, doc/crypto and doc/ssl for examples of
    75     our style.
     52    6.  New features or changed functionality must include
     53    documentation. Please look at the "pod" files in doc/apps, doc/crypto
     54    and doc/ssl for examples of our style.
  • src/router/openssl/Configure

    r30692 r31186  
    88require 5.000;
    99use strict;
     10use File::Compare;
    1011
    1112# see INSTALL for instructions.
     
    5859#               library and will be loaded in run-time by the OpenSSL library.
    5960# sctp          include SCTP support
    60 # 386           generate 80386 code
    6161# enable-weak-ssl-ciphers
    6262#               Enable EXPORT and LOW SSLv3 ciphers that are disabled by
    6363#               default.  Note, weak SSLv2 ciphers are unconditionally
    6464#               disabled.
    65 # no-sse2       disables IA-32 SSE2 code, above option implies no-sse2
     65# 386           generate 80386 code in assembly modules
     66# no-sse2       disables IA-32 SSE2 code in assembly modules, the above
     67#               mentioned '386' option implies this one
    6668# no-<cipher>   build without specified algorithm (rsa, idea, rc5, ...)
    6769# -<xxx> +<xxx> compiler options are passed through
     
    18091811close(IN);
    18101812close(OUT);
    1811 rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile;
    1812 rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";
     1813if ((compare($Makefile, "$Makefile.new"))
     1814        or file_newer('Configure', $Makefile)
     1815        or file_newer('config', $Makefile)
     1816        or file_newer('Makefile.org', $Makefile))
     1817        {
     1818        rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile;
     1819        rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";
     1820        }
     1821else
     1822        { unlink("$Makefile.new"); }
    18131823
    18141824print "CC            =$cc\n";
     
    20022012print OUT "#endif\n";
    20032013close(OUT);
    2004 rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
    2005 rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
    2006 
     2014if (compare("crypto/opensslconf.h.new","crypto/opensslconf.h"))
     2015        {
     2016        rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
     2017        rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
     2018        }
     2019else
     2020        { unlink("crypto/opensslconf.h.new"); }
    20072021
    20082022# Fix the date
     
    23062320        return $errorcnt;
    23072321        }
     2322
     2323sub file_newer
     2324        {
     2325        my ($file1, $file2) = @_;
     2326        return (stat($file1))[9] > (stat($file2))[9]
     2327        }
  • src/router/openssl/INSTALL

    r30490 r31186  
    7575  no-asm        Do not use assembler code.
    7676
    77   386           Use the 80386 instruction set only (the default x86 code is
    78                 more efficient, but requires at least a 486). Note: Use
    79                 compiler flags for any other CPU specific configuration,
    80                 e.g. "-m32" to build x86 code on an x64 system.
    81 
    82   no-sse2       Exclude SSE2 code pathes. Normally SSE2 extention is
    83                 detected at run-time, but the decision whether or not the
    84                 machine code will be executed is taken solely on CPU
    85                 capability vector. This means that if you happen to run OS
    86                 kernel which does not support SSE2 extension on Intel P4
    87                 processor, then your application might be exposed to
    88                 "illegal instruction" exception. There might be a way
    89                 to enable support in kernel, e.g. FreeBSD kernel can be
    90                 compiled with CPU_ENABLE_SSE, and there is a way to
    91                 disengage SSE2 code pathes upon application start-up,
    92                 but if you aim for wider "audience" running such kernel,
    93                 consider no-sse2. Both 386 and no-asm options above imply
    94                 no-sse2.
     77  386           In 32-bit x86 builds, when generating assembly modules,
     78                use the 80386 instruction set only (the default x86 code
     79                is more efficient, but requires at least a 486). Note:
     80                This doesn't affect code generated by compiler, you're
     81                likely to complement configuration command line with
     82                suitable compiler-specific option.
     83
     84  no-sse2       Exclude SSE2 code paths from 32-bit x86 assembly modules.
     85                Normally SSE2 extension is detected at run-time, but the
     86                decision whether or not the machine code will be executed
     87                is taken solely on CPU capability vector. This means that
     88                if you happen to run OS kernel which does not support SSE2
     89                extension on Intel P4 processor, then your application
     90                might be exposed to "illegal instruction" exception.
     91                There might be a way to enable support in kernel, e.g.
     92                FreeBSD kernel can  be compiled with CPU_ENABLE_SSE, and
     93                there is a way to disengage SSE2 code paths upon application
     94                start-up, but if you aim for wider "audience" running
     95                such kernel, consider no-sse2. Both the 386 and
     96                no-asm options imply no-sse2.
    9597
    9698  no-<cipher>   Build without the specified cipher (bf, cast, des, dh, dsa,
     
    102104                be passed through to the compiler to allow you to
    103105                define preprocessor symbols, specify additional libraries,
    104                 library directories or other compiler options.
     106                library directories or other compiler options. It might be
     107                worth noting that some compilers generate code specifically
     108                for processor the compiler currently executes on. This is
     109                not necessarily what you might have in mind, since it might
     110                be unsuitable for execution on other, typically older,
     111                processor. Consult your compiler documentation.
    105112
    106113  -DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using
     
    160167     directory, and the binary will be in the "apps" directory.
    161168
    162      If "make" fails, look at the output.  There may be reasons for
    163      the failure that aren't problems in OpenSSL itself (like missing
    164      standard headers).  If it is a problem with OpenSSL itself, please
    165      report the problem to <openssl-bugs@openssl.org> (note that your
    166      message will be recorded in the request tracker publicly readable
    167      at https://www.openssl.org/community/index.html#bugs and will be
    168      forwarded to a public mailing list). Include the output of "make
    169      report" in your message.  Please check out the request tracker. Maybe
    170      the bug was already reported or has already been fixed.
    171 
    172      [If you encounter assembler error messages, try the "no-asm"
    173      configuration option as an immediate fix.]
     169     If the build fails, look at the output.  There may be reasons
     170     for the failure that aren't problems in OpenSSL itself (like
     171     missing standard headers).  If you are having problems you can
     172     get help by sending an email to the openssl-users email list (see
     173     https://www.openssl.org/community/mailinglists.html for details). If
     174     it is a bug with OpenSSL itself, please open an issue on GitHub, at
     175     https://github.com/openssl/openssl/issues. Please review the existing
     176     ones first; maybe the bug was already reported or has already been
     177     fixed.
     178
     179     (If you encounter assembler error messages, try the "no-asm"
     180     configuration option as an immediate fix.)
    174181
    175182     Compiling parts of OpenSSL with gcc and others with the system
  • src/router/openssl/Makefile.org

    r30692 r31186  
    202202                $${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \
    203203                $${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}     \
    204                 $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
     204                $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}       \
     205                $${APPS+APPS}
    205206
    206207# LC_ALL=C ensures that error [and other] messages are delivered in
  • src/router/openssl/NEWS

    r30700 r31186  
    66  release. For more details please read the CHANGES file.
    77
     8  Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017]
     9
     10      o Truncated packet could crash via OOB read (CVE-2017-3731)
     11      o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
     12      o Montgomery multiplication may produce incorrect results (CVE-2016-7055)
     13
    814  Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]
    915
    10       o Fix Use After Free for large message sizes (CVE-2016-6309)
     16      o Missing CRL sanity check (CVE-2016-7052)
    1117
    1218  Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]
  • src/router/openssl/README

    r30700 r31186  
    11
    2  OpenSSL 1.0.2j 26 Sep 2016
     2 OpenSSL 1.0.2k 26 Jan 2017
    33
    44 Copyright (c) 1998-2015 The OpenSSL Project
     
    6767 first:
    6868
    69     - Download the current snapshot from ftp://ftp.openssl.org/snapshot/
     69    - Download the latest version from the repository
    7070      to see if the problem has already been addressed
    71     - Remove ASM versions of libraries
     71    - Configure with no-asm
    7272    - Remove compiler optimisation flags
    7373
    74  If you wish to report a bug then please include the following information in
    75  any bug report:
     74 If you wish to report a bug then please include the following information
     75 and create an issue on GitHub:
    7676
    7777    - On Unix systems:
     
    8585    - Stack Traceback (if the application dumps core)
    8686
    87  Email the report to:
    88 
    89     rt@openssl.org
    90 
    91  In order to avoid spam, this is a moderated mailing list, and it might
    92  take a day for the ticket to show up.  (We also scan posts to make sure
    93  that security disclosures aren't publically posted by mistake.) Mail
    94  to this address is recorded in the public RT (request tracker) database
    95  (see https://www.openssl.org/community/index.html#bugs for details) and
    96  also forwarded the public openssl-dev mailing list.  Confidential mail
    97  may be sent to openssl-security@openssl.org (PGP key available from the
    98  key servers).
    99 
    100  Please do NOT use this for general assistance or support queries.
    10187 Just because something doesn't work the way you expect does not mean it
    10288 is necessarily a bug in OpenSSL.
    103 
    104  You can also make GitHub pull requests. If you do this, please also send
    105  mail to rt@openssl.org with a link to the PR so that we can more easily
    106  keep track of it.
    10789
    10890 HOW TO CONTRIBUTE TO OpenSSL
     
    11496 ----------
    11597
    116  A number of nations, in particular the U.S., restrict the use or export
    117  of cryptography. If you are potentially subject to such restrictions
    118  you should seek competent professional legal advice before attempting to
    119  develop or distribute cryptographic code.
     98 A number of nations restrict the use or export of cryptography. If you
     99 are potentially subject to such restrictions you should seek competent
     100 professional legal advice before attempting to develop or distribute
     101 cryptographic code.
  • src/router/openssl/apps/apps.c

    r30692 r31186  
    973973            BIO_printf(err, "no engine specified\n");
    974974        else {
    975             pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
     975            if (ENGINE_init(e)) {
     976                pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
     977                ENGINE_finish(e);
     978            }
    976979            if (!pkey) {
    977980                BIO_printf(err, "cannot load %s from engine\n", key_descrip);
     
    15331536    return e;
    15341537}
     1538#endif
    15351539
    15361540ENGINE *setup_engine(BIO *err, const char *engine, int debug)
     
    15381542    ENGINE *e = NULL;
    15391543
     1544#ifndef OPENSSL_NO_ENGINE
    15401545    if (engine) {
    15411546        if (strcmp(engine, "auto") == 0) {
     
    15621567
    15631568        BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e));
    1564 
     1569    }
     1570#endif
     1571    return e;
     1572}
     1573
     1574void release_engine(ENGINE *e)
     1575{
     1576#ifndef OPENSSL_NO_ENGINE
     1577    if (e != NULL)
    15651578        /* Free our "structural" reference. */
    15661579        ENGINE_free(e);
    1567     }
    1568     return e;
    1569 }
    1570 #endif
     1580#endif
     1581}
    15711582
    15721583int load_config(BIO *err, CONF *cnf)
  • src/router/openssl/apps/apps.h

    r30692 r31186  
    260260                              const char *cert_descrip);
    261261X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
    262 # ifndef OPENSSL_NO_ENGINE
     262
    263263ENGINE *setup_engine(BIO *err, const char *engine, int debug);
    264 # endif
     264void release_engine(ENGINE *e);
    265265
    266266# ifndef OPENSSL_NO_OCSP
  • src/router/openssl/apps/ca.c

    r30692 r31186  
    320320    MS_STATIC char buf[3][BSIZE];
    321321    char *randfile = NULL;
    322 #ifndef OPENSSL_NO_ENGINE
    323322    char *engine = NULL;
    324 #endif
    325323    char *tofree = NULL;
    326324    DB_ATTR db_attr;
     
    596594        goto err;
    597595
    598 #ifndef OPENSSL_NO_ENGINE
    599596    e = setup_engine(bio_err, engine, 0);
    600 #endif
    601597
    602598    /* Lets get the config section we are using */
     
    14861482    NCONF_free(conf);
    14871483    NCONF_free(extconf);
     1484    release_engine(e);
    14881485    OBJ_cleanup();
    14891486    apps_shutdown();
     
    22282225    if (sk_CONF_VALUE_num(sk) == 0) {
    22292226        BIO_printf(bio_err, "no name/value pairs found in %s\n", infile);
    2230         CONF_free(parms);
    22312227        goto err;
    22322228    }
  • src/router/openssl/apps/cms.c

    r30490 r31186  
    144144    int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
    145145    int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
    146 # ifndef OPENSSL_NO_ENGINE
    147146    char *engine = NULL;
    148 # endif
    149147    unsigned char *secret_key = NULL, *secret_keyid = NULL;
    150148    unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
     
    668666        goto end;
    669667    }
    670 # ifndef OPENSSL_NO_ENGINE
    671668    e = setup_engine(bio_err, engine, 0);
    672 # endif
    673669
    674670    if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
     
    11731169    CMS_ContentInfo_free(cms);
    11741170    CMS_ContentInfo_free(rcms);
     1171    release_engine(e);
    11751172    BIO_free(rctin);
    11761173    BIO_free(in);
  • src/router/openssl/apps/dgst.c

    r30692 r31186  
    538538    if (bmd != NULL)
    539539        BIO_free(bmd);
     540    release_engine(e);
    540541    apps_shutdown();
    541542    OPENSSL_EXIT(err);
  • src/router/openssl/apps/dh.c

    r30490 r31186  
    9595    int informat, outformat, check = 0, noout = 0, C = 0, ret = 1;
    9696    char *infile, *outfile, *prog;
    97 # ifndef OPENSSL_NO_ENGINE
    9897    char *engine;
    99 # endif
    10098
    10199    apps_startup();
     
    108106        goto end;
    109107
    110 # ifndef OPENSSL_NO_ENGINE
    111108    engine = NULL;
    112 # endif
    113109    infile = NULL;
    114110    outfile = NULL;
     
    184180    ERR_load_crypto_strings();
    185181
    186 # ifndef OPENSSL_NO_ENGINE
    187182    setup_engine(bio_err, engine, 0);
    188 # endif
    189183
    190184    in = BIO_new(BIO_s_file());
  • src/router/openssl/apps/dhparam.c

    r30490 r31186  
    160160    char *infile, *outfile, *prog;
    161161    char *inrand = NULL;
    162 # ifndef OPENSSL_NO_ENGINE
    163162    char *engine = NULL;
    164 # endif
     163    ENGINE *e = NULL;
    165164    int num = 0, g = 0;
    166165
     
    271270    ERR_load_crypto_strings();
    272271
    273 # ifndef OPENSSL_NO_ENGINE
    274     setup_engine(bio_err, engine, 0);
    275 # endif
     272    e = setup_engine(bio_err, engine, 0);
    276273
    277274    if (g && !num)
     
    513510    if (dh != NULL)
    514511        DH_free(dh);
     512    release_engine(e);
    515513    apps_shutdown();
    516514    OPENSSL_EXIT(ret);
  • src/router/openssl/apps/dsa.c

    r30490 r31186  
    107107    int pubin = 0, pubout = 0;
    108108    char *infile, *outfile, *prog;
    109 # ifndef OPENSSL_NO_ENGINE
    110109    char *engine;
    111 # endif
    112110    char *passargin = NULL, *passargout = NULL;
    113111    char *passin = NULL, *passout = NULL;
     
    125123        goto end;
    126124
    127 # ifndef OPENSSL_NO_ENGINE
    128125    engine = NULL;
    129 # endif
    130126    infile = NULL;
    131127    outfile = NULL;
     
    240236    ERR_load_crypto_strings();
    241237
    242 # ifndef OPENSSL_NO_ENGINE
    243238    e = setup_engine(bio_err, engine, 0);
    244 # endif
    245239
    246240    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
     
    359353    if (dsa != NULL)
    360354        DSA_free(dsa);
     355    release_engine(e);
    361356    if (passin)
    362357        OPENSSL_free(passin);
  • src/router/openssl/apps/dsaparam.c

    r30490 r31186  
    122122    int numbits = -1, num, genkey = 0;
    123123    int need_rand = 0;
    124 # ifndef OPENSSL_NO_ENGINE
    125124    char *engine = NULL;
    126 # endif
     125    ENGINE *e = NULL;
    127126# ifdef GENCB_TEST
    128127    int timebomb = 0;
     
    264263    }
    265264
    266 # ifndef OPENSSL_NO_ENGINE
    267     setup_engine(bio_err, engine, 0);
    268 # endif
     265    e = setup_engine(bio_err, engine, 0);
    269266
    270267    if (need_rand) {
     
    434431    if (dsa != NULL)
    435432        DSA_free(dsa);
     433    release_engine(e);
    436434    apps_shutdown();
    437435    OPENSSL_EXIT(ret);
  • src/router/openssl/apps/ec.c

    r30490 r31186  
    9696    int pubin = 0, pubout = 0, param_out = 0;
    9797    char *infile, *outfile, *prog, *engine;
     98    ENGINE *e = NULL;
    9899    char *passargin = NULL, *passargout = NULL;
    99100    char *passin = NULL, *passout = NULL;
     
    236237    ERR_load_crypto_strings();
    237238
    238 # ifndef OPENSSL_NO_ENGINE
    239     setup_engine(bio_err, engine, 0);
    240 # endif
     239    e = setup_engine(bio_err, engine, 0);
    241240
    242241    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
     
    350349    if (eckey)
    351350        EC_KEY_free(eckey);
     351    release_engine(e);
    352352    if (passin)
    353353        OPENSSL_free(passin);
  • src/router/openssl/apps/ecparam.c

    r30490 r31186  
    132132    int informat, outformat, noout = 0, C = 0, ret = 1;
    133133    char *engine = NULL;
     134    ENGINE *e = NULL;
    134135
    135136    BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL,
     
    312313    }
    313314
    314 # ifndef OPENSSL_NO_ENGINE
    315     setup_engine(bio_err, engine, 0);
    316 # endif
     315    e = setup_engine(bio_err, engine, 0);
    317316
    318317    if (list_curves) {
     
    621620    if (buffer)
    622621        OPENSSL_free(buffer);
     622    if (group != NULL)
     623        EC_GROUP_free(group);
     624    release_engine(e);
    623625    if (in != NULL)
    624626        BIO_free(in);
    625627    if (out != NULL)
    626628        BIO_free_all(out);
    627     if (group != NULL)
    628         EC_GROUP_free(group);
    629629    apps_shutdown();
    630630    OPENSSL_EXIT(ret);
  • src/router/openssl/apps/enc.c

    r30692 r31186  
    127127#define PROG_NAME_SIZE  39
    128128    char pname[PROG_NAME_SIZE + 1];
    129 #ifndef OPENSSL_NO_ENGINE
    130129    char *engine = NULL;
    131 #endif
     130    ENGINE *e = NULL;
    132131    const EVP_MD *dgst = NULL;
    133132    int non_fips_allow = 0;
     
    323322    }
    324323
    325 #ifndef OPENSSL_NO_ENGINE
    326     setup_engine(bio_err, engine, 0);
    327 #endif
     324    e = setup_engine(bio_err, engine, 0);
    328325
    329326    if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
     
    675672        BIO_free(bzl);
    676673#endif
     674    release_engine(e);
    677675    if (pass)
    678676        OPENSSL_free(pass);
  • src/router/openssl/apps/gendh.c

    r30490 r31186  
    9797    char *outfile = NULL;
    9898    char *inrand = NULL;
    99 # ifndef OPENSSL_NO_ENGINE
    10099    char *engine = NULL;
    101 # endif
    102100    BIO *out = NULL;
    103101
     
    163161        goto end;
    164162    }
    165 # ifndef OPENSSL_NO_ENGINE
    166163    setup_engine(bio_err, engine, 0);
    167 # endif
    168164
    169165    out = BIO_new(BIO_s_file());
  • src/router/openssl/apps/gendsa.c

    r30490 r31186  
    8686    BIO *out = NULL, *in = NULL;
    8787    const EVP_CIPHER *enc = NULL;
    88 # ifndef OPENSSL_NO_ENGINE
    8988    char *engine = NULL;
    90 # endif
     89    ENGINE *e = NULL;
    9190
    9291    apps_startup();
     
    209208        goto end;
    210209    }
    211 # ifndef OPENSSL_NO_ENGINE
    212     setup_engine(bio_err, engine, 0);
    213 # endif
     210    e = setup_engine(bio_err, engine, 0);
    214211
    215212    if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
     
    276273    if (dsa != NULL)
    277274        DSA_free(dsa);
     275    release_engine(e);
    278276    if (passout)
    279277        OPENSSL_free(passout);
  • src/router/openssl/apps/genpkey.c

    r30490 r31186  
    276276        BIO_free_all(out);
    277277    BIO_free(in);
     278    release_engine(e);
    278279    if (pass)
    279280        OPENSSL_free(pass);
    280 
    281281    return ret;
    282282}
  • src/router/openssl/apps/genrsa.c

    r30490 r31186  
    9090        {
    9191        BN_GENCB cb;
    92 #ifndef OPENSSL_NO_ENGINE
    9392        ENGINE *e = NULL;
    94 #endif
    9593        int ret=1;
    9694        int i,num=DEFBITS;
     
    10098        char *outfile=NULL;
    10199        char *passargout = NULL, *passout = NULL;
    102 #ifndef OPENSSL_NO_ENGINE
    103100        char *engine=NULL;
    104 #endif
    105101        char *inrand=NULL;
    106102        BIO *out=NULL;
     
    234230        }
    235231
    236 #ifndef OPENSSL_NO_ENGINE
    237232        e = setup_engine(bio_err, engine, 0);
    238 #endif
    239233
    240234        if (outfile == NULL)
     
    307301        if (rsa) RSA_free(rsa);
    308302        if (out) BIO_free_all(out);
     303        release_engine(e);
    309304        if(passout) OPENSSL_free(passout);
    310305        if (ret != 0)
  • src/router/openssl/apps/pkcs12.c

    r30692 r31186  
    130130    char *macalg = NULL;
    131131    char *CApath = NULL, *CAfile = NULL;
    132 # ifndef OPENSSL_NO_ENGINE
    133132    char *engine = NULL;
    134 # endif
    135133
    136134    apps_startup();
     
    409407        goto end;
    410408    }
    411 # ifndef OPENSSL_NO_ENGINE
    412409    e = setup_engine(bio_err, engine, 0);
    413 # endif
    414410
    415411    if (passarg) {
     
    759755    CRYPTO_remove_all_info();
    760756# endif
     757    release_engine(e);
    761758    BIO_free(in);
    762759    BIO_free_all(out);
     
    11131110}
    11141111
     1112#else
     1113static void *dummy = &dummy;
    11151114#endif
  • src/router/openssl/apps/pkcs7.c

    r30490 r31186  
    9191    int print_certs = 0, text = 0, noout = 0, p7_print = 0;
    9292    int ret = 1;
    93 #ifndef OPENSSL_NO_ENGINE
    9493    char *engine = NULL;
    95 #endif
     94    ENGINE *e = NULL;
    9695
    9796    apps_startup();
     
    176175    ERR_load_crypto_strings();
    177176
    178 #ifndef OPENSSL_NO_ENGINE
    179     setup_engine(bio_err, engine, 0);
    180 #endif
     177    e = setup_engine(bio_err, engine, 0);
    181178
    182179    in = BIO_new(BIO_s_file());
     
    304301    if (p7 != NULL)
    305302        PKCS7_free(p7);
     303    release_engine(e);
    306304    if (in != NULL)
    307305        BIO_free(in);
  • src/router/openssl/apps/pkcs8.c

    r30490 r31186  
    8888    int badarg = 0;
    8989    int ret = 1;
    90 #ifndef OPENSSL_NO_ENGINE
    9190    char *engine = NULL;
    92 #endif
    9391
    9492    if (bio_err == NULL)
     
    224222        goto end;
    225223    }
    226 #ifndef OPENSSL_NO_ENGINE
    227224    e = setup_engine(bio_err, engine, 0);
    228 #endif
    229225
    230226    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
     
    392388    PKCS8_PRIV_KEY_INFO_free(p8inf);
    393389    EVP_PKEY_free(pkey);
     390    release_engine(e);
    394391    BIO_free_all(out);
    395392    BIO_free(in);
  • src/router/openssl/apps/pkey.c

    r30490 r31186  
    8080    char *passin = NULL, *passout = NULL;
    8181    int badarg = 0;
    82 #ifndef OPENSSL_NO_ENGINE
    8382    char *engine = NULL;
    84 #endif
    8583    int ret = 1;
    8684
     
    179177        return 1;
    180178    }
    181 #ifndef OPENSSL_NO_ENGINE
    182179    e = setup_engine(bio_err, engine, 0);
    183 #endif
    184180
    185181    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
     
    241237 end:
    242238    EVP_PKEY_free(pkey);
     239    release_engine(e);
    243240    BIO_free_all(out);
    244241    BIO_free(in);
  • src/router/openssl/apps/pkeyparam.c

    r30490 r31186  
    7575    EVP_PKEY *pkey = NULL;
    7676    int badarg = 0;
    77 #ifndef OPENSSL_NO_ENGINE
    7877    char *engine = NULL;
    79 #endif
     78    ENGINE *e = NULL;
    8079    int ret = 1;
    8180
     
    135134        return 1;
    136135    }
    137 #ifndef OPENSSL_NO_ENGINE
    138     setup_engine(bio_err, engine, 0);
    139 #endif
     136    e = setup_engine(bio_err, engine, 0);
    140137
    141138    if (infile) {
     
    179176 end:
    180177    EVP_PKEY_free(pkey);
     178    release_engine(e);
    181179    BIO_free_all(out);
    182180    BIO_free(in);
  • src/router/openssl/apps/pkeyutl.c

    r30490 r31186  
    358358    if (ctx)
    359359        EVP_PKEY_CTX_free(ctx);
     360    release_engine(e);
    360361    BIO_free(in);
    361362    BIO_free_all(out);
  • src/router/openssl/apps/prime.c

    r30490 r31186  
    129129        OPENSSL_free(s);
    130130    } else {
     131        int r;
     132
    131133        if (hex)
    132             BN_hex2bn(&bn, argv[0]);
     134            r = BN_hex2bn(&bn, argv[0]);
    133135        else
    134             BN_dec2bn(&bn, argv[0]);
     136            r = BN_dec2bn(&bn, argv[0]);
     137
     138        if(!r) {
     139            BIO_printf(bio_err, "Failed to process value (%s)\n", argv[0]);
     140            goto end;
     141        }
    135142
    136143        BN_print(bio_out, bn);
     
    139146    }
    140147
     148 end:
    141149    BN_free(bn);
    142150    BIO_free_all(bio_out);
  • src/router/openssl/apps/rand.c

    r30490 r31186  
    8787    BIO *out = NULL;
    8888    int num = -1;
    89 #ifndef OPENSSL_NO_ENGINE
     89    ENGINE *e = NULL;
    9090    char *engine = NULL;
    91 #endif
    9291
    9392    apps_startup();
     
    163162        goto err;
    164163    }
    165 #ifndef OPENSSL_NO_ENGINE
    166     setup_engine(bio_err, engine, 0);
    167 #endif
     164    e = setup_engine(bio_err, engine, 0);
    168165
    169166    app_RAND_load_file(NULL, bio_err, (inrand != NULL));
     
    223220 err:
    224221    ERR_print_errors(bio_err);
     222    release_engine(e);
    225223    if (out)
    226224        BIO_free_all(out);
  • src/router/openssl/apps/req.c

    r30692 r31186  
    180180    char *infile, *outfile, *prog, *keyfile = NULL, *template =
    181181        NULL, *keyout = NULL;
    182 #ifndef OPENSSL_NO_ENGINE
    183182    char *engine = NULL;
    184 #endif
    185183    char *extensions = NULL;
    186184    char *req_exts = NULL;
     
    596594        goto end;
    597595
    598 #ifndef OPENSSL_NO_ENGINE
    599596    e = setup_engine(bio_err, engine, 0);
    600 #endif
    601597
    602598    if (keyfile != NULL) {
     
    10411037    X509_free(x509ss);
    10421038    ASN1_INTEGER_free(serial);
     1039    release_engine(e);
    10431040    if (passargin && passin)
    10441041        OPENSSL_free(passin);
  • src/router/openssl/apps/rsa.c

    r30490 r31186  
    112112    char *passargin = NULL, *passargout = NULL;
    113113    char *passin = NULL, *passout = NULL;
    114 # ifndef OPENSSL_NO_ENGINE
    115114    char *engine = NULL;
    116 # endif
    117115    int modulus = 0;
    118116
     
    255253    ERR_load_crypto_strings();
    256254
    257 # ifndef OPENSSL_NO_ENGINE
    258255    e = setup_engine(bio_err, engine, 0);
    259 # endif
    260256
    261257    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
     
    420416        ret = 0;
    421417 end:
     418    release_engine(e);
    422419    if (out != NULL)
    423420        BIO_free_all(out);
  • src/router/openssl/apps/rsautl.c

    r30490 r31186  
    8989    BIO *in = NULL, *out = NULL;
    9090    char *infile = NULL, *outfile = NULL;
    91 # ifndef OPENSSL_NO_ENGINE
    9291    char *engine = NULL;
    93 # endif
    9492    char *keyfile = NULL;
    9593    char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
     
    196194        goto end;
    197195    }
    198 # ifndef OPENSSL_NO_ENGINE
    199196    e = setup_engine(bio_err, engine, 0);
    200 # endif
    201197    if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
    202198        BIO_printf(bio_err, "Error getting password\n");
     
    328324 end:
    329325    RSA_free(rsa);
     326    release_engine(e);
    330327    BIO_free(in);
    331328    BIO_free_all(out);
  • src/router/openssl/apps/s_cb.c

    r30692 r31186  
    549549    if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
    550550        BIO_printf(out, "read from %p [%p] (%lu bytes => %ld (0x%lX))\n",
    551                    (void *)bio, argp, (unsigned long)argi, ret, ret);
     551                   (void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
    552552        BIO_dump(out, argp, (int)ret);
    553553        return (ret);
    554554    } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
    555555        BIO_printf(out, "write to %p [%p] (%lu bytes => %ld (0x%lX))\n",
    556                    (void *)bio, argp, (unsigned long)argi, ret, ret);
     556                   (void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
    557557        BIO_dump(out, argp, (int)ret);
    558558    }
  • src/router/openssl/apps/s_client.c

    r30692 r31186  
    695695    int mbuf_len = 0;
    696696    struct timeval timeout, *timeoutp;
     697    char *engine_id = NULL;
     698    ENGINE *e = NULL;
    697699#ifndef OPENSSL_NO_ENGINE
    698     char *engine_id = NULL;
    699700    char *ssl_client_engine_id = NULL;
    700701    ENGINE *ssl_client_engine = NULL;
    701702#endif
    702     ENGINE *e = NULL;
    703703#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
    704704    struct timeval tv;
     
    11871187#endif
    11881188
     1189    e = setup_engine(bio_err, engine_id, 1);
    11891190#ifndef OPENSSL_NO_ENGINE
    1190     e = setup_engine(bio_err, engine_id, 1);
    11911191    if (ssl_client_engine_id) {
    11921192        ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
     
    21242124        OPENSSL_free(mbuf);
    21252125    }
     2126    release_engine(e);
    21262127    if (bio_c_out != NULL) {
    21272128        BIO_free(bio_c_out);
  • src/router/openssl/apps/s_server.c

    r30692 r31186  
    329329
    330330static int hack = 0;
    331 #ifndef OPENSSL_NO_ENGINE
    332331static char *engine_id = NULL;
    333 #endif
    334332static const char *session_id_prefix = NULL;
    335333
     
    485483    s_brief = 0;
    486484    hack = 0;
    487 # ifndef OPENSSL_NO_ENGINE
    488485    engine_id = NULL;
    489 # endif
    490486}
    491487#endif
     
    16041600    OpenSSL_add_ssl_algorithms();
    16051601
    1606 #ifndef OPENSSL_NO_ENGINE
    16071602    e = setup_engine(bio_err, engine_id, 1);
    1608 #endif
    16091603
    16101604    if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) {
     
    21302124        OPENSSL_free(psk_key);
    21312125#endif
     2126    release_engine(e);
    21322127    if (bio_s_out != NULL) {
    21332128        BIO_free(bio_s_out);
  • src/router/openssl/apps/speed.c

    r30692 r31186  
    373373int MAIN(int argc, char **argv)
    374374{
     375    ENGINE *e = NULL;
    375376    unsigned char *buf = NULL, *buf2 = NULL;
    376377    int mret = 1;
     
    681682    }
    682683# endif
     684# ifndef OPENSSL_NO_RSA
     685    for (i = 0; i < RSA_NUM; i++)
     686        rsa_key[i] = NULL;
     687# endif
    683688
    684689    if (bio_err == NULL)
     
    688693    if (!load_config(bio_err, NULL))
    689694        goto end;
    690 
    691 # ifndef OPENSSL_NO_RSA
    692     memset(rsa_key, 0, sizeof(rsa_key));
    693     for (i = 0; i < RSA_NUM; i++)
    694         rsa_key[i] = NULL;
    695 # endif
    696695
    697696    if ((buf = (unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL) {
     
    761760                goto end;
    762761            }
    763             setup_engine(bio_err, *argv, 0);
     762            e = setup_engine(bio_err, *argv, 0);
    764763            /*
    765764             * j will be increased again further down.  We just don't want
     
    25732572# endif
    25742573
     2574    release_engine(e);
    25752575    apps_shutdown();
    25762576    OPENSSL_EXIT(mret);
  • src/router/openssl/apps/speed.c.orig

    r30692 r31186  
    26612661
    26622662    fds = malloc(multi * sizeof *fds);
     2663    if (fds == NULL) {
     2664        fprintf(stderr, "Out of memory in speed (do_multi)\n");
     2665        exit(1);
     2666    }
    26632667    for (n = 0; n < multi; ++n) {
    26642668        if (pipe(fd) == -1) {
  • src/router/openssl/apps/spkac.c

    r30490 r31186  
    9595    NETSCAPE_SPKI *spki = NULL;
    9696    EVP_PKEY *pkey = NULL;
    97 #ifndef OPENSSL_NO_ENGINE
    9897    char *engine = NULL;
    99 #endif
    10098
    10199    apps_startup();
     
    186184        goto end;
    187185    }
    188 #ifndef OPENSSL_NO_ENGINE
    189186    e = setup_engine(bio_err, engine, 0);
    190 #endif
    191187
    192188    if (keyfile) {
     
    306302    BIO_free_all(out);
    307303    EVP_PKEY_free(pkey);
     304    release_engine(e);
    308305    if (passin)
    309306        OPENSSL_free(passin);
  • src/router/openssl/apps/srp.c

    r30692 r31186  
    294294    long errorline = -1;
    295295    char *randfile = NULL;
    296 # ifndef OPENSSL_NO_ENGINE
     296    ENGINE *e = NULL;
    297297    char *engine = NULL;
    298 # endif
    299298    char *tofree = NULL;
    300299    DB_ATTR db_attr;
     
    412411    ERR_load_crypto_strings();
    413412
    414 # ifndef OPENSSL_NO_ENGINE
    415     setup_engine(bio_err, engine, 0);
    416 # endif
     413    e = setup_engine(bio_err, engine, 0);
    417414
    418415    if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
     
    761758        free_index(db);
    762759
     760    release_engine(e);
    763761    OBJ_cleanup();
    764762    apps_shutdown();
  • src/router/openssl/apps/verify.c

    r30692 r31186  
    9090    X509_VERIFY_PARAM *vpm = NULL;
    9191    int crl_download = 0;
    92 #ifndef OPENSSL_NO_ENGINE
    9392    char *engine = NULL;
    94 #endif
    9593
    9694    cert_ctx = X509_STORE_new();
     
    161159    }
    162160
    163 #ifndef OPENSSL_NO_ENGINE
    164161    e = setup_engine(bio_err, engine, 0);
    165 #endif
    166162
    167163    if (vpm)
     
    256252    sk_X509_pop_free(trusted, X509_free);
    257253    sk_X509_CRL_pop_free(crls, X509_CRL_free);
     254    release_engine(e);
    258255    apps_shutdown();
    259256    OPENSSL_EXIT(ret < 0 ? 2 : ret);
  • src/router/openssl/apps/x509.c

    r30692 r31186  
    219219    char *checkemail = NULL;
    220220    char *checkip = NULL;
    221 #ifndef OPENSSL_NO_ENGINE
    222221    char *engine = NULL;
    223 #endif
    224222
    225223    reqfile = 0;
     
    502500        goto end;
    503501    }
    504 #ifndef OPENSSL_NO_ENGINE
    505502    e = setup_engine(bio_err, engine, 0);
    506 #endif
    507503
    508504    if (need_rand)
     
    10411037    sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
    10421038    sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
     1039    release_engine(e);
    10431040    if (passin)
    10441041        OPENSSL_free(passin);
  • src/router/openssl/crypto/aes/asm/aes-s390x.pl

    r30490 r31186  
    15691569
    15701570########################################################################
    1571 # void AES_xts_encrypt(const char *inp,char *out,size_t len,
    1572 #       const AES_KEY *key1, const AES_KEY *key2,
     1571# void AES_xts_encrypt(const unsigned char *inp, unsigned char *out,
     1572#       size_t len, const AES_KEY *key1, const AES_KEY *key2,
    15731573#       const unsigned char iv[16]);
    15741574#
     
    19381938.size   AES_xts_encrypt,.-AES_xts_encrypt
    19391939___
    1940 # void AES_xts_decrypt(const char *inp,char *out,size_t len,
    1941 #       const AES_KEY *key1, const AES_KEY *key2,
     1940# void AES_xts_decrypt(const unsigned char *inp, unsigned char *out,
     1941#       size_t len, const AES_KEY *key1, const AES_KEY *key2,
    19421942#       const unsigned char iv[16]);
    19431943#
  • src/router/openssl/crypto/asn1/p5_pbev2.c

    r30692 r31186  
    9292                              unsigned char *aiv, int prf_nid)
    9393{
    94     X509_ALGOR *scheme = NULL, *kalg = NULL, *ret = NULL;
     94    X509_ALGOR *scheme = NULL, *ret = NULL;
    9595    int alg_nid, keylen;
    9696    EVP_CIPHER_CTX ctx;
    9797    unsigned char iv[EVP_MAX_IV_LENGTH];
    9898    PBE2PARAM *pbe2 = NULL;
    99     ASN1_OBJECT *obj;
    10099
    101100    alg_nid = EVP_CIPHER_type(cipher);
     
    105104        goto err;
    106105    }
    107     obj = OBJ_nid2obj(alg_nid);
    108106
    109107    if (!(pbe2 = PBE2PARAM_new()))
     
    113111    scheme = pbe2->encryption;
    114112
    115     scheme->algorithm = obj;
     113    scheme->algorithm = OBJ_nid2obj(alg_nid);
    116114    if (!(scheme->parameter = ASN1_TYPE_new()))
    117115        goto merr;
     
    189187    PBE2PARAM_free(pbe2);
    190188    /* Note 'scheme' is freed as part of pbe2 */
    191     X509_ALGOR_free(kalg);
    192189    X509_ALGOR_free(ret);
    193190
    194191    return NULL;
    195 
    196192}
    197193
  • src/router/openssl/crypto/asn1/x_crl.c

    r30490 r31186  
    255255        for (idx = 0; idx < sk_X509_EXTENSION_num(exts); idx++) {
    256256            int nid;
     257
    257258            ext = sk_X509_EXTENSION_value(exts, idx);
    258259            nid = OBJ_obj2nid(ext->object);
     
    264265                    || (nid == NID_authority_key_identifier)
    265266                    || (nid == NID_delta_crl))
    266                     break;;
     267                    continue;
    267268                crl->flags |= EXFLAG_CRITICAL;
    268269                break;
  • src/router/openssl/crypto/bn/asm/x86_64-mont.pl

    r30692 r31186  
    11511151        adox    -3*8($tptr),%r11
    11521152        adcx    %r15,%r12
    1153         adox    $zero,%r12
     1153        adox    -2*8($tptr),%r12
    11541154        adcx    $zero,%r13
     1155        adox    $zero,%r13
    11551156
    11561157        mov     $bptr,8(%rsp)           # off-load &b[i]
    1157         .byte   0x67
    11581158        mov     $mi,%r15
    11591159        imulq   24(%rsp),$mi            # "t[0]"*n0
     
    11621162        mulx    3*8($aptr),%rax,%r14
    11631163         mov    $mi,%rdx
    1164         adox    -2*8($tptr),%r12
    11651164        adcx    %rax,%r13
    11661165        adox    -1*8($tptr),%r13
  • src/router/openssl/crypto/bn/asm/x86_64-mont5.pl

    r30692 r31186  
    19281928.align  32
    19291929.L8x_tail_done:
     1930        xor     %rax,%rax
    19301931        add     (%rdx),%r8              # can this overflow?
    19311932        adc     \$0,%r9
     
    19351936        adc     \$0,%r13
    19361937        adc     \$0,%r14
    1937         adc     \$0,%r15                # can't overflow, because we
    1938                                         # started with "overhung" part
    1939                                         # of multiplication
    1940         xor     %rax,%rax
     1938        adc     \$0,%r15
     1939        adc     \$0,%rax
    19411940
    19421941        neg     $carry
     
    33833382.align  32
    33843383.Lsqrx8x_tail_done:
     3384        xor     %rax,%rax
    33853385        add     24+8(%rsp),%r8          # can this overflow?
    33863386        adc     \$0,%r9
     
    33903390        adc     \$0,%r13
    33913391        adc     \$0,%r14
    3392         adc     \$0,%r15                # can't overflow, because we
    3393                                         # started with "overhung" part
    3394                                         # of multiplication
    3395         mov     $carry,%rax             # xor   %rax,%rax
     3392        adc     \$0,%r15
     3393        adc     \$0,%rax
    33963394
    33973395        sub     16+8(%rsp),$carry       # mov 16(%rsp),%cf
     
    34083406        adc     8*6($tptr),%r14
    34093407        adc     8*7($tptr),%r15
    3410         adc     %rax,%rax               # top-most carry
     3408        adc     \$0,%rax                # top-most carry
    34113409
    34123410        mov     32+8(%rsp),%rbx         # n0
  • src/router/openssl/crypto/bn/bn_exp.c

    r30490 r31186  
    181181        }
    182182    }
    183     if (r != rr)
    184         BN_copy(r, rr);
     183    if (r != rr && BN_copy(r, rr) == NULL)
     184        goto err;
     185
    185186    ret = 1;
    186187 err:
  • src/router/openssl/crypto/bn/bn_mul.c

    r30490 r31186  
    10841084#endif
    10851085    bn_correct_top(rr);
    1086     if (r != rr)
    1087         BN_copy(r, rr);
     1086    if (r != rr && BN_copy(r, rr) == NULL)
     1087        goto err;
     1088
    10881089    ret = 1;
    10891090 err:
  • src/router/openssl/crypto/bn/bn_prime.c

    r30490 r31186  
    284284        if ((t = BN_CTX_get(ctx)) == NULL)
    285285            goto err;
    286         BN_copy(t, a);
     286        if (BN_copy(t, a) == NULL)
     287            goto err;
    287288        t->neg = 0;
    288289        A = t;
  • src/router/openssl/crypto/bn/bn_sqr.c

    r30490 r31186  
    144144    else
    145145        rr->top = max;
    146     if (rr != r)
    147         BN_copy(r, rr);
     146    if (r != rr && BN_copy(r, rr) == NULL)
     147        goto err;
     148
    148149    ret = 1;
    149150 err:
  • src/router/openssl/crypto/cms/cms_kari.c

    r30490 r31186  
    402402     * DES3 wrap otherwise use AES wrap similar to key size.
    403403     */
     404#ifndef OPENSSL_NO_DES
    404405    if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc)
    405406        kekcipher = EVP_des_ede3_wrap();
    406     else if (keylen <= 16)
     407    else
     408#endif
     409    if (keylen <= 16)
    407410        kekcipher = EVP_aes_128_wrap();
    408411    else if (keylen <= 24)
  • src/router/openssl/crypto/dh/dh_key.c

    r30490 r31186  
    224224    BN_CTX_start(ctx);
    225225    tmp = BN_CTX_get(ctx);
     226    if (tmp == NULL)
     227        goto err;
    226228
    227229    if (dh->priv_key == NULL) {
  • src/router/openssl/crypto/dsa/dsa_pmeth.c

    r30490 r31186  
    181181            return 0;
    182182        }
    183         dctx->md = p2;
     183        dctx->pmd = p2;
    184184        return 1;
    185185
  • src/router/openssl/crypto/ec/ec2_mult.c

    r30490 r31186  
    268268{
    269269    BIGNUM *x1, *x2, *z1, *z2;
    270     int ret = 0, i;
     270    int ret = 0, i, group_top;
    271271    BN_ULONG mask, word;
    272272
     
    298298    z2 = &r->Y;
    299299
    300     bn_wexpand(x1, group->field.top);
    301     bn_wexpand(z1, group->field.top);
    302     bn_wexpand(x2, group->field.top);
    303     bn_wexpand(z2, group->field.top);
     300    group_top = group->field.top;
     301    if (bn_wexpand(x1, group_top) == NULL
     302        || bn_wexpand(z1, group_top) == NULL
     303        || bn_wexpand(x2, group_top) == NULL
     304        || bn_wexpand(z2, group_top) == NULL)
     305        goto err;
    304306
    305307    if (!BN_GF2m_mod_arr(x1, &point->X, group->poly))
     
    330332        word = scalar->d[i];
    331333        while (mask) {
    332             BN_consttime_swap(word & mask, x1, x2, group->field.top);
    333             BN_consttime_swap(word & mask, z1, z2, group->field.top);
     334            BN_consttime_swap(word & mask, x1, x2, group_top);
     335            BN_consttime_swap(word & mask, z1, z2, group_top);
    334336            if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx))
    335337                goto err;
    336338            if (!gf2m_Mdouble(group, x1, z1, ctx))
    337339                goto err;
    338             BN_consttime_swap(word & mask, x1, x2, group->field.top);
    339             BN_consttime_swap(word & mask, z1, z2, group->field.top);
     340            BN_consttime_swap(word & mask, x1, x2, group_top);
     341            BN_consttime_swap(word & mask, z1, z2, group_top);
    340342            mask >>= 1;
    341343        }
  • src/router/openssl/crypto/ecdh/ech_ossl.c

    r30490 r31186  
    213213    if (ctx)
    214214        BN_CTX_free(ctx);
    215     if (buf)
     215    if (buf) {
     216        OPENSSL_cleanse(buf, buflen);
    216217        OPENSSL_free(buf);
     218    }
    217219    return (ret);
    218220}
  • src/router/openssl/crypto/err/err.c

    r30490 r31186  
    869869    unsigned long l, f, r;
    870870
     871    if (len == 0)
     872        return;
     873
    871874    l = ERR_GET_LIB(e);
    872875    f = ERR_GET_FUNC(e);
  • src/router/openssl/crypto/evp/e_aes.c

    r30490 r31186  
    156156# endif
    157157# ifdef AES_XTS_ASM
    158 void AES_xts_encrypt(const char *inp, char *out, size_t len,
     158void AES_xts_encrypt(const unsigned char *inp, unsigned char *out, size_t len,
    159159                     const AES_KEY *key1, const AES_KEY *key2,
    160160                     const unsigned char iv[16]);
    161 void AES_xts_decrypt(const char *inp, char *out, size_t len,
     161void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
    162162                     const AES_KEY *key1, const AES_KEY *key2,
    163163                     const unsigned char iv[16]);
  • src/router/openssl/crypto/evp/e_rc4_hmac_md5.c

    r30692 r31186  
    270270
    271271            if (!ctx->encrypt) {
     272                if (len < MD5_DIGEST_LENGTH)
     273                    return -1;
    272274                len -= MD5_DIGEST_LENGTH;
    273275                p[arg - 2] = len >> 8;
  • src/router/openssl/crypto/evp/evp.h

    r30490 r31186  
    13811381 * made after this point may be overwritten when the script is next run.
    13821382 */
     1383
    13831384void ERR_load_EVP_strings(void);
    13841385
     
    15001501# define EVP_R_INVALID_DIGEST                             152
    15011502# define EVP_R_INVALID_FIPS_MODE                          168
     1503# define EVP_R_INVALID_KEY                                171
    15021504# define EVP_R_INVALID_KEY_LENGTH                         130
    15031505# define EVP_R_INVALID_OPERATION                          148
     
    15391541# define EVP_R_WRONG_PUBLIC_KEY_TYPE                      110
    15401542
    1541 #ifdef  __cplusplus
     1543# ifdef  __cplusplus
    15421544}
     1545# endif
    15431546#endif
    1544 #endif
  • src/router/openssl/crypto/evp/evp_err.c

    r30490 r31186  
    11/* crypto/evp/evp_err.c */
    22/* ====================================================================
    3  * Copyright (c) 1999-2013 The OpenSSL Project.  All rights reserved.
     3 * Copyright (c) 1999-2016 The OpenSSL Project.  All rights reserved.
    44 *
    55 * Redistribution and use in source and binary forms, with or without
     
    193193    {ERR_REASON(EVP_R_INVALID_DIGEST), "invalid digest"},
    194194    {ERR_REASON(EVP_R_INVALID_FIPS_MODE), "invalid fips mode"},
     195    {ERR_REASON(EVP_R_INVALID_KEY), "invalid key"},
    195196    {ERR_REASON(EVP_R_INVALID_KEY_LENGTH), "invalid key length"},
    196197    {ERR_REASON(EVP_R_INVALID_OPERATION), "invalid operation"},
  • src/router/openssl/crypto/evp/pmeth_fn.c

    r30490 r31186  
    6666
    6767#define M_check_autoarg(ctx, arg, arglen, err) \
    68         if (ctx->pmeth->flags & EVP_PKEY_FLAG_AUTOARGLEN) \
    69                 { \
    70                 size_t pksize = (size_t)EVP_PKEY_size(ctx->pkey); \
    71                 if (!arg) \
    72                         { \
    73                         *arglen = pksize; \
    74                         return 1; \
    75                         } \
    76                 else if (*arglen < pksize) \
    77                         { \
    78                         EVPerr(err, EVP_R_BUFFER_TOO_SMALL); /*ckerr_ignore*/\
    79                         return 0; \
    80                         } \
    81                 }
     68    if (ctx->pmeth->flags & EVP_PKEY_FLAG_AUTOARGLEN) {           \
     69        size_t pksize = (size_t)EVP_PKEY_size(ctx->pkey);         \
     70                                                                  \
     71        if (pksize == 0) {                                        \
     72            EVPerr(err, EVP_R_INVALID_KEY); /*ckerr_ignore*/      \
     73            return 0;                                             \
     74        }                                                         \
     75        if (!arg) {                                               \
     76            *arglen = pksize;                                     \
     77            return 1;                                             \
     78        }                                                         \
     79        if (*arglen < pksize) {                                   \
     80            EVPerr(err, EVP_R_BUFFER_TOO_SMALL); /*ckerr_ignore*/ \
     81            return 0;                                             \
     82        }                                                         \
     83    }
    8284
    8385int EVP_PKEY_sign_init(EVP_PKEY_CTX *ctx)
  • src/router/openssl/crypto/evp/pmeth_lib.c

    r30692 r31186  
    200200{
    201201    EVP_PKEY_METHOD *pmeth;
     202
    202203    pmeth = OPENSSL_malloc(sizeof(EVP_PKEY_METHOD));
    203204    if (!pmeth)
     
    208209    pmeth->pkey_id = id;
    209210    pmeth->flags = flags | EVP_PKEY_FLAG_DYNAMIC;
    210 
    211     pmeth->init = 0;
    212     pmeth->copy = 0;
    213     pmeth->cleanup = 0;
    214     pmeth->paramgen_init = 0;
    215     pmeth->paramgen = 0;
    216     pmeth->keygen_init = 0;
    217     pmeth->keygen = 0;
    218     pmeth->sign_init = 0;
    219     pmeth->sign = 0;
    220     pmeth->verify_init = 0;
    221     pmeth->verify = 0;
    222     pmeth->verify_recover_init = 0;
    223     pmeth->verify_recover = 0;
    224     pmeth->signctx_init = 0;
    225     pmeth->signctx = 0;
    226     pmeth->verifyctx_init = 0;
    227     pmeth->verifyctx = 0;
    228     pmeth->encrypt_init = 0;
    229     pmeth->encrypt = 0;
    230     pmeth->decrypt_init = 0;
    231     pmeth->decrypt = 0;
    232     pmeth->derive_init = 0;
    233     pmeth->derive = 0;
    234     pmeth->ctrl = 0;
    235     pmeth->ctrl_str = 0;
    236 
    237211    return pmeth;
    238212}
  • src/router/openssl/crypto/modes/ctr128.c

    r30490 r31186  
    101101        d = data[n] += c;
    102102        /* did addition carry? */
    103         c = ((d - c) ^ d) >> (sizeof(size_t) * 8 - 1);
     103        c = ((d - c) & ~d) >> (sizeof(size_t) * 8 - 1);
    104104    } while (n);
    105105}
  • src/router/openssl/crypto/opensslv.h

    r30700 r31186  
    3131 *  major minor fix final patch/beta)
    3232 */
    33 # define OPENSSL_VERSION_NUMBER  0x100020afL
     33# define OPENSSL_VERSION_NUMBER  0x100020bfL
    3434# ifdef OPENSSL_FIPS
    35 #  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2j-fips  26 Sep 2016"
     35#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2k-fips  26 Jan 2017"
    3636# else
    37 #  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2j  26 Sep 2016"
     37#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2k  26 Jan 2017"
    3838# endif
    3939# define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
  • src/router/openssl/crypto/perlasm/x86_64-xlate.pl

    r30490 r31186  
    252252
    253253        # Solaris /usr/ccs/bin/as can't handle multiplications
    254         # in $self->{label}, new gas requires sign extension...
     254        # in $self->{label}...
    255255        use integer;
    256256        $self->{label} =~ s/(?<![\w\$\.])(0x?[0-9a-f]+)/oct($1)/egi;
    257257        $self->{label} =~ s/\b([0-9]+\s*[\*\/\%]\s*[0-9]+)\b/eval($1)/eg;
    258         $self->{label} =~ s/\b([0-9]+)\b/$1<<32>>32/eg;
     258
     259        # Some assemblers insist on signed presentation of 32-bit
     260        # offsets, but sign extension is a tricky business in perl...
     261        if ((1<<31)<<1) {
     262            $self->{label} =~ s/\b([0-9]+)\b/$1<<32>>32/eg;
     263        } else {
     264            $self->{label} =~ s/\b([0-9]+)\b/$1>>0/eg;
     265        }
    259266
    260267        if (!$self->{label} && $self->{index} && $self->{scale}==1 &&
  • src/router/openssl/crypto/rsa/rsa_gen.c

    r30490 r31186  
    143143        goto err;
    144144
    145     BN_copy(rsa->e, e_value);
     145    if (BN_copy(rsa->e, e_value) == NULL)
     146        goto err;
    146147
    147148    /* generate p and q */
  • src/router/openssl/crypto/rsa/rsa_oaep.c

    r30490 r31186  
    9090
    9191    if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0)
    92         return 0;
     92        goto err;
    9393    for (i = 0; i < emlen - mdlen; i++)
    9494        db[i] ^= dbmask[i];
    9595
    9696    if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0)
    97         return 0;
     97        goto err;
    9898    for (i = 0; i < mdlen; i++)
    9999        seed[i] ^= seedmask[i];
     
    101101    OPENSSL_free(dbmask);
    102102    return 1;
     103
     104 err:
     105    OPENSSL_free(dbmask);
     106    return 0;
    103107}
    104108
  • src/router/openssl/crypto/rsa/rsa_pmeth.c

    r30692 r31186  
    374374            return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen,
    375375                              sig, siglen, rsa);
     376        if (tbslen != (size_t)EVP_MD_size(rctx->md)) {
     377            RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH);
     378            return -1;
     379        }
    376380        if (rctx->pad_mode == RSA_X931_PADDING) {
    377381            if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0)
  • src/router/openssl/crypto/s390xcap.c

    r30490 r31186  
    44#include <setjmp.h>
    55#include <signal.h>
     6#include "cryptlib.h"
    67
    78extern unsigned long OPENSSL_s390xcap_P[];
  • src/router/openssl/crypto/ui/ui_lib.c

    r30692 r31186  
    165165                                           type, input_flags, result_buf);
    166166
    167     if (s) {
     167    if (s != NULL) {
    168168        if (allocate_string_stack(ui) >= 0) {
    169169            s->_.string_data.result_minsize = minsize;
     
    198198        UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN, ERR_R_PASSED_NULL_PARAMETER);
    199199    } else {
    200         for (p = ok_chars; *p; p++) {
    201             if (strchr(cancel_chars, *p)) {
     200        for (p = ok_chars; *p != '\0'; p++) {
     201            if (strchr(cancel_chars, *p) != NULL) {
    202202                UIerr(UI_F_GENERAL_ALLOCATE_BOOLEAN,
    203203                      UI_R_COMMON_OK_AND_CANCEL_CHARACTERS);
     
    208208                                    type, input_flags, result_buf);
    209209
    210         if (s) {
     210        if (s != NULL) {
    211211            if (allocate_string_stack(ui) >= 0) {
    212212                s->_.boolean_data.action_desc = action_desc;
     
    244244    char *prompt_copy = NULL;
    245245
    246     if (prompt) {
     246    if (prompt != NULL) {
    247247        prompt_copy = BUF_strdup(prompt);
    248248        if (prompt_copy == NULL) {
     
    272272    char *prompt_copy = NULL;
    273273
    274     if (prompt) {
     274    if (prompt != NULL) {
    275275        prompt_copy = BUF_strdup(prompt);
    276276        if (prompt_copy == NULL) {
     
    303303    char *cancel_chars_copy = NULL;
    304304
    305     if (prompt) {
     305    if (prompt != NULL) {
    306306        prompt_copy = BUF_strdup(prompt);
    307307        if (prompt_copy == NULL) {
     
    311311    }
    312312
    313     if (action_desc) {
     313    if (action_desc != NULL) {
    314314        action_desc_copy = BUF_strdup(action_desc);
    315315        if (action_desc_copy == NULL) {
     
    319319    }
    320320
    321     if (ok_chars) {
     321    if (ok_chars != NULL) {
    322322        ok_chars_copy = BUF_strdup(ok_chars);
    323323        if (ok_chars_copy == NULL) {
     
    327327    }
    328328
    329     if (cancel_chars) {
     329    if (cancel_chars != NULL) {
    330330        cancel_chars_copy = BUF_strdup(cancel_chars);
    331331        if (cancel_chars_copy == NULL) {
     
    360360    char *text_copy = NULL;
    361361
    362     if (text) {
     362    if (text != NULL) {
    363363        text_copy = BUF_strdup(text);
    364364        if (text_copy == NULL) {
     
    382382    char *text_copy = NULL;
    383383
    384     if (text) {
     384    if (text != NULL) {
    385385        text_copy = BUF_strdup(text);
    386386        if (text_copy == NULL) {
     
    398398    char *prompt = NULL;
    399399
    400     if (ui->meth->ui_construct_prompt)
     400    if (ui->meth->ui_construct_prompt != NULL)
    401401        prompt = ui->meth->ui_construct_prompt(ui, object_desc, object_name);
    402402    else {
     
    409409            return NULL;
    410410        len = sizeof(prompt1) - 1 + strlen(object_desc);
    411         if (object_name)
     411        if (object_name != NULL)
    412412            len += sizeof(prompt2) - 1 + strlen(object_name);
    413413        len += sizeof(prompt3) - 1;
     
    418418        BUF_strlcpy(prompt, prompt1, len + 1);
    419419        BUF_strlcat(prompt, object_desc, len + 1);
    420         if (object_name) {
     420        if (object_name != NULL) {
    421421            BUF_strlcat(prompt, prompt2, len + 1);
    422422            BUF_strlcat(prompt, object_name, len + 1);
     
    460460    uis.out_string = str;
    461461
    462     if (ui->meth->ui_write_string && !ui->meth->ui_write_string(ui, &uis))
     462    if (ui->meth->ui_write_string != NULL
     463        && ui->meth->ui_write_string(ui, &uis) <= 0)
    463464        return -1;
    464465    return 0;
     
    469470    int i, ok = 0;
    470471
    471     if (ui->meth->ui_open_session && !ui->meth->ui_open_session(ui))
    472         return -1;
     472    if (ui->meth->ui_open_session != NULL
     473        && ui->meth->ui_open_session(ui) <= 0) {
     474        ok = -1;
     475        goto err;
     476    }
    473477
    474478    if (ui->flags & UI_FLAG_PRINT_ERRORS)
     
    477481
    478482    for (i = 0; i < sk_UI_STRING_num(ui->strings); i++) {
    479         if (ui->meth->ui_write_string
    480             && !ui->meth->ui_write_string(ui,
    481                                           sk_UI_STRING_value(ui->strings, i)))
     483        if (ui->meth->ui_write_string != NULL
     484            && (ui->meth->ui_write_string(ui,
     485                                          sk_UI_STRING_value(ui->strings, i))
     486                <= 0))
    482487        {
    483488            ok = -1;
     
    486491    }
    487492
    488     if (ui->meth->ui_flush)
     493    if (ui->meth->ui_flush != NULL)
    489494        switch (ui->meth->ui_flush(ui)) {
    490495        case -1:               /* Interrupt/Cancel/something... */
     
    500505
    501506    for (i = 0; i < sk_UI_STRING_num(ui->strings); i++) {
    502         if (ui->meth->ui_read_string) {
     507        if (ui->meth->ui_read_string != NULL) {
    503508            switch (ui->meth->ui_read_string(ui,
    504509                                             sk_UI_STRING_value(ui->strings,
     
    517522    }
    518523 err:
    519     if (ui->meth->ui_close_session && !ui->meth->ui_close_session(ui))
     524    if (ui->meth->ui_close_session != NULL
     525        && ui->meth->ui_close_session(ui) <= 0)
    520526        return -1;
    521527    return ok;
     
    613619int UI_method_set_opener(UI_METHOD *method, int (*opener) (UI *ui))
    614620{
    615     if (method) {
     621    if (method != NULL) {
    616622        method->ui_open_session = opener;
    617623        return 0;
    618     } else
    619         return -1;
     624    }
     625    return -1;
    620626}
    621627
     
    623629                         int (*writer) (UI *ui, UI_STRING *uis))
    624630{
    625     if (method) {
     631    if (method != NULL) {
    626632        method->ui_write_string = writer;
    627633        return 0;
    628     } else
    629         return -1;
     634    }
     635    return -1;
    630636}
    631637
    632638int UI_method_set_flusher(UI_METHOD *method, int (*flusher) (UI *ui))
    633639{
    634     if (method) {
     640    if (method != NULL) {
    635641        method->ui_flush = flusher;
    636642        return 0;
    637     } else
    638         return -1;
     643    }
     644    return -1;
    639645}
    640646
     
    642648                         int (*reader) (UI *ui, UI_STRING *uis))
    643649{
    644     if (method) {
     650    if (method != NULL) {
    645651        method->ui_read_string = reader;
    646652        return 0;
    647     } else
    648         return -1;
     653    }
     654    return -1;
    649655}
    650656
    651657int UI_method_set_closer(UI_METHOD *method, int (*closer) (UI *ui))
    652658{
    653     if (method) {
     659    if (method != NULL) {
    654660        method->ui_close_session = closer;
    655661        return 0;
    656     } else
    657         return -1;
     662    }
     663    return -1;
    658664}
    659665
     
    665671                                                                  *object_name))
    666672{
    667     if (method) {
     673    if (method != NULL) {
    668674        method->ui_construct_prompt = prompt_constructor;
    669675        return 0;
    670     } else
    671         return -1;
    672 }
    673 
    674 int (*UI_method_get_opener(UI_METHOD *method)) (UI *) {
    675     if (method)
     676    }
     677    return -1;
     678}
     679
     680int (*UI_method_get_opener(UI_METHOD *method)) (UI *)
     681{
     682    if (method != NULL)
    676683        return method->ui_open_session;
    677     else
    678         return NULL;
    679 }
    680 
    681 int (*UI_method_get_writer(UI_METHOD *method)) (UI *, UI_STRING *) {
    682     if (method)
     684    return NULL;
     685}
     686
     687int (*UI_method_get_writer(UI_METHOD *method)) (UI *, UI_STRING *)
     688{
     689    if (method != NULL)
    683690        return method->ui_write_string;
    684     else
    685         return NULL;
    686 }
    687 
    688 int (*UI_method_get_flusher(UI_METHOD *method)) (UI *) {
    689     if (method)
     691    return NULL;
     692}
     693
     694int (*UI_method_get_flusher(UI_METHOD *method)) (UI *)
     695{
     696    if (method != NULL)
    690697        return method->ui_flush;
    691     else
    692         return NULL;
    693 }
    694 
    695 int (*UI_method_get_reader(UI_METHOD *method)) (UI *, UI_STRING *) {
    696     if (method)
     698    return NULL;
     699}
     700
     701int (*UI_method_get_reader(UI_METHOD *method)) (UI *, UI_STRING *)
     702{
     703    if (method != NULL)
    697704        return method->ui_read_string;
    698     else
    699         return NULL;
    700 }
    701 
    702 int (*UI_method_get_closer(UI_METHOD *method)) (UI *) {
    703     if (method)
     705    return NULL;
     706}
     707
     708int (*UI_method_get_closer(UI_METHOD *method)) (UI *)
     709{
     710    if (method != NULL)
    704711        return method->ui_close_session;
    705     else
    706         return NULL;
     712    return NULL;
    707713}
    708714
    709715char *(*UI_method_get_prompt_constructor(UI_METHOD *method)) (UI *,
    710716                                                              const char *,
    711                                                               const char *) {
    712     if (method)
     717                                                              const char *)
     718{
     719    if (method != NULL)
    713720        return method->ui_construct_prompt;
    714     else
    715         return NULL;
     721    return NULL;
    716722}
    717723
  • src/router/openssl/crypto/ui/ui_openssl.c

    r30490 r31186  
    446446    p = fgets(result, maxsize, tty_in);
    447447# endif
    448     if (!p)
     448    if (p == NULL)
    449449        goto error;
    450450    if (feof(tty_in))
     
    515515        else
    516516# endif
     517# ifdef ENODEV
     518            /*
     519             * MacOS X returns ENODEV (Operation not supported by device),
     520             * which seems appropriate.
     521             */
     522        if (errno == ENODEV)
     523            is_a_tty = 0;
     524        else
     525# endif
    517526            return 0;
    518527    }
     
    520529#ifdef OPENSSL_SYS_VMS
    521530    status = sys$assign(&terminal, &channel, 0, 0);
     531
     532    /* if there isn't a TT device, something is very wrong */
    522533    if (status != SS$_NORMAL)
    523534        return 0;
    524     status =
    525         sys$qiow(0, channel, IO$_SENSEMODE, &iosb, 0, 0, tty_orig, 12, 0, 0,
    526                  0, 0);
     535
     536    status = sys$qiow(0, channel, IO$_SENSEMODE, &iosb, 0, 0, tty_orig, 12,
     537                      0, 0, 0, 0);
     538
     539    /* If IO$_SENSEMODE doesn't work, this is not a terminal device */
    527540    if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
    528         return 0;
     541        is_a_tty = 0;
    529542#endif
    530543    return 1;
     
    543556#endif
    544557#ifdef OPENSSL_SYS_VMS
    545     tty_new[0] = tty_orig[0];
    546     tty_new[1] = tty_orig[1] | TT$M_NOECHO;
    547     tty_new[2] = tty_orig[2];
    548     status =
    549         sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12, 0, 0, 0,
    550                  0);
    551     if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
    552         return 0;
     558    if (is_a_tty) {
     559        tty_new[0] = tty_orig[0];
     560        tty_new[1] = tty_orig[1] | TT$M_NOECHO;
     561        tty_new[2] = tty_orig[2];
     562        status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12,
     563                          0, 0, 0, 0);
     564        if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
     565            return 0;
     566    }
    553567#endif
    554568    return 1;
     
    567581#endif
    568582#ifdef OPENSSL_SYS_VMS
    569     tty_new[0] = tty_orig[0];
    570     tty_new[1] = tty_orig[1] & ~TT$M_NOECHO;
    571     tty_new[2] = tty_orig[2];
    572     status =
    573         sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12, 0, 0, 0,
    574                  0);
    575     if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
    576         return 0;
     583    if (is_a_tty) {
     584        tty_new[0] = tty_orig[0];
     585        tty_new[1] = tty_orig[1] & ~TT$M_NOECHO;
     586        tty_new[2] = tty_orig[2];
     587        status = sys$qiow(0, channel, IO$_SETMODE, &iosb, 0, 0, tty_new, 12,
     588                          0, 0, 0, 0);
     589        if ((status != SS$_NORMAL) || (iosb.iosb$w_value != SS$_NORMAL))
     590            return 0;
     591    }
    577592#endif
    578593    return 1;
     
    587602#ifdef OPENSSL_SYS_VMS
    588603    status = sys$dassgn(channel);
     604    if (status != SS$_NORMAL)
     605        return 0;
    589606#endif
    590607    CRYPTO_w_unlock(CRYPTO_LOCK_UI);
  • src/router/openssl/demos/easy_tls/easy-tls.c

    r30490 r31186  
    323323        n = (sizeof errbuf) - errbuf_i;
    324324        r = vsnprintf(errbuf + errbuf_i, n, fmt, args);
     325        va_end(args);
    325326        if (r >= n)
    326327            r = n - 1;
  • src/router/openssl/doc/apps/ocsp.pod

    r30490 r31186  
    2727[B<-url URL>]
    2828[B<-host host:n>]
     29[B<-header name value>]
    2930[B<-path>]
    3031[B<-CApath dir>]
     
    136137or "/" by default.
    137138
     139=item B<-header name value>
     140
     141If sending a request to an OCSP server, then the specified header name and
     142value are added to the HTTP request.  Note that the B<name> and B<value> must
     143be specified as two separate parameters, not as a single quoted string, and
     144that the header name does not have the trailing colon.
     145Some OCSP responders require a Host header; use this flag to provide it.
     146
    138147=item B<-timeout seconds>
    139148
  • src/router/openssl/doc/crypto/EVP_DigestSignInit.pod

    r30490 r31186  
    1111 int EVP_DigestSignInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
    1212                        const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
    13  int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
     13 int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
    1414 int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen);
    1515
  • src/router/openssl/doc/crypto/EVP_DigestVerifyInit.pod

    r30490 r31186  
    1111 int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
    1212                        const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
    13  int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt);
     13 int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt);
    1414 int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen);
    1515
  • src/router/openssl/doc/crypto/RSA_generate_key.pod

    r30490 r31186  
    5353
    5454RSA_generate_key is deprecated (new applications should use
    55 RSA_generate_key_ex instead). RSA_generate_key works in the same was as
     55RSA_generate_key_ex instead). RSA_generate_key works in the same way as
    5656RSA_generate_key_ex except it uses "old style" call backs. See
    5757L<BN_generate_prime(3)|BN_generate_prime(3)> for further details.
  • src/router/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod

    r30490 r31186  
    8484Process all commonName entries:
    8585
    86  int loc;
     86 int lastpos = -1;
    8787 X509_NAME_ENTRY *e;
    8888
    89  loc = -1;
    9089 for (;;)
    9190        {
  • src/router/openssl/doc/crypto/X509_NAME_print_ex.pod

    r30490 r31186  
    2424written to FILE pointer B<fp>.
    2525
    26 X509_NAME_oneline() prints an ASCII version of B<a> to B<buf>. At most B<size>
    27 bytes will be written. If B<buf> is B<NULL> then a buffer is dynamically allocated
    28 and returned, otherwise B<buf> is returned.
     26X509_NAME_oneline() prints an ASCII version of B<a> to B<buf>.
     27If B<buf> is B<NULL> then a buffer is dynamically allocated and returned, and
     28B<size> is ignored.
     29Otherwise, at most B<size> bytes will be written, including the ending '\0',
     30and B<buf> is returned.
    2931
    3032X509_NAME_print() prints out B<name> to B<bp> indenting each line by B<obase>
  • src/router/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod

    r30490 r31186  
    3131session).
    3232
    33 A server will lookup up the session in its internal session storage. If the
     33A server will look up the session in its internal session storage. If the
    3434session is not found in internal storage or lookups for the internal storage
    3535have been deactivated (SSL_SESS_CACHE_NO_INTERNAL_LOOKUP), the server will try
  • src/router/openssl/doc/ssl/SSL_get_error.pod

    r30490 r31186  
    3939=item SSL_ERROR_ZERO_RETURN
    4040
    41 The TLS/SSL connection has been closed.  If the protocol version is SSL 3.0
    42 or TLS 1.0, this result code is returned only if a closure
    43 alert has occurred in the protocol, i.e. if the connection has been
    44 closed cleanly. Note that in this case B<SSL_ERROR_ZERO_RETURN>
    45 does not necessarily indicate that the underlying transport
    46 has been closed.
     41The TLS/SSL connection has been closed.
     42If the protocol version is SSL 3.0 or higher, this result code is returned only
     43if a closure alert has occurred in the protocol, i.e. if the connection has been
     44closed cleanly.
     45Note that in this case B<SSL_ERROR_ZERO_RETURN> does not necessarily
     46indicate that the underlying transport has been closed.
     47
    4748
    4849=item SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE
     
    9091=item SSL_ERROR_SYSCALL
    9192
    92 Some I/O error occurred.  The OpenSSL error queue may contain more
    93 information on the error.  If the error queue is empty
    94 (i.e. ERR_get_error() returns 0), B<ret> can be used to find out more
    95 about the error: If B<ret == 0>, an EOF was observed that violates
    96 the protocol.  If B<ret == -1>, the underlying B<BIO> reported an
    97 I/O error (for socket I/O on Unix systems, consult B<errno> for details).
     93Some non-recoverable I/O error occurred.
     94The OpenSSL error queue may contain more information on the error.
     95For socket I/O on Unix systems, consult B<errno> for details.
    9896
    9997=item SSL_ERROR_SSL
  • src/router/openssl/doc/ssl/SSL_read.pod

    r30490 r31186  
    8282=over 4
    8383
    84 =item E<gt>0
     84=item E<gt> 0
    8585
    86 The read operation was successful; the return value is the number of
    87 bytes actually read from the TLS/SSL connection.
     86The read operation was successful.
     87The return value is the number of bytes actually read from the TLS/SSL
     88connection.
    8889
    89 =item Z<>0
     90=item Z<><= 0
    9091
    91 The read operation was not successful. The reason may either be a clean
    92 shutdown due to a "close notify" alert sent by the peer (in which case
    93 the SSL_RECEIVED_SHUTDOWN flag in the ssl shutdown state is set
    94 (see L<SSL_shutdown(3)|SSL_shutdown(3)>,
    95 L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>). It is also possible, that
    96 the peer simply shut down the underlying transport and the shutdown is
    97 incomplete. Call SSL_get_error() with the return value B<ret> to find out,
    98 whether an error occurred or the connection was shut down cleanly
    99 (SSL_ERROR_ZERO_RETURN).
     92
     93=item E<lt>0
     94
     95The read operation was not successful, because either the connection was closed,
     96an error occurred or action must be taken by the calling process.
     97Call L<SSL_get_error(3)> with the return value B<ret> to find out the reason.
    10098
    10199SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
     
    104102else.
    105103
    106 =item E<lt>0
    107 
    108 The read operation was not successful, because either an error occurred
    109 or action must be taken by the calling process. Call SSL_get_error() with the
    110 return value B<ret> to find out the reason.
     104Old documentation indicated a difference between 0 and -1, and that -1 was
     105retryable.
     106You should instead call SSL_get_error() to find out if it's retryable.
    111107
    112108=back
  • src/router/openssl/doc/ssl/SSL_write.pod

    r30490 r31186  
    7575=over 4
    7676
    77 =item E<gt>0
     77=item E<gt> 0
    7878
    7979The write operation was successful, the return value is the number of
    8080bytes actually written to the TLS/SSL connection.
    8181
    82 =item Z<>0
     82=item Z<><= 0
    8383
    84 The write operation was not successful. Probably the underlying connection
    85 was closed. Call SSL_get_error() with the return value B<ret> to find out,
    86 whether an error occurred or the connection was shut down cleanly
    87 (SSL_ERROR_ZERO_RETURN).
     84The write operation was not successful, because either the connection was
     85closed, an error occurred or action must be taken by the calling process.
     86Call SSL_get_error() with the return value B<ret> to find out the reason.
    8887
    8988SSLv2 (deprecated) does not support a shutdown alert protocol, so it can
     
    9190be checked, why the closure happened.
    9291
    93 =item E<lt>0
    94 
    95 The write operation was not successful, because either an error occurred
    96 or action must be taken by the calling process. Call SSL_get_error() with the
    97 return value B<ret> to find out the reason.
     92Old documentation indicated a difference between 0 and -1, and that -1 was
     93retryable.
     94You should instead call SSL_get_error() to find out if it's retryable.
    9895
    9996=back
  • src/router/openssl/engines/ccgost/Makefile

    r30490 r31186  
    3333                        LIBNAME=$(LIBNAME) \
    3434                        LIBEXTRAS='$(LIBOBJ)' \
    35                         LIBDEPS='-L$(TOP) -lcrypto' \
     35                        LIBDEPS='-L$(TOP) -lcrypto $(EX_LIBS)' \
    3636                        link_o.$(SHLIB_TARGET); \
    3737        else \
  • src/router/openssl/openssl.spec

    r30700 r31186  
    88Summary: Secure Sockets Layer and cryptography libraries and tools
    99Name: openssl
    10 Version: 1.0.2j
     10Version: 1.0.2k
    1111Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
    1212License: OpenSSL
  • src/router/openssl/ssl/bad_dtls_test.c

    r30693 r31186  
    757757    BIO *wbio;
    758758    BIO *err;
     759    time_t now = 0;
    759760    int testresult = 0;
    760761    int ret;
     
    774775    RAND_bytes(cookie, sizeof(cookie));
    775776    RAND_bytes(server_random + 4, sizeof(server_random) - 4);
    776     time((void *)server_random);
     777
     778    now = time(NULL);
     779    memcpy(server_random, &now, sizeof(now));
    777780
    778781    sess = client_session();
  • src/router/openssl/ssl/s23_pkt.c

    r30490 r31186  
    6464#include <openssl/buffer.h>
    6565
     66/*
     67 * Return values are as per SSL_write()
     68 */
    6669int ssl23_write_bytes(SSL *s)
    6770{
     
    7881            s->init_off = tot;
    7982            s->init_num = num;
    80             return (i);
     83            return i;
    8184        }
    8285        s->rwstate = SSL_NOTHING;
     
    8992}
    9093
    91 /* return regularly only when we have read (at least) 'n' bytes */
     94/* return regularly only when we have read (at least) 'n' bytes
     95 *
     96 * Return values are as per SSL_read()
     97 */
    9298int ssl23_read_bytes(SSL *s, int n)
    9399{
     
    103109                         n - s->packet_length);
    104110            if (j <= 0)
    105                 return (j);
     111                return j;
    106112            s->rwstate = SSL_NOTHING;
    107113            s->packet_length += j;
  • src/router/openssl/ssl/s2_lib.c

    r30490 r31186  
    255255     SSL_MD5,
    256256     SSL_SSLV2,
    257      SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
     257     SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
    258258     0,
    259259     112,
  • src/router/openssl/ssl/s2_pkt.c

    r30490 r31186  
    308308}
    309309
     310/*
     311 * Return values are as per SSL_read()
     312 */
    310313static int read_n(SSL *s, unsigned int n, unsigned int max,
    311314                  unsigned int extend)
     
    375378        if (i <= 0) {
    376379            s->s2->rbuf_left += newb;
    377             return (i);
     380            return i;
    378381        }
    379382        newb += i;
     
    442445}
    443446
     447/*
     448 * Return values are as per SSL_write()
     449 */
    444450static int write_pending(SSL *s, const unsigned char *buf, unsigned int len)
    445451{
     
    478484            return (s->s2->wpend_ret);
    479485        } else if (i <= 0)
    480             return (i);
     486            return i;
    481487        s->s2->wpend_off += i;
    482488        s->s2->wpend_len -= i;
  • src/router/openssl/ssl/s3_clnt.c

    r30692 r31186  
    17111711        p += i;
    17121712
    1713         if (BN_is_zero(dh->p)) {
    1714             SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE);
    1715             goto f_err;
    1716         }
    1717 
    1718 
    17191713        if (2 > n - param_len) {
    17201714            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
     
    17371731        p += i;
    17381732
    1739         if (BN_is_zero(dh->g)) {
    1740             SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
    1741             goto f_err;
    1742         }
    1743 
    17441733        if (2 > n - param_len) {
    17451734            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT);
     
    17661755            SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_PUB_KEY_VALUE);
    17671756            goto f_err;
     1757        }
     1758
     1759        /*-
     1760         * Check that p and g are suitable enough
     1761         *
     1762         * p is odd
     1763         * 1 < g < p - 1
     1764         */
     1765        {
     1766            BIGNUM *tmp = NULL;
     1767
     1768            if (!BN_is_odd(dh->p)) {
     1769                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE);
     1770                goto f_err;
     1771            }
     1772            if (BN_is_negative(dh->g) || BN_is_zero(dh->g)
     1773                || BN_is_one(dh->g)) {
     1774                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
     1775                goto f_err;
     1776            }
     1777            if ((tmp = BN_new()) == NULL
     1778                || BN_copy(tmp, dh->p) == NULL
     1779                || !BN_sub_word(tmp, 1)) {
     1780                BN_free(tmp);
     1781                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB);
     1782                goto err;
     1783            }
     1784            if (BN_cmp(dh->g, tmp) >= 0) {
     1785                BN_free(tmp);
     1786                SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE);
     1787                goto f_err;
     1788            }
     1789            BN_free(tmp);
    17681790        }
    17691791
  • src/router/openssl/ssl/s3_pkt.c

    r30692 r31186  
    137137static int ssl3_get_record(SSL *s);
    138138
     139/*
     140 * Return values are as per SSL_read()
     141 */
    139142int ssl3_read_n(SSL *s, int n, int max, int extend)
    140143{
     
    10831086}
    10841087
    1085 /* if s->s3->wbuf.left != 0, we need to call this */
     1088/* if s->s3->wbuf.left != 0, we need to call this
     1089 *
     1090 * Return values are as per SSL_write(), i.e.
     1091 */
    10861092int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
    10871093                       unsigned int len)
     
    11231129                wb->left = 0;
    11241130            }
    1125             return (i);
     1131            return i;
    11261132        }
    11271133        wb->offset += i;
     
    15941600    switch (rr->type) {
    15951601    default:
    1596 #ifndef OPENSSL_NO_TLS
    1597         /*
    1598          * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give
    1599          * an unexpected message alert.
    1600          */
    1601         if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) {
    1602             rr->length = 0;
    1603             goto start;
    1604         }
    1605 #endif
     1602        /*
     1603         * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but
     1604         * TLS 1.2 says you MUST send an unexpected message alert. We use the
     1605         * TLS 1.2 behaviour for all protocol versions to prevent issues where
     1606         * no progress is being made and the peer continually sends unrecognised
     1607         * record types, using up resources processing them.
     1608         */
    16061609        al = SSL_AD_UNEXPECTED_MESSAGE;
    16071610        SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
  • src/router/openssl/ssl/s3_srvr.c

    r30692 r31186  
    507507                    * during re-negotiation:
    508508                    */
    509                    ((s->session->peer != NULL) &&
     509                   (s->s3->tmp.finish_md_len != 0 &&
    510510                    (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
    511511                   /*
     
    14661466    /* Handles TLS extensions that we couldn't check earlier */
    14671467    if (s->version >= SSL3_VERSION) {
    1468         if (ssl_check_clienthello_tlsext_late(s) <= 0) {
     1468        if (!ssl_check_clienthello_tlsext_late(s, &al)) {
    14691469            SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_CLIENTHELLO_TLSEXT);
    1470             goto err;
     1470            goto f_err;
    14711471        }
    14721472    }
     
    16021602#endif
    16031603#ifndef OPENSSL_NO_DH
     1604# ifdef OPENSSL_NO_RSA
     1605    int j;
     1606# endif
    16041607    DH *dh = NULL, *dhp;
    16051608#endif
     
    18631866            else
    18641867#endif
     1868#ifndef OPENSSL_NO_DH
     1869            /*
     1870             * for interoperability with some versions of the Microsoft TLS
     1871             * stack, we need to zero pad the DHE pub key to the same length
     1872             * as the prime, so use the length of the prime here
     1873             */
     1874            if ((i == 2) && (type & (SSL_kEDH)))
     1875                n += 2 + nr[0];
     1876            else
     1877#endif
    18651878                n += 2 + nr[i];
    18661879        }
     
    18951908                *p = nr[i];
    18961909                p++;
     1910            } else
     1911#endif
     1912#ifndef OPENSSL_NO_DH
     1913            /*
     1914             * for interoperability with some versions of the Microsoft TLS
     1915             * stack, we need to zero pad the DHE pub key to the same length
     1916             * as the prime
     1917             */
     1918            if ((i == 2) && (type & (SSL_kEDH))) {
     1919                s2n(nr[0], p);
     1920                for (j = 0; j < (nr[0] - nr[2]); ++j) {
     1921                    *p = 0;
     1922                    ++p;
     1923                }
    18971924            } else
    18981925#endif
  • src/router/openssl/ssl/ssl_cert.c

    r30490 r31186  
    316316            if (ret->pkeys[i].serverinfo == NULL) {
    317317                SSLerr(SSL_F_SSL_CERT_DUP, ERR_R_MALLOC_FAILURE);
    318                 return NULL;
     318                goto err;
    319319            }
    320320            ret->pkeys[i].serverinfo_length =
     
    393393    return (ret);
    394394
    395 #if !defined(OPENSSL_NO_DH) || !defined(OPENSSL_NO_ECDH)
    396395 err:
    397 #endif
    398396#ifndef OPENSSL_NO_RSA
    399397    if (ret->rsa_tmp != NULL)
  • src/router/openssl/ssl/ssl_err.c

    r30692 r31186  
    754754    {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),
    755755     "tls invalid ecpointformat list"},
     756    {ERR_REASON(SSL_R_TOO_MANY_WARN_ALERTS), "too many warn alerts"},
    756757    {ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),
    757758     "tls peer did not respond with certificate list"},
  • src/router/openssl/ssl/ssl_lib.c

    r30692 r31186  
    20312031    ret->rbuf_freelist->head = NULL;
    20322032    ret->wbuf_freelist = OPENSSL_malloc(sizeof(SSL3_BUF_FREELIST));
    2033     if (!ret->wbuf_freelist) {
    2034         OPENSSL_free(ret->rbuf_freelist);
     2033    if (!ret->wbuf_freelist)
    20352034        goto err;
    2036     }
    20372035    ret->wbuf_freelist->chunklen = 0;
    20382036    ret->wbuf_freelist->len = 0;
  • src/router/openssl/ssl/ssl_locl.h

    r30692 r31186  
    13851385                                 unsigned char *limit);
    13861386int tls1_set_server_sigalgs(SSL *s);
    1387 int ssl_check_clienthello_tlsext_late(SSL *s);
     1387int ssl_check_clienthello_tlsext_late(SSL *s, int *al);
    13881388int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data,
    13891389                                 unsigned char *d, int n);
  • src/router/openssl/ssl/ssl_sess.c

    r30692 r31186  
    770770         */
    771771        s = NULL;
     772    } else if (s == NULL &&
     773               lh_SSL_SESSION_retrieve(ctx->sessions, c) == NULL) {
     774        /* s == NULL can also mean OOM error in lh_SSL_SESSION_insert ... */
     775
     776        /*
     777         * ... so take back the extra reference and also don't add
     778         * the session to the SSL_SESSION_list at this time
     779         */
     780        s = c;
    772781    }
    773782
  • src/router/openssl/ssl/t1_lib.c

    r30692 r31186  
    133133#endif
    134134
     135#define CHECKLEN(curr, val, limit) \
     136    (((curr) >= (limit)) || (size_t)((limit) - (curr)) < (size_t)(val))
     137
    135138SSL3_ENC_METHOD TLSv1_enc_data = {
    136139    tls1_enc,
     
    12641267    if (s->tlsext_hostname != NULL) {
    12651268        /* Add TLS extension servername to the Client Hello message */
    1266         unsigned long size_str;
    1267         long lenmax;
     1269        size_t size_str;
    12681270
    12691271        /*-
     
    12751277         * + hostname length
    12761278         */
    1277 
    1278         if ((lenmax = limit - ret - 9) < 0
    1279             || (size_str =
    1280                 strlen(s->tlsext_hostname)) > (unsigned long)lenmax)
     1279        size_str = strlen(s->tlsext_hostname);
     1280        if (CHECKLEN(ret, 9 + size_str, limit))
    12811281            return NULL;
    12821282
     
    13221322                                     * Client Hello message */
    13231323
    1324         int login_len = strlen(s->srp_ctx.login);
     1324        size_t login_len = strlen(s->srp_ctx.login);
    13251325        if (login_len > 255 || login_len == 0) {
    13261326            SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
     
    13341334         * + srp user identity length
    13351335         */
    1336         if ((limit - ret - 5 - login_len) < 0)
     1336        if (CHECKLEN(ret, 5 + login_len, limit))
    13371337            return NULL;
    13381338
     
    13511351         * Add TLS extension ECPointFormats to the ClientHello message
    13521352         */
    1353         long lenmax;
    13541353        const unsigned char *pcurves, *pformats;
    13551354        size_t num_curves, num_formats, curves_list_len;
     
    13571356        tls1_get_formatlist(s, &pformats, &num_formats);
    13581357
    1359         if ((lenmax = limit - ret - 5) < 0)
    1360             return NULL;
    1361         if (num_formats > (size_t)lenmax)
    1362             return NULL;
    13631358        if (num_formats > 255) {
    13641359            SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    13651360            return NULL;
    13661361        }
     1362        /*-
     1363         * check for enough space.
     1364         * 4 bytes for the ec point formats type and extension length
     1365         * 1 byte for the length of the formats
     1366         * + formats length
     1367         */
     1368        if (CHECKLEN(ret, 5 + num_formats, limit))
     1369            return NULL;
    13671370
    13681371        s2n(TLSEXT_TYPE_ec_point_formats, ret);
     
    13801383            return NULL;
    13811384
    1382         if ((lenmax = limit - ret - 6) < 0)
    1383             return NULL;
    1384         if (num_curves > (size_t)lenmax / 2)
    1385             return NULL;
    13861385        if (num_curves > 65532 / 2) {
    13871386            SSLerr(SSL_F_SSL_ADD_CLIENTHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
     
    13891388        }
    13901389        curves_list_len = 2 * num_curves;
     1390        /*-
     1391         * check for enough space.
     1392         * 4 bytes for the ec curves type and extension length
     1393         * 2 bytes for the curve list length
     1394         * + curve list length
     1395         */
     1396        if (CHECKLEN(ret, 6 + curves_list_len, limit))
     1397            return NULL;
     1398
    13911399        s2n(TLSEXT_TYPE_elliptic_curves, ret);
    13921400        s2n(curves_list_len + 2, ret);
     
    13981406
    13991407    if (!(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
    1400         int ticklen;
     1408        size_t ticklen;
    14011409        if (!s->new_session && s->session && s->session->tlsext_tick)
    14021410            ticklen = s->session->tlsext_ticklen;
     
    14191427         * ticket
    14201428         */
    1421         if ((long)(limit - ret - 4 - ticklen) < 0)
     1429        if (CHECKLEN(ret, 4 + ticklen, limit))
    14221430            return NULL;
    14231431        s2n(TLSEXT_TYPE_session_ticket, ret);
    14241432        s2n(ticklen, ret);
    1425         if (ticklen) {
     1433        if (ticklen > 0) {
    14261434            memcpy(ret, s->session->tlsext_tick, ticklen);
    14271435            ret += ticklen;
     
    14341442        const unsigned char *salg;
    14351443        salglen = tls12_get_psigalgs(s, &salg);
    1436         if ((size_t)(limit - ret) < salglen + 6)
     1444
     1445        /*-
     1446         * check for enough space.
     1447         * 4 bytes for the sigalgs type and extension length
     1448         * 2 bytes for the sigalg list length
     1449         * + sigalg list length
     1450         */
     1451        if (CHECKLEN(ret, salglen + 6, limit))
    14371452            return NULL;
    14381453        s2n(TLSEXT_TYPE_signature_algorithms, ret);
     
    14611476    if (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp) {
    14621477        int i;
    1463         long extlen, idlen, itmp;
     1478        size_t extlen, idlen;
     1479        int lentmp;
    14641480        OCSP_RESPID *id;
    14651481
     
    14671483        for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
    14681484            id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
    1469             itmp = i2d_OCSP_RESPID(id, NULL);
    1470             if (itmp <= 0)
     1485            lentmp = i2d_OCSP_RESPID(id, NULL);
     1486            if (lentmp <= 0)
    14711487                return NULL;
    1472             idlen += itmp + 2;
     1488            idlen += (size_t)lentmp + 2;
    14731489        }
    14741490
    14751491        if (s->tlsext_ocsp_exts) {
    1476             extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
    1477             if (extlen < 0)
     1492            lentmp = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
     1493            if (lentmp < 0)
    14781494                return NULL;
     1495            extlen = (size_t)lentmp;
    14791496        } else
    14801497            extlen = 0;
    14811498
    1482         if ((long)(limit - ret - 7 - extlen - idlen) < 0)
    1483             return NULL;
    1484         s2n(TLSEXT_TYPE_status_request, ret);
    14851499        if (extlen + idlen > 0xFFF0)
    14861500            return NULL;
     1501        /*
     1502         * 2 bytes for status request type
     1503         * 2 bytes for status request len
     1504         * 1 byte for OCSP request type
     1505         * 2 bytes for length of ids
     1506         * 2 bytes for length of extensions
     1507         * + length of ids
     1508         * + length of extensions
     1509         */
     1510        if (CHECKLEN(ret, 9 + idlen + extlen, limit))
     1511            return NULL;
     1512
     1513        s2n(TLSEXT_TYPE_status_request, ret);
    14871514        s2n(extlen + idlen + 5, ret);
    14881515        *(ret++) = TLSEXT_STATUSTYPE_ocsp;
     
    14941521            /* skip over id len */
    14951522            ret += 2;
    1496             itmp = i2d_OCSP_RESPID(id, &ret);
     1523            lentmp = i2d_OCSP_RESPID(id, &ret);
    14971524            /* write id len */
    1498             s2n(itmp, q);
     1525            s2n(lentmp, q);
    14991526        }
    15001527        s2n(extlen, ret);
     
    15041531# ifndef OPENSSL_NO_HEARTBEATS
    15051532    /* Add Heartbeat extension */
    1506     if ((limit - ret - 4 - 1) < 0)
     1533
     1534    /*-
     1535     * check for enough space.
     1536     * 4 bytes for the heartbeat ext type and extension length
     1537     * 1 byte for the mode
     1538     */
     1539    if (CHECKLEN(ret, 5, limit))
    15071540        return NULL;
     1541
    15081542    s2n(TLSEXT_TYPE_heartbeat, ret);
    15091543    s2n(1, ret);
     
    15251559         * for Next Protocol Negotiation
    15261560         */
    1527         if (limit - ret - 4 < 0)
     1561
     1562        /*-
     1563         * check for enough space.
     1564         * 4 bytes for the NPN ext type and extension length
     1565         */
     1566        if (CHECKLEN(ret, 4, limit))
    15281567            return NULL;
    15291568        s2n(TLSEXT_TYPE_next_proto_neg, ret);
     
    15331572
    15341573    if (s->alpn_client_proto_list && !s->s3->tmp.finish_md_len) {
    1535         if ((size_t)(limit - ret) < 6 + s->alpn_client_proto_list_len)
     1574        /*-
     1575         * check for enough space.
     1576         * 4 bytes for the ALPN type and extension length
     1577         * 2 bytes for the ALPN protocol list length
     1578         * + ALPN protocol list length
     1579         */
     1580        if (CHECKLEN(ret, 6 + s->alpn_client_proto_list_len, limit))
    15361581            return NULL;
    15371582        s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
     
    15481593        ssl_add_clienthello_use_srtp_ext(s, 0, &el, 0);
    15491594
    1550         if ((limit - ret - 4 - el) < 0)
     1595        /*-
     1596         * check for enough space.
     1597         * 4 bytes for the SRTP type and extension length
     1598         * + SRTP profiles length
     1599         */
     1600        if (CHECKLEN(ret, 4 + el, limit))
    15511601            return NULL;
    15521602
     
    15881638                hlen = 0;
    15891639
     1640            /*-
     1641             * check for enough space. Strictly speaking we know we've already
     1642             * got enough space because to get here the message size is < 0x200,
     1643             * but we know that we've allocated far more than that in the buffer
     1644             * - but for consistency and robustness we're going to check anyway.
     1645             *
     1646             * 4 bytes for the padding type and extension length
     1647             * + padding length
     1648             */
     1649            if (CHECKLEN(ret, 4 + hlen, limit))
     1650                return NULL;
    15901651            s2n(TLSEXT_TYPE_padding, ret);
    15911652            s2n(hlen, ret);
     
    16451706        }
    16461707
    1647         if ((limit - ret - 4 - el) < 0)
     1708        /*-
     1709         * check for enough space.
     1710         * 4 bytes for the reneg type and extension length
     1711         * + reneg data length
     1712         */
     1713        if (CHECKLEN(ret, 4 + el, limit))
    16481714            return NULL;
    16491715
     
    16651731         * Add TLS extension ECPointFormats to the ServerHello message
    16661732         */
    1667         long lenmax;
    16681733
    16691734        tls1_get_formatlist(s, &plist, &plistlen);
    16701735
    1671         if ((lenmax = limit - ret - 5) < 0)
    1672             return NULL;
    1673         if (plistlen > (size_t)lenmax)
    1674             return NULL;
    16751736        if (plistlen > 255) {
    16761737            SSLerr(SSL_F_SSL_ADD_SERVERHELLO_TLSEXT, ERR_R_INTERNAL_ERROR);
    16771738            return NULL;
    16781739        }
     1740
     1741        /*-
     1742         * check for enough space.
     1743         * 4 bytes for the ec points format type and extension length
     1744         * 1 byte for the points format list length
     1745         * + length of points format list
     1746         */
     1747        if (CHECKLEN(ret, 5 + plistlen, limit))
     1748            return NULL;
    16791749
    16801750        s2n(TLSEXT_TYPE_ec_point_formats, ret);
     
    16921762
    16931763    if (s->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)) {
    1694         if ((long)(limit - ret - 4) < 0)
     1764        /*-
     1765         * check for enough space.
     1766         * 4 bytes for the Ticket type and extension length
     1767         */
     1768        if (CHECKLEN(ret, 4, limit))
    16951769            return NULL;
    16961770        s2n(TLSEXT_TYPE_session_ticket, ret);
     
    16991773
    17001774    if (s->tlsext_status_expected) {
    1701         if ((long)(limit - ret - 4) < 0)
     1775        /*-
     1776         * check for enough space.
     1777         * 4 bytes for the Status request type and extension length
     1778         */
     1779        if (CHECKLEN(ret, 4, limit))
    17021780            return NULL;
    17031781        s2n(TLSEXT_TYPE_status_request, ret);
     
    17271805        ssl_add_serverhello_use_srtp_ext(s, 0, &el, 0);
    17281806
    1729         if ((limit - ret - 4 - el) < 0)
     1807        /*-
     1808         * check for enough space.
     1809         * 4 bytes for the SRTP profiles type and extension length
     1810         * + length of the SRTP profiles list
     1811         */
     1812        if (CHECKLEN(ret, 4 + el, limit))
    17301813            return NULL;
    17311814
     
    17521835            0x06, 0x06, 0x2a, 0x85, 0x03, 0x02, 0x02, 0x17
    17531836        };
    1754         if (limit - ret < 36)
     1837
     1838        /* check for enough space. */
     1839        if (CHECKLEN(ret, sizeof(cryptopro_ext), limit))
    17551840            return NULL;
    1756         memcpy(ret, cryptopro_ext, 36);
    1757         ret += 36;
     1841        memcpy(ret, cryptopro_ext, sizeof(cryptopro_ext));
     1842        ret += sizeof(cryptopro_ext);
    17581843
    17591844    }
     
    17611846    /* Add Heartbeat extension if we've received one */
    17621847    if (s->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED) {
    1763         if ((limit - ret - 4 - 1) < 0)
     1848        /*-
     1849         * check for enough space.
     1850         * 4 bytes for the Heartbeat type and extension length
     1851         * 1 byte for the mode
     1852         */
     1853        if (CHECKLEN(ret, 5, limit))
    17641854            return NULL;
    17651855        s2n(TLSEXT_TYPE_heartbeat, ret);
     
    17901880                                              ctx->next_protos_advertised_cb_arg);
    17911881        if (r == SSL_TLSEXT_ERR_OK) {
    1792             if ((long)(limit - ret - 4 - npalen) < 0)
     1882            /*-
     1883             * check for enough space.
     1884             * 4 bytes for the NPN type and extension length
     1885             * + length of protocols list
     1886             */
     1887            if (CHECKLEN(ret, 4 + npalen, limit))
    17931888                return NULL;
    17941889            s2n(TLSEXT_TYPE_next_proto_neg, ret);
     
    18051900    if (s->s3->alpn_selected) {
    18061901        const unsigned char *selected = s->s3->alpn_selected;
    1807         unsigned len = s->s3->alpn_selected_len;
    1808 
    1809         if ((long)(limit - ret - 4 - 2 - 1 - len) < 0)
     1902        size_t len = s->s3->alpn_selected_len;
     1903
     1904        /*-
     1905         * check for enough space.
     1906         * 4 bytes for the ALPN type and extension length
     1907         * 2 bytes for ALPN data length
     1908         * 1 byte for selected protocol length
     1909         * + length of the selected protocol
     1910         */
     1911        if (CHECKLEN(ret, 7 + len, limit))
    18101912            return NULL;
    18111913        s2n(TLSEXT_TYPE_application_layer_protocol_negotiation, ret);
     
    19672069/*
    19682070 * Process the ALPN extension in a ClientHello.
    1969  * ret: a pointer to the TLSEXT return value: SSL_TLSEXT_ERR_*
    19702071 * al: a pointer to the alert value to send in the event of a failure.
    1971  * returns 1 on success, 0 on failure: al/ret set only on failure
     2072 * returns 1 on success, 0 on failure: al set only on failure
    19722073 */
    1973 static int tls1_alpn_handle_client_hello_late(SSL *s, int *ret, int *al)
     2074static int tls1_alpn_handle_client_hello_late(SSL *s, int *al)
    19742075{
    19752076    const unsigned char *selected = NULL;
     
    19872088            if (s->s3->alpn_selected == NULL) {
    19882089                *al = SSL_AD_INTERNAL_ERROR;
    1989                 *ret = SSL_TLSEXT_ERR_ALERT_FATAL;
    19902090                return 0;
    19912091            }
     
    30653165}
    30663166
    3067 int ssl_check_clienthello_tlsext_late(SSL *s)
    3068 {
    3069     int ret = SSL_TLSEXT_ERR_OK;
    3070     int al;
     3167/*
     3168 * Upon success, returns 1.
     3169 * Upon failure, returns 0 and sets |al| to the appropriate fatal alert.
     3170 */
     3171int ssl_check_clienthello_tlsext_late(SSL *s, int *al)
     3172{
    30713173
    30723174    /*
     
    30773179     */
    30783180    if ((s->tlsext_status_type != -1) && s->ctx && s->ctx->tlsext_status_cb) {
    3079         int r;
     3181        int ret;
    30803182        CERT_PKEY *certpkey;
    30813183        certpkey = ssl_get_server_send_pkey(s);
    30823184        /* If no certificate can't return certificate status */
    3083         if (certpkey == NULL) {
    3084             s->tlsext_status_expected = 0;
    3085             return 1;
    3086         }
    3087         /*
    3088          * Set current certificate to one we will use so SSL_get_certificate
    3089          * et al can pick it up.
    3090          */
    3091         s->cert->key = certpkey;
    3092         r = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
    3093         switch (r) {
    3094             /* We don't want to send a status request response */
    3095         case SSL_TLSEXT_ERR_NOACK:
    3096             s->tlsext_status_expected = 0;
    3097             break;
    3098             /* status request response should be sent */
    3099         case SSL_TLSEXT_ERR_OK:
    3100             if (s->tlsext_ocsp_resp)
    3101                 s->tlsext_status_expected = 1;
    3102             else
     3185        if (certpkey != NULL) {
     3186            /*
     3187             * Set current certificate to one we will use so SSL_get_certificate
     3188             * et al can pick it up.
     3189             */
     3190            s->cert->key = certpkey;
     3191            ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
     3192            switch (ret) {
     3193                /* We don't want to send a status request response */
     3194            case SSL_TLSEXT_ERR_NOACK:
    31033195                s->tlsext_status_expected = 0;
    3104             break;
    3105             /* something bad happened */
    3106         case SSL_TLSEXT_ERR_ALERT_FATAL:
    3107             ret = SSL_TLSEXT_ERR_ALERT_FATAL;
    3108             al = SSL_AD_INTERNAL_ERROR;
    3109             goto err;
    3110         }
    3111     } else
    3112         s->tlsext_status_expected = 0;
    3113 
    3114     if (!tls1_alpn_handle_client_hello_late(s, &ret, &al)) {
    3115         goto err;
    3116     }
    3117 
    3118  err:
    3119     switch (ret) {
    3120     case SSL_TLSEXT_ERR_ALERT_FATAL:
    3121         ssl3_send_alert(s, SSL3_AL_FATAL, al);
    3122         return -1;
    3123 
    3124     case SSL_TLSEXT_ERR_ALERT_WARNING:
    3125         ssl3_send_alert(s, SSL3_AL_WARNING, al);
    3126         return 1;
    3127 
    3128     default:
    3129         return 1;
    3130     }
     3196                break;
     3197                /* status request response should be sent */
     3198            case SSL_TLSEXT_ERR_OK:
     3199                if (s->tlsext_ocsp_resp)
     3200                    s->tlsext_status_expected = 1;
     3201                break;
     3202                /* something bad happened */
     3203            case SSL_TLSEXT_ERR_ALERT_FATAL:
     3204            default:
     3205                *al = SSL_AD_INTERNAL_ERROR;
     3206                return 0;
     3207            }
     3208        }
     3209    }
     3210
     3211    if (!tls1_alpn_handle_client_hello_late(s, al)) {
     3212        return 0;
     3213    }
     3214
     3215    return 1;
    31313216}
    31323217
  • src/router/openssl/util/domd

    r30490 r31186  
    1212if [ "$MAKEDEPEND" = "" ]; then MAKEDEPEND=makedepend; fi
    1313
    14 cp Makefile Makefile.save
     14# Preserve Makefile timestamp by moving instead of copying (cp -p is GNU only)
     15mv Makefile Makefile.save
     16cp Makefile.save Makefile
    1517# fake the presence of Kerberos
    1618touch $TOP/krb5.h
     
    3335    RC=$?
    3436fi
    35 mv Makefile.new Makefile
     37if ! cmp -s Makefile.save Makefile.new; then
     38    mv Makefile.new Makefile
     39else
     40    mv Makefile.save Makefile
     41    rm -f Makefile.new
     42fi
    3643# unfake the presence of Kerberos
    3744rm $TOP/krb5.h
  • src/router/openssl/util/mklink.pl

    r30490 r31186  
    5656    my $err = "";
    5757    if ($symlink_exists) {
    58         unlink "$from/$file";
    59         symlink("$to/$file", "$from/$file") or $err = " [$!]";
    60     } else {
     58        if (!-l "$from/$file") {
     59            unlink "$from/$file";
     60            symlink("$to/$file", "$from/$file") or $err = " [$!]";
     61        }
     62    } elsif (-d "$from" && (!-f "$from/$file" || ((stat("$file"))[9] > (stat("$from/$file"))[9]))) {
    6163        unlink "$from/$file";
    6264        open (OLD, "<$file") or die "Can't open $file: $!";
Note: See TracChangeset for help on using the changeset viewer.