Prepare for 0.9.8m release

there's no need to specify that directory in the include path.

CHANGES

@@ -2,7 +2,27 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.8l and 0.9.8m [xx XXX xxxx]
+ Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
+
+  *) Always check bn_wexpend() return values for failure.  (CVE-2009-3245)
+     [Martin Olsson, Neel Mehta]
+
+  *) Fix X509_STORE locking: Every 'objs' access requires a lock (to
+     accommodate for stack sorting, always a write lock!).
+     [Bodo Moeller]
+
+  *) On some versions of WIN32 Heap32Next is very slow. This can cause
+     excessive delays in the RAND_poll(): over a minute. As a workaround
+     include a time check in the inner Heap32Next loop too.
+     [Steve Henson]
+
+  *) The code that handled flushing of data in SSL/TLS originally used the
+     BIO_CTRL_INFO ctrl to see if any data was pending first. This caused
+     the problem outlined in PR#1949. The fix suggested there however can
+     trigger problems with buggy BIO_CTRL_WPENDING (e.g. some versions
+     of Apache). So instead simplify the code to flush unconditionally.
+     This should be fine since flushing with no data to flush is a no op.
+     [Steve Henson]
 
   *) Handle TLS versions 2.0 and later properly and correctly use the
      highest version of TLS/SSL supported. Although TLS >= 2.0 is some way
@@ -11,7 +31,7 @@
 
   *) Modify compression code so it frees up structures without using the
      ex_data callbacks. This works around a problem where some applications
-     call CRYPTO_free_all_ex_data() before application exit (e.g. when
+     call CRYPTO_cleanup_all_ex_data() before application exit (e.g. when
      restarting) then use compression (e.g. SSL with compression) later.
      This results in significant per-connection memory leaks and
      has caused some security issues including CVE-2008-1678 and
@@ -23,7 +43,7 @@
      [Bodo Moeller]
 
   *) Add option SSL_OP_LEGACY_SERVER_CONNECT which will allow clients to
-     connect (but not renegotiate) with servers which do not support RI.
+     connect and renegotiate with servers which do not support RI.
      Until RI is more widely deployed this option is enabled by default.
      [Steve Henson]
 
@@ -31,14 +51,14 @@
      [Steve Henson]
 
   *) If client attempts to renegotiate and doesn't support RI respond with
-     a no_renegotiation alert as required by draft-ietf-tls-renegotiation.
-     Some renegotiating TLS clients will continue a connection gracefully
-     when they receive the alert. Unfortunately OpenSSL mishandled
-     this alert and would hang waiting for a server hello which it will never
-     receive. Now we treat a received no_renegotiation alert as a fatal 
-     error. This is because applications requesting a renegotiation might well
-     expect it to succeed and would have no code in place to handle the server
-     denying it so the only safe thing to do is to terminate the connection.
+     a no_renegotiation alert as required by RFC5746.  Some renegotiating
+     TLS clients will continue a connection gracefully when they receive
+     the alert. Unfortunately OpenSSL mishandled this alert and would hang
+     waiting for a server hello which it will never receive. Now we treat a
+     received no_renegotiation alert as a fatal error. This is because
+     applications requesting a renegotiation might well expect it to succeed
+     and would have no code in place to handle the server denying it so the
+     only safe thing to do is to terminate the connection.
      [Steve Henson]
 
   *) Add ctrl macro SSL_get_secure_renegotiation_support() which returns 1 if
@@ -50,10 +70,9 @@
      the updated NID creation version. This should correctly handle UTF8.
      [Steve Henson]
 
-  *) Implement draft-ietf-tls-renegotiation-03. Re-enable
-     renegotiation but require the extension as needed. Unfortunately,
-     SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION turns out to be a
-     bad idea. It has been replaced by
+  *) Implement RFC5746. Re-enable renegotiation but require the extension
+     as needed. Unfortunately, SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+     turns out to be a bad idea. It has been replaced by
      SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION which can be set with
      SSL_CTX_set_options(). This is really not recommended unless you
      know what you are doing.

FAQ

@@ -78,7 +78,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8k was released on Mar 25th, 2009.
+OpenSSL 0.9.8m was released on Feb 25th, 2010.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:

Makefile.org

@@ -686,7 +686,7 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
-	@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
+	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
 	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \

NEWS

@@ -5,11 +5,13 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m-beta1:
+  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
 
+      o Cipher definition fixes.
+      o Workaround for slow RAND_poll() on some WIN32 versions.
       o Remove MD2 from algorithm tables.
       o SPKAC handling fixes.
-      o Implement draft-ietf-tls-renegotiation-03.
+      o Support for RFC5746 TLS renegotiation extension.
       o Compression memory leak fixed.
       o Compression session resumption fixed.
       o Ticket and SNI coexistence fixes.

README

@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.8m-beta1
+ OpenSSL 0.9.8m
 
  Copyright (c) 1998-2009 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

STATUS

@@ -1,11 +1,11 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2010/01/20 17:26:01 $
+  ______________                           $Date: 2010/02/25 17:18:22 $
 
   DEVELOPMENT STATE
 
     o  OpenSSL 1.0.0:  Under development...
-    o  OpenSSL 0.9.8m-beta1: Released on January 20th, 2010
+    o  OpenSSL 0.9.8m: Released on February  25th, 2010
     o  OpenSSL 0.9.8l: Released on November   5th, 2009
     o  OpenSSL 0.9.8k: Released on March     25th, 2009
     o  OpenSSL 0.9.8j: Released on January    7th, 2009

apps/dsa.c

@@ -65,11 +65,11 @@
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
-#include <openssl/dsa.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/bn.h>
+#include <openssl/dsa.h>
 
 #undef PROG
 #define PROG	dsa_main

apps/dsaparam.c

@@ -475,4 +475,10 @@ static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb)
 #endif
 	return 1;
 	}
+#else /* !OPENSSL_NO_DSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif

apps/gendsa.c

@@ -279,4 +279,10 @@ end:
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
+#else /* !OPENSSL_NO_DSA */
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif

apps/makeapps.com

@@ -70,10 +70,6 @@ $!
 $! Define what programs should be compiled
 $!
 $ PROGRAMS := OPENSSL
-$!$ PROGRAMS := VERIFY,ASN1PARS,REQ,DGST,DH,ENC,PASSWD,GENDH,ERRSTR,CA,CRL,-
-$!	      RSA,DSA,DSAPARAM,-
-$!	      X509,GENRSA,GENDSA,S_SERVER,S_CLIENT,SPEED,-
-$!	      S_TIME,VERSION,PKCS7,CRL2P7,SESS_ID,CIPHERS,NSEQ,
 $!
 $! Define The CRYPTO Library.
 $!
@@ -142,13 +138,13 @@ $! NOTE: Some might think this list ugly.  However, it's made this way to
 $! reflect the E_OBJ variable in Makefile as closely as possible, thereby
 $! making it fairly easy to verify that the lists are the same.
 $!
-$ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+-
-	      "CA;PKCS7;CRL2P7;CRL;"+-
-	      "RSA;RSAUTL;DSA;DSAPARAM;EC;ECPARAM;"+-
-	      "X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+-
-	      "S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+-
-	      "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;"+-
-	      "OCSP;PRIME;CMS"
+$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DH,DHPARAM,ENC,PASSWD,GENDH,ERRSTR,"+-
+		"CA,PKCS7,CRL2P7,CRL,"+-
+		"RSA,RSAUTL,DSA,DSAPARAM,EC,ECPARAM,"+-
+		"X509,GENRSA,GENDSA,S_SERVER,S_CLIENT,SPEED,"+-
+		"S_TIME,APPS,S_CB,S_SOCKET,APP_RAND,VERSION,SESS_ID,"+-
+		"CIPHERS,NSEQ,PKCS12,PKCS8,SPKAC,SMIME,RAND,ENGINE,"+-
+		"OCSP,PRIME,CMS"
 $ TCPIP_PROGRAMS = ",,"
 $ IF COMPILER .EQS. "VAXC" THEN -
      TCPIP_PROGRAMS = ",OPENSSL,"
@@ -161,121 +157,149 @@ $ PHASE := LIB
 $!
 $ RESTART: 
 $!
-$!  Define A File Counter And Set It To "0".
+$!  Define An App Counter And Set It To "0".
 $!
-$ FILE_COUNTER = 0
+$ APP_COUNTER = 0
 $!
-$! Top Of The File Loop.
+$!  Top Of The App Loop.
 $!
-$ NEXT_FILE:
+$ NEXT_APP:
 $!
-$! O.K, Extract The File Name From The File List.
+$!  Make The Application File Name
 $!
-$ FILE_NAME0 = F$EDIT(F$ELEMENT(FILE_COUNTER,";",'PHASE'_FILES),"TRIM")
-$ FILE_NAME = F$EDIT(F$ELEMENT(0,",",FILE_NAME0),"TRIM")
-$ EXTRA_OBJ = FILE_NAME0 - FILE_NAME
+$ CURRENT_APP = F$EDIT(F$ELEMENT(APP_COUNTER,",",PROGRAMS),"TRIM")
 $!
-$! Check To See If We Are At The End Of The File List.
+$!  Create The Executable File Name.
 $!
-$ IF (FILE_NAME0.EQS.";")
+$   EXE_FILE = EXE_DIR + CURRENT_APP + ".EXE"
+$!
+$!  Check To See If We Are At The End Of The File List.
+$!
+$ IF (CURRENT_APP.EQS.",")
 $ THEN
 $   IF (PHASE.EQS."LIB")
 $   THEN
 $     PHASE := APP
 $     GOTO RESTART
 $   ELSE
-$     GOTO FILE_DONE
+$     GOTO APP_DONE
 $   ENDIF
 $ ENDIF
 $!
-$! Increment The Counter.
+$!  Increment The Counter.
 $!
-$ FILE_COUNTER = FILE_COUNTER + 1
+$ APP_COUNTER = APP_COUNTER + 1
 $!
-$! Check to see if this program should actually be compiled
-$!
-$ IF PHASE .EQS. "APP" .AND. -
-     ","+PROGRAMS+"," - (","+F$EDIT(FILE_NAME,"UPCASE")+",") .EQS. ","+PROGRAMS+","
-$ THEN
-$   GOTO NEXT_FILE
-$ ENDIF
-$!
-$! Create The Source File Name.
-$!
-$ SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C"
-$!
-$! Create The Object File Name.
-$!
-$ OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ"
-$!
-$! Create The Executable File Name.
-$!
-$ EXE_FILE = EXE_DIR + FILE_NAME + ".EXE"
-$ ON WARNING THEN GOTO NEXT_FILE
-$!
-$! Check To See If The File We Want To Compile Actually Exists.
-$!
-$ IF (F$SEARCH(SOURCE_FILE).EQS."")
-$ THEN
-$!
-$!  Tell The User That The File Dosen't Exist.
-$!
-$   WRITE SYS$OUTPUT ""
-$   WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist."
-$   WRITE SYS$OUTPUT ""
-$!
-$!  Exit The Build.
-$!
-$   GOTO EXIT
-$!
-$! End The File Exist Check.
-$!
-$ ENDIF
-$!
-$! Tell The User What We Are Building.
+$!  Decide if we're building the object files or not.
 $!
 $ IF (PHASE.EQS."LIB")
 $ THEN
-$   WRITE SYS$OUTPUT "Compiling The ",FILE_NAME,".C File."
-$ ELSE
-$   WRITE SYS$OUTPUT "Building The ",FILE_NAME," Application Program."
-$ ENDIF
 $!
-$! Compile The File.
+$!  Define A Library File Counter And Set It To "-1".
+$!  -1 Means The Application File Name Is To Be Used.
 $!
-$ ON ERROR THEN GOTO NEXT_FILE
-$ IF COMPILEWITH_CC2 - FILE_NAME .NES. COMPILEWITH_CC2
-$ THEN
-$   CC2/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
-$ ELSE
-$   CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
-$ ENDIF
+$   LIB_COUNTER = -1
 $!
-$ ON WARNING THEN GOTO NEXT_FILE
+$!  Create a .OPT file for the object files
 $!
-$ IF (PHASE.EQS."LIB") 
-$ THEN 
-$   GOTO NEXT_FILE
+$   OPEN/WRITE OBJECTS 'EXE_DIR''CURRENT_APP'.OPT
+$!
+$!  Top Of The File Loop.
+$!
+$  NEXT_LIB:
+$!
+$!  O.K, Extract The File Name From The File List.
+$!
+$   IF LIB_COUNTER .GE. 0
+$   THEN
+$     FILE_NAME = F$EDIT(F$ELEMENT(LIB_COUNTER,",",LIB_'CURRENT_APP'),"TRIM")
+$   ELSE
+$     FILE_NAME = CURRENT_APP
+$   ENDIF
+$!
+$!  Check To See If We Are At The End Of The File List.
+$!
+$   IF (FILE_NAME.EQS.",")
+$   THEN
+$     CLOSE OBJECTS
+$     GOTO NEXT_APP
+$   ENDIF
+$!
+$!  Increment The Counter.
+$!
+$   LIB_COUNTER = LIB_COUNTER + 1
+$!
+$!  Create The Source File Name.
+$!
+$   SOURCE_FILE = "SYS$DISK:[]" + FILE_NAME + ".C"
+$!
+$!  Create The Object File Name.
+$!
+$   OBJECT_FILE = OBJ_DIR + FILE_NAME + ".OBJ"
+$   ON WARNING THEN GOTO NEXT_LIB
+$!
+$!  Check To See If The File We Want To Compile Actually Exists.
+$!
+$   IF (F$SEARCH(SOURCE_FILE).EQS."")
+$   THEN
+$!
+$!    Tell The User That The File Dosen't Exist.
+$!
+$     WRITE SYS$OUTPUT ""
+$     WRITE SYS$OUTPUT "The File ",SOURCE_FILE," Dosen't Exist."
+$     WRITE SYS$OUTPUT ""
+$!
+$!    Exit The Build.
+$!
+$     GOTO EXIT
+$!
+$!  End The File Exist Check.
+$!
+$   ENDIF
+$!
+$!  Tell The User What We Are Building.
+$!
+$   IF (PHASE.EQS."LIB")
+$   THEN
+$     WRITE SYS$OUTPUT "Compiling The ",FILE_NAME,".C File."
+$   ELSE
+$     WRITE SYS$OUTPUT "Building The ",FILE_NAME," Application Program."
+$   ENDIF
+$!
+$!  Compile The File.
+$!
+$   ON ERROR THEN GOTO NEXT_LIB
+$   IF COMPILEWITH_CC2 - FILE_NAME .NES. COMPILEWITH_CC2
+$   THEN
+$     CC2/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$   ELSE
+$     CC/OBJECT='OBJECT_FILE' 'SOURCE_FILE'
+$   ENDIF
+$   WRITE OBJECTS OBJECT_FILE
+$!
+$   GOTO NEXT_LIB
 $ ENDIF
 $!
 $!  Check if this program works well without a TCPIP library
 $!
-$ IF TCPIP_LIB .EQS. "" .AND. TCPIP_PROGRAMS - FILE_NAME .NES. TCPIP_PROGRAMS
+$ IF TCPIP_LIB .EQS. "" .AND. TCPIP_PROGRAMS - CURRENT_APP .NES. TCPIP_PROGRAMS
 $ THEN
-$   WRITE SYS$OUTPUT FILE_NAME," needs a TCP/IP library.  Can't link.  Skipping..."
-$   GOTO NEXT_FILE
+$   WRITE SYS$OUTPUT CURRENT_APP," needs a TCP/IP library.  Can't link.  Skipping..."
+$   GOTO NEXT_APP
 $ ENDIF
 $!
 $! Link The Program.
 $! Check To See If We Are To Link With A Specific TCP/IP Library.
 $!
+$ ON WARNING THEN GOTO NEXT_APP
+$!
 $ IF (TCPIP_LIB.NES."")
 $ THEN
 $!
 $! Don't Link With The RSAREF Routines And TCP/IP Library.
 $!
 $   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-	'OBJECT_FILE''EXTRA_OBJ', -
+	'EXE_DIR''CURRENT_APP'.OPT/OPTION, -
         'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
         'TCPIP_LIB','OPT_FILE'/OPTION
 $!
@@ -286,7 +310,7 @@ $!
 $! Don't Link With The RSAREF Routines And Link With A TCP/IP Library.
 $!
 $   LINK/'DEBUGGER'/'TRACEBACK' /EXE='EXE_FILE' -
-	'OBJECT_FILE''EXTRA_OBJ', -
+	'EXE_DIR''CURRENT_APP'.OPT/OPTION, -
         'SSL_LIB'/LIBRARY,'CRYPTO_LIB'/LIBRARY, -
         'OPT_FILE'/OPTION
 $!
@@ -296,11 +320,11 @@ $ ENDIF
 $!
 $! Go Back And Do It Again.
 $!
-$ GOTO NEXT_FILE
+$ GOTO NEXT_APP
 $!
 $! All Done With This File.
 $!
-$ FILE_DONE:
+$ APP_DONE:
 $ EXIT:
 $!
 $! All Done, Time To Clean Up And Exit.

apps/speed.c

@@ -297,8 +297,12 @@ static const char *names[ALGOR_NUM]={
   "aes-128 ige","aes-192 ige","aes-256 ige"};
 static double results[ALGOR_NUM][SIZE_NUM];
 static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
+#ifndef OPENSSL_NO_RSA
 static double rsa_results[RSA_NUM][2];
+#endif
+#ifndef OPENSSL_NO_DSA
 static double dsa_results[DSA_NUM][2];
+#endif
 #ifndef OPENSSL_NO_ECDSA
 static double ecdsa_results[EC_NUM][2];
 #endif

crypto/aes/aes_cfb.c

@@ -201,7 +201,6 @@ void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
     assert(in && out && key && ivec && num);
     assert(*num == 0);
 
-    memset(out,0,(length+7)/8);
     for(n=0 ; n < length ; ++n)
 	{
 	c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;

crypto/bn/bn_div.c

@@ -102,7 +102,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
 	/* The next 2 are needed so we can do a dv->d[0]|=1 later
 	 * since BN_lshift1 will only work once there is a value :-) */
 	BN_zero(dv);
-	bn_wexpand(dv,1);
+	if(bn_wexpand(dv,1) == NULL) goto end;
 	dv->top=1;
 
 	if (!BN_lshift(D,D,nm-nd)) goto end;

crypto/bn/bn_gf2m.c

@@ -294,7 +294,8 @@ int	BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b)
 	if (a->top < b->top) { at = b; bt = a; }
 	else { at = a; bt = b; }
 
-	bn_wexpand(r, at->top);
+	if(bn_wexpand(r, at->top) == NULL)
+		return 0;
 
 	for (i = 0; i < bt->top; i++)
 		{

crypto/cms/cms_lib.c

@@ -415,7 +415,11 @@ int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
 			return 0;
 			}
 		BIO_get_md_ctx(chain, &mtmp);
-		if (EVP_MD_CTX_type(mtmp) == nid)
+		if (EVP_MD_CTX_type(mtmp) == nid
+		/* Workaround for broken implementations that use signature
+		 * algorithm  OID instead of digest.
+		 */
+			|| EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid)
 			{
 			EVP_MD_CTX_copy_ex(mctx, mtmp);
 			return 1;

crypto/ec/ec2_smpl.c

@@ -174,8 +174,10 @@ int ec_GF2m_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src)
 	dest->poly[2] = src->poly[2];
 	dest->poly[3] = src->poly[3];
 	dest->poly[4] = src->poly[4];
-	bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
-	bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+	if(bn_wexpand(&dest->a, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
+		return 0;
+	if(bn_wexpand(&dest->b, (int)(dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL)
+		return 0;
 	for (i = dest->a.top; i < dest->a.dmax; i++) dest->a.d[i] = 0;
 	for (i = dest->b.top; i < dest->b.dmax; i++) dest->b.d[i] = 0;
 	return 1;
@@ -199,12 +201,12 @@ int ec_GF2m_simple_group_set_curve(EC_GROUP *group,
 
 	/* group->a */
 	if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) goto err;
-	bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+	if(bn_wexpand(&group->a, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err;
 	for (i = group->a.top; i < group->a.dmax; i++) group->a.d[i] = 0;
 	
 	/* group->b */
 	if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) goto err;
-	bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2);
+	if(bn_wexpand(&group->b, (int)(group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) goto err;
 	for (i = group->b.top; i < group->b.dmax; i++) group->b.d[i] = 0;
 		
 	ret = 1;

crypto/engine/eng_cnf.c

@@ -95,7 +95,7 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
 	int ret = 0;
 	long do_init = -1;
 	STACK_OF(CONF_VALUE) *ecmds;
-	CONF_VALUE *ecmd;
+	CONF_VALUE *ecmd = NULL;
 	char *ctrlname, *ctrlvalue;
 	ENGINE *e = NULL;
 	int soft = 0;
@@ -157,7 +157,7 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
 					return 1;
 					}
 				if (!e)
-					return 0;
+					goto err;
 				}
 			/* Allow "EMPTY" to mean no value: this allows a valid
 			 * "value" to be passed to ctrls of type NO_INPUT
@@ -186,16 +186,27 @@ static int int_engine_configure(char *name, char *value, const CONF *cnf)
 				}
 			else if (!ENGINE_ctrl_cmd_string(e,
 					ctrlname, ctrlvalue, 0))
-				return 0;
+				goto err;
 			}
 
 
 
 		}
 	if (e && (do_init == -1) && !int_engine_init(e))
+		{
+		ecmd = NULL;
 		goto err;
+		}
 	ret = 1;
 	err:
+	if (ret != 1)
+		{
+		ENGINEerr(ENGINE_F_INT_ENGINE_CONFIGURE, ENGINE_R_ENGINE_CONFIGURATION_ERROR);
+		if (ecmd)
+			ERR_add_error_data(6, "section=", ecmd->section, 
+						", name=", ecmd->name,
+						", value=", ecmd->value);
+		}
 	if (e)
 		ENGINE_free(e);
 	return ret;

crypto/engine/eng_err.c

@@ -1,6 +1,6 @@
 /* crypto/engine/eng_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -124,6 +124,7 @@ static ERR_STRING_DATA ENGINE_str_reasons[]=
 {ERR_REASON(ENGINE_R_DSO_FAILURE)        ,"DSO failure"},
 {ERR_REASON(ENGINE_R_DSO_NOT_FOUND)      ,"dso not found"},
 {ERR_REASON(ENGINE_R_ENGINES_SECTION_ERROR),"engines section error"},
+{ERR_REASON(ENGINE_R_ENGINE_CONFIGURATION_ERROR),"engine configuration error"},
 {ERR_REASON(ENGINE_R_ENGINE_IS_NOT_IN_LIST),"engine is not in the list"},
 {ERR_REASON(ENGINE_R_ENGINE_SECTION_ERROR),"engine section error"},
 {ERR_REASON(ENGINE_R_FAILED_LOADING_PRIVATE_KEY),"failed loading private key"},

crypto/engine/eng_table.c

@@ -237,6 +237,7 @@ ENGINE *engine_table_select_tmp(ENGINE_TABLE **table, int nid, const char *f, in
 #endif
 		return NULL;
 		}
+	ERR_set_mark();
 	CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
 	/* Check again inside the lock otherwise we could race against cleanup
 	 * operations. But don't worry about a fprintf(stderr). */
@@ -310,6 +311,6 @@ end:
 	CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE);
 	/* Whatever happened, any failed init()s are not failures in this
 	 * context, so clear our error state. */
-	ERR_clear_error();
+	ERR_pop_to_mark();
 	return ret;
 	}

crypto/engine/engine.h

@@ -769,6 +769,7 @@ void ERR_load_ENGINE_strings(void);
 #define ENGINE_R_DSO_FAILURE				 104
 #define ENGINE_R_DSO_NOT_FOUND				 132
 #define ENGINE_R_ENGINES_SECTION_ERROR			 148
+#define ENGINE_R_ENGINE_CONFIGURATION_ERROR		 101
 #define ENGINE_R_ENGINE_IS_NOT_IN_LIST			 105
 #define ENGINE_R_ENGINE_SECTION_ERROR			 149
 #define ENGINE_R_FAILED_LOADING_PRIVATE_KEY		 128

crypto/evp/evp_locl.h

@@ -127,9 +127,9 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
 #define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
 			     iv_len, cbits, flags, init_key, cleanup, \
 			     set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
-		  key_len, iv_len, flags, init_key, cleanup, set_asn1, \
-		  get_asn1, ctrl)
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, \
+			(cbits + 7)/8, key_len, iv_len, \
+		flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
 
 #define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \
 			     iv_len, cbits, flags, init_key, cleanup, \
@@ -139,10 +139,10 @@ BLOCK_CIPHER_def1(cname, ofb##cbits, ofb, OFB, kstruct, nid, 1, \
 		  get_asn1, ctrl)
 
 #define BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, \
-			     iv_len, flags, init_key, cleanup, set_asn1, \
+			     flags, init_key, cleanup, set_asn1, \
 			     get_asn1, ctrl) \
 BLOCK_CIPHER_def1(cname, ecb, ecb, ECB, kstruct, nid, block_size, key_len, \
-		  iv_len, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+		  0, flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
 
 #define BLOCK_CIPHER_defs(cname, kstruct, \
 			  nid, block_size, key_len, iv_len, cbits, flags, \
@@ -153,7 +153,7 @@ BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, iv_len, cbits, \
 		     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
 BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, iv_len, cbits, \
 		     flags, init_key, cleanup, set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, iv_len, flags, \
+BLOCK_CIPHER_def_ecb(cname, kstruct, nid, block_size, key_len, flags, \
 		     init_key, cleanup, set_asn1, get_asn1, ctrl)
 
 

crypto/o_init.c

@@ -58,6 +58,11 @@
 
 #include <e_os.h>
 #include <openssl/err.h>
+/* Internal only functions: only ever used here */
+extern	void int_ERR_lib_init(void);
+extern	void int_EVP_MD_init_engine_callbacks(void );
+extern	void int_EVP_CIPHER_init_engine_callbacks(void );
+extern	void int_RAND_init_engine_callbacks(void );
 
 /* Perform any essential OpenSSL initialization operations.
  * Currently only sets FIPS callbacks

crypto/objects/obj_dat.h

@@ -707,7 +707,7 @@ static unsigned char lvalues[5824]={
 0x2B,                                        /* [4582] OBJ_identified_organization */
 0x2B,0x81,0x04,                              /* [4583] OBJ_certicom_arc */
 0x67,0x2B,                                   /* [4586] OBJ_wap */
-0x67,0x2B,0x0D,                              /* [4588] OBJ_wap_wsg */
+0x67,0x2B,0x01,                              /* [4588] OBJ_wap_wsg */
 0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,     /* [4591] OBJ_X9_62_id_characteristic_two_basis */
 0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x01,/* [4599] OBJ_X9_62_onBasis */
 0x2A,0x86,0x48,0xCE,0x3D,0x01,0x02,0x03,0x02,/* [4608] OBJ_X9_62_tpBasis */
@@ -763,17 +763,17 @@ static unsigned char lvalues[5824]={
 0x2B,0x81,0x04,0x00,0x25,                    /* [4926] OBJ_sect409r1 */
 0x2B,0x81,0x04,0x00,0x26,                    /* [4931] OBJ_sect571k1 */
 0x2B,0x81,0x04,0x00,0x27,                    /* [4936] OBJ_sect571r1 */
-0x67,0x2B,0x0D,0x04,0x01,                    /* [4941] OBJ_wap_wsg_idm_ecid_wtls1 */
-0x67,0x2B,0x0D,0x04,0x03,                    /* [4946] OBJ_wap_wsg_idm_ecid_wtls3 */
-0x67,0x2B,0x0D,0x04,0x04,                    /* [4951] OBJ_wap_wsg_idm_ecid_wtls4 */
-0x67,0x2B,0x0D,0x04,0x05,                    /* [4956] OBJ_wap_wsg_idm_ecid_wtls5 */
-0x67,0x2B,0x0D,0x04,0x06,                    /* [4961] OBJ_wap_wsg_idm_ecid_wtls6 */
-0x67,0x2B,0x0D,0x04,0x07,                    /* [4966] OBJ_wap_wsg_idm_ecid_wtls7 */
-0x67,0x2B,0x0D,0x04,0x08,                    /* [4971] OBJ_wap_wsg_idm_ecid_wtls8 */
-0x67,0x2B,0x0D,0x04,0x09,                    /* [4976] OBJ_wap_wsg_idm_ecid_wtls9 */
-0x67,0x2B,0x0D,0x04,0x0A,                    /* [4981] OBJ_wap_wsg_idm_ecid_wtls10 */
-0x67,0x2B,0x0D,0x04,0x0B,                    /* [4986] OBJ_wap_wsg_idm_ecid_wtls11 */
-0x67,0x2B,0x0D,0x04,0x0C,                    /* [4991] OBJ_wap_wsg_idm_ecid_wtls12 */
+0x67,0x2B,0x01,0x04,0x01,                    /* [4941] OBJ_wap_wsg_idm_ecid_wtls1 */
+0x67,0x2B,0x01,0x04,0x03,                    /* [4946] OBJ_wap_wsg_idm_ecid_wtls3 */
+0x67,0x2B,0x01,0x04,0x04,                    /* [4951] OBJ_wap_wsg_idm_ecid_wtls4 */
+0x67,0x2B,0x01,0x04,0x05,                    /* [4956] OBJ_wap_wsg_idm_ecid_wtls5 */
+0x67,0x2B,0x01,0x04,0x06,                    /* [4961] OBJ_wap_wsg_idm_ecid_wtls6 */
+0x67,0x2B,0x01,0x04,0x07,                    /* [4966] OBJ_wap_wsg_idm_ecid_wtls7 */
+0x67,0x2B,0x01,0x04,0x08,                    /* [4971] OBJ_wap_wsg_idm_ecid_wtls8 */
+0x67,0x2B,0x01,0x04,0x09,                    /* [4976] OBJ_wap_wsg_idm_ecid_wtls9 */
+0x67,0x2B,0x01,0x04,0x0A,                    /* [4981] OBJ_wap_wsg_idm_ecid_wtls10 */
+0x67,0x2B,0x01,0x04,0x0B,                    /* [4986] OBJ_wap_wsg_idm_ecid_wtls11 */
+0x67,0x2B,0x01,0x04,0x0C,                    /* [4991] OBJ_wap_wsg_idm_ecid_wtls12 */
 0x55,0x1D,0x20,0x00,                         /* [4996] OBJ_any_policy */
 0x55,0x1D,0x21,                              /* [5000] OBJ_policy_mappings */
 0x55,0x1D,0x36,                              /* [5003] OBJ_inhibit_any_policy */
@@ -4240,7 +4240,7 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[516]),/* OBJ_set_policy                   2 23 42 5 */
 &(nid_objs[517]),/* OBJ_set_certExt                  2 23 42 7 */
 &(nid_objs[518]),/* OBJ_set_brand                    2 23 42 8 */
-&(nid_objs[679]),/* OBJ_wap_wsg                      2 23 43 13 */
+&(nid_objs[679]),/* OBJ_wap_wsg                      2 23 43 1 */
 &(nid_objs[382]),/* OBJ_Directory                    1 3 6 1 1 */
 &(nid_objs[383]),/* OBJ_Management                   1 3 6 1 2 */
 &(nid_objs[384]),/* OBJ_Experimental                 1 3 6 1 3 */
@@ -4426,17 +4426,17 @@ static ASN1_OBJECT *obj_objs[NUM_OBJ]={
 &(nid_objs[629]),/* OBJ_setAttr_IssCap_T2            2 23 42 3 3 4 */
 &(nid_objs[630]),/* OBJ_setAttr_IssCap_Sig           2 23 42 3 3 5 */
 &(nid_objs[642]),/* OBJ_set_brand_Novus              2 23 42 8 6011 */
-&(nid_objs[735]),/* OBJ_wap_wsg_idm_ecid_wtls1       2 23 43 13 4 1 */
-&(nid_objs[736]),/* OBJ_wap_wsg_idm_ecid_wtls3       2 23 43 13 4 3 */
-&(nid_objs[737]),/* OBJ_wap_wsg_idm_ecid_wtls4       2 23 43 13 4 4 */
-&(nid_objs[738]),/* OBJ_wap_wsg_idm_ecid_wtls5       2 23 43 13 4 5 */
-&(nid_objs[739]),/* OBJ_wap_wsg_idm_ecid_wtls6       2 23 43 13 4 6 */
-&(nid_objs[740]),/* OBJ_wap_wsg_idm_ecid_wtls7       2 23 43 13 4 7 */
-&(nid_objs[741]),/* OBJ_wap_wsg_idm_ecid_wtls8       2 23 43 13 4 8 */
-&(nid_objs[742]),/* OBJ_wap_wsg_idm_ecid_wtls9       2 23 43 13 4 9 */
-&(nid_objs[743]),/* OBJ_wap_wsg_idm_ecid_wtls10      2 23 43 13 4 10 */
-&(nid_objs[744]),/* OBJ_wap_wsg_idm_ecid_wtls11      2 23 43 13 4 11 */
-&(nid_objs[745]),/* OBJ_wap_wsg_idm_ecid_wtls12      2 23 43 13 4 12 */
+&(nid_objs[735]),/* OBJ_wap_wsg_idm_ecid_wtls1       2 23 43 1 4 1 */
+&(nid_objs[736]),/* OBJ_wap_wsg_idm_ecid_wtls3       2 23 43 1 4 3 */
+&(nid_objs[737]),/* OBJ_wap_wsg_idm_ecid_wtls4       2 23 43 1 4 4 */
+&(nid_objs[738]),/* OBJ_wap_wsg_idm_ecid_wtls5       2 23 43 1 4 5 */
+&(nid_objs[739]),/* OBJ_wap_wsg_idm_ecid_wtls6       2 23 43 1 4 6 */
+&(nid_objs[740]),/* OBJ_wap_wsg_idm_ecid_wtls7       2 23 43 1 4 7 */
+&(nid_objs[741]),/* OBJ_wap_wsg_idm_ecid_wtls8       2 23 43 1 4 8 */
+&(nid_objs[742]),/* OBJ_wap_wsg_idm_ecid_wtls9       2 23 43 1 4 9 */
+&(nid_objs[743]),/* OBJ_wap_wsg_idm_ecid_wtls10      2 23 43 1 4 10 */
+&(nid_objs[744]),/* OBJ_wap_wsg_idm_ecid_wtls11      2 23 43 1 4 11 */
+&(nid_objs[745]),/* OBJ_wap_wsg_idm_ecid_wtls12      2 23 43 1 4 12 */
 &(nid_objs[804]),/* OBJ_whirlpool                    1 0 10118 3 0 55 */
 &(nid_objs[124]),/* OBJ_rle_compression              1 1 1 1 666 1 */
 &(nid_objs[773]),/* OBJ_kisa                         1 2 410 200004 */

crypto/objects/obj_mac.h

@@ -122,7 +122,7 @@
 
 #define SN_wap_wsg		"wap-wsg"
 #define NID_wap_wsg		679
-#define OBJ_wap_wsg		OBJ_wap,13L
+#define OBJ_wap_wsg		OBJ_wap,1L
 
 #define SN_selected_attribute_types		"selected-attribute-types"
 #define LN_selected_attribute_types		"Selected Attribute Types"

crypto/objects/objects.txt

@@ -20,7 +20,7 @@ identified-organization 132	: certicom-arc
 joint-iso-itu-t 23	: international-organizations	: International Organizations
 
 international-organizations 43	: wap
-wap 13			: wap-wsg
+wap 1			: wap-wsg
 
 joint-iso-itu-t 5 1 5	: selected-attribute-types	: Selected Attribute Types
 

crypto/opensslv.h

@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x009080d1L
+#define OPENSSL_VERSION_NUMBER	0x009080dfL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8m-fips-beta1 20 Jan 2010"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8m-fips 25 Feb 2010"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8m-beta1 20 Jan 2010"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8m 25 Feb 2010"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 

crypto/rand/rand_win.c

@@ -527,6 +527,7 @@ int RAND_poll(void)
 							RAND_add(&hentry,
 								hentry.dwSize, 5);
 						while (heap_next(&hentry)
+						&& (!good || (GetTickCount()-starttime)<MAXDELAY)
 							&& --entrycnt > 0);
 						}
 						}

crypto/rand/randfile.c

@@ -117,6 +117,15 @@ int RAND_load_file(const char *file, long bytes)
 
 	if (file == NULL) return(0);
 
+#ifdef PURIFY
+	/* struct stat can have padding and unused fields that may not be
+	 * initialized in the call to stat(). We need to clear the entire
+	 * structure before calling RAND_add() to avoid complaints from
+	 * applications such as Valgrind.
+	 */
+	memset(&sb, 0, sizeof(sb));
+#endif
+
 	if (stat(file,&sb) < 0) return(0);
 	RAND_add(&sb,sizeof(sb),0.0);
 	if (bytes == 0) return(ret);

crypto/rsa/rsa_sign.c

@@ -137,7 +137,12 @@ int RSA_sign(int type, const unsigned char *m, unsigned int m_len,
 		i2d_X509_SIG(&sig,&p);
 		s=tmps;
 	}
+#ifdef OPENSSL_FIPS
+	/* Bypass algorithm blocking: this is allowed if we get this far */
+	i=rsa->meth->rsa_priv_enc(i,s,sigret,rsa,RSA_PKCS1_PADDING);
+#else
 	i=RSA_private_encrypt(i,s,sigret,rsa,RSA_PKCS1_PADDING);
+#endif
 	if (i <= 0)
 		ret=0;
 	else
@@ -190,8 +195,11 @@ int RSA_verify(int dtype, const unsigned char *m, unsigned int m_len,
 		RSAerr(RSA_F_RSA_VERIFY, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE);
 		return 0;
 		}
-#endif
+	/* Bypass algorithm blocking: this is allowed */
+	i=rsa->meth->rsa_pub_dec((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
+#else
 	i=RSA_public_decrypt((int)siglen,sigbuf,s,rsa,RSA_PKCS1_PADDING);
+#endif
 
 	if (i <= 0) goto err;
 

crypto/symhacks.h

@@ -181,6 +181,15 @@
 #undef SSL_COMP_get_compression_methods
 #define SSL_COMP_get_compression_methods	SSL_COMP_get_compress_methods
 
+#undef ssl_add_clienthello_renegotiate_ext
+#define ssl_add_clienthello_renegotiate_ext	ssl_add_clienthello_reneg_ext
+#undef ssl_add_serverhello_renegotiate_ext
+#define ssl_add_serverhello_renegotiate_ext	ssl_add_serverhello_reneg_ext
+#undef ssl_parse_clienthello_renegotiate_ext
+#define ssl_parse_clienthello_renegotiate_ext	ssl_parse_clienthello_reneg_ext
+#undef ssl_parse_serverhello_renegotiate_ext
+#define ssl_parse_serverhello_renegotiate_ext	ssl_parse_serverhello_reneg_ext
+
 /* Hack some long ENGINE names */
 #undef ENGINE_get_default_BN_mod_exp_crt
 #define ENGINE_get_default_BN_mod_exp_crt	ENGINE_get_def_BN_mod_exp_crt

crypto/x509/by_dir.c

@@ -360,11 +360,11 @@ static int get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
 
 		/* we have added it to the cache so now pull
 		 * it out again */
-		CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE);
+		CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
 		j = sk_X509_OBJECT_find(xl->store_ctx->objs,&stmp);
 		if(j != -1) tmp=sk_X509_OBJECT_value(xl->store_ctx->objs,j);
 		else tmp = NULL;
-		CRYPTO_r_unlock(CRYPTO_LOCK_X509_STORE);
+		CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 
 		if (tmp != NULL)
 			{
@@ -383,4 +383,3 @@ finish:
 	if (b != NULL) BUF_MEM_free(b);
 	return(ok);
 	}
-

crypto/x509/x509_lu.c

@@ -292,7 +292,9 @@ int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
 	X509_OBJECT stmp,*tmp;
 	int i,j;
 
+	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
 	tmp=X509_OBJECT_retrieve_by_subject(ctx->objs,type,name);
+	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
 
 	if (tmp == NULL)
 		{
@@ -346,7 +348,6 @@ int X509_STORE_add_cert(X509_STORE *ctx, X509 *x)
 
 	X509_OBJECT_up_ref_count(obj);
 
-
 	if (X509_OBJECT_retrieve_match(ctx->objs, obj))
 		{
 		X509_OBJECT_free_contents(obj);
@@ -452,15 +453,15 @@ int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
 
 X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, int type,
 	     X509_NAME *name)
-{
+	{
 	int idx;
 	idx = X509_OBJECT_idx_by_subject(h, type, name);
 	if (idx==-1) return NULL;
 	return sk_X509_OBJECT_value(h, idx);
-}
+	}
 
 X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x)
-{
+	{
 	int idx, i;
 	X509_OBJECT *obj;
 	idx = sk_X509_OBJECT_find(h, x);
@@ -475,13 +476,13 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x
 			return obj;
 		}
 	return NULL;
-}
+	}
 
 
 /* Try to get issuer certificate from store. Due to limitations
  * of the API this can only retrieve a single certificate matching
  * a given subject name. However it will fill the cache with all
- * matching certificates, so we can examine the cache for all 
+ * matching certificates, so we can examine the cache for all
  * matches.
  *
  * Return values are:
@@ -489,13 +490,11 @@ X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x
  *  0 certificate not found.
  * -1 some other error.
  */
-
-
 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
-{
+	{
 	X509_NAME *xn;
 	X509_OBJECT obj, *pobj;
-	int i, ok, idx;
+	int i, ok, idx, ret;
 	xn=X509_get_issuer_name(x);
 	ok=X509_STORE_get_by_subject(ctx,X509_LU_X509,xn,&obj);
 	if (ok != X509_LU_X509)
@@ -521,27 +520,34 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
 		return 1;
 		}
 	X509_OBJECT_free_contents(&obj);
-	/* Else find index of first matching cert */
-	idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
-	/* This shouldn't normally happen since we already have one match */
-	if (idx == -1) return 0;
 
-	/* Look through all matching certificates for a suitable issuer */
-	for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
+	/* Else find index of first cert accepted by 'check_issued' */
+	ret = 0;
+	CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+	idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs, X509_LU_X509, xn);
+	if (idx != -1) /* should be true as we've had at least one match */
 		{
-		pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
-		/* See if we've ran out of matches */
-		if (pobj->type != X509_LU_X509) return 0;
-		if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509))) return 0;
-		if (ctx->check_issued(ctx, x, pobj->data.x509))
+		/* Look through all matching certs for suitable issuer */
+		for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)
 			{
-			*issuer = pobj->data.x509;
-			X509_OBJECT_up_ref_count(pobj);
-			return 1;
+			pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);
+			/* See if we've run past the matches */
+			if (pobj->type != X509_LU_X509)
+				break;
+			if (X509_NAME_cmp(xn, X509_get_subject_name(pobj->data.x509)))
+				break;
+			if (ctx->check_issued(ctx, x, pobj->data.x509))
+				{
+				*issuer = pobj->data.x509;
+				X509_OBJECT_up_ref_count(pobj);
+				ret = 1;
+				break;
+				}
 			}
 		}
-	return 0;
-}
+	CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+	return ret;
+	}
 
 int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags)
 	{

doc/apps/verify.pod

@@ -171,8 +171,8 @@ the operation was successful.
 
 =item B<2 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: unable to get issuer certificate>
 
-the issuer certificate could not be found: this occurs if the issuer certificate
-of an untrusted certificate cannot be found.
+the issuer certificate of a looked up certificate could not be found. This
+normally means the list of trusted certificates is not complete.
 
 =item B<3 X509_V_ERR_UNABLE_TO_GET_CRL: unable to get certificate CRL>
 
@@ -249,8 +249,8 @@ be found locally.
 
 =item B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate>
 
-the issuer certificate of a locally looked up certificate could not be found. This normally means
-the list of trusted certificates is not complete.
+the issuer certificate could not be found: this occurs if the issuer
+certificate of an untrusted certificate cannot be found.
 
 =item B<21 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate>
 
@@ -326,6 +326,10 @@ the certificates in the file will be recognised.
 Previous versions of OpenSSL assume certificates with matching subject name are identical and
 mishandled them.
 
+Previous versions of this documentation swapped the meaning of the
+B<X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT> and
+B<20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY> error codes.
+
 =head1 SEE ALSO
 
 L<x509(1)|x509(1)>

doc/ssl/SSL_CTX_set_options.pod

@@ -227,47 +227,91 @@ not be used by clients or servers.
 
 =item SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
 
-See the B<SECURE RENEGOTIATION> section for a discussion of the purpose of
-this option
+Allow legacy insecure renegotiation between OpenSSL and unpatched clients or
+servers. See the B<SECURE RENEGOTIATION> section for more details.
+
+=item SSL_OP_LEGACY_SERVER_CONNECT
+
+Allow legacy insecure renegotiation between OpenSSL and unpatched servers
+B<only>: this option is currently set by default. See the
+B<SECURE RENEGOTIATION> section for more details.
 
 =back
 
 =head1 SECURE RENEGOTIATION
 
 OpenSSL 0.9.8m and later always attempts to use secure renegotiation as
-described in draft-ietf-tls-renegotiation (FIXME: replace by RFC). This
-counters a prefix attack described in the draft and elsewhere (FIXME: need full
-reference).
+described in RFC5746. This counters the prefix attack described in
+CVE-2009-3555 and elsewhere.
+
+The deprecated and highly broken SSLv2 protocol does not support
+renegotiation at all: its use is B<strongly> discouraged.
 
 This attack has far reaching consequences which application writers should be
 aware of. In the description below an implementation supporting secure
 renegotiation is referred to as I<patched>. A server not supporting secure
 renegotiation is referred to as I<unpatched>.
 
-If an unpatched client attempts to connect to a patched OpenSSL server then
-the attempt will succeed but renegotiation is not permitted. As required
-by the standard a B<no_renegotiation> alert is sent back to the client if
-the TLS v1.0 protocol is used. If SSLv3.0 is used then renegotiation results
-in a fatal B<handshake_failed> alert.
+The following sections describe the operations permitted by OpenSSL's secure
+renegotiation implementation.
 
-If a patched OpenSSL client attempts to connect to an unpatched server
-then the connection will fail because it is not possible to determine
-whether an attack is taking place.
+=head2 Patched client and server
 
-If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then the
-above restrictions are relaxed. Renegotiation is permissible and initial
-connections to unpatched servers will succeed.
+Connections and renegotiation are always permitted by OpenSSL implementations.
 
-This option should be used with caution because it leaves both clients and
-servers vulnerable. However unpatched servers and clients are likely to be
-around for some time and refusing to connect to unpatched servers or denying
-renegotion altogether may be unacceptable. So applications may be forced to
-tolerate unsafe renegotiation for the immediate future.
+=head2 Unpatched client and patched OpenSSL server
 
-The function SSL_get_secure_renegotiation_support() indicates whether the peer
-supports secure renegotiation. 
+The initial connection suceeds but client renegotiation is denied by the
+server with a B<no_renegotiation> warning alert if TLS v1.0 is used or a fatal
+B<handshake_failure> alert in SSL v3.0.
 
-The deprecated SSLv2 protocol does not support secure renegotiation at all.
+If the patched OpenSSL server attempts to renegotiate a fatal
+B<handshake_failure> alert is sent. This is because the server code may be
+unaware of the unpatched nature of the client.
+
+If the option B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then
+renegotiation B<always> succeeds.
+
+B<NB:> a bug in OpenSSL clients earlier than 0.9.8m (all of which are
+unpatched) will result in the connection hanging if it receives a
+B<no_renegotiation> alert. OpenSSL versions 0.9.8m and later will regard
+a B<no_renegotiation> alert as fatal and respond with a fatal
+B<handshake_failure> alert. This is because the OpenSSL API currently has
+no provision to indicate to an application that a renegotiation attempt
+was refused.
+
+=head2 Patched OpenSSL client and unpatched server.
+
+If the option B<SSL_OP_LEGACY_SERVER_CONNECT> or
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> is set then initial connections
+and renegotiation between patched OpenSSL clients and unpatched servers
+succeeds. If neither option is set then initial connections to unpatched
+servers will fail.
+
+The option B<SSL_OP_LEGACY_SERVER_CONNECT> is currently set by default even
+though it has security implications: otherwise it would be impossible to
+connect to unpatched servers (i.e. all of them initially) and this is clearly
+not acceptable. Renegotiation is permitted because this does not add any
+additional security issues: during an attack clients do not see any
+renegotiations anyway.
+
+As more servers become patched the option B<SSL_OP_LEGACY_SERVER_CONNECT> will
+B<not> be set by default in a future version of OpenSSL.
+
+OpenSSL client applications wishing to ensure they can connect to unpatched
+servers should always B<set> B<SSL_OP_LEGACY_SERVER_CONNECT>
+
+OpenSSL client applications that want to ensure they can B<not> connect to
+unpatched servers (and thus avoid any security issues) should always B<clear>
+B<SSL_OP_LEGACY_SERVER_CONNECT> using SSL_CTX_clear_options() or
+SSL_clear_options().
+
+The difference between the B<SSL_OP_LEGACY_SERVER_CONNECT> and
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> options is that
+B<SSL_OP_LEGACY_SERVER_CONNECT> enables initial connections and secure
+renegotiation between OpenSSL clients and unpatched servers B<only>, while
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> allows initial connections
+and renegotiation between OpenSSL and unpatched clients or servers.
 
 =head1 RETURN VALUES
 
@@ -307,7 +351,8 @@ enabled).
 SSL_CTX_clear_options() and SSL_clear_options() were first added in OpenSSL
 0.9.8m.
 
-B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION> was first added in OpenSSL
-0.9.8m.
+B<SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION>, B<SSL_OP_LEGACY_SERVER_CONNECT>
+and the function SSL_get_secure_renegotiation_support() were first added in
+OpenSSL 0.9.8m.
 
 =cut

engines/e_ubsec.c

@@ -934,7 +934,7 @@ static int ubsec_dh_generate_key(DH *dh)
                 priv_key = BN_new();
                 if (priv_key == NULL) goto err;
                 priv_key_len = BN_num_bits(dh->p);
-                bn_wexpand(priv_key, dh->p->top);
+                if(bn_wexpand(priv_key, dh->p->top) == NULL) goto err;
                 do
                         if (!BN_rand_range(priv_key, dh->p)) goto err;
                 while (BN_is_zero(priv_key));
@@ -949,7 +949,7 @@ static int ubsec_dh_generate_key(DH *dh)
                 {
                 pub_key = BN_new();
                 pub_key_len = BN_num_bits(dh->p);
-                bn_wexpand(pub_key, dh->p->top);
+                if(bn_wexpand(pub_key, dh->p->top) == NULL) goto err;
                 if(pub_key == NULL) goto err;
                 }
         else

fips/aes/fips_aesavs.c

@@ -89,7 +89,7 @@ int main(int argc, char *argv[])
 
 /*-----------------------------------------------*/
 
-int AESTest(EVP_CIPHER_CTX *ctx,
+static int AESTest(EVP_CIPHER_CTX *ctx,
 	    char *amode, int akeysz, unsigned char *aKey, 
 	    unsigned char *iVec, 
 	    int dir,  /* 0 = decrypt, 1 = encrypt */
@@ -238,7 +238,7 @@ enum XCrypt {XDECRYPT, XENCRYPT};
 #define gb(a,b) (((a)[(b)/8] >> (7-(b)%8))&1)
 #define sb(a,b,v) ((a)[(b)/8]=((a)[(b)/8]&~(1 << (7-(b)%8)))|(!!(v) << (7-(b)%8)))
 
-int do_mct(char *amode, 
+static int do_mct(char *amode, 
 	   int akeysz, unsigned char *aKey,unsigned char *iVec,
 	   int dir, unsigned char *text, int len,
 	   FILE *rfp)
@@ -546,7 +546,7 @@ int do_mct(char *amode,
   # Fri Aug 30 04:07:22 PM
   ----------------------------*/
 
-int proc_file(char *rqfile, char *rspfile)
+static int proc_file(char *rqfile, char *rspfile)
     {
     char afn[256], rfn[256];
     FILE *afp = NULL, *rfp = NULL;
@@ -767,7 +767,7 @@ int proc_file(char *rqfile, char *rspfile)
 		    err =1;
 		    break;
 		    }
-		if (len >= sizeof(plaintext))
+		if (len >= (int)sizeof(plaintext))
 		    {
 		    printf("Buffer overflow\n");
 		    }

fips/des/fips_desmovs.c

@@ -88,7 +88,7 @@ int main(int argc, char *argv[])
 
 #define VERBOSE 0
 
-int DESTest(EVP_CIPHER_CTX *ctx,
+static int DESTest(EVP_CIPHER_CTX *ctx,
 	    char *amode, int akeysz, unsigned char *aKey, 
 	    unsigned char *iVec, 
 	    int dir,  /* 0 = decrypt, 1 = encrypt */
@@ -128,16 +128,16 @@ int DESTest(EVP_CIPHER_CTX *ctx,
 
     return 1;
     }
-
-void DebugValue(char *tag, unsigned char *val, int len)
+#if 0
+static void DebugValue(char *tag, unsigned char *val, int len)
     {
     char obuf[2048];
     int olen;
     olen = bin2hex(val, len, obuf);
     printf("%s = %.*s\n", tag, olen, obuf);
     }
-
-void shiftin(unsigned char *dst,unsigned char *src,int nbits)
+#endif
+static void shiftin(unsigned char *dst,unsigned char *src,int nbits)
     {
     int n;
 
@@ -157,7 +157,7 @@ char *t_mode[6] = {"CBC","ECB","OFB","CFB1","CFB8","CFB64"};
 enum Mode {CBC, ECB, OFB, CFB1, CFB8, CFB64};
 int Sizes[6]={64,64,64,1,8,64};
 
-void do_mct(char *amode, 
+static void do_mct(char *amode, 
 	    int akeysz, int numkeys, unsigned char *akey,unsigned char *ivec,
 	    int dir, unsigned char *text, int len,
 	    FILE *rfp)
@@ -264,7 +264,7 @@ void do_mct(char *amode,
 	}
     }
     
-int proc_file(char *rqfile, char *rspfile)
+static int proc_file(char *rqfile, char *rspfile)
     {
     char afn[256], rfn[256];
     FILE *afp = NULL, *rfp = NULL;
@@ -532,7 +532,7 @@ int proc_file(char *rqfile, char *rspfile)
 		    err =1;
 		    break;
 		    }
-		if (len >= sizeof(plaintext))
+		if (len >= (int)sizeof(plaintext))
 		    {
 		    printf("Buffer overflow\n");
 		    }

fips/dsa/fips_dsatest.c

@@ -69,7 +69,6 @@
 #include <openssl/rand.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
-#include <openssl/dsa.h>
 #include <openssl/bn.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -83,6 +82,7 @@ int main(int argc, char *argv[])
     return(0);
 }
 #else
+#include <openssl/dsa.h>
 #include <openssl/fips.h>
 #include <openssl/fips_rand.h>
 #include <openssl/dsa.h>

fips/dsa/fips_dssvs.c

@@ -40,7 +40,7 @@ static void pbn(const char *name, BIGNUM *bn)
 	return;
 	}
 
-void primes()
+static void primes()
     {
     char buf[10240];
     char lbuf[10240];
@@ -63,7 +63,7 @@ void primes()
 	}
     }
 
-void pqg()
+static void pqg()
     {
     char buf[1024];
     char lbuf[1024];
@@ -112,7 +112,7 @@ void pqg()
 	}
     }
 
-void pqgver()
+static void pqgver()
     {
     char buf[1024];
     char lbuf[1024];
@@ -212,7 +212,7 @@ static int dss_paramcheck(int nmod, BIGNUM *p, BIGNUM *q, BIGNUM *g,
     return 1;
     }
 
-void keyver()
+static void keyver()
     {
     char buf[1024];
     char lbuf[1024];
@@ -299,7 +299,7 @@ void keyver()
 	    BN_free(Y2);
     }
 
-void keypair()
+static void keypair()
     {
     char buf[1024];
     char lbuf[1024];
@@ -348,7 +348,7 @@ void keypair()
 	}
     }
 
-void siggen()
+static void siggen()
     {
     char buf[1024];
     char lbuf[1024];
@@ -421,7 +421,7 @@ void siggen()
 		FIPS_dsa_free(dsa);
     }
 
-void sigver()
+static void sigver()
     {
     DSA *dsa=NULL;
     char buf[1024];

fips/fips_test_suite.c

@@ -18,9 +18,6 @@
 #include <stdlib.h>
 #include <openssl/aes.h>
 #include <openssl/des.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-#include <openssl/dh.h>
 #include <openssl/hmac.h>
 #include <openssl/err.h>
 
@@ -37,6 +34,10 @@ int main(int argc, char *argv[])
     }
 #else
 
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/dh.h>
+
 #include <openssl/fips.h>
 #include "fips_utl.h"
 
@@ -379,7 +380,8 @@ static int Zeroize()
     BIGNUM *bn;
     unsigned char userkey[16] = 
 	{ 0x48, 0x50, 0xf0, 0xa3, 0x3a, 0xed, 0xd3, 0xaf, 0x6e, 0x47, 0x7f, 0x83, 0x02, 0xb1, 0x09, 0x68 };
-    int i, n;
+    size_t i;
+    int n;
 
     key = FIPS_rsa_new();
     bn = BN_new();
@@ -410,13 +412,18 @@ static int Zeroize()
     }
 
 static int Error;
-const char * Fail(const char *msg)
+static const char * Fail(const char *msg)
     {
     do_print_errors();
     Error++;
     return msg; 
     }
 
+static void test_msg(const char *msg, int result)
+	{
+	printf("%s...%s\n", msg, result ? "successful" : Fail("Failed!"));
+	}
+
 int main(int argc,char **argv)
     {
 
@@ -487,20 +494,14 @@ int main(int argc,char **argv)
     /* Non-Approved cryptographic operation
     */
     printf("1. Non-Approved cryptographic operation test...\n");
-    printf("\ta. Included algorithm (D-H)...");
-    printf( dh_test() ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("\ta. Included algorithm (D-H)...", dh_test());
 
     /* Power-up self test
     */
     ERR_clear_error();
-    printf("2. Automatic power-up self test...");
-    if (!FIPS_mode_set(1))
-	{
-	do_print_errors();
-        printf(Fail("FAILED!\n"));
+    test_msg("2. Automatic power-up self test", FIPS_mode_set(1));
+    if (!FIPS_mode())
 	exit(1);
-	}
-    printf("successful\n");
     if (do_corrupt_dsa_keygen)
             FIPS_corrupt_dsa_keygen();
     if (do_corrupt_rsa_keygen)
@@ -510,76 +511,66 @@ int main(int argc,char **argv)
 
     /* AES encryption/decryption
     */
-    printf("3. AES encryption/decryption...");
-    printf( FIPS_aes_test() ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("3. AES encryption/decryption", FIPS_aes_test());
 
     /* RSA key generation and encryption/decryption
     */
-    printf("4. RSA key generation and encryption/decryption...");
-    printf( FIPS_rsa_test(bad_rsa) ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("4. RSA key generation and encryption/decryption",
+						FIPS_rsa_test(bad_rsa));
 
     /* DES-CBC encryption/decryption
     */
-    printf("5. DES-ECB encryption/decryption...");
-    printf( FIPS_des3_test() ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("5. DES-ECB encryption/decryption", FIPS_des3_test());
 
     /* DSA key generation and signature validation
     */
-    printf("6. DSA key generation and signature validation...");
-    printf( FIPS_dsa_test(bad_dsa) ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("6. DSA key generation and signature validation",
+    						FIPS_dsa_test(bad_dsa));
 
     /* SHA-1 hash
     */
-    printf("7a. SHA-1 hash...");
-    printf( FIPS_sha1_test() ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("7a. SHA-1 hash", FIPS_sha1_test());
 
     /* SHA-256 hash
     */
-    printf("7b. SHA-256 hash...");
-    printf( FIPS_sha256_test() ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("7b. SHA-256 hash", FIPS_sha256_test());
 
     /* SHA-512 hash
     */
-    printf("7c. SHA-512 hash...");
-    printf( FIPS_sha512_test() ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("7c. SHA-512 hash", FIPS_sha512_test());
 
     /* HMAC-SHA-1 hash
     */
-    printf("7d. HMAC-SHA-1 hash...");
-    printf( FIPS_hmac_sha1_test() ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("7d. HMAC-SHA-1 hash", FIPS_hmac_sha1_test());
 
     /* HMAC-SHA-224 hash
     */
-    printf("7e. HMAC-SHA-224 hash...");
-    printf( FIPS_hmac_sha224_test() ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("7e. HMAC-SHA-224 hash", FIPS_hmac_sha224_test());
 
     /* HMAC-SHA-256 hash
     */
-    printf("7f. HMAC-SHA-256 hash...");
-    printf( FIPS_hmac_sha256_test() ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("7f. HMAC-SHA-256 hash", FIPS_hmac_sha256_test());
 
     /* HMAC-SHA-384 hash
     */
-    printf("7g. HMAC-SHA-384 hash...");
-    printf( FIPS_hmac_sha384_test() ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("7g. HMAC-SHA-384 hash", FIPS_hmac_sha384_test());
 
     /* HMAC-SHA-512 hash
     */
-    printf("7h. HMAC-SHA-512 hash...");
-    printf( FIPS_hmac_sha512_test() ? "successful\n" :  Fail("FAILED!\n") );
+    test_msg("7h. HMAC-SHA-512 hash", FIPS_hmac_sha512_test());
 
     /* Non-Approved cryptographic operation
     */
     printf("8. Non-Approved cryptographic operation test...\n");
-    printf("\ta. Included algorithm (D-H)...");
-    printf( dh_test() ? "successful as expected\n"
-	    : Fail("failed INCORRECTLY!\n") );
+    printf("\ta. Included algorithm (D-H)...%s\n",
+    		dh_test() ? "successful as expected"
+	    					: Fail("failed INCORRECTLY!") );
 
     /* Zeroization
     */
-    printf("9. Zero-ization...\n");
-    printf( Zeroize() ? "\tsuccessful as expected\n"
-	    : Fail("\tfailed INCORRECTLY!\n") );
+    printf("9. Zero-ization...\n\t%s\n",
+    		Zeroize() ? "successful as expected"
+					: Fail("failed INCORRECTLY!") );
 
     printf("\nAll tests completed with %d errors\n", Error);
     return Error ? 1 : 0;

fips/fips_utl.h

@@ -47,6 +47,22 @@
  *
  */
 
+void do_print_errors(void);
+int hex2bin(const char *in, unsigned char *out);
+unsigned char *hex2bin_m(const char *in, long *plen);
+int do_hex2bn(BIGNUM **pr, const char *in);
+int do_bn_print(FILE *out, BIGNUM *bn);
+int do_bn_print_name(FILE *out, const char *name, BIGNUM *bn);
+int parse_line(char **pkw, char **pval, char *linebuf, char *olinebuf);
+BIGNUM *hex2bn(const char *in);
+int bin2hex(const unsigned char *in,int len,char *out);
+void pv(const char *tag,const unsigned char *val,int len);
+int tidy_line(char *linebuf, char *olinebuf);
+int bint2bin(const char *in, int len, unsigned char *out);
+int bin2bint(const unsigned char *in,int len,char *out);
+void PrintValue(char *tag, unsigned char *val, int len);
+void OutputValue(char *tag, unsigned char *val, int len, FILE *rfp,int bitmode);
+
 void do_print_errors(void)
 	{
 	const char *file, *data;

fips/rand/fips_rngvs.c

@@ -31,7 +31,7 @@ int main(int argc, char **argv)
 
 #include "fips_utl.h"
 
-void vst()
+static void vst()
     {
     unsigned char *key = NULL;
     unsigned char *v = NULL;
@@ -108,7 +108,7 @@ void vst()
 	}
     }
 
-void mct()
+static void mct()
     {
     unsigned char *key = NULL;
     unsigned char *v = NULL;

fips/rsa/fips_rsagtest.c

@@ -63,7 +63,6 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/err.h>
-#include <openssl/rsa.h>
 #include <openssl/bn.h>
 #include <openssl/x509v3.h>
 
@@ -77,6 +76,7 @@ int main(int argc, char *argv[])
 
 #else
 
+#include <openssl/rsa.h>
 #include "fips_utl.h"
 
 int rsa_test(FILE *out, FILE *in);

fips/rsa/fips_rsastest.c

@@ -63,7 +63,6 @@
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #include <openssl/err.h>
-#include <openssl/rsa.h>
 #include <openssl/bn.h>
 #include <openssl/x509v3.h>
 
@@ -77,6 +76,7 @@ int main(int argc, char *argv[])
 
 #else
 
+#include <openssl/rsa.h>
 #include "fips_utl.h"
 
 static int rsa_stest(FILE *out, FILE *in, int Saltlen);

fips/rsa/fips_rsavtest.c

@@ -65,7 +65,6 @@
 #include <openssl/err.h>
 #include <openssl/x509v3.h>
 #include <openssl/bn.h>
-#include <openssl/rsa.h>
 
 #ifndef OPENSSL_FIPS
 
@@ -77,6 +76,8 @@ int main(int argc, char *argv[])
 
 #else
 
+#include <openssl/rsa.h>
+
 #include "fips_utl.h"
 
 int rsa_test(FILE *out, FILE *in, int saltlen);

openssl.spec

@@ -2,7 +2,7 @@
 %define libmaj 0
 %define libmin 9
 %define librel 8
-%define librev k
+%define librev m
 Release: 1
 
 %define openssldir /var/ssl

ssl/d1_both.c

@@ -988,7 +988,7 @@ dtls1_retransmit_buffered_messages(SSL *s)
 		{
 		frag = (hm_fragment *)item->data;
 			if ( dtls1_retransmit_message(s,
-				dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs),
+				(unsigned short)dtls1_get_queue_priority(frag->msg_header.seq, frag->msg_header.is_ccs),
 				0, &found) <= 0 && found)
 			{
 			fprintf(stderr, "dtls1_retransmit_message() failed\n");

ssl/d1_clnt.c

@@ -145,7 +145,6 @@ int dtls1_connect(SSL *s)
 	{
 	BUF_MEM *buf=NULL;
 	unsigned long Time=(unsigned long)time(NULL),l;
-	long num1;
 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
 	int ret= -1;
 	int new_state,state,skip=0;;
@@ -509,16 +508,13 @@ int dtls1_connect(SSL *s)
 			break;
 
 		case SSL3_ST_CW_FLUSH:
-			/* number of bytes to be flushed */
-			num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
-			if (num1 > 0)
+			s->rwstate=SSL_WRITING;
+			if (BIO_flush(s->wbio) <= 0)
 				{
-				s->rwstate=SSL_WRITING;
-				num1=BIO_flush(s->wbio);
-				if (num1 <= 0) { ret= -1; goto end; }
-				s->rwstate=SSL_NOTHING;
+				ret= -1;
+				goto end;
 				}
-
+			s->rwstate=SSL_NOTHING;
 			s->state=s->s3->tmp.next_state;
 			break;
 

ssl/d1_srvr.c

@@ -146,7 +146,6 @@ int dtls1_accept(SSL *s)
 	BUF_MEM *buf;
 	unsigned long l,Time=(unsigned long)time(NULL);
 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
-	long num1;
 	int ret= -1;
 	int new_state,state,skip=0;
 
@@ -442,16 +441,13 @@ int dtls1_accept(SSL *s)
 			break;
 		
 		case SSL3_ST_SW_FLUSH:
-			/* number of bytes to be flushed */
-			num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
-			if (num1 > 0)
+			s->rwstate=SSL_WRITING;
+			if (BIO_flush(s->wbio) <= 0)
 				{
-				s->rwstate=SSL_WRITING;
-				num1=BIO_flush(s->wbio);
-				if (num1 <= 0) { ret= -1; goto end; }
-				s->rwstate=SSL_NOTHING;
+				ret= -1;
+				goto end;
 				}
-
+			s->rwstate=SSL_NOTHING;
 			s->state=s->s3->tmp.next_state;
 			break;
 
@@ -1307,9 +1303,10 @@ int dtls1_send_newsession_ticket(SSL *s)
 		p += hlen;
 		/* Now write out lengths: p points to end of data written */
 		/* Total length */
-		len = p - (unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]);
+		len = p - (unsigned char *)(s->init_buf->data);
+		/* Ticket length */
 		p=(unsigned char *)&(s->init_buf->data[DTLS1_HM_HEADER_LENGTH]) + 4;
-		s2n(len - 18, p);  /* Ticket length */
+		s2n(len - DTLS1_HM_HEADER_LENGTH - 6, p);
 
 		/* number of bytes to write */
 		s->init_num= len;

ssl/s23_clnt.c

@@ -235,8 +235,6 @@ static int ssl23_client_hello(SSL *s)
 			ssl2_compat = 0;
 		if (s->tlsext_status_type != -1)
 			ssl2_compat = 0;
-		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-			ssl2_compat = 0;
 		}
 #endif
 

ssl/s23_srvr.c

@@ -493,11 +493,6 @@ int ssl23_get_client_hello(SSL *s)
 		SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL);
 		goto err;
 #else
-		if (!(s->ctx->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
-			{
-			SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
-			goto err;
-			}
 		/* we are talking sslv2 */
 		/* we need to clean up the SSLv3/TLSv1 setup and put in the
 		 * sslv2 stuff. */

ssl/s3_clnt.c

@@ -167,7 +167,6 @@ int ssl3_connect(SSL *s)
 	{
 	BUF_MEM *buf=NULL;
 	unsigned long Time=(unsigned long)time(NULL),l;
-	long num1;
 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
 	int ret= -1;
 	int new_state,state,skip=0;
@@ -496,16 +495,13 @@ int ssl3_connect(SSL *s)
 			break;
 
 		case SSL3_ST_CW_FLUSH:
-			/* number of bytes to be flushed */
-			num1=BIO_ctrl(s->wbio,BIO_CTRL_INFO,0,NULL);
-			if (num1 > 0)
+			s->rwstate=SSL_WRITING;
+			if (BIO_flush(s->wbio) <= 0)
 				{
-				s->rwstate=SSL_WRITING;
-				num1=BIO_flush(s->wbio);
-				if (num1 <= 0) { ret= -1; goto end; }
-				s->rwstate=SSL_NOTHING;
+				ret= -1;
+				goto end;
 				}
-
+			s->rwstate=SSL_NOTHING;
 			s->state=s->s3->tmp.next_state;
 			break;
 

ssl/s3_srvr.c

@@ -166,7 +166,6 @@ int ssl3_accept(SSL *s)
 	BUF_MEM *buf;
 	unsigned long l,Time=(unsigned long)time(NULL);
 	void (*cb)(const SSL *ssl,int type,int val)=NULL;
-	long num1;
 	int ret= -1;
 	int new_state,state,skip=0;
 
@@ -248,6 +247,18 @@ int ssl3_accept(SSL *s)
 				s->state=SSL3_ST_SR_CLNT_HELLO_A;
 				s->ctx->stats.sess_accept++;
 				}
+			else if (!s->s3->send_connection_binding &&
+				!(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
+				{
+				/* Server attempting to renegotiate with
+				 * client that doesn't support secure
+				 * renegotiation.
+				 */
+				SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
+				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
+				ret = -1;
+				goto end;
+				}
 			else
 				{
 				/* s->state == SSL_ST_RENEGOTIATE,
@@ -435,15 +446,24 @@ int ssl3_accept(SSL *s)
 			break;
 		
 		case SSL3_ST_SW_FLUSH:
-			/* number of bytes to be flushed */
-			num1=BIO_ctrl(s->wbio,BIO_CTRL_WPENDING,0,NULL);
-			if (num1 > 0)
+
+			/* This code originally checked to see if
+			 * any data was pending using BIO_CTRL_INFO
+			 * and then flushed. This caused problems
+			 * as documented in PR#1939. The proposed
+			 * fix doesn't completely resolve this issue
+			 * as buggy implementations of BIO_CTRL_PENDING
+			 * still exist. So instead we just flush
+			 * unconditionally.
+			 */
+
+			s->rwstate=SSL_WRITING;
+			if (BIO_flush(s->wbio) <= 0)
 				{
-				s->rwstate=SSL_WRITING;
-				num1=BIO_flush(s->wbio);
-				if (num1 <= 0) { ret= -1; goto end; }
-				s->rwstate=SSL_NOTHING;
+				ret= -1;
+				goto end;
 				}
+			s->rwstate=SSL_NOTHING;
 
 			s->state=s->s3->tmp.next_state;
 			break;

ssl/ssl-lib.com

@@ -180,7 +180,7 @@ $ LIB_SSL = "s2_meth,s2_srvr,s2_clnt,s2_lib,s2_enc,s2_pkt,"+ -
 	    "ssl_lib,ssl_err2,ssl_cert,ssl_sess,"+ -
 	    "ssl_ciph,ssl_stat,ssl_rsa,"+ -
 	    "ssl_asn1,ssl_txt,ssl_algs,"+ -
-	    "bio_ssl,ssl_err,kssl"
+	    "bio_ssl,ssl_err,kssl,t1_reneg"
 $!
 $! Tell The User That We Are Compiling The Library.
 $!

ssl/ssl_asn1.c

@@ -334,7 +334,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 			((unsigned long)os.data[1]<< 8L)|
 			 (unsigned long)os.data[2];
 		}
-	else if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
+	else if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
 		{
 		if (os.length != 2)
 			{
@@ -355,7 +355,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
 	ret->cipher_id=id;
 
 	M_ASN1_D2I_get_x(ASN1_OCTET_STRING,osp,d2i_ASN1_OCTET_STRING);
-	if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
+	if ((ssl_version>>8) >= SSL3_VERSION_MAJOR)
 		i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
 	else /* if (ssl_version>>8 == SSL2_VERSION_MAJOR) */
 		i=SSL2_MAX_SSL_SESSION_ID_LENGTH;

ssl/ssl_lib.c

@@ -1601,7 +1601,7 @@ SSL_CTX *SSL_CTX_new(SSL_METHOD *meth)
 	/* Default is to connect to non-RI servers. When RI is more widely
 	 * deployed might change this.
 	 */
-	ret->options = SSL_OP_LEGACY_SERVER_CONNECT;
+	ret->options |= SSL_OP_LEGACY_SERVER_CONNECT;
 
 	return(ret);
 err:

ssl/ssl_sess.c

@@ -423,7 +423,7 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
 		p=buf;
 		l=ret->cipher_id;
 		l2n(l,p);
-		if ((ret->ssl_version>>8) == SSL3_VERSION_MAJOR)
+		if ((ret->ssl_version>>8) >= SSL3_VERSION_MAJOR)
 			ret->cipher=ssl_get_cipher_by_char(s,&(buf[2]));
 		else 
 			ret->cipher=ssl_get_cipher_by_char(s,&(buf[1]));

ssl/t1_lib.c

@@ -705,8 +705,8 @@ int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 	 * which doesn't support RI so for the immediate future tolerate RI
 	 * absence on initial connect only.
 	 */
-	if (!renegotiate_seen && 
-		(s->new_session || !(s->options & SSL_OP_LEGACY_SERVER_CONNECT))
+	if (!renegotiate_seen
+		&& !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)
 		&& !(s->options & SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
 		{
 		*al = SSL_AD_HANDSHAKE_FAILURE;

test/tests.com

@@ -12,6 +12,9 @@ $	if __arch .eqs. "" then __arch := UNK
 $	texe_dir := sys$disk:[-.'__arch'.exe.test]
 $	exe_dir := sys$disk:[-.'__arch'.exe.apps]
 $
+$	sslroot = f$parse("sys$disk:[-.apps];",,,,"syntax_only") - "].;"+ ".]"
+$	define /translation_attributes = concealed sslroot 'sslroot'
+$
 $	set default '__here'
 $
 $	on control_y then goto exit
@@ -270,4 +273,5 @@ $
 $
 $ exit:
 $	set default '__save_default'
+$	deassign sslroot
 $	exit

util/mkerr.pl

@@ -313,7 +313,7 @@ foreach $lib (keys %csrc)
 	} else {
 	    push @out,
 "/* ====================================================================\n",
-" * Copyright (c) 2001-2008 The OpenSSL Project.  All rights reserved.\n",
+" * Copyright (c) 2001-2010 The OpenSSL Project.  All rights reserved.\n",
 " *\n",
 " * Redistribution and use in source and binary forms, with or without\n",
 " * modification, are permitted provided that the following conditions\n",
@@ -487,7 +487,7 @@ EOF
 	print OUT <<"EOF";
 /* $cfile */
 /* ====================================================================
- * Copyright (c) 1999-2008 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions

util/pl/VC-32.pl

@@ -149,6 +149,18 @@ if ($no_sock)		{ $ex_libs=''; }
 elsif ($FLAVOR =~ /CE/)	{ $ex_libs='winsock.lib'; }
 else			{ $ex_libs='wsock32.lib'; }
 
+my $oflow;
+
+
+if ($FLAVOR =~ /WIN64/ and `cl 2>&1` =~ /14\.00\.4[0-9]{4}\./)
+	{
+	$oflow=' bufferoverflowu.lib';
+	}
+else
+	{
+	$oflow="";
+	}
+
 if ($FLAVOR =~ /CE/)
 	{
 	$ex_libs.=' $(WCECOMPAT)/lib/wcecompatex.lib';
@@ -157,7 +169,7 @@ if ($FLAVOR =~ /CE/)
 else
 	{
 	$ex_libs.=' gdi32.lib crypt32.lib advapi32.lib user32.lib';
-	$ex_libs.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/ and `cl 2>&1` =~ /14\.00\.4[0-9]{4}\./);
+	$ex_libs.= $oflow;
 
 	}
 
@@ -343,7 +355,7 @@ sub do_lib_rule
 
 		if ($name eq "")
 			{
-			$ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
+			$ex.= $oflow;
 			if ($target =~ /capi/)
 				{
 				$ex.=' crypt32.lib advapi32.lib';
@@ -358,7 +370,7 @@ sub do_lib_rule
 			$ex.=' unicows.lib' if ($FLAVOR =~ /NT/);
 			$ex.=' wsock32.lib gdi32.lib advapi32.lib user32.lib';
 			$ex.=' crypt32.lib';
-			$ex.=' bufferoverflowu.lib' if ($FLAVOR =~ /WIN64/);
+			$ex.= $oflow;
 			}
 		$ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/;