diff -urN vdt-1.1.13-1/gsi/openssl_gpt/CHANGES vdt-1.1.14-1/gsi/openssl_gpt/CHANGES
--- vdt-1.1.13-1/gsi/openssl_gpt/CHANGES Mon Feb 9 23:15:32 2004
+++ vdt-1.1.14-1/gsi/openssl_gpt/CHANGES Thu Mar 18 21:14:55 2004
@@ -2,6 +2,12 @@
 OpenSSL CHANGES
 _______________
+ Changes between 0.9.6l and 0.9.6m [17 Mar 2004]
+
+ *) Fix null-pointer assignment in do_change_cipher_spec() revealed
+ by using the Codenomicon TLS Test Tool (CAN-2004-0079)
+ [Joe Orton, Steve Henson]
+
 Changes between 0.9.6k and 0.9.6l [04 Nov 2003]
 *) Fix additional bug revealed by the NISCC test suite:
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/LICENSE vdt-1.1.14-1/gsi/openssl_gpt/LICENSE
--- vdt-1.1.13-1/gsi/openssl_gpt/LICENSE Fri Apr 11 00:04:00 2003
+++ vdt-1.1.14-1/gsi/openssl_gpt/LICENSE Thu Mar 18 21:14:55 2004
@@ -12,7 +12,7 @@
 ---------------
 /* ====================================================================
- * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/NEWS vdt-1.1.14-1/gsi/openssl_gpt/NEWS
--- vdt-1.1.13-1/gsi/openssl_gpt/NEWS Mon Feb 9 23:15:32 2004
+++ vdt-1.1.14-1/gsi/openssl_gpt/NEWS Thu Mar 18 21:14:55 2004
@@ -5,6 +5,10 @@
 This file gives a brief overview of the major changes between each
 OpenSSL release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 0.9.6l and OpenSSL 0.9.6m:
+
+ o Security: fix null-pointer bug leading to crash
+
 Major changes between OpenSSL 0.9.6k and OpenSSL 0.9.6l:
 o Security: fix ASN1 bug leading to large recursion
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/README vdt-1.1.14-1/gsi/openssl_gpt/README
--- vdt-1.1.13-1/gsi/openssl_gpt/README Mon Feb 9 23:15:32 2004
+++ vdt-1.1.14-1/gsi/openssl_gpt/README Thu Mar 18 21:14:55 2004
@@ -1,7 +1,7 @@
- OpenSSL 0.9.6l 04 Nov 2003
+ OpenSSL 0.9.6m 17 Mar 2004
- Copyright (c) 1998-2003 The OpenSSL Project
+ Copyright (c) 1998-2004 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 All rights reserved.
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/apps/apps.h vdt-1.1.14-1/gsi/openssl_gpt/apps/apps.h
--- vdt-1.1.13-1/gsi/openssl_gpt/apps/apps.h Fri Feb 21 21:45:20 2003
+++ vdt-1.1.14-1/gsi/openssl_gpt/apps/apps.h Thu Mar 18 21:14:56 2004
@@ -59,7 +59,11 @@
 #ifndef HEADER_APPS_H
 #define HEADER_APPS_H
-#include "openssl/e_os.h"
+#ifdef FLAT_INC
+#include "e_os.h"
+#else
+#include "../e_os.h"
+#endif
 #include
 #include
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/apps/asn1pars.c vdt-1.1.14-1/gsi/openssl_gpt/apps/asn1pars.c
--- vdt-1.1.13-1/gsi/openssl_gpt/apps/asn1pars.c Fri Feb 21 21:45:21 2003
+++ vdt-1.1.14-1/gsi/openssl_gpt/apps/asn1pars.c Thu Mar 18 21:14:56 2004
@@ -301,7 +301,15 @@
 num=tmplen;
 }
- if (length == 0) length=(unsigned int)num;
+ if (offset >= num)
+ {
+ BIO_printf(bio_err, "Error: offset too large\n");
+ goto end;
+ }
+
+ num -= offset;
+
+ if ((length == 0) || ((long)length > num)) length=(unsigned int)num;
 if(derout) {
 if(BIO_write(derout, str + offset, length) != (int)length) {
 BIO_printf(bio_err, "Error writing output\n");
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/certs/vsign3.pem vdt-1.1.14-1/gsi/openssl_gpt/certs/vsign3.pem
--- vdt-1.1.13-1/gsi/openssl_gpt/certs/vsign3.pem Fri Mar 1 16:19:31 2002
+++ vdt-1.1.14-1/gsi/openssl_gpt/certs/vsign3.pem Thu Mar 18 21:14:58 2004
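Review bot: The new `if (offset >= num)` guard in the asn1pars.c hunk only rejects an offset that runs past the end of the data; if `offset` is signed and can be negative (it presumably comes from the -offset option parsed above this hunk, outside the view), the check passes, `num -= offset` grows `num`, and `str + offset` on the BIO_write line points before the buffer. Extend the guard to `if (offset < 0 || offset >= num)` so both directions are rejected with the same error. The enclosing function starts and ends outside the hunk.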
@@ -1,18 +1,17 @@
 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 notBefore=Jan 29 00:00:00 1996 GMT
-notAfter=Jan 7 23:59:59 2004 GMT
+notAfter=Aug 1 23:59:59 2028 GMT
 -----BEGIN CERTIFICATE-----
-MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
-BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
-c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
-NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
-VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp
-bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
-jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo
-RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4
-rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN
-BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp
-STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH
-ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ
-pA==
+MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
+cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
+MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
+BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
+YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
+BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
+I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
+CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
+lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
+AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
 -----END CERTIFICATE-----
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/crypto/asn1/a_strex.c vdt-1.1.14-1/gsi/openssl_gpt/crypto/asn1/a_strex.c
--- vdt-1.1.13-1/gsi/openssl_gpt/crypto/asn1/a_strex.c Mon Feb 9 23:15:33 2004
+++ vdt-1.1.14-1/gsi/openssl_gpt/crypto/asn1/a_strex.c Thu Mar 18 21:14:59 2004
@@ -78,7 +78,8 @@
 * and a FILE pointer.
 */
-int send_mem_chars(void *arg, const void *buf, int len)
+#if 0 /* Not used */
+static int send_mem_chars(void *arg, const void *buf, int len)
 {
 unsigned char **out = arg;
 if(!out) return 1;
@@ -86,15 +87,16 @@
 *out += len;
 return 1;
 }
+#endif
-int send_bio_chars(void *arg, const void *buf, int len)
+static int send_bio_chars(void *arg, const void *buf, int len)
 {
 if(!arg) return 1;
 if(BIO_write(arg, buf, len) != len) return 0;
 return 1;
 }
-int send_fp_chars(void *arg, const void *buf, int len)
+static int send_fp_chars(void *arg, const void *buf, int len)
 {
 if(!arg) return 1;
 if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0;
@@ -240,7 +242,8 @@
 * #01234 format.
 */
-int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
+static int do_dump(unsigned long lflags, char_io *io_ch, void *arg,
+ ASN1_STRING *str)
 {
 /* Placing the ASN1_STRING in a temp ASN1_TYPE allows
 * the DER encoding to readily obtained
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/crypto/bf/bftest.c vdt-1.1.14-1/gsi/openssl_gpt/crypto/bf/bftest.c
--- vdt-1.1.13-1/gsi/openssl_gpt/crypto/bf/bftest.c Fri Feb 21 21:47:41 2003
+++ vdt-1.1.14-1/gsi/openssl_gpt/crypto/bf/bftest.c Thu Mar 18 21:15:00 2004
@@ -63,7 +63,11 @@
 #include
 #include
+#ifdef FLAT_INC
+#include "e_os.h"
+#else
 #include "../e_os.h"
+#endif
 #ifdef NO_BF
 int main(int argc, char *argv[])
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/crypto/bio/b_print.c vdt-1.1.14-1/gsi/openssl_gpt/crypto/bio/b_print.c
--- vdt-1.1.13-1/gsi/openssl_gpt/crypto/bio/b_print.c Mon Feb 9 23:15:33 2004
+++ vdt-1.1.14-1/gsi/openssl_gpt/crypto/bio/b_print.c Thu Mar 18 21:15:00 2004
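Review bot: Wrapping send_mem_chars() in `#if 0 /* Not used */` in the first a_strex.c hunk leaves dead code in the file while the sibling hunks make the live helpers `static`; an unused static function should be deleted (history keeps it) rather than fenced, since fenced code silently rots and is never compiled. If it is being kept for a planned caller, the comment should say so, e.g. `/* Not used: kept for a planned in-memory char_io; remove if unused by next release */`.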
@@ -565,12 +565,12 @@
 }
 static LDOUBLE
-pow10(int exp)
+pow10(int in_exp)
 {
 LDOUBLE result = 1;
- while (exp) {
+ while (in_exp) {
 result *= 10;
- exp--;
+ in_exp--;
 }
 return result;
 }
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/crypto/cryptlib.h vdt-1.1.14-1/gsi/openssl_gpt/crypto/cryptlib.h
--- vdt-1.1.13-1/gsi/openssl_gpt/crypto/cryptlib.h Fri Aug 9 16:01:34 2002
+++ vdt-1.1.14-1/gsi/openssl_gpt/crypto/cryptlib.h Thu Mar 18 21:14:59 2004
@@ -62,7 +62,11 @@
 #include
 #include
-#include "openssl/e_os.h"
+#ifdef FLAT_INC
+#include "e_os.h"
+#else
+#include "../e_os.h"
+#endif
 #include
 #include
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/crypto/evp/e_rc4.c vdt-1.1.14-1/gsi/openssl_gpt/crypto/evp/e_rc4.c
--- vdt-1.1.13-1/gsi/openssl_gpt/crypto/evp/e_rc4.c Fri Mar 1 16:23:23 2002
+++ vdt-1.1.14-1/gsi/openssl_gpt/crypto/evp/e_rc4.c Thu Mar 18 21:15:05 2004
@@ -110,9 +110,8 @@
 static int rc4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 const unsigned char *iv, int enc)
 {
- memcpy(&(ctx->c.rc4.key[0]),key,EVP_CIPHER_CTX_key_length(ctx));
 RC4_set_key(&(ctx->c.rc4.ks),EVP_CIPHER_CTX_key_length(ctx),
- ctx->c.rc4.key);
+ key);
 return 1;
 }
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/crypto/mem.c vdt-1.1.14-1/gsi/openssl_gpt/crypto/mem.c
--- vdt-1.1.13-1/gsi/openssl_gpt/crypto/mem.c Fri Feb 21 21:46:35 2003
+++ vdt-1.1.14-1/gsi/openssl_gpt/crypto/mem.c Thu Mar 18 21:14:59 2004
@@ -175,7 +175,7 @@
 void *ret = NULL;
 extern unsigned char cleanse_ctr;
- if (num < 0) return NULL;
+ if (num <= 0) return NULL;
 allow_customize = 0;
 if (malloc_debug_func != NULL)
@@ -216,7 +216,7 @@
 void *ret = NULL;
 extern unsigned char cleanse_ctr;
- if (num < 0) return NULL;
+ if (num <= 0) return NULL;
 allow_customize = 0;
 if (malloc_debug_func != NULL)
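Review bot: With the memcpy line removed from rc4_init_key(), `ctx->c.rc4.key` is no longer written here, so any remaining reader of that member (none is visible in this diff) would now see stale or uninitialised bytes; if nothing reads it, remove the member from the context so the raw RC4 key is not retained alongside the key schedule at all. The new contract, that `key` is consumed by RC4_set_key() during init and not kept in `ctx`, is worth one comment above the call, e.g. `/* key is consumed by RC4_set_key(); the raw key is not retained in ctx */`.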
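Review bot: Changing `num < 0` to `num <= 0` in the two CRYPTO_malloc-style hunks here (at -175 and -216) and in the CRYPTO_realloc hunk at -247 on the next line makes a zero-byte request return NULL, which callers that test the result and raise ERR_R_MALLOC_FAILURE cannot tell apart from an allocation failure; the CHANGES entry in this diff does not mention the behaviour change. In the realloc hunk `str` is non-NULL when `num <= 0` returns NULL, so the caller's block is neither freed nor handed back, and a caller that follows C realloc() semantics and discards `str` leaks it. Whatever the intended policy is, state it on each function, e.g. `/* num <= 0 is rejected and returns NULL; zero-length allocations are not supported */`, and for CRYPTO_realloc say explicitly that `str` is left untouched in that case.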
@@ -247,7 +247,7 @@
 if (str == NULL)
 return CRYPTO_malloc(num, file, line);
- if (num < 0) return NULL;
+ if (num <= 0) return NULL;
 if (realloc_debug_func != NULL)
 realloc_debug_func(str, NULL, num, file, line, 0);
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/crypto/opensslconf.h vdt-1.1.14-1/gsi/openssl_gpt/crypto/opensslconf.h
--- vdt-1.1.13-1/gsi/openssl_gpt/crypto/opensslconf.h Mon Feb 9 23:15:33 2004
+++ vdt-1.1.14-1/gsi/openssl_gpt/crypto/opensslconf.h Thu Mar 18 22:21:09 2004
@@ -8,7 +8,7 @@
 #ifdef HEADER_CRYPTLIB_H
 # ifndef OPENSSLDIR
-# define OPENSSLDIR "/sandbox/globus/globus"
+# define OPENSSLDIR "/home/meder/globus-2.4"
 # endif
 #endif
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/crypto/opensslv.h vdt-1.1.14-1/gsi/openssl_gpt/crypto/opensslv.h
--- vdt-1.1.13-1/gsi/openssl_gpt/crypto/opensslv.h Mon Feb 9 23:15:33 2004
+++ vdt-1.1.14-1/gsi/openssl_gpt/crypto/opensslv.h Thu Mar 18 21:14:59 2004
@@ -25,8 +25,8 @@
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 * major minor fix final patch/beta)
 */
-#define OPENSSL_VERSION_NUMBER 0x009060cfL
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6l 04 Nov 2003"
+#define OPENSSL_VERSION_NUMBER 0x009060dfL
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6m 17 Mar 2004"
 #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/crypto/pem/pem_lib.c vdt-1.1.14-1/gsi/openssl_gpt/crypto/pem/pem_lib.c
--- vdt-1.1.13-1/gsi/openssl_gpt/crypto/pem/pem_lib.c Fri Feb 21 21:51:19 2003
+++ vdt-1.1.14-1/gsi/openssl_gpt/crypto/pem/pem_lib.c Thu Mar 18 21:15:07 2004
@@ -567,7 +567,7 @@
 long len)
 {
 int nlen,n,i,j,outl;
- unsigned char *buf;
+ unsigned char *buf = NULL;
 EVP_ENCODE_CTX ctx;
 int reason=ERR_R_BUF_LIB;
@@ -587,7 +587,7 @@
 goto err;
 }
- buf=(unsigned char *)OPENSSL_malloc(PEM_BUFSIZE*8);
+ buf = OPENSSL_malloc(PEM_BUFSIZE*8);
 if (buf == NULL)
 {
 reason=ERR_R_MALLOC_FAILURE;
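Review bot: The new `OPENSSLDIR` default `"/home/meder/globus-2.4"` in opensslconf.h is a developer's home directory compiled into a distributed header; every build that does not override OPENSSLDIR will look for its default configuration file and certificate directory there, which will not exist on installation hosts (the previous `/sandbox/globus/globus` had the same problem). This looks like a local build artefact that was committed by mistake: the value should be filled in at configure time from the install prefix, not hand-edited into the header.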
@@ -608,12 +608,15 @@
 EVP_EncodeFinal(&ctx,buf,&outl);
 if ((outl > 0) && (BIO_write(bp,(char *)buf,outl) != outl)) goto err;
 OPENSSL_free(buf);
+ buf = NULL;
 if ( (BIO_write(bp,"-----END ",9) != 9) ||
 (BIO_write(bp,name,nlen) != nlen) ||
 (BIO_write(bp,"-----\n",6) != 6))
 goto err;
 return(i+outl);
 err:
+ if (buf)
+ OPENSSL_free(buf);
 PEMerr(PEM_F_PEM_WRITE_BIO,reason);
 return(0);
 }
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/crypto/x509/by_dir.c vdt-1.1.14-1/gsi/openssl_gpt/crypto/x509/by_dir.c
--- vdt-1.1.13-1/gsi/openssl_gpt/crypto/x509/by_dir.c Fri Mar 1 16:25:49 2002
+++ vdt-1.1.14-1/gsi/openssl_gpt/crypto/x509/by_dir.c Thu Mar 18 21:15:10 2004
@@ -302,8 +302,36 @@
 k=0;
 for (;;)
 {
- sprintf(b->data,"%s/%08lx.%s%d",ctx->dirs[i],h,
- postfix,k);
+ char c = '/';
+#ifdef VMS
+ c = ctx->dirs[i][strlen(ctx->dirs[i])-1];
+ if (c != ':' && c != '>' && c != ']')
+ {
+ /* If no separator is present, we assume the
+ directory specifier is a logical name, and
+ add a colon. We really should use better
+ VMS routines for merging things like this,
+ but this will do for now...
+ -- Richard Levitte */
+ c = ':';
+ }
+ else
+ {
+ c = '\0';
+ }
+#endif
+ if (c == '\0')
+ {
+ /* This is special. When c == '\0', no
+ directory separator should be added. */
+ sprintf(b->data,"%s%08lx.%s%d",ctx->dirs[i],h,
+ postfix,k);
+ }
+ else
+ {
+ sprintf(b->data,"%s%c%08lx.%s%d",
+ ctx->dirs[i],c,h,postfix,k);
+ }
 k++;
 if (stat(b->data,&st) < 0)
 break;
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/crypto/x509/x509type.c vdt-1.1.14-1/gsi/openssl_gpt/crypto/x509/x509type.c
--- vdt-1.1.13-1/gsi/openssl_gpt/crypto/x509/x509type.c Mon Feb 9 23:15:33 2004
+++ vdt-1.1.14-1/gsi/openssl_gpt/crypto/x509/x509type.c Thu Mar 18 21:15:10 2004
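Review bot: In the pem_lib.c hunk at -608, `buf` holds the base64 encoding of the object being written, which for a private key is secret material, yet both the success path (`OPENSSL_free(buf); buf = NULL;`) and the new `err:` path release it without wiping it, leaving the encoded plaintext in freed heap memory. mem.c in this same diff references `cleanse_ctr`, so OPENSSL_cleanse appears to be available here; add `OPENSSL_cleanse(buf, PEM_BUFSIZE*8);` immediately before each `OPENSSL_free(buf)`. The function starts in the earlier hunks at -567 and -587 and its error code is PEM_F_PEM_WRITE_BIO; the `buf = NULL` after the first free is what makes the err-path guard correct, so keep the two together.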
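Review bot: In the new VMS branch of the by_dir.c hunk, `c = ctx->dirs[i][strlen(ctx->dirs[i])-1];` indexes position -1 when a directory entry is the empty string, and the rest of the lookup then builds file names from that entry. Guard the length first, e.g. `size_t dl = strlen(ctx->dirs[i]); c = dl ? ctx->dirs[i][dl-1] : '\0';` (an empty entry then takes the existing no-separator branch), or skip empty entries before the loop. Both sprintf() calls are unbounded and rely on `b->data` having been sized above the hunk, which is not visible here; the new `%c` contributes the same single byte the old literal `/` did, so the bound is unchanged, but a comment such as `/* b->data was grown above to hold dir + separator + fixed-size name */` would record that dependency. The enclosing function starts and ends outside the hunk.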
@@ -106,7 +106,7 @@
 break;
 }
- if (EVP_PKEY_size(pk) <= 512/8) /* /8 because it's 512 bits we look
+ if (EVP_PKEY_size(pk) <= 1024/8)/* /8 because it's 1024 bits we look
 for, not bytes */
 ret|=EVP_PKT_EXP;
 if(pkey==NULL) EVP_PKEY_free(pk);
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/dirt.sh vdt-1.1.14-1/gsi/openssl_gpt/dirt.sh
--- vdt-1.1.13-1/gsi/openssl_gpt/dirt.sh Mon Feb 9 23:15:33 2004
+++ vdt-1.1.14-1/gsi/openssl_gpt/dirt.sh Thu Mar 18 21:20:55 2004
@@ -1,2 +1,2 @@
-DIRT_TIMESTAMP=1071622597
+DIRT_TIMESTAMP=1079641380
 DIRT_BRANCH_ID=42
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/pkgdata/pkg_data_src.gpt.in vdt-1.1.14-1/gsi/openssl_gpt/pkgdata/pkg_data_src.gpt.in
--- vdt-1.1.13-1/gsi/openssl_gpt/pkgdata/pkg_data_src.gpt.in Mon Feb 9 23:15:33 2004
+++ vdt-1.1.14-1/gsi/openssl_gpt/pkgdata/pkg_data_src.gpt.in Thu Mar 18 21:20:48 2004
@@ -3,14 +3,14 @@
 - + Openssl Library Openssl - 0.9.6l + 0.9.6m
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/ssl/s3_clnt.c vdt-1.1.14-1/gsi/openssl_gpt/ssl/s3_clnt.c
--- vdt-1.1.13-1/gsi/openssl_gpt/ssl/s3_clnt.c Mon Feb 9 23:15:33 2004
+++ vdt-1.1.14-1/gsi/openssl_gpt/ssl/s3_clnt.c Thu Mar 18 21:15:16 2004
@@ -1786,7 +1786,7 @@
 if (algs & SSL_kRSA)
 {
 if (rsa == NULL
- || RSA_size(rsa) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
+ || RSA_size(rsa)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
 {
 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_RSA_KEY);
 goto f_err;
@@ -1798,7 +1798,7 @@
 if (algs & (SSL_kEDH|SSL_kDHr|SSL_kDHd))
 {
 if (dh == NULL
- || DH_size(dh) > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
+ || DH_size(dh)*8 > SSL_C_EXPORT_PKEYLENGTH(s->s3->tmp.new_cipher))
 {
 SSLerr(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM,SSL_R_MISSING_EXPORT_TMP_DH_KEY);
 goto f_err;
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/ssl/s3_enc.c vdt-1.1.14-1/gsi/openssl_gpt/ssl/s3_enc.c
--- vdt-1.1.13-1/gsi/openssl_gpt/ssl/s3_enc.c Fri Feb 21 21:55:55 2003
+++ vdt-1.1.14-1/gsi/openssl_gpt/ssl/s3_enc.c Thu Mar 18 21:15:16 2004
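Review bot: Raising the x509type.c threshold from `512/8` to `1024/8` is a behaviour change (keys of 513 to 1024 bits now get EVP_PKT_EXP) and the surviving comment explains only the unit, not why 1024 is the boundary; it presumably lines up with the export key-length checks in the s3_clnt.c hunks below, and the comment should say so, e.g. `/* EVP_PKEY_size() is bytes; anything up to 1024 bits counts as export-grade, matching the SSL_C_EXPORT_PKEYLENGTH checks */`. The new line also lost the space between `1024/8)` and `/*`, which the old line had.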
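Review bot: `RSA_size(rsa)*8` and `DH_size(dh)*8` in the s3_clnt.c hunks at -1786 and -1798 now compare bit lengths, but nothing at either comparison says so: RSA_size() and DH_size() return bytes, and the `*8` is the only hint that SSL_C_EXPORT_PKEYLENGTH() is in bits. Put a one-line comment above each, `/* RSA_size()/DH_size() return bytes; SSL_C_EXPORT_PKEYLENGTH() is in bits */`, or wrap the conversion in one shared macro so the unit fix is written once rather than in two places that can drift apart. The enclosing function continues outside both hunks.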
@@ -188,9 +188,9 @@
 COMP_METHOD *comp;
 const EVP_MD *m;
 MD5_CTX md;
- int exp,n,i,j,k,cl;
+ int is_exp,n,i,j,k,cl;
- exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
+ is_exp=SSL_C_IS_EXPORT(s->s3->tmp.new_cipher);
 c=s->s3->tmp.new_sym_enc;
 m=s->s3->tmp.new_hash;
 if (s->s3->tmp.new_compression == NULL)
@@ -262,9 +262,9 @@
 p=s->s3->tmp.key_block;
 i=EVP_MD_size(m);
 cl=EVP_CIPHER_key_length(c);
- j=exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
- cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
- /* Was j=(exp)?5:EVP_CIPHER_key_length(c); */
+ j=is_exp ? (cl < SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher) ?
+ cl : SSL_C_EXPORT_KEYLENGTH(s->s3->tmp.new_cipher)) : cl;
+ /* Was j=(is_exp)?5:EVP_CIPHER_key_length(c); */
 k=EVP_CIPHER_iv_length(c);
 if ( (which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) ||
 (which == SSL3_CHANGE_CIPHER_SERVER_READ))
@@ -292,7 +292,7 @@
 }
 memcpy(mac_secret,ms,i);
- if (exp)
+ if (is_exp)
 {
 /* In here I set both the read and write key/iv to the
 * same value since only the correct one will be used :-).
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/ssl/s3_pkt.c vdt-1.1.14-1/gsi/openssl_gpt/ssl/s3_pkt.c
--- vdt-1.1.13-1/gsi/openssl_gpt/ssl/s3_pkt.c Fri Feb 21 21:56:01 2003
+++ vdt-1.1.14-1/gsi/openssl_gpt/ssl/s3_pkt.c Thu Mar 18 21:15:16 2004
@@ -1079,6 +1079,14 @@
 goto err;
 }
+ /* Check we have a cipher to change to */
+ if (s->s3->tmp.new_cipher == NULL)
+ {
+ i=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
+ goto err;
+ }
+
 rr->length=0;
 s->s3->change_cipher_spec=1;
 if (!do_change_cipher_spec(s))
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/ssl/ssl.h vdt-1.1.14-1/gsi/openssl_gpt/ssl/ssl.h
--- vdt-1.1.13-1/gsi/openssl_gpt/ssl/ssl.h Fri Feb 21 21:56:18 2003
+++ vdt-1.1.14-1/gsi/openssl_gpt/ssl/ssl.h Thu Mar 18 21:15:16 2004
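Review bot: The new `s->s3->tmp.new_cipher == NULL` check in the s3_pkt.c hunk (the CAN-2004-0079 fix named in CHANGES) reports the failure under SSL_F_SSL3_GET_CERT_VERIFY, which is not the function this hunk lives in, so the error stack will point at the wrong place when a premature ChangeCipherSpec is rejected; the enclosing function starts and ends outside the hunk. Use the SSL_F_ code of the enclosing function if one exists, and if none does, say so next to the call, e.g. `/* no SSL_F_ code for this function yet; SSL_F_SSL3_GET_CERT_VERIFY is borrowed */`. The `i=SSL_AD_UNEXPECTED_MESSAGE; goto err;` pair mirrors the `goto err;` just above the hunk, which I take to send `i` as an alert; that is worth confirming, since a silent close would leave the peer with no reason for the abort.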
@@ -1175,8 +1175,8 @@
 char *SSL_alert_desc_string_long(int value);
 char *SSL_alert_desc_string(int value);
-void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *list);
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *list);
+void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
 STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
 STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s);
 int SSL_add_client_CA(SSL *ssl,X509 *x);
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/ssl/ssl_cert.c vdt-1.1.14-1/gsi/openssl_gpt/ssl/ssl_cert.c
--- vdt-1.1.13-1/gsi/openssl_gpt/ssl/ssl_cert.c Fri Jun 14 00:52:08 2002
+++ vdt-1.1.14-1/gsi/openssl_gpt/ssl/ssl_cert.c Thu Mar 18 21:15:16 2004
@@ -483,12 +483,12 @@
 return(i);
 }
-static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *list)
+static void set_client_CA_list(STACK_OF(X509_NAME) **ca_list,STACK_OF(X509_NAME) *name_list)
 {
 if (*ca_list != NULL)
 sk_X509_NAME_pop_free(*ca_list,X509_NAME_free);
- *ca_list=list;
+ *ca_list=name_list;
 }
 STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk)
@@ -510,14 +510,14 @@
 return(ret);
 }
-void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *list)
+void SSL_set_client_CA_list(SSL *s,STACK_OF(X509_NAME) *name_list)
 {
- set_client_CA_list(&(s->client_CA),list);
+ set_client_CA_list(&(s->client_CA),name_list);
 }
-void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *list)
+void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
 {
- set_client_CA_list(&(ctx->client_CA),list);
+ set_client_CA_list(&(ctx->client_CA),name_list);
 }
 STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx)
diff -urN vdt-1.1.13-1/gsi/openssl_gpt/ssl/ssl_ciph.c vdt-1.1.14-1/gsi/openssl_gpt/ssl/ssl_ciph.c
--- vdt-1.1.13-1/gsi/openssl_gpt/ssl/ssl_ciph.c Mon Feb 9 23:15:33 2004
+++ vdt-1.1.14-1/gsi/openssl_gpt/ssl/ssl_ciph.c Thu Mar 18 21:15:16 2004
@@ -310,10 +310,10 @@
 }
 static void ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method,
- int num_of_ciphers, unsigned long mask, CIPHER_ORDER *list,
+ int num_of_ciphers, unsigned long mask, CIPHER_ORDER *co_list,
 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 {
- int i, list_num;
+ int i, co_list_num;
 SSL_CIPHER *c;
 /*
@@ -324,18 +324,18 @@
 */
 /* Get the initial list of ciphers */
- list_num = 0; /* actual count of ciphers */
+ co_list_num = 0; /* actual count of ciphers */
 for (i = 0; i < num_of_ciphers; i++)
 {
 c = ssl_method->get_cipher(i);
 /* drop those that use any of that is not available */
 if ((c != NULL) && c->valid && !(c->algorithms & mask))
 {
- list[list_num].cipher = c;
- list[list_num].next = NULL;
- list[list_num].prev = NULL;
- list[list_num].active = 0;
- list_num++;
+ co_list[co_list_num].cipher = c;
+ co_list[co_list_num].next = NULL;
+ co_list[co_list_num].prev = NULL;
+ co_list[co_list_num].active = 0;
+ co_list_num++;
 /* if (!sk_push(ca_list,(char *)c)) goto err; */
@@ -345,18 +345,18 @@
 /*
 * Prepare linked list from list entries
 */
- for (i = 1; i < list_num - 1; i++)
+ for (i = 1; i < co_list_num - 1; i++)
 {
- list[i].prev = &(list[i-1]);
- list[i].next = &(list[i+1]);
+ co_list[i].prev = &(co_list[i-1]);
+ co_list[i].next = &(co_list[i+1]);
 }
- if (list_num > 0)
+ if (co_list_num > 0)
 {
- (*head_p) = &(list[0]);
+ (*head_p) = &(co_list[0]);
 (*head_p)->prev = NULL;
- (*head_p)->next = &(list[1]);
- (*tail_p) = &(list[list_num - 1]);
- (*tail_p)->prev = &(list[list_num - 2]);
+ (*head_p)->next = &(co_list[1]);
+ (*tail_p) = &(co_list[co_list_num - 1]);
+ (*tail_p)->prev = &(co_list[co_list_num - 2]);
 (*tail_p)->next = NULL;
 }
 }
@@ -402,7 +402,7 @@
 static void ssl_cipher_apply_rule(unsigned long algorithms, unsigned long mask,
 unsigned long algo_strength, unsigned long mask_strength,
- int rule, int strength_bits, CIPHER_ORDER *list,
+ int rule, int strength_bits, CIPHER_ORDER *co_list,
 CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p)
 {
 CIPHER_ORDER *head, *tail, *curr, *curr2, *tail2;
@@ -497,8 +497,9 @@
 *tail_p = tail;
 }
-static int ssl_cipher_strength_sort(CIPHER_ORDER *list, CIPHER_ORDER **head_p,
- CIPHER_ORDER **tail_p)
+static int ssl_cipher_strength_sort(CIPHER_ORDER *co_list,
+ CIPHER_ORDER **head_p,
+ CIPHER_ORDER **tail_p)
 {
 int max_strength_bits, i, *number_uses;
 CIPHER_ORDER *curr;
@@ -543,14 +544,14 @@
 for (i = max_strength_bits; i >= 0; i--)
 if (number_uses[i] > 0)
 ssl_cipher_apply_rule(0, 0, 0, 0, CIPHER_ORD, i,
- list, head_p, tail_p);
+ co_list, head_p, tail_p);
 OPENSSL_free(number_uses);
 return(1);
 }
 static int ssl_cipher_process_rulestr(const char *rule_str,
- CIPHER_ORDER *list, CIPHER_ORDER **head_p,
+ CIPHER_ORDER *co_list, CIPHER_ORDER **head_p,
 CIPHER_ORDER **tail_p, SSL_CIPHER **ca_list)
 {
 unsigned long algorithms, mask, algo_strength, mask_strength;
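Review bot: The rename in ssl_cipher_collect_ciphers() (hunk at -345) carries over an unhandled single-entry case: when `co_list_num == 1` the block executes `(*tail_p)->prev = &(co_list[co_list_num - 2])`, which forms `&co_list[-1]` (a pointer before the array, undefined to even compute) and, because head and tail are the same element, overwrites the `(*head_p)->prev = NULL` set two lines earlier; `(*head_p)->next = &(co_list[1])` is repaired by the later `(*tail_p)->next = NULL` only for the same reason. Whether one surviving cipher is reachable depends on the mask passed in, which is outside this hunk, so treat it as a latent defect: change the prev line to `(*tail_p)->prev = (co_list_num > 1) ? &(co_list[co_list_num - 2]) : NULL;` and leave the rest as is (it is correct for two or more entries). This predates the rename and the commit does not introduce it, but the new code still carries it.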
@@ -674,7 +675,7 @@
 ok = 0;
 if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))
- ok = ssl_cipher_strength_sort(list,
+ ok = ssl_cipher_strength_sort(co_list,
 head_p, tail_p);
 else
 SSLerr(SSL_F_SSL_CIPHER_PROCESS_RULESTR,
@@ -694,7 +695,7 @@
 {
 ssl_cipher_apply_rule(algorithms, mask, algo_strength,
 mask_strength, rule, -1,
- list, head_p, tail_p);
+ co_list, head_p, tail_p);
 }
 else
 {
@@ -716,7 +717,7 @@
 unsigned long disabled_mask;
 STACK_OF(SSL_CIPHER) *cipherstack;
 const char *rule_p;
- CIPHER_ORDER *list = NULL, *head = NULL, *tail = NULL, *curr;
+ CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
 SSL_CIPHER **ca_list = NULL;
 /*
@@ -738,15 +739,15 @@
 * it is used for allocation.
 */
 num_of_ciphers = ssl_method->num_ciphers();
- list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
- if (list == NULL)
+ co_list = (CIPHER_ORDER *)OPENSSL_malloc(sizeof(CIPHER_ORDER) * num_of_ciphers);
+ if (co_list == NULL)
 {
 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
 return(NULL); /* Failure */
 }
 ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, disabled_mask,
- list, &head, &tail);
+ co_list, &head, &tail);
 /*
 * We also need cipher aliases for selecting based on the rule_str.
@@ -762,7 +763,7 @@
 (SSL_CIPHER **)OPENSSL_malloc(sizeof(SSL_CIPHER *) * num_of_alias_max);
 if (ca_list == NULL)
 {
- OPENSSL_free(list);
+ OPENSSL_free(co_list);
 SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST,ERR_R_MALLOC_FAILURE);
 return(NULL); /* Failure */
 }
@@ -778,21 +779,21 @@
 if (strncmp(rule_str,"DEFAULT",7) == 0)
 {
 ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST,
- list, &head, &tail, ca_list);
+ co_list, &head, &tail, ca_list);
 rule_p += 7;
 if (*rule_p == ':')
 rule_p++;
 }
 if (ok && (strlen(rule_p) > 0))
- ok = ssl_cipher_process_rulestr(rule_p, list, &head, &tail,
+ ok = ssl_cipher_process_rulestr(rule_p, co_list, &head, &tail,
 ca_list);
 OPENSSL_free(ca_list); /* Not needed anymore */
 if (!ok)
 { /* Rule processing failure */
- OPENSSL_free(list);
+ OPENSSL_free(co_list);
 return(NULL);
 }
 /*
@@ -801,7 +802,7 @@
 */
 if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL)
 {
- OPENSSL_free(list);
+ OPENSSL_free(co_list);
 return(NULL);
 }
@@ -819,7 +820,7 @@
 #endif
 }
 }
- OPENSSL_free(list); /* Not needed any longer */
+ OPENSSL_free(co_list); /* Not needed any longer */
 /*
 * The following passage is a little bit odd. If pointer variables
@@ -869,7 +870,7 @@
 char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
 {
 int is_export,pkl,kl;
- char *ver,*exp;
+ char *ver,*exp_str;
 char *kx,*au,*enc,*mac;
 unsigned long alg,alg2,alg_s;
 static char *format="%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s\n";
@@ -881,7 +882,7 @@
 is_export=SSL_C_IS_EXPORT(cipher);
 pkl=SSL_C_EXPORT_PKEYLENGTH(cipher);
 kl=SSL_C_EXPORT_KEYLENGTH(cipher);
- exp=is_export?" export":"";
+ exp_str=is_export?" export":"";
 if (alg & SSL_SSLV2)
 ver="SSLv2";
@@ -982,7 +983,7 @@
 else if (len < 128)
 return("Buffer too small");
- BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp);
+ BIO_snprintf(buf,len,format,cipher->name,ver,kx,au,enc,mac,exp_str);
 return(buf);
 }