David Hartman wrote:
...
We have a copy of 0.9.8a in our source tree, and I made the changes to
our copy of 0.9.8a.  I attached the diffs.
...
Index: crypto/aes/aes_cfb.c
===================================================================
RCS file: 
/local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/aes/aes_cfb.c,v
retrieving revision 1.1.1.1
diff -u -b -r1.1.1.1 aes_cfb.c
--- crypto/aes/aes_cfb.c        30 Aug 2005 19:33:35 -0000      1.1.1.1
+++ crypto/aes/aes_cfb.c        29 Dec 2005 23:54:52 -0000
@@ -165,7 +165,7 @@
     int n,rem,num;
     unsigned char ovec[AES_BLOCK_SIZE*2];
- if (nbits<=0 || nbits>128) return;
+    if (nbits<=0 || nbits>=128) return;

why ?

...
Index: crypto/asn1/a_strex.c
===================================================================
RCS file: 
/local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/asn1/a_strex.c,v
retrieving revision 1.2
diff -u -b -r1.2 a_strex.c
--- crypto/asn1/a_strex.c       29 Dec 2005 23:28:57 -0000      1.2
+++ crypto/asn1/a_strex.c       29 Dec 2005 23:54:53 -0000
@@ -165,7 +165,7 @@
 {
        int i, outlen, len;
        unsigned char orflags, *p, *q;
-       unsigned long c;
+       unsigned long c = 0;
        p = buf;
        q = buf + buflen;
        outlen = 0;

the value 'c' should be set in the switch statement and if
'type & BUF_TYPE_WIDTH_MASK' is neither 0, 1, 2 or 4 it's an
error (and in this case 'c' would be uninitialized). I've added
a "default: return -1" and let do_print_ex() check the return
value of do_buf().

Index: crypto/asn1/t_pkey.c
===================================================================
RCS file: 
/local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/asn1/t_pkey.c,v
retrieving revision 1.2
diff -u -b -r1.2 t_pkey.c
--- crypto/asn1/t_pkey.c        29 Dec 2005 23:28:57 -0000      1.2
+++ crypto/asn1/t_pkey.c        29 Dec 2005 23:54:53 -0000
@@ -143,7 +143,7 @@
                goto err;
                }
- if (x->d != NULL)
+       if ((x->d != NULL) && (x->n != NULL))
                {
                if(!BIO_indent(bp,off,128))
                   goto err;
@@ -151,19 +151,23 @@
                        <= 0) goto err;
                }
- if (x->d == NULL)
+       if ((x->d == NULL) && (x->n != NULL))
                BIO_snprintf(str,sizeof str,"Modulus (%d 
bit):",BN_num_bits(x->n));
        else
                BUF_strlcpy(str,"modulus:",sizeof str);
        if (!print(bp,str,x->n,m,off)) goto err;
        s=(x->d == NULL)?"Exponent:":"publicExponent:";
-       if (!print(bp,s,x->e,m,off)) goto err;
-       if (!print(bp,"privateExponent:",x->d,m,off)) goto err;
-       if (!print(bp,"prime1:",x->p,m,off)) goto err;
-       if (!print(bp,"prime2:",x->q,m,off)) goto err;
-       if (!print(bp,"exponent1:",x->dmp1,m,off)) goto err;
-       if (!print(bp,"exponent2:",x->dmq1,m,off)) goto err;
-       if (!print(bp,"coefficient:",x->iqmp,m,off)) goto err;
+       if ((x->e != NULL) && !print(bp,s,x->e,m,off)) goto err;
+       if ((x->d != NULL) && !print(bp,"privateExponent:",x->d,m,off))
+               goto err;
+       if ((x->p != NULL) && !print(bp,"prime1:",x->p,m,off)) goto err;
+       if ((x->q != NULL) && !print(bp,"prime2:",x->q,m,off)) goto err;
+ if ((x->dmp1 != NULL) && !print(bp,"exponent1:",x->dmp1,m,off))
+ goto err;
+ if ((x->dmq1 != NULL) && !print(bp,"exponent2:",x->dmq1,m,off))
+ goto err;
+ if ((x->iqmp != NULL) && !print(bp,"coefficient:",x->iqmp,m,off))
+ goto err;
        ret=1;
 err:
        if (m != NULL) OPENSSL_free(m);
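Review bot: After the new `x->n != NULL` guards on the two `if` lines, a missing modulus no longer takes the guarded branches but still reaches `if (!print(bp,str,x->n,m,off)) goto err;`, labelled `modulus:` by the else branch — `x->n` is the one field that gets no guard at the point it is actually used, while only `BN_num_bits(x->n)` was protected. If `print()` (defined outside the hunk) already returns success for a NULL BIGNUM, the seven guards added below it are redundant and only the `BN_num_bits` call needed one; if it does not, `x->n` needs the same treatment, e.g. `if (x->n == NULL) goto err;` before the modulus line, since a key without a modulus cannot be printed meaningfully. Either way the handling of `x->n` should be made consistent with the other fields. The enclosing function begins outside the hunk.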

ok

@@ -223,7 +227,7 @@
                goto err;
                }
- if (x->priv_key != NULL)
+       if ((x->priv_key != NULL) && (x->p != NULL))

this shouldn't be necessary as there's already a check for
'x->p != NULL' in DSA_print()

                {
                if(!BIO_indent(bp,off,128))
                   goto err;
@@ -760,7 +764,9 @@
                BN_num_bits(x->p)) <= 0)
                goto err;
        if (!print(bp,"p:",x->p,m,4)) goto err;
+       if (x->q)
        if (!print(bp,"q:",x->q,m,4)) goto err;
+       if (x->g)
        if (!print(bp,"g:",x->g,m,4)) goto err;
        ret=1;

ok

 err:
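Review bot: The added `if (x->q)` and `if (x->g)` lines each guard a second unbraced `if ... goto err;` on the following line; it works, but stacked unbraced ifs are the shape that hides a dangling-else or a stray-statement slip, and the rest of this patch folds the guard into the condition instead. Prefer the same form here: `if (x->q && !print(bp,"q:",x->q,m,4)) goto err;` and `if (x->g && !print(bp,"g:",x->g,m,4)) goto err;`. `x->p` is still passed to `print()` unguarded and to `BN_num_bits(x->p)` just above, so if that asymmetry is deliberate (p validated earlier in the enclosing function, which starts outside the hunk) a one-line comment saying so would help the next reader.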
Index: crypto/asn1/tasn_dec.c
===================================================================
RCS file: 
/local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/asn1/tasn_dec.c,v
retrieving revision 1.1.1.1
diff -u -b -r1.1.1.1 tasn_dec.c
--- crypto/asn1/tasn_dec.c      30 Aug 2005 19:33:35 -0000      1.1.1.1
+++ crypto/asn1/tasn_dec.c      29 Dec 2005 23:54:54 -0000
@@ -283,6 +283,12 @@
                        {
                        wp = *(unsigned char **)in;
                        imphack = *wp;
+                       if (!p)
+                               {
+                               ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
+                                       ERR_R_NESTED_ASN1_ERROR);
+                               goto err;
+                               }
                        *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED)
                                                                | it->utype);
                        }
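Review bot: The NULL check added at `if (!p)` comes one line after `imphack = *wp;`, and `wp` is loaded from `*(unsigned char **)in`; if `p` was taken from `*in` as well (that assignment is outside the hunk), both pointers alias the same input and the dereference on the line above already faults before the guard runs. Move the check above `wp = *(unsigned char **)in;`, or validate the input pointer once at the top of the enclosing function (which begins outside the hunk) so every use is covered. `ERR_R_NESTED_ASN1_ERROR` also describes a nested-decode failure rather than a bad argument; `ERR_R_PASSED_NULL_PARAMETER` matches the condition being reported.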

to be honest I don't understand this code right now, will look at it
again later

@@ -924,6 +930,7 @@
                if (!*pval)
                        {
                        typ = ASN1_TYPE_new();
+                       if (!typ) goto err;
                        *pval = (ASN1_VALUE *)typ;
                        }
                else
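Review bot: `if (!typ) goto err;` bails out without recording why: no `ASN1err(..., ERR_R_MALLOC_FAILURE)` precedes the goto, so a caller sees a decode failure with an empty error queue, unlike the error path this patch adds in the first hunk. Push the error before the `goto`. The `err:` label and the `ret` it tests lie outside this hunk; the later hunk in this file appears to show that label freeing `typ` only when `ret` is zero, so the early jump is safe provided `ret` is still 0 at this point — worth confirming.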

ok

@@ -1047,7 +1054,7 @@
        err:
        if (!ret)
                {
-               ASN1_TYPE_free(typ);
+               if (typ) ASN1_TYPE_free(typ);
                if (opval)
                        *opval = NULL;
                }

ASN1_TYPE_free(NULL) should cause no problems

Index: crypto/asn1/tasn_new.c
===================================================================
RCS file: 
/local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/asn1/tasn_new.c,v
retrieving revision 1.2
diff -u -b -r1.2 tasn_new.c
--- crypto/asn1/tasn_new.c      29 Dec 2005 23:28:57 -0000      1.2
+++ crypto/asn1/tasn_new.c      29 Dec 2005 23:54:54 -0000
@@ -231,6 +231,8 @@
        {
        const ASN1_EXTERN_FUNCS *ef;
+ if (!it) return;
+
        switch(it->itype)
                {
Index: crypto/bio/b_print.c
===================================================================
RCS file: 
/local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/bio/b_print.c,v
retrieving revision 1.1.1.1
diff -u -b -r1.1.1.1 b_print.c
--- crypto/bio/b_print.c        30 Aug 2005 19:33:35 -0000      1.1.1.1
+++ crypto/bio/b_print.c        29 Dec 2005 23:54:55 -0000
@@ -741,6 +741,7 @@
                *buffer = OPENSSL_malloc(*maxlen);
                if (*currlen > 0) {
                    assert(*sbuffer != NULL);

I guess this should be "assert(*buffer != NULL)"

+ if (*sbuffer && *buffer) memcpy(*buffer, *sbuffer, *currlen);
                }
                *sbuffer = NULL;
@@ -756,7 +757,7 @@
     if (*currlen < *maxlen) {
        if (*sbuffer)
            (*sbuffer)[(*currlen)++] = (char)c;
-       else
+       else if (*buffer)
            (*buffer)[(*currlen)++] = (char)c;
     }
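Review bot: `else if (*buffer)` turns an allocation failure into silent data loss: when `OPENSSL_malloc(*maxlen)` in the previous hunk returns NULL, the copy is skipped, `*sbuffer` is cleared, and from then on every character is dropped here with no indication to the caller, who receives a truncated or empty string that looks like success. If the enclosing function (its signature is outside the hunk) has no way to return a status, the malloc result should at least be checked where it is made so the failure is not masked by the new guards; otherwise give this function an int return so the formatter can abort on out-of-memory.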

I will look at this again later

Index: crypto/bio/bss_file.c
Index: crypto/bn/bn_gf2m.c

ok

Index: crypto/conf/conf_def.c
===================================================================
RCS file: 
/local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/conf/conf_def.c,v
retrieving revision 1.2
diff -u -b -r1.2 conf_def.c
--- crypto/conf/conf_def.c      29 Dec 2005 23:29:14 -0000      1.2
+++ crypto/conf/conf_def.c      29 Dec 2005 23:54:58 -0000
@@ -629,7 +629,12 @@
                                
CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VALUE);
                                goto err;
                                }
-                       
BUF_MEM_grow_clean(buf,(strlen(p)+buf->length-(e-from)));
+                       if (!BUF_MEM_grow_clean(buf,
+                               (strlen(p)+buf->length-(e-from))))
+                               {
+                               CONFerr(CONF_F_STR_COPY, ERR_R_BUF_LIB);
+                               goto err;
+                               }
                        while (*p)
                                buf->data[to++]= *(p++);
Index: crypto/ec/ec_asn1.c

ok

Index: crypto/ec/ec_lib.c
===================================================================
RCS file: 
/local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/ec/ec_lib.c,v
retrieving revision 1.1.1.1
diff -u -b -r1.1.1.1 ec_lib.c
--- crypto/ec/ec_lib.c  30 Aug 2005 19:33:35 -0000      1.1.1.1
+++ crypto/ec/ec_lib.c  29 Dec 2005 23:55:02 -0000
@@ -124,7 +124,7 @@
        {
        if (!group) return;
- if (group->meth->group_finish != 0)
+       if ((group->meth != NULL) && (group->meth->group_finish != 0))
                group->meth->group_finish(group);

group->meth should never be NULL

Index: crypto/ec/ec_mult.c
===================================================================
RCS file: 
/local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/ec/ec_mult.c,v
retrieving revision 1.1.1.1
diff -u -b -r1.1.1.1 ec_mult.c
--- crypto/ec/ec_mult.c 30 Aug 2005 19:33:35 -0000      1.1.1.1
+++ crypto/ec/ec_mult.c 29 Dec 2005 23:55:02 -0000
@@ -436,7 +436,19 @@
                {
                size_t bits;
- bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
+ if (i < num)
+ {
+                       if (scalars[i] != NULL)
+                               bits = BN_num_bits(scalars[i]);
+                       else goto err;
+                       }

unless the user supplies a NULL pointer for a BIGNUM this
shouldn't be necessary

+               else
+                       {
+                       if (scalar != NULL)
+                               bits = BN_num_bits(scalar);
+                       else goto err;
+                       }

this shouldn't be necessary as we have 'i >= num' if and only if
'num_scalar > 0' but this could only happen if 'scalar != NULL'.

Index: crypto/ecdsa/ecs_lib.c
Index: crypto/err/err.c

ok

Index: crypto/evp/bio_md.c
===================================================================
RCS file: 
/local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/evp/bio_md.c,v
retrieving revision 1.1.1.1
diff -u -b -r1.1.1.1 bio_md.c
--- crypto/evp/bio_md.c 30 Aug 2005 19:33:35 -0000      1.1.1.1
+++ crypto/evp/bio_md.c 29 Dec 2005 23:55:03 -0000
@@ -158,7 +158,7 @@
                        }
                }
        BIO_clear_retry_flags(b);
-       BIO_copy_next_retry(b);
+       if (b->next_bio != NULL) BIO_copy_next_retry(b);
        return(ret);
        }

in line 126 (using revision 1.13) there's already a check for
'b->next_bio != NULL'

Index: crypto/evp/p5_crpt.c
===================================================================
RCS file: 
/local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/evp/p5_crpt.c,v
retrieving revision 1.2
diff -u -b -r1.2 p5_crpt.c
--- crypto/evp/p5_crpt.c        29 Dec 2005 23:29:46 -0000      1.2
+++ crypto/evp/p5_crpt.c        29 Dec 2005 23:55:05 -0000
@@ -113,8 +113,13 @@
        unsigned char *salt;
        const unsigned char *pbuf;
+ if (!param) {
+               EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
+               return 0;
+       }
+
        /* Extract useful info from parameter */
-       if (param == NULL || param->type != V_ASN1_SEQUENCE ||
+       if (param->type != V_ASN1_SEQUENCE ||
            param->value.sequence == NULL) {
                EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN,EVP_R_DECODE_ERROR);
                return 0;

why ?

Index: crypto/objects/obj_lib.c
Index: crypto/rsa/rsa_depr.c
Index: crypto/store/str_meth.
Index: crypto/x509/x509_r2x.c
Index: crypto/x509v3/pcy_tree.c
Index: engines/e_cswift.c
Index: engines/e_sureware.c
Index: ssl/d1_enc.c
Index: ssl/d1_pkt.c
Index: ssl/s3_srvr.c

ok

Please have a look at a recent snapshot from the head.

Cheers,
Nils
