[openssl.org #3436] Platform strategy
I am closing this item as it is not actually a defect (although we do appreciate getting rapid feedback on the roadmap). The discussion in terms of platform strategy should continue on the openssl-dev mailing list as we work through tackling platform related issues. Separately I'm looking through the range of systems and the automated building items that various users have put in place - it is great to see the enthusiasm for the range of platforms OpenSSL works on. If you are able to provide access to a platform to the OpenSSL development team then noting that on openssl-dev would be useful. Thanks, Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2204] Contribution [OS: all] [Version openssl-0.9.8m]
Closing this item - see #3434 which is an overlapping (and more detailed replacement). Further discussions on AES wrapping should be added into that ticket and/or continue on openssl-dev. Thanks, Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #3387] Bug Report with fixes: null pointer and uninitialised memory errors
On 8/06/2014 11:40 AM, Kurt Roeckx via RT wrote: On Sun, Jun 08, 2014 at 12:01:28AM +0200, Tim Hudson via RT wrote: Already fixed in the 1.0.1 stable branch so it is already included in 1.0.1h onwards and 1.0.1m is the current recommended version. [...] Can you re-run parfait against the current release version of OpenSSL for that branch - i.e. 1.0.1m It seems you have your branches mixed up. The latest version is 1.0.1h. There is an also an 1.0.0m, but that's from an older branch. Opps - you are right - I did indeed mean *1.0.1h* ... 'm' is in the 1.0.0 branch - and I am requesting is for it to be run against the current 1.0.1 version not an older version - which was especially noticeable when it is pointing out an already resolved item. It is always a good idea to run any tools against the current release versions for a particular branch - and also handy to see the same reports against master so that the forward development version also gets items picked up - as it contains the latest not-yet-in-a-release code. For coverity we use master and OpenSSL_1_0_1-stable Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #3387] Bug Report with fixes: null pointer and uninitialised memory errors
On 7/06/2014 7:10 PM, Jenny Yung via RT wrote: Hello, We ran parfait on OpenSSL and found the following errors in openssl-1.0.1g: 1. Error: Uninitialised memory (CWE 456) Possible access to uninitialised memory 'num' at line 267 of components/openssl/openssl-1.0.1/build/sparcv9-wanboot/crypto/evp/bio_b64.c in function 'b64_read'. num allocated at line 146. num uninitialised when ctx-start != 0 at line 221. Already fixed in the 1.0.1 stable branch so it is already included in 1.0.1h onwards and 1.0.1m is the current recommended version. commit a41d5174e27c99d1caefd76a8e927c814ede509e Author: Dr. Stephen Henson st...@openssl.org Date: Tue May 6 14:07:37 2014 +0100 Initialize num properly. PR#3289 PR#3345 (cherry picked from commit 3ba1e406c2309adb427ced9815ebf05f5b58d155) 2. Error: Null pointer dereference (CWE 476) Read from null pointer rctx at line 114 of components/openssl/openssl-1.0.1/build/sparcv9-wanboot/crypto/ocsp/ocsp_ht.c in function 'OCSP_REQ_CTX_free'. Function OCSP_sendreq_new may return constant 'NULL' at line 171, called at line 491 in function 'OCSP_sendreq _bio'. Constant 'NULL' passed into function OCSP_REQ_CTX_free, argument rctx, from call at line 498. Null pointer introduced at line 171 in function 'OCSP_sendreq_new'. This indicates a different issue is present - in that the error handling path will leak memory. rctx-iobuf = OPENSSL_malloc(rctx-iobuflen); if (!rctx-iobuf) return 0; So if malloc fails rctx itself isn't freed - so that will leak. That will need to be looked at too. 3. Error: Null pointer dereference (CWE 476) Read from null pointer rctx at line 268 of components/openssl/openssl-1.0.1/build/sparcv9-wanboot/crypto/ocsp/ocsp_ht.c in function 'OCSP_sendreq_nbio'. Function OCSP_sendreq_new may return constant 'NULL' at line 171, called at line 491 in function 'OCSP_sendreq_bio'. Constant 'NULL' passed into function OCSP_sendreq_nbio, argument rctx, from call at line 495. Null pointer introduced at line 171 in function 'OCSP_sendreq_new'. Looks good - but missed other issue with memory leak on malloc failure. 4. Error: Null pointer dereference (CWE 476) Read from null pointer frag at line 1175 of components/openssl/openssl-1.0.1/build/sparcv9-wanboot/ssl/d1_both.c in function 'dtls1_buffer_message'. Function dtls1_hm_fragment_new may return constant 'NULL' at line 189, called at line 1173. Null pointer introduced at line 189 in function 'dtls1_hm_fragment_new'. Looks good. The following changes fixes the errors: 2 --- openssl-1.0.1g/crypto/evp/bio_b64.c.~1~ Tue Jun 3 14:13:33 2014 3 +++ openssl-1.0.1g/crypto/evp/bio_b64.c Tue Jun 3 14:14:23 2014 4 @@ -143,7 +143,7 @@ 5 6 static int b64_read(BIO *b, char *out, int outl) 7 { 8 - int ret=0,i,ii,j,k,x,n,num,ret_code=0; 9 + int ret=0,i,ii,j,k,x,n,num=0,ret_code=0; 10 BIO_B64_CTX *ctx; 11 unsigned char *p,*q; Already covered in previous commits. 12 13 --- openssl-1.0.1g/crypto/ocsp/ocsp_ht.c.~1~Tue Jun 3 14:15:18 2014 14 +++ openssl-1.0.1g/crypto/ocsp/ocsp_ht.cTue Jun 3 14:15:46 2014 15 @@ -490,6 +490,9 @@ 16 17 ctx = OCSP_sendreq_new(b, path, req, -1); 18 19 + if (!ctx) 20 + return NULL; 21 + 22 do 23 { 24 rv = OCSP_sendreq_nbio(resp, ctx); Looks reasonable - although I don't think the spin loop there is appropriate - basically with no delay, and no select, this will spin on a non-blocking retry condition (which is meant to make it back to the caller to enter their event loop. That is a broader issue to look at. 25 --- openssl-1.0.1g/ssl/d1_both.c.~1~Tue Jun 3 14:16:25 2014 26 +++ openssl-1.0.1g/ssl/d1_both.cTue Jun 3 14:17:26 2014 27 @@ -1172,6 +1172,8 @@ 28 29 frag = dtls1_hm_fragment_new(s-init_num, 0); 30 31 + if (!frag) 32 + return 0; 33 memcpy(frag-fragment, s-init_buf-data, s-init_num); 34 35 if ( is_ccs) That looks good as a patch. Can you integrate this into the next release of OpenSSL? Can you re-run parfait against the current release version of OpenSSL for that branch - i.e. 1.0.1m It would also be helpful to see suggested patch as a separate RT issue - so we can discuss and track them individually. Thanks, Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #2578] s_client bind ip
On 24/05/2014 11:06 PM, Krzysztof Kwiatkowski via RT wrote: Hello, This patch implements request for ticket 2578. I've also created pull request in github that you can find here: https://github.com/openssl/openssl/pull/108 Why is there a crypto/objects/obj_xref.h change mixed in with this patch? It does not belong there. Thanks, Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3289] base64 BIO decoding bug - patch supplied + examples
Re-opening item. See https://rt.openssl.org/Ticket/Display.html?id=3345 This patch introduced an uninitialised read. A num=0 initialisation is required prior to the for loop. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3345] potential bug in crypto/evp/bio_b64.c
On Tue May 06 05:13:42 2014, arthurm...@gmail.com wrote: Coverity run has uncovered the following use of uninitialized local variable in b64_read(). This applies to both 1.0.1g and master branch: See https://rt.openssl.org/Ticket/Display.html?id=3289 which is the patch which introduced this issue. I have re-opened that RT issue. Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3340] coverity issues 966593-966596
coverity issues 966593-966596 966593 Uninitialized scalar variable The variable will contain an arbitrary value left from earlier computations. In SRP_create_verifier: Use of an uninitialized variable __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3341] coverity issue 966597
966597 Uninitialized scalar variable The variable will contain an arbitrary value left from earlier computations. In d2i_SSL_SESSION: Use of an uninitialized variable __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3342] coverity issue 966577
966577 Resource leak The system resource will not be reclaimed and reused, reducing the future availability of the resource. In init_client_ip: Leak of memory or pointers to system resources __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3046] bug report, openssl 1.0.1e sha1 hash generation
The two echo commands are different values (being different actual echo programs) and hence have different digests. As a user: macbuild:~ tjh$ echo -n 12345 | od -x 000 3231 3433 0035 005 As root: echo -n 12345 | od -x 000 6e2d 3120 3332 3534 000a 011 The root echo is one that does not support the -n option: macbuild:~ root# echo -n 12345 -n 12345 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3039] Can't Compile openssl-fips-1.1.2: collect2: ld returned 1 exit status
On Fri May 03 19:05:13 2013, burton.sm...@williams.com wrote: Thanks, but after playing with this puzzle for a while I combined the configuration options that were supposed to correct it individually. It worked. Closed as resolved. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3274] Quoting problem in v1.0.1f
On Tue Mar 04 16:03:58 2014, dominik.stras...@onespin-solutions.com wrote: Hi all, the top level Makefile has a small with quoting when CC has an argument. The attached mini-patch fixes the problem Closing item s resolved as SteveH checked in a fix for this in master, 1.0.1 stable and 1.0.2 stable after the issue was reported. https://github.com/openssl/openssl/commit/24e20db4aa18ff8a6f67ae7faf80cf2b99f8b74a https://github.com/openssl/openssl/commit/19a68574a9d1f59c355385a1b64cbd443bf49e00 https://github.com/openssl/openssl/commit/7f6e09b5316928a9da24d2f695d1885a26dd38ec Thanks, Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3232] [PATCH] Makefile.org: Fix usage of CC=gcc -m32
Note: PR#3274 is a duplicate of this issue just closed. Closing this item too as resolved as SteveH checked in a fix for this in master, 1.0.1 stable and 1.0.2 stable after the issue was reported. https://github.com/openssl/openssl/commit/24e20db4aa18ff8a6f67ae7faf80cf2b99f8b74a https://github.com/openssl/openssl/commit/19a68574a9d1f59c355385a1b64cbd443bf49e00 https://github.com/openssl/openssl/commit/7f6e09b5316928a9da24d2f695d1885a26dd38ec Thanks, Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3289] base64 BIO decoding bug - patch supplied + examples
On Wed Apr 02 19:22:14 2014, e...@pobox.com wrote: Fixing one of my own bugs, there since SSLeay days I belive :-) Closing item as resolved. SteveH committed the fix across all branches ... https://github.com/openssl/openssl/commit/10378fb5f4c67270b800e8f7c600cd0548874811 https://github.com/openssl/openssl/commit/bfc3424d1fbaf684c812c03e3c6cb8d38d2d6f1d etc Thanks, __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3309] Bug: Missing critical flag for extended key usage not detected in time-stamp verification
On Wed Apr 16 14:25:34 2014, s...@pdflib.com wrote: Am 15.04.14 20:00, schrieb Stephen Henson via RT: I've just added a fix (and to two other cases in the same file). Let me know of any problems. Closed as resolved. SteveH committed changes across all branches. https://github.com/openssl/openssl/commit/300b9f0b704048f60776881f1d378c74d9c32fbd etc Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3253] Compile issues - Solaris 10
On Mon Feb 03 15:16:14 2014, steve wrote: ... I've just committed a fix. Let me know of any problems. Closed as resolved. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3183] SSL_set_SSL_CTX() should apply more settings from the SSL_CTX being switched to
Leaving issue open. Note: SteveH checked in a partial fix adding in a getter function - SSL_CTX_get_ssl_method https://github.com/openssl/openssl/commit/ba168244a14bbd056e502d7daa04cae4aabe9d0d Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3216] Invalid shell syntax == in test/testssl (only 0.9.8 and 1.0.0)
On Tue Jan 07 09:26:25 2014, rainer.j...@kippdata.de wrote: File test/testssl in branches 0.9.8 and 1.0.0 contains the line if [ $protocol == SSLv3 ] ; then Closed as resolved. SteveH committed fixes. https://github.com/openssl/openssl/commit/080ae6843299c873808c04487d4ccf51624fe618 Tim __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3106] [PATCH] Fix build with OPENSSL_NO_NEXTPROTONEG.
Marking issue as resolved. SteveH checked in fixes. https://github.com/openssl/openssl/commit/2911575c6e790541e495927a60121d7546a66962 Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3172] Duplicated entry in ssl_option_single
Closed as resolved. SteveH committed fix. https://github.com/openssl/openssl/commit/44314cf64d1e51c7493799e77b14ae4e94a4c8cf Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3147] [PATCH 2/2] POD: Fix list termination
Closed as resolved. SteveH committed patch. https://github.com/openssl/openssl/commit/c8919dde09d56f03615a52031964bc9a77b26e90 Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3146] [PATCH 1/2] POD: Fix item numbering
Closed item as resolved. SteveH committed patch. https://github.com/openssl/openssl/commit/ed77017b594754240013c378b4f7c10440c94d7a Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3071] [PATCH] Documentation updates from the wiki
On Fri Jun 07 20:12:54 2013, fr...@baggins.org wrote: This patch is the first submission of what is planned to be a regular series of patches. It represents the collected updates made to the pod documentation published on the openssl wiki: Closed as resolved. Patch was committed. Tim __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2538] Code error - bad condition in s3_srvr.c
On Mon Jun 06 17:23:48 2011, tm...@redhat.com wrote: There is code error in s3_srvr.c function ssl3_get_cert_verify(). The bug was found by Coverity scan. Closing as resolved. Andy committed fix across all branches. https://github.com/openssl/openssl/commit/3b1fb1a0226e29c9d7c79ff7fbde21ef9cac4deb Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured
Closing item as resolved. SteveH committed patches across all branches. Tim __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3068] [PATCH] Safari broken ECDHE-ECDSA workaround
On Tue Jun 04 17:53:41 2013, rob.stradl...@comodo.com wrote: The Safari browser on OSX versions 10.8 to 10.8.3 advertises support for several ECDHE-ECDSA ciphers but fails to negotiate them. Closing as resolved. Ben committed fixes across all branches. https://github.com/openssl/openssl/commit/cadbbd51c8b4e66515cd3e97754cfeda606c7b15 Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #3033] Bug Report: Make Error: can't encode register '%ch' in an instruction requiring REX prefix.
Closing item as resolved. Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #3320] Invalid large memory access in openssl due to a bug on the client side
On 26/04/2014 11:04 PM, Kurt Roeckx via RT wrote: Libressl has a patch for this at: http://anoncvs.estpak.ee/cgi-bin/cgit/openbsd-src/commit/lib/libssl?id=cb8b51bf2f6517fe96ab0d20c4d9bba2eef1b67c I believe that patch is not really the correct fix. My understanding is that tot is what is already written, and that len is until where we want to write and so that len should never be smaller than tot and I think we should instead find out why len can be smaller then tot and fix that instead. Actually the code should check that the caller has violated the API requirements (that the buffer and len values in subsequent calls must match the original call when a non-blocking IO reports incomplete) and report an error at that point. Silently truncating the request isn't really the right behaviour. The referenced note from the list at http://marc.info/?l=openssl-devm=139809485525663w=2 http://marc.info/?l=openssl-devm=139809485525663w=2 makes the circumstances to trigger this clear. i=SSL_write(s,buf,len); /* assuming that the non-blocking handling returns -1 indicating buffer is not yet (completely) written */ /* this is what the API requires - recalling with the same parameters */ i=SSL_write(s,buf,len); /* this is what the caller did ... and that leaves tot len if less than someval bytes have gone out between the first call and then the rest of the pending bytes make it out in this call then bingo we get the library writing out a large buffer because it isn't checking ... */ i=SSL_write(s,buf,len-someval); The actual effect is that if a user incorrectly calls the API the library will (under the right set of circumstances which are not that unusual but neither the typical context) actually send out beyond the number of bytes the user is expecting to see sent from the buffer because of the n = (len - tot) when tot len and that is undesirable behaviour and well beyond the 'len' argument of the call - thereby allowing the users incorrect use of the API to turn into their leakage of whatever happens to be beyond the buffer. BUT (and this is the important thing) the circumstances described as required to produce this context get checked in ssl3_write_pending to make sure that len cannot actually be smaller than the previous write. if ((s-s3-wpend_tot (int)len) The right fix is perhaps to add in the following check ... if ( len tot) { SSLerr(SSL_F_SSL3_WRITE_BYTES,SSL_R_BAD_LENGTH); return(-1); } I've created a pull request for this at https://github.com/openssl/openssl/pull/83 Thanks, Tim. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2046] OpenSSL 1.0.0 beta 3 ASM fails on z/Linux 64-bit
I kicked off some builds last night as I was curious as to the answer to the question - 0.9.8d fails in make test, 0.9.8k passes in make test. The 1.0.0 beta 3 fails with the SHA1 asm code and in the AES asm code. I haven't had a chance to look into this in any detail - just noting that the out-of-the-box build isn't working. ./config -no-asm works so the issues are all in the asm code. 0.9.8k passes make test, 0.9.8d fails make test in BN code. ./config make make test tjh:~/work/openssl-1.0.0-beta3/test gdb sha1test GNU gdb 6.4 Copyright 2005 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type show copying to see the conditions. There is absolutely no warranty for GDB. Type show warranty for details. This GDB was configured as s390x-suse-linux...ruUsing host libthread_db library /lib64/libthread_db.so.1. (gdb) run Starting program: /home/tjh/work/openssl-1.0.0-beta3/test/sha1test Program received signal SIGILL, Illegal instruction. sha1_block_data_order () at sha1-s390x.s:13 13 lg %r0,16(%r15) Current language: auto; currently asm (gdb) Linux somewhere 2.6.16.21-0.8-default #1 SMP Mon Jul 3 18:25:39 UTC 2006 s390x s390x s390x GNU/Linux tjh:~/work/openssl-1.0.0-beta3 gcc -v Using built-in specs. Target: s390x-suse-linux Configured with: ../configure --enable-threads=posix --prefix=/usr --with-local-prefix=/usr/local --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib64 --libexecdir=/usr/lib64 --enable-languages=c,c++,objc,fortran,java --enable-checking=release --with-gxx-include-dir=/usr/include/c++/4.1.0 --enable-ssp --disable-libssp --enable-java-awt=gtk --enable-gtk-cairo --disable-libjava-multilib --with-slibdir=/lib64 --with-system-zlib --enable-shared --enable-__cxa_atexit --enable-libstdcxx-allocator=new --without-system-libunwind --with-tune=z9-109 --with-arch=z900 --with-long-double-128 --host=s390x-suse-linux Thread model: posix gcc version 4.1.0 (SUSE Linux) tjh:~/work/openssl-1.0.0-beta3 cat /proc/cpuinfo vendor_id : IBM/S390 # processors: 1 bogomips per cpu: 888.01 processor 0: version = FF, identification = 0117C9, machine = 2064 PGP.sig Description: PGP signature
[openssl.org #1642] patch purify errors
There are a few UMRs and one FIU in the current OpenSSL-0.9.8g code base. The attached patch fixes this with minimal code changes. A better solution would be to use a BN_init call on each of the local BN variables being used which would be a trivial adaptation of this patch. Without this patch there are 17014 purify errors across a total of 208 unique code paths in a make test for a purify build under linux. There remains one purify error I'm still tracking down. TOTAL-ERRORS: 44 UNIQUE-ERRORS: 1 44 - UMR AES_cbc_encrypt [aes_cbc.c:77] aes_256_cbc_cipher [e_aes.c:87] EVP_Cipher [evp_lib.c:183] ssl3_enc [s3_enc.c:497] do_ssl3_write [s3_pkt.c:684] [heap=1 loc=318 size=18698 malloc [rtlib.o] default_malloc_ex [mem.c:79] CRYPTO_malloc [mem.c:304] ssl3_setup_buffers [s3_both.c:612] ssl3_connect [s3_clnt.c:228] heap=1 loc=318 size=18698] Tim. Index: crypto/asn1/f_int.c === RCS file: /usr/local/mirrors/openssl/openssl/crypto/asn1/f_int.c,v retrieving revision 1.10 diff -b -c -r1.10 f_int.c *** crypto/asn1/f_int.c 13 Nov 2002 15:42:13 - 1.10 --- crypto/asn1/f_int.c 13 Feb 2008 23:19:35 - *** *** 181,186 --- 181,187 } for (j=0; ji; j++,k+=2) { + s[num+j]='\0'; for (n=0; n2; n++) { m=bufp[k+n]; Index: crypto/bn/bn_gcd.c === RCS file: /usr/local/mirrors/openssl/openssl/crypto/bn/bn_gcd.c,v retrieving revision 1.18.2.5 diff -b -c -r1.18.2.5 bn_gcd.c *** crypto/bn/bn_gcd.c 11 Jun 2007 16:33:50 - 1.18.2.5 --- crypto/bn/bn_gcd.c 13 Feb 2008 23:20:49 - *** *** 542,547 --- 542,548 /* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, * BN_div_no_branch will be called eventually. */ + local_B.flags=0; pB = local_B; BN_with_flags(pB, B, BN_FLG_CONSTTIME); if (!BN_nnmod(B, pB, A, ctx)) goto err; *** *** 567,572 --- 568,574 /* Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, * BN_div_no_branch will be called eventually. */ + local_A.flags=0; pA = local_A; BN_with_flags(pA, A, BN_FLG_CONSTTIME); Index: crypto/bn/bn_mont.c === RCS file: /usr/local/mirrors/openssl/openssl/crypto/bn/bn_mont.c,v retrieving revision 1.36.2.8 diff -b -c -r1.36.2.8 bn_mont.c *** crypto/bn/bn_mont.c 11 Nov 2007 20:43:23 - 1.36.2.8 --- crypto/bn/bn_mont.c 13 Feb 2008 23:20:49 - *** *** 417,422 --- 417,423 tmod.top = buf[0] != 0 ? 1 : 0; tmod.dmax=2; tmod.neg=0; + tmod.flags=0; /* Ri = R^-1 mod N*/ if ((BN_mod_inverse(Ri,R,tmod,ctx)) == NULL) goto err; Index: crypto/evp/evp_test.c === RCS file: /usr/local/mirrors/openssl/openssl/crypto/evp/evp_test.c,v retrieving revision 1.24.2.3 diff -b -c -r1.24.2.3 evp_test.c *** crypto/evp/evp_test.c 23 Apr 2007 23:50:05 - 1.24.2.3 --- crypto/evp/evp_test.c 13 Feb 2008 23:20:49 - *** *** 320,326 int main(int argc,char **argv) { const char *szTestFile; ! FILE *f; if(argc != 2) { --- 320,326 int main(int argc,char **argv) { const char *szTestFile; ! FILE *f = NULL; if(argc != 2) { *** *** 436,441 --- 436,444 } } + if (f) + fclose(f); + #ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); #endif Index: crypto/rsa/rsa_eay.c === RCS file: /usr/local/mirrors/openssl/openssl/crypto/rsa/rsa_eay.c,v retrieving revision 1.46.2.8 diff -b -c -r1.46.2.8 rsa_eay.c *** crypto/rsa/rsa_eay.c28 Mar 2007 00:14:21 - 1.46.2.8 --- crypto/rsa/rsa_eay.c13 Feb 2008 23:20:49 - *** *** 755,760 --- 755,761 if (!(rsa-flags RSA_FLAG_NO_CONSTTIME)) { c = local_c; + local_c.flags = 0; BN_with_flags(c, I, BN_FLG_CONSTTIME); if (!BN_mod(r1,c,rsa-q,ctx)) goto err; } *** *** 767,772 --- 768,774 if (!(rsa-flags RSA_FLAG_NO_CONSTTIME)) {