Merge 'OpenSSL_1_0_2-stable' into 1.0.2-chacha

Fixed issue #5
Cleaned up code of ssl/t1_enc.c a bit
Please note that this file still isn't completely up-to-date (merged)
with the official 1.0.2 branch

Author: PeterMosmans

apps/apps.c

@@ -2775,7 +2775,7 @@ void print_cert_checks(BIO *bio, X509 *x,
         return;
     if (checkhost) {
         BIO_printf(bio, "Hostname %s does%s match certificate\n",
-                   checkhost, X509_check_host(x, checkhost, 0, 0, NULL)
+                   checkhost, X509_check_host(x, checkhost, 0, 0, NULL) == 1
                    ? "" : " NOT");
     }
 

apps/openssl.c

@@ -428,10 +428,6 @@ int main(int Argc, char *ARGV[])
     if (arg.data != NULL)
         OPENSSL_free(arg.data);
 
-    if (bio_err != NULL) {
-        BIO_free(bio_err);
-        bio_err = NULL;
-    }
 #if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64)
     /* Free any duplicate Argv[] storage. */
     if (free_Argv) {
@@ -440,6 +436,10 @@ int main(int Argc, char *ARGV[])
 #endif
     apps_shutdown();
     CRYPTO_mem_leaks(bio_err);
+    if (bio_err != NULL) {
+        BIO_free(bio_err);
+        bio_err = NULL;
+    }
 
     OPENSSL_EXIT(ret);
 }

crypto/conf/conf_def.c

@@ -585,7 +585,11 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
                 CONFerr(CONF_F_STR_COPY, CONF_R_VARIABLE_HAS_NO_VALUE);
                 goto err;
             }
-            BUF_MEM_grow_clean(buf, (strlen(p) + buf->length - (e - from)));
+            if (!BUF_MEM_grow_clean(buf,
+                        (strlen(p) + buf->length - (e - from)))) {
+                CONFerr(CONF_F_STR_COPY, ERR_R_MALLOC_FAILURE);
+                goto err;
+            }
             while (*p)
                 buf->data[to++] = *(p++);
 

crypto/ex_data.c

@@ -500,6 +500,8 @@ static void int_free_ex_data(int class_index, void *obj, CRYPTO_EX_DATA *ad)
     EX_CLASS_ITEM *item;
     void *ptr;
     CRYPTO_EX_DATA_FUNCS **storage = NULL;
+    if (ex_data == NULL)
+        return;
     if ((item = def_get_class(class_index)) == NULL)
         return;
     CRYPTO_r_lock(CRYPTO_LOCK_EX_DATA);

crypto/objects/objects.pl

@@ -121,9 +121,9 @@
 print OUT <<'EOF';
 /* crypto/objects/obj_mac.h */
 
-/* THIS FILE IS GENERATED FROM objects.txt by objects.pl via the
- * following command:
- * perl objects.pl objects.txt obj_mac.num obj_mac.h
+/*
+ * THIS FILE IS GENERATED FROM objects.txt by objects.pl via the following
+ * command: perl objects.pl objects.txt obj_mac.num obj_mac.h
  */
 
 /* Copyright (C) 1995-1997 Eric Young ([email protected])
@@ -132,21 +132,21 @@
  * This package is an SSL implementation written
  * by Eric Young ([email protected]).
  * The implementation was written so as to conform with Netscapes SSL.
- * 
+ *
  * This library is free for commercial and non-commercial use as long as
  * the following conditions are aheared to.  The following conditions
  * apply to all code found in this distribution, be it the RC4, RSA,
  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
  * included with this distribution is covered by the same copyright terms
  * except that the holder is Tim Hudson ([email protected]).
- * 
+ *
  * Copyright remains Eric Young's, and as such any Copyright notices in
  * the code are not to be removed.
  * If this package is used in a product, Eric Young should be given attribution
  * as the author of the parts of the library used.
  * This can be in the form of a textual message at program startup or
  * in documentation (online or textual) provided with the package.
- * 
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
@@ -161,10 +161,10 @@
  *     Eric Young ([email protected])"
  *    The word 'cryptographic' can be left out if the rouines from the library
  *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
+ * 4. If you include any Windows specific code (or a derivative thereof) from
  *    the apps directory (application code) you must include an acknowledgement:
  *    "This product includes software written by Tim Hudson ([email protected])"
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -176,28 +176,36 @@
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
- * 
+ *
  * The licence and distribution terms for any publically available version or
  * derivative of this code cannot be changed.  i.e. this code cannot simply be
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
 
-#define SN_undef			"UNDEF"
-#define LN_undef			"undefined"
-#define NID_undef			0
-#define OBJ_undef			0L
-
+#define SN_undef                        "UNDEF"
+#define LN_undef                        "undefined"
+#define NID_undef                       0
+#define OBJ_undef                       0L
 EOF
 
+sub expand
+	{
+	my $string = shift;
+
+	1 while $string =~ s/\t+/' ' x (length($&) * 8 - length($`) % 8)/e;
+
+	return $string;
+	}
+
 foreach (sort { $a <=> $b } keys %ordern)
 	{
 	$Cname=$ordern{$_};
-	print OUT "#define SN_",$Cname,"\t\t\"",$sn{$Cname},"\"\n" if $sn{$Cname} ne "";
-	print OUT "#define LN_",$Cname,"\t\t\"",$ln{$Cname},"\"\n" if $ln{$Cname} ne "";
-	print OUT "#define NID_",$Cname,"\t\t",$nid{$Cname},"\n" if $nid{$Cname} ne "";
-	print OUT "#define OBJ_",$Cname,"\t\t",$obj{$Cname},"\n" if $obj{$Cname} ne "";
 	print OUT "\n";
+	print OUT expand("#define SN_$Cname\t\t\"$sn{$Cname}\"\n") if $sn{$Cname} ne "";
+	print OUT expand("#define LN_$Cname\t\t\"$ln{$Cname}\"\n") if $ln{$Cname} ne "";
+	print OUT expand("#define NID_$Cname\t\t$nid{$Cname}\n") if $nid{$Cname} ne "";
+	print OUT expand("#define OBJ_$Cname\t\t$obj{$Cname}\n") if $obj{$Cname} ne "";
 	}
 
 close OUT;

crypto/rand/rand_egd.c

@@ -113,6 +113,7 @@ int RAND_egd_bytes(const char *path, int bytes)
 #else
 # include <openssl/opensslconf.h>
 # include OPENSSL_UNISTD
+# include <stddef.h>
 # include <sys/types.h>
 # include <sys/socket.h>
 # ifndef NO_SYS_UN_H

crypto/x509v3/v3_utl.c

@@ -901,8 +901,13 @@ static int do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal,
         int astrlen;
         unsigned char *astr;
         astrlen = ASN1_STRING_to_UTF8(&astr, a);
-        if (astrlen < 0)
+        if (astrlen < 0) {
+            /*
+             * -1 could be an internal malloc failure or a decoding error from
+             * malformed input; we can't distinguish.
+             */
             return -1;
+        }
         rv = equal(astr, astrlen, (unsigned char *)b, blen, flags);
         if (rv > 0 && peername)
             *peername = BUF_strndup((char *)astr, astrlen);

doc/crypto/X509_check_host.pod

@@ -109,9 +109,12 @@ but would not match a peer certificate with a DNS name of
 =head1 RETURN VALUES
 
 The functions return 1 for a successful match, 0 for a failed match
-and -1 for an internal error: typically a memory allocation failure.
+and -1 for an internal error: typically a memory allocation failure
+or an ASN.1 decoding error.
 
-X509_check_ip_asc() can also return -2 if the IP address string is malformed.
+All functions can also return -2 if the input is malformed. For example,
+X509_check_host() returns -2 if the provided B<name> contains embedded
+NULs.
 
 =head1 NOTES
 

engines/ccgost/gost_eng.c

@@ -76,6 +76,10 @@ static int bind_gost(ENGINE *e, const char *id)
     int ret = 0;
     if (id && strcmp(id, engine_gost_id))
         return 0;
+    if (ameth_GostR3410_94) {
+        printf("GOST engine already loaded\n");
+        goto end;
+    }
 
     if (!ENGINE_set_id(e, engine_gost_id)) {
         printf("ENGINE_set_id failed\n");