David Hartman wrote:
....
> We have a copy of 0.9.8a in our source tree, and I made the changes to
> our copy of 0.9.8a. I attached the diffs.

....
> Index: crypto/aes/aes_cfb.c
> ================================================== =================
> RCS file: /local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/aes/aes_cfb.c,v
> retrieving revision 1.1.1.1
> diff -u -b -r1.1.1.1 aes_cfb.c
> --- crypto/aes/aes_cfb.c 30 Aug 2005 19:33:35 -0000 1.1.1.1
> +++ crypto/aes/aes_cfb.c 29 Dec 2005 23:54:52 -0000
> @@ -165,7 +165,7 @@
> int n,rem,num;
> unsigned char ovec[AES_BLOCK_SIZE*2];
>
> - if (nbits<=0 || nbits>128) return;
> + if (nbits<=0 || nbits>=128) return;


why ?

....
> Index: crypto/asn1/a_strex.c
> ================================================== =================
> RCS file: /local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/asn1/a_strex.c,v
> retrieving revision 1.2
> diff -u -b -r1.2 a_strex.c
> --- crypto/asn1/a_strex.c 29 Dec 2005 23:28:57 -0000 1.2
> +++ crypto/asn1/a_strex.c 29 Dec 2005 23:54:53 -0000
> @@ -165,7 +165,7 @@
> {
> int i, outlen, len;
> unsigned char orflags, *p, *q;
> - unsigned long c;
> + unsigned long c = 0;
> p = buf;
> q = buf + buflen;
> outlen = 0;


the value 'c' should be set in the switch statement and if
'type & BUF_TYPE_WIDTH_MASK' is neither 0, 1, 2 or 4 it's an
error (and in this case 'c' would be uninitialized). I've added
a "default: return -1" and let do_print_ex() check the return
value of do_buf().

> Index: crypto/asn1/t_pkey.c
> ================================================== =================
> RCS file: /local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/asn1/t_pkey.c,v
> retrieving revision 1.2
> diff -u -b -r1.2 t_pkey.c
> --- crypto/asn1/t_pkey.c 29 Dec 2005 23:28:57 -0000 1.2
> +++ crypto/asn1/t_pkey.c 29 Dec 2005 23:54:53 -0000
> @@ -143,7 +143,7 @@
> goto err;
> }
>
> - if (x->d != NULL)
> + if ((x->d != NULL) && (x->n != NULL))
> {
> if(!BIO_indent(bp,off,128))
> goto err;
> @@ -151,19 +151,23 @@
> <= 0) goto err;
> }
>
> - if (x->d == NULL)
> + if ((x->d == NULL) && (x->n != NULL))
> BIO_snprintf(str,sizeof str,"Modulus (%d bit):",BN_num_bits(x->n));
> else
> BUF_strlcpy(str,"modulus:",sizeof str);
> if (!print(bp,str,x->n,m,off)) goto err;
> s=(x->d == NULL)?"Exponent:":"publicExponent:";
> - if (!print(bp,s,x->e,m,off)) goto err;
> - if (!print(bp,"privateExponent:",x->d,m,off)) goto err;
> - if (!print(bp,"prime1:",x->p,m,off)) goto err;
> - if (!print(bp,"prime2:",x->q,m,off)) goto err;
> - if (!print(bp,"exponent1:",x->dmp1,m,off)) goto err;
> - if (!print(bp,"exponent2:",x->dmq1,m,off)) goto err;
> - if (!print(bp,"coefficient:",x->iqmp,m,off)) goto err;
> + if ((x->e != NULL) && !print(bp,s,x->e,m,off)) goto err;
> + if ((x->d != NULL) && !print(bp,"privateExponent:",x->d,m,off))
> + goto err;
> + if ((x->p != NULL) && !print(bp,"prime1:",x->p,m,off)) goto err;
> + if ((x->q != NULL) && !print(bp,"prime2:",x->q,m,off)) goto err;
> + if ((x->dmp1 != NULL) && !print(bp,"exponent1:",x->dmp1,m,off))
> + goto err;
> + if ((x->dmq1 != NULL) && !print(bp,"exponent2:",x->dmq1,m,off))
> + goto err;
> + if ((x->iqmp != NULL) && !print(bp,"coefficient:",x->iqmp,m,off))
> + goto err;
> ret=1;
> err:
> if (m != NULL) OPENSSL_free(m);


ok

> @@ -223,7 +227,7 @@
> goto err;
> }
>
> - if (x->priv_key != NULL)
> + if ((x->priv_key != NULL) && (x->p != NULL))


this shouldn't be necessary as there's already a check for
'x->p != NULL' in DSA_print()

> {
> if(!BIO_indent(bp,off,128))
> goto err;
> @@ -760,7 +764,9 @@
> BN_num_bits(x->p)) <= 0)
> goto err;
> if (!print(bp,"p:",x->p,m,4)) goto err;
> + if (x->q)
> if (!print(bp,"q:",x->q,m,4)) goto err;
> + if (x->g)
> if (!print(bp,"g:",x->g,m,4)) goto err;
> ret=1;


ok

> err:
> Index: crypto/asn1/tasn_dec.c
> ================================================== =================
> RCS file: /local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/asn1/tasn_dec.c,v
> retrieving revision 1.1.1.1
> diff -u -b -r1.1.1.1 tasn_dec.c
> --- crypto/asn1/tasn_dec.c 30 Aug 2005 19:33:35 -0000 1.1.1.1
> +++ crypto/asn1/tasn_dec.c 29 Dec 2005 23:54:54 -0000
> @@ -283,6 +283,12 @@
> {
> wp = *(unsigned char **)in;
> imphack = *wp;
> + if (!p)
> + {
> + ASN1err(ASN1_F_ASN1_ITEM_EX_D2I,
> + ERR_R_NESTED_ASN1_ERROR);
> + goto err;
> + }
> *wp = (unsigned char)((*p & V_ASN1_CONSTRUCTED)
> | it->utype);
> }


to be honest I don't understand this code right now, will look at it
again later

> @@ -924,6 +930,7 @@
> if (!*pval)
> {
> typ = ASN1_TYPE_new();
> + if (!typ) goto err;
> *pval = (ASN1_VALUE *)typ;
> }
> else


ok

> @@ -1047,7 +1054,7 @@
> err:
> if (!ret)
> {
> - ASN1_TYPE_free(typ);
> + if (typ) ASN1_TYPE_free(typ);
> if (opval)
> *opval = NULL;
> }


ASN1_TYPE_free(NULL) should cause no problems

> Index: crypto/asn1/tasn_new.c
> ================================================== =================
> RCS file: /local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/asn1/tasn_new.c,v
> retrieving revision 1.2
> diff -u -b -r1.2 tasn_new.c
> --- crypto/asn1/tasn_new.c 29 Dec 2005 23:28:57 -0000 1.2
> +++ crypto/asn1/tasn_new.c 29 Dec 2005 23:54:54 -0000
> @@ -231,6 +231,8 @@
> {
> const ASN1_EXTERN_FUNCS *ef;
>
> + if (!it) return;
> +
> switch(it->itype)
> {
>
> Index: crypto/bio/b_print.c
> ================================================== =================
> RCS file: /local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/bio/b_print.c,v
> retrieving revision 1.1.1.1
> diff -u -b -r1.1.1.1 b_print.c
> --- crypto/bio/b_print.c 30 Aug 2005 19:33:35 -0000 1.1.1.1
> +++ crypto/bio/b_print.c 29 Dec 2005 23:54:55 -0000
> @@ -741,6 +741,7 @@
> *buffer = OPENSSL_malloc(*maxlen);
> if (*currlen > 0) {
> assert(*sbuffer != NULL);


I guess this should be "assert(*buffer != NULL)"

> + if (*sbuffer && *buffer)
> memcpy(*buffer, *sbuffer, *currlen);
> }
> *sbuffer = NULL;
> @@ -756,7 +757,7 @@
> if (*currlen < *maxlen) {
> if (*sbuffer)
> (*sbuffer)[(*currlen)++] = (char)c;
> - else
> + else if (*buffer)
> (*buffer)[(*currlen)++] = (char)c;
> }


I will look at this again later

> Index: crypto/bio/bss_file.c
> Index: crypto/bn/bn_gf2m.c


ok

> Index: crypto/conf/conf_def.c
> ================================================== =================
> RCS file: /local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/conf/conf_def.c,v
> retrieving revision 1.2
> diff -u -b -r1.2 conf_def.c
> --- crypto/conf/conf_def.c 29 Dec 2005 23:29:14 -0000 1.2
> +++ crypto/conf/conf_def.c 29 Dec 2005 23:54:58 -0000
> @@ -629,7 +629,12 @@
> CONFerr(CONF_F_STR_COPY,CONF_R_VARIABLE_HAS_NO_VAL UE);
> goto err;
> }
> - BUF_MEM_grow_clean(buf,(strlen(p)+buf->length-(e-from)));
> + if (!BUF_MEM_grow_clean(buf,
> + (strlen(p)+buf->length-(e-from))))
> + {
> + CONFerr(CONF_F_STR_COPY, ERR_R_BUF_LIB);
> + goto err;
> + }
> while (*p)
> buf->data[to++]= *(p++);
>
> Index: crypto/ec/ec_asn1.c


ok

> Index: crypto/ec/ec_lib.c
> ================================================== =================
> RCS file: /local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/ec/ec_lib.c,v
> retrieving revision 1.1.1.1
> diff -u -b -r1.1.1.1 ec_lib.c
> --- crypto/ec/ec_lib.c 30 Aug 2005 19:33:35 -0000 1.1.1.1
> +++ crypto/ec/ec_lib.c 29 Dec 2005 23:55:02 -0000
> @@ -124,7 +124,7 @@
> {
> if (!group) return;
>
> - if (group->meth->group_finish != 0)
> + if ((group->meth != NULL) && (group->meth->group_finish != 0))
> group->meth->group_finish(group);


group->meth should never be NULL

> Index: crypto/ec/ec_mult.c
> ================================================== =================
> RCS file: /local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/ec/ec_mult.c,v
> retrieving revision 1.1.1.1
> diff -u -b -r1.1.1.1 ec_mult.c
> --- crypto/ec/ec_mult.c 30 Aug 2005 19:33:35 -0000 1.1.1.1
> +++ crypto/ec/ec_mult.c 29 Dec 2005 23:55:02 -0000
> @@ -436,7 +436,19 @@
> {
> size_t bits;
>
> - bits = i < num ? BN_num_bits(scalars[i]) : BN_num_bits(scalar);
> + if (i < num)
> + {
> + if (scalars[i] != NULL)
> + bits = BN_num_bits(scalars[i]);
> + else goto err;
> + }


unless the user supplies a NULL pointer for a BIGNUM this
shouldn't be necessary

> + else
> + {
> + if (scalar != NULL)
> + bits = BN_num_bits(scalar);
> + else goto err;
> + }


this shouldn't be necessary as we have 'i >= num' if and only if
'num_scalar > 0' but this could only happen if 'scalar != NULL'.

> Index: crypto/ecdsa/ecs_lib.c
> Index: crypto/err/err.c


ok

> Index: crypto/evp/bio_md.c
> ================================================== =================
> RCS file: /local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/evp/bio_md.c,v
> retrieving revision 1.1.1.1
> diff -u -b -r1.1.1.1 bio_md.c
> --- crypto/evp/bio_md.c 30 Aug 2005 19:33:35 -0000 1.1.1.1
> +++ crypto/evp/bio_md.c 29 Dec 2005 23:55:03 -0000
> @@ -158,7 +158,7 @@
> }
> }
> BIO_clear_retry_flags(b);
> - BIO_copy_next_retry(b);
> + if (b->next_bio != NULL) BIO_copy_next_retry(b);
> return(ret);
> }
>


in line 126 (using revision 1.13) there's already a check for
'b->next_bio != NULL'

> Index: crypto/evp/p5_crpt.c
> ================================================== =================
> RCS file: /local/cvs/master/pspOpenSSL/Current/source/openssl/crypto/evp/p5_crpt.c,v
> retrieving revision 1.2
> diff -u -b -r1.2 p5_crpt.c
> --- crypto/evp/p5_crpt.c 29 Dec 2005 23:29:46 -0000 1.2
> +++ crypto/evp/p5_crpt.c 29 Dec 2005 23:55:05 -0000
> @@ -113,8 +113,13 @@
> unsigned char *salt;
> const unsigned char *pbuf;
>
> + if (!param) {
> + EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN,EVP_R_DECODE_ERROR );
> + return 0;
> + }
> +
> /* Extract useful info from parameter */
> - if (param == NULL || param->type != V_ASN1_SEQUENCE ||
> + if (param->type != V_ASN1_SEQUENCE ||
> param->value.sequence == NULL) {
> EVPerr(EVP_F_PKCS5_PBE_KEYIVGEN,EVP_R_DECODE_ERROR );
> return 0;


why ?

> Index: crypto/objects/obj_lib.c
> Index: crypto/rsa/rsa_depr.c
> Index: crypto/store/str_meth.
> Index: crypto/x509/x509_r2x.c
> Index: crypto/x509v3/pcy_tree.c
> Index: engines/e_cswift.c
> Index: engines/e_sureware.c
> Index: ssl/d1_enc.c
> Index: ssl/d1_pkt.c
> Index: ssl/s3_srvr.c


ok

Please have a look at a recent snapahot from the head.

Cheers,
Nils

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org