Reduce version skew.
authorBen Laurie <ben@openssl.org>
Fri, 8 Jun 2012 09:18:47 +0000 (09:18 +0000)
committerBen Laurie <ben@openssl.org>
Fri, 8 Jun 2012 09:18:47 +0000 (09:18 +0000)
86 files changed:
apps/ca.c
apps/dgst.c
apps/dsaparam.c
apps/s_cb.c
apps/s_client.c
apps/s_server.c
apps/speed.c
apps/srp.c
apps/verify.c
apps/x509.c
crypto/aes/aes_misc.c
crypto/bio/bss_dgram.c
crypto/bn/bn_div.c
crypto/bn/bn_gcd.c
crypto/camellia/cmll_misc.c
crypto/cast/c_skey.c
crypto/cms/cms_enc.c
crypto/cms/cms_lib.c
crypto/cryptlib.c
crypto/cryptlib.h
crypto/crypto.h
crypto/des/set_key.c
crypto/des/str2key.c
crypto/ec/ec.h
crypto/ec/ec_pmeth.c
crypto/ec/ecp_mont.c
crypto/ec/ectest.c
crypto/ecdh/ech_key.c
crypto/err/err_all.c
crypto/evp/Makefile
crypto/evp/digest.c
crypto/evp/e_aes_cbc_hmac_sha1.c
crypto/evp/e_rc4.c
crypto/evp/evp.h
crypto/evp/m_dss.c
crypto/evp/m_dss1.c
crypto/evp/m_md4.c
crypto/evp/m_md5.c
crypto/evp/m_mdc2.c
crypto/evp/m_ripemd.c
crypto/evp/m_sha.c
crypto/evp/m_sha1.c
crypto/evp/m_wp.c
crypto/evp/p_sign.c
crypto/evp/p_verify.c
crypto/idea/i_skey.c
crypto/mdc2/mdc2dgst.c
crypto/mem.c
crypto/modes/asm/ghash-x86.pl
crypto/modes/gcm128.c
crypto/pem/pem_lib.c
crypto/pem/pem_seal.c
crypto/perlasm/cbc.pl
crypto/perlasm/x86masm.pl
crypto/pkcs12/p12_key.c
crypto/pkcs7/bio_pk7.c
crypto/rand/md_rand.c
crypto/rand/rand_lib.c
crypto/rand/randfile.c
crypto/rc2/rc2_skey.c
crypto/rsa/rsa.h
crypto/rsa/rsa_eay.c
crypto/seed/seed.c
crypto/sha/asm/sha1-ia64.pl
crypto/sha/asm/sha1-sparcv9a.pl
crypto/sha/asm/sha512-586.pl
crypto/sha/sha1_one.c
crypto/sha/sha1dgst.c
crypto/sha/sha_dgst.c
crypto/srp/srp_vfy.c
crypto/ui/ui_openssl.c
crypto/whrlpool/asm/wp-mmx.pl
crypto/x509/x509_cmp.c
crypto/x86cpuid.pl
ssl/dtls1.h
ssl/s2_srvr.c
ssl/s3_both.c
ssl/s3_clnt.c
ssl/s3_pkt.c
ssl/s3_srvr.c
ssl/ssl.h
ssl/ssl3.h
ssl/ssl_lib.c
ssl/ssl_rsa.c
ssl/ssltest.c
ssl/tls_srp.c

index 2a83d19..1cf50e0 100644 (file)
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1408,6 +1408,7 @@ bad:
                        if (!NCONF_get_number(conf,section,
                                ENV_DEFAULT_CRL_HOURS, &crlhours))
                                crlhours = 0;
+                       ERR_clear_error();
                        }
                if ((crldays == 0) && (crlhours == 0) && (crlsec == 0))
                        {
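Review bot: The added `ERR_clear_error()` empties the whole error queue unconditionally, on the success path as well as after a failed `NCONF_get_number` lookup, and nothing says why. If the intent is only to drop the errors left by absent optional CRL settings, a comment such as `/* CRL days/hours are optional: discard lookup errors for missing keys */` above the call would record that. It would also warn that any earlier, unrelated error still queued at this point is discarded. The enclosing block starts outside the hunk, so which lookups the call is meant to cover is inferred.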
index b08e9a7..81bd870 100644 (file)
@@ -216,10 +216,10 @@ int MAIN(int argc, char **argv)
                        out_bin = 1;
                else if (strcmp(*argv,"-d") == 0)
                        debug=1;
-               else if (strcmp(*argv,"-non-fips-allow") == 0)
-                       non_fips_allow=1;
                else if (!strcmp(*argv,"-fips-fingerprint"))
                        hmac_key = "etaonrishdlcupfm";
+               else if (strcmp(*argv,"-non-fips-allow") == 0)
+                       non_fips_allow=1;
                else if (!strcmp(*argv,"-hmac"))
                        {
                        if (--argc < 1)
index fe72c1d..683d513 100644 (file)
@@ -326,6 +326,7 @@ bad:
                                goto end;
                                }
 #endif
+                       ERR_print_errors(bio_err);
                        BIO_printf(bio_err,"Error, DSA key generation failed\n");
                        goto end;
                        }
@@ -429,13 +430,19 @@ bad:
 
                assert(need_rand);
                if ((dsakey=DSAparams_dup(dsa)) == NULL) goto end;
-               if (!DSA_generate_key(dsakey)) goto end;
+               if (!DSA_generate_key(dsakey))
+                       {
+                       ERR_print_errors(bio_err);
+                       DSA_free(dsakey);
+                       goto end;
+                       }
                if      (outformat == FORMAT_ASN1)
                        i=i2d_DSAPrivateKey_bio(out,dsakey);
                else if (outformat == FORMAT_PEM)
                        i=PEM_write_bio_DSAPrivateKey(out,dsakey,NULL,NULL,0,NULL,NULL);
                else    {
                        BIO_printf(bio_err,"bad output format specified for outfile\n");
+                       DSA_free(dsakey);
                        goto end;
                        }
                DSA_free(dsakey);
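Review bot: `DSA_free(dsakey)` now appears three times in this block (the two new error exits plus the normal path), which makes it easy for a later exit to miss freeing the private key. Initialising `dsakey` to NULL where it is declared and freeing it once at `end:` would cover every path; the declaration and the `end:` label are outside the hunk, so check them before restructuring. The `DSAparams_dup` failure on the context line also still jumps to `end` without `ERR_print_errors(bio_err)`, unlike the new `DSA_generate_key` branch.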
index 2cd7337..160b5bd 100644 (file)
@@ -237,8 +237,8 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
 
                /* If we are using DSA, we can copy the parameters from
                 * the private key */
-               
-               
+
+
                /* Now we know that a key and cert have been set against
                 * the SSL context */
                if (!SSL_CTX_check_private_key(ctx))
index fc806eb..95d23e8 100644 (file)
@@ -357,7 +357,7 @@ static void sc_usage(void)
        BIO_printf(bio_err," -tlsextdebug      - hex dump of all TLS extensions received\n");
        BIO_printf(bio_err," -status           - request certificate status from server\n");
        BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
-# if !defined(OPENSSL_NO_NEXTPROTONEG)
+# ifndef OPENSSL_NO_NEXTPROTONEG
        BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
 # endif
 #endif
@@ -536,7 +536,7 @@ static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, con
        ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
        return SSL_TLSEXT_ERR_OK;
        }
-# endif
+# endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
 #endif
 
 enum
index 3f9b370..7125afa 100644 (file)
@@ -1206,13 +1206,13 @@ int MAIN(int argc, char *argv[])
                        {
                        if (--argc < 1) goto bad;
                        srp_verifier_file = *(++argv);
-                       meth=TLSv1_server_method();
+                       meth = TLSv1_server_method();
                        }
                else if (strcmp(*argv, "-srpuserseed") == 0)
                        {
                        if (--argc < 1) goto bad;
                        srpuserseed = *(++argv);
-                       meth=TLSv1_server_method();
+                       meth = TLSv1_server_method();
                        }
 #endif
                else if (strcmp(*argv,"-www") == 0)
@@ -1730,7 +1730,7 @@ bad:
                }
 #endif
        
-       if (!set_cert_key_stuff(ctx,s_cert,s_key))
+       if (!set_cert_key_stuff(ctx, s_cert, s_key))
                goto end;
 #ifndef OPENSSL_NO_TLSEXT
        if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
@@ -1738,7 +1738,7 @@ bad:
 #endif
        if (s_dcert != NULL)
                {
-               if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
+               if (!set_cert_key_stuff(ctx, s_dcert, s_dkey))
                        goto end;
                }
 
@@ -2433,6 +2433,7 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
        str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
        BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
+
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
        SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
        if (next_proto_neg)
@@ -2701,6 +2702,11 @@ static int www_body(char *hostname, int s, unsigned char *context)
                                }
                        BIO_puts(io,"\n");
 
+                       BIO_printf(io,
+                               "Secure Renegotiation IS%s supported\n",
+                               SSL_get_secure_renegotiation_support(con) ?
+                                                       "" : " NOT");
+
                        /* The following is evil and should not really
                         * be done */
                        BIO_printf(io,"Ciphers supported in s_server binary\n");
index 8358b12..9886ca3 100644 (file)
@@ -254,7 +254,7 @@ static const char *names[ALGOR_NUM]={
   "aes-128 cbc","aes-192 cbc","aes-256 cbc",
   "camellia-128 cbc","camellia-192 cbc","camellia-256 cbc",
   "evp","sha256","sha512","whirlpool",
-  "aes-128 ige","aes-192 ige","aes-256 ige","ghash"};
+  "aes-128 ige","aes-192 ige","aes-256 ige","ghash" };
 static double results[ALGOR_NUM][SIZE_NUM];
 static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
 #ifndef OPENSSL_NO_RSA
@@ -299,7 +299,7 @@ static SIGRETTYPE sig_done(int sig)
 #if defined(_WIN32)
 
 #if !defined(SIGALRM)
-#define SIGALRM
+# define SIGALRM
 #endif
 static unsigned int lapse,schlock;
 static void alarm_win32(unsigned int secs) { lapse = secs*1000; }
index 80e1b8a..9c7ae18 100644 (file)
@@ -125,13 +125,13 @@ static int get_index(CA_DB *db, char* id, char type)
        if (type == DB_SRP_INDEX) 
        for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
                {
-               pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
-               if (pp[DB_srptype][0] == DB_SRP_INDEX  && !strcmp(id, pp[DB_srpid])) 
+               pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
+               if (pp[DB_srptype][0] == DB_SRP_INDEX  && !strcmp(id,pp[DB_srpid])) 
                        return i;
                }
        else for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
                {
-               pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+               pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
 
                if (pp[DB_srptype][0] != DB_SRP_INDEX && !strcmp(id,pp[DB_srpid])) 
                        return i;
@@ -145,7 +145,7 @@ static void print_entry(CA_DB *db, BIO *bio, int indx, int verbose, char *s)
        if (indx >= 0 && verbose)
                {
                int j;
-               char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, indx);
+               char **pp = sk_OPENSSL_PSTRING_value(db->db->data, indx);
                BIO_printf(bio, "%s \"%s\"\n", s, pp[DB_srpid]);
                for (j = 0; j < DB_NUMBER; j++)
                        {
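Review bot: In `print_entry` the result of `sk_OPENSSL_PSTRING_value(db->db->data, indx)` is dereferenced as `pp[DB_srpid]` straight away, and the guard only checks `indx >= 0`. The stack accessor returns NULL for an index past the end, so a check such as `if (pp == NULL) return;` after the assignment would keep a stale or corrupt index from becoming a NULL dereference. The same pattern is in the `print_user` hunk that follows. With the `(char **)` cast removed, the commit also leaves mixed argument spacing (`data, indx` here, `data,i` in `get_index`).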
@@ -163,7 +163,7 @@ static void print_user(CA_DB *db, BIO *bio, int userindex, int verbose)
        {
        if (verbose > 0)
                {
-               char **pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+               char **pp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
 
                if (pp[DB_srptype][0] != 'I')
                        {
@@ -517,7 +517,7 @@ bad:
        /* Lets check some fields */
        for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
                {
-               pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+               pp = sk_OPENSSL_PSTRING_value(db->db->data, i);
        
                if (pp[DB_srptype][0] == DB_SRP_INDEX)
                        {
@@ -533,8 +533,8 @@ bad:
 
        if (gNindex >= 0)
                {
-               gNrow = (char **)sk_OPENSSL_PSTRING_value(db->db->data, gNindex);
-               print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N") ;
+               gNrow = sk_OPENSSL_PSTRING_value(db->db->data,gNindex);
+               print_entry(db, bio_err, gNindex, verbose > 1, "Default g and N");
                }
        else if (maxgN > 0 && !SRP_get_default_gN(gN))
                {
@@ -587,7 +587,7 @@ bad:
                        if (userindex >= 0)
                                {
                                /* reactivation of a new user */
-                               char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+                               char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
                                BIO_printf(bio_err, "user \"%s\" reactivated.\n", user);
                                row[DB_srptype][0] = 'V';
 
@@ -634,7 +634,7 @@ bad:
                        else
                                {
 
-                               char **row = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+                               char **row = sk_OPENSSL_PSTRING_value(db->db->data, userindex);
                                char type = row[DB_srptype][0];
                                if (type == 'v')
                                        {
@@ -664,9 +664,9 @@ bad:
 
                                        if (!(gNid=srp_create_user(user,&(row[DB_srpverifier]), &(row[DB_srpsalt]),gNrow?gNrow[DB_srpsalt]:NULL, gNrow?gNrow[DB_srpverifier]:NULL, passout, bio_err,verbose)))
                                                {
-                                                       BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user);
-                                                       errors++;
-                                                       goto err;
+                                               BIO_printf(bio_err, "Cannot create srp verifier for user \"%s\", operation abandoned.\n", user);
+                                               errors++;
+                                               goto err;
                                                }
 
                                        row[DB_srptype][0] = 'v';
@@ -689,7 +689,7 @@ bad:
                                }
                        else
                                {
-                               char **xpp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, userindex);
+                               char **xpp = sk_OPENSSL_PSTRING_value(db->db->data,userindex);
                                BIO_printf(bio_err, "user \"%s\" revoked. t\n", user);
 
                                xpp[DB_srptype][0] = 'R';
@@ -714,7 +714,7 @@ bad:
                /* Lets check some fields */
                for (i = 0; i < sk_OPENSSL_PSTRING_num(db->db->data); i++)
                        {
-                       pp = (char **)sk_OPENSSL_PSTRING_value(db->db->data, i);
+                       pp = sk_OPENSSL_PSTRING_value(db->db->data,i);
        
                        if (pp[DB_srptype][0] == 'v')
                                {
index b9749dc..0f34b86 100644 (file)
@@ -235,13 +235,16 @@ end:
                BIO_printf(bio_err," [-engine e]");
 #endif
                BIO_printf(bio_err," cert1 cert2 ...\n");
+
                BIO_printf(bio_err,"recognized usages:\n");
-               for(i = 0; i < X509_PURPOSE_get_count(); i++) {
+               for(i = 0; i < X509_PURPOSE_get_count(); i++)
+                       {
                        X509_PURPOSE *ptmp;
                        ptmp = X509_PURPOSE_get0(i);
-                       BIO_printf(bio_err, "\t%-10s\t%s\n", X509_PURPOSE_get0_sname(ptmp),
-                                                               X509_PURPOSE_get0_name(ptmp));
-               }
+                       BIO_printf(bio_err, "\t%-10s\t%s\n",
+                                  X509_PURPOSE_get0_sname(ptmp),
+                                  X509_PURPOSE_get0_name(ptmp));
+                       }
        }
        if (vpm) X509_VERIFY_PARAM_free(vpm);
        if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
index e6e5e0d..3863ab9 100644 (file)
@@ -288,7 +288,7 @@ int MAIN(int argc, char **argv)
                        days=atoi(*(++argv));
                        if (days == 0)
                                {
-                               BIO_printf(STDout,"bad number of days\n");
+                               BIO_printf(bio_err,"bad number of days\n");
                                goto bad;
                                }
                        }
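Review bot: `days=atoi(*(++argv))` on the context line cannot tell a malformed argument from `0`, and a negative value passes the `days == 0` check. Parsing with `strtol` and rejecting anything that is not a fully consumed positive number, `if (end == *argv || *end != '\0' || v <= 0) goto bad;`, would make the "bad number of days" message cover those cases as well. How a negative `days` is used later in `MAIN` is outside the hunk.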
@@ -912,7 +912,7 @@ bad:
                                }
                        else if (text == i)
                                {
-                               X509_print_ex(out,x,nmflag, certflag);
+                               X509_print_ex(STDout,x,nmflag, certflag);
                                }
                        else if (startdate == i)
                                {
index f083488..6c181ca 100644 (file)
@@ -50,7 +50,6 @@
  */
 
 #include <openssl/opensslv.h>
-#include <openssl/crypto.h>
 #include <openssl/aes.h>
 #include "aes_locl.h"
 
index 1b1e4be..46cbe8a 100644 (file)
 #define IP_MTU      14 /* linux is lame */
 #endif
 
+#ifdef __FreeBSD__
+/* Standard definition causes type-punning problems. */
+#undef IN6_IS_ADDR_V4MAPPED
+#define s6_addr32 __u6_addr.__u6_addr32
+#define IN6_IS_ADDR_V4MAPPED(a)               \
+        (((a)->s6_addr32[0] == 0) &&          \
+         ((a)->s6_addr32[1] == 0) &&          \
+         ((a)->s6_addr32[2] == htonl(0x0000ffff)))
+#endif
+
 #ifdef WATT32
 #define sock_write SockWrite  /* Watt-32 uses same names */
 #define sock_read  SockRead
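Review bot: `#define s6_addr32 __u6_addr.__u6_addr32` is unconditional and depends on the platform's private union member names, so it will clash or break if the system header already provides `s6_addr32` or renames the member. Guarding it, `#ifndef s6_addr32` / `# define s6_addr32 __u6_addr.__u6_addr32` / `#endif`, keeps the override limited to the case it is needed for. The replacement `IN6_IS_ADDR_V4MAPPED(a)` also evaluates `a` three times. That deserves a one-line comment, because callers of the standard name may pass an expression with side effects.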
index 52b3304..7b24031 100644 (file)
@@ -141,6 +141,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
     *
     *                                  <appro@fy.chalmers.se>
     */
+#undef bn_div_words
 #  define bn_div_words(n0,n1,d0)               \
        ({  asm volatile (                      \
                "divl   %4"                     \
@@ -155,6 +156,7 @@ int BN_div(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d,
     * Same story here, but it's 128-bit by 64-bit division. Wow!
     *                                  <appro@fy.chalmers.se>
     */
+#  undef bn_div_words
 #  define bn_div_words(n0,n1,d0)               \
        ({  asm volatile (                      \
                "divq   %4"                     \
index 4a35211..a808f53 100644 (file)
@@ -205,6 +205,7 @@ err:
 /* solves ax == 1 (mod n) */
 static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
         const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx);
+
 BIGNUM *BN_mod_inverse(BIGNUM *in,
        const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
        {
index f44d485..614b43b 100644 (file)
@@ -50,7 +50,6 @@
  */
  
 #include <openssl/opensslv.h>
-#include <openssl/crypto.h>
 #include <openssl/camellia.h>
 #include "cmll_locl.h"
 
index cb6bf9f..3c18774 100644 (file)
@@ -56,7 +56,6 @@
  * [including the GNU Public Licence.]
  */
 
-#include <openssl/crypto.h>
 #include <openssl/cast.h>
 #include "cast_lcl.h"
 #include "cast_s.h"
index f873ce3..bebeaf2 100644 (file)
@@ -74,7 +74,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
        X509_ALGOR *calg = ec->contentEncryptionAlgorithm;
        unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL;
        unsigned char *tkey = NULL;
-       size_t tkeylen;
+       size_t tkeylen = 0;
 
        int ok = 0;
 
index f88e8f3..b62d1bf 100644 (file)
@@ -411,9 +411,7 @@ int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain,
                 * algorithm  OID instead of digest.
                 */
                        || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid)
-                       {
                        return EVP_MD_CTX_copy_ex(mctx, mtmp);
-                       }
                chain = BIO_next(chain);
                }
        }
index 766ea8c..97f0ddb 100644 (file)
@@ -704,6 +704,7 @@ void OPENSSL_cpuid_setup(void)
     }
     else
        vec = OPENSSL_ia32_cpuid();
+
     /*
      * |(1<<10) sets a reserved bit to signal that variable
      * was initialized already... This is to avoid interference
index 1761f6b..d26f963 100644 (file)
@@ -100,7 +100,7 @@ extern "C" {
 
 void OPENSSL_cpuid_setup(void);
 extern unsigned int OPENSSL_ia32cap_P[];
-void OPENSSL_showfatal(const char *,...);
+void OPENSSL_showfatal(const char *fmta,...);
 void *OPENSSL_stderr(void);
 extern int OPENSSL_NONPIC_relocated;
 
index 6aeda0a..6160576 100644 (file)
@@ -488,10 +488,10 @@ void CRYPTO_get_mem_debug_functions(void (**m)(void *,int,const char *,int,int),
                                    long (**go)(void));
 
 void *CRYPTO_malloc_locked(int num, const char *file, int line);
-void CRYPTO_free_locked(void *);
+void CRYPTO_free_locked(void *ptr);
 void *CRYPTO_malloc(int num, const char *file, int line);
 char *CRYPTO_strdup(const char *str, const char *file, int line);
-void CRYPTO_free(void *);
+void CRYPTO_free(void *ptr);
 void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
 void *CRYPTO_realloc_clean(void *addr,int old_num,int num,const char *file,
                           int line);
index d3e69ca..da4d62e 100644 (file)
@@ -63,9 +63,8 @@
  * 1.1 added norm_expand_bits
  * 1.0 First working version
  */
-#include "des_locl.h"
-
 #include <openssl/crypto.h>
+#include "des_locl.h"
 
 OPENSSL_IMPLEMENT_GLOBAL(int,DES_check_key,0)  /* defaults to false */
 
index 9c2054b..1077f99 100644 (file)
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#include "des_locl.h"
 #include <openssl/crypto.h>
+#include "des_locl.h"
 
 void DES_string_to_key(const char *str, DES_cblock *key)
        {
index 9d01325..126fc14 100644 (file)
@@ -274,10 +274,10 @@ int EC_GROUP_get_curve_name(const EC_GROUP *group);
 void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag);
 int EC_GROUP_get_asn1_flag(const EC_GROUP *group);
 
-void EC_GROUP_set_point_conversion_form(EC_GROUP *, point_conversion_form_t);
+void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form);
 point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *);
 
-unsigned char *EC_GROUP_get0_seed(const EC_GROUP *);
+unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x);
 size_t EC_GROUP_get_seed_len(const EC_GROUP *);
 size_t EC_GROUP_set_seed(EC_GROUP *, const unsigned char *, size_t len);
 
@@ -626,8 +626,8 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *c
  */
 int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx);
 
-int EC_POINT_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
-int EC_POINTs_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *);
+int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx);
+int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx);
 
 /** Computes r = generator * n sum_{i=0}^num p[i] * m[i]
  *  \param  group  underlying EC_GROUP object
@@ -800,16 +800,16 @@ const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
 int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
 
 unsigned EC_KEY_get_enc_flags(const EC_KEY *key);
-void EC_KEY_set_enc_flags(EC_KEY *, unsigned int);
-point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *);
-void EC_KEY_set_conv_form(EC_KEY *, point_conversion_form_t);
+void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);
+point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
+void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
 /* functions to set/get method specific data  */
-void *EC_KEY_get_key_method_data(EC_KEY *, 
+void *EC_KEY_get_key_method_data(EC_KEY *key
        void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
-void EC_KEY_insert_key_method_data(EC_KEY *, void *data,
+void EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
        void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *));
 /* wrapper functions for the underlying EC_GROUP object */
-void EC_KEY_set_asn1_flag(EC_KEY *, int);
+void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
 
 /** Creates a table of pre-computed multiples of the generator to 
  *  accelerate further EC_KEY operations.
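Review bot: The new declaration `void *EC_KEY_get_key_method_data(EC_KEY *key` has lost the comma that followed the first parameter on the removed line. As shown, the prototype runs straight into `void *(*dup_func)(void *)` on the next line and the header will not compile. It should read `void *EC_KEY_get_key_method_data(EC_KEY *key,`. The added names are also inconsistent for the same type (`key` and `eckey` for `EC_KEY *`, `x` for the group in `EC_GROUP_get0_seed` in the first ec.h hunk), and several neighbouring prototypes are still unnamed.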
index d1ed66c..66ee397 100644 (file)
@@ -188,7 +188,7 @@ static int pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)
 
        pubkey = EC_KEY_get0_public_key(ctx->peerkey->pkey.ec);
 
-       /* NB: unlike PKS#3 DH, if *outlen is less than maximum size this is
+       /* NB: unlike PKCS#3 DH, if *outlen is less than maximum size this is
         * not an error, the result is truncated.
         */
 
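Review bot: The corrected comment still refers to `*outlen`, but the parameter is `keylen` (`pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen)` in the hunk header). Because it documents silent truncation of the derived shared secret, it should name the real parameter: `/* NB: unlike PKCS#3 DH, if *keylen is less than the maximum size this is not an error; the result is truncated. */`. The rest of the function is outside the hunk.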
index 079e474..f04f132 100644 (file)
@@ -114,7 +114,6 @@ const EC_METHOD *EC_GFp_mont_method(void)
                ec_GFp_mont_field_decode,
                ec_GFp_mont_field_set_to_one };
 
-
        return &ret;
 #endif
        }
index f107782..102eaa9 100644 (file)
@@ -236,7 +236,7 @@ static void group_order_tests(EC_GROUP *group)
        }
 
 static void prime_field_tests(void)
-       {       
+       {
        BN_CTX *ctx = NULL;
        BIGNUM *p, *a, *b;
        EC_GROUP *group;
index f44da92..2988899 100644 (file)
@@ -68,9 +68,6 @@
  */
 
 #include "ech_locl.h"
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
 
 int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key,
        EC_KEY *eckey,
index bd8946d..edafdc0 100644 (file)
@@ -95,6 +95,9 @@
 #include <openssl/ui.h>
 #include <openssl/ocsp.h>
 #include <openssl/err.h>
+#ifdef OPENSSL_FIPS
+#include <openssl/fips.h>
+#endif
 #include <openssl/ts.h>
 #ifndef OPENSSL_NO_CMS
 #include <openssl/cms.h>
 #endif
 #include <openssl/comp.h>
 
-#ifdef OPENSSL_FIPS
-#include <openssl/fips.h>
-#endif
-
 void ERR_load_crypto_strings(void)
        {
 #ifndef OPENSSL_NO_ERR
@@ -153,6 +152,9 @@ void ERR_load_crypto_strings(void)
 #endif
        ERR_load_OCSP_strings();
        ERR_load_UI_strings();
+#ifdef OPENSSL_FIPS
+       ERR_load_FIPS_strings();
+#endif
 #ifndef OPENSSL_NO_CMS
        ERR_load_CMS_strings();
 #endif
@@ -160,8 +162,5 @@ void ERR_load_crypto_strings(void)
        ERR_load_JPAKE_strings();
 #endif
        ERR_load_COMP_strings();
-#endif
-#ifdef OPENSSL_FIPS
-       ERR_load_FIPS_strings();
 #endif
        }
index 0fe1b96..a6ae5b3 100644 (file)
@@ -67,7 +67,7 @@ files:
 links:
        @$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
        @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
-       cp $(TESTDATA) ../../test
+       [ ! -f $(TESTDATA) ] || cp $(TESTDATA) ../../test
        @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
 
 install:
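Review bot: `[ ! -f $(TESTDATA) ] || cp $(TESTDATA) ../../test` skips the copy silently when the file is absent, so a tree that has lost its test vectors still completes `links` without any sign. The unquoted expansion also makes the `[` test misbehave if `TESTDATA` is empty or names more than one file; its definition is outside the hunk. If a missing file is expected only in some configurations, add a comment saying so, or an `echo` on the skip path, so the skipped case is visible in the build log.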
index 467e6b5..6fc469f 100644 (file)
@@ -267,6 +267,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *size)
        return FIPS_digestfinal(ctx, md, size);
 #else
        int ret;
+
        OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE);
        ret=ctx->digest->final(ctx,md);
        if (size != NULL)
index 710fb79..a5034d7 100644 (file)
@@ -58,7 +58,6 @@
 #include <openssl/objects.h>
 #include <openssl/aes.h>
 #include <openssl/sha.h>
-#include "evp_locl.h"
 
 #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
 #define EVP_CIPH_FLAG_AEAD_CIPHER      0x200000
index b4f6bda..8b5175e 100644 (file)
@@ -62,7 +62,6 @@
 #ifndef OPENSSL_NO_RC4
 
 #include <openssl/evp.h>
-#include "evp_locl.h"
 #include <openssl/objects.h>
 #include <openssl/rc4.h>
 
index 0d1b20a..293a52b 100644 (file)
@@ -402,7 +402,6 @@ struct evp_cipher_st
 /* Length of tag for TLS */
 #define EVP_GCM_TLS_TAG_LEN                            16
 
-
 typedef struct evp_cipher_info_st
        {
        const EVP_CIPHER *cipher;
@@ -789,8 +788,8 @@ const EVP_CIPHER *EVP_aes_128_cfb128(void);
 # define EVP_aes_128_cfb EVP_aes_128_cfb128
 const EVP_CIPHER *EVP_aes_128_ofb(void);
 const EVP_CIPHER *EVP_aes_128_ctr(void);
-const EVP_CIPHER *EVP_aes_128_gcm(void);
 const EVP_CIPHER *EVP_aes_128_ccm(void);
+const EVP_CIPHER *EVP_aes_128_gcm(void);
 const EVP_CIPHER *EVP_aes_128_xts(void);
 const EVP_CIPHER *EVP_aes_192_ecb(void);
 const EVP_CIPHER *EVP_aes_192_cbc(void);
@@ -800,8 +799,8 @@ const EVP_CIPHER *EVP_aes_192_cfb128(void);
 # define EVP_aes_192_cfb EVP_aes_192_cfb128
 const EVP_CIPHER *EVP_aes_192_ofb(void);
 const EVP_CIPHER *EVP_aes_192_ctr(void);
-const EVP_CIPHER *EVP_aes_192_gcm(void);
 const EVP_CIPHER *EVP_aes_192_ccm(void);
+const EVP_CIPHER *EVP_aes_192_gcm(void);
 const EVP_CIPHER *EVP_aes_256_ecb(void);
 const EVP_CIPHER *EVP_aes_256_cbc(void);
 const EVP_CIPHER *EVP_aes_256_cfb1(void);
@@ -810,8 +809,8 @@ const EVP_CIPHER *EVP_aes_256_cfb128(void);
 # define EVP_aes_256_cfb EVP_aes_256_cfb128
 const EVP_CIPHER *EVP_aes_256_ofb(void);
 const EVP_CIPHER *EVP_aes_256_ctr(void);
-const EVP_CIPHER *EVP_aes_256_gcm(void);
 const EVP_CIPHER *EVP_aes_256_ccm(void);
+const EVP_CIPHER *EVP_aes_256_gcm(void);
 const EVP_CIPHER *EVP_aes_256_xts(void);
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1)
 const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void);
index 4ad63ad..6fb7e9a 100644 (file)
@@ -60,7 +60,7 @@
 #include "cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#include <openssl/x509.h>
+#include <openssl/sha.h>
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
index f80170e..2df362a 100644 (file)
@@ -63,7 +63,7 @@
 
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#include <openssl/x509.h>
+#include <openssl/sha.h>
 #ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
 #endif
index 6d47f61..1e0b7c5 100644 (file)
@@ -69,8 +69,6 @@
 #include <openssl/rsa.h>
 #endif
 
-#include "evp_locl.h"
-
 static int init(EVP_MD_CTX *ctx)
        { return MD4_Init(ctx->md_data); }
 
index 9a8bae0..63c1421 100644 (file)
@@ -68,7 +68,6 @@
 #ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
-#include "evp_locl.h"
 
 static int init(EVP_MD_CTX *ctx)
        { return MD5_Init(ctx->md_data); }
index 3602bed..b08d559 100644 (file)
@@ -69,8 +69,6 @@
 #include <openssl/rsa.h>
 #endif
 
-#include "evp_locl.h"
-
 static int init(EVP_MD_CTX *ctx)
        { return MDC2_Init(ctx->md_data); }
 
index 7bf4804..a1d60ee 100644 (file)
@@ -68,7 +68,6 @@
 #ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
-#include "evp_locl.h"
 
 static int init(EVP_MD_CTX *ctx)
        { return RIPEMD160_Init(ctx->md_data); }
index 8769cdd..acccc8f 100644 (file)
@@ -67,7 +67,6 @@
 #ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
-#include "evp_locl.h"
 
 static int init(EVP_MD_CTX *ctx)
        { return SHA_Init(ctx->md_data); }
index 3cb11f1..bd0c01a 100644 (file)
@@ -65,7 +65,7 @@
 
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#include <openssl/x509.h>
+#include <openssl/sha.h>
 #ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
 #endif
index c51bc2d..1ce47c0 100644 (file)
@@ -9,7 +9,6 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/whrlpool.h>
-#include "evp_locl.h"
 
 static int init(EVP_MD_CTX *ctx)
        { return WHIRLPOOL_Init(ctx->md_data); }
index dfa48c1..8afb664 100644 (file)
@@ -80,7 +80,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen,
        {
        unsigned char m[EVP_MAX_MD_SIZE];
        unsigned int m_len;
-       int i=0,ok=0,v;
+       int i = 0,ok = 0,v;
        EVP_MD_CTX tmp_ctx;
        EVP_PKEY_CTX *pkctx = NULL;
 
index 5f5c409..c66d63c 100644 (file)
@@ -67,7 +67,7 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf,
        {
        unsigned char m[EVP_MAX_MD_SIZE];
        unsigned int m_len;
-       int i=-1,ok=0,v;
+       int i = 0,ok = 0,v;
        EVP_MD_CTX tmp_ctx;
        EVP_PKEY_CTX *pkctx = NULL;
 
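Review bot: `int i = 0,ok = 0,v;` is not only a spacing change: the removed line initialised `i` to `-1`, so any path that returns `i` before assigning it now reports 0 instead of -1. Both values mean failure, but callers that distinguish "signature did not verify" from "error" will see a different result. The body of `EVP_VerifyFinal` is outside the hunk, so which paths are affected is not visible. If the change is intended, record it with a comment on the declaration, e.g. `/* i: 1 = verified, <= 0 = failure; starts at 0 so an early exit never reads as success */`.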
index afb8309..2debbc1 100644 (file)
@@ -56,7 +56,6 @@
  * [including the GNU Public Licence.]
  */
 
-#include <openssl/crypto.h>
 #include <openssl/idea.h>
 #include "idea_lcl.h"
 
index b74bb1a..d66ed6a 100644 (file)
@@ -59,9 +59,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <openssl/crypto.h>
 #include <openssl/des.h>
 #include <openssl/mdc2.h>
-#include <openssl/crypto.h>
 
 #undef c2l
 #define c2l(c,l)       (l =((DES_LONG)(*((c)++)))    , \
index 21c0011..1cc62ea 100644 (file)
@@ -121,10 +121,10 @@ static void (*set_debug_options_func)(long) = NULL;
 static long (*get_debug_options_func)(void) = NULL;
 #endif
 
-
 int CRYPTO_set_mem_functions(void *(*m)(size_t), void *(*r)(void *, size_t),
        void (*f)(void *))
        {
+       /* Dummy call just to ensure OPENSSL_init() gets linked in */
        OPENSSL_init();
        if (!allow_customize)
                return 0;
index 6b09669..83c727e 100644 (file)
@@ -635,7 +635,7 @@ sub mmx_loop() {
     { my @lo  = ("mm0","mm1","mm2");
       my @hi  = ("mm3","mm4","mm5");
       my @tmp = ("mm6","mm7");
-      my $off1=0,$off2=0,$i;
+      my ($off1,$off2,$i) = (0,0,);
 
       &add     ($Htbl,128);                    # optimize for size
       &lea     ("edi",&DWP(16+128,"esp"));
@@ -883,7 +883,7 @@ sub reduction_alg9 {        # 17/13 times faster than Intel version
 my ($Xhi,$Xi) = @_;
 
        # 1st phase
-       &movdqa         ($T1,$Xi)               #
+       &movdqa         ($T1,$Xi);              #
        &psllq          ($Xi,1);
        &pxor           ($Xi,$T1);              #
        &psllq          ($Xi,5);                #
@@ -1019,7 +1019,7 @@ my ($Xhi,$Xi) = @_;
        &movdqa         ($Xhn,$Xn);
         &pxor          ($Xhi,$T1);             # "Ii+Xi", consume early
 
-         &movdqa       ($T1,$Xi)               #&reduction_alg9($Xhi,$Xi); 1st phase
+         &movdqa       ($T1,$Xi);              #&reduction_alg9($Xhi,$Xi); 1st phase
          &psllq        ($Xi,1);
          &pxor         ($Xi,$T1);              #
          &psllq        ($Xi,5);                #
index 7d6d034..ec6c1b3 100644 (file)
@@ -723,7 +723,7 @@ void CRYPTO_gcm128_init(GCM128_CONTEXT *ctx,void *key,block128_f block)
 #  endif
        gcm_init_4bit(ctx->Htable,ctx->H.u);
 #  if  defined(GHASH_ASM_X86)                  /* x86 only */
-#   if defined(OPENSSL_IA32_SSE2)
+#   if defined(OPENSSL_IA32_SSE2)
        if (OPENSSL_ia32cap_P[0]&(1<<25)) {     /* check SSE bit */
 #   else
        if (OPENSSL_ia32cap_P[0]&(1<<23)) {     /* check MMX bit */
index cfc89a9..5a421fc 100644 (file)
@@ -394,7 +394,8 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
                        goto err;
                /* The 'iv' is used as the iv and as a salt.  It is
                 * NOT taken from the BytesToKey function */
-               EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL);
+               if (!EVP_BytesToKey(enc,EVP_md5(),iv,kstr,klen,1,key,NULL))
+                       goto err;
 
                if (kstr == (unsigned char *)buf) OPENSSL_cleanse(buf,PEM_BUFSIZE);
 
@@ -406,12 +407,15 @@ int PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp,
                /* k=strlen(buf); */
 
                EVP_CIPHER_CTX_init(&ctx);
-               EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv);
-               EVP_EncryptUpdate(&ctx,data,&j,data,i);
-               EVP_EncryptFinal_ex(&ctx,&(data[j]),&i);
+               ret = 1;
+               if (!EVP_EncryptInit_ex(&ctx,enc,NULL,key,iv)
+                       || !EVP_EncryptUpdate(&ctx,data,&j,data,i)
+                       || !EVP_EncryptFinal_ex(&ctx,&(data[j]),&i))
+                       ret = 0;
                EVP_CIPHER_CTX_cleanup(&ctx);
+               if (ret == 0)
+                       goto err;
                i+=j;
-               ret=1;
                }
        else
                {
@@ -459,14 +463,17 @@ int PEM_do_header(EVP_CIPHER_INFO *cipher, unsigned char *data, long *plen,
        ebcdic2ascii(buf, buf, klen);
 #endif
 
-       EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]),
-               (unsigned char *)buf,klen,1,key,NULL);
+       if (!EVP_BytesToKey(cipher->cipher,EVP_md5(),&(cipher->iv[0]),
+               (unsigned char *)buf,klen,1,key,NULL))
+               return 0;
 
        j=(int)len;
        EVP_CIPHER_CTX_init(&ctx);
-       EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0]));
-       EVP_DecryptUpdate(&ctx,data,&i,data,j);
-       o=EVP_DecryptFinal_ex(&ctx,&(data[i]),&j);
+       o = EVP_DecryptInit_ex(&ctx,cipher->cipher,NULL, key,&(cipher->iv[0]));
+       if (o)
+               o = EVP_DecryptUpdate(&ctx,data,&i,data,j);
+       if (o)
+               o = EVP_DecryptFinal_ex(&ctx,&(data[i]),&j);
        EVP_CIPHER_CTX_cleanup(&ctx);
        OPENSSL_cleanse((char *)buf,sizeof(buf));
        OPENSSL_cleanse((char *)key,sizeof(key));
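Review bot: The new `return 0;` after a failed EVP_BytesToKey() leaves the function before the two OPENSSL_cleanse() calls at the end of this hunk, so the passphrase in `buf` and anything already written to `key` stay on the stack on that path. Scrub both before returning: replace the bare return with `{ OPENSSL_cleanse((char *)buf,sizeof(buf)); OPENSSL_cleanse((char *)key,sizeof(key)); return 0; }`. The start of PEM_do_header is outside the hunk, so any earlier early-return that follows the passphrase callback deserves the same check.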
index 59690b5..b6b4e13 100644 (file)
@@ -96,7 +96,8 @@ int PEM_SealInit(PEM_ENCODE_SEAL_CTX *ctx, EVP_CIPHER *type, EVP_MD *md_type,
        EVP_EncodeInit(&ctx->encode);
 
        EVP_MD_CTX_init(&ctx->md);
-       EVP_SignInit(&ctx->md,md_type);
+       if (!EVP_SignInit(&ctx->md,md_type))
+               goto err;
 
        EVP_CIPHER_CTX_init(&ctx->cipher);
        ret=EVP_SealInit(&ctx->cipher,type,ek,ekl,iv,pubk,npubk);
@@ -163,7 +164,8 @@ int PEM_SealFinal(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *sig, int *sigl,
                goto err;
                }
 
-       EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i);
+       if (!EVP_EncryptFinal_ex(&ctx->cipher,s,(int *)&i))
+               goto err;
        EVP_EncodeUpdate(&ctx->encode,out,&j,s,i);
        *outl=j;
        out+=j;
index 6fc2510..24561e7 100644 (file)
@@ -150,7 +150,7 @@ sub cbc
 &set_label("PIC_point");
        &blindpop("edx");
        &lea("ecx",&DWP(&label("cbc_enc_jmp_table")."-".&label("PIC_point"),"edx"));
-       &mov($count,&DWP(0,"ecx",$count,4))
+       &mov($count,&DWP(0,"ecx",$count,4));
        &add($count,"edx");
        &xor("ecx","ecx");
        &xor("edx","edx");
index 96b1b73..f937d07 100644 (file)
@@ -33,6 +33,7 @@ sub ::generic
 sub ::call     { &::emit("call",(&::islabel($_[0]) or "$nmdecor$_[0]")); }
 sub ::call_ptr { &::emit("call",@_);   }
 sub ::jmp_ptr  { &::emit("jmp",@_);    }
+sub ::lock     { &::data_byte(0xf0);   }
 
 sub get_mem
 { my($size,$addr,$reg1,$reg2,$idx)=@_;
index c55c7b6..61d5850 100644 (file)
@@ -176,24 +176,32 @@ int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt,
                out += u;
                for (j = 0; j < v; j++) B[j] = Ai[j % u];
                /* Work out B + 1 first then can use B as tmp space */
-               if (!BN_bin2bn (B, v, Bpl1)) goto err;
-               if (!BN_add_word (Bpl1, 1)) goto err;
+               if (!BN_bin2bn (B, v, Bpl1))
+                       goto err;
+               if (!BN_add_word (Bpl1, 1))
+                       goto err;
                for (j = 0; j < Ilen ; j+=v) {
-                       if (!BN_bin2bn (I + j, v, Ij)) goto err;
-                       if (!BN_add (Ij, Ij, Bpl1)) goto err;
-                       BN_bn2bin (Ij, B);
+                       if (!BN_bin2bn(I + j, v, Ij))
+                               goto err;
+                       if (!BN_add(Ij, Ij, Bpl1))
+                               goto err;
+                       if (!BN_bn2bin(Ij, B))
+                               goto err;
                        Ijlen = BN_num_bytes (Ij);
                        /* If more than 2^(v*8) - 1 cut off MSB */
                        if (Ijlen > v) {
-                               BN_bn2bin (Ij, B);
+                               if (!BN_bn2bin (Ij, B))
+                                       goto err;
                                memcpy (I + j, B + 1, v);
 #ifndef PKCS12_BROKEN_KEYGEN
                        /* If less than v bytes pad with zeroes */
                        } else if (Ijlen < v) {
                                memset(I + j, 0, v - Ijlen);
-                               BN_bn2bin(Ij, I + j + v - Ijlen); 
+                               if (!BN_bn2bin(Ij, I + j + v - Ijlen))
+                                       goto err;
 #endif
-                       } else BN_bn2bin (Ij, I + j);
+                       } else if (!BN_bn2bin (Ij, I + j))
+                               goto err;
                }
        }
 
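Review bot: BN_bn2bin() returns the number of bytes it wrote rather than a success flag, so the new `if (!BN_bn2bin(...)) goto err;` checks test for a zero-length value, not for a failure. In this loop `Bpl1` is at least 1 after BN_add_word() and `Ij` comes from BN_bin2bn(), so the sum should never be zero and these branches look unreachable. Read as error handling they are misleading, and the same pattern copied to a place where zero is a valid value would reject good input. Either drop the checks or document them, e.g. `/* BN_bn2bin returns a length; 0 cannot occur because Ij >= 1 here */`. PKCS12_key_gen_uni starts and ends outside the hunk.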
index c8d06d6..0fd31e7 100644 (file)
@@ -56,7 +56,7 @@
 #include <openssl/pkcs7.h>
 #include <openssl/bio.h>
 
-#ifndef OPENSSL_SYSNAME_NETWARE
+#if !defined(OPENSSL_SYSNAME_NETWARE) && !defined(OPENSSL_SYSNAME_VXWORKS)
 #include <memory.h>
 #endif
 #include <stdio.h>
index fcdd3f2..1e3bcb9 100644 (file)
 
 #include "e_os.h"
 
+#include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include "rand_lcl.h"
 
-#include <openssl/crypto.h>
 #include <openssl/err.h>
 
 #ifdef BN_DEBUG
index daf1dab..89c8a38 100644 (file)
@@ -235,14 +235,12 @@ static size_t drbg_get_adin(DRBG_CTX *ctx, unsigned char **pout)
 static int drbg_rand_add(DRBG_CTX *ctx, const void *in, int inlen,
                                double entropy)
        {
-       RAND_SSLeay()->add(in, inlen, entropy);
-       return 1;
+       return RAND_SSLeay()->add(in, inlen, entropy);
        }
 
 static int drbg_rand_seed(DRBG_CTX *ctx, const void *in, int inlen)
        {
-       RAND_SSLeay()->seed(in, inlen);
-       return 1;
+       return RAND_SSLeay()->seed(in, inlen);
        }
 
 #ifndef OPENSSL_DRBG_DEFAULT_TYPE
index 030e07f..7f14280 100644 (file)
@@ -57,7 +57,9 @@
  */
 
 /* We need to define this to get macros like S_IFBLK and S_IFCHR */
+#if !defined(OPENSSL_SYS_VXWORKS)
 #define _XOPEN_SOURCE 500
+#endif
 
 #include <errno.h>
 #include <stdio.h>
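Review bot: The new `#if !defined(OPENSSL_SYS_VXWORKS)` is evaluated before any `#include` shown in this hunk, so it only has an effect if that macro is already defined at this point. If OPENSSL_SYS_VXWORKS is set by an OpenSSL header rather than on the compiler command line (not visible here; the bio_pk7.c hunk in this commit tests `OPENSSL_SYSNAME_VXWORKS` instead), the condition is always true and `_XOPEN_SOURCE` is still defined on VxWorks. Either include the header that defines the macro ahead of the guard, keeping it before the system headers, or test the macro the build actually passes in, and name it in the comment above the guard.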
index 6668ac0..065b2fd 100644 (file)
@@ -56,7 +56,6 @@
  * [including the GNU Public Licence.]
  */
 
-#include <openssl/crypto.h>
 #include <openssl/rc2.h>
 #include "rc2_locl.h"
 
index 4814a2f..5f269e5 100644 (file)
@@ -280,7 +280,7 @@ struct rsa_st
 
 RSA *  RSA_new(void);
 RSA *  RSA_new_method(ENGINE *engine);
-int    RSA_size(const RSA *);
+int    RSA_size(const RSA *rsa);
 
 /* Deprecated version */
 #ifndef OPENSSL_NO_DEPRECATED
index 2e1ddd4..88ee2cb 100644 (file)
@@ -847,12 +847,12 @@ static int RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
        if (!BN_mod(r0,pr1,rsa->p,ctx)) goto err;
 
        /* If p < q it is occasionally possible for the correction of
-         * adding 'p' if r0 is negative above to leave the result still
+        * adding 'p' if r0 is negative above to leave the result still
         * negative. This can break the private key operations: the following
         * second correction should *always* correct this rare occurrence.
         * This will *never* happen with OpenSSL generated keys because
-         * they ensure p > q [steve]
-         */
+        * they ensure p > q [steve]
+        */
        if (BN_is_negative(r0))
                if (!BN_add(r0,r0,rsa->p)) goto err;
        if (!BN_mul(r1,r0,rsa->q,ctx)) goto err;
index 3e675a8..6e1a6b9 100644 (file)
@@ -32,7 +32,6 @@
 #include <memory.h>
 #endif
 
-#include <openssl/crypto.h>
 #include <openssl/seed.h>
 #include "seed_locl.h"
 
index db28f08..02d35d1 100644 (file)
@@ -271,7 +271,8 @@ tmp6=loc13;
 
 ___
 
-{ my $i,@V=($A,$B,$C,$D,$E);
+{ my $i;
+  my @V=($A,$B,$C,$D,$E);
 
        for($i=0;$i<16;$i++)    { &BODY_00_15(\$code,$i,@V); unshift(@V,pop(@V)); }
        for(;$i<20;$i++)        { &BODY_16_19(\$code,$i,@V); unshift(@V,pop(@V)); }
index 85e8d68..e65291b 100644 (file)
@@ -549,7 +549,7 @@ ___
 # programmer detect if current CPU is VIS capable at run-time.
 sub unvis {
 my ($mnemonic,$rs1,$rs2,$rd)=@_;
-my $ref,$opf;
+my ($ref,$opf);
 my %visopf = ( "fmul8ulx16"    => 0x037,
                "faligndata"    => 0x048,
                "fpadd32"       => 0x052,
index 5b9f333..7eab6a5 100644 (file)
@@ -142,9 +142,9 @@ sub BODY_00_15_x86 {
        &mov    ("edx",$Ehi);
        &mov    ("esi","ecx");
 
-       &shr    ("ecx",9)       # lo>>9
+       &shr    ("ecx",9);      # lo>>9
        &mov    ("edi","edx");
-       &shr    ("edx",9)       # hi>>9
+       &shr    ("edx",9);      # hi>>9
        &mov    ("ebx","ecx");
        &shl    ("esi",14);     # lo<<14
        &mov    ("eax","edx");
@@ -207,9 +207,9 @@ sub BODY_00_15_x86 {
        &mov    ($Dhi,"ebx");
        &mov    ("esi","ecx");
 
-       &shr    ("ecx",2)       # lo>>2
+       &shr    ("ecx",2);      # lo>>2
        &mov    ("edi","edx");
-       &shr    ("edx",2)       # hi>>2
+       &shr    ("edx",2);      # hi>>2
        &mov    ("ebx","ecx");
        &shl    ("esi",4);      # lo<<4
        &mov    ("eax","edx");
@@ -452,9 +452,9 @@ if ($sse2) {
        &mov    ("edx",&DWP(8*(9+15+16-1)+4,"esp"));
        &mov    ("esi","ecx");
 
-       &shr    ("ecx",1)       # lo>>1
+       &shr    ("ecx",1);      # lo>>1
        &mov    ("edi","edx");
-       &shr    ("edx",1)       # hi>>1
+       &shr    ("edx",1);      # hi>>1
        &mov    ("eax","ecx");
        &shl    ("esi",24);     # lo<<24
        &mov    ("ebx","edx");
@@ -488,9 +488,9 @@ if ($sse2) {
        &mov    ("edx",&DWP(8*(9+15+16-14)+4,"esp"));
        &mov    ("esi","ecx");
 
-       &shr    ("ecx",6)       # lo>>6
+       &shr    ("ecx",6);      # lo>>6
        &mov    ("edi","edx");
-       &shr    ("edx",6)       # hi>>6
+       &shr    ("edx",6);      # hi>>6
        &mov    ("eax","ecx");
        &shl    ("esi",3);      # lo<<3
        &mov    ("ebx","edx");
index 7c65b60..c56ec94 100644 (file)
@@ -58,8 +58,8 @@
 
 #include <stdio.h>
 #include <string.h>
-#include <openssl/sha.h>
 #include <openssl/crypto.h>
+#include <openssl/sha.h>
 
 #ifndef OPENSSL_NO_SHA1
 unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
index 81219af..a986902 100644 (file)
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#include <openssl/opensslconf.h>
 #include <openssl/crypto.h>
+#include <openssl/opensslconf.h>
 #if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA)
 
 #undef  SHA_0
index c946ad8..fb63b17 100644 (file)
@@ -56,8 +56,8 @@
  * [including the GNU Public Licence.]
  */
 
-#include <openssl/opensslconf.h>
 #include <openssl/crypto.h>
+#include <openssl/opensslconf.h>
 #if !defined(OPENSSL_NO_SHA0) && !defined(OPENSSL_NO_SHA)
 
 #undef  SHA_1
index c8be907..4a3d13e 100644 (file)
@@ -390,7 +390,7 @@ int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file)
                }
        for (i = 0; i < sk_OPENSSL_PSTRING_num(tmpdb->data); i++)
                {
-               pp = (char **)sk_OPENSSL_PSTRING_value(tmpdb->data,i);
+               pp = sk_OPENSSL_PSTRING_value(tmpdb->data,i);
                if (pp[DB_srptype][0] == DB_SRP_INDEX)
                        {
                        /*we add this couple in the internal Stack */
@@ -581,7 +581,8 @@ char *SRP_create_verifier(const char *user, const char *pass, char **salt,
        if (*salt == NULL)
                {
                char *tmp_salt;
-               if ((tmp_salt = (char *)OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL)
+
+               if ((tmp_salt = OPENSSL_malloc(SRP_RANDOM_SALT_LEN * 2)) == NULL)
                        {
                        OPENSSL_free(vf);
                        goto err;
index 5832a73..a38c758 100644 (file)
  * sigaction and fileno included. -pedantic would be more appropriate for
  * the intended purposes, but we can't prevent users from adding -ansi.
  */
+#if defined(OPENSSL_SYSNAME_VXWORKS)
+#include <sys/types.h>
+#endif
+
 #if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)
+#ifndef _POSIX_C_SOURCE
 #define _POSIX_C_SOURCE 2
 #endif
+#endif
 #include <signal.h>
 #include <stdio.h>
 #include <string.h>
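Review bot: The added `#ifndef _POSIX_C_SOURCE` sits inside `#if !defined(_POSIX_C_SOURCE) && defined(OPENSSL_SYS_VMS)`, which has already established that the macro is undefined, so the inner guard and its `#endif` can never change the result. Drop the inner pair, or, if the intent was to define `_POSIX_C_SOURCE` on more platforms than VMS, change the outer condition instead. The new VxWorks block also tests `OPENSSL_SYSNAME_VXWORKS` while the randfile.c and dtls1.h hunks in this commit test `OPENSSL_SYS_VXWORKS`; a one-line comment saying why this file needs the SYSNAME form would help.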
index 32cf163..cb2381c 100644 (file)
@@ -119,7 +119,7 @@ $tbl="ebp";
        &mov    ("eax",&DWP(0,"esp"));
        &mov    ("ebx",&DWP(4,"esp"));
 for($i=0;$i<8;$i++) {
-    my $func = ($i==0)? movq : pxor;
+    my $func = ($i==0)? \&movq : \&pxor;
        &movb   (&LB("ecx"),&LB("eax"));
        &movb   (&LB("edx"),&HB("eax"));
        &scale  ("esi","ecx");
index 7c2aaee..352aa37 100644 (file)
@@ -86,10 +86,9 @@ unsigned long X509_issuer_and_serial_hash(X509 *a)
 
        EVP_MD_CTX_init(&ctx);
        f=X509_NAME_oneline(a->cert_info->issuer,NULL,0);
-       ret=strlen(f);
        if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL))
                goto err;
-       if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,ret))
+       if (!EVP_DigestUpdate(&ctx,(unsigned char *)f,strlen(f)))
                goto err;
        OPENSSL_free(f);
        if(!EVP_DigestUpdate(&ctx,(unsigned char *)a->cert_info->serialNumber->data,
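Review bot: `strlen(f)` on the changed line dereferences the result of X509_NAME_oneline() without a NULL check, and that call can return NULL when it is given a NULL buffer and the allocation fails. Add `if (f == NULL) goto err;` directly after the X509_NAME_oneline() call. Separately, both `goto err` branches above skip the `OPENSSL_free(f)` that follows them; the `err` label is outside the hunk, so confirm it frees `f`, otherwise the buffer leaks on a digest failure.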
@@ -249,14 +248,14 @@ unsigned long X509_NAME_hash_old(X509_NAME *x)
        i2d_X509_NAME(x,NULL);
        EVP_MD_CTX_init(&md_ctx);
        EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-       EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL);
-       EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length);
-       EVP_DigestFinal_ex(&md_ctx,md,NULL);
+       if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL)
+           && EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length)
+           && EVP_DigestFinal_ex(&md_ctx,md,NULL))
+               ret=(((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
+                    ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
+                    )&0xffffffffL;
        EVP_MD_CTX_cleanup(&md_ctx);
 
-       ret=(   ((unsigned long)md[0]     )|((unsigned long)md[1]<<8L)|
-               ((unsigned long)md[2]<<16L)|((unsigned long)md[3]<<24L)
-               )&0xffffffffL;
        return(ret);
        }
 #endif
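Review bot: `ret` is now assigned only when all three digest calls succeed, so on failure `return(ret)` yields whatever `ret` held before. Its declaration is outside the hunk, so make sure it reads `unsigned long ret=0;` and not an uninitialised local. Even then a failed digest is indistinguishable from a name whose hash is 0, which is worth stating above the `if`, e.g. `/* on digest failure ret keeps its initial value */`.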
index 39fd8f2..c18b0e2 100644 (file)
@@ -165,7 +165,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
        &jnz    (&label("nohalt"));     # not enough privileges
 
        &pushf  ();
-       &pop    ("eax")
+       &pop    ("eax");
        &bt     ("eax",9);
        &jnc    (&label("nohalt"));     # interrupts are disabled
 
@@ -280,7 +280,7 @@ for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); }
 #      arguments is 1 or 2!
 &function_begin_B("OPENSSL_indirect_call");
        {
-       my $i,$max=7;           # $max has to be chosen as 4*n-1
+       my ($max,$i)=(7,);      # $max has to be chosen as 4*n-1
                                # in order to preserve eventual
                                # stack alignment
        &push   ("ebp");
index 5008bf6..e65d501 100644 (file)
@@ -57,8 +57,8 @@
  *
  */
 
-#ifndef HEADER_DTLS1_H 
-#define HEADER_DTLS1_H 
+#ifndef HEADER_DTLS1_H
+#define HEADER_DTLS1_H
 
 #include <openssl/buffer.h>
 #include <openssl/pqueue.h>
 #elif defined(OPENSSL_SYS_NETWARE) && !defined(_WINSOCK2API_)
 #include <sys/timeval.h>
 #else
+#if defined(OPENSSL_SYS_VXWORKS)
+#include <sys/times.h>
+#else
 #include <sys/time.h>
 #endif
+#endif
 
 #ifdef  __cplusplus
 extern "C" {
index bc885e8..2cba426 100644 (file)
@@ -1059,10 +1059,12 @@ static int request_certificate(SSL *s)
                EVP_PKEY *pkey=NULL;
 
                EVP_MD_CTX_init(&ctx);
-               EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL);
-               EVP_VerifyUpdate(&ctx,s->s2->key_material,
-                                s->s2->key_material_length);
-               EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
+               if (!EVP_VerifyInit_ex(&ctx,s->ctx->rsa_md5, NULL)
+                   || !EVP_VerifyUpdate(&ctx,s->s2->key_material,
+                                        s->s2->key_material_length)
+                   || !EVP_VerifyUpdate(&ctx,ccd,
+                                        SSL2_MIN_CERT_CHALLENGE_LENGTH))
+                       goto msg_end;
 
                i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
                buf2=OPENSSL_malloc((unsigned int)i);
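Review bot: The new `goto msg_end` leaves the block after `EVP_MD_CTX_init(&ctx)` but before any `EVP_MD_CTX_cleanup(&ctx)` visible in this hunk, and the same holds for the `goto msg_end` added in the next hunk after `OPENSSL_free(buf2)`. The `msg_end` label is outside both hunks; unless it cleans up `ctx`, whatever the digest context allocated is leaked on these paths. Calling `EVP_MD_CTX_cleanup(&ctx);` before each jump would close that. Neither new path pushes an SSLerr(), so a failure here may leave no entry in the error queue to explain the rejected certificate.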
@@ -1073,7 +1075,11 @@ static int request_certificate(SSL *s)
                        }
                p2=buf2;
                i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
-               EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i);
+               if (!EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i))
+                       {
+                       OPENSSL_free(buf2);
+                       goto msg_end;
+                       }
                OPENSSL_free(buf2);
 
                pkey=X509_get_pubkey(x509);
index b63460a..918da35 100644 (file)
@@ -204,7 +204,8 @@ int ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen)
 
 #ifndef OPENSSL_NO_NEXTPROTONEG
 /* ssl3_take_mac calculates the Finished MAC for the handshakes messages seen to far. */
-static void ssl3_take_mac(SSL *s) {
+static void ssl3_take_mac(SSL *s)
+       {
        const char *sender;
        int slen;
 
@@ -221,7 +222,7 @@ static void ssl3_take_mac(SSL *s) {
 
        s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
                sender,slen,s->s3->tmp.peer_finish_md);
-}
+       }
 #endif
 
 int ssl3_get_finished(SSL *s, int a, int b)
@@ -231,8 +232,9 @@ int ssl3_get_finished(SSL *s, int a, int b)
        unsigned char *p;
 
 #ifdef OPENSSL_NO_NEXTPROTONEG
-       /* the mac has already been generated when we received the change
-        * cipher spec message and is in s->s3->tmp.peer_finish_md. */
+       /* the mac has already been generated when we received the
+        * change cipher spec message and is in s->s3->tmp.peer_finish_md.
+        */ 
 #endif
 
        n=s->method->ssl_get_message(s,
@@ -537,12 +539,14 @@ long ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                s->init_num += i;
                n -= i;
                }
+
 #ifndef OPENSSL_NO_NEXTPROTONEG
        /* If receiving Finished, record MAC of prior handshake messages for
         * Finished verification. */
        if (*s->init_buf->data == SSL3_MT_FINISHED)
                ssl3_take_mac(s);
 #endif
+
        /* Feed this message into MAC computation. */
        ssl3_finish_mac(s, (unsigned char *)s->init_buf->data, s->init_num + 4);
        if (s->msg_callback)
index b80d052..7b4bc63 100644 (file)
@@ -459,7 +459,6 @@ int ssl3_connect(SSL *s)
                                SSL3_ST_CW_CHANGE_A,SSL3_ST_CW_CHANGE_B);
                        if (ret <= 0) goto end;
 
-
 #if defined(OPENSSL_NO_TLSEXT) || defined(OPENSSL_NO_NEXTPROTONEG)
                        s->state=SSL3_ST_CW_FINISHED_A;
 #else
index f71c03b..dca3458 100644 (file)
@@ -1239,7 +1239,7 @@ start:
                                goto f_err;
                                }
 #ifdef SSL_AD_MISSING_SRP_USERNAME
-                       if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
+                       else if (alert_descr == SSL_AD_MISSING_SRP_USERNAME)
                                return(0);
 #endif
                        }
index 118939f..38e1281 100644 (file)
@@ -191,7 +191,8 @@ static int ssl_check_srp_ext_ClientHello(SSL *s, int *al)
                {
                if(s->srp_ctx.login == NULL)
                        {
-                       /* There isn't any srp login extension !!! */
+                       /* RFC 5054 says SHOULD reject, 
+                          we do so if There is no srp login name */
                        ret = SSL3_AL_FATAL;
                        *al = SSL_AD_UNKNOWN_PSK_IDENTITY;
                        }
@@ -378,6 +379,7 @@ int ssl3_accept(SSL *s)
                                }
                        }
 #endif         
+                       
                        s->renegotiate = 2;
                        s->state=SSL3_ST_SW_SRVR_HELLO_A;
                        s->init_num=0;
index 8b0c2a2..dcb8a62 100644 (file)
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -493,6 +493,9 @@ struct ssl_session_st
        char *psk_identity_hint;
        char *psk_identity;
 #endif
+       /* Used to indicate that session resumption is not allowed.
+        * Applications can also set this bit for a new session via
+        * not_resumable_session_cb to disable session caching and tickets. */
        int not_resumable;
 
        /* The cert is the certificate used to establish this connection */
@@ -535,7 +538,7 @@ struct ssl_session_st
 #endif /* OPENSSL_NO_EC */
        /* RFC4507 info */
        unsigned char *tlsext_tick;     /* Session ticket */
-       size_t  tlsext_ticklen;         /* Session ticket length */     
+       size_t tlsext_ticklen;          /* Session ticket length */
        long tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */
 #endif
 #ifndef OPENSSL_NO_SRP
@@ -927,6 +930,7 @@ struct ssl_ctx_st
        /* Callback for status request */
        int (*tlsext_status_cb)(SSL *ssl, void *arg);
        void *tlsext_status_arg;
+
        /* draft-rescorla-tls-opaque-prf-input-00.txt information */
        int (*tlsext_opaque_prf_input_callback)(SSL *, void *peerinput, size_t len, void *arg);
        void *tlsext_opaque_prf_input_callback_arg;
@@ -952,6 +956,7 @@ struct ssl_ctx_st
 #endif
 
 #ifndef OPENSSL_NO_TLSEXT
+
 # ifndef OPENSSL_NO_NEXTPROTONEG
        /* Next protocol negotiation information */
        /* (for experimental NPN extension). */
index 112e627..247e88c 100644 (file)
@@ -578,8 +578,10 @@ typedef struct ssl3_state_st
 #define SSL3_ST_CW_CERT_VRFY_B         (0x191|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CHANGE_A            (0x1A0|SSL_ST_CONNECT)
 #define SSL3_ST_CW_CHANGE_B            (0x1A1|SSL_ST_CONNECT)
+#ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_ST_CW_NEXT_PROTO_A                (0x200|SSL_ST_CONNECT)
 #define SSL3_ST_CW_NEXT_PROTO_B                (0x201|SSL_ST_CONNECT)
+#endif
 #define SSL3_ST_CW_FINISHED_A          (0x1B0|SSL_ST_CONNECT)
 #define SSL3_ST_CW_FINISHED_B          (0x1B1|SSL_ST_CONNECT)
 /* read from server */
@@ -629,8 +631,10 @@ typedef struct ssl3_state_st
 #define SSL3_ST_SR_CERT_VRFY_B         (0x1A1|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CHANGE_A            (0x1B0|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_CHANGE_B            (0x1B1|SSL_ST_ACCEPT)
+#ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_ST_SR_NEXT_PROTO_A                (0x210|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_NEXT_PROTO_B                (0x211|SSL_ST_ACCEPT)
+#endif
 #define SSL3_ST_SR_FINISHED_A          (0x1C0|SSL_ST_ACCEPT)
 #define SSL3_ST_SR_FINISHED_B          (0x1C1|SSL_ST_ACCEPT)
 /* write to client */
@@ -655,7 +659,9 @@ typedef struct ssl3_state_st
 #define SSL3_MT_CLIENT_KEY_EXCHANGE            16
 #define SSL3_MT_FINISHED                       20
 #define SSL3_MT_CERTIFICATE_STATUS             22
+#ifndef OPENSSL_NO_NEXTPROTONEG
 #define SSL3_MT_NEXT_PROTO                     67
+#endif
 #define DTLS1_MT_HELLO_VERIFY_REQUEST    3
 
 
index f82d071..f232d55 100644 (file)
@@ -2608,7 +2608,7 @@ const char *SSL_get_version(const SSL *s)
                return("TLSv1.2");
        else if (s->version == TLS1_1_VERSION)
                return("TLSv1.1");
-       if (s->version == TLS1_VERSION)
+       else if (s->version == TLS1_VERSION)
                return("TLSv1");
        else if (s->version == SSL3_VERSION)
                return("SSLv3");
index c0960b5..60e7b66 100644 (file)
@@ -710,7 +710,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
 
        ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */
 
-       in=BIO_new(BIO_s_file_internal());
+       in = BIO_new(BIO_s_file_internal());
        if (in == NULL)
                {
                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_BUF_LIB);
@@ -723,14 +723,16 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
                goto end;
                }
 
-       x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata);
+       x=PEM_read_bio_X509_AUX(in,NULL,ctx->default_passwd_callback,
+                               ctx->default_passwd_callback_userdata);
        if (x == NULL)
                {
                SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE,ERR_R_PEM_LIB);
                goto end;
                }
 
-       ret=SSL_CTX_use_certificate(ctx,x);
+       ret = SSL_CTX_use_certificate(ctx, x);
+
        if (ERR_peek_error() != 0)
                ret = 0;  /* Key/certificate mismatch doesn't imply ret==0 ... */
        if (ret)
@@ -742,13 +744,15 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
                int r;
                unsigned long err;
                
-               if (ctx->extra_certs != NULL) 
+               if (ctx->extra_certs != NULL)
                        {
                        sk_X509_pop_free(ctx->extra_certs, X509_free);
                        ctx->extra_certs = NULL;
                        }
 
-               while ((ca = PEM_read_bio_X509(in,NULL,ctx->default_passwd_callback,ctx->default_passwd_callback_userdata))
+               while ((ca = PEM_read_bio_X509(in, NULL,
+                                       ctx->default_passwd_callback,
+                                       ctx->default_passwd_callback_userdata))
                        != NULL)
                        {
                        r = SSL_CTX_add_extra_chain_cert(ctx, ca);
index 0f8fd39..316bbb0 100644 (file)
@@ -543,8 +543,8 @@ int main(int argc, char *argv[])
        int comp = 0;
 #ifndef OPENSSL_NO_COMP
        COMP_METHOD *cm = NULL;
-#endif
        STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
+#endif
        int test_cipherlist = 0;
 #ifdef OPENSSL_FIPS
        int fips_mode=0;
index 8512c4d..2315a7c 100644 (file)
@@ -242,7 +242,8 @@ int SSL_srp_server_param_with_username(SSL *s, int *ad)
                (s->srp_ctx.v == NULL))
                return SSL3_AL_FATAL;
 
-       RAND_bytes(b, sizeof(b));
+       if (RAND_bytes(b, sizeof(b)) <= 0)
+               return SSL3_AL_FATAL;
        s->srp_ctx.b = BN_bin2bn(b,sizeof(b),NULL);
        OPENSSL_cleanse(b,sizeof(b));