Updates from stable branch.
authorDr. Stephen Henson <steve@openssl.org>
Sat, 13 Sep 2008 22:02:49 +0000 (22:02 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sat, 13 Sep 2008 22:02:49 +0000 (22:02 +0000)
crypto/asn1/asn_mime.c
crypto/asn1/t_x509.c
crypto/cms/cms_smime.c
crypto/x509/x509_vfy.c
crypto/x509v3/pcy_data.c
crypto/x509v3/pcy_tree.c
crypto/x509v3/v3_purp.c
crypto/x509v3/x509v3.h

index fe7c4ec7abe4952ee2c6c62b5f0128528decf0b3..bc80b20d6323a1d209d868cd5a419b1e32c8a689 100644 (file)
@@ -526,6 +526,8 @@ int SMIME_text(BIO *in, BIO *out)
        sk_MIME_HEADER_pop_free(headers, mime_hdr_free);
        while ((len = BIO_read(in, iobuf, sizeof(iobuf))) > 0)
                                                BIO_write(out, iobuf, len);
+       if (len < 0)
+               return 0;
        return 1;
 }
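Review bot: The `BIO_write(out, iobuf, len)` call in the copy loop still has its return value discarded, so a failed or short write leaves SMIME_text returning 1 with truncated output. The added `len < 0` test only covers the read side. Checking the write inside the loop, `if (BIO_write(out, iobuf, len) != len) return 0;`, would match how this same commit treats the write to `tmpout` in cms_copy_content. The function body starts outside the hunk.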
 
index eb776b7b3b1f222f7419a4c012da01ccc117b8f3..ae72b525d7d4142da3bd2c0fca7e4448bd658869 100644 (file)
@@ -393,8 +393,9 @@ int ASN1_GENERALIZEDTIME_print(BIO *bp, ASN1_GENERALIZEDTIME *tm)
        d= (v[6]-'0')*10+(v[7]-'0');
        h= (v[8]-'0')*10+(v[9]-'0');
        m=  (v[10]-'0')*10+(v[11]-'0');
-       if (    (v[12] >= '0') && (v[12] <= '9') &&
-               (v[13] >= '0') && (v[13] <= '9'))
+       if (i >= 14 &&
+           (v[12] >= '0') && (v[12] <= '9') &&
+           (v[13] >= '0') && (v[13] <= '9'))
                s=  (v[12]-'0')*10+(v[13]-'0');
 
        if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
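Review bot: The new `i >= 14` guard carries no comment saying that it is a bounds check, and the same holds for `i >=12` in the ASN1_UTCTIME_print hunk that follows. Assuming `i` is the length of the encoded time (its assignment is outside the hunk), the guard is what keeps v[12] and v[13] from being read past the end of a value that has no seconds field, and that value comes from parsed certificate data that may not be NUL-terminated. A line such as `/* seconds are optional: only look at v[12..13] if the string is long enough */` would keep a later cleanup from dropping it. The second guard should also be spaced `i >= 12` to match the first. The reads of v[6] to v[11] above rely on a minimum-length check that is not visible here.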
@@ -428,8 +429,9 @@ int ASN1_UTCTIME_print(BIO *bp, ASN1_UTCTIME *tm)
        d= (v[4]-'0')*10+(v[5]-'0');
        h= (v[6]-'0')*10+(v[7]-'0');
        m=  (v[8]-'0')*10+(v[9]-'0');
-       if (    (v[10] >= '0') && (v[10] <= '9') &&
-               (v[11] >= '0') && (v[11] <= '9'))
+       if (i >=12 &&
+           (v[10] >= '0') && (v[10] <= '9') &&
+           (v[11] >= '0') && (v[11] <= '9'))
                s=  (v[10]-'0')*10+(v[11]-'0');
 
        if (BIO_printf(bp,"%s %2d %02d:%02d:%02d %d%s",
@@ -501,4 +503,3 @@ err:
        OPENSSL_free(b);
        return(ret);
        }
-
index f79c504e913705c650967fa652818b4649225f2f..b35d28d411a3f77d6fb22626262b03cb33c7e769 100644 (file)
@@ -89,11 +89,13 @@ static int cms_copy_content(BIO *out, BIO *in, unsigned int flags)
                                if (!BIO_get_cipher_status(in))
                                        goto err;
                                }
+                       if (i < 0)
+                               goto err;
                        break;
                        }
                                
-               if (tmpout)
-                       BIO_write(tmpout, buf, i);
+               if (tmpout && (BIO_write(tmpout, buf, i) != i))
+                       goto err;
        }
 
        if(flags & CMS_TEXT)
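Review bot: The two new `goto err` paths deserve a comment, because the distinction they draw is the security-relevant part of this change: a negative `i` is a read failure rather than end of content, and a short write to `tmpout` means the copied content is incomplete. Something like `/* i < 0: read error, not EOF; do not treat partial content as complete */` above the first test would do. Neither path records a reason in the visible lines, so unless the `err:` label (outside the hunk) does, callers cannot tell an I/O failure from a cipher-status failure.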
index 9a62ebcf679e5349532294b8cbbfdc974d2c99c8..336c40ddd7e7d6a76a9759038667f04741b41392 100644 (file)
@@ -394,7 +394,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 #ifdef OPENSSL_NO_CHAIN_VERIFY
        return 1;
 #else
-       int i, ok=0, must_be_ca;
+       int i, ok=0, must_be_ca, plen = 0;
        X509 *x;
        int (*cb)(int xok,X509_STORE_CTX *xctx);
        int proxy_path_length = 0;
@@ -495,9 +495,10 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                                if (!ok) goto end;
                                }
                        }
-               /* Check pathlen */
-               if ((i > 1) && (x->ex_pathlen != -1)
-                          && (i > (x->ex_pathlen + proxy_path_length + 1)))
+               /* Check pathlen if not self issued */
+               if ((i > 1) && !(x->ex_flags & EXFLAG_SI)
+                          && (x->ex_pathlen != -1)
+                          && (plen > (x->ex_pathlen + proxy_path_length + 1)))
                        {
                        ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
                        ctx->error_depth = i;
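Review bot: The added `!(x->ex_flags & EXFLAG_SI)` term skips the pathlen test whenever `x` itself is self-issued, which appears to go further than the new comment intends. As I read RFC 5280 section 6.1.4, self-issued certificates are left out of the count of intermediates, which the guarded `plen++` in the next hunk already does, but a self-issued CA's own pathLenConstraint still limits the certificates below it. If that reading is right, the condition should stay `if ((i > 1) && (x->ex_pathlen != -1) && (plen > (x->ex_pathlen + proxy_path_length + 1)))` and only the increment should depend on EXFLAG_SI. The enclosing loop starts outside this hunk.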
@@ -505,6 +506,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
                        ok=cb(0,ctx);
                        if (!ok) goto end;
                        }
+               /* Increment path length if not self issued */
+               if (!(x->ex_flags & EXFLAG_SI))
+                       plen++;
                /* If this certificate is a proxy certificate, the next
                   certificate must be another proxy certificate or a EE
                   certificate.  If not, the next certificate must be a
index 614d2b493550790436833e950b880b98ca27450b..4711b1ee927b9d824ded08083e0b7be7a4e327f8 100644 (file)
@@ -87,6 +87,12 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
        X509_POLICY_DATA *ret;
        if (!policy && !id)
                return NULL;
+       if (id)
+               {
+               id = OBJ_dup(id);
+               if (!id)
+                       return NULL;
+               }
        ret = OPENSSL_malloc(sizeof(X509_POLICY_DATA));
        if (!ret)
                return NULL;
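Review bot: The duplicated `id` leaks when `OPENSSL_malloc` fails, because the `if (!ret) return NULL;` directly after the new OBJ_dup block returns without releasing it. The next hunk frees the copy on the expected_policy_set failure, so this path should do the same: `if (!ret) { if (id) ASN1_OBJECT_free(id); return NULL; }`. Since the function now takes a private copy, a header comment stating that the caller keeps ownership of the `id` it passes in would help any caller that relied on ownership being transferred.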
@@ -94,6 +100,8 @@ X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, ASN1_OBJECT *id, int crit)
        if (!ret->expected_policy_set)
                {
                OPENSSL_free(ret);
+               if (id)
+                       ASN1_OBJECT_free(id);
                return NULL;
                }
 
index 4fda1d419af6da9488b7a952eedd60920265e8c1..b1ce77b9afc7ad9d5ebb11177ae2a6a8d7625768 100644 (file)
@@ -130,9 +130,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        ret = 2;
                if (explicit_policy > 0)
                        {
-                       explicit_policy--;
-                       if (!(x->ex_flags & EXFLAG_SS)
-                               && (cache->explicit_skip != -1)
+                       if (!(x->ex_flags & EXFLAG_SI))
+                               explicit_policy--;
+                       if ((cache->explicit_skip != -1)
                                && (cache->explicit_skip < explicit_policy))
                                explicit_policy = cache->explicit_skip;
                        }
@@ -197,13 +197,14 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                        /* Any matching allowed if certificate is self
                         * issued and not the last in the chain.
                         */
-                       if (!(x->ex_flags & EXFLAG_SS) || (i == 0))
+                       if (!(x->ex_flags & EXFLAG_SI) || (i == 0))
                                level->flags |= X509_V_FLAG_INHIBIT_ANY;
                        }
                else
                        {
-                       any_skip--;
-                       if ((cache->any_skip > 0)
+                       if (!(x->ex_flags & EXFLAG_SI))
+                               any_skip--;
+                       if ((cache->any_skip >= 0)
                                && (cache->any_skip < any_skip))
                                any_skip = cache->any_skip;
                        }
@@ -213,7 +214,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
                else
                        {
                        map_skip--;
-                       if ((cache->map_skip > 0)
+                       if ((cache->map_skip >= 0)
                                && (cache->map_skip < map_skip))
                                map_skip = cache->map_skip;
                        }
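Review bot: `map_skip--` is still unconditional here, while this commit makes the `explicit_policy--` and `any_skip--` decrements in the two tree_init hunks above depend on `!(x->ex_flags & EXFLAG_SI)`. RFC 5280 section 6.1.4 treats the policy-mapping counter the same way as the other two for self-issued certificates, so this looks like an omission: `if (!(x->ex_flags & EXFLAG_SI)) map_skip--;`. The condition that selects this `else` branch is outside the hunk.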
@@ -310,7 +311,8 @@ static int tree_link_any(X509_POLICY_LEVEL *curr,
 
                if (data == NULL)
                        return 0;
-               data->qualifier_set = curr->anyPolicy->data->qualifier_set;
+               /* Curr may not have anyPolicy */
+               data->qualifier_set = cache->anyPolicy->qualifier_set;
                data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS;
                if (!level_add_node(curr, data, node, tree))
                        {
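Review bot: Nothing visible establishes that `cache->anyPolicy` is non-NULL before `cache->anyPolicy->qualifier_set` is read, and the new comment only explains why `curr->anyPolicy` was the wrong source. If tree_link_any can be reached for a certificate whose policy cache has no anyPolicy entry (the call site is outside the hunk), this line dereferences NULL while processing data from the chain being verified. Either test the pointer before the loop or extend the comment to state the invariant that guarantees it, for example `/* curr may not have anyPolicy; cache->anyPolicy is non-NULL here because <reason> */`.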
index b2f5cdfa05f3cbfb8c54808d8aa91c1017ca7c25..c54e7887c70752469ff572b13270d38410ef4b1c 100644 (file)
@@ -291,7 +291,9 @@ int X509_supported_extension(X509_EXTENSION *ex)
                NID_sbgp_ipAddrBlock,   /* 290 */
                NID_sbgp_autonomousSysNum, /* 291 */
 #endif
-               NID_proxyCertInfo       /* 661 */
+               NID_policy_constraints, /* 401 */
+               NID_proxyCertInfo,      /* 661 */
+               NID_inhibit_any_policy  /* 748 */
        };
 
        int ex_nid;
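Review bot: Listing `NID_policy_constraints` and `NID_inhibit_any_policy` as supported means a certificate carrying them as critical extensions is no longer rejected for an unhandled critical extension, so it is worth confirming that they are enforced on every verification path that consults this table. If policy processing only runs when the caller enables it, a critical policyConstraints would now be accepted without being applied. The NID comments suggest the array is kept in ascending order; if the lookup below (outside the hunk) depends on that, a comment on the array saying so would protect future additions.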
@@ -325,7 +327,7 @@ static void x509v3_cache_extensions(X509 *x)
 #endif
        /* Does subject name match issuer ? */
        if(!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x)))
-                        x->ex_flags |= EXFLAG_SS;
+                        x->ex_flags |= EXFLAG_SI;
        /* V1 should mean no extensions ... */
        if(!X509_get_version(x)) x->ex_flags |= EXFLAG_V1;
        /* Handle basic constraints */
index db2b0482c152e57fcc1749ca097ab053f82bdb1a..5ba59f71c94555fcc9523472290a5ded2fcf42f0 100644 (file)
@@ -363,6 +363,8 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_NSCERT          0x8
 
 #define EXFLAG_CA              0x10
+/* Really self issued not necessarily self signed */
+#define EXFLAG_SI              0x20
 #define EXFLAG_SS              0x20
 #define EXFLAG_V1              0x40
 #define EXFLAG_INVALID         0x80
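Review bot: `EXFLAG_SI` and `EXFLAG_SS` now name the same bit (0x20), and the comment above them does not say which name it describes or that one is an alias of the other. The x509v3_cache_extensions hunk shows the bit is set from a subject/issuer name comparison alone, so any remaining `EXFLAG_SS` test treats a name match as proof of self-signature without the signature being checked. Suggest `/* Self issued: subject and issuer names match; the signature is not checked */` on `EXFLAG_SI` and `/* Deprecated alias of EXFLAG_SI, kept for compatibility */` on `EXFLAG_SS`.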
@@ -370,7 +372,7 @@ DECLARE_ASN1_FUNCTIONS(PROXY_CERT_INFO_EXTENSION)
 #define EXFLAG_CRITICAL                0x200
 #define EXFLAG_PROXY           0x400
 
-#define EXFLAG_INVALID_POLICY  0x400
+#define EXFLAG_INVALID_POLICY  0x800
 
 #define KU_DIGITAL_SIGNATURE   0x0080
 #define KU_NON_REPUDIATION     0x0040