[openssl-commits] [openssl] OpenSSL_1_0_1-stable update

Richard Levitte levitte at openssl.org
Fri Oct 23 18:53:39 UTC 2015


The branch OpenSSL_1_0_1-stable has been updated
       via  200c8ed4f5dd5fce21a3688c2f41d474a3aceca4 (commit)
       via  a5524e534b22fa6fbba53dddb6a5543371a66a03 (commit)
       via  edd0f5c201823cea2947506619d1936e9b5c4b92 (commit)
       via  020bc42893e579cb3c586386de9f800c6fe0ae54 (commit)
       via  61587d65eabb90d78aad46c674f14707f4407acf (commit)
       via  71d5679cd31f52472b1a42b12af2562edb05fb0f (commit)
       via  418c0511610677c74ee63bd916ab3015e57ef40b (commit)
       via  6a3dd58678b3dcd2bb40d4b0d9965c786d10342a (commit)
      from  2d404dc38031122147043af31a1f1de364903be2 (commit)


- Log -----------------------------------------------------------------
commit 200c8ed4f5dd5fce21a3688c2f41d474a3aceca4
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Thu Oct 8 22:00:27 2015 +0200

    Remove useless code
    
    RT#4081
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit 070c23325af4526c9a8532a60d63522c58d5554b)

commit a5524e534b22fa6fbba53dddb6a5543371a66a03
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Thu Oct 8 14:50:27 2015 +0200

    Check memory allocation
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit 8cf9d71a3a43d9b98a8a278d47dc08088a954a7b)

commit edd0f5c201823cea2947506619d1936e9b5c4b92
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Thu Oct 8 14:41:09 2015 +0200

    Fix references to various RFCs
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit 3240e7cf5f651d9d94814b4d494fbe294e463b72)

commit 020bc42893e579cb3c586386de9f800c6fe0ae54
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Thu Oct 8 14:40:42 2015 +0200

    Fix typos
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit d900a015b5a89ea2018e6122dd2738925e4d68ab)

commit 61587d65eabb90d78aad46c674f14707f4407acf
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Thu Oct 8 14:39:58 2015 +0200

    Set salt length after the malloc has succeeded
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit c2319cf9fce87a2e82efb6e58ced11a85190dc3d)

commit 71d5679cd31f52472b1a42b12af2562edb05fb0f
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Thu Oct 8 14:38:57 2015 +0200

    Fix memory leaks and other mistakes on errors
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit 3f6c7691870d1cd2ad0e0c83638cef3f35a0b548)

commit 418c0511610677c74ee63bd916ab3015e57ef40b
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Thu Oct 8 14:37:21 2015 +0200

    Replace malloc+strlcpy with strdup
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit 8acaabec429b39f9436f6a88006384d72d292539)

commit 6a3dd58678b3dcd2bb40d4b0d9965c786d10342a
Author: Alessandro Ghedini <alessandro at ghedini.me>
Date:   Fri Oct 2 15:16:08 2015 +0200

    Do not treat 0 return value from BIO_get_fd() as error
    
    0 is a valid file descriptor.
    
    RT#4068
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (cherry picked from commit 4428c7dba8f6f407d915c1226f4e0f673e8be241)

-----------------------------------------------------------------------

Summary of changes:
 apps/apps.c                      |  3 ---
 apps/ca.c                        | 12 +++---------
 apps/ecparam.c                   |  2 --
 apps/engine.c                    |  5 -----
 apps/ocsp.c                      |  4 ++--
 crypto/aes/asm/aesni-x86.pl      |  2 +-
 crypto/bio/b_dump.c              |  1 -
 crypto/bn/asm/ia64.S             |  2 +-
 crypto/bn/bn_gf2m.c              |  2 +-
 crypto/bn/bn_recp.c              |  4 +++-
 crypto/bn/bn_x931p.c             |  7 +++++--
 crypto/conf/conf_def.c           |  3 +--
 crypto/dsa/dsa_gen.c             | 18 +++++-------------
 crypto/evp/evp_key.c             |  4 ++--
 crypto/evp/evp_pbe.c             | 16 ++++++++++++----
 crypto/hmac/hm_ameth.c           |  9 +++++++--
 crypto/ocsp/ocsp_lib.c           |  6 ------
 crypto/ocsp/ocsp_prn.c           |  3 +--
 crypto/pem/pvkfmt.c              | 10 ++++------
 crypto/pkcs12/p12_add.c          | 27 ++++++++++++++++++++-------
 crypto/pkcs12/p12_mutl.c         |  4 ++--
 crypto/pkcs7/pk7_doit.c          |  1 -
 crypto/sha/asm/sha512-parisc.pl  |  2 +-
 crypto/x509/x509_lu.c            |  2 --
 demos/engines/zencod/hw_zencod.c |  2 +-
 doc/crypto/BIO_read.pod          |  6 +++---
 doc/crypto/BN_rand.pod           |  2 +-
 doc/crypto/d2i_X509_NAME.pod     |  2 +-
 ssl/s3_clnt.c                    |  2 +-
 ssl/s3_srvr.c                    |  1 -
 ssl/tls1.h                       | 15 ++++++---------
 31 files changed, 84 insertions(+), 95 deletions(-)

diff --git a/apps/apps.c b/apps/apps.c
index 1e48307..8ab4833 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -119,9 +119,6 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#if !defined(OPENSSL_SYSNAME_WIN32) && !defined(NETWARE_CLIB)
-# include <strings.h>
-#endif
 #include <sys/types.h>
 #include <ctype.h>
 #include <errno.h>
diff --git a/apps/ca.c b/apps/ca.c
index 97ad0c1..73846de 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -99,25 +99,19 @@
 #undef PROG
 #define PROG ca_main
 
-#define BASE_SECTION    "ca"
-#define CONFIG_FILE "openssl.cnf"
+#define BASE_SECTION            "ca"
+#define CONFIG_FILE             "openssl.cnf"
 
 #define ENV_DEFAULT_CA          "default_ca"
 
-#define STRING_MASK     "string_mask"
+#define STRING_MASK             "string_mask"
 #define UTF8_IN                 "utf8"
 
-#define ENV_DIR                 "dir"
-#define ENV_CERTS               "certs"
-#define ENV_CRL_DIR             "crl_dir"
-#define ENV_CA_DB               "CA_DB"
 #define ENV_NEW_CERTS_DIR       "new_certs_dir"
 #define ENV_CERTIFICATE         "certificate"
 #define ENV_SERIAL              "serial"
 #define ENV_CRLNUMBER           "crlnumber"
-#define ENV_CRL                 "crl"
 #define ENV_PRIVATE_KEY         "private_key"
-#define ENV_RANDFILE            "RANDFILE"
 #define ENV_DEFAULT_DAYS        "default_days"
 #define ENV_DEFAULT_STARTDATE   "default_startdate"
 #define ENV_DEFAULT_ENDDATE     "default_enddate"
diff --git a/apps/ecparam.c b/apps/ecparam.c
index 88ecbc0..402fb31 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -413,8 +413,6 @@ int MAIN(int argc, char **argv)
     }
 
     if (check) {
-        if (group == NULL)
-            BIO_printf(bio_err, "no elliptic curve parameters\n");
         BIO_printf(bio_err, "checking elliptic curve parameters: ");
         if (!EC_GROUP_check(group, NULL)) {
             BIO_printf(bio_err, "failed\n");
diff --git a/apps/engine.c b/apps/engine.c
index 3d70cac..460ec60 100644
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -99,8 +99,6 @@ static void identity(char *ptr)
 
 static int append_buf(char **buf, const char *s, int *size, int step)
 {
-    int l = strlen(s);
-
     if (*buf == NULL) {
         *size = step;
         *buf = OPENSSL_malloc(*size);
@@ -109,9 +107,6 @@ static int append_buf(char **buf, const char *s, int *size, int step)
         **buf = '\0';
     }
 
-    if (**buf != '\0')
-        l += 2;                 /* ", " */
-
     if (strlen(*buf) + strlen(s) >= (unsigned int)*size) {
         *size += step;
         *buf = OPENSSL_realloc(*buf, *size);
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 572f064..9fd9568 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -1220,8 +1220,8 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
         return NULL;
     }
 
-    if (BIO_get_fd(cbio, &fd) <= 0) {
-        BIO_puts(err, "Can't get connection fd\n");
+    if (BIO_get_fd(cbio, &fd) < 0) {
+        BIO_puts(bio_err, "Can't get connection fd\n");
         goto err;
     }
 
diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
index 3dc345b..8c1d0b5 100644
--- a/crypto/aes/asm/aesni-x86.pl
+++ b/crypto/aes/asm/aesni-x86.pl
@@ -74,7 +74,7 @@ $inout3="xmm5";	$in1="xmm5";
 $inout4="xmm6";	$in0="xmm6";
 $inout5="xmm7";	$ivec="xmm7";
 
-# AESNI extenstion
+# AESNI extension
 sub aeskeygenassist
 { my($dst,$src,$imm)=@_;
     if ("$dst:$src" =~ /xmm([0-7]):xmm([0-7])/)
diff --git a/crypto/bio/b_dump.c b/crypto/bio/b_dump.c
index 3293c72..87c8162 100644
--- a/crypto/bio/b_dump.c
+++ b/crypto/bio/b_dump.c
@@ -104,7 +104,6 @@ int BIO_dump_indent_cb(int (*cb) (const void *data, size_t len, void *u),
     if ((rows * dump_width) < len)
         rows++;
     for (i = 0; i < rows; i++) {
-        buf[0] = '\0';          /* start with empty string */
         BUF_strlcpy(buf, str, sizeof buf);
         BIO_snprintf(tmp, sizeof tmp, "%04x - ", i * dump_width);
         BUF_strlcat(buf, tmp, sizeof buf);
diff --git a/crypto/bn/asm/ia64.S b/crypto/bn/asm/ia64.S
index c0cee82..a9a42ab 100644
--- a/crypto/bn/asm/ia64.S
+++ b/crypto/bn/asm/ia64.S
@@ -422,7 +422,7 @@ bn_mul_add_words:
 
 // This loop spins in 3*(n+10) ticks on Itanium and in 2*(n+10) on
 // Itanium 2. Yes, unlike previous versions it scales:-) Previous
-// version was peforming *all* additions in IALU and was starving
+// version was performing *all* additions in IALU and was starving
 // for those even on Itanium 2. In this version one addition is
 // moved to FPU and is folded with multiplication. This is at cost
 // of propogating the result from previous call to this subroutine
diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
index a0ba8de..a7a04f8 100644
--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
@@ -576,7 +576,7 @@ int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[],
     bn_check_top(a);
     BN_CTX_start(ctx);
     if ((s = BN_CTX_get(ctx)) == NULL)
-        return 0;
+        goto err;
     if (!bn_wexpand(s, 2 * a->top))
         goto err;
 
diff --git a/crypto/bn/bn_recp.c b/crypto/bn/bn_recp.c
index 6826f93..7497ac6 100644
--- a/crypto/bn/bn_recp.c
+++ b/crypto/bn/bn_recp.c
@@ -152,8 +152,10 @@ int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
 
     if (BN_ucmp(m, &(recp->N)) < 0) {
         BN_zero(d);
-        if (!BN_copy(r, m))
+        if (!BN_copy(r, m)) {
+            BN_CTX_end(ctx);
             return 0;
+        }
         BN_CTX_end(ctx);
         return (1);
     }
diff --git a/crypto/bn/bn_x931p.c b/crypto/bn/bn_x931p.c
index 6d76b12..efa48bd 100644
--- a/crypto/bn/bn_x931p.c
+++ b/crypto/bn/bn_x931p.c
@@ -213,14 +213,14 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
      * exceeded.
      */
     if (!BN_rand(Xp, nbits, 1, 0))
-        return 0;
+        goto err;
 
     BN_CTX_start(ctx);
     t = BN_CTX_get(ctx);
 
     for (i = 0; i < 1000; i++) {
         if (!BN_rand(Xq, nbits, 1, 0))
-            return 0;
+            goto err;
         /* Check that |Xp - Xq| > 2^(nbits - 100) */
         BN_sub(t, Xp, Xq);
         if (BN_num_bits(t) > (nbits - 100))
@@ -234,6 +234,9 @@ int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx)
 
     return 0;
 
+ err:
+    BN_CTX_end(ctx);
+    return 0;
 }
 
 /*
diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c
index faca9ae..68c77ce 100644
--- a/crypto/conf/conf_def.c
+++ b/crypto/conf/conf_def.c
@@ -225,12 +225,11 @@ static int def_load_bio(CONF *conf, BIO *in, long *line)
         goto err;
     }
 
-    section = (char *)OPENSSL_malloc(10);
+    section = BUF_strdup("default");
     if (section == NULL) {
         CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
         goto err;
     }
-    BUF_strlcpy(section, "default", 10);
 
     if (_CONF_new_data(conf) == 0) {
         CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c
index 0dada3d..34c6113 100644
--- a/crypto/dsa/dsa_gen.c
+++ b/crypto/dsa/dsa_gen.c
@@ -112,16 +112,8 @@ int DSA_generate_parameters_ex(DSA *ret, int bits,
     }
 # endif
     else {
-        const EVP_MD *evpmd;
-        size_t qbits = bits >= 2048 ? 256 : 160;
-
-        if (bits >= 2048) {
-            qbits = 256;
-            evpmd = EVP_sha256();
-        } else {
-            qbits = 160;
-            evpmd = EVP_sha1();
-        }
+        const EVP_MD *evpmd = bits >= 2048 ? EVP_sha256() : EVP_sha1();
+        size_t qbits = EVP_MD_size(evpmd) * 8;
 
         return dsa_builtin_paramgen(ret, bits, qbits, evpmd,
                                     seed_in, seed_len, NULL, counter_ret,
@@ -174,14 +166,14 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits,
     if (seed_in != NULL)
         memcpy(seed, seed_in, seed_len);
 
+    if ((mont = BN_MONT_CTX_new()) == NULL)
+        goto err;
+
     if ((ctx = BN_CTX_new()) == NULL)
         goto err;
 
     BN_CTX_start(ctx);
 
-    if ((mont = BN_MONT_CTX_new()) == NULL)
-        goto err;
-
     r0 = BN_CTX_get(ctx);
     g = BN_CTX_get(ctx);
     W = BN_CTX_get(ctx);
diff --git a/crypto/evp/evp_key.c b/crypto/evp/evp_key.c
index 71fa627..122bc28 100644
--- a/crypto/evp/evp_key.c
+++ b/crypto/evp/evp_key.c
@@ -137,7 +137,7 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
     EVP_MD_CTX_init(&c);
     for (;;) {
         if (!EVP_DigestInit_ex(&c, md, NULL))
-            return 0;
+            goto err;
         if (addmd++)
             if (!EVP_DigestUpdate(&c, &(md_buf[0]), mds))
                 goto err;
@@ -188,6 +188,6 @@ int EVP_BytesToKey(const EVP_CIPHER *type, const EVP_MD *md,
     rv = type->key_len;
  err:
     EVP_MD_CTX_cleanup(&c);
-    OPENSSL_cleanse(&(md_buf[0]), EVP_MAX_MD_SIZE);
+    OPENSSL_cleanse(md_buf, sizeof(md_buf));
     return rv;
 }
diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c
index e3fa95d..7934c95 100644
--- a/crypto/evp/evp_pbe.c
+++ b/crypto/evp/evp_pbe.c
@@ -228,12 +228,16 @@ int EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid,
                          int md_nid, EVP_PBE_KEYGEN *keygen)
 {
     EVP_PBE_CTL *pbe_tmp;
-    if (!pbe_algs)
+
+    if (pbe_algs == NULL) {
         pbe_algs = sk_EVP_PBE_CTL_new(pbe_cmp);
-    if (!(pbe_tmp = (EVP_PBE_CTL *)OPENSSL_malloc(sizeof(EVP_PBE_CTL)))) {
-        EVPerr(EVP_F_EVP_PBE_ALG_ADD_TYPE, ERR_R_MALLOC_FAILURE);
-        return 0;
+        if (pbe_algs == NULL)
+            goto err;
     }
+
+    if ((pbe_tmp = OPENSSL_malloc(sizeof(*pbe_tmp))) == NULL)
+        goto err;
+
     pbe_tmp->pbe_type = pbe_type;
     pbe_tmp->pbe_nid = pbe_nid;
     pbe_tmp->cipher_nid = cipher_nid;
@@ -242,6 +246,10 @@ int EVP_PBE_alg_add_type(int pbe_type, int pbe_nid, int cipher_nid,
 
     sk_EVP_PBE_CTL_push(pbe_algs, pbe_tmp);
     return 1;
+
+ err:
+    EVPerr(EVP_F_EVP_PBE_ALG_ADD_TYPE, ERR_R_MALLOC_FAILURE);
+    return 0;
 }
 
 int EVP_PBE_alg_add(int nid, const EVP_CIPHER *cipher, const EVP_MD *md,
diff --git a/crypto/hmac/hm_ameth.c b/crypto/hmac/hm_ameth.c
index 641c797..cf14743 100644
--- a/crypto/hmac/hm_ameth.c
+++ b/crypto/hmac/hm_ameth.c
@@ -108,9 +108,14 @@ static int old_hmac_decode(EVP_PKEY *pkey,
     ASN1_OCTET_STRING *os;
     os = ASN1_OCTET_STRING_new();
     if (!os || !ASN1_OCTET_STRING_set(os, *pder, derlen))
-        return 0;
-    EVP_PKEY_assign(pkey, EVP_PKEY_HMAC, os);
+        goto err;
+    if (!EVP_PKEY_assign(pkey, EVP_PKEY_HMAC, os))
+        goto err;
     return 1;
+
+ err:
+    ASN1_OCTET_STRING_free(os);
+    return 0;
 }
 
 static int old_hmac_encode(const EVP_PKEY *pkey, unsigned char **pder)
diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c
index d28d6b5..8db62ba 100644
--- a/crypto/ocsp/ocsp_lib.c
+++ b/crypto/ocsp/ocsp_lib.c
@@ -246,12 +246,6 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath,
     if ((p = strchr(p, ':'))) {
         *p = 0;
         port = p + 1;
-    } else {
-        /* Not found: set default port */
-        if (*pssl)
-            port = "443";
-        else
-            port = "80";
     }
 
     *pport = BUF_strdup(port);
diff --git a/crypto/ocsp/ocsp_prn.c b/crypto/ocsp/ocsp_prn.c
index 1834256..47d5f83 100644
--- a/crypto/ocsp/ocsp_prn.c
+++ b/crypto/ocsp/ocsp_prn.c
@@ -212,8 +212,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags)
         return 1;
     }
 
-    i = ASN1_STRING_length(rb->response);
-    if (!(br = OCSP_response_get1_basic(o)))
+    if ((br = OCSP_response_get1_basic(o)) == NULL)
         goto err;
     rd = br->tbsResponseData;
     l = ASN1_INTEGER_get(rd->version);
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index ee4b6a8..82d4527 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
@@ -624,13 +624,11 @@ static int do_PVK_header(const unsigned char **in, unsigned int length,
             PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT);
             return 0;
         }
-        length -= 20;
     } else {
         if (length < 24) {
             PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_PVK_TOO_SHORT);
             return 0;
         }
-        length -= 24;
         pvk_magic = read_ledword(&p);
         if (pvk_magic != MS_PVKMAGIC) {
             PEMerr(PEM_F_DO_PVK_HEADER, PEM_R_BAD_MAGIC_NUMBER);
@@ -692,23 +690,23 @@ static EVP_PKEY *do_PVK_body(const unsigned char **in,
             inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 0, u);
         if (inlen <= 0) {
             PEMerr(PEM_F_DO_PVK_BODY, PEM_R_BAD_PASSWORD_READ);
-            return NULL;
+            goto err;
         }
         enctmp = OPENSSL_malloc(keylen + 8);
         if (!enctmp) {
             PEMerr(PEM_F_DO_PVK_BODY, ERR_R_MALLOC_FAILURE);
-            return NULL;
+            goto err;
         }
         if (!derive_pvk_key(keybuf, p, saltlen,
                             (unsigned char *)psbuf, inlen))
-            return NULL;
+            goto err;
         p += saltlen;
         /* Copy BLOBHEADER across, decrypt rest */
         memcpy(enctmp, p, 8);
         p += 8;
         if (keylen < 8) {
             PEMerr(PEM_F_DO_PVK_BODY, PEM_R_PVK_TOO_SHORT);
-            return NULL;
+            goto err;
         }
         inlen = keylen - 8;
         q = enctmp + 8;
diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
index 982805d..d9f03a3 100644
--- a/crypto/pkcs12/p12_add.c
+++ b/crypto/pkcs12/p12_add.c
@@ -75,15 +75,19 @@ PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it,
     bag->type = OBJ_nid2obj(nid1);
     if (!ASN1_item_pack(obj, it, &bag->value.octet)) {
         PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
-        return NULL;
+        goto err;
     }
     if (!(safebag = PKCS12_SAFEBAG_new())) {
         PKCS12err(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG, ERR_R_MALLOC_FAILURE);
-        return NULL;
+        goto err;
     }
     safebag->value.bag = bag;
     safebag->type = OBJ_nid2obj(nid2);
     return safebag;
+
+ err:
+    PKCS12_BAGS_free(bag);
+    return NULL;
 }
 
 /* Turn PKCS8 object into a keybag */
@@ -127,6 +131,7 @@ PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
           PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, saltlen, iter,
                         p8))) {
         PKCS12err(PKCS12_F_PKCS12_MAKE_SHKEYBAG, ERR_R_MALLOC_FAILURE);
+        PKCS12_SAFEBAG_free(bag);
         return NULL;
     }
 
@@ -144,14 +149,18 @@ PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk)
     p7->type = OBJ_nid2obj(NID_pkcs7_data);
     if (!(p7->d.data = M_ASN1_OCTET_STRING_new())) {
         PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, ERR_R_MALLOC_FAILURE);
-        return NULL;
+        goto err;
     }
 
     if (!ASN1_item_pack(sk, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), &p7->d.data)) {
         PKCS12err(PKCS12_F_PKCS12_PACK_P7DATA, PKCS12_R_CANT_PACK_STRUCTURE);
-        return NULL;
+        goto err;
     }
     return p7;
+
+ err:
+    PKCS7_free(p7);
+    return NULL;
 }
 
 /* Unpack SAFEBAGS from PKCS#7 data ContentInfo */
@@ -181,7 +190,7 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
     if (!PKCS7_set_type(p7, NID_pkcs7_encrypted)) {
         PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA,
                   PKCS12_R_ERROR_SETTING_ENCRYPTED_DATA_TYPE);
-        return NULL;
+        goto err;
     }
 
     pbe_ciph = EVP_get_cipherbynid(pbe_nid);
@@ -193,7 +202,7 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
 
     if (!pbe) {
         PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, ERR_R_MALLOC_FAILURE);
-        return NULL;
+        goto err;
     }
     X509_ALGOR_free(p7->d.encrypted->enc_data->algorithm);
     p7->d.encrypted->enc_data->algorithm = pbe;
@@ -202,10 +211,14 @@ PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
           PKCS12_item_i2d_encrypt(pbe, ASN1_ITEM_rptr(PKCS12_SAFEBAGS), pass,
                                   passlen, bags, 1))) {
         PKCS12err(PKCS12_F_PKCS12_PACK_P7ENCDATA, PKCS12_R_ENCRYPT_ERROR);
-        return NULL;
+        goto err;
     }
 
     return p7;
+
+ err:
+    PKCS7_free(p7);
+    return NULL;
 }
 
 STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
index 5ab4bf2..a927782 100644
--- a/crypto/pkcs12/p12_mutl.c
+++ b/crypto/pkcs12/p12_mutl.c
@@ -173,11 +173,11 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
     }
     if (!saltlen)
         saltlen = PKCS12_SALT_LEN;
-    p12->mac->salt->length = saltlen;
-    if (!(p12->mac->salt->data = OPENSSL_malloc(saltlen))) {
+    if ((p12->mac->salt->data = OPENSSL_malloc(saltlen)) == NULL) {
         PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
         return 0;
     }
+    p12->mac->salt->length = saltlen;
     if (!salt) {
         if (RAND_pseudo_bytes(p12->mac->salt->data, saltlen) < 0)
             return 0;
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index c8d7db0..83f3b77 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -1156,7 +1156,6 @@ PKCS7_ISSUER_AND_SERIAL *PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx)
     rsk = p7->d.signed_and_enveloped->recipientinfo;
     if (rsk == NULL)
         return NULL;
-    ri = sk_PKCS7_RECIP_INFO_value(rsk, 0);
     if (sk_PKCS7_RECIP_INFO_num(rsk) <= idx)
         return (NULL);
     ri = sk_PKCS7_RECIP_INFO_value(rsk, idx);
diff --git a/crypto/sha/asm/sha512-parisc.pl b/crypto/sha/asm/sha512-parisc.pl
index fc0e15b..6cad72e 100755
--- a/crypto/sha/asm/sha512-parisc.pl
+++ b/crypto/sha/asm/sha512-parisc.pl
@@ -19,7 +19,7 @@
 # SHA512 performance is >2.9x better than gcc 3.2 generated code on
 # PA-7100LC, PA-RISC 1.1 processor. Then implementation detects if the
 # code is executed on PA-RISC 2.0 processor and switches to 64-bit
-# code path delivering adequate peformance even in "blended" 32-bit
+# code path delivering adequate performance even in "blended" 32-bit
 # build. Though 64-bit code is not any faster than code generated by
 # vendor compiler on PA-8600...
 #
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index 8415d1d..8084c4a 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -523,8 +523,6 @@ STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
     X509_OBJECT *obj, xobj;
     sk = sk_X509_CRL_new_null();
     CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
-    /* Check cache first */
-    idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_CRL, nm, &cnt);
 
     /*
      * Always do lookup to possibly add new CRLs to cache
diff --git a/demos/engines/zencod/hw_zencod.c b/demos/engines/zencod/hw_zencod.c
index 0c0f524..daf0aef 100644
--- a/demos/engines/zencod/hw_zencod.c
+++ b/demos/engines/zencod/hw_zencod.c
@@ -610,7 +610,7 @@ static int zencod_init(ENGINE *e)
     ptr_zencod_rc4_cipher = ptr_rc4_1;
 
     /*
-     * We should peform a test to see if there is actually any unit runnig on
+     * We should perform a test to see if there is actually any unit runnig on
      * the system ... Even if the cryptozen library is loaded the module coul
      * not be loaded on the system ... For now we may just open and close the
      * device !!
diff --git a/doc/crypto/BIO_read.pod b/doc/crypto/BIO_read.pod
index b345281..2c177f0 100644
--- a/doc/crypto/BIO_read.pod
+++ b/doc/crypto/BIO_read.pod
@@ -9,9 +9,9 @@ BIO_read, BIO_write, BIO_gets, BIO_puts - BIO I/O functions
  #include <openssl/bio.h>
 
  int	BIO_read(BIO *b, void *buf, int len);
- int	BIO_gets(BIO *b,char *buf, int size);
+ int	BIO_gets(BIO *b, char *buf, int size);
  int	BIO_write(BIO *b, const void *buf, int len);
- int	BIO_puts(BIO *b,const char *buf);
+ int	BIO_puts(BIO *b, const char *buf);
 
 =head1 DESCRIPTION
 
@@ -26,7 +26,7 @@ return the digest and other BIOs may not support BIO_gets() at all.
 
 BIO_write() attempts to write B<len> bytes from B<buf> to BIO B<b>.
 
-BIO_puts() attempts to write a null terminated string B<buf> to BIO B<b>
+BIO_puts() attempts to write a null terminated string B<buf> to BIO B<b>.
 
 =head1 RETURN VALUES
 
diff --git a/doc/crypto/BN_rand.pod b/doc/crypto/BN_rand.pod
index b91231c..fde5f72 100644
--- a/doc/crypto/BN_rand.pod
+++ b/doc/crypto/BN_rand.pod
@@ -19,7 +19,7 @@ BN_rand, BN_pseudo_rand - generate pseudo-random number
 =head1 DESCRIPTION
 
 BN_rand() generates a cryptographically strong pseudo-random number of
-B<bits> bits in length and stores it in B<rnd>. If B<top> is -1, the
+B<bits> in length and stores it in B<rnd>. If B<top> is -1, the
 most significant bit of the random number can be zero. If B<top> is 0,
 it is set to 1, and if B<top> is 1, the two most significant bits of
 the number will be set to 1, so that the product of two such random
diff --git a/doc/crypto/d2i_X509_NAME.pod b/doc/crypto/d2i_X509_NAME.pod
index 343ffe1..b025de7 100644
--- a/doc/crypto/d2i_X509_NAME.pod
+++ b/doc/crypto/d2i_X509_NAME.pod
@@ -14,7 +14,7 @@ d2i_X509_NAME, i2d_X509_NAME - X509_NAME encoding functions
 =head1 DESCRIPTION
 
 These functions decode and encode an B<X509_NAME> structure which is the
-the same as the B<Name> type defined in RFC2459 (and elsewhere) and used
+same as the B<Name> type defined in RFC2459 (and elsewhere) and used
 for example in certificate subject and issuer names.
 
 Othewise the functions behave in a similar way to d2i_X509() and i2d_X509()
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
index 47b3189..104349e 100644
--- a/ssl/s3_clnt.c
+++ b/ssl/s3_clnt.c
@@ -2377,6 +2377,7 @@ int ssl3_send_client_key_exchange(SSL *s)
                     || (pkey->pkey.rsa == NULL)) {
                     SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,
                            ERR_R_INTERNAL_ERROR);
+                    EVP_PKEY_free(pkey);
                     goto err;
                 }
                 rsa = pkey->pkey.rsa;
@@ -3217,7 +3218,6 @@ int ssl3_send_client_certificate(SSL *s)
          * If we get an error, we need to ssl->rwstate=SSL_X509_LOOKUP;
          * return(-1); We then get retied later
          */
-        i = 0;
         i = ssl_do_client_cert_cb(s, &x509, &pkey);
         if (i < 0) {
             s->rwstate = SSL_X509_LOOKUP;
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 208063c..aa57937 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -383,7 +383,6 @@ int ssl3_accept(SSL *s)
                      */
                     if (al != TLS1_AD_UNKNOWN_PSK_IDENTITY)
                         SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_CLIENTHELLO_TLSEXT);
-                    ret = SSL_TLSEXT_ERR_ALERT_FATAL;
                     ret = -1;
                     s->state = SSL_ST_ERR;
                     goto end;
diff --git a/ssl/tls1.h b/ssl/tls1.h
index 69d8186..91504b1 100644
--- a/ssl/tls1.h
+++ b/ssl/tls1.h
@@ -235,8 +235,7 @@ extern "C" {
 
 /*
  * ExtensionType value for TLS padding extension.
- * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
- * http://tools.ietf.org/html/draft-agl-tls-padding-03
+ * http://tools.ietf.org/html/draft-agl-tls-padding
  */
 # define TLSEXT_TYPE_padding     21
 
@@ -261,20 +260,19 @@ extern "C" {
 #  define TLSEXT_TYPE_next_proto_neg              13172
 # endif
 
-/* NameType value from RFC 3546 */
+/* NameType value from RFC3546 */
 # define TLSEXT_NAMETYPE_host_name 0
-/* status request value from RFC 3546 */
+/* status request value from RFC3546 */
 # define TLSEXT_STATUSTYPE_ocsp 1
 
-/* ECPointFormat values from draft-ietf-tls-ecc-12 */
+/* ECPointFormat values from RFC4492 */
 # define TLSEXT_ECPOINTFORMAT_first                      0
 # define TLSEXT_ECPOINTFORMAT_uncompressed               0
 # define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime  1
 # define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2  2
 # define TLSEXT_ECPOINTFORMAT_last                       2
 
-/* Signature and hash algorithms from RFC 5246 */
-
+/* Signature and hash algorithms from RFC5246 */
 # define TLSEXT_signature_anonymous                      0
 # define TLSEXT_signature_rsa                            1
 # define TLSEXT_signature_dsa                            2
@@ -404,7 +402,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_CK_DHE_DSS_WITH_RC4_128_SHA                0x03000066
 
 /* AES ciphersuites from RFC3268 */
-
 # define TLS1_CK_RSA_WITH_AES_128_SHA                    0x0300002F
 # define TLS1_CK_DH_DSS_WITH_AES_128_SHA                 0x03000030
 # define TLS1_CK_DH_RSA_WITH_AES_128_SHA                 0x03000031
@@ -570,7 +567,7 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb)
 # define TLS1_TXT_DHE_RSA_WITH_AES_256_SHA               "DHE-RSA-AES256-SHA"
 # define TLS1_TXT_ADH_WITH_AES_256_SHA                   "ADH-AES256-SHA"
 
-/* ECC ciphersuites from draft-ietf-tls-ecc-01.txt (Mar 15, 2001) */
+/* ECC ciphersuites from RFC4492 */
 # define TLS1_TXT_ECDH_ECDSA_WITH_NULL_SHA               "ECDH-ECDSA-NULL-SHA"
 # define TLS1_TXT_ECDH_ECDSA_WITH_RC4_128_SHA            "ECDH-ECDSA-RC4-SHA"
 # define TLS1_TXT_ECDH_ECDSA_WITH_DES_192_CBC3_SHA       "ECDH-ECDSA-DES-CBC3-SHA"


More information about the openssl-commits mailing list