Apply by doing: cd /usr/src patch -p0 < 002_asn1.patch And then rebuild and install OpenSSL: cd lib/libssl make obj make depend make make install Index: lib/libssl/src/crypto/asn1/asn1_lib.c =================================================================== RCS file: /cvs/src/lib/libssl/src/crypto/asn1/asn1_lib.c,v retrieving revision 1.11 retrieving revision 1.11.2.1 diff -u -p -r1.11 -r1.11.2.1 --- lib/libssl/src/crypto/asn1/asn1_lib.c 5 Apr 2003 11:05:07 -0000 1.11 +++ lib/libssl/src/crypto/asn1/asn1_lib.c 31 Oct 2003 00:13:15 -0000 1.11.2.1 @@ -104,10 +104,12 @@ int ASN1_get_object(unsigned char **pp, l<<=7L; l|= *(p++)&0x7f; if (--max == 0) goto err; + if (l > (INT_MAX >> 7L)) goto err; } l<<=7L; l|= *(p++)&0x7f; tag=(int)l; + if (--max == 0) goto err; } else { Index: lib/libssl/src/crypto/asn1/tasn_dec.c =================================================================== RCS file: /cvs/src/lib/libssl/src/crypto/asn1/tasn_dec.c,v retrieving revision 1.3 retrieving revision 1.3.2.1 diff -u -p -r1.3 -r1.3.2.1 --- lib/libssl/src/crypto/asn1/tasn_dec.c 12 May 2003 02:18:35 -0000 1.3 +++ lib/libssl/src/crypto/asn1/tasn_dec.c 31 Oct 2003 00:13:15 -0000 1.3.2.1 @@ -691,6 +691,7 @@ static int asn1_d2i_ex_primitive(ASN1_VA int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it) { + ASN1_VALUE **opval = NULL; ASN1_STRING *stmp; ASN1_TYPE *typ = NULL; int ret = 0; @@ -705,6 +706,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsig *pval = (ASN1_VALUE *)typ; } else typ = (ASN1_TYPE *)*pval; if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL); + opval = pval; pval = (ASN1_VALUE **)&typ->value.ptr; } switch(utype) { @@ -796,7 +798,12 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsig ret = 1; err: - if(!ret) ASN1_TYPE_free(typ); + if(!ret) + { + ASN1_TYPE_free(typ); + if (opval) + *opval = NULL; + } return ret; } Index: lib/libssl/src/crypto/x509/x509_vfy.c =================================================================== RCS file: /cvs/src/lib/libssl/src/crypto/x509/x509_vfy.c,v retrieving revision 1.7 retrieving revision 1.7.2.1 diff -u -p -r1.7 -r1.7.2.1 --- lib/libssl/src/crypto/x509/x509_vfy.c 12 May 2003 02:18:39 -0000 1.7 +++ lib/libssl/src/crypto/x509/x509_vfy.c 31 Oct 2003 00:13:15 -0000 1.7.2.1 @@ -674,7 +674,7 @@ static int internal_verify(X509_STORE_CT ok=(*cb)(0,ctx); if (!ok) goto end; } - if (X509_verify(xs,pkey) <= 0) + else if (X509_verify(xs,pkey) <= 0) /* XXX For the final trusted self-signed cert, * this is a waste of time. That check should * optional so that e.g. 'openssl x509' can be Index: lib/libssl/src/ssl/s3_clnt.c =================================================================== RCS file: /cvs/src/lib/libssl/src/ssl/s3_clnt.c,v retrieving revision 1.14 retrieving revision 1.14.2.1 diff -u -p -r1.14 -r1.14.2.1 --- lib/libssl/src/ssl/s3_clnt.c 6 Aug 2003 21:08:06 -0000 1.14 +++ lib/libssl/src/ssl/s3_clnt.c 31 Oct 2003 00:13:15 -0000 1.14.2.1 @@ -1768,6 +1768,7 @@ static int ssl3_send_client_verify(SSL * *(d++)=SSL3_MT_CERTIFICATE_VERIFY; l2n3(n,d); + s->state=SSL3_ST_CW_CERT_VRFY_B; s->init_num=(int)n+4; s->init_off=0; } Index: lib/libssl/src/ssl/s3_srvr.c =================================================================== RCS file: /cvs/src/lib/libssl/src/ssl/s3_srvr.c,v retrieving revision 1.16 retrieving revision 1.16.2.1 diff -u -p -r1.16 -r1.16.2.1 --- lib/libssl/src/ssl/s3_srvr.c 12 May 2003 02:18:40 -0000 1.16 +++ lib/libssl/src/ssl/s3_srvr.c 31 Oct 2003 00:13:15 -0000 1.16.2.1 @@ -432,10 +432,11 @@ int ssl3_accept(SSL *s) if (ret == 2) s->state = SSL3_ST_SR_CLNT_HELLO_C; else { - /* could be sent for a DH cert, even if we - * have not asked for it :-) */ - ret=ssl3_get_client_certificate(s); - if (ret <= 0) goto end; + if (s->s3->tmp.cert_request) + { + ret=ssl3_get_client_certificate(s); + if (ret <= 0) goto end; + } s->init_num=0; s->state=SSL3_ST_SR_KEY_EXCH_A; } @@ -845,6 +846,9 @@ static int ssl3_get_client_hello(SSL *s) } /* TLS does not mind if there is extra stuff */ +#if 0 /* SSL 3.0 does not mind either, so we should disable this test + * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b, + * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */ if (s->version == SSL3_VERSION) { if (p < (d+n)) @@ -856,6 +860,7 @@ static int ssl3_get_client_hello(SSL *s) goto f_err; } } +#endif /* Given s->session->ciphers and SSL_get_ciphers, we must * pick a cipher */ @@ -1353,6 +1358,7 @@ static int ssl3_send_certificate_request s->init_num += 4; #endif + s->state = SSL3_ST_SW_CERT_REQ_B; } /* SSL3_ST_SW_CERT_REQ_B */