[packages/openssl.git] / openssl-0.9.6c-security.patch

--- crypto/cryptlib.c.orig	Fri Nov 23 13:57:59 2001
+++ crypto/cryptlib.c	Fri Jul 26 10:43:56 2002
@@ -491,3 +491,11 @@
 #endif
 
 #endif
+
+void OpenSSLDie(const char *file,int line,const char *assertion)
+    {
+    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+	    file,line,assertion);
+    abort();
+    }
+
--- crypto/cryptlib.h.orig	Tue May  2 06:35:04 2000
+++ crypto/cryptlib.h	Fri Jul 26 10:43:56 2002
@@ -89,6 +89,14 @@
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 
+/* size of string represenations */
+#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type)         ((sizeof(type)*2)
+
+/* die if we have to */
+void OpenSSLDie(const char *file,int line,const char *assertion);
+#define die(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+
 #ifdef  __cplusplus
 }
 #endif
--- crypto/asn1/asn1_lib.c.orig	Fri Mar 30 06:42:32 2001
+++ crypto/asn1/asn1_lib.c	Fri Jul 26 10:43:56 2002
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <limits.h>
 #include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/asn1_mac.h>
@@ -124,15 +124,13 @@
 		(int)(omax+ *pp));
 
 #endif
-#if 0
-	if ((p+ *plength) > (omax+ *pp))
+	if (*plength > (omax - (p - *pp)))
 		{
 		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
 		/* Set this so that even if things are not long enough
 		 * the values are set correctly */
 		ret|=0x80;
 		}
-#endif
 	*pp=p;
 	return(ret|inf);
 err:
@@ -143,7 +142,7 @@
 static int asn1_get_length(unsigned char **pp, int *inf, long *rl, int max)
 	{
 	unsigned char *p= *pp;
-	long ret=0;
+	unsigned long ret=0;
 	int i;
 
 	if (max-- < 1) return(0);
@@ -159,6 +157,8 @@
 		i= *p&0x7f;
 		if (*(p++) & 0x80)
 			{
+			if (i > sizeof(long))
+				return 0;
 			if (max-- == 0) return(0);
 			while (i-- > 0)
 				{
@@ -170,8 +171,10 @@
 		else
 			ret=i;
 		}
+	if (ret > LONG_MAX)
+		return 0;
 	*pp=p;
-	*rl=ret;
+	*rl=(long)ret;
 	return(1);
 	}
  
@@ -407,7 +407,7 @@
 
 void asn1_add_error(unsigned char *address, int offset)
 	{
-	char buf1[16],buf2[16];
+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 
 	sprintf(buf1,"%lu",(unsigned long)address);
 	sprintf(buf2,"%d",offset);
--- crypto/conf/conf_def.c.orig	Tue Jun  6 09:21:12 2000
+++ crypto/conf/conf_def.c	Fri Jul 26 10:43:56 2002
@@ -67,6 +67,7 @@
 #include "conf_def.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
+#include "cryptlib.h"
 
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
@@ -180,12 +181,12 @@
 static int def_load(CONF *conf, BIO *in, long *line)
 	{
 #define BUFSIZE	512
-	char btmp[16];
 	int bufnum=0,i,ii;
 	BUF_MEM *buff=NULL;
 	char *s,*p,*end;
 	int again,n;
 	long eline=0;
+	char btmp[DECIMAL_SIZE(eline)+1];
 	CONF_VALUE *v=NULL,*tv;
 	CONF_VALUE *sv=NULL;
 	char *section=NULL,*buf;
--- crypto/objects/obj_dat.c.orig	Mon Sep  4 09:34:35 2000
+++ crypto/objects/obj_dat.c	Fri Jul 26 10:43:56 2002
@@ -428,7 +428,7 @@
 	unsigned long l;
 	unsigned char *p;
 	const char *s;
-	char tbuf[32];
+	char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
 
 	if (buf_len <= 0) return(0);
 
--- ssl/s2_clnt.c.orig	Sat Nov 10 03:43:51 2001
+++ ssl/s2_clnt.c	Fri Jul 26 10:43:56 2002
@@ -116,6 +116,7 @@
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl2_get_client_method(int ver);
 static int get_server_finished(SSL *s);
@@ -517,6 +518,7 @@
 		}
 		
 	s->s2->conn_id_length=s->s2->tmp.conn_id_length;
+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 	memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
 	return(1);
 	}
@@ -618,6 +620,7 @@
 		/* make key_arg data */
 		i=EVP_CIPHER_iv_length(c);
 		sess->key_arg_length=i;
+		die(i <= SSL_MAX_KEY_ARG_LENGTH);
 		if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
 
 		/* make a master key */
@@ -625,6 +628,7 @@
 		sess->master_key_length=i;
 		if (i > 0)
 			{
+			die(i <= sizeof sess->master_key);
 			if (RAND_bytes(sess->master_key,i) <= 0)
 				{
 				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
@@ -668,6 +672,7 @@
 		d+=enc;
 		karg=sess->key_arg_length;	
 		s2n(karg,p); /* key arg size */
+		die(karg <= sizeof sess->key_arg);
 		memcpy(d,sess->key_arg,(unsigned int)karg);
 		d+=karg;
 
@@ -688,6 +693,7 @@
 		{
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_CLIENT_FINISHED;
+		die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 		memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
 
 		s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
@@ -944,6 +950,8 @@
 		{
 		if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
 			{
+			die(s->session->session_id_length
+			    <= sizeof s->session->session_id);
 			if (memcmp(buf,s->session->session_id,
 				(unsigned int)s->session->session_id_length) != 0)
 				{
--- ssl/s2_lib.c.orig	Tue Dec 26 05:06:47 2000
+++ ssl/s2_lib.c	Fri Jul 26 10:52:20 2002
@@ -62,6 +62,7 @@
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
 #include <openssl/md5.h>
+#include "cryptlib.h"
 
 static long ssl2_default_timeout(void );
 const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
@@ -425,10 +426,14 @@
 #endif
 
 	km=s->s2->key_material;
+	die(s->s2->key_material_length <= sizeof s->s2->key_material);
 	for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
 		{
 		MD5_Init(&ctx);
-
+		
+		die(s->session->master_key_length >= 0
+		    && s->session->master_key_length
+		    < sizeof s->session->master_key);
 		MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
 		MD5_Update(&ctx,&c,1);
 		c++;
@@ -463,6 +468,7 @@
 /*	state=s->rwstate;*/
 	error=s->error;
 	s->error=0;
+	die(error >= 0 && error <= 3);
 	i=ssl2_write(s,&(buf[3-error]),error);
 /*	if (i == error) s->rwstate=state; */
 
--- ssl/s2_srvr.c.orig	Wed Nov 14 14:19:47 2001
+++ ssl/s2_srvr.c	Fri Jul 26 10:43:56 2002
@@ -116,6 +116,7 @@
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl2_get_server_method(int ver);
 static int get_client_master_key(SSL *s);
@@ -417,11 +418,18 @@
 		n2s(p,i); s->s2->tmp.clear=i;
 		n2s(p,i); s->s2->tmp.enc=i;
 		n2s(p,i); s->session->key_arg_length=i;
+		if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
+			{
+			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
+				   SSL_R_KEY_ARG_TOO_LONG);
+			return -1;
+			}
 		s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
 		}
 
 	/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
 	p=(unsigned char *)s->init_buf->data;
+	die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER);
 	keya=s->session->key_arg_length;
 	len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
 	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
@@ -502,6 +510,7 @@
 #endif
 
 	if (is_export) i+=s->s2->tmp.clear;
+	die(i <= SSL_MAX_MASTER_KEY_LENGTH);
 	s->session->master_key_length=i;
 	memcpy(s->session->master_key,p,(unsigned int)i);
 	return(1);
@@ -649,6 +658,7 @@
 	p+=s->s2->tmp.session_id_length;
 
 	/* challenge */
+	die(s->s2->challenge_length <= sizeof s->s2->challenge);
 	memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
 	return(1);
 mem_err:
@@ -800,6 +810,7 @@
 		}
 
 	/* SSL2_ST_GET_CLIENT_FINISHED_B */
+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 	len = 1 + (unsigned long)s->s2->conn_id_length;
 	n = (int)len - s->init_num;
 	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
@@ -825,6 +836,7 @@
 		{
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_SERVER_VERIFY;
+		die(s->s2->challenge_length <= sizeof s->s2->challenge);
 		memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
 		/* p+=s->s2->challenge_length; */
 
@@ -844,6 +856,8 @@
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_SERVER_FINISHED;
 
+		die(s->session->session_id_length
+		    <= sizeof s->session->session_id);
 		memcpy(p,s->session->session_id,
 			(unsigned int)s->session->session_id_length);
 		/* p+=s->session->session_id_length; */
--- ssl/s3_clnt.c.orig	Thu Oct 25 02:18:54 2001
+++ ssl/s3_clnt.c	Fri Jul 26 10:56:23 2002
@@ -64,6 +64,7 @@
 #include <openssl/sha.h>
 #include <openssl/evp.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ssl3_client_hello(SSL *s);
@@ -492,6 +493,7 @@
 		*(p++)=i;
 		if (i != 0)
 			{
+			die(i <= sizeof s->session->session_id);
 			memcpy(p,s->session->session_id,i);
 			p+=i;
 			}
@@ -572,6 +574,14 @@
 
 	/* get the session-id */
 	j= *(p++);
+
+       if(j > sizeof s->session->session_id)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
+               goto f_err;
+               }
 
 	if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
 		{
--- ssl/ssl.h.orig	Mon Dec 17 12:24:39 2001
+++ ssl/ssl.h	Fri Jul 26 11:36:19 2002
@@ -1423,6 +1423,7 @@
 #define SSL_R_INVALID_COMMAND				 280
 #define SSL_R_INVALID_PURPOSE				 278
 #define SSL_R_INVALID_TRUST				 279
+#define SSL_R_KEY_ARG_TOO_LONG				 1112
 #define SSL_R_LENGTH_MISMATCH				 159
 #define SSL_R_LENGTH_TOO_SHORT				 160
 #define SSL_R_LIBRARY_BUG				 274
@@ -1491,6 +1492,7 @@
 #define SSL_R_SHORT_READ				 219
 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 220
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE		 221
+#define SSL_R_SSL3_SESSION_ID_TOO_LONG			 1113
 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 222
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		 1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		 1020
--- ssl/ssl_asn1.c.orig	Thu Jun  1 16:19:19 2000
+++ ssl/ssl_asn1.c	Fri Jul 26 11:37:53 2002
@@ -62,6 +62,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 typedef struct ssl_session_asn1_st
 	{
@@ -275,6 +276,7 @@
 		os.length=i;
 
 	ret->session_id_length=os.length;
+	die(os.length <= sizeof ret->session_id);
 	memcpy(ret->session_id,os.data,os.length);
 
 	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
--- ssl/ssl_err.c.orig	Fri Nov  9 18:15:29 2001
+++ ssl/ssl_err.c	Fri Jul 26 11:39:21 2002
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -275,6 +275,7 @@
 {SSL_R_INVALID_COMMAND                   ,"invalid command"},
 {SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
 {SSL_R_INVALID_TRUST                     ,"invalid trust"},
+{SSL_R_KEY_ARG_TOO_LONG                  ,"key arg too long"},
 {SSL_R_LENGTH_MISMATCH                   ,"length mismatch"},
 {SSL_R_LENGTH_TOO_SHORT                  ,"length too short"},
 {SSL_R_LIBRARY_BUG                       ,"library bug"},
@@ -343,6 +344,7 @@
 {SSL_R_SHORT_READ                        ,"short read"},
 {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
 {SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
+{SSL_R_SSL3_SESSION_ID_TOO_LONG          ,"ssl3 session id too long"},
 {SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
 {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
 {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
--- ssl/ssl_sess.c.orig	Wed Nov 29 11:12:32 2000
+++ ssl/ssl_sess.c	Fri Jul 26 10:43:56 2002
@@ -60,6 +60,7 @@
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
 static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
@@ -199,6 +200,7 @@
 		ss->session_id_length=0;
 		}
 
+	die(s->sid_ctx_length <= sizeof ss->sid_ctx);
 	memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
 	ss->sid_ctx_length=s->sid_ctx_length;
 	s->session=ss;
--- ssl/s3_srvr.c.orig	Thu Oct 25 02:18:56 2001
+++ ssl/s3_srvr.c	Fri Jul 26 11:27:08 2002
@@ -122,6 +122,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -942,6 +943,7 @@
 			s->session->session_id_length=0;
 
 		sl=s->session->session_id_length;
+		die(sl <= sizeof s->session->session_id);
 		*(p++)=sl;
 		memcpy(p,s->session->session_id,sl);
 		p+=sl;
Commit	Line	Data
9920e6ec JB	1	--- crypto/cryptlib.c.orig Fri Nov 23 13:57:59 2001
	2	+++ crypto/cryptlib.c Fri Jul 26 10:43:56 2002
	3	@@ -491,3 +491,11 @@
	4	#endif
	5
	6	#endif
	7	+
	8	+void OpenSSLDie(const char file,int line,const char assertion)
	9	+ {
	10	+ fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
	11	+ file,line,assertion);
	12	+ abort();
	13	+ }
	14	+
	15	--- crypto/cryptlib.h.orig Tue May 2 06:35:04 2000
	16	+++ crypto/cryptlib.h Fri Jul 26 10:43:56 2002
	17	@@ -89,6 +89,14 @@
	18	#define X509_CERT_DIR_EVP "SSL_CERT_DIR"
	19	#define X509_CERT_FILE_EVP "SSL_CERT_FILE"
	20
	21	+/* size of string represenations */
	22	+#define DECIMAL_SIZE(type) ((sizeof(type)*8+2)/3+1)
	23	+#define HEX_SIZE(type) ((sizeof(type)*2)
	24	+
	25	+/* die if we have to */
	26	+void OpenSSLDie(const char file,int line,const char assertion);
	27	+#define die(e) ((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
	28	+
	29	#ifdef __cplusplus
	30	}
	31	#endif
	32	--- crypto/asn1/asn1_lib.c.orig Fri Mar 30 06:42:32 2001
	33	+++ crypto/asn1/asn1_lib.c Fri Jul 26 10:43:56 2002
b0dc1116 MM	34	@@ -57,6 +57,7 @@
	35	*/
	36
	37	#include <stdio.h>
	38	+#include <limits.h>
	39	#include "cryptlib.h"
	40	#include <openssl/asn1.h>
	41	#include <openssl/asn1_mac.h>
e635c11d JB	42	@@ -124,15 +124,13 @@
	43	(int)(omax+ *pp));
	44
	45	#endif
	46	-#if 0
	47	- if ((p+ plength) > (omax+ pp))
d1002cd6	48	+ if (plength > (omax - (p - pp)))
e635c11d JB	49	{
	50	ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
	51	/* Set this so that even if things are not long enough
	52	* the values are set correctly */
	53	ret\|=0x80;
	54	}
	55	-#endif
	56	*pp=p;
	57	return(ret\|inf);
	58	err:
b0dc1116 MM	59	@@ -143,7 +142,7 @@
	60	static int asn1_get_length(unsigned char *pp, int inf, long *rl, int max)
	61	{
	62	unsigned char p= pp;
	63	- long ret=0;
	64	+ unsigned long ret=0;
	65	int i;
	66
	67	if (max-- < 1) return(0);
e635c11d JB	68	@@ -159,6 +157,8 @@
	69	i= *p&0x7f;
	70	if (*(p++) & 0x80)
	71	{
	72	+ if (i > sizeof(long))
	73	+ return 0;
	74	if (max-- == 0) return(0);
	75	while (i-- > 0)
	76	{
b0dc1116	77	@@ -170,8 +171,10 @@
e635c11d JB	78	else
	79	ret=i;
	80	}
b0dc1116	81	+ if (ret > LONG_MAX)
e635c11d JB	82	+ return 0;
e635c11d JB	83	*pp=p;
b0dc1116 MM	84	- *rl=ret;
b0dc1116 MM	85	+ *rl=(long)ret;
e635c11d	86	return(1);
b0dc1116 MM	87	}
b0dc1116 MM	88
9920e6ec JB	89	@@ -407,7 +407,7 @@
	90
	91	void asn1_add_error(unsigned char *address, int offset)
	92	{
	93	- char buf1[16],buf2[16];
	94	+ char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
	95
	96	sprintf(buf1,"%lu",(unsigned long)address);
	97	sprintf(buf2,"%d",offset);
	98	--- crypto/conf/conf_def.c.orig Tue Jun 6 09:21:12 2000
	99	+++ crypto/conf/conf_def.c Fri Jul 26 10:43:56 2002
	100	@@ -67,6 +67,7 @@
	101	#include "conf_def.h"
	102	#include <openssl/buffer.h>
	103	#include <openssl/err.h>
	104	+#include "cryptlib.h"
	105
	106	static char eat_ws(CONF conf, char *p);
	107	static char eat_alpha_numeric(CONF conf, char *p);
	108	@@ -180,12 +181,12 @@
	109	static int def_load(CONF conf, BIO in, long *line)
	110	{
	111	#define BUFSIZE 512
	112	- char btmp[16];
	113	int bufnum=0,i,ii;
	114	BUF_MEM *buff=NULL;
	115	char s,p,*end;
	116	int again,n;
	117	long eline=0;
	118	+ char btmp[DECIMAL_SIZE(eline)+1];
	119	CONF_VALUE v=NULL,tv;
	120	CONF_VALUE *sv=NULL;
	121	char section=NULL,buf;
	122	--- crypto/objects/obj_dat.c.orig Mon Sep 4 09:34:35 2000
	123	+++ crypto/objects/obj_dat.c Fri Jul 26 10:43:56 2002
	124	@@ -428,7 +428,7 @@
	125	unsigned long l;
	126	unsigned char *p;
	127	const char *s;
	128	- char tbuf[32];
	129	+ char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
	130
	131	if (buf_len <= 0) return(0);
	132
	133	--- ssl/s2_clnt.c.orig Sat Nov 10 03:43:51 2001
	134	+++ ssl/s2_clnt.c Fri Jul 26 10:43:56 2002
	135	@@ -116,6 +116,7 @@
	136	#include <openssl/buffer.h>
	137	#include <openssl/objects.h>
	138	#include <openssl/evp.h>
	139	+#include "cryptlib.h"
	140
	141	static SSL_METHOD *ssl2_get_client_method(int ver);
	142	static int get_server_finished(SSL *s);
	143	@@ -517,6 +518,7 @@
	144	}
	145
	146	s->s2->conn_id_length=s->s2->tmp.conn_id_length;
	147	+ die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
	148	memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
	149	return(1);
	150	}
	151	@@ -618,6 +620,7 @@
	152	/* make key_arg data */
153	i=EVP_CIPHER_iv_length(c);
154	sess->key_arg_length=i;
155	+ die(i <= SSL_MAX_KEY_ARG_LENGTH);
156	if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
157
158	/* make a master key */
159	@@ -625,6 +628,7 @@
160	sess->master_key_length=i;
161	if (i > 0)
162	{
163	+ die(i <= sizeof sess->master_key);
164	if (RAND_bytes(sess->master_key,i) <= 0)
165	{
166	ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
167	@@ -668,6 +672,7 @@
168	d+=enc;
169	karg=sess->key_arg_length;
170	s2n(karg,p); /* key arg size */
171	+ die(karg <= sizeof sess->key_arg);
172	memcpy(d,sess->key_arg,(unsigned int)karg);
173	d+=karg;
174
175	@@ -688,6 +693,7 @@
176	{
177	p=(unsigned char *)s->init_buf->data;
178	*(p++)=SSL2_MT_CLIENT_FINISHED;
179	+ die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
180	memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
181
182	s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
183	@@ -944,6 +950,8 @@
184	{
185	if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
186	{
187	+ die(s->session->session_id_length
188	+ <= sizeof s->session->session_id);
189	if (memcmp(buf,s->session->session_id,
190	(unsigned int)s->session->session_id_length) != 0)
191	{
192	--- ssl/s2_lib.c.orig Tue Dec 26 05:06:47 2000
193	+++ ssl/s2_lib.c Fri Jul 26 10:52:20 2002
194	@@ -62,6 +62,7 @@
195	#include <openssl/rsa.h>
196	#include <openssl/objects.h>
197	#include <openssl/md5.h>
198	+#include "cryptlib.h"
199
200	static long ssl2_default_timeout(void );
201	const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
202	@@ -425,10 +426,14 @@
203	#endif
204
205	km=s->s2->key_material;
206	+ die(s->s2->key_material_length <= sizeof s->s2->key_material);
207	for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
208	{
209	MD5_Init(&ctx);
210	-
211	+
212	+ die(s->session->master_key_length >= 0
213	+ && s->session->master_key_length
214	+ < sizeof s->session->master_key);
215	MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
216	MD5_Update(&ctx,&c,1);
217	c++;
218	@@ -463,6 +468,7 @@
219	/* state=s->rwstate;*/
220	error=s->error;
221	s->error=0;
222	+ die(error >= 0 && error <= 3);
223	i=ssl2_write(s,&(buf[3-error]),error);
224	/* if (i == error) s->rwstate=state; */
225
226	--- ssl/s2_srvr.c.orig Wed Nov 14 14:19:47 2001
227	+++ ssl/s2_srvr.c Fri Jul 26 10:43:56 2002
228	@@ -116,6 +116,7 @@
229	#include <openssl/rand.h>
230	#include <openssl/objects.h>
231	#include <openssl/evp.h>
232	+#include "cryptlib.h"
233
234	static SSL_METHOD *ssl2_get_server_method(int ver);
235	static int get_client_master_key(SSL *s);
236	@@ -417,11 +418,18 @@
237	n2s(p,i); s->s2->tmp.clear=i;
238	n2s(p,i); s->s2->tmp.enc=i;
239	n2s(p,i); s->session->key_arg_length=i;
240	+ if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
241	+ {
242	+ SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
243	+ SSL_R_KEY_ARG_TOO_LONG);
244	+ return -1;
245	+ }
246	s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
247	}
248
249	/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
250	p=(unsigned char *)s->init_buf->data;
251	+ die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER);
252	keya=s->session->key_arg_length;
253	len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
254	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
255	@@ -502,6 +510,7 @@
256	#endif
257
258	if (is_export) i+=s->s2->tmp.clear;
259	+ die(i <= SSL_MAX_MASTER_KEY_LENGTH);
260	s->session->master_key_length=i;
261	memcpy(s->session->master_key,p,(unsigned int)i);
262	return(1);
263	@@ -649,6 +658,7 @@
264	p+=s->s2->tmp.session_id_length;
265
266	/* challenge */
267	+ die(s->s2->challenge_length <= sizeof s->s2->challenge);
268	memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
269	return(1);
270	mem_err:
271	@@ -800,6 +810,7 @@
272	}
273
274	/* SSL2_ST_GET_CLIENT_FINISHED_B */
275	+ die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
276	len = 1 + (unsigned long)s->s2->conn_id_length;
277	n = (int)len - s->init_num;
278	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
279	@@ -825,6 +836,7 @@
280	{
281	p=(unsigned char *)s->init_buf->data;
282	*(p++)=SSL2_MT_SERVER_VERIFY;
283	+ die(s->s2->challenge_length <= sizeof s->s2->challenge);
284	memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
285	/* p+=s->s2->challenge_length; */
286
287	@@ -844,6 +856,8 @@
288	p=(unsigned char *)s->init_buf->data;
289	*(p++)=SSL2_MT_SERVER_FINISHED;
290
291	+ die(s->session->session_id_length
292	+ <= sizeof s->session->session_id);
293	memcpy(p,s->session->session_id,
294	(unsigned int)s->session->session_id_length);
295	/* p+=s->session->session_id_length; */
296	--- ssl/s3_clnt.c.orig Thu Oct 25 02:18:54 2001
297	+++ ssl/s3_clnt.c Fri Jul 26 10:56:23 2002
298	@@ -64,6 +64,7 @@
299	#include <openssl/sha.h>
300	#include <openssl/evp.h>
301	#include "ssl_locl.h"
302	+#include "cryptlib.h"
303
304	static SSL_METHOD *ssl3_get_client_method(int ver);
305	static int ssl3_client_hello(SSL *s);
306	@@ -492,6 +493,7 @@
307	*(p++)=i;
308	if (i != 0)
309	{
310	+ die(i <= sizeof s->session->session_id);
311	memcpy(p,s->session->session_id,i);
312	p+=i;
313	}
314	@@ -572,6 +574,14 @@
315
316	/* get the session-id */
317	j= *(p++);
318	+
319	+ if(j > sizeof s->session->session_id)
320	+ {
321	+ al=SSL_AD_ILLEGAL_PARAMETER;
322	+ SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
323	+ SSL_R_SSL3_SESSION_ID_TOO_LONG);
324	+ goto f_err;
325	+ }
326
327	if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
328	{
329	--- ssl/ssl.h.orig Mon Dec 17 12:24:39 2001
330	+++ ssl/ssl.h Fri Jul 26 11:36:19 2002
331	@@ -1423,6 +1423,7 @@
332	#define SSL_R_INVALID_COMMAND 280
333	#define SSL_R_INVALID_PURPOSE 278
334	#define SSL_R_INVALID_TRUST 279
335	+#define SSL_R_KEY_ARG_TOO_LONG 1112
336	#define SSL_R_LENGTH_MISMATCH 159
337	#define SSL_R_LENGTH_TOO_SHORT 160
338	#define SSL_R_LIBRARY_BUG 274
339	@@ -1491,6 +1492,7 @@
340	#define SSL_R_SHORT_READ 219
341	#define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
342	#define SSL_R_SSL23_DOING_SESSION_ID_REUSE 221
343	+#define SSL_R_SSL3_SESSION_ID_TOO_LONG 1113
344	#define SSL_R_SSL3_SESSION_ID_TOO_SHORT 222
345	#define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE 1042
346	#define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC 1020
347	--- ssl/ssl_asn1.c.orig Thu Jun 1 16:19:19 2000
348	+++ ssl/ssl_asn1.c Fri Jul 26 11:37:53 2002
349	@@ -62,6 +62,7 @@
350	#include <openssl/objects.h>
351	#include <openssl/x509.h>
352	#include "ssl_locl.h"
353	+#include "cryptlib.h"
354
355	typedef struct ssl_session_asn1_st
356	{
357	@@ -275,6 +276,7 @@
358	os.length=i;
359
360	ret->session_id_length=os.length;
361	+ die(os.length <= sizeof ret->session_id);
362	memcpy(ret->session_id,os.data,os.length);
363
364	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
365	--- ssl/ssl_err.c.orig Fri Nov 9 18:15:29 2001
366	+++ ssl/ssl_err.c Fri Jul 26 11:39:21 2002
367	@@ -1,6 +1,6 @@
368	/* ssl/ssl_err.c */
369	/* ====================================================================
370	- * Copyright (c) 1999 The OpenSSL Project. All rights reserved.
371	+ * Copyright (c) 1999-2002 The OpenSSL Project. All rights reserved.
372	*
373	* Redistribution and use in source and binary forms, with or without
374	* modification, are permitted provided that the following conditions
375	@@ -275,6 +275,7 @@
376	{SSL_R_INVALID_COMMAND ,"invalid command"},
377	{SSL_R_INVALID_PURPOSE ,"invalid purpose"},
378	{SSL_R_INVALID_TRUST ,"invalid trust"},
379	+{SSL_R_KEY_ARG_TOO_LONG ,"key arg too long"},
380	{SSL_R_LENGTH_MISMATCH ,"length mismatch"},
381	{SSL_R_LENGTH_TOO_SHORT ,"length too short"},
382	{SSL_R_LIBRARY_BUG ,"library bug"},
383	@@ -343,6 +344,7 @@
384	{SSL_R_SHORT_READ ,"short read"},
385	{SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
386	{SSL_R_SSL23_DOING_SESSION_ID_REUSE ,"ssl23 doing session id reuse"},
387	+{SSL_R_SSL3_SESSION_ID_TOO_LONG ,"ssl3 session id too long"},
388	{SSL_R_SSL3_SESSION_ID_TOO_SHORT ,"ssl3 session id too short"},
389	{SSL_R_SSLV3_ALERT_BAD_CERTIFICATE ,"sslv3 alert bad certificate"},
390	{SSL_R_SSLV3_ALERT_BAD_RECORD_MAC ,"sslv3 alert bad record mac"},
391	--- ssl/ssl_sess.c.orig Wed Nov 29 11:12:32 2000
392	+++ ssl/ssl_sess.c Fri Jul 26 10:43:56 2002
393	@@ -60,6 +60,7 @@
394	#include <openssl/lhash.h>
395	#include <openssl/rand.h>
396	#include "ssl_locl.h"
397	+#include "cryptlib.h"
398
399	static void SSL_SESSION_list_remove(SSL_CTX ctx, SSL_SESSION s);
400	static void SSL_SESSION_list_add(SSL_CTX ctx,SSL_SESSION s);
401	@@ -199,6 +200,7 @@
402	ss->session_id_length=0;
403	}
404
405	+ die(s->sid_ctx_length <= sizeof ss->sid_ctx);
406	memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
407	ss->sid_ctx_length=s->sid_ctx_length;
408	s->session=ss;
409	--- ssl/s3_srvr.c.orig Thu Oct 25 02:18:56 2001
410	+++ ssl/s3_srvr.c Fri Jul 26 11:27:08 2002
411	@@ -122,6 +122,7 @@
412	#include <openssl/evp.h>
413	#include <openssl/x509.h>
414	#include "ssl_locl.h"
415	+#include "cryptlib.h"
416
417	static SSL_METHOD *ssl3_get_server_method(int ver);
418	static int ssl3_get_client_hello(SSL *s);
419	@@ -942,6 +943,7 @@
420	s->session->session_id_length=0;
421
422	sl=s->session->session_id_length;
423	+ die(sl <= sizeof s->session->session_id);
424	*(p++)=sl;
425	memcpy(p,s->session->session_id,sl);
426	p+=sl;