Submitted by: Julia Lawall <julia@diku.dk> The functions ENGINE_ctrl(), OPENSSL_isservice(), EVP_PKEY_sign(), CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error fix so the return code is checked correctly.
diff --git a/CHANGES b/CHANGES index 17fd386..fab83ce 100644 --- a/CHANGES +++ b/CHANGES
@@ -4,6 +4,10 @@ Changes between 0.9.8k and 1.0 [xx XXX xxxx] + *) The function EVP_PKEY_sign() returns <=0 on error: check return code + correctly. + [Julia Lawall <julia@diku.dk>] + *) Update verify callback code in apps/s_cb.c and apps/verify.c, it needlessly dereferenced structures, used obsolete functions and didn't handle all updated verify codes correctly. @@ -819,6 +823,12 @@ Changes between 0.9.8k and 0.9.8l [xx XXX xxxx] + *) The functions ENGINE_ctrl(), OPENSSL_isservice(), + CMS_get1_RecipientRequest() and RAND_bytes() can return <=0 on error + fixes for a few places where the return code is not checked + correctly. + [Julia Lawall <julia@diku.dk>] + *) Add --strict-warnings option to Configure script to include devteam warnings in other configurations. [Steve Henson]
diff --git a/apps/ts.c b/apps/ts.c index d73b4eb..bedb602 100644 --- a/apps/ts.c +++ b/apps/ts.c
@@ -649,7 +649,7 @@ /* Generating random byte sequence. */ if (len > (int)sizeof(buf)) goto err; - if (!RAND_bytes(buf, len)) goto err; + if (RAND_bytes(buf, len) <= 0) goto err; /* Find the first non-zero byte and creating ASN1_INTEGER object. */ for (i = 0; i < len && !buf[i]; ++i);
diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index deb67dd..90c0b82 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c
@@ -344,7 +344,7 @@ /* Get original receipt request details */ - if (!CMS_get1_ReceiptRequest(osi, &rr)) + if (CMS_get1_ReceiptRequest(osi, &rr) <= 0) { CMSerr(CMS_F_CMS_RECEIPT_VERIFY, CMS_R_NO_RECEIPT_REQUEST); goto err; @@ -385,7 +385,7 @@ /* Get original receipt request details */ - if (!CMS_get1_ReceiptRequest(si, &rr)) + if (CMS_get1_ReceiptRequest(si, &rr) <= 0) { CMSerr(CMS_F_CMS_ENCODE_RECEIPT, CMS_R_NO_RECEIPT_REQUEST); goto err;
diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index 2768c48..62bc495 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c
@@ -860,7 +860,7 @@ #if defined(_WIN32_WINNT) && _WIN32_WINNT>=0x0333 /* this -------------v--- guards NT-specific calls */ - if (GetVersion() < 0x80000000 && OPENSSL_isservice()) + if (GetVersion() < 0x80000000 && OPENSSL_isservice() > 0) { HANDLE h = RegisterEventSource(0,_T("OPENSSL")); const TCHAR *pmsg=buf; ReportEvent(h,EVENTLOG_ERROR_TYPE,0,0,0,1,0,&pmsg,0);
diff --git a/crypto/engine/eng_ctrl.c b/crypto/engine/eng_ctrl.c index 95b6b45..5ce25d9 100644 --- a/crypto/engine/eng_ctrl.c +++ b/crypto/engine/eng_ctrl.c
@@ -280,7 +280,7 @@ } /* Force the result of the control command to 0 or 1, for the reasons * mentioned before. */ - if (ENGINE_ctrl(e, num, i, p, f)) + if (ENGINE_ctrl(e, num, i, p, f) > 0) return 1; return 0; } @@ -345,7 +345,7 @@ * usage of these commands is consistent across applications and * that certain applications don't understand it one way, and * others another. */ - if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL)) + if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL) > 0) return 1; return 0; } @@ -360,7 +360,7 @@ if(flags & ENGINE_CMD_FLAG_STRING) { /* Same explanation as above */ - if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL)) + if(ENGINE_ctrl(e, num, 0, (void *)arg, NULL) > 0) return 1; return 0; } @@ -383,7 +383,7 @@ } /* Force the result of the control command to 0 or 1, for the reasons * mentioned before. */ - if(ENGINE_ctrl(e, num, l, NULL, NULL)) + if(ENGINE_ctrl(e, num, l, NULL, NULL) > 0) return 1; return 0; }
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c index 775c361..ac211e2 100644 --- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c
@@ -222,7 +222,7 @@ ERR_R_MALLOC_FAILURE); goto err; } - if (!RAND_bytes(salt, sLen)) + if (RAND_bytes(salt, sLen) <= 0) goto err; } maskedDBLen = emLen - hLen - 1;
diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c index 7f3e57f..8fa5734 100644 --- a/ssl/d1_enc.c +++ b/ssl/d1_enc.c
@@ -155,7 +155,7 @@ __FILE__, __LINE__); else if ( EVP_CIPHER_block_size(ds->cipher) > 1) { - if (!RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher))) + if (RAND_bytes(rec->input, EVP_CIPHER_block_size(ds->cipher)) <= 0) return -1; } }
diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 861ce30..a62ffd5 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c
@@ -2707,7 +2707,7 @@ s->method->ssl3_enc->cert_verify_mac(s, NID_id_GostR3411_94, data); - if (!EVP_PKEY_sign(pctx,signbuf,&sigsize,data,32)) { + if (EVP_PKEY_sign(pctx, signbuf, &sigsize, data, 32) <= 0) { SSLerr(SSL_F_SSL3_SEND_CLIENT_VERIFY, ERR_R_INTERNAL_ERROR); goto err;