import openssl-0.9.7d

3 files changed, 21 insertions, 10 deletions

diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c
index d6c8899f58..57399433fc 100644
--- a/src/lib/libcrypto/ocsp/ocsp_ext.c
+++ b/src/lib/libcrypto/ocsp/ocsp_ext.c
@@ -305,6 +305,8 @@ err:
 
 /* Add a nonce to an extension stack. A nonce can be specificed or if NULL
  * a random nonce will be generated.
+ * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the 
+ * nonce, previous versions used the raw nonce.
  */
 
 static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
@@ -313,20 +315,28 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val,
         ASN1_OCTET_STRING os;
         int ret = 0;
         if (len <= 0) len = OCSP_DEFAULT_NONCE_LENGTH;
-        if (val) tmpval = val;
+        /* Create the OCTET STRING manually by writing out the header and
+         * appending the content octets. This avoids an extra memory allocation
+         * operation in some cases. Applications should *NOT* do this because
+         * it relies on library internals.
+         */
+        os.length = ASN1_object_size(0, len, V_ASN1_OCTET_STRING);
+        os.data = OPENSSL_malloc(os.length);
+        if (os.data == NULL)
+                goto err;
+        tmpval = os.data;
+        ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
+        if (val)
+                memcpy(tmpval, val, len);
         else
-                {
-                if (!(tmpval = OPENSSL_malloc(len))) goto err;
                 RAND_pseudo_bytes(tmpval, len);
-                }
-        os.data = tmpval;
-        os.length = len;
         if(!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
                         &os, 0, X509V3_ADD_REPLACE))
                                 goto err;
         ret = 1;
         err:
-        if(!val) OPENSSL_free(tmpval);
+        if (os.data)
+                OPENSSL_free(os.data);
         return ret;
         }
 
diff --git a/src/lib/libcrypto/ocsp/ocsp_lib.c b/src/lib/libcrypto/ocsp/ocsp_lib.c
index 3875af165c..9e87fc7895 100644
--- a/src/lib/libcrypto/ocsp/ocsp_lib.c
+++ b/src/lib/libcrypto/ocsp/ocsp_lib.c
@@ -253,6 +253,7 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
 
 
         err:
+        if (buf) OPENSSL_free(buf);
         if (*ppath) OPENSSL_free(*ppath);
         if (*pport) OPENSSL_free(*pport);
         if (*phost) OPENSSL_free(*phost);
diff --git a/src/lib/libcrypto/ocsp/ocsp_vfy.c b/src/lib/libcrypto/ocsp/ocsp_vfy.c
index 1f5fda7ca3..3d58dfb06c 100644
--- a/src/lib/libcrypto/ocsp/ocsp_vfy.c
+++ b/src/lib/libcrypto/ocsp/ocsp_vfy.c
@@ -3,7 +3,7 @@
  * project 2000.
  */
 /* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -272,7 +272,7 @@ static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret)
 
         for (i = 1; i < idcount; i++)
                 {
-                tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+                tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
                 /* Check to see if IDs match */
                 if (OCSP_id_issuer_cmp(cid, tmpid))
                         {
@@ -330,7 +330,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                 OCSP_CERTID *tmpid;
                 for (i = 0; i < sk_OCSP_SINGLERESP_num(sresp); i++)
                         {
-                        tmpid = sk_OCSP_SINGLERESP_value(sresp, 0)->certId;
+                        tmpid = sk_OCSP_SINGLERESP_value(sresp, i)->certId;
                         ret = ocsp_match_issuerid(cert, tmpid, NULL);
                         if (ret <= 0) return ret;
                         }