From f65ff03d106f4cfe162bfde4780426b7bbc2e4ee Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Tue, 7 Jul 2015 08:57:00 -0400
Subject: Update openssl: 1.0.1m -> 1.0.1o

---
 openssl/crypto/ocsp/Makefile   |  2 ++
 openssl/crypto/ocsp/ocsp_ext.c |  4 ++--
 openssl/crypto/ocsp/ocsp_vfy.c | 21 +++++++++++++++++----
 3 files changed, 21 insertions(+), 6 deletions(-)

(limited to 'openssl/crypto/ocsp')

diff --git a/openssl/crypto/ocsp/Makefile b/openssl/crypto/ocsp/Makefile
index 60c414cf4..96a1b156b 100644
--- a/openssl/crypto/ocsp/Makefile
+++ b/openssl/crypto/ocsp/Makefile
@@ -64,6 +64,8 @@ tests:
 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
+update: depend
+
 depend:
 	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
diff --git a/openssl/crypto/ocsp/ocsp_ext.c b/openssl/crypto/ocsp/ocsp_ext.c
index 849cb2f76..c19648c73 100644
--- a/openssl/crypto/ocsp/ocsp_ext.c
+++ b/openssl/crypto/ocsp/ocsp_ext.c
@@ -361,8 +361,8 @@ static int ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts,
     ASN1_put_object(&tmpval, 0, len, V_ASN1_OCTET_STRING, V_ASN1_UNIVERSAL);
     if (val)
         memcpy(tmpval, val, len);
-    else
-        RAND_pseudo_bytes(tmpval, len);
+    else if (RAND_pseudo_bytes(tmpval, len) < 0)
+        goto err;
     if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce,
                          &os, 0, X509V3_ADD_REPLACE))
         goto err;
diff --git a/openssl/crypto/ocsp/ocsp_vfy.c b/openssl/crypto/ocsp/ocsp_vfy.c
index 6c0ccb565..d4a257c33 100644
--- a/openssl/crypto/ocsp/ocsp_vfy.c
+++ b/openssl/crypto/ocsp/ocsp_vfy.c
@@ -83,6 +83,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
 {
     X509 *signer, *x;
     STACK_OF(X509) *chain = NULL;
+    STACK_OF(X509) *untrusted = NULL;
     X509_STORE_CTX ctx;
     int i, ret = 0;
     ret = ocsp_find_signer(&signer, bs, certs, st, flags);
@@ -107,10 +108,20 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
     }
     if (!(flags & OCSP_NOVERIFY)) {
         int init_res;
-        if (flags & OCSP_NOCHAIN)
-            init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
-        else
-            init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+        if (flags & OCSP_NOCHAIN) {
+            untrusted = NULL;
+        } else if (bs->certs && certs) {
+            untrusted = sk_X509_dup(bs->certs);
+            for (i = 0; i < sk_X509_num(certs); i++) {
+                if (!sk_X509_push(untrusted, sk_X509_value(certs, i))) {
+                    OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_MALLOC_FAILURE);
+                    goto end;
+                }
+            }
+        } else {
+            untrusted = bs->certs;
+        }
+        init_res = X509_STORE_CTX_init(&ctx, st, signer, untrusted);
         if (!init_res) {
             ret = -1;
             OCSPerr(OCSP_F_OCSP_BASIC_VERIFY, ERR_R_X509_LIB);
@@ -161,6 +172,8 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
  end:
     if (chain)
         sk_X509_pop_free(chain, X509_free);
+    if (bs->certs && certs)
+        sk_X509_free(untrusted);
     return ret;
 }
 
-- 
cgit v1.2.3