Apply by doing:

Apply by doing:
cd /usr/src
patch -p0 < 002_asn1.patch

And then rebuild and install OpenSSL:
cd lib/libssl
make obj
make depend
make
make install

Index: lib/libssl/src/crypto/asn1/asn1_lib.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/asn1_lib.c,v
retrieving revision 1.11
retrieving revision 1.11.2.1
diff -u -p -r1.11 -r1.11.2.1
--- lib/libssl/src/crypto/asn1/asn1_lib.c 5 Apr 2003 11:05:07 -0000 1.11
+++ lib/libssl/src/crypto/asn1/asn1_lib.c 31 Oct 2003 00:13:15 -0000 1.11.2.1
@@ -104,10 +104,12 @@ int ASN1_get_object(unsigned char **pp,
l<<=7L;
l|= *(p++)&0x7f;
if (--max == 0) goto err;
+ if (l > (INT_MAX >> 7L)) goto err;
}
l<<=7L;
l|= *(p++)&0x7f;
tag=(int)l;
+ if (--max == 0) goto err;
}
else
{
Index: lib/libssl/src/crypto/asn1/tasn_dec.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/asn1/tasn_dec.c,v
retrieving revision 1.3
retrieving revision 1.3.2.1
diff -u -p -r1.3 -r1.3.2.1
--- lib/libssl/src/crypto/asn1/tasn_dec.c 12 May 2003 02:18:35 -0000 1.3
+++ lib/libssl/src/crypto/asn1/tasn_dec.c 31 Oct 2003 00:13:15 -0000 1.3.2.1
@@ -691,6 +691,7 @@ static int asn1_d2i_ex_primitive(ASN1_VA

int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
{
+ ASN1_VALUE **opval = NULL;
ASN1_STRING *stmp;
ASN1_TYPE *typ = NULL;
int ret = 0;
@@ -705,6 +706,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsig
*pval = (ASN1_VALUE *)typ;
} else typ = (ASN1_TYPE *)*pval;
if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL);
+ opval = pval;
pval = (ASN1_VALUE **)&typ->value.ptr;
}
switch(utype) {
@@ -796,7 +798,12 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsig

ret = 1;
err:
- if(!ret) ASN1_TYPE_free(typ);
+ if(!ret)
+ {
+ ASN1_TYPE_free(typ);
+ if (opval)
+ *opval = NULL;
+ }
return ret;
}

Index: lib/libssl/src/crypto/x509/x509_vfy.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/crypto/x509/x509_vfy.c,v
retrieving revision 1.7
retrieving revision 1.7.2.1
diff -u -p -r1.7 -r1.7.2.1
--- lib/libssl/src/crypto/x509/x509_vfy.c 12 May 2003 02:18:39 -0000 1.7
+++ lib/libssl/src/crypto/x509/x509_vfy.c 31 Oct 2003 00:13:15 -0000 1.7.2.1
@@ -674,7 +674,7 @@ static int internal_verify(X509_STORE_CT
ok=(*cb)(0,ctx);
if (!ok) goto end;
}
- if (X509_verify(xs,pkey) <= 0)
+ else if (X509_verify(xs,pkey) <= 0)
/* XXX For the final trusted self-signed cert,
* this is a waste of time. That check should
* optional so that e.g. 'openssl x509' can be
Index: lib/libssl/src/ssl/s3_clnt.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/s3_clnt.c,v
retrieving revision 1.14
retrieving revision 1.14.2.1
diff -u -p -r1.14 -r1.14.2.1
--- lib/libssl/src/ssl/s3_clnt.c 6 Aug 2003 21:08:06 -0000 1.14
+++ lib/libssl/src/ssl/s3_clnt.c 31 Oct 2003 00:13:15 -0000 1.14.2.1
@@ -1768,6 +1768,7 @@ static int ssl3_send_client_verify(SSL *
*(d++)=SSL3_MT_CERTIFICATE_VERIFY;
l2n3(n,d);

+ s->state=SSL3_ST_CW_CERT_VRFY_B;
s->init_num=(int)n+4;
s->init_off=0;
}
Index: lib/libssl/src/ssl/s3_srvr.c
===================================================================
RCS file: /cvs/src/lib/libssl/src/ssl/s3_srvr.c,v
retrieving revision 1.16
retrieving revision 1.16.2.1
diff -u -p -r1.16 -r1.16.2.1
--- lib/libssl/src/ssl/s3_srvr.c 12 May 2003 02:18:40 -0000 1.16
+++ lib/libssl/src/ssl/s3_srvr.c 31 Oct 2003 00:13:15 -0000 1.16.2.1
@@ -432,10 +432,11 @@ int ssl3_accept(SSL *s)
if (ret == 2)
s->state = SSL3_ST_SR_CLNT_HELLO_C;
else {
- /* could be sent for a DH cert, even if we
- * have not asked for it :-) */
- ret=ssl3_get_client_certificate(s);
- if (ret <= 0) goto end;
+ if (s->s3->tmp.cert_request)
+ {
+ ret=ssl3_get_client_certificate(s);
+ if (ret <= 0) goto end;
+ }
s->init_num=0;
s->state=SSL3_ST_SR_KEY_EXCH_A;
}
@@ -845,6 +846,9 @@ static int ssl3_get_client_hello(SSL *s)
}

/* TLS does not mind if there is extra stuff */
+#if 0 /* SSL 3.0 does not mind either, so we should disable this test
+ * (was enabled in 0.9.6d through 0.9.6j and 0.9.7 through 0.9.7b,
+ * in earlier SSLeay/OpenSSL releases this test existed but was buggy) */
if (s->version == SSL3_VERSION)
{
if (p < (d+n))
@@ -856,6 +860,7 @@ static int ssl3_get_client_hello(SSL *s)
goto f_err;
}
}
+#endif

/* Given s->session->ciphers and SSL_get_ciphers, we must
* pick a cipher */
@@ -1353,6 +1358,7 @@ static int ssl3_send_certificate_request
s->init_num += 4;
#endif

+ s->state = SSL3_ST_SW_CERT_REQ_B;
}

/* SSL3_ST_SW_CERT_REQ_B */