Make the necessary changes to work with the recent "ex_data" overhaul.

See the commit log message for that for more information.

NB: X509_STORE_CTX's use of "ex_data" support was actually misimplemented
(initialisation by "memset" won't/can't/doesn't work). This fixes that but
requires that X509_STORE_CTX_init() be able to handle errors - so its
prototype has been changed to return 'int' rather than 'void'. All uses of
that function throughout the source code have been tracked down and
adjusted.

18 files changed, 114 insertions, 123 deletions

diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c
index b0d859d..b50167c 100644
--- a/crypto/asn1/x_x509.c
+++ b/crypto/asn1/x_x509.c
@@ -63,9 +63,6 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-static int x509_meth_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_meth = NULL;
-
 ASN1_SEQUENCE(X509_CINF) = {
 	ASN1_EXP_OPT(X509_CINF, version, ASN1_INTEGER, 0),
 	ASN1_SIMPLE(X509_CINF, serialNumber, ASN1_INTEGER),
@@ -96,7 +93,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 		ret->skid = NULL;
 		ret->akid = NULL;
 		ret->aux = NULL;
-		CRYPTO_new_ex_data(x509_meth, ret, &ret->ex_data);
+		CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
 		break;
 
 		case ASN1_OP_D2I_POST:
@@ -105,7 +102,7 @@ static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 		break;
 
 		case ASN1_OP_FREE_POST:
-		CRYPTO_free_ex_data(x509_meth,ret,&ret->ex_data);
+		CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509, ret, &ret->ex_data);
 		X509_CERT_AUX_free(ret->aux);
 		ASN1_OCTET_STRING_free(ret->skid);
 		AUTHORITY_KEYID_free(ret->akid);
@@ -142,10 +139,8 @@ ASN1_METHOD *X509_asn1_meth(void)
 int X509_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
-	if(CRYPTO_get_ex_new_index(x509_meth_num, &x509_meth, argl, argp,
-				new_func, dup_func, free_func) < 0)
-		return -1;
-	return (x509_meth_num++);
+	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509, argl, argp,
+				new_func, dup_func, free_func);
         }
 
 int X509_set_ex_data(X509 *r, int idx, void *arg)
diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c
index dcf0338..50df223 100644
--- a/crypto/bio/bio_lib.c
+++ b/crypto/bio/bio_lib.c
@@ -63,9 +63,6 @@
 #include <openssl/bio.h>
 #include <openssl/stack.h>
 
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *bio_meth=NULL;
-static int bio_meth_num=0;
-
 BIO *BIO_new(BIO_METHOD *method)
 	{
 	BIO *ret=NULL;
@@ -100,10 +97,14 @@ int BIO_set(BIO *bio, BIO_METHOD *method)
 	bio->references=1;
 	bio->num_read=0L;
 	bio->num_write=0L;
-	CRYPTO_new_ex_data(bio_meth,bio,&bio->ex_data);
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_BIO, bio, &bio->ex_data);
 	if (method->create != NULL)
 		if (!method->create(bio))
+			{
+			CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, bio,
+					&bio->ex_data);
 			return(0);
+			}
 	return(1);
 	}
 
@@ -129,7 +130,7 @@ int BIO_free(BIO *a)
 		((i=(int)a->callback(a,BIO_CB_FREE,NULL,0,0L,1L)) <= 0))
 			return(i);
 
-	CRYPTO_free_ex_data(bio_meth,a,&a->ex_data);
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_BIO, a, &a->ex_data);
 
 	if ((a->method == NULL) || (a->method->destroy == NULL)) return(1);
 	ret=a->method->destroy(a);
@@ -482,7 +483,8 @@ BIO *BIO_dup_chain(BIO *in)
 			}
 
 		/* copy app data */
-		if (!CRYPTO_dup_ex_data(bio_meth,&new->ex_data,&bio->ex_data))
+		if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_BIO, &new->ex_data,
+					&bio->ex_data))
 			goto err;
 
 		if (ret == NULL)
@@ -512,10 +514,8 @@ void BIO_copy_next_retry(BIO *b)
 int BIO_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
 	{
-	if(CRYPTO_get_ex_new_index(bio_meth_num, &bio_meth, argl, argp,
-				new_func, dup_func, free_func) < 0)
-		return -1;
-	return (bio_meth_num++);
+	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_BIO, argl, argp,
+				new_func, dup_func, free_func);
 	}
 
 int BIO_set_ex_data(BIO *bio, int idx, void *data)
diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c
index f96b454..7c30461 100644
--- a/crypto/dh/dh_lib.c
+++ b/crypto/dh/dh_lib.c
@@ -65,8 +65,6 @@
 const char *DH_version="Diffie-Hellman" OPENSSL_VERSION_PTEXT;
 
 static const DH_METHOD *default_DH_method = NULL;
-static int dh_meth_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dh_meth = NULL;
 
 void DH_set_default_openssl_method(const DH_METHOD *meth)
 {
@@ -174,10 +172,10 @@ DH *DH_new_method(ENGINE *engine)
 	ret->method_mont_p=NULL;
 	ret->references = 1;
 	ret->flags=meth->flags;
-	CRYPTO_new_ex_data(dh_meth,ret,&ret->ex_data);
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
 	if ((meth->init != NULL) && !meth->init(ret))
 		{
-		CRYPTO_free_ex_data(dh_meth,ret,&ret->ex_data);
+		CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data);
 		OPENSSL_free(ret);
 		ret=NULL;
 		}
@@ -206,7 +204,7 @@ void DH_free(DH *r)
 	if(meth->finish) meth->finish(r);
 	ENGINE_finish(r->engine);
 
-	CRYPTO_free_ex_data(dh_meth, r, &r->ex_data);
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, r, &r->ex_data);
 
 	if (r->p != NULL) BN_clear_free(r->p);
 	if (r->g != NULL) BN_clear_free(r->g);
@@ -238,10 +236,8 @@ int DH_up(DH *r)
 int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
-	if(CRYPTO_get_ex_new_index(dh_meth_num, &dh_meth, argl, argp,
-				new_func, dup_func, free_func) < 0)
-		return -1;
-	return (dh_meth_num++);
+	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DH, argl, argp,
+				new_func, dup_func, free_func);
         }
 
 int DH_set_ex_data(DH *d, int idx, void *arg)
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
index 98878df..bae39c2 100644
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -68,8 +68,6 @@
 const char *DSA_version="DSA" OPENSSL_VERSION_PTEXT;
 
 static const DSA_METHOD *default_DSA_method = NULL;
-static int dsa_meth_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dsa_meth = NULL;
 
 void DSA_set_default_openssl_method(const DSA_METHOD *meth)
 {
@@ -181,10 +179,10 @@ DSA *DSA_new_method(ENGINE *engine)
 
 	ret->references=1;
 	ret->flags=meth->flags;
-	CRYPTO_new_ex_data(dsa_meth,ret,&ret->ex_data);
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
 	if ((meth->init != NULL) && !meth->init(ret))
 		{
-		CRYPTO_free_ex_data(dsa_meth,ret,&ret->ex_data);
+		CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data);
 		OPENSSL_free(ret);
 		ret=NULL;
 		}
@@ -216,7 +214,7 @@ void DSA_free(DSA *r)
 	if(meth->finish) meth->finish(r);
 	ENGINE_finish(r->engine);
 
-	CRYPTO_free_ex_data(dsa_meth, r, &r->ex_data);
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, r, &r->ex_data);
 
 	if (r->p != NULL) BN_clear_free(r->p);
 	if (r->q != NULL) BN_clear_free(r->q);
@@ -266,10 +264,8 @@ int DSA_size(const DSA *r)
 int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
-	if(CRYPTO_get_ex_new_index(dsa_meth_num, &dsa_meth, argl, argp,
-				new_func, dup_func, free_func) < 0)
-		return -1;
-	return (dsa_meth_num++);
+	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DSA, argl, argp,
+				new_func, dup_func, free_func);
         }
 
 int DSA_set_ex_data(DSA *d, int idx, void *arg)
diff --git a/crypto/dsa/dsatest.c b/crypto/dsa/dsatest.c
index 9eea866..5f24b59 100644
--- a/crypto/dsa/dsatest.c
+++ b/crypto/dsa/dsatest.c
@@ -202,6 +202,7 @@ end:
 	if (!ret)
 		ERR_print_errors(bio_err);
 	if (dsa != NULL) DSA_free(dsa);
+	CRYPTO_cleanup_all_ex_data();
 	ERR_remove_state(0);
 	CRYPTO_mem_leaks(bio_err);
 	if (bio_err != NULL)
diff --git a/crypto/ec/ectest.c b/crypto/ec/ectest.c
index c1f0b44..1d0b337 100644
--- a/crypto/ec/ectest.c
+++ b/crypto/ec/ectest.c
@@ -619,6 +619,7 @@ int main(int argc, char *argv[])
 	if (P_521) EC_GROUP_free(P_521);
 
 	ENGINE_cleanup();
+	CRYPTO_cleanup_all_ex_data();
 	ERR_free_strings();
 	ERR_remove_state(0);
 	CRYPTO_mem_leaks_fp(stderr);
diff --git a/crypto/engine/engine_list.c b/crypto/engine/engine_list.c
index 53eadbb..926ff5a 100644
--- a/crypto/engine/engine_list.c
+++ b/crypto/engine/engine_list.c
@@ -61,14 +61,6 @@
 #include "engine_int.h"
 #include <openssl/engine.h>
 
-/* Weird "ex_data" handling. Some have suggested there's some problems with the
- * CRYPTO_EX_DATA code (or model), but for now I'm implementing it exactly as
- * it's done in crypto/rsa/. That way the usage and documentation of that can be
- * used to assist here, and any changes or fixes made there should similarly map
- * over here quite straightforwardly. */
-static int engine_ex_data_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *engine_ex_data_stack = NULL;
-
 /* The linked-list of pointers to engine types. engine_list_head
  * incorporates an implicit structural reference but engine_list_tail
  * does not - the latter is a computational niceity and only points
@@ -85,7 +77,7 @@ static ENGINE *engine_list_tail = NULL;
  * is needed because the engine list may genuinely become empty during
  * use (so we can't use engine_list_head as an indicator for example. */
 static int engine_list_flag = 0;
-static int ENGINE_free_nolock(ENGINE *e);
+static int ENGINE_free_util(ENGINE *e, int locked);
 
 /* These static functions starting with a lower case "engine_" always
  * take place when CRYPTO_LOCK_ENGINE has been locked up. */
@@ -177,7 +169,7 @@ static int engine_list_remove(ENGINE *e)
 		engine_list_head = e->next;
 	if(engine_list_tail == e)
 		engine_list_tail = e->prev;
-	ENGINE_free_nolock(e);
+	ENGINE_free_util(e, 0);
 	return 1;
 	}
 
@@ -199,7 +191,7 @@ static int engine_internal_check(void)
 		toret = 0;
 	else
 		engine_list_flag = 1;
-	ENGINE_free_nolock(def_engine);
+	ENGINE_free_util(def_engine, 0);
 	return 1;
 	}
 
@@ -393,11 +385,11 @@ ENGINE *ENGINE_new(void)
 	memset(ret, 0, sizeof(ENGINE));
 	ret->struct_ref = 1;
 	engine_ref_debug(ret, 0, 1)
-	CRYPTO_new_ex_data(engine_ex_data_stack, ret, &ret->ex_data);
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_ENGINE, ret, &ret->ex_data);
 	return ret;
 	}
 
-int ENGINE_free(ENGINE *e)
+static int ENGINE_free_util(ENGINE *e, int locked)
 	{
 	int i;
 
@@ -407,7 +399,10 @@ int ENGINE_free(ENGINE *e)
 			ERR_R_PASSED_NULL_PARAMETER);
 		return 0;
 		}
-	i = CRYPTO_add(&e->struct_ref,-1,CRYPTO_LOCK_ENGINE);
+	if(locked)
+		i = CRYPTO_add(&e->struct_ref,-1,CRYPTO_LOCK_ENGINE);
+	else
+		i = --e->struct_ref;
 	engine_ref_debug(e, 0, -1)
 	if (i > 0) return 1;
 #ifdef REF_CHECK
@@ -418,44 +413,21 @@ int ENGINE_free(ENGINE *e)
 		}
 #endif
 	sk_ENGINE_EVP_CIPHER_pop_free(e->ciphers,ENGINE_free_engine_cipher);
-	CRYPTO_free_ex_data(engine_ex_data_stack, e, &e->ex_data);
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ENGINE, e, &e->ex_data);
 	OPENSSL_free(e);
 	return 1;
 	}
 
-static int ENGINE_free_nolock(ENGINE *e)
+int ENGINE_free(ENGINE *e)
 	{
-	int i;
-
-	if(e == NULL)
-		{
-		ENGINEerr(ENGINE_F_ENGINE_FREE,
-			ERR_R_PASSED_NULL_PARAMETER);
-		return 0;
-		}
-	
-	i=--e->struct_ref;
-	engine_ref_debug(e, 0, -1)
-	if (i > 0) return 1;
-#ifdef REF_CHECK
-	if (i < 0)
-		{
-		fprintf(stderr,"ENGINE_free, bad structural reference count\n");
-		abort();
-		}
-#endif
-	CRYPTO_free_ex_data(engine_ex_data_stack, e, &e->ex_data);
-	OPENSSL_free(e);
-	return 1;
+	return ENGINE_free_util(e, 1);
 	}
 
 int ENGINE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 		CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
 	{
-	if(CRYPTO_get_ex_new_index(engine_ex_data_num, &engine_ex_data_stack,
-			argl, argp, new_func, dup_func, free_func) < 0)
-		return -1;
-	return (engine_ex_data_num++);
+	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_ENGINE, argl, argp,
+			new_func, dup_func, free_func);
 	}
 
 int ENGINE_set_ex_data(ENGINE *e, int idx, void *arg)
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 43b62a8..1f5fda7 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -101,10 +101,16 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
 		}
 	if (!(flags & OCSP_NOVERIFY))
 		{
+		int init_res;
 		if(flags & OCSP_NOCHAIN)
-			X509_STORE_CTX_init(&ctx, st, signer, NULL);
+			init_res = X509_STORE_CTX_init(&ctx, st, signer, NULL);
 		else
-			X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+			init_res = X509_STORE_CTX_init(&ctx, st, signer, bs->certs);
+		if(!init_res)
+			{
+			OCSPerr(OCSP_F_OCSP_BASIC_VERIFY,ERR_R_X509_LIB);
+			goto end;
+			}
 
 		X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
 		ret = X509_verify_cert(&ctx);
@@ -389,10 +395,17 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *st
 		}
 	if (!(flags & OCSP_NOVERIFY))
 		{
+		int init_res;
 		if(flags & OCSP_NOCHAIN)
-			X509_STORE_CTX_init(&ctx, store, signer, NULL);
+			init_res = X509_STORE_CTX_init(&ctx, store, signer, NULL);
 		else
-			X509_STORE_CTX_init(&ctx, store, signer, req->optionalSignature->certs);
+			init_res = X509_STORE_CTX_init(&ctx, store, signer,
+					req->optionalSignature->certs);
+		if(!init_res)
+			{
+			OCSPerr(OCSP_F_OCSP_REQUEST_VERIFY,ERR_R_X509_LIB);
+			return 0;
+			}
 
 		X509_STORE_CTX_set_purpose(&ctx, X509_PURPOSE_OCSP_HELPER);
 		X509_STORE_CTX_set_trust(&ctx, X509_TRUST_OCSP_REQUEST);
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index e2c82a2..4ff021e 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -663,7 +663,11 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
 		}
 
 	/* Lets verify */
-	X509_STORE_CTX_init(ctx,cert_store,x509,cert);
+	if(!X509_STORE_CTX_init(ctx,cert_store,x509,cert))
+		{
+		PKCS7err(PKCS7_F_PKCS7_DATAVERIFY,ERR_R_X509_LIB);
+		goto err;
+		}
 	X509_STORE_CTX_set_purpose(ctx, X509_PURPOSE_SMIME_SIGN);
 	i=X509_verify_cert(ctx);
 	if (i <= 0) 
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index 348ec1d..f0d071e 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -201,11 +201,20 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
 	if (!(flags & PKCS7_NOVERIFY)) for (k = 0; k < sk_X509_num(signers); k++) {
 		signer = sk_X509_value (signers, k);
 		if (!(flags & PKCS7_NOCHAIN)) {
-			X509_STORE_CTX_init(&cert_ctx, store, signer,
-							p7->d.sign->cert);
+			if(!X509_STORE_CTX_init(&cert_ctx, store, signer,
+							p7->d.sign->cert))
+				{
+				PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
+				sk_X509_free(signers);
+				return 0;
+				}
 			X509_STORE_CTX_set_purpose(&cert_ctx,
 						X509_PURPOSE_SMIME_SIGN);
-		} else X509_STORE_CTX_init (&cert_ctx, store, signer, NULL);
+		} else if(!X509_STORE_CTX_init (&cert_ctx, store, signer, NULL)) {
+			PKCS7err(PKCS7_F_PKCS7_VERIFY,ERR_R_X509_LIB);
+			sk_X509_free(signers);
+			return 0;
+		}
 		i = X509_verify_cert(&cert_ctx);
 		if (i <= 0) j = X509_STORE_CTX_get_error(&cert_ctx);
 		X509_STORE_CTX_cleanup(&cert_ctx);
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index 3accf01..e3368c1 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -67,8 +67,6 @@
 const char *RSA_version="RSA" OPENSSL_VERSION_PTEXT;
 
 static const RSA_METHOD *default_RSA_meth=NULL;
-static int rsa_meth_num=0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL;
 
 RSA *RSA_new(void)
 	{
@@ -198,10 +196,10 @@ RSA *RSA_new_method(ENGINE *engine)
 	ret->blinding=NULL;
 	ret->bignum_data=NULL;
 	ret->flags=meth->flags;
-	CRYPTO_new_ex_data(rsa_meth,ret,&ret->ex_data);
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
 	if ((meth->init != NULL) && !meth->init(ret))
 		{
-		CRYPTO_free_ex_data(rsa_meth, ret, &ret->ex_data);
+		CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data);
 		OPENSSL_free(ret);
 		ret=NULL;
 		}
@@ -233,7 +231,7 @@ void RSA_free(RSA *r)
 		meth->finish(r);
 	ENGINE_finish(r->engine);
 
-	CRYPTO_free_ex_data(rsa_meth,r,&r->ex_data);
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data);
 
 	if (r->n != NULL) BN_clear_free(r->n);
 	if (r->e != NULL) BN_clear_free(r->e);
@@ -267,10 +265,8 @@ int RSA_up(RSA *r)
 int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
-	if(CRYPTO_get_ex_new_index(rsa_meth_num, &rsa_meth, argl, argp,
-				new_func, dup_func, free_func) < 0)
-		return -1;
-	return (rsa_meth_num++);
+	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, argl, argp,
+				new_func, dup_func, free_func);
         }
 
 int RSA_set_ex_data(RSA *r, int idx, void *arg)
diff --git a/crypto/rsa/rsa_test.c b/crypto/rsa/rsa_test.c
index 2c0a1d5..5dee24b 100644
--- a/crypto/rsa/rsa_test.c
+++ b/crypto/rsa/rsa_test.c
@@ -307,6 +307,7 @@ int main(int argc, char *argv[])
 	RSA_free(key);
 	}
 
+    CRYPTO_cleanup_all_ex_data();
     ERR_remove_state(0);
 
     CRYPTO_mem_leaks_fp(stdout);
diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c
index c526426..16946ca 100644
--- a/crypto/ui/ui_lib.c
+++ b/crypto/ui/ui_lib.c
@@ -66,8 +66,6 @@
 IMPLEMENT_STACK_OF(UI_STRING_ST)
 
 static const UI_METHOD *default_UI_meth=NULL;
-static int ui_meth_num=0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ui_meth=NULL;
 
 UI *UI_new(void)
 	{
@@ -91,7 +89,7 @@ UI *UI_new_method(const UI_METHOD *method)
 
 	ret->strings=NULL;
 	ret->user_data=NULL;
-	CRYPTO_new_ex_data(ui_meth,ret,&ret->ex_data);
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data);
 	return ret;
 	}
 
@@ -119,6 +117,7 @@ void UI_free(UI *ui)
 	if (ui == NULL)
 		return;
 	sk_UI_STRING_pop_free(ui->strings,free_string);
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_UI, ui, &ui->ex_data);
 	OPENSSL_free(ui);
 	}
 
@@ -574,10 +573,8 @@ int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)())
 int UI_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
         {
-	if(CRYPTO_get_ex_new_index(ui_meth_num, &ui_meth, argl, argp,
-				new_func, dup_func, free_func) < 0)
-		return -1;
-	return (ui_meth_num++);
+	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_UI, argl, argp,
+				new_func, dup_func, free_func);
         }
 
 int UI_set_ex_data(UI *r, int idx, void *arg)
diff --git a/crypto/x509/x509.h b/crypto/x509/x509.h
index 2d0ecf2..f1040ac 100644
--- a/crypto/x509/x509.h
+++ b/crypto/x509/x509.h
@@ -1221,6 +1221,8 @@ void ERR_load_X509_strings(void);
 #define X509_F_X509_REQ_TO_X509				 123
 #define X509_F_X509_STORE_ADD_CERT			 124
 #define X509_F_X509_STORE_ADD_CRL			 125
+#define X509_F_X509_STORE_CTX_INIT			 143
+#define X509_F_X509_STORE_CTX_NEW			 142
 #define X509_F_X509_STORE_CTX_PURPOSE_INHERIT		 134
 #define X509_F_X509_TO_X509_REQ				 126
 #define X509_F_X509_TRUST_ADD				 133
diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index fa72c16..5bbf4ac 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -100,6 +100,8 @@ static ERR_STRING_DATA X509_str_functs[]=
 {ERR_PACK(0,X509_F_X509_REQ_TO_X509,0),	"X509_REQ_to_X509"},
 {ERR_PACK(0,X509_F_X509_STORE_ADD_CERT,0),	"X509_STORE_add_cert"},
 {ERR_PACK(0,X509_F_X509_STORE_ADD_CRL,0),	"X509_STORE_add_crl"},
+{ERR_PACK(0,X509_F_X509_STORE_CTX_INIT,0),	"X509_STORE_CTX_init"},
+{ERR_PACK(0,X509_F_X509_STORE_CTX_NEW,0),	"X509_STORE_CTX_new"},
 {ERR_PACK(0,X509_F_X509_STORE_CTX_PURPOSE_INHERIT,0),	"X509_STORE_CTX_purpose_inherit"},
 {ERR_PACK(0,X509_F_X509_TO_X509_REQ,0),	"X509_to_X509_REQ"},
 {ERR_PACK(0,X509_F_X509_TRUST_ADD,0),	"X509_TRUST_add"},
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index a298343..b780dae 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -62,8 +62,6 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_meth=NULL;
-
 X509_LOOKUP *X509_LOOKUP_new(X509_LOOKUP_METHOD *method)
 	{
 	X509_LOOKUP *ret;
@@ -202,7 +200,7 @@ X509_STORE *X509_STORE_new(void)
 	ret->cert_crl = 0;
 	ret->cleanup = 0;
 
-	memset(&ret->ex_data,0,sizeof(CRYPTO_EX_DATA));
+	CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE, ret, &ret->ex_data);
 	ret->references=1;
 	ret->depth=0;
 	return ret;
@@ -245,7 +243,7 @@ void X509_STORE_free(X509_STORE *vfy)
 	sk_X509_LOOKUP_free(sk);
 	sk_X509_OBJECT_pop_free(vfy->objs, cleanup);
 
-	CRYPTO_free_ex_data(x509_store_meth,vfy,&vfy->ex_data);
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE, vfy, &vfy->ex_data);
 	OPENSSL_free(vfy);
 	}
 
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 4c3aae7..892b784 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -80,9 +80,6 @@ static int check_cert(X509_STORE_CTX *ctx);
 static int internal_verify(X509_STORE_CTX *ctx);
 const char *X509_version="X.509" OPENSSL_VERSION_PTEXT;
 
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_method=NULL;
-static int x509_store_ctx_num=0;
-
 
 static int null_callback(int ok, X509_STORE_CTX *e)
 	{
@@ -891,14 +888,9 @@ int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_fu
 	     CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func)
 	{
 	/* This function is (usually) called only once, by
-	 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c).
-	 * That function uses locking, so we don't (usually)
-	 * have to worry about locking here. For the whole cruel
-	 * truth, see crypto/ex_data.c */
-	if(CRYPTO_get_ex_new_index(x509_store_ctx_num, &x509_store_ctx_method,
-			argl, argp, new_func, dup_func, free_func) < 0)
-		return -1;
-	return (x509_store_ctx_num++);
+	 * SSL_get_ex_data_X509_STORE_CTX_idx (ssl/ssl_cert.c). */
+	return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp,
+			new_func, dup_func, free_func);
 	}
 
 int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data)
@@ -1032,7 +1024,12 @@ X509_STORE_CTX *X509_STORE_CTX_new(void)
 {
 	X509_STORE_CTX *ctx;
 	ctx = (X509_STORE_CTX *)OPENSSL_malloc(sizeof(X509_STORE_CTX));
-	if (ctx) memset(ctx, 0, sizeof(X509_STORE_CTX));
+	if (!ctx)
+		{
+		X509err(X509_F_X509_STORE_CTX_NEW,ERR_R_MALLOC_FAILURE);
+		return NULL;
+		}
+	memset(ctx, 0, sizeof(X509_STORE_CTX));
 	return ctx;
 }
 
@@ -1042,7 +1039,7 @@ void X509_STORE_CTX_free(X509_STORE_CTX *ctx)
 	OPENSSL_free(ctx);
 }
 
-void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
+int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 	     STACK_OF(X509) *chain)
 	{
 	ctx->ctx=store;
@@ -1111,7 +1108,18 @@ void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509,
 
 	ctx->cleanup = store->cleanup;
 
-	memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA));
+	/* This memset() can't make any sense anyway, so it's removed. As
+	 * X509_STORE_CTX_cleanup does a proper "free" on the ex_data, we put a
+	 * corresponding "new" here and remove this bogus initialisation. */
+	/* memset(&(ctx->ex_data),0,sizeof(CRYPTO_EX_DATA)); */
+	if(!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
+				&(ctx->ex_data)))
+		{
+		OPENSSL_free(ctx);
+		X509err(X509_F_X509_STORE_CTX_INIT,ERR_R_MALLOC_FAILURE);
+		return 0;
+		}
+	return 1;
 	}
 
 /* Set alternative lookup method: just a STACK of trusted certificates.
@@ -1132,7 +1140,7 @@ void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx)
 		sk_X509_pop_free(ctx->chain,X509_free);
 		ctx->chain=NULL;
 		}
-	CRYPTO_free_ex_data(x509_store_ctx_method,ctx,&(ctx->ex_data));
+	CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx, &(ctx->ex_data));
 	memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
 	}
 
diff --git a/crypto/x509/x509_vfy.h b/crypto/x509/x509_vfy.h
index 043ed49..689062f 100644
--- a/crypto/x509/x509_vfy.h
+++ b/crypto/x509/x509_vfy.h
@@ -332,7 +332,7 @@ X509_STORE_CTX *X509_STORE_CTX_new(void);
 int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
 
 void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
-void X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
+int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store,
 			 X509 *x509, STACK_OF(X509) *chain);
 void X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);