From: Peter Avalos Date: Thu, 25 Oct 2007 04:11:26 +0000 (+0000) Subject: Import OpenSSL-0.9.8g. X-Git-Tag: v2.0.1~1984^2 X-Git-Url: https://gitweb.dragonflybsd.org/~tuxillo/dragonfly.git/commitdiff_plain/96768186732c5f9af34797b7f7493c4e37c7f094 Import OpenSSL-0.9.8g. --- diff --git a/crypto/openssl-0.9/CHANGES b/crypto/openssl-0.9/CHANGES index 05bd75df9f..512b11537d 100644 --- a/crypto/openssl-0.9/CHANGES +++ b/crypto/openssl-0.9/CHANGES @@ -2,6 +2,15 @@ OpenSSL CHANGES _______________ + Changes between 0.9.8f and 0.9.8g [19 Oct 2007] + + *) Fix various bugs: + + Binary incompatibility of ssl_ctx_st structure + + DTLS interoperation with non-compliant servers + + Don't call get_session_cb() without proposed session + + Fix ia64 assembler code + [Andy Polyakov, Steve Henson] + Changes between 0.9.8e and 0.9.8f [11 Oct 2007] *) DTLS Handshake overhaul. There were longstanding issues with diff --git a/crypto/openssl-0.9/FAQ b/crypto/openssl-0.9/FAQ index 7cd71ca0a9..96d39f5cc7 100644 --- a/crypto/openssl-0.9/FAQ +++ b/crypto/openssl-0.9/FAQ @@ -75,7 +75,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.8f was released on October 11th, 2007. +OpenSSL 0.9.8g was released on October 19th, 2007. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at init_buf->data[s->init_off]; + unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off]; const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; - int len; + int xlen; if (frag_off == 0 && s->client_version != DTLS1_BAD_VER) { 
@@ -311,15 +311,15 @@ int dtls1_do_write(SSL *s, int type) l2n3(0,p); l2n3(msg_hdr->msg_len,p); p -= DTLS1_HM_HEADER_LENGTH; - len = ret; + xlen = ret; } else { p += DTLS1_HM_HEADER_LENGTH; - len = ret - DTLS1_HM_HEADER_LENGTH; + xlen = ret - DTLS1_HM_HEADER_LENGTH; } - ssl3_finish_mac(s, p, len); + ssl3_finish_mac(s, p, xlen); } if (ret == s->init_num) @@ -398,7 +398,7 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) * the potential damage caused by malformed overlaps. */ if ((unsigned int)s->init_num >= msg_hdr->msg_len) { - unsigned char *p = s->init_buf->data; + unsigned char *p = (unsigned char *)s->init_buf->data; unsigned long msg_len = msg_hdr->msg_len; /* reconstruct message header as if it was @@ -525,7 +525,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) if (al==0) /* no alert */ { - unsigned char *p = s->init_buf->data+DTLS1_HM_HEADER_LENGTH; + unsigned char *p = (unsigned char *)s->init_buf->data+DTLS1_HM_HEADER_LENGTH; memcpy(&p[frag->msg_header.frag_off], frag->fragment,frag->msg_header.frag_len); } @@ -683,7 +683,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) if ( frag_len > 0) { - unsigned char *p=s->init_buf->data+DTLS1_HM_HEADER_LENGTH; + unsigned char *p=(unsigned char *)s->init_buf->data+DTLS1_HM_HEADER_LENGTH; i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE, &p[frag_off],frag_len,0); @@ -777,11 +777,11 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b) p=(unsigned char *)s->init_buf->data; *p++=SSL3_MT_CCS; s->d1->handshake_write_seq = s->d1->next_handshake_write_seq; - s->d1->next_handshake_write_seq++; s->init_num=DTLS1_CCS_HEADER_LENGTH; if (s->client_version == DTLS1_BAD_VER) { + s->d1->next_handshake_write_seq++; s2n(s->d1->handshake_write_seq,p); s->init_num+=2; } 
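Review bot: In the dtls1_retrieve_buffered_fragment hunk (@@ -525) the context line `memcpy(&p[frag->msg_header.frag_off], frag->fragment, frag->msg_header.frag_len)` writes into init_buf at an offset and length taken from the fragment header, and nothing visible in the hunk bounds them against the buffer's allocated size. The same applies to the `ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[frag_off], frag_len, 0)` call in the dtls1_get_message_fragment hunk (@@ -683). The commit only adds the `(unsigned char *)` cast on these lines, and both functions start and end outside their hunks, so the check may exist earlier. Because these values originate from the peer, I would state the invariant in a comment at each site once it is confirmed, e.g. `/* frag_off + frag_len <= msg_len; enforced in <function> before init_buf is grown */`.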
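Review bot: In the dtls1_send_change_cipher_spec hunk (@@ -777) the increment of `next_handshake_write_seq` now happens only under `s->client_version == DTLS1_BAD_VER`, and no comment says why. The read-side counterpart in d1_pkt.c (@@ -1006) makes the same change to `handshake_read_seq` and drops the old comment without a replacement. From the visible lines, only the DTLS1_BAD_VER branch writes the sequence number into the CCS message with `s2n`, which is presumably the reason. Sender and receiver have to agree on this rule, so I would record it at both sites, e.g. `/* only DTLS1_BAD_VER carries a handshake sequence number in CCS, so only then is the counter consumed */`. In d1_pkt.c the new unbraced `if` sits directly above `goto start;`, so braces there would also keep a later edit from changing which statement is conditional.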
@@ -974,6 +974,7 @@ dtls1_buffer_message(SSL *s, int is_ccs) pitem *item; hm_fragment *frag; PQ_64BIT seq64; + unsigned int epoch = s->d1->w_epoch; /* this function is called immediately after a message has * been serialized */ @@ -987,6 +988,7 @@ dtls1_buffer_message(SSL *s, int is_ccs) { OPENSSL_assert(s->d1->w_msg_hdr.msg_len + DTLS1_CCS_HEADER_LENGTH <= (unsigned int)s->init_num); + epoch++; } else { @@ -1002,7 +1004,7 @@ dtls1_buffer_message(SSL *s, int is_ccs) frag->msg_header.is_ccs = is_ccs; pq_64bit_init(&seq64); - pq_64bit_assign_word(&seq64, frag->msg_header.seq); + pq_64bit_assign_word(&seq64, epoch<<16 | frag->msg_header.seq); item = pitem_new(seq64, frag); pq_64bit_free(&seq64); diff --git a/crypto/openssl-0.9/ssl/d1_pkt.c b/crypto/openssl-0.9/ssl/d1_pkt.c index b1248770b5..377696deac 100644 --- a/crypto/openssl-0.9/ssl/d1_pkt.c +++ b/crypto/openssl-0.9/ssl/d1_pkt.c @@ -1006,8 +1006,8 @@ start: /* do this whenever CCS is processed */ dtls1_reset_seq_numbers(s, SSL3_CC_READ); - /* handshake read seq is reset upon handshake completion */ - s->d1->handshake_read_seq++; + if (s->client_version == DTLS1_BAD_VER) + s->d1->handshake_read_seq++; goto start; } diff --git a/crypto/openssl-0.9/ssl/ssl.h b/crypto/openssl-0.9/ssl/ssl.h index 52caf88b16..ed811195a5 100644 --- a/crypto/openssl-0.9/ssl/ssl.h +++ b/crypto/openssl-0.9/ssl/ssl.h @@ -990,7 +990,6 @@ struct ssl_st int first_packet; int client_version; /* what was passed, used for * SSLv3/TLS rollback check */ - unsigned int max_send_fragment; #ifndef OPENSSL_NO_TLSEXT /* TLS extension debug callback */ void (*tlsext_debug_cb)(SSL *s, int client_server, int type, diff --git a/crypto/openssl-0.9/ssl/ssl_sess.c b/crypto/openssl-0.9/ssl/ssl_sess.c index d30a24f2fe..ee88be2b88 100644 --- a/crypto/openssl-0.9/ssl/ssl_sess.c +++ b/crypto/openssl-0.9/ssl/ssl_sess.c 
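Review bot: In the dtls1_buffer_message hunks the queue key changes from the bare sequence number to `epoch<<16 | frag->msg_header.seq` (@@ -1002, with `epoch` declared at @@ -974 and bumped for CCS at @@ -987), but no hunk in this diff touches the code that looks buffered messages up again. Any lookup on this queue that still builds its key from the sequence number alone would stop finding the item; the lookup sites are outside the visible hunks, so this needs checking rather than being a confirmed defect. The expression also relies on `seq` fitting in 16 bits (its type is not visible here) and on `<<` binding tighter than `|`, so I would write `pq_64bit_assign_word(&seq64, (epoch << 16) | (frag->msg_header.seq & 0xffff));`. A small static helper that builds the key, shared by the buffering and lookup paths, would keep the two from diverging, and a one-line comment should explain why the CCS entry is keyed under `epoch + 1`.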
@@ -320,10 +320,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
 fatal = 1;
 goto err;
 }
- else if (r == 0)
+ else if (r == 0 || (!ret && !len))
 goto err;
 else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
 #else
+ if (len == 0)
+ goto err;
 if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
 #endif
 {
diff --git a/crypto/openssl-0.9/ssl/t1_lib.c b/crypto/openssl-0.9/ssl/t1_lib.c
index fabc634d68..7690ed6570 100644
--- a/crypto/openssl-0.9/ssl/t1_lib.c
+++ b/crypto/openssl-0.9/ssl/t1_lib.c
@@ -617,6 +617,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
 memcpy(sess->session_id, sess_id, sesslen);
 sess->session_id_length = sesslen;
 *psess = sess;
+ s->tlsext_ticket_expected = 0;
 return 1;
 }
 /* If session decrypt failure indicate a cache miss and set state to
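Review bot: The new empty-session-ID guard in the ssl_get_prev_session hunk (@@ -320) is written two different ways, as `(!ret && !len)` folded into the `r == 0` test in the TLSEXT branch and as a separate `if (len == 0) goto err;` in the `#else` branch, and neither site says what it protects. Judging by the CHANGES entry in this commit, the intent appears to be not calling get_session_cb() when the client proposed no session. A comment such as `/* no session ID proposed: skip cache and callback lookup */` at both sites would make that explicit. `len` is a signed `int` and only zero is rejected here; the function starts outside the hunk, so confirm that negative or oversized lengths are rejected before this point.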
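Review bot: The added `s->tlsext_ticket_expected = 0;` on the success path of tls_decrypt_ticket (@@ -617) carries no comment. It changes connection state in a function whose visible lines otherwise only hand back a result through `*psess`. As far as the hunk shows, the flag is cleared only when decryption succeeds, so it seems meant to stop an earlier value on the same SSL from surviving; that reading is inferred, since the other return paths are outside the hunk. I would add `/* ticket accepted: clear any stale request to issue a new ticket */` above the line and check that every other exit from the function sets the flag explicitly.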