Merge from vendor branch OPENSSL:
authorPeter Avalos <pavalos@dragonflybsd.org>
Thu, 25 Oct 2007 04:11:26 +0000 (04:11 +0000)
committerPeter Avalos <pavalos@dragonflybsd.org>
Thu, 25 Oct 2007 04:11:26 +0000 (04:11 +0000)
Import OpenSSL-0.9.8g.

crypto/openssl-0.9/CHANGES
crypto/openssl-0.9/FAQ
crypto/openssl-0.9/NEWS
crypto/openssl-0.9/README
crypto/openssl-0.9/apps/CA.pl
crypto/openssl-0.9/crypto/opensslv.h
crypto/openssl-0.9/ssl/d1_both.c
crypto/openssl-0.9/ssl/d1_pkt.c
crypto/openssl-0.9/ssl/ssl.h
crypto/openssl-0.9/ssl/ssl_sess.c
crypto/openssl-0.9/ssl/t1_lib.c

index 05bd75d..512b115 100644 (file)
@@ -2,6 +2,15 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.8f and 0.9.8g  [19 Oct 2007]
+
+  *) Fix various bugs:
+     + Binary incompatibility of ssl_ctx_st structure
+     + DTLS interoperation with non-compliant servers
+     + Don't call get_session_cb() without proposed session
+     + Fix ia64 assembler code
+     [Andy Polyakov, Steve Henson]
+
  Changes between 0.9.8e and 0.9.8f  [11 Oct 2007]
 
   *) DTLS Handshake overhaul. There were longstanding issues with
index 7cd71ca..96d39f5 100644 (file)
@@ -75,7 +75,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8f was released on October 11th, 2007.
+OpenSSL 0.9.8g was released on October 19th, 2007.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
index ef90239..40ded1a 100644 (file)
@@ -5,6 +5,10 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g:
+
+      o Fixes for bugs introduced with 0.9.8f.
+
   Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f:
 
       o Add gcc 4.2 support.
index 6759d76..2b49835 100644 (file)
@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.8f
+ OpenSSL 0.9.8g
 
  Copyright (c) 1998-2007 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
index 05f11dd..a3965ec 100644 (file)
@@ -1,4 +1,4 @@
-#!/usr/bin/perl5
+#!/usr/bin/perl
 #
 # CA - wrapper around ca to make it easier to use ... basically ca requires
 #      some setup stuff to be done before you can use it and this makes
index b237c2f..f76910a 100644 (file)
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER 0x00908070L
+#define OPENSSL_VERSION_NUMBER 0x0090807fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8f-fips 11 Oct 2007"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8g-fips 19 Oct 2007"
 #else
-#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8f 11 Oct 2007"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8g 19 Oct 2007"
 #endif
 #define OPENSSL_VERSION_PTEXT  " part of " OPENSSL_VERSION_TEXT
 
index 22bd28a..15a201a 100644 (file)
@@ -297,9 +297,9 @@ int dtls1_do_write(SSL *s, int type)
                                {
                                /* should not be done for 'Hello Request's, but in that case
                                 * we'll ignore the result anyway */
-                               unsigned char *p = &s->init_buf->data[s->init_off];
+                               unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off];
                                const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr;
-                               int len;
+                               int xlen;
 
                                if (frag_off == 0 && s->client_version != DTLS1_BAD_VER)
                                        {
@@ -311,15 +311,15 @@ int dtls1_do_write(SSL *s, int type)
                                        l2n3(0,p);
                                        l2n3(msg_hdr->msg_len,p);
                                        p  -= DTLS1_HM_HEADER_LENGTH;
-                                       len = ret;
+                                       xlen = ret;
                                        }
                                else
                                        {
                                        p  += DTLS1_HM_HEADER_LENGTH;
-                                       len = ret - DTLS1_HM_HEADER_LENGTH;
+                                       xlen = ret - DTLS1_HM_HEADER_LENGTH;
                                        }
 
-                               ssl3_finish_mac(s, p, len);
+                               ssl3_finish_mac(s, p, xlen);
                                }
 
                        if (ret == s->init_num)
@@ -398,7 +398,7 @@ long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok)
                 * the potential damage caused by malformed overlaps. */
                if ((unsigned int)s->init_num >= msg_hdr->msg_len)
                        {
-                       unsigned char *p = s->init_buf->data;
+                       unsigned char *p = (unsigned char *)s->init_buf->data;
                        unsigned long msg_len = msg_hdr->msg_len;
 
                        /* reconstruct message header as if it was
@@ -525,7 +525,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok)
 
                if (al==0) /* no alert */
                        {
-                       unsigned char *p = s->init_buf->data+DTLS1_HM_HEADER_LENGTH;
+                       unsigned char *p = (unsigned char *)s->init_buf->data+DTLS1_HM_HEADER_LENGTH;
                        memcpy(&p[frag->msg_header.frag_off],
                                frag->fragment,frag->msg_header.frag_len);
                        }
@@ -683,7 +683,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
 
        if ( frag_len > 0)
                {
-               unsigned char *p=s->init_buf->data+DTLS1_HM_HEADER_LENGTH;
+               unsigned char *p=(unsigned char *)s->init_buf->data+DTLS1_HM_HEADER_LENGTH;
 
                i=s->method->ssl_read_bytes(s,SSL3_RT_HANDSHAKE,
                        &p[frag_off],frag_len,0);
@@ -777,11 +777,11 @@ int dtls1_send_change_cipher_spec(SSL *s, int a, int b)
                p=(unsigned char *)s->init_buf->data;
                *p++=SSL3_MT_CCS;
                s->d1->handshake_write_seq = s->d1->next_handshake_write_seq;
-               s->d1->next_handshake_write_seq++;
                s->init_num=DTLS1_CCS_HEADER_LENGTH;
 
                if (s->client_version == DTLS1_BAD_VER)
                        {
+                       s->d1->next_handshake_write_seq++;
                        s2n(s->d1->handshake_write_seq,p);
                        s->init_num+=2;
                        }
@@ -974,6 +974,7 @@ dtls1_buffer_message(SSL *s, int is_ccs)
        pitem *item;
        hm_fragment *frag;
        PQ_64BIT seq64;
+       unsigned int epoch = s->d1->w_epoch;
 
        /* this function is called immediately after a message has 
         * been serialized */
@@ -987,6 +988,7 @@ dtls1_buffer_message(SSL *s, int is_ccs)
                {
                OPENSSL_assert(s->d1->w_msg_hdr.msg_len + 
                        DTLS1_CCS_HEADER_LENGTH <= (unsigned int)s->init_num);
+               epoch++;
                }
        else
                {
@@ -1002,7 +1004,7 @@ dtls1_buffer_message(SSL *s, int is_ccs)
        frag->msg_header.is_ccs = is_ccs;
 
        pq_64bit_init(&seq64);
-       pq_64bit_assign_word(&seq64, frag->msg_header.seq);
+       pq_64bit_assign_word(&seq64, epoch<<16 | frag->msg_header.seq);
 
        item = pitem_new(seq64, frag);
        pq_64bit_free(&seq64);
index b124877..377696d 100644 (file)
@@ -1006,8 +1006,8 @@ start:
                /* do this whenever CCS is processed */
                dtls1_reset_seq_numbers(s, SSL3_CC_READ);
 
-               /* handshake read seq is reset upon handshake completion */
-               s->d1->handshake_read_seq++;
+               if (s->client_version == DTLS1_BAD_VER)
+                       s->d1->handshake_read_seq++;
 
                goto start;
                }
index 52caf88..ed81119 100644 (file)
@@ -990,7 +990,6 @@ struct ssl_st
        int first_packet;
        int client_version;     /* what was passed, used for
                                 * SSLv3/TLS rollback check */
-       unsigned int max_send_fragment;
 #ifndef OPENSSL_NO_TLSEXT
        /* TLS extension debug callback */
        void (*tlsext_debug_cb)(SSL *s, int client_server, int type,
index d30a24f..ee88be2 100644 (file)
@@ -320,10 +320,12 @@ int ssl_get_prev_session(SSL *s, unsigned char *session_id, int len,
                fatal = 1;
                goto err;
                }
-       else if (r == 0)
+       else if (r == 0 || (!ret && !len))
                goto err;
        else if (!ret && !(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
 #else
+       if (len == 0)
+               goto err;
        if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP))
 #endif
                {
index fabc634..7690ed6 100644 (file)
@@ -617,6 +617,7 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen,
                        memcpy(sess->session_id, sess_id, sesslen);
                sess->session_id_length = sesslen;
                *psess = sess;
+               s->tlsext_ticket_expected = 0;
                return 1;
                }
        /* If session decrypt failure indicate a cache miss and set state to