Module Name:    src
Committed By:   christos
Date:           Sat Jan 11 18:34:37 UTC 2014

Modified Files:
        src/crypto/external/bsd/openssl/dist: Configure
        src/crypto/external/bsd/openssl/dist/crypto: opensslv.h
        src/crypto/external/bsd/openssl/dist/crypto/buffer: buffer.c
        src/crypto/external/bsd/openssl/dist/crypto/evp: e_aes.c
        src/crypto/external/bsd/openssl/dist/crypto/rand: md_rand.c
        src/crypto/external/bsd/openssl/dist/crypto/x509: x509_vfy.c
        src/crypto/external/bsd/openssl/dist/doc/ssl:
            SSL_CTX_set_client_CA_list.pod SSL_accept.pod SSL_do_handshake.pod
            SSL_shutdown.pod
        src/crypto/external/bsd/openssl/dist/ssl: d1_pkt.c d1_srvr.c s23_clnt.c
            s3_clnt.c s3_lib.c s3_pkt.c s3_srvr.c ssl.h ssl3.h ssl_locl.h
            ssltest.c t1_enc.c t1_lib.c
        src/crypto/external/bsd/openssl/lib/libcrypto: shlib_version
        src/crypto/external/bsd/openssl/lib/libdes: shlib_version
        src/crypto/external/bsd/openssl/lib/libssl: shlib_version
Removed Files:
        src/crypto/external/bsd/openssl/dist/test: test_aesni

Log Message:
merge conflicts


To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/crypto/external/bsd/openssl/dist/Configure
cvs rdiff -u -r1.6 -r1.7 \
    src/crypto/external/bsd/openssl/dist/crypto/opensslv.h
cvs rdiff -u -r1.3 -r1.4 \
    src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c
cvs rdiff -u -r1.2 -r1.3 \
    src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c
cvs rdiff -u -r1.5 -r1.6 \
    src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c
cvs rdiff -u -r1.4 -r1.5 \
    src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c
cvs rdiff -u -r1.2 -r1.3 \
    src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_client_CA_list.pod 
\
    src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_accept.pod \
    src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_do_handshake.pod \
    src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_shutdown.pod
cvs rdiff -u -r1.6 -r1.7 src/crypto/external/bsd/openssl/dist/ssl/d1_pkt.c \
    src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h \
    src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c
cvs rdiff -u -r1.3 -r1.4 src/crypto/external/bsd/openssl/dist/ssl/d1_srvr.c
cvs rdiff -u -r1.4 -r1.5 src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c \
    src/crypto/external/bsd/openssl/dist/ssl/ssl.h \
    src/crypto/external/bsd/openssl/dist/ssl/ssl3.h
cvs rdiff -u -r1.7 -r1.8 src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c
cvs rdiff -u -r1.9 -r1.10 src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c \
    src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c
cvs rdiff -u -r1.12 -r1.13 src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c
cvs rdiff -u -r1.13 -r1.14 src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c
cvs rdiff -u -r1.5 -r1.6 src/crypto/external/bsd/openssl/dist/ssl/ssltest.c
cvs rdiff -u -r1.3 -r0 src/crypto/external/bsd/openssl/dist/test/test_aesni
cvs rdiff -u -r1.7 -r1.8 \
    src/crypto/external/bsd/openssl/lib/libcrypto/shlib_version
cvs rdiff -u -r1.1 -r1.2 \
    src/crypto/external/bsd/openssl/lib/libdes/shlib_version
cvs rdiff -u -r1.7 -r1.8 \
    src/crypto/external/bsd/openssl/lib/libssl/shlib_version

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/crypto/external/bsd/openssl/dist/Configure
diff -u src/crypto/external/bsd/openssl/dist/Configure:1.5 src/crypto/external/bsd/openssl/dist/Configure:1.6
--- src/crypto/external/bsd/openssl/dist/Configure:1.5	Tue Feb 12 14:52:11 2013
+++ src/crypto/external/bsd/openssl/dist/Configure	Sat Jan 11 13:34:36 2014
@@ -178,7 +178,7 @@ my %table=(
 "debug-ben-no-opt",	"gcc: -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -DTERMIOS -Wall -g3::(unknown)::::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-bodo",	"gcc:$gcc_devteam_warn -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"debug-bodo",	"gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
 "debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

Index: src/crypto/external/bsd/openssl/dist/crypto/opensslv.h
diff -u src/crypto/external/bsd/openssl/dist/crypto/opensslv.h:1.6 src/crypto/external/bsd/openssl/dist/crypto/opensslv.h:1.7
--- src/crypto/external/bsd/openssl/dist/crypto/opensslv.h:1.6	Tue Feb 12 14:52:11 2013
+++ src/crypto/external/bsd/openssl/dist/crypto/opensslv.h	Sat Jan 11 13:34:36 2014
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x1000105fL
+#define OPENSSL_VERSION_NUMBER	0x1000106fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1e-fips 11 Feb 2013"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1f-fips 6 Jan 2014"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1e 11 Feb 2013"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1f 6 Jan 2014"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 

Index: src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c:1.3 src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c:1.4
--- src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c:1.3	Wed Apr 25 07:02:46 2012
+++ src/crypto/external/bsd/openssl/dist/crypto/buffer/buffer.c	Sat Jan 11 13:34:36 2014
@@ -179,14 +179,14 @@ int BUF_MEM_grow_clean(BUF_MEM *str, siz
 	return(len);
 	}
 
-void BUF_reverse(unsigned char *out, unsigned char *in, size_t size)
+void BUF_reverse(unsigned char *out, const unsigned char *in, size_t size)
 	{
 	size_t i;
 	if (in)
 		{
 		out += size - 1;
 		for (i = 0; i < size; i++)
-			*in++ = *out--;
+			*out-- = *in++;
 		}
 	else
 		{
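Review bot: `out += size - 1` in the copying branch of BUF_reverse is evaluated even when `size` is 0, which forms a pointer one byte before `out`; the loop then does nothing, but the pointer arithmetic itself is undefined. An early `if (size == 0) return;` at the top of the function would avoid that, presumably without affecting the in-place branch. With `in` now `const`, a short comment above the function is also worth adding: `/* in and out must not overlap; pass in == NULL to reverse out in place */`. The else branch continues outside the hunk, so the in-place behaviour should be confirmed there.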

Index: src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c:1.2 src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c:1.3
--- src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c:1.2	Mon Feb 18 16:20:50 2013
+++ src/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c	Sat Jan 11 13:34:36 2014
@@ -849,7 +849,10 @@ static int aes_gcm_init_key(EVP_CIPHER_C
 			gctx->ctr = NULL;
 			break;
 			}
+		else
 #endif
+		(void)0;	/* terminate potentially open 'else' */
+
 		AES_set_encrypt_key(key, ctx->key_len * 8, &gctx->ks);
 		CRYPTO_gcm128_init(&gctx->gcm, &gctx->ks, (block128_f)AES_encrypt);
 #ifdef AES_CTR_ASM
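Review bot: The `else` placed just before `#endif` in aes_gcm_init_key binds to whatever statement follows the preprocessor block, so the code is only correct while `(void)0;` stays the very next statement. A statement inserted between `#endif` and `(void)0;` would silently become conditional on the accelerated path not being taken. The same construct is added in aes_xts_init_key in the next hunk, where the re-indented `vpaes_set_encrypt_key` lines also mix a tab with four spaces. A slightly longer comment would protect it, for example `/* must directly follow #endif: absorbs the 'else' left open by the last accelerated branch */`.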
@@ -1090,14 +1093,17 @@ static int aes_xts_init_key(EVP_CIPHER_C
 			xctx->xts.block1 = (block128_f)vpaes_decrypt;
 			}
 
-		vpaes_set_encrypt_key(key + ctx->key_len/2,
+		    vpaes_set_encrypt_key(key + ctx->key_len/2,
 						ctx->key_len * 4, &xctx->ks2);
-		xctx->xts.block2 = (block128_f)vpaes_encrypt;
+		    xctx->xts.block2 = (block128_f)vpaes_encrypt;
 
-		xctx->xts.key1 = &xctx->ks1;
-		break;
-		}
+		    xctx->xts.key1 = &xctx->ks1;
+		    break;
+		    }
+		else
 #endif
+		(void)0;	/* terminate potentially open 'else' */
+
 		if (enc)
 			{
 			AES_set_encrypt_key(key, ctx->key_len * 4, &xctx->ks1);

Index: src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c:1.5 src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c:1.6
--- src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c:1.5	Sun Jul 28 10:13:29 2013
+++ src/crypto/external/bsd/openssl/dist/crypto/rand/md_rand.c	Sat Jan 11 13:34:36 2014
@@ -378,8 +378,11 @@ static int ssleay_rand_bytes(unsigned ch
 	 * are fed into the hash function and the results are kept in the
 	 * global 'md'.
 	 */
-
-	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+	/* NB: in FIPS mode we are already under a lock */
+	if (!FIPS_mode())
+#endif
+		CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 
 	/* prevent ssleay_rand_bytes() from trying to obtain the lock again */
 	CRYPTO_w_lock(CRYPTO_LOCK_RAND2);
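Review bot: `FIPS_mode()` is evaluated separately at each of the four lock/unlock sites added to ssleay_rand_bytes (this hunk and the two that follow), so the lock and unlock decisions are not tied to each other. If the mode can change while the function runs, `CRYPTO_LOCK_RAND` could be taken and never released, or released without having been taken. Reading the mode once near the top into a local, e.g. `int do_lock = 1;` followed by `do_lock = !FIPS_mode();` under `#ifdef OPENSSL_FIPS`, and testing `if (do_lock)` at every site would keep the pairs balanced and remove the repeated `#ifdef` blocks. The comment `NB: in FIPS mode we are already under a lock` would also be more useful if it named the lock and the caller that holds it. The function body starts and ends outside the hunk.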
@@ -461,7 +464,10 @@ static int ssleay_rand_bytes(unsigned ch
 
 	/* before unlocking, we must clear 'crypto_lock_rand' */
 	crypto_lock_rand = 0;
-	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+	if (!FIPS_mode())
+#endif
+		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
 	while (num > 0)
 		{
@@ -513,10 +519,16 @@ static int ssleay_rand_bytes(unsigned ch
 	MD_Init(&m);
 	MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
 	MD_Update(&m,local_md,MD_DIGEST_LENGTH);
-	CRYPTO_w_lock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+	if (!FIPS_mode())
+#endif
+		CRYPTO_w_lock(CRYPTO_LOCK_RAND);
 	MD_Update(&m,md,MD_DIGEST_LENGTH);
 	MD_Final(&m,md);
-	CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
+#ifdef OPENSSL_FIPS
+	if (!FIPS_mode())
+#endif
+		CRYPTO_w_unlock(CRYPTO_LOCK_RAND);
 
 	EVP_MD_CTX_cleanup(&m);
 	if (ok)

Index: src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.4 src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.5
--- src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c:1.4	Tue Feb  5 16:31:26 2013
+++ src/crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c	Sat Jan 11 13:34:36 2014
@@ -694,6 +694,7 @@ static int check_cert(X509_STORE_CTX *ct
 	X509_CRL *crl = NULL, *dcrl = NULL;
 	X509 *x;
 	int ok, cnum;
+	unsigned int last_reasons;
 	cnum = ctx->error_depth;
 	x = sk_X509_value(ctx->chain, cnum);
 	ctx->current_cert = x;
@@ -702,6 +703,7 @@ static int check_cert(X509_STORE_CTX *ct
 	ctx->current_reasons = 0;
 	while (ctx->current_reasons != CRLDP_ALL_REASONS)
 		{
+		last_reasons = ctx->current_reasons;
 		/* Try to retrieve relevant CRL */
 		if (ctx->get_crl)
 			ok = ctx->get_crl(ctx, &crl, x);
@@ -745,6 +747,15 @@ static int check_cert(X509_STORE_CTX *ct
 		X509_CRL_free(dcrl);
 		crl = NULL;
 		dcrl = NULL;
+		/* If reasons not updated we wont get anywhere by
+		 * another iteration, so exit loop.
+		 */
+		if (last_reasons == ctx->current_reasons)
+			{
+			ctx->error = X509_V_ERR_UNABLE_TO_GET_CRL;
+			ok = ctx->verify_cb(0, ctx);
+			goto err;
+			}
 		}
 	err:
 	X509_CRL_free(crl);
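Review bot: The new loop exit in check_cert reports a stalled reason mask as `X509_V_ERR_UNABLE_TO_GET_CRL` and then takes the verify callback's answer as `ok`. A callback written to tolerate a missing CRL will therefore also accept a certificate whose CRLs never covered all reason codes. That may be the intended policy, but the comment only says why the loop stops, not what the caller then sees. I would extend it to something like `/* No new reason codes were covered in this pass, so CRLDP_ALL_REASONS cannot be reached; report it as a missing CRL and let the callback decide. */`. The code after `err:` that presumably returns `ok` is outside the hunk.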

Index: src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_client_CA_list.pod
diff -u src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_client_CA_list.pod:1.2 src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_client_CA_list.pod:1.3
--- src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_client_CA_list.pod:1.2	Sun Jan 24 16:19:53 2010
+++ src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_CTX_set_client_CA_list.pod	Sat Jan 11 13:34:36 2014
@@ -66,16 +66,16 @@ values:
 
 =over 4
 
-=item Z<>1
-
-The operation succeeded.
-
 =item 0
 
 A failure while manipulating the STACK_OF(X509_NAME) object occurred or
 the X509_NAME could not be extracted from B<cacert>. Check the error stack
 to find out the reason.
 
+=item 1
+
+The operation succeeded.
+
 =back
 
 =head1 EXAMPLES
Index: src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_accept.pod
diff -u src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_accept.pod:1.2 src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_accept.pod:1.3
--- src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_accept.pod:1.2	Sun Jan 24 16:19:53 2010
+++ src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_accept.pod	Sat Jan 11 13:34:36 2014
@@ -44,17 +44,17 @@ The following return values can occur:
 
 =over 4
 
-=item Z<>1
-
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-established.
-
 =item 0
 
 The TLS/SSL handshake was not successful but was shut down controlled and
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
 return value B<ret> to find out the reason.
 
+=item 1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
 =item E<lt>0
 
 The TLS/SSL handshake was not successful because a fatal error occurred either
Index: src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_do_handshake.pod
diff -u src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_do_handshake.pod:1.2 src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_do_handshake.pod:1.3
--- src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_do_handshake.pod:1.2	Sun Jan 24 16:19:53 2010
+++ src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_do_handshake.pod	Sat Jan 11 13:34:36 2014
@@ -45,17 +45,17 @@ The following return values can occur:
 
 =over 4
 
-=item Z<>1
-
-The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
-established.
-
 =item 0
 
 The TLS/SSL handshake was not successful but was shut down controlled and
 by the specifications of the TLS/SSL protocol. Call SSL_get_error() with the
 return value B<ret> to find out the reason.
 
+=item 1
+
+The TLS/SSL handshake was successfully completed, a TLS/SSL connection has been
+established.
+
 =item E<lt>0
 
 The TLS/SSL handshake was not successful because a fatal error occurred either
Index: src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_shutdown.pod
diff -u src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_shutdown.pod:1.2 src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_shutdown.pod:1.3
--- src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_shutdown.pod:1.2	Sun Jan 24 16:19:53 2010
+++ src/crypto/external/bsd/openssl/dist/doc/ssl/SSL_shutdown.pod	Sat Jan 11 13:34:36 2014
@@ -92,11 +92,6 @@ The following return values can occur:
 
 =over 4
 
-=item Z<>1
-
-The shutdown was successfully completed. The "close notify" alert was sent
-and the peer's "close notify" alert was received.
-
 =item 0
 
 The shutdown is not yet finished. Call SSL_shutdown() for a second time,
@@ -104,6 +99,11 @@ if a bidirectional shutdown shall be per
 The output of L<SSL_get_error(3)|SSL_get_error(3)> may be misleading, as an
 erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
 
+=item 1
+
+The shutdown was successfully completed. The "close notify" alert was sent
+and the peer's "close notify" alert was received.
+
 =item -1
 
 The shutdown was not successful because a fatal error occurred either

Index: src/crypto/external/bsd/openssl/dist/ssl/d1_pkt.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/d1_pkt.c:1.6 src/crypto/external/bsd/openssl/dist/ssl/d1_pkt.c:1.7
--- src/crypto/external/bsd/openssl/dist/ssl/d1_pkt.c:1.6	Tue Feb 12 14:52:11 2013
+++ src/crypto/external/bsd/openssl/dist/ssl/d1_pkt.c	Sat Jan 11 13:34:37 2014
@@ -847,6 +847,12 @@ start:
 			}
 		}
 
+	if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)
+		{
+		rr->length = 0;
+		goto start;
+		}
+
 	/* we now have a packet which can be read and processed */
 
 	if (s->s3->change_cipher_spec /* set when we receive ChangeCipherSpec,
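Review bot: The new discard path `if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE)` has no comment, although it silently drops records received from the network. A line such as `/* While listening, only handshake records are processed; discard anything else and read the next record. */` above the test would record the intent. The `s->d1->handshake_read_seq++;` added before `ssl3_renegotiate(s)` in the next hunk also lacks an explanation of why the sequence number must advance at that point. Both edits sit inside a function whose start and the `start:` label's surrounding logic are outside the hunks.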
@@ -1051,6 +1057,7 @@ start:
 			!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
 			!s->s3->renegotiate)
 			{
+			s->d1->handshake_read_seq++;
 			s->new_session = 1;
 			ssl3_renegotiate(s);
 			if (ssl3_renegotiate_check(s))
Index: src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h
diff -u src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h:1.6 src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h:1.7
--- src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h:1.6	Tue Feb  5 16:31:27 2013
+++ src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h	Sat Jan 11 13:34:37 2014
@@ -621,6 +621,8 @@ extern SSL3_ENC_METHOD TLSv1_enc_data;
 extern SSL3_ENC_METHOD SSLv3_enc_data;
 extern SSL3_ENC_METHOD DTLSv1_enc_data;
 
+#define SSL_IS_DTLS(s) (s->method->version == DTLS1_VERSION)
+
 #define IMPLEMENT_tls_meth_func(version, func_name, s_accept, s_connect, \
 				s_get_meth) \
 const SSL_METHOD *func_name(void)  \
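Review bot: The macro argument in `SSL_IS_DTLS(s)` is used unparenthesised, so an argument that is not a plain identifier (for example a cast or a conditional expression) would expand incorrectly. It should read `#define SSL_IS_DTLS(s) ((s)->method->version == DTLS1_VERSION)`. The test is also an exact match on `DTLS1_VERSION`; if any method built into this tree reports a different DTLS version value such as `DTLS1_BAD_VER`, the macro would classify that connection as non-DTLS, which is worth confirming or stating in a comment.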
@@ -847,6 +849,7 @@ void ssl_set_cert_masks(CERT *c, const S
 STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 int ssl_verify_alarm_type(long type);
 void ssl_load_ciphers(void);
+int ssl_fill_hello_random(SSL *s, int server, unsigned char *field, int len);
 
 int ssl2_enc_init(SSL *s, int client);
 int ssl2_generate_key_material(SSL *s);
Index: src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c:1.6 src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c:1.7
--- src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c:1.6	Tue Feb  5 16:31:27 2013
+++ src/crypto/external/bsd/openssl/dist/ssl/t1_enc.c	Sat Jan 11 13:34:37 2014
@@ -414,15 +414,20 @@ int tls1_change_cipher_state(SSL *s, int
 			s->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM;
 			else
 			s->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM;
-		if (s->enc_write_ctx != NULL)
+		if (s->enc_write_ctx != NULL && !SSL_IS_DTLS(s))
 			reuse_dd = 1;
-		else if ((s->enc_write_ctx=OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL)
+		else if ((s->enc_write_ctx=EVP_CIPHER_CTX_new()) == NULL)
 			goto err;
-		else
-			/* make sure it's intialized in case we exit later with an error */
-			EVP_CIPHER_CTX_init(s->enc_write_ctx);
 		dd= s->enc_write_ctx;
-		mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
+		if (SSL_IS_DTLS(s))
+			{
+			mac_ctx = EVP_MD_CTX_create();
+			if (!mac_ctx)
+				goto err;
+			s->write_hash = mac_ctx;
+			}
+		else
+			mac_ctx = ssl_replace_hash(&s->write_hash,NULL);
 #ifndef OPENSSL_NO_COMP
 		if (s->compress != NULL)
 			{
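Review bot: In the DTLS case of tls1_change_cipher_state the write path now always allocates, and both `s->enc_write_ctx=EVP_CIPHER_CTX_new()` and `s->write_hash = mac_ctx` overwrite the previous pointers without freeing them in this hunk. If the old contexts are kept alive and released elsewhere (for instance for retransmission of the previous flight), a comment naming that owner is needed here. If they are not, every cipher change on a DTLS connection leaks one cipher context and one digest context. When `EVP_MD_CTX_create()` fails the code also jumps to `err` with the fresh `enc_write_ctx` already stored, which is only safe if a later teardown frees it. The function starts and ends outside the hunk, so the ownership needs checking there.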
@@ -917,18 +922,19 @@ int tls1_final_finish_mac(SSL *s,
 		if (mask & ssl_get_algorithm2(s))
 			{
 			int hashsize = EVP_MD_size(md);
-			if (hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)) || s->s3->handshake_dgst == NULL)
+			EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];
+			if (!hdgst || hashsize < 0 || hashsize > (int)(sizeof buf - (size_t)(q-buf)))
 				{
 				/* internal error: 'buf' is too small for this cipersuite! */
 				err = 1;
 				}
 			else
 				{
-				EVP_MD_CTX_copy_ex(&ctx,s->s3->handshake_dgst[idx]);
-				EVP_DigestFinal_ex(&ctx,q,&i);
-				if (i != (unsigned int)hashsize) /* can't really happen */
+				if (!EVP_MD_CTX_copy_ex(&ctx, hdgst) ||
+					!EVP_DigestFinal_ex(&ctx,q,&i) ||
+					(i != (unsigned int)hashsize))
 					err = 1;
-				q+=i;
+				q+=hashsize;
 				}
 			}
 		}
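Review bot: `EVP_MD_CTX *hdgst = s->s3->handshake_dgst[idx];` indexes the digest array before anything checks that `s->s3->handshake_dgst` itself is non-NULL, which the removed condition did test. If the array can still be unallocated when tls1_final_finish_mac reaches this loop, this is a NULL dereference rather than the `err = 1` path. Keeping both checks is cheap: `EVP_MD_CTX *hdgst = s->s3->handshake_dgst ? s->s3->handshake_dgst[idx] : NULL;`. The retained comment about `buf` being too small now also covers the missing-digest case and could say so. The surrounding loop and function start outside the hunk.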

Index: src/crypto/external/bsd/openssl/dist/ssl/d1_srvr.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/d1_srvr.c:1.3 src/crypto/external/bsd/openssl/dist/ssl/d1_srvr.c:1.4
--- src/crypto/external/bsd/openssl/dist/ssl/d1_srvr.c:1.3	Thu Jul 26 15:58:39 2012
+++ src/crypto/external/bsd/openssl/dist/ssl/d1_srvr.c	Sat Jan 11 13:34:37 2014
@@ -276,10 +276,11 @@ int dtls1_accept(SSL *s)
 		case SSL3_ST_SW_HELLO_REQ_B:
 
 			s->shutdown=0;
+			dtls1_clear_record_buffer(s);
 			dtls1_start_timer(s);
 			ret=dtls1_send_hello_request(s);
 			if (ret <= 0) goto end;
-			s->s3->tmp.next_state=SSL3_ST_SW_HELLO_REQ_C;
+			s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
 			s->state=SSL3_ST_SW_FLUSH;
 			s->init_num=0;
 
@@ -721,10 +722,13 @@ int dtls1_accept(SSL *s)
 			if (ret <= 0) goto end;
 
 #ifndef OPENSSL_NO_SCTP
-			/* Change to new shared key of SCTP-Auth,
-			 * will be ignored if no SCTP used.
-			 */
-			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+			if (!s->hit)
+				{
+				/* Change to new shared key of SCTP-Auth,
+				 * will be ignored if no SCTP used.
+				 */
+				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+				}
 #endif
 
 			s->state=SSL3_ST_SW_FINISHED_A;
@@ -749,7 +753,16 @@ int dtls1_accept(SSL *s)
 			if (ret <= 0) goto end;
 			s->state=SSL3_ST_SW_FLUSH;
 			if (s->hit)
+				{
 				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+
+#ifndef OPENSSL_NO_SCTP
+				/* Change to new shared key of SCTP-Auth,
+				 * will be ignored if no SCTP used.
+				 */
+				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_NEXT_AUTH_KEY, 0, NULL);
+#endif
+				}
 			else
 				{
 				s->s3->tmp.next_state=SSL_ST_OK;
@@ -912,15 +925,13 @@ int dtls1_send_server_hello(SSL *s)
 	unsigned char *p,*d;
 	int i;
 	unsigned int sl;
-	unsigned long l,Time;
+	unsigned long l;
 
 	if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
 		{
 		buf=(unsigned char *)s->init_buf->data;
 		p=s->s3->server_random;
-		Time=(unsigned long)time(NULL);			/* Time */
-		l2n(Time,p);
-		RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4);
+		ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE);
 		/* Do the message type and length last */
 		d=p= &(buf[DTLS1_HM_HEADER_LENGTH]);
 

Index: src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c:1.4 src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c:1.5
--- src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c:1.4	Thu Jul 26 15:58:39 2012
+++ src/crypto/external/bsd/openssl/dist/ssl/s23_clnt.c	Sat Jan 11 13:34:37 2014
@@ -269,12 +269,35 @@ static int ssl23_no_ssl2_ciphers(SSL *s)
 	return 1;
 	}
 
+/* Fill a ClientRandom or ServerRandom field of length len. Returns <= 0
+ * on failure, 1 on success. */
+int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len)
+	{
+	int send_time = 0;
+
+	if (len < 4)
+		return 0;
+	if (server)
+		send_time = (s->mode & SSL_MODE_SEND_SERVERHELLO_TIME) != 0;
+	else
+		send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0;
+	if (send_time)
+		{
+		unsigned long Time = time(NULL);
+		unsigned char *p = result;
+		l2n(Time, p);
+		return RAND_pseudo_bytes(p, len-4);
+		}
+	else
+		return RAND_pseudo_bytes(result, len);
+	}
+
 static int ssl23_client_hello(SSL *s)
 	{
 	unsigned char *buf;
 	unsigned char *p,*d;
 	int i,ch_len;
-	unsigned long Time,l;
+	unsigned long l;
 	int ssl2_compat;
 	int version = 0, version_major, version_minor;
 #ifndef OPENSSL_NO_COMP
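Review bot: ssl_fill_hello_random draws the hello nonce from `RAND_pseudo_bytes`, whose contract permits output that is not cryptographically strong; `RAND_bytes` states the requirement for a handshake random directly. Callers that test `<= 0` do reject the weak-output return, but that protection depends on every caller checking the result. The header comment could also say that when the relevant `SSL_MODE_SEND_*HELLO_TIME` bit is set the first four bytes are the current time and only `len-4` bytes are random. The prototype added to ssl_locl.h names the third parameter `field` while this definition calls it `result`; one name should be used in both places.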
@@ -355,9 +378,7 @@ static int ssl23_client_hello(SSL *s)
 #endif
 
 		p=s->s3->client_random;
-		Time=(unsigned long)time(NULL);		/* Time */
-		l2n(Time,p);
-		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+		if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
 			return -1;
 
 		if (version == TLS1_2_VERSION)
Index: src/crypto/external/bsd/openssl/dist/ssl/ssl.h
diff -u src/crypto/external/bsd/openssl/dist/ssl/ssl.h:1.4 src/crypto/external/bsd/openssl/dist/ssl/ssl.h:1.5
--- src/crypto/external/bsd/openssl/dist/ssl/ssl.h:1.4	Tue Feb  5 16:31:27 2013
+++ src/crypto/external/bsd/openssl/dist/ssl/ssl.h	Sat Jan 11 13:34:37 2014
@@ -555,11 +555,14 @@ struct ssl_session_st
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
-#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */
+#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG			0x00000040L
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
 #define SSL_OP_TLS_D5_BUG				0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L
 
+/* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */
+#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x0
+
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
  * the workaround is not needed.  Unfortunately some broken SSL/TLS
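Review bot: `SSL_OP_SAFARI_ECDHE_ECDSA_BUG` reuses bit `0x00000040L`, which was `SSL_OP_MSIE_SSLV2_RSA_PADDING` until this change. A binary built against the older header that sets the MSIE option will therefore switch on the Safari fingerprinting workaround when run against the new library. Whether `SSL_OP_ALL` also covers this bit is not visible in the hunk. The reuse deserves a comment next to the define, for example `/* Reuses the bit formerly assigned to SSL_OP_MSIE_SSLV2_RSA_PADDING; old binaries setting that option enable this workaround. */`, so the behaviour change is visible to packagers deciding on a library version bump.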
@@ -641,6 +644,12 @@ struct ssl_session_st
  * TLS only.)  "Released" buffers are put onto a free-list in the context
  * or just freed (depending on the context's setting for freelist_max_len). */
 #define SSL_MODE_RELEASE_BUFFERS 0x00000010L
+/* Send the current time in the Random fields of the ClientHello and
+ * ServerHello records for compatibility with hypothetical implementations
+ * that require it.
+ */
+#define SSL_MODE_SEND_CLIENTHELLO_TIME 0x00000020L
+#define SSL_MODE_SEND_SERVERHELLO_TIME 0x00000040L
 
 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value,
  * they cannot be used to clear bits. */
Index: src/crypto/external/bsd/openssl/dist/ssl/ssl3.h
diff -u src/crypto/external/bsd/openssl/dist/ssl/ssl3.h:1.4 src/crypto/external/bsd/openssl/dist/ssl/ssl3.h:1.5
--- src/crypto/external/bsd/openssl/dist/ssl/ssl3.h:1.4	Tue Feb  5 16:31:27 2013
+++ src/crypto/external/bsd/openssl/dist/ssl/ssl3.h	Sat Jan 11 13:34:37 2014
@@ -539,6 +539,15 @@ typedef struct ssl3_state_st
 	/* Set if we saw the Next Protocol Negotiation extension from our peer. */
 	int next_proto_neg_seen;
 #endif
+
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef OPENSSL_NO_EC
+	/* This is set to true if we believe that this is a version of Safari
+	 * running on OS X 10.6 or newer. We wish to know this because Safari
+	 * on 10.8 .. 10.8.3 has broken ECDHE-ECDSA support. */
+	char is_probably_safari;
+#endif /* !OPENSSL_NO_EC */
+#endif /* !OPENSSL_NO_TLSEXT */
 	} SSL3_STATE;
 
 #endif

Index: src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c:1.7 src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c:1.8
--- src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c:1.7	Tue Feb 12 14:52:11 2013
+++ src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c	Sat Jan 11 13:34:37 2014
@@ -655,7 +655,7 @@ int ssl3_client_hello(SSL *s)
 	unsigned char *buf;
 	unsigned char *p,*d;
 	int i;
-	unsigned long Time,l;
+	unsigned long l;
 #ifndef OPENSSL_NO_COMP
 	int j;
 	SSL_COMP *comp;
@@ -680,9 +680,8 @@ int ssl3_client_hello(SSL *s)
 		/* else use the pre-loaded session */
 
 		p=s->s3->client_random;
-		Time=(unsigned long)time(NULL);			/* Time */
-		l2n(Time,p);
-		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+
+		if (ssl_fill_hello_random(s, 0, p, SSL3_RANDOM_SIZE) <= 0)
 			goto err;
 
 		/* Do the message type and length last */

Index: src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.9 src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.10
--- src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.9	Tue Feb  5 16:31:26 2013
+++ src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c	Sat Jan 11 13:34:37 2014
@@ -1683,7 +1683,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	SSL_3DES,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	168,
 	168,
@@ -1699,7 +1699,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	SSL_AES128,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	128,
 	128,
@@ -1715,7 +1715,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
 	SSL_AES256,
 	SSL_SHA1,
 	SSL_TLSV1,
-	SSL_NOT_EXP|SSL_HIGH,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF,
 	256,
 	256,
@@ -3037,6 +3037,11 @@ void ssl3_clear(SSL *s)
 		s->s3->tmp.ecdh = NULL;
 		}
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+#ifndef OPENSSL_NO_EC
+	s->s3->is_probably_safari = 0;
+#endif /* !OPENSSL_NO_EC */
+#endif /* !OPENSSL_NO_TLSEXT */
 
 	rp = s->s3->rbuf.buf;
 	wp = s->s3->wbuf.buf;
@@ -4016,6 +4021,13 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, S
 		ii=sk_SSL_CIPHER_find(allow,c);
 		if (ii >= 0)
 			{
+#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_TLSEXT)
+			if ((alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari)
+				{
+				if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);
+				continue;
+				}
+#endif
 			ret=sk_SSL_CIPHER_value(allow,ii);
 			break;
 			}
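Review bot: The Safari branch added to ssl3_choose_cipher has no comment, and its effect on cipher selection is not obvious from `if (!ret) ret=sk_SSL_CIPHER_value(allow,ii); continue;`. For a client flagged `is_probably_safari`, the first ECDHE-ECDSA match is only remembered as a fallback and the search continues, so the configured preference order is overridden for those clients. A comment such as `/* Suspected Safari: keep the first ECDHE-ECDSA suite only as a fallback and prefer any later match. */` would make that explicit. The enclosing loop starts outside the hunk.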
@@ -4274,7 +4286,7 @@ need to go to SSL_ST_ACCEPT.
 long ssl_get_algorithm2(SSL *s)
 	{
 	long alg2 = s->s3->tmp.new_cipher->algorithm2;
-	if (TLS1_get_version(s) >= TLS1_2_VERSION &&
+	if (s->method->version == TLS1_2_VERSION &&
 	    alg2 == (SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF))
 		return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256;
 	return alg2;
Index: src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.9 src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.10
--- src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.9	Tue Feb 12 14:52:11 2013
+++ src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c	Sat Jan 11 13:34:37 2014
@@ -342,19 +342,11 @@ static unsigned char tls12_sigalgs[] = {
 #ifndef OPENSSL_NO_SHA
 	tlsext_sigalg(TLSEXT_hash_sha1)
 #endif
-#ifndef OPENSSL_NO_MD5
-	tlsext_sigalg_rsa(TLSEXT_hash_md5)
-#endif
 };
 
 int tls12_get_req_sig_algs(SSL *s, unsigned char *p)
 	{
 	size_t slen = sizeof(tls12_sigalgs);
-#ifdef OPENSSL_FIPS
-	/* If FIPS mode don't include MD5 which is last */
-	if (FIPS_mode())
-		slen -= 2;
-#endif
 	if (p)
 		memcpy(p, tls12_sigalgs, slen);
 	return (int)slen;
@@ -866,6 +858,89 @@ unsigned char *ssl_add_serverhello_tlsex
 	return ret;
 	}
 
+#ifndef OPENSSL_NO_EC
+/* ssl_check_for_safari attempts to fingerprint Safari using OS X
+ * SecureTransport using the TLS extension block in |d|, of length |n|.
+ * Safari, since 10.6, sends exactly these extensions, in this order:
+ *   SNI,
+ *   elliptic_curves
+ *   ec_point_formats
+ *
+ * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
+ * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
+ * Sadly we cannot differentiate 10.6, 10.7 and 10.8.4 (which work), from
+ * 10.8..10.8.3 (which don't work).
+ */
+static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
+	unsigned short type, size;
+	static const unsigned char kSafariExtensionsBlock[] = {
+		0x00, 0x0a,  /* elliptic_curves extension */
+		0x00, 0x08,  /* 8 bytes */
+		0x00, 0x06,  /* 6 bytes of curve ids */
+		0x00, 0x17,  /* P-256 */
+		0x00, 0x18,  /* P-384 */
+		0x00, 0x19,  /* P-521 */
+
+		0x00, 0x0b,  /* ec_point_formats */
+		0x00, 0x02,  /* 2 bytes */
+		0x01,        /* 1 point format */
+		0x00,        /* uncompressed */
+	};
+
+	/* The following is only present in TLS 1.2 */
+	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
+		0x00, 0x0d,  /* signature_algorithms */
+		0x00, 0x0c,  /* 12 bytes */
+		0x00, 0x0a,  /* 10 bytes */
+		0x05, 0x01,  /* SHA-384/RSA */
+		0x04, 0x01,  /* SHA-256/RSA */
+		0x02, 0x01,  /* SHA-1/RSA */
+		0x04, 0x03,  /* SHA-256/ECDSA */
+		0x02, 0x03,  /* SHA-1/ECDSA */
+	};
+
+	if (data >= (d+n-2))
+		return;
+	data += 2;
+
+	if (data > (d+n-4))
+		return;
+	n2s(data,type);
+	n2s(data,size);
+
+	if (type != TLSEXT_TYPE_server_name)
+		return;
+
+	if (data+size > d+n)
+		return;
+	data += size;
+
+	if (TLS1_get_client_version(s) >= TLS1_2_VERSION)
+		{
+		const size_t len1 = sizeof(kSafariExtensionsBlock);
+		const size_t len2 = sizeof(kSafariTLS12ExtensionsBlock);
+
+		if (data + len1 + len2 != d+n)
+			return;
+		if (memcmp(data, kSafariExtensionsBlock, len1) != 0)
+			return;
+		if (memcmp(data + len1, kSafariTLS12ExtensionsBlock, len2) != 0)
+			return;
+		}
+	else
+		{
+		const size_t len = sizeof(kSafariExtensionsBlock);
+
+		if (data + len != d+n)
+			return;
+		if (memcmp(data, kSafariExtensionsBlock, len) != 0)
+			return;
+		}
+
+	s->s3->is_probably_safari = 1;
+}
+#endif /* !OPENSSL_NO_EC */
+
 int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, int n, int *al)
 	{
 	unsigned short type;
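Review bot: The bounds tests in ssl_check_for_safari compare constructed pointers, and `if (data+size > d+n)` adds a peer-supplied 16-bit `size` to `data` before checking it, which can form a pointer well past the end of the extension block. Comparing lengths keeps the arithmetic inside the buffer: `if (size > d + n - data) return;`, and likewise `if ((size_t)(d + n - data) != len1 + len2) return;` for the exact-length tests. The opening checks `d+n-2` and `d+n-4` have the mirror problem when `n` is smaller than 2 or 4, so a guard on `n` at the top would help, unless the caller already guarantees it. The function also uses a same-line opening brace, unlike the rest of the file shown in this diff.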
@@ -886,6 +961,11 @@ int ssl_parse_clienthello_tlsext(SSL *s,
 	                       SSL_TLSEXT_HB_DONT_SEND_REQUESTS);
 #endif
 
+#ifndef OPENSSL_NO_EC
+	if (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
+		ssl_check_for_safari(s, data, d, n);
+#endif /* !OPENSSL_NO_EC */
+
 	if (data >= (d+n-2))
 		goto ri_check;
 	n2s(data,len);
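Review bot: The new call `ssl_check_for_safari(s, data, d, n)` carries no comment saying that its result is only a heuristic. The helper sets `s->s3->is_probably_safari` when the bytes after server_name match a fixed extension block, and those bytes come from the unauthenticated ClientHello, so any client can produce them. I would add above the call `/* Heuristic fingerprint of an unauthenticated ClientHello; is_probably_safari may narrow cipher choice but must never relax a check. */`. ssl_parse_clienthello_tlsext starts before this hunk and continues past it.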
@@ -2364,14 +2444,6 @@ const EVP_MD *tls12_get_hash(unsigned ch
 	{
 	switch(hash_alg)
 		{
-#ifndef OPENSSL_NO_MD5
-		case TLSEXT_hash_md5:
-#ifdef OPENSSL_FIPS
-		if (FIPS_mode())
-			return NULL;
-#endif
-		return EVP_md5();
-#endif
 #ifndef OPENSSL_NO_SHA
 		case TLSEXT_hash_sha1:
 		return EVP_sha1();

Index: src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c:1.12 src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c:1.13
--- src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c:1.12	Tue Feb 12 14:52:11 2013
+++ src/crypto/external/bsd/openssl/dist/ssl/s3_pkt.c	Sat Jan 11 13:34:37 2014
@@ -335,7 +335,7 @@ fprintf(stderr, "Record type=%d, Length=
 			if (version != s->version)
 				{
 				SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                                if ((s->version & 0xFF00) == (version & 0xFF00))
+                                if ((s->version & 0xFF00) == (version & 0xFF00) && !s->enc_write_ctx && !s->write_hash)
                                 	/* Send back error using their minor version number :-) */
 					s->version = (unsigned short)version;
 				al=SSL_AD_PROTOCOL_VERSION;
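Review bot: The added `!s->enc_write_ctx && !s->write_hash` guard is not explained, and the surviving comment still reads as if the peer's minor version were always adopted. A short comment would help, for example `/* Adopt the peer's minor version for the alert only while no write cipher or MAC state exists. */`; the reason (presumably that records written later must keep the version the write state was set up for) is inferred, not shown here. The same guard is added without a comment in the ssl3_get_client_hello hunk of s3_srvr.c. The changed line is also space-indented and very long, so splitting the condition the way the s3_srvr.c hunk does would be more consistent. The enclosing function begins and ends outside the hunk.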
@@ -1460,8 +1460,14 @@ int ssl3_do_change_cipher_spec(SSL *s)
 		slen=s->method->ssl3_enc->client_finished_label_len;
 		}
 
-	s->s3->tmp.peer_finish_md_len = s->method->ssl3_enc->final_finish_mac(s,
+	i = s->method->ssl3_enc->final_finish_mac(s,
 		sender,slen,s->s3->tmp.peer_finish_md);
+	if (i == 0)
+		{
+		SSLerr(SSL_F_SSL3_DO_CHANGE_CIPHER_SPEC, ERR_R_INTERNAL_ERROR);
+		return 0;
+		}
+	s->s3->tmp.peer_finish_md_len = i;
 
 	return(1);
 	}
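Review bot: The new check `if (i == 0)` treats only zero as failure, so a negative return from `final_finish_mac` would still be stored in `peer_finish_md_len`. Whether any implementation can return a negative value is not visible here, and neither is the declaration of `i`; if it is a signed int, `if (i <= 0)` costs nothing and closes that gap. The start of ssl3_do_change_cipher_spec is outside the hunk.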

Index: src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c:1.13 src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c:1.14
--- src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c:1.13	Tue Feb 12 14:52:11 2013
+++ src/crypto/external/bsd/openssl/dist/ssl/s3_srvr.c	Sat Jan 11 13:34:37 2014
@@ -968,7 +968,8 @@ int ssl3_get_client_hello(SSL *s)
 	    (s->version != DTLS1_VERSION && s->client_version < s->version))
 		{
 		SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, SSL_R_WRONG_VERSION_NUMBER);
-		if ((s->client_version>>8) == SSL3_VERSION_MAJOR)
+		if ((s->client_version>>8) == SSL3_VERSION_MAJOR && 
+			!s->enc_write_ctx && !s->write_hash)
 			{
 			/* similar to ssl3_get_record, send alert using remote version number */
 			s->version = s->client_version;
@@ -1203,12 +1204,9 @@ int ssl3_get_client_hello(SSL *s)
 	 * server_random before calling tls_session_secret_cb in order to allow
 	 * SessionTicket processing to use it in key derivation. */
 	{
-		unsigned long Time;
 		unsigned char *pos;
-		Time=(unsigned long)time(NULL);			/* Time */
 		pos=s->s3->server_random;
-		l2n(Time,pos);
-		if (RAND_pseudo_bytes(pos,SSL3_RANDOM_SIZE-4) <= 0)
+		if (ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE) <= 0)
 			{
 			al=SSL_AD_INTERNAL_ERROR;
 			goto f_err;
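Review bot: The bare `1` in `ssl_fill_hello_random(s, 1, pos, SSL3_RANDOM_SIZE)` gives no hint of what it selects, and the ssl3_send_server_hello hunk drops the old comment about generating server_random. A comment such as `/* 1 = server side; fills server_random (SSL3_RANDOM_SIZE bytes) */` at both call sites would restore that. The helper is defined outside this part of the diff, so it is worth confirming which RAND_* call it uses, since the removed code used RAND_pseudo_bytes for this handshake nonce. ssl3_get_client_hello starts and ends outside the hunk.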
@@ -1445,19 +1443,13 @@ int ssl3_send_server_hello(SSL *s)
 	unsigned char *p,*d;
 	int i,sl;
 	unsigned long l;
-#ifdef OPENSSL_NO_TLSEXT
-	unsigned long Time;
-#endif
 
 	if (s->state == SSL3_ST_SW_SRVR_HELLO_A)
 		{
 		buf=(unsigned char *)s->init_buf->data;
 #ifdef OPENSSL_NO_TLSEXT
 		p=s->s3->server_random;
-		/* Generate server_random if it was not needed previously */
-		Time=(unsigned long)time(NULL);			/* Time */
-		l2n(Time,p);
-		if (RAND_pseudo_bytes(p,SSL3_RANDOM_SIZE-4) <= 0)
+		if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
 			return -1;
 #endif
 		/* Do the message type and length last */

Index: src/crypto/external/bsd/openssl/dist/ssl/ssltest.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/ssltest.c:1.5 src/crypto/external/bsd/openssl/dist/ssl/ssltest.c:1.6
--- src/crypto/external/bsd/openssl/dist/ssl/ssltest.c:1.5	Tue Feb  5 16:31:27 2013
+++ src/crypto/external/bsd/openssl/dist/ssl/ssltest.c	Sat Jan 11 13:34:37 2014
@@ -881,7 +881,13 @@ bad:
 		meth=SSLv23_method();
 #else
 #ifdef OPENSSL_NO_SSL2
-	meth=SSLv3_method();
+	if (tls1)
+		meth=TLSv1_method();
+	else
+	if (ssl3)
+		meth=SSLv3_method();
+	else
+		meth=SSLv23_method();
 #else
 	meth=SSLv2_method();
 #endif
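Review bot: The remaining `#else` branch still sets `meth=SSLv2_method()` unconditionally, so in that configuration a `tls1` request appears to be ignored, while the branch changed here now honours it. If that is not intended, the branch could read `if (tls1) meth=TLSv1_method(); else meth=SSLv2_method();`. The new `else` and `if (ssl3)` on separate lines at the same indent are also easy to misread; `else if (ssl3)` on one line is clearer. The outer `#if` and the enclosing function are outside the hunk.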

Index: src/crypto/external/bsd/openssl/lib/libcrypto/shlib_version
diff -u src/crypto/external/bsd/openssl/lib/libcrypto/shlib_version:1.7 src/crypto/external/bsd/openssl/lib/libcrypto/shlib_version:1.8
--- src/crypto/external/bsd/openssl/lib/libcrypto/shlib_version:1.7	Tue Feb  5 18:38:46 2013
+++ src/crypto/external/bsd/openssl/lib/libcrypto/shlib_version	Sat Jan 11 13:34:37 2014
@@ -1,5 +1,5 @@
-#	$NetBSD: shlib_version,v 1.7 2013/02/05 23:38:46 christos Exp $
+#	$NetBSD: shlib_version,v 1.8 2014/01/11 18:34:37 christos Exp $
 #	Remember to update distrib/sets/lists/base/shl.* when changing
 #
 major=8
-minor=1
+minor=2

Index: src/crypto/external/bsd/openssl/lib/libdes/shlib_version
diff -u src/crypto/external/bsd/openssl/lib/libdes/shlib_version:1.1 src/crypto/external/bsd/openssl/lib/libdes/shlib_version:1.2
--- src/crypto/external/bsd/openssl/lib/libdes/shlib_version:1.1	Sun Jul 19 19:30:58 2009
+++ src/crypto/external/bsd/openssl/lib/libdes/shlib_version	Sat Jan 11 13:34:37 2014
@@ -1,4 +1,4 @@
-#	$NetBSD: shlib_version,v 1.1 2009/07/19 23:30:58 christos Exp $
+#	$NetBSD: shlib_version,v 1.2 2014/01/11 18:34:37 christos Exp $
 #	Remember to update distrib/sets/lists/base/shl.* when changing
 #
 #	This library is currently only a symbolic link to libcrypto, so
@@ -6,4 +6,4 @@
 #	change them there.
 #
 major=8
-minor=1
+minor=2

Index: src/crypto/external/bsd/openssl/lib/libssl/shlib_version
diff -u src/crypto/external/bsd/openssl/lib/libssl/shlib_version:1.7 src/crypto/external/bsd/openssl/lib/libssl/shlib_version:1.8
--- src/crypto/external/bsd/openssl/lib/libssl/shlib_version:1.7	Tue Feb  5 18:38:46 2013
+++ src/crypto/external/bsd/openssl/lib/libssl/shlib_version	Sat Jan 11 13:34:37 2014
@@ -1,5 +1,5 @@
-#	$NetBSD: shlib_version,v 1.7 2013/02/05 23:38:46 christos Exp $
+#	$NetBSD: shlib_version,v 1.8 2014/01/11 18:34:37 christos Exp $
 #	Remember to update distrib/sets/lists/base/shl.* when changing
 #
 major=10
-minor=1
+minor=2
