Author: simon
Date: Thu Apr  1 15:19:51 2010
New Revision: 206046
URL: http://svn.freebsd.org/changeset/base/206046

Log:
  Merge OpenSSL 0.9.8n into head.
  
  This fixes CVE-2010-0740 which only affected -CURRENT (OpenSSL 0.9.8m)
  but not -STABLE branches.
  
  I have not yet been able to find out if CVE-2010-0433 impacts FreeBSD.
  This will be investigated further.
  
  Security:     CVE-2010-0433, CVE-2010-0740
  Security:     http://www.openssl.org/news/secadv_20100324.txt

Modified:
  head/crypto/openssl/CHANGES
  head/crypto/openssl/FAQ
  head/crypto/openssl/Makefile
  head/crypto/openssl/NEWS
  head/crypto/openssl/README
  head/crypto/openssl/apps/req.c
  head/crypto/openssl/apps/speed.c
  head/crypto/openssl/config
  head/crypto/openssl/crypto/asn1/a_object.c
  head/crypto/openssl/crypto/bio/bss_file.c
  head/crypto/openssl/crypto/bn/asm/ppc.pl
  head/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
  head/crypto/openssl/crypto/bn/bn_div.c
  head/crypto/openssl/crypto/engine/eng_all.c
  head/crypto/openssl/crypto/engine/eng_cryptodev.c
  head/crypto/openssl/crypto/evp/digest.c
  head/crypto/openssl/crypto/evp/evp_locl.h
  head/crypto/openssl/crypto/evp/names.c
  head/crypto/openssl/crypto/md32_common.h
  head/crypto/openssl/crypto/ocsp/ocsp_prn.c
  head/crypto/openssl/crypto/opensslv.h
  head/crypto/openssl/crypto/rand/rand_win.c
  head/crypto/openssl/engines/e_capi.c
  head/crypto/openssl/engines/e_chil.c
  head/crypto/openssl/fips/Makefile
  head/crypto/openssl/openssl.spec
  head/crypto/openssl/ssl/kssl.c
  head/crypto/openssl/ssl/s3_pkt.c
Directory Properties:
  head/crypto/openssl/   (props changed)

Modified: head/crypto/openssl/CHANGES
==============================================================================
--- head/crypto/openssl/CHANGES Thu Apr  1 15:17:52 2010        (r206045)
+++ head/crypto/openssl/CHANGES Thu Apr  1 15:19:51 2010        (r206046)
@@ -2,6 +2,21 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
+
+  *) When rejecting SSL/TLS records due to an incorrect version number, never
+     update s->server with a new major version number.  As of
+     - OpenSSL 0.9.8m if 'short' is a 16-bit type,
+     - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
+     the previous behavior could result in a read attempt at NULL when
+     receiving specific incorrect SSL/TLS records once record payload
+     protection is active.  (CVE-2010-0740)
+     [Bodo Moeller, Adam Langley <a...@chromium.org>]
+
+  *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL 
+     could be crashed if the relevant tables were not present (e.g. chrooted).
+     [Tomas Hoger <tho...@redhat.com>]
+
  Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
 
   *) Always check bn_wexpend() return values for failure.  (CVE-2009-3245)

Modified: head/crypto/openssl/FAQ
==============================================================================
--- head/crypto/openssl/FAQ     Thu Apr  1 15:17:52 2010        (r206045)
+++ head/crypto/openssl/FAQ     Thu Apr  1 15:19:51 2010        (r206046)
@@ -78,7 +78,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8m was released on Feb 25th, 2010.
+OpenSSL 0.9.8n was released on Mar 24th, 2010.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:

Modified: head/crypto/openssl/Makefile
==============================================================================
--- head/crypto/openssl/Makefile        Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/Makefile        Thu Apr  1 15:19:51 2010        
(r206046)
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=0.9.8m
+VERSION=0.9.8n
 MAJOR=0
 MINOR=9.8
 SHLIB_VERSION_NUMBER=0.9.8

Modified: head/crypto/openssl/NEWS
==============================================================================
--- head/crypto/openssl/NEWS    Thu Apr  1 15:17:52 2010        (r206045)
+++ head/crypto/openssl/NEWS    Thu Apr  1 15:19:51 2010        (r206046)
@@ -5,6 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n:
+
+      o CFB cipher definition fixes.
+      o Fix security issues CVE-2010-0740 and CVE-2010-0433.
+
   Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
 
       o Cipher definition fixes.

Modified: head/crypto/openssl/README
==============================================================================
--- head/crypto/openssl/README  Thu Apr  1 15:17:52 2010        (r206045)
+++ head/crypto/openssl/README  Thu Apr  1 15:19:51 2010        (r206046)
@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.8m
+ OpenSSL 0.9.8n
 
  Copyright (c) 1998-2009 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

Modified: head/crypto/openssl/apps/req.c
==============================================================================
--- head/crypto/openssl/apps/req.c      Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/apps/req.c      Thu Apr  1 15:19:51 2010        
(r206046)
@@ -1433,11 +1433,17 @@ start2:                 for (;;)
 
                                BIO_snprintf(buf,sizeof buf,"%s_min",type);
                                if (!NCONF_get_number(req_conf,attr_sect,buf, 
&n_min))
+                                       {
+                                       ERR_clear_error();
                                        n_min = -1;
+                                       }
 
                                BIO_snprintf(buf,sizeof buf,"%s_max",type);
                                if (!NCONF_get_number(req_conf,attr_sect,buf, 
&n_max))
+                                       {
+                                       ERR_clear_error();
                                        n_max = -1;
+                                       }
 
                                if (!add_attribute_object(req,
                                        v->value,def,value,nid,n_min,n_max, 
chtype))
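Review bot: ERR_clear_error() in both added branches empties the whole error queue, not only the entry pushed by the failed NCONF_get_number() lookup, so any error queued earlier in this loop is discarded as well. Bracketing each lookup with `ERR_set_mark();` before the call and `ERR_pop_to_mark();` in the failure branch would drop only the lookup's own entry. The enclosing loop starts and ends outside the hunk, so it is not visible whether earlier entries can be pending at this point.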

Modified: head/crypto/openssl/apps/speed.c
==============================================================================
--- head/crypto/openssl/apps/speed.c    Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/apps/speed.c    Thu Apr  1 15:19:51 2010        
(r206046)
@@ -254,12 +254,18 @@
 # endif
 #endif
 
-#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || 
defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || 
defined(OPENSSL_SYS_NETWARE)
-# define NO_FORK 1
-#elif HAVE_FORK
+#ifndef HAVE_FORK
+# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || 
defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || 
defined(OPENSSL_SYS_NETWARE)
+#  define HAVE_FORK 0
+# else
+#  define HAVE_FORK 1
+# endif
+#endif
+
+#if HAVE_FORK
 # undef NO_FORK
 #else
-# define NO_FORK 1
+# define NO_FORK
 #endif
 
 #undef BUFSIZE

Modified: head/crypto/openssl/config
==============================================================================
--- head/crypto/openssl/config  Thu Apr  1 15:17:52 2010        (r206045)
+++ head/crypto/openssl/config  Thu Apr  1 15:19:51 2010        (r206046)
@@ -741,6 +741,10 @@ case "$GUESSOS" in
        OBJECT_MODE=${OBJECT_MODE:-32}
        if [ "$CC" = "gcc" ]; then
            OUT="aix-gcc"
+          if [ $OBJECT_MODE -eq 64 ]; then
+            echo 'Your $OBJECT_MODE was found to be set to 64'
+            OUT="aix64-gcc"
+          fi
        elif [ $OBJECT_MODE -eq 64 ]; then
            echo 'Your $OBJECT_MODE was found to be set to 64' 
            OUT="aix64-cc"

Modified: head/crypto/openssl/crypto/asn1/a_object.c
==============================================================================
--- head/crypto/openssl/crypto/asn1/a_object.c  Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/crypto/asn1/a_object.c  Thu Apr  1 15:19:51 2010        
(r206046)
@@ -291,12 +291,12 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT
        ASN1_OBJECT *ret=NULL;
        const unsigned char *p;
        int i;
-       /* Sanity check OID encoding: can't have 0x80 in subidentifiers, see:
-        * X.690 8.19.2
+       /* Sanity check OID encoding: can't have leading 0x80 in
+        * subidentifiers, see: X.690 8.19.2
         */
        for (i = 0, p = *pp + 1; i < len - 1; i++, p++)
                {
-               if (*p == 0x80)
+               if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
                        {
                        
ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
                        return NULL;
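Review bot: The tightened test still runs inside a loop that starts at `*pp + 1` with `i = 0`, so `!i` treats the second content octet as the start of a subidentifier and the first octet is never examined. Two consequences follow from the visible lines: an encoding whose first octet is 0x80 passes the check, and a valid encoding whose first subidentifier spans several octets with 0x80 as its second octet is rejected. Starting the scan at the first octet, `for (i = 0, p = *pp; i < len; i++, p++)`, makes `!i` and `p[-1]` line up with the real subidentifier boundaries. The function body continues outside the hunk, so how a non-positive `len` is handled cannot be seen here.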

Modified: head/crypto/openssl/crypto/bio/bss_file.c
==============================================================================
--- head/crypto/openssl/crypto/bio/bss_file.c   Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/crypto/bio/bss_file.c   Thu Apr  1 15:19:51 2010        
(r206046)
@@ -272,9 +272,9 @@ static long MS_CALLBACK file_ctrl(BIO *b
                        BIO_clear_flags(b,BIO_FLAGS_UPLINK);
 #endif
 #endif
-#ifdef UP_fsetmode
+#ifdef UP_fsetmod
                if (b->flags&BIO_FLAGS_UPLINK)
-                       UP_fsetmode(b->ptr,num&BIO_FP_TEXT?'t':'b');
+                       UP_fsetmod(b->ptr,(char)((num&BIO_FP_TEXT)?'t':'b'));
                else
 #endif
                {

Modified: head/crypto/openssl/crypto/bn/asm/ppc.pl
==============================================================================
--- head/crypto/openssl/crypto/bn/asm/ppc.pl    Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/crypto/bn/asm/ppc.pl    Thu Apr  1 15:19:51 2010        
(r206046)
@@ -2074,5 +2074,7 @@ EOF
        $data =~ s/^(\s*)cmplw(\s+)([^,]+),(.*)/$1cmpl$2$3,0,$4/gm;
        # assembler X doesn't accept li, load immediate value
        #$data =~ s/^(\s*)li(\s+)([^,]+),(.*)/$1addi$2$3,0,$4/gm;
+       # assembler Y chokes on apostrophes in comments
+       $data =~ s/'//gm;
        return($data);
 }
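Review bot: The added substitution `s/'//gm` deletes every apostrophe in `$data`, not only those inside comments as the comment above it says, so any quoted constant in the generated assembly would be altered too. If only comments are meant, the match should be restricted to the comment part of each line; the comment marker used in `$data` is not visible in this hunk, so the exact pattern has to be checked against the generated text. The `m` modifier has no effect because the pattern contains no `^` or `$`, and "assembler Y" would be more useful with the assembler actually named.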

Modified: head/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
==============================================================================
--- head/crypto/openssl/crypto/bn/asm/x86_64-gcc.c      Thu Apr  1 15:17:52 
2010        (r206045)
+++ head/crypto/openssl/crypto/bn/asm/x86_64-gcc.c      Thu Apr  1 15:19:51 
2010        (r206046)
@@ -59,6 +59,7 @@
 
 #undef mul
 #undef mul_add
+#undef sqr
 
 /*
  * "m"(a), "+m"(r)     is the way to favor DirectPath �-code;

Modified: head/crypto/openssl/crypto/bn/bn_div.c
==============================================================================
--- head/crypto/openssl/crypto/bn/bn_div.c      Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/crypto/bn/bn_div.c      Thu Apr  1 15:19:51 2010        
(r206046)
@@ -337,7 +337,10 @@ X) -> 0x%08X\n",
                                t2 -= d1;
                                }
 #else /* !BN_LLONG */
-                       BN_ULONG t2l,t2h,ql,qh;
+                       BN_ULONG t2l,t2h;
+#if !defined(BN_UMULT_LOHI) && !defined(BN_UMULT_HIGH)
+                       BN_ULONG ql,qh;
+#endif
 
                        q=bn_div_words(n0,n1,d0);
 #ifdef BN_DEBUG_LEVITTE
@@ -561,7 +564,10 @@ X) -> 0x%08X\n",
                                t2 -= d1;
                                }
 #else /* !BN_LLONG */
-                       BN_ULONG t2l,t2h,ql,qh;
+                       BN_ULONG t2l,t2h;
+#if !defined(BN_UMULT_LOHI) && !defined(BN_UMULT_HIGH)
+                       BN_ULONG ql,qh;
+#endif
 
                        q=bn_div_words(n0,n1,d0);
 #ifdef BN_DEBUG_LEVITTE

Modified: head/crypto/openssl/crypto/engine/eng_all.c
==============================================================================
--- head/crypto/openssl/crypto/engine/eng_all.c Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/crypto/engine/eng_all.c Thu Apr  1 15:19:51 2010        
(r206046)
@@ -104,7 +104,7 @@ void ENGINE_load_builtin_engines(void)
 #endif
 #endif
 #ifndef OPENSSL_NO_HW
-#if defined(__OpenBSD__) || defined(__FreeBSD__)
+#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)
        ENGINE_load_cryptodev();
 #endif
 #if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)

Modified: head/crypto/openssl/crypto/engine/eng_cryptodev.c
==============================================================================
--- head/crypto/openssl/crypto/engine/eng_cryptodev.c   Thu Apr  1 15:17:52 
2010        (r206045)
+++ head/crypto/openssl/crypto/engine/eng_cryptodev.c   Thu Apr  1 15:19:51 
2010        (r206046)
@@ -755,10 +755,18 @@ cryptodev_bn_mod_exp(BIGNUM *r, const BI
                goto err;
        kop.crk_iparams = 3;
 
-       if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) {
+       if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL)) {
                const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+               printf("OCF asym process failed, Running in software\n");
+               ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
+
+       } else if (ECANCELED == kop.crk_status) {
+               const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+               printf("OCF hardware operation cancelled. Running in 
Software\n");
                ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
        }
+       /* else cryptodev operation worked ok ==> ret = 1*/
+
 err:
        zapparams(&kop);
        return (ret);
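Review bot: The two added `printf()` calls write a diagnostic to stdout from inside the engine, once per failed or cancelled operation; the same pattern is added in the cryptodev_rsa_mod_exp hunk that follows. A program that uses stdout as its data channel (a pipe, or a socket handed over by a super-server) gets this text mixed into its output, and the caller has no way to turn it off. Drop the messages or route them to stderr behind a debug define, e.g. `fprintf(stderr, "OCF asym process failed, running in software\n");`. The two branches are otherwise identical and could be one test, `if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) || kop.crk_status == ECANCELED)`. The function starts outside the hunk, so the initial value of `ret` that the new "worked ok" comment relies on is not visible.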
@@ -801,10 +809,18 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const 
                goto err;
        kop.crk_iparams = 6;
 
-       if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) {
+       if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL)) {
                const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+               printf("OCF asym process failed, running in Software\n");
+               ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
+
+       } else if (ECANCELED == kop.crk_status) {
+               const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+               printf("OCF hardware operation cancelled. Running in 
Software\n");
                ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
        }
+       /* else cryptodev operation worked ok ==> ret = 1*/
+
 err:
        zapparams(&kop);
        return (ret);
@@ -940,7 +956,8 @@ cryptodev_dsa_verify(const unsigned char
        kop.crk_iparams = 7;
 
        if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) {
-               dsaret = kop.crk_status;
+/*OCF success value is 0, if not zero, change dsaret to fail*/
+               if(0 != kop.crk_status) dsaret  = 0;
        } else {
                const DSA_METHOD *meth = DSA_OpenSSL();
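Review bot: On the accelerated path the verify result is now whatever `dsaret` was initialised to unless `kop.crk_status` is non-zero, and that initialiser is outside this hunk, so the accept case of a signature check rests on a line the reader cannot see here. Assuming `dsaret` starts at 1, writing the outcome explicitly, `dsaret = (kop.crk_status == 0) ? 1 : 0;`, keeps the behaviour and makes it visible. A non-zero status is reported as an invalid signature rather than as an error; that fails closed, but the added comment should say so. The comment also sits at column 0 instead of the block's indent.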
 

Modified: head/crypto/openssl/crypto/evp/digest.c
==============================================================================
--- head/crypto/openssl/crypto/evp/digest.c     Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/crypto/evp/digest.c     Thu Apr  1 15:19:51 2010        
(r206046)
@@ -235,6 +235,7 @@ static int do_evp_md_engine(EVP_MD_CTX *
                                {
                                /* Same comment from evp_enc.c */
                                
EVPerr(EVP_F_DO_EVP_MD_ENGINE,EVP_R_INITIALIZATION_ERROR);
+                               ENGINE_finish(impl);
                                return 0;
                                }
                        /* We'll use the ENGINE's private digest definition */

Modified: head/crypto/openssl/crypto/evp/evp_locl.h
==============================================================================
--- head/crypto/openssl/crypto/evp/evp_locl.h   Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/crypto/evp/evp_locl.h   Thu Apr  1 15:19:51 2010        
(r206046)
@@ -127,9 +127,9 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, 
 #define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
                             iv_len, cbits, flags, init_key, cleanup, \
                             set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, \
-                       (cbits + 7)/8, key_len, iv_len, \
-               flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
+                 key_len, iv_len, flags, init_key, cleanup, set_asn1, \
+                 get_asn1, ctrl)
 
 #define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \
                             iv_len, cbits, flags, init_key, cleanup, \

Modified: head/crypto/openssl/crypto/evp/names.c
==============================================================================
--- head/crypto/openssl/crypto/evp/names.c      Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/crypto/evp/names.c      Thu Apr  1 15:19:51 2010        
(r206046)
@@ -90,7 +90,7 @@ int EVP_add_digest(const EVP_MD *md)
        r=OBJ_NAME_add(OBJ_nid2ln(md->type),OBJ_NAME_TYPE_MD_METH,(const char 
*)md);
        if (r == 0) return(0);
 
-       if (md->type != md->pkey_type)
+       if (md->pkey_type && md->type != md->pkey_type)
                {
                r=OBJ_NAME_add(OBJ_nid2sn(md->pkey_type),
                        OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS,name);

Modified: head/crypto/openssl/crypto/md32_common.h
==============================================================================
--- head/crypto/openssl/crypto/md32_common.h    Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/crypto/md32_common.h    Thu Apr  1 15:19:51 2010        
(r206046)
@@ -241,11 +241,11 @@
 #ifndef PEDANTIC
 # if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && 
!defined(OPENSSL_NO_INLINE_ASM)
 #  if defined(__s390x__)
-#   define HOST_c2l(c,l)       ({ asm ("lrv    %0,0(%1)"               \
-                                       :"=r"(l) : "r"(c));             \
+#   define HOST_c2l(c,l)       ({ asm ("lrv    %0,%1"                  \
+                                  :"=d"(l) :"m"(*(const unsigned int *)(c));\
                                   (c)+=4; (l);                         })
-#   define HOST_l2c(l,c)       ({ asm ("strv   %0,0(%1)"               \
-                                       : : "r"(l),"r"(c) : "memory");  \
+#   define HOST_l2c(l,c)       ({ asm ("strv   %1,%0"                  \
+                                  :"=m"(*(unsigned int *)(c)) :"d"(l));\
                                   (c)+=4; (l);                         })
 #  endif
 # endif

Modified: head/crypto/openssl/crypto/ocsp/ocsp_prn.c
==============================================================================
--- head/crypto/openssl/crypto/ocsp/ocsp_prn.c  Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/crypto/ocsp/ocsp_prn.c  Thu Apr  1 15:19:51 2010        
(r206046)
@@ -275,6 +275,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RE
                }
        if (!X509V3_extensions_print(bp, "Response Extensions",
                                        rd->responseExtensions, flags, 4))
+                                                       goto err;
        if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
                                                        goto err;
 

Modified: head/crypto/openssl/crypto/opensslv.h
==============================================================================
--- head/crypto/openssl/crypto/opensslv.h       Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/crypto/opensslv.h       Thu Apr  1 15:19:51 2010        
(r206046)
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER 0x009080dfL
+#define OPENSSL_VERSION_NUMBER 0x009080efL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8m-fips 25 Feb 2010"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8n-fips 24 Mar 2010"
 #else
-#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8m 25 Feb 2010"
+#define OPENSSL_VERSION_TEXT   "OpenSSL 0.9.8n 24 Mar 2010"
 #endif
 #define OPENSSL_VERSION_PTEXT  " part of " OPENSSL_VERSION_TEXT
 

Modified: head/crypto/openssl/crypto/rand/rand_win.c
==============================================================================
--- head/crypto/openssl/crypto/rand/rand_win.c  Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/crypto/rand/rand_win.c  Thu Apr  1 15:19:51 2010        
(r206046)
@@ -750,7 +750,7 @@ static void readscreen(void)
   int          y;              /* y-coordinate of screen lines to grab */
   int          n = 16;         /* number of screen lines to grab at a time */
 
-  if (GetVersion() >= 0x80000000 || !OPENSSL_isservice())
+  if (GetVersion() < 0x80000000 && OPENSSL_isservice()>0)
     return;
 
   /* Create a screen DC and a memory DC compatible to screen DC */
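Review bot: The rewritten guard in readscreen() carries no comment, and neither `GetVersion() < 0x80000000` nor `OPENSSL_isservice()>0` explains itself. The `>0` comparison implies OPENSSL_isservice() can also return zero or a negative value; its contract is not visible here, so the comment should state which of those cases is meant to fall through to the screen grab. Something like `/* NT family and running as a service: skip the screen grab */` above the test would do, adjusted to the helper's documented return values.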

Modified: head/crypto/openssl/engines/e_capi.c
==============================================================================
--- head/crypto/openssl/engines/e_capi.c        Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/engines/e_capi.c        Thu Apr  1 15:19:51 2010        
(r206046)
@@ -83,6 +83,10 @@
 #define CERT_STORE_CREATE_NEW_FLAG                      0x00002000
 #endif
 
+#ifndef CERT_SYSTEM_STORE_CURRENT_USER
+#define CERT_SYSTEM_STORE_CURRENT_USER                 0x00010000
+#endif 
+
 #include <openssl/engine.h>
 #include <openssl/pem.h>
 #include <openssl/x509v3.h>

Modified: head/crypto/openssl/engines/e_chil.c
==============================================================================
--- head/crypto/openssl/engines/e_chil.c        Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/engines/e_chil.c        Thu Apr  1 15:19:51 2010        
(r206046)
@@ -1204,6 +1204,11 @@ static int hwcrhk_get_pass(const char *p
        pem_password_cb *callback = NULL;
        void *callback_data = NULL;
         UI_METHOD *ui_method = NULL;
+       /* Despite what the documentation says prompt_info can be
+        * an empty string.
+        */
+       if (prompt_info && !*prompt_info)
+               prompt_info = NULL;
 
         if (cactx)
                 {
@@ -1305,8 +1310,10 @@ static int hwcrhk_insert_card(const char
                {
                char answer;
                char buf[BUFSIZ];
-
-               if (wrong_info)
+               /* Despite what the documentation says wrong_info can be
+                * an empty string.
+                */
+               if (wrong_info && *wrong_info)
                        BIO_snprintf(buf, sizeof(buf)-1,
                                "Current card: \"%s\"\n", wrong_info);
                ok = UI_dup_info_string(ui, buf);
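Review bot: `buf` is passed to UI_dup_info_string() even when the BIO_snprintf() above it did not run, and the new `*wrong_info` test adds the empty-string case to the NULL case in which that happens. `char buf[BUFSIZ];` has no initialiser, so the UI string is then built from uninitialised stack bytes with no guaranteed terminator. Setting `buf[0] = '\0';` right after the declaration, or skipping the UI_dup_info_string() call when there is nothing to show, closes this. The enclosing function starts and ends outside the hunk.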

Modified: head/crypto/openssl/fips/Makefile
==============================================================================
--- head/crypto/openssl/fips/Makefile   Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/fips/Makefile   Thu Apr  1 15:19:51 2010        
(r206046)
@@ -123,7 +123,7 @@ fips_premain_dso$(EXE_EXT): fips_premain
                $(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS)
 # this is executed only when linking with external fipscanister.o
 fips_standalone_sha1$(EXE_EXT):        sha/fips_standalone_sha1.c
-       if [ -z $(HOSTCC) ] ; then \
+       if [ -z "$(HOSTCC)" ] ; then \
                $(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ 
sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o $(EX_LIBS) ; \
        else \
                $(HOSTCC) $(HOSTCFLAGS) -o $ $@ -I../include -I../crypto 
sha/fips_standalone_sha1.c ../crypto/sha/sha1dgst.c ; \

Modified: head/crypto/openssl/openssl.spec
==============================================================================
--- head/crypto/openssl/openssl.spec    Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/openssl.spec    Thu Apr  1 15:19:51 2010        
(r206046)
@@ -2,7 +2,7 @@
 %define libmaj 0
 %define libmin 9
 %define librel 8
-%define librev m
+%define librev n
 Release: 1
 
 %define openssldir /var/ssl

Modified: head/crypto/openssl/ssl/kssl.c
==============================================================================
--- head/crypto/openssl/ssl/kssl.c      Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/ssl/kssl.c      Thu Apr  1 15:19:51 2010        
(r206046)
@@ -1802,6 +1802,9 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx)
                                      kssl_ctx->service_name ? 
kssl_ctx->service_name: KRB5SVC,
                                      KRB5_NT_SRV_HST, &princ);
 
+    if (krb5rc)
+       goto exit;
+
     krb5rc = krb5_kt_get_entry(krb5context, krb5keytab, 
                                 princ,
                                 0 /* IGNORE_VNO */,
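Review bot: The new `goto exit` is taken when krb5_sname_to_principal() has failed, so the cleanup at `exit:` must cope with a `princ` that was never filled in. Both the label and the declaration of `princ` are outside the hunk; confirm that `princ` is initialised to NULL and that the cleanup tests it before freeing. A short comment on the added check, such as `/* no principal, so there is nothing to look up in the keytab */`, would also record why the early exit exists.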

Modified: head/crypto/openssl/ssl/s3_pkt.c
==============================================================================
--- head/crypto/openssl/ssl/s3_pkt.c    Thu Apr  1 15:17:52 2010        
(r206045)
+++ head/crypto/openssl/ssl/s3_pkt.c    Thu Apr  1 15:19:51 2010        
(r206046)
@@ -291,9 +291,9 @@ again:
                        if (version != s->version)
                                {
                                
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
-                               /* Send back error using their
-                                * version number :-) */
-                               s->version=version;
+                                if ((s->version & 0xFF00) == (version & 
0xFF00))
+                                       /* Send back error using their minor 
version number :-) */
+                                       s->version = (unsigned short)version;
                                al=SSL_AD_PROTOCOL_VERSION;
                                goto f_err;
                                }
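Review bot: The added `if` guards a single assignment with no braces and with a comment sitting between the condition and the statement, directly above `al=SSL_AD_PROTOCOL_VERSION;`. A later edit can easily pull the alert assignment under the condition or push the version assignment out of it, so bracing the body would pin the scope. The comment could also record why the major version must match, which per the CHANGES entry in this commit is the substance of the fix: `/* Keep our major version when rejecting a record; only echo the peer's minor version (CVE-2010-0740). */`. That CHANGES entry names `s->server` where this code updates `s->version`. The enclosing function starts and ends outside the hunk.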