author | kris <kris@FreeBSD.org> | 2000-11-13 02:20:29 +0000 |
---|---|---|
committer | kris <kris@FreeBSD.org> | 2000-11-13 02:20:29 +0000 |
commit | 76c54c9ba38450a69a291e1a8616ef6e229043ef (patch) | |
tree | c19c2ee5abe6e2e8f31ea9f0df8dc01f357bb10a /crypto/openssl/ssl | |
parent | f6480205844e67624afaf36e515671962f3ff825 (diff) | |
Resolve conflicts, and garbage collect some local changes that are no
longer required
Diffstat (limited to 'crypto/openssl/ssl')
-rw-r--r-- | crypto/openssl/ssl/s23_clnt.c | 4 | ||||
-rw-r--r-- | crypto/openssl/ssl/s23_srvr.c | 32 | ||||
-rw-r--r-- | crypto/openssl/ssl/s2_clnt.c | 1 | ||||
-rw-r--r-- | crypto/openssl/ssl/s2_enc.c | 4 | ||||
-rw-r--r-- | crypto/openssl/ssl/s2_lib.c | 20 | ||||
-rw-r--r-- | crypto/openssl/ssl/s2_srvr.c | 4 |
6 files changed, 38 insertions, 27 deletions
diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c
index c6b2323..8a3daaf 100644
--- a/crypto/openssl/ssl/s23_clnt.c
+++ b/crypto/openssl/ssl/s23_clnt.c
@@ -368,7 +368,9 @@ static int ssl23_get_server_hello(SSL *s)
 }
 s->state=SSL2_ST_GET_SERVER_HELLO_A;
- s->s2->ssl2_rollback=1;
+ if (!(s->client_version == SSL2_VERSION))
+ /* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */
+ s->s2->ssl2_rollback=1;
 /* setup the 5 bytes we have read so we get them from * the sslv2 buffer */
diff --git a/crypto/openssl/ssl/s23_srvr.c b/crypto/openssl/ssl/s23_srvr.c
index c1c2e9d..2dbf614 100644
--- a/crypto/openssl/ssl/s23_srvr.c
+++ b/crypto/openssl/ssl/s23_srvr.c
@@ -299,7 +299,7 @@ int ssl23_get_client_hello(SSL *s)
 if (n <= 0) return(n);
 p=s->packet;
- if ((buf=Malloc(n)) == NULL)
+ if ((buf=OPENSSL_malloc(n)) == NULL)
 {
 SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,ERR_R_MALLOC_FAILURE);
 goto err;
@@ -350,16 +350,21 @@ int ssl23_get_client_hello(SSL *s)
 * SSLv3 or tls1 header */
- v[0]=p[1]; /* major version */
+ v[0]=p[1]; /* major version (= SSL3_VERSION_MAJOR) */
 /* We must look at client_version inside the Client Hello message
- * to get the correct minor version: */
- v[1]=p[10];
- /* However if we have only a pathologically small fragment of the
- * Client Hello message, we simply use the version from the
- * record header -- this is incorrect but unlikely to fail in
- * practice */
+ * to get the correct minor version.
+ * However if we have only a pathologically small fragment of the
+ * Client Hello message, this would be difficult, we'd have
+ * to read at least one additional record to find out.
+ * This doesn't usually happen in real life, so we just complain
+ * for now.
+ */
 if (p[3] == 0 && p[4] < 6)
- v[1]=p[2];
+ {
+ SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_RECORD_TOO_SMALL);
+ goto err;
+ }
+ v[1]=p[10]; /* minor version according to client_version */
 if (v[1] >= TLS1_VERSION_MINOR)
 {
 if (!(s->options & SSL_OP_NO_TLSv1))
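Review bot: In s23_clnt.c (hunk at -368) the new `if (!(s->client_version == SSL2_VERSION))` guards an unbraced statement with a comment sitting between the condition and its body, so a later edit can easily detach `s->s2->ssl2_rollback=1;` from the test. This flag selects the rollback-detection padding the comment cites, so I would write it as `if (s->client_version != SSL2_VERSION) { /* use special padding ... */ s->s2->ssl2_rollback=1; }`. Where client_version is set is not visible here; ssl23_get_server_hello continues outside the hunk.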
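Review bot: In s23_srvr.c (hunk at -350) the bound in `if (p[3] == 0 && p[4] < 6)` is a bare `6` whose link to the `p[10]` read that follows is left for the reader to reconstruct. A comment such as `/* record must hold msg_type(1) + length(3) + client_version(2) before p[9]/p[10] can be trusted */` would tie the length check to the index it protects. Separately, v[0] still comes from the record header (`p[1]`) while v[1] now always comes from client_version, and nothing in the hunk compares the client_version major byte; it is worth confirming that the enclosing branch, which starts outside the hunk, already pins it.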
@@ -497,9 +502,12 @@ int ssl23_get_client_hello(SSL *s)
 s->state=SSL2_ST_GET_CLIENT_HELLO_A;
 if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) ||
- use_sslv2_strong)
+ use_sslv2_strong ||
+ (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3))
 s->s2->ssl2_rollback=0;
 else
+ /* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
+ * (SSL 3.0 draft/RFC 2246, App. E.2) */
 s->s2->ssl2_rollback=1;
 /* setup the n bytes we have read so we get them from
@@ -561,10 +569,10 @@ int ssl23_get_client_hello(SSL *s)
 }
 s->init_num=0;
- if (buf != buf_space) Free(buf);
+ if (buf != buf_space) OPENSSL_free(buf);
 s->first_packet=1;
 return(SSL_accept(s));
 err:
- if (buf != buf_space) Free(buf);
+ if (buf != buf_space) OPENSSL_free(buf);
 return(-1);
 }
diff --git a/crypto/openssl/ssl/s2_clnt.c b/crypto/openssl/ssl/s2_clnt.c
index 5781f98..e448a60 100644
--- a/crypto/openssl/ssl/s2_clnt.c
+++ b/crypto/openssl/ssl/s2_clnt.c
@@ -922,6 +922,7 @@ int ssl2_set_certificate(SSL *s, int type, int len, unsigned char *data)
 SSLerr(SSL_F_SSL2_SET_CERTIFICATE,SSL_R_CERTIFICATE_VERIFY_FAILED);
 goto err;
 }
+ ERR_clear_error(); /* but we keep s->verify_result */
 /* server's cert for this session */
 sc=ssl_sess_cert_new();
diff --git a/crypto/openssl/ssl/s2_enc.c b/crypto/openssl/ssl/s2_enc.c
index 204acd7..7643f96 100644
--- a/crypto/openssl/ssl/s2_enc.c
+++ b/crypto/openssl/ssl/s2_enc.c
@@ -82,11 +82,11 @@ int ssl2_enc_init(SSL *s, int client)
 if ((s->enc_read_ctx == NULL) && ((s->enc_read_ctx=(EVP_CIPHER_CTX *)
- Malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+ OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
 goto err;
 if ((s->enc_write_ctx == NULL) && ((s->enc_write_ctx=(EVP_CIPHER_CTX *)
- Malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
+ OPENSSL_malloc(sizeof(EVP_CIPHER_CTX))) == NULL))
 goto err;
 rs= s->enc_read_ctx;
diff --git a/crypto/openssl/ssl/s2_lib.c b/crypto/openssl/ssl/s2_lib.c
index 8230f3b..c64c8d8 100644
--- a/crypto/openssl/ssl/s2_lib.c
+++ b/crypto/openssl/ssl/s2_lib.c
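Review bot: In s23_srvr.c (hunk at -497) the added term `(s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)` depends on `&` binding tighter than `&&`. It evaluates as intended, but this expression decides whether rollback detection is switched off, so it should not need a precedence table to read: `((s->options & SSL_OP_NO_TLSv1) && (s->options & SSL_OP_NO_SSLv3))`. The `else` now has a two-line comment between the keyword and its unbraced `s->s2->ssl2_rollback=1;`, so bracing both branches would keep the assignment attached to the right arm. The function continues outside the hunk.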
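Review bot: In s2_clnt.c (hunk at -922) the added `ERR_clear_error();` empties the thread's whole error queue, not only entries left by certificate verification, and the trailing comment does not say why discarding them is safe here. The call sits on the path where the `goto err` above was not taken, which presumably means a failed verification was tolerated by the configured verify mode; that condition is outside the hunk. I would expand the comment to something like `/* verification outcome stays in s->verify_result; drop queued verify errors so they are not reported against a later call */`, so it is explicit that the handshake may continue with an unverified certificate and that s->verify_result is the only remaining record.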
@@ -269,12 +269,12 @@ int ssl2_new(SSL *s)
 {
 SSL2_STATE *s2;
- if ((s2=Malloc(sizeof *s2)) == NULL) goto err;
+ if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err;
 memset(s2,0,sizeof *s2);
- if ((s2->rbuf=Malloc(
+ if ((s2->rbuf=OPENSSL_malloc(
 SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
- if ((s2->wbuf=Malloc(
+ if ((s2->wbuf=OPENSSL_malloc(
 SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err;
 s->s2=s2;
@@ -283,9 +283,9 @@ int ssl2_new(SSL *s)
 err:
 if (s2 != NULL)
 {
- if (s2->wbuf != NULL) Free(s2->wbuf);
- if (s2->rbuf != NULL) Free(s2->rbuf);
- Free(s2);
+ if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf);
+ if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf);
+ OPENSSL_free(s2);
 }
 return(0);
 }
@@ -298,10 +298,10 @@ void ssl2_free(SSL *s)
 return;
 s2=s->s2;
- if (s2->rbuf != NULL) Free(s2->rbuf);
- if (s2->wbuf != NULL) Free(s2->wbuf);
+ if (s2->rbuf != NULL) OPENSSL_free(s2->rbuf);
+ if (s2->wbuf != NULL) OPENSSL_free(s2->wbuf);
 memset(s2,0,sizeof *s2);
- Free(s2);
+ OPENSSL_free(s2);
 s->s2=NULL;
 }
@@ -386,7 +386,7 @@ SSL_CIPHER *ssl2_get_cipher_by_char(const unsigned char *p)
 cpp=(SSL_CIPHER **)OBJ_bsearch((char *)&cp, (char *)sorted, SSL2_NUM_CIPHERS,sizeof(SSL_CIPHER *),
- (int (*)())ssl_cipher_ptr_id_cmp);
+ FP_ICC ssl_cipher_ptr_id_cmp);
 if ((cpp == NULL) || !(*cpp)->valid)
 return(NULL);
 else
diff --git a/crypto/openssl/ssl/s2_srvr.c b/crypto/openssl/ssl/s2_srvr.c
index 51c70df..2f3ec61 100644
--- a/crypto/openssl/ssl/s2_srvr.c
+++ b/crypto/openssl/ssl/s2_srvr.c
@@ -900,7 +900,7 @@ static int request_certificate(SSL *s)
 EVP_VerifyUpdate(&ctx,ccd,SSL2_MIN_CERT_CHALLENGE_LENGTH);
 i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,NULL);
- buf2=Malloc((unsigned int)i);
+ buf2=OPENSSL_malloc((unsigned int)i);
 if (buf2 == NULL)
 {
 SSLerr(SSL_F_REQUEST_CERTIFICATE,ERR_R_MALLOC_FAILURE);
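Review bot: In s2_srvr.c (hunk at -900) the result of `i2d_X509(...,NULL)` is cast straight to `unsigned int` in `buf2=OPENSSL_malloc((unsigned int)i);`, so a negative error return would turn into a very large allocation request rather than an error. A guard before the allocation, for example `if (i <= 0) goto end;`, would stop that; the `end` label is used in the following hunk, but its cleanup is outside the visible lines, so the right error code to set needs checking there. The second `i2d_X509` call in the hunk at -909 passes its unchecked result to `EVP_VerifyUpdate` in the same way.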
@@ -909,7 +909,7 @@ static int request_certificate(SSL *s)
 p2=buf2;
 i=i2d_X509(s->cert->pkeys[SSL_PKEY_RSA_ENC].x509,&p2);
 EVP_VerifyUpdate(&ctx,buf2,(unsigned int)i);
- Free(buf2);
+ OPENSSL_free(buf2);
 pkey=X509_get_pubkey(x509);
 if (pkey == NULL) goto end; |