diff options
| author | jkim <jkim@FreeBSD.org> | 2014-04-08 21:06:58 +0000 |
|---|---|---|
| committer | jkim <jkim@FreeBSD.org> | 2014-04-08 21:06:58 +0000 |
| commit | 89b378c4b34c70b60981e17ea385f14c9e285912 (patch) | |
| tree | 782ade2dc94388e4ddc56b20d9c7ccf578d61077 /crypto/openssl/ssl | |
| parent | 808e531530813c805e5f01db2b51e22340fd77a6 (diff) | |
| download | FreeBSD-src-89b378c4b34c70b60981e17ea385f14c9e285912.zip FreeBSD-src-89b378c4b34c70b60981e17ea385f14c9e285912.tar.gz | |
Merge OpenSSL 1.0.1g.
Approved by: benl (maintainer)
Diffstat (limited to 'crypto/openssl/ssl')
| -rw-r--r-- | crypto/openssl/ssl/kssl.h | 9 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s23_clnt.c | 2 | ||||
| -rw-r--r-- | crypto/openssl/ssl/s3_srvr.c | 4 | ||||
| -rw-r--r-- | crypto/openssl/ssl/ssl.h | 2 | ||||
| -rw-r--r-- | crypto/openssl/ssl/t1_enc.c | 3 | ||||
| -rw-r--r-- | crypto/openssl/ssl/t1_lib.c | 32 | ||||
| -rw-r--r-- | crypto/openssl/ssl/tls1.h | 6 |
7 files changed, 52 insertions, 6 deletions
diff --git a/crypto/openssl/ssl/kssl.h b/crypto/openssl/ssl/kssl.h index 8242fd5..e4df843 100644 --- a/crypto/openssl/ssl/kssl.h +++ b/crypto/openssl/ssl/kssl.h @@ -70,6 +70,15 @@ #include <stdio.h> #include <ctype.h> #include <krb5.h> +#ifdef OPENSSL_SYS_WIN32 +/* These can sometimes get redefined indirectly by krb5 header files + * after they get undefed in ossl_typ.h + */ +#undef X509_NAME +#undef X509_EXTENSIONS +#undef OCSP_REQUEST +#undef OCSP_RESPONSE +#endif #ifdef __cplusplus extern "C" { diff --git a/crypto/openssl/ssl/s23_clnt.c b/crypto/openssl/ssl/s23_clnt.c index 84670b6..2b93c63 100644 --- a/crypto/openssl/ssl/s23_clnt.c +++ b/crypto/openssl/ssl/s23_clnt.c @@ -283,7 +283,7 @@ int ssl_fill_hello_random(SSL *s, int server, unsigned char *result, int len) send_time = (s->mode & SSL_MODE_SEND_CLIENTHELLO_TIME) != 0; if (send_time) { - unsigned long Time = time(NULL); + unsigned long Time = (unsigned long)time(NULL); unsigned char *p = result; l2n(Time, p); return RAND_pseudo_bytes(p, len-4); diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c index 52efed3..9ac19c0 100644 --- a/crypto/openssl/ssl/s3_srvr.c +++ b/crypto/openssl/ssl/s3_srvr.c @@ -1830,7 +1830,7 @@ int ssl3_send_server_key_exchange(SSL *s) SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,SSL_R_UNKNOWN_KEY_EXCHANGE_TYPE); goto f_err; } - for (i=0; r[i] != NULL && i<4; i++) + for (i=0; i < 4 && r[i] != NULL; i++) { nr[i]=BN_num_bytes(r[i]); #ifndef OPENSSL_NO_SRP @@ -1866,7 +1866,7 @@ int ssl3_send_server_key_exchange(SSL *s) d=(unsigned char *)s->init_buf->data; p= &(d[4]); - for (i=0; r[i] != NULL && i<4; i++) + for (i=0; i < 4 && r[i] != NULL; i++) { #ifndef OPENSSL_NO_SRP if ((i == 2) && (type & SSL_kSRP)) diff --git a/crypto/openssl/ssl/ssl.h b/crypto/openssl/ssl/ssl.h index dece04d..7219a0e 100644 --- a/crypto/openssl/ssl/ssl.h +++ b/crypto/openssl/ssl/ssl.h @@ -915,7 +915,7 @@ struct ssl_ctx_st */ unsigned int max_send_fragment; -#ifndef OPENSSL_ENGINE +#ifndef OPENSSL_NO_ENGINE /* Engine to pass requests for client certs to */ ENGINE *client_cert_engine; diff --git a/crypto/openssl/ssl/t1_enc.c b/crypto/openssl/ssl/t1_enc.c index 56db834..0c4cdde 100644 --- a/crypto/openssl/ssl/t1_enc.c +++ b/crypto/openssl/ssl/t1_enc.c @@ -986,7 +986,8 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send) } else { - EVP_MD_CTX_copy(&hmac,hash); + if (!EVP_MD_CTX_copy(&hmac,hash)) + return -1; mac_ctx = &hmac; } diff --git a/crypto/openssl/ssl/t1_lib.c b/crypto/openssl/ssl/t1_lib.c index 2e0fca4..bddffd9 100644 --- a/crypto/openssl/ssl/t1_lib.c +++ b/crypto/openssl/ssl/t1_lib.c @@ -662,6 +662,36 @@ unsigned char *ssl_add_clienthello_tlsext(SSL *s, unsigned char *p, unsigned cha } #endif +#ifdef TLSEXT_TYPE_padding + /* Add padding to workaround bugs in F5 terminators. + * See https://tools.ietf.org/html/draft-agl-tls-padding-03 + * + * NB: because this code works out the length of all existing + * extensions it MUST always appear last. + */ + { + int hlen = ret - (unsigned char *)s->init_buf->data; + /* The code in s23_clnt.c to build ClientHello messages includes the + * 5-byte record header in the buffer, while the code in s3_clnt.c does + * not. */ + if (s->state == SSL23_ST_CW_CLNT_HELLO_A) + hlen -= 5; + if (hlen > 0xff && hlen < 0x200) + { + hlen = 0x200 - hlen; + if (hlen >= 4) + hlen -= 4; + else + hlen = 0; + + s2n(TLSEXT_TYPE_padding, ret); + s2n(hlen, ret); + memset(ret, 0, hlen); + ret += hlen; + } + } +#endif + if ((extdatalen = ret-p-2)== 0) return p; @@ -1261,7 +1291,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } } else if (type == TLSEXT_TYPE_status_request && - s->version != DTLS1_VERSION && s->ctx->tlsext_status_cb) + s->version != DTLS1_VERSION) { if (size < 5) diff --git a/crypto/openssl/ssl/tls1.h b/crypto/openssl/ssl/tls1.h index c39c267..c992091 100644 --- a/crypto/openssl/ssl/tls1.h +++ b/crypto/openssl/ssl/tls1.h @@ -230,6 +230,12 @@ extern "C" { /* ExtensionType value from RFC5620 */ #define TLSEXT_TYPE_heartbeat 15 +/* ExtensionType value for TLS padding extension. + * http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml + * http://tools.ietf.org/html/draft-agl-tls-padding-03 + */ +#define TLSEXT_TYPE_padding 21 + /* ExtensionType value from RFC4507 */ #define TLSEXT_TYPE_session_ticket 35 |
