svn commit: r206046 - in head/crypto/openssl: . apps crypto
crypto/asn1 crypto/bio crypto/bn crypto/bn/asm crypto/engine
crypto/evp crypto/ocsp crypto/rand engines fips ssl
Simon L. Nielsen
simon at FreeBSD.org
Thu Apr 1 15:19:51 UTC 2010
Author: simon
Date: Thu Apr 1 15:19:51 2010
New Revision: 206046
URL: http://svn.freebsd.org/changeset/base/206046
Log:
Merge OpenSSL 0.9.8n into head.
This fixes CVE-2010-0740 which only affected -CURRENT (OpenSSL 0.9.8m)
but not -STABLE branches.
I have not yet been able to find out if CVE-2010-0433 impacts FreeBSD.
This will be investigated further.
Security: CVE-2010-0433, CVE-2010-0740
Security: http://www.openssl.org/news/secadv_20100324.txt
Modified:
head/crypto/openssl/CHANGES
head/crypto/openssl/FAQ
head/crypto/openssl/Makefile
head/crypto/openssl/NEWS
head/crypto/openssl/README
head/crypto/openssl/apps/req.c
head/crypto/openssl/apps/speed.c
head/crypto/openssl/config
head/crypto/openssl/crypto/asn1/a_object.c
head/crypto/openssl/crypto/bio/bss_file.c
head/crypto/openssl/crypto/bn/asm/ppc.pl
head/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
head/crypto/openssl/crypto/bn/bn_div.c
head/crypto/openssl/crypto/engine/eng_all.c
head/crypto/openssl/crypto/engine/eng_cryptodev.c
head/crypto/openssl/crypto/evp/digest.c
head/crypto/openssl/crypto/evp/evp_locl.h
head/crypto/openssl/crypto/evp/names.c
head/crypto/openssl/crypto/md32_common.h
head/crypto/openssl/crypto/ocsp/ocsp_prn.c
head/crypto/openssl/crypto/opensslv.h
head/crypto/openssl/crypto/rand/rand_win.c
head/crypto/openssl/engines/e_capi.c
head/crypto/openssl/engines/e_chil.c
head/crypto/openssl/fips/Makefile
head/crypto/openssl/openssl.spec
head/crypto/openssl/ssl/kssl.c
head/crypto/openssl/ssl/s3_pkt.c
Directory Properties:
head/crypto/openssl/ (props changed)
Modified: head/crypto/openssl/CHANGES
==============================================================================
--- head/crypto/openssl/CHANGES Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/CHANGES Thu Apr 1 15:19:51 2010 (r206046)
@@ -2,6 +2,21 @@
OpenSSL CHANGES
_______________
+ Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
+
+ *) When rejecting SSL/TLS records due to an incorrect version number, never
+ update s->server with a new major version number. As of
+ - OpenSSL 0.9.8m if 'short' is a 16-bit type,
+ - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
+ the previous behavior could result in a read attempt at NULL when
+ receiving specific incorrect SSL/TLS records once record payload
+ protection is active. (CVE-2010-0740)
+ [Bodo Moeller, Adam Langley <agl at chromium.org>]
+
+ *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
+ could be crashed if the relevant tables were not present (e.g. chrooted).
+ [Tomas Hoger <thoger at redhat.com>]
+
Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
*) Always check bn_wexpend() return values for failure. (CVE-2009-3245)
Modified: head/crypto/openssl/FAQ
==============================================================================
--- head/crypto/openssl/FAQ Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/FAQ Thu Apr 1 15:19:51 2010 (r206046)
@@ -78,7 +78,7 @@ OpenSSL - Frequently Asked Questions
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8m was released on Feb 25th, 2010.
+OpenSSL 0.9.8n was released on Mar 24th, 2010.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
Modified: head/crypto/openssl/Makefile
==============================================================================
--- head/crypto/openssl/Makefile Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/Makefile Thu Apr 1 15:19:51 2010 (r206046)
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=0.9.8m
+VERSION=0.9.8n
MAJOR=0
MINOR=9.8
SHLIB_VERSION_NUMBER=0.9.8
Modified: head/crypto/openssl/NEWS
==============================================================================
--- head/crypto/openssl/NEWS Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/NEWS Thu Apr 1 15:19:51 2010 (r206046)
@@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n:
+
+ o CFB cipher definition fixes.
+ o Fix security issues CVE-2010-0740 and CVE-2010-0433.
+
Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
o Cipher definition fixes.
Modified: head/crypto/openssl/README
==============================================================================
--- head/crypto/openssl/README Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/README Thu Apr 1 15:19:51 2010 (r206046)
@@ -1,5 +1,5 @@
- OpenSSL 0.9.8m
+ OpenSSL 0.9.8n
Copyright (c) 1998-2009 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Modified: head/crypto/openssl/apps/req.c
==============================================================================
--- head/crypto/openssl/apps/req.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/apps/req.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -1433,11 +1433,17 @@ start2: for (;;)
BIO_snprintf(buf,sizeof buf,"%s_min",type);
if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min))
+ {
+ ERR_clear_error();
n_min = -1;
+ }
BIO_snprintf(buf,sizeof buf,"%s_max",type);
if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max))
+ {
+ ERR_clear_error();
n_max = -1;
+ }
if (!add_attribute_object(req,
v->value,def,value,nid,n_min,n_max, chtype))
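Review bot: ERR_clear_error() in both added blocks empties the whole error queue, not only the entry that the failed NCONF_get_number() lookup just pushed, so any error queued earlier is discarded as well. If earlier entries should survive, bracket each lookup with `ERR_set_mark();` before it and `ERR_pop_to_mark();` after it instead. Either way, a short comment such as `/* <type>_min is optional; discard the lookup error */` would say why the failure is ignored. The enclosing loop starts and ends outside the hunk.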
Modified: head/crypto/openssl/apps/speed.c
==============================================================================
--- head/crypto/openssl/apps/speed.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/apps/speed.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -254,12 +254,18 @@
# endif
#endif
-#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
-# define NO_FORK 1
-#elif HAVE_FORK
+#ifndef HAVE_FORK
+# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
+# define HAVE_FORK 0
+# else
+# define HAVE_FORK 1
+# endif
+#endif
+
+#if HAVE_FORK
# undef NO_FORK
#else
-# define NO_FORK 1
+# define NO_FORK
#endif
#undef BUFSIZE
Modified: head/crypto/openssl/config
==============================================================================
--- head/crypto/openssl/config Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/config Thu Apr 1 15:19:51 2010 (r206046)
@@ -741,6 +741,10 @@ case "$GUESSOS" in
OBJECT_MODE=${OBJECT_MODE:-32}
if [ "$CC" = "gcc" ]; then
OUT="aix-gcc"
+ if [ $OBJECT_MODE -eq 64 ]; then
+ echo 'Your $OBJECT_MODE was found to be set to 64'
+ OUT="aix64-gcc"
+ fi
elif [ $OBJECT_MODE -eq 64 ]; then
echo 'Your $OBJECT_MODE was found to be set to 64'
OUT="aix64-cc"
Modified: head/crypto/openssl/crypto/asn1/a_object.c
==============================================================================
--- head/crypto/openssl/crypto/asn1/a_object.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/asn1/a_object.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -291,12 +291,12 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT
ASN1_OBJECT *ret=NULL;
const unsigned char *p;
int i;
- /* Sanity check OID encoding: can't have 0x80 in subidentifiers, see:
- * X.690 8.19.2
+ /* Sanity check OID encoding: can't have leading 0x80 in
+ * subidentifiers, see: X.690 8.19.2
*/
for (i = 0, p = *pp + 1; i < len - 1; i++, p++)
{
- if (*p == 0x80)
+ if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
{
ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
return NULL;
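Review bot: The loop still starts at `*pp + 1`, so the new `!i` test treats the second content byte as the start of a subidentifier and the first byte is never examined. As written, an encoding whose first byte is 0x80 passes the check, while a valid one whose first byte has the continuation bit set and whose second byte is 0x80 is rejected. Starting at the first byte makes the `p[-1]` test line up with subidentifier boundaries: `for (i = 0, p = *pp; i < len; i++, p++)`. The function body continues outside the hunk.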
Modified: head/crypto/openssl/crypto/bio/bss_file.c
==============================================================================
--- head/crypto/openssl/crypto/bio/bss_file.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/bio/bss_file.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -272,9 +272,9 @@ static long MS_CALLBACK file_ctrl(BIO *b
BIO_clear_flags(b,BIO_FLAGS_UPLINK);
#endif
#endif
-#ifdef UP_fsetmode
+#ifdef UP_fsetmod
if (b->flags&BIO_FLAGS_UPLINK)
- UP_fsetmode(b->ptr,num&BIO_FP_TEXT?'t':'b');
+ UP_fsetmod(b->ptr,(char)((num&BIO_FP_TEXT)?'t':'b'));
else
#endif
{
Modified: head/crypto/openssl/crypto/bn/asm/ppc.pl
==============================================================================
--- head/crypto/openssl/crypto/bn/asm/ppc.pl Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/bn/asm/ppc.pl Thu Apr 1 15:19:51 2010 (r206046)
@@ -2074,5 +2074,7 @@ EOF
$data =~ s/^(\s*)cmplw(\s+)([^,]+),(.*)/$1cmpl$2$3,0,$4/gm;
# assembler X doesn't accept li, load immediate value
#$data =~ s/^(\s*)li(\s+)([^,]+),(.*)/$1addi$2$3,0,$4/gm;
+ # assembler Y chokes on apostrophes in comments
+ $data =~ s/'//gm;
return($data);
}
Modified: head/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
==============================================================================
--- head/crypto/openssl/crypto/bn/asm/x86_64-gcc.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/bn/asm/x86_64-gcc.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -59,6 +59,7 @@
#undef mul
#undef mul_add
+#undef sqr
/*
* "m"(a), "+m"(r) is the way to favor DirectPath µ-code;
Modified: head/crypto/openssl/crypto/bn/bn_div.c
==============================================================================
--- head/crypto/openssl/crypto/bn/bn_div.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/bn/bn_div.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -337,7 +337,10 @@ X) -> 0x%08X\n",
t2 -= d1;
}
#else /* !BN_LLONG */
- BN_ULONG t2l,t2h,ql,qh;
+ BN_ULONG t2l,t2h;
+#if !defined(BN_UMULT_LOHI) && !defined(BN_UMULT_HIGH)
+ BN_ULONG ql,qh;
+#endif
q=bn_div_words(n0,n1,d0);
#ifdef BN_DEBUG_LEVITTE
@@ -561,7 +564,10 @@ X) -> 0x%08X\n",
t2 -= d1;
}
#else /* !BN_LLONG */
- BN_ULONG t2l,t2h,ql,qh;
+ BN_ULONG t2l,t2h;
+#if !defined(BN_UMULT_LOHI) && !defined(BN_UMULT_HIGH)
+ BN_ULONG ql,qh;
+#endif
q=bn_div_words(n0,n1,d0);
#ifdef BN_DEBUG_LEVITTE
Modified: head/crypto/openssl/crypto/engine/eng_all.c
==============================================================================
--- head/crypto/openssl/crypto/engine/eng_all.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/engine/eng_all.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -104,7 +104,7 @@ void ENGINE_load_builtin_engines(void)
#endif
#endif
#ifndef OPENSSL_NO_HW
-#if defined(__OpenBSD__) || defined(__FreeBSD__)
+#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)
ENGINE_load_cryptodev();
#endif
#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
Modified: head/crypto/openssl/crypto/engine/eng_cryptodev.c
==============================================================================
--- head/crypto/openssl/crypto/engine/eng_cryptodev.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/engine/eng_cryptodev.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -755,10 +755,18 @@ cryptodev_bn_mod_exp(BIGNUM *r, const BI
goto err;
kop.crk_iparams = 3;
- if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) {
+ if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL)) {
const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ printf("OCF asym process failed, Running in software\n");
+ ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
+
+ } else if (ECANCELED == kop.crk_status) {
+ const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ printf("OCF hardware operation cancelled. Running in Software\n");
ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
}
+ /* else cryptodev operation worked ok ==> ret = 1*/
+
err:
zapparams(&kop);
return (ret);
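Review bot: A request that completes with a `kop.crk_status` that is non-zero but not `ECANCELED` falls through to the "worked ok" case, so `r` is handed back without the software fallback. The DSA verify hunk in this same file treats any non-zero status as failure, and `} else if (kop.crk_status != 0) {` would make the two consistent. The added `printf()` calls also write to the application's stdout from library code, which can corrupt piped output; drop them or report through the ERR queue. Both points apply equally to the cryptodev_rsa_mod_exp hunk that follows. How `ret` is initialised is not visible here.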
@@ -801,10 +809,18 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const
goto err;
kop.crk_iparams = 6;
- if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) {
+ if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL)) {
const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ printf("OCF asym process failed, running in Software\n");
+ ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
+
+ } else if (ECANCELED == kop.crk_status) {
+ const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ printf("OCF hardware operation cancelled. Running in Software\n");
ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
}
+ /* else cryptodev operation worked ok ==> ret = 1*/
+
err:
zapparams(&kop);
return (ret);
@@ -940,7 +956,8 @@ cryptodev_dsa_verify(const unsigned char
kop.crk_iparams = 7;
if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) {
- dsaret = kop.crk_status;
+/*OCF success value is 0, if not zero, change dsaret to fail*/
+ if(0 != kop.crk_status) dsaret = 0;
} else {
const DSA_METHOD *meth = DSA_OpenSSL();
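Review bot: After this change the accept path never assigns `dsaret`, so a "signature valid" result depends entirely on the initial value set outside the hunk. If that initial value is 1, every request the device completes with status 0 is reported as a good signature. The comment should state that contract, for example `/* crk_status 0 means the signature verified; dsaret keeps its initial value */`. It is also worth confirming that the driver reports a mismatching signature through a non-zero `crk_status` rather than through another field. Setting `dsaret = 0` on a device error additionally makes a hardware failure indistinguishable from an invalid signature for callers that expect a negative return on error.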
Modified: head/crypto/openssl/crypto/evp/digest.c
==============================================================================
--- head/crypto/openssl/crypto/evp/digest.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/evp/digest.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -235,6 +235,7 @@ static int do_evp_md_engine(EVP_MD_CTX *
{
/* Same comment from evp_enc.c */
EVPerr(EVP_F_DO_EVP_MD_ENGINE,EVP_R_INITIALIZATION_ERROR);
+ ENGINE_finish(impl);
return 0;
}
/* We'll use the ENGINE's private digest definition */
Modified: head/crypto/openssl/crypto/evp/evp_locl.h
==============================================================================
--- head/crypto/openssl/crypto/evp/evp_locl.h Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/evp/evp_locl.h Thu Apr 1 15:19:51 2010 (r206046)
@@ -127,9 +127,9 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC,
#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
iv_len, cbits, flags, init_key, cleanup, \
set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, \
- (cbits + 7)/8, key_len, iv_len, \
- flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
+ key_len, iv_len, flags, init_key, cleanup, set_asn1, \
+ get_asn1, ctrl)
#define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \
iv_len, cbits, flags, init_key, cleanup, \
Modified: head/crypto/openssl/crypto/evp/names.c
==============================================================================
--- head/crypto/openssl/crypto/evp/names.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/evp/names.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -90,7 +90,7 @@ int EVP_add_digest(const EVP_MD *md)
r=OBJ_NAME_add(OBJ_nid2ln(md->type),OBJ_NAME_TYPE_MD_METH,(const char *)md);
if (r == 0) return(0);
- if (md->type != md->pkey_type)
+ if (md->pkey_type && md->type != md->pkey_type)
{
r=OBJ_NAME_add(OBJ_nid2sn(md->pkey_type),
OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS,name);
Modified: head/crypto/openssl/crypto/md32_common.h
==============================================================================
--- head/crypto/openssl/crypto/md32_common.h Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/md32_common.h Thu Apr 1 15:19:51 2010 (r206046)
@@ -241,11 +241,11 @@
#ifndef PEDANTIC
# if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
# if defined(__s390x__)
-# define HOST_c2l(c,l) ({ asm ("lrv %0,0(%1)" \
- :"=r"(l) : "r"(c)); \
+# define HOST_c2l(c,l) ({ asm ("lrv %0,%1" \
+ :"=d"(l) :"m"(*(const unsigned int *)(c));\
(c)+=4; (l); })
-# define HOST_l2c(l,c) ({ asm ("strv %0,0(%1)" \
- : : "r"(l),"r"(c) : "memory"); \
+# define HOST_l2c(l,c) ({ asm ("strv %1,%0" \
+ :"=m"(*(unsigned int *)(c)) :"d"(l));\
(c)+=4; (l); })
# endif
# endif
Modified: head/crypto/openssl/crypto/ocsp/ocsp_prn.c
==============================================================================
--- head/crypto/openssl/crypto/ocsp/ocsp_prn.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/ocsp/ocsp_prn.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -275,6 +275,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RE
}
if (!X509V3_extensions_print(bp, "Response Extensions",
rd->responseExtensions, flags, 4))
+ goto err;
if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
goto err;
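Review bot: The missing `goto err;` went unnoticed because the unbraced `if` on X509V3_extensions_print() silently took the following `if` statement as its body. Putting braces around the bodies of both checks here would turn a dropped statement into something a compiler or reviewer catches at once. The rest of OCSP_RESPONSE_print is outside the hunk, so any other unbraced checks of this form would need the same look.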
Modified: head/crypto/openssl/crypto/opensslv.h
==============================================================================
--- head/crypto/openssl/crypto/opensslv.h Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/opensslv.h Thu Apr 1 15:19:51 2010 (r206046)
@@ -25,11 +25,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x009080dfL
+#define OPENSSL_VERSION_NUMBER 0x009080efL
#ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8m-fips 25 Feb 2010"
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8n-fips 24 Mar 2010"
#else
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8m 25 Feb 2010"
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8n 24 Mar 2010"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
Modified: head/crypto/openssl/crypto/rand/rand_win.c
==============================================================================
--- head/crypto/openssl/crypto/rand/rand_win.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/crypto/rand/rand_win.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -750,7 +750,7 @@ static void readscreen(void)
int y; /* y-coordinate of screen lines to grab */
int n = 16; /* number of screen lines to grab at a time */
- if (GetVersion() >= 0x80000000 || !OPENSSL_isservice())
+ if (GetVersion() < 0x80000000 && OPENSSL_isservice()>0)
return;
/* Create a screen DC and a memory DC compatible to screen DC */
Modified: head/crypto/openssl/engines/e_capi.c
==============================================================================
--- head/crypto/openssl/engines/e_capi.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/engines/e_capi.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -83,6 +83,10 @@
#define CERT_STORE_CREATE_NEW_FLAG 0x00002000
#endif
+#ifndef CERT_SYSTEM_STORE_CURRENT_USER
+#define CERT_SYSTEM_STORE_CURRENT_USER 0x00010000
+#endif
+
#include <openssl/engine.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
Modified: head/crypto/openssl/engines/e_chil.c
==============================================================================
--- head/crypto/openssl/engines/e_chil.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/engines/e_chil.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -1204,6 +1204,11 @@ static int hwcrhk_get_pass(const char *p
pem_password_cb *callback = NULL;
void *callback_data = NULL;
UI_METHOD *ui_method = NULL;
+ /* Despite what the documentation says prompt_info can be
+ * an empty string.
+ */
+ if (prompt_info && !*prompt_info)
+ prompt_info = NULL;
if (cactx)
{
@@ -1305,8 +1310,10 @@ static int hwcrhk_insert_card(const char
{
char answer;
char buf[BUFSIZ];
-
- if (wrong_info)
+ /* Despite what the documentation says wrong_info can be
+ * an empty string.
+ */
+ if (wrong_info && *wrong_info)
BIO_snprintf(buf, sizeof(buf)-1,
"Current card: \"%s\"\n", wrong_info);
ok = UI_dup_info_string(ui, buf);
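Review bot: When `wrong_info` is NULL or, after this change, an empty string, the `BIO_snprintf()` call is skipped and `buf` reaches `UI_dup_info_string()` uninitialised, as far as the hunk shows. Adding `else buf[0] = '\0';` after the `BIO_snprintf()` statement keeps stale stack contents out of the prompt text. The function body continues outside the hunk.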
Modified: head/crypto/openssl/fips/Makefile
==============================================================================
--- head/crypto/openssl/fips/Makefile Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/fips/Makefile Thu Apr 1 15:19:51 2010 (r206046)
@@ -123,7 +123,7 @@ fips_premain_dso$(EXE_EXT): fips_premain
$(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS)
# this is executed only when linking with external fipscanister.o
fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c
- if [ -z $(HOSTCC) ] ; then \
+ if [ -z "$(HOSTCC)" ] ; then \
$(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o $(EX_LIBS) ; \
else \
$(HOSTCC) $(HOSTCFLAGS) -o $ $@ -I../include -I../crypto sha/fips_standalone_sha1.c ../crypto/sha/sha1dgst.c ; \
Modified: head/crypto/openssl/openssl.spec
==============================================================================
--- head/crypto/openssl/openssl.spec Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/openssl.spec Thu Apr 1 15:19:51 2010 (r206046)
@@ -2,7 +2,7 @@
%define libmaj 0
%define libmin 9
%define librel 8
-%define librev m
+%define librev n
Release: 1
%define openssldir /var/ssl
Modified: head/crypto/openssl/ssl/kssl.c
==============================================================================
--- head/crypto/openssl/ssl/kssl.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/ssl/kssl.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -1802,6 +1802,9 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx)
kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC,
KRB5_NT_SRV_HST, &princ);
+ if (krb5rc)
+ goto exit;
+
krb5rc = krb5_kt_get_entry(krb5context, krb5keytab,
princ,
0 /* IGNORE_VNO */,
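Review bot: The added `if (krb5rc) goto exit;` carries no comment saying what it protects against, although it appears to be the fix for the CVE-2010-0433 entry in CHANGES. A line such as `/* princ is not usable if krb5_sname_to_principal() failed; skip the keytab lookup */` would make the intent clear to the next reader. The `exit` label is outside the hunk, so it is worth confirming that its cleanup copes with `princ` never having been filled in.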
Modified: head/crypto/openssl/ssl/s3_pkt.c
==============================================================================
--- head/crypto/openssl/ssl/s3_pkt.c Thu Apr 1 15:17:52 2010 (r206045)
+++ head/crypto/openssl/ssl/s3_pkt.c Thu Apr 1 15:19:51 2010 (r206046)
@@ -291,9 +291,9 @@ again:
if (version != s->version)
{
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
- /* Send back error using their
- * version number :-) */
- s->version=version;
+ if ((s->version & 0xFF00) == (version & 0xFF00))
+ /* Send back error using their minor version number :-) */
+ s->version = (unsigned short)version;
al=SSL_AD_PROTOCOL_VERSION;
goto f_err;
}
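Review bot: The new `if` has no braces and a comment sits between the condition and its single statement, so `al=SSL_AD_PROTOCOL_VERSION;` on the next line reads as if it were part of the guarded body. Bracing the assignment makes the scope explicit: `if ((s->version & 0xFF00) == (version & 0xFF00)) { s->version = (unsigned short)version; }`. The comment could also record why the major version must stay untouched, for instance `/* never adopt the peer's major version here: see CVE-2010-0740 */`, since the CHANGES entry in this commit ties that to a read at NULL. The function body starts and ends outside the hunk.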