OpenSSL 1.0.0f: import upstream source

35 files changed, 432 insertions, 149 deletions

diff --git a/src/lib/libcrypto/rand/rand_unix.c b/src/lib/libcrypto/rand/rand_unix.c
index e9ead3a529..e3a65571c8 100644
--- a/src/lib/libcrypto/rand/rand_unix.c
+++ b/src/lib/libcrypto/rand/rand_unix.c
@@ -133,47 +133,87 @@
 # define FD_SETSIZE (8*sizeof(fd_set))
 #endif
 
-#ifdef __VOS__
+#if defined(OPENSSL_SYS_VOS)
+
+/* The following algorithm repeatedly samples the real-time clock
+   (RTC) to generate a sequence of unpredictable data.  The algorithm
+   relies upon the uneven execution speed of the code (due to factors
+   such as cache misses, interrupts, bus activity, and scheduling) and
+   upon the rather large relative difference between the speed of the
+   clock and the rate at which it can be read.
+
+   If this code is ported to an environment where execution speed is
+   more constant or where the RTC ticks at a much slower rate, or the
+   clock can be read with fewer instructions, it is likely that the
+   results would be far more predictable.
+
+   As a precaution, we generate 4 times the minimum required amount of
+   seed data.  */
+
 int RAND_poll(void)
 {
-        unsigned char buf[ENTROPY_NEEDED];
+        short int code;
+        gid_t curr_gid;
         pid_t curr_pid;
         uid_t curr_uid;
-        static int first=1;
-        int i;
-        long rnd = 0;
+        int i, k;
         struct timespec ts;
-        unsigned seed;
-
-/* The VOS random() function starts from a static seed so its
-   initial value is predictable.  If random() returns the
-   initial value, reseed it with dynamic data.  The VOS
-   real-time clock has a granularity of 1 nsec so it should be
-   reasonably difficult to predict its exact value.  Do not
-   gratuitously reseed the PRNG because other code in this
-   process or thread may be using it.  */
-
-        if (first) {
-                first = 0;
-                rnd = random ();
-                if (rnd == 1804289383) {
-                        clock_gettime (CLOCK_REALTIME, &ts);
-                        curr_pid = getpid();
-                        curr_uid = getuid();
-                        seed = ts.tv_sec ^ ts.tv_nsec ^ curr_pid ^ curr_uid;
-                        srandom (seed);
-                }
-        }
+        unsigned char v;
 
-        for (i = 0; i < sizeof(buf); i++) {
-                if (i % 4 == 0)
-                        rnd = random();
-                buf[i] = rnd;
-                rnd >>= 8;
-        }
-        RAND_add(buf, sizeof(buf), ENTROPY_NEEDED);
-        memset(buf, 0, sizeof(buf));
+#ifdef OPENSSL_SYS_VOS_HPPA
+        long duration;
+        extern void s$sleep (long *_duration, short int *_code);
+#else
+#ifdef OPENSSL_SYS_VOS_IA32
+        long long duration;
+        extern void s$sleep2 (long long *_duration, short int *_code);
+#else
+#error "Unsupported Platform."
+#endif /* OPENSSL_SYS_VOS_IA32 */
+#endif /* OPENSSL_SYS_VOS_HPPA */
+
+        /* Seed with the gid, pid, and uid, to ensure *some*
+           variation between different processes.  */
+
+        curr_gid = getgid();
+        RAND_add (&curr_gid, sizeof curr_gid, 1);
+        curr_gid = 0;
+
+        curr_pid = getpid();
+        RAND_add (&curr_pid, sizeof curr_pid, 1);
+        curr_pid = 0;
+
+        curr_uid = getuid();
+        RAND_add (&curr_uid, sizeof curr_uid, 1);
+        curr_uid = 0;
 
+        for (i=0; i<(ENTROPY_NEEDED*4); i++)
+        {
+                /* burn some cpu; hope for interrupts, cache
+                   collisions, bus interference, etc.  */
+                for (k=0; k<99; k++)
+                        ts.tv_nsec = random ();
+
+#ifdef OPENSSL_SYS_VOS_HPPA
+                /* sleep for 1/1024 of a second (976 us).  */
+                duration = 1;
+                s$sleep (&duration, &code);
+#else
+#ifdef OPENSSL_SYS_VOS_IA32
+                /* sleep for 1/65536 of a second (15 us).  */
+                duration = 1;
+                s$sleep2 (&duration, &code);
+#endif /* OPENSSL_SYS_VOS_IA32 */
+#endif /* OPENSSL_SYS_VOS_HPPA */
+
+                /* get wall clock time.  */
+                clock_gettime (CLOCK_REALTIME, &ts);
+
+                /* take 8 bits */
+                v = (unsigned char) (ts.tv_nsec % 256);
+                RAND_add (&v, sizeof v, 1);
+                v = 0;
+        }
         return 1;
 }
 #elif defined __OpenBSD__
diff --git a/src/lib/libssl/src/CHANGES b/src/lib/libssl/src/CHANGES
index a0de5abb60..03e744a049 100644
--- a/src/lib/libssl/src/CHANGES
+++ b/src/lib/libssl/src/CHANGES
@@ -2,6 +2,63 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.0e and 1.0.0f [4 Jan 2012]
+
+  *) Nadhem Alfardan and Kenny Paterson have discovered an extension
+     of the Vaudenay padding oracle attack on CBC mode encryption
+     which enables an efficient plaintext recovery attack against
+     the OpenSSL implementation of DTLS. Their attack exploits timing
+     differences arising during decryption processing. A research
+     paper describing this attack can be found at:
+                  http://www.isg.rhul.ac.uk/~kp/dtls.pdf
+     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
+     Security Group at Royal Holloway, University of London
+     (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
+     <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
+     for preparing the fix. (CVE-2011-4108)
+     [Robin Seggelmann, Michael Tuexen]
+
+  *) Clear bytes used for block padding of SSL 3.0 records.
+     (CVE-2011-4576)
+     [Adam Langley (Google)]
+
+  *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
+     [Adam Langley (Google)]
+
+  *) Check parameters are not NULL in GOST ENGINE. (CVE-2012-0027)
+     [Andrey Kulikov <amdeich@gmail.com>]
+
+  *) Prevent malformed RFC3779 data triggering an assertion failure.
+     Thanks to Andrew Chi, BBN Technologies, for discovering the flaw
+     and Rob Austein <sra@hactrn.net> for fixing it. (CVE-2011-4577)
+     [Rob Austein <sra@hactrn.net>]
+
+  *) Improved PRNG seeding for VOS.
+     [Paul Green <Paul.Green@stratus.com>]
+
+  *) Fix ssl_ciph.c set-up race.
+     [Adam Langley (Google)]
+
+  *) Fix spurious failures in ecdsatest.c.
+     [Emilia Käsper (Google)]
+
+  *) Fix the BIO_f_buffer() implementation (which was mixing different
+     interpretations of the '..._len' fields).
+     [Adam Langley (Google)]
+
+  *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
+     BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
+     threads won't reuse the same blinding coefficients.
+
+     This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
+     lock to call BN_BLINDING_invert_ex, and avoids one use of
+     BN_BLINDING_update for each BN_BLINDING structure (previously,
+     the last update always remained unused).
+     [Emilia Käsper (Google)]
+
+  *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
+     [Bob Buckholz (Google)]
+
  Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
 
   *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
@@ -909,6 +966,26 @@
   
  Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]
 
+  *) Fix ssl_ciph.c set-up race.
+     [Adam Langley (Google)]
+
+  *) Fix spurious failures in ecdsatest.c.
+     [Emilia Käsper (Google)]
+
+  *) Fix the BIO_f_buffer() implementation (which was mixing different
+     interpretations of the '..._len' fields).
+     [Adam Langley (Google)]
+
+  *) Fix handling of BN_BLINDING: now BN_BLINDING_invert_ex (rather than
+     BN_BLINDING_invert_ex) calls BN_BLINDING_update, ensuring that concurrent
+     threads won't reuse the same blinding coefficients.
+
+     This also avoids the need to obtain the CRYPTO_LOCK_RSA_BLINDING
+     lock to call BN_BLINDING_invert_ex, and avoids one use of
+     BN_BLINDING_update for each BN_BLINDING structure (previously,
+     the last update always remained unused).
+     [Emilia Käsper (Google)]
+
   *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
      for multi-threaded use of ECDH.
      [Adam Langley (Google)]
diff --git a/src/lib/libssl/src/Configure b/src/lib/libssl/src/Configure
index 429ab2e5eb..7941c93f64 100644
--- a/src/lib/libssl/src/Configure
+++ b/src/lib/libssl/src/Configure
@@ -196,8 +196,8 @@ my %table=(
 "cc",           "cc:-O::(unknown)::::::",
 
 ####VOS Configurations
-"vos-gcc","gcc:-O3 -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
-"debug-vos-gcc","gcc:-O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
+"vos-gcc","gcc:-O3 -Wall -DOPENSSL_SYSNAME_VOS -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
+"debug-vos-gcc","gcc:-O0 -g -Wall -DOPENSSL_SYSNAME_VOS -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
 
 #### Solaris x86 with GNU C setups
 # -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it
@@ -553,7 +553,7 @@ my %table=(
 "darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 "debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 
 ##### A/UX
diff --git a/src/lib/libssl/src/FAQ b/src/lib/libssl/src/FAQ
index fe54856a62..3b07cd363d 100644
--- a/src/lib/libssl/src/FAQ
+++ b/src/lib/libssl/src/FAQ
@@ -82,7 +82,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.0e was released on Sep 6th, 2011.
+OpenSSL 1.0.0f was released on Jan 4th, 2012.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
diff --git a/src/lib/libssl/src/Makefile b/src/lib/libssl/src/Makefile
index 445e15d671..8fe888587e 100644
--- a/src/lib/libssl/src/Makefile
+++ b/src/lib/libssl/src/Makefile
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.0e
+VERSION=1.0.0f
 MAJOR=1
 MINOR=0.0
 SHLIB_VERSION_NUMBER=1.0.0
diff --git a/src/lib/libssl/src/NEWS b/src/lib/libssl/src/NEWS
index 672810dcc7..1fb25c626c 100644
--- a/src/lib/libssl/src/NEWS
+++ b/src/lib/libssl/src/NEWS
@@ -5,6 +5,14 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f:
+
+      o Fix for DTLS plaintext recovery attack CVE-2011-4108
+      o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
+      o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
+      o Check parameters are not NULL in GOST ENGINE CVE-2012-0027
+      o Check for malformed RFC3779 data CVE-2011-4577
+
   Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e:
 
       o Fix for CRL vulnerability issue CVE-2011-3207
diff --git a/src/lib/libssl/src/README b/src/lib/libssl/src/README
index 898437989a..50d54d5706 100644
--- a/src/lib/libssl/src/README
+++ b/src/lib/libssl/src/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.0e 6 Sep 2011
+ OpenSSL 1.0.0f 4 Jan 2012
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/src/lib/libssl/src/VMS/mkshared.com b/src/lib/libssl/src/VMS/mkshared.com
index 794e1de62a..b0d1fdaac3 100644
--- a/src/lib/libssl/src/VMS/mkshared.com
+++ b/src/lib/libssl/src/VMS/mkshared.com
@@ -6,6 +6,7 @@ $! P2: Zlib object library path (optional).
 $!
 $! Input:       [.UTIL]LIBEAY.NUM,[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO[32].OLB
 $!              [.UTIL]SSLEAY.NUM,[.xxx.EXE.SSL]SSL_LIBSSL[32].OLB
+$!              [.CRYPTO.xxx]OPENSSLCONF.H
 $! Output:      [.xxx.EXE.CRYPTO]SSL_LIBCRYPTO_SHR[32].OPT,.MAP,.EXE
 $!              [.xxx.EXE.SSL]SSL_LIBSSL_SRH[32].OPT,.MAP,.EXE
 $!
@@ -70,6 +71,9 @@ $     endif
 $   endif
 $ endif
 $!
+$! ----- Prepare info for processing: disabled algorithms info
+$ gosub read_disabled_algorithms_info
+$!
 $ ZLIB = p2
 $ zlib_lib = ""
 $ if (ZLIB .nes. "")
@@ -384,8 +388,7 @@ $	alg_i = alg_i + 1
 $       if alg_entry .eqs. "" then goto loop2
 $       if alg_entry .nes. ","
 $       then
-$         if alg_entry .eqs. "KRB5" then goto loop ! Special for now
-$         if alg_entry .eqs. "STATIC_ENGINE" then goto loop ! Special for now
+$         if disabled_algorithms - ("," + alg_entry + ",") .nes disabled_algorithms then goto loop
 $         if f$trnlnm("OPENSSL_NO_"+alg_entry) .nes. "" then goto loop
 $         goto loop2
 $       endif
@@ -452,3 +455,22 @@ $     endif
 $   endloop_rvi:
 $   close vf
 $   return
+$
+$! The disabled algorithms reader
+$ read_disabled_algorithms_info:
+$   disabled_algorithms = ","
+$   open /read cf [.CRYPTO.'ARCH']OPENSSLCONF.H
+$   loop_rci:
+$     read/err=endloop_rci/end=endloop_rci cf rci_line
+$     rci_line = f$edit(rci_line,"TRIM,COMPRESS")
+$     rci_ei = 0
+$     if f$extract(0,9,rci_line) .eqs. "# define " then rci_ei = 2
+$     if f$extract(0,8,rci_line) .eqs. "#define " then rci_ei = 1
+$     if rci_ei .eq. 0 then goto loop_rci
+$     rci_e = f$element(rci_ei," ",rci_line)
+$     if f$extract(0,11,rci_e) .nes. "OPENSSL_NO_" then goto loop_rci
+$     disabled_algorithms = disabled_algorithms + f$extract(11,999,rci_e) + ","
+$     goto loop_rci
+$   endloop_rci:
+$   close cf
+$   return
diff --git a/src/lib/libssl/src/apps/openssl-vms.cnf b/src/lib/libssl/src/apps/openssl-vms.cnf
index 20ed61bc3e..45e46a0fb4 100644
--- a/src/lib/libssl/src/apps/openssl-vms.cnf
+++ b/src/lib/libssl/src/apps/openssl-vms.cnf
@@ -145,7 +145,7 @@ localityName			= Locality Name (eg, city)
 organizationalUnitName          = Organizational Unit Name (eg, section)
 #organizationalUnitName_default =
 
-commonName                      = Common Name (eg, YOUR name)
+commonName                      = Common Name (e.g. server FQDN or YOUR name)
 commonName_max                  = 64
 
 emailAddress                    = Email Address
diff --git a/src/lib/libssl/src/apps/openssl.cnf b/src/lib/libssl/src/apps/openssl.cnf
index 9d2cd5bfa5..18760c6e67 100644
--- a/src/lib/libssl/src/apps/openssl.cnf
+++ b/src/lib/libssl/src/apps/openssl.cnf
@@ -145,7 +145,7 @@ localityName			= Locality Name (eg, city)
 organizationalUnitName          = Organizational Unit Name (eg, section)
 #organizationalUnitName_default =
 
-commonName                      = Common Name (eg, YOUR name)
+commonName                      = Common Name (e.g. server FQDN or YOUR name)
 commonName_max                  = 64
 
 emailAddress                    = Email Address
diff --git a/src/lib/libssl/src/apps/x509.c b/src/lib/libssl/src/apps/x509.c
index ed1e8c69ad..9f5eaeb6be 100644
--- a/src/lib/libssl/src/apps/x509.c
+++ b/src/lib/libssl/src/apps/x509.c
@@ -987,7 +987,7 @@ bad:
                                 else
                                         {
                                         pk=load_key(bio_err,
-                                                keyfile, FORMAT_PEM, 0,
+                                                keyfile, keyformat, 0,
                                                 passin, e, "request key");
                                         if (pk == NULL) goto end;
                                         }
diff --git a/src/lib/libssl/src/crypto/bio/bf_buff.c b/src/lib/libssl/src/crypto/bio/bf_buff.c
index c1fd75aaad..4b5a132d8a 100644
--- a/src/lib/libssl/src/crypto/bio/bf_buff.c
+++ b/src/lib/libssl/src/crypto/bio/bf_buff.c
@@ -209,7 +209,7 @@ start:
         /* add to buffer and return */
         if (i >= inl)
                 {
-                memcpy(&(ctx->obuf[ctx->obuf_len]),in,inl);
+                memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,inl);
                 ctx->obuf_len+=inl;
                 return(num+inl);
                 }
@@ -219,7 +219,7 @@ start:
                 {
                 if (i > 0) /* lets fill it up if we can */
                         {
-                        memcpy(&(ctx->obuf[ctx->obuf_len]),in,i);
+                        memcpy(&(ctx->obuf[ctx->obuf_off+ctx->obuf_len]),in,i);
                         in+=i;
                         inl-=i;
                         num+=i;
@@ -294,9 +294,9 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
         case BIO_C_GET_BUFF_NUM_LINES:
                 ret=0;
                 p1=ctx->ibuf;
-                for (i=ctx->ibuf_off; i<ctx->ibuf_len; i++)
+                for (i=0; i<ctx->ibuf_len; i++)
                         {
-                        if (p1[i] == '\n') ret++;
+                        if (p1[ctx->ibuf_off + i] == '\n') ret++;
                         }
                 break;
         case BIO_CTRL_WPENDING:
@@ -399,17 +399,18 @@ static long buffer_ctrl(BIO *b, int cmd, long num, void *ptr)
                 for (;;)
                         {
                         BIO_clear_retry_flags(b);
-                        if (ctx->obuf_len > ctx->obuf_off)
+                        if (ctx->obuf_len > 0)
                                 {
                                 r=BIO_write(b->next_bio,
                                         &(ctx->obuf[ctx->obuf_off]),
-                                        ctx->obuf_len-ctx->obuf_off);
+                                        ctx->obuf_len);
 #if 0
-fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len-ctx->obuf_off,r);
+fprintf(stderr,"FLUSH [%3d] %3d -> %3d\n",ctx->obuf_off,ctx->obuf_len,r);
 #endif
                                 BIO_copy_next_retry(b);
                                 if (r <= 0) return((long)r);
                                 ctx->obuf_off+=r;
+                                ctx->obuf_len-=r;
                                 }
                         else
                                 {
diff --git a/src/lib/libssl/src/crypto/bio/bio.h b/src/lib/libssl/src/crypto/bio/bio.h
index 152802fbdf..ab47abcf14 100644
--- a/src/lib/libssl/src/crypto/bio/bio.h
+++ b/src/lib/libssl/src/crypto/bio/bio.h
@@ -306,6 +306,15 @@ DECLARE_STACK_OF(BIO)
 
 typedef struct bio_f_buffer_ctx_struct
         {
+        /* Buffers are setup like this:
+         *
+         * <---------------------- size ----------------------->
+         * +---------------------------------------------------+
+         * | consumed | remaining          | free space        |
+         * +---------------------------------------------------+
+         * <-- off --><------- len ------->
+         */
+
         /* BIO *bio; */ /* this is now in the BIO struct */
         int ibuf_size;  /* how big is the input buffer */
         int obuf_size;  /* how big is the output buffer */
diff --git a/src/lib/libssl/src/crypto/bn/asm/ppc.pl b/src/lib/libssl/src/crypto/bn/asm/ppc.pl
index 37c65d3511..f4093177e6 100644
--- a/src/lib/libssl/src/crypto/bn/asm/ppc.pl
+++ b/src/lib/libssl/src/crypto/bn/asm/ppc.pl
@@ -949,7 +949,7 @@ $data=<<EOF;
         addze   r11,r0
                                         #mul_add_c(a[3],b[2],c3,c1,c2);
         $LD     r6,`3*$BNSZ`(r4)
-        $LD     r7,`2*$BNSZ`(r4)
+        $LD     r7,`2*$BNSZ`(r5)
         $UMULL  r8,r6,r7
         $UMULH  r9,r6,r7
         addc    r12,r8,r12
diff --git a/src/lib/libssl/src/crypto/bn/bn_blind.c b/src/lib/libssl/src/crypto/bn/bn_blind.c
index e060592fdc..9ed8bc2b40 100644
--- a/src/lib/libssl/src/crypto/bn/bn_blind.c
+++ b/src/lib/libssl/src/crypto/bn/bn_blind.c
@@ -126,7 +126,7 @@ struct bn_blinding_st
                                   * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
 #endif
         CRYPTO_THREADID tid;
-        unsigned int  counter;
+        int counter;
         unsigned long flags;
         BN_MONT_CTX *m_ctx;
         int (*bn_mod_exp)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
@@ -160,7 +160,10 @@ BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod)
         if (BN_get_flags(mod, BN_FLG_CONSTTIME) != 0)
                 BN_set_flags(ret->mod, BN_FLG_CONSTTIME);
 
-        ret->counter = BN_BLINDING_COUNTER;
+        /* Set the counter to the special value -1
+         * to indicate that this is never-used fresh blinding
+         * that does not need updating before first use. */
+        ret->counter = -1;
         CRYPTO_THREADID_current(&ret->tid);
         return(ret);
 err:
@@ -190,7 +193,10 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
                 goto err;
                 }
 
-        if (--(b->counter) == 0 && b->e != NULL &&
+        if (b->counter == -1)
+                b->counter = 0;
+
+        if (++b->counter == BN_BLINDING_COUNTER && b->e != NULL &&
                 !(b->flags & BN_BLINDING_NO_RECREATE))
                 {
                 /* re-create blinding parameters */
@@ -205,8 +211,8 @@ int BN_BLINDING_update(BN_BLINDING *b, BN_CTX *ctx)
 
         ret=1;
 err:
-        if (b->counter == 0)
-                b->counter = BN_BLINDING_COUNTER;
+        if (b->counter == BN_BLINDING_COUNTER)
+                b->counter = 0;
         return(ret);
         }
 
@@ -227,6 +233,12 @@ int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx)
                 return(0);
                 }
 
+        if (b->counter == -1)
+                /* Fresh blinding, doesn't need updating. */
+                b->counter = 0;
+        else if (!BN_BLINDING_update(b,ctx))
+                return(0);
+
         if (r != NULL)
                 {
                 if (!BN_copy(r, b->Ai)) ret=0;
@@ -247,22 +259,19 @@ int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ct
         int ret;
 
         bn_check_top(n);
-        if ((b->A == NULL) || (b->Ai == NULL))
-                {
-                BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
-                return(0);
-                }
 
         if (r != NULL)
                 ret = BN_mod_mul(n, n, r, b->mod, ctx);
         else
-                ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
-
-        if (ret >= 0)
                 {
-                if (!BN_BLINDING_update(b,ctx))
+                if (b->Ai == NULL)
+                        {
+                        BNerr(BN_F_BN_BLINDING_INVERT_EX,BN_R_NOT_INITIALIZED);
                         return(0);
+                        }
+                ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx);
                 }
+
         bn_check_top(n);
         return(ret);
         }
diff --git a/src/lib/libssl/src/crypto/opensslv.h b/src/lib/libssl/src/crypto/opensslv.h
index 310a3387be..d6d61a0c7d 100644
--- a/src/lib/libssl/src/crypto/opensslv.h
+++ b/src/lib/libssl/src/crypto/opensslv.h
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER  0x1000005fL
+#define OPENSSL_VERSION_NUMBER  0x1000006fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.0e-fips 6 Sep 2011"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.0f-fips 4 Jan 2012"
 #else
-#define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.0e 6 Sep 2011"
+#define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.0f 4 Jan 2012"
 #endif
 #define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/src/lib/libssl/src/crypto/rand/rand_unix.c b/src/lib/libssl/src/crypto/rand/rand_unix.c
index e9ead3a529..e3a65571c8 100644
--- a/src/lib/libssl/src/crypto/rand/rand_unix.c
+++ b/src/lib/libssl/src/crypto/rand/rand_unix.c
@@ -133,47 +133,87 @@
 # define FD_SETSIZE (8*sizeof(fd_set))
 #endif
 
-#ifdef __VOS__
+#if defined(OPENSSL_SYS_VOS)
+
+/* The following algorithm repeatedly samples the real-time clock
+   (RTC) to generate a sequence of unpredictable data.  The algorithm
+   relies upon the uneven execution speed of the code (due to factors
+   such as cache misses, interrupts, bus activity, and scheduling) and
+   upon the rather large relative difference between the speed of the
+   clock and the rate at which it can be read.
+
+   If this code is ported to an environment where execution speed is
+   more constant or where the RTC ticks at a much slower rate, or the
+   clock can be read with fewer instructions, it is likely that the
+   results would be far more predictable.
+
+   As a precaution, we generate 4 times the minimum required amount of
+   seed data.  */
+
 int RAND_poll(void)
 {
-        unsigned char buf[ENTROPY_NEEDED];
+        short int code;
+        gid_t curr_gid;
         pid_t curr_pid;
         uid_t curr_uid;
-        static int first=1;
-        int i;
-        long rnd = 0;
+        int i, k;
         struct timespec ts;
-        unsigned seed;
-
-/* The VOS random() function starts from a static seed so its
-   initial value is predictable.  If random() returns the
-   initial value, reseed it with dynamic data.  The VOS
-   real-time clock has a granularity of 1 nsec so it should be
-   reasonably difficult to predict its exact value.  Do not
-   gratuitously reseed the PRNG because other code in this
-   process or thread may be using it.  */
-
-        if (first) {
-                first = 0;
-                rnd = random ();
-                if (rnd == 1804289383) {
-                        clock_gettime (CLOCK_REALTIME, &ts);
-                        curr_pid = getpid();
-                        curr_uid = getuid();
-                        seed = ts.tv_sec ^ ts.tv_nsec ^ curr_pid ^ curr_uid;
-                        srandom (seed);
-                }
-        }
+        unsigned char v;
 
-        for (i = 0; i < sizeof(buf); i++) {
-                if (i % 4 == 0)
-                        rnd = random();
-                buf[i] = rnd;
-                rnd >>= 8;
-        }
-        RAND_add(buf, sizeof(buf), ENTROPY_NEEDED);
-        memset(buf, 0, sizeof(buf));
+#ifdef OPENSSL_SYS_VOS_HPPA
+        long duration;
+        extern void s$sleep (long *_duration, short int *_code);
+#else
+#ifdef OPENSSL_SYS_VOS_IA32
+        long long duration;
+        extern void s$sleep2 (long long *_duration, short int *_code);
+#else
+#error "Unsupported Platform."
+#endif /* OPENSSL_SYS_VOS_IA32 */
+#endif /* OPENSSL_SYS_VOS_HPPA */
+
+        /* Seed with the gid, pid, and uid, to ensure *some*
+           variation between different processes.  */
+
+        curr_gid = getgid();
+        RAND_add (&curr_gid, sizeof curr_gid, 1);
+        curr_gid = 0;
+
+        curr_pid = getpid();
+        RAND_add (&curr_pid, sizeof curr_pid, 1);
+        curr_pid = 0;
+
+        curr_uid = getuid();
+        RAND_add (&curr_uid, sizeof curr_uid, 1);
+        curr_uid = 0;
 
+        for (i=0; i<(ENTROPY_NEEDED*4); i++)
+        {
+                /* burn some cpu; hope for interrupts, cache
+                   collisions, bus interference, etc.  */
+                for (k=0; k<99; k++)
+                        ts.tv_nsec = random ();
+
+#ifdef OPENSSL_SYS_VOS_HPPA
+                /* sleep for 1/1024 of a second (976 us).  */
+                duration = 1;
+                s$sleep (&duration, &code);
+#else
+#ifdef OPENSSL_SYS_VOS_IA32
+                /* sleep for 1/65536 of a second (15 us).  */
+                duration = 1;
+                s$sleep2 (&duration, &code);
+#endif /* OPENSSL_SYS_VOS_IA32 */
+#endif /* OPENSSL_SYS_VOS_HPPA */
+
+                /* get wall clock time.  */
+                clock_gettime (CLOCK_REALTIME, &ts);
+
+                /* take 8 bits */
+                v = (unsigned char) (ts.tv_nsec % 256);
+                RAND_add (&v, sizeof v, 1);
+                v = 0;
+        }
         return 1;
 }
 #elif defined __OpenBSD__
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_eay.c b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
index 7c941885f0..2e1ddd48d3 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_eay.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_eay.c
@@ -314,51 +314,56 @@ static BN_BLINDING *rsa_get_blinding(RSA *rsa, int *local, BN_CTX *ctx)
         return ret;
 }
 
-static int rsa_blinding_convert(BN_BLINDING *b, int local, BIGNUM *f,
-        BIGNUM *r, BN_CTX *ctx)
-{
-        if (local)
+static int rsa_blinding_convert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
+        BN_CTX *ctx)
+        {
+        if (unblind == NULL)
+                /* Local blinding: store the unblinding factor
+                 * in BN_BLINDING. */
                 return BN_BLINDING_convert_ex(f, NULL, b, ctx);
         else
                 {
-                int ret;
-                CRYPTO_r_lock(CRYPTO_LOCK_RSA_BLINDING);
-                ret = BN_BLINDING_convert_ex(f, r, b, ctx);
-                CRYPTO_r_unlock(CRYPTO_LOCK_RSA_BLINDING);
-                return ret;
-                }
-}
-
-static int rsa_blinding_invert(BN_BLINDING *b, int local, BIGNUM *f,
-        BIGNUM *r, BN_CTX *ctx)
-{
-        if (local)
-                return BN_BLINDING_invert_ex(f, NULL, b, ctx);
-        else
-                {
+                /* Shared blinding: store the unblinding factor
+                 * outside BN_BLINDING. */
                 int ret;
                 CRYPTO_w_lock(CRYPTO_LOCK_RSA_BLINDING);
-                ret = BN_BLINDING_invert_ex(f, r, b, ctx);
+                ret = BN_BLINDING_convert_ex(f, unblind, b, ctx);
                 CRYPTO_w_unlock(CRYPTO_LOCK_RSA_BLINDING);
                 return ret;
                 }
-}
+        }
+
+static int rsa_blinding_invert(BN_BLINDING *b, BIGNUM *f, BIGNUM *unblind,
+        BN_CTX *ctx)
+        {
+        /* For local blinding, unblind is set to NULL, and BN_BLINDING_invert_ex
+         * will use the unblinding factor stored in BN_BLINDING.
+         * If BN_BLINDING is shared between threads, unblind must be non-null:
+         * BN_BLINDING_invert_ex will then use the local unblinding factor,
+         * and will only read the modulus from BN_BLINDING.
+         * In both cases it's safe to access the blinding without a lock.
+         */
+        return BN_BLINDING_invert_ex(f, unblind, b, ctx);
+        }
 
 /* signing */
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
-        BIGNUM *f, *ret, *br, *res;
+        BIGNUM *f, *ret, *res;
         int i,j,k,num=0,r= -1;
         unsigned char *buf=NULL;
         BN_CTX *ctx=NULL;
         int local_blinding = 0;
+        /* Used only if the blinding structure is shared. A non-NULL unblind
+         * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
+         * the unblinding factor outside the blinding structure. */
+        BIGNUM *unblind = NULL;
         BN_BLINDING *blinding = NULL;
 
         if ((ctx=BN_CTX_new()) == NULL) goto err;
         BN_CTX_start(ctx);
         f   = BN_CTX_get(ctx);
-        br  = BN_CTX_get(ctx);
         ret = BN_CTX_get(ctx);
         num = BN_num_bytes(rsa->n);
         buf = OPENSSL_malloc(num);
@@ -406,8 +411,15 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                 }
         
         if (blinding != NULL)
-                if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
+                {
+                if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
+                        {
+                        RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT,ERR_R_MALLOC_FAILURE);
+                        goto err;
+                        }
+                if (!rsa_blinding_convert(blinding, f, unblind, ctx))
                         goto err;
+                }
 
         if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
                 ((rsa->p != NULL) &&
@@ -441,7 +453,7 @@ static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
                 }
 
         if (blinding)
-                if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
+                if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
                         goto err;
 
         if (padding == RSA_X931_PADDING)
@@ -480,18 +492,21 @@ err:
 static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
         {
-        BIGNUM *f, *ret, *br;
+        BIGNUM *f, *ret;
         int j,num=0,r= -1;
         unsigned char *p;
         unsigned char *buf=NULL;
         BN_CTX *ctx=NULL;
         int local_blinding = 0;
+        /* Used only if the blinding structure is shared. A non-NULL unblind
+         * instructs rsa_blinding_convert() and rsa_blinding_invert() to store
+         * the unblinding factor outside the blinding structure. */
+        BIGNUM *unblind = NULL;
         BN_BLINDING *blinding = NULL;
 
         if((ctx = BN_CTX_new()) == NULL) goto err;
         BN_CTX_start(ctx);
         f   = BN_CTX_get(ctx);
-        br  = BN_CTX_get(ctx);
         ret = BN_CTX_get(ctx);
         num = BN_num_bytes(rsa->n);
         buf = OPENSSL_malloc(num);
@@ -529,8 +544,15 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                 }
         
         if (blinding != NULL)
-                if (!rsa_blinding_convert(blinding, local_blinding, f, br, ctx))
+                {
+                if (!local_blinding && ((unblind = BN_CTX_get(ctx)) == NULL))
+                        {
+                        RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT,ERR_R_MALLOC_FAILURE);
                         goto err;
+                        }
+                if (!rsa_blinding_convert(blinding, f, unblind, ctx))
+                        goto err;
+                }
 
         /* do the decrypt */
         if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -564,7 +586,7 @@ static int RSA_eay_private_decrypt(int flen, const unsigned char *from,
                 }
 
         if (blinding)
-                if (!rsa_blinding_invert(blinding, local_blinding, ret, br, ctx))
+                if (!rsa_blinding_invert(blinding, ret, unblind, ctx))
                         goto err;
 
         p=buf;
diff --git a/src/lib/libssl/src/crypto/x509/x509_vfy.c b/src/lib/libssl/src/crypto/x509/x509_vfy.c
index 5a0b0249b4..701ec565e9 100644
--- a/src/lib/libssl/src/crypto/x509/x509_vfy.c
+++ b/src/lib/libssl/src/crypto/x509/x509_vfy.c
@@ -1732,7 +1732,7 @@ int X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time)
         atm.length=sizeof(buff2);
         atm.data=(unsigned char *)buff2;
 
-        if (X509_time_adj(&atm,-offset*60, cmp_time) == NULL)
+        if (X509_time_adj(&atm, offset*60, cmp_time) == NULL)
                 return 0;
 
         if (ctm->type == V_ASN1_UTCTIME)
diff --git a/src/lib/libssl/src/doc/ssl/SSL_clear.pod b/src/lib/libssl/src/doc/ssl/SSL_clear.pod
index 8e077e31c9..d4df1bfac3 100644
--- a/src/lib/libssl/src/doc/ssl/SSL_clear.pod
+++ b/src/lib/libssl/src/doc/ssl/SSL_clear.pod
@@ -39,10 +39,16 @@ for a description of the method's properties.
 SSL_clear() resets the SSL object to allow for another connection. The
 reset operation however keeps several settings of the last sessions
 (some of these settings were made automatically during the last
-handshake). It only makes sense when opening a new session (or reusing
-an old one) with the same peer that shares these settings.
-SSL_clear() is not a short form for the sequence
-L<SSL_free(3)|SSL_free(3)>; L<SSL_new(3)|SSL_new(3)>; .
+handshake). It only makes sense for a new connection with the exact
+same peer that shares these settings, and may fail if that peer
+changes its settings between connections. Use the sequence
+L<SSL_get_session(3)|SSL_get_session(3)>;
+L<SSL_new(3)|SSL_new(3)>;
+L<SSL_set_session(3)|SSL_set_session(3)>;
+L<SSL_free(3)|SSL_free(3)>
+instead to avoid such failures
+(or simply L<SSL_free(3)|SSL_free(3)>; L<SSL_new(3)|SSL_new(3)>
+if session reuse is not desired).
 
 =head1 RETURN VALUES
 
diff --git a/src/lib/libssl/src/e_os2.h b/src/lib/libssl/src/e_os2.h
index 4c785c62cf..d30724d304 100644
--- a/src/lib/libssl/src/e_os2.h
+++ b/src/lib/libssl/src/e_os2.h
@@ -193,8 +193,14 @@ extern "C" {
 #endif
 
 /* --------------------------------- VOS ----------------------------------- */
-#ifdef OPENSSL_SYSNAME_VOS
+#if defined(__VOS__) || defined(OPENSSL_SYSNAME_VOS)
 # define OPENSSL_SYS_VOS
+#ifdef __HPPA__
+# define OPENSSL_SYS_VOS_HPPA
+#endif
+#ifdef __IA32__
+# define OPENSSL_SYS_VOS_IA32
+#endif
 #endif
 
 /* ------------------------------- VxWorks --------------------------------- */
diff --git a/src/lib/libssl/src/openssl.spec b/src/lib/libssl/src/openssl.spec
index e4db875539..703cea2a5f 100644
--- a/src/lib/libssl/src/openssl.spec
+++ b/src/lib/libssl/src/openssl.spec
@@ -2,7 +2,7 @@
 %define libmaj 1
 %define libmin 0
 %define librel 0
-%define librev e
+%define librev f
 Release: 1
 
 %define openssldir /var/ssl
diff --git a/src/lib/libssl/src/ssl/s3_clnt.c b/src/lib/libssl/src/ssl/s3_clnt.c
index 50bd415b56..53223bd38d 100644
--- a/src/lib/libssl/src/ssl/s3_clnt.c
+++ b/src/lib/libssl/src/ssl/s3_clnt.c
@@ -953,7 +953,7 @@ int ssl3_get_server_hello(SSL *s)
                 /* wrong packet length */
                 al=SSL_AD_DECODE_ERROR;
                 SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_BAD_PACKET_LENGTH);
-                goto err;
+                goto f_err;
                 }
 
         return(1);
@@ -1837,7 +1837,7 @@ int ssl3_get_new_session_ticket(SSL *s)
         if (n < 6)
                 {
                 /* need at least ticket_lifetime_hint + ticket length */
-                al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
+                al = SSL_AD_DECODE_ERROR;
                 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
                 goto f_err;
                 }
@@ -1848,7 +1848,7 @@ int ssl3_get_new_session_ticket(SSL *s)
         /* ticket_lifetime_hint + ticket_length + ticket */
         if (ticklen + 6 != n)
                 {
-                al = SSL3_AL_FATAL,SSL_AD_DECODE_ERROR;
+                al = SSL_AD_DECODE_ERROR;
                 SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET,SSL_R_LENGTH_MISMATCH);
                 goto f_err;
                 }
diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index 58386e1ba0..b14597076d 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -511,6 +511,9 @@ int ssl3_enc(SSL *s, int send)
 
                         /* we need to add 'i-1' padding bytes */
                         l+=i;
+                        /* the last of these zero bytes will be overwritten
+                         * with the padding length. */
+                        memset(&rec->input[rec->length], 0, i);
                         rec->length+=i;
                         rec->input[l-1]=(i-1);
                         }
diff --git a/src/lib/libssl/src/ssl/s3_lib.c b/src/lib/libssl/src/ssl/s3_lib.c
index 62c791cb72..1130244aeb 100644
--- a/src/lib/libssl/src/ssl/s3_lib.c
+++ b/src/lib/libssl/src/ssl/s3_lib.c
@@ -2177,6 +2177,7 @@ void ssl3_clear(SSL *s)
         {
         unsigned char *rp,*wp;
         size_t rlen, wlen;
+        int init_extra;
 
 #ifdef TLSEXT_TYPE_opaque_prf_input
         if (s->s3->client_opaque_prf_input != NULL)
@@ -2215,6 +2216,7 @@ void ssl3_clear(SSL *s)
         wp = s->s3->wbuf.buf;
         rlen = s->s3->rbuf.len;
         wlen = s->s3->wbuf.len;
+        init_extra = s->s3->init_extra;
         if (s->s3->handshake_buffer) {
                 BIO_free(s->s3->handshake_buffer);
                 s->s3->handshake_buffer = NULL;
@@ -2227,6 +2229,7 @@ void ssl3_clear(SSL *s)
         s->s3->wbuf.buf = wp;
         s->s3->rbuf.len = rlen;
         s->s3->wbuf.len = wlen;
+        s->s3->init_extra = init_extra;
 
         ssl_free_wbio_buffer(s);
 
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index c3b5ff33ff..d734c359fb 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -258,6 +258,7 @@ int ssl3_accept(SSL *s)
                                 }
 
                         s->init_num=0;
+                        s->s3->flags &= ~SSL3_FLAGS_SGC_RESTART_DONE;
 
                         if (s->state != SSL_ST_RENEGOTIATE)
                                 {
@@ -755,6 +756,14 @@ int ssl3_check_client_hello(SSL *s)
         int ok;
         long n;
 
+        /* We only allow the client to restart the handshake once per
+         * negotiation. */
+        if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+                {
+                SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+                return -1;
+                }
+
         /* this function is called when we really expect a Certificate message,
          * so permit appropriate message length */
         n=s->method->ssl_get_message(s,
@@ -783,6 +792,7 @@ int ssl3_check_client_hello(SSL *s)
                         s->s3->tmp.ecdh = NULL;
                         }
 #endif
+                s->s3->flags |= SSL3_FLAGS_SGC_RESTART_DONE;
                 return 2;
                 }
         return 1;
@@ -2130,6 +2140,7 @@ int ssl3_get_client_key_exchange(SSL *s)
                 if (i <= 0)
                         {
                         SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,ERR_R_DH_LIB);
+                        BN_clear_free(pub);
                         goto err;
                         }
 
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index e4c3f65010..8f922eea72 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1882,6 +1882,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL3_CALLBACK_CTRL                         233
 #define SSL_F_SSL3_CHANGE_CIPHER_STATE                   129
 #define SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM              130
+#define SSL_F_SSL3_CHECK_CLIENT_HELLO                    304
 #define SSL_F_SSL3_CLIENT_HELLO                          131
 #define SSL_F_SSL3_CONNECT                               132
 #define SSL_F_SSL3_CTRL                                  213
@@ -2139,6 +2140,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_MISSING_TMP_RSA_KEY                        172
 #define SSL_R_MISSING_TMP_RSA_PKEY                       173
 #define SSL_R_MISSING_VERIFY_MESSAGE                     174
+#define SSL_R_MULTIPLE_SGC_RESTARTS                      346
 #define SSL_R_NON_SSLV2_INITIAL_PACKET                   175
 #define SSL_R_NO_CERTIFICATES_RETURNED                   176
 #define SSL_R_NO_CERTIFICATE_ASSIGNED                    177
diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h
index baaa89e717..9c2c41287a 100644
--- a/src/lib/libssl/src/ssl/ssl3.h
+++ b/src/lib/libssl/src/ssl/ssl3.h
@@ -379,6 +379,17 @@ typedef struct ssl3_buffer_st
 #define SSL3_FLAGS_POP_BUFFER                   0x0004
 #define TLS1_FLAGS_TLS_PADDING_BUG              0x0008
 #define TLS1_FLAGS_SKIP_CERT_VERIFY             0x0010
+ 
+/* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+ * restart a handshake because of MS SGC and so prevents us
+ * from restarting the handshake in a loop. It's reset on a
+ * renegotiation, so effectively limits the client to one restart
+ * per negotiation. This limits the possibility of a DDoS
+ * attack where the client handshakes in a loop using SGC to
+ * restart. Servers which permit renegotiation can still be
+ * effected, but we can't prevent that.
+ */
+#define SSL3_FLAGS_SGC_RESTART_DONE             0x0040
 
 typedef struct ssl3_state_st
         {
diff --git a/src/lib/libssl/src/ssl/ssl_ciph.c b/src/lib/libssl/src/ssl/ssl_ciph.c
index a8ce186b78..54ba7ef5b4 100644
--- a/src/lib/libssl/src/ssl/ssl_ciph.c
+++ b/src/lib/libssl/src/ssl/ssl_ciph.c
@@ -446,6 +446,7 @@ static void load_builtin_compressions(void)
                                                 sk_SSL_COMP_push(ssl_comp_methods,comp);
                                                 }
                                         }
+                                        sk_SSL_COMP_sort(ssl_comp_methods);
                                 }
                         MemCheck_on();
                         }
diff --git a/src/lib/libssl/src/ssl/ssl_err.c b/src/lib/libssl/src/ssl/ssl_err.c
index 0eed464749..e9be77109f 100644
--- a/src/lib/libssl/src/ssl/ssl_err.c
+++ b/src/lib/libssl/src/ssl/ssl_err.c
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2009 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -137,6 +137,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_FUNC(SSL_F_SSL3_CALLBACK_CTRL),    "SSL3_CALLBACK_CTRL"},
 {ERR_FUNC(SSL_F_SSL3_CHANGE_CIPHER_STATE),      "SSL3_CHANGE_CIPHER_STATE"},
 {ERR_FUNC(SSL_F_SSL3_CHECK_CERT_AND_ALGORITHM), "SSL3_CHECK_CERT_AND_ALGORITHM"},
+{ERR_FUNC(SSL_F_SSL3_CHECK_CLIENT_HELLO),       "SSL3_CHECK_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_SSL3_CLIENT_HELLO),     "SSL3_CLIENT_HELLO"},
 {ERR_FUNC(SSL_F_SSL3_CONNECT),  "SSL3_CONNECT"},
 {ERR_FUNC(SSL_F_SSL3_CTRL),     "SSL3_CTRL"},
@@ -397,6 +398,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
 {ERR_REASON(SSL_R_MISSING_TMP_RSA_KEY)   ,"missing tmp rsa key"},
 {ERR_REASON(SSL_R_MISSING_TMP_RSA_PKEY)  ,"missing tmp rsa pkey"},
 {ERR_REASON(SSL_R_MISSING_VERIFY_MESSAGE),"missing verify message"},
+{ERR_REASON(SSL_R_MULTIPLE_SGC_RESTARTS) ,"multiple sgc restarts"},
 {ERR_REASON(SSL_R_NON_SSLV2_INITIAL_PACKET),"non sslv2 initial packet"},
 {ERR_REASON(SSL_R_NO_CERTIFICATES_RETURNED),"no certificates returned"},
 {ERR_REASON(SSL_R_NO_CERTIFICATE_ASSIGNED),"no certificate assigned"},
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 46732791fd..8e89911f48 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1054,6 +1054,9 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
                 s->max_cert_list=larg;
                 return(l);
         case SSL_CTRL_SET_MTU:
+                if (larg < (long)dtls1_min_mtu())
+                        return 0;
+
                 if (SSL_version(s) == DTLS1_VERSION ||
                     SSL_version(s) == DTLS1_BAD_VER)
                         {
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 4c78393f3f..cea622a2a6 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -950,6 +950,7 @@ void dtls1_stop_timer(SSL *s);
 int dtls1_is_timer_expired(SSL *s);
 void dtls1_double_timeout(SSL *s);
 int dtls1_send_newsession_ticket(SSL *s);
+unsigned int dtls1_min_mtu(void);
 
 /* some client-only functions */
 int ssl3_client_hello(SSL *s);
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c
index 85371c87b8..26cbae449e 100644
--- a/src/lib/libssl/src/ssl/t1_lib.c
+++ b/src/lib/libssl/src/ssl/t1_lib.c
@@ -971,6 +971,12 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                 sdata = data;
                                 if (dsize > 0)
                                         {
+                                        if (s->tlsext_ocsp_exts)
+                                                {
+                                                sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
+                                                                           X509_EXTENSION_free);
+                                                }
+
                                         s->tlsext_ocsp_exts =
                                                 d2i_X509_EXTENSIONS(NULL,
                                                         &sdata, dsize);
diff --git a/src/lib/libssl/src/test/testssl b/src/lib/libssl/src/test/testssl
index f9d7c5d65f..b55364ae88 100644
--- a/src/lib/libssl/src/test/testssl
+++ b/src/lib/libssl/src/test/testssl
@@ -100,8 +100,8 @@ echo test sslv2/sslv3 via BIO pair
 $ssltest $extra || exit 1
 
 if [ $dsa_cert = NO ]; then
-  echo test sslv2/sslv3 w/o DHE via BIO pair
-  $ssltest -bio_pair -no_dhe $extra || exit 1
+  echo 'test sslv2/sslv3 w/o (EC)DHE via BIO pair'
+  $ssltest -bio_pair -no_dhe -no_ecdhe $extra || exit 1
 fi
 
 echo test sslv2/sslv3 with 1024bit DHE via BIO pair
@@ -131,8 +131,8 @@ fi
 if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
   echo skipping RSA tests
 else
-  echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
-  ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
+  echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
+  ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
 
   if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
     echo skipping RSA+DHE tests
diff --git a/src/lib/libssl/src/util/mkerr.pl b/src/lib/libssl/src/util/mkerr.pl
index 2c99467d34..aec401c773 100644
--- a/src/lib/libssl/src/util/mkerr.pl
+++ b/src/lib/libssl/src/util/mkerr.pl
@@ -769,7 +769,7 @@ EOF
         undef %err_reason_strings;
 }
 
-if($debug && defined(%notrans)) {
+if($debug && %notrans) {
         print STDERR "The following function codes were not translated:\n";
         foreach(sort keys %notrans)
         {