diff options
| -rw-r--r-- | src/lib/libssl/src/ssl/ssl.h | 7 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/t1_lib.c | 21 | ||||
| -rw-r--r-- | src/lib/libssl/ssl.h | 7 | ||||
| -rw-r--r-- | src/lib/libssl/t1_lib.c | 21 |
4 files changed, 36 insertions, 20 deletions
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h index 857709f7c5..1851cd9525 100644 --- a/src/lib/libssl/src/ssl/ssl.h +++ b/src/lib/libssl/src/ssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.63 2014/08/10 14:42:56 jsing Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.64 2014/09/21 17:11:04 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -514,7 +514,7 @@ struct ssl_session_st { | |||
| 514 | /* Allow initial connection to servers that don't support RI */ | 514 | /* Allow initial connection to servers that don't support RI */ |
| 515 | #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L | 515 | #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L |
| 516 | #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L | 516 | #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L |
| 517 | #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L | 517 | #define SSL_OP_TLSEXT_PADDING 0x00000010L |
| 518 | #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L | 518 | #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L |
| 519 | #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L | 519 | #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L |
| 520 | #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L | 520 | #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L |
| @@ -524,6 +524,9 @@ struct ssl_session_st { | |||
| 524 | /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */ | 524 | /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */ |
| 525 | #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 | 525 | #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 |
| 526 | 526 | ||
| 527 | /* Refers to ancient SSLREF and SSLv2, retained for compatibility */ | ||
| 528 | #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0 | ||
| 529 | |||
| 527 | /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added | 530 | /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added |
| 528 | * in OpenSSL 0.9.6d. Usually (depending on the application protocol) | 531 | * in OpenSSL 0.9.6d. Usually (depending on the application protocol) |
| 529 | * the workaround is not needed. | 532 | * the workaround is not needed. |
diff --git a/src/lib/libssl/src/ssl/t1_lib.c b/src/lib/libssl/src/ssl/t1_lib.c index c25f10bfab..87a65e3db2 100644 --- a/src/lib/libssl/src/ssl/t1_lib.c +++ b/src/lib/libssl/src/ssl/t1_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_lib.c,v 1.54 2014/08/07 22:27:28 guenther Exp $ */ | 1 | /* $OpenBSD: t1_lib.c,v 1.55 2014/09/21 17:11:04 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -635,18 +635,24 @@ skip_ext: | |||
| 635 | } | 635 | } |
| 636 | #endif | 636 | #endif |
| 637 | 637 | ||
| 638 | #ifdef TLSEXT_TYPE_padding | 638 | /* |
| 639 | /* Add padding to workaround bugs in F5 terminators. | 639 | * Add padding to workaround bugs in F5 terminators. |
| 640 | * See https://tools.ietf.org/html/draft-agl-tls-padding-03 | 640 | * See https://tools.ietf.org/html/draft-agl-tls-padding-03 |
| 641 | * | 641 | * |
| 642 | * Note that this seems to trigger issues with IronPort SMTP | ||
| 643 | * appliances. | ||
| 644 | * | ||
| 642 | * NB: because this code works out the length of all existing | 645 | * NB: because this code works out the length of all existing |
| 643 | * extensions it MUST always appear last. | 646 | * extensions it MUST always appear last. |
| 644 | */ | 647 | */ |
| 645 | { | 648 | if (s->options & SSL_OP_TLSEXT_PADDING) { |
| 646 | int hlen = ret - (unsigned char *)s->init_buf->data; | 649 | int hlen = ret - (unsigned char *)s->init_buf->data; |
| 647 | /* The code in s23_clnt.c to build ClientHello messages includes the | 650 | |
| 648 | * 5-byte record header in the buffer, while the code in s3_clnt.c does | 651 | /* |
| 649 | * not. */ | 652 | * The code in s23_clnt.c to build ClientHello messages |
| 653 | * includes the 5-byte record header in the buffer, while the | ||
| 654 | * code in s3_clnt.c does not. | ||
| 655 | */ | ||
| 650 | if (s->state == SSL23_ST_CW_CLNT_HELLO_A) | 656 | if (s->state == SSL23_ST_CW_CLNT_HELLO_A) |
| 651 | hlen -= 5; | 657 | hlen -= 5; |
| 652 | if (hlen > 0xff && hlen < 0x200) { | 658 | if (hlen > 0xff && hlen < 0x200) { |
| @@ -662,7 +668,6 @@ skip_ext: | |||
| 662 | ret += hlen; | 668 | ret += hlen; |
| 663 | } | 669 | } |
| 664 | } | 670 | } |
| 665 | #endif | ||
| 666 | 671 | ||
| 667 | if ((extdatalen = ret - p - 2) == 0) | 672 | if ((extdatalen = ret - p - 2) == 0) |
| 668 | return p; | 673 | return p; |
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h index 857709f7c5..1851cd9525 100644 --- a/src/lib/libssl/ssl.h +++ b/src/lib/libssl/ssl.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl.h,v 1.63 2014/08/10 14:42:56 jsing Exp $ */ | 1 | /* $OpenBSD: ssl.h,v 1.64 2014/09/21 17:11:04 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -514,7 +514,7 @@ struct ssl_session_st { | |||
| 514 | /* Allow initial connection to servers that don't support RI */ | 514 | /* Allow initial connection to servers that don't support RI */ |
| 515 | #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L | 515 | #define SSL_OP_LEGACY_SERVER_CONNECT 0x00000004L |
| 516 | #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L | 516 | #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L |
| 517 | #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L | 517 | #define SSL_OP_TLSEXT_PADDING 0x00000010L |
| 518 | #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L | 518 | #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L |
| 519 | #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L | 519 | #define SSL_OP_SAFARI_ECDHE_ECDSA_BUG 0x00000040L |
| 520 | #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L | 520 | #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L |
| @@ -524,6 +524,9 @@ struct ssl_session_st { | |||
| 524 | /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */ | 524 | /* Hasn't done anything since OpenSSL 0.9.7h, retained for compatibility */ |
| 525 | #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 | 525 | #define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x0 |
| 526 | 526 | ||
| 527 | /* Refers to ancient SSLREF and SSLv2, retained for compatibility */ | ||
| 528 | #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x0 | ||
| 529 | |||
| 527 | /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added | 530 | /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added |
| 528 | * in OpenSSL 0.9.6d. Usually (depending on the application protocol) | 531 | * in OpenSSL 0.9.6d. Usually (depending on the application protocol) |
| 529 | * the workaround is not needed. | 532 | * the workaround is not needed. |
diff --git a/src/lib/libssl/t1_lib.c b/src/lib/libssl/t1_lib.c index c25f10bfab..87a65e3db2 100644 --- a/src/lib/libssl/t1_lib.c +++ b/src/lib/libssl/t1_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: t1_lib.c,v 1.54 2014/08/07 22:27:28 guenther Exp $ */ | 1 | /* $OpenBSD: t1_lib.c,v 1.55 2014/09/21 17:11:04 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -635,18 +635,24 @@ skip_ext: | |||
| 635 | } | 635 | } |
| 636 | #endif | 636 | #endif |
| 637 | 637 | ||
| 638 | #ifdef TLSEXT_TYPE_padding | 638 | /* |
| 639 | /* Add padding to workaround bugs in F5 terminators. | 639 | * Add padding to workaround bugs in F5 terminators. |
| 640 | * See https://tools.ietf.org/html/draft-agl-tls-padding-03 | 640 | * See https://tools.ietf.org/html/draft-agl-tls-padding-03 |
| 641 | * | 641 | * |
| 642 | * Note that this seems to trigger issues with IronPort SMTP | ||
| 643 | * appliances. | ||
| 644 | * | ||
| 642 | * NB: because this code works out the length of all existing | 645 | * NB: because this code works out the length of all existing |
| 643 | * extensions it MUST always appear last. | 646 | * extensions it MUST always appear last. |
| 644 | */ | 647 | */ |
| 645 | { | 648 | if (s->options & SSL_OP_TLSEXT_PADDING) { |
| 646 | int hlen = ret - (unsigned char *)s->init_buf->data; | 649 | int hlen = ret - (unsigned char *)s->init_buf->data; |
| 647 | /* The code in s23_clnt.c to build ClientHello messages includes the | 650 | |
| 648 | * 5-byte record header in the buffer, while the code in s3_clnt.c does | 651 | /* |
| 649 | * not. */ | 652 | * The code in s23_clnt.c to build ClientHello messages |
| 653 | * includes the 5-byte record header in the buffer, while the | ||
| 654 | * code in s3_clnt.c does not. | ||
| 655 | */ | ||
| 650 | if (s->state == SSL23_ST_CW_CLNT_HELLO_A) | 656 | if (s->state == SSL23_ST_CW_CLNT_HELLO_A) |
| 651 | hlen -= 5; | 657 | hlen -= 5; |
| 652 | if (hlen > 0xff && hlen < 0x200) { | 658 | if (hlen > 0xff && hlen < 0x200) { |
| @@ -662,7 +668,6 @@ skip_ext: | |||
| 662 | ret += hlen; | 668 | ret += hlen; |
| 663 | } | 669 | } |
| 664 | } | 670 | } |
| 665 | #endif | ||
| 666 | 671 | ||
| 667 | if ((extdatalen = ret - p - 2) == 0) | 672 | if ((extdatalen = ret - p - 2) == 0) |
| 668 | return p; | 673 | return p; |