From cca15d6bb80232fe2868e39e44b3fed5e5c1e64a Mon Sep 17 00:00:00 2001
From: nbd <nbd@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Date: Mon, 1 Mar 2010 18:46:43 +0000
Subject: openssl: upgrade to 0.9.8m (patch by Peter Wagner)

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@19939 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 .../openssl/patches/001-upstream_dtls_cisco.patch  | 139 ---------------------
 1 file changed, 139 deletions(-)
 delete mode 100644 package/openssl/patches/001-upstream_dtls_cisco.patch

(limited to 'package/openssl/patches/001-upstream_dtls_cisco.patch')

diff --git a/package/openssl/patches/001-upstream_dtls_cisco.patch b/package/openssl/patches/001-upstream_dtls_cisco.patch
deleted file mode 100644
index 46f4bb223..000000000
--- a/package/openssl/patches/001-upstream_dtls_cisco.patch
+++ /dev/null
@@ -1,139 +0,0 @@
---- a/ssl/d1_clnt.c
-+++ b/ssl/d1_clnt.c
-@@ -130,7 +130,7 @@ static int dtls1_get_hello_verify(SSL *s
- 
- static SSL_METHOD *dtls1_get_client_method(int ver)
- 	{
--	if (ver == DTLS1_VERSION)
-+	if (ver == DTLS1_VERSION || ver == DTLS1_BAD_VER)
- 		return(DTLSv1_client_method());
- 	else
- 		return(NULL);
-@@ -181,7 +181,8 @@ int dtls1_connect(SSL *s)
- 			s->server=0;
- 			if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
- 
--			if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00))
-+			if ((s->version & 0xff00 ) != (DTLS1_VERSION & 0xff00) &&
-+			    (s->version & 0xff00 ) != (DTLS1_BAD_VER & 0xff00))
- 				{
- 				SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
- 				ret = -1;
---- a/ssl/d1_lib.c
-+++ b/ssl/d1_lib.c
-@@ -187,7 +187,10 @@ void dtls1_free(SSL *s)
- void dtls1_clear(SSL *s)
- 	{
- 	ssl3_clear(s);
--	s->version=DTLS1_VERSION;
-+	if (s->options & SSL_OP_CISCO_ANYCONNECT)
-+		s->version=DTLS1_BAD_VER;
-+	else
-+		s->version=DTLS1_VERSION;
- 	}
- 
- /*
---- a/ssl/d1_pkt.c
-+++ b/ssl/d1_pkt.c
-@@ -987,15 +987,17 @@ start:
- 	if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC)
- 		{
- 		struct ccs_header_st ccs_hdr;
-+		int ccs_hdr_len = DTLS1_CCS_HEADER_LENGTH;
- 
- 		dtls1_get_ccs_header(rr->data, &ccs_hdr);
- 
- 		/* 'Change Cipher Spec' is just a single byte, so we know
- 		 * exactly what the record payload has to look like */
- 		/* XDTLS: check that epoch is consistent */
--		if (	(s->client_version == DTLS1_BAD_VER && rr->length != 3) ||
--			(s->client_version != DTLS1_BAD_VER && rr->length != DTLS1_CCS_HEADER_LENGTH) || 
--			(rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
-+		if (s->client_version == DTLS1_BAD_VER || s->version == DTLS1_BAD_VER)
-+			ccs_hdr_len = 3;
-+
-+		if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS))
- 			{
- 			i=SSL_AD_ILLEGAL_PARAMETER;
- 			SSLerr(SSL_F_DTLS1_READ_BYTES,SSL_R_BAD_CHANGE_CIPHER_SPEC);
-@@ -1311,7 +1313,7 @@ int do_dtls1_write(SSL *s, int type, con
- #if 0
- 	/* 'create_empty_fragment' is true only when this function calls itself */
- 	if (!clear && !create_empty_fragment && !s->s3->empty_fragment_done
--		&& SSL_version(s) != DTLS1_VERSION)
-+	    && SSL_version(s) != DTLS1_VERSION && SSL_version(s) != DTLS1_BAD_VER)
- 		{
- 		/* countermeasure against known-IV weakness in CBC ciphersuites
- 		 * (see http://www.openssl.org/~bodo/tls-cbc.txt) 
---- a/ssl/s3_clnt.c
-+++ b/ssl/s3_clnt.c
-@@ -708,7 +708,7 @@ int ssl3_get_server_hello(SSL *s)
- 
- 	if (!ok) return((int)n);
- 
--	if ( SSL_version(s) == DTLS1_VERSION)
-+	if ( SSL_version(s) == DTLS1_VERSION || SSL_version(s) == DTLS1_BAD_VER)
- 		{
- 		if ( s->s3->tmp.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST)
- 			{
---- a/ssl/ssl.h
-+++ b/ssl/ssl.h
-@@ -510,6 +510,8 @@ typedef struct ssl_session_st
- #define SSL_OP_COOKIE_EXCHANGE              0x00002000L
- /* Don't use RFC4507 ticket extension */
- #define SSL_OP_NO_TICKET	            0x00004000L
-+/* Use Cisco's "speshul" version of DTLS_BAD_VER (as client)  */
-+#define SSL_OP_CISCO_ANYCONNECT		    0x00008000L
- 
- /* As server, disallow session resumption on renegotiation */
- #define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION	0x00010000L
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -995,7 +995,8 @@ long SSL_ctrl(SSL *s,int cmd,long larg,v
- 		s->max_cert_list=larg;
- 		return(l);
- 	case SSL_CTRL_SET_MTU:
--		if (SSL_version(s) == DTLS1_VERSION)
-+		if (SSL_version(s) == DTLS1_VERSION ||
-+		    SSL_version(s) == DTLS1_BAD_VER)
- 			{
- 			s->d1->mtu = larg;
- 			return larg;
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -211,6 +211,11 @@ int ssl_get_new_session(SSL *s, int sess
- 			ss->ssl_version=TLS1_VERSION;
- 			ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
- 			}
-+		else if (s->version == DTLS1_BAD_VER)
-+			{
-+			ss->ssl_version=DTLS1_BAD_VER;
-+			ss->session_id_length=SSL3_SSL_SESSION_ID_LENGTH;
-+			}
- 		else if (s->version == DTLS1_VERSION)
- 			{
- 			ss->ssl_version=DTLS1_VERSION;
---- a/ssl/t1_enc.c
-+++ b/ssl/t1_enc.c
-@@ -765,10 +765,10 @@ int tls1_mac(SSL *ssl, unsigned char *md
- 	HMAC_CTX_init(&hmac);
- 	HMAC_Init_ex(&hmac,mac_sec,EVP_MD_size(hash),hash,NULL);
- 
--	if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)
-+	if (ssl->version == DTLS1_BAD_VER ||
-+	    (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER))
- 		{
- 		unsigned char dtlsseq[8],*p=dtlsseq;
--
- 		s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p);
- 		memcpy (p,&seq[2],6);
- 
-@@ -793,7 +793,7 @@ printf("rec=");
- {unsigned int z; for (z=0; z<rec->length; z++) printf("%02X ",buf[z]); printf("\n"); }
- #endif
- 
--	if ( SSL_version(ssl) != DTLS1_VERSION)
-+	if ( SSL_version(ssl) != DTLS1_VERSION && SSL_version(ssl) != DTLS1_BAD_VER)
- 		{
- 		for (i=7; i>=0; i--)
- 			{
-- 
cgit v1.2.3