authorSimon L. B. Nielsen <simon@FreeBSD.org>2010-04-01 12:25:40 +0000
committerSimon L. B. Nielsen <simon@FreeBSD.org>2010-04-01 12:25:40 +0000
commit0cedaa6c89235ed396068f2ebf546c9a909439e1 (patch)
treeea91d9b180fa36b1886b046a286630c089f57475
parentf7a1b4761cf3f798e1b42d703d38221b47ce1eec (diff)
Import OpenSSL 0.9.8n.vendor/openssl/0.9.8n
Notes
Notes: svn path=/vendor-crypto/openssl/dist/; revision=206035 svn path=/vendor-crypto/openssl/0.9.8n/; revision=206037; tag=vendor/openssl/0.9.8n
-rw-r--r--CHANGES15
-rw-r--r--FAQ2
-rw-r--r--Makefile2
-rw-r--r--NEWS5
-rw-r--r--README2
-rw-r--r--apps/req.c6
-rw-r--r--apps/speed.c14
-rwxr-xr-xconfig4
-rw-r--r--crypto/asn1/a_object.c6
-rw-r--r--crypto/bio/bss_file.c4
-rw-r--r--crypto/bn/asm/ppc.pl2
-rw-r--r--crypto/bn/asm/x86_64-gcc.c1
-rw-r--r--crypto/bn/bn_div.c10
-rw-r--r--crypto/engine/eng_all.c2
-rw-r--r--crypto/engine/eng_cryptodev.c23
-rw-r--r--crypto/evp/digest.c1
-rw-r--r--crypto/evp/evp_locl.h6
-rw-r--r--crypto/evp/names.c2
-rw-r--r--crypto/md32_common.h8
-rw-r--r--crypto/ocsp/ocsp_prn.c1
-rw-r--r--crypto/opensslv.h6
-rw-r--r--crypto/rand/rand_win.c2
-rw-r--r--engines/e_capi.c4
-rw-r--r--engines/e_chil.c11
-rw-r--r--fips/Makefile2
-rw-r--r--openssl.spec2
-rw-r--r--ssl/kssl.c3
-rw-r--r--ssl/s3_pkt.c6
28 files changed, 115 insertions, 37 deletions
diff --git a/CHANGES b/CHANGES
index 97b3810f40a8..b350da79f66b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,21 @@
OpenSSL CHANGES
_______________
+ Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
+
+ *) When rejecting SSL/TLS records due to an incorrect version number, never
+ update s->server with a new major version number. As of
+ - OpenSSL 0.9.8m if 'short' is a 16-bit type,
+ - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
+ the previous behavior could result in a read attempt at NULL when
+ receiving specific incorrect SSL/TLS records once record payload
+ protection is active. (CVE-2010-0740)
+ [Bodo Moeller, Adam Langley <agl@chromium.org>]
+
+ *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
+ could be crashed if the relevant tables were not present (e.g. chrooted).
+ [Tomas Hoger <thoger@redhat.com>]
+
Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
*) Always check bn_wexpend() return values for failure. (CVE-2009-3245)
diff --git a/FAQ b/FAQ
index 8041479c7ead..f7aaede4ca08 100644
--- a/FAQ
+++ b/FAQ
@@ -78,7 +78,7 @@ OpenSSL - Frequently Asked Questions
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8m was released on Feb 25th, 2010.
+OpenSSL 0.9.8n was released on Mar 24th, 2010.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
diff --git a/Makefile b/Makefile
index e085f28f812b..7f48abdd4780 100644
--- a/Makefile
+++ b/Makefile
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=0.9.8m
+VERSION=0.9.8n
MAJOR=0
MINOR=9.8
SHLIB_VERSION_NUMBER=0.9.8
diff --git a/NEWS b/NEWS
index 7bff9591d457..a00d06af68d2 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n:
+
+ o CFB cipher definition fixes.
+ o Fix security issues CVE-2010-0740 and CVE-2010-0433.
+
Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
o Cipher definition fixes.
diff --git a/README b/README
index 0cfba9c6c3f6..2a96ba3c2dbc 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 0.9.8m
+ OpenSSL 0.9.8n
Copyright (c) 1998-2009 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/apps/req.c b/apps/req.c
index 314197de839b..9f55cdeabd4c 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -1433,11 +1433,17 @@ start2: for (;;)
BIO_snprintf(buf,sizeof buf,"%s_min",type);
if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min))
+ {
+ ERR_clear_error();
n_min = -1;
+ }
BIO_snprintf(buf,sizeof buf,"%s_max",type);
if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max))
+ {
+ ERR_clear_error();
n_max = -1;
+ }
if (!add_attribute_object(req,
v->value,def,value,nid,n_min,n_max, chtype))
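Review bot: `ERR_clear_error()` empties the thread's whole error queue, not just the entry left by the failed `NCONF_get_number` lookup, so any earlier error that has not been reported yet is discarded along with the expected "not found". Calling `ERR_set_mark()` before each optional lookup and `ERR_pop_to_mark()` in its failure branch would drop only the lookup's own entry. The same applies to the `_max` lookup in this hunk; the surrounding loop body starts and ends outside it.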
diff --git a/apps/speed.c b/apps/speed.c
index 07f0ae04a614..393a7baade38 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -254,12 +254,18 @@
# endif
#endif
-#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
-# define NO_FORK 1
-#elif HAVE_FORK
+#ifndef HAVE_FORK
+# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
+# define HAVE_FORK 0
+# else
+# define HAVE_FORK 1
+# endif
+#endif
+
+#if HAVE_FORK
# undef NO_FORK
#else
-# define NO_FORK 1
+# define NO_FORK
#endif
#undef BUFSIZE
diff --git a/config b/config
index 4d789df5ecb9..b9d1c7aa2688 100755
--- a/config
+++ b/config
@@ -741,6 +741,10 @@ case "$GUESSOS" in
OBJECT_MODE=${OBJECT_MODE:-32}
if [ "$CC" = "gcc" ]; then
OUT="aix-gcc"
+ if [ $OBJECT_MODE -eq 64 ]; then
+ echo 'Your $OBJECT_MODE was found to be set to 64'
+ OUT="aix64-gcc"
+ fi
elif [ $OBJECT_MODE -eq 64 ]; then
echo 'Your $OBJECT_MODE was found to be set to 64'
OUT="aix64-cc"
diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c
index d169f8c14736..365e4673a95c 100644
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -291,12 +291,12 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
ASN1_OBJECT *ret=NULL;
const unsigned char *p;
int i;
- /* Sanity check OID encoding: can't have 0x80 in subidentifiers, see:
- * X.690 8.19.2
+ /* Sanity check OID encoding: can't have leading 0x80 in
+ * subidentifiers, see: X.690 8.19.2
*/
for (i = 0, p = *pp + 1; i < len - 1; i++, p++)
{
- if (*p == 0x80)
+ if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
{
ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
return NULL;
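Review bot: The scan still starts at `*pp + 1`, so the first content octet is never tested for a leading 0x80. Because `!i` is true for the octet at offset 1, that octet is also rejected when it is 0x80 even if offset 0 has its continuation bit set, which makes it a legitimate middle octet of a multi-byte subidentifier. Starting at the first octet fixes both cases and keeps `p[-1]` guarded by `!i`: `for (i = 0, p = *pp; i < len; i++, p++)`. X.690 also requires the final octet of the encoding to have bit 8 clear, so a test that `len` is positive and the last content octet lacks 0x80 belongs next to this loop unless it is already done outside the hunk. c2i_ASN1_OBJECT begins and ends outside the hunk.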
diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c
index 62c10731d4a6..47fa266dfc48 100644
--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -272,9 +272,9 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
BIO_clear_flags(b,BIO_FLAGS_UPLINK);
#endif
#endif
-#ifdef UP_fsetmode
+#ifdef UP_fsetmod
if (b->flags&BIO_FLAGS_UPLINK)
- UP_fsetmode(b->ptr,num&BIO_FP_TEXT?'t':'b');
+ UP_fsetmod(b->ptr,(char)((num&BIO_FP_TEXT)?'t':'b'));
else
#endif
{
diff --git a/crypto/bn/asm/ppc.pl b/crypto/bn/asm/ppc.pl
index 08e005347388..806e53ad6e1d 100644
--- a/crypto/bn/asm/ppc.pl
+++ b/crypto/bn/asm/ppc.pl
@@ -2074,5 +2074,7 @@ EOF
$data =~ s/^(\s*)cmplw(\s+)([^,]+),(.*)/$1cmpl$2$3,0,$4/gm;
# assembler X doesn't accept li, load immediate value
#$data =~ s/^(\s*)li(\s+)([^,]+),(.*)/$1addi$2$3,0,$4/gm;
+ # assembler Y chokes on apostrophes in comments
+ $data =~ s/'//gm;
return($data);
}
diff --git a/crypto/bn/asm/x86_64-gcc.c b/crypto/bn/asm/x86_64-gcc.c
index 2b2bc1ef60a1..b1b8a1109bf7 100644
--- a/crypto/bn/asm/x86_64-gcc.c
+++ b/crypto/bn/asm/x86_64-gcc.c
@@ -59,6 +59,7 @@
#undef mul
#undef mul_add
+#undef sqr
/*
* "m"(a), "+m"(r) is the way to favor DirectPath -code;
diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c
index 7c35545354ee..78c6507113bf 100644
--- a/crypto/bn/bn_div.c
+++ b/crypto/bn/bn_div.c
@@ -337,7 +337,10 @@ X) -> 0x%08X\n",
t2 -= d1;
}
#else /* !BN_LLONG */
- BN_ULONG t2l,t2h,ql,qh;
+ BN_ULONG t2l,t2h;
+#if !defined(BN_UMULT_LOHI) && !defined(BN_UMULT_HIGH)
+ BN_ULONG ql,qh;
+#endif
q=bn_div_words(n0,n1,d0);
#ifdef BN_DEBUG_LEVITTE
@@ -561,7 +564,10 @@ X) -> 0x%08X\n",
t2 -= d1;
}
#else /* !BN_LLONG */
- BN_ULONG t2l,t2h,ql,qh;
+ BN_ULONG t2l,t2h;
+#if !defined(BN_UMULT_LOHI) && !defined(BN_UMULT_HIGH)
+ BN_ULONG ql,qh;
+#endif
q=bn_div_words(n0,n1,d0);
#ifdef BN_DEBUG_LEVITTE
diff --git a/crypto/engine/eng_all.c b/crypto/engine/eng_all.c
index d29cd57dc2f1..f29c167c0698 100644
--- a/crypto/engine/eng_all.c
+++ b/crypto/engine/eng_all.c
@@ -104,7 +104,7 @@ void ENGINE_load_builtin_engines(void)
#endif
#endif
#ifndef OPENSSL_NO_HW
-#if defined(__OpenBSD__) || defined(__FreeBSD__)
+#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)
ENGINE_load_cryptodev();
#endif
#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
index 1a1e1c2655ac..eef1e2d81424 100644
--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c
@@ -755,10 +755,18 @@ cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
goto err;
kop.crk_iparams = 3;
- if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) {
+ if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL)) {
const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ printf("OCF asym process failed, Running in software\n");
+ ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
+
+ } else if (ECANCELED == kop.crk_status) {
+ const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ printf("OCF hardware operation cancelled. Running in Software\n");
ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
}
+ /* else cryptodev operation worked ok ==> ret = 1*/
+
err:
zapparams(&kop);
return (ret);
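Review bot: In cryptodev_bn_mod_exp only `ECANCELED` in `kop.crk_status` triggers the software fallback, so any other non-zero status falls through to the "worked ok" path and the function appears to return success with whatever is in `r`. The same holds for cryptodev_rsa_mod_exp in the next hunk, while the cryptodev_dsa_verify hunk treats every non-zero status as failure. Folding the status into the first test removes the duplicated branch and makes the three sites agree: `if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) || kop.crk_status != 0) {`. The added `printf` calls write to the stdout of whatever application links the library, which can corrupt its protocol or CGI output; they are better dropped or kept behind a debug build guard. Whether cryptodev_asym itself inspects crk_status is not visible here, and both functions start outside their hunks.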
@@ -801,10 +809,18 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
goto err;
kop.crk_iparams = 6;
- if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) {
+ if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL)) {
const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ printf("OCF asym process failed, running in Software\n");
+ ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
+
+ } else if (ECANCELED == kop.crk_status) {
+ const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
+ printf("OCF hardware operation cancelled. Running in Software\n");
ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
}
+ /* else cryptodev operation worked ok ==> ret = 1*/
+
err:
zapparams(&kop);
return (ret);
@@ -940,7 +956,8 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
kop.crk_iparams = 7;
if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) {
- dsaret = kop.crk_status;
+/*OCF success value is 0, if not zero, change dsaret to fail*/
+ if(0 != kop.crk_status) dsaret = 0;
} else {
const DSA_METHOD *meth = DSA_OpenSSL();
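Review bot: The accepted-signature result now depends on whatever value `dsaret` was given before this hunk, because the success path (`crk_status == 0`) no longer assigns it. For a verification routine it is safer to set the outcome at the point of decision, for example `dsaret = (kop.crk_status == 0) ? 1 : 0;` (assuming 1 is the value callers treat as valid), so a later change to the initialiser cannot turn a device error into an accepted signature. cryptodev_dsa_verify starts and ends outside the hunk.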
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index 6a8f39bef791..10a36071f71b 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
@@ -235,6 +235,7 @@ static int do_evp_md_engine(EVP_MD_CTX *ctx, const EVP_MD **ptype, ENGINE *impl)
{
/* Same comment from evp_enc.c */
EVPerr(EVP_F_DO_EVP_MD_ENGINE,EVP_R_INITIALIZATION_ERROR);
+ ENGINE_finish(impl);
return 0;
}
/* We'll use the ENGINE's private digest definition */
diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h
index 72105b0fe2b0..ef6c432538aa 100644
--- a/crypto/evp/evp_locl.h
+++ b/crypto/evp/evp_locl.h
@@ -127,9 +127,9 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
iv_len, cbits, flags, init_key, cleanup, \
set_asn1, get_asn1, ctrl) \
-BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, \
- (cbits + 7)/8, key_len, iv_len, \
- flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
+BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
+ key_len, iv_len, flags, init_key, cleanup, set_asn1, \
+ get_asn1, ctrl)
#define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \
iv_len, cbits, flags, init_key, cleanup, \
diff --git a/crypto/evp/names.c b/crypto/evp/names.c
index e2e04c3570f4..945879dc39a6 100644
--- a/crypto/evp/names.c
+++ b/crypto/evp/names.c
@@ -90,7 +90,7 @@ int EVP_add_digest(const EVP_MD *md)
r=OBJ_NAME_add(OBJ_nid2ln(md->type),OBJ_NAME_TYPE_MD_METH,(const char *)md);
if (r == 0) return(0);
- if (md->type != md->pkey_type)
+ if (md->pkey_type && md->type != md->pkey_type)
{
r=OBJ_NAME_add(OBJ_nid2sn(md->pkey_type),
OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS,name);
diff --git a/crypto/md32_common.h b/crypto/md32_common.h
index 61bcd9786f86..606aea6b9da2 100644
--- a/crypto/md32_common.h
+++ b/crypto/md32_common.h
@@ -241,11 +241,11 @@
#ifndef PEDANTIC
# if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
# if defined(__s390x__)
-# define HOST_c2l(c,l) ({ asm ("lrv %0,0(%1)" \
- :"=r"(l) : "r"(c)); \
+# define HOST_c2l(c,l) ({ asm ("lrv %0,%1" \
+ :"=d"(l) :"m"(*(const unsigned int *)(c));\
(c)+=4; (l); })
-# define HOST_l2c(l,c) ({ asm ("strv %0,0(%1)" \
- : : "r"(l),"r"(c) : "memory"); \
+# define HOST_l2c(l,c) ({ asm ("strv %1,%0" \
+ :"=m"(*(unsigned int *)(c)) :"d"(l));\
(c)+=4; (l); })
# endif
# endif
diff --git a/crypto/ocsp/ocsp_prn.c b/crypto/ocsp/ocsp_prn.c
index 01f81e7a59a2..90dd1aa38ed4 100644
--- a/crypto/ocsp/ocsp_prn.c
+++ b/crypto/ocsp/ocsp_prn.c
@@ -275,6 +275,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
}
if (!X509V3_extensions_print(bp, "Response Extensions",
rd->responseExtensions, flags, 4))
+ goto err;
if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
goto err;
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 3d794d9dad44..9f3981c3d3a5 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -25,11 +25,11 @@
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x009080dfL
+#define OPENSSL_VERSION_NUMBER 0x009080efL
#ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8m-fips 25 Feb 2010"
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8n-fips 24 Mar 2010"
#else
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8m 25 Feb 2010"
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8n 24 Mar 2010"
#endif
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/crypto/rand/rand_win.c b/crypto/rand/rand_win.c
index 5198351cf34e..5d134e186bb0 100644
--- a/crypto/rand/rand_win.c
+++ b/crypto/rand/rand_win.c
@@ -750,7 +750,7 @@ static void readscreen(void)
int y; /* y-coordinate of screen lines to grab */
int n = 16; /* number of screen lines to grab at a time */
- if (GetVersion() >= 0x80000000 || !OPENSSL_isservice())
+ if (GetVersion() < 0x80000000 && OPENSSL_isservice()>0)
return;
/* Create a screen DC and a memory DC compatible to screen DC */
diff --git a/engines/e_capi.c b/engines/e_capi.c
index fd7f13ca2cfc..59b2ab7b5896 100644
--- a/engines/e_capi.c
+++ b/engines/e_capi.c
@@ -83,6 +83,10 @@
#define CERT_STORE_CREATE_NEW_FLAG 0x00002000
#endif
+#ifndef CERT_SYSTEM_STORE_CURRENT_USER
+#define CERT_SYSTEM_STORE_CURRENT_USER 0x00010000
+#endif
+
#include <openssl/engine.h>
#include <openssl/pem.h>
#include <openssl/x509v3.h>
diff --git a/engines/e_chil.c b/engines/e_chil.c
index e1847622ea74..3a07076b4fef 100644
--- a/engines/e_chil.c
+++ b/engines/e_chil.c
@@ -1204,6 +1204,11 @@ static int hwcrhk_get_pass(const char *prompt_info,
pem_password_cb *callback = NULL;
void *callback_data = NULL;
UI_METHOD *ui_method = NULL;
+ /* Despite what the documentation says prompt_info can be
+ * an empty string.
+ */
+ if (prompt_info && !*prompt_info)
+ prompt_info = NULL;
if (cactx)
{
@@ -1305,8 +1310,10 @@ static int hwcrhk_insert_card(const char *prompt_info,
{
char answer;
char buf[BUFSIZ];
-
- if (wrong_info)
+ /* Despite what the documentation says wrong_info can be
+ * an empty string.
+ */
+ if (wrong_info && *wrong_info)
BIO_snprintf(buf, sizeof(buf)-1,
"Current card: \"%s\"\n", wrong_info);
ok = UI_dup_info_string(ui, buf);
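Review bot: `buf` is declared without an initialiser, and because the `if` has no braces, `UI_dup_info_string(ui, buf)` runs whether or not `BIO_snprintf` filled it. The new `*wrong_info` test adds the empty-string case to the paths that hand an uninitialised stack buffer to the UI, which may then copy and display stale stack contents. Add `else buf[0] = '\0';` after the `BIO_snprintf` call, or declare the array as `char buf[BUFSIZ] = "";`. hwcrhk_insert_card starts and ends outside the hunk.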
diff --git a/fips/Makefile b/fips/Makefile
index 720a883a6949..546b54b2fd4d 100644
--- a/fips/Makefile
+++ b/fips/Makefile
@@ -123,7 +123,7 @@ fips_premain_dso$(EXE_EXT): fips_premain.c
$(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS)
# this is executed only when linking with external fipscanister.o
fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c
- if [ -z $(HOSTCC) ] ; then \
+ if [ -z "$(HOSTCC)" ] ; then \
$(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o $(EX_LIBS) ; \
else \
$(HOSTCC) $(HOSTCFLAGS) -o $ $@ -I../include -I../crypto sha/fips_standalone_sha1.c ../crypto/sha/sha1dgst.c ; \
diff --git a/openssl.spec b/openssl.spec
index eb4bcede28fa..19a002f92c23 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -2,7 +2,7 @@
%define libmaj 0
%define libmin 9
%define librel 8
-%define librev m
+%define librev n
Release: 1
%define openssldir /var/ssl
diff --git a/ssl/kssl.c b/ssl/kssl.c
index 73401c92a3e9..5cba28b89b8b 100644
--- a/ssl/kssl.c
+++ b/ssl/kssl.c
@@ -1802,6 +1802,9 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx)
kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC,
KRB5_NT_SRV_HST, &princ);
+ if (krb5rc)
+ goto exit;
+
krb5rc = krb5_kt_get_entry(krb5context, krb5keytab,
princ,
0 /* IGNORE_VNO */,
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index a2ba5748d5eb..5e3583c04d42 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -291,9 +291,9 @@ again:
if (version != s->version)
{
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
- /* Send back error using their
- * version number :-) */
- s->version=version;
+ if ((s->version & 0xFF00) == (version & 0xFF00))
+ /* Send back error using their minor version number :-) */
+ s->version = (unsigned short)version;
al=SSL_AD_PROTOCOL_VERSION;
goto f_err;
}
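Review bot: The guard that keeps the major version fixed is an unbraced `if` with a comment sitting between the condition and its single-statement body, and the comment does not say why a differing major version must be left alone. Brace the body so a later edit cannot detach the assignment from the check, and record the reason given in the CHANGES entry, e.g. `/* Never adopt the peer's major version: doing so could lead to a NULL read once record protection is active (CVE-2010-0740). */`. The enclosing function starts outside the hunk.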