From 620a89a1d3c4137f6b3f2a88a6e5c214f6e38fc9 Mon Sep 17 00:00:00 2001
From: bz <bz@ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f>
Date: Wed, 30 May 2012 12:01:28 +0000
Subject: [PATCH] Update the previous openssl fix. [12:01]

Fix a bug in crypt(3) ignoring characters of a passphrase. [12:02]

Security:	FreeBSD-SA-12:01.openssl (revised)
Security:	FreeBSD-SA-12:02.crypt
Approved by:	so (bz, simon)


git-svn-id: svn://svn.freebsd.org/base/stable/9@236304 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 crypto/openssl/crypto/buffer/buffer.c |  2 +-
 crypto/openssl/ssl/s3_srvr.c          | 15 +++++++--------
 secure/lib/libcrypt/crypt-des.c       |  2 +-
 3 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/crypto/openssl/crypto/buffer/buffer.c b/crypto/openssl/crypto/buffer/buffer.c
index 0335d48f6..3b4c79f70 100644
--- a/crypto/openssl/crypto/buffer/buffer.c
+++ b/crypto/openssl/crypto/buffer/buffer.c
@@ -166,7 +166,7 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
 	/* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
 	if (len > LIMIT_BEFORE_EXPANSION)
 		{
-		BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
+		BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
 		return 0;
 		}
 	n=(len+3)/3*4;
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index 24e499109..36d929be2 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -698,14 +698,6 @@ int ssl3_check_client_hello(SSL *s)
 	int ok;
 	long n;
 
-	/* We only allow the client to restart the handshake once per
-	 * negotiation. */
-	if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
-		{
-		SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
-		return -1;
-		}
-
 	/* this function is called when we really expect a Certificate message,
 	 * so permit appropriate message length */
 	n=s->method->ssl_get_message(s,
@@ -718,6 +710,13 @@ int ssl3_check_client_hello(SSL *s)
 	s->s3->tmp.reuse_message = 1;
 	if (s->s3->tmp.message_type == SSL3_MT_CLIENT_HELLO)
 		{
+		/* We only allow the client to restart the handshake once per
+		 * negotiation. */
+		if (s->s3->flags & SSL3_FLAGS_SGC_RESTART_DONE)
+			{
+			SSLerr(SSL_F_SSL3_CHECK_CLIENT_HELLO, SSL_R_MULTIPLE_SGC_RESTARTS);
+			return -1;
+			}
 		/* Throw away what we have done so far in the current handshake,
 		 * which will now be aborted. (A full SSL_clear would be too much.) */
 #ifndef OPENSSL_NO_DH
diff --git a/secure/lib/libcrypt/crypt-des.c b/secure/lib/libcrypt/crypt-des.c
index 9adff936f..6bb9bc03c 100644
--- a/secure/lib/libcrypt/crypt-des.c
+++ b/secure/lib/libcrypt/crypt-des.c
@@ -606,7 +606,7 @@ crypt_des(const char *key, const char *setting)
 	q = (u_char *)keybuf;
 	while (q - (u_char *)keybuf - 8) {
 		*q++ = *key << 1;
-		if (*(q - 1))
+		if (*key != '\0')
 			key++;
 	}
 	if (des_setkey((char *)keybuf))
-- 
2.45.0