Date:      Mon, 26 Sep 2016 14:13:11 +0000 (UTC)
From:      Jung-uk Kim <jkim@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject:   svn commit: r306340 - in vendor-crypto/openssl/dist: . crypto crypto/engine crypto/x509 ssl
Message-ID:  <201609261413.u8QEDBK7092731@repo.freebsd.org>

Author: jkim
Date: Mon Sep 26 14:13:11 2016
New Revision: 306340
URL: https://svnweb.freebsd.org/changeset/base/306340

Log:
  Import OpenSSL 1.0.2j.

Modified:
  vendor-crypto/openssl/dist/CHANGES
  vendor-crypto/openssl/dist/FREEBSD-upgrade
  vendor-crypto/openssl/dist/Makefile
  vendor-crypto/openssl/dist/NEWS
  vendor-crypto/openssl/dist/README
  vendor-crypto/openssl/dist/crypto/engine/eng_cryptodev.c
  vendor-crypto/openssl/dist/crypto/opensslv.h
  vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c
  vendor-crypto/openssl/dist/ssl/t1_ext.c

Modified: vendor-crypto/openssl/dist/CHANGES
==============================================================================
--- vendor-crypto/openssl/dist/CHANGES	Mon Sep 26 14:01:41 2016	(r306339)
+++ vendor-crypto/openssl/dist/CHANGES	Mon Sep 26 14:13:11 2016	(r306340)
@@ -2,6 +2,18 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.2i and 1.0.2j [26 Sep 2016]
+
+  *) Missing CRL sanity check
+
+     A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
+     but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
+     CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
+
+     This issue only affects the OpenSSL 1.0.2i
+     (CVE-2016-7052)
+     [Matt Caswell]
+
  Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
 
   *) OCSP Status Request extension unbounded memory growth

Modified: vendor-crypto/openssl/dist/FREEBSD-upgrade
==============================================================================
--- vendor-crypto/openssl/dist/FREEBSD-upgrade	Mon Sep 26 14:01:41 2016	(r306339)
+++ vendor-crypto/openssl/dist/FREEBSD-upgrade	Mon Sep 26 14:13:11 2016	(r306340)
@@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/Subv
 # Xlist
 setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
 setenv FSVN "svn+ssh://repo.freebsd.org/base"
-setenv OSSLVER 1.0.2i
-# OSSLTAG format: v1_0_2i
+setenv OSSLVER 1.0.2j
+# OSSLTAG format: v1_0_2j
 
 ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
 

Modified: vendor-crypto/openssl/dist/Makefile
==============================================================================
--- vendor-crypto/openssl/dist/Makefile	Mon Sep 26 14:01:41 2016	(r306339)
+++ vendor-crypto/openssl/dist/Makefile	Mon Sep 26 14:13:11 2016	(r306340)
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2i
+VERSION=1.0.2j
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0

Modified: vendor-crypto/openssl/dist/NEWS
==============================================================================
--- vendor-crypto/openssl/dist/NEWS	Mon Sep 26 14:01:41 2016	(r306339)
+++ vendor-crypto/openssl/dist/NEWS	Mon Sep 26 14:13:11 2016	(r306340)
@@ -5,6 +5,10 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]
+
+      o Fix Use After Free for large message sizes (CVE-2016-6309)
+
   Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]
 
       o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)

Modified: vendor-crypto/openssl/dist/README
==============================================================================
--- vendor-crypto/openssl/dist/README	Mon Sep 26 14:01:41 2016	(r306339)
+++ vendor-crypto/openssl/dist/README	Mon Sep 26 14:13:11 2016	(r306340)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.2i 22 Sep 2016
+ OpenSSL 1.0.2j 26 Sep 2016
 
  Copyright (c) 1998-2015 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

Modified: vendor-crypto/openssl/dist/crypto/engine/eng_cryptodev.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/engine/eng_cryptodev.c	Mon Sep 26 14:01:41 2016	(r306339)
+++ vendor-crypto/openssl/dist/crypto/engine/eng_cryptodev.c	Mon Sep 26 14:13:11 2016	(r306340)
@@ -939,7 +939,7 @@ static int cryptodev_digest_copy(EVP_MD_
     if (fstate->mac_len != 0) {
         if (fstate->mac_data != NULL) {
             dstate->mac_data = OPENSSL_malloc(fstate->mac_len);
-            if (dstate->ac_data == NULL) {
+            if (dstate->mac_data == NULL) {
                 printf("cryptodev_digest_init: malloc failed\n");
                 return 0;
             }
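Review bot: The diagnostic on the line after the corrected NULL check still names `cryptodev_digest_init`, yet the hunk header shows this code is inside `cryptodev_digest_copy`, so an allocation failure here would be reported against the wrong function; change it to `printf("cryptodev_digest_copy: malloc failed\n");`. Emitting diagnostics to stdout with printf from library code is also unusual — stderr or the library's own error reporting would be the expected channel — though that pattern predates this hunk and is not introduced by it. cryptodev_digest_copy begins before and ends after the hunk, so whether a partially populated dstate is released on the `return 0` path cannot be judged from what is shown.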

Modified: vendor-crypto/openssl/dist/crypto/opensslv.h
==============================================================================
--- vendor-crypto/openssl/dist/crypto/opensslv.h	Mon Sep 26 14:01:41 2016	(r306339)
+++ vendor-crypto/openssl/dist/crypto/opensslv.h	Mon Sep 26 14:13:11 2016	(r306340)
@@ -30,11 +30,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x1000209fL
+# define OPENSSL_VERSION_NUMBER  0x100020afL
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2i-fips  22 Sep 2016"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2j-fips  26 Sep 2016"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2i  22 Sep 2016"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2j  26 Sep 2016"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 

Modified: vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c	Mon Sep 26 14:01:41 2016	(r306339)
+++ vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c	Mon Sep 26 14:13:11 2016	(r306340)
@@ -1124,10 +1124,10 @@ static int get_crl_sk(X509_STORE_CTX *ct
         crl = sk_X509_CRL_value(crls, i);
         reasons = *preasons;
         crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);
-        if (crl_score < best_score)
+        if (crl_score < best_score || crl_score == 0)
             continue;
         /* If current CRL is equivalent use it if it is newer */
-        if (crl_score == best_score) {
+        if (crl_score == best_score && best_crl != NULL) {
             int day, sec;
             if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl),
                                X509_CRL_get_lastUpdate(crl)) == 0)
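Review bot: The two added conditions carry the substance of the CRL sanity fix but leave no explanation in the code, so a later cleanup could fold them back to the crashing form. I would comment the `continue` with `/* a score of 0 is a rejected CRL; never let it tie with best_score */` and the tie check with `/* best_crl stays NULL until a CRL has been accepted; do not dereference it in the lastUpdate comparison */`. The second comment is supported directly by the hunk, since `X509_CRL_get_lastUpdate(best_crl)` is reached only through that branch; the first is my reading of what a zero score from get_crl_score means and should be confirmed against that function. get_crl_sk begins before and ends after this hunk, so the initial values of best_score and best_crl are not visible here.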

Modified: vendor-crypto/openssl/dist/ssl/t1_ext.c
==============================================================================
--- vendor-crypto/openssl/dist/ssl/t1_ext.c	Mon Sep 26 14:01:41 2016	(r306339)
+++ vendor-crypto/openssl/dist/ssl/t1_ext.c	Mon Sep 26 14:13:11 2016	(r306340)
@@ -275,7 +275,9 @@ int SSL_extension_supported(unsigned int
     case TLSEXT_TYPE_ec_point_formats:
     case TLSEXT_TYPE_elliptic_curves:
     case TLSEXT_TYPE_heartbeat:
+# ifndef OPENSSL_NO_NEXTPROTONEG
     case TLSEXT_TYPE_next_proto_neg:
+# endif
     case TLSEXT_TYPE_padding:
     case TLSEXT_TYPE_renegotiate:
     case TLSEXT_TYPE_server_name:
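Review bot: Wrapping `case TLSEXT_TYPE_next_proto_neg:` in `# ifndef OPENSSL_NO_NEXTPROTONEG` changes what SSL_extension_supported() reports for that extension type in a build without NPN, and nothing in the hunk records why; a one-line comment such as `/* NPN is not handled internally when compiled out, so report the type as unsupported */` would preserve the intent. Whether that result is what allows a custom extension handler to be registered for the type is my inference about the callers, not something the hunk shows, so word the comment accordingly. SSL_extension_supported begins before and ends after the hunk.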


