From owner-svn-src-all@FreeBSD.ORG Thu Jun 11 19:41:16 2015 Return-Path: Delivered-To: svn-src-all@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 15711E81; Thu, 11 Jun 2015 19:41:16 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 00C541FA0; Thu, 11 Jun 2015 19:41:16 +0000 (UTC) (envelope-from jkim@FreeBSD.org) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t5BJ16nd038660; Thu, 11 Jun 2015 19:01:06 GMT (envelope-from jkim@FreeBSD.org) Received: (from jkim@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t5BJ0ukU038588; Thu, 11 Jun 2015 19:00:56 GMT (envelope-from jkim@FreeBSD.org) Message-Id: <201506111900.t5BJ0ukU038588@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: jkim set sender to jkim@FreeBSD.org using -f From: Jung-uk Kim Date: Thu, 11 Jun 2015 19:00:56 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r284283 - in head: crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/aes crypto/openssl/crypto/asn1 crypto/openssl/crypto/bf crypto/openssl/crypto/bio crypt... X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Jun 2015 19:41:16 -0000 Author: jkim Date: Thu Jun 11 19:00:55 2015 New Revision: 284283 URL: https://svnweb.freebsd.org/changeset/base/284283 Log: Merge OpenSSL 1.0.1n. Modified: head/crypto/openssl/CHANGES head/crypto/openssl/Configure head/crypto/openssl/Makefile head/crypto/openssl/Makefile.org head/crypto/openssl/NEWS head/crypto/openssl/README head/crypto/openssl/apps/Makefile head/crypto/openssl/apps/apps.c head/crypto/openssl/apps/asn1pars.c head/crypto/openssl/apps/ca.c head/crypto/openssl/apps/cms.c head/crypto/openssl/apps/dhparam.c head/crypto/openssl/apps/enc.c head/crypto/openssl/apps/gendh.c head/crypto/openssl/apps/ocsp.c head/crypto/openssl/apps/s_cb.c head/crypto/openssl/apps/s_client.c head/crypto/openssl/apps/s_server.c head/crypto/openssl/apps/s_time.c head/crypto/openssl/apps/smime.c head/crypto/openssl/apps/srp.c head/crypto/openssl/apps/verify.c head/crypto/openssl/crypto/Makefile head/crypto/openssl/crypto/aes/Makefile head/crypto/openssl/crypto/asn1/Makefile head/crypto/openssl/crypto/asn1/a_int.c head/crypto/openssl/crypto/asn1/asn1_gen.c head/crypto/openssl/crypto/asn1/asn_mime.c head/crypto/openssl/crypto/asn1/bio_ndef.c head/crypto/openssl/crypto/asn1/tasn_new.c head/crypto/openssl/crypto/asn1/tasn_prn.c head/crypto/openssl/crypto/asn1/x_x509.c head/crypto/openssl/crypto/bf/Makefile head/crypto/openssl/crypto/bio/Makefile head/crypto/openssl/crypto/bio/b_print.c head/crypto/openssl/crypto/bio/bf_nbio.c head/crypto/openssl/crypto/bio/bio_lib.c head/crypto/openssl/crypto/bio/bss_dgram.c head/crypto/openssl/crypto/bn/Makefile head/crypto/openssl/crypto/bn/bn.h head/crypto/openssl/crypto/bn/bn_err.c head/crypto/openssl/crypto/bn/bn_gf2m.c head/crypto/openssl/crypto/bn/bn_lcl.h head/crypto/openssl/crypto/bn/bn_print.c head/crypto/openssl/crypto/bn/bn_rand.c head/crypto/openssl/crypto/bn/bn_shift.c head/crypto/openssl/crypto/buffer/Makefile head/crypto/openssl/crypto/buffer/buffer.c head/crypto/openssl/crypto/camellia/Makefile head/crypto/openssl/crypto/cast/Makefile head/crypto/openssl/crypto/cmac/Makefile head/crypto/openssl/crypto/cmac/cmac.c head/crypto/openssl/crypto/cms/Makefile head/crypto/openssl/crypto/cms/cms_pwri.c head/crypto/openssl/crypto/cms/cms_smime.c head/crypto/openssl/crypto/comp/Makefile head/crypto/openssl/crypto/conf/Makefile head/crypto/openssl/crypto/cryptlib.c head/crypto/openssl/crypto/des/Makefile head/crypto/openssl/crypto/des/des.c head/crypto/openssl/crypto/des/enc_writ.c head/crypto/openssl/crypto/dh/Makefile head/crypto/openssl/crypto/dh/dh_ameth.c head/crypto/openssl/crypto/dsa/Makefile head/crypto/openssl/crypto/dsa/dsa_gen.c head/crypto/openssl/crypto/dsa/dsa_ossl.c head/crypto/openssl/crypto/dso/Makefile head/crypto/openssl/crypto/dso/dso_lib.c head/crypto/openssl/crypto/ec/Makefile head/crypto/openssl/crypto/ec/ec2_oct.c head/crypto/openssl/crypto/ec/ec_asn1.c head/crypto/openssl/crypto/ec/ec_check.c head/crypto/openssl/crypto/ec/ec_key.c head/crypto/openssl/crypto/ec/ec_lcl.h head/crypto/openssl/crypto/ec/ec_lib.c head/crypto/openssl/crypto/ec/eck_prn.c head/crypto/openssl/crypto/ec/ecp_oct.c head/crypto/openssl/crypto/ec/ectest.c head/crypto/openssl/crypto/ecdh/Makefile head/crypto/openssl/crypto/ecdsa/Makefile head/crypto/openssl/crypto/ecdsa/ecdsatest.c head/crypto/openssl/crypto/engine/Makefile head/crypto/openssl/crypto/engine/eng_table.c head/crypto/openssl/crypto/err/Makefile head/crypto/openssl/crypto/evp/Makefile head/crypto/openssl/crypto/evp/bio_ok.c head/crypto/openssl/crypto/evp/e_aes.c head/crypto/openssl/crypto/evp/e_aes_cbc_hmac_sha1.c head/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c head/crypto/openssl/crypto/evp/encode.c head/crypto/openssl/crypto/evp/evp.h head/crypto/openssl/crypto/evp/p_seal.c head/crypto/openssl/crypto/hmac/Makefile head/crypto/openssl/crypto/hmac/hmac.c head/crypto/openssl/crypto/hmac/hmac.h head/crypto/openssl/crypto/hmac/hmactest.c head/crypto/openssl/crypto/idea/Makefile head/crypto/openssl/crypto/jpake/Makefile head/crypto/openssl/crypto/krb5/Makefile head/crypto/openssl/crypto/lhash/Makefile head/crypto/openssl/crypto/md2/Makefile head/crypto/openssl/crypto/md32_common.h head/crypto/openssl/crypto/md4/Makefile head/crypto/openssl/crypto/md5/Makefile head/crypto/openssl/crypto/mdc2/Makefile head/crypto/openssl/crypto/mem.c head/crypto/openssl/crypto/modes/Makefile head/crypto/openssl/crypto/modes/gcm128.c head/crypto/openssl/crypto/objects/Makefile head/crypto/openssl/crypto/objects/o_names.c head/crypto/openssl/crypto/objects/obj_dat.c head/crypto/openssl/crypto/objects/objects.README head/crypto/openssl/crypto/objects/objects.pl head/crypto/openssl/crypto/ocsp/Makefile head/crypto/openssl/crypto/ocsp/ocsp_ext.c head/crypto/openssl/crypto/ocsp/ocsp_vfy.c head/crypto/openssl/crypto/opensslv.h head/crypto/openssl/crypto/pem/Makefile head/crypto/openssl/crypto/pem/pem_lib.c head/crypto/openssl/crypto/pem/pem_pk8.c head/crypto/openssl/crypto/pkcs12/Makefile head/crypto/openssl/crypto/pkcs12/p12_mutl.c head/crypto/openssl/crypto/pkcs7/Makefile head/crypto/openssl/crypto/pkcs7/pk7_doit.c head/crypto/openssl/crypto/pqueue/Makefile head/crypto/openssl/crypto/rand/Makefile head/crypto/openssl/crypto/rc2/Makefile head/crypto/openssl/crypto/rc4/Makefile head/crypto/openssl/crypto/rc5/Makefile head/crypto/openssl/crypto/ripemd/Makefile head/crypto/openssl/crypto/rsa/Makefile head/crypto/openssl/crypto/rsa/rsa_pmeth.c head/crypto/openssl/crypto/seed/Makefile head/crypto/openssl/crypto/sha/Makefile head/crypto/openssl/crypto/srp/Makefile head/crypto/openssl/crypto/srp/srp_vfy.c head/crypto/openssl/crypto/stack/Makefile head/crypto/openssl/crypto/store/Makefile head/crypto/openssl/crypto/threads/th-lock.c head/crypto/openssl/crypto/ts/Makefile head/crypto/openssl/crypto/txt_db/Makefile head/crypto/openssl/crypto/ui/Makefile head/crypto/openssl/crypto/whrlpool/Makefile head/crypto/openssl/crypto/x509/Makefile head/crypto/openssl/crypto/x509/x509_lu.c head/crypto/openssl/crypto/x509/x509_vfy.c head/crypto/openssl/crypto/x509/x509_vfy.h head/crypto/openssl/crypto/x509/x509_vpm.c head/crypto/openssl/crypto/x509/x509type.c head/crypto/openssl/crypto/x509v3/Makefile head/crypto/openssl/crypto/x509v3/v3_alt.c head/crypto/openssl/crypto/x509v3/v3_cpols.c head/crypto/openssl/crypto/x509v3/v3_utl.c head/crypto/openssl/doc/apps/cms.pod head/crypto/openssl/doc/apps/config.pod head/crypto/openssl/doc/apps/dhparam.pod head/crypto/openssl/doc/apps/ocsp.pod head/crypto/openssl/doc/apps/s_client.pod head/crypto/openssl/doc/apps/s_server.pod head/crypto/openssl/doc/apps/smime.pod head/crypto/openssl/doc/apps/verify.pod head/crypto/openssl/doc/crypto/BN_rand.pod head/crypto/openssl/doc/crypto/BN_set_bit.pod head/crypto/openssl/doc/crypto/X509_VERIFY_PARAM_set_flags.pod head/crypto/openssl/doc/crypto/pem.pod head/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod head/crypto/openssl/e_os2.h head/crypto/openssl/engines/Makefile head/crypto/openssl/engines/ccgost/Makefile head/crypto/openssl/engines/ccgost/e_gost_err.c head/crypto/openssl/engines/ccgost/e_gost_err.h head/crypto/openssl/engines/ccgost/gost2001.c head/crypto/openssl/engines/ccgost/gost94_keyx.c head/crypto/openssl/engines/ccgost/gost_ameth.c head/crypto/openssl/engines/ccgost/gost_pmeth.c head/crypto/openssl/engines/ccgost/gost_sign.c head/crypto/openssl/engines/e_sureware.c head/crypto/openssl/ssl/Makefile head/crypto/openssl/ssl/d1_both.c head/crypto/openssl/ssl/d1_clnt.c head/crypto/openssl/ssl/d1_lib.c head/crypto/openssl/ssl/d1_pkt.c head/crypto/openssl/ssl/d1_srvr.c head/crypto/openssl/ssl/s2_pkt.c head/crypto/openssl/ssl/s2_srvr.c head/crypto/openssl/ssl/s3_both.c head/crypto/openssl/ssl/s3_cbc.c head/crypto/openssl/ssl/s3_clnt.c head/crypto/openssl/ssl/s3_pkt.c head/crypto/openssl/ssl/s3_srvr.c head/crypto/openssl/ssl/ssl.h head/crypto/openssl/ssl/ssl_err.c head/crypto/openssl/ssl/ssl_lib.c head/crypto/openssl/ssl/ssl_locl.h head/crypto/openssl/ssl/ssl_sess.c head/crypto/openssl/ssl/ssl_stat.c head/crypto/openssl/ssl/ssltest.c head/crypto/openssl/ssl/t1_enc.c head/crypto/openssl/ssl/t1_lib.c head/crypto/openssl/ssl/tls_srp.c head/crypto/openssl/util/mk1mf.pl head/crypto/openssl/util/mkerr.pl head/crypto/openssl/util/pl/BC-32.pl head/crypto/openssl/util/pl/VC-32.pl head/secure/lib/libcrypto/Makefile.inc head/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 head/secure/lib/libcrypto/man/ASN1_STRING_length.3 head/secure/lib/libcrypto/man/ASN1_STRING_new.3 head/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 head/secure/lib/libcrypto/man/ASN1_generate_nconf.3 head/secure/lib/libcrypto/man/BIO_ctrl.3 head/secure/lib/libcrypto/man/BIO_f_base64.3 head/secure/lib/libcrypto/man/BIO_f_buffer.3 head/secure/lib/libcrypto/man/BIO_f_cipher.3 head/secure/lib/libcrypto/man/BIO_f_md.3 head/secure/lib/libcrypto/man/BIO_f_null.3 head/secure/lib/libcrypto/man/BIO_f_ssl.3 head/secure/lib/libcrypto/man/BIO_find_type.3 head/secure/lib/libcrypto/man/BIO_new.3 head/secure/lib/libcrypto/man/BIO_new_CMS.3 head/secure/lib/libcrypto/man/BIO_push.3 head/secure/lib/libcrypto/man/BIO_read.3 head/secure/lib/libcrypto/man/BIO_s_accept.3 head/secure/lib/libcrypto/man/BIO_s_bio.3 head/secure/lib/libcrypto/man/BIO_s_connect.3 head/secure/lib/libcrypto/man/BIO_s_fd.3 head/secure/lib/libcrypto/man/BIO_s_file.3 head/secure/lib/libcrypto/man/BIO_s_mem.3 head/secure/lib/libcrypto/man/BIO_s_null.3 head/secure/lib/libcrypto/man/BIO_s_socket.3 head/secure/lib/libcrypto/man/BIO_set_callback.3 head/secure/lib/libcrypto/man/BIO_should_retry.3 head/secure/lib/libcrypto/man/BN_BLINDING_new.3 head/secure/lib/libcrypto/man/BN_CTX_new.3 head/secure/lib/libcrypto/man/BN_CTX_start.3 head/secure/lib/libcrypto/man/BN_add.3 head/secure/lib/libcrypto/man/BN_add_word.3 head/secure/lib/libcrypto/man/BN_bn2bin.3 head/secure/lib/libcrypto/man/BN_cmp.3 head/secure/lib/libcrypto/man/BN_copy.3 head/secure/lib/libcrypto/man/BN_generate_prime.3 head/secure/lib/libcrypto/man/BN_mod_inverse.3 head/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 head/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 head/secure/lib/libcrypto/man/BN_new.3 head/secure/lib/libcrypto/man/BN_num_bytes.3 head/secure/lib/libcrypto/man/BN_rand.3 head/secure/lib/libcrypto/man/BN_set_bit.3 head/secure/lib/libcrypto/man/BN_swap.3 head/secure/lib/libcrypto/man/BN_zero.3 head/secure/lib/libcrypto/man/CMS_add0_cert.3 head/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3 head/secure/lib/libcrypto/man/CMS_add1_signer.3 head/secure/lib/libcrypto/man/CMS_compress.3 head/secure/lib/libcrypto/man/CMS_decrypt.3 head/secure/lib/libcrypto/man/CMS_encrypt.3 head/secure/lib/libcrypto/man/CMS_final.3 head/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3 head/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3 head/secure/lib/libcrypto/man/CMS_get0_type.3 head/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 head/secure/lib/libcrypto/man/CMS_sign.3 head/secure/lib/libcrypto/man/CMS_sign_receipt.3 head/secure/lib/libcrypto/man/CMS_uncompress.3 head/secure/lib/libcrypto/man/CMS_verify.3 head/secure/lib/libcrypto/man/CMS_verify_receipt.3 head/secure/lib/libcrypto/man/CONF_modules_free.3 head/secure/lib/libcrypto/man/CONF_modules_load_file.3 head/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 head/secure/lib/libcrypto/man/DH_generate_key.3 head/secure/lib/libcrypto/man/DH_generate_parameters.3 head/secure/lib/libcrypto/man/DH_get_ex_new_index.3 head/secure/lib/libcrypto/man/DH_new.3 head/secure/lib/libcrypto/man/DH_set_method.3 head/secure/lib/libcrypto/man/DH_size.3 head/secure/lib/libcrypto/man/DSA_SIG_new.3 head/secure/lib/libcrypto/man/DSA_do_sign.3 head/secure/lib/libcrypto/man/DSA_dup_DH.3 head/secure/lib/libcrypto/man/DSA_generate_key.3 head/secure/lib/libcrypto/man/DSA_generate_parameters.3 head/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 head/secure/lib/libcrypto/man/DSA_new.3 head/secure/lib/libcrypto/man/DSA_set_method.3 head/secure/lib/libcrypto/man/DSA_sign.3 head/secure/lib/libcrypto/man/DSA_size.3 head/secure/lib/libcrypto/man/ERR_GET_LIB.3 head/secure/lib/libcrypto/man/ERR_clear_error.3 head/secure/lib/libcrypto/man/ERR_error_string.3 head/secure/lib/libcrypto/man/ERR_get_error.3 head/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 head/secure/lib/libcrypto/man/ERR_load_strings.3 head/secure/lib/libcrypto/man/ERR_print_errors.3 head/secure/lib/libcrypto/man/ERR_put_error.3 head/secure/lib/libcrypto/man/ERR_remove_state.3 head/secure/lib/libcrypto/man/ERR_set_mark.3 head/secure/lib/libcrypto/man/EVP_BytesToKey.3 head/secure/lib/libcrypto/man/EVP_DigestInit.3 head/secure/lib/libcrypto/man/EVP_DigestSignInit.3 head/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3 head/secure/lib/libcrypto/man/EVP_EncryptInit.3 head/secure/lib/libcrypto/man/EVP_OpenInit.3 head/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 head/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3 head/secure/lib/libcrypto/man/EVP_PKEY_cmp.3 head/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3 head/secure/lib/libcrypto/man/EVP_PKEY_derive.3 head/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3 head/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3 head/secure/lib/libcrypto/man/EVP_PKEY_keygen.3 head/secure/lib/libcrypto/man/EVP_PKEY_new.3 head/secure/lib/libcrypto/man/EVP_PKEY_print_private.3 head/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 head/secure/lib/libcrypto/man/EVP_PKEY_sign.3 head/secure/lib/libcrypto/man/EVP_PKEY_verify.3 head/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3 head/secure/lib/libcrypto/man/EVP_SealInit.3 head/secure/lib/libcrypto/man/EVP_SignInit.3 head/secure/lib/libcrypto/man/EVP_VerifyInit.3 head/secure/lib/libcrypto/man/OBJ_nid2obj.3 head/secure/lib/libcrypto/man/OPENSSL_Applink.3 head/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 head/secure/lib/libcrypto/man/OPENSSL_config.3 head/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 head/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 head/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 head/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 head/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 head/secure/lib/libcrypto/man/PKCS12_create.3 head/secure/lib/libcrypto/man/PKCS12_parse.3 head/secure/lib/libcrypto/man/PKCS7_decrypt.3 head/secure/lib/libcrypto/man/PKCS7_encrypt.3 head/secure/lib/libcrypto/man/PKCS7_sign.3 head/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3 head/secure/lib/libcrypto/man/PKCS7_verify.3 head/secure/lib/libcrypto/man/RAND_add.3 head/secure/lib/libcrypto/man/RAND_bytes.3 head/secure/lib/libcrypto/man/RAND_cleanup.3 head/secure/lib/libcrypto/man/RAND_egd.3 head/secure/lib/libcrypto/man/RAND_load_file.3 head/secure/lib/libcrypto/man/RAND_set_rand_method.3 head/secure/lib/libcrypto/man/RSA_blinding_on.3 head/secure/lib/libcrypto/man/RSA_check_key.3 head/secure/lib/libcrypto/man/RSA_generate_key.3 head/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 head/secure/lib/libcrypto/man/RSA_new.3 head/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 head/secure/lib/libcrypto/man/RSA_print.3 head/secure/lib/libcrypto/man/RSA_private_encrypt.3 head/secure/lib/libcrypto/man/RSA_public_encrypt.3 head/secure/lib/libcrypto/man/RSA_set_method.3 head/secure/lib/libcrypto/man/RSA_sign.3 head/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 head/secure/lib/libcrypto/man/RSA_size.3 head/secure/lib/libcrypto/man/SMIME_read_CMS.3 head/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 head/secure/lib/libcrypto/man/SMIME_write_CMS.3 head/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 head/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 head/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 head/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 head/secure/lib/libcrypto/man/X509_NAME_print_ex.3 head/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3 head/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 head/secure/lib/libcrypto/man/X509_STORE_CTX_new.3 head/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 head/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 head/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 head/secure/lib/libcrypto/man/X509_new.3 head/secure/lib/libcrypto/man/X509_verify_cert.3 head/secure/lib/libcrypto/man/bio.3 head/secure/lib/libcrypto/man/blowfish.3 head/secure/lib/libcrypto/man/bn.3 head/secure/lib/libcrypto/man/bn_internal.3 head/secure/lib/libcrypto/man/buffer.3 head/secure/lib/libcrypto/man/crypto.3 head/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 head/secure/lib/libcrypto/man/d2i_CMS_ContentInfo.3 head/secure/lib/libcrypto/man/d2i_DHparams.3 head/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 head/secure/lib/libcrypto/man/d2i_ECPrivateKey.3 head/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 head/secure/lib/libcrypto/man/d2i_RSAPublicKey.3 head/secure/lib/libcrypto/man/d2i_X509.3 head/secure/lib/libcrypto/man/d2i_X509_ALGOR.3 head/secure/lib/libcrypto/man/d2i_X509_CRL.3 head/secure/lib/libcrypto/man/d2i_X509_NAME.3 head/secure/lib/libcrypto/man/d2i_X509_REQ.3 head/secure/lib/libcrypto/man/d2i_X509_SIG.3 head/secure/lib/libcrypto/man/des.3 head/secure/lib/libcrypto/man/dh.3 head/secure/lib/libcrypto/man/dsa.3 head/secure/lib/libcrypto/man/ecdsa.3 head/secure/lib/libcrypto/man/engine.3 head/secure/lib/libcrypto/man/err.3 head/secure/lib/libcrypto/man/evp.3 head/secure/lib/libcrypto/man/hmac.3 head/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3 head/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 head/secure/lib/libcrypto/man/lh_stats.3 head/secure/lib/libcrypto/man/lhash.3 head/secure/lib/libcrypto/man/md5.3 head/secure/lib/libcrypto/man/mdc2.3 head/secure/lib/libcrypto/man/pem.3 head/secure/lib/libcrypto/man/rand.3 head/secure/lib/libcrypto/man/rc4.3 head/secure/lib/libcrypto/man/ripemd.3 head/secure/lib/libcrypto/man/rsa.3 head/secure/lib/libcrypto/man/sha.3 head/secure/lib/libcrypto/man/threads.3 head/secure/lib/libcrypto/man/ui.3 head/secure/lib/libcrypto/man/ui_compat.3 head/secure/lib/libcrypto/man/x509.3 head/secure/lib/libssl/man/SSL_CIPHER_get_name.3 head/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 head/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 head/secure/lib/libssl/man/SSL_CTX_add_session.3 head/secure/lib/libssl/man/SSL_CTX_ctrl.3 head/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 head/secure/lib/libssl/man/SSL_CTX_free.3 head/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 head/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 head/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 head/secure/lib/libssl/man/SSL_CTX_new.3 head/secure/lib/libssl/man/SSL_CTX_sess_number.3 head/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 head/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 head/secure/lib/libssl/man/SSL_CTX_sessions.3 head/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 head/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 head/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 head/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 head/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 head/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 head/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 head/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 head/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 head/secure/lib/libssl/man/SSL_CTX_set_mode.3 head/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 head/secure/lib/libssl/man/SSL_CTX_set_options.3 head/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 head/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 head/secure/lib/libssl/man/SSL_CTX_set_read_ahead.3 head/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 head/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 head/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 head/secure/lib/libssl/man/SSL_CTX_set_timeout.3 head/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 head/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 head/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 head/secure/lib/libssl/man/SSL_CTX_set_verify.3 head/secure/lib/libssl/man/SSL_CTX_use_certificate.3 head/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 head/secure/lib/libssl/man/SSL_SESSION_free.3 head/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 head/secure/lib/libssl/man/SSL_SESSION_get_time.3 head/secure/lib/libssl/man/SSL_accept.3 head/secure/lib/libssl/man/SSL_alert_type_string.3 head/secure/lib/libssl/man/SSL_clear.3 head/secure/lib/libssl/man/SSL_connect.3 head/secure/lib/libssl/man/SSL_do_handshake.3 head/secure/lib/libssl/man/SSL_free.3 head/secure/lib/libssl/man/SSL_get_SSL_CTX.3 head/secure/lib/libssl/man/SSL_get_ciphers.3 head/secure/lib/libssl/man/SSL_get_client_CA_list.3 head/secure/lib/libssl/man/SSL_get_current_cipher.3 head/secure/lib/libssl/man/SSL_get_default_timeout.3 head/secure/lib/libssl/man/SSL_get_error.3 head/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 head/secure/lib/libssl/man/SSL_get_ex_new_index.3 head/secure/lib/libssl/man/SSL_get_fd.3 head/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 head/secure/lib/libssl/man/SSL_get_peer_certificate.3 head/secure/lib/libssl/man/SSL_get_psk_identity.3 head/secure/lib/libssl/man/SSL_get_rbio.3 head/secure/lib/libssl/man/SSL_get_session.3 head/secure/lib/libssl/man/SSL_get_verify_result.3 head/secure/lib/libssl/man/SSL_get_version.3 head/secure/lib/libssl/man/SSL_library_init.3 head/secure/lib/libssl/man/SSL_load_client_CA_file.3 head/secure/lib/libssl/man/SSL_new.3 head/secure/lib/libssl/man/SSL_pending.3 head/secure/lib/libssl/man/SSL_read.3 head/secure/lib/libssl/man/SSL_rstate_string.3 head/secure/lib/libssl/man/SSL_session_reused.3 head/secure/lib/libssl/man/SSL_set_bio.3 head/secure/lib/libssl/man/SSL_set_connect_state.3 head/secure/lib/libssl/man/SSL_set_fd.3 head/secure/lib/libssl/man/SSL_set_session.3 head/secure/lib/libssl/man/SSL_set_shutdown.3 head/secure/lib/libssl/man/SSL_set_verify_result.3 head/secure/lib/libssl/man/SSL_shutdown.3 head/secure/lib/libssl/man/SSL_state_string.3 head/secure/lib/libssl/man/SSL_want.3 head/secure/lib/libssl/man/SSL_write.3 head/secure/lib/libssl/man/d2i_SSL_SESSION.3 head/secure/lib/libssl/man/ssl.3 head/secure/usr.bin/openssl/man/CA.pl.1 head/secure/usr.bin/openssl/man/asn1parse.1 head/secure/usr.bin/openssl/man/c_rehash.1 head/secure/usr.bin/openssl/man/ca.1 head/secure/usr.bin/openssl/man/ciphers.1 head/secure/usr.bin/openssl/man/cms.1 head/secure/usr.bin/openssl/man/crl.1 head/secure/usr.bin/openssl/man/crl2pkcs7.1 head/secure/usr.bin/openssl/man/dgst.1 head/secure/usr.bin/openssl/man/dhparam.1 head/secure/usr.bin/openssl/man/dsa.1 head/secure/usr.bin/openssl/man/dsaparam.1 head/secure/usr.bin/openssl/man/ec.1 head/secure/usr.bin/openssl/man/ecparam.1 head/secure/usr.bin/openssl/man/enc.1 head/secure/usr.bin/openssl/man/errstr.1 head/secure/usr.bin/openssl/man/gendsa.1 head/secure/usr.bin/openssl/man/genpkey.1 head/secure/usr.bin/openssl/man/genrsa.1 head/secure/usr.bin/openssl/man/nseq.1 head/secure/usr.bin/openssl/man/ocsp.1 head/secure/usr.bin/openssl/man/openssl.1 head/secure/usr.bin/openssl/man/passwd.1 head/secure/usr.bin/openssl/man/pkcs12.1 head/secure/usr.bin/openssl/man/pkcs7.1 head/secure/usr.bin/openssl/man/pkcs8.1 head/secure/usr.bin/openssl/man/pkey.1 head/secure/usr.bin/openssl/man/pkeyparam.1 head/secure/usr.bin/openssl/man/pkeyutl.1 head/secure/usr.bin/openssl/man/rand.1 head/secure/usr.bin/openssl/man/req.1 head/secure/usr.bin/openssl/man/rsa.1 head/secure/usr.bin/openssl/man/rsautl.1 head/secure/usr.bin/openssl/man/s_client.1 head/secure/usr.bin/openssl/man/s_server.1 head/secure/usr.bin/openssl/man/s_time.1 head/secure/usr.bin/openssl/man/sess_id.1 head/secure/usr.bin/openssl/man/smime.1 head/secure/usr.bin/openssl/man/speed.1 head/secure/usr.bin/openssl/man/spkac.1 head/secure/usr.bin/openssl/man/ts.1 head/secure/usr.bin/openssl/man/tsget.1 head/secure/usr.bin/openssl/man/verify.1 head/secure/usr.bin/openssl/man/version.1 head/secure/usr.bin/openssl/man/x509.1 head/secure/usr.bin/openssl/man/x509v3_config.1 Directory Properties: head/crypto/openssl/ (props changed) Modified: head/crypto/openssl/CHANGES ============================================================================== --- head/crypto/openssl/CHANGES Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/CHANGES Thu Jun 11 19:00:55 2015 (r284283) @@ -2,6 +2,77 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1m and 1.0.1n [11 Jun 2015] + + *) Malformed ECParameters causes infinite loop + + When processing an ECParameters structure OpenSSL enters an infinite loop + if the curve specified is over a specially malformed binary polynomial + field. + + This can be used to perform denial of service against any + system which processes public keys, certificate requests or + certificates. This includes TLS clients and TLS servers with + client authentication enabled. + + This issue was reported to OpenSSL by Joseph Barr-Pixton. + (CVE-2015-1788) + [Andy Polyakov] + + *) Exploitable out-of-bounds read in X509_cmp_time + + X509_cmp_time does not properly check the length of the ASN1_TIME + string and can read a few bytes out of bounds. In addition, + X509_cmp_time accepts an arbitrary number of fractional seconds in the + time string. + + An attacker can use this to craft malformed certificates and CRLs of + various sizes and potentially cause a segmentation fault, resulting in + a DoS on applications that verify certificates or CRLs. TLS clients + that verify CRLs are affected. TLS clients and servers with client + authentication enabled may be affected if they use custom verification + callbacks. + + This issue was reported to OpenSSL by Robert Swiecki (Google), and + independently by Hanno Böck. + (CVE-2015-1789) + [Emilia Käsper] + + *) PKCS7 crash with missing EnvelopedContent + + The PKCS#7 parsing code does not handle missing inner EncryptedContent + correctly. An attacker can craft malformed ASN.1-encoded PKCS#7 blobs + with missing content and trigger a NULL pointer dereference on parsing. + + Applications that decrypt PKCS#7 data or otherwise parse PKCS#7 + structures from untrusted sources are affected. OpenSSL clients and + servers are not affected. + + This issue was reported to OpenSSL by Michal Zalewski (Google). + (CVE-2015-1790) + [Emilia Käsper] + + *) CMS verify infinite loop with unknown hash function + + When verifying a signedData message the CMS code can enter an infinite loop + if presented with an unknown hash function OID. This can be used to perform + denial of service against any system which verifies signedData messages using + the CMS code. + This issue was reported to OpenSSL by Johannes Bauer. + (CVE-2015-1792) + [Stephen Henson] + + *) Race condition handling NewSessionTicket + + If a NewSessionTicket is received by a multi-threaded client when attempting to + reuse a previous ticket then a race condition can occur potentially leading to + a double free of the ticket data. + (CVE-2015-1791) + [Matt Caswell] + + *) Reject DH handshakes with parameters shorter than 768 bits. + [Kurt Roeckx and Emilia Kasper] + Changes between 1.0.1l and 1.0.1m [19 Mar 2015] *) Segmentation fault in ASN1_TYPE_cmp fix Modified: head/crypto/openssl/Configure ============================================================================== --- head/crypto/openssl/Configure Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/Configure Thu Jun 11 19:00:55 2015 (r284283) @@ -230,12 +230,12 @@ my %table=( #### SPARC Solaris with GNU C setups "solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"solaris-sparcv8-gcc","gcc:-mcpu=v8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc "solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64", #### -"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=v8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -O -g -mcpu=ultrasparc -pedantic -ansi -Wall -Wshadow -Wno-long-long -D__EXTENSIONS__ -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", #### SPARC Solaris with Sun C setups @@ -252,7 +252,7 @@ my %table=( #### SunOS configs, assuming sparc for the gcc one. #"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::", -"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::", +"sunos-gcc","gcc:-O3 -mcpu=v8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:${no_asm}::", #### IRIX 5.x configs # -mips2 flag is added by ./config when appropriate. @@ -379,7 +379,7 @@ my %table=( #### SPARC Linux setups # Ray Miller has patiently # assisted with debugging of following two configs. -"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"linux-sparcv8","gcc:-mcpu=v8 -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv8_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # it's a real mess with -mcpu=ultrasparc option under Linux, but # -Wa,-Av8plus should do the trick no matter what. "linux-sparcv9","gcc:-m32 -mcpu=ultrasparc -DB_ENDIAN -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${sparcv9_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", @@ -413,7 +413,7 @@ my %table=( "BSD-x86", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "BSD-x86-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-BSD-x86-elf", "gcc:-DL_ENDIAN -O3 -Wall -g::${BSDthreads}:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", -"BSD-sparcv8", "gcc:-DB_ENDIAN -O3 -mv8 -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", +"BSD-sparcv8", "gcc:-DB_ENDIAN -O3 -mcpu=v8 -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${sparcv8_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "BSD-generic64","gcc:-O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", # -DMD32_REG_T=int doesn't actually belong in sparc64 target, it Modified: head/crypto/openssl/Makefile ============================================================================== --- head/crypto/openssl/Makefile Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/Makefile Thu Jun 11 19:00:55 2015 (r284283) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.1m +VERSION=1.0.1n MAJOR=1 MINOR=0.1 SHLIB_VERSION_NUMBER=1.0.0 @@ -186,7 +186,7 @@ WTARFILE= $(NAME)-win.tar EXHEADER= e_os2.h HEADER= e_os.h -all: Makefile build_all openssl.pc libssl.pc libcrypto.pc +all: Makefile build_all # as we stick to -e, CLEARENV ensures that local variables in lower # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn @@ -272,7 +272,10 @@ reflect: sub_all: build_all build_all: build_libs build_apps build_tests build_tools -build_libs: build_crypto build_ssl build_engines +build_libs: build_libcrypto build_libssl openssl.pc + +build_libcrypto: build_crypto build_engines libcrypto.pc +build_libssl: build_ssl libssl.pc build_crypto: @dir=crypto; target=all; $(BUILD_ONE_CMD) @@ -461,6 +464,9 @@ tests: rehash report: @$(PERL) util/selftest.pl +update: errors stacks util/libeay.num util/ssleay.num TABLE + @set -e; target=update; $(RECURSIVE_BUILD_CMD) + depend: @set -e; target=depend; $(RECURSIVE_BUILD_CMD) @@ -485,26 +491,10 @@ util/libeay.num:: util/ssleay.num:: $(PERL) util/mkdef.pl ssl update -crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h - $(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h -crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num - $(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h -crypto/objects/obj_xref.h: crypto/objects/objxref.pl crypto/objects/obj_xref.txt crypto/objects/obj_mac.num - $(PERL) crypto/objects/objxref.pl crypto/objects/obj_mac.num crypto/objects/obj_xref.txt >crypto/objects/obj_xref.h - -apps/openssl-vms.cnf: apps/openssl.cnf - $(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf - -crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl - $(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h - - TABLE: Configure (echo 'Output of `Configure TABLE'"':"; \ $(PERL) Configure TABLE) > TABLE -update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h crypto/objects/obj_xref.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend - # Build distribution tar-file. As the list of files returned by "find" is # pretty long, on several platforms a "too many arguments" error or similar # would occur. Therefore the list of files is temporarily stored into a file Modified: head/crypto/openssl/Makefile.org ============================================================================== --- head/crypto/openssl/Makefile.org Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/Makefile.org Thu Jun 11 19:00:55 2015 (r284283) @@ -184,7 +184,7 @@ WTARFILE= $(NAME)-win.tar EXHEADER= e_os2.h HEADER= e_os.h -all: Makefile build_all openssl.pc libssl.pc libcrypto.pc +all: Makefile build_all # as we stick to -e, CLEARENV ensures that local variables in lower # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn @@ -270,7 +270,10 @@ reflect: sub_all: build_all build_all: build_libs build_apps build_tests build_tools -build_libs: build_crypto build_ssl build_engines +build_libs: build_libcrypto build_libssl openssl.pc + +build_libcrypto: build_crypto build_engines libcrypto.pc +build_libssl: build_ssl libssl.pc build_crypto: @dir=crypto; target=all; $(BUILD_ONE_CMD) @@ -459,6 +462,9 @@ tests: rehash report: @$(PERL) util/selftest.pl +update: errors stacks util/libeay.num util/ssleay.num TABLE + @set -e; target=update; $(RECURSIVE_BUILD_CMD) + depend: @set -e; target=depend; $(RECURSIVE_BUILD_CMD) @@ -483,26 +489,10 @@ util/libeay.num:: util/ssleay.num:: $(PERL) util/mkdef.pl ssl update -crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h - $(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h -crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num - $(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h -crypto/objects/obj_xref.h: crypto/objects/objxref.pl crypto/objects/obj_xref.txt crypto/objects/obj_mac.num - $(PERL) crypto/objects/objxref.pl crypto/objects/obj_mac.num crypto/objects/obj_xref.txt >crypto/objects/obj_xref.h - -apps/openssl-vms.cnf: apps/openssl.cnf - $(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf - -crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl - $(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h - - TABLE: Configure (echo 'Output of `Configure TABLE'"':"; \ $(PERL) Configure TABLE) > TABLE -update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h crypto/objects/obj_xref.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend - # Build distribution tar-file. As the list of files returned by "find" is # pretty long, on several platforms a "too many arguments" error or similar # would occur. Therefore the list of files is temporarily stored into a file Modified: head/crypto/openssl/NEWS ============================================================================== --- head/crypto/openssl/NEWS Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/NEWS Thu Jun 11 19:00:55 2015 (r284283) @@ -5,6 +5,14 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015] + + o Malformed ECParameters causes infinite loop (CVE-2015-1788) + o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) + o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790) + o CMS verify infinite loop with unknown hash function (CVE-2015-1792) + o Race condition handling NewSessionTicket (CVE-2015-1791) + Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.1m [19 Mar 2015] o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286) Modified: head/crypto/openssl/README ============================================================================== --- head/crypto/openssl/README Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/README Thu Jun 11 19:00:55 2015 (r284283) @@ -1,5 +1,5 @@ - OpenSSL 1.0.1m 19 Mar 2015 + OpenSSL 1.0.1n 11 Jun 2015 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: head/crypto/openssl/apps/Makefile ============================================================================== --- head/crypto/openssl/apps/Makefile Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/Makefile Thu Jun 11 19:00:55 2015 (r284283) @@ -94,6 +94,9 @@ req: sreq.o $(A_OBJ) $(DLIBCRYPTO) sreq.o: req.c $(CC) -c $(INCLUDES) $(CFLAG) -o sreq.o req.c +openssl-vms.cnf: openssl.cnf + $(PERL) $(TOP)/VMS/VMSify-conf.pl < openssl.cnf > openssl-vms.cnf + files: $(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO @@ -127,12 +130,12 @@ links: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff -depend: - @if [ -z "$(THIS)" ]; then \ - $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \ - else \ - $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \ - fi +update: openssl-vms.cnf local_depend + +depend: local_depend + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi +local_depend: + @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \ dclean: $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new @@ -144,10 +147,10 @@ clean: rm -f req $(DLIBSSL): - (cd ..; $(MAKE) DIRS=ssl all) + (cd ..; $(MAKE) build_libssl) $(DLIBCRYPTO): - (cd ..; $(MAKE) DIRS=crypto all) + (cd ..; $(MAKE) build_libcrypto) $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL) $(RM) $(EXE) Modified: head/crypto/openssl/apps/apps.c ============================================================================== --- head/crypto/openssl/apps/apps.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/apps.c Thu Jun 11 19:00:55 2015 (r284283) @@ -572,7 +572,7 @@ int password_callback(char *buf, int buf char *prompt = NULL; prompt = UI_construct_prompt(ui, "pass phrase", prompt_info); - if(!prompt) { + if (!prompt) { BIO_printf(bio_err, "Out of memory\n"); UI_free(ui); return 0; @@ -586,7 +586,7 @@ int password_callback(char *buf, int buf PW_MIN_LENGTH, bufsiz - 1); if (ok >= 0 && verify) { buff = (char *)OPENSSL_malloc(bufsiz); - if(!buff) { + if (!buff) { BIO_printf(bio_err, "Out of memory\n"); UI_free(ui); OPENSSL_free(prompt); @@ -2238,6 +2238,8 @@ int args_verify(char ***pargs, int *parg flags |= X509_V_FLAG_NOTIFY_POLICY; else if (!strcmp(arg, "-check_ss_sig")) flags |= X509_V_FLAG_CHECK_SS_SIGNATURE; + else if (!strcmp(arg, "-no_alt_chains")) + flags |= X509_V_FLAG_NO_ALT_CHAINS; else return 0; Modified: head/crypto/openssl/apps/asn1pars.c ============================================================================== --- head/crypto/openssl/apps/asn1pars.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/asn1pars.c Thu Jun 11 19:00:55 2015 (r284283) @@ -375,7 +375,7 @@ static int do_generate(BIO *bio, char *g { CONF *cnf = NULL; int len; - long errline; + long errline = 0; unsigned char *p; ASN1_TYPE *atyp = NULL; Modified: head/crypto/openssl/apps/ca.c ============================================================================== --- head/crypto/openssl/apps/ca.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/ca.c Thu Jun 11 19:00:55 2015 (r284283) @@ -558,7 +558,7 @@ int MAIN(int argc, char **argv) #ifdef OPENSSL_SYS_VMS len = strlen(s) + sizeof(CONFIG_FILE); tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -566,7 +566,7 @@ int MAIN(int argc, char **argv) #else len = strlen(s) + sizeof(CONFIG_FILE) + 1; tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -2803,7 +2803,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, i ASN1_GENERALIZEDTIME *comp_time = NULL; tmp = BUF_strdup(str); - if(!tmp) { + if (!tmp) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } @@ -2825,7 +2825,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, i if (prevtm) { *prevtm = ASN1_UTCTIME_new(); - if(!*prevtm) { + if (!*prevtm) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } @@ -2869,7 +2869,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, i goto err; } comp_time = ASN1_GENERALIZEDTIME_new(); - if(!comp_time) { + if (!comp_time) { BIO_printf(bio_err, "memory allocation failure\n"); goto err; } Modified: head/crypto/openssl/apps/cms.c ============================================================================== --- head/crypto/openssl/apps/cms.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/cms.c Thu Jun 11 19:00:55 2015 (r284283) @@ -581,6 +581,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, + "-no_alt_chains only ever use the first certificate chain found\n"); + BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf(bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); Modified: head/crypto/openssl/apps/dhparam.c ============================================================================== --- head/crypto/openssl/apps/dhparam.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/dhparam.c Thu Jun 11 19:00:55 2015 (r284283) @@ -130,7 +130,7 @@ # undef PROG # define PROG dhparam_main -# define DEFBITS 512 +# define DEFBITS 2048 /*- * -inform arg - input format - default PEM (DER or PEM) @@ -254,7 +254,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, " -5 generate parameters using 5 as the generator value\n"); BIO_printf(bio_err, - " numbits number of bits in to generate (default 512)\n"); + " numbits number of bits in to generate (default 2048)\n"); # ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, " -engine e use engine e, possibly a hardware device.\n"); Modified: head/crypto/openssl/apps/enc.c ============================================================================== --- head/crypto/openssl/apps/enc.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/enc.c Thu Jun 11 19:00:55 2015 (r284283) @@ -548,9 +548,14 @@ int MAIN(int argc, char **argv) else OPENSSL_cleanse(str, strlen(str)); } - if ((hiv != NULL) && !set_hex(hiv, iv, sizeof iv)) { - BIO_printf(bio_err, "invalid hex iv value\n"); - goto end; + if (hiv != NULL) { + int siz = EVP_CIPHER_iv_length(cipher); + if (siz == 0) { + BIO_printf(bio_err, "warning: iv not use by this cipher\n"); + } else if (!set_hex(hiv, iv, sizeof iv)) { + BIO_printf(bio_err, "invalid hex iv value\n"); + goto end; + } } if ((hiv == NULL) && (str == NULL) && EVP_CIPHER_iv_length(cipher) != 0) { @@ -562,7 +567,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "iv undefined\n"); goto end; } - if ((hkey != NULL) && !set_hex(hkey, key, sizeof key)) { + if ((hkey != NULL) && !set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) { BIO_printf(bio_err, "invalid hex key value\n"); goto end; } Modified: head/crypto/openssl/apps/gendh.c ============================================================================== --- head/crypto/openssl/apps/gendh.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/gendh.c Thu Jun 11 19:00:55 2015 (r284283) @@ -80,7 +80,7 @@ # include # include -# define DEFBITS 512 +# define DEFBITS 2048 # undef PROG # define PROG gendh_main Modified: head/crypto/openssl/apps/ocsp.c ============================================================================== --- head/crypto/openssl/apps/ocsp.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/ocsp.c Thu Jun 11 19:00:55 2015 (r284283) @@ -519,6 +519,8 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, + "-no_alt_chains only ever use the first certificate chain found\n"); + BIO_printf(bio_err, "-VAfile file validator certificates file\n"); BIO_printf(bio_err, "-validity_period n maximum validity discrepancy in seconds\n"); Modified: head/crypto/openssl/apps/s_cb.c ============================================================================== --- head/crypto/openssl/apps/s_cb.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/s_cb.c Thu Jun 11 19:00:55 2015 (r284283) @@ -111,6 +111,7 @@ #include #include +#include /* for memcpy() */ #define USE_SOCKETS #define NON_MAIN #include "apps.h" @@ -747,7 +748,7 @@ int MS_CALLBACK generate_cookie_callback /* Initialize a random secret */ if (!cookie_initialized) { - if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH)) { + if (RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH) <= 0) { BIO_printf(bio_err, "error setting random cookie secret\n"); return 0; } Modified: head/crypto/openssl/apps/s_client.c ============================================================================== --- head/crypto/openssl/apps/s_client.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/s_client.c Thu Jun 11 19:00:55 2015 (r284283) @@ -323,6 +323,8 @@ static void sc_usage(void) BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, + " -no_alt_chains - only ever use the first certificate chain found\n"); + BIO_printf(bio_err, " -reconnect - Drop and re-make the connection with the same Session-ID\n"); BIO_printf(bio_err, " -pause - sleep(1) after each read(2) and write(2) system call\n"); @@ -547,7 +549,7 @@ static char *MS_CALLBACK ssl_give_srp_cl PW_CB_DATA cb_tmp; int l; - if(!pass) { + if (!pass) { BIO_printf(bio_err, "Malloc failure\n"); return NULL; } @@ -1177,13 +1179,12 @@ int MAIN(int argc, char **argv) if (!set_cert_key_stuff(ctx, cert, key)) goto end; - if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx))) { - /* - * BIO_printf(bio_err,"error setting default verify locations\n"); - */ + if ((CAfile || CApath) + && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) { + ERR_print_errors(bio_err); + } + if (!SSL_CTX_set_default_verify_paths(ctx)) { ERR_print_errors(bio_err); - /* goto end; */ } #ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { Modified: head/crypto/openssl/apps/s_server.c ============================================================================== --- head/crypto/openssl/apps/s_server.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/s_server.c Thu Jun 11 19:00:55 2015 (r284283) @@ -219,7 +219,7 @@ static int generate_session_id(const SSL unsigned int *id_len); #ifndef OPENSSL_NO_DH static DH *load_dh_param(const char *dhfile); -static DH *get_dh512(void); +static DH *get_dh2048(void); #endif #ifdef MONOLITH @@ -227,30 +227,48 @@ static void s_server_init(void); #endif #ifndef OPENSSL_NO_DH -static unsigned char dh512_p[] = { - 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75, - 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F, - 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3, - 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12, - 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C, - 0x47, 0x74, 0xE8, 0x33, +static unsigned char dh2048_p[] = { + 0xF6,0x42,0x57,0xB7,0x08,0x7F,0x08,0x17,0x72,0xA2,0xBA,0xD6, + 0xA9,0x42,0xF3,0x05,0xE8,0xF9,0x53,0x11,0x39,0x4F,0xB6,0xF1, + 0x6E,0xB9,0x4B,0x38,0x20,0xDA,0x01,0xA7,0x56,0xA3,0x14,0xE9, + 0x8F,0x40,0x55,0xF3,0xD0,0x07,0xC6,0xCB,0x43,0xA9,0x94,0xAD, + 0xF7,0x4C,0x64,0x86,0x49,0xF8,0x0C,0x83,0xBD,0x65,0xE9,0x17, + 0xD4,0xA1,0xD3,0x50,0xF8,0xF5,0x59,0x5F,0xDC,0x76,0x52,0x4F, + 0x3D,0x3D,0x8D,0xDB,0xCE,0x99,0xE1,0x57,0x92,0x59,0xCD,0xFD, + 0xB8,0xAE,0x74,0x4F,0xC5,0xFC,0x76,0xBC,0x83,0xC5,0x47,0x30, + 0x61,0xCE,0x7C,0xC9,0x66,0xFF,0x15,0xF9,0xBB,0xFD,0x91,0x5E, + 0xC7,0x01,0xAA,0xD3,0x5B,0x9E,0x8D,0xA0,0xA5,0x72,0x3A,0xD4, + 0x1A,0xF0,0xBF,0x46,0x00,0x58,0x2B,0xE5,0xF4,0x88,0xFD,0x58, + 0x4E,0x49,0xDB,0xCD,0x20,0xB4,0x9D,0xE4,0x91,0x07,0x36,0x6B, + 0x33,0x6C,0x38,0x0D,0x45,0x1D,0x0F,0x7C,0x88,0xB3,0x1C,0x7C, + 0x5B,0x2D,0x8E,0xF6,0xF3,0xC9,0x23,0xC0,0x43,0xF0,0xA5,0x5B, + 0x18,0x8D,0x8E,0xBB,0x55,0x8C,0xB8,0x5D,0x38,0xD3,0x34,0xFD, + 0x7C,0x17,0x57,0x43,0xA3,0x1D,0x18,0x6C,0xDE,0x33,0x21,0x2C, + 0xB5,0x2A,0xFF,0x3C,0xE1,0xB1,0x29,0x40,0x18,0x11,0x8D,0x7C, + 0x84,0xA7,0x0A,0x72,0xD6,0x86,0xC4,0x03,0x19,0xC8,0x07,0x29, + 0x7A,0xCA,0x95,0x0C,0xD9,0x96,0x9F,0xAB,0xD0,0x0A,0x50,0x9B, + 0x02,0x46,0xD3,0x08,0x3D,0x66,0xA4,0x5D,0x41,0x9F,0x9C,0x7C, + 0xBD,0x89,0x4B,0x22,0x19,0x26,0xBA,0xAB,0xA2,0x5E,0xC3,0x55, + 0xE9,0x32,0x0B,0x3B, }; -static unsigned char dh512_g[] = { +static unsigned char dh2048_g[] = { 0x02, }; -static DH *get_dh512(void) +DH *get_dh2048() { - DH *dh = NULL; + DH *dh; if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); - dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) - return (NULL); - return (dh); + return NULL; + dh->p=BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); + dh->g=BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); + if (dh->p == NULL || dh->g == NULL) { + DH_free(dh); + return NULL; + } + return dh; } #endif @@ -523,6 +541,8 @@ static void sv_usage(void) BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); BIO_printf(bio_err, + " -no_alt_chains - only ever use the first certificate chain found\n"); + BIO_printf(bio_err, " -nocert - Don't use any certificates (Anon-DH)\n"); BIO_printf(bio_err, " -cipher arg - play with 'openssl ciphers' to see what goes here\n"); @@ -720,7 +740,7 @@ static int ebcdic_write(BIO *b, const ch num = inl; wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); - if(!wbuf) + if (!wbuf) return 0; OPENSSL_free(b->ptr); @@ -998,7 +1018,7 @@ int MAIN(int argc, char *argv[]) int off = 0; int no_tmp_rsa = 0, no_dhe = 0, nocert = 0; #ifndef OPENSSL_NO_ECDH - int no_ecdhe; + int no_ecdhe = 0; #endif int state = 0; const SSL_METHOD *meth = NULL; @@ -1654,7 +1674,11 @@ int MAIN(int argc, char *argv[]) BIO_printf(bio_s_out, "Setting temp DH parameters\n"); } else { BIO_printf(bio_s_out, "Using default temp DH parameters\n"); - dh = get_dh512(); + dh = get_dh2048(); + if (dh == NULL) { + ERR_print_errors(bio_err); + goto end; + } } (void)BIO_flush(bio_s_out); @@ -2251,8 +2275,10 @@ static int sv_body(char *hostname, int s ret = 1; goto err; } - l += k; - i -= k; + if (k > 0) { + l += k; + i -= k; + } if (i <= 0) break; } @@ -2916,7 +2942,8 @@ static int generate_session_id(const SSL { unsigned int count = 0; do { - RAND_pseudo_bytes(id, *id_len); + if (RAND_pseudo_bytes(id, *id_len) < 0) + return 0; /* * Prefix the session_id with the required prefix. NB: If our prefix * is too long, clip it - but there will be worse effects anyway, eg. Modified: head/crypto/openssl/apps/s_time.c ============================================================================== --- head/crypto/openssl/apps/s_time.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/s_time.c Thu Jun 11 19:00:55 2015 (r284283) @@ -302,7 +302,7 @@ static int parseArgs(int argc, char **ar if (--argc < 1) goto bad; maxTime = atoi(*(++argv)); - if(maxTime <= 0) { + if (maxTime <= 0) { BIO_printf(bio_err, "time must be > 0\n"); badop = 1; } Modified: head/crypto/openssl/apps/smime.c ============================================================================== --- head/crypto/openssl/apps/smime.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/smime.c Thu Jun 11 19:00:55 2015 (r284283) @@ -442,6 +442,8 @@ int MAIN(int argc, char **argv) "-CApath dir trusted certificates directory\n"); BIO_printf(bio_err, "-CAfile file trusted certificates file\n"); BIO_printf(bio_err, + "-no_alt_chains only ever use the first certificate chain found\n"); + BIO_printf(bio_err, "-crl_check check revocation status of signer's certificate using CRLs\n"); BIO_printf(bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n"); Modified: head/crypto/openssl/apps/srp.c ============================================================================== --- head/crypto/openssl/apps/srp.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/srp.c Thu Jun 11 19:00:55 2015 (r284283) @@ -435,7 +435,7 @@ int MAIN(int argc, char **argv) # ifdef OPENSSL_SYS_VMS len = strlen(s) + sizeof(CONFIG_FILE); tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } @@ -443,7 +443,7 @@ int MAIN(int argc, char **argv) # else len = strlen(s) + sizeof(CONFIG_FILE) + 1; tofree = OPENSSL_malloc(len); - if(!tofree) { + if (!tofree) { BIO_printf(bio_err, "Out of memory\n"); goto err; } Modified: head/crypto/openssl/apps/verify.c ============================================================================== --- head/crypto/openssl/apps/verify.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/apps/verify.c Thu Jun 11 19:00:55 2015 (r284283) @@ -227,7 +227,7 @@ int MAIN(int argc, char **argv) if (ret == 1) { BIO_printf(bio_err, "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]"); - BIO_printf(bio_err, " [-attime timestamp]"); + BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err, " [-engine e]"); #endif Modified: head/crypto/openssl/crypto/Makefile ============================================================================== --- head/crypto/openssl/crypto/Makefile Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/crypto/Makefile Thu Jun 11 19:00:55 2015 (r284283) @@ -126,12 +126,17 @@ install: lint: @target=lint; $(RECURSIVE_MAKE) -depend: +update: local_depend + @[ -z "$(THIS)" ] || (set -e; target=update; $(RECURSIVE_MAKE) ) + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi + +depend: local_depend + @[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) ) + @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi +local_depend: @[ -z "$(THIS)" -o -f buildinf.h ] || touch buildinf.h # fake buildinf.h if it does not exist @[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC) @[ -z "$(THIS)" -o -s buildinf.h ] || rm buildinf.h - @[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) ) - @if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi clean: rm -f buildinf.h *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff Modified: head/crypto/openssl/crypto/aes/Makefile ============================================================================== --- head/crypto/openssl/crypto/aes/Makefile Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/crypto/aes/Makefile Thu Jun 11 19:00:55 2015 (r284283) @@ -106,6 +106,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) Modified: head/crypto/openssl/crypto/asn1/Makefile ============================================================================== --- head/crypto/openssl/crypto/asn1/Makefile Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/crypto/asn1/Makefile Thu Jun 11 19:00:55 2015 (r284283) @@ -93,6 +93,8 @@ tests: lint: lint -DLINT $(INCLUDES) $(SRC)>fluff +update: depend + depend: @[ -n "$(MAKEDEPEND)" ] # should be set by top Makefile... $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC) Modified: head/crypto/openssl/crypto/asn1/a_int.c ============================================================================== --- head/crypto/openssl/crypto/asn1/a_int.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/crypto/asn1/a_int.c Thu Jun 11 19:00:55 2015 (r284283) @@ -124,6 +124,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un else { ret = a->length; i = a->data[0]; + if (ret == 1 && i == 0) + neg = 0; if (!neg && (i > 127)) { pad = 1; pb = 0; @@ -162,7 +164,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un p += a->length - 1; i = a->length; /* Copy zeros to destination as long as source is zero */ - while (!*n) { + while (!*n && i > 1) { *(p--) = 0; n--; i--; @@ -419,7 +421,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const B ASN1err(ASN1_F_BN_TO_ASN1_INTEGER, ERR_R_NESTED_ASN1_ERROR); goto err; } - if (BN_is_negative(bn)) + if (BN_is_negative(bn) && !BN_is_zero(bn)) ret->type = V_ASN1_NEG_INTEGER; else ret->type = V_ASN1_INTEGER; Modified: head/crypto/openssl/crypto/asn1/asn1_gen.c ============================================================================== --- head/crypto/openssl/crypto/asn1/asn1_gen.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/crypto/asn1/asn1_gen.c Thu Jun 11 19:00:55 2015 (r284283) @@ -74,6 +74,8 @@ #define ASN1_GEN_STR(str,val) {str, sizeof(str) - 1, val} #define ASN1_FLAG_EXP_MAX 20 +/* Maximum number of nested sequences */ +#define ASN1_GEN_SEQ_MAX_DEPTH 50 /* Input formats */ @@ -110,13 +112,16 @@ typedef struct { int exp_count; } tag_exp_arg; +static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth, + int *perr); static int bitstr_cb(const char *elem, int len, void *bitstr); static int asn1_cb(const char *elem, int len, void *bitstr); static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class, int exp_constructed, int exp_pad, int imp_ok); static int parse_tagging(const char *vstart, int vlen, int *ptag, int *pclass); -static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf); +static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, + int depth, int *perr); static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype); static int asn1_str2tag(const char *tagstr, int len); @@ -133,6 +138,16 @@ ASN1_TYPE *ASN1_generate_nconf(char *str ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf) { + int err = 0; + ASN1_TYPE *ret = generate_v3(str, cnf, 0, &err); + if (err) + ASN1err(ASN1_F_ASN1_GENERATE_V3, err); + return ret; +} + +static ASN1_TYPE *generate_v3(char *str, X509V3_CTX *cnf, int depth, + int *perr) +{ ASN1_TYPE *ret; tag_exp_arg asn1_tags; tag_exp_type *etmp; @@ -152,17 +167,22 @@ ASN1_TYPE *ASN1_generate_v3(char *str, X asn1_tags.imp_class = -1; asn1_tags.format = ASN1_GEN_FORMAT_ASCII; asn1_tags.exp_count = 0; - if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) + if (CONF_parse_list(str, ',', 1, asn1_cb, &asn1_tags) != 0) { + *perr = ASN1_R_UNKNOWN_TAG; return NULL; + } if ((asn1_tags.utype == V_ASN1_SEQUENCE) || (asn1_tags.utype == V_ASN1_SET)) { if (!cnf) { - ASN1err(ASN1_F_ASN1_GENERATE_V3, - ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG); + *perr = ASN1_R_SEQUENCE_OR_SET_NEEDS_CONFIG; return NULL; } - ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf); + if (depth >= ASN1_GEN_SEQ_MAX_DEPTH) { + *perr = ASN1_R_ILLEGAL_NESTED_TAGGING; + return NULL; + } + ret = asn1_multi(asn1_tags.utype, asn1_tags.str, cnf, depth, perr); } else ret = asn1_str2type(asn1_tags.str, asn1_tags.format, asn1_tags.utype); @@ -280,7 +300,7 @@ static int asn1_cb(const char *elem, int int tmp_tag, tmp_class; if (elem == NULL) - return 0; + return -1; for (i = 0, p = elem; i < len; p++, i++) { /* Look for the ':' in name value pairs */ @@ -353,7 +373,7 @@ static int asn1_cb(const char *elem, int break; case ASN1_GEN_FLAG_FORMAT: - if(!vstart) { + if (!vstart) { ASN1err(ASN1_F_ASN1_CB, ASN1_R_UNKNOWN_FORMAT); return -1; } @@ -435,7 +455,8 @@ static int parse_tagging(const char *vst /* Handle multiple types: SET and SEQUENCE */ -static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf) +static ASN1_TYPE *asn1_multi(int utype, const char *section, X509V3_CTX *cnf, + int depth, int *perr) { ASN1_TYPE *ret = NULL; STACK_OF(ASN1_TYPE) *sk = NULL; @@ -454,7 +475,8 @@ static ASN1_TYPE *asn1_multi(int utype, goto bad; for (i = 0; i < sk_CONF_VALUE_num(sect); i++) { ASN1_TYPE *typ = - ASN1_generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf); + generate_v3(sk_CONF_VALUE_value(sect, i)->value, cnf, + depth + 1, perr); if (!typ) goto bad; if (!sk_ASN1_TYPE_push(sk, typ)) Modified: head/crypto/openssl/crypto/asn1/asn_mime.c ============================================================================== --- head/crypto/openssl/crypto/asn1/asn_mime.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/crypto/asn1/asn_mime.c Thu Jun 11 19:00:55 2015 (r284283) @@ -289,7 +289,8 @@ int SMIME_write_ASN1(BIO *bio, ASN1_VALU if ((flags & SMIME_DETACHED) && data) { /* We want multipart/signed */ /* Generate a random boundary */ - RAND_pseudo_bytes((unsigned char *)bound, 32); + if (RAND_pseudo_bytes((unsigned char *)bound, 32) < 0) + return 0; for (i = 0; i < 32; i++) { c = bound[i] & 0xf; if (c < 10) Modified: head/crypto/openssl/crypto/asn1/bio_ndef.c ============================================================================== --- head/crypto/openssl/crypto/asn1/bio_ndef.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/crypto/asn1/bio_ndef.c Thu Jun 11 19:00:55 2015 (r284283) @@ -162,7 +162,7 @@ static int ndef_prefix(BIO *b, unsigned derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it); p = OPENSSL_malloc(derlen); - if(!p) + if (!p) return 0; ndef_aux->derbuf = p; @@ -232,7 +232,7 @@ static int ndef_suffix(BIO *b, unsigned derlen = ASN1_item_ndef_i2d(ndef_aux->val, NULL, ndef_aux->it); p = OPENSSL_malloc(derlen); - if(!p) + if (!p) return 0; ndef_aux->derbuf = p; Modified: head/crypto/openssl/crypto/asn1/tasn_new.c ============================================================================== --- head/crypto/openssl/crypto/asn1/tasn_new.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/crypto/asn1/tasn_new.c Thu Jun 11 19:00:55 2015 (r284283) @@ -100,9 +100,6 @@ static int asn1_item_ex_combine_new(ASN1 else asn1_cb = 0; - if (!combine) - *pval = NULL; - #ifdef CRYPTO_MDEBUG if (it->sname) CRYPTO_push_info(it->sname); Modified: head/crypto/openssl/crypto/asn1/tasn_prn.c ============================================================================== --- head/crypto/openssl/crypto/asn1/tasn_prn.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/crypto/asn1/tasn_prn.c Thu Jun 11 19:00:55 2015 (r284283) @@ -290,7 +290,7 @@ static int asn1_item_print_ctx(BIO *out, for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { const ASN1_TEMPLATE *seqtt; seqtt = asn1_do_adb(fld, tt, 1); - if(!seqtt) + if (!seqtt) return 0; tmpfld = asn1_get_field_ptr(fld, seqtt); if (!asn1_template_print_ctx(out, tmpfld, Modified: head/crypto/openssl/crypto/asn1/x_x509.c ============================================================================== --- head/crypto/openssl/crypto/asn1/x_x509.c Thu Jun 11 18:04:49 2015 (r284282) +++ head/crypto/openssl/crypto/asn1/x_x509.c Thu Jun 11 19:00:55 2015 (r284283) @@ -177,7 +177,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsig /* Save start position */ q = *pp; - if(!a || *a == NULL) { + if (!a || *a == NULL) { freeret = 1; } ret = d2i_X509(a, pp, length); @@ -192,7 +192,7 @@ X509 *d2i_X509_AUX(X509 **a, const unsig goto err; return ret; err: - if(freeret) { + if (freeret) { X509_free(ret); *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***