From: Jung-uk Kim <jkim@FreeBSD.org>
Date: Thu, 26 Jan 2017 18:32:12 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r312823 - in vendor-crypto/openssl/dist: . apps crypto crypto/aes/asm crypto/asn1 crypto/bn crypto/bn/asm crypto/cms crypto/dh crypto/dsa crypto/ec crypto/ecdh crypto/err crypto/evp cry...
Message-Id: <201701261832.v0QIWCt1042905@repo.freebsd.org>
List-Id: SVN commit messages for the vendor work area tree

Author: jkim
Date: Thu Jan 26 18:32:12 2017
New Revision: 312823
URL: https://svnweb.freebsd.org/changeset/base/312823

Log:
  Import OpenSSL 1.0.2k.

Modified:
  vendor-crypto/openssl/dist/CHANGES
  vendor-crypto/openssl/dist/CONTRIBUTING
  vendor-crypto/openssl/dist/Configure
  vendor-crypto/openssl/dist/INSTALL
  vendor-crypto/openssl/dist/Makefile
  vendor-crypto/openssl/dist/Makefile.org
  vendor-crypto/openssl/dist/NEWS
  vendor-crypto/openssl/dist/README
  vendor-crypto/openssl/dist/apps/apps.c
  vendor-crypto/openssl/dist/apps/apps.h
  vendor-crypto/openssl/dist/apps/ca.c
  vendor-crypto/openssl/dist/apps/cms.c
  vendor-crypto/openssl/dist/apps/dgst.c
  vendor-crypto/openssl/dist/apps/dh.c
  vendor-crypto/openssl/dist/apps/dhparam.c
  vendor-crypto/openssl/dist/apps/dsa.c
  vendor-crypto/openssl/dist/apps/dsaparam.c
  vendor-crypto/openssl/dist/apps/ec.c
  vendor-crypto/openssl/dist/apps/ecparam.c
  vendor-crypto/openssl/dist/apps/enc.c
  vendor-crypto/openssl/dist/apps/gendh.c
  vendor-crypto/openssl/dist/apps/gendsa.c
  vendor-crypto/openssl/dist/apps/genpkey.c
  vendor-crypto/openssl/dist/apps/genrsa.c
  vendor-crypto/openssl/dist/apps/pkcs12.c
  vendor-crypto/openssl/dist/apps/pkcs7.c
  vendor-crypto/openssl/dist/apps/pkcs8.c
  vendor-crypto/openssl/dist/apps/pkey.c
  vendor-crypto/openssl/dist/apps/pkeyparam.c
  vendor-crypto/openssl/dist/apps/pkeyutl.c
  vendor-crypto/openssl/dist/apps/prime.c
  vendor-crypto/openssl/dist/apps/rand.c
  vendor-crypto/openssl/dist/apps/req.c
  vendor-crypto/openssl/dist/apps/rsa.c
  vendor-crypto/openssl/dist/apps/rsautl.c
  vendor-crypto/openssl/dist/apps/s_cb.c
  vendor-crypto/openssl/dist/apps/s_client.c
  vendor-crypto/openssl/dist/apps/s_server.c
  vendor-crypto/openssl/dist/apps/smime.c
  vendor-crypto/openssl/dist/apps/speed.c
  vendor-crypto/openssl/dist/apps/spkac.c
  vendor-crypto/openssl/dist/apps/srp.c
  vendor-crypto/openssl/dist/apps/verify.c
  vendor-crypto/openssl/dist/apps/x509.c
  vendor-crypto/openssl/dist/crypto/aes/asm/aes-s390x.pl
  vendor-crypto/openssl/dist/crypto/asn1/p5_pbev2.c
  vendor-crypto/openssl/dist/crypto/asn1/x_crl.c
  vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont.pl
  vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont5.pl
  vendor-crypto/openssl/dist/crypto/bn/bn_exp.c
  vendor-crypto/openssl/dist/crypto/bn/bn_mul.c
  vendor-crypto/openssl/dist/crypto/bn/bn_prime.c
  vendor-crypto/openssl/dist/crypto/bn/bn_sqr.c
  vendor-crypto/openssl/dist/crypto/cms/cms_kari.c
  vendor-crypto/openssl/dist/crypto/dh/dh_key.c
  vendor-crypto/openssl/dist/crypto/dsa/dsa_pmeth.c
  vendor-crypto/openssl/dist/crypto/ec/ec2_mult.c
  vendor-crypto/openssl/dist/crypto/ecdh/ech_ossl.c
  vendor-crypto/openssl/dist/crypto/err/err.c
  vendor-crypto/openssl/dist/crypto/evp/e_aes.c
  vendor-crypto/openssl/dist/crypto/evp/e_rc4_hmac_md5.c
  vendor-crypto/openssl/dist/crypto/evp/evp.h
  vendor-crypto/openssl/dist/crypto/evp/evp_err.c
  vendor-crypto/openssl/dist/crypto/evp/pmeth_fn.c
  vendor-crypto/openssl/dist/crypto/evp/pmeth_lib.c
  vendor-crypto/openssl/dist/crypto/modes/ctr128.c
  vendor-crypto/openssl/dist/crypto/opensslv.h
  vendor-crypto/openssl/dist/crypto/perlasm/x86_64-xlate.pl
  vendor-crypto/openssl/dist/crypto/rsa/rsa_gen.c
  vendor-crypto/openssl/dist/crypto/rsa/rsa_oaep.c
  vendor-crypto/openssl/dist/crypto/rsa/rsa_pmeth.c
  vendor-crypto/openssl/dist/crypto/s390xcap.c
  vendor-crypto/openssl/dist/crypto/ui/ui_lib.c
  vendor-crypto/openssl/dist/crypto/ui/ui_openssl.c
  vendor-crypto/openssl/dist/doc/apps/ocsp.pod
  vendor-crypto/openssl/dist/doc/crypto/EVP_DigestSignInit.pod
  vendor-crypto/openssl/dist/doc/crypto/EVP_DigestVerifyInit.pod
  vendor-crypto/openssl/dist/doc/crypto/RSA_generate_key.pod
  vendor-crypto/openssl/dist/doc/crypto/X509_NAME_get_index_by_NID.pod
  vendor-crypto/openssl/dist/doc/crypto/X509_NAME_print_ex.pod
  vendor-crypto/openssl/dist/doc/ssl/SSL_CTX_set_session_cache_mode.pod
  vendor-crypto/openssl/dist/doc/ssl/SSL_get_error.pod
  vendor-crypto/openssl/dist/doc/ssl/SSL_read.pod
  vendor-crypto/openssl/dist/doc/ssl/SSL_write.pod
  vendor-crypto/openssl/dist/engines/ccgost/Makefile
  vendor-crypto/openssl/dist/ssl/bad_dtls_test.c
  vendor-crypto/openssl/dist/ssl/s23_pkt.c
  vendor-crypto/openssl/dist/ssl/s2_lib.c
  vendor-crypto/openssl/dist/ssl/s2_pkt.c
  vendor-crypto/openssl/dist/ssl/s3_clnt.c
  vendor-crypto/openssl/dist/ssl/s3_pkt.c
  vendor-crypto/openssl/dist/ssl/s3_srvr.c
  vendor-crypto/openssl/dist/ssl/ssl_cert.c
  vendor-crypto/openssl/dist/ssl/ssl_err.c
  vendor-crypto/openssl/dist/ssl/ssl_lib.c
  vendor-crypto/openssl/dist/ssl/ssl_locl.h
  vendor-crypto/openssl/dist/ssl/ssl_sess.c
  vendor-crypto/openssl/dist/ssl/t1_lib.c
  vendor-crypto/openssl/dist/util/domd
  vendor-crypto/openssl/dist/util/mklink.pl

Modified: vendor-crypto/openssl/dist/CHANGES ============================================================================== --- vendor-crypto/openssl/dist/CHANGES Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/CHANGES Thu Jan 26 18:32:12 2017 (r312823)
@@ -2,6 +2,67 @@ OpenSSL CHANGES _______________ + Changes between 1.0.2j and 1.0.2k [26 Jan 2017] + + *) Truncated packet could crash via OOB read + + If one side of an SSL/TLS path is running on a 32-bit host and a specific + cipher is being used, then a truncated packet can cause that host to + perform an out-of-bounds read, usually resulting in a crash. + + This issue was reported to OpenSSL by Robert Święcki of Google. + (CVE-2017-3731) + [Andy Polyakov] + + *) BN_mod_exp may produce incorrect results on x86_64 + + There is a carry propagating bug in the x86_64 Montgomery squaring + procedure. No EC algorithms are affected. Analysis suggests that attacks + against RSA and DSA as a result of this defect would be very difficult to + perform and are not believed likely. Attacks against DH are considered just + feasible (although very difficult) because most of the work necessary to + deduce information about a private key may be performed offline. The amount + of resources required for such an attack would be very significant and + likely only accessible to a limited number of attackers. An attacker would + additionally need online access to an unpatched system using the target + private key in a scenario with persistent DH parameters and a private + key that is shared between multiple clients. For example this can occur by + default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very + similar to CVE-2015-3193 but must be treated as a separate problem. + + This issue was reported to OpenSSL by the OSS-Fuzz project. + (CVE-2017-3732) + [Andy Polyakov] + + *) Montgomery multiplication may produce incorrect results + + There is a carry propagating bug in the Broadwell-specific Montgomery + multiplication procedure that handles input lengths divisible by, but + longer than 256 bits. Analysis suggests that attacks against RSA, DSA + and DH private keys are impossible. 
This is because the subroutine in + question is not used in operations with the private key itself and an input + of the attacker's direct choice. Otherwise the bug can manifest itself as + transient authentication and key negotiation failures or reproducible + erroneous outcome of public-key operations with specially crafted input. + Among EC algorithms only Brainpool P-512 curves are affected and one + presumably can attack ECDH key negotiation. Impact was not analyzed in + detail, because pre-requisites for attack are considered unlikely. Namely + multiple clients have to choose the curve in question and the server has to + share the private key among them, neither of which is default behaviour. + Even then only clients that chose the curve will be affected. + + This issue was publicly reported as transient failures and was not + initially recognized as a security issue. Thanks to Richard Morgan for + providing reproducible case. + (CVE-2016-7055) + [Andy Polyakov] + + *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0 + or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to + prevent issues where no progress is being made and the peer continually + sends unrecognised record types, using up resources processing them. + [Matt Caswell] + Changes between 1.0.2i and 1.0.2j [26 Sep 2016] *) Missing CRL sanity check Modified: vendor-crypto/openssl/dist/CONTRIBUTING ============================================================================== --- vendor-crypto/openssl/dist/CONTRIBUTING Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/CONTRIBUTING Thu Jan 26 18:32:12 2017 (r312823) @@ -1,4 +1,4 @@ -HOW TO CONTRIBUTE TO PATCHES OpenSSL +HOW TO CONTRIBUTE PATCHES TO OpenSSL ------------------------------------ (Please visit https://www.openssl.org/community/getting-started.html for 
@@ -11,34 +11,12 @@ OpenSSL community you might want to disc list first. Someone may be already working on the same thing or there may be a good reason as to why that feature isn't implemented. -The best way to submit a patch is to make a pull request on GitHub. -(It is not necessary to send mail to rt@openssl.org to open a ticket!) -If you think the patch could use feedback from the community, please -start a thread on openssl-dev. - -You can also submit patches by sending it as mail to rt@openssl.org. -Please include the word "PATCH" and an explanation of what the patch -does in the subject line. If you do this, our preferred format is "git -format-patch" output. For example to provide a patch file containing the -last commit in your local git repository use the following command: - - % git format-patch --stdout HEAD^ >mydiffs.patch - -Another method of creating an acceptable patch file without using git is as -follows: - - % cd openssl-work - ...make your changes... - % ./Configure dist; make clean - % cd .. - % diff -ur openssl-orig openssl-work >mydiffs.patch - -Note that pull requests are generally easier for the team, and community, to -work with. Pull requests benefit from all of the standard GitHub features, -including code review tools, simpler integration, and CI build support. +To submit a patch, make a pull request on GitHub. If you think the patch +could use feedback from the community, please start a thread on openssl-dev +to discuss it. -No matter how a patch is submitted, the following items will help make -the acceptance and review process faster: +Having addressed the following items before the PR will help make the +acceptance and review process faster: 1. Anything other than trivial contributions will require a contributor licensing agreement, giving us permission to use your code. See 
@@ -55,21 +33,22 @@ the acceptance and review process faster in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html - 3. Patches should be as current as possible. When using GitHub, please - expect to have to rebase and update often. Note that we do not accept merge - commits. You will be asked to remove them before a patch is considered - acceptable. + 3. Patches should be as current as possible; expect to have to rebase + often. We do not accept merge commits; You will be asked to remove + them before a patch is considered acceptable. 4. Patches should follow our coding style (see https://www.openssl.org/policies/codingstyle.html) and compile without warnings. Where gcc or clang is availble you should use the --strict-warnings Configure option. OpenSSL compiles on many varied platforms: try to ensure you only use portable features. + Clean builds via Travis and AppVeyor are expected, and done whenever + a PR is created or updated. - 5. When at all possible, patches should include tests. These can either be - added to an existing test, or completely new. Please see test/README - for information on the test framework. - - 6. New features or changed functionality must include documentation. Please - look at the "pod" files in doc/apps, doc/crypto and doc/ssl for examples of - our style. + 5. When at all possible, patches should include tests. These can + either be added to an existing test, or completely new. Please see + test/README for information on the test framework. + + 6. New features or changed functionality must include + documentation. Please look at the "pod" files in doc/apps, doc/crypto + and doc/ssl for examples of our style. Modified: vendor-crypto/openssl/dist/Configure ============================================================================== --- vendor-crypto/openssl/dist/Configure Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/Configure Thu Jan 26 18:32:12 2017 (r312823) 
@@ -7,6 +7,7 @@ eval 'exec perl -S $0 ${1+"$@"}' require 5.000; use strict; +use File::Compare; # see INSTALL for instructions. @@ -57,12 +58,13 @@ my $usage="Usage: Configure [no- # zlib-dynamic Like "zlib", but the zlib library is expected to be a shared # library and will be loaded in run-time by the OpenSSL library. # sctp include SCTP support -# 386 generate 80386 code # enable-weak-ssl-ciphers # Enable EXPORT and LOW SSLv3 ciphers that are disabled by # default. Note, weak SSLv2 ciphers are unconditionally # disabled. -# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2 +# 386 generate 80386 code in assembly modules +# no-sse2 disables IA-32 SSE2 code in assembly modules, the above +# mentioned '386' option implies this one # no- build without specified algorithm (rsa, idea, rc5, ...) # - + compiler options are passed through # @@ -1792,8 +1794,16 @@ while () } close(IN); close(OUT); -rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile; -rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n"; +if ((compare($Makefile, "$Makefile.new")) + or file_newer('Configure', $Makefile) + or file_newer('config', $Makefile) + or file_newer('Makefile.org', $Makefile)) + { + rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile; + rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n"; + } +else + { unlink("$Makefile.new"); } print "CC =$cc\n"; print "CFLAG =$cflags\n"; 
@@ -1985,9 +1995,13 @@ print OUT "#ifdef __cplusplus\n"; print OUT "}\n"; print OUT "#endif\n"; close(OUT); -rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h"; -rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n"; - +if (compare("crypto/opensslconf.h.new","crypto/opensslconf.h")) + { + rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h"; + rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n"; + } +else + { unlink("crypto/opensslconf.h.new"); } # Fix the date @@ -2289,3 +2303,9 @@ sub test_sanity print STDERR "No sanity errors detected!\n" if $errorcnt == 0; return $errorcnt; } + +sub file_newer + { + my ($file1, $file2) = @_; + return (stat($file1))[9] > (stat($file2))[9] + } Modified: vendor-crypto/openssl/dist/INSTALL ============================================================================== --- vendor-crypto/openssl/dist/INSTALL Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/INSTALL Thu Jan 26 18:32:12 2017 (r312823) 
@@ -74,24 +74,26 @@ no-asm Do not use assembler code. - 386 Use the 80386 instruction set only (the default x86 code is - more efficient, but requires at least a 486). Note: Use - compiler flags for any other CPU specific configuration, - e.g. "-m32" to build x86 code on an x64 system. - - no-sse2 Exclude SSE2 code pathes. Normally SSE2 extention is - detected at run-time, but the decision whether or not the - machine code will be executed is taken solely on CPU - capability vector. This means that if you happen to run OS - kernel which does not support SSE2 extension on Intel P4 - processor, then your application might be exposed to - "illegal instruction" exception. There might be a way - to enable support in kernel, e.g. FreeBSD kernel can be - compiled with CPU_ENABLE_SSE, and there is a way to - disengage SSE2 code pathes upon application start-up, - but if you aim for wider "audience" running such kernel, - consider no-sse2. Both 386 and no-asm options above imply - no-sse2. + 386 In 32-bit x86 builds, when generating assembly modules, + use the 80386 instruction set only (the default x86 code + is more efficient, but requires at least a 486). Note: + This doesn't affect code generated by compiler, you're + likely to complement configuration command line with + suitable compiler-specific option. + + no-sse2 Exclude SSE2 code paths from 32-bit x86 assembly modules. + Normally SSE2 extension is detected at run-time, but the + decision whether or not the machine code will be executed + is taken solely on CPU capability vector. This means that + if you happen to run OS kernel which does not support SSE2 + extension on Intel P4 processor, then your application + might be exposed to "illegal instruction" exception. + There might be a way to enable support in kernel, e.g. 
+ FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and + there is a way to disengage SSE2 code paths upon application + start-up, but if you aim for wider "audience" running + such kernel, consider no-sse2. Both the 386 and + no-asm options imply no-sse2. no- Build without the specified cipher (bf, cast, des, dh, dsa, hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha). @@ -101,7 +103,12 @@ -Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will be passed through to the compiler to allow you to define preprocessor symbols, specify additional libraries, - library directories or other compiler options. + library directories or other compiler options. It might be + worth noting that some compilers generate code specifically + for processor the compiler currently executes on. This is + not necessarily what you might have in mind, since it might + be unsuitable for execution on other, typically older, + processor. Consult your compiler documentation. -DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using BSD. Useful if you are running ocf-linux or something 
@@ -159,18 +166,18 @@ OpenSSL binary ("openssl"). The libraries will be built in the top-level directory, and the binary will be in the "apps" directory. - If "make" fails, look at the output. There may be reasons for - the failure that aren't problems in OpenSSL itself (like missing - standard headers). If it is a problem with OpenSSL itself, please - report the problem to (note that your - message will be recorded in the request tracker publicly readable - at https://www.openssl.org/community/index.html#bugs and will be - forwarded to a public mailing list). Include the output of "make - report" in your message. Please check out the request tracker. Maybe - the bug was already reported or has already been fixed. + If the build fails, look at the output. There may be reasons + for the failure that aren't problems in OpenSSL itself (like + missing standard headers). If you are having problems you can + get help by sending an email to the openssl-users email list (see + https://www.openssl.org/community/mailinglists.html for details). If + it is a bug with OpenSSL itself, please open an issue on GitHub, at + https://github.com/openssl/openssl/issues. Please review the existing + ones first; maybe the bug was already reported or has already been + fixed. - [If you encounter assembler error messages, try the "no-asm" - configuration option as an immediate fix.] + (If you encounter assembler error messages, try the "no-asm" + configuration option as an immediate fix.) Compiling parts of OpenSSL with gcc and others with the system compiler will result in unresolved symbols on some systems. Modified: vendor-crypto/openssl/dist/Makefile ============================================================================== --- vendor-crypto/openssl/dist/Makefile Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/Makefile Thu Jan 26 18:32:12 2017 (r312823) 
@@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2j +VERSION=1.0.2k MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 @@ -203,7 +203,8 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \ $${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \ $${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \ - $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} + $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \ + $${APPS+APPS} # LC_ALL=C ensures that error [and other] messages are delivered in # same language for uniform treatment. Modified: vendor-crypto/openssl/dist/Makefile.org ============================================================================== --- vendor-crypto/openssl/dist/Makefile.org Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/Makefile.org Thu Jan 26 18:32:12 2017 (r312823) @@ -201,7 +201,8 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \ $${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \ $${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \ - $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} + $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \ + $${APPS+APPS} # LC_ALL=C ensures that error [and other] messages are delivered in # same language for uniform treatment. Modified: vendor-crypto/openssl/dist/NEWS ============================================================================== --- vendor-crypto/openssl/dist/NEWS Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/NEWS Thu Jan 26 18:32:12 2017 (r312823) 
@@ -5,9 +5,15 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017] + + o Truncated packet could crash via OOB read (CVE-2017-3731) + o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) + o Montgomery multiplication may produce incorrect results (CVE-2016-7055) + Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016] - o Fix Use After Free for large message sizes (CVE-2016-6309) + o Missing CRL sanity check (CVE-2016-7052) Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016] Modified: vendor-crypto/openssl/dist/README ============================================================================== --- vendor-crypto/openssl/dist/README Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/README Thu Jan 26 18:32:12 2017 (r312823) @@ -1,5 +1,5 @@ - OpenSSL 1.0.2j 26 Sep 2016 + OpenSSL 1.0.2k 26 Jan 2017 Copyright (c) 1998-2015 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson @@ -66,13 +66,13 @@ If you have any problems with OpenSSL then please take the following steps first: - - Download the current snapshot from ftp://ftp.openssl.org/snapshot/ + - Download the latest version from the repository to see if the problem has already been addressed - - Remove ASM versions of libraries + - Configure with no-asm - Remove compiler optimisation flags - If you wish to report a bug then please include the following information in - any bug report: + If you wish to report a bug then please include the following information + and create an issue on GitHub: - On Unix systems: Self-test report generated by 'make report' 
@@ -84,27 +84,9 @@ - Problem Description (steps that will reproduce the problem, if known) - Stack Traceback (if the application dumps core) - Email the report to: - - rt@openssl.org - - In order to avoid spam, this is a moderated mailing list, and it might - take a day for the ticket to show up. (We also scan posts to make sure - that security disclosures aren't publically posted by mistake.) Mail - to this address is recorded in the public RT (request tracker) database - (see https://www.openssl.org/community/index.html#bugs for details) and - also forwarded the public openssl-dev mailing list. Confidential mail - may be sent to openssl-security@openssl.org (PGP key available from the - key servers). - - Please do NOT use this for general assistance or support queries. Just because something doesn't work the way you expect does not mean it is necessarily a bug in OpenSSL. - You can also make GitHub pull requests. If you do this, please also send - mail to rt@openssl.org with a link to the PR so that we can more easily - keep track of it. - HOW TO CONTRIBUTE TO OpenSSL ---------------------------- @@ -113,7 +95,7 @@ LEGALITIES ---------- - A number of nations, in particular the U.S., restrict the use or export - of cryptography. If you are potentially subject to such restrictions - you should seek competent professional legal advice before attempting to - develop or distribute cryptographic code. + A number of nations restrict the use or export of cryptography. If you + are potentially subject to such restrictions you should seek competent + professional legal advice before attempting to develop or distribute + cryptographic code. Modified: vendor-crypto/openssl/dist/apps/apps.c ============================================================================== --- vendor-crypto/openssl/dist/apps/apps.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/apps.c Thu Jan 26 18:32:12 2017 (r312823) 
@@ -972,7 +972,10 @@ EVP_PKEY *load_key(BIO *err, const char if (!e) BIO_printf(err, "no engine specified\n"); else { - pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data); + if (ENGINE_init(e)) { + pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data); + ENGINE_finish(e); + } if (!pkey) { BIO_printf(err, "cannot load %s from engine\n", key_descrip); ERR_print_errors(err); @@ -1532,11 +1535,13 @@ static ENGINE *try_load_engine(BIO *err, } return e; } +#endif ENGINE *setup_engine(BIO *err, const char *engine, int debug) { ENGINE *e = NULL; +#ifndef OPENSSL_NO_ENGINE if (engine) { if (strcmp(engine, "auto") == 0) { BIO_printf(err, "enabling auto ENGINE support\n"); @@ -1561,13 +1566,19 @@ ENGINE *setup_engine(BIO *err, const cha } BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e)); - - /* Free our "structural" reference. */ - ENGINE_free(e); } +#endif return e; } + +void release_engine(ENGINE *e) +{ +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + /* Free our "structural" reference. */ + ENGINE_free(e); #endif +} int load_config(BIO *err, CONF *cnf) { Modified: vendor-crypto/openssl/dist/apps/apps.h ============================================================================== --- vendor-crypto/openssl/dist/apps/apps.h Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/apps.h Thu Jan 26 18:32:12 2017 (r312823) 
@@ -259,9 +259,9 @@ STACK_OF(X509_CRL) *load_crls(BIO *err, const char *pass, ENGINE *e, const char *cert_descrip); X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath); -# ifndef OPENSSL_NO_ENGINE + ENGINE *setup_engine(BIO *err, const char *engine, int debug); -# endif +void release_engine(ENGINE *e); # ifndef OPENSSL_NO_OCSP OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, Modified: vendor-crypto/openssl/dist/apps/ca.c ============================================================================== --- vendor-crypto/openssl/dist/apps/ca.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/ca.c Thu Jan 26 18:32:12 2017 (r312823) @@ -319,9 +319,7 @@ int MAIN(int argc, char **argv) #define BSIZE 256 MS_STATIC char buf[3][BSIZE]; char *randfile = NULL; -#ifndef OPENSSL_NO_ENGINE char *engine = NULL; -#endif char *tofree = NULL; DB_ATTR db_attr; @@ -595,9 +593,7 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, conf)) goto err; -#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); -#endif /* Lets get the config section we are using */ if (section == NULL) { @@ -1485,6 +1481,7 @@ int MAIN(int argc, char **argv) X509_CRL_free(crl); NCONF_free(conf); NCONF_free(extconf); + release_engine(e); OBJ_cleanup(); apps_shutdown(); OPENSSL_EXIT(ret); @@ -2227,7 +2224,6 @@ static int certify_spkac(X509 **xret, ch sk = CONF_get_section(parms, "default"); if (sk_CONF_VALUE_num(sk) == 0) { BIO_printf(bio_err, "no name/value pairs found in %s\n", infile); - CONF_free(parms); goto err; } Modified: vendor-crypto/openssl/dist/apps/cms.c ============================================================================== --- vendor-crypto/openssl/dist/apps/cms.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/cms.c Thu Jan 26 18:32:12 2017 (r312823) 
@@ -143,9 +143,7 @@ int MAIN(int argc, char **argv) const EVP_MD *sign_md = NULL; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; -# ifndef OPENSSL_NO_ENGINE char *engine = NULL; -# endif unsigned char *secret_key = NULL, *secret_keyid = NULL; unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; size_t secret_keylen = 0, secret_keyidlen = 0; @@ -665,9 +663,7 @@ int MAIN(int argc, char **argv) "cert.pem recipient certificate(s) for encryption\n"); goto end; } -# ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); -# endif if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); @@ -1170,6 +1166,7 @@ int MAIN(int argc, char **argv) EVP_PKEY_free(key); CMS_ContentInfo_free(cms); CMS_ContentInfo_free(rcms); + release_engine(e); BIO_free(rctin); BIO_free(in); BIO_free(indata); Modified: vendor-crypto/openssl/dist/apps/dgst.c ============================================================================== --- vendor-crypto/openssl/dist/apps/dgst.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/dgst.c Thu Jan 26 18:32:12 2017 (r312823) @@ -537,6 +537,7 @@ int MAIN(int argc, char **argv) OPENSSL_free(sigbuf); if (bmd != NULL) BIO_free(bmd); + release_engine(e); apps_shutdown(); OPENSSL_EXIT(err); } Modified: vendor-crypto/openssl/dist/apps/dh.c ============================================================================== --- vendor-crypto/openssl/dist/apps/dh.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/dh.c Thu Jan 26 18:32:12 2017 (r312823) @@ -94,9 +94,7 @@ int MAIN(int argc, char **argv) BIO *in = NULL, *out = NULL; int informat, outformat, check = 0, noout = 0, C = 0, ret = 1; char *infile, *outfile, *prog; -# ifndef OPENSSL_NO_ENGINE char *engine; -# endif apps_startup(); 
@@ -107,9 +105,7 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; -# ifndef OPENSSL_NO_ENGINE engine = NULL; -# endif infile = NULL; outfile = NULL; informat = FORMAT_PEM; @@ -183,9 +179,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); -# ifndef OPENSSL_NO_ENGINE setup_engine(bio_err, engine, 0); -# endif in = BIO_new(BIO_s_file()); out = BIO_new(BIO_s_file()); Modified: vendor-crypto/openssl/dist/apps/dhparam.c ============================================================================== --- vendor-crypto/openssl/dist/apps/dhparam.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/dhparam.c Thu Jan 26 18:32:12 2017 (r312823) @@ -159,9 +159,8 @@ int MAIN(int argc, char **argv) int informat, outformat, check = 0, noout = 0, C = 0, ret = 1; char *infile, *outfile, *prog; char *inrand = NULL; -# ifndef OPENSSL_NO_ENGINE char *engine = NULL; -# endif + ENGINE *e = NULL; int num = 0, g = 0; apps_startup(); @@ -270,9 +269,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); -# ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -# endif + e = setup_engine(bio_err, engine, 0); if (g && !num) num = DEFBITS; @@ -512,6 +509,7 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dh != NULL) DH_free(dh); + release_engine(e); apps_shutdown(); OPENSSL_EXIT(ret); } Modified: vendor-crypto/openssl/dist/apps/dsa.c ============================================================================== --- vendor-crypto/openssl/dist/apps/dsa.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/dsa.c Thu Jan 26 18:32:12 2017 (r312823) @@ -106,9 +106,7 @@ int MAIN(int argc, char **argv) int informat, outformat, text = 0, noout = 0; int pubin = 0, pubout = 0; char *infile, *outfile, *prog; -# ifndef OPENSSL_NO_ENGINE char *engine; -# endif char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; int modulus = 0; 
@@ -124,9 +122,7 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; -# ifndef OPENSSL_NO_ENGINE engine = NULL; -# endif infile = NULL; outfile = NULL; informat = FORMAT_PEM; @@ -239,9 +235,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); -# ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); -# endif if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); @@ -358,6 +352,7 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); + release_engine(e); if (passin) OPENSSL_free(passin); if (passout) Modified: vendor-crypto/openssl/dist/apps/dsaparam.c ============================================================================== --- vendor-crypto/openssl/dist/apps/dsaparam.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/dsaparam.c Thu Jan 26 18:32:12 2017 (r312823) @@ -121,9 +121,8 @@ int MAIN(int argc, char **argv) char *infile, *outfile, *prog, *inrand = NULL; int numbits = -1, num, genkey = 0; int need_rand = 0; -# ifndef OPENSSL_NO_ENGINE char *engine = NULL; -# endif + ENGINE *e = NULL; # ifdef GENCB_TEST int timebomb = 0; # endif @@ -263,9 +262,7 @@ int MAIN(int argc, char **argv) } } -# ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -# endif + e = setup_engine(bio_err, engine, 0); if (need_rand) { app_RAND_load_file(NULL, bio_err, (inrand != NULL)); @@ -433,6 +430,7 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); + release_engine(e); apps_shutdown(); OPENSSL_EXIT(ret); } Modified: vendor-crypto/openssl/dist/apps/ec.c ============================================================================== --- vendor-crypto/openssl/dist/apps/ec.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/ec.c Thu Jan 26 18:32:12 2017 (r312823) 
@@ -95,6 +95,7 @@ int MAIN(int argc, char **argv) int informat, outformat, text = 0, noout = 0; int pubin = 0, pubout = 0, param_out = 0; char *infile, *outfile, *prog, *engine; + ENGINE *e = NULL; char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED; @@ -235,9 +236,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); -# ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -# endif + e = setup_engine(bio_err, engine, 0); if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); @@ -349,6 +348,7 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (eckey) EC_KEY_free(eckey); + release_engine(e); if (passin) OPENSSL_free(passin); if (passout) Modified: vendor-crypto/openssl/dist/apps/ecparam.c ============================================================================== --- vendor-crypto/openssl/dist/apps/ecparam.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/ecparam.c Thu Jan 26 18:32:12 2017 (r312823) @@ -131,6 +131,7 @@ int MAIN(int argc, char **argv) BIO *in = NULL, *out = NULL; int informat, outformat, noout = 0, C = 0, ret = 1; char *engine = NULL; + ENGINE *e = NULL; BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL, *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL; @@ -311,9 +312,7 @@ int MAIN(int argc, char **argv) } } -# ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -# endif + e = setup_engine(bio_err, engine, 0); if (list_curves) { EC_builtin_curve *curves = NULL; 
@@ -620,12 +619,13 @@ int MAIN(int argc, char **argv) BN_free(ec_cofactor); if (buffer) OPENSSL_free(buffer); + if (group != NULL) + EC_GROUP_free(group); + release_engine(e); if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); - if (group != NULL) - EC_GROUP_free(group); apps_shutdown(); OPENSSL_EXIT(ret); } Modified: vendor-crypto/openssl/dist/apps/enc.c ============================================================================== --- vendor-crypto/openssl/dist/apps/enc.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/enc.c Thu Jan 26 18:32:12 2017 (r312823) @@ -126,9 +126,8 @@ int MAIN(int argc, char **argv) NULL, *wbio = NULL; #define PROG_NAME_SIZE 39 char pname[PROG_NAME_SIZE + 1]; -#ifndef OPENSSL_NO_ENGINE char *engine = NULL; -#endif + ENGINE *e = NULL; const EVP_MD *dgst = NULL; int non_fips_allow = 0; @@ -322,9 +321,7 @@ int MAIN(int argc, char **argv) argv++; } -#ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -#endif + e = setup_engine(bio_err, engine, 0); if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { BIO_printf(bio_err, @@ -674,6 +671,7 @@ int MAIN(int argc, char **argv) if (bzl != NULL) BIO_free(bzl); #endif + release_engine(e); if (pass) OPENSSL_free(pass); apps_shutdown(); Modified: vendor-crypto/openssl/dist/apps/gendh.c ============================================================================== --- vendor-crypto/openssl/dist/apps/gendh.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/gendh.c Thu Jan 26 18:32:12 2017 (r312823) @@ -96,9 +96,7 @@ int MAIN(int argc, char **argv) int g = 2; char *outfile = NULL; char *inrand = NULL; -# ifndef OPENSSL_NO_ENGINE char *engine = NULL; -# endif BIO *out = NULL; apps_startup(); 
@@ -162,9 +160,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, " the random number generator\n"); goto end; } -# ifndef OPENSSL_NO_ENGINE setup_engine(bio_err, engine, 0); -# endif out = BIO_new(BIO_s_file()); if (out == NULL) { Modified: vendor-crypto/openssl/dist/apps/gendsa.c ============================================================================== --- vendor-crypto/openssl/dist/apps/gendsa.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/gendsa.c Thu Jan 26 18:32:12 2017 (r312823) @@ -85,9 +85,8 @@ int MAIN(int argc, char **argv) char *passargout = NULL, *passout = NULL; BIO *out = NULL, *in = NULL; const EVP_CIPHER *enc = NULL; -# ifndef OPENSSL_NO_ENGINE char *engine = NULL; -# endif + ENGINE *e = NULL; apps_startup(); @@ -206,9 +205,7 @@ int MAIN(int argc, char **argv) " - a DSA parameter file as generated by the dsaparam command\n"); goto end; } -# ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -# endif + e = setup_engine(bio_err, engine, 0); if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) { BIO_printf(bio_err, "Error getting password\n"); @@ -273,6 +270,7 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); + release_engine(e); if (passout) OPENSSL_free(passout); apps_shutdown(); Modified: vendor-crypto/openssl/dist/apps/genpkey.c ============================================================================== --- vendor-crypto/openssl/dist/apps/genpkey.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/genpkey.c Thu Jan 26 18:32:12 2017 (r312823) 
@@ -275,9 +275,9 @@ int MAIN(int argc, char **argv) if (out) BIO_free_all(out); BIO_free(in); + release_engine(e); if (pass) OPENSSL_free(pass); - return ret; } Modified: vendor-crypto/openssl/dist/apps/genrsa.c ============================================================================== --- vendor-crypto/openssl/dist/apps/genrsa.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/genrsa.c Thu Jan 26 18:32:12 2017 (r312823) @@ -91,9 +91,7 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { BN_GENCB cb; -# ifndef OPENSSL_NO_ENGINE ENGINE *e = NULL; -# endif int ret = 1; int i, num = DEFBITS; long l; @@ -101,9 +99,7 @@ int MAIN(int argc, char **argv) unsigned long f4 = RSA_F4; char *outfile = NULL; char *passargout = NULL, *passout = NULL; -# ifndef OPENSSL_NO_ENGINE char *engine = NULL; -# endif char *inrand = NULL; BIO *out = NULL; BIGNUM *bn = BN_new(); @@ -240,9 +236,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "Error getting password\n"); goto err; } -# ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); -# endif if (outfile == NULL) { BIO_set_fp(out, stdout, BIO_NOCLOSE); @@ -314,6 +308,7 @@ int MAIN(int argc, char **argv) RSA_free(rsa); if (out) BIO_free_all(out); + release_engine(e); if (passout) OPENSSL_free(passout); if (ret != 0) Modified: vendor-crypto/openssl/dist/apps/pkcs12.c ============================================================================== --- vendor-crypto/openssl/dist/apps/pkcs12.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/pkcs12.c Thu Jan 26 18:32:12 2017 (r312823) @@ -129,9 +129,7 @@ int MAIN(int argc, char **argv) char *inrand = NULL; char *macalg = NULL; char *CApath = NULL, *CAfile = NULL; -# ifndef OPENSSL_NO_ENGINE char *engine = NULL; -# endif apps_startup(); 
@@ -406,9 +404,7 @@ int MAIN(int argc, char **argv) "-LMK Add local machine keyset attribute to private key\n"); goto end; } -# ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); -# endif if (passarg) { if (export_cert) @@ -756,6 +752,7 @@ int MAIN(int argc, char **argv) # ifdef CRYPTO_MDEBUG CRYPTO_remove_all_info(); # endif + release_engine(e); BIO_free(in); BIO_free_all(out); if (canames) @@ -1110,4 +1107,6 @@ static int set_pbe(BIO *err, int *ppbe, return 1; } +#else +static void *dummy = &dummy; #endif Modified: vendor-crypto/openssl/dist/apps/pkcs7.c ============================================================================== --- vendor-crypto/openssl/dist/apps/pkcs7.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/pkcs7.c Thu Jan 26 18:32:12 2017 (r312823) @@ -90,9 +90,8 @@ int MAIN(int argc, char **argv) char *infile, *outfile, *prog; int print_certs = 0, text = 0, noout = 0, p7_print = 0; int ret = 1; -#ifndef OPENSSL_NO_ENGINE char *engine = NULL; -#endif + ENGINE *e = NULL; apps_startup(); @@ -175,9 +174,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); -#ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -#endif + e = setup_engine(bio_err, engine, 0); in = BIO_new(BIO_s_file()); out = BIO_new(BIO_s_file()); @@ -303,6 +300,7 @@ int MAIN(int argc, char **argv) end: if (p7 != NULL) PKCS7_free(p7); + release_engine(e); if (in != NULL) BIO_free(in); if (out != NULL) Modified: vendor-crypto/openssl/dist/apps/pkcs8.c ============================================================================== --- vendor-crypto/openssl/dist/apps/pkcs8.c Thu Jan 26 18:18:35 2017 (r312822) +++ vendor-crypto/openssl/dist/apps/pkcs8.c Thu Jan 26 18:32:12 2017 (r312823) 
@@ -87,9 +87,7 @@ int MAIN(int argc, char **argv) char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL; int badarg = 0; int ret = 1; -#ifndef OPENSSL_NO_ENGINE char *engine = NULL; -#endif if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); @@ -223,9 +221,7 @@ int MAIN(int argc, char **argv) *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
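Review bot: the now-unconditional `setup_engine` and `release_engine` prototypes in apps.h (hunk @@ -259,9) require apps.c to define both functions also when OPENSSL_NO_ENGINE is set; apps.c is in the modified list but its hunks are not in the visible part of the diff, so confirm a no-engine build still links. Also, the `+` line that replaces `# ifndef OPENSSL_NO_ENGINE` is empty, which leaves a stray blank line between the `setup_verify` and `setup_engine` declarations.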
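Review bot: dropping `CONF_free(parms);` before `goto err;` in certify_spkac (ca.c hunk @@ -2227,7) is only correct if the `err:` label releases `parms`; that cleanup block is outside the hunk, so verify it, otherwise the change trades a double free for a leak. A short comment at the `goto` stating that `parms` is freed at `err:` would make the ownership explicit.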
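Review bot: dh.c (hunk @@ -183,9) and gendh.c (hunk @@ -162,9) still call `setup_engine(bio_err, engine, 0);` and discard the returned ENGINE, and neither file gains a `release_engine()` call, unlike dhparam.c, dsaparam.c, ec.c, ecparam.c, enc.c, gendsa.c and pkcs7.c in the same commit, which were changed to `e = setup_engine(bio_err, engine, 0);` with a matching `release_engine(e);` in the cleanup path. The engine reference is therefore still leaked in these two apps; suggest applying the same pattern (declare `ENGINE *e = NULL;`, capture the return value, release it at `end:`).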
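Review bot: the hunks in dgst.c (@@ -537,6), cms.c (@@ -1170,6), pkcs12.c (@@ -756,6) and genpkey.c (@@ -275,9) add an unconditional `release_engine(e);` but do not show where `e` is declared. If that declaration is still wrapped in `# ifndef OPENSSL_NO_ENGINE`, as `ENGINE *e = NULL;` was in genrsa.c before this commit (hunk @@ -91,9), a no-engine build will fail to compile; check that each of these files had its declaration unguarded the way genrsa.c's was.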
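Review bot: moving `EC_GROUP_free(group)` ahead of `release_engine(e)` in ecparam.c (hunk @@ -620,12) is the safer order, since objects that may still reference engine-provided methods are released before the engine itself; dsa.c, ec.c and gendsa.c in this commit likewise free their key objects before `release_engine(e)`, so the ordering is consistent across the apps. No change needed.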
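Review bot: the new `#else` branch in pkcs12.c (hunk @@ -1110,4) introduces `static void *dummy = &dummy;` without a comment, and the matching `#if` is outside the hunk, so a reader sees an unreferenced self-pointing static with no rationale. If the purpose is to keep the file from becoming an empty translation unit when the app is compiled out, say so in a one-line comment next to the declaration.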