Date: Thu, 22 Sep 2016 13:04:03 +0000 (UTC) From: Jung-uk Kim <jkim@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org Subject: svn commit: r306189 - in vendor-crypto/openssl/dist: . apps crypto crypto/aes/asm crypto/asn1 crypto/bio crypto/bn crypto/bn/asm crypto/cms crypto/comp crypto/conf crypto/des crypto/des/asm crypto/... Message-ID: <201609221304.u8MD43ee009275@repo.freebsd.org>
Author: jkim Date: Thu Sep 22 13:04:03 2016 New Revision: 306189 URL: https://svnweb.freebsd.org/changeset/base/306189 Log: Import OpenSSL 1.0.2i. Added: vendor-crypto/openssl/dist/doc/crypto/d2i_PrivateKey.pod vendor-crypto/openssl/dist/ssl/bad_dtls_test.c (contents, props changed) vendor-crypto/openssl/dist/ssl/dtlstest.c (contents, props changed) Modified: vendor-crypto/openssl/dist/CHANGES vendor-crypto/openssl/dist/CONTRIBUTING vendor-crypto/openssl/dist/Configure vendor-crypto/openssl/dist/FREEBSD-Xlist vendor-crypto/openssl/dist/FREEBSD-upgrade vendor-crypto/openssl/dist/Makefile vendor-crypto/openssl/dist/Makefile.org vendor-crypto/openssl/dist/Makefile.shared vendor-crypto/openssl/dist/NEWS vendor-crypto/openssl/dist/README vendor-crypto/openssl/dist/apps/CA.pl vendor-crypto/openssl/dist/apps/CA.pl.in vendor-crypto/openssl/dist/apps/apps.c vendor-crypto/openssl/dist/apps/apps.h vendor-crypto/openssl/dist/apps/ca.c vendor-crypto/openssl/dist/apps/dgst.c vendor-crypto/openssl/dist/apps/enc.c vendor-crypto/openssl/dist/apps/passwd.c vendor-crypto/openssl/dist/apps/pkcs12.c vendor-crypto/openssl/dist/apps/req.c vendor-crypto/openssl/dist/apps/s_apps.h vendor-crypto/openssl/dist/apps/s_cb.c vendor-crypto/openssl/dist/apps/s_client.c vendor-crypto/openssl/dist/apps/s_server.c vendor-crypto/openssl/dist/apps/speed.c vendor-crypto/openssl/dist/apps/srp.c vendor-crypto/openssl/dist/apps/verify.c vendor-crypto/openssl/dist/apps/x509.c vendor-crypto/openssl/dist/crypto/LPdir_unix.c vendor-crypto/openssl/dist/crypto/aes/asm/bsaes-armv7.pl vendor-crypto/openssl/dist/crypto/asn1/a_bytes.c vendor-crypto/openssl/dist/crypto/asn1/a_object.c vendor-crypto/openssl/dist/crypto/asn1/a_set.c vendor-crypto/openssl/dist/crypto/asn1/a_strex.c vendor-crypto/openssl/dist/crypto/asn1/a_strnid.c vendor-crypto/openssl/dist/crypto/asn1/ameth_lib.c vendor-crypto/openssl/dist/crypto/asn1/asn1_lib.c vendor-crypto/openssl/dist/crypto/asn1/asn_mime.c 
vendor-crypto/openssl/dist/crypto/asn1/bio_asn1.c vendor-crypto/openssl/dist/crypto/asn1/bio_ndef.c vendor-crypto/openssl/dist/crypto/asn1/charmap.pl vendor-crypto/openssl/dist/crypto/asn1/d2i_pr.c vendor-crypto/openssl/dist/crypto/asn1/f_enum.c vendor-crypto/openssl/dist/crypto/asn1/f_int.c vendor-crypto/openssl/dist/crypto/asn1/f_string.c vendor-crypto/openssl/dist/crypto/asn1/i2d_pr.c vendor-crypto/openssl/dist/crypto/asn1/p5_pbe.c vendor-crypto/openssl/dist/crypto/asn1/p5_pbev2.c vendor-crypto/openssl/dist/crypto/asn1/t_req.c vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c vendor-crypto/openssl/dist/crypto/asn1/tasn_enc.c vendor-crypto/openssl/dist/crypto/asn1/tasn_prn.c vendor-crypto/openssl/dist/crypto/asn1/tasn_utl.c vendor-crypto/openssl/dist/crypto/asn1/x_bignum.c vendor-crypto/openssl/dist/crypto/asn1/x_name.c vendor-crypto/openssl/dist/crypto/asn1/x_x509.c vendor-crypto/openssl/dist/crypto/bio/b_print.c vendor-crypto/openssl/dist/crypto/bio/bf_nbio.c vendor-crypto/openssl/dist/crypto/bio/bio.h vendor-crypto/openssl/dist/crypto/bio/bss_bio.c vendor-crypto/openssl/dist/crypto/bio/bss_file.c vendor-crypto/openssl/dist/crypto/bio/bss_rtcp.c vendor-crypto/openssl/dist/crypto/bn/asm/x86-mont.pl vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont.pl vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont5.pl vendor-crypto/openssl/dist/crypto/bn/bn.h vendor-crypto/openssl/dist/crypto/bn/bn_div.c vendor-crypto/openssl/dist/crypto/bn/bn_lib.c vendor-crypto/openssl/dist/crypto/bn/bn_print.c vendor-crypto/openssl/dist/crypto/bn/bn_rand.c vendor-crypto/openssl/dist/crypto/bn/bn_word.c vendor-crypto/openssl/dist/crypto/bn/bntest.c vendor-crypto/openssl/dist/crypto/cms/cms_enc.c vendor-crypto/openssl/dist/crypto/cms/cms_ess.c vendor-crypto/openssl/dist/crypto/cms/cms_lib.c vendor-crypto/openssl/dist/crypto/cms/cms_pwri.c vendor-crypto/openssl/dist/crypto/comp/comp.h vendor-crypto/openssl/dist/crypto/conf/conf_def.h 
vendor-crypto/openssl/dist/crypto/conf/conf_mod.c vendor-crypto/openssl/dist/crypto/conf/keysets.pl vendor-crypto/openssl/dist/crypto/des/asm/dest4-sparcv9.pl vendor-crypto/openssl/dist/crypto/des/des.c vendor-crypto/openssl/dist/crypto/des/enc_writ.c vendor-crypto/openssl/dist/crypto/dh/dh_ameth.c vendor-crypto/openssl/dist/crypto/dsa/dsa_ameth.c vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c vendor-crypto/openssl/dist/crypto/dsa/dsa_ossl.c vendor-crypto/openssl/dist/crypto/ec/Makefile vendor-crypto/openssl/dist/crypto/ec/asm/ecp_nistz256-x86_64.pl vendor-crypto/openssl/dist/crypto/ec/ec_ameth.c vendor-crypto/openssl/dist/crypto/ec/ec_key.c vendor-crypto/openssl/dist/crypto/ec/ecp_nistz256.c vendor-crypto/openssl/dist/crypto/engine/eng_cryptodev.c vendor-crypto/openssl/dist/crypto/evp/bio_enc.c vendor-crypto/openssl/dist/crypto/evp/bio_ok.c vendor-crypto/openssl/dist/crypto/evp/c_all.c vendor-crypto/openssl/dist/crypto/evp/digest.c vendor-crypto/openssl/dist/crypto/evp/e_rc4_hmac_md5.c vendor-crypto/openssl/dist/crypto/evp/e_seed.c vendor-crypto/openssl/dist/crypto/evp/evp_enc.c vendor-crypto/openssl/dist/crypto/evp/evp_test.c vendor-crypto/openssl/dist/crypto/evp/openbsd_hw.c vendor-crypto/openssl/dist/crypto/evp/p_lib.c vendor-crypto/openssl/dist/crypto/evp/pmeth_gn.c vendor-crypto/openssl/dist/crypto/evp/pmeth_lib.c vendor-crypto/openssl/dist/crypto/hmac/hmac.c vendor-crypto/openssl/dist/crypto/jpake/jpake.c vendor-crypto/openssl/dist/crypto/lhash/lhash.c vendor-crypto/openssl/dist/crypto/md2/md2_dgst.c vendor-crypto/openssl/dist/crypto/md32_common.h vendor-crypto/openssl/dist/crypto/mdc2/mdc2dgst.c vendor-crypto/openssl/dist/crypto/mem.c vendor-crypto/openssl/dist/crypto/mem_clr.c vendor-crypto/openssl/dist/crypto/modes/asm/ghash-sparcv9.pl vendor-crypto/openssl/dist/crypto/o_init.c vendor-crypto/openssl/dist/crypto/o_time.c vendor-crypto/openssl/dist/crypto/objects/o_names.c vendor-crypto/openssl/dist/crypto/ocsp/ocsp_cl.c 
vendor-crypto/openssl/dist/crypto/ocsp/ocsp_ext.c vendor-crypto/openssl/dist/crypto/ocsp/ocsp_lib.c vendor-crypto/openssl/dist/crypto/opensslv.h vendor-crypto/openssl/dist/crypto/ossl_typ.h vendor-crypto/openssl/dist/crypto/pem/pem.h vendor-crypto/openssl/dist/crypto/pem/pem_err.c vendor-crypto/openssl/dist/crypto/pem/pem_lib.c vendor-crypto/openssl/dist/crypto/pem/pvkfmt.c vendor-crypto/openssl/dist/crypto/perlasm/sparcv9_modes.pl vendor-crypto/openssl/dist/crypto/pkcs12/p12_mutl.c vendor-crypto/openssl/dist/crypto/pkcs12/p12_npas.c vendor-crypto/openssl/dist/crypto/pkcs12/p12_utl.c vendor-crypto/openssl/dist/crypto/pkcs12/pkcs12.h vendor-crypto/openssl/dist/crypto/pkcs7/pk7_doit.c vendor-crypto/openssl/dist/crypto/rand/md_rand.c vendor-crypto/openssl/dist/crypto/rand/rand_unix.c vendor-crypto/openssl/dist/crypto/rand/randfile.c vendor-crypto/openssl/dist/crypto/rsa/rsa_ameth.c vendor-crypto/openssl/dist/crypto/rsa/rsa_chk.c vendor-crypto/openssl/dist/crypto/rsa/rsa_lib.c vendor-crypto/openssl/dist/crypto/rsa/rsa_pmeth.c vendor-crypto/openssl/dist/crypto/sha/asm/sha1-x86_64.pl vendor-crypto/openssl/dist/crypto/sparccpuid.S vendor-crypto/openssl/dist/crypto/srp/srp_lib.c vendor-crypto/openssl/dist/crypto/srp/srp_vfy.c vendor-crypto/openssl/dist/crypto/ts/ts.h vendor-crypto/openssl/dist/crypto/ts/ts_lib.c vendor-crypto/openssl/dist/crypto/ts/ts_rsp_verify.c vendor-crypto/openssl/dist/crypto/ui/ui_lib.c vendor-crypto/openssl/dist/crypto/whrlpool/wp_dgst.c vendor-crypto/openssl/dist/crypto/x509/by_dir.c vendor-crypto/openssl/dist/crypto/x509/x509.h vendor-crypto/openssl/dist/crypto/x509/x509_att.c vendor-crypto/openssl/dist/crypto/x509/x509_err.c vendor-crypto/openssl/dist/crypto/x509/x509_obj.c vendor-crypto/openssl/dist/crypto/x509/x509_r2x.c vendor-crypto/openssl/dist/crypto/x509/x509_txt.c vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c vendor-crypto/openssl/dist/crypto/x509/x509_vfy.h vendor-crypto/openssl/dist/crypto/x509/x509spki.c 
vendor-crypto/openssl/dist/crypto/x509v3/v3_addr.c vendor-crypto/openssl/dist/crypto/x509v3/v3_alt.c vendor-crypto/openssl/dist/crypto/x509v3/v3_conf.c vendor-crypto/openssl/dist/doc/apps/cms.pod vendor-crypto/openssl/dist/doc/apps/s_client.pod vendor-crypto/openssl/dist/doc/apps/s_server.pod vendor-crypto/openssl/dist/doc/apps/smime.pod vendor-crypto/openssl/dist/doc/apps/verify.pod vendor-crypto/openssl/dist/doc/apps/x509.pod vendor-crypto/openssl/dist/doc/apps/x509v3_config.pod vendor-crypto/openssl/dist/doc/crypto/BIO_s_bio.pod vendor-crypto/openssl/dist/doc/crypto/BN_bn2bin.pod vendor-crypto/openssl/dist/doc/crypto/BN_rand.pod vendor-crypto/openssl/dist/doc/crypto/EVP_EncryptInit.pod vendor-crypto/openssl/dist/doc/crypto/EVP_PKEY_cmp.pod vendor-crypto/openssl/dist/doc/crypto/OBJ_nid2obj.pod vendor-crypto/openssl/dist/doc/crypto/OPENSSL_config.pod vendor-crypto/openssl/dist/doc/crypto/OPENSSL_ia32cap.pod vendor-crypto/openssl/dist/doc/crypto/X509_verify_cert.pod vendor-crypto/openssl/dist/doc/crypto/d2i_X509.pod vendor-crypto/openssl/dist/doc/crypto/hmac.pod vendor-crypto/openssl/dist/doc/crypto/rand.pod vendor-crypto/openssl/dist/doc/crypto/ui.pod vendor-crypto/openssl/dist/engines/ccgost/gost2001.c vendor-crypto/openssl/dist/engines/ccgost/gost2001_keyx.c vendor-crypto/openssl/dist/engines/ccgost/gost94_keyx.c vendor-crypto/openssl/dist/engines/ccgost/gost_ameth.c vendor-crypto/openssl/dist/engines/ccgost/gost_pmeth.c vendor-crypto/openssl/dist/engines/e_4758cca.c vendor-crypto/openssl/dist/engines/e_aep.c vendor-crypto/openssl/dist/engines/e_capi.c vendor-crypto/openssl/dist/engines/e_chil.c vendor-crypto/openssl/dist/ssl/Makefile vendor-crypto/openssl/dist/ssl/d1_both.c vendor-crypto/openssl/dist/ssl/d1_clnt.c vendor-crypto/openssl/dist/ssl/d1_lib.c vendor-crypto/openssl/dist/ssl/d1_pkt.c vendor-crypto/openssl/dist/ssl/d1_srvr.c vendor-crypto/openssl/dist/ssl/s23_clnt.c vendor-crypto/openssl/dist/ssl/s2_clnt.c vendor-crypto/openssl/dist/ssl/s2_srvr.c 
vendor-crypto/openssl/dist/ssl/s3_both.c vendor-crypto/openssl/dist/ssl/s3_clnt.c vendor-crypto/openssl/dist/ssl/s3_enc.c vendor-crypto/openssl/dist/ssl/s3_lib.c vendor-crypto/openssl/dist/ssl/s3_pkt.c vendor-crypto/openssl/dist/ssl/s3_srvr.c vendor-crypto/openssl/dist/ssl/ssl.h vendor-crypto/openssl/dist/ssl/ssl_asn1.c vendor-crypto/openssl/dist/ssl/ssl_ciph.c vendor-crypto/openssl/dist/ssl/ssl_err.c vendor-crypto/openssl/dist/ssl/ssl_lib.c vendor-crypto/openssl/dist/ssl/ssl_locl.h vendor-crypto/openssl/dist/ssl/ssl_rsa.c vendor-crypto/openssl/dist/ssl/ssl_sess.c vendor-crypto/openssl/dist/ssl/ssltest.c vendor-crypto/openssl/dist/ssl/sslv2conftest.c vendor-crypto/openssl/dist/ssl/t1_enc.c vendor-crypto/openssl/dist/ssl/t1_lib.c vendor-crypto/openssl/dist/util/mk1mf.pl vendor-crypto/openssl/dist/util/mkerr.pl vendor-crypto/openssl/dist/util/ssleay.num Modified: vendor-crypto/openssl/dist/CHANGES ============================================================================== --- vendor-crypto/openssl/dist/CHANGES Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/CHANGES Thu Sep 22 13:04:03 2016 (r306189) 
@@ -2,6 +2,166 @@ OpenSSL CHANGES _______________ + Changes between 1.0.2h and 1.0.2i [22 Sep 2016] + + *) OCSP Status Request extension unbounded memory growth + + A malicious client can send an excessively large OCSP Status Request + extension. If that client continually requests renegotiation, sending a + large OCSP Status Request extension each time, then there will be unbounded + memory growth on the server. This will eventually lead to a Denial Of + Service attack through memory exhaustion. Servers with a default + configuration are vulnerable even if they do not support OCSP. Builds using + the "no-ocsp" build time option are not affected. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6304) + [Matt Caswell] + + *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from + HIGH to MEDIUM. + + This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan + Leurent (INRIA) + (CVE-2016-2183) + [Rich Salz] + + *) OOB write in MDC2_Update() + + An overflow can occur in MDC2_Update() either if called directly or + through the EVP_DigestUpdate() function using MDC2. If an attacker + is able to supply very large amounts of input data after a previous + call to EVP_EncryptUpdate() with a partial block then a length check + can overflow resulting in a heap corruption. + + The amount of data needed is comparable to SIZE_MAX which is impractical + on most platforms. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6303) + [Stephen Henson] + + *) Malformed SHA512 ticket DoS + + If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a + DoS attack where a malformed ticket will result in an OOB read which will + ultimately crash. + + The use of SHA512 in TLS session tickets is comparatively rare as it requires + a custom server callback and ticket lookup mechanism. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) 
+ (CVE-2016-6302) + [Stephen Henson] + + *) OOB write in BN_bn2dec() + + The function BN_bn2dec() does not check the return value of BN_div_word(). + This can cause an OOB write if an application uses this function with an + overly large BIGNUM. This could be a problem if an overly large certificate + or CRL is printed out from an untrusted source. TLS is not affected because + record limits will reject an oversized certificate before it is parsed. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-2182) + [Stephen Henson] + + *) OOB read in TS_OBJ_print_bio() + + The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is + the total length the OID text representation would use and not the amount + of data written. This will result in OOB reads when large OIDs are + presented. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-2180) + [Stephen Henson] + + *) Pointer arithmetic undefined behaviour + + Avoid some undefined pointer arithmetic + + A common idiom in the codebase is to check limits in the following manner: + "p + len > limit" + + Where "p" points to some malloc'd data of SIZE bytes and + limit == p + SIZE + + "len" here could be from some externally supplied data (e.g. from a TLS + message). + + The rules of C pointer arithmetic are such that "p + len" is only well + defined where len <= SIZE. Therefore the above idiom is actually + undefined behaviour. + + For example this could cause problems if some malloc implementation + provides an address for "p" such that "p + len" actually overflows for + values of len that are too big and therefore p + len < limit. + + This issue was reported to OpenSSL by Guido Vranken + (CVE-2016-2177) + [Matt Caswell] + + *) Constant time flag not preserved in DSA signing + + Operations in the DSA signing algorithm should run in constant time in + order to avoid side channel attacks. 
A flaw in the OpenSSL DSA + implementation means that a non-constant time codepath is followed for + certain operations. This has been demonstrated through a cache-timing + attack to be sufficient for an attacker to recover the private DSA key. + + This issue was reported by César Pereida (Aalto University), Billy Brumley + (Tampere University of Technology), and Yuval Yarom (The University of + Adelaide and NICTA). + (CVE-2016-2178) + [César Pereida] + + *) DTLS buffered message DoS + + In a DTLS connection where handshake messages are delivered out-of-order + those messages that OpenSSL is not yet ready to process will be buffered + for later use. Under certain circumstances, a flaw in the logic means that + those messages do not get removed from the buffer even though the handshake + has been completed. An attacker could force up to approx. 15 messages to + remain in the buffer when they are no longer required. These messages will + be cleared when the DTLS connection is closed. The default maximum size for + a message is 100k. Therefore the attacker could force an additional 1500k + to be consumed per connection. By opening many simulataneous connections an + attacker could cause a DoS attack through memory exhaustion. + + This issue was reported to OpenSSL by Quan Luo. + (CVE-2016-2179) + [Matt Caswell] + + *) DTLS replay protection DoS + + A flaw in the DTLS replay attack protection mechanism means that records + that arrive for future epochs update the replay protection "window" before + the MAC for the record has been validated. This could be exploited by an + attacker by sending a record for the next epoch (which does not have to + decrypt or have a valid MAC), with a very large sequence number. This means + that all subsequent legitimate packets are dropped causing a denial of + service for a specific DTLS connection. + + This issue was reported to OpenSSL by the OCAP audit team. 
+ (CVE-2016-2181) + [Matt Caswell] + + *) Certificate message OOB reads + + In OpenSSL 1.0.2 and earlier some missing message length checks can result + in OOB reads of up to 2 bytes beyond an allocated buffer. There is a + theoretical DoS risk but this has not been observed in practice on common + platforms. + + The messages affected are client certificate, client certificate request + and server certificate. As a result the attack can only be performed + against a client or a server which enables client authentication. + + This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.) + (CVE-2016-6306) + [Stephen Henson] + Changes between 1.0.2g and 1.0.2h [3 May 2016] *) Prevent padding oracle in AES-NI CBC MAC check Modified: vendor-crypto/openssl/dist/CONTRIBUTING ============================================================================== --- vendor-crypto/openssl/dist/CONTRIBUTING Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/CONTRIBUTING Thu Sep 22 13:04:03 2016 (r306189) 
@@ -1,38 +1,75 @@ -HOW TO CONTRIBUTE TO OpenSSL ----------------------------- +HOW TO CONTRIBUTE TO PATCHES OpenSSL +------------------------------------ -Development is coordinated on the openssl-dev mailing list (see -http://www.openssl.org for information on subscribing). If you -would like to submit a patch, send it to rt@openssl.org with -the string "[PATCH]" in the subject. Please be sure to include a -textual explanation of what your patch does. - -You can also make GitHub pull requests. If you do this, please also send -mail to rt@openssl.org with a brief description and a link to the PR so -that we can more easily keep track of it. +(Please visit https://www.openssl.org/community/getting-started.html for +other ideas about how to contribute.) +Development is coordinated on the openssl-dev mailing list (see the +above link or https://mta.openssl.org for information on subscribing). If you are unsure as to whether a feature will be useful for the general -OpenSSL community please discuss it on the openssl-dev mailing list first. -Someone may be already working on the same thing or there may be a good -reason as to why that feature isn't implemented. - -Patches should be as up to date as possible, preferably relative to the -current Git or the last snapshot. They should follow our coding style -(see https://www.openssl.org/policies/codingstyle.html) and compile without -warnings using the --strict-warnings flag. OpenSSL compiles on many varied -platforms: try to ensure you only use portable features. - -Our preferred format for patch files is "git format-patch" output. For example -to provide a patch file containing the last commit in your local git repository -use the following command: +OpenSSL community you might want to discuss it on the openssl-dev mailing +list first. Someone may be already working on the same thing or there +may be a good reason as to why that feature isn't implemented. 
+ +The best way to submit a patch is to make a pull request on GitHub. +(It is not necessary to send mail to rt@openssl.org to open a ticket!) +If you think the patch could use feedback from the community, please +start a thread on openssl-dev. + +You can also submit patches by sending it as mail to rt@openssl.org. +Please include the word "PATCH" and an explanation of what the patch +does in the subject line. If you do this, our preferred format is "git +format-patch" output. For example to provide a patch file containing the +last commit in your local git repository use the following command: -# git format-patch --stdout HEAD^ >mydiffs.patch + % git format-patch --stdout HEAD^ >mydiffs.patch Another method of creating an acceptable patch file without using git is as follows: -# cd openssl-work -# [your changes] -# ./Configure dist; make clean -# cd .. -# diff -ur openssl-orig openssl-work > mydiffs.patch + % cd openssl-work + ...make your changes... + % ./Configure dist; make clean + % cd .. + % diff -ur openssl-orig openssl-work >mydiffs.patch + +Note that pull requests are generally easier for the team, and community, to +work with. Pull requests benefit from all of the standard GitHub features, +including code review tools, simpler integration, and CI build support. + +No matter how a patch is submitted, the following items will help make +the acceptance and review process faster: + + 1. Anything other than trivial contributions will require a contributor + licensing agreement, giving us permission to use your code. See + https://www.openssl.org/policies/cla.html for details. + + 2. All source files should start with the following text (with + appropriate comment characters at the start of each line and the + year(s) updated): + + Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the OpenSSL license (the "License"). You may not use + this file except in compliance with the License. 
You can obtain a copy + in the file LICENSE in the source distribution or at + https://www.openssl.org/source/license.html + + 3. Patches should be as current as possible. When using GitHub, please + expect to have to rebase and update often. Note that we do not accept merge + commits. You will be asked to remove them before a patch is considered + acceptable. + + 4. Patches should follow our coding style (see + https://www.openssl.org/policies/codingstyle.html) and compile without + warnings. Where gcc or clang is availble you should use the + --strict-warnings Configure option. OpenSSL compiles on many varied + platforms: try to ensure you only use portable features. + + 5. When at all possible, patches should include tests. These can either be + added to an existing test, or completely new. Please see test/README + for information on the test framework. + + 6. New features or changed functionality must include documentation. Please + look at the "pod" files in doc/apps, doc/crypto and doc/ssl for examples of + our style. Modified: vendor-crypto/openssl/dist/Configure ============================================================================== --- vendor-crypto/openssl/dist/Configure Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/Configure Thu Sep 22 13:04:03 2016 (r306189) 
@@ -799,7 +799,7 @@ my @experimental = (); # This is what $depflags will look like with the above defaults # (we need this to see if we should advise the user to run "make depend"): -my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST"; +my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST -DOPENSSL_NO_WEAK_SSL_CIPHERS"; # Explicit "no-..." options will be collected in %disabled along with the defaults. # To remove something from %disabled, use "enable-foo" (unless it's experimental). @@ -1082,11 +1082,6 @@ if (defined($disabled{"md5"}) || defined $disabled{"tls1"} = "forced"; } -if (defined($disabled{"tls1"})) - { - $disabled{"tlsext"} = "forced"; - } - if (defined($disabled{"ec"}) || defined($disabled{"dsa"}) || defined($disabled{"dh"})) { @@ -1254,6 +1249,7 @@ my $shared_extension = $fields[$idx_shar my $ranlib = $ENV{'RANLIB'} || $fields[$idx_ranlib]; my $ar = $ENV{'AR'} || "ar"; my $arflags = $fields[$idx_arflags]; +my $windres = $ENV{'RC'} || $ENV{'WINDRES'} || "windres"; my $multilib = $fields[$idx_multilib]; # if $prefix/lib$multilib is not an existing directory, then @@ -1562,8 +1558,15 @@ $cpuid_obj="mem_clr.o" unless ($cpuid_ob $des_obj=$des_enc unless ($des_obj =~ /\.o$/); $bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/); $cast_obj=$cast_enc unless ($cast_obj =~ /\.o$/); -$rc4_obj=$rc4_enc unless ($rc4_obj =~ /\.o$/); $rc5_obj=$rc5_enc unless ($rc5_obj =~ /\.o$/); +if ($rc4_obj =~ /\.o$/) + { + $cflags.=" -DRC4_ASM"; + } +else + { + $rc4_obj=$rc4_enc; + } if ($sha1_obj =~ /\.o$/) { # $sha1_obj=$sha1_enc; 
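Review bot: `$default_depflags` in the `@@ -799,7 +799,7 @@` hunk is a hand-maintained copy of the defaults declared above the hunk, and nothing at the assignment says it must be edited whenever a default is added. This change appears to be catching the copy up, since `-DOPENSSL_NO_SSL2` and `-DOPENSSL_NO_WEAK_SSL_CIPHERS` were missing from it. Going by the existing comment, a stale string only affects whether the user is advised to run "make depend", so the drift is easy to miss. I would add a reminder above the assignment, for example `# keep in sync by hand with the default entries of %disabled; one -DOPENSSL_NO_* per default, sorted`.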
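Review bot: `my $windres = $ENV{'RC'} || $ENV{'WINDRES'} || "windres";` in the `@@ -1254,6 +1249,7 @@` hunk accepts an environment override, but the Makefile rewrite in the later `@@ -1717,12 +1720,14 @@` hunk uses it only in the `else` branch (`s/^RC=.*/RC= $windres/;`). The first branch only prefixes `$(CROSS_COMPILE)` to the `RC=` line already in the template, so `$windres` is never consulted there. The condition selecting that branch is outside the hunk; assuming it is the cross-compile case, an `RC` or `WINDRES` setting is silently dropped in that configuration. That mirrors how `AR` is handled, but it should be stated at the declaration, for example `# environment override is applied only in the non-$(CROSS_COMPILE) branch of the Makefile rewrite below`.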
@@ -1717,12 +1720,14 @@ while (<IN>) s/^AR=\s*/AR= \$\(CROSS_COMPILE\)/; s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/; s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/; + s/^RC=\s*/RC= \$\(CROSS_COMPILE\)/; s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $cc eq "gcc"; } else { s/^CC=.*$/CC= $cc/; s/^AR=\s*ar/AR= $ar/; s/^RANLIB=.*/RANLIB= $ranlib/; + s/^RC=.*/RC= $windres/; s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc"; s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $ecc eq "gcc" || $ecc eq "clang"; } Modified: vendor-crypto/openssl/dist/FREEBSD-Xlist ============================================================================== --- vendor-crypto/openssl/dist/FREEBSD-Xlist Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/FREEBSD-Xlist Thu Sep 22 13:04:03 2016 (r306189) @@ -26,7 +26,7 @@ openssl-*/apps/demoCA openssl-*/apps/demoSRP openssl-*/apps/md4.c openssl-*/apps/openssl-vms.cnf -openssl-*/apps/vms_decc_init.c +openssl-*/apps/vms_* openssl-*/apps/winrand.c openssl-*/bugs openssl-*/certs/demo Modified: vendor-crypto/openssl/dist/FREEBSD-upgrade ============================================================================== --- vendor-crypto/openssl/dist/FREEBSD-upgrade Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/FREEBSD-upgrade Thu Sep 22 13:04:03 2016 (r306189) @@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/Subv # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://repo.freebsd.org/base" -setenv OSSLVER 1.0.2h -# OSSLTAG format: v1_0_2h +setenv OSSLVER 1.0.2i +# OSSLTAG format: v1_0_2i ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` Modified: vendor-crypto/openssl/dist/Makefile ============================================================================== --- vendor-crypto/openssl/dist/Makefile Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/Makefile Thu Sep 22 13:04:03 2016 (r306189) 
@@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2h +VERSION=1.0.2i MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 @@ -68,6 +68,7 @@ EXE_EXT= ARFLAGS= AR= ar $(ARFLAGS) r RANLIB= /usr/bin/ranlib +RC= windres NM= nm PERL= /usr/bin/perl TAR= tar @@ -210,6 +211,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM) CC='$(CC)' CFLAG='$(CFLAG)' \ AS='$(CC)' ASFLAG='$(CFLAG) -c' \ AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \ + RC='$(RC)' \ CROSS_COMPILE='$(CROSS_COMPILE)' \ PERL='$(PERL)' ENGDIRS='$(ENGDIRS)' \ SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)' \ @@ -368,6 +370,7 @@ libcrypto.pc: Makefile echo 'exec_prefix=$${prefix}'; \ echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \ echo 'includedir=$${prefix}/include'; \ + echo 'enginesdir=$${libdir}/engines'; \ echo ''; \ echo 'Name: OpenSSL-libcrypto'; \ echo 'Description: OpenSSL cryptography library'; \ Modified: vendor-crypto/openssl/dist/Makefile.org ============================================================================== --- vendor-crypto/openssl/dist/Makefile.org Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/Makefile.org Thu Sep 22 13:04:03 2016 (r306189) @@ -66,6 +66,7 @@ EXE_EXT= ARFLAGS= AR=ar $(ARFLAGS) r RANLIB= ranlib +RC= windres NM= nm PERL= perl TAR= tar @@ -208,6 +209,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM) CC='$(CC)' CFLAG='$(CFLAG)' \ AS='$(CC)' ASFLAG='$(CFLAG) -c' \ AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \ + RC='$(RC)' \ CROSS_COMPILE='$(CROSS_COMPILE)' \ PERL='$(PERL)' ENGDIRS='$(ENGDIRS)' \ SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)' \ 
@@ -366,6 +368,7 @@ libcrypto.pc: Makefile echo 'exec_prefix=$${prefix}'; \ echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \ echo 'includedir=$${prefix}/include'; \ + echo 'enginesdir=$${libdir}/engines'; \ echo ''; \ echo 'Name: OpenSSL-libcrypto'; \ echo 'Description: OpenSSL cryptography library'; \ Modified: vendor-crypto/openssl/dist/Makefile.shared ============================================================================== --- vendor-crypto/openssl/dist/Makefile.shared Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/Makefile.shared Thu Sep 22 13:04:03 2016 (r306189) @@ -293,7 +293,7 @@ link_a.cygwin: fi; \ dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \ $(PERL) util/mkrc.pl $$dll_name | \ - $(CROSS_COMPILE)windres -o rc.o; \ + $(RC) -o rc.o; \ extras="$$extras rc.o"; \ ALLSYMSFLAGS='-Wl,--whole-archive'; \ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ Modified: vendor-crypto/openssl/dist/NEWS ============================================================================== --- vendor-crypto/openssl/dist/NEWS Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/NEWS Thu Sep 22 13:04:03 2016 (r306189) 
@@ -5,6 +5,20 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016] + + o OCSP Status Request extension unbounded memory growth (CVE-2016-6304) + o SWEET32 Mitigation (CVE-2016-2183) + o OOB write in MDC2_Update() (CVE-2016-6303) + o Malformed SHA512 ticket DoS (CVE-2016-6302) + o OOB write in BN_bn2dec() (CVE-2016-2182) + o OOB read in TS_OBJ_print_bio() (CVE-2016-2180) + o Pointer arithmetic undefined behaviour (CVE-2016-2177) + o Constant time flag not preserved in DSA signing (CVE-2016-2178) + o DTLS buffered message DoS (CVE-2016-2179) + o DTLS replay protection DoS (CVE-2016-2181) + o Certificate message OOB reads (CVE-2016-6306) + Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016] o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107) Modified: vendor-crypto/openssl/dist/README ============================================================================== --- vendor-crypto/openssl/dist/README Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/README Thu Sep 22 13:04:03 2016 (r306189) @@ -1,5 +1,5 @@ - OpenSSL 1.0.2h 3 May 2016 + OpenSSL 1.0.2i 22 Sep 2016 Copyright (c) 1998-2015 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: vendor-crypto/openssl/dist/apps/CA.pl ============================================================================== --- vendor-crypto/openssl/dist/apps/CA.pl Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/CA.pl Thu Sep 22 13:04:03 2016 (r306189) @@ -64,7 +64,7 @@ $RET = 0; foreach (@ARGV) { if ( /^(-\?|-h|-help)$/ ) { - print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; + print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n"; exit 0; } elsif (/^-newcert$/) { # create a certificate 
@@ -186,4 +186,3 @@ while (<IN>) { } } } - Modified: vendor-crypto/openssl/dist/apps/CA.pl.in ============================================================================== --- vendor-crypto/openssl/dist/apps/CA.pl.in Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/CA.pl.in Thu Sep 22 13:04:03 2016 (r306189) @@ -64,7 +64,7 @@ $RET = 0; foreach (@ARGV) { if ( /^(-\?|-h|-help)$/ ) { - print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n"; + print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n"; exit 0; } elsif (/^-newcert$/) { # create a certificate @@ -186,4 +186,3 @@ while (<IN>) { } } } - Modified: vendor-crypto/openssl/dist/apps/apps.c ============================================================================== --- vendor-crypto/openssl/dist/apps/apps.c Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/apps.c Thu Sep 22 13:04:03 2016 (r306189) @@ -215,7 +215,8 @@ int args_from_file(char *file, int *argc if (arg != NULL) OPENSSL_free(arg); arg = (char **)OPENSSL_malloc(sizeof(char *) * (i * 2)); - + if (arg == NULL) + return 0; *argv = arg; num = 0; p = buf; @@ -2374,6 +2375,8 @@ int args_verify(char ***pargs, int *parg flags |= X509_V_FLAG_PARTIAL_CHAIN; else if (!strcmp(arg, "-no_alt_chains")) flags |= X509_V_FLAG_NO_ALT_CHAINS; + else if (!strcmp(arg, "-allow_proxy_certs")) + flags |= X509_V_FLAG_ALLOW_PROXY_CERTS; else return 0; 
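Review bot: The new `-allow_proxy_certs` branch in args_verify() (second apps/apps.c hunk) loosens certificate verification but carries no comment, and nothing in the visible lines adds the option to any usage text. Because X509_V_FLAG_ALLOW_PROXY_CERTS makes the verifier accept proxy certificates that it rejects by default, I would add `/* opt-in only: proxy certificates are rejected unless the caller asks for them */` above the branch. Please also confirm that the help output of each command calling args_verify() lists the option. The function starts and ends outside this hunk, so existing help text may already cover it.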
@@ -3195,6 +3198,36 @@ int app_isdir(const char *name) #endif /* raw_read|write section */ +#if defined(__VMS) +# include "vms_term_sock.h" +static int stdin_sock = -1; + +static void close_stdin_sock(void) +{ + TerminalSocket (TERM_SOCK_DELETE, &stdin_sock); +} + +int fileno_stdin(void) +{ + if (stdin_sock == -1) { + TerminalSocket(TERM_SOCK_CREATE, &stdin_sock); + atexit(close_stdin_sock); + } + + return stdin_sock; +} +#else +int fileno_stdin(void) +{ + return fileno(stdin); +} +#endif + +int fileno_stdout(void) +{ + return fileno(stdout); +} + #if defined(_WIN32) && defined(STD_INPUT_HANDLE) int raw_read_stdin(void *buf, int siz) { @@ -3204,10 +3237,17 @@ int raw_read_stdin(void *buf, int siz) else return (-1); } +#elif defined(__VMS) +#include <sys/socket.h> + +int raw_read_stdin(void *buf, int siz) +{ + return recv(fileno_stdin(), buf, siz, 0); +} #else int raw_read_stdin(void *buf, int siz) { - return read(fileno(stdin), buf, siz); + return read(fileno_stdin(), buf, siz); } #endif @@ -3223,6 +3263,6 @@ int raw_write_stdout(const void *buf, in #else int raw_write_stdout(const void *buf, int siz) { - return write(fileno(stdout), buf, siz); + return write(fileno_stdout(), buf, siz); } #endif Modified: vendor-crypto/openssl/dist/apps/apps.h ============================================================================== --- vendor-crypto/openssl/dist/apps/apps.h Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/apps.h Thu Sep 22 13:04:03 2016 (r306189) 
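Review bot: In the `__VMS` variant of fileno_stdin() nothing checks whether `TerminalSocket(TERM_SOCK_CREATE, &stdin_sock)` actually produced a socket. If `stdin_sock` is still -1 afterwards, every later call retries the creation and registers `close_stdin_sock` with atexit() again, and the `__VMS` raw_read_stdin() added in the next hunk passes -1 to recv(). Register the handler only once the socket exists, `if (stdin_sock != -1) atexit(close_stdin_sock);`, and let callers treat a -1 return as an error. The return value of atexit() is ignored as well.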
@@ -375,6 +375,8 @@ void store_setup_crl_download(X509_STORE # define SERIAL_RAND_BITS 64 int app_isdir(const char *); +int fileno_stdin(void); +int fileno_stdout(void); int raw_read_stdin(void *, int); int raw_write_stdout(const void *, int); Modified: vendor-crypto/openssl/dist/apps/ca.c ============================================================================== --- vendor-crypto/openssl/dist/apps/ca.c Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/ca.c Thu Sep 22 13:04:03 2016 (r306189) @@ -2103,25 +2103,23 @@ static int do_body(X509 **xret, EVP_PKEY goto err; /* We now just add it to the database */ - row[DB_type] = (char *)OPENSSL_malloc(2); - tm = X509_get_notAfter(ret); - row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1); - memcpy(row[DB_exp_date], tm->data, tm->length); - row[DB_exp_date][tm->length] = '\0'; - - row[DB_rev_date] = NULL; - - /* row[DB_serial] done already */ - row[DB_file] = (char *)OPENSSL_malloc(8); + row[DB_type] = OPENSSL_malloc(2); + row[DB_exp_date] = OPENSSL_malloc(tm->length + 1); + row[DB_rev_date] = OPENSSL_malloc(1); + row[DB_file] = OPENSSL_malloc(8); row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0); - if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || + (row[DB_rev_date] == NULL) || (row[DB_file] == NULL) || (row[DB_name] == NULL)) { BIO_printf(bio_err, "Memory allocation failure\n"); goto err; } - BUF_strlcpy(row[DB_file], "unknown", 8); + + memcpy(row[DB_exp_date], tm->data, tm->length); + row[DB_exp_date][tm->length] = '\0'; + row[DB_rev_date][0] = '\0'; + strcpy(row[DB_file], "unknown"); row[DB_type][0] = 'V'; row[DB_type][1] = '\0'; 
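Review bot: `strcpy(row[DB_file], "unknown")` in do_body() is safe only because the literal happens to need exactly the 8 bytes requested by `OPENSSL_malloc(8)` a few lines earlier, and the hunk drops the bounded `BUF_strlcpy` call that made the limit explicit. Tie the size to the string, for example `row[DB_file] = OPENSSL_malloc(sizeof("unknown"));` followed by `memcpy(row[DB_file], "unknown", sizeof("unknown"));`, so that editing the text cannot overflow the allocation. The bare `2` and `1` sizes for `DB_type` and `DB_rev_date` deserve a short comment for the same reason. do_body() starts and ends outside this hunk.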
@@ -2307,6 +2305,7 @@ static int certify_spkac(X509 **xret, ch j = NETSCAPE_SPKI_verify(spki, pktmp); if (j <= 0) { + EVP_PKEY_free(pktmp); BIO_printf(bio_err, "signature verification failed on SPKAC public key\n"); goto err; Modified: vendor-crypto/openssl/dist/apps/dgst.c ============================================================================== --- vendor-crypto/openssl/dist/apps/dgst.c Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/dgst.c Thu Sep 22 13:04:03 2016 (r306189) @@ -243,6 +243,11 @@ int MAIN(int argc, char **argv) argv++; } + if (keyfile != NULL && argc > 1) { + BIO_printf(bio_err, "Can only sign or verify one file\n"); + goto end; + } + if (do_verify && !sigfile) { BIO_printf(bio_err, "No signature to verify: use the -signature option\n"); Modified: vendor-crypto/openssl/dist/apps/enc.c ============================================================================== --- vendor-crypto/openssl/dist/apps/enc.c Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/enc.c Thu Sep 22 13:04:03 2016 (r306189) @@ -509,7 +509,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "invalid hex salt value\n"); goto end; } - } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0) + } else if (RAND_bytes(salt, sizeof salt) <= 0) goto end; /* * If -P option then don't bother writing Modified: vendor-crypto/openssl/dist/apps/passwd.c ============================================================================== --- vendor-crypto/openssl/dist/apps/passwd.c Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/passwd.c Thu Sep 22 13:04:03 2016 (r306189) @@ -416,7 +416,7 @@ static int do_passwd(int passed_salt, ch if (*salt_malloc_p == NULL) goto err; } - if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0) + if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0) goto err; (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */ (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */ 
@@ -437,7 +437,7 @@ static int do_passwd(int passed_salt, ch if (*salt_malloc_p == NULL) goto err; } - if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0) + if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0) goto err; for (i = 0; i < 8; i++) Modified: vendor-crypto/openssl/dist/apps/pkcs12.c ============================================================================== --- vendor-crypto/openssl/dist/apps/pkcs12.c Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/pkcs12.c Thu Sep 22 13:04:03 2016 (r306189) @@ -832,6 +832,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1 EVP_PKEY *pkey; PKCS8_PRIV_KEY_INFO *p8; X509 *x509; + int ret = 0; switch (M_PKCS12_bag_type(bag)) { case NID_keyBag: @@ -844,7 +845,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1 if (!(pkey = EVP_PKCS82PKEY(p8))) return 0; print_attribs(out, p8->attributes, "Key Attributes"); - PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass); + ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass); EVP_PKEY_free(pkey); break; @@ -864,7 +865,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1 } print_attribs(out, p8->attributes, "Key Attributes"); PKCS8_PRIV_KEY_INFO_free(p8); - PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass); + ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass); EVP_PKEY_free(pkey); break; @@ -884,7 +885,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1 if (!(x509 = PKCS12_certbag2x509(bag))) return 0; dump_cert_text(out, x509); - PEM_write_bio_X509(out, x509); + ret = PEM_write_bio_X509(out, x509); X509_free(x509); break; @@ -902,7 +903,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1 return 1; break; } - return 1; + return ret; } /* Given a single certificate return a verified chain or NULL if error */ 
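Review bot: dump_certs_pkeys_bag() now returns the result of the PEM write for key and certificate bags, while other paths visible in these hunks still return 0 or 1 directly, and no comment states the resulting contract. With `int ret = 0;` as the default, any case that reaches `break` without assigning `ret` reports failure, which is easy to miss when a bag type is added. I would add a header comment such as `/* Returns 1 if the bag was written or deliberately skipped, 0 on error. */` and a one-line note at the `ret` declaration. The function body is only partly visible here.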
@@ -931,16 +932,70 @@ static int get_cert_chain(X509 *cert, X5 int alg_print(BIO *x, X509_ALGOR *alg) { - PBEPARAM *pbe; - const unsigned char *p; - p = alg->parameter->value.sequence->data; - pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length); - if (!pbe) - return 1; - BIO_printf(bio_err, "%s, Iteration %ld\n", - OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)), - ASN1_INTEGER_get(pbe->iter)); - PBEPARAM_free(pbe); + int pbenid, aparamtype; + ASN1_OBJECT *aoid; + void *aparam; + PBEPARAM *pbe = NULL; + + X509_ALGOR_get0(&aoid, &aparamtype, &aparam, alg); + + pbenid = OBJ_obj2nid(aoid); + + BIO_printf(x, "%s", OBJ_nid2ln(pbenid)); + + /* + * If PBE algorithm is PBES2 decode algorithm parameters + * for additional details. + */ + if (pbenid == NID_pbes2) { + PBE2PARAM *pbe2 = NULL; + int encnid; + if (aparamtype == V_ASN1_SEQUENCE) + pbe2 = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBE2PARAM)); + if (pbe2 == NULL) { + BIO_puts(x, "<unsupported parameters>"); + goto done; + } + X509_ALGOR_get0(&aoid, &aparamtype, &aparam, pbe2->keyfunc); + pbenid = OBJ_obj2nid(aoid); + X509_ALGOR_get0(&aoid, NULL, NULL, pbe2->encryption); + encnid = OBJ_obj2nid(aoid); + BIO_printf(x, ", %s, %s", OBJ_nid2ln(pbenid), + OBJ_nid2sn(encnid)); + /* If KDF is PBKDF2 decode parameters */ + if (pbenid == NID_id_pbkdf2) { + PBKDF2PARAM *kdf = NULL; + int prfnid; + if (aparamtype == V_ASN1_SEQUENCE) + kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBKDF2PARAM)); + if (kdf == NULL) { + BIO_puts(x, "<unsupported parameters>"); + goto done; + } + + if (kdf->prf == NULL) { + prfnid = NID_hmacWithSHA1; + } else { + X509_ALGOR_get0(&aoid, NULL, NULL, kdf->prf); + prfnid = OBJ_obj2nid(aoid); + } + BIO_printf(x, ", Iteration %ld, PRF %s", + ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid)); + PBKDF2PARAM_free(kdf); + } + PBE2PARAM_free(pbe2); + } else { + if (aparamtype == V_ASN1_SEQUENCE) + pbe = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBEPARAM)); + if (pbe == NULL) { + BIO_puts(x, "<unsupported 
parameters>"); + goto done; + } + BIO_printf(x, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter)); + PBEPARAM_free(pbe); + } + done: + BIO_puts(x, "\n"); return 1; } Modified: vendor-crypto/openssl/dist/apps/req.c ============================================================================== --- vendor-crypto/openssl/dist/apps/req.c Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/req.c Thu Sep 22 13:04:03 2016 (r306189) @@ -332,9 +332,10 @@ int MAIN(int argc, char **argv) subject = 1; else if (strcmp(*argv, "-text") == 0) text = 1; - else if (strcmp(*argv, "-x509") == 0) + else if (strcmp(*argv, "-x509") == 0) { + newreq = 1; x509 = 1; - else if (strcmp(*argv, "-asn1-kludge") == 0) + } else if (strcmp(*argv, "-asn1-kludge") == 0) kludge = 1; else if (strcmp(*argv, "-no-asn1-kludge") == 0) kludge = 0; @@ -756,7 +757,7 @@ int MAIN(int argc, char **argv) } } - if (newreq || x509) { + if (newreq) { if (pkey == NULL) { BIO_printf(bio_err, "you need to specify a private key\n"); goto end; @@ -1331,12 +1332,11 @@ static int auto_info(X509_REQ *req, STAC break; } #ifndef CHARSET_EBCDIC - if (*p == '+') + if (*type == '+') { #else - if (*p == os_toascii['+']) + if (*type == os_toascii['+']) { #endif - { - p++; + type++; mval = -1; } else mval = 0; Modified: vendor-crypto/openssl/dist/apps/s_apps.h ============================================================================== --- vendor-crypto/openssl/dist/apps/s_apps.h Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/s_apps.h Thu Sep 22 13:04:03 2016 (r306189) 
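Review bot: alg_print() leaks `pbe2` when the PBKDF2 parameters cannot be decoded. The `kdf == NULL` branch does `goto done`, and the `done:` label only writes the newline, so the `PBE2PARAM_free(pbe2)` further down is skipped. Adding `PBE2PARAM_free(pbe2);` immediately before that `goto done;` closes the path. The parameters presumably come from the PKCS#12 file being inspected, so malformed input can reach this branch. Separately, the output moved from `bio_err` to the `x` argument, which is worth a line in a function comment.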
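Review bot: Setting `newreq = 1` for `-x509` in the option loop changes more than the private-key check that the second hunk reduces to `if (newreq)`: every other `newreq` test in MAIN(), all outside these hunks, now also fires for `-x509`. If one of them decides whether an existing request given with `-in` is read, `-x509 -in file` would presumably generate a fresh request instead, so that combination should be confirmed and covered by a test. A comment on the branch, e.g. `/* -x509 implies -new */`, would make the coupling explicit.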
@@ -199,7 +199,8 @@ int load_excert(SSL_EXCERT **pexc, BIO * void print_ssl_summary(BIO *bio, SSL *s); #ifdef HEADER_SSL_H int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, - int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr); + int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr, + int *no_prot_opt); int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake); int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, Modified: vendor-crypto/openssl/dist/apps/s_cb.c ============================================================================== --- vendor-crypto/openssl/dist/apps/s_cb.c Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/s_cb.c Thu Sep 22 13:04:03 2016 (r306189) @@ -1507,11 +1507,18 @@ void print_ssl_summary(BIO *bio, SSL *s) } int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, - int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr) + int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr, + int *no_prot_opt) { char *arg = **pargs, *argn = (*pargs)[1]; int rv; + if (strcmp(arg, "-no_ssl2") == 0 || strcmp(arg, "-no_ssl3") == 0 + || strcmp(arg, "-no_tls1") == 0 || strcmp(arg, "-no_tls1_1") == 0 + || strcmp(arg, "-no_tls1_2") == 0) { + *no_prot_opt = 1; + } + /* Attempt to run SSL configuration command */ rv = SSL_CONF_cmd_argv(cctx, pargc, pargs); /* If parameter not recognised just return */ Modified: vendor-crypto/openssl/dist/apps/s_client.c ============================================================================== --- vendor-crypto/openssl/dist/apps/s_client.c Thu Sep 22 12:53:11 2016 (r306188) +++ vendor-crypto/openssl/dist/apps/s_client.c Thu Sep 22 13:04:03 2016 (r306189) @@ -242,9 +242,9 @@ static unsigned int psk_client_cb(SSL *s unsigned char *psk, unsigned int max_psk_len) { - unsigned int psk_len = 0; int ret; - BIGNUM *bn = NULL; + long key_len; + unsigned char *key; if (c_debug) BIO_printf(bio_c_out, "psk_client_cb\n"); 
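Review bot: args_ssl() stores through the new `no_prot_opt` argument without checking it for NULL, and neither this definition nor the prototype in s_apps.h says what the parameter means. From the visible lines it is an output flag set to 1 when `arg` is one of the `-no_ssl2` to `-no_tls1_2` options and never cleared, so callers must initialise it. Document that with `/* *no_prot_opt is set to 1 if a -no_<protocol> option is seen; it is never reset here */`. The names are matched before SSL_CONF_cmd_argv() has processed the argument, so the flag is set even if that call then fails. The function continues past the end of the hunk.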
@@ -265,32 +265,29 @@ static unsigned int psk_client_cb(SSL *s if (c_debug) BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret); - ret = BN_hex2bn(&bn, psk_key); - if (!ret) { - BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n", + + /* convert the PSK key to binary */ + key = string_to_hex(psk_key, &key_len); + if (key == NULL) { + BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n", psk_key); - if (bn) - BN_free(bn); return 0; } - - if ((unsigned int)BN_num_bytes(bn) > max_psk_len) { + if ((unsigned long)key_len > (unsigned long)max_psk_len) { BIO_printf(bio_err, - "psk buffer of callback is too small (%d) for key (%d)\n", - max_psk_len, BN_num_bytes(bn)); - BN_free(bn); + "psk buffer of callback is too small (%d) for key (%ld)\n", + max_psk_len, key_len); + OPENSSL_free(key); return 0; } - psk_len = BN_bn2bin(bn, psk); - BN_free(bn); - if (psk_len == 0) - goto out_err; + memcpy(psk, key, key_len); + OPENSSL_free(key); if (c_debug) - BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len); + BIO_printf(bio_c_out, "created PSK len=%ld\n", key_len); - return psk_len; + return key_len; out_err: if (c_debug) BIO_printf(bio_err, "Error in PSK client callback\n"); @@ -747,6 +744,7 @@ int MAIN(int argc, char **argv) int crl_format = FORMAT_PEM; int crl_download = 0; STACK_OF(X509_CRL) *crls = NULL; + int prot_opt = 0, no_prot_opt = 0; meth = SSLv23_client_method(); @@ -850,7 +848,8 @@ int MAIN(int argc, char **argv) if (badarg) goto bad; continue; - } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) { + } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args, + &no_prot_opt)) { if (badarg) goto bad; continue; 
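Review bot: The temporary buffer returned by `string_to_hex()` in psk_client_cb() holds the raw pre-shared key and is released with a plain `OPENSSL_free(key)` on both the too-long path and the success path, so the key bytes remain in freed heap memory. Wipe it first: `OPENSSL_cleanse(key, key_len); OPENSSL_free(key);`. The new error message also prints `psk_key` itself to `bio_err`; `"Could not convert PSK key to buffer\n"` reports the same failure without echoing the secret. `max_psk_len` is `unsigned int` but is formatted with `%d`, where `%u` matches. The function starts before and ends after this hunk.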
@@ -942,31 +941,42 @@ int MAIN(int argc, char **argv) } #endif #ifndef OPENSSL_NO_SSL2 - else if (strcmp(*argv, "-ssl2") == 0) + else if (strcmp(*argv, "-ssl2") == 0) { meth = SSLv2_client_method(); + prot_opt++; + } #endif #ifndef OPENSSL_NO_SSL3_METHOD - else if (strcmp(*argv, "-ssl3") == 0) + else if (strcmp(*argv, "-ssl3") == 0) { meth = SSLv3_client_method(); + prot_opt++; + } #endif #ifndef OPENSSL_NO_TLS1 - else if (strcmp(*argv, "-tls1_2") == 0) + else if (strcmp(*argv, "-tls1_2") == 0) { meth = TLSv1_2_client_method(); - else if (strcmp(*argv, "-tls1_1") == 0) + prot_opt++; + } else if (strcmp(*argv, "-tls1_1") == 0) { meth = TLSv1_1_client_method(); - else if (strcmp(*argv, "-tls1") == 0) + prot_opt++; + } else if (strcmp(*argv, "-tls1") == 0) { meth = TLSv1_client_method(); + prot_opt++; + } #endif #ifndef OPENSSL_NO_DTLS1 else if (strcmp(*argv, "-dtls") == 0) { *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***