svn commit: r306189 - in vendor-crypto/openssl/dist: . apps crypto crypto/aes/asm crypto/asn1 crypto/bio crypto/bn crypto/bn/asm crypto/cms crypto/comp crypto/conf crypto/des crypto/des/asm crypto/...
Jung-uk Kim
jkim at FreeBSD.org
Thu Sep 22 13:04:07 UTC 2016
Author: jkim
Date: Thu Sep 22 13:04:03 2016
New Revision: 306189
URL: https://svnweb.freebsd.org/changeset/base/306189
Log:
Import OpenSSL 1.0.2i.
Added:
vendor-crypto/openssl/dist/doc/crypto/d2i_PrivateKey.pod
vendor-crypto/openssl/dist/ssl/bad_dtls_test.c (contents, props changed)
vendor-crypto/openssl/dist/ssl/dtlstest.c (contents, props changed)
Modified:
vendor-crypto/openssl/dist/CHANGES
vendor-crypto/openssl/dist/CONTRIBUTING
vendor-crypto/openssl/dist/Configure
vendor-crypto/openssl/dist/FREEBSD-Xlist
vendor-crypto/openssl/dist/FREEBSD-upgrade
vendor-crypto/openssl/dist/Makefile
vendor-crypto/openssl/dist/Makefile.org
vendor-crypto/openssl/dist/Makefile.shared
vendor-crypto/openssl/dist/NEWS
vendor-crypto/openssl/dist/README
vendor-crypto/openssl/dist/apps/CA.pl
vendor-crypto/openssl/dist/apps/CA.pl.in
vendor-crypto/openssl/dist/apps/apps.c
vendor-crypto/openssl/dist/apps/apps.h
vendor-crypto/openssl/dist/apps/ca.c
vendor-crypto/openssl/dist/apps/dgst.c
vendor-crypto/openssl/dist/apps/enc.c
vendor-crypto/openssl/dist/apps/passwd.c
vendor-crypto/openssl/dist/apps/pkcs12.c
vendor-crypto/openssl/dist/apps/req.c
vendor-crypto/openssl/dist/apps/s_apps.h
vendor-crypto/openssl/dist/apps/s_cb.c
vendor-crypto/openssl/dist/apps/s_client.c
vendor-crypto/openssl/dist/apps/s_server.c
vendor-crypto/openssl/dist/apps/speed.c
vendor-crypto/openssl/dist/apps/srp.c
vendor-crypto/openssl/dist/apps/verify.c
vendor-crypto/openssl/dist/apps/x509.c
vendor-crypto/openssl/dist/crypto/LPdir_unix.c
vendor-crypto/openssl/dist/crypto/aes/asm/bsaes-armv7.pl
vendor-crypto/openssl/dist/crypto/asn1/a_bytes.c
vendor-crypto/openssl/dist/crypto/asn1/a_object.c
vendor-crypto/openssl/dist/crypto/asn1/a_set.c
vendor-crypto/openssl/dist/crypto/asn1/a_strex.c
vendor-crypto/openssl/dist/crypto/asn1/a_strnid.c
vendor-crypto/openssl/dist/crypto/asn1/ameth_lib.c
vendor-crypto/openssl/dist/crypto/asn1/asn1_lib.c
vendor-crypto/openssl/dist/crypto/asn1/asn_mime.c
vendor-crypto/openssl/dist/crypto/asn1/bio_asn1.c
vendor-crypto/openssl/dist/crypto/asn1/bio_ndef.c
vendor-crypto/openssl/dist/crypto/asn1/charmap.pl
vendor-crypto/openssl/dist/crypto/asn1/d2i_pr.c
vendor-crypto/openssl/dist/crypto/asn1/f_enum.c
vendor-crypto/openssl/dist/crypto/asn1/f_int.c
vendor-crypto/openssl/dist/crypto/asn1/f_string.c
vendor-crypto/openssl/dist/crypto/asn1/i2d_pr.c
vendor-crypto/openssl/dist/crypto/asn1/p5_pbe.c
vendor-crypto/openssl/dist/crypto/asn1/p5_pbev2.c
vendor-crypto/openssl/dist/crypto/asn1/t_req.c
vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c
vendor-crypto/openssl/dist/crypto/asn1/tasn_enc.c
vendor-crypto/openssl/dist/crypto/asn1/tasn_prn.c
vendor-crypto/openssl/dist/crypto/asn1/tasn_utl.c
vendor-crypto/openssl/dist/crypto/asn1/x_bignum.c
vendor-crypto/openssl/dist/crypto/asn1/x_name.c
vendor-crypto/openssl/dist/crypto/asn1/x_x509.c
vendor-crypto/openssl/dist/crypto/bio/b_print.c
vendor-crypto/openssl/dist/crypto/bio/bf_nbio.c
vendor-crypto/openssl/dist/crypto/bio/bio.h
vendor-crypto/openssl/dist/crypto/bio/bss_bio.c
vendor-crypto/openssl/dist/crypto/bio/bss_file.c
vendor-crypto/openssl/dist/crypto/bio/bss_rtcp.c
vendor-crypto/openssl/dist/crypto/bn/asm/x86-mont.pl
vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-gcc.c
vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont.pl
vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont5.pl
vendor-crypto/openssl/dist/crypto/bn/bn.h
vendor-crypto/openssl/dist/crypto/bn/bn_div.c
vendor-crypto/openssl/dist/crypto/bn/bn_lib.c
vendor-crypto/openssl/dist/crypto/bn/bn_print.c
vendor-crypto/openssl/dist/crypto/bn/bn_rand.c
vendor-crypto/openssl/dist/crypto/bn/bn_word.c
vendor-crypto/openssl/dist/crypto/bn/bntest.c
vendor-crypto/openssl/dist/crypto/cms/cms_enc.c
vendor-crypto/openssl/dist/crypto/cms/cms_ess.c
vendor-crypto/openssl/dist/crypto/cms/cms_lib.c
vendor-crypto/openssl/dist/crypto/cms/cms_pwri.c
vendor-crypto/openssl/dist/crypto/comp/comp.h
vendor-crypto/openssl/dist/crypto/conf/conf_def.h
vendor-crypto/openssl/dist/crypto/conf/conf_mod.c
vendor-crypto/openssl/dist/crypto/conf/keysets.pl
vendor-crypto/openssl/dist/crypto/des/asm/dest4-sparcv9.pl
vendor-crypto/openssl/dist/crypto/des/des.c
vendor-crypto/openssl/dist/crypto/des/enc_writ.c
vendor-crypto/openssl/dist/crypto/dh/dh_ameth.c
vendor-crypto/openssl/dist/crypto/dsa/dsa_ameth.c
vendor-crypto/openssl/dist/crypto/dsa/dsa_gen.c
vendor-crypto/openssl/dist/crypto/dsa/dsa_ossl.c
vendor-crypto/openssl/dist/crypto/ec/Makefile
vendor-crypto/openssl/dist/crypto/ec/asm/ecp_nistz256-x86_64.pl
vendor-crypto/openssl/dist/crypto/ec/ec_ameth.c
vendor-crypto/openssl/dist/crypto/ec/ec_key.c
vendor-crypto/openssl/dist/crypto/ec/ecp_nistz256.c
vendor-crypto/openssl/dist/crypto/engine/eng_cryptodev.c
vendor-crypto/openssl/dist/crypto/evp/bio_enc.c
vendor-crypto/openssl/dist/crypto/evp/bio_ok.c
vendor-crypto/openssl/dist/crypto/evp/c_all.c
vendor-crypto/openssl/dist/crypto/evp/digest.c
vendor-crypto/openssl/dist/crypto/evp/e_rc4_hmac_md5.c
vendor-crypto/openssl/dist/crypto/evp/e_seed.c
vendor-crypto/openssl/dist/crypto/evp/evp_enc.c
vendor-crypto/openssl/dist/crypto/evp/evp_test.c
vendor-crypto/openssl/dist/crypto/evp/openbsd_hw.c
vendor-crypto/openssl/dist/crypto/evp/p_lib.c
vendor-crypto/openssl/dist/crypto/evp/pmeth_gn.c
vendor-crypto/openssl/dist/crypto/evp/pmeth_lib.c
vendor-crypto/openssl/dist/crypto/hmac/hmac.c
vendor-crypto/openssl/dist/crypto/jpake/jpake.c
vendor-crypto/openssl/dist/crypto/lhash/lhash.c
vendor-crypto/openssl/dist/crypto/md2/md2_dgst.c
vendor-crypto/openssl/dist/crypto/md32_common.h
vendor-crypto/openssl/dist/crypto/mdc2/mdc2dgst.c
vendor-crypto/openssl/dist/crypto/mem.c
vendor-crypto/openssl/dist/crypto/mem_clr.c
vendor-crypto/openssl/dist/crypto/modes/asm/ghash-sparcv9.pl
vendor-crypto/openssl/dist/crypto/o_init.c
vendor-crypto/openssl/dist/crypto/o_time.c
vendor-crypto/openssl/dist/crypto/objects/o_names.c
vendor-crypto/openssl/dist/crypto/ocsp/ocsp_cl.c
vendor-crypto/openssl/dist/crypto/ocsp/ocsp_ext.c
vendor-crypto/openssl/dist/crypto/ocsp/ocsp_lib.c
vendor-crypto/openssl/dist/crypto/opensslv.h
vendor-crypto/openssl/dist/crypto/ossl_typ.h
vendor-crypto/openssl/dist/crypto/pem/pem.h
vendor-crypto/openssl/dist/crypto/pem/pem_err.c
vendor-crypto/openssl/dist/crypto/pem/pem_lib.c
vendor-crypto/openssl/dist/crypto/pem/pvkfmt.c
vendor-crypto/openssl/dist/crypto/perlasm/sparcv9_modes.pl
vendor-crypto/openssl/dist/crypto/pkcs12/p12_mutl.c
vendor-crypto/openssl/dist/crypto/pkcs12/p12_npas.c
vendor-crypto/openssl/dist/crypto/pkcs12/p12_utl.c
vendor-crypto/openssl/dist/crypto/pkcs12/pkcs12.h
vendor-crypto/openssl/dist/crypto/pkcs7/pk7_doit.c
vendor-crypto/openssl/dist/crypto/rand/md_rand.c
vendor-crypto/openssl/dist/crypto/rand/rand_unix.c
vendor-crypto/openssl/dist/crypto/rand/randfile.c
vendor-crypto/openssl/dist/crypto/rsa/rsa_ameth.c
vendor-crypto/openssl/dist/crypto/rsa/rsa_chk.c
vendor-crypto/openssl/dist/crypto/rsa/rsa_lib.c
vendor-crypto/openssl/dist/crypto/rsa/rsa_pmeth.c
vendor-crypto/openssl/dist/crypto/sha/asm/sha1-x86_64.pl
vendor-crypto/openssl/dist/crypto/sparccpuid.S
vendor-crypto/openssl/dist/crypto/srp/srp_lib.c
vendor-crypto/openssl/dist/crypto/srp/srp_vfy.c
vendor-crypto/openssl/dist/crypto/ts/ts.h
vendor-crypto/openssl/dist/crypto/ts/ts_lib.c
vendor-crypto/openssl/dist/crypto/ts/ts_rsp_verify.c
vendor-crypto/openssl/dist/crypto/ui/ui_lib.c
vendor-crypto/openssl/dist/crypto/whrlpool/wp_dgst.c
vendor-crypto/openssl/dist/crypto/x509/by_dir.c
vendor-crypto/openssl/dist/crypto/x509/x509.h
vendor-crypto/openssl/dist/crypto/x509/x509_att.c
vendor-crypto/openssl/dist/crypto/x509/x509_err.c
vendor-crypto/openssl/dist/crypto/x509/x509_obj.c
vendor-crypto/openssl/dist/crypto/x509/x509_r2x.c
vendor-crypto/openssl/dist/crypto/x509/x509_txt.c
vendor-crypto/openssl/dist/crypto/x509/x509_vfy.c
vendor-crypto/openssl/dist/crypto/x509/x509_vfy.h
vendor-crypto/openssl/dist/crypto/x509/x509spki.c
vendor-crypto/openssl/dist/crypto/x509v3/v3_addr.c
vendor-crypto/openssl/dist/crypto/x509v3/v3_alt.c
vendor-crypto/openssl/dist/crypto/x509v3/v3_conf.c
vendor-crypto/openssl/dist/doc/apps/cms.pod
vendor-crypto/openssl/dist/doc/apps/s_client.pod
vendor-crypto/openssl/dist/doc/apps/s_server.pod
vendor-crypto/openssl/dist/doc/apps/smime.pod
vendor-crypto/openssl/dist/doc/apps/verify.pod
vendor-crypto/openssl/dist/doc/apps/x509.pod
vendor-crypto/openssl/dist/doc/apps/x509v3_config.pod
vendor-crypto/openssl/dist/doc/crypto/BIO_s_bio.pod
vendor-crypto/openssl/dist/doc/crypto/BN_bn2bin.pod
vendor-crypto/openssl/dist/doc/crypto/BN_rand.pod
vendor-crypto/openssl/dist/doc/crypto/EVP_EncryptInit.pod
vendor-crypto/openssl/dist/doc/crypto/EVP_PKEY_cmp.pod
vendor-crypto/openssl/dist/doc/crypto/OBJ_nid2obj.pod
vendor-crypto/openssl/dist/doc/crypto/OPENSSL_config.pod
vendor-crypto/openssl/dist/doc/crypto/OPENSSL_ia32cap.pod
vendor-crypto/openssl/dist/doc/crypto/X509_verify_cert.pod
vendor-crypto/openssl/dist/doc/crypto/d2i_X509.pod
vendor-crypto/openssl/dist/doc/crypto/hmac.pod
vendor-crypto/openssl/dist/doc/crypto/rand.pod
vendor-crypto/openssl/dist/doc/crypto/ui.pod
vendor-crypto/openssl/dist/engines/ccgost/gost2001.c
vendor-crypto/openssl/dist/engines/ccgost/gost2001_keyx.c
vendor-crypto/openssl/dist/engines/ccgost/gost94_keyx.c
vendor-crypto/openssl/dist/engines/ccgost/gost_ameth.c
vendor-crypto/openssl/dist/engines/ccgost/gost_pmeth.c
vendor-crypto/openssl/dist/engines/e_4758cca.c
vendor-crypto/openssl/dist/engines/e_aep.c
vendor-crypto/openssl/dist/engines/e_capi.c
vendor-crypto/openssl/dist/engines/e_chil.c
vendor-crypto/openssl/dist/ssl/Makefile
vendor-crypto/openssl/dist/ssl/d1_both.c
vendor-crypto/openssl/dist/ssl/d1_clnt.c
vendor-crypto/openssl/dist/ssl/d1_lib.c
vendor-crypto/openssl/dist/ssl/d1_pkt.c
vendor-crypto/openssl/dist/ssl/d1_srvr.c
vendor-crypto/openssl/dist/ssl/s23_clnt.c
vendor-crypto/openssl/dist/ssl/s2_clnt.c
vendor-crypto/openssl/dist/ssl/s2_srvr.c
vendor-crypto/openssl/dist/ssl/s3_both.c
vendor-crypto/openssl/dist/ssl/s3_clnt.c
vendor-crypto/openssl/dist/ssl/s3_enc.c
vendor-crypto/openssl/dist/ssl/s3_lib.c
vendor-crypto/openssl/dist/ssl/s3_pkt.c
vendor-crypto/openssl/dist/ssl/s3_srvr.c
vendor-crypto/openssl/dist/ssl/ssl.h
vendor-crypto/openssl/dist/ssl/ssl_asn1.c
vendor-crypto/openssl/dist/ssl/ssl_ciph.c
vendor-crypto/openssl/dist/ssl/ssl_err.c
vendor-crypto/openssl/dist/ssl/ssl_lib.c
vendor-crypto/openssl/dist/ssl/ssl_locl.h
vendor-crypto/openssl/dist/ssl/ssl_rsa.c
vendor-crypto/openssl/dist/ssl/ssl_sess.c
vendor-crypto/openssl/dist/ssl/ssltest.c
vendor-crypto/openssl/dist/ssl/sslv2conftest.c
vendor-crypto/openssl/dist/ssl/t1_enc.c
vendor-crypto/openssl/dist/ssl/t1_lib.c
vendor-crypto/openssl/dist/util/mk1mf.pl
vendor-crypto/openssl/dist/util/mkerr.pl
vendor-crypto/openssl/dist/util/ssleay.num
Modified: vendor-crypto/openssl/dist/CHANGES
==============================================================================
--- vendor-crypto/openssl/dist/CHANGES Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/CHANGES Thu Sep 22 13:04:03 2016 (r306189)
@@ -2,6 +2,166 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
+
+ *) OCSP Status Request extension unbounded memory growth
+
+ A malicious client can send an excessively large OCSP Status Request
+ extension. If that client continually requests renegotiation, sending a
+ large OCSP Status Request extension each time, then there will be unbounded
+ memory growth on the server. This will eventually lead to a Denial Of
+ Service attack through memory exhaustion. Servers with a default
+ configuration are vulnerable even if they do not support OCSP. Builds using
+ the "no-ocsp" build time option are not affected.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6304)
+ [Matt Caswell]
+
+ *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from
+ HIGH to MEDIUM.
+
+ This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
+ Leurent (INRIA)
+ (CVE-2016-2183)
+ [Rich Salz]
+
+ *) OOB write in MDC2_Update()
+
+ An overflow can occur in MDC2_Update() either if called directly or
+ through the EVP_DigestUpdate() function using MDC2. If an attacker
+ is able to supply very large amounts of input data after a previous
+ call to EVP_EncryptUpdate() with a partial block then a length check
+ can overflow resulting in a heap corruption.
+
+ The amount of data needed is comparable to SIZE_MAX which is impractical
+ on most platforms.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6303)
+ [Stephen Henson]
+
+ *) Malformed SHA512 ticket DoS
+
+ If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
+ DoS attack where a malformed ticket will result in an OOB read which will
+ ultimately crash.
+
+ The use of SHA512 in TLS session tickets is comparatively rare as it requires
+ a custom server callback and ticket lookup mechanism.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6302)
+ [Stephen Henson]
+
+ *) OOB write in BN_bn2dec()
+
+ The function BN_bn2dec() does not check the return value of BN_div_word().
+ This can cause an OOB write if an application uses this function with an
+ overly large BIGNUM. This could be a problem if an overly large certificate
+ or CRL is printed out from an untrusted source. TLS is not affected because
+ record limits will reject an oversized certificate before it is parsed.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-2182)
+ [Stephen Henson]
+
+ *) OOB read in TS_OBJ_print_bio()
+
+ The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
+ the total length the OID text representation would use and not the amount
+ of data written. This will result in OOB reads when large OIDs are
+ presented.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-2180)
+ [Stephen Henson]
+
+ *) Pointer arithmetic undefined behaviour
+
+ Avoid some undefined pointer arithmetic
+
+ A common idiom in the codebase is to check limits in the following manner:
+ "p + len > limit"
+
+ Where "p" points to some malloc'd data of SIZE bytes and
+ limit == p + SIZE
+
+ "len" here could be from some externally supplied data (e.g. from a TLS
+ message).
+
+ The rules of C pointer arithmetic are such that "p + len" is only well
+ defined where len <= SIZE. Therefore the above idiom is actually
+ undefined behaviour.
+
+ For example this could cause problems if some malloc implementation
+ provides an address for "p" such that "p + len" actually overflows for
+ values of len that are too big and therefore p + len < limit.
+
+ This issue was reported to OpenSSL by Guido Vranken
+ (CVE-2016-2177)
+ [Matt Caswell]
+
+ *) Constant time flag not preserved in DSA signing
+
+ Operations in the DSA signing algorithm should run in constant time in
+ order to avoid side channel attacks. A flaw in the OpenSSL DSA
+ implementation means that a non-constant time codepath is followed for
+ certain operations. This has been demonstrated through a cache-timing
+ attack to be sufficient for an attacker to recover the private DSA key.
+
+ This issue was reported by César Pereida (Aalto University), Billy Brumley
+ (Tampere University of Technology), and Yuval Yarom (The University of
+ Adelaide and NICTA).
+ (CVE-2016-2178)
+ [César Pereida]
+
+ *) DTLS buffered message DoS
+
+ In a DTLS connection where handshake messages are delivered out-of-order
+ those messages that OpenSSL is not yet ready to process will be buffered
+ for later use. Under certain circumstances, a flaw in the logic means that
+ those messages do not get removed from the buffer even though the handshake
+ has been completed. An attacker could force up to approx. 15 messages to
+ remain in the buffer when they are no longer required. These messages will
+ be cleared when the DTLS connection is closed. The default maximum size for
+ a message is 100k. Therefore the attacker could force an additional 1500k
+ to be consumed per connection. By opening many simulataneous connections an
+ attacker could cause a DoS attack through memory exhaustion.
+
+ This issue was reported to OpenSSL by Quan Luo.
+ (CVE-2016-2179)
+ [Matt Caswell]
+
+ *) DTLS replay protection DoS
+
+ A flaw in the DTLS replay attack protection mechanism means that records
+ that arrive for future epochs update the replay protection "window" before
+ the MAC for the record has been validated. This could be exploited by an
+ attacker by sending a record for the next epoch (which does not have to
+ decrypt or have a valid MAC), with a very large sequence number. This means
+ that all subsequent legitimate packets are dropped causing a denial of
+ service for a specific DTLS connection.
+
+ This issue was reported to OpenSSL by the OCAP audit team.
+ (CVE-2016-2181)
+ [Matt Caswell]
+
+ *) Certificate message OOB reads
+
+ In OpenSSL 1.0.2 and earlier some missing message length checks can result
+ in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
+ theoretical DoS risk but this has not been observed in practice on common
+ platforms.
+
+ The messages affected are client certificate, client certificate request
+ and server certificate. As a result the attack can only be performed
+ against a client or a server which enables client authentication.
+
+ This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+ (CVE-2016-6306)
+ [Stephen Henson]
+
Changes between 1.0.2g and 1.0.2h [3 May 2016]
*) Prevent padding oracle in AES-NI CBC MAC check
Modified: vendor-crypto/openssl/dist/CONTRIBUTING
==============================================================================
--- vendor-crypto/openssl/dist/CONTRIBUTING Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/CONTRIBUTING Thu Sep 22 13:04:03 2016 (r306189)
@@ -1,38 +1,75 @@
-HOW TO CONTRIBUTE TO OpenSSL
-----------------------------
+HOW TO CONTRIBUTE TO PATCHES OpenSSL
+------------------------------------
-Development is coordinated on the openssl-dev mailing list (see
-http://www.openssl.org for information on subscribing). If you
-would like to submit a patch, send it to rt at openssl.org with
-the string "[PATCH]" in the subject. Please be sure to include a
-textual explanation of what your patch does.
-
-You can also make GitHub pull requests. If you do this, please also send
-mail to rt at openssl.org with a brief description and a link to the PR so
-that we can more easily keep track of it.
+(Please visit https://www.openssl.org/community/getting-started.html for
+other ideas about how to contribute.)
+Development is coordinated on the openssl-dev mailing list (see the
+above link or https://mta.openssl.org for information on subscribing).
If you are unsure as to whether a feature will be useful for the general
-OpenSSL community please discuss it on the openssl-dev mailing list first.
-Someone may be already working on the same thing or there may be a good
-reason as to why that feature isn't implemented.
-
-Patches should be as up to date as possible, preferably relative to the
-current Git or the last snapshot. They should follow our coding style
-(see https://www.openssl.org/policies/codingstyle.html) and compile without
-warnings using the --strict-warnings flag. OpenSSL compiles on many varied
-platforms: try to ensure you only use portable features.
-
-Our preferred format for patch files is "git format-patch" output. For example
-to provide a patch file containing the last commit in your local git repository
-use the following command:
+OpenSSL community you might want to discuss it on the openssl-dev mailing
+list first. Someone may be already working on the same thing or there
+may be a good reason as to why that feature isn't implemented.
+
+The best way to submit a patch is to make a pull request on GitHub.
+(It is not necessary to send mail to rt at openssl.org to open a ticket!)
+If you think the patch could use feedback from the community, please
+start a thread on openssl-dev.
+
+You can also submit patches by sending it as mail to rt at openssl.org.
+Please include the word "PATCH" and an explanation of what the patch
+does in the subject line. If you do this, our preferred format is "git
+format-patch" output. For example to provide a patch file containing the
+last commit in your local git repository use the following command:
-# git format-patch --stdout HEAD^ >mydiffs.patch
+ % git format-patch --stdout HEAD^ >mydiffs.patch
Another method of creating an acceptable patch file without using git is as
follows:
-# cd openssl-work
-# [your changes]
-# ./Configure dist; make clean
-# cd ..
-# diff -ur openssl-orig openssl-work > mydiffs.patch
+ % cd openssl-work
+ ...make your changes...
+ % ./Configure dist; make clean
+ % cd ..
+ % diff -ur openssl-orig openssl-work >mydiffs.patch
+
+Note that pull requests are generally easier for the team, and community, to
+work with. Pull requests benefit from all of the standard GitHub features,
+including code review tools, simpler integration, and CI build support.
+
+No matter how a patch is submitted, the following items will help make
+the acceptance and review process faster:
+
+ 1. Anything other than trivial contributions will require a contributor
+ licensing agreement, giving us permission to use your code. See
+ https://www.openssl.org/policies/cla.html for details.
+
+ 2. All source files should start with the following text (with
+ appropriate comment characters at the start of each line and the
+ year(s) updated):
+
+ Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
+
+ Licensed under the OpenSSL license (the "License"). You may not use
+ this file except in compliance with the License. You can obtain a copy
+ in the file LICENSE in the source distribution or at
+ https://www.openssl.org/source/license.html
+
+ 3. Patches should be as current as possible. When using GitHub, please
+ expect to have to rebase and update often. Note that we do not accept merge
+ commits. You will be asked to remove them before a patch is considered
+ acceptable.
+
+ 4. Patches should follow our coding style (see
+ https://www.openssl.org/policies/codingstyle.html) and compile without
+ warnings. Where gcc or clang is availble you should use the
+ --strict-warnings Configure option. OpenSSL compiles on many varied
+ platforms: try to ensure you only use portable features.
+
+ 5. When at all possible, patches should include tests. These can either be
+ added to an existing test, or completely new. Please see test/README
+ for information on the test framework.
+
+ 6. New features or changed functionality must include documentation. Please
+ look at the "pod" files in doc/apps, doc/crypto and doc/ssl for examples of
+ our style.
Modified: vendor-crypto/openssl/dist/Configure
==============================================================================
--- vendor-crypto/openssl/dist/Configure Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/Configure Thu Sep 22 13:04:03 2016 (r306189)
@@ -799,7 +799,7 @@ my @experimental = ();
# This is what $depflags will look like with the above defaults
# (we need this to see if we should advise the user to run "make depend"):
-my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
+my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST -DOPENSSL_NO_WEAK_SSL_CIPHERS";
# Explicit "no-..." options will be collected in %disabled along with the defaults.
# To remove something from %disabled, use "enable-foo" (unless it's experimental).
@@ -1082,11 +1082,6 @@ if (defined($disabled{"md5"}) || defined
$disabled{"tls1"} = "forced";
}
-if (defined($disabled{"tls1"}))
- {
- $disabled{"tlsext"} = "forced";
- }
-
if (defined($disabled{"ec"}) || defined($disabled{"dsa"})
|| defined($disabled{"dh"}))
{
@@ -1254,6 +1249,7 @@ my $shared_extension = $fields[$idx_shar
my $ranlib = $ENV{'RANLIB'} || $fields[$idx_ranlib];
my $ar = $ENV{'AR'} || "ar";
my $arflags = $fields[$idx_arflags];
+my $windres = $ENV{'RC'} || $ENV{'WINDRES'} || "windres";
my $multilib = $fields[$idx_multilib];
# if $prefix/lib$multilib is not an existing directory, then
@@ -1562,8 +1558,15 @@ $cpuid_obj="mem_clr.o" unless ($cpuid_ob
$des_obj=$des_enc unless ($des_obj =~ /\.o$/);
$bf_obj=$bf_enc unless ($bf_obj =~ /\.o$/);
$cast_obj=$cast_enc unless ($cast_obj =~ /\.o$/);
-$rc4_obj=$rc4_enc unless ($rc4_obj =~ /\.o$/);
$rc5_obj=$rc5_enc unless ($rc5_obj =~ /\.o$/);
+if ($rc4_obj =~ /\.o$/)
+ {
+ $cflags.=" -DRC4_ASM";
+ }
+else
+ {
+ $rc4_obj=$rc4_enc;
+ }
if ($sha1_obj =~ /\.o$/)
{
# $sha1_obj=$sha1_enc;
@@ -1717,12 +1720,14 @@ while (<IN>)
s/^AR=\s*/AR= \$\(CROSS_COMPILE\)/;
s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/;
s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/;
+ s/^RC=\s*/RC= \$\(CROSS_COMPILE\)/;
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $cc eq "gcc";
}
else {
s/^CC=.*$/CC= $cc/;
s/^AR=\s*ar/AR= $ar/;
s/^RANLIB=.*/RANLIB= $ranlib/;
+ s/^RC=.*/RC= $windres/;
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $ecc eq "gcc" || $ecc eq "clang";
}
Modified: vendor-crypto/openssl/dist/FREEBSD-Xlist
==============================================================================
--- vendor-crypto/openssl/dist/FREEBSD-Xlist Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/FREEBSD-Xlist Thu Sep 22 13:04:03 2016 (r306189)
@@ -26,7 +26,7 @@ openssl-*/apps/demoCA
openssl-*/apps/demoSRP
openssl-*/apps/md4.c
openssl-*/apps/openssl-vms.cnf
-openssl-*/apps/vms_decc_init.c
+openssl-*/apps/vms_*
openssl-*/apps/winrand.c
openssl-*/bugs
openssl-*/certs/demo
Modified: vendor-crypto/openssl/dist/FREEBSD-upgrade
==============================================================================
--- vendor-crypto/openssl/dist/FREEBSD-upgrade Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/FREEBSD-upgrade Thu Sep 22 13:04:03 2016 (r306189)
@@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/Subv
# Xlist
setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
setenv FSVN "svn+ssh://repo.freebsd.org/base"
-setenv OSSLVER 1.0.2h
-# OSSLTAG format: v1_0_2h
+setenv OSSLVER 1.0.2i
+# OSSLTAG format: v1_0_2i
###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
Modified: vendor-crypto/openssl/dist/Makefile
==============================================================================
--- vendor-crypto/openssl/dist/Makefile Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/Makefile Thu Sep 22 13:04:03 2016 (r306189)
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.2h
+VERSION=1.0.2i
MAJOR=1
MINOR=0.2
SHLIB_VERSION_NUMBER=1.0.0
@@ -68,6 +68,7 @@ EXE_EXT=
ARFLAGS=
AR= ar $(ARFLAGS) r
RANLIB= /usr/bin/ranlib
+RC= windres
NM= nm
PERL= /usr/bin/perl
TAR= tar
@@ -210,6 +211,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)
CC='$(CC)' CFLAG='$(CFLAG)' \
AS='$(CC)' ASFLAG='$(CFLAG) -c' \
AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \
+ RC='$(RC)' \
CROSS_COMPILE='$(CROSS_COMPILE)' \
PERL='$(PERL)' ENGDIRS='$(ENGDIRS)' \
SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)' \
@@ -368,6 +370,7 @@ libcrypto.pc: Makefile
echo 'exec_prefix=$${prefix}'; \
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
echo 'includedir=$${prefix}/include'; \
+ echo 'enginesdir=$${libdir}/engines'; \
echo ''; \
echo 'Name: OpenSSL-libcrypto'; \
echo 'Description: OpenSSL cryptography library'; \
Modified: vendor-crypto/openssl/dist/Makefile.org
==============================================================================
--- vendor-crypto/openssl/dist/Makefile.org Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/Makefile.org Thu Sep 22 13:04:03 2016 (r306189)
@@ -66,6 +66,7 @@ EXE_EXT=
ARFLAGS=
AR=ar $(ARFLAGS) r
RANLIB= ranlib
+RC= windres
NM= nm
PERL= perl
TAR= tar
@@ -208,6 +209,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)
CC='$(CC)' CFLAG='$(CFLAG)' \
AS='$(CC)' ASFLAG='$(CFLAG) -c' \
AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \
+ RC='$(RC)' \
CROSS_COMPILE='$(CROSS_COMPILE)' \
PERL='$(PERL)' ENGDIRS='$(ENGDIRS)' \
SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)' \
@@ -366,6 +368,7 @@ libcrypto.pc: Makefile
echo 'exec_prefix=$${prefix}'; \
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
echo 'includedir=$${prefix}/include'; \
+ echo 'enginesdir=$${libdir}/engines'; \
echo ''; \
echo 'Name: OpenSSL-libcrypto'; \
echo 'Description: OpenSSL cryptography library'; \
Modified: vendor-crypto/openssl/dist/Makefile.shared
==============================================================================
--- vendor-crypto/openssl/dist/Makefile.shared Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/Makefile.shared Thu Sep 22 13:04:03 2016 (r306189)
@@ -293,7 +293,7 @@ link_a.cygwin:
fi; \
dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
$(PERL) util/mkrc.pl $$dll_name | \
- $(CROSS_COMPILE)windres -o rc.o; \
+ $(RC) -o rc.o; \
extras="$$extras rc.o"; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
Modified: vendor-crypto/openssl/dist/NEWS
==============================================================================
--- vendor-crypto/openssl/dist/NEWS Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/NEWS Thu Sep 22 13:04:03 2016 (r306189)
@@ -5,6 +5,20 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]
+
+ o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
+ o SWEET32 Mitigation (CVE-2016-2183)
+ o OOB write in MDC2_Update() (CVE-2016-6303)
+ o Malformed SHA512 ticket DoS (CVE-2016-6302)
+ o OOB write in BN_bn2dec() (CVE-2016-2182)
+ o OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
+ o Pointer arithmetic undefined behaviour (CVE-2016-2177)
+ o Constant time flag not preserved in DSA signing (CVE-2016-2178)
+ o DTLS buffered message DoS (CVE-2016-2179)
+ o DTLS replay protection DoS (CVE-2016-2181)
+ o Certificate message OOB reads (CVE-2016-6306)
+
Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
Modified: vendor-crypto/openssl/dist/README
==============================================================================
--- vendor-crypto/openssl/dist/README Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/README Thu Sep 22 13:04:03 2016 (r306189)
@@ -1,5 +1,5 @@
- OpenSSL 1.0.2h 3 May 2016
+ OpenSSL 1.0.2i 22 Sep 2016
Copyright (c) 1998-2015 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Modified: vendor-crypto/openssl/dist/apps/CA.pl
==============================================================================
--- vendor-crypto/openssl/dist/apps/CA.pl Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/CA.pl Thu Sep 22 13:04:03 2016 (r306189)
@@ -64,7 +64,7 @@ $RET = 0;
foreach (@ARGV) {
if ( /^(-\?|-h|-help)$/ ) {
- print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+ print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
exit 0;
} elsif (/^-newcert$/) {
# create a certificate
@@ -186,4 +186,3 @@ while (<IN>) {
}
}
}
-
Modified: vendor-crypto/openssl/dist/apps/CA.pl.in
==============================================================================
--- vendor-crypto/openssl/dist/apps/CA.pl.in Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/CA.pl.in Thu Sep 22 13:04:03 2016 (r306189)
@@ -64,7 +64,7 @@ $RET = 0;
foreach (@ARGV) {
if ( /^(-\?|-h|-help)$/ ) {
- print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+ print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
exit 0;
} elsif (/^-newcert$/) {
# create a certificate
@@ -186,4 +186,3 @@ while (<IN>) {
}
}
}
-
Modified: vendor-crypto/openssl/dist/apps/apps.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/apps.c Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/apps.c Thu Sep 22 13:04:03 2016 (r306189)
@@ -215,7 +215,8 @@ int args_from_file(char *file, int *argc
if (arg != NULL)
OPENSSL_free(arg);
arg = (char **)OPENSSL_malloc(sizeof(char *) * (i * 2));
-
+ if (arg == NULL)
+ return 0;
*argv = arg;
num = 0;
p = buf;
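Review bot: The added `return 0` runs after the old `arg` array has already been freed, while `*argv` is only reassigned on the line after the check. If `arg` persists between calls (its declaration is outside this hunk), a caller still holding the pointer from an earlier call is left pointing at freed memory when the allocation fails. Clearing the outputs before returning, e.g. `*argc = 0; *argv = NULL;` inside the new `if`, would make the failure state unambiguous. args_from_file starts and ends outside the hunk.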
@@ -2374,6 +2375,8 @@ int args_verify(char ***pargs, int *parg
flags |= X509_V_FLAG_PARTIAL_CHAIN;
else if (!strcmp(arg, "-no_alt_chains"))
flags |= X509_V_FLAG_NO_ALT_CHAINS;
+ else if (!strcmp(arg, "-allow_proxy_certs"))
+ flags |= X509_V_FLAG_ALLOW_PROXY_CERTS;
else
return 0;
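Review bot: `-allow_proxy_certs` relaxes chain verification, yet nothing at the new branch says so. A one-line comment above the `strcmp`, such as `/* opt-in: accept proxy certificates in the chain; off unless requested */`, would make the security effect visible to the next reader. The option should also appear in the usage text of the commands that call args_verify, which this hunk does not show. args_verify starts and ends outside the hunk.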
@@ -3195,6 +3198,36 @@ int app_isdir(const char *name)
#endif
/* raw_read|write section */
+#if defined(__VMS)
+# include "vms_term_sock.h"
+static int stdin_sock = -1;
+
+static void close_stdin_sock(void)
+{
+ TerminalSocket (TERM_SOCK_DELETE, &stdin_sock);
+}
+
+int fileno_stdin(void)
+{
+ if (stdin_sock == -1) {
+ TerminalSocket(TERM_SOCK_CREATE, &stdin_sock);
+ atexit(close_stdin_sock);
+ }
+
+ return stdin_sock;
+}
+#else
+int fileno_stdin(void)
+{
+ return fileno(stdin);
+}
+#endif
+
+int fileno_stdout(void)
+{
+ return fileno(stdout);
+}
+
#if defined(_WIN32) && defined(STD_INPUT_HANDLE)
int raw_read_stdin(void *buf, int siz)
{
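Review bot: On VMS `fileno_stdin()` ignores the result of `TerminalSocket(TERM_SOCK_CREATE, &stdin_sock)` and registers the `atexit` handler unconditionally. If creation fails and leaves `stdin_sock` at -1, every later call retries and registers `close_stdin_sock` again, and callers such as the `recv()` in `raw_read_stdin` receive -1 as a descriptor. Registering only on success, `if (stdin_sock != -1) atexit(close_stdin_sock);`, keeps the handler list bounded. That TerminalSocket leaves the socket at -1 on failure is an assumption, since its definition is not on this page.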
@@ -3204,10 +3237,17 @@ int raw_read_stdin(void *buf, int siz)
else
return (-1);
}
+#elif defined(__VMS)
+#include <sys/socket.h>
+
+int raw_read_stdin(void *buf, int siz)
+{
+ return recv(fileno_stdin(), buf, siz, 0);
+}
#else
int raw_read_stdin(void *buf, int siz)
{
- return read(fileno(stdin), buf, siz);
+ return read(fileno_stdin(), buf, siz);
}
#endif
@@ -3223,6 +3263,6 @@ int raw_write_stdout(const void *buf, in
#else
int raw_write_stdout(const void *buf, int siz)
{
- return write(fileno(stdout), buf, siz);
+ return write(fileno_stdout(), buf, siz);
}
#endif
Modified: vendor-crypto/openssl/dist/apps/apps.h
==============================================================================
--- vendor-crypto/openssl/dist/apps/apps.h Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/apps.h Thu Sep 22 13:04:03 2016 (r306189)
@@ -375,6 +375,8 @@ void store_setup_crl_download(X509_STORE
# define SERIAL_RAND_BITS 64
int app_isdir(const char *);
+int fileno_stdin(void);
+int fileno_stdout(void);
int raw_read_stdin(void *, int);
int raw_write_stdout(const void *, int);
Modified: vendor-crypto/openssl/dist/apps/ca.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/ca.c Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/ca.c Thu Sep 22 13:04:03 2016 (r306189)
@@ -2103,25 +2103,23 @@ static int do_body(X509 **xret, EVP_PKEY
goto err;
/* We now just add it to the database */
- row[DB_type] = (char *)OPENSSL_malloc(2);
-
tm = X509_get_notAfter(ret);
- row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1);
- memcpy(row[DB_exp_date], tm->data, tm->length);
- row[DB_exp_date][tm->length] = '\0';
-
- row[DB_rev_date] = NULL;
-
- /* row[DB_serial] done already */
- row[DB_file] = (char *)OPENSSL_malloc(8);
+ row[DB_type] = OPENSSL_malloc(2);
+ row[DB_exp_date] = OPENSSL_malloc(tm->length + 1);
+ row[DB_rev_date] = OPENSSL_malloc(1);
+ row[DB_file] = OPENSSL_malloc(8);
row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
-
if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
+ (row[DB_rev_date] == NULL) ||
(row[DB_file] == NULL) || (row[DB_name] == NULL)) {
BIO_printf(bio_err, "Memory allocation failure\n");
goto err;
}
- BUF_strlcpy(row[DB_file], "unknown", 8);
+
+ memcpy(row[DB_exp_date], tm->data, tm->length);
+ row[DB_exp_date][tm->length] = '\0';
+ row[DB_rev_date][0] = '\0';
+ strcpy(row[DB_file], "unknown");
row[DB_type][0] = 'V';
row[DB_type][1] = '\0';
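Review bot: The switch from `BUF_strlcpy(row[DB_file], "unknown", 8)` to `strcpy(row[DB_file], "unknown")` drops the bound, so the copy is safe only because the literal happens to need exactly the 8 bytes requested by `OPENSSL_malloc(8)` a few lines up. Tying both to the literal removes the hidden coupling: `row[DB_file] = OPENSSL_malloc(sizeof("unknown"));` and `memcpy(row[DB_file], "unknown", sizeof("unknown"));`. do_body starts and ends outside this hunk.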
@@ -2307,6 +2305,7 @@ static int certify_spkac(X509 **xret, ch
j = NETSCAPE_SPKI_verify(spki, pktmp);
if (j <= 0) {
+ EVP_PKEY_free(pktmp);
BIO_printf(bio_err,
"signature verification failed on SPKAC public key\n");
goto err;
Modified: vendor-crypto/openssl/dist/apps/dgst.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/dgst.c Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/dgst.c Thu Sep 22 13:04:03 2016 (r306189)
@@ -243,6 +243,11 @@ int MAIN(int argc, char **argv)
argv++;
}
+ if (keyfile != NULL && argc > 1) {
+ BIO_printf(bio_err, "Can only sign or verify one file\n");
+ goto end;
+ }
+
if (do_verify && !sigfile) {
BIO_printf(bio_err,
"No signature to verify: use the -signature option\n");
Modified: vendor-crypto/openssl/dist/apps/enc.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/enc.c Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/enc.c Thu Sep 22 13:04:03 2016 (r306189)
@@ -509,7 +509,7 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "invalid hex salt value\n");
goto end;
}
- } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
+ } else if (RAND_bytes(salt, sizeof salt) <= 0)
goto end;
/*
* If -P option then don't bother writing
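Review bot: When `RAND_bytes` fails the code jumps to `end` without saying why, so unless the cleanup at `end` (outside this hunk) prints the error queue, salt generation fails silently. A line such as `BIO_printf(bio_err, "error generating salt\n");` before the `goto end`, with braces around the two statements, would make this diagnosable. The same applies to the two `RAND_bytes` calls added in apps/passwd.c (`do_passwd`, the 2-byte and 8-byte salts), which also go straight to `err`.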
Modified: vendor-crypto/openssl/dist/apps/passwd.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/passwd.c Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/passwd.c Thu Sep 22 13:04:03 2016 (r306189)
@@ -416,7 +416,7 @@ static int do_passwd(int passed_salt, ch
if (*salt_malloc_p == NULL)
goto err;
}
- if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0)
+ if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0)
goto err;
(*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
(*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
@@ -437,7 +437,7 @@ static int do_passwd(int passed_salt, ch
if (*salt_malloc_p == NULL)
goto err;
}
- if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0)
+ if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0)
goto err;
for (i = 0; i < 8; i++)
Modified: vendor-crypto/openssl/dist/apps/pkcs12.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/pkcs12.c Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/pkcs12.c Thu Sep 22 13:04:03 2016 (r306189)
@@ -832,6 +832,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1
EVP_PKEY *pkey;
PKCS8_PRIV_KEY_INFO *p8;
X509 *x509;
+ int ret = 0;
switch (M_PKCS12_bag_type(bag)) {
case NID_keyBag:
@@ -844,7 +845,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1
if (!(pkey = EVP_PKCS82PKEY(p8)))
return 0;
print_attribs(out, p8->attributes, "Key Attributes");
- PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
+ ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
EVP_PKEY_free(pkey);
break;
@@ -864,7 +865,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1
}
print_attribs(out, p8->attributes, "Key Attributes");
PKCS8_PRIV_KEY_INFO_free(p8);
- PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
+ ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
EVP_PKEY_free(pkey);
break;
@@ -884,7 +885,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1
if (!(x509 = PKCS12_certbag2x509(bag)))
return 0;
dump_cert_text(out, x509);
- PEM_write_bio_X509(out, x509);
+ ret = PEM_write_bio_X509(out, x509);
X509_free(x509);
break;
@@ -902,7 +903,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1
return 1;
break;
}
- return 1;
+ return ret;
}
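Review bot: With `ret` initialised to 0 and the function now ending in `return ret`, any `case` that reaches `break` without assigning `ret` reports failure. The three assignments in these hunks cover the PEM writes, but the rest of the switch lies outside them, so it is worth confirming that no other path falls through to the final return. A comment at the declaration, `int ret = 0; /* failure unless a PEM write succeeds */`, would document the convention.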
/* Given a single certificate return a verified chain or NULL if error */
@@ -931,16 +932,70 @@ static int get_cert_chain(X509 *cert, X5
int alg_print(BIO *x, X509_ALGOR *alg)
{
- PBEPARAM *pbe;
- const unsigned char *p;
- p = alg->parameter->value.sequence->data;
- pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
- if (!pbe)
- return 1;
- BIO_printf(bio_err, "%s, Iteration %ld\n",
- OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)),
- ASN1_INTEGER_get(pbe->iter));
- PBEPARAM_free(pbe);
+ int pbenid, aparamtype;
+ ASN1_OBJECT *aoid;
+ void *aparam;
+ PBEPARAM *pbe = NULL;
+
+ X509_ALGOR_get0(&aoid, &aparamtype, &aparam, alg);
+
+ pbenid = OBJ_obj2nid(aoid);
+
+ BIO_printf(x, "%s", OBJ_nid2ln(pbenid));
+
+ /*
+ * If PBE algorithm is PBES2 decode algorithm parameters
+ * for additional details.
+ */
+ if (pbenid == NID_pbes2) {
+ PBE2PARAM *pbe2 = NULL;
+ int encnid;
+ if (aparamtype == V_ASN1_SEQUENCE)
+ pbe2 = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBE2PARAM));
+ if (pbe2 == NULL) {
+ BIO_puts(x, "<unsupported parameters>");
+ goto done;
+ }
+ X509_ALGOR_get0(&aoid, &aparamtype, &aparam, pbe2->keyfunc);
+ pbenid = OBJ_obj2nid(aoid);
+ X509_ALGOR_get0(&aoid, NULL, NULL, pbe2->encryption);
+ encnid = OBJ_obj2nid(aoid);
+ BIO_printf(x, ", %s, %s", OBJ_nid2ln(pbenid),
+ OBJ_nid2sn(encnid));
+ /* If KDF is PBKDF2 decode parameters */
+ if (pbenid == NID_id_pbkdf2) {
+ PBKDF2PARAM *kdf = NULL;
+ int prfnid;
+ if (aparamtype == V_ASN1_SEQUENCE)
+ kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBKDF2PARAM));
+ if (kdf == NULL) {
+ BIO_puts(x, "<unsupported parameters>");
+ goto done;
+ }
+
+ if (kdf->prf == NULL) {
+ prfnid = NID_hmacWithSHA1;
+ } else {
+ X509_ALGOR_get0(&aoid, NULL, NULL, kdf->prf);
+ prfnid = OBJ_obj2nid(aoid);
+ }
+ BIO_printf(x, ", Iteration %ld, PRF %s",
+ ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid));
+ PBKDF2PARAM_free(kdf);
+ }
+ PBE2PARAM_free(pbe2);
+ } else {
+ if (aparamtype == V_ASN1_SEQUENCE)
+ pbe = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBEPARAM));
+ if (pbe == NULL) {
+ BIO_puts(x, "<unsupported parameters>");
+ goto done;
+ }
+ BIO_printf(x, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter));
+ PBEPARAM_free(pbe);
+ }
+ done:
+ BIO_puts(x, "\n");
return 1;
}
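Review bot: `pbe2` is not released when the PBKDF2 parameters fail to decode: the `kdf == NULL` branch jumps to `done`, which skips the `PBE2PARAM_free(pbe2)` that follows the inner block. Adding `PBE2PARAM_free(pbe2);` before that `goto done;` closes the leak. The parameters come from the PKCS#12 file being inspected, so a malformed input reaches this path, though in a short-lived command-line tool the effect is limited to the leak itself.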
Modified: vendor-crypto/openssl/dist/apps/req.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/req.c Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/req.c Thu Sep 22 13:04:03 2016 (r306189)
@@ -332,9 +332,10 @@ int MAIN(int argc, char **argv)
subject = 1;
else if (strcmp(*argv, "-text") == 0)
text = 1;
- else if (strcmp(*argv, "-x509") == 0)
+ else if (strcmp(*argv, "-x509") == 0) {
+ newreq = 1;
x509 = 1;
- else if (strcmp(*argv, "-asn1-kludge") == 0)
+ } else if (strcmp(*argv, "-asn1-kludge") == 0)
kludge = 1;
else if (strcmp(*argv, "-no-asn1-kludge") == 0)
kludge = 0;
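Review bot: Setting `newreq = 1` whenever `-x509` is seen means the two options can no longer be told apart later in MAIN. The following hunk's `if (newreq)` relies on that, but any code outside these hunks that uses `newreq` to decide whether to read an existing request (for example one supplied with `-in`) would now take the new-request path instead. That is worth checking against the rest of MAIN. If the coupling is intended, a comment at the assignment such as `/* -x509 implies -new */` would record it.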
@@ -756,7 +757,7 @@ int MAIN(int argc, char **argv)
}
}
- if (newreq || x509) {
+ if (newreq) {
if (pkey == NULL) {
BIO_printf(bio_err, "you need to specify a private key\n");
goto end;
@@ -1331,12 +1332,11 @@ static int auto_info(X509_REQ *req, STAC
break;
}
#ifndef CHARSET_EBCDIC
- if (*p == '+')
+ if (*type == '+') {
#else
- if (*p == os_toascii['+'])
+ if (*type == os_toascii['+']) {
#endif
- {
- p++;
+ type++;
mval = -1;
} else
mval = 0;
Modified: vendor-crypto/openssl/dist/apps/s_apps.h
==============================================================================
--- vendor-crypto/openssl/dist/apps/s_apps.h Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/s_apps.h Thu Sep 22 13:04:03 2016 (r306189)
@@ -199,7 +199,8 @@ int load_excert(SSL_EXCERT **pexc, BIO *
void print_ssl_summary(BIO *bio, SSL *s);
#ifdef HEADER_SSL_H
int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
- int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
+ int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr,
+ int *no_prot_opt);
int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
Modified: vendor-crypto/openssl/dist/apps/s_cb.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/s_cb.c Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/s_cb.c Thu Sep 22 13:04:03 2016 (r306189)
@@ -1507,11 +1507,18 @@ void print_ssl_summary(BIO *bio, SSL *s)
}
int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
- int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr)
+ int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr,
+ int *no_prot_opt)
{
char *arg = **pargs, *argn = (*pargs)[1];
int rv;
+ if (strcmp(arg, "-no_ssl2") == 0 || strcmp(arg, "-no_ssl3") == 0
+ || strcmp(arg, "-no_tls1") == 0 || strcmp(arg, "-no_tls1_1") == 0
+ || strcmp(arg, "-no_tls1_2") == 0) {
+ *no_prot_opt = 1;
+ }
+
/* Attempt to run SSL configuration command */
rv = SSL_CONF_cmd_argv(cctx, pargc, pargs);
/* If parameter not recognised just return */
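Review bot: The new `no_prot_opt` out-parameter has no documented contract: it is dereferenced unconditionally, only ever set to 1, and is set before `SSL_CONF_cmd_argv` has accepted the option. A short comment above args_ssl, e.g. `/* *no_prot_opt is set to 1 when a -no_<protocol> option is seen; must be non-NULL; never cleared here */`, would spell that out. The five option strings also duplicate names handled by the SSL_CONF layer, so a protocol-disable option added there later would need adding here too. The function continues past the end of the hunk.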
Modified: vendor-crypto/openssl/dist/apps/s_client.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/s_client.c Thu Sep 22 12:53:11 2016 (r306188)
+++ vendor-crypto/openssl/dist/apps/s_client.c Thu Sep 22 13:04:03 2016 (r306189)
@@ -242,9 +242,9 @@ static unsigned int psk_client_cb(SSL *s
unsigned char *psk,
unsigned int max_psk_len)
{
- unsigned int psk_len = 0;
int ret;
- BIGNUM *bn = NULL;
+ long key_len;
+ unsigned char *key;
if (c_debug)
BIO_printf(bio_c_out, "psk_client_cb\n");
@@ -265,32 +265,29 @@ static unsigned int psk_client_cb(SSL *s
if (c_debug)
BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity,
ret);
- ret = BN_hex2bn(&bn, psk_key);
- if (!ret) {
- BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
+
+ /* convert the PSK key to binary */
+ key = string_to_hex(psk_key, &key_len);
+ if (key == NULL) {
+ BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
psk_key);
- if (bn)
- BN_free(bn);
return 0;
}
-
- if ((unsigned int)BN_num_bytes(bn) > max_psk_len) {
+ if ((unsigned long)key_len > (unsigned long)max_psk_len) {
BIO_printf(bio_err,
- "psk buffer of callback is too small (%d) for key (%d)\n",
- max_psk_len, BN_num_bytes(bn));
- BN_free(bn);
+ "psk buffer of callback is too small (%d) for key (%ld)\n",
+ max_psk_len, key_len);
+ OPENSSL_free(key);
return 0;
}
- psk_len = BN_bn2bin(bn, psk);
- BN_free(bn);
- if (psk_len == 0)
- goto out_err;
+ memcpy(psk, key, key_len);
+ OPENSSL_free(key);
if (c_debug)
- BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
+ BIO_printf(bio_c_out, "created PSK len=%ld\n", key_len);
- return psk_len;
+ return key_len;
out_err:
if (c_debug)
BIO_printf(bio_err, "Error in PSK client callback\n");
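Review bot: The decoded PSK in `key` is handed back to the allocator without being wiped; both `OPENSSL_free(key)` calls (the too-long branch and the one after `memcpy`) should be preceded by `OPENSSL_cleanse(key, key_len);`. Separately, the conversion-failure message still prints `psk_key` itself to `bio_err`, which puts the secret in whatever captures stderr; `BIO_printf(bio_err, "Could not convert PSK key to buffer\n");` avoids that. psk_client_cb begins and ends outside these hunks.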
@@ -747,6 +744,7 @@ int MAIN(int argc, char **argv)
int crl_format = FORMAT_PEM;
int crl_download = 0;
STACK_OF(X509_CRL) *crls = NULL;
+ int prot_opt = 0, no_prot_opt = 0;
meth = SSLv23_client_method();
@@ -850,7 +848,8 @@ int MAIN(int argc, char **argv)
if (badarg)
goto bad;
continue;
- } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) {
+ } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args,
+ &no_prot_opt)) {
if (badarg)
goto bad;
continue;
@@ -942,31 +941,42 @@ int MAIN(int argc, char **argv)
}
#endif
#ifndef OPENSSL_NO_SSL2
- else if (strcmp(*argv, "-ssl2") == 0)
+ else if (strcmp(*argv, "-ssl2") == 0) {
meth = SSLv2_client_method();
+ prot_opt++;
+ }
#endif
#ifndef OPENSSL_NO_SSL3_METHOD
- else if (strcmp(*argv, "-ssl3") == 0)
+ else if (strcmp(*argv, "-ssl3") == 0) {
meth = SSLv3_client_method();
+ prot_opt++;
+ }
#endif
#ifndef OPENSSL_NO_TLS1
- else if (strcmp(*argv, "-tls1_2") == 0)
+ else if (strcmp(*argv, "-tls1_2") == 0) {
meth = TLSv1_2_client_method();
- else if (strcmp(*argv, "-tls1_1") == 0)
+ prot_opt++;
+ } else if (strcmp(*argv, "-tls1_1") == 0) {
meth = TLSv1_1_client_method();
- else if (strcmp(*argv, "-tls1") == 0)
+ prot_opt++;
+ } else if (strcmp(*argv, "-tls1") == 0) {
meth = TLSv1_client_method();
+ prot_opt++;
+ }
#endif
#ifndef OPENSSL_NO_DTLS1
else if (strcmp(*argv, "-dtls") == 0) {
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***