svn commit: r276864 - in stable/10: crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/aes/asm crypto/openssl/crypto/asn1 crypto/openssl/crypto/bio crypto/openssl/crypto...
Jung-uk Kim
jkim at FreeBSD.org
Fri Jan 9 00:58:29 UTC 2015
Author: jkim
Date: Fri Jan 9 00:58:20 2015
New Revision: 276864
URL: https://svnweb.freebsd.org/changeset/base/276864
Log:
MFC: r276861, r276863
Merge OpenSSL 1.0.1k.
Added:
stable/10/crypto/openssl/util/mkbuildinf.pl
- copied, changed from r276861, head/crypto/openssl/util/mkbuildinf.pl
Deleted:
stable/10/crypto/openssl/crypto/bn/asm/mips3.s
Modified:
stable/10/crypto/openssl/CHANGES
stable/10/crypto/openssl/Configure
stable/10/crypto/openssl/Makefile
stable/10/crypto/openssl/NEWS
stable/10/crypto/openssl/README
stable/10/crypto/openssl/apps/ca.c
stable/10/crypto/openssl/apps/dgst.c
stable/10/crypto/openssl/apps/ocsp.c
stable/10/crypto/openssl/apps/openssl.c
stable/10/crypto/openssl/apps/s_client.c
stable/10/crypto/openssl/apps/s_server.c
stable/10/crypto/openssl/apps/s_time.c
stable/10/crypto/openssl/apps/speed.c
stable/10/crypto/openssl/crypto/Makefile
stable/10/crypto/openssl/crypto/aes/asm/aes-mips.pl
stable/10/crypto/openssl/crypto/asn1/a_bitstr.c
stable/10/crypto/openssl/crypto/asn1/a_type.c
stable/10/crypto/openssl/crypto/asn1/a_verify.c
stable/10/crypto/openssl/crypto/asn1/asn1.h
stable/10/crypto/openssl/crypto/asn1/asn1_err.c
stable/10/crypto/openssl/crypto/asn1/tasn_dec.c
stable/10/crypto/openssl/crypto/asn1/x_algor.c
stable/10/crypto/openssl/crypto/asn1/x_name.c
stable/10/crypto/openssl/crypto/bio/bio.h
stable/10/crypto/openssl/crypto/bio/bss_dgram.c
stable/10/crypto/openssl/crypto/bn/asm/mips.pl
stable/10/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
stable/10/crypto/openssl/crypto/bn/bn.h
stable/10/crypto/openssl/crypto/bn/bn_asm.c
stable/10/crypto/openssl/crypto/bn/bn_ctx.c
stable/10/crypto/openssl/crypto/bn/bn_div.c
stable/10/crypto/openssl/crypto/bn/bntest.c
stable/10/crypto/openssl/crypto/constant_time_locl.h
stable/10/crypto/openssl/crypto/cversion.c
stable/10/crypto/openssl/crypto/dsa/dsa_asn1.c
stable/10/crypto/openssl/crypto/dso/dso_dlfcn.c
stable/10/crypto/openssl/crypto/ec/ec_lib.c
stable/10/crypto/openssl/crypto/ec/ec_mult.c
stable/10/crypto/openssl/crypto/ec/ec_pmeth.c
stable/10/crypto/openssl/crypto/ec/ecp_nistp256.c
stable/10/crypto/openssl/crypto/ec/ectest.c
stable/10/crypto/openssl/crypto/ecdsa/Makefile
stable/10/crypto/openssl/crypto/ecdsa/ecs_vrf.c
stable/10/crypto/openssl/crypto/engine/eng_dyn.c
stable/10/crypto/openssl/crypto/evp/Makefile
stable/10/crypto/openssl/crypto/evp/e_des3.c
stable/10/crypto/openssl/crypto/evp/evp_enc.c
stable/10/crypto/openssl/crypto/md32_common.h
stable/10/crypto/openssl/crypto/mem.c
stable/10/crypto/openssl/crypto/objects/obj_xref.h
stable/10/crypto/openssl/crypto/objects/objxref.pl
stable/10/crypto/openssl/crypto/opensslv.h
stable/10/crypto/openssl/crypto/sha/asm/sha1-mips.pl
stable/10/crypto/openssl/crypto/sha/asm/sha512-mips.pl
stable/10/crypto/openssl/crypto/ts/ts_rsp_sign.c
stable/10/crypto/openssl/crypto/x509/x509.h
stable/10/crypto/openssl/crypto/x509/x509_vpm.c
stable/10/crypto/openssl/crypto/x509/x_all.c
stable/10/crypto/openssl/doc/HOWTO/certificates.txt
stable/10/crypto/openssl/doc/HOWTO/proxy_certificates.txt
stable/10/crypto/openssl/doc/apps/dgst.pod
stable/10/crypto/openssl/doc/apps/ocsp.pod
stable/10/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
stable/10/crypto/openssl/doc/crypto/EVP_PKEY_encrypt.pod
stable/10/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod
stable/10/crypto/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
stable/10/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod
stable/10/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
stable/10/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
stable/10/crypto/openssl/e_os.h
stable/10/crypto/openssl/engines/e_padlock.c
stable/10/crypto/openssl/ssl/d1_both.c
stable/10/crypto/openssl/ssl/d1_clnt.c
stable/10/crypto/openssl/ssl/d1_enc.c
stable/10/crypto/openssl/ssl/d1_lib.c
stable/10/crypto/openssl/ssl/d1_pkt.c
stable/10/crypto/openssl/ssl/d1_srvr.c
stable/10/crypto/openssl/ssl/dtls1.h
stable/10/crypto/openssl/ssl/kssl.c
stable/10/crypto/openssl/ssl/s23_srvr.c
stable/10/crypto/openssl/ssl/s2_enc.c
stable/10/crypto/openssl/ssl/s2_pkt.c
stable/10/crypto/openssl/ssl/s2_srvr.c
stable/10/crypto/openssl/ssl/s3_both.c
stable/10/crypto/openssl/ssl/s3_clnt.c
stable/10/crypto/openssl/ssl/s3_enc.c
stable/10/crypto/openssl/ssl/s3_lib.c
stable/10/crypto/openssl/ssl/s3_meth.c
stable/10/crypto/openssl/ssl/s3_pkt.c
stable/10/crypto/openssl/ssl/s3_srvr.c
stable/10/crypto/openssl/ssl/srtp.h
stable/10/crypto/openssl/ssl/ssl.h
stable/10/crypto/openssl/ssl/ssl3.h
stable/10/crypto/openssl/ssl/ssl_cert.c
stable/10/crypto/openssl/ssl/ssl_ciph.c
stable/10/crypto/openssl/ssl/ssl_lib.c
stable/10/crypto/openssl/ssl/ssl_locl.h
stable/10/crypto/openssl/ssl/ssl_sess.c
stable/10/crypto/openssl/ssl/ssltest.c
stable/10/crypto/openssl/ssl/t1_enc.c
stable/10/crypto/openssl/ssl/t1_lib.c
stable/10/crypto/openssl/util/libeay.num
stable/10/crypto/openssl/util/mk1mf.pl
stable/10/crypto/openssl/util/mkdef.pl
stable/10/crypto/openssl/util/pl/netware.pl
stable/10/crypto/openssl/util/ssleay.num
stable/10/secure/lib/libcrypto/Makefile.inc
stable/10/secure/lib/libcrypto/man/ASN1_OBJECT_new.3
stable/10/secure/lib/libcrypto/man/ASN1_STRING_length.3
stable/10/secure/lib/libcrypto/man/ASN1_STRING_new.3
stable/10/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3
stable/10/secure/lib/libcrypto/man/ASN1_generate_nconf.3
stable/10/secure/lib/libcrypto/man/BIO_ctrl.3
stable/10/secure/lib/libcrypto/man/BIO_f_base64.3
stable/10/secure/lib/libcrypto/man/BIO_f_buffer.3
stable/10/secure/lib/libcrypto/man/BIO_f_cipher.3
stable/10/secure/lib/libcrypto/man/BIO_f_md.3
stable/10/secure/lib/libcrypto/man/BIO_f_null.3
stable/10/secure/lib/libcrypto/man/BIO_f_ssl.3
stable/10/secure/lib/libcrypto/man/BIO_find_type.3
stable/10/secure/lib/libcrypto/man/BIO_new.3
stable/10/secure/lib/libcrypto/man/BIO_new_CMS.3
stable/10/secure/lib/libcrypto/man/BIO_push.3
stable/10/secure/lib/libcrypto/man/BIO_read.3
stable/10/secure/lib/libcrypto/man/BIO_s_accept.3
stable/10/secure/lib/libcrypto/man/BIO_s_bio.3
stable/10/secure/lib/libcrypto/man/BIO_s_connect.3
stable/10/secure/lib/libcrypto/man/BIO_s_fd.3
stable/10/secure/lib/libcrypto/man/BIO_s_file.3
stable/10/secure/lib/libcrypto/man/BIO_s_mem.3
stable/10/secure/lib/libcrypto/man/BIO_s_null.3
stable/10/secure/lib/libcrypto/man/BIO_s_socket.3
stable/10/secure/lib/libcrypto/man/BIO_set_callback.3
stable/10/secure/lib/libcrypto/man/BIO_should_retry.3
stable/10/secure/lib/libcrypto/man/BN_BLINDING_new.3
stable/10/secure/lib/libcrypto/man/BN_CTX_new.3
stable/10/secure/lib/libcrypto/man/BN_CTX_start.3
stable/10/secure/lib/libcrypto/man/BN_add.3
stable/10/secure/lib/libcrypto/man/BN_add_word.3
stable/10/secure/lib/libcrypto/man/BN_bn2bin.3
stable/10/secure/lib/libcrypto/man/BN_cmp.3
stable/10/secure/lib/libcrypto/man/BN_copy.3
stable/10/secure/lib/libcrypto/man/BN_generate_prime.3
stable/10/secure/lib/libcrypto/man/BN_mod_inverse.3
stable/10/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3
stable/10/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3
stable/10/secure/lib/libcrypto/man/BN_new.3
stable/10/secure/lib/libcrypto/man/BN_num_bytes.3
stable/10/secure/lib/libcrypto/man/BN_rand.3
stable/10/secure/lib/libcrypto/man/BN_set_bit.3
stable/10/secure/lib/libcrypto/man/BN_swap.3
stable/10/secure/lib/libcrypto/man/BN_zero.3
stable/10/secure/lib/libcrypto/man/CMS_add0_cert.3
stable/10/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3
stable/10/secure/lib/libcrypto/man/CMS_add1_signer.3
stable/10/secure/lib/libcrypto/man/CMS_compress.3
stable/10/secure/lib/libcrypto/man/CMS_decrypt.3
stable/10/secure/lib/libcrypto/man/CMS_encrypt.3
stable/10/secure/lib/libcrypto/man/CMS_final.3
stable/10/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3
stable/10/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3
stable/10/secure/lib/libcrypto/man/CMS_get0_type.3
stable/10/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
stable/10/secure/lib/libcrypto/man/CMS_sign.3
stable/10/secure/lib/libcrypto/man/CMS_sign_receipt.3
stable/10/secure/lib/libcrypto/man/CMS_uncompress.3
stable/10/secure/lib/libcrypto/man/CMS_verify.3
stable/10/secure/lib/libcrypto/man/CMS_verify_receipt.3
stable/10/secure/lib/libcrypto/man/CONF_modules_free.3
stable/10/secure/lib/libcrypto/man/CONF_modules_load_file.3
stable/10/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3
stable/10/secure/lib/libcrypto/man/DH_generate_key.3
stable/10/secure/lib/libcrypto/man/DH_generate_parameters.3
stable/10/secure/lib/libcrypto/man/DH_get_ex_new_index.3
stable/10/secure/lib/libcrypto/man/DH_new.3
stable/10/secure/lib/libcrypto/man/DH_set_method.3
stable/10/secure/lib/libcrypto/man/DH_size.3
stable/10/secure/lib/libcrypto/man/DSA_SIG_new.3
stable/10/secure/lib/libcrypto/man/DSA_do_sign.3
stable/10/secure/lib/libcrypto/man/DSA_dup_DH.3
stable/10/secure/lib/libcrypto/man/DSA_generate_key.3
stable/10/secure/lib/libcrypto/man/DSA_generate_parameters.3
stable/10/secure/lib/libcrypto/man/DSA_get_ex_new_index.3
stable/10/secure/lib/libcrypto/man/DSA_new.3
stable/10/secure/lib/libcrypto/man/DSA_set_method.3
stable/10/secure/lib/libcrypto/man/DSA_sign.3
stable/10/secure/lib/libcrypto/man/DSA_size.3
stable/10/secure/lib/libcrypto/man/ERR_GET_LIB.3
stable/10/secure/lib/libcrypto/man/ERR_clear_error.3
stable/10/secure/lib/libcrypto/man/ERR_error_string.3
stable/10/secure/lib/libcrypto/man/ERR_get_error.3
stable/10/secure/lib/libcrypto/man/ERR_load_crypto_strings.3
stable/10/secure/lib/libcrypto/man/ERR_load_strings.3
stable/10/secure/lib/libcrypto/man/ERR_print_errors.3
stable/10/secure/lib/libcrypto/man/ERR_put_error.3
stable/10/secure/lib/libcrypto/man/ERR_remove_state.3
stable/10/secure/lib/libcrypto/man/ERR_set_mark.3
stable/10/secure/lib/libcrypto/man/EVP_BytesToKey.3
stable/10/secure/lib/libcrypto/man/EVP_DigestInit.3
stable/10/secure/lib/libcrypto/man/EVP_DigestSignInit.3
stable/10/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3
stable/10/secure/lib/libcrypto/man/EVP_EncryptInit.3
stable/10/secure/lib/libcrypto/man/EVP_OpenInit.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_cmp.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_derive.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_keygen.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_new.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_print_private.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_sign.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_verify.3
stable/10/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3
stable/10/secure/lib/libcrypto/man/EVP_SealInit.3
stable/10/secure/lib/libcrypto/man/EVP_SignInit.3
stable/10/secure/lib/libcrypto/man/EVP_VerifyInit.3
stable/10/secure/lib/libcrypto/man/OBJ_nid2obj.3
stable/10/secure/lib/libcrypto/man/OPENSSL_Applink.3
stable/10/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
stable/10/secure/lib/libcrypto/man/OPENSSL_config.3
stable/10/secure/lib/libcrypto/man/OPENSSL_ia32cap.3
stable/10/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
stable/10/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
stable/10/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
stable/10/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
stable/10/secure/lib/libcrypto/man/PKCS12_create.3
stable/10/secure/lib/libcrypto/man/PKCS12_parse.3
stable/10/secure/lib/libcrypto/man/PKCS7_decrypt.3
stable/10/secure/lib/libcrypto/man/PKCS7_encrypt.3
stable/10/secure/lib/libcrypto/man/PKCS7_sign.3
stable/10/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3
stable/10/secure/lib/libcrypto/man/PKCS7_verify.3
stable/10/secure/lib/libcrypto/man/RAND_add.3
stable/10/secure/lib/libcrypto/man/RAND_bytes.3
stable/10/secure/lib/libcrypto/man/RAND_cleanup.3
stable/10/secure/lib/libcrypto/man/RAND_egd.3
stable/10/secure/lib/libcrypto/man/RAND_load_file.3
stable/10/secure/lib/libcrypto/man/RAND_set_rand_method.3
stable/10/secure/lib/libcrypto/man/RSA_blinding_on.3
stable/10/secure/lib/libcrypto/man/RSA_check_key.3
stable/10/secure/lib/libcrypto/man/RSA_generate_key.3
stable/10/secure/lib/libcrypto/man/RSA_get_ex_new_index.3
stable/10/secure/lib/libcrypto/man/RSA_new.3
stable/10/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
stable/10/secure/lib/libcrypto/man/RSA_print.3
stable/10/secure/lib/libcrypto/man/RSA_private_encrypt.3
stable/10/secure/lib/libcrypto/man/RSA_public_encrypt.3
stable/10/secure/lib/libcrypto/man/RSA_set_method.3
stable/10/secure/lib/libcrypto/man/RSA_sign.3
stable/10/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
stable/10/secure/lib/libcrypto/man/RSA_size.3
stable/10/secure/lib/libcrypto/man/SMIME_read_CMS.3
stable/10/secure/lib/libcrypto/man/SMIME_read_PKCS7.3
stable/10/secure/lib/libcrypto/man/SMIME_write_CMS.3
stable/10/secure/lib/libcrypto/man/SMIME_write_PKCS7.3
stable/10/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
stable/10/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
stable/10/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
stable/10/secure/lib/libcrypto/man/X509_NAME_print_ex.3
stable/10/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3
stable/10/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
stable/10/secure/lib/libcrypto/man/X509_STORE_CTX_new.3
stable/10/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
stable/10/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
stable/10/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
stable/10/secure/lib/libcrypto/man/X509_new.3
stable/10/secure/lib/libcrypto/man/X509_verify_cert.3
stable/10/secure/lib/libcrypto/man/bio.3
stable/10/secure/lib/libcrypto/man/blowfish.3
stable/10/secure/lib/libcrypto/man/bn.3
stable/10/secure/lib/libcrypto/man/bn_internal.3
stable/10/secure/lib/libcrypto/man/buffer.3
stable/10/secure/lib/libcrypto/man/crypto.3
stable/10/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3
stable/10/secure/lib/libcrypto/man/d2i_DHparams.3
stable/10/secure/lib/libcrypto/man/d2i_DSAPublicKey.3
stable/10/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3
stable/10/secure/lib/libcrypto/man/d2i_RSAPublicKey.3
stable/10/secure/lib/libcrypto/man/d2i_X509.3
stable/10/secure/lib/libcrypto/man/d2i_X509_ALGOR.3
stable/10/secure/lib/libcrypto/man/d2i_X509_CRL.3
stable/10/secure/lib/libcrypto/man/d2i_X509_NAME.3
stable/10/secure/lib/libcrypto/man/d2i_X509_REQ.3
stable/10/secure/lib/libcrypto/man/d2i_X509_SIG.3
stable/10/secure/lib/libcrypto/man/des.3
stable/10/secure/lib/libcrypto/man/dh.3
stable/10/secure/lib/libcrypto/man/dsa.3
stable/10/secure/lib/libcrypto/man/ecdsa.3
stable/10/secure/lib/libcrypto/man/engine.3
stable/10/secure/lib/libcrypto/man/err.3
stable/10/secure/lib/libcrypto/man/evp.3
stable/10/secure/lib/libcrypto/man/hmac.3
stable/10/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3
stable/10/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
stable/10/secure/lib/libcrypto/man/lh_stats.3
stable/10/secure/lib/libcrypto/man/lhash.3
stable/10/secure/lib/libcrypto/man/md5.3
stable/10/secure/lib/libcrypto/man/mdc2.3
stable/10/secure/lib/libcrypto/man/pem.3
stable/10/secure/lib/libcrypto/man/rand.3
stable/10/secure/lib/libcrypto/man/rc4.3
stable/10/secure/lib/libcrypto/man/ripemd.3
stable/10/secure/lib/libcrypto/man/rsa.3
stable/10/secure/lib/libcrypto/man/sha.3
stable/10/secure/lib/libcrypto/man/threads.3
stable/10/secure/lib/libcrypto/man/ui.3
stable/10/secure/lib/libcrypto/man/ui_compat.3
stable/10/secure/lib/libcrypto/man/x509.3
stable/10/secure/lib/libssl/man/SSL_CIPHER_get_name.3
stable/10/secure/lib/libssl/man/SSL_COMP_add_compression_method.3
stable/10/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
stable/10/secure/lib/libssl/man/SSL_CTX_add_session.3
stable/10/secure/lib/libssl/man/SSL_CTX_ctrl.3
stable/10/secure/lib/libssl/man/SSL_CTX_flush_sessions.3
stable/10/secure/lib/libssl/man/SSL_CTX_free.3
stable/10/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3
stable/10/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3
stable/10/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3
stable/10/secure/lib/libssl/man/SSL_CTX_new.3
stable/10/secure/lib/libssl/man/SSL_CTX_sess_number.3
stable/10/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
stable/10/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
stable/10/secure/lib/libssl/man/SSL_CTX_sessions.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_cert_store.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_info_callback.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_mode.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_options.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_timeout.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
stable/10/secure/lib/libssl/man/SSL_CTX_set_verify.3
stable/10/secure/lib/libssl/man/SSL_CTX_use_certificate.3
stable/10/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3
stable/10/secure/lib/libssl/man/SSL_SESSION_free.3
stable/10/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
stable/10/secure/lib/libssl/man/SSL_SESSION_get_time.3
stable/10/secure/lib/libssl/man/SSL_accept.3
stable/10/secure/lib/libssl/man/SSL_alert_type_string.3
stable/10/secure/lib/libssl/man/SSL_clear.3
stable/10/secure/lib/libssl/man/SSL_connect.3
stable/10/secure/lib/libssl/man/SSL_do_handshake.3
stable/10/secure/lib/libssl/man/SSL_free.3
stable/10/secure/lib/libssl/man/SSL_get_SSL_CTX.3
stable/10/secure/lib/libssl/man/SSL_get_ciphers.3
stable/10/secure/lib/libssl/man/SSL_get_client_CA_list.3
stable/10/secure/lib/libssl/man/SSL_get_current_cipher.3
stable/10/secure/lib/libssl/man/SSL_get_default_timeout.3
stable/10/secure/lib/libssl/man/SSL_get_error.3
stable/10/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
stable/10/secure/lib/libssl/man/SSL_get_ex_new_index.3
stable/10/secure/lib/libssl/man/SSL_get_fd.3
stable/10/secure/lib/libssl/man/SSL_get_peer_cert_chain.3
stable/10/secure/lib/libssl/man/SSL_get_peer_certificate.3
stable/10/secure/lib/libssl/man/SSL_get_psk_identity.3
stable/10/secure/lib/libssl/man/SSL_get_rbio.3
stable/10/secure/lib/libssl/man/SSL_get_session.3
stable/10/secure/lib/libssl/man/SSL_get_verify_result.3
stable/10/secure/lib/libssl/man/SSL_get_version.3
stable/10/secure/lib/libssl/man/SSL_library_init.3
stable/10/secure/lib/libssl/man/SSL_load_client_CA_file.3
stable/10/secure/lib/libssl/man/SSL_new.3
stable/10/secure/lib/libssl/man/SSL_pending.3
stable/10/secure/lib/libssl/man/SSL_read.3
stable/10/secure/lib/libssl/man/SSL_rstate_string.3
stable/10/secure/lib/libssl/man/SSL_session_reused.3
stable/10/secure/lib/libssl/man/SSL_set_bio.3
stable/10/secure/lib/libssl/man/SSL_set_connect_state.3
stable/10/secure/lib/libssl/man/SSL_set_fd.3
stable/10/secure/lib/libssl/man/SSL_set_session.3
stable/10/secure/lib/libssl/man/SSL_set_shutdown.3
stable/10/secure/lib/libssl/man/SSL_set_verify_result.3
stable/10/secure/lib/libssl/man/SSL_shutdown.3
stable/10/secure/lib/libssl/man/SSL_state_string.3
stable/10/secure/lib/libssl/man/SSL_want.3
stable/10/secure/lib/libssl/man/SSL_write.3
stable/10/secure/lib/libssl/man/d2i_SSL_SESSION.3
stable/10/secure/lib/libssl/man/ssl.3
stable/10/secure/usr.bin/openssl/man/CA.pl.1
stable/10/secure/usr.bin/openssl/man/asn1parse.1
stable/10/secure/usr.bin/openssl/man/c_rehash.1
stable/10/secure/usr.bin/openssl/man/ca.1
stable/10/secure/usr.bin/openssl/man/ciphers.1
stable/10/secure/usr.bin/openssl/man/cms.1
stable/10/secure/usr.bin/openssl/man/crl.1
stable/10/secure/usr.bin/openssl/man/crl2pkcs7.1
stable/10/secure/usr.bin/openssl/man/dgst.1
stable/10/secure/usr.bin/openssl/man/dhparam.1
stable/10/secure/usr.bin/openssl/man/dsa.1
stable/10/secure/usr.bin/openssl/man/dsaparam.1
stable/10/secure/usr.bin/openssl/man/ec.1
stable/10/secure/usr.bin/openssl/man/ecparam.1
stable/10/secure/usr.bin/openssl/man/enc.1
stable/10/secure/usr.bin/openssl/man/errstr.1
stable/10/secure/usr.bin/openssl/man/gendsa.1
stable/10/secure/usr.bin/openssl/man/genpkey.1
stable/10/secure/usr.bin/openssl/man/genrsa.1
stable/10/secure/usr.bin/openssl/man/nseq.1
stable/10/secure/usr.bin/openssl/man/ocsp.1
stable/10/secure/usr.bin/openssl/man/openssl.1
stable/10/secure/usr.bin/openssl/man/passwd.1
stable/10/secure/usr.bin/openssl/man/pkcs12.1
stable/10/secure/usr.bin/openssl/man/pkcs7.1
stable/10/secure/usr.bin/openssl/man/pkcs8.1
stable/10/secure/usr.bin/openssl/man/pkey.1
stable/10/secure/usr.bin/openssl/man/pkeyparam.1
stable/10/secure/usr.bin/openssl/man/pkeyutl.1
stable/10/secure/usr.bin/openssl/man/rand.1
stable/10/secure/usr.bin/openssl/man/req.1
stable/10/secure/usr.bin/openssl/man/rsa.1
stable/10/secure/usr.bin/openssl/man/rsautl.1
stable/10/secure/usr.bin/openssl/man/s_client.1
stable/10/secure/usr.bin/openssl/man/s_server.1
stable/10/secure/usr.bin/openssl/man/s_time.1
stable/10/secure/usr.bin/openssl/man/sess_id.1
stable/10/secure/usr.bin/openssl/man/smime.1
stable/10/secure/usr.bin/openssl/man/speed.1
stable/10/secure/usr.bin/openssl/man/spkac.1
stable/10/secure/usr.bin/openssl/man/ts.1
stable/10/secure/usr.bin/openssl/man/tsget.1
stable/10/secure/usr.bin/openssl/man/verify.1
stable/10/secure/usr.bin/openssl/man/version.1
stable/10/secure/usr.bin/openssl/man/x509.1
stable/10/secure/usr.bin/openssl/man/x509v3_config.1
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/crypto/openssl/CHANGES
==============================================================================
--- stable/10/crypto/openssl/CHANGES Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/CHANGES Fri Jan 9 00:58:20 2015 (r276864)
@@ -2,6 +2,136 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
+
+ *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
+ message can cause a segmentation fault in OpenSSL due to a NULL pointer
+ dereference. This could lead to a Denial Of Service attack. Thanks to
+ Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
+ (CVE-2014-3571)
+ [Steve Henson]
+
+ *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
+ dtls1_buffer_record function under certain conditions. In particular this
+ could occur if an attacker sent repeated DTLS records with the same
+ sequence number but for the next epoch. The memory leak could be exploited
+ by an attacker in a Denial of Service attack through memory exhaustion.
+ Thanks to Chris Mueller for reporting this issue.
+ (CVE-2015-0206)
+ [Matt Caswell]
+
+ *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
+ built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+ method would be set to NULL which could later result in a NULL pointer
+ dereference. Thanks to Frank Schmirler for reporting this issue.
+ (CVE-2014-3569)
+ [Kurt Roeckx]
+
+ *) Abort handshake if server key exchange message is omitted for ephemeral
+ ECDH ciphersuites.
+
+ Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+ reporting this issue.
+ (CVE-2014-3572)
+ [Steve Henson]
+
+ *) Remove non-export ephemeral RSA code on client and server. This code
+ violated the TLS standard by allowing the use of temporary RSA keys in
+ non-export ciphersuites and could be used by a server to effectively
+ downgrade the RSA key length used to a value smaller than the server
+ certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+ INRIA or reporting this issue.
+ (CVE-2015-0204)
+ [Steve Henson]
+
+ *) Fixed issue where DH client certificates are accepted without verification.
+ An OpenSSL server will accept a DH certificate for client authentication
+ without the certificate verify message. This effectively allows a client to
+ authenticate without the use of a private key. This only affects servers
+ which trust a client certificate authority which issues certificates
+ containing DH keys: these are extremely rare and hardly ever encountered.
+ Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
+ this issue.
+ (CVE-2015-0205)
+ [Steve Henson]
+
+ *) Ensure that the session ID context of an SSL is updated when its
+ SSL_CTX is updated via SSL_set_SSL_CTX.
+
+ The session ID context is typically set from the parent SSL_CTX,
+ and can vary with the CTX.
+ [Adam Langley]
+
+ *) Fix various certificate fingerprint issues.
+
+ By using non-DER or invalid encodings outside the signed portion of a
+ certificate the fingerprint can be changed without breaking the signature.
+ Although no details of the signed portion of the certificate can be changed
+ this can cause problems with some applications: e.g. those using the
+ certificate fingerprint for blacklists.
+
+ 1. Reject signatures with non zero unused bits.
+
+ If the BIT STRING containing the signature has non zero unused bits reject
+ the signature. All current signature algorithms require zero unused bits.
+
+ 2. Check certificate algorithm consistency.
+
+ Check the AlgorithmIdentifier inside TBS matches the one in the
+ certificate signature. NB: this will result in signature failure
+ errors for some broken certificates.
+
+ Thanks to Konrad Kraszewski from Google for reporting this issue.
+
+ 3. Check DSA/ECDSA signatures use DER.
+
+ Reencode DSA/ECDSA signatures and compare with the original received
+ signature. Return an error if there is a mismatch.
+
+ This will reject various cases including garbage after signature
+ (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
+ program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
+ (negative or with leading zeroes).
+
+ Further analysis was conducted and fixes were developed by Stephen Henson
+ of the OpenSSL core team.
+
+ (CVE-2014-8275)
+ [Steve Henson]
+
+ *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+ results on some platforms, including x86_64. This bug occurs at random
+ with a very low probability, and is not known to be exploitable in any
+ way, though its exact impact is difficult to determine. Thanks to Pieter
+ Wuille (Blockstream) who reported this issue and also suggested an initial
+ fix. Further analysis was conducted by the OpenSSL development team and
+ Adam Langley of Google. The final fix was developed by Andy Polyakov of
+ the OpenSSL core team.
+ (CVE-2014-3570)
+ [Andy Polyakov]
+
+ *) Do not resume sessions on the server if the negotiated protocol
+ version does not match the session's version. Resuming with a different
+ version, while not strictly forbidden by the RFC, is of questionable
+ sanity and breaks all known clients.
+ [David Benjamin, Emilia Käsper]
+
+ *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
+ early CCS messages during renegotiation. (Note that because
+ renegotiation is encrypted, this early CCS was not exploitable.)
+ [Emilia Käsper]
+
+ *) Tighten client-side session ticket handling during renegotiation:
+ ensure that the client only accepts a session ticket if the server sends
+ the extension anew in the ServerHello. Previously, a TLS client would
+ reuse the old extension state and thus accept a session ticket if one was
+ announced in the initial ServerHello.
+
+ Similarly, ensure that the client requires a session ticket if one
+ was advertised in the ServerHello. Previously, a TLS client would
+ ignore a missing NewSessionTicket message.
+ [Emilia Käsper]
+
Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
*) SRTP Memory Leak.
Modified: stable/10/crypto/openssl/Configure
==============================================================================
--- stable/10/crypto/openssl/Configure Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/Configure Fri Jan 9 00:58:20 2015 (r276864)
@@ -804,6 +804,11 @@ PROCESS_ARGS:
{
$disabled{"tls1"} = "option(tls)"
}
+ elsif ($1 eq "ssl3-method")
+ {
+ $disabled{"ssl3-method"} = "option(ssl)";
+ $disabled{"ssl3"} = "option(ssl)";
+ }
else
{
$disabled{$1} = "option";
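Review bot: The new `ssl3-method` branch records `option(ssl)` as the reason for both keys, although the neighbouring branch tags `tls1` with the option that was actually given (`option(tls)`). A build configured with only `no-ssl3-method` would therefore presumably report SSLv3 as disabled because of `no-ssl`. Consider `$disabled{"ssl3-method"} = "option(ssl3-method)";` and `$disabled{"ssl3"} = "option(ssl3-method)";`, provided nothing elsewhere in Configure matches the exact string. A short comment such as `# no-ssl3-method also turns off SSLv3 itself, not only the method functions` would record why one option sets two keys, if that is the intent. The PROCESS_ARGS block starts and ends outside this hunk.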
Modified: stable/10/crypto/openssl/Makefile
==============================================================================
--- stable/10/crypto/openssl/Makefile Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/Makefile Fri Jan 9 00:58:20 2015 (r276864)
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.1j
+VERSION=1.0.1k
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
Modified: stable/10/crypto/openssl/NEWS
==============================================================================
--- stable/10/crypto/openssl/NEWS Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/NEWS Fri Jan 9 00:58:20 2015 (r276864)
@@ -5,6 +5,17 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
+
+ o Fix for CVE-2014-3571
+ o Fix for CVE-2015-0206
+ o Fix for CVE-2014-3569
+ o Fix for CVE-2014-3572
+ o Fix for CVE-2015-0204
+ o Fix for CVE-2015-0205
+ o Fix for CVE-2014-8275
+ o Fix for CVE-2014-3570
+
Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
o Fix for CVE-2014-3513
Modified: stable/10/crypto/openssl/README
==============================================================================
--- stable/10/crypto/openssl/README Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/README Fri Jan 9 00:58:20 2015 (r276864)
@@ -1,5 +1,5 @@
- OpenSSL 1.0.1j 15 Oct 2014
+ OpenSSL 1.0.1k 8 Jan 2015
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Modified: stable/10/crypto/openssl/apps/ca.c
==============================================================================
--- stable/10/crypto/openssl/apps/ca.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/apps/ca.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -703,7 +703,7 @@ bad:
ERR_clear_error();
#ifdef RL_DEBUG
if (!p)
- BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
+ BIO_printf(bio_err, "DEBUG: unique_subject undefined\n");
#endif
#ifdef RL_DEBUG
BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
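Review bot: The corrected call still sends a constant string through the printf-style formatter; `BIO_puts(bio_err, "DEBUG: unique_subject undefined\n");` prints the same text and leaves no format/argument pair to drift apart again. The stray argument sat in code guarded by `RL_DEBUG`, so it was presumably never compiled in normal builds. Compiling once with that macro defined and format warnings enabled would show whether similar leftovers remain. The two adjacent `#ifdef RL_DEBUG` blocks could also be merged into one. The enclosing function starts and ends outside this hunk.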
Modified: stable/10/crypto/openssl/apps/dgst.c
==============================================================================
--- stable/10/crypto/openssl/apps/dgst.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/apps/dgst.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -273,6 +273,8 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err,"-d to output debug info\n");
BIO_printf(bio_err,"-hex output as hex dump\n");
BIO_printf(bio_err,"-binary output in binary form\n");
+ BIO_printf(bio_err,"-hmac arg set the HMAC key to arg\n");
+ BIO_printf(bio_err,"-non-fips-allow allow use of non FIPS digest\n");
BIO_printf(bio_err,"-sign file sign digest using private key in file\n");
BIO_printf(bio_err,"-verify file verify a signature using public key in file\n");
BIO_printf(bio_err,"-prverify file verify a signature using private key in file\n");
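Review bot: The added `-hmac arg` usage line documents passing the HMAC key directly on the command line but gives no hint that a key supplied this way can be read by other local users from the process list and is kept in shell history. A short caveat in the help text would cover it, e.g. `BIO_printf(bio_err,"-hmac arg set the HMAC key to arg (visible in process listings)\n");`. Whether doc/apps/dgst.pod already carries that warning cannot be seen from this hunk. MAIN starts and ends outside the hunk.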
Modified: stable/10/crypto/openssl/apps/ocsp.c
==============================================================================
--- stable/10/crypto/openssl/apps/ocsp.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/apps/ocsp.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -583,51 +583,52 @@ int MAIN(int argc, char **argv)
BIO_printf (bio_err, "OCSP utility\n");
BIO_printf (bio_err, "Usage ocsp [options]\n");
BIO_printf (bio_err, "where options are\n");
- BIO_printf (bio_err, "-out file output filename\n");
- BIO_printf (bio_err, "-issuer file issuer certificate\n");
- BIO_printf (bio_err, "-cert file certificate to check\n");
- BIO_printf (bio_err, "-serial n serial number to check\n");
- BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n");
- BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n");
- BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n");
- BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n");
- BIO_printf (bio_err, "-req_text print text form of request\n");
- BIO_printf (bio_err, "-resp_text print text form of response\n");
- BIO_printf (bio_err, "-text print text form of request and response\n");
- BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n");
- BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n");
- BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n");
- BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n");
- BIO_printf (bio_err, "-nonce add OCSP nonce to request\n");
- BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n");
- BIO_printf (bio_err, "-url URL OCSP responder URL\n");
- BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n");
- BIO_printf (bio_err, "-path path to use in OCSP request\n");
- BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
- BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
- BIO_printf (bio_err, "-VAfile file validator certificates file\n");
- BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
- BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
- BIO_printf (bio_err, "-noverify don't verify response at all\n");
- BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
- BIO_printf (bio_err, "-trust_other don't verify additional certificates\n");
- BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n");
+ BIO_printf (bio_err, "-out file output filename\n");
+ BIO_printf (bio_err, "-issuer file issuer certificate\n");
+ BIO_printf (bio_err, "-cert file certificate to check\n");
+ BIO_printf (bio_err, "-serial n serial number to check\n");
+ BIO_printf (bio_err, "-signer file certificate to sign OCSP request with\n");
+ BIO_printf (bio_err, "-signkey file private key to sign OCSP request with\n");
+ BIO_printf (bio_err, "-sign_other file additional certificates to include in signed request\n");
+ BIO_printf (bio_err, "-no_certs don't include any certificates in signed request\n");
+ BIO_printf (bio_err, "-req_text print text form of request\n");
+ BIO_printf (bio_err, "-resp_text print text form of response\n");
+ BIO_printf (bio_err, "-text print text form of request and response\n");
+ BIO_printf (bio_err, "-reqout file write DER encoded OCSP request to \"file\"\n");
+ BIO_printf (bio_err, "-respout file write DER encoded OCSP reponse to \"file\"\n");
+ BIO_printf (bio_err, "-reqin file read DER encoded OCSP request from \"file\"\n");
+ BIO_printf (bio_err, "-respin file read DER encoded OCSP reponse from \"file\"\n");
+ BIO_printf (bio_err, "-nonce add OCSP nonce to request\n");
+ BIO_printf (bio_err, "-no_nonce don't add OCSP nonce to request\n");
+ BIO_printf (bio_err, "-url URL OCSP responder URL\n");
+ BIO_printf (bio_err, "-host host:n send OCSP request to host on port n\n");
+ BIO_printf (bio_err, "-path path to use in OCSP request\n");
+ BIO_printf (bio_err, "-CApath dir trusted certificates directory\n");
+ BIO_printf (bio_err, "-CAfile file trusted certificates file\n");
+ BIO_printf (bio_err, "-VAfile file validator certificates file\n");
+ BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
+ BIO_printf (bio_err, "-status_age n maximum status age in seconds\n");
+ BIO_printf (bio_err, "-noverify don't verify response at all\n");
+ BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
+ BIO_printf (bio_err, "-trust_other don't verify additional certificates\n");
+ BIO_printf (bio_err, "-no_intern don't search certificates contained in response for signer\n");
BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
- BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n");
- BIO_printf (bio_err, "-no_chain don't chain verify response\n");
- BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n");
- BIO_printf (bio_err, "-port num port to run responder on\n");
- BIO_printf (bio_err, "-index file certificate status index file\n");
- BIO_printf (bio_err, "-CA file CA certificate\n");
- BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n");
- BIO_printf (bio_err, "-rkey file responder key to sign responses with\n");
- BIO_printf (bio_err, "-rother file other certificates to include in response\n");
- BIO_printf (bio_err, "-resp_no_certs don't include any certificates in response\n");
- BIO_printf (bio_err, "-nmin n number of minutes before next update\n");
- BIO_printf (bio_err, "-ndays n number of days before next update\n");
- BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
- BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
- BIO_printf (bio_err, "-<dgst alg> use specified digest in the request\n");
+ BIO_printf (bio_err, "-no_cert_verify don't check signing certificate\n");
+ BIO_printf (bio_err, "-no_chain don't chain verify response\n");
+ BIO_printf (bio_err, "-no_cert_checks don't do additional checks on signing certificate\n");
+ BIO_printf (bio_err, "-port num port to run responder on\n");
+ BIO_printf (bio_err, "-index file certificate status index file\n");
+ BIO_printf (bio_err, "-CA file CA certificate\n");
+ BIO_printf (bio_err, "-rsigner file responder certificate to sign responses with\n");
+ BIO_printf (bio_err, "-rkey file responder key to sign responses with\n");
+ BIO_printf (bio_err, "-rother file other certificates to include in response\n");
+ BIO_printf (bio_err, "-resp_no_certs don't include any certificates in response\n");
+ BIO_printf (bio_err, "-nmin n number of minutes before next update\n");
+ BIO_printf (bio_err, "-ndays n number of days before next update\n");
+ BIO_printf (bio_err, "-resp_key_id identify reponse by signing certificate key ID\n");
+ BIO_printf (bio_err, "-nrequest n number of requests to accept (default unlimited)\n");
+ BIO_printf (bio_err, "-<dgst alg> use specified digest in the request\n");
+ BIO_printf (bio_err, "-timeout n timeout connection to OCSP responder after n seconds\n");
goto end;
}
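Review bot: The re-indented usage strings still spell `reponse` in the `-respout`, `-respin` and `-resp_key_id` lines. Since every one of these lines is rewritten here anyway, this is the place to correct them, e.g. `"-respout file       write DER encoded OCSP response to \"file\"\n"`. MAIN's body starts outside this hunk.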
@@ -1398,16 +1399,7 @@ OCSP_RESPONSE *process_responder(BIO *er
if (use_ssl == 1)
{
BIO *sbio;
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
ctx = SSL_CTX_new(SSLv23_client_method());
-#elif !defined(OPENSSL_NO_SSL3)
- ctx = SSL_CTX_new(SSLv3_client_method());
-#elif !defined(OPENSSL_NO_SSL2)
- ctx = SSL_CTX_new(SSLv2_client_method());
-#else
- BIO_printf(err, "SSL is disabled\n");
- goto end;
-#endif
if (ctx == NULL)
{
BIO_printf(err, "Error creating SSL context.\n");
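Review bot: With the preprocessor fallbacks removed, the context comes from `SSLv23_client_method()` alone, and nothing visible in this hunk restricts which protocol versions it will negotiate. Unless that happens further down in process_responder (its body continues outside the hunk), I would add `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` after the `ctx == NULL` check so the OCSP client cannot be negotiated down to the legacy protocols. The s_time.c hunk makes the same switch for `s_time_meth` and deserves the same look.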
Modified: stable/10/crypto/openssl/apps/openssl.c
==============================================================================
--- stable/10/crypto/openssl/apps/openssl.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/apps/openssl.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -435,9 +435,7 @@ end:
if (prog != NULL) lh_FUNCTION_free(prog);
if (arg.data != NULL) OPENSSL_free(arg.data);
- apps_shutdown();
- CRYPTO_mem_leaks(bio_err);
if (bio_err != NULL)
{
BIO_free(bio_err);
@@ -450,6 +448,9 @@ end:
OPENSSL_free(Argv);
}
#endif
+ apps_shutdown();
+ CRYPTO_mem_leaks(bio_err);
+
OPENSSL_EXIT(ret);
}
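Review bot: `CRYPTO_mem_leaks(bio_err)` now runs after the `BIO_free(bio_err)` shown in the previous hunk, so the leak report is handed a BIO that has already been released. If the lines between the two hunks reset `bio_err` to NULL the report is most likely dropped without output, and if they do not, the call touches freed memory. One option is to keep `bio_err` alive until the report has been written, i.e. place the `if (bio_err != NULL)` free block after `CRYPTO_mem_leaks(bio_err);`, or to give the report a BIO created only for that purpose.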
Modified: stable/10/crypto/openssl/apps/s_client.c
==============================================================================
--- stable/10/crypto/openssl/apps/s_client.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/apps/s_client.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -329,10 +329,12 @@ static void sc_usage(void)
BIO_printf(bio_err," -srppass arg - password for 'user'\n");
BIO_printf(bio_err," -srp_lateuser - SRP username into second ClientHello message\n");
BIO_printf(bio_err," -srp_moregroups - Tolerate other than the known g N values.\n");
- BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
+ BIO_printf(bio_err," -srp_strength int - minimal length in bits for N (default %d).\n",SRP_MINIMAL_N);
#endif
BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
+#ifndef OPENSSL_NO_SSL3_METHOD
BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
+#endif
BIO_printf(bio_err," -tls1_2 - just use TLSv1.2\n");
BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
BIO_printf(bio_err," -tls1 - just use TLSv1\n");
@@ -807,7 +809,7 @@ int MAIN(int argc, char **argv)
else if (strcmp(*argv,"-ssl2") == 0)
meth=SSLv2_client_method();
#endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
else if (strcmp(*argv,"-ssl3") == 0)
meth=SSLv3_client_method();
#endif
@@ -1319,10 +1321,22 @@ re_start:
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
}
- if (socket_mtu > 28)
+ if (socket_mtu)
{
+ if(socket_mtu < DTLS_get_link_min_mtu(con))
+ {
+ BIO_printf(bio_err,"MTU too small. Must be at least %ld\n",
+ DTLS_get_link_min_mtu(con));
+ BIO_free(sbio);
+ goto shut;
+ }
SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
- SSL_set_mtu(con, socket_mtu - 28);
+ if(!DTLS_set_link_mtu(con, socket_mtu))
+ {
+ BIO_printf(bio_err, "Failed to set MTU\n");
+ BIO_free(sbio);
+ goto shut;
+ }
}
else
/* want to do MTU discovery */
Modified: stable/10/crypto/openssl/apps/s_server.c
==============================================================================
--- stable/10/crypto/openssl/apps/s_server.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/apps/s_server.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -515,7 +515,9 @@ static void sv_usage(void)
BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n");
#endif
BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n");
+#ifndef OPENSSL_NO_SSL3_METHOD
BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n");
+#endif
BIO_printf(bio_err," -tls1_2 - Just talk TLSv1.2\n");
BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n");
BIO_printf(bio_err," -tls1 - Just talk TLSv1\n");
@@ -1251,7 +1253,7 @@ int MAIN(int argc, char *argv[])
else if (strcmp(*argv,"-ssl2") == 0)
{ meth=SSLv2_server_method(); }
#endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
else if (strcmp(*argv,"-ssl3") == 0)
{ meth=SSLv3_server_method(); }
#endif
@@ -2049,10 +2051,24 @@ static int sv_body(char *hostname, int s
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
}
- if (socket_mtu > 28)
+ if (socket_mtu)
{
+ if(socket_mtu < DTLS_get_link_min_mtu(con))
+ {
+ BIO_printf(bio_err,"MTU too small. Must be at least %ld\n",
+ DTLS_get_link_min_mtu(con));
+ ret = -1;
+ BIO_free(sbio);
+ goto err;
+ }
SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
- SSL_set_mtu(con, socket_mtu - 28);
+ if(!DTLS_set_link_mtu(con, socket_mtu))
+ {
+ BIO_printf(bio_err, "Failed to set MTU\n");
+ ret = -1;
+ BIO_free(sbio);
+ goto err;
+ }
}
else
/* want to do MTU discovery */
Modified: stable/10/crypto/openssl/apps/s_time.c
==============================================================================
--- stable/10/crypto/openssl/apps/s_time.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/apps/s_time.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -349,13 +349,7 @@ int MAIN(int argc, char **argv)
if (bio_err == NULL)
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
s_time_meth=SSLv23_client_method();
-#elif !defined(OPENSSL_NO_SSL3)
- s_time_meth=SSLv3_client_method();
-#elif !defined(OPENSSL_NO_SSL2)
- s_time_meth=SSLv2_client_method();
-#endif
/* parse the command line arguments */
if( parseArgs( argc, argv ) < 0 )
Modified: stable/10/crypto/openssl/apps/speed.c
==============================================================================
--- stable/10/crypto/openssl/apps/speed.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/apps/speed.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -225,7 +225,7 @@
#undef BUFSIZE
#define BUFSIZE ((long)1024*8+1)
-int run=0;
+static volatile int run=0;
static int mr=0;
static int usertime=1;
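Review bot: `static volatile int run=0;` is presumably qualified because the flag is cleared asynchronously, e.g. from a timer signal handler that is not visible in this hunk. If that is the case, the type the C standard guarantees for a handler-written flag is `volatile sig_atomic_t`; `volatile int` only happens to work on common platforms. I would declare it `static volatile sig_atomic_t run=0;`, or at least add a comment naming the asynchronous writer the qualifier is for.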
@@ -2739,27 +2739,6 @@ static int do_multi(int multi)
else
rsa_results[k][1]=d;
}
- else if(!strncmp(buf,"+F2:",4))
- {
- int k;
- double d;
-
- p=buf+4;
- k=atoi(sstrsep(&p,sep));
- sstrsep(&p,sep);
-
- d=atof(sstrsep(&p,sep));
- if(n)
- rsa_results[k][0]=1/(1/rsa_results[k][0]+1/d);
- else
- rsa_results[k][0]=d;
-
- d=atof(sstrsep(&p,sep));
- if(n)
- rsa_results[k][1]=1/(1/rsa_results[k][1]+1/d);
- else
- rsa_results[k][1]=d;
- }
#ifndef OPENSSL_NO_DSA
else if(!strncmp(buf,"+F3:",4))
{
Modified: stable/10/crypto/openssl/crypto/Makefile
==============================================================================
--- stable/10/crypto/openssl/crypto/Makefile Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/crypto/Makefile Fri Jan 9 00:58:20 2015 (r276864)
@@ -56,12 +56,7 @@ top:
all: shared
buildinf.h: ../Makefile
- ( echo "#ifndef MK1MF_BUILD"; \
- echo ' /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
- echo ' #define CFLAGS "$(CC) $(CFLAG)"'; \
- echo ' #define PLATFORM "$(PLATFORM)"'; \
- echo " #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
- echo '#endif' ) >buildinf.h
+ $(PERL) $(TOP)/util/mkbuildinf.pl "$(CFLAGS)" "$(PLATFORM)" >buildinf.h
x86cpuid.s: x86cpuid.pl perlasm/x86asm.pl
$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@
Modified: stable/10/crypto/openssl/crypto/aes/asm/aes-mips.pl
==============================================================================
--- stable/10/crypto/openssl/crypto/aes/asm/aes-mips.pl Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/crypto/aes/asm/aes-mips.pl Fri Jan 9 00:58:20 2015 (r276864)
@@ -70,7 +70,7 @@ $pf = ($flavour =~ /nubi/i) ? $t0 : $t2;
#
######################################################################
-$big_endian=(`echo MIPSEL | $ENV{CC} -E -P -`=~/MIPSEL/)?1:0;
+$big_endian=(`echo MIPSEL | $ENV{CC} -E -`=~/MIPSEL/)?1:0 if ($ENV{CC});
for (@ARGV) { $output=$_ if (/^\w[\w\-]*\.\w+$/); }
open STDOUT,">$output";
Modified: stable/10/crypto/openssl/crypto/asn1/a_bitstr.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/a_bitstr.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/crypto/asn1/a_bitstr.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN
p= *pp;
i= *(p++);
+ if (i > 7)
+ {
+ i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
+ goto err;
+ }
/* We do this to preserve the settings. If we modify
* the settings, via the _set_bit function, we will recalculate
* on output */
ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
- ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
+ ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
if (len-- > 1) /* using one because of the bits left byte */
{
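Review bot: The new `if (i > 7)` rejection carries no comment saying why the previous `i&0x07` masking was replaced. Something like `/* unused-bits octet must be 0..7; values above 7 used to be folded onto 0..7 by the mask, now they are rejected */` above the check would record the intent for the next reader. The existing comment about preserving the settings could also mention that `i` is already range-checked when it is OR-ed into `ret->flags`. c2i_ASN1_BIT_STRING starts and ends outside this hunk.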
Modified: stable/10/crypto/openssl/crypto/asn1/a_type.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/a_type.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/crypto/asn1/a_type.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -113,7 +113,7 @@ IMPLEMENT_STACK_OF(ASN1_TYPE)
IMPLEMENT_ASN1_SET_OF(ASN1_TYPE)
/* Returns 0 if they are equal, != 0 otherwise. */
-int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b)
+int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
{
int result = -1;
Modified: stable/10/crypto/openssl/crypto/asn1/a_verify.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/a_verify.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/crypto/asn1/a_verify.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -90,6 +90,12 @@ int ASN1_verify(i2d_of_void *i2d, X509_A
ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
goto err;
}
+
+ if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
+ {
+ ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+ goto err;
+ }
inl=i2d(data,NULL);
buf_in=OPENSSL_malloc((unsigned int)inl);
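Review bot: The added condition `signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7` relies on `&` binding tighter than `&&` and uses a bare `0x7` for the bits-left mask. It parses as intended, but `if (signature->type == V_ASN1_BIT_STRING && (signature->flags & 0x7))` reads unambiguously, and a one-line comment that a signature with unused bits is refused before any digest work would help. The same line is added in the ASN1_item_verify hunk that follows.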
@@ -146,6 +152,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
return -1;
}
+ if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
+ {
+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+ return -1;
+ }
+
EVP_MD_CTX_init(&ctx);
/* Convert signature OID into digest and public key OIDs */
Modified: stable/10/crypto/openssl/crypto/asn1/asn1.h
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/asn1.h Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/crypto/asn1/asn1.h Fri Jan 9 00:58:20 2015 (r276864)
@@ -776,7 +776,7 @@ DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE,
int ASN1_TYPE_get(ASN1_TYPE *a);
void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);
-int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b);
+int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);
ASN1_OBJECT * ASN1_OBJECT_new(void );
void ASN1_OBJECT_free(ASN1_OBJECT *a);
@@ -1329,6 +1329,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_ILLEGAL_TIME_VALUE 184
#define ASN1_R_INTEGER_NOT_ASCII_FORMAT 185
#define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG 128
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT 220
#define ASN1_R_INVALID_BMPSTRING_LENGTH 129
#define ASN1_R_INVALID_DIGIT 130
#define ASN1_R_INVALID_MIME_TYPE 205
@@ -1378,6 +1379,7 @@ void ERR_load_ASN1_strings(void);
#define ASN1_R_TIME_NOT_ASCII_FORMAT 193
#define ASN1_R_TOO_LONG 155
#define ASN1_R_TYPE_NOT_CONSTRUCTED 156
+#define ASN1_R_TYPE_NOT_PRIMITIVE 218
#define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157
#define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158
#define ASN1_R_UNEXPECTED_EOC 159
Modified: stable/10/crypto/openssl/crypto/asn1/asn1_err.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/asn1_err.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/crypto/asn1/asn1_err.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -1,6 +1,6 @@
/* crypto/asn1/asn1_err.c */
/* ====================================================================
- * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -246,6 +246,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE) ,"illegal time value"},
{ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
{ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
{ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
{ERR_REASON(ASN1_R_INVALID_DIGIT) ,"invalid digit"},
{ERR_REASON(ASN1_R_INVALID_MIME_TYPE) ,"invalid mime type"},
@@ -295,6 +296,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
{ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT),"time not ascii format"},
{ERR_REASON(ASN1_R_TOO_LONG) ,"too long"},
{ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"},
+{ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE) ,"type not primitive"},
{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
{ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
{ERR_REASON(ASN1_R_UNEXPECTED_EOC) ,"unexpected eoc"},
Modified: stable/10/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/tasn_dec.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/crypto/asn1/tasn_dec.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -870,6 +870,14 @@ static int asn1_d2i_ex_primitive(ASN1_VA
}
else if (cst)
{
+ if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
+ || utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
+ || utype == V_ASN1_ENUMERATED)
+ {
+ ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+ ASN1_R_TYPE_NOT_PRIMITIVE);
+ return 0;
+ }
buf.length = 0;
buf.max = 0;
buf.data = NULL;
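Review bot: The type list added at the top of the `else if (cst)` branch has no comment, so a reader has to work out why exactly these five universal types are singled out. A line such as `/* These types only have primitive encodings; refuse a constructed form. */` above the `if` would state it. asn1_d2i_ex_primitive starts and continues outside this hunk.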
Modified: stable/10/crypto/openssl/crypto/asn1/x_algor.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/x_algor.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/crypto/asn1/x_algor.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -142,3 +142,14 @@ void X509_ALGOR_set_md(X509_ALGOR *alg,
X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL);
}
+
+int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b)
+ {
+ int rv;
+ rv = OBJ_cmp(a->algorithm, b->algorithm);
+ if (rv)
+ return rv;
+ if (!a->parameter && !b->parameter)
+ return 0;
+ return ASN1_TYPE_cmp(a->parameter, b->parameter);
+ }
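Review bot: X509_ALGOR_cmp is a new exported function with no comment on its return contract, and when exactly one `parameter` is NULL it passes that NULL straight to `ASN1_TYPE_cmp`. Whether ASN1_TYPE_cmp tolerates a NULL argument is not visible in this diff (the a_type.c hunk shows only its signature and first local), so either confirm that or make it explicit with `if (!a->parameter || !b->parameter) return -1;` after the both-NULL test. A header comment in the style already used for ASN1_TYPE_cmp, `/* Returns 0 if they are equal, != 0 otherwise. */`, would also tell callers not to treat the result as an ordering.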
Modified: stable/10/crypto/openssl/crypto/asn1/x_name.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/x_name.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/crypto/asn1/x_name.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -350,6 +350,8 @@ static int x509_name_canon(X509_NAME *a)
set = entry->set;
}
tmpentry = X509_NAME_ENTRY_new();
+ if (!tmpentry)
+ goto err;
tmpentry->object = OBJ_dup(entry->object);
if (!asn1_string_canon(tmpentry->value, entry->value))
goto err;
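Review bot: The added NULL test covers `X509_NAME_ENTRY_new()`, but the `OBJ_dup(entry->object)` result assigned on the next line is still used unchecked. If OBJ_dup can fail on allocation, `if (!tmpentry->object) goto err;` after the assignment would close the same gap. Whether the `err` path releases `tmpentry` lies outside this hunk and is worth confirming, since x509_name_canon's body continues past what is shown.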
Modified: stable/10/crypto/openssl/crypto/bio/bio.h
==============================================================================
--- stable/10/crypto/openssl/crypto/bio/bio.h Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/crypto/bio/bio.h Fri Jan 9 00:58:20 2015 (r276864)
@@ -175,6 +175,8 @@ extern "C" {
#define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT 45 /* Next DTLS handshake timeout to
* adjust socket timeouts */
+#define BIO_CTRL_DGRAM_GET_MTU_OVERHEAD 49
+
#ifndef OPENSSL_NO_SCTP
/* SCTP stuff */
#define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE 50
@@ -607,6 +609,8 @@ int BIO_ctrl_reset_read_request(BIO *b);
(int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)peer)
#define BIO_dgram_set_peer(b,peer) \
(int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)peer)
+#define BIO_dgram_get_mtu_overhead(b) \
+ (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU_OVERHEAD, 0, NULL)
/* These two aren't currently implemented */
/* int BIO_get_ex_num(BIO *bio); */
Modified: stable/10/crypto/openssl/crypto/bio/bss_dgram.c
==============================================================================
--- stable/10/crypto/openssl/crypto/bio/bss_dgram.c Fri Jan 9 00:42:10 2015 (r276863)
+++ stable/10/crypto/openssl/crypto/bio/bss_dgram.c Fri Jan 9 00:58:20 2015 (r276864)
@@ -454,6 +454,36 @@ static int dgram_write(BIO *b, const cha
return(ret);
}
+static long dgram_get_mtu_overhead(bio_dgram_data *data)
+ {
+ long ret;
+
+ switch (data->peer.sa.sa_family)
+ {
+ case AF_INET:
+ /* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */
+ ret = 28;
+ break;
+#if OPENSSL_USE_IPV6
+ case AF_INET6:
+#ifdef IN6_IS_ADDR_V4MAPPED
+ if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
+ /* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */
+ ret = 28;
+ else
+#endif
+ /* Assume this is UDP - 40 bytes for IP, 8 bytes for UDP */
+ ret = 48;
+ break;
+#endif
+ default:
+ /* We don't know. Go with the historical default */
+ ret = 28;
+ break;
+ }
+ return ret;
+ }
+
static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
{
long ret=1;
@@ -630,23 +660,24 @@ static long dgram_ctrl(BIO *b, int cmd,
#endif
break;
case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
+ ret = -dgram_get_mtu_overhead(data);
switch (data->peer.sa.sa_family)
{
case AF_INET:
- ret = 576 - 20 - 8;
+ ret += 576;
break;
#if OPENSSL_USE_IPV6
case AF_INET6:
#ifdef IN6_IS_ADDR_V4MAPPED
if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
- ret = 576 - 20 - 8;
+ ret += 576;
else
#endif
- ret = 1280 - 40 - 8;
+ ret += 1280;
break;
#endif
default:
- ret = 576 - 20 - 8;
+ ret += 576;
break;
}
break;
@@ -847,6 +878,9 @@ static long dgram_ctrl(BIO *b, int cmd,
ret = 0;
break;
#endif
+ case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
+ ret = dgram_get_mtu_overhead(data);
+ break;
default:
ret=0;
break;
@@ -893,10 +927,18 @@ BIO *BIO_new_dgram_sctp(int fd, int clos
/* Activate SCTP-AUTH for DATA and FORWARD-TSN chunks */
auth.sauth_chunk = OPENSSL_SCTP_DATA_CHUNK_TYPE;
ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
- OPENSSL_assert(ret >= 0);
+ if (ret < 0)
+ {
+ BIO_vfree(bio);
+ return(NULL);
+ }
auth.sauth_chunk = OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE;
ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
- OPENSSL_assert(ret >= 0);
+ if (ret < 0)
+ {
+ BIO_vfree(bio);
+ return(NULL);
+ }
/* Test if activation was successful. When using accept(),
* SCTP-AUTH has to be activated for the listening socket
@@ -905,7 +947,13 @@ BIO *BIO_new_dgram_sctp(int fd, int clos
authchunks = OPENSSL_malloc(sockopt_len);
memset(authchunks, 0, sizeof(sockopt_len));
ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len);
- OPENSSL_assert(ret >= 0);
+
+ if (ret < 0)
+ {
+ OPENSSL_free(authchunks);
+ BIO_vfree(bio);
+ return(NULL);
+ }
for (p = (unsigned char*) authchunks->gauth_chunks;
p < (unsigned char*) authchunks + sockopt_len;
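Review bot: In the lines this hunk keeps, `authchunks = OPENSSL_malloc(sockopt_len);` is dereferenced without a NULL check, and `memset(authchunks, 0, sizeof(sockopt_len));` clears only as many bytes as the length variable occupies, not the buffer. While the error handling here is being reworked I would add `if (authchunks == NULL) { BIO_vfree(bio); return(NULL); }` and change the clear to `memset(authchunks, 0, sockopt_len);`, so the buffer is fully initialised before getsockopt fills it and the chunk scan runs over it. The dgram_sctp_read hunk further down has the same pair with `optlen`. BIO_new_dgram_sctp starts outside this hunk.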
@@ -927,16 +975,28 @@ BIO *BIO_new_dgram_sctp(int fd, int clos
event.se_type = SCTP_AUTHENTICATION_EVENT;
event.se_on = 1;
ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
- OPENSSL_assert(ret >= 0);
+ if (ret < 0)
+ {
+ BIO_vfree(bio);
+ return(NULL);
+ }
#else
sockopt_len = (socklen_t) sizeof(struct sctp_event_subscribe);
ret = getsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, &sockopt_len);
- OPENSSL_assert(ret >= 0);
+ if (ret < 0)
+ {
+ BIO_vfree(bio);
+ return(NULL);
+ }
event.sctp_authentication_event = 1;
ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
- OPENSSL_assert(ret >= 0);
+ if (ret < 0)
+ {
+ BIO_vfree(bio);
+ return(NULL);
+ }
#endif
#endif
@@ -944,7 +1004,11 @@ BIO *BIO_new_dgram_sctp(int fd, int clos
* larger than the max record size of 2^14 + 2048 + 13
*/
ret = setsockopt(fd, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT, &optval, sizeof(optval));
- OPENSSL_assert(ret >= 0);
+ if (ret < 0)
+ {
+ BIO_vfree(bio);
+ return(NULL);
+ }
return(bio);
}
@@ -982,7 +1046,12 @@ static int dgram_sctp_free(BIO *a)
return 0;
data = (bio_dgram_sctp_data *)a->ptr;
- if(data != NULL) OPENSSL_free(data);
+ if(data != NULL)
+ {
+ if(data->saved_message.data != NULL)
+ OPENSSL_free(data->saved_message.data);
+ OPENSSL_free(data);
+ }
return(1);
}
@@ -1034,6 +1103,13 @@ static int dgram_sctp_read(BIO *b, char
msg.msg_flags = 0;
n = recvmsg(b->num, &msg, 0);
+ if (n <= 0)
+ {
+ if (n < 0)
+ ret = n;
+ break;
+ }
+
if (msg.msg_controllen > 0)
{
for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg))
@@ -1073,13 +1149,6 @@ static int dgram_sctp_read(BIO *b, char
}
}
- if (n <= 0)
- {
- if (n < 0)
- ret = n;
- break;
- }
-
if (msg.msg_flags & MSG_NOTIFICATION)
{
snp = (union sctp_notification*) out;
@@ -1099,6 +1168,7 @@ static int dgram_sctp_read(BIO *b, char
dgram_sctp_write(data->saved_message.bio, data->saved_message.data,
data->saved_message.length);
OPENSSL_free(data->saved_message.data);
+ data->saved_message.data = NULL;
data->saved_message.length = 0;
}
@@ -1109,16 +1179,28 @@ static int dgram_sctp_read(BIO *b, char
event.se_type = SCTP_SENDER_DRY_EVENT;
event.se_on = 0;
i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
- OPENSSL_assert(i >= 0);
+ if (i < 0)
+ {
+ ret = i;
+ break;
+ }
#else
eventsize = sizeof(struct sctp_event_subscribe);
i = getsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, &eventsize);
- OPENSSL_assert(i >= 0);
+ if (i < 0)
+ {
+ ret = i;
+ break;
+ }
event.sctp_sender_dry_event = 0;
i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
- OPENSSL_assert(i >= 0);
+ if (i < 0)
+ {
+ ret = i;
+ break;
+ }
#endif
}
@@ -1151,8 +1233,8 @@ static int dgram_sctp_read(BIO *b, char
*/
optlen = (socklen_t) sizeof(int);
ret = getsockopt(b->num, SOL_SOCKET, SO_RCVBUF, &optval, &optlen);
- OPENSSL_assert(ret >= 0);
- OPENSSL_assert(optval >= 18445);
+ if (ret >= 0)
+ OPENSSL_assert(optval >= 18445);
/* Test if SCTP doesn't partially deliver below
* max record size (2^14 + 2048 + 13)
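Review bot: A failed `getsockopt` is now ignored here, yet a successful one that reports `optval` below 18445 still aborts the whole process through `OPENSSL_assert`. For a value that depends on socket configuration at run time, the approach taken elsewhere in this commit (report an error instead of asserting) looks like the better fit, so I would replace `OPENSSL_assert(optval >= 18445);` with the function's normal error return. Note also that `ret`, which other hunks in dgram_sctp_read use as the read result, is overwritten by the getsockopt return value; the surrounding control flow is outside the hunk, so confirm it is restored before returning. The next hunk has the same pattern for SCTP_PARTIAL_DELIVERY_POINT.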
@@ -1160,8 +1242,8 @@ static int dgram_sctp_read(BIO *b, char
optlen = (socklen_t) sizeof(int);
ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT,
&optval, &optlen);
- OPENSSL_assert(ret >= 0);
- OPENSSL_assert(optval >= 18445);
+ if (ret >= 0)
+ OPENSSL_assert(optval >= 18445);
/* Partially delivered notification??? Probably a bug.... */
OPENSSL_assert(!(msg.msg_flags & MSG_NOTIFICATION));
@@ -1195,15 +1277,15 @@ static int dgram_sctp_read(BIO *b, char
authchunks = OPENSSL_malloc(optlen);
memset(authchunks, 0, sizeof(optlen));
ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen);
- OPENSSL_assert(ii >= 0);
- for (p = (unsigned char*) authchunks->gauth_chunks;
- p < (unsigned char*) authchunks + optlen;
- p += sizeof(uint8_t))
- {
- if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
- if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
- }
+ if (ii >= 0)
+ for (p = (unsigned char*) authchunks->gauth_chunks;
+ p < (unsigned char*) authchunks + optlen;
+ p += sizeof(uint8_t))
+ {
+ if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
+ if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
+ }
OPENSSL_free(authchunks);
@@ -1258,9 +1340,11 @@ static int dgram_sctp_write(BIO *b, cons
if (data->save_shutdown && !BIO_dgram_sctp_wait_for_dry(b))
{
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***