svn commit: r291709 - in vendor-crypto/openssl/dist-1.0.1: . apps crypto crypto/aes/asm crypto/asn1 crypto/bio crypto/bn crypto/bn/asm crypto/buffer crypto/cms crypto/comp crypto/conf crypto/dsa cr...
Jung-uk Kim
jkim at FreeBSD.org
Thu Dec 3 17:24:18 UTC 2015
Author: jkim
Date: Thu Dec 3 17:24:16 2015
New Revision: 291709
URL: https://svnweb.freebsd.org/changeset/base/291709
Log:
Import OpenSSL 1.0.1q.
Added:
vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING
vendor-crypto/openssl/dist-1.0.1/appveyor.yml
vendor-crypto/openssl/dist-1.0.1/doc/dir-locals.example.el
vendor-crypto/openssl/dist-1.0.1/doc/openssl-c-indent.el
vendor-crypto/openssl/dist-1.0.1/ssl/clienthellotest.c (contents, props changed)
vendor-crypto/openssl/dist-1.0.1/util/toutf8.sh (contents, props changed)
Deleted:
vendor-crypto/openssl/dist-1.0.1/util/pod2mantest
Modified:
vendor-crypto/openssl/dist-1.0.1/CHANGES
vendor-crypto/openssl/dist-1.0.1/Configure
vendor-crypto/openssl/dist-1.0.1/FAQ
vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade
vendor-crypto/openssl/dist-1.0.1/Makefile
vendor-crypto/openssl/dist-1.0.1/Makefile.org
vendor-crypto/openssl/dist-1.0.1/NEWS
vendor-crypto/openssl/dist-1.0.1/README
vendor-crypto/openssl/dist-1.0.1/apps/Makefile
vendor-crypto/openssl/dist-1.0.1/apps/apps.c
vendor-crypto/openssl/dist-1.0.1/apps/asn1pars.c
vendor-crypto/openssl/dist-1.0.1/apps/ca.c
vendor-crypto/openssl/dist-1.0.1/apps/ecparam.c
vendor-crypto/openssl/dist-1.0.1/apps/engine.c
vendor-crypto/openssl/dist-1.0.1/apps/ocsp.c
vendor-crypto/openssl/dist-1.0.1/apps/pkcs12.c
vendor-crypto/openssl/dist-1.0.1/apps/s_client.c
vendor-crypto/openssl/dist-1.0.1/apps/s_server.c
vendor-crypto/openssl/dist-1.0.1/crypto/aes/asm/aes-586.pl
vendor-crypto/openssl/dist-1.0.1/crypto/aes/asm/aesni-x86.pl
vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_par.c
vendor-crypto/openssl/dist-1.0.1/crypto/asn1/d2i_pr.c
vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_dec.c
vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_bignum.c
vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_pubkey.c
vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_x509.c
vendor-crypto/openssl/dist-1.0.1/crypto/bio/b_dump.c
vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_file.c
vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/armv4-gf2m.pl
vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/ia64.S
vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/s390x-gf2m.pl
vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86-gf2m.pl
vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-gcc.c
vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-gf2m.pl
vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_exp.c
vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_gcd.c
vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_gf2m.c
vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_mont.c
vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_recp.c
vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_x931p.c
vendor-crypto/openssl/dist-1.0.1/crypto/bn/bntest.c
vendor-crypto/openssl/dist-1.0.1/crypto/buffer/buf_str.c
vendor-crypto/openssl/dist-1.0.1/crypto/buffer/buffer.h
vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_enc.c
vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_pwri.c
vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_smime.c
vendor-crypto/openssl/dist-1.0.1/crypto/comp/c_zlib.c
vendor-crypto/openssl/dist-1.0.1/crypto/conf/conf_def.c
vendor-crypto/openssl/dist-1.0.1/crypto/conf/conf_sap.c
vendor-crypto/openssl/dist-1.0.1/crypto/cryptlib.c
vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_ameth.c
vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_gen.c
vendor-crypto/openssl/dist-1.0.1/crypto/ec/ec.h
vendor-crypto/openssl/dist-1.0.1/crypto/ec/ec_asn1.c
vendor-crypto/openssl/dist-1.0.1/crypto/ec/ec_key.c
vendor-crypto/openssl/dist-1.0.1/crypto/engine/eng_cryptodev.c
vendor-crypto/openssl/dist-1.0.1/crypto/engine/eng_list.c
vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_des3.c
vendor-crypto/openssl/dist-1.0.1/crypto/evp/encode.c
vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_key.c
vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_lib.c
vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_pbe.c
vendor-crypto/openssl/dist-1.0.1/crypto/evp/p_lib.c
vendor-crypto/openssl/dist-1.0.1/crypto/evp/pmeth_gn.c
vendor-crypto/openssl/dist-1.0.1/crypto/hmac/hm_ameth.c
vendor-crypto/openssl/dist-1.0.1/crypto/jpake/jpake.c
vendor-crypto/openssl/dist-1.0.1/crypto/mem_clr.c
vendor-crypto/openssl/dist-1.0.1/crypto/modes/asm/ghash-armv4.pl
vendor-crypto/openssl/dist-1.0.1/crypto/modes/asm/ghash-x86.pl
vendor-crypto/openssl/dist-1.0.1/crypto/ocsp/ocsp_lib.c
vendor-crypto/openssl/dist-1.0.1/crypto/ocsp/ocsp_prn.c
vendor-crypto/openssl/dist-1.0.1/crypto/opensslconf.h
vendor-crypto/openssl/dist-1.0.1/crypto/opensslconf.h.in
vendor-crypto/openssl/dist-1.0.1/crypto/opensslv.h
vendor-crypto/openssl/dist-1.0.1/crypto/pem/pem_info.c
vendor-crypto/openssl/dist-1.0.1/crypto/pem/pvkfmt.c
vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/p12_add.c
vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/p12_crpt.c
vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/p12_mutl.c
vendor-crypto/openssl/dist-1.0.1/crypto/pkcs7/pk7_doit.c
vendor-crypto/openssl/dist-1.0.1/crypto/rc4/asm/rc4-x86_64.pl
vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_ameth.c
vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_gen.c
vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_sign.c
vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_test.c
vendor-crypto/openssl/dist-1.0.1/crypto/sha/asm/sha1-586.pl
vendor-crypto/openssl/dist-1.0.1/crypto/sha/asm/sha256-586.pl
vendor-crypto/openssl/dist-1.0.1/crypto/sha/asm/sha512-586.pl
vendor-crypto/openssl/dist-1.0.1/crypto/sha/asm/sha512-parisc.pl
vendor-crypto/openssl/dist-1.0.1/crypto/sparccpuid.S
vendor-crypto/openssl/dist-1.0.1/crypto/srp/srp_vfy.c
vendor-crypto/openssl/dist-1.0.1/crypto/ts/ts_rsp_verify.c
vendor-crypto/openssl/dist-1.0.1/crypto/whrlpool/asm/wp-mmx.pl
vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_cmp.c
vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_lu.c
vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_cpols.c
vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_ncons.c
vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_pci.c
vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_pcia.c
vendor-crypto/openssl/dist-1.0.1/doc/apps/ciphers.pod
vendor-crypto/openssl/dist-1.0.1/doc/apps/dgst.pod
vendor-crypto/openssl/dist-1.0.1/doc/apps/genrsa.pod
vendor-crypto/openssl/dist-1.0.1/doc/apps/req.pod
vendor-crypto/openssl/dist-1.0.1/doc/apps/x509.pod
vendor-crypto/openssl/dist-1.0.1/doc/crypto/BIO_read.pod
vendor-crypto/openssl/dist-1.0.1/doc/crypto/BN_rand.pod
vendor-crypto/openssl/dist-1.0.1/doc/crypto/DSA_generate_parameters.pod
vendor-crypto/openssl/dist-1.0.1/doc/crypto/EVP_DigestVerifyInit.pod
vendor-crypto/openssl/dist-1.0.1/doc/crypto/EVP_SignInit.pod
vendor-crypto/openssl/dist-1.0.1/doc/crypto/buffer.pod
vendor-crypto/openssl/dist-1.0.1/doc/crypto/d2i_X509_NAME.pod
vendor-crypto/openssl/dist-1.0.1/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
vendor-crypto/openssl/dist-1.0.1/e_os.h
vendor-crypto/openssl/dist-1.0.1/engines/e_chil.c
vendor-crypto/openssl/dist-1.0.1/ssl/Makefile
vendor-crypto/openssl/dist-1.0.1/ssl/bio_ssl.c
vendor-crypto/openssl/dist-1.0.1/ssl/d1_both.c
vendor-crypto/openssl/dist-1.0.1/ssl/d1_clnt.c
vendor-crypto/openssl/dist-1.0.1/ssl/d1_srvr.c
vendor-crypto/openssl/dist-1.0.1/ssl/s23_clnt.c
vendor-crypto/openssl/dist-1.0.1/ssl/s3_cbc.c
vendor-crypto/openssl/dist-1.0.1/ssl/s3_clnt.c
vendor-crypto/openssl/dist-1.0.1/ssl/s3_enc.c
vendor-crypto/openssl/dist-1.0.1/ssl/s3_lib.c
vendor-crypto/openssl/dist-1.0.1/ssl/s3_srvr.c
vendor-crypto/openssl/dist-1.0.1/ssl/ssl.h
vendor-crypto/openssl/dist-1.0.1/ssl/ssl3.h
vendor-crypto/openssl/dist-1.0.1/ssl/ssl_asn1.c
vendor-crypto/openssl/dist-1.0.1/ssl/ssl_cert.c
vendor-crypto/openssl/dist-1.0.1/ssl/ssl_ciph.c
vendor-crypto/openssl/dist-1.0.1/ssl/ssl_err.c
vendor-crypto/openssl/dist-1.0.1/ssl/ssl_lib.c
vendor-crypto/openssl/dist-1.0.1/ssl/ssl_locl.h
vendor-crypto/openssl/dist-1.0.1/ssl/ssl_rsa.c
vendor-crypto/openssl/dist-1.0.1/ssl/ssl_sess.c
vendor-crypto/openssl/dist-1.0.1/ssl/ssltest.c
vendor-crypto/openssl/dist-1.0.1/ssl/t1_enc.c
vendor-crypto/openssl/dist-1.0.1/ssl/t1_lib.c
vendor-crypto/openssl/dist-1.0.1/ssl/tls1.h
vendor-crypto/openssl/dist-1.0.1/util/indent.pro
vendor-crypto/openssl/dist-1.0.1/util/mk1mf.pl
vendor-crypto/openssl/dist-1.0.1/util/mkrc.pl
vendor-crypto/openssl/dist-1.0.1/util/mkstack.pl
vendor-crypto/openssl/dist-1.0.1/util/pl/VC-32.pl
vendor-crypto/openssl/dist-1.0.1/util/selftest.pl
Modified: vendor-crypto/openssl/dist-1.0.1/CHANGES
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/CHANGES Thu Dec 3 17:23:35 2015 (r291708)
+++ vendor-crypto/openssl/dist-1.0.1/CHANGES Thu Dec 3 17:24:16 2015 (r291709)
@@ -2,6 +2,45 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
+
+ *) Certificate verify crash with missing PSS parameter
+
+ The signature verification routines will crash with a NULL pointer
+ dereference if presented with an ASN.1 signature using the RSA PSS
+ algorithm and absent mask generation function parameter. Since these
+ routines are used to verify certificate signature algorithms this can be
+ used to crash any certificate verification operation and exploited in a
+ DoS attack. Any application which performs certificate verification is
+ vulnerable including OpenSSL clients and servers which enable client
+ authentication.
+
+ This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
+ (CVE-2015-3194)
+ [Stephen Henson]
+
+ *) X509_ATTRIBUTE memory leak
+
+ When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+ memory. This structure is used by the PKCS#7 and CMS routines so any
+ application which reads PKCS#7 or CMS data from untrusted sources is
+ affected. SSL/TLS is not affected.
+
+ This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
+ libFuzzer.
+ (CVE-2015-3195)
+ [Stephen Henson]
+
+ *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
+ This changes the decoding behaviour for some invalid messages,
+ though the change is mostly in the more lenient direction, and
+ legacy behaviour is preserved as much as possible.
+ [Emilia Käsper]
+
+ *) In DSA_generate_parameters_ex, if the provided seed is too short,
+ return an error
+ [Rich Salz and Ismo Puustinen <ismo.puustinen at intel.com>]
+
Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
*) Alternate chains certificate forgery
@@ -15,10 +54,19 @@
This issue was reported to OpenSSL by Adam Langley/David Benjamin
(Google/BoringSSL).
+ (CVE-2015-1793)
[Matt Caswell]
- Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
+ *) Race condition handling PSK identify hint
+
+ If PSK identity hints are received by a multi-threaded client then
+ the values are wrongly updated in the parent SSL_CTX structure. This can
+ result in a race condition potentially leading to a double free of the
+ identify hint data.
+ (CVE-2015-3196)
+ [Stephen Henson]
+ Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
*) Fix HMAC ABI incompatibility. The previous version introduced an ABI
incompatibility in the handling of HMAC. The previous ABI has now been
restored.
@@ -55,9 +103,9 @@
callbacks.
This issue was reported to OpenSSL by Robert Swiecki (Google), and
- independently by Hanno Böck.
+ independently by Hanno Böck.
(CVE-2015-1789)
- [Emilia Käsper]
+ [Emilia Käsper]
*) PKCS7 crash with missing EnvelopedContent
@@ -71,7 +119,7 @@
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-1790)
- [Emilia Käsper]
+ [Emilia Käsper]
*) CMS verify infinite loop with unknown hash function
@@ -94,6 +142,9 @@
*) Reject DH handshakes with parameters shorter than 768 bits.
[Kurt Roeckx and Emilia Kasper]
+ *) dhparam: generate 2048-bit parameters by default.
+ [Kurt Roeckx and Emilia Kasper]
+
Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
*) Segmentation fault in ASN1_TYPE_cmp fix
@@ -132,7 +183,7 @@
This issue was reported to OpenSSL by Michal Zalewski (Google).
(CVE-2015-0289)
- [Emilia Käsper]
+ [Emilia Käsper]
*) DoS via reachable assert in SSLv2 servers fix
@@ -140,10 +191,10 @@
servers that both support SSLv2 and enable export cipher suites by sending
a specially crafted SSLv2 CLIENT-MASTER-KEY message.
- This issue was discovered by Sean Burford (Google) and Emilia Käsper
+ This issue was discovered by Sean Burford (Google) and Emilia Käsper
(OpenSSL development team).
(CVE-2015-0293)
- [Emilia Käsper]
+ [Emilia Käsper]
*) Use After Free following d2i_ECPrivatekey error fix
@@ -288,12 +339,12 @@
version does not match the session's version. Resuming with a different
version, while not strictly forbidden by the RFC, is of questionable
sanity and breaks all known clients.
- [David Benjamin, Emilia Käsper]
+ [David Benjamin, Emilia Käsper]
*) Tighten handling of the ChangeCipherSpec (CCS) message: reject
early CCS messages during renegotiation. (Note that because
renegotiation is encrypted, this early CCS was not exploitable.)
- [Emilia Käsper]
+ [Emilia Käsper]
*) Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
@@ -304,7 +355,7 @@
Similarly, ensure that the client requires a session ticket if one
was advertised in the ServerHello. Previously, a TLS client would
ignore a missing NewSessionTicket message.
- [Emilia Käsper]
+ [Emilia Käsper]
Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
@@ -384,10 +435,10 @@
with a null pointer dereference (read) by specifying an anonymous (EC)DH
ciphersuite and sending carefully crafted handshake messages.
- Thanks to Felix Gröbert (Google) for discovering and researching this
+ Thanks to Felix Gröbert (Google) for discovering and researching this
issue.
(CVE-2014-3510)
- [Emilia Käsper]
+ [Emilia Käsper]
*) By sending carefully crafted DTLS packets an attacker could cause openssl
to leak memory. This can be exploited through a Denial of Service attack.
@@ -424,7 +475,7 @@
properly negotiated with the client. This can be exploited through a
Denial of Service attack.
- Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
+ Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
discovering and researching this issue.
(CVE-2014-5139)
[Steve Henson]
@@ -436,7 +487,7 @@
Thanks to Ivan Fratric (Google) for discovering this issue.
(CVE-2014-3508)
- [Emilia Käsper, and Steve Henson]
+ [Emilia Käsper, and Steve Henson]
*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
for corner cases. (Certain input points at infinity could lead to
@@ -466,15 +517,15 @@
client or server. This is potentially exploitable to run arbitrary
code on a vulnerable client or server.
- Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
- [Jüri Aedla, Steve Henson]
+ Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+ [Jüri Aedla, Steve Henson]
*) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
are subject to a denial of service attack.
- Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+ Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
this issue. (CVE-2014-3470)
- [Felix Gröbert, Ivan Fratric, Steve Henson]
+ [Felix Gröbert, Ivan Fratric, Steve Henson]
*) Harmonize version and its documentation. -f flag is used to display
compilation flags.
@@ -553,9 +604,9 @@
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
- Emilia Käsper for the initial patch.
+ Emilia Käsper for the initial patch.
(CVE-2013-0169)
- [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+ [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
*) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
ciphersuites which can be exploited in a denial of service attack.
@@ -730,7 +781,7 @@
EC_GROUP_new_by_curve_name() will automatically use these (while
EC_GROUP_new_curve_GFp() currently prefers the more flexible
implementations).
- [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
+ [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
*) Use type ossl_ssize_t instad of ssize_t which isn't available on
all platforms. Move ssize_t definition from e_os.h to the public
@@ -1006,7 +1057,7 @@
[Adam Langley (Google)]
*) Fix spurious failures in ecdsatest.c.
- [Emilia Käsper (Google)]
+ [Emilia Käsper (Google)]
*) Fix the BIO_f_buffer() implementation (which was mixing different
interpretations of the '..._len' fields).
@@ -1020,7 +1071,7 @@
lock to call BN_BLINDING_invert_ex, and avoids one use of
BN_BLINDING_update for each BN_BLINDING structure (previously,
the last update always remained unused).
- [Emilia Käsper (Google)]
+ [Emilia Käsper (Google)]
*) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
[Bob Buckholz (Google)]
@@ -1829,7 +1880,7 @@
*) Add RFC 3161 compliant time stamp request creation, response generation
and response verification functionality.
- [Zoltán Glózik <zglozik at opentsa.org>, The OpenTSA Project]
+ [Zoltán Glózik <zglozik at opentsa.org>, The OpenTSA Project]
*) Add initial support for TLS extensions, specifically for the server_name
extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now
@@ -2997,7 +3048,7 @@
*) BN_CTX_get() should return zero-valued bignums, providing the same
initialised value as BN_new().
- [Geoff Thorpe, suggested by Ulf Möller]
+ [Geoff Thorpe, suggested by Ulf Möller]
*) Support for inhibitAnyPolicy certificate extension.
[Steve Henson]
@@ -3016,7 +3067,7 @@
some point, these tighter rules will become openssl's default to improve
maintainability, though the assert()s and other overheads will remain only
in debugging configurations. See bn.h for more details.
- [Geoff Thorpe, Nils Larsch, Ulf Möller]
+ [Geoff Thorpe, Nils Larsch, Ulf Möller]
*) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
that can only be obtained through BN_CTX_new() (which implicitly
@@ -3083,7 +3134,7 @@
[Douglas Stebila (Sun Microsystems Laboratories)]
*) Add the possibility to load symbols globally with DSO.
- [Götz Babin-Ebell <babin-ebell at trustcenter.de> via Richard Levitte]
+ [Götz Babin-Ebell <babin-ebell at trustcenter.de> via Richard Levitte]
*) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
control of the error stack.
@@ -3798,7 +3849,7 @@
[Steve Henson]
*) Undo Cygwin change.
- [Ulf Möller]
+ [Ulf Möller]
*) Added support for proxy certificates according to RFC 3820.
Because they may be a security thread to unaware applications,
@@ -3831,11 +3882,11 @@
[Stephen Henson, reported by UK NISCC]
*) Use Windows randomness collection on Cygwin.
- [Ulf Möller]
+ [Ulf Möller]
*) Fix hang in EGD/PRNGD query when communication socket is closed
prematurely by EGD/PRNGD.
- [Darren Tucker <dtucker at zip.com.au> via Lutz Jänicke, resolves #1014]
+ [Darren Tucker <dtucker at zip.com.au> via Lutz Jänicke, resolves #1014]
*) Prompt for pass phrases when appropriate for PKCS12 input format.
[Steve Henson]
@@ -4297,7 +4348,7 @@
pointers passed to them whenever necessary. Otherwise it is possible
the caller may have overwritten (or deallocated) the original string
data when a later ENGINE operation tries to use the stored values.
- [Götz Babin-Ebell <babinebell at trustcenter.de>]
+ [Götz Babin-Ebell <babinebell at trustcenter.de>]
*) Improve diagnostics in file reading and command-line digests.
[Ben Laurie aided and abetted by Solar Designer <solar at openwall.com>]
@@ -6402,7 +6453,7 @@ des-cbc 3624.96k 5258.21k
[Bodo Moeller]
*) BN_sqr() bug fix.
- [Ulf Möller, reported by Jim Ellis <jim.ellis at cavium.com>]
+ [Ulf Möller, reported by Jim Ellis <jim.ellis at cavium.com>]
*) Rabin-Miller test analyses assume uniformly distributed witnesses,
so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
@@ -6562,7 +6613,7 @@ des-cbc 3624.96k 5258.21k
[Bodo Moeller]
*) Fix OAEP check.
- [Ulf Möller, Bodo Möller]
+ [Ulf Möller, Bodo Möller]
*) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
@@ -6824,10 +6875,10 @@ des-cbc 3624.96k 5258.21k
[Bodo Moeller]
*) Use better test patterns in bntest.
- [Ulf Möller]
+ [Ulf Möller]
*) rand_win.c fix for Borland C.
- [Ulf Möller]
+ [Ulf Möller]
*) BN_rshift bugfix for n == 0.
[Bodo Moeller]
@@ -6972,14 +7023,14 @@ des-cbc 3624.96k 5258.21k
*) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
BIO_ctrl (for BIO pairs).
- [Bodo Möller]
+ [Bodo Möller]
*) Add DSO method for VMS.
[Richard Levitte]
*) Bug fix: Montgomery multiplication could produce results with the
wrong sign.
- [Ulf Möller]
+ [Ulf Möller]
*) Add RPM specification openssl.spec and modify it to build three
packages. The default package contains applications, application
@@ -6997,7 +7048,7 @@ des-cbc 3624.96k 5258.21k
*) Don't set the two most significant bits to one when generating a
random number < q in the DSA library.
- [Ulf Möller]
+ [Ulf Möller]
*) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default
behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
@@ -7263,7 +7314,7 @@ des-cbc 3624.96k 5258.21k
*) Randomness polling function for Win9x, as described in:
Peter Gutmann, Software Generation of Practically Strong
Random Numbers.
- [Ulf Möller]
+ [Ulf Möller]
*) Fix so PRNG is seeded in req if using an already existing
DSA key.
@@ -7483,7 +7534,7 @@ des-cbc 3624.96k 5258.21k
[Steve Henson]
*) Eliminate non-ANSI declarations in crypto.h and stack.h.
- [Ulf Möller]
+ [Ulf Möller]
*) Fix for SSL server purpose checking. Server checking was
rejecting certificates which had extended key usage present
@@ -7515,7 +7566,7 @@ des-cbc 3624.96k 5258.21k
[Bodo Moeller]
*) Bugfix for linux-elf makefile.one.
- [Ulf Möller]
+ [Ulf Möller]
*) RSA_get_default_method() will now cause a default
RSA_METHOD to be chosen if one doesn't exist already.
@@ -7604,7 +7655,7 @@ des-cbc 3624.96k 5258.21k
[Steve Henson]
*) des_quad_cksum() byte order bug fix.
- [Ulf Möller, using the problem description in krb4-0.9.7, where
+ [Ulf Möller, using the problem description in krb4-0.9.7, where
the solution is attributed to Derrick J Brashear <shadow at DEMENTIA.ORG>]
*) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
@@ -7705,7 +7756,7 @@ des-cbc 3624.96k 5258.21k
[Rolf Haberrecker <rolf at suse.de>]
*) Assembler module support for Mingw32.
- [Ulf Möller]
+ [Ulf Möller]
*) Shared library support for HPUX (in shlib/).
[Lutz Jaenicke <Lutz.Jaenicke at aet.TU-Cottbus.DE> and Anonymous]
@@ -7724,7 +7775,7 @@ des-cbc 3624.96k 5258.21k
*) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
case was implemented. This caused BN_div_recp() to fail occasionally.
- [Ulf Möller]
+ [Ulf Möller]
*) Add an optional second argument to the set_label() in the perl
assembly language builder. If this argument exists and is set
@@ -7754,14 +7805,14 @@ des-cbc 3624.96k 5258.21k
[Steve Henson]
*) Fix potential buffer overrun problem in BIO_printf().
- [Ulf Möller, using public domain code by Patrick Powell; problem
+ [Ulf Möller, using public domain code by Patrick Powell; problem
pointed out by David Sacerdote <das33 at cornell.edu>]
*) Support EGD <http://www.lothar.com/tech/crypto/>. New functions
RAND_egd() and RAND_status(). In the command line application,
the EGD socket can be specified like a seed file using RANDFILE
or -rand.
- [Ulf Möller]
+ [Ulf Möller]
*) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
Some CAs (e.g. Verisign) distribute certificates in this form.
@@ -7794,7 +7845,7 @@ des-cbc 3624.96k 5258.21k
#define OPENSSL_ALGORITHM_DEFINES
#include <openssl/opensslconf.h>
defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
- [Richard Levitte, Ulf and Bodo Möller]
+ [Richard Levitte, Ulf and Bodo Möller]
*) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
record layer.
@@ -7845,17 +7896,17 @@ des-cbc 3624.96k 5258.21k
*) Bug fix for BN_div_recp() for numerators with an even number of
bits.
- [Ulf Möller]
+ [Ulf Möller]
*) More tests in bntest.c, and changed test_bn output.
- [Ulf Möller]
+ [Ulf Möller]
*) ./config recognizes MacOS X now.
[Andy Polyakov]
*) Bug fix for BN_div() when the first words of num and divsor are
equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
- [Ulf Möller]
+ [Ulf Möller]
*) Add support for various broken PKCS#8 formats, and command line
options to produce them.
@@ -7863,11 +7914,11 @@ des-cbc 3624.96k 5258.21k
*) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
get temporary BIGNUMs from a BN_CTX.
- [Ulf Möller]
+ [Ulf Möller]
*) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
for p == 0.
- [Ulf Möller]
+ [Ulf Möller]
*) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
include a #define from the old name to the new. The original intent
@@ -7891,7 +7942,7 @@ des-cbc 3624.96k 5258.21k
*) Source code cleanups: use const where appropriate, eliminate casts,
use void * instead of char * in lhash.
- [Ulf Möller]
+ [Ulf Möller]
*) Bugfix: ssl3_send_server_key_exchange was not restartable
(the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
@@ -7936,13 +7987,13 @@ des-cbc 3624.96k 5258.21k
[Steve Henson]
*) New function BN_pseudo_rand().
- [Ulf Möller]
+ [Ulf Möller]
*) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
bignum version of BN_from_montgomery() with the working code from
SSLeay 0.9.0 (the word based version is faster anyway), and clean up
the comments.
- [Ulf Möller]
+ [Ulf Möller]
*) Avoid a race condition in s2_clnt.c (function get_server_hello) that
made it impossible to use the same SSL_SESSION data structure in
@@ -7952,25 +8003,25 @@ des-cbc 3624.96k 5258.21k
*) The return value of RAND_load_file() no longer counts bytes obtained
by stat(). RAND_load_file(..., -1) is new and uses the complete file
to seed the PRNG (previously an explicit byte count was required).
- [Ulf Möller, Bodo Möller]
+ [Ulf Möller, Bodo Möller]
*) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
used (char *) instead of (void *) and had casts all over the place.
[Steve Henson]
*) Make BN_generate_prime() return NULL on error if ret!=NULL.
- [Ulf Möller]
+ [Ulf Möller]
*) Retain source code compatibility for BN_prime_checks macro:
BN_is_prime(..., BN_prime_checks, ...) now uses
BN_prime_checks_for_size to determine the appropriate number of
Rabin-Miller iterations.
- [Ulf Möller]
+ [Ulf Möller]
*) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
DH_CHECK_P_NOT_SAFE_PRIME.
(Check if this is true? OpenPGP calls them "strong".)
- [Ulf Möller]
+ [Ulf Möller]
*) Merge the functionality of "dh" and "gendh" programs into a new program
"dhparam". The old programs are retained for now but will handle DH keys
@@ -8026,7 +8077,7 @@ des-cbc 3624.96k 5258.21k
*) Add missing #ifndefs that caused missing symbols when building libssl
as a shared library without RSA. Use #ifndef NO_SSL2 instead of
NO_RSA in ssl/s2*.c.
- [Kris Kennaway <kris at hub.freebsd.org>, modified by Ulf Möller]
+ [Kris Kennaway <kris at hub.freebsd.org>, modified by Ulf Möller]
*) Precautions against using the PRNG uninitialized: RAND_bytes() now
has a return value which indicates the quality of the random data
@@ -8035,7 +8086,7 @@ des-cbc 3624.96k 5258.21k
guaranteed to be unique but not unpredictable. RAND_add is like
RAND_seed, but takes an extra argument for an entropy estimate
(RAND_seed always assumes full entropy).
- [Ulf Möller]
+ [Ulf Möller]
*) Do more iterations of Rabin-Miller probable prime test (specifically,
3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
@@ -8065,7 +8116,7 @@ des-cbc 3624.96k 5258.21k
[Steve Henson]
*) Honor the no-xxx Configure options when creating .DEF files.
- [Ulf Möller]
+ [Ulf Möller]
*) Add PKCS#10 attributes to field table: challengePassword,
unstructuredName and unstructuredAddress. These are taken from
@@ -8899,7 +8950,7 @@ des-cbc 3624.96k 5258.21k
*) More DES library cleanups: remove references to srand/rand and
delete an unused file.
- [Ulf Möller]
+ [Ulf Möller]
*) Add support for the the free Netwide assembler (NASM) under Win32,
since not many people have MASM (ml) and it can be hard to obtain.
@@ -8988,7 +9039,7 @@ des-cbc 3624.96k 5258.21k
worked.
*) Fix problems with no-hmac etc.
- [Ulf Möller, pointed out by Brian Wellington <bwelling at tislabs.com>]
+ [Ulf Möller, pointed out by Brian Wellington <bwelling at tislabs.com>]
*) New functions RSA_get_default_method(), RSA_set_method() and
RSA_get_method(). These allows replacement of RSA_METHODs without having
@@ -9105,7 +9156,7 @@ des-cbc 3624.96k 5258.21k
[Ben Laurie]
*) DES library cleanups.
- [Ulf Möller]
+ [Ulf Möller]
*) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
@@ -9148,7 +9199,7 @@ des-cbc 3624.96k 5258.21k
[Christian Forster <fo at hawo.stw.uni-erlangen.de>]
*) config now generates no-xxx options for missing ciphers.
- [Ulf Möller]
+ [Ulf Möller]
*) Support the EBCDIC character set (work in progress).
File ebcdic.c not yet included because it has a different license.
@@ -9261,7 +9312,7 @@ des-cbc 3624.96k 5258.21k
[Bodo Moeller]
*) Move openssl.cnf out of lib/.
- [Ulf Möller]
+ [Ulf Möller]
*) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
-Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
@@ -9318,10 +9369,10 @@ des-cbc 3624.96k 5258.21k
[Ben Laurie]
*) Support Borland C++ builder.
- [Janez Jere <jj at void.si>, modified by Ulf Möller]
+ [Janez Jere <jj at void.si>, modified by Ulf Möller]
*) Support Mingw32.
- [Ulf Möller]
+ [Ulf Möller]
*) SHA-1 cleanups and performance enhancements.
[Andy Polyakov <appro at fy.chalmers.se>]
@@ -9330,7 +9381,7 @@ des-cbc 3624.96k 5258.21k
[Andy Polyakov <appro at fy.chalmers.se>]
*) Accept any -xxx and +xxx compiler options in Configure.
- [Ulf Möller]
+ [Ulf Möller]
*) Update HPUX configuration.
[Anonymous]
@@ -9363,7 +9414,7 @@ des-cbc 3624.96k 5258.21k
[Bodo Moeller]
*) OAEP decoding bug fix.
- [Ulf Möller]
+ [Ulf Möller]
*) Support INSTALL_PREFIX for package builders, as proposed by
David Harris.
@@ -9386,21 +9437,21 @@ des-cbc 3624.96k 5258.21k
[Niels Poppe <niels at netbox.org>]
*) New Configure option no-<cipher> (rsa, idea, rc5, ...).
- [Ulf Möller]
+ [Ulf Möller]
*) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
extension adding in x509 utility.
[Steve Henson]
*) Remove NOPROTO sections and error code comments.
- [Ulf Möller]
+ [Ulf Möller]
*) Partial rewrite of the DEF file generator to now parse the ANSI
prototypes.
[Steve Henson]
*) New Configure options --prefix=DIR and --openssldir=DIR.
- [Ulf Möller]
+ [Ulf Möller]
*) Complete rewrite of the error code script(s). It is all now handled
by one script at the top level which handles error code gathering,
@@ -9429,7 +9480,7 @@ des-cbc 3624.96k 5258.21k
[Steve Henson]
*) Move the autogenerated header file parts to crypto/opensslconf.h.
- [Ulf Möller]
+ [Ulf Möller]
*) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
8 of keying material. Merlin has also confirmed interop with this fix
@@ -9447,13 +9498,13 @@ des-cbc 3624.96k 5258.21k
[Andy Polyakov <appro at fy.chalmers.se>]
*) Change functions to ANSI C.
- [Ulf Möller]
+ [Ulf Möller]
*) Fix typos in error codes.
- [Martin Kraemer <Martin.Kraemer at MchP.Siemens.De>, Ulf Möller]
+ [Martin Kraemer <Martin.Kraemer at MchP.Siemens.De>, Ulf Möller]
*) Remove defunct assembler files from Configure.
- [Ulf Möller]
+ [Ulf Möller]
*) SPARC v8 assembler BIGNUM implementation.
[Andy Polyakov <appro at fy.chalmers.se>]
@@ -9490,7 +9541,7 @@ des-cbc 3624.96k 5258.21k
[Steve Henson]
*) New Configure option "rsaref".
- [Ulf Möller]
+ [Ulf Möller]
*) Don't auto-generate pem.h.
[Bodo Moeller]
@@ -9538,7 +9589,7 @@ des-cbc 3624.96k 5258.21k
*) New functions DSA_do_sign and DSA_do_verify to provide access to
the raw DSA values prior to ASN.1 encoding.
- [Ulf Möller]
+ [Ulf Möller]
*) Tweaks to Configure
[Niels Poppe <niels at netbox.org>]
@@ -9548,11 +9599,11 @@ des-cbc 3624.96k 5258.21k
[Steve Henson]
*) New variables $(RANLIB) and $(PERL) in the Makefiles.
- [Ulf Möller]
+ [Ulf Möller]
*) New config option to avoid instructions that are illegal on the 80386.
The default code is faster, but requires at least a 486.
- [Ulf Möller]
+ [Ulf Möller]
*) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
SSL2_SERVER_VERSION (not used at all) macros, which are now the
@@ -10091,7 +10142,7 @@ des-cbc 3624.96k 5258.21k
Hagino <itojun at kame.net>]
*) File was opened incorrectly in randfile.c.
- [Ulf Möller <ulf at fitug.de>]
+ [Ulf Möller <ulf at fitug.de>]
*) Beginning of support for GeneralizedTime. d2i, i2d, check and print
functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
@@ -10101,7 +10152,7 @@ des-cbc 3624.96k 5258.21k
[Steve Henson]
*) Correct Linux 1 recognition in config.
- [Ulf Möller <ulf at fitug.de>]
+ [Ulf Möller <ulf at fitug.de>]
*) Remove pointless MD5 hash when using DSA keys in ca.
[Anonymous <nobody at replay.com>]
@@ -10248,7 +10299,7 @@ des-cbc 3624.96k 5258.21k
*) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
was already fixed by Eric for 0.9.1 it seems.
- [Ben Laurie - pointed out by Ulf Möller <ulf at fitug.de>]
+ [Ben Laurie - pointed out by Ulf Möller <ulf at fitug.de>]
*) Autodetect FreeBSD3.
[Ben Laurie]
Added: vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING Thu Dec 3 17:24:16 2015 (r291709)
@@ -0,0 +1,38 @@
+HOW TO CONTRIBUTE TO OpenSSL
+----------------------------
+
+Development is coordinated on the openssl-dev mailing list (see
+http://www.openssl.org for information on subscribing). If you
+would like to submit a patch, send it to rt at openssl.org with
+the string "[PATCH]" in the subject. Please be sure to include a
+textual explanation of what your patch does.
+
+You can also make GitHub pull requests. If you do this, please also send
+mail to rt at openssl.org with a brief description and a link to the PR so
+that we can more easily keep track of it.
+
+If you are unsure as to whether a feature will be useful for the general
+OpenSSL community please discuss it on the openssl-dev mailing list first.
+Someone may be already working on the same thing or there may be a good
+reason as to why that feature isn't implemented.
+
+Patches should be as up to date as possible, preferably relative to the
+current Git or the last snapshot. They should follow our coding style
+(see https://www.openssl.org/policies/codingstyle.html) and compile without
+warnings using the --strict-warnings flag. OpenSSL compiles on many varied
+platforms: try to ensure you only use portable features.
+
+Our preferred format for patch files is "git format-patch" output. For example
+to provide a patch file containing the last commit in your local git repository
+use the following command:
+
+# git format-patch --stdout HEAD^ >mydiffs.patch
+
+Another method of creating an acceptable patch file without using git is as
+follows:
+
+# cd openssl-work
+# [your changes]
+# ./Configure dist; make clean
+# cd ..
+# diff -ur openssl-orig openssl-work > mydiffs.patch
Modified: vendor-crypto/openssl/dist-1.0.1/Configure
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/Configure Thu Dec 3 17:23:35 2015 (r291708)
+++ vendor-crypto/openssl/dist-1.0.1/Configure Thu Dec 3 17:24:16 2015 (r291709)
@@ -105,6 +105,8 @@ my $usage="Usage: Configure [no-<cipher>
my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
+my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments";
+
my $strict_warnings = 0;
my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
@@ -197,6 +199,7 @@ my %table=(
"debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"debug-linux-x86_64-clang","clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"dist", "cc:-O::(unknown)::::::",
# Basic configs that should work on any (32 and less bit) box
@@ -361,6 +364,7 @@ my %table=(
"linux-ia64-ecc","ecc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-x86_64-clang","clang: -m64 -DL_ENDIAN -O3 -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
#### So called "highgprs" target for z/Architecture CPUs
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
@@ -1574,11 +1578,20 @@ if ($shlib_version_number =~ /(^[0-9]*)\
if ($strict_warnings)
{
+ my $ecc = $cc;
+ $ecc = "clang" if `$cc --version 2>&1` =~ /clang/;
my $wopt;
- die "ERROR --strict-warnings requires gcc" unless ($cc =~ /gcc$/);
+ die "ERROR --strict-warnings requires gcc or clang" unless ($ecc =~ /gcc$/ or $ecc =~ /clang$/);
foreach $wopt (split /\s+/, $gcc_devteam_warn)
{
- $cflags .= " $wopt" unless ($cflags =~ /$wopt/)
+ $cflags .= " $wopt" unless ($cflags =~ /(^|\s)$wopt(\s|$)/)
+ }
+ if ($ecc eq "clang")
+ {
+ foreach $wopt (split /\s+/, $clang_devteam_warn)
+ {
+ $cflags .= " $wopt" unless ($cflags =~ /(^|\s)$wopt(\s|$)/)
+ }
}
}
Modified: vendor-crypto/openssl/dist-1.0.1/FAQ
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/FAQ Thu Dec 3 17:23:35 2015 (r291708)
+++ vendor-crypto/openssl/dist-1.0.1/FAQ Thu Dec 3 17:24:16 2015 (r291709)
@@ -1,1039 +1,2 @@
-OpenSSL - Frequently Asked Questions
---------------------------------------
-
-[MISC] Miscellaneous questions
-
-* Which is the current version of OpenSSL?
-* Where is the documentation?
-* How can I contact the OpenSSL developers?
-* Where can I get a compiled version of OpenSSL?
-* Why aren't tools like 'autoconf' and 'libtool' used?
-* What is an 'engine' version?
-* How do I check the authenticity of the OpenSSL distribution?
-* How does the versioning scheme work?
-
-[LEGAL] Legal questions
-
-* Do I need patent licenses to use OpenSSL?
-* Can I use OpenSSL with GPL software?
-
-[USER] Questions on using the OpenSSL applications
-
-* Why do I get a "PRNG not seeded" error message?
-* Why do I get an "unable to write 'random state'" error message?
-* How do I create certificates or certificate requests?
-* Why can't I create certificate requests?
-* Why does <SSL program> fail with a certificate verify error?
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-* How can I create DSA certificates?
-* Why can't I make an SSL connection using a DSA certificate?
-* How can I remove the passphrase on a private key?
-* Why can't I use OpenSSL certificates with SSL client authentication?
-* Why does my browser give a warning about a mismatched hostname?
-* How do I install a CA certificate into a browser?
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-* Why does OpenSSL set the authority key identifier extension incorrectly?
-* How can I set up a bundle of commercial root CA certificates?
-
-[BUILD] Questions about building and testing OpenSSL
-
-* Why does the linker complain about undefined symbols?
-* Why does the OpenSSL test fail with "bc: command not found"?
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-* Why does the OpenSSL test fail with "bc: stack empty"?
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-* What is special about OpenSSL on Redhat?
-* Why does the OpenSSL compilation fail on MacOS X?
-* Why does the OpenSSL test suite fail on MacOS X?
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-* Why does compiler fail to compile sha512.c?
-* Test suite still fails, what to do?
-* I think I've found a bug, what should I do?
-* I'm SURE I've found a bug, how do I report it?
-* I've found a security issue, how do I report it?
-
-[PROG] Questions about programming with OpenSSL
-
-* Is OpenSSL thread-safe?
-* I've compiled a program under Windows and it crashes: why?
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-* I've called <some function> and it fails, why?
-* I just get a load of numbers for the error output, what do they mean?
-* Why do I get errors about unknown algorithms?
-* Why can't the OpenSSH configure script detect OpenSSL?
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-* Why doesn't my server application receive a client certificate?
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-* I think I've detected a memory leak, is this a bug?
-* Why does Valgrind complain about the use of uninitialized data?
-* Why doesn't a memory BIO work when a file does?
-* Where are the declarations and implementations of d2i_X509() etc?
-
-===============================================================================
-
-[MISC] ========================================================================
-
-* Which is the current version of OpenSSL?
-
-The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1e was released on Feb 11th, 2013.
-
-In addition to the current stable release, you can also access daily
-snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
-
-
-* Where is the documentation?
-
-OpenSSL is a library that provides cryptographic functionality to
-applications such as secure web servers. Be sure to read the
-documentation of the application you want to use. The INSTALL file
-explains how to install this library.
-
-OpenSSL includes a command line utility that can be used to perform a
-variety of cryptographic functions. It is described in the openssl(1)
-manpage. Documentation for developers is currently being written. Many
-manual pages are available; overviews over libcrypto and
-libssl are given in the crypto(3) and ssl(3) manpages.
-
-The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
-different directory if you specified one as described in INSTALL).
-In addition, you can read the most current versions at
-<URL: http://www.openssl.org/docs/>. Note that the online documents refer
-to the very latest development versions of OpenSSL and may include features
-not present in released versions. If in doubt refer to the documentation
-that came with the version of OpenSSL you are using. The pod format
-documentation is included in each OpenSSL distribution under the docs
-directory.
-
-There is some documentation about certificate extensions and PKCS#12
-in doc/openssl.txt
-
-The original SSLeay documentation is included in OpenSSL as
-doc/ssleay.txt. It may be useful when none of the other resources
-help, but please note that it reflects the obsolete version SSLeay
-0.6.6.
-
-
-* How can I contact the OpenSSL developers?
-
-The README file describes how to submit bug reports and patches to
-OpenSSL. Information on the OpenSSL mailing lists is available from
-<URL: http://www.openssl.org>.
-
-
-* Where can I get a compiled version of OpenSSL?
-
-You can finder pointers to binary distributions in
-<URL: http://www.openssl.org/related/binaries.html> .
-
-Some applications that use OpenSSL are distributed in binary form.
-When using such an application, you don't need to install OpenSSL
-yourself; the application will include the required parts (e.g. DLLs).
-
-If you want to build OpenSSL on a Windows system and you don't have
-a C compiler, read the "Mingw32" section of INSTALL.W32 for information
-on how to obtain and install the free GNU C compiler.
-
-A number of Linux and *BSD distributions include OpenSSL.
-
-
-* Why aren't tools like 'autoconf' and 'libtool' used?
-
-autoconf will probably be used in future OpenSSL versions. If it was
-less Unix-centric, it might have been used much earlier.
-
-* What is an 'engine' version?
-
-With version 0.9.6 OpenSSL was extended to interface to external crypto
-hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 the changes were merged into the main development line,
-so that the special release is no longer necessary.
-
-* How do I check the authenticity of the OpenSSL distribution?
-
-We provide MD5 digests and ASC signatures of each tarball.
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-src-vendor
mailing list