From owner-svn-src-releng@FreeBSD.ORG Mon Oct 20 01:45:41 2014
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by hub.freebsd.org (Postfix) with ESMTPS id 5460C8B7;
        Mon, 20 Oct 2014 01:45:41 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (Client did not present a certificate)
        by mx1.freebsd.org (Postfix) with ESMTPS id 27BE6394;
        Mon, 20 Oct 2014 01:45:41 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
        by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9K1jfUu099521;
        Mon, 20 Oct 2014 01:45:41 GMT
        (envelope-from emaste@FreeBSD.org)
Received: (from emaste@localhost)
        by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9K1jfUZ099520;
        Mon, 20 Oct 2014 01:45:41 GMT
        (envelope-from emaste@FreeBSD.org)
Message-Id: <201410200145.s9K1jfUZ099520@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f
From: Ed Maste
Date: Mon, 20 Oct 2014 01:45:41 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r273297 - releng/10.1/share/man/man4
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to the src tree
X-List-Received-Date: Mon, 20 Oct 2014 01:45:41 -0000

Author: emaste
Date: Mon Oct 20 01:45:40 2014
New Revision: 273297
URL: https://svnweb.freebsd.org/changeset/base/273297

Log:
  MFS10 r273294 (r273178 in HEAD):

  Update vt(4) for UEFI defaults and special keys

  vt(4) is the default console for UEFI boot [1], and the bitmapped
  kern.vt.spclkeys sysctl has been replaced with individual kern.vt.kbd_*
  enable sysctls.

  PR:           193710
  Approved by:  re

Modified:
  releng/10.1/share/man/man4/vt.4
Directory Properties:
  releng/10.1/   (props changed)

Modified: releng/10.1/share/man/man4/vt.4
==============================================================================
--- releng/10.1/share/man/man4/vt.4     Mon Oct 20 01:01:55 2014        (r273296)
+++ releng/10.1/share/man/man4/vt.4     Mon Oct 20 01:45:40 2014        (r273297)
@@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd July 2, 2014 +.Dd October 16, 2014 .Dt "VIRTUAL TERMINALS" 4 .Os .Sh NAME @@ -45,6 +45,15 @@ In .Xr loader.conf 5 : .Cd hw.vga.textmode=1 .Cd kern.vty=vt +.Pp +In +.Xr loader.conf 5 or +.Xr sysctl.conf 5 : +.Cd kern.vt.kbd_halt=1 +.Cd kern.vt.kbd_poweroff=1 +.Cd kern.vt.kbd_reboot=1 +.Cd kern.vt.kbd_debug=1 +.Cd kern.vt.kbd_panic=0 .Sh DESCRIPTION The .Nm
@@ -184,17 +193,41 @@ Set to 1 to use virtual terminals in tex Features that require graphics mode, like loadable fonts, will be disabled. .It Va kern.vty -When both -.Nm -and -.Xr sc 4 have been compiled into the kernel, the one to use for the -system console can be selected by setting this value to +Set this value to .Ql vt or -.Ql sc . -If this value is not set, +.Ql sc +to override the default driver used for the system console. +By default, .Xr sc 4 -is used. +is used on computers that boot from BIOS, and +.Nm +is used on computers that boot from UEFI. +.Sh KEYBOARD SYSCTL TUNABLES +These settings control whether certain special key combinations are enabled or +ignored. +The specific key combinations can be configured by using a +.Xr keymap 5 +file. +.Pp +These settings can be entered at the +.Xr loader 8 +prompt or in +.Xr loader.conf 5 +and can also be changed at runtime with the +.Xr sysctl 8 +command. +.Bl -tag -width indent +.It Va kern.vt.kbd_halt +Enable halt keyboard combination. +.It Va kern.vt.kbd_poweroff +Enable power off key combination. +.It Va kern.vt.kbd_reboot. +Enable reboot key combination, usually Ctrl+Alt+Del. +.It Va kern.vt.kbd_debug +Enable debug request key combination, usually Ctrl+Alt+Esc. +.It Va kern.vt.kbd_panic +Enable panic key combination. 
.El .Sh FILES .Bl -tag -width /usr/share/vt/keymaps/* -compact From owner-svn-src-releng@FreeBSD.ORG Mon Oct 20 03:17:49 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 958E8C1E; Mon, 20 Oct 2014 03:17:49 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 820D9E1C; Mon, 20 Oct 2014 03:17:49 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9K3Hnpg043071; Mon, 20 Oct 2014 03:17:49 GMT (envelope-from emaste@FreeBSD.org) Received: (from emaste@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9K3Hnfe043070; Mon, 20 Oct 2014 03:17:49 GMT (envelope-from emaste@FreeBSD.org) Message-Id: <201410200317.s9K3Hnfe043070@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f 
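Review bot: `.It Va kern.vt.kbd_reboot.` in the new KEYBOARD SYSCTL TUNABLES list carries a stray trailing period, so the rendered variable name becomes `kern.vt.kbd_reboot.` instead of `kern.vt.kbd_reboot`; drop it. The section also never states the default for any of the five knobs: the SYNOPSIS shows `kern.vt.kbd_panic=0` beside `=1` for the other four, but nothing tells the reader whether those are the defaults or merely sample settings. That matters more than usual here, because `kern.vt.kbd_debug` lets whoever is at the keyboard drop the machine into the kernel debugger on a kernel built with one (which bypasses login entirely), and the halt/poweroff/reboot combinations let a console user take the system down. One line per entry giving the default, plus a cross-reference to ddb(4), would let an administrator see at a glance what to set to 0 in loader.conf(5) or sysctl.conf(5).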
From: Ed Maste
Date: Mon, 20 Oct 2014 03:17:49 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r273300 - releng/10.1/sys/dev/vt
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to the src tree
X-List-Received-Date: Mon, 20 Oct 2014 03:17:49 -0000

Author: emaste
Date: Mon Oct 20 03:17:48 2014
New Revision: 273300
URL: https://svnweb.freebsd.org/changeset/base/273300

Log:
  MFS10 r273296 (r273219 in HEAD):

  Do nothing in vt_upgrade if there is no vt driver

  Previously, if no drivers attached at boot we would panic with
  "vtbuf_fill_locked begin.tp_row 0 must be < screen height 0".

  PR:           192248
  Approved by:  re

Modified:
  releng/10.1/sys/dev/vt/vt_core.c
Directory Properties:
  releng/10.1/   (props changed)

Modified: releng/10.1/sys/dev/vt/vt_core.c
==============================================================================
--- releng/10.1/sys/dev/vt/vt_core.c    Mon Oct 20 02:57:30 2014        (r273299)
+++ releng/10.1/sys/dev/vt/vt_core.c    Mon Oct 20 03:17:48 2014        (r273300)
@@ -2491,6 +2491,8 @@ vt_upgrade(struct vt_device *vd) if (!vty_enabled(VTY_VT)) return; + if (main_vd->vd_driver == NULL) + return; for (i = 0; i < VT_MAXWINDOWS; i++) { vw = vd->vd_windows[i]; From owner-svn-src-releng@FreeBSD.ORG Mon Oct 20 05:17:17 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5F1E6C0E; Mon, 20 Oct 2014 05:17:17 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4B020A58; Mon, 20 Oct 2014 05:17:17 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9K5HH2V098853; Mon, 20 Oct 2014 05:17:17 GMT (envelope-from tuexen@FreeBSD.org) Received: (from tuexen@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9K5HGQn098847; Mon, 20 Oct 2014 05:17:16 GMT (envelope-from tuexen@FreeBSD.org) Message-Id: <201410200517.s9K5HGQn098847@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: tuexen set sender to tuexen@FreeBSD.org using -f 
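Review bot: the new guard in `vt_upgrade()` tests `main_vd->vd_driver` while the function takes and operates on `vd` (`vw = vd->vd_windows[i]` two lines later); if the two can ever differ, the early return is decided on the wrong device. Either check `vd->vd_driver == NULL` or add a one-line comment stating that `vd` is always `main_vd` here, so the next reader does not have to work that out. A comment naming the panic this avoids (the `vtbuf_fill_locked begin.tp_row 0 must be < screen height 0` case from the log) would also help, since a bare `return` with no explanation looks like dead code on first reading.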
From: Michael Tuexen
Date: Mon, 20 Oct 2014 05:17:16 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r273303 - releng/10.1/sys/netinet
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to the src tree
X-List-Received-Date: Mon, 20 Oct 2014 05:17:17 -0000

Author: tuexen
Date: Mon Oct 20 05:17:16 2014
New Revision: 273303
URL: https://svnweb.freebsd.org/changeset/base/273303

Log:
  MFC10 r273275 (r273168 in head):

  Fix the reported streams in a SCTP_STREAM_RESET_EVENT, if a sent
  incoming stream reset request was responded with failed or denied.
  Thanks to Peter Bostroem from Google for reporting the issue.

  Approved by:  re (hrs)
  Sponsored by:

Modified:
  releng/10.1/sys/netinet/sctp_header.h
  releng/10.1/sys/netinet/sctp_input.c
  releng/10.1/sys/netinet/sctp_input.h
Directory Properties:
  releng/10.1/   (props changed)

Modified: releng/10.1/sys/netinet/sctp_header.h
==============================================================================
--- releng/10.1/sys/netinet/sctp_header.h       Mon Oct 20 04:42:28 2014        (r273302)
+++ releng/10.1/sys/netinet/sctp_header.h       Mon Oct 20 05:17:16 2014        (r273303)
@@ -450,6 +450,11 @@ struct sctp_pktdrop_chunk { /**********STREAM RESET STUFF ******************/ +struct sctp_stream_reset_request { + struct sctp_paramhdr ph; + uint32_t request_seq; +} SCTP_PACKED; + struct sctp_stream_reset_out_request { struct sctp_paramhdr ph; uint32_t request_seq; /* monotonically increasing seq no */
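Review bot: `struct sctp_stream_reset_request` only works as a common prefix if every request type (`sctp_stream_reset_out_request`, `sctp_stream_reset_in_request` and `sctp_stream_reset_tsn_request`) keeps `ph` followed by `request_seq` at the same offsets, because `sctp_find_stream_reset()` casts a queued chunk payload to it and its callers then cast onward to the specific type. That layout contract is nowhere in the header; put a comment on the new struct saying so and, ideally, a `CTASSERT` on `offsetof(..., request_seq)` for each request type, so a future field insertion cannot silently break the cast. The `/* monotonically increasing seq no */` comment on the out-request's `request_seq` also belongs on the generic struct, which is now the copy of the field most code will read through.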
@@ -464,7 +469,6 @@ struct sctp_stream_reset_in_request { uint16_t list_of_streams[]; /* if not all list of streams */ } SCTP_PACKED; - struct sctp_stream_reset_tsn_request { struct sctp_paramhdr ph; uint32_t request_seq; Modified: releng/10.1/sys/netinet/sctp_input.c ============================================================================== --- releng/10.1/sys/netinet/sctp_input.c Mon Oct 20 04:42:28 2014 (r273302) +++ releng/10.1/sys/netinet/sctp_input.c Mon Oct 20 05:17:16 2014 (r273303) @@ -3496,12 +3496,12 @@ sctp_reset_out_streams(struct sctp_tcb * } -struct sctp_stream_reset_out_request * +struct sctp_stream_reset_request * sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk) { struct sctp_association *asoc; struct sctp_chunkhdr *ch; - struct sctp_stream_reset_out_request *r; + struct sctp_stream_reset_request *r; struct sctp_tmit_chunk *chk; int len, clen; @@ -3524,7 +3524,7 @@ sctp_find_stream_reset(struct sctp_tcb * } clen = chk->send_size; ch = mtod(chk->data, struct sctp_chunkhdr *); - r = (struct sctp_stream_reset_out_request *)(ch + 1); + r = (struct sctp_stream_reset_request *)(ch + 1); if (ntohl(r->request_seq) == seq) { /* found it */ return (r); @@ -3532,7 +3532,7 @@ sctp_find_stream_reset(struct sctp_tcb * len = SCTP_SIZE32(ntohs(r->ph.param_length)); if (clen > (len + (int)sizeof(struct sctp_chunkhdr))) { /* move to the next one, there can only be a max of two */ - r = (struct sctp_stream_reset_out_request *)((caddr_t)r + len); + r = (struct sctp_stream_reset_request *)((caddr_t)r + len); if (ntohl(r->request_seq) == seq) { return (r); } 
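Review bot: in `sctp_find_stream_reset()`, the step to the second parameter only checks `clen > (len + (int)sizeof(struct sctp_chunkhdr))`, i.e. that at least one byte follows the first parameter, before `r->request_seq` of the second one is read; nothing guarantees that a whole `struct sctp_stream_reset_request` (header plus `request_seq`) fits in the remaining `clen`. This is safe only because the chunk is taken from the association's own send queue (`chk->data`) rather than from the wire, and that should be said in a comment beside `/* move to the next one, there can only be a max of two */`; a reader who sees `ntohs(r->ph.param_length)` used as a stride will otherwise take this for an unchecked parse of peer input.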
@@ -3576,7 +3576,9 @@ sctp_handle_stream_reset_response(struct int lparm_len; struct sctp_association *asoc = &stcb->asoc; struct sctp_tmit_chunk *chk; - struct sctp_stream_reset_out_request *srparam; + struct sctp_stream_reset_request *req_param; + struct sctp_stream_reset_out_request *req_out_param; + struct sctp_stream_reset_in_request *req_in_param; uint32_t number_entries; if (asoc->stream_reset_outstanding == 0) { 
@@ -3584,35 +3586,36 @@ sctp_handle_stream_reset_response(struct return (0); } if (seq == stcb->asoc.str_reset_seq_out) { - srparam = sctp_find_stream_reset(stcb, seq, &chk); - if (srparam) { + req_param = sctp_find_stream_reset(stcb, seq, &chk); + if (req_param != NULL) { stcb->asoc.str_reset_seq_out++; - type = ntohs(srparam->ph.param_type); - lparm_len = ntohs(srparam->ph.param_length); + type = ntohs(req_param->ph.param_type); + lparm_len = ntohs(req_param->ph.param_length); if (type == SCTP_STR_RESET_OUT_REQUEST) { + req_out_param = (struct sctp_stream_reset_out_request *)req_param; number_entries = (lparm_len - sizeof(struct sctp_stream_reset_out_request)) / sizeof(uint16_t); asoc->stream_reset_out_is_outstanding = 0; if (asoc->stream_reset_outstanding) asoc->stream_reset_outstanding--; if (action == SCTP_STREAM_RESET_RESULT_PERFORMED) { /* do it */ - sctp_reset_out_streams(stcb, number_entries, srparam->list_of_streams); + sctp_reset_out_streams(stcb, number_entries, req_out_param->list_of_streams); } else if (action == SCTP_STREAM_RESET_RESULT_DENIED) { - sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_OUT, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED); + sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_OUT, stcb, number_entries, req_out_param->list_of_streams, SCTP_SO_NOT_LOCKED); } else { - sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED); + sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_OUT, stcb, number_entries, req_out_param->list_of_streams, SCTP_SO_NOT_LOCKED); } } else if (type == SCTP_STR_RESET_IN_REQUEST) { - /* Answered my request */ + req_in_param = (struct sctp_stream_reset_in_request *)req_param; number_entries = (lparm_len - sizeof(struct sctp_stream_reset_in_request)) / sizeof(uint16_t); if (asoc->stream_reset_outstanding) asoc->stream_reset_outstanding--; if (action == SCTP_STREAM_RESET_RESULT_DENIED) { sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_DENIED_IN, stcb, - 
number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED); + number_entries, req_in_param->list_of_streams, SCTP_SO_NOT_LOCKED); } else if (action != SCTP_STREAM_RESET_RESULT_PERFORMED) { sctp_ulp_notify(SCTP_NOTIFY_STR_RESET_FAILED_IN, stcb, - number_entries, srparam->list_of_streams, SCTP_SO_NOT_LOCKED); + number_entries, req_in_param->list_of_streams, SCTP_SO_NOT_LOCKED); } } else if (type == SCTP_STR_RESET_ADD_OUT_STREAMS) { /* Ok we now may have more streams */ Modified: releng/10.1/sys/netinet/sctp_input.h ============================================================================== --- releng/10.1/sys/netinet/sctp_input.h Mon Oct 20 04:42:28 2014 (r273302) +++ releng/10.1/sys/netinet/sctp_input.h Mon Oct 20 05:17:16 2014 (r273303) 
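Review bot: the `/* Answered my request */` comment in the `SCTP_STR_RESET_IN_REQUEST` branch was deleted rather than kept above the new `req_in_param` cast; keep it, and say there why the cast matters: the old code read `list_of_streams` through the out-request layout, and the two structs are not the same size (the `number_entries` arithmetic uses a different `sizeof` for each), so the streams handed to the DENIED/FAILED notifications came from the wrong offset, which is the bug the log describes. Separately, `number_entries = (lparm_len - sizeof(...)) / sizeof(uint16_t)` subtracts a `size_t` from the `int lparm_len`, so a `lparm_len` smaller than the struct would wrap to a huge count; it cannot happen today because `lparm_len` comes from our own queued chunk, but an explicit `lparm_len >= sizeof(...)` check or a `KASSERT` would make that assumption visible instead of implicit.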
@@ -48,7 +48,7 @@ sctp_common_input_processing(struct mbuf uint8_t, uint32_t, uint32_t, uint16_t); -struct sctp_stream_reset_out_request * +struct sctp_stream_reset_request * sctp_find_stream_reset(struct sctp_tcb *stcb, uint32_t seq, struct sctp_tmit_chunk **bchk); From owner-svn-src-releng@FreeBSD.ORG Mon Oct 20 07:15:05 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9CA574B5; Mon, 20 Oct 2014 07:15:05 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 892DF69B; Mon, 20 Oct 2014 07:15:05 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9K7F5hI062985; Mon, 20 Oct 2014 07:15:05 GMT (envelope-from mav@FreeBSD.org) Received: (from mav@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9K7F5XP062984; Mon, 20 Oct 2014 07:15:05 GMT (envelope-from mav@FreeBSD.org) Message-Id: <201410200715.s9K7F5XP062984@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: mav set sender to mav@FreeBSD.org using -f 
From: Alexander Motin
Date: Mon, 20 Oct 2014 07:15:05 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r273304 - releng/10.1/sys/kern
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to the src tree
X-List-Received-Date: Mon, 20 Oct 2014 07:15:05 -0000

Author: mav
Date: Mon Oct 20 07:15:04 2014
New Revision: 273304
URL: https://svnweb.freebsd.org/changeset/base/273304

Log:
  MFS10 r273272 (r273143 in head):

  Remove setting BIO_DONE flag for BIOs that have done() method.

  This fixes use-after-free, caused by geom_disk, completing same BIO twice
  to save extra allocation, and getting BIO_DONE set after the first.

  Approved by:  re (hrs)

Modified:
  releng/10.1/sys/kern/vfs_bio.c
Directory Properties:
  releng/10.1/   (props changed)

Modified: releng/10.1/sys/kern/vfs_bio.c
==============================================================================
--- releng/10.1/sys/kern/vfs_bio.c      Mon Oct 20 05:17:16 2014        (r273303)
+++ releng/10.1/sys/kern/vfs_bio.c      Mon Oct 20 07:15:04 2014        (r273304)
@@ -3582,10 +3582,8 @@ biodone(struct bio *bp) bp->bio_flags |= BIO_DONE; wakeup(bp); mtx_unlock(mtxp); - } else { - bp->bio_flags |= BIO_DONE; + } else done(bp); - } } /* From owner-svn-src-releng@FreeBSD.ORG Tue Oct 21 02:41:41 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 679EBBC7; Tue, 21 Oct 2014 02:41:41 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 39B4EF29; Tue, 21 Oct 2014 02:41:41 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9L2ffoN062611; Tue, 21 Oct 2014 02:41:41 GMT (envelope-from gjb@FreeBSD.org) Received: (from gjb@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9L2ffqU062610; Tue, 21 Oct 2014 02:41:41 GMT (envelope-from gjb@FreeBSD.org) Message-Id: <201410210241.s9L2ffqU062610@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: gjb set sender to gjb@FreeBSD.org using -f 
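Review bot: after this change a bio that has a `bio_done` callback never gets `BIO_DONE` set by `biodone()`; only the no-callback branch (the `wakeup(bp)` path) still sets it. That is the right fix for the double-completion use-after-free in the log, but the invariant now differs between the two paths and nothing in the code says so. Add a comment above the `else` stating that `BIO_DONE` belongs to the wakeup path only and that callback consumers must not test it, since the bio may already have been freed or re-completed by the time `done()` returns; otherwise the next person to see the asymmetry will "fix" it by putting the flag back. Minor: dropping the braces leaves the `if` arm braced and the `else` arm unbraced; keeping `} else {` symmetric with the branch above reads more clearly.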
From: Glen Barber
Date: Tue, 21 Oct 2014 02:41:41 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r273364 - releng/10.1/release
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to the src tree
X-List-Received-Date: Tue, 21 Oct 2014 02:41:41 -0000

Author: gjb
Date: Tue Oct 21 02:41:40 2014
New Revision: 273364
URL: https://svnweb.freebsd.org/changeset/base/273364

Log:
  MFstable10 r273354:
    MFC r273204:
      Add more descriptive metadata to the ISO images.

  MFstable10 r273355:
    Fix label for the UEFI bootonly cd.

  PR:           165876
  Approved by:  re (hrs)
  Sponsored by: The FreeBSD Foundation

Modified:
  releng/10.1/release/Makefile
Directory Properties:
  releng/10.1/   (props changed)

Modified: releng/10.1/release/Makefile
==============================================================================
--- releng/10.1/release/Makefile        Tue Oct 21 01:57:36 2014        (r273363)
+++ releng/10.1/release/Makefile        Tue Oct 21 02:41:40 2014        (r273364)
@@ -62,6 +62,8 @@ OSRELEASE= ${TYPE}-${REVISION}-${BRANCH} .endfor .endif +VOLUME_LABEL= ${OSRELEASE:C/[-\.]/_/g:S/^$${TYPE}_//} + .if !exists(${DOCDIR}) NODOC= true .endif
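Review bot: `VOLUME_LABEL` is `${OSRELEASE}` with `-` and `.` mapped to `_` and the `${TYPE}_` prefix stripped, and the targets in the next hunk append `_CD`, `_UEFICD`, `_UEFIBO`, `_DVD`, `_UEFIDVD` or `_BO`; nothing bounds the result. An ISO 9660 volume identifier is at most 32 characters and, strictly, uppercase letters, digits and `_`, while `${BRANCH}` can carry lowercase text, so a long branch string plus `_UEFIDVD` can run past the limit or be truncated or upper-cased by the `mkisoimages*.sh` scripts without anyone noticing. Either document the accepted form next to the assignment or fail the build when the label is over 32 characters, so the "more descriptive metadata" the log promises is the label that actually lands on the disc. Also note in a comment that `:S/^$${TYPE}_//` runs after the `C/[-\.]/_/g` pass and only matches because `${TYPE}` itself contains no `-` or `.`.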
@@ -254,28 +256,31 @@ dvd: release.iso: disc1.iso disc1.iso: system - sh ${.CURDIR}/${TARGET}/mkisoimages.sh -b FreeBSD_Install ${.TARGET} release + sh ${.CURDIR}/${TARGET}/mkisoimages.sh -b ${VOLUME_LABEL}_CD ${.TARGET} release uefi-disc1.iso: system .if exists(${.CURDIR}/${TARGET}/mkisoimages-uefi.sh) - sh ${.CURDIR}/${TARGET}/mkisoimages-uefi.sh -b FreeBSD_Install ${.TARGET} release + sh ${.CURDIR}/${TARGET}/mkisoimages-uefi.sh -b ${VOLUME_LABEL}_UEFICD \ + ${.TARGET} release .endif uefi-bootonly.iso: bootonly .if exists(${.CURDIR}/${TARGET}/mkisoimages-uefi.sh) - sh ${.CURDIR}/${TARGET}/mkisoimages-uefi.sh -b FreeBSD_Install ${.TARGET} bootonly + sh ${.CURDIR}/${TARGET}/mkisoimages-uefi.sh -b ${VOLUME_LABEL}_UEFIBO \ + ${.TARGET} bootonly .endif dvd1.iso: dvd pkg-stage - sh ${.CURDIR}/${TARGET}/mkisoimages.sh -b FreeBSD_Install ${.TARGET} dvd + sh ${.CURDIR}/${TARGET}/mkisoimages.sh -b ${VOLUME_LABEL}_DVD ${.TARGET} dvd uefi-dvd1.iso: dvd pkg-stage .if exists(${.CURDIR}/${TARGET}/mkisoimages-uefi.sh) - sh ${.CURDIR}/${TARGET}/mkisoimages-uefi.sh -b FreeBSD_Install ${.TARGET} dvd + sh ${.CURDIR}/${TARGET}/mkisoimages-uefi.sh -b ${VOLUME_LABEL}_UEFIDVD \ + ${.TARGET} dvd .endif bootonly.iso: bootonly - sh ${.CURDIR}/${TARGET}/mkisoimages.sh -b FreeBSD_Install ${.TARGET} bootonly + sh ${.CURDIR}/${TARGET}/mkisoimages.sh -b ${VOLUME_LABEL}_BO ${.TARGET} bootonly memstick: memstick.img memstick.img: system From owner-svn-src-releng@FreeBSD.ORG Tue Oct 21 16:20:24 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CA3A7BB6; Tue, 21 Oct 2014 16:20:24 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a 
certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AB3BE307;
        Tue, 21 Oct 2014 16:20:24 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
        by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9LGKO2H048834;
        Tue, 21 Oct 2014 16:20:24 GMT
        (envelope-from emaste@FreeBSD.org)
Received: (from emaste@localhost)
        by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9LGKOWr048832;
        Tue, 21 Oct 2014 16:20:24 GMT
        (envelope-from emaste@FreeBSD.org)
Message-Id: <201410211620.s9LGKOWr048832@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: emaste set sender to emaste@FreeBSD.org using -f
From: Ed Maste
Date: Tue, 21 Oct 2014 16:20:24 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r273386 - releng/10.1/share/man/man8
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to the src tree
X-List-Received-Date: Tue, 21 Oct 2014 16:20:25 -0000

Author: emaste
Date: Tue Oct 21 16:20:23 2014
New Revision: 273386
URL: https://svnweb.freebsd.org/changeset/base/273386

Log:
  Add basic UEFI boot procedure manpage

  MFS10 of r273385 (r273218,r273235 in HEAD)

  Approved by:  re (gjb)

Added:
  releng/10.1/share/man/man8/uefi.8
     - copied unchanged from r273385, stable/10/share/man/man8/uefi.8
Modified:
  releng/10.1/share/man/man8/Makefile
Directory Properties:
  releng/10.1/   (props changed)

Modified: releng/10.1/share/man/man8/Makefile
==============================================================================
--- releng/10.1/share/man/man8/Makefile Tue Oct 21 14:47:26 2014        (r273385)
+++ releng/10.1/share/man/man8/Makefile Tue Oct 21 16:20:23 2014        (r273386)
@@ -11,6 +11,7 @@ MAN= crash.8 \ rc.sendmail.8 \ rc.subr.8 \ rescue.8 \ + ${_uefi.8} \ yp.8 MLINKS= rc.8 rc.atm.8 \ @@ -25,4 +26,8 @@ MLINKS+=yp.8 NIS.8 \ yp.8 nis.8 \ yp.8 YP.8 +.if ${MACHINE_CPUARCH} == "amd64" +_uefi.8= uefi.8 +.endif + .include Copied: releng/10.1/share/man/man8/uefi.8 (from r273385, stable/10/share/man/man8/uefi.8) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ releng/10.1/share/man/man8/uefi.8 Tue Oct 21 16:20:23 2014 (r273386, copy of r273385, stable/10/share/man/man8/uefi.8) 
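Review bot: `_uefi.8` is only defined under `.if ${MACHINE_CPUARCH} == "amd64"`, so the page is installed nowhere else, yet the page it installs says UEFI "is also used on arm64 and ia64" and documents `/EFI/BOOT/BOOTX64.EFI`, an amd64-only path. Either say in the DESCRIPTION that the procedure described is the amd64 one (HISTORY already scopes support to FreeBSD 10.1) or install the page on the other architectures; as committed, the Makefile restriction and the page's own claim disagree. The `.if` block also sits after the `MAN=` list that references `${_uefi.8}`; that works because `MAN=` is expanded lazily, but a one-line comment above the block would spare the next reader the check.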
@@ -0,0 +1,152 @@ +.\" Copyright (c) 2014 The FreeBSD Foundation +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd October 17, 2014 +.Dt UEFI 8 +.Os +.Sh NAME +.Nm UEFI +.Nd Unified Extensible Firmware Interface bootstrapping procedures +.Sh DESCRIPTION +The +.Nm +Unified Extensible Firmware Interface provides boot- and run-time services +to operating systems. +.Nm +is a replacement for the legacy BIOS on the i386 and amd64 CPU architectures, +and is also used on arm64 and ia64. +.Pp +The +.Nm +boot process loads system bootstrap code located in an EFI System Partition +(ESP). 
+The ESP is a GPT or MBR partition with a specific identifier that contains an +.Xr msdosfs 5 +FAT file system with a specified file hierarchy. +.Bl -column -offset indent ".Sy Partition Scheme" ".Sy ESP Identifier" +.It Sy "Partition Scheme" Ta Sy "ESP Identifier" +.It GPT Ta C12A7328-F81F-11D2-BA4B-00A0C93EC93B +.It MBR Ta 0xEF +.El +.Pp +The +.Nm +boot process proceeds as follows: +.Bl -enum -offset indent -compact +.It +.Nm +firmware runs at power up and searches for an OS loader in the EFI system +partition. +The path to the loader may be set by an EFI environment variable. +If not set, the default is +.Pa /EFI/BOOT/BOOTX64.EFI . +The default +.Nm +boot configuration for +.Fx +installs +.Pa boot1.efi +as +.Pa /EFI/BOOT/BOOTX64.EFI . +.It +.Pa boot1.efi +locates the first partition with the type +.Li freebsd-ufs , +and from it loads +.Pa loader.efi . +.It +.Pa loader.efi +loads and boots the kernel, as described in +.Xr loader 8 . +.El +.Pp +The +.Xr vt 4 +system console is automatically selected when booting via +.Nm . +.Sh FILES +.Bl -tag -width /boot/loader -compact +.It Pa /boot/boot1.efi +First stage +.Nm +bootstrap +.It Pa /boot/boot1.efifat +.Xr msdosfs 5 +FAT file system image containing +.Pa boot1.efi +for use by +.Xr bsdinstall 8 +and the +.Ar bootcode +argument to +.Xr gpart 8 . +.It Pa /boot/loader.efi +Final stage bootstrap +.It Pa /boot/kernel/kernel +default kernel +.It Pa /boot/kernel.old/kernel +typical non-default kernel (optional) +.El +.Sh SEE ALSO +.Xr vt 4 , +.Xr msdosfs 5 , +.Xr boot 8 , +.Xr gpart 8 +.Sh HISTORY +.Nm +boot support first appeared in +.Fx 10.1 . +.Sh AUTHORS +.An -nosplit +.Nm +boot support was developed by +.An Benno Rice Aq Mt benno@FreeBSD.org , +.An Ed Maste Aq Mt emaste@FreeBSD.org , +and +.An Nathan Whitehorn Aq Mt nwhitehorn@FreeBSD.org . +The +.Fx +Foundation sponsored portions of the work. +.Sh CAVEATS +EFI environment variables are not supported by +.Xr loader 8 +or the kernel. 
+.Pp +.Pa boot1.efi +loads +.Pa loader.efi +from the first FreeBSD-UFS file system it locates, even if it is on a +different disk. +.Pp +.Pa boot1.efi +cannot load +.Pa loader.efi +from a +.Xr ZFS 8 +file system. +As a result, +.Nm +does not support a typical root file system on ZFS configuration. From owner-svn-src-releng@FreeBSD.ORG Tue Oct 21 19:00:38 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D4E9F4A0; Tue, 21 Oct 2014 19:00:38 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BB9428EC; Tue, 21 Oct 2014 19:00:38 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9LJ0cSE030550; Tue, 21 Oct 2014 19:00:38 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9LJ0XiD030248; Tue, 21 Oct 2014 19:00:33 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201410211900.s9LJ0XiD030248@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f 
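Review bot: `.Xr ZFS 8` in CAVEATS points at a page that does not exist under that name; mdoc cross-references are case-sensitive and the page is zfs(8), so this should be `.Xr zfs 8`. The CAVEATS entry that `boot1.efi` loads `loader.efi` "from the first FreeBSD-UFS file system it locates, even if it is on a different disk" is also a security statement, not just an inconvenience: whichever freebsd-ufs partition the firmware enumerates first, including one on a removable or foreign disk, supplies the code that goes on to load the kernel, and the page describes no check on that partition or on `loader.efi` before it runs. Say so plainly, and that firmware disk ordering rather than anything in FreeBSD decides which partition wins, so administrators understand that disk order is part of the boot trust chain. Minor: FILES mixes capitalised and lowercase descriptions ("First stage", "default kernel"); pick one.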
From: Xin LI
Date: Tue, 21 Oct 2014 19:00:33 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r273399 - in releng/10.1: . crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/aes/asm crypto/openssl/crypto/asn1 crypto/openssl/crypto/bn crypto/openssl/cry...
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to the src tree
X-List-Received-Date: Tue, 21 Oct 2014 19:00:39 -0000

Author: delphij
Date: Tue Oct 21 19:00:32 2014
New Revision: 273399
URL: https://svnweb.freebsd.org/changeset/base/273399

Log:
  MFS r273149 (jkim):

  MFC:  r273144, r273146

  Merge OpenSSL 1.0.1j.

  This is part of an upcoming FreeBSD security advisory.

  Approved by:  re (so@ blanket)

Added:
  releng/10.1/crypto/openssl/crypto/constant_time_locl.h
     - copied unchanged from r273149, stable/10/crypto/openssl/crypto/constant_time_locl.h
  releng/10.1/crypto/openssl/crypto/constant_time_test.c
     - copied unchanged from r273149, stable/10/crypto/openssl/crypto/constant_time_test.c
  releng/10.1/crypto/openssl/doc/apps/c_rehash.pod
     - copied unchanged from r273149, stable/10/crypto/openssl/doc/apps/c_rehash.pod
  releng/10.1/crypto/openssl/doc/crypto/CMS_add1_signer.pod
     - copied unchanged from r273149, stable/10/crypto/openssl/doc/crypto/CMS_add1_signer.pod
  releng/10.1/secure/lib/libcrypto/man/CMS_add1_signer.3
     - copied unchanged from r273149, stable/10/secure/lib/libcrypto/man/CMS_add1_signer.3
  releng/10.1/secure/usr.bin/openssl/man/c_rehash.1
     - copied unchanged from r273149, stable/10/secure/usr.bin/openssl/man/c_rehash.1
Deleted:
  releng/10.1/crypto/openssl/doc/crypto/CMS_sign_add1_signer.pod
  releng/10.1/secure/lib/libcrypto/man/CMS_sign_add1_signer.3
Modified:
  releng/10.1/ObsoleteFiles.inc
  releng/10.1/crypto/openssl/CHANGES
  releng/10.1/crypto/openssl/Configure
  releng/10.1/crypto/openssl/Makefile
  releng/10.1/crypto/openssl/NEWS
  releng/10.1/crypto/openssl/README
  releng/10.1/crypto/openssl/apps/s_client.c
  releng/10.1/crypto/openssl/crypto/Makefile
  releng/10.1/crypto/openssl/crypto/aes/asm/aesni-x86_64.pl
  releng/10.1/crypto/openssl/crypto/asn1/a_strex.c
  releng/10.1/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
  releng/10.1/crypto/openssl/crypto/bn/bn_exp.c
  releng/10.1/crypto/openssl/crypto/bn/bn_nist.c
  releng/10.1/crypto/openssl/crypto/bn/exptest.c
  releng/10.1/crypto/openssl/crypto/dsa/dsa_ameth.c
  releng/10.1/crypto/openssl/crypto/ebcdic.h
  releng/10.1/crypto/openssl/crypto/ec/ec.h
  releng/10.1/crypto/openssl/crypto/ec/ec2_smpl.c
  releng/10.1/crypto/openssl/crypto/ec/ec_ameth.c
  releng/10.1/crypto/openssl/crypto/ec/ec_asn1.c
  releng/10.1/crypto/openssl/crypto/ec/ecp_mont.c
  releng/10.1/crypto/openssl/crypto/ec/ecp_nist.c
  releng/10.1/crypto/openssl/crypto/ec/ecp_smpl.c
  releng/10.1/crypto/openssl/crypto/ec/ectest.c
  releng/10.1/crypto/openssl/crypto/evp/Makefile
  releng/10.1/crypto/openssl/crypto/evp/e_aes.c
  releng/10.1/crypto/openssl/crypto/evp/evp_enc.c
  releng/10.1/crypto/openssl/crypto/md5/asm/md5-x86_64.pl
  releng/10.1/crypto/openssl/crypto/modes/modes.h
  releng/10.1/crypto/openssl/crypto/ocsp/ocsp_vfy.c
  releng/10.1/crypto/openssl/crypto/opensslconf.h
  releng/10.1/crypto/openssl/crypto/opensslv.h
  releng/10.1/crypto/openssl/crypto/ossl_typ.h
  releng/10.1/crypto/openssl/crypto/pkcs7/pkcs7.h
  releng/10.1/crypto/openssl/crypto/pqueue/pqueue.h
  releng/10.1/crypto/openssl/crypto/rsa/Makefile
  releng/10.1/crypto/openssl/crypto/rsa/rsa.h
  releng/10.1/crypto/openssl/crypto/rsa/rsa_err.c
  releng/10.1/crypto/openssl/crypto/rsa/rsa_oaep.c
  releng/10.1/crypto/openssl/crypto/rsa/rsa_pk1.c
  releng/10.1/crypto/openssl/crypto/rsa/rsa_sign.c
  releng/10.1/crypto/openssl/crypto/stack/safestack.h
  releng/10.1/crypto/openssl/doc/apps/dgst.pod
  releng/10.1/crypto/openssl/doc/crypto/BIO_s_accept.pod
  releng/10.1/crypto/openssl/doc/crypto/EVP_DigestInit.pod
  releng/10.1/crypto/openssl/doc/crypto/EVP_DigestVerifyInit.pod
  releng/10.1/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
  releng/10.1/crypto/openssl/doc/crypto/EVP_PKEY_set1_RSA.pod
  releng/10.1/crypto/openssl/doc/crypto/EVP_PKEY_sign.pod
  releng/10.1/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod
  releng/10.1/crypto/openssl/e_os.h
  releng/10.1/crypto/openssl/ssl/Makefile
  releng/10.1/crypto/openssl/ssl/d1_both.c
  releng/10.1/crypto/openssl/ssl/d1_lib.c
  releng/10.1/crypto/openssl/ssl/d1_srtp.c
  releng/10.1/crypto/openssl/ssl/dtls1.h
  releng/10.1/crypto/openssl/ssl/s23_clnt.c
  releng/10.1/crypto/openssl/ssl/s23_srvr.c
  releng/10.1/crypto/openssl/ssl/s2_lib.c
  releng/10.1/crypto/openssl/ssl/s3_cbc.c
  releng/10.1/crypto/openssl/ssl/s3_clnt.c
  releng/10.1/crypto/openssl/ssl/s3_enc.c
  releng/10.1/crypto/openssl/ssl/s3_lib.c
  releng/10.1/crypto/openssl/ssl/s3_pkt.c
  releng/10.1/crypto/openssl/ssl/s3_srvr.c
  releng/10.1/crypto/openssl/ssl/srtp.h
  releng/10.1/crypto/openssl/ssl/ssl.h
  releng/10.1/crypto/openssl/ssl/ssl3.h
  releng/10.1/crypto/openssl/ssl/ssl_err.c
  releng/10.1/crypto/openssl/ssl/ssl_lib.c
  releng/10.1/crypto/openssl/ssl/t1_enc.c
  releng/10.1/crypto/openssl/ssl/t1_lib.c
  releng/10.1/crypto/openssl/ssl/tls1.h
  releng/10.1/crypto/openssl/util/mk1mf.pl
  releng/10.1/crypto/openssl/util/mkdef.pl
  releng/10.1/crypto/openssl/util/ssleay.num
  releng/10.1/secure/lib/libcrypto/Makefile.inc
  releng/10.1/secure/lib/libcrypto/Makefile.man
  releng/10.1/secure/lib/libcrypto/man/ASN1_OBJECT_new.3
  releng/10.1/secure/lib/libcrypto/man/ASN1_STRING_length.3
  releng/10.1/secure/lib/libcrypto/man/ASN1_STRING_new.3
  releng/10.1/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3
  releng/10.1/secure/lib/libcrypto/man/ASN1_generate_nconf.3
  releng/10.1/secure/lib/libcrypto/man/BIO_ctrl.3
  releng/10.1/secure/lib/libcrypto/man/BIO_f_base64.3
  releng/10.1/secure/lib/libcrypto/man/BIO_f_buffer.3
  releng/10.1/secure/lib/libcrypto/man/BIO_f_cipher.3
  releng/10.1/secure/lib/libcrypto/man/BIO_f_md.3
  releng/10.1/secure/lib/libcrypto/man/BIO_f_null.3
  releng/10.1/secure/lib/libcrypto/man/BIO_f_ssl.3
  releng/10.1/secure/lib/libcrypto/man/BIO_find_type.3
  releng/10.1/secure/lib/libcrypto/man/BIO_new.3
  releng/10.1/secure/lib/libcrypto/man/BIO_new_CMS.3
  releng/10.1/secure/lib/libcrypto/man/BIO_push.3
  releng/10.1/secure/lib/libcrypto/man/BIO_read.3
  releng/10.1/secure/lib/libcrypto/man/BIO_s_accept.3
  releng/10.1/secure/lib/libcrypto/man/BIO_s_bio.3
  releng/10.1/secure/lib/libcrypto/man/BIO_s_connect.3
  releng/10.1/secure/lib/libcrypto/man/BIO_s_fd.3
  releng/10.1/secure/lib/libcrypto/man/BIO_s_file.3
  releng/10.1/secure/lib/libcrypto/man/BIO_s_mem.3
  releng/10.1/secure/lib/libcrypto/man/BIO_s_null.3
  releng/10.1/secure/lib/libcrypto/man/BIO_s_socket.3
  releng/10.1/secure/lib/libcrypto/man/BIO_set_callback.3
  releng/10.1/secure/lib/libcrypto/man/BIO_should_retry.3
releng/10.1/secure/lib/libcrypto/man/BN_BLINDING_new.3 releng/10.1/secure/lib/libcrypto/man/BN_CTX_new.3 releng/10.1/secure/lib/libcrypto/man/BN_CTX_start.3 releng/10.1/secure/lib/libcrypto/man/BN_add.3 releng/10.1/secure/lib/libcrypto/man/BN_add_word.3 releng/10.1/secure/lib/libcrypto/man/BN_bn2bin.3 releng/10.1/secure/lib/libcrypto/man/BN_cmp.3 releng/10.1/secure/lib/libcrypto/man/BN_copy.3 releng/10.1/secure/lib/libcrypto/man/BN_generate_prime.3 releng/10.1/secure/lib/libcrypto/man/BN_mod_inverse.3 releng/10.1/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 releng/10.1/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 releng/10.1/secure/lib/libcrypto/man/BN_new.3 releng/10.1/secure/lib/libcrypto/man/BN_num_bytes.3 releng/10.1/secure/lib/libcrypto/man/BN_rand.3 releng/10.1/secure/lib/libcrypto/man/BN_set_bit.3 releng/10.1/secure/lib/libcrypto/man/BN_swap.3 releng/10.1/secure/lib/libcrypto/man/BN_zero.3 releng/10.1/secure/lib/libcrypto/man/CMS_add0_cert.3 releng/10.1/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3 releng/10.1/secure/lib/libcrypto/man/CMS_compress.3 releng/10.1/secure/lib/libcrypto/man/CMS_decrypt.3 releng/10.1/secure/lib/libcrypto/man/CMS_encrypt.3 releng/10.1/secure/lib/libcrypto/man/CMS_final.3 releng/10.1/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3 releng/10.1/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3 releng/10.1/secure/lib/libcrypto/man/CMS_get0_type.3 releng/10.1/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 releng/10.1/secure/lib/libcrypto/man/CMS_sign.3 releng/10.1/secure/lib/libcrypto/man/CMS_sign_receipt.3 releng/10.1/secure/lib/libcrypto/man/CMS_uncompress.3 releng/10.1/secure/lib/libcrypto/man/CMS_verify.3 releng/10.1/secure/lib/libcrypto/man/CMS_verify_receipt.3 releng/10.1/secure/lib/libcrypto/man/CONF_modules_free.3 releng/10.1/secure/lib/libcrypto/man/CONF_modules_load_file.3 releng/10.1/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 releng/10.1/secure/lib/libcrypto/man/DH_generate_key.3 
releng/10.1/secure/lib/libcrypto/man/DH_generate_parameters.3 releng/10.1/secure/lib/libcrypto/man/DH_get_ex_new_index.3 releng/10.1/secure/lib/libcrypto/man/DH_new.3 releng/10.1/secure/lib/libcrypto/man/DH_set_method.3 releng/10.1/secure/lib/libcrypto/man/DH_size.3 releng/10.1/secure/lib/libcrypto/man/DSA_SIG_new.3 releng/10.1/secure/lib/libcrypto/man/DSA_do_sign.3 releng/10.1/secure/lib/libcrypto/man/DSA_dup_DH.3 releng/10.1/secure/lib/libcrypto/man/DSA_generate_key.3 releng/10.1/secure/lib/libcrypto/man/DSA_generate_parameters.3 releng/10.1/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 releng/10.1/secure/lib/libcrypto/man/DSA_new.3 releng/10.1/secure/lib/libcrypto/man/DSA_set_method.3 releng/10.1/secure/lib/libcrypto/man/DSA_sign.3 releng/10.1/secure/lib/libcrypto/man/DSA_size.3 releng/10.1/secure/lib/libcrypto/man/ERR_GET_LIB.3 releng/10.1/secure/lib/libcrypto/man/ERR_clear_error.3 releng/10.1/secure/lib/libcrypto/man/ERR_error_string.3 releng/10.1/secure/lib/libcrypto/man/ERR_get_error.3 releng/10.1/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 releng/10.1/secure/lib/libcrypto/man/ERR_load_strings.3 releng/10.1/secure/lib/libcrypto/man/ERR_print_errors.3 releng/10.1/secure/lib/libcrypto/man/ERR_put_error.3 releng/10.1/secure/lib/libcrypto/man/ERR_remove_state.3 releng/10.1/secure/lib/libcrypto/man/ERR_set_mark.3 releng/10.1/secure/lib/libcrypto/man/EVP_BytesToKey.3 releng/10.1/secure/lib/libcrypto/man/EVP_DigestInit.3 releng/10.1/secure/lib/libcrypto/man/EVP_DigestSignInit.3 releng/10.1/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3 releng/10.1/secure/lib/libcrypto/man/EVP_EncryptInit.3 releng/10.1/secure/lib/libcrypto/man/EVP_OpenInit.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_cmp.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_derive.3 
releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_keygen.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_new.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_print_private.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_sign.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_verify.3 releng/10.1/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3 releng/10.1/secure/lib/libcrypto/man/EVP_SealInit.3 releng/10.1/secure/lib/libcrypto/man/EVP_SignInit.3 releng/10.1/secure/lib/libcrypto/man/EVP_VerifyInit.3 releng/10.1/secure/lib/libcrypto/man/OBJ_nid2obj.3 releng/10.1/secure/lib/libcrypto/man/OPENSSL_Applink.3 releng/10.1/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 releng/10.1/secure/lib/libcrypto/man/OPENSSL_config.3 releng/10.1/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 releng/10.1/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 releng/10.1/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 releng/10.1/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 releng/10.1/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 releng/10.1/secure/lib/libcrypto/man/PKCS12_create.3 releng/10.1/secure/lib/libcrypto/man/PKCS12_parse.3 releng/10.1/secure/lib/libcrypto/man/PKCS7_decrypt.3 releng/10.1/secure/lib/libcrypto/man/PKCS7_encrypt.3 releng/10.1/secure/lib/libcrypto/man/PKCS7_sign.3 releng/10.1/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3 releng/10.1/secure/lib/libcrypto/man/PKCS7_verify.3 releng/10.1/secure/lib/libcrypto/man/RAND_add.3 releng/10.1/secure/lib/libcrypto/man/RAND_bytes.3 releng/10.1/secure/lib/libcrypto/man/RAND_cleanup.3 releng/10.1/secure/lib/libcrypto/man/RAND_egd.3 releng/10.1/secure/lib/libcrypto/man/RAND_load_file.3 releng/10.1/secure/lib/libcrypto/man/RAND_set_rand_method.3 releng/10.1/secure/lib/libcrypto/man/RSA_blinding_on.3 
releng/10.1/secure/lib/libcrypto/man/RSA_check_key.3 releng/10.1/secure/lib/libcrypto/man/RSA_generate_key.3 releng/10.1/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 releng/10.1/secure/lib/libcrypto/man/RSA_new.3 releng/10.1/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 releng/10.1/secure/lib/libcrypto/man/RSA_print.3 releng/10.1/secure/lib/libcrypto/man/RSA_private_encrypt.3 releng/10.1/secure/lib/libcrypto/man/RSA_public_encrypt.3 releng/10.1/secure/lib/libcrypto/man/RSA_set_method.3 releng/10.1/secure/lib/libcrypto/man/RSA_sign.3 releng/10.1/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 releng/10.1/secure/lib/libcrypto/man/RSA_size.3 releng/10.1/secure/lib/libcrypto/man/SMIME_read_CMS.3 releng/10.1/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 releng/10.1/secure/lib/libcrypto/man/SMIME_write_CMS.3 releng/10.1/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 releng/10.1/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 releng/10.1/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 releng/10.1/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 releng/10.1/secure/lib/libcrypto/man/X509_NAME_print_ex.3 releng/10.1/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3 releng/10.1/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 releng/10.1/secure/lib/libcrypto/man/X509_STORE_CTX_new.3 releng/10.1/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 releng/10.1/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 releng/10.1/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 releng/10.1/secure/lib/libcrypto/man/X509_new.3 releng/10.1/secure/lib/libcrypto/man/X509_verify_cert.3 releng/10.1/secure/lib/libcrypto/man/bio.3 releng/10.1/secure/lib/libcrypto/man/blowfish.3 releng/10.1/secure/lib/libcrypto/man/bn.3 releng/10.1/secure/lib/libcrypto/man/bn_internal.3 releng/10.1/secure/lib/libcrypto/man/buffer.3 releng/10.1/secure/lib/libcrypto/man/crypto.3 releng/10.1/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 
releng/10.1/secure/lib/libcrypto/man/d2i_DHparams.3 releng/10.1/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 releng/10.1/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 releng/10.1/secure/lib/libcrypto/man/d2i_RSAPublicKey.3 releng/10.1/secure/lib/libcrypto/man/d2i_X509.3 releng/10.1/secure/lib/libcrypto/man/d2i_X509_ALGOR.3 releng/10.1/secure/lib/libcrypto/man/d2i_X509_CRL.3 releng/10.1/secure/lib/libcrypto/man/d2i_X509_NAME.3 releng/10.1/secure/lib/libcrypto/man/d2i_X509_REQ.3 releng/10.1/secure/lib/libcrypto/man/d2i_X509_SIG.3 releng/10.1/secure/lib/libcrypto/man/des.3 releng/10.1/secure/lib/libcrypto/man/dh.3 releng/10.1/secure/lib/libcrypto/man/dsa.3 releng/10.1/secure/lib/libcrypto/man/ecdsa.3 releng/10.1/secure/lib/libcrypto/man/engine.3 releng/10.1/secure/lib/libcrypto/man/err.3 releng/10.1/secure/lib/libcrypto/man/evp.3 releng/10.1/secure/lib/libcrypto/man/hmac.3 releng/10.1/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3 releng/10.1/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 releng/10.1/secure/lib/libcrypto/man/lh_stats.3 releng/10.1/secure/lib/libcrypto/man/lhash.3 releng/10.1/secure/lib/libcrypto/man/md5.3 releng/10.1/secure/lib/libcrypto/man/mdc2.3 releng/10.1/secure/lib/libcrypto/man/pem.3 releng/10.1/secure/lib/libcrypto/man/rand.3 releng/10.1/secure/lib/libcrypto/man/rc4.3 releng/10.1/secure/lib/libcrypto/man/ripemd.3 releng/10.1/secure/lib/libcrypto/man/rsa.3 releng/10.1/secure/lib/libcrypto/man/sha.3 releng/10.1/secure/lib/libcrypto/man/threads.3 releng/10.1/secure/lib/libcrypto/man/ui.3 releng/10.1/secure/lib/libcrypto/man/ui_compat.3 releng/10.1/secure/lib/libcrypto/man/x509.3 releng/10.1/secure/lib/libssl/man/SSL_CIPHER_get_name.3 releng/10.1/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_add_session.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_ctrl.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 
releng/10.1/secure/lib/libssl/man/SSL_CTX_free.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_new.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_sess_number.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_sessions.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_mode.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_options.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_timeout.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_set_verify.3 releng/10.1/secure/lib/libssl/man/SSL_CTX_use_certificate.3 
releng/10.1/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 releng/10.1/secure/lib/libssl/man/SSL_SESSION_free.3 releng/10.1/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 releng/10.1/secure/lib/libssl/man/SSL_SESSION_get_time.3 releng/10.1/secure/lib/libssl/man/SSL_accept.3 releng/10.1/secure/lib/libssl/man/SSL_alert_type_string.3 releng/10.1/secure/lib/libssl/man/SSL_clear.3 releng/10.1/secure/lib/libssl/man/SSL_connect.3 releng/10.1/secure/lib/libssl/man/SSL_do_handshake.3 releng/10.1/secure/lib/libssl/man/SSL_free.3 releng/10.1/secure/lib/libssl/man/SSL_get_SSL_CTX.3 releng/10.1/secure/lib/libssl/man/SSL_get_ciphers.3 releng/10.1/secure/lib/libssl/man/SSL_get_client_CA_list.3 releng/10.1/secure/lib/libssl/man/SSL_get_current_cipher.3 releng/10.1/secure/lib/libssl/man/SSL_get_default_timeout.3 releng/10.1/secure/lib/libssl/man/SSL_get_error.3 releng/10.1/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 releng/10.1/secure/lib/libssl/man/SSL_get_ex_new_index.3 releng/10.1/secure/lib/libssl/man/SSL_get_fd.3 releng/10.1/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 releng/10.1/secure/lib/libssl/man/SSL_get_peer_certificate.3 releng/10.1/secure/lib/libssl/man/SSL_get_psk_identity.3 releng/10.1/secure/lib/libssl/man/SSL_get_rbio.3 releng/10.1/secure/lib/libssl/man/SSL_get_session.3 releng/10.1/secure/lib/libssl/man/SSL_get_verify_result.3 releng/10.1/secure/lib/libssl/man/SSL_get_version.3 releng/10.1/secure/lib/libssl/man/SSL_library_init.3 releng/10.1/secure/lib/libssl/man/SSL_load_client_CA_file.3 releng/10.1/secure/lib/libssl/man/SSL_new.3 releng/10.1/secure/lib/libssl/man/SSL_pending.3 releng/10.1/secure/lib/libssl/man/SSL_read.3 releng/10.1/secure/lib/libssl/man/SSL_rstate_string.3 releng/10.1/secure/lib/libssl/man/SSL_session_reused.3 releng/10.1/secure/lib/libssl/man/SSL_set_bio.3 releng/10.1/secure/lib/libssl/man/SSL_set_connect_state.3 releng/10.1/secure/lib/libssl/man/SSL_set_fd.3 releng/10.1/secure/lib/libssl/man/SSL_set_session.3 
releng/10.1/secure/lib/libssl/man/SSL_set_shutdown.3 releng/10.1/secure/lib/libssl/man/SSL_set_verify_result.3 releng/10.1/secure/lib/libssl/man/SSL_shutdown.3 releng/10.1/secure/lib/libssl/man/SSL_state_string.3 releng/10.1/secure/lib/libssl/man/SSL_want.3 releng/10.1/secure/lib/libssl/man/SSL_write.3 releng/10.1/secure/lib/libssl/man/d2i_SSL_SESSION.3 releng/10.1/secure/lib/libssl/man/ssl.3 releng/10.1/secure/usr.bin/openssl/Makefile.man releng/10.1/secure/usr.bin/openssl/man/CA.pl.1 releng/10.1/secure/usr.bin/openssl/man/asn1parse.1 releng/10.1/secure/usr.bin/openssl/man/ca.1 releng/10.1/secure/usr.bin/openssl/man/ciphers.1 releng/10.1/secure/usr.bin/openssl/man/cms.1 releng/10.1/secure/usr.bin/openssl/man/crl.1 releng/10.1/secure/usr.bin/openssl/man/crl2pkcs7.1 releng/10.1/secure/usr.bin/openssl/man/dgst.1 releng/10.1/secure/usr.bin/openssl/man/dhparam.1 releng/10.1/secure/usr.bin/openssl/man/dsa.1 releng/10.1/secure/usr.bin/openssl/man/dsaparam.1 releng/10.1/secure/usr.bin/openssl/man/ec.1 releng/10.1/secure/usr.bin/openssl/man/ecparam.1 releng/10.1/secure/usr.bin/openssl/man/enc.1 releng/10.1/secure/usr.bin/openssl/man/errstr.1 releng/10.1/secure/usr.bin/openssl/man/gendsa.1 releng/10.1/secure/usr.bin/openssl/man/genpkey.1 releng/10.1/secure/usr.bin/openssl/man/genrsa.1 releng/10.1/secure/usr.bin/openssl/man/nseq.1 releng/10.1/secure/usr.bin/openssl/man/ocsp.1 releng/10.1/secure/usr.bin/openssl/man/openssl.1 releng/10.1/secure/usr.bin/openssl/man/passwd.1 releng/10.1/secure/usr.bin/openssl/man/pkcs12.1 releng/10.1/secure/usr.bin/openssl/man/pkcs7.1 releng/10.1/secure/usr.bin/openssl/man/pkcs8.1 releng/10.1/secure/usr.bin/openssl/man/pkey.1 releng/10.1/secure/usr.bin/openssl/man/pkeyparam.1 releng/10.1/secure/usr.bin/openssl/man/pkeyutl.1 releng/10.1/secure/usr.bin/openssl/man/rand.1 releng/10.1/secure/usr.bin/openssl/man/req.1 releng/10.1/secure/usr.bin/openssl/man/rsa.1 releng/10.1/secure/usr.bin/openssl/man/rsautl.1 
releng/10.1/secure/usr.bin/openssl/man/s_client.1 releng/10.1/secure/usr.bin/openssl/man/s_server.1 releng/10.1/secure/usr.bin/openssl/man/s_time.1 releng/10.1/secure/usr.bin/openssl/man/sess_id.1 releng/10.1/secure/usr.bin/openssl/man/smime.1 releng/10.1/secure/usr.bin/openssl/man/speed.1 releng/10.1/secure/usr.bin/openssl/man/spkac.1 releng/10.1/secure/usr.bin/openssl/man/ts.1 releng/10.1/secure/usr.bin/openssl/man/tsget.1 releng/10.1/secure/usr.bin/openssl/man/verify.1 releng/10.1/secure/usr.bin/openssl/man/version.1 releng/10.1/secure/usr.bin/openssl/man/x509.1 releng/10.1/secure/usr.bin/openssl/man/x509v3_config.1 Directory Properties: releng/10.1/ (props changed) Modified: releng/10.1/ObsoleteFiles.inc ============================================================================== --- releng/10.1/ObsoleteFiles.inc Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/ObsoleteFiles.inc Tue Oct 21 19:00:32 2014 (r273399) @@ -38,6 +38,8 @@ # xargs -n1 | sort | uniq -d; # done +# 20141015: OpenSSL 1.0.1j import +OLD_FILES+=usr/share/openssl/man/man3/CMS_sign_add1_signer.3.gz # 20140917: hv_kvpd rc.d script removed in favor of devd configuration OLD_FILES+=etc/rc.d/hv_kvpd # 20140814: libopie version bump Modified: releng/10.1/crypto/openssl/CHANGES ============================================================================== --- releng/10.1/crypto/openssl/CHANGES Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/CHANGES Tue Oct 21 19:00:32 2014 (r273399) 
@@ -2,6 +2,57 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1i and 1.0.1j [15 Oct 2014] + + *) SRTP Memory Leak. + + A flaw in the DTLS SRTP extension parsing code allows an attacker, who + sends a carefully crafted handshake message, to cause OpenSSL to fail + to free up to 64k of memory causing a memory leak. This could be + exploited in a Denial Of Service attack. This issue affects OpenSSL + 1.0.1 server implementations for both SSL/TLS and DTLS regardless of + whether SRTP is used or configured. Implementations of OpenSSL that + have been compiled with OPENSSL_NO_SRTP defined are not affected. + + The fix was developed by the OpenSSL team. + (CVE-2014-3513) + [OpenSSL team] + + *) Session Ticket Memory Leak. + + When an OpenSSL SSL/TLS/DTLS server receives a session ticket the + integrity of that ticket is first verified. In the event of a session + ticket integrity check failing, OpenSSL will fail to free memory + causing a memory leak. By sending a large number of invalid session + tickets an attacker could exploit this issue in a Denial Of Service + attack. + (CVE-2014-3567) + [Steve Henson] + + *) Build option no-ssl3 is incomplete. + + When OpenSSL is configured with "no-ssl3" as a build option, servers + could accept and complete a SSL 3.0 handshake, and clients could be + configured to send them. + (CVE-2014-3568) + [Akamai and the OpenSSL team] + + *) Add support for TLS_FALLBACK_SCSV. + Client applications doing fallback retries should call + SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). + (CVE-2014-3566) + [Adam Langley, Bodo Moeller] + + *) Add additional DigestInfo checks. + + Reencode DigestInto in DER and check against the original when + verifying RSA signature: this will reject any improperly encoded + DigestInfo structures. + + Note: this is a precautionary measure and no attacks are currently known. + + [Steve Henson] + Changes between 1.0.1h and 1.0.1i [6 Aug 2014] *) Fix SRP buffer overrun vulnerability. 
Invalid parameters passed to the Modified: releng/10.1/crypto/openssl/Configure ============================================================================== --- releng/10.1/crypto/openssl/Configure Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/Configure Tue Oct 21 19:00:32 2014 (r273399) @@ -1767,6 +1767,9 @@ open(OUT,'>crypto/opensslconf.h.new') || print OUT "/* opensslconf.h */\n"; print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configure. */\n\n"; +print OUT "#ifdef __cplusplus\n"; +print OUT "extern \"C\" {\n"; +print OUT "#endif\n"; print OUT "/* OpenSSL was configured with the following options: */\n"; my $openssl_algorithm_defines_trans = $openssl_algorithm_defines; $openssl_experimental_defines =~ s/^\s*#\s*define\s+OPENSSL_NO_(.*)/#ifndef OPENSSL_EXPERIMENTAL_$1\n# ifndef OPENSSL_NO_$1\n# define OPENSSL_NO_$1\n# endif\n#endif/mg; @@ -1871,6 +1874,9 @@ while () { print OUT $_; } } close(IN); +print OUT "#ifdef __cplusplus\n"; +print OUT "}\n"; +print OUT "#endif\n"; close(OUT); rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h"; rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n"; Modified: releng/10.1/crypto/openssl/Makefile ============================================================================== --- releng/10.1/crypto/openssl/Makefile Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/Makefile Tue Oct 21 19:00:32 2014 (r273399) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.1i +VERSION=1.0.1j MAJOR=1 MINOR=0.1 SHLIB_VERSION_NUMBER=1.0.0 Modified: releng/10.1/crypto/openssl/NEWS ============================================================================== --- releng/10.1/crypto/openssl/NEWS Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/NEWS Tue Oct 21 19:00:32 2014 (r273399) 
@@ -5,6 +5,13 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014] + + o Fix for CVE-2014-3513 + o Fix for CVE-2014-3567 + o Mitigation for CVE-2014-3566 (SSL protocol vulnerability) + o Fix for CVE-2014-3568 + Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014] o Fix for CVE-2014-3512 Modified: releng/10.1/crypto/openssl/README ============================================================================== --- releng/10.1/crypto/openssl/README Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/README Tue Oct 21 19:00:32 2014 (r273399) @@ -1,5 +1,5 @@ - OpenSSL 1.0.1i 6 Aug 2014 + OpenSSL 1.0.1j 15 Oct 2014 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: releng/10.1/crypto/openssl/apps/s_client.c ============================================================================== --- releng/10.1/crypto/openssl/apps/s_client.c Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/apps/s_client.c Tue Oct 21 19:00:32 2014 (r273399) @@ -337,6 +337,7 @@ static void sc_usage(void) BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); + BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n"); BIO_printf(bio_err," -mtu - set the link layer MTU\n"); BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); @@ -617,6 +618,7 @@ int MAIN(int argc, char **argv) char *sess_out = NULL; struct sockaddr peer; int peerlen = sizeof(peer); + int fallback_scsv = 0; int enable_timeouts = 0 ; long socket_mtu = 0; #ifndef OPENSSL_NO_JPAKE 
@@ -823,6 +825,10 @@ int MAIN(int argc, char **argv) meth=DTLSv1_client_method(); socket_type=SOCK_DGRAM; } + else if (strcmp(*argv,"-fallback_scsv") == 0) + { + fallback_scsv = 1; + } else if (strcmp(*argv,"-timeout") == 0) enable_timeouts=1; else if (strcmp(*argv,"-mtu") == 0) @@ -1235,6 +1241,10 @@ bad: SSL_set_session(con, sess); SSL_SESSION_free(sess); } + + if (fallback_scsv) + SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); + #ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { Modified: releng/10.1/crypto/openssl/crypto/Makefile ============================================================================== --- releng/10.1/crypto/openssl/crypto/Makefile Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/crypto/Makefile Tue Oct 21 19:00:32 2014 (r273399) @@ -32,6 +32,7 @@ CPUID_OBJ=mem_clr.o LIBS= GENERAL=Makefile README crypto-lib.com install.com +TEST=constant_time_test.c LIB= $(TOP)/libcrypto.a SHARED_LIB= libcrypto$(SHLIB_EXT) @@ -44,7 +45,8 @@ SRC= $(LIBSRC) EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \ ossl_typ.h -HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER) +HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h \ + constant_time_locl.h $(EXHEADER) ALL= $(GENERAL) $(SRC) $(HEADER) Modified: releng/10.1/crypto/openssl/crypto/aes/asm/aesni-x86_64.pl ============================================================================== --- releng/10.1/crypto/openssl/crypto/aes/asm/aesni-x86_64.pl Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/crypto/aes/asm/aesni-x86_64.pl Tue Oct 21 19:00:32 2014 (r273399) @@ -525,6 +525,16 @@ $code.=<<___; .type aesni_ecb_encrypt,\@function,5 .align 16 aesni_ecb_encrypt: +___ +$code.=<<___ if ($win64); + lea -0x58(%rsp),%rsp + movaps %xmm6,(%rsp) + movaps %xmm7,0x10(%rsp) + movaps %xmm8,0x20(%rsp) + movaps %xmm9,0x30(%rsp) +.Lecb_enc_body: +___ +$code.=<<___; and \$-16,$len jz .Lecb_ret 
@@ -805,6 +815,16 @@ $code.=<<___; movups $inout5,0x50($out) .Lecb_ret: +___ +$code.=<<___ if ($win64); + movaps (%rsp),%xmm6 + movaps 0x10(%rsp),%xmm7 + movaps 0x20(%rsp),%xmm8 + movaps 0x30(%rsp),%xmm9 + lea 0x58(%rsp),%rsp +.Lecb_enc_ret: +___ +$code.=<<___; ret .size aesni_ecb_encrypt,.-aesni_ecb_encrypt ___ @@ -2730,28 +2750,9 @@ $code.=<<___; .extern __imp_RtlVirtualUnwind ___ $code.=<<___ if ($PREFIX eq "aesni"); -.type ecb_se_handler,\@abi-omnipotent -.align 16 -ecb_se_handler: - push %rsi - push %rdi - push %rbx - push %rbp - push %r12 - push %r13 - push %r14 - push %r15 - pushfq - sub \$64,%rsp - - mov 152($context),%rax # pull context->Rsp - - jmp .Lcommon_seh_tail -.size ecb_se_handler,.-ecb_se_handler - -.type ccm64_se_handler,\@abi-omnipotent +.type ecb_ccm64_se_handler,\@abi-omnipotent .align 16 -ccm64_se_handler: +ecb_ccm64_se_handler: push %rsi push %rdi push %rbx @@ -2788,7 +2789,7 @@ ccm64_se_handler: lea 0x58(%rax),%rax # adjust stack pointer jmp .Lcommon_seh_tail -.size ccm64_se_handler,.-ccm64_se_handler +.size ecb_ccm64_se_handler,.-ecb_ccm64_se_handler .type ctr32_se_handler,\@abi-omnipotent .align 16 @@ -2993,14 +2994,15 @@ ___ $code.=<<___ if ($PREFIX eq "aesni"); .LSEH_info_ecb: .byte 9,0,0,0 - .rva ecb_se_handler + .rva ecb_ccm64_se_handler + .rva .Lecb_enc_body,.Lecb_enc_ret # HandlerData[] .LSEH_info_ccm64_enc: .byte 9,0,0,0 - .rva ccm64_se_handler + .rva ecb_ccm64_se_handler .rva .Lccm64_enc_body,.Lccm64_enc_ret # HandlerData[] .LSEH_info_ccm64_dec: .byte 9,0,0,0 - .rva ccm64_se_handler + .rva ecb_ccm64_se_handler .rva .Lccm64_dec_body,.Lccm64_dec_ret # HandlerData[] .LSEH_info_ctr32: .byte 9,0,0,0 Modified: releng/10.1/crypto/openssl/crypto/asn1/a_strex.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/asn1/a_strex.c Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/crypto/asn1/a_strex.c Tue Oct 21 19:00:32 2014 (r273399) 
@@ -568,6 +568,7 @@ int ASN1_STRING_to_UTF8(unsigned char ** mbflag |= MBSTRING_FLAG; stmp.data = NULL; stmp.length = 0; + stmp.flags = 0; ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING); if(ret < 0) return ret; *out = stmp.data; Modified: releng/10.1/crypto/openssl/crypto/bn/asm/x86_64-gcc.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/bn/asm/x86_64-gcc.c Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/crypto/bn/asm/x86_64-gcc.c Tue Oct 21 19:00:32 2014 (r273399) @@ -189,7 +189,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, con if (n <= 0) return 0; - asm ( + asm volatile ( " subq %2,%2 \n" ".p2align 4 \n" "1: movq (%4,%2,8),%0 \n" @@ -200,7 +200,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, con " sbbq %0,%0 \n" : "=&a"(ret),"+c"(n),"=&r"(i) : "r"(rp),"r"(ap),"r"(bp) - : "cc" + : "cc", "memory" ); return ret&1; @@ -212,7 +212,7 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, con if (n <= 0) return 0; - asm ( + asm volatile ( " subq %2,%2 \n" ".p2align 4 \n" "1: movq (%4,%2,8),%0 \n" @@ -223,7 +223,7 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, con " sbbq %0,%0 \n" : "=&a"(ret),"+c"(n),"=&r"(i) : "r"(rp),"r"(ap),"r"(bp) - : "cc" + : "cc", "memory" ); return ret&1; Modified: releng/10.1/crypto/openssl/crypto/bn/bn_exp.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/bn/bn_exp.c Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/crypto/bn/bn_exp.c Tue Oct 21 19:00:32 2014 (r273399) 
@@ -874,7 +874,14 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ bits = BN_num_bits(p); if (bits == 0) { - ret = BN_one(rr); + /* x**0 mod 1 is still zero. */ + if (BN_is_one(m)) + { + ret = 1; + BN_zero(rr); + } + else + ret = BN_one(rr); return ret; } if (a == 0) Modified: releng/10.1/crypto/openssl/crypto/bn/bn_nist.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/bn/bn_nist.c Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/crypto/bn/bn_nist.c Tue Oct 21 19:00:32 2014 (r273399) @@ -1088,9 +1088,9 @@ int BN_nist_mod_521(BIGNUM *r, const BIG /* ... and right shift */ for (val=t_d[0],i=0; i>BN_NIST_521_RSHIFT; - val = t_d[i+1]; - t_d[i] = (tmp | val<>BN_NIST_521_RSHIFT | + (tmp=t_d[i+1])<>BN_NIST_521_RSHIFT; /* lower 521 bits */ Modified: releng/10.1/crypto/openssl/crypto/bn/exptest.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/bn/exptest.c Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/crypto/bn/exptest.c Tue Oct 21 19:00:32 2014 (r273399) @@ -71,6 +71,43 @@ static const char rnd_seed[] = "string to make the random number generator think it has entropy"; +/* test_exp_mod_zero tests that x**0 mod 1 == 0. It returns zero on success. */ +static int test_exp_mod_zero() { + BIGNUM a, p, m; + BIGNUM r; + BN_CTX *ctx = BN_CTX_new(); + int ret = 1; + + BN_init(&m); + BN_one(&m); + + BN_init(&a); + BN_one(&a); + + BN_init(&p); + BN_zero(&p); + + BN_init(&r); + BN_mod_exp(&r, &a, &p, &m, ctx); + BN_CTX_free(ctx); + + if (BN_is_zero(&r)) + ret = 0; + else + { + printf("1**0 mod 1 = "); + BN_print_fp(stdout, &r); + printf(", should be 0\n"); + } + + BN_free(&r); + BN_free(&a); + BN_free(&p); + BN_free(&m); + + return ret; +} + int main(int argc, char *argv[]) { BN_CTX *ctx; 
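Review bot: the `BN_is_one(m)` guard is added only in `BN_mod_exp_mont_word`; if `BN_mod_exp_mont`, `BN_mod_exp_recp` and `BN_mod_exp_simple` use the same `if (bits == 0) { ret = BN_one(rr); return ret; }` early return they need the identical change, since `BN_one(rr)` is not reduced modulo `m` when `m == 1`. The exptest case below uses `a = 1`, a single-word base, so if `BN_mod_exp` routes single-word bases to the `_word` variant the other code paths are never exercised by that test; a second case with a multi-word base would show whether they are covered.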
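Review bot: the `BN_nist_mod_521` hunk is unreadable in this list copy (the shift operators and the loop condition have been stripped, leaving `i>BN_NIST_521_RSHIFT` and `val<>BN_NIST_521_RSHIFT`), so the merged right-shift loop cannot be reviewed from here; review it against the repository at r273399, and in particular check that the combined expression `t_d[i] = ... | (tmp=t_d[i+1]) ...` still reads `t_d[i+1]` before that word is rewritten on the next iteration.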
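Review bot: `test_exp_mod_zero` ignores the return value of `BN_mod_exp`; `r` is zero straight after `BN_init`, so if `BN_mod_exp` fails and leaves `r` untouched, `BN_is_zero(&r)` is true and the test reports success for exactly the failure it exists to catch. Check the return value and report failure on it, and check `BN_CTX_new()` for `NULL` before passing it down. Minor: `static int test_exp_mod_zero()` should be `test_exp_mod_zero(void)` so the definition is a prototype.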
@@ -190,7 +227,13 @@ int main(int argc, char *argv[]) ERR_remove_thread_state(NULL); CRYPTO_mem_leaks(out); BIO_free(out); - printf(" done\n"); + printf("\n"); + + if (test_exp_mod_zero() != 0) + goto err; + + printf("done\n"); + EXIT(0); err: ERR_load_crypto_strings(); Copied: releng/10.1/crypto/openssl/crypto/constant_time_locl.h (from r273149, stable/10/crypto/openssl/crypto/constant_time_locl.h) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ releng/10.1/crypto/openssl/crypto/constant_time_locl.h Tue Oct 21 19:00:32 2014 (r273399, copy of r273149, stable/10/crypto/openssl/crypto/constant_time_locl.h) 
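Review bot: `test_exp_mod_zero()` is called after `CRYPTO_mem_leaks(out)` and `BIO_free(out)`, so anything the new test leaks (it allocates its own `BN_CTX` and four `BIGNUM`s) is outside the leak check, and on failure it jumps to `err:` with `out` already freed, which matters if the error path prints to it. Move the call above the `CRYPTO_mem_leaks(out)` / `BIO_free(out)` pair so the test is covered by the leak check and the error path keeps a valid `out`.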
@@ -0,0 +1,216 @@ +/* crypto/constant_time_locl.h */ +/* + * Utilities for constant-time cryptography. + * + * Author: Emilia Kasper (emilia@openssl.org) + * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley + * (Google). + * ==================================================================== + * Copyright (c) 2014 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#ifndef HEADER_CONSTANT_TIME_LOCL_H +#define HEADER_CONSTANT_TIME_LOCL_H + +#include "e_os.h" /* For 'inline' */ + +#ifdef __cplusplus +extern "C" { +#endif + +/* + * The boolean methods return a bitmask of all ones (0xff...f) for true + * and 0 for false. This is useful for choosing a value based on the result + * of a conditional in constant time. For example, + * + * if (a < b) { + * c = a; + * } else { + * c = b; + * } + * + * can be written as + * + * unsigned int lt = constant_time_lt(a, b); + * c = constant_time_select(lt, a, b); + */ + +/* + * Returns the given value with the MSB copied to all the other + * bits. Uses the fact that arithmetic shift shifts-in the sign bit. + * However, this is not ensured by the C standard so you may need to + * replace this with something else on odd CPUs. + */ +static inline unsigned int constant_time_msb(unsigned int a); + +/* + * Returns 0xff..f if a < b and 0 otherwise. + */ +static inline unsigned int constant_time_lt(unsigned int a, unsigned int b); +/* Convenience method for getting an 8-bit mask. */ +static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b); + +/* + * Returns 0xff..f if a >= b and 0 otherwise. 
+ */ +static inline unsigned int constant_time_ge(unsigned int a, unsigned int b); +/* Convenience method for getting an 8-bit mask. */ +static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b); + +/* + * Returns 0xff..f if a == 0 and 0 otherwise. + */ +static inline unsigned int constant_time_is_zero(unsigned int a); +/* Convenience method for getting an 8-bit mask. */ +static inline unsigned char constant_time_is_zero_8(unsigned int a); + + +/* + * Returns 0xff..f if a == b and 0 otherwise. + */ +static inline unsigned int constant_time_eq(unsigned int a, unsigned int b); +/* Convenience method for getting an 8-bit mask. */ +static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b); +/* Signed integers. */ +static inline unsigned int constant_time_eq_int(int a, int b); +/* Convenience method for getting an 8-bit mask. */ +static inline unsigned char constant_time_eq_int_8(int a, int b); + + +/* + * Returns (mask & a) | (~mask & b). + * + * When |mask| is all 1s or all 0s (as returned by the methods above), + * the select methods return either |a| (if |mask| is nonzero) or |b| + * (if |mask| is zero). + */ +static inline unsigned int constant_time_select(unsigned int mask, + unsigned int a, unsigned int b); +/* Convenience method for unsigned chars. */ +static inline unsigned char constant_time_select_8(unsigned char mask, + unsigned char a, unsigned char b); +/* Convenience method for signed integers. */ +static inline int constant_time_select_int(unsigned int mask, int a, int b); + +static inline unsigned int constant_time_msb(unsigned int a) + { + return (unsigned int)((int)(a) >> (sizeof(int) * 8 - 1)); + } + +static inline unsigned int constant_time_lt(unsigned int a, unsigned int b) + { + unsigned int lt; + /* Case 1: msb(a) == msb(b). a < b iff the MSB of a - b is set.*/ + lt = ~(a ^ b) & (a - b); + /* Case 2: msb(a) != msb(b). a < b iff the MSB of b is set. 
*/ + lt |= ~a & b; + return constant_time_msb(lt); + } + +static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b) + { + return (unsigned char)(constant_time_lt(a, b)); + } + +static inline unsigned int constant_time_ge(unsigned int a, unsigned int b) + { + unsigned int ge; + /* Case 1: msb(a) == msb(b). a >= b iff the MSB of a - b is not set.*/ + ge = ~((a ^ b) | (a - b)); + /* Case 2: msb(a) != msb(b). a >= b iff the MSB of a is set. */ + ge |= a & ~b; + return constant_time_msb(ge); + } + +static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b) + { + return (unsigned char)(constant_time_ge(a, b)); + } + +static inline unsigned int constant_time_is_zero(unsigned int a) + { + return constant_time_msb(~a & (a - 1)); + } + +static inline unsigned char constant_time_is_zero_8(unsigned int a) + { + return (unsigned char)(constant_time_is_zero(a)); + } + +static inline unsigned int constant_time_eq(unsigned int a, unsigned int b) + { + return constant_time_is_zero(a ^ b); + } + +static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b) + { + return (unsigned char)(constant_time_eq(a, b)); + } + +static inline unsigned int constant_time_eq_int(int a, int b) + { + return constant_time_eq((unsigned)(a), (unsigned)(b)); + } + +static inline unsigned char constant_time_eq_int_8(int a, int b) + { + return constant_time_eq_8((unsigned)(a), (unsigned)(b)); + } + +static inline unsigned int constant_time_select(unsigned int mask, + unsigned int a, unsigned int b) + { + return (mask & a) | (~mask & b); + } + +static inline unsigned char constant_time_select_8(unsigned char mask, + unsigned char a, unsigned char b) + { + return (unsigned char)(constant_time_select(mask, a, b)); + } + +inline int constant_time_select_int(unsigned int mask, int a, int b) + { + return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b))); + } + +#ifdef __cplusplus +} +#endif + +#endif /* HEADER_CONSTANT_TIME_LOCL_H */ 
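Review bot: `constant_time_select_int` is declared `static inline` in the prototype block but defined as plain `inline int constant_time_select_int(...)`; in C99 a non-`static` `inline` definition with no `extern` declaration is an inline definition only, so a translation unit in which the compiler does not inline the call (typically an unoptimised build) is left with an undefined reference, and the `static`/non-`static` mismatch with the earlier declaration is itself diagnosable. Make the definition `static inline` like every other function in the file. Second point, already flagged by the file's own comment: `constant_time_msb` relies on `(int)(a) >> (sizeof(int) * 8 - 1)` being an arithmetic shift, which the C standard leaves implementation-defined; `0u - (a >> (sizeof(a) * 8 - 1))` yields the same all-ones/all-zeros mask from the unsigned value, is still branch-free, and removes the dependence on signed-shift semantics.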
Copied: releng/10.1/crypto/openssl/crypto/constant_time_test.c (from r273149, stable/10/crypto/openssl/crypto/constant_time_test.c) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ releng/10.1/crypto/openssl/crypto/constant_time_test.c Tue Oct 21 19:00:32 2014 (r273399, copy of r273149, stable/10/crypto/openssl/crypto/constant_time_test.c) 
@@ -0,0 +1,330 @@ +/* crypto/constant_time_test.c */ +/* + * Utilities for constant-time cryptography. + * + * Author: Emilia Kasper (emilia@openssl.org) + * Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley + * (Google). + * ==================================================================== + * Copyright (c) 2014 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + +#include "../crypto/constant_time_locl.h" + +#include +#include +#include + +static const unsigned int CONSTTIME_TRUE = (unsigned)(~0); +static const unsigned int CONSTTIME_FALSE = 0; +static const unsigned char CONSTTIME_TRUE_8 = 0xff; +static const unsigned char CONSTTIME_FALSE_8 = 0; + +static int test_binary_op(unsigned int (*op)(unsigned int a, unsigned int b), + const char* op_name, unsigned int a, unsigned int b, int is_true) + { + unsigned c = op(a, b); + if (is_true && c != CONSTTIME_TRUE) + { + fprintf(stderr, "Test failed for %s(%du, %du): expected %du " + "(TRUE), got %du\n", op_name, a, b, CONSTTIME_TRUE, c); + return 1; + } + else if (!is_true && c != CONSTTIME_FALSE) + { + fprintf(stderr, "Test failed for %s(%du, %du): expected %du " + "(FALSE), got %du\n", op_name, a, b, CONSTTIME_FALSE, + c); + return 1; + } + return 0; + } + +static int test_binary_op_8(unsigned char (*op)(unsigned int a, unsigned int b), + const char* op_name, unsigned int a, unsigned int b, int is_true) + { + unsigned char c = op(a, b); + if (is_true && c != CONSTTIME_TRUE_8) + { + fprintf(stderr, "Test failed for %s(%du, %du): expected %u " + "(TRUE), got %u\n", op_name, a, b, CONSTTIME_TRUE_8, 
c); + return 1; + } + else if (!is_true && c != CONSTTIME_FALSE_8) + { + fprintf(stderr, "Test failed for %s(%du, %du): expected %u " + "(FALSE), got %u\n", op_name, a, b, CONSTTIME_FALSE_8, + c); + return 1; + } + return 0; + } + +static int test_is_zero(unsigned int a) + { + unsigned int c = constant_time_is_zero(a); + if (a == 0 && c != CONSTTIME_TRUE) + { + fprintf(stderr, "Test failed for constant_time_is_zero(%du): " + "expected %du (TRUE), got %du\n", a, CONSTTIME_TRUE, c); + return 1; + } + else if (a != 0 && c != CONSTTIME_FALSE) + { + fprintf(stderr, "Test failed for constant_time_is_zero(%du): " + "expected %du (FALSE), got %du\n", a, CONSTTIME_FALSE, + c); + return 1; + } + return 0; + } + +static int test_is_zero_8(unsigned int a) + { + unsigned char c = constant_time_is_zero_8(a); + if (a == 0 && c != CONSTTIME_TRUE_8) + { + fprintf(stderr, "Test failed for constant_time_is_zero(%du): " + "expected %u (TRUE), got %u\n", a, CONSTTIME_TRUE_8, c); + return 1; + } + else if (a != 0 && c != CONSTTIME_FALSE) + { + fprintf(stderr, "Test failed for constant_time_is_zero(%du): " + "expected %u (FALSE), got %u\n", a, CONSTTIME_FALSE_8, + c); + return 1; + } + return 0; + } + +static int test_select(unsigned int a, unsigned int b) + { + unsigned int selected = constant_time_select(CONSTTIME_TRUE, a, b); + if (selected != a) + { + fprintf(stderr, "Test failed for constant_time_select(%du, %du," + "%du): expected %du(first value), got %du\n", + CONSTTIME_TRUE, a, b, a, selected); + return 1; + } + selected = constant_time_select(CONSTTIME_FALSE, a, b); + if (selected != b) + { + fprintf(stderr, "Test failed for constant_time_select(%du, %du," + "%du): expected %du(second value), got %du\n", + CONSTTIME_FALSE, a, b, b, selected); + return 1; + } + return 0; + } + +static int test_select_8(unsigned char a, unsigned char b) + { + unsigned char selected = constant_time_select_8(CONSTTIME_TRUE_8, a, b); + if (selected != a) + { + fprintf(stderr, "Test failed for 
constant_time_select(%u, %u," + "%u): expected %u(first value), got %u\n", + CONSTTIME_TRUE, a, b, a, selected); + return 1; + } + selected = constant_time_select_8(CONSTTIME_FALSE_8, a, b); + if (selected != b) + { + fprintf(stderr, "Test failed for constant_time_select(%u, %u," + "%u): expected %u(second value), got %u\n", + CONSTTIME_FALSE, a, b, b, selected); + return 1; + } + return 0; + } + +static int test_select_int(int a, int b) + { + int selected = constant_time_select_int(CONSTTIME_TRUE, a, b); + if (selected != a) + { + fprintf(stderr, "Test failed for constant_time_select(%du, %d," + "%d): expected %d(first value), got %d\n", + CONSTTIME_TRUE, a, b, a, selected); + return 1; + } + selected = constant_time_select_int(CONSTTIME_FALSE, a, b); + if (selected != b) + { + fprintf(stderr, "Test failed for constant_time_select(%du, %d," + "%d): expected %d(second value), got %d\n", + CONSTTIME_FALSE, a, b, b, selected); + return 1; + } + return 0; + } + +static int test_eq_int(int a, int b) + { + unsigned int equal = constant_time_eq_int(a, b); + if (a == b && equal != CONSTTIME_TRUE) + { + fprintf(stderr, "Test failed for constant_time_eq_int(%d, %d): " + "expected %du(TRUE), got %du\n", + a, b, CONSTTIME_TRUE, equal); + return 1; + } + else if (a != b && equal != CONSTTIME_FALSE) + { + fprintf(stderr, "Test failed for constant_time_eq_int(%d, %d): " + "expected %du(FALSE), got %du\n", + a, b, CONSTTIME_FALSE, equal); + return 1; + } + return 0; + } + +static int test_eq_int_8(int a, int b) + { + unsigned char equal = constant_time_eq_int_8(a, b); + if (a == b && equal != CONSTTIME_TRUE_8) + { + fprintf(stderr, "Test failed for constant_time_eq_int_8(%d, %d): " + "expected %u(TRUE), got %u\n", + a, b, CONSTTIME_TRUE_8, equal); + return 1; + } + else if (a != b && equal != CONSTTIME_FALSE_8) + { + fprintf(stderr, "Test failed for constant_time_eq_int_8(%d, %d): " + "expected %u(FALSE), got %u\n", + a, b, CONSTTIME_FALSE_8, equal); + return 1; + } + return 0; + 
} + +static unsigned int test_values[] = {0, 1, 1024, 12345, 32000, UINT_MAX/2-1, + UINT_MAX/2, UINT_MAX/2+1, UINT_MAX-1, + UINT_MAX}; + +static unsigned char test_values_8[] = {0, 1, 2, 20, 32, 127, 128, 129, 255}; + +static int signed_test_values[] = {0, 1, -1, 1024, -1024, 12345, -12345, + 32000, -32000, INT_MAX, INT_MIN, INT_MAX-1, + INT_MIN+1}; + + +int main(int argc, char *argv[]) + { + unsigned int a, b, i, j; + int c, d; + unsigned char e, f; + int num_failed = 0, num_all = 0; + fprintf(stdout, "Testing constant time operations...\n"); + + for (i = 0; i < sizeof(test_values)/sizeof(int); ++i) + { + a = test_values[i]; + num_failed += test_is_zero(a); + num_failed += test_is_zero_8(a); + num_all += 2; + for (j = 0; j < sizeof(test_values)/sizeof(int); ++j) + { + b = test_values[j]; + num_failed += test_binary_op(&constant_time_lt, + "constant_time_lt", a, b, a < b); + num_failed += test_binary_op_8(&constant_time_lt_8, + "constant_time_lt_8", a, b, a < b); + num_failed += test_binary_op(&constant_time_lt, + "constant_time_lt_8", b, a, b < a); + num_failed += test_binary_op_8(&constant_time_lt_8, + "constant_time_lt_8", b, a, b < a); + num_failed += test_binary_op(&constant_time_ge, + "constant_time_ge", a, b, a >= b); + num_failed += test_binary_op_8(&constant_time_ge_8, + "constant_time_ge_8", a, b, a >= b); + num_failed += test_binary_op(&constant_time_ge, + "constant_time_ge", b, a, b >= a); + num_failed += test_binary_op_8(&constant_time_ge_8, + "constant_time_ge_8", b, a, b >= a); + num_failed += test_binary_op(&constant_time_eq, + "constant_time_eq", a, b, a == b); + num_failed += test_binary_op_8(&constant_time_eq_8, + "constant_time_eq_8", a, b, a == b); + num_failed += test_binary_op(&constant_time_eq, + "constant_time_eq", b, a, b == a); + num_failed += test_binary_op_8(&constant_time_eq_8, + "constant_time_eq_8", b, a, b == a); + num_failed += test_select(a, b); + num_all += 13; + } + } + + for (i = 0; i < sizeof(signed_test_values)/sizeof(int); 
++i) + { + c = signed_test_values[i]; + for (j = 0; j < sizeof(signed_test_values)/sizeof(int); ++j) + { + d = signed_test_values[j]; + num_failed += test_select_int(c, d); + num_failed += test_eq_int(c, d); + num_failed += test_eq_int_8(c, d); + num_all += 3; + } + } + + for (i = 0; i < sizeof(test_values_8); ++i) + { + e = test_values_8[i]; + for (j = 0; j < sizeof(test_values_8); ++j) + { + f = test_values_8[j]; + num_failed += test_select_8(e, f); + num_all += 1; + } + } + + if (!num_failed) + { + fprintf(stdout, "ok (ran %d tests)\n", num_all); + return EXIT_SUCCESS; + } + else + { + fprintf(stdout, "%d of %d tests failed!\n", num_failed, num_all); + return EXIT_FAILURE; + } + } Modified: releng/10.1/crypto/openssl/crypto/dsa/dsa_ameth.c ============================================================================== --- releng/10.1/crypto/openssl/crypto/dsa/dsa_ameth.c Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/crypto/dsa/dsa_ameth.c Tue Oct 21 19:00:32 2014 (r273399) @@ -307,6 +307,12 @@ static int dsa_priv_encode(PKCS8_PRIV_KE unsigned char *dp = NULL; int dplen; + if (!pkey->pkey.dsa || !pkey->pkey.dsa->priv_key) + { + DSAerr(DSA_F_DSA_PRIV_ENCODE,DSA_R_MISSING_PARAMETERS); + goto err; + } + params = ASN1_STRING_new(); if (!params) 
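Review bot: `test_is_zero_8` compares the 8-bit result against `CONSTTIME_FALSE` rather than `CONSTTIME_FALSE_8` in its second branch (both are zero, so it passes, but it is the wrong constant) and its failure messages name `constant_time_is_zero` instead of `constant_time_is_zero_8`; in `main` the third `test_binary_op` call passes `constant_time_lt` with the label `"constant_time_lt_8"`, so a failure there would be reported against the wrong function; and `sizeof(test_values)/sizeof(int)` for an `unsigned int[]` should be `sizeof(test_values)/sizeof(test_values[0])`. The `%du` conversions print the value followed by a literal `u`, which is presumably not intended (`%u`). The three `#include` lines are empty in this list copy (angle-bracket headers stripped by the archive), so the headers pulled in cannot be checked from here.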
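Review bot: the new early `goto err` in `dsa_priv_encode` runs before `params = ASN1_STRING_new()`, so the `err:` cleanup sees whatever `params` held at declaration; `dp` is visibly initialised to `NULL`, but `params` is declared outside this hunk and must be initialised to `NULL` as well, otherwise the cleanup frees an indeterminate pointer on this new path. Also, `DSA_R_MISSING_PARAMETERS` is raised for a missing private key; a key-specific reason code would be less misleading to callers that inspect the error.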
@@ -701,4 +707,3 @@ const EVP_PKEY_ASN1_METHOD dsa_asn1_meth old_dsa_priv_encode } }; - Modified: releng/10.1/crypto/openssl/crypto/ebcdic.h ============================================================================== --- releng/10.1/crypto/openssl/crypto/ebcdic.h Tue Oct 21 18:31:08 2014 (r273398) +++ releng/10.1/crypto/openssl/crypto/ebcdic.h Tue Oct 21 19:00:32 2014 (r273399) *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-releng@FreeBSD.ORG Tue Oct 21 20:20:37 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DDBDAD17; Tue, 21 Oct 2014 20:20:37 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id C95AA250; Tue, 21 Oct 2014 20:20:37 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9LKKboA069687; Tue, 21 Oct 2014 20:20:37 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9LKKbwR069684; Tue, 21 Oct 2014 20:20:37 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201410212020.s9LKKbwR069684@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f 
From: Xin LI Date: Tue, 21 Oct 2014 20:20:37 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r273414 - in releng/10.1: sbin/routed sys/kern usr.sbin/rtsold X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Oct 2014 20:20:38 -0000 Author: delphij Date: Tue Oct 21 20:20:36 2014 New Revision: 273414 URL: https://svnweb.freebsd.org/changeset/base/273414 Log: Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20] Fix routed(8) remote denial of service vulnerability. [SA-14:21] Fix memory leak in sandboxed namei lookup. [SA-14:22] Approved by: re (so@ blanket) Modified: releng/10.1/sbin/routed/input.c releng/10.1/sys/kern/vfs_lookup.c releng/10.1/usr.sbin/rtsold/rtsol.c Modified: releng/10.1/sbin/routed/input.c ============================================================================== --- releng/10.1/sbin/routed/input.c Tue Oct 21 20:20:26 2014 (r273413) +++ releng/10.1/sbin/routed/input.c Tue Oct 21 20:20:36 2014 (r273414) @@ -288,6 +288,10 @@ input(struct sockaddr_in *from, /* rece /* Answer a query from a utility program * with all we know. */ + if (aifp == NULL) { + trace_pkt("ignore remote query"); + return; + } if (from->sin_port != htons(RIP_PORT)) { supply(from, aifp, OUT_QUERY, 0, rip->rip_vers, ap != 0); Modified: releng/10.1/sys/kern/vfs_lookup.c ============================================================================== --- releng/10.1/sys/kern/vfs_lookup.c Tue Oct 21 20:20:26 2014 (r273413) +++ releng/10.1/sys/kern/vfs_lookup.c Tue Oct 21 20:20:36 2014 (r273414) 
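Review bot: the `aifp == NULL` guard sits before the `from->sin_port != htons(RIP_PORT)` test, so both the utility-program and the router-port branches of the query answer are protected from dereferencing a `NULL` interface, and the packet is traced rather than dropped silently, which is what you want for a remotely triggerable condition. Confirm that `supply()` is the only consumer of `aifp` on this path; the other command handlers in `input()` that receive `aifp` are not in this hunk and should be checked for the same missing `NULL` check.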
@@ -121,6 +121,16 @@ TUNABLE_INT("vfs.lookup_shared", &lookup * if symbolic link, massage name in buffer and continue * } */ +static void +namei_cleanup_cnp(struct componentname *cnp) +{ + uma_zfree(namei_zone, cnp->cn_pnbuf); +#ifdef DIAGNOSTIC + cnp->cn_pnbuf = NULL; + cnp->cn_nameptr = NULL; +#endif +} + int namei(struct nameidata *ndp) { @@ -185,11 +195,7 @@ namei(struct nameidata *ndp) } #endif if (error) { - uma_zfree(namei_zone, cnp->cn_pnbuf); -#ifdef DIAGNOSTIC - cnp->cn_pnbuf = NULL; - cnp->cn_nameptr = NULL; -#endif + namei_cleanup_cnp(cnp); ndp->ni_vp = NULL; return (error); } @@ -256,11 +262,7 @@ namei(struct nameidata *ndp) } } if (error) { - uma_zfree(namei_zone, cnp->cn_pnbuf); -#ifdef DIAGNOSTIC - cnp->cn_pnbuf = NULL; - cnp->cn_nameptr = NULL; -#endif + namei_cleanup_cnp(cnp); return (error); } } @@ -286,6 +288,7 @@ namei(struct nameidata *ndp) if (KTRPOINT(curthread, KTR_CAPFAIL)) ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); #endif + namei_cleanup_cnp(cnp); return (ENOTCAPABLE); } while (*(cnp->cn_nameptr) == '/') { @@ -298,11 +301,7 @@ namei(struct nameidata *ndp) ndp->ni_startdir = dp; error = lookup(ndp); if (error) { - uma_zfree(namei_zone, cnp->cn_pnbuf); -#ifdef DIAGNOSTIC - cnp->cn_pnbuf = NULL; - cnp->cn_nameptr = NULL; -#endif + namei_cleanup_cnp(cnp); SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0, 0, 0); return (error); @@ -312,11 +311,7 @@ namei(struct nameidata *ndp) */ if ((cnp->cn_flags & ISSYMLINK) == 0) { if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) { - uma_zfree(namei_zone, cnp->cn_pnbuf); -#ifdef DIAGNOSTIC - cnp->cn_pnbuf = NULL; - cnp->cn_nameptr = NULL; -#endif + namei_cleanup_cnp(cnp); } else cnp->cn_flags |= HASBUF; 
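Review bot: the `ENOTCAPABLE` path in the `@@ -286,6 +288,7 @@` hunk is the actual leak fix (the path buffer was freed on every other early return but not on this one); the remaining hunks only fold the repeated `uma_zfree` plus `DIAGNOSTIC` clearing into `namei_cleanup_cnp`, which is a welcome cleanup. Unlike the first error return, this path does not set `ndp->ni_vp = NULL`, and unlike the `lookup()` failure path it does not fire the `SDT_PROBE(vfs, namei, lookup, return, ...)` probe; aligning both would give callers and dtrace consumers the same state on every error return from `namei()`.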
@@ -378,11 +373,7 @@ namei(struct nameidata *ndp) vput(ndp->ni_vp); dp = ndp->ni_dvp; } - uma_zfree(namei_zone, cnp->cn_pnbuf); -#ifdef DIAGNOSTIC - cnp->cn_pnbuf = NULL; - cnp->cn_nameptr = NULL; -#endif + namei_cleanup_cnp(cnp); vput(ndp->ni_vp); ndp->ni_vp = NULL; vrele(ndp->ni_dvp); Modified: releng/10.1/usr.sbin/rtsold/rtsol.c ============================================================================== --- releng/10.1/usr.sbin/rtsold/rtsol.c Tue Oct 21 20:20:26 2014 (r273413) +++ releng/10.1/usr.sbin/rtsold/rtsol.c Tue Oct 21 20:20:36 2014 (r273414) 
@@ -933,7 +933,8 @@ dname_labeldec(char *dst, size_t dlen, c dst_origin = dst; memset(dst, '\0', dlen); while (src && (len = (uint8_t)(*src++) & 0x3f) && - (src + len) <= src_last) { + (src + len) <= src_last && + (dst - dst_origin < (ssize_t)dlen)) { if (dst != dst_origin) *dst++ = '.'; warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len); From owner-svn-src-releng@FreeBSD.ORG Tue Oct 21 20:21:19 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6E1B3E3F; Tue, 21 Oct 2014 20:21:19 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5685B256; Tue, 21 Oct 2014 20:21:19 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9LKLJp9072813; Tue, 21 Oct 2014 20:21:19 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9LKLBhE072729; Tue, 21 Oct 2014 20:21:11 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201410212021.s9LKLBhE072729@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f 
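Review bot: the added bound `(dst - dst_origin < (ssize_t)dlen)` only guarantees that `dst` has not already reached the end of the buffer when a label starts; the loop body then writes a `'.'` separator and the `len`-byte label (up to 63 bytes, given the `& 0x3f` mask), so with `dst` one byte short of the end a label can still be copied past `dst_origin + dlen` unless the body bounds the copy itself. Check the remaining space against `len` plus the separator before copying, for example `(dst - dst_origin) + len + (dst != dst_origin) < (ssize_t)dlen`, or truncate the copy to the space left, and add a test case with a name that fills `dlen` exactly.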
From: Xin LI Date: Tue, 21 Oct 2014 20:21:11 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r273415 - in releng: 10.0 10.0/crypto/openssl/apps 10.0/crypto/openssl/ssl 10.0/sbin/routed 10.0/sys/conf 10.0/sys/kern 10.0/usr.sbin/rtsold 9.1 9.1/crypto/openssl/apps 9.1/crypto/opens... X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Oct 2014 20:21:19 -0000 Author: delphij Date: Tue Oct 21 20:21:10 2014 New Revision: 273415 URL: https://svnweb.freebsd.org/changeset/base/273415 Log: Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20] Fix routed(8) remote denial of service vulnerability. [SA-14:21] Fix memory leak in sandboxed namei lookup. [SA-14:22] Fix OpenSSL multiple vulnerabilities. 
[SA-14:23] Approved by: so Modified: releng/10.0/UPDATING releng/10.0/crypto/openssl/apps/s_client.c releng/10.0/crypto/openssl/ssl/d1_lib.c releng/10.0/crypto/openssl/ssl/d1_srtp.c releng/10.0/crypto/openssl/ssl/dtls1.h releng/10.0/crypto/openssl/ssl/s23_clnt.c releng/10.0/crypto/openssl/ssl/s23_srvr.c releng/10.0/crypto/openssl/ssl/s2_lib.c releng/10.0/crypto/openssl/ssl/s3_enc.c releng/10.0/crypto/openssl/ssl/s3_lib.c releng/10.0/crypto/openssl/ssl/ssl.h releng/10.0/crypto/openssl/ssl/ssl3.h releng/10.0/crypto/openssl/ssl/ssl_err.c releng/10.0/crypto/openssl/ssl/ssl_lib.c releng/10.0/crypto/openssl/ssl/t1_enc.c releng/10.0/crypto/openssl/ssl/t1_lib.c releng/10.0/crypto/openssl/ssl/tls1.h releng/10.0/sbin/routed/input.c releng/10.0/sys/conf/newvers.sh releng/10.0/sys/kern/vfs_lookup.c releng/10.0/usr.sbin/rtsold/rtsol.c releng/9.1/UPDATING releng/9.1/crypto/openssl/apps/s_cb.c releng/9.1/crypto/openssl/apps/s_client.c releng/9.1/crypto/openssl/crypto/err/openssl.ec releng/9.1/crypto/openssl/doc/apps/s_client.pod releng/9.1/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod releng/9.1/crypto/openssl/ssl/d1_lib.c releng/9.1/crypto/openssl/ssl/dtls1.h releng/9.1/crypto/openssl/ssl/s23_clnt.c releng/9.1/crypto/openssl/ssl/s23_srvr.c releng/9.1/crypto/openssl/ssl/s2_lib.c releng/9.1/crypto/openssl/ssl/s3_enc.c releng/9.1/crypto/openssl/ssl/s3_lib.c releng/9.1/crypto/openssl/ssl/ssl.h releng/9.1/crypto/openssl/ssl/ssl3.h releng/9.1/crypto/openssl/ssl/ssl_err.c releng/9.1/crypto/openssl/ssl/ssl_lib.c releng/9.1/crypto/openssl/ssl/ssl_stat.c releng/9.1/crypto/openssl/ssl/t1_enc.c releng/9.1/crypto/openssl/ssl/t1_lib.c releng/9.1/crypto/openssl/ssl/tls1.h releng/9.1/sbin/routed/input.c releng/9.1/sys/conf/newvers.sh releng/9.1/sys/kern/vfs_lookup.c releng/9.1/usr.sbin/rtsold/rtsol.c releng/9.2/UPDATING releng/9.2/crypto/openssl/apps/s_cb.c releng/9.2/crypto/openssl/apps/s_client.c releng/9.2/crypto/openssl/crypto/err/openssl.ec releng/9.2/crypto/openssl/doc/apps/s_client.pod 
releng/9.2/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod releng/9.2/crypto/openssl/ssl/d1_lib.c releng/9.2/crypto/openssl/ssl/dtls1.h releng/9.2/crypto/openssl/ssl/s23_clnt.c releng/9.2/crypto/openssl/ssl/s23_srvr.c releng/9.2/crypto/openssl/ssl/s2_lib.c releng/9.2/crypto/openssl/ssl/s3_enc.c releng/9.2/crypto/openssl/ssl/s3_lib.c releng/9.2/crypto/openssl/ssl/ssl.h releng/9.2/crypto/openssl/ssl/ssl3.h releng/9.2/crypto/openssl/ssl/ssl_err.c releng/9.2/crypto/openssl/ssl/ssl_lib.c releng/9.2/crypto/openssl/ssl/ssl_stat.c releng/9.2/crypto/openssl/ssl/t1_enc.c releng/9.2/crypto/openssl/ssl/t1_lib.c releng/9.2/crypto/openssl/ssl/tls1.h releng/9.2/sbin/routed/input.c releng/9.2/sys/conf/newvers.sh releng/9.2/sys/kern/vfs_lookup.c releng/9.2/usr.sbin/rtsold/rtsol.c releng/9.3/UPDATING releng/9.3/crypto/openssl/apps/s_client.c releng/9.3/crypto/openssl/crypto/err/openssl.ec releng/9.3/crypto/openssl/doc/apps/s_client.pod releng/9.3/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod releng/9.3/crypto/openssl/ssl/d1_lib.c releng/9.3/crypto/openssl/ssl/dtls1.h releng/9.3/crypto/openssl/ssl/s23_clnt.c releng/9.3/crypto/openssl/ssl/s23_srvr.c releng/9.3/crypto/openssl/ssl/s2_lib.c releng/9.3/crypto/openssl/ssl/s3_enc.c releng/9.3/crypto/openssl/ssl/s3_lib.c releng/9.3/crypto/openssl/ssl/ssl.h releng/9.3/crypto/openssl/ssl/ssl3.h releng/9.3/crypto/openssl/ssl/ssl_err.c releng/9.3/crypto/openssl/ssl/ssl_lib.c releng/9.3/crypto/openssl/ssl/t1_enc.c releng/9.3/crypto/openssl/ssl/t1_lib.c releng/9.3/crypto/openssl/ssl/tls1.h releng/9.3/sbin/routed/input.c releng/9.3/sys/conf/newvers.sh releng/9.3/sys/kern/vfs_lookup.c releng/9.3/usr.sbin/rtsold/rtsol.c Modified: releng/10.0/UPDATING ============================================================================== --- releng/10.0/UPDATING Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/UPDATING Tue Oct 21 20:21:10 2014 (r273415) 
@@ -16,6 +16,19 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20141021: p10 FreeBSD-SA-14:20.rtsold + FreeBSD-SA-14:21.routed + FreeBSD-SA-14:22.namei + FreeBSD-SA-14:23.openssl + + Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20] + + Fix routed(8) remote denial of service vulnerability. [SA-14:21] + + Fix memory leak in sandboxed namei lookup. [SA-14:22] + + Fix OpenSSL multiple vulnerabilities. [SA-14:23] + 20140916: p9 FreeBSD-SA-14:19.tcp Fix Denial of Service in TCP packet processing. [SA-14:19] Modified: releng/10.0/crypto/openssl/apps/s_client.c ============================================================================== --- releng/10.0/crypto/openssl/apps/s_client.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/apps/s_client.c Tue Oct 21 20:21:10 2014 (r273415) @@ -335,6 +335,7 @@ static void sc_usage(void) BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); + BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n"); BIO_printf(bio_err," -mtu - set the link layer MTU\n"); BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); @@ -615,6 +616,7 @@ int MAIN(int argc, char **argv) char *sess_out = NULL; struct sockaddr peer; int peerlen = sizeof(peer); + int fallback_scsv = 0; int enable_timeouts = 0 ; long socket_mtu = 0; #ifndef OPENSSL_NO_JPAKE @@ -821,6 +823,10 @@ int MAIN(int argc, char **argv) meth=DTLSv1_client_method(); socket_type=SOCK_DGRAM; } + else if (strcmp(*argv,"-fallback_scsv") == 0) + { + fallback_scsv = 1; + } else if (strcmp(*argv,"-timeout") == 0) enable_timeouts=1; else if (strcmp(*argv,"-mtu") == 0) 
@@ -1233,6 +1239,10 @@ bad: SSL_set_session(con, sess); SSL_SESSION_free(sess); } + + if (fallback_scsv) + SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); + #ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { Modified: releng/10.0/crypto/openssl/ssl/d1_lib.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/d1_lib.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/d1_lib.c Tue Oct 21 20:21:10 2014 (r273415) @@ -262,6 +262,16 @@ long dtls1_ctrl(SSL *s, int cmd, long la case DTLS_CTRL_LISTEN: ret = dtls1_listen(s, parg); break; + case SSL_CTRL_CHECK_PROTO_VERSION: + /* For library-internal use; checks that the current protocol + * is the highest enabled version (according to s->ctx->method, + * as version negotiation may have changed s->method). */ +#if DTLS_MAX_VERSION != DTLS1_VERSION +# error Code needs update for DTLS_method() support beyond DTLS1_VERSION. +#endif + /* Just one protocol version is supported so far; + * fail closed if the version is not as expected. */ + return s->version == DTLS_MAX_VERSION; default: ret = ssl3_ctrl(s, cmd, larg, parg); Modified: releng/10.0/crypto/openssl/ssl/d1_srtp.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/d1_srtp.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/d1_srtp.c Tue Oct 21 20:21:10 2014 (r273415) @@ -168,25 +168,6 @@ static int find_profile_by_name(char *pr return 1; } -static int find_profile_by_num(unsigned profile_num, - SRTP_PROTECTION_PROFILE **pptr) - { - SRTP_PROTECTION_PROFILE *p; - - p=srtp_known_profiles; - while(p->name) - { - if(p->id == profile_num) - { - *pptr=p; - return 0; - } - p++; - } - - return 1; - } - static int ssl_ctx_make_profiles(const char *profiles_string,STACK_OF(SRTP_PROTECTION_PROFILE) **out) { STACK_OF(SRTP_PROTECTION_PROFILE) *profiles; 
@@ -209,11 +190,19 @@ static int ssl_ctx_make_profiles(const c if(!find_profile_by_name(ptr,&p, col ? col-ptr : (int)strlen(ptr))) { + if (sk_SRTP_PROTECTION_PROFILE_find(profiles,p) >= 0) + { + SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); + sk_SRTP_PROTECTION_PROFILE_free(profiles); + return 1; + } + sk_SRTP_PROTECTION_PROFILE_push(profiles,p); } else { SSLerr(SSL_F_SSL_CTX_MAKE_PROFILES,SSL_R_SRTP_UNKNOWN_PROTECTION_PROFILE); + sk_SRTP_PROTECTION_PROFILE_free(profiles); return 1; } @@ -305,13 +294,12 @@ int ssl_add_clienthello_use_srtp_ext(SSL int ssl_parse_clienthello_use_srtp_ext(SSL *s, unsigned char *d, int len,int *al) { - SRTP_PROTECTION_PROFILE *cprof,*sprof; - STACK_OF(SRTP_PROTECTION_PROFILE) *clnt=0,*srvr; + SRTP_PROTECTION_PROFILE *sprof; + STACK_OF(SRTP_PROTECTION_PROFILE) *srvr; int ct; int mki_len; - int i,j; - int id; - int ret; + int i, srtp_pref; + unsigned int id; /* Length value + the MKI length */ if(len < 3) @@ -341,22 +329,32 @@ int ssl_parse_clienthello_use_srtp_ext(S return 1; } + srvr=SSL_get_srtp_profiles(s); + s->srtp_profile = NULL; + /* Search all profiles for a match initially */ + srtp_pref = sk_SRTP_PROTECTION_PROFILE_num(srvr); - clnt=sk_SRTP_PROTECTION_PROFILE_new_null(); - while(ct) { n2s(d,id); ct-=2; len-=2; - if(!find_profile_by_num(id,&cprof)) - { - sk_SRTP_PROTECTION_PROFILE_push(clnt,cprof); - } - else + /* + * Only look for match in profiles of higher preference than + * current match. + * If no profiles have been have been configured then this + * does nothing. + */ + for (i = 0; i < srtp_pref; i++) { - ; /* Ignore */ + sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i); + if (sprof->id == id) + { + s->srtp_profile = sprof; + srtp_pref = i; + break; + } } } 
@@ -371,36 +369,7 @@ int ssl_parse_clienthello_use_srtp_ext(S return 1; } - srvr=SSL_get_srtp_profiles(s); - - /* Pick our most preferred profile. If no profiles have been - configured then the outer loop doesn't run - (sk_SRTP_PROTECTION_PROFILE_num() = -1) - and so we just return without doing anything */ - for(i=0;iid==sprof->id) - { - s->srtp_profile=sprof; - *al=0; - ret=0; - goto done; - } - } - } - - ret=0; - -done: - if(clnt) sk_SRTP_PROTECTION_PROFILE_free(clnt); - - return ret; + return 0; } int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p, int *len, int maxlen) Modified: releng/10.0/crypto/openssl/ssl/dtls1.h ============================================================================== --- releng/10.0/crypto/openssl/ssl/dtls1.h Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/dtls1.h Tue Oct 21 20:21:10 2014 (r273415) @@ -84,6 +84,8 @@ extern "C" { #endif #define DTLS1_VERSION 0xFEFF +#define DTLS_MAX_VERSION DTLS1_VERSION + #define DTLS1_BAD_VER 0x0100 #if 0 @@ -284,4 +286,3 @@ typedef struct dtls1_record_data_st } #endif #endif - Modified: releng/10.0/crypto/openssl/ssl/s23_clnt.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/s23_clnt.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/s23_clnt.c Tue Oct 21 20:21:10 2014 (r273415) @@ -125,9 +125,11 @@ static const SSL_METHOD *ssl23_get_clien if (ver == SSL2_VERSION) return(SSLv2_client_method()); #endif +#ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return(SSLv3_client_method()); - else if (ver == TLS1_VERSION) +#endif + if (ver == TLS1_VERSION) return(TLSv1_client_method()); else if (ver == TLS1_1_VERSION) return(TLSv1_1_client_method()); @@ -677,6 +679,7 @@ static int ssl23_get_server_hello(SSL *s { /* we have sslv3 or tls1 (server hello or alert) */ +#ifndef OPENSSL_NO_SSL3 if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) { 
@@ -691,7 +694,9 @@ static int ssl23_get_server_hello(SSL *s s->version=SSL3_VERSION; s->method=SSLv3_client_method(); } - else if ((p[2] == TLS1_VERSION_MINOR) && + else +#endif + if ((p[2] == TLS1_VERSION_MINOR) && !(s->options & SSL_OP_NO_TLSv1)) { s->version=TLS1_VERSION; @@ -715,6 +720,9 @@ static int ssl23_get_server_hello(SSL *s goto err; } + /* ensure that TLS_MAX_VERSION is up-to-date */ + OPENSSL_assert(s->version <= TLS_MAX_VERSION); + if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) { /* fatal alert */ Modified: releng/10.0/crypto/openssl/ssl/s23_srvr.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/s23_srvr.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/s23_srvr.c Tue Oct 21 20:21:10 2014 (r273415) @@ -127,9 +127,11 @@ static const SSL_METHOD *ssl23_get_serve if (ver == SSL2_VERSION) return(SSLv2_server_method()); #endif +#ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return(SSLv3_server_method()); - else if (ver == TLS1_VERSION) +#endif + if (ver == TLS1_VERSION) return(TLSv1_server_method()); else if (ver == TLS1_1_VERSION) return(TLSv1_1_server_method()); @@ -421,6 +423,9 @@ int ssl23_get_client_hello(SSL *s) } } + /* ensure that TLS_MAX_VERSION is up-to-date */ + OPENSSL_assert(s->version <= TLS_MAX_VERSION); + #ifdef OPENSSL_FIPS if (FIPS_mode() && (s->version < TLS1_VERSION)) { @@ -597,6 +602,12 @@ int ssl23_get_client_hello(SSL *s) if ((type == 2) || (type == 3)) { /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */ + s->method = ssl23_get_server_method(s->version); + if (s->method == NULL) + { + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); + goto err; + } if (!ssl_init_wbio_buffer(s,1)) goto err; 
@@ -624,14 +635,6 @@ int ssl23_get_client_hello(SSL *s) s->s3->rbuf.left=0; s->s3->rbuf.offset=0; } - if (s->version == TLS1_2_VERSION) - s->method = TLSv1_2_server_method(); - else if (s->version == TLS1_1_VERSION) - s->method = TLSv1_1_server_method(); - else if (s->version == TLS1_VERSION) - s->method = TLSv1_server_method(); - else - s->method = SSLv3_server_method(); #if 0 /* ssl3_get_client_hello does this */ s->client_version=(v[0]<<8)|v[1]; #endif Modified: releng/10.0/crypto/openssl/ssl/s2_lib.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/s2_lib.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/s2_lib.c Tue Oct 21 20:21:10 2014 (r273415) @@ -391,6 +391,8 @@ long ssl2_ctrl(SSL *s, int cmd, long lar case SSL_CTRL_GET_SESSION_REUSED: ret=s->hit; break; + case SSL_CTRL_CHECK_PROTO_VERSION: + return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg); default: break; } @@ -437,7 +439,7 @@ int ssl2_put_cipher_by_char(const SSL_CI if (p != NULL) { l=c->id; - if ((l & 0xff000000) != 0x02000000) return(0); + if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0); p[0]=((unsigned char)(l>>16L))&0xFF; p[1]=((unsigned char)(l>> 8L))&0xFF; p[2]=((unsigned char)(l ))&0xFF; Modified: releng/10.0/crypto/openssl/ssl/s3_enc.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/s3_enc.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/s3_enc.c Tue Oct 21 20:21:10 2014 (r273415) 
@@ -892,7 +892,7 @@ int ssl3_alert_code(int code) case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); + case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK); default: return(-1); } } - Modified: releng/10.0/crypto/openssl/ssl/s3_lib.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/s3_lib.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/s3_lib.c Tue Oct 21 20:21:10 2014 (r273415) @@ -3350,6 +3350,33 @@ long ssl3_ctrl(SSL *s, int cmd, long lar #endif #endif /* !OPENSSL_NO_TLSEXT */ + + case SSL_CTRL_CHECK_PROTO_VERSION: + /* For library-internal use; checks that the current protocol + * is the highest enabled version (according to s->ctx->method, + * as version negotiation may have changed s->method). */ + if (s->version == s->ctx->method->version) + return 1; + /* Apparently we're using a version-flexible SSL_METHOD + * (not at its highest protocol version). */ + if (s->ctx->method->version == SSLv23_method()->version) + { +#if TLS_MAX_VERSION != TLS1_2_VERSION +# error Code needs update for SSLv23_method() support beyond TLS1_2_VERSION. +#endif + if (!(s->options & SSL_OP_NO_TLSv1_2)) + return s->version == TLS1_2_VERSION; + if (!(s->options & SSL_OP_NO_TLSv1_1)) + return s->version == TLS1_1_VERSION; + if (!(s->options & SSL_OP_NO_TLSv1)) + return s->version == TLS1_VERSION; + if (!(s->options & SSL_OP_NO_SSLv3)) + return s->version == SSL3_VERSION; + if (!(s->options & SSL_OP_NO_SSLv2)) + return s->version == SSL2_VERSION; + } + return 0; /* Unexpected state; fail closed. */ + default: break; } @@ -3709,6 +3736,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx break; #endif #endif + default: return(0); } 
@@ -4279,4 +4307,3 @@ long ssl_get_algorithm2(SSL *s) return SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256; return alg2; } - Modified: releng/10.0/crypto/openssl/ssl/ssl.h ============================================================================== --- releng/10.0/crypto/openssl/ssl/ssl.h Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/ssl.h Tue Oct 21 20:21:10 2014 (r273415) @@ -642,6 +642,10 @@ struct ssl_session_st * TLS only.) "Released" buffers are put onto a free-list in the context * or just freed (depending on the context's setting for freelist_max_len). */ #define SSL_MODE_RELEASE_BUFFERS 0x00000010L +/* Send TLS_FALLBACK_SCSV in the ClientHello. + * To be set by applications that reconnect with a downgraded protocol + * version; see draft-ietf-tls-downgrade-scsv-00 for details. */ +#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, * they cannot be used to clear bits. */ @@ -1500,6 +1504,7 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE #define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ +#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */ #define SSL_ERROR_NONE 0 #define SSL_ERROR_SSL 1 @@ -1610,6 +1615,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION) #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 +#define SSL_CTRL_CHECK_PROTO_VERSION 119 + #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) #define DTLSv1_handle_timeout(ssl) \ 
@@ -2364,6 +2371,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_HTTPS_PROXY_REQUEST 155 #define SSL_R_HTTP_REQUEST 156 #define SSL_R_ILLEGAL_PADDING 283 +#define SSL_R_INAPPROPRIATE_FALLBACK 373 #define SSL_R_INCONSISTENT_COMPRESSION 340 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 #define SSL_R_INVALID_COMMAND 280 @@ -2510,6 +2518,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 +#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 Modified: releng/10.0/crypto/openssl/ssl/ssl3.h ============================================================================== --- releng/10.0/crypto/openssl/ssl/ssl3.h Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/ssl3.h Tue Oct 21 20:21:10 2014 (r273415) @@ -128,9 +128,14 @@ extern "C" { #endif -/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ +/* Signalling cipher suite value from RFC 5746 + * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */ #define SSL3_CK_SCSV 0x030000FF +/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00 + * (TLS_FALLBACK_SCSV) */ +#define SSL3_CK_FALLBACK_SCSV 0x03005600 + #define SSL3_CK_RSA_NULL_MD5 0x03000001 #define SSL3_CK_RSA_NULL_SHA 0x03000002 #define SSL3_CK_RSA_RC4_40_MD5 0x03000003 Modified: releng/10.0/crypto/openssl/ssl/ssl_err.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/ssl_err.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/ssl_err.c Tue Oct 21 20:21:10 2014 (r273415) 
@@ -383,6 +383,7 @@ static ERR_STRING_DATA SSL_str_reasons[] {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"}, {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"}, +{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"}, {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION),"inconsistent compression"}, {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"}, {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, @@ -529,6 +530,7 @@ static ERR_STRING_DATA SSL_str_reasons[] {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"}, {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"}, {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"}, {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"}, Modified: releng/10.0/crypto/openssl/ssl/ssl_lib.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/ssl_lib.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/ssl_lib.c Tue Oct 21 20:21:10 2014 (r273415) 
@@ -1383,6 +1383,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC if (sk == NULL) return(0); q=p; + if (put_cb == NULL) + put_cb = s->method->put_cipher_by_char; for (i=0; isrp_ctx.srp_Mask & SSL_kSRP)) continue; #endif /* OPENSSL_NO_SRP */ - j = put_cb ? put_cb(c,p) : ssl_put_cipher_by_char(s,c,p); + j = put_cb(c,p); p+=j; } - /* If p == q, no ciphers and caller indicates an error. Otherwise - * add SCSV if not renegotiating. - */ - if (p != q && !s->renegotiate) + /* If p == q, no ciphers; caller indicates an error. + * Otherwise, add applicable SCSVs. */ + if (p != q) { - static SSL_CIPHER scsv = + if (!s->renegotiate) { - 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 - }; - j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p); - p+=j; + static SSL_CIPHER scsv = + { + 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 + }; + j = put_cb(&scsv,p); + p+=j; #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "SCSV sent by client\n"); + fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n"); #endif - } + } + + if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) + { + static SSL_CIPHER scsv = + { + 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, 0, 0 + }; + j = put_cb(&scsv,p); + p+=j; + } + } return(p-q); } @@ -1435,11 +1449,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe const SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; int i,n; + if (s->s3) s->s3->send_connection_binding = 0; n=ssl_put_cipher_by_char(s,NULL,NULL); - if ((num%n) != 0) + if (n == 0 || (num%n) != 0) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); return(NULL); @@ -1454,7 +1469,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe for (i=0; is3 && (n != 3 || !p[0]) && (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && (p[n-1] == (SSL3_CK_SCSV & 0xff))) 
@@ -1474,6 +1489,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe continue; } + /* Check for TLS_FALLBACK_SCSV */ + if ((n != 3 || !p[0]) && + (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) && + (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) + { + /* The SCSV indicates that the client previously tried a higher version. + * Fail if the current version is an unexpected downgrade. */ + if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) + { + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK); + if (s->s3) + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK); + goto err; + } + continue; + } + c=ssl_get_cipher_by_char(s,p); p+=n; if (c != NULL) Modified: releng/10.0/crypto/openssl/ssl/t1_enc.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/t1_enc.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/t1_enc.c Tue Oct 21 20:21:10 2014 (r273415) @@ -1243,6 +1243,7 @@ int tls1_alert_code(int code) case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); + case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK); #if 0 /* not appropriate for TLS, not used for DTLS */ case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); Modified: releng/10.0/crypto/openssl/ssl/t1_lib.c ============================================================================== --- releng/10.0/crypto/openssl/ssl/t1_lib.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/t1_lib.c Tue Oct 21 20:21:10 2014 (r273415) @@ -650,7 +650,7 @@ unsigned char *ssl_add_clienthello_tlsex #endif #ifndef OPENSSL_NO_SRTP - if(SSL_get_srtp_profiles(s)) + if(SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s)) { int el; 
@@ -784,7 +784,7 @@ unsigned char *ssl_add_serverhello_tlsex #endif #ifndef OPENSSL_NO_SRTP - if(s->srtp_profile) + if(SSL_IS_DTLS(s) && s->srtp_profile) { int el; @@ -1334,7 +1334,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, /* session ticket processed earlier */ #ifndef OPENSSL_NO_SRTP - else if (type == TLSEXT_TYPE_use_srtp) + else if (SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) + && type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_clienthello_use_srtp_ext(s, data, size, al)) @@ -1589,7 +1590,7 @@ int ssl_parse_serverhello_tlsext(SSL *s, } #endif #ifndef OPENSSL_NO_SRTP - else if (type == TLSEXT_TYPE_use_srtp) + else if (SSL_IS_DTLS(s) && type == TLSEXT_TYPE_use_srtp) { if(ssl_parse_serverhello_use_srtp_ext(s, data, size, al)) @@ -2238,7 +2239,10 @@ static int tls_decrypt_ticket(SSL *s, co HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) + { + EVP_CIPHER_CTX_cleanup(&ctx); return 2; + } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); Modified: releng/10.0/crypto/openssl/ssl/tls1.h ============================================================================== --- releng/10.0/crypto/openssl/ssl/tls1.h Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/crypto/openssl/ssl/tls1.h Tue Oct 21 20:21:10 2014 (r273415) 
@@ -159,17 +159,19 @@ extern "C" { #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 +#define TLS1_VERSION 0x0301 +#define TLS1_1_VERSION 0x0302 #define TLS1_2_VERSION 0x0303 -#define TLS1_2_VERSION_MAJOR 0x03 -#define TLS1_2_VERSION_MINOR 0x03 +#define TLS_MAX_VERSION TLS1_2_VERSION + +#define TLS1_VERSION_MAJOR 0x03 +#define TLS1_VERSION_MINOR 0x01 -#define TLS1_1_VERSION 0x0302 #define TLS1_1_VERSION_MAJOR 0x03 #define TLS1_1_VERSION_MINOR 0x02 -#define TLS1_VERSION 0x0301 -#define TLS1_VERSION_MAJOR 0x03 -#define TLS1_VERSION_MINOR 0x01 +#define TLS1_2_VERSION_MAJOR 0x03 +#define TLS1_2_VERSION_MINOR 0x03 #define TLS1_get_version(s) \ ((s->version >> 8) == TLS1_VERSION_MAJOR ? s->version : 0) @@ -187,6 +189,7 @@ extern "C" { #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */ #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */ #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */ +#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */ #define TLS1_AD_USER_CANCELLED 90 #define TLS1_AD_NO_RENEGOTIATION 100 /* codes 110-114 are from RFC3546 */ Modified: releng/10.0/sbin/routed/input.c ============================================================================== --- releng/10.0/sbin/routed/input.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/sbin/routed/input.c Tue Oct 21 20:21:10 2014 (r273415) @@ -288,6 +288,10 @@ input(struct sockaddr_in *from, /* rece /* Answer a query from a utility program * with all we know. */ + if (aifp == NULL) { + trace_pkt("ignore remote query"); + return; + } if (from->sin_port != htons(RIP_PORT)) { supply(from, aifp, OUT_QUERY, 0, rip->rip_vers, ap != 0); Modified: releng/10.0/sys/conf/newvers.sh ============================================================================== --- releng/10.0/sys/conf/newvers.sh Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/sys/conf/newvers.sh Tue Oct 21 20:21:10 2014 (r273415) 
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.0" -BRANCH="RELEASE-p9" +BRANCH="RELEASE-p10" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/10.0/sys/kern/vfs_lookup.c ============================================================================== --- releng/10.0/sys/kern/vfs_lookup.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/sys/kern/vfs_lookup.c Tue Oct 21 20:21:10 2014 (r273415) @@ -121,6 +121,16 @@ TUNABLE_INT("vfs.lookup_shared", &lookup * if symbolic link, massage name in buffer and continue * } */ +static void +namei_cleanup_cnp(struct componentname *cnp) +{ + uma_zfree(namei_zone, cnp->cn_pnbuf); +#ifdef DIAGNOSTIC + cnp->cn_pnbuf = NULL; + cnp->cn_nameptr = NULL; +#endif +} + int namei(struct nameidata *ndp) { @@ -185,11 +195,7 @@ namei(struct nameidata *ndp) } #endif if (error) { - uma_zfree(namei_zone, cnp->cn_pnbuf); -#ifdef DIAGNOSTIC - cnp->cn_pnbuf = NULL; - cnp->cn_nameptr = NULL; -#endif + namei_cleanup_cnp(cnp); ndp->ni_vp = NULL; return (error); } @@ -256,11 +262,7 @@ namei(struct nameidata *ndp) } } if (error) { - uma_zfree(namei_zone, cnp->cn_pnbuf); -#ifdef DIAGNOSTIC - cnp->cn_pnbuf = NULL; - cnp->cn_nameptr = NULL; -#endif + namei_cleanup_cnp(cnp); return (error); } } @@ -286,6 +288,7 @@ namei(struct nameidata *ndp) if (KTRPOINT(curthread, KTR_CAPFAIL)) ktrcapfail(CAPFAIL_LOOKUP, NULL, NULL); #endif + namei_cleanup_cnp(cnp); return (ENOTCAPABLE); } while (*(cnp->cn_nameptr) == '/') { @@ -298,11 +301,7 @@ namei(struct nameidata *ndp) ndp->ni_startdir = dp; error = lookup(ndp); if (error) { - uma_zfree(namei_zone, cnp->cn_pnbuf); -#ifdef DIAGNOSTIC - cnp->cn_pnbuf = NULL; - cnp->cn_nameptr = NULL; -#endif + namei_cleanup_cnp(cnp); SDT_PROBE(vfs, namei, lookup, return, error, NULL, 0, 0, 0); return (error); 
@@ -312,11 +311,7 @@ namei(struct nameidata *ndp) */ if ((cnp->cn_flags & ISSYMLINK) == 0) { if ((cnp->cn_flags & (SAVENAME | SAVESTART)) == 0) { - uma_zfree(namei_zone, cnp->cn_pnbuf); -#ifdef DIAGNOSTIC - cnp->cn_pnbuf = NULL; - cnp->cn_nameptr = NULL; -#endif + namei_cleanup_cnp(cnp); } else cnp->cn_flags |= HASBUF; @@ -378,11 +373,7 @@ namei(struct nameidata *ndp) vput(ndp->ni_vp); dp = ndp->ni_dvp; } - uma_zfree(namei_zone, cnp->cn_pnbuf); -#ifdef DIAGNOSTIC - cnp->cn_pnbuf = NULL; - cnp->cn_nameptr = NULL; -#endif + namei_cleanup_cnp(cnp); vput(ndp->ni_vp); ndp->ni_vp = NULL; vrele(ndp->ni_dvp); Modified: releng/10.0/usr.sbin/rtsold/rtsol.c ============================================================================== --- releng/10.0/usr.sbin/rtsold/rtsol.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/10.0/usr.sbin/rtsold/rtsol.c Tue Oct 21 20:21:10 2014 (r273415) @@ -933,7 +933,8 @@ dname_labeldec(char *dst, size_t dlen, c dst_origin = dst; memset(dst, '\0', dlen); while (src && (len = (uint8_t)(*src++) & 0x3f) && - (src + len) <= src_last) { + (src + len) <= src_last && + (dst - dst_origin < (ssize_t)dlen)) { if (dst != dst_origin) *dst++ = '.'; warnmsg(LOG_DEBUG, __func__, "labellen = %zd", len); Modified: releng/9.1/UPDATING ============================================================================== --- releng/9.1/UPDATING Tue Oct 21 20:20:36 2014 (r273414) +++ releng/9.1/UPDATING Tue Oct 21 20:21:10 2014 (r273415) 
@@ -9,6 +9,19 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20141021: p20 FreeBSD-SA-14:20.rtsold + FreeBSD-SA-14:21.routed + FreeBSD-SA-14:22.namei + FreeBSD-SA-14:23.openssl + + Fix rtsold(8) remote buffer overflow vulnerability. [SA-14:20] + + Fix routed(8) remote denial of service vulnerability. [SA-14:21] + + Fix memory leak in sandboxed namei lookup. [SA-14:22] + + Fix OpenSSL multiple vulnerabilities. [SA-14:23] + 20140916: p19 FreeBSD-SA-14:19.tcp Fix Denial of Service in TCP packet processing. [SA-14:19] Modified: releng/9.1/crypto/openssl/apps/s_cb.c ============================================================================== --- releng/9.1/crypto/openssl/apps/s_cb.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/9.1/crypto/openssl/apps/s_cb.c Tue Oct 21 20:21:10 2014 (r273415) @@ -518,6 +518,24 @@ void MS_CALLBACK msg_cb(int write_p, int case 100: str_details2 = " no_renegotiation"; break; + case 110: + str_details2 = " unsupported_extension"; + break; + case 111: + str_details2 = " certificate_unobtainable"; + break; + case 112: + str_details2 = " unrecognized_name"; + break; + case 113: + str_details2 = " bad_certificate_status_response"; + break; + case 114: + str_details2 = " bad_certificate_hash_value"; + break; + case 115: + str_details2 = " unknown_psk_identity"; + break; } } } Modified: releng/9.1/crypto/openssl/apps/s_client.c ============================================================================== --- releng/9.1/crypto/openssl/apps/s_client.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/9.1/crypto/openssl/apps/s_client.c Tue Oct 21 20:21:10 2014 (r273415) 
@@ -226,6 +226,7 @@ static void sc_usage(void) BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); + BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n"); BIO_printf(bio_err," -mtu - set the link layer MTU\n"); BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); @@ -339,6 +340,7 @@ int MAIN(int argc, char **argv) char *sess_out = NULL; struct sockaddr peer; int peerlen = sizeof(peer); + int fallback_scsv = 0; int enable_timeouts = 0 ; long socket_mtu = 0; #ifndef OPENSSL_NO_JPAKE @@ -488,6 +490,10 @@ int MAIN(int argc, char **argv) socket_mtu = atol(*(++argv)); } #endif + else if (strcmp(*argv,"-fallback_scsv") == 0) + { + fallback_scsv = 1; + } else if (strcmp(*argv,"-bugs") == 0) bugs=1; else if (strcmp(*argv,"-keyform") == 0) @@ -778,6 +784,10 @@ bad: SSL_set_session(con, sess); SSL_SESSION_free(sess); } + + if (fallback_scsv) + SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); + #ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { Modified: releng/9.1/crypto/openssl/crypto/err/openssl.ec ============================================================================== --- releng/9.1/crypto/openssl/crypto/err/openssl.ec Tue Oct 21 20:20:36 2014 (r273414) +++ releng/9.1/crypto/openssl/crypto/err/openssl.ec Tue Oct 21 20:21:10 2014 (r273415) 
@@ -69,8 +69,14 @@ R SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070 R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 R SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 +R SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 R SSL_R_TLSV1_ALERT_USER_CANCELLED 1090 R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 +R SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 +R SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111 +R SSL_R_TLSV1_UNRECOGNIZED_NAME 1112 +R SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113 +R SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114 R RSAREF_R_CONTENT_ENCODING 0x0400 R RSAREF_R_DATA 0x0401 Modified: releng/9.1/crypto/openssl/doc/apps/s_client.pod ============================================================================== --- releng/9.1/crypto/openssl/doc/apps/s_client.pod Tue Oct 21 20:20:36 2014 (r273414) +++ releng/9.1/crypto/openssl/doc/apps/s_client.pod Tue Oct 21 20:21:10 2014 (r273415) @@ -34,6 +34,7 @@ B B [B<-no_ssl2>] [B<-no_ssl3>] [B<-no_tls1>] +[B<-fallback_scsv>] [B<-bugs>] [B<-cipher cipherlist>] [B<-starttls protocol>] 
@@ -167,10 +168,13 @@ these options disable the use of certain the initial handshake uses a method which should be compatible with all servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. -Unfortunately there are a lot of ancient and broken servers in use which +Unfortunately there are still ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only -work if TLS is turned off with the B<-no_tls> option others will only -support SSL v2 and may need the B<-ssl2> option. +work if TLS is turned off. + +=item B<-fallback_scsv> + +Send TLS_FALLBACK_SCSV in the ClientHello. =item B<-bugs> Modified: releng/9.1/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod ============================================================================== --- releng/9.1/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod Tue Oct 21 20:20:36 2014 (r273414) +++ releng/9.1/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod Tue Oct 21 20:21:10 2014 (r273415) @@ -61,6 +61,12 @@ deal with read/write operations returnin flag SSL_MODE_AUTO_RETRY will cause read/write operations to only return after the handshake and successful completion. +=item SSL_MODE_FALLBACK_SCSV + +Send TLS_FALLBACK_SCSV in the ClientHello. +To be set by applications that reconnect with a downgraded protocol +version; see draft-ietf-tls-downgrade-scsv-00 for details. + =back =head1 RETURN VALUES Modified: releng/9.1/crypto/openssl/ssl/d1_lib.c ============================================================================== --- releng/9.1/crypto/openssl/ssl/d1_lib.c Tue Oct 21 20:20:36 2014 (r273414) +++ releng/9.1/crypto/openssl/ssl/d1_lib.c Tue Oct 21 20:21:10 2014 (r273415) 
@@ -301,6 +301,16 @@ long dtls1_ctrl(SSL *s, int cmd, long la case DTLS_CTRL_LISTEN: ret = dtls1_listen(s, parg); break; + case SSL_CTRL_CHECK_PROTO_VERSION: + /* For library-internal use; checks that the current protocol + * is the highest enabled version (according to s->ctx->method, + * as version negotiation may have changed s->method). */ +#if DTLS_MAX_VERSION != DTLS1_VERSION +# error Code needs update for DTLS_method() support beyond DTLS1_VERSION. +#endif + /* Just one protocol version is supported so far; + * fail closed if the version is not as expected. */ + return s->version == DTLS_MAX_VERSION; default: ret = ssl3_ctrl(s, cmd, larg, parg); Modified: releng/9.1/crypto/openssl/ssl/dtls1.h ============================================================================== --- releng/9.1/crypto/openssl/ssl/dtls1.h Tue Oct 21 20:20:36 2014 (r273414) *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-releng@FreeBSD.ORG Tue Oct 21 20:21:34 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A1AF7F66; Tue, 21 Oct 2014 20:21:34 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 8B1B025D; Tue, 21 Oct 2014 20:21:34 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9LKLYMJ072982; Tue, 21 Oct 2014 20:21:34 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9LKLS4D072930; Tue, 21 Oct 2014 20:21:28 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201410212021.s9LKLS4D072930@svn.freebsd.org> 
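Review bot: doc/ssl/SSL_CTX_set_mode.pod in this releng/9.1 patch documents the new mode as `SSL_MODE_FALLBACK_SCSV`, while apps/s_client.c in the same patch passes `SSL_MODE_SEND_FALLBACK_SCSV` to SSL_set_mode; an application author who copies the documented name gets a compile error instead of downgrade protection. Change the item to `=item SSL_MODE_SEND_FALLBACK_SCSV` so the manual page matches the code.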
From: Xin LI
Date: Tue, 21 Oct 2014 20:21:28 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r273416 - in releng/8.4: . crypto/openssl/apps crypto/openssl/crypto/err crypto/openssl/doc/apps crypto/openssl/doc/ssl crypto/openssl/ssl sbin/routed sys/conf

Author: delphij
Date: Tue Oct 21 20:21:27 2014
New Revision: 273416
URL: https://svnweb.freebsd.org/changeset/base/273416

Log:
  Fix routed(8) remote denial of service vulnerability. [SA-14:21]

  Fix OpenSSL multiple vulnerabilities. [SA-14:23]

  Approved by:	so

Modified:
  releng/8.4/UPDATING
  releng/8.4/crypto/openssl/apps/s_cb.c
  releng/8.4/crypto/openssl/apps/s_client.c
  releng/8.4/crypto/openssl/crypto/err/openssl.ec
  releng/8.4/crypto/openssl/doc/apps/s_client.pod
  releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod
  releng/8.4/crypto/openssl/ssl/d1_lib.c
  releng/8.4/crypto/openssl/ssl/dtls1.h
  releng/8.4/crypto/openssl/ssl/s23_clnt.c
  releng/8.4/crypto/openssl/ssl/s23_srvr.c
  releng/8.4/crypto/openssl/ssl/s2_lib.c
  releng/8.4/crypto/openssl/ssl/s3_enc.c
  releng/8.4/crypto/openssl/ssl/s3_lib.c
  releng/8.4/crypto/openssl/ssl/ssl.h
  releng/8.4/crypto/openssl/ssl/ssl3.h
  releng/8.4/crypto/openssl/ssl/ssl_err.c
  releng/8.4/crypto/openssl/ssl/ssl_lib.c
  releng/8.4/crypto/openssl/ssl/ssl_stat.c
  releng/8.4/crypto/openssl/ssl/t1_enc.c
  releng/8.4/crypto/openssl/ssl/t1_lib.c
  releng/8.4/crypto/openssl/ssl/tls1.h
  releng/8.4/sbin/routed/input.c
  releng/8.4/sys/conf/newvers.sh

Modified: releng/8.4/UPDATING
============================================================================== --- releng/8.4/UPDATING Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/UPDATING Tue Oct 21 20:21:27 2014 (r273416) @@ -15,6 +15,13 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20141021: p17 FreeBSD-SA-14:21.routed + FreeBSD-SA-14:23.openssl + + Fix routed(8) remote denial of service vulnerability. [SA-14:21] + + Fix OpenSSL multiple vulnerabilities. [SA-14:23] + 20140916: p16 FreeBSD-SA-14:19.tcp Fix Denial of Service in TCP packet processing. [SA-14:19] Modified: releng/8.4/crypto/openssl/apps/s_cb.c ============================================================================== --- releng/8.4/crypto/openssl/apps/s_cb.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/apps/s_cb.c Tue Oct 21 20:21:27 2014 (r273416) @@ -518,6 +518,24 @@ void MS_CALLBACK msg_cb(int write_p, int case 100: str_details2 = " no_renegotiation"; break; + case 110: + str_details2 = " unsupported_extension"; + break; + case 111: + str_details2 = " certificate_unobtainable"; + break; + case 112: + str_details2 = " unrecognized_name"; + break; + case 113: + str_details2 = " bad_certificate_status_response"; + break; + case 114: + str_details2 = " bad_certificate_hash_value"; + break; + case 115: + str_details2 = " unknown_psk_identity"; + break; } } } Modified: releng/8.4/crypto/openssl/apps/s_client.c ============================================================================== --- releng/8.4/crypto/openssl/apps/s_client.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/apps/s_client.c Tue Oct 21 20:21:27 2014 (r273416) 
@@ -226,6 +226,7 @@ static void sc_usage(void) BIO_printf(bio_err," -ssl3 - just use SSLv3\n"); BIO_printf(bio_err," -tls1 - just use TLSv1\n"); BIO_printf(bio_err," -dtls1 - just use DTLSv1\n"); + BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n"); BIO_printf(bio_err," -mtu - set the link layer MTU\n"); BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n"); @@ -339,6 +340,7 @@ int MAIN(int argc, char **argv) char *sess_out = NULL; struct sockaddr peer; int peerlen = sizeof(peer); + int fallback_scsv = 0; int enable_timeouts = 0 ; long socket_mtu = 0; #ifndef OPENSSL_NO_JPAKE @@ -488,6 +490,10 @@ int MAIN(int argc, char **argv) socket_mtu = atol(*(++argv)); } #endif + else if (strcmp(*argv,"-fallback_scsv") == 0) + { + fallback_scsv = 1; + } else if (strcmp(*argv,"-bugs") == 0) bugs=1; else if (strcmp(*argv,"-keyform") == 0) @@ -778,6 +784,10 @@ bad: SSL_set_session(con, sess); SSL_SESSION_free(sess); } + + if (fallback_scsv) + SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); + #ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { Modified: releng/8.4/crypto/openssl/crypto/err/openssl.ec ============================================================================== --- releng/8.4/crypto/openssl/crypto/err/openssl.ec Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/crypto/err/openssl.ec Tue Oct 21 20:21:27 2014 (r273416) 
@@ -69,8 +69,14 @@ R SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION 1070 R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 R SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 +R SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 R SSL_R_TLSV1_ALERT_USER_CANCELLED 1090 R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 +R SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 +R SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111 +R SSL_R_TLSV1_UNRECOGNIZED_NAME 1112 +R SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113 +R SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114 R RSAREF_R_CONTENT_ENCODING 0x0400 R RSAREF_R_DATA 0x0401 Modified: releng/8.4/crypto/openssl/doc/apps/s_client.pod ============================================================================== --- releng/8.4/crypto/openssl/doc/apps/s_client.pod Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/doc/apps/s_client.pod Tue Oct 21 20:21:27 2014 (r273416) @@ -34,6 +34,7 @@ B B [B<-no_ssl2>] [B<-no_ssl3>] [B<-no_tls1>] +[B<-fallback_scsv>] [B<-bugs>] [B<-cipher cipherlist>] [B<-starttls protocol>] 
@@ -167,10 +168,13 @@ these options disable the use of certain the initial handshake uses a method which should be compatible with all servers and permit them to use SSL v3, SSL v2 or TLS as appropriate. -Unfortunately there are a lot of ancient and broken servers in use which +Unfortunately there are still ancient and broken servers in use which cannot handle this technique and will fail to connect. Some servers only -work if TLS is turned off with the B<-no_tls> option others will only -support SSL v2 and may need the B<-ssl2> option. +work if TLS is turned off. + +=item B<-fallback_scsv> + +Send TLS_FALLBACK_SCSV in the ClientHello. =item B<-bugs> Modified: releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod ============================================================================== --- releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod Tue Oct 21 20:21:27 2014 (r273416) @@ -61,6 +61,12 @@ deal with read/write operations returnin flag SSL_MODE_AUTO_RETRY will cause read/write operations to only return after the handshake and successful completion. +=item SSL_MODE_FALLBACK_SCSV + +Send TLS_FALLBACK_SCSV in the ClientHello. +To be set by applications that reconnect with a downgraded protocol +version; see draft-ietf-tls-downgrade-scsv-00 for details. + =back =head1 RETURN VALUES Modified: releng/8.4/crypto/openssl/ssl/d1_lib.c ============================================================================== --- releng/8.4/crypto/openssl/ssl/d1_lib.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/d1_lib.c Tue Oct 21 20:21:27 2014 (r273416) 
@@ -301,6 +301,16 @@ long dtls1_ctrl(SSL *s, int cmd, long la case DTLS_CTRL_LISTEN: ret = dtls1_listen(s, parg); break; + case SSL_CTRL_CHECK_PROTO_VERSION: + /* For library-internal use; checks that the current protocol + * is the highest enabled version (according to s->ctx->method, + * as version negotiation may have changed s->method). */ +#if DTLS_MAX_VERSION != DTLS1_VERSION +# error Code needs update for DTLS_method() support beyond DTLS1_VERSION. +#endif + /* Just one protocol version is supported so far; + * fail closed if the version is not as expected. */ + return s->version == DTLS_MAX_VERSION; default: ret = ssl3_ctrl(s, cmd, larg, parg); Modified: releng/8.4/crypto/openssl/ssl/dtls1.h ============================================================================== --- releng/8.4/crypto/openssl/ssl/dtls1.h Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/dtls1.h Tue Oct 21 20:21:27 2014 (r273416) @@ -80,6 +80,8 @@ extern "C" { #endif #define DTLS1_VERSION 0xFEFF +#define DTLS_MAX_VERSION DTLS1_VERSION + #define DTLS1_BAD_VER 0x0100 #if 0 @@ -262,4 +264,3 @@ typedef struct dtls1_record_data_st } #endif #endif - Modified: releng/8.4/crypto/openssl/ssl/s23_clnt.c ============================================================================== --- releng/8.4/crypto/openssl/ssl/s23_clnt.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/s23_clnt.c Tue Oct 21 20:21:27 2014 (r273416) @@ -72,9 +72,11 @@ static SSL_METHOD *ssl23_get_client_meth if (ver == SSL2_VERSION) return(SSLv2_client_method()); #endif +#ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return(SSLv3_client_method()); - else if (ver == TLS1_VERSION) +#endif + if (ver == TLS1_VERSION) return(TLSv1_client_method()); else return(NULL); 
@@ -509,7 +511,7 @@ static int ssl23_get_server_hello(SSL *s /* use special padding (SSL 3.0 draft/RFC 2246, App. E.2) */ s->s2->ssl2_rollback=1; - /* setup the 5 bytes we have read so we get them from + /* setup the 7 bytes we have read so we get them from * the sslv2 buffer */ s->rstate=SSL_ST_READ_HEADER; s->packet_length=n; @@ -525,28 +527,15 @@ static int ssl23_get_server_hello(SSL *s s->handshake_func=s->method->ssl_connect; #endif } - else if ((p[0] == SSL3_RT_HANDSHAKE) && - (p[1] == SSL3_VERSION_MAJOR) && - ((p[2] == SSL3_VERSION_MINOR) || - (p[2] == TLS1_VERSION_MINOR)) && - (p[5] == SSL3_MT_SERVER_HELLO)) + else if (p[1] == SSL3_VERSION_MAJOR && + ((p[2] == SSL3_VERSION_MINOR) || + (p[2] == TLS1_VERSION_MINOR)) && + ((p[0] == SSL3_RT_HANDSHAKE && p[5] == SSL3_MT_SERVER_HELLO) || + (p[0] == SSL3_RT_ALERT && p[3] == 0 && p[4] == 2))) { - /* we have sslv3 or tls1 */ - - if (!ssl_init_wbio_buffer(s,1)) goto err; - - /* we are in this state */ - s->state=SSL3_ST_CR_SRVR_HELLO_A; - - /* put the 5 bytes we have read into the input buffer - * for SSLv3 */ - s->rstate=SSL_ST_READ_HEADER; - s->packet_length=n; - s->packet= &(s->s3->rbuf.buf[0]); - memcpy(s->packet,buf,n); - s->s3->rbuf.left=n; - s->s3->rbuf.offset=0; + /* we have sslv3 or tls1 (server hello or alert) */ +#ifndef OPENSSL_NO_SSL3 if ((p[2] == SSL3_VERSION_MINOR) && !(s->options & SSL_OP_NO_SSLv3)) { @@ -561,7 +550,9 @@ static int ssl23_get_server_hello(SSL *s s->version=SSL3_VERSION; s->method=SSLv3_client_method(); } - else if ((p[2] == TLS1_VERSION_MINOR) && + else +#endif + if ((p[2] == TLS1_VERSION_MINOR) && !(s->options & SSL_OP_NO_TLSv1)) { s->version=TLS1_VERSION; 
@@ -572,35 +563,55 @@ static int ssl23_get_server_hello(SSL *s SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); goto err; } - - s->handshake_func=s->method->ssl_connect; - } - else if ((p[0] == SSL3_RT_ALERT) && - (p[1] == SSL3_VERSION_MAJOR) && - ((p[2] == SSL3_VERSION_MINOR) || - (p[2] == TLS1_VERSION_MINOR)) && - (p[3] == 0) && - (p[4] == 2)) - { - void (*cb)(const SSL *ssl,int type,int val)=NULL; - int j; - /* An alert */ - if (s->info_callback != NULL) - cb=s->info_callback; - else if (s->ctx->info_callback != NULL) - cb=s->ctx->info_callback; - - i=p[5]; - if (cb != NULL) + /* ensure that TLS_MAX_VERSION is up-to-date */ + OPENSSL_assert(s->version <= TLS_MAX_VERSION); + + if (p[0] == SSL3_RT_ALERT && p[5] != SSL3_AL_WARNING) { - j=(i<<8)|p[6]; - cb(s,SSL_CB_READ_ALERT,j); + /* fatal alert */ + + void (*cb)(const SSL *ssl,int type,int val)=NULL; + int j; + + if (s->info_callback != NULL) + cb=s->info_callback; + else if (s->ctx->info_callback != NULL) + cb=s->ctx->info_callback; + + i=p[5]; + if (cb != NULL) + { + j=(i<<8)|p[6]; + cb(s,SSL_CB_READ_ALERT,j); + } + + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_ALERT, p+5, 2, s, s->msg_callback_arg); + + s->rwstate=SSL_NOTHING; + SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]); + goto err; } - s->rwstate=SSL_NOTHING; - SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,SSL_AD_REASON_OFFSET+p[6]); - goto err; + if (!ssl_init_wbio_buffer(s,1)) goto err; + + /* we are in this state */ + s->state=SSL3_ST_CR_SRVR_HELLO_A; + + /* put the 7 bytes we have read into the input buffer + * for SSLv3 */ + s->rstate=SSL_ST_READ_HEADER; + s->packet_length=n; + if (s->s3->rbuf.buf == NULL) + if (!ssl3_setup_buffers(s)) + goto err; + s->packet= &(s->s3->rbuf.buf[0]); + memcpy(s->packet,buf,n); + s->s3->rbuf.left=n; + s->s3->rbuf.offset=0; + + s->handshake_func=s->method->ssl_connect; } else { Modified: releng/8.4/crypto/openssl/ssl/s23_srvr.c 
============================================================================== --- releng/8.4/crypto/openssl/ssl/s23_srvr.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/s23_srvr.c Tue Oct 21 20:21:27 2014 (r273416) @@ -124,9 +124,11 @@ static SSL_METHOD *ssl23_get_server_meth if (ver == SSL2_VERSION) return(SSLv2_server_method()); #endif +#ifndef OPENSSL_NO_SSL3 if (ver == SSL3_VERSION) return(SSLv3_server_method()); - else if (ver == TLS1_VERSION) +#endif + if (ver == TLS1_VERSION) return(TLSv1_server_method()); else return(NULL); @@ -398,6 +400,9 @@ int ssl23_get_client_hello(SSL *s) } #endif + /* ensure that TLS_MAX_VERSION is up-to-date */ + OPENSSL_assert(s->version <= TLS_MAX_VERSION); + if (s->state == SSL23_ST_SR_CLNT_HELLO_B) { /* we have SSLv3/TLSv1 in an SSLv2 header @@ -554,6 +559,12 @@ int ssl23_get_client_hello(SSL *s) if ((type == 2) || (type == 3)) { /* we have SSLv3/TLSv1 (type 2: SSL2 style, type 3: SSL3/TLS style) */ + s->method = ssl23_get_server_method(s->version); + if (s->method == NULL) + { + SSLerr(SSL_F_SSL23_GET_CLIENT_HELLO,SSL_R_UNSUPPORTED_PROTOCOL); + goto err; + } if (!ssl_init_wbio_buffer(s,1)) goto err; @@ -577,11 +588,6 @@ int ssl23_get_client_hello(SSL *s) s->s3->rbuf.left=0; s->s3->rbuf.offset=0; } - - if (s->version == TLS1_VERSION) - s->method = TLSv1_server_method(); - else - s->method = SSLv3_server_method(); #if 0 /* ssl3_get_client_hello does this */ s->client_version=(v[0]<<8)|v[1]; #endif Modified: releng/8.4/crypto/openssl/ssl/s2_lib.c ============================================================================== --- releng/8.4/crypto/openssl/ssl/s2_lib.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/s2_lib.c Tue Oct 21 20:21:27 2014 (r273416) @@ -314,6 +314,8 @@ long ssl2_ctrl(SSL *s, int cmd, long lar case SSL_CTRL_GET_SESSION_REUSED: ret=s->hit; break; + case SSL_CTRL_CHECK_PROTO_VERSION: + return ssl3_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, larg, parg); default: break; } 
@@ -362,7 +364,7 @@ int ssl2_put_cipher_by_char(const SSL_CI if (p != NULL) { l=c->id; - if ((l & 0xff000000) != 0x02000000) return(0); + if ((l & 0xff000000) != 0x02000000 && l != SSL3_CK_FALLBACK_SCSV) return(0); p[0]=((unsigned char)(l>>16L))&0xFF; p[1]=((unsigned char)(l>> 8L))&0xFF; p[2]=((unsigned char)(l ))&0xFF; Modified: releng/8.4/crypto/openssl/ssl/s3_enc.c ============================================================================== --- releng/8.4/crypto/openssl/ssl/s3_enc.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/s3_enc.c Tue Oct 21 20:21:27 2014 (r273416) @@ -758,7 +758,13 @@ int ssl3_alert_code(int code) case SSL_AD_INTERNAL_ERROR: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_USER_CANCELLED: return(SSL3_AD_HANDSHAKE_FAILURE); case SSL_AD_NO_RENEGOTIATION: return(-1); /* Don't send it :-) */ + case SSL_AD_UNSUPPORTED_EXTENSION: return(SSL3_AD_HANDSHAKE_FAILURE); + case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(SSL3_AD_HANDSHAKE_FAILURE); + case SSL_AD_UNRECOGNIZED_NAME: return(SSL3_AD_HANDSHAKE_FAILURE); + case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(SSL3_AD_HANDSHAKE_FAILURE); + case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(SSL3_AD_HANDSHAKE_FAILURE); + case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); + case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK); default: return(-1); } } - Modified: releng/8.4/crypto/openssl/ssl/s3_lib.c ============================================================================== --- releng/8.4/crypto/openssl/ssl/s3_lib.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/s3_lib.c Tue Oct 21 20:21:27 2014 (r273416) 
@@ -1981,6 +1981,29 @@ long ssl3_ctrl(SSL *s, int cmd, long lar break; #endif /* !OPENSSL_NO_TLSEXT */ + + case SSL_CTRL_CHECK_PROTO_VERSION: + /* For library-internal use; checks that the current protocol + * is the highest enabled version (according to s->ctx->method, + * as version negotiation may have changed s->method). */ + if (s->version == s->ctx->method->version) + return 1; + /* Apparently we're using a version-flexible SSL_METHOD + * (not at its highest protocol version). */ + if (s->ctx->method->version == SSLv23_method()->version) + { +#if TLS_MAX_VERSION != TLS1_VERSION +# error Code needs update for SSLv23_method() support beyond TLS1_VERSION. +#endif + if (!(s->options & SSL_OP_NO_TLSv1)) + return s->version == TLS1_VERSION; + if (!(s->options & SSL_OP_NO_SSLv3)) + return s->version == SSL3_VERSION; + if (!(s->options & SSL_OP_NO_SSLv2)) + return s->version == SSL2_VERSION; + } + return 0; /* Unexpected state; fail closed. */ + default: break; } @@ -2269,6 +2292,7 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx break; #endif + default: return(0); } Modified: releng/8.4/crypto/openssl/ssl/ssl.h ============================================================================== --- releng/8.4/crypto/openssl/ssl/ssl.h Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/ssl.h Tue Oct 21 20:21:27 2014 (r273416) @@ -560,6 +560,10 @@ typedef struct ssl_session_st #define SSL_MODE_AUTO_RETRY 0x00000004L /* Don't attempt to automatically build certificate chain */ #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L +/* Send TLS_FALLBACK_SCSV in the ClientHello. + * To be set by applications that reconnect with a downgraded protocol + * version; see draft-ietf-tls-downgrade-scsv-00 for details. */ +#define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080L /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, 
@@ -1204,6 +1208,9 @@ size_t SSL_get_peer_finished(const SSL * #define SSL_AD_CERTIFICATE_UNOBTAINABLE TLS1_AD_CERTIFICATE_UNOBTAINABLE #define SSL_AD_UNRECOGNIZED_NAME TLS1_AD_UNRECOGNIZED_NAME #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE +#define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE +#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */ +#define SSL_AD_INAPPROPRIATE_FALLBACK TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */ #define SSL_ERROR_NONE 0 #define SSL_ERROR_SSL 1 @@ -1293,6 +1300,8 @@ size_t SSL_get_peer_finished(const SSL * #define SSL_CTRL_CLEAR_OPTIONS 77 #define SSL_CTRL_CLEAR_MODE 78 +#define SSL_CTRL_CHECK_PROTO_VERSION 119 + #define DTLSv1_get_timeout(ssl, arg) \ SSL_ctrl(ssl,DTLS_CTRL_GET_TIMEOUT,0, (void *)arg) #define DTLSv1_handle_timeout(ssl) \ @@ -1940,6 +1949,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_HTTPS_PROXY_REQUEST 155 #define SSL_R_HTTP_REQUEST 156 #define SSL_R_ILLEGAL_PADDING 283 +#define SSL_R_INAPPROPRIATE_FALLBACK 373 #define SSL_R_INVALID_CHALLENGE_LENGTH 158 #define SSL_R_INVALID_COMMAND 280 #define SSL_R_INVALID_PURPOSE 278 @@ -2067,6 +2077,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED 1021 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR 1051 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION 1060 +#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK 1086 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY 1071 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION 1100 
@@ -2074,6 +2085,11 @@ void ERR_load_SSL_strings(void); #define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW 1022 #define SSL_R_TLSV1_ALERT_UNKNOWN_CA 1048 #define SSL_R_TLSV1_ALERT_USER_CANCELLED 1090 +#define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE 1114 +#define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE 1113 +#define SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE 1111 +#define SSL_R_TLSV1_UNRECOGNIZED_NAME 1112 +#define SSL_R_TLSV1_UNSUPPORTED_EXTENSION 1110 #define SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER 232 #define SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST 227 #define SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST 233 Modified: releng/8.4/crypto/openssl/ssl/ssl3.h ============================================================================== --- releng/8.4/crypto/openssl/ssl/ssl3.h Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/ssl3.h Tue Oct 21 20:21:27 2014 (r273416) @@ -129,9 +129,14 @@ extern "C" { #endif -/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */ +/* Signalling cipher suite value from RFC 5746 + * (TLS_EMPTY_RENEGOTIATION_INFO_SCSV) */ #define SSL3_CK_SCSV 0x030000FF +/* Signalling cipher suite value from draft-ietf-tls-downgrade-scsv-00 + * (TLS_FALLBACK_SCSV) */ +#define SSL3_CK_FALLBACK_SCSV 0x03005600 + #define SSL3_CK_RSA_NULL_MD5 0x03000001 #define SSL3_CK_RSA_NULL_SHA 0x03000002 #define SSL3_CK_RSA_RC4_40_MD5 0x03000003 Modified: releng/8.4/crypto/openssl/ssl/ssl_err.c ============================================================================== --- releng/8.4/crypto/openssl/ssl/ssl_err.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/ssl_err.c Tue Oct 21 20:21:27 2014 (r273416) 
@@ -341,6 +341,7 @@ static ERR_STRING_DATA SSL_str_reasons[] {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST) ,"https proxy request"}, {ERR_REASON(SSL_R_HTTP_REQUEST) ,"http request"}, {ERR_REASON(SSL_R_ILLEGAL_PADDING) ,"illegal padding"}, +{ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK),"inappropriate fallback"}, {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH),"invalid challenge length"}, {ERR_REASON(SSL_R_INVALID_COMMAND) ,"invalid command"}, {ERR_REASON(SSL_R_INVALID_PURPOSE) ,"invalid purpose"}, @@ -468,6 +469,7 @@ static ERR_STRING_DATA SSL_str_reasons[] {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED),"tlsv1 alert decryption failed"}, {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR),"tlsv1 alert decrypt error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION),"tlsv1 alert export restriction"}, +{ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK),"tlsv1 alert inappropriate fallback"}, {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY),"tlsv1 alert insufficient security"}, {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR),"tlsv1 alert internal error"}, {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION),"tlsv1 alert no renegotiation"}, 
@@ -475,6 +477,11 @@ static ERR_STRING_DATA SSL_str_reasons[] {ERR_REASON(SSL_R_TLSV1_ALERT_RECORD_OVERFLOW),"tlsv1 alert record overflow"}, {ERR_REASON(SSL_R_TLSV1_ALERT_UNKNOWN_CA),"tlsv1 alert unknown ca"}, {ERR_REASON(SSL_R_TLSV1_ALERT_USER_CANCELLED),"tlsv1 alert user cancelled"}, +{ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE),"tlsv1 bad certificate hash value"}, +{ERR_REASON(SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE),"tlsv1 bad certificate status response"}, +{ERR_REASON(SSL_R_TLSV1_CERTIFICATE_UNOBTAINABLE),"tlsv1 certificate unobtainable"}, +{ERR_REASON(SSL_R_TLSV1_UNRECOGNIZED_NAME),"tlsv1 unrecognized name"}, +{ERR_REASON(SSL_R_TLSV1_UNSUPPORTED_EXTENSION),"tlsv1 unsupported extension"}, {ERR_REASON(SSL_R_TLS_CLIENT_CERT_REQ_WITH_ANON_CIPHER),"tls client cert req with anon cipher"}, {ERR_REASON(SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST),"tls invalid ecpointformat list"}, {ERR_REASON(SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST),"tls peer did not respond with certificate list"}, Modified: releng/8.4/crypto/openssl/ssl/ssl_lib.c ============================================================================== --- releng/8.4/crypto/openssl/ssl/ssl_lib.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/ssl_lib.c Tue Oct 21 20:21:27 2014 (r273416) 
@@ -1292,6 +1292,8 @@ int ssl_cipher_list_to_bytes(SSL *s,STAC if (sk == NULL) return(0); q=p; + if (put_cb == NULL) + put_cb = s->method->put_cipher_by_char; for (i=0; inew_session) + /* If p == q, no ciphers; caller indicates an error. + * Otherwise, add applicable SCSVs. */ + if (p != q) { - static SSL_CIPHER scsv = + if (!s->new_session) { - 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, - }; - j = put_cb ? put_cb(&scsv,p) : ssl_put_cipher_by_char(s,&scsv,p); - p+=j; + static SSL_CIPHER scsv = + { + 0, NULL, SSL3_CK_SCSV, 0, 0, 0, 0, 0, 0, 0, + }; + j = put_cb(&scsv,p); + p+=j; #ifdef OPENSSL_RI_DEBUG - fprintf(stderr, "SCSV sent by client\n"); + fprintf(stderr, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV sent by client\n"); #endif - } + } + + if (s->mode & SSL_MODE_SEND_FALLBACK_SCSV) + { + static SSL_CIPHER scsv = + { + 0, NULL, SSL3_CK_FALLBACK_SCSV, 0, 0, 0, 0, 0, 0, 0, + }; + j = put_cb(&scsv,p); + p+=j; + } + } return(p-q); } @@ -1329,11 +1343,12 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe SSL_CIPHER *c; STACK_OF(SSL_CIPHER) *sk; int i,n; + if (s->s3) s->s3->send_connection_binding = 0; n=ssl_put_cipher_by_char(s,NULL,NULL); - if ((num%n) != 0) + if (n == 0 || (num%n) != 0) { SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); return(NULL); @@ -1348,7 +1363,7 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe for (i=0; is3 && (n != 3 || !p[0]) && (p[n-2] == ((SSL3_CK_SCSV >> 8) & 0xff)) && (p[n-1] == (SSL3_CK_SCSV & 0xff))) 
@@ -1368,6 +1383,23 @@ STACK_OF(SSL_CIPHER) *ssl_bytes_to_ciphe continue; } + /* Check for TLS_FALLBACK_SCSV */ + if ((n != 3 || !p[0]) && + (p[n-2] == ((SSL3_CK_FALLBACK_SCSV >> 8) & 0xff)) && + (p[n-1] == (SSL3_CK_FALLBACK_SCSV & 0xff))) + { + /* The SCSV indicates that the client previously tried a higher version. + * Fail if the current version is an unexpected downgrade. */ + if (!SSL_ctrl(s, SSL_CTRL_CHECK_PROTO_VERSION, 0, NULL)) + { + SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,SSL_R_INAPPROPRIATE_FALLBACK); + if (s->s3) + ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INAPPROPRIATE_FALLBACK); + goto err; + } + continue; + } + c=ssl_get_cipher_by_char(s,p); p+=n; if (c != NULL) Modified: releng/8.4/crypto/openssl/ssl/ssl_stat.c ============================================================================== --- releng/8.4/crypto/openssl/ssl/ssl_stat.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/ssl_stat.c Tue Oct 21 20:21:27 2014 (r273416) @@ -414,6 +414,12 @@ const char *SSL_alert_desc_string(int va case TLS1_AD_INTERNAL_ERROR: str="IE"; break; case TLS1_AD_USER_CANCELLED: str="US"; break; case TLS1_AD_NO_RENEGOTIATION: str="NR"; break; + case TLS1_AD_UNSUPPORTED_EXTENSION: str="UE"; break; + case TLS1_AD_CERTIFICATE_UNOBTAINABLE: str="CO"; break; + case TLS1_AD_UNRECOGNIZED_NAME: str="UN"; break; + case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: str="BR"; break; + case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: str="BH"; break; + case TLS1_AD_UNKNOWN_PSK_IDENTITY: str="UP"; break; default: str="UK"; break; } return(str); 
@@ -497,6 +503,24 @@ const char *SSL_alert_desc_string_long(i case TLS1_AD_NO_RENEGOTIATION: str="no renegotiation"; break; + case TLS1_AD_UNSUPPORTED_EXTENSION: + str="unsupported extension"; + break; + case TLS1_AD_CERTIFICATE_UNOBTAINABLE: + str="certificate unobtainable"; + break; + case TLS1_AD_UNRECOGNIZED_NAME: + str="unrecognized name"; + break; + case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: + str="bad certificate status response"; + break; + case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: + str="bad certificate hash value"; + break; + case TLS1_AD_UNKNOWN_PSK_IDENTITY: + str="unknown PSK identity"; + break; default: str="unknown"; break; } return(str); Modified: releng/8.4/crypto/openssl/ssl/t1_enc.c ============================================================================== --- releng/8.4/crypto/openssl/ssl/t1_enc.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/t1_enc.c Tue Oct 21 20:21:27 2014 (r273416) @@ -853,6 +853,13 @@ int tls1_alert_code(int code) case SSL_AD_INTERNAL_ERROR: return(TLS1_AD_INTERNAL_ERROR); case SSL_AD_USER_CANCELLED: return(TLS1_AD_USER_CANCELLED); case SSL_AD_NO_RENEGOTIATION: return(TLS1_AD_NO_RENEGOTIATION); + case SSL_AD_UNSUPPORTED_EXTENSION: return(TLS1_AD_UNSUPPORTED_EXTENSION); + case SSL_AD_CERTIFICATE_UNOBTAINABLE: return(TLS1_AD_CERTIFICATE_UNOBTAINABLE); + case SSL_AD_UNRECOGNIZED_NAME: return(TLS1_AD_UNRECOGNIZED_NAME); + case SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE: return(TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE); + case SSL_AD_BAD_CERTIFICATE_HASH_VALUE: return(TLS1_AD_BAD_CERTIFICATE_HASH_VALUE); + case SSL_AD_UNKNOWN_PSK_IDENTITY:return(TLS1_AD_UNKNOWN_PSK_IDENTITY); + case SSL_AD_INAPPROPRIATE_FALLBACK:return(TLS1_AD_INAPPROPRIATE_FALLBACK); #ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE case DTLS1_AD_MISSING_HANDSHAKE_MESSAGE: return (DTLS1_AD_MISSING_HANDSHAKE_MESSAGE); 
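Review bot: The tls1_alert_code hunk adds a mapping for SSL_AD_INAPPROPRIATE_FALLBACK, but neither ssl_stat.c hunk adds the matching string, so SSL_alert_desc_string() and SSL_alert_desc_string_long() will report the new alert 86 as "UK" / "unknown" while every other code added in this commit gets a name. Add a `case TLS1_AD_INAPPROPRIATE_FALLBACK:` to both tables (for example str="IF" and str="inappropriate fallback") so the alert is identifiable in debug output and logs, which is where defenders will first notice downgrade attempts.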
@@ -860,4 +867,3 @@ int tls1_alert_code(int code) default: return(-1); } } - Modified: releng/8.4/crypto/openssl/ssl/t1_lib.c ============================================================================== --- releng/8.4/crypto/openssl/ssl/t1_lib.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/t1_lib.c Tue Oct 21 20:21:27 2014 (r273416) @@ -1013,7 +1013,10 @@ static int tls_decrypt_ticket(SSL *s, co HMAC_Final(&hctx, tick_hmac, NULL); HMAC_CTX_cleanup(&hctx); if (CRYPTO_memcmp(tick_hmac, etick + eticklen, mlen)) + { + EVP_CIPHER_CTX_cleanup(&ctx); goto tickerr; + } /* Attempt to decrypt session data */ /* Move p after IV to start of encrypted ticket, update length */ p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); Modified: releng/8.4/crypto/openssl/ssl/tls1.h ============================================================================== --- releng/8.4/crypto/openssl/ssl/tls1.h Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/crypto/openssl/ssl/tls1.h Tue Oct 21 20:21:27 2014 (r273416) @@ -81,6 +81,15 @@ extern "C" { #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 #define TLS1_VERSION 0x0301 +#define TLS1_1_VERSION 0x0302 +#define TLS1_2_VERSION 0x0303 +/* TLS 1.1 and 1.2 are not supported by this version of OpenSSL, so + * TLS_MAX_VERSION indicates TLS 1.0 regardless of the above + * definitions. (s23_clnt.c and s23_srvr.c have an OPENSSL_assert() + * check that would catch the error if TLS_MAX_VERSION was too low.) + */ +#define TLS_MAX_VERSION TLS1_VERSION + #define TLS1_VERSION_MAJOR 0x03 #define TLS1_VERSION_MINOR 0x01 @@ -94,6 +103,7 @@ extern "C" { #define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */ #define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */ #define TLS1_AD_INTERNAL_ERROR 80 /* fatal */ +#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */ #define TLS1_AD_USER_CANCELLED 90 #define TLS1_AD_NO_RENEGOTIATION 100 /* codes 110-114 are from RFC3546 */ 
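Review bot: The tls_decrypt_ticket hunk fixes a leak of the EVP_CIPHER_CTX when the ticket HMAC does not verify, but only on that one path; any later `goto tickerr` taken after the cipher context has been initialised has the same problem, so consider moving EVP_CIPHER_CTX_cleanup() into a single exit path rather than adding it before each goto. In the tls1.h hunk, pinning TLS_MAX_VERSION to TLS1_VERSION is explained well in the comment, but its effect belongs in the commit log too: on this branch the fallback check can only detect a downgrade from TLS 1.0 to SSLv3, never one from TLS 1.1 or 1.2, because those versions are not supported here.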
@@ -405,6 +415,3 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_T } #endif #endif - - - Modified: releng/8.4/sbin/routed/input.c ============================================================================== --- releng/8.4/sbin/routed/input.c Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/sbin/routed/input.c Tue Oct 21 20:21:27 2014 (r273416) @@ -288,6 +288,10 @@ input(struct sockaddr_in *from, /* rece /* Answer a query from a utility program * with all we know. */ + if (aifp == NULL) { + trace_pkt("ignore remote query"); + return; + } if (from->sin_port != htons(RIP_PORT)) { supply(from, aifp, OUT_QUERY, 0, rip->rip_vers, ap != 0); Modified: releng/8.4/sys/conf/newvers.sh ============================================================================== --- releng/8.4/sys/conf/newvers.sh Tue Oct 21 20:21:10 2014 (r273415) +++ releng/8.4/sys/conf/newvers.sh Tue Oct 21 20:21:27 2014 (r273416) 
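Review bot: In the routed input.c hunk, the new `aifp == NULL` check sits before the `from->sin_port != htons(RIP_PORT)` branch, so both the supply() call and the code after it are protected from a NULL interface pointer when a query arrives from a network routed is not directly attached to. Two small suggestions: the "ignore remote query" trace would be more useful for incident triage if it included the source address, as other trace messages in routed do, and the commit log should mention that queries from non-attached networks are now silently dropped, since that is a visible behaviour change for operators who query routed remotely.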
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.4" -BRANCH="RELEASE-p16" +BRANCH="RELEASE-p17" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-releng@FreeBSD.ORG Tue Oct 21 21:44:25 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D3F8772A; Tue, 21 Oct 2014 21:44:25 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A515422C; Tue, 21 Oct 2014 21:44:25 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9LLiPmx013214; Tue, 21 Oct 2014 21:44:25 GMT (envelope-from gjb@FreeBSD.org) Received: (from gjb@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9LLiPaN013213; Tue, 21 Oct 2014 21:44:25 GMT (envelope-from gjb@FreeBSD.org) Message-Id: <201410212144.s9LLiPaN013213@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: gjb set sender to gjb@FreeBSD.org using -f 
From: Glen Barber Date: Tue, 21 Oct 2014 21:44:25 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r273433 - releng/10.1/release/doc/en_US.ISO8859-1/relnotes stable/9/release/doc/en_US.ISO8859-1/errata X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Oct 2014 21:44:25 -0000 Author: gjb Date: Tue Oct 21 21:44:24 2014 New Revision: 273433 URL: https://svnweb.freebsd.org/changeset/base/273433 Log: Document the following security advisories: FreeBSD-SA-14:20.rtsold FreeBSD-SA-14:21.routed FreeBSD-SA-14:22.namei FreeBSD-SA-14:23.openssl Approved by: re (implicit) Sponsored by: The FreeBSD Foundation Modified: releng/10.1/release/doc/en_US.ISO8859-1/relnotes/article.xml Changes in other areas also in this revision: Modified: stable/9/release/doc/en_US.ISO8859-1/errata/article.xml Modified: releng/10.1/release/doc/en_US.ISO8859-1/relnotes/article.xml ============================================================================== --- releng/10.1/release/doc/en_US.ISO8859-1/relnotes/article.xml Tue Oct 21 21:37:53 2014 (r273432) +++ releng/10.1/release/doc/en_US.ISO8859-1/relnotes/article.xml Tue Oct 21 21:44:24 2014 (r273433) 
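Review bot: Typo in the article.xml hunk: the SA-14:23.openssl entry reads "Multiple vulerabilities." and should be "Multiple vulnerabilities."; since this text is rendered into the 10.1 release notes it is worth fixing before the release ships.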
@@ -287,6 +287,33 @@ Denial of Service in TCP packet processing. + + + SA-14:20.rtsold + 21 October 2014 + Remote buffer overflow + vulnerability. + + + + SA-14:21.routed + 21 October 2014 + Remote denial of service + vulnerability. + + + + SA-14:22.namei + 21 October 2014 + Memory leak in sandboxed namei + lookup. + + + + SA-14:23.openssl + 21 October 2014 + Multiple vulerabilities. + From owner-svn-src-releng@FreeBSD.ORG Tue Oct 21 23:07:31 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6739BECC; Tue, 21 Oct 2014 23:07:31 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 52CAEC56; Tue, 21 Oct 2014 23:07:31 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9LN7Vao051784; Tue, 21 Oct 2014 23:07:31 GMT (envelope-from gjb@FreeBSD.org) Received: (from gjb@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9LN7VCO051783; Tue, 21 Oct 2014 23:07:31 GMT (envelope-from gjb@FreeBSD.org) Message-Id: <201410212307.s9LN7VCO051783@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: gjb set sender to gjb@FreeBSD.org using -f 
From: Glen Barber Date: Tue, 21 Oct 2014 23:07:31 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r273435 - releng/10.1/sys/dev/hyperv/storvsc X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Oct 2014 23:07:31 -0000 Author: gjb Date: Tue Oct 21 23:07:30 2014 New Revision: 273435 URL: https://svnweb.freebsd.org/changeset/base/273435 Log: MFstable10 r273429: MFC r273402: Fix an issue where a FreeBSD virtual machine provisioned in the Microsoft Azure service does not recognize the second attached disk on the system. PR: 194376 Approved by: re (delphij) Sponsored by: The FreeBSD Foundation Modified: releng/10.1/sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c Directory Properties: releng/10.1/ (props changed) Modified: releng/10.1/sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c ============================================================================== --- releng/10.1/sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c Tue Oct 21 21:49:06 2014 (r273434) +++ releng/10.1/sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c Tue Oct 21 23:07:30 2014 (r273435) @@ -75,7 +75,7 @@ __FBSDID("$FreeBSD$"); #define STORVSC_MAX_IO_REQUESTS (STORVSC_MAX_LUNS_PER_TARGET * 2) #define BLKVSC_MAX_IDE_DISKS_PER_TARGET (1) #define BLKVSC_MAX_IO_REQUESTS STORVSC_MAX_IO_REQUESTS -#define STORVSC_MAX_TARGETS (1) +#define STORVSC_MAX_TARGETS (2) struct storvsc_softc; 
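Review bot: In the hunk that follows, removing `request->sense_info_len = 0;` from hv_storvsc_on_iocompletion() means the field is no longer reset on every completion; unless it is cleared where the request is allocated or reused, a request recycled after an autosense completion will carry a stale sense length into a later completion that has no valid sense data. Please confirm the initialisation path, or keep the reset outside the autosense branch. In the STORVSC_MAX_TARGETS hunk, STORVSC_MAX_IO_REQUESTS a few lines above is defined as (STORVSC_MAX_LUNS_PER_TARGET * 2); if that literal 2 was meant to be the target count it should now reference STORVSC_MAX_TARGETS so the two stay in step.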
@@ -584,7 +584,6 @@ hv_storvsc_on_iocompletion(struct storvs vm_srb = &vstor_packet->u.vm_srb; - request->sense_info_len = 0; if (((vm_srb->scsi_status & 0xFF) == SCSI_STATUS_CHECK_COND) && (vm_srb->srb_status & SRB_STATUS_AUTOSENSE_VALID)) { /* Autosense data available */ From owner-svn-src-releng@FreeBSD.ORG Tue Oct 21 23:09:10 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 37A9C201; Tue, 21 Oct 2014 23:09:10 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 21990C69; Tue, 21 Oct 2014 23:09:10 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9LN9ANX052195; Tue, 21 Oct 2014 23:09:10 GMT (envelope-from gjb@FreeBSD.org) Received: (from gjb@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9LN99hx052194; Tue, 21 Oct 2014 23:09:09 GMT (envelope-from gjb@FreeBSD.org) Message-Id: <201410212309.s9LN99hx052194@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: gjb set sender to gjb@FreeBSD.org using -f 
From: Glen Barber Date: Tue, 21 Oct 2014 23:09:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r273437 - releng/10.1/sys/conf X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Oct 2014 23:09:10 -0000 Author: gjb Date: Tue Oct 21 23:09:09 2014 New Revision: 273437 URL: https://svnweb.freebsd.org/changeset/base/273437 Log: Update releng/10.1 to -RC3 as part of the 10.1-RELEASE cycle. Approved by: re (implicit) Sponsored by: The FreeBSD Foundation Modified: releng/10.1/sys/conf/newvers.sh Modified: releng/10.1/sys/conf/newvers.sh ============================================================================== --- releng/10.1/sys/conf/newvers.sh Tue Oct 21 23:08:46 2014 (r273436) +++ releng/10.1/sys/conf/newvers.sh Tue Oct 21 23:09:09 2014 (r273437) 
@@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RC2" +BRANCH="RC3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi From owner-svn-src-releng@FreeBSD.ORG Tue Oct 21 23:50:48 2014 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 53F38863; Tue, 21 Oct 2014 23:50:48 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3D39EA; Tue, 21 Oct 2014 23:50:48 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9LNolbZ073360; Tue, 21 Oct 2014 23:50:47 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9LNokjs073355; Tue, 21 Oct 2014 23:50:46 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201410212350.s9LNokjs073355@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f 
From: Xin LI Date: Tue, 21 Oct 2014 23:50:46 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r273438 - in releng/9.3: . contrib/tzdata lib/libcrypt sys/conf X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 21 Oct 2014 23:50:48 -0000 Author: delphij Date: Tue Oct 21 23:50:46 2014 New Revision: 273438 URL: https://svnweb.freebsd.org/changeset/base/273438 Log: Time zone data file update. [EN-14:10] Change crypt(3) default hashing algorithm back to DES. [EN-14:11] Approved by: so Added: releng/9.3/contrib/tzdata/zone1970.tab Modified: releng/9.3/UPDATING releng/9.3/contrib/tzdata/africa releng/9.3/contrib/tzdata/antarctica releng/9.3/contrib/tzdata/asia releng/9.3/contrib/tzdata/australasia releng/9.3/contrib/tzdata/backward releng/9.3/contrib/tzdata/etcetera releng/9.3/contrib/tzdata/europe releng/9.3/contrib/tzdata/factory releng/9.3/contrib/tzdata/leap-seconds.list releng/9.3/contrib/tzdata/northamerica releng/9.3/contrib/tzdata/pacificnew releng/9.3/contrib/tzdata/southamerica releng/9.3/contrib/tzdata/systemv releng/9.3/contrib/tzdata/yearistype.sh releng/9.3/contrib/tzdata/zone.tab releng/9.3/lib/libcrypt/crypt.c releng/9.3/sys/conf/newvers.sh Modified: releng/9.3/UPDATING ============================================================================== --- releng/9.3/UPDATING Tue Oct 21 23:09:09 2014 (r273437) +++ releng/9.3/UPDATING Tue Oct 21 23:50:46 2014 (r273438) 
@@ -11,6 +11,13 @@ handbook: Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20141022: p4 FreeBSD-EN-14:10.tzdata + FreeBSD-EN-14:11.crypt + + Time zone data file update. [EN-14:10] + + Change crypt(3) default hashing algorithm back to DES. [EN-14:11] + 20141021: p3 FreeBSD-SA-14:20.rtsold FreeBSD-SA-14:21.routed FreeBSD-SA-14:22.namei Modified: releng/9.3/contrib/tzdata/africa ============================================================================== --- releng/9.3/contrib/tzdata/africa Tue Oct 21 23:09:09 2014 (r273437) +++ releng/9.3/contrib/tzdata/africa Tue Oct 21 23:50:46 2014 (r273438) @@ -1,4 +1,3 @@ -#
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
@@ -35,13 +34,13 @@
 # Previous editions of this database used WAT, CAT, SAT, and EAT
 # for +0:00 through +3:00, respectively,
 # but Mark R V Murray reports that
-# `SAST' is the official abbreviation for +2:00 in the country of South Africa,
-# `CAT' is commonly used for +2:00 in countries north of South Africa, and
-# `WAT' is probably the best name for +1:00, as the common phrase for
-# the area that includes Nigeria is ``West Africa''.
-# He has heard of ``Western Sahara Time'' for +0:00 but can find no reference.
+# 'SAST' is the official abbreviation for +2:00 in the country of South Africa,
+# 'CAT' is commonly used for +2:00 in countries north of South Africa, and
+# 'WAT' is probably the best name for +1:00, as the common phrase for
+# the area that includes Nigeria is "West Africa".
+# He has heard of "Western Sahara Time" for +0:00 but can find no reference.
 #
-# To make things confusing, `WAT' seems to have been used for -1:00 long ago;
+# To make things confusing, 'WAT' seems to have been used for -1:00 long ago;
 # I'd guess that this was because people needed _some_ name for -1:00,
 # and at the time, far west Africa was the only major land area in -1:00.
 # This usage is now obsolete, as the last use of -1:00 on the African
@@ -54,7 +53,7 @@
 #	 2:00	SAST	South Africa Standard Time
 # and Murray suggests the following abbreviation:
 #	 1:00	WAT	West Africa Time
-# I realize that this leads to `WAT' being used for both -1:00 and 1:00
+# I realize that this leads to 'WAT' being used for both -1:00 and 1:00
 # for times before 1976, but this is the best I can think of
 # until we get more information.
 #
@@ -131,9 +130,7 @@ Zone	Africa/Gaborone	1:43:40 -	LMT	1885
 			2:00	-	CAT
 
 # Burkina Faso
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone Africa/Ouagadougou	-0:06:04 -	LMT	1912
-			 0:00	-	GMT
+# See Africa/Abidjan.
 
 # Burundi
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -161,7 +158,7 @@ Zone	Africa/Bangui	1:14:20	-	LMT	1912
 
 # Chad
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Ndjamena	1:00:12 -	LMT	1912
+Zone	Africa/Ndjamena	1:00:12 -	LMT	1912 # N'Djamena
 			1:00	-	WAT	1979 Oct 14
 			1:00	1:00	WAST	1980 Mar  8
 			1:00	-	WAT
@@ -183,10 +180,20 @@ Zone Africa/Lubumbashi	1:49:52 -	LMT	189
 Zone Africa/Brazzaville	1:01:08 -	LMT	1912
 			1:00	-	WAT
 
-# Cote D'Ivoire
+# Côte D'Ivoire / Ivory Coast
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Africa/Abidjan	-0:16:08 -	LMT	1912
 			 0:00	-	GMT
+Link Africa/Abidjan Africa/Bamako	# Mali
+Link Africa/Abidjan Africa/Banjul	# Gambia
+Link Africa/Abidjan Africa/Conakry	# Guinea
+Link Africa/Abidjan Africa/Dakar	# Senegal
+Link Africa/Abidjan Africa/Freetown	# Sierra Leone
+Link Africa/Abidjan Africa/Lome		# Togo
+Link Africa/Abidjan Africa/Nouakchott	# Mauritania
+Link Africa/Abidjan Africa/Ouagadougou	# Burkina Faso
+Link Africa/Abidjan Africa/Sao_Tome	# São Tomé and Príncipe
+Link Africa/Abidjan Atlantic/St_Helena	# St Helena
 
 # Djibouti
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
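Review bot: Replacing the separate Zone entries with Link lines to Africa/Abidjan changes results for historical timestamps: the Zone blocks removed elsewhere in this diff carried periods Abidjan never had (Banjul Mean Time, and -1:00 WAT for Banjul until 1964, Conakry until 1960, Bamako until 1960-06-20 and Nouakchott until 1960-11-28), so pre-1960s conversions for those zones now follow Abidjan's history. This matches upstream tzdata's consolidation of zones that have agreed since 1970, but it is a behaviour change for anything that converts old timestamps, and the commit log and UPDATING entry only say "Time zone data file update"; a sentence noting the loss of pre-1970 detail would help anyone who depends on it.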
@@ -231,13 +238,9 @@ Rule	Egypt	1990	1994	-	May	 1	1:00	1:00	
 # Egyptians would approve the cancellation."
 #
 # Egypt to cancel daylight saving time
-# 
 # http://www.almasryalyoum.com/en/node/407168
-# 
 # or
-# 
 # http://www.worldtimezone.com/dst_news/dst_news_egypt04.html
-# 
 Rule	Egypt	1995	2010	-	Apr	lastFri	 0:00s	1:00	S
 Rule	Egypt	1995	2005	-	Sep	lastThu	24:00	0	-
 # From Steffen Thorsen (2006-09-19):
@@ -249,7 +252,7 @@ Rule	Egypt	2006	only	-	Sep	21	24:00	0	-
 # From Dirk Losch (2007-08-14):
 # I received a mail from an airline which says that the daylight
 # saving time in Egypt will end in the night of 2007-09-06 to 2007-09-07.
-# From Jesper Norgaard Welen (2007-08-15): [The following agree:]
+# From Jesper Nørgaard Welen (2007-08-15): [The following agree:]
 # http://www.nentjes.info/Bill/bill5.htm
 # http://www.timeanddate.com/worldclock/city.html?n=53
 # From Steffen Thorsen (2007-09-04): The official information...:
@@ -288,15 +291,9 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	24:00	
 #
 # timeanddate[2] and another site I've found[3] also support that.
 #
-# [1] 
-# https://bugzilla.redhat.com/show_bug.cgi?id=492263
-# 
-# [2] 
-# http://www.timeanddate.com/worldclock/clockchange.html?n=53
-# 
-# [3] 
-# http://wwp.greenwichmeantime.com/time-zone/africa/egypt/
-# 
+# [1] https://bugzilla.redhat.com/show_bug.cgi?id=492263
+# [2] http://www.timeanddate.com/worldclock/clockchange.html?n=53
+# [3] http://wwp.greenwichmeantime.com/time-zone/africa/egypt/
 
 # From Arthur David Olson (2009-04-20):
 # In 2009 (and for the next several years), Ramadan ends before the fourth
@@ -306,14 +303,10 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	24:00	
 # From Steffen Thorsen (2009-08-11):
 # We have been able to confirm the August change with the Egyptian Cabinet
 # Information and Decision Support Center:
-# 
 # http://www.timeanddate.com/news/time/egypt-dst-ends-2009.html
-# 
 #
 # The Middle East News Agency
-# 
 # http://www.mena.org.eg/index.aspx
-# 
 # also reports "Egypt starts winter time on August 21"
 # today in article numbered "71, 11/08/2009 12:25 GMT."
 # Only the title above is available without a subscription to their service,
@@ -321,19 +314,14 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	24:00	
 # (at least today).
 
 # From Alexander Krivenyshev (2010-07-20):
-# According to News from Egypt -  Al-Masry Al-Youm Egypt's cabinet has
+# According to News from Egypt - Al-Masry Al-Youm Egypt's cabinet has
 # decided that Daylight Saving Time will not be used in Egypt during
 # Ramadan.
 #
 # Arabic translation:
-# "Clocks to go back during Ramadan--and then forward again"
-# 
+# "Clocks to go back during Ramadan - and then forward again"
 # http://www.almasryalyoum.com/en/news/clocks-go-back-during-ramadan-and-then-forward-again
-# 
-# or
-# 
 # http://www.worldtimezone.com/dst_news/dst_news_egypt02.html
-# 
 
 # From Ahmad El-Dardiry (2014-05-07):
 # Egypt is to change back to Daylight system on May 15
@@ -433,10 +421,15 @@ Zone	Africa/Asmara	2:35:32 -	LMT	1870
 			3:00	-	EAT
 
 # Ethiopia
-# From Paul Eggert (2006-03-22):
-# Shanks & Pottenger write that Ethiopia had six narrowly-spaced time zones
-# between 1870 and 1890, and that they merged to 38E50 (2:35:20) in 1890.
-# We'll guess that 38E50 is for Adis Dera.
+# From Paul Eggert (2014-07-31):
+# Like the Swahili of Kenya and Tanzania, many Ethiopians keep a
+# 12-hour clock starting at our 06:00, so their "8 o'clock" is our
+# 02:00 or 14:00.  Keep this in mind when you ask the time in Amharic.
+#
+# Shanks & Pottenger write that Ethiopia had six narrowly-spaced time
+# zones between 1870 and 1890, that they merged to 38E50 (2:35:20) in
+# 1890, and that they switched to 3:00 on 1936-05-05.  Perhaps 38E50
+# was for Adis Dera.  Quite likely the Shanks data are wrong anyway.
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Africa/Addis_Ababa	2:34:48 -	LMT	1870
 			2:35:20	-	ADMT	1936 May 5    # Adis Dera MT
@@ -448,28 +441,24 @@ Zone Africa/Libreville	0:37:48 -	LMT	191
 			1:00	-	WAT
 
 # Gambia
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Banjul	-1:06:36 -	LMT	1912
-			-1:06:36 -	BMT	1935	# Banjul Mean Time
-			-1:00	-	WAT	1964
-			 0:00	-	GMT
+# See Africa/Abidjan.
 
 # Ghana
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-# Whitman says DST was observed from 1931 to ``the present'';
-# go with Shanks & Pottenger.
-Rule	Ghana	1936	1942	-	Sep	 1	0:00	0:20	GHST
-Rule	Ghana	1936	1942	-	Dec	31	0:00	0	GMT
+# Whitman says DST was observed from 1931 to "the present";
+# Shanks & Pottenger say 1936 to 1942;
+# and September 1 to January 1 is given by:
+# Scott Keltie J, Epstein M (eds), The Statesman's Year-Book,
+# 57th ed. Macmillan, London (1920), OCLC 609408015, pp xxviii.
+# For lack of better info, assume DST was observed from 1920 to 1942.
+Rule	Ghana	1920	1942	-	Sep	 1	0:00	0:20	GHST
+Rule	Ghana	1920	1942	-	Dec	31	0:00	0	GMT
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Africa/Accra	-0:00:52 -	LMT	1918
 			 0:00	Ghana	%s
 
 # Guinea
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Conakry	-0:54:52 -	LMT	1912
-			 0:00	-	GMT	1934 Feb 26
-			-1:00	-	WAT	1960
-			 0:00	-	GMT
+# See Africa/Abidjan.
 
 # Guinea-Bissau
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
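Review bot: The Ghana rule change from 1936-1942 to 1920-1942 alters the computed offset for Africa/Accra in every September-December from 1920 through 1935 (now +0:20 GHST instead of GMT), which is a data change rather than a comment cleanup and deserves a mention in the commit log. Also, the new comment cites the source for "September 1 to January 1", while the second rule keeps the `Dec 31 0:00` transition back to GMT; either the rule or the comment is a day off, so state which is intended.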
@@ -577,18 +566,8 @@ Zone	Africa/Blantyre	2:20:00 -	LMT	1903 
 			2:00	-	CAT
 
 # Mali
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Bamako	-0:32:00 -	LMT	1912
-			 0:00	-	GMT	1934 Feb 26
-			-1:00	-	WAT	1960 Jun 20
-			 0:00	-	GMT
-
 # Mauritania
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone Africa/Nouakchott	-1:03:48 -	LMT	1912
-			 0:00	-	GMT	1934 Feb 26
-			-1:00	-	WAT	1960 Nov 28
-			 0:00	-	GMT
+# See Africa/Abidjan.
 
 # Mauritius
 
@@ -612,9 +591,7 @@ Zone Africa/Nouakchott	-1:03:48 -	LMT	19
 
 # From Steffen Thorsen (2008-07-10):
 # According to
-# 
 # http://www.lexpress.mu/display_article.php?news_id=111216
-# 
 # (in French), Mauritius will start and end their DST a few days earlier
 # than previously announced (2008-11-01 to 2009-03-31).  The new start
 # date is 2008-10-26 at 02:00 and the new end date is 2009-03-27 (no time
@@ -633,18 +610,13 @@ Zone Africa/Nouakchott	-1:03:48 -	LMT	19
 # published on Monday, June 30, 2008...
 #
 # I guess that article in French "Le gouvernement avance l'introduction
-# de l'heure d'ete" stating that DST in Mauritius starting on October 26
-# and ending on March 27, 2009 is the most recent one.
-# ...
-# 
+# de l'heure d'été" stating that DST in Mauritius starting on October 26
+# and ending on March 27, 2009 is the most recent one....
 # http://www.worldtimezone.com/dst_news/dst_news_mauritius02.html
-# 
 
 # From Riad M. Hossen Ally (2008-08-03):
 # The Government of Mauritius weblink
-# 
 # http://www.gov.mu/portal/site/pmosite/menuitem.4ca0efdee47462e7440a600248a521ca/?content_id=4728ca68b2a5b110VgnVCM1000000a04a8c0RCRD
-# 
 # Cabinet Decision of July 18th, 2008 states as follows:
 #
 # 4. ...Cabinet has agreed to the introduction into the National Assembly
@@ -654,33 +626,25 @@ Zone Africa/Nouakchott	-1:03:48 -	LMT	19
 # States of America. It will start at two o'clock in the morning on the
 # last Sunday of October and will end at two o'clock in the morning on
 # the last Sunday of March the following year. The summer time for the
-# year 2008 - 2009 will, therefore, be effective as from 26 October 2008
+# year 2008-2009 will, therefore, be effective as from 26 October 2008
 # and end on 29 March 2009.
 
 # From Ed Maste (2008-10-07):
 # THE TIME BILL (No. XXVII of 2008) Explanatory Memorandum states the
 # beginning / ending of summer time is 2 o'clock standard time in the
 # morning of the last Sunday of October / last Sunday of March.
-# 
 # http://www.gov.mu/portal/goc/assemblysite/file/bill2708.pdf
-# 
 
 # From Steffen Thorsen (2009-06-05):
 # According to several sources, Mauritius will not continue to observe
 # DST the coming summer...
 #
 # Some sources, in French:
-# 
 # http://www.defimedia.info/news/946/Rashid-Beebeejaun-:-%C2%AB-L%E2%80%99heure-d%E2%80%99%C3%A9t%C3%A9-ne-sera-pas-appliqu%C3%A9e-cette-ann%C3%A9e-%C2%BB
-# 
-# 
 # http://lexpress.mu/Story/3398~Beebeejaun---Les-objectifs-d-%C3%A9conomie-d-%C3%A9nergie-de-l-heure-d-%C3%A9t%C3%A9-ont-%C3%A9t%C3%A9-atteints-
-# 
 #
 # Our wrap-up:
-# 
 # http://www.timeanddate.com/news/time/mauritius-dst-will-not-repeat.html
-# 
 
 # From Arthur David Olson (2009-07-11):
 # The "mauritius-dst-will-not-repeat" wrapup includes this:
@@ -704,7 +668,7 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 			3:00	-	EAT
 
 # Morocco
-# See the `europe' file for Spanish Morocco (Africa/Ceuta).
+# See the 'europe' file for Spanish Morocco (Africa/Ceuta).
 
 # From Alex Krivenyshev (2008-05-09):
 # Here is an article that Morocco plan to introduce Daylight Saving Time between
@@ -712,60 +676,43 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 #
 # "... Morocco is to save energy by adjusting its clock during summer so it will
 # be one hour ahead of GMT between 1 June and 27 September, according to
-# Communication Minister and Gov ernment Spokesman, Khalid Naciri...."
+# Communication Minister and Government Spokesman, Khalid Naciri...."
 #
-# 
 # http://www.worldtimezone.net/dst_news/dst_news_morocco01.html
-# 
-# OR
-# 
 # http://en.afrik.com/news11892.html
-# 
 
 # From Alex Krivenyshev (2008-05-09):
 # The Morocco time change can be confirmed on Morocco web site Maghreb Arabe Presse:
-# 
 # http://www.map.ma/eng/sections/box3/morocco_shifts_to_da/view
-# 
 #
 # Morocco shifts to daylight time on June 1st through September 27, Govt.
 # spokesman.
 
 # From Patrice Scattolin (2008-05-09):
 # According to this article:
-# 
 # http://www.avmaroc.com/actualite/heure-dete-comment-a127896.html
-# 
-# (and republished here:
-# 
-# http://www.actu.ma/heure-dete-comment_i127896_0.html
-# 
-# )
-# the changes occurs at midnight:
-#
-# saturday night may 31st at midnight (which in french is to be
-# intrepreted as the night between saturday and sunday)
-# sunday night the 28th  at midnight
-#
-# Seeing that the 28th is monday, I am guessing that she intends to say
-# the midnight of the 28th which is the midnight between sunday and
-# monday, which jives with other sources that say that it's inclusive
-# june1st to sept 27th.
+# (and republished here: )
+# the changes occur at midnight:
+#
+# Saturday night May 31st at midnight (which in French is to be
+# interpreted as the night between Saturday and Sunday)
+# Sunday night the 28th at midnight
+#
+# Seeing that the 28th is Monday, I am guessing that she intends to say
+# the midnight of the 28th which is the midnight between Sunday and
+# Monday, which jives with other sources that say that it's inclusive
+# June 1st to Sept 27th.
 #
 # The decision was taken by decree *2-08-224 *but I can't find the decree
 # published on the web.
 #
 # It's also confirmed here:
-# 
 # http://www.maroc.ma/NR/exeres/FACF141F-D910-44B0-B7FA-6E03733425D1.htm
-# 
-# on a government portal as being  between june 1st and sept 27th (not yet
-# posted in english).
+# on a government portal as being between June 1st and Sept 27th (not yet
+# posted in English).
 #
-# The following google query will generate many relevant hits:
-# 
+# The following Google query will generate many relevant hits:
 # http://www.google.com/search?hl=en&q=Conseil+de+gouvernement+maroc+heure+avance&btnG=Search
-# 
 
 # From Steffen Thorsen (2008-08-27):
 # Morocco will change the clocks back on the midnight between August 31
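Review bot: In the Patrice Scattolin paragraph of this hunk, the rewritten line `# (and republished here: )` has lost the URL that the removed lines carried (http://www.actu.ma/heure-dete-comment_i127896_0.html), leaving an empty parenthetical. Either restore the link or drop the parenthetical altogether; as it stands the sentence says nothing.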
@@ -773,47 +720,32 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 # of September:
 #
 # One article about it (in French):
-# 
 # http://www.menara.ma/fr/Actualites/Maroc/Societe/ci.retour_a_l_heure_gmt_a_partir_du_dimanche_31_aout_a_minuit_officiel_.default
-# 
 #
 # We have some further details posted here:
-# 
 # http://www.timeanddate.com/news/time/morocco-ends-dst-early-2008.html
-# 
 
 # From Steffen Thorsen (2009-03-17):
 # Morocco will observe DST from 2009-06-01 00:00 to 2009-08-21 00:00 according
 # to many sources, such as
-# 
 # http://news.marweb.com/morocco/entertainment/morocco-daylight-saving.html
-# 
-# 
 # http://www.medi1sat.ma/fr/depeche.aspx?idp=2312
-# 
 # (French)
 #
 # Our summary:
-# 
 # http://www.timeanddate.com/news/time/morocco-starts-dst-2009.html
-# 
 
 # From Alexander Krivenyshev (2009-03-17):
 # Here is a link to official document from Royaume du Maroc Premier Ministre,
-# Ministere de la Modernisation des Secteurs Publics
+# Ministère de la Modernisation des Secteurs Publics
 #
 # Under Article 1 of Royal Decree No. 455-67 of Act 23 safar 1387 (2 june 1967)
 # concerning the amendment of the legal time, the Ministry of Modernization of
 # Public Sectors announced that the official time in the Kingdom will be
 # advanced 60 minutes from Sunday 31 May 2009 at midnight.
 #
-# 
 # http://www.mmsp.gov.ma/francais/Actualites_fr/PDF_Actualites_Fr/HeureEte_FR.pdf
-# 
-#
-# 
 # http://www.worldtimezone.com/dst_news/dst_news_morocco03.html
-# 
 
 # From Steffen Thorsen (2010-04-13):
 # Several news media in Morocco report that the Ministry of Modernization
@@ -821,14 +753,10 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 # 2010-05-02 to 2010-08-08.
 #
 # Example:
-# 
 # http://www.lavieeco.com/actualites/4099-le-maroc-passera-a-l-heure-d-ete-gmt1-le-2-mai.html
-# 
 # (French)
 # Our page:
-# 
 # http://www.timeanddate.com/news/time/morocco-starts-dst-2010.html
-# 
 
 # From Dan Abitol (2011-03-30):
 # ...Rules for Africa/Casablanca are the following (24h format)
@@ -838,34 +766,20 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 # The change was broadcast on the FM Radio
 # I ve called ANRT (telecom regulations in Morocco) at
 # +212.537.71.84.00
-# 
 # http://www.anrt.net.ma/fr/
-# 
 # They said that
-# 
 # http://www.map.ma/fr/sections/accueil/l_heure_legale_au_ma/view
-# 
 # is the official publication to look at.
 # They said that the decision was already taken.
 #
 # More articles in the press
-# 
-# http://www.yabiladi.com/articles/details/5058/secret-l-heure-d-ete-maroc-lev
-# 
-# e.html
-# 
+# http://www.yabiladi.com/articles/details/5058/secret-l-heure-d-ete-maroc-leve.html
 # http://www.lematin.ma/Actualite/Express/Article.asp?id=148923
-# 
-# 
 # http://www.lavieeco.com/actualite/Le-Maroc-passe-sur-GMT%2B1-a-partir-de-dim
-# anche-prochain-5538.html
-# 
 
 # From Petr Machata (2011-03-30):
 # They have it written in English here:
-# 
 # http://www.map.ma/eng/sections/home/morocco_to_spring_fo/view
-# 
 #
 # It says there that "Morocco will resume its standard time on July 31,
 # 2011 at midnight." Now they don't say whether they mean midnight of
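Review bot: the lavieeco link is left split in the result: its first half stays as unchanged context ("...-a-partir-de-dim") while the continuation "# anche-prochain-5538.html" is removed, so the URL no longer resolves as written. The yabiladi link a few lines up is joined onto a single line in this same hunk; do the same for the lavieeco one.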
@@ -873,20 +787,16 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 # also been like that in the past.
 
 # From Alexander Krivenyshev (2012-03-09):
-# According to Infomédiaire web site from Morocco (infomediaire.ma),
-# on March 9, 2012, (in French) Heure légale:
-# Le Maroc adopte officiellement l'heure d'été
-# 
+# According to Infomédiaire web site from Morocco (infomediaire.ma),
+# on March 9, 2012, (in French) Heure légale:
+# Le Maroc adopte officiellement l'heure d'été
 # http://www.infomediaire.ma/news/maroc/heure-l%C3%A9gale-le-maroc-adopte-officiellement-lheure-d%C3%A9t%C3%A9
-# 
 # Governing Council adopted draft decree, that Morocco DST starts on
 # the last Sunday of March (March 25, 2012) and ends on
 # last Sunday of September (September 30, 2012)
 # except the month of Ramadan.
 # or (brief)
-# 
 # http://www.worldtimezone.com/dst_news/dst_news_morocco06.html
-# 
 
 # From Arthur David Olson (2012-03-10):
 # The infomediaire.ma source indicates that the system is to be in
@@ -897,17 +807,13 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 
 # From Christophe Tropamer (2012-03-16):
 # Seen Morocco change again:
-# 
 # http://www.le2uminutes.com/actualite.php
-# 
-# "...à partir du dernier dimance d'avril et non fins mars,
-# comme annoncé précédemment."
+# "...à partir du dernier dimanche d'avril et non fins mars,
+# comme annoncé précédemment."
 
 # From Milamber Space Network (2012-07-17):
 # The official return to GMT is announced by the Moroccan government:
-# 
 # http://www.mmsp.gov.ma/fr/actualites.aspx?id=288 [in French]
-# 
 #
 # Google translation, lightly edited:
 # Back to the standard time of the Kingdom (GMT)
@@ -1052,7 +958,7 @@ Zone Africa/Casablanca	-0:30:20 -	LMT	19
 # Assume that this has been true since Western Sahara switched to GMT,
 # since most of it was then controlled by Morocco.
 
-Zone Africa/El_Aaiun	-0:52:48 -	LMT	1934 Jan
+Zone Africa/El_Aaiun	-0:52:48 -	LMT	1934 Jan # El Aaiún
 			-1:00	-	WAT	1976 Apr 14
 			 0:00	Morocco	WE%sT
 
@@ -1102,15 +1008,17 @@ Zone	Africa/Niamey	 0:08:28 -	LMT	1912
 Zone	Africa/Lagos	0:13:36 -	LMT	1919 Sep
 			1:00	-	WAT
 
-# Reunion
+# Réunion
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Indian/Reunion	3:41:52 -	LMT	1911 Jun	# Saint-Denis
-			4:00	-	RET	# Reunion Time
+			4:00	-	RET	# Réunion Time
 #
-# Scattered Islands (Iles Eparses) administered from Reunion are as follows.
+# Crozet Islands also observes Réunion time; see the 'antarctica' file.
+#
+# Scattered Islands (Îles Éparses) administered from Réunion are as follows.
 # The following information about them is taken from
-# Iles Eparses (www.outre-mer.gouv.fr/domtom/ile.htm, 1997-07-22, in French;
-# no longer available as of 1999-08-17).
+# Îles Éparses (, 1997-07-22,
+# in French; no longer available as of 1999-08-17).
 # We have no info about their time zone histories.
 #
 # Bassas da India - uninhabited
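Review bot: the new citation "# Îles Éparses (, 1997-07-22," has lost the URL that the removed line held (www.outre-mer.gouv.fr/domtom/ile.htm), leaving an empty parenthetical; restore the URL or reword the sentence so it does not cite a missing source.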
@@ -1125,28 +1033,17 @@ Zone	Africa/Kigali	2:00:16 -	LMT	1935 Ju
 			2:00	-	CAT
 
 # St Helena
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone Atlantic/St_Helena	-0:22:48 -	LMT	1890		# Jamestown
-			-0:22:48 -	JMT	1951	# Jamestown Mean Time
-			 0:00	-	GMT
+# See Africa/Abidjan.
 # The other parts of the St Helena territory are similar:
 #	Tristan da Cunha: on GMT, say Whitman and the CIA
-#	Ascension: on GMT, says usno1995 and the CIA
+#	Ascension: on GMT, say the USNO (1995-12-21) and the CIA
 #	Gough (scientific station since 1955; sealers wintered previously):
 #		on GMT, says the CIA
-#	Inaccessible, Nightingale: no information, but probably GMT
-
-# Sao Tome and Principe
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Sao_Tome	 0:26:56 -	LMT	1884
-			-0:36:32 -	LMT	1912	# Lisbon Mean Time
-			 0:00	-	GMT
+#	Inaccessible, Nightingale: uninhabited
 
+# São Tomé and Príncipe
 # Senegal
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Dakar	-1:09:44 -	LMT	1912
-			-1:00	-	WAT	1941 Jun
-			 0:00	-	GMT
+# See Africa/Abidjan.
 
 # Seychelles
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
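Review bot: the new "# São Tomé and Príncipe" header is not followed by a "# See Africa/Abidjan." line as the St Helena and Senegal entries are; it runs straight into "# Senegal", so a reader of the file cannot tell where Africa/Sao_Tome went. Note also that replacing these Zone blocks with aliases of Abidjan discards the pre-1970 history deleted here (JMT -0:22:48 until 1951 for St Helena, Lisbon Mean Time until 1912 for Sao Tome, WAT -1:00 until 1941 Jun for Dakar); that is a visible behaviour change for anyone converting historical timestamps on a releng branch and deserves a sentence in the errata notice.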
@@ -1160,17 +1057,7 @@ Zone	Indian/Mahe	3:41:48 -	LMT	1906 Jun	
 # Possibly the islands were uninhabited.
 
 # Sierra Leone
-# Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-# Whitman gives Mar 31 - Aug 31 for 1931 on; go with Shanks & Pottenger.
-Rule	SL	1935	1942	-	Jun	 1	0:00	0:40	SLST
-Rule	SL	1935	1942	-	Oct	 1	0:00	0	WAT
-Rule	SL	1957	1962	-	Jun	 1	0:00	1:00	SLST
-Rule	SL	1957	1962	-	Sep	 1	0:00	0	GMT
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Freetown	-0:53:00 -	LMT	1882
-			-0:53:00 -	FMT	1913 Jun # Freetown Mean Time
-			-1:00	SL	%s	1957
-			 0:00	SL	%s
+# See Africa/Abidjan.
 
 # Somalia
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
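Review bot: dropping the four Rule SL lines together with the Zone removes the only record of Sierra Leone's 1935-1942 and 1957-1962 summer time (SLST), which a plain alias of Africa/Abidjan cannot express; pre-1970 conversions for Africa/Freetown will now report plain GMT. If that loss is intended, keep the Whitman / Shanks & Pottenger remark as a comment so the history is not silently discarded.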
@@ -1193,9 +1080,9 @@ Zone Africa/Johannesburg 1:52:00 -	LMT	1
 
 # Sudan
 #
-# From 
-# Sudan News Agency (2000-01-13)
-# , also reported by Michael De Beukelaer-Dossche via Steffen Thorsen:
+# From 
+# Sudan News Agency (2000-01-13),
+# also reported by Michaël De Beukelaer-Dossche via Steffen Thorsen:
 # Clocks will be moved ahead for 60 minutes all over the Sudan as of noon
 # Saturday....  This was announced Thursday by Caretaker State Minister for
 # Manpower Abdul-Rahman Nur-Eddin.
@@ -1226,14 +1113,12 @@ Zone Africa/Dar_es_Salaam 2:37:08 -	LMT	
 			3:00	-	EAT
 
 # Togo
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Lome	0:04:52 -	LMT	1893
-			0:00	-	GMT
+# See Africa/Abidjan.
 
 # Tunisia
 
 # From Gwillim Law (2005-04-30):
-# My correspondent, Risto Nykanen, has alerted me to another adoption of DST,
+# My correspondent, Risto Nykänen, has alerted me to another adoption of DST,
 # this time in Tunisia.  According to Yahoo France News
 # , in a story attributed to AP
 # and dated 2005-04-26, "Tunisia has decided to advance its official time by
@@ -1242,7 +1127,7 @@ Zone	Africa/Lome	0:04:52 -	LMT	1893
 # Saturday."  (My translation)
 #
 # From Oscar van Vlijmen (2005-05-02):
-# LaPresse, the first national daily newspaper ...
+# La Presse, the first national daily newspaper ...
 # 
 # ... DST for 2005: on: Sun May 1 0h standard time, off: Fri Sept. 30,
 # 1h standard time.
@@ -1256,18 +1141,12 @@ Zone	Africa/Lome	0:04:52 -	LMT	1893
 # From Steffen Thorsen (2009-03-16):
 # According to several news sources, Tunisia will not observe DST this year.
 # (Arabic)
-# 
 # http://www.elbashayer.com/?page=viewn&nid=42546
-# 
-# 
 # http://www.babnet.net/kiwidetail-15295.asp
-# 
 #
 # We have also confirmed this with the US embassy in Tunisia.
 # We have a wrap-up about this on the following page:
-# 
 # http://www.timeanddate.com/news/time/tunisia-cancels-dst-2009.html
-# 
 
 # From Alexander Krivenyshev (2009-03-17):
 # Here is a link to Tunis Afrique Presse News Agency
@@ -1275,20 +1154,17 @@ Zone	Africa/Lome	0:04:52 -	LMT	1893
 # Standard time to be kept the whole year long (tap.info.tn):
 #
 # (in English)
-# 
 # http://www.tap.info.tn/en/index.php?option=com_content&task=view&id=26813&Itemid=157
-# 
 #
 # (in Arabic)
-# 
 # http://www.tap.info.tn/ar/index.php?option=com_content&task=view&id=61240&Itemid=1
-# 
 
-# From Arthur David Olson (2009--3-18):
-# The Tunis Afrique Presse News Agency notice contains this: "This measure is due to the fact
-# that the fasting month of ramadan coincides with the period concerned by summer time.
-# Therefore, the standard time will be kept unchanged the whole year long."
-# So foregoing DST seems to be an exception (albeit one that may be repeated in the  future).
+# From Arthur David Olson (2009-03-18):
+# The Tunis Afrique Presse News Agency notice contains this: "This measure is
+# due to the fact that the fasting month of Ramadan coincides with the period
+# concerned by summer time.  Therefore, the standard time will be kept
+# unchanged the whole year long."  So foregoing DST seems to be an exception
+# (albeit one that may be repeated in the future).
 
 # From Alexander Krivenyshev (2010-03-27):
 # According to some news reports Tunis confirmed not to use DST in 2010
@@ -1300,12 +1176,8 @@ Zone	Africa/Lome	0:04:52 -	LMT	1893
 # coincided with the month of Ramadan..."
 #
 # (in Arabic)
-# 
 # http://www.moheet.com/show_news.aspx?nid=358861&pg=1
-# 
 # http://www.almadenahnews.com/newss/news.php?c=118&id=38036
-# or
-# 
 # http://www.worldtimezone.com/dst_news/dst_news_tunis02.html
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S

Modified: releng/9.3/contrib/tzdata/antarctica
==============================================================================
--- releng/9.3/contrib/tzdata/antarctica	Tue Oct 21 23:09:09 2014	(r273437)
+++ releng/9.3/contrib/tzdata/antarctica	Tue Oct 21 23:50:46 2014	(r273438)
@@ -1,16 +1,13 @@
-# 
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
 # From Paul Eggert (1999-11-15):
 # To keep things manageable, we list only locations occupied year-round; see
-# 
 # COMNAP - Stations and Bases
-# 
+# 
 # and
-# 
 # Summary of the Peri-Antarctic Islands (1998-07-23)
-# 
+# 
 # for information.
 # Unless otherwise specified, we have no time zone information.
 #
@@ -55,19 +52,19 @@ Rule	ChileAQ	2012	max	-	Sep	Sun>=2	4:00u
 
 # Argentina - year-round bases
 # Belgrano II, Confin Coast, -770227-0343737, since 1972-02-05
-# Esperanza, San Martin Land, -6323-05659, since 1952-12-17
-# Jubany, Potter Peninsula, King George Island, -6414-0602320, since 1982-01
-# Marambio, Seymour I, -6414-05637, since 1969-10-29
+# Carlini, Potter Cove, King George Island, -6414-0602320, since 1982-01
+# Esperanza, Hope Bay, -6323-05659, since 1952-12-17
+# Marambio, -6414-05637, since 1969-10-29
 # Orcadas, Laurie I, -6016-04444, since 1904-02-22
-# San Martin, Debenham I, -6807-06708, since 1951-03-21
+# San Martín, Barry I, -6808-06706, since 1951-03-21
 #	(except 1960-03 / 1976-03-21)
 
 # Australia - territories
 # Heard Island, McDonald Islands (uninhabited)
 #	previously sealers and scientific personnel wintered
-#	
 #	Margaret Turner reports
-#	 (1999-09-30) that they're UTC+5, with no DST;
+#	
+#	(1999-09-30) that they're UTC+5, with no DST;
 #	presumably this is when they have visitors.
 #
 # year-round bases
@@ -84,14 +81,10 @@ Rule	ChileAQ	2012	max	-	Sep	Sun>=2	4:00u
 # The changes occurred on 2009-10-18 at 02:00 (local times).
 #
 # Government source: (Australian Antarctic Division)
-# 
 # http://www.aad.gov.au/default.asp?casid=37079
-# 
 #
 # We have more background information here:
-# 
 # http://www.timeanddate.com/news/time/antarctica-new-times.html
-# 
 
 # From Steffen Thorsen (2010-03-10):
 # We got these changes from the Australian Antarctic Division: ...
@@ -106,19 +99,17 @@ Rule	ChileAQ	2012	max	-	Sep	Sun>=2	4:00u
 # - Mawson station stays on UTC+5.
 #
 # Background:
-# 
 # http://www.timeanddate.com/news/time/antartica-time-changes-2010.html
-# 
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Antarctica/Casey	0	-	zzz	1969
-			8:00	-	WST	2009 Oct 18 2:00
-						# Western (Aus) Standard Time
+			8:00	-	AWST	2009 Oct 18 2:00
+						# Australian Western Std Time
 			11:00	-	CAST	2010 Mar 5 2:00
 						# Casey Time
-			8:00	-	WST	2011 Oct 28 2:00
+			8:00	-	AWST	2011 Oct 28 2:00
 			11:00	-	CAST	2012 Feb 21 17:00u
-			8:00	-	WST
+			8:00	-	AWST
 Zone Antarctica/Davis	0	-	zzz	1957 Jan 13
 			7:00	-	DAVT	1964 Nov # Davis Time
 			0	-	zzz	1969 Feb
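Review bot: renaming the abbreviation from WST to AWST for the three Antarctica/Casey periods changes the string returned through tzname and strftime %Z for that zone; on an errata branch that is visible to anything that matches on the abbreviation, so mention it in the EN notice and check that the corresponding WST entries in the australasia file are changed in the same commit.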
@@ -132,24 +123,27 @@ Zone Antarctica/Mawson	0	-	zzz	1954 Feb 
 						# Mawson Time
 			5:00	-	MAWT
 # References:
-# 
 # Casey Weather (1998-02-26)
-# 
-# 
+# 
 # Davis Station, Antarctica (1998-02-26)
-# 
-# 
+# 
 # Mawson Station, Antarctica (1998-02-25)
-# 
+# 
+
+# Belgium - year-round base
+# Princess Elisabeth, Queen Maud Land, -713412+0231200, since 2007
 
 # Brazil - year-round base
-# Comandante Ferraz, King George Island, -6205+05824, since 1983/4
+# Ferraz, King George Island, -6205+05824, since 1983/4
+
+# Bulgaria - year-round base
+# St. Kliment Ohridski, Livingston Island, -623829-0602153, since 1988
 
 # Chile - year-round bases and towns
 # Escudero, South Shetland Is, -621157-0585735, since 1994
-# Presidente Eduadro Frei, King George Island, -6214-05848, since 1969-03-07
-# General Bernardo O'Higgins, Antarctic Peninsula, -6319-05704, since 1948-02
-# Capitan Arturo Prat, -6230-05941
+# Frei Montalva, King George Island, -6214-05848, since 1969-03-07
+# O'Higgins, Antarctic Peninsula, -6319-05704, since 1948-02
+# Prat, -6230-05941
 # Villa Las Estrellas (a town), around the Frei base, since 1984-04-09
 # These locations have always used Santiago time; use TZ='America/Santiago'.
 
@@ -157,31 +151,35 @@ Zone Antarctica/Mawson	0	-	zzz	1954 Feb 
 # Great Wall, King George Island, -6213-05858, since 1985-02-20
 # Zhongshan, Larsemann Hills, Prydz Bay, -6922+07623, since 1989-02-26
 
-# France - year-round bases
+# France - year-round bases (also see "France & Italy")
 #
 # From Antoine Leca (1997-01-20):
 # Time data are from Nicole Pailleau at the IFRTP
 # (French Institute for Polar Research and Technology).
-# She confirms that French Southern Territories and Terre Adelie bases
-# don't observe daylight saving time, even if Terre Adelie supplies came
+# She confirms that French Southern Territories and Terre Adélie bases
+# don't observe daylight saving time, even if Terre Adélie supplies came
 # from Tasmania.
 #
 # French Southern Territories with year-round inhabitants
 #
-# Martin-de-Vivies Base, Amsterdam Island, -374105+0773155, since 1950
-# Alfred-Faure Base, Crozet Islands, -462551+0515152, since 1964
-# Port-aux-Francais, Kerguelen Islands, -492110+0701303, since 1951;
+# Alfred Faure, Possession Island, Crozet Islands, -462551+0515152, since 1964;
+#	sealing & whaling stations operated variously 1802/1911+;
+#	see Indian/Reunion.
+#
+# Martin-de-Viviès, Amsterdam Island, -374105+0773155, since 1950
+# Port-aux-Français, Kerguelen Islands, -492110+0701303, since 1951;
 #	whaling & sealing station operated 1908/1914, 1920/1929, and 1951/1956
 #
 # St Paul Island - near Amsterdam, uninhabited
 #	fishing stations operated variously 1819/1931
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone Indian/Kerguelen	0	-	zzz	1950	# Port-aux-Francais
+Zone Indian/Kerguelen	0	-	zzz	1950	# Port-aux-Français
 			5:00	-	TFT	# ISO code TF Time
 #
 # year-round base in the main continent
-# Dumont-d'Urville, Ile des Petrels, -6640+14001, since 1956-11
+# Dumont d'Urville, Île des Pétrels, -6640+14001, since 1956-11
+#  (2005-12-05)
 #
 # Another base at Port-Martin, 50km east, began operation in 1947.
 # It was destroyed by fire on 1952-01-14.
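Review bot: the added line "#  (2005-12-05)" under Dumont d'Urville is a bare date; the reference it came from (the "Reference: Dumont d'Urville Station (2005-12-05)" block removed in the next hunk) has lost its URL in the move, so the date now qualifies nothing. Put the link back on that line or drop it.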
@@ -191,20 +189,22 @@ Zone Antarctica/DumontDUrville 0 -	zzz	1
 			10:00	-	PMT	1952 Jan 14 # Port-Martin Time
 			0	-	zzz	1956 Nov
 			10:00	-	DDUT	# Dumont-d'Urville Time
-# Reference:
-# 
-# Dumont d'Urville Station (2005-12-05)
-# 
+
+# France & Italy - year-round base
+# Concordia, -750600+1232000, since 2005
 
 # Germany - year-round base
-# Georg von Neumayer, -7039-00815
+# Neumayer III, -704080-0081602, since 2009
 
-# India - year-round base
-# Dakshin Gangotri, -7005+01200
+# India - year-round bases
+# Bharati, -692428+0761114, since 2012
+# Maitri, -704558+0114356, since 1989
+
+# Italy - year-round base (also see "France & Italy")
+# Zuchelli, Terra Nova Bay, -744140+1640647, since 1986
 
 # Japan - year-round bases
-# Dome Fuji, -7719+03942
-# Syowa, -690022+0393524
+# Syowa (also known as Showa), -690022+0393524, since 1957
 #
 # From Hideyuki Suzuki (1999-02-06):
 # In all Japanese stations, +0300 is used as the standard time.
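Review bot: "Zuchelli" in the new Italy entry should be checked; the Terra Nova Bay station is normally written Zucchelli (Mario Zucchelli Station). The Japan block also drops Dome Fuji without saying why; if it no longer meets the year-round criterion stated at the top of this file, one comment line saying so would keep the list self-explaining.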
@@ -216,11 +216,11 @@ Zone Antarctica/DumontDUrville 0 -	zzz	1
 Zone Antarctica/Syowa	0	-	zzz	1957 Jan 29
 			3:00	-	SYOT	# Syowa Time
 # See:
-# 
 # NIPR Antarctic Research Activities (1999-08-17)
-# 
+# 
 
 # S Korea - year-round base
+# Jang Bogo, Terra Nova Bay, -743700+1641205 since 2014
 # King Sejong, King George Island, -6213-05847, since 1988
 
 # New Zealand - claims
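Review bot: the new Jang Bogo line is missing the comma before "since 2014" that every other base entry uses ("-743700+1641205 since 2014" versus "-6213-05847, since 1988" on the next line).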
@@ -269,6 +269,9 @@ Zone Antarctica/Troll	0	-	zzz	2005 Feb 1
 # Poland - year-round base
 # Arctowski, King George Island, -620945-0582745, since 1977
 
+# Romania - year-bound base
+# Law-Racoviță, Larsemann Hills, -692319+0762251, since 1986
+
 # Russia - year-round bases
 # Bellingshausen, King George Island, -621159-0585337, since 1968-02-22
 # Mirny, Davis coast, -6633+09301, since 1956-02
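Review bot: "year-bound base" in the new Romania header is a typo for "year-round base", the wording every other country header in this file uses.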
@@ -278,8 +281,8 @@ Zone Antarctica/Troll	0	-	zzz	2005 Feb 1
 #	year-round from 1960/61 to 1992
 
 # Vostok, since 1957-12-16, temporarily closed 1994-02/1994-11
-# 
-# From Craig Mundell (1994-12-15):
+# From Craig Mundell (1994-12-15)
+# :
 # Vostok, which is one of the Russian stations, is set on the same
 # time as Moscow, Russia.
 #
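Review bot: the split "# From Craig Mundell (1994-12-15)" / "# :" leaves a lone colon on its own line; the rewrite evidently expected a reference between the name and the colon, but as the hunk reads nothing is there. Either put the link between the two lines or join them back into "# From Craig Mundell (1994-12-15):".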
@@ -294,7 +297,7 @@ Zone Antarctica/Troll	0	-	zzz	2005 Feb 1
 #
 # From Paul Eggert (2001-05-04):
 # This seems to be hopelessly confusing, so I asked Lee Hotz about it
-# in person.  He said that some Antartic locations set their local
+# in person.  He said that some Antarctic locations set their local
 # time so that noon is the warmest part of the day, and that this
 # changes during the year and does not necessarily correspond to mean
 # solar noon.  So the Vostok time might have been whatever the clocks
@@ -306,9 +309,12 @@ Zone Antarctica/Vostok	0	-	zzz	1957 Dec 
 
 # S Africa - year-round bases
 # Marion Island, -4653+03752
-# Sanae, -7141-00250
+# SANAE IV, Vesleskarvet, Queen Maud Land, -714022-0025026, since 1997
+
+# Ukraine - year-round base
+# Vernadsky (formerly Faraday), Galindez Island, -651445-0641526, since 1954
 
-# UK
+# United Kingdom
 #
 # British Antarctic Territories (BAT) claims
 # South Orkney Islands
@@ -364,7 +370,7 @@ Zone Antarctica/Palmer	0	-	zzz	1965
 # but that he found it more convenient to keep GMT+12
 # as supplies for the station were coming from McMurdo Sound,
 # which was on GMT+12 because New Zealand was on GMT+12 all year
-# at that time (1957).  (Source: Siple's book 90 degrees SOUTH.)
+# at that time (1957).  (Source: Siple's book 90 Degrees South.)
 #
 # From Susan Smith
 # http://www.cybertours.com/whs/pole10.html

Modified: releng/9.3/contrib/tzdata/asia
==============================================================================
--- releng/9.3/contrib/tzdata/asia	Tue Oct 21 23:09:09 2014	(r273437)
+++ releng/9.3/contrib/tzdata/asia	Tue Oct 21 23:50:46 2014	(r273438)

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-src-releng@FreeBSD.ORG  Tue Oct 21 23:52:27 2014
Return-Path: 
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 2DF0C99F;
 Tue, 21 Oct 2014 23:52:27 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 1596D12A;
 Tue, 21 Oct 2014 23:52:27 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9LNqRON074690;
 Tue, 21 Oct 2014 23:52:27 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9LNqQRN074686;
 Tue, 21 Oct 2014 23:52:26 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201410212352.s9LNqQRN074686@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: delphij set sender to
 delphij@FreeBSD.org using -f
From: Xin LI 
Date: Tue, 21 Oct 2014 23:52:26 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r273439 - in releng: 10.0 10.0/contrib/tzdata
 10.0/sys/conf 8.4 8.4/share/zoneinfo 8.4/sys/conf 9.1 9.1/contrib/tzdata
 9.1/sys/conf 9.2 9.2/contrib/tzdata 9.2/sys/conf
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree 
X-List-Received-Date: Tue, 21 Oct 2014 23:52:27 -0000

Author: delphij
Date: Tue Oct 21 23:52:25 2014
New Revision: 273439
URL: https://svnweb.freebsd.org/changeset/base/273439

Log:
  Time zone data file update. [EN-14:10]
  
  Approved by:	so

Added:
  releng/10.0/contrib/tzdata/zone1970.tab
  releng/8.4/share/zoneinfo/leap-seconds.list   (contents, props changed)
  releng/8.4/share/zoneinfo/zone1970.tab   (contents, props changed)
  releng/9.1/contrib/tzdata/leap-seconds.list
  releng/9.1/contrib/tzdata/zone1970.tab
  releng/9.2/contrib/tzdata/leap-seconds.list
  releng/9.2/contrib/tzdata/zone1970.tab
Modified:
  releng/10.0/UPDATING
  releng/10.0/contrib/tzdata/africa
  releng/10.0/contrib/tzdata/antarctica
  releng/10.0/contrib/tzdata/asia
  releng/10.0/contrib/tzdata/australasia
  releng/10.0/contrib/tzdata/backward
  releng/10.0/contrib/tzdata/etcetera
  releng/10.0/contrib/tzdata/europe
  releng/10.0/contrib/tzdata/factory
  releng/10.0/contrib/tzdata/leap-seconds.list
  releng/10.0/contrib/tzdata/northamerica
  releng/10.0/contrib/tzdata/pacificnew
  releng/10.0/contrib/tzdata/southamerica
  releng/10.0/contrib/tzdata/systemv
  releng/10.0/contrib/tzdata/yearistype.sh
  releng/10.0/contrib/tzdata/zone.tab
  releng/10.0/sys/conf/newvers.sh
  releng/8.4/UPDATING
  releng/8.4/share/zoneinfo/africa
  releng/8.4/share/zoneinfo/antarctica
  releng/8.4/share/zoneinfo/asia
  releng/8.4/share/zoneinfo/australasia
  releng/8.4/share/zoneinfo/backward
  releng/8.4/share/zoneinfo/etcetera
  releng/8.4/share/zoneinfo/europe
  releng/8.4/share/zoneinfo/factory
  releng/8.4/share/zoneinfo/northamerica
  releng/8.4/share/zoneinfo/pacificnew
  releng/8.4/share/zoneinfo/southamerica
  releng/8.4/share/zoneinfo/systemv
  releng/8.4/share/zoneinfo/yearistype.sh
  releng/8.4/share/zoneinfo/zone.tab
  releng/8.4/sys/conf/newvers.sh
  releng/9.1/UPDATING
  releng/9.1/contrib/tzdata/africa
  releng/9.1/contrib/tzdata/antarctica
  releng/9.1/contrib/tzdata/asia
  releng/9.1/contrib/tzdata/australasia
  releng/9.1/contrib/tzdata/backward
  releng/9.1/contrib/tzdata/etcetera
  releng/9.1/contrib/tzdata/europe
  releng/9.1/contrib/tzdata/factory
  releng/9.1/contrib/tzdata/leapseconds
  releng/9.1/contrib/tzdata/northamerica
  releng/9.1/contrib/tzdata/pacificnew
  releng/9.1/contrib/tzdata/southamerica
  releng/9.1/contrib/tzdata/systemv
  releng/9.1/contrib/tzdata/yearistype.sh
  releng/9.1/contrib/tzdata/zone.tab
  releng/9.1/sys/conf/newvers.sh
  releng/9.2/UPDATING
  releng/9.2/contrib/tzdata/africa
  releng/9.2/contrib/tzdata/antarctica
  releng/9.2/contrib/tzdata/asia
  releng/9.2/contrib/tzdata/australasia
  releng/9.2/contrib/tzdata/backward
  releng/9.2/contrib/tzdata/etcetera
  releng/9.2/contrib/tzdata/europe
  releng/9.2/contrib/tzdata/factory
  releng/9.2/contrib/tzdata/northamerica
  releng/9.2/contrib/tzdata/pacificnew
  releng/9.2/contrib/tzdata/southamerica
  releng/9.2/contrib/tzdata/systemv
  releng/9.2/contrib/tzdata/yearistype.sh
  releng/9.2/contrib/tzdata/zone.tab
  releng/9.2/sys/conf/newvers.sh

Modified: releng/10.0/UPDATING
==============================================================================
--- releng/10.0/UPDATING	Tue Oct 21 23:50:46 2014	(r273438)
+++ releng/10.0/UPDATING	Tue Oct 21 23:52:25 2014	(r273439)
@@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20141022:	p11	FreeBSD-EN-14:10.tzdata
+
+	Time zone data file update. [EN-14:10]
+
 20141021:	p10	FreeBSD-SA-14:20.rtsold
 			FreeBSD-SA-14:21.routed
 			FreeBSD-SA-14:22.namei

Modified: releng/10.0/contrib/tzdata/africa
==============================================================================
--- releng/10.0/contrib/tzdata/africa	Tue Oct 21 23:50:46 2014	(r273438)
+++ releng/10.0/contrib/tzdata/africa	Tue Oct 21 23:52:25 2014	(r273439)
@@ -1,4 +1,3 @@
-# 
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
@@ -35,13 +34,13 @@
 # Previous editions of this database used WAT, CAT, SAT, and EAT
 # for +0:00 through +3:00, respectively,
 # but Mark R V Murray reports that
-# `SAST' is the official abbreviation for +2:00 in the country of South Africa,
-# `CAT' is commonly used for +2:00 in countries north of South Africa, and
-# `WAT' is probably the best name for +1:00, as the common phrase for
-# the area that includes Nigeria is ``West Africa''.
-# He has heard of ``Western Sahara Time'' for +0:00 but can find no reference.
+# 'SAST' is the official abbreviation for +2:00 in the country of South Africa,
+# 'CAT' is commonly used for +2:00 in countries north of South Africa, and
+# 'WAT' is probably the best name for +1:00, as the common phrase for
+# the area that includes Nigeria is "West Africa".
+# He has heard of "Western Sahara Time" for +0:00 but can find no reference.
 #
-# To make things confusing, `WAT' seems to have been used for -1:00 long ago;
+# To make things confusing, 'WAT' seems to have been used for -1:00 long ago;
 # I'd guess that this was because people needed _some_ name for -1:00,
 # and at the time, far west Africa was the only major land area in -1:00.
 # This usage is now obsolete, as the last use of -1:00 on the African
@@ -54,7 +53,7 @@
 #	 2:00	SAST	South Africa Standard Time
 # and Murray suggests the following abbreviation:
 #	 1:00	WAT	West Africa Time
-# I realize that this leads to `WAT' being used for both -1:00 and 1:00
+# I realize that this leads to 'WAT' being used for both -1:00 and 1:00
 # for times before 1976, but this is the best I can think of
 # until we get more information.
 #
@@ -131,9 +130,7 @@ Zone	Africa/Gaborone	1:43:40 -	LMT	1885
 			2:00	-	CAT
 
 # Burkina Faso
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone Africa/Ouagadougou	-0:06:04 -	LMT	1912
-			 0:00	-	GMT
+# See Africa/Abidjan.
 
 # Burundi
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -161,7 +158,7 @@ Zone	Africa/Bangui	1:14:20	-	LMT	1912
 
 # Chad
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Ndjamena	1:00:12 -	LMT	1912
+Zone	Africa/Ndjamena	1:00:12 -	LMT	1912 # N'Djamena
 			1:00	-	WAT	1979 Oct 14
 			1:00	1:00	WAST	1980 Mar  8
 			1:00	-	WAT
@@ -183,10 +180,20 @@ Zone Africa/Lubumbashi	1:49:52 -	LMT	189
 Zone Africa/Brazzaville	1:01:08 -	LMT	1912
 			1:00	-	WAT
 
-# Cote D'Ivoire
+# Côte D'Ivoire / Ivory Coast
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Africa/Abidjan	-0:16:08 -	LMT	1912
 			 0:00	-	GMT
+Link Africa/Abidjan Africa/Bamako	# Mali
+Link Africa/Abidjan Africa/Banjul	# Gambia
+Link Africa/Abidjan Africa/Conakry	# Guinea
+Link Africa/Abidjan Africa/Dakar	# Senegal
+Link Africa/Abidjan Africa/Freetown	# Sierra Leone
+Link Africa/Abidjan Africa/Lome		# Togo
+Link Africa/Abidjan Africa/Nouakchott	# Mauritania
+Link Africa/Abidjan Africa/Ouagadougou	# Burkina Faso
+Link Africa/Abidjan Africa/Sao_Tome	# São Tomé and Príncipe
+Link Africa/Abidjan Atlantic/St_Helena	# St Helena
 
 # Djibouti
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
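Review bot: these ten Links replace Zones that carried their own pre-1970 entries elsewhere in this file (Dakar, Freetown, Lome, Ouagadougou, Sao_Tome and St_Helena are deleted in this same diff), so from this change on all ten names are exact aliases of Africa/Abidjan, including its -0:16:08 LMT until 1912. That follows the database's own policy, but the EN text only says "Time zone data file update"; a sentence about the collapsed pre-1970 histories would help administrators who compare zdump output across the upgrade.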
@@ -231,30 +238,26 @@ Rule	Egypt	1990	1994	-	May	 1	1:00	1:00	
 # Egyptians would approve the cancellation."
 #
 # Egypt to cancel daylight saving time
-# 
 # http://www.almasryalyoum.com/en/node/407168
-# 
 # or
-# 
 # http://www.worldtimezone.com/dst_news/dst_news_egypt04.html
-# 
 Rule	Egypt	1995	2010	-	Apr	lastFri	 0:00s	1:00	S
-Rule	Egypt	1995	2005	-	Sep	lastThu	23:00s	0	-
+Rule	Egypt	1995	2005	-	Sep	lastThu	24:00	0	-
 # From Steffen Thorsen (2006-09-19):
 # The Egyptian Gazette, issue 41,090 (2006-09-18), page 1, reports:
 # Egypt will turn back clocks by one hour at the midnight of Thursday
 # after observing the daylight saving time since May.
 # http://news.gom.com.eg/gazette/pdf/2006/09/18/01.pdf
-Rule	Egypt	2006	only	-	Sep	21	23:00s	0	-
+Rule	Egypt	2006	only	-	Sep	21	24:00	0	-
 # From Dirk Losch (2007-08-14):
 # I received a mail from an airline which says that the daylight
 # saving time in Egypt will end in the night of 2007-09-06 to 2007-09-07.
-# From Jesper Norgaard Welen (2007-08-15): [The following agree:]
+# From Jesper Nørgaard Welen (2007-08-15): [The following agree:]
 # http://www.nentjes.info/Bill/bill5.htm
 # http://www.timeanddate.com/worldclock/city.html?n=53
 # From Steffen Thorsen (2007-09-04): The official information...:
 # http://www.sis.gov.eg/En/EgyptOnline/Miscellaneous/000002/0207000000000000001580.htm
-Rule	Egypt	2007	only	-	Sep	Thu>=1	23:00s	0	-
+Rule	Egypt	2007	only	-	Sep	Thu>=1	24:00	0	-
 # From Abdelrahman Hassan (2007-09-06):
 # Due to the Hijri (lunar Islamic calendar) year being 11 days shorter
 # than the year of the Gregorian calendar, Ramadan shifts earlier each
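Review bot: the three Egypt end-of-DST rules change their AT field from 23:00s to 24:00, which denotes the same instant (23:00 standard time plus the 1:00 save is 24:00 wall clock), so this should be a no-op for the compiled zone data; please confirm with zdump -v Africa/Cairo before and after, since a mistake here would move the autumn transition by an hour for 1995-2007.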
@@ -288,15 +291,9 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	23:00s
 #
 # timeanddate[2] and another site I've found[3] also support that.
 #
-# [1] 
-# https://bugzilla.redhat.com/show_bug.cgi?id=492263
-# 
-# [2] 
-# http://www.timeanddate.com/worldclock/clockchange.html?n=53
-# 
-# [3] 
-# http://wwp.greenwichmeantime.com/time-zone/africa/egypt/
-# 
+# [1] https://bugzilla.redhat.com/show_bug.cgi?id=492263
+# [2] http://www.timeanddate.com/worldclock/clockchange.html?n=53
+# [3] http://wwp.greenwichmeantime.com/time-zone/africa/egypt/
 
 # From Arthur David Olson (2009-04-20):
 # In 2009 (and for the next several years), Ramadan ends before the fourth
@@ -306,14 +303,10 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	23:00s
 # From Steffen Thorsen (2009-08-11):
 # We have been able to confirm the August change with the Egyptian Cabinet
 # Information and Decision Support Center:
-# 
 # http://www.timeanddate.com/news/time/egypt-dst-ends-2009.html
-# 
 #
 # The Middle East News Agency
-# 
 # http://www.mena.org.eg/index.aspx
-# 
 # also reports "Egypt starts winter time on August 21"
 # today in article numbered "71, 11/08/2009 12:25 GMT."
 # Only the title above is available without a subscription to their service,
@@ -321,25 +314,94 @@ Rule	Egypt	2007	only	-	Sep	Thu>=1	23:00s
 # (at least today).
 
 # From Alexander Krivenyshev (2010-07-20):
-# According to News from Egypt -  Al-Masry Al-Youm Egypt's cabinet has
+# According to News from Egypt - Al-Masry Al-Youm Egypt's cabinet has
 # decided that Daylight Saving Time will not be used in Egypt during
 # Ramadan.
 #
 # Arabic translation:
-# "Clocks to go back during Ramadan--and then forward again"
-# 
+# "Clocks to go back during Ramadan - and then forward again"
 # http://www.almasryalyoum.com/en/news/clocks-go-back-during-ramadan-and-then-forward-again
-# 
-# or
-# 
 # http://www.worldtimezone.com/dst_news/dst_news_egypt02.html
-# 
 
-Rule	Egypt	2008	only	-	Aug	lastThu	23:00s	0	-
-Rule	Egypt	2009	only	-	Aug	20	23:00s	0	-
-Rule	Egypt	2010	only	-	Aug	11	0:00	0	-
-Rule	Egypt	2010	only	-	Sep	10	0:00	1:00	S
-Rule	Egypt	2010	only	-	Sep	lastThu	23:00s	0	-
+# From Ahmad El-Dardiry (2014-05-07):
+# Egypt is to change back to Daylight system on May 15
+# http://english.ahram.org.eg/NewsContent/1/64/100735/Egypt/Politics-/Egypts-government-to-reapply-daylight-saving-time-.aspx
+
+# From Gunther Vermier (2015-05-13):
+# our Egypt office confirms that the change will be at 15 May "midnight" (24:00)
+
+# From Imed Chihi (2014-06-04):
+# We have finally "located" a precise official reference about the DST changes
+# in Egypt.  The Ministers Cabinet decision is explained at
+# http://www.cabinet.gov.eg/Media/CabinetMeetingsDetails.aspx?id=347 ...
+# [T]his (Arabic) site is not accessible outside Egypt, but the page ...
+# translates into: "With regard to daylight saving time, it is scheduled to
+# take effect at exactly twelve o'clock this evening, Thursday, 15 MAY 2014,
+# to be suspended by twelve o'clock on the evening of Thursday, 26 JUN 2014,
+# and re-established again at the end of the month of Ramadan, at twelve
+# o'clock on the evening of Thursday, 31 JUL 2014."  This statement has been
+# reproduced by other (more accessible) sites[, e.g.,]...
+# http://elgornal.net/news/news.aspx?id=4699258
+
+# From Paul Eggert (2014-06-04):
+# Sarah El Deeb and Lee Keath of AP report that the Egyptian government says
+# the change is because of blackouts in Cairo, even though Ahram Online (cited
+# above) says DST had no affect on electricity consumption.  There is
+# no information about when DST will end this fall.  See:
+# http://abcnews.go.com/International/wireStory/el-sissi-pushes-egyptians-line-23614833
+#
+# For now, guess that later spring and fall transitions will use
+# 2010's rules, and guess that Egypt will switch to standard time at
+# 24:00 the last Thursday before Ramadan, and back to DST at 00:00 the
+# first Friday after Ramadan.  To implement this,
+# transition dates for 2015 through 2037 were determined by running
+# the following program under GNU Emacs 24.3, with the results integrated
+# by hand into the table below.  Ramadan again intrudes on the guessed
+# DST starting in 2038, but that's beyond our somewhat-arbitrary cutoff.
+# (let ((islamic-year 1436))
+#   (while (< islamic-year 1460)
+#     (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year)))
+#           (b (calendar-islamic-to-absolute (list 10 1 islamic-year)))
+#           (friday 5))
+#       (while (/= friday (mod a 7))
+#         (setq a (1- a)))
+#       (while (/= friday (mod b 7))
+#         (setq b (1+ b)))
+#       (setq a (1- a))
+#       (setq b (1- b))
+#       (setq a (calendar-gregorian-from-absolute a))
+#       (setq b (calendar-gregorian-from-absolute b))
+#       (insert
+#        (format
+#         (concat "Rule\tEgypt\t%d\tonly\t-\t%s\t%2d\t24:00\t0\t-\n"
+#                 "Rule\tEgypt\t%d\tonly\t-\t%s\t%2d\t24:00\t1:00\tS\n")
+#         (car (cdr (cdr a))) (calendar-month-name (car a) t) (car (cdr a))
+#         (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b)))))
+#     (setq islamic-year (+ 1 islamic-year))))
+Rule	Egypt	2008	only	-	Aug	lastThu	24:00	0	-
+Rule	Egypt	2009	only	-	Aug	20	24:00	0	-
+Rule	Egypt	2010	only	-	Aug	10	24:00	0	-
+Rule	Egypt	2010	only	-	Sep	 9	24:00	1:00	S
+Rule	Egypt	2010	only	-	Sep	lastThu	24:00	0	-
+Rule	Egypt	2014	only	-	May	15	24:00	1:00	S
+Rule	Egypt	2014	only	-	Jun	26	24:00	0	-
+Rule	Egypt	2014	only	-	Jul	31	24:00	1:00	S
+Rule	Egypt	2014	max	-	Sep	lastThu	24:00	0	-
+Rule	Egypt	2015	2019	-	Apr	lastFri	 0:00s	1:00	S
+Rule	Egypt	2015	only	-	Jun	11	24:00	0	-
+Rule	Egypt	2015	only	-	Jul	23	24:00	1:00	S
+Rule	Egypt	2016	only	-	Jun	 2	24:00	0	-
+Rule	Egypt	2016	only	-	Jul	 7	24:00	1:00	S
+Rule	Egypt	2017	only	-	May	25	24:00	0	-
+Rule	Egypt	2017	only	-	Jun	29	24:00	1:00	S
+Rule	Egypt	2018	only	-	May	10	24:00	0	-
+Rule	Egypt	2018	only	-	Jun	14	24:00	1:00	S
+Rule	Egypt	2019	only	-	May	 2	24:00	0	-
+Rule	Egypt	2019	only	-	Jun	 6	24:00	1:00	S
+Rule	Egypt	2020	only	-	May	28	24:00	1:00	S
+Rule	Egypt	2021	only	-	May	13	24:00	1:00	S
+Rule	Egypt	2022	only	-	May	 5	24:00	1:00	S
+Rule	Egypt	2023	max	-	Apr	lastFri	 0:00s	1:00	S
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Africa/Cairo	2:05:09 -	LMT	1900 Oct
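Review bot: the attribution "From Gunther Vermier (2015-05-13)" is dated after this October 2014 commit and sits between messages dated 2014-05-07 and 2014-06-04, so it is almost certainly 2014-05-13 and should be fixed (upstream first, then merged). Two smaller points in the same hunk: "DST had no affect" should read "no effect", and the comment says the program's output was "integrated by hand" without saying what the hand editing removed; the table has no Apr lastFri start and no pre-Ramadan fall-back for 2020-2022 (only the post-Ramadan May rows), which is correct for the stated guess but should be spelled out the way the old Morocco comment did. Finally, `Rule Egypt 2014 max - Sep lastThu 24:00 0 -` was a guess when written ("no information about when DST will end this fall"); this merge lands after that date, so it is worth confirming the guess matched what Egypt actually did before shipping it in a release branch.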
@@ -359,10 +421,15 @@ Zone	Africa/Asmara	2:35:32 -	LMT	1870
 			3:00	-	EAT
 
 # Ethiopia
-# From Paul Eggert (2006-03-22):
-# Shanks & Pottenger write that Ethiopia had six narrowly-spaced time zones
-# between 1870 and 1890, and that they merged to 38E50 (2:35:20) in 1890.
-# We'll guess that 38E50 is for Adis Dera.
+# From Paul Eggert (2014-07-31):
+# Like the Swahili of Kenya and Tanzania, many Ethiopians keep a
+# 12-hour clock starting at our 06:00, so their "8 o'clock" is our
+# 02:00 or 14:00.  Keep this in mind when you ask the time in Amharic.
+#
+# Shanks & Pottenger write that Ethiopia had six narrowly-spaced time
+# zones between 1870 and 1890, that they merged to 38E50 (2:35:20) in
+# 1890, and that they switched to 3:00 on 1936-05-05.  Perhaps 38E50
+# was for Adis Dera.  Quite likely the Shanks data are wrong anyway.
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Africa/Addis_Ababa	2:34:48 -	LMT	1870
 			2:35:20	-	ADMT	1936 May 5    # Adis Dera MT
@@ -374,28 +441,24 @@ Zone Africa/Libreville	0:37:48 -	LMT	191
 			1:00	-	WAT
 
 # Gambia
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Banjul	-1:06:36 -	LMT	1912
-			-1:06:36 -	BMT	1935	# Banjul Mean Time
-			-1:00	-	WAT	1964
-			 0:00	-	GMT
+# See Africa/Abidjan.
 
 # Ghana
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-# Whitman says DST was observed from 1931 to ``the present'';
-# go with Shanks & Pottenger.
-Rule	Ghana	1936	1942	-	Sep	 1	0:00	0:20	GHST
-Rule	Ghana	1936	1942	-	Dec	31	0:00	0	GMT
+# Whitman says DST was observed from 1931 to "the present";
+# Shanks & Pottenger say 1936 to 1942;
+# and September 1 to January 1 is given by:
+# Scott Keltie J, Epstein M (eds), The Statesman's Year-Book,
+# 57th ed. Macmillan, London (1920), OCLC 609408015, pp xxviii.
+# For lack of better info, assume DST was observed from 1920 to 1942.
+Rule	Ghana	1920	1942	-	Sep	 1	0:00	0:20	GHST
+Rule	Ghana	1920	1942	-	Dec	31	0:00	0	GMT
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Africa/Accra	-0:00:52 -	LMT	1918
 			 0:00	Ghana	%s
 
 # Guinea
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Conakry	-0:54:52 -	LMT	1912
-			 0:00	-	GMT	1934 Feb 26
-			-1:00	-	WAT	1960
-			 0:00	-	GMT
+# See Africa/Abidjan.
 
 # Guinea-Bissau
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
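Review bot: replacing the Africa/Banjul and Africa/Conakry Zone blocks with "See Africa/Abidjan." only works if a corresponding `Link Africa/Abidjan Africa/Banjul` (and Conakry) line exists in the merged files; the diff is truncated before any Link lines appear, so after the merge check that `zic` still produces both zone files and that `TZ=Africa/Banjul date` still resolves rather than silently falling back to UTC. It is also a behaviour change for historical timestamps, not a cleanup: the removed Banjul block had -1:00 WAT until 1964 and the removed Conakry block -1:00 WAT from 1934 to 1960, and both now follow whatever Africa/Abidjan's history is, while the Ghana rule change (`1936 1942` to `1920 1942`) moves the 0:20 GHST summer offset sixteen years earlier for Accra. The same applies to every later section in this diff that is collapsed to Africa/Abidjan (Mali, Mauritania, St Helena, São Tomé, Senegal, Sierra Leone, Togo); the commit message should state that pre-1970 data for these zones changed.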
@@ -503,18 +566,8 @@ Zone	Africa/Blantyre	2:20:00 -	LMT	1903 
 			2:00	-	CAT
 
 # Mali
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Bamako	-0:32:00 -	LMT	1912
-			 0:00	-	GMT	1934 Feb 26
-			-1:00	-	WAT	1960 Jun 20
-			 0:00	-	GMT
-
 # Mauritania
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone Africa/Nouakchott	-1:03:48 -	LMT	1912
-			 0:00	-	GMT	1934 Feb 26
-			-1:00	-	WAT	1960 Nov 28
-			 0:00	-	GMT
+# See Africa/Abidjan.
 
 # Mauritius
 
@@ -538,9 +591,7 @@ Zone Africa/Nouakchott	-1:03:48 -	LMT	19
 
 # From Steffen Thorsen (2008-07-10):
 # According to
-# 
 # http://www.lexpress.mu/display_article.php?news_id=111216
-# 
 # (in French), Mauritius will start and end their DST a few days earlier
 # than previously announced (2008-11-01 to 2009-03-31).  The new start
 # date is 2008-10-26 at 02:00 and the new end date is 2009-03-27 (no time
@@ -559,18 +610,13 @@ Zone Africa/Nouakchott	-1:03:48 -	LMT	19
 # published on Monday, June 30, 2008...
 #
 # I guess that article in French "Le gouvernement avance l'introduction
-# de l'heure d'ete" stating that DST in Mauritius starting on October 26
-# and ending on March 27, 2009 is the most recent one.
-# ...
-# 
+# de l'heure d'été" stating that DST in Mauritius starting on October 26
+# and ending on March 27, 2009 is the most recent one....
 # http://www.worldtimezone.com/dst_news/dst_news_mauritius02.html
-# 
 
 # From Riad M. Hossen Ally (2008-08-03):
 # The Government of Mauritius weblink
-# 
 # http://www.gov.mu/portal/site/pmosite/menuitem.4ca0efdee47462e7440a600248a521ca/?content_id=4728ca68b2a5b110VgnVCM1000000a04a8c0RCRD
-# 
 # Cabinet Decision of July 18th, 2008 states as follows:
 #
 # 4. ...Cabinet has agreed to the introduction into the National Assembly
@@ -580,33 +626,25 @@ Zone Africa/Nouakchott	-1:03:48 -	LMT	19
 # States of America. It will start at two o'clock in the morning on the
 # last Sunday of October and will end at two o'clock in the morning on
 # the last Sunday of March the following year. The summer time for the
-# year 2008 - 2009 will, therefore, be effective as from 26 October 2008
+# year 2008-2009 will, therefore, be effective as from 26 October 2008
 # and end on 29 March 2009.
 
 # From Ed Maste (2008-10-07):
 # THE TIME BILL (No. XXVII of 2008) Explanatory Memorandum states the
 # beginning / ending of summer time is 2 o'clock standard time in the
 # morning of the last Sunday of October / last Sunday of March.
-# 
 # http://www.gov.mu/portal/goc/assemblysite/file/bill2708.pdf
-# 
 
 # From Steffen Thorsen (2009-06-05):
 # According to several sources, Mauritius will not continue to observe
 # DST the coming summer...
 #
 # Some sources, in French:
-# 
 # http://www.defimedia.info/news/946/Rashid-Beebeejaun-:-%C2%AB-L%E2%80%99heure-d%E2%80%99%C3%A9t%C3%A9-ne-sera-pas-appliqu%C3%A9e-cette-ann%C3%A9e-%C2%BB
-# 
-# 
 # http://lexpress.mu/Story/3398~Beebeejaun---Les-objectifs-d-%C3%A9conomie-d-%C3%A9nergie-de-l-heure-d-%C3%A9t%C3%A9-ont-%C3%A9t%C3%A9-atteints-
-# 
 #
 # Our wrap-up:
-# 
 # http://www.timeanddate.com/news/time/mauritius-dst-will-not-repeat.html
-# 
 
 # From Arthur David Olson (2009-07-11):
 # The "mauritius-dst-will-not-repeat" wrapup includes this:
@@ -630,7 +668,7 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 			3:00	-	EAT
 
 # Morocco
-# See the `europe' file for Spanish Morocco (Africa/Ceuta).
+# See the 'europe' file for Spanish Morocco (Africa/Ceuta).
 
 # From Alex Krivenyshev (2008-05-09):
 # Here is an article that Morocco plan to introduce Daylight Saving Time between
@@ -638,60 +676,43 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 #
 # "... Morocco is to save energy by adjusting its clock during summer so it will
 # be one hour ahead of GMT between 1 June and 27 September, according to
-# Communication Minister and Gov ernment Spokesman, Khalid Naciri...."
+# Communication Minister and Government Spokesman, Khalid Naciri...."
 #
-# 
 # http://www.worldtimezone.net/dst_news/dst_news_morocco01.html
-# 
-# OR
-# 
 # http://en.afrik.com/news11892.html
-# 
 
 # From Alex Krivenyshev (2008-05-09):
 # The Morocco time change can be confirmed on Morocco web site Maghreb Arabe Presse:
-# 
 # http://www.map.ma/eng/sections/box3/morocco_shifts_to_da/view
-# 
 #
 # Morocco shifts to daylight time on June 1st through September 27, Govt.
 # spokesman.
 
 # From Patrice Scattolin (2008-05-09):
 # According to this article:
-# 
 # http://www.avmaroc.com/actualite/heure-dete-comment-a127896.html
-# 
-# (and republished here:
-# 
-# http://www.actu.ma/heure-dete-comment_i127896_0.html
-# 
-# )
-# the changes occurs at midnight:
-#
-# saturday night may 31st at midnight (which in french is to be
-# intrepreted as the night between saturday and sunday)
-# sunday night the 28th  at midnight
-#
-# Seeing that the 28th is monday, I am guessing that she intends to say
-# the midnight of the 28th which is the midnight between sunday and
-# monday, which jives with other sources that say that it's inclusive
-# june1st to sept 27th.
+# (and republished here: )
+# the changes occur at midnight:
+#
+# Saturday night May 31st at midnight (which in French is to be
+# interpreted as the night between Saturday and Sunday)
+# Sunday night the 28th at midnight
+#
+# Seeing that the 28th is Monday, I am guessing that she intends to say
+# the midnight of the 28th which is the midnight between Sunday and
+# Monday, which jives with other sources that say that it's inclusive
+# June 1st to Sept 27th.
 #
 # The decision was taken by decree *2-08-224 *but I can't find the decree
 # published on the web.
 #
 # It's also confirmed here:
-# 
 # http://www.maroc.ma/NR/exeres/FACF141F-D910-44B0-B7FA-6E03733425D1.htm
-# 
-# on a government portal as being  between june 1st and sept 27th (not yet
-# posted in english).
+# on a government portal as being between June 1st and Sept 27th (not yet
+# posted in English).
 #
-# The following google query will generate many relevant hits:
-# 
+# The following Google query will generate many relevant hits:
 # http://www.google.com/search?hl=en&q=Conseil+de+gouvernement+maroc+heure+avance&btnG=Search
-# 
 
 # From Steffen Thorsen (2008-08-27):
 # Morocco will change the clocks back on the midnight between August 31
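Review bot: the new line `# (and republished here: )` has lost the reference that the removed lines carried (http://www.actu.ma/heure-dete-comment_i127896_0.html), leaving an empty parenthetical; either put the URL back on that line or drop the parenthetical entirely. The rest of the hunk is capitalisation and whitespace and reads fine.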
@@ -699,47 +720,32 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 # of September:
 #
 # One article about it (in French):
-# 
 # http://www.menara.ma/fr/Actualites/Maroc/Societe/ci.retour_a_l_heure_gmt_a_partir_du_dimanche_31_aout_a_minuit_officiel_.default
-# 
 #
 # We have some further details posted here:
-# 
 # http://www.timeanddate.com/news/time/morocco-ends-dst-early-2008.html
-# 
 
 # From Steffen Thorsen (2009-03-17):
 # Morocco will observe DST from 2009-06-01 00:00 to 2009-08-21 00:00 according
 # to many sources, such as
-# 
 # http://news.marweb.com/morocco/entertainment/morocco-daylight-saving.html
-# 
-# 
 # http://www.medi1sat.ma/fr/depeche.aspx?idp=2312
-# 
 # (French)
 #
 # Our summary:
-# 
 # http://www.timeanddate.com/news/time/morocco-starts-dst-2009.html
-# 
 
 # From Alexander Krivenyshev (2009-03-17):
 # Here is a link to official document from Royaume du Maroc Premier Ministre,
-# Ministere de la Modernisation des Secteurs Publics
+# Ministère de la Modernisation des Secteurs Publics
 #
 # Under Article 1 of Royal Decree No. 455-67 of Act 23 safar 1387 (2 june 1967)
 # concerning the amendment of the legal time, the Ministry of Modernization of
 # Public Sectors announced that the official time in the Kingdom will be
 # advanced 60 minutes from Sunday 31 May 2009 at midnight.
 #
-# 
 # http://www.mmsp.gov.ma/francais/Actualites_fr/PDF_Actualites_Fr/HeureEte_FR.pdf
-# 
-#
-# 
 # http://www.worldtimezone.com/dst_news/dst_news_morocco03.html
-# 
 
 # From Steffen Thorsen (2010-04-13):
 # Several news media in Morocco report that the Ministry of Modernization
@@ -747,14 +753,10 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 # 2010-05-02 to 2010-08-08.
 #
 # Example:
-# 
 # http://www.lavieeco.com/actualites/4099-le-maroc-passera-a-l-heure-d-ete-gmt1-le-2-mai.html
-# 
 # (French)
 # Our page:
-# 
 # http://www.timeanddate.com/news/time/morocco-starts-dst-2010.html
-# 
 
 # From Dan Abitol (2011-03-30):
 # ...Rules for Africa/Casablanca are the following (24h format)
@@ -764,34 +766,20 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 # The change was broadcast on the FM Radio
 # I ve called ANRT (telecom regulations in Morocco) at
 # +212.537.71.84.00
-# 
 # http://www.anrt.net.ma/fr/
-# 
 # They said that
-# 
 # http://www.map.ma/fr/sections/accueil/l_heure_legale_au_ma/view
-# 
 # is the official publication to look at.
 # They said that the decision was already taken.
 #
 # More articles in the press
-# 
-# http://www.yabiladi.com/articles/details/5058/secret-l-heure-d-ete-maroc-lev
-# 
-# e.html
-# 
+# http://www.yabiladi.com/articles/details/5058/secret-l-heure-d-ete-maroc-leve.html
 # http://www.lematin.ma/Actualite/Express/Article.asp?id=148923
-# 
-# 
 # http://www.lavieeco.com/actualite/Le-Maroc-passe-sur-GMT%2B1-a-partir-de-dim
-# anche-prochain-5538.html
-# 
 
 # From Petr Machata (2011-03-30):
 # They have it written in English here:
-# 
 # http://www.map.ma/eng/sections/home/morocco_to_spring_fo/view
-# 
 #
 # It says there that "Morocco will resume its standard time on July 31,
 # 2011 at midnight." Now they don't say whether they mean midnight of
@@ -799,20 +787,16 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 # also been like that in the past.
 
 # From Alexander Krivenyshev (2012-03-09):
-# According to Infomédiaire web site from Morocco (infomediaire.ma),
-# on March 9, 2012, (in French) Heure légale:
-# Le Maroc adopte officiellement l'heure d'été
-# 
+# According to Infomédiaire web site from Morocco (infomediaire.ma),
+# on March 9, 2012, (in French) Heure légale:
+# Le Maroc adopte officiellement l'heure d'été
 # http://www.infomediaire.ma/news/maroc/heure-l%C3%A9gale-le-maroc-adopte-officiellement-lheure-d%C3%A9t%C3%A9
-# 
 # Governing Council adopted draft decree, that Morocco DST starts on
 # the last Sunday of March (March 25, 2012) and ends on
 # last Sunday of September (September 30, 2012)
 # except the month of Ramadan.
 # or (brief)
-# 
 # http://www.worldtimezone.com/dst_news/dst_news_morocco06.html
-# 
 
 # From Arthur David Olson (2012-03-10):
 # The infomediaire.ma source indicates that the system is to be in
@@ -823,17 +807,13 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 
 # From Christophe Tropamer (2012-03-16):
 # Seen Morocco change again:
-# 
 # http://www.le2uminutes.com/actualite.php
-# 
-# "...à partir du dernier dimance d'avril et non fins mars,
-# comme annoncé précédemment."
+# "...à partir du dernier dimanche d'avril et non fins mars,
+# comme annoncé précédemment."
 
 # From Milamber Space Network (2012-07-17):
 # The official return to GMT is announced by the Moroccan government:
-# 
 # http://www.mmsp.gov.ma/fr/actualites.aspx?id=288 [in French]
-# 
 #
 # Google translation, lightly edited:
 # Back to the standard time of the Kingdom (GMT)
@@ -868,39 +848,39 @@ Zone	Indian/Mayotte	3:00:56 -	LMT	1911 J
 # Another source (specifying the time for start and end in the decree):
 # http://www.lemag.ma/Heure-d-ete-au-Maroc-jusqu-au-27-octobre_a75620.html
 
-# From Paul Eggert (2013-10-03):
-# To estimate what the Moroccan government will do in future years,
-# transition dates for 2014 through 2038 were determined by running
-# the following program under GNU Emacs 24.3:
-#
-# (let ((islamic-year 1435))
-#   (while (< islamic-year 1461)
-#     (let ((a
-#	     (calendar-gregorian-from-absolute
-#	      (calendar-islamic-to-absolute (list 9 1 islamic-year))))
-#	    (b
-#	     (calendar-gregorian-from-absolute
-#	      (calendar-islamic-to-absolute (list 10 1 islamic-year)))))
-#	(insert
-#	 (format
-#	  (concat "Rule\tMorocco\t%d\tonly\t-\t%s\t %2d\t 3:00\t0\t-\n"
-#		  "Rule\tMorocco\t%d\tonly\t-\t%s\t %2d\t 2:00\t1:00\tS\n")
-#	  (car (cdr (cdr a))) (calendar-month-name (car a) t) (car (cdr a))
-#	  (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b)))))
+# From Sebastien Willemijns (2014-03-18):
+# http://www.afriquinfos.com/articles/2014/3/18/maroc-heure-dete-avancez-tous-horloges-247891.asp
+
+# From Milamber Space Network (2014-06-05):
+# The Moroccan government has recently announced that the country will return
+# to standard time at 03:00 on Saturday, June 28, 2014 local time....  DST
+# will resume again at 02:00 on Saturday, August 2, 2014....
+# http://www.mmsp.gov.ma/fr/actualites.aspx?id=586
+
+# From Paul Eggert (2014-06-05):
+# For now, guess that later spring and fall transitions will use 2014's rules,
+# and guess that Morocco will switch to standard time at 03:00 the last
+# Saturday before Ramadan, and back to DST at 02:00 the first Saturday after
+# Ramadan.  To implement this, transition dates for 2015 through 2037 were
+# determined by running the following program under GNU Emacs 24.3, with the
+# results integrated by hand into the table below.
+# (let ((islamic-year 1436))
+#   (while (< islamic-year 1460)
+#     (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year)))
+#           (b (calendar-islamic-to-absolute (list 10 1 islamic-year)))
+#           (saturday 6))
+#       (while (/= saturday (mod (setq a (1- a)) 7)))
+#       (while (/= saturday (mod b 7))
+#         (setq b (1+ b)))
+#       (setq a (calendar-gregorian-from-absolute a))
+#       (setq b (calendar-gregorian-from-absolute b))
+#       (insert
+#        (format
+#         (concat "Rule\tMorocco\t%d\tonly\t-\t%s\t%2d\t 3:00\t0\t-\n"
+#                 "Rule\tMorocco\t%d\tonly\t-\t%s\t%2d\t 2:00\t1:00\tS\n")
+#         (car (cdr (cdr a))) (calendar-month-name (car a) t) (car (cdr a))
+#         (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b)))))
 #     (setq islamic-year (+ 1 islamic-year))))
-#
-# with spring-forward transitions removed for 2023-2025, when the
-# normal spring-forward date falls during the estimated Ramadan; with
-# all transitions removed for 2026-2035, where the estimated Ramadan
-# falls entirely outside daylight-saving time; and with fall-back
-# transitions removed for 2036-2037, where the normal fall-back
-# date falls during the estimated Ramadan.  Normally, the table would
-# stop after 2037 because 32-bit time_t values roll around early in 2038,
-# but that would imply a prediction of perpetual DST after March 2038
-# due to the year-2037 glitches.  So, this table instead stops after
-# 2038, the first non-glitchy year after the 32-bit rollover.
-# An advantage of stopping after 2038 is that it lets zic guess
-# TZ='WET0WEST,M3.5.0,M10.5.0/3' for time stamps far in the future.
 
 # RULE	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 
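Review bot: the replacement comment drops the explanation the old one had of which generated rows were removed by hand and why (spring-forward rows dropped when the normal March date falls in the estimated Ramadan, all rows dropped when Ramadan falls entirely outside DST, fall-back rows dropped when the normal October date falls in Ramadan, and the reasoning for where the table stops). The new table below still reflects exactly that editing (2023-2025 have only the post-Ramadan spring-forward, 2026-2034 have no Ramadan rows at all, 2035-2037 have only a fall-back), so please keep a sentence describing it; "integrated by hand into the table below" on its own does not let a reader reproduce the table from the program. The program itself looks right: `(mod (setq a (1- a)) 7)` steps back before testing, so `a` is the last Saturday strictly before Ramadan 1, while the `b` loop tests first, so Shawwal 1 itself counts when it is a Saturday; that asymmetry matches "last Saturday before" and "first Saturday after" in the comment.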
@@ -922,46 +902,44 @@ Rule	Morocco	1978	only	-	Aug	 4	 0:00	0	
 Rule	Morocco	2008	only	-	Jun	 1	 0:00	1:00	S
 Rule	Morocco	2008	only	-	Sep	 1	 0:00	0	-
 Rule	Morocco	2009	only	-	Jun	 1	 0:00	1:00	S
-Rule	Morocco	2009	only	-	Aug	 21	 0:00	0	-
+Rule	Morocco	2009	only	-	Aug	21	 0:00	0	-
 Rule	Morocco	2010	only	-	May	 2	 0:00	1:00	S
 Rule	Morocco	2010	only	-	Aug	 8	 0:00	0	-
 Rule	Morocco	2011	only	-	Apr	 3	 0:00	1:00	S
-Rule	Morocco	2011	only	-	Jul	 31	 0	0	-
-Rule	Morocco	2012	2013	-	Apr	 lastSun 2:00	1:00	S
-Rule	Morocco	2012	only	-	Sep	 30	 3:00	0	-
-Rule	Morocco	2012	only	-	Jul	 20	 3:00	0	-
-Rule	Morocco	2012	only	-	Aug	 20	 2:00	1:00	S
-Rule	Morocco	2013	only	-	Jul	  7	 3:00	0	-
-Rule	Morocco	2013	only	-	Aug	 10	 2:00	1:00	S
-Rule	Morocco	2013	2035	-	Oct	 lastSun 3:00	0	-
-Rule	Morocco	2014	2022	-	Mar	 lastSun 2:00	1:00	S
-Rule	Morocco	2014	only	-	Jun	 29	 3:00	0	-
-Rule	Morocco	2014	only	-	Jul	 29	 2:00	1:00	S
-Rule	Morocco	2015	only	-	Jun	 18	 3:00	0	-
-Rule	Morocco	2015	only	-	Jul	 18	 2:00	1:00	S
-Rule	Morocco	2016	only	-	Jun	  7	 3:00	0	-
-Rule	Morocco	2016	only	-	Jul	  7	 2:00	1:00	S
-Rule	Morocco	2017	only	-	May	 27	 3:00	0	-
-Rule	Morocco	2017	only	-	Jun	 26	 2:00	1:00	S
-Rule	Morocco	2018	only	-	May	 16	 3:00	0	-
-Rule	Morocco	2018	only	-	Jun	 15	 2:00	1:00	S
-Rule	Morocco	2019	only	-	May	  6	 3:00	0	-
-Rule	Morocco	2019	only	-	Jun	  5	 2:00	1:00	S
-Rule	Morocco	2020	only	-	Apr	 24	 3:00	0	-
-Rule	Morocco	2020	only	-	May	 24	 2:00	1:00	S
-Rule	Morocco	2021	only	-	Apr	 13	 3:00	0	-
-Rule	Morocco	2021	only	-	May	 13	 2:00	1:00	S
-Rule	Morocco	2022	only	-	Apr	  3	 3:00	0	-
-Rule	Morocco	2022	only	-	May	  3	 2:00	1:00	S
-Rule	Morocco	2023	only	-	Apr	 22	 2:00	1:00	S
-Rule	Morocco	2024	only	-	Apr	 10	 2:00	1:00	S
-Rule	Morocco	2025	only	-	Mar	 31	 2:00	1:00	S
-Rule	Morocco	2026	max	-	Mar	 lastSun 2:00	1:00	S
-Rule	Morocco	2036	only	-	Oct	 21	 3:00	0	-
-Rule	Morocco	2037	only	-	Oct	 11	 3:00	0	-
-Rule	Morocco	2038	only	-	Sep	 30	 3:00	0	-
-Rule	Morocco	2038	only	-	Oct	 30	 2:00	1:00	S
-Rule	Morocco	2038	max	-	Oct	 lastSun 3:00	0	-
+Rule	Morocco	2011	only	-	Jul	31	 0	0	-
+Rule	Morocco	2012	2013	-	Apr	lastSun	 2:00	1:00	S
+Rule	Morocco	2012	only	-	Sep	30	 3:00	0	-
+Rule	Morocco	2012	only	-	Jul	20	 3:00	0	-
+Rule	Morocco	2012	only	-	Aug	20	 2:00	1:00	S
+Rule	Morocco	2013	only	-	Jul	 7	 3:00	0	-
+Rule	Morocco	2013	only	-	Aug	10	 2:00	1:00	S
+Rule	Morocco	2013	max	-	Oct	lastSun	 3:00	0	-
+Rule	Morocco	2014	2022	-	Mar	lastSun	 2:00	1:00	S
+Rule	Morocco	2014	only	-	Jun	28	 3:00	0	-
+Rule	Morocco	2014	only	-	Aug	 2	 2:00	1:00	S
+Rule	Morocco	2015	only	-	Jun	13	 3:00	0	-
+Rule	Morocco	2015	only	-	Jul	18	 2:00	1:00	S
+Rule	Morocco	2016	only	-	Jun	 4	 3:00	0	-
+Rule	Morocco	2016	only	-	Jul	 9	 2:00	1:00	S
+Rule	Morocco	2017	only	-	May	20	 3:00	0	-
+Rule	Morocco	2017	only	-	Jul	 1	 2:00	1:00	S
+Rule	Morocco	2018	only	-	May	12	 3:00	0	-
+Rule	Morocco	2018	only	-	Jun	16	 2:00	1:00	S
+Rule	Morocco	2019	only	-	May	 4	 3:00	0	-
+Rule	Morocco	2019	only	-	Jun	 8	 2:00	1:00	S
+Rule	Morocco	2020	only	-	Apr	18	 3:00	0	-
+Rule	Morocco	2020	only	-	May	30	 2:00	1:00	S
+Rule	Morocco	2021	only	-	Apr	10	 3:00	0	-
+Rule	Morocco	2021	only	-	May	15	 2:00	1:00	S
+Rule	Morocco	2022	only	-	Apr	 2	 3:00	0	-
+Rule	Morocco	2022	only	-	May	 7	 2:00	1:00	S
+Rule	Morocco	2023	only	-	Apr	22	 2:00	1:00	S
+Rule	Morocco	2024	only	-	Apr	13	 2:00	1:00	S
+Rule	Morocco	2025	only	-	Apr	 5	 2:00	1:00	S
+Rule	Morocco	2026	max	-	Mar	lastSun	 2:00	1:00	S
+Rule	Morocco	2035	only	-	Oct	27	 3:00	0	-
+Rule	Morocco	2036	only	-	Oct	18	 3:00	0	-
+Rule	Morocco	2037	only	-	Oct	10	 3:00	0	-
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Africa/Casablanca	-0:30:20 -	LMT	1913 Oct 26
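Review bot: this hunk mixes whitespace realignment (for example `Aug	 21` to `Aug	21`, `lastSun 2:00` to `lastSun	 2:00`) with real data changes, which makes the substantive part easy to miss: 2014 moves from Jun 29 / Jul 29 to Jun 28 03:00 / Aug 2 02:00, every 2015-2022 row moves to a Saturday, and the 2036-2038 rows are replaced by 2035-2037 fall-back rows. The 2014 dates match the mmsp.gov.ma announcement quoted in the previous hunk, and both have already passed relative to this merge, so check `zdump -v Africa/Casablanca` for 2014 and compare it with what Morocco actually did before this goes into the release branch. Two style points, both pre-existing: the 2012 rows are not in chronological order (Sep 30 precedes Jul 20 and Aug 20), and `Rule Morocco 2013 max - Oct lastSun 3:00 0 -` together with the 2035-2037 October rows yields a second, redundant transition to standard time in those years; harmless to zic, but worth a comment.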
@@ -980,7 +958,7 @@ Zone Africa/Casablanca	-0:30:20 -	LMT	19
 # Assume that this has been true since Western Sahara switched to GMT,
 # since most of it was then controlled by Morocco.
 
-Zone Africa/El_Aaiun	-0:52:48 -	LMT	1934 Jan
+Zone Africa/El_Aaiun	-0:52:48 -	LMT	1934 Jan # El Aaiún
 			-1:00	-	WAT	1976 Apr 14
 			 0:00	Morocco	WE%sT
 
@@ -1030,15 +1008,17 @@ Zone	Africa/Niamey	 0:08:28 -	LMT	1912
 Zone	Africa/Lagos	0:13:36 -	LMT	1919 Sep
 			1:00	-	WAT
 
-# Reunion
+# Réunion
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Indian/Reunion	3:41:52 -	LMT	1911 Jun	# Saint-Denis
-			4:00	-	RET	# Reunion Time
+			4:00	-	RET	# Réunion Time
 #
-# Scattered Islands (Iles Eparses) administered from Reunion are as follows.
+# Crozet Islands also observes Réunion time; see the 'antarctica' file.
+#
+# Scattered Islands (Îles Éparses) administered from Réunion are as follows.
 # The following information about them is taken from
-# Iles Eparses (www.outre-mer.gouv.fr/domtom/ile.htm, 1997-07-22, in French;
-# no longer available as of 1999-08-17).
+# Îles Éparses (, 1997-07-22,
+# in French; no longer available as of 1999-08-17).
 # We have no info about their time zone histories.
 #
 # Bassas da India - uninhabited
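Review bot: the new line `# Îles Éparses (, 1997-07-22,` has lost the www.outre-mer.gouv.fr/domtom/ile.htm reference that the removed line carried, leaving an empty parenthetical before the date; restore the reference on that line or rewrite the sentence without the parenthetical. The added "Crozet Islands also observes Réunion time; see the 'antarctica' file." cross-reference is fine, provided the antarctica file in this same commit (truncated below) does carry the matching entry.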
@@ -1053,28 +1033,17 @@ Zone	Africa/Kigali	2:00:16 -	LMT	1935 Ju
 			2:00	-	CAT
 
 # St Helena
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone Atlantic/St_Helena	-0:22:48 -	LMT	1890		# Jamestown
-			-0:22:48 -	JMT	1951	# Jamestown Mean Time
-			 0:00	-	GMT
+# See Africa/Abidjan.
 # The other parts of the St Helena territory are similar:
 #	Tristan da Cunha: on GMT, say Whitman and the CIA
-#	Ascension: on GMT, says usno1995 and the CIA
+#	Ascension: on GMT, say the USNO (1995-12-21) and the CIA
 #	Gough (scientific station since 1955; sealers wintered previously):
 #		on GMT, says the CIA
-#	Inaccessible, Nightingale: no information, but probably GMT
-
-# Sao Tome and Principe
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Sao_Tome	 0:26:56 -	LMT	1884
-			-0:36:32 -	LMT	1912	# Lisbon Mean Time
-			 0:00	-	GMT
+#	Inaccessible, Nightingale: uninhabited
 
+# São Tomé and Príncipe
 # Senegal
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Dakar	-1:09:44 -	LMT	1912
-			-1:00	-	WAT	1941 Jun
-			 0:00	-	GMT
+# See Africa/Abidjan.
 
 # Seychelles
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -1088,17 +1057,7 @@ Zone	Indian/Mahe	3:41:48 -	LMT	1906 Jun	
 # Possibly the islands were uninhabited.
 
 # Sierra Leone
-# Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-# Whitman gives Mar 31 - Aug 31 for 1931 on; go with Shanks & Pottenger.
-Rule	SL	1935	1942	-	Jun	 1	0:00	0:40	SLST
-Rule	SL	1935	1942	-	Oct	 1	0:00	0	WAT
-Rule	SL	1957	1962	-	Jun	 1	0:00	1:00	SLST
-Rule	SL	1957	1962	-	Sep	 1	0:00	0	GMT
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Freetown	-0:53:00 -	LMT	1882
-			-0:53:00 -	FMT	1913 Jun # Freetown Mean Time
-			-1:00	SL	%s	1957
-			 0:00	SL	%s
+# See Africa/Abidjan.
 
 # Somalia
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
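Review bot: this hunk deletes the whole `SL` rule set together with the Africa/Freetown Zone block; if any Zone line elsewhere in the merged africa file still names `SL` in its RULES column, zic will refuse to compile the file, so run a full `zic` build of the merged file rather than relying on this hunk reviewing cleanly. Note also that the removed lines recorded two distinct summer-time regimes (0:40 SLST 1935-1942 on a -1:00 base, 1:00 SLST 1957-1962 on a 0:00 base) that the link to Africa/Abidjan cannot reproduce; that loss is consistent with the other Abidjan consolidations in this diff but should be called out in the commit message.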
@@ -1121,9 +1080,9 @@ Zone Africa/Johannesburg 1:52:00 -	LMT	1
 
 # Sudan
 #
-# From 
-# Sudan News Agency (2000-01-13)
-# , also reported by Michael De Beukelaer-Dossche via Steffen Thorsen:
+# From 
+# Sudan News Agency (2000-01-13),
+# also reported by Michaël De Beukelaer-Dossche via Steffen Thorsen:
 # Clocks will be moved ahead for 60 minutes all over the Sudan as of noon
 # Saturday....  This was announced Thursday by Caretaker State Minister for
 # Manpower Abdul-Rahman Nur-Eddin.
@@ -1154,14 +1113,12 @@ Zone Africa/Dar_es_Salaam 2:37:08 -	LMT	
 			3:00	-	EAT
 
 # Togo
-# Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Africa/Lome	0:04:52 -	LMT	1893
-			0:00	-	GMT
+# See Africa/Abidjan.
 
 # Tunisia
 
 # From Gwillim Law (2005-04-30):
-# My correspondent, Risto Nykanen, has alerted me to another adoption of DST,
+# My correspondent, Risto Nykänen, has alerted me to another adoption of DST,
 # this time in Tunisia.  According to Yahoo France News
 # , in a story attributed to AP
 # and dated 2005-04-26, "Tunisia has decided to advance its official time by
@@ -1170,7 +1127,7 @@ Zone	Africa/Lome	0:04:52 -	LMT	1893
 # Saturday."  (My translation)
 #
 # From Oscar van Vlijmen (2005-05-02):
-# LaPresse, the first national daily newspaper ...
+# La Presse, the first national daily newspaper ...
 # 
 # ... DST for 2005: on: Sun May 1 0h standard time, off: Fri Sept. 30,
 # 1h standard time.
@@ -1184,18 +1141,12 @@ Zone	Africa/Lome	0:04:52 -	LMT	1893
 # From Steffen Thorsen (2009-03-16):
 # According to several news sources, Tunisia will not observe DST this year.
 # (Arabic)
-# 
 # http://www.elbashayer.com/?page=viewn&nid=42546
-# 
-# 
 # http://www.babnet.net/kiwidetail-15295.asp
-# 
 #
 # We have also confirmed this with the US embassy in Tunisia.
 # We have a wrap-up about this on the following page:
-# 
 # http://www.timeanddate.com/news/time/tunisia-cancels-dst-2009.html
-# 
 
 # From Alexander Krivenyshev (2009-03-17):
 # Here is a link to Tunis Afrique Presse News Agency
@@ -1203,20 +1154,17 @@ Zone	Africa/Lome	0:04:52 -	LMT	1893
 # Standard time to be kept the whole year long (tap.info.tn):
 #
 # (in English)
-# 
 # http://www.tap.info.tn/en/index.php?option=com_content&task=view&id=26813&Itemid=157
-# 
 #
 # (in Arabic)
-# 
 # http://www.tap.info.tn/ar/index.php?option=com_content&task=view&id=61240&Itemid=1
-# 
 
-# From Arthur David Olson (2009--3-18):
-# The Tunis Afrique Presse News Agency notice contains this: "This measure is due to the fact
-# that the fasting month of ramadan coincides with the period concerned by summer time.
-# Therefore, the standard time will be kept unchanged the whole year long."
-# So foregoing DST seems to be an exception (albeit one that may be repeated in the  future).
+# From Arthur David Olson (2009-03-18):
+# The Tunis Afrique Presse News Agency notice contains this: "This measure is
+# due to the fact that the fasting month of Ramadan coincides with the period
+# concerned by summer time.  Therefore, the standard time will be kept
+# unchanged the whole year long."  So foregoing DST seems to be an exception
+# (albeit one that may be repeated in the future).
 
 # From Alexander Krivenyshev (2010-03-27):
 # According to some news reports Tunis confirmed not to use DST in 2010
@@ -1228,12 +1176,8 @@ Zone	Africa/Lome	0:04:52 -	LMT	1893
 # coincided with the month of Ramadan..."
 #
 # (in Arabic)
-# 
 # http://www.moheet.com/show_news.aspx?nid=358861&pg=1
-# 
 # http://www.almadenahnews.com/newss/news.php?c=118&id=38036
-# or
-# 
 # http://www.worldtimezone.com/dst_news/dst_news_tunis02.html
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S

Modified: releng/10.0/contrib/tzdata/antarctica
==============================================================================
--- releng/10.0/contrib/tzdata/antarctica	Tue Oct 21 23:50:46 2014	(r273438)
+++ releng/10.0/contrib/tzdata/antarctica	Tue Oct 21 23:52:25 2014	(r273439)
@@ -1,16 +1,13 @@
-# 
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
 # From Paul Eggert (1999-11-15):
 # To keep things manageable, we list only locations occupied year-round; see
-# 
 # COMNAP - Stations and Bases
-# 
+# 
 # and
-# 
 # Summary of the Peri-Antarctic Islands (1998-07-23)
-# 
+# 
 # for information.
 # Unless otherwise specified, we have no time zone information.
 #
@@ -55,19 +52,19 @@ Rule	ChileAQ	2012	max	-	Sep	Sun>=2	4:00u

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-src-releng@FreeBSD.ORG  Fri Oct 24 07:50:36 2014
Return-Path: 
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 39138B55;
 Fri, 24 Oct 2014 07:50:36 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 1ABC078C;
 Fri, 24 Oct 2014 07:50:36 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9O7oZ6R065971;
 Fri, 24 Oct 2014 07:50:35 GMT (envelope-from delphij@FreeBSD.org)
Received: (from delphij@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9O7oZHj065967;
 Fri, 24 Oct 2014 07:50:35 GMT (envelope-from delphij@FreeBSD.org)
Message-Id: <201410240750.s9O7oZHj065967@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: delphij set sender to
 delphij@FreeBSD.org using -f
From: Xin LI 
Date: Fri, 24 Oct 2014 07:50:35 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r273581 - in releng/10.1/sys/dev/hyperv: netvsc
 stordisengage storvsc utilities
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree 
List-Unsubscribe: ,
 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
 
X-List-Received-Date: Fri, 24 Oct 2014 07:50:36 -0000

Author: delphij
Date: Fri Oct 24 07:50:34 2014
New Revision: 273581
URL: https://svnweb.freebsd.org/changeset/base/273581

Log:
  MFS r273580: MFC r273577:
  
  Return BUS_PROBE_DEFAULT instead of BUS_PROBE_VENDOR or 0 for in-tree
  driver.  This change was verified by Microsoft.
  
  Approved by:	re (kib)

Modified:
  releng/10.1/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c
  releng/10.1/sys/dev/hyperv/stordisengage/hv_ata_pci_disengage.c
  releng/10.1/sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c
  releng/10.1/sys/dev/hyperv/utilities/hv_util.c
Directory Properties:
  releng/10.1/   (props changed)

Modified: releng/10.1/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c
==============================================================================
--- releng/10.1/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c	Fri Oct 24 07:06:01 2014	(r273580)
+++ releng/10.1/sys/dev/hyperv/netvsc/hv_netvsc_drv_freebsd.c	Fri Oct 24 07:50:34 2014	(r273581)
@@ -218,7 +218,7 @@ netvsc_probe(device_t dev)
 		if (bootverbose)
 			printf("Netvsc probe... DONE \n");
 
-		return (0);
+		return (BUS_PROBE_DEFAULT);
 	}
 
 	return (ENXIO);
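Review bot: returning `BUS_PROBE_DEFAULT` instead of `0` is a real priority change, not a cosmetic one: in FreeBSD's bus.h a probe return of 0 is BUS_PROBE_SPECIFIC, the highest priority, which claims the device outright and blocks every other candidate driver, whereas BUS_PROBE_DEFAULT (-20) lets a driver returning BUS_PROBE_VENDOR (-10) win. That matches the log message's intent for an in-tree driver, but a one-line comment at the `return (BUS_PROBE_DEFAULT);` site saying the lower priority is deliberate would stop a future reader from "fixing" it back to 0.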

Modified: releng/10.1/sys/dev/hyperv/stordisengage/hv_ata_pci_disengage.c
==============================================================================
--- releng/10.1/sys/dev/hyperv/stordisengage/hv_ata_pci_disengage.c	Fri Oct 24 07:06:01 2014	(r273580)
+++ releng/10.1/sys/dev/hyperv/stordisengage/hv_ata_pci_disengage.c	Fri Oct 24 07:50:34 2014	(r273581)
@@ -116,7 +116,7 @@ hv_ata_pci_probe(device_t dev)
 
 	device_set_desc(dev, "Hyper-V ATA storage disengage driver");
 
-	return (BUS_PROBE_VENDOR);
+	return (BUS_PROBE_DEFAULT);
 }
 
 static int
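Review bot: this probe drops from BUS_PROBE_VENDOR to BUS_PROBE_DEFAULT, yet the driver's own description ("Hyper-V ATA storage disengage driver") says its job is to take the emulated ATA controller away from the generic ATA driver, so it must still outrank that driver at the new priority or the disengage path never runs; the log says Microsoft verified the ordering, so record in a comment next to the `return (BUS_PROBE_DEFAULT);` which competing driver priority this value was checked against.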

Modified: releng/10.1/sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c
==============================================================================
--- releng/10.1/sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c	Fri Oct 24 07:06:01 2014	(r273580)
+++ releng/10.1/sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c	Fri Oct 24 07:50:34 2014	(r273581)
@@ -689,14 +689,14 @@ storvsc_probe(device_t dev)
 			if(bootverbose)
 				device_printf(dev,
 					"Enlightened ATA/IDE detected\n");
-			ret = 0;
+			ret = BUS_PROBE_DEFAULT;
 		} else if(bootverbose)
 			device_printf(dev, "Emulated ATA/IDE set (hw.ata.disk_enable set)\n");
 		break;
 	case DRIVER_STORVSC:
 		if(bootverbose)
 			device_printf(dev, "Enlightened SCSI device detected\n");
-		ret = 0;
+		ret = BUS_PROBE_DEFAULT;
 		break;
 	default:
 		ret = ENXIO;
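Review bot: in the DRIVER_ATA case the `} else if(bootverbose)` branch (emulated ATA/IDE with hw.ata.disk_enable set) leaves `ret` untouched, so the visible hunk does not show what is returned on that path; confirm `ret` is initialised to ENXIO before the switch, because an initial value of 0 would make storvsc claim the emulated device at BUS_PROBE_SPECIFIC priority, defeating both this change and the disk_enable knob. Style nit: `if(bootverbose)` wants a space after `if` per style(9).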

Modified: releng/10.1/sys/dev/hyperv/utilities/hv_util.c
==============================================================================
--- releng/10.1/sys/dev/hyperv/utilities/hv_util.c	Fri Oct 24 07:06:01 2014	(r273580)
+++ releng/10.1/sys/dev/hyperv/utilities/hv_util.c	Fri Oct 24 07:50:34 2014	(r273581)
@@ -378,7 +378,7 @@ hv_util_probe(device_t dev)
 	    const char *p = vmbus_get_type(dev);
 	    if (service_table[i].enabled && !memcmp(p, &service_table[i].guid, sizeof(hv_guid))) {
 		device_set_softc(dev, (void *) (&service_table[i]));
-		rtn_value = 0;
+		rtn_value = BUS_PROBE_DEFAULT;
 	    }
 	}
 
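Review bot: the loop sets `rtn_value = BUS_PROBE_DEFAULT` on a GUID match but keeps iterating, so the result relies on no later iteration touching `rtn_value` and `device_set_softc()` would be called again if two enabled entries ever carried the same GUID; a `break` after `device_set_softc(dev, (void *) (&service_table[i]));` makes the first-match intent explicit. Also the `if (service_table[i].enabled && !memcmp(...))` line exceeds 80 columns and the four-space indentation differs from the tab indentation used in the other files in this commit (style(9)).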

From owner-svn-src-releng@FreeBSD.ORG  Fri Oct 24 21:40:45 2014
Return-Path: 
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 805162D3;
 Fri, 24 Oct 2014 21:40:45 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 6C26D131;
 Fri, 24 Oct 2014 21:40:45 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9OLejUp062173;
 Fri, 24 Oct 2014 21:40:45 GMT (envelope-from gjb@FreeBSD.org)
Received: (from gjb@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9OLejVH062172;
 Fri, 24 Oct 2014 21:40:45 GMT (envelope-from gjb@FreeBSD.org)
Message-Id: <201410242140.s9OLejVH062172@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: gjb set sender to gjb@FreeBSD.org
 using -f
From: Glen Barber 
Date: Fri, 24 Oct 2014 21:40:45 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r273608 - releng/10.1/release/doc/en_US.ISO8859-1/relnotes
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree 
List-Unsubscribe: ,
 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
 
X-List-Received-Date: Fri, 24 Oct 2014 21:40:45 -0000

Author: gjb
Date: Fri Oct 24 21:40:44 2014
New Revision: 273608
URL: https://svnweb.freebsd.org/changeset/base/273608

Log:
  Document r273399, OpenSSL updated to version 1.0.1j.
  
  Approved by:	re (implicit)
  Sponsored by:	The FreeBSD Foundation

Modified:
  releng/10.1/release/doc/en_US.ISO8859-1/relnotes/article.xml

Modified: releng/10.1/release/doc/en_US.ISO8859-1/relnotes/article.xml
==============================================================================
--- releng/10.1/release/doc/en_US.ISO8859-1/relnotes/article.xml	Fri Oct 24 21:08:36 2014	(r273607)
+++ releng/10.1/release/doc/en_US.ISO8859-1/relnotes/article.xml	Fri Oct 24 21:40:44 2014	(r273608)
@@ -1621,9 +1621,6 @@
 	ldns have been updated to version
 	1.4.22.
 
-      OpenSSL has
-	been updated to version 1.0.1i.
-
       The lite version of
 	Subversion included in the
 	&os; base system and its dependencies have been
@@ -1666,6 +1663,9 @@
 
       OpenPAM has
 	been updated to Ourouparia (20140912).
+
+      OpenSSL has
+	been updated to version 1.0.1j.
     
 
     

From owner-svn-src-releng@FreeBSD.ORG  Sat Oct 25 01:17:30 2014
Return-Path: 
Delivered-To: svn-src-releng@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id CFEDB2AA;
 Sat, 25 Oct 2014 01:17:30 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id A1FB896E;
 Sat, 25 Oct 2014 01:17:30 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9P1HUaV066780;
 Sat, 25 Oct 2014 01:17:30 GMT (envelope-from gjb@FreeBSD.org)
Received: (from gjb@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9P1HUAl066779;
 Sat, 25 Oct 2014 01:17:30 GMT (envelope-from gjb@FreeBSD.org)
Message-Id: <201410250117.s9P1HUAl066779@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: gjb set sender to gjb@FreeBSD.org
 using -f
From: Glen Barber 
Date: Sat, 25 Oct 2014 01:17:30 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-releng@freebsd.org
Subject: svn commit: r273620 - releng/10.1/release/doc/en_US.ISO8859-1/errata
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-releng@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: SVN commit messages for the release engineering / security commits to
 the src tree 
List-Unsubscribe: ,
 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
 
X-List-Received-Date: Sat, 25 Oct 2014 01:17:30 -0000

Author: gjb
Date: Sat Oct 25 01:17:29 2014
New Revision: 273620
URL: https://svnweb.freebsd.org/changeset/base/273620

Log:
  Note to avoid using GENERIC kernel on i386 when using
  multi-disk ZFS pools, referencing an old UPDATING entry
  that predates 10.0-RELEASE.
  
  Approved by:	re (implicit)
  Sponsored by:	The FreeBSD Foundation

Modified:
  releng/10.1/release/doc/en_US.ISO8859-1/errata/article.xml

Modified: releng/10.1/release/doc/en_US.ISO8859-1/errata/article.xml
==============================================================================
--- releng/10.1/release/doc/en_US.ISO8859-1/errata/article.xml	Sat Oct 25 00:37:35 2014	(r273619)
+++ releng/10.1/release/doc/en_US.ISO8859-1/errata/article.xml	Sat Oct 25 01:17:29 2014	(r273620)
@@ -132,6 +132,49 @@ boot
 	  instability may be present on virtual machines running
 	  on other hypervisors, such as Xen or KVM.
       
+
+      
+	&os;/&arch.i386; &release.current; configured with
+	  a multi-disk ZFS dataset (mirror, raidz1, raidz2, raidz3)
+	  may crash during boot when the ZFS pool mount is attempted
+	  while booting an unmodified GENERIC
+	  kernel.
+
+	As described in /usr/src/UPDATING
+	  entry 20121223, rebuilding the kernel
+	  with options KSTACK_PAGES=4 has been
+	  observed to resolve the boot-time crash.  This, however, is
+	  not an ideal solution for inclusion in the
+	  GENERIC kernel configuration, as
+	  increasing KSTACK_PAGES implicitly
+	  decreases available usermode threads in an environment that
+	  is already resource-starved.
+
+	Taking into account the heavy resource requirements of
+	  ZFS, in addition to the &arch.i386;-specific tuning
+	  requirements for general workloads, using ZFS with the
+	  &os;/&arch.i386; GENERIC kernel
+	  is strongly discouraged.
+
+	
+	  It is extremely important to take note that, by
+	    default, &man.freebsd-update.8; will install the
+	    GENERIC kernel configuration, and
+	    as such, &man.freebsd-update.8; consumers are strongly
+	    encouraged to avoid &os;-provided kernel binary upgrades
+	    with such configurations.
+	
+
+	
+	  Although there is slight change in how the crash
+	    manifests on &os;/&arch.i386; between &release.prev; and
+	    &release.current;, and given the date of the
+	    /usr/src/UPDATING entry, there is no
+	    evidence suggesting this is a regression between
+	    &os; &release.prev; and &os; &release.current;
+	    directly.
+	
+
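Review bot: the new paragraph calls the affected configuration a "multi-disk ZFS dataset (mirror, raidz1, raidz2, raidz3)", but mirror and raidz are pool (vdev) layouts, not datasets, and the same sentence goes on to say "ZFS pool mount"; use "pool" consistently so readers do not look for a per-dataset setting. Grammar nit in the closing note: "there is slight change" should read "there is a slight change".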