From owner-svn-src-releng@freebsd.org Thu Feb 23 07:11:52 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 4D841CEA692; Thu, 23 Feb 2017 07:11:52 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AFA1D2E6; Thu, 23 Feb 2017 07:11:51 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v1N7Bo32017554; Thu, 23 Feb 2017 07:11:50 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v1N7BmW5017529; Thu, 23 Feb 2017 07:11:48 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201702230711.v1N7BmW5017529@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Thu, 23 Feb 2017 07:11:48 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r314125 - in releng/11.0: . contrib/mdocml crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/aes/asm crypto/openssl/crypto/asn1 crypto/openssl/crypto/bn cry... X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Feb 2017 07:11:52 -0000 Author: delphij Date: Thu Feb 23 07:11:48 2017 New Revision: 314125 URL: https://svnweb.freebsd.org/changeset/base/314125 Log: Fix multiple vulnerabilities of OpenSSL. [SA-17:02] Fix system hang when booting when PCI-express HotPlug is enabled. [EN-17:01] Fix NIS master updates are not pushed to NIS slave. [EN-17:02] Fix compatibility with Hyper-V/storage after KB3172614 or KB3179574. [EN-17:03] Make makewhatis output reproducible. [EN-17:04] Approved by: so Modified: releng/11.0/UPDATING releng/11.0/contrib/mdocml/mandocdb.c releng/11.0/crypto/openssl/CHANGES releng/11.0/crypto/openssl/CONTRIBUTING releng/11.0/crypto/openssl/Configure releng/11.0/crypto/openssl/INSTALL releng/11.0/crypto/openssl/Makefile releng/11.0/crypto/openssl/Makefile.org releng/11.0/crypto/openssl/NEWS releng/11.0/crypto/openssl/README releng/11.0/crypto/openssl/apps/apps.c releng/11.0/crypto/openssl/apps/apps.h releng/11.0/crypto/openssl/apps/ca.c releng/11.0/crypto/openssl/apps/cms.c releng/11.0/crypto/openssl/apps/dgst.c releng/11.0/crypto/openssl/apps/dh.c releng/11.0/crypto/openssl/apps/dhparam.c releng/11.0/crypto/openssl/apps/dsa.c releng/11.0/crypto/openssl/apps/dsaparam.c releng/11.0/crypto/openssl/apps/ec.c releng/11.0/crypto/openssl/apps/ecparam.c releng/11.0/crypto/openssl/apps/enc.c releng/11.0/crypto/openssl/apps/gendh.c releng/11.0/crypto/openssl/apps/gendsa.c releng/11.0/crypto/openssl/apps/genpkey.c releng/11.0/crypto/openssl/apps/genrsa.c releng/11.0/crypto/openssl/apps/pkcs12.c releng/11.0/crypto/openssl/apps/pkcs7.c releng/11.0/crypto/openssl/apps/pkcs8.c releng/11.0/crypto/openssl/apps/pkey.c releng/11.0/crypto/openssl/apps/pkeyparam.c releng/11.0/crypto/openssl/apps/pkeyutl.c releng/11.0/crypto/openssl/apps/prime.c releng/11.0/crypto/openssl/apps/rand.c releng/11.0/crypto/openssl/apps/req.c releng/11.0/crypto/openssl/apps/rsa.c releng/11.0/crypto/openssl/apps/rsautl.c releng/11.0/crypto/openssl/apps/s_cb.c releng/11.0/crypto/openssl/apps/s_client.c releng/11.0/crypto/openssl/apps/s_server.c releng/11.0/crypto/openssl/apps/smime.c releng/11.0/crypto/openssl/apps/speed.c releng/11.0/crypto/openssl/apps/spkac.c releng/11.0/crypto/openssl/apps/srp.c releng/11.0/crypto/openssl/apps/verify.c releng/11.0/crypto/openssl/apps/x509.c releng/11.0/crypto/openssl/crypto/aes/asm/aes-s390x.pl releng/11.0/crypto/openssl/crypto/asn1/p5_pbev2.c releng/11.0/crypto/openssl/crypto/asn1/x_crl.c releng/11.0/crypto/openssl/crypto/bn/asm/x86_64-mont.pl releng/11.0/crypto/openssl/crypto/bn/asm/x86_64-mont5.pl releng/11.0/crypto/openssl/crypto/bn/bn_exp.c releng/11.0/crypto/openssl/crypto/bn/bn_mul.c releng/11.0/crypto/openssl/crypto/bn/bn_prime.c releng/11.0/crypto/openssl/crypto/bn/bn_sqr.c releng/11.0/crypto/openssl/crypto/cms/cms_kari.c releng/11.0/crypto/openssl/crypto/dh/dh_key.c releng/11.0/crypto/openssl/crypto/dsa/dsa_pmeth.c releng/11.0/crypto/openssl/crypto/ec/ec2_mult.c releng/11.0/crypto/openssl/crypto/ecdh/ech_ossl.c releng/11.0/crypto/openssl/crypto/err/err.c releng/11.0/crypto/openssl/crypto/evp/e_aes.c releng/11.0/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c releng/11.0/crypto/openssl/crypto/evp/evp.h releng/11.0/crypto/openssl/crypto/evp/evp_err.c releng/11.0/crypto/openssl/crypto/evp/pmeth_fn.c releng/11.0/crypto/openssl/crypto/evp/pmeth_lib.c releng/11.0/crypto/openssl/crypto/modes/ctr128.c releng/11.0/crypto/openssl/crypto/opensslv.h releng/11.0/crypto/openssl/crypto/perlasm/x86_64-xlate.pl releng/11.0/crypto/openssl/crypto/rsa/rsa_gen.c releng/11.0/crypto/openssl/crypto/rsa/rsa_oaep.c releng/11.0/crypto/openssl/crypto/rsa/rsa_pmeth.c releng/11.0/crypto/openssl/crypto/s390xcap.c releng/11.0/crypto/openssl/crypto/ui/ui_lib.c releng/11.0/crypto/openssl/crypto/ui/ui_openssl.c releng/11.0/crypto/openssl/doc/apps/ocsp.pod releng/11.0/crypto/openssl/doc/crypto/EVP_DigestSignInit.pod releng/11.0/crypto/openssl/doc/crypto/EVP_DigestVerifyInit.pod releng/11.0/crypto/openssl/doc/crypto/RSA_generate_key.pod releng/11.0/crypto/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod releng/11.0/crypto/openssl/doc/crypto/X509_NAME_print_ex.pod releng/11.0/crypto/openssl/doc/ssl/SSL_CTX_set_session_cache_mode.pod releng/11.0/crypto/openssl/doc/ssl/SSL_get_error.pod releng/11.0/crypto/openssl/doc/ssl/SSL_read.pod releng/11.0/crypto/openssl/doc/ssl/SSL_write.pod releng/11.0/crypto/openssl/engines/ccgost/Makefile releng/11.0/crypto/openssl/ssl/bad_dtls_test.c releng/11.0/crypto/openssl/ssl/s23_pkt.c releng/11.0/crypto/openssl/ssl/s2_lib.c releng/11.0/crypto/openssl/ssl/s2_pkt.c releng/11.0/crypto/openssl/ssl/s3_clnt.c releng/11.0/crypto/openssl/ssl/s3_pkt.c releng/11.0/crypto/openssl/ssl/s3_srvr.c releng/11.0/crypto/openssl/ssl/ssl_cert.c releng/11.0/crypto/openssl/ssl/ssl_err.c releng/11.0/crypto/openssl/ssl/ssl_lib.c releng/11.0/crypto/openssl/ssl/ssl_locl.h releng/11.0/crypto/openssl/ssl/ssl_sess.c releng/11.0/crypto/openssl/ssl/t1_lib.c releng/11.0/crypto/openssl/util/domd releng/11.0/crypto/openssl/util/mklink.pl releng/11.0/libexec/ypxfr/ypxfr_getmap.c releng/11.0/secure/lib/libcrypto/Makefile.inc releng/11.0/secure/lib/libcrypto/amd64/x86_64-mont.S releng/11.0/secure/lib/libcrypto/amd64/x86_64-mont5.S releng/11.0/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_length.3 releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_new.3 releng/11.0/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 releng/11.0/secure/lib/libcrypto/man/ASN1_TIME_set.3 releng/11.0/secure/lib/libcrypto/man/ASN1_generate_nconf.3 releng/11.0/secure/lib/libcrypto/man/BIO_ctrl.3 releng/11.0/secure/lib/libcrypto/man/BIO_f_base64.3 releng/11.0/secure/lib/libcrypto/man/BIO_f_buffer.3 releng/11.0/secure/lib/libcrypto/man/BIO_f_cipher.3 releng/11.0/secure/lib/libcrypto/man/BIO_f_md.3 releng/11.0/secure/lib/libcrypto/man/BIO_f_null.3 releng/11.0/secure/lib/libcrypto/man/BIO_f_ssl.3 releng/11.0/secure/lib/libcrypto/man/BIO_find_type.3 releng/11.0/secure/lib/libcrypto/man/BIO_new.3 releng/11.0/secure/lib/libcrypto/man/BIO_new_CMS.3 releng/11.0/secure/lib/libcrypto/man/BIO_push.3 releng/11.0/secure/lib/libcrypto/man/BIO_read.3 releng/11.0/secure/lib/libcrypto/man/BIO_s_accept.3 releng/11.0/secure/lib/libcrypto/man/BIO_s_bio.3 releng/11.0/secure/lib/libcrypto/man/BIO_s_connect.3 releng/11.0/secure/lib/libcrypto/man/BIO_s_fd.3 releng/11.0/secure/lib/libcrypto/man/BIO_s_file.3 releng/11.0/secure/lib/libcrypto/man/BIO_s_mem.3 releng/11.0/secure/lib/libcrypto/man/BIO_s_null.3 releng/11.0/secure/lib/libcrypto/man/BIO_s_socket.3 releng/11.0/secure/lib/libcrypto/man/BIO_set_callback.3 releng/11.0/secure/lib/libcrypto/man/BIO_should_retry.3 releng/11.0/secure/lib/libcrypto/man/BN_BLINDING_new.3 releng/11.0/secure/lib/libcrypto/man/BN_CTX_new.3 releng/11.0/secure/lib/libcrypto/man/BN_CTX_start.3 releng/11.0/secure/lib/libcrypto/man/BN_add.3 releng/11.0/secure/lib/libcrypto/man/BN_add_word.3 releng/11.0/secure/lib/libcrypto/man/BN_bn2bin.3 releng/11.0/secure/lib/libcrypto/man/BN_cmp.3 releng/11.0/secure/lib/libcrypto/man/BN_copy.3 releng/11.0/secure/lib/libcrypto/man/BN_generate_prime.3 releng/11.0/secure/lib/libcrypto/man/BN_mod_inverse.3 releng/11.0/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 releng/11.0/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 releng/11.0/secure/lib/libcrypto/man/BN_new.3 releng/11.0/secure/lib/libcrypto/man/BN_num_bytes.3 releng/11.0/secure/lib/libcrypto/man/BN_rand.3 releng/11.0/secure/lib/libcrypto/man/BN_set_bit.3 releng/11.0/secure/lib/libcrypto/man/BN_swap.3 releng/11.0/secure/lib/libcrypto/man/BN_zero.3 releng/11.0/secure/lib/libcrypto/man/CMS_add0_cert.3 releng/11.0/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3 releng/11.0/secure/lib/libcrypto/man/CMS_add1_signer.3 releng/11.0/secure/lib/libcrypto/man/CMS_compress.3 releng/11.0/secure/lib/libcrypto/man/CMS_decrypt.3 releng/11.0/secure/lib/libcrypto/man/CMS_encrypt.3 releng/11.0/secure/lib/libcrypto/man/CMS_final.3 releng/11.0/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3 releng/11.0/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3 releng/11.0/secure/lib/libcrypto/man/CMS_get0_type.3 releng/11.0/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3 releng/11.0/secure/lib/libcrypto/man/CMS_sign.3 releng/11.0/secure/lib/libcrypto/man/CMS_sign_receipt.3 releng/11.0/secure/lib/libcrypto/man/CMS_uncompress.3 releng/11.0/secure/lib/libcrypto/man/CMS_verify.3 releng/11.0/secure/lib/libcrypto/man/CMS_verify_receipt.3 releng/11.0/secure/lib/libcrypto/man/CONF_modules_free.3 releng/11.0/secure/lib/libcrypto/man/CONF_modules_load_file.3 releng/11.0/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 releng/11.0/secure/lib/libcrypto/man/DH_generate_key.3 releng/11.0/secure/lib/libcrypto/man/DH_generate_parameters.3 releng/11.0/secure/lib/libcrypto/man/DH_get_ex_new_index.3 releng/11.0/secure/lib/libcrypto/man/DH_new.3 releng/11.0/secure/lib/libcrypto/man/DH_set_method.3 releng/11.0/secure/lib/libcrypto/man/DH_size.3 releng/11.0/secure/lib/libcrypto/man/DSA_SIG_new.3 releng/11.0/secure/lib/libcrypto/man/DSA_do_sign.3 releng/11.0/secure/lib/libcrypto/man/DSA_dup_DH.3 releng/11.0/secure/lib/libcrypto/man/DSA_generate_key.3 releng/11.0/secure/lib/libcrypto/man/DSA_generate_parameters.3 releng/11.0/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 releng/11.0/secure/lib/libcrypto/man/DSA_new.3 releng/11.0/secure/lib/libcrypto/man/DSA_set_method.3 releng/11.0/secure/lib/libcrypto/man/DSA_sign.3 releng/11.0/secure/lib/libcrypto/man/DSA_size.3 releng/11.0/secure/lib/libcrypto/man/EC_GFp_simple_method.3 releng/11.0/secure/lib/libcrypto/man/EC_GROUP_copy.3 releng/11.0/secure/lib/libcrypto/man/EC_GROUP_new.3 releng/11.0/secure/lib/libcrypto/man/EC_KEY_new.3 releng/11.0/secure/lib/libcrypto/man/EC_POINT_add.3 releng/11.0/secure/lib/libcrypto/man/EC_POINT_new.3 releng/11.0/secure/lib/libcrypto/man/ERR_GET_LIB.3 releng/11.0/secure/lib/libcrypto/man/ERR_clear_error.3 releng/11.0/secure/lib/libcrypto/man/ERR_error_string.3 releng/11.0/secure/lib/libcrypto/man/ERR_get_error.3 releng/11.0/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 releng/11.0/secure/lib/libcrypto/man/ERR_load_strings.3 releng/11.0/secure/lib/libcrypto/man/ERR_print_errors.3 releng/11.0/secure/lib/libcrypto/man/ERR_put_error.3 releng/11.0/secure/lib/libcrypto/man/ERR_remove_state.3 releng/11.0/secure/lib/libcrypto/man/ERR_set_mark.3 releng/11.0/secure/lib/libcrypto/man/EVP_BytesToKey.3 releng/11.0/secure/lib/libcrypto/man/EVP_DigestInit.3 releng/11.0/secure/lib/libcrypto/man/EVP_DigestSignInit.3 releng/11.0/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3 releng/11.0/secure/lib/libcrypto/man/EVP_EncodeInit.3 releng/11.0/secure/lib/libcrypto/man/EVP_EncryptInit.3 releng/11.0/secure/lib/libcrypto/man/EVP_OpenInit.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_cmp.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_derive.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_keygen.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_new.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_print_private.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_sign.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_verify.3 releng/11.0/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3 releng/11.0/secure/lib/libcrypto/man/EVP_SealInit.3 releng/11.0/secure/lib/libcrypto/man/EVP_SignInit.3 releng/11.0/secure/lib/libcrypto/man/EVP_VerifyInit.3 releng/11.0/secure/lib/libcrypto/man/OBJ_nid2obj.3 releng/11.0/secure/lib/libcrypto/man/OPENSSL_Applink.3 releng/11.0/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 releng/11.0/secure/lib/libcrypto/man/OPENSSL_config.3 releng/11.0/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 releng/11.0/secure/lib/libcrypto/man/OPENSSL_instrument_bus.3 releng/11.0/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 releng/11.0/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 releng/11.0/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3 releng/11.0/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3 releng/11.0/secure/lib/libcrypto/man/PKCS12_create.3 releng/11.0/secure/lib/libcrypto/man/PKCS12_parse.3 releng/11.0/secure/lib/libcrypto/man/PKCS7_decrypt.3 releng/11.0/secure/lib/libcrypto/man/PKCS7_encrypt.3 releng/11.0/secure/lib/libcrypto/man/PKCS7_sign.3 releng/11.0/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3 releng/11.0/secure/lib/libcrypto/man/PKCS7_verify.3 releng/11.0/secure/lib/libcrypto/man/RAND_add.3 releng/11.0/secure/lib/libcrypto/man/RAND_bytes.3 releng/11.0/secure/lib/libcrypto/man/RAND_cleanup.3 releng/11.0/secure/lib/libcrypto/man/RAND_egd.3 releng/11.0/secure/lib/libcrypto/man/RAND_load_file.3 releng/11.0/secure/lib/libcrypto/man/RAND_set_rand_method.3 releng/11.0/secure/lib/libcrypto/man/RSA_blinding_on.3 releng/11.0/secure/lib/libcrypto/man/RSA_check_key.3 releng/11.0/secure/lib/libcrypto/man/RSA_generate_key.3 releng/11.0/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 releng/11.0/secure/lib/libcrypto/man/RSA_new.3 releng/11.0/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 releng/11.0/secure/lib/libcrypto/man/RSA_print.3 releng/11.0/secure/lib/libcrypto/man/RSA_private_encrypt.3 releng/11.0/secure/lib/libcrypto/man/RSA_public_encrypt.3 releng/11.0/secure/lib/libcrypto/man/RSA_set_method.3 releng/11.0/secure/lib/libcrypto/man/RSA_sign.3 releng/11.0/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 releng/11.0/secure/lib/libcrypto/man/RSA_size.3 releng/11.0/secure/lib/libcrypto/man/SMIME_read_CMS.3 releng/11.0/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 releng/11.0/secure/lib/libcrypto/man/SMIME_write_CMS.3 releng/11.0/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 releng/11.0/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 releng/11.0/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 releng/11.0/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 releng/11.0/secure/lib/libcrypto/man/X509_NAME_print_ex.3 releng/11.0/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3 releng/11.0/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3 releng/11.0/secure/lib/libcrypto/man/X509_STORE_CTX_new.3 releng/11.0/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3 releng/11.0/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3 releng/11.0/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 releng/11.0/secure/lib/libcrypto/man/X509_check_host.3 releng/11.0/secure/lib/libcrypto/man/X509_new.3 releng/11.0/secure/lib/libcrypto/man/X509_verify_cert.3 releng/11.0/secure/lib/libcrypto/man/bio.3 releng/11.0/secure/lib/libcrypto/man/blowfish.3 releng/11.0/secure/lib/libcrypto/man/bn.3 releng/11.0/secure/lib/libcrypto/man/bn_internal.3 releng/11.0/secure/lib/libcrypto/man/buffer.3 releng/11.0/secure/lib/libcrypto/man/crypto.3 releng/11.0/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 releng/11.0/secure/lib/libcrypto/man/d2i_CMS_ContentInfo.3 releng/11.0/secure/lib/libcrypto/man/d2i_DHparams.3 releng/11.0/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 releng/11.0/secure/lib/libcrypto/man/d2i_ECPKParameters.3 releng/11.0/secure/lib/libcrypto/man/d2i_ECPrivateKey.3 releng/11.0/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 releng/11.0/secure/lib/libcrypto/man/d2i_PrivateKey.3 releng/11.0/secure/lib/libcrypto/man/d2i_RSAPublicKey.3 releng/11.0/secure/lib/libcrypto/man/d2i_X509.3 releng/11.0/secure/lib/libcrypto/man/d2i_X509_ALGOR.3 releng/11.0/secure/lib/libcrypto/man/d2i_X509_CRL.3 releng/11.0/secure/lib/libcrypto/man/d2i_X509_NAME.3 releng/11.0/secure/lib/libcrypto/man/d2i_X509_REQ.3 releng/11.0/secure/lib/libcrypto/man/d2i_X509_SIG.3 releng/11.0/secure/lib/libcrypto/man/des.3 releng/11.0/secure/lib/libcrypto/man/dh.3 releng/11.0/secure/lib/libcrypto/man/dsa.3 releng/11.0/secure/lib/libcrypto/man/ec.3 releng/11.0/secure/lib/libcrypto/man/ecdsa.3 releng/11.0/secure/lib/libcrypto/man/engine.3 releng/11.0/secure/lib/libcrypto/man/err.3 releng/11.0/secure/lib/libcrypto/man/evp.3 releng/11.0/secure/lib/libcrypto/man/hmac.3 releng/11.0/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3 releng/11.0/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3 releng/11.0/secure/lib/libcrypto/man/lh_stats.3 releng/11.0/secure/lib/libcrypto/man/lhash.3 releng/11.0/secure/lib/libcrypto/man/md5.3 releng/11.0/secure/lib/libcrypto/man/mdc2.3 releng/11.0/secure/lib/libcrypto/man/pem.3 releng/11.0/secure/lib/libcrypto/man/rand.3 releng/11.0/secure/lib/libcrypto/man/rc4.3 releng/11.0/secure/lib/libcrypto/man/ripemd.3 releng/11.0/secure/lib/libcrypto/man/rsa.3 releng/11.0/secure/lib/libcrypto/man/sha.3 releng/11.0/secure/lib/libcrypto/man/threads.3 releng/11.0/secure/lib/libcrypto/man/ui.3 releng/11.0/secure/lib/libcrypto/man/ui_compat.3 releng/11.0/secure/lib/libcrypto/man/x509.3 releng/11.0/secure/lib/libssl/man/SSL_CIPHER_get_name.3 releng/11.0/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 releng/11.0/secure/lib/libssl/man/SSL_CONF_CTX_new.3 releng/11.0/secure/lib/libssl/man/SSL_CONF_CTX_set1_prefix.3 releng/11.0/secure/lib/libssl/man/SSL_CONF_CTX_set_flags.3 releng/11.0/secure/lib/libssl/man/SSL_CONF_CTX_set_ssl_ctx.3 releng/11.0/secure/lib/libssl/man/SSL_CONF_cmd.3 releng/11.0/secure/lib/libssl/man/SSL_CONF_cmd_argv.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_add1_chain_cert.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_add_session.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_ctrl.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_free.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_get0_param.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_new.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_sess_number.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_sessions.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set1_curves.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set1_verify_cert_store.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_cert_cb.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_custom_cli_ext.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_mode.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_options.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_read_ahead.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_timeout.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_set_verify.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_use_certificate.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3 releng/11.0/secure/lib/libssl/man/SSL_CTX_use_serverinfo.3 releng/11.0/secure/lib/libssl/man/SSL_SESSION_free.3 releng/11.0/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 releng/11.0/secure/lib/libssl/man/SSL_SESSION_get_time.3 releng/11.0/secure/lib/libssl/man/SSL_accept.3 releng/11.0/secure/lib/libssl/man/SSL_alert_type_string.3 releng/11.0/secure/lib/libssl/man/SSL_check_chain.3 releng/11.0/secure/lib/libssl/man/SSL_clear.3 releng/11.0/secure/lib/libssl/man/SSL_connect.3 releng/11.0/secure/lib/libssl/man/SSL_do_handshake.3 releng/11.0/secure/lib/libssl/man/SSL_free.3 releng/11.0/secure/lib/libssl/man/SSL_get_SSL_CTX.3 releng/11.0/secure/lib/libssl/man/SSL_get_ciphers.3 releng/11.0/secure/lib/libssl/man/SSL_get_client_CA_list.3 releng/11.0/secure/lib/libssl/man/SSL_get_current_cipher.3 releng/11.0/secure/lib/libssl/man/SSL_get_default_timeout.3 releng/11.0/secure/lib/libssl/man/SSL_get_error.3 releng/11.0/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 releng/11.0/secure/lib/libssl/man/SSL_get_ex_new_index.3 releng/11.0/secure/lib/libssl/man/SSL_get_fd.3 releng/11.0/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 releng/11.0/secure/lib/libssl/man/SSL_get_peer_certificate.3 releng/11.0/secure/lib/libssl/man/SSL_get_psk_identity.3 releng/11.0/secure/lib/libssl/man/SSL_get_rbio.3 releng/11.0/secure/lib/libssl/man/SSL_get_session.3 releng/11.0/secure/lib/libssl/man/SSL_get_verify_result.3 releng/11.0/secure/lib/libssl/man/SSL_get_version.3 releng/11.0/secure/lib/libssl/man/SSL_library_init.3 releng/11.0/secure/lib/libssl/man/SSL_load_client_CA_file.3 releng/11.0/secure/lib/libssl/man/SSL_new.3 releng/11.0/secure/lib/libssl/man/SSL_pending.3 releng/11.0/secure/lib/libssl/man/SSL_read.3 releng/11.0/secure/lib/libssl/man/SSL_rstate_string.3 releng/11.0/secure/lib/libssl/man/SSL_session_reused.3 releng/11.0/secure/lib/libssl/man/SSL_set_bio.3 releng/11.0/secure/lib/libssl/man/SSL_set_connect_state.3 releng/11.0/secure/lib/libssl/man/SSL_set_fd.3 releng/11.0/secure/lib/libssl/man/SSL_set_session.3 releng/11.0/secure/lib/libssl/man/SSL_set_shutdown.3 releng/11.0/secure/lib/libssl/man/SSL_set_verify_result.3 releng/11.0/secure/lib/libssl/man/SSL_shutdown.3 releng/11.0/secure/lib/libssl/man/SSL_state_string.3 releng/11.0/secure/lib/libssl/man/SSL_want.3 releng/11.0/secure/lib/libssl/man/SSL_write.3 releng/11.0/secure/lib/libssl/man/d2i_SSL_SESSION.3 releng/11.0/secure/lib/libssl/man/ssl.3 releng/11.0/secure/usr.bin/openssl/man/CA.pl.1 releng/11.0/secure/usr.bin/openssl/man/asn1parse.1 releng/11.0/secure/usr.bin/openssl/man/c_rehash.1 releng/11.0/secure/usr.bin/openssl/man/ca.1 releng/11.0/secure/usr.bin/openssl/man/ciphers.1 releng/11.0/secure/usr.bin/openssl/man/cms.1 releng/11.0/secure/usr.bin/openssl/man/crl.1 releng/11.0/secure/usr.bin/openssl/man/crl2pkcs7.1 releng/11.0/secure/usr.bin/openssl/man/dgst.1 releng/11.0/secure/usr.bin/openssl/man/dhparam.1 releng/11.0/secure/usr.bin/openssl/man/dsa.1 releng/11.0/secure/usr.bin/openssl/man/dsaparam.1 releng/11.0/secure/usr.bin/openssl/man/ec.1 releng/11.0/secure/usr.bin/openssl/man/ecparam.1 releng/11.0/secure/usr.bin/openssl/man/enc.1 releng/11.0/secure/usr.bin/openssl/man/errstr.1 releng/11.0/secure/usr.bin/openssl/man/gendsa.1 releng/11.0/secure/usr.bin/openssl/man/genpkey.1 releng/11.0/secure/usr.bin/openssl/man/genrsa.1 releng/11.0/secure/usr.bin/openssl/man/nseq.1 releng/11.0/secure/usr.bin/openssl/man/ocsp.1 releng/11.0/secure/usr.bin/openssl/man/openssl.1 releng/11.0/secure/usr.bin/openssl/man/passwd.1 releng/11.0/secure/usr.bin/openssl/man/pkcs12.1 releng/11.0/secure/usr.bin/openssl/man/pkcs7.1 releng/11.0/secure/usr.bin/openssl/man/pkcs8.1 releng/11.0/secure/usr.bin/openssl/man/pkey.1 releng/11.0/secure/usr.bin/openssl/man/pkeyparam.1 releng/11.0/secure/usr.bin/openssl/man/pkeyutl.1 releng/11.0/secure/usr.bin/openssl/man/rand.1 releng/11.0/secure/usr.bin/openssl/man/req.1 releng/11.0/secure/usr.bin/openssl/man/rsa.1 releng/11.0/secure/usr.bin/openssl/man/rsautl.1 releng/11.0/secure/usr.bin/openssl/man/s_client.1 releng/11.0/secure/usr.bin/openssl/man/s_server.1 releng/11.0/secure/usr.bin/openssl/man/s_time.1 releng/11.0/secure/usr.bin/openssl/man/sess_id.1 releng/11.0/secure/usr.bin/openssl/man/smime.1 releng/11.0/secure/usr.bin/openssl/man/speed.1 releng/11.0/secure/usr.bin/openssl/man/spkac.1 releng/11.0/secure/usr.bin/openssl/man/ts.1 releng/11.0/secure/usr.bin/openssl/man/tsget.1 releng/11.0/secure/usr.bin/openssl/man/verify.1 releng/11.0/secure/usr.bin/openssl/man/version.1 releng/11.0/secure/usr.bin/openssl/man/x509.1 releng/11.0/secure/usr.bin/openssl/man/x509v3_config.1 releng/11.0/sys/cam/ata/ata_xpt.c releng/11.0/sys/conf/files.amd64 releng/11.0/sys/conf/files.i386 releng/11.0/sys/conf/newvers.sh releng/11.0/sys/dev/hyperv/storvsc/hv_storvsc_drv_freebsd.c releng/11.0/sys/dev/pci/pci_pci.c releng/11.0/sys/modules/hyperv/Makefile releng/11.0/sys/sys/eventhandler.h releng/11.0/sys/x86/x86/io_apic.c Modified: releng/11.0/UPDATING ============================================================================== --- releng/11.0/UPDATING Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/UPDATING Thu Feb 23 07:11:48 2017 (r314125) @@ -16,6 +16,24 @@ from older versions of FreeBSD, try WITH the tip of head, and then rebuild without this option. The bootstrap process from older version of current across the gcc/clang cutover is a bit fragile. +20170223 p8 FreeBSD-SA-17:02.openssl + FreeBSD-EN-17:01.pcie + FreeBSD-EN-17:02.yp + FreeBSD-EN-17:03.hyperv + FreeBSD-EN-17:04.mandoc + + Fix multiple vulnerabilities of OpenSSL. [SA-17:02] + + Fix system hang when booting when PCI-express HotPlug is enabled. + [EN-17:01] + + Fix NIS master updates are not pushed to NIS slave. [EN-17:02] + + Fix compatibility with Hyper-V/storage after KB3172614 or + KB3179574. [EN-17:03] + + Make makewhatis output reproducible. [EN-17:04] + 20170111 p7 FreeBSD-SA-17:01.openssh Fix multiple vulnerabilities of OpenSSH. Modified: releng/11.0/contrib/mdocml/mandocdb.c ============================================================================== --- releng/11.0/contrib/mdocml/mandocdb.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/contrib/mdocml/mandocdb.c Thu Feb 23 07:11:48 2017 (r314125) @@ -101,6 +101,7 @@ struct mpage { char *arch; /* architecture from file content */ char *title; /* title from file content */ char *desc; /* description from file content */ + struct mpage *next; /* singly linked list */ struct mlink *mlinks; /* singly linked list */ int form; /* format from file content */ int name_head_done; @@ -144,6 +145,7 @@ static void dbadd_mlink_name(const stru static int dbopen(int); static void dbprune(void); static void filescan(const char *); +static int fts_compare(const FTSENT *const *, const FTSENT *const *); static void mlink_add(struct mlink *, const struct stat *); static void mlink_check(struct mpage *, struct mlink *); static void mlink_free(struct mlink *); @@ -202,6 +204,7 @@ static struct ohash strings; /* table o static sqlite3 *db = NULL; /* current database */ static sqlite3_stmt *stmts[STMT__MAX]; /* current statements */ static uint64_t name_mask; +static struct mpage *mpage_head; static const struct mdoc_handler mdocs[MDOC_MAX] = { { NULL, 0 }, /* Ap */ @@ -562,6 +565,20 @@ usage: return (int)MANDOCLEVEL_BADARG; } +static int +fts_compare(const FTSENT *const *a, const FTSENT *const *b) +{ + + /* + * The mpage list is processed in the opposite order to which pages are + * added, so traverse the hierarchy in reverse alpha order, resulting + * in database inserts in alpha order. This is not required for correct + * operation, but is helpful when inspecting the database during + * development. + */ + return -strcmp((*a)->fts_name, (*b)->fts_name); +} + /* * Scan a directory tree rooted at "basedir" for manpages. * We use fts(), scanning directory parts along the way for clues to our @@ -591,8 +608,8 @@ treescan(void) argv[0] = "."; argv[1] = (char *)NULL; - f = fts_open((char * const *)argv, - FTS_PHYSICAL | FTS_NOCHDIR, NULL); + f = fts_open((char * const *)argv, FTS_PHYSICAL | FTS_NOCHDIR, + fts_compare); if (f == NULL) { exitcode = (int)MANDOCLEVEL_SYSERR; say("", "&fts_open"); @@ -957,6 +974,8 @@ mlink_add(struct mlink *mlink, const str mpage = mandoc_calloc(1, sizeof(struct mpage)); mpage->inodev.st_ino = inodev.st_ino; mpage->inodev.st_dev = inodev.st_dev; + mpage->next = mpage_head; + mpage_head = mpage; ohash_insert(&mpages, slot, mpage); } else mlink->next = mpage->mlinks; @@ -980,20 +999,18 @@ mpages_free(void) { struct mpage *mpage; struct mlink *mlink; - unsigned int slot; - mpage = ohash_first(&mpages, &slot); - while (NULL != mpage) { + while (NULL != (mpage = mpage_head)) { while (NULL != (mlink = mpage->mlinks)) { mpage->mlinks = mlink->next; mlink_free(mlink); } + mpage_head = mpage->next; free(mpage->sec); free(mpage->arch); free(mpage->title); free(mpage->desc); free(mpage); - mpage = ohash_next(&mpages, &slot); } } @@ -1114,18 +1131,14 @@ mpages_merge(struct mparse *mp) char *sodest; char *cp; int fd; - unsigned int pslot; if ( ! nodb) SQL_EXEC("BEGIN TRANSACTION"); - mpage = ohash_first(&mpages, &pslot); - while (mpage != NULL) { + for (mpage = mpage_head; mpage != NULL; mpage = mpage->next) { mlinks_undupe(mpage); - if ((mlink = mpage->mlinks) == NULL) { - mpage = ohash_next(&mpages, &pslot); + if ((mlink = mpage->mlinks) == NULL) continue; - } name_mask = NAME_MASK; mandoc_ohash_init(&names, 4, offsetof(struct str, key)); @@ -1247,7 +1260,6 @@ mpages_merge(struct mparse *mp) nextpage: ohash_delete(&strings); ohash_delete(&names); - mpage = ohash_next(&mpages, &pslot); } if (0 == nodb) Modified: releng/11.0/crypto/openssl/CHANGES ============================================================================== --- releng/11.0/crypto/openssl/CHANGES Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/CHANGES Thu Feb 23 07:11:48 2017 (r314125) @@ -2,6 +2,67 @@ OpenSSL CHANGES _______________ + Changes between 1.0.2j and 1.0.2k [26 Jan 2017] + + *) Truncated packet could crash via OOB read + + If one side of an SSL/TLS path is running on a 32-bit host and a specific + cipher is being used, then a truncated packet can cause that host to + perform an out-of-bounds read, usually resulting in a crash. + + This issue was reported to OpenSSL by Robert Święcki of Google. + (CVE-2017-3731) + [Andy Polyakov] + + *) BN_mod_exp may produce incorrect results on x86_64 + + There is a carry propagating bug in the x86_64 Montgomery squaring + procedure. No EC algorithms are affected. Analysis suggests that attacks + against RSA and DSA as a result of this defect would be very difficult to + perform and are not believed likely. Attacks against DH are considered just + feasible (although very difficult) because most of the work necessary to + deduce information about a private key may be performed offline. The amount + of resources required for such an attack would be very significant and + likely only accessible to a limited number of attackers. An attacker would + additionally need online access to an unpatched system using the target + private key in a scenario with persistent DH parameters and a private + key that is shared between multiple clients. For example this can occur by + default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very + similar to CVE-2015-3193 but must be treated as a separate problem. + + This issue was reported to OpenSSL by the OSS-Fuzz project. + (CVE-2017-3732) + [Andy Polyakov] + + *) Montgomery multiplication may produce incorrect results + + There is a carry propagating bug in the Broadwell-specific Montgomery + multiplication procedure that handles input lengths divisible by, but + longer than 256 bits. Analysis suggests that attacks against RSA, DSA + and DH private keys are impossible. This is because the subroutine in + question is not used in operations with the private key itself and an input + of the attacker's direct choice. Otherwise the bug can manifest itself as + transient authentication and key negotiation failures or reproducible + erroneous outcome of public-key operations with specially crafted input. + Among EC algorithms only Brainpool P-512 curves are affected and one + presumably can attack ECDH key negotiation. Impact was not analyzed in + detail, because pre-requisites for attack are considered unlikely. Namely + multiple clients have to choose the curve in question and the server has to + share the private key among them, neither of which is default behaviour. + Even then only clients that chose the curve will be affected. + + This issue was publicly reported as transient failures and was not + initially recognized as a security issue. Thanks to Richard Morgan for + providing reproducible case. + (CVE-2016-7055) + [Andy Polyakov] + + *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0 + or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to + prevent issues where no progress is being made and the peer continually + sends unrecognised record types, using up resources processing them. + [Matt Caswell] + Changes between 1.0.2i and 1.0.2j [26 Sep 2016] *) Missing CRL sanity check Modified: releng/11.0/crypto/openssl/CONTRIBUTING ============================================================================== --- releng/11.0/crypto/openssl/CONTRIBUTING Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/CONTRIBUTING Thu Feb 23 07:11:48 2017 (r314125) @@ -1,4 +1,4 @@ -HOW TO CONTRIBUTE TO PATCHES OpenSSL +HOW TO CONTRIBUTE PATCHES TO OpenSSL ------------------------------------ (Please visit https://www.openssl.org/community/getting-started.html for @@ -11,34 +11,12 @@ OpenSSL community you might want to disc list first. Someone may be already working on the same thing or there may be a good reason as to why that feature isn't implemented. -The best way to submit a patch is to make a pull request on GitHub. -(It is not necessary to send mail to rt@openssl.org to open a ticket!) -If you think the patch could use feedback from the community, please -start a thread on openssl-dev. - -You can also submit patches by sending it as mail to rt@openssl.org. -Please include the word "PATCH" and an explanation of what the patch -does in the subject line. If you do this, our preferred format is "git -format-patch" output. For example to provide a patch file containing the -last commit in your local git repository use the following command: - - % git format-patch --stdout HEAD^ >mydiffs.patch - -Another method of creating an acceptable patch file without using git is as -follows: - - % cd openssl-work - ...make your changes... - % ./Configure dist; make clean - % cd .. - % diff -ur openssl-orig openssl-work >mydiffs.patch - -Note that pull requests are generally easier for the team, and community, to -work with. Pull requests benefit from all of the standard GitHub features, -including code review tools, simpler integration, and CI build support. +To submit a patch, make a pull request on GitHub. If you think the patch +could use feedback from the community, please start a thread on openssl-dev +to discuss it. -No matter how a patch is submitted, the following items will help make -the acceptance and review process faster: +Having addressed the following items before the PR will help make the +acceptance and review process faster: 1. Anything other than trivial contributions will require a contributor licensing agreement, giving us permission to use your code. See @@ -55,21 +33,22 @@ the acceptance and review process faster in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html - 3. Patches should be as current as possible. When using GitHub, please - expect to have to rebase and update often. Note that we do not accept merge - commits. You will be asked to remove them before a patch is considered - acceptable. + 3. Patches should be as current as possible; expect to have to rebase + often. We do not accept merge commits; You will be asked to remove + them before a patch is considered acceptable. 4. Patches should follow our coding style (see https://www.openssl.org/policies/codingstyle.html) and compile without warnings. Where gcc or clang is availble you should use the --strict-warnings Configure option. OpenSSL compiles on many varied platforms: try to ensure you only use portable features. + Clean builds via Travis and AppVeyor are expected, and done whenever + a PR is created or updated. - 5. When at all possible, patches should include tests. These can either be - added to an existing test, or completely new. Please see test/README - for information on the test framework. - - 6. New features or changed functionality must include documentation. Please - look at the "pod" files in doc/apps, doc/crypto and doc/ssl for examples of - our style. + 5. When at all possible, patches should include tests. These can + either be added to an existing test, or completely new. Please see + test/README for information on the test framework. + + 6. New features or changed functionality must include + documentation. Please look at the "pod" files in doc/apps, doc/crypto + and doc/ssl for examples of our style. Modified: releng/11.0/crypto/openssl/Configure ============================================================================== --- releng/11.0/crypto/openssl/Configure Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/Configure Thu Feb 23 07:11:48 2017 (r314125) @@ -7,6 +7,7 @@ eval 'exec perl -S $0 ${1+"$@"}' require 5.000; use strict; +use File::Compare; # see INSTALL for instructions. @@ -57,12 +58,13 @@ my $usage="Usage: Configure [no- # zlib-dynamic Like "zlib", but the zlib library is expected to be a shared # library and will be loaded in run-time by the OpenSSL library. # sctp include SCTP support -# 386 generate 80386 code # enable-weak-ssl-ciphers # Enable EXPORT and LOW SSLv3 ciphers that are disabled by # default. Note, weak SSLv2 ciphers are unconditionally # disabled. -# no-sse2 disables IA-32 SSE2 code, above option implies no-sse2 +# 386 generate 80386 code in assembly modules +# no-sse2 disables IA-32 SSE2 code in assembly modules, the above +# mentioned '386' option implies this one # no- build without specified algorithm (rsa, idea, rc5, ...) # - + compiler options are passed through # @@ -1792,8 +1794,16 @@ while () } close(IN); close(OUT); -rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile; -rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n"; +if ((compare($Makefile, "$Makefile.new")) + or file_newer('Configure', $Makefile) + or file_newer('config', $Makefile) + or file_newer('Makefile.org', $Makefile)) + { + rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile; + rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n"; + } +else + { unlink("$Makefile.new"); } print "CC =$cc\n"; print "CFLAG =$cflags\n"; @@ -1985,9 +1995,13 @@ print OUT "#ifdef __cplusplus\n"; print OUT "}\n"; print OUT "#endif\n"; close(OUT); -rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h"; -rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n"; - +if (compare("crypto/opensslconf.h.new","crypto/opensslconf.h")) + { + rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h"; + rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n"; + } +else + { unlink("crypto/opensslconf.h.new"); } # Fix the date @@ -2289,3 +2303,9 @@ sub test_sanity print STDERR "No sanity errors detected!\n" if $errorcnt == 0; return $errorcnt; } + +sub file_newer + { + my ($file1, $file2) = @_; + return (stat($file1))[9] > (stat($file2))[9] + } Modified: releng/11.0/crypto/openssl/INSTALL ============================================================================== --- releng/11.0/crypto/openssl/INSTALL Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/INSTALL Thu Feb 23 07:11:48 2017 (r314125) @@ -74,24 +74,26 @@ no-asm Do not use assembler code. - 386 Use the 80386 instruction set only (the default x86 code is - more efficient, but requires at least a 486). Note: Use - compiler flags for any other CPU specific configuration, - e.g. "-m32" to build x86 code on an x64 system. - - no-sse2 Exclude SSE2 code pathes. Normally SSE2 extention is - detected at run-time, but the decision whether or not the - machine code will be executed is taken solely on CPU - capability vector. This means that if you happen to run OS - kernel which does not support SSE2 extension on Intel P4 - processor, then your application might be exposed to - "illegal instruction" exception. There might be a way - to enable support in kernel, e.g. FreeBSD kernel can be - compiled with CPU_ENABLE_SSE, and there is a way to - disengage SSE2 code pathes upon application start-up, - but if you aim for wider "audience" running such kernel, - consider no-sse2. Both 386 and no-asm options above imply - no-sse2. + 386 In 32-bit x86 builds, when generating assembly modules, + use the 80386 instruction set only (the default x86 code + is more efficient, but requires at least a 486). Note: + This doesn't affect code generated by compiler, you're + likely to complement configuration command line with + suitable compiler-specific option. + + no-sse2 Exclude SSE2 code paths from 32-bit x86 assembly modules. + Normally SSE2 extension is detected at run-time, but the + decision whether or not the machine code will be executed + is taken solely on CPU capability vector. This means that + if you happen to run OS kernel which does not support SSE2 + extension on Intel P4 processor, then your application + might be exposed to "illegal instruction" exception. + There might be a way to enable support in kernel, e.g. + FreeBSD kernel can be compiled with CPU_ENABLE_SSE, and + there is a way to disengage SSE2 code paths upon application + start-up, but if you aim for wider "audience" running + such kernel, consider no-sse2. Both the 386 and + no-asm options imply no-sse2. no- Build without the specified cipher (bf, cast, des, dh, dsa, hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha). @@ -101,7 +103,12 @@ -Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx These system specific options will be passed through to the compiler to allow you to define preprocessor symbols, specify additional libraries, - library directories or other compiler options. + library directories or other compiler options. It might be + worth noting that some compilers generate code specifically + for processor the compiler currently executes on. This is + not necessarily what you might have in mind, since it might + be unsuitable for execution on other, typically older, + processor. Consult your compiler documentation. -DHAVE_CRYPTODEV Enable the BSD cryptodev engine even if we are not using BSD. Useful if you are running ocf-linux or something @@ -159,18 +166,18 @@ OpenSSL binary ("openssl"). The libraries will be built in the top-level directory, and the binary will be in the "apps" directory. - If "make" fails, look at the output. There may be reasons for - the failure that aren't problems in OpenSSL itself (like missing - standard headers). If it is a problem with OpenSSL itself, please - report the problem to (note that your - message will be recorded in the request tracker publicly readable - at https://www.openssl.org/community/index.html#bugs and will be - forwarded to a public mailing list). Include the output of "make - report" in your message. Please check out the request tracker. Maybe - the bug was already reported or has already been fixed. + If the build fails, look at the output. There may be reasons + for the failure that aren't problems in OpenSSL itself (like + missing standard headers). If you are having problems you can + get help by sending an email to the openssl-users email list (see + https://www.openssl.org/community/mailinglists.html for details). If + it is a bug with OpenSSL itself, please open an issue on GitHub, at + https://github.com/openssl/openssl/issues. Please review the existing + ones first; maybe the bug was already reported or has already been + fixed. - [If you encounter assembler error messages, try the "no-asm" - configuration option as an immediate fix.] + (If you encounter assembler error messages, try the "no-asm" + configuration option as an immediate fix.) Compiling parts of OpenSSL with gcc and others with the system compiler will result in unresolved symbols on some systems. Modified: releng/11.0/crypto/openssl/Makefile ============================================================================== --- releng/11.0/crypto/openssl/Makefile Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/Makefile Thu Feb 23 07:11:48 2017 (r314125) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=1.0.2j +VERSION=1.0.2k MAJOR=1 MINOR=0.2 SHLIB_VERSION_NUMBER=1.0.0 @@ -203,7 +203,8 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \ $${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \ $${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \ - $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} + $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \ + $${APPS+APPS} # LC_ALL=C ensures that error [and other] messages are delivered in # same language for uniform treatment. Modified: releng/11.0/crypto/openssl/Makefile.org ============================================================================== --- releng/11.0/crypto/openssl/Makefile.org Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/Makefile.org Thu Feb 23 07:11:48 2017 (r314125) @@ -201,7 +201,8 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS} \ $${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS} \ $${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \ - $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} + $${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS} \ + $${APPS+APPS} # LC_ALL=C ensures that error [and other] messages are delivered in # same language for uniform treatment. Modified: releng/11.0/crypto/openssl/NEWS ============================================================================== --- releng/11.0/crypto/openssl/NEWS Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/NEWS Thu Feb 23 07:11:48 2017 (r314125) @@ -5,9 +5,15 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017] + + o Truncated packet could crash via OOB read (CVE-2017-3731) + o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) + o Montgomery multiplication may produce incorrect results (CVE-2016-7055) + Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016] - o Fix Use After Free for large message sizes (CVE-2016-6309) + o Missing CRL sanity check (CVE-2016-7052) Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016] Modified: releng/11.0/crypto/openssl/README ============================================================================== --- releng/11.0/crypto/openssl/README Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/README Thu Feb 23 07:11:48 2017 (r314125) @@ -1,5 +1,5 @@ - OpenSSL 1.0.2j 26 Sep 2016 + OpenSSL 1.0.2k 26 Jan 2017 Copyright (c) 1998-2015 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson @@ -66,13 +66,13 @@ If you have any problems with OpenSSL then please take the following steps first: - - Download the current snapshot from ftp://ftp.openssl.org/snapshot/ + - Download the latest version from the repository to see if the problem has already been addressed - - Remove ASM versions of libraries + - Configure with no-asm - Remove compiler optimisation flags - If you wish to report a bug then please include the following information in - any bug report: + If you wish to report a bug then please include the following information + and create an issue on GitHub: - On Unix systems: Self-test report generated by 'make report' @@ -84,27 +84,9 @@ - Problem Description (steps that will reproduce the problem, if known) - Stack Traceback (if the application dumps core) - Email the report to: - - rt@openssl.org - - In order to avoid spam, this is a moderated mailing list, and it might - take a day for the ticket to show up. (We also scan posts to make sure - that security disclosures aren't publically posted by mistake.) Mail - to this address is recorded in the public RT (request tracker) database - (see https://www.openssl.org/community/index.html#bugs for details) and - also forwarded the public openssl-dev mailing list. Confidential mail - may be sent to openssl-security@openssl.org (PGP key available from the - key servers). - - Please do NOT use this for general assistance or support queries. Just because something doesn't work the way you expect does not mean it is necessarily a bug in OpenSSL. - You can also make GitHub pull requests. If you do this, please also send - mail to rt@openssl.org with a link to the PR so that we can more easily - keep track of it. - HOW TO CONTRIBUTE TO OpenSSL ---------------------------- @@ -113,7 +95,7 @@ LEGALITIES ---------- - A number of nations, in particular the U.S., restrict the use or export - of cryptography. If you are potentially subject to such restrictions - you should seek competent professional legal advice before attempting to - develop or distribute cryptographic code. + A number of nations restrict the use or export of cryptography. If you + are potentially subject to such restrictions you should seek competent + professional legal advice before attempting to develop or distribute + cryptographic code. Modified: releng/11.0/crypto/openssl/apps/apps.c ============================================================================== --- releng/11.0/crypto/openssl/apps/apps.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/apps.c Thu Feb 23 07:11:48 2017 (r314125) @@ -972,7 +972,10 @@ EVP_PKEY *load_key(BIO *err, const char if (!e) BIO_printf(err, "no engine specified\n"); else { - pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data); + if (ENGINE_init(e)) { + pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data); + ENGINE_finish(e); + } if (!pkey) { BIO_printf(err, "cannot load %s from engine\n", key_descrip); ERR_print_errors(err); @@ -1532,11 +1535,13 @@ static ENGINE *try_load_engine(BIO *err, } return e; } +#endif ENGINE *setup_engine(BIO *err, const char *engine, int debug) { ENGINE *e = NULL; +#ifndef OPENSSL_NO_ENGINE if (engine) { if (strcmp(engine, "auto") == 0) { BIO_printf(err, "enabling auto ENGINE support\n"); @@ -1561,13 +1566,19 @@ ENGINE *setup_engine(BIO *err, const cha } BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e)); - - /* Free our "structural" reference. */ - ENGINE_free(e); } +#endif return e; } + +void release_engine(ENGINE *e) +{ +#ifndef OPENSSL_NO_ENGINE + if (e != NULL) + /* Free our "structural" reference. */ + ENGINE_free(e); #endif +} int load_config(BIO *err, CONF *cnf) { Modified: releng/11.0/crypto/openssl/apps/apps.h ============================================================================== --- releng/11.0/crypto/openssl/apps/apps.h Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/apps.h Thu Feb 23 07:11:48 2017 (r314125) @@ -259,9 +259,9 @@ STACK_OF(X509_CRL) *load_crls(BIO *err, const char *pass, ENGINE *e, const char *cert_descrip); X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath); -# ifndef OPENSSL_NO_ENGINE + ENGINE *setup_engine(BIO *err, const char *engine, int debug); -# endif +void release_engine(ENGINE *e); # ifndef OPENSSL_NO_OCSP OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req, Modified: releng/11.0/crypto/openssl/apps/ca.c ============================================================================== --- releng/11.0/crypto/openssl/apps/ca.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/ca.c Thu Feb 23 07:11:48 2017 (r314125) @@ -319,9 +319,7 @@ int MAIN(int argc, char **argv) #define BSIZE 256 MS_STATIC char buf[3][BSIZE]; char *randfile = NULL; -#ifndef OPENSSL_NO_ENGINE char *engine = NULL; -#endif char *tofree = NULL; DB_ATTR db_attr; @@ -595,9 +593,7 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, conf)) goto err; -#ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); -#endif /* Lets get the config section we are using */ if (section == NULL) { @@ -1485,6 +1481,7 @@ int MAIN(int argc, char **argv) X509_CRL_free(crl); NCONF_free(conf); NCONF_free(extconf); + release_engine(e); OBJ_cleanup(); apps_shutdown(); OPENSSL_EXIT(ret); @@ -2227,7 +2224,6 @@ static int certify_spkac(X509 **xret, ch sk = CONF_get_section(parms, "default"); if (sk_CONF_VALUE_num(sk) == 0) { BIO_printf(bio_err, "no name/value pairs found in %s\n", infile); - CONF_free(parms); goto err; } Modified: releng/11.0/crypto/openssl/apps/cms.c ============================================================================== --- releng/11.0/crypto/openssl/apps/cms.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/cms.c Thu Feb 23 07:11:48 2017 (r314125) @@ -143,9 +143,7 @@ int MAIN(int argc, char **argv) const EVP_MD *sign_md = NULL; int informat = FORMAT_SMIME, outformat = FORMAT_SMIME; int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM; -# ifndef OPENSSL_NO_ENGINE char *engine = NULL; -# endif unsigned char *secret_key = NULL, *secret_keyid = NULL; unsigned char *pwri_pass = NULL, *pwri_tmp = NULL; size_t secret_keylen = 0, secret_keyidlen = 0; @@ -665,9 +663,7 @@ int MAIN(int argc, char **argv) "cert.pem recipient certificate(s) for encryption\n"); goto end; } -# ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); -# endif if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) { BIO_printf(bio_err, "Error getting password\n"); @@ -1170,6 +1166,7 @@ int MAIN(int argc, char **argv) EVP_PKEY_free(key); CMS_ContentInfo_free(cms); CMS_ContentInfo_free(rcms); + release_engine(e); BIO_free(rctin); BIO_free(in); BIO_free(indata); Modified: releng/11.0/crypto/openssl/apps/dgst.c ============================================================================== --- releng/11.0/crypto/openssl/apps/dgst.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/dgst.c Thu Feb 23 07:11:48 2017 (r314125) @@ -537,6 +537,7 @@ int MAIN(int argc, char **argv) OPENSSL_free(sigbuf); if (bmd != NULL) BIO_free(bmd); + release_engine(e); apps_shutdown(); OPENSSL_EXIT(err); } Modified: releng/11.0/crypto/openssl/apps/dh.c ============================================================================== --- releng/11.0/crypto/openssl/apps/dh.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/dh.c Thu Feb 23 07:11:48 2017 (r314125) @@ -94,9 +94,7 @@ int MAIN(int argc, char **argv) BIO *in = NULL, *out = NULL; int informat, outformat, check = 0, noout = 0, C = 0, ret = 1; char *infile, *outfile, *prog; -# ifndef OPENSSL_NO_ENGINE char *engine; -# endif apps_startup(); @@ -107,9 +105,7 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; -# ifndef OPENSSL_NO_ENGINE engine = NULL; -# endif infile = NULL; outfile = NULL; informat = FORMAT_PEM; @@ -183,9 +179,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); -# ifndef OPENSSL_NO_ENGINE setup_engine(bio_err, engine, 0); -# endif in = BIO_new(BIO_s_file()); out = BIO_new(BIO_s_file()); Modified: releng/11.0/crypto/openssl/apps/dhparam.c ============================================================================== --- releng/11.0/crypto/openssl/apps/dhparam.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/dhparam.c Thu Feb 23 07:11:48 2017 (r314125) @@ -159,9 +159,8 @@ int MAIN(int argc, char **argv) int informat, outformat, check = 0, noout = 0, C = 0, ret = 1; char *infile, *outfile, *prog; char *inrand = NULL; -# ifndef OPENSSL_NO_ENGINE char *engine = NULL; -# endif + ENGINE *e = NULL; int num = 0, g = 0; apps_startup(); @@ -270,9 +269,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); -# ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -# endif + e = setup_engine(bio_err, engine, 0); if (g && !num) num = DEFBITS; @@ -512,6 +509,7 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dh != NULL) DH_free(dh); + release_engine(e); apps_shutdown(); OPENSSL_EXIT(ret); } Modified: releng/11.0/crypto/openssl/apps/dsa.c ============================================================================== --- releng/11.0/crypto/openssl/apps/dsa.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/dsa.c Thu Feb 23 07:11:48 2017 (r314125) @@ -106,9 +106,7 @@ int MAIN(int argc, char **argv) int informat, outformat, text = 0, noout = 0; int pubin = 0, pubout = 0; char *infile, *outfile, *prog; -# ifndef OPENSSL_NO_ENGINE char *engine; -# endif char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; int modulus = 0; @@ -124,9 +122,7 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; -# ifndef OPENSSL_NO_ENGINE engine = NULL; -# endif infile = NULL; outfile = NULL; informat = FORMAT_PEM; @@ -239,9 +235,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); -# ifndef OPENSSL_NO_ENGINE e = setup_engine(bio_err, engine, 0); -# endif if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); @@ -358,6 +352,7 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); + release_engine(e); if (passin) OPENSSL_free(passin); if (passout) Modified: releng/11.0/crypto/openssl/apps/dsaparam.c ============================================================================== --- releng/11.0/crypto/openssl/apps/dsaparam.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/dsaparam.c Thu Feb 23 07:11:48 2017 (r314125) @@ -121,9 +121,8 @@ int MAIN(int argc, char **argv) char *infile, *outfile, *prog, *inrand = NULL; int numbits = -1, num, genkey = 0; int need_rand = 0; -# ifndef OPENSSL_NO_ENGINE char *engine = NULL; -# endif + ENGINE *e = NULL; # ifdef GENCB_TEST int timebomb = 0; # endif @@ -263,9 +262,7 @@ int MAIN(int argc, char **argv) } } -# ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -# endif + e = setup_engine(bio_err, engine, 0); if (need_rand) { app_RAND_load_file(NULL, bio_err, (inrand != NULL)); @@ -433,6 +430,7 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (dsa != NULL) DSA_free(dsa); + release_engine(e); apps_shutdown(); OPENSSL_EXIT(ret); } Modified: releng/11.0/crypto/openssl/apps/ec.c ============================================================================== --- releng/11.0/crypto/openssl/apps/ec.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/ec.c Thu Feb 23 07:11:48 2017 (r314125) @@ -95,6 +95,7 @@ int MAIN(int argc, char **argv) int informat, outformat, text = 0, noout = 0; int pubin = 0, pubout = 0, param_out = 0; char *infile, *outfile, *prog, *engine; + ENGINE *e = NULL; char *passargin = NULL, *passargout = NULL; char *passin = NULL, *passout = NULL; point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED; @@ -235,9 +236,7 @@ int MAIN(int argc, char **argv) ERR_load_crypto_strings(); -# ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -# endif + e = setup_engine(bio_err, engine, 0); if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) { BIO_printf(bio_err, "Error getting passwords\n"); @@ -349,6 +348,7 @@ int MAIN(int argc, char **argv) BIO_free_all(out); if (eckey) EC_KEY_free(eckey); + release_engine(e); if (passin) OPENSSL_free(passin); if (passout) Modified: releng/11.0/crypto/openssl/apps/ecparam.c ============================================================================== --- releng/11.0/crypto/openssl/apps/ecparam.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/ecparam.c Thu Feb 23 07:11:48 2017 (r314125) @@ -131,6 +131,7 @@ int MAIN(int argc, char **argv) BIO *in = NULL, *out = NULL; int informat, outformat, noout = 0, C = 0, ret = 1; char *engine = NULL; + ENGINE *e = NULL; BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL, *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL; @@ -311,9 +312,7 @@ int MAIN(int argc, char **argv) } } -# ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -# endif + e = setup_engine(bio_err, engine, 0); if (list_curves) { EC_builtin_curve *curves = NULL; @@ -620,12 +619,13 @@ int MAIN(int argc, char **argv) BN_free(ec_cofactor); if (buffer) OPENSSL_free(buffer); + if (group != NULL) + EC_GROUP_free(group); + release_engine(e); if (in != NULL) BIO_free(in); if (out != NULL) BIO_free_all(out); - if (group != NULL) - EC_GROUP_free(group); apps_shutdown(); OPENSSL_EXIT(ret); } Modified: releng/11.0/crypto/openssl/apps/enc.c ============================================================================== --- releng/11.0/crypto/openssl/apps/enc.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/enc.c Thu Feb 23 07:11:48 2017 (r314125) @@ -126,9 +126,8 @@ int MAIN(int argc, char **argv) NULL, *wbio = NULL; #define PROG_NAME_SIZE 39 char pname[PROG_NAME_SIZE + 1]; -#ifndef OPENSSL_NO_ENGINE char *engine = NULL; -#endif + ENGINE *e = NULL; const EVP_MD *dgst = NULL; int non_fips_allow = 0; @@ -322,9 +321,7 @@ int MAIN(int argc, char **argv) argv++; } -#ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -#endif + e = setup_engine(bio_err, engine, 0); if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { BIO_printf(bio_err, @@ -674,6 +671,7 @@ int MAIN(int argc, char **argv) if (bzl != NULL) BIO_free(bzl); #endif + release_engine(e); if (pass) OPENSSL_free(pass); apps_shutdown(); Modified: releng/11.0/crypto/openssl/apps/gendh.c ============================================================================== --- releng/11.0/crypto/openssl/apps/gendh.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/gendh.c Thu Feb 23 07:11:48 2017 (r314125) @@ -96,9 +96,7 @@ int MAIN(int argc, char **argv) int g = 2; char *outfile = NULL; char *inrand = NULL; -# ifndef OPENSSL_NO_ENGINE char *engine = NULL; -# endif BIO *out = NULL; apps_startup(); @@ -162,9 +160,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, " the random number generator\n"); goto end; } -# ifndef OPENSSL_NO_ENGINE setup_engine(bio_err, engine, 0); -# endif out = BIO_new(BIO_s_file()); if (out == NULL) { Modified: releng/11.0/crypto/openssl/apps/gendsa.c ============================================================================== --- releng/11.0/crypto/openssl/apps/gendsa.c Thu Feb 23 07:07:21 2017 (r314124) +++ releng/11.0/crypto/openssl/apps/gendsa.c Thu Feb 23 07:11:48 2017 (r314125) @@ -85,9 +85,8 @@ int MAIN(int argc, char **argv) char *passargout = NULL, *passout = NULL; BIO *out = NULL, *in = NULL; const EVP_CIPHER *enc = NULL; -# ifndef OPENSSL_NO_ENGINE char *engine = NULL; -# endif + ENGINE *e = NULL; apps_startup(); @@ -206,9 +205,7 @@ int MAIN(int argc, char **argv) " - a DSA parameter file as generated by the dsaparam command\n"); goto end; } -# ifndef OPENSSL_NO_ENGINE - setup_engine(bio_err, engine, 0); -# endif + e = setup_engine(bio_err, engine, 0); *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-src-releng@freebsd.org Thu Feb 23 07:12:19 2017 Return-Path: Delivered-To: svn-src-releng@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id BD17CCEA715; Thu, 23 Feb 2017 07:12:19 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 70C28685; Thu, 23 Feb 2017 07:12:19 +0000 (UTC) (envelope-from delphij@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v1N7CI6W020567; Thu, 23 Feb 2017 07:12:18 GMT (envelope-from delphij@FreeBSD.org) Received: (from delphij@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v1N7CIvQ020564; Thu, 23 Feb 2017 07:12:18 GMT (envelope-from delphij@FreeBSD.org) Message-Id: <201702230712.v1N7CIvQ020564@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: delphij set sender to delphij@FreeBSD.org using -f From: Xin LI Date: Thu, 23 Feb 2017 07:12:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r314126 - in releng/10.3: . crypto/openssl/crypto/evp sys/conf X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Feb 2017 07:12:19 -0000 Author: delphij Date: Thu Feb 23 07:12:18 2017 New Revision: 314126 URL: https://svnweb.freebsd.org/changeset/base/314126 Log: Fix OpenSSL RC4_MD5 cipher vulnerability. Approved by: so Modified: releng/10.3/UPDATING releng/10.3/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c releng/10.3/sys/conf/newvers.sh Modified: releng/10.3/UPDATING ============================================================================== --- releng/10.3/UPDATING Thu Feb 23 07:11:48 2017 (r314125) +++ releng/10.3/UPDATING Thu Feb 23 07:12:18 2017 (r314126) @@ -16,6 +16,10 @@ from older versions of FreeBSD, try WITH stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20170223 p17 FreeBSD-SA-17:02.openssl + + Fix OpenSSL RC4_MD5 cipher vulnerability. + 20170111 p16 FreeBSD-SA-17:01.openssh Fix multiple vulnerabilities of OpenSSH. Modified: releng/10.3/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c ============================================================================== --- releng/10.3/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c Thu Feb 23 07:11:48 2017 (r314125) +++ releng/10.3/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c Thu Feb 23 07:12:18 2017 (r314126) @@ -267,6 +267,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_ len = p[arg - 2] << 8 | p[arg - 1]; if (!ctx->encrypt) { + if (len < MD5_DIGEST_LENGTH) + return -1; len -= MD5_DIGEST_LENGTH; p[arg - 2] = len >> 8; p[arg - 1] = len; Modified: releng/10.3/sys/conf/newvers.sh ============================================================================== --- releng/10.3/sys/conf/newvers.sh Thu Feb 23 07:11:48 2017 (r314125) +++ releng/10.3/sys/conf/newvers.sh Thu Feb 23 07:12:18 2017 (r314126) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.3" -BRANCH="RELEASE-p16" +BRANCH="RELEASE-p17" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi