From: Xin LI
Date: Wed, 25 Feb 2015 05:56:56 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r279265 - in releng: 8.4 8.4/contrib/bind9/lib/dns 8.4/crypto/openssl 8.4/crypto/openssl/apps 8.4/crypto/openssl/crypto 8.4/crypto/openssl/crypto/asn1 8.4/crypto/openssl/crypto/bio 8.4/...

Author: delphij
Date: Wed Feb 25 05:56:54 2015
New Revision: 279265
URL: https://svnweb.freebsd.org/changeset/base/279265

Log:
  Fix integer overflow in IGMP protocol. [SA-15:04]

  Fix BIND remote denial of service vulnerability. [SA-15:05]

  Fix vt(4) crash with improper ioctl parameters. [EN-15:01]

  Updated base system OpenSSL to 0.9.8zd. [EN-15:02]

  Fix freebsd-update libraries update ordering issue. [EN-15:03]

  Approved by: so

Added:
  releng/8.4/crypto/openssl/crypto/constant_time_locl.h (contents, props changed)
  releng/8.4/crypto/openssl/crypto/constant_time_test.c (contents, props changed)
  releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
  releng/8.4/crypto/openssl/test/constant_time_test.c (contents, props changed)
  releng/8.4/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 (contents, props changed)
  releng/9.3/crypto/openssl/crypto/constant_time_locl.h (contents, props changed)
  releng/9.3/crypto/openssl/crypto/constant_time_test.c (contents, props changed)
  releng/9.3/crypto/openssl/doc/ssl/SSL_CTX_set_tlsext_ticket_key_cb.pod
  releng/9.3/crypto/openssl/test/constant_time_test.c (contents, props changed)
  releng/9.3/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3 (contents, props changed)

Deleted:
  releng/8.4/crypto/openssl/crypto/pkcs7/bio_ber.c
  releng/8.4/crypto/openssl/crypto/pkcs7/dec.c
  releng/8.4/crypto/openssl/crypto/pkcs7/des.pem
  releng/8.4/crypto/openssl/crypto/pkcs7/doc
  releng/8.4/crypto/openssl/crypto/pkcs7/enc.c
  releng/8.4/crypto/openssl/crypto/pkcs7/es1.pem
  releng/8.4/crypto/openssl/crypto/pkcs7/example.c
  releng/8.4/crypto/openssl/crypto/pkcs7/example.h
  releng/8.4/crypto/openssl/crypto/pkcs7/info.pem
  releng/8.4/crypto/openssl/crypto/pkcs7/infokey.pem
  releng/8.4/crypto/openssl/crypto/pkcs7/p7/
  releng/8.4/crypto/openssl/crypto/pkcs7/server.pem
  releng/8.4/crypto/openssl/crypto/pkcs7/sign.c
  releng/8.4/crypto/openssl/crypto/pkcs7/t/
  releng/8.4/crypto/openssl/crypto/pkcs7/verify.c
  releng/8.4/crypto/openssl/demos/eay/
  releng/8.4/crypto/openssl/demos/maurice/
  releng/9.3/crypto/openssl/crypto/pkcs7/bio_ber.c
  releng/9.3/crypto/openssl/crypto/pkcs7/dec.c
  releng/9.3/crypto/openssl/crypto/pkcs7/des.pem
  releng/9.3/crypto/openssl/crypto/pkcs7/doc
  releng/9.3/crypto/openssl/crypto/pkcs7/enc.c
  releng/9.3/crypto/openssl/crypto/pkcs7/es1.pem
  releng/9.3/crypto/openssl/crypto/pkcs7/example.c
  releng/9.3/crypto/openssl/crypto/pkcs7/example.h
  releng/9.3/crypto/openssl/crypto/pkcs7/info.pem
  releng/9.3/crypto/openssl/crypto/pkcs7/infokey.pem
  releng/9.3/crypto/openssl/crypto/pkcs7/p7/
  releng/9.3/crypto/openssl/crypto/pkcs7/server.pem
  releng/9.3/crypto/openssl/crypto/pkcs7/sign.c
  releng/9.3/crypto/openssl/crypto/pkcs7/t/
  releng/9.3/crypto/openssl/crypto/pkcs7/verify.c
  releng/9.3/crypto/openssl/demos/eay/
  releng/9.3/crypto/openssl/demos/maurice/

Modified:
releng/8.4/UPDATING releng/8.4/contrib/bind9/lib/dns/zone.c releng/8.4/crypto/openssl/ACKNOWLEDGMENTS releng/8.4/crypto/openssl/CHANGES releng/8.4/crypto/openssl/Configure releng/8.4/crypto/openssl/FAQ releng/8.4/crypto/openssl/Makefile releng/8.4/crypto/openssl/Makefile.org releng/8.4/crypto/openssl/NEWS releng/8.4/crypto/openssl/README releng/8.4/crypto/openssl/apps/apps.c releng/8.4/crypto/openssl/apps/ca.c releng/8.4/crypto/openssl/apps/crl2p7.c releng/8.4/crypto/openssl/apps/ocsp.c releng/8.4/crypto/openssl/apps/req.c releng/8.4/crypto/openssl/apps/s_server.c releng/8.4/crypto/openssl/apps/smime.c releng/8.4/crypto/openssl/apps/speed.c releng/8.4/crypto/openssl/crypto/LPdir_vms.c releng/8.4/crypto/openssl/crypto/LPdir_win.c releng/8.4/crypto/openssl/crypto/Makefile releng/8.4/crypto/openssl/crypto/asn1/a_int.c releng/8.4/crypto/openssl/crypto/asn1/a_strnid.c releng/8.4/crypto/openssl/crypto/asn1/asn1_lib.c releng/8.4/crypto/openssl/crypto/asn1/asn_mime.c releng/8.4/crypto/openssl/crypto/asn1/asn_pack.c releng/8.4/crypto/openssl/crypto/asn1/evp_asn1.c releng/8.4/crypto/openssl/crypto/asn1/t_pkey.c releng/8.4/crypto/openssl/crypto/asn1/t_x509.c releng/8.4/crypto/openssl/crypto/asn1/tasn_enc.c releng/8.4/crypto/openssl/crypto/bio/bio_lib.c releng/8.4/crypto/openssl/crypto/bn/asm/x86_64-gcc.c releng/8.4/crypto/openssl/crypto/bn/bn_exp.c releng/8.4/crypto/openssl/crypto/bn/bn_gf2m.c releng/8.4/crypto/openssl/crypto/bn/bn_lib.c releng/8.4/crypto/openssl/crypto/bn/bn_mont.c
releng/8.4/crypto/openssl/crypto/bn/bn_sqr.c releng/8.4/crypto/openssl/crypto/bn/exptest.c releng/8.4/crypto/openssl/crypto/cms/cms_cd.c releng/8.4/crypto/openssl/crypto/cms/cms_env.c releng/8.4/crypto/openssl/crypto/cms/cms_lib.c releng/8.4/crypto/openssl/crypto/cms/cms_sd.c releng/8.4/crypto/openssl/crypto/cms/cms_smime.c releng/8.4/crypto/openssl/crypto/conf/conf_api.c releng/8.4/crypto/openssl/crypto/conf/conf_def.c releng/8.4/crypto/openssl/crypto/ec/ec_key.c releng/8.4/crypto/openssl/crypto/ec/ec_lib.c releng/8.4/crypto/openssl/crypto/ec/ecp_smpl.c releng/8.4/crypto/openssl/crypto/ecdsa/Makefile releng/8.4/crypto/openssl/crypto/engine/eng_all.c releng/8.4/crypto/openssl/crypto/engine/engine.h releng/8.4/crypto/openssl/crypto/err/err_all.c releng/8.4/crypto/openssl/crypto/evp/bio_b64.c releng/8.4/crypto/openssl/crypto/evp/encode.c releng/8.4/crypto/openssl/crypto/idea/ideatest.c releng/8.4/crypto/openssl/crypto/md32_common.h releng/8.4/crypto/openssl/crypto/ocsp/ocsp_ht.c releng/8.4/crypto/openssl/crypto/ocsp/ocsp_lib.c releng/8.4/crypto/openssl/crypto/opensslv.h releng/8.4/crypto/openssl/crypto/pkcs12/p12_crt.c releng/8.4/crypto/openssl/crypto/pkcs12/p12_kiss.c releng/8.4/crypto/openssl/crypto/pkcs7/Makefile releng/8.4/crypto/openssl/crypto/rand/md_rand.c releng/8.4/crypto/openssl/crypto/rsa/Makefile releng/8.4/crypto/openssl/crypto/rsa/rsa.h releng/8.4/crypto/openssl/crypto/rsa/rsa_eay.c releng/8.4/crypto/openssl/crypto/rsa/rsa_err.c releng/8.4/crypto/openssl/crypto/rsa/rsa_oaep.c releng/8.4/crypto/openssl/crypto/rsa/rsa_pk1.c releng/8.4/crypto/openssl/crypto/rsa/rsa_sign.c releng/8.4/crypto/openssl/crypto/ui/ui_lib.c releng/8.4/crypto/openssl/crypto/x86cpuid.pl releng/8.4/crypto/openssl/demos/x509/mkreq.c releng/8.4/crypto/openssl/doc/apps/asn1parse.pod releng/8.4/crypto/openssl/doc/apps/ca.pod releng/8.4/crypto/openssl/doc/apps/crl.pod releng/8.4/crypto/openssl/doc/apps/dhparam.pod releng/8.4/crypto/openssl/doc/apps/dsa.pod 
releng/8.4/crypto/openssl/doc/apps/ecparam.pod releng/8.4/crypto/openssl/doc/apps/gendsa.pod releng/8.4/crypto/openssl/doc/apps/genrsa.pod releng/8.4/crypto/openssl/doc/apps/rsa.pod releng/8.4/crypto/openssl/doc/apps/s_client.pod releng/8.4/crypto/openssl/doc/apps/s_server.pod releng/8.4/crypto/openssl/doc/apps/smime.pod releng/8.4/crypto/openssl/doc/apps/verify.pod releng/8.4/crypto/openssl/doc/apps/x509.pod releng/8.4/crypto/openssl/doc/apps/x509v3_config.pod releng/8.4/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod releng/8.4/crypto/openssl/doc/crypto/BIO_f_base64.pod releng/8.4/crypto/openssl/doc/crypto/BIO_push.pod releng/8.4/crypto/openssl/doc/crypto/CONF_modules_free.pod releng/8.4/crypto/openssl/doc/crypto/CONF_modules_load_file.pod releng/8.4/crypto/openssl/doc/crypto/ERR_get_error.pod releng/8.4/crypto/openssl/doc/crypto/OPENSSL_config.pod releng/8.4/crypto/openssl/doc/crypto/RSA_set_method.pod releng/8.4/crypto/openssl/doc/crypto/RSA_sign.pod releng/8.4/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod releng/8.4/crypto/openssl/doc/crypto/des.pod releng/8.4/crypto/openssl/doc/crypto/ecdsa.pod releng/8.4/crypto/openssl/doc/crypto/err.pod releng/8.4/crypto/openssl/doc/crypto/pem.pod releng/8.4/crypto/openssl/doc/crypto/ui.pod releng/8.4/crypto/openssl/doc/fingerprints.txt releng/8.4/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod releng/8.4/crypto/openssl/doc/ssl/SSL_COMP_add_compression_method.pod releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_load_verify_locations.pod releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_client_cert_cb.pod releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod 
releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_session_id_context.pod releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_ssl_version.pod releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod releng/8.4/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod releng/8.4/crypto/openssl/doc/ssl/SSL_accept.pod releng/8.4/crypto/openssl/doc/ssl/SSL_clear.pod releng/8.4/crypto/openssl/doc/ssl/SSL_connect.pod releng/8.4/crypto/openssl/doc/ssl/SSL_do_handshake.pod releng/8.4/crypto/openssl/doc/ssl/SSL_get_version.pod releng/8.4/crypto/openssl/doc/ssl/SSL_read.pod releng/8.4/crypto/openssl/doc/ssl/SSL_session_reused.pod releng/8.4/crypto/openssl/doc/ssl/SSL_set_fd.pod releng/8.4/crypto/openssl/doc/ssl/SSL_set_session.pod releng/8.4/crypto/openssl/doc/ssl/SSL_set_shutdown.pod releng/8.4/crypto/openssl/doc/ssl/SSL_shutdown.pod releng/8.4/crypto/openssl/doc/ssl/SSL_write.pod releng/8.4/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod releng/8.4/crypto/openssl/e_os.h releng/8.4/crypto/openssl/openssl.spec releng/8.4/crypto/openssl/ssl/Makefile releng/8.4/crypto/openssl/ssl/d1_both.c releng/8.4/crypto/openssl/ssl/d1_lib.c releng/8.4/crypto/openssl/ssl/d1_pkt.c releng/8.4/crypto/openssl/ssl/d1_srvr.c releng/8.4/crypto/openssl/ssl/s23_lib.c releng/8.4/crypto/openssl/ssl/s3_cbc.c releng/8.4/crypto/openssl/ssl/s3_clnt.c releng/8.4/crypto/openssl/ssl/s3_lib.c releng/8.4/crypto/openssl/ssl/s3_pkt.c releng/8.4/crypto/openssl/ssl/s3_srvr.c releng/8.4/crypto/openssl/ssl/ssl.h releng/8.4/crypto/openssl/ssl/ssl3.h releng/8.4/crypto/openssl/ssl/ssl_ciph.c releng/8.4/crypto/openssl/ssl/ssl_lib.c releng/8.4/crypto/openssl/ssl/ssl_stat.c releng/8.4/crypto/openssl/ssl/ssltest.c releng/8.4/crypto/openssl/ssl/t1_enc.c releng/8.4/crypto/openssl/ssl/t1_lib.c releng/8.4/crypto/openssl/ssl/tls1.h releng/8.4/crypto/openssl/test/Makefile releng/8.4/crypto/openssl/test/cms-test.pl releng/8.4/crypto/openssl/test/testssl releng/8.4/crypto/openssl/util/libeay.num releng/8.4/crypto/openssl/util/mk1mf.pl 
releng/8.4/crypto/openssl/util/mkerr.pl releng/8.4/crypto/openssl/util/pl/VC-32.pl releng/8.4/secure/lib/libcrypto/Makefile releng/8.4/secure/lib/libcrypto/Makefile.inc releng/8.4/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 releng/8.4/secure/lib/libcrypto/man/ASN1_STRING_length.3 releng/8.4/secure/lib/libcrypto/man/ASN1_STRING_new.3 releng/8.4/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 releng/8.4/secure/lib/libcrypto/man/ASN1_generate_nconf.3 releng/8.4/secure/lib/libcrypto/man/BIO_ctrl.3 releng/8.4/secure/lib/libcrypto/man/BIO_f_base64.3 releng/8.4/secure/lib/libcrypto/man/BIO_f_buffer.3 releng/8.4/secure/lib/libcrypto/man/BIO_f_cipher.3 releng/8.4/secure/lib/libcrypto/man/BIO_f_md.3 releng/8.4/secure/lib/libcrypto/man/BIO_f_null.3 releng/8.4/secure/lib/libcrypto/man/BIO_f_ssl.3 releng/8.4/secure/lib/libcrypto/man/BIO_find_type.3 releng/8.4/secure/lib/libcrypto/man/BIO_new.3 releng/8.4/secure/lib/libcrypto/man/BIO_push.3 releng/8.4/secure/lib/libcrypto/man/BIO_read.3 releng/8.4/secure/lib/libcrypto/man/BIO_s_accept.3 releng/8.4/secure/lib/libcrypto/man/BIO_s_bio.3 releng/8.4/secure/lib/libcrypto/man/BIO_s_connect.3 releng/8.4/secure/lib/libcrypto/man/BIO_s_fd.3 releng/8.4/secure/lib/libcrypto/man/BIO_s_file.3 releng/8.4/secure/lib/libcrypto/man/BIO_s_mem.3 releng/8.4/secure/lib/libcrypto/man/BIO_s_null.3 releng/8.4/secure/lib/libcrypto/man/BIO_s_socket.3 releng/8.4/secure/lib/libcrypto/man/BIO_set_callback.3 releng/8.4/secure/lib/libcrypto/man/BIO_should_retry.3 releng/8.4/secure/lib/libcrypto/man/BN_BLINDING_new.3 releng/8.4/secure/lib/libcrypto/man/BN_CTX_new.3 releng/8.4/secure/lib/libcrypto/man/BN_CTX_start.3 releng/8.4/secure/lib/libcrypto/man/BN_add.3 releng/8.4/secure/lib/libcrypto/man/BN_add_word.3 releng/8.4/secure/lib/libcrypto/man/BN_bn2bin.3 releng/8.4/secure/lib/libcrypto/man/BN_cmp.3 releng/8.4/secure/lib/libcrypto/man/BN_copy.3 releng/8.4/secure/lib/libcrypto/man/BN_generate_prime.3 releng/8.4/secure/lib/libcrypto/man/BN_mod_inverse.3 
releng/8.4/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 releng/8.4/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 releng/8.4/secure/lib/libcrypto/man/BN_new.3 releng/8.4/secure/lib/libcrypto/man/BN_num_bytes.3 releng/8.4/secure/lib/libcrypto/man/BN_rand.3 releng/8.4/secure/lib/libcrypto/man/BN_set_bit.3 releng/8.4/secure/lib/libcrypto/man/BN_swap.3 releng/8.4/secure/lib/libcrypto/man/BN_zero.3 releng/8.4/secure/lib/libcrypto/man/CONF_modules_free.3 releng/8.4/secure/lib/libcrypto/man/CONF_modules_load_file.3 releng/8.4/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 releng/8.4/secure/lib/libcrypto/man/DH_generate_key.3 releng/8.4/secure/lib/libcrypto/man/DH_generate_parameters.3 releng/8.4/secure/lib/libcrypto/man/DH_get_ex_new_index.3 releng/8.4/secure/lib/libcrypto/man/DH_new.3 releng/8.4/secure/lib/libcrypto/man/DH_set_method.3 releng/8.4/secure/lib/libcrypto/man/DH_size.3 releng/8.4/secure/lib/libcrypto/man/DSA_SIG_new.3 releng/8.4/secure/lib/libcrypto/man/DSA_do_sign.3 releng/8.4/secure/lib/libcrypto/man/DSA_dup_DH.3 releng/8.4/secure/lib/libcrypto/man/DSA_generate_key.3 releng/8.4/secure/lib/libcrypto/man/DSA_generate_parameters.3 releng/8.4/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 releng/8.4/secure/lib/libcrypto/man/DSA_new.3 releng/8.4/secure/lib/libcrypto/man/DSA_set_method.3 releng/8.4/secure/lib/libcrypto/man/DSA_sign.3 releng/8.4/secure/lib/libcrypto/man/DSA_size.3 releng/8.4/secure/lib/libcrypto/man/ERR_GET_LIB.3 releng/8.4/secure/lib/libcrypto/man/ERR_clear_error.3 releng/8.4/secure/lib/libcrypto/man/ERR_error_string.3 releng/8.4/secure/lib/libcrypto/man/ERR_get_error.3 releng/8.4/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 releng/8.4/secure/lib/libcrypto/man/ERR_load_strings.3 releng/8.4/secure/lib/libcrypto/man/ERR_print_errors.3 releng/8.4/secure/lib/libcrypto/man/ERR_put_error.3 releng/8.4/secure/lib/libcrypto/man/ERR_remove_state.3 releng/8.4/secure/lib/libcrypto/man/ERR_set_mark.3 
releng/8.4/secure/lib/libcrypto/man/EVP_BytesToKey.3 releng/8.4/secure/lib/libcrypto/man/EVP_DigestInit.3 releng/8.4/secure/lib/libcrypto/man/EVP_EncryptInit.3 releng/8.4/secure/lib/libcrypto/man/EVP_OpenInit.3 releng/8.4/secure/lib/libcrypto/man/EVP_PKEY_new.3 releng/8.4/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 releng/8.4/secure/lib/libcrypto/man/EVP_SealInit.3 releng/8.4/secure/lib/libcrypto/man/EVP_SignInit.3 releng/8.4/secure/lib/libcrypto/man/EVP_VerifyInit.3 releng/8.4/secure/lib/libcrypto/man/OBJ_nid2obj.3 releng/8.4/secure/lib/libcrypto/man/OPENSSL_Applink.3 releng/8.4/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 releng/8.4/secure/lib/libcrypto/man/OPENSSL_config.3 releng/8.4/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 releng/8.4/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 releng/8.4/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 releng/8.4/secure/lib/libcrypto/man/PKCS12_create.3 releng/8.4/secure/lib/libcrypto/man/PKCS12_parse.3 releng/8.4/secure/lib/libcrypto/man/PKCS7_decrypt.3 releng/8.4/secure/lib/libcrypto/man/PKCS7_encrypt.3 releng/8.4/secure/lib/libcrypto/man/PKCS7_sign.3 releng/8.4/secure/lib/libcrypto/man/PKCS7_verify.3 releng/8.4/secure/lib/libcrypto/man/RAND_add.3 releng/8.4/secure/lib/libcrypto/man/RAND_bytes.3 releng/8.4/secure/lib/libcrypto/man/RAND_cleanup.3 releng/8.4/secure/lib/libcrypto/man/RAND_egd.3 releng/8.4/secure/lib/libcrypto/man/RAND_load_file.3 releng/8.4/secure/lib/libcrypto/man/RAND_set_rand_method.3 releng/8.4/secure/lib/libcrypto/man/RSA_blinding_on.3 releng/8.4/secure/lib/libcrypto/man/RSA_check_key.3 releng/8.4/secure/lib/libcrypto/man/RSA_generate_key.3 releng/8.4/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 releng/8.4/secure/lib/libcrypto/man/RSA_new.3 releng/8.4/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 releng/8.4/secure/lib/libcrypto/man/RSA_print.3 releng/8.4/secure/lib/libcrypto/man/RSA_private_encrypt.3 releng/8.4/secure/lib/libcrypto/man/RSA_public_encrypt.3 
releng/8.4/secure/lib/libcrypto/man/RSA_set_method.3 releng/8.4/secure/lib/libcrypto/man/RSA_sign.3 releng/8.4/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 releng/8.4/secure/lib/libcrypto/man/RSA_size.3 releng/8.4/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 releng/8.4/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 releng/8.4/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 releng/8.4/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 releng/8.4/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 releng/8.4/secure/lib/libcrypto/man/X509_NAME_print_ex.3 releng/8.4/secure/lib/libcrypto/man/X509_new.3 releng/8.4/secure/lib/libcrypto/man/bio.3 releng/8.4/secure/lib/libcrypto/man/blowfish.3 releng/8.4/secure/lib/libcrypto/man/bn.3 releng/8.4/secure/lib/libcrypto/man/bn_internal.3 releng/8.4/secure/lib/libcrypto/man/buffer.3 releng/8.4/secure/lib/libcrypto/man/crypto.3 releng/8.4/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 releng/8.4/secure/lib/libcrypto/man/d2i_DHparams.3 releng/8.4/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 releng/8.4/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 releng/8.4/secure/lib/libcrypto/man/d2i_RSAPublicKey.3 releng/8.4/secure/lib/libcrypto/man/d2i_X509.3 releng/8.4/secure/lib/libcrypto/man/d2i_X509_ALGOR.3 releng/8.4/secure/lib/libcrypto/man/d2i_X509_CRL.3 releng/8.4/secure/lib/libcrypto/man/d2i_X509_NAME.3 releng/8.4/secure/lib/libcrypto/man/d2i_X509_REQ.3 releng/8.4/secure/lib/libcrypto/man/d2i_X509_SIG.3 releng/8.4/secure/lib/libcrypto/man/des.3 releng/8.4/secure/lib/libcrypto/man/dh.3 releng/8.4/secure/lib/libcrypto/man/dsa.3 releng/8.4/secure/lib/libcrypto/man/ecdsa.3 releng/8.4/secure/lib/libcrypto/man/engine.3 releng/8.4/secure/lib/libcrypto/man/err.3 releng/8.4/secure/lib/libcrypto/man/evp.3 releng/8.4/secure/lib/libcrypto/man/hmac.3 releng/8.4/secure/lib/libcrypto/man/lh_stats.3 releng/8.4/secure/lib/libcrypto/man/lhash.3 releng/8.4/secure/lib/libcrypto/man/md5.3 releng/8.4/secure/lib/libcrypto/man/mdc2.3 
releng/8.4/secure/lib/libcrypto/man/pem.3 releng/8.4/secure/lib/libcrypto/man/rand.3 releng/8.4/secure/lib/libcrypto/man/rc4.3 releng/8.4/secure/lib/libcrypto/man/ripemd.3 releng/8.4/secure/lib/libcrypto/man/rsa.3 releng/8.4/secure/lib/libcrypto/man/sha.3 releng/8.4/secure/lib/libcrypto/man/threads.3 releng/8.4/secure/lib/libcrypto/man/ui.3 releng/8.4/secure/lib/libcrypto/man/ui_compat.3 releng/8.4/secure/lib/libcrypto/man/x509.3 releng/8.4/secure/lib/libssl/Makefile.man releng/8.4/secure/lib/libssl/man/SSL_CIPHER_get_name.3 releng/8.4/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_add_session.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_ctrl.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_free.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_new.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_sess_number.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_sessions.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_mode.3 
releng/8.4/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_options.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_timeout.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_set_verify.3 releng/8.4/secure/lib/libssl/man/SSL_CTX_use_certificate.3 releng/8.4/secure/lib/libssl/man/SSL_SESSION_free.3 releng/8.4/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 releng/8.4/secure/lib/libssl/man/SSL_SESSION_get_time.3 releng/8.4/secure/lib/libssl/man/SSL_accept.3 releng/8.4/secure/lib/libssl/man/SSL_alert_type_string.3 releng/8.4/secure/lib/libssl/man/SSL_clear.3 releng/8.4/secure/lib/libssl/man/SSL_connect.3 releng/8.4/secure/lib/libssl/man/SSL_do_handshake.3 releng/8.4/secure/lib/libssl/man/SSL_free.3 releng/8.4/secure/lib/libssl/man/SSL_get_SSL_CTX.3 releng/8.4/secure/lib/libssl/man/SSL_get_ciphers.3 releng/8.4/secure/lib/libssl/man/SSL_get_client_CA_list.3 releng/8.4/secure/lib/libssl/man/SSL_get_current_cipher.3 releng/8.4/secure/lib/libssl/man/SSL_get_default_timeout.3 releng/8.4/secure/lib/libssl/man/SSL_get_error.3 releng/8.4/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 releng/8.4/secure/lib/libssl/man/SSL_get_ex_new_index.3 releng/8.4/secure/lib/libssl/man/SSL_get_fd.3 releng/8.4/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 releng/8.4/secure/lib/libssl/man/SSL_get_peer_certificate.3 releng/8.4/secure/lib/libssl/man/SSL_get_rbio.3 releng/8.4/secure/lib/libssl/man/SSL_get_session.3 releng/8.4/secure/lib/libssl/man/SSL_get_verify_result.3 releng/8.4/secure/lib/libssl/man/SSL_get_version.3 
releng/8.4/secure/lib/libssl/man/SSL_library_init.3 releng/8.4/secure/lib/libssl/man/SSL_load_client_CA_file.3 releng/8.4/secure/lib/libssl/man/SSL_new.3 releng/8.4/secure/lib/libssl/man/SSL_pending.3 releng/8.4/secure/lib/libssl/man/SSL_read.3 releng/8.4/secure/lib/libssl/man/SSL_rstate_string.3 releng/8.4/secure/lib/libssl/man/SSL_session_reused.3 releng/8.4/secure/lib/libssl/man/SSL_set_bio.3 releng/8.4/secure/lib/libssl/man/SSL_set_connect_state.3 releng/8.4/secure/lib/libssl/man/SSL_set_fd.3 releng/8.4/secure/lib/libssl/man/SSL_set_session.3 releng/8.4/secure/lib/libssl/man/SSL_set_shutdown.3 releng/8.4/secure/lib/libssl/man/SSL_set_verify_result.3 releng/8.4/secure/lib/libssl/man/SSL_shutdown.3 releng/8.4/secure/lib/libssl/man/SSL_state_string.3 releng/8.4/secure/lib/libssl/man/SSL_want.3 releng/8.4/secure/lib/libssl/man/SSL_write.3 releng/8.4/secure/lib/libssl/man/d2i_SSL_SESSION.3 releng/8.4/secure/lib/libssl/man/ssl.3 releng/8.4/secure/usr.bin/openssl/man/CA.pl.1 releng/8.4/secure/usr.bin/openssl/man/asn1parse.1 releng/8.4/secure/usr.bin/openssl/man/ca.1 releng/8.4/secure/usr.bin/openssl/man/ciphers.1 releng/8.4/secure/usr.bin/openssl/man/crl.1 releng/8.4/secure/usr.bin/openssl/man/crl2pkcs7.1 releng/8.4/secure/usr.bin/openssl/man/dgst.1 releng/8.4/secure/usr.bin/openssl/man/dhparam.1 releng/8.4/secure/usr.bin/openssl/man/dsa.1 releng/8.4/secure/usr.bin/openssl/man/dsaparam.1 releng/8.4/secure/usr.bin/openssl/man/ec.1 releng/8.4/secure/usr.bin/openssl/man/ecparam.1 releng/8.4/secure/usr.bin/openssl/man/enc.1 releng/8.4/secure/usr.bin/openssl/man/errstr.1 releng/8.4/secure/usr.bin/openssl/man/gendsa.1 releng/8.4/secure/usr.bin/openssl/man/genrsa.1 releng/8.4/secure/usr.bin/openssl/man/nseq.1 releng/8.4/secure/usr.bin/openssl/man/ocsp.1 releng/8.4/secure/usr.bin/openssl/man/openssl.1 releng/8.4/secure/usr.bin/openssl/man/passwd.1 releng/8.4/secure/usr.bin/openssl/man/pkcs12.1 releng/8.4/secure/usr.bin/openssl/man/pkcs7.1 
releng/8.4/secure/usr.bin/openssl/man/pkcs8.1 releng/8.4/secure/usr.bin/openssl/man/rand.1 releng/8.4/secure/usr.bin/openssl/man/req.1 releng/8.4/secure/usr.bin/openssl/man/rsa.1 releng/8.4/secure/usr.bin/openssl/man/rsautl.1 releng/8.4/secure/usr.bin/openssl/man/s_client.1 releng/8.4/secure/usr.bin/openssl/man/s_server.1 releng/8.4/secure/usr.bin/openssl/man/s_time.1 releng/8.4/secure/usr.bin/openssl/man/sess_id.1 releng/8.4/secure/usr.bin/openssl/man/smime.1 releng/8.4/secure/usr.bin/openssl/man/speed.1 releng/8.4/secure/usr.bin/openssl/man/spkac.1 releng/8.4/secure/usr.bin/openssl/man/verify.1 releng/8.4/secure/usr.bin/openssl/man/version.1 releng/8.4/secure/usr.bin/openssl/man/x509.1 releng/8.4/secure/usr.bin/openssl/man/x509v3_config.1 releng/8.4/sys/conf/newvers.sh releng/8.4/sys/netinet/igmp.c releng/8.4/usr.sbin/freebsd-update/freebsd-update.sh releng/9.3/UPDATING releng/9.3/contrib/bind9/lib/dns/zone.c releng/9.3/crypto/openssl/CHANGES releng/9.3/crypto/openssl/FAQ releng/9.3/crypto/openssl/Makefile releng/9.3/crypto/openssl/NEWS releng/9.3/crypto/openssl/README releng/9.3/crypto/openssl/apps/apps.c releng/9.3/crypto/openssl/apps/ca.c releng/9.3/crypto/openssl/apps/crl2p7.c releng/9.3/crypto/openssl/apps/ocsp.c releng/9.3/crypto/openssl/apps/s_server.c releng/9.3/crypto/openssl/apps/speed.c releng/9.3/crypto/openssl/crypto/LPdir_vms.c releng/9.3/crypto/openssl/crypto/LPdir_win.c releng/9.3/crypto/openssl/crypto/Makefile releng/9.3/crypto/openssl/crypto/asn1/asn1_lib.c releng/9.3/crypto/openssl/crypto/asn1/asn_mime.c releng/9.3/crypto/openssl/crypto/asn1/asn_pack.c releng/9.3/crypto/openssl/crypto/asn1/evp_asn1.c releng/9.3/crypto/openssl/crypto/asn1/t_x509.c releng/9.3/crypto/openssl/crypto/asn1/tasn_enc.c releng/9.3/crypto/openssl/crypto/bio/bio_lib.c releng/9.3/crypto/openssl/crypto/bn/asm/x86_64-gcc.c releng/9.3/crypto/openssl/crypto/bn/bn_exp.c releng/9.3/crypto/openssl/crypto/bn/bn_gf2m.c releng/9.3/crypto/openssl/crypto/bn/bn_lib.c 
releng/9.3/crypto/openssl/crypto/bn/bn_sqr.c releng/9.3/crypto/openssl/crypto/bn/exptest.c releng/9.3/crypto/openssl/crypto/conf/conf_api.c releng/9.3/crypto/openssl/crypto/conf/conf_def.c releng/9.3/crypto/openssl/crypto/ec/ec_key.c releng/9.3/crypto/openssl/crypto/ec/ec_lib.c releng/9.3/crypto/openssl/crypto/ec/ecp_smpl.c releng/9.3/crypto/openssl/crypto/ecdsa/Makefile releng/9.3/crypto/openssl/crypto/idea/ideatest.c releng/9.3/crypto/openssl/crypto/md32_common.h releng/9.3/crypto/openssl/crypto/ocsp/ocsp_ht.c releng/9.3/crypto/openssl/crypto/ocsp/ocsp_lib.c releng/9.3/crypto/openssl/crypto/opensslv.h releng/9.3/crypto/openssl/crypto/pkcs7/Makefile releng/9.3/crypto/openssl/crypto/rsa/Makefile releng/9.3/crypto/openssl/crypto/rsa/rsa.h releng/9.3/crypto/openssl/crypto/rsa/rsa_eay.c releng/9.3/crypto/openssl/crypto/rsa/rsa_err.c releng/9.3/crypto/openssl/crypto/rsa/rsa_oaep.c releng/9.3/crypto/openssl/crypto/rsa/rsa_pk1.c releng/9.3/crypto/openssl/crypto/rsa/rsa_sign.c releng/9.3/crypto/openssl/crypto/ui/ui_lib.c releng/9.3/crypto/openssl/doc/apps/asn1parse.pod releng/9.3/crypto/openssl/doc/apps/ca.pod releng/9.3/crypto/openssl/doc/apps/crl.pod releng/9.3/crypto/openssl/doc/apps/dhparam.pod releng/9.3/crypto/openssl/doc/apps/dsa.pod releng/9.3/crypto/openssl/doc/apps/ecparam.pod releng/9.3/crypto/openssl/doc/apps/gendsa.pod releng/9.3/crypto/openssl/doc/apps/genrsa.pod releng/9.3/crypto/openssl/doc/apps/rsa.pod releng/9.3/crypto/openssl/doc/apps/s_client.pod releng/9.3/crypto/openssl/doc/apps/s_server.pod releng/9.3/crypto/openssl/doc/apps/verify.pod releng/9.3/crypto/openssl/doc/apps/x509.pod releng/9.3/crypto/openssl/doc/apps/x509v3_config.pod releng/9.3/crypto/openssl/doc/crypto/ASN1_generate_nconf.pod releng/9.3/crypto/openssl/doc/crypto/BIO_f_base64.pod releng/9.3/crypto/openssl/doc/crypto/BIO_push.pod releng/9.3/crypto/openssl/doc/crypto/ERR_get_error.pod releng/9.3/crypto/openssl/doc/crypto/RSA_set_method.pod 
releng/9.3/crypto/openssl/doc/crypto/RSA_sign.pod releng/9.3/crypto/openssl/doc/crypto/des.pod releng/9.3/crypto/openssl/doc/crypto/err.pod releng/9.3/crypto/openssl/doc/crypto/pem.pod releng/9.3/crypto/openssl/doc/crypto/ui.pod releng/9.3/crypto/openssl/doc/fingerprints.txt releng/9.3/crypto/openssl/doc/ssl/SSL_CIPHER_get_name.pod releng/9.3/crypto/openssl/doc/ssl/SSL_CTX_add_extra_chain_cert.pod releng/9.3/crypto/openssl/doc/ssl/SSL_CTX_add_session.pod releng/9.3/crypto/openssl/doc/ssl/SSL_CTX_set_client_CA_list.pod releng/9.3/crypto/openssl/doc/ssl/SSL_CTX_set_client_cert_cb.pod releng/9.3/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod releng/9.3/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod releng/9.3/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod releng/9.3/crypto/openssl/doc/ssl/SSL_CTX_set_verify.pod releng/9.3/crypto/openssl/doc/ssl/SSL_get_version.pod releng/9.3/crypto/openssl/doc/ssl/SSL_shutdown.pod releng/9.3/crypto/openssl/doc/ssl/d2i_SSL_SESSION.pod releng/9.3/crypto/openssl/e_os.h releng/9.3/crypto/openssl/openssl.spec releng/9.3/crypto/openssl/ssl/Makefile releng/9.3/crypto/openssl/ssl/d1_both.c releng/9.3/crypto/openssl/ssl/d1_srvr.c releng/9.3/crypto/openssl/ssl/s23_lib.c releng/9.3/crypto/openssl/ssl/s3_cbc.c releng/9.3/crypto/openssl/ssl/s3_clnt.c releng/9.3/crypto/openssl/ssl/s3_pkt.c releng/9.3/crypto/openssl/ssl/s3_srvr.c releng/9.3/crypto/openssl/ssl/ssl.h releng/9.3/crypto/openssl/ssl/ssl_ciph.c releng/9.3/crypto/openssl/ssl/ssl_lib.c releng/9.3/crypto/openssl/ssl/ssl_stat.c releng/9.3/crypto/openssl/ssl/t1_lib.c releng/9.3/crypto/openssl/test/Makefile releng/9.3/crypto/openssl/util/mk1mf.pl releng/9.3/crypto/openssl/util/mkerr.pl releng/9.3/secure/lib/libcrypto/Makefile releng/9.3/secure/lib/libcrypto/Makefile.inc releng/9.3/secure/lib/libcrypto/man/ASN1_OBJECT_new.3 releng/9.3/secure/lib/libcrypto/man/ASN1_STRING_length.3 releng/9.3/secure/lib/libcrypto/man/ASN1_STRING_new.3 releng/9.3/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3 
releng/9.3/secure/lib/libcrypto/man/ASN1_generate_nconf.3 releng/9.3/secure/lib/libcrypto/man/BIO_ctrl.3 releng/9.3/secure/lib/libcrypto/man/BIO_f_base64.3 releng/9.3/secure/lib/libcrypto/man/BIO_f_buffer.3 releng/9.3/secure/lib/libcrypto/man/BIO_f_cipher.3 releng/9.3/secure/lib/libcrypto/man/BIO_f_md.3 releng/9.3/secure/lib/libcrypto/man/BIO_f_null.3 releng/9.3/secure/lib/libcrypto/man/BIO_f_ssl.3 releng/9.3/secure/lib/libcrypto/man/BIO_find_type.3 releng/9.3/secure/lib/libcrypto/man/BIO_new.3 releng/9.3/secure/lib/libcrypto/man/BIO_push.3 releng/9.3/secure/lib/libcrypto/man/BIO_read.3 releng/9.3/secure/lib/libcrypto/man/BIO_s_accept.3 releng/9.3/secure/lib/libcrypto/man/BIO_s_bio.3 releng/9.3/secure/lib/libcrypto/man/BIO_s_connect.3 releng/9.3/secure/lib/libcrypto/man/BIO_s_fd.3 releng/9.3/secure/lib/libcrypto/man/BIO_s_file.3 releng/9.3/secure/lib/libcrypto/man/BIO_s_mem.3 releng/9.3/secure/lib/libcrypto/man/BIO_s_null.3 releng/9.3/secure/lib/libcrypto/man/BIO_s_socket.3 releng/9.3/secure/lib/libcrypto/man/BIO_set_callback.3 releng/9.3/secure/lib/libcrypto/man/BIO_should_retry.3 releng/9.3/secure/lib/libcrypto/man/BN_BLINDING_new.3 releng/9.3/secure/lib/libcrypto/man/BN_CTX_new.3 releng/9.3/secure/lib/libcrypto/man/BN_CTX_start.3 releng/9.3/secure/lib/libcrypto/man/BN_add.3 releng/9.3/secure/lib/libcrypto/man/BN_add_word.3 releng/9.3/secure/lib/libcrypto/man/BN_bn2bin.3 releng/9.3/secure/lib/libcrypto/man/BN_cmp.3 releng/9.3/secure/lib/libcrypto/man/BN_copy.3 releng/9.3/secure/lib/libcrypto/man/BN_generate_prime.3 releng/9.3/secure/lib/libcrypto/man/BN_mod_inverse.3 releng/9.3/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3 releng/9.3/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3 releng/9.3/secure/lib/libcrypto/man/BN_new.3 releng/9.3/secure/lib/libcrypto/man/BN_num_bytes.3 releng/9.3/secure/lib/libcrypto/man/BN_rand.3 releng/9.3/secure/lib/libcrypto/man/BN_set_bit.3 releng/9.3/secure/lib/libcrypto/man/BN_swap.3 releng/9.3/secure/lib/libcrypto/man/BN_zero.3 
releng/9.3/secure/lib/libcrypto/man/CONF_modules_free.3 releng/9.3/secure/lib/libcrypto/man/CONF_modules_load_file.3 releng/9.3/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3 releng/9.3/secure/lib/libcrypto/man/DH_generate_key.3 releng/9.3/secure/lib/libcrypto/man/DH_generate_parameters.3 releng/9.3/secure/lib/libcrypto/man/DH_get_ex_new_index.3 releng/9.3/secure/lib/libcrypto/man/DH_new.3 releng/9.3/secure/lib/libcrypto/man/DH_set_method.3 releng/9.3/secure/lib/libcrypto/man/DH_size.3 releng/9.3/secure/lib/libcrypto/man/DSA_SIG_new.3 releng/9.3/secure/lib/libcrypto/man/DSA_do_sign.3 releng/9.3/secure/lib/libcrypto/man/DSA_dup_DH.3 releng/9.3/secure/lib/libcrypto/man/DSA_generate_key.3 releng/9.3/secure/lib/libcrypto/man/DSA_generate_parameters.3 releng/9.3/secure/lib/libcrypto/man/DSA_get_ex_new_index.3 releng/9.3/secure/lib/libcrypto/man/DSA_new.3 releng/9.3/secure/lib/libcrypto/man/DSA_set_method.3 releng/9.3/secure/lib/libcrypto/man/DSA_sign.3 releng/9.3/secure/lib/libcrypto/man/DSA_size.3 releng/9.3/secure/lib/libcrypto/man/ERR_GET_LIB.3 releng/9.3/secure/lib/libcrypto/man/ERR_clear_error.3 releng/9.3/secure/lib/libcrypto/man/ERR_error_string.3 releng/9.3/secure/lib/libcrypto/man/ERR_get_error.3 releng/9.3/secure/lib/libcrypto/man/ERR_load_crypto_strings.3 releng/9.3/secure/lib/libcrypto/man/ERR_load_strings.3 releng/9.3/secure/lib/libcrypto/man/ERR_print_errors.3 releng/9.3/secure/lib/libcrypto/man/ERR_put_error.3 releng/9.3/secure/lib/libcrypto/man/ERR_remove_state.3 releng/9.3/secure/lib/libcrypto/man/ERR_set_mark.3 releng/9.3/secure/lib/libcrypto/man/EVP_BytesToKey.3 releng/9.3/secure/lib/libcrypto/man/EVP_DigestInit.3 releng/9.3/secure/lib/libcrypto/man/EVP_EncryptInit.3 releng/9.3/secure/lib/libcrypto/man/EVP_OpenInit.3 releng/9.3/secure/lib/libcrypto/man/EVP_PKEY_new.3 releng/9.3/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3 releng/9.3/secure/lib/libcrypto/man/EVP_SealInit.3 releng/9.3/secure/lib/libcrypto/man/EVP_SignInit.3 
releng/9.3/secure/lib/libcrypto/man/EVP_VerifyInit.3 releng/9.3/secure/lib/libcrypto/man/OBJ_nid2obj.3 releng/9.3/secure/lib/libcrypto/man/OPENSSL_Applink.3 releng/9.3/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3 releng/9.3/secure/lib/libcrypto/man/OPENSSL_config.3 releng/9.3/secure/lib/libcrypto/man/OPENSSL_ia32cap.3 releng/9.3/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3 releng/9.3/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3 releng/9.3/secure/lib/libcrypto/man/PKCS12_create.3 releng/9.3/secure/lib/libcrypto/man/PKCS12_parse.3 releng/9.3/secure/lib/libcrypto/man/PKCS7_decrypt.3 releng/9.3/secure/lib/libcrypto/man/PKCS7_encrypt.3 releng/9.3/secure/lib/libcrypto/man/PKCS7_sign.3 releng/9.3/secure/lib/libcrypto/man/PKCS7_verify.3 releng/9.3/secure/lib/libcrypto/man/RAND_add.3 releng/9.3/secure/lib/libcrypto/man/RAND_bytes.3 releng/9.3/secure/lib/libcrypto/man/RAND_cleanup.3 releng/9.3/secure/lib/libcrypto/man/RAND_egd.3 releng/9.3/secure/lib/libcrypto/man/RAND_load_file.3 releng/9.3/secure/lib/libcrypto/man/RAND_set_rand_method.3 releng/9.3/secure/lib/libcrypto/man/RSA_blinding_on.3 releng/9.3/secure/lib/libcrypto/man/RSA_check_key.3 releng/9.3/secure/lib/libcrypto/man/RSA_generate_key.3 releng/9.3/secure/lib/libcrypto/man/RSA_get_ex_new_index.3 releng/9.3/secure/lib/libcrypto/man/RSA_new.3 releng/9.3/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3 releng/9.3/secure/lib/libcrypto/man/RSA_print.3 releng/9.3/secure/lib/libcrypto/man/RSA_private_encrypt.3 releng/9.3/secure/lib/libcrypto/man/RSA_public_encrypt.3 releng/9.3/secure/lib/libcrypto/man/RSA_set_method.3 releng/9.3/secure/lib/libcrypto/man/RSA_sign.3 releng/9.3/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3 releng/9.3/secure/lib/libcrypto/man/RSA_size.3 releng/9.3/secure/lib/libcrypto/man/SMIME_read_PKCS7.3 releng/9.3/secure/lib/libcrypto/man/SMIME_write_PKCS7.3 releng/9.3/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3 
releng/9.3/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3 releng/9.3/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3 releng/9.3/secure/lib/libcrypto/man/X509_NAME_print_ex.3 releng/9.3/secure/lib/libcrypto/man/X509_new.3 releng/9.3/secure/lib/libcrypto/man/bio.3 releng/9.3/secure/lib/libcrypto/man/blowfish.3 releng/9.3/secure/lib/libcrypto/man/bn.3 releng/9.3/secure/lib/libcrypto/man/bn_internal.3 releng/9.3/secure/lib/libcrypto/man/buffer.3 releng/9.3/secure/lib/libcrypto/man/crypto.3 releng/9.3/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3 releng/9.3/secure/lib/libcrypto/man/d2i_DHparams.3 releng/9.3/secure/lib/libcrypto/man/d2i_DSAPublicKey.3 releng/9.3/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3 releng/9.3/secure/lib/libcrypto/man/d2i_RSAPublicKey.3 releng/9.3/secure/lib/libcrypto/man/d2i_X509.3 releng/9.3/secure/lib/libcrypto/man/d2i_X509_ALGOR.3 releng/9.3/secure/lib/libcrypto/man/d2i_X509_CRL.3 releng/9.3/secure/lib/libcrypto/man/d2i_X509_NAME.3 releng/9.3/secure/lib/libcrypto/man/d2i_X509_REQ.3 releng/9.3/secure/lib/libcrypto/man/d2i_X509_SIG.3 releng/9.3/secure/lib/libcrypto/man/des.3 releng/9.3/secure/lib/libcrypto/man/dh.3 releng/9.3/secure/lib/libcrypto/man/dsa.3 releng/9.3/secure/lib/libcrypto/man/ecdsa.3 releng/9.3/secure/lib/libcrypto/man/engine.3 releng/9.3/secure/lib/libcrypto/man/err.3 releng/9.3/secure/lib/libcrypto/man/evp.3 releng/9.3/secure/lib/libcrypto/man/hmac.3 releng/9.3/secure/lib/libcrypto/man/lh_stats.3 releng/9.3/secure/lib/libcrypto/man/lhash.3 releng/9.3/secure/lib/libcrypto/man/md5.3 releng/9.3/secure/lib/libcrypto/man/mdc2.3 releng/9.3/secure/lib/libcrypto/man/pem.3 releng/9.3/secure/lib/libcrypto/man/rand.3 releng/9.3/secure/lib/libcrypto/man/rc4.3 releng/9.3/secure/lib/libcrypto/man/ripemd.3 releng/9.3/secure/lib/libcrypto/man/rsa.3 releng/9.3/secure/lib/libcrypto/man/sha.3 releng/9.3/secure/lib/libcrypto/man/threads.3 releng/9.3/secure/lib/libcrypto/man/ui.3 releng/9.3/secure/lib/libcrypto/man/ui_compat.3 
releng/9.3/secure/lib/libcrypto/man/x509.3 releng/9.3/secure/lib/libssl/Makefile.man releng/9.3/secure/lib/libssl/man/SSL_CIPHER_get_name.3 releng/9.3/secure/lib/libssl/man/SSL_COMP_add_compression_method.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_add_session.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_ctrl.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_flush_sessions.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_free.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_new.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_sess_number.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_sessions.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_cert_store.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_info_callback.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_mode.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_options.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_timeout.3 
releng/9.3/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_set_verify.3 releng/9.3/secure/lib/libssl/man/SSL_CTX_use_certificate.3 releng/9.3/secure/lib/libssl/man/SSL_SESSION_free.3 releng/9.3/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3 releng/9.3/secure/lib/libssl/man/SSL_SESSION_get_time.3 releng/9.3/secure/lib/libssl/man/SSL_accept.3 releng/9.3/secure/lib/libssl/man/SSL_alert_type_string.3 releng/9.3/secure/lib/libssl/man/SSL_clear.3 releng/9.3/secure/lib/libssl/man/SSL_connect.3 releng/9.3/secure/lib/libssl/man/SSL_do_handshake.3 releng/9.3/secure/lib/libssl/man/SSL_free.3 releng/9.3/secure/lib/libssl/man/SSL_get_SSL_CTX.3 releng/9.3/secure/lib/libssl/man/SSL_get_ciphers.3 releng/9.3/secure/lib/libssl/man/SSL_get_client_CA_list.3 releng/9.3/secure/lib/libssl/man/SSL_get_current_cipher.3 releng/9.3/secure/lib/libssl/man/SSL_get_default_timeout.3 releng/9.3/secure/lib/libssl/man/SSL_get_error.3 releng/9.3/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3 releng/9.3/secure/lib/libssl/man/SSL_get_ex_new_index.3 releng/9.3/secure/lib/libssl/man/SSL_get_fd.3 releng/9.3/secure/lib/libssl/man/SSL_get_peer_cert_chain.3 releng/9.3/secure/lib/libssl/man/SSL_get_peer_certificate.3 releng/9.3/secure/lib/libssl/man/SSL_get_rbio.3 releng/9.3/secure/lib/libssl/man/SSL_get_session.3 releng/9.3/secure/lib/libssl/man/SSL_get_verify_result.3 releng/9.3/secure/lib/libssl/man/SSL_get_version.3 releng/9.3/secure/lib/libssl/man/SSL_library_init.3 releng/9.3/secure/lib/libssl/man/SSL_load_client_CA_file.3 releng/9.3/secure/lib/libssl/man/SSL_new.3 releng/9.3/secure/lib/libssl/man/SSL_pending.3 releng/9.3/secure/lib/libssl/man/SSL_read.3 releng/9.3/secure/lib/libssl/man/SSL_rstate_string.3 releng/9.3/secure/lib/libssl/man/SSL_session_reused.3 releng/9.3/secure/lib/libssl/man/SSL_set_bio.3 releng/9.3/secure/lib/libssl/man/SSL_set_connect_state.3 
releng/9.3/secure/lib/libssl/man/SSL_set_fd.3 releng/9.3/secure/lib/libssl/man/SSL_set_session.3 releng/9.3/secure/lib/libssl/man/SSL_set_shutdown.3 releng/9.3/secure/lib/libssl/man/SSL_set_verify_result.3 releng/9.3/secure/lib/libssl/man/SSL_shutdown.3 releng/9.3/secure/lib/libssl/man/SSL_state_string.3 releng/9.3/secure/lib/libssl/man/SSL_want.3 releng/9.3/secure/lib/libssl/man/SSL_write.3 releng/9.3/secure/lib/libssl/man/d2i_SSL_SESSION.3 releng/9.3/secure/lib/libssl/man/ssl.3 releng/9.3/secure/usr.bin/openssl/man/CA.pl.1 releng/9.3/secure/usr.bin/openssl/man/asn1parse.1 releng/9.3/secure/usr.bin/openssl/man/ca.1 releng/9.3/secure/usr.bin/openssl/man/ciphers.1 releng/9.3/secure/usr.bin/openssl/man/crl.1 releng/9.3/secure/usr.bin/openssl/man/crl2pkcs7.1 releng/9.3/secure/usr.bin/openssl/man/dgst.1 releng/9.3/secure/usr.bin/openssl/man/dhparam.1 releng/9.3/secure/usr.bin/openssl/man/dsa.1 releng/9.3/secure/usr.bin/openssl/man/dsaparam.1 releng/9.3/secure/usr.bin/openssl/man/ec.1 releng/9.3/secure/usr.bin/openssl/man/ecparam.1 releng/9.3/secure/usr.bin/openssl/man/enc.1 releng/9.3/secure/usr.bin/openssl/man/errstr.1 releng/9.3/secure/usr.bin/openssl/man/gendsa.1 releng/9.3/secure/usr.bin/openssl/man/genrsa.1 releng/9.3/secure/usr.bin/openssl/man/nseq.1 releng/9.3/secure/usr.bin/openssl/man/ocsp.1 releng/9.3/secure/usr.bin/openssl/man/openssl.1 releng/9.3/secure/usr.bin/openssl/man/passwd.1 releng/9.3/secure/usr.bin/openssl/man/pkcs12.1 releng/9.3/secure/usr.bin/openssl/man/pkcs7.1 releng/9.3/secure/usr.bin/openssl/man/pkcs8.1 releng/9.3/secure/usr.bin/openssl/man/rand.1 releng/9.3/secure/usr.bin/openssl/man/req.1 releng/9.3/secure/usr.bin/openssl/man/rsa.1 releng/9.3/secure/usr.bin/openssl/man/rsautl.1 releng/9.3/secure/usr.bin/openssl/man/s_client.1 releng/9.3/secure/usr.bin/openssl/man/s_server.1 releng/9.3/secure/usr.bin/openssl/man/s_time.1 releng/9.3/secure/usr.bin/openssl/man/sess_id.1 releng/9.3/secure/usr.bin/openssl/man/smime.1 
releng/9.3/secure/usr.bin/openssl/man/speed.1 releng/9.3/secure/usr.bin/openssl/man/spkac.1 releng/9.3/secure/usr.bin/openssl/man/verify.1 releng/9.3/secure/usr.bin/openssl/man/version.1 releng/9.3/secure/usr.bin/openssl/man/x509.1 releng/9.3/secure/usr.bin/openssl/man/x509v3_config.1 releng/9.3/sys/conf/newvers.sh releng/9.3/sys/dev/vt/vt_core.c releng/9.3/sys/netinet/igmp.c releng/9.3/usr.sbin/freebsd-update/freebsd-update.sh Modified: releng/8.4/UPDATING ============================================================================== --- releng/8.4/UPDATING Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/UPDATING Wed Feb 25 05:56:54 2015 (r279265) @@ -15,6 +15,22 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8. debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20150225: p24 FreeBSD-SA-15:04.igmp + FreeBSD-SA-15:05.bind + FreeBSD-EN-15:01.vt + FreeBSD-EN-15:02.openssl + FreeBSD-EN-15:03.freebsd-update + + Fix integer overflow in IGMP protocol. [SA-15:04] + + Fix BIND remote denial of service vulnerability. [SA-15:05] + + Fix vt(4) crash with improper ioctl parameters. [EN-15:01] + + Updated base system OpenSSL to 0.9.8zd. [EN-15:02] + + Fix freebsd-update libraries update ordering issue. [EN-15:03] + 20150127: p23 FreeBSD-SA-15:02.kmem FreeBSD-SA-15:03.sctp Modified: releng/8.4/contrib/bind9/lib/dns/zone.c ============================================================================== --- releng/8.4/contrib/bind9/lib/dns/zone.c Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/contrib/bind9/lib/dns/zone.c Wed Feb 25 05:56:54 2015 (r279265) @@ -7687,6 +7687,12 @@ keyfetch_done(isc_task_t *task, isc_even namebuf, tag); trustkey = ISC_TRUE; } + } else { + /* + * No previously known key, and the key is not + * secure, so skip it. + */ + continue; } /* Delete old version */ 
@@ -7733,7 +7739,7 @@ keyfetch_done(isc_task_t *task, isc_even trust_key(zone, keyname, &dnskey, mctx); } - if (!deletekey) + if (secure && !deletekey) set_refreshkeytimer(zone, &keydata, now); } Modified: releng/8.4/crypto/openssl/ACKNOWLEDGMENTS ============================================================================== --- releng/8.4/crypto/openssl/ACKNOWLEDGMENTS Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/ACKNOWLEDGMENTS Wed Feb 25 05:56:54 2015 (r279265) @@ -10,13 +10,18 @@ OpenSSL project. We would like to identify and thank the following such sponsors for their past or current significant support of the OpenSSL project: +Major support: + + Qualys http://www.qualys.com/ + Very significant support: - OpenGear: www.opengear.com + OpenGear: http://www.opengear.com/ Significant support: - PSW Group: www.psw.net + PSW Group: http://www.psw.net/ + Acano Ltd. http://acano.com/ Please note that we ask permission to identify sponsors and that some sponsors we consider eligible for inclusion here have requested to remain anonymous. Modified: releng/8.4/crypto/openssl/CHANGES ============================================================================== --- releng/8.4/crypto/openssl/CHANGES Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/CHANGES Wed Feb 25 05:56:54 2015 (r279265) 
@@ -2,6 +2,229 @@ OpenSSL CHANGES _______________ + Changes between 0.9.8zc and 0.9.8zd [8 Jan 2015] + + *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS + message can cause a segmentation fault in OpenSSL due to a NULL pointer + dereference. This could lead to a Denial Of Service attack. Thanks to + Markus Stenberg of Cisco Systems, Inc. for reporting this issue. + (CVE-2014-3571) + [Steve Henson] + + *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is + built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl + method would be set to NULL which could later result in a NULL pointer + dereference. Thanks to Frank Schmirler for reporting this issue. + (CVE-2014-3569) + [Kurt Roeckx] + + *) Abort handshake if server key exchange message is omitted for ephemeral + ECDH ciphersuites. + + Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for + reporting this issue. + (CVE-2014-3572) + [Steve Henson] + + *) Remove non-export ephemeral RSA code on client and server. This code + violated the TLS standard by allowing the use of temporary RSA keys in + non-export ciphersuites and could be used by a server to effectively + downgrade the RSA key length used to a value smaller than the server + certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at + INRIA or reporting this issue. + (CVE-2015-0204) + [Steve Henson] + + *) Fix various certificate fingerprint issues. + + By using non-DER or invalid encodings outside the signed portion of a + certificate the fingerprint can be changed without breaking the signature. + Although no details of the signed portion of the certificate can be changed + this can cause problems with some applications: e.g. those using the + certificate fingerprint for blacklists. + + 1. Reject signatures with non zero unused bits. + + If the BIT STRING containing the signature has non zero unused bits reject + the signature. 
All current signature algorithms require zero unused bits. + + 2. Check certificate algorithm consistency. + + Check the AlgorithmIdentifier inside TBS matches the one in the + certificate signature. NB: this will result in signature failure + errors for some broken certificates. + + Thanks to Konrad Kraszewski from Google for reporting this issue. + + 3. Check DSA/ECDSA signatures use DER. + + Reencode DSA/ECDSA signatures and compare with the original received + signature. Return an error if there is a mismatch. + + This will reject various cases including garbage after signature + (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS + program for discovering this case) and use of BER or invalid ASN.1 INTEGERs + (negative or with leading zeroes). + + Further analysis was conducted and fixes were developed by Stephen Henson + of the OpenSSL core team. + + (CVE-2014-8275) + [Steve Henson] + + *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect + results on some platforms, including x86_64. This bug occurs at random + with a very low probability, and is not known to be exploitable in any + way, though its exact impact is difficult to determine. Thanks to Pieter + Wuille (Blockstream) who reported this issue and also suggested an initial + fix. Further analysis was conducted by the OpenSSL development team and + Adam Langley of Google. The final fix was developed by Andy Polyakov of + the OpenSSL core team. + (CVE-2014-3570) + [Andy Polyakov] + + Changes between 0.9.8zb and 0.9.8zc [15 Oct 2014] + + *) Session Ticket Memory Leak. + + When an OpenSSL SSL/TLS/DTLS server receives a session ticket the + integrity of that ticket is first verified. In the event of a session + ticket integrity check failing, OpenSSL will fail to free memory + causing a memory leak. By sending a large number of invalid session + tickets an attacker could exploit this issue in a Denial Of Service + attack. 
+ (CVE-2014-3567) + [Steve Henson] + + *) Build option no-ssl3 is incomplete. + + When OpenSSL is configured with "no-ssl3" as a build option, servers + could accept and complete a SSL 3.0 handshake, and clients could be + configured to send them. + (CVE-2014-3568) + [Akamai and the OpenSSL team] + + *) Add support for TLS_FALLBACK_SCSV. + Client applications doing fallback retries should call + SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV). + (CVE-2014-3566) + [Adam Langley, Bodo Moeller] + + *) Add additional DigestInfo checks. + + Reencode DigestInto in DER and check against the original when + verifying RSA signature: this will reject any improperly encoded + DigestInfo structures. + + Note: this is a precautionary measure and no attacks are currently known. + + [Steve Henson] + + Changes between 0.9.8za and 0.9.8zb [6 Aug 2014] + + *) OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject + to a denial of service attack. A malicious server can crash the client + with a null pointer dereference (read) by specifying an anonymous (EC)DH + ciphersuite and sending carefully crafted handshake messages. + + Thanks to Felix Gröbert (Google) for discovering and researching this + issue. + (CVE-2014-3510) + [Emilia Käsper] + + *) By sending carefully crafted DTLS packets an attacker could cause openssl + to leak memory. This can be exploited through a Denial of Service attack. + Thanks to Adam Langley for discovering and researching this issue. + (CVE-2014-3507) + [Adam Langley] + + *) An attacker can force openssl to consume large amounts of memory whilst + processing DTLS handshake messages. This can be exploited through a + Denial of Service attack. + Thanks to Adam Langley for discovering and researching this issue. + (CVE-2014-3506) + [Adam Langley] + + *) An attacker can force an error condition which causes openssl to crash + whilst processing DTLS packets due to memory being freed twice. This + can be exploited through a Denial of Service attack. 
+ Thanks to Adam Langley and Wan-Teh Chang for discovering and researching + this issue. + (CVE-2014-3505) + [Adam Langley] + + *) A flaw in OBJ_obj2txt may cause pretty printing functions such as + X509_name_oneline, X509_name_print_ex et al. to leak some information + from the stack. Applications may be affected if they echo pretty printing + output to the attacker. + + Thanks to Ivan Fratric (Google) for discovering this issue. + (CVE-2014-3508) + [Emilia Käsper, and Steve Henson] + + *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) + for corner cases. (Certain input points at infinity could lead to + bogus results, with non-infinity inputs mapped to infinity too.) + [Bodo Moeller] + + Changes between 0.9.8y and 0.9.8za [5 Jun 2014] + + *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted + handshake can force the use of weak keying material in OpenSSL + SSL/TLS clients and servers. + + Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and + researching this issue. (CVE-2014-0224) + [KIKUCHI Masashi, Steve Henson] + + *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an + OpenSSL DTLS client the code can be made to recurse eventually crashing + in a DoS attack. + + Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. + (CVE-2014-0221) + [Imre Rad, Steve Henson] + + *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can + be triggered by sending invalid DTLS fragments to an OpenSSL DTLS + client or server. This is potentially exploitable to run arbitrary + code on a vulnerable client or server. + + Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) + [Jüri Aedla, Steve Henson] + + *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites + are subject to a denial of service attack. + + Thanks to Felix Gröbert and Ivan Fratric at Google for discovering + this issue. 
(CVE-2014-3470) + [Felix Gröbert, Ivan Fratric, Steve Henson] + + *) Fix for the attack described in the paper "Recovering OpenSSL + ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" + by Yuval Yarom and Naomi Benger. Details can be obtained from: + http://eprint.iacr.org/2014/140 + + Thanks to Yuval Yarom and Naomi Benger for discovering this + flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) + [Yuval Yarom and Naomi Benger] + + Thanks to mancha for backporting the fix to the 0.9.8 branch. + + *) Fix handling of warning-level alerts in SSL23 client mode so they + don't cause client-side termination (eg. on SNI unrecognized_name + warnings). Add client and server support for six additional alerts + per RFC 6066 and RFC 4279. + [mancha] + + *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which + avoids preferring ECDHE-ECDSA ciphers when the client appears to be + Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for + several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug + is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing + 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. + [Rob Stradling, Adam Langley] + Changes between 0.9.8x and 0.9.8y [5 Feb 2013] *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. Modified: releng/8.4/crypto/openssl/Configure ============================================================================== --- releng/8.4/crypto/openssl/Configure Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/Configure Wed Feb 25 05:56:54 2015 (r279265) 
@@ -166,7 +166,7 @@ my %table=( "debug-ben-debug-noopt", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -ggdb3 -pipe::(unknown)::::::", "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"debug-bodo", "gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll", "debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", Modified: releng/8.4/crypto/openssl/FAQ 
============================================================================== --- releng/8.4/crypto/openssl/FAQ Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/FAQ Wed Feb 25 05:56:54 2015 (r279265) @@ -87,7 +87,7 @@ OpenSSL 1.0.1d was released on Feb 5th, In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at , or get it by anonymous CVS access. +ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access. * Where is the documentation? @@ -113,11 +113,6 @@ that came with the version of OpenSSL yo documentation is included in each OpenSSL distribution under the docs directory. -For information on parts of libcrypto that are not yet documented, you -might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's -predecessor, at . Much -of this still applies to OpenSSL. - There is some documentation about certificate extensions and PKCS#12 in doc/openssl.txt @@ -768,6 +763,9 @@ openssl-security@openssl.org if you don' acknowledging receipt then resend or mail it directly to one of the more active team members (e.g. Steve). +Note that bugs only present in the openssl utility are not in general +considered to be security issues. + [PROG] ======================================================================== * Is OpenSSL thread-safe? Modified: releng/8.4/crypto/openssl/Makefile ============================================================================== --- releng/8.4/crypto/openssl/Makefile Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/Makefile Wed Feb 25 05:56:54 2015 (r279265) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=0.9.8y +VERSION=0.9.8zd MAJOR=0 MINOR=9.8 SHLIB_VERSION_NUMBER=0.9.8 
@@ -71,7 +71,7 @@ ARD=ar $(ARFLAGS) d RANLIB= /usr/bin/ranlib PERL= /usr/bin/perl TAR= tar -TARFLAGS= --no-recursion +TARFLAGS= --no-recursion --record-size=10240 MAKEDEPPROG=makedepend LIBDIR=lib Modified: releng/8.4/crypto/openssl/Makefile.org ============================================================================== --- releng/8.4/crypto/openssl/Makefile.org Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/Makefile.org Wed Feb 25 05:56:54 2015 (r279265) @@ -69,7 +69,7 @@ ARD=ar $(ARFLAGS) d RANLIB= ranlib PERL= perl TAR= tar -TARFLAGS= --no-recursion +TARFLAGS= --no-recursion --record-size=10240 MAKEDEPPROG=makedepend LIBDIR=lib Modified: releng/8.4/crypto/openssl/NEWS ============================================================================== --- releng/8.4/crypto/openssl/NEWS Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/NEWS Wed Feb 25 05:56:54 2015 (r279265) 
@@ -5,34 +5,76 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y: + Major changes between OpenSSL 0.9.8zc and OpenSSL 0.9.8zd [8 Jan 2015] + + o Fix for CVE-2014-3571 + o Fix for CVE-2014-3569 + o Fix for CVE-2014-3572 + o Fix for CVE-2015-0204 + o Fix for CVE-2014-8275 + o Fix for CVE-2014-3570 + + Major changes between OpenSSL 0.9.8zb and OpenSSL 0.9.8zc [15 Oct 2014]: + + o Fix for CVE-2014-3513 + o Fix for CVE-2014-3567 + o Mitigation for CVE-2014-3566 (SSL protocol vulnerability) + o Fix for CVE-2014-3568 + + Major changes between OpenSSL 0.9.8za and OpenSSL 0.9.8zb [6 Aug 2014]: + + o Fix for CVE-2014-3510 + o Fix for CVE-2014-3507 + o Fix for CVE-2014-3506 + o Fix for CVE-2014-3505 + o Fix for CVE-2014-3508 + + Known issues in OpenSSL 0.9.8za: + + o Compilation failure of s3_pkt.c on some platforms due to missing + include. Fixed in 0.9.8zb-dev. + o FIPS capable link failure with missing symbol BN_consttime_swap. + Fixed in 0.9.8zb-dev. Workaround is to compile with no-ec: the EC + algorithms are not FIPS approved in OpenSSL 0.9.8 anyway. + + Major changes between OpenSSL 0.9.8y and OpenSSL 0.9.8za [5 Jun 2014]: + + o Fix for CVE-2014-0224 + o Fix for CVE-2014-0221 + o Fix for CVE-2014-0195 + o Fix for CVE-2014-3470 + o Fix for CVE-2014-0076 + o Fix for CVE-2010-5298 + o Fix to TLS alert handling. 
+ + Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y [5 Feb 2013]: o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169 o Fix OCSP bad key DoS attack CVE-2013-0166 - Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x: + Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x [10 May 2012]: o Fix DTLS record length checking bug CVE-2012-2333 - Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w: + Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w [23 Apr 2012]: o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110) - Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v: + Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v [19 Apr 2012]: o Fix for ASN1 overflow bug CVE-2012-2110 - Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u: + Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u [12 Mar 2012]: o Fix for CMS/PKCS#7 MMA CVE-2012-0884 o Corrected fix for CVE-2011-4619 o Various DTLS fixes. - Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t: + Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t [18 Jan 2012]: o Fix for DTLS DoS issue CVE-2012-0050 - Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s: + Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s [4 Jan 2012]: o Fix for DTLS plaintext recovery attack CVE-2011-4108 o Fix policy check double free error CVE-2011-4109 
@@ -40,20 +82,20 @@ o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619 o Check for malformed RFC3779 data CVE-2011-4577 - Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r: + Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r [8 Feb 2011]: o Fix for security issue CVE-2011-0014 - Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q: + Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q [2 Dec 2010]: o Fix for security issue CVE-2010-4180 o Fix for CVE-2010-4252 - Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p: + Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p [16 Nov 2010]: o Fix for security issue CVE-2010-3864. - Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o: + Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]: o Fix for security issue CVE-2010-0742. o Various DTLS fixes. @@ -61,12 +103,12 @@ o Fix for no-rc4 compilation. o Chil ENGINE unload workaround. - Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n: + Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]: o CFB cipher definition fixes. o Fix security issues CVE-2010-0740 and CVE-2010-0433. - Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m: + Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]: o Cipher definition fixes. o Workaround for slow RAND_poll() on some WIN32 versions. 
@@ -78,33 +120,33 @@ o Ticket and SNI coexistence fixes. o Many fixes to DTLS handling. - Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l: + Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]: o Temporary work around for CVE-2009-3555: disable renegotiation. - Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k: + Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]: o Fix various build issues. o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789) - Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j: + Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]: o Fix security issue (CVE-2008-5077) o Merge FIPS 140-2 branch code. - Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h: + Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]: o CryptoAPI ENGINE support. o Various precautionary measures. o Fix for bugs affecting certificate request creation. o Support for local machine keyset attribute in PKCS#12 files. - Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g: + Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]: o Backport of CMS functionality to 0.9.8. o Fixes for bugs introduced with 0.9.8f. - Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f: + Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]: o Add gcc 4.2 support. o Add support for AES and SSE2 assembly lanugauge optimization 
@@ -115,23 +157,23 @@ o RFC4507bis support. o TLS Extensions support. - Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e: + Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]: o Various ciphersuite selection fixes. o RFC3779 support. - Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d: + Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]: o Introduce limits to prevent malicious key DoS (CVE-2006-2940) o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343) o Changes to ciphersuite selection algorithm - Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c: + Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]: o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339 o New cipher Camellia - Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b: + Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]: o Cipher string fixes. o Fixes for VC++ 2005. @@ -141,12 +183,12 @@ o Built in dynamic engine compilation support on Win32. o Fixes auto dynamic engine loading in Win32. - Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a: + Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]: o Fix potential SSL 2.0 rollback, CVE-2005-2969 o Extended Windows CE support - Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8: + Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]: o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This 
@@ -220,36 +262,36 @@ o Added initial support for Win64. o Added alternate pkg-config files. - Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m: + Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]: o FIPS 1.1.1 module linking. o Various ciphersuite selection fixes. - Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l: + Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]: o Introduce limits to prevent malicious key DoS (CVE-2006-2940) o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343) - Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k: + Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]: o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339 - Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j: + Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]: o Visual C++ 2005 fixes. o Update Windows build system for FIPS. - Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i: + Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]: o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build. - Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h: + Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]: o Fix SSL 2.0 Rollback, CVE-2005-2969 o Allow use of fixed-length exponent on DSA signing o Default fixed-window RSA, DSA, DH private-key operations - Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g: + Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]: o More compilation issues fixed. o Adaptation to more modern Kerberos API. @@ -258,7 +300,7 @@ o More constification. o Added processing of proxy certificates (RFC 3820). - Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f: + Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]: o Several compilation issues fixed. o Many memory allocation failure checks added. 
@@ -266,12 +308,12 @@ o Mandatory basic checks on certificates. o Performance improvements. - Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e: + Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]: o Fix race condition in CRL checking code. o Fixes to PKCS#7 (S/MIME) code. - Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d: + Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]: o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug o Security: Fix null-pointer assignment in do_change_cipher_spec() @@ -279,14 +321,14 @@ o Multiple X509 verification fixes o Speed up HMAC and other operations - Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c: + Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]: o Security: fix various ASN1 parsing bugs. o New -ignore_err option to OCSP utility. o Various interop and bug fixes in S/MIME code. o SSL/TLS protocol fix for unrequested client certificates. - Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b: + Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]: o Security: counter the Klima-Pokorny-Rosa extension of Bleichbacher's attack @@ -297,7 +339,7 @@ o ASN.1: treat domainComponent correctly. o Documentation: fixes and additions. - Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a: + Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]: o Security: Important security related bugfixes. o Enhanced compatibility with MIT Kerberos. @@ -308,7 +350,7 @@ o SSL/TLS: now handles manual certificate chain building. o SSL/TLS: certain session ID malfunctions corrected. - Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7: + Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]: o New library section OCSP. o Complete rewrite of ASN1 code. 
@@ -354,23 +396,23 @@ o SSL/TLS: add callback to retrieve SSL/TLS messages. o SSL/TLS: support AES cipher suites (RFC3268). - Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k: + Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]: o Security: fix various ASN1 parsing bugs. o SSL/TLS protocol fix for unrequested client certificates. - Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j: + Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]: o Security: counter the Klima-Pokorny-Rosa extension of Bleichbacher's attack o Security: make RSA blinding default. o Build: shared library support fixes. - Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i: + Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]: o Important security related bugfixes. - Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h: + Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]: o New configuration targets for Tandem OSS and A/UX. o New OIDs for Microsoft attributes. 
@@ -384,25 +426,25 @@ o Fixes for smaller building problems. o Updates of manuals, FAQ and other instructive documents. - Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g: + Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]: o Important building fixes on Unix. - Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f: + Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]: o Various important bugfixes. - Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e: + Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]: o Important security related bugfixes. o Various SSL/TLS library bugfixes. - Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d: + Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]: o Various SSL/TLS library bugfixes. o Fix DH parameter generation for 'non-standard' generators. - Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c: + Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]: o Various SSL/TLS library bugfixes. o BIGNUM library fixes. @@ -415,7 +457,7 @@ Broadcom and Cryptographic Appliance's keyserver [in 0.9.6c-engine release]. - Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b: + Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]: o Security fix: PRNG improvements. o Security fix: RSA OAEP check. @@ -432,7 +474,7 @@ o Increase default size for BIO buffering filter. o Compatibility fixes in some scripts. - Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a: + Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]: o Security fix: change behavior of OpenSSL to avoid using environment variables when running as root. 
@@ -457,7 +499,7 @@ o New function BN_rand_range(). o Add "-rand" option to openssl s_client and s_server. - Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6: + Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]: o Some documentation for BIO and SSL libraries. o Enhanced chain verification using key identifiers. @@ -472,7 +514,7 @@ [1] The support for external crypto devices is currently a separate distribution. See the file README.ENGINE. - Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a: + Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]: o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 o Shared library support for HPUX and Solaris-gcc @@ -481,7 +523,7 @@ o New 'rand' application o New way to check for existence of algorithms from scripts - Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5: + Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]: o S/MIME support in new 'smime' command o Documentation for the OpenSSL command line application @@ -517,7 +559,7 @@ o Enhanced support for Alpha Linux o Experimental MacOS support - Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4: + Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]: o Transparent support for PKCS#8 format private keys: these are used by several software packages and are more secure than the standard @@ -528,7 +570,7 @@ o New pipe-like BIO that allows using the SSL library when actual I/O must be handled by the application (BIO pair) - Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3: + Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]: o Lots of enhancements and cleanups to the Configuration mechanism o RSA OEAP related fixes o Added `openssl ca -revoke' option for revoking a certificate 
@@ -542,7 +584,7 @@ o Sparc assembler bignum implementation, optimized hash functions o Option to disable selected ciphers - Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b: + Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]: o Fixed a security hole related to session resumption o Fixed RSA encryption routines for the p < q case o "ALL" in cipher lists now means "everything except NULL ciphers" @@ -564,7 +606,7 @@ o Lots of memory leak fixes. o Lots of bug fixes. - Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c: + Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]: o Integration of the popular NO_RSA/NO_DSA patches o Initial support for compression inside the SSL record layer o Added BIO proxy and filtering functionality Modified: releng/8.4/crypto/openssl/README ============================================================================== --- releng/8.4/crypto/openssl/README Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/README Wed Feb 25 05:56:54 2015 (r279265) @@ -1,5 +1,5 @@ - OpenSSL 0.9.8y 5 Feb 2013 + OpenSSL 0.9.8zd 8 Jan 2015 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson 
@@ -190,7 +190,7 @@ reason as to why that feature isn't implemented. Patches should be as up to date as possible, preferably relative to the - current CVS or the last snapshot. They should follow the coding style of + current Git or the last snapshot. They should follow the coding style of OpenSSL and compile without warnings. Some of the core team developer targets can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL compiles on many varied platforms: try to ensure you only use portable Modified: releng/8.4/crypto/openssl/apps/apps.c ============================================================================== --- releng/8.4/crypto/openssl/apps/apps.c Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/apps/apps.c Wed Feb 25 05:56:54 2015 (r279265) @@ -362,6 +362,8 @@ int chopup_args(ARGS *arg, char *buf, in { arg->count=20; arg->data=(char **)OPENSSL_malloc(sizeof(char *)*arg->count); + if (arg->data == NULL) + return 0; } for (i=0; icount; i++) arg->data[i]=NULL; @@ -558,12 +560,12 @@ int password_callback(char *buf, int buf if (ok >= 0) ok = UI_add_input_string(ui,prompt,ui_flags,buf, - PW_MIN_LENGTH,BUFSIZ-1); + PW_MIN_LENGTH,bufsiz-1); if (ok >= 0 && verify) { buff = (char *)OPENSSL_malloc(bufsiz); ok = UI_add_verify_string(ui,prompt,ui_flags,buff, - PW_MIN_LENGTH,BUFSIZ-1, buf); + PW_MIN_LENGTH,bufsiz-1, buf); } if (ok >= 0) do @@ -1429,6 +1431,8 @@ char *make_config_name() len=strlen(t)+strlen(OPENSSL_CONF)+2; p=OPENSSL_malloc(len); + if (p == NULL) + return NULL; BUF_strlcpy(p,t,len); #ifndef OPENSSL_SYS_VMS BUF_strlcat(p,"/",len); Modified: releng/8.4/crypto/openssl/apps/ca.c ============================================================================== --- releng/8.4/crypto/openssl/apps/ca.c Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/apps/ca.c Wed Feb 25 05:56:54 2015 (r279265) 
@@ -1582,12 +1582,14 @@ static int certify(X509 **xret, char *in { ok=0; BIO_printf(bio_err,"Signature verification problems....\n"); + ERR_print_errors(bio_err); goto err; } if (i == 0) { ok=0; BIO_printf(bio_err,"Signature did not match the certificate request\n"); + ERR_print_errors(bio_err); goto err; } else @@ -2751,6 +2753,9 @@ char *make_revocation_str(int rev_type, revtm = X509_gmtime_adj(NULL, 0); + if (!revtm) + return NULL; + i = revtm->length + 1; if (reason) i += strlen(reason) + 1; Modified: releng/8.4/crypto/openssl/apps/crl2p7.c ============================================================================== --- releng/8.4/crypto/openssl/apps/crl2p7.c Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/apps/crl2p7.c Wed Feb 25 05:56:54 2015 (r279265) @@ -142,7 +142,13 @@ int MAIN(int argc, char **argv) { if (--argc < 1) goto bad; if(!certflst) certflst = sk_new_null(); - sk_push(certflst,*(++argv)); + if (!certflst) + goto end; + if (!sk_push(certflst,*(++argv))) + { + sk_free(certflst); + goto end; + } } else { Modified: releng/8.4/crypto/openssl/apps/ocsp.c ============================================================================== --- releng/8.4/crypto/openssl/apps/ocsp.c Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/apps/ocsp.c Wed Feb 25 05:56:54 2015 (r279265) @@ -98,6 +98,7 @@ int MAIN(int argc, char **argv) ENGINE *e = NULL; char **args; char *host = NULL, *port = NULL, *path = "/"; + char *thost = NULL, *tport = NULL, *tpath = NULL; char *reqin = NULL, *respin = NULL; char *reqout = NULL, *respout = NULL; char *signfile = NULL, *keyfile = NULL; @@ -173,6 +174,12 @@ int MAIN(int argc, char **argv) } else if (!strcmp(*args, "-url")) { + if (thost) + OPENSSL_free(thost); + if (tport) + OPENSSL_free(tport); + if (tpath) + OPENSSL_free(tpath); if (args[1]) { args++; 
@@ -181,6 +188,9 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "Error parsing URL\n"); badarg = 1; } + thost = host; + tport = port; + tpath = path; } else badarg = 1; } @@ -871,12 +881,12 @@ end: sk_X509_pop_free(sign_other, X509_free); sk_X509_pop_free(verify_other, X509_free); - if (use_ssl != -1) - { - OPENSSL_free(host); - OPENSSL_free(port); - OPENSSL_free(path); - } + if (thost) + OPENSSL_free(thost); + if (tport) + OPENSSL_free(tport); + if (tpath) + OPENSSL_free(tpath); OPENSSL_EXIT(ret); } @@ -1334,7 +1344,7 @@ OCSP_RESPONSE *process_responder(BIO *er } resp = query_responder(err, cbio, path, req, req_timeout); if (!resp) - BIO_printf(bio_err, "Error querying OCSP responsder\n"); + BIO_printf(bio_err, "Error querying OCSP responder\n"); end: if (ctx) SSL_CTX_free(ctx); Modified: releng/8.4/crypto/openssl/apps/req.c ============================================================================== --- releng/8.4/crypto/openssl/apps/req.c Wed Feb 25 05:56:16 2015 (r279264) +++ releng/8.4/crypto/openssl/apps/req.c Wed Feb 25 05:56:54 2015 (r279265) @@ -1574,7 +1574,13 @@ start: #ifdef CHARSET_EBCDIC ebcdic2ascii(buf, buf, i); #endif - if(!req_check_len(i, n_min, n_max)) goto start; + if(!req_check_len(i, n_min, n_max)) + { + if (batch || value) + return 0; *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
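Review bot: in apps/apps.c, hunk @@ -362,6 +362,8 @@ (chopup_args), the new early return leaves arg->count at 20 while arg->data is NULL, because `arg->count=20;` is assigned before the allocation is checked. Any later use of the same ARGS that trusts count would walk a NULL array. Reset arg->count to 0 before `return 0;`, or assign count only after OPENSSL_malloc has succeeded.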
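Review bot: in apps/apps.c, hunk @@ -558,12 +560,12 @@ (password_callback), the result of `buff = (char *)OPENSSL_malloc(bufsiz);` is still passed to UI_add_verify_string() without a NULL check. The switch from BUFSIZ-1 to bufsiz-1 makes the length match the caller's buffer, but the other hunks in this file add exactly this kind of allocation check and this one was missed. Suggest testing buff right after the malloc and setting ok to a failure value so that the verify string is never registered with a NULL buffer.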
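Review bot: in apps/crl2p7.c, hunk @@ -142,7 +142,13 @@, the sk_push failure branch calls sk_free(certflst) and then jumps to end with certflst still holding the freed pointer. If the cleanup at end releases certflst when it is non-NULL, this becomes a double free. Set `certflst = NULL;` after the sk_free, or drop the local free and let the common cleanup path own it. Both new `goto end` paths are also silent; a short message on bio_err would tell the operator that the failure was an allocation problem rather than bad input.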
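Review bot: in apps/ocsp.c, hunk @@ -173,6 +174,12 @@, thost, tport and tpath are freed at the top of the -url branch but not reset to NULL. When -url is given again without a value, the `else badarg = 1;` path never reassigns them, and the new cleanup at end (`if (thost) OPENSSL_free(thost);` and the two that follow) frees the same pointers a second time. Assign NULL to each pointer immediately after its OPENSSL_free in the -url branch.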
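Review bot: in apps/ocsp.c, hunk @@ -181,6 +188,9 @@, the three assignments `thost = host; tport = port; tpath = path;` sit after the "Error parsing URL" block, so they also run when parsing has just failed and badarg is set. In that case the tracking pointers take whatever host, port and path hold at that moment, which may not be memory the parser allocated (path starts out as the literal "/"), and end will later pass them to OPENSSL_free. Move the assignments into the success path, or clear the three tracking pointers in the failure block.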