Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 22 Sep 2016 14:57:49 +0000 (UTC)
From:      Jung-uk Kim <jkim@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r306195 - in stable/11: crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/aes/asm crypto/openssl/crypto/asn1 crypto/openssl/crypto/bio crypto/openssl/crypto...
Message-ID:  <201609221457.u8MEvndR052567@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: jkim
Date: Thu Sep 22 14:57:48 2016
New Revision: 306195
URL: https://svnweb.freebsd.org/changeset/base/306195

Log:
  MFC:	r306193
  
  Merge OpenSSL 1.0.2u.

Added:
  stable/11/crypto/openssl/doc/crypto/d2i_PrivateKey.pod
     - copied unchanged from r306193, head/crypto/openssl/doc/crypto/d2i_PrivateKey.pod
  stable/11/crypto/openssl/ssl/bad_dtls_test.c
     - copied unchanged from r306193, head/crypto/openssl/ssl/bad_dtls_test.c
  stable/11/crypto/openssl/ssl/dtlstest.c
     - copied unchanged from r306193, head/crypto/openssl/ssl/dtlstest.c
  stable/11/secure/lib/libcrypto/man/d2i_PrivateKey.3
     - copied unchanged from r306193, head/secure/lib/libcrypto/man/d2i_PrivateKey.3
Modified:
  stable/11/crypto/openssl/CHANGES
  stable/11/crypto/openssl/CONTRIBUTING
  stable/11/crypto/openssl/Configure
  stable/11/crypto/openssl/Makefile
  stable/11/crypto/openssl/Makefile.org
  stable/11/crypto/openssl/Makefile.shared
  stable/11/crypto/openssl/NEWS
  stable/11/crypto/openssl/README
  stable/11/crypto/openssl/apps/CA.pl
  stable/11/crypto/openssl/apps/CA.pl.in
  stable/11/crypto/openssl/apps/apps.c
  stable/11/crypto/openssl/apps/apps.h
  stable/11/crypto/openssl/apps/ca.c
  stable/11/crypto/openssl/apps/dgst.c
  stable/11/crypto/openssl/apps/enc.c
  stable/11/crypto/openssl/apps/passwd.c
  stable/11/crypto/openssl/apps/pkcs12.c
  stable/11/crypto/openssl/apps/req.c
  stable/11/crypto/openssl/apps/s_apps.h
  stable/11/crypto/openssl/apps/s_cb.c
  stable/11/crypto/openssl/apps/s_client.c
  stable/11/crypto/openssl/apps/s_server.c
  stable/11/crypto/openssl/apps/speed.c
  stable/11/crypto/openssl/apps/srp.c
  stable/11/crypto/openssl/apps/verify.c
  stable/11/crypto/openssl/apps/x509.c
  stable/11/crypto/openssl/crypto/LPdir_unix.c
  stable/11/crypto/openssl/crypto/aes/asm/bsaes-armv7.pl
  stable/11/crypto/openssl/crypto/asn1/a_bytes.c
  stable/11/crypto/openssl/crypto/asn1/a_object.c
  stable/11/crypto/openssl/crypto/asn1/a_set.c
  stable/11/crypto/openssl/crypto/asn1/a_strex.c
  stable/11/crypto/openssl/crypto/asn1/a_strnid.c
  stable/11/crypto/openssl/crypto/asn1/ameth_lib.c
  stable/11/crypto/openssl/crypto/asn1/asn1_lib.c
  stable/11/crypto/openssl/crypto/asn1/asn_mime.c
  stable/11/crypto/openssl/crypto/asn1/bio_asn1.c
  stable/11/crypto/openssl/crypto/asn1/bio_ndef.c
  stable/11/crypto/openssl/crypto/asn1/charmap.pl
  stable/11/crypto/openssl/crypto/asn1/d2i_pr.c
  stable/11/crypto/openssl/crypto/asn1/f_enum.c
  stable/11/crypto/openssl/crypto/asn1/f_int.c
  stable/11/crypto/openssl/crypto/asn1/f_string.c
  stable/11/crypto/openssl/crypto/asn1/i2d_pr.c
  stable/11/crypto/openssl/crypto/asn1/p5_pbe.c
  stable/11/crypto/openssl/crypto/asn1/p5_pbev2.c
  stable/11/crypto/openssl/crypto/asn1/t_req.c
  stable/11/crypto/openssl/crypto/asn1/tasn_dec.c
  stable/11/crypto/openssl/crypto/asn1/tasn_enc.c
  stable/11/crypto/openssl/crypto/asn1/tasn_prn.c
  stable/11/crypto/openssl/crypto/asn1/tasn_utl.c
  stable/11/crypto/openssl/crypto/asn1/x_bignum.c
  stable/11/crypto/openssl/crypto/asn1/x_name.c
  stable/11/crypto/openssl/crypto/asn1/x_x509.c
  stable/11/crypto/openssl/crypto/bio/b_print.c
  stable/11/crypto/openssl/crypto/bio/bf_nbio.c
  stable/11/crypto/openssl/crypto/bio/bio.h
  stable/11/crypto/openssl/crypto/bio/bss_bio.c
  stable/11/crypto/openssl/crypto/bio/bss_file.c
  stable/11/crypto/openssl/crypto/bio/bss_rtcp.c
  stable/11/crypto/openssl/crypto/bn/asm/x86-mont.pl
  stable/11/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
  stable/11/crypto/openssl/crypto/bn/asm/x86_64-mont.pl
  stable/11/crypto/openssl/crypto/bn/asm/x86_64-mont5.pl
  stable/11/crypto/openssl/crypto/bn/bn.h
  stable/11/crypto/openssl/crypto/bn/bn_div.c
  stable/11/crypto/openssl/crypto/bn/bn_lib.c
  stable/11/crypto/openssl/crypto/bn/bn_print.c
  stable/11/crypto/openssl/crypto/bn/bn_rand.c
  stable/11/crypto/openssl/crypto/bn/bn_word.c
  stable/11/crypto/openssl/crypto/bn/bntest.c
  stable/11/crypto/openssl/crypto/cms/cms_enc.c
  stable/11/crypto/openssl/crypto/cms/cms_ess.c
  stable/11/crypto/openssl/crypto/cms/cms_lib.c
  stable/11/crypto/openssl/crypto/cms/cms_pwri.c
  stable/11/crypto/openssl/crypto/comp/comp.h
  stable/11/crypto/openssl/crypto/conf/conf_def.h
  stable/11/crypto/openssl/crypto/conf/conf_mod.c
  stable/11/crypto/openssl/crypto/conf/keysets.pl
  stable/11/crypto/openssl/crypto/des/asm/dest4-sparcv9.pl
  stable/11/crypto/openssl/crypto/des/des.c
  stable/11/crypto/openssl/crypto/des/enc_writ.c
  stable/11/crypto/openssl/crypto/dh/dh_ameth.c
  stable/11/crypto/openssl/crypto/dsa/dsa_ameth.c
  stable/11/crypto/openssl/crypto/dsa/dsa_gen.c
  stable/11/crypto/openssl/crypto/dsa/dsa_ossl.c
  stable/11/crypto/openssl/crypto/ec/Makefile
  stable/11/crypto/openssl/crypto/ec/asm/ecp_nistz256-x86_64.pl
  stable/11/crypto/openssl/crypto/ec/ec_ameth.c
  stable/11/crypto/openssl/crypto/ec/ec_key.c
  stable/11/crypto/openssl/crypto/ec/ecp_nistz256.c
  stable/11/crypto/openssl/crypto/engine/eng_cryptodev.c
  stable/11/crypto/openssl/crypto/evp/bio_enc.c
  stable/11/crypto/openssl/crypto/evp/bio_ok.c
  stable/11/crypto/openssl/crypto/evp/c_all.c
  stable/11/crypto/openssl/crypto/evp/digest.c
  stable/11/crypto/openssl/crypto/evp/e_rc4_hmac_md5.c
  stable/11/crypto/openssl/crypto/evp/e_seed.c
  stable/11/crypto/openssl/crypto/evp/evp_enc.c
  stable/11/crypto/openssl/crypto/evp/evp_test.c
  stable/11/crypto/openssl/crypto/evp/openbsd_hw.c
  stable/11/crypto/openssl/crypto/evp/p_lib.c
  stable/11/crypto/openssl/crypto/evp/pmeth_gn.c
  stable/11/crypto/openssl/crypto/evp/pmeth_lib.c
  stable/11/crypto/openssl/crypto/hmac/hmac.c
  stable/11/crypto/openssl/crypto/jpake/jpake.c
  stable/11/crypto/openssl/crypto/lhash/lhash.c
  stable/11/crypto/openssl/crypto/md2/md2_dgst.c
  stable/11/crypto/openssl/crypto/md32_common.h
  stable/11/crypto/openssl/crypto/mdc2/mdc2dgst.c
  stable/11/crypto/openssl/crypto/mem.c
  stable/11/crypto/openssl/crypto/mem_clr.c
  stable/11/crypto/openssl/crypto/modes/asm/ghash-sparcv9.pl
  stable/11/crypto/openssl/crypto/o_init.c
  stable/11/crypto/openssl/crypto/o_time.c
  stable/11/crypto/openssl/crypto/objects/o_names.c
  stable/11/crypto/openssl/crypto/ocsp/ocsp_cl.c
  stable/11/crypto/openssl/crypto/ocsp/ocsp_ext.c
  stable/11/crypto/openssl/crypto/ocsp/ocsp_lib.c
  stable/11/crypto/openssl/crypto/opensslv.h
  stable/11/crypto/openssl/crypto/ossl_typ.h
  stable/11/crypto/openssl/crypto/pem/pem.h
  stable/11/crypto/openssl/crypto/pem/pem_err.c
  stable/11/crypto/openssl/crypto/pem/pem_lib.c
  stable/11/crypto/openssl/crypto/pem/pvkfmt.c
  stable/11/crypto/openssl/crypto/perlasm/sparcv9_modes.pl
  stable/11/crypto/openssl/crypto/pkcs12/p12_mutl.c
  stable/11/crypto/openssl/crypto/pkcs12/p12_npas.c
  stable/11/crypto/openssl/crypto/pkcs12/p12_utl.c
  stable/11/crypto/openssl/crypto/pkcs12/pkcs12.h
  stable/11/crypto/openssl/crypto/pkcs7/pk7_doit.c
  stable/11/crypto/openssl/crypto/rand/md_rand.c
  stable/11/crypto/openssl/crypto/rand/rand_unix.c
  stable/11/crypto/openssl/crypto/rand/randfile.c
  stable/11/crypto/openssl/crypto/rsa/rsa_ameth.c
  stable/11/crypto/openssl/crypto/rsa/rsa_chk.c
  stable/11/crypto/openssl/crypto/rsa/rsa_lib.c
  stable/11/crypto/openssl/crypto/rsa/rsa_pmeth.c
  stable/11/crypto/openssl/crypto/sha/asm/sha1-x86_64.pl
  stable/11/crypto/openssl/crypto/sparccpuid.S
  stable/11/crypto/openssl/crypto/srp/srp_lib.c
  stable/11/crypto/openssl/crypto/srp/srp_vfy.c
  stable/11/crypto/openssl/crypto/ts/ts.h
  stable/11/crypto/openssl/crypto/ts/ts_lib.c
  stable/11/crypto/openssl/crypto/ts/ts_rsp_verify.c
  stable/11/crypto/openssl/crypto/ui/ui_lib.c
  stable/11/crypto/openssl/crypto/whrlpool/wp_dgst.c
  stable/11/crypto/openssl/crypto/x509/by_dir.c
  stable/11/crypto/openssl/crypto/x509/x509.h
  stable/11/crypto/openssl/crypto/x509/x509_att.c
  stable/11/crypto/openssl/crypto/x509/x509_err.c
  stable/11/crypto/openssl/crypto/x509/x509_obj.c
  stable/11/crypto/openssl/crypto/x509/x509_r2x.c
  stable/11/crypto/openssl/crypto/x509/x509_txt.c
  stable/11/crypto/openssl/crypto/x509/x509_vfy.c
  stable/11/crypto/openssl/crypto/x509/x509_vfy.h
  stable/11/crypto/openssl/crypto/x509/x509spki.c
  stable/11/crypto/openssl/crypto/x509v3/v3_addr.c
  stable/11/crypto/openssl/crypto/x509v3/v3_alt.c
  stable/11/crypto/openssl/crypto/x509v3/v3_conf.c
  stable/11/crypto/openssl/doc/apps/cms.pod
  stable/11/crypto/openssl/doc/apps/s_client.pod
  stable/11/crypto/openssl/doc/apps/s_server.pod
  stable/11/crypto/openssl/doc/apps/smime.pod
  stable/11/crypto/openssl/doc/apps/verify.pod
  stable/11/crypto/openssl/doc/apps/x509.pod
  stable/11/crypto/openssl/doc/apps/x509v3_config.pod
  stable/11/crypto/openssl/doc/crypto/BIO_s_bio.pod
  stable/11/crypto/openssl/doc/crypto/BN_bn2bin.pod
  stable/11/crypto/openssl/doc/crypto/BN_rand.pod
  stable/11/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
  stable/11/crypto/openssl/doc/crypto/EVP_PKEY_cmp.pod
  stable/11/crypto/openssl/doc/crypto/OBJ_nid2obj.pod
  stable/11/crypto/openssl/doc/crypto/OPENSSL_config.pod
  stable/11/crypto/openssl/doc/crypto/OPENSSL_ia32cap.pod
  stable/11/crypto/openssl/doc/crypto/X509_verify_cert.pod
  stable/11/crypto/openssl/doc/crypto/d2i_X509.pod
  stable/11/crypto/openssl/doc/crypto/hmac.pod
  stable/11/crypto/openssl/doc/crypto/rand.pod
  stable/11/crypto/openssl/doc/crypto/ui.pod
  stable/11/crypto/openssl/engines/ccgost/gost2001.c
  stable/11/crypto/openssl/engines/ccgost/gost2001_keyx.c
  stable/11/crypto/openssl/engines/ccgost/gost94_keyx.c
  stable/11/crypto/openssl/engines/ccgost/gost_ameth.c
  stable/11/crypto/openssl/engines/ccgost/gost_pmeth.c
  stable/11/crypto/openssl/engines/e_4758cca.c
  stable/11/crypto/openssl/engines/e_aep.c
  stable/11/crypto/openssl/engines/e_capi.c
  stable/11/crypto/openssl/engines/e_chil.c
  stable/11/crypto/openssl/ssl/Makefile
  stable/11/crypto/openssl/ssl/d1_both.c
  stable/11/crypto/openssl/ssl/d1_clnt.c
  stable/11/crypto/openssl/ssl/d1_lib.c
  stable/11/crypto/openssl/ssl/d1_pkt.c
  stable/11/crypto/openssl/ssl/d1_srvr.c
  stable/11/crypto/openssl/ssl/s23_clnt.c
  stable/11/crypto/openssl/ssl/s2_clnt.c
  stable/11/crypto/openssl/ssl/s2_srvr.c
  stable/11/crypto/openssl/ssl/s3_both.c
  stable/11/crypto/openssl/ssl/s3_clnt.c
  stable/11/crypto/openssl/ssl/s3_enc.c
  stable/11/crypto/openssl/ssl/s3_lib.c
  stable/11/crypto/openssl/ssl/s3_pkt.c
  stable/11/crypto/openssl/ssl/s3_srvr.c
  stable/11/crypto/openssl/ssl/ssl.h
  stable/11/crypto/openssl/ssl/ssl_asn1.c
  stable/11/crypto/openssl/ssl/ssl_ciph.c
  stable/11/crypto/openssl/ssl/ssl_err.c
  stable/11/crypto/openssl/ssl/ssl_lib.c
  stable/11/crypto/openssl/ssl/ssl_locl.h
  stable/11/crypto/openssl/ssl/ssl_rsa.c
  stable/11/crypto/openssl/ssl/ssl_sess.c
  stable/11/crypto/openssl/ssl/ssltest.c
  stable/11/crypto/openssl/ssl/sslv2conftest.c
  stable/11/crypto/openssl/ssl/t1_enc.c
  stable/11/crypto/openssl/ssl/t1_lib.c
  stable/11/crypto/openssl/util/mk1mf.pl
  stable/11/crypto/openssl/util/mkerr.pl
  stable/11/crypto/openssl/util/ssleay.num
  stable/11/secure/lib/libcrypto/Makefile.inc
  stable/11/secure/lib/libcrypto/Makefile.man
  stable/11/secure/lib/libcrypto/amd64/ecp_nistz256-x86_64.S
  stable/11/secure/lib/libcrypto/amd64/sha1-x86_64.S
  stable/11/secure/lib/libcrypto/amd64/x86_64-mont.S
  stable/11/secure/lib/libcrypto/amd64/x86_64-mont5.S
  stable/11/secure/lib/libcrypto/arm/bsaes-armv7.S
  stable/11/secure/lib/libcrypto/i386/x86-mont.S
  stable/11/secure/lib/libcrypto/man/ASN1_OBJECT_new.3
  stable/11/secure/lib/libcrypto/man/ASN1_STRING_length.3
  stable/11/secure/lib/libcrypto/man/ASN1_STRING_new.3
  stable/11/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3
  stable/11/secure/lib/libcrypto/man/ASN1_TIME_set.3
  stable/11/secure/lib/libcrypto/man/ASN1_generate_nconf.3
  stable/11/secure/lib/libcrypto/man/BIO_ctrl.3
  stable/11/secure/lib/libcrypto/man/BIO_f_base64.3
  stable/11/secure/lib/libcrypto/man/BIO_f_buffer.3
  stable/11/secure/lib/libcrypto/man/BIO_f_cipher.3
  stable/11/secure/lib/libcrypto/man/BIO_f_md.3
  stable/11/secure/lib/libcrypto/man/BIO_f_null.3
  stable/11/secure/lib/libcrypto/man/BIO_f_ssl.3
  stable/11/secure/lib/libcrypto/man/BIO_find_type.3
  stable/11/secure/lib/libcrypto/man/BIO_new.3
  stable/11/secure/lib/libcrypto/man/BIO_new_CMS.3
  stable/11/secure/lib/libcrypto/man/BIO_push.3
  stable/11/secure/lib/libcrypto/man/BIO_read.3
  stable/11/secure/lib/libcrypto/man/BIO_s_accept.3
  stable/11/secure/lib/libcrypto/man/BIO_s_bio.3
  stable/11/secure/lib/libcrypto/man/BIO_s_connect.3
  stable/11/secure/lib/libcrypto/man/BIO_s_fd.3
  stable/11/secure/lib/libcrypto/man/BIO_s_file.3
  stable/11/secure/lib/libcrypto/man/BIO_s_mem.3
  stable/11/secure/lib/libcrypto/man/BIO_s_null.3
  stable/11/secure/lib/libcrypto/man/BIO_s_socket.3
  stable/11/secure/lib/libcrypto/man/BIO_set_callback.3
  stable/11/secure/lib/libcrypto/man/BIO_should_retry.3
  stable/11/secure/lib/libcrypto/man/BN_BLINDING_new.3
  stable/11/secure/lib/libcrypto/man/BN_CTX_new.3
  stable/11/secure/lib/libcrypto/man/BN_CTX_start.3
  stable/11/secure/lib/libcrypto/man/BN_add.3
  stable/11/secure/lib/libcrypto/man/BN_add_word.3
  stable/11/secure/lib/libcrypto/man/BN_bn2bin.3
  stable/11/secure/lib/libcrypto/man/BN_cmp.3
  stable/11/secure/lib/libcrypto/man/BN_copy.3
  stable/11/secure/lib/libcrypto/man/BN_generate_prime.3
  stable/11/secure/lib/libcrypto/man/BN_mod_inverse.3
  stable/11/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3
  stable/11/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3
  stable/11/secure/lib/libcrypto/man/BN_new.3
  stable/11/secure/lib/libcrypto/man/BN_num_bytes.3
  stable/11/secure/lib/libcrypto/man/BN_rand.3
  stable/11/secure/lib/libcrypto/man/BN_set_bit.3
  stable/11/secure/lib/libcrypto/man/BN_swap.3
  stable/11/secure/lib/libcrypto/man/BN_zero.3
  stable/11/secure/lib/libcrypto/man/CMS_add0_cert.3
  stable/11/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3
  stable/11/secure/lib/libcrypto/man/CMS_add1_signer.3
  stable/11/secure/lib/libcrypto/man/CMS_compress.3
  stable/11/secure/lib/libcrypto/man/CMS_decrypt.3
  stable/11/secure/lib/libcrypto/man/CMS_encrypt.3
  stable/11/secure/lib/libcrypto/man/CMS_final.3
  stable/11/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3
  stable/11/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3
  stable/11/secure/lib/libcrypto/man/CMS_get0_type.3
  stable/11/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
  stable/11/secure/lib/libcrypto/man/CMS_sign.3
  stable/11/secure/lib/libcrypto/man/CMS_sign_receipt.3
  stable/11/secure/lib/libcrypto/man/CMS_uncompress.3
  stable/11/secure/lib/libcrypto/man/CMS_verify.3
  stable/11/secure/lib/libcrypto/man/CMS_verify_receipt.3
  stable/11/secure/lib/libcrypto/man/CONF_modules_free.3
  stable/11/secure/lib/libcrypto/man/CONF_modules_load_file.3
  stable/11/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3
  stable/11/secure/lib/libcrypto/man/DH_generate_key.3
  stable/11/secure/lib/libcrypto/man/DH_generate_parameters.3
  stable/11/secure/lib/libcrypto/man/DH_get_ex_new_index.3
  stable/11/secure/lib/libcrypto/man/DH_new.3
  stable/11/secure/lib/libcrypto/man/DH_set_method.3
  stable/11/secure/lib/libcrypto/man/DH_size.3
  stable/11/secure/lib/libcrypto/man/DSA_SIG_new.3
  stable/11/secure/lib/libcrypto/man/DSA_do_sign.3
  stable/11/secure/lib/libcrypto/man/DSA_dup_DH.3
  stable/11/secure/lib/libcrypto/man/DSA_generate_key.3
  stable/11/secure/lib/libcrypto/man/DSA_generate_parameters.3
  stable/11/secure/lib/libcrypto/man/DSA_get_ex_new_index.3
  stable/11/secure/lib/libcrypto/man/DSA_new.3
  stable/11/secure/lib/libcrypto/man/DSA_set_method.3
  stable/11/secure/lib/libcrypto/man/DSA_sign.3
  stable/11/secure/lib/libcrypto/man/DSA_size.3
  stable/11/secure/lib/libcrypto/man/EC_GFp_simple_method.3
  stable/11/secure/lib/libcrypto/man/EC_GROUP_copy.3
  stable/11/secure/lib/libcrypto/man/EC_GROUP_new.3
  stable/11/secure/lib/libcrypto/man/EC_KEY_new.3
  stable/11/secure/lib/libcrypto/man/EC_POINT_add.3
  stable/11/secure/lib/libcrypto/man/EC_POINT_new.3
  stable/11/secure/lib/libcrypto/man/ERR_GET_LIB.3
  stable/11/secure/lib/libcrypto/man/ERR_clear_error.3
  stable/11/secure/lib/libcrypto/man/ERR_error_string.3
  stable/11/secure/lib/libcrypto/man/ERR_get_error.3
  stable/11/secure/lib/libcrypto/man/ERR_load_crypto_strings.3
  stable/11/secure/lib/libcrypto/man/ERR_load_strings.3
  stable/11/secure/lib/libcrypto/man/ERR_print_errors.3
  stable/11/secure/lib/libcrypto/man/ERR_put_error.3
  stable/11/secure/lib/libcrypto/man/ERR_remove_state.3
  stable/11/secure/lib/libcrypto/man/ERR_set_mark.3
  stable/11/secure/lib/libcrypto/man/EVP_BytesToKey.3
  stable/11/secure/lib/libcrypto/man/EVP_DigestInit.3
  stable/11/secure/lib/libcrypto/man/EVP_DigestSignInit.3
  stable/11/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3
  stable/11/secure/lib/libcrypto/man/EVP_EncodeInit.3
  stable/11/secure/lib/libcrypto/man/EVP_EncryptInit.3
  stable/11/secure/lib/libcrypto/man/EVP_OpenInit.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_cmp.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_derive.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_keygen.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_new.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_print_private.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_sign.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_verify.3
  stable/11/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3
  stable/11/secure/lib/libcrypto/man/EVP_SealInit.3
  stable/11/secure/lib/libcrypto/man/EVP_SignInit.3
  stable/11/secure/lib/libcrypto/man/EVP_VerifyInit.3
  stable/11/secure/lib/libcrypto/man/OBJ_nid2obj.3
  stable/11/secure/lib/libcrypto/man/OPENSSL_Applink.3
  stable/11/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
  stable/11/secure/lib/libcrypto/man/OPENSSL_config.3
  stable/11/secure/lib/libcrypto/man/OPENSSL_ia32cap.3
  stable/11/secure/lib/libcrypto/man/OPENSSL_instrument_bus.3
  stable/11/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
  stable/11/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
  stable/11/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
  stable/11/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
  stable/11/secure/lib/libcrypto/man/PKCS12_create.3
  stable/11/secure/lib/libcrypto/man/PKCS12_parse.3
  stable/11/secure/lib/libcrypto/man/PKCS7_decrypt.3
  stable/11/secure/lib/libcrypto/man/PKCS7_encrypt.3
  stable/11/secure/lib/libcrypto/man/PKCS7_sign.3
  stable/11/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3
  stable/11/secure/lib/libcrypto/man/PKCS7_verify.3
  stable/11/secure/lib/libcrypto/man/RAND_add.3
  stable/11/secure/lib/libcrypto/man/RAND_bytes.3
  stable/11/secure/lib/libcrypto/man/RAND_cleanup.3
  stable/11/secure/lib/libcrypto/man/RAND_egd.3
  stable/11/secure/lib/libcrypto/man/RAND_load_file.3
  stable/11/secure/lib/libcrypto/man/RAND_set_rand_method.3
  stable/11/secure/lib/libcrypto/man/RSA_blinding_on.3
  stable/11/secure/lib/libcrypto/man/RSA_check_key.3
  stable/11/secure/lib/libcrypto/man/RSA_generate_key.3
  stable/11/secure/lib/libcrypto/man/RSA_get_ex_new_index.3
  stable/11/secure/lib/libcrypto/man/RSA_new.3
  stable/11/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
  stable/11/secure/lib/libcrypto/man/RSA_print.3
  stable/11/secure/lib/libcrypto/man/RSA_private_encrypt.3
  stable/11/secure/lib/libcrypto/man/RSA_public_encrypt.3
  stable/11/secure/lib/libcrypto/man/RSA_set_method.3
  stable/11/secure/lib/libcrypto/man/RSA_sign.3
  stable/11/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
  stable/11/secure/lib/libcrypto/man/RSA_size.3
  stable/11/secure/lib/libcrypto/man/SMIME_read_CMS.3
  stable/11/secure/lib/libcrypto/man/SMIME_read_PKCS7.3
  stable/11/secure/lib/libcrypto/man/SMIME_write_CMS.3
  stable/11/secure/lib/libcrypto/man/SMIME_write_PKCS7.3
  stable/11/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
  stable/11/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
  stable/11/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
  stable/11/secure/lib/libcrypto/man/X509_NAME_print_ex.3
  stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3
  stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
  stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_new.3
  stable/11/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
  stable/11/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
  stable/11/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
  stable/11/secure/lib/libcrypto/man/X509_check_host.3
  stable/11/secure/lib/libcrypto/man/X509_new.3
  stable/11/secure/lib/libcrypto/man/X509_verify_cert.3
  stable/11/secure/lib/libcrypto/man/bio.3
  stable/11/secure/lib/libcrypto/man/blowfish.3
  stable/11/secure/lib/libcrypto/man/bn.3
  stable/11/secure/lib/libcrypto/man/bn_internal.3
  stable/11/secure/lib/libcrypto/man/buffer.3
  stable/11/secure/lib/libcrypto/man/crypto.3
  stable/11/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3
  stable/11/secure/lib/libcrypto/man/d2i_CMS_ContentInfo.3
  stable/11/secure/lib/libcrypto/man/d2i_DHparams.3
  stable/11/secure/lib/libcrypto/man/d2i_DSAPublicKey.3
  stable/11/secure/lib/libcrypto/man/d2i_ECPKParameters.3
  stable/11/secure/lib/libcrypto/man/d2i_ECPrivateKey.3
  stable/11/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3
  stable/11/secure/lib/libcrypto/man/d2i_RSAPublicKey.3
  stable/11/secure/lib/libcrypto/man/d2i_X509.3
  stable/11/secure/lib/libcrypto/man/d2i_X509_ALGOR.3
  stable/11/secure/lib/libcrypto/man/d2i_X509_CRL.3
  stable/11/secure/lib/libcrypto/man/d2i_X509_NAME.3
  stable/11/secure/lib/libcrypto/man/d2i_X509_REQ.3
  stable/11/secure/lib/libcrypto/man/d2i_X509_SIG.3
  stable/11/secure/lib/libcrypto/man/des.3
  stable/11/secure/lib/libcrypto/man/dh.3
  stable/11/secure/lib/libcrypto/man/dsa.3
  stable/11/secure/lib/libcrypto/man/ec.3
  stable/11/secure/lib/libcrypto/man/ecdsa.3
  stable/11/secure/lib/libcrypto/man/engine.3
  stable/11/secure/lib/libcrypto/man/err.3
  stable/11/secure/lib/libcrypto/man/evp.3
  stable/11/secure/lib/libcrypto/man/hmac.3
  stable/11/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3
  stable/11/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
  stable/11/secure/lib/libcrypto/man/lh_stats.3
  stable/11/secure/lib/libcrypto/man/lhash.3
  stable/11/secure/lib/libcrypto/man/md5.3
  stable/11/secure/lib/libcrypto/man/mdc2.3
  stable/11/secure/lib/libcrypto/man/pem.3
  stable/11/secure/lib/libcrypto/man/rand.3
  stable/11/secure/lib/libcrypto/man/rc4.3
  stable/11/secure/lib/libcrypto/man/ripemd.3
  stable/11/secure/lib/libcrypto/man/rsa.3
  stable/11/secure/lib/libcrypto/man/sha.3
  stable/11/secure/lib/libcrypto/man/threads.3
  stable/11/secure/lib/libcrypto/man/ui.3
  stable/11/secure/lib/libcrypto/man/ui_compat.3
  stable/11/secure/lib/libcrypto/man/x509.3
  stable/11/secure/lib/libssl/man/SSL_CIPHER_get_name.3
  stable/11/secure/lib/libssl/man/SSL_COMP_add_compression_method.3
  stable/11/secure/lib/libssl/man/SSL_CONF_CTX_new.3
  stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set1_prefix.3
  stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set_flags.3
  stable/11/secure/lib/libssl/man/SSL_CONF_CTX_set_ssl_ctx.3
  stable/11/secure/lib/libssl/man/SSL_CONF_cmd.3
  stable/11/secure/lib/libssl/man/SSL_CONF_cmd_argv.3
  stable/11/secure/lib/libssl/man/SSL_CTX_add1_chain_cert.3
  stable/11/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
  stable/11/secure/lib/libssl/man/SSL_CTX_add_session.3
  stable/11/secure/lib/libssl/man/SSL_CTX_ctrl.3
  stable/11/secure/lib/libssl/man/SSL_CTX_flush_sessions.3
  stable/11/secure/lib/libssl/man/SSL_CTX_free.3
  stable/11/secure/lib/libssl/man/SSL_CTX_get0_param.3
  stable/11/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3
  stable/11/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3
  stable/11/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3
  stable/11/secure/lib/libssl/man/SSL_CTX_new.3
  stable/11/secure/lib/libssl/man/SSL_CTX_sess_number.3
  stable/11/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
  stable/11/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_sessions.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set1_curves.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set1_verify_cert_store.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_alpn_select_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_store.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_custom_cli_ext.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_info_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_mode.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_options.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_read_ahead.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_timeout.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_status_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
  stable/11/secure/lib/libssl/man/SSL_CTX_set_verify.3
  stable/11/secure/lib/libssl/man/SSL_CTX_use_certificate.3
  stable/11/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3
  stable/11/secure/lib/libssl/man/SSL_CTX_use_serverinfo.3
  stable/11/secure/lib/libssl/man/SSL_SESSION_free.3
  stable/11/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
  stable/11/secure/lib/libssl/man/SSL_SESSION_get_time.3
  stable/11/secure/lib/libssl/man/SSL_accept.3
  stable/11/secure/lib/libssl/man/SSL_alert_type_string.3
  stable/11/secure/lib/libssl/man/SSL_check_chain.3
  stable/11/secure/lib/libssl/man/SSL_clear.3
  stable/11/secure/lib/libssl/man/SSL_connect.3
  stable/11/secure/lib/libssl/man/SSL_do_handshake.3
  stable/11/secure/lib/libssl/man/SSL_free.3
  stable/11/secure/lib/libssl/man/SSL_get_SSL_CTX.3
  stable/11/secure/lib/libssl/man/SSL_get_ciphers.3
  stable/11/secure/lib/libssl/man/SSL_get_client_CA_list.3
  stable/11/secure/lib/libssl/man/SSL_get_current_cipher.3
  stable/11/secure/lib/libssl/man/SSL_get_default_timeout.3
  stable/11/secure/lib/libssl/man/SSL_get_error.3
  stable/11/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
  stable/11/secure/lib/libssl/man/SSL_get_ex_new_index.3
  stable/11/secure/lib/libssl/man/SSL_get_fd.3
  stable/11/secure/lib/libssl/man/SSL_get_peer_cert_chain.3
  stable/11/secure/lib/libssl/man/SSL_get_peer_certificate.3
  stable/11/secure/lib/libssl/man/SSL_get_psk_identity.3
  stable/11/secure/lib/libssl/man/SSL_get_rbio.3
  stable/11/secure/lib/libssl/man/SSL_get_session.3
  stable/11/secure/lib/libssl/man/SSL_get_verify_result.3
  stable/11/secure/lib/libssl/man/SSL_get_version.3
  stable/11/secure/lib/libssl/man/SSL_library_init.3
  stable/11/secure/lib/libssl/man/SSL_load_client_CA_file.3
  stable/11/secure/lib/libssl/man/SSL_new.3
  stable/11/secure/lib/libssl/man/SSL_pending.3
  stable/11/secure/lib/libssl/man/SSL_read.3
  stable/11/secure/lib/libssl/man/SSL_rstate_string.3
  stable/11/secure/lib/libssl/man/SSL_session_reused.3
  stable/11/secure/lib/libssl/man/SSL_set_bio.3
  stable/11/secure/lib/libssl/man/SSL_set_connect_state.3
  stable/11/secure/lib/libssl/man/SSL_set_fd.3
  stable/11/secure/lib/libssl/man/SSL_set_session.3
  stable/11/secure/lib/libssl/man/SSL_set_shutdown.3
  stable/11/secure/lib/libssl/man/SSL_set_verify_result.3
  stable/11/secure/lib/libssl/man/SSL_shutdown.3
  stable/11/secure/lib/libssl/man/SSL_state_string.3
  stable/11/secure/lib/libssl/man/SSL_want.3
  stable/11/secure/lib/libssl/man/SSL_write.3
  stable/11/secure/lib/libssl/man/d2i_SSL_SESSION.3
  stable/11/secure/lib/libssl/man/ssl.3
  stable/11/secure/usr.bin/openssl/man/CA.pl.1
  stable/11/secure/usr.bin/openssl/man/asn1parse.1
  stable/11/secure/usr.bin/openssl/man/c_rehash.1
  stable/11/secure/usr.bin/openssl/man/ca.1
  stable/11/secure/usr.bin/openssl/man/ciphers.1
  stable/11/secure/usr.bin/openssl/man/cms.1
  stable/11/secure/usr.bin/openssl/man/crl.1
  stable/11/secure/usr.bin/openssl/man/crl2pkcs7.1
  stable/11/secure/usr.bin/openssl/man/dgst.1
  stable/11/secure/usr.bin/openssl/man/dhparam.1
  stable/11/secure/usr.bin/openssl/man/dsa.1
  stable/11/secure/usr.bin/openssl/man/dsaparam.1
  stable/11/secure/usr.bin/openssl/man/ec.1
  stable/11/secure/usr.bin/openssl/man/ecparam.1
  stable/11/secure/usr.bin/openssl/man/enc.1
  stable/11/secure/usr.bin/openssl/man/errstr.1
  stable/11/secure/usr.bin/openssl/man/gendsa.1
  stable/11/secure/usr.bin/openssl/man/genpkey.1
  stable/11/secure/usr.bin/openssl/man/genrsa.1
  stable/11/secure/usr.bin/openssl/man/nseq.1
  stable/11/secure/usr.bin/openssl/man/ocsp.1
  stable/11/secure/usr.bin/openssl/man/openssl.1
  stable/11/secure/usr.bin/openssl/man/passwd.1
  stable/11/secure/usr.bin/openssl/man/pkcs12.1
  stable/11/secure/usr.bin/openssl/man/pkcs7.1
  stable/11/secure/usr.bin/openssl/man/pkcs8.1
  stable/11/secure/usr.bin/openssl/man/pkey.1
  stable/11/secure/usr.bin/openssl/man/pkeyparam.1
  stable/11/secure/usr.bin/openssl/man/pkeyutl.1
  stable/11/secure/usr.bin/openssl/man/rand.1
  stable/11/secure/usr.bin/openssl/man/req.1
  stable/11/secure/usr.bin/openssl/man/rsa.1
  stable/11/secure/usr.bin/openssl/man/rsautl.1
  stable/11/secure/usr.bin/openssl/man/s_client.1
  stable/11/secure/usr.bin/openssl/man/s_server.1
  stable/11/secure/usr.bin/openssl/man/s_time.1
  stable/11/secure/usr.bin/openssl/man/sess_id.1
  stable/11/secure/usr.bin/openssl/man/smime.1
  stable/11/secure/usr.bin/openssl/man/speed.1
  stable/11/secure/usr.bin/openssl/man/spkac.1
  stable/11/secure/usr.bin/openssl/man/ts.1
  stable/11/secure/usr.bin/openssl/man/tsget.1
  stable/11/secure/usr.bin/openssl/man/verify.1
  stable/11/secure/usr.bin/openssl/man/version.1
  stable/11/secure/usr.bin/openssl/man/x509.1
  stable/11/secure/usr.bin/openssl/man/x509v3_config.1
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/crypto/openssl/CHANGES
==============================================================================
--- stable/11/crypto/openssl/CHANGES	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/CHANGES	Thu Sep 22 14:57:48 2016	(r306195)
@@ -2,6 +2,166 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.2h and 1.0.2i [22 Sep 2016]
+
+  *) OCSP Status Request extension unbounded memory growth
+
+     A malicious client can send an excessively large OCSP Status Request
+     extension. If that client continually requests renegotiation, sending a
+     large OCSP Status Request extension each time, then there will be unbounded
+     memory growth on the server. This will eventually lead to a Denial Of
+     Service attack through memory exhaustion. Servers with a default
+     configuration are vulnerable even if they do not support OCSP. Builds using
+     the "no-ocsp" build time option are not affected.
+
+     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+     (CVE-2016-6304)
+     [Matt Caswell]
+
+  *) In order to mitigate the SWEET32 attack, the DES ciphers were moved from
+     HIGH to MEDIUM.
+
+     This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
+     Leurent (INRIA)
+     (CVE-2016-2183)
+     [Rich Salz]
+
+  *) OOB write in MDC2_Update()
+
+     An overflow can occur in MDC2_Update() either if called directly or
+     through the EVP_DigestUpdate() function using MDC2. If an attacker
+     is able to supply very large amounts of input data after a previous
+     call to EVP_EncryptUpdate() with a partial block then a length check
+     can overflow resulting in a heap corruption.
+
+     The amount of data needed is comparable to SIZE_MAX which is impractical
+     on most platforms.
+
+     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+     (CVE-2016-6303)
+     [Stephen Henson]
+
+  *) Malformed SHA512 ticket DoS
+
+     If a server uses SHA512 for TLS session ticket HMAC it is vulnerable to a
+     DoS attack where a malformed ticket will result in an OOB read which will
+     ultimately crash.
+
+     The use of SHA512 in TLS session tickets is comparatively rare as it requires
+     a custom server callback and ticket lookup mechanism.
+
+     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+     (CVE-2016-6302)
+     [Stephen Henson]
+
+  *) OOB write in BN_bn2dec()
+
+     The function BN_bn2dec() does not check the return value of BN_div_word().
+     This can cause an OOB write if an application uses this function with an
+     overly large BIGNUM. This could be a problem if an overly large certificate
+     or CRL is printed out from an untrusted source. TLS is not affected because
+     record limits will reject an oversized certificate before it is parsed.
+
+     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+     (CVE-2016-2182)
+     [Stephen Henson]
+
+  *) OOB read in TS_OBJ_print_bio()
+
+     The function TS_OBJ_print_bio() misuses OBJ_obj2txt(): the return value is
+     the total length the OID text representation would use and not the amount
+     of data written. This will result in OOB reads when large OIDs are
+     presented.
+
+     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+     (CVE-2016-2180)
+     [Stephen Henson]
+
+  *) Pointer arithmetic undefined behaviour
+
+     Avoid some undefined pointer arithmetic
+
+     A common idiom in the codebase is to check limits in the following manner:
+     "p + len > limit"
+
+     Where "p" points to some malloc'd data of SIZE bytes and
+     limit == p + SIZE
+
+     "len" here could be from some externally supplied data (e.g. from a TLS
+     message).
+
+     The rules of C pointer arithmetic are such that "p + len" is only well
+     defined where len <= SIZE. Therefore the above idiom is actually
+     undefined behaviour.
+
+     For example this could cause problems if some malloc implementation
+     provides an address for "p" such that "p + len" actually overflows for
+     values of len that are too big and therefore p + len < limit.
+
+     This issue was reported to OpenSSL by Guido Vranken
+     (CVE-2016-2177)
+     [Matt Caswell]
+
+  *) Constant time flag not preserved in DSA signing
+
+     Operations in the DSA signing algorithm should run in constant time in
+     order to avoid side channel attacks. A flaw in the OpenSSL DSA
+     implementation means that a non-constant time codepath is followed for
+     certain operations. This has been demonstrated through a cache-timing
+     attack to be sufficient for an attacker to recover the private DSA key.
+
+     This issue was reported by César Pereida (Aalto University), Billy Brumley
+     (Tampere University of Technology), and Yuval Yarom (The University of
+     Adelaide and NICTA).
+     (CVE-2016-2178)
+     [César Pereida]
+
+  *) DTLS buffered message DoS
+
+     In a DTLS connection where handshake messages are delivered out-of-order
+     those messages that OpenSSL is not yet ready to process will be buffered
+     for later use. Under certain circumstances, a flaw in the logic means that
+     those messages do not get removed from the buffer even though the handshake
+     has been completed. An attacker could force up to approx. 15 messages to
+     remain in the buffer when they are no longer required. These messages will
+     be cleared when the DTLS connection is closed. The default maximum size for
+     a message is 100k. Therefore the attacker could force an additional 1500k
+     to be consumed per connection. By opening many simulataneous connections an
+     attacker could cause a DoS attack through memory exhaustion.
+
+     This issue was reported to OpenSSL by Quan Luo.
+     (CVE-2016-2179)
+     [Matt Caswell]
+
+  *) DTLS replay protection DoS
+
+     A flaw in the DTLS replay attack protection mechanism means that records
+     that arrive for future epochs update the replay protection "window" before
+     the MAC for the record has been validated. This could be exploited by an
+     attacker by sending a record for the next epoch (which does not have to
+     decrypt or have a valid MAC), with a very large sequence number. This means
+     that all subsequent legitimate packets are dropped causing a denial of
+     service for a specific DTLS connection.
+
+     This issue was reported to OpenSSL by the OCAP audit team.
+     (CVE-2016-2181)
+     [Matt Caswell]
+
+  *) Certificate message OOB reads
+
+     In OpenSSL 1.0.2 and earlier some missing message length checks can result
+     in OOB reads of up to 2 bytes beyond an allocated buffer. There is a
+     theoretical DoS risk but this has not been observed in practice on common
+     platforms.
+
+     The messages affected are client certificate, client certificate request
+     and server certificate. As a result the attack can only be performed
+     against a client or a server which enables client authentication.
+
+     This issue was reported to OpenSSL by Shi Lei (Gear Team, Qihoo 360 Inc.)
+     (CVE-2016-6306)
+     [Stephen Henson]
+
  Changes between 1.0.2g and 1.0.2h [3 May 2016]
 
   *) Prevent padding oracle in AES-NI CBC MAC check

Modified: stable/11/crypto/openssl/CONTRIBUTING
==============================================================================
--- stable/11/crypto/openssl/CONTRIBUTING	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/CONTRIBUTING	Thu Sep 22 14:57:48 2016	(r306195)
@@ -1,38 +1,75 @@
-HOW TO CONTRIBUTE TO OpenSSL
-----------------------------
+HOW TO CONTRIBUTE TO PATCHES OpenSSL
+------------------------------------
 
-Development is coordinated on the openssl-dev mailing list (see
-http://www.openssl.org for information on subscribing). If you
-would like to submit a patch, send it to rt@openssl.org with
-the string "[PATCH]" in the subject. Please be sure to include a
-textual explanation of what your patch does.
-
-You can also make GitHub pull requests. If you do this, please also send
-mail to rt@openssl.org with a brief description and a link to the PR so
-that we can more easily keep track of it.
+(Please visit https://www.openssl.org/community/getting-started.html for
+other ideas about how to contribute.)
 
+Development is coordinated on the openssl-dev mailing list (see the
+above link or https://mta.openssl.org for information on subscribing).
 If you are unsure as to whether a feature will be useful for the general
-OpenSSL community please discuss it on the openssl-dev mailing list first.
-Someone may be already working on the same thing or there may be a good
-reason as to why that feature isn't implemented.
-
-Patches should be as up to date as possible, preferably relative to the
-current Git or the last snapshot. They should follow our coding style
-(see https://www.openssl.org/policies/codingstyle.html) and compile without
-warnings using the --strict-warnings flag.  OpenSSL compiles on many varied
-platforms: try to ensure you only use portable features.
-
-Our preferred format for patch files is "git format-patch" output. For example
-to provide a patch file containing the last commit in your local git repository
-use the following command:
+OpenSSL community you might want to discuss it on the openssl-dev mailing
+list first.  Someone may be already working on the same thing or there
+may be a good reason as to why that feature isn't implemented.
+
+The best way to submit a patch is to make a pull request on GitHub.
+(It is not necessary to send mail to rt@openssl.org to open a ticket!)
+If you think the patch could use feedback from the community, please
+start a thread on openssl-dev.
+
+You can also submit patches by sending it as mail to rt@openssl.org.
+Please include the word "PATCH" and an explanation of what the patch
+does in the subject line.  If you do this, our preferred format is "git
+format-patch" output. For example to provide a patch file containing the
+last commit in your local git repository use the following command:
 
-# git format-patch --stdout HEAD^ >mydiffs.patch
+    % git format-patch --stdout HEAD^ >mydiffs.patch
 
 Another method of creating an acceptable patch file without using git is as
 follows:
 
-# cd openssl-work
-# [your changes]
-# ./Configure dist; make clean
-# cd ..
-# diff -ur openssl-orig openssl-work > mydiffs.patch
+    % cd openssl-work
+    ...make your changes...
+    % ./Configure dist; make clean
+    % cd ..
+    % diff -ur openssl-orig openssl-work >mydiffs.patch
+
+Note that pull requests are generally easier for the team, and community, to
+work with.  Pull requests benefit from all of the standard GitHub features,
+including code review tools, simpler integration, and CI build support.
+
+No matter how a patch is submitted, the following items will help make
+the acceptance and review process faster:
+
+    1. Anything other than trivial contributions will require a contributor
+    licensing agreement, giving us permission to use your code. See
+    https://www.openssl.org/policies/cla.html for details.
+
+    2.  All source files should start with the following text (with
+    appropriate comment characters at the start of each line and the
+    year(s) updated):
+
+        Copyright 20xx-20yy The OpenSSL Project Authors. All Rights Reserved.
+
+        Licensed under the OpenSSL license (the "License").  You may not use
+        this file except in compliance with the License.  You can obtain a copy
+        in the file LICENSE in the source distribution or at
+        https://www.openssl.org/source/license.html
+
+    3.  Patches should be as current as possible.  When using GitHub, please
+    expect to have to rebase and update often. Note that we do not accept merge
+    commits. You will be asked to remove them before a patch is considered
+    acceptable.
+
+    4.  Patches should follow our coding style (see
+    https://www.openssl.org/policies/codingstyle.html) and compile without
+    warnings. Where gcc or clang is availble you should use the
+    --strict-warnings Configure option.  OpenSSL compiles on many varied
+    platforms: try to ensure you only use portable features.
+
+    5.  When at all possible, patches should include tests. These can either be
+    added to an existing test, or completely new.  Please see test/README
+    for information on the test framework.
+
+    6.  New features or changed functionality must include documentation. Please
+    look at the "pod" files in doc/apps, doc/crypto and doc/ssl for examples of
+    our style.

Modified: stable/11/crypto/openssl/Configure
==============================================================================
--- stable/11/crypto/openssl/Configure	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/Configure	Thu Sep 22 14:57:48 2016	(r306195)
@@ -799,7 +799,7 @@ my @experimental = ();
 
 # This is what $depflags will look like with the above defaults
 # (we need this to see if we should advise the user to run "make depend"):
-my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
+my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_SSL2 -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST -DOPENSSL_NO_WEAK_SSL_CIPHERS";
 
 # Explicit "no-..." options will be collected in %disabled along with the defaults.
 # To remove something from %disabled, use "enable-foo" (unless it's experimental).
@@ -1082,11 +1082,6 @@ if (defined($disabled{"md5"}) || defined
 	$disabled{"tls1"} = "forced";
 	}
 
-if (defined($disabled{"tls1"}))
-	{
-	$disabled{"tlsext"} = "forced";
-	}
-
 if (defined($disabled{"ec"}) || defined($disabled{"dsa"})
     || defined($disabled{"dh"}))
 	{
@@ -1254,6 +1249,7 @@ my $shared_extension = $fields[$idx_shar
 my $ranlib = $ENV{'RANLIB'} || $fields[$idx_ranlib];
 my $ar = $ENV{'AR'} || "ar";
 my $arflags = $fields[$idx_arflags];
+my $windres = $ENV{'RC'} || $ENV{'WINDRES'} || "windres";
 my $multilib = $fields[$idx_multilib];
 
 # if $prefix/lib$multilib is not an existing directory, then
@@ -1562,8 +1558,15 @@ $cpuid_obj="mem_clr.o"	unless ($cpuid_ob
 $des_obj=$des_enc	unless ($des_obj =~ /\.o$/);
 $bf_obj=$bf_enc		unless ($bf_obj =~ /\.o$/);
 $cast_obj=$cast_enc	unless ($cast_obj =~ /\.o$/);
-$rc4_obj=$rc4_enc	unless ($rc4_obj =~ /\.o$/);
 $rc5_obj=$rc5_enc	unless ($rc5_obj =~ /\.o$/);
+if ($rc4_obj =~ /\.o$/)
+	{
+	$cflags.=" -DRC4_ASM";
+	}
+else
+	{
+	$rc4_obj=$rc4_enc;
+	}
 if ($sha1_obj =~ /\.o$/)
 	{
 #	$sha1_obj=$sha1_enc;
@@ -1717,12 +1720,14 @@ while (<IN>)
 		s/^AR=\s*/AR= \$\(CROSS_COMPILE\)/;
 		s/^NM=\s*/NM= \$\(CROSS_COMPILE\)/;
 		s/^RANLIB=\s*/RANLIB= \$\(CROSS_COMPILE\)/;
+		s/^RC=\s*/RC= \$\(CROSS_COMPILE\)/;
 		s/^MAKEDEPPROG=.*$/MAKEDEPPROG= \$\(CROSS_COMPILE\)$cc/ if $cc eq "gcc";
 		}
 	else	{
 		s/^CC=.*$/CC= $cc/;
 		s/^AR=\s*ar/AR= $ar/;
 		s/^RANLIB=.*/RANLIB= $ranlib/;
+		s/^RC=.*/RC= $windres/;
 		s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
 		s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $ecc eq "gcc" || $ecc eq "clang";
 		}

Modified: stable/11/crypto/openssl/Makefile
==============================================================================
--- stable/11/crypto/openssl/Makefile	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/Makefile	Thu Sep 22 14:57:48 2016	(r306195)
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2h
+VERSION=1.0.2i
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0
@@ -68,6 +68,7 @@ EXE_EXT= 
 ARFLAGS= 
 AR= ar $(ARFLAGS) r
 RANLIB= /usr/bin/ranlib
+RC= windres
 NM= nm
 PERL= /usr/bin/perl
 TAR= tar
@@ -210,6 +211,7 @@ BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)
 		CC='$(CC)' CFLAG='$(CFLAG)' 			\
 		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
+		RC='$(RC)'              			\
 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
 		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
 		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
@@ -368,6 +370,7 @@ libcrypto.pc: Makefile
 	    echo 'exec_prefix=$${prefix}'; \
 	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
+	    echo 'enginesdir=$${libdir}/engines'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL-libcrypto'; \
 	    echo 'Description: OpenSSL cryptography library'; \

Modified: stable/11/crypto/openssl/Makefile.org
==============================================================================
--- stable/11/crypto/openssl/Makefile.org	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/Makefile.org	Thu Sep 22 14:57:48 2016	(r306195)
@@ -66,6 +66,7 @@ EXE_EXT= 
 ARFLAGS?= r
 AR=ar $(ARFLAGS)
 RANLIB= ranlib
+RC= windres
 NM= nm
 PERL= perl
 TAR= tar
@@ -208,6 +209,7 @@ BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)
 		CC='$(CC)' CFLAG='$(CFLAG)' 			\
 		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
+		RC='$(RC)'              			\
 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
 		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
 		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
@@ -366,6 +368,7 @@ libcrypto.pc: Makefile
 	    echo 'exec_prefix=$${prefix}'; \
 	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
+	    echo 'enginesdir=$${libdir}/engines'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL-libcrypto'; \
 	    echo 'Description: OpenSSL cryptography library'; \

Modified: stable/11/crypto/openssl/Makefile.shared
==============================================================================
--- stable/11/crypto/openssl/Makefile.shared	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/Makefile.shared	Thu Sep 22 14:57:48 2016	(r306195)
@@ -293,7 +293,7 @@ link_a.cygwin:
 	fi; \
 	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
 	$(PERL) util/mkrc.pl $$dll_name | \
-		$(CROSS_COMPILE)windres -o rc.o; \
+		$(RC) -o rc.o; \
 	extras="$$extras rc.o"; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \

Modified: stable/11/crypto/openssl/NEWS
==============================================================================
--- stable/11/crypto/openssl/NEWS	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/NEWS	Thu Sep 22 14:57:48 2016	(r306195)
@@ -5,6 +5,20 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]
+
+      o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
+      o SWEET32 Mitigation (CVE-2016-2183)
+      o OOB write in MDC2_Update() (CVE-2016-6303)
+      o Malformed SHA512 ticket DoS (CVE-2016-6302)
+      o OOB write in BN_bn2dec() (CVE-2016-2182)
+      o OOB read in TS_OBJ_print_bio() (CVE-2016-2180)
+      o Pointer arithmetic undefined behaviour (CVE-2016-2177)
+      o Constant time flag not preserved in DSA signing (CVE-2016-2178)
+      o DTLS buffered message DoS (CVE-2016-2179)
+      o DTLS replay protection DoS (CVE-2016-2181)
+      o Certificate message OOB reads (CVE-2016-6306)
+
   Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
 
       o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)

Modified: stable/11/crypto/openssl/README
==============================================================================
--- stable/11/crypto/openssl/README	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/README	Thu Sep 22 14:57:48 2016	(r306195)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.2h 3 May 2016
+ OpenSSL 1.0.2i 22 Sep 2016
 
  Copyright (c) 1998-2015 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

Modified: stable/11/crypto/openssl/apps/CA.pl
==============================================================================
--- stable/11/crypto/openssl/apps/CA.pl	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/CA.pl	Thu Sep 22 14:57:48 2016	(r306195)
@@ -64,7 +64,7 @@ $RET = 0;
 
 foreach (@ARGV) {
 	if ( /^(-\?|-h|-help)$/ ) {
-	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
@@ -186,4 +186,3 @@ while (<IN>) {
 	}
 }
 }
-

Modified: stable/11/crypto/openssl/apps/CA.pl.in
==============================================================================
--- stable/11/crypto/openssl/apps/CA.pl.in	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/CA.pl.in	Thu Sep 22 14:57:48 2016	(r306195)
@@ -64,7 +64,7 @@ $RET = 0;
 
 foreach (@ARGV) {
 	if ( /^(-\?|-h|-help)$/ ) {
-	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-signcert|-verify\n";
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
@@ -186,4 +186,3 @@ while (<IN>) {
 	}
 }
 }
-

Modified: stable/11/crypto/openssl/apps/apps.c
==============================================================================
--- stable/11/crypto/openssl/apps/apps.c	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/apps.c	Thu Sep 22 14:57:48 2016	(r306195)
@@ -215,7 +215,8 @@ int args_from_file(char *file, int *argc
     if (arg != NULL)
         OPENSSL_free(arg);
     arg = (char **)OPENSSL_malloc(sizeof(char *) * (i * 2));
-
+    if (arg == NULL)
+        return 0;
     *argv = arg;
     num = 0;
     p = buf;
@@ -2374,6 +2375,8 @@ int args_verify(char ***pargs, int *parg
         flags |= X509_V_FLAG_PARTIAL_CHAIN;
     else if (!strcmp(arg, "-no_alt_chains"))
         flags |= X509_V_FLAG_NO_ALT_CHAINS;
+    else if (!strcmp(arg, "-allow_proxy_certs"))
+        flags |= X509_V_FLAG_ALLOW_PROXY_CERTS;
     else
         return 0;
 
@@ -3195,6 +3198,36 @@ int app_isdir(const char *name)
 #endif
 
 /* raw_read|write section */
+#if defined(__VMS)
+# include "vms_term_sock.h"
+static int stdin_sock = -1;
+
+static void close_stdin_sock(void)
+{
+    TerminalSocket (TERM_SOCK_DELETE, &stdin_sock);
+}
+
+int fileno_stdin(void)
+{
+    if (stdin_sock == -1) {
+        TerminalSocket(TERM_SOCK_CREATE, &stdin_sock);
+        atexit(close_stdin_sock);
+    }
+
+    return stdin_sock;
+}
+#else
+int fileno_stdin(void)
+{
+    return fileno(stdin);
+}
+#endif
+
+int fileno_stdout(void)
+{
+    return fileno(stdout);
+}
+
 #if defined(_WIN32) && defined(STD_INPUT_HANDLE)
 int raw_read_stdin(void *buf, int siz)
 {
@@ -3204,10 +3237,17 @@ int raw_read_stdin(void *buf, int siz)
     else
         return (-1);
 }
+#elif defined(__VMS)
+#include <sys/socket.h>
+
+int raw_read_stdin(void *buf, int siz)
+{
+    return recv(fileno_stdin(), buf, siz, 0);
+}
 #else
 int raw_read_stdin(void *buf, int siz)
 {
-    return read(fileno(stdin), buf, siz);
+    return read(fileno_stdin(), buf, siz);
 }
 #endif
 
@@ -3223,6 +3263,6 @@ int raw_write_stdout(const void *buf, in
 #else
 int raw_write_stdout(const void *buf, int siz)
 {
-    return write(fileno(stdout), buf, siz);
+    return write(fileno_stdout(), buf, siz);
 }
 #endif

Modified: stable/11/crypto/openssl/apps/apps.h
==============================================================================
--- stable/11/crypto/openssl/apps/apps.h	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/apps.h	Thu Sep 22 14:57:48 2016	(r306195)
@@ -375,6 +375,8 @@ void store_setup_crl_download(X509_STORE
 # define SERIAL_RAND_BITS        64
 
 int app_isdir(const char *);
+int fileno_stdin(void);
+int fileno_stdout(void);
 int raw_read_stdin(void *, int);
 int raw_write_stdout(const void *, int);
 

Modified: stable/11/crypto/openssl/apps/ca.c
==============================================================================
--- stable/11/crypto/openssl/apps/ca.c	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/ca.c	Thu Sep 22 14:57:48 2016	(r306195)
@@ -2103,25 +2103,23 @@ static int do_body(X509 **xret, EVP_PKEY
         goto err;
 
     /* We now just add it to the database */
-    row[DB_type] = (char *)OPENSSL_malloc(2);
-
     tm = X509_get_notAfter(ret);
-    row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1);
-    memcpy(row[DB_exp_date], tm->data, tm->length);
-    row[DB_exp_date][tm->length] = '\0';
-
-    row[DB_rev_date] = NULL;
-
-    /* row[DB_serial] done already */
-    row[DB_file] = (char *)OPENSSL_malloc(8);
+    row[DB_type] = OPENSSL_malloc(2);
+    row[DB_exp_date] = OPENSSL_malloc(tm->length + 1);
+    row[DB_rev_date] = OPENSSL_malloc(1);
+    row[DB_file] = OPENSSL_malloc(8);
     row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);
-
     if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
+        (row[DB_rev_date] == NULL) ||
         (row[DB_file] == NULL) || (row[DB_name] == NULL)) {
         BIO_printf(bio_err, "Memory allocation failure\n");
         goto err;
     }
-    BUF_strlcpy(row[DB_file], "unknown", 8);
+
+    memcpy(row[DB_exp_date], tm->data, tm->length);
+    row[DB_exp_date][tm->length] = '\0';
+    row[DB_rev_date][0] = '\0';
+    strcpy(row[DB_file], "unknown");
     row[DB_type][0] = 'V';
     row[DB_type][1] = '\0';
 
@@ -2307,6 +2305,7 @@ static int certify_spkac(X509 **xret, ch
 
     j = NETSCAPE_SPKI_verify(spki, pktmp);
     if (j <= 0) {
+        EVP_PKEY_free(pktmp);
         BIO_printf(bio_err,
                    "signature verification failed on SPKAC public key\n");
         goto err;

Modified: stable/11/crypto/openssl/apps/dgst.c
==============================================================================
--- stable/11/crypto/openssl/apps/dgst.c	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/dgst.c	Thu Sep 22 14:57:48 2016	(r306195)
@@ -243,6 +243,11 @@ int MAIN(int argc, char **argv)
         argv++;
     }
 
+    if (keyfile != NULL && argc > 1) {
+        BIO_printf(bio_err, "Can only sign or verify one file\n");
+        goto end;
+    }
+
     if (do_verify && !sigfile) {
         BIO_printf(bio_err,
                    "No signature to verify: use the -signature option\n");

Modified: stable/11/crypto/openssl/apps/enc.c
==============================================================================
--- stable/11/crypto/openssl/apps/enc.c	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/enc.c	Thu Sep 22 14:57:48 2016	(r306195)
@@ -509,7 +509,7 @@ int MAIN(int argc, char **argv)
                             BIO_printf(bio_err, "invalid hex salt value\n");
                             goto end;
                         }
-                    } else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
+                    } else if (RAND_bytes(salt, sizeof salt) <= 0)
                         goto end;
                     /*
                      * If -P option then don't bother writing

Modified: stable/11/crypto/openssl/apps/passwd.c
==============================================================================
--- stable/11/crypto/openssl/apps/passwd.c	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/passwd.c	Thu Sep 22 14:57:48 2016	(r306195)
@@ -416,7 +416,7 @@ static int do_passwd(int passed_salt, ch
                 if (*salt_malloc_p == NULL)
                     goto err;
             }
-            if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0)
+            if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0)
                 goto err;
             (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
             (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
@@ -437,7 +437,7 @@ static int do_passwd(int passed_salt, ch
                 if (*salt_malloc_p == NULL)
                     goto err;
             }
-            if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0)
+            if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0)
                 goto err;
 
             for (i = 0; i < 8; i++)

Modified: stable/11/crypto/openssl/apps/pkcs12.c
==============================================================================
--- stable/11/crypto/openssl/apps/pkcs12.c	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/pkcs12.c	Thu Sep 22 14:57:48 2016	(r306195)
@@ -832,6 +832,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1
     EVP_PKEY *pkey;
     PKCS8_PRIV_KEY_INFO *p8;
     X509 *x509;
+    int ret = 0;
 
     switch (M_PKCS12_bag_type(bag)) {
     case NID_keyBag:
@@ -844,7 +845,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1
         if (!(pkey = EVP_PKCS82PKEY(p8)))
             return 0;
         print_attribs(out, p8->attributes, "Key Attributes");
-        PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
+        ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
         EVP_PKEY_free(pkey);
         break;
 
@@ -864,7 +865,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1
         }
         print_attribs(out, p8->attributes, "Key Attributes");
         PKCS8_PRIV_KEY_INFO_free(p8);
-        PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
+        ret = PEM_write_bio_PrivateKey(out, pkey, enc, NULL, 0, NULL, pempass);
         EVP_PKEY_free(pkey);
         break;
 
@@ -884,7 +885,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1
         if (!(x509 = PKCS12_certbag2x509(bag)))
             return 0;
         dump_cert_text(out, x509);
-        PEM_write_bio_X509(out, x509);
+        ret = PEM_write_bio_X509(out, x509);
         X509_free(x509);
         break;
 
@@ -902,7 +903,7 @@ int dump_certs_pkeys_bag(BIO *out, PKCS1
         return 1;
         break;
     }
-    return 1;
+    return ret;
 }
 
 /* Given a single certificate return a verified chain or NULL if error */
@@ -931,16 +932,70 @@ static int get_cert_chain(X509 *cert, X5
 
 int alg_print(BIO *x, X509_ALGOR *alg)
 {
-    PBEPARAM *pbe;
-    const unsigned char *p;
-    p = alg->parameter->value.sequence->data;
-    pbe = d2i_PBEPARAM(NULL, &p, alg->parameter->value.sequence->length);
-    if (!pbe)
-        return 1;
-    BIO_printf(bio_err, "%s, Iteration %ld\n",
-               OBJ_nid2ln(OBJ_obj2nid(alg->algorithm)),
-               ASN1_INTEGER_get(pbe->iter));
-    PBEPARAM_free(pbe);
+    int pbenid, aparamtype;
+    ASN1_OBJECT *aoid;
+    void *aparam;
+    PBEPARAM *pbe = NULL;
+
+    X509_ALGOR_get0(&aoid, &aparamtype, &aparam, alg);
+
+    pbenid = OBJ_obj2nid(aoid);
+
+    BIO_printf(x, "%s", OBJ_nid2ln(pbenid));
+
+    /*
+     * If PBE algorithm is PBES2 decode algorithm parameters
+     * for additional details.
+     */
+    if (pbenid == NID_pbes2) {
+        PBE2PARAM *pbe2 = NULL;
+        int encnid;
+        if (aparamtype == V_ASN1_SEQUENCE)
+            pbe2 = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBE2PARAM));
+        if (pbe2 == NULL) {
+            BIO_puts(x, "<unsupported parameters>");
+            goto done;
+        }
+        X509_ALGOR_get0(&aoid, &aparamtype, &aparam, pbe2->keyfunc);
+        pbenid = OBJ_obj2nid(aoid);
+        X509_ALGOR_get0(&aoid, NULL, NULL, pbe2->encryption);
+        encnid = OBJ_obj2nid(aoid);
+        BIO_printf(x, ", %s, %s", OBJ_nid2ln(pbenid),
+                   OBJ_nid2sn(encnid));
+        /* If KDF is PBKDF2 decode parameters */
+        if (pbenid == NID_id_pbkdf2) {
+            PBKDF2PARAM *kdf = NULL;
+            int prfnid;
+            if (aparamtype == V_ASN1_SEQUENCE)
+                kdf = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBKDF2PARAM));
+            if (kdf == NULL) {
+                BIO_puts(x, "<unsupported parameters>");
+                goto done;
+            }
+
+            if (kdf->prf == NULL) {
+                prfnid = NID_hmacWithSHA1;
+            } else {
+                X509_ALGOR_get0(&aoid, NULL, NULL, kdf->prf);
+                prfnid = OBJ_obj2nid(aoid);
+            }
+            BIO_printf(x, ", Iteration %ld, PRF %s",
+                       ASN1_INTEGER_get(kdf->iter), OBJ_nid2sn(prfnid));
+            PBKDF2PARAM_free(kdf);
+        }
+        PBE2PARAM_free(pbe2);
+    } else {
+        if (aparamtype == V_ASN1_SEQUENCE)
+            pbe = ASN1_item_unpack(aparam, ASN1_ITEM_rptr(PBEPARAM));
+        if (pbe == NULL) {
+            BIO_puts(x, "<unsupported parameters>");
+            goto done;
+        }
+        BIO_printf(x, ", Iteration %ld", ASN1_INTEGER_get(pbe->iter));
+        PBEPARAM_free(pbe);
+    }
+ done:
+    BIO_puts(x, "\n");
     return 1;
 }
 

Modified: stable/11/crypto/openssl/apps/req.c
==============================================================================
--- stable/11/crypto/openssl/apps/req.c	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/req.c	Thu Sep 22 14:57:48 2016	(r306195)
@@ -332,9 +332,10 @@ int MAIN(int argc, char **argv)
             subject = 1;
         else if (strcmp(*argv, "-text") == 0)
             text = 1;
-        else if (strcmp(*argv, "-x509") == 0)
+        else if (strcmp(*argv, "-x509") == 0) {
+            newreq = 1;
             x509 = 1;
-        else if (strcmp(*argv, "-asn1-kludge") == 0)
+        } else if (strcmp(*argv, "-asn1-kludge") == 0)
             kludge = 1;
         else if (strcmp(*argv, "-no-asn1-kludge") == 0)
             kludge = 0;
@@ -756,7 +757,7 @@ int MAIN(int argc, char **argv)
         }
     }
 
-    if (newreq || x509) {
+    if (newreq) {
         if (pkey == NULL) {
             BIO_printf(bio_err, "you need to specify a private key\n");
             goto end;
@@ -1331,12 +1332,11 @@ static int auto_info(X509_REQ *req, STAC
                 break;
             }
 #ifndef CHARSET_EBCDIC
-        if (*p == '+')
+        if (*type == '+') {
 #else
-        if (*p == os_toascii['+'])
+        if (*type == os_toascii['+']) {
 #endif
-        {
-            p++;
+            type++;
             mval = -1;
         } else
             mval = 0;

Modified: stable/11/crypto/openssl/apps/s_apps.h
==============================================================================
--- stable/11/crypto/openssl/apps/s_apps.h	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/s_apps.h	Thu Sep 22 14:57:48 2016	(r306195)
@@ -199,7 +199,8 @@ int load_excert(SSL_EXCERT **pexc, BIO *
 void print_ssl_summary(BIO *bio, SSL *s);
 #ifdef HEADER_SSL_H
 int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
-             int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
+             int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr,
+             int *no_prot_opt);
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
                   STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
 int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,

Modified: stable/11/crypto/openssl/apps/s_cb.c
==============================================================================
--- stable/11/crypto/openssl/apps/s_cb.c	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/s_cb.c	Thu Sep 22 14:57:48 2016	(r306195)
@@ -1507,11 +1507,18 @@ void print_ssl_summary(BIO *bio, SSL *s)
 }
 
 int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
-             int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr)
+             int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr,
+             int *no_prot_opt)
 {
     char *arg = **pargs, *argn = (*pargs)[1];
     int rv;
 
+    if (strcmp(arg, "-no_ssl2") == 0 || strcmp(arg, "-no_ssl3") == 0
+        || strcmp(arg, "-no_tls1") == 0 || strcmp(arg, "-no_tls1_1") == 0
+        || strcmp(arg, "-no_tls1_2") == 0) {
+        *no_prot_opt = 1;
+    }
+
     /* Attempt to run SSL configuration command */
     rv = SSL_CONF_cmd_argv(cctx, pargc, pargs);
     /* If parameter not recognised just return */

Modified: stable/11/crypto/openssl/apps/s_client.c
==============================================================================
--- stable/11/crypto/openssl/apps/s_client.c	Thu Sep 22 13:59:27 2016	(r306194)
+++ stable/11/crypto/openssl/apps/s_client.c	Thu Sep 22 14:57:48 2016	(r306195)
@@ -242,9 +242,9 @@ static unsigned int psk_client_cb(SSL *s
                                   unsigned char *psk,
                                   unsigned int max_psk_len)
 {
-    unsigned int psk_len = 0;
     int ret;
-    BIGNUM *bn = NULL;
+    long key_len;
+    unsigned char *key;
 
     if (c_debug)
         BIO_printf(bio_c_out, "psk_client_cb\n");
@@ -265,32 +265,29 @@ static unsigned int psk_client_cb(SSL *s
     if (c_debug)
         BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity,
                    ret);
-    ret = BN_hex2bn(&bn, psk_key);
-    if (!ret) {
-        BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
+
+    /* convert the PSK key to binary */
+    key = string_to_hex(psk_key, &key_len);
+    if (key == NULL) {
+        BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
                    psk_key);
-        if (bn)
-            BN_free(bn);
         return 0;
     }
-
-    if ((unsigned int)BN_num_bytes(bn) > max_psk_len) {
+    if ((unsigned long)key_len > (unsigned long)max_psk_len) {
         BIO_printf(bio_err,
-                   "psk buffer of callback is too small (%d) for key (%d)\n",
-                   max_psk_len, BN_num_bytes(bn));
-        BN_free(bn);
+                   "psk buffer of callback is too small (%d) for key (%ld)\n",
+                   max_psk_len, key_len);
+        OPENSSL_free(key);
         return 0;
     }
 
-    psk_len = BN_bn2bin(bn, psk);
-    BN_free(bn);
-    if (psk_len == 0)
-        goto out_err;
+    memcpy(psk, key, key_len);
+    OPENSSL_free(key);
 
     if (c_debug)
-        BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
+        BIO_printf(bio_c_out, "created PSK len=%ld\n", key_len);
 
-    return psk_len;
+    return key_len;
  out_err:
     if (c_debug)
         BIO_printf(bio_err, "Error in PSK client callback\n");
@@ -747,6 +744,7 @@ int MAIN(int argc, char **argv)
     int crl_format = FORMAT_PEM;
     int crl_download = 0;
     STACK_OF(X509_CRL) *crls = NULL;
+    int prot_opt = 0, no_prot_opt = 0;
 
     meth = SSLv23_client_method();
 
@@ -850,7 +848,8 @@ int MAIN(int argc, char **argv)
             if (badarg)
                 goto bad;
             continue;
-        } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) {
+        } else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args,
+                            &no_prot_opt)) {
             if (badarg)
                 goto bad;
             continue;
@@ -942,31 +941,42 @@ int MAIN(int argc, char **argv)
         }
 #endif
 #ifndef OPENSSL_NO_SSL2
-        else if (strcmp(*argv, "-ssl2") == 0)
+        else if (strcmp(*argv, "-ssl2") == 0) {
             meth = SSLv2_client_method();
+            prot_opt++;
+        }
 #endif
 #ifndef OPENSSL_NO_SSL3_METHOD
-        else if (strcmp(*argv, "-ssl3") == 0)
+        else if (strcmp(*argv, "-ssl3") == 0) {
             meth = SSLv3_client_method();
+            prot_opt++;
+        }
 #endif
 #ifndef OPENSSL_NO_TLS1
-        else if (strcmp(*argv, "-tls1_2") == 0)
+        else if (strcmp(*argv, "-tls1_2") == 0) {
             meth = TLSv1_2_client_method();
-        else if (strcmp(*argv, "-tls1_1") == 0)
+            prot_opt++;
+        } else if (strcmp(*argv, "-tls1_1") == 0) {
             meth = TLSv1_1_client_method();
-        else if (strcmp(*argv, "-tls1") == 0)
+            prot_opt++;
+        } else if (strcmp(*argv, "-tls1") == 0) {
             meth = TLSv1_client_method();
+            prot_opt++;
+        }
 #endif
 #ifndef OPENSSL_NO_DTLS1
         else if (strcmp(*argv, "-dtls") == 0) {
             meth = DTLS_client_method();
             socket_type = SOCK_DGRAM;
+            prot_opt++;
         } else if (strcmp(*argv, "-dtls1") == 0) {
             meth = DTLSv1_client_method();
             socket_type = SOCK_DGRAM;
+            prot_opt++;
         } else if (strcmp(*argv, "-dtls1_2") == 0) {
             meth = DTLSv1_2_client_method();
             socket_type = SOCK_DGRAM;
+            prot_opt++;
         } else if (strcmp(*argv, "-timeout") == 0)
             enable_timeouts = 1;
         else if (strcmp(*argv, "-mtu") == 0) {
@@ -1149,6 +1159,17 @@ int MAIN(int argc, char **argv)
     }
 #endif
 
+    if (prot_opt > 1) {
+        BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
+        goto end;
+    }
+
+    if (prot_opt == 1 && no_prot_opt) {

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201609221457.u8MEvndR052567>