Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 9 Jun 2014 05:50:58 +0000 (UTC)
From:      Jung-uk Kim <jkim@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r267256 - in head: crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/asn1 crypto/openssl/crypto/bio crypto/openssl/crypto/bn crypto/openssl/crypto/cms crypt...
Message-ID:  <201406090550.s595owlV000465@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: jkim
Date: Mon Jun  9 05:50:57 2014
New Revision: 267256
URL: http://svnweb.freebsd.org/changeset/base/267256

Log:
  Merge OpenSSL 1.0.1h.
  
  Approved by:	so (delphij)

Added:
  head/crypto/openssl/ssl/heartbeat_test.c
     - copied unchanged from r267188, vendor-crypto/openssl/dist/ssl/heartbeat_test.c
Modified:
  head/crypto/openssl/ACKNOWLEDGMENTS
  head/crypto/openssl/CHANGES
  head/crypto/openssl/Makefile
  head/crypto/openssl/NEWS
  head/crypto/openssl/README
  head/crypto/openssl/apps/enc.c
  head/crypto/openssl/apps/ocsp.c
  head/crypto/openssl/apps/req.c
  head/crypto/openssl/apps/s_cb.c
  head/crypto/openssl/apps/s_socket.c
  head/crypto/openssl/apps/smime.c
  head/crypto/openssl/crypto/asn1/a_strnid.c
  head/crypto/openssl/crypto/bio/bss_dgram.c
  head/crypto/openssl/crypto/bn/bn_mont.c
  head/crypto/openssl/crypto/cms/cms_env.c
  head/crypto/openssl/crypto/cms/cms_sd.c
  head/crypto/openssl/crypto/cms/cms_smime.c
  head/crypto/openssl/crypto/dso/dso_dlfcn.c
  head/crypto/openssl/crypto/ec/ec_ameth.c
  head/crypto/openssl/crypto/ec/ec_asn1.c
  head/crypto/openssl/crypto/ec/ec_lcl.h
  head/crypto/openssl/crypto/evp/bio_b64.c
  head/crypto/openssl/crypto/evp/encode.c
  head/crypto/openssl/crypto/opensslv.h
  head/crypto/openssl/crypto/pkcs12/p12_crt.c
  head/crypto/openssl/crypto/pkcs12/p12_kiss.c
  head/crypto/openssl/crypto/pkcs7/pk7_doit.c
  head/crypto/openssl/crypto/pkcs7/pkcs7.h
  head/crypto/openssl/crypto/pkcs7/pkcs7err.c
  head/crypto/openssl/crypto/rsa/rsa_ameth.c
  head/crypto/openssl/crypto/srp/srp_vfy.c
  head/crypto/openssl/crypto/ts/ts_rsp_verify.c
  head/crypto/openssl/crypto/x509v3/v3_purp.c
  head/crypto/openssl/doc/apps/cms.pod
  head/crypto/openssl/doc/apps/enc.pod
  head/crypto/openssl/doc/apps/s_server.pod
  head/crypto/openssl/doc/apps/smime.pod
  head/crypto/openssl/doc/apps/verify.pod
  head/crypto/openssl/doc/apps/version.pod
  head/crypto/openssl/doc/apps/x509v3_config.pod
  head/crypto/openssl/doc/crypto/CMS_decrypt.pod
  head/crypto/openssl/doc/crypto/CONF_modules_free.pod
  head/crypto/openssl/doc/crypto/CONF_modules_load_file.pod
  head/crypto/openssl/doc/crypto/OPENSSL_config.pod
  head/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
  head/crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
  head/crypto/openssl/doc/fingerprints.txt
  head/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod
  head/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
  head/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
  head/crypto/openssl/engines/ccgost/gost_ameth.c
  head/crypto/openssl/ssl/Makefile
  head/crypto/openssl/ssl/d1_both.c
  head/crypto/openssl/ssl/d1_lib.c
  head/crypto/openssl/ssl/d1_pkt.c
  head/crypto/openssl/ssl/d1_srvr.c
  head/crypto/openssl/ssl/s3_pkt.c
  head/crypto/openssl/ssl/s3_srvr.c
  head/crypto/openssl/ssl/ssl.h
  head/crypto/openssl/ssl/ssl3.h
  head/crypto/openssl/ssl/ssl_asn1.c
  head/crypto/openssl/ssl/ssl_err.c
  head/crypto/openssl/ssl/ssl_lib.c
  head/crypto/openssl/ssl/t1_enc.c
  head/crypto/openssl/ssl/t1_lib.c
  head/secure/lib/libcrypto/Makefile.inc
  head/secure/lib/libcrypto/man/ASN1_OBJECT_new.3
  head/secure/lib/libcrypto/man/ASN1_STRING_length.3
  head/secure/lib/libcrypto/man/ASN1_STRING_new.3
  head/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3
  head/secure/lib/libcrypto/man/ASN1_generate_nconf.3
  head/secure/lib/libcrypto/man/BIO_ctrl.3
  head/secure/lib/libcrypto/man/BIO_f_base64.3
  head/secure/lib/libcrypto/man/BIO_f_buffer.3
  head/secure/lib/libcrypto/man/BIO_f_cipher.3
  head/secure/lib/libcrypto/man/BIO_f_md.3
  head/secure/lib/libcrypto/man/BIO_f_null.3
  head/secure/lib/libcrypto/man/BIO_f_ssl.3
  head/secure/lib/libcrypto/man/BIO_find_type.3
  head/secure/lib/libcrypto/man/BIO_new.3
  head/secure/lib/libcrypto/man/BIO_new_CMS.3
  head/secure/lib/libcrypto/man/BIO_push.3
  head/secure/lib/libcrypto/man/BIO_read.3
  head/secure/lib/libcrypto/man/BIO_s_accept.3
  head/secure/lib/libcrypto/man/BIO_s_bio.3
  head/secure/lib/libcrypto/man/BIO_s_connect.3
  head/secure/lib/libcrypto/man/BIO_s_fd.3
  head/secure/lib/libcrypto/man/BIO_s_file.3
  head/secure/lib/libcrypto/man/BIO_s_mem.3
  head/secure/lib/libcrypto/man/BIO_s_null.3
  head/secure/lib/libcrypto/man/BIO_s_socket.3
  head/secure/lib/libcrypto/man/BIO_set_callback.3
  head/secure/lib/libcrypto/man/BIO_should_retry.3
  head/secure/lib/libcrypto/man/BN_BLINDING_new.3
  head/secure/lib/libcrypto/man/BN_CTX_new.3
  head/secure/lib/libcrypto/man/BN_CTX_start.3
  head/secure/lib/libcrypto/man/BN_add.3
  head/secure/lib/libcrypto/man/BN_add_word.3
  head/secure/lib/libcrypto/man/BN_bn2bin.3
  head/secure/lib/libcrypto/man/BN_cmp.3
  head/secure/lib/libcrypto/man/BN_copy.3
  head/secure/lib/libcrypto/man/BN_generate_prime.3
  head/secure/lib/libcrypto/man/BN_mod_inverse.3
  head/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3
  head/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3
  head/secure/lib/libcrypto/man/BN_new.3
  head/secure/lib/libcrypto/man/BN_num_bytes.3
  head/secure/lib/libcrypto/man/BN_rand.3
  head/secure/lib/libcrypto/man/BN_set_bit.3
  head/secure/lib/libcrypto/man/BN_swap.3
  head/secure/lib/libcrypto/man/BN_zero.3
  head/secure/lib/libcrypto/man/CMS_add0_cert.3
  head/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3
  head/secure/lib/libcrypto/man/CMS_compress.3
  head/secure/lib/libcrypto/man/CMS_decrypt.3
  head/secure/lib/libcrypto/man/CMS_encrypt.3
  head/secure/lib/libcrypto/man/CMS_final.3
  head/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3
  head/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3
  head/secure/lib/libcrypto/man/CMS_get0_type.3
  head/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
  head/secure/lib/libcrypto/man/CMS_sign.3
  head/secure/lib/libcrypto/man/CMS_sign_add1_signer.3
  head/secure/lib/libcrypto/man/CMS_sign_receipt.3
  head/secure/lib/libcrypto/man/CMS_uncompress.3
  head/secure/lib/libcrypto/man/CMS_verify.3
  head/secure/lib/libcrypto/man/CMS_verify_receipt.3
  head/secure/lib/libcrypto/man/CONF_modules_free.3
  head/secure/lib/libcrypto/man/CONF_modules_load_file.3
  head/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3
  head/secure/lib/libcrypto/man/DH_generate_key.3
  head/secure/lib/libcrypto/man/DH_generate_parameters.3
  head/secure/lib/libcrypto/man/DH_get_ex_new_index.3
  head/secure/lib/libcrypto/man/DH_new.3
  head/secure/lib/libcrypto/man/DH_set_method.3
  head/secure/lib/libcrypto/man/DH_size.3
  head/secure/lib/libcrypto/man/DSA_SIG_new.3
  head/secure/lib/libcrypto/man/DSA_do_sign.3
  head/secure/lib/libcrypto/man/DSA_dup_DH.3
  head/secure/lib/libcrypto/man/DSA_generate_key.3
  head/secure/lib/libcrypto/man/DSA_generate_parameters.3
  head/secure/lib/libcrypto/man/DSA_get_ex_new_index.3
  head/secure/lib/libcrypto/man/DSA_new.3
  head/secure/lib/libcrypto/man/DSA_set_method.3
  head/secure/lib/libcrypto/man/DSA_sign.3
  head/secure/lib/libcrypto/man/DSA_size.3
  head/secure/lib/libcrypto/man/ERR_GET_LIB.3
  head/secure/lib/libcrypto/man/ERR_clear_error.3
  head/secure/lib/libcrypto/man/ERR_error_string.3
  head/secure/lib/libcrypto/man/ERR_get_error.3
  head/secure/lib/libcrypto/man/ERR_load_crypto_strings.3
  head/secure/lib/libcrypto/man/ERR_load_strings.3
  head/secure/lib/libcrypto/man/ERR_print_errors.3
  head/secure/lib/libcrypto/man/ERR_put_error.3
  head/secure/lib/libcrypto/man/ERR_remove_state.3
  head/secure/lib/libcrypto/man/ERR_set_mark.3
  head/secure/lib/libcrypto/man/EVP_BytesToKey.3
  head/secure/lib/libcrypto/man/EVP_DigestInit.3
  head/secure/lib/libcrypto/man/EVP_DigestSignInit.3
  head/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3
  head/secure/lib/libcrypto/man/EVP_EncryptInit.3
  head/secure/lib/libcrypto/man/EVP_OpenInit.3
  head/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
  head/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3
  head/secure/lib/libcrypto/man/EVP_PKEY_cmp.3
  head/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3
  head/secure/lib/libcrypto/man/EVP_PKEY_derive.3
  head/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3
  head/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3
  head/secure/lib/libcrypto/man/EVP_PKEY_keygen.3
  head/secure/lib/libcrypto/man/EVP_PKEY_new.3
  head/secure/lib/libcrypto/man/EVP_PKEY_print_private.3
  head/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
  head/secure/lib/libcrypto/man/EVP_PKEY_sign.3
  head/secure/lib/libcrypto/man/EVP_PKEY_verify.3
  head/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3
  head/secure/lib/libcrypto/man/EVP_SealInit.3
  head/secure/lib/libcrypto/man/EVP_SignInit.3
  head/secure/lib/libcrypto/man/EVP_VerifyInit.3
  head/secure/lib/libcrypto/man/OBJ_nid2obj.3
  head/secure/lib/libcrypto/man/OPENSSL_Applink.3
  head/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
  head/secure/lib/libcrypto/man/OPENSSL_config.3
  head/secure/lib/libcrypto/man/OPENSSL_ia32cap.3
  head/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
  head/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
  head/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
  head/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
  head/secure/lib/libcrypto/man/PKCS12_create.3
  head/secure/lib/libcrypto/man/PKCS12_parse.3
  head/secure/lib/libcrypto/man/PKCS7_decrypt.3
  head/secure/lib/libcrypto/man/PKCS7_encrypt.3
  head/secure/lib/libcrypto/man/PKCS7_sign.3
  head/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3
  head/secure/lib/libcrypto/man/PKCS7_verify.3
  head/secure/lib/libcrypto/man/RAND_add.3
  head/secure/lib/libcrypto/man/RAND_bytes.3
  head/secure/lib/libcrypto/man/RAND_cleanup.3
  head/secure/lib/libcrypto/man/RAND_egd.3
  head/secure/lib/libcrypto/man/RAND_load_file.3
  head/secure/lib/libcrypto/man/RAND_set_rand_method.3
  head/secure/lib/libcrypto/man/RSA_blinding_on.3
  head/secure/lib/libcrypto/man/RSA_check_key.3
  head/secure/lib/libcrypto/man/RSA_generate_key.3
  head/secure/lib/libcrypto/man/RSA_get_ex_new_index.3
  head/secure/lib/libcrypto/man/RSA_new.3
  head/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
  head/secure/lib/libcrypto/man/RSA_print.3
  head/secure/lib/libcrypto/man/RSA_private_encrypt.3
  head/secure/lib/libcrypto/man/RSA_public_encrypt.3
  head/secure/lib/libcrypto/man/RSA_set_method.3
  head/secure/lib/libcrypto/man/RSA_sign.3
  head/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
  head/secure/lib/libcrypto/man/RSA_size.3
  head/secure/lib/libcrypto/man/SMIME_read_CMS.3
  head/secure/lib/libcrypto/man/SMIME_read_PKCS7.3
  head/secure/lib/libcrypto/man/SMIME_write_CMS.3
  head/secure/lib/libcrypto/man/SMIME_write_PKCS7.3
  head/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
  head/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
  head/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
  head/secure/lib/libcrypto/man/X509_NAME_print_ex.3
  head/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3
  head/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
  head/secure/lib/libcrypto/man/X509_STORE_CTX_new.3
  head/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
  head/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
  head/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
  head/secure/lib/libcrypto/man/X509_new.3
  head/secure/lib/libcrypto/man/X509_verify_cert.3
  head/secure/lib/libcrypto/man/bio.3
  head/secure/lib/libcrypto/man/blowfish.3
  head/secure/lib/libcrypto/man/bn.3
  head/secure/lib/libcrypto/man/bn_internal.3
  head/secure/lib/libcrypto/man/buffer.3
  head/secure/lib/libcrypto/man/crypto.3
  head/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3
  head/secure/lib/libcrypto/man/d2i_DHparams.3
  head/secure/lib/libcrypto/man/d2i_DSAPublicKey.3
  head/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3
  head/secure/lib/libcrypto/man/d2i_RSAPublicKey.3
  head/secure/lib/libcrypto/man/d2i_X509.3
  head/secure/lib/libcrypto/man/d2i_X509_ALGOR.3
  head/secure/lib/libcrypto/man/d2i_X509_CRL.3
  head/secure/lib/libcrypto/man/d2i_X509_NAME.3
  head/secure/lib/libcrypto/man/d2i_X509_REQ.3
  head/secure/lib/libcrypto/man/d2i_X509_SIG.3
  head/secure/lib/libcrypto/man/des.3
  head/secure/lib/libcrypto/man/dh.3
  head/secure/lib/libcrypto/man/dsa.3
  head/secure/lib/libcrypto/man/ecdsa.3
  head/secure/lib/libcrypto/man/engine.3
  head/secure/lib/libcrypto/man/err.3
  head/secure/lib/libcrypto/man/evp.3
  head/secure/lib/libcrypto/man/hmac.3
  head/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3
  head/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
  head/secure/lib/libcrypto/man/lh_stats.3
  head/secure/lib/libcrypto/man/lhash.3
  head/secure/lib/libcrypto/man/md5.3
  head/secure/lib/libcrypto/man/mdc2.3
  head/secure/lib/libcrypto/man/pem.3
  head/secure/lib/libcrypto/man/rand.3
  head/secure/lib/libcrypto/man/rc4.3
  head/secure/lib/libcrypto/man/ripemd.3
  head/secure/lib/libcrypto/man/rsa.3
  head/secure/lib/libcrypto/man/sha.3
  head/secure/lib/libcrypto/man/threads.3
  head/secure/lib/libcrypto/man/ui.3
  head/secure/lib/libcrypto/man/ui_compat.3
  head/secure/lib/libcrypto/man/x509.3
  head/secure/lib/libssl/man/SSL_CIPHER_get_name.3
  head/secure/lib/libssl/man/SSL_COMP_add_compression_method.3
  head/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
  head/secure/lib/libssl/man/SSL_CTX_add_session.3
  head/secure/lib/libssl/man/SSL_CTX_ctrl.3
  head/secure/lib/libssl/man/SSL_CTX_flush_sessions.3
  head/secure/lib/libssl/man/SSL_CTX_free.3
  head/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3
  head/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3
  head/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3
  head/secure/lib/libssl/man/SSL_CTX_new.3
  head/secure/lib/libssl/man/SSL_CTX_sess_number.3
  head/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
  head/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
  head/secure/lib/libssl/man/SSL_CTX_sessions.3
  head/secure/lib/libssl/man/SSL_CTX_set_cert_store.3
  head/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
  head/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3
  head/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3
  head/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
  head/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
  head/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
  head/secure/lib/libssl/man/SSL_CTX_set_info_callback.3
  head/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3
  head/secure/lib/libssl/man/SSL_CTX_set_mode.3
  head/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3
  head/secure/lib/libssl/man/SSL_CTX_set_options.3
  head/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3
  head/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
  head/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
  head/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3
  head/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3
  head/secure/lib/libssl/man/SSL_CTX_set_timeout.3
  head/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
  head/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
  head/secure/lib/libssl/man/SSL_CTX_set_verify.3
  head/secure/lib/libssl/man/SSL_CTX_use_certificate.3
  head/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3
  head/secure/lib/libssl/man/SSL_SESSION_free.3
  head/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
  head/secure/lib/libssl/man/SSL_SESSION_get_time.3
  head/secure/lib/libssl/man/SSL_accept.3
  head/secure/lib/libssl/man/SSL_alert_type_string.3
  head/secure/lib/libssl/man/SSL_clear.3
  head/secure/lib/libssl/man/SSL_connect.3
  head/secure/lib/libssl/man/SSL_do_handshake.3
  head/secure/lib/libssl/man/SSL_free.3
  head/secure/lib/libssl/man/SSL_get_SSL_CTX.3
  head/secure/lib/libssl/man/SSL_get_ciphers.3
  head/secure/lib/libssl/man/SSL_get_client_CA_list.3
  head/secure/lib/libssl/man/SSL_get_current_cipher.3
  head/secure/lib/libssl/man/SSL_get_default_timeout.3
  head/secure/lib/libssl/man/SSL_get_error.3
  head/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
  head/secure/lib/libssl/man/SSL_get_ex_new_index.3
  head/secure/lib/libssl/man/SSL_get_fd.3
  head/secure/lib/libssl/man/SSL_get_peer_cert_chain.3
  head/secure/lib/libssl/man/SSL_get_peer_certificate.3
  head/secure/lib/libssl/man/SSL_get_psk_identity.3
  head/secure/lib/libssl/man/SSL_get_rbio.3
  head/secure/lib/libssl/man/SSL_get_session.3
  head/secure/lib/libssl/man/SSL_get_verify_result.3
  head/secure/lib/libssl/man/SSL_get_version.3
  head/secure/lib/libssl/man/SSL_library_init.3
  head/secure/lib/libssl/man/SSL_load_client_CA_file.3
  head/secure/lib/libssl/man/SSL_new.3
  head/secure/lib/libssl/man/SSL_pending.3
  head/secure/lib/libssl/man/SSL_read.3
  head/secure/lib/libssl/man/SSL_rstate_string.3
  head/secure/lib/libssl/man/SSL_session_reused.3
  head/secure/lib/libssl/man/SSL_set_bio.3
  head/secure/lib/libssl/man/SSL_set_connect_state.3
  head/secure/lib/libssl/man/SSL_set_fd.3
  head/secure/lib/libssl/man/SSL_set_session.3
  head/secure/lib/libssl/man/SSL_set_shutdown.3
  head/secure/lib/libssl/man/SSL_set_verify_result.3
  head/secure/lib/libssl/man/SSL_shutdown.3
  head/secure/lib/libssl/man/SSL_state_string.3
  head/secure/lib/libssl/man/SSL_want.3
  head/secure/lib/libssl/man/SSL_write.3
  head/secure/lib/libssl/man/d2i_SSL_SESSION.3
  head/secure/lib/libssl/man/ssl.3
  head/secure/usr.bin/openssl/man/CA.pl.1
  head/secure/usr.bin/openssl/man/asn1parse.1
  head/secure/usr.bin/openssl/man/ca.1
  head/secure/usr.bin/openssl/man/ciphers.1
  head/secure/usr.bin/openssl/man/cms.1
  head/secure/usr.bin/openssl/man/crl.1
  head/secure/usr.bin/openssl/man/crl2pkcs7.1
  head/secure/usr.bin/openssl/man/dgst.1
  head/secure/usr.bin/openssl/man/dhparam.1
  head/secure/usr.bin/openssl/man/dsa.1
  head/secure/usr.bin/openssl/man/dsaparam.1
  head/secure/usr.bin/openssl/man/ec.1
  head/secure/usr.bin/openssl/man/ecparam.1
  head/secure/usr.bin/openssl/man/enc.1
  head/secure/usr.bin/openssl/man/errstr.1
  head/secure/usr.bin/openssl/man/gendsa.1
  head/secure/usr.bin/openssl/man/genpkey.1
  head/secure/usr.bin/openssl/man/genrsa.1
  head/secure/usr.bin/openssl/man/nseq.1
  head/secure/usr.bin/openssl/man/ocsp.1
  head/secure/usr.bin/openssl/man/openssl.1
  head/secure/usr.bin/openssl/man/passwd.1
  head/secure/usr.bin/openssl/man/pkcs12.1
  head/secure/usr.bin/openssl/man/pkcs7.1
  head/secure/usr.bin/openssl/man/pkcs8.1
  head/secure/usr.bin/openssl/man/pkey.1
  head/secure/usr.bin/openssl/man/pkeyparam.1
  head/secure/usr.bin/openssl/man/pkeyutl.1
  head/secure/usr.bin/openssl/man/rand.1
  head/secure/usr.bin/openssl/man/req.1
  head/secure/usr.bin/openssl/man/rsa.1
  head/secure/usr.bin/openssl/man/rsautl.1
  head/secure/usr.bin/openssl/man/s_client.1
  head/secure/usr.bin/openssl/man/s_server.1
  head/secure/usr.bin/openssl/man/s_time.1
  head/secure/usr.bin/openssl/man/sess_id.1
  head/secure/usr.bin/openssl/man/smime.1
  head/secure/usr.bin/openssl/man/speed.1
  head/secure/usr.bin/openssl/man/spkac.1
  head/secure/usr.bin/openssl/man/ts.1
  head/secure/usr.bin/openssl/man/tsget.1
  head/secure/usr.bin/openssl/man/verify.1
  head/secure/usr.bin/openssl/man/version.1
  head/secure/usr.bin/openssl/man/x509.1
  head/secure/usr.bin/openssl/man/x509v3_config.1
Directory Properties:
  head/crypto/openssl/   (props changed)

Modified: head/crypto/openssl/ACKNOWLEDGMENTS
==============================================================================
--- head/crypto/openssl/ACKNOWLEDGMENTS	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/ACKNOWLEDGMENTS	Mon Jun  9 05:50:57 2014	(r267256)
@@ -10,13 +10,18 @@ OpenSSL project.
 We would like to identify and thank the following such sponsors for their past
 or current significant support of the OpenSSL project:
 
+Major support:
+
+	Qualys		http://www.qualys.com/
+
 Very significant support:
 
-	OpenGear: www.opengear.com
+	OpenGear:	http://www.opengear.com/
 
 Significant support:
 
-	PSW Group: www.psw.net
+	PSW Group:	http://www.psw.net/
+	Acano Ltd.	http://acano.com/
 
 Please note that we ask permission to identify sponsors and that some sponsors
 we consider eligible for inclusion here have requested to remain anonymous.

Modified: head/crypto/openssl/CHANGES
==============================================================================
--- head/crypto/openssl/CHANGES	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/CHANGES	Mon Jun  9 05:50:57 2014	(r267256)
@@ -2,6 +2,50 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1g and 1.0.1h [5 Jun 2014]
+
+  *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted
+     handshake can force the use of weak keying material in OpenSSL
+     SSL/TLS clients and servers.
+
+     Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
+     researching this issue. (CVE-2014-0224)
+     [KIKUCHI Masashi, Steve Henson]
+
+  *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an
+     OpenSSL DTLS client the code can be made to recurse eventually crashing
+     in a DoS attack.
+
+     Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
+     (CVE-2014-0221)
+     [Imre Rad, Steve Henson]
+
+  *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can
+     be triggered by sending invalid DTLS fragments to an OpenSSL DTLS
+     client or server. This is potentially exploitable to run arbitrary
+     code on a vulnerable client or server.
+
+     Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+     [Jüri Aedla, Steve Henson]
+
+  *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
+     are subject to a denial of service attack.
+
+     Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+     this issue. (CVE-2014-3470)
+     [Felix Gröbert, Ivan Fratric, Steve Henson]
+
+  *) Harmonize version and its documentation. -f flag is used to display
+     compilation flags.
+     [mancha <mancha1@zoho.com>]
+
+  *) Fix eckey_priv_encode so it immediately returns an error upon a failure
+     in i2d_ECPrivateKey.
+     [mancha <mancha1@zoho.com>]
+
+  *) Fix some double frees. These are not thought to be exploitable.
+     [mancha <mancha1@zoho.com>]
+
  Changes between 1.0.1f and 1.0.1g [7 Apr 2014]
 
   *) A missing bounds check in the handling of the TLS heartbeat extension

Modified: head/crypto/openssl/Makefile
==============================================================================
--- head/crypto/openssl/Makefile	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/Makefile	Mon Jun  9 05:50:57 2014	(r267256)
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.1g
+VERSION=1.0.1h
 MAJOR=1
 MINOR=0.1
 SHLIB_VERSION_NUMBER=1.0.0

Modified: head/crypto/openssl/NEWS
==============================================================================
--- head/crypto/openssl/NEWS	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/NEWS	Mon Jun  9 05:50:57 2014	(r267256)
@@ -5,6 +5,14 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
+
+      o Fix for CVE-2014-0224
+      o Fix for CVE-2014-0221
+      o Fix for CVE-2014-0195
+      o Fix for CVE-2014-3470
+      o Fix for CVE-2010-5298
+
   Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
 
       o Fix for CVE-2014-0160

Modified: head/crypto/openssl/README
==============================================================================
--- head/crypto/openssl/README	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/README	Mon Jun  9 05:50:57 2014	(r267256)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1g 7 Apr 2014
+ OpenSSL 1.0.1h 5 Jun 2014
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

Modified: head/crypto/openssl/apps/enc.c
==============================================================================
--- head/crypto/openssl/apps/enc.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/apps/enc.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -331,6 +331,12 @@ bad:
         setup_engine(bio_err, engine, 0);
 #endif
 
+	if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+		{
+		BIO_printf(bio_err, "AEAD ciphers not supported by the enc utility\n");
+		goto end;
+		}
+
 	if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
 		{
 		BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);

Modified: head/crypto/openssl/apps/ocsp.c
==============================================================================
--- head/crypto/openssl/apps/ocsp.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/apps/ocsp.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -127,6 +127,7 @@ int MAIN(int argc, char **argv)
 	ENGINE *e = NULL;
 	char **args;
 	char *host = NULL, *port = NULL, *path = "/";
+	char *thost = NULL, *tport = NULL, *tpath = NULL;
 	char *reqin = NULL, *respin = NULL;
 	char *reqout = NULL, *respout = NULL;
 	char *signfile = NULL, *keyfile = NULL;
@@ -204,6 +205,12 @@ int MAIN(int argc, char **argv)
 			}
 		else if (!strcmp(*args, "-url"))
 			{
+			if (thost)
+				OPENSSL_free(thost);
+			if (tport)
+				OPENSSL_free(tport);
+			if (tpath)
+				OPENSSL_free(tpath);
 			if (args[1])
 				{
 				args++;
@@ -212,6 +219,9 @@ int MAIN(int argc, char **argv)
 					BIO_printf(bio_err, "Error parsing URL\n");
 					badarg = 1;
 					}
+				thost = host;
+				tport = port;
+				tpath = path;
 				}
 			else badarg = 1;
 			}
@@ -920,12 +930,12 @@ end:
 	sk_X509_pop_free(verify_other, X509_free);
 	sk_CONF_VALUE_pop_free(headers, X509V3_conf_free);
 
-	if (use_ssl != -1)
-		{
-		OPENSSL_free(host);
-		OPENSSL_free(port);
-		OPENSSL_free(path);
-		}
+	if (thost)
+		OPENSSL_free(thost);
+	if (tport)
+		OPENSSL_free(tport);
+	if (tpath)
+		OPENSSL_free(tpath);
 
 	OPENSSL_EXIT(ret);
 }

Modified: head/crypto/openssl/apps/req.c
==============================================================================
--- head/crypto/openssl/apps/req.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/apps/req.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -1489,7 +1489,13 @@ start:
 #ifdef CHARSET_EBCDIC
 	ebcdic2ascii(buf, buf, i);
 #endif
-	if(!req_check_len(i, n_min, n_max)) goto start;
+	if(!req_check_len(i, n_min, n_max))
+		{
+		if (batch || value)
+			return 0;
+		goto start;
+		}
+
 	if (!X509_NAME_add_entry_by_NID(n,nid, chtype,
 				(unsigned char *) buf, -1,-1,mval)) goto err;
 	ret=1;
@@ -1548,7 +1554,12 @@ start:
 #ifdef CHARSET_EBCDIC
 	ebcdic2ascii(buf, buf, i);
 #endif
-	if(!req_check_len(i, n_min, n_max)) goto start;
+	if(!req_check_len(i, n_min, n_max))
+		{
+		if (batch || value)
+			return 0;
+		goto start;
+		}
 
 	if(!X509_REQ_add1_attr_by_NID(req, nid, chtype,
 					(unsigned char *)buf, -1)) {

Modified: head/crypto/openssl/apps/s_cb.c
==============================================================================
--- head/crypto/openssl/apps/s_cb.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/apps/s_cb.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -747,6 +747,10 @@ void MS_CALLBACK tlsext_cb(SSL *s, int c
 		break;
 #endif
 
+		case TLSEXT_TYPE_padding:
+		extname = "TLS padding";
+		break;
+
 		default:
 		extname = "unknown";
 		break;

Modified: head/crypto/openssl/apps/s_socket.c
==============================================================================
--- head/crypto/openssl/apps/s_socket.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/apps/s_socket.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -274,7 +274,7 @@ static int init_client_ip(int *sock, uns
 		{
 		i=0;
 		i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
-		if (i < 0) { perror("keepalive"); return(0); }
+		if (i < 0) { closesocket(s); perror("keepalive"); return(0); }
 		}
 #endif
 
@@ -450,6 +450,7 @@ redoit:
 		if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
 			{
 			perror("OPENSSL_malloc");
+			closesocket(ret);
 			return(0);
 			}
 		BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);
@@ -458,11 +459,13 @@ redoit:
 		if (h2 == NULL)
 			{
 			BIO_printf(bio_err,"gethostbyname failure\n");
+			closesocket(ret);
 			return(0);
 			}
 		if (h2->h_addrtype != AF_INET)
 			{
 			BIO_printf(bio_err,"gethostbyname addr is not AF_INET\n");
+			closesocket(ret);
 			return(0);
 			}
 		}

Modified: head/crypto/openssl/apps/smime.c
==============================================================================
--- head/crypto/openssl/apps/smime.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/apps/smime.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -541,8 +541,8 @@ int MAIN(int argc, char **argv)
 		{
 		if (!cipher)
 			{
-#ifndef OPENSSL_NO_RC2			
-			cipher = EVP_rc2_40_cbc();
+#ifndef OPENSSL_NO_DES			
+			cipher = EVP_des_ede3_cbc();
 #else
 			BIO_printf(bio_err, "No cipher selected\n");
 			goto end;

Modified: head/crypto/openssl/crypto/asn1/a_strnid.c
==============================================================================
--- head/crypto/openssl/crypto/asn1/a_strnid.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/asn1/a_strnid.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -74,7 +74,7 @@ static int sk_table_cmp(const ASN1_STRIN
  * certain software (e.g. Netscape) has problems with them.
  */
 
-static unsigned long global_mask = 0xFFFFFFFFL;
+static unsigned long global_mask = B_ASN1_UTF8STRING;
 
 void ASN1_STRING_set_default_mask(unsigned long mask)
 {

Modified: head/crypto/openssl/crypto/bio/bss_dgram.c
==============================================================================
--- head/crypto/openssl/crypto/bio/bss_dgram.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/bio/bss_dgram.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -1333,7 +1333,7 @@ static long dgram_sctp_ctrl(BIO *b, int 
 	bio_dgram_sctp_data *data = NULL;
 	socklen_t sockopt_len = 0;
 	struct sctp_authkeyid authkeyid;
-	struct sctp_authkey *authkey;
+	struct sctp_authkey *authkey = NULL;
 
 	data = (bio_dgram_sctp_data *)b->ptr;
 
@@ -1388,6 +1388,11 @@ static long dgram_sctp_ctrl(BIO *b, int 
 		/* Add new key */
 		sockopt_len = sizeof(struct sctp_authkey) + 64 * sizeof(uint8_t);
 		authkey = OPENSSL_malloc(sockopt_len);
+		if (authkey == NULL)
+			{
+			ret = -1;
+			break;
+			}
 		memset(authkey, 0x00, sockopt_len);
 		authkey->sca_keynumber = authkeyid.scact_keynumber + 1;
 #ifndef __FreeBSD__
@@ -1399,6 +1404,8 @@ static long dgram_sctp_ctrl(BIO *b, int 
 		memcpy(&authkey->sca_key[0], ptr, 64 * sizeof(uint8_t));
 
 		ret = setsockopt(b->num, IPPROTO_SCTP, SCTP_AUTH_KEY, authkey, sockopt_len);
+		OPENSSL_free(authkey);
+		authkey = NULL;
 		if (ret < 0) break;
 
 		/* Reset active key */

Modified: head/crypto/openssl/crypto/bn/bn_mont.c
==============================================================================
--- head/crypto/openssl/crypto/bn/bn_mont.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/bn/bn_mont.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -478,32 +478,38 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CT
 BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock,
 					const BIGNUM *mod, BN_CTX *ctx)
 	{
-	int got_write_lock = 0;
 	BN_MONT_CTX *ret;
 
 	CRYPTO_r_lock(lock);
-	if (!*pmont)
+	ret = *pmont;
+	CRYPTO_r_unlock(lock);
+	if (ret)
+		return ret;
+
+	/* We don't want to serialise globally while doing our lazy-init math in
+	 * BN_MONT_CTX_set. That punishes threads that are doing independent
+	 * things. Instead, punish the case where more than one thread tries to
+	 * lazy-init the same 'pmont', by having each do the lazy-init math work
+	 * independently and only use the one from the thread that wins the race
+	 * (the losers throw away the work they've done). */
+	ret = BN_MONT_CTX_new();
+	if (!ret)
+		return NULL;
+	if (!BN_MONT_CTX_set(ret, mod, ctx))
 		{
-		CRYPTO_r_unlock(lock);
-		CRYPTO_w_lock(lock);
-		got_write_lock = 1;
+		BN_MONT_CTX_free(ret);
+		return NULL;
+		}
 
-		if (!*pmont)
-			{
-			ret = BN_MONT_CTX_new();
-			if (ret && !BN_MONT_CTX_set(ret, mod, ctx))
-				BN_MONT_CTX_free(ret);
-			else
-				*pmont = ret;
-			}
+	/* The locked compare-and-set, after the local work is done. */
+	CRYPTO_w_lock(lock);
+	if (*pmont)
+		{
+		BN_MONT_CTX_free(ret);
+		ret = *pmont;
 		}
-	
-	ret = *pmont;
-	
-	if (got_write_lock)
-		CRYPTO_w_unlock(lock);
 	else
-		CRYPTO_r_unlock(lock);
-		
+		*pmont = ret;
+	CRYPTO_w_unlock(lock);
 	return ret;
 	}

Modified: head/crypto/openssl/crypto/cms/cms_env.c
==============================================================================
--- head/crypto/openssl/crypto/cms/cms_env.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/cms/cms_env.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -185,6 +185,8 @@ CMS_RecipientInfo *CMS_add1_recipient_ce
 	if (flags & CMS_USE_KEYID)
 		{
 		ktri->version = 2;
+		if (env->version < 2)
+			env->version = 2;
 		type = CMS_RECIPINFO_KEYIDENTIFIER;
 		}
 	else

Modified: head/crypto/openssl/crypto/cms/cms_sd.c
==============================================================================
--- head/crypto/openssl/crypto/cms/cms_sd.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/cms/cms_sd.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -158,8 +158,8 @@ static void cms_sd_set_version(CMS_Signe
 			if (sd->version < 3)
 				sd->version = 3;
 			}
-		else
-			sd->version = 1;
+		else if (si->version < 1)
+			si->version = 1;
 		}
 
 	if (sd->version < 1)

Modified: head/crypto/openssl/crypto/cms/cms_smime.c
==============================================================================
--- head/crypto/openssl/crypto/cms/cms_smime.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/cms/cms_smime.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -611,7 +611,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInf
 	STACK_OF(CMS_RecipientInfo) *ris;
 	CMS_RecipientInfo *ri;
 	int i, r;
-	int debug = 0;
+	int debug = 0, ri_match = 0;
 	ris = CMS_get0_RecipientInfos(cms);
 	if (ris)
 		debug = cms->d.envelopedData->encryptedContentInfo->debug;
@@ -620,6 +620,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInf
 		ri = sk_CMS_RecipientInfo_value(ris, i);
 		if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_TRANS)
 				continue;
+		ri_match = 1;
 		/* If we have a cert try matching RecipientInfo
 		 * otherwise try them all.
 		 */
@@ -655,7 +656,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInf
 			}
 		}
 	/* If no cert and not debugging always return success */
-	if (!cert && !debug)
+	if (ri_match && !cert && !debug)
 		{
 		ERR_clear_error();
 		return 1;

Modified: head/crypto/openssl/crypto/dso/dso_dlfcn.c
==============================================================================
--- head/crypto/openssl/crypto/dso/dso_dlfcn.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/dso/dso_dlfcn.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -464,7 +464,7 @@ static int dlfcn_pathbyaddr(void *addr,c
 		return len;
 		}
 
-	ERR_add_error_data(4, "dlfcn_pathbyaddr(): ", dlerror());
+	ERR_add_error_data(2, "dlfcn_pathbyaddr(): ", dlerror());
 #endif
 	return -1;
 	}

Modified: head/crypto/openssl/crypto/ec/ec_ameth.c
==============================================================================
--- head/crypto/openssl/crypto/ec/ec_ameth.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/ec/ec_ameth.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -352,6 +352,7 @@ static int eckey_priv_encode(PKCS8_PRIV_
 		EC_KEY_set_enc_flags(ec_key, old_flags);
 		OPENSSL_free(ep);
 		ECerr(EC_F_ECKEY_PRIV_ENCODE, ERR_R_EC_LIB);
+		return 0;
 	}
 	/* restore old encoding flags */
 	EC_KEY_set_enc_flags(ec_key, old_flags);

Modified: head/crypto/openssl/crypto/ec/ec_asn1.c
==============================================================================
--- head/crypto/openssl/crypto/ec/ec_asn1.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/ec/ec_asn1.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -1435,8 +1435,11 @@ int i2o_ECPublicKey(EC_KEY *a, unsigned 
 				*out, buf_len, NULL))
 		{
 		ECerr(EC_F_I2O_ECPUBLICKEY, ERR_R_EC_LIB);
-		OPENSSL_free(*out);
-		*out = NULL;
+		if (new_buffer)
+			{
+			OPENSSL_free(*out);
+			*out = NULL;
+			}
 		return 0;
 		}
 	if (!new_buffer)

Modified: head/crypto/openssl/crypto/ec/ec_lcl.h
==============================================================================
--- head/crypto/openssl/crypto/ec/ec_lcl.h	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/ec/ec_lcl.h	Mon Jun  9 05:50:57 2014	(r267256)
@@ -404,7 +404,7 @@ int ec_GF2m_simple_mul(const EC_GROUP *g
 int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
 int ec_GF2m_have_precompute_mult(const EC_GROUP *group);
 
-#ifndef OPENSSL_EC_NISTP_64_GCC_128
+#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 /* method functions in ecp_nistp224.c */
 int ec_GFp_nistp224_group_init(EC_GROUP *group);
 int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *);

Modified: head/crypto/openssl/crypto/evp/bio_b64.c
==============================================================================
--- head/crypto/openssl/crypto/evp/bio_b64.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/evp/bio_b64.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -226,6 +226,7 @@ static int b64_read(BIO *b, char *out, i
 		else if (ctx->start)
 			{
 			q=p=(unsigned char *)ctx->tmp;
+			num = 0;
 			for (j=0; j<i; j++)
 				{
 				if (*(q++) != '\n') continue;

Modified: head/crypto/openssl/crypto/evp/encode.c
==============================================================================
--- head/crypto/openssl/crypto/evp/encode.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/evp/encode.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -324,6 +324,7 @@ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx
 				v=EVP_DecodeBlock(out,d,n);
 				n=0;
 				if (v < 0) { rv=0; goto end; }
+				if (eof > v) { rv=-1; goto end; }
 				ret+=(v-eof);
 				}
 			else

Modified: head/crypto/openssl/crypto/opensslv.h
==============================================================================
--- head/crypto/openssl/crypto/opensslv.h	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/opensslv.h	Mon Jun  9 05:50:57 2014	(r267256)
@@ -25,11 +25,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x1000107fL
+#define OPENSSL_VERSION_NUMBER	0x1000108fL
 #ifdef OPENSSL_FIPS
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1g-fips 7 Apr 2014"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1h-fips 5 Jun 2014"
 #else
-#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1g-freebsd 7 Apr 2014"
+#define OPENSSL_VERSION_TEXT	"OpenSSL 1.0.1h-freebsd 5 Jun 2014"
 #endif
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 

Modified: head/crypto/openssl/crypto/pkcs12/p12_crt.c
==============================================================================
--- head/crypto/openssl/crypto/pkcs12/p12_crt.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/pkcs12/p12_crt.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -96,7 +96,11 @@ PKCS12 *PKCS12_create(char *pass, char *
 			nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 		else
 #endif
+#ifdef OPENSSL_NO_RC2
+		nid_cert = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+#else
 		nid_cert = NID_pbe_WithSHA1And40BitRC2_CBC;
+#endif
 		}
 	if (!nid_key)
 		nid_key = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
@@ -286,7 +290,11 @@ int PKCS12_add_safe(STACK_OF(PKCS7) **ps
 		free_safes = 0;
 
 	if (nid_safe == 0)
+#ifdef OPENSSL_NO_RC2
+		nid_safe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+#else
 		nid_safe = NID_pbe_WithSHA1And40BitRC2_CBC;
+#endif
 
 	if (nid_safe == -1)
 		p7 = PKCS12_pack_p7data(bags);

Modified: head/crypto/openssl/crypto/pkcs12/p12_kiss.c
==============================================================================
--- head/crypto/openssl/crypto/pkcs12/p12_kiss.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/pkcs12/p12_kiss.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -269,7 +269,7 @@ static int parse_bag(PKCS12_SAFEBAG *bag
 			int len, r;
 			unsigned char *data;
 			len = ASN1_STRING_to_UTF8(&data, fname);
-			if(len > 0) {
+			if(len >= 0) {
 				r = X509_alias_set1(x509, data, len);
 				OPENSSL_free(data);
 				if (!r)

Modified: head/crypto/openssl/crypto/pkcs7/pk7_doit.c
==============================================================================
--- head/crypto/openssl/crypto/pkcs7/pk7_doit.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/pkcs7/pk7_doit.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -440,6 +440,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKE
 		{
 	case NID_pkcs7_signed:
 		data_body=PKCS7_get_octet_string(p7->d.sign->contents);
+		if (!PKCS7_is_detached(p7) && data_body == NULL)
+			{
+			PKCS7err(PKCS7_F_PKCS7_DATADECODE,PKCS7_R_INVALID_SIGNED_DATA_TYPE);
+			goto err;
+			}
 		md_sk=p7->d.sign->md_algs;
 		break;
 	case NID_pkcs7_signedAndEnveloped:
@@ -928,6 +933,7 @@ int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_
 	if (EVP_DigestSignUpdate(&mctx,abuf,alen) <= 0)
 		goto err;
 	OPENSSL_free(abuf);
+	abuf = NULL;
 	if (EVP_DigestSignFinal(&mctx, NULL, &siglen) <= 0)
 		goto err;
 	abuf = OPENSSL_malloc(siglen);

Modified: head/crypto/openssl/crypto/pkcs7/pkcs7.h
==============================================================================
--- head/crypto/openssl/crypto/pkcs7/pkcs7.h	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/pkcs7/pkcs7.h	Mon Jun  9 05:50:57 2014	(r267256)
@@ -453,6 +453,7 @@ void ERR_load_PKCS7_strings(void);
 #define PKCS7_R_ERROR_SETTING_CIPHER			 121
 #define PKCS7_R_INVALID_MIME_TYPE			 131
 #define PKCS7_R_INVALID_NULL_POINTER			 143
+#define PKCS7_R_INVALID_SIGNED_DATA_TYPE		 155
 #define PKCS7_R_MIME_NO_CONTENT_TYPE			 132
 #define PKCS7_R_MIME_PARSE_ERROR			 133
 #define PKCS7_R_MIME_SIG_PARSE_ERROR			 134

Modified: head/crypto/openssl/crypto/pkcs7/pkcs7err.c
==============================================================================
--- head/crypto/openssl/crypto/pkcs7/pkcs7err.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/pkcs7/pkcs7err.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -1,6 +1,6 @@
 /* crypto/pkcs7/pkcs7err.c */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -130,6 +130,7 @@ static ERR_STRING_DATA PKCS7_str_reasons
 {ERR_REASON(PKCS7_R_ERROR_SETTING_CIPHER),"error setting cipher"},
 {ERR_REASON(PKCS7_R_INVALID_MIME_TYPE)   ,"invalid mime type"},
 {ERR_REASON(PKCS7_R_INVALID_NULL_POINTER),"invalid null pointer"},
+{ERR_REASON(PKCS7_R_INVALID_SIGNED_DATA_TYPE),"invalid signed data type"},
 {ERR_REASON(PKCS7_R_MIME_NO_CONTENT_TYPE),"mime no content type"},
 {ERR_REASON(PKCS7_R_MIME_PARSE_ERROR)    ,"mime parse error"},
 {ERR_REASON(PKCS7_R_MIME_SIG_PARSE_ERROR),"mime sig parse error"},

Modified: head/crypto/openssl/crypto/rsa/rsa_ameth.c
==============================================================================
--- head/crypto/openssl/crypto/rsa/rsa_ameth.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/rsa/rsa_ameth.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -358,7 +358,7 @@ static int rsa_pss_param_print(BIO *bp, 
 		if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0)
 			goto err;
 		}
-	else if (BIO_puts(bp, "0x14 (default)") <= 0)
+	else if (BIO_puts(bp, "14 (default)") <= 0)
 		goto err;
 	BIO_puts(bp, "\n");
 

Modified: head/crypto/openssl/crypto/srp/srp_vfy.c
==============================================================================
--- head/crypto/openssl/crypto/srp/srp_vfy.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/srp/srp_vfy.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -93,6 +93,9 @@ static int t_fromb64(unsigned char *a, c
 		else a[i] = loc - b64table;
 		++i;
 		}
+	/* if nothing valid to process we have a zero length response */
+	if (i == 0)
+		return 0;
 	size = i;
 	i = size - 1;
 	j = size;

Modified: head/crypto/openssl/crypto/ts/ts_rsp_verify.c
==============================================================================
--- head/crypto/openssl/crypto/ts/ts_rsp_verify.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/ts/ts_rsp_verify.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -629,6 +629,7 @@ static int TS_compute_imprint(BIO *data,
 	X509_ALGOR_free(*md_alg);
 	OPENSSL_free(*imprint);
 	*imprint_len = 0;
+	*imprint = NULL;
 	return 0;
 	}
 

Modified: head/crypto/openssl/crypto/x509v3/v3_purp.c
==============================================================================
--- head/crypto/openssl/crypto/x509v3/v3_purp.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/crypto/x509v3/v3_purp.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -389,8 +389,8 @@ static void x509v3_cache_extensions(X509
 	/* Handle proxy certificates */
 	if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
 		if (x->ex_flags & EXFLAG_CA
-		    || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
-		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
+		    || X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0
+		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) {
 			x->ex_flags |= EXFLAG_INVALID;
 		}
 		if (pci->pcPathLengthConstraint) {
@@ -670,7 +670,7 @@ static int check_purpose_timestamp_sign(
 		return 0;
 
 	/* Extended Key Usage MUST be critical */
-	i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, 0);
+	i_ext = X509_get_ext_by_NID((X509 *) x, NID_ext_key_usage, -1);
 	if (i_ext >= 0)
 		{
 		X509_EXTENSION *ext = X509_get_ext((X509 *) x, i_ext);

Modified: head/crypto/openssl/doc/apps/cms.pod
==============================================================================
--- head/crypto/openssl/doc/apps/cms.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/apps/cms.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -90,6 +90,11 @@ decrypt mail using the supplied certific
 encrypted mail message in MIME format for the input file. The decrypted mail
 is written to the output file.
 
+=item B<-debug_decrypt>
+
+this option sets the B<CMS_DEBUG_DECRYPT> flag. This option should be used
+with caution: see the notes section below.
+
 =item B<-sign>
 
 sign mail using the supplied certificate and private key. Input file is
@@ -446,6 +451,16 @@ Streaming is always used for the B<-sign
 since the content is no longer part of the CMS structure the encoding
 remains DER.
 
+If the B<-decrypt> option is used without a recipient certificate then an
+attempt is made to locate the recipient by trying each potential recipient
+in turn using the supplied private key. To thwart the MMA attack
+(Bleichenbacher's attack on PKCS #1 v1.5 RSA padding) all recipients are
+tried whether they succeed or not and if no recipients match the message
+is "decrypted" using a random key which will typically output garbage. 
+The B<-debug_decrypt> option can be used to disable the MMA attack protection
+and return an error if no recipient can be found: this option should be used
+with caution. For a fuller description see L<CMS_decrypt(3)|CMS_decrypt(3)>).
+
 =head1 EXIT CODES
 
 =over 4

Modified: head/crypto/openssl/doc/apps/enc.pod
==============================================================================
--- head/crypto/openssl/doc/apps/enc.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/apps/enc.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -215,6 +215,10 @@ unsupported options (for example B<opens
 list of ciphers, supported by your versesion of OpenSSL, including
 ones provided by configured engines.
 
+The B<enc> program does not support authenticated encryption modes
+like CCM and GCM. The utility does not store or retrieve the
+authentication tag.
+
 
  base64             Base 64
 

Modified: head/crypto/openssl/doc/apps/s_server.pod
==============================================================================
--- head/crypto/openssl/doc/apps/s_server.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/apps/s_server.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -44,6 +44,7 @@ B<openssl> B<s_server>
 [B<-no_ssl3>]
 [B<-no_tls1>]
 [B<-no_dhe>]
+[B<-no_ecdhe>]
 [B<-bugs>]
 [B<-hack>]
 [B<-www>]
@@ -131,6 +132,11 @@ a static set of parameters hard coded in
 if this option is set then no DH parameters will be loaded effectively
 disabling the ephemeral DH cipher suites.
 
+=item B<-no_ecdhe>
+
+if this option is set then no ECDH parameters will be loaded effectively
+disabling the ephemeral ECDH cipher suites.
+
 =item B<-no_tmp_rsa>
 
 certain export cipher suites sometimes use a temporary RSA key, this option

Modified: head/crypto/openssl/doc/apps/smime.pod
==============================================================================
--- head/crypto/openssl/doc/apps/smime.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/apps/smime.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -159,7 +159,7 @@ EVP_get_cipherbyname() function) can als
 example B<-aes_128_cbc>. See L<B<enc>|enc(1)> for list of ciphers
 supported by your version of OpenSSL.
 
-If not specified 40 bit RC2 is used. Only used with B<-encrypt>.
+If not specified triple DES is used. Only used with B<-encrypt>.
 
 =item B<-nointern>
 

Modified: head/crypto/openssl/doc/apps/verify.pod
==============================================================================
--- head/crypto/openssl/doc/apps/verify.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/apps/verify.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -25,6 +25,7 @@ B<openssl> B<verify>
 [B<-untrusted file>]
 [B<-help>]
 [B<-issuer_checks>]
+[B<-attime timestamp>]
 [B<-verbose>]
 [B<->]
 [certificates]
@@ -80,6 +81,12 @@ rejected. The presence of rejection mess
 anything is wrong; during the normal verification process, several
 rejections may take place.
 
+=item B<-attime timestamp>
+
+Perform validation checks using time specified by B<timestamp> and not
+current system time. B<timestamp> is the number of seconds since
+01.01.1970 (UNIX time).
+
 =item B<-policy arg>
 
 Enable policy processing and add B<arg> to the user-initial-policy-set (see
@@ -386,7 +393,7 @@ an application specific error. Unused.
 
 =head1 BUGS
 
-Although the issuer checks are a considerably improvement over the old technique they still
+Although the issuer checks are a considerable improvement over the old technique they still
 suffer from limitations in the underlying X509_LOOKUP API. One consequence of this is that
 trusted certificates with matching subject name must either appear in a file (as specified by the
 B<-CAfile> option) or a directory (as specified by B<-CApath>. If they occur in both then only

Modified: head/crypto/openssl/doc/apps/version.pod
==============================================================================
--- head/crypto/openssl/doc/apps/version.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/apps/version.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -13,6 +13,7 @@ B<openssl version>
 [B<-o>]
 [B<-f>]
 [B<-p>]
+[B<-d>]
 
 =head1 DESCRIPTION
 
@@ -38,7 +39,7 @@ the date the current version of OpenSSL 
 
 option information: various options set when the library was built.
 
-=item B<-c>
+=item B<-f>
 
 compilation flags.
 

Modified: head/crypto/openssl/doc/apps/x509v3_config.pod
==============================================================================
--- head/crypto/openssl/doc/apps/x509v3_config.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/apps/x509v3_config.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -301,7 +301,7 @@ Example:
  O=Organisation
  CN=Some Name
 
- 
+
 =head2 Certificate Policies.
 
 This is a I<raw> extension. All the fields of this extension can be set by
@@ -390,7 +390,7 @@ Examples:
  nameConstraints=permitted;email:.somedomain.com
 
  nameConstraints=excluded;email:.com
-issuingDistributionPoint = idp_section
+
 
 =head2 OCSP No Check
 

Modified: head/crypto/openssl/doc/crypto/CMS_decrypt.pod
==============================================================================
--- head/crypto/openssl/doc/crypto/CMS_decrypt.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/crypto/CMS_decrypt.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -27,7 +27,21 @@ function or errors about unknown algorit
 
 Although the recipients certificate is not needed to decrypt the data it is
 needed to locate the appropriate (of possible several) recipients in the CMS
-structure. If B<cert> is set to NULL all possible recipients are tried.
+structure.
+
+If B<cert> is set to NULL all possible recipients are tried. This case however
+is problematic. To thwart the MMA attack (Bleichenbacher's attack on
+PKCS #1 v1.5 RSA padding) all recipients are tried whether they succeed or
+not. If no recipient succeeds then a random symmetric key is used to decrypt
+the content: this will typically output garbage and may (but is not guaranteed
+to) ultimately return a padding error only. If CMS_decrypt() just returned an
+error when all recipient encrypted keys failed to decrypt an attacker could
+use this in a timing attack. If the special flag B<CMS_DEBUG_DECRYPT> is set
+then the above behaviour is modified and an error B<is> returned if no
+recipient encrypted key can be decrypted B<without> generating a random
+content encryption key. Applications should use this flag with
+B<extreme caution> especially in automated gateways as it can leave them
+open to attack.
 
 It is possible to determine the correct recipient key by other means (for
 example looking them up in a database) and setting them in the CMS structure

Modified: head/crypto/openssl/doc/crypto/CONF_modules_free.pod
==============================================================================
--- head/crypto/openssl/doc/crypto/CONF_modules_free.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/crypto/CONF_modules_free.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -37,7 +37,7 @@ None of the functions return a value.
 =head1 SEE ALSO
 
 L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
-L<CONF_modules_load_file(3), CONF_modules_load_file(3)>
+L<CONF_modules_load_file(3)|CONF_modules_load_file(3)>
 
 =head1 HISTORY
 

Modified: head/crypto/openssl/doc/crypto/CONF_modules_load_file.pod
==============================================================================
--- head/crypto/openssl/doc/crypto/CONF_modules_load_file.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/crypto/CONF_modules_load_file.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -51,7 +51,7 @@ return value of the failing module (this
 =head1 SEE ALSO
 
 L<conf(5)|conf(5)>, L<OPENSSL_config(3)|OPENSSL_config(3)>,
-L<CONF_free(3), CONF_free(3)>, L<err(3),err(3)>
+L<CONF_free(3)|CONF_free(3)>, L<err(3)|err(3)>
 
 =head1 HISTORY
 

Modified: head/crypto/openssl/doc/crypto/OPENSSL_config.pod
==============================================================================
--- head/crypto/openssl/doc/crypto/OPENSSL_config.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/crypto/OPENSSL_config.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -73,7 +73,7 @@ Neither OPENSSL_config() nor OPENSSL_no_
 =head1 SEE ALSO
 
 L<conf(5)|conf(5)>, L<CONF_load_modules_file(3)|CONF_load_modules_file(3)>,
-L<CONF_modules_free(3),CONF_modules_free(3)>
+L<CONF_modules_free(3)|CONF_modules_free(3)>
 
 =head1 HISTORY
 

Modified: head/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod
==============================================================================
--- head/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/crypto/X509_NAME_ENTRY_get_object.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -65,7 +65,7 @@ set first so the relevant field informat
 =head1 SEE ALSO
 
 L<ERR_get_error(3)|ERR_get_error(3)>, L<d2i_X509_NAME(3)|d2i_X509_NAME(3)>,
-L<OBJ_nid2obj(3),OBJ_nid2obj(3)>
+L<OBJ_nid2obj(3)|OBJ_nid2obj(3)>
 
 =head1 HISTORY
 

Modified: head/crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod
==============================================================================
--- head/crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/crypto/X509_STORE_CTX_get_ex_new_index.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -15,7 +15,7 @@ X509_STORE_CTX_get_ex_new_index, X509_ST
 
  int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *d, int idx, void *arg);
 
- char *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *d, int idx);
+ void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *d, int idx);
 
 =head1 DESCRIPTION
 

Modified: head/crypto/openssl/doc/fingerprints.txt
==============================================================================
--- head/crypto/openssl/doc/fingerprints.txt	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/fingerprints.txt	Mon Jun  9 05:50:57 2014	(r267256)
@@ -21,6 +21,13 @@ pub   2048R/F295C759 1998-12-13
       Key fingerprint = D0 5D 8C 61 6E 27 E6 60  41 EC B1 B8 D5 7E E5 97
 uid                  Dr S N Henson <shenson@drh-consultancy.demon.co.uk>
 
+pub   4096R/FA40E9E2 2005-03-19
+      Key fingerprint = 6260 5AA4 334A F9F0 DDE5  D349 D357 7507 FA40 E9E2
+uid                  Dr Stephen Henson <shenson@opensslfoundation.com>
+uid                  Dr Stephen Henson <shenson@drh-consultancy.co.uk>
+uid                  Dr Stephen N Henson <steve@openssl.org>
+sub   4096R/8811F530 2005-03-19
+
 pub   1024R/49A563D9 1997-02-24
       Key fingerprint = 7B 79 19 FA 71 6B 87 25  0E 77 21 E5 52 D9 83 BF
 uid                  Mark Cox <mjc@redhat.com>

Modified: head/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod
==============================================================================
--- head/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/ssl/SSL_CTX_set_msg_callback.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -11,8 +11,8 @@ SSL_CTX_set_msg_callback, SSL_CTX_set_ms
  void SSL_CTX_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
  void SSL_CTX_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
 
- void SSL_set_msg_callback(SSL_CTX *ctx, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
- void SSL_set_msg_callback_arg(SSL_CTX *ctx, void *arg);
+ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg));
+ void SSL_set_msg_callback_arg(SSL *ssl, void *arg);
 
 =head1 DESCRIPTION
 

Modified: head/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
==============================================================================
--- head/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -112,6 +112,12 @@ vulnerability affecting CBC ciphers, whi
 broken SSL implementations.  This option has no effect for connections
 using other ciphers.
 
+=item SSL_OP_TLSEXT_PADDING
+
+Adds a padding extension to ensure the ClientHello size is never between
+256 and 511 bytes in length. This is needed as a workaround for some
+implementations.
+
 =item SSL_OP_ALL
 
 All of the above bug workarounds.

Modified: head/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod
==============================================================================
--- head/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/doc/ssl/SSL_get_peer_cert_chain.pod	Mon Jun  9 05:50:57 2014	(r267256)
@@ -8,11 +8,11 @@ SSL_get_peer_cert_chain - get the X509 c
 
  #include <openssl/ssl.h>
 
- STACKOF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
+ STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *ssl);
 
 =head1 DESCRIPTION
 
-SSL_get_peer_cert_chain() returns a pointer to STACKOF(X509) certificates
+SSL_get_peer_cert_chain() returns a pointer to STACK_OF(X509) certificates
 forming the certificate chain of the peer. If called on the client side,
 the stack also contains the peer's certificate; if called on the server
 side, the peer's certificate must be obtained separately using
@@ -24,7 +24,7 @@ If the peer did not present a certificat
 The peer certificate chain is not necessarily available after reusing
 a session, in which case a NULL pointer is returned.
 
-The reference count of the STACKOF(X509) object is not incremented.
+The reference count of the STACK_OF(X509) object is not incremented.
 If the corresponding session is freed, the pointer must not be used
 any longer.
 
@@ -39,7 +39,7 @@ The following return values can occur:
 No certificate was presented by the peer or no connection was established
 or the certificate chain is no longer available when a session is reused.
 
-=item Pointer to a STACKOF(X509)
+=item Pointer to a STACK_OF(X509)
 
 The return value points to the certificate chain presented by the peer.
 

Modified: head/crypto/openssl/engines/ccgost/gost_ameth.c
==============================================================================
--- head/crypto/openssl/engines/ccgost/gost_ameth.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/engines/ccgost/gost_ameth.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -269,7 +269,7 @@ static int pkey_ctrl_gost(EVP_PKEY *pkey
 		case ASN1_PKEY_CTRL_CMS_ENVELOPE:
 			if (arg1 == 0)
 				{
-				X509_ALGOR *alg;
+				X509_ALGOR *alg = NULL;
 				ASN1_STRING * params = encode_gost_algor_params(pkey);
 				if (!params) 
 					{

Modified: head/crypto/openssl/ssl/Makefile
==============================================================================
--- head/crypto/openssl/ssl/Makefile	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/ssl/Makefile	Mon Jun  9 05:50:57 2014	(r267256)
@@ -15,7 +15,7 @@ KRB5_INCLUDES=
 CFLAGS= $(INCLUDES) $(CFLAG)
 
 GENERAL=Makefile README ssl-lib.com install.com
-TEST=ssltest.c
+TEST=ssltest.c heartbeat_test.c
 APPS=
 
 LIB=$(TOP)/libssl.a

Modified: head/crypto/openssl/ssl/d1_both.c
==============================================================================
--- head/crypto/openssl/ssl/d1_both.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/ssl/d1_both.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -683,8 +683,8 @@ dtls1_reassemble_fragment(SSL *s, struct
 		item = pitem_new(seq64be, frag);
 		if (item == NULL)
 			{
-			goto err;
 			i = -1;
+			goto err;
 			}
 
 		pqueue_insert(s->d1->buffered_messages, item);

Modified: head/crypto/openssl/ssl/d1_lib.c
==============================================================================
--- head/crypto/openssl/ssl/d1_lib.c	Mon Jun  9 03:38:03 2014	(r267255)
+++ head/crypto/openssl/ssl/d1_lib.c	Mon Jun  9 05:50:57 2014	(r267256)
@@ -176,9 +176,12 @@ static void dtls1_clear_queues(SSL *s)
 
 	while ( (item = pqueue_pop(s->d1->buffered_app_data.q)) != NULL)
 		{
-		frag = (hm_fragment *)item->data;

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201406090550.s595owlV000465>