Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 9 Jan 2015 00:58:21 +0000 (UTC)
From:      Jung-uk Kim <jkim@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org
Subject:   svn commit: r276864 - in stable/10: crypto/openssl crypto/openssl/apps crypto/openssl/crypto crypto/openssl/crypto/aes/asm crypto/openssl/crypto/asn1 crypto/openssl/crypto/bio crypto/openssl/crypto...
Message-ID:  <201501090058.t090wLUV011747@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: jkim
Date: Fri Jan  9 00:58:20 2015
New Revision: 276864
URL: https://svnweb.freebsd.org/changeset/base/276864

Log:
  MFC:		r276861, r276863
  
  Merge OpenSSL 1.0.1k.

Added:
  stable/10/crypto/openssl/util/mkbuildinf.pl
     - copied, changed from r276861, head/crypto/openssl/util/mkbuildinf.pl
Deleted:
  stable/10/crypto/openssl/crypto/bn/asm/mips3.s
Modified:
  stable/10/crypto/openssl/CHANGES
  stable/10/crypto/openssl/Configure
  stable/10/crypto/openssl/Makefile
  stable/10/crypto/openssl/NEWS
  stable/10/crypto/openssl/README
  stable/10/crypto/openssl/apps/ca.c
  stable/10/crypto/openssl/apps/dgst.c
  stable/10/crypto/openssl/apps/ocsp.c
  stable/10/crypto/openssl/apps/openssl.c
  stable/10/crypto/openssl/apps/s_client.c
  stable/10/crypto/openssl/apps/s_server.c
  stable/10/crypto/openssl/apps/s_time.c
  stable/10/crypto/openssl/apps/speed.c
  stable/10/crypto/openssl/crypto/Makefile
  stable/10/crypto/openssl/crypto/aes/asm/aes-mips.pl
  stable/10/crypto/openssl/crypto/asn1/a_bitstr.c
  stable/10/crypto/openssl/crypto/asn1/a_type.c
  stable/10/crypto/openssl/crypto/asn1/a_verify.c
  stable/10/crypto/openssl/crypto/asn1/asn1.h
  stable/10/crypto/openssl/crypto/asn1/asn1_err.c
  stable/10/crypto/openssl/crypto/asn1/tasn_dec.c
  stable/10/crypto/openssl/crypto/asn1/x_algor.c
  stable/10/crypto/openssl/crypto/asn1/x_name.c
  stable/10/crypto/openssl/crypto/bio/bio.h
  stable/10/crypto/openssl/crypto/bio/bss_dgram.c
  stable/10/crypto/openssl/crypto/bn/asm/mips.pl
  stable/10/crypto/openssl/crypto/bn/asm/x86_64-gcc.c
  stable/10/crypto/openssl/crypto/bn/bn.h
  stable/10/crypto/openssl/crypto/bn/bn_asm.c
  stable/10/crypto/openssl/crypto/bn/bn_ctx.c
  stable/10/crypto/openssl/crypto/bn/bn_div.c
  stable/10/crypto/openssl/crypto/bn/bntest.c
  stable/10/crypto/openssl/crypto/constant_time_locl.h
  stable/10/crypto/openssl/crypto/cversion.c
  stable/10/crypto/openssl/crypto/dsa/dsa_asn1.c
  stable/10/crypto/openssl/crypto/dso/dso_dlfcn.c
  stable/10/crypto/openssl/crypto/ec/ec_lib.c
  stable/10/crypto/openssl/crypto/ec/ec_mult.c
  stable/10/crypto/openssl/crypto/ec/ec_pmeth.c
  stable/10/crypto/openssl/crypto/ec/ecp_nistp256.c
  stable/10/crypto/openssl/crypto/ec/ectest.c
  stable/10/crypto/openssl/crypto/ecdsa/Makefile
  stable/10/crypto/openssl/crypto/ecdsa/ecs_vrf.c
  stable/10/crypto/openssl/crypto/engine/eng_dyn.c
  stable/10/crypto/openssl/crypto/evp/Makefile
  stable/10/crypto/openssl/crypto/evp/e_des3.c
  stable/10/crypto/openssl/crypto/evp/evp_enc.c
  stable/10/crypto/openssl/crypto/md32_common.h
  stable/10/crypto/openssl/crypto/mem.c
  stable/10/crypto/openssl/crypto/objects/obj_xref.h
  stable/10/crypto/openssl/crypto/objects/objxref.pl
  stable/10/crypto/openssl/crypto/opensslv.h
  stable/10/crypto/openssl/crypto/sha/asm/sha1-mips.pl
  stable/10/crypto/openssl/crypto/sha/asm/sha512-mips.pl
  stable/10/crypto/openssl/crypto/ts/ts_rsp_sign.c
  stable/10/crypto/openssl/crypto/x509/x509.h
  stable/10/crypto/openssl/crypto/x509/x509_vpm.c
  stable/10/crypto/openssl/crypto/x509/x_all.c
  stable/10/crypto/openssl/doc/HOWTO/certificates.txt
  stable/10/crypto/openssl/doc/HOWTO/proxy_certificates.txt
  stable/10/crypto/openssl/doc/apps/dgst.pod
  stable/10/crypto/openssl/doc/apps/ocsp.pod
  stable/10/crypto/openssl/doc/crypto/EVP_EncryptInit.pod
  stable/10/crypto/openssl/doc/crypto/EVP_PKEY_encrypt.pod
  stable/10/crypto/openssl/doc/crypto/X509_NAME_add_entry_by_txt.pod
  stable/10/crypto/openssl/doc/crypto/X509_NAME_get_index_by_NID.pod
  stable/10/crypto/openssl/doc/ssl/SSL_CTX_set_mode.pod
  stable/10/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
  stable/10/crypto/openssl/doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod
  stable/10/crypto/openssl/e_os.h
  stable/10/crypto/openssl/engines/e_padlock.c
  stable/10/crypto/openssl/ssl/d1_both.c
  stable/10/crypto/openssl/ssl/d1_clnt.c
  stable/10/crypto/openssl/ssl/d1_enc.c
  stable/10/crypto/openssl/ssl/d1_lib.c
  stable/10/crypto/openssl/ssl/d1_pkt.c
  stable/10/crypto/openssl/ssl/d1_srvr.c
  stable/10/crypto/openssl/ssl/dtls1.h
  stable/10/crypto/openssl/ssl/kssl.c
  stable/10/crypto/openssl/ssl/s23_srvr.c
  stable/10/crypto/openssl/ssl/s2_enc.c
  stable/10/crypto/openssl/ssl/s2_pkt.c
  stable/10/crypto/openssl/ssl/s2_srvr.c
  stable/10/crypto/openssl/ssl/s3_both.c
  stable/10/crypto/openssl/ssl/s3_clnt.c
  stable/10/crypto/openssl/ssl/s3_enc.c
  stable/10/crypto/openssl/ssl/s3_lib.c
  stable/10/crypto/openssl/ssl/s3_meth.c
  stable/10/crypto/openssl/ssl/s3_pkt.c
  stable/10/crypto/openssl/ssl/s3_srvr.c
  stable/10/crypto/openssl/ssl/srtp.h
  stable/10/crypto/openssl/ssl/ssl.h
  stable/10/crypto/openssl/ssl/ssl3.h
  stable/10/crypto/openssl/ssl/ssl_cert.c
  stable/10/crypto/openssl/ssl/ssl_ciph.c
  stable/10/crypto/openssl/ssl/ssl_lib.c
  stable/10/crypto/openssl/ssl/ssl_locl.h
  stable/10/crypto/openssl/ssl/ssl_sess.c
  stable/10/crypto/openssl/ssl/ssltest.c
  stable/10/crypto/openssl/ssl/t1_enc.c
  stable/10/crypto/openssl/ssl/t1_lib.c
  stable/10/crypto/openssl/util/libeay.num
  stable/10/crypto/openssl/util/mk1mf.pl
  stable/10/crypto/openssl/util/mkdef.pl
  stable/10/crypto/openssl/util/pl/netware.pl
  stable/10/crypto/openssl/util/ssleay.num
  stable/10/secure/lib/libcrypto/Makefile.inc
  stable/10/secure/lib/libcrypto/man/ASN1_OBJECT_new.3
  stable/10/secure/lib/libcrypto/man/ASN1_STRING_length.3
  stable/10/secure/lib/libcrypto/man/ASN1_STRING_new.3
  stable/10/secure/lib/libcrypto/man/ASN1_STRING_print_ex.3
  stable/10/secure/lib/libcrypto/man/ASN1_generate_nconf.3
  stable/10/secure/lib/libcrypto/man/BIO_ctrl.3
  stable/10/secure/lib/libcrypto/man/BIO_f_base64.3
  stable/10/secure/lib/libcrypto/man/BIO_f_buffer.3
  stable/10/secure/lib/libcrypto/man/BIO_f_cipher.3
  stable/10/secure/lib/libcrypto/man/BIO_f_md.3
  stable/10/secure/lib/libcrypto/man/BIO_f_null.3
  stable/10/secure/lib/libcrypto/man/BIO_f_ssl.3
  stable/10/secure/lib/libcrypto/man/BIO_find_type.3
  stable/10/secure/lib/libcrypto/man/BIO_new.3
  stable/10/secure/lib/libcrypto/man/BIO_new_CMS.3
  stable/10/secure/lib/libcrypto/man/BIO_push.3
  stable/10/secure/lib/libcrypto/man/BIO_read.3
  stable/10/secure/lib/libcrypto/man/BIO_s_accept.3
  stable/10/secure/lib/libcrypto/man/BIO_s_bio.3
  stable/10/secure/lib/libcrypto/man/BIO_s_connect.3
  stable/10/secure/lib/libcrypto/man/BIO_s_fd.3
  stable/10/secure/lib/libcrypto/man/BIO_s_file.3
  stable/10/secure/lib/libcrypto/man/BIO_s_mem.3
  stable/10/secure/lib/libcrypto/man/BIO_s_null.3
  stable/10/secure/lib/libcrypto/man/BIO_s_socket.3
  stable/10/secure/lib/libcrypto/man/BIO_set_callback.3
  stable/10/secure/lib/libcrypto/man/BIO_should_retry.3
  stable/10/secure/lib/libcrypto/man/BN_BLINDING_new.3
  stable/10/secure/lib/libcrypto/man/BN_CTX_new.3
  stable/10/secure/lib/libcrypto/man/BN_CTX_start.3
  stable/10/secure/lib/libcrypto/man/BN_add.3
  stable/10/secure/lib/libcrypto/man/BN_add_word.3
  stable/10/secure/lib/libcrypto/man/BN_bn2bin.3
  stable/10/secure/lib/libcrypto/man/BN_cmp.3
  stable/10/secure/lib/libcrypto/man/BN_copy.3
  stable/10/secure/lib/libcrypto/man/BN_generate_prime.3
  stable/10/secure/lib/libcrypto/man/BN_mod_inverse.3
  stable/10/secure/lib/libcrypto/man/BN_mod_mul_montgomery.3
  stable/10/secure/lib/libcrypto/man/BN_mod_mul_reciprocal.3
  stable/10/secure/lib/libcrypto/man/BN_new.3
  stable/10/secure/lib/libcrypto/man/BN_num_bytes.3
  stable/10/secure/lib/libcrypto/man/BN_rand.3
  stable/10/secure/lib/libcrypto/man/BN_set_bit.3
  stable/10/secure/lib/libcrypto/man/BN_swap.3
  stable/10/secure/lib/libcrypto/man/BN_zero.3
  stable/10/secure/lib/libcrypto/man/CMS_add0_cert.3
  stable/10/secure/lib/libcrypto/man/CMS_add1_recipient_cert.3
  stable/10/secure/lib/libcrypto/man/CMS_add1_signer.3
  stable/10/secure/lib/libcrypto/man/CMS_compress.3
  stable/10/secure/lib/libcrypto/man/CMS_decrypt.3
  stable/10/secure/lib/libcrypto/man/CMS_encrypt.3
  stable/10/secure/lib/libcrypto/man/CMS_final.3
  stable/10/secure/lib/libcrypto/man/CMS_get0_RecipientInfos.3
  stable/10/secure/lib/libcrypto/man/CMS_get0_SignerInfos.3
  stable/10/secure/lib/libcrypto/man/CMS_get0_type.3
  stable/10/secure/lib/libcrypto/man/CMS_get1_ReceiptRequest.3
  stable/10/secure/lib/libcrypto/man/CMS_sign.3
  stable/10/secure/lib/libcrypto/man/CMS_sign_receipt.3
  stable/10/secure/lib/libcrypto/man/CMS_uncompress.3
  stable/10/secure/lib/libcrypto/man/CMS_verify.3
  stable/10/secure/lib/libcrypto/man/CMS_verify_receipt.3
  stable/10/secure/lib/libcrypto/man/CONF_modules_free.3
  stable/10/secure/lib/libcrypto/man/CONF_modules_load_file.3
  stable/10/secure/lib/libcrypto/man/CRYPTO_set_ex_data.3
  stable/10/secure/lib/libcrypto/man/DH_generate_key.3
  stable/10/secure/lib/libcrypto/man/DH_generate_parameters.3
  stable/10/secure/lib/libcrypto/man/DH_get_ex_new_index.3
  stable/10/secure/lib/libcrypto/man/DH_new.3
  stable/10/secure/lib/libcrypto/man/DH_set_method.3
  stable/10/secure/lib/libcrypto/man/DH_size.3
  stable/10/secure/lib/libcrypto/man/DSA_SIG_new.3
  stable/10/secure/lib/libcrypto/man/DSA_do_sign.3
  stable/10/secure/lib/libcrypto/man/DSA_dup_DH.3
  stable/10/secure/lib/libcrypto/man/DSA_generate_key.3
  stable/10/secure/lib/libcrypto/man/DSA_generate_parameters.3
  stable/10/secure/lib/libcrypto/man/DSA_get_ex_new_index.3
  stable/10/secure/lib/libcrypto/man/DSA_new.3
  stable/10/secure/lib/libcrypto/man/DSA_set_method.3
  stable/10/secure/lib/libcrypto/man/DSA_sign.3
  stable/10/secure/lib/libcrypto/man/DSA_size.3
  stable/10/secure/lib/libcrypto/man/ERR_GET_LIB.3
  stable/10/secure/lib/libcrypto/man/ERR_clear_error.3
  stable/10/secure/lib/libcrypto/man/ERR_error_string.3
  stable/10/secure/lib/libcrypto/man/ERR_get_error.3
  stable/10/secure/lib/libcrypto/man/ERR_load_crypto_strings.3
  stable/10/secure/lib/libcrypto/man/ERR_load_strings.3
  stable/10/secure/lib/libcrypto/man/ERR_print_errors.3
  stable/10/secure/lib/libcrypto/man/ERR_put_error.3
  stable/10/secure/lib/libcrypto/man/ERR_remove_state.3
  stable/10/secure/lib/libcrypto/man/ERR_set_mark.3
  stable/10/secure/lib/libcrypto/man/EVP_BytesToKey.3
  stable/10/secure/lib/libcrypto/man/EVP_DigestInit.3
  stable/10/secure/lib/libcrypto/man/EVP_DigestSignInit.3
  stable/10/secure/lib/libcrypto/man/EVP_DigestVerifyInit.3
  stable/10/secure/lib/libcrypto/man/EVP_EncryptInit.3
  stable/10/secure/lib/libcrypto/man/EVP_OpenInit.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_CTX_ctrl.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_CTX_new.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_cmp.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_decrypt.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_derive.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_encrypt.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_get_default_digest.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_keygen.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_new.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_print_private.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_set1_RSA.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_sign.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_verify.3
  stable/10/secure/lib/libcrypto/man/EVP_PKEY_verify_recover.3
  stable/10/secure/lib/libcrypto/man/EVP_SealInit.3
  stable/10/secure/lib/libcrypto/man/EVP_SignInit.3
  stable/10/secure/lib/libcrypto/man/EVP_VerifyInit.3
  stable/10/secure/lib/libcrypto/man/OBJ_nid2obj.3
  stable/10/secure/lib/libcrypto/man/OPENSSL_Applink.3
  stable/10/secure/lib/libcrypto/man/OPENSSL_VERSION_NUMBER.3
  stable/10/secure/lib/libcrypto/man/OPENSSL_config.3
  stable/10/secure/lib/libcrypto/man/OPENSSL_ia32cap.3
  stable/10/secure/lib/libcrypto/man/OPENSSL_load_builtin_modules.3
  stable/10/secure/lib/libcrypto/man/OpenSSL_add_all_algorithms.3
  stable/10/secure/lib/libcrypto/man/PEM_write_bio_CMS_stream.3
  stable/10/secure/lib/libcrypto/man/PEM_write_bio_PKCS7_stream.3
  stable/10/secure/lib/libcrypto/man/PKCS12_create.3
  stable/10/secure/lib/libcrypto/man/PKCS12_parse.3
  stable/10/secure/lib/libcrypto/man/PKCS7_decrypt.3
  stable/10/secure/lib/libcrypto/man/PKCS7_encrypt.3
  stable/10/secure/lib/libcrypto/man/PKCS7_sign.3
  stable/10/secure/lib/libcrypto/man/PKCS7_sign_add_signer.3
  stable/10/secure/lib/libcrypto/man/PKCS7_verify.3
  stable/10/secure/lib/libcrypto/man/RAND_add.3
  stable/10/secure/lib/libcrypto/man/RAND_bytes.3
  stable/10/secure/lib/libcrypto/man/RAND_cleanup.3
  stable/10/secure/lib/libcrypto/man/RAND_egd.3
  stable/10/secure/lib/libcrypto/man/RAND_load_file.3
  stable/10/secure/lib/libcrypto/man/RAND_set_rand_method.3
  stable/10/secure/lib/libcrypto/man/RSA_blinding_on.3
  stable/10/secure/lib/libcrypto/man/RSA_check_key.3
  stable/10/secure/lib/libcrypto/man/RSA_generate_key.3
  stable/10/secure/lib/libcrypto/man/RSA_get_ex_new_index.3
  stable/10/secure/lib/libcrypto/man/RSA_new.3
  stable/10/secure/lib/libcrypto/man/RSA_padding_add_PKCS1_type_1.3
  stable/10/secure/lib/libcrypto/man/RSA_print.3
  stable/10/secure/lib/libcrypto/man/RSA_private_encrypt.3
  stable/10/secure/lib/libcrypto/man/RSA_public_encrypt.3
  stable/10/secure/lib/libcrypto/man/RSA_set_method.3
  stable/10/secure/lib/libcrypto/man/RSA_sign.3
  stable/10/secure/lib/libcrypto/man/RSA_sign_ASN1_OCTET_STRING.3
  stable/10/secure/lib/libcrypto/man/RSA_size.3
  stable/10/secure/lib/libcrypto/man/SMIME_read_CMS.3
  stable/10/secure/lib/libcrypto/man/SMIME_read_PKCS7.3
  stable/10/secure/lib/libcrypto/man/SMIME_write_CMS.3
  stable/10/secure/lib/libcrypto/man/SMIME_write_PKCS7.3
  stable/10/secure/lib/libcrypto/man/X509_NAME_ENTRY_get_object.3
  stable/10/secure/lib/libcrypto/man/X509_NAME_add_entry_by_txt.3
  stable/10/secure/lib/libcrypto/man/X509_NAME_get_index_by_NID.3
  stable/10/secure/lib/libcrypto/man/X509_NAME_print_ex.3
  stable/10/secure/lib/libcrypto/man/X509_STORE_CTX_get_error.3
  stable/10/secure/lib/libcrypto/man/X509_STORE_CTX_get_ex_new_index.3
  stable/10/secure/lib/libcrypto/man/X509_STORE_CTX_new.3
  stable/10/secure/lib/libcrypto/man/X509_STORE_CTX_set_verify_cb.3
  stable/10/secure/lib/libcrypto/man/X509_STORE_set_verify_cb_func.3
  stable/10/secure/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3
  stable/10/secure/lib/libcrypto/man/X509_new.3
  stable/10/secure/lib/libcrypto/man/X509_verify_cert.3
  stable/10/secure/lib/libcrypto/man/bio.3
  stable/10/secure/lib/libcrypto/man/blowfish.3
  stable/10/secure/lib/libcrypto/man/bn.3
  stable/10/secure/lib/libcrypto/man/bn_internal.3
  stable/10/secure/lib/libcrypto/man/buffer.3
  stable/10/secure/lib/libcrypto/man/crypto.3
  stable/10/secure/lib/libcrypto/man/d2i_ASN1_OBJECT.3
  stable/10/secure/lib/libcrypto/man/d2i_DHparams.3
  stable/10/secure/lib/libcrypto/man/d2i_DSAPublicKey.3
  stable/10/secure/lib/libcrypto/man/d2i_PKCS8PrivateKey.3
  stable/10/secure/lib/libcrypto/man/d2i_RSAPublicKey.3
  stable/10/secure/lib/libcrypto/man/d2i_X509.3
  stable/10/secure/lib/libcrypto/man/d2i_X509_ALGOR.3
  stable/10/secure/lib/libcrypto/man/d2i_X509_CRL.3
  stable/10/secure/lib/libcrypto/man/d2i_X509_NAME.3
  stable/10/secure/lib/libcrypto/man/d2i_X509_REQ.3
  stable/10/secure/lib/libcrypto/man/d2i_X509_SIG.3
  stable/10/secure/lib/libcrypto/man/des.3
  stable/10/secure/lib/libcrypto/man/dh.3
  stable/10/secure/lib/libcrypto/man/dsa.3
  stable/10/secure/lib/libcrypto/man/ecdsa.3
  stable/10/secure/lib/libcrypto/man/engine.3
  stable/10/secure/lib/libcrypto/man/err.3
  stable/10/secure/lib/libcrypto/man/evp.3
  stable/10/secure/lib/libcrypto/man/hmac.3
  stable/10/secure/lib/libcrypto/man/i2d_CMS_bio_stream.3
  stable/10/secure/lib/libcrypto/man/i2d_PKCS7_bio_stream.3
  stable/10/secure/lib/libcrypto/man/lh_stats.3
  stable/10/secure/lib/libcrypto/man/lhash.3
  stable/10/secure/lib/libcrypto/man/md5.3
  stable/10/secure/lib/libcrypto/man/mdc2.3
  stable/10/secure/lib/libcrypto/man/pem.3
  stable/10/secure/lib/libcrypto/man/rand.3
  stable/10/secure/lib/libcrypto/man/rc4.3
  stable/10/secure/lib/libcrypto/man/ripemd.3
  stable/10/secure/lib/libcrypto/man/rsa.3
  stable/10/secure/lib/libcrypto/man/sha.3
  stable/10/secure/lib/libcrypto/man/threads.3
  stable/10/secure/lib/libcrypto/man/ui.3
  stable/10/secure/lib/libcrypto/man/ui_compat.3
  stable/10/secure/lib/libcrypto/man/x509.3
  stable/10/secure/lib/libssl/man/SSL_CIPHER_get_name.3
  stable/10/secure/lib/libssl/man/SSL_COMP_add_compression_method.3
  stable/10/secure/lib/libssl/man/SSL_CTX_add_extra_chain_cert.3
  stable/10/secure/lib/libssl/man/SSL_CTX_add_session.3
  stable/10/secure/lib/libssl/man/SSL_CTX_ctrl.3
  stable/10/secure/lib/libssl/man/SSL_CTX_flush_sessions.3
  stable/10/secure/lib/libssl/man/SSL_CTX_free.3
  stable/10/secure/lib/libssl/man/SSL_CTX_get_ex_new_index.3
  stable/10/secure/lib/libssl/man/SSL_CTX_get_verify_mode.3
  stable/10/secure/lib/libssl/man/SSL_CTX_load_verify_locations.3
  stable/10/secure/lib/libssl/man/SSL_CTX_new.3
  stable/10/secure/lib/libssl/man/SSL_CTX_sess_number.3
  stable/10/secure/lib/libssl/man/SSL_CTX_sess_set_cache_size.3
  stable/10/secure/lib/libssl/man/SSL_CTX_sess_set_get_cb.3
  stable/10/secure/lib/libssl/man/SSL_CTX_sessions.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_cert_store.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_cert_verify_callback.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_cipher_list.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_client_CA_list.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_client_cert_cb.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_default_passwd_cb.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_generate_session_id.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_info_callback.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_max_cert_list.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_mode.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_msg_callback.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_options.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_psk_client_callback.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_quiet_shutdown.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_session_cache_mode.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_session_id_context.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_ssl_version.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_timeout.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_tlsext_ticket_key_cb.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_tmp_dh_callback.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_tmp_rsa_callback.3
  stable/10/secure/lib/libssl/man/SSL_CTX_set_verify.3
  stable/10/secure/lib/libssl/man/SSL_CTX_use_certificate.3
  stable/10/secure/lib/libssl/man/SSL_CTX_use_psk_identity_hint.3
  stable/10/secure/lib/libssl/man/SSL_SESSION_free.3
  stable/10/secure/lib/libssl/man/SSL_SESSION_get_ex_new_index.3
  stable/10/secure/lib/libssl/man/SSL_SESSION_get_time.3
  stable/10/secure/lib/libssl/man/SSL_accept.3
  stable/10/secure/lib/libssl/man/SSL_alert_type_string.3
  stable/10/secure/lib/libssl/man/SSL_clear.3
  stable/10/secure/lib/libssl/man/SSL_connect.3
  stable/10/secure/lib/libssl/man/SSL_do_handshake.3
  stable/10/secure/lib/libssl/man/SSL_free.3
  stable/10/secure/lib/libssl/man/SSL_get_SSL_CTX.3
  stable/10/secure/lib/libssl/man/SSL_get_ciphers.3
  stable/10/secure/lib/libssl/man/SSL_get_client_CA_list.3
  stable/10/secure/lib/libssl/man/SSL_get_current_cipher.3
  stable/10/secure/lib/libssl/man/SSL_get_default_timeout.3
  stable/10/secure/lib/libssl/man/SSL_get_error.3
  stable/10/secure/lib/libssl/man/SSL_get_ex_data_X509_STORE_CTX_idx.3
  stable/10/secure/lib/libssl/man/SSL_get_ex_new_index.3
  stable/10/secure/lib/libssl/man/SSL_get_fd.3
  stable/10/secure/lib/libssl/man/SSL_get_peer_cert_chain.3
  stable/10/secure/lib/libssl/man/SSL_get_peer_certificate.3
  stable/10/secure/lib/libssl/man/SSL_get_psk_identity.3
  stable/10/secure/lib/libssl/man/SSL_get_rbio.3
  stable/10/secure/lib/libssl/man/SSL_get_session.3
  stable/10/secure/lib/libssl/man/SSL_get_verify_result.3
  stable/10/secure/lib/libssl/man/SSL_get_version.3
  stable/10/secure/lib/libssl/man/SSL_library_init.3
  stable/10/secure/lib/libssl/man/SSL_load_client_CA_file.3
  stable/10/secure/lib/libssl/man/SSL_new.3
  stable/10/secure/lib/libssl/man/SSL_pending.3
  stable/10/secure/lib/libssl/man/SSL_read.3
  stable/10/secure/lib/libssl/man/SSL_rstate_string.3
  stable/10/secure/lib/libssl/man/SSL_session_reused.3
  stable/10/secure/lib/libssl/man/SSL_set_bio.3
  stable/10/secure/lib/libssl/man/SSL_set_connect_state.3
  stable/10/secure/lib/libssl/man/SSL_set_fd.3
  stable/10/secure/lib/libssl/man/SSL_set_session.3
  stable/10/secure/lib/libssl/man/SSL_set_shutdown.3
  stable/10/secure/lib/libssl/man/SSL_set_verify_result.3
  stable/10/secure/lib/libssl/man/SSL_shutdown.3
  stable/10/secure/lib/libssl/man/SSL_state_string.3
  stable/10/secure/lib/libssl/man/SSL_want.3
  stable/10/secure/lib/libssl/man/SSL_write.3
  stable/10/secure/lib/libssl/man/d2i_SSL_SESSION.3
  stable/10/secure/lib/libssl/man/ssl.3
  stable/10/secure/usr.bin/openssl/man/CA.pl.1
  stable/10/secure/usr.bin/openssl/man/asn1parse.1
  stable/10/secure/usr.bin/openssl/man/c_rehash.1
  stable/10/secure/usr.bin/openssl/man/ca.1
  stable/10/secure/usr.bin/openssl/man/ciphers.1
  stable/10/secure/usr.bin/openssl/man/cms.1
  stable/10/secure/usr.bin/openssl/man/crl.1
  stable/10/secure/usr.bin/openssl/man/crl2pkcs7.1
  stable/10/secure/usr.bin/openssl/man/dgst.1
  stable/10/secure/usr.bin/openssl/man/dhparam.1
  stable/10/secure/usr.bin/openssl/man/dsa.1
  stable/10/secure/usr.bin/openssl/man/dsaparam.1
  stable/10/secure/usr.bin/openssl/man/ec.1
  stable/10/secure/usr.bin/openssl/man/ecparam.1
  stable/10/secure/usr.bin/openssl/man/enc.1
  stable/10/secure/usr.bin/openssl/man/errstr.1
  stable/10/secure/usr.bin/openssl/man/gendsa.1
  stable/10/secure/usr.bin/openssl/man/genpkey.1
  stable/10/secure/usr.bin/openssl/man/genrsa.1
  stable/10/secure/usr.bin/openssl/man/nseq.1
  stable/10/secure/usr.bin/openssl/man/ocsp.1
  stable/10/secure/usr.bin/openssl/man/openssl.1
  stable/10/secure/usr.bin/openssl/man/passwd.1
  stable/10/secure/usr.bin/openssl/man/pkcs12.1
  stable/10/secure/usr.bin/openssl/man/pkcs7.1
  stable/10/secure/usr.bin/openssl/man/pkcs8.1
  stable/10/secure/usr.bin/openssl/man/pkey.1
  stable/10/secure/usr.bin/openssl/man/pkeyparam.1
  stable/10/secure/usr.bin/openssl/man/pkeyutl.1
  stable/10/secure/usr.bin/openssl/man/rand.1
  stable/10/secure/usr.bin/openssl/man/req.1
  stable/10/secure/usr.bin/openssl/man/rsa.1
  stable/10/secure/usr.bin/openssl/man/rsautl.1
  stable/10/secure/usr.bin/openssl/man/s_client.1
  stable/10/secure/usr.bin/openssl/man/s_server.1
  stable/10/secure/usr.bin/openssl/man/s_time.1
  stable/10/secure/usr.bin/openssl/man/sess_id.1
  stable/10/secure/usr.bin/openssl/man/smime.1
  stable/10/secure/usr.bin/openssl/man/speed.1
  stable/10/secure/usr.bin/openssl/man/spkac.1
  stable/10/secure/usr.bin/openssl/man/ts.1
  stable/10/secure/usr.bin/openssl/man/tsget.1
  stable/10/secure/usr.bin/openssl/man/verify.1
  stable/10/secure/usr.bin/openssl/man/version.1
  stable/10/secure/usr.bin/openssl/man/x509.1
  stable/10/secure/usr.bin/openssl/man/x509v3_config.1
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/crypto/openssl/CHANGES
==============================================================================
--- stable/10/crypto/openssl/CHANGES	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/CHANGES	Fri Jan  9 00:58:20 2015	(r276864)
@@ -2,6 +2,136 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1j and 1.0.1k [8 Jan 2015]
+
+  *) Fix DTLS segmentation fault in dtls1_get_record. A carefully crafted DTLS
+     message can cause a segmentation fault in OpenSSL due to a NULL pointer
+     dereference. This could lead to a Denial Of Service attack. Thanks to
+     Markus Stenberg of Cisco Systems, Inc. for reporting this issue.
+     (CVE-2014-3571)
+     [Steve Henson]
+
+  *) Fix DTLS memory leak in dtls1_buffer_record. A memory leak can occur in the
+     dtls1_buffer_record function under certain conditions. In particular this
+     could occur if an attacker sent repeated DTLS records with the same
+     sequence number but for the next epoch. The memory leak could be exploited
+     by an attacker in a Denial of Service attack through memory exhaustion.
+     Thanks to Chris Mueller for reporting this issue.
+     (CVE-2015-0206)
+     [Matt Caswell]
+
+  *) Fix issue where no-ssl3 configuration sets method to NULL. When openssl is
+     built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl
+     method would be set to NULL which could later result in a NULL pointer
+     dereference. Thanks to Frank Schmirler for reporting this issue.
+     (CVE-2014-3569)
+     [Kurt Roeckx]
+
+  *) Abort handshake if server key exchange message is omitted for ephemeral
+     ECDH ciphersuites.
+
+     Thanks to Karthikeyan Bhargavan of the PROSECCO team at INRIA for
+     reporting this issue.
+     (CVE-2014-3572)
+     [Steve Henson]
+
+  *) Remove non-export ephemeral RSA code on client and server. This code
+     violated the TLS standard by allowing the use of temporary RSA keys in
+     non-export ciphersuites and could be used by a server to effectively
+     downgrade the RSA key length used to a value smaller than the server
+     certificate. Thanks for Karthikeyan Bhargavan of the PROSECCO team at
+     INRIA or reporting this issue.
+     (CVE-2015-0204)
+     [Steve Henson]
+
+  *) Fixed issue where DH client certificates are accepted without verification.
+     An OpenSSL server will accept a DH certificate for client authentication
+     without the certificate verify message. This effectively allows a client to
+     authenticate without the use of a private key. This only affects servers
+     which trust a client certificate authority which issues certificates
+     containing DH keys: these are extremely rare and hardly ever encountered.
+     Thanks for Karthikeyan Bhargavan of the PROSECCO team at INRIA or reporting
+     this issue.
+     (CVE-2015-0205)
+     [Steve Henson]
+
+  *) Ensure that the session ID context of an SSL is updated when its
+     SSL_CTX is updated via SSL_set_SSL_CTX.
+
+     The session ID context is typically set from the parent SSL_CTX,
+     and can vary with the CTX.
+     [Adam Langley]
+
+  *) Fix various certificate fingerprint issues.
+
+     By using non-DER or invalid encodings outside the signed portion of a
+     certificate the fingerprint can be changed without breaking the signature.
+     Although no details of the signed portion of the certificate can be changed
+     this can cause problems with some applications: e.g. those using the
+     certificate fingerprint for blacklists.
+
+     1. Reject signatures with non zero unused bits.
+
+     If the BIT STRING containing the signature has non zero unused bits reject
+     the signature. All current signature algorithms require zero unused bits.
+
+     2. Check certificate algorithm consistency.
+
+     Check the AlgorithmIdentifier inside TBS matches the one in the
+     certificate signature. NB: this will result in signature failure
+     errors for some broken certificates.
+
+     Thanks to Konrad Kraszewski from Google for reporting this issue.
+
+     3. Check DSA/ECDSA signatures use DER.
+
+     Reencode DSA/ECDSA signatures and compare with the original received
+     signature. Return an error if there is a mismatch.
+
+     This will reject various cases including garbage after signature
+     (thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
+     program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
+     (negative or with leading zeroes).
+
+     Further analysis was conducted and fixes were developed by Stephen Henson
+     of the OpenSSL core team.
+
+     (CVE-2014-8275)
+     [Steve Henson]
+
+   *) Correct Bignum squaring. Bignum squaring (BN_sqr) may produce incorrect
+      results on some platforms, including x86_64. This bug occurs at random
+      with a very low probability, and is not known to be exploitable in any
+      way, though its exact impact is difficult to determine. Thanks to Pieter
+      Wuille (Blockstream) who reported this issue and also suggested an initial
+      fix. Further analysis was conducted by the OpenSSL development team and
+      Adam Langley of Google. The final fix was developed by Andy Polyakov of
+      the OpenSSL core team.
+      (CVE-2014-3570)
+      [Andy Polyakov]
+
+   *) Do not resume sessions on the server if the negotiated protocol
+      version does not match the session's version. Resuming with a different
+      version, while not strictly forbidden by the RFC, is of questionable
+      sanity and breaks all known clients.
+      [David Benjamin, Emilia Käsper]
+
+   *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
+      early CCS messages during renegotiation. (Note that because
+      renegotiation is encrypted, this early CCS was not exploitable.)
+      [Emilia Käsper]
+
+   *) Tighten client-side session ticket handling during renegotiation:
+      ensure that the client only accepts a session ticket if the server sends
+      the extension anew in the ServerHello. Previously, a TLS client would
+      reuse the old extension state and thus accept a session ticket if one was
+      announced in the initial ServerHello.
+
+      Similarly, ensure that the client requires a session ticket if one
+      was advertised in the ServerHello. Previously, a TLS client would
+      ignore a missing NewSessionTicket message.
+      [Emilia Käsper]
+
  Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
 
   *) SRTP Memory Leak.

Modified: stable/10/crypto/openssl/Configure
==============================================================================
--- stable/10/crypto/openssl/Configure	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/Configure	Fri Jan  9 00:58:20 2015	(r276864)
@@ -804,6 +804,11 @@ PROCESS_ARGS:
 					{
 					$disabled{"tls1"} = "option(tls)"
 					}
+				elsif ($1 eq "ssl3-method")
+					{
+					$disabled{"ssl3-method"} = "option(ssl)";
+					$disabled{"ssl3"} = "option(ssl)";
+					}
 				else
 					{
 					$disabled{$1} = "option";

Modified: stable/10/crypto/openssl/Makefile
==============================================================================
--- stable/10/crypto/openssl/Makefile	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/Makefile	Fri Jan  9 00:58:20 2015	(r276864)
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.1j
+VERSION=1.0.1k
 MAJOR=1
 MINOR=0.1
 SHLIB_VERSION_NUMBER=1.0.0

Modified: stable/10/crypto/openssl/NEWS
==============================================================================
--- stable/10/crypto/openssl/NEWS	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/NEWS	Fri Jan  9 00:58:20 2015	(r276864)
@@ -5,6 +5,17 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
+
+      o Fix for CVE-2014-3571
+      o Fix for CVE-2015-0206
+      o Fix for CVE-2014-3569
+      o Fix for CVE-2014-3572
+      o Fix for CVE-2015-0204
+      o Fix for CVE-2015-0205
+      o Fix for CVE-2014-8275
+      o Fix for CVE-2014-3570
+
   Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
 
       o Fix for CVE-2014-3513

Modified: stable/10/crypto/openssl/README
==============================================================================
--- stable/10/crypto/openssl/README	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/README	Fri Jan  9 00:58:20 2015	(r276864)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1j 15 Oct 2014
+ OpenSSL 1.0.1k 8 Jan 2015
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

Modified: stable/10/crypto/openssl/apps/ca.c
==============================================================================
--- stable/10/crypto/openssl/apps/ca.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/apps/ca.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -703,7 +703,7 @@ bad:
 		ERR_clear_error();
 #ifdef RL_DEBUG
 	if (!p)
-		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
+		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n");
 #endif
 #ifdef RL_DEBUG
 	BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",

Modified: stable/10/crypto/openssl/apps/dgst.c
==============================================================================
--- stable/10/crypto/openssl/apps/dgst.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/apps/dgst.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -273,6 +273,8 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err,"-d              to output debug info\n");
 		BIO_printf(bio_err,"-hex            output as hex dump\n");
 		BIO_printf(bio_err,"-binary         output in binary form\n");
+		BIO_printf(bio_err,"-hmac arg       set the HMAC key to arg\n");
+		BIO_printf(bio_err,"-non-fips-allow allow use of non FIPS digest\n");
 		BIO_printf(bio_err,"-sign   file    sign digest using private key in file\n");
 		BIO_printf(bio_err,"-verify file    verify a signature using public key in file\n");
 		BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");

Modified: stable/10/crypto/openssl/apps/ocsp.c
==============================================================================
--- stable/10/crypto/openssl/apps/ocsp.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/apps/ocsp.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -583,51 +583,52 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "OCSP utility\n");
 		BIO_printf (bio_err, "Usage ocsp [options]\n");
 		BIO_printf (bio_err, "where options are\n");
-		BIO_printf (bio_err, "-out file          output filename\n");
-		BIO_printf (bio_err, "-issuer file       issuer certificate\n");
-		BIO_printf (bio_err, "-cert file         certificate to check\n");
-		BIO_printf (bio_err, "-serial n          serial number to check\n");
-		BIO_printf (bio_err, "-signer file       certificate to sign OCSP request with\n");
-		BIO_printf (bio_err, "-signkey file      private key to sign OCSP request with\n");
-		BIO_printf (bio_err, "-sign_other file   additional certificates to include in signed request\n");
-		BIO_printf (bio_err, "-no_certs          don't include any certificates in signed request\n");
-		BIO_printf (bio_err, "-req_text          print text form of request\n");
-		BIO_printf (bio_err, "-resp_text         print text form of response\n");
-		BIO_printf (bio_err, "-text              print text form of request and response\n");
-		BIO_printf (bio_err, "-reqout file       write DER encoded OCSP request to \"file\"\n");
-		BIO_printf (bio_err, "-respout file      write DER encoded OCSP reponse to \"file\"\n");
-		BIO_printf (bio_err, "-reqin file        read DER encoded OCSP request from \"file\"\n");
-		BIO_printf (bio_err, "-respin file       read DER encoded OCSP reponse from \"file\"\n");
-		BIO_printf (bio_err, "-nonce             add OCSP nonce to request\n");
-		BIO_printf (bio_err, "-no_nonce          don't add OCSP nonce to request\n");
-		BIO_printf (bio_err, "-url URL           OCSP responder URL\n");
-		BIO_printf (bio_err, "-host host:n       send OCSP request to host on port n\n");
-		BIO_printf (bio_err, "-path              path to use in OCSP request\n");
-		BIO_printf (bio_err, "-CApath dir        trusted certificates directory\n");
-		BIO_printf (bio_err, "-CAfile file       trusted certificates file\n");
-		BIO_printf (bio_err, "-VAfile file       validator certificates file\n");
-		BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
-		BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
-		BIO_printf (bio_err, "-noverify          don't verify response at all\n");
-		BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
-		BIO_printf (bio_err, "-trust_other       don't verify additional certificates\n");
-		BIO_printf (bio_err, "-no_intern         don't search certificates contained in response for signer\n");
+		BIO_printf (bio_err, "-out file            output filename\n");
+		BIO_printf (bio_err, "-issuer file         issuer certificate\n");
+		BIO_printf (bio_err, "-cert file           certificate to check\n");
+		BIO_printf (bio_err, "-serial n            serial number to check\n");
+		BIO_printf (bio_err, "-signer file         certificate to sign OCSP request with\n");
+		BIO_printf (bio_err, "-signkey file        private key to sign OCSP request with\n");
+		BIO_printf (bio_err, "-sign_other file     additional certificates to include in signed request\n");
+		BIO_printf (bio_err, "-no_certs            don't include any certificates in signed request\n");
+		BIO_printf (bio_err, "-req_text            print text form of request\n");
+		BIO_printf (bio_err, "-resp_text           print text form of response\n");
+		BIO_printf (bio_err, "-text                print text form of request and response\n");
+		BIO_printf (bio_err, "-reqout file         write DER encoded OCSP request to \"file\"\n");
+		BIO_printf (bio_err, "-respout file        write DER encoded OCSP reponse to \"file\"\n");
+		BIO_printf (bio_err, "-reqin file          read DER encoded OCSP request from \"file\"\n");
+		BIO_printf (bio_err, "-respin file         read DER encoded OCSP reponse from \"file\"\n");
+		BIO_printf (bio_err, "-nonce               add OCSP nonce to request\n");
+		BIO_printf (bio_err, "-no_nonce            don't add OCSP nonce to request\n");
+		BIO_printf (bio_err, "-url URL             OCSP responder URL\n");
+		BIO_printf (bio_err, "-host host:n         send OCSP request to host on port n\n");
+		BIO_printf (bio_err, "-path                path to use in OCSP request\n");
+		BIO_printf (bio_err, "-CApath dir          trusted certificates directory\n");
+		BIO_printf (bio_err, "-CAfile file         trusted certificates file\n");
+		BIO_printf (bio_err, "-VAfile file         validator certificates file\n");
+		BIO_printf (bio_err, "-validity_period n   maximum validity discrepancy in seconds\n");
+		BIO_printf (bio_err, "-status_age n        maximum status age in seconds\n");
+		BIO_printf (bio_err, "-noverify            don't verify response at all\n");
+		BIO_printf (bio_err, "-verify_other file   additional certificates to search for signer\n");
+		BIO_printf (bio_err, "-trust_other         don't verify additional certificates\n");
+		BIO_printf (bio_err, "-no_intern           don't search certificates contained in response for signer\n");
 		BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
-		BIO_printf (bio_err, "-no_cert_verify    don't check signing certificate\n");
-		BIO_printf (bio_err, "-no_chain          don't chain verify response\n");
-		BIO_printf (bio_err, "-no_cert_checks    don't do additional checks on signing certificate\n");
-		BIO_printf (bio_err, "-port num		 port to run responder on\n");
-		BIO_printf (bio_err, "-index file	 certificate status index file\n");
-		BIO_printf (bio_err, "-CA file		 CA certificate\n");
-		BIO_printf (bio_err, "-rsigner file	 responder certificate to sign responses with\n");
-		BIO_printf (bio_err, "-rkey file	 responder key to sign responses with\n");
-		BIO_printf (bio_err, "-rother file	 other certificates to include in response\n");
-		BIO_printf (bio_err, "-resp_no_certs     don't include any certificates in response\n");
-		BIO_printf (bio_err, "-nmin n	 	 number of minutes before next update\n");
-		BIO_printf (bio_err, "-ndays n	 	 number of days before next update\n");
-		BIO_printf (bio_err, "-resp_key_id       identify reponse by signing certificate key ID\n");
-		BIO_printf (bio_err, "-nrequest n        number of requests to accept (default unlimited)\n");
-		BIO_printf (bio_err, "-<dgst alg>     use specified digest in the request\n");
+		BIO_printf (bio_err, "-no_cert_verify      don't check signing certificate\n");
+		BIO_printf (bio_err, "-no_chain            don't chain verify response\n");
+		BIO_printf (bio_err, "-no_cert_checks      don't do additional checks on signing certificate\n");
+		BIO_printf (bio_err, "-port num            port to run responder on\n");
+		BIO_printf (bio_err, "-index file          certificate status index file\n");
+		BIO_printf (bio_err, "-CA file             CA certificate\n");
+		BIO_printf (bio_err, "-rsigner file        responder certificate to sign responses with\n");
+		BIO_printf (bio_err, "-rkey file           responder key to sign responses with\n");
+		BIO_printf (bio_err, "-rother file         other certificates to include in response\n");
+		BIO_printf (bio_err, "-resp_no_certs       don't include any certificates in response\n");
+		BIO_printf (bio_err, "-nmin n              number of minutes before next update\n");
+		BIO_printf (bio_err, "-ndays n             number of days before next update\n");
+		BIO_printf (bio_err, "-resp_key_id         identify reponse by signing certificate key ID\n");
+		BIO_printf (bio_err, "-nrequest n          number of requests to accept (default unlimited)\n");
+		BIO_printf (bio_err, "-<dgst alg>          use specified digest in the request\n");
+		BIO_printf (bio_err, "-timeout n           timeout connection to OCSP responder after n seconds\n");
 		goto end;
 		}
 
@@ -1398,16 +1399,7 @@ OCSP_RESPONSE *process_responder(BIO *er
 	if (use_ssl == 1)
 		{
 		BIO *sbio;
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 		ctx = SSL_CTX_new(SSLv23_client_method());
-#elif !defined(OPENSSL_NO_SSL3)
-		ctx = SSL_CTX_new(SSLv3_client_method());
-#elif !defined(OPENSSL_NO_SSL2)
-		ctx = SSL_CTX_new(SSLv2_client_method());
-#else
-		BIO_printf(err, "SSL is disabled\n");
-			goto end;
-#endif
 		if (ctx == NULL)
 			{
 			BIO_printf(err, "Error creating SSL context.\n");

Modified: stable/10/crypto/openssl/apps/openssl.c
==============================================================================
--- stable/10/crypto/openssl/apps/openssl.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/apps/openssl.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -435,9 +435,7 @@ end:
 	if (prog != NULL) lh_FUNCTION_free(prog);
 	if (arg.data != NULL) OPENSSL_free(arg.data);
 
-	apps_shutdown();
 
-	CRYPTO_mem_leaks(bio_err);
 	if (bio_err != NULL)
 		{
 		BIO_free(bio_err);
@@ -450,6 +448,9 @@ end:
 		OPENSSL_free(Argv);
 		}
 #endif
+	apps_shutdown();
+	CRYPTO_mem_leaks(bio_err);
+
 	OPENSSL_EXIT(ret);
 	}
 

Modified: stable/10/crypto/openssl/apps/s_client.c
==============================================================================
--- stable/10/crypto/openssl/apps/s_client.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/apps/s_client.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -329,10 +329,12 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -srppass arg      - password for 'user'\n");
 	BIO_printf(bio_err," -srp_lateuser     - SRP username into second ClientHello message\n");
 	BIO_printf(bio_err," -srp_moregroups   - Tolerate other than the known g N values.\n");
-	BIO_printf(bio_err," -srp_strength int - minimal mength in bits for N (default %d).\n",SRP_MINIMAL_N);
+	BIO_printf(bio_err," -srp_strength int - minimal length in bits for N (default %d).\n",SRP_MINIMAL_N);
 #endif
 	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
+#ifndef OPENSSL_NO_SSL3_METHOD
 	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
+#endif
 	BIO_printf(bio_err," -tls1_2       - just use TLSv1.2\n");
 	BIO_printf(bio_err," -tls1_1       - just use TLSv1.1\n");
 	BIO_printf(bio_err," -tls1         - just use TLSv1\n");
@@ -807,7 +809,7 @@ int MAIN(int argc, char **argv)
 		else if	(strcmp(*argv,"-ssl2") == 0)
 			meth=SSLv2_client_method();
 #endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
 		else if	(strcmp(*argv,"-ssl3") == 0)
 			meth=SSLv3_client_method();
 #endif
@@ -1319,10 +1321,22 @@ re_start:
 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
 			}
 
-		if (socket_mtu > 28)
+		if (socket_mtu)
 			{
+			if(socket_mtu < DTLS_get_link_min_mtu(con))
+				{
+				BIO_printf(bio_err,"MTU too small. Must be at least %ld\n",
+					DTLS_get_link_min_mtu(con));
+				BIO_free(sbio);
+				goto shut;
+				}
 			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
-			SSL_set_mtu(con, socket_mtu - 28);
+			if(!DTLS_set_link_mtu(con, socket_mtu))
+				{
+				BIO_printf(bio_err, "Failed to set MTU\n");
+				BIO_free(sbio);
+				goto shut;
+				}
 			}
 		else
 			/* want to do MTU discovery */

Modified: stable/10/crypto/openssl/apps/s_server.c
==============================================================================
--- stable/10/crypto/openssl/apps/s_server.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/apps/s_server.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -515,7 +515,9 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n");
 #endif
 	BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
+#ifndef OPENSSL_NO_SSL3_METHOD
 	BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
+#endif
 	BIO_printf(bio_err," -tls1_2       - Just talk TLSv1.2\n");
 	BIO_printf(bio_err," -tls1_1       - Just talk TLSv1.1\n");
 	BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
@@ -1251,7 +1253,7 @@ int MAIN(int argc, char *argv[])
 		else if	(strcmp(*argv,"-ssl2") == 0)
 			{ meth=SSLv2_server_method(); }
 #endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
 		else if	(strcmp(*argv,"-ssl3") == 0)
 			{ meth=SSLv3_server_method(); }
 #endif
@@ -2049,10 +2051,24 @@ static int sv_body(char *hostname, int s
 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
 			}
 
-		if (socket_mtu > 28)
+		if (socket_mtu)
 			{
+			if(socket_mtu < DTLS_get_link_min_mtu(con))
+				{
+				BIO_printf(bio_err,"MTU too small. Must be at least %ld\n",
+					DTLS_get_link_min_mtu(con));
+				ret = -1;
+				BIO_free(sbio);
+				goto err;
+				}
 			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
-			SSL_set_mtu(con, socket_mtu - 28);
+			if(!DTLS_set_link_mtu(con, socket_mtu))
+				{
+				BIO_printf(bio_err, "Failed to set MTU\n");
+				ret = -1;
+				BIO_free(sbio);
+				goto err;
+				}
 			}
 		else
 			/* want to do MTU discovery */

Modified: stable/10/crypto/openssl/apps/s_time.c
==============================================================================
--- stable/10/crypto/openssl/apps/s_time.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/apps/s_time.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -349,13 +349,7 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 	s_time_meth=SSLv23_client_method();
-#elif !defined(OPENSSL_NO_SSL3)
-	s_time_meth=SSLv3_client_method();
-#elif !defined(OPENSSL_NO_SSL2)
-	s_time_meth=SSLv2_client_method();
-#endif
 
 	/* parse the command line arguments */
 	if( parseArgs( argc, argv ) < 0 )

Modified: stable/10/crypto/openssl/apps/speed.c
==============================================================================
--- stable/10/crypto/openssl/apps/speed.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/apps/speed.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -225,7 +225,7 @@
 
 #undef BUFSIZE
 #define BUFSIZE	((long)1024*8+1)
-int run=0;
+static volatile int run=0;
 
 static int mr=0;
 static int usertime=1;
@@ -2739,27 +2739,6 @@ static int do_multi(int multi)
 				else
 					rsa_results[k][1]=d;
 				}
-			else if(!strncmp(buf,"+F2:",4))
-				{
-				int k;
-				double d;
-				
-				p=buf+4;
-				k=atoi(sstrsep(&p,sep));
-				sstrsep(&p,sep);
-
-				d=atof(sstrsep(&p,sep));
-				if(n)
-					rsa_results[k][0]=1/(1/rsa_results[k][0]+1/d);
-				else
-					rsa_results[k][0]=d;
-
-				d=atof(sstrsep(&p,sep));
-				if(n)
-					rsa_results[k][1]=1/(1/rsa_results[k][1]+1/d);
-				else
-					rsa_results[k][1]=d;
-				}
 #ifndef OPENSSL_NO_DSA
 			else if(!strncmp(buf,"+F3:",4))
 				{

Modified: stable/10/crypto/openssl/crypto/Makefile
==============================================================================
--- stable/10/crypto/openssl/crypto/Makefile	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/crypto/Makefile	Fri Jan  9 00:58:20 2015	(r276864)
@@ -56,12 +56,7 @@ top:
 all: shared
 
 buildinf.h: ../Makefile
-	( echo "#ifndef MK1MF_BUILD"; \
-	echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
-	echo '  #define CFLAGS "$(CC) $(CFLAG)"'; \
-	echo '  #define PLATFORM "$(PLATFORM)"'; \
-	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
-	echo '#endif' ) >buildinf.h
+	$(PERL) $(TOP)/util/mkbuildinf.pl "$(CFLAGS)" "$(PLATFORM)" >buildinf.h
 
 x86cpuid.s:	x86cpuid.pl perlasm/x86asm.pl
 	$(PERL) x86cpuid.pl $(PERLASM_SCHEME) $(CFLAGS) $(PROCESSOR) > $@

Modified: stable/10/crypto/openssl/crypto/aes/asm/aes-mips.pl
==============================================================================
--- stable/10/crypto/openssl/crypto/aes/asm/aes-mips.pl	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/crypto/aes/asm/aes-mips.pl	Fri Jan  9 00:58:20 2015	(r276864)
@@ -70,7 +70,7 @@ $pf = ($flavour =~ /nubi/i) ? $t0 : $t2;
 #
 ######################################################################
 
-$big_endian=(`echo MIPSEL | $ENV{CC} -E -P -`=~/MIPSEL/)?1:0;
+$big_endian=(`echo MIPSEL | $ENV{CC} -E -`=~/MIPSEL/)?1:0 if ($ENV{CC});
 
 for (@ARGV) {	$output=$_ if (/^\w[\w\-]*\.\w+$/);	}
 open STDOUT,">$output";

Modified: stable/10/crypto/openssl/crypto/asn1/a_bitstr.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/a_bitstr.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/crypto/asn1/a_bitstr.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -136,11 +136,16 @@ ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN
 
 	p= *pp;
 	i= *(p++);
+	if (i > 7)
+		{
+		i=ASN1_R_INVALID_BIT_STRING_BITS_LEFT;
+		goto err;
+		}
 	/* We do this to preserve the settings.  If we modify
 	 * the settings, via the _set_bit function, we will recalculate
 	 * on output */
 	ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */
-	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */
+	ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|i); /* set */
 
 	if (len-- > 1) /* using one because of the bits left byte */
 		{

Modified: stable/10/crypto/openssl/crypto/asn1/a_type.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/a_type.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/crypto/asn1/a_type.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -113,7 +113,7 @@ IMPLEMENT_STACK_OF(ASN1_TYPE)
 IMPLEMENT_ASN1_SET_OF(ASN1_TYPE)
 
 /* Returns 0 if they are equal, != 0 otherwise. */
-int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b)
+int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
 	{
 	int result = -1;
 

Modified: stable/10/crypto/openssl/crypto/asn1/a_verify.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/a_verify.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/crypto/asn1/a_verify.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -90,6 +90,12 @@ int ASN1_verify(i2d_of_void *i2d, X509_A
 		ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
 		goto err;
 		}
+
+	if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
+		{
+		ASN1err(ASN1_F_ASN1_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+		goto err;
+		}
 	
 	inl=i2d(data,NULL);
 	buf_in=OPENSSL_malloc((unsigned int)inl);
@@ -146,6 +152,12 @@ int ASN1_item_verify(const ASN1_ITEM *it
 		return -1;
 		}
 
+	if (signature->type == V_ASN1_BIT_STRING && signature->flags & 0x7)
+		{
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY, ASN1_R_INVALID_BIT_STRING_BITS_LEFT);
+		return -1;
+		}
+
 	EVP_MD_CTX_init(&ctx);
 
 	/* Convert signature OID into digest and public key OIDs */

Modified: stable/10/crypto/openssl/crypto/asn1/asn1.h
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/asn1.h	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/crypto/asn1/asn1.h	Fri Jan  9 00:58:20 2015	(r276864)
@@ -776,7 +776,7 @@ DECLARE_ASN1_FUNCTIONS_fname(ASN1_TYPE, 
 int ASN1_TYPE_get(ASN1_TYPE *a);
 void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value);
 int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value);
-int            ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b);
+int            ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b);
 
 ASN1_OBJECT *	ASN1_OBJECT_new(void );
 void		ASN1_OBJECT_free(ASN1_OBJECT *a);
@@ -1329,6 +1329,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_ILLEGAL_TIME_VALUE			 184
 #define ASN1_R_INTEGER_NOT_ASCII_FORMAT			 185
 #define ASN1_R_INTEGER_TOO_LARGE_FOR_LONG		 128
+#define ASN1_R_INVALID_BIT_STRING_BITS_LEFT		 220
 #define ASN1_R_INVALID_BMPSTRING_LENGTH			 129
 #define ASN1_R_INVALID_DIGIT				 130
 #define ASN1_R_INVALID_MIME_TYPE			 205
@@ -1378,6 +1379,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_TIME_NOT_ASCII_FORMAT			 193
 #define ASN1_R_TOO_LONG					 155
 #define ASN1_R_TYPE_NOT_CONSTRUCTED			 156
+#define ASN1_R_TYPE_NOT_PRIMITIVE			 218
 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY			 157
 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY		 158
 #define ASN1_R_UNEXPECTED_EOC				 159

Modified: stable/10/crypto/openssl/crypto/asn1/asn1_err.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/asn1_err.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/crypto/asn1/asn1_err.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -1,6 +1,6 @@
 /* crypto/asn1/asn1_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2014 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -246,6 +246,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
 {ERR_REASON(ASN1_R_ILLEGAL_TIME_VALUE)   ,"illegal time value"},
 {ERR_REASON(ASN1_R_INTEGER_NOT_ASCII_FORMAT),"integer not ascii format"},
 {ERR_REASON(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG),"integer too large for long"},
+{ERR_REASON(ASN1_R_INVALID_BIT_STRING_BITS_LEFT),"invalid bit string bits left"},
 {ERR_REASON(ASN1_R_INVALID_BMPSTRING_LENGTH),"invalid bmpstring length"},
 {ERR_REASON(ASN1_R_INVALID_DIGIT)        ,"invalid digit"},
 {ERR_REASON(ASN1_R_INVALID_MIME_TYPE)    ,"invalid mime type"},
@@ -295,6 +296,7 @@ static ERR_STRING_DATA ASN1_str_reasons[
 {ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT),"time not ascii format"},
 {ERR_REASON(ASN1_R_TOO_LONG)             ,"too long"},
 {ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) ,"type not constructed"},
+{ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE)   ,"type not primitive"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY),"unable to decode rsa key"},
 {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY),"unable to decode rsa private key"},
 {ERR_REASON(ASN1_R_UNEXPECTED_EOC)       ,"unexpected eoc"},

Modified: stable/10/crypto/openssl/crypto/asn1/tasn_dec.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/tasn_dec.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/crypto/asn1/tasn_dec.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -870,6 +870,14 @@ static int asn1_d2i_ex_primitive(ASN1_VA
 		}
 	else if (cst)
 		{
+		if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
+			|| utype == V_ASN1_OBJECT || utype == V_ASN1_INTEGER
+			|| utype == V_ASN1_ENUMERATED)
+			{
+			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+				ASN1_R_TYPE_NOT_PRIMITIVE);
+			return 0;
+			}
 		buf.length = 0;
 		buf.max = 0;
 		buf.data = NULL;

Modified: stable/10/crypto/openssl/crypto/asn1/x_algor.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/x_algor.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/crypto/asn1/x_algor.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -142,3 +142,14 @@ void X509_ALGOR_set_md(X509_ALGOR *alg, 
 	X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_MD_type(md)), param_type, NULL);
 
 	}
+
+int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b)
+	{
+	int rv;
+	rv = OBJ_cmp(a->algorithm, b->algorithm);
+	if (rv)
+		return rv;
+	if (!a->parameter && !b->parameter)
+		return 0;
+	return ASN1_TYPE_cmp(a->parameter, b->parameter);
+	}

Modified: stable/10/crypto/openssl/crypto/asn1/x_name.c
==============================================================================
--- stable/10/crypto/openssl/crypto/asn1/x_name.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/crypto/asn1/x_name.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -350,6 +350,8 @@ static int x509_name_canon(X509_NAME *a)
 			set = entry->set;
 			}
 		tmpentry = X509_NAME_ENTRY_new();
+		if (!tmpentry)
+			goto err;
 		tmpentry->object = OBJ_dup(entry->object);
 		if (!asn1_string_canon(tmpentry->value, entry->value))
 			goto err;

Modified: stable/10/crypto/openssl/crypto/bio/bio.h
==============================================================================
--- stable/10/crypto/openssl/crypto/bio/bio.h	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/crypto/bio/bio.h	Fri Jan  9 00:58:20 2015	(r276864)
@@ -175,6 +175,8 @@ extern "C" {
 #define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT   45 /* Next DTLS handshake timeout to
                                               * adjust socket timeouts */
 
+#define BIO_CTRL_DGRAM_GET_MTU_OVERHEAD   49
+
 #ifndef OPENSSL_NO_SCTP
 /* SCTP stuff */
 #define BIO_CTRL_DGRAM_SCTP_SET_IN_HANDSHAKE	50
@@ -607,6 +609,8 @@ int BIO_ctrl_reset_read_request(BIO *b);
          (int)BIO_ctrl(b, BIO_CTRL_DGRAM_GET_PEER, 0, (char *)peer)
 #define BIO_dgram_set_peer(b,peer) \
          (int)BIO_ctrl(b, BIO_CTRL_DGRAM_SET_PEER, 0, (char *)peer)
+#define BIO_dgram_get_mtu_overhead(b) \
+         (unsigned int)BIO_ctrl((b), BIO_CTRL_DGRAM_GET_MTU_OVERHEAD, 0, NULL)
 
 /* These two aren't currently implemented */
 /* int BIO_get_ex_num(BIO *bio); */

Modified: stable/10/crypto/openssl/crypto/bio/bss_dgram.c
==============================================================================
--- stable/10/crypto/openssl/crypto/bio/bss_dgram.c	Fri Jan  9 00:42:10 2015	(r276863)
+++ stable/10/crypto/openssl/crypto/bio/bss_dgram.c	Fri Jan  9 00:58:20 2015	(r276864)
@@ -454,6 +454,36 @@ static int dgram_write(BIO *b, const cha
 	return(ret);
 	}
 
+static long dgram_get_mtu_overhead(bio_dgram_data *data)
+	{
+	long ret;
+
+	switch (data->peer.sa.sa_family)
+		{
+		case AF_INET:
+			/* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */
+			ret = 28;
+			break;
+#if OPENSSL_USE_IPV6
+		case AF_INET6:
+#ifdef IN6_IS_ADDR_V4MAPPED
+			if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
+				/* Assume this is UDP - 20 bytes for IP, 8 bytes for UDP */
+				ret = 28;
+			else
+#endif
+				/* Assume this is UDP - 40 bytes for IP, 8 bytes for UDP */
+				ret = 48;
+			break;
+#endif
+		default:
+			/* We don't know. Go with the historical default */
+			ret = 28;
+			break;
+		}
+	return ret;
+	}
+
 static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
 	{
 	long ret=1;
@@ -630,23 +660,24 @@ static long dgram_ctrl(BIO *b, int cmd, 
 #endif
 		break;
 	case BIO_CTRL_DGRAM_GET_FALLBACK_MTU:
+		ret = -dgram_get_mtu_overhead(data);
 		switch (data->peer.sa.sa_family)
 			{
 			case AF_INET:
-				ret = 576 - 20 - 8;
+				ret += 576;
 				break;
 #if OPENSSL_USE_IPV6
 			case AF_INET6:
 #ifdef IN6_IS_ADDR_V4MAPPED
 				if (IN6_IS_ADDR_V4MAPPED(&data->peer.sa_in6.sin6_addr))
-					ret = 576 - 20 - 8;
+					ret += 576;
 				else
 #endif
-					ret = 1280 - 40 - 8;
+					ret += 1280;
 				break;
 #endif
 			default:
-				ret = 576 - 20 - 8;
+				ret += 576;
 				break;
 			}
 		break;
@@ -847,6 +878,9 @@ static long dgram_ctrl(BIO *b, int cmd, 
 			ret = 0;
 		break;
 #endif
+	case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
+		ret = dgram_get_mtu_overhead(data);
+		break;
 	default:
 		ret=0;
 		break;
@@ -893,10 +927,18 @@ BIO *BIO_new_dgram_sctp(int fd, int clos
 	/* Activate SCTP-AUTH for DATA and FORWARD-TSN chunks */
 	auth.sauth_chunk = OPENSSL_SCTP_DATA_CHUNK_TYPE;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 	auth.sauth_chunk = OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_AUTH_CHUNK, &auth, sizeof(struct sctp_authchunk));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	/* Test if activation was successful. When using accept(),
 	 * SCTP-AUTH has to be activated for the listening socket
@@ -905,7 +947,13 @@ BIO *BIO_new_dgram_sctp(int fd, int clos
 	authchunks = OPENSSL_malloc(sockopt_len);
 	memset(authchunks, 0, sizeof(sockopt_len));
 	ret = getsockopt(fd, IPPROTO_SCTP, SCTP_LOCAL_AUTH_CHUNKS, authchunks, &sockopt_len);
-	OPENSSL_assert(ret >= 0);
+
+	if (ret < 0)
+		{
+		OPENSSL_free(authchunks);
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	for (p = (unsigned char*) authchunks->gauth_chunks;
 	     p < (unsigned char*) authchunks + sockopt_len;
@@ -927,16 +975,28 @@ BIO *BIO_new_dgram_sctp(int fd, int clos
 	event.se_type = SCTP_AUTHENTICATION_EVENT;
 	event.se_on = 1;
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 #else
 	sockopt_len = (socklen_t) sizeof(struct sctp_event_subscribe);
 	ret = getsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, &sockopt_len);
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	event.sctp_authentication_event = 1;
 
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 #endif
 #endif
 
@@ -944,7 +1004,11 @@ BIO *BIO_new_dgram_sctp(int fd, int clos
 	 * larger than the max record size of 2^14 + 2048 + 13
 	 */
 	ret = setsockopt(fd, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT, &optval, sizeof(optval));
-	OPENSSL_assert(ret >= 0);
+	if (ret < 0)
+		{
+		BIO_vfree(bio);
+		return(NULL);
+		}
 
 	return(bio);
 	}
@@ -982,7 +1046,12 @@ static int dgram_sctp_free(BIO *a)
 		return 0;
 
 	data = (bio_dgram_sctp_data *)a->ptr;
-	if(data != NULL) OPENSSL_free(data);
+	if(data != NULL)
+		{
+		if(data->saved_message.data != NULL)
+			OPENSSL_free(data->saved_message.data);
+		OPENSSL_free(data);
+		}
 
 	return(1);
 	}
@@ -1034,6 +1103,13 @@ static int dgram_sctp_read(BIO *b, char 
 			msg.msg_flags = 0;
 			n = recvmsg(b->num, &msg, 0);
 
+			if (n <= 0)
+				{
+				if (n < 0)
+					ret = n;
+				break;
+				}
+
 			if (msg.msg_controllen > 0)
 				{
 				for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg))
@@ -1073,13 +1149,6 @@ static int dgram_sctp_read(BIO *b, char 
 					}
 				}
 
-			if (n <= 0)
-				{
-				if (n < 0)
-					ret = n;
-				break;
-				}
-
 			if (msg.msg_flags & MSG_NOTIFICATION)
 				{
 				snp = (union sctp_notification*) out;
@@ -1099,6 +1168,7 @@ static int dgram_sctp_read(BIO *b, char 
 						dgram_sctp_write(data->saved_message.bio, data->saved_message.data,
 						                 data->saved_message.length);
 						OPENSSL_free(data->saved_message.data);
+						data->saved_message.data = NULL;
 						data->saved_message.length = 0;
 						}
 
@@ -1109,16 +1179,28 @@ static int dgram_sctp_read(BIO *b, char 
 					event.se_type = SCTP_SENDER_DRY_EVENT;
 					event.se_on = 0;
 					i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENT, &event, sizeof(struct sctp_event));
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 #else
 					eventsize = sizeof(struct sctp_event_subscribe);
 					i = getsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, &eventsize);
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 
 					event.sctp_sender_dry_event = 0;
 
 					i = setsockopt(b->num, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe));
-					OPENSSL_assert(i >= 0);
+					if (i < 0)
+						{
+						ret = i;
+						break;
+						}
 #endif
 					}
 
@@ -1151,8 +1233,8 @@ static int dgram_sctp_read(BIO *b, char 
 			 */
 			optlen = (socklen_t) sizeof(int);
 			ret = getsockopt(b->num, SOL_SOCKET, SO_RCVBUF, &optval, &optlen);
-			OPENSSL_assert(ret >= 0);
-			OPENSSL_assert(optval >= 18445);
+			if (ret >= 0)
+				OPENSSL_assert(optval >= 18445);
 
 			/* Test if SCTP doesn't partially deliver below
 			 * max record size (2^14 + 2048 + 13)
@@ -1160,8 +1242,8 @@ static int dgram_sctp_read(BIO *b, char 
 			optlen = (socklen_t) sizeof(int);
 			ret = getsockopt(b->num, IPPROTO_SCTP, SCTP_PARTIAL_DELIVERY_POINT,
 			                 &optval, &optlen);
-			OPENSSL_assert(ret >= 0);
-			OPENSSL_assert(optval >= 18445);
+			if (ret >= 0)
+				OPENSSL_assert(optval >= 18445);
 
 			/* Partially delivered notification??? Probably a bug.... */
 			OPENSSL_assert(!(msg.msg_flags & MSG_NOTIFICATION));
@@ -1195,15 +1277,15 @@ static int dgram_sctp_read(BIO *b, char 
 			authchunks = OPENSSL_malloc(optlen);
 			memset(authchunks, 0, sizeof(optlen));
 			ii = getsockopt(b->num, IPPROTO_SCTP, SCTP_PEER_AUTH_CHUNKS, authchunks, &optlen);
-			OPENSSL_assert(ii >= 0);
 
-			for (p = (unsigned char*) authchunks->gauth_chunks;
-				 p < (unsigned char*) authchunks + optlen;
-				 p += sizeof(uint8_t))
-				{
-				if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
-				if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
-				}
+			if (ii >= 0)
+				for (p = (unsigned char*) authchunks->gauth_chunks;
+				     p < (unsigned char*) authchunks + optlen;
+				     p += sizeof(uint8_t))
+					{
+					if (*p == OPENSSL_SCTP_DATA_CHUNK_TYPE) auth_data = 1;
+					if (*p == OPENSSL_SCTP_FORWARD_CUM_TSN_CHUNK_TYPE) auth_forward = 1;
+					}
 
 			OPENSSL_free(authchunks);
 
@@ -1258,9 +1340,11 @@ static int dgram_sctp_write(BIO *b, cons
 	if (data->save_shutdown && !BIO_dgram_sctp_wait_for_dry(b))
 	{

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201501090058.t090wLUV011747>