Date: Thu, 3 Dec 2015 17:24:16 +0000 (UTC)
From: Jung-uk Kim <jkim@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject: svn commit: r291709 - in vendor-crypto/openssl/dist-1.0.1: . apps crypto crypto/aes/asm crypto/asn1 crypto/bio crypto/bn crypto/bn/asm crypto/buffer crypto/cms crypto/comp crypto/conf crypto/dsa cr...
Message-ID: <201512031724.tB3HOGxe075508@repo.freebsd.org>
Author: jkim Date: Thu Dec 3 17:24:16 2015 New Revision: 291709 URL: https://svnweb.freebsd.org/changeset/base/291709 Log: Import OpenSSL 1.0.1q. Added: vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING vendor-crypto/openssl/dist-1.0.1/appveyor.yml vendor-crypto/openssl/dist-1.0.1/doc/dir-locals.example.el vendor-crypto/openssl/dist-1.0.1/doc/openssl-c-indent.el vendor-crypto/openssl/dist-1.0.1/ssl/clienthellotest.c (contents, props changed) vendor-crypto/openssl/dist-1.0.1/util/toutf8.sh (contents, props changed) Deleted: vendor-crypto/openssl/dist-1.0.1/util/pod2mantest Modified: vendor-crypto/openssl/dist-1.0.1/CHANGES vendor-crypto/openssl/dist-1.0.1/Configure vendor-crypto/openssl/dist-1.0.1/FAQ vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade vendor-crypto/openssl/dist-1.0.1/Makefile vendor-crypto/openssl/dist-1.0.1/Makefile.org vendor-crypto/openssl/dist-1.0.1/NEWS vendor-crypto/openssl/dist-1.0.1/README vendor-crypto/openssl/dist-1.0.1/apps/Makefile vendor-crypto/openssl/dist-1.0.1/apps/apps.c vendor-crypto/openssl/dist-1.0.1/apps/asn1pars.c vendor-crypto/openssl/dist-1.0.1/apps/ca.c vendor-crypto/openssl/dist-1.0.1/apps/ecparam.c vendor-crypto/openssl/dist-1.0.1/apps/engine.c vendor-crypto/openssl/dist-1.0.1/apps/ocsp.c vendor-crypto/openssl/dist-1.0.1/apps/pkcs12.c vendor-crypto/openssl/dist-1.0.1/apps/s_client.c vendor-crypto/openssl/dist-1.0.1/apps/s_server.c vendor-crypto/openssl/dist-1.0.1/crypto/aes/asm/aes-586.pl vendor-crypto/openssl/dist-1.0.1/crypto/aes/asm/aesni-x86.pl vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_par.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/d2i_pr.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_dec.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_bignum.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_pubkey.c vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_x509.c vendor-crypto/openssl/dist-1.0.1/crypto/bio/b_dump.c vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_file.c 
vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/armv4-gf2m.pl vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/ia64.S vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/s390x-gf2m.pl vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86-gf2m.pl vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-gcc.c vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-gf2m.pl vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_exp.c vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_gcd.c vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_gf2m.c vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_mont.c vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_recp.c vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_x931p.c vendor-crypto/openssl/dist-1.0.1/crypto/bn/bntest.c vendor-crypto/openssl/dist-1.0.1/crypto/buffer/buf_str.c vendor-crypto/openssl/dist-1.0.1/crypto/buffer/buffer.h vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_enc.c vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_pwri.c vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_smime.c vendor-crypto/openssl/dist-1.0.1/crypto/comp/c_zlib.c vendor-crypto/openssl/dist-1.0.1/crypto/conf/conf_def.c vendor-crypto/openssl/dist-1.0.1/crypto/conf/conf_sap.c vendor-crypto/openssl/dist-1.0.1/crypto/cryptlib.c vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_ameth.c vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_gen.c vendor-crypto/openssl/dist-1.0.1/crypto/ec/ec.h vendor-crypto/openssl/dist-1.0.1/crypto/ec/ec_asn1.c vendor-crypto/openssl/dist-1.0.1/crypto/ec/ec_key.c vendor-crypto/openssl/dist-1.0.1/crypto/engine/eng_cryptodev.c vendor-crypto/openssl/dist-1.0.1/crypto/engine/eng_list.c vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_des3.c vendor-crypto/openssl/dist-1.0.1/crypto/evp/encode.c vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_key.c vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_lib.c vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_pbe.c vendor-crypto/openssl/dist-1.0.1/crypto/evp/p_lib.c vendor-crypto/openssl/dist-1.0.1/crypto/evp/pmeth_gn.c 
vendor-crypto/openssl/dist-1.0.1/crypto/hmac/hm_ameth.c vendor-crypto/openssl/dist-1.0.1/crypto/jpake/jpake.c vendor-crypto/openssl/dist-1.0.1/crypto/mem_clr.c vendor-crypto/openssl/dist-1.0.1/crypto/modes/asm/ghash-armv4.pl vendor-crypto/openssl/dist-1.0.1/crypto/modes/asm/ghash-x86.pl vendor-crypto/openssl/dist-1.0.1/crypto/ocsp/ocsp_lib.c vendor-crypto/openssl/dist-1.0.1/crypto/ocsp/ocsp_prn.c vendor-crypto/openssl/dist-1.0.1/crypto/opensslconf.h vendor-crypto/openssl/dist-1.0.1/crypto/opensslconf.h.in vendor-crypto/openssl/dist-1.0.1/crypto/opensslv.h vendor-crypto/openssl/dist-1.0.1/crypto/pem/pem_info.c vendor-crypto/openssl/dist-1.0.1/crypto/pem/pvkfmt.c vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/p12_add.c vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/p12_crpt.c vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/p12_mutl.c vendor-crypto/openssl/dist-1.0.1/crypto/pkcs7/pk7_doit.c vendor-crypto/openssl/dist-1.0.1/crypto/rc4/asm/rc4-x86_64.pl vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_ameth.c vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_gen.c vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_sign.c vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_test.c vendor-crypto/openssl/dist-1.0.1/crypto/sha/asm/sha1-586.pl vendor-crypto/openssl/dist-1.0.1/crypto/sha/asm/sha256-586.pl vendor-crypto/openssl/dist-1.0.1/crypto/sha/asm/sha512-586.pl vendor-crypto/openssl/dist-1.0.1/crypto/sha/asm/sha512-parisc.pl vendor-crypto/openssl/dist-1.0.1/crypto/sparccpuid.S vendor-crypto/openssl/dist-1.0.1/crypto/srp/srp_vfy.c vendor-crypto/openssl/dist-1.0.1/crypto/ts/ts_rsp_verify.c vendor-crypto/openssl/dist-1.0.1/crypto/whrlpool/asm/wp-mmx.pl vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_cmp.c vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_lu.c vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_cpols.c vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_ncons.c vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_pci.c vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_pcia.c 
vendor-crypto/openssl/dist-1.0.1/doc/apps/ciphers.pod vendor-crypto/openssl/dist-1.0.1/doc/apps/dgst.pod vendor-crypto/openssl/dist-1.0.1/doc/apps/genrsa.pod vendor-crypto/openssl/dist-1.0.1/doc/apps/req.pod vendor-crypto/openssl/dist-1.0.1/doc/apps/x509.pod vendor-crypto/openssl/dist-1.0.1/doc/crypto/BIO_read.pod vendor-crypto/openssl/dist-1.0.1/doc/crypto/BN_rand.pod vendor-crypto/openssl/dist-1.0.1/doc/crypto/DSA_generate_parameters.pod vendor-crypto/openssl/dist-1.0.1/doc/crypto/EVP_DigestVerifyInit.pod vendor-crypto/openssl/dist-1.0.1/doc/crypto/EVP_SignInit.pod vendor-crypto/openssl/dist-1.0.1/doc/crypto/buffer.pod vendor-crypto/openssl/dist-1.0.1/doc/crypto/d2i_X509_NAME.pod vendor-crypto/openssl/dist-1.0.1/doc/ssl/SSL_CTX_add_extra_chain_cert.pod vendor-crypto/openssl/dist-1.0.1/e_os.h vendor-crypto/openssl/dist-1.0.1/engines/e_chil.c vendor-crypto/openssl/dist-1.0.1/ssl/Makefile vendor-crypto/openssl/dist-1.0.1/ssl/bio_ssl.c vendor-crypto/openssl/dist-1.0.1/ssl/d1_both.c vendor-crypto/openssl/dist-1.0.1/ssl/d1_clnt.c vendor-crypto/openssl/dist-1.0.1/ssl/d1_srvr.c vendor-crypto/openssl/dist-1.0.1/ssl/s23_clnt.c vendor-crypto/openssl/dist-1.0.1/ssl/s3_cbc.c vendor-crypto/openssl/dist-1.0.1/ssl/s3_clnt.c vendor-crypto/openssl/dist-1.0.1/ssl/s3_enc.c vendor-crypto/openssl/dist-1.0.1/ssl/s3_lib.c vendor-crypto/openssl/dist-1.0.1/ssl/s3_srvr.c vendor-crypto/openssl/dist-1.0.1/ssl/ssl.h vendor-crypto/openssl/dist-1.0.1/ssl/ssl3.h vendor-crypto/openssl/dist-1.0.1/ssl/ssl_asn1.c vendor-crypto/openssl/dist-1.0.1/ssl/ssl_cert.c vendor-crypto/openssl/dist-1.0.1/ssl/ssl_ciph.c vendor-crypto/openssl/dist-1.0.1/ssl/ssl_err.c vendor-crypto/openssl/dist-1.0.1/ssl/ssl_lib.c vendor-crypto/openssl/dist-1.0.1/ssl/ssl_locl.h vendor-crypto/openssl/dist-1.0.1/ssl/ssl_rsa.c vendor-crypto/openssl/dist-1.0.1/ssl/ssl_sess.c vendor-crypto/openssl/dist-1.0.1/ssl/ssltest.c vendor-crypto/openssl/dist-1.0.1/ssl/t1_enc.c vendor-crypto/openssl/dist-1.0.1/ssl/t1_lib.c 
vendor-crypto/openssl/dist-1.0.1/ssl/tls1.h vendor-crypto/openssl/dist-1.0.1/util/indent.pro vendor-crypto/openssl/dist-1.0.1/util/mk1mf.pl vendor-crypto/openssl/dist-1.0.1/util/mkrc.pl vendor-crypto/openssl/dist-1.0.1/util/mkstack.pl vendor-crypto/openssl/dist-1.0.1/util/pl/VC-32.pl vendor-crypto/openssl/dist-1.0.1/util/selftest.pl Modified: vendor-crypto/openssl/dist-1.0.1/CHANGES ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/CHANGES Thu Dec 3 17:23:35 2015 (r291708) +++ vendor-crypto/openssl/dist-1.0.1/CHANGES Thu Dec 3 17:24:16 2015 (r291709) 
@@ -2,6 +2,45 @@ OpenSSL CHANGES _______________ + Changes between 1.0.1p and 1.0.1q [3 Dec 2015] + + *) Certificate verify crash with missing PSS parameter + + The signature verification routines will crash with a NULL pointer + dereference if presented with an ASN.1 signature using the RSA PSS + algorithm and absent mask generation function parameter. Since these + routines are used to verify certificate signature algorithms this can be + used to crash any certificate verification operation and exploited in a + DoS attack. Any application which performs certificate verification is + vulnerable including OpenSSL clients and servers which enable client + authentication. + + This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG). + (CVE-2015-3194) + [Stephen Henson] + + *) X509_ATTRIBUTE memory leak + + When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak + memory. This structure is used by the PKCS#7 and CMS routines so any + application which reads PKCS#7 or CMS data from untrusted sources is + affected. SSL/TLS is not affected. + + This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using + libFuzzer. + (CVE-2015-3195) + [Stephen Henson] + + *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. + This changes the decoding behaviour for some invalid messages, + though the change is mostly in the more lenient direction, and + legacy behaviour is preserved as much as possible. + [Emilia Käsper] + + *) In DSA_generate_parameters_ex, if the provided seed is too short, + return an error + [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>] + Changes between 1.0.1o and 1.0.1p [9 Jul 2015] *) Alternate chains certificate forgery 
@@ -15,10 +54,19 @@ This issue was reported to OpenSSL by Adam Langley/David Benjamin (Google/BoringSSL). + (CVE-2015-1793) [Matt Caswell] - Changes between 1.0.1n and 1.0.1o [12 Jun 2015] + *) Race condition handling PSK identify hint + + If PSK identity hints are received by a multi-threaded client then + the values are wrongly updated in the parent SSL_CTX structure. This can + result in a race condition potentially leading to a double free of the + identify hint data. + (CVE-2015-3196) + [Stephen Henson] + Changes between 1.0.1n and 1.0.1o [12 Jun 2015] *) Fix HMAC ABI incompatibility. The previous version introduced an ABI incompatibility in the handling of HMAC. The previous ABI has now been restored. @@ -55,9 +103,9 @@ callbacks. This issue was reported to OpenSSL by Robert Swiecki (Google), and - independently by Hanno Böck. + independently by Hanno Böck. (CVE-2015-1789) - [Emilia Käsper] + [Emilia Käsper] *) PKCS7 crash with missing EnvelopedContent @@ -71,7 +119,7 @@ This issue was reported to OpenSSL by Michal Zalewski (Google). (CVE-2015-1790) - [Emilia Käsper] + [Emilia Käsper] *) CMS verify infinite loop with unknown hash function @@ -94,6 +142,9 @@ *) Reject DH handshakes with parameters shorter than 768 bits. [Kurt Roeckx and Emilia Kasper] + *) dhparam: generate 2048-bit parameters by default. + [Kurt Roeckx and Emilia Kasper] + Changes between 1.0.1l and 1.0.1m [19 Mar 2015] *) Segmentation fault in ASN1_TYPE_cmp fix @@ -132,7 +183,7 @@ This issue was reported to OpenSSL by Michal Zalewski (Google). (CVE-2015-0289) - [Emilia Käsper] + [Emilia Käsper] *) DoS via reachable assert in SSLv2 servers fix 
@@ -140,10 +191,10 @@ servers that both support SSLv2 and enable export cipher suites by sending a specially crafted SSLv2 CLIENT-MASTER-KEY message. - This issue was discovered by Sean Burford (Google) and Emilia Käsper + This issue was discovered by Sean Burford (Google) and Emilia Käsper (OpenSSL development team). (CVE-2015-0293) - [Emilia Käsper] + [Emilia Käsper] *) Use After Free following d2i_ECPrivatekey error fix @@ -288,12 +339,12 @@ version does not match the session's version. Resuming with a different version, while not strictly forbidden by the RFC, is of questionable sanity and breaks all known clients. - [David Benjamin, Emilia Käsper] + [David Benjamin, Emilia Käsper] *) Tighten handling of the ChangeCipherSpec (CCS) message: reject early CCS messages during renegotiation. (Note that because renegotiation is encrypted, this early CCS was not exploitable.) - [Emilia Käsper] + [Emilia Käsper] *) Tighten client-side session ticket handling during renegotiation: ensure that the client only accepts a session ticket if the server sends @@ -304,7 +355,7 @@ Similarly, ensure that the client requires a session ticket if one was advertised in the ServerHello. Previously, a TLS client would ignore a missing NewSessionTicket message. - [Emilia Käsper] + [Emilia Käsper] Changes between 1.0.1i and 1.0.1j [15 Oct 2014] @@ -384,10 +435,10 @@ with a null pointer dereference (read) by specifying an anonymous (EC)DH ciphersuite and sending carefully crafted handshake messages. - Thanks to Felix Gröbert (Google) for discovering and researching this + Thanks to Felix Gröbert (Google) for discovering and researching this issue. (CVE-2014-3510) - [Emilia Käsper] + [Emilia Käsper] *) By sending carefully crafted DTLS packets an attacker could cause openssl to leak memory. This can be exploited through a Denial of Service attack. 
@@ -424,7 +475,7 @@ properly negotiated with the client. This can be exploited through a Denial of Service attack. - Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for + Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for discovering and researching this issue. (CVE-2014-5139) [Steve Henson] @@ -436,7 +487,7 @@ Thanks to Ivan Fratric (Google) for discovering this issue. (CVE-2014-3508) - [Emilia Käsper, and Steve Henson] + [Emilia Käsper, and Steve Henson] *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.) for corner cases. (Certain input points at infinity could lead to @@ -466,15 +517,15 @@ client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. - Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) - [Jüri Aedla, Steve Henson] + Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195) + [Jüri Aedla, Steve Henson] *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites are subject to a denial of service attack. - Thanks to Felix Gröbert and Ivan Fratric at Google for discovering + Thanks to Felix Gröbert and Ivan Fratric at Google for discovering this issue. (CVE-2014-3470) - [Felix Gröbert, Ivan Fratric, Steve Henson] + [Felix Gröbert, Ivan Fratric, Steve Henson] *) Harmonize version and its documentation. -f flag is used to display compilation flags. @@ -553,9 +604,9 @@ Thanks go to Nadhem Alfardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and - Emilia Käsper for the initial patch. + Emilia Käsper for the initial patch. (CVE-2013-0169) - [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] + [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson] *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode ciphersuites which can be exploited in a denial of service attack. 
@@ -730,7 +781,7 @@ EC_GROUP_new_by_curve_name() will automatically use these (while EC_GROUP_new_curve_GFp() currently prefers the more flexible implementations). - [Emilia Käsper, Adam Langley, Bodo Moeller (Google)] + [Emilia Käsper, Adam Langley, Bodo Moeller (Google)] *) Use type ossl_ssize_t instad of ssize_t which isn't available on all platforms. Move ssize_t definition from e_os.h to the public @@ -1006,7 +1057,7 @@ [Adam Langley (Google)] *) Fix spurious failures in ecdsatest.c. - [Emilia Käsper (Google)] + [Emilia Käsper (Google)] *) Fix the BIO_f_buffer() implementation (which was mixing different interpretations of the '..._len' fields). @@ -1020,7 +1071,7 @@ lock to call BN_BLINDING_invert_ex, and avoids one use of BN_BLINDING_update for each BN_BLINDING structure (previously, the last update always remained unused). - [Emilia Käsper (Google)] + [Emilia Käsper (Google)] *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf. [Bob Buckholz (Google)] @@ -1829,7 +1880,7 @@ *) Add RFC 3161 compliant time stamp request creation, response generation and response verification functionality. - [Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project] + [Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project] *) Add initial support for TLS extensions, specifically for the server_name extension so far. The SSL_SESSION, SSL_CTX, and SSL data structures now @@ -2997,7 +3048,7 @@ *) BN_CTX_get() should return zero-valued bignums, providing the same initialised value as BN_new(). - [Geoff Thorpe, suggested by Ulf Möller] + [Geoff Thorpe, suggested by Ulf Möller] *) Support for inhibitAnyPolicy certificate extension. [Steve Henson] 
@@ -3016,7 +3067,7 @@ some point, these tighter rules will become openssl's default to improve maintainability, though the assert()s and other overheads will remain only in debugging configurations. See bn.h for more details. - [Geoff Thorpe, Nils Larsch, Ulf Möller] + [Geoff Thorpe, Nils Larsch, Ulf Möller] *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure that can only be obtained through BN_CTX_new() (which implicitly @@ -3083,7 +3134,7 @@ [Douglas Stebila (Sun Microsystems Laboratories)] *) Add the possibility to load symbols globally with DSO. - [Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte] + [Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte] *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better control of the error stack. @@ -3798,7 +3849,7 @@ [Steve Henson] *) Undo Cygwin change. - [Ulf Möller] + [Ulf Möller] *) Added support for proxy certificates according to RFC 3820. Because they may be a security thread to unaware applications, @@ -3831,11 +3882,11 @@ [Stephen Henson, reported by UK NISCC] *) Use Windows randomness collection on Cygwin. - [Ulf Möller] + [Ulf Möller] *) Fix hang in EGD/PRNGD query when communication socket is closed prematurely by EGD/PRNGD. - [Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014] + [Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014] *) Prompt for pass phrases when appropriate for PKCS12 input format. [Steve Henson] @@ -4297,7 +4348,7 @@ pointers passed to them whenever necessary. Otherwise it is possible the caller may have overwritten (or deallocated) the original string data when a later ENGINE operation tries to use the stored values. - [Götz Babin-Ebell <babinebell@trustcenter.de>] + [Götz Babin-Ebell <babinebell@trustcenter.de>] *) Improve diagnostics in file reading and command-line digests. [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>] 
@@ -6402,7 +6453,7 @@ des-cbc 3624.96k 5258.21k [Bodo Moeller] *) BN_sqr() bug fix. - [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>] + [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>] *) Rabin-Miller test analyses assume uniformly distributed witnesses, so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() @@ -6562,7 +6613,7 @@ des-cbc 3624.96k 5258.21k [Bodo Moeller] *) Fix OAEP check. - [Ulf Möller, Bodo Möller] + [Ulf Möller, Bodo Möller] *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 @@ -6824,10 +6875,10 @@ des-cbc 3624.96k 5258.21k [Bodo Moeller] *) Use better test patterns in bntest. - [Ulf Möller] + [Ulf Möller] *) rand_win.c fix for Borland C. - [Ulf Möller] + [Ulf Möller] *) BN_rshift bugfix for n == 0. [Bodo Moeller] @@ -6972,14 +7023,14 @@ des-cbc 3624.96k 5258.21k *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR BIO_ctrl (for BIO pairs). - [Bodo Möller] + [Bodo Möller] *) Add DSO method for VMS. [Richard Levitte] *) Bug fix: Montgomery multiplication could produce results with the wrong sign. - [Ulf Möller] + [Ulf Möller] *) Add RPM specification openssl.spec and modify it to build three packages. The default package contains applications, application @@ -6997,7 +7048,7 @@ des-cbc 3624.96k 5258.21k *) Don't set the two most significant bits to one when generating a random number < q in the DSA library. - [Ulf Möller] + [Ulf Möller] *) New SSL API mode 'SSL_MODE_AUTO_RETRY'. This disables the default behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if @@ -7263,7 +7314,7 @@ des-cbc 3624.96k 5258.21k *) Randomness polling function for Win9x, as described in: Peter Gutmann, Software Generation of Practically Strong Random Numbers. - [Ulf Möller] + [Ulf Möller] *) Fix so PRNG is seeded in req if using an already existing DSA key. 
@@ -7483,7 +7534,7 @@ des-cbc 3624.96k 5258.21k [Steve Henson] *) Eliminate non-ANSI declarations in crypto.h and stack.h. - [Ulf Möller] + [Ulf Möller] *) Fix for SSL server purpose checking. Server checking was rejecting certificates which had extended key usage present @@ -7515,7 +7566,7 @@ des-cbc 3624.96k 5258.21k [Bodo Moeller] *) Bugfix for linux-elf makefile.one. - [Ulf Möller] + [Ulf Möller] *) RSA_get_default_method() will now cause a default RSA_METHOD to be chosen if one doesn't exist already. @@ -7604,7 +7655,7 @@ des-cbc 3624.96k 5258.21k [Steve Henson] *) des_quad_cksum() byte order bug fix. - [Ulf Möller, using the problem description in krb4-0.9.7, where + [Ulf Möller, using the problem description in krb4-0.9.7, where the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>] *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly @@ -7705,7 +7756,7 @@ des-cbc 3624.96k 5258.21k [Rolf Haberrecker <rolf@suse.de>] *) Assembler module support for Mingw32. - [Ulf Möller] + [Ulf Möller] *) Shared library support for HPUX (in shlib/). [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous] @@ -7724,7 +7775,7 @@ des-cbc 3624.96k 5258.21k *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n] case was implemented. This caused BN_div_recp() to fail occasionally. - [Ulf Möller] + [Ulf Möller] *) Add an optional second argument to the set_label() in the perl assembly language builder. If this argument exists and is set 
@@ -7754,14 +7805,14 @@ des-cbc 3624.96k 5258.21k [Steve Henson] *) Fix potential buffer overrun problem in BIO_printf(). - [Ulf Möller, using public domain code by Patrick Powell; problem + [Ulf Möller, using public domain code by Patrick Powell; problem pointed out by David Sacerdote <das33@cornell.edu>] *) Support EGD <http://www.lothar.com/tech/crypto/>. New functions RAND_egd() and RAND_status(). In the command line application, the EGD socket can be specified like a seed file using RANDFILE or -rand. - [Ulf Möller] + [Ulf Möller] *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures. Some CAs (e.g. Verisign) distribute certificates in this form. @@ -7794,7 +7845,7 @@ des-cbc 3624.96k 5258.21k #define OPENSSL_ALGORITHM_DEFINES #include <openssl/opensslconf.h> defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc. - [Richard Levitte, Ulf and Bodo Möller] + [Richard Levitte, Ulf and Bodo Möller] *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS record layer. @@ -7845,17 +7896,17 @@ des-cbc 3624.96k 5258.21k *) Bug fix for BN_div_recp() for numerators with an even number of bits. - [Ulf Möller] + [Ulf Möller] *) More tests in bntest.c, and changed test_bn output. - [Ulf Möller] + [Ulf Möller] *) ./config recognizes MacOS X now. [Andy Polyakov] *) Bug fix for BN_div() when the first words of num and divsor are equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0). - [Ulf Möller] + [Ulf Möller] *) Add support for various broken PKCS#8 formats, and command line options to produce them. @@ -7863,11 +7914,11 @@ des-cbc 3624.96k 5258.21k *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to get temporary BIGNUMs from a BN_CTX. - [Ulf Möller] + [Ulf Möller] *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont() for p == 0. - [Ulf Möller] + [Ulf Möller] *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and include a #define from the old name to the new. The original intent 
@@ -7891,7 +7942,7 @@ des-cbc 3624.96k 5258.21k *) Source code cleanups: use const where appropriate, eliminate casts, use void * instead of char * in lhash. - [Ulf Möller] + [Ulf Möller] *) Bugfix: ssl3_send_server_key_exchange was not restartable (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of @@ -7936,13 +7987,13 @@ des-cbc 3624.96k 5258.21k [Steve Henson] *) New function BN_pseudo_rand(). - [Ulf Möller] + [Ulf Möller] *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable) bignum version of BN_from_montgomery() with the working code from SSLeay 0.9.0 (the word based version is faster anyway), and clean up the comments. - [Ulf Möller] + [Ulf Möller] *) Avoid a race condition in s2_clnt.c (function get_server_hello) that made it impossible to use the same SSL_SESSION data structure in @@ -7952,25 +8003,25 @@ des-cbc 3624.96k 5258.21k *) The return value of RAND_load_file() no longer counts bytes obtained by stat(). RAND_load_file(..., -1) is new and uses the complete file to seed the PRNG (previously an explicit byte count was required). - [Ulf Möller, Bodo Möller] + [Ulf Möller, Bodo Möller] *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes used (char *) instead of (void *) and had casts all over the place. [Steve Henson] *) Make BN_generate_prime() return NULL on error if ret!=NULL. - [Ulf Möller] + [Ulf Möller] *) Retain source code compatibility for BN_prime_checks macro: BN_is_prime(..., BN_prime_checks, ...) now uses BN_prime_checks_for_size to determine the appropriate number of Rabin-Miller iterations. - [Ulf Möller] + [Ulf Möller] *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to DH_CHECK_P_NOT_SAFE_PRIME. (Check if this is true? OpenPGP calls them "strong".) - [Ulf Möller] + [Ulf Möller] *) Merge the functionality of "dh" and "gendh" programs into a new program "dhparam". The old programs are retained for now but will handle DH keys 
@@ -8026,7 +8077,7 @@ des-cbc 3624.96k 5258.21k *) Add missing #ifndefs that caused missing symbols when building libssl as a shared library without RSA. Use #ifndef NO_SSL2 instead of NO_RSA in ssl/s2*.c. - [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller] + [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller] *) Precautions against using the PRNG uninitialized: RAND_bytes() now has a return value which indicates the quality of the random data @@ -8035,7 +8086,7 @@ des-cbc 3624.96k 5258.21k guaranteed to be unique but not unpredictable. RAND_add is like RAND_seed, but takes an extra argument for an entropy estimate (RAND_seed always assumes full entropy). - [Ulf Möller] + [Ulf Möller] *) Do more iterations of Rabin-Miller probable prime test (specifically, 3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes @@ -8065,7 +8116,7 @@ des-cbc 3624.96k 5258.21k [Steve Henson] *) Honor the no-xxx Configure options when creating .DEF files. - [Ulf Möller] + [Ulf Möller] *) Add PKCS#10 attributes to field table: challengePassword, unstructuredName and unstructuredAddress. These are taken from @@ -8899,7 +8950,7 @@ des-cbc 3624.96k 5258.21k *) More DES library cleanups: remove references to srand/rand and delete an unused file. - [Ulf Möller] + [Ulf Möller] *) Add support for the the free Netwide assembler (NASM) under Win32, since not many people have MASM (ml) and it can be hard to obtain. @@ -8988,7 +9039,7 @@ des-cbc 3624.96k 5258.21k worked. *) Fix problems with no-hmac etc. - [Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>] + [Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>] *) New functions RSA_get_default_method(), RSA_set_method() and RSA_get_method(). These allows replacement of RSA_METHODs without having 
@@ -9105,7 +9156,7 @@ des-cbc 3624.96k 5258.21k [Ben Laurie] *) DES library cleanups. - [Ulf Möller] + [Ulf Möller] *) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit @@ -9148,7 +9199,7 @@ des-cbc 3624.96k 5258.21k [Christian Forster <fo@hawo.stw.uni-erlangen.de>] *) config now generates no-xxx options for missing ciphers. - [Ulf Möller] + [Ulf Möller] *) Support the EBCDIC character set (work in progress). File ebcdic.c not yet included because it has a different license. @@ -9261,7 +9312,7 @@ des-cbc 3624.96k 5258.21k [Bodo Moeller] *) Move openssl.cnf out of lib/. - [Ulf Möller] + [Ulf Möller] *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes @@ -9318,10 +9369,10 @@ des-cbc 3624.96k 5258.21k [Ben Laurie] *) Support Borland C++ builder. - [Janez Jere <jj@void.si>, modified by Ulf Möller] + [Janez Jere <jj@void.si>, modified by Ulf Möller] *) Support Mingw32. - [Ulf Möller] + [Ulf Möller] *) SHA-1 cleanups and performance enhancements. [Andy Polyakov <appro@fy.chalmers.se>] @@ -9330,7 +9381,7 @@ des-cbc 3624.96k 5258.21k [Andy Polyakov <appro@fy.chalmers.se>] *) Accept any -xxx and +xxx compiler options in Configure. - [Ulf Möller] + [Ulf Möller] *) Update HPUX configuration. [Anonymous] @@ -9363,7 +9414,7 @@ des-cbc 3624.96k 5258.21k [Bodo Moeller] *) OAEP decoding bug fix. - [Ulf Möller] + [Ulf Möller] *) Support INSTALL_PREFIX for package builders, as proposed by David Harris. 
@@ -9386,21 +9437,21 @@ des-cbc 3624.96k 5258.21k [Niels Poppe <niels@netbox.org>] *) New Configure option no-<cipher> (rsa, idea, rc5, ...). - [Ulf Möller] + [Ulf Möller] *) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for extension adding in x509 utility. [Steve Henson] *) Remove NOPROTO sections and error code comments. - [Ulf Möller] + [Ulf Möller] *) Partial rewrite of the DEF file generator to now parse the ANSI prototypes. [Steve Henson] *) New Configure options --prefix=DIR and --openssldir=DIR. - [Ulf Möller] + [Ulf Möller] *) Complete rewrite of the error code script(s). It is all now handled by one script at the top level which handles error code gathering, @@ -9429,7 +9480,7 @@ des-cbc 3624.96k 5258.21k [Steve Henson] *) Move the autogenerated header file parts to crypto/opensslconf.h. - [Ulf Möller] + [Ulf Möller] *) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of 8 of keying material. Merlin has also confirmed interop with this fix @@ -9447,13 +9498,13 @@ des-cbc 3624.96k 5258.21k [Andy Polyakov <appro@fy.chalmers.se>] *) Change functions to ANSI C. - [Ulf Möller] + [Ulf Möller] *) Fix typos in error codes. - [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller] + [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller] *) Remove defunct assembler files from Configure. - [Ulf Möller] + [Ulf Möller] *) SPARC v8 assembler BIGNUM implementation. [Andy Polyakov <appro@fy.chalmers.se>] @@ -9490,7 +9541,7 @@ des-cbc 3624.96k 5258.21k [Steve Henson] *) New Configure option "rsaref". - [Ulf Möller] + [Ulf Möller] *) Don't auto-generate pem.h. [Bodo Moeller] @@ -9538,7 +9589,7 @@ des-cbc 3624.96k 5258.21k *) New functions DSA_do_sign and DSA_do_verify to provide access to the raw DSA values prior to ASN.1 encoding. - [Ulf Möller] + [Ulf Möller] *) Tweaks to Configure [Niels Poppe <niels@netbox.org>] 
@@ -9548,11 +9599,11 @@ des-cbc 3624.96k 5258.21k [Steve Henson] *) New variables $(RANLIB) and $(PERL) in the Makefiles. - [Ulf Möller] + [Ulf Möller] *) New config option to avoid instructions that are illegal on the 80386. The default code is faster, but requires at least a 486. - [Ulf Möller] + [Ulf Möller] *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and SSL2_SERVER_VERSION (not used at all) macros, which are now the @@ -10091,7 +10142,7 @@ des-cbc 3624.96k 5258.21k Hagino <itojun@kame.net>] *) File was opened incorrectly in randfile.c. - [Ulf Möller <ulf@fitug.de>] + [Ulf Möller <ulf@fitug.de>] *) Beginning of support for GeneralizedTime. d2i, i2d, check and print functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or @@ -10101,7 +10152,7 @@ des-cbc 3624.96k 5258.21k [Steve Henson] *) Correct Linux 1 recognition in config. - [Ulf Möller <ulf@fitug.de>] + [Ulf Möller <ulf@fitug.de>] *) Remove pointless MD5 hash when using DSA keys in ca. [Anonymous <nobody@replay.com>] @@ -10248,7 +10299,7 @@ des-cbc 3624.96k 5258.21k *) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but was already fixed by Eric for 0.9.1 it seems. - [Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>] + [Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>] *) Autodetect FreeBSD3. [Ben Laurie] Added: vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING Thu Dec 3 17:24:16 2015 (r291709) 
@@ -0,0 +1,38 @@ +HOW TO CONTRIBUTE TO OpenSSL +---------------------------- + +Development is coordinated on the openssl-dev mailing list (see +http://www.openssl.org for information on subscribing). If you +would like to submit a patch, send it to rt@openssl.org with +the string "[PATCH]" in the subject. Please be sure to include a +textual explanation of what your patch does. + +You can also make GitHub pull requests. If you do this, please also send +mail to rt@openssl.org with a brief description and a link to the PR so +that we can more easily keep track of it. + +If you are unsure as to whether a feature will be useful for the general +OpenSSL community please discuss it on the openssl-dev mailing list first. +Someone may be already working on the same thing or there may be a good +reason as to why that feature isn't implemented. + +Patches should be as up to date as possible, preferably relative to the +current Git or the last snapshot. They should follow our coding style +(see https://www.openssl.org/policies/codingstyle.html) and compile without +warnings using the --strict-warnings flag. OpenSSL compiles on many varied +platforms: try to ensure you only use portable features. + +Our preferred format for patch files is "git format-patch" output. For example +to provide a patch file containing the last commit in your local git repository +use the following command: + +# git format-patch --stdout HEAD^ >mydiffs.patch + +Another method of creating an acceptable patch file without using git is as +follows: + +# cd openssl-work +# [your changes] +# ./Configure dist; make clean +# cd .. +# diff -ur openssl-orig openssl-work > mydiffs.patch Modified: vendor-crypto/openssl/dist-1.0.1/Configure ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/Configure Thu Dec 3 17:23:35 2015 (r291708) +++ vendor-crypto/openssl/dist-1.0.1/Configure Thu Dec 3 17:24:16 2015 (r291709) 
@@ -105,6 +105,8 @@ my $usage="Usage: Configure [no-<cipher> my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED"; +my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments"; + my $strict_warnings = 0; my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL"; @@ -197,6 +199,7 @@ my %table=( "debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +"debug-linux-x86_64-clang","clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "dist", "cc:-O::(unknown)::::::", # Basic configs that should work on any (32 and less bit) box 
@@ -361,6 +364,7 @@ my %table=( "linux-ia64-ecc","ecc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", +"linux-x86_64-clang","clang: -m64 -DL_ENDIAN -O3 -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", #### So called "highgprs" target for z/Architecture CPUs # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see 
@@ -1574,11 +1578,20 @@ if ($shlib_version_number =~ /(^[0-9]*)\ if ($strict_warnings) { + my $ecc = $cc; + $ecc = "clang" if `$cc --version 2>&1` =~ /clang/; my $wopt; - die "ERROR --strict-warnings requires gcc" unless ($cc =~ /gcc$/); + die "ERROR --strict-warnings requires gcc or clang" unless ($ecc =~ /gcc$/ or $ecc =~ /clang$/); foreach $wopt (split /\s+/, $gcc_devteam_warn) { - $cflags .= " $wopt" unless ($cflags =~ /$wopt/) + $cflags .= " $wopt" unless ($cflags =~ /(^|\s)$wopt(\s|$)/) + } + if ($ecc eq "clang") + { + foreach $wopt (split /\s+/, $clang_devteam_warn) + { + $cflags .= " $wopt" unless ($cflags =~ /(^|\s)$wopt(\s|$)/) + } } } Modified: vendor-crypto/openssl/dist-1.0.1/FAQ ============================================================================== --- vendor-crypto/openssl/dist-1.0.1/FAQ Thu Dec 3 17:23:35 2015 (r291708) +++ vendor-crypto/openssl/dist-1.0.1/FAQ Thu Dec 3 17:24:16 2015 (r291709) 
@@ -1,1039 +1,2 @@ -OpenSSL - Frequently Asked Questions --------------------------------------- - -[MISC] Miscellaneous questions - -* Which is the current version of OpenSSL? -* Where is the documentation? -* How can I contact the OpenSSL developers? -* Where can I get a compiled version of OpenSSL? -* Why aren't tools like 'autoconf' and 'libtool' used? -* What is an 'engine' version? -* How do I check the authenticity of the OpenSSL distribution? -* How does the versioning scheme work? - -[LEGAL] Legal questions - -* Do I need patent licenses to use OpenSSL? -* Can I use OpenSSL with GPL software? - -[USER] Questions on using the OpenSSL applications - -* Why do I get a "PRNG not seeded" error message? -* Why do I get an "unable to write 'random state'" error message? -* How do I create certificates or certificate requests? -* Why can't I create certificate requests? -* Why does <SSL program> fail with a certificate verify error? -* Why can I only use weak ciphers when I connect to a server using OpenSSL? -* How can I create DSA certificates? -* Why can't I make an SSL connection using a DSA certificate? -* How can I remove the passphrase on a private key? -* Why can't I use OpenSSL certificates with SSL client authentication? -* Why does my browser give a warning about a mismatched hostname? -* How do I install a CA certificate into a browser? -* Why is OpenSSL x509 DN output not conformant to RFC2253? -* What is a "128 bit certificate"? Can I create one with OpenSSL? -* Why does OpenSSL set the authority key identifier extension incorrectly? -* How can I set up a bundle of commercial root CA certificates? - -[BUILD] Questions about building and testing OpenSSL - -* Why does the linker complain about undefined symbols? -* Why does the OpenSSL test fail with "bc: command not found"? -* Why does the OpenSSL test fail with "bc: 1 no implemented"? -* Why does the OpenSSL test fail with "bc: stack empty"? 
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix? -* Why does the OpenSSL compilation fail with "ar: command not found"? -* Why does the OpenSSL compilation fail on Win32 with VC++? -* What is special about OpenSSL on Redhat? -* Why does the OpenSSL compilation fail on MacOS X? -* Why does the OpenSSL test suite fail on MacOS X? -* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]? -* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"? -* Why does the OpenSSL test suite fail in sha512t on x86 CPU? -* Why does compiler fail to compile sha512.c? -* Test suite still fails, what to do? -* I think I've found a bug, what should I do? -* I'm SURE I've found a bug, how do I report it? -* I've found a security issue, how do I report it? - -[PROG] Questions about programming with OpenSSL - -* Is OpenSSL thread-safe? -* I've compiled a program under Windows and it crashes: why? -* How do I read or write a DER encoded buffer using the ASN1 functions? -* OpenSSL uses DER but I need BER format: does OpenSSL support BER? -* I've tried using <M_some_evil_pkcs12_macro> and I get errors why? -* I've called <some function> and it fails, why? -* I just get a load of numbers for the error output, what do they mean? -* Why do I get errors about unknown algorithms? -* Why can't the OpenSSH configure script detect OpenSSL? -* Can I use OpenSSL's SSL library with non-blocking I/O? -* Why doesn't my server application receive a client certificate? -* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier? -* I think I've detected a memory leak, is this a bug? -* Why does Valgrind complain about the use of uninitialized data? -* Why doesn't a memory BIO work when a file does? -* Where are the declarations and implementations of d2i_X509() etc? 
- -=============================================================================== - -[MISC] ======================================================================== - -* Which is the current version of OpenSSL? - -The current version is available from <URL: http://www.openssl.org>. -OpenSSL 1.0.1e was released on Feb 11th, 2013. - -In addition to the current stable release, you can also access daily -snapshots of the OpenSSL development version at <URL: -ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access. - - -* Where is the documentation? - -OpenSSL is a library that provides cryptographic functionality to -applications such as secure web servers. Be sure to read the -documentation of the application you want to use. The INSTALL file -explains how to install this library. - -OpenSSL includes a command line utility that can be used to perform a -variety of cryptographic functions. It is described in the openssl(1) -manpage. Documentation for developers is currently being written. Many -manual pages are available; overviews over libcrypto and -libssl are given in the crypto(3) and ssl(3) manpages. - -The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a -different directory if you specified one as described in INSTALL). -In addition, you can read the most current versions at -<URL: http://www.openssl.org/docs/>. Note that the online documents refer -to the very latest development versions of OpenSSL and may include features -not present in released versions. If in doubt refer to the documentation -that came with the version of OpenSSL you are using. The pod format -documentation is included in each OpenSSL distribution under the docs -directory. - -There is some documentation about certificate extensions and PKCS#12 -in doc/openssl.txt - -The original SSLeay documentation is included in OpenSSL as -doc/ssleay.txt. It may be useful when none of the other resources -help, but please note that it reflects the obsolete version SSLeay -0.6.6. 
- - -* How can I contact the OpenSSL developers? - -The README file describes how to submit bug reports and patches to -OpenSSL. Information on the OpenSSL mailing lists is available from -<URL: http://www.openssl.org>. - - -* Where can I get a compiled version of OpenSSL? - -You can finder pointers to binary distributions in -<URL: http://www.openssl.org/related/binaries.html> . - -Some applications that use OpenSSL are distributed in binary form. -When using such an application, you don't need to install OpenSSL -yourself; the application will include the required parts (e.g. DLLs). - -If you want to build OpenSSL on a Windows system and you don't have -a C compiler, read the "Mingw32" section of INSTALL.W32 for information -on how to obtain and install the free GNU C compiler. - -A number of Linux and *BSD distributions include OpenSSL. - - -* Why aren't tools like 'autoconf' and 'libtool' used? - -autoconf will probably be used in future OpenSSL versions. If it was -less Unix-centric, it might have been used much earlier. - -* What is an 'engine' version? - -With version 0.9.6 OpenSSL was extended to interface to external crypto -hardware. This was realized in a special release '0.9.6-engine'. With -version 0.9.7 the changes were merged into the main development line, -so that the special release is no longer necessary. - -* How do I check the authenticity of the OpenSSL distribution? - -We provide MD5 digests and ASC signatures of each tarball. *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
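Review bot: In the CHANGES hunks (@@ -9105,7 +9156,7 @@ through @@ -10248,7 +10299,7 @@) every changed pair reads `- [Ulf Möller]` / `+ [Ulf Möller]` with identical visible text, so the change cannot be reviewed from the diff as shown. If this is a character-encoding conversion (the commit also adds util/toutf8.sh), the log message should say so, so that the churn is not mistaken for content changes.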
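Review bot: The new CONTRIBUTING file routes every patch to rt@openssl.org or a GitHub pull request and says nothing about fixes for security issues, which should not be posted as a public pull request; a sentence pointing to the project's security reporting procedure belongs next to the patch-submission paragraph. The example commands are shown with a `#` prompt, which reads as a root shell; `$` would be clearer for `git format-patch --stdout HEAD^ >mydiffs.patch` and for the `diff -ur` recipe. The subscription link is given as http://www.openssl.org while the coding-style link in the same file uses https.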
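Review bot: `$clang_devteam_warn` in the Configure hunk at @@ -105,6 +105,8 @@ is a list of warning suppressions plus `-Qunused-arguments`, with no comment saying why each one is needed. A short comment above the assignment would let a later maintainer tell when a suppression can be dropped; `-Wno-unused-parameter` and `-Wno-missing-field-initializers` in particular silence whole classes of warning that a --strict-warnings build might be expected to report.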
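Review bot: The new `debug-linux-x86_64-clang` and `linux-x86_64-clang` entries in the Configure %table hunks (@@ -197,6 +199,7 @@ and @@ -361,6 +364,7 @@) begin their flags field with a space (`"clang: -m64 ...`) where the neighbouring gcc entries do not (`"gcc:-m64 ...`); dropping the space keeps the table uniform. Both entries also hard-code `-Qunused-arguments`, which `$clang_devteam_warn` supplies again under --strict-warnings. The anchored duplicate check in the strict-warnings loop will skip the second copy, but keeping the flag in one place would be cleaner.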
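Review bot: In the Configure hunk at @@ -1574,11 +1578,20 @@, the clang probe runs `$cc --version 2>&1` in backticks, so the value of `$cc` is interpolated into a shell command line unquoted; a compiler setting containing shell metacharacters is interpreted by the shell at configure time. Consider validating `$cc` against a conservative pattern first, or running the probe through the list form of open so no shell is involved. Two smaller points in the same hunk: `$wopt` is interpolated into `/(^|\s)$wopt(\s|$)/` without `\Q...\E`, which works for the current flag lists but will mis-match if an option containing regex metacharacters is added; and a gcc invoked under a versioned name such as gcc-4.9 still fails the `/gcc$/` test, while a versioned clang passes because of the --version probe, an asymmetry the die message does not explain.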