Date:      Thu, 3 Dec 2015 17:24:16 +0000 (UTC)
From:      Jung-uk Kim <jkim@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-vendor@freebsd.org
Subject:   svn commit: r291709 - in vendor-crypto/openssl/dist-1.0.1: . apps crypto crypto/aes/asm crypto/asn1 crypto/bio crypto/bn crypto/bn/asm crypto/buffer crypto/cms crypto/comp crypto/conf crypto/dsa cr...
Message-ID:  <201512031724.tB3HOGxe075508@repo.freebsd.org>

Author: jkim
Date: Thu Dec  3 17:24:16 2015
New Revision: 291709
URL: https://svnweb.freebsd.org/changeset/base/291709

Log:
  Import OpenSSL 1.0.1q.

Added:
  vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING
  vendor-crypto/openssl/dist-1.0.1/appveyor.yml
  vendor-crypto/openssl/dist-1.0.1/doc/dir-locals.example.el
  vendor-crypto/openssl/dist-1.0.1/doc/openssl-c-indent.el
  vendor-crypto/openssl/dist-1.0.1/ssl/clienthellotest.c   (contents, props changed)
  vendor-crypto/openssl/dist-1.0.1/util/toutf8.sh   (contents, props changed)
Deleted:
  vendor-crypto/openssl/dist-1.0.1/util/pod2mantest
Modified:
  vendor-crypto/openssl/dist-1.0.1/CHANGES
  vendor-crypto/openssl/dist-1.0.1/Configure
  vendor-crypto/openssl/dist-1.0.1/FAQ
  vendor-crypto/openssl/dist-1.0.1/FREEBSD-upgrade
  vendor-crypto/openssl/dist-1.0.1/Makefile
  vendor-crypto/openssl/dist-1.0.1/Makefile.org
  vendor-crypto/openssl/dist-1.0.1/NEWS
  vendor-crypto/openssl/dist-1.0.1/README
  vendor-crypto/openssl/dist-1.0.1/apps/Makefile
  vendor-crypto/openssl/dist-1.0.1/apps/apps.c
  vendor-crypto/openssl/dist-1.0.1/apps/asn1pars.c
  vendor-crypto/openssl/dist-1.0.1/apps/ca.c
  vendor-crypto/openssl/dist-1.0.1/apps/ecparam.c
  vendor-crypto/openssl/dist-1.0.1/apps/engine.c
  vendor-crypto/openssl/dist-1.0.1/apps/ocsp.c
  vendor-crypto/openssl/dist-1.0.1/apps/pkcs12.c
  vendor-crypto/openssl/dist-1.0.1/apps/s_client.c
  vendor-crypto/openssl/dist-1.0.1/apps/s_server.c
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/asm/aes-586.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/aes/asm/aesni-x86.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/asn1_par.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/d2i_pr.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/tasn_dec.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_bignum.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_pubkey.c
  vendor-crypto/openssl/dist-1.0.1/crypto/asn1/x_x509.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bio/b_dump.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bio/bss_file.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/armv4-gf2m.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/ia64.S
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/s390x-gf2m.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86-gf2m.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-gcc.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/asm/x86_64-gf2m.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_exp.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_gcd.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_gf2m.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_mont.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_recp.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/bn_x931p.c
  vendor-crypto/openssl/dist-1.0.1/crypto/bn/bntest.c
  vendor-crypto/openssl/dist-1.0.1/crypto/buffer/buf_str.c
  vendor-crypto/openssl/dist-1.0.1/crypto/buffer/buffer.h
  vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_enc.c
  vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_pwri.c
  vendor-crypto/openssl/dist-1.0.1/crypto/cms/cms_smime.c
  vendor-crypto/openssl/dist-1.0.1/crypto/comp/c_zlib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/conf/conf_def.c
  vendor-crypto/openssl/dist-1.0.1/crypto/conf/conf_sap.c
  vendor-crypto/openssl/dist-1.0.1/crypto/cryptlib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_ameth.c
  vendor-crypto/openssl/dist-1.0.1/crypto/dsa/dsa_gen.c
  vendor-crypto/openssl/dist-1.0.1/crypto/ec/ec.h
  vendor-crypto/openssl/dist-1.0.1/crypto/ec/ec_asn1.c
  vendor-crypto/openssl/dist-1.0.1/crypto/ec/ec_key.c
  vendor-crypto/openssl/dist-1.0.1/crypto/engine/eng_cryptodev.c
  vendor-crypto/openssl/dist-1.0.1/crypto/engine/eng_list.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/e_des3.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/encode.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_key.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_lib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/evp_pbe.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/p_lib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/evp/pmeth_gn.c
  vendor-crypto/openssl/dist-1.0.1/crypto/hmac/hm_ameth.c
  vendor-crypto/openssl/dist-1.0.1/crypto/jpake/jpake.c
  vendor-crypto/openssl/dist-1.0.1/crypto/mem_clr.c
  vendor-crypto/openssl/dist-1.0.1/crypto/modes/asm/ghash-armv4.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/modes/asm/ghash-x86.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/ocsp/ocsp_lib.c
  vendor-crypto/openssl/dist-1.0.1/crypto/ocsp/ocsp_prn.c
  vendor-crypto/openssl/dist-1.0.1/crypto/opensslconf.h
  vendor-crypto/openssl/dist-1.0.1/crypto/opensslconf.h.in
  vendor-crypto/openssl/dist-1.0.1/crypto/opensslv.h
  vendor-crypto/openssl/dist-1.0.1/crypto/pem/pem_info.c
  vendor-crypto/openssl/dist-1.0.1/crypto/pem/pvkfmt.c
  vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/p12_add.c
  vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/p12_crpt.c
  vendor-crypto/openssl/dist-1.0.1/crypto/pkcs12/p12_mutl.c
  vendor-crypto/openssl/dist-1.0.1/crypto/pkcs7/pk7_doit.c
  vendor-crypto/openssl/dist-1.0.1/crypto/rc4/asm/rc4-x86_64.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_ameth.c
  vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_gen.c
  vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_sign.c
  vendor-crypto/openssl/dist-1.0.1/crypto/rsa/rsa_test.c
  vendor-crypto/openssl/dist-1.0.1/crypto/sha/asm/sha1-586.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/sha/asm/sha256-586.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/sha/asm/sha512-586.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/sha/asm/sha512-parisc.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/sparccpuid.S
  vendor-crypto/openssl/dist-1.0.1/crypto/srp/srp_vfy.c
  vendor-crypto/openssl/dist-1.0.1/crypto/ts/ts_rsp_verify.c
  vendor-crypto/openssl/dist-1.0.1/crypto/whrlpool/asm/wp-mmx.pl
  vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_cmp.c
  vendor-crypto/openssl/dist-1.0.1/crypto/x509/x509_lu.c
  vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_cpols.c
  vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_ncons.c
  vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_pci.c
  vendor-crypto/openssl/dist-1.0.1/crypto/x509v3/v3_pcia.c
  vendor-crypto/openssl/dist-1.0.1/doc/apps/ciphers.pod
  vendor-crypto/openssl/dist-1.0.1/doc/apps/dgst.pod
  vendor-crypto/openssl/dist-1.0.1/doc/apps/genrsa.pod
  vendor-crypto/openssl/dist-1.0.1/doc/apps/req.pod
  vendor-crypto/openssl/dist-1.0.1/doc/apps/x509.pod
  vendor-crypto/openssl/dist-1.0.1/doc/crypto/BIO_read.pod
  vendor-crypto/openssl/dist-1.0.1/doc/crypto/BN_rand.pod
  vendor-crypto/openssl/dist-1.0.1/doc/crypto/DSA_generate_parameters.pod
  vendor-crypto/openssl/dist-1.0.1/doc/crypto/EVP_DigestVerifyInit.pod
  vendor-crypto/openssl/dist-1.0.1/doc/crypto/EVP_SignInit.pod
  vendor-crypto/openssl/dist-1.0.1/doc/crypto/buffer.pod
  vendor-crypto/openssl/dist-1.0.1/doc/crypto/d2i_X509_NAME.pod
  vendor-crypto/openssl/dist-1.0.1/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
  vendor-crypto/openssl/dist-1.0.1/e_os.h
  vendor-crypto/openssl/dist-1.0.1/engines/e_chil.c
  vendor-crypto/openssl/dist-1.0.1/ssl/Makefile
  vendor-crypto/openssl/dist-1.0.1/ssl/bio_ssl.c
  vendor-crypto/openssl/dist-1.0.1/ssl/d1_both.c
  vendor-crypto/openssl/dist-1.0.1/ssl/d1_clnt.c
  vendor-crypto/openssl/dist-1.0.1/ssl/d1_srvr.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s23_clnt.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s3_cbc.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s3_clnt.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s3_enc.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s3_lib.c
  vendor-crypto/openssl/dist-1.0.1/ssl/s3_srvr.c
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl.h
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl3.h
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_asn1.c
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_cert.c
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_ciph.c
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_err.c
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_lib.c
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_locl.h
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_rsa.c
  vendor-crypto/openssl/dist-1.0.1/ssl/ssl_sess.c
  vendor-crypto/openssl/dist-1.0.1/ssl/ssltest.c
  vendor-crypto/openssl/dist-1.0.1/ssl/t1_enc.c
  vendor-crypto/openssl/dist-1.0.1/ssl/t1_lib.c
  vendor-crypto/openssl/dist-1.0.1/ssl/tls1.h
  vendor-crypto/openssl/dist-1.0.1/util/indent.pro
  vendor-crypto/openssl/dist-1.0.1/util/mk1mf.pl
  vendor-crypto/openssl/dist-1.0.1/util/mkrc.pl
  vendor-crypto/openssl/dist-1.0.1/util/mkstack.pl
  vendor-crypto/openssl/dist-1.0.1/util/pl/VC-32.pl
  vendor-crypto/openssl/dist-1.0.1/util/selftest.pl

Modified: vendor-crypto/openssl/dist-1.0.1/CHANGES
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/CHANGES	Thu Dec  3 17:23:35 2015	(r291708)
+++ vendor-crypto/openssl/dist-1.0.1/CHANGES	Thu Dec  3 17:24:16 2015	(r291709)
@@ -2,6 +2,45 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
+
+  *) Certificate verify crash with missing PSS parameter
+
+     The signature verification routines will crash with a NULL pointer
+     dereference if presented with an ASN.1 signature using the RSA PSS
+     algorithm and absent mask generation function parameter. Since these
+     routines are used to verify certificate signature algorithms this can be
+     used to crash any certificate verification operation and exploited in a
+     DoS attack. Any application which performs certificate verification is
+     vulnerable including OpenSSL clients and servers which enable client
+     authentication.
+
+     This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
+     (CVE-2015-3194)
+     [Stephen Henson]
+
+  *) X509_ATTRIBUTE memory leak
+
+     When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+     memory. This structure is used by the PKCS#7 and CMS routines so any
+     application which reads PKCS#7 or CMS data from untrusted sources is
+     affected. SSL/TLS is not affected.
+
+     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
+     libFuzzer.
+     (CVE-2015-3195)
+     [Stephen Henson]
+
+  *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
+     This changes the decoding behaviour for some invalid messages,
+     though the change is mostly in the more lenient direction, and
+     legacy behaviour is preserved as much as possible.
+     [Emilia Käsper]
+
+  *) In DSA_generate_parameters_ex, if the provided seed is too short,
+     return an error
+     [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
+
  Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
 
   *) Alternate chains certificate forgery
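Review bot: the EVP_DecodeUpdate entry says the rewrite fixes "several bugs" and changes decoding of some invalid messages "mostly in the more lenient direction", but it names neither the bugs nor the inputs that are now accepted. Callers that rely on the base64 decoder rejecting malformed input cannot tell from this text whether they are affected, so the entry should list the changed cases or point at the tests that cover them. Minor: the DSA_generate_parameters_ex entry ends at "return an error" with no full stop, unlike the entries above it.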
@@ -15,10 +54,19 @@
 
      This issue was reported to OpenSSL by Adam Langley/David Benjamin
      (Google/BoringSSL).
+     (CVE-2015-1793)
      [Matt Caswell]
 
- Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
+  *) Race condition handling PSK identify hint
+
+     If PSK identity hints are received by a multi-threaded client then
+     the values are wrongly updated in the parent SSL_CTX structure. This can
+     result in a race condition potentially leading to a double free of the
+     identify hint data.
+     (CVE-2015-3196)
+     [Stephen Henson]
 
+ Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
   *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
      incompatibility in the handling of HMAC. The previous ABI has now been
      restored.
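Review bot: the new PSK entry says "identify hint" in its title and again in "double free of the identify hint data", while its own first sentence says "PSK identity hints"; both should read "identity hint". The entry is also inserted under the 1.0.1o to 1.0.1p heading rather than in the new 1.0.1q section, so it is worth confirming that this is the release that carried the CVE-2015-3196 fix, since readers who check only the newest section will not see it. The re-added "Changes between 1.0.1n and 1.0.1o" heading has also lost the blank line that used to separate it from the "Fix HMAC ABI incompatibility" entry.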
@@ -55,9 +103,9 @@
      callbacks.
 
      This issue was reported to OpenSSL by Robert Swiecki (Google), and
-     independently by Hanno Böck.
+     independently by Hanno Böck.
      (CVE-2015-1789)
-     [Emilia Käsper]
+     [Emilia Käsper]
 
   *) PKCS7 crash with missing EnvelopedContent
 
@@ -71,7 +119,7 @@
 
      This issue was reported to OpenSSL by Michal Zalewski (Google).
      (CVE-2015-1790)
-     [Emilia Käsper]
+     [Emilia Käsper]
 
   *) CMS verify infinite loop with unknown hash function
 
@@ -94,6 +142,9 @@
   *) Reject DH handshakes with parameters shorter than 768 bits.
      [Kurt Roeckx and Emilia Kasper]
 
+  *) dhparam: generate 2048-bit parameters by default.
+     [Kurt Roeckx and Emilia Kasper]
+
  Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
 
   *) Segmentation fault in ASN1_TYPE_cmp fix
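Review bot: the added "dhparam: generate 2048-bit parameters by default" entry goes into an already released section (it sits directly above "Changes between 1.0.1l and 1.0.1m"), not into the 1.0.1q section at the top of the file, so a changed default is easy to miss for anyone reading only the newest entries. The entry also does not say what the previous default size was; stating it would let operators judge whether parameters generated earlier should be regenerated.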
@@ -132,7 +183,7 @@
 
      This issue was reported to OpenSSL by Michal Zalewski (Google).
      (CVE-2015-0289)
-     [Emilia Käsper]
+     [Emilia Käsper]
 
   *) DoS via reachable assert in SSLv2 servers fix
 
@@ -140,10 +191,10 @@
      servers that both support SSLv2 and enable export cipher suites by sending
      a specially crafted SSLv2 CLIENT-MASTER-KEY message.
 
-     This issue was discovered by Sean Burford (Google) and Emilia Käsper
+     This issue was discovered by Sean Burford (Google) and Emilia Käsper
      (OpenSSL development team).
      (CVE-2015-0293)
-     [Emilia Käsper]
+     [Emilia Käsper]
 
   *) Use After Free following d2i_ECPrivatekey error fix
 
@@ -288,12 +339,12 @@
       version does not match the session's version. Resuming with a different
       version, while not strictly forbidden by the RFC, is of questionable
       sanity and breaks all known clients.
-      [David Benjamin, Emilia Käsper]
+      [David Benjamin, Emilia Käsper]
 
    *) Tighten handling of the ChangeCipherSpec (CCS) message: reject
       early CCS messages during renegotiation. (Note that because
       renegotiation is encrypted, this early CCS was not exploitable.)
-      [Emilia Käsper]
+      [Emilia Käsper]
 
    *) Tighten client-side session ticket handling during renegotiation:
       ensure that the client only accepts a session ticket if the server sends
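Review bot: the removed and added attribution lines in this hunk display identically, as they do in the other attribution-only hunks of this file, which suggests a byte-level re-encoding of the non-ASCII names rather than a text change (util/toutf8.sh is added in the same commit). The log says only "Import OpenSSL 1.0.1q."; a sentence noting that CHANGES was re-encoded would tell reviewers that most of this file's diff is mechanical and let them concentrate on the few hunks that add or alter security entries.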
@@ -304,7 +355,7 @@
       Similarly, ensure that the client requires a session ticket if one
       was advertised in the ServerHello. Previously, a TLS client would
       ignore a missing NewSessionTicket message.
-      [Emilia Käsper]
+      [Emilia Käsper]
 
  Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
 
@@ -384,10 +435,10 @@
      with a null pointer dereference (read) by specifying an anonymous (EC)DH
      ciphersuite and sending carefully crafted handshake messages.
 
-     Thanks to Felix Gröbert (Google) for discovering and researching this
+     Thanks to Felix Gröbert (Google) for discovering and researching this
      issue.
      (CVE-2014-3510)
-     [Emilia Käsper]
+     [Emilia Käsper]
 
   *) By sending carefully crafted DTLS packets an attacker could cause openssl
      to leak memory. This can be exploited through a Denial of Service attack.
@@ -424,7 +475,7 @@
      properly negotiated with the client. This can be exploited through a
      Denial of Service attack.
 
-     Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
+     Thanks to Joonas Kuorilehto and Riku Hietamäki (Codenomicon) for
      discovering and researching this issue.
      (CVE-2014-5139)
      [Steve Henson]
@@ -436,7 +487,7 @@
 
      Thanks to Ivan Fratric (Google) for discovering this issue.
      (CVE-2014-3508)
-     [Emilia Käsper, and Steve Henson]
+     [Emilia Käsper, and Steve Henson]
 
   *) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
      for corner cases. (Certain input points at infinity could lead to
@@ -466,15 +517,15 @@
      client or server. This is potentially exploitable to run arbitrary
      code on a vulnerable client or server.
 
-     Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
-     [Jüri Aedla, Steve Henson]
+     Thanks to Jüri Aedla for reporting this issue. (CVE-2014-0195)
+     [Jüri Aedla, Steve Henson]
 
   *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites
      are subject to a denial of service attack.
 
-     Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
+     Thanks to Felix Gröbert and Ivan Fratric at Google for discovering
      this issue. (CVE-2014-3470)
-     [Felix Gröbert, Ivan Fratric, Steve Henson]
+     [Felix Gröbert, Ivan Fratric, Steve Henson]
 
   *) Harmonize version and its documentation. -f flag is used to display
      compilation flags.
@@ -553,9 +604,9 @@
      Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
      Security Group at Royal Holloway, University of London
      (www.isg.rhul.ac.uk) for discovering this flaw and Adam Langley and
-     Emilia Käsper for the initial patch.
+     Emilia Käsper for the initial patch.
      (CVE-2013-0169)
-     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
+     [Emilia Käsper, Adam Langley, Ben Laurie, Andy Polyakov, Steve Henson]
 
   *) Fix flaw in AESNI handling of TLS 1.2 and 1.1 records for CBC mode
      ciphersuites which can be exploited in a denial of service attack.
@@ -730,7 +781,7 @@
      EC_GROUP_new_by_curve_name() will automatically use these (while
      EC_GROUP_new_curve_GFp() currently prefers the more flexible
      implementations).
-     [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
+     [Emilia Käsper, Adam Langley, Bodo Moeller (Google)]
 
   *) Use type ossl_ssize_t instad of ssize_t which isn't available on
      all platforms. Move ssize_t definition from e_os.h to the public
@@ -1006,7 +1057,7 @@
      [Adam Langley (Google)]
 
   *) Fix spurious failures in ecdsatest.c.
-     [Emilia Käsper (Google)]
+     [Emilia Käsper (Google)]
 
   *) Fix the BIO_f_buffer() implementation (which was mixing different
      interpretations of the '..._len' fields).
@@ -1020,7 +1071,7 @@
      lock to call BN_BLINDING_invert_ex, and avoids one use of
      BN_BLINDING_update for each BN_BLINDING structure (previously,
      the last update always remained unused).
-     [Emilia Käsper (Google)]
+     [Emilia Käsper (Google)]
 
   *) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
      [Bob Buckholz (Google)]
@@ -1829,7 +1880,7 @@
 
   *) Add RFC 3161 compliant time stamp request creation, response generation
      and response verification functionality.
-     [Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]
+     [Zoltán Glózik <zglozik@opentsa.org>, The OpenTSA Project]
 
   *) Add initial support for TLS extensions, specifically for the server_name
      extension so far.  The SSL_SESSION, SSL_CTX, and SSL data structures now
@@ -2997,7 +3048,7 @@
 
   *) BN_CTX_get() should return zero-valued bignums, providing the same
      initialised value as BN_new().
-     [Geoff Thorpe, suggested by Ulf Möller]
+     [Geoff Thorpe, suggested by Ulf Möller]
 
   *) Support for inhibitAnyPolicy certificate extension.
      [Steve Henson]
@@ -3016,7 +3067,7 @@
      some point, these tighter rules will become openssl's default to improve
      maintainability, though the assert()s and other overheads will remain only
      in debugging configurations. See bn.h for more details.
-     [Geoff Thorpe, Nils Larsch, Ulf Möller]
+     [Geoff Thorpe, Nils Larsch, Ulf Möller]
 
   *) BN_CTX_init() has been deprecated, as BN_CTX is an opaque structure
      that can only be obtained through BN_CTX_new() (which implicitly
@@ -3083,7 +3134,7 @@
      [Douglas Stebila (Sun Microsystems Laboratories)]
 
   *) Add the possibility to load symbols globally with DSO.
-     [Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte]
+     [Götz Babin-Ebell <babin-ebell@trustcenter.de> via Richard Levitte]
 
   *) Add the functions ERR_set_mark() and ERR_pop_to_mark() for better
      control of the error stack.
@@ -3798,7 +3849,7 @@
      [Steve Henson]
 
   *) Undo Cygwin change.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Added support for proxy certificates according to RFC 3820.
      Because they may be a security thread to unaware applications,
@@ -3831,11 +3882,11 @@
      [Stephen Henson, reported by UK NISCC]
 
   *) Use Windows randomness collection on Cygwin.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Fix hang in EGD/PRNGD query when communication socket is closed
      prematurely by EGD/PRNGD.
-     [Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014]
+     [Darren Tucker <dtucker@zip.com.au> via Lutz Jänicke, resolves #1014]
 
   *) Prompt for pass phrases when appropriate for PKCS12 input format.
      [Steve Henson]
@@ -4297,7 +4348,7 @@
      pointers passed to them whenever necessary. Otherwise it is possible
      the caller may have overwritten (or deallocated) the original string
      data when a later ENGINE operation tries to use the stored values.
-     [Götz Babin-Ebell <babinebell@trustcenter.de>]
+     [Götz Babin-Ebell <babinebell@trustcenter.de>]
 
   *) Improve diagnostics in file reading and command-line digests.
      [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>]
@@ -6402,7 +6453,7 @@ des-cbc           3624.96k     5258.21k 
      [Bodo Moeller]
 
   *) BN_sqr() bug fix.
-     [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
+     [Ulf Möller, reported by Jim Ellis <jim.ellis@cavium.com>]
 
   *) Rabin-Miller test analyses assume uniformly distributed witnesses,
      so use BN_pseudo_rand_range() instead of using BN_pseudo_rand()
@@ -6562,7 +6613,7 @@ des-cbc           3624.96k     5258.21k 
      [Bodo Moeller]
 
   *) Fix OAEP check.
-     [Ulf Möller, Bodo Möller]
+     [Ulf Möller, Bodo Möller]
 
   *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
      RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5
@@ -6824,10 +6875,10 @@ des-cbc           3624.96k     5258.21k 
      [Bodo Moeller]
 
   *) Use better test patterns in bntest.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) rand_win.c fix for Borland C.
-     [Ulf Möller]
+     [Ulf Möller]
  
   *) BN_rshift bugfix for n == 0.
      [Bodo Moeller]
@@ -6972,14 +7023,14 @@ des-cbc           3624.96k     5258.21k 
 
   *) New BIO_shutdown_wr macro, which invokes the BIO_C_SHUTDOWN_WR
      BIO_ctrl (for BIO pairs).
-     [Bodo Möller]
+     [Bodo Möller]
 
   *) Add DSO method for VMS.
      [Richard Levitte]
 
   *) Bug fix: Montgomery multiplication could produce results with the
      wrong sign.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Add RPM specification openssl.spec and modify it to build three
      packages.  The default package contains applications, application
@@ -6997,7 +7048,7 @@ des-cbc           3624.96k     5258.21k 
 
   *) Don't set the two most significant bits to one when generating a
      random number < q in the DSA library.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) New SSL API mode 'SSL_MODE_AUTO_RETRY'.  This disables the default
      behaviour that SSL_read may result in SSL_ERROR_WANT_READ (even if
@@ -7263,7 +7314,7 @@ des-cbc           3624.96k     5258.21k 
   *) Randomness polling function for Win9x, as described in:
      Peter Gutmann, Software Generation of Practically Strong
      Random Numbers.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Fix so PRNG is seeded in req if using an already existing
      DSA key.
@@ -7483,7 +7534,7 @@ des-cbc           3624.96k     5258.21k 
      [Steve Henson]
 
   *) Eliminate non-ANSI declarations in crypto.h and stack.h.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Fix for SSL server purpose checking. Server checking was
      rejecting certificates which had extended key usage present
@@ -7515,7 +7566,7 @@ des-cbc           3624.96k     5258.21k 
      [Bodo Moeller]
 
   *) Bugfix for linux-elf makefile.one.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) RSA_get_default_method() will now cause a default
      RSA_METHOD to be chosen if one doesn't exist already.
@@ -7604,7 +7655,7 @@ des-cbc           3624.96k     5258.21k 
      [Steve Henson]
 
   *) des_quad_cksum() byte order bug fix.
-     [Ulf Möller, using the problem description in krb4-0.9.7, where
+     [Ulf Möller, using the problem description in krb4-0.9.7, where
       the solution is attributed to Derrick J Brashear <shadow@DEMENTIA.ORG>]
 
   *) Fix so V_ASN1_APP_CHOOSE works again: however its use is strongly
@@ -7705,7 +7756,7 @@ des-cbc           3624.96k     5258.21k 
      [Rolf Haberrecker <rolf@suse.de>]
 
   *) Assembler module support for Mingw32.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Shared library support for HPUX (in shlib/).
      [Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> and Anonymous]
@@ -7724,7 +7775,7 @@ des-cbc           3624.96k     5258.21k 
 
   *) BN_mul bugfix: In bn_mul_part_recursion() only the a>a[n] && b>b[n]
      case was implemented. This caused BN_div_recp() to fail occasionally.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Add an optional second argument to the set_label() in the perl
      assembly language builder. If this argument exists and is set
@@ -7754,14 +7805,14 @@ des-cbc           3624.96k     5258.21k 
      [Steve Henson]
 
   *) Fix potential buffer overrun problem in BIO_printf().
-     [Ulf Möller, using public domain code by Patrick Powell; problem
+     [Ulf Möller, using public domain code by Patrick Powell; problem
       pointed out by David Sacerdote <das33@cornell.edu>]
 
   *) Support EGD <http://www.lothar.com/tech/crypto/>.  New functions
      RAND_egd() and RAND_status().  In the command line application,
      the EGD socket can be specified like a seed file using RANDFILE
      or -rand.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Allow the string CERTIFICATE to be tolerated in PKCS#7 structures.
      Some CAs (e.g. Verisign) distribute certificates in this form.
@@ -7794,7 +7845,7 @@ des-cbc           3624.96k     5258.21k 
         #define OPENSSL_ALGORITHM_DEFINES
         #include <openssl/opensslconf.h>
      defines all pertinent NO_<algo> symbols, such as NO_IDEA, NO_RSA, etc.
-     [Richard Levitte, Ulf and Bodo Möller]
+     [Richard Levitte, Ulf and Bodo Möller]
 
   *) Bugfix: Tolerate fragmentation and interleaving in the SSL 3/TLS
      record layer.
@@ -7845,17 +7896,17 @@ des-cbc           3624.96k     5258.21k 
 
   *) Bug fix for BN_div_recp() for numerators with an even number of
      bits.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) More tests in bntest.c, and changed test_bn output.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) ./config recognizes MacOS X now.
      [Andy Polyakov]
 
   *) Bug fix for BN_div() when the first words of num and divsor are
      equal (it gave wrong results if (rem=(n1-q*d0)&BN_MASK2) < d0).
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Add support for various broken PKCS#8 formats, and command line
      options to produce them.
@@ -7863,11 +7914,11 @@ des-cbc           3624.96k     5258.21k 
 
   *) New functions BN_CTX_start(), BN_CTX_get() and BT_CTX_end() to
      get temporary BIGNUMs from a BN_CTX.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Correct return values in BN_mod_exp_mont() and BN_mod_exp2_mont()
      for p == 0.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Change the SSLeay_add_all_*() functions to OpenSSL_add_all_*() and
      include a #define from the old name to the new. The original intent
@@ -7891,7 +7942,7 @@ des-cbc           3624.96k     5258.21k 
 
   *) Source code cleanups: use const where appropriate, eliminate casts,
      use void * instead of char * in lhash.
-     [Ulf Möller] 
+     [Ulf Möller] 
 
   *) Bugfix: ssl3_send_server_key_exchange was not restartable
      (the state was not changed to SSL3_ST_SW_KEY_EXCH_B, and because of
@@ -7936,13 +7987,13 @@ des-cbc           3624.96k     5258.21k 
      [Steve Henson]
 
   *) New function BN_pseudo_rand().
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Clean up BN_mod_mul_montgomery(): replace the broken (and unreadable)
      bignum version of BN_from_montgomery() with the working code from
      SSLeay 0.9.0 (the word based version is faster anyway), and clean up
      the comments.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Avoid a race condition in s2_clnt.c (function get_server_hello) that
      made it impossible to use the same SSL_SESSION data structure in
@@ -7952,25 +8003,25 @@ des-cbc           3624.96k     5258.21k 
   *) The return value of RAND_load_file() no longer counts bytes obtained
      by stat().  RAND_load_file(..., -1) is new and uses the complete file
      to seed the PRNG (previously an explicit byte count was required).
-     [Ulf Möller, Bodo Möller]
+     [Ulf Möller, Bodo Möller]
 
   *) Clean up CRYPTO_EX_DATA functions, some of these didn't have prototypes
      used (char *) instead of (void *) and had casts all over the place.
      [Steve Henson]
 
   *) Make BN_generate_prime() return NULL on error if ret!=NULL.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Retain source code compatibility for BN_prime_checks macro:
      BN_is_prime(..., BN_prime_checks, ...) now uses
      BN_prime_checks_for_size to determine the appropriate number of
      Rabin-Miller iterations.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Diffie-Hellman uses "safe" primes: DH_check() return code renamed to
      DH_CHECK_P_NOT_SAFE_PRIME.
      (Check if this is true? OpenPGP calls them "strong".)
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Merge the functionality of "dh" and "gendh" programs into a new program
      "dhparam". The old programs are retained for now but will handle DH keys
@@ -8026,7 +8077,7 @@ des-cbc           3624.96k     5258.21k 
   *) Add missing #ifndefs that caused missing symbols when building libssl
      as a shared library without RSA.  Use #ifndef NO_SSL2 instead of
      NO_RSA in ssl/s2*.c. 
-     [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
+     [Kris Kennaway <kris@hub.freebsd.org>, modified by Ulf Möller]
 
   *) Precautions against using the PRNG uninitialized: RAND_bytes() now
      has a return value which indicates the quality of the random data
@@ -8035,7 +8086,7 @@ des-cbc           3624.96k     5258.21k 
      guaranteed to be unique but not unpredictable. RAND_add is like
      RAND_seed, but takes an extra argument for an entropy estimate
      (RAND_seed always assumes full entropy).
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Do more iterations of Rabin-Miller probable prime test (specifically,
      3 for 1024-bit primes, 6 for 512-bit primes, 12 for 256-bit primes
@@ -8065,7 +8116,7 @@ des-cbc           3624.96k     5258.21k 
      [Steve Henson]
 
   *) Honor the no-xxx Configure options when creating .DEF files.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Add PKCS#10 attributes to field table: challengePassword, 
      unstructuredName and unstructuredAddress. These are taken from
@@ -8899,7 +8950,7 @@ des-cbc           3624.96k     5258.21k 
 
   *) More DES library cleanups: remove references to srand/rand and
      delete an unused file.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Add support for the the free Netwide assembler (NASM) under Win32,
      since not many people have MASM (ml) and it can be hard to obtain.
@@ -8988,7 +9039,7 @@ des-cbc           3624.96k     5258.21k 
      worked.
 
   *) Fix problems with no-hmac etc.
-     [Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>]
+     [Ulf Möller, pointed out by Brian Wellington <bwelling@tislabs.com>]
 
   *) New functions RSA_get_default_method(), RSA_set_method() and
      RSA_get_method(). These allows replacement of RSA_METHODs without having
@@ -9105,7 +9156,7 @@ des-cbc           3624.96k     5258.21k 
      [Ben Laurie]
 
   *) DES library cleanups.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Add support for PKCS#5 v2.0 PBE algorithms. This will permit PKCS#8 to be
      used with any cipher unlike PKCS#5 v1.5 which can at most handle 64 bit
@@ -9148,7 +9199,7 @@ des-cbc           3624.96k     5258.21k 
      [Christian Forster <fo@hawo.stw.uni-erlangen.de>]
 
   *) config now generates no-xxx options for missing ciphers.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Support the EBCDIC character set (work in progress).
      File ebcdic.c not yet included because it has a different license.
@@ -9261,7 +9312,7 @@ des-cbc           3624.96k     5258.21k 
      [Bodo Moeller]
 
   *) Move openssl.cnf out of lib/.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Fix various things to let OpenSSL even pass ``egcc -pipe -O2 -Wall
      -Wshadow -Wpointer-arith -Wcast-align -Wmissing-prototypes
@@ -9318,10 +9369,10 @@ des-cbc           3624.96k     5258.21k 
      [Ben Laurie]
 
   *) Support Borland C++ builder.
-     [Janez Jere <jj@void.si>, modified by Ulf Möller]
+     [Janez Jere <jj@void.si>, modified by Ulf Möller]
 
   *) Support Mingw32.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) SHA-1 cleanups and performance enhancements.
      [Andy Polyakov <appro@fy.chalmers.se>]
@@ -9330,7 +9381,7 @@ des-cbc           3624.96k     5258.21k 
      [Andy Polyakov <appro@fy.chalmers.se>]
 
   *) Accept any -xxx and +xxx compiler options in Configure.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Update HPUX configuration.
      [Anonymous]
@@ -9363,7 +9414,7 @@ des-cbc           3624.96k     5258.21k 
      [Bodo Moeller]
 
   *) OAEP decoding bug fix.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Support INSTALL_PREFIX for package builders, as proposed by
      David Harris.
@@ -9386,21 +9437,21 @@ des-cbc           3624.96k     5258.21k 
      [Niels Poppe <niels@netbox.org>]
 
   *) New Configure option no-<cipher> (rsa, idea, rc5, ...).
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Add the PKCS#12 API documentation to openssl.txt. Preliminary support for
      extension adding in x509 utility.
      [Steve Henson]
 
   *) Remove NOPROTO sections and error code comments.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Partial rewrite of the DEF file generator to now parse the ANSI
      prototypes.
      [Steve Henson]
 
   *) New Configure options --prefix=DIR and --openssldir=DIR.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Complete rewrite of the error code script(s). It is all now handled
      by one script at the top level which handles error code gathering,
@@ -9429,7 +9480,7 @@ des-cbc           3624.96k     5258.21k 
      [Steve Henson]
 
   *) Move the autogenerated header file parts to crypto/opensslconf.h.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Fix new 56-bit DES export ciphersuites: they were using 7 bytes instead of
      8 of keying material. Merlin has also confirmed interop with this fix
@@ -9447,13 +9498,13 @@ des-cbc           3624.96k     5258.21k 
      [Andy Polyakov <appro@fy.chalmers.se>]
 
   *) Change functions to ANSI C.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Fix typos in error codes.
-     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller]
+     [Martin Kraemer <Martin.Kraemer@MchP.Siemens.De>, Ulf Möller]
 
   *) Remove defunct assembler files from Configure.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) SPARC v8 assembler BIGNUM implementation.
      [Andy Polyakov <appro@fy.chalmers.se>]
@@ -9490,7 +9541,7 @@ des-cbc           3624.96k     5258.21k 
      [Steve Henson]
 
   *) New Configure option "rsaref".
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Don't auto-generate pem.h.
      [Bodo Moeller]
@@ -9538,7 +9589,7 @@ des-cbc           3624.96k     5258.21k 
 
   *) New functions DSA_do_sign and DSA_do_verify to provide access to
      the raw DSA values prior to ASN.1 encoding.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) Tweaks to Configure
      [Niels Poppe <niels@netbox.org>]
@@ -9548,11 +9599,11 @@ des-cbc           3624.96k     5258.21k 
      [Steve Henson]
 
   *) New variables $(RANLIB) and $(PERL) in the Makefiles.
-     [Ulf Möller]
+     [Ulf Möller]
 
   *) New config option to avoid instructions that are illegal on the 80386.
      The default code is faster, but requires at least a 486.
-     [Ulf Möller]
+     [Ulf Möller]
   
   *) Got rid of old SSL2_CLIENT_VERSION (inconsistently used) and
      SSL2_SERVER_VERSION (not used at all) macros, which are now the
@@ -10091,7 +10142,7 @@ des-cbc           3624.96k     5258.21k 
       Hagino <itojun@kame.net>]
 
   *) File was opened incorrectly in randfile.c.
-     [Ulf Möller <ulf@fitug.de>]
+     [Ulf Möller <ulf@fitug.de>]
 
   *) Beginning of support for GeneralizedTime. d2i, i2d, check and print
      functions. Also ASN1_TIME suite which is a CHOICE of UTCTime or
@@ -10101,7 +10152,7 @@ des-cbc           3624.96k     5258.21k 
      [Steve Henson]
 
   *) Correct Linux 1 recognition in config.
-     [Ulf Möller <ulf@fitug.de>]
+     [Ulf Möller <ulf@fitug.de>]
 
   *) Remove pointless MD5 hash when using DSA keys in ca.
      [Anonymous <nobody@replay.com>]
@@ -10248,7 +10299,7 @@ des-cbc           3624.96k     5258.21k 
 
   *) Fix the RSA header declarations that hid a bug I fixed in 0.9.0b but
      was already fixed by Eric for 0.9.1 it seems.
-     [Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>]
+     [Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>]
 
   *) Autodetect FreeBSD3.
      [Ben Laurie]
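Review bot: The removed and added attribution lines in this hunk, and in the CHANGES hunks before it, read identically as displayed (`[Ben Laurie - pointed out by Ulf Möller <ulf@fitug.de>]` on both sides), so the only possible difference is in how the "ö" is encoded. The log message says only "Import OpenSSL 1.0.1q". Since the same import adds util/toutf8.sh, a line in the log noting that CHANGES was re-encoded would let a reader skip these hunks knowing that no changelog text changed.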

Added: vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ vendor-crypto/openssl/dist-1.0.1/CONTRIBUTING	Thu Dec  3 17:24:16 2015	(r291709)
@@ -0,0 +1,38 @@
+HOW TO CONTRIBUTE TO OpenSSL
+----------------------------
+
+Development is coordinated on the openssl-dev mailing list (see
+http://www.openssl.org for information on subscribing). If you
+would like to submit a patch, send it to rt@openssl.org with
+the string "[PATCH]" in the subject. Please be sure to include a
+textual explanation of what your patch does.
+
+You can also make GitHub pull requests. If you do this, please also send
+mail to rt@openssl.org with a brief description and a link to the PR so
+that we can more easily keep track of it.
+
+If you are unsure as to whether a feature will be useful for the general
+OpenSSL community please discuss it on the openssl-dev mailing list first.
+Someone may be already working on the same thing or there may be a good
+reason as to why that feature isn't implemented.
+
+Patches should be as up to date as possible, preferably relative to the
+current Git or the last snapshot. They should follow our coding style
+(see https://www.openssl.org/policies/codingstyle.html) and compile without
+warnings using the --strict-warnings flag.  OpenSSL compiles on many varied
+platforms: try to ensure you only use portable features.
+
+Our preferred format for patch files is "git format-patch" output. For example
+to provide a patch file containing the last commit in your local git repository
+use the following command:
+
+# git format-patch --stdout HEAD^ >mydiffs.patch
+
+Another method of creating an acceptable patch file without using git is as
+follows:
+
+# cd openssl-work
+# [your changes]
+# ./Configure dist; make clean
+# cd ..
+# diff -ur openssl-orig openssl-work > mydiffs.patch
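Review bot: The new file sends every patch to rt@openssl.org or to a GitHub pull request and gives no separate path for fixes to security issues, so a contributor holding a vulnerability fix has only the general patch channels to follow from this text. Add a sentence pointing to the project's security reporting procedure. Separately, the example commands are prefixed with `#`, which reads as a root prompt (or as a shell comment when pasted); none of them needs root, so `$` would be clearer.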

Modified: vendor-crypto/openssl/dist-1.0.1/Configure
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/Configure	Thu Dec  3 17:23:35 2015	(r291708)
+++ vendor-crypto/openssl/dist-1.0.1/Configure	Thu Dec  3 17:24:16 2015	(r291709)
@@ -105,6 +105,8 @@ my $usage="Usage: Configure [no-<cipher>
 
 my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
 
+my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments";
+
 my $strict_warnings = 0;
 
 my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
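Review bot: `$clang_devteam_warn` consists only of suppressions (four `-Wno-...` options plus `-Qunused-arguments`) and carries no comment saying why each one is needed, so nobody can later tell which of them can be dropped. A short comment per option, or at least for `-Wno-extended-offsetof` and `-Qunused-arguments`, would help. As it stands, `--strict-warnings` is looser under clang than its name suggests.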
@@ -197,6 +199,7 @@ my %table=(
 "debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"debug-linux-x86_64-clang","clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "dist",		"cc:-O::(unknown)::::::",
 
 # Basic configs that should work on any (32 and less bit) box
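Review bot: The new table entry starts its flags with a space after the compiler field (`clang: -DBN_DEBUG`), unlike the `gcc:-DBN_DEBUG` entries next to it. If the table parser keeps that space it ends up at the front of the cflags; dropping it keeps the entry consistent with its neighbours. The entry is otherwise a copy of debug-linux-x86_64 with `-Qunused-arguments` appended, which deserves a comment saying why.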
@@ -361,6 +364,7 @@ my %table=(
 "linux-ia64-ecc","ecc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
+"linux-x86_64-clang","clang: -m64 -DL_ENDIAN -O3 -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 "linux64-s390x",	"gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
 #### So called "highgprs" target for z/Architecture CPUs
 # "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
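Review bot: `-Qunused-arguments` sits in the cflags of the regular `linux-x86_64-clang` target, so clang's diagnostics about command-line arguments it does not use are silenced for every build of this target, not only for the step that triggers them. An option added later through Configure that clang ignores would then go unreported. Consider a comment naming the invocation that needs the flag, or limiting it to that step.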
@@ -1574,11 +1578,20 @@ if ($shlib_version_number =~ /(^[0-9]*)\
 
 if ($strict_warnings)
 	{
+	my $ecc = $cc;
+	$ecc = "clang" if `$cc --version 2>&1` =~ /clang/;
 	my $wopt;
-	die "ERROR --strict-warnings requires gcc" unless ($cc =~ /gcc$/);
+	die "ERROR --strict-warnings requires gcc or clang" unless ($ecc =~ /gcc$/ or $ecc =~ /clang$/);
 	foreach $wopt (split /\s+/, $gcc_devteam_warn)
 		{
-		$cflags .= " $wopt" unless ($cflags =~ /$wopt/)
+		$cflags .= " $wopt" unless ($cflags =~ /(^|\s)$wopt(\s|$)/)
+		}
+	if ($ecc eq "clang")
+		{
+		foreach $wopt (split /\s+/, $clang_devteam_warn)
+			{
+			$cflags .= " $wopt" unless ($cflags =~ /(^|\s)$wopt(\s|$)/)
+			}
 		}
 	}
 
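Review bot: In the new detection line, `$cc` is interpolated unquoted into a backtick command (`$cc --version 2>&1`), so any shell metacharacters in the compiler setting are interpreted by the shell, and a compiler that cannot be run yields empty output that falls through to the "requires gcc or clang" message. Quote the value or run the probe without a shell, and report a failed probe separately. Also, the tightened match `/(^|\s)$wopt(\s|$)/` still interpolates `$wopt` as a pattern; `\Q$wopt\E` would make it literal, and the two identical loops could share one helper.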

Modified: vendor-crypto/openssl/dist-1.0.1/FAQ
==============================================================================
--- vendor-crypto/openssl/dist-1.0.1/FAQ	Thu Dec  3 17:23:35 2015	(r291708)
+++ vendor-crypto/openssl/dist-1.0.1/FAQ	Thu Dec  3 17:24:16 2015	(r291709)
@@ -1,1039 +1,2 @@
-OpenSSL  -  Frequently Asked Questions
---------------------------------------
-
-[MISC] Miscellaneous questions
-
-* Which is the current version of OpenSSL?
-* Where is the documentation?
-* How can I contact the OpenSSL developers?
-* Where can I get a compiled version of OpenSSL?
-* Why aren't tools like 'autoconf' and 'libtool' used?
-* What is an 'engine' version?
-* How do I check the authenticity of the OpenSSL distribution?
-* How does the versioning scheme work?
-
-[LEGAL] Legal questions
-
-* Do I need patent licenses to use OpenSSL?
-* Can I use OpenSSL with GPL software? 
-
-[USER] Questions on using the OpenSSL applications
-
-* Why do I get a "PRNG not seeded" error message?
-* Why do I get an "unable to write 'random state'" error message?
-* How do I create certificates or certificate requests?
-* Why can't I create certificate requests?
-* Why does <SSL program> fail with a certificate verify error?
-* Why can I only use weak ciphers when I connect to a server using OpenSSL?
-* How can I create DSA certificates?
-* Why can't I make an SSL connection using a DSA certificate?
-* How can I remove the passphrase on a private key?
-* Why can't I use OpenSSL certificates with SSL client authentication?
-* Why does my browser give a warning about a mismatched hostname?
-* How do I install a CA certificate into a browser?
-* Why is OpenSSL x509 DN output not conformant to RFC2253?
-* What is a "128 bit certificate"? Can I create one with OpenSSL?
-* Why does OpenSSL set the authority key identifier extension incorrectly?
-* How can I set up a bundle of commercial root CA certificates?
-
-[BUILD] Questions about building and testing OpenSSL
-
-* Why does the linker complain about undefined symbols?
-* Why does the OpenSSL test fail with "bc: command not found"?
-* Why does the OpenSSL test fail with "bc: 1 no implemented"?
-* Why does the OpenSSL test fail with "bc: stack empty"?
-* Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
-* Why does the OpenSSL compilation fail with "ar: command not found"?
-* Why does the OpenSSL compilation fail on Win32 with VC++?
-* What is special about OpenSSL on Redhat?
-* Why does the OpenSSL compilation fail on MacOS X?
-* Why does the OpenSSL test suite fail on MacOS X?
-* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
-* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
-* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
-* Why does compiler fail to compile sha512.c?
-* Test suite still fails, what to do?
-* I think I've found a bug, what should I do?
-* I'm SURE I've found a bug, how do I report it?
-* I've found a security issue, how do I report it?
-
-[PROG] Questions about programming with OpenSSL
-
-* Is OpenSSL thread-safe?
-* I've compiled a program under Windows and it crashes: why?
-* How do I read or write a DER encoded buffer using the ASN1 functions?
-* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
-* I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
-* I've called <some function> and it fails, why?
-* I just get a load of numbers for the error output, what do they mean?
-* Why do I get errors about unknown algorithms?
-* Why can't the OpenSSH configure script detect OpenSSL?
-* Can I use OpenSSL's SSL library with non-blocking I/O?
-* Why doesn't my server application receive a client certificate?
-* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
-* I think I've detected a memory leak, is this a bug?
-* Why does Valgrind complain about the use of uninitialized data?
-* Why doesn't a memory BIO work when a file does?
-* Where are the declarations and implementations of d2i_X509() etc?
-
-===============================================================================
-
-[MISC] ========================================================================
-
-* Which is the current version of OpenSSL?
-
-The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 1.0.1e was released on Feb 11th, 2013.
-
-In addition to the current stable release, you can also access daily
-snapshots of the OpenSSL development version at <URL:
-ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access.
-
-
-* Where is the documentation?
-
-OpenSSL is a library that provides cryptographic functionality to
-applications such as secure web servers.  Be sure to read the
-documentation of the application you want to use.  The INSTALL file
-explains how to install this library.
-
-OpenSSL includes a command line utility that can be used to perform a
-variety of cryptographic functions.  It is described in the openssl(1)
-manpage.  Documentation for developers is currently being written. Many
-manual pages are available; overviews over libcrypto and
-libssl are given in the crypto(3) and ssl(3) manpages.
-
-The OpenSSL manpages are installed in /usr/local/ssl/man/ (or a
-different directory if you specified one as described in INSTALL).
-In addition, you can read the most current versions at
-<URL: http://www.openssl.org/docs/>. Note that the online documents refer
-to the very latest development versions of OpenSSL and may include features
-not present in released versions. If in doubt refer to the documentation
-that came with the version of OpenSSL you are using. The pod format
-documentation is included in each OpenSSL distribution under the docs
-directory.
-
-There is some documentation about certificate extensions and PKCS#12
-in doc/openssl.txt
-
-The original SSLeay documentation is included in OpenSSL as
-doc/ssleay.txt.  It may be useful when none of the other resources
-help, but please note that it reflects the obsolete version SSLeay
-0.6.6.
-
-
-* How can I contact the OpenSSL developers?
-
-The README file describes how to submit bug reports and patches to
-OpenSSL.  Information on the OpenSSL mailing lists is available from
-<URL: http://www.openssl.org>.
-
-
-* Where can I get a compiled version of OpenSSL?
-
-You can finder pointers to binary distributions in
-<URL: http://www.openssl.org/related/binaries.html>; .
-
-Some applications that use OpenSSL are distributed in binary form.
-When using such an application, you don't need to install OpenSSL
-yourself; the application will include the required parts (e.g. DLLs).
-
-If you want to build OpenSSL on a Windows system and you don't have
-a C compiler, read the "Mingw32" section of INSTALL.W32 for information
-on how to obtain and install the free GNU C compiler.
-
-A number of Linux and *BSD distributions include OpenSSL.
-
-
-* Why aren't tools like 'autoconf' and 'libtool' used?
-
-autoconf will probably be used in future OpenSSL versions. If it was
-less Unix-centric, it might have been used much earlier.
-
-* What is an 'engine' version?
-
-With version 0.9.6 OpenSSL was extended to interface to external crypto
-hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 the changes were merged into the main development line,
-so that the special release is no longer necessary.
-
-* How do I check the authenticity of the OpenSSL distribution?
-
-We provide MD5 digests and ASC signatures of each tarball.
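Review bot: The hunk header `-1,1039 +1,2` replaces the whole FAQ with two lines, and those two lines fall past the 1000-line truncation, so what the file now says cannot be reviewed from this mail. The removed text includes the entries on checking the authenticity of the distribution and on reporting a security issue; confirm against the changeset URL that the replacement points to where those answers now live.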

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


