Module Name: src
Committed By: christos
Date: Tue May 3 17:21:32 UTC 2016
Modified Files:
src/crypto/external/bsd/openssl/dist: CHANGES Makefile NEWS README
openssl.spec
src/crypto/external/bsd/openssl/dist/crypto: opensslv.h
src/crypto/external/bsd/openssl/dist/crypto/asn1: a_d2i_fp.c a_type.c
tasn_dec.c tasn_enc.c
src/crypto/external/bsd/openssl/dist/crypto/evp: Makefile evp_enc.c
src/crypto/external/bsd/openssl/dist/ssl: d1_both.c s2_lib.c s3_clnt.c
s3_lib.c ssl.h ssl_ciph.c ssl_locl.h t1_lib.c
src/crypto/external/bsd/openssl/dist/util: mk1mf.pl mkdef.pl ssleay.num
Log Message:
merge conflicts
To generate a diff of this commit:
cvs rdiff -u -r1.10 -r1.11 src/crypto/external/bsd/openssl/dist/CHANGES \
src/crypto/external/bsd/openssl/dist/NEWS \
src/crypto/external/bsd/openssl/dist/README \
src/crypto/external/bsd/openssl/dist/openssl.spec
cvs rdiff -u -r1.11 -r1.12 src/crypto/external/bsd/openssl/dist/Makefile
cvs rdiff -u -r1.19 -r1.20 \
src/crypto/external/bsd/openssl/dist/crypto/opensslv.h
cvs rdiff -u -r1.3 -r1.4 \
src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c \
src/crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c \
src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c
cvs rdiff -u -r1.5 -r1.6 \
src/crypto/external/bsd/openssl/dist/crypto/evp/Makefile
cvs rdiff -u -r1.4 -r1.5 \
src/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c
cvs rdiff -u -r1.7 -r1.8 src/crypto/external/bsd/openssl/dist/ssl/d1_both.c
cvs rdiff -u -r1.5 -r1.6 src/crypto/external/bsd/openssl/dist/ssl/s2_lib.c
cvs rdiff -u -r1.17 -r1.18 src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c \
src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c
cvs rdiff -u -r1.14 -r1.15 src/crypto/external/bsd/openssl/dist/ssl/ssl.h
cvs rdiff -u -r1.10 -r1.11 \
src/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c
cvs rdiff -u -r1.12 -r1.13 \
src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h
cvs rdiff -u -r1.20 -r1.21 src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c
cvs rdiff -u -r1.7 -r1.8 src/crypto/external/bsd/openssl/dist/util/mk1mf.pl
cvs rdiff -u -r1.3 -r1.4 src/crypto/external/bsd/openssl/dist/util/mkdef.pl \
src/crypto/external/bsd/openssl/dist/util/ssleay.num
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/external/bsd/openssl/dist/CHANGES
diff -u src/crypto/external/bsd/openssl/dist/CHANGES:1.10 src/crypto/external/bsd/openssl/dist/CHANGES:1.11
--- src/crypto/external/bsd/openssl/dist/CHANGES:1.10 Tue Mar 1 20:52:35 2016
+++ src/crypto/external/bsd/openssl/dist/CHANGES Tue May 3 13:21:32 2016
@@ -2,6 +2,103 @@
OpenSSL CHANGES
_______________
+ Changes between 1.0.1s and 1.0.1t [3 May 2016]
+
+ *) Prevent padding oracle in AES-NI CBC MAC check
+
+ A MITM attacker can use a padding oracle attack to decrypt traffic
+ when the connection uses an AES CBC cipher and the server support
+ AES-NI.
+
+ This issue was introduced as part of the fix for Lucky 13 padding
+ attack (CVE-2013-0169). The padding check was rewritten to be in
+ constant time by making sure that always the same bytes are read and
+ compared against either the MAC or padding bytes. But it no longer
+ checked that there was enough data to have both the MAC and padding
+ bytes.
+
+ This issue was reported by Juraj Somorovsky using TLS-Attacker.
+ (CVE-2016-2107)
+ [Kurt Roeckx]
+
+ *) Fix EVP_EncodeUpdate overflow
+
+ An overflow can occur in the EVP_EncodeUpdate() function which is used for
+ Base64 encoding of binary data. If an attacker is able to supply very large
+ amounts of input data then a length check can overflow resulting in a heap
+ corruption.
+
+ Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+ the PEM_write_bio* family of functions. These are mainly used within the
+ OpenSSL command line applications, so any application which processes data
+ from an untrusted source and outputs it as a PEM file should be considered
+ vulnerable to this issue. User applications that call these APIs directly
+ with large amounts of untrusted data may also be vulnerable.
+
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2105)
+ [Matt Caswell]
+
+ *) Fix EVP_EncryptUpdate overflow
+
+ An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+ is able to supply very large amounts of input data after a previous call to
+ EVP_EncryptUpdate() with a partial block then a length check can overflow
+ resulting in a heap corruption. Following an analysis of all OpenSSL
+ internal usage of the EVP_EncryptUpdate() function all usage is one of two
+ forms. The first form is where the EVP_EncryptUpdate() call is known to be
+ the first called function after an EVP_EncryptInit(), and therefore that
+ specific call must be safe. The second form is where the length passed to
+ EVP_EncryptUpdate() can be seen from the code to be some small value and
+ therefore there is no possibility of an overflow. Since all instances are
+ one of these two forms, it is believed that there can be no overflows in
+ internal code due to this problem. It should be noted that
+ EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
+ Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
+ of these calls have also been analysed too and it is believed there are no
+ instances in internal usage where an overflow could occur.
+
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2106)
+ [Matt Caswell]
+
+ *) Prevent ASN.1 BIO excessive memory allocation
+
+ When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+ a short invalid encoding can casuse allocation of large amounts of memory
+ potentially consuming excessive resources or exhausting memory.
+
+ Any application parsing untrusted data through d2i BIO functions is
+ affected. The memory based functions such as d2i_X509() are *not* affected.
+ Since the memory based functions are used by the TLS library, TLS
+ applications are not affected.
+
+ This issue was reported by Brian Carpenter.
+ (CVE-2016-2109)
+ [Stephen Henson]
+
+ *) EBCDIC overread
+
+ ASN1 Strings that are over 1024 bytes can cause an overread in applications
+ using the X509_NAME_oneline() function on EBCDIC systems. This could result
+ in arbitrary stack data being returned in the buffer.
+
+ This issue was reported by Guido Vranken.
+ (CVE-2016-2176)
+ [Matt Caswell]
+
+ *) Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
+ [Todd Short]
+
+ *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the
+ default.
+ [Kurt Roeckx]
+
+ *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+ methods are enabled and ssl2 is disabled the methods return NULL.
+ [Kurt Roeckx]
+
Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
Index: src/crypto/external/bsd/openssl/dist/NEWS
diff -u src/crypto/external/bsd/openssl/dist/NEWS:1.10 src/crypto/external/bsd/openssl/dist/NEWS:1.11
--- src/crypto/external/bsd/openssl/dist/NEWS:1.10 Tue Mar 1 20:52:35 2016
+++ src/crypto/external/bsd/openssl/dist/NEWS Tue May 3 13:21:32 2016
@@ -5,6 +5,19 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [3 May 2016]
+
+ o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
+ o Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
+ o Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
+ o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
+ o EBCDIC overread (CVE-2016-2176)
+ o Modify behavior of ALPN to invoke callback after SNI/servername
+ callback, such that updates to the SSL_CTX affect ALPN.
+ o Remove LOW from the DEFAULT cipher list. This removes singles DES from
+ the default.
+ o Only remove the SSLv2 methods with the no-ssl2-method option.
+
Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016]
o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
Index: src/crypto/external/bsd/openssl/dist/README
diff -u src/crypto/external/bsd/openssl/dist/README:1.10 src/crypto/external/bsd/openssl/dist/README:1.11
--- src/crypto/external/bsd/openssl/dist/README:1.10 Tue Mar 1 20:52:35 2016
+++ src/crypto/external/bsd/openssl/dist/README Tue May 3 13:21:32 2016
@@ -1,5 +1,5 @@
- OpenSSL 1.0.1s 1 Mar 2016
+ OpenSSL 1.0.1t 3 May 2016
Copyright (c) 1998-2015 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
Index: src/crypto/external/bsd/openssl/dist/openssl.spec
diff -u src/crypto/external/bsd/openssl/dist/openssl.spec:1.10 src/crypto/external/bsd/openssl/dist/openssl.spec:1.11
--- src/crypto/external/bsd/openssl/dist/openssl.spec:1.10 Tue Mar 1 20:52:35 2016
+++ src/crypto/external/bsd/openssl/dist/openssl.spec Tue May 3 13:21:32 2016
@@ -7,7 +7,7 @@ Release: 1
Summary: Secure Sockets Layer and cryptography libraries and tools
Name: openssl
#Version: %{libmaj}.%{libmin}.%{librel}
-Version: 1.0.1s
+Version: 1.0.1t
Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
License: OpenSSL
Group: System Environment/Libraries
Index: src/crypto/external/bsd/openssl/dist/Makefile
diff -u src/crypto/external/bsd/openssl/dist/Makefile:1.11 src/crypto/external/bsd/openssl/dist/Makefile:1.12
--- src/crypto/external/bsd/openssl/dist/Makefile:1.11 Tue Mar 1 20:52:35 2016
+++ src/crypto/external/bsd/openssl/dist/Makefile Tue May 3 13:21:32 2016
@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
-VERSION=1.0.1s
+VERSION=1.0.1t
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
Index: src/crypto/external/bsd/openssl/dist/crypto/opensslv.h
diff -u src/crypto/external/bsd/openssl/dist/crypto/opensslv.h:1.19 src/crypto/external/bsd/openssl/dist/crypto/opensslv.h:1.20
--- src/crypto/external/bsd/openssl/dist/crypto/opensslv.h:1.19 Tue Mar 1 20:52:35 2016
+++ src/crypto/external/bsd/openssl/dist/crypto/opensslv.h Tue May 3 13:21:32 2016
@@ -30,11 +30,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1000113fL
+# define OPENSSL_VERSION_NUMBER 0x1000114fL
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1s-fips 1 Mar 2016"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1t-fips 3 May 2016"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1s 1 Mar 2016"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.1t 3 May 2016"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
Index: src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c:1.3 src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c:1.4
--- src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c:1.3 Mon Mar 23 06:22:45 2015
+++ src/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c Tue May 3 13:21:32 2016
@@ -141,6 +141,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *
#endif
#define HEADER_SIZE 8
+#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
{
BUF_MEM *b;
@@ -217,29 +218,44 @@ static int asn1_d2i_read_bio(BIO *in, BU
/* suck in c.slen bytes of data */
want = c.slen;
if (want > (len - off)) {
+ size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
+
want -= (len - off);
if (want > INT_MAX /* BIO_read takes an int length */ ||
len + want < len) {
ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG);
goto err;
}
- if (!BUF_MEM_grow_clean(b, len + want)) {
- ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
- goto err;
- }
while (want > 0) {
- i = BIO_read(in, &(b->data[len]), want);
- if (i <= 0) {
- ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
- ASN1_R_NOT_ENOUGH_DATA);
+ /*
+ * Read content in chunks of increasing size
+ * so we can return an error for EOF without
+ * having to allocate the entire content length
+ * in one go.
+ */
+ size_t chunk = want > chunk_max ? chunk_max : want;
+
+ if (!BUF_MEM_grow_clean(b, len + chunk)) {
+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
goto err;
}
+ want -= chunk;
+ while (chunk > 0) {
+ i = BIO_read(in, &(b->data[len]), chunk);
+ if (i <= 0) {
+ ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
+ ASN1_R_NOT_ENOUGH_DATA);
+ goto err;
+ }
/*
* This can't overflow because |len+want| didn't
* overflow.
*/
- len += i;
- want -= i;
+ len += i;
+ chunk -= i;
+ }
+ if (chunk_max < INT_MAX/2)
+ chunk_max *= 2;
}
}
if (off + c.slen < off) {
Index: src/crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c:1.3 src/crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c:1.4
--- src/crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c:1.3 Mon Mar 23 06:22:45 2015
+++ src/crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c Tue May 3 13:21:32 2016
@@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
result = 0; /* They do not have content. */
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
case V_ASN1_BIT_STRING:
case V_ASN1_OCTET_STRING:
case V_ASN1_SEQUENCE:
Index: src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c:1.4 src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c:1.5
--- src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c:1.4 Sun Dec 6 16:52:35 2015
+++ src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c Tue May 3 13:21:32 2016
@@ -903,9 +903,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
tint = (ASN1_INTEGER **)pval;
if (!c2i_ASN1_INTEGER(tint, &cont, len))
goto err;
Index: src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c:1.4 src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c:1.5
--- src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c:1.4 Mon Mar 23 06:22:45 2015
+++ src/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c Tue May 3 13:21:32 2016
@@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig
break;
case V_ASN1_INTEGER:
- case V_ASN1_NEG_INTEGER:
case V_ASN1_ENUMERATED:
- case V_ASN1_NEG_ENUMERATED:
/*
* These are all have the same content format as ASN1_INTEGER
*/
Index: src/crypto/external/bsd/openssl/dist/crypto/evp/Makefile
diff -u src/crypto/external/bsd/openssl/dist/crypto/evp/Makefile:1.5 src/crypto/external/bsd/openssl/dist/crypto/evp/Makefile:1.6
--- src/crypto/external/bsd/openssl/dist/crypto/evp/Makefile:1.5 Fri Jun 12 13:01:12 2015
+++ src/crypto/external/bsd/openssl/dist/crypto/evp/Makefile Tue May 3 13:21:32 2016
@@ -199,8 +199,8 @@ e_aes.o: ../../include/openssl/opensslv.
e_aes.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
e_aes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
e_aes.o: ../modes/modes_lcl.h e_aes.c evp_locl.h
-e_aes_cbc_hmac_sha1.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_aes_cbc_hmac_sha1.o: ../../include/openssl/bio.h
+e_aes_cbc_hmac_sha1.o: ../../e_os.h ../../include/openssl/aes.h
+e_aes_cbc_hmac_sha1.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
e_aes_cbc_hmac_sha1.o: ../../include/openssl/crypto.h
e_aes_cbc_hmac_sha1.o: ../../include/openssl/e_os2.h
e_aes_cbc_hmac_sha1.o: ../../include/openssl/evp.h
@@ -212,8 +212,8 @@ e_aes_cbc_hmac_sha1.o: ../../include/ope
e_aes_cbc_hmac_sha1.o: ../../include/openssl/safestack.h
e_aes_cbc_hmac_sha1.o: ../../include/openssl/sha.h
e_aes_cbc_hmac_sha1.o: ../../include/openssl/stack.h
-e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h e_aes_cbc_hmac_sha1.c
-e_aes_cbc_hmac_sha1.o: evp_locl.h
+e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h ../constant_time_locl.h
+e_aes_cbc_hmac_sha1.o: e_aes_cbc_hmac_sha1.c evp_locl.h
e_bf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
e_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/buffer.h
e_bf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
Index: src/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c
diff -u src/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c:1.4 src/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c:1.5
--- src/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c:1.4 Mon Mar 23 06:22:47 2015
+++ src/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c Tue May 3 13:21:32 2016
@@ -334,7 +334,7 @@ int EVP_EncryptUpdate(EVP_CIPHER_CTX *ct
bl = ctx->cipher->block_size;
OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
if (i != 0) {
- if (i + inl < bl) {
+ if (bl - i > inl) {
memcpy(&(ctx->buf[i]), in, inl);
ctx->buf_len += inl;
*outl = 0;
Index: src/crypto/external/bsd/openssl/dist/ssl/d1_both.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/d1_both.c:1.7 src/crypto/external/bsd/openssl/dist/ssl/d1_both.c:1.8
--- src/crypto/external/bsd/openssl/dist/ssl/d1_both.c:1.7 Sat Jan 30 12:00:21 2016
+++ src/crypto/external/bsd/openssl/dist/ssl/d1_both.c Tue May 3 13:21:32 2016
@@ -1579,6 +1579,8 @@ int dtls1_process_heartbeat(SSL *s)
* plus 2 bytes payload length, plus payload, plus padding
*/
buffer = OPENSSL_malloc(write_length);
+ if (buffer == NULL)
+ return -1;
bp = buffer;
/* Enter response type, length and copy payload */
Index: src/crypto/external/bsd/openssl/dist/ssl/s2_lib.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s2_lib.c:1.5 src/crypto/external/bsd/openssl/dist/ssl/s2_lib.c:1.6
--- src/crypto/external/bsd/openssl/dist/ssl/s2_lib.c:1.5 Tue Mar 1 20:52:35 2016
+++ src/crypto/external/bsd/openssl/dist/ssl/s2_lib.c Tue May 3 13:21:32 2016
@@ -150,7 +150,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
SSL_RC4,
SSL_MD5,
SSL_SSLV2,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0,
128,
128,
@@ -167,7 +167,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
SSL_RC4,
SSL_MD5,
SSL_SSLV2,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL2_CF_5_BYTE_ENC,
40,
128,
@@ -184,7 +184,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
SSL_RC2,
SSL_MD5,
SSL_SSLV2,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0,
128,
128,
@@ -201,7 +201,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
SSL_RC2,
SSL_MD5,
SSL_SSLV2,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL2_CF_5_BYTE_ENC,
40,
128,
@@ -219,7 +219,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
SSL_IDEA,
SSL_MD5,
SSL_SSLV2,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
0,
128,
128,
@@ -237,7 +237,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
SSL_DES,
SSL_MD5,
SSL_SSLV2,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
0,
56,
56,
@@ -254,7 +254,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
SSL_3DES,
SSL_MD5,
SSL_SSLV2,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
0,
112,
168,
@@ -271,7 +271,7 @@ OPENSSL_GLOBAL const SSL_CIPHER ssl2_cip
SSL_RC4,
SSL_MD5,
SSL_SSLV2,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL2_CF_8_BYTE_ENC,
64,
64,
Index: src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c:1.17 src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c:1.18
--- src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c:1.17 Sat Jan 30 12:00:21 2016
+++ src/crypto/external/bsd/openssl/dist/ssl/s3_clnt.c Tue May 3 13:21:32 2016
@@ -2104,6 +2104,7 @@ int ssl3_get_certificate_request(SSL *s)
SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST, ERR_R_MALLOC_FAILURE);
goto err;
}
+ xn = NULL;
p += l;
nc += l + 2;
@@ -2127,6 +2128,7 @@ int ssl3_get_certificate_request(SSL *s)
err:
s->state = SSL_ST_ERR;
done:
+ X509_NAME_free(xn);
if (ca_sk != NULL)
sk_X509_NAME_pop_free(ca_sk, X509_NAME_free);
return (ret);
Index: src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.17 src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.18
--- src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c:1.17 Tue Mar 1 20:52:35 2016
+++ src/crypto/external/bsd/openssl/dist/ssl/s3_lib.c Tue May 3 13:21:32 2016
@@ -213,7 +213,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -263,7 +263,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC2,
SSL_MD5,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -299,7 +299,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -317,7 +317,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -352,7 +352,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -370,7 +370,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -404,7 +404,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -422,7 +422,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -457,7 +457,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -475,7 +475,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -509,7 +509,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -527,7 +527,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -561,7 +561,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -578,7 +578,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -595,7 +595,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -613,7 +613,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -630,7 +630,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_3DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -700,7 +700,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -766,7 +766,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_MD5,
SSL_SSLV3,
- SSL_NOT_EXP | SSL_LOW,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_LOW,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -832,7 +832,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -850,7 +850,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC2,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -868,7 +868,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC4,
SSL_SHA1,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -886,7 +886,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_MD5,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
56,
@@ -904,7 +904,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC2,
SSL_MD5,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -922,7 +922,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC4,
SSL_MD5,
SSL_SSLV3,
- SSL_EXPORT | SSL_EXP40,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP40,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
40,
128,
@@ -1016,7 +1016,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1111,7 +1111,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_AES256,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1307,7 +1307,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_CAMELLIA128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1327,7 +1327,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC4,
SSL_MD5,
SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
@@ -1343,7 +1343,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC2,
SSL_MD5,
SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
@@ -1361,7 +1361,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -1379,7 +1379,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_DES,
SSL_SHA1,
SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
56,
@@ -1397,7 +1397,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
@@ -1415,7 +1415,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
- SSL_EXPORT | SSL_EXP56,
+ SSL_NOT_DEFAULT | SSL_EXPORT | SSL_EXP56,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
56,
128,
@@ -1530,7 +1530,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_AES128,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -1546,7 +1546,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_AES256,
SSL_SHA256,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1699,7 +1699,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_CAMELLIA256,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
@@ -1865,7 +1865,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_SEED,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2045,7 +2045,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_AES128GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
128,
128,
@@ -2061,7 +2061,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_AES256GCM,
SSL_AEAD,
SSL_TLSV1_2,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_SHA384 | TLS1_PRF_SHA384,
256,
256,
@@ -2414,7 +2414,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_RC4,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_MEDIUM,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_MEDIUM,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2430,7 +2430,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_3DES,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
112,
168,
@@ -2446,7 +2446,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_AES128,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
128,
128,
@@ -2462,7 +2462,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]
SSL_AES256,
SSL_SHA1,
SSL_TLSV1,
- SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
+ SSL_NOT_DEFAULT | SSL_NOT_EXP | SSL_HIGH | SSL_FIPS,
SSL_HANDSHAKE_MAC_DEFAULT | TLS1_PRF,
256,
256,
Index: src/crypto/external/bsd/openssl/dist/ssl/ssl.h
diff -u src/crypto/external/bsd/openssl/dist/ssl/ssl.h:1.14 src/crypto/external/bsd/openssl/dist/ssl/ssl.h:1.15
--- src/crypto/external/bsd/openssl/dist/ssl/ssl.h:1.14 Sat Jan 30 12:00:21 2016
+++ src/crypto/external/bsd/openssl/dist/ssl/ssl.h Tue May 3 13:21:32 2016
@@ -334,7 +334,7 @@ extern "C" {
* The following cipher list is used by default. It also is substituted when
* an application-defined cipher list string starts with 'DEFAULT'.
*/
-# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!aNULL:!eNULL:!SSLv2"
+# define SSL_DEFAULT_CIPHER_LIST "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"
/*
* As of OpenSSL 1.0.0, ssl_create_cipher_list() in ssl/ssl_ciph.c always
* starts with a reasonable order, and all we have to do for DEFAULT is
@@ -2017,7 +2017,7 @@ const char *SSL_get_version(const SSL *s
/* This sets the 'default' SSL version that SSL_new() will create */
int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth);
-# ifndef OPENSSL_NO_SSL2
+# ifndef OPENSSL_NO_SSL2_METHOD
const SSL_METHOD *SSLv2_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_server_method(void); /* SSLv2 */
const SSL_METHOD *SSLv2_client_method(void); /* SSLv2 */
Index: src/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c:1.10 src/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c:1.11
--- src/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c:1.10 Sun Dec 6 16:52:37 2015
+++ src/crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c Tue May 3 13:21:32 2016
@@ -235,8 +235,7 @@ static const SSL_CIPHER cipher_aliases[]
* "COMPLEMENTOFDEFAULT" (does *not* include ciphersuites not found in
* ALL!)
*/
- {0, SSL_TXT_CMPDEF, 0, 0, SSL_aNULL, ~SSL_eNULL, 0, ~SSL_SSLV2,
- SSL_EXP_MASK, 0, 0, 0},
+ {0, SSL_TXT_CMPDEF, 0, 0, 0, 0, 0, 0, SSL_NOT_DEFAULT, 0, 0, 0},
/*
* key exchange aliases (some of those using only a single bit here
@@ -1000,10 +999,6 @@ static void ssl_cipher_apply_rule(unsign
cp->algorithm_enc, cp->algorithm_mac, cp->algorithm_ssl,
cp->algo_strength);
#endif
- if (algo_strength == SSL_EXP_MASK && SSL_C_IS_EXPORT(cp))
- goto ok;
- if (alg_ssl == ~SSL_SSLV2 && cp->algorithm_ssl == SSL_SSLV2)
- goto ok;
if (alg_mkey && !(alg_mkey & cp->algorithm_mkey))
continue;
if (alg_auth && !(alg_auth & cp->algorithm_auth))
@@ -1020,10 +1015,11 @@ static void ssl_cipher_apply_rule(unsign
if ((algo_strength & SSL_STRONG_MASK)
&& !(algo_strength & SSL_STRONG_MASK & cp->algo_strength))
continue;
+ if ((algo_strength & SSL_NOT_DEFAULT)
+ && !(cp->algo_strength & SSL_NOT_DEFAULT))
+ continue;
}
- ok:
-
#ifdef CIPHER_DEBUG
fprintf(stderr, "Action = %d\n", rule);
#endif
@@ -1307,6 +1303,10 @@ static int ssl_cipher_process_rulestr(co
ca_list[j]->algo_strength & SSL_STRONG_MASK;
}
+ if (ca_list[j]->algo_strength & SSL_NOT_DEFAULT) {
+ algo_strength |= SSL_NOT_DEFAULT;
+ }
+
if (ca_list[j]->valid) {
/*
* explicit ciphersuite found; its protocol version does not
Index: src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h
diff -u src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h:1.12 src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h:1.13
--- src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h:1.12 Sun Dec 6 16:52:37 2015
+++ src/crypto/external/bsd/openssl/dist/ssl/ssl_locl.h Tue May 3 13:21:32 2016
@@ -435,8 +435,9 @@
# define SSL_MEDIUM 0x00000040L
# define SSL_HIGH 0x00000080L
# define SSL_FIPS 0x00000100L
+# define SSL_NOT_DEFAULT 0x00000200L
-/* we have used 000001ff - 23 bits left to go */
+/* we have used 000003ff - 22 bits left to go */
/*-
* Macros to check the export status and cipher strength for export ciphers.
Index: src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c
diff -u src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.20 src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.21
--- src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c:1.20 Sat Jan 30 12:00:21 2016
+++ src/crypto/external/bsd/openssl/dist/ssl/t1_lib.c Tue May 3 13:21:32 2016
@@ -2321,8 +2321,10 @@ static int tls_decrypt_ticket(SSL *s, co
p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx);
eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx);
sdec = OPENSSL_malloc(eticklen);
- if (!sdec || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
+ if (sdec == NULL
+ || EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) {
EVP_CIPHER_CTX_cleanup(&ctx);
+ OPENSSL_free(sdec);
return -1;
}
if (EVP_DecryptFinal(&ctx, sdec + slen, &mlen) <= 0) {
@@ -2579,6 +2581,8 @@ int tls1_process_heartbeat(SSL *s)
* plus 2 bytes payload length, plus payload, plus padding
*/
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
+ if (buffer == NULL)
+ return -1;
bp = buffer;
/* Enter response type, length and copy payload */
Index: src/crypto/external/bsd/openssl/dist/util/mk1mf.pl
diff -u src/crypto/external/bsd/openssl/dist/util/mk1mf.pl:1.7 src/crypto/external/bsd/openssl/dist/util/mk1mf.pl:1.8
--- src/crypto/external/bsd/openssl/dist/util/mk1mf.pl:1.7 Tue Mar 1 20:52:35 2016
+++ src/crypto/external/bsd/openssl/dist/util/mk1mf.pl Tue May 3 13:21:32 2016
@@ -282,8 +282,9 @@ $cflags.=" -DOPENSSL_FIPS" if $fips;
$cflags.=" -DOPENSSL_NO_JPAKE" if $no_jpake;
$cflags.=" -DOPENSSL_NO_EC2M" if $no_ec2m;
$cflags.=" -DOPENSSL_NO_WEAK_SSL_CIPHERS" if $no_weak_ssl;
-$cflags.= " -DZLIB" if $zlib_opt;
-$cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
+$cflags.=" -DZLIB" if $zlib_opt;
+$cflags.=" -DZLIB_SHARED" if $zlib_opt == 2;
+$cflags.=" -DOPENSSL_NO_COMP" if $no_comp;
if ($no_static_engine)
{
@@ -780,6 +781,7 @@ sub var_add
return("") if $no_gost && $dir =~ /\/ccgost/;
return("") if $no_cms && $dir =~ /\/cms/;
return("") if $no_jpake && $dir =~ /\/jpake/;
+ return("") if $no_comp && $dir =~ /\/comp/;
if ($no_des && $dir =~ /\/des/)
{
if ($val =~ /read_pwd/)
@@ -1115,6 +1117,7 @@ sub read_options
"nw-mwasm" => \$nw_mwasm,
"gaswin" => \$gaswin,
"no-ssl2" => \$no_ssl2,
+ "no-ssl2-method" => 0,
"no-ssl3" => \$no_ssl3,
"no-ssl3-method" => 0,
"no-tlsext" => \$no_tlsext,
@@ -1156,6 +1159,7 @@ sub read_options
"no-unit-test" => 0,
"no-zlib" => 0,
"no-zlib-dynamic" => 0,
+ "no-comp" => \$no_comp,
"fips" => \$fips
);
@@ -1173,7 +1177,6 @@ sub read_options
}
}
}
- elsif (/^no-comp$/) { $xcflags = "-DOPENSSL_NO_COMP $xcflags"; }
elsif (/^enable-zlib$/) { $zlib_opt = 1 if $zlib_opt == 0 }
elsif (/^enable-zlib-dynamic$/)
{
Index: src/crypto/external/bsd/openssl/dist/util/mkdef.pl
diff -u src/crypto/external/bsd/openssl/dist/util/mkdef.pl:1.3 src/crypto/external/bsd/openssl/dist/util/mkdef.pl:1.4
--- src/crypto/external/bsd/openssl/dist/util/mkdef.pl:1.3 Tue Jan 13 03:16:09 2015
+++ src/crypto/external/bsd/openssl/dist/util/mkdef.pl Tue May 3 13:21:32 2016
@@ -107,6 +107,8 @@ my @known_algorithms = ( "RC2", "RC4", "
"CAPIENG",
# SSL v2
"SSL2",
+ # SSL v2 method
+ "SSL2_METHOD",
# SSL v3 method
"SSL3_METHOD",
# JPAKE
@@ -143,7 +145,7 @@ my $no_fp_api; my $no_static_engine=1; m
my $no_rfc3779; my $no_psk; my $no_tlsext; my $no_cms; my $no_capieng;
my $no_jpake; my $no_srp; my $no_ssl2; my $no_ec2m; my $no_nistp_gcc;
my $no_nextprotoneg; my $no_sctp; my $no_srtp;
-my $no_unit_test; my $no_ssl3_method;
+my $no_unit_test; my $no_ssl3_method; my $no_ssl2_method;
my $fips;
@@ -238,6 +240,7 @@ foreach (@ARGV, split(/ /, $options))
elsif (/^no-ec_nistp_64_gcc_128$/) { $no_nistp_gcc=1; }
elsif (/^no-nextprotoneg$/) { $no_nextprotoneg=1; }
elsif (/^no-ssl2$/) { $no_ssl2=1; }
+ elsif (/^no-ssl2-method$/) { $no_ssl2_method=1; }
elsif (/^no-ssl3-method$/) { $no_ssl3_method=1; }
elsif (/^no-capieng$/) { $no_capieng=1; }
elsif (/^no-jpake$/) { $no_jpake=1; }
@@ -1211,6 +1214,7 @@ sub is_valid
if ($keyword eq "EC_NISTP_64_GCC_128" && $no_nistp_gcc)
{ return 0; }
if ($keyword eq "SSL2" && $no_ssl2) { return 0; }
+ if ($keyword eq "SSL2_METHOD" && $no_ssl2_method) { return 0; }
if ($keyword eq "SSL3_METHOD" && $no_ssl3_method) { return 0; }
if ($keyword eq "CAPIENG" && $no_capieng) { return 0; }
if ($keyword eq "JPAKE" && $no_jpake) { return 0; }
Index: src/crypto/external/bsd/openssl/dist/util/ssleay.num
diff -u src/crypto/external/bsd/openssl/dist/util/ssleay.num:1.3 src/crypto/external/bsd/openssl/dist/util/ssleay.num:1.4
--- src/crypto/external/bsd/openssl/dist/util/ssleay.num:1.3 Tue Jan 13 03:16:09 2015
+++ src/crypto/external/bsd/openssl/dist/util/ssleay.num Tue May 3 13:21:32 2016
@@ -98,9 +98,9 @@ SSLeay_add_ssl_algorithms
SSLv23_client_method 110 EXIST::FUNCTION:RSA
SSLv23_method 111 EXIST::FUNCTION:RSA
SSLv23_server_method 112 EXIST::FUNCTION:RSA
-SSLv2_client_method 113 EXIST::FUNCTION:RSA,SSL2
-SSLv2_method 114 EXIST::FUNCTION:RSA,SSL2
-SSLv2_server_method 115 EXIST::FUNCTION:RSA,SSL2
+SSLv2_client_method 113 EXIST::FUNCTION:RSA,SSL2_METHOD
+SSLv2_method 114 EXIST::FUNCTION:RSA,SSL2_METHOD
+SSLv2_server_method 115 EXIST::FUNCTION:RSA,SSL2_METHOD
SSLv3_client_method 116 EXIST::FUNCTION:SSL3_METHOD
SSLv3_method 117 EXIST::FUNCTION:SSL3_METHOD
SSLv3_server_method 118 EXIST::FUNCTION:SSL3_METHOD
