Author: jkim Date: Fri Jun 6 21:38:34 2014 New Revision: 267190 URL: http://svnweb.freebsd.org/changeset/base/267190
Log: Import OpenSSL 0.9.8za. Approved by: so (delphij) Deleted: vendor-crypto/openssl/dist-0.9.8/test/srptest.c vendor-crypto/openssl/dist-0.9.8/test/wp_test.c Modified: vendor-crypto/openssl/dist-0.9.8/ACKNOWLEDGMENTS vendor-crypto/openssl/dist-0.9.8/CHANGES vendor-crypto/openssl/dist-0.9.8/Configure vendor-crypto/openssl/dist-0.9.8/FAQ vendor-crypto/openssl/dist-0.9.8/FREEBSD-upgrade vendor-crypto/openssl/dist-0.9.8/Makefile vendor-crypto/openssl/dist-0.9.8/Makefile.org vendor-crypto/openssl/dist-0.9.8/NEWS vendor-crypto/openssl/dist-0.9.8/README vendor-crypto/openssl/dist-0.9.8/apps/apps.c vendor-crypto/openssl/dist-0.9.8/apps/ocsp.c vendor-crypto/openssl/dist-0.9.8/apps/req.c vendor-crypto/openssl/dist-0.9.8/apps/s_cb.c vendor-crypto/openssl/dist-0.9.8/apps/smime.c vendor-crypto/openssl/dist-0.9.8/crypto/asn1/a_int.c vendor-crypto/openssl/dist-0.9.8/crypto/asn1/a_strnid.c vendor-crypto/openssl/dist-0.9.8/crypto/asn1/t_pkey.c vendor-crypto/openssl/dist-0.9.8/crypto/bn/bn.h vendor-crypto/openssl/dist-0.9.8/crypto/bn/bn_lib.c vendor-crypto/openssl/dist-0.9.8/crypto/bn/bn_mont.c vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_cd.c vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_env.c vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_lib.c vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_sd.c vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_smime.c vendor-crypto/openssl/dist-0.9.8/crypto/ec/ec2_mult.c vendor-crypto/openssl/dist-0.9.8/crypto/ec/ec_lib.c vendor-crypto/openssl/dist-0.9.8/crypto/engine/eng_all.c vendor-crypto/openssl/dist-0.9.8/crypto/engine/engine.h vendor-crypto/openssl/dist-0.9.8/crypto/err/err_all.c vendor-crypto/openssl/dist-0.9.8/crypto/err/openssl.ec vendor-crypto/openssl/dist-0.9.8/crypto/evp/bio_b64.c vendor-crypto/openssl/dist-0.9.8/crypto/evp/encode.c vendor-crypto/openssl/dist-0.9.8/crypto/opensslv.h vendor-crypto/openssl/dist-0.9.8/crypto/pkcs12/p12_crt.c vendor-crypto/openssl/dist-0.9.8/crypto/pkcs12/p12_kiss.c 
vendor-crypto/openssl/dist-0.9.8/crypto/x86cpuid.pl vendor-crypto/openssl/dist-0.9.8/demos/x509/mkreq.c vendor-crypto/openssl/dist-0.9.8/doc/apps/smime.pod vendor-crypto/openssl/dist-0.9.8/doc/apps/verify.pod vendor-crypto/openssl/dist-0.9.8/doc/crypto/CONF_modules_free.pod vendor-crypto/openssl/dist-0.9.8/doc/crypto/CONF_modules_load_file.pod vendor-crypto/openssl/dist-0.9.8/doc/crypto/ERR_get_error.pod vendor-crypto/openssl/dist-0.9.8/doc/crypto/OPENSSL_config.pod vendor-crypto/openssl/dist-0.9.8/doc/crypto/X509_NAME_ENTRY_get_object.pod vendor-crypto/openssl/dist-0.9.8/doc/crypto/ecdsa.pod vendor-crypto/openssl/dist-0.9.8/doc/fingerprints.txt vendor-crypto/openssl/dist-0.9.8/doc/ssl/SSL_CTX_set_client_CA_list.pod vendor-crypto/openssl/dist-0.9.8/doc/ssl/SSL_CTX_set_msg_callback.pod vendor-crypto/openssl/dist-0.9.8/doc/ssl/SSL_CTX_set_options.pod vendor-crypto/openssl/dist-0.9.8/doc/ssl/SSL_accept.pod vendor-crypto/openssl/dist-0.9.8/doc/ssl/SSL_connect.pod vendor-crypto/openssl/dist-0.9.8/doc/ssl/SSL_do_handshake.pod vendor-crypto/openssl/dist-0.9.8/doc/ssl/SSL_shutdown.pod vendor-crypto/openssl/dist-0.9.8/openssl.spec vendor-crypto/openssl/dist-0.9.8/ssl/d1_both.c vendor-crypto/openssl/dist-0.9.8/ssl/d1_lib.c vendor-crypto/openssl/dist-0.9.8/ssl/d1_pkt.c vendor-crypto/openssl/dist-0.9.8/ssl/d1_srvr.c vendor-crypto/openssl/dist-0.9.8/ssl/s23_clnt.c vendor-crypto/openssl/dist-0.9.8/ssl/s3_cbc.c vendor-crypto/openssl/dist-0.9.8/ssl/s3_clnt.c vendor-crypto/openssl/dist-0.9.8/ssl/s3_enc.c vendor-crypto/openssl/dist-0.9.8/ssl/s3_lib.c vendor-crypto/openssl/dist-0.9.8/ssl/s3_pkt.c vendor-crypto/openssl/dist-0.9.8/ssl/s3_srvr.c vendor-crypto/openssl/dist-0.9.8/ssl/ssl.h vendor-crypto/openssl/dist-0.9.8/ssl/ssl3.h vendor-crypto/openssl/dist-0.9.8/ssl/ssl_err.c vendor-crypto/openssl/dist-0.9.8/ssl/ssl_lib.c vendor-crypto/openssl/dist-0.9.8/ssl/ssl_stat.c vendor-crypto/openssl/dist-0.9.8/ssl/ssltest.c vendor-crypto/openssl/dist-0.9.8/ssl/t1_enc.c 
vendor-crypto/openssl/dist-0.9.8/ssl/t1_lib.c vendor-crypto/openssl/dist-0.9.8/ssl/tls1.h vendor-crypto/openssl/dist-0.9.8/test/Makefile vendor-crypto/openssl/dist-0.9.8/test/cms-test.pl vendor-crypto/openssl/dist-0.9.8/test/mdc2test.c vendor-crypto/openssl/dist-0.9.8/test/testssl vendor-crypto/openssl/dist-0.9.8/util/libeay.num vendor-crypto/openssl/dist-0.9.8/util/pl/VC-32.pl Modified: vendor-crypto/openssl/dist-0.9.8/ACKNOWLEDGMENTS ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/ACKNOWLEDGMENTS Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/ACKNOWLEDGMENTS Fri Jun 6 21:38:34 2014 (r267190) @@ -10,13 +10,18 @@ OpenSSL project. We would like to identify and thank the following such sponsors for their past or current significant support of the OpenSSL project: +Major support: + + Qualys http://www.qualys.com/ + Very significant support: - OpenGear: www.opengear.com + OpenGear: http://www.opengear.com/ Significant support: - PSW Group: www.psw.net + PSW Group: http://www.psw.net/ + Acano Ltd. http://acano.com/ Please note that we ask permission to identify sponsors and that some sponsors we consider eligible for inclusion here have requested to remain anonymous. Modified: vendor-crypto/openssl/dist-0.9.8/CHANGES ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/CHANGES Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/CHANGES Fri Jun 6 21:38:34 2014 (r267190) 
@@ -2,6 +2,64 @@ OpenSSL CHANGES _______________ + Changes between 0.9.8y and 0.9.8za [5 Jun 2014] + + *) Fix for SSL/TLS MITM flaw. An attacker using a carefully crafted + handshake can force the use of weak keying material in OpenSSL + SSL/TLS clients and servers. + + Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and + researching this issue. (CVE-2014-0224) + [KIKUCHI Masashi, Steve Henson] + + *) Fix DTLS recursion flaw. By sending an invalid DTLS handshake to an + OpenSSL DTLS client the code can be made to recurse eventually crashing + in a DoS attack. + + Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue. + (CVE-2014-0221) + [Imre Rad, Steve Henson] + + *) Fix DTLS invalid fragment vulnerability. A buffer overrun attack can + be triggered by sending invalid DTLS fragments to an OpenSSL DTLS + client or server. This is potentially exploitable to run arbitrary + code on a vulnerable client or server. + + Thanks to J�ri Aedla for reporting this issue. (CVE-2014-0195) + [J�ri Aedla, Steve Henson] + + *) Fix bug in TLS code where clients enable anonymous ECDH ciphersuites + are subject to a denial of service attack. + + Thanks to Felix Gr�bert and Ivan Fratric at Google for discovering + this issue. (CVE-2014-3470) + [Felix Gr�bert, Ivan Fratric, Steve Henson] + + *) Fix for the attack described in the paper "Recovering OpenSSL + ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" + by Yuval Yarom and Naomi Benger. Details can be obtained from: + http://eprint.iacr.org/2014/140 + + Thanks to Yuval Yarom and Naomi Benger for discovering this + flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076) + [Yuval Yarom and Naomi Benger] + + Thanks to mancha for backporting the fix to the 0.9.8 branch. + + *) Fix handling of warning-level alerts in SSL23 client mode so they + don't cause client-side termination (eg. on SNI unrecognized_name + warnings). 
Add client and server support for six additional alerts + per RFC 6066 and RFC 4279. + [mancha] + + *) Add option SSL_OP_SAFARI_ECDHE_ECDSA_BUG (part of SSL_OP_ALL) which + avoids preferring ECDHE-ECDSA ciphers when the client appears to be + Safari on OS X. Safari on OS X 10.8..10.8.3 advertises support for + several ECDHE-ECDSA ciphers, but fails to negotiate them. The bug + is fixed in OS X 10.8.4, but Apple have ruled out both hot fixing + 10.8..10.8.3 and forcing users to upgrade to 10.8.4 or newer. + [Rob Stradling, Adam Langley] + Changes between 0.9.8x and 0.9.8y [5 Feb 2013] *) Make the decoding of SSLv3, TLS and DTLS CBC records constant time. Modified: vendor-crypto/openssl/dist-0.9.8/Configure ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/Configure Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/Configure Fri Jun 6 21:38:34 2014 (r267190) 
@@ -166,7 +166,7 @@ my %table=( "debug-ben-debug-noopt", "gcc:$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DDEBUG_SAFESTACK -ggdb3 -pipe::(unknown)::::::", "debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::", "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", -"debug-bodo", "gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -march=i486 -pedantic -Wshadow -Wall -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}", +"debug-bodo", "gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64", "debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll", "debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", "debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", Modified: vendor-crypto/openssl/dist-0.9.8/FAQ 
============================================================================== --- vendor-crypto/openssl/dist-0.9.8/FAQ Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/FAQ Fri Jun 6 21:38:34 2014 (r267190) @@ -87,7 +87,7 @@ OpenSSL 1.0.1d was released on Feb 5th, In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: -ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access. +ftp://ftp.openssl.org/snapshot/>, or get it by anonymous Git access. * Where is the documentation? @@ -768,6 +768,9 @@ openssl-secur...@openssl.org if you don' acknowledging receipt then resend or mail it directly to one of the more active team members (e.g. Steve). +Note that bugs only present in the openssl utility are not in general +considered to be security issues. + [PROG] ======================================================================== * Is OpenSSL thread-safe? Modified: vendor-crypto/openssl/dist-0.9.8/FREEBSD-upgrade ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/FREEBSD-upgrade Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/FREEBSD-upgrade Fri Jun 6 21:38:34 2014 (r267190) @@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/Subv # Xlist setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist setenv FSVN "svn+ssh://svn.freebsd.org/base" -setenv OSSLVER 0.9.8y -# OSSLTAG format: v0_9_8y +setenv OSSLVER 0.9.8za +# OSSLTAG format: v0_9_8za ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _` Modified: vendor-crypto/openssl/dist-0.9.8/Makefile ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/Makefile Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/Makefile Fri Jun 6 21:38:34 2014 (r267190) 
@@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=0.9.8y +VERSION=0.9.8za MAJOR=0 MINOR=9.8 SHLIB_VERSION_NUMBER=0.9.8 @@ -71,7 +71,7 @@ ARD=ar $(ARFLAGS) d RANLIB= /usr/bin/ranlib PERL= /usr/bin/perl TAR= tar -TARFLAGS= --no-recursion +TARFLAGS= --no-recursion --record-size=10240 MAKEDEPPROG=makedepend LIBDIR=lib Modified: vendor-crypto/openssl/dist-0.9.8/Makefile.org ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/Makefile.org Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/Makefile.org Fri Jun 6 21:38:34 2014 (r267190) @@ -69,7 +69,7 @@ ARD=ar $(ARFLAGS) d RANLIB= ranlib PERL= perl TAR= tar -TARFLAGS= --no-recursion +TARFLAGS= --no-recursion --record-size=10240 MAKEDEPPROG=makedepend LIBDIR=lib Modified: vendor-crypto/openssl/dist-0.9.8/NEWS ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/NEWS Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/NEWS Fri Jun 6 21:38:34 2014 (r267190) 
@@ -5,34 +5,44 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y: + Major changes between OpenSSL 0.9.8y and OpenSSL 0.9.8za [5 Jun 2014]: + + o Fix for CVE-2014-0224 + o Fix for CVE-2014-0221 + o Fix for CVE-2014-0195 + o Fix for CVE-2014-3470 + o Fix for CVE-2014-0076 + o Fix for CVE-2010-5298 + o Fix to TLS alert handling. + + Major changes between OpenSSL 0.9.8x and OpenSSL 0.9.8y [5 Feb 2013]: o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169 o Fix OCSP bad key DoS attack CVE-2013-0166 - Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x: + Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x [10 May 2012]: o Fix DTLS record length checking bug CVE-2012-2333 - Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w: + Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w [23 Apr 2012]: o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110) - Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v: + Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v [19 Apr 2012]: o Fix for ASN1 overflow bug CVE-2012-2110 - Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u: + Major changes between OpenSSL 0.9.8t and OpenSSL 0.9.8u [12 Mar 2012]: o Fix for CMS/PKCS#7 MMA CVE-2012-0884 o Corrected fix for CVE-2011-4619 o Various DTLS fixes. - Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t: + Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t [18 Jan 2012]: o Fix for DTLS DoS issue CVE-2012-0050 - Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s: + Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s [4 Jan 2012]: o Fix for DTLS plaintext recovery attack CVE-2011-4108 o Fix policy check double free error CVE-2011-4109 
@@ -40,20 +50,20 @@ o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619 o Check for malformed RFC3779 data CVE-2011-4577 - Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r: + Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r [8 Feb 2011]: o Fix for security issue CVE-2011-0014 - Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q: + Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q [2 Dec 2010]: o Fix for security issue CVE-2010-4180 o Fix for CVE-2010-4252 - Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p: + Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p [16 Nov 2010]: o Fix for security issue CVE-2010-3864. - Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o: + Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o [1 Jun 2010]: o Fix for security issue CVE-2010-0742. o Various DTLS fixes. @@ -61,12 +71,12 @@ o Fix for no-rc4 compilation. o Chil ENGINE unload workaround. - Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n: + Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]: o CFB cipher definition fixes. o Fix security issues CVE-2010-0740 and CVE-2010-0433. - Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m: + Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]: o Cipher definition fixes. o Workaround for slow RAND_poll() on some WIN32 versions. 
@@ -78,33 +88,33 @@ o Ticket and SNI coexistence fixes. o Many fixes to DTLS handling. - Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l: + Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]: o Temporary work around for CVE-2009-3555: disable renegotiation. - Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k: + Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]: o Fix various build issues. o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789) - Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j: + Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]: o Fix security issue (CVE-2008-5077) o Merge FIPS 140-2 branch code. - Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h: + Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]: o CryptoAPI ENGINE support. o Various precautionary measures. o Fix for bugs affecting certificate request creation. o Support for local machine keyset attribute in PKCS#12 files. - Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g: + Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]: o Backport of CMS functionality to 0.9.8. o Fixes for bugs introduced with 0.9.8f. - Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f: + Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]: o Add gcc 4.2 support. o Add support for AES and SSE2 assembly lanugauge optimization 
@@ -115,23 +125,23 @@ o RFC4507bis support. o TLS Extensions support. - Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e: + Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]: o Various ciphersuite selection fixes. o RFC3779 support. - Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d: + Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]: o Introduce limits to prevent malicious key DoS (CVE-2006-2940) o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343) o Changes to ciphersuite selection algorithm - Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c: + Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]: o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339 o New cipher Camellia - Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b: + Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]: o Cipher string fixes. o Fixes for VC++ 2005. @@ -141,12 +151,12 @@ o Built in dynamic engine compilation support on Win32. o Fixes auto dynamic engine loading in Win32. - Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a: + Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]: o Fix potential SSL 2.0 rollback, CVE-2005-2969 o Extended Windows CE support - Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8: + Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]: o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This 
@@ -220,36 +230,36 @@ o Added initial support for Win64. o Added alternate pkg-config files. - Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m: + Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]: o FIPS 1.1.1 module linking. o Various ciphersuite selection fixes. - Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l: + Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]: o Introduce limits to prevent malicious key DoS (CVE-2006-2940) o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343) - Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k: + Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]: o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339 - Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j: + Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]: o Visual C++ 2005 fixes. o Update Windows build system for FIPS. - Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i: + Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]: o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build. - Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h: + Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]: o Fix SSL 2.0 Rollback, CVE-2005-2969 o Allow use of fixed-length exponent on DSA signing o Default fixed-window RSA, DSA, DH private-key operations - Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g: + Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]: o More compilation issues fixed. o Adaptation to more modern Kerberos API. @@ -258,7 +268,7 @@ o More constification. o Added processing of proxy certificates (RFC 3820). - Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f: + Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]: o Several compilation issues fixed. o Many memory allocation failure checks added. 
@@ -266,12 +276,12 @@ o Mandatory basic checks on certificates. o Performance improvements. - Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e: + Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]: o Fix race condition in CRL checking code. o Fixes to PKCS#7 (S/MIME) code. - Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d: + Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]: o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug o Security: Fix null-pointer assignment in do_change_cipher_spec() @@ -279,14 +289,14 @@ o Multiple X509 verification fixes o Speed up HMAC and other operations - Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c: + Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]: o Security: fix various ASN1 parsing bugs. o New -ignore_err option to OCSP utility. o Various interop and bug fixes in S/MIME code. o SSL/TLS protocol fix for unrequested client certificates. - Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b: + Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]: o Security: counter the Klima-Pokorny-Rosa extension of Bleichbacher's attack @@ -297,7 +307,7 @@ o ASN.1: treat domainComponent correctly. o Documentation: fixes and additions. - Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a: + Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]: o Security: Important security related bugfixes. o Enhanced compatibility with MIT Kerberos. @@ -308,7 +318,7 @@ o SSL/TLS: now handles manual certificate chain building. o SSL/TLS: certain session ID malfunctions corrected. - Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7: + Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]: o New library section OCSP. o Complete rewrite of ASN1 code. 
@@ -354,23 +364,23 @@ o SSL/TLS: add callback to retrieve SSL/TLS messages. o SSL/TLS: support AES cipher suites (RFC3268). - Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k: + Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]: o Security: fix various ASN1 parsing bugs. o SSL/TLS protocol fix for unrequested client certificates. - Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j: + Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]: o Security: counter the Klima-Pokorny-Rosa extension of Bleichbacher's attack o Security: make RSA blinding default. o Build: shared library support fixes. - Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i: + Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]: o Important security related bugfixes. - Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h: + Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]: o New configuration targets for Tandem OSS and A/UX. o New OIDs for Microsoft attributes. 
@@ -384,25 +394,25 @@ o Fixes for smaller building problems. o Updates of manuals, FAQ and other instructive documents. - Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g: + Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]: o Important building fixes on Unix. - Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f: + Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]: o Various important bugfixes. - Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e: + Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]: o Important security related bugfixes. o Various SSL/TLS library bugfixes. - Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d: + Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]: o Various SSL/TLS library bugfixes. o Fix DH parameter generation for 'non-standard' generators. - Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c: + Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]: o Various SSL/TLS library bugfixes. o BIGNUM library fixes. @@ -415,7 +425,7 @@ Broadcom and Cryptographic Appliance's keyserver [in 0.9.6c-engine release]. - Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b: + Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]: o Security fix: PRNG improvements. o Security fix: RSA OAEP check. @@ -432,7 +442,7 @@ o Increase default size for BIO buffering filter. o Compatibility fixes in some scripts. - Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a: + Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]: o Security fix: change behavior of OpenSSL to avoid using environment variables when running as root. 
@@ -457,7 +467,7 @@ o New function BN_rand_range(). o Add "-rand" option to openssl s_client and s_server. - Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6: + Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]: o Some documentation for BIO and SSL libraries. o Enhanced chain verification using key identifiers. @@ -472,7 +482,7 @@ [1] The support for external crypto devices is currently a separate distribution. See the file README.ENGINE. - Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a: + Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]: o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 o Shared library support for HPUX and Solaris-gcc @@ -481,7 +491,7 @@ o New 'rand' application o New way to check for existence of algorithms from scripts - Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5: + Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]: o S/MIME support in new 'smime' command o Documentation for the OpenSSL command line application @@ -517,7 +527,7 @@ o Enhanced support for Alpha Linux o Experimental MacOS support - Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4: + Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]: o Transparent support for PKCS#8 format private keys: these are used by several software packages and are more secure than the standard @@ -528,7 +538,7 @@ o New pipe-like BIO that allows using the SSL library when actual I/O must be handled by the application (BIO pair) - Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3: + Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]: o Lots of enhancements and cleanups to the Configuration mechanism o RSA OEAP related fixes o Added `openssl ca -revoke' option for revoking a certificate 
@@ -542,7 +552,7 @@ o Sparc assembler bignum implementation, optimized hash functions o Option to disable selected ciphers - Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b: + Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]: o Fixed a security hole related to session resumption o Fixed RSA encryption routines for the p < q case o "ALL" in cipher lists now means "everything except NULL ciphers" @@ -564,7 +574,7 @@ o Lots of memory leak fixes. o Lots of bug fixes. - Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c: + Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]: o Integration of the popular NO_RSA/NO_DSA patches o Initial support for compression inside the SSL record layer o Added BIO proxy and filtering functionality Modified: vendor-crypto/openssl/dist-0.9.8/README ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/README Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/README Fri Jun 6 21:38:34 2014 (r267190) @@ -1,5 +1,5 @@ - OpenSSL 0.9.8y 5 Feb 2013 + OpenSSL 0.9.8za 5 Jun 2014 Copyright (c) 1998-2011 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson 
@@ -190,7 +190,7 @@ reason as to why that feature isn't implemented. Patches should be as up to date as possible, preferably relative to the - current CVS or the last snapshot. They should follow the coding style of + current Git or the last snapshot. They should follow the coding style of OpenSSL and compile without warnings. Some of the core team developer targets can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL compiles on many varied platforms: try to ensure you only use portable Modified: vendor-crypto/openssl/dist-0.9.8/apps/apps.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/apps/apps.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/apps/apps.c Fri Jun 6 21:38:34 2014 (r267190) @@ -558,12 +558,12 @@ int password_callback(char *buf, int buf if (ok >= 0) ok = UI_add_input_string(ui,prompt,ui_flags,buf, - PW_MIN_LENGTH,BUFSIZ-1); + PW_MIN_LENGTH,bufsiz-1); if (ok >= 0 && verify) { buff = (char *)OPENSSL_malloc(bufsiz); ok = UI_add_verify_string(ui,prompt,ui_flags,buff, - PW_MIN_LENGTH,BUFSIZ-1, buf); + PW_MIN_LENGTH,bufsiz-1, buf); } if (ok >= 0) do Modified: vendor-crypto/openssl/dist-0.9.8/apps/ocsp.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/apps/ocsp.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/apps/ocsp.c Fri Jun 6 21:38:34 2014 (r267190) @@ -98,6 +98,7 @@ int MAIN(int argc, char **argv) ENGINE *e = NULL; char **args; char *host = NULL, *port = NULL, *path = "/"; + char *thost = NULL, *tport = NULL, *tpath = NULL; char *reqin = NULL, *respin = NULL; char *reqout = NULL, *respout = NULL; char *signfile = NULL, *keyfile = NULL; 
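Review bot: In the apps.c hunk, the verify branch of password_callback hands `buff` to UI_add_verify_string() immediately after `buff = (char *)OPENSSL_malloc(bufsiz);` without testing the result, so a failed allocation passes a null result buffer to the UI layer. The commit corrects the length bound to `bufsiz-1` but leaves this unchecked. A guard such as `if (buff == NULL) ok = -1; else ok = UI_add_verify_string(ui,prompt,ui_flags,buff,PW_MIN_LENGTH,bufsiz-1, buf);` would keep the failure on the existing `ok` path. How a negative `ok` is reported, and where `buff` is wiped and freed, lies outside the hunk and should be confirmed against the rest of the function.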
@@ -173,6 +174,12 @@ int MAIN(int argc, char **argv) } else if (!strcmp(*args, "-url")) { + if (thost) + OPENSSL_free(thost); + if (tport) + OPENSSL_free(tport); + if (tpath) + OPENSSL_free(tpath); if (args[1]) { args++; @@ -181,6 +188,9 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, "Error parsing URL\n"); badarg = 1; } + thost = host; + tport = port; + tpath = path; } else badarg = 1; } @@ -871,12 +881,12 @@ end: sk_X509_pop_free(sign_other, X509_free); sk_X509_pop_free(verify_other, X509_free); - if (use_ssl != -1) - { - OPENSSL_free(host); - OPENSSL_free(port); - OPENSSL_free(path); - } + if (thost) + OPENSSL_free(thost); + if (tport) + OPENSSL_free(tport); + if (tpath) + OPENSSL_free(tpath); OPENSSL_EXIT(ret); } Modified: vendor-crypto/openssl/dist-0.9.8/apps/req.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/apps/req.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/apps/req.c Fri Jun 6 21:38:34 2014 (r267190) @@ -1574,7 +1574,13 @@ start: #ifdef CHARSET_EBCDIC ebcdic2ascii(buf, buf, i); #endif - if(!req_check_len(i, n_min, n_max)) goto start; + if(!req_check_len(i, n_min, n_max)) + { + if (batch || value) + return 0; + goto start; + } + if (!X509_NAME_add_entry_by_NID(n,nid, chtype, (unsigned char *) buf, -1,-1,mval)) goto err; ret=1; @@ -1633,7 +1639,12 @@ start: #ifdef CHARSET_EBCDIC ebcdic2ascii(buf, buf, i); #endif - if(!req_check_len(i, n_min, n_max)) goto start; + if(!req_check_len(i, n_min, n_max)) + { + if (batch || value) + return 0; + goto start; + } if(!X509_REQ_add1_attr_by_NID(req, nid, chtype, (unsigned char *)buf, -1)) { Modified: vendor-crypto/openssl/dist-0.9.8/apps/s_cb.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/apps/s_cb.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/apps/s_cb.c Fri Jun 6 21:38:34 2014 (r267190) 
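Review bot: The `-url` branch in ocsp.c frees `thost`, `tport` and `tpath` without resetting them, and the `else badarg = 1;` path (no argument after `-url`) leaves them pointing at freed memory. If the bad-argument path reaches `end:`, the frees added there would release the same blocks a second time whenever `-url` appears more than once. Clearing each pointer right after its free, e.g. `OPENSSL_free(thost); thost = NULL;`, removes that window. The assignments `thost = host;` and its siblings also run when OCSP_parse_url() fails, so they rely on that function leaving its output pointers in a state that is safe to free later; this is not visible here and is worth confirming. MAIN begins and ends outside these hunks.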
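Review bot: The early return added in both req.c hunks carries no comment explaining why a failed length check stops retrying when `batch` or `value` is set. A line such as `/* input is not read interactively here, so jumping back to start: cannot obtain a different value */` would record the intent, presumably avoiding an endless retry. The first hunk's function also has an `err` path (`goto err` is visible two lines later), so it is worth checking that `return 0` does not skip any cleanup done there. Both functions start outside the hunks.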
@@ -518,6 +518,24 @@ void MS_CALLBACK msg_cb(int write_p, int case 100: str_details2 = " no_renegotiation"; break; + case 110: + str_details2 = " unsupported_extension"; + break; + case 111: + str_details2 = " certificate_unobtainable"; + break; + case 112: + str_details2 = " unrecognized_name"; + break; + case 113: + str_details2 = " bad_certificate_status_response"; + break; + case 114: + str_details2 = " bad_certificate_hash_value"; + break; + case 115: + str_details2 = " unknown_psk_identity"; + break; } } } Modified: vendor-crypto/openssl/dist-0.9.8/apps/smime.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/apps/smime.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/apps/smime.c Fri Jun 6 21:38:34 2014 (r267190) @@ -521,8 +521,8 @@ int MAIN(int argc, char **argv) { if (!cipher) { -#ifndef OPENSSL_NO_RC2 - cipher = EVP_rc2_40_cbc(); +#ifndef OPENSSL_NO_DES + cipher = EVP_des_ede3_cbc(); #else BIO_printf(bio_err, "No cipher selected\n"); goto end; Modified: vendor-crypto/openssl/dist-0.9.8/crypto/asn1/a_int.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/crypto/asn1/a_int.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/crypto/asn1/a_int.c Fri Jun 6 21:38:34 2014 (r267190) @@ -116,7 +116,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, un int pad=0,ret,i,neg; unsigned char *p,*n,pb=0; - if ((a == NULL) || (a->data == NULL)) return(0); + if (a == NULL) return(0); neg=a->type & V_ASN1_NEG; if (a->length == 0) ret=1; Modified: vendor-crypto/openssl/dist-0.9.8/crypto/asn1/a_strnid.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/crypto/asn1/a_strnid.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/crypto/asn1/a_strnid.c Fri Jun 6 21:38:34 2014 (r267190) 
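Review bot: In crypto/asn1/a_int.c `i2c_ASN1_INTEGER`, dropping the `a->data == NULL` test means the function now depends on `a->length` being 0 whenever `a->data` is NULL, and nothing in the visible lines enforces that. The `a->length == 0` arm only sets `ret=1`, but the non-zero arm is outside the hunk and presumably reads `a->data`. A comment at the check would record the assumption, e.g. `/* a->data may be NULL only if a->length == 0 */`. A defensive `if (a->length != 0 && a->data == NULL) return(0);` would keep a malformed structure from reaching the dereference.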
@@ -75,7 +75,7 @@ static int table_cmp(const void *a, cons * certain software (e.g. Netscape) has problems with them. */ -static unsigned long global_mask = 0xFFFFFFFFL; +static unsigned long global_mask = B_ASN1_UTF8STRING; void ASN1_STRING_set_default_mask(unsigned long mask) { Modified: vendor-crypto/openssl/dist-0.9.8/crypto/asn1/t_pkey.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/crypto/asn1/t_pkey.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/crypto/asn1/t_pkey.c Fri Jun 6 21:38:34 2014 (r267190) @@ -208,11 +208,6 @@ int DSA_print(BIO *bp, const DSA *x, int if (x->p) buf_len = (size_t)BN_num_bytes(x->p); - else - { - DSAerr(DSA_F_DSA_PRINT,DSA_R_MISSING_PARAMETERS); - goto err; - } if (x->q) if (buf_len < (i = (size_t)BN_num_bytes(x->q))) buf_len = i; Modified: vendor-crypto/openssl/dist-0.9.8/crypto/bn/bn.h ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/crypto/bn/bn.h Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/crypto/bn/bn.h Fri Jun 6 21:38:34 2014 (r267190) @@ -511,6 +511,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret, BIGNUM *BN_mod_sqrt(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx); +void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords); + /* Deprecated versions */ #ifndef OPENSSL_NO_DEPRECATED BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe, 
@@ -740,11 +742,20 @@ int RAND_pseudo_bytes(unsigned char *buf #define bn_fix_top(a) bn_check_top(a) +#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2) +#define bn_wcheck_size(bn, words) \ + do { \ + const BIGNUM *_bnum2 = (bn); \ + assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \ + } while(0) + #else /* !BN_DEBUG */ #define bn_pollute(a) #define bn_check_top(a) #define bn_fix_top(a) bn_correct_top(a) +#define bn_check_size(bn, bits) +#define bn_wcheck_size(bn, words) #endif Modified: vendor-crypto/openssl/dist-0.9.8/crypto/bn/bn_lib.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/crypto/bn/bn_lib.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/crypto/bn/bn_lib.c Fri Jun 6 21:38:34 2014 (r267190) 
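Review bot: The new `bn_check_size` and `bn_wcheck_size` macros in crypto/bn/bn.h use their `bits` and `words` parameters unparenthesized, and `words` is expanded twice inside the `assert`. An argument containing a lower-precedence operator, or one with side effects, would be mis-evaluated. Writing `bn_wcheck_size(bn, ((bits)+BN_BITS2-1)/BN_BITS2)` and `assert((words) <= (_bnum2)->dmax && (words) >= (_bnum2)->top);` fixes the precedence part. Both macros expand to nothing in the `!BN_DEBUG` branch, so they document a precondition rather than enforce it in normal builds, and a short comment saying so would help callers. The surrounding `BN_DEBUG` conditional begins outside the hunk.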
@@ -824,3 +824,55 @@ int bn_cmp_part_words(const BN_ULONG *a,
 }
 return bn_cmp_words(a,b,cl);
 }
+
+/*
+ * Constant-time conditional swap of a and b.
+ * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set.
+ * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b,
+ * and that no more than nwords are used by either a or b.
+ * a and b cannot be the same number
+ */
+void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
+ {
+ BN_ULONG t;
+ int i;
+
+ bn_wcheck_size(a, nwords);
+ bn_wcheck_size(b, nwords);
+
+ assert(a != b);
+ assert((condition & (condition - 1)) == 0);
+ assert(sizeof(BN_ULONG) >= sizeof(int));
+
+ condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
+
+ t = (a->top^b->top) & condition;
+ a->top ^= t;
+ b->top ^= t;
+
+#define BN_CONSTTIME_SWAP(ind) \
+ do { \
+ t = (a->d[ind] ^ b->d[ind]) & condition; \
+ a->d[ind] ^= t; \
+ b->d[ind] ^= t; \
+ } while (0)
+
+
+ switch (nwords) {
+ default:
+ for (i = 10; i < nwords; i++)
+ BN_CONSTTIME_SWAP(i);
+ /* Fallthrough */
+ case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
+ case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
+ case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
+ case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
+ case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
+ case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
+ case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
+ case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
+ case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
+ case 1: BN_CONSTTIME_SWAP(0);
+ }
+#undef BN_CONSTTIME_SWAP
+}
Modified: vendor-crypto/openssl/dist-0.9.8/crypto/bn/bn_mont.c
==============================================================================
--- vendor-crypto/openssl/dist-0.9.8/crypto/bn/bn_mont.c Fri Jun 6 21:00:19 2014 (r267189)
+++ vendor-crypto/openssl/dist-0.9.8/crypto/bn/bn_mont.c Fri Jun 6 21:38:34 2014 (r267190)
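Review bot: In crypto/bn/bn_lib.c `BN_consttime_swap`, a value of `nwords` below 1 lands on `default:`, skips the loop and falls through all ten `case` labels, so `d[0]` to `d[9]` of both numbers are read and written although the caller promised no such words. The `bn_wcheck_size` checks pass for `nwords == 0` when `top` is 0, and per the bn.h hunk they compile to nothing outside `BN_DEBUG` builds. Since `nwords` is not secret, an early `if (nwords <= 0) return;` before the `switch` does not affect the constant-time property; at minimum the header comment should state that `nwords` must be at least 1. The comment could also say that only `top` and `d[]` are exchanged, not `neg`, so callers know the sign stays with the original object.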
@@ -701,32 +701,38 @@ BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CT BN_MONT_CTX *BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, const BIGNUM *mod, BN_CTX *ctx) { - int got_write_lock = 0; BN_MONT_CTX *ret; CRYPTO_r_lock(lock); - if (!*pmont) + ret = *pmont; + CRYPTO_r_unlock(lock); + if (ret) + return ret; + + /* We don't want to serialise globally while doing our lazy-init math in + * BN_MONT_CTX_set. That punishes threads that are doing independent + * things. Instead, punish the case where more than one thread tries to + * lazy-init the same 'pmont', by having each do the lazy-init math work + * independently and only use the one from the thread that wins the race + * (the losers throw away the work they've done). */ + ret = BN_MONT_CTX_new(); + if (!ret) + return NULL; + if (!BN_MONT_CTX_set(ret, mod, ctx)) { - CRYPTO_r_unlock(lock); - CRYPTO_w_lock(lock); - got_write_lock = 1; + BN_MONT_CTX_free(ret); + return NULL; + } - if (!*pmont) - { - ret = BN_MONT_CTX_new(); - if (ret && !BN_MONT_CTX_set(ret, mod, ctx)) - BN_MONT_CTX_free(ret); - else - *pmont = ret; - } + /* The locked compare-and-set, after the local work is done. */ + CRYPTO_w_lock(lock); + if (*pmont) + { + BN_MONT_CTX_free(ret); + ret = *pmont; } - - ret = *pmont; - - if (got_write_lock) - CRYPTO_w_unlock(lock); else - CRYPTO_r_unlock(lock); - + *pmont = ret; + CRYPTO_w_unlock(lock); return ret; } Modified: vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_cd.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_cd.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_cd.c Fri Jun 6 21:38:34 2014 (r267190) 
@@ -58,7 +58,9 @@ #include <openssl/err.h> #include <openssl/cms.h> #include <openssl/bio.h> +#ifndef OPENSSL_NO_COMP #include <openssl/comp.h> +#endif #include "cms_lcl.h" DECLARE_ASN1_ITEM(CMS_CompressedData) Modified: vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_env.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_env.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_env.c Fri Jun 6 21:38:34 2014 (r267190) @@ -185,6 +185,8 @@ CMS_RecipientInfo *CMS_add1_recipient_ce if (flags & CMS_USE_KEYID) { ktri->version = 2; + if (env->version < 2) + env->version = 2; type = CMS_RECIPINFO_KEYIDENTIFIER; } else Modified: vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_lib.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_lib.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_lib.c Fri Jun 6 21:38:34 2014 (r267190) @@ -477,8 +477,6 @@ int CMS_add0_cert(CMS_ContentInfo *cms, pcerts = cms_get0_certificate_choices(cms); if (!pcerts) return 0; - if (!pcerts) - return 0; for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) { cch = sk_CMS_CertificateChoices_value(*pcerts, i); Modified: vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_sd.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_sd.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_sd.c Fri Jun 6 21:38:34 2014 (r267190) 
@@ -157,8 +157,8 @@ static void cms_sd_set_version(CMS_Signe if (sd->version < 3) sd->version = 3; } - else - sd->version = 1; + else if (si->version < 1) + si->version = 1; } if (sd->version < 1) Modified: vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_smime.c ============================================================================== --- vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_smime.c Fri Jun 6 21:00:19 2014 (r267189) +++ vendor-crypto/openssl/dist-0.9.8/crypto/cms/cms_smime.c Fri Jun 6 21:38:34 2014 (r267190) @@ -622,7 +622,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInf STACK_OF(CMS_RecipientInfo) *ris; CMS_RecipientInfo *ri; int i, r; - int debug = 0; + int debug = 0, ri_match = 0; ris = CMS_get0_RecipientInfos(cms); if (ris) debug = cms->d.envelopedData->encryptedContentInfo->debug; @@ -631,6 +631,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInf ri = sk_CMS_RecipientInfo_value(ris, i); if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_TRANS) continue; + ri_match = 1; /* If we have a cert try matching RecipientInfo * otherwise try them all. */ @@ -666,7 +667,7 @@ int CMS_decrypt_set1_pkey(CMS_ContentInf } } *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***