src - FreeBSD source tree

diff options


context:
space:
mode:

author	Jung-uk Kim <jkim@FreeBSD.org>	2016-09-26 14:13:11 +0000
committer	Jung-uk Kim <jkim@FreeBSD.org>	2016-09-26 14:13:11 +0000
commit	e656c34a188598ebce6423c4fbc4860921d41be4 (patch)
tree	fd5089019665f3f3650638863afd64c274108bfe
parent	e1b483878d9824c63d376895da633b0b96fbbaed (diff)
download	src-e656c34a188598ebce6423c4fbc4860921d41be4.tar.gz src-e656c34a188598ebce6423c4fbc4860921d41be4.zip

Import OpenSSL 1.0.2j.vendor/openssl/1.0.2j

Notes

Notes: svn path=/vendor-crypto/openssl/dist/; revision=306340 svn path=/vendor-crypto/openssl/1.0.2j/; revision=306341; tag=vendor/openssl/1.0.2j

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

-rw-r--r--

crypto/engine/eng_cryptodev.c

-rw-r--r--

crypto/opensslv.h

-rw-r--r--

crypto/x509/x509_vfy.c

-rw-r--r--

ssl/t1_ext.c

9 files changed, 28 insertions, 10 deletions

diff --git a/CHANGES b/CHANGES
index 4bdd39064655..042afe37246c 100644
--- a/CHANGES
+++ b/CHANGES

@@ -2,6 +2,18 @@

OpenSSL CHANGES

_______________

+ Changes between 1.0.2i and 1.0.2j [26 Sep 2016]

+ *) Missing CRL sanity check

+ A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0

+ but was omitted from OpenSSL 1.0.2i. As a result any attempt to use

+ CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.

+ This issue only affects the OpenSSL 1.0.2i

+ (CVE-2016-7052)

+ [Matt Caswell]

Changes between 1.0.2h and 1.0.2i [22 Sep 2016]

*) OCSP Status Request extension unbounded memory growth

diff --git a/FREEBSD-upgrade b/FREEBSD-upgrade
index 8259537bc150..03b02f8b77d6 100644
--- a/FREEBSD-upgrade
+++ b/FREEBSD-upgrade

@@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/VendorImports

# Xlist

setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist

setenv FSVN "svn+ssh://repo.freebsd.org/base"

-setenv OSSLVER 1.0.2i

-# OSSLTAG format: v1_0_2i

+setenv OSSLVER 1.0.2j

+# OSSLTAG format: v1_0_2j

###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`

diff --git a/Makefile b/Makefile
index 58daaa5548ce..04bfb11a1701 100644
--- a/Makefile
+++ b/Makefile

@@ -4,7 +4,7 @@

## Makefile for OpenSSL

-VERSION=1.0.2i

+VERSION=1.0.2j

MAJOR=1

MINOR=0.2

SHLIB_VERSION_NUMBER=1.0.0

diff --git a/NEWS b/NEWS
index 5a652841cfcd..c0579632b2eb 100644
--- a/NEWS
+++ b/NEWS

@@ -5,6 +5,10 @@

This file gives a brief overview of the major changes between each OpenSSL

release. For more details please read the CHANGES file.

+ Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016]

+ o Fix Use After Free for large message sizes (CVE-2016-6309)

Major changes between OpenSSL 1.0.2h and OpenSSL 1.0.2i [22 Sep 2016]

o OCSP Status Request extension unbounded memory growth (CVE-2016-6304)

diff --git a/README b/README
index 70d4ddd93bea..6dedfc019738 100644
--- a/README
+++ b/README

@@ -1,5 +1,5 @@

- OpenSSL 1.0.2i 22 Sep 2016

+ OpenSSL 1.0.2j 26 Sep 2016

diff --git a/crypto/engine/eng_cryptodev.c b/crypto/engine/eng_cryptodev.c
index 65a74df2362e..2a2b95ce837e 100644
--- a/crypto/engine/eng_cryptodev.c
+++ b/crypto/engine/eng_cryptodev.c

@@ -939,7 +939,7 @@ static int cryptodev_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)

if (fstate->mac_len != 0) {

if (fstate->mac_data != NULL) {

dstate->mac_data = OPENSSL_malloc(fstate->mac_len);

- if (dstate->ac_data == NULL) {

+ if (dstate->mac_data == NULL) {

printf("cryptodev_digest_init: malloc failed\n");

return 0;

}

diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index 2f585f0e0480..88faad652259 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h

@@ -30,11 +30,11 @@ extern "C" {

* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for

* major minor fix final patch/beta)

-# define OPENSSL_VERSION_NUMBER 0x1000209fL

+# define OPENSSL_VERSION_NUMBER 0x100020afL

# ifdef OPENSSL_FIPS

-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2i-fips 22 Sep 2016"

+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2j-fips 26 Sep 2016"

# else

-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2i 22 Sep 2016"

+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2j 26 Sep 2016"

# endif

# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 8334b3fcff7f..b1472018baf7 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c

@@ -1124,10 +1124,10 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,

crl = sk_X509_CRL_value(crls, i);

reasons = *preasons;

crl_score = get_crl_score(ctx, &crl_issuer, &reasons, crl, x);

- if (crl_score < best_score)

+ if (crl_score < best_score || crl_score == 0)

continue;

/* If current CRL is equivalent use it if it is newer */

- if (crl_score == best_score) {

+ if (crl_score == best_score && best_crl != NULL) {

int day, sec;

if (ASN1_TIME_diff(&day, &sec, X509_CRL_get_lastUpdate(best_crl),

X509_CRL_get_lastUpdate(crl)) == 0)

diff --git a/ssl/t1_ext.c b/ssl/t1_ext.c
index 724ddf76acb3..79ed946a5142 100644
--- a/ssl/t1_ext.c
+++ b/ssl/t1_ext.c

@@ -275,7 +275,9 @@ int SSL_extension_supported(unsigned int ext_type)

case TLSEXT_TYPE_ec_point_formats:

case TLSEXT_TYPE_elliptic_curves:

case TLSEXT_TYPE_heartbeat:

+# ifndef OPENSSL_NO_NEXTPROTONEG

case TLSEXT_TYPE_next_proto_neg:

+# endif

case TLSEXT_TYPE_padding:

case TLSEXT_TYPE_renegotiate:

case TLSEXT_TYPE_server_name: