Source-Changes-HG archive


[src/trunk]: src/crypto/external/bsd/openssl/dist merge conflicts



details:   https://anonhg.NetBSD.org/src/rev/9ad065a072e0
branches:  trunk
changeset: 339277:9ad065a072e0
user:      christos <christos%NetBSD.org@localhost>
date:      Thu Jul 09 14:31:01 2015 +0000

description:
merge conflicts

diffstat:

 crypto/external/bsd/openssl/dist/CHANGES                 |   15 +
 crypto/external/bsd/openssl/dist/Makefile                |   13 +-
 crypto/external/bsd/openssl/dist/NEWS                    |    4 +
 crypto/external/bsd/openssl/dist/README                  |    2 +-
 crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c      |    2 +-
 crypto/external/bsd/openssl/dist/crypto/opensslconf.h    |    2 +-
 crypto/external/bsd/openssl/dist/crypto/opensslv.h       |    6 +-
 crypto/external/bsd/openssl/dist/crypto/threads/mttest.c |  350 +++++++-------
 crypto/external/bsd/openssl/dist/crypto/x509/x509_vfy.c  |   26 +-
 crypto/external/bsd/openssl/dist/openssl.spec            |    2 +-
 crypto/external/bsd/openssl/dist/ssl/s3_clnt.c           |   17 +-
 crypto/external/bsd/openssl/dist/ssl/s3_srvr.c           |    2 +-
 crypto/external/bsd/openssl/dist/test/Makefile           |   31 +-
 crypto/external/bsd/openssl/dist/test/testssl            |   19 +-
 14 files changed, 266 insertions(+), 225 deletions(-)

diffs (truncated from 1151 to 300 lines):

diff -r 04893f85fab1 -r 9ad065a072e0 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES  Thu Jul 09 14:15:22 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES  Thu Jul 09 14:31:01 2015 +0000
@@ -2,6 +2,21 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
+
+  *) Alternate chains certificate forgery
+
+     During certificate verfification, OpenSSL will attempt to find an
+     alternative certificate chain if the first attempt to build such a chain
+     fails. An error in the implementation of this logic can mean that an
+     attacker could cause certain checks on untrusted certificates to be
+     bypassed, such as the CA flag, enabling them to use a valid leaf
+     certificate to act as a CA and "issue" an invalid certificate.
+
+     This issue was reported to OpenSSL by Adam Langley/David Benjamin
+     (Google/BoringSSL).
+     [Matt Caswell]
+
  Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
 
   *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
diff -r 04893f85fab1 -r 9ad065a072e0 crypto/external/bsd/openssl/dist/Makefile
--- a/crypto/external/bsd/openssl/dist/Makefile Thu Jul 09 14:15:22 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile Thu Jul 09 14:31:01 2015 +0000
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.1o
+VERSION=1.0.1p
 MAJOR=1
 MINOR=0.1
 SHLIB_VERSION_NUMBER=1.0.0
@@ -270,6 +270,7 @@
        @[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 
 sub_all: build_all
+
 build_all: build_libs build_apps build_tests build_tools
 
 build_libs: build_libcrypto build_libssl openssl.pc
@@ -279,15 +280,15 @@
 
 build_crypto:
        @dir=crypto; target=all; $(BUILD_ONE_CMD)
-build_ssl:
+build_ssl: build_crypto
        @dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines:
+build_engines: build_crypto
        @dir=engines; target=all; $(BUILD_ONE_CMD)
-build_apps:
+build_apps: build_libs
        @dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests:
+build_tests: build_libs
        @dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools:
+build_tools: build_libs
        @dir=tools; target=all; $(BUILD_ONE_CMD)
 
 all_testapps: build_libs build_testapps
diff -r 04893f85fab1 -r 9ad065a072e0 crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS     Thu Jul 09 14:15:22 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS     Thu Jul 09 14:31:01 2015 +0000
@@ -5,6 +5,10 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.1o and OpenSSL 1.0.1p [9 Jul 2015]
+
+      o Alternate chains certificate forgery (CVE-2015-1793)
+
   Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015]
 
       o Fix HMAC ABI incompatibility
diff -r 04893f85fab1 -r 9ad065a072e0 crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README   Thu Jul 09 14:15:22 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/README   Thu Jul 09 14:31:01 2015 +0000
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1o 12 Jun 2015
+ OpenSSL 1.0.1p 9 Jul 2015
 
  Copyright (c) 1998-2011 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r 04893f85fab1 -r 9ad065a072e0 crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c
--- a/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c       Thu Jul 09 14:15:22 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/evp/e_aes.c       Thu Jul 09 14:31:01 2015 +0000
@@ -1146,7 +1146,7 @@
     case EVP_CTRL_CCM_SET_TAG:
         if ((arg & 1) || arg < 4 || arg > 16)
             return 0;
-        if ((c->encrypt && ptr) || (!c->encrypt && !ptr))
+        if (c->encrypt && ptr)
             return 0;
         if (ptr) {
             cctx->tag_set = 1;
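Review bot: The relaxed guard `if (c->encrypt && ptr)` lets a decrypting context reach `EVP_CTRL_CCM_SET_TAG` with a NULL `ptr`, and nothing in the hunk documents why that is allowed. With a NULL `ptr` the `if (ptr)` branch is skipped, so `cctx->tag_set` is not set here. Whether the decrypt path later refuses to run without a tag cannot be seen from this hunk, because the rest of the `case` and the cipher routine lie outside it, and that should be confirmed. A comment above the check would make the contract explicit, for example `/* decrypt with NULL ptr sets only the tag length; the expected tag must still be supplied before decrypting */`.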
diff -r 04893f85fab1 -r 9ad065a072e0 crypto/external/bsd/openssl/dist/crypto/opensslconf.h
--- a/crypto/external/bsd/openssl/dist/crypto/opensslconf.h     Thu Jul 09 14:15:22 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/opensslconf.h     Thu Jul 09 14:31:01 2015 +0000
@@ -203,7 +203,7 @@
 #endif
 
 #if defined(DES_RISC1) && defined(DES_RISC2)
-YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#error YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
 #endif
 
 /* Unroll the inner loop, this sometimes helps, sometimes hinders.
diff -r 04893f85fab1 -r 9ad065a072e0 crypto/external/bsd/openssl/dist/crypto/opensslv.h
--- a/crypto/external/bsd/openssl/dist/crypto/opensslv.h        Thu Jul 09 14:15:22 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/opensslv.h        Thu Jul 09 14:31:01 2015 +0000
@@ -30,11 +30,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x100010ffL
+# define OPENSSL_VERSION_NUMBER  0x1000110fL
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1o-fips 12 Jun 2015"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1p-fips 9 Jul 2015"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1o 12 Jun 2015"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1p 9 Jul 2015"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff -r 04893f85fab1 -r 9ad065a072e0 crypto/external/bsd/openssl/dist/crypto/threads/mttest.c
--- a/crypto/external/bsd/openssl/dist/crypto/threads/mttest.c  Thu Jul 09 14:15:22 2015 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/threads/mttest.c  Thu Jul 09 14:31:01 2015 +0000
@@ -56,7 +56,6 @@
  * [including the GNU Public Licence.]
  */
 
-#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
@@ -92,11 +91,6 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 
-#ifdef OPENSSL_NO_FP_API
-# define APPS_WIN16
-# include "../buffer/bss_file.c"
-#endif
-
 #ifdef OPENSSL_SYS_NETWARE
 # define TEST_SERVER_CERT "/openssl/apps/server.pem"
 # define TEST_CLIENT_CERT "/openssl/apps/client.pem"
@@ -107,23 +101,23 @@
 
 #define MAX_THREAD_NUMBER       100
 
-int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *xs);
+int verify_callback(int ok, X509_STORE_CTX *xs);
 void thread_setup(void);
 void thread_cleanup(void);
 void do_threads(SSL_CTX *s_ctx, SSL_CTX *c_ctx);
 
-void irix_locking_callback(int mode, int type, char *file, int line);
-void solaris_locking_callback(int mode, int type, char *file, int line);
-void win32_locking_callback(int mode, int type, char *file, int line);
-void pthreads_locking_callback(int mode, int type, char *file, int line);
-void netware_locking_callback(int mode, int type, char *file, int line);
+void irix_locking_callback(int mode, int type, const char *file, int line);
+void solaris_locking_callback(int mode, int type, const char *file, int line);
+void win32_locking_callback(int mode, int type, const char *file, int line);
+void pthreads_locking_callback(int mode, int type, const char *file, int line);
+void netware_locking_callback(int mode, int type, const char *file, int line);
 void beos_locking_callback(int mode, int type, const char *file, int line);
 
-unsigned long irix_thread_id(void);
-unsigned long solaris_thread_id(void);
-unsigned long pthreads_thread_id(void);
-unsigned long netware_thread_id(void);
-unsigned long beos_thread_id(void);
+void irix_thread_id(CRYPTO_THREADID *tid);
+void solaris_thread_id(CRYPTO_THREADID *tid);
+void pthreads_thread_id(CRYPTO_THREADID *tid);
+void netware_thread_id(CRYPTO_THREADID *tid);
+void beos_thread_id(CRYPTO_THREADID *tid);
 
 #if defined(OPENSSL_SYS_NETWARE)
 static MPKMutex *lock_cs;
@@ -149,39 +143,39 @@
     "string to make the random number generator think it has entropy";
 
 int doit(char *ctx[4]);
-static void print_stats(FILE *fp, SSL_CTX *ctx)
+static void print_stats(BIO *bio, SSL_CTX *ctx)
 {
-    fprintf(fp, "%4ld items in the session cache\n",
-            SSL_CTX_sess_number(ctx));
-    fprintf(fp, "%4ld client connects (SSL_connect())\n",
-            SSL_CTX_sess_connect(ctx));
-    fprintf(fp, "%4ld client connects that finished\n",
-            SSL_CTX_sess_connect_good(ctx));
-    fprintf(fp, "%4ld server connects (SSL_accept())\n",
-            SSL_CTX_sess_accept(ctx));
-    fprintf(fp, "%4ld server connects that finished\n",
-            SSL_CTX_sess_accept_good(ctx));
-    fprintf(fp, "%4ld session cache hits\n", SSL_CTX_sess_hits(ctx));
-    fprintf(fp, "%4ld session cache misses\n", SSL_CTX_sess_misses(ctx));
-    fprintf(fp, "%4ld session cache timeouts\n", SSL_CTX_sess_timeouts(ctx));
+    BIO_printf(bio, "%4ld items in the session cache\n",
+              SSL_CTX_sess_number(ctx));
+    BIO_printf(bio, "%4ld client connects (SSL_connect())\n",
+              SSL_CTX_sess_connect(ctx));
+    BIO_printf(bio, "%4ld client connects that finished\n",
+              SSL_CTX_sess_connect_good(ctx));
+    BIO_printf(bio, "%4ld server connects (SSL_accept())\n",
+              SSL_CTX_sess_accept(ctx));
+    BIO_printf(bio, "%4ld server connects that finished\n",
+              SSL_CTX_sess_accept_good(ctx));
+    BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ctx));
+    BIO_printf(bio, "%4ld session cache misses\n", SSL_CTX_sess_misses(ctx));
+    BIO_printf(bio, "%4ld session cache timeouts\n", SSL_CTX_sess_timeouts(ctx));
 }
 
 static void sv_usage(void)
 {
-    fprintf(stderr, "usage: ssltest [args ...]\n");
-    fprintf(stderr, "\n");
-    fprintf(stderr, " -server_auth  - check server certificate\n");
-    fprintf(stderr, " -client_auth  - do client authentication\n");
-    fprintf(stderr, " -v            - more output\n");
-    fprintf(stderr, " -CApath arg   - PEM format directory of CA's\n");
-    fprintf(stderr, " -CAfile arg   - PEM format file of CA's\n");
-    fprintf(stderr, " -threads arg  - number of threads\n");
-    fprintf(stderr, " -loops arg    - number of 'connections', per thread\n");
-    fprintf(stderr, " -reconnect    - reuse session-id's\n");
-    fprintf(stderr, " -stats        - server session-id cache stats\n");
-    fprintf(stderr, " -cert arg     - server certificate/key\n");
-    fprintf(stderr, " -ccert arg    - client certificate/key\n");
-    fprintf(stderr, " -ssl3         - just SSLv3n\n");
+    BIO_printf(bio_err, "usage: ssltest [args ...]\n");
+    BIO_printf(bio_err, "\n");
+    BIO_printf(bio_err, " -server_auth  - check server certificate\n");
+    BIO_printf(bio_err, " -client_auth  - do client authentication\n");
+    BIO_printf(bio_err, " -v            - more output\n");
+    BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
+    BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
+    BIO_printf(bio_err, " -threads arg  - number of threads\n");
+    BIO_printf(bio_err, " -loops arg    - number of 'connections', per thread\n");
+    BIO_printf(bio_err, " -reconnect    - reuse session-id's\n");
+    BIO_printf(bio_err, " -stats        - server session-id cache stats\n");
+    BIO_printf(bio_err, " -cert arg     - server certificate/key\n");
+    BIO_printf(bio_err, " -ccert arg    - client certificate/key\n");
+    BIO_printf(bio_err, " -ssl3         - just SSLv3n\n");
 }
 
 int main(int argc, char *argv[])
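Review bot: The usage text in `sv_usage()` was carried over to `BIO_printf` with its old wording defects. The first line still reads `"usage: ssltest [args ...]\n"` although this file is mttest.c, and the last option ends in `"just SSLv3n\n"`, which looks like a stray `n` before the newline. Since every line of the function is being rewritten anyway, I would change these to `"usage: mttest [args ...]\n"` and `" -ssl3         - just SSLv3\n"`. `sv_usage()` also now depends on the global `bio_err` being initialised before it is called, which deserves a one-line comment above the function.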
@@ -200,9 +194,9 @@
     RAND_seed(rnd_seed, sizeof rnd_seed);
 
     if (bio_err == NULL)
-        bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+        bio_err = BIO_new_fd(2, BIO_NOCLOSE);
     if (bio_stdout == NULL)
-        bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE);
+        bio_stdout = BIO_new_fd(1, BIO_NOCLOSE);
     argc--;
     argv++;
 
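Review bot: The results of the new `BIO_new_fd(2, BIO_NOCLOSE)` and `BIO_new_fd(1, BIO_NOCLOSE)` calls are not checked, and every diagnostic in this file now goes through `bio_err` instead of `stderr`. If either allocation fails, later `BIO_printf(bio_err, ...)` calls would presumably produce no output, so a failing test run could look silent. A check such as `if (bio_err == NULL || bio_stdout == NULL) return 1;` after the two assignments would make that failure visible. The bare descriptor numbers would also read better with a short comment, `/* 2 = stderr, 1 = stdout; stdio is no longer used here */`. The body of `main` starts and continues outside this hunk.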
@@ -250,7 +244,7 @@
             if (number_of_loops == 0)
                 number_of_loops = 1;
         } else {
-            fprintf(stderr, "unknown option %s\n", *argv);
+            BIO_printf(bio_err, "unknown option %s\n", *argv);
             badop = 1;
             break;
         }
@@ -284,9 +278,12 @@
                                    SSL_SESS_CACHE_SERVER);
 
     if (!SSL_CTX_use_certificate_file(s_ctx, scert, SSL_FILETYPE_PEM)) {
+        BIO_printf(bio_err, "SSL_CTX_use_certificate_file (%s)\n", scert);
         ERR_print_errors(bio_err);
+        goto end;
     } else
         if (!SSL_CTX_use_RSAPrivateKey_file(s_ctx, scert, SSL_FILETYPE_PEM)) {
+        BIO_printf(bio_err, "SSL_CTX_use_RSAPrivateKey_file (%s)\n", scert);
         ERR_print_errors(bio_err);
         goto end;
     }
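Review bot: The `} else` that follows the added `goto end;` is now redundant, because the first branch no longer falls through to the private-key load. The two checks read more clearly as sequential statements: close the first block with `}` and start the second with a plain `if (!SSL_CTX_use_RSAPrivateKey_file(s_ctx, scert, SSL_FILETYPE_PEM)) {`, which also fixes the odd indentation of the second body. The added messages name only the failing call and the file, so appending ` failed` (as in `"SSL_CTX_use_certificate_file (%s) failed\n"`) would make the test log unambiguous. The enclosing function starts and ends outside this hunk.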
@@ -300,19 +297,19 @@
         (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
         (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
         (!SSL_CTX_set_default_verify_paths(c_ctx))) {
-        fprintf(stderr, "SSL_load_verify_locations\n");
+        BIO_printf(bio_err, "SSL_load_verify_locations\n");
         ERR_print_errors(bio_err);
         goto end;


