svn commit: r298991 - in vendor-crypto/openssl/dist: . apps crypto crypto/aes/asm crypto/asn1 crypto/bn/asm crypto/comp crypto/evp crypto/modes/asm crypto/pem crypto/perlasm crypto/sha/asm crypto/x...

Jung-uk Kim jkim at FreeBSD.org
Tue May 3 18:00:31 UTC 2016


Author: jkim
Date: Tue May  3 18:00:27 2016
New Revision: 298991
URL: https://svnweb.freebsd.org/changeset/base/298991

Log:
  Import OpenSSL 1.0.2h.

Added:
  vendor-crypto/openssl/dist/doc/crypto/EVP_EncodeInit.pod
  vendor-crypto/openssl/dist/doc/ssl/SSL_CTX_set_alpn_select_cb.pod
Modified:
  vendor-crypto/openssl/dist/CHANGES
  vendor-crypto/openssl/dist/FREEBSD-upgrade
  vendor-crypto/openssl/dist/Makefile
  vendor-crypto/openssl/dist/NEWS
  vendor-crypto/openssl/dist/README
  vendor-crypto/openssl/dist/apps/pkcs7.c
  vendor-crypto/openssl/dist/crypto/aes/asm/aes-ppc.pl
  vendor-crypto/openssl/dist/crypto/aes/asm/aes-s390x.pl
  vendor-crypto/openssl/dist/crypto/asn1/a_bytes.c
  vendor-crypto/openssl/dist/crypto/asn1/a_d2i_fp.c
  vendor-crypto/openssl/dist/crypto/asn1/a_type.c
  vendor-crypto/openssl/dist/crypto/asn1/asn1_lib.c
  vendor-crypto/openssl/dist/crypto/asn1/asn1_par.c
  vendor-crypto/openssl/dist/crypto/asn1/t_x509.c
  vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c
  vendor-crypto/openssl/dist/crypto/asn1/tasn_enc.c
  vendor-crypto/openssl/dist/crypto/asn1/x_name.c
  vendor-crypto/openssl/dist/crypto/asn1/x_x509.c
  vendor-crypto/openssl/dist/crypto/bn/asm/ppc-mont.pl
  vendor-crypto/openssl/dist/crypto/bn/asm/ppc.pl
  vendor-crypto/openssl/dist/crypto/bn/asm/ppc64-mont.pl
  vendor-crypto/openssl/dist/crypto/bn/asm/x86-mont.pl
  vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont.pl
  vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont5.pl
  vendor-crypto/openssl/dist/crypto/comp/comp.h
  vendor-crypto/openssl/dist/crypto/evp/Makefile
  vendor-crypto/openssl/dist/crypto/evp/digest.c
  vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c
  vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha256.c
  vendor-crypto/openssl/dist/crypto/evp/encode.c
  vendor-crypto/openssl/dist/crypto/evp/evp_enc.c
  vendor-crypto/openssl/dist/crypto/modes/asm/ghash-s390x.pl
  vendor-crypto/openssl/dist/crypto/opensslv.h
  vendor-crypto/openssl/dist/crypto/pem/pem_lib.c
  vendor-crypto/openssl/dist/crypto/pem/pvkfmt.c
  vendor-crypto/openssl/dist/crypto/perlasm/x86_64-xlate.pl
  vendor-crypto/openssl/dist/crypto/s390xcpuid.S
  vendor-crypto/openssl/dist/crypto/sha/asm/sha1-ppc.pl
  vendor-crypto/openssl/dist/crypto/sha/asm/sha1-s390x.pl
  vendor-crypto/openssl/dist/crypto/sha/asm/sha512-ppc.pl
  vendor-crypto/openssl/dist/crypto/sha/asm/sha512-s390x.pl
  vendor-crypto/openssl/dist/crypto/x509/x509.h
  vendor-crypto/openssl/dist/crypto/x509/x509_err.c
  vendor-crypto/openssl/dist/crypto/x509/x509_obj.c
  vendor-crypto/openssl/dist/doc/apps/ciphers.pod
  vendor-crypto/openssl/dist/doc/apps/ocsp.pod
  vendor-crypto/openssl/dist/doc/crypto/evp.pod
  vendor-crypto/openssl/dist/doc/ssl/SSL_CTX_use_serverinfo.pod
  vendor-crypto/openssl/dist/ssl/d1_both.c
  vendor-crypto/openssl/dist/ssl/s2_lib.c
  vendor-crypto/openssl/dist/ssl/s2_meth.c
  vendor-crypto/openssl/dist/ssl/s3_clnt.c
  vendor-crypto/openssl/dist/ssl/s3_lib.c
  vendor-crypto/openssl/dist/ssl/ssl.h
  vendor-crypto/openssl/dist/ssl/ssl_cert.c
  vendor-crypto/openssl/dist/ssl/ssl_ciph.c
  vendor-crypto/openssl/dist/ssl/ssl_lib.c
  vendor-crypto/openssl/dist/ssl/ssl_locl.h
  vendor-crypto/openssl/dist/ssl/ssl_rsa.c
  vendor-crypto/openssl/dist/ssl/ssltest.c
  vendor-crypto/openssl/dist/ssl/t1_lib.c
  vendor-crypto/openssl/dist/util/libeay.num
  vendor-crypto/openssl/dist/util/mk1mf.pl
  vendor-crypto/openssl/dist/util/mkdef.pl
  vendor-crypto/openssl/dist/util/shlib_wrap.sh
  vendor-crypto/openssl/dist/util/ssleay.num

Modified: vendor-crypto/openssl/dist/CHANGES
==============================================================================
--- vendor-crypto/openssl/dist/CHANGES	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/CHANGES	Tue May  3 18:00:27 2016	(r298991)
@@ -2,6 +2,103 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.2g and 1.0.2h [3 May 2016]
+
+  *) Prevent padding oracle in AES-NI CBC MAC check
+
+     A MITM attacker can use a padding oracle attack to decrypt traffic
+     when the connection uses an AES CBC cipher and the server support
+     AES-NI.
+
+     This issue was introduced as part of the fix for Lucky 13 padding
+     attack (CVE-2013-0169). The padding check was rewritten to be in
+     constant time by making sure that always the same bytes are read and
+     compared against either the MAC or padding bytes. But it no longer
+     checked that there was enough data to have both the MAC and padding
+     bytes.
+
+     This issue was reported by Juraj Somorovsky using TLS-Attacker.
+     (CVE-2016-2107)
+     [Kurt Roeckx]
+
+  *) Fix EVP_EncodeUpdate overflow
+
+     An overflow can occur in the EVP_EncodeUpdate() function which is used for
+     Base64 encoding of binary data. If an attacker is able to supply very large
+     amounts of input data then a length check can overflow resulting in a heap
+     corruption.
+
+     Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+     the PEM_write_bio* family of functions. These are mainly used within the
+     OpenSSL command line applications, so any application which processes data
+     from an untrusted source and outputs it as a PEM file should be considered
+     vulnerable to this issue. User applications that call these APIs directly
+     with large amounts of untrusted data may also be vulnerable.
+
+     This issue was reported by Guido Vranken.
+     (CVE-2016-2105)
+     [Matt Caswell]
+
+  *) Fix EVP_EncryptUpdate overflow
+
+     An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+     is able to supply very large amounts of input data after a previous call to
+     EVP_EncryptUpdate() with a partial block then a length check can overflow
+     resulting in a heap corruption. Following an analysis of all OpenSSL
+     internal usage of the EVP_EncryptUpdate() function all usage is one of two
+     forms. The first form is where the EVP_EncryptUpdate() call is known to be
+     the first called function after an EVP_EncryptInit(), and therefore that
+     specific call must be safe. The second form is where the length passed to
+     EVP_EncryptUpdate() can be seen from the code to be some small value and
+     therefore there is no possibility of an overflow. Since all instances are
+     one of these two forms, it is believed that there can be no overflows in
+     internal code due to this problem. It should be noted that
+     EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
+     Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
+     of these calls have also been analysed too and it is believed there are no
+     instances in internal usage where an overflow could occur.
+
+     This issue was reported by Guido Vranken.
+     (CVE-2016-2106)
+     [Matt Caswell]
+
+  *) Prevent ASN.1 BIO excessive memory allocation
+
+     When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+     a short invalid encoding can casuse allocation of large amounts of memory
+     potentially consuming excessive resources or exhausting memory.
+
+     Any application parsing untrusted data through d2i BIO functions is
+     affected. The memory based functions such as d2i_X509() are *not* affected.
+     Since the memory based functions are used by the TLS library, TLS
+     applications are not affected.
+
+     This issue was reported by Brian Carpenter.
+     (CVE-2016-2109)
+     [Stephen Henson]
+
+  *) EBCDIC overread
+
+     ASN1 Strings that are over 1024 bytes can cause an overread in applications
+     using the X509_NAME_oneline() function on EBCDIC systems. This could result
+     in arbitrary stack data being returned in the buffer.
+
+     This issue was reported by Guido Vranken.
+     (CVE-2016-2176)
+     [Matt Caswell]
+
+  *) Modify behavior of ALPN to invoke callback after SNI/servername
+     callback, such that updates to the SSL_CTX affect ALPN.
+     [Todd Short]
+
+  *) Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
+     default.
+     [Kurt Roeckx]
+
+  *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+     methods are enabled and ssl2 is disabled the methods return NULL.
+     [Kurt Roeckx]
+
  Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
 
   * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.

Modified: vendor-crypto/openssl/dist/FREEBSD-upgrade
==============================================================================
--- vendor-crypto/openssl/dist/FREEBSD-upgrade	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/FREEBSD-upgrade	Tue May  3 18:00:27 2016	(r298991)
@@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/Subv
 # Xlist
 setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
 setenv FSVN "svn+ssh://repo.freebsd.org/base"
-setenv OSSLVER 1.0.2f
-# OSSLTAG format: v1_0_2f
+setenv OSSLVER 1.0.2h
+# OSSLTAG format: v1_0_2h
 
 ###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
 

Modified: vendor-crypto/openssl/dist/Makefile
==============================================================================
--- vendor-crypto/openssl/dist/Makefile	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/Makefile	Tue May  3 18:00:27 2016	(r298991)
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.2g
+VERSION=1.0.2h
 MAJOR=1
 MINOR=0.2
 SHLIB_VERSION_NUMBER=1.0.0

Modified: vendor-crypto/openssl/dist/NEWS
==============================================================================
--- vendor-crypto/openssl/dist/NEWS	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/NEWS	Tue May  3 18:00:27 2016	(r298991)
@@ -5,6 +5,19 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
+
+      o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
+      o Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
+      o Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
+      o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
+      o EBCDIC overread (CVE-2016-2176)
+      o Modify behavior of ALPN to invoke callback after SNI/servername
+        callback, such that updates to the SSL_CTX affect ALPN.
+      o Remove LOW from the DEFAULT cipher list.  This removes singles DES from
+        the default.
+      o Only remove the SSLv2 methods with the no-ssl2-method option.
+
   Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
 
       o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.

Modified: vendor-crypto/openssl/dist/README
==============================================================================
--- vendor-crypto/openssl/dist/README	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/README	Tue May  3 18:00:27 2016	(r298991)
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.2g 1 Mar 2016
+ OpenSSL 1.0.2h 3 May 2016
 
  Copyright (c) 1998-2015 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

Modified: vendor-crypto/openssl/dist/apps/pkcs7.c
==============================================================================
--- vendor-crypto/openssl/dist/apps/pkcs7.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/apps/pkcs7.c	Tue May  3 18:00:27 2016	(r298991)
@@ -235,12 +235,16 @@ int MAIN(int argc, char **argv)
         i = OBJ_obj2nid(p7->type);
         switch (i) {
         case NID_pkcs7_signed:
-            certs = p7->d.sign->cert;
-            crls = p7->d.sign->crl;
+            if (p7->d.sign != NULL) {
+                certs = p7->d.sign->cert;
+                crls = p7->d.sign->crl;
+            }
             break;
         case NID_pkcs7_signedAndEnveloped:
-            certs = p7->d.signed_and_enveloped->cert;
-            crls = p7->d.signed_and_enveloped->crl;
+            if (p7->d.signed_and_enveloped != NULL) {
+                certs = p7->d.signed_and_enveloped->cert;
+                crls = p7->d.signed_and_enveloped->crl;
+            }
             break;
         default:
             break;

Modified: vendor-crypto/openssl/dist/crypto/aes/asm/aes-ppc.pl
==============================================================================
--- vendor-crypto/openssl/dist/crypto/aes/asm/aes-ppc.pl	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/aes/asm/aes-ppc.pl	Tue May  3 18:00:27 2016	(r298991)
@@ -590,7 +590,7 @@ Lenc_loop:
 	xor	$s2,$t2,$acc14
 	xor	$s3,$t3,$acc15
 	addi	$key,$key,16
-	bdnz-	Lenc_loop
+	bdnz	Lenc_loop
 
 	addi	$Tbl2,$Tbl0,2048
 	nop
@@ -1068,7 +1068,7 @@ Ldec_loop:
 	xor	$s2,$t2,$acc14
 	xor	$s3,$t3,$acc15
 	addi	$key,$key,16
-	bdnz-	Ldec_loop
+	bdnz	Ldec_loop
 
 	addi	$Tbl2,$Tbl0,2048
 	nop

Modified: vendor-crypto/openssl/dist/crypto/aes/asm/aes-s390x.pl
==============================================================================
--- vendor-crypto/openssl/dist/crypto/aes/asm/aes-s390x.pl	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/aes/asm/aes-s390x.pl	Tue May  3 18:00:27 2016	(r298991)
@@ -818,13 +818,9 @@ $code.=<<___ if (!$softonly);
 	tmhl	%r0,0x4000	# check for message-security assist
 	jz	.Lekey_internal
 
-	lghi	%r0,0		# query capability vector
-	la	%r1,16($sp)
-	.long	0xb92f0042	# kmc %r4,%r2
-
-	llihh	%r1,0x8000
-	srlg	%r1,%r1,0(%r5)
-	ng	%r1,16($sp)
+	llihh	%r0,0x8000
+	srlg	%r0,%r0,0(%r5)
+	ng	%r0,48(%r1)	# check kmc capability vector
 	jz	.Lekey_internal
 
 	lmg	%r0,%r1,0($inp)	# just copy 128 bits...
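Review bot: The new `ng %r0,48(%r1)` assumes %r1 already points at OPENSSL_s390xcap_P, but unlike the kmctr and xts hunks below this one carries no `larl %r1,OPENSSL_s390xcap_P`; presumably the load happens before the `tmhl` above, outside the hunk, and a comment such as `# %r1 -> OPENSSL_s390xcap_P (loaded above)` would make that dependency visible. The offsets 32/48/64 used across the file as the km/kmc/kmctr capability words are magic numbers tied to the layout of the 80-byte `.comm` at the end of the file and to s390xcpuid.S; a one-line comment naming that layout next to the `.comm` would keep them in sync. The enclosing key-setup routine starts outside the hunk.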
@@ -1444,13 +1440,10 @@ $code.=<<___ if (0);	######### kmctr cod
 
 	llgfr	$s0,%r0
 	lgr	$s1,%r1
-	lghi	%r0,0
-	la	%r1,16($sp)
-	.long	0xb92d2042	# kmctr %r4,%r2,%r2
-
+	larl	%r1,OPENSSL_s390xcap_P
 	llihh	%r0,0x8000	# check if kmctr supports the function code
 	srlg	%r0,%r0,0($s0)
-	ng	%r0,16($sp)
+	ng	%r0,64(%r1)	# check kmctr capability vector
 	lgr	%r0,$s0
 	lgr	%r1,$s1
 	jz	.Lctr32_km_loop
@@ -1597,12 +1590,10 @@ $code.=<<___ if(1);
 	llgfr	$s0,%r0			# put aside the function code
 	lghi	$s1,0x7f
 	nr	$s1,%r0
-	lghi	%r0,0			# query capability vector
-	la	%r1,$tweak-16($sp)
-	.long	0xb92e0042		# km %r4,%r2
-	llihh	%r1,0x8000
-	srlg	%r1,%r1,32($s1)		# check for 32+function code
-	ng	%r1,$tweak-16($sp)
+	larl	%r1,OPENSSL_s390xcap_P
+	llihh	%r0,0x8000
+	srlg	%r0,%r0,32($s1)		# check for 32+function code
+	ng	%r0,32(%r1)		# check km capability vector
 	lgr	%r0,$s0			# restore the function code
 	la	%r1,0($key1)		# restore $key1
 	jz	.Lxts_km_vanilla
@@ -2229,7 +2220,7 @@ ___
 }
 $code.=<<___;
 .string	"AES for s390x, CRYPTOGAMS by <appro\@openssl.org>"
-.comm	OPENSSL_s390xcap_P,16,8
+.comm	OPENSSL_s390xcap_P,80,8
 ___
 
 $code =~ s/\`([^\`]*)\`/eval $1/gem;

Modified: vendor-crypto/openssl/dist/crypto/asn1/a_bytes.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/a_bytes.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/asn1/a_bytes.c	Tue May  3 18:00:27 2016	(r298991)
@@ -200,13 +200,13 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING 
     } else {
         if (len != 0) {
             if ((ret->length < len) || (ret->data == NULL)) {
-                if (ret->data != NULL)
-                    OPENSSL_free(ret->data);
                 s = (unsigned char *)OPENSSL_malloc((int)len + 1);
                 if (s == NULL) {
                     i = ERR_R_MALLOC_FAILURE;
                     goto err;
                 }
+                if (ret->data != NULL)
+                    OPENSSL_free(ret->data);
             } else
                 s = ret->data;
             memcpy(s, p, (int)len);
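Review bot: The reorder removes the dangling `ret->data` on malloc failure, but both `OPENSSL_malloc((int)len + 1)` and `memcpy(s, p, (int)len)` still narrow `len` to int; if `len` can exceed INT_MAX here (it is a long from the length decoder and no upper bound is visible in this hunk), the allocation would be far smaller than the copy. A guard before the allocation, `if (len > INT_MAX) { i = ASN1_R_TOO_LONG; goto err; }`, closes that gap, using the same INT_MAX limit a_d2i_fp.c already applies. d2i_ASN1_bytes starts and ends outside the hunk.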

Modified: vendor-crypto/openssl/dist/crypto/asn1/a_d2i_fp.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/a_d2i_fp.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/asn1/a_d2i_fp.c	Tue May  3 18:00:27 2016	(r298991)
@@ -141,6 +141,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *
 #endif
 
 #define HEADER_SIZE   8
+#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
 static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 {
     BUF_MEM *b;
@@ -217,29 +218,44 @@ static int asn1_d2i_read_bio(BIO *in, BU
             /* suck in c.slen bytes of data */
             want = c.slen;
             if (want > (len - off)) {
+                size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
+
                 want -= (len - off);
                 if (want > INT_MAX /* BIO_read takes an int length */  ||
                     len + want < len) {
                     ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG);
                     goto err;
                 }
-                if (!BUF_MEM_grow_clean(b, len + want)) {
-                    ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
-                    goto err;
-                }
                 while (want > 0) {
-                    i = BIO_read(in, &(b->data[len]), want);
-                    if (i <= 0) {
-                        ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
-                                ASN1_R_NOT_ENOUGH_DATA);
+                    /*
+                     * Read content in chunks of increasing size
+                     * so we can return an error for EOF without
+                     * having to allocate the entire content length
+                     * in one go.
+                     */
+                    size_t chunk = want > chunk_max ? chunk_max : want;
+
+                    if (!BUF_MEM_grow_clean(b, len + chunk)) {
+                        ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
                         goto err;
                     }
+                    want -= chunk;
+                    while (chunk > 0) {
+                        i = BIO_read(in, &(b->data[len]), chunk);
+                        if (i <= 0) {
+                            ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
+                                    ASN1_R_NOT_ENOUGH_DATA);
+                            goto err;
+                        }
                     /*
                      * This can't overflow because |len+want| didn't
                      * overflow.
                      */
-                    len += i;
-                    want -= i;
+                        len += i;
+                        chunk -= i;
+                    }
+                    if (chunk_max < INT_MAX/2)
+                        chunk_max *= 2;
                 }
             }
             if (off + c.slen < off) {
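Review bot: The comment `This can't overflow because |len+want| didn't overflow` at the bottom of the inner loop is left at the old indentation and refers to `want`, which has already been reduced by `chunk` at that point; the claim still holds because `len + chunk <= original len + want`, but it should say so and move with the loop: `/* Cannot overflow: len + chunk <= the original len + want, checked above. */`. Minor: `i` is int while `chunk` is size_t, so `chunk -= i` mixes signedness; since `chunk <= chunk_max < INT_MAX`, an explicit `(int)chunk` in the BIO_read call would document that the narrowing is safe. asn1_d2i_read_bio starts and ends outside the hunk.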

Modified: vendor-crypto/openssl/dist/crypto/asn1/a_type.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/a_type.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/asn1/a_type.c	Tue May  3 18:00:27 2016	(r298991)
@@ -126,9 +126,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, co
         result = 0;             /* They do not have content. */
         break;
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
     case V_ASN1_BIT_STRING:
     case V_ASN1_OCTET_STRING:
     case V_ASN1_SEQUENCE:
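Review bot: Dropping the `V_ASN1_NEG_INTEGER` and `V_ASN1_NEG_ENUMERATED` cases sends any ASN1_TYPE carrying those type values to the switch's default branch, which lies outside the hunk; presumably they are ASN1_INTEGER-internal sign markers rather than types an ASN1_TYPE should ever hold (the same cases are removed from tasn_dec.c and tasn_enc.c in this import), but nothing here says so. A comment on the remaining `case V_ASN1_INTEGER:` line, such as `/* NEG_INTEGER/NEG_ENUMERATED are internal ASN1_INTEGER sign flags, never valid ASN1_TYPE types */`, would stop the next maintainer from adding them back. ASN1_TYPE_cmp starts and ends outside the hunk.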

Modified: vendor-crypto/openssl/dist/crypto/asn1/asn1_lib.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/asn1_lib.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/asn1/asn1_lib.c	Tue May  3 18:00:27 2016	(r298991)
@@ -63,7 +63,7 @@
 #include <openssl/asn1_mac.h>
 
 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
-                           int max);
+                           long max);
 static void asn1_put_length(unsigned char **pp, int length);
 const char ASN1_version[] = "ASN.1" OPENSSL_VERSION_PTEXT;
 
@@ -131,7 +131,7 @@ int ASN1_get_object(const unsigned char 
     }
     *ptag = tag;
     *pclass = xclass;
-    if (!asn1_get_length(&p, &inf, plength, (int)max))
+    if (!asn1_get_length(&p, &inf, plength, max))
         goto err;
 
     if (inf && !(ret & V_ASN1_CONSTRUCTED))
@@ -159,14 +159,14 @@ int ASN1_get_object(const unsigned char 
 }
 
 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
-                           int max)
+                           long max)
 {
     const unsigned char *p = *pp;
     unsigned long ret = 0;
-    unsigned int i;
+    unsigned long i;
 
     if (max-- < 1)
-        return (0);
+        return 0;
     if (*p == 0x80) {
         *inf = 1;
         ret = 0;
@@ -175,15 +175,11 @@ static int asn1_get_length(const unsigne
         *inf = 0;
         i = *p & 0x7f;
         if (*(p++) & 0x80) {
-            if (i > sizeof(long))
+            if (i > sizeof(ret) || max < (long)i)
                 return 0;
-            if (max-- == 0)
-                return (0);
             while (i-- > 0) {
                 ret <<= 8L;
                 ret |= *(p++);
-                if (max-- == 0)
-                    return (0);
             }
         } else
             ret = i;
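Review bot: The combined check `i > sizeof(ret) || max < (long)i` replaces the per-byte `max--` tests, so correctness now rests on `max` having been decremented exactly once for the first length octet above; a comment stating that invariant would help: `/* i length octets must fit in ret and be present in the max bytes remaining after the first octet */`. Non-minimal long-form lengths (e.g. 0x81 0x05) are still accepted, which is fine for BER but means DER minimality is not enforced here — worth a one-line remark if that is intentional. asn1_get_length continues past the hunk.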
@@ -192,7 +188,7 @@ static int asn1_get_length(const unsigne
         return 0;
     *pp = p;
     *rl = (long)ret;
-    return (1);
+    return 1;
 }
 
 /*

Modified: vendor-crypto/openssl/dist/crypto/asn1/asn1_par.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/asn1_par.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/asn1/asn1_par.c	Tue May  3 18:00:27 2016	(r298991)
@@ -173,6 +173,8 @@ static int asn1_parse2(BIO *bp, const un
         if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0))
             goto end;
         if (j & V_ASN1_CONSTRUCTED) {
+            const unsigned char *sp;
+
             ep = p + len;
             if (BIO_write(bp, "\n", 1) <= 0)
                 goto end;
@@ -182,6 +184,7 @@ static int asn1_parse2(BIO *bp, const un
                 goto end;
             }
             if ((j == 0x21) && (len == 0)) {
+                sp = p;
                 for (;;) {
                     r = asn1_parse2(bp, &p, (long)(tot - p),
                                     offset + (p - *pp), depth + 1,
@@ -190,19 +193,25 @@ static int asn1_parse2(BIO *bp, const un
                         ret = 0;
                         goto end;
                     }
-                    if ((r == 2) || (p >= tot))
+                    if ((r == 2) || (p >= tot)) {
+                        len = p - sp;
                         break;
+                    }
                 }
-            } else
+            } else {
+                long tmp = len;
+
                 while (p < ep) {
-                    r = asn1_parse2(bp, &p, (long)len,
-                                    offset + (p - *pp), depth + 1,
+                    sp = p;
+                    r = asn1_parse2(bp, &p, tmp, offset + (p - *pp), depth + 1,
                                     indent, dump);
                     if (r == 0) {
                         ret = 0;
                         goto end;
                     }
+                    tmp -= p - sp;
                 }
+            }
         } else if (xclass != 0) {
             p += len;
             if (BIO_write(bp, "\n", 1) <= 0)

Modified: vendor-crypto/openssl/dist/crypto/asn1/t_x509.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/t_x509.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/asn1/t_x509.c	Tue May  3 18:00:27 2016	(r298991)
@@ -140,7 +140,8 @@ int X509_print_ex(BIO *bp, X509 *x, unsi
             goto err;
 
         bs = X509_get_serialNumber(x);
-        if (bs->length <= (int)sizeof(long)) {
+        if (bs->length < (int)sizeof(long)
+            || (bs->length == sizeof(long) && (bs->data[0] & 0x80) == 0)) {
             l = ASN1_INTEGER_get(bs);
             if (bs->type == V_ASN1_NEG_INTEGER) {
                 l = -l;
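Review bot: The new condition encodes a non-obvious limit of ASN1_INTEGER_get() — a magnitude of exactly sizeof(long) bytes only fits when its top bit is clear — and deserves a comment on the `if`: `/* Use ASN1_INTEGER_get() only when the magnitude fits in a long; larger serials take the hex path below */`. The hex fallback it refers to is below the hunk, as is the rest of X509_print_ex.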

Modified: vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/asn1/tasn_dec.c	Tue May  3 18:00:27 2016	(r298991)
@@ -901,9 +901,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const
         break;
 
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
         tint = (ASN1_INTEGER **)pval;
         if (!c2i_ASN1_INTEGER(tint, &cont, len))
             goto err;

Modified: vendor-crypto/openssl/dist/crypto/asn1/tasn_enc.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/tasn_enc.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/asn1/tasn_enc.c	Tue May  3 18:00:27 2016	(r298991)
@@ -611,9 +611,7 @@ int asn1_ex_i2c(ASN1_VALUE **pval, unsig
         break;
 
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
         /*
          * These are all have the same content format as ASN1_INTEGER
          */

Modified: vendor-crypto/openssl/dist/crypto/asn1/x_name.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/x_name.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/asn1/x_name.c	Tue May  3 18:00:27 2016	(r298991)
@@ -66,6 +66,13 @@
 typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY;
 DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY)
 
+/*
+ * Maximum length of X509_NAME: much larger than anything we should
+ * ever see in practice.
+ */
+
+#define X509_NAME_MAX (1024 * 1024)
+
 static int x509_name_ex_d2i(ASN1_VALUE **val,
                             const unsigned char **in, long len,
                             const ASN1_ITEM *it,
@@ -192,6 +199,10 @@ static int x509_name_ex_d2i(ASN1_VALUE *
     int i, j, ret;
     STACK_OF(X509_NAME_ENTRY) *entries;
     X509_NAME_ENTRY *entry;
+    if (len > X509_NAME_MAX) {
+        ASN1err(ASN1_F_X509_NAME_EX_D2I, ASN1_R_TOO_LONG);
+        return 0;
+    }
     q = p;
 
     /* Get internal representation of Name */

Modified: vendor-crypto/openssl/dist/crypto/asn1/x_x509.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/asn1/x_x509.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/asn1/x_x509.c	Tue May  3 18:00:27 2016	(r298991)
@@ -201,10 +201,20 @@ X509 *d2i_X509_AUX(X509 **a, const unsig
 
 int i2d_X509_AUX(X509 *a, unsigned char **pp)
 {
-    int length;
+    int length, tmplen;
+    unsigned char *start = pp != NULL ? *pp : NULL;
     length = i2d_X509(a, pp);
-    if (a)
-        length += i2d_X509_CERT_AUX(a->aux, pp);
+    if (length < 0 || a == NULL)
+        return length;
+
+    tmplen = i2d_X509_CERT_AUX(a->aux, pp);
+    if (tmplen < 0) {
+        if (start != NULL)
+            *pp = start;
+        return tmplen;
+    }
+    length += tmplen;
+
     return length;
 }
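Review bot: `start` is captured and restored on failure, but the allocate-on-demand convention other i2d functions support (`pp != NULL && *pp == NULL`) is not handled: if i2d_X509 allocates a buffer and sets `*pp` to its start in that mode, the following i2d_X509_CERT_AUX call would write the aux data over the beginning of the certificate encoding rather than after it — I cannot see i2d_X509's behaviour from here, so please confirm. If that mode is not meant to be supported, say so on the function: `/* *pp == NULL (allocate) mode is not supported: both parts must go into one caller-provided buffer */`; otherwise compute both lengths with NULL first, allocate once, and encode into the result.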
 

Modified: vendor-crypto/openssl/dist/crypto/bn/asm/ppc-mont.pl
==============================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/ppc-mont.pl	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/ppc-mont.pl	Tue May  3 18:00:27 2016	(r298991)
@@ -191,7 +191,7 @@ L1st:
 
 	addi	$j,$j,$BNSZ	; j++
 	addi	$tp,$tp,$BNSZ	; tp++
-	bdnz-	L1st
+	bdnz	L1st
 ;L1st
 	addc	$lo0,$alo,$hi0
 	addze	$hi0,$ahi
@@ -253,7 +253,7 @@ Linner:
 	addze	$hi1,$hi1
 	$ST	$lo1,0($tp)	; tp[j-1]
 	addi	$tp,$tp,$BNSZ	; tp++
-	bdnz-	Linner
+	bdnz	Linner
 ;Linner
 	$LD	$tj,$BNSZ($tp)	; tp[j]
 	addc	$lo0,$alo,$hi0
@@ -276,7 +276,7 @@ Linner:
 	slwi	$tj,$num,`log($BNSZ)/log(2)`
 	$UCMP	$i,$tj
 	addi	$i,$i,$BNSZ
-	ble-	Louter
+	ble	Louter
 

 	addi	$num,$num,2	; restore $num
 	subfc	$j,$j,$j	; j=0 and "clear" XER[CA]
@@ -289,7 +289,7 @@ Lsub:	$LDX	$tj,$tp,$j
 	subfe	$aj,$nj,$tj	; tp[j]-np[j]
 	$STX	$aj,$rp,$j
 	addi	$j,$j,$BNSZ
-	bdnz-	Lsub
+	bdnz	Lsub
 
 	li	$j,0
 	mtctr	$num
@@ -304,7 +304,7 @@ Lcopy:				; copy or in-place refresh
 	$STX	$tj,$rp,$j
 	$STX	$j,$tp,$j	; zap at once
 	addi	$j,$j,$BNSZ
-	bdnz-	Lcopy
+	bdnz	Lcopy
 
 	$POP	$tj,0($sp)
 	li	r3,1

Modified: vendor-crypto/openssl/dist/crypto/bn/asm/ppc.pl
==============================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/ppc.pl	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/ppc.pl	Tue May  3 18:00:27 2016	(r298991)
@@ -1556,7 +1556,7 @@ Lppcasm_sub_mainloop:	
 				# if carry = 1 this is r7-r8. Else it
 				# is r7-r8 -1 as we need.
 	$STU	r6,$BNSZ(r3)
-	bdnz-	Lppcasm_sub_mainloop
+	bdnz	Lppcasm_sub_mainloop
 Lppcasm_sub_adios:	
 	subfze	r3,r0		# if carry bit is set then r3 = 0 else -1
 	andi.	r3,r3,1         # keep only last bit.
@@ -1603,7 +1603,7 @@ Lppcasm_add_mainloop:	
 	$LDU	r8,$BNSZ(r5)
 	adde	r8,r7,r8
 	$STU	r8,$BNSZ(r3)
-	bdnz-	Lppcasm_add_mainloop
+	bdnz	Lppcasm_add_mainloop
 Lppcasm_add_adios:	
 	addze	r3,r0			#return carry bit.
 	blr
@@ -1762,7 +1762,7 @@ Lppcasm_sqr_mainloop:	
 	$UMULH  r8,r6,r6
 	$STU	r7,$BNSZ(r3)
 	$STU	r8,$BNSZ(r3)
-	bdnz-	Lppcasm_sqr_mainloop
+	bdnz	Lppcasm_sqr_mainloop
 Lppcasm_sqr_adios:	
 	blr
 	.long	0
@@ -1827,7 +1827,7 @@ Lppcasm_mw_LOOP:	
 	
 	addi	r3,r3,`4*$BNSZ`
 	addi	r4,r4,`4*$BNSZ`
-	bdnz-	Lppcasm_mw_LOOP
+	bdnz	Lppcasm_mw_LOOP
 
 Lppcasm_mw_REM:
 	andi.	r5,r5,0x3
@@ -1951,7 +1951,7 @@ Lppcasm_maw_mainloop:	
 	$ST	r11,`3*$BNSZ`(r3)
 	addi	r3,r3,`4*$BNSZ`
 	addi	r4,r4,`4*$BNSZ`
-	bdnz-	Lppcasm_maw_mainloop
+	bdnz	Lppcasm_maw_mainloop
 	
 Lppcasm_maw_leftover:
 	andi.	r5,r5,0x3

Modified: vendor-crypto/openssl/dist/crypto/bn/asm/ppc64-mont.pl
==============================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/ppc64-mont.pl	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/ppc64-mont.pl	Tue May  3 18:00:27 2016	(r298991)
@@ -734,7 +734,7 @@ $code.=<<___;
 ___
 }
 $code.=<<___;
-	bdnz-	L1st
+	bdnz	L1st
 

 	fctid	$dota,$dota
 	fctid	$dotb,$dotb
@@ -1280,7 +1280,7 @@ $code.=<<___;
 ___
 }
 $code.=<<___;
-	bdnz-	Linner
+	bdnz	Linner
 

 	fctid	$dota,$dota
 	fctid	$dotb,$dotb
@@ -1490,7 +1490,7 @@ Lsub:	ldx	$t0,$tp,$i
 	stdx	$t0,$rp,$i
 	stdx	$t2,$t6,$i
 	addi	$i,$i,16
-	bdnz-	Lsub
+	bdnz	Lsub
 
 	li	$i,0
 	subfe	$ovf,$i,$ovf	; handle upmost overflow bit
@@ -1517,7 +1517,7 @@ Lcopy:				; copy or in-place refresh
 	stdx	$i,$tp,$i	; zap tp at once
 	stdx	$i,$t4,$i
 	addi	$i,$i,16
-	bdnz-	Lcopy
+	bdnz	Lcopy
 ___
 $code.=<<___ if ($SIZE_T==4);
 	subf	$np,$num,$np	; rewind np
@@ -1550,7 +1550,7 @@ Lsub:	lwz	$t0,12($tp)	; load tp[j..j+3] 
 	stw	$t5,8($rp)
 	stw	$t6,12($rp)
 	stwu	$t7,16($rp)
-	bdnz-	Lsub
+	bdnz	Lsub
 
 	li	$i,0
 	subfe	$ovf,$i,$ovf	; handle upmost overflow bit
@@ -1582,7 +1582,7 @@ Lcopy:				; copy or in-place refresh
 	stwu	$t3,16($rp)
 	std	$i,8($tp)	; zap tp at once
 	stdu	$i,16($tp)
-	bdnz-	Lcopy
+	bdnz	Lcopy
 ___
 

 $code.=<<___;

Modified: vendor-crypto/openssl/dist/crypto/bn/asm/x86-mont.pl
==============================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/x86-mont.pl	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/x86-mont.pl	Tue May  3 18:00:27 2016	(r298991)
@@ -85,6 +85,21 @@ $frame=32;				# size of above frame roun
 
 	&and	("esp",-64);		# align to cache line
 
+	# Some OSes, *cough*-dows, insist on stack being "wired" to
+	# physical memory in strictly sequential manner, i.e. if stack
+	# allocation spans two pages, then reference to farmost one can
+	# be punishable by SEGV. But page walking can do good even on
+	# other OSes, because it guarantees that villain thread hits
+	# the guard page before it can make damage to innocent one...
+	&mov	("eax","ebp");
+	&sub	("eax","esp");
+	&and	("eax",-4096);
+&set_label("page_walk");
+	&mov	("edx",&DWP(0,"esp","eax"));
+	&sub	("eax",4096);
+	&data_byte(0x2e);
+	&jnc	(&label("page_walk"));
+
 	################################# load argument block...
 	&mov	("eax",&DWP(0*4,"esi"));# BN_ULONG *rp
 	&mov	("ebx",&DWP(1*4,"esi"));# const BN_ULONG *ap
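Review bot: `&data_byte(0x2e);` in front of the probe loop's `jnc` has no comment, while the equivalent bytes in the x86_64 files carry `# predict non-taken`; a reader who does not know that a bare CS segment-override byte before a conditional jump is a static branch hint will take it for stray data. Suggest `&data_byte(0x2e);		# predict non-taken (segment-prefix branch hint)`. The walk also depends on `ebp` still holding the stack pointer from before the frame was carved out, which is established above the hunk and could be stated where `eax` is computed, e.g. `# eax = frame size (ebp - esp), rounded down to a page`.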

Modified: vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont.pl
==============================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont.pl	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont.pl	Tue May  3 18:00:27 2016	(r298991)
@@ -130,6 +130,20 @@ $code.=<<___;
 
 	mov	%r11,8(%rsp,$num,8)	# tp[num+1]=%rsp
 .Lmul_body:
+	# Some OSes, *cough*-dows, insist on stack being "wired" to
+	# physical memory in strictly sequential manner, i.e. if stack
+	# allocation spans two pages, then reference to farmost one can
+	# be punishable by SEGV. But page walking can do good even on
+	# other OSes, because it guarantees that villain thread hits
+	# the guard page before it can make damage to innocent one...
+	sub	%rsp,%r11
+	and	\$-4096,%r11
+.Lmul_page_walk:
+	mov	(%rsp,%r11),%r10
+	sub	\$4096,%r11
+	.byte	0x66,0x2e		# predict non-taken
+	jnc	.Lmul_page_walk
+
 	mov	$bp,%r12		# reassign $bp
 ___
 		$bp="%r12";
@@ -342,6 +356,14 @@ $code.=<<___;
 
 	mov	%r11,8(%rsp,$num,8)	# tp[num+1]=%rsp
 .Lmul4x_body:
+	sub	%rsp,%r11
+	and	\$-4096,%r11
+.Lmul4x_page_walk:
+	mov	(%rsp,%r11),%r10
+	sub	\$4096,%r11
+	.byte	0x2e			# predict non-taken
+	jnc	.Lmul4x_page_walk
+
 	mov	$rp,16(%rsp,$num,8)	# tp[num+2]=$rp
 	mov	%rdx,%r12		# reassign $bp
 ___
@@ -795,6 +817,15 @@ bn_sqr8x_mont:
 	sub	%r11,%rsp
 .Lsqr8x_sp_done:
 	and	\$-64,%rsp
+	mov	%rax,%r11
+	sub	%rsp,%r11
+	and	\$-4096,%r11
+.Lsqr8x_page_walk:
+	mov	(%rsp,%r11),%r10
+	sub	\$4096,%r11
+	.byte	0x2e			# predict non-taken
+	jnc	.Lsqr8x_page_walk
+
 	mov	$num,%r10
 	neg	$num
 
@@ -932,8 +963,17 @@ bn_mulx4x_mont:
 	sub	$num,%r10		# -$num
 	mov	($n0),$n0		# *n0
 	lea	-72(%rsp,%r10),%rsp	# alloca(frame+$num+8)
-	lea	($bp,$num),%r10
 	and	\$-128,%rsp
+	mov	%rax,%r11
+	sub	%rsp,%r11
+	and	\$-4096,%r11
+.Lmulx4x_page_walk:
+	mov	(%rsp,%r11),%r10
+	sub	\$4096,%r11
+	.byte	0x66,0x2e		# predict non-taken
+	jnc	.Lmulx4x_page_walk
+
+	lea	($bp,$num),%r10
 	##############################################################
 	# Stack layout
 	# +0	num
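Review bot: In bn_mulx4x_mont `lea ($bp,$num),%r10` has been moved from before `and \$-128,%rsp` to after the new walk, evidently because the loop uses %r10 as its scratch register, but nothing records that dependency and the next prologue edit can silently undo it. Suggest `lea ($bp,$num),%r10		# after page walk: the loop clobbers %r10`. The function continues outside the hunk, so whether %rax was loaded with the original %rsp cannot be confirmed here.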

Modified: vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont5.pl
==============================================================================
--- vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont5.pl	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/bn/asm/x86_64-mont5.pl	Tue May  3 18:00:27 2016	(r298991)
@@ -115,6 +115,20 @@ $code.=<<___;
 
 	mov	%rax,8(%rsp,$num,8)	# tp[num+1]=%rsp
 .Lmul_body:
+	# Some OSes, *cough*-dows, insist on stack being "wired" to
+	# physical memory in strictly sequential manner, i.e. if stack
+	# allocation spans two pages, then reference to farmost one can
+	# be punishable by SEGV. But page walking can do good even on
+	# other OSes, because it guarantees that villain thread hits
+	# the guard page before it can make damage to innocent one...
+	sub	%rsp,%rax
+	and	\$-4096,%rax
+.Lmul_page_walk:
+	mov	(%rsp,%rax),%r11
+	sub	\$4096,%rax
+	.byte	0x2e			# predict non-taken
+	jnc	.Lmul_page_walk
+
 	lea	128($bp),%r12		# reassign $bp (+size optimization)
 ___
 		$bp="%r12";
@@ -469,6 +483,15 @@ $code.=<<___;
 	sub	%r11,%rsp
 .Lmul4xsp_done:
 	and	\$-64,%rsp
+	mov	%rax,%r11
+	sub	%rsp,%r11
+	and	\$-4096,%r11
+.Lmul4x_page_walk:
+	mov	(%rsp,%r11),%r10
+	sub	\$4096,%r11
+	.byte	0x2e			# predict non-taken
+	jnc	.Lmul4x_page_walk
+
 	neg	$num
 
 	mov	%rax,40(%rsp)
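Review bot: The loop added at .Lmul4x_page_walk, and the same loops at .Lpwr_page_walk, .Lfrom_page_walk, .Lmulx4x_page_walk and .Lpwrx_page_walk in the following hunks, lack the explanatory comment that the first hunk gives .Lmul_page_walk; a pointer such as `# touch each page of the new frame top-down, see .Lmul_page_walk` would make each one self-explanatory. In the bn_from_mont8x hunk `mov $num,%r10` has also been moved below the walk, presumably because the loop clobbers %r10, which is worth a comment of its own. All of these loops assume %rax still holds the pre-allocation stack pointer set above each hunk.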
@@ -1058,6 +1081,15 @@ $code.=<<___;
 	sub	%r11,%rsp
 .Lpwr_sp_done:
 	and	\$-64,%rsp
+	mov	%rax,%r11
+	sub	%rsp,%r11
+	and	\$-4096,%r11
+.Lpwr_page_walk:
+	mov	(%rsp,%r11),%r10
+	sub	\$4096,%r11
+	.byte	0x2e			# predict non-taken
+	jnc	.Lpwr_page_walk
+
 	mov	$num,%r10	
 	neg	$num
 
@@ -2028,7 +2060,16 @@ bn_from_mont8x:
 	sub	%r11,%rsp
 .Lfrom_sp_done:
 	and	\$-64,%rsp
-	mov	$num,%r10	
+	mov	%rax,%r11
+	sub	%rsp,%r11
+	and	\$-4096,%r11
+.Lfrom_page_walk:
+	mov	(%rsp,%r11),%r10
+	sub	\$4096,%r11
+	.byte	0x2e			# predict non-taken
+	jnc	.Lfrom_page_walk
+
+	mov	$num,%r10
 	neg	$num
 
 	##############################################################
@@ -2173,6 +2214,15 @@ bn_mulx4x_mont_gather5:
 	sub	%r11,%rsp
 .Lmulx4xsp_done:	
 	and	\$-64,%rsp		# ensure alignment
+	mov	%rax,%r11
+	sub	%rsp,%r11
+	and	\$-4096,%r11
+.Lmulx4x_page_walk:
+	mov	(%rsp,%r11),%r10
+	sub	\$4096,%r11
+	.byte	0x2e			# predict non-taken
+	jnc	.Lmulx4x_page_walk
+
 	##############################################################
 	# Stack layout
 	# +0	-num
@@ -2619,6 +2669,15 @@ bn_powerx5:
 	sub	%r11,%rsp
 .Lpwrx_sp_done:
 	and	\$-64,%rsp
+	mov	%rax,%r11
+	sub	%rsp,%r11
+	and	\$-4096,%r11
+.Lpwrx_page_walk:
+	mov	(%rsp,%r11),%r10
+	sub	\$4096,%r11
+	.byte	0x2e			# predict non-taken
+	jnc	.Lpwrx_page_walk
+
 	mov	$num,%r10	
 	neg	$num
 

Modified: vendor-crypto/openssl/dist/crypto/comp/comp.h
==============================================================================
--- vendor-crypto/openssl/dist/crypto/comp/comp.h	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/comp/comp.h	Tue May  3 18:00:27 2016	(r298991)
@@ -4,6 +4,10 @@
 
 # include <openssl/crypto.h>
 
+# ifdef OPENSSL_NO_COMP
+#  error COMP is disabled.
+# endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif

Modified: vendor-crypto/openssl/dist/crypto/evp/Makefile
==============================================================================
--- vendor-crypto/openssl/dist/crypto/evp/Makefile	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/evp/Makefile	Tue May  3 18:00:27 2016	(r298991)
@@ -199,8 +199,8 @@ e_aes.o: ../../include/openssl/opensslv.
 e_aes.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 e_aes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 e_aes.o: ../modes/modes_lcl.h e_aes.c evp_locl.h
-e_aes_cbc_hmac_sha1.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_aes_cbc_hmac_sha1.o: ../../include/openssl/bio.h
+e_aes_cbc_hmac_sha1.o: ../../e_os.h ../../include/openssl/aes.h
+e_aes_cbc_hmac_sha1.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_aes_cbc_hmac_sha1.o: ../../include/openssl/crypto.h
 e_aes_cbc_hmac_sha1.o: ../../include/openssl/e_os2.h
 e_aes_cbc_hmac_sha1.o: ../../include/openssl/evp.h
@@ -214,9 +214,9 @@ e_aes_cbc_hmac_sha1.o: ../../include/ope
 e_aes_cbc_hmac_sha1.o: ../../include/openssl/safestack.h
 e_aes_cbc_hmac_sha1.o: ../../include/openssl/sha.h
 e_aes_cbc_hmac_sha1.o: ../../include/openssl/stack.h
-e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h ../modes/modes_lcl.h
-e_aes_cbc_hmac_sha1.o: e_aes_cbc_hmac_sha1.c
-e_aes_cbc_hmac_sha256.o: ../../include/openssl/aes.h
+e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h ../constant_time_locl.h
+e_aes_cbc_hmac_sha1.o: ../modes/modes_lcl.h e_aes_cbc_hmac_sha1.c
+e_aes_cbc_hmac_sha256.o: ../../e_os.h ../../include/openssl/aes.h
 e_aes_cbc_hmac_sha256.o: ../../include/openssl/asn1.h
 e_aes_cbc_hmac_sha256.o: ../../include/openssl/bio.h
 e_aes_cbc_hmac_sha256.o: ../../include/openssl/crypto.h
@@ -232,7 +232,8 @@ e_aes_cbc_hmac_sha256.o: ../../include/o
 e_aes_cbc_hmac_sha256.o: ../../include/openssl/safestack.h
 e_aes_cbc_hmac_sha256.o: ../../include/openssl/sha.h
 e_aes_cbc_hmac_sha256.o: ../../include/openssl/stack.h
-e_aes_cbc_hmac_sha256.o: ../../include/openssl/symhacks.h ../modes/modes_lcl.h
+e_aes_cbc_hmac_sha256.o: ../../include/openssl/symhacks.h
+e_aes_cbc_hmac_sha256.o: ../constant_time_locl.h ../modes/modes_lcl.h
 e_aes_cbc_hmac_sha256.o: e_aes_cbc_hmac_sha256.c
 e_bf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/buffer.h

Modified: vendor-crypto/openssl/dist/crypto/evp/digest.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/evp/digest.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/evp/digest.c	Tue May  3 18:00:27 2016	(r298991)
@@ -212,8 +212,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c
     }
 #endif
     if (ctx->digest != type) {
-        if (ctx->digest && ctx->digest->ctx_size)
+        if (ctx->digest && ctx->digest->ctx_size) {
             OPENSSL_free(ctx->md_data);
+            ctx->md_data = NULL;
+        }
         ctx->digest = type;
         if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) {
             ctx->update = type->update;
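Review bot: The new `ctx->md_data = NULL;` after `OPENSSL_free` is uncommented, and its purpose is not obvious from the three lines alone: the block immediately below presumably reallocates md_data only when `type->ctx_size` is non-zero and the NO_INIT flag is clear, so without the reset a switch to a digest without context data would leave a dangling pointer for a later cleanup or re-init to free again. Suggest `/* clear so a skipped reallocation below, or a later cleanup, cannot free it twice */`. EVP_DigestInit_ex continues outside the hunk.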

Modified: vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha1.c	Tue May  3 18:00:27 2016	(r298991)
@@ -60,6 +60,7 @@
 # include <openssl/sha.h>
 # include <openssl/rand.h>
 # include "modes_lcl.h"
+# include "constant_time_locl.h"
 
 # ifndef EVP_CIPH_FLAG_AEAD_CIPHER
 #  define EVP_CIPH_FLAG_AEAD_CIPHER       0x200000
@@ -578,6 +579,8 @@ static int aesni_cbc_hmac_sha1_cipher(EV
             maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
             maxpad &= 255;
 
+            ret &= constant_time_ge(maxpad, pad);
+
             inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
             mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
             inp_len &= mask;
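Review bot: The added `ret &= constant_time_ge(maxpad, pad);` says nothing about why the pad-length check is folded into `ret` instead of rejecting early, and that is the whole point of the line: an early return or data-dependent branch on the padding byte would let a bad pad be told apart from a bad MAC, which is the oracle this constant-time path exists to close. Suggest `/* pad > maxpad is an error, but fold it into ret rather than branching so a bad pad is indistinguishable from a bad MAC */`. aesni_cbc_hmac_sha1_cipher begins and ends outside the hunk, so whether `ret` is initialised to the all-ones mask that constant_time_ge yields on success cannot be confirmed here; the matching change to e_aes_cbc_hmac_sha256.c is truncated on this page.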

Modified: vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha256.c
==============================================================================
--- vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha256.c	Tue May  3 17:11:33 2016	(r298990)
+++ vendor-crypto/openssl/dist/crypto/evp/e_aes_cbc_hmac_sha256.c	Tue May  3 18:00:27 2016	(r298991)
@@ -60,6 +60,7 @@
 # include <openssl/sha.h>

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

