Package: openssl / 1.0.1e-2+deb7u20

Metadata

Package Version Patches format
openssl 1.0.1e-2+deb7u20 3.0 (quilt)

Patch series

Patch File delta Description
ca.patch | (download)

apps/CA.pl.in | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

---
config hurd.patch | (download)

config | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

---
debian targets.patch | (download)

Configure | 45 45 + 0 - 0 !
1 file changed, 45 insertions(+)

---
engines path.patch | (download)

Configure | 2 1 + 1 - 0 !
Makefile.org | 2 1 + 1 - 0 !
engines/Makefile | 10 5 + 5 - 0 !
engines/ccgost/Makefile | 6 3 + 3 - 0 !
4 files changed, 10 insertions(+), 10 deletions(-)

---
make targets.patch | (download)

Makefile.org | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
man dir.patch | (download)

Makefile.org | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
man section.patch | (download)

Makefile.org | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

---
no rpath.patch | (download)

Makefile.shared | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
no symbolic.patch | (download)

Makefile.shared | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
pic.patch | (download)

crypto/des/asm/desboth.pl | 17 14 + 3 - 0 !
crypto/perlasm/cbc.pl | 24 20 + 4 - 0 !
crypto/perlasm/x86gas.pl | 16 16 + 0 - 0 !
crypto/x86cpuid.pl | 10 5 + 5 - 0 !
4 files changed, 55 insertions(+), 12 deletions(-)

---
valgrind.patch | (download)

crypto/rand/md_rand.c | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

---
rehash crt.patch | (download)

tools/c_rehash.in | 12 9 + 3 - 0 !
1 file changed, 9 insertions(+), 3 deletions(-)

---
rehash_pod.patch | (download)

doc/apps/c_rehash.pod | 55 55 + 0 - 0 !
1 file changed, 55 insertions(+)

---
shared lib ext.patch | (download)

Configure | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

---
stddef.patch | (download)

crypto/sha/sha.h | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

---
version script.patch | (download)

Configure | 2 2 + 0 - 0 !
engines/ccgost/openssl.ld | 10 10 + 0 - 0 !
engines/openssl.ld | 10 10 + 0 - 0 !
openssl.ld | 4626 4626 + 0 - 0 !
4 files changed, 4648 insertions(+)

---
gnu_source.patch | (download)

crypto/dso/dso_dlfcn.c | 6 2 + 4 - 0 !
1 file changed, 2 insertions(+), 4 deletions(-)

 always define _gnu_source

We need this at least for kfreebsd because they also use glibc.
There shouldn't be a problem defining this on systems not using
glibc.

c_rehash compat.patch | (download)

tools/c_rehash.in | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 [patch] also create old hash for compatibility


libdoc manpgs pod spell.patch | (download)

doc/crypto/ASN1_generate_nconf.pod | 2 1 + 1 - 0 !
doc/crypto/BN_BLINDING_new.pod | 2 1 + 1 - 0 !
doc/crypto/EVP_BytesToKey.pod | 2 1 + 1 - 0 !
doc/crypto/EVP_EncryptInit.pod | 2 1 + 1 - 0 !
doc/crypto/EVP_PKEY_cmp.pod | 2 1 + 1 - 0 !
doc/crypto/X509_STORE_CTX_get_error.pod | 2 2 + 0 - 0 !
doc/crypto/pem.pod | 2 1 + 1 - 0 !
doc/ssl/SSL_CTX_set_client_CA_list.pod | 4 4 + 0 - 0 !
doc/ssl/SSL_CTX_set_verify.pod | 4 2 + 2 - 0 !
doc/ssl/SSL_CTX_use_psk_identity_hint.pod | 8 8 + 0 - 0 !
doc/ssl/SSL_accept.pod | 8 8 + 0 - 0 !
doc/ssl/SSL_connect.pod | 18 9 + 9 - 0 !
doc/ssl/SSL_do_handshake.pod | 8 8 + 0 - 0 !
doc/ssl/SSL_shutdown.pod | 8 8 + 0 - 0 !
14 files changed, 55 insertions(+), 17 deletions(-)

---
libssl misspell.patch | (download)

crypto/asn1/asn1_err.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
openssl pod misspell.patch | (download)

apps/ca.c | 2 1 + 1 - 0 !
apps/ecparam.c | 4 2 + 2 - 0 !
crypto/evp/encode.c | 2 1 + 1 - 0 !
doc/apps/config.pod | 2 1 + 1 - 0 !
doc/apps/req.pod | 2 1 + 1 - 0 !
doc/apps/ts.pod | 4 2 + 2 - 0 !
doc/apps/tsget.pod | 2 1 + 1 - 0 !
doc/apps/x509v3_config.pod | 2 1 + 1 - 0 !
8 files changed, 10 insertions(+), 10 deletions(-)

---
pod_req_misspell2.patch | (download)

doc/apps/req.pod | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
pod_pksc12.misspell.patch | (download)

doc/apps/pkcs12.pod | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
pod_s_server.misspell.patch | (download)

doc/apps/s_server.pod | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
pod_x509setflags.misspell.patch | (download)

doc/crypto/X509_VERIFY_PARAM_set_flags.pod | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
pod_ec.misspell.patch | (download)

doc/apps/ec.pod | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
pkcs12 doc.patch | (download)

doc/apps/pkcs12.pod | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

---
dgst_hmac.patch | (download)

apps/dgst.c | 2 2 + 0 - 0 !
doc/apps/dgst.pod | 10 10 + 0 - 0 !
2 files changed, 12 insertions(+)

 document openssl dgst -hmac option

I've committed the thing below in MirBSD; since the apps code
changes very little between OpenSSL versions, it will probably
apply to the Debian package as well. I'm open for better wording
though, especially considering the FIPS option, which I
found as undocumented too.

block_diginotar.patch | (download)

crypto/x509/x509_vfy.c | 27 27 + 0 - 0 !
1 file changed, 27 insertions(+)

 make x509_verify_cert indicate that any certificate whose
 name contains "DigiNotar" is revoked.
block_digicert_malaysia.patch | (download)

crypto/x509/x509_vfy.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 make x509_verify_cert indicate that any certificate whose
 name contains "Digicert Sdn. Bhd." (from Malaysia) is revoked.
c_rehash multi.patch | (download)

tools/c_rehash.in | 72 44 + 28 - 0 !
1 file changed, 44 insertions(+), 28 deletions(-)

 generate hashes for all certs in a file
Bug: http://bugs.debian.org/628780
Forwarded: no


default_bits.patch | (download)

apps/openssl.cnf | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
ssltest_no_sslv2.patch | (download)

ssl/ssltest.c | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

 fix in ssltest if no-ssl2 configured

cpuid.patch | (download)

crypto/x86cpuid.pl | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 x86cpuid.pl: make it work with older cpus.
aesni mac.patch | (download)

crypto/evp/e_aes_cbc_hmac_sha1.c | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 e_aes_cbc_hmac_sha1.c: fix rare bad record mac on aes-ni platforms.
dtls_version.patch | (download)

ssl/s3_cbc.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 check dtls_bad_ver for version number.
get_certificate.patch | (download)

ssl/ssl_lib.c | 4 1 + 3 - 0 !
1 file changed, 1 insertion(+), 3 deletions(-)

 fix for ssl_get_certificate
CVE 2013 6449.patch | (download)

ssl/s3_both.c | 2 2 + 0 - 0 !
ssl/s3_lib.c | 2 1 + 1 - 0 !
ssl/s3_pkt.c | 8 7 + 1 - 0 !
ssl/t1_enc.c | 11 6 + 5 - 0 !
4 files changed, 16 insertions(+), 7 deletions(-)

 fix cve-2013-6449

This is a combination of upstream commits:
0294b2be5f4c11e60620c0018674ff0e17b14238
ca989269a2876bae79393bd54c3e72d49975fc75

CVE 2013 6450.patch | (download)

crypto/evp/digest.c | 7 5 + 2 - 0 !
ssl/d1_both.c | 6 6 + 0 - 0 !
ssl/ssl_locl.h | 2 2 + 0 - 0 !
ssl/t1_enc.c | 17 11 + 6 - 0 !
4 files changed, 24 insertions(+), 8 deletions(-)

 [patch] fix dtls retransmission from previous session.
disable_rdrand.patch | (download)

crypto/engine/eng_rdrand.c | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] don't use rdrand engine as default unless explicitly
 requested.
disable_dual_ec_drbg.patch | (download)

crypto/rand/rand.h | 1 1 + 0 - 0 !
crypto/rand/rand_err.c | 1 1 + 0 - 0 !
crypto/rand/rand_lib.c | 8 8 + 0 - 0 !
3 files changed, 10 insertions(+)

 [patch] disable dual ec drbg.
CVE 2013 4353.patch | (download)

ssl/s3_both.c | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch] fix for tls record tampering bug cve-2013-4353
dont_change_version.patch | (download)

ssl/s3_pkt.c | 2 1 + 1 - 0 !
ssl/s3_srvr.c | 3 2 + 1 - 0 !
2 files changed, 3 insertions(+), 2 deletions(-)

 [patch] don't change version number if session established
CVE 2014 0160.patch | (download)

ssl/d1_both.c | 26 18 + 8 - 0 !
ssl/t1_lib.c | 14 9 + 5 - 0 !
2 files changed, 27 insertions(+), 13 deletions(-)

 [patch] add heartbeat extension bounds check.

A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks to Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)

CVE 2010 5298.patch | (download)

ssl/s3_pkt.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch] don't release the buffer when there still is data in it

RT: 2167, 3265

CVE 2014 XXXX Extension checking fixes.patch | (download)

crypto/x509v3/v3_purp.c | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] extension checking fixes.

When looking for an extension we need to set the last found
position to -1 to properly search all extensions.

PR#3309.

CVE 2014 0076.patch | (download)

crypto/bn/bn.h | 11 11 + 0 - 0 !
crypto/bn/bn_lib.c | 52 52 + 0 - 0 !
crypto/ec/ec2_mult.c | 27 16 + 11 - 0 !
3 files changed, 79 insertions(+), 11 deletions(-)

 [patch] fix for cve-2014-0076

Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
ECDHE ECDSA_Safari.patch | (download)

doc/ssl/SSL_CTX_set_options.pod | 5 3 + 2 - 0 !
ssl/s3_lib.c | 12 12 + 0 - 0 !
ssl/ssl.h | 5 4 + 1 - 0 !
ssl/ssl3.h | 9 9 + 0 - 0 !
ssl/t1_lib.c | 88 88 + 0 - 0 !
5 files changed, 116 insertions(+), 3 deletions(-)

 [patch] don't prefer ecdhe-ecdsa ciphers when the client appears to
 be Safari on OS X. OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA
 ciphers.
CVE 2014 0198.patch | (download)

ssl/s3_pkt.c | 7 4 + 3 - 0 !
1 file changed, 4 insertions(+), 3 deletions(-)

 [patch] fixed null pointer dereference. see pr#3321


CVE 2014 0224.patch | (download)

ssl/s3_clnt.c | 4 4 + 0 - 0 !
ssl/s3_pkt.c | 11 10 + 1 - 0 !
ssl/s3_srvr.c | 5 5 + 0 - 0 !
ssl/ssl3.h | 1 1 + 0 - 0 !
4 files changed, 20 insertions(+), 1 deletion(-)

 fix for cve-2014-0224

Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.

CVE 2014 3470.patch | (download)

ssl/s3_clnt.c | 7 7 + 0 - 0 !
1 file changed, 7 insertions(+)

---
CVE 2014 0195.patch | (download)

ssl/d1_both.c | 9 9 + 0 - 0 !
1 file changed, 9 insertions(+)

 fix for cve-2014-0195

A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.

CVE 2014 0221.patch | (download)

ssl/d1_both.c | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 fix cve-2014-0221

Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without recursion.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.

CVE 2012 4929.patch | (download)

ssl/ssl_ciph.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 disable zlib compression by default

This fixes CVE-2012-4929 (CRIME).

Avoid double free when processing DTLS packets.patch | (download)

ssl/d1_both.c | 6 2 + 4 - 0 !
1 file changed, 2 insertions(+), 4 deletions(-)

 [patch 01/16] avoid double free when processing dtls packets.

The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Added comment for the frag reassembly NULL case as p.patch | (download)

ssl/d1_both.c | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 [patch 02/16] added comment for the frag->reassembly == null case as
 per feedback from Emilia

Fix DTLS handshake message size checks.patch | (download)

ssl/d1_both.c | 29 16 + 13 - 0 !
1 file changed, 16 insertions(+), 13 deletions(-)

 [patch 03/16] fix dtls handshake message size checks.

In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Fix memory leak from zero length DTLS fragments.patch | (download)

ssl/d1_both.c | 22 19 + 3 - 0 !
1 file changed, 19 insertions(+), 3 deletions(-)

 [patch 04/16] fix memory leak from zero-length dtls fragments.

The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Fix return code for truncated DTLS fragment.patch | (download)

ssl/d1_both.c | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 [patch 05/16] fix return code for truncated dtls fragment.

Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.